64 Cards in this Set


What is a security incident?

An adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of an organization's information technology systems and data. Security controls attempt to prevent or limit the impact of a security incident.

What are the 3 common control implementation methods?

1. Technical (controls use technology)
2. Management (controls use administrative or management methods)
3. Operational (controls are implemented by people in day-to-day operations)

What is a technical control?

A technical control is one that uses technology to reduce vulnerabilities. An administrator installs and configures a technical control, and the technical control then provides the protection automatically.

Examples include encryption, antivirus software, intrusion detection systems, firewalls, least privilege, etc.

What is Least Privilege?

The principle of least privilege specifies that individuals or processes are granted only the privileges they need to perform their assigned tasks or functions, but no more. Privileges are a combination of rights and permissions.

What do management controls use to reduce and manage risk?

Planning and assessment methods. Many provide an ongoing review of an organization's risk management capabilities.

Risk assessments, vulnerability assessments and penetration tests are all examples of which type of control implementation method?

Management controls.

What is a vulnerability assessment?

A vulnerability assessment attempts to discover current vulnerabilities or weaknesses. When necessary, an organization implements additional controls to reduce the risk from these vulnerabilities.

What are 5 examples of operational controls?

1. Awareness and training
2. Configuration and change management
3. Contingency planning
4. Media protection
5. Physical and environmental protection

Why is awareness and training such an important operational control?

The importance of training to reduce risk cannot be overstated. Training helps users maintain password security, follow a clean desk policy, understand threats such as phishing and malware, and much more.

What are the 5 control goals in relationship to security incidents?

1. Preventive controls
2. Detective controls
3. Corrective controls
4. Deterrent controls
5. Compensating controls

What is the main goal of preventive controls?

To prevent an incident from occurring.

What is the main goal of detective controls?

To attempt to detect incidents after they have occurred.

What is the main goal of corrective controls?

To attempt to reverse the impact of an incident.

What is the main goal of deterrent controls?

To attempt to discourage individuals from causing an incident.

What is a compensating control?

An alternative control used when a primary control is not feasible.

What is hardening?

Hardening is the practice of making a system or application more secure than its default configuration. This includes disabling unneeded services and protocols, protecting management interfaces and applications, protecting passwords, and disabling unnecessary accounts. It is a preventive control.

Why is security awareness and training so important?

It ensures that users are aware of security vulnerabilities and threats, which prevents incidents. When users understand how social engineers operate, they are less likely to be tricked. Security awareness and training is a preventive control.

T/F Change management is an operational and preventive control.

True. Change management ensures that changes don't result in unintended outages. Instead of administrators making changes on the fly, they submit the change to a change management process. It is an operational control, which attempts to prevent incidents.

What is an account disablement policy?

An account disablement policy ensures that user accounts are disabled when an employee leaves. This prevents anyone, including ex-employees, from continuing to use these accounts.

T/F Detective controls discover an event before it actually occurs.

False. Detective controls discover the event after it has already occurred.

Log monitoring, trend analysis, security audits, video surveillance and motion detection are all examples of which type of control?

Detective control

What is the goal of corrective controls?

Corrective controls attempt to reverse the impact of an incident or problem after it has occurred. Examples include an active IDS, and backups and system recovery.

What is an Active IDS?

Active intrusion detection systems (IDS) attempt to detect attacks and then modify the environment to block the attack from continuing.

How do backups and system recoveries act as corrective controls?

Backups ensure that personnel can recover data if it is lost or corrupted. Similarly, system recovery procedures ensure administrators can recover a system after a failure.

What are deterrent controls?

Deterrent controls attempt to discourage a threat. Some deterrent controls attempt to discourage potential attackers from attacking, and others attempt to discourage employees from violating a security policy. You can often describe many deterrent controls as preventive controls.

What are 2 examples of physical security controls that deter threats?

1. Cable lock - Securing laptops to furniture with a cable lock deters thieves from stealing the laptops.
2. Hardware locks - Other locks, such as locked doors securing a wiring closet or a server room, also deter attacks. Many server bay cabinets also include locking cabinet doors.

What is a physical security control?

It is something you can physically touch, such as a hardware lock, a fence, an identification badge, or a security camera. Physical security access controls attempt to control entry and exit, and organizations commonly implement different controls at different boundaries.

What is an example of a physical security control that is implemented around the perimeter?

Military bases and many other organizations erect a fence around the entire perimeter. They often post security guards at gates to control access. In some cases, organizations install barricades to block vehicles.

What is an example of a physical security control that is implemented within the building?

Buildings commonly have additional controls for both safety and security. Guards and locked doors restrict entry so only authorized personnel enter. Many buildings include lighting and video cameras to monitor the entrances and exits.

