Fundamentals of Information Security Quiz
48 Questions

Questions and Answers

What are the three primary components of the CIA Triad in Information Security?

  • Confidentiality, Integrity, Availability (correct)
  • Control, Integrity, Availability
  • Confidentiality, Intrusion, Availability
  • Confidentiality, Integrity, Authorization

What is the primary purpose of 'RAID' technology in data storage?

Data redundancy, performance improvement, or both

A stateful firewall only allows traffic that is part of a new or already established connection, while a packet filtering firewall examines the content of the traffic.

False (B)

What is the main goal of using a 'fuzzer' in security testing?

To find vulnerabilities or weaknesses

The Gramm-Leach-Bliley Act (GLBA) focuses on protecting the privacy of customers' non-public personal information.

True (A)

A brute force attack involves the use of multiple password attempts until the correct one is guessed.

True (A)

The HIPAA law specifically governs the protection of information related to educational institutions.

False (B)

Which component of the Parkerian Hexad is specifically concerned with the ownership or creator attribution of data?

Authenticity (C)

In the context of attack types, which term describes an event that causes data to become unavailable or unusable?

Interruption (C)

What is the correct order of steps in the risk management process?

Identify Asset, Identify Threats, Assess Vulnerabilities, Assess Risk, Mitigate Risk (D)

Which type of authentication involves verifying a user based on their geographical location?

Somewhere you are (C)

What process includes preparation activities performed before an incident occurs?

Incident response (D)

Which of the following best defines a 'threat' in information security?

Potential harmful event or action (B)

In mutual authentication, what is typically exchanged to verify each party?

Digital certificates (D)

What is the primary objective of the containment process in incident management?

To ensure the situation does not cause further damage (C)

Which act aims to promote the adoption of electronic health records by healthcare providers?

Health Information Technology for Economic and Clinical Health (HITECH) (A)

Which access control model allows the system administrator to define access based on predetermined rules?

Rule-based Access Control (D)

What is the primary purpose of compliance in an organizational context?

To conform to relevant laws and regulations (C)

What does the principle of 'least privilege' aim to achieve in access control?

Ensuring users have only necessary access rights (B)

In the context of access control, what does revoking access entail?

Taking away access from a previously authorized user (D)

Which of the following describes the term 'phishing' in cybersecurity?

An attack convincing a victim to provide personal information via email (A)

What does the term 'defense-in-depth' refer to in security?

Implementing multiple security measures to safeguard a system (C)

What is the main focus of post-incident activity in incident management?

Determining the root cause and prevention strategies (B)

Which of the following is NOT a form of access control?

Establishing backup media (B)

What kind of measures does a Network Intrusion Detection System (NIDS) specifically focus on?

Monitoring for malicious activities within network traffic (B)

Which access control model gives the owner of the resources the authority to determine who gets access?

Discretionary Access Control (DAC) (D)

What is a primary responsibility of accountability in access control?

Making it possible to trace actions back to individuals (D)

Which term refers to measures taken to eliminate the effects of a security incident?

Eradication (B)

What can be concluded about the confidentiality provided by hash functions?

Hash functions provide integrity but not confidentiality. (C)

Which statement best describes digital signatures?

They provide nonrepudiation for sent messages. (A)

What is the purpose of certificates in cryptography?

To validate an individual's identity using a public key. (B)

What differentiates data at rest from data in motion?

Data at rest is stored on a storage device, while data in motion is being transmitted. (A)

Which encryption method is the hardest to implement effectively?

Encrypting data in use. (D)

What is a common characteristic of a DDoS attack?

It overloads a network or website with traffic. (C)

What is the role of IPsec in network security?

It creates a secure, encrypted tunnel between devices. (C)

Which of the following statements is true regarding keyless cryptography?

It secures information using mathematical algorithms without a traditional key. (C)

How does the Family Educational Rights and Privacy Act (FERPA) protect individuals?

By regulating the sharing of educational records and personally identifiable information. (D)

What distinguishes a man-in-the-middle attack from other cyber attacks?

It intercepts and potentially alters communications between two parties. (B)

Which of the following best describes nonrepudiation?

