1.2 : Security Concepts

Question 1

CIA Triad

Answer 1

Confidentiality, Integrity, and Availability.

Question 2

Confidentiality

Answer 2

Protecting information from unauthorized access. Examples: Encryption, access control lists. An attack would seek to disclose.

Question 3

Integrity

Answer 3

Ensuring data is accurate and unaltered. Examples: Hashing, digital signatures. An attack would seek to corrupt / alter.

Question 4

Availability

Answer 4

Ensuring systems and data are accessible to those who are authorized when needed. Examples: Redundant systems, backups.

Question 5

Non-repudiation

Answer 5

• Non-repudiation ensures that a party cannot deny the authenticity/origin of their communications and transactions.
• Digital Signatures (certificates) are the most common method used to achieve non-repudiation.
• Key Tools: Public Key Infrastructure (PKI), audit logs, and blockchain (in some contexts).

Question 6

AAA

Answer 6

• Authentication, Authorization, and Accounting
• Framework for controlling access, determining user permissions, and logging user actions.
• Examples: Login credentials (authentication), role-based access (authorization), audit logs (accounting).

Question 7

Authentication (People)

Answer 7

Verifying the identity of individuals before granting access. Examples: Passwords, biometrics.

Question 8

Authentication (Systems)

Answer 8

Verifying the identity of devices or systems before communication. Examples: Digital certificates, token-based authentication, API keys

Question 9

Authorization Models

Answer 9

Ways of defining what an authenticated user or system is allowed to do. Examples: Role-based access control (RBAC), attribute-based access control (ABAC).

Question 10

Gap Analysis

Answer 10

Process of comparing current security posture to desired security levels to identify and document gaps.

Question 11

Zero Trust

Answer 11

A security model that assumes no implicit trust and continuously verifies every access request as though it originates from an open network. Examples: Multi-factor authentication, least privilege access.

Question 12

Control Plane (Zero Trust)

Answer 12

Manages policies and decisions in a Zero Trust architecture. Examples: Adaptive identity, policy-driven access control.

Question 13

Data Plane (Zero Trust)

Answer 13

Enforces policies on data access in a Zero Trust model. Examples: Implicit trust zones, policy enforcement points.

Question 14

Physical Security

Answer 14

Measures to protect physical assets from unauthorized access or harm. Examples: Bollards, fencing, video surveillance.

Question 15

Bollards

Answer 15

Physical barriers used to prevent vehicle access to a protected area. Examples: Concrete barriers, retractable bollards.

Question 16

Access Control Vestibule

Answer 16

A secure entryway that restricts access to a building or room. Examples: Mantraps, double-door systems.

Question 17

Fencing

Answer 17

A physical barrier to deter and prevent unauthorized access.

Question 18

Video Surveillance

Answer 18

Cameras and monitoring systems used to observe and record activity.

Question 19

Security Guard

Answer 19

Personnel responsible for monitoring and protecting physical premises.

Question 20

Access Badge

Answer 20

• Physical security measure.
• An identification card that grants access to restricted areas.
• Examples: RFID cards, smart cards.

Question 21

Lighting

Answer 21

Using lighting can enhance security and deter unauthorized access. Examples: Motion-activated lights, perimeter lighting.

Question 22

Sensors

Answer 22

Devices that detect physical conditions or changes in the environment. Examples: Infrared sensors, pressure sensors, microwave sensors, ultrasonic sensors.

Question 23

Deception Technology

Answer 23

• Techniques used to mislead attackers and disrupt their activities.
• Attract attackers and gather data on their methods
• Examples: Honeypots, honeyfiles, honeynets.

Question 24

Honeypot

Answer 24

A decoy system used to attract and detect attackers. Examples: Fake servers, simulated databases.

Question 25

Honeynet

Answer 25

• A network of honeypots designed to capture extensive attack data.
• A fake network environment used to study attack behaviors.

Question 26

Honeyfile

Answer 26

A bait file placed in a system to detect unauthorized access. Examples: Fake confidential documents, decoy financial records.

Question 27

Honeytoken

Answer 27

Authentication method of some kind, a token, used to detect unauthorized access. Examples: Fake credentials, decoy API keys.