Chapter 3 mod 1 Flashcards

Access control concepts, Physical Access Control, Logical Access Controls

1
Q

What does the term “control” refer to in the context of security?

A

In the context of security, a control is a safeguard or countermeasure designed to preserve Confidentiality, Integrity, and Availability of data, forming the CIA Triad.

2
Q

What does Access Control involve, and what are its key components?

A

Access control involves limiting what objects can be available to what subjects according to what rules. The key components include objects, subjects, and rules.

3
Q

What is the significance of the CIA Triad in security?

A

The CIA Triad (Confidentiality, Integrity, and Availability) is significant in security as it serves as the foundation for designing safeguards and countermeasures to protect data.

4
Q

Can you provide 3 examples of a technical security control?

A

Firewalls,
intrusion detection systems (IDS),
encryption,
identification and authentication mechanisms

5
Q

Can you provide 3 examples of an administrative security control?

A

Security education training and awareness programs;
A policy of least privilege;
Bring your own device (BYOD) policies;
Password management policies;
Incident response plans

6
Q

Can you provide 3 examples of a physical security control?

A

Fences
Cameras
Alarm Systems
Access Control Systems
Proper Lighting
Document and Equipment Disposal
Regular Audits of Systems

7
Q

What is the central role of access controls in an information security program?

A

Access controls are considered the heart of an information security program because they regulate who can access organizational assets and what actions they can perform.

8
Q

Define the term “subject” in the context of access controls.

A

In the context of access controls, a subject is any entity, such as a user, client, process, or program, that initiates a request for access to organizational assets.

9
Q

Explain the concept of access based on three elements.

A

Access is based on three elements: subjects (entities requesting access), objects (entities being accessed), and rules (instructions determining access based on validated identities).

10
Q

What distinguishes a subject from an object in access controls?

A

A subject is active and initiates requests for services, while an object is passive and responds to requests. Objects, such as devices or processes, do not contain their own access control logic.

11
Q

Provide examples of subjects in the context of access controls.

A

Subjects can be users, processes, procedures, clients, programs, or devices like endpoints, workstations, smartphones, or removable storage devices with onboard firmware.

12
Q

What is an object in the context of access controls, and how does it respond to requests?

A

An object is anything a subject attempts to access, such as a building, computer, file, or server. Objects are passive and respond to requests when called upon by a subject.

13
Q

Explain the role of access control rules and provide an example.

A

Access control rules are instructions developed to allow or deny access to an object by comparing the validated identity of the subject to an access control list. For example, a firewall access control list might be used to determine access permissions.

14
Q

How do objects in the access control context differ from subjects, and what is their ownership concept?

A

Objects are passive entities that respond to requests, while subjects initiate requests. Objects have owners who determine access rights, often recorded in rule bases or access control lists.

15
Q

What is the purpose of a rule in access controls, and how does it determine access to an object?

A

An access rule is developed to allow or deny access to an object by comparing the validated identity of the subject to an access control list. It may define attributes to determine the appropriate level of access.

16
Q

In the context of access controls, how can a rule apply time-based access?

A

A rule in access controls can apply time-based access by specifying conditions related to time, allowing or denying access to an object based on the specified timeframe.

17
Q

What does risk reduction depend on in the context of controls assessments?

A

Risk reduction depends on the effectiveness of the control, and it should be applicable to the current situation while adapting to a changing environment.

18
Q

In the context of physical security, what is a key consideration when securing a repurposed area for confidential files?

A

A key consideration in securing a repurposed area is determining whether to install biometric scanners on doors, with a site assessment deciding the number of doors requiring this level of security.

19
Q

How does a site assessment contribute to the decision-making process in physical security, specifically regarding door security?

A

A site assessment determines if all five doors need biometric scanners, helping decide whether to permanently secure, replace with a permanent wall, or use alternative security measures.

20
Q

What is the primary factor that must align when implementing security controls in the described scenario?

A

The cost of implementing controls must align with the value of what is being protected, ensuring a balance between security measures and their associated expenses.

21
Q

What considerations might influence the decision to install biometric scanners on all doors or opt for alternative security measures?

