Security Fundamentals

Question 1

CODE OF ETHICS CANONS

Answer 1

• Protect society, the common good, necessary public trust and confidence, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent service to principles
• Advance and protect the profession

Question 2

Confidentiality

Answer 2

• Unauthorized access to application, system, or data

Question 3

Integrity

Answer 3

• Change or removal of data from a system or product

Question 4

Availability

Answer 4

• Disruption or prevention of access to data or services

Question 5

Incorporating Stakeholder Input

Answer 5

• Look for subject-matter expertise with internal stakeholders, regardless of roles and responsibility
• Stake holder input is critical in early phases
• Stakeholder buy-in is necessary
• Input from project and program managers is critical

Question 6

Owner

Answer 6

• Owns the information

* Determines the classification level

Question 7

Steward

Answer 7

• Manages the data and metadata

* Ensures compliance (standards/controls) and data quality

Question 8

Custodian

Answer 8

• Is the keeper of the information

* Ensures CIA is maintained

Question 9

Chief privacy officer

Answer 9

• Ensures privacy of all data in the entire organization

Question 10

Protecting Privacy: Often mandate from regulations or industry compliance such as HIPAA or PCI-DSS

Answer 10

• Data owners
• Data Processors
• Data Remanence
• Collection Limitations

Question 11

Data Loss Prevention (DLP)

Answer 11

• Provides strategic methods for ensuring that end users do not transmit sensitive or critical information outside the corporate network
• Stops data breaches and leakage

Question 12

Personally Identifiable information (PII)

Answer 12

• Individuals identifiable information
• Consists of first name or initial with last name and one or more pieces of info
• Social Security number, driver’s license number, ID card, financial account number, medical/health info

Question 13

Protected health information (PHI)

Answer 13

• Individuals identifiable health information
• Contains at least one piece of info
• Name, address, birth date, phone number, mail or e-mail address, social security number, URL, IP

Question 14

Data Retention

Answer 14

• Keeping data until it’s no longer needed

Question 15

Data retention policy

Answer 15

• Identifies how, where, and why data will be retained
• Operational use / Current and Future use
• Adherence to legal and regulatory requirements
• Periodic audits

Question 16

Destruction

Answer 16

• Burning
• Shredding
• Pulverizing
• Pulping

Question 17

Sanitization

Answer 17

• Degaussing: Removing the magnetic field of drive
• Purging: Clearing everything off the media
• Wiping: Overwriting every sector of drive with 1s and 0s
• Encryption: Encrypting all files before deleting or disposing of media

Question 18

Security Control Categories

Answer 18

Administrative, Technical, and Physical

Question 19

Administrative

Answer 19

Defines policies, procedures, and guidelines:

* Password policy, hiring policy, screening policy, mandatory vacations, training, Rotation of duties

Question 20

Technical

Answer 20

Controls access to a resource:

* Firewalls, encryption, passwords, IDS/IPS, smart cards, bio-metrics, RADIUS, Anti-Virus Software

Question 21

Physical

Answer 21

Controls access to facility:

* Locks, Guards, Fences, Video cameras, Gates, Bollards, Dogs, Alarms, Motion Detectors

Question 22

Preventive

Answer 22

• Stops attacker from performing attack

: Fences, IPS sensor, Security Guard gates, Locks

Question 23

Detective

Answer 23

• Identifies an attack that is happening

: Cameras, IDS Sensor, Anti-malware

Question 24

Corrective

Answer 24

• Restores a system to state before attack

: Disaster recovery policies, Business continuity planning, Automated, Cloud-based, antivirus, anti-malware and DLP

Question 25

Deterrent

Answer 25

• Discourages attacker from performing attack

: Presence of security guards or cameras

Question 26

Compensating ( Recovery)

Answer 26

• Aids controls already in place

: Automated cloud services, Cloud access security broker, Managed security service provider

Question 27

Data at rest (data in storage)

Answer 27

• On hard disks, memory cards, data centers, cloud storage, archives and backups, external and removable drives

Question 28

Data in motion (data in transit)

Answer 28

• Data sent on LAN, WAN, MAN, dedicated lines, wired, wireless

Question 29

Data in use (volatile data)

Answer 29

• Data in CPU registers, RAM memory, volatile storage

Question 30

Protecting Data at Rest

Answer 30

• Conventional perimeter based defenses like firewalls, IPS, and antivirus programs
• Defense-in-depth access controls and MFA
• Volume, disk, and file encryption
• Partitioned storage

Question 31

Protecting Data in Motion

Answer 31

• Encapsulation
• Dedicated channels
• Transport Layer Security (SSL/TLS)
• IPSec VPN’s
• EAP wireless variants
• 802.1X and 802.11AE MACsec

Question 32

Protecting Data in Use

Answer 32

• The least mature protection system
• Newer methods for protecting volatile data in memory
• Trusted computing system (SE-Linux)
• Overhead due to encryption/decryption and often costly and difficult to implement

Question 33

Enterprise information security Architecture (EISA)

Answer 33

• The current and/ or future and behavior of an organization’s security processes
• Information security systems
• Personnel and organizational sub units that align with the organization’s core goals and strategic direction
• A structured approach to developing an integrated and comprehensive security architecture