The combination of the probability of an event and its consequence (ISO/IEC 73). ___ is/are mitigated through the use of controls or safeguards.
Risk
Threat
Asset
Vulnerability
Anything that is capable of acting against an asset in a manner that can result in harm.
Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation
A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.
The risk level or exposure without taking into account the actions that management has taken or might take
Inherent Risk
Residual Risk
Which breadcrumb is correct when framing an approach to risk management?
Threat Source initiates > Threat Events exploits > Vulnerability causing > Adverse Impact producing > Organization Risk
Threat Source initiates > Vulnerability causing > Threat Events exploits > Adverse Impact producing > Organization Risk
Threat Events exploits >Threat Source initiates > Vulnerability causing > Adverse Impact producing > Organization Risk
Threat Events exploits > Vulnerability causing > Threat Source initiates > Adverse Impact producing > Organization Risk
Approach to developing risk scenarios is based on describing risk events that are specific to cybersecurity-related situations, typically hypothetical situations envisioned by the people performing the job functions in specific processes.
Top-down Approach
Bottom-up Approach
Approach to scenario development is based on understanding business goals and how a risk event could affect the achievement of those goals. Under this model, the risk practitioner looks for the outcome of events that may hamper business goals identified by senior management.
The ___ approach is suited to general risk management of the company, because it looks at both IT- and non- IT-related events. A benefit of this approach is that because it is more general, it is easier to achieve management buy-in even if management usually is not interested in IT. The ___ approach also deals with the goals that senior managers have already identified as important to them.
Bottom-down Approach
The ____ approach can be a good way to identify scenarios that are highly dependent on the specific technical workings of a process or system, which may not be apparent to anyone who is not intimately involved with that work but could have substantial consequences for the organization.
___ is used to calculate the risk that an organization faces based on the number of events that may occur within a given time period.
Impact
Likelihood
Vulnerabilty
Failure to detect a ___ may be the result of its absence, or it may be a false negative arising from configurations of a tool or improper performance of a manual review.
Given the combination of unknown ___ and unknown ___, it is difficult of the cybersecurity professional to provide a comprehensive estimate of the likelihood of a successful attack.
Threat, Vulnerability
Asset, Threat
Vulnerability, Asset
Threat, Risk
Vulnerability assessments and penetration test provide the cybersecurity practitioner with valuable information on which to partially estimate the ___ .
Vulnerabilities
Risks
Threats
When using ___ rankings, the most important state is to rigorously define the meaning of each category and use definitions consistently throughout the assessment process.
Quantitative
Qualitative
For each identified threat, the ___ of harm expected to result should also be determined.
Select all that apply: A number of methodologies are available to measure risk. Different industries and professions have adopted various tactics based upon the following criteria:
Risk tolerance
Size and scope of the environment in the question
Amount of data available
Risk appetite
Threat events
Threat impacts
It is particularly important to understand an organization's ___ when considering how to measure risk.
Risk management plan
Risk assessment
There are three different approaches to implementing cybersecurity. Which three are they below
Ad hoc
Compliance-based
Risk-based
Threat-based
Impact-based
Likelihood-based
An ___ approach simply implements security with no particular rationale or criteria. ___ implementations may be driven by vendor marketing, or they may reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.
Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a “checklist” attitude toward security
___ security relies on identifying the unique risk a particular organization faces and designing and implementing security controls to address that risk above and beyond the entity’s risk tolerance and business needs. The ___ approach is usually scenario-based.
The ___ approach is usually scenario-based.
___ have been known to breach security boundaries and perform malicious acts to gain a competitive advantage.
Cybercriminals
Corporations
Online social hackers
Script kiddies
Motivated by the desire for profit, these individuals are involved in fraudulent financial transactions
Cyberwarriors
Hacktivists
Characterized by their willingness to use violence to achieve their goals, ___ frequently target critical infrastructures and government groups.
Cyberterrorists
Nation states
Often likened to hacktivists, ___ , also referred to as cyberfighters, are nationally motivated citizens who may act on behalf of a political party or against another political party that threatens them.
Although they typically have fairly low-tech methods and tools, dissatisfied current or former ___ represent a clear cybersecurity risk. All of these attacks are adversarial, but some are not related to APT cyberattacks.
Employees
Although they often act independently, politically motivated hackers may target specific individuals or organizations to achieve various ideological ends.
___ often target government and private entities with a high level of sophistication to obtain intelligence or carry out other destructive activities.
Skilled in social engineering, these attackers are frequently involved in cyberbullying, identity theft and collection of other confidential information or credentials.
