Security Controls and Policies Quiz
45 Questions

Questions and Answers

Which category of security controls primarily focuses on policies and procedures defined by an organization's security policy?

  • Managerial (correct)
  • Technical
  • Operational
  • Physical

What type of security control is designed to prevent security incidents before they occur?

  • Detective
  • Corrective
  • Preventive (correct)
  • Compensating

Which type of security controls would best describe mechanisms that provide protection to physical facilities and real-world objects?

  • Managerial
  • Technical
  • Physical (correct)
  • Operational

What category of security controls assists in ensuring compliance with security policies through daily operations?

Answer: Operational (B)

Which type of control provides a response to a security incident after it has been detected?

Answer: Corrective (D)

What is the primary focus of conditional access in security?

Answer: Enforcing conditions of access (B)

Which component is responsible for making policy decisions in a Zero Trust model?

Answer: Policy Engine (D)

Why is physical security considered essential in an overall security strategy?

Answer: It prevents unauthorized physical access to facilities (A)

What does a bollard primarily act as in physical security?

Answer: A physical barrier to restrict vehicle access (C)

In a Zero Trust security model, where are security controls primarily applied?

Answer: Within the Control Plane (A)

Which of the following best describes the role of a Policy Administrator?

Answer: To establish and maintain access policies (D)

What is a key aspect of the Security+ exam highlighted in the content?

Answer: It includes both physical and technical security measures (B)

What does SIEM stand for in security terminology?

Answer: Security Information and Event Management (D)

What is a primary function of access badges in security systems?

Answer: To electronically unlock doors and prevent unauthorized access. (A)

Which method can be implemented to ensure lighting serves as an effective deterrent control?

Answer: Install lights at all entrances and exits of a building. (B)

How can lights be protected from being tampered with by an attacker?

Answer: Place lights high enough or protect them with a metal cage. (C)

What type of sensor detects heat signatures emitted by living beings or objects?

Answer: Infrared sensor. (B)

What is a honeypot in the context of cyber deception?

Answer: A decoy used to lure attackers for observation. (C)

What is the purpose of a honeyfile in cybersecurity?

Answer: To detect unauthorized data access by luring attackers. (C)

Which technology is specifically used to detect movement in a designated area?

Answer: Microwave technology. (A)

What is a key feature of a honeynet?

Answer: A group of honeypots used in cybersecurity. (A)

What is the primary purpose of change management processes in an organization?

Answer: To ensure proposed changes are reviewed before implementation (B)

Which of the following best describes the difference between change management and change control?

Answer: Change management dictates how changes are processed; change control evaluates specific change requests (C)

What does configuration management ensure in an organization's security policy?

Answer: Systems are configured similarly and configurations are documented (B)

Which of the following is NOT typically part of a change management process?

Answer: Immediate implementation of changes without review (B)

What role does the Change Advisory Board (CAB) play in change management?

Answer: To evaluate change requests and determine their potential benefit (D)

How does baselining contribute to security operations?

Answer: By ensuring all systems are deployed with a common starting point (C)

A significant aspect of a change management program is performing which analysis?

Answer: Impact analysis of changes on security (D)

What aspect of change management mitigates the risks associated with unauthorized changes?

Answer: Standard operating procedures for processing change requests (D)

What is the main purpose of maintaining documentation during the change management process?

Answer: To ensure that all technical team members can access historical decisions (B)

Which aspect of change management involves identifying the effects of changes on interconnected systems?

Answer: Dependency tracking (C)

What would be a likely consequence of not updating documentation after system changes?

Answer: Inaccurate representation of the operating environment (A)

What is a critical capability of version control systems in change management?

Answer: To facilitate conflict identification between developers' changes (C)

Why are legacy applications significant when planning changes in a cloud environment?

Answer: They may not support certain updates like component version changes (B)

What is the role of the maintenance window in the change management process?

Answer: To conduct application restarts and implement risky changes (A)

Which of the following is NOT a benefit of maintaining documentation in change management?

Answer: Facilitates easier detection of software bugs (C)

In what way does version control contribute to the software development process?

Answer: It enables teams to track and manage changes in software code (A)

What is the primary function of a Trusted Platform Module (TPM)?

