Assets, Threats, and Vulnerabilities

Question 1

Asset classification

Answer 1

The practice of labeling assets based on sensitivity and importance to an organization.

This helps prioritize security measures.

Question 2

Asset inventory

Answer 2

A catalog of assets that need to be protected.

It is essential for effective asset management.

Question 3

Asset management

Answer 3

The process of tracking assets and the risks that affect them.

It ensures that assets are secure and effectively utilized.

Question 4

Data

Answer 4

Information that is translated, processed, or stored by a computer.

Data can be structured or unstructured.

Question 5

Data at rest

Answer 5

Data not currently being accessed.

Examples include files stored on a hard drive.

Question 6

Data in transit

Answer 6

Data traveling from one point to another.

This includes data sent over the internet or a network.

Question 7

Data in use

Answer 7

Data being accessed by one or more users.

This is often the most vulnerable state of data.

Question 8

Information security (InfoSec)

Answer 8

The practice of keeping data in all states away from unauthorized users.

It encompasses various security measures and policies.

Question 9

Policy

Answer 9

A set of rules that reduce risk and protect information.

Policies guide the organization’s security posture.

Question 10

Procedures

Answer 10

Step-by-step instructions to perform a specific security task.

They ensure consistent execution of security measures.

Question 11

Regulations

Answer 11

Rules set by a government or other authority to control the way something is done.

Regulations can dictate compliance requirements.

Question 12

Standards

Answer 12

References that inform how to set policies.

They provide a baseline for compliance and best practices.

Question 13

Likelihood x Impact = Risk

Answer 13

One way to interpret risk is to consider the potential effects that negative events can have on a business. A way to present this idea is with a specific calculation.

Question 14

Restricted, confidential, internal-only, and public

Answer 14

The 4 most common classification schemes.

Question 15

Restricted

Answer 15

Highest level classification scheme. This category is reserved for incredibly sensitive assets, like need-to-know information.

Question 16

Confidential

Answer 16

Second highest classification scheme. This scheme refers to assets whose disclosure may lead to a significant negative impact on an organization.

Question 17

Internal-only

Answer 17

Third highest classification scheme. This scheme describes assets that are available to employees and business partners.

Question 18

Public

Answer 18

This is the lowest level classification scheme. These assets have no negative consequences to the organization if they’re released.

Question 19

Risk register

Answer 19

A central record of potential risks to an organization’s assets, information systems, and data.

Question 20

Access controls

Answer 20

Security controls that manage access, authorization, and accountability of information.

Access controls are essential for protecting sensitive data from unauthorized access.

Question 21

Algorithm

Answer 21

A set of rules used to solve a problem.

Algorithms are fundamental to programming and data processing.

Question 22

Application programming interface (API) token

Answer 22

A small block of encrypted code that contains information about a user.

API tokens are commonly used for authentication in web services.

Question 23

Asymmetric encryption

Answer 23

The use of a public and private key pair for encryption and decryption of data.

Asymmetric encryption enhances security by using two keys instead of one.

Question 24

Basic auth

Answer 24

The technology used to establish a user’s request to access a server.

Basic auth is a simple authentication scheme built into the HTTP protocol.

Question 25

Bit

Answer 25

The smallest unit of data measurement on a computer.

A bit can be either 0 or 1.

Question 26

Brute force attack

Answer 26

The trial and error process of discovering private information.

Brute force attacks are often used to crack passwords.

Question 27

Cipher

Answer 27

An algorithm that encrypts information.

Ciphers can be symmetric or asymmetric.

Question 28

Cryptographic key

Answer 28

A mechanism that decrypts ciphertext.

Cryptographic keys are crucial for data security.

Question 29

Cryptography

Answer 29

The process of transforming information into a form that unintended readers can’t understand.

Cryptography ensures the confidentiality and integrity of data.

Question 30

Data custodian

Answer 30

Anyone or anything that’s responsible for the safe handling, transport, and storage of information.

Data custodians play a vital role in data governance.

Question 31

Data owner

Answer 31

The person that decides who can access, edit, use, or destroy their information.

Data owners have the ultimate responsibility for data security.

Question 32

Digital certificate

Answer 32

A file that verifies the identity of a public key holder.

Digital certificates are essential for establishing secure communications.

Question 33

Encryption

Answer 33

The process of converting data from a readable format to an encoded format.

Encryption is critical for protecting sensitive information.

Question 34

Hash collision

Answer 34

An instance when different inputs produce the same hash value.

Hash collisions can lead to security vulnerabilities.

