Security Controls and Policies Quiz
45 Questions

Questions and Answers

Which category of security controls primarily focuses on policies and procedures defined by an organization's security policy?

  • Managerial (correct)
  • Technical
  • Operational
  • Physical

What type of security control is designed to prevent security incidents before they occur?

  • Detective
  • Corrective
  • Preventive (correct)
  • Compensating

Which type of security controls would best describe mechanisms that provide protection to physical facilities and real-world objects?

  • Managerial
  • Technical
  • Physical (correct)
  • Operational

What category of security controls assists in ensuring compliance with security policies through daily operations?

Answer: Operational

Which type of control provides a response to a security incident after it has been detected?

Answer: Corrective

What is the primary focus of conditional access in security?

Answer: Enforcing conditions of access

Which component is responsible for making policy decisions in a Zero Trust model?

Answer: Policy Engine

Why is physical security considered essential in an overall security strategy?

Answer: It prevents unauthorized physical access to facilities

What does a bollard primarily act as in physical security?

Answer: A physical barrier to restrict vehicle access

In a Zero Trust security model, where are security controls primarily applied?

Answer: Within the Control Plane

Which of the following best describes the role of a Policy Administrator?

Answer: To establish and maintain access policies

What is a key aspect of the Security+ exam highlighted in the content?

Answer: It includes both physical and technical security measures

What does SIEM stand for in security terminology?

Answer: Security Information and Event Management

What is a primary function of access badges in security systems?

Answer: To electronically unlock doors and prevent unauthorized access.

Which method can be implemented to ensure lighting serves as an effective deterrent control?

Answer: Install lights at all entrances and exits of a building.

How can lights be protected from being tampered with by an attacker?

Answer: Place lights high enough or protect them with a metal cage.

What type of sensor detects heat signatures emitted by living beings or objects?

Answer: Infrared sensor.

What is a honeypot in the context of cyber deception?

Answer: A decoy used to lure attackers for observation.

What is the purpose of a honeyfile in cybersecurity?

Answer: To detect unauthorized data access by luring attackers.

Which technology is specifically used to detect movement in a designated area?

Answer: Microwave technology.

What is a key feature of a honeynet?

Answer: A group of honeypots used in cybersecurity.

What is the primary purpose of change management processes in an organization?

Answer: To ensure proposed changes are reviewed before implementation

Which of the following best describes the difference between change management and change control?

Answer: Change management dictates how changes are processed; change control evaluates specific change requests

What does configuration management ensure in an organization's security policy?

Answer: Systems are configured similarly and configurations are documented

Which of the following is NOT typically part of a change management process?

Answer: Immediate implementation of changes without review

What role does the Change Advisory Board (CAB) play in change management?

Answer: To evaluate change requests and determine their potential benefit

How does baselining contribute to security operations?

Answer: By ensuring all systems are deployed with a common starting point

A significant aspect of a change management program is performing which analysis?

Answer: Impact analysis of changes on security

What aspect of change management mitigates the risks associated with unauthorized changes?

Answer: Standard operating procedures for processing change requests

What is the main purpose of maintaining documentation during the change management process?

Answer: To ensure that all technical team members can access historical decisions

Which aspect of change management involves identifying the effects of changes on interconnected systems?

Answer: Dependency tracking

What would be a likely consequence of not updating documentation after system changes?

Answer: Inaccurate representation of the operating environment

What is a critical capability of version control systems in change management?

Answer: To facilitate conflict identification between developers' changes

Why are legacy applications significant when planning changes in a cloud environment?

Answer: They may not support certain updates like component version changes

What is the role of the maintenance window in the change management process?

Answer: To conduct application restarts and implement risky changes

Which of the following is NOT a benefit of maintaining documentation in change management?

Answer: Facilitates easier detection of software bugs

In what way does version control contribute to the software development process?

Answer: It enables teams to track and manage changes in software code

What is the primary function of a Trusted Platform Module (TPM)?

Answer: To store and manage disk encryption keys securely

Which of the following best describes the purpose of a Hardware Security Module (HSM)?

Answer: It safeguards and manages digital keys and performs cryptographic functions.

How does a Hardware Root of Trust (HRoT) enhance system security?

Answer: By verifying that keys match before the secure boot process.

What is a primary feature of a Key Management System (KMS)?

Answer: To maintain programmatic access via API for secret management.

Which term describes a secure and isolated area within a system for processing sensitive data?

Answer: Trusted Execution Environment

What does steganography attempt to achieve in data security?

Answer: To conceal a file within another file or medium.

Which statement is true regarding the comparison of TPM and HSM?

Answer: HSMs are often removable or external devices unlike TPMs.

What is an example of a service provided by a Key Management System (KMS)?

Answer: Providing programmatic access to application secrets.

Study Notes

CompTIA Security+ Exam Cram Notes

• The course covers the CompTIA Security+ Exam SY0-701.
• The course material covers every topic in the official exam syllabus.
• Pete Zerger, VCISO, CISSP, MVP, is the instructor.
• The course is the 2024 edition.

Domain 1: Controls

• Security controls are measures that counter and minimize the loss or unavailability of services and applications caused by vulnerabilities.
• Safeguards are proactive: they reduce the likelihood of an event.
• Countermeasures are reactive: they reduce the impact after an event.
• There are four main categories of controls: technical, physical, managerial, and operational.

Categories of Security Controls

• Technical controls use technology (hardware and software); for example, encryption, smartcards, passwords, biometrics, access control lists (ACLs), firewalls, routers, and IDS/IPS.
• Physical controls are tangible and include guards, fences, lights, motion detectors, guard dogs, video cameras, alarms, and laptop locks.
• Managerial controls are policy-based, such as policies, procedures, hiring practices, background checks, data classification, security training, and risk assessments.
• Operational controls are people-centric activities, such as awareness training, configuration management, and media protection.

Control Types

• Deterrent: discourages violating security policies, e.g., locks, fences, security badges.
• Preventive: deployed to stop unwanted or unauthorized activity, e.g., fences, locks, biometrics.
• Detective: discovers or detects unwanted or unauthorized activity, e.g., security guards, guard dogs, motion detectors, logs, honeypots.
• Corrective: modifies the environment to return systems to normal after an incident, e.g., backups, patching, antivirus.
• Compensating: provides options to other existing controls to aid in enforcement, e.g., security policies, personnel supervision, monitoring.

Control Overlap

• Controls often have multiple functions.
• For example, a security camera can be both a deterrent and a detective control.
• The classification depends on the implementation and the risk being addressed.
• Focus on keywords such as "warning", "sign", "visibility", "perception", "access control", "policy", and "procedure".

Domain 1: General Security Concepts

• Confidentiality, Integrity, Availability (CIA):
  • Confidentiality ensures only authorized subjects have access to objects.
  • Integrity ensures data or system configurations are not modified without authorization.
  • Availability ensures authorized requests for objects are granted within a reasonable time frame.
• Non-repudiation: the guarantee that no one can deny a transaction; it proves integrity and is based on asymmetric cryptography, e.g., digital signatures.
• Authentication, Authorization, and Accounting (AAA):
  • Authentication: a user or service proves its identity using credentials.
  • Authorization: authenticated users are granted access based on roles and permissions.
  • Accounting: tracks user activity and records it in logs (the audit trail).

Authorization Models

• Discretionary Access Control (DAC): based on user and object attributes; the owner grants or denies access to others, e.g., NTFS.
• Role-Based Access Control (RBAC): roles, not users, are given permissions.
• Rule-Based Access Control: global rules (restrictions or filters) that apply to all subjects in the system, e.g., firewall rules.
• Mandatory Access Control (MAC): predefined labels determine access, e.g., military security.
• Attribute-Based Access Control (ABAC): access is based on attributes of the account (e.g., department, location, role).
• Subjects: users, groups, or services.
• Objects: files, folders, shares, and printers.

Gap Analysis

• A standard (e.g., ISO 27001) is used to compare the organization's current operations against the standard's requirements.
• Areas where the organization's security controls do not measure up to the standard are identified as gaps.
• The outcome of an audit is an attestation, a formal statement confirming the controls.

Zero Trust

• An approach in which no entity is trusted by default.
• Based on three main principles:
  • Assume breach.
  • Verify access explicitly.
  • Least-privilege access.
• Supported by defense in depth.

Policy Enforcement Point (PEP)

• Responsible for enabling, monitoring, and terminating connections between subjects and resources.
• Enforces access control policies.
• May enforce Multi-Factor Authentication (MFA) for access from unexpected locations.
• Evaluates access requests against predefined policies.

Policy Decision Point (PDP)

• Makes access decisions (allow or deny).
• Considers contextual information such as user identity.
• Considers device health and a risk assessment of the request.

Adaptive Identity and Threat Scope Reduction

These are elements of the Zero Trust Control Plane and implement its decision logic.

• Adaptive Identity: adjusts the authentication required according to the context of the request.
• Threat Scope Reduction: limits the scope a threat can affect, decreasing risk to the organization.

Implicit Trust Zones, Subject/System, and Policy Enforcement Points

• Implicit Trust Zones: the areas inside the former security perimeter (firewall).
• Subject: a user wanting to access a resource. System: a non-human entity accessing a resource, e.g., a device.
• Policy Enforcement Point (PEP): evaluates requests against predefined policies and controls access.

Conditional Access

• Enforces "conditions of access."
• Checks and verifies access via signals.
• Processes each access request through a signal-decision-enforcement loop.
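The PEP and PDP sections and the conditional-access loop above can be seen working together in a small simulation. The following is an added example written for these notes, not code from the course or from any product: the subjects, resources, roles and locations are constructed sample data, and the three checks (role match for least privilege, device health, and MFA step-up for an unexpected location) are the hypothetical policy the example enforces.

```python
# Added example (not from the course): a minimal Zero Trust
# signal-decision-enforcement loop. All subjects, resources, roles and
# locations below are constructed sample data, not real policy.
from dataclasses import dataclass


@dataclass
class AccessRequest:
    subject: str
    resource: str
    device_compliant: bool   # device-health signal
    location: str            # location signal
    mfa_completed: bool = False


@dataclass
class Decision:
    action: str   # "allow", "deny" or "require_mfa"
    reason: str


# Hypothetical policy data (constructed for this example).
RESOURCE_ROLES = {"payroll-db": {"finance"}, "wiki": {"finance", "engineering"}}
SUBJECT_ROLES = {"alice": {"finance"}, "bob": {"engineering"}}
EXPECTED_LOCATIONS = {"alice": {"HQ"}, "bob": {"HQ", "home"}}


def policy_decision(req: AccessRequest) -> Decision:
    """Policy Decision Point: evaluate identity, device-health and
    location signals against predefined policy and return a decision."""
    roles = SUBJECT_ROLES.get(req.subject, set())
    if not roles & RESOURCE_ROLES.get(req.resource, set()):
        # Least privilege: no role grants this resource, so deny outright.
        return Decision("deny", "no role permits access to this resource")
    if not req.device_compliant:
        return Decision("deny", "device failed its health check")
    if req.location not in EXPECTED_LOCATIONS.get(req.subject, set()) and not req.mfa_completed:
        # Adaptive identity: step up authentication for an unexpected location.
        return Decision("require_mfa", "unexpected location, MFA required")
    return Decision("allow", "all signals satisfied")


def enforce(req: AccessRequest, audit_log: list) -> bool:
    """Policy Enforcement Point: apply the PDP's decision, record it for
    accounting, and report whether a connection was opened."""
    decision = policy_decision(req)
    audit_log.append(f"{req.subject} -> {req.resource}: {decision.action} ({decision.reason})")
    return decision.action == "allow"


if __name__ == "__main__":
    log = []
    enforce(AccessRequest("alice", "payroll-db", True, "HQ"), log)
    enforce(AccessRequest("alice", "payroll-db", True, "cafe"), log)
    enforce(AccessRequest("alice", "payroll-db", True, "cafe", mfa_completed=True), log)
    enforce(AccessRequest("bob", "payroll-db", True, "HQ"), log)
    print("\n".join(log))
```

The split between `policy_decision` (PDP) and `enforce` (PEP) mirrors the control-plane/data-plane separation in the notes: the PDP never touches the connection, and the PEP never reasons about policy, it only applies the decision and writes the audit trail.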

Physical Security

• Physical security is essential; without it, no additional security measures are sufficient.
• Gaining physical access allows attackers to cause significant damage.

PKI (Public Key Infrastructure)

• Management of cryptographic keys.
• Certificates for authentication (including domain validation, extended validation, and wildcard certificates).
• Trust models include bridge, hierarchical, hybrid, and mesh models.
• Key escrow: a method of storing cryptographic keys to permit recovery; also part of PKI.
• CRL (Certificate Revocation List): contains information about revoked certificates.
• OCSP (Online Certificate Status Protocol): a faster method than a CRL for checking the status of certificates, and issues CSRs.
• Pinning: a procedure for preventing the use of fraudulent certificates.
• Root of trust / trusted certificate authorities: the central certification authority in a PKI.
• Levels of encryption, such as file, volume, and disk encryption.

Tools

• TPM (Trusted Platform Module): a chip on the motherboard that manages encryption keys for full-disk encryption (FDE) solutions.
• HSM (Hardware Security Module): protects keys, encrypts/decrypts data, and provides strong authentication.
• KMS (Key Management System): centralized storage and management of keys (e.g., Azure Key Vault, AWS KMS).
• Secure Enclave: a hardware-based secure area for processing sensitive data.

Obfuscation

• Techniques include steganography, tokenization, pseudonymization, anonymization, and data masking.
• Steganography: hiding data within another data object (e.g., hiding secrets in image files).
• Tokenization: replacing data with tokens.
• Pseudonymization: using different identifiers in place of personally identifiable information (PII).
• Anonymization: removing all PII.
• Data masking: hiding some portions of data (e.g., showing only asterisks for credit card numbers).
• Data minimization: collecting only the data necessary to fulfil a specific purpose.
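The obfuscation techniques above differ mainly in whether the original data can be recovered, and by whom. The following is an added example written for these notes, not code from the course: it applies masking, tokenization, pseudonymization and anonymization to one constructed customer record. The `TokenVault` class, the HMAC-based pseudonym, the `PII_FIELDS` set and the sample record are all assumptions made for the illustration.

```python
# Added example (not from the course): data masking, tokenization,
# pseudonymization and anonymization applied to a constructed sample record.
import hashlib
import hmac
import secrets


def mask_card(pan: str) -> str:
    """Data masking: reveal only the last four digits of a card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Tokenization: swap a sensitive value for a random token. The token
    carries no information about the value; the mapping lives only here."""

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Pseudonymization: a keyed hash (HMAC-SHA256) gives each identifier a
    stable substitute, so records stay linkable, while only the key holder
    can reproduce the mapping."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


PII_FIELDS = {"name", "email", "card"}   # hypothetical PII classification


def anonymize(record: dict) -> dict:
    """Anonymization: drop every PII field outright; nothing is recoverable."""
    return {k: v for k, v in record.items() if k not in PII_FIELDS}


def protect_record(record: dict, vault: TokenVault, key: bytes) -> dict:
    """Apply one technique per field, as a data-protection pipeline might."""
    return {
        "name": pseudonymize(record["name"], key),
        "email": vault.tokenize(record["email"]),
        "card": mask_card(record["card"]),
        "plan": record["plan"],
    }


if __name__ == "__main__":
    sample = {"name": "Ada Lovelace", "email": "ada@example.com",
              "card": "4111 1111 1111 1111", "plan": "gold"}   # constructed
    vault, key = TokenVault(), secrets.token_bytes(32)
    print(protect_record(sample, vault, key))
    print(anonymize(sample))
```

Note the recoverability ladder: a masked card number cannot be recovered at all, a token can be recovered only by whoever holds the vault, a pseudonym can be re-linked only by whoever holds the key, and an anonymized record has the field removed entirely.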

Hashing vs. Encryption

• Hashing is a one-way function that creates a unique message digest.
• Encryption is a two-way function, allowing for both encryption and decryption.
• Hashing is used to validate integrity, while encryption provides confidentiality.

Hashing Function Requirements

• Works with any input.
• Generates a fixed-length output.
• Computation of the hash is relatively easy.
• One-way: the process cannot be reversed.
• Must be collision-free.

Hash Functions

• Algorithms include SHA-224, SHA-256, SHA-384, and SHA-512.
• Used for integrity, verification of digital signatures, and pseudo-random numbers.

Key Stretching

• Produces stronger/longer keys that resist brute-force attacks; it strengthens a cipher suite by making the key longer and more random.
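The hashing sections (hashing vs. encryption, the hash-function requirements, and key stretching) can all be checked in a few lines with the Python standard library. The following is an added example written for these notes, not code from the course: it shows the fixed-length and avalanche properties of SHA-256, an integrity check, the reversibility that distinguishes encryption (illustrated with a one-time-pad XOR, an assumption chosen for brevity), and key stretching with PBKDF2-HMAC-SHA256; the iteration count and the sample passwords are constructed for the illustration.

```python
# Added example (not from the course): properties of a hash function
# (fixed-length output, avalanche effect, integrity check) contrasted with
# reversible encryption, plus key stretching with PBKDF2-HMAC-SHA256.
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    """Message digest: any input length, always a 64-hex-char (256-bit) output."""
    return hashlib.sha256(data).hexdigest()


def all_fixed_length(inputs: list[bytes]) -> bool:
    """Hash requirement check: every digest has the same length."""
    return len({len(sha256_hex(x)) for x in inputs}) == 1


def differing_bits(a: bytes, b: bytes) -> int:
    """Avalanche effect: count the digest bits that differ between two inputs."""
    da, db = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    """Integrity: recompute the digest and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def otp_xor(data: bytes, key: bytes) -> bytes:
    """Encryption is two-way: XOR with a one-time-pad key; applying the same
    key again decrypts. Illustration only: the key must be random, at least
    as long as the data, and never reused."""
    assert len(key) >= len(data)
    return bytes(d ^ k for d, k in zip(data, key))


def stretch_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Key stretching: PBKDF2 turns a short, low-entropy password into a
    32-byte key; the iteration count makes each brute-force guess costly,
    and the salt makes precomputed tables useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive the key from the candidate password and compare in constant time."""
    return hmac.compare_digest(stretch_key(password, salt), stored_key)


if __name__ == "__main__":
    print(sha256_hex(b"abc"))
    print(differing_bits(b"abc", b"abd"), "digest bits differ after a one-character change")
    key = secrets.token_bytes(16)
    print(otp_xor(otp_xor(b"attack at dawn", key), key))
    salt = secrets.token_bytes(16)
    print(verify_password("correct horse", salt, stretch_key("correct horse", salt)))
```

The contrast to keep in mind: `sha256_hex` has no inverse, so it validates integrity, whereas `otp_xor` applied twice with the same key returns the plaintext, which is what makes it encryption. `stretch_key` is a hash-based construction used for key derivation rather than for integrity; its slowness is the feature.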

Asymmetric vs. Symmetric Key Algorithms

• Symmetric uses a single shared secret key.
• Asymmetric uses a pair of public and private keys.
• Asymmetric keys offer better scalability, key distribution, and non-repudiation than symmetric keys.

Digital Signatures

• In a signed email scenario, a digital signature verifies that:
  • The sender is authenticated.
  • The sender cannot repudiate the message.
  • The message's integrity is intact.

Examples of Cryptographic Techniques and Algorithms, including Key Management

• AES, RSA, 3DES, ECC, Diffie-Hellman, ElGamal
• Hash functions

Important Considerations relating to Cryptography

• Performance characteristics (speed/size)
• Security requirements (resiliency)
• Compatibility requirements (devices, applications, and services)
• Longevity of the chosen algorithms
• Predictability and entropy


Description

Test your knowledge on various types of security controls, including preventive, detective, and corrective measures. This quiz examines the importance of policies and procedures in an organization's security strategy and dives into concepts like Zero Trust and physical security. Challenge yourself to see how well you understand security principles!
