100 Questions
What does the CIA triad refer to in the context of security?
Confidentiality, Integrity, Accessibility
Why is it important for computing systems to have integrity?
To rely on the accuracy and trustworthiness of the systems and the information they store
What does the term 'non-repudiation' refer to in the context of security?
Ensuring that a party cannot deny the authenticity of a message or action
What aspects must a modern security practitioner comprehend in a rapidly changing technological world?
Principles of architecture, design, management, interoperability, and evolution
What is the foundation of every organization’s security architecture according to the text?
(Confidentiality, Integrity, Accessibility)
Why is obtaining and sustaining security described as a multifaceted, interdisciplinary problem?
Because it involves evaluation of software and hardware components as well as human processes and physical restrictions in the actual world
What are threat actors responsible for in the context of cybersecurity?
Executing cyberthreats
What is the impact in the context of cybersecurity?
The level of damage from unauthorized information disclosure or modification
What refers to the probability of a cybersecurity threat occurring multiplied by its impact?
Risks
What does attack surface refer to in the context of cybersecurity?
The points or vectors through which an unauthorized user can extract data
What do attack trees depict in the context of system attacks?
The objectives attackers intend to achieve
What does compliance refer to in the context of cybersecurity?
Ensuring specified norms and rules are met
Which of the following is NOT one of the principles in the CIA information security triad?
Authenticity
What does confidentiality mean in the context of information security?
Ensuring that information remains private and is accessed only by authorized individuals
Which of the following is considered an example of a threat in cybersecurity?
Denial of service (DoS) attacks
What is the primary safeguard for the secrecy of information systems in the context of confidentiality?
Cryptography
What does integrity relate to in the framework of information security?
Dependability, completeness, and accuracy of information
What is the significance of availability in the CIA information security triad?
It is just as central to information security as confidentiality and integrity
What does regulatory compliance involve?
Classifying data based on importance and sensitivity
What is the primary purpose of risk assessment in the context of regulatory compliance?
To identify risks, evaluate their likelihood and possible effects
What do cyber security standards facilitate?
Establishment of common security requirements and capabilities
What does the Federal Risk and Authorization Management Program (FedRAMP) provide?
A standardized method for security assessment and authorization
What is the primary purpose of rule-based regulations?
To emphasize hazards and specify precise controls and processes
What is the role of regulators when drafting prescriptive regulations?
To provide a detailed list of what must or can be done
What is a characteristic of outcome-based regulations?
They allow firms to take any approach as long as it's sufficient, effective, and reasonable
Which industry is governed by the Health Insurance Portability and Accountability Act (HIPPA)?
Healthcare
What is the primary focus of the Sarbanes–Oxley Act in the financial sector?
Defining security procedures for safeguarding stored records
What aspect of compliance does the Payment Card Industry Data Security Standards (PCI-DSS) address?
Handling of payment card data
What is the goal of the Health Insurance Portability and Accountability Act (HIPPA) in relation to personal health information (PHI)?
To ensure the consistent security of PHI as per its value
Which industry must comply with the ISO/IEC 27001:2013 standard?
Manufacturing
What is the primary responsibility of the North American Electric Reliability Council (NERC) in the energy industry?
Managing compliance standards of utility companies
Which standard is significant in governing retail security and the handling of payment card transactions?
Payment Card Industry Data Security Standards (PCI-DSS)
What is the primary focus of Defense in Depth (DiD) security approach?
Safeguarding against DDoS attacks and data breaches
What is the significance of redundancy in a layered security strategy like Defense in Depth (DiD)?
It restricts and mitigates damage if one layer is breached
Which category of security controls protects IT systems and other physical assets from risks such as tampering and unlawful access?
Physical security controls
In what context is the term 'DiD' originally derived from?
Military strategy
What is an essential premise of a Defense in Depth (DiD) strategy?
Detection and prevention of attacks without multiple products
What does ISO/IEC 27001:2013 primarily focus on?
