Module 5: Security

Question 1

Security

Answer 1

the practice of controlling access to a resource

Question 2

Accessibility

Answer 2

how easy it is for users to use a resource - must be balanced with security

Question 3

CIA Triad

Answer 3

Confidentiality
Integrity
Availability

Question 4

Confidentiality

Answer 4

ensuring information is only available to authorized users

Question 5

Integrity

Answer 5

ensuring that data is not modified by unauthorized users

Question 6

Availability

Answer 6

ensuring the data is accessible to users who need it when they need it

Question 7

Snooping

Answer 7

any attempt to get access to information that you are not authorized to view

Question 8

Eavesdropping/Wiretapping

Answer 8

snooping on data as it is transmitted over a network

Question 9

Social Engineering

Answer 9

getting users to reveal information in order to gain access to a network

Question 10

Dumpster Diving

Answer 10

going through an organization’s garbage in order to get helpful information

Question 11

Man-in-the-Middle Attack

Answer 11

when someone on the network intercepts, captures, and relays communications between two unsuspecting individuals

Question 12

Replay Attack

Answer 12

when a host captures another host’s response to a server and replays that response to gain unauthorized access to a system

Question 13

Impersonation Attack

Answer 13

an attack in which a user can masquerade as an authorized user in order to gain access to a system

Question 14

Denial of Service Attack

Answer 14

any attack in which an attacker targets the availability of a service (as in a DDoS attack).

Question 15

Access Controls

Answer 15

a system that prevents unauthorized access of a resource

Question 16

Authentication

Answer 16

proving that a user is who they say they are

Question 17

Authorization

Answer 17

ensuring that only specific users have access to a resource

Question 18

Accounting

Answer 18

recording when and by whom a resource was accessed

Question 19

Identity Fraud

Answer 19

compromising someone’s account or masquerading as another user

Question 20

Shoulder Surfing

Answer 20

stealing a password or other secure information by watching the person type it

Question 21

Fault Tolerance

Answer 21

building extra components into a system to ensure the system can continue operating in the event of component failure

Question 22

Contingency Plan

Answer 22

backup plan

Question 23

Redundancy

Answer 23

having more than one of a thing to protect against failure (for example: data is mirrored on two identical hard drives in case one fails).

Question 24

RAID 1

Answer 24

An array of hard drives in which data is written to both drives, so that they each contain identical information.

Question 25

RAID 5

Answer 25

An array of hard drives in which three disks are combined into a single logical drive. Data is written across all disks in such a way that it can be recovered if one disk fails.

Question 26

UPS

Answer 26

Uninterruptible Power Supply - provides emergency power to a system in case of power outage; consists of a battery, capacitors, or other energy storage device.

Question 27

Program Virus

Answer 27

sequences of malicious code that insert themselves into another program

Question 28

Macro Virus

Answer 28

malicious code that is embedded in Microsoft Office documents

Question 29

Worm

Answer 29

a virus that can spread using network resources without human intervention (the user doesn’t need to start a program, etc.)

Question 30

Payload

Answer 30

the part of the virus that does damage - can be performed to vandalize, corrupt files, or install other malware

Question 31

Email Spoofing

Answer 31

Some malware can appear as though it is being sent from one of your contacts by spoofing its sent-from address

Question 32

Application Exploits

Answer 32

security vulnerabilities that exist in software applications

Question 33

Drive-by Download

Answer 33

when malware is embedded into a website, the user only needs to visit the site to become infected

Question 34

Trojan

Answer 34

a type of malware that pretends to be a useful program in order to get the user to install it

Question 35

Rogueware/Scareware

Answer 35

a type of malware that masquerades as an antivirus program in order to trick users into installing it

Question 36

Backdoor

Answer 36

a method of accessing and controlling a PC remotely

Question 37

Ransomware

Answer 37

malware that encrypts a user’s documents/files and demands payment in order to provide the means to decrypt the files

Question 38

Security Update

Answer 38

fixes for security vulnerabilities that are released by program vendors

Question 39

Patch

Answer 39

a fix for an application that is released by the application vendor

Question 40

Vector

Answer 40

the means by which a computer is infected by malware (downloading programs, visiting infected sites, etc.)

Question 41

Antivirus Signatures/Definitions

Answer 41

patterns that antivirus programs use to detect and remove infections

Question 42

Heuristic Identification

Answer 42

detecting viruses based on their behavior, rather than the actual code itself

Question 43

On-Access Scanning

Answer 43

scanning a file for malware whenever it is accessed by the system

Question 44

Quarantine

Answer 44

when an infected file is prevented from being accessed

Question 45

Device Hardening

Answer 45

the act of making a device more secure

Question 46

Bloatware/Crapware

Answer 46

software that is pre-installed on new PCs - usually demos of paid software

Question 47

Spam

Answer 47

unsolicited e-mail messages, frequently used to spread malware infections or launch phishing attacks

Question 48

Phishing

Answer 48

a technique for tricking a user into revealing information by requesting it in an official-looking e-mail or website.

