Cybersecurity Kahoot for Final Exam

Insider Threat: This threat actor is usually an employee

Network Segmentation: We can accomplish this with Subnetting/VLAN-ing, Firewalls

Symmetric Encryption: Uses the same key to encrypt and decrypt, e.g., AES, DES

Asymmetric Encryption: Uses different keys to encrypt and decrypt, e.g., RSA, SHA

PHI/ePHI: Health-related data

PCI CHD: Credit card and debit card data (Payment Card Industry Cardholder Data)

PII: SSNs, DOBs, and Driver License Numbers

BEC: Business Email Compromise (not Business Enterprise Compromise)

CFAA: The US Federal Law that Prohibits Hacking (Computer Fraud and Abuse Act)

US Federal Law Types: Civil (Tort), Criminal, Administrative

FERPA: Protects Student Data

State Cyber Laws Types: Data Disposal, Data Privacy, Data Security, Breach Notification

Wisconsin State Cyber Laws: Wi Act 73 for Insurance, Wi Statute 134.97, Wi Statute 134.98

CCPA/CPRA: The most substantial State Cybersecurity Privacy Law in the US

GDPR: The most widely followed global cybersecurity data security and privacy law

NIST 800-61: NIST SP for Incident Response - The Computer Security Incident Handling Guide

Attribution: The act of determining who the threat actor is

Incident Response Plan Importance: Helps think clearly during an IT Security event, has contact info and response/recovery procedures

Zero Trust: Presumes that the network is "always hostile" and authentication should be continuously validated

GRC: Governance, Risk, and Compliance (Confidentiality is not included)

SLE: $25,000 (for AV = $25,000)

ARO: .1 (for AV = $250,000 and 10-year replacement cycle with ALE = $25,000)

Single Loss Expectancy: The cost to replace an asset one-time

ALE: Annual Loss Expectancy

Risk Transference Example: Cyber Insurance or Flood Insurance

Policy: The most broad type of security documentation

NIST Frameworks: NIST Cybersecurity, NIST Risk Mgmt & AI Risk Mgmt, NIST Privacy

NIST SP 800-53: Followed by Federal government agencies

NIST SP 800-171: Used by organizations supporting the Federal Government

CIS IG3: The most complex CIS IG

SOC 2 Type 1: A Point in Time Assessment

SOC 2 Type 2: A Period of Time Assessment

COBIT and ITIL: IT Management Frameworks

Healthcare Security: HIPAA, HITECH, HITRUST

CIA Triad: Confidentiality, Integrity, Availability

Threat: An outside force that could do us harm

Vulnerability: A negative quality of our asset

Risk: When a threat and vulnerability come together

High Availability Firewalls (HAFs): "2 Firewalls in a System"

IDS/IPS: Intrusion Detection, Intrusion Prevention

Backup Types: Data, Power, Connectivity

Security Software Types: Anti-virus/Anti-malware, SIEM/SOAR, DLP/FIM, ESG/Phishing Awareness

Vulnerability Management Tasks: Vulnerability Scanning, Penetration Testing, Threat Modeling

Defense in Depth: A layered security approach

ISO27001/27002: A globally recognized security framework

CMMC: Protects ITAR, CUI, FCI

Banking/Finance Data Security: GLBA, FFIEC

SOX Applicability: Applies to Publicly-Traded companies (not privately-held companies)