Fundamentals of Security Flashcards

1.1 - Compare and contrast various types of security controls
1.2 - Summarize fundamental security concepts

1
Q

What is the primary focus of Information Security?

A. Protecting systems from physical damage.
B. Protecting data and information from unauthorized access, modification, disruption, disclosure, and destruction.
C. Managing user permissions within a network.
D. Ensuring data remains unaltered and accessible when needed.

A

Answer:
B. Protecting data and information from unauthorized access, modification, disruption, disclosure, and destruction.

Why correct: Information Security focuses on protecting data and information from unauthorized access, modification, disruption, disclosure, and destruction.
Incorrect Options:

A: This describes physical security, not Information Security.
C: This relates to access control, which is a subset of security practices.
D: While integrity and availability are part of Information Security, the primary focus is broader.

2
Q

What does Non-Repudiation ensure in Information Security?

A. Information is only accessible to authorized personnel.
B. Data remains accurate and unaltered.
C. An action or event cannot be denied by the involved parties.
D. Information and resources are accessible when needed.

A

C. An action or event cannot be denied by the involved parties.

Why correct: Non-Repudiation guarantees that actions or events cannot be denied by the involved parties, typically through mechanisms like digital signatures.
Incorrect Options:

A: This describes Confidentiality.
B: This describes Integrity.
D: This describes Availability.

3
Q

What are the two additional principles added to the CIA Triad in the CIANA Pentagon?

A. Integrity and Availability
B. Authentication and Non-Repudiation
C. Confidentiality and Authorization
D. Accounting and Adaptive Identity

A

Answer:
B. Authentication and Non-Repudiation

Why correct: The CIANA Pentagon extends the CIA Triad by adding Authentication (verifying user/system identity) and Non-Repudiation (ensuring actions/events cannot be denied).
Incorrect Options:

A: Integrity and Availability are already part of the CIA Triad.
C: Authorization is not part of the CIANA Pentagon.
D: Adaptive Identity is a component of the Zero Trust model.

4
Q

What is the role of Authentication in the Triple A’s of Security?

A. Tracking user activities and resource usage.
B. Determining what resources a user can access.
C. Verifying the identity of a user or system.
D. Protecting information from unauthorized access.

A

Answer:
C. Verifying the identity of a user or system.

Why correct: Authentication involves verifying the identity of a user or system, such as through password checks.
Incorrect Options:

A: This describes Accounting.
B: This describes Authorization.
D: This is the goal of Information Security, not specifically Authentication.

5
Q

Which of the following is NOT a category of Security Controls?

A. Technical
B. Physical
C. Directive
D. Logical

A

Answer:
D. Logical

Why correct: The categories of Security Controls are Technical, Managerial, Operational, and Physical. Logical is not a category.
Incorrect Options:

A, B, C: These are all valid categories of Security Controls.

6
Q

Which principle is central to the Zero Trust Model?

A. Trust is granted to internal users by default.
B. No one should be trusted by default, regardless of origin.
C. Users must always be authenticated only once.
D. Authentication and Authorization are not required.

A

Answer:
B. No one should be trusted by default, regardless of origin.

Why correct: The Zero Trust Model operates on the principle that no one, whether inside or outside the network, should be trusted by default.
Incorrect Options:

A: Trust is not granted by default in Zero Trust.
C: Authentication is continuous in Zero Trust.
D: Authentication and Authorization are critical in Zero Trust.

7
Q

Which of the following Security Control Categories protects material assets?

A. Managerial
B. Physical
C. Technical
D. Operational

A

B. Physical

Explanation:

Correct Answer: Physical security controls protect tangible assets, such as buildings and hardware, from unauthorized access or damage.
Incorrect Options:
A: Managerial controls are focused on policies, procedures, and risk assessments.
C: Technical controls rely on technology to enforce security.
D: Operational controls focus on day-to-day security tasks.

8
Q

Which of the following is a Preventative Security Control?

A. A firewall blocking unauthorized access to a network.
B. A surveillance camera recording activity.
C. A backup system restoring lost data.
D. A user awareness training program.

A

A. A firewall blocking unauthorized access to a network.

Explanation:

Correct Answer: Preventative controls are designed to stop incidents before they occur, such as a firewall blocking unauthorized network access.
Incorrect Options:
B: Surveillance cameras are Detective controls, as they help identify and monitor events.
C: A backup system restoring lost data is a Corrective control.
D: User awareness training is a Directive control.

9
Q

Which Security Control Type aims to discourage malicious activities?

A. Preventative
B. Deterrent
C. Detective
D. Corrective

A

B. Deterrent

Explanation:

Correct Answer: Deterrent controls, such as warning signs or guard presence, aim to discourage malicious activities by creating the perception of difficulty or risk.
Incorrect Options:
A: Preventative controls actively block unauthorized activities.
C: Detective controls are used to identify incidents after they occur.
D: Corrective controls are used to fix or recover from incidents.