Question 49

Pharming

Answer 49

an attempt to redirect traffic to a counterfeit page in order to get users’ personal information

Question 50

Service Pack

Answer 50

a collection of updates that may also contain new features or functionality

Question 51

Windows Update

Answer 51

the website and built-in application that Windows uses to keep itself up-to-date

Question 52

Quality Updates

Answer 52

security and critical updates - these should normally be installed immediately

Question 53

Feature Updates

Answer 53

updates that introduce new functionality

Question 54

Access Control List

Answer 54

a list of users and their rights or permissions on the system

Question 55

Principle of Least Privilege

Answer 55

the idea that users should only have the permissions necessary to do their jobs, and no more

Question 56

Implicit Deny

Answer 56

unless there is a rule specifying that access should be granted, it is denied by default

Question 57

Discretionary Access Control

Answer 57

a system in which a file’s creator has full control over it and can decide what permissions other users have

Question 58

Role-Based Access Control

Answer 58

a system in which users are given a role (standard user, administrator, power user, etc.) and their access to resources is based on their role

Question 59

Mandatory Access Control

Answer 59

a system based on the idea of clearance levels

Question 60

Rule-Based Access Control

Answer 60

any system that controls access to resources based on a set of rules (such as Role-Based and Mandatory Access Control systems).

Question 61

Non-Repudiation

Answer 61

the principle that the user cannot deny having performed an action

Question 62

Windows Default Accounts

Answer 62

Administrator, standard, and guest

Question 63

Administrator Account

Answer 63

A default Windows account that has full control over the entire PC. Disabled by default.

Question 64

Guest Account

Answer 64

An account that can be used with no authentication. This is disabled by default and should remain disabled.

Question 65

Group Accounts

Answer 65

Users are assigned to specific groups (administrators, standard users, etc.) and get their security permissions based on their group assignment(s)

Question 66

Authentication Factors

Answer 66

Something you know (password, etc.)
Something you have (your phone, etc.)
Something you are (fingerprint, etc.)
Somewhere you are (GPS based location)

Question 67

Hardware Token

Answer 67

a device or item, such as a USB drive or smart card, that can act as an authentication factor

Question 68

Multifactor Authentication

Answer 68

using more than one type of authentication (from more than one group). An example would be “something you know” (password), along with “something you have” (your phone).

Question 69

Single Sign-On

Answer 69

A system that allows users to authenticate to multiple systems at once by using one sign-on (Google, for instance)

Question 70

Cipher Text

Answer 70

an encrypted document

Question 71

Encryption Key

Answer 71

a piece of information used to encrypt and decrypt data.

Question 72

Private Key

Answer 72

in private key cryptography, a private key is used to decrypt data

Question 73

Public Key

Answer 73

in private key cryptography, a public key is used to encrypt data

Question 74

PKI

Answer 74

Public Key Infrastructure

Question 75

Cryptographic Hash

Answer 75

a representation of data

Question 76

Cryptographic Hash

Answer 76

a method of keeping passwords and other information secret by using a mathematical function

Question 77

Data at Rest

Answer 77

data as it is stored on a permanent disk (hard drive, etc.)

Question 78

Data in Transit

Answer 78

data as it is being transmitted over a network

Question 79

Virtual Private Network

Answer 79

a method of providing secure communication across public networks (like the Internet)

Question 80

Cleartext

Answer 80

text (or other data) that has not been encrypted

Question 81

Dictionary Attack

Answer 81

a password attack in which an attacker will use a collection of known passwords to try to guess a password

Question 82

Brute Force Attack

Answer 82

a password attack in which an attacker will try every possible combination of characters

Question 83

Password Best Practices

Answer 83

Length: should be 9-12 characters for normal accounts or more than 14 for administrator accounts;
Complexity: avoid single words or obvious phrases; use a mixture of upper and lower case
Memorability: should be able to remember it
Do not write it down
Change password periodically
Do not reuse passwords across different sites

Question 84

Acceptable Use Policy

Answer 84

defines what a person can and cannot do with a particular service or resource

Question 85

Security Assurance

Answer 85

monitoring employee communications to ensure they do not reveal confidential information or compromise security

Question 86

Monitoring Data

Answer 86

analyzing data communications to measure an employee’s productivity

Question 87

Physical Monitoring

Answer 87

recording employees’ movement, location, and behavior within the workplace