Part 1 Flashcards by Thomas Berry

CISSP domain Security and Risk Management?

Defining security goals and objectives, risk mitigation, compliance, business continuity, and the law.

How well did you know this?

Not at all

Perfectly

Which CISSP Domain defines security goals and objectives, risk mitigation, compliance, business continuity, and the law.

Security and Risk Management.

How well did you know this?

Not at all

Perfectly

Which area of CISSP does the following example belong in?

Security analysts may need to update company policies related to private health information if a change is made to a federal compliance regulation such as the Health Insurance Portability and Accountability Act, also known as HIPAA.

Security and Risk Management.

How well did you know this?

Not at all

Perfectly

CISSP domain Asset Security?

Securing digital and physical assets. Also related to the storage, maintenance, retention, and destruction of data.

How well did you know this?

Not at all

Perfectly

Which area of CISSP does the following example belong in?

An analyst is tasked with making sure that old equipment is properly disposed of and destroyed, including any type of confidential information.

Asset Security Domain.

How well did you know this?

Not at all

Perfectly

Which CISSP domain is involved in securing digital and physical assets. Also related to the storage, maintenance, retention, and destruction of data.

Asset Security.

How well did you know this?

Not at all

Perfectly

CISSP domain Security architecture and engineering?

Focuses on optimizing data security by ensuring effective tools, systems, and process are in place.

How well did you know this?

Not at all

Perfectly

Which CISSP domain focuses on optimizing data security by ensuring effective tools, systems, and process are in place.

Security Architecture and Engineering.

How well did you know this?

Not at all

Perfectly

Which CISSP domain is the following an example of?

Configuring a firewall.

Security Architecture and Engineering.

How well did you know this?

Not at all

Perfectly

What is a firewall?

A device used to monitor and filter incoming and outgoing computer network traffic.

How well did you know this?

Not at all

Perfectly

A device used to monitor and filter incoming and outgoing computer network traffic.

Firewall.

How well did you know this?

Not at all

Perfectly

CISSP domain Communication and Network Security?

Focuses on managing and securing physical networks and wireless communications.

How well did you know this?

Not at all

Perfectly

Which CISSP domain focuses on managing and securing physical networks and wireless communications?

Communication and Network Security.

How well did you know this?

Not at all

Perfectly

Which CISSP domain is the following an example of?

Analyzing user behavior within your organization

Communication and Network Security.

How well did you know this?

Not at all

Perfectly

CISSP domain Identity and Access Management?

Focuses on keeping data secure, by ensuring users follow established policies to control and manage physical assets, like office spaces, and logical assets, such as networks and applications.

How well did you know this?

Not at all

Perfectly

which CISSP domain focuses on keeping data secure, by ensuring users follow established policies to control and manage physical assets, like office spaces, and logical assets, such as networks and applications.

Identity and Access Management.

How well did you know this?

Not at all

Perfectly

Which CISSP domain is the following and example of?

Setting up employees’ keycard access to buildings.

Identity and Access Management.

How well did you know this?

Not at all

Perfectly

CISSP domain Security Assessment and Testing?

Focuses on conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities.

How well did you know this?

Not at all

Perfectly

Which CISSP domain focuses on conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities.

Security Assessment and Testing.

How well did you know this?

Not at all

Perfectly

Which CISSP domain is the following an example of?

Analyst who is asked to regularly audit permissions to ensure that no unauthorized person can view employee salaries.

Security Assessment and Testing.

How well did you know this?

Not at all

Perfectly

CISSP domain security operations?

Focuses on conducting investigations and implementing preventative measures.

How well did you know this?

Not at all

Perfectly

CISSP domain that focuses on conducting investigations and implementing preventative measures.

Security Operations

How well did you know this?

Not at all

Perfectly

Which CISSP domain is the following an example of?

As an analyst, you receive an alert that an unknown device has been connected to your internal network. You would need to follow the organization’s policies and procedures to quickly stop the potential threat.

