Security Part 1 Flashcards
1
Q
What is Defense in Depth?
A
It is a cybersecurity risk management strategy that is based on the idea that systems can never be completely secure
It encompasses 3 categories of controls:
- Physical
- Technical
- Administrative
2
Q
What is layered security?
A
- It is a part of the defense in depth technical controls
- It is a approach that creates overlapping protective layers so that if 1 security measure fails, deeper layers will stop or slow an attack
- Under this ideology, individual system components can never be completely secure
3
Q
What are stakeholders in IT?
A
- Systems analysts
- Internal end users
- Internal managers
- External companies (customers)
- Stakeholders are any individual/organization with an interest in/affected by an information system
4
Q
What is a cybercriminal?
A
They conduct ransomware attacks to extort money
5
Q
What is a cyberterrorist?
A
They interrupt critical systems to spread hear or create civil unrest
6
Q
Why would a company communicate social media policies to employees as part of a security awareness training program?
A
They would do that to reduce the risk of aiding cyberattack reconnaissance
7
Q
What is RECONNAISSANCE?
A
- The attacker will scan public sources to gather planning information
- Employees who are not cyber aware may post something on social media that attackers can use for malicious purposes
- Ex: Employee may post on instagram where they work and attackers can use that info for malicious purposes
8
Q
What is a replay attack?
A
- The threat agent intercepts info while it is being transmitted and resubmits it to trick another system into providing more info
- Ex: if an encrypted bank password is intercepted, the attacker may later resubmit it to transfer funds
- In this case, the attacker would appear as the original sender because the encrypted password would match
9
Q
What is a preventitive control in a replay attack?
A
It would be to add time/session stamps to all encrypted messages
10
Q
What is an attack surface?
A
- It is the sum of all the points where an attacker can try to gain unauthorized access to an organization’s environment
- Adding more IoT devices expands the attack surface, creating additional weaknesses
11
Q
What are some common authentication techniques?
A
- Iris reader
- Fingerprint reader
- Facial recognition
- Smart card reader
12
Q
What is a digital signature?
A
- It is something that uses data encryption to record a unique identifier, and other info such as the date, time, and location of the signature
- This stamp protects electronic documents from unauthorized alteration and records signers’ identity
- It would NOT prevent unauthorized access to a company payroll file because it is not used to grant entry into a system
13
Q
What is the Internet of Things?
A
- It is a network of physical objects with embedded sensors, software used to connect and exchange data via the internet
- IoT devices use unencrypted communication channels, leaving the data transmitted between the devices vulnerable to attacks
14
Q
What is Man in the Middle?
A
It is an attack where attackers can intercept, read, and alter data in transit from one person to another person
15
Q
What is a buffer overflow attack?
A
It is an attack that exploits hardware memory limitations
16
Q
What is a buffer?
A
It is a temporary storage area used to hold data for processing/transmission
17
Q
What do software coding errors create?
A
They create vulnerabilities that attackers can use to overwhelm a system
18
Q
What is a covert channel attack?
A
It is a cyberattack technique where an unauthorized intrasystem channel adds small bits of data to the stream without being detected
19
Q
What is a race condition attack?
A
- It is a cyberattack technique that exploits a brief gap in time during a processing sequence
- Ex: The moment between when a user logs in and when the login is verified in a database
20
Q
What is a SQL injection attack?
A
It is an attack where a SQL query is injected into an application through a data input field
21
Q
Organizations use what kind of controls to lessen the risks associated with cyberattacks?
A
- Preventitive
- Detective
- Corrective
22
Q
What is virus quarantining?
A
It corrects a detected incident in which files were infected with spyware, ransomware, malware
23
Q
What is firewall redundancy?
A
- It is a preventitive control
- Firewalls mitigate the risk of unauthrorized access
24
Q
What is network analysis?
A
- It is a detective control associated with computer-generated logging
- Ex: An event log records network traffic and usage, like logins, failed passwords
25
What is software hardening?
- It is a preventitive control
- Hardening refers to implementing additional security measures, such as encryption/obfuscation (the act of making something unclear) to protect code from reverse engineering (code that is deconstructed)
26
What does the SERVICE AUDITOR do in order to assess the suitability of the design of controls in a SOC 2 Type 2 examination?
