Security, Confidentiality, and Privacy Flashcards

1
Q

General Data Protection Regulation (GDPR) 7 principles - global law

A
  1. Lawfulness, fairness & transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity & confidentiality
  7. Accountability
2
Q

COBIT governance system objective =

A

ensure alignment of IT with business goals & objectives

3
Q

HIPAA (security standard) 2 Safeguards

A
  1. Administrative Safeguards
    a. conducting regular risk assessments and audits
  2. Technical/Physical Safeguards
    a. encrypting PHI in transit & at rest
    b. installing firewalls & antivirus software
    c. locking cabinets & doors that contain PHI
4
Q

Access Control Mechanism:

A

Hardware/software features, operating/management procedures, and various combinations of these designed to prevent and detect unauthorized access and to permit authorized access in an automated system

5
Q

National Institute of Standards and Technology (NIST) Privacy Framework:

A

designed to help organizations achieve their specific cybersecurity goals and objectives to achieve key business outcomes

  1. Core: set of privacy activities and outcomes
  2. Profiles: selection of specific functions, categories & subcategories from the Core that reflect an organization's privacy goals & needs
  3. Implementation Tiers: tool for evaluating an organization's privacy risk management practices
6
Q

Payment Card Industry Data Security Standard (PCI DSS):

A

optimize the security of credit, debit and cash card transactions

6
Q

NIST Privacy Framework single privacy objective =

A

Personally identifiable information must be collected, used, retained, and disclosed in compliance with the commitments in the entity’s privacy notice and with criteria set out in the NIST Privacy Framework

7
Q

CIA triad

A
  1. Availability
  2. Confidentiality
  3. Reliability
8
Q

Privacy by default:

A

building privacy safeguards at the outset (limit data collection or refer to privacy as the default setting)

9
Q

PCI DSS v4.0 Goals (6) and Core Requirements (12)

A

a. Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain network security controls.
Requirement 2: Apply secure configurations to all system components.

b. Protect Account Data
Requirement 3: Protect stored account data.
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks

c. Maintain a Vulnerability Management Program
Requirement 5: Protect all systems and networks from malicious software.
Requirement 6: Develop and maintain secure systems and software

d. Implement Strong Access Control Measures
Requirement 7: Restrict access to system components and cardholder data by business need to know.
Requirement 8: Identify users and authenticate access to system components.

e. Regularly Monitor and Test Networks
Requirement 10: Log and monitor all access to system components and cardholder data.
Requirement 11: Test the security of systems and networks regularly.

f. Maintain an Information Security Policy
Requirement 12: Support information security with organizational policies and programs.

10
Q

Email spoofing:

A

perpetrator pretends to be someone else

11
Q

Password spoofing:

A

perpetrator tricks user into logging into malicious system to capture username & password

12
Q

Keyloggers:

A

malicious software designed to track every keystroke to obtain user credentials to give to attacker

13
Q

Social engineering:

A

uses persuasion/deception to gain access to IT systems (impersonation through phone or email, dumpster diving & shoulder surfing)

14
Q

Electronic trashing:

A

accessing residual data after a file has been deleted

15
Q

Electronic piggybacking:

A

gaining unauthorized access to a resource via another user’s legitimate credentials

16
Q

Network analysis attack:

A

perpetrator performs research to build a complete profile of an organization's network infrastructure & architecture

17
Q

Masquerading attack:

A

attempt to gain access to computer system or facility by posing as an authorized user

18
Q

Email bombing:

A

sending identical email message to particular email ID several times

19
Q

Malware attack:

A

deploying malicious software to compromise systems, steal data or disrupt operations

20
Q

Sniffing attack:

A

eavesdropping on network traffic to intercept and capture data

21
Q

Phishing attack:

A

tricking users into revealing sensitive info through emails or websites

22
Q

Nonrepudiation:

A

ensure senders of a message cannot deny sending info & that receivers cannot deny receiving it

23
Q

Web application attack:

A

exploiting vulnerabilities in web applications

24
Q

Distributed denial of service (DDoS) attack:

A

overwhelming a target system with a flood of traffic or requests causing it to become unavailable to legitimate users

25
Q

Cybersecurity attacker:

A

specific threat agent actively launching attacks against an organization's systems

26
Q

SQL injection attack:

A

manipulates input fields to inject SQL code into a database query

27
Q

Cross-site scripting (XSS) attack:

A

injects malicious scripts into a web application (comments or input fields)

28
Q

Logic bomb:

A

uses a computer program to trigger an unauthorized malicious activity at a prespecified event (financial calculation exceeds a specific dollar amount)

29
Q

Worm:

A

independent computer program that reproduces by copying itself from 1 system to another; does not require human involvement (uses open file shares to infect several workstations quickly)

30
Q

Race condition attack:

A

2 or more processes/threads attempt to access shared resources simultaneously

31
Q

Data diddling attack:

A

perpetrator gains access to a system & makes insignificant, random, or incremental data modification during or before data entry into a system (executed by insiders)

32
Q

Salami attack:

A

theft of small amounts of assets from several sources

33
Q

Attack Lifecycle

A

Reconnaissance: marks the beginning of a cyberattack (collects info about target system)
Enumeration: process of extracting usernames/machine names/network resources/shares/services from a system
Maintaining access: installing backdoors to maintain control
Covering tracks: attempt to erase or alter log files to remove evidence of their presence

34
Q

Honeypots:

A

computers that security admin place as a trap for intruders

35
Q

Denial-of-service attack:

A

attempt to make network resource unavailable by overloading the server with false requests

36
Q

Lockwords:

A

system generated terminal passwords shared among users

37
Q

Passcodes:

A

combination of password & ID card

38
Q

Local Area Network (LAN): series of microcomputers linked together by cable & sometimes a common storage device

A
  1. Star LAN: remote computers with direct access to a central computer (spokes connected to the hub)
  2. Ring LAN: does not have a common hub, but can have a server (ring with each computer/node connected to only 2 other computers)
39
Q

Wide Area Network (WAN):

A

communications network that connects geographically separated areas (cities or continents)

40
Q

Virtual Private Network (VPN):

A

a combination of public and private resources; uses the internet to provide secure remote access to an organization's network

41
Q

Access Controls (4)

A
  1. Role-based: restricts access according to job roles & responsibilities
  2. Rule-based: restricts access based on specific rules relating to nature of the subject & object
  3. Discretionary: resource owner decides who should access the resource
  4. Single sign-on: technology used to manage access to networks, applications and multiple systems
42
Q

Utility program:

A

used to perform routine tasks that are needed often by many different processing applications

43
Q

Public (Asymmetric) Key Encryption:

A

uses key pairs (public key & mathematically related private key)

Use Public Keys
1. RSA (Rivest–Shamir–Adleman)
2. Elliptic-curve cryptography (ECC): for mobile devices

44
Q

Privacy by default:

A

building privacy safeguards at the outset (data retention & destruction)

45
Q

SSH (Secure Shell):

A

securing remote connections

46
Q

Incident Response Stages

A

a. Preparation: prevent incidents from occurring (creating risk management plan, implementing security controls, educating employees about cybersecurity)
b. Detection & Analysis: collect as much info as possible about the incident
c. Containment, Eradication & Recovery: stopping the attack, removing all traces of malware & restoring normal operations
d. Post-incident Activity: review to learn from incident & improve company’s incident response process

47
Q

Fourth-Generation Languages (routine basis)

A
  1. Report generator
  2. Program generator
  3. Application generator
48
Q

Distributed data processing:

A

network of interdependent computers where some functions are centralized, others are decentralized & processing is shared among 2 or more computers

49
Q

Built-on security feature

A

= any feature installed during the postimplementation of a system

50
Q

Data Quality Subdimension (3)

