Domain 1 - Security Principles

Question 1

What is the difference between IT security and Cybersecurity?

Answer 1

Cyber security has to do with assets that have internet access.

Question 2

What does the CIA in CIA Triad stand for?

Answer 2

Confidentiality, Availability, Integrity

Question 3

Should IOT devices be on the same network as confidential systems?

Answer 3

No. IOT devices are usually created for functionality, not security. Keep them separate when possible.

Question 4

What are the three states of data?

Answer 4

Data at rest, data in transit (motion), data in use

Question 5

What is Data Integrity?

Answer 5

Ensuring data has not been altered

Question 6

What is the opposite of the CIA Triad?

Answer 6

DAD (Disclosure, Alteration, and Destruction)

Question 7

What does IAAA stand for?

Answer 7

Identification, Authentication, Authorization, and Accountability

Question 8

What is an “Identification” ?

Answer 8

Something that identifies you,. Username, ID Number, SSN, etc..

Question 9

What is type 1 authentication?

Answer 9

A password, pass phrase, pin number. Something you remember. These are also called Knowledge Factors.

Question 10

What is Type 2 authentication?

Answer 10

IDs, Passports, tokens, cookies… Also known as possession factors.

Question 11

What is Type 3 authentication?

Answer 11

Fingerprints, Facial recognition, iris scans, etc.. Realistic authentication is another term for these auth types.

Question 12

What does DAC stand for?

Answer 12

Discretionary Access Control.

Question 13

When is DAC most often used?

Answer 13

When availability is most important.

Question 14

How does DAC work?

Answer 14

Access to an object is assigned at the discretion of the object owner.

Question 15

What does MAC stand for?

Answer 15

Mandatory Access Control

Question 16

When is MAC most often used?

Answer 16

When confidentiality is the most important

Question 17

What are labels assigned to when using MAC?

Answer 17

Objects

Question 18

What are clearances assigned to when using MAC?

Answer 18

Subjects / People

Question 19

What is RBAC?

Answer 19

Access by grouping

Question 20

When is RBAC most often used?

Answer 20

When integrity is the most important

Question 21

What does ABAC stand for?

Answer 21

Attribute based access control

Question 22

How does ABAC work?

Answer 22

Access to objects is granted based on subjects, objects, and environmental conditions.

Question 23

What is context based access control?

Answer 23

Access to an object is based on certain contextual parameters such as location, time, sequence of responses, and access history.

Question 24

What is content based access control?

Answer 24

Accessed is provided based on the attributes of an objects.

Question 25

What is Accountability?

Answer 25

Often referred to as auditing. It traces an action to a subjects identity.

Question 26

What does non-repudiation mean when

Answer 26

It means a user cannot deny having performed a certain action.

Question 27

What are “Subjects”?

Answer 27

These can be users, but also programs.

Question 28

What are “Objects”?

Answer 28

Any passive data.. Physical paper and any server data

Question 29

What is the equation for Risk?

Answer 29

Threat * Vulnerability (or likelihood)

Question 30

What is the equation for Total Risk?

Answer 30

Threat * Vulnerability * Asset Value

Question 31

What is the equation for Residual Risk?

Answer 31

Total Risk - Countermeasures

Question 32

What is Qualitative Risk Analysis?

Answer 32

How likely is it to happen and how bad is it if it happens? Subjective.

Question 33

What is Quantitative Risk Analysis?

Answer 33

What will it actually cost us in dollars

Question 34

What is Due Dilligence?

Answer 34

Doing research before implementation?

Question 35

What is Due Care?

Answer 35

The implementation itself.

Question 36

What is the first thing you need to do when you start a risk management iterative for the first time?

Answer 36

Classify your assets by risk criticality.

Question 37

What does Risk Mitigation mean?

Answer 37

Reducing the risk?

Question 38

What does Risk Transference mean?

Answer 38

Sharing or transferring the risk to someone else. Cyber insurance is a perfect example of risk transference.

Question 39

what is Risk Acceptance?

Answer 39

Accepting the risk. This can happen when the counter-measure is more expensive than the risk itself.

Question 40

What is Risk Avoidance?

Answer 40

When you stop doing whatever you are doing because you cannot mitigate, transfer, or accept this risk.

Question 41

What is Risk Rejection?

Answer 41

When a risk exists and you ignore it. This is NEVER acceptable.

Question 42

What does AV stand for in Risk Management?

Answer 42

Asset Value.. The value of the asset. The actual dollars and potential penalties for lost PII.

Question 43

What does EF stand for in Risk Management?

Answer 43

exposure factor. How much loss. In the case of a laptop being stolen it is 100%.

Question 44

What does SLE in Risk Management mean?

Answer 44

Single Loss Expectancy. This is the dollar value of the loss.

Question 45

What does ARO in mean in Risk Management?

Answer 45

Annual rate of occurrence.. For example, how many laptops are stolen per year?

Question 46

What does ALE mean in Risk Management?

Answer 46

Annualized Loss Expectancy. The total dollar value of the lost.

Question 47

What is KGI in risk management?

Answer 47

Measurement of the overall goal

Question 48

What is a KPI in Risk Management?

Answer 48

How well the IT process is performing to achieve the goal.

Question 49

What does KRI stand for?

Answer 49

Key Risk Indicator

Question 50

What does KRI in Risk Management mean?

Answer 50

It is a metric that demonstrates the risks an organization is facing or how risky an activity is.

Question 51

What are Administrative (Directive) Controls?

Answer 51

Organizational Policies and Procedures.

Question 52

What are the Physical (logical) Controls?

Answer 52

Locks, Fences, Guards, Dogs, etc..

Question 53

What are Technical controls?

Answer 53

Hardware, Software, Firmware…. Firewalls, antivirus, IDP / IPS , etc..

Question 54

What are Preventative controls?

Answer 54

It prevents an action from happening. Least privilege, IDS / IPS, etc..

Question 55

What is a Detective Control?

Answer 55

A control that detects during or after an attack. Logs, camera, etc..

Question 56

What is a Corrective Control?

Answer 56

A control that corrects an attack. AV and patching..

Question 57

What are Recovery controls

Answer 57

Controls that help us recover after an attack.

Question 58

What are Deterrent controls?

Answer 58

Controls that deter an attack.. They deter, but do not stop the attack.

Question 59

What are compensating controls?

Answer 59

Used to compensate for another weakness

Question 60

What are the code of ethics four canons?

Answer 60

Protect Society
Act Honorably
Provide diligent and competent services
Advance and protect the profession

Question 61

Who handles governance in an organization?

Answer 61

This is handled by the C-Level executives.

Question 62

Who handles the implementation to meet governance directives?

Answer 62

Management

Question 63

What is the definition of criminal law?

Answer 63

Incarceration, death, and financial fines

Question 64

What is the definition of Civil Law (Tort law)

Answer 64

Individuals, groups, or organizations are the victims and proof must be “the majority of proof”.This means more likely than not.

Question 65

What is the definition of Administrative Law (Regulatory Law)?

Answer 65

Laws enacted by government agencies. HIPAA is an example.

Question 66

What is the definition of Private Regulation?

Answer 66

compliance that is required by contract. PCI DSS is an example.

Question 67

What is the definition for customary law?

Answer 67

Handles the personal conduct and patterns of behavior.

Question 68

Does GDPR cover European citizens living abroad?

Answer 68

No. They need to be physically located in the EU for protections.

Question 69

Are policies specific?

Answer 69

No, they are high-level and non-specific