Fundamentals of Information Security Quiz
48 Questions
Questions and Answers

What are the three primary components of the CIA Triad in Information Security?

  • Confidentiality, Integrity, Availability (correct)
  • Control, Integrity, Availability
  • Confidentiality, Intrusion, Availability
  • Confidentiality, Integrity, Authorization

What is the primary purpose of 'RAID' technology in data storage?

  Data redundancy, performance improvement, or both

A stateful firewall only allows traffic that is part of a new or already established connection, while a packet filtering firewall examines the content of the traffic.

  False

What is the main goal of using a 'fuzzer' in security testing?

  To find vulnerabilities or weaknesses

The Gramm-Leach-Bliley Act (GLBA) focuses on protecting the privacy of customers' non-public personal information.

  True

A brute force attack involves the use of multiple password attempts until the correct one is guessed.

  True

The HIPAA law specifically governs the protection of information related to educational institutions.

  False

Which component of the Parkerian Hexad is specifically concerned with the ownership or creator attribution of data?

  Authenticity

In the context of attack types, which term describes an event that causes data to become unavailable or unusable?

  Interruption

What is the correct order of steps in the risk management process?

  Identify Asset, Identify Threats, Assess Vulnerabilities, Assess Risk, Mitigate Risk

Which type of authentication involves verifying a user based on their geographical location?

  Somewhere you are

What process includes preparation activities performed before an incident occurs?

  Incident response

Which of the following best defines a 'threat' in information security?

  Potential harmful event or action

In mutual authentication, what is typically exchanged to verify each party?

  Digital certificates

What is the primary objective of the containment process in incident management?

  To ensure the situation does not cause further damage

Which act aims to promote the adoption of electronic health records by healthcare providers?

  Health Information Technology for Economic and Clinical Health (HITECH)

Which access control model allows the system administrator to define access based on predetermined rules?

  Rule-based Access Control

What is the primary purpose of compliance in an organizational context?

  To conform to relevant laws and regulations

What does the principle of 'least privilege' aim to achieve in access control?

  Ensuring users have only necessary access rights

In the context of access control, what does revoking access entail?

  Taking away access from a previously authorized user

Which of the following describes the term 'phishing' in cybersecurity?

  An attack convincing a victim to provide personal information via email

What does the term 'defense in-depth' refer to in security?

  Implementing multiple security measures to safeguard a system

What is the main focus of post-incident activity in incident management?

  Determining the root cause and prevention strategies

Which of the following is NOT a form of access control?

  Establishing backup media

What kind of measures does a Network Intrusion Detection System (NIDS) specifically focus on?

  Monitoring for malicious activities within network traffic

Which access control model gives the owner of the resources the authority to determine who gets access?

  Discretionary Access Control (DAC)

What is a primary responsibility of accountability in access control?

  Making it possible to trace actions back to individuals

Which term refers to measures taken to eliminate the effects of a security incident?

  Eradication

What can be concluded about the confidentiality provided by hash functions?

  Hash functions provide integrity but not confidentiality.

Which statement best describes digital signatures?

  They provide nonrepudiation for sent messages.

What is the purpose of certificates in cryptography?

  To validate an individual's identity using a public key.

What differentiates data at rest from data in motion?

  Data at rest is stored on a storage device, while data in motion is being transmitted.

Which encryption method is the hardest to implement effectively?

  Encrypting data in use.

What is a common characteristic of a DDoS attack?

  It overloads a network or website with traffic.

What is the role of IPsec in network security?

  It creates a secure, encrypted tunnel between devices.

Which of the following statements is true regarding keyless cryptography?

  It secures information using mathematical algorithms without a traditional key.

How does the Family Educational Rights and Privacy Act (FERPA) protect individuals?

  By regulating the sharing of educational records and personally identifiable information.

What distinguishes a man-in-the-middle attack from other cyber attacks?

  It intercepts and potentially alters communications between two parties.

Which of the following best describes nonrepudiation?

  Confidently ensuring a user cannot deny an action

What distinguishes an Intrusion Prevention System (IPS) from an Intrusion Detection System (IDS)?

  IPS takes action against threats, while IDS only monitors.

Which of the following describes symmetric cryptography?

  Employs a single key for both encryption and decryption

Which of the following is NOT a characteristic of Block Ciphers?

  Encrypts data one bit at a time

Which of the following symmetric key algorithms is considered outdated and insecure?

  DES

What is the primary function of Asymmetric Cryptography?

  To use public and private keys for encryption and decryption

Which of the following protocols is primarily known for securing web and email traffic?

  PGP

What key length options does AES support?

  128-bit, 192-bit, and 256-bit

What is the main purpose of SSL and TLS protocols?

  To secure data transmission over networks

Penetration testing is most accurately defined as?

  Simulating real-world attack techniques to identify vulnerabilities

Study Notes

Fundamentals of Information Security

  • CIA Triad: Confidentiality (only authorized access), Integrity (data unaltered), Availability (accessible when needed).
  • Parkerian Hexad: Confidentiality (authorized access), Integrity (unaltered without detection), Availability (accessible when needed), Possession (physical control of data), Authenticity (correct origin), Utility (usefulness of data).
  • Attack Types: Interception (affects confidentiality), Interruption (unavailable assets), Modification (tampering), Fabrication (false information).

