Fundamentals of Security

Question 1

Information Systems Security

Answer 1

Protecting the systems (e.g., computers, servers, network devices) that hold and
process critical data

Question 2

Information Security

Answer 2

Protecting data and information from unauthorized access, modification, disruption, disclosure, and destruction

Question 3

Name the 3 parts of the CIA Triad

Answer 3

Confidentiality, Integrity, Availability

Question 4

Define Confidentiality

Answer 4

Ensures information is accessible only to authorized personnel (e.g.,
encryption)

Question 5

Define Integrity

Answer 5

Ensures data remains accurate and unaltered (e.g., checksums)

Question 6

Define Availability

Answer 6

Ensures information and resources are accessible when needed (e.g.,
redundancy measures)

Question 7

Define Non-Repudiation

Answer 7

Guarantees that an action or event cannot be denied by the involved parties
(e.g., digital signatures)

Question 8

What is the CIANA Pentagon?

Answer 8

An extension of the CIA triad with the addition of non-repudiation and
authentication

Question 9

What are the Triple A’s of Security?

Answer 9

Authentication, Authorization, Accounting

Question 10

Define Authentication

Answer 10

Verifying the identity of a user or system (e.g., password checks)

Question 11

Define Authorization

Answer 11

Determining actions or resources an authenticated user can access (e.g.,
permissions)

Question 12

Define Accounting

Answer 12

Tracking user activities and resource usage for audit or billing purposes

Question 13

Name the 4 Security Control Categories

Answer 13

■ Technical
■ Managerial
■ Operational
■ Physical

Question 14

Name the 6 Security Control Types

Answer 14

■ Preventative
■ Deterrent
■ Detective
■ Corrective
■ Compensating
■ Directive

Question 15

What is the Zero Trust Model?

Answer 15

Operates on the principle that no one should be trusted by default

Question 16

What 2 things do we use to achieve zero trust?

Answer 16

The control plane and the data plane

Question 17

Control Plane

Answer 17

• Adaptive identity
• threat scope reduction
• policy-driven access control
• secured zones

Question 18

Data Plane

Answer 18

• Subject/system
• policy engine
• policy administrator
• establishing policy enforcement points

Question 19

What is a threat?

Answer 19

Anything that could cause harm, loss, damage, or compromise to our information technology systems

Question 20

A threat can come from the following 4 things

Answer 20

● Natural disasters
● Cyber-attacks
● Data integrity breaches
● Disclosure of confidential information

Question 21

What is a vulnerability?

Answer 21

Any weakness in the system design or implementation

Question 22

A vulnerability can come from internal factors like the following

Answer 22

● Software bugs
● Misconfigured software
● Improperly protected network devices
● Missing security patches
● Lack of physical security

Question 23

Where threats and vulnerabilities intersect, that is where the risk to your enterprise systems and networks lies

Answer 23

■ If you have a threat, but there is no matching vulnerability to it, then you have no risk
■ The same holds true that if you have a vulnerability but there’s no threat against it, there would be no risk

Question 24

What is Risk Managment?

Answer 24

Finding different ways to minimize the likelihood of an outcome and achieve the
desired outcome

Question 25

What does Confidentiality refer to and what does it ensure?

Answer 25

■ Refers to the protection of information from unauthorized access and disclosure
■ Ensure that private or sensitive information is not available or disclosed to
unauthorized individuals, entities, or processes

Question 26

Confidentiality is important for 3 main reasons

Answer 26

■ To protect personal privacy
■ To maintain a business advantage
■ To achieve regulatory compliance

Question 27

To ensure confidentiality, we use five basic methods

Answer 27

• Encryption
• Access Controls
• Data Masking
• Physical Security Measures
• Training and Awareness

Question 28

What is Encryption?

Answer 28

Process of converting data into a code to prevent unauthorized access

Question 29

How are Access Controls good for Confidentiality?

Answer 29

By setting up strong user permissions, you ensure that only authorized personnel can access certain types data

Question 30

What is Data Masking?

