Module 1: General Security Concepts

Question 1

What is a vulnerability?

Answer 1

A weakness.

Question 2

What is a threat?

Answer 2

A potential danger.

Question 3

What is an exploit?

Answer 3

When a threat actor successfully takes advantage of a vulnerability.

Question 4

What is a threat actor?

Answer 4

An adversary with malicious intent.

Question 5

What are controls?

Answer 5

Tactics, mechanisms, or strategies that proactively minimize risk in one or more ways.

Question 6

In what ways do controls proactively minimize risk? (Hint: 3 ways)

Answer 6

Reduce/eliminate vulnerabilities; reduce/eliminate the likelihood of vulnerability exploitation by threat actors; reduce/eliminate the impact of an exploit

Question 7

What are countermeasures?

Answer 7

Controls implemented to address specific threats.

Question 8

Controls are ______ and countermeasures are _______.

Answer 8

Proactive/Reactive

Question 9

Countermeasures are ______ effective but ______ broadly efficient.

Answer 9

More/Less

Question 10

Controls should be ________.

Answer 10

Verifiable (trustworthy)

Question 11

What is control functionality?

Answer 11

What a control does.

Question 12

What is control effectiveness?

Answer 12

How well a control works.

Question 13

What makes up “effectiveness” for a control?

Answer 13

Consistent, complete, reliable, timely operation.

Question 14

What is control assurance?

Answer 14

A measure of confidence that intended security controls are effective in their application.

Question 15

What is a control objective?

Answer 15

A statement of desired result/purpose to be achieved.

Question 16

What is Defense-in-Depth also known as?

Answer 16

Layered security or layered controls.

Question 17

What is Defense-in-Depth/layered security?

Answer 17

The design and implementation of multiple overlapping layers of diverse controls.

Question 18

Controls should not be subject to __________ and should maintain _______.

Answer 18

A cascade effect/independence

Question 19

Diversity in controls refers to what?

Answer 19

Type(s) of controls and associated vendor(s).

Question 20

What is a security control baseline?

Answer 20

The minimum standard for a given environment.

Question 21

Control baselines must strategically align with what?

Answer 21

The needs of the organization.

Question 22

Control baselines are what?

Answer 22

A starting point.

Question 23

Control baselines should be proportionate to the ______ and _____ of the asset.

Answer 23

Criticality/sensitivity

Question 24

What is the principle of proportionality?

Answer 24

Control baselines should be proportionate to the criticality and sensitivity classifications of the asset being protected.

Question 25

What is scoping?

Answer 25

Eliminating unnecessary baseline recommendations that are not applicable.

Question 26

What is tailoring?

Answer 26

Customizing baseline recommendations to align with organizational requirements.

Question 27

What is compensating?

Answer 27

Substituting a recommended baseline with a similar control.

Question 28

What is supplementing?

Answer 28

Augmenting the baseline recommendations.

Question 29

What is the baseline modification process?

Answer 29

Identify control baseline, apply scoping considerations, tailor controls, select compensating controls (if needed), supplement baseline controls (if needed), publish, implement, assess, monitor.

Question 30

What is a cost-benefit analysis?

Answer 30

The process of comparing the estimated costs and benefits to determine whether it makes sense to proceed from a business perspective.

Question 31

What are the control categories?

Answer 31

Technical, managerial, operational, and physical.

Question 32

What a technical controls?

Answer 32

Control mechanisms implemented using hardware, software, and/or firmware components. These controls can be native or supplemental.

Question 33

What are managerial controls?

Answer 33

Controls related to risk management, governance, oversight, strategic alignment, and design making.

Question 34

What are operational controls?

Answer 34

Controls that align with a process that are primarily implemented and executed by people.

Question 35

What are physical controls?

Answer 35

Controls designed to address physical interactions. These are generally related to buildings and equipment.

Question 36

Examples of managerial controls are:

Answer 36

Risk assessments, project management

Question 37

Examples of technical controls are:

Answer 37

Firewalls, cryptography, authentication systems

Question 38

Examples of operational controls are:

Answer 38

Change management, testing, training

Question 39

Examples of physical controls are:

Answer 39

Gates, barricades, locks, security guards, access control vestibules

Question 40

What are the control classifications?

Answer 40

Deterrent, preventative, detective, corrective

Question 41

What are deterrent controls?

Answer 41

Controls that discourage a threat agent from acting.

Question 42

What are preventative controls?

Answer 42

Controls that stop a threat agent from being successful.

Question 43

What are detective controls?

Answer 43

Controls that identify and report a threat agent or action.

Question 44

What are corrective controls?

Answer 44

Controls that minimize the impact of a threat agent or modify or fix a situation.

Question 45

What are compensating controls?

Answer 45

Controls that are implemented in lieu of a recommended control that provides equivalent or comparable protection.

Question 46

What are directive controls?

Answer 46

Proactive actions taken to cause or encourage a desirable event or outcome to occur.

Question 47

What are the components of the Information Security CIA Triad?

Answer 47

Confidentiality, Integrity, Availability

Question 48

What is confidentiality?

Answer 48

The assurance that information is not disclosed to unauthorized persons, processes, or devices. Data is covered in storage, during processing, and in transit.

Question 49

What is integrity?

Answer 49

The principle that systems are trustworthy, work as intended, and that data is complete and accurate.

Question 50

What is availability?

Answer 50

The principle that information systems and supporting infrastructure are operating and accessible when needed.

Question 51

What is authentication?

Answer 51

The process of verifying identity.

Question 52

What is authorization?

Answer 52

The process of approving access.

Question 53

What is accounting?

Answer 53

The process of tracing actions to the source.

Question 54

What is non-repudiation?

Answer 54

The process of assuring the validity and origin of data.

Question 55

What is privacy?

Answer 55

The right of an individual to control the use of their personal information.

Question 56

What are data privacy controls?

Answer 56

Controls related to actions regarding collection, usage, notification, accuracy, and sharing.

Question 57

What are data security controls?

Answer 57

Controls related to the protection mechanisms of confidentiality, integrity, and availability.