10
Q

Which Security Control Type is responsible for identifying incidents that have already occurred?

A. Preventative
B. Deterrent
C. Detective
D. Directive

A

C. Detective

Explanation:

Correct Answer: Detective controls, such as intrusion detection systems or log monitoring, help identify and record incidents after they occur.
Incorrect Options:
A: Preventative controls stop incidents before they happen.
B: Deterrent controls discourage malicious behavior.
D: Directive controls provide guidance or instructions to enforce security policies.

11
Q

Which type of Security Control is used to restore systems to normal after an incident?

A. Corrective
B. Preventative
C. Compensating
D. Detective

A

A. Corrective

Explanation:

Correct Answer: Corrective controls, such as patch management or restoring from backups, are used to recover from and mitigate the effects of a security incident.
Incorrect Options:
B: Preventative controls block incidents from occurring.
C: Compensating controls are alternative measures to meet a security requirement.
D: Detective controls identify incidents.

12
Q

Which Security Control Type serves as an alternative measure when a primary control is not feasible?

A. Preventative
B. Compensating
C. Directive
D. Corrective

A

B. Compensating

Explanation:

Correct Answer: Compensating controls provide an alternative way to achieve security objectives when the primary control is not feasible, such as using multifactor authentication when biometric authentication is unavailable.
Incorrect Options:
A: Preventative controls block incidents from occurring.
C: Directive controls enforce policies and procedures.
D: Corrective controls recover from incidents.

13
Q

Which Security Control Type provides guidance to ensure compliance with security policies?

A. Preventative
B. Directive
C. Detective
D. Corrective

A

B. Directive

Explanation:

Correct Answer: Directive controls, such as security policies and procedures, provide guidance to ensure compliance and proper implementation of security measures.
Incorrect Options:
A: Preventative controls block incidents.
C: Detective controls identify incidents.
D: Corrective controls recover from incidents.

14
Q

What is the fundamental principle of the Zero Trust Model?

A. Grant access by default to trusted devices.
B. No one is trusted by default, even within the network.
C. Rely solely on external firewalls for protection.
D. Trust but verify all access requests.

A

B. No one is trusted by default, even within the network.

Explanation:

Correct Answer: The Zero Trust Model operates on the principle of “never trust, always verify,” requiring strict access verification for all users, devices, and systems, regardless of their location.
Incorrect Options:
A: The Zero Trust Model avoids granting access by default, even to trusted devices.
C: External firewalls alone are insufficient for Zero Trust.
D: Zero Trust advocates “never trust,” not “trust but verify.”

15
Q
A
16
Q

Which component of the Data Plane is responsible for enforcing access decisions?

A. Policy Engine
B. Subject/System
C. Policy Enforcement Point
D. Policy Administrator

A

C. Policy Enforcement Point

Explanation:

Correct Answer: The Policy Enforcement Point is where the access decision is executed, either granting or denying the request based on policy.
Incorrect Options:
A: Policy Engine cross-references access requests with policies but does not enforce them.
B: Subject/System is the entity attempting access.
D: Policy Administrator manages access policies but does not enforce them.

17
Q

Which of the following is not part of the Control Plane in the Zero Trust Model?

A. Threat Scope Reduction
B. Secured Zones
C. Policy Enforcement Point
D. Policy-Driven Access Control

A

C. Policy Enforcement Point

Explanation:

Correct Answer: Policy Enforcement Point is part of the Data Plane, responsible for executing access decisions.
Incorrect Options:
A, B, D: These are all part of the Control Plane, focusing on defining and managing policies.

18
Q

What is a threat in the context of information security?

A. A weakness in system design or implementation.
B. Anything that could cause harm, loss, or compromise to IT systems.
C. The absence of physical security controls.
D. A missing security patch in software.

A

B. Anything that could cause harm, loss, or compromise to IT systems.

Explanation:

Correct Answer: A threat refers to anything, such as natural disasters, cyber-attacks, or data breaches, that could cause harm to information technology systems.
Incorrect Options:
A, C, D: These describe vulnerabilities, which are weaknesses in a system that could be exploited by a threat.

19
Q

Which of the following is an example of a vulnerability?

A. A hurricane causing a power outage.
B. A misconfigured software application.
C. A phishing attack targeting employees.
D. Disclosure of confidential information.

A

B. A misconfigured software application.

Explanation:

Correct Answer: Vulnerabilities are weaknesses in the system, such as misconfigured software, missing patches, or lack of physical security.
Incorrect Options:
A: A hurricane is a natural disaster and considered a threat.
C: A phishing attack is a type of cyber-attack and thus a threat.
D: Disclosure of confidential information is a threat outcome, not a vulnerability.

20
Q

Where does risk exist in enterprise systems?

A. When a threat exists without a matching vulnerability.
B. When a vulnerability exists but there’s no matching threat.
C. When threats and vulnerabilities intersect.
D. When there are no threats or vulnerabilities.