Answer 30

Method that involves obscuring specific data within a database to make it inaccessible for unauthorized users while retaining the real data’s authenticity and use for authorized users

Question 31

What are Physical Security Measures?

Answer 31

Ensure confidentiality for both physical types of data, such as paper records stored in a filing cabinet, and for digital information contained on servers and workstations

Question 32

What is Training and Awareness?

Answer 32

Conduct regular training on the security awareness best practices that
employees can use to protect their organization’s sensitive data

Question 33

What does Integrity help ensure and verify?

Answer 33

■ Helps ensure that information and data remain accurate and unchanged from its original state unless intentionally modified by an authorized individual
■ Verifies the accuracy and trustworthiness of data over the entire lifecycle

Question 34

Integrity is important for three main reasons

Answer 34

■ To ensure data accuracy
■ To maintain trust
■ To ensure system operability

Question 35

To help us maintain the integrity of our data, systems, and networks, we usually utilize five methods

Answer 35

• Hashing
• Digital Signatures
• Checksums
• Access Controls
• Regular Audits

Question 36

What is Hashing?

Answer 36

Process of converting data into a fixed-size value

Question 37

What do digital signatures ensure?

Answer 37

Ensure both integrity and authenticity

Question 38

What are Checksums?

Answer 38

Method to verify the integrity of data during transmission

Question 39

Why are Access Controls good for Integrity?

Answer 39

Ensure that only authorized individuals can modify data and this reduces
the risk of unintentional or malicious alterations

Question 40

Why are regular audits good for Integrity?

Answer 40

Involve systematically reviewing logs and operations to ensure that only authorized changes have been made, and any discrepancies are immediately addressed

Question 41

What does Availability ensure?

Answer 41

Ensure that information, systems, and resources are accessible and operational when needed by authorized users

Question 42

As cybersecurity professionals, we value availability since it can help us with the following

Answer 42

■ Ensuring Business Continuity
■ Maintaining Customer Trust
■ Upholding an Organization’s Reputation

Question 43

To overcome the challenges associated with maintaining availability, the best strategy is to use redundancy in your systems and network designs. What are 4 different types of redundancy?

Answer 43

• Server Redundancy
• Data Redundancy
• Network Redundancy
• Power Redundancy

Question 44

What is Redundancy?

Answer 44

Duplication of critical components or functions of a system with the intention of enhancing its reliability

Question 45

What is Server Redundancy?

Answer 45

Involves using multiple servers in a load balanced or failover configuration
so that if one is overloaded or fails, the other servers can take over the
load to continue supporting your end users

Question 46

What is Data Redundancy?

Answer 46

Involves storing data in multiple places

Question 47

What is Network Redundancy?

Answer 47

Ensures that if one network path fails, the data can travel through
another route

Question 48

What is Power Redundancy?

Answer 48

Involves using backup power sources, like generators and UPS systems

Question 49

What is Non-repudiation?

Answer 49

■ Focused on providing undeniable proof in the world of digital transactions
■ Security measure that ensures individuals or entities involved in a
communication or transaction cannot deny their participation or the authenticity
of their actions

Question 50

What are Digital Signatures?

Answer 50

■ Considered to be unique to each user who is operating within the digital domain
■ Created by first hashing a particular message or communication that you want to
digitally sign, and then it encrypts that hash digest with the user’s private key using asymmetric encryption

Question 51

Non-repudiation is important for three main reasons

Answer 51

■ To confirm the authenticity of digital transactions
■ To ensure the integrity of critical communications
■ To provide accountability in digital processes

Question 52

What is Authentication?

Answer 52

Security measure that ensures individuals or entities are who they claim to be during a communication or transaction

Question 53

What are 5 commonly used authentication methods?