Key Concepts, Identification, and Authorization

  • Authorization: Defining what a user can access, modify, and delete.
  • Least Privilege: Granting users only the minimum access required for their job.
  • Access Control: Allowing, denying, limiting, and revoking access to resources.
  • Access Control Models: Discretionary (DAC), Mandatory (MAC), Role-based (RBAC), Attribute-based (ABAC). Each model is distinguished by which entity controls access and by what governs the decision to grant access to a resource.
  • Accountability: Tracking actions so that responsibility can be assigned.
  • Nonrepudiation: Preventing denial of actions or statements.

Access Control

  • Access Control List (ACL): Rules for permission on network traffic.
  • Cryptography: Using codes and ciphers for secure information.
    • Symmetric Cryptography: Uses a single key to encrypt and decrypt.
      • Block Cipher: Encrypts fixed-size blocks of data.
      • Stream Cipher: Encrypts data one bit at a time.
    • Asymmetric Cryptography: Uses a public and private key.
    • Secure Sockets Layer (SSL), Transport Layer Security (TLS): Protocols securing data transmission.
  • Hash Functions: Create unique hash values from data.
    • Hashes provide integrity, not confidentiality, and are used to verify that data has not been altered. They are keyless cryptographic methods that rely on mathematical algorithms to secure information.
    • Keyless Cryptography: Uses mathematical algorithms for security without a key.
  • Digital Signatures: Ensure message authenticity and prevent denial of sending.
  • Certificates: Link a public key to a specific entity, for electronic identification.
  • IPsec and SSL VPN: Technologies securing connections between devices.

Operations and Human Element Study

  • Pretexting: Convincing someone by impersonation.
  • Phishing: Tricking users with deceptive emails or websites.
  • Tailgating: Following an authorized person into a secure area.
  • Brute Force: Repeatedly trying passwords until the correct one is found.

Physical and Network Security

  • Physical Threats: Extreme temperatures, gases, liquids, living organisms, projectiles, movement, energy, people, toxins, and smoke or fire.
  • Defense-in-Depth: Using multiple security layers for protection.
  • RAID: Data storage technology improving redundancy, performance, or both.
  • Intrusion Detection System (IDS): Monitors networks, hosts, or applications for unauthorized activity.
  • Network Intrusion Detection System (NIDS): Detects malicious network activity.
  • Anti-Threat Software & Hosts: Includes firewalls, anti-virus, and spyware detection.
  • Network Segmentation: Dividing a network into smaller, more manageable units.

Protecting Data at Rest and in Motion

  • Data Protection at Rest: Encrypting data stored in a resting state.
  • Data Protection in Motion: Encrypting data during transmission.
  • SSL/TLS & DDoS Attacks: SSL/TLS secures data transmission over networks; a DDoS attack overloads a network or website with traffic.

Laws and Regulations

  • FISMA (Federal Information Security Modernization Act): Protecting government information.
  • FERPA (Family Educational Rights and Privacy Act): Protecting student information.
  • HIPAA (Health Insurance Portability and Accountability Act): Protecting health information.
  • HITECH Act: Promoting health information technology adoption.
  • SOX (Sarbanes-Oxley Act): Requires financial records to be accurate and disclosed in a timely manner.
  • COPPA (Children's Online Privacy Protection Act): Protecting child data.
  • Gramm-Leach-Bliley Act (GLBA): Protecting customer information.
  • PCI DSS (Payment Card Industry Data Security Standard): Protecting credit card information.

Operating System and Application Security

  • OS Hardening: Reducing vulnerabilities through software removal, altering accounts, and timely updates.
  • Nessus: Vulnerability assessment tool identifying and assessing system vulnerabilities.
  • Buffer Overflows: Attacks that exploit insufficient data validation.
  • Race Conditions: Vulnerabilities where multiple processes access shared resources simultaneously.

Penetration Testing

  • Penetration Testing: Mimicking real-world attack methodologies in controlled environments.

Network Tools for Security

  • Firewalls: Controlling network traffic flow.
  • Packet Filtering: Allowing or blocking specified traffic types.
  • Stateful Firewalls: Monitoring connection states.
  • Deep Packet Inspection: Analyzing packet content.
  • Proxy Servers: Filtering traffic and serving as intermediaries.
  • DMZ (Demilitarized Zone): Separating internet-reachable services from the internal network.
  • Port Scanners (Nmap): Identifying open ports on a system.
  • Packet Sniffers (Wireshark, Tcpdump): Analyzing network traffic.
  • Honeypots: Systems designed to attract attackers and monitor their activities without affecting the safety of the main system.

Additional Security Tools

  • SQL injections and XSS (Cross-Site Scripting): Security vulnerabilities.
  • Fuzzers (Nikto or Wireshark): Security testing methodology.
Related Documents

WGU C836 Study Guide PDF

Description

Test your understanding of essential concepts in information security, including the CIA Triad and the Parkerian Hexad. Explore key elements such as authorization, access control models, and types of attacks. This quiz will challenge your knowledge on how to protect and manage data effectively.
