Electronic Access Control Quiz
43 Questions

Questions and Answers

    What is the primary defense against eavesdropping in electronic communication?

    • Using passwords for access control
    • Implementing encryption for data transmission (correct)
    • Conducting regular security audits
    • Implementing physical barriers to conversations

    Which of the following best describes the goal of integrity protection?

    • Maximizing the speed of data access
    • Reducing data storage costs
    • Ensuring only authorized changes to data are made (correct)
    • Preventing data theft at all costs

    What is the best defense against impersonation attacks?

    • Installing firewalls at all network entry points
    • Utilizing complex passwords
    • Conducting user training and education (correct)
    • Implementing biometric authentication systems

    What attack involves capturing a legitimate user's session information to gain unauthorized access later?

    Replay Attack (C)

    Which principle is crucial for preventing unauthorized modifications by outsiders?

    Principle of least privilege (B)

    What must be satisfied in addition to proving identity to gain access to a system?

    Access control confirming allowed permissions (A)

    What does accounting in an access control system enable administrators to do?

    Track user activity and reconstruct it from logs (B)

    Which of the following correctly outlines the electronic access control process?

    Identification, Authentication, Authorization, Accounting (A)

    What form does authentication often take in the context of electronic access control?

    Access control lists (ACL) specifying permissions (A)

    Which of the following is included in the mechanisms for setting a password policy?

    Password Length Requirements (C)

    What is one potential concern when tracking user activity within an organization?

    Ensuring compliance with legal and privacy policies (C)

    In the identification stage of access control, what information does a user typically provide?

    A username (D)

    What is a key characteristic of digital access control systems compared to physical ones?

    They can log different types of user activity (D)

    Which of the following best describes the role of availability in an organization?

    It assesses customer satisfaction based on service reliability. (B)

    What is a common defense against Denial of Service (DoS) attacks?

    Deployment of firewalls. (C)

    Which of the following contributes to service outages?

    Overcapacity due to increased demand. (D)

    What defense can be used against power outages?

    Utilizing redundant power sources. (D)

    What is a consequence of hardware failures?

    Disruption in access to information. (A)

    What is the best defense against destruction of equipment due to large-scale disasters?

    Implementing off-site backup data centers. (B)

    Under what circumstance might an organization experience denial?

    Systems being unreachable by users. (A)

    What does the term non-repudiation refer to in security?

    Assuring that users cannot deny their actions. (A)

    Which of the following best describes the alteration risk in the DAD triad?

    Modification of data from its original form. (B)

    What is recommended to increase resilience against system failures?

    Developing systems with built-in redundancy. (A)

    What is the primary function of signatures in transactions?

    To verify the identity of the purchaser. (C)

    What does the term 'non-repudiation' refer to in e-commerce transactions?

    The inability to deny a transaction after it has been completed. (A)

    Which of the following is considered a biometric security control?

    Facial recognition. (A)

    In the context of access control, what does 'AAA' stand for?

    Authentication, Authorization, Accounting. (B)

    During which step of the access control process is a claim about identity made?

    Identification. (B)

    What is the role of authentication in an access control system?

    To provide proof of claimed identity. (A)

    What does the 'accounting' step in the AAA process refer to?

    The tracking of user actions within the system. (B)

    Why is strong evidence important in authentication?

    To prevent unauthorized access. (A)

    Which of these options is a characteristic of multi-factor authentication?

    Requiring two or more verification methods. (D)

    What is a digital signature's primary purpose?

    To ensure non-repudiation in electronic documents. (B)

    Which of the following describes the primary aim of Disaster Recovery (DR)?

    To restore business operations as quickly as possible after disruptions. (B)

    What is NOT a potential trigger for a Disaster Recovery Plan (DRP)?

    Decrease in market share. (D)

    During the initial response to a disaster, what is the main focus?

    Containing damage and restoring immediate capabilities. (B)

    Which metric indicates the maximum acceptable amount of data loss in time during a DR event?

    Recovery Point Objective (RPO) (D)

    Why is flexibility key during a disaster response?

    It enables the organization to handle varying disaster types. (B)

    In the assessment phase after a disaster, what is primarily evaluated?

    The damage and functional recovery plans. (B)

    What aspect of communication is vital for responders during disaster recovery?

    Having secure and reliable means to communicate internally. (D)

    Which of the following tasks occurs first after initiating a Disaster Recovery Plan?

    Containing the damage and restoring immediate capabilities. (A)

    What role do temporary jobs play during a Disaster Recovery process?

    They allow organizations to adapt to immediate needs. (A)

    Which of the following is an essential component of a Disaster Recovery Plan?

