Introduction to Security Terminology Flashcards
Your company issues smart phones to employees for business use. Corporate policy dictates that all data stored on smart phones must be encrypted. To which fundamental security concept does this apply?
Confidentiality
Integrity
Availability
Confidentiality
Confidentiality ensures that data is accessible only to those parties who should be authorized to access the data. Encrypting data stored on smart phones protects that data if the phone is lost or stolen
You are the network administrator for your company. Your manager has asked you to evaluate cloud backup solutions for remote branch offices. To which fundamental security concept does this apply?
Confidentiality
Integrity
Availability
Availability
Backing up data is a safeguard in case data is corrupted or deleted, thus making that data available when required
Your company requires all desktop computers to run a malware detection program twice daily. You configure your network so that only the specific version of the executable program that you designate is allowed to run. To which fundamental security concept does this apply?
Confidentiality
Integrity
Availability
Integrity
Integrity ensures that data actually comes from the user or device it appears to have come from and that the data has not been altered. File hashing can be used to validate that a specific version of a file is being used
You store personal documents and spreadsheets with a cloud provider. You would like your data to be available only to people who have a special unlock key. What should you apply to your documents and spreadsheets?
File hashing
File backup
File encryption
File encryption
File encryption can be implemented using a passphrase or unlock key so that only parties with knowledge of the unlock key can decrypt the data
You would like to send a confidential message to a family member through e-mail, but you have no way of encrypting the message. What alternative method would enable you to achieve your goal?
PKI
File hashing
Steganography
Steganography
Steganography is the act of hiding a message within an innocent-looking medium. A common example would be storing hidden messages within pictures such that the receiving party would have to extract the hidden messages. Unsuspecting parties would see only a picture
A corporate security policy emphasizes data confidentiality, and you must configure computing devices accordingly. What should you do? (Choose two.)
Install smartcard readers so users can identify themselves before sending important e-mail messages.
Enforce SD card encryption on smart phones issued to employees.
Configure a server failover cluster to ensure that sensitive documents are always available.
Set file and folder permissions to control user file access.
Enforce SD card encryption on smart phones issued to employees.
Set file and folder permissions to control user file access.
Encrypting data and setting file and folder permissions both keep data confidential. Remember that educating users about security and specific organization policies is crucial
Michel, an IT security expert, grants permissions to folders on a file server to enable Marketing users to modify Marketing documents. Which information security goal has been satisfied?
Confidentiality
Integrity
Availability
Confidentiality
Confidentiality is achieved by allowing only Marketing users to modify Marketing documents. User accounts for Marketing staff must be secured properly, including account lockout and password policy settings
You need to implement a solution that ensures data stored on a USB removable drive has not been tampered with. What should you implement?
Steganography
File backup
File hashing
File hashing
File hashing generates a unique value from a specific version of a file. When a file is modified and the hash value is computed once again, it will be different
Ana must send an important e-mail message to Glen, the director of Human Resources (HR). Corporate policy states that messages to HR must be digitally signed. Which of the following statements is correct?
Ana’s public key is used to create the digital signature.
Ana’s public key is used to verify the digital signature.
Glen’s private key is used to create the digital signature.
Ana’s public key is used to verify the digital signature.
Digital signatures are created with the sender’s private key and verified with the sender’s mathematically related public key
John is issuing a digital certificate for Carolyn’s computer. What can the certificate be used for? (Choose two.)
Setting permissions on sensitive files
Encrypting sensitive files
Verifying the computer’s identity to secure servers
Sending encrypted e-mail messages
Encrypting sensitive files
Verifying the computer’s identity to secure servers
The public and private key pair within a digital certificate can be used to encrypt and decrypt sensitive files. Digital certificates can also be used to authenticate a computer to a secure server or appliance, such as a VPN server
Every month, Gene downloads and tests the latest software patches before applying them to production smart phones. To which security goal does this example apply?
Confidentiality
Integrity
Availability
Availability
Patching devices helps ensure that they are available and secure
You are evaluating public cloud-based e-mail hosting solutions. All vendors state that multiple servers are always running to ensure mailboxes are available. What is this an example of?
Clustering
Steganography
Digital mailbox signatures
Clustering
Clustering makes network services, such as e-mail, always available even if a mail server goes down
Your network allows only trusted scripts to run on managed devices. You write a script that must run on all managed devices. What must you do? Place the following correct steps in proper order. (Choose three.)
Obtain a trusted digital certificate and install it on your computer.
Export the private key from your digital certificate to all managed devices.
Create the script.
Digitally sign the script.
On your computer, import digital certificates from all managed devices.
Obtain a trusted digital certificate and install it on your computer.
Create the script.
Digitally sign the script.
A trusted code-signing digital certificate must first be installed on your computer before you can sign a script. Target devices must trust the code-signing certificate to allow signed scripts to run. This prevents malicious code supplied by threat actors from running
You would like to track the modification of sensitive trade secret files. What should you implement?
Auditing
Encryption
File hashing
Auditing
Auditing the modification of files will identify who made changes from a specific machine at a certain date and time
Which party determines how data labels are assigned?
