Flashcards for CYB2001 Final Exam Review
CUI
Controlled Unclassified Information
FCI
Federal Contract Information
PII
Personally Identifiable Information
PCI CHD
Payment Card Industry Cardholder Data
PHI (ePHI)
Protected Health Information and Electronic Protected Health Information (HIPAA-related data)
IP
Intellectual Property
ITAR
International Traffic in Arms Regulation
Confidentiality
Ensures that unauthorized individuals cannot gain access to sensitive information
Integrity
Ensures there are no unauthorized or illegitimate modifications to data
Availability
Ensures information and systems are ready to meet the needs of legitimate users
Asset
Something we protect
Threat
Some outside force that could do us harm
Vulnerability
Some negative quality of our asset
Risk
The unwanted outcome that could occur by a threat and a vulnerability coming together on our asset
Firewall
Protects “good internal systems from the bad internet”
High Availability Firewalls (HAFs)
Apply two firewalls in a system; in case one fails, the second firewall stands in its place.
Web Application Firewalls (WAFs)
Protect our web apps from the “bad” public internet.
Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS)
Detect and prevent break-ins.
Honeypot
Systems that have no actual purpose other than to raise an alarm if someone interacts with them.
Data Backups
A system that replicates our data, either physically onsite, remotely at a service provider, or both.
Traditional AV
Signature-based anti-virus software.
Next-generation AV
Endpoint Detection and Response (EDR) – signature and behavior-based, machine learning capabilities.
SOC
Security Operations Center – 24/7 cybersecurity monitoring by a security team.
SIEM
Security Information and Event Management (logging and data correlation).
SOAR
Security Orchestration and Response (automation tooling)
DLP
Data loss prevention (ensures our data stays with us)
FIM
File integrity monitoring (detects file changes)
Email Security Gateways
Protect email systems from users clicking bad URLs, attachments, and phishing. Often build in sandboxes for securely detonating malware.
Vulnerability scanners
Perform vulnerability scanning/automated security checks.
Secrets manager
Password safe/key management tools.
GRC tools
Tools for managing risk and compliance to-do’s, status, audit evidence, etc.
Symmetric Encryption
Uses the same key to decrypt and encrypt
Asymmetric Encryption
Uses different keys to decrypt and encrypt
Script Kiddies
Generally unskilled, novice, “mom’s basement” hackers
Hacktivists
Hack for a “cause” they care about
Nation States
Known as Advanced Persistent Threats, APTs; generally includes terrorist groups
Insider Threats
Accidental human error, negligence, or purposeful/deliberate actions
Ransomware
Stealing and ransoming data by encrypting files with malware and extorting the victim
Business Email Compromise (BEC)
Hijacking emails/email accounts
Denial of Service (DOS/DDOS)
Impacting Service Availability
Supply Chain Attacks
Impacting your security by hacking the vendors and third-party services/products you use
Vulnerability Scanning
Using tools to “knock on the door”, see what’s in our environments, open ports, what services are running, patch levels
Penetration Testing
Human-led testing to “break the door down”, often outsourced. Simulates an attacker.
Threat Modeling
Analyzing potential threats and vulnerabilities
Defense in Depth/Layered Security
Implementing multiple layers of security controls
Network Segmentation
Using subnets/VLANs (virtual LANs), and other methods, to split up the environment so the network isn’t “flat”.
GRC
Governing IT and IT security, risk management, and compliance.
ARO
Annual Rate of Occurrence – how many times in a year something will need to be done
SLE
Single Loss Expectancy – how much it costs to replace something one time
ALE
Annual Loss Expectancy – How much it costs to replace something in a given year
Risk acceptance
Making no changes in the face of risk
Risk mitigation
Implementing additional security features to reduce risk
Risk avoidance
Deciding not to do something any longer to avoid the risk
Risk transference
Shifting the risk away from yourself, such as purchasing cyber or flood insurance, or outsourcing some functionality to a service provider instead of doing it yourself
Information Security Policy
Broadly defines the why and what of an organization’s cyber objectives, e.g. “don’t do this thing because it’s bad”
Standards
Quantifiable measures that define the what and how, e.g. “check the firewall rules once per month”
Procedures
Specific steps, e.g. “during a security incident, do this checklist”
Guidelines
Recommendations and best practices, e.g. “keep these items in mind when doing this activity”
NIST CSF
A general cybersecurity framework applicable to almost any type of organization. Developed by NIST, the US Government standards body.
NIST RMF
A general risk management framework, developed by NIST.
NIST PF
A general data privacy framework from NIST.
HIPAA/HITECH/HITRUST
Compliance standards, frameworks and law for Healthcare Security.
CMMC
Cybersecurity Maturity Model Certification, built heavily from NIST SP 800-171. The government’s requirements for their defense contractors.
FedRAMP
Secure development framework for protecting software sold to the government
FFIEC/GLBA
Federal Financial Institutions Examination Council / Gramm-Leach-Bliley Act: compliance standards and law for banking/finance security
SOX
Sarbanes-Oxley. Law for publicly traded companies
PCI DSS/PCI SSF
Payment Card Industry Data Security Standard: compliance standard for credit/debit card payment security. Payment Card Industry Software Security Framework: compliance standard for security in payment software.
COBIT
General IT management framework developed by auditors
ITIL
General IT management framework
SOC
Service Organization Controls. A compliance standard for showing your clients that you are handling security well.
NERC CIP
Cybersecurity in electric generation utilities
Identification
Determining a security event has occurred
Preservation
Ensuring evidence is not destroyed
Collection
Acquiring the evidence
Examination & Analysis
Reviewing the evidence
Attribution
Determining who did it
Presentation
The final investigation report
IRP
Incident Response Plan; what to do if a network has been hit by ransomware
DRP
Disaster Recovery Plan; what to do if a building caught fire overnight, or flooded
Evasion
AI Security Attack type
Poisoning
AI Security Attack type
Extraction
AI Security Attack type
Inference
AI Security Attack type
Prompt Injection
AI Security Attack type
Zero Trust
Utilizes real-time, continuous authentication practices, assumes “the network is always hostile”
SRP Triad
Safety, Reliability, Performance in Operational Technology Security
GDPR
General Data Protection Regulation, the European Union’s and United Kingdom’s Data Security and Privacy regulation.
PIPEDA
Canada’s data security and privacy law
PIPL
China’s data security and privacy law
CFAA
Computer Fraud and Abuse Act – making it illegal to hack or commit computer crime
ECPA
Electronic Communications Privacy Act – makes it illegal to hack or wrongly intercept telecommunications – phone calls, data, emails, etc.
FERPA
Family Educational Rights and Privacy Act – Protects student data
CCPA/CPRA
California’s Data Privacy Laws. The most substantial state privacy laws in the US.