A

C. When threats and vulnerabilities intersect.

Explanation:

Correct Answer: Risk arises when there is both a threat and a matching vulnerability that could be exploited.
Incorrect Options:
A, B: Risk does not exist when there is no intersection between threats and vulnerabilities.
D: Risk requires both threats and vulnerabilities to exist simultaneously.

21
Q

Which of the following is not an example of a vulnerability?

A. A software bug.
B. A missing security patch.
C. A cyber-attack exploiting a network.
D. Improperly protected network devices.

A

C. A cyber-attack exploiting a network.

Explanation:

Correct Answer: A cyber-attack is a threat, not a vulnerability.
Incorrect Options:
A, B, D: These are examples of vulnerabilities, as they represent weaknesses in the system.

22
Q

What is the primary goal of risk management in information security?

A. Eliminate all vulnerabilities in a system.
B. Minimize the likelihood of undesired outcomes.
C. Prevent all threats from occurring.
D. Ensure there are no risks in the system.

A

B. Minimize the likelihood of undesired outcomes.

Explanation:

Correct Answer: Risk management focuses on reducing the likelihood of undesired outcomes by addressing vulnerabilities and mitigating threats.
Incorrect Options:
A: It’s not feasible to eliminate all vulnerabilities completely.
C: Preventing all threats is impossible; risk management mitigates their impact.
D: Risk can never be fully eliminated, only minimized.

23
Q

What is the primary focus of confidentiality in information security?

A. Ensuring data remains accurate and unaltered.
B. Protecting information from unauthorized access and disclosure.
C. Guaranteeing information and resources are accessible when needed.
D. Tracking user activities and resource usage.

A

B. Protecting information from unauthorized access and disclosure.

Explanation:

Correct Answer: Confidentiality refers to safeguarding private or sensitive information so that it is not accessible to unauthorized individuals, entities, or processes.
Incorrect Options:
A: This describes integrity, not confidentiality.
C: This refers to availability, not confidentiality.
D: This is related to accounting or audit, not confidentiality.

24
Q

Which of the following is not a main reason why confidentiality is important?

A. To protect personal privacy.
B. To achieve regulatory compliance.
C. To prevent data from being altered.
D. To maintain a business advantage.

A

C. To prevent data from being altered.

Explanation:

Correct Answer: Preventing data alteration pertains to integrity, not confidentiality.
Incorrect Options:
A, B, D: These are valid reasons why confidentiality is crucial, as it ensures the protection of personal privacy, compliance with regulations, and retention of a competitive business advantage.

25
Q

Which method involves obscuring specific data within a database while retaining its authenticity for authorized users?

A. Encryption
B. Access Controls
C. Data Masking
D. Physical Security Measures

A

C. Data Masking

Explanation:

Correct Answer: Data masking obscures specific data in a database to prevent unauthorized access while keeping the data usable for authorized purposes.
Incorrect Options:
A: Encryption converts data into a code, but it is not the same as data masking.
B: Access controls manage permissions but do not modify or obscure the data.
D: Physical security measures ensure physical protection but are unrelated to database-level data masking.

26
Q

What is the purpose of access controls in ensuring confidentiality?

A. To obscure specific data in a database.
B. To convert data into an unreadable code.
C. To set up strong user permissions for authorized access.
D. To provide physical protection for data.

A

C. To set up strong user permissions for authorized access.

Explanation:

Correct Answer: Access controls ensure only authorized personnel can access specific types of data by establishing strong user permissions.
Incorrect Options:
A: Data masking obscures data but does not involve user permissions.
B: Encryption converts data into a code to prevent unauthorized access.
D: Physical security measures focus on securing physical assets, not access permissions.

27
Q

Which of the following confidentiality methods addresses physical types of data, such as paper records?

A. Encryption
B. Access Controls
C. Physical Security Measures
D. Training and Awareness

A

C. Physical Security Measures

Explanation:

Correct Answer: Physical security measures protect both physical data (e.g., paper records) and digital information stored on servers or workstations.
Incorrect Options:
A: Encryption protects digital data by converting it into code but does not address physical assets.
B: Access controls are focused on user permissions, not physical protection.
D: Training and awareness involve educating employees rather than directly securing physical assets.

28
Q

What is the primary purpose of conducting training and awareness programs in maintaining confidentiality?

A. To obscure specific data within a database.
B. To ensure employees are educated on security best practices.
C. To convert data into a code for unauthorized users.
D. To track user activities and audit their actions.

A

B. To ensure employees are educated on security best practices.

Explanation:

Correct Answer: Training and awareness ensure employees understand best practices for protecting their organization’s sensitive data.
Incorrect Options:
A: Data masking involves obscuring data but is unrelated to employee training.
C: Encryption converts data into code but is a separate confidentiality method.
D: Accounting tracks user activities and is unrelated to training programs.

29
Q

What is the primary goal of integrity in information security?