Security Operations.

How well did you know this?

Not at all

Perfectly

CISSP domain software development security?

Focuses on using secure coding practices, which are a set of recommended guidelines that are used to create secure applications and services.

How well did you know this?

Not at all

Perfectly

Which CISSP domain focuses on using secure coding practices, which are a set of recommended guidelines that are used to create secure applications and services?

Software Development Security.

Which CISSP domain is the following an example of? If one of your partner teams is creating a new mobile app, then you may be asked to advise on the password policies or ensure that any user data is properly secured and managed.

Software Development Security.

Password attack? Which domain do they fall under?

An attempt to access password-secured devices, systems, networks, or data. Communication and network security domain.

Social Engineering Attack? Which domain do they fall under?

A manipulation technique that exploits human error to gain private information, access, or valuables. Security and Risk Management Domain.

Physical attack? Which domain do they fall under?

Security incident that affects not only digital but also physical environments where the incident is deployed. Asset Security Domain.

Adversarial Artificial Intelligence? Which domain(s) does it fall under?

A technique that manipulates artificial intelligence and machine learning technology to conduct attacks more efficiently. Communication and network security OR Identity and access management.

Supply-Chain Attack? Which domain(s) do they fall under?

Targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed. Security and Risk Management. Security Architecture and Engineering. Security Operations Domain.

Cryptographic Attack? Which domain do they fall under?

Affects secure forms of communication between a sender and intended recipient. Communication and Network Security.

Advanced Persistent Threats (APTs)? What are their typical intentions and motivations?

These attackers have significant expertise accessing an organization's network without authorization. Damaging critical infrastructure, such as the power grid and natural resources. Gaining access to intellectual property, such as trade secrets or patents.

Insider Threats? What are their typical intentions and motivations?

These attackers abuse their authorized access to obtain data that may hard an organization. Sabotage. Corruption. Espionage. Unauthorized.

These attackers abuse their authorized access to obtain data that may hard an organization.

Insider threats.

These attackers have significant expertise accessing an organization's network without authorization.

Advanced Persistent Threats.

Hacktivists? What are their typical intentions and motivations?

Threat actors that are driven by a political agenda. Demonstrations. Propaganda. Social Change Campaigns. Fame.

Threat actors that are driven by a political agenda.

Hacktivists.

What are the three main category of hackers?

Authorized (ethical hackers). Semi-authorized hackers (researchers). Unauthorized hackers (unethical hackers).

Authorized (ethical) hackers?

Follow a code of ethics and adhere to the law to conduct organizational risk evaluations. Motivated to safeguard people and organizations from malicious threat actors.

Semi-authorized hackers (researchers)?

They search for vulnerabilities but don't take advantage of the vulnerabilities they find.

Unauthorized (unethical) hackers?

They are malicious threat actors who do not follow or respect the law. Their goal is to collect and sell confidential data for financial gain.

Examples of security _____ include security and risk management and security architecture and engineering.

domains

A security professional is asked to destroy and dispose of old hard drives that include confidential customer information. Which security domain is this task related to?

Asset Security

Your supervisor asks you to audit user permissions for payroll data to ensure no unauthorized employees have access to it. Which security domain is this audit related to?

Security Assessment and Testing

You are asked to investigate an alert related to an unknown device that is connected to the company's internal network. After you complete your investigation, you follow company policies and procedures to implement preventative measures that will stop the potential threat posed by the device. Which security domain is this scenario related to?

Security Operations

Business Email Compromise?

A type of phishing attack where a threat actor impersonates a known source to obtain financial advantage

Business Email Compromise

CISSP?

Certified Information Systems Security Professional is a globally recognized and highly sought-after information security certification, awarded by the International Information Systems Security Certification Consortium

Computer Virus?

Malicious code written to interfere with computer operations and cause damage to data and software

Computer Virus

Cryptographic Attack

An attack that affects secure forms of communication between a sender and intended recipient

Cryptographic Attack

Malware

Software designed to harm devices or networks

Phishing?

