01 Fundamental Security Concepts
Mini Quiz Answers

Question 1: An engineer for a small company is trying to explain the importance of security to the company's owner. The owner feels the company does not need permissions added to the shared drive containing highly sensitive information. What security concept means that information can only be read by people who have been explicitly authorized to access it?

  • A. Confidentiality. With confidentiality, integrity, and availability, also known as the CIA Triad, confidentiality means that only people with explicit authorization to access the information can read it. This type of authorization is enforced by setting permissions on files and folders.
  • B. Integrity. Integrity refers to storing and transferring data as intended and authorized.
  • C. Availability. Availability refers to information that is readily accessible to those authorized to view or modify it.
  • D. Recovery. Recovery is the last part of the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, which refers to implementing cybersecurity resilience to restore systems and data if other controls cannot prevent attacks.

Question 2: A small business owner is concerned that, despite having permissions set on a shared drive, they couldn't determine who deleted an important file. An IT engineer recommends enabling file auditing to ensure all user actions are tracked and recorded. What security principle does this support?

  • A. Confidentiality. With confidentiality, integrity, and availability, also known as the CIA Triad, confidentiality means that only people with explicit authorization to access the information can read it. This type of authorization is enforced by setting permissions on files and folders.
  • B. Non-remediation. Non-remediation is not a recognized term, practice, or concept in security.
  • C. Non-repudiation. Non-repudiation means a person cannot deny doing something, such as creating, modifying, or sending a resource. For the company, this would mean enabling file auditing on its file share.
  • D. Availability. Availability refers to information that is readily accessible to those authorized to view or modify it.

Question 3: A newly hired Chief Information Security Officer (CISO) is implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework. What first function would help the CISO better develop the company's security policies, such as acceptable use policy (AUP), and build out recommendations for security controls?

  • A. Protect. The second function of the NIST Cybersecurity Framework is protect, referring to the procurement, development, or deployment of IT assets and how to defend them against malicious actors.
  • B. Identify. The identify function in the National Institute of Standards and Technology's Cybersecurity Framework refers to developing security policies and capabilities. The CISO preparing policies and controls would fall under the identify function.
  • C. Detect. The framework's third function is detect, which refers to ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new threats.
  • D. Respond. The fourth function of the framework is respond, which refers to how a company would identify, analyze, contain, and eradicate threats to systems and data security.

Question 4: After implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the CISO is assessing the company's security posture to identify deficiencies from the framework's recommendations. What process can the CISO run to get a better sense of what the company needs to improve upon?

  • A. Implement business continuity plan. A business continuity plan would significantly improve security posture, but the CISO is verifying what currently exists, not what should exist.
  • B. Penetration test. The CISO would not be performing a penetration test.
  • C. Implement disaster recovery plan. Implementing a disaster recovery plan would likely be a remediation step for any defects the CISO finds during the analysis.
  • D. Gap analysis. The CISO would be preparing a gap analysis report. This report will show the defects in the company’s current security posture against the NIST Cybersecurity Framework (or any other baseline security framework).

Question 5: A medium-sized mechanical engineering firm wants to better define the account creation process during the onboarding of new hires. It is looking to ensure that the new hires have the right programs, file permissions, and security controls completed ahead of time through automation. What modern access control implementation would aid the company’s account creation process?

  • A. IAM. Modern access control is typically implemented as an identity and access management (IAM) system. The company would want to implement an IAM system to ensure the proper creation of accounts and their associated permissions.
  • B. LDAP. Lightweight Directory Access Protocol (LDAP) would be one portion of a complete IAM system.
  • C. CISO. Chief information security officer (CISO) is the title of the person responsible for the management of security teams or departments within a company.
  • D. CTO. The chief technology officer (CTO) is similar to the chief information officer (CIO) but focuses on the company’s technology products.

Question 6: What component of modern access controls determines what rights a user should have on each resource?

  • A. Authentication. Authentication refers to proving that users are who or what they claim to be when attempting to access the resource. An authentication factor determines what sort of credential users can use.
  • B. Authorization. Authorization refers to determining what rights users should have on each resource and enforcing those rights. Permissions may be assigned individually or on a group or role basis.
  • C. Identification. Identification refers to creating an account or ID that uniquely represents the user, device, or process on the network.
  • D. Accounting. Accounting refers to tracking the authorized usage of a resource or use of rights by a subject and alerting when unauthorized usage is detected.