___ are individuals who are learning to hack; they may work alone or with others and are primarily involved in code injections and distributed denial-of-service (DDoS) attacks.
The actual occurrence of a threat, or an activity by a threat agent (or adversary) against an asset.
Exploit
Attack Vector
Attack
Attack Mechanism
From an attacker’s point of view, the asset is a target, and the path or route used to gain access to the target (asset) is known as an
There are two types of attack vectors: ingress and egress. Which one is known as data exfiltration?
Ingress
Egress
Which attack vector focuses on intrusion and hacking into systems?
Employees that steal data from systems and networks is an example of which attack vector?
The attacker must defeat any controls in place and/or use an ___ to take advantage of a vulnerability.
The method used to deliver the exploit.
Target
An example of this can be a crafted malicious pdf, crafted by the attacker and delivered by email.
Which order is correct for the attributes of an attack?
Attack Vector, Exploit, Vulnerability, Payload, Target (Asset)
Attack Vector, Exploit, Payload, Vulnerability, Target (Asset)
Attack Vector, Vulnerability, Payload, Exploit, Target (Asset)
Attack Vector, Vulnerability, Exploit, Payload, Target (Asset)
Usually the result of an error, malfunction or mishap of some sort.
Adversarial Threat Event
Nonadversarial Threat Event
Made by a human threat agent
The adversary gathers information using a variety of techniques, passive or active.
Perform reconnaissance
Create attack tools
Deliver malicious capabilities
Exploit and compromise
Conduct an attack
Achieve results
Maintain a presence or set of capabilities
Coordinate a campaign
The adversary crafts the tools needed to carry out a future attack.
The adversary inserts or installs whatever is needed to carry out the attack.
The adversary takes advantage of information and systems in order to compromise them.
The adversary coordinates attack tools or performs activities that interfere with organizational functions.
The adversary causes an adverse impact.
The adversary continues to exploit and compromise the system
The adversary coordinates a campaign against the organization.
What is the correct order of the Threat Process?
Perform reconnaissance, Create attack tools, Exploit and compromise, Deliver malicious capabilities, Conduct an attack, Achieve results, Maintain a presence or set of capabilities, Coordinate a campaign
Perform reconnaissance, Create attack tools, Deliver malicious capabilities, Exploit and compromise, Conduct an attack, Achieve results, Maintain a presence or set of capabilities, Coordinate a campaign
Perform reconnaissance, Deliver malicious capabilities, Create attack tools, Exploit and compromise, Conduct an attack, Achieve results, Maintain a presence or set of capabilities, Coordinate a campaign
Perform reconnaissance, Deliver malicious capabilities, Create attack tools, Exploit and compromise, Conduct an attack, Maintain a presence or set of capabilities, Achieve results, Coordinate a campaign
Perform reconnaissance: The adversary gathers information using a variety of techniques, passive or active. Passive may include:
i. Sniffing network traffic ii. Using open source discovery of organizational information (news groups; company postings on IT design and IT architecture) iii. Google hacking
i. Scanning the network perimeter ii. Social engineering (fake phone calls, low-level phishing)
The following are examples of which attack process? a. Sniffing network traffic b. Using open source discovery of organizational information (news groups; company postings on IT design and IT architecture) c. Google hacking d. Scanning the network perimeter e. Social engineering (fake phone calls, low-level phishing)
The following are examples of which attack process? a. Phishing or spear phishing attacks b. Crafting counterfeit websites or certificates c. Creating and operating false organizations and placing them in to the supply chain to inject malicious components
The following are examples of which attack process? a. Introducing malware into organizational information systems b. Placing subverted individuals into privileged positions within the organization c. Installing sniffers or scanning devices on targeted networks and systems d. Inserting tampered hardware or critical components into organizational systems or supply chains
The following are examples of which attack process? a. Split tunneling or gaining physical access to organizational facilities b. Exfiltrating data or sensitive information c. Exploiting multitenancy (i.e., multiple customers on shared resources) in a public cloud environment (e.g., attacking open public access points; application program interfaces [APIs]) d. Launching zero-day exploits
The following are examples of which attack process? a. Communication interception or wireless jamming attacks b. Denial-of-service (DoS) or distributed DDoS attacks c. Remote interference with or physical attacks on organizational facilities or infrastructures d. Session-hijacking or man-in-the-middle attacks
The following are examples of which attack process? a. Obtaining unauthorized access to systems and/or sensitive information b. Degrading organizational services or capabilities c. Creating, corrupting or deleting critical data d. Modifying the control flow of information system (e.g., industrial control system, supervisory control and data acquisition (SCADA) systems)
The following are examples of which attack process? a. Obfuscating adversary actions or interfering with intrusion detection systems (IDSs) b. Adapting cyberattacks in response to organizational security measures
The following are examples of which attack process? a. Multi-staged attacks b. Internal and external attacks c. Widespread and adaptive attacks
Which of the following is NOT a Nonadversarial Threat Event?
