1.0 General Security Concepts

Question 1

Which type of control would a firewall be classified as?

Answer 1

a) Technical

Question 2

Security awareness training for employees is an example of which control type?

Answer 2

b) Managerial

Question 3

Which control type is most likely to be automated?

Answer 3

a) Technical

Question 4

Which control type is most focused on day-to-day security activities?

Answer 4

c) Operational

Question 5

A company’s disaster recovery plan would be considered what type of control?

Answer 5

b) Managerial

Question 6

Biometric access systems are an example of which control type?

Answer 6

d) Physical

Question 7

Which control type is most likely to be implemented through written policies and procedures?

Answer 7

b) Managerial

Question 8

Log review and monitoring would typically be classified as what type of control?

Answer 8

c) Operational

Question 9

Which control type is most focused on overall security strategy and governance?

Answer 9

b) Managerial

Question 10

A security guard conducting patrols is an example of which control type?

Answer 10

c) Operational

Question 11

Which control type is most likely to require regular software updates or patches?

Answer 11

a) Technical

Question 12

Risk assessments are typically considered what type of control?

Answer 12

b) Managerial

Question 13

Which control type is most prone to human error or inconsistency?

Answer 13

c) Operational

Question 14

Encryption of data at rest is an example of which control type?

Answer 14

a) Technical

Question 15

Which control type is most likely to be visible to employees and visitors?

Answer 15

d) Physical

Question 16

Which type of control is designed to discourage potential attackers from attempting a security breach?

Answer 16

b) Deterrent

Question 17

An intrusion detection system (IDS) is an example of which type of control?

Answer 17

c) Detective

Question 18

When a primary control cannot be implemented due to technical limitations, what type of control would be most appropriate?

Answer 18

a) Compensating

Question 19

Which control type is most closely associated with security policies and procedures?

Answer 19

c) Directive

Question 20

A firewall is primarily an example of which type of control?

Answer 20

c) Preventive

Question 21

Incident response plans are best categorized as which type of control?

Answer 21

c) Corrective

Question 22

Which control type aims to limit damage and restore systems to normal after a security incident?

Answer 22

c) Corrective

Question 23

Security awareness training programs are primarily examples of which two types of controls?

Answer 23

a) Preventive and Directive

Question 24

Which control type is most likely to involve psychological elements to influence potential attackers?

Answer 24

b) Deterrent

Question 25

A SIEM system that alerts security personnel to potential threats is an example of which control type?

Answer 25

c) Detective

Question 26

Which control type is most closely associated with providing alternative security measures?

Answer 26

b) Compensating

Question 27

Encryption is primarily an example of which type of control?

Answer 27

a) Preventive

Question 28

Which control type is most likely to be implemented after a security incident has occurred?

Answer 28

d) Corrective

Question 29

Access control systems are primarily examples of which type of control?

Answer 29

a) Preventive

Question 30

Which control type is most closely associated with ensuring compliance with security policies?

Answer 30

c) Directive

Question 31

What are the three components of the CIA triad?

Answer 31

Confidentiality, Integrity, Availability

Question 32

Which principle ensures that data remains unaltered and trustworthy throughout its lifecycle?

Answer 32

Integrity

Question 33

What is the primary purpose of non-repudiation in information security?

Answer 33

To ensure that a user cannot deny performing a specific action

Question 34

In the AAA framework, what does the first “A” stand for?

Answer 34

Authentication

Question 35

Which authentication method might use fingerprints or retinal scans?

Answer 35

Biometrics

Question 36

What is the main difference between authentication and authorization?

Answer 36

Authentication verifies identity, while authorization determines access rights

Question 37

Which authorization model assigns permissions based on a user’s job function or title?

Answer 37

Role-Based Access Control (RBAC)

Question 38

In ABAC, what are four types of attributes that might be considered for access decisions?

Answer 38

User
Resource
Action
Environmental Attributes

Question 39

Who typically controls access rights in a Discretionary Access Control (DAC) model?