Answer: To store and manage disk encryption keys securely (B)

Which of the following best describes the purpose of a Hardware Security Module (HSM)?

Answer: It safeguards and manages digital keys and performs cryptographic functions. (D)

How does a Hardware Root of Trust (HRoT) enhance system security?

Answer: By verifying that keys match before the secure boot process. (C)

What is a primary feature of a Key Management System (KMS)?

Answer: To maintain programmatic access via API for secret management. (D)

Which term describes a secure and isolated area within a system for processing sensitive data?

Answer: Trusted Execution Environment (A)

What does steganography attempt to achieve in data security?

Answer: To conceal a file within another file or medium. (A)

Which statement is true regarding the comparison of TPM and HSM?

Answer: HSMs are often removable or external devices unlike TPMs. (A)

What is an example of a service provided by a Key Management System (KMS)?

Answer: Providing programmatic access to application secrets. (D)

Flashcards

Security Controls

Mechanisms used to protect resources and systems, categorized by their type (technical, managerial, operational, physical).

Technical Controls

Hardware or software methods for managing resource access and system protection.

Managerial Controls

Security policies and procedures set by an organization.

Operational Controls

Daily procedures that make sure security policies are followed.

Physical Controls

Methods used to protect physical assets and the facility.

Conditional Access

A security feature that enforces specific access conditions.

Zero Trust

A security model that assumes no implicit trust, verifying every access request.

Policy Decision Point

The point where security policies are evaluated and decisions about access are made.

Policy Engine

Part of the system that implements security policies.

Physical Security

Protection of physical assets and environments.

Data Access

The act of accessing data.

Control Plane

The security management component of a system.

Physical Barrier

A physical object that prevents unauthorized access.

Access Badges

Electronic devices that unlock doors, restricting unauthorized personnel entry.

Lighting Control

Using lighting strategically to deter attackers and save energy.

Infrared Sensors

Detect heat signatures to detect movement, used in security systems.

Pressure Sensors

Detect changes in pressure, like someone standing on a mat.

Microwave Sensors

Use microwaves to detect movement within a range.

Ultrasonic Sensors

Use sound waves to detect objects for parking or security.

Honeypot

A decoy to lure attackers away from real systems.

Honeyfile/Honeytoken

Decoy files/tokens in a system to detect data theft attempts.

Change Management

A policy outlining how changes are processed in an organization, reducing risks from unauthorized changes or outages.

Change Control

The process of evaluating a change request within an organization to see if it benefits the company.

Configuration Management

Ensures systems are similarly configured, configurations are known and documented, and the 'current state' is clear.

Approval Process (in Change Management)

Ensures all proposed changes are reviewed and cleared by management before implementation.

Impact Analysis (in Change Management)

Assessing the effect of a change on systems and services.

Baselining

Ensuring systems start with a common baseline or starting point.

Change Management impact to security

Preventing security-related incidents and outages through organized change procedures.

Business Processes (security impact)

Processes like approval, impacting security operations, and change management.

Maintenance Window

A scheduled time for performing maintenance tasks on a system or application.

Application Restarts

A process of stopping and starting an application.

Legacy Applications

Older computer applications or systems.

Dependencies

Interconnected systems and services.

Documentation

Written records of systems and procedures.

Version Control

Tracking different versions of code and system configurations.

Current State

A system's present condition, including its configurations, and operating rules.

System/Application Configurations

The settings and parameters that control how software runs on a computer.

Hardware Security Module (HSM)

A physical device that protects and manages digital keys, performing encryption/decryption, digital signatures, and strong authentication.

Trusted Platform Module (TPM)

A component that provides secure access to keys for disk encryption and secure boot processes. It prevents unauthorized access.

Hardware Root of Trust (HRoT)

A security layer that verifies the authenticity of firmware and keys, preventing unauthorized code execution.

Key Management System (KMS)

A service, often cloud-based, for securely storing and managing application secrets such as API keys, passwords, and certificates.

Enclave

A secure, isolated area within a system for processing sensitive data, even on possibly compromised hardware.

Steganography

Hiding information within another file, image, or message, often used to conceal data exfiltration attempts.

Full Disk Encryption (FDE)

Method of encrypting the entire storage device.

Obscuration

Privacy enhancement techniques used to protect privacy.

