Section 2

Question 1

Explain the difference between a vulnerability and a threat

Answer 1

a vulnerability is something that a threat can exploit, while a threat is something that can cause damage

Question 2

What is “security”

Answer 2

means protecting your assets, whether from attackers invading your networks, natural disasters, vandalism, loss, or misuse

Question 3

What are logical assets

Answer 3

assets that exist as data or intellectual property

Question 4

What is information security

Answer 4

protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction

Question 5

What happens when you increase the level of security

Answer 5

you usually decrease the level of productivity

Question 6

What usually determines the level of security something has

Answer 6

how it relates to the value of the item being secured. The cost of the security you put in place should never outstrip the value of what it’s protecting

Question 7

What are some examples of when you would not be secure

Answer 7

Not applying security patches or application updates to your systems

Using weak passwords

Downloading programs from the internet

Opening email attachments from unknown senders

Using wireless networks without encryption

Question 8

What does confidentiality in the CIA triad mean

Answer 8

refers to our ability to protect our data from those who are not authorized to view it.

Question 9

What does integrity in the CIA triad mean

Answer 9

the ability to prevent people from changing your data in an unauthorized or undesirable manner but also reversing unwanted authorized changes

Question 10

What does availability in the CIA triad mean

Answer 10

refers to the ability to access our data when we need it

Question 11

What is the Parkerian Hexad model

Answer 11

a more complex model that includes the components of the CIA triad but also possession, authenticity, and utility

Question 12

What does possession (control) refer to in the Parkerian Hexad model

Answer 12

to the physical disposition of the media on which the data is stored

Question 13

What does authenticity refer to in the Parkerian Hexad model

Answer 13

allows you to say whether you’ve attributed the data in question to the proper owner or creator

Question 14

What does utility refer to in the Parkerian Hexad model

Answer 14

how useful the data is to you

Question 15

What are the 4 categories of types of attacks

Answer 15

interception, interruption, modification, and fabrication

Question 16

What type of attack affects confidentiality in the CIA triad

Answer 16

interception

Question 17

What type of attack affects integrity in the CIA triad

Answer 17

interruption, modification, and fabrication

Question 18

What type of attack affects availability in the CIA triad

Answer 18

interruption, modification, and fabrication

Question 19

What is an interception attack

Answer 19

allow unauthorized users to access your data, applications, or environments, and they are primarily attacks against confidentiality

Question 20

What is an interception attack

Answer 20

allow unauthorized users to access your data, applications, or environments, and they are primarily attacks against confidentiality. can be conducted against data at rest or in motion

Question 21

What is an interruption attack

Answer 21

make your assets unusable or unavailable to you on a temporary or permanent basis

Question 22

What is an interruption attack

Answer 22

make your assets unusable or unavailable to you on a temporary or permanent basis. mostly affect availability but can affect integrity as well

Question 23

What is a modification attack

Answer 23

involves tampering with an asset or altering data. mostly attacks on integrity but also availability

Question 24

What is a fabrication attack

Answer 24

involve generating data, processes, communications, or other similar material with a system. primarily affect integrity but could affect availability

Question 25

What is a “threat”

Answer 25

something that has the potential to cause harm

Question 26

What are “vulnerabilities”

Answer 26

weaknesses, or holes, that threats can exploit to cause harm

Question 27

What is “risk”

Answer 27

the likelihood that something bad will happen

Question 28

What is “impact”

Answer 28

takes into account the value of the asset being threatened and uses it to calculate risk

Question 29

What are the steps of risk management

Answer 29

identify assets, identify threats, assess vulnerabilities, assess risks, mitigate risks

Question 30

What are “controls”

Answer 30

putting measures into place to mitigate risk

Question 31

What are “controls” and what are the different types

Answer 31

putting measures into place to mitigate risk. physical, logical, and administrative

Question 32

What are physical controls

Answer 32

protect the physical environment in which your systems sit, or where you data is stored

Question 33

What are logical controls

Answer 33

sometimes called technical controls, protect the systems, networks, and environments that process, transmit, and store data

Question 34

What are administrative controls

Answer 34

based on rules, laws, policies, procedures, guidelines, and other items that are “paper” in nature

Question 35

What does the incident response process consist of

Answer 35

preparation, detection and analysis, containment, eradication, recovery, and post incident activity

Question 36

What is the preparation phase in the incident response process

Answer 36

consists of all the activities you can perform ahead of time to better handle an incident.

Question 37

What is the detection and analysis phase in the incident response process

Answer 37

you detect an issue, decide whether
it’s actual an incident and respond to it appropriately

Question 38

What is the containment, eradication, and recovery phase in the incident response process

Answer 38

Containment involves taking steps to ensure that the situation doesn’t cause any more damage than it already has - or at least lessen any ongoing harm.

