Untitled

Questions and Answers

An organization is developing a new method for processing customer data. Which security domain would be MOST important for protecting the specific steps involved in this method?

• Data security
• Operations security (correct)
• Physical security
• Personnel security

A company wants to ensure that only authorized employees can access sensitive financial records. Which critical characteristic of information is the company primarily trying to uphold?

• Confidentiality (correct)
• Availability
• Utility
• Integrity

During a network upgrade, a critical database server experiences unexpected downtime, preventing users from accessing essential data. Which critical characteristic of information has been compromised?

• Authenticity
• Confidentiality
• Integrity
• Availability (correct)

A disgruntled employee modifies several entries in a sales database, causing incorrect order information to be sent to customers. Which critical characteristic of information has been MOST directly violated?

Integrity (C)

A company discovers that an unauthorized individual has gained physical access to its server room. Which security domain has been breached?

Physical security (C)

A company implements a policy requiring mandatory background checks for all new employees with access to sensitive data. This measure primarily addresses which security domain?

Personnel security (A)

An attacker intercepts and decrypts sensitive email communications between executives. Which security domain was MOST directly compromised?

Communications security (A)

A hospital implements encryption on its patient database and restricts access to authorized personnel only. Which two critical characteristics of information are MOST directly addressed by these measures?

Confidentiality and Availability (B)

Which of the following best describes the primary goal of cybersecurity?

To protect internet-connected systems, including hardware, software, and data, from cyberattacks. (C)

An organization implements firewalls, border routers, and VPNs with quarantine procedures. Which layer of the defense-in-depth approach does this represent?

Network perimeter (D)

Which cybersecurity measure primarily focuses on protecting data at the user level?

Strong passwords and Access Control Lists (ACLs) (A)

An organization updates its antivirus software, hardens operating systems, and manages security updates. What aspect of cybersecurity is being addressed?

Endpoint security (C)

Which of the following scenarios exemplifies the concept of 'defense in depth'?

A network uses firewalls, intrusion detection systems, and regular security audits. (D)

Implementing guards, locks, and tracking devices typically falls under which component of the defense-in-depth strategy?

Physical Security (B)

What is the primary advantage of adopting a multi-layered security approach for an organization?

It provides redundancy and minimizes the impact of a single point of failure. (B)

An organization discovers a vulnerability in a web application. According to the defense-in-depth strategy, what should be the organization's first course of action?

Isolate the affected segment of the network to prevent lateral movement. (D)

Which scenario exemplifies a breach of information authenticity?

A financial report is altered by an insider before being presented to stakeholders. (B)

In the context of information security, 'utility' is best described as:

The extent to which information serves a specific purpose or end goal. (C)

Which of the following situations demonstrates a breach of information 'possession'?

An employee makes a copy of a confidential document without authorization. (C)

According to the principles described, which of the following is NOT a primary dimension in cybersecurity according to the model discussed?

Risk Assessment Strategies (B)

In the McCumber Cube framework, what does the 'Information States' dimension primarily address?

The various conditions in which data exists, such as storage, transmission, and processing. (A)

Which of the following scenarios accurately describes why a breach of ownership does not always result in a breach of confidentiality?

A company's server is physically stolen, but all data on it is encrypted and password protected. (C)

A hospital's patient database is accessible, but the software needed to interpret the encrypted medical records is unavailable due to a system failure. Which critical characteristic of information is primarily affected?

Utility (B)

Which of the following scenarios best illustrates a compromise of information accuracy?

A research paper contains incorrect data due to a flawed experimental design. (C)

According to the McCumber Cube, which of the following is NOT a primary dimension to consider when analyzing information security?

Network Infrastructure (C)

In the context of information security, what does 'Data at Rest' (DAR) primarily refer to?

Data stored in an information system, like memory or a hard drive. (C)

Which of the following administrative controls is crucial for maintaining information system security, according to the text?

Providing regular cybersecurity awareness training. (D)

An organization is developing a new application. Which approach BEST reflects the principles described regarding software security during the initial stages?

Integrate security considerations from the outset, even in the initial design phases. (D)

What is a potential consequence of neglecting information security during the initial development of software?

