Information Security Quiz

Questions and Answers

Which of the following best describes the primary focus of Information Security?

• Ensuring all data is accessible to every user within a network.
• Protecting information assets to achieve Confidentiality, Integrity, and Availability (CIA). (correct)
• Preventing any modification of data, regardless of whether it's authorized.
• Guaranteeing the continuous operation of all business systems.

Within the CIA triad, what does Confidentiality primarily ensure?

• That data remains accurate and unmodified.
• That all data is stored using encryption methods.
• That systems are available when required.
• That access to information is limited to authorized individuals. (correct)

Which of the following controls is most directly associated with maintaining the Integrity of data?

• Using quality assurance processes and audit logs. (correct)
• Implementing strong encryption algorithms.
• Utilizing multi-factor authentication methods.
• Employing frequent data backups.

What is the primary risk associated with a failure in the 'Availability' aspect of information security?

Loss of customer confidence and business disruption. (B)

Which of the following is NOT a direct control for maintaining Confidentiality?

Regular audit logs. (C)

Which of the following best describes the role of the 'AAA' framework in relation to the CIA triad?

It provides supporting concepts necessary to practically implement the CIA principles. (D)

Which of these is a key control for ensuring Availability during a system outage?

Performing regular backups (A)

What does the concept of 'asset' refer to within the scope of Information Security?

Anything that has value to individuals and businesses. (C)

Which of the following best describes a vulnerability in the context of IT security?

A weakness that can be triggered to violate security policies. (D)

What is the primary goal of risk management in the context of IT security?

To reduce risks to acceptable levels given current resources. (B)

Which of the following is NOT considered a security control?

A lack of planning in the implementation of security policies. (A)

Which of the following sequences of steps represents the software development life cycle?

Requirement, Analysis, Design, Implementation, Post-delivery maintenance (B)

What is a key benefit of the Model-View-Controller (MVC) architecture?

It allows independent testing of components, as well as provides extra security through isolation. (B)

In the MVC architecture, what is the main function of the 'Controller'?

To contain the application logic and act as a mediator. (B)

Which security principle emphasizes granting users only the necessary level of access?

Principle of least privilege. (C)

Which of the following is NOT a characteristic of a secure organization?

Lack of security information policies. (B)

What advantage does a manual inspection have over other forms of testing?

It can be applied early in the SDLC. (D)

What is the 'trust-but-verify' approach associated with?

Manual inspection and review. (B)

Which testing method is best done in the later stages of the SDLC?

Penetration Testing. (B)

Which of the following is a drawback of penetration testing?

It is typically done late in the SDLC. (C)

Which activity provides more information to the reviewers compared to other testing approaches?

Source code review. (B)

Which of these are advantages of source code review?

It is fast, accurate and complete. (B)

What is a disadvantage of relying on only source code review for security testing?

It does not cover run-time errors. (A)

What is the primary purpose of authentication?

To verify an individual's claims to their identity (B)

Which of the following is NOT a form of authentication?

What you drive (A)

Which method of authentication uses a piece of information known only to the user?

Knowledge-based authentication (C)

In the context of security, what does authorization refer to?

Granting access rights after authentication (A)

Which of the following is an example of a biometric authentication method?

Fingerprint (C)

Which common authorization scheme uses predefined rules to grant access?

Mandatory Access Control (C)

Why are audit trails important in security?

To track and analyze user activities (A)

What qualifies as an asset in an organizational context?

Any item with value, tangible or intangible (D)

What is one of the primary roles of a Threat Identifier in a standard template?

To describe the potential impact of a threat (C)

Which approach employs a combination of the probability of an event occurring and its potential impact to evaluate risk?

Probability x Impact Ranking (B)

Why is it important to have security checkpoints in development methodologies?

To incorporate security measures at various stages (B)

What does the architectural requirement of reliability aim to prevent?

Single points of failure in systems (A)

Which characteristic is essential for an organization to be considered secure?

Centralized management of security protocols (B)

What is one of the key goals of defining architectural requirements?

To meet compliance and performance goals (B)

Which of the following is NOT a characteristic of secure coding principles?

Rapid development methods without oversight (A)

How does modular design benefit system maintenance?

It allows easy updates and modifications. (C)

What is the primary purpose of documentation requirements in software development?

To ensure security is integrated throughout the software development lifecycle. (D)

Which of the following are key components that must be validated during security testing?

Authentication, access control, and secure configurations. (B)

What is the role of in-code commenting in software development?

To improve readability and security awareness within the codebase. (C)

Which testing methodology involves ethical hackers attempting to compromise an application?

Penetration testing. (A)

Why is exception handling important in an application?

To ensure security, stability, and minimal exposure of sensitive information. (C)

What does fuzz testing primarily involve?

Trying different input data to find vulnerabilities. (C)

What practice should be avoided in in-code comments to maintain security?

Storing secrets such as passwords and keys in comments. (C)

Which of the following statements is true regarding documentation requirements?

They ensure transparency, compliance, and maintainability in development. (D)

What is a threat according to threat modeling?

