Understanding Security Layers



Remember Points:

  • Before starting to secure an environment, a fundamental understanding of the standard concepts of security is needed. 
  • CIA (an acronym for Confidentiality, Integrity, and Availability) refers to the core goals of an information security program. 
  • Confidentiality deals with keeping information, networks, and systems secure from unauthorized access. 
  • One of the goals of a successful information security program is to ensure the integrity that the information is protected against any unauthorized or accidental changes. 
  • Availability is defined as a characteristic of a resource being accessible to a user, application, or computer system when required. 
  • Threat and risk management is the process of identifying, assessing, and prioritizing threats and risks.
  • Risk is generally defined as the probability that an event will occur. 
  • After prioritizing risks, there are four generally accepted responses to these risks: Avoidance, Acceptance, Mitigation, and Transfer. 
  • The Principle of Least Privilege is a security discipline that requires that a user, system, or application be given no more privilege than necessary to perform its function or job.
  • An attack surface consists of the set of methods and avenues an attacker can use to enter a system and potentially cause damage. The larger the attack surface of an environment, the greater the risk of a successful attack. 
  • The key to thwarting a social engineering attack is employee awareness. If employees know what to look out for, an attacker will find little success. 
  • Physical security uses a defense-in-depth or a layered security approach that controls who can physically access the resources of an organization. 
  • Physical premises can be divided into three logical areas: the external perimeter, the internal perimeter, and secure areas.
  • Computer security consists of the processes, procedures, policies, and technologies used to protect computer systems. 
  • Mobile devices and mobile storage devices are some of the largest challenges facing many security professionals today, because of their size and portability. 
  • A keylogger is a physical or logical device used to capture keystrokes. 
  • Threat modeling is a procedure for optimizing network security by identifying vulnerabilities, identifying their risks, and defining countermeasures to prevent or mitigate the effects of the threats to the system.



Select the correct answer(s) for each of the following questions. 

1. Which of the following are valid risk responses? (Choose all that apply.)

  a. Mitigation
  b. Transfer
  c. Investment
  d. Avoidance

(a), (b), (d)

As a risk manager, you'll be responsible for managing the risk to an organization, its employees, customers, reputation, assets, and interests of stakeholders. You'll identify and assess threats to an organization, put plans in place for if things go wrong, and decide how to avoid, reduce or transfer risk.



2. Which of the following are considered removable devices or drives? (Choose all that apply.)

  a. iPod
  b. Netbook
  c. USB flash drive
  d. Burnable DVD drive

(a), (c), (d)

Removable media is any type of storage device that can be removed from a computer while the system is running. Examples of removable media include CDs, DVDs, and Blu-ray disks, as well as diskettes and USB drives. Removable media makes it easy for a user to move data from one computer to another.



3. Which of the following would be considered appropriate security measures for a building’s external security perimeter? (Choose all that apply.)

  a. Motion detector
  b. Parking lot lights
  c. Turnstile
  d. Guard patrols

(b), (d)



4. When traveling on business and headed out to dinner with a client, which of the following should be done to secure a laptop? (Choose the best answer.)

  a. Lock it in the car trunk.
  b. Store it out of sight in a dresser drawer.
  c. Secure it to a piece of furniture with a laptop security cable.
  d. Check it at the front desk.

(a)



5. Which of the following refers to the process of eliminating risk by choosing to not engage in an action or activity?

  a. Mitigation
  b. Residual risk
  c. Avoidance
  d. Acceptance

(c)

Risk avoidance: deciding not to go ahead with an activity that is likely to generate risk. Risk transfer: arranging for another party (for example, an insurer) to bear part or all of the risk, or sharing the risk with another party or parties.



6. Which of the following technologies could be used to help ensure the confidentiality of proprietary manufacturing techniques for the auto parts manufacturing business? (Choose all that apply.)

  a. Strong encryption
  b. Guard patrols
  c. A laptop safe
  d. Strong authentication

(a), (d)

Confidentiality deals with keeping information, networks, and systems secure from unauthorized access.



7. The information security acronym CIA stands for which of the following?

  a. Confidentiality, Identity, Access Control
  b. Confidentiality, Integrity, Access Control
  c. Confidentiality, Integrity, Availability
  d. Control, Identity, Access Control

(c)

CIA (an acronym for Confidentiality, Integrity, and Availability) refers to the core goals of an information security program.



8. Which of the following statements best describes the concept of core security principles?

  a. Core security principles refer to the internal security perimeter when setting up a layered physical security environment.
  b. Core security principles refer to the principles of confidentiality, availability, and integrity.
  c. Core security principles refer to leveraging security best practices.
  d. Core security principles refer to the four methods of addressing risk.

