J.Dion Sec. 2 Security Fundamentals

Question 1

Any weakness in the system design or implementaton.

Answer 1

Vulnerability

Question 2

Why can vulnerabilities be controlled?

Answer 2

They are typically internal factors that are within the organizational control such as

software bugs
Misconfigured software
Improper protection for Network Devices
Missing security patches
Lack of physical security

Question 3

What lies at the intersection of threats and vulnerabilities?

Answer 3

Risk to the enterprise systems and networks.

Question 4

Threat + No Vulnerability =

Answer 4

No Risk

Question 5

Vulnerability + No Threat =

Answer 5

No Risk

Question 6

Finding different ways to minimize the likelihood of an outcome occurring and achieve the desires outcomes.

Answer 6

Risk management

Question 7

Anything that could cause harm, loss, damage, or compromise to information technology systems.

Answer 7

Threat

Question 8

Refers to the protection of information from unauthorized access and disclosure.

Answer 8

Confidentiality

Question 9

Process of converting data into code to prevent unauthorized access.

Answer 9

Encryption

Question 10

What are the 5 basic methods to ensure confidentiality?

Answer 10

Encryption
Access Controls
Data Masking
Physical Security Measures
Training and Awareness

Question 11

Method that ensures only authorized personnel can access certain types of data?

Answer 11

Access controls

Question 12

Method that involves obscuring data within a database to make it inaccessible for unauthorized users while retaining the real data’s authenticity and use for authorized users.

Answer 12

Data masking

Question 13

Method used to ensure confidentiality for physical types of data and for digital information contained on servers and workstations.

Answer 13

Physical security measures

Question 14

Method of conducting regular training on the security awareness best practices that employees can use to protect the organization’s sensitive data.

Answer 14

Training and awareness

Question 14

When we hear confidentiality think

Answer 14

Encryption

Question 14

When we hear encryption think

Answer 14

confidentiality

Question 14

Helps to ensure information and data remain accurate and unchanged from their original state unless intentionally modified by an authorized user.

Answer 14

Integrity

Question 15

What does integrity verify?

Answer 15

The accuracy and trustworthiness of data over the entire lifecycle.

Question 15

What three main reasons is integrity important?

Answer 15

Ensure data accuracy
Maintain trust
Ensure system operability

Question 16

What five methods help maintain integrity of data?

Answer 16

Hash
Digital signatures
Checksums
Access Controls
Regular Audits

Question 17

Method that converts data into a fixed-size value.

Answer 17

Hashing

Question 18

What are the results of hashing function?

Answer 18

Hash digest

Question 19

Serves as a digital fingerprint for any given piece of data to prove its integrity.

Answer 19

Hash digest

Question 20

Method that uses encryptions to ensure integrity and authenticy.

Answer 20

Digital signatures

Question 21

Method to verify the integrity of data during transmission.

Answer 21

Checksums

Question 22

Methos that ensures only authorized individuals can modify data and reduce the risk of unintentional or malicious alterations.

Answer 22

Access Controls

Question 23

Method that involves reviewing logs and operations to ensure only authorized changes have been made and any discrepancies are addressed,

Answer 23

Regular audits

Question 24

When we hear integrity think

Answer 24

hashing

Question 25

Used to ensure that information, systems, and resources are accessible and operational when needed by authorized users.

Answer 25

Availability

Question 26

What does it mean when a service provider has 3 Nines?

Answer 26

In a standard calendar year the service is available 99.9% of the time with a maximum downtime of 8.76 hours.

Question 27

What is the maximum down time for 3 Nines?

Answer 27

8.76 hours in 365 days

Question 28

What is the maximum down time for 5 Nines?

Answer 28

5.26 minutes per year (365 days)

Question 29

Duplication of critical components or functions of a system with the intention of enhancing its reliability.

Answer 29

Redundancy

Question 30

What are the types of redundancy?

Answer 30

Server redundancy
Data redundancy
Network redundancy
Power redundancy

Question 31

Redundancy type that involves using multiple servers in a load balance so that if one is overloaded or fails, the other servers can take over the load to continue supporting end users.

Answer 31

Server redundancy

Question 32

Redundancy type that involves storing data in multiple places.

Answer 32

Data redundancy

Question 33

Redundancy that ensures if one network path fails, the data can travel through another route.

Answer 33

Network redundancy

Question 34

Redundancy that involves using backup power sources to ensure that an organization’s systems remain operational during period of power disruption or outages within a local service area,

Answer 34

Power redundancy

Question 35

When we hear availability think

Answer 35

redundancy

Question 36

Security measure that is focused on providing undeniable proof in digital transactions.

Answer 36

Non-repudiation

Question 37

Security method the is created by first hashing a particular message/communication and encrypting the hash digest with the user’s private key using asymmetric encryption.