    Training for disaster responsibilities in advance. (C)

    Study Notes

    Domain 1: Security Principles

    • The Security Principles domain provides foundational knowledge for cybersecurity careers.
    • Five objectives: information assurance concepts, risk management, security controls, ISC2 Code of Ethics, and governance.
    • The average weight of this domain is 26%.
    • Key concepts covered include Confidentiality, Integrity, and Availability (CIA Triad).
    • Also covers Non-Repudiation, Authentication and Authorization.
    • Information security involves protecting information systems from unauthorized access, use, disclosure, modification, or destruction to maintain Confidentiality, Integrity, and Availability.

    Security Trio Explained

    • Information security encompasses all forms of data protection.
    • IT Security is focused on the technical aspects like hardware and software.
    • Cybersecurity is the overall protection for systems, networks, and programs against all types of digital attacks.

    Confidentiality

    • Confidentiality is the secrecy of protected information.
    • Cybercriminals most often target confidentiality; it is the protection goal they most commonly try to compromise.
    • Data breaches often stem from access to information without proper authorization.
    • Risks and defenses include snooping (enforcing clean desk policy), dumpster diving (using a paper shredder), eavesdropping (using encryption and rules regarding sensitive conversations), and social engineering (user training/education).

    Integrity

    • Integrity is the reliability and correctness of data.
    • Data protection safeguards against unauthorized alterations.
    • Cybercriminal activities could involve altering data to disrupt target operations.
    • Integrity considerations include preventing modifications by outsiders, preventing unintended changes by authorized users, and maintaining data consistency.
    • Risks and defenses include unauthorized modifications (following the principle of least privilege), impersonation (improving user training and education), man-in-the-middle attacks (implementing encryption, like TLS), and replay attacks (using similar techniques as for MITM).

    Availability

    • Availability focuses on timely and continuous access to systems and data for authorized users.
    • Business operations depend on system and data availability.
    • Security measures must guarantee continuous access.
    • Risks and defenses include Denial of Service (DoS) attacks (deploying firewalls, and partnering with ISPs), power outages (using redundant power sources and backup generators), hardware failures (implementing system redundancy), destruction of equipment (implementing backup data centers or remote locations), and service outages (designing resilient systems against errors and hardware failures).

    DAD Triad

    • When the goals of the CIA triad are not met, there is disclosure, alteration, or destruction.
    • Disclosure is unauthorized access to information, often called a data breach.
    • Alteration is changing data or information from its original form (encrypting/deleting).
    • Destruction/Denial is causing a system to be unreachable by any user.

    Non-Repudiation

    • Non-repudiation is a security goal that prevents someone from denying an action or a fact.
    • E-commerce transactions include signatures and additional information so that a party cannot later deny the transaction.
    • Physical signatures and digital signatures are used to provide non-repudiation, along with biometric security (fingerprint, facial recognition) and video surveillance (CCTV).

    Authentication and Authorization

    • Authentication verifies user identity.
    • Authorization determines user access rights/permissions.
    • Accounting (or Accountability) tracks user activities.
    • Together these are often referred to as AAA (Authentication, Authorization, Accounting).
    • Access Control Systems (digital and password policies), Authentication Factors (knowledge, possession, and inherence), and Multi-Factor Authentication are critical components of authentication and authorization.

    Digital Access Control

    • User identity is primarily established through usernames.
    • A password is securely tied to the username for authentication.
    • Access Control Lists (ACLs) grant specific file system permissions based on user identity.
    • Accounting logs user activity, including web browsing, to maintain a record of actions within the set boundaries.

    Password Policies

    • Password security requirements are enforced through several technical controls.
    • Mechanisms include password length, complexity (upper/lowercase, numbers, and special characters), expiration, history (to prevent reuse), resets (quickly and privately), and reuse (limiting the reuse to enhance security across multiple networks).

    Authentication Factors

    • Three main types: Something you know (e.g. passwords, PINs), Something you have (e.g. tokens, smart cards), Something you are (e.g. biometrics like fingerprints).
    • False Rejection Rate (FRR) and False Acceptance Rate (FAR) are crucial in biometric authentication to avoid misidentification.
    • The Crossover Error Rate (CER), the point at which FRR and FAR are equal, is a good measure for tuning that balance.

    Privacy

    • Privacy is a human right.
    • Organizations are responsible for educating users and supporting privacy officials.
    • Types of private information include PII (Personally Identifiable Information), PHI (Protected Health Information), and PCI (Payment Card Industry) information.
    • Key areas of privacy concern include: Types of private information, Expectation of privacy, General Data Protection Regulation (GDPR), and Privacy Management Frameworks.