Confidently ensuring a user cannot deny an action (A)

What distinguishes an Intrusion Prevention System (IPS) from an Intrusion Detection System (IDS)?

IPS takes action against threats, while IDS only monitors. (D)

Which of the following describes symmetric cryptography?

Employs a single key for both encryption and decryption (C)

Which of the following is NOT a characteristic of Block Ciphers?

Encrypts data one bit at a time (C)

Which of the following symmetric key algorithms is considered outdated and insecure?

DES (A)

What is the primary function of Asymmetric Cryptography?

To use public and private keys for encryption and decryption (B)

Which of the following protocols is primarily known for securing web and email traffic?

PGP (B)

What key length options does AES support?

128-bit, 192-bit, and 256-bit (B)

What is the main purpose of SSL and TLS protocols?

To secure data transmission over networks (A)

How is penetration testing most accurately defined?

Simulating real-world attack techniques to identify vulnerabilities (C)

Flashcards

CIA Triad

A model of information security focusing on Confidentiality, Integrity, and Availability.

Confidentiality

Ensuring only authorized individuals access data.

Integrity

Maintaining data accuracy and preventing unauthorized changes.

Availability

Ensuring authorized users can access data when needed.

Parkerian Hexad

An expanded information security model, adding Possession, Authenticity, and Utility to the CIA Triad.

Threat

A potential danger or risk to an asset.

Vulnerability

A weakness in a system that can be exploited by a threat.

Authentication

Verifying a user's identity.

Mutual Authentication

Both parties in a transaction authenticate each other.

Risk Management Process

A structured approach to identifying, analyzing, and mitigating risks.

Incident Response Process

A structured approach to handling security incidents.

Authorization

Determining what a user is permitted to access.

Least Privilege

Granting only the necessary access to perform a task.

Access Control

Managing who can access resources and how.

Network ACL

Rules governing network traffic.

Accountability

Ensuring actions are traceable to responsible parties.

Intrusion Detection (IDS)

Systems that monitor for malicious activity.

Intrusion Prevention (IPS)

Systems that take action against detected threats.

Symmetric Encryption

Using the same key for encryption and decryption.

Asymmetric Encryption

Using different keys for encryption and decryption.

Phishing

A social engineering attack tricking users into revealing sensitive info.

Tailgating

Unauthorized entry by following an authorized person.

Brute Force

Repeatedly trying passwords until correct.

Buffer Overflow

A vulnerability arising from insufficient input validation.

SQL Injection

Injecting malicious code into SQL queries.

Cross-Site Scripting (XSS)

Injecting malicious script into web pages.

Discretionary Access Control (DAC)

A model where the owner of a resource controls who has access to it.

Mandatory Access Control (MAC)

A model where a separate authority (not the owner) determines access to resources.

Role-Based Access Control (RBAC)

A model where access is granted based on a user's role within an organization.

What are the three main principles of the CIA Triad?

Confidentiality, Integrity, and Availability are the three core principles. Confidentiality ensures only authorized individuals access data, integrity maintains data accuracy and prevents alterations, and availability guarantees authorized users can access data when needed.

What's a major difference between the CIA Triad and the Parkerian Hexad?

The Parkerian Hexad expands upon the CIA Triad by incorporating three additional principles: possession, authenticity, and utility. Possession refers to physical control of the data, authenticity verifies the data's source, and utility assesses the data's usefulness.

Interception Attack

An attacker gains unauthorized access to data, applications, or the network environment.

What's a Vulnerability?

A weakness in a system, application, or configuration that can be exploited by a threat to cause harm.

What is the purpose of Mutual Authentication?

Mutual authentication involves both parties in communication verifying each other's identities before exchanging data. This helps prevent 'man-in-the-middle' attacks where an attacker intercepts and alters communication.

Why is Risk Management Important?

Risk management is a structured process to identify, analyze, and mitigate potential threats and vulnerabilities to protect assets. It helps minimize potential damage and ensure security measures are effective.

What is an Incident Response Process?

The incident response process is a structured approach to handling security incidents. It includes preparation, detection, containment, eradication, recovery, and post-incident review.

HIPAA

A law requiring healthcare organizations to protect patient health information (PHI) confidentiality and integrity.

