Domain overview
- Domain 1. Security and Risk Management
- Domain 2. Asset Security
- Domain 3. Security Architecture and Engineering
- Domain 4. Communication and Network Security
- Domain 5. Identity and Access Management (IAM)
- Domain 6. Security Assessment and Testing
- Domain 7. Security Operations
- Domain 8. Software Development Security
Assessment Test (online test)
01 Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity?
- Preventive
- Deterrent
- Detective
- Corrective
02 Define and detail the aspects of password selection that distinguish good password choices from ultimately poor password choices.
- Is difficult to guess or unpredictable.
- Meets minimum length requirements.
- Meets specific complexity requirements.
- All of the above.
03 Some adversaries use DoS attacks as their primary weapon to harm targets, whereas others may use them as weapons of last resort when all other attempts to intrude on a target fail. Which of the following is most likely to detect DoS attacks?
- Host-based IDS
- Network-based IDS
- Vulnerability scanner
- Penetration testing
04 Unfortunately, attackers have many options of attacks to perform against their targets. Which of the following is considered a denial of service (DoS) attack?
- Pretending to be a technical manager over the phone and asking a receptionist to change their password.
- While surfing the web, sending to a webserver a malformed URL that causes the system to consume 100 percent of the CPU.
- Intercepting network traffic by copying the packets as they pass through a specific subnet.
- Sending message packets to a recipient who did not request them, simply to be annoying.
05 Hardware networking devices operate within the protocol stack just like protocols themselves. Thus, hardware networking devices can be associated with an OSI model layer related to the protocols they manage or control. At which layer of the OSI model does a router operate?
- Network layer
- Layer 1
- Transport layer
- Layer 5
06 Which type of firewall automatically adjusts its filtering rules based on the content and context of the traffic of existing sessions?
- Static packet filtering
- Application level gateway
- Circuit level gateway
- Stateful inspection firewall
07 A VPN can be a significant security improvement for many communication links. A VPN can be established over which of the following?
- Wireless LAN connection
- Remote access dial up connection
- WAN link
- All of the above
08 Adversaries will use any and all means to harm their targets. This includes mixing attack concepts together to make a more effective campaign. What type of malware uses social engineering to trick a victim into installing it?
- Virus
- Worm
- Trojan Horse
- Logic Bomb
09 Security is established by understanding the assets of an organization that need protection and understanding the threats that could cause harm to those assets. Then, controls are selected that provide protection for the CIA Triad of the assets at risk. The CIA Triad consists of what elements?
- Consciousness, interoperable, arranged
- Authentication, authorization, accountability
- Capable, available, integral
- Availability, confidentiality, integrity
10 The security concept of AAA services describes the elements that are necessary to establish subject accountability. Which of the following is not a required component in the support of accountability?
- Logging
- Privacy
- Identification verification
- Authorization
11 Collusion is when two or more people work together to commit a crime or violate a company policy. Which of the following is not a defense against collusion?
- Separation of duties
- Restricted job responsibilities
- Group user accounts
- Job rotation
12 A data custodian is responsible for securing resources after … has assigned the resource a security label.
- Senior management
- The data owner
- An auditor
- Security staff
13 In what phase of the Capability Maturity Model for Software (SW-CMM) are quantitative measures used to gain detailed understanding of the software development process?
- Repeatable
- Defined
- Managed
- Optimizing
14 Which one of the following is a layer of the ring protection scheme design concepts that is not normally implemented?
- Layer 0
- Layer 1
- Layer 3
- Layer 4
15 TCP operates at the Transport layer and is a connection oriented protocol. It uses a special process to establish a session each time a communication takes place. What is the last phase of the TCP three-way handshake sequence?
- SYN flagged packet
- ACK flagged packet
- FIN flagged packet
- SYN/ACK flagged packet
16 The lack of secure coding practices has enabled an uncountable number of software vulnerabilities that hackers have discovered and exploited. Which one of the following vulnerabilities would be best countered by adequate parameter checking?
- Time of check to time of use
- Buffer overflow
- SYN flood
- Distributed Denial of Service (DDoS)
17 Computers are based on binary mathematics. All computer functions are derived from the basic set of Boolean operations. What is the value of the logical operation shown here?
X: 011010
Y: 001101
X OR Y: ?
- 010111
- 001000
- 011111
- 100101
18 Which of the following are considered standard data classifications used in either a government/military or a private sector organization? Choose all that apply.
- Public
- Healthy
- Private
- Internal
- Sensitive
- Proprietary
- Essential
- Certified
- Critical
- Confidential
- For your eyes only
19 The General Data Protection Regulation (GDPR) has defined several roles in relation to the protection and management of personally identifiable information (PII). Which of the following statements is true?
- A data processor is the entity assigned specific responsibilities for a data asset in order to ensure its protection for use by the application.
- A data custodian is the entity that performs operations on data.
- A data controller is the entity that makes decisions about the data they are collecting.
- A data owner is the entity assigned or delegated the day to day responsibility of proper storage and transport as well as protecting data, assets and other organizational objects.
20 If Renee receives a digitally signed message from Mike, what key does she use to verify that the message truly came from Mike?
- Renee’s public key
- Renee’s private key
- Mike’s public key
- Mike’s private key
21 A systems administrator is setting up a new data management system. It will be gathering data from numerous locations across the network, even from remote office locations. The data will be moved to a centralized facility, where it will be stored on a massive RAID array. The data will be encrypted on the storage system using AES-256, and most files will be signed as well. The location of this warehouse is secured so that only authorized personnel can enter the room, and all digital access is limited to a set of security administrators. Which of the following describes the data?
- The data is encrypted in transit
- The data is encrypted in processing
- The data is redundantly stored
- The data is encrypted at rest
22 The _ _ _ is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization.
- Data owner
- Data controller
- Data processor
- Data custodian
23 A security auditor is seeking evidence of how sensitive documents made their way out of the organization and onto a public document distribution site. It is suspected that an insider exfiltrated the data over a network connection to an external server, but this is only a guess. Which of the following would be useful in determining whether this suspicion is accurate? Choose two.
- NAC
- DLP alerts (Data Loss Prevention)
- Syslog
- Log analysis
- Malware scanner reports
- Integrity monitoring
24 A new Wireless Access Point (WAP) is being installed to add wireless connectivity to the company network. The configuration policy indicates that WPA3 is to be used, and thus only newer, updated endpoint devices can connect. The policy also states that enterprise (ENT) authentication will not be implemented. What authentication mechanism can be implemented in this situation?
- IEEE 802.1X
- IEEE 802.1q
- Simultaneous Authentication of Equals (SAE)
- EAP-FAST
25 When securing a mobile device, what types of authentication can be used that depend on the user’s physical attributes? (Choose all that apply).
- Fingerprint
- TOTP (Time based One Time Password)
- Voice
- SMS
- Retina
- Gait
- Phone call
- Facial recognition
- Smartcard
- Password
26 A recently acquired piece of equipment is not working properly. Your organization does not have a trained repair technician on staff, so you have to bring in an outside expert. What type of account should be issued to a trusted third-party repair technician?
- Guest account
- Privileged account
- Service account
- User account
27 Security should be designed and integrated into the organization as a means to support and maintain the business objectives. However, the only way to know whether the implemented security is sufficient is to test it. Which of the following is a procedure designed to test and perhaps bypass a system’s security controls?
- Logging usage data
- War dialing
- Penetration testing
- Deploying secured desktop workstations
28 Security needs to be designed to support the business objectives, but it also needs to be legally defensible. To defend the security of an organization, a log of events and activities must be created. Auditing is a required factor to sustain and enforce what?
- Accountability
- Confidentiality
- Accessibility
- Redundancy
29 Risk assessment is a process by which the assets, threats, probabilities, and likelihoods are evaluated in order to establish criticality prioritization. What is the formula used to compute the annualized loss expectancy (ALE)?
- ALE = AV * EF * ARO
- ALE = ARO * EF
- ALE = AV * ARO
- ALE = EF * ARO
30 Incident response plans, business continuity plans and disaster recovery plans are crafted when implementing business level redundancy. These plans are derived from the information obtained when performing a business impact assessment (BIA). What is the first step of the BIA process?
- Identification of priorities
- Likelihood assessment
- Risk identification
- Resource prioritization
31 Many events can threaten the operation, existence, and stability of an organization. Some of those threats are human caused, whereas others are from natural events. Which of the following represents natural events that can pose a threat or risk to an organization?
- Earthquake
- Flood
- Tornado
- All of the above.
32 What kind of recovery facility enables an organization to resume operations as quickly as possible, if not immediately, upon failure of the primary facility?
- Hot site
- Warm site
- Cold site
- All of the above
33 During an account review, an auditor provided the following report:
| User | Last login | Last password change |
| Bob | 4 hours ago | 87 days ago |
| Sue | 3 hours ago | 38 days ago |
| John | 1 hour ago | 935 days ago |
| Kesha | 3 hours ago | 49 days ago |
The security manager reviews the account policies of the organization and takes note of the following requirements:
- Passwords must be at least 12 characters long
- Passwords must include at least one example of three different character types.
- Passwords must be changed every 180 days.
- Passwords cannot be reused.
Which of the following security controls should be corrected to enforce the password policy?
- Minimum password length
- Account lockout
- Password history and minimum age
- Password maximum age
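The account report above can be checked mechanically rather than by eye. The following Python is an added example and not part of the original question set; the report is re-entered as a constructed CSV and the 180-day limit is taken from the policy in the question. It lists accounts whose password is older than the maximum age and then checks whether such an account has logged in since the deadline passed, which is the evidence that the maximum-age control is not being enforced (a working control would have forced a change at the deadline).

```python
"""Check an account-review report against a password maximum-age policy."""
from dataclasses import dataclass

# Constructed sample: the auditor's report from the question, re-entered as CSV.
ACCOUNT_REPORT = """\
user,last_login_hours_ago,last_password_change_days_ago
Bob,4,87
Sue,3,38
John,1,935
Kesha,3,49
"""

MAX_PASSWORD_AGE_DAYS = 180  # policy: passwords must be changed every 180 days


@dataclass(frozen=True)
class AccountRow:
    user: str
    last_login_hours_ago: int
    password_age_days: int


def parse_report(text: str) -> list[AccountRow]:
    """Parse the CSV report; the first non-empty line is the header."""
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:
        user, login, age = (field.strip() for field in line.split(","))
        rows.append(AccountRow(user, int(login), int(age)))
    return rows


def expired_passwords(rows, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return {user: days_overdue} for every account whose password is older
    than the policy allows."""
    return {
        r.user: r.password_age_days - max_age_days
        for r in rows
        if r.password_age_days > max_age_days
    }


def enforcement_gaps(rows, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Users who logged in after their password should already have expired.

    A login more recent than the time the password has been overdue happened
    while the password was past its maximum age, so the control did not force
    a change."""
    overdue = expired_passwords(rows, max_age_days)
    return sorted(
        r.user for r in rows
        if r.user in overdue and r.last_login_hours_ago < overdue[r.user] * 24
    )


if __name__ == "__main__":
    report = parse_report(ACCOUNT_REPORT)
    print("expired passwords (days overdue):", expired_passwords(report))
    print("maximum-age control not enforced for:", enforcement_gaps(report))
```

Run stand-alone it reports John as 755 days overdue and still logging in; the other three accounts are within the 180-day window, so the minimum-length, complexity, and history controls cannot be judged from this report at all.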
34 Any evidence to be used in a court proceeding must abide by the Rules of Evidence to be admissible. What type of evidence refers to written documents that are brought into court to prove a fact?
- Best evidence
- Parol evidence
- Documentary evidence
- Testimonial evidence
35 DevOps manager John is concerned with the CEO’s plan to minimize his department and outsource code development to a foreign programming group. John has a meeting scheduled with the board of directors to encourage them to retain code development in house due to several concerns. Which of the following should John include in his presentation? (Choose all that apply).
- Code from third parties will need to be manually reviewed for function and security.
- If the third party goes out of business, existing code may need to be abandoned.
- Third party code development is always more expensive.
- A software escrow agreement should be established.
36 When TLS is being used to secure web communications, what URL prefix appears in the web browser address bar to signal this fact?
- SHTTP://
- TLS://
- FTPS://
- HTTPS://
37 A new update has been released by the vendor of an important software product that is an essential element of a critical business task. The Chief Security Officer (CSO) indicates that the new software version needs to be tested and evaluated in a virtual lab, which has a cloned simulation of many of the company’s production systems. Furthermore, the results of this evaluation must be reviewed before a decision is made as to whether the software update should be installed and, if so, when to install it. What security principle is the CSO demonstrating?
- Business Continuity Planning (BCP)
- Onboarding
- Change management
- Static analysis
38 What type of token device produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate?
- HOTP
- HMAC
- SAML
- TOTP
39 Your organization is moving a significant portion of its data processing from an on-premises solution to the cloud. When evaluating a cloud service provider (CSP), which of the following is the most important security concern?
- Data retention policy
- Number of customers
- Hardware used to support VMs
- Whether they offer MaaS, IDaaS and SaaS
40 Most software vulnerabilities exist because of a lack of secure or defensive coding practices used by the developers. Which of the following is considered a secure coding technique? (Choose all that apply)
- Using immutable systems
- Using stored procedures
- Using code signing
- Using server-side validation
- Optimizing file sizes
- Using third party software libraries
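Two of the options above, stored procedures and server-side validation, both work by keeping untrusted input out of query syntax. The following Python is an added example, not code from the original page, using an in-memory SQLite table with two constructed rows. SQLite has no stored procedures, so the parameterized query stands in for the bound-parameter call that a stored procedure would use; the `USERNAME_RE` allow-list and the `lookup_*` function names are this example’s own. The vulnerable function shows the bypass, the hardened one shows the two controls together.

```python
"""String-built query versus bound parameters plus server-side validation."""
import re
import sqlite3

# Allow-list: lowercase letter, then 2-31 letters, digits or underscores.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")

# Constructed payload: closes the quoted literal and ORs in a tautology.
INJECTION_PAYLOAD = "x' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username: str):
    """Insecure: the input becomes part of the SQL text, so quotes change the query."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username: str):
    """Bound parameter: the driver sends the value separately from the SQL text,
    so the payload is compared as a literal string and matches nothing."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(username: str) -> str:
    """Server-side validation: reject anything outside the allow-list before it
    reaches the data layer. Client-side checks can be bypassed, so this runs on
    the server regardless of what the browser did."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"invalid username: {username!r}")
    return username


def lookup_hardened(conn, username: str):
    """Both controls: validate first, then query with a bound parameter."""
    return lookup_parameterized(conn, validate_username(username))


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION_PAYLOAD))   # both rows leak
    print("parameterized:", lookup_parameterized(db, INJECTION_PAYLOAD))  # []
    try:
        lookup_hardened(db, INJECTION_PAYLOAD)
    except ValueError as exc:
        print("hardened rejected input:", exc)
```

Validation alone is not sufficient: a username policy that permitted apostrophes (O'Brien) would let the payload through, which is why the bound parameter is the primary control and the allow-list is defense in depth.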
Security Governance Principles and Policies
Confidentiality
| Sensitivity | Refers to the quality of information that could cause harm or damage if disclosed. |
| Discretion | An act of decision by which an operator can influence or control disclosure in order to minimize harm or damage. |
| Criticality | The higher the criticality the more important to maintain confidentiality. |
| Concealment | The act of hiding or preventing disclosure. |
| Secrecy | The act of keeping something a secret or preventing disclosure. |
| Privacy | Keeping information confidential that is personally identifiable. |
| Seclusion | Involves storing something in an out-of-the-way location. |
| Isolation | The act of keeping something separated from others. |
Integrity
| Preventing unauthorized subjects from making modifications. |
| Preventing authorized subjects from making unauthorized modifications, such as mistakes. |
| Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any other object is valid, consistent, and verifiable. |
Availability
| Usability | The state of being easy to use or learn, or of being able to be understood and controlled by a subject. |
| Accessibility | The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations. |
| Timeliness | Being prompt, on time, within a reasonable time frame, or providing low latency response. |
Elements of AAA services
- Identification
- A subject must perform identification to start the process of authentication, authorization, and accountability (AAA).
- Authentication
- The process of verifying whether a claimed identity is valid is authentication.
- Authorization
- Once a subject is authenticated, access must be authorized.
- Auditing
- A subject’s actions are tracked and recorded so that the subject can be held accountable for them.
- Accountability (accounting)
- Accountability is established by linking an individual to the activities of an online identity through the AAA security services.
Defense in Depth
Defense in depth, also known as layering, is the use of multiple controls in a series.
1. A parallel configuration is very wide but shallow.
2. A serial configuration is very deep but narrow.
Abstraction
Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
Data hiding
Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible to, or visible to, the subject.
Security through obscurity means that data is not hidden but simply kept secret and not talked about; if it were searched for, it could be found by the subject.
Security boundaries
A security boundary exists between a high security area and a low security area, such as between a LAN and the internet. Once you identify a security boundary, you must deploy mechanisms to control the flow of information across that boundary.
Security governance
Is the collection of practices related to supporting, evaluating, defining and directing the security efforts of an organization. Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance.
ATO = Authorization To Operate
TATO = Temporary Authorization To Operate
Due Diligence and Due Care
Due Diligence
Establishing a plan, policy, and process to protect the interests of an organization.
Due care
Practicing the individual activities that maintain the due diligence effort.
Due Diligence is developing a formalized security structure containing a security policy, standards, baseline, guidelines and procedures.
Due Care is the continued application of this security structure onto the IT infrastructure of an organization.
Due Diligence is knowing what should be done and planning for it.
Due Care is doing the right action at the right time.
Exam Essentials
Understand the CIA Triad Elements
Confidentiality is the principle that objects are not disclosed to unauthorized subjects.
Integrity is the principle that objects retain their veracity and are intentionally modified only by authorized subjects.
Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects.
Know the elements of AAA services
AAA is composed of identification, authentication, authorization, auditing and accountability.
Be able to explain how identification works
Identification is the process by which a subject professes an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorization and accountability.
Understand the process of authentication
Authentication is the process of verifying or testing that a claimed identity is valid.
Once a subject is authenticated, its access must be authorized. The process of authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity.
Be able to explain the auditing process
Auditing is the programmatic means by which subjects are held accountable for their actions while authenticated on a system through the documentation or recording of subject activities.
Understand the importance of accountability
Security can be maintained only if subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject’s identity and track their activities.
Be able to explain nonrepudiation
Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred. It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.
Know about defense in depth
Defense in depth, also known as layering, is simply the use of multiple controls in a series. Using a multilayered solution allows for numerous different controls to guard against whatever threats come to pass.
Be able to explain the concept of abstraction
Abstraction is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
Understand data hiding
Data hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject.
Know about security boundaries
A security boundary is the line of intersection between any two areas, subnets, or environments that have different security requirements or needs.
Understand security governance
Security governance is the collection of practices related to supporting, defining and directing the security efforts of an organization.
Know about third party governance
Third-party governance is the system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements.
Understand documentation review
Documentation review is the process of reading the exchanged materials and verifying them against standards and expectations.
Understand alignment of security function to business strategy, goals, missions and objectives
Security management planning ensures proper creation, implementation, and enforcement of a security policy.
Know what a business case is
A business case is usually a documented argument or stated position in order to define a need to make a decision or take some form of action.
Understand security management planning
Security management is based on three types of plans: strategic, tactical, and operational. Strategic plans are long-term, tactical plans are mid-term, and operational plans are short-term.
Know the elements of a formalized security policy structure
To create a comprehensive security plan, you need the following items in place: security policy, standards, baselines, guidelines, and procedures.
Understand organizational process
Security governance needs to address every aspect of an organization. This includes the organizational processes of acquisitions, divestitures and governance committees.
Understand the security roles
The primary security roles are senior manager, security professional, asset owner, custodian, user, and auditor.
Know the basics of COBIT
Control Objectives for Information and Related Technologies (COBIT) is a security concept framework used to organize the complex security solutions of companies.
Understand due diligence and due care
Due diligence is establishing a plan, policy, and process to protect the interests of an organization.
Due care is practicing the individual activities that maintain the due diligence effort.
Know the basics of threat modeling
This is the security process where potential threats are identified, categorized and analyzed.
Review Questions
01. Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a security infrastructure. Which of the following is not considered a violation of confidentiality?
- Stealing passwords using a keystroke logging tool
- Eavesdropping on wireless network communication
- Hardware destruction caused by arson
- Social engineering that tricks a user into providing personal information to a false website.
02. Security governance requires a clear understanding of the objectives of the organization as well as the core concepts of security. Which of the following contains the primary goals and objectives of security?
- A network border perimeter
- The CIA Triad
- AAA Services
- Ensuring that subject activities are recorded
03. James recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated?
- Identification
- Availability
- Encryption
- Layering
04. Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which of the following is true about security governance?
- Security governance ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.
- Security governance is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
- Security governance is a documented set of best IT security practices that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.
- Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.
05. You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization’s security purpose. It also needs to define the security function and align it with the goals, mission, and objectives of the organization. What are you being asked to create?
- Tactical plan
- Operational plan
- Strategic plan
- Rollback plan
06. Annalies’s organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are examples of those risks? Choose all that apply.
- Inappropriate information disclosure
- Increased worker compliance
- Data loss
- Downtime
- Additional insight into the motivations of inside attackers
- Failure to achieve sufficient return on investment (ROI)
07. Which security framework was initially crafted by a government for domestic use but is now an international standard; is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change; focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization; and is often used as a starting point for the crafting of a customized IT security solution within an established infrastructure?
- ITIL
- ISO 27000
- CIS
- CSF
08. A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization. What is the security role that has the functional responsibility for security, including writing the security policy and implementing it?
- Senior management
- Security professional
- Custodian
- Auditor
09. Control Objectives for Information and Related Technologies (COBIT) is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT is based on six key principles for governance and management of enterprise IT. Which of the following are among these key principles? Choose all that apply.
- Holistic Approach
- End to End Governance System
- Provide Stakeholder Value
- Maintaining Authenticity and Accountability
- Dynamic Governance System
10. In today’s business environment, prudence is mandatory. Showing due diligence and due care is the only way to disprove negligence in an occurrence of loss. Which of the following are true statements? Choose all that apply.
- Due diligence is establishing a plan, policy, and process to protect the interest of an organization. *
- Due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines and procedures.
- Due diligence is the continued application of a security structure onto the IT infrastructure of an organization.
- Due care is practicing the individual activities that maintain the security effort.
- Due care is knowing what should be done and planning for it.
- Due diligence is doing the right action at the right time.
11. Security documentation is an essential element of a successful security program. Understanding the components is an early step in crafting the security documentation. Match the following components to their respective definition.
Policy
- A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should provide the necessary protection.
Standard
- A minimum level of security that every system throughout the organization must meet.
Procedure
- A detailed step by step document that describes the exact actions necessary to implement a specific security mechanism, control or solution.
Guideline
- Offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users.
12. STRIDE is often used in relation to assessing threats against applications or operating systems. When confidential documents are exposed to unauthorized entities, which element of STRIDE is used to reference that violation?
STRIDE is a Microsoft threat-modeling framework. Each letter maps to a category of threat:
- S – Spoofing identity → pretending to be someone else (confidentiality/authentication issue).
- T – Tampering with data → unauthorized modification (integrity).
- R – Repudiation → denying an action without a way to prove otherwise (non-repudiation).
- I – Information disclosure → exposure of information to unauthorized parties (confidentiality).
- D – Denial of service → making a service unavailable (availability).
- E – Elevation of privilege → gaining unauthorized rights or privileges (authorization).
- S
- T
- R
- I
- D
- E
13. A development team is working on a new project. During the early stages of systems development, the team considers the vulnerabilities, threats and risks of their solution and integrates protections against unwanted outcomes. What concept of threat modeling is this?
- Threat hunting
- Proactive approach
- Qualitative approach
- Adversarial approach
14. Supply Chain Risk Management (SCRM) is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations. Which of the following are true statements? Choose all that apply.
- Each link in the supply chain should be responsible and accountable to the next link in the chain.
- Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips.
- If the final product derived from a supply chain meets expectations and functional requirements, it is assured to not have unauthorized elements.
- Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listening or remote control mechanisms.
15. Your organization has become concerned with risks associated with the supply chain of their retail products. Fortunately, all coding for their custom product is done in-house. However a thorough audit of a recently completed product revealed that a listening mechanism was integrated into the solution somewhere along the supply chain. The identified risk is associated with what product component in this scenario?
- Software
- Services
- Data
- Hardware
16. Cathy’s employer has asked her to perform a documentation review of the policies and procedures of a third-party supplier. This supplier is just the final link in a software supply chain. Their components are being used as a key element of an online service operated for high-end customers. Cathy discovered several serious issues with the vendor, such as failing to require encryption for all communications and not requiring multifactor authentication on management interfaces. What should Cathy do in response to this finding?
- Write up a report and submit it to the CEO
- Void the ATO of the vendor (Authorization To Operate)
- Require that the vendor review their terms and conditions
- Have the vendor sign an NDA
17. Whenever an organization works with a third party, its supply chain risk management (SCRM) processes should be applied. One of the common requirements is the establishment of minimum security requirements of the third party. What should these requirements be based on?
- Existing security policy
- Third party audit
- On-site assessment
- Vulnerability scan results
18. It’s common to pair threats with vulnerabilities to identify threats that can exploit assets and represent significant risks to the organization. An ultimate goal of threat modeling is to prioritize the potential threats against an organization’s valuable assets. Which of the following is a risk-centric modeling approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected?
- VAST
- SD3+C
- PASTA (Process for Attack Simulation and Threat Analysis)
- STRIDE
19. The next step after threat modeling is reduction analysis. Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements. Which of the following are key components to identify when performing decomposition? (Choose all that apply.)
- Patch or update versions
- Trust boundaries
- Dataflow paths
- Open vs closed source code use
- Input points
- Privileged operations
- Detail about security stance and approach
20. Defense in depth is simply the use of multiple controls in series. No one control can protect against all possible threats. Using multilayered solutions allows for numerous different controls to guard against whatever threat comes to pass. Which of the following are terms that relate to or are based on defense in depth? Choose all that apply.
- Layering
- Classifications
- Zones
- Realms
- Compartments
- Silos
- Segmentation
- Lattice structure
- Protection rings
Domain 1 – Security and Risk Management
Risk Terminology and concepts
Asset
An asset is anything used in a business process or task. If an organization relies on it (person, hardware, product, place or thing) then it’s an asset.
Asset valuation
Is a value assigned to an asset based on a number of factors including importance to the organization.
Threats
Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or specific asset is a threat.
Threat agents / actors
They intentionally exploit vulnerabilities and can be programs or people, or hardware systems.
Threat events
Are accidental occurrences and intentional exploitation of vulnerabilities.
Threat vector
Is the path or means by which an attack or attacker can gain access to a target to cause harm.
Vulnerability
The weakness in an asset, or the absence or weakness of a safeguard or countermeasure, is a vulnerability.
Exposure
Is being susceptible to asset loss because of a threat; there is a possibility the asset will be exploited.
Risk
Is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
Safeguards
A safeguard, security control, protection mechanism or countermeasure is anything that removes or reduces a vulnerability or protects against threats.
Attack
An attack is the intentional attempted exploitation of a vulnerability by a threat agent to cause damage, loss or disclosure of assets.
Breach
An intrusion or penetration is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. A breach is a successful attack.
Exposure factor
Represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
Single Loss Expectancy
Is the potential loss associated with a single realized threat against a specific asset.
Annualized Rate of Occurrence
Is the expected frequency with which a specific threat or risk will occur that is realized within a single year.
Annualized Loss Expectancy
ALE is the possible yearly loss of all instances of a specific realized threat against a specific asset. The ALE is calculated using the following formula:
ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)
or
ALE = SLE * ARO
Risk Responses
Risk Mitigation
Reducing risk by implementing safeguards and security controls, e.g. deploying encryption, firewalls.
Risk Assignment
Or transferring the risk. Is the placement of the responsibility for loss due to a risk onto another entity or organization.
Risk Deterrence
The process of implementing deterrents for would-be violators of security and policy. The goal is to convince a threat agent not to attack, e.g. implementing auditing, security cameras, and warning banners, and working with authorities to prosecute those involved in cybercrime.
Risk Avoidance
The process of selecting alternative options or activities that have less associated risk than the default, common, expedient or cheap option.
Risk Acceptance
Is the result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk.
Risk rejection
An unacceptable possible response to risk is to reject or ignore the risk. Rejecting or ignoring risk may be considered negligence in court.
SLE
Single Loss Expectancy
ARO
Annualized Rate of Occurrence
ALE
Annualized Loss Expectancy
ALE = SLE * ARO
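Worked example of the quantitative formulas above, added to these notes (not from the source): SLE from asset value and exposure factor, ALE = SLE * ARO, and the cost/benefit test that separates risk mitigation from risk acceptance (safeguard value = ALE before minus ALE after minus annual cost of the safeguard, the standard CISSP formula). All scenario figures are constructed.

```python
"""Quantitative risk analysis on the page's terms: EF, SLE, ARO, ALE.
Example code added to these notes; scenario numbers are constructed."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * EF; EF is the fraction (0..1) lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO (ARO is expected occurrences per year)."""
    return sle * aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float   # ACS: yearly cost of the control
    aro_after: float     # ARO once the safeguard is in place
    ef_after: float      # EF once the safeguard is in place


def safeguard_value(asset_value, ef, aro, safeguard: Safeguard) -> float:
    """(ALE before) - (ALE after) - ACS. Positive: mitigating is cheaper than
    absorbing the loss. Negative: the countermeasure costs more than it saves,
    which is the risk acceptance case described in the notes."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.ef_after),
        safeguard.aro_after)
    return ale_before - ale_after - safeguard.annual_cost


def recommend(asset_value, ef, aro, safeguards) -> str:
    """Choose the safeguard with the highest positive value, else accept."""
    best = max(safeguards, key=lambda s: safeguard_value(asset_value, ef, aro, s))
    if safeguard_value(asset_value, ef, aro, best) > 0:
        return f"mitigate with {best.name}"
    return "accept risk"


if __name__ == "__main__":
    # Constructed scenario: a $200,000 database server, a ransomware event
    # destroying 60% of its value, expected once every 4 years (ARO 0.25).
    options = [Safeguard("offline backups", 10_000, 0.25, 0.10),
               Safeguard("premium EDR suite", 40_000, 0.05, 0.60)]
    for s in options:
        print(s.name, safeguard_value(200_000, 0.60, 0.25, s))
    print(recommend(200_000, 0.60, 0.25, options))
```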
Assets are protected by:
Administrative
Controls that are the policies and procedures defined by an organization.
Technical or Logical
Controls that involve the hardware and software mechanisms used to protect assets.
Physical
Controls are security mechanisms to protect facilities, like fences, locked doors, sealed windows, badges, laptop locks, swipe cards etc.
Applicable types of Controls
Preventive – is a control deployed to thwart or stop unwanted or unauthorized activity from occurring.
Deterrent – is a control deployed to discourage security policy violations.
Detective – is a control deployed to discover or detect unwanted or unauthorized activity.
Compensating – is a control deployed to provide various options to other existing controls to aid in enforcement and support of security policies.
Corrective – is a control deployed to modify the environment to return systems to normal after an unwanted or unauthorized activity has occurred.
Recovery – is a control deployed as an extension of corrective controls but has more advanced or complex abilities.
Directive – is a control deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.
Security Control Assessment (SCA)
Is the formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectations.
Monitoring and Measurements
Security controls should provide benefits that can be monitored and measured. If a security control’s benefit cannot be quantified, evaluated or compared, then it does not actually provide any security.
Risk Reporting and Documentation
Risk reporting is a key task to perform at the conclusion of a risk analysis. Risk reporting involves the production of a risk report and a presentation of that report to the interested, relevant parties.
Continuous Improvement
Risk analysis is performed to provide upper management with the details necessary to decide which risks should be mitigated, which should be transferred, which should be deterred, and which should be avoided or accepted.
Social Engineering Principles
Authority is an effective technique because most people are likely to respond to authority with obedience.
Intimidation can sometimes be seen as a derivative of the authority principle.
Consensus or social proof is the act of taking advantage of a person’s natural tendency to mimic what others are doing or are perceived as having done in the past.
Scarcity is a technique used to convince someone that an object has a higher value based on the object’s scarcity.
Familiarity or liking as a social engineering principle attempts to exploit a person’s native trust in that which is familiar.
Trust as a social engineering principle involves an attacker working to develop a relationship with a victim.
Urgency often dovetails with scarcity, because the need to act quickly increases as scarcity indicates a greater risk of missing out.
Spear Phishing – is a more targeted form of phishing where the message is crafted and directed specifically to a group of individuals.
Whaling – a form of spear phishing that targets specific high-value individuals, such as a CEO.
Smishing – Short Message Service (SMS) phishing, or smishing, is a social engineering attack that occurs over or through standard text messages.
Vishing – vishing calls can display a caller ID or phone number from any source the attacker thinks might cause the victim to answer the call.
Tailgating and Piggybacking – occurs when an unauthorized entity gains access to a facility under the authorization of a valid worker but without their knowledge. When a worker uses their credentials to open a locked door, the attacker grabs the opportunity to hold the door and access the building.
Typo Squatting – is a practice employed to capture and redirect traffic when a user mistypes the URL or IP address of an intended resource. Like www.googles.com or www.microssoft.com.