Sybex Chapter 1: CIA Concepts

Question 1

Objects

Answer 1

Passive element in a security relationship such as files, computers, network connections, and applications.

Question 2

Subjects

Answer 2

Active element of a security relationship such as users, programs, and computers

Question 3

Subject-Object relationship

Answer 3

Subjects act upon an object

Question 4

Management of relationship between subjects and objects known as…

Answer 4

Access control

Question 5

Three phases of data that must be protected

Answer 5

In storage, in process, in transit

Question 6

CIA Attack: Sniffing

Answer 6

Confidentiality

Question 7

CIA Attack: Stealing password files

Answer 7

Confidentiality

Question 8

CIA Attack: Social Engineering

Answer 8

Confidentiality

Question 9

CIA Attack: Port Scanning

Answer 9

Confidentiality

Question 10

CIA Attack: Shoulder surfing

Answer 10

Confidentiality

Question 11

CIA Attack: Eavesdropping

Answer 11

Confidentiality

Question 12

CIA Attack: Escalation of priviledges

Answer 12

Confidentiality

Question 13

Events that lead to confidentiality breaches (7)

Answer 13

Failing to:
Encrypt transmission
Fully authenticate remote system
Leaving open access points
Running a RAT
Misrouted fax
Documents left on printers
Walking away from unlocked machine

Question 14

Confidentiality measures (6)

Answer 14

Encryption
Network traffic padding
Strict access control
Rigorous auth
Data classification
Training

Question 15

Sensitivity

Answer 15

“The quality of information” which could cause harm if disclosed.

Question 16

Discretion

Answer 16

Decision where an operator can control disclosure to minimize harm.

Question 17

Criticality (of information)

Answer 17

Level to which information is mission critical

Question 18

Concealment

Answer 18

Act of hiding or preventing disclosure

Security through obscurity

Question 19

Privacy

Answer 19

Keeping information confidential that is PI or that might cause harm, embarrassment, if revealed.

Question 20

Seclusion (of information)

Answer 20

Storing something in an out of the way location. Can provide strict access controls.

Question 21

Isolation

Answer 21

Keeping something isolated from others. Prevents comingling of information.

Question 22

Integrity protection

Answer 22

Prevents unauthorized alterations of data

Question 23

CIA Attack: Malicious modification

Answer 23

Integrity

Question 24

CIA Attack: Intentional replacement

Answer 24

Integrity

Question 25

Integrity violations can occur by…

Answer 25

Attacks
User action
Oversight in security policy
Misconfigured control

Question 26

Integrity measures (8)

Answer 26

Strict access control
Rigorous authentication procedures
IDS
Object/Data Encryption
hash verification
interface restriction
Input/function checks
training

Question 27

Accuracy

Answer 27

Being correct and precise

Question 28

Truthfulness

Answer 28

Being a true reflection of reality

Question 29

Authenticity

Answer 29

Being authentic or genuine

Question 30

Validity

Answer 30

Being factually or logically sound

Question 31

Nonrepudiation

Answer 31

Not being able to deny having performed an action or being able to verify origin of an action

Question 32

Accountability

Answer 32

Bing responsible for actions and results

Question 33

Responsibility

Answer 33

Being in charge or having control over something/someone

Question 34

Completeness

Answer 34

Having all needed components or parts

Question 35

Comprehensiveness

Answer 35

Being complete in scope

Question 36

Nonrepudiation is an essential part of…

Answer 36

Accountability

Question 37

Nonrepudiation can be established using…(4)

Answer 37

Digital certificates
Sessions Identifiers
Transaction logs
other transaction and access control mechanisms

Question 38

AAA Services

Answer 38

Authentication, Authorization, Accountability, Auditing

Identification

Question 39

Availability

Answer 39

Authorized subjects are granted timely and uninterrupted access to objects

Question 40

Availability offers a high level of…

Answer 40

assurance that objects are available to auth subjects

Question 41

Threats to availability (3)

Answer 41

Device failure
SW Errors
Environmental issues

Question 42

Availability attacks

Answer 42

DOS
Object Destruction
Communication Interruptions

Question 43

Events that lead to availability breaches…

Answer 43

Accidentally deleting files
Overutilizing a HW or SW component
Under-allocating resources
incorrectly labeling/classifying objects
Policy screwup
Misconfigured control

Question 44

Availability countermeasures (9)

Answer 44

Proper design
access controls
performance monitoring
firewalls
router
redundancy
backup systems (inc. testing)
fault tolerance features
eliminating single points of failure

Question 45

Usability

Answer 45

Being easy to use/learn

Question 46

Accessibility

Answer 46

Assurance that widest range of subjects can interact without limitaitons

Question 47

Timeliness

Answer 47

Being prompt, on time, etc.

