course 5 – ASSETS, THREATS, AND VULNERABILITIES

Module 1: Introduction to Asset Security

GOOGLE CYBERSECURITY PROFESSIONAL CERTIFICATE

Coursera Study Guide

Enroll in Coursera Google Cybersecurity Professional Certificate

Introduction to Asset Security

In this comprehensive overview, participants will delve into the fundamental aspects of asset management within the cybersecurity landscape. The module initiates by shedding light on how organizations strategically identify and prioritize assets for protection, emphasizing the crucial link between effective risk management and the classification of assets. The exploration extends to the distinctive challenges associated with securing both physical and digital assets, providing participants with insights into the multifaceted nature of asset protection in contemporary cybersecurity contexts.

Furthermore, participants will be introduced to the renowned National Institute of Standards and Technology (NIST) framework, which serves as a guiding beacon for industry standards, guidelines, and best practices in managing cybersecurity risk. By delving into the NIST framework, participants gain a comprehensive understanding of the systematic approach to cybersecurity risk management, equipping them with the knowledge and tools necessary to navigate the complex landscape of asset protection. This module serves as a crucial building block in participants’ journey toward mastering cybersecurity risk management and aligns them with industry-leading practices for safeguarding organizational assets.

Learning Objectives

  • Define threat, vulnerability, asset, and risk.
  • Explain security’s role in mitigating organizational risk.
  • Classify assets based on value.
  • Identify whether data is in use, in transit, or at rest.
  • Discuss the uses and benefits of the NIST Cybersecurity Framework.

TEST YOUR KNOWLEDGE: INTRODUCTION TO ASSETS

1. What is a risk?

  • A weakness that can be exploited by a threat
  • The practice of labeling assets based on sensitivity and importance to an organization
  • Any circumstance or event that can negatively impact assets
  • Anything that can impact the confidentiality, integrity, or availability of an asset (CORRECT)

A risk is anything that can impact the confidentiality, integrity, or availability of an asset.

2. A security professional discovers a rogue access point on their company WiFi that is not managed by the networking team. The rogue device is altering and deleting sensitive records without authorization. What is the rogue device in this scenario?

  • Threat (CORRECT)
  • Vulnerability
  • Asset
  • Risk

The rogue device is a threat because it is negatively impacting the company’s assets.

3. A product team is storing customer survey data for a new project in a cloud drive. The data is only accessible to product team members while the project is in development. What is this data’s asset type?

  • Internal demo
  • Confidential (CORRECT)
  • Customer data
  • Public

This data is confidential. Confidential assets such as this customer survey data can only be accessed by those working on a specific project.

4. What is the practice of labeling assets based on sensitivity and importance to an organization?

  • Asset management
  • Asset restriction
  • Asset inventory
  • Asset classification (CORRECT)

Asset classification is the practice of labeling assets based on sensitivity and importance to an organization.

5. What are the elements of security risk planning? Select three answers.

  • Assets (CORRECT)
  • Systems
  • Threats (CORRECT)
  • Vulnerabilities (CORRECT)

Security risk planning involves the analysis of three elements: assets, threats, and vulnerabilities. An asset is an item perceived as having value to an organization, such as a cash register and the money inside it.

Security risk planning involves the analysis of three elements: assets, threats, and vulnerabilities. A threat is any circumstance or event that can negatively affect assets, such as a burglar stealing money from a cash register.

Security risk planning involves the analysis of three elements: assets, threats, and vulnerabilities. A vulnerability is a weakness that can be exploited by a threat, such as an unlocked door to a restricted area.

6. Fill in the blank: _____ assets are often highly sensitive and considered need-to-know.

  • Internal-only
  • Public
  • Restricted (CORRECT)
  • Confidential

Restricted assets are often highly sensitive and considered need-to-know.

TEST YOUR KNOWLEDGE: DIGITAL AND PHYSICAL ASSETS

1. What is the practice of keeping data in all states away from unauthorized users?

  • Information security (CORRECT)
  • Asset
  • Cybersecurity
  • Network

Information security, or InfoSec, is the practice of keeping data in all states away from unauthorized users.

2. An employee is promoted to a new role, so their workstation is transferred to a different office. As the employee’s workstation is being relocated, what data state are its files in?

  • At rest (CORRECT)
  • In transit
  • In use
  • In storage

The files are at rest. Data is at rest when it is not being accessed. In this scenario, moving the workstation does not change the data state.

3. What is an example of data in transit?

  • A sent email is traveling over the network to reach its destination. (CORRECT)
  • A spreadsheet file is saved on an employee’s hard drive.
  • A manager is editing a report on their computer.
  • A user logs in to their online account to review their messages.