- Understand management's process for identifying risks that threaten the achievement of the service organization's principal service commitments and system requirements
- Assess the completeness of management's risk assessment
- Perform an independent risk assessment
- Determine whether management has implemented the controls
27
When performing procedures, what can a service auditor request?
- Ad hoc computer-generated reports from the service organization's databases
- To see if the retrieved data is relevant, the service organization personnel must input the query into the database
28
What are the 5 components of the COSO ERM framework?
- Governance and culture (Ex of culture-building activities: security awareness training, creating operating structures, defining an entity's desired cyber culture)
- Strategy and objective setting (Ex: Formulating business objectives)
Performance
- Review and revision (Ex: Assessing changes)
- Information, communication, reporting
29
What is least privilege?
This principle states that the system administrator should grant users only the minimum level of access rights necessary to perform an operation for the minimum time
30
What is the need to know principle?
This principle states that users should only have access to info needed for the job function
31
What is whitelisting?
It is a principle that involves using pre-approved lists to determine if an application can be installed, for example
32
What is zero-trust?
It is a principle associated with intrusion detection systems nd treats all network data as suspicious
33
Who are hacktivists?
They are people who conduct attacks to create an awareness of political or social causes
34
What is the 1st step in threat modeling?
- To prepare a DETAILED INVENTORY LIST of all infrastructure components, including mobile devices that access the organization's network
- Without a detailed inventory, it would be tough to identify if mobile activity originated from a legitimate insider vs a threat agent
35
What is the 2nd step in threat modeling?
Preparing an inventory and mapping network connections
36
What is the 3rd step in threat modeling?
Estimating the type, likelihood, and severity of threats
37
What is the 4th step in threat modeling?
Reviewing policies that mitigate risk
38
Security assessment reporting is a risk advisory engagement that applies what standard?
Statements on Standards for Consulting Services
39
What is Statements on Standards for Attestation Engagement?
Apply to SOC compliance, review, agreed-upon procedure engagements
40
What is Statements on Auditing Standards?
GAAS apply to financial statement audits
41
What is a data container?
- It is a separately encrypted storage site on a mobile device
- CONTAINERIZATION is a security control that allows for storage of critical business data apart from personal data on the same device
42
What are 2 preconditions to a SOC 2 Type 2 examination?
1) Management takes responsibility for identify risks
2) Suitability of design and operating effectiveness of controls
43
Intrusion PREVENTION system is
Installed on the organization's network, between the external internet and the organization's internal internet
44
Intrusion DETECTION system is
installed on the user's device (laptop) and protects external network access points by identifying and notifying admin of suspicious data requests
45
What is log analysis?
It is a detective control that involves reviewing logs for errors or exceptions, which can help organizations find cybersecurity incidents AFTER they OCCUR
46
What's the purpose of TRUST SERVICES CRITERIA?
It's used to benchmark controls in attestation and risk advisory engagements that evaluate the trust services categories of security, availability, processing integrity, confidentiality, or privacy
47
What are the 3 types of trust services criteria?
1) Common Criteria
2) Supplemental Criteria
3) Additional category-specific criteria
48
What is a digital certificate?
- It is an electronic file that allows organizations to send data securely over the internet
- They help the receiver of electronic communication verify the identity of the sender of such communication
49
What is spear phishing?
- It is an attack that targets a specific individual
- It requires the attacker to research potential targets to gather credible info
- This info is used by the attacker to disguise themselves as a friend or colleague
50
What is whaling?
It is a form of spear phishing that targets high-ranking individuals (Bob Harrison example) in an organization
51
What is 1 way to prevent data leakage through mobile apps?
- To revoke user granted permissions
- Mobile users sometimes voluntarily give apps permissions to access their personal data without knowing if the app is secure
52
What are the 5 stages in the vulnerability management cycle?
Risk assessment
Threat prioritization
Risk responses
Reassessment
Improvement
53
What is another word for piggybacking?
Tailgating
54
What is pass back?
It is where an individual with access permissions gives their access card to an unauthorized person
55
What are some examples of risk assessment procedures?
Reperformance, inquiry, inspection, observation, and walkthroughs
56
What is an exploit?
