Access Control and CIA Triangle Quiz

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

Which category of controls includes policies, procedures, and guidelines aligned with security goals?

Technical controls

Logical controls

Physical controls

Administrative controls (correct)

Which type of control actively blocks unauthorized actions before they occur?

Recovery controls

Detective controls

Corrective controls

Preventive controls (correct)

What type of control identifies and alerts on unauthorized activities as they happen?

Deterrent controls

Recovering controls

Preventive controls

Detective controls (correct)

What does the term 'corrective controls' refer to in cybersecurity?

Controls that fix vulnerabilities post-incident Signup and view all the answers

What type of asset is characterized as having a physical form that can be touched?

Tangible assets Signup and view all the answers

Which state of data occurs when it is actively being processed by a system?

In-use Signup and view all the answers

Which element does the countermeasure dimension in the cybersecurity cube include?

Data protection Signup and view all the answers

What describes an event that violates security unintentionally?

Accidental breach Signup and view all the answers

What method of access control is primarily based on job titles?

Role-Based Access Control (RBAC) Signup and view all the answers

Which of the following is an example of Rule-Based Access Control (RAC)?

Permitting students to access labs only at certain times. Signup and view all the answers

What is the equation used to calculate Annualized Loss Expectancy (ALE)?

ALE = SLE x ARO Signup and view all the answers

What does the Qualitative Method of Risk Assessment rely on?

Expert judgment and subjective ranking. Signup and view all the answers

Which risk response strategy involves eliminating the risk altogether?

Risk Avoidance Signup and view all the answers

What is the primary goal of Risk Mitigation?

To reduce the impact of risks on a project. Signup and view all the answers

In Risk Management, what are the two key steps in Risk Assessment?

Identify assets and risk analysis Signup and view all the answers

What does Risk Transfer aim to achieve?

Sharing responsibility for the risk. Signup and view all the answers

What principle does non-repudiation ensure in a security context?

An individual cannot deny having performed a particular action. Signup and view all the answers

Which access control model is based solely on the owner of the data determining access rights?

Discretionary Access Control (DAC) Signup and view all the answers

Which model evaluates user access based on the historical behavior of the user?

History-Based Access Control (HBAC) Signup and view all the answers

What does the availability aspect of the CIA Triangle refer to?

Making sure that authorized users have access to information and resources when needed. Signup and view all the answers

In access control, what is the primary function of authentication?

To verify the identity of a user. Signup and view all the answers

What does the principle of audit in access control allow organizations to do?

Collect data about user activities and detect violations. Signup and view all the answers

Which of the following access control models relies on attributes of users and environmental conditions?

Attribute-Based Access Control (ABAC) Signup and view all the answers

Security Enhanced Linux implements which type of access control model?

Mandatory Access Control (MAC) Signup and view all the answers

Study Notes

CIA Triangle

Confidentiality: Ensures an individual or entity cannot deny performing an action.
Integrity: Non-repudiation ensures an individual or entity cannot deny having performed a particular action.
Availability: Ensures resources are accessible when needed.

Access Control Components

Authentication: Verifying a user's identity.
Authorization: Determining the extent of access to resources and type of services.
Access: Successful authentication and authorization allows verified users to access resources.
Audit: Organizations use audits to collect data on user activities and analyze potential access violations.
Management: Organizations manage access control systems by adding and removing authentication/authorization for users and systems.

Access Control Models

Attribute-Based Access Control (ABAC): Access is granted/denied by evaluating rules, policies, and relationships based on user, system, and environmental attributes.

Discretionary Access Control (DAC)

Data owners determine access to resources based on user ID and ownership.
Less secure than other models.

History-Based Access Control (HBAC)

Access is granted/denied based on user history, activities, and request content.
Examines patterns of behavior over time to mitigate risk.

Mandatory Access Control (MAC)

Access rights are regulated by a central authority based on multiple security levels.
Security Enhanced Linux (SELinux) is an example of MAC implementation.

Identity-Based Access Control (IBAC)

Network administrators can manage activity and access based on individual requirements.

Organization-Based Access Control (OrBAC)

Allows the policy designer to set security policies independently of the implementation.
Manages permissions for organizational parts.

Role-Based Access Control (RBAC)

Access is based on job title.
Eliminates discretion in granting access.

Risk Management

Risk = Event Probability of Occurrence x Event Impact
Risk Assessment: Determine assets, perform risk analysis.
Risk Control: Implement risk mitigation strategies, monitor risks.
Qualitative Risk Assessment: Ranks risks subjectively (high, medium, low).
Quantitative Risk Assessment: Uses numerical data to estimate risk probability and financial impact (ALE = SLE x ARO).

Risk Response Strategies

Accept: Acknowledge and prepare for consequences.
Mitigate: Reduce negative impact through safeguards and controls.
Transfer: Shift risk to a third party.
Avoid: Eliminate the risk by changing processes or behaviors.

Control Categories

Administrative (Management): Policies, procedures, guidelines defining personnel and business practices.
Physical (Operational): Measures to prevent unauthorized access to sensitive material (e.g., alarms, guards).
Logical (Technical): Technology-based controls to reduce vulnerabilities in hardware and software (e.g., antivirus, firewalls).

Control Types

Deterrent: Discourages malicious activities (e.g., security policies).
Preventive: Stops security incidents before they occur (e.g., Intrusion Prevention Systems).
Detective: Identifies security incidents after they occur (e.g., Intrusion Detection Systems).
Recovery: Restores systems and data after an incident.
Corrective: Fixes vulnerabilities.

Security Governance

Policies, Procedures, Standards, Guidelines: Key elements of security governance.
Assets: Tangible and intangible resources.

Security Quiz Questions

Cybersecurity framework development, hacking process without permission, data states, cyber security cube, data storage, countermeasure dimension (involving network availability), and more are included among the questions.

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

Description

Test your knowledge on the essential concepts of the CIA Triangle and access control components. This quiz covers confidentiality, integrity, availability, as well as authentication, authorization, and various access control models. Assess your understanding of these critical security principles!