Chapter 1: Security Controls and Concepts Flashcards

(34 cards)

1
Q

Question: Which type of security control is implemented through technology, often hardware or software-based?
A) Managerial Security Control
B) Operational Security Control
C) Technical Security Control
D) Physical Security Control

A

Answer: C) Technical Security Control

2
Q

Question: Security policies and procedures, risk assessments, and security training programs are examples of which type of security control?
A) Technical Security Control
B) Managerial Security Control
C) Operational Security Control
D) Physical Security Control

A

Answer: B) Managerial Security Control

3
Q

Question: True or False: Operational security controls directly address user behavior and day-to-day operations.

A

True

4
Q

Question: Which type of security control is designed to protect the physical environment of information assets?
A) Technical Security Control
B) Managerial Security Control
C) Operational Security Control
D) Physical Security Control

A

Answer: D) Physical Security Control

5
Q

Question: Which of the following security controls aims to prevent an incident or breach from occurring in the first place?
A) Deterrent Security Control
B) Detective Security Control
C) Preventive Security Control
D) Corrective Security Control

A

Answer: C) Preventive Security Control

6
Q

Question: Warning banners and visible surveillance cameras are examples of which type of security control?
A) Preventive Security Control
B) Deterrent Security Control
C) Detective Security Control
D) Corrective Security Control

A

Answer: B) Deterrent Security Control

7
Q

Question: What is the primary function of detective security controls?

A

Answer: To identify and alert on anomalies or security incidents.

8
Q

Question: Which type of security control aims to limit the extent of damage and correct the situation once a security incident has been detected?
A) Preventive Security Control
B) Deterrent Security Control
C) Detective Security Control
D) Corrective Security Control

A

Answer: D) Corrective Security Control

9
Q

Question: When primary security controls are ineffective or unfeasible, which type of control provides alternative measures to achieve similar security objectives?
A) Directive Security Control
B) Compensating Security Control
C) Corrective Security Control
D) Preventive Security Control

A

Answer: B) Compensating Security Control

10
Q

Question: What is the primary function of directive security controls?

A

Answer: To provide a roadmap or guidance for security best practices within an organisation.

11
Q

Question: What are the three core principles of the CIA triad in information security?
A) Control, Identification, Assurance
B) Confidentiality, Integrity, Availability
C) Compliance, Implementation, Audit
D) Centralisation, Isolation, Access

A

Answer: B) Confidentiality, Integrity, Availability

12
Q

Question: True or False: Non-repudiation guarantees that a sender of information can later deny having sent it.

A

Answer: False

13
Q

Question: What does “Authentication” refer to in the AAA framework?

A

Answer: Verifying the identity of users, systems, or entities.

14
Q

Question: In the AAA framework, what defines permissions and determines what authenticated users or systems are allowed to do?
A) Authentication
B) Authorisation
C) Accounting
D) Auditing

A

Answer: B) Authorisation

15
Q

Question: Which component of the AAA framework tracks user activities to ensure they are operating within their designated permissions?
A) Authentication
B) Authorisation
C) Accounting
D) Access Control

A

Answer: C) Accounting

16
Q

Question: What is the purpose of a Gap Analysis in security?

A

Answer: To identify differences between current security practices and desired outcomes or standards.

17
Q

Question: Which Zero Trust concept dynamically adjusts user/system identity verification based on context?
A) Threat Scope Reduction
B) Policy-driven Access Control
C) Adaptive Identity
D) Implicit Trust Zones

A

Answer: C) Adaptive Identity

18
Q

Question: What is a “Honeypot” in deception and disruption technology?

A

Answer: A decoy system or data set up to lure attackers.

19
Q

Question: True or False: A Honeynet is a single decoy system designed to attract attackers.

A

Answer: False (A Honeynet is a network of honeypots.)

20
Q

Question: What is a “Honeytoken”?

A

Answer: A piece of data used to alert when accessed, which has no real-world use other than being a trap.

21
Q

Question: Which aspect of business processes in change management ensures that only vetted and necessary changes get implemented, reducing the risk of introducing vulnerabilities?
A) Ownership
B) Stakeholders
C) Approval Process
D) Backout Plan

A

Answer: C) Approval Process

22
Q

Question: True or False: In change management, a backout plan is important only for major system overhauls and not for minor updates.

A

Answer: False (A backout plan is essential to revert changes if unforeseen vulnerabilities are introduced, regardless of change size.)

23
Q

Question: Which technical implication of change management might require updating lists that determine which activities or entities are permitted or prohibited, directly affecting security postures?
A) Downtime
B) Legacy Applications
C) Allow lists/Deny lists
D) Service Restart

A

Answer: C) Allow lists/Deny lists

24
Q

Question: What is the security concern related to “Legacy Applications” during change management?

A

Answer: Older software might not be compatible with new changes and can have unresolved vulnerabilities.

25
Question: Why is "Version Control" important in change management from a security perspective?
Answer: It allows teams to track which modifications were made and when, which is critical for security forensics and understanding potential vulnerabilities.
26
Question: In Public Key Infrastructure (PKI), what ensures secure communication where only the private key holder can decrypt what the public key encrypts?
A) Key Escrow
B) Public/Private Key
C) Key Exchange
D) Certificate Authority
Answer: B) Public/Private Key
27
Question: What is the purpose of "Key Escrow" in cryptography?
Answer: It allows a trusted third party to hold cryptographic keys, ensuring they're available if the original holders lose access or in legal scenarios.
28
Question: Which encryption level protects data as it's transmitted across networks, such as with HTTPS?
A) Full-disk encryption
B) Partition encryption
C) File encryption
D) Transport/Communication encryption
Answer: D) Transport/Communication encryption
29
Question: True or False: Asymmetric encryption uses the same key for both encryption and decryption.
Answer: False (Symmetric encryption uses the same key; asymmetric uses public/private key pairs.)
30
Question: Which cryptographic tool is a dedicated microcontroller that stores keys, passwords, and digital certificates securely?
A) HSM
B) Key Management System
C) Secure Enclave
D) TPM
Answer: D) TPM
31
Question: What is "Steganography"?
Answer: Hiding data within other data (e.g., embedding a secret message in an image).
32
Question: What is the purpose of "Salting" in hashing?
Answer: Random data added before hashing to ensure the same input produces different outputs, making it harder to crack.
33
Question: What do "Digital Signatures" confirm?
Answer: The authenticity of a digital document or message.
34
Question: Which certificate type is used for securing a domain and its subdomains?
A) Self-signed certificate
B) Third-party certificate
C) Wildcard certificate
D) Root of Trust certificate
Answer: C) Wildcard certificate