General Security Concepts (12%)

Question 1

What are the four Security Controls

Answer 1

Technical Controls
Managerial controls
Operational control
Physical control.

Question 2

Technical Controls

Answer 2

• Controls implemented using systems
• Operating systems controls
• Firewalls, anti-virus

Question 3

Managerial Controls

Answer 3

• Administrative controls associated with security design and implementation
• Security Policies, standard operating procedures

Question 4

Operational Controls

Answer 4

• Controls implemented by people instead of systems,
• Security guards, awareness programs

Question 5

Physical Controls examples

Answer 5

• Limit physical access
  -Guard Shack
• Fences, locks
• Badge readers

Question 6

Preventative control type examples for each control category

Answer 6

Firewall - (Technical)
On boarding Policy (Managerial)
Guard Shack (Operational
Physical (door lock)

Question 7

Deterrent control type examples for each category

Answer 7

Splash Screen (Technical)
Demotion (Managerial)
Reception Desk (Operational)
Warning Signs (Physical)

Question 8

Detective control type examples for each category.

Answer 8

System Logs (Technical)
Review login reports (Managerial)
Property Patrols (Operational)
Motion detectors (Physical)

Question 9

Corrective control types for each category

Answer 9

Back up recovery (Technical)
Policies for reporting issues (Managerial)
Contact authorities (Operational)
Fire extinguisher (Physical)

Question 10

Compensating control types for each category.

Answer 10

Blocking instead of patching (Technical)
Separation of duties (Managerial)
Require multiple security staff (Operational)
Power Generator (Physical)

Question 11

Directive control types for each category

Answer 11

File storage Policies (Technical)
Compliance Policies (Managerial)
Security Policy training (Operational)
Sign: Authorised Personal Only (Physical)

Question 12

What is a compensating control type

Answer 12

Control using other means, Existing controls aren’t sufficient, may be temporary

Question 13

Directive control types

Answer 13

• Direct a subject towards security compliance
• A relatively weak security control

Question 14

Preventive control types

Answer 14

Block access to a resource

Question 15

Deterrent control types

Answer 15

Discourage an intrusion attempt.

Question 16

Detective

Answer 16

Identify and log an intrusion attempt.
May not prevent access.

Question 17

Corrective control types

Answer 17

Apply a control after an event has been detected.
Reverse the impact of an event
Continue operating with minimal downtime

Question 18

The CIA triad

Answer 18

Combination of Principles:
- Confidentiality (Prevent disclosure of information to unauthorised individuals or systems)
-Integrity (Messages cant be modified without detection)
-Availability (Systems and networks must be up and running.

Question 19

Confidentiality

Answer 19

Certain information should only be known to certain people.

Encryption (Encode messages only certain people can read it)
Access Controls (Selectively Restrict access to a resource).
Two factor authentication (Additional confirmation before information is disclosed)

Question 20

Integrity

Answer 20

Data is stored and transferred as intended
Hashing ( Map data of an arbitrary length to data of a fixed length)
Hashing (Map data of an arbitrary length to data of a fixed length).
Digital signatures (Mathematical scheme to verify the integrity of data)
Certificates (Combine with a a digital signature to verify an individual).
Non-Repudiation (Provides proof of integrity can be asseted to be genuine

Question 21

Availability

Answer 21

Information is accessible to authorised user
Redundancy (Build services that will always be available)
System will continue to run, even when a failure occurs
Patching, Stability Close Security holes

Question 22

Non Repudiation

Answer 22

Confirmation of integrity and proof or origin, with high assurance of authenticity.

Question 23

Proof of integrity

Answer 23

Verify data does not change - The data remains accurate and consistent.

In Cryptography, we use a hash to prove integrity. If the data changes the hash changes. Doesn’t necessary associate data with an individual only tells you if the data has changed.

Question 24

Proof that the message was not changed

Answer 24

Integrity

Question 25

Prove the source of the message

Answer 25

Authentication

Question 26

Make sure the signature isn’t fake

Answer 26

Non-Repudiation.

Question 27

Sign with a private key

Answer 27

This is only known to person sending the data, verified by the private key associated with this public key.

Question 28

Explain the digital signature/hashng process to send a message.

Answer 28

• Alice attaches digital signature to her plain text which creates a Hash of the plaintext.
• Alice then uses her private key to encrypt the hash of the plain text.
• Encrypted hash is attached to the plain text.
• Bob is going to use Alices public key to decrypt the the encrypted hash and see the original hash sent by Alice.
• Once the decryption takes place Bob will have the original hash of the plain text.
• Bob then uses the same hashing algorithm to see if the plain text is the same as the one sent by Alice.

