Security Fundamentals: CIA Triad & Key Concepts

Questions and Answers

In the context of security, which of the following scenarios represents a compromise of integrity?

  • An unauthorized user gains access to a database containing employee social security numbers.
  • A denial-of-service attack renders a company's website unavailable to customers.
  • A disgruntled employee maliciously modifies financial records to conceal fraudulent transactions. (correct)
  • A server room is flooded due to a burst pipe, causing irreparable damage to critical hardware.

Which security principle is primarily violated when a system administrator accidentally exposes sensitive customer data due to a misconfigured server?

  • Confidentiality (correct)
  • Integrity
  • Availability
  • Non-repudiation

In a scenario where a user successfully sends an encrypted email, but the recipient is unable to decrypt it due to a corrupted key, which principle of the CIA Triad is primarily affected?

  • Non-repudiation
  • Confidentiality
  • Integrity
  • Availability (correct)

Which of the following best describes the purpose of implementing non-repudiation in a digital transaction system?

  • Guaranteeing that all parties involved in a transaction cannot deny their participation. (correct)

An organization implements a system requiring users to authenticate with a password and a one-time code sent to their mobile device. Which security principle is being enhanced?

  • Authentication (correct)

Which of the following scenarios exemplifies the principle of least privilege when assigning user permissions?

  • Allowing a marketing team member read-only access to the customer database, but not the ability to modify records. (correct)

A company uses video surveillance, physical locks, and security personnel. Which security control category do these measures primarily fall under?

  • Physical (correct)

Which type of security control is implemented when an organization mandates security awareness training for all new employees?

  • Preventative (correct)

An organization implements alarms and motion detectors to identify unauthorized access. Which security control type is being used?

  • Detective (correct)

An organization experiences a malware outbreak. After the incident, they re-image affected systems and apply new security patches. Which type of security control is being implemented?

  • Corrective (correct)

A company decides to add extra layers of security because the primary security controls are not 100% effective. What kind of security control is being applied?

  • Compensating (correct)

Which security model centers around the principle that no user or device should be inherently trusted, regardless of their location within or outside the network perimeter?

  • Zero Trust (correct)

In a Zero Trust architecture, what is the primary function of the control plane?

  • To define, manage, and enforce policies related to user and system access. (correct)

What is the term for a weakness in system design or implementation that could be exploited by a threat?

  • Vulnerability (correct)

An organization identifies a critical vulnerability in their web application but lacks the immediate resources to patch it. What is the MOST appropriate initial step in risk management?

  • Implement compensating controls, such as a web application firewall, to mitigate the risk. (correct)

Which of the following methods is LEAST effective in ensuring data confidentiality?

  • Storing all data on a physically secure server within the organization's headquarters. (correct)

Which of the following techniques is MOST suitable for ensuring data integrity during transmission?

  • Hashing (correct)

Which of the following actions BEST exemplifies the principle of availability in the context of disaster recovery planning?

  • Regularly backing up critical data to an offsite location. (correct)

An organization implements redundant network connections and backup power generators to minimize downtime. Which security principle is the organization primarily addressing?

  • Availability (correct)

What is the primary purpose of using digital signatures in electronic communication?

  • To verify the identity of the sender and ensure message integrity. (correct)

A cybersecurity analyst discovers a user accessing the network from an unusual geographic location at an odd hour, and an attempt to access sensitive files. Which security concept should be implemented?

  • Somewhere you are (correct)

A security analyst implements a system that tracks user activities and resource usage. What is the PRIMARY security benefit?

  • Facilitating incident response and forensic analysis (correct)

What is the primary goal of using Syslog servers in a security monitoring infrastructure?

  • To aggregate logs from various network devices and systems for centralized analysis. (correct)

A project manager is tasked with assessing the current state of security and identifying areas for improvement. Which type of analysis should the project manager conduct?

  • Gap Analysis (correct)

An organization outsources its email infrastructure to a cloud provider. A security review reveals that the cloud provider's security measures do not fully align with the organization's compliance requirements. What kind of gap analysis would be most suited for this assessment?

  • Business Gap Analysis (correct)

How does an organization use a Plan of Actions and Milestones (POA&M)?

  • To define vulnerability remediation tasks. (correct)

An attacker launches a Distributed Denial of Service attack (DDoS). Which type of threat actor is most likely responsible?

  • Unskilled attacker (script kiddie) (correct)

A group of activists hacks into a company's website and replaces the homepage with a message protesting the company's environmental practices. What type of threat actor is MOST likely responsible?

  • Hacktivist (correct)

What is the PRIMARY motivation for organized cybercrime groups?

  • Generating financial gain (correct)

Which type of threat actor is MOST likely to employ a false flag attack?

  • Nation-state actor (correct)

Which term BEST describes a prolonged and targeted cyberattack where an intruder gains unauthorized access to a network and remains undetected for an extended period?

  • Advanced Persistent Threat (APT) (correct)

What is the MOST effective way to mitigate the risk of insider threats?

  • Enforcing the principle of least privilege and zero trust architecture (correct)

An employee uses a personal laptop to access company email and shared drives without the IT department's knowledge or approval. What is this an example of?

  • Shadow IT (correct)

What is the term for the path or method used by an attacker to gain unauthorized access to a system or network?

  • Threat vector (correct)

Which of the following BEST describes a watering hole attack?

  • An attacker compromises a website frequently visited by their intended victims. (correct)

A security team deploys honeypots and honeynets within its network. What is the PRIMARY objective?

  • To deceive, detect, and divert attackers from critical assets, gathering intelligence on their tactics. (correct)

A security administrator configures a system to send fake telemetry data in response to network scans in order to deter potential attackers. What technique is used?

  • Spoofing fake telemetry data (correct)

What is the purpose of bollards in physical security?

  • Redirecting vehicular traffic. (correct)

An attacker attempts to gain unauthorized access to a secure facility by repeatedly trying different key combinations on a cipher lock. Which type of attack is this?

  • Brute force (correct)

An unauthorized individual gains access to a secure area by closely following an authorized employee through an access control vestibule. What is this physical security breach called?

  • Tailgating (correct)

What is the PRIMARY benefit of using electronic access control systems with badges for physical security?

  • Providing audit trails and access logs (correct)

A security administrator wants to enhance the security of a door by implementing an authentication method that relies on unique physical characteristics. Which technology should be implemented?

  • Biometrics (correct)

An organization discovers that attackers are cloning access badges to gain unauthorized entry. What action would be most appropriate?

  • Implementing multifactor authentication (correct)

An attacker pretends to be a technician to trick someone into providing a password. What type of attack is occurring?

  • Pretexting (correct)

How might a social engineer most effectively leverage the principle of scarcity during an attack?

  • By sending an email stating an account will be closed if not verified. (correct)

Flashcards

Information Security

Protecting data from unauthorized access, modification, disruption, disclosure and destruction.

Information Systems Security

Protecting the systems (computers, servers, network devices) that hold and process critical data.

Confidentiality

Ensuring information is accessible only to authorized personnel (e.g. encryption).

Integrity

Ensuring data remains accurate and unaltered (e.g. checksums).

Availability

Ensuring information and resources are accessible when needed (e.g. redundancy measures).

Non-Repudiation

Guarantees that an action or event cannot be denied by the involved parties (e.g. digital signatures).

CIANA Pentagon

Extension of CIA triad, adding non-repudiation and authentication.

Authentication

Verifying the identity of a user or system (e.g., password checks).

Authorization

Determining actions/resources authenticated user can access (e.g., permissions).

Accounting

Tracking user activities and resource usage for audit/billing.

Technical Controls

Technologies, hardware, and software mechanisms to manage and reduce risk.

Managerial Controls

Strategic planning and governance side of security.

Operational Controls

Procedures to protect data on a day-to-day basis, governed by internal processes.

Physical Controls

Tangible, real-world measures taken to protect assets.

Preventative Controls

Proactive measures to thwart potential security threats or breaches.

Deterrent Controls

Discouraging potential attackers by making the effort seem less appealing.

Detective Controls

Monitor and alert organizations to malicious activities.

Corrective Controls

Mitigate any potential damage and restore systems to their normal state.

Compensating Controls

Alternative measures when primary security controls are not effective.

Directive Controls

Guide actions, inform, or mandate policy or documentation.

Zero Trust Model

No one should be trusted by default. Verify every device, user and transaction.

Control Plane

Adaptive identity, threat scope reduction, policy-driven access control, and secured zones; it houses the policy engine and policy administrator that decide on access requests.

Data Plane

Subject/system and the policy enforcement points that carry the actual traffic and open or close connections as the control plane decides.

Threat

Anything that could cause harm, loss, damage, or compromise to our systems.

Vulnerability

Weakness in system design/implementation.

Risk Management

Finding ways to minimize the likelihood and impact of negative outcomes.

Confidentiality

Protection of information from unauthorized access/disclosure.

Encryption

Converting data into a code to prevent unauthorized access.

Access Controls

Setting up strong user permissions.

Data Masking

Obscuring specific data within a database so it is unreadable to unauthorized users while remaining usable by authorized ones.

Physical Security Measures

Protecting the confidentiality of paper records and of digital information held on servers and workstations.

Training and Awareness

Regular training on security awareness best practices.

Integrity

Information & data remain accurate and unchanged.

Hashing

Converting data into a fixed-size value (a digest) that changes whenever the input changes.

Digital Signatures

Ensure both integrity and authenticity

Checksums

Method to verify the integrity of data during transmission

Availability

Information, systems, resources are accessible and operational.

Server Redundancy

Using multiple servers in load balance or failover configuration.

Data Redundancy

Storing data in multiple places.

Network Redundancy

Ensures data can travel through another route if one network path fails.

Study Notes

Fundamentals of Security

  • Information security protects data and information from unauthorized actions.
  • Information systems security protects the systems holding and processing critical data.
  • The CIA Triad consists of Confidentiality, Integrity, and Availability.
    • Confidentiality ensures access to information is limited to authorized personnel through methods like encryption.
    • Integrity ensures data remains accurate and unaltered, often using checksums.
    • Availability ensures information and resources are accessible when needed via redundancy measures.
  • Non-Repudiation guarantees actions or events cannot be denied by involved parties via digital signatures.

Security Concepts

  • The CIANA Pentagon extends the CIA triad by adding non-repudiation and authentication.
  • Triple A's of Security refer to Authentication, Authorization, and Accounting.
    • Authentication verifies the identity of a user or system using password checks.
    • Authorization determines the actions or resources an authenticated user can access, including permissions.
    • Accounting tracks user activities and resource usage for audit or billing purposes.

Security Controls

  • Security control categories include:
    • Technical: Technologies, hardware, and software mechanisms that manage and reduce risks.
    • Managerial: Administrative controls involving strategic planning and governance.
    • Operational: Procedures and measures protecting data daily, governed by internal processes and human actions.
    • Physical: Tangible, real-world measures protecting assets.
  • Security control types include:
    • Preventative: Proactive measures to thwart potential security threats or breaches.
    • Deterrent: Measures discouraging attackers by making their effort less appealing.
    • Detective: Controls that monitor for and alert organizations to malicious activities.
    • Corrective: Measures mitigating damage and restoring systems to normal.
    • Compensating: Alternative measures when primary security controls are ineffective.
    • Directive: Controls that guide, inform, or mandate actions, such as policies and procedures.
  • The Zero Trust Model assumes no entity should be trusted by default.

Zero Trust Implementation

  • Achieving zero trust requires both a control plane and a data plane.
  • The Control Plane offers adaptive identity, threat scope reduction, policy-driven access control, and secured zones; it houses the policy engine and policy administrator that decide whether each request is allowed.
  • The Data Plane carries the traffic between the subject/system and the resource; its policy enforcement points open or close each connection as the control plane directs.

Threats and Vulnerabilities

  • A threat is anything that could cause harm, loss, damage, or compromise to IT systems, such as natural disasters, cyber-attacks, or data breaches.
  • A vulnerability is any weakness in system design or implementation, including software bugs, misconfigurations, improper protection, missing patches, etc.
  • Risk arises where threats and vulnerabilities intersect.
  • Risk management minimizes the likelihood and impact of negative outcomes.

Confidentiality Measures

  • Confidentiality ensures information is protected from unauthorized access and disclosure, maintaining privacy and regulatory compliance.
  • Methods to ensure confidentiality include:
    • Encryption: Converting data into ciphertext that only holders of the key can read, preventing unauthorized access.
    • Access Controls: Setting up user permissions for authorized personnel only.
    • Data Masking: Obscuring specific data within a database while retaining authenticity for authorized users.
    • Physical Security Measures: Protecting physical data like paper records and digital data on servers/workstations.
    • Training and Awareness: Educating employees on security awareness best practices.

Maintaining Integrity

  • Integrity ensures data remains accurate and unchanged, verifying its trustworthiness.
  • Five methods to maintain integrity include:
    • Hashing: Converting data into a fixed-size digest that changes whenever the data changes.
    • Digital Signatures: Validating integrity and authenticity.
    • Checksums: Verifying data integrity during transmission.
    • Access Controls: Allowing modifications only by authorized individuals to avoid unintentional alterations.
    • Regular Audits: Reviewing logs and operations for unauthorized changes.
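
The hashing and checksum bullets above can be seen working in the following Go program. It is an added example written for this page, not material from the original lesson. It computes a SHA-256 digest and a CRC-32 checksum over a constructed financial record, flips a single bit so the amount 1500.00 silently becomes 1500.01 (the kind of edit in the quiz's first integrity question), and shows that both values change while the stored digest is compared in constant time. The record, field names and digests are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash/crc32"
	"strings"
)

// originalRecord is a constructed financial entry of the kind the quiz's
// integrity question describes; it is sample data for this example only.
const originalRecord = "txn=1042;payee=ACME Supplies;amount=1500.00;approved_by=cfo"

// Sha256Hex returns the SHA-256 digest of data as lowercase hex. Changing
// even one input bit yields an unrelated digest, and crafting a second
// input with the same digest is computationally infeasible.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Crc32 returns the IEEE CRC-32 checksum of data. It reliably catches
// accidental corruption in transit but offers no protection against an
// attacker who recomputes it after editing the data.
func Crc32(data []byte) uint32 {
	return crc32.ChecksumIEEE(data)
}

// VerifyDigest recomputes the digest of data and compares it with the
// stored hex digest in constant time, so the comparison does not leak how
// many leading bytes matched. Malformed stored digests are rejected.
func VerifyDigest(data []byte, storedHex string) bool {
	stored, err := hex.DecodeString(storedHex)
	if err != nil || len(stored) != sha256.Size {
		return false
	}
	actual := sha256.Sum256(data)
	return subtle.ConstantTimeCompare(actual[:], stored) == 1
}

// Tamper returns a copy of data with one bit flipped at offset, simulating
// either silent corruption or a deliberate one-character edit.
func Tamper(data []byte, offset int) []byte {
	out := make([]byte, len(data))
	copy(out, data)
	out[offset] ^= 0x01
	return out
}

func main() {
	orig := []byte(originalRecord)
	digest := Sha256Hex(orig)
	fmt.Printf("stored digest  : %s\n", digest)
	fmt.Printf("stored crc32   : %08x\n", Crc32(orig))

	// Flip the low bit of the last '0' in "1500.00": ASCII 0x30 -> 0x31,
	// so the amount silently becomes 1500.01.
	offset := strings.Index(originalRecord, "1500.00") + len("1500.0")
	tampered := Tamper(orig, offset)
	fmt.Printf("tampered record: %s\n", tampered)
	fmt.Printf("digest verifies: %v\n", VerifyDigest(tampered, digest))
	fmt.Printf("crc32 changed  : %v\n", Crc32(tampered) != Crc32(orig))
}
```

A single flipped bit always changes a CRC-32, which is why checksums are good at spotting transmission errors; but an attacker who edits the record can recompute the checksum just as easily. A cryptographic hash removes that option only if the stored digest itself is protected from the attacker, which is what a digital signature or an HMAC adds on top.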

Ensuring Availability

  • Availability ensures that information, systems, and resources are accessible and operational when needed.
  • Availability helps with business continuity, customer trust, and upholding an organization's reputation.
  • Redundancy involves duplicating critical components or functions to enhance reliability.

Redundancy Types

  • Types of redundancy to consider in system design:
    • Server Redundancy: Using multiple servers in load-balanced or failover setups.
    • Data Redundancy: Storing data in multiple places.
    • Network Redundancy: Ensuring data can travel through another route if one network path fails.
    • Power Redundancy: Using backup power sources like generators and UPS.

Non-Repudiation and Authentication

  • Non-repudiation provides undeniable proof of actions or communications.
  • Digital signatures are unique to each signer: they are created with the signer's private key using asymmetric cryptography and can be verified by anyone holding the matching public key.
  • Authentication ensures individuals are who they claim to be.
  • Five common authentication methods:
    • Something you know (Knowledge Factor): Using information a user can recall.
    • Something you have (Possession Factor): Presenting a physical item.
    • Something you are (Inherence Factor): Using unique physical traits.
    • Something you do (Action Factor): Performing a unique action.
    • Somewhere you are (Location Factor): Being in a specific geographic spot.
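
The non-repudiation bullets above, and the quiz question on what digital signatures are for, are illustrated by the following Go program. It is an added example for this page, not code from the original lesson. Alice signs a constructed transfer order with an Ed25519 private key; verification under her public key succeeds, while an altered message or another party's key fails, so the signature binds that exact message to Alice alone. For contrast, an HMAC under a key shared between Alice and Bob also proves integrity, but either of them can produce an identical tag, so it cannot show which of them did, which is why a MAC gives integrity and authenticity but not non-repudiation. The party names, message and shared key are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds one party's Ed25519 key pair. Only the private key can
// produce signatures; anyone with the public key can verify them.
type Signer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair for a named party.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, pub: pub, priv: priv}, nil
}

// Public returns the verification key that the signer publishes.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Sign produces a signature over msg with the signer's private key.
func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// VerifySignature checks msg against sig under a public key. It fails if
// the message was altered or if a different party signed it, which is what
// lets a verifier hold one specific signer to one specific message.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// MacTag computes an HMAC-SHA256 tag under a key shared by both parties.
// It proves integrity and that some key holder produced the tag, but since
// both parties hold the same key it cannot prove which one did.
func MacTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyMac checks an HMAC tag using a constant-time comparison.
func VerifyMac(key, msg, tag []byte) bool {
	return hmac.Equal(MacTag(key, msg), tag)
}

func main() {
	alice, _ := NewSigner("alice")
	mallory, _ := NewSigner("mallory")
	order := []byte("transfer 1500.00 to ACME Supplies") // constructed message

	sig := alice.Sign(order)
	fmt.Println("alice's signature verifies :", VerifySignature(alice.Public(), order, sig))
	fmt.Println("altered message verifies   :", VerifySignature(alice.Public(), []byte("transfer 9500.00 to ACME Supplies"), sig))
	fmt.Println("verifies under mallory key :", VerifySignature(mallory.Public(), order, sig))

	// With a shared HMAC key, Bob produces a tag identical to Alice's, so a
	// valid tag does not prove that Alice, rather than Bob, approved the order.
	shared := []byte("shared-secret-known-to-alice-and-bob")
	tagFromAlice := MacTag(shared, order)
	tagFromBob := MacTag(shared, order)
	fmt.Println("bob's tag equals alice's   :", hmac.Equal(tagFromAlice, tagFromBob))
}
```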

Authentication, Authorization, and Accounting

  • Multi-Factor Authentication (MFA) requires users to provide multiple identification methods.
  • Authentication prevents unauthorized access and protects data by ensuring only valid users get in.
  • Authorization grants permissions and privileges after authentication.
  • Authorization mechanisms protect sensitive data and maintain system integrity.
  • Accounting measures track and record all user activities during communications or transactions.
  • Robust accounting systems create audit trails, support regulatory compliance, and enable forensic analysis.

System Logging

  • Thorough accounting and event logs support resource optimization and help cybersecurity experts investigate incidents and prevent future ones.
  • Different technologies are used to perform accounting:
    • Syslog Servers: Aggregate logs from various devices so patterns can be detected.
    • Network Analysis Tools: Capture and analyze network traffic.
    • Security Information and Event Management (SIEM) Systems: Offer real-time analysis of security alerts generated by infrastructure and applications.
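
The accounting and logging bullets above describe what a syslog server or SIEM does with the records; the following Go program shows the kind of detection logic that runs over them. It is an added example for this page, not code from the original lesson. It parses constructed syslog-style access records (the host, program name, field names and IP addresses are all made up for the example), compares each event against a per-user profile of usual countries and working hours, and flags the combination the quiz's analyst noticed: an unusual location, an odd hour, and an attempt on a sensitive file.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleLog holds constructed syslog-style records from a hypothetical
// file-access service; they are not real logs. After the program name the
// message is a series of key=value pairs, a common shape for audit events.
var sampleLog = []string{
	"Mar 14 09:12:45 fileserver01 fileaccess[2210]: user=jdoe result=success src=198.51.100.23 geo=US path=/marketing/campaign.pptx",
	"Mar 14 03:07:02 fileserver01 fileaccess[2210]: user=jdoe result=success src=203.0.113.7 geo=RU path=/finance/payroll.xlsx",
	"Mar 14 10:30:11 fileserver01 fileaccess[2210]: user=asmith result=failure src=198.51.100.40 geo=US path=/finance/ledger.csv",
}

// Event is one parsed access record.
type Event struct {
	Hour   int
	Host   string
	Fields map[string]string
}

// Profile describes what is normal for a user: the countries they usually
// connect from and the hours (24h clock, end exclusive) they usually work.
type Profile struct {
	Countries map[string]bool
	StartHour int
	EndHour   int
}

// ParseEvent splits "Mon DD HH:MM:SS host prog[pid]: k=v k=v ..." into its
// hour, host and key=value fields, rejecting lines that do not fit.
func ParseEvent(line string) (Event, error) {
	head, body, ok := strings.Cut(line, ": ")
	if !ok {
		return Event{}, fmt.Errorf("no message separator in %q", line)
	}
	parts := strings.Fields(head) // Mon, DD, HH:MM:SS, host, prog[pid]
	if len(parts) < 5 {
		return Event{}, fmt.Errorf("short header in %q", line)
	}
	hh, _, ok := strings.Cut(parts[2], ":")
	hour, err := strconv.Atoi(hh)
	if !ok || err != nil || hour < 0 || hour > 23 {
		return Event{}, fmt.Errorf("bad timestamp in %q", line)
	}
	ev := Event{Hour: hour, Host: parts[3], Fields: map[string]string{}}
	for _, kv := range strings.Fields(body) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.Fields[k] = v
		}
	}
	return ev, nil
}

// Flags returns the reasons an event deviates from the user's profile.
// Each reason alone is weak evidence; together they form the pattern the
// quiz's analyst saw: odd hour, unusual location, sensitive target.
func Flags(ev Event, p Profile, sensitivePrefixes []string) []string {
	var reasons []string
	if geo := ev.Fields["geo"]; geo != "" && !p.Countries[geo] {
		reasons = append(reasons, "unusual location "+geo)
	}
	if ev.Hour < p.StartHour || ev.Hour >= p.EndHour {
		reasons = append(reasons, fmt.Sprintf("outside working hours (%02d:00)", ev.Hour))
	}
	for _, prefix := range sensitivePrefixes {
		if strings.HasPrefix(ev.Fields["path"], prefix) {
			reasons = append(reasons, "sensitive path "+ev.Fields["path"])
			break
		}
	}
	if res := ev.Fields["result"]; res != "" && res != "success" {
		reasons = append(reasons, "access "+res)
	}
	return reasons
}

func main() {
	profiles := map[string]Profile{
		"jdoe":   {Countries: map[string]bool{"US": true}, StartHour: 8, EndHour: 19},
		"asmith": {Countries: map[string]bool{"US": true}, StartHour: 8, EndHour: 19},
	}
	sensitive := []string{"/finance/"}
	for _, line := range sampleLog {
		ev, err := ParseEvent(line)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		user := ev.Fields["user"]
		if reasons := Flags(ev, profiles[user], sensitive); len(reasons) > 0 {
			fmt.Printf("ALERT %s on %s: %s\n", user, ev.Host, strings.Join(reasons, "; "))
		}
	}
}
```

A user with no profile gets the zero-value Profile, so every country and hour is treated as unusual; that is deliberate, since an account the team has never baselined deserves a look rather than a silent pass.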

Security Control Categories

  • There are four broad categories of security controls:
    • Technical Controls: Involve hardware and software to reduce risks.
    • Managerial Controls: Strategic planning and governance.
    • Operational Controls: Focus on day-to-day data protection.
    • Physical Controls: Tangible measures to protect assets.

Security Control Types

  • Security control types:
    • Preventive Controls: Stop threats or breaches proactively.
    • Deterrent Controls: Discourage attackers.
    • Detective Controls: Monitor activities detecting malicious acts
    • Corrective Controls: Mitigate damage and restore systems.
    • Compensating Controls: Alternative measures when primary controls fail.
    • Directive Controls: Guide/inform security actions.

Gap Analysis

  • Gap Analysis evaluates the differences between current and desired performance.
  • Steps for conducting a gap analysis: defining the scope, gathering data, analyzing the gaps, developing a plan.
  • It can be a useful tool for organizations looking to improve their security posture.
  • There are two basic types of Gap Analysis:
    1. Technical Gap Analysis: Evaluates the infrastructure, identifying shortfalls in how security solutions are deployed and used.
    2. Business Gap Analysis: Evaluates business processes, identifying shortfalls in the capabilities needed to fully use cloud-based solutions.
  • A Plan of Action and Milestones (POA&M) outlines steps to address vulnerabilities, allocate resources, and set remediation timelines.

Zero Trust Model

  • The zero-trust approach means verification is required for every device, user, and transaction.
  • A zero trust architecture is built from two planes: the control plane and the data plane.

Zero Trust - Control Plane and Data plane

  • Adaptive identity, threat scope reduction, policy-driven access control, and secured zones are the control-plane functions that define Zero Trust.
  • The policy engine checks each access request against the predefined policies and decides whether to allow it; the policy administrator establishes and manages the resulting session. Both sit in the control plane.
  • Access is actually granted or denied at the policy enforcement point in the data plane, which opens or closes the connection on the policy administrator's instruction.
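
The policy engine and enforcement point described above, together with the least-privilege scenario from the quiz (marketing gets read-only access to the customer database), are shown as working code below. This is an added example for this page, not code from the original lesson or from any zero trust product. The request attributes, roles, resource name and rules are all constructed; the point is the shape of the decision: rules only ever grant, anything not granted is denied, identity and device health are re-checked on every request, and the network the request comes from is deliberately ignored.

```go
package main

import "fmt"

// AccessRequest is what the policy enforcement point forwards to the
// policy engine: who is asking, from what, for what.
type AccessRequest struct {
	Subject  string
	Role     string
	Resource string
	Action   string // "read" or "write"
	MFA      bool   // identity was strongly verified for this session
	DeviceOK bool   // device passed posture checks (patched, EDR running)
	Network  string // "corp", "vpn" or "internet"; recorded but never trusted
}

// Rule is one policy-driven access control entry. Rules only ever grant;
// anything not granted is denied, which is the zero-trust default.
type Rule struct {
	Role     string
	Resource string
	Actions  map[string]bool
}

// Decision is what the engine returns to the enforcement point.
type Decision struct {
	Allow  bool
	Reason string
}

// PolicyEngine evaluates requests against rules plus the contextual checks
// zero trust layers on top of role: every request, including one from
// inside the network, must present a verified identity and a healthy device.
type PolicyEngine struct {
	Rules []Rule
}

// Evaluate decides a single request. Location is never a factor, so a
// request from "corp" is judged exactly like one from "internet".
func (pe PolicyEngine) Evaluate(r AccessRequest) Decision {
	if !r.MFA {
		return Decision{false, "identity not strongly verified (no MFA)"}
	}
	if !r.DeviceOK {
		return Decision{false, "device failed posture check"}
	}
	for _, rule := range pe.Rules {
		if rule.Role == r.Role && rule.Resource == r.Resource && rule.Actions[r.Action] {
			return Decision{true, fmt.Sprintf("%s may %s %s", r.Role, r.Action, r.Resource)}
		}
	}
	return Decision{false, "no rule grants this action (default deny)"}
}

// Enforce is the policy enforcement point: it asks the engine and returns
// whether the connection is opened. Nothing reaches the resource except
// through here.
func Enforce(pe PolicyEngine, r AccessRequest) (bool, string) {
	d := pe.Evaluate(r)
	return d.Allow, d.Reason
}

// CustomerDBPolicy encodes least privilege for the quiz scenario: marketing
// can read the customer database but cannot modify it; only DBAs can write.
func CustomerDBPolicy() PolicyEngine {
	return PolicyEngine{Rules: []Rule{
		{Role: "marketing", Resource: "customer-db", Actions: map[string]bool{"read": true}},
		{Role: "dba", Resource: "customer-db", Actions: map[string]bool{"read": true, "write": true}},
	}}
}

func main() {
	pe := CustomerDBPolicy()
	requests := []AccessRequest{
		{"mara", "marketing", "customer-db", "read", true, true, "internet"},
		{"mara", "marketing", "customer-db", "write", true, true, "corp"},
		{"dan", "dba", "customer-db", "write", true, false, "corp"},
		{"dan", "dba", "customer-db", "write", false, true, "corp"},
		{"dan", "dba", "customer-db", "write", true, true, "vpn"},
	}
	for _, r := range requests {
		ok, why := Enforce(pe, r)
		fmt.Printf("%-5s %-9s %-5s on %s via %-8s -> allow=%-5v (%s)\n",
			r.Subject, r.Role, r.Action, r.Resource, r.Network, ok, why)
	}
}
```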

Threat Actors and Motivations

  • Threat actors are classified by their attributes and motivations, e.g. data exfiltration (the unauthorized removal of data from a computer) or hacktivism (attacks conducted for philosophical or political reasons).
  • These motivations are associated with particular kinds of threat actors, ranging from unskilled attackers using basic tools to nation-state actors conducting cyber espionage.

Security Threats

  • Organized cybercrime groups, in contrast to hacktivists, are well structured and well resourced, aiming at illicit financial gain through advanced hacking, custom malware such as ransomware, and phishing.
  • Insider threats should be handled with the same zero trust mindset: employees and contractors are not trusted by default simply because they are inside the network.

Securing IT Infrastructure

  • Zero trust architecture, robust access controls, regular audits, and other security controls go a long way toward securing and protecting organizations.
  • They also help to expose and reduce shadow IT, where information technology is used outside the organization's knowledge and security program.

Identifying Threat Vectors

  • Threat vectors and attack surfaces must be well understood to be mitigated. Threats may originate from:
    • messages
    • images
    • files
    • networks
    • physical devices

Deceptive Technologies

  • Deceptive (decoy) technologies attract and mislead attackers, revealing their presence and tactics.
  • One such strategy is creating bogus Domain Name System (DNS) entries that only an attacker probing the network would ever look up.

Safeguarding Physical Assets

  • Tangible objects require physical security e.g., fences, locks, cameras.
  • Security should be able to resist brute force attacks and tampering.

Understanding Security Controls

  • Physical access to assets is controlled with security controls such as access control vestibules. Attackers try to bypass them by:
    • visually obstructing cameras,
    • blinding sensors,
    • interfering with other electronics.
  • Security should also be able to resist piggybacking and tailgating.

Door Lock Security

  • Padlocks are easily circumvented.
  • Electronic locks are better, and biometric locks are more secure still.
  • To protect against badge skimming and cloning, implement multifactor authentication (for example a badge combined with a PIN or a biometric).

Social engineering

  • Psychological attacks exploit motivational triggers such as "social proof" (others appear to have already complied) and "authority" (the attacker claims a position that must be obeyed). Impersonation can be "brand based", mimicking a trusted company to seem legitimate.
  • You can protect against email impersonation by using secure email gateways.

Identifying Common Phishing Techniques

  • Common phishing tell-tales include urgency, unusual requests, and mismatched URLs (link text that shows one domain while the underlying link goes to another).
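
Two of the tell-tales above, mismatched URLs and urgency language, can be checked mechanically. The Go program below is an added example for this page, not code from the original lesson or from any mail security product. It scans a constructed phishing-style HTML body (the domains, including the look-alike examp1e-secure.net, and the wording are made up), extracts each link, and reports where the visible text names one host but the href points to another; it also lists the pressure phrases present. The anchor regex is a deliberate simplification for the example rather than a full HTML parser.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleEmail is a constructed phishing-style message body; it is not a
// real email and the domains in it are invented for this example.
const sampleEmail = `<p>URGENT: your account will be suspended within 24 hours.</p>
<p>Verify now: <a href="http://login.examp1e-secure.net/verify">https://www.example.com/account</a></p>
<p>Questions? <a href="https://support.example.com/help">support.example.com/help</a></p>`

// anchorRe captures the href and the visible text of simple <a> tags.
// It is a simplification for demonstration, not a full HTML parser.
var anchorRe = regexp.MustCompile(`(?is)<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)

// urgencyWords are tell-tales of pressure tactics (urgency and scarcity).
var urgencyWords = []string{"urgent", "immediately", "within 24 hours", "suspended", "verify now", "act now"}

// Mismatch records a link whose visible text names a different host than
// the one the href actually goes to.
type Mismatch struct {
	Shown  string
	Actual string
}

// hostOf extracts the lowercased hostname from a URL or from bare
// "host/path" text, ignoring scheme and path. It returns "" when the text
// does not parse as a URL at all.
func hostOf(s string) string {
	s = strings.TrimSpace(s)
	if !strings.Contains(s, "://") {
		s = "http://" + s
	}
	u, err := url.Parse(s)
	if err != nil || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// MismatchedLinks returns every anchor whose display text looks like a URL
// or hostname but resolves to a different host than its href. Anchors with
// plain-language text ("Click here") carry no host to compare and are skipped.
func MismatchedLinks(html string) []Mismatch {
	var out []Mismatch
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		href, text := m[1], strings.TrimSpace(m[2])
		shown := hostOf(text)
		if shown == "" || !strings.Contains(text, ".") {
			continue
		}
		if actual := hostOf(href); actual != "" && actual != shown {
			out = append(out, Mismatch{Shown: shown, Actual: actual})
		}
	}
	return out
}

// UrgencyHits lists the pressure phrases present in the message text.
func UrgencyHits(text string) []string {
	lower := strings.ToLower(text)
	var hits []string
	for _, w := range urgencyWords {
		if strings.Contains(lower, w) {
			hits = append(hits, w)
		}
	}
	return hits
}

func main() {
	for _, mm := range MismatchedLinks(sampleEmail) {
		fmt.Printf("mismatched link: shows %s but goes to %s\n", mm.Shown, mm.Actual)
	}
	fmt.Println("urgency tell-tales:", UrgencyHits(sampleEmail))
}
```

The second link in the sample is not flagged because its visible text and its href agree; only the look-alike host is reported. A real gateway would also compare the href host against the sender's domain and known brands, which the example leaves out.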

Recognizing Spear Phishing Techniques

  • Business Email Compromise (BEC) is a sophisticated form of spear phishing in which the attacker impersonates an executive, vendor, or colleague to trick an employee into acting on their behalf, such as approving a payment or sharing data.

Preventing Email Borne Threats

  • Prevention is achieved through training users to spot these threats and through anti-phishing campaigns (simulated phishing emails).
  • Alongside those initiatives, your organization should routinely review current threats with users.