Question 7: After a recent server outage, the company discovered an employee accidentally unplugged the power cable from a server housed in an unsecured closet. What security control did the company lack that led to the server outage?

  • A. Managerial. Managerial controls provide oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
  • B. Technical. Technical controls are the implementation of a system, such as hardware, software, or firmware. For example, firewalls, antivirus software, and OS access control models are technical controls.
  • C. Operational. Operational controls involve people, such as hiring security guards and performing training programs.
  • D. Physical. Physical controls such as alarms, gateways, locks, lighting, and security cameras deter and detect access to premises.

Question 8: After a server outage due to a security breach, a company has taken several steps to recover from the incident. They have restored critical data from the latest backups and applied urgent security patches to address the exploited vulnerabilities. The security team has updated the incident response plan to incorporate lessons learned from the breach. What category of security control functional type BEST describes the function of these recent implementations?

  • A. Corrective. Corrective controls eliminate or reduce the impact of a security policy violation. A corrective control occurs after an attack. In this scenario, these actions aim to directly address the damage caused by the outage and improve the recovery process.
  • B. Preventive. Preventive controls eliminate or reduce the likelihood that an attack can succeed. The company implements this control to avert a potential incident from occurring.
  • C. Detective. Detective controls may not prevent or deter access, but they will identify and record an attempted or successful intrusion. A security camera would be a type of detective control.
  • D. Operational. Operational controls involve people, such as hiring security guards and performing training programs.

Question 9: An information technology manager audited the company's support tickets and decided to implement a new standard operating procedure. The manager noticed a trend with the tickets, where the majority were for new computer setups. What security control function would the manager's implementation of a new standard operating procedure have?

  • A. Compensating. Compensating controls are a substitute for a principal control, as recommended by a security standard, and afford the same (or better) level of protection. However, they use a different methodology or technology.
  • B. Deterrent. Deterrent controls may not physically or logically prevent access, but they psychologically discourage an attacker from attempting an intrusion. Deterrent controls could include signs and warnings of legal penalties against trespass or intrusion.
  • C. Directive. A directive control enforces a rule of behavior, such as a policy, best practice standard, or standard operating procedure (SOP).
  • D. Corrective. Corrective controls eliminate or reduce the impact of a security policy violation. A corrective control occurs after an attack.

Question 10: An information technology (IT) department is growing to a size where there is a need for a new group to manage security. The chief executive officer (CEO) wants to hire a new executive officer for the role and split it into its own department, separate from the IT department. The CEO should hire for which position?

  • A. CIO. The chief information officer (CIO) is responsible for the company's equipment and infrastructure.
  • B. CTO. The chief technology officer (CTO) is similar to the chief information officer (CIO) but focuses on the company's technology products.
  • C. CEO. The chief executive officer is the figurehead or visionary in charge of leading the company's executive staff.
  • D. CISO. The chief information security officer (CISO) is the title of the individual responsible for managing security teams or departments within a company.

Question 11: A newly hired CISO met with the human resources (HR) department to discuss how to better secure the company’s access to sensitive information. In what way does this meeting fall under the responsibility of the new CISO?

  • A. Monitoring audit logs. While monitoring audit logs would fall under a security role, it would not necessarily occur with the HR group.
  • B. Reviewing user permissions. Working with human resources to ensure the proper user permissions for their given role falls under the security aspect of the chief information security officer.
  • C. Documenting access controls. Documenting access controls also falls under the CISO role but would likely not be a joint activity with HR.
  • D. Managing security-related incident response. Incident response would not necessarily involve HR unless it points to an internal threat actor.

Question 12: After a company hires a new CISO, the Chief Executive Officer (CEO) asks the CISO to hire staff for the new team. The team's purview will be monitoring and protecting critical information assets throughout the company. What BEST describes the location of this new team within the structure of the company?

  • A. SOC. A Security Operations Center (SOC) is the team responsible for security-related activities within a company.
  • B. NOC. A Network Operations Center (NOC) is the team responsible for the network and server infrastructure-related activities inside the company.
  • C. Help desk. A help desk or "Level One" support team handles a company's first line of ticket resolution.
  • D. MSP. A managed service provider (MSP) is an outsourced information technology (IT) organization that handles some or all IT activities for a company.

