Security Principles Flashcards

CC Domain 1, including the foundational concepts of cybersecurity.

1
Q

Confidentiality

A

is the secrecy of the information within the asset being protected. Confidentiality is the most common form of protection that cyber criminals seek to compromise.

2
Q

Access controls

A

are processes, tools, or configuration settings that ensure that access to data is restricted to only those individuals who are authorized to access it.

Access controls are mechanisms to ensure that only those persons or resources who are specifically authorized to access an information resource are allowed to have such access.

3
Q

Cryptography

A

makes data unreadable except to authorized persons and protects the confidentiality of data while the data is at rest (in storage) or while it is being transmitted.

4
Q

Integrity

A

data is not being altered or corrupted in any way

5
Q

hashes

A

a technique to detect whether the contents of a data file or any data set have been altered from their original source: the hash is recomputed over the current data and compared against the value recorded for the original.
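Worked example, added here and not part of the original flashcard set: an unkeyed SHA-256 digest check next to a keyed HMAC-SHA256 check, using only Go's standard library. The records, the reference digest and the key are constructed values. The point the example makes beyond the card: a plain hash catches corruption, but an attacker who can rewrite the data and the stored checksum together passes the check, so an integrity mechanism that must resist an adversary needs a key the adversary does not have.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the hex-encoded SHA-256 of data: the kind of checksum a
// vendor publishes next to a download so a recipient can detect corruption.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest reports whether data still matches a digest recorded earlier.
// The hash is unkeyed: anyone who can modify the data can recompute it, so
// this only helps against accidental corruption or an attacker who cannot
// reach the stored reference value.
func VerifyDigest(data []byte, expectedHex string) bool {
	return Digest(data) == expectedHex
}

// Tag computes HMAC-SHA256 over data under a secret key. Without the key an
// attacker cannot produce a matching tag for altered data.
func Tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// VerifyTag compares in constant time so the check does not leak how many
// leading bytes of a guessed tag were correct.
func VerifyTag(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

func main() {
	original := []byte("amount=100&to=alice") // constructed sample record
	tampered := []byte("amount=900&to=alice") // same record after modification
	ref := Digest(original)
	fmt.Println("digest check:", VerifyDigest(original, ref), VerifyDigest(tampered, ref))
	// If the attacker can also overwrite the stored checksum, the hash check passes.
	fmt.Println("attacker recomputes digest:", VerifyDigest(tampered, Digest(tampered)))
	key := []byte("server-side secret") // constructed; must stay out of the attacker's reach
	tag := Tag(key, original)
	fmt.Println("hmac check:", VerifyTag(key, original, tag), VerifyTag(key, tampered, tag))
}
```

Run as written it prints `true false`, then `true` for the recomputed digest, then `true false` for the HMAC; the middle line is the gap a keyed tag closes.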

6
Q

Availability

A

is the assurance that systems and data are accessible to authorized users when they need them. Attacks on availability are commonly known as denial of service (DoS) attacks.

7
Q

Threat actors

A

are the individuals or groups (cyber criminals, malicious insiders, nation-state groups, and so on) who seek to compromise the confidentiality, integrity, or availability of information assets.

8
Q

Authentication

A

is the method by which systems verify that a user who is
requesting access to a resource really is who they claim to be.

9
Q

Nonrepudiation

A

guarantee that a sender of a message cannot later deny that they sent the message
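Worked example, added here and not part of the original flashcard set: nonrepudiation with an Ed25519 digital signature from Go's standard library. The signers and the sample message are constructed for the demo. The property worth seeing in code is the asymmetry: the verifier holds only the public key and so could not have produced the signature itself, which is exactly what a shared-key HMAC (the integrity mechanism on the hashes card) cannot offer, since an HMAC verifier holds the same key as the sender and could have forged the tag.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds a private key that never leaves the sender. Only the public
// half is handed to verifiers.
type Signer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, Pub: pub}, nil
}

// Sign produces a 64-byte signature over msg with the sender's private key.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.priv, msg)
}

// Verify needs only the public key. Because nothing the verifier holds could
// have produced the signature, a valid signature binds the message to the
// private-key holder in a way the sender cannot later disown. Malformed key
// or signature lengths are rejected instead of being allowed to panic.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	alice, err := NewSigner()
	if err != nil {
		panic(err)
	}
	mallory, err := NewSigner()
	if err != nil {
		panic(err)
	}
	order := []byte("transfer 500 to bob") // constructed sample message
	sig := alice.Sign(order)
	fmt.Println("alice's signature on her order:", Verify(alice.Pub, order, sig))
	fmt.Println("same signature, altered order:", Verify(alice.Pub, []byte("transfer 5000 to bob"), sig))
	fmt.Println("checked against mallory's key: ", Verify(mallory.Pub, order, sig))
	fmt.Println("mallory signing as alice:      ", Verify(alice.Pub, order, mallory.Sign(order)))
}
```

Only the first line prints `true`: a changed message, a different public key, or a signature made with any other private key all fail, so Alice cannot claim the order was altered or forged after the fact without also claiming her private key was stolen.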

10
Q

Information assurance

A

refers to the measure of information security. The goal of information assurance is to verify and ensure the confidentiality, integrity, and availability of data and assets, and this can only be done by measuring the effectiveness of security controls.

11
Q

Conduct Research

A

The first step the cyber criminal performs in an attack (reconnaissance) is to gather as much information as possible about the target to be able to carry out the attack.

12
Q

Identify Targets

A

During this phase the attacker tries to identify the organization’s
information assets as well as their corresponding vulnerabilities that can be exploited

13
Q

Exploit Targets

A

Once the targets are identified, the attacker can design and execute the attack. This involves probing and taking advantage of specific
vulnerabilities with the goal of gaining unauthorized access to the
enterprise.

14
Q

Do Bad Things

A

Once the attacker gains access, they can do a variety of things to achieve their objective. Usually, the attacker attempts to expand access laterally throughout the network to explore and discover more systems and data to gain deeper access and perform more attacks.

15
Q

Risk Management

A

is the term used to describe the discipline of how an organization chooses and implements the right level of security that is appropriate for them and their situation or business.

16
Q

Risk Identification

A

identify the potential threats and risks the organization may face and document them in a risk ledger (risk register).

17
Q

threat modeling

A

process of examining each asset, the potential threats faced by each asset, and the adverse effects caused by the threat against the asset.

18
Q

Risk Management Tiers

A

* Organizational tier: addresses risk by defining and implementing a holistic risk management program that applies to the entire organization
* Mission/business process tier: addresses the risks of major functions of the business
* Information system tier: addresses the risks of specific information systems

19
Q

Transfer risk

A

make it somebody else’s problem (risk transference). The most common form of risk transference is to buy insurance; outsourcing the risky activity to a third party is another.

20
Q

Accept the risk

A

means that as long as the risk is within acceptable levels, the organization can “live with” the risk and take their chances (risk acceptance).

What counts as an acceptable level is set by the organization’s risk appetite.

21
Q

Avoid the risk

A

stopping the related activity or shutting down a system entirely (risk avoidance)

The most common example of
this is shutting down services or software applications that have
known flaws or vulnerabilities.

22
Q

Mitigate

A

reduce the risk by putting in some kind of control or countermeasure (risk mitigation), i.e., fix the weakness or reduce the likelihood or impact of its exploitation.

23
Q

Risk Tolerance

A

the acceptable level of variation from the organization’s risk appetite for a given risk, i.e., how far actual risk may deviate from the target level before action is required.

24
Q

Risk Priorities

A

identify risks and record them in the risk ledger, then assess the potential damage (impact) and likelihood of each so that the highest-rated risks are treated first.

25
Q

Governance

A

process of defining strategies to oversee the entire
organization or a specific subset (such as IT governance, security
governance, or financial governance) to meet organizational goals and objectives.

26
Q

Regulations and Laws

A

Laws and regulations are rules typically established by a governmental body or similar agency that specify requirements that are legally enforceable.

SOX, HIPAA, FISMA & GDPR

27
Q

Standards

A

documents developed and published by external standards organizations containing best practices that may be used for the development of security program elements.

ISO, NIST, PCI SSC, IEEE, IETF, CSA & OWASP

28
Q

Plans

A

can be written for all kinds of things such as a vulnerability management plan, business continuity plan, or incident response plan.

29
Q

Policies

A

high-level management statements providing prescriptive directives to the organization.

30
Q

Procedures

A

step-by-step workflows or instructions that define how a task should be accomplished.

31
Q

Defense-in-Depth

A

the concept of coordinating and leveraging multiple layers of controls to increase the effort required for a potential attacker to succeed in their nefarious activity.

32
Q

Administrative Controls

A

are management oriented controls that provide directives and
instruction aimed at people within the organization.

33
Q

Technical controls

A

are hardware or software components that protect computing and network resources such as computers, servers, mobile devices, computer networks, or data stored within a system.

34
Q

Physical controls

A

are tangible controls put in place to protect physical resources against physical threats, including but not limited to break-ins, fires, theft, physical harm, and so on.

35
Q

Preventive controls

A

provide functionality that prevents or stops an adverse event or incident.

ex.
* Administrative (background checks, hiring and termination processes, etc.)
* Technical (network intrusion prevention system, firewall, MFA, antivirus, etc.)
* Physical (fences, door locks, gates, etc.)

36
Q

Detective controls

A

provide functionality that helps to discover, detect, or identify when something bad might have occurred, such as an adverse activity, event, intruder, or incident.

ex.
* Administrative (mandatory vacation, review of access logs, etc.)
* Technical (a system that detects unusual activity on an organization’s network)
* Physical (surveillance cameras, closed-circuit television [CCTV], motion sensor, etc.)

37
Q

Deterrent controls

A

provide functionality that deters or discourages a potential adversary from performing an attack or engaging in unwanted behavior.

38
Q

Corrective controls

A

provide functionality that fixes a system, process, or activity after an adverse event has occurred.

ex.
* Administrative (e.g., terminating an employee after an offense or implementing business continuity, disaster recovery, or incident response plans)
* Technical (e.g., antivirus that quarantines malicious software, restoring a system from backup)
* Physical (e.g., using a fire extinguisher to put out a fire, removing datacenter badge access for a lost access card)

39
Q

Directive controls

A

provide functionality that serves to communicate expected behavior.
Common examples in day-to-day life might include traffic signs that communicate expected traffic behavior such as “stop,” “yield,” and so on. Directive controls are generally administrative in nature such as policies, standards, procedures, training, and so on.

40
Q

Compensating controls

A

serve as an alternate control to a primary control, often used when the primary control is not feasible to implement due to cost, complexity, or other organizational constraints.

ex.
* Administrative: A small organization has a single employee accepting cash payments, recording deposits, and reconciling financial reports. The company may not have enough staff to fully implement separation of duties, so instead, they implement a process where leadership performs a regular review of reconciliation for additional oversight.
* Technical: An organization is running a critical application that relies on old software that the manufacturer no longer releases security updates for. Migrating to a new application may not be feasible, so an organization may decide to implement network isolation of the application as a compensating control.
* Physical: An organization determines that a full-time security guard for their office is too expensive, so instead they install fences, locks, and alarms as compensating controls.