T/F Access points to data centers and server rooms should be limited to a single entrance and exit whenever possible.

True.

What is a door access system?

A door access system is one that only opens after some access control mechanism is used. Some common door access controls are cipher locks, proximity cards, and biometrics. In the event of a fire, door access systems should allow personnel to exit the building without any form of authentication.

What are cipher locks?

Cipher locks require users to enter a code to gain access. It's important to provide training to users on the importance of keeping the code secure. This includes not giving it out to others and preventing shoulder surfers from seeing the code when users enter it. Cipher locks do not identify users.

What are proximity cards?

Proximity cards are small credit card-sized cards that activate when they are in close proximity to a card reader. Many organizations use these for access points, such as the entry to a building or the entry to a controlled area within a building. The door uses an electronic lock that only unlocks when the user passes the proximity card in front of a card reader.

What is tailgating (piggybacking)?

This occurs when one user follows closely behind another user without using credentials.

What is a mantrap?

A mantrap is a physical security mechanism designed to control access to a secure area through a buffer zone. Personnel use something like a proximity card to gain access, and the mantrap allows one person, and only one person, to pass through. Because they only allow one person through at a time, mantraps prevent tailgating.

What type of security control is a security guard?

Security guards are physical security controls that can protect access to restricted areas. Security guards can be an effective deterrent to prevent tailgating. They can also check individuals' identification against a preapproved access list.

What kind of security control is least privilege?

Least privilege is a technical control. It specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks or functions.

T/F Windows domains use Group Policy to manage multiple users and computers in a domain.

True. Group Policy allows an administrator to configure a setting once in a Group Policy Object (GPO) and apply this setting on many users and computers within the domain. Administrators use it to create password policies, lock down the GUI, configure host-based firewalls, and much more.

What is maximum password age?

This setting defines when users must change their password. For example, setting this to 45 days causes the password to expire after 45 days.

What is minimum password age?

The minimum password age defines how long users must wait before changing their password again. If you set this to 1 day, it prevents users from changing their passwords until 1 day has passed. This is useful with a password history to prevent users from changing their password multiple times until they get back to the original password.

What is role-based access control?

Role-based access control uses roles to manage rights and permissions for users. This is useful for users within a specific department who perform the same job functions. An administrator creates the roles and then assigns specific rights and permissions to the roles (instead of to the users). When an administrator adds a user to a role, the user has all the rights and permissions of that role.

What is rule-based access control?

Rule-based access control is based on a set of approved instructions, such as an access control list. Some rule-BAC systems use rules that trigger in response to an event, such as modifying ACLs after detecting an attack, or granting additional permissions to a user in certain situations.

What is the DAC (Discretionary Access Control) model?

The DAC model specifies that every object has an owner, and the owner has full, explicit control of the object. Microsoft NTFS uses the DAC model.

What is the MAC (Mandatory Access Control) model?

The MAC model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don't match, the access model blocks access.

Which of the following accurately identifies the primary security control classifications?


A. Role-based, mandatory, and discretionary


B. Technical, Management, and Operational


C. Physical, logical, and technical


D. Technical and preventive

B. Security controls are classified as technical (implemented by technical means), management (implemented administratively), and operational (for day-to-day operations). Access control methods are role-based, rule-based, mandatory, and discretionary. Physical and logical are not terms used to describe security control classifications, even though some controls are physical and some are logical. Although technical is a security control classification, preventive refers to a security control goal.

You need to reduce the attack surface of a web server. Which of the following is a preventive control that will assist with this goal?


A. Disabling unnecessary services


B. Identifying the initial baseline configuration


C. Using hardware locks


D. Monitoring logs for trends

Correct Answer: A. Disabling unnecessary services is one of several steps you can take to harden a server, and it is a preventive control. Identifying the initial baseline configuration is useful to determine the security posture of the system, but by itself it doesn't prevent attacks. Hardware locks are useful to protect a server room where a web server operates, but they don't reduce the attack surface. Monitoring logs and trend analysis are detective controls, not preventive controls.

A security expert is identifying and implementing several different physical deterrent controls to protect an organization's server room. Which of the following choices would BEST meet this objective?


A. Using hardware locks


B. Utilizing data encryption


C. Performing a vulnerability assessment


D. Training users

Correct Answer: A. A hardware lock is a physical security control. It's also a deterrent control because it would deter someone from entering. Data encryption is a technical control designed to protect data and is not a physical security control. A vulnerability assessment is a management control designed to discover vulnerabilities, but it is not a physical control. Training users is an effective preventive control, but it is not a physical control.

You need to secure access to a data center. Which of the following choices provides the BEST physical security to meet this need?


