J.Dion Sec. 2 Security Fundamentals Flashcards
Any weakness in the system design or implementation.
Vulnerability
Why can vulnerabilities be controlled?
They are typically internal factors that are within the organization's control, such as:
Software bugs
Misconfigured software
Improper protection for Network Devices
Missing security patches
Lack of physical security
What lies at the intersection of threats and vulnerabilities?
Risk to the enterprise systems and networks.
Threat + No Vulnerability =
No Risk
Vulnerability + No Threat =
No Risk
Finding different ways to minimize the likelihood of an outcome occurring and achieve the desired outcomes.
Risk management
Anything that could cause harm, loss, damage, or compromise to information technology systems.
Threat
Refers to the protection of information from unauthorized access and disclosure.
Confidentiality
Process of converting data into code to prevent unauthorized access.
Encryption
What are the 5 basic methods to ensure confidentiality?
Encryption
Access Controls
Data Masking
Physical Security Measures
Training and Awareness
Method that ensures only authorized personnel can access certain types of data?
Access controls
Method that involves obscuring data within a database to make it inaccessible for unauthorized users while retaining the real data’s authenticity and use for authorized users.
Data masking
Method used to ensure confidentiality for physical types of data and for digital information contained on servers and workstations.
Physical security measures
Method of conducting regular training on the security awareness best practices that employees can use to protect the organization’s sensitive data.
Training and awareness
When we hear confidentiality think
Encryption
When we hear encryption think
confidentiality
Helps to ensure information and data remain accurate and unchanged from their original state unless intentionally modified by an authorized user.
Integrity
What does integrity verify?
The accuracy and trustworthiness of data over the entire lifecycle.
For what three main reasons is integrity important?
Ensure data accuracy
Maintain trust
Ensure system operability
What five methods help maintain the integrity of data?
Hash
Digital signatures
Checksums
Access Controls
Regular Audits
Method that converts data into a fixed-size value.
Hashing
What is the result of a hashing function?
Hash digest
Serves as a digital fingerprint for any given piece of data to prove its integrity.
Hash digest
Method that uses encryption to ensure integrity and authenticity.
Digital signatures
Method to verify the integrity of data during transmission.
Checksums
Method that ensures only authorized individuals can modify data, reducing the risk of unintentional or malicious alterations.
Access Controls
Method that involves reviewing logs and operations to ensure only authorized changes have been made and any discrepancies are addressed.
Regular audits
When we hear integrity think
hashing
Used to ensure that information, systems, and resources are accessible and operational when needed by authorized users.
Availability
What does it mean when a service provider has 3 Nines?
In a standard calendar year the service is available 99.9% of the time with a maximum downtime of 8.76 hours.
What is the maximum downtime for 3 Nines?
8.76 hours in 365 days
What is the maximum downtime for 5 Nines?
5.26 minutes per year (365 days)
Duplication of critical components or functions of a system with the intention of enhancing its reliability.
Redundancy
What are the types of redundancy?
Server redundancy
Data redundancy
Network redundancy
Power redundancy
Redundancy type that involves using multiple servers behind a load balancer so that if one is overloaded or fails, the other servers can take over the load to continue supporting end users.
Server redundancy
Redundancy type that involves storing data in multiple places.
Data redundancy
Redundancy that ensures if one network path fails, the data can travel through another route.
Network redundancy
Redundancy that involves using backup power sources to ensure that an organization’s systems remain operational during periods of power disruption or outages within a local service area.
Power redundancy
When we hear availability think
redundancy
Security measure that is focused on providing undeniable proof in digital transactions.
Non-repudiation
Security method that is created by first hashing a particular message/communication and then encrypting the hash digest with the user’s private key using asymmetric encryption.
Digital signature
For what three main reasons is non-repudiation important?
Confirms the authenticity of digital transactions
Ensures the integrity of critical communications
Provides accountability in digital processes
When we hear non-repudiation think
digital signatures
Security measure that ensures individuals/entities are who they claim to be during a communication/transaction.