'Rigorous process' for meeting all requirements in compliance
Which industry must comply with PCI-DSS rules governing retail security?
'Retail' industry
What does layered security in Defense in Depth (DiD) aim to prevent?
Attackers from gaining access to a protected network
What does multi-factor authentication (MFA) require to confirm the identity of a person or device?
Biometric identification and identity verification using external tools
What does zero trust security strategy integrate?
Various security notions mentioned above
What is the primary goal of layered security in the Defense in Depth (DiD) approach?
Safeguarding an organization from a broad range of physical and cyber threats
What is an essential characteristic of an integrated security strategy?
Guaranteeing that multiple security products collaborate effectively
What is a common misconception about security, as described in the text?
Security is always absolute and not context-dependent
What does behavior analysis in security help detect?
Abnormal traffic patterns and unauthorized access
What is the primary difference between a bug and a flaw in the context of security?
In the context of security, a bug refers to a low-level implementation error, while a flaw refers to a design error.
Why is it generally considered more expensive and complex to fix a flaw compared to fixing a bug in software?
Flaws typically require significant restructuring of both problematic code and dependent code
In the context of software security, what could be the consequence of failing to sanitize user-supplied input used in a database call, resulting in SQL injection?
Disclosure of secrets
What is the significance of developing safe software from the beginning in the context of application security?
Eliminates the need to add extra security components later on
What do taxonomies achieve in the context of software security?
Divide a body of information and establish links between things
Why might vulnerabilities remain unfixed in certain circumstances, leaving the system vulnerable to security issues?
Vulnerabilities cannot be fixed, leading to system insecurity
What is the primary function of physical security controls in a Defense in Depth (DiD) approach?
To protect IT systems and physical assets from tampering and unlawful access
What is the main purpose of administrative security controls in the context of Defense in Depth (DiD)?
To govern access to internal systems and sensitive data
What is the primary role of technical security controls in a Defense in Depth (DiD) strategy?
To avoid network and application-based vulnerabilities
What is the potential consequence of a single point of failure in a security solution?
A compromised network or system leading to hacking or harm
What do existing DiD methods encompass based on the provided information?
Physical, technical, and administrative security controls only
What is the primary focus of technical security controls as part of a Defense in Depth (DiD) approach?
Avoiding data breaches and DDoS attacks
What is a recommended solution to prevent injection vulnerabilities?
Use server-side input validation that is affirmative
What does secure design aim to achieve in software development?
Regularly evaluate risks and ensure that code is securely constructed
What is a characteristic of Insecure Design according to the text?
Absence of business risk profiling intrinsic to the software
What is the primary purpose of the OWASP Software Assurance Maturity Model (SAMM)?
Prevent known attack techniques
What is an essential element of a safe development lifecycle according to the text?
Regularly evaluate risks and ensure that code is securely constructed
What is the significance of threat modeling in secure software development?
To validate assumptions and enforce requirements for appropriate conduct
What is the essential purpose of OWASP's top 10 list?
To categorize and highlight the most critical vulnerabilities in web applications
What is the best solution to minimize access control vulnerabilities?
Reinforce business limit constraints specific to each application
Why is it important to identify sensitive data according to privacy laws and business requirements?
To ensure compliance with data protection regulations
What is the key recommendation for encrypting in-transit data to prevent cryptographic failures?
Utilize standard algorithms, protocols, and keys
How can access control failures be minimized?
Access control failures should be logged
Why is it crucial to disable directory listings on the webserver?
To prevent unauthorized access and exposure of files
What is the primary purpose of the MITRE ATT&CK framework?
To identify and classify security threats and tactics
What is the role of MITRE in relation to security?
Running federally financed research and development centers
Why does an application become vulnerable if frequent vulnerability scans are not performed?
Due to unknown versions of components
What is the purpose of a segmented application architecture?
To effectively separate components or tenants securely
What is the significance of a repeatable hardening procedure?
It ensures identical configurations for all environments
How does the MITRE ATT&CK framework focus on detections?
