General Security Concepts

Question 1

Technical Controls

Answer 1

Controls implemented using hardware, software, and/or firmware.
Examples: Firewalls, anti-virus

Question 2

Managerial Controls

Answer 2

Relate to risk management, governance, oversight, strategic alignment and decision making Examples: risk assessments, project management

Question 3

Operational Controls

Answer 3

Aligned with a processes that are primarily implemented and executed by people.
Examples: change management, training, testing

Question 4

Physical Controls

Answer 4

Designed to address physical interactions like connected to buildings.
Examples: gates, barricades, fences

Question 5

Preventive Control

Answer 5

Stop a threat agent from being successful
Examples: Firewall rules, security policy, security guard, door locks

Question 6

Deterrent Control

Answer 6

Discourage a threat agent from acting
Examples: posted warning signs, threat of demotion, splash screen, reception desk,

Question 7

Detective Control

Answer 7

Identify and report a threat agent or action
Examples: System logs, review login reports, patrol the property, motion detectors

Question 8

Corrective Control

Answer 8

Minimize the impact of a threat agent or modify or fix a situation
Examples: Backups, fire extinguisher, policies for reporting issues, contact authorities

Question 9

Compensating Control

Answer 9

Controls implemented in lieu of a recommended control that provides comparable protection
Examples: Block instead of patch, separation of duties, require multiple security staff, power generator

Question 10

Directive Control

Answer 10

Proactive actions taken to cause/encourage a desirable event or outcome to occur
Examples: Trainings, policies, and authorized personnel only sign

Question 11

CIA Traid

Answer 11

Fundamentals of security
Confidentiality: prevents disclosure of information to unauthorized people or systems
Integrity: Information can’t be modified
Availability: Systems and networks must be up and running

Question 12

Access Controls

Answer 12

Selectively restrict access to a resource

Question 13

Hashing

Answer 13

Map data of a length to data of a fixed length

Question 14

Digital signatures

Answer 14

Math scheme to verify the integrity of data

Question 15

Certificates

Answer 15

Combine with a digital signature to verify an individual

Question 16

Non-Repuditation

Answer 16

Provides proof of integrity, can be asserted to be genuine.

Question 17

Redundancy

Answer 17

Build services that will always be available

Question 18

Fault tolerance

Answer 18

system will continue to run, even when a failure occurs.

Question 19

AAA

Answer 19

Authentication: Verifies a user and who they claim to be
Authorization: Determines if the user has permission to use a resource or access a file.
Accounting: Keeps track of a user’s activity on the system or network.

Question 20

Certificate Authority (CA)

Answer 20

Stores, signs, and issues digital certificates.

Question 21

Registration Authority (RA)

Answer 21

Verifies user requests for a digital certificate and tells the CA to issue it.

Question 22

Honeypot

Answer 22

Decoy server set up to trick an attacker

Question 23

Honeyfile

Answer 23

A decoy file deceptively named so it attracts the attention of an attacker

Question 24

Honeynet

Answer 24

A network of honeypots.

Question 25

Honeytoken

Answer 25

A beacon embedded somewhere that can bait and track an attacker

Question 26

Gap Analysis

Answer 26

The process of evaluating your org’s current security posture and security framework

Question 27

Least Privilege

Answer 27

Granting users only the access necessary to perform their job functions

Question 28

Malware

Answer 28

Malicious software designed to harm, exploit, or compromise a system.

Question 29

Defense in Depth

Answer 29

Implementing multiple layers of security controls to protect information.

Question 30

Vulnerability Assessment

Answer 30

Process of identifying, quantifying, and prioritizing vulnerabilities in a system.

Question 31

Zerto Trust Architecture

Answer 31

Security model that assumes no implicit trust and requires continuous verification.

Question 32

Data Loss Prevention (DPL)

Answer 32

Strategies and tolls to prevent unauthorized access, use, or transmission of data

Question 33

Public Key Infrastructure (PKI)

Answer 33

A framework for managing digital certificates and public key encryption

Question 34

Symmetric Encryption

Answer 34

Encryption method where the same key is used for both encryption and decryption.

Question 35

Asymmetric Encryption

Answer 35

Encryption method that uses a pair of keys a public key for encryption and a private key for decryption

Question 36

Pharming

Answer 36

Cyberattack that redirects a website’s traffic to a fraudulent website without a user’s consent.

Question 37

SQL Injection

Answer 37

Attack that involves inserting malicious SQL code into a query to a manipulate the database.

Question 38

Cross Site Scripting

Answer 38

A vulnerability that allows attackers to inject malicious scripts into a web pages viewed by other users

Question 39

Twofish

Answer 39

Symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.

Question 40

Diffie-Hellman Key Exchange

Answer 40

Allows two parties to securely share a secret key over an unsecured communication channel

Question 41

Mandatory Access Control (MAC)

Answer 41

Access control policy determined by a central authority, strictly enforcing access based on classifications

Question 42

Discretionary Access Control (DAC)

Answer 42

Access control policy where the owner of the resource determines who has access

Question 43

Role-Based Access Control (RBAC)

Answer 43

Access Control method where permissions are assigned to roles, and users are assigned to roles based on their responsibilities.

Question 44

Demilitarized Zone (DMZ)

Answer 44

A physical or logical subnetwork that separates and internal LAN from untrusted external networks

Question 45

Network Address Translation (NAT)

Answer 45

Translates private IP’s to a public IP and vice versa to enable devices on a private network to access the internet

Question 46

Virtual Land Area Network (VLAN)

Answer 46

Logical subdivision of a physical network designed to group devices, reduce traffic, and enhance security

Question 47

Port Security

Answer 47

Network security feature on switches that limit access by controlling which devices can connect to specific ports based on their MAC address

Question 48

ARP Spoofing

Answer 48

Attack where an attack sends ARP messages to associate their MAC address with a legit IP to intercept data

Question 49

DHCP Snooping

Answer 49

Security Feature that prevents unauthorized or rouge DHCP servers from assigning IP’s on a network by filtering DHCP messages and verifying trusted sources

Question 50

SSL/TLS

Answer 50

Protocols used to secure communication over a network by encrypting data in transit, ensuring confidentiality, and Integrity