Mock exam 1 - Qs got wrong Flashcards

Question

Provisioning requests for the IT department have been backlogged for months. You are concerned that employees are using unauthorized cloud services to deploy VMs and store company data. Which of the following services can be used to bring this shadow IT back under the corporate security policy? A) VPN B) CASB C) SLA D) SWG

Answer 1

B) CASB **A cloud access security broker (CASB** enforces proper security measures between a cloud solution and a customer organization. A CASB monitors user activities, notifies administrators about significant events, performs malware prevention and detection, and enforces compliance with security policies. A secure web gateway (SWG) is a cloud-based web gateway that combines features of a Next-generation Firewall (NGFW) and a Web Application Firewall (WAF). SWG provides an ongoing update to filters and detection databases and is designed to provide filtering services between cloud-based resources and on-premises resources. SWG uses standard WAF functions, TLS decryption, CASB functions, sandboxing features, and threat detection functions to protect enterprises from the ever-evolving cloud-based risks and attacks. A service level agreement (SLA) is an agreement between a company and a vendor in which the vendor agrees to provide certain functions for a specified period. Besides ensuring compliance with your security policy and reporting compliance issues in real-time, a CASB should report risks, see any shadow IT, and do it all from one platform. A CASB uses an array of strategies to protect an organization from cyberattacks. A CASB uses data loss prevention to protect against critical data leaks by labeling, tracking, and restricting access to files and specific information as it travels from a device to the cloud and beyond. Shadow IT is IT applications, systems, and resources (such as cloud services) that are installed or used by internal staff without the knowledge or consent of the IT department. Shadow IT is neither authorized nor approved, and therefore poses a risk to the organization's security posture, risk management, data integrity, and regulatory compliance.

Answer 2

B)Spraying A spraying attack is not a cryptographic attack, but rather a type of brute-force password attack. A spraying attack has a couple of different forms. It may use a common or default password for an organization and test that against multiple accounts. “P@$$w0rd” is often used as a secure password, and in a larger organization, you are likely to find an account that uses this password. Another form would be to use a variation of a company’s slogan against a user list. A downgrade attack is a cryptographic attack that causes the system to use less-stringent security controls. When these less-stringent (downgraded) security controls, typically insecure protocols, are activated, the attacker takes advantage of those less-than-secure settings. An example would be an attack that disables HTTPS port 443. In order for web traffic to go through, HTTP port 80 is enabled. HTTP is less secure protocol than HTTPS, and the attacker exploits HTTP. A collision attack is a cryptographic attack that combines brute force attacks, each with a different input, to produce the same hash value. A birthday attack is a type of cryptographic attack. A birthday attack is named after the mathematical probability that two people in the same network have the same birthday.

Answer 3

C) Right to be forgotten The right to be forgotten, also known as the right to erasure, grants individuals the right to request the deletion or removal of their personal data from an organization's systems or records. This right is enshrined in privacy regulations such as the GDPR and allows individuals to exercise control over their personal information, particularly in cases where the data is no longer necessary for the purposes for which it was collected or processed. Compliance with the right to be forgotten requires organizations to establish procedures for handling data deletion requests and ensure that personal data is promptly and securely erased when requested by the data subject. Legal implications of privacy compliance encompass the local/regional, national, and global laws and regulations that govern the collection, use, and protection of personal data. These legal frameworks define the rights and responsibilities of organizations regarding the processing of individuals' personal information and establish penalties for non-compliance. For example, in the European Union, the General Data Protection Regulation (GDPR) outlines strict requirements for data protection and privacy, with significant fines for violations. Similarly, laws such as the California Consumer Privacy Act (CCPA) in the United States impose legal obligations on organizations handling personal data, with potential legal consequences for non-compliance. The data subject refers to the individual to whom the personal data relates, whose privacy rights are protected by privacy regulations and laws. Data subjects have the right to control their personal information, including the right to access, correct, and delete their data, as well as the right to be informed about how their data is processed. Compliance with privacy regulations requires organizations to respect the rights of data subjects and implement measures to ensure the lawful and fair processing of their personal data. Data inventory and retention practices involve identifying and categorizing the personal data collected and stored by an organization, as well as establishing policies and procedures for its proper retention and disposal. Effective data inventory and retention practices enable organizations to manage personal data responsibly, minimize data collection, and comply with legal requirements regarding data retention periods. By maintaining an accurate inventory of personal data and implementing data retention schedules, organizations can reduce the risk of unauthorized access, misuse, or retention of unnecessary data.