Answer 37

Digital signature

Question 38

What three main reasons is non-repudiation important?

Answer 38

Confirm digital transactions authenticity
Ensuring integrity of critical communications
Provides accountability in digital processes

Question 39

When we hear non-repudiation think

Answer 39

digital signatures

Question 40

Security measure that ensures individuals/entities are who they claim to be during a communication/transaction.

Answer 40

Authentication

Question 41

What are the 5 commonly used authentication methods?

Answer 41

Something you know
Something you have
Something you are
Something you do
Somewhere you are

Question 42

Authentication method that relies on information that a user can recall.

Answer 42

Something you know (knowledge factor)

Question 43

What is an example of a knowledge factor?

Answer 43

Username and password

Question 44

Authentication method that relies on the user presenting a physical item to authenticate themselves.

Answer 44

Something you have (possession factor)

Question 45

What is an example of a possession factor?

Answer 45

A security badge for getting into work.

Question 46

Authentication method that relies on the user providing a unique physical/behavioral characteristic to validate that they are who they claim to be.

Answer 46

Something you are (inherence factor)

Question 47

What is an example of inherence factor?

Answer 47

A biometric verification such as facial recognition to unlock iphone.

Question 48

Authentication method that relies on the user conducting a unique action to prove who they are.

Answer 48

Something you do (action factor)

Question 49

What is an example of an action factor?

Answer 49

A secret handshake.

Question 50

Authentication method that relies on the user being in a certain geographic location before access is granted.

Answer 50

Somewhere you are (location factor)

Question 51

What is an example of a location factor?

Answer 51

Adding geofencing on kids smartphones so they can unlock the front door when they are within 20 feet from the door.

Question 52

Two authentication methods combined

Answer 52

Two-factor authentication (2FA)

Question 53

Two or more authentication methods combined

Answer 53

Multi-factor authentication (MFA)

Question 54

Security process that requires users to provide multiple methods of identification to verify their identity.

Answer 54

Multi-factor authentication (MFA)

Question 55

What are the 5 factors of authentication?

Answer 55

Knowledge
Possession
Inherence
Action
Location

Question 56

Permissions and privileges granted to users or entities after they have been authenticated.

Answer 56

Authorization

Question 57

Explain authorization

Answer 57

A set of rules and policies that are used to dictate what actions users can perform once verified.

Serves as the gatekeeper to ensure that the right people have access to the right things.

Question 58

Security measure that ensures all user activities are properly tracked and recorded.

Answer 58

Accounting

Question 59

What is included in a robust accounting system?

Answer 59

Audit trail
Regulatory compliance
Forensic analysis
Resource optimization
User accountability

Question 60

Accounting measure that provides chronological record of all user activities that can be used to trace changes, unauthorized access, or anomalies back to a specific user or point in time.

Answer 60

Audit trail

Question 61

Accounting measure that maintains a comprehensive record of all the users’ activities.

Answer 61

Regulatory compliance

Question 62

Accounting measure that uses detailed accounting/event logs to help cybersecurity experts understand what happened, how it happened, and how to prevent similar incidents from occurring again.

Answer 62

Forensic analysis

Question 63

Accounting measure where organizations can optimize system performance and minimize costs by tracking resource utilization/allocation decisions.

Answer 63

Resource optimization

Question 64

Accounting measure that ensures users’ actions are monitored/logged, deterring potential misuse and promoting adherence to organization’s policies.

Answer 64

User accountability

Question 65

Three technologies used in accounting?

Answer 65

Syslog servers
Network analysis tools
SIEMs

Question 66

Technology that is used to aggregate logs from various network devices/systems so that system admins can analyze them to detect patterns/anomalies in organization systems.

Answer 66

Syslog servers

Question 67

Accounting technology used to capture/analyze network traffic to gain detailed insights into all the data moving within a network.

Answer 67

Network analyzers

Question 68

Name a network analyzer product.

Answer 68

Wireshark

Question 69

Accounting technology used to provide real-time analysis of security alerts generated by various hardware/software infrastructures in an organization.

Answer 69

Security Information and Event Management (SIEM)

Question 70

What are the 4 broad categories for security control?

Answer 70

Technical controls
Managerial controls
Operational controls
Physical controls

Question 71

Controls that are implemented to manage and reduce risks of the technological, hardware, and software mechanisms.

Answer 71

Technical controls

Question 71

What are examples of technical controls?

Answer 71

Antivirus
Firewalls
Encryption processes
Intrusion detection systems

Question 72

Control that involves strategic planning and governance side of security.

Answer 72

Managerial controls

Question 73

Managerial controls are also known as?