Custodian
Owner
Privacy officer
Owner
Data owners decide how data should be labeled, such as top secret or publicly available
Which of the following organizes the appropriate identification methods from least secure to most secure?
Smartcard, retinal scan, password
Retinal scan, password, smartcard
Username and password, smartcard, retinal scan
Username and password, smartcard, retinal scan
Username/password is single-factor authentication (something you know). Smartcard authentication is multifactor (something you have and something you know), and retinal scans are something you are, which is difficult to forge
You are explaining how the corporate file auditing policy will work to a new IT employee. Place the following items in the correct order: ___, ___, ___, and ___.
A user opens a file, modifies the contents, and then saves the file.
A server validates a correct username and password combination.
A user provides a username and password at a logon screen.
The file activity generated by the user is logged.
A user provides a username and password at a logon screen.
A server validates a correct username and password combination.
A user opens a file, modifies the contents, and then saves the file.
The file activity generated by the user is logged.
After a user identifies himself with a username and password, authentication then occurs. Upon successful authentication, a user is then authorized to access the appropriate files. If the user’s current action is being audited for a given file, this information is logged
Your manager has asked you to implement a solution that will prevent users from viewing inappropriate web sites. Which solution should you employ?
Router ACLs
Web site permissions
Proxy server
Proxy server
Proxy servers retrieve content that users request. Because of this, proxy servers can easily prevent users from accessing inappropriate content
Trinity uses her building access card to enter a work facility after hours. She has access to only the second floor. What is this an example of?
Authorization
Authentication
Accountability
Authorization
Authorization means having legitimate access to specific resources such as web sites, files on a file server, or, in this case, access to a specific floor in a building
Sean is capturing Wi-Fi network traffic using a packet analyzer and is able to read the contents of network transmissions. What can be done to keep network transmissions private?
Install digital certificates on each transmitting device.
Use smartcard authentication.
Encrypt the Wi-Fi traffic.
Encrypt the Wi-Fi traffic.
The network transmissions can be kept private by encrypting all Wi-Fi traffic using Wi-Fi encryption protocols such as Wi-Fi Protected Access 2 (WPA2)
Which security mechanisms can be used for the purpose of nonrepudiation? (Choose two.)
Encryption
Clustering
Auditing
Digital signatures
Auditing
Digital signatures
Auditing can track activities from a specific user or computer. Digital signatures are unique in that they are created using a user’s or computer’s private key, which is accessible only to that user or computer. Both of these mechanisms invalidate any denials related to activities from the user or computer
You are the network administrator for a pharmaceutical firm. Last month, the company hired a third party to conduct a security audit. From the audit findings, you learn that customers’ confidential medical data is not properly secured. Which security concept has been ignored in this case?
Due diligence
Due care
Due process
Due care
Due care means taking steps to address a security problem, such as ensuring client data is kept confidential
Which of the following are the best examples of the Custodian security role? (Choose three.)
Human Resources department employee
Server backup operator
CEO
Law enforcement employee responsible for signing out evidence
Sales executive
Human Resources department employee
Server backup operator
Law enforcement employee responsible for signing out evidence
Custodians are responsible for maintaining access to and the integrity of data. Human Resources employees, server backup operators, and law enforcement employees all must ensure that data access and integrity are preserved
Franco, an accountant, accesses a shared network folder containing travel expense documents to which he has read and write access. What is this an example of?
Privilege escalation
Due care
Authorization
Authorization
Franco is accessing an item that he has legitimate access to; this is authorization
A large corporation requires new employees to present a driver’s license and passport to a security officer before receiving a company-issued laptop. Which security principle does this map to?
Authorization
Confidentiality
Identification
Identification
Providing a driver’s license and passport means employees are providing identification
Choose the best example of authentication from the following:
Each morning a network administrator visits various web sites looking for the newest Windows Server vulnerabilities.
Before two systems communicate with one another across a network, they exchange PKI certificates to ensure they share a common ancestor.
A file server has two power supplies in case one fails.
Before two systems communicate with one another across a network, they exchange PKI certificates to ensure they share a common ancestor.
Exchanging PKI certificates before allowing communication is an example of system authentication
Raylee is the new network administrator for a legal firm. She studies the existing file server folder structures and permissions and quickly realizes the previous administrator did not properly secure legal documents in these folders. She sets the appropriate file and folder permissions to ensure that only the appropriate users can access the data, based on corporate policy. What security role has Raylee undertaken?
Custodian
Data owner
User
Custodian
The Custodian performs data protection and maintenance duties based on established security policies, which Raylee is doing in this case
From the following list, which best describes authentication?
Logging in to a TFTP server with a username and password
Using a username, password, and token card to connect to the corporate VPN
Checking corporate web mail on a secured web site at http://owa.acme.com after supplying credentials
Using a username, password, and token card to connect to the corporate VPN
Proving who you are with something you know (username/password) and something you have (token card) is authentication
While experimenting with various server network configurations, you discover an unknown weakness in the server operating system that could allow a remote attacker to connect to the server with administrative privileges. What have you discovered?