Mishandling of critical or sensitive information by authorized users
Incorrect privilege settings
Fire, flood, hurricane, windstorm or earthquake at primary or backup facilities
Introduction of vulnerabilities into software products
Viruses, Network Worms, Botnets
Pervasive disk errors or other problems caused by aging equipment
Software designed to gain access to targeted computer systems, steal information or disrupt computer operations.
DoS Attack
Malware
Social Engineering
Phishing
A piece of code that can replicate itself and spread from one computer to another. It requires intervention or execution to replicate and/or cause damage.
Spyware
Adware
Virus
Network Worm
A variant of the computer virus, which is essentially a piece of self-replicating code designed to spread itself across computer networks. It does not require intervention or execution to replicate.
Trojan Horse
Botnet
A piece of malware that gains access to a targeted system by hiding within a genuine application
Derived from “robot network,” a large, automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as DoS.
A class of malware that gathers information about a person or organization without the knowledge of that person or organization.
Ransomware
Keylogger
Rootkit
Also called “hostage code,” a class of extortive malware that locks or encrypts data or functions and demands a payment to unlock them. Several types are available for every operating system
A class of malware that secretly records user keystrokes and, in some cases, screen content.
A class of malware that hides the existence of other malware by modifying the underlying operating system.
Complex and coordinated attacks directed at a specific entity or organization. They require a substantial amount of research and time, often taking months or even years to fully execute.
Advanced persistent threats (APTs)
Brute force attack
Cross-site scripting (XSS)
A means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions.
Backdoor
Man-in-the-middle attack
An attack made by trying all possible combinations of passwords or encryption keys until the correct one is found.
Buffer overflow
Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
A type of injection in which malicious scripts are injected into otherwise benign and trusted websites.
Structure Query Language (SQL) injection
DoS attack
An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate.
Any attempt to exploit social vulnerabilities to gain access to information and/or systems.
Spear phishing
Social engineering
Spoofing
A type of email attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering.
An attack where social engineering techniques are used to masquerade as a trusted party to obtain important information such as passwords from the victim.
Faking the sending address of a transmission in order to gain illegal entry into a secure system.
An attack that consists of insertion or ‘injection’ of a SQL query via the input data from the client to the application.
Zero-day exploit
A vulnerability that is exploited before the software creator/vendor is even aware of its existence.
Advanced persistent threats (APTs)—
There are several attributes of good policies that should be considered: (select all that apply below)
Security policies should be an articulation of a well-defined information security strategy that captures the intent, expectations and direction of management.
Policies must be update/maintained on a frequent basis.
Policies must be clear and easily understood by all affected parties.
Policies should be short and concise, written in plain language.
Most organizations should create security policies ___ developing a security strategy.
Before
After
Communicate required and prohibited activities and behaviors.
Procedures
Policies
Standards
Guidelines
Interpret policies in specific situations.
Provide details on how to comply with policies and standards.
Provide general advice on issues such as “what to do in particular circumstances.” These are not requirements to be met but are strongly recommended.
Which COBIT 5 information security policy set do the following items belong to: – Data classification and ownership – System classification and ownership – Resource utilization and prioritization – Asset life cycle management – Asset protection
Risk Management
Compliance
Communication and Operations
Asset Management
Which COBIT 5 information security policy set do the following items belong to: – At-work acceptable use and behavior, including privacy, Internet/email, mobile devices, BYOD, etc. – Offsite acceptable use and behavior, including social media, blogs
Acquisition/Development/Maintenance
Rules of Behavior
Which COBIT 5 information security policy set do the following items belong to: – Information security within the life cycle, requirements definition and procurement/acquisition processes – Secure coding practices – Integration of information security with change and configuration management
Which COBIT 5 information security policy set do the following items belong to: Contract management
Vendor Management
Business Continuity and Disaster Recovery
Which COBIT 5 information security policy set do the following items belong to: – IT information security architecture and application design – Service level agreements
Which COBIT 5 information security policy set do the following items belong to: – IT information security ___ assessment process – Development of metrics – Assessment repositories
Which COBIT 5 information security policy set do the following items belong to: – Organizational risk management plan – Information risk profile
