Security

Question 1

Ensuring that information is viewable only by authorized users or systems, and is either inaccessible or unreadable to unauthorized users.

Answer 1

Confidentiality

Question 2

Ensuring that information remains accurate and complete over its entire lifetime. In particular, this means making sure that data in storage or transit can’t be modified in an undetected manner.

Answer 2

Integrity

Question 3

Ensuring that information is always easily accessible to authorized users. This means making sure that connectivity and performance is maintained at the highest possible level.

Answer 3

Availability

Question 4

The core of information security is commonly summed up into three components, known as the CIA triad

Answer 4

Confidentiality
Integrity
Availability

Question 5

The chance of harm coming to an asset

Answer 5

Risk

Question 6

Anything that can cause harm to an asset

Answer 6

Threat

Question 7

Any weakness the asset has against potential threats

Answer 7

Vulnerability

Question 8

Malicious or unwanted software designed to steal data or impair your computer’s performance

Answer 8

Malware

Question 9

Hackers, malicious software, and other automated attacks can try to access your computer over the network to steal data, or implant malware.

Answer 9

Network attacks

Question 10

A malicious or even negligent user getting access to your account can do damage directly, or just weaken other security measures to make your data more vulnerable

Answer 10

Unauthorized users

Question 11

Older hardware, software, and network protocols commonly have outdated security features or known vulnerabilities that make them unsafe against modern threats

Answer 11

Insecure technologies

Question 12

Most common vulnerabilities in the enterprise include:

Answer 12

Insecure technologies
Weak configurations
Non-compliant systems
Physical environment
User behavior
Weak documentation

Question 13

Target vulnerabilities which have not yet been patched, and may not even be known to software vendors

Answer 13

zero-day attacks

Question 14

Watching someone who is viewing or entering sensitive information, or eavesdropping on confidential conversations

Answer 14

Shoulder surfing

Question 15

Hunting for discarded documents and other media in a target’s trash, looking for information

Answer 15

Dumpster diving

Question 16

Getting into a secure area by tagging along right behind someone who has legitimate access, with or without their knowledge

Answer 16

Piggybacking/Tailgating

Question 17

Impersonating an authority figure or other relevant person over the phone and requesting sensitive information

Answer 17

Phone impersonation

Question 18

Sending unsolicited emails or other electronic messages, with undesired or malicious content

Answer 18

Spam

Question 19

Using fake but official-looking messages to trick users into performing dangerous actions

Answer 19

Phishing

Question 20

A variant of phishing that targets specific people, such as members of an organization or even individual users

Answer 20

Spear phishing

Question 21

Malware attached to an infected file, usually an executable program but possibly as a script inside a data file like an office document

Answer 21

Virus

Question 22

Malware that spreads without any human interaction

Answer 22

Worm

Question 23

Malware that appears to be a harmless or useful program, like a game or even an anti-virus application

Answer 23

Trojan horse

Question 24

Any hidden way into a system or application that bypasses normal authentication systems.

Answer 24

Backdoor

Question 25

Turn the computer into a zombie: part of a large network of computers that performs distributed network attacks or other processing tasks

Answer 25

Botnet

Question 26

Malware that compromises boot systems and core operating system functions in order to hide from most detection methods

Answer 26

Rootkit

Question 27

A particularly intrusive sort of malware that attempts to extort money from the victim in order to undo or prevent further damage

Answer 27

Ransomware

Question 28

Malware specifically designed to gather information about user and computer activities to send to other parties, often through a backdoor

Answer 28

Spyware

Question 29

Malware that delivers advertisements to the infected system, either as pop-ups or within browser or other application windows

Answer 29

Adware

Question 30

The attacker tries every possible password or key in a methodical order, until finding the right one

Answer 30

Brute force

Question 31

The attacker uses a word list, such as a literal dictionaries or list of common passwords

Answer 31

Dictionary attack

Question 32

Many password-based authentication systems rely on cryptographic hashes generated from the password, rather than the password itself

Answer 32

Hash table

Question 33

A more popular variety of hash table that’s designed to use less disk space, most effective against short passwords

Answer 33

Rainbow table

Question 34

Designed to prevent legitimate users from accessing a network service or an entire network

Answer 34

DoS: Denial of service

Question 35

Where a single target is flooded by traffic from many individual computers, often spread across the Internet.