Study Notes

CompTIA Security+ Exam Cram Notes

  • The course covers the CompTIA Security+ Exam SY0-701.
  • The course material covers every topic in the official exam syllabus.
  • Pete Zerger, VCISO, CISSP, MVP, is the instructor.
  • The course is the 2024 edition.

Domain 1: Controls

  • Security controls are measures to counter and minimize loss or unavailability of services/apps due to vulnerabilities.
  • Safeguards are proactive (reducing the likelihood of an event).
  • Countermeasures are reactive (reducing the impact after an event).
  • There are four main categories of controls: technical, physical, managerial, and operational.

Categories of Security Controls

  • Technical controls use technology (hardware and software), for example, encryption, smartcards, passwords, biometrics, access control lists (ACLs), firewalls, routers, and IDS/IPS.
  • Physical controls are tangible and include guards, fences, lights, motion detectors, guard dogs, video cameras, alarms, and laptop locks.
  • Managerial controls are policy-based, such as policies, procedures, hiring practices, background checks, data classification, security training, and risk assessments.
  • Operational controls are people-centric activities, such as awareness training, configuration management, and media protection.

Control Types

  • Deterrent: discourages violating security policies, e.g., locks, fences, security badges.
  • Preventive: deployed to stop unwanted/unauthorized activity, e.g., fences, locks, biometrics.
  • Detective: discovers/detects unwanted/unauthorized activity, e.g., security guards, guard dogs, motion detectors, logs, honeypots.
  • Corrective: modifies the environment to return systems to normal after an incident, e.g., backups, patching, antivirus.
  • Compensating: provides options to other existing controls to aid in enforcement, e.g., security policies, personnel supervision, monitoring.

Control Overlap

  • Controls often have multiple functions.
  • For example, a security camera can be both a deterrent and a detective control.
  • The classification depends on implementation and the risk addressed.
  • Focus on keywords such as "warning", "sign", "visibility", "perception", "access control", "policy", and "procedure".

Domain 1: General Security Concepts

  • Confidentiality, Integrity, Availability (CIA):
    • Confidentiality ensures only authorized subjects have access to objects.
    • Integrity ensures data or system configurations are not modified without authorization.
    • Availability ensures authorized requests for objects are granted within a reasonable time frame.
  • Non-repudiation: the guarantee that no one can deny having performed a transaction; it proves integrity and is based on asymmetric cryptography, e.g., digital signatures.
  • Authentication, Authorization, and Accounting (AAA): Authentication—user/service proves identity using credentials. Authorization—authenticated users access based on roles and permissions. Accounting—tracks user activity and records in logs (audit trail).

Authorization Models

  • Discretionary Access Control (DAC): based on user and object attributes, the owner grants or denies access to others, e.g., NTFS.
  • Role-Based Access Control (RBAC): roles, not users, are given permissions.
  • Rule-Based Access Control: global rules (restrictions or filters) that apply to all subjects in the system, e.g., firewall rules.
  • Mandatory Access Control (MAC): predefined labels determine access, e.g., military security.
  • Attribute-Based Access Control: access is based on attributes of the account (e.g., department, location, role).
  • Subjects: users, groups, or services.
  • Objects: files, folders, shares, and printers.

Gap Analysis

  • A standard (e.g., ISO 27001) is used for comparing the organization's current operations to standard requirements.
  • Areas where the organization's security controls fall short of the standard's requirements are identified as gaps.
  • The outcome of an audit is an attestation, a formal statement confirming controls.

Zero Trust

  • An approach where no entity is trusted by default.
  • Based on three main principles:
    • Assume breach.
    • Verify access explicitly.
    • Least privilege access.
  • Supported by defense in depth.

Policy Enforcement Point (PEP)

  • Responsible for enabling, monitoring, and terminating connections between subjects and resources.
  • Enforces access control policies.
  • May enforce Multi-Factor Authentication (MFA) for access from unexpected locations.
  • Evaluates access requests against predefined policies.

Policy Decision Point (PDP)

  • Makes access decisions (allowing, denying).
  • Considers contextual information such as user identity.
  • Considers device health and risk assessment for a request.

Adaptive Identity and Threat Scope Reduction

These are elements of the Control Plane of Zero Trust and implement its decision logic.

