Domain 1 - Security Principles

Question 1

What is Information Security?

Answer 1

Secures everything.. Paper, documents voice, etc…

Question 2

What is IT security?

Answer 2

All hardware software, being processed, stored and communicated.

Question 3

What is Cyber Security?

Answer 3

Is everything from IT security that is accessible from the internet

Question 4

What does the CIA triad stand for?

Answer 4

Confidentiality, Availability, and Integrity

Question 5

What is confidentiality mean?

Answer 5

That there is no unauthorized access to the data.

Question 6

What are the three states of data?

Answer 6

Data:

At rest
In motion
In use

Question 7

What does Integrity mean?

Answer 7

We ensure the data has not been altered.

Question 8

What does availability mean?

Answer 8

Ensuring authorized people can access the data they need.

Question 9

What does DAD stand for?

Answer 9

Disclosure, Alteration, and Destruction . It is the opposite of the CIA triad.

Question 10

What does the IAAA acronym stand for?

Answer 10

Identification
Authentication
Authorization
Accountability

Question 11

What is an Identification?

Answer 11

Something that identifies you. Username, SSN, employee number.

Question 12

What is an example of Type 1 Authentication? Also known as knowledge factors.

Answer 12

Something you know
Your pin number for the ATM
your password or passphrase

Question 13

What is an example of Type 2 Authentication? Also known as possession factors.

Answer 13

ID
passport
token
smart code
MFA device

Question 14

What is an example of Type 3 Authentication? Also known as realistic or biometric factors.

Answer 14

It is something you are
Iris scan
facial geometry
fingerprint

Question 15

What are physiological characteristics?

Answer 15

Uses the shape of the body for type 3 authentication.

Question 16

What are behavioral characteristics?

Answer 16

Uses the pattern of behavior of the person for type 3 athentication.

Question 17

What is Authorization?

Answer 17

It is he process of assigning access to systems after a user has authenticated

Question 18

What is DAC (Discretionary Access Control)?

Answer 18

It’s when access to an object is assigned at the discretion of the object owner.

Commonly used when availability is most important.

Question 19

What is MAC (Mandatory Access Control?

Answer 19

Labels are assigned to objects and subjects (users) have clearance assigned to them to be able to see the objects.

commonly used when confidentiality is the most important

Question 20

What is RBAC?

Answer 20

Role based access control. Access is based on a role.

Question 21

What is ABAC (Attribute Based Access Control)?

Answer 21

Access to objects is based on subjects, objects, and environmental conditions.

Question 22

What is context-based access control?

Answer 22

Access is provided to an object and is based on contextual parameters such as location, time, access history, etc..

Question 23

What is content based access control?

Answer 23

Access is provided on the attributes or content of an object. Think different data on the same website depending on who you are.

Question 24

What is accountability?

Answer 24

Tracing an action to a subject’s identity.

Question 25

What are subjects?

Answer 25

Users or applications

Question 26

What are objects?

Answer 26

Any data

Question 27

What is the formula for risk?

Answer 27

Threat * Vulnerability * Impact

Question 28

What is the formula for total risk?

Answer 28

Threat * vulnerability * asset value

Question 29

What is the formula for residual risk?

Answer 29

total risk - countermeasures

Question 30

What is the high-level process for risk maagement?

Answer 30

Identify Risk
Assess Risk
Respond to Risk
Risk monitoring

Question 31

What is a qualitative risk analysis?

Answer 31

It is subjective. How likely something is to happen and how bad is it if it does happen. Happens first.

Question 32

What is quantitative risk analysis?

Answer 32

What will it actually cost us in dollars.

Question 33

What is due diligence?

Answer 33

Doing research before implementation

Question 34

What is due care?

Answer 34

It is the implementation itself

Question 35

What is the first step of the risk assessment processs?

Answer 35

Ensuring you have an inventory of your assets.

Question 36

What are the risk strategies?

Answer 36

Risk mitigation
Risk transference (share.. Like insurance)
Risk acceptance
Risk avoidance (not pursuing whatever is causing the risk)

Question 37

What is the asset value in quantitative risk analysis?

Answer 37

The value of the asset in dollars

Question 38

What is the exposure factor in quantitative risk analysis?

Answer 38

How much of the asset is lost in an incident

Question 39

What is single loss expectancy in quantitative risk analysis?

Answer 39

How much a single incident will cost us

Question 40

What is the annual rate of occurrence in quantitative risk analysis?

Answer 40

How many times a specific incident happens in a year.

Question 41

What is the annualized loss expectancy in quantitative risk analysis?

Answer 41

How much will this cost if we don’t mitigate the risk.

Question 42

What is leftover risk called?

Answer 42

Residual Risk

Question 43

What is a KGI?

Answer 43

Key goal indicator. Measured after the project is done.

Question 44

What is KPI?

Answer 44

Key Performance indicator. Measured on one single task.

Question 45

What are KRIs?

Answer 45

Metrics that demonstrate the risk an organization is facing.

Question 46

Who sets Risk appetite?

Answer 46

Senior Management

Question 47

What is a secondary risk?

Answer 47

A risk that may open another risk

Question 48

Where are risks tracked?

Answer 48

The risk register

Question 49

Single use passwords are what authentication type?

Answer 49

Type 2. Something you have.

Question 50

What are the access control categories?

Answer 50

Administrative (Directive) controls

Technical (logical) controls - Hardware, Software, Firmware

Physical controls

Question 51

What are Administrative (Directive) control examples?

Answer 51

Policies, procedures, and laws we need to adhere to.

Question 52

What are Technical (logical) control examples?

Answer 52

Hardware, software, firmware, smart cards, etc..

Question 53

What are Physical access control examples?

Answer 53

Locks, doors, fences, dogs, man traps, alarms, cameras.

Question 54

What are preventative controls?

Answer 54

They prevent actions from happening.

Least privileged access
IPS
Drug Tests

Question 55

What are detective controls?

Answer 55

They detect during or after an attack

IDS
Alarms
Logs
Camera

Question 56

What are corrective controls?

Answer 56

Controls that correct an attack

AV
Patches

Question 57

What are recovery controls?

Answer 57

controls to help us recover after an attack.

Disaster recovery plans
Backups
HA environments

Question 58

What are deterrent access controls?

Answer 58

controls that deter and attack, but don’t stop anything.

Guard
Dog
Camera

Question 59

What is a compensating control?

Answer 59

Controls that compensate.

A guard stationed around a break in the fence.

Question 60

What are the four code of ethics cannons?

Answer 60

Protect society and the common good

Act honorably, honestly, justly,legally

Provide diligent and competent service

Advance and protect the profession

Question 61

Who sets governance?

Answer 61

Senior Leadership

Question 62

What kind of law is HIPAA?

Answer 62

Administrative Law

Question 63

What is an example of private regulations?

Answer 63

PCI DSS

Question 64

Are security breach notification laws federal?

Answer 64

No, all 50 states have individual laws.

Question 65

What is the electronic communications privacy act?

Answer 65

Protection against warrantless wiretapping. weakened by the Patriot Act.

Question 66

Who does GDPR protect?

Answer 66

The EU and EEA citizens

Question 67

Who handles the tactical planning?

Answer 67

Management

Question 68

hat can be used to help build policies?

Answer 68

Our strategy