CIA Triad in Information Security

Questions and Answers

Which method is NOT typically associated with ensuring data integrity?

  • Backup and recovery systems
  • Checksums
  • Encryption (correct)
  • Digital signatures

What is the primary goal of accountability in a security context?

  • To track user actions and monitor behavior (correct)
  • To ensure data is available when needed
  • To control user access rights
  • To confirm user identities

Which principle best describes the need to restrict user permissions to only what is necessary?

  • Minimum necessary access
  • Least privilege (correct)
  • Integrity
  • Non-repudiation

Which option is primarily associated with verification of user identity?

Answer: Authentication (B)

Which example illustrates a security measure for ensuring data availability?

Answer: Failover systems (D)

What does non-repudiation help to establish?

Answer: Proof of an action having occurred (C)

Which of the following best defines authorization?

Answer: Controlling access based on user roles and privileges (A)

Which strategy effectively mitigates the risks associated with user access rights?

Answer: Just-In-Time access (C)

Study Notes

Confidentiality

  • Protection of sensitive information from unauthorized access, use, disclosure, modification, or destruction
  • Ensures that only authorized entities have access to information
  • Examples: encryption, access control, passwords

Integrity

  • Protection of data from unauthorized modification, deletion, or alteration
  • Ensures that data is accurate, complete, and not modified without authorization
  • Examples: digital signatures, checksums, backup and recovery systems

Availability

  • Ensuring that data and systems are accessible and usable when needed
  • Protection against denial of service (DoS) and distributed denial of service (DDoS) attacks
  • Examples: redundancy, failover systems, disaster recovery plans

Authentication

  • Verifying the identity of users, systems, or entities
  • Ensures that only authorized entities have access to resources
  • Examples: username/password, biometric authentication, Kerberos

Authorization

  • Controlling access to resources based on user identity, role, or privileges
  • Ensures that users only have access to resources they are authorized to use
  • Examples: access control lists (ACLs), role-based access control (RBAC), mandatory access control (MAC)

Accountability

  • Tracking and monitoring user actions and activities
  • Ensures that users are responsible for their actions and can be held accountable
  • Examples: auditing, logging, intrusion detection systems

Non-Repudiation

  • Ensuring that a user cannot deny having performed an action
  • Provides proof of ownership or origin of data
  • Examples: digital signatures, timestamps, receipts

Least Privilege

  • Granting users and systems only the minimum privileges necessary to perform their tasks
  • Reduces the attack surface and limits the damage in case of a breach
  • Examples: principle of least privilege, segregation of duties, Just-In-Time (JIT) access

Confidentiality

  • Protects sensitive information from unauthorized access, use, disclosure, modification, or destruction.
  • Authorized entities are guaranteed access to sensitive data.
  • Utilizes methods like encryption, access control, and passwords to safeguard information.

Integrity

  • Safeguards data from unauthorized modification, deletion, or alteration.
  • Ensures data remains accurate, complete, and unaltered without permission.
  • Employs tools such as digital signatures, checksums, and backup and recovery systems to maintain data validity.

Availability

  • Guarantees that data and systems are accessible and operational when required.
  • Protects against attacks like denial of service (DoS) and distributed denial of service (DDoS).
  • Implements strategies such as redundancy, failover systems, and disaster recovery plans to enhance system availability.

Authentication

  • Confirms the identity of users, systems, or entities seeking access.
  • Ensures resource access is restricted to authorized parties only.
  • Common methods include username/password combinations, biometric authentication, and the Kerberos authentication protocol.

Authorization

  • Governs access to resources by evaluating user identity, role, or privileges.
  • Guarantees users access solely to resources they are permitted to use.
  • Utilizes models such as access control lists (ACLs), role-based access control (RBAC), and mandatory access control (MAC) to enforce permissions.

Accountability

  • Involves tracking and monitoring user actions and activities to ensure responsibility.
  • Makes users accountable for their actions within a system.
  • Techniques include auditing, logging activities, and utilizing intrusion detection systems.

Non-Repudiation

  • Ensures that a user cannot deny participation in a specific action or transaction.
  • Provides verifiable proof of data ownership or origin.
  • Techniques include using digital signatures, timestamps, and receipts to guarantee actions are traceable.

Least Privilege

  • Grants users and systems the minimum necessary privileges to execute their functions.
  • Aims to minimize potential attack vectors and mitigate damage during a security breach.
  • Implements principles such as least privilege, segregation of duties, and Just-In-Time (JIT) access.