  • Adaptive Identity—adapts authentication requirements to the context of the request.
  • Threat Scope Reduction—decreases the organization's exposure to risk.

Implicit Trust Zones, Subject/System, and Policy Enforcement Points

  • Implicit Trust Zones—the former security perimeter (firewall) areas.
  • Subject—a user wanting to access a resource.
  • System—a non-human entity accessing a resource, e.g., a device.
  • Policy Enforcement Point (PEP)—evaluates requests against predefined policies and controls access.

Conditional Access

  • Enforcing "conditions of access."
  • Checks and verifies access via signals.
  • Processes via a signal-decision-enforcement loop for various access requests.

Physical Security

  • Physical security is essential. Without it, no additional security measures are sufficient.
  • Gaining physical access allows attackers to cause significant damage.

PKI (Public Key Infrastructure)

  • Management of cryptographic keys.
  • Certificates for authentication (including domain validation, extended validation, and wildcard certificates).
  • Trust models include bridge, hierarchical, hybrid, and mesh models.
  • Key escrow: a method of storing cryptographic keys to permit recovery; also part of PKI.
  • CRL (Certificate Revocation List): contains information about revoked certificates.
  • OCSP (Online Certificate Status Protocol): a faster method than a CRL for checking the status of certificates; also issues CSRs.
  • Pinning: a procedure for preventing the use of fraudulent certificates.
  • Root of trust/trusted certificate authorities: the central certification authority in a PKI.
  • Levels of encryption such as file, volume, and disk encryption.

Tools

  • TPM (Trusted Platform Module): chip on the motherboard that manages encryption keys for full-disk encryption (FDE) solutions.
  • HSM (Hardware Security Module): Protects keys, encrypts/decrypts data, and provides strong authentication.
  • KMS (Key Management System): Centralized storage and management of keys (e.g., Azure Key Vault, AWS KMS).
  • Secure Enclave: Hardware-based secure area for processing sensitive data.

Obfuscation

  • Techniques such as steganography, tokenization, pseudonymization, anonymization, and data masking.
  • Steganography—hiding data within another data object (e.g., hiding secrets in image files).
  • Tokenization—Replacing data with tokens.
  • Pseudonymization—Using different identifiers in place of personally identifiable information (PII).
  • Anonymization—Removing all PII.
  • Data masking—Hiding some portions of data (e.g., showing only asterisks for credit card numbers).
  • Data minimization—Collecting only the necessary data to fulfil a specific purpose.

Hashing vs. Encryption

  • Hashing is a one-way function that creates a unique message digest.
  • Encryption is a two-way function, allowing for encryption and decryption.
  • Hashing is used to validate integrity, while encryption creates confidentiality.

Hashing Function Requirements

  • Works with any input;
  • Generates a fixed-length output;
  • Computation of the hash function is relatively easy;
  • Provides a one-way approach, (cannot reverse the process);
  • Must be collision-free.

Hash Functions

  • Algorithms include SHA-224, SHA-256, SHA-384, and SHA-512.
  • Used for integrity, verification of digital signatures, pseudo-random numbers.

Key Stretching

  • Produces stronger/longer keys that resist brute-force attacks; makes a cipher suite stronger by making a key longer and more random.

Asymmetric vs Symmetric Key Algorithms

  • Symmetric uses a single shared secret key.
  • Asymmetric uses a pair of public and private keys.
  • Asymmetric keys have better scalability, key distribution, and non-repudiation than symmetric.

Digital Signatures

  • Used in a signed email scenario, a digital signature verifies that:
    • The sender is authenticated.
    • The sender cannot repudiate the message.
    • The message's integrity is intact.

Examples of Cryptographic Techniques and Algorithms including Key Management

  • AES, RSA, 3DES, ECC, Diffie-Hellman, El Gamal
  • Hash Functions

Important Considerations relating to Cryptography

  • Performance characteristics (speed/size).
  • Security requirements (resiliency).
  • Compatibility requirements (devices, applications, and services).
  • Longevity of the chosen algorithms.
  • Predictability and entropy.

Description

Test your knowledge on various types of security controls, including preventive, detective, and corrective measures. This quiz examines the importance of policies and procedures in an organization's security strategy and dives into concepts like Zero Trust and physical security. Challenge yourself to see how well you understand security principles!
