Chapter 1 - Security Governance Through Principles and Policies Flashcards

1
Q

three common types of security evaluation

A

risk assessment, vulnerability assessment, and penetration testing

2
Q

Risk assessment

A

is a process of identifying assets, threats, and vulnerabilities, and then using that information to calculate risk

3
Q

Vulnerability assessment

A

uses automated tools to locate known security weaknesses, which can be addressed by adding in more defenses or adjusting the existing protections

4
Q

Penetration testing

A

uses trusted individuals to stress-test the security infrastructure to find issues that may not be discovered by the prior two means, with the goal of finding those concerns before an adversary takes advantage of them

5
Q

primary goals and objectives of a security infrastructure

A

Confidentiality, integrity, and availability (CIA)

6
Q

Confidentiality

A

Confidentiality is the concept of the measures used to ensure the secrecy of data, objects, or resources. The goal of confidentiality is to prevent or minimize unauthorized access to data.

7
Q

countermeasures that can help ensure confidentiality?

A

encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training

8
Q

Sensitivity

A

Sensitivity refers to the quality of information, which could cause harm or damage if disclosed

9
Q

Discretion

A

Discretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.

10
Q

Criticality

A

The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information.

11
Q

Concealment

A

Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence, or secrecy.

12
Q

Secrecy

A

Secrecy is the act of keeping something a secret or preventing the disclosure of information.

13
Q

Privacy

A

Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.

14
Q

Seclusion

A

Seclusion involves storing something in an out-of-the-way location, likely with strict access controls.

15
Q

Isolation

A

Isolation is the act of keeping something separated from others.

16
Q

Integrity

A

Integrity is the concept of protecting the reliability and correctness of data. Integrity protection prevents unauthorized alterations of data.

17
Q

Integrity can be examined from three perspectives

A
  • Preventing unauthorized subjects from making modifications
  • Preventing authorized subjects from making unauthorized modifications, such as mistakes
  • Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any other object is valid, consistent, and verifiable
18
Q

Numerous attacks focus on the violation of integrity.

A

viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system backdoors

19
Q

Numerous countermeasures can ensure integrity against possible threats

A

strict access control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash verifications, interface restrictions, input/function checks, and extensive personnel training.
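The "hash verifications" countermeasure above, worked through as an added example (this code is not from the flashcards or the book they summarize). It shows why the place the digest is stored matters: a plain SHA-256 digest catches alteration only if the attacker cannot also rewrite the digest, whereas an HMAC tag under a key the attacker lacks cannot be recomputed. The record and key are constructed for the demo; the key would come from a key store in practice.

```python
"""Integrity check via hash verification: plain digest versus keyed HMAC.

Added example, not the page's own code. SAMPLE_RECORD and SAMPLE_KEY are
constructed demo values.
"""
import hashlib
import hmac
import json

# Constructed sample record; not real data.
SAMPLE_RECORD = {"account": "ACC-1001", "balance": 250.00, "owner": "alice"}
# Constructed key for the demo only; never hard-code a real integrity key.
SAMPLE_KEY = b"example-integrity-key-do-not-use-in-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_digest(record: dict) -> str:
    """Unkeyed SHA-256 digest of the record."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def verify_digest(record: dict, expected: str) -> bool:
    """Constant-time comparison so a verifier does not leak how many bytes matched."""
    return hmac.compare_digest(compute_digest(record), expected)


def sign_record(key: bytes, record: dict) -> str:
    """HMAC-SHA256 tag: binds the record to a secret key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: dict, tag: str) -> bool:
    return hmac.compare_digest(sign_record(key, record), tag)


def tamper(record: dict) -> tuple:
    """Model an attacker with write access to the data store: alters the balance
    and recomputes the unkeyed digest to match the altered record."""
    tampered = dict(record, balance=999999.99)
    return tampered, compute_digest(tampered)


def demo(key: bytes = SAMPLE_KEY, record: dict = SAMPLE_RECORD) -> dict:
    """Run both checks against the original and the tampered record."""
    digest = compute_digest(record)
    tag = sign_record(key, record)
    tampered, forged_digest = tamper(record)
    return {
        # Both mechanisms accept the unmodified record.
        "original_digest_ok": verify_digest(record, digest),
        "original_hmac_ok": verify_record(key, record, tag),
        # Plain digest works only if the stored digest was out of the attacker's reach.
        "tamper_caught_by_readonly_digest": verify_digest(tampered, digest) is False,
        # If the attacker could rewrite the digest too, the unkeyed check is fooled.
        "tamper_missed_when_digest_rewritten": verify_digest(tampered, forged_digest),
        # The HMAC rejects the altered record and the attacker's recomputed value.
        "tamper_caught_by_hmac": verify_record(key, tampered, tag) is False,
        "forged_tag_rejected": verify_record(key, tampered, forged_digest) is False,
    }
```

Every entry in the dict returned by demo() is True, which is the point: the keyed check holds in exactly the case where the unkeyed one silently passes.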

20
Q

Accuracy

A

Being correct and precise

21
Q

Truthfulness

A

Being a true reflection of reality

22
Q

Validity

A

Being factually or logically sound

23
Q

Accountability

A

Being responsible or obligated for actions and results

24
Q

Responsibility

A

Being in charge or having control over something or someone

25
Q

Completeness

A

Having all necessary components or parts

26
Q

Comprehensiveness

A

Being complete in scope; the full inclusion of all needed elements

27
Q

Availability

A

means authorized subjects are granted timely and uninterrupted access to objects. Often, controls support sufficient bandwidth and timeliness of processing as deemed necessary by the organization or situation

28
Q

ways to maintain availability on a system

A
  • ensure authorized access and an acceptable level of performance
  • handle interruptions quickly
  • provide for redundancy
  • maintain reliable backups
  • prevent data loss or destruction
29
Q

Numerous countermeasures can ensure availability against possible threats

A
  • designing intermediary delivery systems properly
  • using access controls effectively
  • monitoring performance and network traffic
  • using firewalls and routers to prevent DoS attacks
  • implementing redundancy for critical systems
  • maintaining and testing backup systems

Business continuity planning (BCP) focuses on the use of fault tolerance features at the various levels of access, storage, and security (that is, disk, server, or site) with the goal of eliminating single points of failure to maintain availability of critical systems.

30
Q

Usability

A

The state of being easy to use or learn or being able to be understood and controlled by a subject

31
Q

Accessibility

A

The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations

32
Q

Timeliness

A

Being prompt, on time, within a reasonable time frame, or providing low-latency response

33
Q

DAD Triad

A

Disclosure, alteration, and destruction. The DAD triad represents the failures of the security protections in the CIA triad: disclosure defeats confidentiality, alteration defeats integrity, and destruction defeats availability.

34
Q

Authenticity

A

Authenticity is the security concept that data is authentic or genuine and originates from its alleged source. It is related to integrity, but it is more specifically about verifying that the data comes from its claimed origin.

35
Q

Nonrepudiation

A

Nonrepudiation ensures that the subject of an activity, or the party who caused an event, cannot deny that the event occurred. It can be established using digital certificates, session identifiers, transaction logs, and numerous other transactional and access control mechanisms.

36
Q

AAA services

A

is a core security mechanism of all security environments. The three As in this abbreviation refer to authentication, authorization, and accounting (or sometimes auditing)

37
Q

five elements of AAA services

A
  • identification
  • authentication
  • authorization
  • auditing
  • accounting
38
Q

Identification

A

Identification is claiming to be an identity when attempting to access a secured area or system. Providing an identity can involve typing in a username; swiping a smartcard; waving a proximity device; speaking a phrase; or positioning your face, hand, or finger for a camera or scanning device. Without an identity, a system has no way to correlate an authentication factor with the subject.

39
Q

Authentication

A

Authentication is proving that you are the claimed identity. It requires the subject to provide additional information that corresponds to the identity they are claiming. The most common form of authentication is a password.

40
Q

Authorization

A

is defining the permissions (i.e., allow/grant and/or deny) of a resource and object access for a specific identity or subject. The process of authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. In most cases, the system evaluates the subject, the object, and the assigned permissions related to the intended activity.

41
Q

Auditing

A

is recording a log of the events and activities related to the system and subjects. Auditing is recording activities of a subject and its objects as well as recording the activities of application and system functions. Log files provide an audit trail for re-creating the history of an event, intrusion, or system failure. Auditing is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis

42
Q

Accounting

A

is reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions, especially violations of organizational security policy. Accountability is established by linking an individual to the activities of an online identity through the security services and mechanisms of auditing, authorization, authentication, and identification. Thus, individual accountability is ultimately dependent on the strength of these processes
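The five AAA elements in cards 38 through 42 (identification, authentication, authorization, auditing, accounting) traced through one access request, as an added example rather than code from the flashcards. The users, passwords, the single object "payroll.csv", its role-based permissions, and the four requests in run_demo() are constructed for the demo. Note what each stage does and does not prove: identify() only looks up a claim, authenticate() proves it, authorize() decides the action, audit() records every outcome including the failures, and account() reviews that trail to attribute violations to subjects.

```python
"""Identification, authentication, authorization, auditing and accounting
on one request path. Added example; not the page's own code. All subjects,
passwords, permissions and requests below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ITER = 100_000  # lowered for a quick demo; use a higher, tuned count in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so stored verifiers are not reversible."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITER)


@dataclass
class Subject:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: Set[str]


@dataclass
class Store:
    subjects: Dict[str, Subject] = field(default_factory=dict)
    permissions: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)  # obj -> action -> roles


def build_demo_store() -> Store:
    """Constructed directory: two users, one object, an ACL keyed by role."""
    store = Store()
    for name, pw, roles in (("alice", "correct horse battery staple", {"analyst"}),
                            ("bob", "hunter2", {"viewer"})):
        salt, h = hash_password(pw)
        store.subjects[name] = Subject(name, salt, h, roles)
    store.permissions["payroll.csv"] = {"read": {"analyst", "viewer"}, "write": {"analyst"}}
    return store


# 1. Identification: the subject claims an identity; nothing is proven yet.
def identify(store: Store, claimed: str) -> Optional[Subject]:
    return store.subjects.get(claimed)


# 2. Authentication: the claim is proven with a factor (a password here).
def authenticate(subject: Subject, password: str) -> bool:
    _, h = hash_password(password, subject.salt)
    return hmac.compare_digest(h, subject.pw_hash)


# 3. Authorization: is this action on this object permitted for this subject's roles?
def authorize(store: Store, subject: Subject, action: str, obj: str) -> bool:
    allowed = store.permissions.get(obj, {}).get(action, set())
    return bool(subject.roles & allowed)


# 4. Auditing: record the event regardless of outcome; failures are the useful part.
def audit(log: List[dict], **event) -> None:
    log.append(dict(event))


def access(store: Store, log: List[dict], claimed: str, password: str, action: str, obj: str) -> bool:
    """One request through all stages; returns whether the action was permitted."""
    subject = identify(store, claimed)
    if subject is None:
        audit(log, subject=claimed, stage="identification", outcome="unknown-identity")
        return False
    if not authenticate(subject, password):
        audit(log, subject=claimed, stage="authentication", outcome="failed")
        return False
    permitted = authorize(store, subject, action, obj)
    audit(log, subject=claimed, stage="authorization", action=action, object=obj,
          outcome="allowed" if permitted else "denied")
    return permitted


# 5. Accounting: review the audit trail and attribute policy violations to subjects.
def account(log: List[dict]) -> Dict[str, List[dict]]:
    violations: Dict[str, List[dict]] = {}
    for e in log:
        if e["outcome"] in ("failed", "denied", "unknown-identity"):
            violations.setdefault(e["subject"], []).append(e)
    return violations


def run_demo() -> Tuple[List[dict], Dict[str, List[dict]]]:
    store, log = build_demo_store(), []
    access(store, log, "alice", "correct horse battery staple", "write", "payroll.csv")  # allowed
    access(store, log, "bob", "hunter2", "write", "payroll.csv")                         # denied: viewer role
    access(store, log, "bob", "wrong", "read", "payroll.csv")                            # authentication failed
    access(store, log, "mallory", "x", "read", "payroll.csv")                            # unknown identity
    return log, account(log)
```

run_demo() returns four audit entries and a violations map naming bob (one denied authorization, one failed authentication) and mallory (unknown identity); alice does not appear. The accountability chain in card 42 is visible here: account() can only attribute a violation to bob because identify() and authenticate() bound the request to him before authorize() recorded the denial.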

43
Q

Monitoring vs Auditing

A

Monitoring is part of what is needed for audits, and audit logs are part of a monitoring system, but the two terms have different meanings. Monitoring is a type of watching or oversight, whereas auditing is a recording of the information into a record or file. It is possible to monitor without auditing, but you can’t audit without some form of monitoring.