The need for multiple versions of the application to address security vulnerabilities. (B)

Why is software often considered the most difficult component of an IS to secure?

Software often contains bugs and errors, leading to vulnerabilities. (D)

Which of the following BEST describes the relationship between the five components of an information system (software, hardware, data, people, procedures) and overall security?

The components have individual strengths and weaknesses, which when used together, result in a secure IS. (D)

An organization's data is being transmitted between two information systems. According to the definitions, which information state is exemplified?

Data in Transit (DIT) (B)

During which phase of the Security System Development Life Cycle (SecSDLC) are potential impacts on organizations and individuals defined in the event of a security breach?

Planning and Analysis (B)

Which of the following activities is performed during the Design phase of the Security System Development Life Cycle (SecSDLC)?

Security functional and assurance requirement analysis (C)

In the context of the Security System Development Life Cycle (SecSDLC), what is the primary focus of the Implementation phase?

Integrating the chosen security controls within well-defined boundaries. (B)

What activity is central to the Support phase of the Security System Development Life Cycle (SecSDLC)?

Ensuring security levels are maintained during environmental changes (B)

How does the Security System Development Life Cycle (SecSDLC) enhance the traditional System Development Life Cycle (SDLC)?

By identifying specific threats and creating controls to counter them. (A)

What is the result of incorporating all possible threat considerations into a well-observed and planned Information System (IS)?

A demonstrable, well-planned IS (A)

Which of the following actions is part of the Security System Development Life Cycle (SecSDLC)?

Performing a preliminary risk assessment. (A)

What is the immediate outcome of the planning and analysis phase in the Security System Development Life Cycle (SecSDLC)?

An initial description of the basic security needs (B)

Which of the following scenarios represents the greatest risk associated with unauthorized access to an organization's procedures?

Malicious actors exploit detailed system instructions to compromise the integrity of the information system. (A)

In the context of information system (IS) security, why are people often considered the 'weakest component'?

People are more easily manipulated or deceived into compromising security protocols than technology is. (A)

An organization is developing a new information system. During which phase of the System Development Life Cycle (SDLC) would the team acquire the necessary hardware and software?

Design (C)

Which of the following is the primary goal of the 'Support' phase in the System Development Life Cycle (SDLC)?

To identify and address errors, monitor performance, and implement necessary updates. (C)

An organization's security team discovers a critical vulnerability in a newly implemented software module during the 'Implementation' phase of the SecSDLC. What should be their immediate course of action?

Roll back the implementation, address the vulnerability, and re-test the software module before redeployment. (A)

In the context of the Security System Development Life Cycle (SecSDLC), what does C.I. refer to, and why is it important to protect it?

C.I. refers to Confidentiality, Integrity, and Availability, which are the core principles of information security. (C)

Which of the following actions primarily contributes to mitigating the risk associated with 'people' as the weakest component in an IS environment?

Conducting regular security awareness training and enforcing security policies. (B)

During which phase of the SDLC is a detailed analysis performed, including studying the current system and determining user requirements?

Analysis (B)

What is the primary advantage of using the Security System Development Life Cycle (SecSDLC) compared to implementing security measures ad hoc?

The SecSDLC integrates security considerations into every phase of system development. (C)

An organization is prioritizing project requests during the 'Planning' phase of the SDLC. Which factor should be given the MOST consideration?

The project's alignment with the organization's strategic goals and objectives. (B)

Flashcards

Cybersecurity

Protecting internet-connected systems (hardware, software, data) from cyberattacks.

Defense-in-depth

A strategy that uses multiple security layers to protect assets.

Physical Security

Physical security measures.

Network Security

Network security measures.

Network Segments

Internal network protections.

OS Hardening

Protection at the operating system level.

Application Hardening

Security measures implemented within applications.

Data Security

Password protocols and Access Control Lists.

Personnel Security

Protecting individuals authorized to access the organization and its operations.

Operations Security (OPSEC)

Protecting the details of specific operations or activities.

Communications Security (COMSEC)

Protecting communication media and technologies.

The C.I.A. Triad

Confidentiality, Integrity, and Availability - The three main goals of cybersecurity.

