Mastering the Basics of Security Flashcards
1. You want to ensure that data is only viewable by authorized users. What security principle are you trying to enforce?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
A. Confidentiality ensures that data is only viewable by authorized users and can be ensured with access controls and encryption. Integrity is enforced with hashing. Availability can be ensured with power and cooling systems, and various fault tolerance and redundancy techniques. Authentication proves a person’s identity and is a first step in access control, but by itself it does not provide confidentiality.
2. Of the following choices, what is the best way to protect the confidentiality of data?
A. Authentication
B. Encryption
C. Hashing
D. PaaS
B. Encryption protects the confidentiality of data. You can encrypt any type of data, including sensitive data stored on a server, a desktop, a mobile device, or within a database. Authentication proves a person’s identity and is a first step in access control, but, by itself, it does not provide confidentiality. Hashing ensures the integrity of data. Platform as a Service (PaaS) provides an easy-to-configure operating system for on-demand cloud computing.
3. You want to ensure that data has not been changed between the time when it was sent and when it arrived at its destination. What provides this assurance?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
B. Integrity provides assurances that data has not been modified and is enforced with hashing. Confidentiality prevents unauthorized disclosure and is enforced with access controls and encryption. Availability ensures systems are up and operational when needed and uses fault tolerance and redundancy methods. Authentication provides proof that users are who they claim to be.
4. A database administrator is tasked with increasing the retail prices of all products in a database by 10 percent. The administrator writes a script performing a bulk update of the database and executes it. However, all retail prices are doubled (increased by 100 percent instead of 10 percent). What has been lost?
A. Confidentiality
B. Integrity
C. Hashing
D. Authentication
B. The database has lost integrity through an unintended change. Loss of confidentiality indicates that unauthorized users have accessed the database. Hashing can be used to verify integrity in some situations (though not in this scenario), but hashing would not be compromised. Authentication provides proof that users are who they claim to be.
5. Your organization is addressing single points of failure as potential risks to security. What are they addressing?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
C. By addressing a single point of failure (SPOF), you increase availability. An SPOF can be a drive, a server, power, cooling, or any other item whose failure will cause the entire system to fail. Confidentiality is enforced with encryption, and integrity is enforced with hashing. Authentication provides proof of a user’s identity.
6. An organization hosts several bays of servers used to support a large online ecommerce business. Which one of the following choices would increase the availability of this datacenter?
A. Encryption
B. Hashing
C. Generators
D. Integrity
C. Generators can provide power to a datacenter if the power fails, ensuring that the servers within the datacenter continue to operate. Encryption increases the confidentiality of data within the datacenter. Hashing verifies integrity.
7. You are planning to host a free online forum for users to share IT security-related information with each other. Any user can anonymously view data. Users can post messages after logging in, but you do not want users to be able to modify other users’ posts. What levels of confidentiality, integrity, and availability should you seek?
A. Low confidentiality, low integrity, and low availability
B. Medium confidentiality, low integrity, and high availability
C. High confidentiality, low integrity, and low availability
D. Low confidentiality, medium integrity, and medium availability
D. Data can be viewed anonymously, so low confidentiality is acceptable. You do not want users to modify other users’ posts, so integrity is medium. The site is free, but you do want users to be able to access it when needed, so availability is medium.
8. What is the purpose of risk mitigation?
A. Reduce the chances that a threat will exploit a vulnerability
B. Reduce the chances that a vulnerability will exploit a threat
C. Eliminate risk
D. Eliminate threats
A. Risk mitigation reduces the chances that a threat will exploit a vulnerability. Risk is the likelihood that a threat (such as an attacker) will exploit a vulnerability (any weakness). A vulnerability cannot exploit a threat. You cannot eliminate risk or eliminate threats.
9. What is completed when a user’s password has been verified?
A. Identification
B. Authentication
C. Authorization
D. Access verification
B. A user is authenticated when the password is verified. The user claims an identity with a username. After authentication, users are authorized to access resources based on their identity, and auditing can verify what resources a user has accessed.
10. Which of the following formulas represents the complexity of a password policy that requires users to use only upper and lower case letters with a length of eight characters?
A. 52 ^ 8
B. 26 ^ 8
C. 8 ^ 52
D. 8 ^ 26
A. The correct formula is 52 ^ 8. The formula to calculate the complexity of a password is C ^ N, where C is the number of possible characters used and N is the length of the password. Since both uppercase (A-Z) and lowercase (a-z) characters are used, C is fifty-two, and the password has a stated length of eight characters.
11. Of the following choices, what password has a dissimilar key space than the others?
A. Secur1tyIsFun
B. Passw0rd
C. IL0ve $ ecur1ty
D. 4uBetutaOn
C. IL0ve $ ecur1ty has 13 characters with a mixture of all four character types (uppercase letters, lowercase letters, numbers, and symbols). This has a larger key space (more possibilities) than the other passwords. Secur1ty, Passw0rd, and 3uBetuta each use only three character types.
12. Robert lets you know that he is using his username as his password since it’s easier to remember. You decide to inform the user that this isn’t a secure password. What explanation would you include?
A. The password wouldn’t meet account lockout requirements
B. The password is too hard to remember
C. The password is not long enough
D. The password is not complex
D. Strong passwords do not include any part of a username, and if just the username is used, the password would not be complex. Password characteristics are not related to account lockout (where a user account can be locked out after entering the wrong password too many times). A username as a password would not be difficult to remember. Users with long names could have extremely long passwords so they will likely meet length requirements.
13. Your organization has implemented a self-service password reset system. What does this provide?
A. Password policy
B. Certificate reset
C. Password recovery
D. Previous logon notification
C. A self-service password reset system allows users to recover passwords without administrative intervention. A password policy ensures that users create strong passwords and change them periodically. A password reset system does not reset certificates. A previous logon notification provides notification to users when they last logged on and can help them identify if someone else is using their account.
14. A user entered the incorrect password for his account three times in a row and can no longer log on because his account is disabled. What caused this?
A. Password policy
B. Account disablement policy
C. Account complexity policy
D. Account lockout policy
D. An account lockout policy will force an account to be locked out after the wrong password is entered a set number of times (such as after three failed attempts). A password policy ensures strong passwords are used and users change their password regularly. An account disablement policy refers to disabling inactive accounts, such as after an employee is terminated. A password policy ensures users create strong, complex passwords, but there is no such thing as an account complexity policy.
15. A user is issued a token with a number displayed in an LCD. What does this provide?
A. Rolling password for one-time use
B. Multifactor authentication
C. CAC
D. PIV
A. A token (such as an RSA token) provides a rolling password for one-time use. While it can be used with multifactor authentication (requiring the user to also enter other information such as a password), it doesn’t provide multifactor authentication by itself. A CAC and a PIV are both specialized types of smart cards that include photo identification.