CySA+ Last Minute Review Guide (CS0-002) - 2021


Domain 1: Threat and Vulnerability Management

Threat intelligence provides cybersecurity analysts with insight into the nature of external threats and the tools, techniques, and procedures used by those threats.

Organizations may purchase proprietary/closed-source intelligence from commercial vendors and/or make use of free open-source intelligence developed by the security community. Cybersecurity analysts may engage in industry-specific information sharing and analysis communities (ISACs) to exchange threat information with peers.

When assessing the value of an intelligence source, analysts should consider the intelligence's timeliness, relevance, and accuracy to determine how much weight to assign it.

The intelligence cycle describes the process of intelligence analysis, from requirements gathering through feedback. There are five stages to the intelligence cycle:

[Diagram: the intelligence cycle]
1. Gathering Requirements
2. Threat Data Collection
3. Threat Data Analysis
4. Threat Intelligence Dissemination
5. Gathering Feedback

When automating threat intelligence processing, organizations rely upon the Structured Threat Information Expression (STIX) standard: an XML language used to describe threat components and their relationships. The Trusted Automated Exchange of Indicator Information (TAXII) protocol allows the automated exchange of STIX data between cybersecurity components.

You should be familiar with the four most common categories of cybersecurity threat actor:
• Nation-state actors are government-sponsored cyberattackers with access to vast resources.
• Hacktivists are attackers who have a motivation centered on political activism.
• Organized crime groups use cyberattacks for financial gain.
• Insider threats come from employees or other stakeholders who undermine security, either accidentally or intentionally.

MITRE's Adversarial Tactics, Techniques, and Common Procedures (ATT&CK) framework is a collection of information about the techniques used by attackers seeking to gain access to an organization and its systems.

The Diamond model provides an approach for modelling attacks by describing the relationship between the adversary, victim, infrastructure, and capabilities, as shown here:

[Diagram: the Diamond model, with Adversary at the top, Infrastructure and Capability at the two sides, and Victim at the bottom]

The last threat model you should be familiar with is the Lockheed Martin Cyber Kill Chain. This approach models adversary activities as a seven-step process:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions and Objectives

Threat intelligence should be shared with other relevant functions within the organization, including incident response, vulnerability management, risk management, security engineering, and detection & monitoring.

The Common Vulnerability Scoring System (CVSS) rates the severity of security vulnerabilities based upon eight criteria:
1. Attack Vector (AV)
2. Attack Complexity (AC)
3. Privileges Required (PR)
4. User Interaction (UI)
5. Scope (S)
6. Confidentiality Impact (C)
7. Integrity Impact (I)
8. Availability Impact (A)

The CVSS base score combines all eight of these factors into a single score from 0.0 to 10.0, with the following severity descriptions:

CVSS Score   Rating
0.0          None
0.1-3.9      Low
4.0-6.9      Medium
7.0-8.9      High
9.0-10.0     Critical

Network vulnerability scanning first discovers active services on the network and then probes those services for known vulnerabilities. Web application vulnerability scans use tools that specialize in probing for web application weaknesses.

The vulnerability management workflow includes three basic steps: detection, remediation, and validation.

Be familiar with common vulnerability assessment tools and interpreting their output:

Web Scanners:            OWASP ZAP, Burp suite, Nikto, Arachni
Infrastructure Scanners: Nessus, OpenVAS, Qualys
Enumeration Tools:       Nmap, hping, Responder
Wireless Assessment:     Aircrack-ng, Reaver, oclHashcat
Cloud Scanners:          ScoutSuite, Prowler, Pacu

Active scanning techniques engage with the target system to probe it for known vulnerabilities while passive scanning techniques are stealthier. Passive scans do not engage with the target system but attempt to identify vulnerabilities by observing network traffic and other system characteristics.


When validating a vulnerability report, there are four possible outcomes:

                                  Does the vulnerability actually exist?
                                  Yes               No
Was a vulnerability     Yes       True Positive     False Positive
reported?               No        False Negative    True Negative

Common parameters that you may tune when configuring vulnerability scans include:
• Using credentialed scans to log onto target systems and improve scan accuracy
• Using a combination of server-based scans that run over the network and agent-based scans that run on the local system
• Using different scan perspectives to determine the external view that an outside attacker would see and the internal view available to an insider or an attacker that has already gained a foothold on the network

There are some common inhibitors to remediating vulnerabilities that arise during scans:
• Requirements from memoranda of understanding (MOU) or service-level agreements (SLAs)
• Organizational governance and change management processes
• Business process interruption
• Degrading functionality
• Presence of legacy and proprietary systems

When assessing software security, static analysis techniques perform analysis of code without actually executing the code, while dynamic analysis techniques execute the code and monitor its activity. Strong assessments combine both static and dynamic techniques.

Fuzzing is a common dynamic analysis technique that supplies machine-generated input to applications in an attempt to undermine security.

Reverse engineering techniques seek to decompile executable code to gain access to the original source code or assembly language.

When deploying services in the cloud, organizations may choose from three major cloud strategies:
• Software-as-a-Service (SaaS) deploys entire applications to the cloud. The customer is only responsible for supplying data and manipulating the application.
• Infrastructure-as-a-Service (IaaS) sells basic building blocks, such as servers and storage. The customer manages the operating system and configures and installs software.
• Platform-as-a-Service (PaaS) provides the customer with a managed environment to run their own software without concern for the underlying hardware.

Cloud services may be built and/or purchased in several forms:
• Public cloud providers sell services to many different customers and many customers may share the same physical hardware.
• Private cloud environments dedicate hardware to a single user.
• Hybrid cloud environments combine elements of public and private cloud in a single organization.
• Community cloud environments use a model similar to the public cloud but with access restricted to a specific set of customers.


Attack Type: Description

SQL injection: Manipulate web applications to send unauthorized commands to the back-end database

Overflow: Place more data than expected in a memory buffer in an attempt to execute unauthorized code

Remote code execution: Allow an attacker to execute code of their choosing without accessing the system directly

Directory traversal: Embed periods and slashes in URLs in an attempt to navigate the web server's file system

Privilege escalation: Exploits that allow an attacker to take a normal user account and manipulate it to gain administrative access. Often performed using a rootkit.

Password spraying: Attempts to access a large number of accounts by trying commonly used passwords

Credential stuffing: Attempts to access accounts belonging to a specific user with username/password combinations exposed in the breach of another site. Effective because users reuse the same passwords in multiple locations.

Impersonation: Attacks where the attacker is able to appear to a remote user/system as another individual.

On-path attack: Formerly known as man-in-the-middle attacks. Eavesdropping attack where the attacker inserts themselves into the middle of an encrypted communications channel.

Session hijacking: Attacks where the adversary steals a cookie or other session credential to take over a user's existing authenticated session.

Cross-site scripting (XSS): Attack where the adversary tricks the user's browser into executing embedded scripts that are either stored on a web server (persistent XSS) or use input that is repeated as output (reflected XSS).

Many of these attacks arise due to a set of common vulnerabilities that exist in source code:
• Improper error handling
• Insecure pointer dereferencing
• Race conditions
• Broken authentication
• Sensitive data exposure
• Insecure components
• Insufficient logging and monitoring
• Weak or default configurations
• Use of insecure functions (especially strcpy)
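The table defines SQL injection in one sentence; the snippet below, an added example and not the guide's own code, shows the defect and its fix side by side on a constructed in-memory SQLite table. The vulnerable lookup splices user input into the statement text, so a quote in the input changes the query's structure; the parameterized lookup binds the same input as data and returns nothing for it.

```python
# Added example (not from the review guide): a lookup vulnerable to SQL
# injection beside its parameterized fix. Schema and rows are constructed
# sample data in an in-memory SQLite database.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.invalid"),
        ("bob", "bob@example.invalid"),
        ("carol", "carol@example.invalid"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The user-controlled value becomes part of the SQL text, so a quote
    # character in it terminates the string literal and the rest of the
    # input is parsed as SQL.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Placeholder binding keeps the statement text fixed; whatever the input
    # contains, it is compared as a plain string value.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Row counts each lookup returns for a normal and a quote-bearing input."""
    conn = make_db()
    normal = "alice"
    crafted = "x' OR '1'='1"  # constructed input containing a quote character
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```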

Domain 2: Software and Systems Security

When developing new systems, organizations move them through a four-stage process using different environments:
1. Development environments are where developers create and modify the system.
2. Test environments are where the system is tested. If flaws are discovered, it is returned to development.
3. Staging environments are where approved code is placed, awaiting release to production.
4. Production environments contain systems that are currently serving customer needs.

[Diagram: a rigid, sequential development process in which each phase feeds the next]
1. Requirements
2. Preliminary Design
3. Detailed Design
4. Code and Debug
5. Testing
6. Operations and Maintenance

The spiral model uses a more iterative approach:

[Diagram: the spiral model. Each loop of the spiral passes through four quadrants: 1. Determine objectives; 2. Identify and resolve risks; 3. Development and Test; 4. Plan the next iteration. Successive loops produce Prototype 1, Prototype 2 and an Operational prototype while moving through Concept of operation, Requirements plan, Concept of requirements, Requirements, Draft design, Detailed design, Development plan, Code, Integration, Test plan, Test, Verification & Validation, Implementation and Release. Cumulative cost grows with each loop as the project progresses.]

While the agile approach eschews this rigidity for a series of incremental deliverables created using a process that values:
• Individuals and interactions instead of processes and tools
• Working software instead of comprehensive documentation
• Customer collaboration instead of contract negotiation
• Responding to change instead of following a plan


There are three different types of penetration tests:
• During white box penetration tests, testers have full access to information about the target systems.
• During black box penetration tests, testers conduct their work without any knowledge of the target environment.
• Gray box tests reside in the middle, providing testers with partial knowledge about the environment.

Code review provides an important software assurance tool that allows peer review by fellow developers for security, performance, and reliability issues.

Fagan inspections are a formal code review process that follows a rigorous six-step process with formalized entry and exit parameters for each step:
1. Planning
2. Overview
3. Preparation
4. Inspection
5. Rework
6. Follow Up

Static testing evaluates software code without executing it, while dynamic testing executes the code during the test. Fuzz testing supplies invalid input to applications in an attempt to trigger an error state.

Interface testing evaluates the connections between different system components.

Misuse case testing evaluates known avenues of attack in an application.

Test coverage analysis metrics evaluate the completeness of testing efforts using the formula:

test coverage = (use cases tested) / (all use cases)

Common criteria for test coverage analysis include:
• Branch coverage (if statements tested under all conditions)
• Condition coverage (logical tests evaluated under all inputs)
• Function coverage (each function tested)
• Loop coverage (every loop executed multiple times, once, and not at all)
• Statement coverage (every line of code executed)

In virtualized environments, many guest systems run on a single piece of hardware. The hypervisor is responsible for separating resources used by different guests. Type 1 hypervisors run directly on the "bare metal" hardware while type 2 hypervisors run on a host operating system.

Application virtualization virtualizes individual software apps instead of entire operating systems, presenting them to the user through a web-based or other interface. Virtual desktop infrastructure (VDI) creates entire user workstations in the cloud.


Network segmentation places different types of systems on different network segments, minimizing the likelihood of cross-infection. This may be done with physically separate networks or with virtual networks (VLANs). Extremely sensitive network segments may be separated by an air gap, meaning they are not connected to any other network. Virtual private clouds (VPCs) are used to create virtual network segmentation in cloud environments.

Virtual private networks (VPNs) use encryption to connect remote network segments together and to connect remote users to enterprise networks.

The hardware root of trust is established through the use of the trusted platform module (TPM) and provides assurance that hardware has not been tampered with. The boot process for a system is managed by the Unified Extensible Firmware Interface (UEFI) which replaces the older BIOS approach. High security applications may require the use of a trusted foundry for chips that establishes a high degree of assurance that the chip was securely built.

The core activities of identity and access management are:
• Identification, where a user makes a claim of identity.
• Authentication, where the user proves the claim of identity.
• Authorization, where the system confirms that the user is permitted to perform the requested action.

In access control systems, we seek to limit the access that subjects (e.g. users, applications, processes) have to objects (e.g. information resources, systems).

Access controls work in three different fashions:
• Technical (or logical) controls use hardware and software mechanisms, such as firewalls and intrusion prevention systems, to limit access.
• Physical controls, such as locks and keys, limit physical access to controlled spaces.
• Administrative controls, such as account reviews, provide management of personnel and business practices.

Multifactor authentication systems combine authentication technologies from two or more of the following categories:
• Something you know (Type 1 factors) rely upon secret information, such as a password.
• Something you have (Type 2 factors) rely upon physical possession of an object, such as a smartphone.
• Something you are (Type 3 factors) rely upon biometric characteristics of a person, such as a face scan or fingerprint.

Authentication technologies may experience two types of errors. False positive errors occur when a system accepts an invalid user as correct. It is measured using the false acceptance rate (FAR). False negative errors occur when a system rejects a valid user, measured using the false rejection rate (FRR). We evaluate the effectiveness of an authentication technology using the crossover error rate (CER), as shown in the diagram below:

[Diagram: error rate (vertical axis) plotted against sensitivity (horizontal axis). The FAR and FRR curves run in opposite directions, and the CER is the point where they cross.]
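The FAR/FRR/CER passage above describes the curves but not how the numbers are produced. The following is an added example, not code from the guide: it sweeps the sensitivity threshold over constructed match scores for valid users and impostors, computes FAR and FRR at each threshold, locates the crossover, and also picks the threshold needed for a high-security setting where only a small FAR is tolerated (at the cost of a higher FRR).

```python
# Added example (not from the review guide): FAR, FRR and crossover error
# rate computed from constructed match scores. Higher score means a closer
# match; a sample is accepted when its score reaches the threshold, so the
# threshold plays the role of the "sensitivity" axis in the guide's diagram.
GENUINE = [0.91, 0.88, 0.84, 0.80, 0.76, 0.72, 0.69, 0.65, 0.58, 0.52]   # valid users
IMPOSTOR = [0.20, 0.28, 0.33, 0.41, 0.47, 0.55, 0.60, 0.66, 0.71, 0.79]  # invalid users


def far(threshold: float, impostor=IMPOSTOR) -> float:
    """False acceptance rate: share of impostors whose score clears the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: float, genuine=GENUINE) -> float:
    """False rejection rate: share of genuine users whose score falls below it."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(genuine=GENUINE, impostor=IMPOSTOR) -> list:
    """(threshold, FAR, FRR) at every threshold that changes some decision."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]


def crossover(genuine=GENUINE, impostor=IMPOSTOR) -> tuple:
    """Threshold where FAR and FRR are closest, and the CER at that point."""
    t, a, r = min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_max_far(max_far: float, genuine=GENUINE, impostor=IMPOSTOR) -> tuple:
    """Lowest threshold whose FAR stays within max_far, with the FRR paid for it."""
    for t, a, r in error_curve(genuine, impostor):
        if a <= max_far:
            return t, r
    raise ValueError("no threshold meets the requested FAR")


if __name__ == "__main__":
    for t, a, r in error_curve():
        print(f"threshold {t:.2f}  FAR {a:.1f}  FRR {r:.1f}")
    t, cer = crossover()
    print(f"crossover at threshold {t:.2f}, CER {cer:.1f}")
    t, r = threshold_for_max_far(0.1)
    print(f"for FAR <= 0.1 use threshold {t:.2f}; FRR becomes {r:.1f}")
```

A lower CER means a better-performing technology, but a deployment still has to choose a point on the curve: tightening the threshold to reduce FAR raises FRR, which users experience as being locked out.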


RADIUS is an authentication protocol commonly used for backend services. TACACS+ serves a similar purpose and is the only protocol from the TACACS family that is still commonly used.

The Security Assertion Markup Language (SAML) provides an open standard for different entities to exchange authentication and authorization information when performing federation.

OAuth is an authentication standard that allows users to log into applications using credentials provided by other identity providers without providing the application with those credentials. OpenID Connect is a consumer-focused implementation of OAuth used by Google and other cloud service providers.

Access control lists (ACLs) form the basis of many access management systems and provide a listing of subjects and their permissions on objects and groups of objects.

Discretionary access control (DAC) systems allow the owners of objects to modify the permissions that other users have on those objects. Mandatory access control (MAC) systems enforce predefined policies that users may not modify.

Role-based access control assigns permissions to individual users based upon their assigned role(s) in the organization. For example, backup administrators might have one set of permissions while sales representatives have an entirely different set.

Attribute-based access control (ABAC) systems make access control decisions based upon characteristics of the user, system, information, or other attributes.

Risk-based access control systems vary their access control decisions based upon the current threat environment.

Rule-based access control systems make access control decisions based upon a set of predefined rules. Firewalls are a common example.

Domain 3: Security Operations and Monitoring

Endpoint monitoring provides important operational information to cybersecurity analysts because endpoint behavior is often the first indicator of a compromise. Endpoint detection and response (EDR) systems provide this insight, while user and entity behavior analytics (UEBA) solutions allow deeper behavioral inspection.

When monitoring endpoints, watch for cases of deviations from known good behavior as well as specific examples of known malicious behavior. Anomaly detection techniques do not watch for known good or bad behavior but rather monitor for deviations from normal baselines.

Network monitoring allows you to determine what systems communicated with each other. Full packet capture stores the entire contents of network communication but is intrusive and resource-intensive. Netflow records are like a telephone bill, recording information about the nature and length of communication but not storing the actual content.

Records from domain name system (DNS) queries help organizations understand what connection attempts were made from their organization. Similarly useful information may come from content filters that capture the full URLs of webpages requested by end users. Both of these sources of information may be critical to tracing a malware infection.

Log review provides cybersecurity analysts with insight into the behavior of users, systems, and network devices. Logs may be sent to a centralized log repository using the syslog protocol.

Network device logs often arrive using the Simple Network Management Protocol (SNMP) and may be accessed using vendor-specific commands. On Cisco devices, the show logging command provides access to router logs. Cisco devices report log events using a standard system of log levels that are numbered in decreasing order of severity:

Level   Name
0       Emergency
1       Alert
2       Critical
3       Error
4       Warning
5       Notification
6       Information
7       Debug

The netstat command allows you to view information about active network connections on a Windows or Linux system. The nslookup and dig commands allow you to perform DNS lookups, while the traceroute (Linux/Mac) and tracert (Windows) commands allow you to discover the network path between devices.

Security information and event management (SIEM) systems perform aggregation and correlation of log entries from different devices, searching for records that, when viewed together, indicate a potential security issue. Automated rules perform the vast majority of SIEM processing but analysts may write manual queries to search for specific information.
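The SIEM paragraph above says correlation finds records that only mean something when viewed together; the password spraying and credential stuffing entries in Domain 1 are the classic case. The rule below is an added example, not code from the guide or from any SIEM product: it parses constructed OpenSSH-style authentication lines (documentation IP ranges, made-up hostnames), groups them by source address, and separates spraying (one source, many accounts, few tries each) from brute force (one source, one account, many tries), flagging any success that follows failures from the same source.

```python
# Added example (not from the review guide): a SIEM-style correlation rule
# over constructed OpenSSH auth log lines. Hostnames, usernames and IPs are
# invented sample data; the line format mirrors sshd's "Failed password for"
# and "Accepted password for" messages.
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

SAMPLE_LOG = """\
2021-05-04T10:00:01Z bastion sshd[1201]: Failed password for alice from 203.0.113.7 port 5121 ssh2
2021-05-04T10:00:09Z bastion sshd[1202]: Failed password for bob from 203.0.113.7 port 5122 ssh2
2021-05-04T10:00:17Z bastion sshd[1203]: Failed password for invalid user carol from 203.0.113.7 port 5123 ssh2
2021-05-04T10:00:25Z bastion sshd[1204]: Failed password for dave from 203.0.113.7 port 5124 ssh2
2021-05-04T10:00:33Z bastion sshd[1205]: Failed password for erin from 203.0.113.7 port 5125 ssh2
2021-05-04T10:00:41Z bastion sshd[1206]: Accepted password for frank from 203.0.113.7 port 5126 ssh2
2021-05-04T10:02:00Z bastion sshd[1210]: Failed password for root from 198.51.100.9 port 40001 ssh2
2021-05-04T10:02:01Z bastion sshd[1211]: Failed password for root from 198.51.100.9 port 40002 ssh2
2021-05-04T10:02:02Z bastion sshd[1212]: Failed password for root from 198.51.100.9 port 40003 ssh2
2021-05-04T10:02:03Z bastion sshd[1213]: Failed password for root from 198.51.100.9 port 40004 ssh2
2021-05-04T10:02:04Z bastion sshd[1214]: Failed password for root from 198.51.100.9 port 40005 ssh2
2021-05-04T10:02:05Z bastion sshd[1215]: Failed password for root from 198.51.100.9 port 40006 ssh2
2021-05-04T10:05:00Z bastion sshd[1220]: Failed password for grace from 192.0.2.33 port 52000 ssh2
2021-05-04T10:05:12Z bastion sshd[1221]: Accepted password for grace from 192.0.2.33 port 52001 ssh2
"""


def parse(log_text: str) -> list:
    """Extract timestamp, outcome, user and source IP from each auth line."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:  # lines that are not authentication results are ignored
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "ok": m["result"] == "Accepted",
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def correlate(events: list, min_accounts=5, min_attempts=5, window_minutes=10) -> list:
    """Return one finding per source IP that trips a rule within one window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds() / 60
        if span > window_minutes:
            continue  # kept simple: only bursts inside a single window
        failures = [e for e in evs if not e["ok"]]
        per_account = defaultdict(int)
        for e in failures:
            per_account[e["user"]] += 1
        kinds = []
        # Spraying: many distinct accounts, but each tried only once or twice,
        # which stays under a per-account lockout threshold.
        if len(per_account) >= min_accounts and max(per_account.values(), default=0) <= 2:
            kinds.append("password spraying")
        # Brute force: one account hammered repeatedly from the same source.
        if any(n >= min_attempts for n in per_account.values()):
            kinds.append("brute force")
        succeeded = sorted({e["user"] for e in evs if e["ok"]})
        if kinds and succeeded:
            kinds.append("success after failures: " + ",".join(succeeded))
        if kinds:
            findings.append({"ip": ip, "accounts": len(per_account),
                             "failures": len(failures), "kinds": kinds})
    return findings


if __name__ == "__main__":
    for f in correlate(parse(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['accounts']} account(s), {f['failures']} failure(s) -> {f['kinds']}")
```

The single mistyped-then-correct login from 192.0.2.33 produces no finding, which is the point of correlating rather than alerting on every failure; the thresholds are starting values to tune against the environment's own baseline.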


[Diagram: SIEM architecture. Security devices and information sources feed records into the SIEM, which performs aggregation; rules come from analysts, vendors and threat feeds; the SIEM produces alerts on a management console and triggers automated responses.]

Tool: Description

Intrusion Detection System: Monitor a host or network for signs of intrusion and report to administrators.

Intrusion Prevention System: Monitor a host or network for signs of intrusion and attempt to block malicious traffic automatically.

Security Information & Event Management: Aggregate and correlate security information received from other systems.

Firewall: Restricts network traffic to authorized connections.

Application Whitelisting: Limits applications to those on an approved list.

Application Blacklisting: Blocks applications on an unapproved list.

Sandbox: Provides a safe space to run potentially malicious code.

Honeypot: System that serves as a decoy to attract attackers.

Honeynet: Unused network designed to capture probing traffic.

DNS Sinkhole: Uses false DNS replies to block access to known malicious sites.

VPN Concentrator: Provides a central aggregation point for VPN connections.

Proxy Server: Makes requests to other servers on behalf of an end user, providing anonymization and performance enhancement.

Data Loss Prevention: Blocks the exfiltration of sensitive information from an organization.

Mail Gateway: Screens inbound messages for malicious content.

Cloud Access Security Broker (CASB): Service that intercepts requests headed for cloud services to confirm their compliance with organizational security policies.

Hardware Security Module (HSM): Stores and manages encryption keys.

Security orchestration, automation, and response (SOAR) platforms take SIEM technology to the next level by incorporating high degrees of automation and coordination between different security solutions. The Security Content Automation Protocol (SCAP) facilitates this interconnectivity.

Email headers provide information about the path traveled by email messages across the network, although they are susceptible to forgery. DomainKeys Identified Mail (DKIM) allows organizations to sign both the body of the message and elements of the header to prove their authenticity. Sender Protection Framework (SPF) allows organizations to publish a list of authorized mail servers for their domains. Domain-based Message Authentication, Reporting, and Conformance (DMARC) uses SPF and DKIM to determine whether messages are authentic.

Threat hunting presumes that intruders have already compromised an organization's network and searches for indicators of compromise that demonstrate their presence and activity.

Domain 4: Incident Response

When responding to a security incident, be prepared to use the NIST four-stage process: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activities.

As you prepare for an incident response effort, you should develop an incident communication plan that uses secure means of communication to limit communication to trusted parties and prevent the inadvertent release of information.

Generally, you are not required to disclose security incidents to law enforcement unless you choose to do so or are subject to legal or regulatory requirements.

Your incident response team should include representatives from all relevant internal teams:
• Cybersecurity
• Other technology experts
• Legal
• Human resources
• Public relations
• Senior leadership

You should also have your team prepared to coordinate with external groups that are not represented directly on the team, including law enforcement and regulatory bodies.

Incident response plans should base the severity of an incident on the criticality of data involved, paying particular attention to:
• Personally identifiable information (PII)
• Protected health information (PHI)
• Personal financial information
• Sensitive personal information (SPI)
• Intellectual property and other corporate high-value assets

The preparation phase of incident response should include training, testing, and documentation of procedures.

The detection and analysis phase of incident response determines that an incident is underway and determines the severity level and appropriate response.

The objective of the containment phase is to limit the damage caused by the incident through the isolation of affected systems and assets. This is closely linked to eradication and recovery efforts that seek to restore normal operations.

During the post-incident activities phase, the organization conducts a lessons learned process, updates change management records, determines what evidence should be retained, writes an incident report, and makes any necessary updates to the incident response plan.

Indicators of compromise (IoC) are items of unusual activity that may suggest a security incident and require further investigation.

Network-based IoC include:
• Bandwidth consumption/spikes
• Beaconing, scanning, and sweeping
• Peer-to-peer communication
• Rogue devices


Host-based IoC include:
• Processor consumption
• Memory consumption
• Storage consumption
• Presence of unauthorized software/processes
• Unauthorized modifications to system files/registry/privileges
• Unauthorized scheduled tasks
• Data exfiltration

Application-based IoC include:
• New accounts
• Unexpected output or outbound communication
• Service interruptions
• Unusual log entries

The presence of any single IoC does not necessarily mean a security incident is taking place, but it does suggest the need for further investigation.

Analysts can collect network traffic using the graphical Wireshark packet capture tool or the command-line tcpdump packet capture tool. They may send captured packets back out on the network using the tcpreplay tool.

Forensic investigations make use of a set of special-purpose forensic tools, including:

Tool         Purpose
dd           Creates a disk image at the command line
FTK imager   Commercial disk imaging tool
WinHex       Hexadecimal file editor
memdump      Linux memory analysis tool
Autopsy      Suite of forensic tools

File carving techniques allow you to comb through the unallocated space of a hard disk image and recover files and other interesting data that might be present.

Organizations should issue a legal hold whenever they have a reasonable expectation that litigation may occur. This legal hold should instruct employees to retain all relevant records and disable any automated jobs that would delete relevant records.

Domain 5: Compliance and Assessment

Security controls are divided into three categories, based upon how they function:

Category: Description
Managerial: Procedural mechanisms that focus on the mechanics of the risk management process
Operational: Processes that we put in place to manage technology in a secure manner
Technical: Use technological means to meet a security objective

We can also classify security controls into six different types, based upon what they are designed to achieve:

Type: Description
Preventative: Stops an adversary from violating security policies
Detective: Identifies potential violations of security policies
Corrective: Restores the original state after a security incident
Deterrent: Discourages an adversary from attempting a violation of a security policy
Compensating: Fills the gap left when it is not possible to implement a required control
Physical: Uses physical constraints to meet a security objective

Privacy and security are closely related but have different objectives. Security controls seek to protect the confidentiality, integrity, and availability of information belonging to the organization. Privacy focuses on the protection of individuals by limiting the ways that the organization can collect, store, and use personal information. Purpose limitation is a core privacy concept that says organizations may only use data for the purposes they disclosed when collecting it.

Risks are the combination of a threat and a corresponding vulnerability.

Quantitative risk assessment uses the following formulas:

Single Loss Expectancy (SLE) = Asset Value * Exposure Factor
Annualized Loss Expectancy (ALE) = Annualized Rate of Occurrence (ARO) * SLE

Responses to a risk include:
• Avoid risk by changing business practices
• Mitigate risk by implementing controls
• Accept risk and continue operations
• Transfer risk through insurance or contract

Information should be classified based upon its sensitivity to the organization.

[Diagram: information classification, with increasing sensitivity from bottom to top. Government labels on the left, private sector labels on the right.]
Government      Private Sector
TOP SECRET      HIGHLY SENSITIVE
SECRET          SENSITIVE
CONFIDENTIAL    INTERNAL
UNCLASSIFIED    PUBLIC

Information should be labeled with its classification and security controls should be defined and appropriate for each classification level.

Data Role: Description
Data Owner: Senior-level executive who establishes rules and determines controls
System Owner: Individual responsible for overseeing secure operation of systems
Data Processor: Individual with access to personal or sensitive information

Data minimization techniques lower risk by decreasing the amount of sensitive information maintained by the organization. When data can't be eliminated, data obfuscation techniques may render it less sensitive.


Data obfuscation techniques include:
• Hashing uses a hash function to transform a value in our dataset to a corresponding hash value.
• Tokenization replaces sensitive values with a unique identifier using a lookup table.
• Masking partially redacts sensitive information by replacing some or all of sensitive fields with blank characters.

Data retention standards describe how long the organization should preserve records. Data that is no longer needed should be securely destroyed.

The principle of data sovereignty says that data is subject to the legal requirements of any jurisdiction where it is collected, stored, processed, or transmitted.

Security frameworks provide templates for security activities. These include COBIT, NIST CSF, and ISO 27001/2.

Due care is taking reasonable steps to protect the interest of the organization. Due diligence ensures those steps are carried out.

Security governance is carried out through:
• Policies which state high-level objectives (mandatory compliance).
• Standards which state detailed technical requirements (mandatory compliance).
• Procedures which provide step-by-step processes (mandatory compliance).
• Guidelines which offer advice and best practices (optional compliance).

Security baselines, such as NIST SP 800-53, provide a standardized set of controls that an organization may use as a benchmark.

Typically, organizations don't adopt a baseline standard wholesale, but instead tailor a baseline to meet their specific security requirements.

Audits of cloud service providers and other managed service providers should take place using the Service Organization Controls (SOC) standard, published in the Statement on Standards for Attestation Engagements #18 (SSAE 18).

There are three categories of SOC audits:
• SOC 1 audits provide customers with the level of assurance they need when conducting their own financial audits.
• SOC 2 audits evaluate the service provider's confidentiality, integrity, and availability controls. They contain sensitive information.
• SOC 3 audits also evaluate confidentiality, integrity, and availability but are meant for public disclosure.

And there are two types of SOC 1 and SOC 2 audits:
• Type I audits describe the controls that the service provider has in place and offer an opinion on their suitability, but not their effectiveness.
• Type II audits describe the controls that the service provider has in place, offer an opinion on their suitability, and also provide the results of auditors' effectiveness tests.

SOC 1 and 2 audits can have type I or II reports. SOC 3 audits do not have different type reports.

Cybersecurity exercises use several types of participants:
• Blue team members are responsible for defending systems from attack
• Red team members are responsible for playing the role of an attacker, seeking to undermine security controls
• White team members are responsible for evaluating and managing the exercise as neutral parties

Purple team exercises bring the members of the red and blue team together so that they may observe and learn from each other's tactics.

Tabletop exercises do not conduct actual offensive or defensive operations but instead gather the team to discuss their response to a fictitious scenario.
