Information security
Keeping data, software, and hardware secure against unauthorized access, use, disclosure, disruption, modification, or destruction.
Compliance
The requirements set forth by laws and industry regulations. Examples: HIPAA/HITECH (healthcare), PCI DSS (payment card industry), FISMA (federal government agencies)
CIA
The core model of information security: confidentiality, integrity, and availability
Confidentiality
Allowing only those authorized to access the data requested
integrity
Keeping data unaltered by accidental or malicious intent
Availability
The ability to access data when needed
Parkerian hexad model
Confidentiality , integrity, availability, possession/control, authenticity, utility
Possession/ control
Refers to the physical disposition of the media on which the data is stored
Authenticity
Proper attribution of the data to its owner or creator; being able to say that the data really came from where it claims to
Utility
How useful the data is to us
Types of attacks
1- interception
2- interruption
3- modification
4- fabrication
Interception
Attacks that allow unauthorized users to access our data, applications, or environments. Primarily an attack against confidentiality
Interruption
Attacks that cause our assets to become unusable or unavailable, temporarily or permanently. Primarily affects availability but can also affect integrity
Modification
Attacks that involve tampering with our assets. Primarily an integrity attack, but can also affect availability (e.g., a modified configuration that makes a service fail).
Fabrication
Attacks that involve generating data, processes, communications, or similar activity within a system (e.g., forged records or spoofed messages). Primarily affect integrity but can also affect availability (e.g., flooding a system with fabricated requests).
Risk
The likelihood that a threat will exploit a vulnerability and cause harm. Both a threat and a matching vulnerability must exist; without one of them there is no risk
Threat
Any event, whether man-made, natural, or environmental, that could damage an asset
Vulnerabilities
A weakness that a threat can take advantage of
Impact
The harm that results if a threat is realized, taking into account the asset's value (cost to replace, and cost of the disruption while it is unavailable)
Controls
The ways we protect assets. Physical, technical/ logical, and administrative
Physical controls
Controls are physical items that protect assets. Think of locks, doors, guards and fences
Technical/ logical controls
Controls that are devices and software that protect assets. Think of firewalls, antivirus, IDS, and IPS
Administrative controls
Controls are the policies that organizations create for governance. Ex: email policies
Risk management
A constant process as assets are purchased, used, and retired. The general steps are:
1- identify assets
2- identify threats
3- assess vulnerabilities
4- assess risks
5- mitigate risks
Identify assets
First and most important part of risk management. Identifying and categorizing the assets we are protecting
Identify threats
Once we have our critical assets, we can identify the threats that might affect them
Assess Vulnerabilities
Look at the potential threats against each asset and determine which weaknesses they could exploit. Any given asset may face thousands or millions of threats, but only a small fraction will be relevant, and only those that match an actual vulnerability matter
Assess risks
Once we have identified the threats and vulnerabilities for a given asset, we can assess the overall risk
Mitigating risks
Putting measures (controls) in place to help ensure that a given type of threat is accounted for
Incident response
The response when risk management practices have failed and caused anything from an inconvenience to a disastrous event
Incident response cycle
1 preparation
2- detection and analysis
3- containment
4- eradication
5- recovery
6- post incident activity
Preparation phase
The preparation phase consists of all the activities we can perform in advance of the incident itself in order to better enable us to handle it
Detection and analysis phase
Where the action begins to happen. We will detect the occurrence of an issue and decide whether or not it is actually an incident so that we can respond
Containment phase
Taking steps to ensure that the situation does not cause any more damage than it already has, or to at least lessen any ongoing harm.
Eradication phase
We attempt to remove the cause and the effects of the issue from our environment
Recovery phase
Recover to a better state than we were in prior to the incident, or perhaps prior to when the issue started if we did not detect it immediately
Post incident activity phase
We attempt to determine specifically what happened, why it happened, and what we can do to keep it from happening again.
Defense in depth
Layering of security controls is more effective and secure than relying on a single control
Identity
Who or what we claim to be (e.g., a username)
Authentication
The act of proving who or what we claim to be (e.g., a password)
Identity verification
The half step between identity and authentication (e.g., showing two forms of ID)
Single-factor authentication
Uses just one of the available factors (something you know, have, or are) to carry out the authentication process
Dual-factor authentication
An authentication method that includes multiple methods for a single authentication transaction. Often referred to as "something you have and something you know," when the factors include a device such as a smart card and a secret such as a password or PIN.
Multi-factor authentication
Use of several authentication techniques together, such as passwords and security tokens.
Mutual authentication
The process where the session is authenticated on both ends rather than just one end. Helps prevent man-in-the-middle attacks
Man-in-the-middle attack
An attacker positions themselves between a client and a host to intercept (and possibly alter) communications between them
brute force attack
the password cracker tries every possible combination of characters to guess the password
Password manager
Programs that store all of a user's passwords in an encrypted vault, unlocked with a single master password
Manual password synchronization
When a user keeps the same password across different systems by hand, rather than through a synchronization application
Biometrics
Authentication factors that use physical or behavioral characteristics (something you are)
Universality
Stipulates that we should be able to find the chosen biometric characteristic in the majority of people we expect to enroll in the system
uniqueness
A measure of how unique a particular characteristic is among individuals
Permanence
How well a particular characteristic resists change over time and with advancing age
Collectibility
Measures how easy it is to acquire a characteristic that we can later use to authenticate a user
Performance
A set of metrics (accuracy, error rates, speed) that judge how well a given system functions
Acceptability
A measure of how acceptable the particular characteristic is to the users of the system
circumvention
Describes the ease with which a system can be tricked by a falsified biometric identifier
Hardware tokens
Physical devices that generate a one-time password (something you have)
Software tokens
Applications (e.g., on a phone) that generate OTPs
one time password
Passwords that are valid only for a short time window or for a single use, so a captured one cannot be replayed
Authorization
What an authenticated user is permitted to access, modify, or delete
Principle of Least Privilege
Giving a user only the lowest level of authorization needed to perform their duties
Allowing access
Lets us give a particular party or parties access to a given resource
Denying access
Simply the opposite of granting access
Limiting access
Refers to allowing some access to our resource, but only up to a certain point
sandbox
A set of resources devoted to a program, process, or similar entity, outside of which the entity cannot operate
Revoking access
Takes access that was once allowed away from the user.
ACLs (access control lists)
The means by which we implement authorization: lists that allow or deny access to parties based on which resources we have decided they should be allowed to access
Capability-based security
Access governed by possession of an unforgeable token (a capability) that names a resource and the rights granted to it; whoever holds the token has the access, without a lookup in a central list
Read
Allows us to read the contents of a file or list a directory
Write
Allows us to change the contents of a file, or to create and delete entries in a directory
Execute
Allows us to run the file as a program, or to traverse a directory
Network ACLs
Access controlled by the identifiers we use for network transactions such as ip address, MAC address and ports
Confused deputy problem
A class of attack more common in systems that use ACLs rather than capabilities: when software (the deputy) runs with greater permissions than the user invoking it, the user can trick the software into misusing its authority on their behalf
CSRF
Cross-Site Request Forgery is an attack that causes an end user's browser to perform unwanted actions on a web application in which the user is currently authenticated. Unlike XSS, where the attacker exploits the user's trust in the website, in CSRF the attacker exploits the website's trust in the user's browser. The website sees a request carrying the user's session cookie and assumes the user made it, but the request was planted by an attacker-controlled page. It is a web instance of the confused deputy problem: the browser is the deputy whose authority (the cookie) is misused
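The following added example (my own construction, not code from the original card set or any real framework) makes the confused-deputy and CSRF cards concrete with a toy bank application. The vulnerable transfer handler authorizes on the session cookie alone, so a forged cross-site POST succeeds; the hardened handler additionally requires a per-session synchronizer token that the attacker's page cannot read. `Request`, `Bank` and `forged_request` are hypothetical stand-ins for an HTTP request, an application and an attacker's page.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (no real framework involved)."""
    method: str
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class Bank:
    """Toy application: sessions maps a cookie value to (username, csrf_token)."""

    def __init__(self):
        self.sessions = {}
        self.balances = {"alice": 100, "mallory": 0}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        # One unguessable token per session. A cross-origin page cannot read it
        # because the same-origin policy stops it from reading our responses.
        self.sessions[sid] = (user, secrets.token_urlsafe(32))
        return sid

    def csrf_token(self, sid: str) -> str:
        """Embedded in the legitimate transfer form as a hidden field."""
        return self.sessions[sid][1]

    def _transfer(self, user, to, amount):
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_vulnerable(self, req: Request) -> int:
        # Authorization rests only on the cookie, which the browser attaches to
        # ANY request to this site, including ones an attacker's page triggers.
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None or req.method != "POST":
            return 401
        self._transfer(sess[0], req.form["to"], int(req.form["amount"]))
        return 200

    def transfer_hardened(self, req: Request) -> int:
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None or req.method != "POST":
            return 401
        user, token = sess
        # Synchronizer token check: the request body must carry the per-session
        # secret. compare_digest keeps the comparison constant-time.
        if not hmac.compare_digest(req.form.get("csrf", ""), token):
            return 403
        self._transfer(user, req.form["to"], int(req.form["amount"]))
        return 200


def forged_request(victim_sid: str) -> Request:
    """What an attacker-controlled page can make the victim's browser send:
    the attacker chooses method, path and body, the browser adds the victim's
    cookie, but the attacker has no way to learn the victim's CSRF token."""
    return Request("POST", "/transfer", {"sid": victim_sid},
                   {"to": "mallory", "amount": "100"},
                   {"Origin": "https://attacker.example"})
```

The `Origin` header on the forged request is a second signal a server can check (and `SameSite` cookie attributes cut off most of this class at the browser), but the synchronizer token is the defense that works independent of browser behavior, which is why it is the one shown here.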
Clickjacking Attack
Also called a UI redress attack; typically uses an inline frame (iframe).
In a clickjacking attack, the attacker loads a trusted page in a transparent iframe positioned over a decoy page, so that clicks the user intends for the visible decoy land on hidden links, buttons, or form fields of the trusted page. The client is thereby made to execute an action different from what they think they are performing
Discretionary Access Control (DAC)
an access control model in which the subject has total control over any object that the subject owns along with the programs that are associated with those objects
Mandatory Access Control (MAC)
The most restrictive access control model, typically found in military settings where security is of supreme importance. Access is decided by system-enforced labels (classifications on objects, clearances on subjects) that the owner of a resource cannot override
Rule-Based Access Control
A model that is based off of allowing or denying access based on a set of predetermined rules
Role-Based Access Control (RBAC)
An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization
Attribute-based access control (ABAC)
Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
Multilevel Access Control
Used where the simpler access control models just discussed are not considered robust enough to protect the information being controlled. Such controls are used extensively by military and government organizations, or by those that handle very sensitive data. Multilevel security models protect a variety of data, from nuclear secrets to protected health information (PHI).
Bell-LaPadula Model
implements a combination of DAC and MAC and is primarily concerned with the confidentiality of the resource in question. Generally, in cases where we see DAC and MAC implemented together, MAC takes precedence over DAC, and DAC works within the accesses allowed by the MAC permissions.
Simple Security Property
The clearance of an individual must be at least as high as the classification of the resource for the individual to read it ("no read up")
The * property
Anyone accessing a resource can only write its contents to one classified at the same level or higher ("no write down"), so secret data cannot leak into a less-classified resource
The Biba model of access control
Primarily concerned with protecting the integrity of the data, even at the expense of confidentiality. Its rules are the mirror image of Bell-LaPadula's: its * integrity axiom says a subject may write only to resources at the same or a lower integrity level ("no write up"), so low-integrity data cannot contaminate high-integrity data
Simple integrity axiom
A subject may read a resource only if the resource's integrity level is at least as high as the subject's ("no read down"), so a trusted process does not consume untrusted input
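The Bell-LaPadula and Biba rules above are easy to mix up; the following added example (my own construction, not from the original card set) encodes both models over a four-level lattice so the read/write decisions can be checked side by side. It also implements the combination the Bell-LaPadula card describes, MAC taking precedence with DAC operating inside what MAC allows. `Level`, `RULES` and `mediate` are hypothetical names.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels; for Bell-LaPadula read them as classifications or
    clearances, for Biba as integrity levels. Higher value = higher level."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Each rule takes (subject level, object level) and returns True if allowed.
RULES = {
    "bell-lapadula": {
        "read":  lambda s, o: s >= o,   # simple security property: no read up
        "write": lambda s, o: o >= s,   # * property: no write down
    },
    "biba": {
        "read":  lambda s, o: o >= s,   # simple integrity axiom: no read down
        "write": lambda s, o: s >= o,   # * integrity axiom: no write up
    },
}


def mac_allows(model: str, subject: Level, obj: Level, op: str) -> bool:
    """Pure label check; the resource owner has no say here."""
    return RULES[model][op](subject, obj)


def mediate(model: str, subject: Level, obj: Level, op: str,
            dac_acl: dict, user: str) -> bool:
    """MAC first, then DAC: the owner-maintained ACL can only narrow access
    within what the labels already permit, never widen it."""
    if not mac_allows(model, subject, obj, op):
        return False
    return op in dac_acl.get(user, set())


def allowed_ops(model: str, subject: Level, obj: Level) -> set:
    """Which of read/write a subject at `subject` gets on an object at `obj`."""
    return {op for op in ("read", "write") if mac_allows(model, subject, obj, op)}
```

Reading the two models together: a SECRET subject under Bell-LaPadula can read CONFIDENTIAL and write TOP_SECRET but not the reverse; under Biba the arrows flip. Note that Bell-LaPadula lets a low-cleared subject write into a TOP_SECRET file it cannot read, which protects confidentiality but says nothing about integrity, which is exactly the gap Biba was designed to close.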
Brewer and Nash model
Aka Chinese Wall; an access control model designed to prevent conflicts of interest. Once a subject has accessed data belonging to one company in a conflict-of-interest class, access to competitors' data in that class is blocked. Commonly used in industries such as finance
Accountability
Provides us with the means to trace activities in our environment back to their source. Depends on identification, authentication, and access control being present, so that we know who a given transaction is associated with and what permissions were used to allow them to carry it out
Nonrepudiation
Refers to a situation in which sufficient evidence exists to prevent an individual from denying that he or she has made a statement or taken action
Deterrence
discouraging criminal acts by threatening punishment
Admissibility of records
When we seek to introduce records in legal settings, it is often much easier to do so and have them accepted when they are produced from a regulated and consistent tracking system.
Intrusion Detection System (IDS)
Performs strictly as a monitoring and alerting tool, only notifying us that an attack or undesirable activity is taking place
Intrusion Prevention System (IPS)
Can take action based on what is happening in the environment. In response to an attack over the network an ips might refuse traffic from the source of the attack
Auditing
Ensuring that we have accurate records of who did what and when. Primarily focused on compliance with relevant laws and policies, and access to and from systems and sometimes physical security
Assessments
Vulnerability and penetration testing
Vulnerability Assessment
Tools such as Nessus. They work by scanning the target systems to discover which ports are open, interrogating each open port to find out exactly which service and version is listening on it, and then comparing what they find against a database of known vulnerabilities
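To show the first two steps the card describes (find open ports, then interrogate each one to learn what is listening), here is an added example that is my own code, not Nessus or any other scanner. It runs entirely on the loopback interface: a constructed banner server stands in for a real service, and the scanner connects to a port range, records which ports accept the connection, grabs the greeting, and fingerprints it. `banner_server`, `probe`, `scan` and `identify` are hypothetical names, and the banner text is made up.

```python
import socket
import threading


def banner_server(banner: bytes):
    """Constructed stand-in for a real network service: listens on an ephemeral
    loopback port and sends `banner` to every client, like an SSH or SMTP
    greeting. Returns (listening socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket was closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_loopback_port() -> int:
    """Pick a port that is (almost certainly) closed, for testing the negative case."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe(host: str, port: int, timeout: float = 0.5) -> dict:
    """Step 1: TCP connect to see whether the port is open.
    Step 2: interrogate it by reading the service's greeting (banner grab)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except OSError:          # includes timeout: open but silent service
                banner = b""
            return {"port": port, "open": True,
                    "banner": banner.decode("latin-1").strip()}
    except OSError:                  # refused, unreachable, or timed out
        return {"port": port, "open": False, "banner": ""}


def identify(banner: str) -> str:
    """Crude service fingerprint from the greeting; real scanners go much further
    (protocol probes, version matching, then vulnerability database lookup)."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 "):
        return "smtp-or-ftp"
    if banner.startswith("HTTP/"):
        return "http"
    return "unknown"


def scan(host: str, ports) -> list:
    """Return only the open ports, each with its grabbed banner and guessed service."""
    results = []
    for p in ports:
        r = probe(host, p)
        if r["open"]:
            r["service"] = identify(r["banner"])
            results.append(r)
    return results


if __name__ == "__main__":
    srv, port = banner_server(b"SSH-2.0-OpenSSH_9.6\r\n")   # constructed banner
    print(scan("127.0.0.1", [port, free_loopback_port()]))
    srv.close()
```

Two practical notes: a banner is self-reported and can be changed or faked, so scanners corroborate it with protocol-level probes before trusting the version; and scanning a host you do not own or have written authorization to test is, in most jurisdictions, itself an offense.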
Penetration Testing
We conduct a test in which we mimic as closely as possible the techniques an actual attacker would use, to find out what a real intrusion could achieve
Cryptology
The combined study of cryptography (designing algorithms that protect messages) and cryptanalysis (breaking them)
Cryptanalysis
Breaking a cryptographic algorithm, or finding a weakness in it or its implementation, so that protected data can be recovered without the key
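As an added worked example of cryptanalysis (my own code, not from the original card set), the following breaks a Caesar shift cipher without the key by exploiting a weakness in the algorithm itself: a fixed shift preserves the uneven letter frequencies of English, so the correct shift is the one whose decryption best matches a reference frequency table (lowest chi-squared statistic). The toy cipher, the helper names and the sample message are all constructed for the example; modern ciphers are designed precisely so that no such statistical shortcut exists.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Approximate relative frequencies (%) of letters in English text, a to z.
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153,
    0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056,
    2.758, 0.978, 2.360, 0.150, 1.974, 0.074]))


def shift(text: str, key: int) -> str:
    """Caesar encryption: rotate each letter by `key` positions; other
    characters and case are preserved. Decrypt with shift(ct, -key)."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """How far the letter distribution of `text` is from English; lower is
    closer. Computed as sum((observed - expected)^2 / expected) over a..z."""
    letters = [c for c in text.lower() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = Counter(letters)
    total = 0.0
    for c in ALPHABET:
        expected = ENGLISH_FREQ[c] * n / 100.0
        total += (counts.get(c, 0) - expected) ** 2 / expected
    return total


def break_shift(ciphertext: str) -> tuple:
    """Ciphertext-only attack: try all 26 keys and keep the decryption that
    looks most like English. Returns (recovered key, plaintext)."""
    best_key = min(range(26), key=lambda k: chi_squared(shift(ciphertext, -k)))
    return best_key, shift(ciphertext, -best_key)


# Constructed sample message used for the demonstration.
SAMPLE = ("the purpose of cryptanalysis is to recover the plaintext or the key "
          "without being given either one by exploiting a weakness in the cipher "
          "such as the uneven frequency of letters in ordinary english text")

if __name__ == "__main__":
    ct = shift(SAMPLE, 7)
    print(break_shift(ct))
```

The same idea scales to a Vigenère cipher (split the ciphertext into one column per key position and run this attack on each column), which is why frequency analysis was the workhorse of cryptanalysis until key-dependent substitution was replaced by modern block and stream ciphers.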