Security Fundamentals

Question 0

What to protect or what information to secure

Answer 0

Data. The information assets

Resources. Virtual or physical system components

Question 1

Information security refers to

Answer 1

The protection of information resources from unauthorized access, attacks, thefts, or data damage

Question 2

The three primary goals of security

Answer 2

Prevention. Prevent users gaining unauthorized access to confidential information.
Detection. Users discovered trying to access unauthorized data
Recovery. Employ a process to recover vital data

Question 3

In terms of security what is collateral damage

Answer 3

Compromised reputation, loss of goodwill, reduce investor confidence, loss of customers and financial losses.

Question 4

Risk is

Answer 4

Exposure to the chance of damage or loss. The likelihood of a hazard or threat occurring. Associated with the loss of a system, power, or network.

Question 5

A threat is

Answer 5

Any action that could cause damage to an asset.

Question 6

Some potential threats to computer and network security

Answer 6

Unauthorized access or changes to data 
Interruption of services 
Interruption of access to assets
Damage to hardware 
Unauthorized access or damage to facilities

Question 7

A vulnerability is

Answer 7

Any condition that leaves a system open to harm

Question 8

List some vulnerabilities in terms of security

Answer 8

Improperly configured or installed hardware or software 
Untested software or firmware patches 
Bugs in software or OS
misuse of software or communication protocols 
Poorly designed networks 
Poor physical security 
Insecure passwords 
Design flaws in software or OS
Unchecked user Input

Question 9

An intrusion occurs when

Answer 9

An attacker accesses a computer system without the authorization. Occurs when the system is vulnerable to Attacks.

Question 10

Three types of intrusions

Answer 10

Physical
Host-based
Network-based

Question 11

An attack is

Answer 11

Exploit a vulnerability in a system without the authorization

Question 12

Attacks on a computer system and network security include

Answer 12

Physical 
Network-based
Software-based
Social engineering 
Web application-based

Question 13

Controls are

Answer 13

The countermeasures (solutions and activities) put in place to avoid, mitigate, or counteract security risks due to threats or attacks.

Question 14

Type of controls

Answer 14

Prevention controls
Detection controls
Correction controls

Question 15

Prevention controls help to

Answer 15

Prevent a threat or attach from exposing a vulnerability

Question 16

Detection controls help to

Answer 16

Discover If a threat or vulnerability has entered the computer system

Question 17

Correction controls help to

Answer 17

Mitigate the consequences of a threat or attack from adversely affecting the computer system

Question 18

The security management process involves

Answer 18

Identify security controls detect problems and determine how to protect a system
Implement security controls installing control mechanisms to prevent problems in a system
Monitor security controls detecting and solving security issues that arise

Question 19

Information security seeks to address three specific principles

Answer 19

Confidentiality
Integrity
Availability

Question 20

Confidentiality is the fundamental principle of

Answer 20

Keeping information and communication private and protecting them from unauthorized access

Question 21

Integrity is the fundamental principle of

Answer 21

Keeping organization information accurate, free of errors, and without unauthorized modifications.

Question 22

Confidentiality is typically controlled through

Answer 22

Encryption, access controls and steganography

Question 23

Integrity is typically controlled through

Answer 23

Hashing, digital signature, certificates, and non-reputation.

Question 24

Availability is the fundamental principle of

Answer 24

Ensuring that systems operate continuously and that authorized users can access the data they need.

Question 25

Availability is typically controlled through

Answer 25

Redundancy, fault tolerance, and patching.

Question 26

Non-repudiation is

Answer 26

Ensuring that the part that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.

Question 27

Identification is a method that

Answer 27

Ensures that an entity requesting access to resources by using a set of credentials is the true owner of the credentials.

Question 28

Authentication is the method of

Answer 28

Validating unique credentials

Question 29

Authorization is the process of

Answer 29

Determining what rights and privileges a particular entity has.

Question 30

Access control is the process of

Answer 30

Determining and assigning privileges.

How authorization is managed.

Question 31

The four access control models

Answer 31

Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
Rule-Based Access Control

Question 32

In security terms accounting is

Answer 32

The process of tracking and recording system activities and resource access

Question 33

In security terms auditing is

Answer 33

Examining logs of what was recorded.

Question 34

Implicit deny dictates that

Answer 34

Everything that is not explicitly allowed is denied. Users only allowed to access data and perform actions when permissions are specifically granted to them.

Question 35

Principle of least privilege

Answer 35

Users and software should only have the minimal level of access necessary for them to perform their duties.

Question 36

List common security practices

Answer 36

Implicit deny
Least privilege 
Separation of duties
Job rotation 
Mandatory vacation 
Time of day restrictions 
Privilege management

Question 37

Separations of duties states that

Answer 37

No one person should have too much power or responsibility. Duties Divided among individuals to prevent ethical conflicts or abuse of powers

Question 38

Job rotation is

Answer 38

No one person stays in a vital Job role too long. Helps prevent abuse of power, reduces boredom, and enhances professional skills.