Question 29

AAA Framework

Answer 29

Authentication (Prove you are who you say you are)

Authorisation (Based on your identification and authentication, what access do you have).

Accounting (Resources used: Login time, data sent and received, log out time).

Question 30

Certificate authority

Answer 30

An organisation that creates a certificate for a device and digitally signs the certificate with the organisation CA.

The certificate can now be included on a device as an authentication factor.

Question 31

Certificate based authentication

Answer 31

If the device certificate made by the CA was signed by the by CA.

We can compare the device certificate with the CA certificate and see that the device certificate was signed by the CA.

Question 32

Authorisation (Abstractions) benefits

Answer 32

• Reduce complexity
• Create a clear relationship between the user and the resource.
  Administration is streamlined.

Question 33

How the authorisation model works

Answer 33

User devices added to a specific group. Group members would have access to all of the necessary information required for them to work.

Question 34

Gap analysis

Answer 34

Where you are compared to where you want to be. This may require extensive research - there is a lot to consider.

Question 35

Zero trust.

Answer 35

Nothing is trusted, everything is subject to security checks. Multi-factor authentication, encryption, system permissions, additional firewalls, monitoring and analytics.

Many networks are relatively open on the inside, once you’re through the firewall, there are few security controls - this is not an example of zero trust.

Question 36

Planes of operation. (Zero trust) (Applies to physical, virtual and cloud components)

Answer 36

Split the network into functional planes

Data plane - Process the frame, packets and network data. Processing, forwarding. trunking and encrypting NAT.

Control plane - Manages the actions of the data plane, Define policies and rules, Determines how packets should be forwarded, routing tables, session tables, Nat tables.

Question 37

Controlling trust using Adapting identity

Answer 37

Consider the source and the requested resources.
Multiple risk indicators - relationships to the organisation
Make the authentication stronger, if needed.

Question 38

Controlling trust using threat scope reduction

Answer 38

Decrease the number of possible entry points

Question 39

Controlling trust using policy driven access control

Answer 39

Combine the adaptive identity with a predefined set of rules.

Question 40

Security zones

Answer 40

Used to see where a person is connecting from.
Security zones look at where we’re connecting from and where we are trying to connect to.

Zones can be used to deny access - for example from and untrusted to a trusted zone of traffic.

Zones can be used to implicitly trust. For example, trusted to internal zone traffic.

Question 41

Policy enforcement point

Answer 41

Any subject and systems communicating through this network will be subject to scrutiny by the PEP (Policy enforcement point).

Doesn’t make the decision on whether traffic is allowed or denied just gathers information and provides it to the policy decision point. (PDP)

Question 42

Policy decision point is made up of what two points -

Answer 42

Policy Engine, Policy Administrator

Question 43

Policy engine

Answer 43

Evaluates each access decision based on policy and other information sources

Question 44

Policy Administrator

Answer 44

• Communicates with the policy enforcement point
• Generates access tokens or credentials
• Tells the PEP to allow or disallow access

Question 45

Physical Security - Bollards

Answer 45

Prevent access
Channel people through a specific access point
Identify safety concerns

Question 46

Physical Security - Vestibules

Answer 46

Doors which lock in a specific sequence or in a specific way, or require an ID card.

Question 47

Physical Security - Fence

Answer 47

Build a perimeter, Usually very obvious, but prevent access.

Question 48

Physical Security - Video Surveillance

Answer 48

CCTV, Motion detection,

Question 49

Physical security - guards and badges

Answer 49

Security guard - Physical protection at the reception area of a facility.
Two-person integrity/control
Access badge, picture, name other details must be worn at all times, electronically logged.

Question 50

Physical control - Lighting

Answer 50

More light means more security. Attacks avoid the light
Specialised design consider overall light levels.

Question 51

Physical control - Sensors

Answer 51

Infrared - Detects infrared radiation in both light and dark. Common in motion detectors.
Pressure, detects a change in force, floor or window sensors
Microwave - detects movement across large area.
Ultrasonic - send ultra sonic signals receive reflected sound waves.

Question 52

Honeypot

Answer 52

Attract criminals, attract automated machines (sometimes real people) which creates a virtual display of attacking methods.

Question 53

Honeynets

Answer 53

A real network which includes more than one single device
- Servers, workstations, routers, switches, firewalls.

Question 54

Honeyfiles

Answer 54

Files with fake information which appear to have fake information. Bait the attacker to go into honey files.
An alert will be set up if the file is accessed.

Question 55

Honey token.

Answer 55

traceable data being added to the honey pot so if this data is disrupted you know where it came from.

• API credentials (Fake)
  -Fake email addresses (constantly monitor for them to come up on the internet).
  Any type of data to find.