By explaining how detections happen without vendor-specific focus
Why is it important to limit resource usage by user or service?
To ensure efficient and secure operation of the system
What is the significance of conducting vulnerability scans for an application?
It identifies unknown versions of components and hierarchical dependencies
Why is it crucial to implement a segmented application architecture?
To effectively and securely separate components or tenants
Which database aids developers in the discovery of threats to open-source projects on the GitHub platform?
GitHub Advisory Database
What is the primary purpose of CodeQL?
To automate security checks and variant analysis
What do security engineers use a variant analysis for?
Identifying potential vulnerabilities across multiple codebases
What is the primary focus of secure application development training?
Teaching developers how to write safer code
What is a data breach defined as?
Taking information from a system without the owner's knowledge or consent
Why is it ineffective to hand over software to security engineers for testing and fixing vulnerabilities?
Developers understand the software more than anyone else
What does OWASP define as an application security vulnerability?
An implementation bug that allows an attacker to harm a stakeholder
What is an essential phase in reducing the risk associated with software vulnerabilities?
-yearly secure development training
What is the significance of annual training for software developers?
-refresh their skills and inform them of the most current threats
What is the primary goal of the 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses (CWE Top 25)?
To illustrate the most dangerous software weaknesses encountered in the past two years
What is the main objective of the Common Weakness Enumeration (CWE)?
To prevent vulnerabilities at the source through training
Why are the 2021 Common Weakness Enumeration (CWE) Top 25 vulnerabilities considered dangerous?
They allow adversaries to seize total control of a system or steal information
Who does the Common Weakness Enumeration (CWE) primarily aim to train in order to prevent vulnerabilities?
Software and hardware architects, designers, programmers, and acquirers
What is the significance of the CWE List and classification taxonomy?
To act as a vocabulary for identifying and describing various CWE-based problems
What is the primary focus of the MITRE ATT&CK framework?
To provide a knowledge base for understanding adversary behavior
What does the Health Insurance Portability and Accountability Act (HIPPA) primarily aim to achieve in relation to personal health information (PHI)?
To ensure the confidentiality and integrity of PHI
What is the essential purpose of OWASP's Software Assurance Maturity Model (SAMM)?
To provide a framework for building security into software development processes
What is an important aspect that project managers, developers, testers, users, security researchers, and educators should understand by referring to the 2021 Common Weakness Enumeration (CWE) Top 25?
The most severe and current security vulnerabilities
What is a crucial aspect that Defense in Depth (DiD) strategy addresses?
Ensuring that multiple layers of security are in place
What does vulnerability scanning for an application help in achieving?
Detecting and addressing potential security weaknesses
Why is it important to identify sensitive data according to privacy laws and business requirements?
To ensure regulatory compliance only
Study Notes
- Computing systems play a significant role in our daily lives, requiring assurance of their accessibility, integrity, and confidentiality.
- The CIA triad (Confidentiality, Integrity, Availability) forms the foundation of every organization's security architecture.
- Confidentiality ensures that private information remains confidential and is accessible only to authorized individuals.
- Integrity guarantees the accuracy, completeness, and dependability of information, as well as the prevention of unauthorized changes.
- Availability ensures that information is accessible to authorized users.
- Non-Repudiation is a property of cryptographic digital signatures that demonstrates the authenticity of a digital transaction.
- Threats in cybersecurity are occurrences or events that have the potential to cause harm to a system or organization.
- Threat actors are entities, such as individuals or groups, that execute cyber threats.
- Vulnerabilities are systemic weaknesses that make the consequences of threats more dangerous.
- Impact refers to the level of damage that can be anticipated from a breach of confidentiality, integrity, or availability.
- Risks are situations that must be prevented, taking into account both the probability of occurrence and the severity of the impact.
Test your knowledge of cybersecurity fundamentals such as the CIA triad, confidentiality, integrity, availability, non-repudiation, threats, threat actors, vulnerabilities, impact, and risks.
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free