(b)

The fundamental principles (tenets) of information security are confidentiality, integrity, and availability. Every element of an information security program (and every security control put in place by an entity) should be designed to achieve one or more of these principles. Together, they are called the CIA Triad.




9. As the Chief Security Officer for a small medical records processing company, you have just finished setting up the physical security for your new office. You have made sure that the parking lot is illuminated, that you have guards at the door as well as doing periodic patrols, and you have badge readers throughout the building at key locations. You also have put biometric access technology on the data center door. And of course, you have cameras in the parking lot, building entrances, and the data center entrances. This type of implementation is known as: (Choose the best answer.)

  a. Access control
  b. Core security principles
  c. Security best practices
  d. Defense in depth

(d)



10. Which of the following refers to the process of disabling unneeded services and ports to make the system more secure?

  a. Reducing the attack surface area
  b. Mitigating a Trojan horse
  c. Security avoidance
  d. Defense in depth

(a)



11. Which type of network traffic originates from outside the network routers and proceeds toward a destination inside the network?

  a. Ingress
  b. Egress
  c. Traverse
  d. Encrypted

(a)

Ingress traffic is network traffic that originates from outside of the network's routers and proceeds toward a destination inside of the network.



12. Which characteristic of a business resource ensures that access is restricted to only permitted users, applications, or computer systems?

  a. Confidentiality
  b. Availability
  c. Integrity
  d. Access control

(a)

The business world defines confidentiality as the characteristic of a resource that ensures access is restricted only to permitted users, applications, or computer systems.



13. If a user is deploying technologies to restrict access to a resource, they are practicing which security principle?

  a. Confidentiality
  b. Integrity
  c. Availability
  d. Access control

(d)

The fundamental principles (tenets) of information security are confidentiality, integrity, and availability. Every element of an information security program (and every security control put in place by an entity) should be designed to achieve one or more of these principles.



14. An action or occurrence that could result in a security breach, an outage, or corruption of a system by exploiting known or unknown vulnerabilities is a(n) what?

  a. Threat
  b. Risk
  c. Integrity
  d. Availability

(a)

A security breach is any incident that results in unauthorized access to computer data, applications, networks, or devices. It results in information being accessed without authorization. Typically, it occurs when an intruder is able to bypass security mechanisms.




15. A risk manager for a medium-sized pharmaceutical company who is asked to perform a formal risk analysis would most likely record the results of the risk assessment in a(n) what?

  a. Risk assessment
  b. Risk register
  c. Threat model
  d. Risk response

(b)

Cyber risk management is the process of identifying, analyzing, evaluating, and addressing your organization's cyber security threats. The first part of any cyber risk management program is a cyber risk assessment.



16. What is a method used to gain access to data, systems, or networks, primarily through misrepresentation?

  a. Integrity
  b. Brute force
  c. Social engineering
  d. Residual risk

(c)

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.



17. The consistency, accuracy, and validity of data or information are called what?

  a. Confidentiality
  b. Integrity
  c. Availability
  d. Access control

(b)

Integrity is the consistency, accuracy, and validity of data or information.




18. A business traveler notices that there is an extra connector between the keyboard and the computer in a business center. She has most likely encountered a(n) what?

  a. Malware
  b. Trojan horse
  c. Keylogger
  d. Jack the Ripper

(c)

Keyloggers capture keystrokes to give an attacker access to personal data: the passwords and credit card numbers you type, the web pages you visit. A software keylogger is installed on the computer and records everything typed; a hardware keylogger, like the extra connector in this question, sits inline between the keyboard and the computer.



19. Which term refers to the risk of an event that remains after measures have been taken to reduce the likelihood or minimize the effect of the event?

  a. Risk mitigation
  b. Risk avoidance
  c. Risk transfer
  d. Residual risk

(d)

Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made.

Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business.

Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization and its assets. Whereas risk management aims to control the damages and financial consequences of threatening events, risk avoidance seeks to avoid compromising events entirely.

Risk transfer is a risk management and control strategy that involves the contractual shifting of a pure risk from one party to another. One example is the purchase of an insurance policy, by which a specified risk of loss is passed from the policyholder to the insurer.



20. Implementing security measures must always be balanced with what?

  a. Confidentiality
  b. Integrity
  c. Cost
  d. Availability

(c)

Establish a range of security controls to protect assets residing on systems and networks. Consider the use of access controls on your network and the use of data encryption technologies (including VPNs) as required. Use removable storage media for critical data so that it can be physically secured.