Authentication
What are the 5 commonly used authentication methods?
Something you know
Something you have
Something you are
Something you do
Somewhere you are
Authentication method that relies on information that a user can recall.
Something you know (knowledge factor)
What is an example of a knowledge factor?
Username and password
Authentication method that relies on the user presenting a physical item to authenticate themselves.
Something you have (possession factor)
What is an example of a possession factor?
A security badge for getting into work.
Authentication method that relies on the user providing a unique physical/behavioral characteristic to validate that they are who they claim to be.
Something you are (inherence factor)
What is an example of inherence factor?
A biometric verification such as facial recognition to unlock an iPhone.
Authentication method that relies on the user conducting a unique action to prove who they are.
Something you do (action factor)
What is an example of an action factor?
A secret handshake.
Authentication method that relies on the user being in a certain geographic location before access is granted.
Somewhere you are (location factor)
What is an example of a location factor?
Adding geofencing on kids' smartphones so they can unlock the front door when they are within 20 feet of the door.
Two authentication methods combined
Two-factor authentication (2FA)
Two or more authentication methods combined
Multi-factor authentication (MFA)
Security process that requires users to provide multiple methods of identification to verify their identity.
Multi-factor authentication (MFA)
What are the 5 factors of authentication?
Knowledge
Possession
Inherence
Action
Location
Permissions and privileges granted to users or entities after they have been authenticated.
Authorization
Explain authorization
A set of rules and policies that are used to dictate what actions users can perform once verified.
Serves as the gatekeeper to ensure that the right people have access to the right things.
Security measure that ensures all user activities are properly tracked and recorded.
Accounting
What is included in a robust accounting system?
Audit trail
Regulatory compliance
Forensic analysis
Resource optimization
User accountability
Accounting measure that provides chronological record of all user activities that can be used to trace changes, unauthorized access, or anomalies back to a specific user or point in time.
Audit trail
Accounting measure that maintains a comprehensive record of all the users’ activities.
Regulatory compliance
Accounting measure that uses detailed accounting/event logs to help cybersecurity experts understand what happened, how it happened, and how to prevent similar incidents from occurring again.
Forensic analysis
Accounting measure where organizations can optimize system performance and minimize costs by tracking resource utilization/allocation decisions.
Resource optimization
Accounting measure that ensures users’ actions are monitored/logged, deterring potential misuse and promoting adherence to organization’s policies.
User accountability
What three technologies are used in accounting?
Syslog servers
Network analysis tools
SIEMs
Technology that is used to aggregate logs from various network devices/systems so that system admins can analyze them to detect patterns/anomalies in organization systems.
Syslog servers
Accounting technology used to capture/analyze network traffic to gain detailed insights into all the data moving within a network.
Network analyzers
Name a network analyzer product.
Wireshark
Accounting technology used to provide real-time analysis of security alerts generated by various hardware/software infrastructures in an organization.
Security Information and Event Management (SIEM)
What are the 4 broad categories of security controls?
Technical controls
Managerial controls
Operational controls
Physical controls
Controls implemented through technological, hardware, and software mechanisms to manage and reduce risk.
Technical controls
What are examples of technical controls?
Antivirus
Firewalls
Encryption processes
Intrusion detection systems
Controls that involve the strategic planning and governance side of security.
Managerial controls
Managerial controls are also known as?
Administrative controls
Controls consisting of procedures/measures that are designed to protect data on a day-to-day basis and are mainly governed by internal processes and human actions.
Operational controls
What is an example of an operational control?
Organization requiring a password change every 90 days.
What 4 general areas do managerial controls encompass?
Risk assessment
Security policies
Training programs
Incident response strategies
What general areas do operational controls encompass?
Backup procedures
Account reviews
User training programs
Controls with tangible, real-world measures taken to protect assets.
