Module 1

Question 1

Computer

Answer 1

An electronic device that can be programmed to carry out a set of arithmetic or logical operations and may be used for storing and processing data/information. Examples include desktop computers, mobile devices, IoT devices, and industrial controllers.

Question 2

Data

Answer 2

Raw statistics and facts collected from either analysis or reference. It lacks context and can be stored in an electronic format.

Question 3

Information

Answer 3

Processed data that offers context and can influence decisions.

Question 4

Information System

Answer 4

An entire set of data, software, hardware, network, people, procedures, and policies dealing with processing and distributing information in an organization.

Question 5

Computer Security

Answer 5

Measures and controls ensuring the confidentiality, integrity, and availability of information system assets, including hardware, software, firmware, and information being processed, stored, and communicated.

Question 6

Confidentiality

Answer 6

Only authorized parties can view private/confidential information.

Question 7

Integrity

Answer 7

Information is changed only in a specified and authorized manner.

Question 8

Availability

Answer 8

Information is accessible to authorized users whenever needed.

Question 9

Data at Rest

Answer 9

Data being stored in memory or on disk.

Question 10

Data in Transit

Answer 10

Data being transferred between systems, in physical or electronic form.

Question 11

Data in Use

Answer 11

Data being actively examined or modified, usually decrypted.

Question 12

Security Threat

Answer 12

Any action/inaction that could cause disclosure, alteration, loss, damage, or unavailability of information assets.

Question 13

Target

Answer 13

Organization’s assets such as hardware, software, data, and communication lines and networks.

Question 14

Agent

Answer 14

Entity (people and/or organizations) originating the threat (intentional or unintentional).

Question 15

Event

Answer 15

Malicious or accidental disclosure/alteration of information, misuse of authorized information, etc.

Question 16

Vulnerability

Answer 16

Weakness in an information system, security procedure, internal controls, or implementation that could be exploited or triggered by a threat source.

Question 17

Attack

Answer 17

A threat event deliberately executed by an agent against an asset with vulnerability.

Question 18

Inside Attack

Answer 18

Initiated by an entity inside the security perimeter with authorized access but uses resources improperly.

Question 19

Outside Attack

Answer 19

Initiated from outside the perimeter by an unauthorized or illegitimate user of the system.

Question 20

Active Attack

Answer 20

An attempt to alter system resources or affect their operation, compromising integrity or availability.

Question 21

Passive Attack

Answer 21

An attempt to learn or make use of information without affecting system resources, compromising confidentiality.

Question 22

Deliberate Software Attacks

Answer 22

A deliberate action aimed at violating/compromising a system’s security using specialized software.

Question 23

Malware

Answer 23

A program covertly inserted into a victim’s system with the intent to compromise CIA of data or disrupt operations.

Question 24

Password Cracking

Answer 24

Discovering a password through methods like brute force, dictionary attacks, or guessing.

Question 25

Denial of Service (DoS)

Answer 25

An attack that overwhelms a target system with requests, rendering it unavailable to legitimate users.

Question 26

Spoofing

Answer 26

The insertion of forged identification data to gain illegitimate advantages, such as IP or email spoofing.

Question 27

Sniffing

Answer 27

Use of a program or device to monitor data traveling over a network, often undetectable.

Question 28

Man-in-the-Middle Attack

Answer 28

An attack where two computers believe they are communicating directly, but a third party is intercepting the data.

Question 29

Phishing

Answer 29

An attempt to gain sensitive information by posing as a legitimate entity, often through email or fake websites.

Question 30

Pharming

Answer 30

Redirecting users to a false website without their knowledge, typically through DNS poisoning.

Question 31

White Hat

Answer 31

Ethical hackers hired to discover security vulnerabilities.

Question 32

Gray Hat

Answer 32

Hackers who illegally access systems but typically do not exploit vulnerabilities.

Question 33

Black Hat

Answer 33

Criminal hackers who use their skills for malicious activities.

Question 34

Elite Hacker

Answer 34

Hackers capable of discovering new vulnerabilities and writing scripts to exploit them.

Question 35

Script Writer

Answer 35

Hackers who write scripts to exploit known vulnerabilities.

Question 36

Script Kiddies

Answer 36

Hackers with minimal knowledge, relying on scripts written by others to conduct attacks.

Question 37

Economy of Mechanism

Answer 37

Design security mechanisms as simple and small as possible for easier testing and verification.

Question 38

Fail-safe Defaults

Answer 38

Access should be based on permission rather than exclusion, with the default being lack of access.

Question 39

Complete Mediation

Answer 39

Every access request must be checked against the control mechanism, without relying on cached decisions.

Question 40

Open Design

Answer 40

Security mechanism design should be open rather than secret, avoiding ‘security by obscurity.’

Question 41

Separation of Privilege

Answer 41

Multiple privilege attributes are required to achieve access to a restricted resource (e.g., multi-factor authentication).

Question 42

Least Privilege

Answer 42

Users should operate with the minimum privileges necessary to perform their tasks.

Question 43

Least Common Mechanism

Answer 43

Minimize shared functions across users to enhance mutual security.

Question 44

Psychological Acceptability

Answer 44

Security mechanisms should not unduly interfere with users’ work and should meet the needs of access authorizers.

Question 45

Encapsulation

Answer 45

Encapsulating a collection of procedures and data objects in its own domain to restrict access.

Question 46

Modularity

Answer 46

Develop secure functions as separate modules and use modular architecture for security design.

Question 47

Layering

Answer 47

Use multiple, overlapping protection strategies addressing people, technology, and operations.

Question 48

Least Astonishment

Answer 48

Systems should behave in ways that are least likely to surprise the user.

Question 49

Attack Surface

Answer 49

The reachable and exploitable vulnerabilities in a system.

Question 50

Network Attack Surface

Answer 50

Vulnerabilities over networks, such as denial-of-service attacks or communication link disruptions.

Question 51

Software Attack Surface

Answer 51

Vulnerabilities in software code, especially in web servers.

Question 52

Human Attack Surface

Answer 52

Vulnerabilities created by personnel or outsiders, like social engineering and human error.