Final Exam Guide

AIS · Prof. Lanz · Ch 16 cybersecurity + Center for Internet Security focus

Format 40 MC Questions

Primary Focus Ch 16 + CIS Controls

Also Tested SOC, TSC, Frameworks

Case Equifax

★

What Lanz emphasized

Read the CIS introduction — it will be tested. For each control, read the overview, "why is this control critical?", and the safeguards. Always read IG1; he'll tell you if IG2/IG3 matter. Don't memorize which safeguard maps to which control — know the concept of what each safeguard accomplishes.

Chapter 16 — Cybersecurity

The Cyber-Kill Chain

Definitely Tested

The full life cycle of a cyberattack — three sequential stages.
Every attack in Ch 16 falls into one of these stages, and every stage is either physical or logical.

Stage 1

Reconnaissance

Gather information about the network. Identify targets and vulnerabilities.

Stage 2

Access

Get into the network. Use info from recon or force entry.

Stage 3

Disrupt

Damage, destroy, steal, ransom, or shut down the network.

Reconnaissance Attacks — Physical vs Logical

Definitely Tested

Physical recon

Human interaction required

Phishing — deceptive email tricking the victim. Social engineering is always physical because the target is a person.

Dumpster diving — looking through trash for passwords, network diagrams, sensitive info.

Eavesdropping (sniffing) — unauthorized interception of communication. Mitigate with encryption + secure FTP.

Logical recon

Fully digital, no human target

Ping sweep (IP probe) — pings each IP to see which hosts are active.

Port scan — narrows the active list by finding which ports are open and accepting traffic.

Defenses: internal vulnerability scans, penetration testing, applying patches promptly.

Email phishing red flags

Wrong sender domain (e.g. arnazon.com not amazon.com), vague salutation, poor grammar.
Urgency words: "suspended", "security concerns", "immediately".
Hover-mismatched links, surveys asking for personal info instead of a portal login.

Access Attacks — Physical vs Logical

Definitely Tested

Physical access

Tailgating (piggybacking)

Following an authorized user through a checkpoint to use their credentials.

Accidental: authorized user is unaware.
Polite: authorized user holds the door.

Controls: PE-2/3 (authorizations, escorts, guards, barriers), PE-6 (intrusion alarms, surveillance).

Logical access

Force or exploit the network

Brute-force — guess passwords with automation; dictionary attacks use common words.

On-path (MITM) — actively injects between two endpoints. Different from eavesdropping (passive).

IP spoofing — forges source addresses to impersonate a legitimate host.

NIST password guidelines

Length 8–64, mix character types, avoid dictionary words and previously used passwords.
Only reset on compromise. Use MFA where possible. Limit failed login attempts.

Disruptive Attacks

Definitely Tested

Denial-of-service family

DoS — flood a single target with fake requests until it can't serve real users. Single source.
Botnet — network of malware-infected computers acting as robots for the attacker.
DDoS — DoS but distributed across many sources/IPs. Harder to stop because each source must be identified, and harder to distinguish from legitimate traffic.

Malware types — replication is the key distinction

Replicates

Virus · Worm

Virus — replicates with human interaction (clicking, opening attachments).

Worm — replicates without human interaction. Same destructive power as a virus.

Does not replicate

Trojan · Logic Bomb

Trojan horse — disguised as benign software; usually installs a back door.

Logic bomb — dormant code that triggers when conditions are met. Hard to detect or prevent until activated.

Ransomware = malware used to hold a system hostage in exchange for a payment (Colonial Pipeline).

NIST — Framework vs Control Catalog

Definitely Tested

NIST = National Institute of Standards and Technology (U.S. Dept. of Commerce). Mandated by the FISMA law for federal agencies.
Two distinct things to keep separate on the exam:

High-level framework

NIST CSF — Functions

v1.1: 5 functions — Identify, Protect, Detect, Respond, Recover.

v2.0: 6 functions — added Govern.

Best-practice cybersecurity program framework.

Detailed control catalog

NIST 800-53 — 18 Families

18 control families (AC, AT, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PS, RA, SA, SC, SI, PM).

Each family contains specific controls (e.g. RA-5 Vulnerability Scanning, CA-8 Pen Testing, SC-5 DoS Protection).