Answer 53

• Something you know (Knowledge Factor)
• Something you have (Possession Factor)
• Something you are (Inherence Factor)
• Something you do (Action Factor)
• Somewhere you are (Location Factor)

Question 54

Something you know (Knowledge Factor)

Answer 54

Relies on information that a user can recall

Question 55

Something you have (Possession Factor)

Answer 55

Relies on the user presenting a physical item to authenticate themselves

Question 56

Something you are (Inherence Factor)

Answer 56

Relies on the user providing a unique physical or behavioral characteristic of the person to validate that they are who they claim to be

Question 57

Something you do (Action Factor)

Answer 57

Relies on the user conducting a unique action to prove who they are

Question 58

Somewhere you are (Location Factor)

Answer 58

Relies on the user being in a certain geographic location before access is
granted

Question 59

What is Multi-Factor Authentication System (MFA)

Answer 59

Security process that requires users to provide multiple methods of identification
to verify their identity

Question 60

Authentication is critical to understand because of the following

Answer 60

■ To prevent unauthorized access
■ To protect user data and privacy
■ To ensure that resources are accessed by valid users only

Question 61

What is Authorization?

Answer 61

Pertains to the permissions and privileges granted to users or entities after they have been authenticated

Question 62

Authorization mechanisms are important to help us with the following

Answer 62

■ To protect sensitive data
■ To maintain the system integrity in our organizations
■ To create a more streamlined user experience

Question 63

What is Accounting?

Answer 63

Security measure that ensures all user activities during a communication or transaction are properly tracked and recorded

Question 64

Your organization should use a robust accounting system so that you can create the following 5 important tasks

Answer 64

• Create an audit trail
• Maintain regulatory compliance
• Conduct forensic analysis
• Perform resource optimization
• Achieve user accountability

Question 65

What does Creating an audit trail do?

Answer 65

Provides a chronological record of all user activities that can be used to
trace changes, unauthorized access, or anomalies back to a source or
point in time

Question 66

What does Maintaining regulatory compliance do?

Answer 66

Maintains a comprehensive record of all users’ activities

Question 67

What does Conducting forensic analysis do?

Answer 67

Uses detailed accounting and event logs that can help cybersecurity
experts understand what happened, how it happened, and how to prevent similar incidents from occurring again

Question 68

What does Performing resource optimization do?

Answer 68

Organizations can optimize system performance and minimize costs by
tracking resource utilization and allocation decisions

Question 69

What does Achieving user accountability do?

Answer 69

Thorough accounting system ensures users’ actions are monitored and logged , deterring potential misuse and promoting adherence to the organization’s policies

Question 70

To perform accounting, we usually use different technologies like the following 3

Answer 70

• Syslog Servers
• Network Analysis Tools
• Security Information and Event Management (SIEM) Systems

Question 71

For accounting purposes, what are Syslog Servers used for?

Answer 71

Used to aggregate logs from various network devices and systems so that system administrators can analyze them to detect patterns or anomalies in the organization’s systems

Question 72

For accounting purposes, what are Network Analysis Tools used for?

Answer 72

Used to capture and analyze network traffic so that network
administrators can gain detailed insights into all the data moving within a
network

Question 73

For accounting purposes, what are Security Information and Event Management (SIEM) Systems used for?

Answer 73

Provides us with a real-time analysis of security alerts generated by
various hardware and software infrastructure in an organization

Question 74

What are 4 broad categories of Security Controls?

Answer 74

• Technical Controls
• Managerial Controls
• Operational Controls
• Physical Controls

Question 75

What are Technical Controls?

Answer 75

Technologies, hardware, and software mechanisms that are implemented
to manage and reduce risks

Question 76

What are Managerial Controls?

Answer 76

● Sometimes also referred to as administrative controls
● Involve the strategic planning and governance side of security

Question 77

What are Operational Controls?

Answer 77

● Procedures and measures that are designed to protect data on a
day-to-day basis
● Are mainly governed by internal processes and human actions

Question 78

What are Physical Controls?

Answer 78

Tangible, real-world measures taken to protect assets

Question 79

What are 6 Basic Types of Security Controls?

Answer 79

• Preventive Controls
• Deterrent Controls
• Detective Controls
• Corrective Controls
• Compensating Controls
• Directive Controls

Question 80

What are Preventive Controls?