The use of digital communications to trick people into revealing sensitive data or deploying malicious software

Phishing

Physical Attack

A security incident that affects not only digital but also physical environments where the incident is deployed

Physical Attack

Physical Social Engineering?

An attack in which a threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location

Physical Social Engineering?

Social Engineering?

A manipulation technique that exploits human error to gain private information, access, or valuables

Social Engineering

Social Media Phishing?

A type of attack where a threat actor collects detailed information about their target on social media sites before initiating the attack

Social Media Phishing.

Spear Phishing?

A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source

Spear Phishing.

Supply-chain Attack?

An attack that targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed

Supply-chain Attack.

USB baiting?

An attack in which a threat actor strategically leaves a malware USB stick for an employee to find and install to unknowingly infect a network

USB baiting.

Vishing?

The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source

Vishing.

Watering Hole Attack?

A type of attack when a threat actor compromises a website frequently visited by a specific group of users

Watering Hole Attack.

Worms and Viruses are examples of?

Malware

The _____ spread globally within a couple of months due to users inserting a disk into their computers that was meant to track illegal copies of medical software.

Brain Virus

Social engineering is a manipulation technique that exploits _____ error to gain access to private information.

Human

Configuring a firewall and ensuring that effective systems and process are in place are examples of which domain?

Security Architecture and Engineering.

Which domain involves conducting, collecting, and analyzing data, as well as conducting security audits to monitor for risks, threats, and vulnerabilities?

Security Assessment and Testing.

A security professional is asked to issue a keycard to a new employee. Which domain does this scenario relate to?

Identity and Access Management

Security Frameworks?

Guidelines used for building plans to help mitigate risks and threats to data and privacy.

Security Frameworks

Security Lifecycle?

A constantly evolving set of policies and standards that define how an organization manages risks, follow established guidelines, and meets regulatory compliance, or laws.

Security Lifecycle

The purpose of security frameworks include..

Protecting personally identifiable information, securing financial information, identifying security weaknesses, managing organizational risks, and aligning security with business goals.

An organization may have a goal to align with the E.U.'s General Data Protection Regulation, also known as GDPR. GDPR is a data protection law established to grant European citizens more control over their personal data. A security analyst may be asked to identify and document areas where an organization is out of compliance with GDPR. Which framework is this an example of?

Identifying and documenting security goals.

When implementing guidelines to achieve GDPR compliance, your organization may need to develop new policies for how to handle data requests from individual users. Which framework is this an example of?

Setting Guidelines to achieve security goals.

In the case of GDPR, a security analyst working for a social media company may help design procedures to ensure the organization complies with verified user data requests. An example of this type of request is when a user attempts to update or delete their profile information. Which framework is this an example of?

Implementing strong security processes.

You may monitor your organization's internal network and report a potential security issue affecting GDPR to your manager or regulatory compliance officer. Which framework is this an example of?

Monitoring and communicating results.

Security Controls?

Safeguards designed to reduce specific security risks.

A foundational model that helps inform how organizations consider risk when setting up systems and security policies.

CIA Triad

What does CIA triad stand for?

Confidentiality, Integrity, and Availability.

What are the 4 types of Security Frameworks?

Identifying and documenting security goals. Setting guidelines to achieve security goals. Implementing strong security processes. Monitoring and communicating results.

The process of adhering to internal standards and external regulations?

Compliance.

U.S.-based agency that develops multiple voluntary compliance frameworks that organizations worldwide can use to help manage risk. The more aligned an organization is with compliance, the lower the risk.

The National Institute of Standards and Technology (NIST)

A regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid.

The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)

U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers.

The Federal Risk and Authorization Management Program (FedRAMP)

Nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense.

Center for Internet Security (CIS)

European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization.

General Data Protection Regulation (GDPR)

International security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud.

Payment Card Industry Data Security Standard (PCI DSS)