Answer 35

DDoS: Distributed denial of service

Question 36

Any attack that intercepts or observes private communications

Answer 36

Eavesdropping

Question 37

A form of eavesdropping where an attacker intercepts and relays communications between two points, often impersonating each party in the eyes of the other

Answer 37

Man-in-the-middle

Question 38

A technique that falsifies the origin of network communications, either to redirect responses or to trick users into thinking it comes from a trustworthy source

Answer 38

Spoofing

Question 39

An attacker giving false replies to DNS requests sent by a host, in order to redirect traffic to a malicious or fraudulent site

Answer 39

DNS hijacking

Question 40

A US federal law designed to prevent fraudulent accounting practices. It applies primarily to financial records managed by companies that do business in the United States.

Answer 40

SOX: The Sarbanes-Oxley Act of 2002

Question 41

A US law governing health insurance coverage, but from an IT perspective it protects the privacy of patient records. It applies to any organization that stores or handles protected data.

Answer 41

HIPAA: The Health Insurance Portability and Accountability Act

Question 42

A newly enacted European Union regulation which protects the privacy of individual data related to EU residents. It applies not only to any organization in the EU which handles personal information, but specifically to foreign organizations that do business with or market to EU residents.

Answer 42

GDPR: The General Data Protection Regulation

Question 43

It’s a set of shared rules developed by the world’s major credit card companies and administered by the PCI Council. Part of the contract an organization must sign before it is permitted to process payment cards.

Answer 43

PCI DSS

Question 44

Information that can be used to uniquely identify an individual person, either on its own or in conjunction with other information.

Answer 44

PII: Personally identifiable information

Question 45

Positive identification of a person or system wishing to initiate communications, for example via a username/password or an ID card.

Answer 45

Authentication

Question 46

Specifying the exact resources a given authorized user is allowed to access, such as file permissions on a hard drive.

Answer 46

Authorization

Question 47

Auditing and logging the actions of an authenticated user for later review, such as operating system logs tracking logins and accessed files

Answer 47

Accounting

Question 48

A list attached to a resource, giving permissions, or rules about exactly who can access it.

Answer 48

access control lists ACL

Question 49

Members of this group have full control of the computer, and they can assign user rights and access control permissions to users as necessary

Answer 49

Administrators

Question 50

Only found on Domain accounts. Members of this group have full control of computers throughout the domain

Answer 50

Domain Admins

Question 51

Members of this group can perform common tasks and run most applications

Answer 51

Users

Question 52

In older versions of Windows, members of this group had privileges beyond that of an ordinary user, but less than that of an administrator

Answer 52

Power Users

Question 53

Connected to an individual’s health status, medical treatments, and health care payments. Defined by HIPAA, and must be protected by any organization under the jurisdiction of that law

Answer 53

PHI: Protected health information

Question 54

A broad set of privacy laws intended to make sure that businesses which make sure consumers are aware of what PII businesses collect about them, and to give them more control over what is collected and how long it is kept.

Answer 54

GDPR

Question 55

Regulations apply to any information regarding payment cards issued by major credit card vendors, and the customers that pay using those cards

Answer 55

PCI

Question 56

Uses the same key for both encryption and decryption. Also known as private key cryptography since the key must be kept secret for security to be affected

Answer 56

Symmetric

Question 57

Uses two mathematically related keys. Data encrypted with the first key can only be decrypted with the second, and vice-versa. Also known as public key cryptography, since typically only one key is kept private and the other is public knowledge.

Answer 57

Asymmetric

Question 58

Don’t contain the original data and can’t be reliably reversed. However, since any change to data changes its hash, data can be compared to a stored hash to verify its integrity. Hashes are important in data preservation, authentication, and system integrity checking. Common algorithms include MD5, SHA-1, and the SHA-2 family.

Answer 58

Hashing

Question 59

Positive identification of a person or system wishing to initiate communications, for example via a username/password or an ID card.

Answer 59

Authentication

Question 60

Specifying the exact resources a given authorized user is allowed to access, such as file permissions on a hard drive

Answer 60

Authorization

Question 61

Auditing and logging the actions of an authenticated user for later review, such as operating system logs tracking logins and accessed files.

Answer 61

Accounting

Question 62

3 Authentication factors

Answer 62

Knowledge
Possession
Inherence

Question 63

Any physical property intrinsic to an individual human body, ranging from fingerprints to DNA to scent

Answer 63

Biometrics

Question 64

Examples of Biometrics

Answer 64

Fingerprint and palm scanners
Retinal scanners
Iris scanners
Facial recognition
Voice recognition systems

Question 65

A file created and signed using special cryptographic algorithms.

Answer 65

Digital certificate

Question 66

Valid for a single session, so can’t be stolen and reused.

Answer 66

OTP: A one-time password

Question 67

Any physical device used to aid authentication by containing secret information

Answer 67

Hardware token

Question 68

A process that utilizes a communications channel that is separate from the primary communication channel used by two entities trying to establish an authenticated connection.

Answer 68

out-of-band authentication