Elements of Security

Question 1

What are the CIA Triads in InfoSec?

Answer 1

Confidentiality, Integrity, Availability

Question 2

What is Confidentiality?

1 of the CIA Triads

Answer 2

Only allow authorized parties to access the data or system.

Question 3

Define Integrity.

1 of the CIA Triads

Answer 3

Protect the data from unauthorized modification or deletion.

Question 4

What is Availability?

1 of the CIA Triads

Answer 4

Ensure that data and systems that you are protecting can still be accessed and used as needed.

Question 5

Define Information Security.

Answer 5

Information Security is anything that you do to protect your data.

Question 6

SECURITY, FUNCTIONALITY, USABILITY

Answer 6

-These attributes are interlocked
-Security is at odds with nearly every other organizational process.
-Increasing security usually requires decreasing functionality and usability.

Question 7

Define “Defense-in-Depth”.

Answer 7

-Multiple layers of security controls.

Question 8

What is the purpose of “Defense-in-Depth”

Answer 8

Defense-in-Depth provides redundancy in the event of a control failure.

Question 9

What are the three (3) types of Active Defense?

Answer 9

Annoyance, Attribution, Attack

Question 10

What is Annoyance in the context of Active Defense?

Answer 10

-it involves tracking a hacker and leading them to a fake server (honeypot).
-waste their time
-make them easy to detect

Question 11

What is Attribution in the context of Active Defense?

Answer 11

-Identify the attacker
-Use tools to trace the source of an attack back to a specific location, or even an individual.

Question 12

What is Attack in the context of Active Defense?

Answer 12

-This is the most controversial and risky.
-You “hack back”
-access an alleged hackers’ computer
-delete the data or take revenge
-both steps are considered illegal.

Question 13

Hack Value

Answer 13

Perceived value or worth of a target as seen by the attacker.

Question 14

Vulnerability

Answer 14

A weakness or flaw in a system.

Question 15

Threat

Answer 15

Anything that can potentially violate the security of a system or organization.

Question 16

Exploit

Answer 16

An actual mechanism for taking advantage of a vulnerability.

Question 17

Payload

Answer 17

The part of an exploit that actually damages the system or steals the information.

Question 18

Zero-day Attack

Answer 18

An attack that occurs before a vendor is aware of a flaw or is able to provide a patch for a flaw.

Question 19

Daisy Chaining / Pivoting

Answer 19

Using a successful attack to immediately launch another attack.

Question 20

Doxing

Answer 20

Publishing personally identifiable information (PII) about an individual usually with a malicious intent.

Question 21

Non-Repudiation

Answer 21

The inability to deny that you did something . Usually accomplished through requiring authentication and digital signatures on documents.

Question 22

Control

Answer 22

Any policy, process or technology set in place to reduce risk.

Question 23

Mitigation

Answer 23

Any action or control used to minimize damage in the event of negative event.

Question 24

Accountability

Answer 24

Ensure that responsible parties are held liable for actions they have taken.

Question 25

Authenticity

Answer 25

The proven fact that something is legitimate or real.

Question 26

Enterprise Information Security Architecture (EISA)

Answer 26

The process of instituting a complete information security solution that protects every aspect of an enterprise organization.

Question 27

SECURITY CONTROL TYPES: Physical

Answer 27

Tangible mechanisms designed to deter unauthorized access to rooms, equipment, document, and other items.

Question 28

SECURITY CONTROL TYPES: Administrative

Answer 28

Procedures and policies that inform people on how the business is to be run and how day to day operations are to be conducted. Can be enforced through management policing, physical, and technical means.

Question 29

SECURITY CONTROL TYPES: Technical

Answer 29

Any measures taken to reduce risk via technological means.