An email traveling over a network to its destination is an example of data in transit.

4. Fill in the blank: Data is in use when it is being _____ by one or more users.

  • accessed (CORRECT)
  • ignored
  • transported
  • classified

Data is in use when it is being accessed by one or more users.

5. The only type of data that security teams must protect is data in use.

  • True
  • False (CORRECT)

Security teams are responsible for protecting data in all states: in use, in transit, and at rest.

TEST YOUR KNOWLEDGE: RISK AND ASSET SECURITY

1. What type of risk do security plans address? Select three answers.

  • Loss of information (CORRECT)
  • Shift of market conditions
  • Damage to assets (CORRECT)
  • Disclosure of data (CORRECT)

Security plans address risks such as damage to assets, loss of information, and disclosure of data.

2. What are the basic elements of a security plan? Select three answers.

  • Standards (CORRECT)
  • Policies (CORRECT)
  • Procedures (CORRECT)
  • Regulations

The basic elements of a security plan are policies, standards, and procedures. Policies are rules that reduce risk and protect information. Standards are references that inform how to set policies. And procedures are step-by-step instructions to perform a specific security task.

3. Fill in the blank: The NIST CSF is a _____ framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

  • voluntary (CORRECT)
  • mandatory
  • limited
  • rigid

The NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. It is a comprehensive framework with a flexible design that can be used in any industry.

4. What are some benefits of the NIST Cybersecurity Framework (CSF)? Select three answers.

  • It is required to do business online.
  • It’s adaptable to fit the needs of any business. (CORRECT)
  • It helps organizations achieve regulatory standards. (CORRECT)
  • It can be used to identify and assess risk. (CORRECT)

Some benefits of the CSF are that it’s adaptable to fit the needs of any business, it helps organizations achieve regulatory standards, and it can be used to identify and assess risk.

5. What primary elements do security plans include? Select three answers.

  • Assets
  • Policies (CORRECT)
  • Procedures (CORRECT)
  • Standards (CORRECT)

Security plans include three basic elements: policies, standards, and procedures. Policies are a set of rules that reduce risk and protect information. Standards are references that inform how to set policies. Procedures are step-by-step instructions for performing a specific security task.

6. “Identify” and “Detect” are two of the five NIST Cybersecurity Framework (CSF) core functions. What are the other three? Select all that apply.

  • Protect (CORRECT)
  • Respond (CORRECT)
  • Recover (CORRECT)
  • Plan

The five NIST Cybersecurity Framework (CSF) core functions are identify, protect, detect, respond, and recover. The core is a simplified version of the functions or duties of a security plan. Think of these functions as a checklist for reducing security risk.

Module 1 Challenge

1. An attacker spreads malicious software within an organization, which executes unauthorized actions on the organization’s systems. What does this scenario describe?

  • Threat (CORRECT)
  • Regulation
  • Procedure
  • Vulnerability

2. Which of the following are examples of security vulnerabilities? Select three answers.

  • Unlocked doors at a business (CORRECT)
  • Weak password (CORRECT)
  • Suspended access card
  • Unattended laptop (CORRECT)

3. Which of the following statements correctly describe security asset management? Select two answers.

  • It uncovers gaps in security. (CORRECT)
  • It decreases vulnerabilities.
  • It helps identify risks. (CORRECT)
  • It is a one-time process.

4. An employee is asked to email customers and request that they complete a satisfaction survey. The employee must be given access to confidential information in the company database to conduct the survey. What types of confidential customer information should the employee be able to access from the company’s database to do their job? Select two answers.

  • Credit card data
  • Home addresses
  • E-mail addresses (CORRECT)
  • Customer names (CORRECT)

5. What are the characteristics of restricted information? Select two answers.

  • It is considered need-to-know. (CORRECT)
  • It is available to anyone in an organization.
  • It is highly sensitive. (CORRECT)
  • It is protected with less defenses.

6. Which of the following can be prevented with effective information security? Select three answers.

  • Reputational damage (CORRECT)
  • Compliance with regulations
  • Identity theft (CORRECT)
  • Financial loss (CORRECT)

7. What is an example of data in use? Select three answers.

  • Downloading a file attachment.
  • Playing music on your phone. (CORRECT)
  • Reading emails in your inbox. (CORRECT)
  • Watching a movie on a laptop. (CORRECT)

8. What are some key benefits of a security plan? Select three answers.

  • Enhance business advantage by collaborating with key partners.
  • Establish a shared set of standards for protecting assets. (CORRECT)
  • Outline clear procedures that describe how to protect assets and react to threats. (CORRECT)
  • Define consistent policies that address what’s being protected and why. (CORRECT)

9. An employee who has access to company assets abuses their privileges by stealing information and selling it for personal gain. What does this scenario describe?

