Access Control and CIA Triangle Quiz

Questions and Answers

Which category of controls includes policies, procedures, and guidelines aligned with security goals?

  • Technical controls
  • Logical controls
  • Physical controls
  • Administrative controls (correct)

Which type of control actively blocks unauthorized actions before they occur?

  • Recovery controls
  • Detective controls
  • Corrective controls
  • Preventive controls (correct)

What type of control identifies and alerts on unauthorized activities as they happen?

  • Deterrent controls
  • Recovering controls
  • Preventive controls
  • Detective controls (correct)

What does the term 'corrective controls' refer to in cybersecurity?

  • Controls that fix vulnerabilities post-incident (correct)

What type of asset is characterized as having a physical form that can be touched?

  • Tangible assets (correct)

Which state of data occurs when it is actively being processed by a system?

  • In-use (correct)

Which element does the countermeasure dimension in the cybersecurity cube include?

  • Data protection (correct)

What describes an event that violates security unintentionally?

  • Accidental breach (correct)

What method of access control is primarily based on job titles?

  • Role-Based Access Control (RBAC) (correct)

Which of the following is an example of Rule-Based Access Control (RAC)?

  • Permitting students to access labs only at certain times. (correct)

What is the equation used to calculate Annualized Loss Expectancy (ALE)?

  • ALE = SLE x ARO (correct)

What does the Qualitative Method of Risk Assessment rely on?

  • Expert judgment and subjective ranking. (correct)

Which risk response strategy involves eliminating the risk altogether?

  • Risk Avoidance (correct)

What is the primary goal of Risk Mitigation?

  • To reduce the impact of risks on a project. (correct)

In Risk Management, what are the two key steps in Risk Assessment?

  • Identify assets and risk analysis (correct)

What does Risk Transfer aim to achieve?

  • Sharing responsibility for the risk. (correct)

What principle does non-repudiation ensure in a security context?

  • An individual cannot deny having performed a particular action. (correct)

Which access control model is based solely on the owner of the data determining access rights?

  • Discretionary Access Control (DAC) (correct)

Which model evaluates user access based on the historical behavior of the user?

  • History-Based Access Control (HBAC) (correct)

What does the availability aspect of the CIA Triangle refer to?

  • Making sure that authorized users have access to information and resources when needed. (correct)

In access control, what is the primary function of authentication?

  • To verify the identity of a user. (correct)

What does the principle of audit in access control allow organizations to do?

  • Collect data about user activities and detect violations. (correct)

Which of the following access control models relies on attributes of users and environmental conditions?

  • Attribute-Based Access Control (ABAC) (correct)

Security Enhanced Linux implements which type of access control model?

  • Mandatory Access Control (MAC) (correct)

Flashcards

RBAC

Role-Based Access Control; access is granted based on job title or role, not individual discretion.

RAC

Rule-Based Access Control; access is based on specific contextual rules, like when and where.

Risk Assessment

Process of identifying potential risks and ranking them by their probability and impact.

Risk Management

Steps to identify, assess, mitigate, and monitor potential risks.

ALE

Annualized Loss Expectancy; measures the expected monetary loss from a risk over a year.

SLE

Single Loss Expectancy; estimates the monetary loss from a single risk event.

Risk Mitigation

Actions taken to reduce the impact of negative risks.

Qualitative Risk Assessment

Ranking risks based on expert judgment using scales (e.g., high, medium, low).

CIA Triangle

A model of information security goals: Confidentiality, Integrity, and Availability.

Non-Repudiation

A security principle preventing someone from denying a particular action.

Authentication

Process of verifying a user's identity.

Authorization

Determining what a verified user can access or do.

Attribute-Based Access Control (ABAC)

Access control based on evaluating a set of rules, policies and relationships using attributes of users, systems and environmental conditions.

Discretionary Access Control (DAC)

Access control where data owners decide who can access resources, based mainly on user ID and ownership.

Mandatory Access Control (MAC)

Access control regulated by a central authority based on security levels.

History-Based Access Control (HBAC)

Access control based on user activity history; previous actions affect future permissions.

Control Categories in Cybersecurity

Administrative (Management), Physical (Operational), and Logical (Technical) controls are different ways to protect systems and data.

Control Types (Cybersecurity)

Deterrent, Preventive, Detective, Recovery, and Corrective controls each address different parts of the security process.

Security Governance Elements

Policies, Procedures, Standards, and Guidelines are crucial for a well-run cybersecurity program.

Cybersecurity Assets

Tangible and intangible resources that need protection are considered cybersecurity assets.

Intrusion Detection System (IDS)

A system that detects suspicious or unauthorized activity.

Intrusion Prevention System (IPS)

A system that proactively blocks or eliminates unauthorized actions.

Cybersecurity incidents

Unintentional or intentional events that violate security.

Cybersecurity Cube Dimensions

Countermeasures, Control levels, and Assets are dimensions of the cybersecurity cube.

Study Notes

CIA Triangle

  • Confidentiality: Ensures information is disclosed only to authorized individuals, entities, or processes.
  • Integrity: Ensures data is accurate, complete, and not altered without authorization; non-repudiation (an individual or entity cannot deny having performed a particular action) supports integrity by tying actions to their originator.
  • Availability: Ensures resources are accessible to authorized users when needed.

Access Control Components

  • Authentication: Verifying a user's identity.
  • Authorization: Determining the extent of access to resources and type of services.
  • Access: Successful authentication and authorization allows verified users to access resources.
  • Audit: Organizations use audits to collect data on user activities and analyze potential access violations.
  • Management: Organizations manage access control systems by adding and removing authentication/authorization for users and systems.

Access Control Models

  • Attribute-Based Access Control (ABAC): Access is granted/denied by evaluating rules, policies, and relationships based on user, system, and environmental attributes.

Discretionary Access Control (DAC)

  • Data owners determine access to resources based on user ID and ownership.
  • Considered less secure than centrally enforced models, because each owner can grant access at their own discretion and permissions are hard to track across many owners.

History-Based Access Control (HBAC)

  • Access is granted/denied based on user history, activities, and request content.
  • Examines patterns of behavior over time to mitigate risk.

Mandatory Access Control (MAC)

  • Access rights are regulated by a central authority based on multiple security levels.
  • Security Enhanced Linux (SELinux) is an example of MAC implementation.

Identity-Based Access Control (IBAC)

  • Network administrators can manage activity and access based on individual requirements.

Organization-Based Access Control (OrBAC)

  • Allows the policy designer to set security policies independently of the implementation.
  • Manages permissions for organizational parts.

Role-Based Access Control (RBAC)

  • Access is based on job title.
  • Eliminates discretion in granting access.
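The following Python reference monitor is an added example, not part of the original quiz or of any real product, that shows four of the models above deciding on constructed data: MAC with fixed clearance levels (no read up, no write down, a simplified Bell-LaPadula style lattice; SELinux's default type enforcement is a different MAC flavour but shares the point that users and owners cannot change the rules), DAC where only the owner can grant rights, RBAC where permissions attach to roles rather than people, and a rule/attribute-based check that uses the time of day for the quiz's own lab-hours example. Every user, role, label and opening hour below is invented for illustration.

```python
"""Toy reference monitor for four access control models (added example).

All users, roles, labels and hours below are constructed for illustration;
nothing here is taken from SELinux or any real policy.
"""
from dataclasses import dataclass, field
from datetime import datetime

# --- Mandatory Access Control: labels and clearances are fixed centrally. ---
# Simplified multi-level lattice (Bell-LaPadula style). Neither the owner of
# a document nor the reader can relabel it; the central authority does.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

def mac_can_read(clearance: str, label: str) -> bool:
    """Simple security property: no read up."""
    return LEVELS[clearance] >= LEVELS[label]

def mac_can_write(clearance: str, label: str) -> bool:
    """Star property: no write down, so secret data cannot leak into public."""
    return LEVELS[clearance] <= LEVELS[label]

# --- Discretionary Access Control: the object's owner decides. ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of actions

    def grant(self, granter: str, user: str, action: str) -> bool:
        """Only the owner may hand out rights; anyone else is refused."""
        if granter != self.owner:
            return False
        self.acl.setdefault(user, set()).add(action)
        return True

    def allowed(self, user: str, action: str) -> bool:
        return user == self.owner or action in self.acl.get(user, set())

# --- Role-Based Access Control: permissions attach to roles, not people. ---
ROLE_PERMS = {
    "student": {"read:course", "submit:assignment"},
    "teacher": {"read:course", "write:course", "grade:assignment"},
}
USER_ROLES = {"alice": {"student"}, "bob": {"teacher"}}

def rbac_allowed(user: str, perm: str) -> bool:
    """A user holds a permission only through one of their roles."""
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))

# --- Rule-/Attribute-Based: subject, resource and environment attributes. ---
def abac_lab_access(subject: dict, resource: dict, env: dict) -> bool:
    """Students may use labs 08:00-18:00 on weekdays; staff at any time."""
    if resource.get("type") != "lab":
        return False
    if subject.get("role") == "staff":
        return True
    now: datetime = env["time"]
    return (subject.get("role") == "student"
            and now.weekday() < 5          # Monday..Friday
            and 8 <= now.hour < 18)

if __name__ == "__main__":
    print("MAC  confidential reads secret:", mac_can_read("confidential", "secret"))
    doc = DacObject(owner="alice")
    print("DAC  bob grants carol:", doc.grant("bob", "carol", "read"))
    print("DAC  alice grants carol:", doc.grant("alice", "carol", "read"))
    print("RBAC alice grades:", rbac_allowed("alice", "grade:assignment"))
    monday_10 = datetime(2024, 3, 4, 10)   # a Monday
    print("ABAC student lab Mon 10:00:",
          abac_lab_access({"role": "student"}, {"type": "lab"}, {"time": monday_10}))
```

The contrast worth noticing is who can change the outcome: in the DAC object a single owner can widen access with one `grant` call, in RBAC only a role change does it, and in MAC and the ABAC rule nothing a user does alters the decision.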

Risk Management

  • Risk = Event Probability of Occurrence x Event Impact
  • Risk Assessment: Determine assets, perform risk analysis.
  • Risk Control: Implement risk mitigation strategies, monitor risks.
  • Qualitative Risk Assessment: Ranks risks subjectively (high, medium, low).
  • Quantitative Risk Assessment: Uses numerical data to estimate risk probability and financial impact (ALE = SLE x ARO).
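As an added worked example (not from the original notes), the Python below carries the quantitative method through for a constructed three-item asset register: SLE = AV x EF (the standard expansion of Single Loss Expectancy, which the notes leave implicit), ALE = SLE x ARO, ranking by ALE, and the usual cost-benefit test for a proposed safeguard (ALE before minus ALE after minus the safeguard's annual cost). A 3x3 qualitative matrix is included alongside for comparison with the high/medium/low method. All asset values, exposure factors, frequencies and control costs are invented.

```python
"""Quantitative and qualitative risk assessment worked through (added example).

Asset values, exposure factors and frequencies below are invented for a
fictional organisation; they are not benchmarks.
"""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset at risk (currency units)
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    aro: float              # ARO: expected number of incidents per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro

def rank_by_ale(risks):
    """Quantitative ranking: biggest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)

def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Cost-benefit of a control: (ALE before) - (ALE after) - (annual cost).
    A positive result means the safeguard saves more than it costs."""
    return before.ale - after.ale - annual_cost

def qualitative_rating(likelihood: int, impact: int) -> str:
    """3x3 qualitative matrix; each axis is an ordinal 1 (low) to 3 (high)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("use ordinal scores 1..3")
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

# Constructed asset register.
RANSOMWARE = Risk("Ransomware on file server", 500_000, 0.6, 0.2)   # once in 5 years
LAPTOP = Risk("Unencrypted laptop theft", 2_000, 1.0, 5.0)          # five per year
FLOOD = Risk("Data centre flood", 2_000_000, 0.5, 0.02)             # once in 50 years
RISKS = [RANSOMWARE, LAPTOP, FLOOD]

if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.name:28} SLE={r.sle:>12,.0f} ARO={r.aro:<5} ALE={r.ale:>10,.0f}")
    # Tested offline backups do not stop ransomware arriving (ARO unchanged)
    # but shrink what is lost per incident (EF 0.6 -> 0.15).
    backups = replace(RANSOMWARE, exposure_factor=0.15)
    print("backup programme, net value per year:",
          safeguard_value(RANSOMWARE, backups, 15_000))
    # Full-disk encryption leaves the hardware loss but removes the data loss.
    fde = replace(LAPTOP, exposure_factor=0.1)
    print("disk encryption, net value per year:", safeguard_value(LAPTOP, fde, 3_000))
    print("qualitative likelihood 3 x impact 2:", qualitative_rating(3, 2))
```

Two things the formula alone hides show up when it is run: the flood has by far the largest single loss yet ranks below ransomware on ALE because of its low frequency, and a control is modelled by changing whichever factor it actually affects (backups lower EF, patching or filtering would lower ARO), not by guessing a blanket reduction.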

Risk Response Strategies

  • Accept: Acknowledge and prepare for consequences.
  • Mitigate: Reduce negative impact through safeguards and controls.
  • Transfer: Shift risk to a third party.
  • Avoid: Eliminate the risk by changing processes or behaviors.

Control Categories

  • Administrative (Management): Policies, procedures, guidelines defining personnel and business practices.
  • Physical (Operational): Measures to prevent unauthorized access to sensitive material (e.g., alarms, guards).
  • Logical (Technical): Technology-based controls to reduce vulnerabilities in hardware and software (e.g., antivirus, firewalls).

Control Types

  • Deterrent: Discourages malicious activity before it is attempted (e.g., security policies, warning banners).
  • Preventive: Stops security incidents before they occur (e.g., Intrusion Prevention Systems).
  • Detective: Identifies security incidents as or after they occur (e.g., Intrusion Detection Systems).
  • Recovery: Restores systems and data to normal operation after an incident.
  • Corrective: Fixes the vulnerabilities or weaknesses an incident exposed so it does not recur.
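To make the preventive/detective distinction concrete, here is an added Python example (not from the original page) that applies one brute-force rule to constructed sshd-style log lines twice: once as a detective control that reads the log after the fact and only raises alerts, and once as a preventive control that decides inline on every attempt and refuses the source outright once it crosses the threshold. The log lines, account names and addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).

```python
"""Detective vs preventive control over the same signal (added example).

The sshd-style log lines and addresses below are constructed for this
example; nothing was captured from a real host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-04T10:00:01 sshd[812]: Failed password for root from 203.0.113.7 port 51022
2024-03-04T10:00:03 sshd[812]: Failed password for root from 203.0.113.7 port 51023
2024-03-04T10:00:04 sshd[812]: Failed password for admin from 203.0.113.7 port 51024
2024-03-04T10:00:06 sshd[812]: Failed password for root from 203.0.113.7 port 51025
2024-03-04T10:00:07 sshd[812]: Failed password for root from 203.0.113.7 port 51026
2024-03-04T10:00:09 sshd[812]: Accepted publickey for alice from 198.51.100.4 port 40000
2024-03-04T10:00:10 sshd[812]: Failed password for root from 203.0.113.7 port 51027
2024-03-04T10:03:00 sshd[812]: Failed password for alice from 198.51.100.4 port 40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed password|Accepted \w+) "
    r"for (?P<user>\S+) from (?P<ip>\S+)"
)

def parse_auth_log(log: str):
    """Yield (timestamp, source ip, success) for each recognised line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"],
                   m["outcome"].startswith("Accepted"))

def detect_bruteforce(log: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)):
    """Detective control (IDS-like): read the log after the fact and report
    sources whose failed logins peaked at >= threshold inside one window.
    It changes nothing; someone still has to act on the alert."""
    failures = defaultdict(list)
    for ts, ip, success in parse_auth_log(log):
        if not success:
            failures[ip].append(ts)
    alerts = []
    for ip, times in failures.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):       # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((ip, peak))
    return alerts

class PreventiveGate:
    """Preventive control (IPS-like): the same rule, but evaluated inline on
    every attempt; once a source crosses the threshold its later attempts
    are refused outright, even ones carrying valid credentials."""
    def __init__(self, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(list)
        self.blocked = set()

    def attempt(self, ip: str, ts: datetime, success: bool) -> str:
        if ip in self.blocked:
            return "REJECT"                 # stopped before authentication runs
        if success:
            return "ALLOW"
        recent = [t for t in self.failures[ip] if ts - t <= self.window] + [ts]
        self.failures[ip] = recent
        if len(recent) >= self.threshold:
            self.blocked.add(ip)
        return "DENY"                       # this attempt simply failed

def replay_through_gate(log: str, **gate_args):
    """Run the same log through the preventive control in time order."""
    gate = PreventiveGate(**gate_args)
    return [gate.attempt(ip, ts, ok) for ts, ip, ok in sorted(parse_auth_log(log))]

if __name__ == "__main__":
    print("detective alerts:", detect_bruteforce(SAMPLE_LOG))
    print("preventive decisions:", replay_through_gate(SAMPLE_LOG))
```

Run on the sample, the detective pass reports the attacking address with a peak of six failures inside the window, while the preventive pass shows the sixth attempt from that address being rejected before its password is even checked; the single late failure from alice's address stays below threshold in both. The lockout also illustrates the cost of preventive controls: a legitimate user behind a blocked address is refused too, which is why the threshold and window are tunable.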

Security Governance

  • Policies, Procedures, Standards, Guidelines: Key elements of security governance.
  • Assets: Tangible and intangible resources.

Security Quiz Questions

  • The full quiz also covers cybersecurity framework development, hacking without permission, data states, the cybersecurity cube, data storage, the countermeasure dimension (including network availability), and related topics.