A. Ensuring information is accessible only to authorized personnel.
B. Ensuring information and data remain accurate and unchanged unless modified by an authorized individual.
C. Guaranteeing information and resources are accessible when needed.
D. Tracking user activities for auditing purposes.

A

B. Ensuring information and data remain accurate and unchanged unless modified by an authorized individual.

Explanation:

Correct Answer: Integrity focuses on maintaining the accuracy and trustworthiness of data over its entire lifecycle, preventing unauthorized or unintentional changes.
Incorrect Options:
A: This describes confidentiality, not integrity.
C: This refers to availability, not integrity.
D: While audits support integrity, tracking user activities is not its primary goal.

30
Q

Which of the following is not a reason why integrity is important?

A. To ensure data accuracy.
B. To protect personal privacy.
C. To maintain trust.
D. To ensure system operability.

A

B. To protect personal privacy.

Explanation:

Correct Answer: Protecting personal privacy is a key focus of confidentiality, not integrity.
Incorrect Options:
A, C, D: These are valid reasons why integrity is important, as it ensures data accuracy, fosters trust, and ensures systems operate as expected.

31
Q

What method converts data into a fixed-size value to ensure its integrity?

A. Checksums
B. Digital Signatures
C. Hashing
D. Access Controls

A

C. Hashing

Explanation:

Correct Answer: Hashing converts data into a fixed-size value, making it possible to detect any changes to the data and ensure its integrity.
Incorrect Options:
A: Checksums verify data integrity during transmission but do not involve creating fixed-size values.
B: Digital signatures ensure both integrity and authenticity but are not the same as hashing.
D: Access controls manage permissions but do not directly verify data integrity.

32
Q

How do digital signatures contribute to maintaining integrity?

A. By tracking and auditing system logs for discrepancies.
B. By ensuring only authorized users can access sensitive information.
C. By verifying both the integrity and authenticity of data.
D. By converting data into a fixed-size value to detect changes.

A

C. By verifying both the integrity and authenticity of data.

Explanation:

Correct Answer: Digital signatures confirm that data has not been altered and verify the identity of the sender, ensuring both integrity and authenticity.
Incorrect Options:
A: Audits review logs for discrepancies but do not provide real-time integrity verification.
B: Access controls limit access but do not verify data integrity.
D: Hashing, not digital signatures, converts data into fixed-size values.

33
Q

Which method is specifically used to verify the integrity of data during transmission?

A. Digital Signatures
B. Checksums
C. Hashing
D. Regular Audits

A

B. Checksums

Explanation:

Correct Answer: Checksums are used to verify the integrity of data during transmission by detecting errors or alterations.
Incorrect Options:
A: Digital signatures verify both integrity and authenticity but are not specifically for data transmission.
C: Hashing generates fixed-size values but is not focused on transmission verification.
D: Audits review logs and changes but do not verify transmitted data.

34
Q

Which of the following methods ensures only authorized individuals can modify data?

A. Access Controls
B. Hashing
C. Checksums
D. Regular Audits

A

A. Access Controls

Explanation:

Correct Answer: Access controls limit modifications to authorized personnel, reducing the risk of unintentional or malicious changes.
Incorrect Options:
B: Hashing verifies data integrity but does not control access.
C: Checksums detect data changes but do not prevent them.
D: Audits detect discrepancies after the fact but do not directly prevent unauthorized modifications.

35
Q

What is the purpose of regular audits in ensuring integrity?

A. To convert data into a fixed-size value for verification.
B. To systematically review logs and operations for authorized changes.
C. To protect data from unauthorized access.
D. To ensure data is transmitted securely.

A

B. To systematically review logs and operations for authorized changes.

Explanation:

Correct Answer: Regular audits ensure that any changes to data or systems are authorized and discrepancies are addressed promptly.
Incorrect Options:
A: Hashing converts data into fixed-size values but does not involve systematic reviews.
C: Protecting data from unauthorized access pertains to confidentiality.
D: Ensuring secure data transmission is related to encryption, not audits.

36
Q

What does availability ensure in information security?

A. Information and resources are protected from unauthorized access.
B. Information, systems, and resources are accessible and operational when needed by authorized users.
C. The integrity and authenticity of information are maintained.
D. Information remains confidential and protected from unauthorized disclosure.

A

B. Information, systems, and resources are accessible and operational when needed by authorized users.

Explanation:

Correct Answer: Availability focuses on ensuring that authorized users can access systems, information, and resources when needed.
Incorrect Options:
A: This describes confidentiality, not availability.
C: This describes integrity, not availability.
D: This is also related to confidentiality, not availability.

37
Q

Which of the following is not a benefit of ensuring availability?

A. Ensuring business continuity
B. Protecting personal privacy
C. Maintaining customer trust
D. Upholding an organization’s reputation

A

B. Protecting personal privacy

Explanation:

Correct Answer: Protecting personal privacy is related to confidentiality, not availability.
Incorrect Options:
A, C, D: These are valid benefits of availability, as it ensures systems are operational, fosters trust, and maintains reputation.