Question 39

Mandatory vacations is used to

Answer 39

Provide an opportunity to review employees activities. Requires that employees take at least one vacation a year for a full week. The corporate audit and security employees have time to investigate and discover any discrepancies

Question 40

Time of day restrictions are

Answer 40

Controls that restrict the period of time when users are allowed to access systems. Can be applied to individual systems and wireless access points also.

Question 41

What is an orphaned account

Answer 41

User accounts that remain active even after the employees have left the organization.

Question 42

Privilege management is

Answer 42

The use authentication and authorization mechanisms to provide centralized or decentralized administration of user and group access control. Should include an auditing component. Single sign on can offer this.

Question 43

What is the purpose of PMI

Answer 43

Privileged management infrastructure purpose is to issue specific permissions to users within the infrastructure. Leveraged along side PKI (public key infrastructure) which is used to validate signatures for

Question 44

Describe user name/password authentication

Answer 44

A users credentials are compared against credentials stores in a database. Not very secure because doesn’t necessarily identify the correct user. Most basic and widely used.

Question 45

Describe (MAC) mandatory access control

Answer 45

Access is controlled by comparing an objects security designation and a users security clearance. Clearance level just correspond to the objects security level.

Question 46

Describe discretionary access control (DAC)

Answer 46

Access to each object is controlled on a customized basis based on a users identity.

Question 47

Describe role-based access control (RBAC)

Answer 47

Users are assigned to predefined roles and network objects are configured to allow access only to specific roles

Question 48

Describe rule-based access control

Answer 48

Non-discretionary technique based on a set of operational rules or restrictions

Question 49

What are tokens

Answer 49

Physical or virtual objects (smart cards, ID badges or data packets) that store authentication information (PINs, info about user, passwords)

Question 50

What are smart cards

Answer 50

An example of token based authentication. A plastic card containing an embedded computer chip that stores electronic information

Question 51

Biometrics are

Answer 51

Use physical characteristics as authentication. Involves fingerprint scanner, retinal scanner. Hand geometry, voice recognition, and facial recognition software.

Question 52

What is geolocation authentication

Answer 52

Authentication from an approved location. Performed by associating a geographical location with an IP address or MAC Address for example.

Question 53

Describe keystroke authentication

Answer 53

Describes exactly when a keyboard key is pressed and released. Each user has certain tendencies and patterns that can be recorded and measured o compare against future keystrokes.

Question 54

What is multi-factor authentication

Answer 54

Any authentication scheme that requires validation of two or more authentication factors. Any combination of who you are, what you have, what you know, where you are or are not, and what you do.

Question 55

What is mutual authentication

Answer 55

Security mechanism that requires each party in a communication verifies each other’s identity.

Question 56

Cryptography

Answer 56

The science of hiding information

Question 57

Encryption is

Answer 57

A cryptographic technique that converts data from plain text or clear text into coded or cipher text form

Question 58

Decryption is

Answer 58

Converts cipher text back to clear text

Question 59

Quantum cryptography is

Answer 59

An experimental method of data encryption based upon quantum communication and computation.

Question 60

A qubit is

Answer 60

A unit of data that is encrypted by entangling data with a photon or electron that has a particular spin cycle which can be read using a polarization filter that controls spin.

Question 61

A cypher is

Answer 61

An algorithm used to encrypt or decrypt data.

Operates on individual letters or bits and scrambles the message

Question 62

An algorithm in electronic cryptography is

Answer 62

A complex mathematical function

Question 63

Enciphering is

Answer 63

Applying a cipher to plaintext or clear text

Question 64

Deciphering is

Answer 64

Translating cipher text to clear text

Question 65

Two major categories if encryption ciphers

Answer 65

Stream and block

Question 66

Describe steam cipher

Answer 66

Encrypts data one bit at a time. Each plaintext bit is transformed into encrypted cipher text. Fast time execute. When errors occur they inky affect one bit.

Question 67

Describe block cipher

Answer 67

Encrypts data one block at a time often in 74-bit blocks. Stronger and more secure but slower performance.

Question 68

List some encryption and security goals

Answer 68

Confidentiality 
Integrity 
Non-repudiation 
Authentication 
Access control

Question 69

Steganography is

Answer 69

An alternative cipher process that hides information by enclosing it in another file. Obscures the fact they information is even present.

Question 70

An encryption key is

Answer 70

A specific piece of information that is used with an algorithm to perform encryption and decryption

Question 71

Two states of encryption keys

Answer 71

Static or ethemeral

Question 72

Static keys are

Answer 72

Keys Intended to be used for a long time and for many instances within a key establishment process

Question 73

Ephemeral keys are

Answer 73

Keys generated for each communication or session

Question 74

What’s a one time pad

Answer 74

An encryption algorithm developed assuming the key is used once created randomly and kept secret.

Question 75

Hashing encryption is

Answer 75

One-way encryption the transforms clear text into cipher text and not intended to be decrypted.