Answer 80

Proactive measures implemented to thwart potential security threats or
breaches

Question 81

What are Deterrent Controls?

Answer 81

Discourage potential attackers by making the effort seem less appealing
or more challenging

Question 82

What are Detective Controls?

Answer 82

Monitor and alert organizations to malicious activities as they occur or shortly thereafter

Question 83

What are Corrective Controls?

Answer 83

Mitigate any potential damage and restore our systems to their normal
state

Question 84

What are Compensating Controls?

Answer 84

Alternative measures that are implemented when primary security
controls are not feasible or effective

Question 85

What are Directive Controls?

Answer 85

● Guide, inform, or mandate actions
● Often rooted in policy or documentation and set the standards for
behavior within an organization

Question 86

What is Gap Analysis?

Answer 86

Process of evaluating the differences between an organization’s current performance and its desired performance. Conducting a gap analysis can be a valuable tool for organizations looking to improve their operations, processes, performance, or overall security posture

Question 87

There are 4 main steps involved in conducting a gap analysis

Answer 87

■ Define the scope of the analysis
■ Gather data on the current state of the organization
■ Analyze the data to identify any areas where the organization’s current
performance falls short of its desired performance
■ Develop a plan to bridge the gap

Question 88

2 Basic Types of Gap Analysis

Answer 88

■ Technical Gap Analysis
■ Business Gap Analysis

Question 89

What is a Technical Gap Analysis?

Answer 89

● Involves evaluating an organization’s current technical infrastructure
● identifying any areas where it falls short of the technical capabilities
required to fully utilize their security solutions

Question 90

What is a Business Gap Analysis?

Answer 90

● Involves evaluating an organization’s current business processes
● Identifying any areas where they fall short of the capabilities required to
fully utilize cloud-based solutions

Question 91

What are Plan of Action and Milestones (POA&M) for gap analyses?

Answer 91

● Outlines the specific measures to address each vulnerability
● Allocate resources
● Set up timelines for each remediation task that is needed

Question 92

What does Zero Trust demand?

Answer 92

verification for every device, user, and transaction within the
network, regardless of its origin

Question 93

To create a zero trust architecture, we need to use two different planes

Answer 93

• Control Plane
• Data Plane

Question 94

What does the Control Plane refer to?

Answer 94

Refers to the overarching framework and set of components responsible
for defining, managing, and enforcing the policies related to user and
system access within an organization

Question 95

Which 4 key elements does the Control Plane Encompass?

Answer 95

• Adaptive Identity
• Threat Scope Reduction
• Policy-Driven Access Control
• Secured Zones

Question 96

What is Adaptive Identity?

Answer 96

Relies on real-time validation that takes into account the
user’s behavior, device, location, and more

Question 97

What is Threat Scope Reduction?

Answer 97

■ Limits the users’ access to only what they need for their
work tasks because this reduces the network’s potential
attack surface
■ Focused on minimizing the “blast radius” that could occur
in the event of a breach

Question 98

What is Policy-Driven Access Control?

Answer 98

Entails developing, managing, and enforcing user access
policies based on their roles and responsibilities

Question 99

What are Secured Zones?

Answer 99

Isolated environments within a network that are designed to house sensitive data

Question 100

Control Plane uses a ——– and a ——– to make
decisions about access

Answer 100

Policy Engine and Policy Administrator

Question 101

What does a Policy Engine do?

Answer 101

Cross-references the access request with its predefined
policies

Question 102

What is a Policy Administrator used for?

Answer 102

Used to establish and manage the access policies

Question 103

What does a data plane consist of?

Answer 103

Subject/System and Policy Enforcement Point

Question 104

What does a Subject/System refer to in terms of a data plane?

Answer 104

Refers to the individual or entity attempting to gain access

Question 105

What does a Policy Enforcement Point refer to in terms of a data plane?

Answer 105

Where the decision to grant or deny access is actually executed