38
Q

What is the primary strategy for maintaining availability in systems and networks?

A. Encryption
B. Redundancy
C. Hashing
D. Regular Audits

A

B. Redundancy

Explanation:

Correct Answer: Redundancy enhances reliability by duplicating critical system components or functions to prevent service disruptions.
Incorrect Options:
A: Encryption protects data confidentiality, not availability.
C: Hashing ensures data integrity but does not maintain availability.
D: Regular audits detect discrepancies but are not directly related to availability.

39
Q

What is the purpose of server redundancy?

A. To ensure data can travel through alternate routes if a network path fails.
B. To use backup power sources to maintain system operation.
C. To distribute workloads or provide failover capability if one server fails.
D. To store data in multiple locations for reliability.

A

C. To distribute workloads or provide failover capability if one server fails.

Explanation:

Correct Answer: Server redundancy ensures multiple servers can share workloads or take over if one server fails, maintaining system availability.
Incorrect Options:
A: This describes network redundancy, not server redundancy.
B: This describes power redundancy, not server redundancy.
D: This describes data redundancy, not server redundancy.

40
Q

What type of redundancy involves ensuring data is stored in multiple places?

A. Server Redundancy
B. Data Redundancy
C. Network Redundancy
D. Power Redundancy

A

B. Data Redundancy

Explanation:

Correct Answer: Data redundancy ensures data is stored in multiple locations to protect against loss or corruption.
Incorrect Options:
A: Server redundancy focuses on servers, not data.
C: Network redundancy deals with alternative network paths.
D: Power redundancy involves backup power sources, not data storage.

41
Q

Which redundancy method ensures that if one network path fails, data can travel through another route?

A. Server Redundancy
B. Data Redundancy
C. Network Redundancy
D. Power Redundancy

A

C. Network Redundancy

Explanation:

Correct Answer: Network redundancy ensures continuous data transmission by providing alternate network paths.
Incorrect Options:
A: Server redundancy relates to servers, not network paths.
B: Data redundancy focuses on data storage, not transmission.
D: Power redundancy deals with maintaining power supply.

42
Q

What is the primary purpose of power redundancy?

A. To use multiple servers for load balancing.
B. To provide backup power sources to maintain operations during power failures.
C. To store data in multiple locations for recovery purposes.
D. To ensure alternate routes for data transmission in case of network failure.

A

B. To provide backup power sources to maintain operations during power failures.

Explanation:

Correct Answer: Power redundancy ensures uninterrupted system operation by using backup sources like generators or UPS systems.
Incorrect Options:
A: This describes server redundancy, not power redundancy.
C: This describes data redundancy.
D: This describes network redundancy.

43
Q

What is the primary goal of non-repudiation in the context of digital transactions?

A. To ensure data confidentiality.
B. To provide undeniable proof of participation or authenticity in digital transactions.
C. To ensure only authorized individuals can access critical systems.
D. To prevent unauthorized modification of data.

A

B. To provide undeniable proof of participation or authenticity in digital transactions.

Explanation:

Correct Answer: Non-repudiation focuses on ensuring that participants cannot deny their involvement or the authenticity of their actions in a digital transaction.
Incorrect Options:
A: This describes confidentiality, not non-repudiation.
C: This aligns with access control, not non-repudiation.
D: This relates to integrity, not non-repudiation.

44
Q

Which of the following is not a benefit of non-repudiation?

A. Confirming the authenticity of digital transactions
B. Ensuring the confidentiality of sensitive information
C. Providing accountability in digital processes
D. Ensuring the integrity of critical communications

A

B. Ensuring the confidentiality of sensitive information

Explanation:

Correct Answer: Confidentiality pertains to protecting sensitive information from unauthorized access, not non-repudiation.
Incorrect Options:
A, C, D: These are valid benefits of non-repudiation, as it confirms authenticity, ensures communication integrity, and provides accountability.

45
Q

Which method is most commonly used to ensure non-repudiation in digital transactions?

A. Hashing
B. Digital Signatures
C. Symmetric Encryption
D. Firewalls

A

B. Digital Signatures

Explanation:

Correct Answer: Digital signatures are unique to each user and ensure non-repudiation by proving authenticity and integrity in digital transactions.
Incorrect Options:
A: Hashing verifies data integrity but does not ensure non-repudiation.
C: Symmetric encryption does not provide the unique proof required for non-repudiation.
D: Firewalls are used for network security, not non-repudiation.

46
Q

What are the two main steps in creating a digital signature?

A. Encrypting the message and hashing it with a private key.
B. Hashing the message and encrypting the hash digest with the user’s private key.
C. Using symmetric encryption to encode the message and storing it in a secure location.
D. Hashing the message and encrypting the hash digest with the public key.