Answer 73

Administrative controls

Question 74

Control with procedures/measures that are designed to protect data on a day-to-day basis and are mainly governed by internal processes and human actions.

Answer 74

Operational controls

Question 75

What is an example of operational control?

Answer 75

Organization requiring a password change every 90 days.

Question 76

What 4 general areas do managerial controls encompass?

Answer 76

Risk assessment
Security policies
Training programs
Incident response strategies

Question 77

What general areas do operation controls encompass?

Answer 77

Backup procedures
Account reviews
User training programs

Question 78

Controls with tangible, real-world measures taken to protect assets.

Answer 78

Physical controls

Question 79

Examples of physical controls

Answer 79

Shredding sensitive documents
Security guards
Locking the doors

Question 80

What are the 6 basic types of controls?

Answer 80

Preventative
Deterrent
Detective
Corrective
Compensating
Directive

Question 81

Control with proactive measures implemented to thwart potential security threats/breaches.

Answer 81

Preventive controls

Question 82

An example of preventative control.

Answer 82

Firewall because it can filters incoming/outgoing traffic and could block any potentially harmful data packets.

Question 83

Control type that aims to discourage potential attackers by making the effort seem less appealing or more challenging.

Answer 83

Deterrent control

Question 84

Give an example of deterrent control

Answer 84

A house alarm system with the ADT signs in the front yard or on the windows. The signs are the deterrent not the actual alarm system.

Question 85

Control type that monitors and alerts organizations to malicious activities as they occur or shortly after.

Answer 85

Detective controls

Question 86

Give an example of detective control.

Answer 86

The security cameras showing the burglar breaking into the home. The burglar still broke in but is now recorded and identified.

Question 87

Give an example of network detective control.

Answer 87

Intrusion Detection System (IDS)

Scans network traffic constantly looking for unusual activity such as an unexpected data spike, the IDS will notify the network admin.

Question 88

Control type that mitigates any potential damage and restores the systems to their normal state.

Answer 88

Corrective controls

Question 89

Give an example of corrective control.

Answer 89

Organization affected by malware, antivirus software will be used to detect, quarantine, and remove the malware. The quarantine and removal is the corrective control not the detection.

Question 90

What control type is detecting malware?

Answer 90

Detective control

Question 91

What control type is quarantining and removing malware?

Answer 91

Corrective control

Question 92

Type of control that takes alternative measures when primary security controls are not feasible or effective.

Answer 92

Compensating controls

Question 93

What is the latest form of wireless encryption?

Answer 93

WPA3

Question 94

Using a legacy system that is compatible with WPA2 and placing a VPN on top of that from endpoint to internal servers. What type of control is the VPN?

Answer 94

Compensating control

It’s a legacy system and using the VPN on top of the WPA2 connection helps mitigate potential vulnerabilities within the WPA2 encryption schema.

Question 95

Control type that often is rooted in policy or documentation and sets the standard for behavior within the organization.

Answer 95

Directive control

Question 96

An AUP is what type of control?

Answer 96

Acceptable Use Policy is a directive control.

Question 97

Process of evaluating the differences between an organization’s current performance and its desired performance.

Answer 97

Gap Analysis

Question 98

Name the 4 steps in gap analysis.

Answer 98

1. Define the scope of the analysis.
2. Gather data on the current state of the organization.
3. Analyze the data to identify the gaps.
4. Develop a plan to bridge the gaps.

Question 99

What are the two basic types of gap analysis?

Answer 99

Technical gap analysis
Business gap analysis

Question 100

Gap analysis type that involves evaluating an organization’s current technical infrastructure & identifying any areas where it falls short of the technical capabilities required to fully utilize their security solutions.

Answer 100

Technical gap analysis

Question 101

Gap analysis type that involves evaluating an organization’s current business processes & identifying any areas where they fall short of the capabilities required to fully utilize cloud-based solutions.

Answer 101

Business gap analysis

Question 102

Outlines the specific measures to address each vulnerability, allocate resources, and set up timelines for each remediation task that is needed.

Answer 102

Plan of action and milestones (POA&M)

Question 103

This demands verification for every device, user, and transaction within the network regardless of origin.

Answer 103

Zero Trust

Question 104

What are the two zero trust architectures?

Answer 104

Control plane
Data plane

Question 105

What are the key elements incorporated in control plane structure?

Answer 105

Adaptive identity
Threat scope reduction
Policy-drive access control
Secured zones

Question 105

This zero trust architecture has an overarching framework & set of components responsible for defining, managing, and enforcing the policies related to user & systems access within an organization.

Answer 105

Control plane

Question 106

Zero trust control plane element that understands static one-time verifications are not sufficient so this element relies on real-time validation that takes into account the user’s behavior, device, location, and other factors like that.