A

Considerations include the necessity of biometric scanners on all doors, budget constraints, and whether access to the area requires auditing, which can impact the choice of security controls.

22
Q

Explain the potential alternatives to biometric scanners for securing doors in the described scenario.

A

Alternatives could include permanently securing doors, removing and replacing them with a permanent wall, or using simpler security measures like deadbolt locks, depending on the security requirements.

23
Q

What is the significance of auditing access in the context of choosing security controls for the repurposed area?

A

Auditing access is important in determining the appropriate level of control. If auditing is unnecessary and multiple biometric locks are not needed, a simple deadbolt lock might suffice.

24
Q

How does the concept of value aligning with cost apply to the implementation of security controls in the described scenario?

A

The cost of implementing controls must align with the value of the confidential files being protected, ensuring that the chosen security measures provide an appropriate level of protection without unnecessary expenses.

25
Q

Explain the potential consequences of not aligning the cost of security controls with the value of what is being protected.

A

Failure to align the cost of security controls with the value of protected assets can result in either inadequate protection or unnecessary expenses, compromising the overall effectiveness of the security measures.

26
Q

Define defense in depth in the context of information security.

A

Defense in depth is an information security strategy that integrates people, technology, and operational capabilities, establishing variable barriers across multiple layers to apply layered countermeasures and fulfill security objectives.

27
Q

What does defense in depth aim to achieve, and what is its limitation?

A

Defense in depth aims to prevent or deter cyberattacks by applying multiple layered countermeasures but cannot guarantee the avoidance of an attack.

28
Q

Provide a technical example illustrating defense in depth using multi-factor authentication.

A

In the context of defense in depth, a technical example involves multi-factor authentication, requiring a username/password and a code sent to a phone for identity verification, employing something you know and something you have as authentication layers.

29
Q

How do multiple firewalls contribute to defense in depth, especially in a scenario with varying information sensitivity levels?

A

Multiple firewalls are used to separate untrusted networks from trusted networks housing sensitive data, ensuring network traffic validation by rules on more than one firewall, with the most sensitive information stored behind multiple firewalls.

30
Q

Explain the concept of layered technical controls in defense in depth, using the example of multi-factor authentication.

A

Layered technical controls involve using multiple security layers, as seen in multi-factor authentication where username/password and a phone code verification are combined, making it more challenging for adversaries to obtain authentication codes individually.

31
Q

Provide a non-technical example illustrating the layers of access in a data center within the framework of defense in depth.

A

In a data center, defense in depth involves physical barriers like door locks, technical access rules preventing network access, and administrative controls defining access rules, creating multiple layers of access requirements.

32
Q

What is the purpose of using additional firewalls in defense in depth when handling information at varying sensitivity levels?

A

Additional firewalls separate untrusted networks from trusted networks, enforcing network traffic validation by rules on more than one firewall, with the most sensitive information stored behind multiple layers for heightened security.

33
Q

What is multi-factor authentication, and how does it contribute to defense in depth?

A

Multi-factor authentication involves using multiple authentication methods, such as a username/password and a phone code, contributing to defense in depth by creating layered barriers that are more challenging for adversaries to breach.

34
Q

How does a layered defense strategy address different types of access permissions within an organization?

A

A layered defense strategy, like defense in depth, addresses various access permissions, including system, building, server room, network, and application access, by implementing multiple barriers and countermeasures across different layers of the organization.

35
Q

Explain the role of administrative controls in defense in depth, using the example of data center access.

A

In defense in depth, administrative controls, such as policies, define rules assigning access to authorized individuals in a data center, complementing physical and technical barriers to enhance security.

36
Q

What is the primary use case of privileged access management?

A

Privileged access management primarily involves managing human user identities’ create, read, update, and delete privileges on a database.

37
Q

Explain the potential issue with system access control in the absence of privileged access management.

A

Without privileged access management, system access control statically assigns administrative user privileges 24/7, relying solely on the login process to prevent misuse of that identity.

38
Q

What does just-in-time privileged access management offer as a contrast to static privilege assignment?

A

Just-in-time privileged access management involves role-based subsets of privileges that become active in real time when the identity requests the use of a resource or service, contrasting with static, always-on privilege assignment.