A

B. Hashing the message and encrypting the hash digest with the user’s private key.

Explanation:

Correct Answer: A digital signature is created by first hashing the message to create a digest, then encrypting the digest with the user’s private key using asymmetric encryption.
Incorrect Options:
A: The hash digest, not the message, is encrypted with the private key.
C: Symmetric encryption is not used for digital signatures.
D: The private key, not the public key, is used to create the signature.

47
Q

Why is non-repudiation essential in digital communications?

A. To confirm the authenticity of digital transactions.
B. To prevent unauthorized individuals from accessing critical data.
C. To maintain data confidentiality during transmission.
D. To ensure system uptime and reliability.

A

A. To confirm the authenticity of digital transactions.

Explanation:

Correct Answer: Non-repudiation ensures that digital transactions are authentic and that participants cannot deny their involvement.
Incorrect Options:
B: This relates to access control, not non-repudiation.
C: This describes confidentiality, not non-repudiation.
D: This relates to availability, not non-repudiation.

48
Q

What role does a private key play in the creation of a digital signature?

A. It verifies the authenticity of the signature.
B. It encrypts the original message.
C. It encrypts the hash digest of the message.
D. It decrypts the signature during verification.

A

C. It encrypts the hash digest of the message.

Explanation:

Correct Answer: The private key is used to encrypt the hash digest during the creation of a digital signature, ensuring its uniqueness and authenticity.
Incorrect Options:
A: The authenticity is verified using the public key, not the private key.
B: The private key encrypts the hash digest, not the original message.
D: Decryption is performed with the public key, not the private key.

49
Q

What is the primary goal of authentication?

A. To assign permissions to users after verifying their identity.
B. To ensure individuals or entities are who they claim to be during a communication or transaction.
C. To create an audit trail of user activities.
D. To protect sensitive data from unauthorized access.

A

B. To ensure individuals or entities are who they claim to be during a communication or transaction.

Explanation:

Correct Answer: Authentication verifies the identity of users or entities.
Incorrect Options:
A: This describes authorization, not authentication.
C: This describes accounting, not authentication.
D: While authentication contributes to this, it primarily focuses on identity verification.

50
Q

Why is authentication critical for organizations?

A. It ensures only authorized users access specific resources.
B. It verifies permissions granted to authenticated users.
C. It helps track and record user activities.
D. It prevents unauthorized access and protects user privacy.

A

D. It prevents unauthorized access and protects user privacy.

Explanation:

Correct Answer: Authentication ensures only valid users can access resources, safeguarding user data and privacy.
Incorrect Options:
A: This is a benefit of authorization.
B: Authorization follows authentication.
C: This describes accounting.

51
Q

What does authorization involve?

A. Verifying a user’s identity.
B. Tracking and recording user activities.
C. Granting permissions and privileges to authenticated users.
D. Encrypting sensitive user data.

A

C. Granting permissions and privileges to authenticated users.

Explanation:

Correct Answer: Authorization determines what actions an authenticated user can perform or what resources they can access.
Incorrect Options:
A: This is authentication.
B: This is accounting.
D: Encryption ensures confidentiality, not authorization.

52
Q

Why is authorization important in cybersecurity?

A. To verify users’ identities before granting them access.
B. To maintain system integrity and protect sensitive data.
C. To log user activities for future audits.
D. To optimize resource allocation decisions.

A

B. To maintain system integrity and protect sensitive data.

Explanation:

Correct Answer: Authorization ensures sensitive data and system resources are accessed only by permitted users, maintaining security and integrity.
Incorrect Options:
A: This is a function of authentication.
C: This is part of accounting.
D: This is related to resource optimization, a benefit of accounting.

53
Q

What is the main purpose of accounting in cybersecurity?

A. To assign permissions to users.
B. To track and record user activities for audit and analysis.
C. To verify the authenticity of user identities.
D. To ensure real-time analysis of security threats.

A

B. To track and record user activities for audit and analysis.

Explanation:

Correct Answer: Accounting involves maintaining logs and records of user activities, creating an audit trail for accountability and forensic analysis.
Incorrect Options:
A: This is part of authorization.
C: This describes authentication.
D: SIEM systems, which are accounting tools, assist with this, but it is not the main purpose of accounting.

54
Q

Which of the following is not a benefit of a robust accounting system?

A. Maintaining regulatory compliance.
B. Preventing unauthorized access to sensitive data.
C. Conducting forensic analysis after security incidents.
D. Tracking resource utilization for optimization.

A

B. Preventing unauthorized access to sensitive data.

Explanation:

Correct Answer: Preventing unauthorized access is the goal of authentication and authorization, not accounting.
Incorrect Options:
A, C, D: These are key benefits of accounting.

55
Q

What is the role of a SIEM (Security Information and Event Management) system in accounting?

A. To aggregate logs from various network devices.
B. To analyze network traffic for anomalies.
C. To provide real-time analysis of security alerts.
D. To encrypt sensitive user data.