Eradication is removing the effects of the issue from your environment

Recovery involves restoring devices or data from backup media, rebuilding systems, or reloading applications

Question 39

What is “defense in depth”

Answer 39

a strategy in which to formulate a multilayered defense that will allow you to still mount a successful resistance should one or more of your defensive measures fail

Question 40

What is the goal of defense in depth in an information security setting

Answer 40

to place enough defensive measures between your truly important assets and the attacker so that you’ll notice than an attack is in progress and have enough time to prevent it

Question 41

What are the layers of defense in depth from inward to outward

Answer 41

data, application, host, internal network, external network

Question 42

What is identification and authentication

Answer 42

identification makes a claim about what someone or something is, and authentication establishes whether this claim is true

Question 43

What is identity verification and how is it different from authentication

Answer 43

requesting credentials for proving identity. authentication is different because it is determining if it is true or not

Question 44

What is authentication

Answer 44

the set of methods used to establish whether a claim of identity is true.

Question 45

What is multifactor authentication

Answer 45

one or more factors. when you are only using 2, it is called two-factor authentication

Question 46

Name the factors for authentication

Answer 46

something you know, something you are, something you have, something you do, where you are

Question 47

What is mutual authentication

Answer 47

an authentication mechanism in which both parties in a transaction authenticate each other. the client authenticates to the server and the server authenticates to the client often relying on digital certificates

Question 48

What is a man-in-the-middle attack

Answer 48

the attacker inserts himself between the client and the server. The attacker then impersonates the server to the client and the client to the server.

Question 49

What are 3 common identification and authentication methods

Answer 49

passwords, biometrics, and hardware tokens

Question 50

What 7 characteristics are biometrics defined by

Answer 50

universality, uniqueness, permanence, collectability, performance, acceptability, circumvention

Question 51

What is uniqueness in biometrics

Answer 51

a measure of how unique a characteristic is among individuals.

Question 51

What is universality in biometrics

Answer 51

means you should be able to find your chosen biometric characteristic in the majority of people you expect to enroll in the system

Question 52

What is permanence in biometrics

Answer 52

tests how well a characteristic resists change over time and with advancing age

Question 53

What is collectability in biometrics

Answer 53

measures how easy it is to acquire a characteristic

Question 54

What is performance in biometrics

Answer 54

measures how well a given system functions based on factors such as speed, accuracy, and error rate

Question 55

What is acceptability in biometrics

Answer 55

a measure of how acceptable the characteristic is to the users of the system

Question 56

What is circumvention in biometrics

Answer 56

describes how easy it is to trick a system by using a falsified biometric identifier.

Question 57

What is the false acceptance rate (FAR) in biometrics

Answer 57

measures how often you accept a user who should be rejected. also called a false positive

Question 58

What is the false rejection rate (FRR) in biometrics

Answer 58

measures how often we reject a legitimate user and is sometimes called a false negative.

Question 59

What is the equal error rate (EER) in biometrics

Answer 59

a balance between the 2 error types. If you plot both the FAR and the FRR on a graph, the EER marks the point where the two lines intersect. EER is a measure of accuracy in biometric systems

Question 60

What is authorization

Answer 60

the process of determining exactly what an authenticated party can do.

Question 61

What are access controls

Answer 61

the tools and systems you use to deny or allow access.
You can base access controls on physical attributes, sets of rules, lists of individuals or systems, or other, more complex factors.

Question 62

What is allowing access when relating to access control

Answer 62

giving a party access to a given resource.

Question 63

What is denying access when relating to access control

Answer 63

preventing a given party from accessing the resource in question.

Question 64

What is limiting access when relating to access control

Answer 64

allowing only some degree of access to your resources. In a physical security scheme, you might have a master key that can open any door in the building, an intermediate key that can open only a few doors, and a low-level key that can open only one door. You might also implement limited access when you’re using applications that may be exposed to attack-prone environments, like web browsers used on the internet.

Question 65

What is revoking access when relating to access control

Answer 65

taking access away from a party after you’ve granted it.

Question 66

What is an access control list (ACL)

Answer 66

lists containing information about what kind of access certain parties are allowed to have to a given system.

Question 67

What is a “socket”

Answer 67

the combination of both an IP address and a port

Question 68

What is the “confused deputy problem” attack

Answer 68

when the software with access to a resource (the deputy) has a greater level of permission to access the resource than the user who is controlling the software. If you can trick the software into misusing its greater level of authority, you can potentially carry out an attack

Question 69

What is cross-site request forgery (CSRF)

Answer 69

an attack that misuses the authority of the browser on the user’s computer. If the attacker knows of, or can guess, a website that has already authenticated the user—perhaps a common site such as Amazon.com—the attacker can embed a link in a web page or HTML-based email, generally to an image hosted from a site controlled by the attacker. When the target’s browser attempts to retrieve the image in the link, it also executes the additional commands the attacker has embedded in it, often in a fashion completely invisible to the target.

