Unit 5 - Module 2 - Safeguards

Question 1

What do you call safeguards designed to reduce specific security risks?

Answer 1

Security Controls

Question 2

What are the 3 types of security controls?

Answer 2

Technical
Operational
Managerial

Question 3

What is the protection of unauthorized access and distribution of data?

Answer 3

Information Privacy

Question 4

Who do you call the person that decides who can access, edit, use, or destroy their information?

Answer 4

Data Owner

Question 5

Anyone or anything that’s responsible for the safe handling, transport, and storage of information, what do you call them?

Answer 5

Data Custodian

Question 6

What do you call the concept in which a user is only granted the minimum level of access and authorization required to complete a task or function?

Answer 6

Principle of Least Privilege

Question 7

What are 3 ways of minimum lever of access inplemented?

Answer 7

1) Limiting access to sensitive information
2) Reducing the chances of accidental modification, tampering, or loss
3) Supporting system monitoring and administration

Question 8

What are the 4 most common user accounts and what do they do?

Answer 8

Guest Account - Provided to external users who need to access an internal network, like customers, clients, contractors, or business partners

User Account - Assigned to staff based on their job duties

Service Account - Granted to application or software that needs to interact with other software on the network

Priviledge Accounts - Elevated permissions or administative access

Question 9

When auditing accounts, what 3 common approaches are there?

Answer 9

Usage Audits
Privilege Audits
Account Change Audits

Question 10

What are the 5 stages of a data lifecycle? In order

Answer 10

Collect
Store
Use
Archive
Destroy

Question 11

What are the **3 data governance policies **that commonly categorize individuals into a specific role?

Answer 11

Data Owner - The person that decides who can access, edit, use, or destroy their information.
Data Custodian - Anyone or anything that’s responsible for the safe handling, transport, and storage of information.
Data Steward - The person or group that maintains and implements data governance policies set by an organization.

Question 12

What are the 3 catagories or peoples sensitive information?

Answer 12

PII ( Personal Identifiable Information ) - Any information used to infer an individual’s identity. Info that can be used to contact or locate someone.
**PHI - ( Protected Health Information ) **- Information that relates to peoples health.
**SPII - (Sensitive Identifiable Personal Information) **- Bank account info, login information, ect.

Question 13

What do you call the protection of unauthorized access and distribution of data?

Answer 13

Information Privacy

Question 14

What do you call the practice of keeping data in all states away from unauthorized users?

Answer 14

Information Security ( InfoSec )

Question 15

What regulations are developed by the EU and puts data owners in total control of their personal information?

Answer 15

GDPR

( General Data Protection Regulation )

Question 16

What do you call the security standards formed by major organizations in the financial industry? Securing credit and debit card transactions.

Answer 16

**PCI DSS **

( Payment Card Industry Data Security Standard )

Question 17

What U.S law requires the protection of sensitive patient health information?

Answer 17

HIPAA

( Health Insurancce Protability and Accountability Act )

Question 18

What do you call the review of an organization’s security controls, policies, and procedures against a set of expections?

Answer 18

Security Audit

Question 19

What do you call seeing how resilient the current security implementation are against threats?

Answer 19

Security Assessment

Question 20

What do you call the process of transforming information into a form that unintended readers can’t understand?

Answer 20

Cryptography

Question 21

What do you call a mechanism that decrypts ciphertext?

Answer 21

Cryptographic Key

Question 22

What do you call the encryption framework that secures the exchange of information online and establishes trust using digital certificates?

Answer 22

Public Key Infrastructure (PKI)

Question 23

What do you call the use of a public and private key pair for encryption and decryption of data?

Answer 23

Asymmetric Encryption

Question 24

What is a file that verifies the identity of a public key holder?

Answer 24

Digital Certificate

Question 25

In public key infrastructure, what do you call the use of a **single secret key** to exchange information?

Answer 25

**Symmetic Encryption**

Question 26

What is an algorithm that produces a code that **can't be decrypted**?

Answer 26

**Hash Function**

Question 27

What do you call the concept that authenticity of information can't be denied?

Answer 27

**Non-Repudiation**

Question 28

In hashing, what do you call it when the limited output size has **gone over** the exceed amount?

Answer 28

Hash Collision

Question 29

What do you call a file of pre-generated hash values and their associated plaintext?

Answer 29

**Rainbow Table**

Question 30

What do you call the safeguard that's used to strengthen hash functions?

Answer 30

**Salting**

Question 31

What do you call security controls that manage access, authorization, and accountability of information?

Answer 31

**Access Controls**

Question 32

What are 3 facotrs of authentication?

Answer 32

1) **Knowledge** - Something the user knows ( Their password or answer to questions ) 2) **Ownership** - Something the user possesses ( Multi factor authentication ) 3) **Characteristic** - Something the user is ( Finger prints scans )

Question 33

What do you call a techonology that combines serveral different logins into one?

Answer 33

**Single sign-on** (SSO)

Question 34

What do you call a security measure which requires a user to verify their identity in **two or more** ways to access a system or network?

Answer 34

Multi-Factor Authentication (MFA)

Question 35

What protocol is mostly used to transmit information on-premises?

Answer 35

**LDAP** ( Lightweight Directory Access Protocol )

Question 36

What protocol is mostly used to transmit information off-premises, like in the cloud?

Answer 36

**SAML** ( Security Assertion Markup Language )

Question 37

What is the **AAA** Framwork? ( 3 Things )

Answer 37

Authentication Authorization Accounting

Question 38

What is the principle that users should **not be given** levels of authorization that would allow them to misuse a system?

Answer 38

**Separation of Duties**

Question 39

What is the techonology used to establish a user's request to access a server?

Answer 39

**Basic Auth**

Question 40

What open-standard authorization protocol that shares designed access between applications? Also uses API tokens

Answer 40

**OAuth**

Question 41

What do you call a small block of encrypted code that contains information about a user?

Answer 41

**API Token**

Question 42

# What do you call A sequence of network HTTP basic auth requests and responces associated with the same user? ( When someone logs on and their acivitity is logged )

Answer 42

**Session**

Question 43

# What do you call A unique token that identifies a user and their device while accessing the system?

Answer 43

**Session ID**

Question 44

# What do you call A token that websites use to validate a session and determine how long that session should last?

Answer 44

**Session Cookie**

Question 45

# What do you call An event when attackers obtain a legitimate user's sessions ID

Question 46

# What do you call A collection of processes and technologies that helps organizations manage digital identities in their environment?

Answer 46

**Identity and Access Management** (IAM)

Question 47

# What do you call The process of creating and maintaining a user's digital identity?

Answer 47

**User Provisioning**

Question 48

What are the 3 frameworks that organizations use to help with **IAM**?

Answer 48

Mandatory Access Control (MAC ) Discretionary Access Control (DAC) Role-Based Access Control (RBAC)

Question 49

What framework is created to manually grant information by a **central authority** or system administrator? Usually used in law enforments, military, and other government agencies.

Answer 49

**Mandatory Access Control (MAC)**

Question 50

What access control is when a data owner decides appropriate levels of access?

Answer 50

**Discretionary Access Control (DAC)**

Question 51

What authorization is determined by a user's role within an organziation?

Answer 51

Role-Based Access Control (RBAC)