Physical controls
Examples of physical controls
Shredding sensitive documents
Security guards
Locking the doors
What are the 6 basic types of controls?
Preventative
Deterrent
Detective
Corrective
Compensating
Directive
Controls consisting of proactive measures implemented to thwart potential security threats/breaches.
Preventive controls
Give an example of a preventative control.
A firewall, because it filters incoming/outgoing traffic and can block any potentially harmful data packets.
Control type that aims to discourage potential attackers by making the effort seem less appealing or more challenging.
Deterrent control
Give an example of a deterrent control.
A house alarm system with the ADT signs in the front yard or on the windows. The signs are the deterrent not the actual alarm system.
Control type that monitors and alerts organizations to malicious activities as they occur or shortly after.
Detective controls
Give an example of a detective control.
The security cameras showing the burglar breaking into the home. The burglar still broke in but is now recorded and identified.
Give an example of a network detective control.
Intrusion Detection System (IDS)
It constantly scans network traffic looking for unusual activity such as an unexpected data spike; when it finds something, the IDS notifies the network admin.
Control type that mitigates any potential damage and restores the systems to their normal state.
Corrective controls
Give an example of a corrective control.
When an organization is affected by malware, antivirus software is used to detect, quarantine, and remove it. The quarantine and removal are the corrective control, not the detection.
What control type is detecting malware?
Detective control
What control type is quarantining and removing malware?
Corrective control
Type of control that takes alternative measures when primary security controls are not feasible or effective.
Compensating controls
What is the latest form of wireless encryption?
WPA3
Using a legacy system that is only compatible with WPA2 and placing a VPN on top of it from the endpoint to the internal servers. What type of control is the VPN?
Compensating control
It’s a legacy system, and using the VPN on top of the WPA2 connection helps mitigate potential vulnerabilities within the WPA2 encryption scheme.
Control type that often is rooted in policy or documentation and sets the standard for behavior within the organization.
Directive control
An AUP is what type of control?
Acceptable Use Policy is a directive control.
Process of evaluating the differences between an organization’s current performance and its desired performance.
Gap Analysis
Name the 4 steps in gap analysis.
- Define the scope of the analysis.
- Gather data on the current state of the organization.
- Analyze the data to identify the gaps.
- Develop a plan to bridge the gaps.
What are the two basic types of gap analysis?
Technical gap analysis
Business gap analysis
Gap analysis type that involves evaluating an organization’s current technical infrastructure & identifying any areas where it falls short of the technical capabilities required to fully utilize their security solutions.
Technical gap analysis
Gap analysis type that involves evaluating an organization’s current business processes & identifying any areas where they fall short of the capabilities required to fully utilize cloud-based solutions.
Business gap analysis
Outlines the specific measures to address each vulnerability, allocate resources, and set up timelines for each remediation task that is needed.
Plan of action and milestones (POA&M)
This demands verification for every device, user, and transaction within the network regardless of origin.
Zero Trust
What are the two zero trust architectures?
Control plane
Data plane
What are the key elements incorporated in control plane structure?
Adaptive identity
Threat scope reduction
Policy-driven access control
Secured zones
This zero trust architecture has an overarching framework & set of components responsible for defining, managing, and enforcing the policies related to user & systems access within an organization.
Control plane
Zero trust control plane element that recognizes static one-time verifications are not sufficient, so it relies on real-time validation that takes into account the user’s behavior, device, location, and other such factors.
Adaptive identity
Zero trust control plane element that limits users’ access to only what they need for their work tasks, because this drastically reduces the network’s potential attack surface.
Threat scope reduction
Zero trust control plane element that entails developing, managing, and enforcing user access policies based on their roles and responsibilities.
Policy-driven access control
Zero trust control plane element that isolates environments within a network that are designed to house sensitive data.
Secured zones
Zero trust architecture that ensures the policies and procedures are properly executed.
