C795 Cybersecurity Management II - Tactical(Questions with complete solutions)

As an IT security professional, you have just been hired by a multisite automotive dealership to protect and manage its computer network. What is your first task in establishing a secure defense system for the company?This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Hire a system security vendor. B Perform a full vulnerability assessment. C Perform an asset inventory and classification audit. D Document all users on the corporate domain. Answer C is correct. A security administrator has to have a complete inventory of systems and equipment connected to the corporate network. Once this information is complete and accurate, a security professional can begin mapping vulnerabilities to the known systems. Which characteristic most accurately describes a zero-day exploit vulnerability?This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A It is only known to hackers and a few security professionals. B It is only known to the hacker. C It was a major concern in the late 1990s, but current technology has eliminated them. D It is widely known, but ineffective and only used occasionally. Explanation: Answer B is correct. A zero-day exploit is a flaw in an operating system or program code that is discovered by a threat actor with the intention of exploiting the vulnerability before authors of the code can patch or rewrite the code to eliminate the vulnerability. 00:01 00:54 CVE MITRE Corporation National Vulnerability Database (NVD) National Institute of Standards and Technology's (NIST) Computer Security Division, these days the NVD is brought to you by your friends at the Department of Homeland Security's National Cybersecurity Division. According to them Which organizations provide vulnerability-mapping services, tools, or resources that can be accessed for free?This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A AARP B OWASP C NIST D ACLU E MITRE Explanation: Answers B, C, and E are correct. The Open Web Application Security Project (OWASP), National Institute of Standards and Technology (NIST), and MITRE Corporation all provide free vulnerability-mapping services, tools, or resources. One of the main purposes of a cybersecurity professional is to help a company establish its security requirements. Which critical components of an application risk assessment accomplish this objective? Select all that apply.This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Understanding the application type B Determining the users C Establishing the criticality to business D Setting the application life-cycle E Classifying the information processed Explanation: Answers A, C, and E are correct. Defining the security requirements of a risk assessment can involve multiple key factors that should be incorporated early in the planning and development phases. The security requirements do not include defining users or application lifespan. cloud/software as a service (SaaS) applications. Commercial off-the-shelf (COTS) applications. Applications developed by vendors and installed on the organization's information systems. These applications are usually purchased outright by organizations with usage based on licensing agreements. Cloud/SaaS applications. Applications developed by service providers or vendors and installed on the provider or vendor information system. Organizations typically have an on-demand or pay-per-usage metrics. In-house developed applications. Applications developed, installed, and maintained by the organization using internal teams and/or contractors With the development of faster, more reliable internet access, cloud services are increasing in popularity. Talia researched moving part of her company's data and infrastructure to a cloud-based service. She evaluated risks associated with cloud services and has established a list of risks. Which risk is NOT associated with cloud or SaaS services?This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Limited storage scalability B Misaligned cybersecurity standards with the vendor C Legal or regulatory restrictions imposed on the company but not the vendor D Lack of control over a vendor's cybersecurity policies E Data storage confidentiality Explanation: Answer A is correct. Limited storage capability is not a risk in cloud-based services. One of the strong arguments for online storage is the ability to scale to needs easily and economically. Policies and procedures must ensure that cybersecurity are addressed through the development or acquisition life cycle in line with the following guiding principles: security requirements should be identified up front based on the risks the security requirements should be included in the application development and selection processes the security requirements should be tested for effectiveness pre- and postimplementation when using cloud/SaaS providers, cybersecurity due diligence should be conducted developers should be trained on secure coding practices, and the developed code should be inspected for security defects Enterprise risk management (ERM)1 The enterprise risk assessment methodology has become an established approach to identifying and managing systemic risk for an organization Reasons/Rationale for Performing a Security Risk Assessment Cost justification—Added security usually involves additional expense. Since this does not generate easily identifiable income, justifying the expense is often difficult. An effective IT security risk assessment process should educate key business managers on the most critical risks associated with the use of technology, and automatically and directly provide justification for security investments. Productivity—Enterprise security risk assessments should improve the productivity of IT operations, security and audit. By taking steps to formalize a review, create a review structure, collect security knowledge within the system's knowledge base and implement self-analysis features, the risk assessment can boost productivity. Breaking barriers—To be most effective, security must be addressed by organizational management as well as the IT staff. Organizational management is responsible for making decisions that relate to the appropriate level of security for the organization. The IT staff, on the other hand, is responsible for making decisions that relate to the implementation of the specific security requirements for systems, applications, data and controls. Self-analysis—The enterprise security risk assessment system must always be simple enough to use, without the need for any security knowledge or IT expertise. This will allow management to take ownership of security for the organization's systems, applications and data. It also enables security to become a more significant part of an organization's culture. Communication—By acquiring information from multiple parts of an organization, an enterprise security risk assessment boosts communication and expedites decision making. Risk assessments can vary greatly depending upon the type, size, or nature of the company receiving the assessment. However, core goals remain the same. Which goals are considered the core goals?This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Increase productivity B Identify the risks C Decrease employee exposure D Quantify the risks Explanation: Answers B and D are correct. The main objectives or rationale for performing a security risk assessment are identifying the risks that can disrupt business operations and quantifying