39
Q

Describe the privileges typically associated with human user identities in a privileged access management scenario.

A

Human user identities in privileged access management are typically granted create, read, update, and delete privileges on a database.

40
Q

What is the potential security risk associated with static privilege assignment in a system?

A

Static privilege assignment poses a security risk as administrative user privileges are continuously active, relying solely on the login process to prevent misuse, leaving the system vulnerable.

41
Q

How does just-in-time privileged access management enhance security compared to static privilege assignment?

A

Just-in-time privileged access management enhances security by activating specific subsets of privileges in real-time when the identity requests a resource or service, reducing the time privileges are active and potential security risks.

42
Q

Explain the concept of role-based privileges in the context of privileged access management.

A

Role-based privileges in privileged access management involve assigning specific subsets of privileges based on the role of the user, activating only when needed for a particular resource or service.

43
Q

What is the role of the login process in a system without privileged access management?

A

In a system without privileged access management, the login process is solely relied upon to prevent misuse of administrative user privileges that are continuously active.

44
Q

How does just-in-time privileged access management address the issue of privilege misuse in real-time?

A

Just-in-time privileged access management addresses privilege misuse by activating specific subsets of privileges in real time, reducing the window of opportunity for misuse when the identity requests a resource or service.

45
Q

What privileges are commonly managed by privileged access management for human user identities accessing a database?

A

Privileged access management commonly manages create, read, update, and delete privileges for human user identities accessing a database.

46
Q

What defines privileged accounts, and how do they differ from normal user accounts?

A

Privileged accounts have permissions beyond those of normal users, typically granted to managers and administrators, possessing elevated privileges for specific tasks.

47
Q

Name three classes of users who commonly utilize privileged accounts and outline their responsibilities.

A

Systems administrators: Responsible for operating systems, applications deployment, and performance management. Help desk or IT support staff: Involved in viewing or manipulating endpoints, servers, and applications platforms. Security analysts: Require rapid access to the entire IT infrastructure and data environment.

48
Q

Why might organizations create privileged user accounts on a per-client or per-project basis?

A

Privileged user accounts may be created on a per-client or per-project basis to allow project or client service team members greater control over data and applications.

49
Q

What is the key consideration when delegating the capability to manage and protect information assets to various individuals within an organization?

A

Delegating the capability to manage and protect information assets should be contingent upon trustworthiness, as misuse or abuse of privileged accounts could harm the organization and its stakeholders.

50
Q

List three measures used to moderate the potential risks from misuse or abuse of privileged accounts.

A

  1. More extensive and detailed logging than regular user accounts.
  2. More stringent access control, potentially requiring additional authentication.
  3. Deeper trust verification through background checks, nondisclosure agreements, and acceptable use policies.

51
Q

Explain the significance of detailed logging for privileged accounts.

A

Detailed logging for privileged accounts is vital as both a deterrent and an administrative control. The logs serve as a record of privileged actions, deterring misuse and allowing auditing to detect and respond to malicious activity.

52
Q

What security measure is emphasized for both nonprivileged users and privileged users in gaining access to organizational systems and networks?

A

Even nonprivileged users should be required to use Multi-Factor Authentication (MFA) methods, and privileged users, or those with access to privileged accounts, should undergo additional or more rigorous authentication.

53
Q

How can just-in-time identity be utilized to restrict the use of privileged account privileges?

A

Just-in-time identity can restrict the use of privileged account privileges to specific tasks and times, enhancing control and security over the execution of those tasks.

54
Q

Describe the level of trust verification recommended for privileged account holders.

A

Privileged account holders should undergo more detailed background checks, adhere to stricter nondisclosure agreements and acceptable use policies, and may be subject to financial investigation. Periodic or event-triggered updates to background checks may also be necessary.

55
Q

In terms of auditing, how does the monitoring of privileged account activity differ from regular user accounts?

A

Privileged account activity should be monitored and audited at a greater rate and extent than regular user accounts, reflecting the higher level of access and potential risks associated with privileged actions.

56
Q

Define the principle of segregation of duties and its basis in security practice.

A

Segregation of duties, or separation of duties, is a security principle ensuring that no single person controls an entire high-risk transaction. It breaks transactions into parts, requiring different individuals to execute each part to enhance security.