Confidentiality

Preventing disclosure or exposure to unauthorized individuals or systems.

Information Availability

Information is available when authorized users can access it when needed, in the correct format.

Information Accuracy

Information free from mistakes, errors, and reflects the value the end user expects.

Information Authenticity

Information is genuine, original, and unaltered from its original creation, storage or transfer state.

Information Utility

Information has value when it serves a particular purpose and is in a meaningful format for the user.

Information Possession

Information possession means having ownership or control of the information, regardless of format.

Confidentiality vs. Ownership

Compromising confidentiality always leads to ownership breach, but ownership breach does not always mean confidentiality is breached.

Cybersecurity Dimensions

The 3 dimensions are Security Goals, Security Measures , and Information States.

McCumber Cube

Graphical representation of the interconnections among different Information security factors.

C.I.A Triad

Confidentiality, Integrity, and Availability. Core principles ensuring data protection, reliability, and accessibility.

Information States

Data at Rest (storage), Data in Transit (transmission), and Data in Processing (operations).

Security Controls

Administrative (policies), educational (training), and technological (tools) methods employed to protect information systems.

Policy and Practices

Plans and guidelines that govern how an organization manages and protects its information assets.

Education

The process of ensuring users understand security roles and responsibilities to mitigate risks.

Technology

Hardware and software safeguards to defend information systems from threats and vulnerabilities.

Information System Components

Software, hardware, data, people, and procedures working together to manage information.

Hardware

The physical components that house, execute software, store/transmit data, and provide user interfaces.

Data

An organization's most valuable asset; the primary target of intentional attacks.

People (Users)

Users of the information system, often the weakest security link.

Procedures

Detailed, written instructions for performing specific tasks within an organization.

SDLC

A methodology for designing and implementing an Information System (IS).

Waterfall Model

A common SDLC model using a sequential, phase-by-phase approach.

SDLC: Planning

The initial step in SDLC, involving project review, prioritization, resource allocation, and team identification.

SDLC: Analysis

Studying the current system, determining user needs, and recommending solutions.

SDLC: Design

Acquiring hardware/software and creating detailed system specifications.

SecSDLC

A variation of the SDLC phases, integrating security considerations into each stage of system development.

Information Asset Protection

Safeguarding the organization's information assets.

Security System Development Life Cycle (SecSDLC)

A process for developing secure systems throughout their lifecycle.

Impact Analysis (SecSDLC)

Defining potential impacts on organizations/individuals if a security breach occurs.

Preliminary Risk Assessment

The beginning stage of assessing potential security risks an organization could face.

Security Planning (SecSDLC)

Analyzing security needs by complete characteristic of the IS and the security that it needs.

System Integration (SecSDLC)

Ensuring new IS integrates with chosen security measures.

Security Support (SecSDLC)

Maintaining security levels after system setup.

SecSDLC vs. SDLC

SecSDLC identifies threats and creates counter-measures; SDLC doesn't focus on security

Study Notes

Cyber Security Introduction

• Cyber security involves the protection of internet-connected systems, including hardware, software, and data, from cyberattacks.

5 Components of an Information System (IS)

• Hardware: Physical components like computers and servers.
• Software: Applications, operating systems, and utilities.
• Data: The information stored and processed by the system.
• People: Users who interact with the system.
• Procedures: Instructions for accomplishing specific tasks.

Introduction to Cyber Security

• Cyber security aims to build a defense-in-depth approach
• A successful organization should have a multi-layer of security in place.
• Physical security secures physical items and objects from unauthorized access and misuse.
• Personnel security protects the individuals authorized to access the organization and its operations.
• Operations security protects the details of particular operations and activities.
• Communications security protects communications media and technology.
• Network security protects network components and connections.
• Data security protects the confidentiality, integrity, and availability of information assets during storage, processing, and transmission.
• The elements of cyber security are People, Policy, and Technology