Answer 106

Adaptive identity

Question 107

Zero trust control plane element that limit the users’ access to only what they need for their work tasks because this drastically reduces the network’s potential attack surface.

Answer 107

Threat scope reduction

Question 108

Zero trust control plane element that entails developing, managing, and enforcing user access policies based on their roles and responsibilities.

Answer 108

Policy-drive access control

Question 109

Zero trust control plane element that isolates environments within a network that are designed to house sensitive data.

Answer 109

Secured zones

Question 110

Zero trust architecture that ensures the policies and procedures are properly executed.

Answer 110

Data Plane

Question 111

Which zero trust architecture is responsible for creating the policies and procedures and which architecture is responsible for executing the policies and procedures?

Answer 111

Control plane = creating policies and procedures

Data plane = execute the policies and procedures

Question 112

What are the key elements incorporated in data plane structure?

Answer 112

Subject/System
Policy engine
Policy administrator
Policy enforcement point

Question 113

Zero trust data plane element that refers to the individual/entity attempting to gain access.

Answer 113

Subject/systems

Question 114

Zero trust data plane element that cross-references the access request with its pre-defined policies.

Answer 114

Policy engine

Question 115

Zero trust data plane element that is used to establish and manage the access policies.

Answer 115

Policy administrator

Question 116

Zero trust data plane element that allows/restricts access, and it will effectively act as a gatekeeper to the sensitive areas of the systems/networks.

Answer 116

Policy enforcement point

Question 117

Jane, a database administrator at Dion Training, wants to ensure that a file has not changed since the last time she uploaded it to her cloud storage. She has created a SHA-256 hash digest of the file and wants to compare the stored file’s hash digest against the one she calculated when she initially uploaded the file. Which of the following pillars of the CIANA pentagon is she focused on?

a. Confidentiality
b. Integrity
c. Availability
d. Non-repudiation

Answer 117

b. Integrity

Integrity is the security pillar that focuses on the assurance of data is trustworthy and accurate without unauthorized modification.

Question 118

Vikas, a developer at Dion Training, just digitally signed the company’s new app before releasing it in the App Store. Before the app is installed, the user’s device will validate the digital signature to ensure that it was actually developed and uploaded by Dion Training. Which of the following pillars of the CIANA pentagon is she focused on?

a. Confidentiality
b. Authentication
c. Availability
d. Non-repudiation

Answer 118

d. Non-repudiation

Non-repudiation ensures that a party in a transaction can’t deny having performed an action. By digitally signing the app, the developer provides proof of the origin and guarantees that the company developed and uploaded it.

Confidentiality safeguards data against unauthorized access.
Authentication verifies an entity’s identity before granting access.
Availability ensures data or services are ready for authorized users.

Question 119

Jason, an instructor at Dion Training, is logging into the company’s exam application to write some new questions for the CompTIA Security+ exam. He enters his username/password at the login prompt and then receives a one-time code on his smartphone that he enters to validate his identity. Which of the following pillars of security was the focus when performing these actions?

a. Authorization
b. Authentication
c. Availability
d. Accounting

Answer 119

b. Authentication

Authentication verifies an entity’s identity before granting access to a resource. When entering the username/password and providing the one-time code from a smartphone, a user is going through a two-factor authentication process.

Authorization determines what rights or privileges a user has after they are authenticated.
Availability ensures data or services are ready for authorized users.
Accounting tracks and logs user activities.

Question 120

David, the CTO of Dion Training, just sent out a new policy that will require all of the company’s users to reset their password every 60 days using a long, strong, and complex password. Which of the following type of security controls best classifies this policy?

a. Detective
b. Compensating
c. Directive
d. Corrective

Answer 120

c. Directive

Directive controls are policies or procedures that dictate specific actions or behaviors by users or systems. Since the CTO issued a policy mandating password resets every 60 days with specific criteria for password complexity, they were providing a clear directive to the company’s users.

Detective controls are used to detect and alert about incidents.
Compensating controls provide alternatives to primary controls.
Corrective controls address issues after they arise. In this scenario, the policy acts as a directive control.

Question 121

Christle, a student support manager at Dion Training, is logging into the company’s exam voucher application to help a student schedule their CompTIA Security+ exam. Even though she is already connected to the corporate network, the application asks her to validate her identity by sending her a one-time code on her smartphone that she enters to validate her identity. Which of the following security concepts is being utilized by the company’s architecture?

a. Root of trust
b. Gap analysis
c. Zero trust
d. Side loading

Answer 121

c. Zero trust

Zero trust is a security model that advocates for a “never trust, always verify” approach. It does not automatically trust any user or system, whether inside or outside the organizational perimeter. By requiring an internal employee to provide additional authentication factors, the system exemplifies the zero trust principle by not trusting any user by default, even if they are known and inside the network.