Pre Exam: Fundamentals of Information Security

What is the purpose of authorization in data security?

Controlling access to resources

What is the goal of ensuring integrity in data security?

Ensuring data is not altered

What is an example of an availability failure in data security?

Interruption of access to website services

How can encryption contribute to maintaining confidentiality in data security?

By securing data from unauthorized access

Which example shows authentication in data security?

Entering a username and password when logging into an online banking site

What does non-repudiation mean in data security?

Preventing users from denying their actions

How does multi-factor authentication (MFA) improve security?

By requiring multiple forms of verification for access to resources

Which attack surface is targeted by exploiting vulnerabilities in web applications?

Software attack surface

What is an example of an insider threat?

An employee accidentally sharing sensitive information

What is the purpose of a worm in cybersecurity?

To replicate itself and spread to other computers

What is the purpose of log monitoring in data security?

To analyze systems for suspicious activity

What is a mitigation strategy for insider threats?

Monitoring employee activities

What is the purpose of an incident response plan?

To outline the steps to take before and after a data breach

What is the primary purpose of a firewall in a network security context?

To monitor and filter incoming and outgoing network traffic

What is the purpose of role-based access control (RBAC)?

To restrict privileges based on a user's role in the organization

Which example illustrates a requirement under FISMA?

A federal agency implements continuous monitoring of its information systems

What will PCI DSS help a store achieve?

Secure customers' payment card data

What is a core function of the NIST Cybersecurity Framework?

To help organizations understand their security risks

Which NIST function is risk assessment and inventory?

Identify

How does a cryptographic hash contribute to blockchain security?

It protects data from being tampered with

How does modularity affect software security maintenance?

Modularity allows for targeted updates and fixes

Which technique replaces sensitive data with non-sensitive equivalents?

Tokenization

Which practice verifies software authenticity with a certificate?

Code signing

Which technique verifies data integrity?

Checksums

How can a company ensure integrity of transferred files?

Use checksums/hashing

Which best practice is vetting cloud services continuously?

Vetting and monitoring third-party components

How does fuzz testing identify vulnerabilities?

It sends malformed data to an application

Why are peer reviews important?

They identify bugs and vulnerabilities missed by developers

What is an automated method to enhance code security without running code?

Static analysis tools

What can CWE help organizations do?

Identify and address software vulnerabilities

Which standard is SSDF?

NIST SP 800-218

Which standard provides security controls for federal systems?

NIST SP 800-53

What attack injects malicious code into a database?

SQL injection

What weakness allows attackers to alter logs?

Insufficient logging and monitoring

How does microservice misconfiguration affect cloud security?

It can lead to unauthorized access to sensitive data

What should remote workers use for secure access?

VPN (IPSec)

How does signature-based IDS protect networks?

By comparing traffic against known threat patterns

How can companies protect network communications?

Using secure protocols like HTTPS/IPSec

What does rate limiting help prevent?

Network congestion

Why implement redundant systems?

To support continuous service availability during an attack

What is the purpose of ARP spoofing?

To intercept and manipulate network traffic

How can IP spoofing attacks be prevented?

By analyzing network traffic for inconsistencies

What vulnerability is common in IoT devices?

Hardcoded passwords

What law protects electronic communications?

ECPA

What is the purpose of FERPA?

To safeguard student privacy

How does CFAA address societal needs?

By deterring cybercrime with legal repercussions

What is the purpose of SOX?

To enhance corporate responsibility and transparency

Which law protects student records access?

FERPA

Which law requires internal controls to prevent fraud?

SOX

Which law regulates financial data use?

GLBA

Which law applies to EU personal data?

GDPR

What type of attack impersonates executives for fraud?

Whaling

How can organizations protect against whaling?

Using email authentication mechanisms

What is smishing?

A social engineering attack using fraudulent text messages

What is the goal of pretexting?

To deceive targets into revealing confidential information

What is an example of corporate espionage?

A competitor stealing trade secrets

What attack involves holding a door open for unauthorized entry?

Piggybacking

What does the identification phase of IRP do?

Determines the nature and scope of an incident

What is an example of a technical control?

Multi-factor authentication

What policy component handles breaches?

Security incident response plan

What policy component involves password rules?

User responsibilities

What do employee cybersecurity trainings represent?

User responsibilities

Which phase involves risk management planning?

Identify

Which phase involves forensic analysis after incident?

Respond

What best practice is demonstrated by MFA + modern systems?

Risk mitigation

What proactive measure helps against DDoS?

Rate limiting

What best practice limits dev access to needed resources?

Access controls

What best practice uses drills for ransomware readiness?

Incident response planning

Which standard establishes ISMS?

ISO/IEC 27001

Which standard guides VPN configuration?

NIST SP 800-77

What is a key aspect of NIST SP 800-53?

Security and privacy controls