HITECH Act

Promotes electronic health record (EHR) adoption by healthcare providers to improve efficiency and data sharing.

SOX Act

Requires publicly traded companies to maintain accurate financial records and timely disclosures.

GLBA

Protects the privacy of customer financial information held by financial institutions.

PCI DSS

A set of security standards for companies that process credit card payments, to protect cardholder data.

Nonrepudiation

Ensuring that an individual cannot deny having made a statement or taken an action.

Intrusion Detection System (IDS)

A system that monitors network activity for malicious events and reports them.

Intrusion Prevention System (IPS)

A system that takes actions to prevent malicious events from occurring.

Auditing

The process of examining and reviewing an organization's records to ensure accountability.

Penetration Testing

Simulating a real-world attack to identify vulnerabilities in a system.

Cryptography

The practice of using codes and ciphers to secure information.

Symmetric Cryptography

Using the same key for both encryption and decryption.

Asymmetric Cryptography

Using a public key for encryption and a private key for decryption.

SSL (Secure Sockets Layer) and TLS (Transport Layer Security)

Protocols used to secure data transmission over networks by providing authentication and encryption.

What is the difference between IDS and IPS?

An IDS detects malicious activity and reports it, while an IPS takes action to prevent the activity from occurring.

Hash Function

A mathematical function that takes an input (message) and generates a fixed-length, unique output (hash) based on the input content. Hashes are used for integrity checks, ensuring the data hasn't been tampered with.

Keyless Cryptography

A method of securing data without using traditional keys. It relies on mathematical algorithms, like hash functions, to encrypt data, creating a unique 'signature' for it.

Digital Signature

A cryptographic technique used to verify the authenticity and integrity of a digital message. It ensures the message was sent by the expected sender and that it hasn't been tampered with during transmission.

Certificate

An electronic document that links a public key to a specific individual or organization. They act as digital identification, similar to a driver's license or passport.

IPsec and SSL VPN

Technologies that secure connections between devices by creating an encrypted tunnel. Think of sending data in a sealed, locked container.

Protecting Data at Rest

Securing data stored on devices like hard drives or servers. Often achieved through encryption.

Protecting Data in Motion

Securing data as it moves across networks, like when transferring a file or sending an email. Techniques like SSL VPN and TLS are used.

Protecting Data in Use

Securing data while it's being accessed or manipulated by users, which is often the most challenging aspect of data security.

DDOS Attack

A cyber attack where an attacker overwhelms a website or network with excessive traffic, making it inaccessible to legitimate users.

Man-in-the-Middle Attack

A type of cyber attack where an attacker intercepts communication between two parties, potentially reading, altering, or injecting false information.

Study Notes

Fundamentals of Information Security

  • CIA Triad: Confidentiality (only authorized access), Integrity (data unaltered), Availability (accessible when needed).
  • Parkerian Hexad: Confidentiality (authorized access), Integrity (unaltered without detection), Availability (accessible when needed), Possession (physical control of data), Authenticity (correct origin), Utility (usefulness of data).
  • Attack Types: Interception (affects confidentiality), Interruption (unavailable assets), Modification (tampering), Fabrication (false information).

Key Concepts, Identification, and Authorization

  • Authorization: Defining what a user can access, modify, and delete.

  • Least Privilege: Granting users only the minimum access required for their job.

  • Access Control: Allowing, denying, limiting, and revoking access to resources.

  • Access Control Models: Discretionary (DAC), Mandatory (MAC), Role-based (RBAC), Attribute-based (ABAC). Each model is distinguished by which entity controls access and by what guides the decision to grant access to a resource.

  • Accountability: Tracking actions for responsibility.

  • Nonrepudiation: Preventing denial of actions or statements.

Access Control

  • Access Control List (ACL): Rules permitting or denying network traffic.
  • Cryptography: Using codes and ciphers for secure information.

