Asset Security

Question 1

Risk

Answer 1

Anything that can impact the confidentiality, integrity, or availability of an asset

Question 2

Security risk planning is based on analysis of…

Answer 2

Assets
Threats
Vulnerabilities

Question 3

Asset

Answer 3

Something of perceived value to the org

Question 4

Threat

Answer 4

Any circumstance or event that can negatively impact assets

Question 5

Vulnerability

Answer 5

Something that can be exploited by a threat

Question 6

The risk equation

Answer 6

Likelihood * Impact.

In other words, how likely is the risk to happen, and how big will the impact be?

Question 7

Intentional Threat

Answer 7

Something/someone that intentionally plans to exploit vulnerabilities

Question 8

Unintentional threat

Answer 8

Something that accidentally threatens a vulnerability.

Question 9

Technical vulnerability

Answer 9

Software or hardware problem

Question 10

Human vulnerability

Answer 10

Stupid human behavior

Question 11

Asset Management

Answer 11

The process of tracking assets and the risks that affect them

Question 12

Asset Inventory

Answer 12

A catalog of assets that need to be protected

Question 13

Asset classification

Answer 13

The practice of labeling assets based on sensitivity and importance to an organization

Question 14

Public assets

Answer 14

Those that can be shared with anyone

Question 15

Internal-only

Answer 15

Only to be shared internally

Question 16

Confidential

Answer 16

Only for people in a certain part of the org

Question 17

Restricted

Answer 17

Only for very specific people (need to know)

Question 18

Data

Answer 18

Information that is translated, processed, and stored on a computer

Question 19

In use data

Answer 19

Being accessed by 1 or more actors

Question 20

In transit data

Answer 20

Email or any data going from a->b

Question 21

Data at rest

Answer 21

The data that is not being used atm

Question 22

Information security

Answer 22

Keep data in all states away from potential bad actors

Question 23

Damage risk

Question 24

Disclosure risk

Question 25

Loss of information risk

Question 26

Security Policy

Answer 26

Set of rules that reduce risk and protect information

Question 27

Standards

Answer 27

References for how to set policy

Question 28

Procedures

Answer 28

Step by step process for how to do certain security tasks

Question 29

Compliance

Answer 29

The process of adhering to internal standards and external regulations

Question 30

Regulations

Answer 30

Rules set by a government or other authority to control the way something is done

Question 31

NIST (CSF) Framework

Answer 31

A voluntary framework that consists of standards, guidelines, and best practices to manage security risks

Question 32

NIST Core

Answer 32

Core functions of the NIST framework

Identify
Protect
Detect
Respond
Recover

Question 33

Tiers

Answer 33

1-4 how well the core functions are being performed

Question 34

Profiles

Answer 34

A snapshot of functions and the tier of each at a given time

Question 35

Security controls

Answer 35

Safeguards designed to reduce specific risks

Question 36

Technical controls

Answer 36

Encryption, authentication, and more

Question 37

Operational Comtrols

Answer 37

Awareness management and incident response

Question 38

Manegrial Controls

Answer 38

Policies and procedures

Question 39

Information privacy

Answer 39

Right to choose when, how, and to what extent data is shared

Question 40

Principal of least privilege

Answer 40

The idea that people should have no more than the minimum amount of data necessary to do provide a service

Question 41

Data owner

Answer 41

Someone who decided when their data can be accessed, edit, use, and destroy their data

Question 42

Data custodian

Answer 42

Responsible for handling, transport, and storage of data

Question 43

Usage audit for principle of least privilege

Answer 43

Helps determine if someone is using data and if it’s being used correctly, as well as whether or not it’s being used at all, and if not, whether or not it should be revoked

Question 44

Privilege audit for principle of least privilege

Answer 44

Checks if a person’s role will match their privilege

Question 45

Account change audit

Answer 45

For detecting audits of suspicious activity on a base account like too many password resers

Question 46

Data Lifecycle Stage 1

Answer 46

Collection

Question 47

Data Lifecycle Stage 2

Answer 47

Storage

Question 48

Data Lifecycle Stage 3

Answer 48

Usage

Question 49

Data Lifecycle Stage 4

Answer 49

Archival

Question 50

Data Lifecycle Stage 5

Answer 50

Destruction

Question 51

Data Steward

Answer 51

The person or group that maintains and implements data governance policies for an org

