Unit 1: General Security Concepts

Question 1

Control Categories

Answer 1

Technical, Managerial, Operational, and Physical

Question 2

Technical Controls

Answer 2

• Controls implemented using systems
• Operating system controls
• Firewalls, anti-virus

Question 3

Managerial Controls

Answer 3

• Controls that address security design and implementation
• Security policies, standard operating procedures

Question 4

Operational Controls

Answer 4

• Controls that are implemented by people
• Security guards, awareness programs

Question 5

Physical Controls

Answer 5

• Controls limiting physical access to buildings, rooms, etc.
• Fencing, door locks

Question 6

Preventative Controls

Answer 6

Controls that block access to a resource (firewalls, guard shacks, door locks).

Question 7

Deterrent Controls

Answer 7

Controls designed to discourage people from violating security directives (threat of demotion, warning signs).

Question 8

Detective Controls

Answer 8

Controls designed to identify and log intrusions/intrusion attempts (system logs, motion detectors).

Question 9

Corrective Controls

Answer 9

Controls that are applied after an event to reverse impact or continue operating (backup restoration, fire extinguisher, law enforcement).

Question 10

Compensation Controls

Answer 10

Additional security controls put in place to compensate for weaknesses in other controls (separation of duties, backup generator, blocking instead of patching).

Question 11

Directive Controls

Answer 11

Controls that direct subjects towards security compliance - seen as a weak control (fire storage policies, compliance policies).

Question 12

C.I.A. Triad

Answer 12

Confidentiality, Integrity, Availability

Question 13

Confidentiality

Answer 13

Ensures that only authorized parties can view information (i.e. encryption).

Question 14

Integrity

Answer 14

Safeguarding the accuracy & completeness of information (i.e. hashing).

Question 15

Availability

Answer 15

Ensuring that authorized users have access to information when required (i.e. reliable backups).

Question 16

Non-repudiation

Answer 16

Proof of the origin, authenticity and integrity of data.

Question 17

Proof of Integrity

Answer 17

Verifying that data has not changed by hashing

Question 18

Hashing

Answer 18

A code that represents data as a short string of text, like a digital fingerprint.

Question 19

Proof of Origin

Answer 19

Verifying the person who sent the data is who they claim to be (authentication).

Question 20

AAA Framework

Answer 20

Authentication, Authorization, Accounting

Question 21

Authentication

Answer 21

Proving you are who you say you are which can be done by: what you know and what you have, or two factor authentication (i.e. password and phone for confirmation code).

Question 22

Authorization

Answer 22

What access do specific authenticated users have, often done by abstraction.

Question 23

Accounting

Answer 23

A record of login time, data sent, accessed, or edited, logout time, and more.

Question 24

Abstraction

Answer 24

Defining users by roles, attributes, tags, etc. to avoid white or blacklisting individuals.

Question 25

Gap Analysis

Answer 25

A method for examining and evaluating the current state of a process in order to identify opportunities for improvement in the future.

Question 26

Zero Trust

Answer 26

Security design paradigm where any request (device, process, or person) must be authenticated before being allowed. Done using planes of operation.

Question 27

Planes of Operation

Answer 27

Breaking the network into functional planes, smaller components to efficiently authenticate requests.

Question 28

Data Plane

Answer 28

The actual contact made between physical devices and data transmissions as these messages traverse a network (i.e. ports).

Question 29

Control Plane

Answer 29

The process of decision making, such as routing, blocking, and forwarding, that is performed by protocols (i.e. network address configs/settings).

Question 30

Adaptive Identity

Answer 30

Relies on real-time validation that takes into account the user’s behavior, device, location, and more.

Question 31

Threat Scope Reduction

Answer 31

Limiting the number of possible entry points.

Question 32

Policy-Driven Access Control

Answer 32

Entails developing, managing, and enforcing user access policies based on their roles and responsibilities (i.e. “no editing data” policy only applies to irrelevant employee rolls).

Question 33

Policy Enforcement Point (PEP)

Answer 33

This entity protects the resource that the subject (a user or an application) is attempting to access. When it receives a request from a subject, it creates an XACML request based on the attributes of the subject, the requested action, the resource, and other information. Contains Policy Decision Point (PDP).

Question 34

Policy Engine

Answer 34

Part of the PDP that cross references the access request with its pre-defined policies.

Question 35

Policy Admin

Answer 35

Part of the PDP that is a communicator between PEP and Policy Engine. Provides access tokens, credentials, etc.

Question 36

Physical Security

Answer 36

Weak security measures that physical prevent intrusion. Includes but is not limited to barricades, access control vestibules, video surveillance, lighting, sensors, etc.