Data Plane
Which zero trust architecture is responsible for creating the policies and procedures and which architecture is responsible for executing the policies and procedures?
Control plane = creating policies and procedures
Data plane = execute the policies and procedures
What are the key elements incorporated in data plane structure?
Subject/System
Policy engine
Policy administrator
Policy enforcement point
Zero trust data plane element that refers to the individual/entity attempting to gain access.
Subject/System
Zero trust data plane element that cross-references the access request with its pre-defined policies.
Policy engine
Zero trust data plane element that is used to establish and manage the access policies.
Policy administrator
Zero trust data plane element that allows/restricts access, and it will effectively act as a gatekeeper to the sensitive areas of the systems/networks.
Policy enforcement point
Jane, a database administrator at Dion Training, wants to ensure that a file has not changed since the last time she uploaded it to her cloud storage. She has created a SHA-256 hash digest of the file and wants to compare the stored file’s hash digest against the one she calculated when she initially uploaded the file. Which of the following pillars of the CIANA pentagon is she focused on?
a. Confidentiality
b. Integrity
c. Availability
d. Non-repudiation
b. Integrity
Integrity is the security pillar that focuses on assuring that data is trustworthy and accurate, without unauthorized modification.
Vikas, a developer at Dion Training, just digitally signed the company’s new app before releasing it in the App Store. Before the app is installed, the user’s device will validate the digital signature to ensure that it was actually developed and uploaded by Dion Training. Which of the following pillars of the CIANA pentagon is she focused on?
a. Confidentiality
b. Authentication
c. Availability
d. Non-repudiation
d. Non-repudiation
Non-repudiation ensures that a party in a transaction can’t deny having performed an action. By digitally signing the app, the developer provides proof of the origin and guarantees that the company developed and uploaded it.
Confidentiality safeguards data against unauthorized access.
Authentication verifies an entity’s identity before granting access.
Availability ensures data or services are ready for authorized users.
Jason, an instructor at Dion Training, is logging into the company’s exam application to write some new questions for the CompTIA Security+ exam. He enters his username/password at the login prompt and then receives a one-time code on his smartphone that he enters to validate his identity. Which of the following pillars of security was the focus when performing these actions?
a. Authorization
b. Authentication
c. Availability
d. Accounting
b. Authentication
Authentication verifies an entity’s identity before granting access to a resource. When entering the username/password and providing the one-time code from a smartphone, a user is going through a two-factor authentication process.
Authorization determines what rights or privileges a user has after they are authenticated.
Availability ensures data or services are ready for authorized users.
Accounting tracks and logs user activities.
David, the CTO of Dion Training, just sent out a new policy that will require all of the company’s users to reset their password every 60 days using a long, strong, and complex password. Which of the following types of security controls best classifies this policy?
a. Detective
b. Compensating
c. Directive
d. Corrective
c. Directive
Directive controls are policies or procedures that dictate specific actions or behaviors by users or systems. Since the CTO issued a policy mandating password resets every 60 days with specific criteria for password complexity, they were providing a clear directive to the company’s users.
Detective controls are used to detect and alert about incidents.
Compensating controls provide alternatives to primary controls.
Corrective controls address issues after they arise. In this scenario, the policy acts as a directive control.
Christle, a student support manager at Dion Training, is logging into the company’s exam voucher application to help a student schedule their CompTIA Security+ exam. Even though she is already connected to the corporate network, the application asks her to validate her identity by sending her a one-time code on her smartphone that she enters to validate her identity. Which of the following security concepts is being utilized by the company’s architecture?
a. Root of trust
b. Gap analysis
c. Zero trust
d. Side loading
c. Zero trust
Zero trust is a security model that advocates for a “never trust, always verify” approach. It does not automatically trust any user or system, whether inside or outside the organizational perimeter. By requiring an internal employee to provide additional authentication factors, the system exemplifies the zero trust principle by not trusting any user by default, even if they are known and inside the network.