A
  1. Intrinsic: ensures that the range & proportion of data values conform with actual values for accuracy, objectivity & reputation
  2. Contextual: the range and proportion of information that is applicable and relevant to the user’s task and presented in a manner that satisfies users’ data requirements
  3. Security/Accessibility: the range and proportion of information that is available or accessible
51
Q

Metadata:

A

provide a table of contents for the data warehouse info (mapping between the data sources & warehouse)

52
Q

Return-oriented programming (ROP):

A

attacker utilizes existing code sequences (gadgets) in a program's memory to perform malicious actions without injecting new code

53
Q

COSO Framework = risk identification & TSC criteria = risk management

A
54
Q

How does materiality determination differ between SOC 1 & SOC 2?

A

SOC1 use financial criteria & SOC 2 use operational criteria

55
Q

Cryptanalytic attack:

A

intruder tries to break into the algorithm to find out the private key

56
Q

Key management attack:

A

intruder tries to get a copy of the private key & associated passphrase

57
Q

XML (Extensible Markup Language):

A

A settings file format which formats information for use on the Web by identifying the nature of the information (e.g., information coded as a telephone number could be located on a page by a browser and dialed automatically).

58
Q

Machine Language:

A

1st gen language; the elemental language of computers, a set of symbolic instruction code consisting of a long sequence of binary digital zeros and ones (bits). Every CPU has its own unique version.

59
Q

Assembly Language:

A

2nd gen language for microprocessors and other programmable devices, with a strong one-to-one correspondence between the language and the architecture’s machine code instructions. Writing programs in this language is time-consuming and prone to error

60
Q

XBRL (eXtensible Business Reporting Language):

A

Required by the SEC for reporting; an electronically readable format. This open-information format standard enables automated sharing of numeric and textual information contained in financial statements (including footnotes) and other business reports.

61
Q

Fourth-generation Language:

A

These languages have many routine procedures preprogrammed; the programmer states what is to be done, but not necessarily how to do it. They are often related to a Database Management System (DBMS) that allows programmers to create database structures and manipulate data quickly and relatively easily.

62
Q

HTML:

A

A language which inserts symbols, or tags, into text files to achieve font, color, graphic, and hyperlink effects on World Wide Web pages.

63
Q

Object-oriented Language:

A

These third-generation languages use a modular approach, increasing development efficiency and maintenance ease. Routine operations are kept with the data to be processed. The focus is on the object involved in accomplishing that task.

64
Q

Management information system:

A

A computerized database of financial information that is organized, programmed, and constantly updated to produce periodic reports used for operational, tactical, and strategic decision-making within a given organization.

65
Q

Circuit switching:

A

involves a dedicated channel for the duration of the transmission. The sender signals that it will send a message; the receiver acknowledges the signal. The sender then sends the entire message. Voice and data may use the same line with no special data protocols. The two communicating devices must be compatible.

66
Q

Packet switching:

A

divides a message into pieces which may be transmitted separately through different paths, reassembling the pieces of the original message at the destination. Lines are used on demand as opposed to being committed to a single transmission.

67
Q

Dynamic Scaling:

A

allows cloud infrastructure to adapt & allocate resources based on demand

68
Q

Virtualization:

A

act of creating a virtual version of computing environment (hardware/operating system/storage devices)

69
Q

Accounting Information System (AIS) Key Components

A
  1. Financial transactions
  2. Compliance
  3. Data storage
  4. Reporting
70
Q

Consensus mechanism in blockchain:

A

ensures all transactions are validated and agreed upon before added to blockchain

71
Q

AIS Services

A
  1. Transaction processing
  2. Implementing internal controls
  3. Maintaining audit trails
  4. Compiling financial data for F/S
72
Q

Check digit:

A

numeric value to ensure the integrity of the original data during construction or transmission (input control)

73
Q

Hash total:

A

fixed-size string of characters using hash function to ensure data integrity

74
Q

Configuration Management Database (CMDB):

A

database for entity’s hardware and software components & relationships between those components