    Security Governance Process

    • Security governance defines strategies to oversee the organization.
    • Security governance elements include plans, policies, standards, and procedures.
    • Laws and regulations form the basis for the organization's security governance policies and practices.
    • Examples discussed include GDPR and others.

    Domain 2: Business Continuity Management

    • BCM is the second domain of the ISC2 CC exam.
    • Students learn the purpose, importance, and aspects of business continuity, disaster recovery, and incident response.

    Business Continuity Planning

    • BCP (business continuity planning) is a core responsibility of information security professionals.
    • It involves activities to keep operations running during a crisis.
    • BCP can be triggered by various hazards, including technological failure, human error, attacks (terrorism, hacking), and natural disasters like earthquakes and typhoons.
    • This function supports the availability security objective.

    Scope Definitions

    • A concise scope is essential for managing BCM initiatives.
    • It's critical upfront to clearly define which business processes will be covered by the plan, what types of systems need to be covered, and what risk controls should be considered.

    Business Impact Analysis

    • BIA assesses the potential impacts of risks to define mission-critical functions and supporting systems.
    • Results help determine which controls to use and how much control is appropriate based on the organization's risk tolerance.

    Business Continuity Controls

    • Security experts use a range of tools and strategies to address availability issues.
    • Redundancy (and fault tolerance) is critical, ensuring a system can function despite failures in individual parts.
    • Single Point of Failure (SPOF) analysis helps identify and remove SPOFs to enable system/process functionality despite a single part's failure.
    • Another important control for BC is Personnel Succession Planning.

    High Availability

    • HA uses multiple systems to protect against failures.
    • It’s crucial to have system redundancy to sustain operation. This could involve different locations or geographically redundant backups.
    • Load balancing is a related but distinct concept that distributes load among systems.

    Fault Tolerance

    • Fault Tolerance helps to avoid system failures from the start.
    • Components such as power supply, storage media, and networking components are common failure points.
    • FT controls help maintain operation even with simultaneous component failures.

    Disaster Recovery Planning

    • Disaster recovery (DR) is a subset of business continuity aiming for rapid return to normal/operational capacity and procedures.
    • DR plans contain quick measures for temporary restoration of operations, and comprehensive actions to return to normal operation.
    • Disruptions can be caused by natural disasters, technological failures, health emergencies and actions from other people or malicious actors.

    Disaster Recovery Metrics

    • Key metrics include Recovery Point Objective (RPO), Recovery Time Objective (RTO), Work Recovery Time (WRT), and Maximum Tolerable Downtime (MTD).
    • RPO measures acceptable data loss; RTO measures acceptable downtime; WRT and MTD (defined by leadership) assess the maximum tolerable downtime.
    • Recovery Service Levels (RSLs) provide an estimated percentage of availability during a disaster.

    DR Testing

    • Different types of DR testing ensure the effectiveness and preparedness to respond to disruptions.
    • These include (but are not limited to) read-through, walk-through, simulation (theoretical exercises), parallel tests, and full interruption tests.

    Incident Response Program

    • Incident response (IR) involves all the activities leading up to establishing an incident response plan, creating and staffing an incident management team, creating an incident communications plan, and incident identification and response.

    Incident Response Team

    • The incident response team should include essential personnel and may involve experts outside the organization to address specific areas of needed expertise.
    • Individuals are trained and assigned roles to engage in handling an incident.
    • Procedures are put in place for incident notification and escalation, along with contact processes and designated protocols for communication.

    Incident Communications Plan

    • An effective incident communications plan is vital for all organizations and covers internal and external communications.
    • Internal teams require efficient notification, while external communications often involve sensitive data and may need to be restricted to prevent unnecessary exposure.

    Incident Identification

    • Procedures help identify incidents, which could be via monitoring, employee reports, customer reports or reports from other organizations.
    • Security data sources (IDS/IPS systems, Firewalls, and authentication systems) provide evidence of actions.
    • SIEM (security information and event management system) technology facilitates these assessments, and systems can generate alerts for possible events.

    Incident Response

    • Incident response begins when a security professional recognizes an incident.
    • The team immediately isolates the compromised system and/or systems involved.
    • A wide range of activities is conducted to stop the incident and return to normal operation, minimizing the damage or impact of the incident.


    Quiz Team


    Description

    Test your knowledge on electronic access control mechanisms and security principles. This quiz covers topics such as eavesdropping defenses, integrity protection, impersonation attacks, and more. Challenge yourself to understand the critical components of access control systems.
