Domain 1: Security Principles

Question 1

What is Information Security

Answer 1

Protecting paper documents, voice information, data, and the knowledge people have

Question 2

What is IT Security

Answer 2

Protecting hardware, software, and data (computers, servers, networks, firmware, data being processed, stored, and communicated

Question 3

What is Cyber Security

Answer 3

Everything from IT security that is accessible from the internet

Question 4

What does CIA stand for

Answer 4

Confidentiality, Integrity, Availability

Question 5

What is Confidentiality

Answer 5

Keeping our data and systems safe by ensuring no one unauthorised can access it

Question 6

What is Integrity

Answer 6

Protecting data and systems against modification by making sure the data has not been altered

Question 7

What is Availability

Answer 7

Ensuring authorised people can access they data they need when they need to

Question 8

What do we use to ensure Confidentiality

Answer 8

Disk Encryption, secure transport encryption, clean desk policies, no shoulder surfing, screen locks, strong passwords, mfa, access control, need-to-know, least privilege

Question 9

What threatens Confidentiality

Answer 9

attacks on encryption, social engineering, key loggers, cameras, backdoors in IOT devices

Question 10

What do we use to ensure Integrity

Answer 10

Cryptography, check sums, message digests/hash (md5, sha1, or sha2), digital signatures, access control, non-repudiation

Question 11

What threatens Integrity

Answer 11

alterations of data, code injections, attacks on encryption

Question 12

What do we use to ensure Integrity

Answer 12

IPS/IDS, patch management, redundancy in power (ups/generator), disks (RAID), traffic paths (network design), HVAC, staff, high availability design, replication of data

Question 13

What threatens availability

Answer 13

malicious attacks (DDOS, physical, system compromise, staff), application failures, component failure (hardware)

Question 14

What is the opposite of CIA

Answer 14

DAD - Discolsure (opposite of confidentiality): someone not authroised getting access
Alteration (oppostive of integrity): data has been changed without authorisation
Destruction (opposite of availability): your data or system are not accessible or destroyed

Question 15

What is IAAA

Answer 15

Identification, authentication, authorisation, accountability

Question 16

what is identification

Answer 16

your username, id number, employee number

Question 17

what is authentication and what are the types

Answer 17

proving you are an identity
type 1: something you know - passwords, pass phrase, pin
Type 2: something you have - ID, passport, smart card, token, cookie, phone
Type 3: something you are - biometrics, finger print, iris scan, palm vein scan, facial geometry

Question 18

What are the minimum password requirements

Answer 18

specify minmum length, upper and lower case,, numbers, symbols, not contain usernames or easy to guess words or phrases, expiration date, not reused, limit reuse via policy

Question 19

What is key stretching

Answer 19

adding a few seconds to password verification to make brute force an unfeasible attack

Question 20

What is Brute Force Attack

Answer 20

using the entire key space to continually guess a password until it is excepted.

Question 21

How to protect against Brute Force

Answer 21

Key stetching, limit number of incorrect guesses (clipping) - lock account when limit is reached

Question 22

what is totp

Answer 22

a type 2 authentication (something you have) which generates a a shared secret every short time period

Question 23

What is flase rejection rate (type 1 error)

Answer 23

an authorised user is rejected. Can occur when biometric settings are too strict (99%+)

Question 24

what is flase accept rate (type 2 error)

Answer 24

an unauthroised user is granted access

Question 25

What are the two types of biometric identifiers

Answer 25

Physiological characteristics:
finger print, palm veins, facial rec, dna, palm print, hand geo, iris, retina.
Behavioral characteristic:
typing rythm, walk/gait, signature, voice

Question 26

what are some issus with biometrics

Answer 26

privacy:
biometrics can show diseases, pregnacy, diabetes, neurological diseases
breaches:
pictures of your face and fingers can be used to get through biometrics scans
recordings of your voice and copies of your signatures
Non recreation:
stolen passwords can be regenerated, biometrics can’t

Question 27

What is least privilege

Answer 27

the minimum necessary access needed for users to access only exactly what they need

Question 28

what is need to know

Answer 28

even if you have access, if you do not need ti know, then don’t access the data

Question 29

What is DAC

Answer 29

discretionary access control - used when availability is most importat. access to an object is controlled by the object owner. Uses an ACL based on identity

Question 30

what is MAC

Answer 30

mandatory access control - used when confidentiality is most importat. access to an object is determiend by labels and clearance.

Question 31

what is a label

Answer 31

objects have labels assigned to them to allow subjects with the right clearance to access them

Question 32

what is clearance

Answer 32

subjects have clearance assigned to them based on their current and future tustworthiness

Question 33

what is rbac

Answer 33

role based access control - used when integrity is most important. access control mechanicsm defined around roles. A role is assigned permissions, and subjects in that roles are addedd tot he group. Can enforce seperation of duties and prevent privilege creep

Question 34

what is abac

Answer 34

attribute based access control - access to objects is granted based on subjects, objexts, and environmental conditions. attributes could be subject (name, role, id, clearance), Objects (name, owner, date of creation), environment (location, time of access, threat level)

Question 35

what is context based access control

Answer 35

access to an object is controlled based on parameter such as location time, sequence of responses, access history. E.g. captcha, mac address filtering

Question 36

content based access control

Answer 36

access provided based on attributes or content of an object. the value and attributes of the content being accesses determine the control requirements. e.g. showing or hiding menus in applications

Question 37

what is accountability (or auditing)

Answer 37

tracing an action to a subjects identity. Proves who did an action (non-repudation) usings logs

Question 38

what type of user account has zero accountability?

Answer 38

shared/group accounts

Question 39

what is non repudiation

Answer 39

when a user can’t deny having performed a certain action

Question 40

what is a subject

Answer 40

users and programs. a subject is something that manipulates an object

Question 41

what is an object

Answer 41

passive data (physcial and data). an object is manipulated by a subject

Question 42

whats privacy

Answer 42

the state of being free from observation or being disturbed by other people and freedom from unauthorised intrusion

Question 43

who do we calculate risk, total risk and residual risk

Answer 43

risk = threat * vulnerability (or likelyhood) * impact
total risk = threat * vuln * asset value
Residual risk = total risk - countermeasures

Question 44

what is a threat

Answer 44

a potentially harmful incident

Question 45

what is a vulnerability

Answer 45

a weakness that can allow the threat to do harm

Question 46

what is due diligence

Answer 46

doing the research of a countermeasure before implementation

Question 47

due care

Answer 47

implementation of the countermeasure