Answer 4

B) single sign-on Single sign-on (SSO) allows users to freely access all systems to which their account has been granted access after the initial authentication. The SSO process addresses the issue of multiple usernames and passwords. It is based on granting users’ access to all the systems, applications, and resources they need when they start a computer session. This is considered both an advantage and a disadvantage. It is an advantage because the user only has to log in once and does not have to constantly re-authenticate when accessing other systems. Multiple directories can be browsed using single sign-on. It is a disadvantage because the maximum authorized access is possible if a user account and its password are compromised. All the systems that are enrolled in the SSO system are referred to as a federation. In most cases, transitive trusts are configured between the systems for authentication. Systems that can be integrated into an SSO solution include Kerberos, LDAP, smart cards, Active Directory, and SAML. A federated identity management system provides access to multiple systems across different enterprises. Discretionary access control (DAC) and mandatory access control (MAC) are access control models that help companies design their access control structure. They provide no authentication mechanism by themselves. Smart cards are authentication devices that can provide increased security by requiring insertion of a valid smart card to log on to the system. They do not determine the level of access allowed to a system. Most smart cards have expiration dates. If a user was reissued a smart card after the previous smart card had expired and the user is able to log into the domain but is now unable to send digitally signed or encrypted e-mail, you should publish the new certificates to the global address list. A biometric device can provide increased security by requiring verification of a personal asset, such as a fingerprint, for authentication. They do not determine the level of access allowed to a system. Single sign-on was created to dispose of the need to maintain multiple user accounts and passwords to access multiple systems. With single sign-on, a user is given an account and password that logs on to the system and grants the user access to all systems to which the user's account has been granted. User accounts and passwords are stored on each individual server in a decentralized privilege management environment.

Answer 5

D)Compensating type The BEST answer is that you implemented the compensating control type because the primary control, separation of duties, was not feasible due to a staffing shortage. You increased your auditing frequency and added a withdrawal alert to the account to compensate for the loss of the primary control. Note that both of these controls would be considered detective controls IF they were not being implemented in place of a primary control. A detective control alerts you to an incident that is occurring or has already occurred. In this scenario, the purpose of the new controls is to compensate for the absence of another control, which is separation of duties. The category of operational controls supports daily operations. These controls are implemented by people. A step-by-step procedure describing how to perform the duties of the job role so that the risk of fraud is minimized would be an example of operational control. Preventative controls, like firewalls and door locks, block access to security weaknesses. There is nothing in the scenario to indicate the employee knows about the increased auditing, so it is not a deterrent. Deterrent controls discourage behavior that would harm the enterprise, such as acceptable use policies (AUPS) and signs that announce the use of video surveillance. Managerial is a category of controls based on oversight and risk management. These controls are implemented with policies and plans, and guide behaviors and actions to align with the organization’s security goals. If auditing were the primary control for this job role instead of separation of duties, then it would fall in the managerial category. CompTIA defines four categories of access control: technical, operational, managerial, and physical. Technical control – a category of controls that use software or hardware to restrict access, such as firewalls, encryption, and multi-factor authentication. Physical control – a category of controls that are implemented in the physical realm, such as locks, fences, CCTV, backup media, and secured cabling. Managerial (sometimes called administrative) control – a category of controls that dictate how management uses oversight to meet the company's security goals. Managerial controls include risk assessments, performance reviews, background checks, personnel controls, a supervisory structure, security training, and auditing. Operational control – a category of controls that provide employees with best practices to follow and actions to implement to meet security goals. Examples are standard operating procedures, incident response policies, and password policies. Controls can also be classified according to six different control types: Preventative – A preventative control stops security issues before they occur. Deterrent – A deterrent control affects human behavior to make security issues less likely to occur. Detective – A detective control finds indicators of security issues that are occurring or have occurred. Corrective – A corrective control restores control and attempts to correct any damage that was inflicted during a security issue that occurred. Compensating – A compensating control is put into place when the recommended primary control cannot be used. Directive – A directive control provides behavioral guidance, guidelines, and policies to follow regarding potential, current, or past security issues.

Answer 6

A)Failover testing B)Parallel processing Failover testing and parallel processing would help in assessing system resilience and performance during a failure. **In failover testing, you would deliberately trigger a failure in a system component to evaluate the effectiveness of the failover mechanism.** This method assesses the system's ability to switch to backup components or systems seamlessly in the event of a failure, ensuring continuity and minimal disruption to operations. An example would be shutting off the power to a facility to test the backup generator. **In parallel processing, you would test the ability to handle increased workloads by simultaneously executing multiple tasks or processes to assess the system's ability to cope.** This method is particularly useful for evaluating performance under heavy loads and determining whether the system can efficiently distribute and process tasks in parallel. Parallel processing also ensures redundancy is built in to the system by duplicating components and workloads. In vulnerability scanning, you would identify and assess security vulnerabilities in a system. While this test is important for security, it does not test the architecture for capacity. Penetration testing would simulate cyberattacks to identify and exploit vulnerabilities in a system. This provides critically valuable information, but penetration testing does not evaluate capacity planning.

