Module 3: Protect Against Threats, Risks and Vulnerabilities


INTRODUCTION – Protect Against Threats, Risks and Vulnerabilities

Begin by building an understanding of security frameworks and controls, the essential tools an organization uses to reduce risk. Familiarize yourself with the fundamental principles of the CIA triad: confidentiality, integrity, and availability. Then work through the National Institute of Standards and Technology (NIST) frameworks, how they are applied, and why they matter.

In addition, study security ethics, focusing on the ethical principles that guide decisions made in cybersecurity. This course will equip you with what you need to navigate the interrelated areas of frameworks, controls, and ethics in security.

Learning Objectives:

  • Define security frameworks and controls
  • Define the CIA triad and NIST Cybersecurity Framework (CSF)
  • Discuss how the CIA triad and NIST CSF are used to create procedures and processes for addressing security threats, risks, and vulnerabilities
  • Explain security ethics

TEST YOUR KNOWLEDGE: FRAMEWORKS AND CONTROLS

1. Fill in the blank: A security ______ is a set of guidelines used for building plans to help mitigate risk and threats to data and privacy.

  • framework (CORRECT)
  • control
  • regulation
  • lifecycle

A security framework is a set of guidelines used for building plans that focus on minimizing risk and protecting data and privacy.

2. An organization requires its employees to complete a new data privacy training program each year to reduce the risk of a data breach. What is this training requirement an example of?

  • Data Confidentiality
  • Cybersecurity Framework (CSF)
  • Personally identifiable information (PII)

Security controls are safeguards put in place to reduce or manage specific risks.

3. What is a foundational model that informs how organizations consider risk when setting up systems and security policies?

  • Sensitive personally identifiable information (SPII)
  • Cybersecurity Framework (CSF)
  • Confidentiality, integrity, and availability (CIA) triad (CORRECT)
  • General Data Protection Regulation law (GDPR)

The CIA triad is a core fundamental model used to guide organizations when evaluating risk in the design of systems and security policies. The CIA triad consists of the three elements that form the core principles of confidentiality, integrity, and availability.

4. Security teams use the NIST Cybersecurity Framework (CSF) as a baseline to manage short and long-term risk.

  • True (CORRECT)
  • False

The NIST Cybersecurity Framework (CSF) bases its security strategies on continuous evaluation of short- and long-term cybersecurity risks. The CSF is a voluntary framework composed of standards, guidelines, and best practices that an organization can apply to effectively manage and reduce its cybersecurity risk.

5. What is the CIA triad?

  • A mandatory cybersecurity framework
  • A cybersecurity process used to encrypt data
  • A cybersecurity control that eliminates risk
  • A foundational cybersecurity model (CORRECT)

CIA refers to the triad of confidentiality, integrity, and availability. These concepts are central to any organization that evaluates and manages risk while designing systems and security policies: they protect sensitive data, ensure data accuracy, and keep systems available.

TEST YOUR KNOWLEDGE: ETHICS IN CYBERSECURITY

1. An employee trained to handle PII and SPII leaves confidential patient information unlocked in a public area. Which ethical principles does this violate? Select all that apply.

  • Privacy protections (CORRECT)
  • Remaining unbiased
  • Confidentiality (CORRECT)
  • Laws (CORRECT)

Leaving the information unlocked in a public area violates laws, confidentiality, and privacy protections.

2. Fill in the blank: Privacy protection means safeguarding _____ from unauthorized use.

  • compliance processes
  • business networks
  • documentation
  • personal information (CORRECT)

Privacy protection means securing an individual's personal information from unauthorized use. It also means granting users access in such a way that they cannot reach sensitive data they are not entitled to see.

3. You receive a text message on your personal device from your manager stating that they cannot access the company’s secured online database. They’re updating the company’s monthly party schedule and need another employee’s birth date right away. Your organization’s policies and procedures state that employee information should never be accessed or shared through personal communication channels. What should you do?

  • Respectfully decline, then remind your manager of the organization’s guidelines. (CORRECT)
  • Give your manager the employee’s birth date; a party is a friendly gesture.
  • Ask your manager to provide proof of their inability to access the database.
  • Request identification from your manager to ensure the text message is authentic; then, provide the birth date.

You should respectfully decline the request and remind your manager of the organization’s guidelines. As a security analyst, it is your responsibility to uphold company policies and procedures in order to maintain security and compliance.

4. You work for a U.S.-based utility company that suffers a data breach. Several hacktivist groups claim responsibility for the attack. However, there is no evidence to verify their claims. What is the most ethical way to respond to this incident?

  • Target a specific hacktivist group as a warning to the others.
  • Improve the company’s defenses to help prevent future attacks. (CORRECT)
  • Conduct cyberattacks against each hacktivist group that claimed responsibility.
  • Escalate the situation by involving other organizations that have been targeted.

The most ethical action in this case is to strengthen defenses against future attacks, since counterattacks are illegal in the U.S. unless they are conducted by authorized federal employees or military personnel. Legal and ethical guidelines must be followed to ensure that security measures remain compliant and accountable.

MODULE 3 CHALLENGE

1. What are some of the primary purposes of security frameworks? Select three answers.

  • Aligning security with business goals (CORRECT)
  • Identifying security weaknesses (CORRECT)
  • Securing financial information (CORRECT)
  • Safeguarding specific individuals

Correct!

2. Which of the following are core components of security frameworks? Select two answers.

  • Establishing regulatory compliance measures
  • Implementing security processes (CORRECT)
  • Managing data requests
  • Monitoring and communicating results (CORRECT)

3. Fill in the blank: A security professional implements encryption and multi-factor authentication (MFA) to better protect customers’ private data. This is an example of using _____

  • security teams
  • security controls (CORRECT)
  • organizational upgrades
  • networking regulations

Correct!