Question 76

The several uses of hashing

Answer 76

Hashing is used in password authentication allied hash of a password
A hash value is embedded in an electronic message
Hash of a file used to verify integrity of the file after transfer

Question 77

What is SHA

Answer 77

Secure Hash Algorithm
A Hashing encryption algorithm
Modeled after MD5 (message digest 5)

Question 78

List hashing encryption algorithms

Answer 78

MD5 message digest 5
SHA secure hash algorithm
NTLM v1&2 NT Lan Manager authentication protocol created by Microsoft
RIPEMD RACE Integrity Evaluation Message Digest
HMAC Hash-based Message Authentication Code
Verify both the integrity and authenticity of a message by combining cryograohic hash functions

Question 79

What is symmetric encryption

Answer 79

Two-way encryption where encryption and decryption are performed by the same key.
Configured in software or coded in hardware.
Fast but vulnerable to loss or being compromised.

Question 80

Common names for symmetric encryption

Answer 80

Secret key
Shared key
Private key encryption

Question 81

List symmetric encryption algorithms

Answer 81

DES Data Encryption Standard a block cipher
3DES Triple DES encrypts data by processing each block of data three times using a different key each time
AES Advanced Encryption Standard algorithm. A block cipher
Blowfish freely available 64-block cipher uses variable key length
Two fish block cipher
Rivest Cipher 4,5 & 6 (RC) all have variable key lengths. RC4 is stream cipher. RC5 & RC6 are variable size block ciphers

Question 82

What is asymmetric encryption

Answer 82

Uses public and private keys.
The private key is kept secret during two-way encryption.
The public key is given to anyone.
The private key in a pair can decrypt data encoded with the corresponding public key.

Question 83

List some of the Asymmetric encryption techniques

Answer 83

RSA Rivest Shamir Adelman. First successful algorithm for public key encryption. Variable length and block size
DH Diffie-Hellman cryptographic technique provides secure key exchange
ECC Elliptic Curve Cryptography public key encryption used with wireless and mobile devices
DHE Diffie-Hellman Ephemeral variant of DH provide secure key exchange
ECDHE Elliptic Curve Diffie-Helleman Ephermal incorporates use of ECC and ephemeral keys

Question 84

What is key exchange

Answer 84

Cryptographic keys transferred among users enabling the use of a cryptographic algorithm

Question 85

Two types of key exchanges

Answer 85

In band and out of band
In band key exchanges use the same path as other data.
Out of band key exchanges use a different path

Question 86

Symmetric key encryption requires this type if key exchange to avoid keys being intercepted

Answer 86

Out of band key exchange

Question 87

A digital signature is

Answer 87

A message digest that has been encrypted again with a users private key

Question 88

Asymmetric encryption algorithms can be used with this to create digital signatures

Answer 88

Hashing algorithms

Question 89

A cipher suite is

Answer 89

A collection of asymmetric and symmetric encryption algorithms used to establish a secure connection between hosts.

Question 90

A cipher suite is commonly associated with these network protocols

Answer 90

TLS Transport Layer security

SSL Secure sockets layer

Question 91

Name the four cipher suite components

Answer 91

Key exchange algorithm
Bilk encryption algorithm
Message authentication code algorithm
Pseudorandom function

Question 92

What is a session key

Answer 92

A single use symmetric key that is used for encrypting all messages in a single series of related communication

Question 93

What are the two primary reasons to use session keys

Answer 93

Limit the amount of SATA encrypted by that key

Faster and more efficient that using asymmetric encryption alone

Question 94

Perfect forward secrecy is

Answer 94

A property of public key cryptographic systems that ensures that any key derived from a set of long term keys cannot be compromised if one of the keys is compromised at a future date. Examples DHE & ECDHE

Question 95

What is key stretching

Answer 95

Strengthens potentially weak cryptographic keys against brute force attacks.
The original key is enhanced by running it through an algorithm.

Question 96

List some key stretching techniques

Answer 96

Repeatedly looping cryptographic hash functions
Repeatedly looping block ciphers
Increase time for key to be set up
Use key derivation function such as PBKDF2
Password Based Key Derivation Function 2 &
Bcrypt

Question 97

A security policy is

Answer 97

A formalized statement indicating how security will be implemented in an organization

Question 98

List the components that make up a security policy

Answer 98

Policy statement. The plan for individual security
Standards. How to measure the level of adherence
Guidelines. Best practices for how to meet the standards
Procedures. Instructions for implementing the policy

Question 99

What is a group policy

Answer 99

A centralized account management feature on windows server systems.
Controls certain desktop workstation features, security features and granting permissions to access servers

Question 100

List the security document categories that need to be securely maintained

Answer 100

System architecture. Documentation about the configuration of your network. Network mapping & diagnostic software
Change documentation. Changes in configuration.
Logs. System logs of audits
Inventories. Equipment and asset inventories.

Question 101

Explain change management

Answer 101

A systematic way if approving and executing change to assure maximum security, stability, and availability of information technology services. An organization can properly asses risk, quantify cost of training, support, maintenance or implementation and weigh the benefits of against the complexity of the proposed changes.

Question 102

Documentation handling measures for sensitive documents

Answer 102

Classification of documents. Public, internal. Confidential, and restricted
Retention and storage. Plan for how long docs are retained for legal requirements
Disposal and destruction. Plan for outdated docs