Answer 7

B)Security keys Security keys would be the most appropriate solution to enhance the security of the EHR system. Security keys are physical devices that users insert into their computers or mobile devices to authenticate their identities. These devices contain cryptographic keys that are used to generate unique authentication codes for each login attempt. Security keys provide a strong level of security and are easy for users to use, making them suitable for protecting sensitive patient health information. Additionally, security keys can help prevent unauthorized access to EHR systems, reducing the risk of data breaches and ensuring compliance with healthcare privacy regulations such as HIPAA. Biometrics refers to the use of physiological or behavioral characteristics, such as fingerprints, iris scans, or facial recognition, to verify the identity of users. While biometrics offers a high level of security and convenience, it may not be the most appropriate solution for the scenario described. Biometric systems can be expensive to implement and may require specialized hardware and software. Additionally, there may be concerns about user privacy and data protection when implementing biometric authentication for healthcare systems. Soft authentication tokens involve the use of physical or software-based devices that generate one-time passwords (OTPs) or cryptographic keys for user authentication. The keys are sent to an application on a mobile device. While authentication tokens provide an additional layer of security, they may not be the most appropriate solution for the scenario described. Healthcare professionals often need quick and easy access to patient records, and requiring them to generate codes with a soft token that is read with another app would be less efficient than inserting a security key into a workstation. While identification badges are commonly used for physical access control in healthcare facilities, they are not suitable for implementing multifactor authentication for electronic systems like EHRs. Identification badges do not provide the same level of security as multifactor authentication solutions like biometrics, authentication tokens, or security keys. Additionally, requiring healthcare professionals to use identification badges for EHR access could introduce security risks if badges are lost or stolen.

Answer 8

A) low security cost E) easier to implement **Role-based access control (RBAC) has a low security cost because security is configured based on roles**. For this reason, it is also easier to implement than the other access control models. During the information gathering stage of a deploying RBAC model, you will most likely need a matrix of job titles with their required access privileges. RBAC is NOT the most user friendly option. **Discretionary access control (DAC) is more user friendly than RBAC because it allows the data owner to determine user access rights.** If a user needs access to a file, he only needs to contact the file owner. RBAC is NOT discretionary in nature. DAC is discretionary, meaning access to objects is determined at the discretion of the owner. RBAC is NOT a highly secure environment. Mandatory access control (MAC) is considered a highly secure environment because every subject and object is assigned a security label. **With RBAC, it is easy to enforce minimum privilege for general users.** You would create the appropriate role, configure its permissions, and then add the users to the role. A role is defined based on the operations and tasks that the role should be granted. Roles are based on the structure of the organization and are usually hierarchical. RBAC is a popular access control model used in commercial applications, especially large networked applications. Rule-based access control is often confused with RBAC because their names are similar. With rule-based access control, access to resources is based on a set of rules. The user is given the permissions of the first rule that he matches.

Answer 9

B) Only purchase hardware from authorized vendors or resellers C) Request proof of equipment certification from hardware vendors D) Integrate supply chain management into the overall risk management framework E) Inspect hardware for signs of tampering NIST defines cybersecurity risks throughout the supply chain as “the potential for harm or compromise that may arise from suppliers, their supply chains, their products, or their services” (NIST SP 800-161r1). Among the recommended techniques for minimizing adversarial threats from hardware purchases, you should: Only purchase hardware from authorized vendors or resellers Integrate supply chain management into the overall risk management framework Inspect hardware for signs of tampering Request proof of equipment certification from hardware vendors Conduct a supply chain analysis and audit the existing supply chain Have an inventory management system that includes asset tracking and secure disposal Natural disasters are a threat to the supply chain, but they are not an adversarial threat. Adversarial threats arise from a human vector, such as malicious insiders, organized crime, and nation-states. A legally enforceable purchase order with a hardware vendor will not protect your organization from hardware that has been tampered with once it left the vendor’s direct control. Hardware should be inspected for missing or broken seals, opened boxes, refurbished components, or counterfeit components.

Mock exam 1 - Qs got wrong Flashcards

(34 cards)