A

C. To provide real-time analysis of security alerts.

Explanation:

Correct Answer: SIEM systems offer real-time security analysis by collecting and analyzing data from various hardware and software infrastructure.
Incorrect Options:
A: This is the role of syslog servers.
B: This is the role of network analysis tools.
D: Encryption is unrelated to accounting.

56
Q

Which tool is best suited for aggregating logs from various network devices for accounting purposes?

A. Network analysis tools
B. SIEM systems
C. Syslog servers
D. Encryption mechanisms

A

C. Syslog servers

Explanation:

Correct Answer: Syslog servers are used to collect and manage logs from multiple systems for analysis and anomaly detection.
Incorrect Options:
A: These tools focus on traffic analysis.
B: SIEM systems provide broader real-time security analysis, including alerts.
D: Encryption mechanisms are unrelated to log aggregation.

57
Q

Which category of security control involves strategic planning and governance?

A. Technical Controls
B. Managerial Controls
C. Operational Controls
D. Physical Controls

A

B. Managerial Controls

Explanation:

Correct Answer: Managerial controls (also known as administrative controls) focus on strategic planning and governance.
Incorrect Options:
A: Technical controls deal with technologies and hardware/software mechanisms.
C: Operational controls involve day-to-day procedures and human actions.
D: Physical controls are tangible measures, such as locks or cameras.

58
Q

What type of control is best described as procedures and measures designed to protect data on a daily basis?

A. Technical Controls
B. Managerial Controls
C. Operational Controls
D. Preventive Controls

A

C. Operational Controls

Explanation:

Correct Answer: Operational controls are focused on protecting data on a day-to-day basis and are governed by processes and human actions.
Incorrect Options:
A: Technical controls deal with hardware, software, and technology-based mechanisms.
B: Managerial controls involve planning and governance.
D: Preventive controls are designed to proactively stop threats, but they do not specifically govern daily procedures.

59
Q

Which type of security control discourages potential attackers by making the effort seem less appealing or more challenging?

A. Preventive Controls
B. Deterrent Controls
C. Detective Controls
D. Directive Controls

A

B. Deterrent Controls

Explanation:

Correct Answer: Deterrent controls are aimed at discouraging attackers by making attacks seem less appealing or more difficult.
Incorrect Options:
A: Preventive controls are proactive measures to stop threats.
C: Detective controls monitor and alert about malicious activities.
D: Directive controls guide and set behavior standards through policies and documentation.

60
Q

What type of control is an alternative measure implemented when primary security controls are not feasible or effective?

A. Preventive Controls
B. Corrective Controls
C. Compensating Controls
D. Physical Controls

A

C. Compensating Controls

Explanation:

Correct Answer: Compensating controls serve as alternative measures when primary controls are unavailable or ineffective.
Incorrect Options:
A: Preventive controls proactively thwart potential threats.
B: Corrective controls mitigate damage and restore systems to normal.
D: Physical controls are tangible measures to protect assets.

61
Q

Which security control type is rooted in policy or documentation and sets the standards for behavior within an organization?

A. Corrective Controls
B. Preventive Controls
C. Directive Controls
D. Managerial Controls

A

C. Directive Controls

Explanation:

Correct Answer: Directive controls are rooted in policies and documentation and provide guidance or mandates for behavior.
Incorrect Options:
A: Corrective controls restore systems after an issue has occurred.
B: Preventive controls proactively stop threats.
D: Managerial controls focus on strategic governance, not setting behavior standards through documentation.

62
Q

What is the primary purpose of a gap analysis?

A. To evaluate differences between current and desired performance
B. To monitor ongoing security incidents
C. To implement new security tools
D. To create new organizational policies

A

A. To evaluate differences between current and desired performance

Explanation:

Correct Answer: A gap analysis evaluates the differences between an organization’s current performance and its desired performance.
Incorrect Options:
B: Monitoring security incidents is not the purpose of gap analysis.
C: While implementation may follow, it is not the goal of the analysis itself.
D: Gap analysis may inform policy creation but is not limited to it.

63
Q

Which of the following is NOT a step in conducting a gap analysis?

A. Define the scope of the analysis
B. Develop a plan to bridge the gap
C. Implement the solutions identified during the analysis
D. Gather data on the current state of the organization

A

C. Implement the solutions identified during the analysis

Explanation:

Correct Answer: Implementing solutions is not part of the gap analysis itself but rather the follow-up to the analysis.
Incorrect Options:
A: Defining the scope is a key step in a gap analysis.
B: Developing a plan is essential to address gaps found during the analysis.
D: Gathering data is a critical step for understanding the organization’s current state.

64
Q

What does Technical Gap Analysis focus on?

A. Evaluating current business processes
B. Identifying shortfalls in technical infrastructure
C. Outlining remediation measures for vulnerabilities
D. Allocating resources for business operations

A

B. Identifying shortfalls in technical infrastructure

Explanation:

Correct Answer: Technical Gap Analysis evaluates an organization’s current technical infrastructure to identify shortfalls in technical capabilities.
Incorrect Options:
A: Business processes are addressed in a business gap analysis.
C: Remediation measures fall under the Plan of Action and Milestones (POA&M).
D: Resource allocation is a part of POA&M, not technical gap analysis.