Question 52

PHI

Answer 52

Personal health information

Question 53

GDPR-specific data

Answer 53

Name, Address, phone number, financial information, and medical information

Question 54

PCI DSS

Answer 54

Security standards for major orgs in the financial industry

Question 55

Security Audit

Answer 55

A review of an orgs security controls, policies, and procedures against a set of standards

Question 56

Security assessment

Answer 56

Determines how resilient current security implementations are against threats

Question 57

PII can include

Answer 57

Photos and videos

Question 58

Cryptography

Answer 58

The process of transforming information into a form that unintended readers can’t understand

Question 59

Algorithm

Answer 59

A set of rules that solve a problem

Question 60

Cipher

Answer 60

An algorithm that encrypts information

Question 61

Cryptographic key

Answer 61

A mechanism that decrypts a cipher

Question 62

Brute force attack

Answer 62

Trial and error to find a key

Question 63

Public key infrastructure

Answer 63

An encryption framework that secures the exchange of information online

Question 64

Step 1 of PKI

Answer 64

Exchange of encrypted information

Question 65

Asymmetric Encryption

Answer 65

Use of a private and public key pair for encryption and decryption of data

Question 66

Symmetric encryption

Answer 66

Use of a single secret key to exchange information

Question 67

Step 2 of PKI

Answer 67

Developing a system of trust via digital certificates

Question 68

Digital Certificate

Answer 68

Veries the ID of a public key holder

Question 69

Triple DES

Answer 69

Creates 3 blocks of ciphers, each a 64 bit key, for a total of 192 bits

Question 70

Advanced Encryption Standard

Answer 70

A more secure symmetric algorithm. Created keys that are 128, 192, or 256 bits

Question 71

Rivers Shamir Adleman

Answer 71

Asymmetric. Public and private key. Long key lengths of 1,024, 2,048, or 4,096 bits.

For highly sensitive data

Question 72

Digital Signature Algo

Answer 72

2048 bits for public keys, developed by NIST

Question 73

OpenSSL

Answer 73

An open source algorithm for generating public and private keys

Question 74

Heartbleed bug

Answer 74

A bug that affected the Open SSL by exploiting exposed data on the memory of websites and apps

Question 75

Kerchoff’s Principle

Answer 75

All details of an algorithm should be knowable (except private key) without it sacrificing security

Question 76

Hash function

Answer 76

Produces a hash value that can’t be decrypted. If the hash value doesn’t match, there is a rejection. Used for checking the integrity of files or programs.

Question 77

Non repudiation

Answer 77

The concept that authenticity of information can’t be denied

Question 78

sha256sum new file.txt

Answer 78

Creates a hash value from the Linux terminal

Question 79

Rainbow table

Answer 79

A table that matches well-established weak passwords to their hashes for hackers. Can be used to compare to a database of hashes

Question 80

Collision attacks

Answer 80

Trying to generate the same hash from different data due to the small bit size produced by the hashing function

Question 81

Access controls

Answer 81

Security controls that manage access, authorization, and accountability of information

Question 82

AAA Framework

Answer 82

Authentication, authorization, and accounting framework

Question 83

Authentication

Answer 83

Answers the question who are you?
Knowledge : what you know
Ownership: what do you own
Characteristic: something you are

Question 84

SSO (Single Sign On)

Answer 84

Let’s you log on through multiple ways

Question 85

Authorization

Answer 85

Determines what a user can do/access.

Question 86

Separation of duties

Answer 86

The principle that users should not be given levels of authorization that would not allow them to misuse a system

Question 87

Separation of duties

Answer 87

Users should not be given levels of authorization that would allow them to misuse the system

Question 88

Basic auth

Answer 88

The technology used to establish a user’s request access to a server

Sends an identifier every time the user visits a site

Question 89

O-auth

Answer 89

Shares designated access to identity without sharing information(like goggle sign up)

Question 90

Access logs

Answer 90

The thing that logs a user’s activity on a network

Question 91

Session

Answer 91

A sequence of network HTTP basic auth requests and responses associated with the same user

Question 92

Session ID

Answer 92

A

Question 93

User procisioning

Answer 93

Creating and maintaining a user’s digital identity

Question 94

Deprovisioning users

Answer 94

Deleting their accounts