Information Security Fundamentals

Questions and Answers

Which of the following correctly lists the three main components of the CIA Triad?

  • Integrity, Accessibility, Security
  • Confidentiality, Integrity, Availability (correct)
  • Authentication, Encryption, Firewall
  • Confidentiality, Identification, Authentication

Which action exemplifies ensuring confidentiality of data?

  • Ensuring backup systems are functional
  • Using strong passwords and encryption (correct)
  • Making information accessible to everyone
  • Preventing unauthorized changes to data

Which security measure is designed primarily to prevent unauthorized network access?

  • Firewall (correct)
  • VPN
  • Antivirus software
  • Backup storage

What is the primary purpose of encryption in information security?

To convert data into an unreadable format for unauthorized users

Which of the following scenarios exemplifies a social engineering attack?

Phishing emails tricking users into providing login credentials

Which of the following is a key characteristic of a strong password?

A mix of uppercase, lowercase, numbers, and symbols

Which of the following options represents a type of malware?

Ransomware

Which method provides the best protection for sensitive information?

Use strong encryption and access control

What is the primary function of a VPN (Virtual Private Network)?

To provide a secure and encrypted connection over the internet

Which of the following is NOT considered a cybersecurity threat?

Backup storage

What is the primary goal of Information Security Governance?

To provide strategic direction and manage security risks

Which of the following is a key component of an organization's security program?

Information Security Blueprint

What is the main purpose of a Security Education, Training, and Awareness (SETA) program?

To enhance security knowledge and prevent human errors

Which option is NOT typically considered a type of security policy?

Employee Salary Policy

What is the main focus of Business Continuity Planning (BCP)?

Ensuring critical business functions continue during a disaster

What is typically the first step in contingency planning?

Risk Assessment

Which term describes the strategy of implementing multiple layers of security controls?

Defense in Depth

The ISO 27000 Series is widely recognized for which purpose?

Setting international standards for information security management

Which action best describes the purpose of Incident Response Planning (IRP)?

To detect and mitigate the impact of security incidents

What does the term 'Access Control List (ACL)' define?

A record that defines access permissions for users and systems

What is the primary purpose of information security laws?

To protect information and ensure the ethical use of technology

Which law established minimum security practices for federal computer systems?

Computer Security Act of 1987

In information security, what does the term 'Due Diligence' refer to?

The practice of maintaining security measures continuously

Which act provides guidelines for financial institutions regarding the protection of consumer information?

Gramm-Leach-Bliley Act

What does 'Personally Identifiable Information (PII)' refer to?

Any information that can be used to identify an individual

To whom does the General Data Protection Regulation (GDPR) primarily apply?

Companies processing the personal data of individuals in the European Union

Which of the following is a key component of the Data Privacy Act of 2012 (DPA)?

Regulating data processing and protecting individual privacy rights

Which organization developed the Ten Commandments of Computer Ethics?

Computer Ethics Institute (CEI)

Which law criminalizes unauthorized access to computer systems and networks?

Computer Fraud and Abuse Act (CFAA)

Which area does the Sarbanes-Oxley Act (SOX) primarily regulate?

Financial reporting and corporate accountability

Flashcards

CIA Triad

Confidentiality, Integrity, and Availability: ensuring data is protected from disclosure, accurate and unaltered, and accessible when needed.

Ensuring confidentiality

Ensuring that information is only accessible to authorized individuals or systems.

Firewall

A security system that monitors and controls incoming and outgoing network traffic according to a rule set.

Encryption

Converting data into an unreadable format to protect it from unauthorized access.

Social engineering attack

Tricking individuals into revealing sensitive information through deceptive means.

Strong Password

A long secret that mixes uppercase and lowercase letters, numbers, and symbols; length matters at least as much as character variety.

Ransomware

Malicious software designed to block access to a computer system or its data until a sum of money is paid.

Protect sensitive information best

Using strong encryption and access controls.

Purpose of a VPN

To provide a secure and encrypted connection over the internet.

Backups are not threats

A secure copy of data kept to protect against data loss or corruption; backup storage is a safeguard, not a threat.

Information Security

Protecting information from unauthorized access, disclosure, alteration and destruction.

Cyber-attack

Any attempt to gain unauthorized access to, disrupt, or damage systems or data; tricking a victim into revealing personal information is the social-engineering form.

Encryption

The process of converting plaintext into ciphertext so that only holders of the key can read it.

Denial of Service Attack

Attackers overwhelm a system with traffic or requests, making it unavailable to legitimate users.

Antivirus Software

Detects and removes malicious software.

MFA

Requires two or more authentication factors (something you know, have, or are) to access an account.

Physical Security

Protects physical access to computers and servers.

Ransomware

Malicious software that demands payment to restore access to data.

Network security

Prevents unauthorized entry into a private network.

Security Policy

Defines how an organization protects sensitive information.

Info security laws

Protect information and ensure ethical use of technology.

Computer Security Act

Establishes minimum security practices for federal computer systems.

"Due Diligence"

Continuously maintaining and reviewing security measures so they keep providing the required protection.

Gramm-Leach-Bliley Act

Provides guidelines for financial institutions on protecting consumer information.

PII

Any information that can be used to identify an individual.

GDPR

Applies to companies processing the personal data of individuals in the EU.

Data Privacy Act

Regulates data processing and protects individual privacy rights.

Computer ethics

Principles governing how people use computers.

Computer Fraud and Abuse Act

Criminalizes unauthorized access to computer systems and networks.

Sarbanes-Oxley Act

Regulates financial reporting and corporate accountability.

Study Notes

Introduction to Information Security

  • The three main components of the CIA Triad are Confidentiality, Integrity, and Availability
  • Confidentiality is supported by strong authentication (for example strong passwords) and encryption
  • Unauthorized network access is prevented primarily by a firewall
  • Encryption converts data into an unreadable format for unauthorized parties
  • Phishing emails that trick users into providing login credentials are an example of a social engineering attack
  • A strong password is long and mixes uppercase, lowercase, numbers, and symbols
  • Ransomware is a type of malware
  • Sensitive information is best protected using strong encryption and access control
  • A VPN (Virtual Private Network) provides a secure and encrypted connection over the internet
  • Backup storage is a safeguard, not a cybersecurity threat
  • The primary purpose of information security laws is to protect information and ensure the ethical use of technology
  • The Computer Security Act of 1987 establishes minimum security practices for federal computer systems
  • "Due Diligence" in information security refers to maintaining security measures continuously
  • The Gramm-Leach-Bliley Act provides guidelines for financial institutions regarding consumer information protection
  • Personally Identifiable Information (PII) includes any information that can identify an individual
  • The General Data Protection Regulation (GDPR) primarily applies to companies processing personal data of individuals in the European Union
  • The Data Privacy Act of 2012 (DPA) regulates data processing and protects individual privacy rights
  • The Computer Ethics Institute (CEI) developed the Ten Commandments of Computer Ethics
  • The Computer Fraud and Abuse Act (CFAA) criminalizes unauthorized access to computer systems and networks
  • The Sarbanes-Oxley Act (SOX) primarily regulates financial reporting and corporate accountability

Planning for Security

  • The primary goal of Information Security Governance is to provide strategic direction and manage security risks
  • An Information Security Blueprint forms a key component of an organization's security program
  • The purpose of a Security Education, Training, and Awareness (SETA) program is to enhance security knowledge and prevent human errors
  • Employee Salary Policy is not a type of security policy
  • Business Continuity Planning (BCP) focuses on ensuring critical business functions continue during a disaster
  • Risk Assessment marks the first phase of contingency planning
  • Defense in Depth describes the strategy of implementing multiple layers of security controls
  • The ISO 27000 Series is widely known for setting international standards for information security management
  • Incident Response Planning (IRP) aims to detect and mitigate the impact of security incidents
  • An Access Control List (ACL) constitutes a record that defines access permissions for users and systems
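The ACL and Defense in Depth bullets above describe a record of permissions without showing how one is evaluated. The following is an added example, not code from the lesson: a small ACL evaluator in Python showing deny-by-default, first-match semantics and how an explicit deny placed early in the list overrides a broader group grant, which is how Least Privilege is enforced in practice. The principals, groups, resources and rules are all constructed for the example.

```python
"""Added example (not from the original lesson): an Access Control List
evaluator showing how an ACL records permissions for users and systems and
how deny-by-default, first-match evaluation enforces Least Privilege.
Principals, groups, resources and rules below are all constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class AclEntry:
    """One ACL rule: principal (a user or "group:<name>"), resource (an exact
    name or a prefix ending in "*"), action ("read", "write", "delete" or "*"),
    and whether the rule allows or denies."""
    principal: str
    resource: str
    action: str
    allow: bool

    def matches(self, user: str, groups: Set[str], resource: str, action: str) -> bool:
        if self.principal != user and self.principal not in groups:
            return False
        if self.resource.endswith("*"):
            if not resource.startswith(self.resource[:-1]):
                return False
        elif self.resource != resource:
            return False
        return self.action in ("*", action)


# Constructed sample ACL. Order matters: the first matching entry decides, so
# the explicit deny for bob is listed before the group grant it overrides.
ACL: List[AclEntry] = [
    AclEntry("bob",           "finance/ledger", "delete", False),
    AclEntry("group:finance", "finance/*",      "read",   True),
    AclEntry("group:finance", "finance/*",      "write",  True),
    AclEntry("group:finance", "finance/*",      "delete", True),
    AclEntry("group:hr",      "hr/*",           "read",   True),
    AclEntry("backup-svc",    "*",              "read",   True),   # read-only service account
]

# Constructed group membership (an assumption for the example).
GROUPS: Dict[str, Set[str]] = {
    "alice": {"group:finance"},
    "bob": {"group:finance"},
    "carol": {"group:hr"},
    "backup-svc": set(),
}


def is_allowed(user: str, resource: str, action: str,
               acl: List[AclEntry] = ACL,
               groups: Dict[str, Set[str]] = GROUPS) -> bool:
    """Deny by default: an unknown user, resource or action gets no access.
    The first matching entry wins, so explicit denies placed early take precedence."""
    user_groups = groups.get(user, set())
    for entry in acl:
        if entry.matches(user, user_groups, resource, action):
            return entry.allow
    return False


def effective_permissions(user: str, resources: Iterable[str],
                          actions: Iterable[str] = ("read", "write", "delete"),
                          acl: List[AclEntry] = ACL,
                          groups: Dict[str, Set[str]] = GROUPS) -> Dict[str, List[str]]:
    """Least-privilege review: what a user can actually do on each resource.
    Use this to spot grants wider than the job requires."""
    return {r: [a for a in actions if is_allowed(user, r, a, acl, groups)] for r in resources}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "backup-svc", "mallory"):
        print(user, effective_permissions(user, ["finance/ledger", "hr/payroll"]))
```

The rule ordering is the point worth checking in a real ACL review: if the deny for bob were moved below the group grants it would never be reached, and bob would silently regain delete on the ledger.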

Risk Management

  • The primary purpose of risk management in information security is to identify, assess, and reduce risks to an acceptable level
  • Risk Elimination is not a major phase of risk management
  • The mitigation strategy reduces the impact of an attack through planning and preparation (incident response, disaster recovery and business continuity plans) rather than preventing it
  • Quantitative analysis assigns numerical values, while qualitative analysis uses subjective ratings
  • Purchasing cybersecurity insurance to cover potential financial losses exemplifies a risk transfer strategy
  • "Single Loss Expectancy (SLE)" refers to the estimated monetary loss if an asset is compromised
  • The ISO 27000 Series framework is widely used for IT security risk management
  • Asset classification ranks information by its sensitivity and importance so that protection can be matched to value
  • Annualized Loss Expectancy (ALE) is calculated as Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
  • Duplication is not a risk control strategy
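The SLE, ARO and ALE bullets above give the formula but not how it is used to rank risks or to decide whether a control is worth buying. The following is an added example, not code from the lesson: it applies ALE = SLE × ARO across a small constructed risk register, ranks the entries, and runs the standard cost-benefit test CBA = ALE(before) − ALE(after) − annual cost of the control, which is the usual companion to ALE and is an addition here rather than something the lesson states. All monetary figures and rates are constructed.

```python
"""Added example (not from the original lesson): quantitative risk analysis.
Extends ALE = SLE x ARO to a ranked register of asset/threat pairs and to the
cost-benefit test CBA = ALE(before) - ALE(after) - annual cost of the control
(the standard companion formula, added here, not stated in the lesson).
All monetary figures and rates are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    sle: float   # Single Loss Expectancy: estimated loss per occurrence
    aro: float   # Annualized Rate of Occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


# Constructed register: a loss-per-event estimate and an event rate per pair.
REGISTER: List[Risk] = [
    Risk("customer database", "ransomware",            sle=250_000, aro=0.2),
    Risk("web storefront",    "DDoS outage",           sle=20_000,  aro=3.0),
    Risk("laptop fleet",      "lost or stolen device", sle=5_000,   aro=4.0),
]


def rank_risks(register: List[Risk]) -> List[Risk]:
    """Highest ALE first: the order in which treatment budget should be spent."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def evaluate_control(risk: Risk, annual_cost: float,
                     new_sle: Optional[float] = None,
                     new_aro: Optional[float] = None) -> Dict[str, float]:
    """Cost-benefit of a control that lowers SLE (impact), ARO (likelihood) or both.
    A positive CBA means the control saves more per year than it costs."""
    after = replace(risk,
                    sle=risk.sle if new_sle is None else new_sle,
                    aro=risk.aro if new_aro is None else new_aro)
    cba = risk.ale - after.ale - annual_cost
    return {"ale_before": risk.ale, "ale_after": after.ale,
            "annual_cost": annual_cost, "cba": cba}


def transfer_is_cheaper(risk: Risk, annual_premium: float) -> bool:
    """Risk transfer check: insurance only pays off if the premium is below
    the ALE it covers (ignoring deductibles and exclusions for simplicity)."""
    return annual_premium < risk.ale


if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.asset:18} {r.threat:22} ALE = {r.ale:>10,.0f}")
    # Offline backups plus endpoint protection: ransomware ARO 0.2 -> 0.05 at 25,000/yr
    print(evaluate_control(REGISTER[0], annual_cost=25_000, new_aro=0.05))
    # Full-disk encryption: a lost laptop is no longer a breach, SLE 5,000 -> 500 at 10,000/yr
    print(evaluate_control(REGISTER[2], annual_cost=10_000, new_sle=500))
```

Note that the DDoS entry has the highest ALE despite the smallest per-event loss; frequency, not severity alone, drives the ranking, which is exactly what a qualitative high/medium/low rating tends to obscure.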

Vulnerability Assessment

  • The primary goal of a vulnerability assessment is to identify and evaluate security weaknesses in a system
  • Penetration testing actively exploits vulnerabilities, while vulnerability assessment identifies them
  • OWASP stands for Open Web Application Security Project (renamed Open Worldwide Application Security Project in 2023)
  • Cryptographic Failures is an OWASP Top 10 category (A02:2021); it is a class of weaknesses rather than a single vulnerability
  • OWASP ZAP is commonly used for web vulnerability assessment; its purpose is to analyze web applications and identify security vulnerabilities
  • SQL Injection occurs when untrusted input (for example a URL or form parameter) is concatenated into a SQL query, letting the attacker change the query and gain unauthorized access to data
  • A vulnerability scanner detects and reports security weaknesses in a system
  • Using parameterized queries helps mitigate injection attacks
  • Regular vulnerability assessment is important to continuously identify and mitigate security weaknesses

Secure Software Development

  • The main goal of secure software development is to identify and mitigate security risks throughout the software lifecycle
  • The requirements phase of the Software Development Life Cycle (SDLC) focuses on gathering security requirements
  • The purpose of threat modeling is to analyze and identify security risks in an application
  • Code review may best be described as a security-focused audit of an application's source code
  • Least Privilege is a secure software principle, emphasizing the use of only necessary privileges for a process or user
  • Input validation rejects malformed input early and reduces exposure to injection attacks such as SQL Injection, although parameterized queries remain the primary SQL Injection defense
  • Static Application Security Testing (SAST) is a process that examines source code to identify security flaws
  • Secure Session Management is a control rather than a vulnerability; weaknesses in it fall under the OWASP Top 10 category Identification and Authentication Failures (A07:2021)
  • The purpose of the disposal phase in the SDLC is to transfer, archive, or securely erase system data
  • Hardcoded Credentials represent a security risk that occurs when developers hardcode passwords in an application's source code

Secure Coding Practices

  • The primary goal of secure coding practices is to prevent security vulnerabilities in software
  • Implementing least privilege access control forms a fundamental principle of secure coding
  • OWASP stands for Open Web Application Security Project (now Open Worldwide Application Security Project)
  • Improper input validation commonly leads to SQL Injection
  • Using prepared statements to prevent SQL injection is a recommended secure coding practice
  • The Least Privilege principle ensures that users have only the minimum level of access required to perform their job
  • Encoding user inputs before rendering them on a web page best prevents Cross-Site Scripting (XSS) attacks
  • The primary function of error handling in secure coding is to log errors securely without exposing sensitive information
  • Hashing passwords with a strong, slow algorithm such as bcrypt or Argon2 ensures secure password storage
  • Secure session management is enforced to prevent unauthorized access to active user sessions
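The SQL Injection bullets in Vulnerability Assessment and the prepared-statement bullet here both say that parameterized queries stop injection, but neither shows the attack or the fix. The following is an added example, not code from the lesson: a login lookup written the vulnerable way (string concatenation) beside the parameterized version, run against an in-memory SQLite table of constructed users so that the same payload can be tried against both. The table, usernames and placeholder password hashes are constructed for the example.

```python
"""Added example (not from the original lesson): SQL injection through string
concatenation, beside the parameterized-query fix the lesson recommends.
Runs against an in-memory SQLite database with constructed users; the
password_hash values are placeholder strings, not real hashes."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alice-pw", "admin"),
        ("bob", "hash-of-bob-pw", "user"),
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password_hash: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: user input is pasted into the SQL text, so a
    quote in the input ends the string literal and the rest becomes SQL."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str,
               password_hash: str) -> List[Tuple[str, str]]:
    """Parameterized query: the driver sends the SQL and the values separately,
    so input can only ever be compared as data, never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


# Two classic payloads. "--" starts a SQL comment, discarding the password check.
BYPASS_AS_ALICE = "alice' --"
BYPASS_ANY_USER = "' OR '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, alice' --      :", login_vulnerable(db, BYPASS_AS_ALICE, "wrong"))
    print("vulnerable, ' OR '1'='1' --:", login_vulnerable(db, BYPASS_ANY_USER, "wrong"))
    print("safe, same payload         :", login_safe(db, BYPASS_AS_ALICE, "wrong"))
    print("safe, real credentials     :", login_safe(db, "alice", "hash-of-alice-pw"))
```

With the vulnerable function the first payload logs in as alice with no password at all and the second returns every user; with the parameterized function both payloads are compared literally against the username column and match nothing.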
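The password-storage bullet above names bcrypt and Argon2 but does not show what a salted, slow hash buys over a plain digest. The following is an added example, not code from the lesson: because bcrypt and Argon2 need third-party packages, it uses hashlib.scrypt from the Python standard library as a stand-in with the same properties (a random per-user salt and a tunable work factor), contrasts it with an unsalted SHA-256 anti-pattern, and verifies in constant time. The "$"-separated record format and the cost parameters are assumptions made for this example.

```python
"""Added example (not from the original lesson): secure password storage.
The lesson names bcrypt and Argon2, which need third-party packages; this
uses hashlib.scrypt from the standard library as a stand-in with the same
properties (per-user random salt, tunable cost) and contrasts it with an
unsalted fast hash. The "$"-separated record format and cost parameters are
assumptions made for this example."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (assumed for the example; raise N until one hash
# takes roughly 100 ms on the server that verifies logins).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def insecure_hash(password: str) -> str:
    """Anti-pattern: fast and unsalted. Equal passwords give equal hashes, so a
    leaked table can be attacked with precomputed lookups and GPU brute force."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Slow, salted hash. A fresh 16-byte salt per user defeats precomputation
    and makes two users with the same password store different records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    salt_b64 = base64.b64encode(salt).decode()
    digest_b64 = base64.b64encode(digest).decode()
    # Parameters travel with the record so they can be raised later without
    # invalidating existing users.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt_b64}${digest_b64}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.
    Any malformed record verifies as False rather than raising."""
    try:
        alg, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode(), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    # hmac.compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
    print(insecure_hash("hunter2") == insecure_hash("hunter2"))     # True: same hash, no salt
```

In production the same shape applies with a bcrypt or Argon2 library: store algorithm, parameters, salt and digest together, never compare digests with `==`, and treat any record that fails to parse as a failed login rather than an error that reveals the storage format.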

System Hardening

  • The primary goal of system hardening is to minimize security vulnerabilities and attack surfaces
  • NIST provides security guidelines for system hardening
  • Allowing all incoming network traffic is not a system hardening technique
  • The purpose of patch management in system hardening is to fix vulnerabilities and enhance security
  • Firewalls prevent unauthorized access to a network
  • An Intrusion Detection System (IDS) aims to detect and alert administrators about potential security threats
  • The principle of "Least Privilege" entails granting users only the permissions necessary to perform their tasks
  • Encrypting sensitive data forms a key method for database hardening
  • Disabling unnecessary services is important in system hardening, as it reduces the number of potential attack vectors
  • Network hardening may best be described as enhancing the security of network infrastructure and communications

Implementing Information Security

  • The primary purpose of implementing an information security program is to establish measures that protect an organization's data and systems
  • The Bull's-Eye Model is commonly used to prioritize security implementation in an organization
  • An employee benefits package is not a key component of an information security project plan
  • The main function of change management in information security implementation is to manage modifications in IT systems to maintain security integrity
  • Clear project objectives and defined roles form a factor that is critical for successfully implementing an information security project
  • "Gap analysis" refers to a method of identifying security deficiencies between current and desired security states
  • Phased implementation in security projects allows gradual integration that reduces disruptions
  • Outsourcing information security functions reduces internal security responsibilities while gaining expertise from external providers
  • Project Management in IT Security (PMITS) certification focuses on project management in IT security
  • Implementation is the phase of the security implementation process in which new security measures are integrated smoothly into the organization