4. You are helping your security team consider risk when setting up a new software system. Using the CIA triad, you focus on confidentiality, availability, and what else?

  • Information
  • Intelligence
  • Inconsistencies
  • Integrity (CORRECT)

Correct!

5. Fill in the blank: A key aspect of the CIA triad is ensuring that only ______ can access specific assets.

  • social media sites
  • business competitors
  • authorized users (CORRECT)
  • internet providers

Correct!

6. Which of the following statements accurately describe the NIST CSF? Select all that apply.

  • It is only effective at managing long-term risk.
  • Security teams use it as a baseline to manage risk. (CORRECT)
  • It consists of standards, guidelines, and best practices. (CORRECT)
  • Its purpose is to help manage cybersecurity risk. (CORRECT)

Correct!

7. For what reasons might disgruntled employees be some of the most dangerous threat actors? Select two answers.

  • They know where to find sensitive information. (CORRECT)
  • They have access to sensitive information. (CORRECT)
  • They have advanced technical skills.
  • They are less productive than other employees.

Correct!

8. A security professional overhears two employees discussing an exciting new product that has not been announced to the public. The security professional chooses to follow company guidelines with regards to confidentiality and does not share the information about the new product with friends. Which concept does this scenario describe?

  • Security controls
  • Preserving evidence
  • Security ethics (CORRECT)
  • Data encryption

Correct!

9. Fill in the blank: The ethical principle of ______ involves safeguarding a company database that contains sensitive information about employees.

  • honesty
  • privacy protection (CORRECT)
  • unrestricted access
  • non-bias

Correct!

10. Which ethical principle describes the rules that are recognized by a community and enforced by a governing entity?

  • Guidelines
  • Protections
  • Restrictions
  • Laws (CORRECT)

Correct!

11. Fill in the blank: A security professional has been tasked with implementing strict password policies on workstations to reduce the risk of password theft. This is an example of

  • hardware changes
  • security teams
  • networking regulations
  • security controls (CORRECT)

Correct!

12. You are helping your security team consider risk when setting up a new software system. Using the CIA triad, you focus on integrity, availability, and what else?

  • Communication
  • Confidentiality (CORRECT)
  • Conformity

Correct!

13. Fill in the blank: As a security professional, you monitor the potential threats associated with _____ because they often have access to sensitive information, know where to find it, and may have malicious intent.

  • disgruntled employees (CORRECT)
  • external vendors
  • existing customers
  • governing agencies

Correct!

14. A security professional is updating software on a coworker’s computer and happens to see a very interesting email about another employee. The security professional chooses to follow company guidelines with regards to privacy protections and does not share the information with coworkers. Which concept does this scenario describe?

  • Business email compromise
  • Preserving evidence
  • Security ethics
  • Security control (CORRECT)

Correct!

15. A security professional working at a bank is running late for a meeting. They consider saving time by leaving files on their desk that contain client account numbers. However, after thinking about company guidelines with regards to compliance, the security professional takes the time to properly store the files. Which concept does this scenario describe?

  • Security controls
  • Public finance
  • Preserving evidence
  • Security ethics (CORRECT)

Correct!

16. Fill in the blank: The ethical principle of _____ involves safeguarding an organization’s human resources records that contain personal details about employees.

  • honesty
  • privacy protection (CORRECT)
  • unlimited access
  • non-bias

Correct!

17. You are a security professional working for a state motor vehicle agency that stores drivers’ national identification numbers and banking information. Which ethical principle involves adhering to rules that are intended to protect these types of data?

  • Investigations
  • Restrictions
  • Laws (CORRECT)
  • Guidelines

Correct!

18. Which of the following are core components of security frameworks? Select two answers.

  • Implementing security processes (CORRECT)
  • Monitoring personally identifiable information
  • Setting guidelines to achieve security goals (CORRECT)
  • Establishing regulatory compliance measures

Correct!

19. You are helping your security team consider risk when setting up a new software system. Using the CIA triad, you focus on confidentiality, integrity, and what else?

  • Availability (CORRECT)
  • Applications
  • Accuracy
  • Activity

Correct!

20. Fill in the blank: ____ are items perceived as having value to an organization.

  • Assets (CORRECT)
  • Alerts
  • Incidents
  • Lifecycles

Correct!

21. Which of the following statements accurately describe the NIST CSF? Select all that apply.

  • Its purpose is to help manage cybersecurity risk. (CORRECT)
  • It is a voluntary framework. (CORRECT)
  • Security teams use it as a baseline to manage risk. (CORRECT)
  • It is only effective at managing short-term risk.

Correct!

22. Fill in the blank: Some of the most dangerous threat actors are ______ because they often know where to find sensitive information, can access it, and may have malicious intent.

  • disgruntled employees (CORRECT)
  • senior partners
  • past vendors
  • dissatisfied customers

Correct!

23. Which ethical principle describes safeguarding personal information from unauthorized use?

  • Incident investigation
  • Privacy protection (CORRECT)
  • Non-bias
  • Honesty

Correct!

24. Fill in the blank: The ethical principle of _____  involves adhering to compliance regulations.

  • guidelines
  • laws (CORRECT)
  • protections
  • restrictions

Correct!

25. Fill in the blank: A security professional has been tasked with implementing safeguards to reduce suspicious activity on their company’s network. They use ______ to help them reduce this type of risk.

  • security ethics
  • private information
  • security controls (CORRECT)
  • public websites

Correct!

26. What are some of the primary purposes of security frameworks? Select three answers.

  • Aligning security with business goals (CORRECT)
  • Safeguarding specific individuals
  • Managing organizational risks (CORRECT)
  • Protecting PII data (CORRECT)

Correct!