  • Procedure
  • Regulation
  • Threat (CORRECT)
  • Vulnerability

10. Which of the following are examples of a vulnerability? Select two answers.

  • A malfunctioning door lock (CORRECT)
  • Malicious hackers stealing access credentials
  • Attackers causing a power outage
  • An employee misconfiguring a firewall (CORRECT)

11. Fill in the blank: Information security (InfoSec) is the practice of keeping ____ in all states away from unauthorized users.

  • documents
  • files
  • data (CORRECT)
  • processes

12. What is an example of digital data at rest? Select two answers.

  • Contracts in a file cabinet
  • Email messages in an inbox (CORRECT)
  • Letters on a table
  • Files on a hard drive (CORRECT)

13. Who should an effective security plan focus on protecting? Select three answers.

  • Employees (CORRECT)
  • Competitors
  • Business partners (CORRECT)
  • Customers (CORRECT)

14. Which of the following are functions of the NIST Cybersecurity Framework core? Select three answers.

  • Protect (CORRECT)
  • Detect (CORRECT)
  • Implement
  • Respond (CORRECT)

15. Fill in the blank: The NIST Cybersecurity Framework (CSF) is commonly used to meet regulatory _____.

  • procedures
  • compliance (CORRECT)
  • fines
  • restrictions

16. A malicious hacker gains access to a company system in order to access sensitive information. What does this scenario describe?

  • Threat (CORRECT)
  • Procedure
  • Vulnerability
  • Regulation

17. Which of the following are examples of internal-only information? Select two answers.

  • Intellectual property
  • Employee records (CORRECT)
  • Business plans (CORRECT)
  • Credit card numbers

18. Which of the following are components of the NIST Cybersecurity Framework? Select three answers.

  • Tiers (CORRECT)
  • Core (CORRECT)
  • Controls
  • Profiles (CORRECT)

19. What is the first step of asset management?

  • To classify assets based on value
  • To assign a risk score to assets
  • To make an asset inventory (CORRECT)
  • To address an asset’s vulnerabilities

20. What is an example of confidential information? Select two answers.

  • Marketing strategy (CORRECT)
  • Press release
  • Project documents (CORRECT)
  • Employee contacts

21. Fill in the blank: Most security plans address risks by breaking them down into these categories: damage, disclosure, and _____.

  • removal
  • deletion
  • loss of information (CORRECT)
  • leakage

22. What NIST Cybersecurity Framework (CSF) tier is an indication that compliance is being performed at an exemplary standard?

  • Level-1
  • Level-3
  • Level-4 (CORRECT)
  • Level-2

23. Which component of the NIST Cybersecurity Framework (CSF) is used to measure the performance of a security plan?

  • Tiers (CORRECT)
  • Framework
  • Respond
  • Core

24. Which of the following refers to the process of tracking assets and the risks that affect them?

  • Asset administration
  • Asset inventory
  • Asset classification
  • Asset management (CORRECT)

25. What is an example of restricted information? Select three answers.

  • Cardholder data (CORRECT)
  • Employee email addresses
  • Intellectual property (CORRECT)
  • Health information (CORRECT)

26. Why is it so challenging to secure digital information? Select two answers.

  • There are so many resources to dedicate to security.
  • There are no regulations that protect information.
  • Technologies are interconnected. (CORRECT)
  • Most information is in the form of data. (CORRECT)

27. Which component of the NIST Cybersecurity Framework (CSF) is used to  compare the current state of a security plan to others?

  • Core
  • Compliance
  • Profiles (CORRECT)
  • Detect

28. What is an example of data in transit? Select two answers.

  • A file being downloaded from a website (CORRECT)
  • An email being sent to a colleague (CORRECT)
  • A website with multiple files available for download
  • A slideshow presentation on a thumb drive

CONCLUSION – Asset Security

This comprehensive exploration has provided participants with a holistic understanding of asset management in the cybersecurity domain. From strategically identifying and prioritizing assets to addressing the unique challenges associated with securing physical and digital resources, participants have gained invaluable insights into the critical aspects of asset protection. The introduction to the National Institute of Standards and Technology (NIST) framework has further equipped participants with industry-standard guidelines and best practices, offering a systematic approach to managing cybersecurity risk.

As participants move forward in their cybersecurity education, this module serves as a foundational knowledge base, empowering them to navigate the intricate landscape of asset protection with confidence. By integrating theoretical concepts with practical applications, this overview ensures that participants are well-prepared to contribute to effective risk management strategies and play integral roles in safeguarding organizational assets.