IAS Midterm Reviewer (all answers lower letters)


IAS Midterm Security Quiz

Welcome to the IAS Midterm Reviewer! This comprehensive quiz is designed to test your knowledge on various aspects of application security, data privacy, and information management.

Prepare to engage with questions covering:

  • Confidentiality, Integrity, Availability
  • Access Control Measures
  • Risk Management Strategies
149 Questions | 37 Minutes | Created by SecureGuard42
It describes security measures at the application level that aim to prevent data or code within the app from being stolen or hijacked.
CIA Triad
Least Privilege
Privacy
Confidentiality
Integrity
High Availability
Availability
It is a method of guaranteeing that users are who they say they are and that they have the appropriate access to company data.
It is a set of processes and techniques used to help an organization recover from a disaster and continue or resume routine business operations.
It refers to a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations.
This domain addresses ethical behavior and compliance with regulatory frameworks. It includes the investigative measures and techniques that can be used to determine if a crime has been committed, and methods used to gather evidence.
It looks at how information security controls and safeguards are implemented in IT systems in order to protect the Confidentiality, Integrity, and Availability of the data that are used, processed, and stored in those systems.
It consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible
It describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm.
It is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them
It is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents.
Access Controls restrict users from accessing sensitive Information w/o permission.
This protects Information at rest or in transit
It hides information within images or other files
It ensures that information is not altered without authorization.
This function creates message digests from large files
It provides authenticity and non-repudiation
This is achieved when the recipient of a message can be confident that the message actually came from the purported sender
This is achieved when the recipient of a message can prove to an independent third party that the message actually came from the purported sender
This ensures that information and systems remain available to authorized users when needed
This is any information that can be traced back to an individual
These are individually identifiable health records governed under HIPAA
Enumerate the 10 Steps in Developing Comprehensive Privacy Program. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
This states that no individual should possess two permissions that, in combination, allow them to perform a highly sensitive action
This is the ability to trace every action taken on a system back to an individual user without any ambiguity and without allowing the user to deny responsibility for that action
This limits information access
This limits system permissions
This jeopardizes least privilege
It implements several layers of protection.
It indicates that unless something is explicitly allowed it is denied
It is often called the “Prudent Man” rule, which is doing what any responsible person would do. In other words, this is implementing a security measure to mitigate a certain risk
It is essentially the management of due care. In other words, ensuring the implemented security measure was done correctly
It is the opposite of due care. If you’re not performing due care, what a prudent man would do, and you suffer a negative loss, you could be held legally liable.
It is used to prove identity through the use of some type of credential that is previously known by the authenticator.
3 Factors of Authentication
Something You Know
Something You Want
Something You Dream About
Something You Have
Something You Are
Something You Wish
It includes any measures taken to reduce risk via technological means.
Which are common technical controls?
Encryption
Firewall
Google Chrome
Operating System
Antivirus Software
Password Management
Hard Drive
Backups
Backlogs
Access Control Models
Physical Security Systems
This security control prevents actions
This security control sends alerts during or after an attack
This security control "corrects" a damaged system or process
This security control deters users from performing actions
This security control adds additional security by compensating for other controls' weaknesses.
This security control includes implementing different access control methods with technology you can touch
This security control includes those elements that are implemented through technological means
It defines the human factors of security. It involves all levels of personnel within an organization and determines which users have access to what resources and information
Which are common Logical Access Controls (select 5)
Administrative Controls
Access Control Lists
Windows Group Policies
Pass Policies
Technical Controls
Account Policies
Device Policies
They are the top tier of formalized security documents.
They are much more specific than policies. They are tactical documents because they lay out specific steps or processes required to meet a certain requirement.
It is a minimum level of security that a system, network, or device must adhere to. These are usually mapped to industry standards.
This points to a statement in a policy or procedure by which to determine a course of action.
This is the most specific of security documents. This is a detailed, in-depth, step-by-step document that details exactly what is to be done.
It is anything deemed valuable to a company
Enumerate the Asset Identification & Classification Process. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
Enumerate the Asset Lifecycle. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
This is the long-term storage of valuable assets.
This is data that's stored on media of any form.
This is data that's currently moving across a network from one device to another
This is data that's being used by a system process, application or user.
It is the most valuable asset held by many organizations
It is the use of data sets much larger than those that may be handled by conventional data processing and analytic techniques
It describes security levels
These establish the basis for other information and asset handling requirements
They are the business leaders with overall responsibility for data. They set policies and guidelines for their data sets.
They handle the day-to-day data governance activities. They are delegated responsibility by data owners.
They actually store and process information and are often IT Staff Members
They work with information in their jobs on a daily basis
It is the process that businesses and organizations use to implement changes through building and delivering effective change strategies. It includes reviewing reasons for change, implementing changes, and helping people adapt to these changes. This could be staff structure, introducing new technology, reducing costs, increasing profits, or a combination of these to reach a desired goal.
It tracks specific device settings
It provides a configuration snapshot
It improves the efficiency and effectiveness of configuration management
It assigns numbers to each version
Enumerate the 9 steps of Change Management. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
It is the analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system
This provides users with the knowledge they need to protect the organization's security
This keeps the lessons learned during security training top of mind for employees
It ensures that an organization’s information security controls are consistent with the laws, regulations and standards that govern the org’s activities
