Security Basics Quiz
18 Questions

Questions and Answers

    Which of the following best describes the purpose of encryption in security?

    • To hide data within other data for covert communication
    • To ensure data is available when needed
    • To prevent unauthorized disclosure of data (correct)
    • To authenticate users before granting access

    What does the term 'steganography' refer to in the context of data protection?

    • Creating digital signatures for authentication
    • Ensuring data integrity through hashing
    • Hiding data within other data (correct)
    • The process of encrypting data

    Which hashing function is mentioned as an example for assuring data integrity?

    • RSA
    • AES
    • DES
    • HMAC (correct)

    What is the primary function of digital signatures in security?

    Answer: To provide evidence of authentication and non-repudiation

    Which of the following describes 'risk' in a security context?

    Answer: The likelihood of a threat exploiting a vulnerability

    What does 'defense in depth' refer to?

    Answer: Implementing multiple layers of security controls

    What does the term 'availability' mean in the context of security?

    Answer: Data and services are accessible when required

    Which of the following is NOT a method to achieve risk mitigation?

    Answer: Preventing any possible threats

    What is the primary purpose of access controls in an authentication process?

    Answer: To ensure only authorized users can perform critical tasks

    Which of the following describes 'Something You Have' in the context of the five factors of authentication?

    Answer: A smart card or token

    Which characteristic is NOT a recommended password rule?

    Answer: Passwords should be at least 6 characters long

    What is the purpose of using multifactor authentication?

    Answer: To combine multiple methods of authentication for increased security

    What does TOTP stand for in the context of authentication?

    Answer: Time-based One-Time Password

    Which of the following options is a function of a smart card in authentication?

    Answer: Embedding a certificate for identity verification

    What describes the function of Kerberos in authentication services?

    Answer: It provides mutual authentication using tickets

    Which method is NOT considered a biometric authentication factor?

    Answer: Password entry

    What impact do antivirus software solutions primarily aim to reduce?

    Answer: The impact of malware

    What is a common issue related to authentication that may arise with biometric systems?

    Answer: Biometric errors in recognition

    Study Notes

    Security Basics

    • Security is about Confidentiality, Integrity, and Availability (CIA).

    CIA of Security

    • Confidentiality: Prevents unauthorized data disclosure, ensuring only authorized users can view data.
      • Methods include encryption (e.g., AES) and access controls.
    • Integrity: Assures data hasn't been modified, tampered with, or corrupted.
      • Hashing verifies integrity (e.g., MD5, SHA-1, HMAC). Hash values change if data changes.
    • Availability: Data and services are accessible when needed.
      • Techniques include redundancy, fault tolerance, and patching. Remove single points of failure (SPOF).

    Access Controls

    • Identification: Claiming identity (e.g., username).
    • Authentication: Proves identity (e.g., password).
    • Authorization: Access granted based on proven identity.

    Steganography

    • Hiding data within other data (e.g., a secret message inside an image).
    • Observers unaware of hidden message.

    Digital Signatures

    • Acts as a legal agreement, like a handwritten signature.
    • Provides authentication and non-repudiation (prevents denial of actions).

    Non-Repudiation

    • Prevents entities from denying an action (e.g., credit card purchase).
    • Techniques: digital signatures, and audit logs.

    Patching

    • Software frequently requires updates (patches).
    • Patch management involves testing and deploying patches.

    Defense in Depth

    • Multiple layers of protection (e.g., firewall, antivirus, Deep Freeze).

    Risk

    • Likelihood of a threat exploiting a vulnerability, resulting in loss.
    • Threat: Circumstance or event compromising confidentiality, integrity, or availability (e.g., insider threat).
    • Vulnerability: Weakness in a system.

    Risk Mitigation

    • Reducing the chance a threat exploits a vulnerability.
    • Done through implementing controls (countermeasures and safeguards).
    • Some risk remains even after controls are applied; it is managed with further measures (e.g., insurance, evacuation plans).

    Controls

    • Access controls: Only authorized users can perform critical tasks after authentication.
    • Business continuity and Disaster Recovery Plans: Reduce the impact of disasters.
    • Antivirus software: Reduces the impact of malware.

    Authentication Concepts

    • Identification: Simply stating your name (without proof).
    • Authentication: Proving your identity (e.g., password, fingerprint).
    • Authorization: Granting access to resources based on identity.

    Five Factors of Authentication

    • Something you know (weakest): e.g., password.
    • Something you have: e.g., smart card.
    • Something you are (strongest): e.g., fingerprint.
    • Somewhere you are: e.g., geolocation.
    • Something you do: e.g., gestures on a touchscreen.

    Password Rules

    • Password complexity: Use various character types (uppercase, lowercase, numbers, symbols).
    • Password expiration: Force users to change passwords regularly.
    • Password recovery: Clear procedure to recover lost passwords.
    • Password history: Prevent users from reusing previous passwords.
    • Other rules: change passwords, verify identity before resetting them, implement policies, change default passwords, don't write passwords down, and don't share them.

    Creating Strong Passwords

    • Minimum length (8+ characters).
    • Non-dictionary words.
    • Combination of character types (uppercase, lowercase, numbers, special characters).

    Smart Cards

    • Embedded certificates.
    • Public Key Infrastructure (PKI) supports certificate management.

    Token or Key Fob

    • HMAC-based One-Time Password (HOTP) uses a secret key and a counter.
    • Time-based One-Time Password (TOTP) uses a timestamp instead of a counter.

    Biometrics Methods

    • Fingerprint, thumbprint, handprint, retinal scans, iris scans, voice recognition, facial recognition.

    Somewhere You Are

    • IP address (general location; can block logins from unusual locations).
    • MAC address (identifies a specific device).

    Something You Do

    • Gestures, keystrokes.

    Multifactor Authentication

    • Uses more than one authentication factor.
    • Two factors of the same type (e.g., a password and a PIN, both "something you know") do not count as two-factor authentication.

    Authentication Issues

    • Weak passwords
    • Forgotten passwords
    • Biometric errors

    Authentication Services

    • Kerberos: Network authentication protocol using a ticket-based system with time-stamped tickets. Uses port 88 (TCP and UDP).
    • LDAP (Lightweight Directory Access Protocol): Directory access protocol; version 3 uses TLS encryption. An extension of the X.500 standard.

    Virtualization

    • Hypervisor: Software managing virtual machines. Type I (bare-metal) or Type II (software running within a host OS).
    • Host: Computer running the hypervisor.
    • Guest: Virtual machine.
    • Host elasticity: Adjust resources dynamically.
    • Host scalability: Increase resources easily.
    • Virtual machine snapshots: Copies of VMs at specific times, allowing recovery and testing.
    • Virtual Desktop Infrastructure (VDI) / Virtual Desktop Environment (VDE):
      • Persistent VDE keeps user changes.
      • Non-persistent VDE doesn't retain user changes.
    • Virtualization containers: Application containers isolate application cells within the OS.

    Virtualization Associated Risks

    • VM files: Can be copied, taking the guest's data with them. VM escape: Allows an attacker to access the host from a guest.
    • VM sprawl/uncontrolled VM creation: Could lead to data loss or security issues if not managed properly.
    • Loss of confidentiality


    Quiz Team


    Description

    Test your knowledge on the fundamental concepts of security, including the CIA triad: Confidentiality, Integrity, and Availability. Explore access controls, steganography, and digital signatures to understand how data protection is achieved.
