Sybex - Chapter 1

Question 1

Three Common Types of Security Evaluation

Answer 1

Risk Assessment, Vulnerability Assessment, Penetration Testing

Question 2

The process of identifying assets, threats, and vulnerabilities, then using that information to calculate risk.

Answer 2

Risk Assessment

Question 3

Using automated tools to locate known security weaknesses, which can be addressed by adding in more defenses or adjusting the existing protections.

Answer 3

Vulnerability Assessment

Question 4

Using trusted individuals to stress-test the security infrastructure to find issues that may not be discovered by prior two means, with the goal of finding those concerns before an adversary takes advantage of them.

Answer 4

Penetration Testing

Question 5

The Concept of measures used to ensure the protection of the secrecy of data, objects, resources. Goal is to prevent or minimize unauthorized access to data.

Answer 5

Confidentiality

Question 6

Countermeasures for this can include: Encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training.

Answer 6

Confidentiality

Question 7

The follow concepts belong to what part of the CIA Triad?

Sensitivity, Discretion, Criticality, Concealment, Secrecy, Privacy, Seclusion, Isolation

Answer 7

Confidentiality

Question 8

The concept of protecting the reliability and correctness of data. This prevents unauthorized alterations of data and provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users.

Answer 8

Integrity

Question 9

The following concepts belong to what part of the CIA Triad?

Preventing unauthorized subjects from making modifications, preventing authorized subjects from making unauthorized modifications such as mistakes, and maintaining the internal and external consistency of objects so data is correct and true reflection of the real world.

Answer 9

Integrity

Question 10

Countermeasures for this can include: strict access control, authentication procedures, intrusion detection systems, hash verifications, object/data encryption, interface restrictions, input checks, etc.

Answer 10

Integrity

Question 11

The following concepts belong to what part of the CIA Triad?

Accuracy, Truthfulness, Validity, Accountability, Responsibility, Completeness, Comprehensiveness

Answer 11

Integrity

Question 12

This concept means authorized subjects are granted timely and uninterrupted access to objects.

Answer 12

Availability

Question 13

The following concepts belong to what part of the CIA Triad?

Usability, Accessibility, Timeliness

Answer 13

Availability

Question 14

What does DAD Triad (Opposite of CIA Triad) stand for?

Answer 14

Disclosure - When sensitive or confidential material is accessed by unauthorized entities. Violation of Confidentiality.

Alteration - When data is maliciously or accidentally changed. Violation of integrity.

Destruction - When a resource is damaged or made inaccessible to authorized users. Violation of Availability. Also known as DoS (Denial of Service)

Question 15

Security concept that data is genuine and originates from its alleged source with high confidence.

Answer 15

Authenticity

Question 16

Ensures that the subject of an activity or who caused an event cannot deny the event occurred. This prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.

Answer 16

Nonrepudiation

Question 17

What are the five elements of AAA services (which leads to nonrepudiation)?

Answer 17

Identification - Claiming to be an identity when attempting to access an area or system.

Authentication - Proving you are the claimed identity

Authorization - Defining permissions of a resource or object access for specific identity

Auditing - Recording a log of events or actions related to system or subject

Accounting (aka Accountability) - Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions.

Question 18

What is it called with you layer security controls in a series for better protection?

Answer 18

Defense in Depth (also layering)

Question 19

When similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective, what is this called?

Answer 19

Abstraction

Question 20

Preventing data from being uncovered or discovered by a subject by positioning the data in logical storage compartments not accessible or seen by the subject.

Answer 20

Data Hiding