65
Q

What does a Plan of Action and Milestones (POA&M) include?

A. The specific measures to address vulnerabilities
B. The evaluation of business processes
C. The scope definition of the analysis
D. Gathering data on the organization’s current state

A

A. The specific measures to address vulnerabilities

Explanation:

Correct Answer: A POA&M outlines specific measures to address vulnerabilities, allocate resources, and set timelines for remediation tasks.
Incorrect Options:
B: Business process evaluation is part of a business gap analysis.
C: Scope definition is part of conducting a gap analysis, not POA&M.
D: Data gathering is part of the initial steps in gap analysis, not the POA&M.

66
Q

Which type of gap analysis focuses on evaluating business processes and their suitability for cloud-based solutions?

A. Technical Gap Analysis
B. Business Gap Analysis
C. POA&M
D. Operational Gap Analysis

A

B. Business Gap Analysis

Explanation:

Correct Answer: Business Gap Analysis evaluates an organization’s business processes to identify areas where they fall short of capabilities required for cloud-based solutions.
Incorrect Options:
A: Technical gap analysis focuses on technical infrastructure.
C: POA&M is a plan to remediate vulnerabilities, not analyze processes.
D: Operational gap analysis is not mentioned in the context provided.

67
Q

What is the primary principle of Zero Trust?

A. Allowing unrestricted access to trusted devices
B. Verifying every device, user, and transaction within the network
C. Segregating users based on geographic location only
D. Granting access to users based on seniority within the organization

A

B. Verifying every device, user, and transaction within the network

Explanation:

Correct Answer: Zero Trust demands verification for every device, user, and transaction, regardless of origin.
Incorrect Options:
A: Zero Trust does not allow unrestricted access.
C: Geographic location is just one factor and not the sole basis for verification.
D: Access is based on defined policies, not seniority.

68
Q

Which component of the Control Plane focuses on real-time validation considering user behavior, device, and location?

A. Threat Scope Reduction
B. Adaptive Identity
C. Policy-Driven Access Control
D. Secured Zones

A

B. Adaptive Identity

Explanation:

Correct Answer: Adaptive Identity relies on real-time validation of factors such as user behavior, device, and location.
Incorrect Options:
A: Threat Scope Reduction focuses on limiting access to reduce attack surfaces.
C: Policy-Driven Access Control pertains to managing user access policies.
D: Secured Zones are isolated environments for sensitive data.

69
Q

What is the main goal of Threat Scope Reduction within the Control Plane?

A. Enhancing real-time validation mechanisms
B. Restricting users’ access to only what is necessary for their tasks
C. Creating policy enforcement zones
D. Managing and enforcing access policies based on roles

A

B. Restricting users’ access to only what is necessary for their tasks

Explanation:

Correct Answer: Threat Scope Reduction limits access to reduce the network’s potential attack surface and minimize the “blast radius” in case of a breach.
Incorrect Options:
A: Real-time validation relates to Adaptive Identity.
C: Policy Enforcement Zones are not the focus of Threat Scope Reduction.
D: Policy management pertains to Policy-Driven Access Control.

70
Q

Which element of the Control Plane ensures sensitive data is housed in isolated environments?

A. Policy Administrator
B. Policy Engine
C. Secured Zones
D. Policy Enforcement Point

A

C. Secured Zones

Explanation:

Correct Answer: Secured Zones are isolated environments designed to protect sensitive data.
Incorrect Options:
A: Policy Administrator manages access policies.
B: Policy Engine cross-references access requests with predefined policies.
D: Policy Enforcement Point enforces access decisions in the Data Plane.

71
Q

What is the role of the Policy Engine in the Zero Trust Control Plane?

A. Enforcing access decisions
B. Managing access policies
C. Cross-referencing access requests with predefined policies
D. Housing sensitive data in isolated environments

A

C. Cross-referencing access requests with predefined policies

Explanation:

Correct Answer: The Policy Engine cross-references access requests against predefined policies to determine access decisions.
Incorrect Options:
A: Enforcement is done by the Policy Enforcement Point in the Data Plane.
B: Managing policies is the role of the Policy Administrator.
D: Isolated environments are part of Secured Zones.

72
Q

In the Data Plane, what is the Policy Enforcement Point responsible for?

A. Managing and defining access policies
B. Executing the decision to grant or deny access
C. Cross-referencing requests with policies
D. Evaluating the user’s behavior and location

A

B. Executing the decision to grant or deny access

Explanation:

Correct Answer: The Policy Enforcement Point in the Data Plane is where access decisions are implemented.
Incorrect Options:
A: Managing policies is the role of the Policy Administrator in the Control Plane.
C: Cross-referencing is done by the Policy Engine.
D: Evaluating user behavior is part of Adaptive Identity in the Control Plane.