57
Q

Provide an example illustrating segregation of duties in a business process.

A

In a business process, an employee submitting an invoice for payment must have it approved by a manager before payment, demonstrating segregation of duties to prevent fraud or errors.

58
Q

How does segregation of duties contribute to preventing fraud or detecting errors in a transaction process?

A

Segregation of duties divides transactions, requiring different individuals for each part. This prevents one person from having end-to-end control, minimizing the risk of fraud and helping detect errors before implementation.

59
Q

Explain the concept of collusion in the context of segregation of duties.

A

Collusion occurs when two individuals intentionally work together to bypass segregation of duties, jointly committing fraud by exploiting weaknesses in the divided transaction process.

60
Q

Describe the implementation of segregation of duties through dual control, using a bank vault as an example.

A

In dual control, a bank vault might have two separate combination locks, with different personnel knowing one combination each. Two individuals must collaborate to open the vault, ensuring dual control.

61
Q

What is the purpose of dual control in the context of segregation of duties?

A

Dual control, exemplified by two combination locks on a bank vault, ensures that no single individual knows both combinations, requiring collaboration to enhance security.

62
Q

Explain the concept of the two-person rule and its application in security strategy.

A

The two-person rule is a security strategy requiring a minimum of two people to be in an area together, preventing an individual from being alone. It reduces insider threats and ensures assistance is present in case of emergencies.

63
Q

How do access control systems implement the two-person rule in high-security areas?

A

Access control systems may prevent an individual cardholder from entering a high-security area unless accompanied by at least one other person, adhering to the two-person rule.

64
Q

What benefits does the two-person rule provide in terms of reducing insider threats to critical areas?

A

The two-person rule reduces insider threats by requiring at least two individuals to be present, minimizing the risk of unauthorized activities in critical areas.

65
Q

In addition to security, how does the two-person rule contribute to life safety within a security area?

A

For life safety, the two-person rule ensures that if one person experiences a medical emergency, there will be assistance present, promoting a safer environment within the security area.

66
Q

What is the role of authentication in determining access authorization for subjects?

A

Authentication confirms the identity of subjects. Once authenticated, the system checks authorization to verify if the subject is allowed to perform the desired action on an object.

67
Q

How does the system verify authorization after a subject has been authenticated?

A

The system checks authorization through a security matrix accessed by the system, which contains pre-approved levels. This matrix determines if the subject is allowed to complete the attempted action.

68
Q

Provide an example of how access authorization works when presenting an ID badge to a data center door.

A

When presenting an ID badge to a data center door, the system checks the ID number against a security matrix. If the ID is authorized, the door unlocks; if not, it remains locked.

69
Q

Explain the process when a user attempts to delete a file in terms of access authorization.

A

When a user tries to delete a file, the file system checks the user’s permissions to determine if they are authorized. If authorized, the file is deleted; if not, an error message is displayed, and the file remains untouched.

70
Q

What role does a security matrix play in the context of access authorization?

A

A security matrix, accessed by the system, contains pre-approved levels that determine access authorization. It is used to validate if a subject is allowed to perform a specific action on an object.

71
Q

Describe the outcome when an ID presented to a data center door is not authorized according to the security matrix.

A

If the presented ID is not authorized according to the security matrix, the data center door remains locked, denying access to the subject.

72
Q

In the context of file deletion, what happens if a user is not authorized based on their permissions?

A

If a user is not authorized to delete a file, the file system displays an error message, and the file remains untouched, preventing unauthorized actions.

73
Q

How does the concept of pre-approved levels contribute to the authorization process?

A

Pre-approved levels in the security matrix define the authorization levels for subjects. The system checks these levels to determine if a subject is allowed to perform a specific action.

74
Q

Explain the significance of checking permissions when a user attempts to perform an action on a file.

A

Checking permissions ensures that the user has the necessary authorization to perform the action on the file. If authorized, the action is executed; otherwise, the system prevents the action.

75
Q

What is the key role of the security matrix in controlling access authorization?

A

The security matrix, accessed by the system, serves as a key tool in controlling access authorization by defining pre-approved levels that determine whether a subject is allowed to complete a specific action on an object.