These are the laws, regulations and standards
It is manipulating people into divulging information or performing an action that undermines security
This type of social engineering targets specific organizations or individuals
This type of social engineering uses mobile phones or telephones
This type of social engineering uses SMS or text messages
This type of social engineering targets high profile individuals, such as CEO
This type of social engineering gains a victim's trust, typically by creating a backstory that makes them sound trustworthy.
This type of social engineering is a physical security attack that involves an attacker following someone into a secure or restricted area
This type of social engineering occurs when a threat actor directly observes information such as log-in credentials or ATM PINs by hovering over the shoulder of the user.
This type of social engineering is present when someone is secretly listening to confidential information while others are conversing
It combines authentication techniques from two or more of the authentication categories: something you know, something you have and something you are.
Define PAP
Define Chap
It allows single sign-on (SSO) within a web browser across a variety of systems
Define SAML Authentication
It seeks to reduce the burden of identity and access management
This states that individuals may have accounts across multiple systems. This reduces the number of individual identities a user must have
This is an authentication system that shares a single authentication session across multiple systems, avoiding asking users to log in multiple times.
This supports integrating Active Directory SSO with other services
Define ADFS
It extends intranets to third parties
Zero-trust approaches to security place trust in individuals rather than networks.
These platforms are the foundation of zero-trust approaches
They enforce security policies in the Cloud
These platforms remediate endpoint security issues
These state that passwords will remain the most common authentication mechanism.
This means giving group permissions to allow shared security settings
Which of these scenarios are subject to account monitoring (select 5)
Impossible travel time logins
Unusual network locations logins
Sleeping at work
Late at morning ceremonies
Unusual time-of-day logins
Deviations from normal behavior
Deviations in Volume of Data Transferred
After onboarding, administrators create authentication credentials and grant appropriate authorization
During offboarding process, administrators disable accounts and revoke authorizations at the appropriate time
It is an access control system where the operating system restricts authorizations based upon labels, and users are not permitted to modify those authorizations
It is an access control system where permissions may be set by the owners of files, computers and other resources
This model is based on a principle known as ‘least privilege’. An employee is only allowed to access the areas or resources necessary to perform the duties associated with their role in the business. Access can be based on factors such as an employee’s seniority, job title, or responsibilities.
models are frequently used in conjunction with other models, particularly role-based models. This hybrid approach enables administrators to set granular rules that provide additional levels of security to meet specific types of risk.
These are rules that don’t change, unless the administrator decides to make changes to meet emerging threats or new security requirements. For example, an administrator can change the rules applying to an area if it requires a higher level of security.
These are rules that can change under certain circumstances. For example, if the security system detects multiple failed attempts at authorization, the user can be denied access.
These are rules that can deny access to any user who does not have specific credentials to enter an area.
This model is often described as a more granular form of Role-Based Access Control since there are multiple that are required in order to gain access.
This is a dynamic access control model that determines access based on the level of evaluated risk involved in the transaction. One commonly-used example is identifying the risk profile of the user logging in. If the device being logged in from is not recognized, that could elevate the risk to prompt additional authentication. If an action deemed high-risk occurs, such as attempting to update banking information, that could trigger more risk-based prompts.
This is any access control model that does not allow users to pass on access at their discretion.
It is any weakness in the system, design implementation, software code, or lack of preventive mechanisms
It is any condition that could cause harm, loss or damage, or compromise to an asset
It is the probability of realization of threat
It is a type of risk that results directly from operating within a specific industry at a specific time
It is a type of risk that involves compliance with the laws and regulations
It is a type of risk that involves money and finances
It is a type of risk that results from internal failures of processes, people, or systems. It can also result from unforeseen external events such as a power outage or cyber attack.
It is a type of risk that involves the loss of the company's reputation or community standing from product failures, lawsuits, or negative publicity.
It is a type of threat that considers the capability, intent and likelihood of adversaries.
It is a type of threat that occurs when someone makes a mistake that hurts the security of the system
It is a type of threat that occurs when equipment, software, or environmental controls fail
It is a type of threat that occurs when natural or man-made disasters occur
The main goal of this is to minimize the risk to an acceptable level and not necessarily to eliminate all risks
If the organization cannot afford to accept, avoid or mitigate the risk, they can transfer that risk to another business
In this case, the risk is too high to accept, the system configuration or design is changed to avoid the risk associated with a specific vulnerability
This is when the organization accepts the risk associated with a system's vulnerabilities and their associated risks
This is something senior executives do to compare one risk against another in order to make the best resourcing decisions
A tool for measuring risks that is used when there aren't any precise values
A tool used when the organization seeks to numerically assess the risk
It is the percentage of an asset lost during an event
It is the common calculation to determine the cost associated with a particular risk.
Enumerate the NIST RISK Management Framework Process. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
Enumerate what's included in ISO 31000 Risk Management. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
This technique documents and tracks risks over time.
This tracks risk information
Enumerate the contents of Risk Register. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.
This is the set of activities that an organization undertakes to educate itself about changes in the cybersecurity threat landscape and adapt security controls based upon that information.
These are properties that describe a threat.
This means using the asset inventory as the basis for the analysis
This means identifying how specific threats may affect each information system
This means identifying the impact of various threats on a specific service
It is an organized, systematic approach to seeking out indicators of compromise on our networks using expertise and analytic techniques
Enumerate the Indicators of Compromise. Type in this format: (_______) (_______) (_______). All & must be "and". No commas.