Answer 39

The resource owner

Question 40

Which access control model is most commonly used in high-security government environments?

Answer 40

Mandatory Access Control (MAC)

Question 41

What is the primary goal of a gap analysis in security?

Answer 41

To identify differences between current and desired security states

Question 42

In the Zero Trust model, what does “adaptive identity” refer to?

Answer 42

Continuous evaluation and adaptation to user behavior and context

Question 43

What is the role of the Policy Engine in the Zero Trust Control Plane?

Answer 43

To evaluate access requests against policies and make decisions

Question 44

What is an “implicit trust zone” in the context of Zero Trust architecture?

Answer 44

An area within the network where some level of trust is assumed

Question 45

Which physical security measure is designed to control vehicle access?

Answer 45

Bollards

Question 46

What type of sensor detects heat signatures?

Answer 46

Infrared sensors

Question 47

What is the primary purpose of a honeypot?

Answer 47

To attract and detect attacks

Question 48

How does a honeytoken differ from a honeyfile?

Answer 48

A honeytoken is false data
A honey file is a fake file

Question 49

In the Zero Trust model, what is the function of the Policy Enforcement Point?

Answer 49

To enforce access decisions made by the Policy Engine

Question 50

What is the main difference between the Control Plane and Data Plane in Zero Trust architecture?

Answer 50

The Control Plane makes decisions

The Data Plane enforces them and handles data flow

Question 51

What is the primary purpose of a backout plan in change management?

Answer 51

b) To revert changes if problems occur

Question 52

Which of the following is NOT typically included in an impact analysis?

Answer 52

c) Marketing strategy

Question 53

What does SOP stand for in the context of change management?

Answer 53

b) Standard Operating Procedure

Question 54

Which of the following is a key benefit of version control in change management?

Answer 54

c) Maintains a history of modifications

Question 55

In change management, what does the term “stakeholder” refer to?

Answer 55

c) Individuals or groups affected by the change

Question 56

What is the primary purpose of a maintenance window?

Answer 56

b) To schedule changes during off-peak hours

Question 57

Which of the following is NOT typically part of the change approval process?

Answer 57

c) Marketing campaign planning

Question 58

What is the main goal of impact analysis in change management?

Answer 58

b) To assess potential consequences of a change

Question 59

Which of the following is a key consideration when dealing with legacy applications in change management?

Answer 59

c) Balancing security needs with system limitations

Question 60

What is the purpose of allow lists and deny lists in the context of change management?

Answer 60

b) To control access to systems or resources

Question 61

Which of the following is NOT a typical step in the change approval process?

Answer 61

c) Implementation of the change

Question 62

What is the primary purpose of assigning ownership in change management?

Answer 62

b) To ensure accountability throughout the change process

Question 63

Which of the following best describes the relationship between change management and risk management?

Answer 63

c) Change management helps identify and mitigate risks associated with changes

Question 64

What is the main purpose of updating diagrams as part of change management documentation?

Answer 64

b) To maintain accurate visual representations of the IT environment

Question 65

Which of the following is NOT a typical technical implication of change management?

Answer 65

c) Increased system performance

Question 66

What is the primary purpose of a backout plan in change management?

Answer 66

To revert changes and restore systems to their previous state if unexpected issues occur

Question 67

Which of the following is NOT typically a stakeholder in the change management process?

a) IT staff
b) End-users
c) Competitors
d) Compliance officers

Answer 67

c) Competitors

Question 68

How does version control contribute to effective change management?

Answer 68

Answer: Tracks changes over time, enables rollbacks, and facilitates auditing

Question 69

What is the main benefit of conducting an impact analysis before implementing a change?

Answer 69

Answer: Identifies potential effects on various aspects of the organization before implementation

Question 70

In the context of change management, what does “ownership” refer to?

Answer 70

Answer: Assigning responsibility for the change to a specific individual or team

Question 71

Why is it important to update documentation after implementing changes?