It is code/malicious software that is used to carry out an attack after a vulnerability has been identified
57
During a risk advisory engagement to provide a security assessment report, what would a CPA do?
- They would perform vulnerability scans
- Vulnerability scans evaluate hardware, software, networks for security weaknesses
58
What is electronic data interchange (EDI)?
It is the transfer of data or documents from one computer system to another
59
What is discretionary access control?
- Under this control, the owner of the file (Excel for example) decides what the authorization and permissions are.
- Ex: Spreadsheet owner can grant permission (view, comment, edit) to other firm members
60
What is a distributed denial of service attack?
- It is an attack where multiple bots send a surge of false requests to overwhelm a network
- These false requests slow down network traffic
61
What are the 6 stages in a cyberattack?
Reconnaissance
Gaining access
Escalation of privileges
Maintaining access
Network exploitation
Covering tracks
62
What is network spoofing?
- It occurs when a hacker impersonates a Wi-Fi network to trick users into providing sensitive data
- Public hotspot users should avoid making transactions or logging into important sites. Instead, you should use your own cell phone hotspot to stay safe
63
What are the different types of malware?
- Ransomware (prevents access to a system until money is paid)
- Spyware (tracks browsing history and keystrokes)
- Adware (directs users to different websites via pop-up ads)
- Malware (infects using viruses, worms, trojan horses)
64
What does SEGREGATION prevent?
- It prevents a customer for example, from accessing proprietary product info
- Customers interact with a separate network that doesn't interface with internal company systems
65
Inspecting documentation showing the database table relationships and inquiring if the service organization follows a data security framework, and reperforming calcualtions are examples of:
The service auditor's risk assessment
66
What is return-oriented programming attack?
This attack changes the return addresses within existing executable memory instruction sequences
67
What are mandatory access controls?
- Used in situations where sensitive information is held
- Permission settings are configured by the system administrator
68
What is a Business Impact Analysis?
- This analysis addresses ALL SITUATIONS (natural disasters, fires, cyberattacks, etc) that can disrupt business functions
69
What are the "Statements on Standards for Attestation Engagements"?
These attestation standards apply to examinations (SOC, compliance), reviews, and agreed-upon procedure engagements
70
What are "Statements on Standards for Consulting Services"?
Security assessment reporting is a RISK ADVISORY engagement that applies these statements
71
What is an administrative control in a defense-in-depth strategy?
- Security awareness training
- This is because these administrative controls will control access to the system and train employees
72
What is a host-based intrusion detection system?
It checks for system files missing from data leaving a host device
73
What is a protocol-based intrusion detection system?
They safeguard web servers by examining data going to and from a user front end
74
What is an application protocol-based intrusion detection system?
It defends application servers by examining data sent between application servers
75
What is a network-based intrusion detection system?
It is used to identify threats that create unusual traffic and policy violations
76
What is cross site scripting?
It is a cyberattack where attackers inject malicious script into a website. The script then executes in a victim's browser, enabling the attackers to access and use data stored by the browser
77
What is clickjacking?
It is a way to hijack web traffic by tricking users into clicking a malicious link or initiating an unintended action like taking them to a different webpage
78
What is return oriented programming?
It bypasses security defenses by manipulating return addresses. These attacks alter the flow of instructions rather than injecting harmful code
79
What are the 4 logical control concepts?
- Principle of Least Privilege
- Need-to-know principle
- Whitelisting
- Zero-trust
80
What does authentication do?
It confirms a user's identity
81
What does authorization do?
It determines what a user is privileged to do within a system
82
What is script injection?
- It delivers and executes malicious code
- These scripts can damage systems, access data, or steal money
83
What is Discretionary Access Control?
- It is where the object owner can extend access to any user
- All users granted access to the object can grant privileges to other subjects, limiting the organization's ability to restrict its personnel's purchase requisition approval level
84
What is mandatory access control?
Resource objects are given a security label and category that define the department or role that may be granted access
85
What is the "Statements on Standards for Consulting Services"?
It is a standard in which a CPA firm applies in an engagment to provide a security assessment report that involves documenting issues, findings, and recommendations
86
What is a buffer overflow attack?
It exploits unpatched vulnerabilities in the code of an application
87
What is cross site scripting?
It targets web applications through browsers
