Module 3 - Basics of Security - Q&A Flashcards
Which two of the following are inversely proportional to each other? (Choose two.) A. Functionality B. Confidentiality C. Security D. Availability
A, C. Functionality and security are inversely proportional to each other; that is, as one increases, the other decreases.
Which of the three security goals is most concerned with ensuring that data is not subject to unauthorized modification or alteration? A. Availability B. Integrity C. Confidentiality D. Non-repudiation
B. Integrity is the security goal that security personnel want to achieve by preventing unauthorized data modification or alteration.
Which of the following supporting elements concerns the inability of the user to deny that he or she has performed an action with regard to data or on the system? A. Confidentiality B. Authentication C. Authorization D. Non-repudiation
D. Non-repudiation means that a user cannot deny that he or she performed an action with regard to data or on a system.
Mark is attempting to log on to a computer system. He successfully presents his user credentials, but the system continually denies his logon attempts and will not allow him to access the system. Which of the following steps in the logon process is failing? A. Identification B. Authorization C. Authentication D. Auditing
C. Mark has successfully identified himself, but the system refuses to authenticate him and does not validate the credentials he has supplied. The system has not even proceeded to the authorization and auditing steps at this point.
Which of the following supporting elements of security relates to the correct level of permissions, rights, and privileges that a person may have with respect to what actions they may take with data or on a system? A. Non-repudiation B. Authorization C. Confidentiality D. Authentication
B. Authorization relates to the level of rights, privileges, and permissions the user has with respect to data and systems.
An organization decides to split the ability to perform security-related tasks among several different people. Which of the following concepts is the organization practicing? A. Non-repudiation B. Administrative control C. Job rotation D. Separation of duties
D. The organization is practicing separation of duties because it has separated the ability to perform critical or sensitive tasks among several different people, thereby reducing the risk of fraud or unauthorized activity by a single person.
The company policy requires that two people be present in order to witness and verify that highly sensitive information that is no longer needed has been properly destroyed. What practice is the company adhering to by requiring two people to perform this task? A. Multi-person control B. Separation of duties C. Non-repudiation D. Job rotation
A. The company is engaging in multi-person control by requiring two people to be present to witness and verify the destruction of the sensitive information.
The company suspects that Mike, a system administrator, is performing unauthorized actions on the network. Mike has not taken any significant time off in several years. Which of the following practices should the company consider in order to audit the activities Mike has performed while in his position? A. Separation of duties B. Job rotation C. Mandatory vacation D. Multi-person control
C. The organization should consider implementing a mandatory vacation in order to audit Mike’s activities while working in his position.
Jessica, who works in the accounting department, was discovered during a recent audit to have been performing administrative-level actions on the accounting servers. While these actions were not malicious in nature, Jessica does not work at a level that would typically require server administration duties. Which of the following is not being properly implemented in this scenario? A. Separation of duties B. Principle of least privilege C. Technical control D. Accountability
B. Since Jessica’s duties do not require her to have administrative control over the accounting server, the principle of least privilege is being violated in this scenario.
The company was recently subject to a hacking attack that resulted in the breach of several thousand records containing consumer financial data. All the following are examples of actions the company took to prevent such an attack, demonstrating due care, except:
A. Allowing all employees, regardless of duties, to access the data
B. Installing and securely configuring a firewall
C. Enabling encryption for all data
D. Requiring strong authentication methods
A. Allowing any employee, regardless of need-to-know, to access financial data does not demonstrate an example of due care. Allowing only those particular employees with a definite need-to-know based upon their daily duties, and restricting access from all other employees, would have demonstrated due care. All other choices are examples of the company fulfilling its due care responsibilities.