Security Plus - Chapter 1

Question 1

Confidentiality

Answer 1

Ensures that unauthorized individuals are not able to gain access to sensitive information.

Question 2

Integrity

Answer 2

Ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally.

Question 3

Availability

Answer 3

Ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.

Question 4

Confidentiality Controls

Answer 4

Firewalls
Access Control Lists
Encryption

Question 5

Integrity Controls

Answer 5

Hashing
Integrity Monitoring Solution
Power surge protection

Question 6

Availability Controls

Answer 6

Fault tolerance
Clustering
Backups

Question 7

Nonrepudiation

Answer 7

A person that performed an action cannot later deny having taken that action. Digital signatures ensure nonrepudiation.

Question 8

CIA Triad

Answer 8

Confidentiality, Integrity, Availability

Question 9

DAD Triad

Answer 9

Disclosure, Alteration, Denial

Question 10

Disclosure

Answer 10

The exposure of sensitive information to unauthorized individuals. Also known as data loss and a violation of the principle of Confidentiality.

Question 11

Alteration

Answer 11

The unauthorized modification of sensitive information and is a violation of the principle of integrity.

Question 12

Denial

Answer 12

The disruption of an authorized user’s legitimate access to information. This is a violation of the principle of Availability.

Question 13

Types of breach impact risks

Answer 13

Financial
Reputational
Strategic
Operational
Compliance

Question 14

Financial Risk

Answer 14

The risk of monetary damage to the organization as the result of a data breach.

Question 15

Reputational Risk

Answer 15

Negative publicity surrounding a security breach that causes loss of goodwill among customers, employees, suppliers, and other stakeholders.

Question 16

Strategic Risk

Answer 16

The risk an organization will become less effective in meeting its major goals and objectives as a result of a security breach.

Question 17

Operational Risk

Answer 17

The risk to the organizations ability to carry out its day-to-day functions as the result of a security breach.

Question 18

Compliance Risk

Answer 18

When a security breach causes an organization to run afoul of legal or regulatory requirements.

Question 19

Control Objectives

Answer 19

Statements of a desired security state that the organization wishes to achieve.

Question 20

Security Controls

Answer 20

Specific measures that fulfill the security objectives of an organization.

Question 21

Gap Analysis

Answer 21

The Cybersecurity team reviews the control objectives for a particular organization, system, or service and then examines the controls designed to achieve those objectives. Any controls that do not meet the objectives are identified, and are considered potential risks that should be remediated as time and resources permit.

Question 22

Technical Controls

Answer 22

A security control category that enforces confidentiality, integrity, and availability in the digital space.
Firewall rules
Access Control lists
Intrusion prevention systems
Encryption

Question 23

Operational Controls

Answer 23

A security control category in which processes are established to manage technology in a secure manner.
User access reviews
Log monitoring
Vulnerability management

Question 24

Managerial Controls

Answer 24

A security control category where procedural mechanisms that focus on the mechanics of the risk management process.
Risk assessments
Security planning exercises
Review security in change management

Question 25

Physical Controls

Answer 25

A security control category where security controls that impact the physical access areas of an organization.
Fences
Lighting
Locks
Fire suppression
Burglar alarms

Question 26

Preventive Controls

Answer 26

A security control type that intends to stop a security issue before it occurs.
Firewalls
Encryption

Question 27

Deterrent Controls

Answer 27

A security control type that seeks to prevent an attacker from attempting to violate security policies.
Guard dogs
Barbed wire fences

Question 28

Detective Controls

Answer 28

A security control type that identifies security events that have already occurred.
Intrusion detection systems

Question 29

Corrective Controls

Answer 29

A security control type that remediates any security issues that have already occurred.
Restoration of backups

Question 30

Compensating Controls

Answer 30

A security control type designed to mitigate the risk associated with exceptions made to a policy. Controls established to be used in place of a control that is not able to be implemented. These usually do not place the same control strength as the original, so used in conjunction with an exception.

Question 31

Directive Controls

Answer 31

A security control type the informs users of the organizations systems what they should do to achieve security objectives.
Policies
Procedures

Question 32

Data At Rest

Answer 32

Stored data that resides on hard drives, tapes, in the cloud, or on other storage media.

Question 33

Data In Transit

Answer 33

Data that is in motion/transit over a network.

Question 34

Data In Use

Answer 34

Data that is actively in use by a computer system.

Question 35

Data Encryption

Answer 35

Technology that uses mathematical algorithms to protect information from prying eyes, while in transit over a network and while it resides on systems.

Question 36

Data Loss Prevention

Answer 36

A system that helps organizations enforce information handling policies and procedures to prevent data loss and theft.

Question 37

Pattern Matching

Answer 37

A DLP mechanism that watches for specific attributes of data that can be categorized as sensitive data.

Question 38

Watermarking

Answer 38

A DLP mechanism where systems or administrators apply electronic tags to sensitive documents and the DLP system monitors the systems and networks for unencrypted data containing those tags.

Question 39

Digital Rights Management

Answer 39

Enforces copyright and data ownership restrictions

Question 40

Data Minimization

Answer 40

A technique that seeks to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis.

Question 41

Deidentification

Answer 41

A process that removes the ability to link data back to an individual, reducing its sensitivity.

Question 42

Data Obfuscation

Answer 42

Transforming data into a format where the original information cannot be retrieved.

Question 43

Hashing

Answer 43

Utilizes a hash function to transform a value in the dataset to a corresponding hash value.

Question 44

Tokenization

Answer 44

Replaces sensitive values with a unique identifier using a lookup table.

Question 45

Masking

Answer 45

Partially redacts sensitive information by replacing some or all of the sensitive fields with blank characters.

Question 46

Rainbow Table Attack

Answer 46

The attacker computes the hashes of known candidate values and checks to see if those hashes exist in the data file.

Question 47

Access Restrictions

Answer 47

Security measures that limit the ability of individuals or systems to access sensitive information or resources.
Geographic restrictions
Permission restrictions

Question 48

Segmentation

Answer 48

Places sensitive systems on separate networks where they may communicate with each other but have strict restrictions on their ability to communicate with systems on other networks.

Question 49

Isolation

Answer 49

Removes access for a system to or from an outside network.