Question 48

OT

Answer 48

Operational Technology

Question 49

Operational technology (OT)

Answer 49

Systems such as PLC, SCADA, MES (manufacturing execution system)

Question 50

Which systems follow AIC triad?

Answer 50

OT

Question 51

AIC Triad

Answer 51

Availability prioritized overall and integrity over confidentiality

Question 52

Identification

Answer 52

Claiming to be an identity

Question 53

Authentication

Answer 53

Proving you are an identity

Question 54

Authorization

Answer 54

Permissions

Question 55

Auditing

Answer 55

Recording a log of events/activities

Question 56

Accounting/Accountability

Answer 56

Reviewing log files

Question 57

AAA Process

Answer 57

Subject must provide ID start AAA process

Question 58

Authentication factor

Answer 58

Private info that must be kept secret (password, etc.)

Question 59

Access Control Matrix

Answer 59

Permission table

Used to compare subject, object, and intended activity.

Question 60

Monitoring

Answer 60

Watching or oversight

Question 61

Accountability is established by…

Answer 61

Linking a human to activities of an online ID through AAA.

Question 62

Least secure form of authentication

Answer 62

Passwords

Question 63

Protection mechanisms

Answer 63

Common characteristics of security controls (Layering, Abstraction, Data Hiding, Encryption

Question 64

Layering aka

Answer 64

Defense in Depth

Question 65

Layering should be in a series or in parallel?

Answer 65

Parallel

Question 66

Abstraction

Answer 66

Ability to assign security controls to a group or object by type or function.

Question 67

Data hiding

Answer 67

Preventing data from being discovered or accessed by where it’s placed or access control.

Question 68

Security through obscurity

Answer 68

Not informing the subject about an object being present and hoping they don’t find it.

Question 69

Encryption

Answer 69

Art and science of hiding comms from unintended recipients.

Question 70

Security governance

Answer 70

The collection of practices related to supporting and directing the security efforts of an org.

Question 71

Common goal of governance (Security, Corporate, IT Governance)

Answer 71

Maintaining business process while striving toward growth and resiliency

Question 72

Security governance is commonly managed by…

Answer 72

A governance committee or BOD.

Question 73

Security management planning

Answer 73

Aligns the security functions to the strategy, goals, mission and objectives of an org.

Question 74

Business case

Answer 74

Documented or stated argument in support of taking a decision or action.

Arguing business need to do something.

Question 75

Who is responsible for initiating and defining policies for the org?

Answer 75

Upper and senior management

Question 76

Standards, baselines, guidelines, and procedures are created by who?

Answer 76

Middle management

Question 77

Who implements the security management configuration?

Answer 77

Operational managers and security professionals

Question 78

Bottom up approach to security governance

Answer 78

Security professionals make the decisions. Considered problematic

Question 79

Security management is the responsibility of…

Answer 79

Upper management

Question 80

Security plan is useless without approval from…

Answer 80

Senior management

Question 81

Strategic plan

Answer 81

Long term stable plan. Orgs security purpose. Should include risk assessment

Question 82

Strategic plan useful for how much time?

Answer 82

3-5 years if updated annually

Question 83

Tactical plan

Answer 83

Midterm plan.
Provides details on accomplishing goals in strategic plan.
Prescribes and schedules tasks to accomplish org goals

Question 84

Tactical plan examples (7)

Answer 84

Project plan
Acquisition plan
Hiring plan
Budget plan
Support plan
Maintenance plan
Dev plan

Question 85

Tactical plan useful time period

Answer 85

Around a year

Question 86

Operational plan

Answer 86

Short term, highly detailed based on strategic and operational plan

Question 87

Operational plan contains…

Answer 87

resource allotments
budget requirements
staffing assignments
scheduling
step by step implementation procedures

Question 88

Operational plan examples (3)

Answer 88

Training plan
Deployment plan
Product design plan

Question 89

Effective security plans focus attention on…(3)

Answer 89

Specific and achievable objectives
Anticipate change and problems
Basis for decision making for enter org

Question 90

Change management ensures that…

Answer 90

Any change does not lead to reduced or compromised security.

Being able to roll back changes

Question 91

Change management primary purpose

Answer 91

Make all changes subject to detailed documentation and auditing and reviewed by management

Question 92

Change management goal…

Answer 92

Prevent unwanted reductions in security

Question 93

Change management requires…

Answer 93

Detailed inventory of every component and config.

Complete documentation for every system component

Question 94

Change management goals/requirements

Answer 94

Changes are always controlled
Formal testing process
All changes can be reversed (backout/rollback)
Users are informed of changes
Effects of changes are analyzed
Users informed before change
Negative impact is minimized
Changes reviewed by CAB

Question 95

Parallel run

Answer 95

New system and old system are run in parallel. Processes performed on both simultaneously.

Question 96

Parallel run ensures

Answer 96

New system supports all functionality of old system