Exploit
Bug
Vulnerability
Vulnerability
Vulnerabilities are unintended weaknesses in computing devices
Sean is a security consultant and has been hired to perform a network penetration test against his client’s network. Sean’s role is best described as which of the following:
White-hat hacker
Black-hat hacker
Gray-hat hacker
White-hat hacker
White-hat hackers expose security flaws without malicious intent for the purposes of better protecting computers and computer networks
Which of the following are classified as availability solutions? (Choose two.)
Auditing
RAID
File server backups
Smartcard authentication
RAID
File server backups
Redundant Array of Independent Disks (RAID) groups disks together for the purpose of performance and data availability. RAID level 1 (disk mirroring), for example, ensures that all disk writes occur on two disks in case one disk fails. File server backups ensure that corrupted or deleted data is available from the backup media
You are reviewing document security on your private cloud document server. You notice employees in the Sales department have been given full permissions to all project documents. Sales personnel should have only read permissions to all project documents. Which security principle has been violated?
Separation of duties
Least privilege
Job rotation
Least privilege
The concept of least privilege is designed so that users have only the permissions they need to do their jobs
A user, Sylvain, downloads an exploit that takes advantage of a web site vulnerability. Without detailed knowledge of the exploit, Sylvain runs the malicious code against numerous web sites he wishes to gain access to. Which label best identifies Sylvain?
White-hat hacker
Script kiddie
Red-hat hacker
Script kiddie
Script kiddies simply download and run exploits created by others without having a full understanding of what the exploit actually does. Technical proficiency in the attack itself is not required; the exploit is simply run by the script kiddie. This can be used by the casual malicious user, by organized crime rings, or even by nation states that buy zero-days (currently unknown exploits) for surveillance purposes. Nation states supporting surveillance or hacking against other nations are especially worrisome due to a potentially endless source of funding
Which term refers to individuals who use computer hacking to promote a political or ideological agenda?
Scriptivist
Script kiddie
Hacktivist
Hacktivist
Hacktivism compromises IT system security for the purposes of spreading the word about a specific agenda such as human rights or government corruption
In planning your network infrastructure, you decide to use a layered firewall approach between the Internet and your internal network. Which firewall strategy should you also employ?
The last ACL rule should allow all.
Use firewall appliances from different vendors.
The first ACL rule should deny all.
Use firewall appliances from different vendors.
Vendor diversity increases security; a specific security compromise on one firewall appliance most likely will not work on a different vendor’s firewall appliance. This adds another layer of security, which is referred to as defense-in-depth
Which application-testing technique uncovers improper input handling?
Fuzzing
Overloading
Penetration test
Fuzzing
Fuzzing provides a large amount of input data, even invalid data, to an application in order to observe its behavior; the idea is to ensure that the application is stable and secure with its input and error handling
Which type of tools are used for reconnaissance to collect and analyze public information about an organization?
Big data suite
Packet sniffer
Open source intelligence
Open source intelligence
Open source intelligence tools are used to collect and analyze publicly available data about an organization. The goal is to make intelligent decisions based on this analysis
Which programming problem stems from multiple threads not executing in a predictable sequential pattern?
Fuzzing
Blue screen of death
Race condition
Race condition
In a race condition, when code is executed by multiple threads, the timing of dependent events is not predictable, and as a result a different thread can function in an unintended manner. For example, a piece of code might check the value of a variable and take action later, while that variable’s value can change in the interim
Your company plans to use multiple Internet of Things (IoT) devices in the facility to control lighting and temperature. You suggest to management that the use of IoT devices presents many security risks. Which of the following is a known security issue with many IoT devices?
Use of Telnet
Inability to update embedded firmware
Inability to log events
Inability to update embedded firmware
Many IoT devices are unable to update embedded firmware, as is also often seen with end-of-life systems that are no longer supported by the vendor. This means that as IoT device vulnerabilities are discovered, there is no way to apply a fix directly to the device, since often the firmware does not accept updates; this is simply a choice made by the vendor. IoT devices are targeted at general consumers, and security is often not a priority
Jim is an IT technician for a medium-sized medical clinic. The clinic recently purchased four wireless access points to cover medical devices within a floor of the building. Jim installed the access points in the best locations for signal coverage and then changed the WPA2 password. What mistake did Jim make?
Jim should have enabled WEP.
No more than two access points should be used due to interference.
The default administrator configuration was left unchanged.
The default administrator configuration was left unchanged.
Many network and IoT devices ship with a default administrative configuration including the username and password; this must be changed immediately since it is known by all
Which type of vulnerability results from writing data beyond expected memory boundaries?
Pointer dereference
Integer overflow
Buffer overflow
Buffer overflow
Buffer overflows result from writing data beyond expected memory boundaries, which can crash a program or provide escalated privileges
A piece of malware replaces a library of code used as needed by a controlling program. What name describes this type of security issue?
DLL injection
Pointer dereference
Integer overflow
DLL injection
DLL injections insert code into a dynamic link library, which is called by a program at runtime as needed