Answer 71

Answer: Ensures accuracy, maintains compliance, and provides up-to-date guidance

Question 72

What role does a maintenance window play in the change management process?

Answer 72

Answer: Scheduled period for implementing changes with minimal business disruption

Question 73

How can allow lists and deny lists be affected by system changes?

Answer 73

Answer: May require updates to accommodate new systems or block potential threats

Question 74

What is the purpose of a Standard Operating Procedure (SOP) in change management?

Answer 74

Answer: Provides consistent, documented processes for routine operations and changes

Question 75

Why might legacy applications pose a challenge during the change management process?

Answer 75

Answer: Limited support, potential conflicts with new security measures, special accommodations needed

Question 76

What is the primary goal of the approval process in change management?

Answer 76

Answer: To review and authorize proposed changes, ensuring they align with organizational needs and policies

Question 77

How can proper change management help with compliance and auditing efforts?

Answer 77

Answer: Provides documented processes, change history, and accountability

Question 78

What potential issues can arise from neglecting to consider dependencies when implementing changes?

Answer 78

Answer: Unintended consequences, system failures, or security vulnerabilities

Question 79

Why is it important to involve the security team in the change management process?

Answer 79

Answer: Ensures changes align with security policies and don’t introduce vulnerabilities

Question 80

What role do test results play in the change management process?

Answer 80

Answer: Validate effectiveness, identify potential issues, and inform decision-making

Question 81

What is the significance of documenting changes in network diagrams?

Answer 81

Answer: Maintains accurate visual representations of systems and their relationships

Question 82

How can change management processes help mitigate risks associated with technical changes?

Answer 82

Answer: Provides structured approach to assess, implement, and monitor changes

Question 83

How does change management relate to incident response procedures?

Answer 83

Answer: Helps identify recent changes that may have contributed to an incident

Question 84

What factors should be considered when scheduling a maintenance window?

Answer 84

Answer: Business impact, stakeholder availability, adequate time for implementation and testing

Question 85

How can effective change management contribute to an organization’s overall security posture?

Answer 85

Answer: Ensures controlled implementation of changes, risk assessment, and maintenance of security controls

Question 86

What is the primary difference between symmetric and asymmetric encryption?

Answer 86

c) Number of keys used

Question 87

Which encryption level protects all data on a storage device?

Answer 87

b) Full-disk encryption

Question 88

What is the purpose of a Hardware Security Module (HSM)?

Answer 88

b) To manage and safeguard cryptographic keys

Question 89

Which of the following is NOT a function of a Certificate Authority (CA)?

Answer 89

c) Encrypting network traffic

Question 90

What is the main purpose of key stretching?

Answer 90

b) To make weak passwords more resistant to brute-force attacks

Question 91

Which cryptographic concept ensures the integrity and authenticity of a message?

Answer 91

c) Digital signature

Question 92

What is steganography used for in the context of cryptography?

Answer 92

b) Hiding the existence of information

Question 93

Which protocol is used to check the revocation status of digital certificates in real-time?

Answer 93

b) OCSP

Question 94

Which type of certificate can secure multiple subdomains of a single domain?

Answer 94

c) Wildcard certificate

Question 95

What is the primary purpose of a Trusted Platform Module (TPM)?

Answer 95

b) To store and protect cryptographic keys

Question 96

What is the main advantage of asymmetric encryption over symmetric encryption?

Answer 96

d) Ability to securely exchange keys over an insecure channel

Question 97

Which of the following is NOT a common use of blockchain technology?

Answer 97

c) Full-disk encryption

Question 98

What is the purpose of salting in the context of password hashing?

Answer 98

b) To make rainbow table attacks more difficult

Question 99

Which encryption level is most appropriate for protecting specific records within a database?

Answer 99

c) Record encryption

Question 100

What is the primary purpose of a Certificate Signing Request (CSR)?

Answer 100

c) To initiate the process of obtaining a digital certificate