S3, M3-M5 Flashcards

(133 cards)

1
Q

What is the key difference between vulnerability assessments and security assessments, in terms of scope?

A

Vulnerability assessment focuses on technical weaknesses, and security assessment is more comprehensive.

2
Q

Security assessment engagements result in the issuance of what type of report?

A

Security Assessment Report (SAR)

3
Q

What is the first step in a security assessment engagement?

A

defining assessment procedures, objectives, objects, and methods

4
Q

What is an assessment object?

A

identifies the specific items being assessed for a given control (e.g., specifications, mechanisms, activities, or individuals)

5
Q

What is an assessment method?

A

defines the nature of the action the assessor takes (examine, interview, or test)

6
Q

What two things does a security assessment report document?

A
  • findings, and
  • recommendations for correcting issues/vulnerabilities
7
Q

What are determination statements in a SAR?

A

assign a grade to each procedure performed

8
Q

What are the two possible grades for a determination statements?

A
  • Satisfied, S
  • Other than Satisfied, O
9
Q

Elements that have more evidence/depth require (less/more) testing.

A

less

10
Q

If training for employees is provided in-house, what other tools will the organization need?

A

teaching tools aka content creation tools

11
Q

What should be done with trainings over time?

A

revised periodically so the content stays current

12
Q

What are the three relevant categories of personnel with differing levels of responsibility, when it comes to employee training?

A

management, specialized IT personnel, all other employees

13
Q

How often should refresher training courses be administered to employees?

A

annually

14
Q

What is a security program champion?

A

a person who leads the effort to implement the security program

15
Q

What is the definition of privacy?

A
  • protects the rights of an individual, and
  • gives the individual control over what information they are willing to share with others
15
Q

What is confidentiality?

A

protects information gathered by the company from unauthorized access

16
Q

How can privacy and confidentiality be represented in a two step process?

A
  1. Gather information according to privacy requirements.
  2. Protect the confidentiality of gathered information.
17
Q

What is the definition of PII?

A

all data that can be used to identify an individual

18
Q

Is an address PII?

A

Yes.

19
Q

Is a photographic image considered PII?

A

Yes.

20
Q

How much personal information should be collected and retained?

A

minimal

21
Q

What two items are included within the broader umbrella of “confidential data”?

A
  • PII
  • proprietary information
22
Q

What does pseudonymization do?

A

replaces a direct identifier such as a name with an artificial one (e.g., Patient 123); the mapping back to the real identity is kept separately, so whoever holds it can still re-identify the data

23
Q

Should the ability to access personal info from mobile devices be more strict or less strict?

A

More strict, because of the increased risk of mobile devices.

24
What is obfuscation?
replacing production (real) data with data that is less valuable to unauthorized users
25
What are the three most common data obfuscation applications/procedures?
- encryption - tokenization - masking
26
What is a higher form of protection, encryption or tokenization?
encryption
27
What does encryption do?
*scramble* unencrypted data using cryptography so that it can only be deciphered with a key
28
The term "production data" is roughly synonymous with ___ data.
real
29
In what three ways can a token be generated?
- random number generators - hashing - encryption
30
What is tokenization?
remove production (real) data and replace with a surrogate value or token (fake data)
31
Where are keys used to reverse tokenization stored?
in a token vault
32
How does tokenization differ from encryption?
Tokenization does not generally change the length or type of characters
33
What is masking?
swap data with like data so that the original identifying characteristics are *disguised*
34
Can you give an example of masking?
showing only the last four digits of a credit card number and replacing the rest with asterisks, e.g. ************1234
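As an added example (not part of the original deck or any course material), here is a Python implementation of the tokenization and masking described in cards 24-34. The token vault is an in-memory dictionary standing in for a separately secured store, the card number is a constructed sample value, and the function names `tokenize`, `detokenize` and `mask_card_number` are chosen here for illustration.

```python
"""Tokenization with a token vault, plus masking (cards 24-34).

Added example, not course code. The vault is an in-memory dict; in production
it would be a separately secured store (assumption for illustration).
"""
import re
import secrets

# Token vault: surrogate token -> original value.
_VAULT = {}

_DIGITS = "0123456789"
_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
_LOWER = "abcdefghijklmnopqrstuvwxyz"


def tokenize(value: str) -> str:
    """Replace a value with a random surrogate of the same length and character classes.

    Digits become random digits and letters random letters, so the token keeps
    the format of the original (card 32) while carrying no information about it.
    """
    if not value:
        raise ValueError("nothing to tokenize")
    while True:
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(_DIGITS))
            elif ch.isupper():
                out.append(secrets.choice(_UPPER))
            elif ch.islower():
                out.append(secrets.choice(_LOWER))
            else:
                out.append(ch)  # separators such as '-' stay in place
        token = "".join(out)
        # retry on the rare collision with an existing token or with the input itself
        if token not in _VAULT and token != value:
            _VAULT[token] = value
            return token


def detokenize(token: str) -> str:
    """Reverse tokenization via the vault; fails closed on an unknown token."""
    try:
        return _VAULT[token]
    except KeyError:
        raise ValueError("unknown token") from None


def mask_card_number(pan: str, visible: int = 4) -> str:
    """Mask a card number, keeping only the last `visible` digits (card 34)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < visible:
        raise ValueError("value too short to mask")
    return "*" * (len(digits) - visible) + digits[-visible:]


def demo() -> dict:
    pan = "4111-1111-1111-1111"  # constructed sample value, not a real card
    token = tokenize(pan)
    return {
        "token_preserves_format": len(token) == len(pan)
        and all(a.isdigit() == b.isdigit() for a, b in zip(token, pan)),
        "round_trip": detokenize(token) == pan,
        "masked": mask_card_number(pan),
    }


if __name__ == "__main__":
    print(demo())
```

Masking is one-way (the asterisks cannot be undone), whereas tokenization is reversible only for whoever can query the vault, which is why the vault, not the tokens, is the asset to protect.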
35
Cryptography involves applying an algorithm to transform ____ into _____.
plaintext to ciphertext
36
What are the two types of keys (encryption)?
public and private
37
What is a public key?
key that is shared either publicly or with a group
38
What is a private key?
key that is known only to one user
39
Does symmetric encryption use a private or public key?
private only
40
What is symmetric encryption?
involves a single shared (private) key used for both encryption and decryption of the data
41
What type of entity commonly uses symmetric encryption?
used by banks
42
What is a common drawback of symmetric encryption?
does not provide proof that the sender is who they say they are (cannot tell where message originated)
43
Is symmetric encryption easy or difficult to scale?
Difficult, because every pair of users in the group needs its own shared secret key (n users need n(n-1)/2 keys).
44
What is more secure, symmetric or asymmetric encryption?
asymmetric
45
What is asymmetric encryption?
public key is used to encrypt and private is used to decrypt or vice versa
46
What are two popular applications of asymmetric encryption?
- digital signing - blockchain
47
What is the main drawback of asymmetric encryption?
slower speed (more computing power)
48
Hashing is (one-way/two-way). Encryption is (one-way/two-way).
one-way, two-way
49
What is the intended use of encryption?
securely transfer data
50
What is the intended use of hashing?
verify the integrity of data (that it was not altered); paired with a secret key (HMAC) or a digital signature, it also lets the receiver confirm the sender
51
What is the relationship between encryption and hashing?
used together: encryption protects the confidentiality of the message in transit, and a hash (keyed or signed) lets the receiver check that it arrived unaltered and came from the claimed sender
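Added example, not course code, covering cards 43 and 48-51: a plain hash lets anyone who changes a message recompute a matching digest, so by itself it proves integrity against accidental corruption but not who sent the message; a keyed hash (HMAC) cannot be forged without the shared secret. The messages and key are constructed sample values, and the key-count helpers at the end show the scaling problem from card 43.

```python
"""Integrity vs. authenticity with plain hashes and HMAC (cards 48-51),
plus symmetric vs. asymmetric key counts (card 43). Added example."""
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Unkeyed SHA-256: detects corruption, but an attacker who alters the
    message can simply recompute it."""
    return hashlib.sha256(message).hexdigest()


def tag(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only holders of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, received_tag: str) -> bool:
    # constant-time comparison so timing does not reveal how much of the tag matched
    return hmac.compare_digest(tag(key, message), received_tag)


def tamper_demo() -> dict:
    key = b"shared-secret-between-bank-and-client"  # constructed, not a real key
    original = b"PAY 100 TO ALICE"
    forged = b"PAY 100 TO MALLORY"

    # Sender ships message + plain hash. The attacker swaps the message and
    # recomputes the hash, so the receiver's integrity check still passes.
    attacker_hash = digest(forged)
    plain_hash_check_passes = digest(forged) == attacker_hash

    # With an HMAC the attacker cannot produce a tag for the forged message
    # without the key, so the receiver rejects it.
    sent_tag = tag(key, original)
    return {
        "plain_hash_detects_forgery": not plain_hash_check_passes,
        "hmac_accepts_original": verify_tag(key, original, sent_tag),
        "hmac_accepts_forgery": verify_tag(key, forged, sent_tag),
    }


def symmetric_key_count(n_users: int) -> int:
    """Pairwise secret keys needed so every pair of n users can talk (card 43)."""
    return n_users * (n_users - 1) // 2


def asymmetric_key_count(n_users: int) -> int:
    """With public-key crypto each user needs one key pair, however many peers."""
    return 2 * n_users


if __name__ == "__main__":
    print(tamper_demo())
    print(symmetric_key_count(1000), asymmetric_key_count(1000))
```

The HMAC still only proves that someone holding the shared key produced the message; where the sender must not be able to deny it (non-repudiation), a digital signature made with the sender's private key is needed instead.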
52
What do substitution ciphers do?
replace each character of plaintext with another character
53
What do transposition ciphers do?
rearrange letters of a message using a matrix
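Added example, not course code, for cards 52-53: a shift substitution cipher (each letter replaced by another) and a columnar transposition cipher (letters written into a matrix row by row and read out column by column), each with its inverse. The plaintext and keys are constructed; these classical ciphers are teaching aids, not secure encryption.

```python
"""Classical substitution and transposition ciphers (cards 52-53).
Added example, not course code. Uppercase A-Z only; everything else passes
through a substitution unchanged and is dropped by the transposition."""
import string

ALPHABET = string.ascii_uppercase


def substitute(text: str, shift: int) -> str:
    """Shift (Caesar) substitution: every letter is replaced by another letter."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
        for c in text
    )


def unsubstitute(text: str, shift: int) -> str:
    return substitute(text, -shift)


def transpose(text: str, columns: int, pad: str = "X") -> str:
    """Columnar transposition: write the message row by row into a matrix of
    `columns` columns, then read it out column by column. The letters are
    unchanged; only their positions move."""
    text = text.replace(" ", "")
    while len(text) % columns:
        text += pad  # pad the last row so the matrix is rectangular
    rows = [text[i:i + columns] for i in range(0, len(text), columns)]
    return "".join(row[c] for c in range(columns) for row in rows)


def untranspose(cipher: str, columns: int) -> str:
    """Inverse: rebuild the columns, then read the matrix row by row."""
    rows_n = len(cipher) // columns
    cols = [cipher[i:i + rows_n] for i in range(0, len(cipher), rows_n)]
    return "".join(cols[c][r] for r in range(rows_n) for c in range(columns))


def letter_counts(text: str) -> dict:
    """Letter frequencies: unchanged by transposition, merely shifted by
    substitution, which is why both fall to frequency analysis."""
    return {c: text.count(c) for c in ALPHABET if c in text}


if __name__ == "__main__":
    msg = "ATTACK AT DAWN"  # constructed sample plaintext
    print(substitute(msg, 3), transpose(msg, 4))
```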
54
What do data loss prevention systems do?
detect and prevent attempts by employees/unauthorized users to transfer sensitive *information out* of the organization electronically
55
What is an example of a DLP being used with pattern-matching methods?
If the intended export contains Social Security numbers (nine-digit numbers formatted ###-##-####), the transfer is blocked.
56
What are the three types of DLP systems?
- Network-Based - Cloud Based - Endpoint Based
57
What are network-based DLPs?
scan outgoing data across the network
58
What are endpoint-based DLPs?
scan files stored or sent to devices
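Added example, not course or product code, for cards 54-58: the content-inspection step that a network- or endpoint-based DLP performs on outbound data. It matches the SSN pattern from card 55 and, going slightly beyond the card, also catches payment-card numbers while using a Luhn check to avoid blocking arbitrary digit runs such as dates or tracking numbers. The messages are constructed samples.

```python
"""Pattern-matching DLP content inspection (cards 54-58). Added example."""
import re

# SSN: ###-##-####, excluding areas 000/666/9xx and all-zero groups, which
# the SSA never issues; this removes obvious false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: real card numbers pass it, random digit runs mostly do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return (kind, matched_text) pairs for each sensitive pattern found."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("pan", m.group()))
    return hits


def decide(text: str) -> str:
    """Policy: block the transfer if any sensitive pattern is present."""
    return "BLOCK" if scan(text) else "ALLOW"


SAMPLE_MESSAGES = [  # constructed outbound messages
    "Payroll export attached: Jane Doe, SSN 123-45-6789, started 2019-03-04",
    "Order 2019-03-04 shipped; tracking 1Z999AA10123456784",
    "Card on file 4111 1111 1111 1111 exp 12/29",
    "Quarterly numbers: revenue up 12%, see ticket 000-12-3456",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(decide(msg), scan(msg))
```

Pure regex matching is where most DLP false positives come from; the area-number exclusions and the Luhn check are the kind of validation that keeps a rule from blocking every date or ticket number that happens to look like an SSN.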
59
Digital security control relates to what process?
encryption
60
What is the difference between deleting and purging/erasing?
After you delete, data still exists in some form. Purging permanently removes data.
61
What is degaussing?
creating a strong magnetic field to erase data on devices that store it magnetically
62
What is the most effective way to completely remove data?
physical destruction of the device
63
What is a read-through?
distributing procedures/policies and reading through them
64
What is a walk-through?
role-playing or simulating a disaster scenario
65
Which is performed more commonly, a walkthrough or a fire drill?
walkthrough
66
Walkthroughs should occur in (some/all) departments of an organization.
all
67
In accounting department, only authorized employees should be able to do what three things?
C - Withdraw or Transfer Cash P - Collect or Divert Payments R - Report on Financial Information
68
In a service auditor's walkthrough, what three things do they gain an understanding of?
- flow of transactions - design of controls - operating effectiveness of controls
69
What question should a service auditor ask themselves when determining whether they should modify their opinion for a given misstatement?
If I do not modify the opinion, could that create a problem/misunderstanding for the reader of the report?
70
Is a deviation in an entity-level control usually considered pervasive or not pervasive?
pervasive
71
What is an incident response plan?
documentation of procedures, people, and information to detect, respond to, and limit consequences of a cyberattack against an organization
72
What events are charted on a recovery timeline?
- incident start - detection - containment - eradication - normal business operations restored
73
What does file integrity monitoring do?
compares files (typically their hashes) against a known-good baseline to detect unauthorized modification or corruption
74
What is the most critical component of an IRP?
human capital (people) designated to respond
75
What are the three models for a human capital being used in an incident response plan?
- centralized incident response team - distributed incident response team - coordinating team
76
What is a centralized incident response team?
single team manages incidents across the organization
77
The centralized incident response team is better for (smaller/larger) teams that (are/are not) distributed geographically.
smaller, are not
78
What is a distributed incident response team?
multiple incident response teams responsible for different segments of the network
79
The distributed incident response team is better for (smaller/larger) teams that (are/are not) distributed geographically.
larger, are
80
What is a coordinating team?
secondary function that coordinates with other departments, dispatching them as necessary
81
Why is 24/7 availability important for an incident response team?
the quicker you discover an incident, the lower its overall impact
82
What is a viable alternative to hiring a full-time IRP staff?
outsourcing
83
What is a way to boost employee morale and reduce the workload on IRP employees?
segregating roles
84
Do incident response team members need broader or narrower knowledge than other IT employees?
broader
85
Cybersecurity involves the safety of ___ and ___.
infrastructure and data
86
Incident response plans must distinguish between recognizing and responding to an ____ versus an ____.
event, incident
87
What is a cybersecurity event?
observable occurrence in a system or network
88
Are events always a bad thing?
No, they can be benign.
89
What is an incident?
an adverse event, an event with a negative consequence
90
What is a computer security incident?
one that is computer-security related and caused by *malicious human intent*
91
What is involved in preparation for responding to an incident?
assembling key personnel, tools, and processes to prepare
91
What is involved in detection for responding to an incident?
recognize, evaluate, and classify deviations from normal operations
92
What is involved in containment for responding to an incident?
contain so that further damage is not incurred
93
What is involved in eradication for responding to an incident?
extract threat and restore affected systems
94
What is involved in reporting for responding to an incident?
communication of incident to management, IT personnel, affected employees
95
What is involved in recovery for responding to an incident?
return org's IT operations to fully functional state
96
What is involved in learning for responding to an incident?
understand what happened, learn and improve
97
T/F: Reporting of an incident is uniform for management, IT personnel, and affected employees.
False, communication should be tailored to each group.
98
When recovering from an incident, what are some of the first steps to do?
increasing overall security (immediate high-impact changes)
99
When recovering from an incident, what are some of the later steps to do?
strategic changes (long term changes)
100
Which step does the SANS Institute IRP remove?
reporting
101
The Information Technology Infrastructure Library (ITIL) developed what two things?
- incident management process - issued certifications
102
What types of organizations does the US-CERT create IRPs for?
government, academia, and private sector
103
IRPs may be tailored for particular types of ____.
attacks
104
What is mean time to detect? Is a higher or lower number worse?
time to detect a prior incident or one in progress (higher is worse)
105
What is mean time to acknowledge? Is a higher or lower time worse?
time to acknowledge an incident once it occurred, (higher is worse)
106
How is mean time to acknowledge calculated?
time between when incident is reported and when it is recognized as an actual threat
107
What is another term for mean time to contain?
mean time to remediation
108
What is mean time to contain?
average time it takes to stop and isolate an incident
109
What is mean time to repair?
time to restore a system to normal/target operations
110
What is mean time between failures?
average time between consecutive incident failures
111
Should mean time between failures be low or high?
high
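Added example, not course code, for cards 104-111: computing the response metrics from the recovery-timeline events listed in card 72 (incident start, detection, containment, eradication, normal operations restored), plus an acknowledgement time for MTTA. The three incident records are constructed sample data, and the choice of which two events each metric spans is stated in each function's docstring.

```python
"""Incident response metrics from a recovery timeline (cards 72, 104-111).
Added example; the incident records are constructed. Times are UTC."""
from datetime import datetime

INCIDENTS = [
    {"id": "INC-1", "start": "2024-01-10T08:00", "detected": "2024-01-10T10:00",
     "acknowledged": "2024-01-10T10:30", "contained": "2024-01-10T12:00",
     "eradicated": "2024-01-10T16:00", "restored": "2024-01-11T08:00"},
    {"id": "INC-2", "start": "2024-02-01T00:00", "detected": "2024-02-03T00:00",
     "acknowledged": "2024-02-03T04:00", "contained": "2024-02-03T10:00",
     "eradicated": "2024-02-04T00:00", "restored": "2024-02-05T00:00"},
    {"id": "INC-3", "start": "2024-02-20T12:00", "detected": "2024-02-20T12:30",
     "acknowledged": "2024-02-20T12:45", "contained": "2024-02-20T13:30",
     "eradicated": "2024-02-20T15:00", "restored": "2024-02-20T18:00"},
]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _mean_hours(deltas) -> float:
    deltas = list(deltas)
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 3600


def mttd(incidents) -> float:
    """Mean time to detect: incident start -> detection. Higher is worse."""
    return _mean_hours(_t(i["detected"]) - _t(i["start"]) for i in incidents)


def mtta(incidents) -> float:
    """Mean time to acknowledge: detection/report -> recognised as a real
    threat (card 106). Higher is worse."""
    return _mean_hours(_t(i["acknowledged"]) - _t(i["detected"]) for i in incidents)


def mttc(incidents) -> float:
    """Mean time to contain: incident start -> the incident is stopped and isolated."""
    return _mean_hours(_t(i["contained"]) - _t(i["start"]) for i in incidents)


def mttr(incidents) -> float:
    """Mean time to repair: incident start -> normal operations restored."""
    return _mean_hours(_t(i["restored"]) - _t(i["start"]) for i in incidents)


def mtbf(incidents) -> float:
    """Mean time between failures: uptime from one incident's restoration to
    the next incident's start. Higher is better (card 111)."""
    ordered = sorted(incidents, key=lambda i: i["start"])
    gaps = [_t(b["start"]) - _t(a["restored"]) for a, b in zip(ordered, ordered[1:])]
    return _mean_hours(gaps)


def summary(incidents) -> dict:
    return {"MTTD": mttd(incidents), "MTTA": mtta(incidents),
            "MTTC": mttc(incidents), "MTTR": mttr(incidents),
            "MTBF": mtbf(incidents)}


if __name__ == "__main__":
    for k, v in summary(INCIDENTS).items():
        print(f"{k}: {v:.2f} h")
```

A single slow detection (INC-2, two days) dominates the mean, which is why teams usually track the median or the distribution alongside the mean before reading a trend into these numbers.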
112
What are business interruption losses (cyber insurance)?
lost revenue from operating delays due to attack
113
What are cyber extortion losses (2) (cyber insurance)?
ransom payments, fees to attorneys/IT experts for negotiating with attackers
114
What are incident response costs?
recovery of lost or stolen data, including cost of labor
115
What are replacement costs for information systems?
replacing IT assets
116
Are litigation and attorney fees insurable losses?
Yes.
117
What costs of reputational damage are insurable (3)?
public relations, crisis management, and marketing to customers
118
What cost of reputational damage are NOT insurable?
harm to company's brand
119
Are costs of information or identity theft insurable?
Yes.
120
Why do cyberinsurance companies require some mitigating controls to be in place in the organization?
to reduce the likelihood and impact of an attack
121
If an insurance company believes someone's IRP is not robust, would their premiums be higher or lower?
higher
122
In a SAR, risk levels are generally assigned to (issues discovered/procedures used).
issues discovered
123
Who is more likely to take action to remediate an issue, the centralized incident response team or the CEO?
centralized incident response team
124
What is the best control to help protect against accidental deletion of data?
Back-Ups
125
Why are access controls not the best to help protect against accidental deletion of data?
because even someone with access could end up deleting data accidentally
126
(Symmetric/asymmetric) encryption is employed to protect the data exchanged between a user's device and the VPN server.
symmetric
127
Cleartext is a synonym for ____.
plaintext
128
The longer the key is, the (easier/harder) it is to crack the key (context: data encryption).
harder
129
A delay in the processing of customer orders is a (financial/operational) issue.
operational (short-term financial)
130
Certificate authorities use a "___ ___ ___" to verify identities by checking certificates.
tree of trust (a hierarchy in which each certificate is signed by the CA above it, up to a trusted root; more commonly called a chain of trust)
131
What is a first party risk?
direct losses suffered by the insured party, not the losses suffered or liabilities to third parties