Question 13: An organization is installing an Uninterruptible Power Supply (UPS) for its new data center. Which of the following would BEST describe this type of control?

  • A. Compensating. A compensating security control doesn’t prevent an attack, but it does restore from an attack using other means. In this example, the UPS does not stop a power outage, but it does provide alternative power if an outage occurs.
  • B. Preventive. A preventive control limits access to a device or area.
  • C. Managerial. A managerial control sets a policy that is designed to control how people act.
  • D. Detective. A detective control may not prevent access, but it can identify and record any intrusion attempts.

Question 14: A web-based manufacturing company processes monthly charges to credit card information saved in the customer's profile. Which of the following standards would be required to maintain this payment information securely?

  • A. GDPR. GDPR (General Data Protection Regulation) is a European Union regulation that governs data protection and privacy for individuals in the EU.
  • B. ISO 27001. The ISO (International Organization for Standardization) 27001 standard focuses on the requirements for an Information Security Management System (ISMS).
  • C. PCI DSS. The PCI DSS (Payment Card Industry Data Security Standard) specifies the minimum security requirements for storing and protecting credit card information.
  • D. CSA CCM. The CSA CCM (Cloud Security Alliance Cloud Controls Matrix) provides documents for implementing and managing cloud-specific security controls.

Question 15: You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?

  • A. Technical and preventive. It is a technical type of control (implemented in software) and acts as a preventive measure (stops something from happening).
  • B. Technical and operational. A secure web gateway is a technical control, but operational controls involve people performing duties.
  • C. Managerial and corrective. A secure web gateway is not a managerial control (administrative).
  • D. Administrative and compensating. There is no indication that this is a compensating control designed to replace another control.

Question 16: If a company wants to ensure it is following best practice in choosing security controls, what type of resource would provide guidance?

  • A. Threat intelligence feeds. A threat intelligence feed provides evidence of specific threats.
  • B. Cybersecurity frameworks. A framework is a structured set of guidelines and controls for mitigating threats.
  • C. Open-source intelligence. OSINT is the use of public sources of intelligence to carry out research.
  • D. External consultants. While a consultant may suggest security controls, frameworks provide a standardized approach.

Question 17: A business is expanding rapidly, and the owner is worried about arguments between its established SOC and programming/coding departments. What type of security business unit or function could help to resolve these issues?

  • A. CIRT. A Computer Incident Response Team identifies and manages cyberattacks.
  • B. NOC. A Network Operations Center manages network infrastructure.
  • C. DevOps. DevOps integrates development (programming) departments with security operations, helping to reduce conflicts.
  • D. DFIR. Digital Forensics and Incident Response is the team that addresses cyberattacks and harvests evidence.

Question 18: What are the properties of a secure information processing system?

  • A. Confidentiality, Integrity, Authorization. Authorization is a quality that refers to people's access to resources, rather than a system.
  • B. Integrity, Non-Repudiation, Encryption. Although encryption can be used in a secure system, it is not a requirement.
  • C. Confidentiality, Integrity, Availability. The CIA Triad covers the three core properties of a secure information system.
  • D. Authentication, Federation, Auditing. These are examples of Identity & Access Management components.

Question 19: Security awareness training, background checks, and written security policies are examples of which control category?

  • A. Physical. Physical controls deny access to buildings or areas.
  • B. Managerial. A managerial control includes rules, training, policies, and procedures.
  • C. Technical. Technical controls are implemented in hardware and software.
  • D. Operational. Operational controls involve people carrying out duties. While there could be some overlap with these controls, these are better examples of managerial (administrative) controls.

Question 20: Which of the following is the BEST example of a deterrent control?

  • A. A password prompt. While a password prompt might deter some attackers, a deterrent should ideally signal some kind of negative consequence in order to psychologically discourage intrusion.
  • B. An EDR solution. EDR is a detective and corrective control.
  • C. A firewall. A firewall is a preventive control.
  • D. A set of visible CCTV cameras around a building. For a deterrent control to be most effective, it should be highly visible.