Certification Study Guide - CC by Kevin Henry

The document provides a study guide for the CC™ (Certified in Cybersecurity) certification. It covers security principles, risk management, controls, ethics and various cybersecurity concepts. It includes objectives, essential information, terminology and self-assessment questions for each certification domain.


CC™ (Certified in Cybersecurity)

Kevin Henry

Study Guide
I am excited that you are on the journey to get your CC™ (Certified in Cybersecurity)
certification. This study guide is meant to complement the CC™ (Certified in Cybersecurity)
video courses on Pluralsight.

Here are a few tips to help you get the most out of these resources:
1. Print this out before you start the video courses.
2. Follow along with the courses, and complete the self-assessment questions for each
course to test your understanding.
3. Keep this document after you finish the course as a part of the materials you will use
to study for the exam.

The CC certification is based on an exam outline that covers five domains of essential
knowledge. It is important to review all five of the Pluralsight courses in the order they are
listed in your journey to achieve this certification. Follow along with the courses in this path,
and then register for the exam.

Reach out on LinkedIn to let me know how you are doing along the way.

Kevin Henry


Table of Contents
Security Principles for CCSM
Checklist of Exam Objectives: Areas to Study
Exam Essentials: What You Need to Know
Important Terminology
Self-Assessment Questions: Test your Understanding

Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts for CCSM
Checklist of Exam Objectives: Areas to Study
Exam Essentials: What You Need to Know
Important Terminology
Self-Assessment Questions: Test your Understanding

Access Controls Concepts for CCSM
Checklist of Exam Objectives: Areas to Study
Exam Essentials: What You Need to Know
Important Terminology
Self-Assessment Questions: Test your Understanding

Network Security for CCSM
Checklist of Exam Objectives: Areas to Study
Exam Essentials: What You Need to Know
Important Terminology
Self-Assessment Questions: Test Your Understanding

Security Operations for CCSM
Checklist of Exam Objectives: Areas to Study
Exam Essentials: What You Need to Know
Important Terminology
Self-Assessment Questions: Test your Understanding


Security Principles for CCSM

Checklist of Exam Objectives: Areas to Study
1.1 Understand the security concepts of information assurance
● Confidentiality
● Integrity
● Availability
● Authentication (e.g., methods of authentication, multi-factor authentication (MFA))
● Non-repudiation
● Privacy

1.2 Understand the risk management process
● Risk management (e.g., risk priorities, risk tolerance)
● Risk identification, assessment, and treatment

1.3 Understand security controls
● Technical controls
● Administrative controls
● Physical controls

1.4 Understand (ISC)2 Code of Ethics
● Professional code of conduct

1.5 Understand governance processes
● Policies
● Procedures
● Standards
● Regulations and laws

Exam Essentials: What You Need to Know

Golden Keys
The requirements for an information security program are:
● To align with business mission goals and objectives
● To have senior management support
● To provide governance of the information security program

The Information Security Triad
● Confidentiality (also addresses privacy and secrecy)
● Integrity
● Availability

Other Information Security Concepts
● Authentication
○ Of users and processes requiring access
○ Multi-factor authentication (MFA) is better than single-factor authentication
● Non-repudiation

Risk Justifies Controls
● Controls must be traceable back to the risk that justified them, to ensure that they
actually address that risk.
● Controls come with a cost—in performance, maintenance, and potential control
failure. Therefore, controls should only be used when necessary.
● Governance of the information security program is achieved with policies, together
with the procedures, baselines, and standards used to enforce policy.

Information Security Policy
● Management’s statement of intent and commitment to the information security
program
● Must be signed by management
● Grants authority to the security function

Procedures
● Step-by-step actions
● Mandated to accomplish a task in compliance with the intent of policy

Baselines
Implementation-specific minimum acceptable requirements for controls or configuration

Standards
Mandated requirements for hardware or software; or the use of external standards such as
ISO standards as a template for internal processes

Compliance
Having a record of activity to prove compliance

Ethics
● It’s important to develop and communicate an organizational ethics policy.
● Be familiar with the four main principles (canons) of the ISC2 Code of Ethics.
● Know their order of importance.


Important Terminology
Asset — An entity with value to its owner

Attack — Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or
destroy information system resources or the information itself (CNSSI 4009)

Availability — The measure of the criticality of an entity and the value of the entity in
supporting a business process

Compliance — Proven adherence to standards

Confidentiality — The protection of sensitive data from unauthorized disclosure

Covert channel — A hidden channel that releases information in violation of policy

Due Care — The actions taken by a reasonable, prudent person to protect others from
unreasonable harm

Due Diligence — The enforcement of the actions of due care

Encryption — The process of rendering sensitive data unreadable through substitution and
transposition using a mathematical function (algorithm)

Incident — An adverse event with the potential to affect the business mission

Information Security Risk — The risk to organizational operations (including mission,
functions, image, reputation), organizational assets, individuals, other organizations, and the
nation due to the potential for unauthorized access, use, disclosure, disruption, modification,
or destruction of information and/or information systems (NIST SP 800-30r1)

Integrity — The measure of accuracy or precision of an entity or process

Masking — The overwriting or hiding of sensitive information by hiding characters as they
are entered or displayed

Non-repudiation — The ability to link actions to an individual entity

Obfuscation — To hide sensitive information from unauthorized disclosure by replacing
sensitive information with non-sensitive values

Residual Risk — The portion of risk remaining after security measures have been applied
(CNSSI 4009)

Risk Acceptance — The level of risk within the limits set by the risk owner

Social Engineering — The manipulation of a person to induce them to do something they
should not do

Threat — Any circumstance or event with the potential to adversely impact organizational
operations (including mission, functions, image, or reputation), organizational assets,
individuals, other organizations, or the nation through an information system via
unauthorized access, destruction, disclosure, or modification of information, and/or denial of
service (CNSSI 4009)

Tokenization — The replacement of sensitive data with a non-sensitive token value that can
be linked back to the sensitive data by authorized personnel

Vulnerability — Weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited by a threat source (CNSSI 4009)
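The Masking and Tokenization definitions above differ in one practical way: masking changes only how a value is displayed, while tokenization removes the value from the system and keeps the link back to it behind an authorization check. The following is an added example (not part of the study guide) that shows both for a payment card number; the card number, the vault and the authorized role name are constructed.

```python
"""Masking versus tokenization for a payment card number (PAN).

Added example for this guide's Masking, Obfuscation and Tokenization
definitions; it is not the guide's own material. The PAN, the vault and
the authorized-role list are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field


def mask_pan(pan: str, visible: int = 4) -> str:
    """Masking: hide characters as they are displayed.

    The real PAN still exists wherever it was stored; only the presentation
    changes, so masking protects a screen or a receipt, not the database.
    """
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - visible) + digits[-visible:]


@dataclass
class TokenVault:
    """Tokenization: replace the PAN with a non-sensitive token.

    The token is random, not derived from the PAN, so systems that store only
    tokens hold nothing of value to a thief. The link back to the PAN exists
    only inside the vault and is released only to authorized roles.
    """
    authorized_roles: frozenset = frozenset({"payments-ops"})   # constructed
    _pan_by_token: dict = field(default_factory=dict, repr=False)
    _token_by_pan: dict = field(default_factory=dict, repr=False)

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (13 <= len(digits) <= 19 and digits.isdigit()):
            raise ValueError("not a card number")
        if digits in self._token_by_pan:            # same card, same token
            return self._token_by_pan[digits]
        token = "tok_" + secrets.token_hex(8)        # 16 hex chars, no PAN bits
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def can_detokenize(self, role: str) -> bool:
        return role in self.authorized_roles

    def detokenize(self, token: str, role: str) -> str:
        """Link the token back to the PAN, only for authorized personnel."""
        if not self.can_detokenize(role):
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._pan_by_token[token]


def record_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """What an e-commerce order record keeps: a token the payment processor
    can charge later and a masked form customer service can display.
    The PAN itself is never stored in the order system."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan), "amount": amount}
```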

Self-Assessment Questions: Test your Understanding

1. The organization has a system that must operate reliably to support business
operations. What security concept must be addressed with this system?
a. Confidentiality
b. Integrity
c. Availability
d. Non-repudiation

2. The organization is conducting a risk assessment that determines the level of risk to a
business process. What must be determined to calculate this level of risk?
a. Risk treatment
b. Risk monitoring
c. The value of the asset
d. Frequency of vulnerabilities

3. A business process is to be protected using a control. Which control is the best to
implement?
a. Administrative
b. Technical
c. Logical
d. A combination of all three

4. An improperly configured router would be an example of a:
a. Threat event
b. Threat agent
c. Compensating control
d. Vulnerability

5. Which document mandates the behavior of employees?
a. Baseline
b. Risk register
c. Policy
d. Guideline

6. Who can accept risk on behalf of the organization?
a. CISO
b. IT manager
c. Risk owner
d. Risk assessor

7. What is the best control to mitigate against social engineering?
a. Awareness
b. Firewall
c. Anti-virus
d. Access control

8. What is the core principle of ethics related to?
a. Law
b. Harm
c. Policy
d. Religion

9. What is a key requirement of many privacy laws?
a. Breach notification
b. Encryption
c. Availability
d. Firewall configuration

10. The step-by-step list of actions an administrator should follow when setting up a new
user account is known as a:
a. Procedure
b. Standard
c. Functional policy
d. Baseline

11. An organization has determined that the cost of mitigating a risk is higher than the
value of the asset being protected. How was this determined?
a. Risk assessment
b. Cost/benefit analysis (CBA)
c. Control selection
d. Threat modeling

12. An ineffective security control may be an example of a:
a. Vulnerability
b. Threat
c. Defense in depth
d. Asset

13. A risk owner may accept a risk that is above the normal risk acceptance level. What is
this known as?
a. Risk tolerance
b. Risk mitigation
c. Risk avoidance
d. Total risk

14. A Certified in Cybersecurity certification holder does not report a serious problem with
another employee’s actions to management because the other employee is a friend.
Which principle of the (ISC)2 code of ethics does this violate?
a. Provide diligent and competent service to principals
b. Do no harm
c. Protect society and the common good
d. Advance and protect the profession

15. What type of control is a smoke detector?
a. Compensating
b. Safeguard
c. Recovery
d. Countermeasure


Answers to Self-Assessment Questions

1. C — Availability is measured by the criticality of an entity.
2. C — A risk assessment level is dependent on the value of the process affected.
3. D — Almost all controls require the use of all three types of controls to be effective: a
firewall (technical control) needs to be protected from damage (physical control) and
properly administered (administrative control).
4. D — A vulnerability is a weakness or gap in controls that could be exploited by a
threat.
5. C — A policy mandates what an employee may, or may not, do.
6. C — The risk owner is the only person that can accept risk. The risk owner may be a
CISO but not necessarily.
7. A — Awareness is more effective than technical controls.
8. B — The core principle of ethics is ‘do no harm.’
9. A — Many laws specify the need to protect data but do not specify the algorithms that
must be used. Laws frequently require notification in the event of a breach.
10. A — A procedure mandates the steps that must be followed when performing a task.
11. B — The determination of benefit (protecting the asset) does not justify the cost of the
control.
12. A — A vulnerability is a weakness in, or lack of, a control.
13. A — This is an example of tolerating a risk, perhaps because the cost of mitigation is
too high.
14. A — We must do our work ethically on behalf of our principals (employers, customers).
15. D — A smoke detector is a countermeasure that operates when there is a potential
adverse event, so it is not a safeguard since it does not prevent a fire.


Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts for CCSM

Checklist of Exam Objectives: Areas to Study
2.1 Understand Business Continuity (BC)
● Purpose
● Importance
● Components

2.2 Understand Disaster Recovery (DR)
● Purpose
● Importance
● Components

2.3 Understand Incident Response
● Purpose
● Importance
● Components

Exam Essentials: What You Need to Know

Investigations
Chain of custody, gathering and preserving evidence, analysis and reporting

Monitoring
Log management, types of firewalls, host- and network-based IDS and IPS, egress monitoring,
anti-virus

Configuration Management
Change control, baselines, patch management

Media Protection
Number of uses, age, environmental protection

Incident Management
The process, lessons learned to improve response

BCP/DRP
The process, types of tests, terminology: BIA, RPO, SDO, RTO, MTD


Personnel Security
Awareness, safety

Important Terminology
Business Impact Analysis (BIA) — The determination of the impact of a disruption to the
business mission (delivery of products and services) over the duration (time) of the disruption

Cold Site — A building that can be converted into an IT operations center; must have power,
HVAC, and network communications to be considered a viable cold site

Duress — When a person is forced/pressured to do something against their will

Hot Site — A fully equipped site for recovery of IT operations; may be a commercially-owned
site or a mirrored site owned by the organization

Maximum Tolerable Downtime (MTD) — The longest time that a critical product or service
(business process) could be unavailable before the business is likely to suffer irreparable
harm (also Maximum Allowable Downtime (MAD) or Maximum Tolerable Period of
Disruption (MTPD))

Maximum Tolerable Outage (MTO) — The longest time that a business can continue to
operate in a disrupted state before the business would suffer irreparable harm

Recovery Point Objective (RPO) — The data recovery point that indicates the maximum
amount of data that would be lost following a disruption

Recovery Time Objective (RTO) — The desired scheduled time for the recovery of a business
operation; the most critical business functions have the shortest RTO

Restoration — The process of returning to normal business operations following a disruption;
restoration is usually performed in reverse order from recovery, and it restores the least
critical business processes first

Service Delivery Objective (SDO) — The level of service that must be reached by the RTO;
the SDO is usually a percentage of normal operational capability

Warm Site — A partially equipped site for recovery of IT operations; would require additional
hardware to bring it into operational status


Self-Assessment Questions: Test your Understanding

1. What is the FIRST priority of an incident response plan?
a. Be prepared
b. Protect life
c. Contain the damage
d. Recover to normal

2. What is the ultimate objective of incident response once an organization has
experienced a serious incident?
a. Minimize damage
b. Relocate to an alternate location
c. Resume normal operations
d. Document all incident management actions

3. What is the first step in incident response planning?
a. Enable incident detection
b. Contain the damage
c. Be prepared
d. Apply lessons learned

4. The business continuity team has been asked to provide input into the BIA
calculations. From which perspective should the BIA be conducted?
a. The user perspective
b. The business perspective
c. The IT perspective
d. The regulatory perspective

5. What is a key component of a successful incident response plan?
a. Management support
b. Preparation for worst-case scenarios
c. Excellent technical skills
d. Meeting the Recovery Time Objective (RTO)

6. What is the difference between an incident and an event?
a. All incidents are types of events
b. All events are also incidents
c. Incidents require re-location of critical services
d. An event always has adverse consequences


7. The business continuity plan for recovery of critical business processes following a
serious incident is based on:
a. Recovery Point Objective (RPO)
b. Maximum Tolerable Outage (MTO)
c. Recovery Time Objective (RTO)
d. Allowable Interruption Window (AIW)

8. What is a risk associated with using tape for the backups of critical data?
a. Lost data
b. Time required to restore data
c. Length of time between backups
d. Tapes have a higher cost

9. What is the advantage of reviewing the lessons learned from an incident a few days
after the incident instead of only reviewing immediately?
a. Better analysis without the emotion of the moment
b. Fewer people are involved in the discussion
c. More data can be remembered
d. Incident documentation is available

10. The priority for recovery of critical business processes is determined by:
a. Business Impact Analysis (BIA)
b. Cost of recovery
c. Maximum Tolerable Period of Disruption (MTPD)
d. Recovery Point Objective (RPO)

11. What is the purpose of Disaster Recovery Planning (DRP)?
a. Relocation of services to an alternate site
b. Restoration of critical business operations
c. Emergency response and preparedness
d. Provide leadership and authority during a crisis

12. During a serious incident that requires the use of a Business Continuity Plan, the most
critical business operations are recovered first. When the organization returns to
normal operations, which services should have first priority?
a. The most critical business operations
b. All services should be recovered simultaneously
c. The least critical business processes
d. Customer-facing systems

13. Which of the following is NOT normally part of recovery resource requirements?
a. Data
b. Equipment
c. Supply chain
d. Security

14. The security manager is invited to a test of the business continuity plan. All the key
team members will meet in a boardroom and describe their role in the event of a
crisis. Which type of test is this likely to be?
a. Desktop
b. Simulation
c. Walkthrough
d. Parallel

15. How frequently should a Business Continuity Plan be tested?
a. Daily
b. Monthly
c. Annually
d. Only following a major update


Answers to Self-Assessment Questions

1. B — All of the answers are good, but life safety is always the first priority.
2. C — Containment and mitigation are important, but they are the means to
accomplish the ultimate objective, which is to get back to normal. All steps taken
should be documented.
3. A — A tough question, but the best option is to be prepared, even for unexpected
incidents where there is no detection to enable. We must choose the best answer
from the answers provided, not just look for the answer we would like to see.
4. B — A BIA is a BUSINESS impact analysis. That should include the other answers as
well.
5. A — Without management support any plan is sure to fail during times of crisis.
6. A — This is the only correct answer. Not all events are incidents, and most events do
not have an adverse impact on business operations.
7. C — The BCP is based on the Recovery Time Objective (RTO) for critical business
processes.
8. A — It takes a longer time to recover from tape than from other media such as solid-state
drives. The other factors such as lost data or time between backups may affect any
backup media and are not only a tape problem.
9. A — Immediately following the incident, people may be tired and emotionally
exhausted. There is more opportunity for anger or unkind comments. When people
have had a chance to rest and think about the incident, they may be able to provide
more analysis and thoughtful input. The disadvantage in waiting is that some people
may not be available. In all cases, the incident documentation should be available.
10. A — The BIA is used to identify critical business functions and the priority for recovery.
11. A — A disaster recovery plan addresses the need to relocate operations to an alternate
site, especially IT operations. The other answers apply to Incident Response and
Business Continuity.
12. C — The least critical services are ‘restored’ to ‘normal’ first in order to test the systems
and operations at the new location without jeopardizing the most critical services.
Remember that ‘normal’ following a crisis may not be the same as ‘normal’ was prior
to the crisis.
13. D — The recovery resource requirements identified during a BIA are facilities,
personnel, data, equipment, and supply chain.
14. C — This is most likely a walkthrough. The key team members are involved as a team.
In a read-through or desktop, the test is not done as a team. A parallel test operates
the test while still continuing normal operations. A simulation involves executing
parts of the plan.
15. B — Best practice states that a BCP should be tested at least annually, or more
frequently if possible.


Access Controls Concepts for CCSM

Checklist of Exam Objectives: Areas to Study
3.1 Understand physical access controls
● Physical security controls (e.g., badge systems, gate entry, environmental design)
● Monitoring (e.g., security guards, closed-circuit television (CCTV), alarm systems, logs)
● Authorized versus unauthorized personnel

3.2 Understand logical access controls
● Principle of least privilege
● Segregation of duties
● Discretionary Access Control (DAC)
● Mandatory Access Control (MAC)
● Role

Exam Essentials: What You Need to Know

Remember that access control is about letting the ‘right’ entities (people, processes)
perform the ‘right’ tasks, not just about keeping people out.

Access controls pertain to both logical (technical) and physical controls.

Know the Identity Management lifecycle, especially termination of access.

Be familiar with the IAAA, including the function of each step.

Single Sign On has benefits and disadvantages. Know how to implement and manage the
risk of single sign on.

Most access control implementations are based on discretionary access control. This is where
the asset owner makes the decision on who gets access and what level of access they get.
Mandatory Access Control (MAC) requires compliance with policy as well as the owner’s
consent. In MAC, the owner’s decision enforces need-to-know.

Be familiar with the implementations of Federated Identity Management.

RBAC (Role Based Access Control) is based on personnel with similar or identical access
requirements; in this way, it may violate the principle of least privilege.


Important Terminology
Accounting or Auditing (as part of identity and access management) — The tracking and
recording of all activity on a system; establishes a link between activities and the unique
identifier of the entity that executed the activity

Authentication — To verify or validate the identity

Authorization — The rights or privileges granted to an authorized user

Discretionary Access Control (DAC) — The majority of systems in the world are based on
DAC. In DAC the owner of the asset determines what level of access is granted, and to whom
the access is granted. The system just enforces the access decision made by the owner.

Federated Identity Management (FIM) — ‘Single sign on for the web;’ use of an identity
provider to review the login of a subject (client, relaying party) and provide proof of
authentication (security assertion) to a relying party (merchant).

Identity Management Lifecycle — The need to actively manage identities throughout the
identity lifecycle, from provision to maintenance to de-provisioning

Mandatory Access Control (MAC) — Access that is mandated by policy and provides a more
stringent level of access than discretionary access control. MAC enforces separation of duties
and requires labeling of assets and users, and it requires consent of asset owners and
compliance with policy before access is granted.

Multi-factor Authentication (MFA) — The use of more than one factor to authenticate an
identity. The factors are based on: what you know; what you have; and what you are.
Standards often require the use of two different factors in order to be considered MFA.

Role Based Access Control (RBAC) — Access permissions based on a defined job role; a job
role may include entities (persons or processes) with identical or similar access requirements

Rule Based Access Control — Access permissions based on explicit rules that may permit or
deny access

Privileged Access Accounts — A higher risk to the organization since the higher levels of
access can be misused. Requires compensating controls – more supervision; monitoring of
actions, removal of access when no longer required, etc.

Public Key Infrastructure (PKI) — The deployment of Public Key Cryptography (asymmetric
algorithms) using digital certificates to authenticate users and devices to enable secure
communications
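The DAC, MAC, RBAC and Rule Based definitions above describe four different ways of answering the same question: may this subject perform this action on this object? The following is an added example (not part of the study guide) that evaluates one request under each model so the differences stand out: the owner's ACL for DAC, clearance plus need-to-know plus owner consent for MAC, a role bundle for RBAC, and a location rule for the attribute-based case from the self-assessment questions. The subjects, labels, roles and the "on-site only" rule are constructed.

```python
"""DAC, MAC, RBAC and attribute/rule-based access control side by side.

Added example for this guide's access-control terminology; it is not the
guide's own material. Subjects, objects, labels, roles and the location
rule are constructed for illustration.
"""
from dataclasses import dataclass, field

# MAC sensitivity levels, lowest to highest (constructed ordering).
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass
class Subject:
    name: str
    clearance: str = "public"                 # MAC: label on the user
    need_to_know: frozenset = frozenset()     # MAC: compartments cleared for
    roles: frozenset = frozenset()            # RBAC: job roles held
    location: str = "office"                  # ABAC: attribute of the request


@dataclass
class Obj:
    name: str
    owner: str                                # DAC: who decides
    classification: str = "public"            # MAC: label on the asset
    compartments: frozenset = frozenset()     # MAC: need-to-know categories
    acl: dict = field(default_factory=dict)   # DAC: user -> set of permissions


def dac_grant(grantor: Subject, obj: Obj, grantee: str, perm: str) -> None:
    """DAC lets the owner delegate: only the owner may edit the object's ACL."""
    if grantor.name != obj.owner:
        raise PermissionError(f"{grantor.name} does not own {obj.name}")
    obj.acl.setdefault(grantee, set()).add(perm)


def dac_allows(s: Subject, obj: Obj, perm: str) -> bool:
    """DAC: the system only enforces the decision the owner recorded in the ACL."""
    return s.name == obj.owner or perm in obj.acl.get(s.name, set())


def mac_allows(s: Subject, obj: Obj, perm: str) -> bool:
    """MAC: policy is enforced on top of the owner's consent.

    The subject's clearance must be at or above the object's classification
    and must cover every compartment on the object (need-to-know); even then
    the owner must still have granted access, so MAC is stricter than DAC.
    """
    cleared = LEVELS.index(s.clearance) >= LEVELS.index(obj.classification)
    return cleared and obj.compartments <= s.need_to_know and dac_allows(s, obj, perm)


def rbac_allows(s: Subject, obj: Obj, perm: str, role_perms: dict) -> bool:
    """RBAC: permissions hang off roles, not individuals. Everyone in a role
    gets the whole bundle, which is how RBAC can over-grant (least privilege)."""
    return any((obj.name, perm) in role_perms.get(role, set()) for role in s.roles)


def location_rule_allows(s: Subject, obj: Obj, perm: str) -> bool:
    """Rule/attribute-based: an explicit rule on a request attribute.
    Constructed rule: confidential or higher data may only be read on-site."""
    sensitive = LEVELS.index(obj.classification) >= LEVELS.index("confidential")
    return (not sensitive) or s.location == "office"


def decide(s: Subject, obj: Obj, perm: str, role_perms: dict) -> dict:
    """Evaluate one request under each model so the differences are visible."""
    return {
        "DAC": dac_allows(s, obj, perm),
        "MAC": mac_allows(s, obj, perm),
        "RBAC": rbac_allows(s, obj, perm, role_perms),
        "rule": location_rule_allows(s, obj, perm),
    }


def demo() -> dict:
    """Constructed scenario: alice owns a confidential report in compartment project-x."""
    alice = Subject("alice", clearance="secret", need_to_know=frozenset({"project-x"}),
                    roles=frozenset({"analyst"}))
    bob = Subject("bob", clearance="confidential", roles=frozenset({"analyst"}),
                  location="home")                      # cleared, but no need-to-know
    report = Obj("q3-report", owner="alice", classification="confidential",
                 compartments=frozenset({"project-x"}))
    dac_grant(alice, report, "bob", "read")             # owner delegates read to bob
    role_perms = {"analyst": {("q3-report", "read")}}   # bundle every analyst receives
    return {"alice": decide(alice, report, "read", role_perms),
            "bob": decide(bob, report, "read", role_perms)}
```

In the constructed scenario bob is allowed under DAC (the owner granted it) and under RBAC (the analyst role carries it), but denied under MAC (no need-to-know for project-x) and by the location rule (reading from home), which is the distinction the MAC and RBAC definitions above are making.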


Self-Assessment Questions: Test your Understanding

1. The organization has a policy to change the administrator password on all servers
whenever an IT administrator leaves the organization even though all employees have
unique UserIDs and the organization uses Multi-factor Authentication. Is this a
reasonable policy?
a. No. It is a lot of work with little associated risk
b. Yes, because the former employee may know another user’s password.
c. No, because knowledge of the password will not permit access due to MFA
d. Yes, because the policy requires it.

2. A recent audit found many UserIDs on the system that were not being used. The
auditor stated that this was an unacceptable risk. Why is this a risk?
a. Because UserIDs may be used by someone else if they are not in regular use
b. Because this is a violation of least privilege
c. Because there is no way to track misuse of such UserIDs
d. Because each UserID has a licensing cost that is wasted

3. How can an organization avoid the risk of having unused UserIDs?
a. Encourage the use of shared IDs
b. Force all passwords to change every 30 days
c. Have each supervisory manager perform scheduled reviews
d. Terminate all user accounts annually and require re-enrollment

4. User access is restricted according to groupings of their job responsibilities. Which
access model is this based on?
a. Role based access control
b. Rule based access control
c. Mandatory Access Control
d. Attribute based Access Control

5. Which control can be used to prevent the hijacking of an existing remote logon
session?
a. Periodic authentication
b. Multi-factor Authentication
c. Strong password policies
d. Continuous authentication

6. PKI can be used to manage access based on which principle:
a. MFA
b. RBAC
c. Credential Management
d. Symmetric encryption

7. What term is used to indicate the correct level of access to be enforced associated
with a building?
a. Clearance
b. Object
c. Classification
d. Mandatory

8. An offensive email was sent, but the user claims that they did not send it. Which
security principle is in question here?
a. Non-repudiation
b. Authentication
c. Integrity
d. Confidentiality

9. What is commonly used to create a dynamic password?
a. Fingerprint
b. Iris scan
c. Smartcard
d. Passport

10. What can be used to substitute sensitive data with a non-sensitive value in an
e-commerce credit card transaction?
a. Masking
b. Tokenization
c. Obfuscation
d. Transposition

11. A user account was used to send an email when the user left their workstation
unattended and logged in. What control should be used to address this risk?
a. Session timeout
b. Policy
c. MFA
d. Non-repudiation

12. Which type of access control uses geographic location to determine access
permissions?
a. Attribute
b. Mandatory
c. Discretionary
d. Role Based


13. Which control is used to prevent errors or fraud?
a. Logging
b. Least privilege
c. Separation of duties
d. Collusion

14. A merchant does not want to manage user accounts for their internet-based
customers and decides to use a solution based on OpenID. What is this an example
of?
a. Single Sign On
b. Kerberos
c. Active Directory
d. XML

15. Which form of access control permits delegation of authority?
a. DAC
b. MAC
c. RBAC
d. Rule-based


Answers to Self-Assessment Questions


1. C — This is a difficult question intended to make you think and do analysis. The best
answer is probably C, but it is good to review and think about this. What are the
considerations that you would see factoring into your answer? A is incorrect since
these are admin accounts and do represent a higher level of risk than other accounts.
B is incorrect, though it may be true. Use of MFA reduces the risk of a compromised
password. D is incorrect; if a policy is wrong, then steps should be taken to change the
policy.
2. A or B — Another think-about-it question. What is the risk? How does a security-
minded person respond to such an audit in an appropriate manner? What action
should be taken, if any? B is correct but also possibly wrong. Least privilege states that
only the minimal level of access should be provided and only for the time required.
But these could be authorized users that may only need access occasionally.
Requiring them to apply for access each time they need it would be unreasonable. C
is incorrect; you should still be able to log the activity associated with a UserID. D is
partially correct since it can be a waste of money to pay for unused IDs. A is probably
the best answer (or B) because it is a risk if a UserID starts to be used by someone else
and the real owner is not aware of it since they are not using it.
3. C —Each manager should have to review the access permissions for their direct
reports and correct any access permission errors. A is wrong; we should not
encourage shared IDs that remove accountability. B is incorrect; a password change
will disable unused IDs but not remove them. D is incorrect since terminating
accounts would be an extraordinary expense and may interrupt business operations.
4. A – This is an example of RBAC—role based access control groups users with identical
or similar job functions. B is not the best answer since rules are not necessarily related
to job roles. C refers to access control theorems, and role based access control may be
based on either MAC or DAC. D is incorrect since ABAC is a granular form of access
control entitlement based on specific conditions (attributes).
5. A — A is correct but not the best answer. Periodic authentication will prevent
extended use of a hijacked session but will not prevent it like continuous
authentication will (D). B and C are more relevant to establishing a secure session.
6. C — PKI supports credential management. MFA uses two factors, and PKI may only be
one of those. RBAC may use certificates but is not the best answer. PKI is based on
asymmetric encryption, not symmetric.
7. C — A building is an object and therefore has a classification that indicates its level of
security. A user or subject has clearance. Mandatory is an access control theorem.
8. A — The user is repudiating sending the email, so this is a breach of the principle of
non-repudiation. Authentication is also in question. Was someone else able to log into
the user’s account, or did the user leave their workstation unattended but logged in?
Did the user share their password? This is what the investigator must determine.
Integrity and confidentiality are not the concepts being breached here.
9. C — A smartcard is commonly used to create a one-time (dynamic) password. The other
answers refer to biometrics and ownership with a static value.

10. B — Tokenization is used to substitute a credit card number with a token value. The
other answers may hide a credit card number from view but not substitute it.
11. B — This is a violation of policy, and policy needs to be the primary control to ensure
that a user does not leave a workstation logged in and unattended and to ensure that
staff know that sending an email from another person’s account is a strict violation of
policy. A is a compensating control that helps if the workstation is left logged in, but
only after a few minutes have passed. MFA would not apply to a session that is already
logged in.
12. A — Location is an attribute. This access may be based on the concepts of MAC, DAC,
and perhaps even on RBAC. But this is an example of ABAC.
13. C — Separation or segregation of duties is designed to catch fraud or prevent errors.
Collusion is where people work together to bypass separation of duties. Logging may
detect fraud but not prevent it. Least privilege is a good answer since limiting access
may prevent unauthorized activity, but it is not the best answer.
14. A — This is an example of Federated Identity Management (FIM), which is a type of
single sign-on for the internet. Kerberos is an example of single sign-on but is usually
used within an organization, not for internet customers. Active Directory is a commonly
used access control method but is not specific to this question. XML defines the
structure of communications, often between organizations, but it is not applicable to
the question presented.
15. A — DAC allows the delegation of authority. MAC does not permit delegation. RBAC
and rule-based may be based on either DAC or MAC.

Network Security for CCSM

Checklist of Exam Objectives: Areas to Study
4.1 Understand computer networking
● Networks (e.g., Open System Interconnection (OSI) model, Transmission Control Protocol/Internet Protocol (TCP/IP) model, Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6), WiFi)
● Ports
● Applications

4.2 Understand network threats and attacks
● Types of threats (e.g., distributed denial of service (DDoS), virus, worm, Trojan, man-in-the-middle (MITM), side-channel)
● Identification (e.g., intrusion detection system (IDS), host-based intrusion detection system (HIDS), network intrusion detection system (NIDS))
● Prevention (e.g., anti-virus, scams, firewalls, intrusion prevention system (IPS))

4.3 Understand network security infrastructure
● On-premises (e.g., power, data center/closets, Heating, Ventilation, and Air Conditioning (HVAC), environmental, fire suppression, redundancy, memorandum of understanding (MOU)/memorandum of agreement (MOA))
● Design (e.g., network segmentation (demilitarized zone (DMZ), virtual local area network (VLAN), virtual private network (VPN), micro-segmentation), defense in depth, Network Access Control (NAC), segmentation for embedded systems, Internet of Things (IoT))
● Cloud (e.g., service level agreement (SLA), managed service provider (MSP), Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), hybrid)

Exam Essentials: What You Need to Know

Golden Keys
● Security and attacks at each layer of the OSI model
● Architecting network segmentation
● Network monitoring and management

The Network Security Challenge
● Confidentiality
● Integrity
● Availability
Network Components
● Firewalls
● IDS and IPS
● DMZ and Extranet

Network Threats and Attacks
● Denial of Service (DoS)/Distributed Denial of Service (DDoS)
● Spam
● Malicious code
● Interception of data

Wireless Networks
● IEEE 802.11
● Cellular
● Satellite

Important Terminology
Botnet — Short for Robotically Controlled Network; a network of devices that is controlled
remotely often through applications called Zombies and via a Command and Control (C2)
server

Demilitarized Zone (DMZ) — A subnet that is used to support external communications and
is isolated from other networks. Often used to host web servers.

Egress Monitoring — Monitoring the traffic going out of a network

Extranet — A subnet used to communicate with semi-trusted external parties. It is isolated
from internal networks and often requires higher levels of authentication than services
located in a DMZ.

Firewall — A device that acts as a gateway and regulates traffic between two networks

IEEE 802.11 — Standards for wireless local area networks (WLAN)

IPSec — Short for Internet Protocol Security; a suite of protocols used to protect IP traffic

Local Area Network (LAN) — A network of devices connected [usually] within a local, limited
area

Load Balancing— The distribution of workload across multiple devices or channels

Man-in-the-Middle (MITM) — An attack where a person inserts themself into a
communications channel to eavesdrop on communications (passive attack) or to modify the
communications (active attack)

MODEM — Modulates and demodulates electrical signals; transforms digital data into analog
and vice versa

Network — Two or more devices that can communicate

Network Access Control (NAC) — A device that acts as a gateway controlling access to a
network.

Router — A piece of electronic equipment that connects computer networks to each other,
and sends information between networks (Cambridge dictionary)

Side Channel Attack — An attack against the operation of an integrated circuit (chip) that is
processing cryptographic functions—instead of attacking the data or the key, a side-channel
attack measures the emanations and execution power and timing from a chip thereby
disclosing data about the cryptographic functions; this data may be used to determine
factors such as key length.

SPAM — Unwanted or unsolicited email; spam can clog up networks and servers and often
contains malicious code intended to compromise the systems of the recipient

Switch — A piece of equipment on the network that receives electronic data and sends it to
the right place

Transport Layer Security (TLS) — The replacement for Secure Socket Layer (SSL) to protect
traffic at the transport layer

Trojan — Malicious code that may appear to be beneficial or harmless but contains a
damaging payload; a user is tricked into accepting the trojan without being aware of the
resulting damage

Virtual Local Area Network (VLAN) — A logical network as compared to a physical network;
may be configured as a series of ports on a physical switch or as ports located on different
switches

Virus — A type of malicious code that attaches itself to a victim’s system and then executes
its payload. Often used to damage systems and spread to other systems

Wireless Local Area Network (WLAN) — A network that connects devices over a wireless
LAN

Worm — A type of malicious code that can spread on its own without requiring a host to
support it and can spread rapidly through networks by taking advantage of vulnerable
systems

Self-Assessment Questions: Test Your Understanding


1. A bank wants to provide financial services to its clients. What type of network
communication is most common?
a. Application layer encryption
b. Transport Layer Security (TLS)
c. Internet Protocol Security (IPSec)
d. Link layer encryption

2. Which layer of the OSI stack is responsible for secure communications between two
adjacent devices?
a. Data link layer
b. Application layer
c. Network layer
d. Transport layer

3. What type of attack can alter traffic between two hosts?
a. SMURF attack
b. Ping of Death attack
c. Man-in-the-middle attack (MITM)
d. SYN Flood attack

4. An improperly configured router would be an example of a:
a. Threat event
b. Threat agent
c. Compensating control
d. Vulnerability

5. What type of attack would send malicious traffic over port 53?
a. Mail relay
b. DNS tunneling
c. IP spoofing
d. Wannacry

6. Where is a web application commonly located on a network?
a. LAN
b. WAN
c. Extranet
d. DMZ

7. Which protocol assigns an IP address to a device that wants to connect to a network?
a. DHCP
b. HTTP
c. ARP
d. MAC

8. Which layer of the OSI stack relies on data provided by the application at the source?
a. Intermediate Network
b. Destination Transport
c. Destination Application
d. Source Physical

9. Which technology can be used to securely connect an employee working remotely to
corporate systems?
a. VLAN
b. IEEE 802.11 Wireless
c. Remote Procedure Call
d. VPN

10. What does a botnet use to control infected machines?
a. Email
b. Zombies
c. SPAM
d. DNS Poisoning

11. Which of the following is a type of amplification attack—that amplifies the size of the
attack?
a. DNS reflection
b. Ping of Death
c. Man-in-the-Middle
d. ARP Poisoning

12. Which type of transmission is most reliant on line-of-sight?
a. Ethernet
b. WLAN
c. Satellite
d. IEEE 802.15

13. Which transmission media is the hardest to intercept?
a. Optical fiber
b. IEEE 802.11
c. WEP
d. Coaxial

14. What is an advantage of using SaaS instead of a locally managed application?
a. Centralized management
b. Faster response time
c. Lower operating costs
d. Better security

15. Which technology is designed to protect one network from another?
a. Encryption
b. DNS
c. Firewall
d. LAN

Answers to Self-Assessment Questions


1. B — TLS is most common for client to web-server communications. Application layer
encryption is good for email and FTP. IPSec is used for remote working and LAN-to-
LAN communications. Link layer encryption connects two adjacent devices such as a
laptop connecting to a wireless access point using protocols such as WPA2.
2. A — Link layer encryption is used for wireless and for point-to-point connections using
a stream-based algorithm installed on a chip. This is fast and secure.
3. C — An attacker in the middle of a communications session (MITM) may alter, delete
or just listen to traffic between two parties. SMURF refers to a type of ICMP-based
flooding at the network layer. The Ping of Death is a misconfigured ICMP packet. The
SYN flood sends many TCP SYN requests to overwhelm a target at the transport layer.
4. D — This is a vulnerability that may be exploited by a threat agent (or source) using a
threat event. A compensating control is an additional control to address a weakness
in other controls.
5. B — DNS usually uses port 53, which is open on most systems to allow DNS to operate.
Sending malicious traffic disguised as DNS traffic is DNS tunneling. Mail relay is based
on misconfigured mail servers on port 25. IP spoofing takes advantage of no
authentication of IPv4 headers. Wannacry was an attack (and still one of the most
common types of malicious traffic seen in 2020) against a Windows Operating
System.
6. D — A DMZ is a network commonly used for internet-facing services such as a web
application. It is not recommended to place a web application on an internal LAN. A
WAN (Wide Area Network) is used to transmit traffic between LANs. An extranet is
also internet-facing in most cases, but it is a semi-trusted network that is used for
employees working remotely or business partners and requires more authentication
than a DMZ.
7. A — DHCP assigns an IP address to a device that wants to connect to a network. HTTP
is used at the application layer. ARP associates MAC addresses with IP addresses. The
MAC address is the address of the Network Interface Card that connects a device to a
network.
8. C — The destination Application Layer reads the Application Header created by the
source Application Layer to determine how to handle the incoming data. An
intermediate network node will use Network and Data Link headers. The destination
Transport Layer will communicate back to the source Transport Layer in the case of
TCP traffic. The Source Physical Layer communicates over the physical medium with the
Destination Physical Layer.
9. D — A VPN is a good solution to protect traffic to a remote employee. A VLAN is a type
of logical network segmentation. Wireless may be used locally by either party to
connect to a Wireless Access Point, preferably using encryption such as WPA2. RPC is
a protocol used to communicate between systems.

10. B — Zombies are often used to control infected machines. Email and SPAM may be
used to distribute infections but not to control the infected machines. DNS poisoning
will send traffic to the wrong destination website.

11. A — A DNS reflection attack is often called a DNS Amplification attack. It allows the
attacker to increase the size of the attack to cause a Denial of Service. The Ping of
Death uses a very large ICMP packet to disable systems, but it does not amplify its
attack size. The Man-in-the-Middle intercepts traffic either actively (altering traffic) or
passively (monitoring traffic). ARP poisoning alters traffic routing but does not do
amplification.
12. C — A satellite signal needs line-of-sight between the satellite and the ground-based
dish. This signal can be interrupted by obstructions such as buildings, snow, or heavy
rain. Ethernet is used for wired LAN connections, and WLAN (IEEE 802.11) and
IEEE 802.15 (Wireless Personal Area Networks such as Bluetooth) do not require
line-of-sight.
13. A — Optical fiber is the hardest to intercept; not impossible, but the hardest of the
transmission media offered in the answers. Wireless is easy to intercept, and it is
easier to intercept traffic on a coaxial cable than on fiber.
14. A — An advantage of a Software as a Service (SaaS) as compared to a locally managed
application is the centralization of management. This is better for access control,
compliance, patching and support since those functions are managed together with
the Cloud Service Provider instead of local staff who may not be present in remote
offices. Since the SaaS requires internet access, it may not be as fast to respond as a
local application. There is no guarantee that either SaaS or a locally managed
application is more secure than the other. SaaS is almost certain to have higher
operating costs than a local application, but a local application often has higher
capital costs.
15. C — A firewall protects one network from another by examining and blocking
undesirable traffic. It should monitor both incoming and outgoing (egress) traffic.
DNS is concerned with routing of internet traffic to the correct location. A LAN is a
local area network and is not concerned with traffic between networks. Encryption
protects traffic from alteration or disclosure but may actually make the job of the
firewall more difficult by hiding the traffic so that the firewall cannot examine it
properly.
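The DNS tunneling indicators behind answer 5, combined with the egress monitoring described in the terminology section, can be turned into a simple detection pass over resolver logs. This is an added example, not part of the study guide; the log layout, thresholds and sample entries are constructed for illustration and real resolver logs differ in layout.

```python
"""Flag DNS query-log entries that show common tunneling indicators.

Added example for this study guide, not part of the original text.
The log format below is a constructed, simplified one (timestamp, client IP,
query name, record type); real resolver logs differ in layout.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: three ordinary lookups and three queries from one
# client that carry an encoded payload in a long, high-entropy subdomain of
# the same parent zone, which is the shape DNS tunneling traffic takes.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03 10.0.0.9 cdn.example.net A
2024-01-01T10:00:04 10.0.0.7 n4zq2ktolj3gqzlmnbuwy3dpozsxg5bamfyg.d2.example.org TXT
2024-01-01T10:00:05 10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.d2.example.org TXT
2024-01-01T10:00:06 10.0.0.7 ifbegrcbijbeirsbi5du2udzpfawoqtzoxuwe6lrpeqa.d2.example.org TXT
"""

MAX_LABEL_LEN = 30      # assumed ceiling for leftmost labels of ordinary hostnames
MIN_ENTROPY = 3.5       # bits/char; base32/base64-style payloads sit above this
BULK_TYPES = {"TXT", "NULL", "CNAME"}  # record types with room to carry payload

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse_line(line: str):
    """Return (client, qname, qtype) from one constructed log line."""
    _ts, client, qname, qtype = line.split()
    return client, qname.lower().rstrip("."), qtype.upper()

def parent_zone(qname: str) -> str:
    """Last two labels of the name, e.g. 'd2.example.org' -> 'example.org'."""
    return ".".join(qname.split(".")[-2:])

def score_query(qname: str, qtype: str) -> list:
    """Return the tunneling indicators present in a single query."""
    first = qname.split(".")[0]
    hits = []
    if len(first) > MAX_LABEL_LEN:
        hits.append("long-label")
    if shannon_entropy(first) >= MIN_ENTROPY:
        hits.append("high-entropy")
    if qtype in BULK_TYPES:
        hits.append("bulk-record-type")
    return hits

def find_suspicious(log_text: str, min_hits: int = 2) -> dict:
    """Map each client to the parent zones it queried with >= min_hits indicators.

    Correlating per client and zone matters: one odd-looking name is noise,
    while a stream of them toward the same zone is the pattern a tunnel produces.
    """
    flagged = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = parse_line(line)
        if len(score_query(qname, qtype)) >= min_hits:
            flagged[client][parent_zone(qname)] += 1
    return {client: dict(zones) for client, zones in flagged.items()}

if __name__ == "__main__":
    for client, zones in find_suspicious(SAMPLE_LOG).items():
        for zone, count in zones.items():
            print(f"{client}: {count} suspicious queries toward {zone}")
```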

Security Operations for CCSM

Checklist of Exam Objectives: Areas to Study
5.1 Understand data security
● Encryption (e.g., symmetric, asymmetric, hashing)
● Data handling (e.g., destruction, retention, classification, labeling)
● Logging and monitoring security events

5.2 Understand system hardening
● Configuration management (e.g., baselines, updates, patches)

5.3 Understand best practice security policies
● Data handling policy
● Password policy
● Acceptable Use Policy (AUP)
● Bring Your Own Device (BYOD) policy
● Change management policy (e.g., documentation, approval, rollback)
● Privacy policy

5.4 Understand security awareness training
● Purpose/concepts (e.g., social engineering, password protection)

Exam Essentials: What You Need to Know

Golden Keys
● Information protection program requirements
● Alignment with business mission goals and objectives
● Requirements for compliance with privacy and data protection laws
● Value of security awareness training, the most effective control available

The Information Protection Strategy
● Encryption is often the best control for secure transmission and storage of
information.
● Integrity is provided through hashing.
● Data must be protected throughout the data life cycle including data retention and
destruction.
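Hashing as an integrity check, applied to the configuration baselines of objective 5.2: an added example (not the guide's material) that records SHA-256 digests of an approved configuration and reports what has drifted since approval. File paths and contents are constructed samples held in memory so the block runs offline.

```python
"""Detect configuration drift by hashing files against a recorded baseline.

Added example for this study guide, not the guide's own material. File
contents are held in memory as constructed samples so the block runs
offline; a real deployment would read them from disk and keep the baseline
somewhere the monitored host cannot silently rewrite.
"""
import hashlib

def sha256_hex(data: bytes) -> str:
    """Hex digest of data; any one-bit change yields an unrelated digest."""
    return hashlib.sha256(data).hexdigest()

def build_baseline(files: dict) -> dict:
    """Record path -> digest for the approved configuration."""
    return {path: sha256_hex(content) for path, content in files.items()}

def verify_baseline(baseline: dict, files: dict) -> dict:
    """Compare the current file set with the baseline.

    Returns the three kinds of drift a change-management review cares about:
    approved files altered since approval, files that appeared without
    approval, and approved files that have gone missing.
    """
    current = build_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

# Constructed approved configuration (paths and contents are illustrative).
APPROVED = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}

# Constructed later snapshot: one setting weakened by a single word, one
# file that is not in the baseline, and one approved file that is gone.
DRIFTED = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/cron.d/unknown": b"# not part of the approved baseline\n",
}

def demo() -> dict:
    """Run the verification of the constructed snapshot against the baseline."""
    return verify_baseline(build_baseline(APPROVED), DRIFTED)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```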

Security Awareness
One of the most effective of all controls

Policy
● The foundation of a security program is policy.
● There should be individual policies that address key areas such as BYOD, Wireless,
Remote Access, acceptable use, etc.

Change Management
● Change is a time of risk for an organization.
● Change should be carefully managed to prevent errors.
● Change management should be a formal, documented process.

Important Terminology
Asset — An entity with value to its owner

Attack — Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or
destroy information system resources or the information itself (CNSSI 4009)

Availability — The measure of the criticality of an entity and the value of the entity to
supporting a business process

Chain of Custody — A documented record of all actions related to evidence throughout the
evidence lifecycle

Compliance — Proven adherence to standards

Confidentiality — The protection of sensitive data from unauthorized disclosure

Covert Channel — A hidden channel that releases information in violation of policy

Due Care — The actions taken by a reasonable, prudent person to protect others from
unreasonable harm

Due Diligence — The enforcement of the actions of due care

Encryption — The process of rendering sensitive data unreadable through substitution and
transposition using a mathematical function (algorithm)

Incident — An adverse event with the potential to affect business mission

Information Security Risk — The risk to organizational operations (including mission,
functions, image, reputation), organizational assets, individuals, other organizations, and the
Nation due to the potential for unauthorized access, use, disclosure, disruption, modification,
or destruction of information and/or information systems (NIST SP800-30r1)

Integrity — The measure of accuracy or precision of an entity or process

Hashing Algorithm — A mathematical function used to detect changes to data and thereby
support integrity

Non-repudiation — The ability to link actions to an individual entity

Residual Risk — Portion of risk remaining after security measures have been applied (CNSSI
4009)

Risk Acceptance — The level of risk within the limits set by the risk owner

Social Engineering — The manipulation of a person to induce them to do something they
should not do

Threat — Any circumstance or event with the potential to adversely impact organizational
operations (including mission, functions, image, or reputation), organizational assets,
individuals, other organizations, or the Nation through an information system via
unauthorized access, destruction, disclosure, or modification of information, and/or denial of
service (CNSSI 4009)

Vulnerability — Weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited by a threat source (CNSSI 4009)

Self-Assessment Questions: Test your Understanding


1. The organization has a system that must operate reliably to support business
operations. What security concept must be addressed with this system?
a. Confidentiality
b. Integrity
c. Availability
d. Non-repudiation

2. The organization is conducting a risk assessment. Which process uses the results of a
risk assessment?
a. Risk avoidance
b. Risk transference
c. Risk treatment
d. Residual risk

3. A hidden channel that releases information in violation of policy or law is known as a:
a. Covert
b. Overt
c. Phishing
d. Logic Bomb

4. Any changes to the configuration of a system should be subject to:
a. Formal approval
b. IT scheduling
c. Vendor recommendations
d. Business requirements

5. A new employee that will work in the office has been granted access to systems and
networks including the internet in order to perform their job duties. Which policy
should be explained to the employee before they are granted access?
a. Bring Your Own Device (BYOD)
b. Remote access
c. Change control
d. Acceptable Use Policy (AUP)

6. The required configuration of a system is known as:
a. Procedure
b. Baseline
c. Standard
d. Guideline

7. What is the best control to mitigate against social engineering?
a. Awareness
b. Firewall
c. Anti-virus
d. Access control

8. What is required in order to establish accountability?
a. Laws and regulations
b. Individual identification
c. Least privilege and need to know
d. Separation of duties

9. What is a key requirement of many privacy laws?
a. Breach notification
b. Encryption
c. Availability
d. Firewall configuration

10. An employee approaches the security team with a complaint about a fellow
employee or manager. The employee provides evidence they have captured by
monitoring the person they are complaining about. What should the security
manager do in this case?
a. Begin an investigation of the employee being reported on
b. Ignore the complaint since it did not come through authorized channels
c. Consult with Human Resources to determine the best approach
d. Discuss the issue with the complaining employee’s manager

11. An organization has stated that the maximum number of transactions that they could
afford to lose in the event of a system failure is three hours’ worth of activity. What
does this determination represent?
a. The volume of the backups
b. The frequency of the backups
c. The type of backup media used
d. The number of generations of backups

12. The organization has set three levels of data classification. What is the benefit for an
employee that has access to a piece of data that is classified?
a. The classification indicates proper data handling
b. The classification only applies to data owners not to users
c. The data must be encrypted
d. The classification cannot be changed at a later time

13. A researcher can determine cryptographic key length based on the execution time of
the chip used for encryption. What type of attack does this represent?
a. A covert timing attack
b. A brute force attack
c. Network sniffing
d. Social engineering

14. An auditor accepts an assignment that they are not competent to accomplish. Which
principle of the (ISC)² Code of Ethics does this violate?
a. Provide diligent and competent service to principals
b. Do no harm
c. Protect society and the common good
d. Advance and protect the profession

15. What type of control is a smoke detector?
a. Compensating
b. Safeguard
c. Recovery
d. Countermeasure

Answers to Self-Assessment Questions


1. C — Availability is measured by the criticality of an entity.
2. C — Risk treatment includes all of the other answers. The way to treat risk is based on
the risk levels identified during a risk assessment.
3. A — A covert channel is hidden; an overt channel is an obvious channel.
4. A — This is a tough one and subject to debate! All changes should be formally
approved, tested, and documented and have a rollback plan to use in case of a
problem with the change. The best answer is NOT business requirements since many
system changes are made due to identified vulnerabilities or the need to configure a
system correctly—not necessarily based on a business requirement.
5. D — Since this is an internal employee, they probably need to know the acceptable
use policy most of all. All the policies should be explained to them, but the AUP is
most important.
6. B — The required configuration of a system is known as the baseline.
7. A — Awareness is more effective than technical controls.
8. B — An employee can be accountable to follow policy even where there are no laws or
regulations that apply. In order to establish accountability, it is not advisable to use
shared IDs.
9. A — Many laws specify the need to protect data but do not specify the algorithms that
must be used. Laws frequently require notification in the event of a breach.
10. C — There are potentially several issues here. Was the capturing of the ‘evidence’
legal? Were any policies broken? Who has the authority to act on this information and
which employee should be investigated? It is best to consult with HR and ensure
compliance with labor law.
11. B — The allowable loss of data would mandate the required frequency of data
backups.
12. A — The classification mandates proper data handling for all persons with access to
the data, not just the data owner. Not all classified data must be encrypted—that
depends on the handling rules set by the owner. Data will often be re-classified at a
later time if the need to protect the data changes.
13. A — This is an example of a covert timing attack. It is also known as a side channel
attack.
14. A — This is the most direct violation of providing diligent and competent service to
principals, but the others apply in part.
15. D — A smoke detector is a countermeasure that operates when there is a potential
adverse event. It is not a safeguard since it does not prevent a fire.