Recent Cybersecurity Threats

Know the Examples

Colonial Pipeline — ransomware attack; CEO paid $4.4M ransom.
Florida Water Supply — hacker accessed treatment system and increased sodium hydroxide levels (terrorism-like physical impact via cyber).
Equifax — names, SSNs, DOBs, addresses, driver's license info stolen. Root cause: failed to apply a known vendor patch. Maps to Continuous Vulnerability Management (CIS Control 7).

CIS Controls — Center for Internet Security

Background & Threat Intelligence

Read the Intro

SANS originally created the critical security controls list, then transferred it to CIS.
To know which controls to prioritize, you have to know what the threats are — that's where threat intel comes in.

Verizon DBIRAnnual retrospective — real breaches Verizon investigated. "What already happened."
MITRE ATT&CKPredictive database of enterprise adversary techniques. Used in risk assessments to anticipate attacks before they happen.
CIS BenchmarksMeasurable configuration standards. The framework you bring to the audit committee / board.
NISTU.S. risk management frameworks. Anchored by the FISMA law.
ISOInternational standard.
FISMAU.S. federal law requiring information security at federal agencies — points to NIST.

The Six Asset Classes

Memorize

Documentation applies to everything (above the line). Network applies to everything (below the line). Both wrap the workflow.
The flow: Users → Devices → Software → Data (the end result you protect).
Hardware is not a separate class — it's part of Devices.

Documentation

Users → Devices → Software → Data

Network

If you could only choose one to secure: Documentation or Data. (Use cyber language, not accounting language.)
Multi-layered security: many points of entry → controls at every level.

Documentation Hierarchy — 4 P's

Memorize

IT policies do not come from the Board — they come from the IT Steering Committee. (Lanz IT-specific distinction.)
Procedure is the lowest, most specific level — ordered steps to accomplish a task.

Highest

Plan

Strategic direction.

↓

Policy

Rules and intent.

↓

Process

How work flows.

Lowest

Procedure

Specific steps.

Implementation Groups (IG1, IG2, IG3)

Always Read IG1

IG1 — Essential cyber hygiene. Fundamental controls every small-to-mid business should implement. Always read this.
IG2 — Builds on IG1; for larger or more regulated enterprises. Lanz will tell you if you need to read it.
IG3 — Most mature; for organizations that need to defend against sophisticated adversaries.
There is no IG4.

The 18 CIS Controls

Know Each Concept

Don't memorize which safeguard maps to which control — know what each control accomplishes.
The concepts below are what Lanz emphasized in lecture for each one.

Inventory and Control of Enterprise Assets

"Can't protect what you don't know you have." Active discovery, DHCP logging. Static inventory is most secure but a pain. Know all safeguards.

Inventory and Control of Software Assets

Ensure software is currently supported — unsupported software won't get security patches. Allowlist authorized software (SG 2.5).

Data Protection

Inventory + risk-rank data (3.7). When in doubt, encrypt (3.9). Encrypt data in transit (3.10), segment data (3.12), data loss prevention (3.13). Firewalls cannot read encrypted packets — that's why DLP exists.

Secure Configuration of Enterprise Assets and Software

Harden all assets — configure for security. Eliminate default accounts (everybody knows them). Host firewalls (4.5). Uninstall unused software (4.8) — if it's there, you're responsible for it.

Account Management

Hierarchy of admin types — what each can do. Review access every 30 days. Dedicated admin accounts separate from daily-use accounts.

Access Control Management

Role-Based Access Control (RBAC, SG 6.8). MFA required for externally-exposed apps, remote access, and admin access.

Continuous Vulnerability Management

"Where accounting and audit go crazy." Vulnerability scanners rate findings. This is the Equifax control.

Audit Log Management

Logs let you know everything that's going on. Configuration determines log detail — wrong config can disable logs. Centralize logs (SG 8.9).

Email and Web Browser Protections

Lighter coverage in lecture.

Malware Defenses

Anti-malware signatures must update automatically, daily (10.2) — manual or quarterly defeats the purpose.

Data Recovery

Need ability to restore after a breach. Test recovery quarterly (SG 11.5) — untested backups are unproven.

Network Infrastructure Management

Keep network infrastructure up to date (12.1). Maintain a current network schematic (12.4) so you understand what you're looking at.

Network Monitoring and Defense

Encryption + firewalls. Configurations are everything. Segment the network (13.4) and put a safeguard in each segment via firewalls.

Security Awareness and Skills Training

Train people to recognize threats. Counters phishing and social engineering at the human layer.