Question 35

Hash function

Answer 35

An algorithm that produces a code that can’t be decrypted.

Hash functions are used in data integrity verification.

Question 36

Hash table

Answer 36

A data structure that’s used to store and reference hash values.

Hash tables allow for efficient data retrieval.

Question 37

Identity and access management (IAM)

Answer 37

A collection of processes and technologies that helps organizations manage digital identities in their environment.

IAM is essential for maintaining security and compliance.

Question 38

Information privacy

Answer 38

The protection of unauthorized access and distribution of data.

Information privacy concerns are increasingly important in the digital age.

Question 39

Non-repudiation

Answer 39

The concept that the authenticity of information can’t be denied.

Non-repudiation ensures that a sender cannot deny sending a message.

Question 40

OAuth?

Answer 40

An open-standard authorization protocol that shares designated access between applications.

OAuth is widely used for securing APIs.

Question 41

Payment Card Industry Data Security Standards

Answer 41

What does PCI DSS stand for?

PCI DSS is a set of security standards designed to protect card information.

Question 42

Principle of least privilege

Answer 42

The concept of granting only the minimal access and authorization required to complete a task or function.

This principle helps minimize potential damage from security breaches.

Question 43

Public key infrastructure (PKI)?

Answer 43

An encryption framework that secures the exchange of online information.

PKI is essential for secure communications over the internet.

Question 44

Rainbow table

Answer 44

A file of pre-generated hash values and their associated plaintext.

Rainbow tables are used to crack password hashes.

Question 45

Salting

Answer 45

An additional safeguard that’s used to strengthen hash functions.

Salting helps prevent rainbow table attacks.

Question 46

Security assessment

Answer 46

A check to determine how resilient current security implementations are against threats.

Security assessments help identify vulnerabilities.

Question 47

Security audit

Answer 47

A review of an organization’s security controls, policies, and procedures against a set of expectations.

Security audits ensure compliance with regulations and standards.

Question 48

Security controls

Answer 48

Safeguards designed to reduce specific security risks.

Security controls can be technical, administrative, or physical.

Question 49

Separation of duties

Answer 49

The principle that users should not be given levels of authorization that would allow them to misuse a system.

This principle helps prevent fraud and errors.

Question 50

Session

Answer 50

A sequence of network HTTP basic auth requests and responses associated with the same user.

Sessions help maintain stateful interactions with users.

Question 51

Session cookie

Answer 51

A token that websites use to validate a session and determine how long that session should last.

Session cookies are essential for user experience in web applications.

Question 52

Session hijacking

Answer 52

An event when attackers obtain a legitimate user’s session ID.

Session hijacking is a serious security threat.

Question 53

Session ID

Answer 53

A unique token that identifies a user and their device while accessing a system.

Session IDs are crucial for tracking user sessions.

Question 54

Symmetric encryption

Answer 54

The use of a single secret key to exchange information.

Symmetric encryption is faster than asymmetric encryption but less secure.

Question 55

User provisioning

Answer 55

The process of creating and maintaining a user’s digital identity.

User provisioning is critical for effective identity management.

Question 56

Payment Card Industry Data Security Standards (PCI DSS)

Answer 56

A set of security standards formed by major organizations in the financial industry.

Question 57

Application programming interface

Answer 57

What does API stand for?

Question 58

Identity and access management

Answer 58

What does IAM stand for?

Question 59

Public key infrastructure

Answer 59

What does PKI stand for?

Question 60

Single Sign-On

Answer 60

What does SSO stand for?

Question 61

Data steward

Answer 61

The person or group that maintains and implements data governance policies set by an organization.

Question 62

Knowledge, ownership, and characteristic

Answer 62

What are three factors that can be used to authenticate a user?

Question 63

Knowledge

Answer 63

A factor used to authenticate a user:

something the user knows.

Question 64

Ownership

Answer 64

A factor used to authenticate a user:

something the user possesses.

Question 65

Characteristic

Answer 65

A factor used to authenticate a user:

something the user is.

Question 66

Single sign-on (SSO)

Answer 66

A technology that combines several different logins into one.

Question 67

Guest accounts, user accounts, service accounts, and privileged accounts.

Answer 67

What are the most common types of user accounts?

Question 68

Guest account

Answer 68

A type of account provided to external users who need to access an internal network, like customers, clients, contractors, or business partners.

Question 69

User account

Answer 69

A type of account assigned to staff based on their job duties.

Question 70

Service account

Answer 70

A type of account granted to applications or software that needs to interact with other software on the network.

Question 71

Privileged account

Answer 71

A type of account that elevates permissions or administrative access.