Information Security Quiz

Questions and Answers

Which of the following best describes the primary focus of Information Security?

Ensuring all data is accessible to every user within a network.

Protecting information assets to achieve Confidentiality, Integrity, and Availability (CIA). (correct)

Preventing any modification of data, regardless of whether it's authorized.

Guaranteeing the continuous operation of all business systems.

Within the CIA triad, what does Confidentiality primarily ensure?

That data remains accurate and unmodified.

That all data is stored using encryption methods.

That systems are available when required.

That access to information is limited to authorized individuals. (correct)

Which of the following controls is most directly associated with maintaining the Integrity of data?

Using quality assurance processes and audit logs. (correct)

Implementing strong encryption algorithms.

Utilizing multi-factor authentication methods.

Employing frequent data backups.

What is the primary risk associated with a failure in the 'Availability' aspect of information security?

Loss of customer confidence and business disruption. (B)

Which of the following is NOT a direct control for maintaining Confidentiality?

Regular audit logs. (C)

Which of the following best describes the role of the 'AAA' framework in relation to the CIA triad?

It provides supporting concepts necessary to practically implement the CIA principles. (D)

Which of these is a key control for ensuring Availability during a system outage?

Performing regular backups (A)

What does the concept of 'asset' refer to within the scope of Information Security?

Anything that has value to individuals and businesses. (C)

Which of the following best describes a vulnerability in the context of IT security?

A weakness that can be triggered to violate security policies. (D)

What is the primary goal of risk management in the context of IT security?

To reduce risks to acceptable levels given current resources. (B)

Which of the following is NOT considered a security control?

A lack of planning in the implementation of security policies. (A)

Which of the following sequences of steps represents the software development life cycle?

Requirement, Analysis, Design, Implementation, Post-delivery maintenance (B)

What is a key benefit of the Model-View-Controller (MVC) architecture?

It allows independent testing of components, as well as provides extra security through isolation. (B)

In the MVC architecture, what is the main function of the 'Controller'?

To contain the application logic and act as a mediator. (B)

Which security principle emphasizes granting users only the necessary level of access?

Principle of least privilege. (C)

Which of the following is NOT a characteristic of a secure organization?

Lack of security information policies. (B)

What advantage does a manual inspection have over other forms of testing?

It can be applied early in the SDLC. (D)

What is the 'trust-but-verify' approach associated with?

Manual inspection and review. (B)

Which testing method is best done in the later stages of the SDLC?

Penetration Testing. (B)

Which of the following is a drawback of penetration testing?

It is typically done late in the SDLC. (C)

Which activity provides more information to the reviewers compared to other testing approaches?

Source code review. (B)

Which of these are advantages of source code review?

It is fast, accurate and complete. (B)

What is a disadvantage of relying on only source code review for security testing?

It does not cover run-time errors. (A)

What is the primary purpose of authentication?

To verify an individual's claims to their identity (B)

Which of the following is NOT a form of authentication?

What you drive (A)

Which method of authentication uses a piece of information known only to the user?

Knowledge-based authentication (C)

In the context of security, what does authorization refer to?

Granting access rights after authentication (A)

Which of the following is an example of a biometric authentication method?

Fingerprint (C)

Which common authorization scheme uses predefined rules to grant access?

Mandatory Access Control (C)

Why are audit trails important in security?

To track and analyze user activities (A)

What qualifies as an asset in an organizational context?

Any item with value, tangible or intangible (D)

What is one of the primary roles of a Threat Identifier in a standard template?

To describe the potential impact of a threat (C)

Which approach employs a combination of the probability of an event occurring and its potential impact to evaluate risk?

Probability x Impact Ranking (B)

Why is it important to have security checkpoints in development methodologies?

To incorporate security measures at various stages (B)

What does the architectural requirement of reliability aim to prevent?

Single points of failure in systems (A)

Which characteristic is essential for an organization to be considered secure?

Centralized management of security protocols (B)

What is one of the key goals of defining architectural requirements?

To meet compliance and performance goals (B)

Which of the following is NOT a characteristic of secure coding principles?

Rapid development methods without oversight (A)

How does modular design benefit system maintenance?

It allows easy updates and modifications. (C)

What is the primary purpose of documentation requirements in software development?

To ensure security is integrated throughout the software development lifecycle. (D)

Which of the following are key components that must be validated during security testing?

Authentication, access control, and secure configurations. (B)

What is the role of in-code commenting in software development?

To improve readability and security awareness within the codebase. (C)

Which testing methodology involves ethical hackers attempting to compromise an application?

Penetration testing. (A)

Why is exception handling important in an application?

To ensure security, stability, and minimal exposure of sensitive information. (C)

What does fuzz testing primarily involve?

Trying different input data to find vulnerabilities. (C)

What practice should be avoided in in-code comments to maintain security?

Storing secrets such as passwords and keys in comments. (C)

Which of the following statements is true regarding documentation requirements?

They ensure transparency, compliance, and maintainability in development. (D)

What is a threat according to threat modeling?

Any undesirable event that may be malicious or incidental (A)

What is the main goal of threat modeling?

To identify and optimize security through understanding vulnerabilities (C)

Which of the following is NOT a benefit of threat modeling?

Reduces the need for testing (B)

Which step is NOT part of the threat modeling process?

Develop the application architecture (D)

In threat modeling, which of the following best describes the term 'attack surface'?

Areas in an application that may be leveraged for an attack (A)

What does the 'Strider/Dread model' provide in threat modeling?

Classification for known threats and their likelihood (A)

Which group is included in identifying threat agents?

Internal and external users including insiders (D)

What is an essential prerequisite for effective threat modeling?

An understanding of regulatory compliance requirements (C)

What does the process of decomposing the application involve?

Analyzing components, features, and behaviors impacting security (C)

What is the initial action in performing threat modeling?

Identify security objectives and assets (A)

Which of the following factors are considered in prioritizing identified risks?

Likelihood and impact factors (D)

Which of the following is a common threat identified in threat modeling?

Script kiddies (D)

What is true about the iterative nature of threat modeling?

Outputs from previous steps should be continually recorded and referenced (B)