Question 70

What is “user interface redressing” also know as “clickjacking”

Answer 70

client-side attack that takes advantage of some of the page rendering features that are available in newer web browsers. To carry out a clickjacking attack, the attacker must legitimately control or have taken control of some portion of a website. The attacker constructs or modifies the site by placing an invisible layer over something the client would normally click. This causes the client to execute a command that’s different than the one they think they’re performing.

Question 71

What is an access control model and what are the 2 main types

Answer 71

a way of determining who should be allowed access to what resources.

discretionary access control (DAC)

mandatory access control (MAC)

Question 72

What is the DAC model

Answer 72

the owner of the resource determines who gets access to it and exactly what level of access they can have.

Question 73

What is the MAC model

Answer 73

the owner of the resource doesn’t get to decide who gets to access it. Instead, a separate group or individual has the authority to set access to resources.

Question 74

What is the principle of least privilege

Answer 74

dictates that you should give a party only the bare minimum level of access it needs to perform its functionality.

Question 75

What is rule-based access control

Answer 75

allows access according to a set of rules defined by the system administrator. If the rule is matched, access to the resource will be granted or denied accordingly.

Question 76

What is role-based access control (RBAC)

Answer 76

allows access based on the role of the individual being granted access. For example, if you have an employee whose only role is to enter data into an application, RBAC would mandate that you allow the employee access to only that application.

Question 77

What is attribute-based access control (ABAC)

Answer 77

based on the specific attributes of a person, resource, or environment. “subject attributes” belong to an individual such as being able to complete a CAPTCHA
“resource attributes” belong to a resource, such as an operating system or application.
“environmental attributes” enable access controls based on environmental conditions.

Question 78

What are multilevel access control models

Answer 78

combine several of the access control models for more security

Question 79

What is the Bell-LaPadula model

Answer 79

A multilevel access control model that places an emphasis on confidentiality and consists of 2 properties-

The Simple Security Property - The level of access granted to an individual must be at least as high as the classification of the resource in order for the individual to access it. In other words, an individual cannot read a resource classified at a higher level, but they can read resources at a lower level.
The * Property (or Star Property) - Anyone accessing a resource can only write (or copy) its contents to another resource classified at the same level or higher.

Question 80

What is the Biba model

Answer 80

a multilevel access control model that places an emphasis on integrity of data and consists of 2 properties-

The Simple Integrity Axiom - The level of access granted to an individual must be no lower than the classification of the resource. In other words, access to one level does not grant access to lower levels.
The * Integrity Axiom (or Star Integrity Axiom) - Anyone accessing a resource can only write its contents to a resource classified at the same level or lower.
We can summarize these rules as “no read down” and “no write up,” respectively. This means that assets that are of high integrity (meaning they shouldn’t be altered) and assets that are of low integrity are kept strictly apart.

Question 81

What is the brewer and nash model

Answer 81

a multilevel access control model designed to prevent conflicts of interest. considers 3 main resource classes-

access is determined dynamically based on materials previously accessed

Objects: Resources, such as files or information, pertaining to a single organization
Company groups: All objects pertaining to an organization
Conflict classes: All groups of objects concerning competing parties

Question 82

What is auditing?

Answer 82

the process of reviewing an organization’s records or information.

Question 83

What is nonrepudiation

Answer 83

refers to a situation in which an individual is unable to successfully deny that they have made a statement or taken an action, generally because we have sufficient evidence that they did it.

Question 84

What is a ‘clipping level’ when monitoring logs

Answer 84

a predefined threshold in system security monitoring that determines how many identical events or incidents can occur before they are considered a potential security issue.

Question 85

What are “assessments” in security audits and what are the different types

Answer 85

tests that find and fix vulnerabilities before any attackers do.

two approaches to this: vulnerability assessments and penetration testing.

Question 86

What are vulnerability assessments

Answer 86

involve using vulnerability scanning tools, such as Qualys, to locate weaknesses in an environment.

Question 87

What is penetration testing

Answer 87

you mimic the techniques an actual attacker would use to breach a system. You may attempt to gather additional information on the target environment from users or other systems in the vicinity, exploit security flaws in web-based applications or web-connected databases, or conduct attacks through unpatched vulnerabilities in applications or operating systems.

Question 88

What is the purpose of ensuring accountability in security

Answer 88

to make people responsible for their actions. is a good deterrent

Question 89

What does the Business Software Alliance (BSA) do

Answer 89

It regularly audits other organizations to ensure that they’re complying with software licensing.