Critical Characteristics of Information

• The goal of Cyber Security is to maintain the C.I.A triad: Confidentiality, Integrity, and Availability.
• Other characteristics to consider are Accuracy, Authenticity, Utility, and Possession.
• Confidentiality prevents the disclosure or exposure of information to unauthorized individuals or systems; examples include credit cards, PII, and health records.
• Integrity ensures that information is accurate, complete, and authorized; the integrity of information is threatened when the information is exposed to corruption, damage, destruction, or disruption of its authentic state.
• Availability enables authorized users to access information when and where needed, without interference or obstruction.
• Accuracy means information is free from mistakes or errors and has the value that the end-user expects; if information contains a value different from the user's expectations due to intentional or unintentional modification of the content, it is no longer accurate.
• Authenticity means that the information is genuine or original rather than a reproduction or fabrication; information is authentic when it is the same as it was originally created, placed, stored, or transferred.
• Utility means the information has value for some purpose or end; information has value when it serves a particular purpose.
• Possession means having ownership or control of some object or item; information is said to be in possession if one obtains it, independent of format or other characteristic.
• Breaching confidentiality always results in a breach of ownership but breaching ownership does not always result in a breach of confidentiality.
• There are three dimensions in cybersecurity: security goals (C.I.A.), security measures/controls (policy, education/training, technology), and information states (storage, transmission, processing).
• McCumber Cube: This is a graphical representation of the interconnections among the different information security factors. The dimensions and attributes of the McCumber Cube include desired goals (C.I.A), information states, and security controls.
  • Data at rest (DAR) means data in an information system in storage, such as in memory, on a magnetic tape, or a disk.
  • Data in transit (DIT) means data being transferred between information systems.
  • Policy and practices are administrative controls, including plans and guidance.
  • Education ensures that the users of information systems are aware of their roles and responsibilities -Technology, consisting of software and hardware-based solutions, is designed to protect information systems.

Components of an Information System

• An information system consists of software, hardware, data, people, and procedures that work together to achieve a common goal.
• Software includes applications, operating systems, and other utilities and is the most difficult component to secure because bugs and errors can lead to insecure information.
• Software is the most important component in the IS. Information security is not often considered at the first round of implementation, leading to versions after versions of application
• Hardware is physical technology that houses and executes the software, stores and transmits data, and provides interfaces to run the software.
• Data is the most valuable asset possessed by an organization and often the target of intentional attacks.
• People are often the weakest component in an IS environment; policy, agreement, education, and training play important roles in mitigating this risk.
• Procedures consist of written instructions for accomplishing a specific task; unauthorized access to these procedures can threaten the integrity of the information.

System Development Life Cycle (SDLC)

• SDLC is a methodology or approach for designing and implementing an information system.
• It is a sequence of procedures to solve a problem, the most common approach being the waterfall model.
• The steps of the SDLC are:
  • Planning involves reviewing and prioritizing project requests, allocating resources, and identifying the project development team.
  • Analysis involves performing detailed analysis activities, studying the current system, determining user requirements, and recommending a solution.
  • Design involves acquiring hardware and software and developing system details.
  • Implementation involves developing the program, installing and testing the new system, and training users
  • Support involves identifying errors and enhancements, monitoring system performance, and updating the system

Security System Development Life Cycle (SecSDLC)

• SecSDLC requires cybersecurity to be managed similarly to any other system implementation.
• This approach involved adapting the SDLC phases to integrate security measures.
• Each phase of the SecSDLC considers the security of the system and the information it uses.
• Each implementation is done securely and protects the confidentiality, integrity, and availability (C.I.A.) of the organization's information assets.
• The steps of the SecSDLC are:
  • Planning and Analysis define the potential impact on organizations or individuals if security is breached and conducts a preliminary risk assessment.
  • Design involves risk assessments, security functional and assurance requirement analysis, and security planning – a complete characteristic of the IS and the security it needs in security.
  • Implementation involves inspection and acceptance and system integration with robust security controls.
  • Support Ensures the level of security if any changes happen to the environment, which requires updates as needed and continuous monitoring.

SDLC vs. SecSDLC

• SecSDLC follows the exact phases as the formal SDLC.
• SecSDLC identifies specific threats that could happen to the IS and creates specific controls to counter those threats.
• A well-observed and planned IS can be demonstrated if all possible current and possible future threats have been taken care of.