Fundamentals of Information Security

Last updated 4:45 AM on 6/30/26
70 Terms

1. What is the purpose of authorization in data security?
Controlling access to resources

2. What is the goal of ensuring integrity in data security?
Ensuring data is not altered, or that any unauthorized alteration is detected

3. What is an example of an availability failure in data security?
Interruption of access to website services

4. How can encryption contribute to maintaining confidentiality in data security?
By making data unreadable to anyone without the decryption key, so it stays secret even if an unauthorized party intercepts or copies it

5. Which example shows authentication in data security?
Entering a username and password when logging into an online banking site

6. What does non-repudiation mean in data security?
Preventing a party from plausibly denying an action they performed, typically by tying actions to them with digital signatures and tamper-evident audit trails

7. How does multi-factor authentication (MFA) improve security?
By requiring multiple forms of verification for access to resources, drawn from different categories (something you know, something you have, something you are), so a stolen password alone is not enough to log in

8. Which attack surface is targeted by exploiting vulnerabilities in web applications?
Software attack surface

9. What is an example of an insider threat?
An employee accidentally sharing sensitive information

10. What is the purpose of a worm in cybersecurity?
To replicate itself and spread to other computers over the network without needing a host program or any user action

11. What is the purpose of log monitoring in data security?
To analyze system and application logs for suspicious activity so that attacks are detected and can be investigated
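The card above says what log monitoring is for; this added example (not from the original card set) shows what one such rule looks like in practice: a sliding-window brute-force detector run over constructed sshd-style log lines. The log lines, host name and addresses are made up for the example; the threshold and window values are arbitrary starting points a team would tune.

```python
# Added example for this card, not from the original set: a small
# log-monitoring rule run over constructed sshd-style log lines.  It flags a
# source address that fails authentication `threshold` times inside a sliding
# window, and escalates if that address then logs in successfully.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log; the addresses are from documentation ranges.
SAMPLE_LOG = """\
Jan 12 10:00:01 bastion sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Jan 12 10:00:03 bastion sshd[1002]: Failed password for root from 203.0.113.5 port 50002 ssh2
Jan 12 10:00:04 bastion sshd[1003]: Failed password for root from 203.0.113.5 port 50003 ssh2
Jan 12 10:00:06 bastion sshd[1004]: Failed password for root from 203.0.113.5 port 50004 ssh2
Jan 12 10:00:07 bastion sshd[1005]: Failed password for root from 203.0.113.5 port 50005 ssh2
Jan 12 10:00:09 bastion sshd[1006]: Accepted password for root from 203.0.113.5 port 50006 ssh2
Jan 12 10:05:00 bastion sshd[1007]: Failed password for alice from 198.51.100.7 port 60001 ssh2
Jan 12 10:05:30 bastion sshd[1008]: Accepted publickey for alice from 198.51.100.7 port 60002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str):
    """Return {ts, result, user, ip} for an auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; fine for computing deltas within one file.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Sliding-window failure counter per source IP.  Emits one 'brute_force'
    alert when an IP reaches `threshold` failures inside the window, and a
    'success_after_brute_force' alert if a flagged IP later authenticates."""
    failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "count": len(q), "at": ts})
        elif ip in flagged:
            alerts.append({"type": "success_after_brute_force", "ip": ip,
                           "user": ev["user"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures followed by an accepted login from the same address is the signature of a successful password guess, whereas the single failure from the second address is ordinary user error.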

12. What is a mitigation strategy for insider threats?
Monitoring employee activities

13. What is the purpose of an incident response plan?
To outline the steps to take before, during, and after a data breach or other security incident

14. What is the primary purpose of a firewall in a network security context?
To monitor and filter incoming and outgoing network traffic according to a defined set of rules

15. What is the purpose of role-based access control (RBAC)?
To restrict privileges based on a user's role in the organization

16. Which example illustrates a requirement under the Federal Information Security Modernization Act (FISMA)?
A federal agency implements continuous monitoring of its information systems.

17. A retail store wants to comply with the Payment Card Industry Data Security Standard (PCI DSS). What will PCI DSS help this store achieve?
Secure customers' payment card data

18. What is a core function of the NIST Cybersecurity Framework?
To help organizations understand their security risks

19. A hospital follows the National Institute of Standards and Technology (NIST) Cybersecurity Framework guidelines by conducting a comprehensive risk assessment to inventory its medical devices and patient records, identifying vulnerabilities that could lead to data breaches or unauthorized access. Which function of the NIST Cybersecurity Framework does this represent?
Identify

20. How does a cryptographic hash contribute to the security of a Blockchain network?
It makes tampering detectable: each block's hash covers its own contents and the previous block's hash, so altering any block changes its hash and breaks the chain that follows it.
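The following is an added example, not from the original card set: a toy hash chain in Python that shows the mechanism the card describes, including the two attacker behaviours a verifier must catch (editing a block, and editing it while recomputing its own hash). The ledger entries are constructed; the block layout is a simplification and not any real blockchain's format.

```python
# Added example for this card, not from the original set: a toy hash chain
# (the integrity mechanism a blockchain is built on).  Each block's hash
# covers its own data and the previous block's hash, so editing any block
# invalidates every block after it.
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64

# Constructed ledger entries used as block data.
SAMPLE_LEDGER = ["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"]


def block_hash(index: int, prev_hash: str, data: str) -> str:
    """SHA-256 over a canonical JSON encoding so the same fields always hash
    identically regardless of dict ordering."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(records):
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if intact.
    A block is inconsistent if its stored hash no longer matches its contents
    or its `prev` field does not equal the preceding block's hash."""
    expected_prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != expected_prev:
            return block["index"]
        if block_hash(block["index"], block["prev"], block["data"]) != block["hash"]:
            return block["index"]
        expected_prev = block["hash"]
    return None


def tamper(chain, index: int, new_data: str):
    """Attacker edits one block's data but leaves the hashes alone."""
    forged = copy.deepcopy(chain)
    forged[index]["data"] = new_data
    return forged


def tamper_and_rehash(chain, index: int, new_data: str):
    """Smarter attacker: edits the data and recomputes that block's own hash.
    The next block's `prev` still points at the old hash, so the chain breaks
    one block later, unless the edited block is the last one."""
    forged = tamper(chain, index, new_data)
    b = forged[index]
    b["hash"] = block_hash(b["index"], b["prev"], b["data"])
    return forged


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LEDGER)
    print("intact:", verify_chain(chain))
    print("edited block 1:", verify_chain(tamper(chain, 1, "bob pays carol 200")))
    print("edited+rehashed block 1:", verify_chain(tamper_and_rehash(chain, 1, "bob pays carol 200")))
    print("edited+rehashed last block:", verify_chain(tamper_and_rehash(chain, 2, "carol pays dave 100")))
```

The last case is the caveat: a hash chain only proves that nothing before the current tip was altered. Whoever can rewrite the tip (and everything after it) is not detected by hashing alone, which is why real networks add distributed consensus, or anchor the tip hash somewhere the attacker cannot reach, on top of the chain.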

21. How does modularity affect the maintenance of software security over time?
Modularity allows for targeted updates and fixes.

22. Which technique involves replacing sensitive data with a non-sensitive equivalent that can be used for development and testing purposes?
Tokenization

23. Which practice involves attaching a digital certificate to software to verify its authenticity and ensure it has not been tampered with?
Code signing. The publisher signs a hash of the software with its private key and ships the signature together with a certificate, so recipients can verify both who published it and that it has not changed since signing.

24. Which technique is used to verify the integrity of data in software security?
Checksums. Plain checksums only detect accidental corruption; detecting deliberate tampering needs a cryptographic hash obtained over a trusted channel, a keyed MAC, or a digital signature.

25. A company wants to ensure the integrity of files transferred over a network. What should the company do to achieve this goal?
Use checksums for file uploads, comparing the value computed after transfer with the one published by the sender. Against an attacker who can alter the file in transit, an unkeyed checksum is not enough, because the attacker can recompute it; use a keyed MAC or a digital signature instead.
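This added example (not from the original card set) serves cards 24 and 25 together: it checks a transferred file with a CRC-32 checksum and with an HMAC, then shows why the checksum catches a flipped bit but not an attacker who rewrites the file and its checksum. The file contents and the shared key are constructed for the example.

```python
# Added example for cards 24 and 25, not from the original set: verifying a
# transferred file with a plain checksum versus a keyed MAC.  A CRC catches
# accidental corruption, but anyone who can alter the file can recompute the
# CRC; an HMAC can only be recomputed by someone holding the shared key.
import hashlib
import hmac
import zlib

# Constructed sample file and shared key (a real key is random and secret).
SAMPLE_FILE = b"total=1250.00;account=12345;approved=yes\n"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def crc32_checksum(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receive_with_checksum(data: bytes, checksum: int) -> bool:
    """Receiver trusts a checksum that travelled alongside the data."""
    return crc32_checksum(data) == checksum


def receive_with_hmac(key: bytes, data: bytes, tag: str) -> bool:
    """Receiver recomputes the tag with the shared key; constant-time compare."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error: flip one bit."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def attacker_rewrites(data: bytes) -> bytes:
    """Simulate an on-path attacker who can read and modify the transfer."""
    return data.replace(b"approved=yes", b"approved=no ")


if __name__ == "__main__":
    crc, tag = crc32_checksum(SAMPLE_FILE), hmac_tag(SHARED_KEY, SAMPLE_FILE)
    forged = attacker_rewrites(SAMPLE_FILE)
    print("bit flip caught by CRC:", not receive_with_checksum(flip_bit(SAMPLE_FILE, 37), crc))
    print("forgery with recomputed CRC accepted:", receive_with_checksum(forged, crc32_checksum(forged)))
    print("forgery accepted by HMAC check:", receive_with_hmac(SHARED_KEY, forged, tag))
```

An unkeyed SHA-256 digest has the same weakness as the CRC if the digest travels with the file: it is only useful when the receiver gets it over a channel the attacker cannot write to (a signed release page, a package repository's signed index). The HMAC removes that dependency at the cost of a pre-shared key.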

26. An attacker inputs malicious code into a website's search bar, causing the database to execute unintended commands. Which type of software security threat did the attacker use?
Structured Query Language (SQL) injection
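The following is an added example, not from the original card set: the search-bar injection the card describes, run against an in-memory SQLite database, beside the parameterised query that stops it. The table, rows and attack string are constructed for the example.

```python
# Added example for this card, not from the original set: the search-bar
# injection described above against an in-memory SQLite database, next to the
# parameterised query that prevents it.  Table and rows are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [
        ("widget", 1),
        ("gadget", 1),
        ("unreleased gadget", 0),   # must never be visible to searchers
    ])
    return conn


def search_vulnerable(conn, term: str):
    """String concatenation: the user's text becomes part of the SQL grammar."""
    sql = ("SELECT name FROM products "
           f"WHERE name LIKE '%{term}%' AND published = 1 ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term: str):
    """Bound parameter: the driver passes the text as data, never as SQL.
    LIKE wildcards in user input are escaped too, so '%' or '_' typed by the
    user match literally instead of widening the search."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT name FROM products "
           "WHERE name LIKE ? ESCAPE '\\' AND published = 1 ORDER BY name")
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]


# Closes the quoted pattern, ORs in a tautology, and comments out the
# `AND published = 1` filter that was supposed to hide unreleased rows.
ATTACK = "%' OR 1=1 --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal term :", search_vulnerable(conn, "gadget"))
    print("vulnerable, attack      :", search_vulnerable(conn, ATTACK))
    print("parameterised, attack   :", search_safe(conn, ATTACK))
```

The attack here only bypasses a filter; with other drivers and query shapes the same technique reads other tables or modifies data. The fix is the same in every case: never build SQL from user input, bind it as a parameter.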

27. An attacker manipulates record files to cover their tracks after a successful breach. Which weakness allows the attacker to perform this action?
Insufficient logging and monitoring (logs kept only on the compromised host, writable by it, and not forwarded or reviewed)

28. A software development team decides to use a cloud service for data storage, but before doing so, they conduct a thorough security assessment to ensure the service meets their organization's security standards. Post-integration, the team continuously uses tools to track any emerging vulnerabilities or changes in the cloud service, ensuring ongoing compliance with their organization's security policies. Which software security best practice does the software development team demonstrate in this situation?
Vetting and monitoring third-party components

29. How does fuzz testing help to identify potential security vulnerabilities in software?
It feeds large volumes of malformed, random, or unexpected input to an application and watches for crashes, hangs, and other misbehaviour that point to exploitable bugs.
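This added example (not from the original card set) is a minimal mutation fuzzer aimed at a constructed record parser. The parser and its record format are made up for the example; the point is that the buggy version passes on every well-formed record yet crashes on inputs the fuzzer generates in seconds, while the hardened version rejects them cleanly.

```python
# Added example for this card, not from the original set: a minimal mutation
# fuzzer aimed at a constructed record parser.  The buggy parser trusts a
# length field; the fuzzer finds the crash the unit tests for well-formed
# input never would, and the hardened parser survives the same inputs.
import random

# Record format (constructed for this example): [len][payload...][checksum]
# where checksum = sum(payload) mod 256.


def encode_record(payload: bytes) -> bytes:
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def parse_record_buggy(data: bytes) -> bytes:
    """Trusts the length byte: on a truncated or mis-lengthed input the
    checksum lookup indexes past the end (IndexError here; an out-of-bounds
    read in C)."""
    length = data[0]
    payload = data[1:1 + length]
    if data[1 + length] != sum(payload) % 256:
        raise ValueError("bad checksum")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Validates the framing before using the length byte as an index."""
    if len(data) < 2:
        raise ValueError("too short")
    length = data[0]
    if len(data) != length + 2:
        raise ValueError("length field does not match input size")
    payload = data[1:1 + length]
    if data[1 + length] != sum(payload) % 256:
        raise ValueError("bad checksum")
    return payload


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random structural mutation of a valid seed input."""
    b = bytearray(data)
    op = rng.choice(["flip_bit", "truncate", "extend", "set_length"])
    if op == "flip_bit":
        i = rng.randrange(len(b))
        b[i] ^= 1 << rng.randrange(8)
    elif op == "truncate" and len(b) > 1:
        del b[rng.randrange(1, len(b)):]
    elif op == "extend":
        b += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    elif op == "set_length":
        b[0] = rng.randrange(256)
    return bytes(b)


def fuzz(parser, seed: int = 1, iterations: int = 500):
    """Feed mutated inputs to `parser`.  ValueError is the parser correctly
    rejecting bad input; any other exception is a crash worth a bug report.
    Returns the distinct (input, exception type) pairs found."""
    rng = random.Random(seed)
    seed_input = encode_record(b"hello")
    crashes = set()
    for _ in range(iterations):
        sample = mutate(rng, seed_input)
        try:
            parser(sample)
        except ValueError:
            pass
        except Exception as exc:
            crashes.add((sample, type(exc).__name__))
    return sorted(crashes)


if __name__ == "__main__":
    for parser in (parse_record_buggy, parse_record_fixed):
        found = fuzz(parser)
        print(f"{parser.__name__}: {len(found)} distinct crashing inputs")
```

Production fuzzers (AFL++, libFuzzer, and the like) add coverage feedback so mutations that reach new code are kept and mutated further, but the loop is the same: mutate, run, classify the outcome, keep the inputs that misbehave.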

30. Why are peer reviews important in software and component security?
Peer reviews help identify bugs and vulnerabilities in code that may be missed by the original developer.

31. What is an automated method for enhancing code security and quality without having to run the code?
Static analysis tools

32. What can the Common Weakness Enumeration (CWE) help organizations do to improve security?
Identify and address the common classes of software weakness that lead to vulnerabilities

33. Which standard, titled the Secure Software Development Framework (SSDF), provides guidelines and best practices for incorporating security throughout the software development lifecycle?
National Institute of Standards and Technology Special Publication (NIST SP) 800-218

34. Which resource is a set of guidelines for security and privacy controls for federal information systems and organizations?
National Institute of Standards and Technology Special Publication (NIST SP) 800-53

35. How is cloud security affected by configuration of microservices?
Improper configuration of microservices can lead to unauthorized access to sensitive data.

36. A company that has employees working remotely wants its remote employees to securely access internal resources, like databases and applications, as if they were on the local network, without compromising security. What should this company use for this purpose?
An Internet Protocol Security (IPsec) VPN

37. How does a signature-based intrusion detection system protect networks?
By comparing network traffic against known threat patterns

38. How can a company protect against unauthorized access to network communications?
Using secure network protocols (for example TLS, SSH, and IPsec) that authenticate the endpoints and encrypt the traffic

39. What does rate limiting help prevent?
Network congestion and resource exhaustion caused by excessive requests from a single client or source, such as floods and brute-force attempts

40. Why is it important to implement redundant systems?
To support continuous service availability during an attack

41. What is the purpose of Address Resolution Protocol (ARP) spoofing?
To intercept and manipulate network traffic on a local network by sending forged ARP replies that associate the attacker's MAC address with another host's IP address (commonly the gateway), so that traffic meant for that host is delivered to the attacker
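The following is an added example, not from the original card set: a detector for the two observable symptoms of the attack described above, run over constructed ARP reply observations. The addresses and MACs are made up; in a real deployment the observations would come from a packet capture on a span port.

```python
# Added example for this card, not from the original set: spotting ARP
# spoofing from observed ARP replies.  ARP has no authentication, so an
# attacker on the LAN can answer "who has 192.168.1.1?" with its own MAC and
# sit between victims and the gateway.  Two observable symptoms are an IP
# whose MAC suddenly changes and one MAC claiming several IPs.
from collections import defaultdict

# Constructed ARP reply observations: (time, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    ("10:00:00", "192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway
    ("10:00:05", "192.168.1.20", "aa:bb:cc:00:00:20"),   # victim workstation
    ("10:00:10", "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("10:00:12", "192.168.1.1",  "de:ad:be:ef:00:99"),   # attacker claims the gateway IP
    ("10:00:13", "192.168.1.20", "de:ad:be:ef:00:99"),   # ... and the victim's IP
]


def detect_arp_spoofing(replies, known_bindings=None):
    """Return alerts as (time, kind, details...).  `known_bindings` is an
    optional static IP->MAC map for hosts that must never change (gateway,
    servers); other bindings are learned from the first reply seen."""
    bindings = dict(known_bindings or {})
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        if ip in bindings and bindings[ip] != mac:
            alerts.append((ts, "ip_mac_changed", ip, bindings[ip], mac))
        else:
            bindings.setdefault(ip, mac)
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append((ts, "mac_claims_multiple_ips", mac, tuple(sorted(ips_per_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

Learning bindings from the first reply is itself a weakness (an attacker who answers first is trusted), which is why the gateway and servers belong in the static map. Hosts that legitimately hold several addresses and DHCP churn produce false positives; the durable fix on managed switches is Dynamic ARP Inspection or static ARP entries for critical hosts.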

42. How can IP spoofing attacks be prevented?
By filtering packets whose source address is not valid for the interface they arrive on (ingress and egress filtering) and by analyzing network traffic for inconsistencies

43. A manufacturing company performs a thorough vulnerability scan and discovers that its legacy systems are vulnerable, leading them to invest in modern solutions and implement multi-factor authentication to protect sensitive operational data. Which network security best practice does this company demonstrate?
Risk mitigation

44. What is a proactive measure to protect against distributed denial-of-service (DDoS) attacks?
Implementing rate limiting
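Cards 39 and 44 both point at rate limiting; this added example (not from the original card set) shows the algorithm most limiters use, a token bucket, applied per client address and replayed over constructed traffic that mixes one flooding source with one normal user. The capacity and refill rate are arbitrary values for the demo.

```python
# Added example for cards 39 and 44, not from the original set: a token-bucket
# rate limiter applied per client address, run over constructed traffic that
# mixes one flooding source with one normal user.
from collections import defaultdict


class TokenBucket:
    """Holds up to `capacity` tokens, refilled at `rate` tokens per second.
    Each request spends one token; when the bucket is empty the request is
    rejected.  Capacity sets the burst allowed, rate the sustained average."""

    def __init__(self, capacity: float, rate: float):
        self.capacity = capacity
        self.rate = rate
        self.tokens = capacity
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerClientLimiter:
    """One bucket per client key (here the source IP)."""

    def __init__(self, capacity: float, rate: float):
        self.capacity, self.rate = capacity, rate
        self.buckets = {}

    def allow(self, client: str, now: float) -> bool:
        bucket = self.buckets.setdefault(client, TokenBucket(self.capacity, self.rate))
        return bucket.allow(now)


# Constructed traffic: (timestamp in seconds, client IP).
SAMPLE_TRAFFIC = (
    [(i * 0.05, "203.0.113.9") for i in range(20)]         # 20 requests in one second
    + [(0.0, "198.51.100.2"), (2.0, "198.51.100.2"), (4.0, "198.51.100.2")]
)


def simulate(requests, capacity: float = 5, rate: float = 1.0):
    """Replay requests in time order; return {client: (allowed, rejected)}."""
    limiter = PerClientLimiter(capacity, rate)
    counts = defaultdict(lambda: [0, 0])
    for now, client in sorted(requests):
        counts[client][0 if limiter.allow(client, now) else 1] += 1
    return {client: tuple(c) for client, c in counts.items()}


if __name__ == "__main__":
    for client, (ok, dropped) in simulate(SAMPLE_TRAFFIC).items():
        print(f"{client}: {ok} allowed, {dropped} rejected")
```

Per-source limiting is a sound first layer against a single abusive client and against brute forcing, but a distributed flood spreads its requests over thousands of sources that each stay under the limit; absorbing that needs capacity upstream (CDN or scrubbing service) in addition to limits at the application.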

45. A software company ensures that developers are only able to view and make changes to the code repositories required for their projects to minimize the risk of accidental changes or data leaks. Which network security best practice does this software company demonstrate?
Access controls

46. A tech startup develops a comprehensive strategy that includes scenario-based drills, ensuring that all employees understand their roles and responsibilities, which enables them to quickly contain a ransomware attack and minimize downtime. Which network security best practice does this startup demonstrate?
Incident response planning

47. Which standard helps organizations to establish, implement, maintain, and continually improve an information security management system?
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001

48. A corporation is implementing Internet Protocol Security (IPsec) VPNs for secure remote access to protect confidential communications. Which standard can the corporation use for guidance to ensure the VPNs are properly configured and encrypted?
National Institute of Standards and Technology Special Publication (NIST SP) 800-77

49. What is a key aspect of National Institute of Standards and Technology Special Publication (NIST SP) 800-53?
Security and privacy controls for information systems

50. What is a common vulnerability found in many internet of things (IoT) devices?
They often have hardcoded passwords.

51. A cybercriminal impersonated the Chief Executive Officer (CEO) of a company in an email to the company's Chief Financial Officer (CFO), requesting an urgent fund transfer for a supposed business deal. The CFO complied, and the company lost millions of dollars. Which type of security breach is described in this example?
Whaling

52. How can organizations protect against whaling attacks?
By using email authentication mechanisms (SPF, DKIM, and DMARC) to reject forged sender addresses, combined with executive awareness training and an out-of-band verification step for any unusual payment or data request

53. What is smishing in information security?
A social engineering attack that uses fraudulent text messages

54. What is the goal of pretexting in a cyber attack?
Deceiving a target into exposing confidential information

55. What is an example of a corporate espionage agent?
A competitor's employee steals trade secrets from a company.

56. An outsider posing as a delivery person carrying a large package convinces an employee to hold open the door of a restricted area for them to enter and gain access to confidential information. Which type of security breach is described in this example?
Piggybacking

57. How does the identification phase in an incident response plan (IRP) help in responding to security incidents?
By determining the nature and scope of an incident

58. What is an example of a technical control in cybersecurity risk mitigation?
Multi-factor authentication

59. Which component of a cybersecurity policy provides a plan for identifying, containing, and mitigating security breaches?
Incident response

60. This is an excerpt from an organization's cybersecurity policy: "Employees are required to use strong passwords and are prohibited from sharing their login credentials with others. Additionally, employees must lock their computers when leaving their desks and report any lost or stolen devices immediately to the IT department." Which component of a cybersecurity policy does this excerpt illustrate?
User responsibilities

61. An organization conducts regular training sessions for employees to educate them about cybersecurity best practices and how to recognize potential threats. In which phase of the security lifecycle does this risk management activity occur?
Protect

62. An organization's security team conducts a forensic analysis to understand the scope and impact of a security incident and to gather evidence for potential legal action. In which phase of the security lifecycle does this risk management activity occur?
Respond

63. Which law is primarily concerned with the protection of electronic communications from unauthorized access and interception?
Electronic Communications Privacy Act (ECPA)

64. What is the intended effect of the Family Educational Rights and Privacy Act (FERPA) on society?
To enhance trust in educational institutions by safeguarding student privacy

65. How does the Computer Fraud and Abuse Act (CFAA) address societal needs and problems?
By deterring cybercrime with legal repercussions for unauthorized access

66. What is the intended effect of the Sarbanes-Oxley Act (SOX) on society?
To foster investor confidence by enhancing corporate responsibility and transparency

67. A university implemented new procedures to ensure that student records are only accessible to authorized personnel to comply with a law. Which law is most applicable to this example?
Family Educational Rights and Privacy Act (FERPA)

68. Which data security law requires companies to establish and maintain internal controls to prevent fraud and protect investors?
Sarbanes-Oxley Act (SOX)

69. Which data security law regulates the collection and use of personal financial information?
Gramm-Leach-Bliley Act (GLBA)

70. Which data protection law applies to any organization that processes the personal data of individuals within the European Union, regardless of where the organization is based?
General Data Protection Regulation (GDPR)