Question 37

Honeypots

Answer 37

A seemingly tempting, but bogus target meant to draw hacking attempts. By monitoring infiltration attempts against a honeypot, organizations may gain insight into the identity of hackers and their techniques, and they can share this with partners and law enforcement.

Question 38

Honeynets

Answer 38

Collection of honeypots connecting several honey pot systems on a subnet for a more realistic environment.

Question 39

Honeyfiles

Answer 39

A file pretending to be legitimate, in order to detect malicious activity (BankAcctAndRoutingNumbersWPassIncludedNoMFA.txt!)

Question 40

Honeytokens

Answer 40

Digital data created specifically to monitor the behavior of potential attackers.

Question 41

Public Key Infrastructure (PKI)

Answer 41

The system for issuing and managing pairs of public and private keys and corresponding digital certificates.

Question 42

Symmetric Encryption

Answer 42

A single shared key used to encrypt and decrypt.

Question 43

Asymmetric encryption

Answer 43

Two keys with an establish mathematical relationships are made simultaneously. One key is private to be used by the person decrypting only, and one key is public to encrypt data.

Question 44

Full Disk Encryption (FDE)

Answer 44

A technology that encrypts everything stored on a storage medium automatically, without any user interaction (i.e. BitLocker).

Question 45

Individual File Encryption

Answer 45

Service usually built into OS, but may also be 3rd party application that encrypts certain data by request.

Question 46

Database Encryption

Answer 46

An encryption method that targets databases and the data they contain, rather than individual files or whole disks.

Question 47

Key Stretching

Answer 47

A technique used to increase the strength of stored data. it adds additional bits (called salts) and can help thwart brute force and rainbow table attacks.

Question 48

Trusted Platform Module (TPM)

Answer 48

A chip on the motherboard of the computer that provides cryptographic services. May have private keys burned onto the chip.

Question 49

Hardware Security Module (HSM)

Answer 49

A device that can safely store and manage encryption keys in large environments (data centers). This can be used in servers, data transmission, protecting log files, etc.

Question 50

Key Management System

Answer 50

Integrated approach for generating, distributing and managing, cryptographic keys for devices and applications all from one console.

Question 51

Secure Enclave

Answer 51

Extensions which allow a trusted process to create an encrypted container for sensitive data.

Question 52

Obfuscation

Answer 52

the action of making something obscure, unclear, or unintelligible - Hiding information in plain sight.

Question 53

Steganography

Answer 53

Greek for “concealed writing” - the art and science of hiding information by embedding messages within other, seemingly harmless messages.

Question 54

Tokenization

Answer 54

A deidentification method where a unique token is substituted for real data (i.e. sending a placeholder SSN through a network instead of your real SSN, incase there is a middle man).

Question 55

SHA256

Answer 55

Common cryptographic hash algorithm that generates an almost-unique, fixed size 256-bit (32-byte) hash. Of the strongest hash functions available.

Question 56

MD5

Answer 56

128 bits hashing algorithm similar to SHA256. A possible collision problem was recorded in 1996, and consequently it is not recommended.

Question 57

Practical Hashing

Answer 57

Storing salted hashes instead of plaintext passwords.

Question 58

Salt

Answer 58

Random data added to a password when hashing. Performed so users with the same password get different hashes.

Question 59

Rainbow Table

Answer 59

A table of every possible input and their hashes, rendered unusable with salt hashing. Makes harder for hackers to get golden goose of information.

Question 60

Digital Signature Hashing

Answer 60

Proves a message was not changed (integrity), helps prove source (authentication, and makes sure the signature isn’t fake (non-repudiation). Users sign with their private key, which public can verify with public key based on the established mathematical relationship.

Question 61

Blockchain Technology

Answer 61

Refers to a decentralized “public ledger” of all transactions that have ever been executed. It is constantly expanding, as “completed” blocks are added to the ledger with each new transaction.

Question 62

Digital Certificate

Answer 62

a data file that identifies individuals or organizations online and is comparable to a digital signature.

Question 63

X.509

Answer 63

The standard format for digital certificates.

Question 64

Web of Trust

Answer 64

A decentralized model used for sharing certificates without the need for a centralized CA. Multiple sources can sign each other’s certificate.

Question 65

Root of Trust

Answer 65

An inherently trusted component including hardware, software, secure enclave, etc. (i.e. browsers will most likely tell you if websites you’re connecting to are secure or not).

Question 66

Certificate Signing Request (CSR)

Answer 66

A specially formatted encrypted message that validates the information the CA requires to issue a digital certificate. A keypair is created, the public key is sent to a Certificate Authority, CA digitally signs or denies requests.

Question 67

Certificate Authority (CA)

Answer 67

A trusted third-party agency that is responsible for issuing digital certificates.

Question 68

Certificate Revocation List (CRL)

Answer 68

A repository that lists revoked digital certificates.