Service Provider Management

Ties directly to SOC reports. Walk through the Trust Services Criteria for any provider holding your data.

Application Software Security

Apps need their own security. Safeguards follow the SDLC. Know 16.1 / 16.2 at a high level.

Incident Response Management

Need policies/procedures before something happens. Alternate communication channels (17.6) — assume the hacker is inside and primary channels are compromised. Run exercises (17.7).

Penetration Testing

Simulate a real attacker. Pen test exploits (only finds one way in). Vulnerability assessment identifies (find as many as possible, no exploit). If you hear "exploit," it's a pen test. Engage external testers (18.2). Fix what you find (18.3). Not ready for a pen test = a weakness.

Regulations — Match the Industry to the Rule

Industry-to-Regulation Quick Map

Definitely Tested

HealthcareHIPAA + HITECH — patient health info.
Financial svcsGLBA — banks, wealth managers, JPMorgan-type firms.
Credit cardsPCI DSS — issued by PCI Security Standards Council. Not a law. Non-compliance = lose card processing.
Identity theftFTC Red Flag Rules — the default when no industry regulator applies.
Federal agencyFISMA → NIST 800-53.
Public co. ICFRSOX — financial reporting integrity.
VoluntarySOC 2 — privacy is one of the trust criteria, but no one is required to follow SOC 2.

SOC Reports & Trust Services Criteria

SOC Report Types

Definitely Tested

SOC 1Internal controls over financial reporting (ICFR) at a service organization.
SOC 2Trust Services Criteria — security, availability, processing integrity, confidentiality, privacy. Restricted-use.
SOC 3Public summary of SOC 2. Automatically Type 2.
SOC for CyberEnterprise-wide cybersecurity risk program. Must be based on NIST CSF or TSC.
SOC for Supply ChainProduction / supply chain controls.

Type 1 vs Type 2

Type 1

Design at a point in time

"How we would like it to be." Are the controls designed properly?

Type 2

Effectiveness over a period

"What's actually there." Are the controls operating as designed?

The Five Trust Services Criteria

Memorize

Security — protection against unauthorized access (the only required criterion).
Availability — system is available for operation as agreed.
Processing Integrity — system processing is complete, valid, accurate, timely, authorized.
Confidentiality — information designated as confidential is protected.
Privacy — personal information is collected, used, retained, and disclosed appropriately.
Common traps: Accountability and Resilience are not TSCs.

Connecting Pieces

Equifax — The Anchor Case

Will Show Up

What was stolen: names, SSNs, DOBs, addresses, driver's license info.
Root cause: Equifax did not apply a known vendor patch. It was a change management / patching failure, not a phishing or insider issue.
Maps to: CIS Control 7 — Continuous Vulnerability Management.
Don't be tempted by adjacent answers (asset inventory, training, incident response). The exam wants the patching control.

Penetration Test vs Vulnerability Assessment

Classic Trap

Pen test

Exploits

Actively breaks in. Demonstrates impact. Usually finds one way in. Run after every other test. "Exploit" → pen test.

Vulnerability assessment

Identifies

Never goes in. Tries to find as many weaknesses as possible. Output feeds the remediation backlog.

Lanz's Quiet Emphases

Easy Points

CIO is responsible for applying COBIT.
IT policies come from the Steering Committee, not the Board.
Firewalls cannot read encrypted packets. That's why DLP exists at the host level.
Outdated access (Ch 14): job duties changed but access wasn't updated. Distinct from dormant (inactive) and terminated (gone).
RPA in Ch 7 automated SOX user access testing — account management + access controls.
Alternate comms in incident response: assume the attacker is inside and email/chat are compromised.
MFA is required for externally-exposed apps, remote network access, and admin access — not for internal-only printers/copiers.
Quarterly data recovery testing.

Test-Taking Strategy

Read the question fully and form your answer in your head first — then look at the choices.
Predictive vs retrospective: MITRE = before, Verizon DBIR = after. Watch the verb tense in the question.
Replication: virus + worm replicate; trojan + logic bomb don't. Worm = no human interaction.
"Exploit" in a question = pen test. "Identify only" = vulnerability assessment.
Type 1 vs Type 2: design vs operating effectiveness. SOC 3 is auto Type 2 and public.
If a question names an industry, match it to its specific regulation before reading the choices. No specific industry → FTC Red Flag.
Equifax answers map to Continuous Vulnerability Management, not adjacent controls.