Cornerstone security principles

Question 1

The 3 main objectives of security are

Answer 1

Confidentiality, integrity and availability

Question 2

What is information security?

Answer 2

The protection of information and information systems from unauthorized access, use,disclosure,modification,or destruction in order to provide confidentiality,integrity and availability (CIA triad)

Question 3

Confidentiality

Answer 3

Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and properietary information.

Question 4

Integrity

Answer 4

Guarding against improper information modification, and includes ensuring information non-repudiation and authenticity.

Question 5

Availability

Answer 5

Ensuring timely and reliable access and use of information.

Question 6

3 key cyber security tenets

Answer 6

Confidentiality, integrity and availability

Question 7

Confidentiality, integrity and availability (CIA) versus

Answer 7

Disclosure, Alteration and Destruction (DAD)

Question 8

Identification

Answer 8

-provides a weak an unproven claim of identity. -providing a username would be an example of identification. -Requires proof(authentication) prior to being granted access (authorization) to controlled data.

Question 9

Authentication

Answer 9

-Serves as proof a user’s identity claim is legitimate. -Strong authentication implies higher integrity means of proof or multiple methods of proof.

Question 10

Authorization

Answer 10

Proceeds after successful authentication and determines what the authenticated user can do

Question 11

Accounting

Answer 11

-Details the interaction performed by individuals. -Audit logs could be generated allowing users to be held accountable for their documented actions

Question 12

Types/categories of authentication

Answer 12

-Something you have (such as token, smart card, or badge) -Something you are (biometrics: fingerprint, retina scan, voice, palm scans, hand geometry) -Something you know (passwords or phrases) -Something you are (such as GPS)

Question 13

Using two or more categories of authentication are called

Answer 13

Two-factor or multi-factor authentication

Question 14

PoLP abbreviation of

Answer 14

Principle of least privilege and may also known as Minimum Necessary Access

Question 15

Mandates individuals only be granted access necessary to perform their required functions

Answer 15

Principle of least privilege or Minimum Necessary Access

Question 16

Risk is mitigated by requiring two parties to perform what one person could.

Answer 16

Separation of Duties. -It serves as a check on excessive authority.

Question 17

Require collusion among more than one individual in order to successfully perpetrate a fraud.

Answer 17

Separation of Duties

Question 18

Force other people to be in charge of carrying out key tasks normally performed by another employee

Answer 18

Rotation of Duties or job rotation. -it is a common way of detecting fraud associated with printing excess payroll checks.

Question 19

Acting as any reasonable person would.

Answer 19

Due Care or Prudent Man Rule

Question 20

Practices or processes that ensure the decided upon standard of care is maintained

Answer 20

Due Diligence

Question 21

The implementation of due care is

Answer 21

Due Diligence

Question 22

What are major types of controls?

Answer 22

-Preventive -Detective -Corrective -Deterrent -Recovery -Compensating

Question 23

Preventive Controls

Answer 23

-Try to prevent an attack from being successful. -Will not allow a user to violate the security policy in place.

Question 24

Detective Controls

Answer 24

-Assumes an attack has begun -Tries to detect that is a problem after an attack occurs -Time-critical with detection-an attack is occurring

Question 25

Deterrent Controls

Answer 25

Discourages security violations

Question 26

Compensating Controls

Answer 26

Used to shore up identified deficiencies in existing controls

Question 27

Corrective Controls

Answer 27

Reacts to an attack and takes corrective action for data recovery

Question 28

Recovery Controls

Answer 28

Restores the operating state to normal after an attack or system failure

Question 29

Intrusion Detection IDS and Monitor sensors, job rotation, Threat-haunting and CCTV are example of

Answer 29

Detective Controls

Question 30

The access control measures could be categorized by

Answer 30

Administrative, Technical, or Physical

Question 31

Background checks, policies and procedures are example of

Answer 31

Administrative (directive) Controls

Question 32

Encryption and smart cards are example of

Answer 32

Technical controls

Question 33

Locks , securing laptops, securing magnetic media and the protection of cable

Answer 33

Physical controls

Question 34

“Beware of dogs” or “Use of deadly force is authorized” signs are example of

Answer 34

Deterrent Controls