Any undesirable event that may be malicious or incidental (A)

What is the main goal of threat modeling?

To identify and optimize security through understanding vulnerabilities (C)

Which of the following is NOT a benefit of threat modeling?

Reduces the need for testing (B)

Which step is NOT part of the threat modeling process?

Develop the application architecture (D)

In threat modeling, which of the following best describes the term 'attack surface'?

Areas in an application that may be leveraged for an attack (A)

What does the 'Strider/Dread model' provide in threat modeling?

Classification for known threats and their likelihood (A)

Which group is included in identifying threat agents?

Internal and external users including insiders (D)

What is an essential prerequisite for effective threat modeling?

An understanding of regulatory compliance requirements (C)

What does the process of decomposing the application involve?

Analyzing components, features, and behaviors impacting security (C)

What is the initial action in performing threat modeling?

Identify security objectives and assets (A)

Which of the following factors are considered in prioritizing identified risks?

Likelihood and impact factors (D)

Which of the following is a common threat identified in threat modeling?

Script kiddies (D)

What is true about the iterative nature of threat modeling?

Outputs from previous steps should be continually recorded and referenced (B)

Flashcards

Information Security

Protection of information assets to ensure CIA.

CIA

Confidentiality, Integrity, and Availability of information.

Confidentiality

Assurance that information is accessible only to authorized users.

Integrity

Assurance that data is accurate and unaltered.

Availability

Assurance that information is accessible when needed.

Authentication

Verifying the identity of a user or system.

Authorization

Granting permission to access specific information or resources.

Audit Trail

A record of all user activities and changes in the system.

Forms of Authentication

Three methods: what you know, what you have, what you are.

What you know

Authentication using information only known by the user, like passwords.

What you have

Authentication based on physical devices, like tokens or cards.

What you are

Authentication using unique biological traits, like fingerprints.

Assets

Any valuable item to an organization, tangible or intangible.

GDPR

General Data Protection Regulation; a data protection law in the EU.

HIPAA

Health Insurance Portability and Accountability Act; US regulation for health information.

PCI DSS

Payment Card Industry Data Security Standard; security standard for payment card transactions.

Documentation Requirements

Records and guidelines needed throughout the software development lifecycle.

Security Testing

Methodologies that ensure web applications have minimal vulnerabilities.

Pen Testing

Ethical hacking that simulates attacks to assess security.

Fuzz Testing

Testing that uses random data inputs to discover security vulnerabilities.

In-Code Commenting

Adding descriptive comments in source code for better security awareness.

Threat Identifier

A label used to classify a specific security threat.

Prioritize Threats

The process of ranking identified threats to address them effectively.

Delphi Ranking

A method using expert opinions to achieve consensus on threat severity.

DREAD

A system for assessing risks based on Damage, Reproducibility, Exploitability, Affected Users, and Discoverability.

Probability x Impact Ranking

A calculation that assesses risk by combining the likelihood of occurrence and potential impact.

Secure Release Management

The process to safely deliver a software update or product to users.

Architectural Requirements

Guidelines that dictate how a system should be designed for security, performance, and compliance.

Organizational Security Champions

Key personnel advocating for and implementing security within an organization.

Vulnerability

A weakness that can be triggered to violate security policies.

Threat

An action/event that may compromise security.

Incident

The occurrence of a security violation.

Impact

The outcome of a security violation.

Exposure Factor

Potential loss of an asset when a threat occurs.

Risk

The probability that a threat will occur targeting a vulnerability.

Security Controls

Mechanisms to mitigate threats.

Software Engineering

Systematic development of high-quality software to solve customer problems.

Software Development Life Cycle (SDLC)

Sequence of steps in building software products.

Model-View-Controller (MVC)

Architecture that separates logic from user interface.

Model (in MVC)

Encapsulates data and functionality in MVC architecture.

View (in MVC)

The presentation layer, rendering user interface data.

Controller (in MVC)

Processes user input and mediates between model and view.

Secure Coding Principles

Practices ensuring software is written securely.

Threat Model

A structured representation of information affecting an application's security.

Threat Modeling

The process of capturing, organizing, and analyzing security information for applications.

Objectives of Threat Modeling

To optimize security by identifying objectives and vulnerabilities.

Benefits of Threat Modeling

Provides clarity on security efforts and rational decision-making for security.

Prioritize Identified Risks

Estimate likelihood and impact factors to assess overall risk levels.

Stride Model

A classification scheme for threats, assessing likelihood of realization.

Dread Model

Evaluates threats based on damage potential, and other factors.

Identify Security Objectives

Understand the organization's security direction before taking action.

Application Profiling

Provides a high-level view of an application through its architecture.

Decompose the Application

Analyze specific components to identify security impacts.

Identify Threats

Focus on known threats once application understanding is clear.

Threat Graph

Visual representation of potential threat scenarios akin to an attack tree.

Threat List

Structured approach to threat modeling showing cross-correlations among threats.

Identifying Attack Surfaces

Areas in an application that may be exploited in an attack.