    • Symmetric Cryptography: Uses a single key to encrypt and decrypt.
      • Block Cipher: Encrypts fixed-size blocks of data.
      • Stream Cipher: Encrypts data one bit at a time.
    • Asymmetric Cryptography: Uses a public and private key.
    • Secure Sockets Layer (SSL), Transport Layer Security (TLS): Protocols securing data transmission.
  • Hash Functions: Create unique hash values from data. Hashes provide integrity (not confidentiality) and are used to verify that data has not been altered.
    • Keyless Cryptography: Uses mathematical algorithms, such as hash functions, to secure information without a key.
  • Digital Signatures: Ensure message authenticity and prevent denial of sending.

  • Certificates: Link a public key to a specific entity, for electronic identification.

  • IPsec and SSL VPN: Technologies securing connections between devices.

Operations and Human Element Study

  • Pretexting: Convincing someone by impersonation.
  • Phishing: Tricking users with deceptive emails or websites.
  • Tailgating: Following an authorized person into a secure area.
  • Brute Force: Repeatedly trying passwords until correct.

Physical and Network Security

  • Physical Threats: Extreme temperatures, gases, liquids, living organisms, projectiles, movement, energy, people, toxins, and smoke or fire.

  • Defense-in-Depth: Using multiple security layers for protection.

  • RAID: Data storage technology providing redundancy, improved performance, or both.

  • Intrusion Detection System (IDS): Monitors networks, hosts, or applications for unauthorized activity.

  • Network Intrusion Detection System (NIDS): Detects malicious network activity.

  • Anti-Threat Software on Hosts: Includes firewalls, anti-virus, and spyware detection.

  • Network Segmentation: Dividing a network into smaller, more manageable units.

Protecting Data at Rest and in Motion

  • Data Protection at Rest: Encrypting data stored in a resting state.
  • Data Protection in Motion: Encrypting data during transmission.
  • SSL/TLS: Protocols securing data in motion across networks.
  • DDoS Attacks: Overwhelm a network or website with excessive traffic, making it unavailable to legitimate users.

Laws and Regulations

  • FISMA (Federal Information Security Modernization Act): Protecting government information.
  • FERPA (Family Educational Rights and Privacy Act): Protecting student information.
  • HIPAA (Health Insurance Portability and Accountability Act): Protecting health information.
  • HITECH Act: Promoting health information technology adoption.
  • SOX (Sarbanes-Oxley Act): Requires accurate financial records and timely disclosures.
  • COPPA (Children's Online Privacy Protection Act): Protecting child data.
  • Gramm-Leach-Bliley Act (GLBA): Protecting customer information.
  • PCI DSS (Payment Card Industry Data Security Standard): Protecting credit card information.

Operating System and Application Security

  • OS Hardening: Reducing vulnerabilities through software removal, altering accounts, and timely updates.
  • Nessus: Vulnerability assessment tool identifying and assessing system vulnerabilities.
  • Buffer Overflows: Exploits insufficient data validation.
  • Race Conditions: Vulnerabilities where multiple processes access shared resources simultaneously.

Penetration Testing

  • Penetration Testing: Mimicking real-world attack methodologies in controlled environments.

Network Tools for Security

  • Firewalls: Controlling network traffic flow.
  • Packet Filtering: Allowing or blocking specified traffic types.
  • Stateful Firewalls: Monitoring connection states.
  • Deep Packet Inspection: Analyzing packet content.
  • Proxy Servers: Filtering traffic and serving as intermediaries.
  • DMZ (Demilitarized Zone): Separating internet-reachable services from the internal network.
  • Port Scanners (Nmap): Identifying open ports on a system.
  • Packet Sniffers (Wireshark, Tcpdump): Analyzing network traffic.
  • Honeypots: Systems designed to attract hackers and monitor their activities without affecting the safety of the main system.

Additional Security Tools

  • SQL Injection and XSS (Cross-Site Scripting): Injection vulnerabilities; SQL injection inserts malicious input into database queries, XSS injects malicious script into web pages.
  • Fuzzers (the guide lists Nikto and Wireshark): Security testing tools used to find vulnerabilities or weaknesses.

Related Documents

WGU C836 Study Guide PDF

Description

Test your understanding of essential concepts in information security, including the CIA Triad and the Parkerian Hexad. Explore key elements such as authorization, access control models, and types of attacks. This quiz will challenge your knowledge on how to protect and manage data effectively.