A. Biometrics


B. Cable locks


C. CCTV


D. Mantrap

Correct Answer: A, C, D. A biometric reader used for access control, a mantrap, and a closed-circuit television system all provide strong physical security for accessing a data center. Cable locks are effective theft deterrents for mobile devices such as laptops, but they don't protect data centers.

A security professional needs to identify a physical security control that will identify and authenticate individuals before allowing them to pass, and restrict passage to only a single person at a time. What should the professional recommend?


A. Tailgating


B. Smart cards


C. Biometrics


D. Mantrap

Correct Answer: D. A mantrap controls access to a secure area, and only allows a single person to pass at a time. The scenario describes the social engineering tactic of tailgating, not the control to prevent it. Some sophisticated mantraps include identification and authorization systems, such as biometric systems or smart cards and PINs. However, biometrics and smart cards used for physical security do not restrict passage to one person at a time unless they are combined with a mantrap.

Your company wants to control access to a restricted area of the building by adding an additional physical security control that includes facial recognition. Which of the following provides the BEST solution?


A. Bollards


B. Guards


C. Palm scanners


D. Video Surveillance

Correct Answer: B. Security guards can protect access to restricted areas with facial recognition and by checking identities of personnel before letting them in. Bollards are effective barricades to block vehicles, but they do not block personnel. Palm scanners are effective biometric access devices, but they do not use facial recognition. Video surveillance can monitor who goes in and out of an area, but it cannot control the access.

Employees access a secure area by entering a cipher code, but this code does not identify individuals. After a recent security incident, management has decided to implement a key card system that will identify individuals who enter and exit this secure area. However, the installation might take six months or longer. Which of the following choices can the organization install immediately to identify individuals who enter or exit the secure area?


A. Mantrap


B. Access list


C. CCTV


D. Bollards

Correct Answer: C. Closed-circuit television or a similar video surveillance system can monitor the entrance and record who enters and exits the area. A mantrap prevents tailgating, but it doesn't necessarily identify individuals. An access list is useful if a guard is identifying users and allowing access based on the access list, but the access list does not identify users. Bollards are a type of barricade that protects building entrances.

Thieves recently rammed a truck through the entrance of your company's main building. During the chaos, their partners proceeded to steal a significant amount of IT equipment. Which of the following choices can you use to prevent this from happening again?


A. Bollards


B. Guards


C. CCTV


D. Mantrap

Correct Answer: B. Bollards are effective barricades that can block vehicles. Guards can restrict access for personnel, but they cannot stop trucks from ramming through a building. Closed-circuit television or a similar video surveillance system can monitor the entrance, but it won't stop the attack. Mantraps prevent tailgating, but they most likely won't stop a truck.

You maintain a training lab with 18 computers. You have enough rights and permissions on these machines so that you can configure them as needed for classes. However, you do not have the rights to add them to your organization's domain. Which of the following choices BEST describes this example?


A. Least privilege


B. Need to know


C. User-based privileges


D. Separation of duties

Correct Answer: A. When following the principle of least privilege, individuals have only enough rights and permissions to perform their job, and this is exactly what is described in this scenario. Need to know typically refers to data and information rather than the privileges required to perform an action, such as adding computers to a domain. User-based privileges refer to giving permissions to individual users rather than groups, and this question doesn't address either user-based or group-based privileges. Separation of duties is a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process, and it isn't addressed in this question either.

Developers in your organization have created an application designed for the sales team. Salespeople can log on to the application using a simple password of 1234. However, this password does not meet the organization's password policy. What is the BEST response by the security administrator after learning about this?


A. Nothing. Strong passwords aren't required in applications.


B. Modify the security policy to accept this password.


C. Document this as an exception in the application's documentation.


D. Direct the application team manager to ensure the application adheres to the organization's password policy.

Correct Answer: D. The application should be recoded to adhere to the company's password policy, so the best response is to direct the application team manager to do so. Application passwords should be strong and should adhere to an organization's security policy. It is not appropriate to weaken a security policy to match a weakness in an application. Nor is it appropriate to simply document that the application uses a weak password.

You are redesigning your password policy to increase the security of the passwords. Which of the following choices provides the BEST security? (Select TWO.)


A. Maximum password age.


B. Password complexity


C. Password history


D. Password length

Correct Answer: B, D. Password complexity and password length provide the best security. Complexity requires a mix of uppercase and lowercase letters, numbers, and special characters. Length requires a minimum number of characters in the password. Maximum password age requires users to change their password regularly, but by itself allows simple or short passwords. Password history prevents users from reusing passwords.

A company's account management policy dictates that administrators should disable user accounts instead of deleting them when an employee leaves the company. What security benefit does this provide?


A. Ensures that user keys are retained.


B. Ensures that user files are retained.


C. Makes it easier to enable the account if the employee returns.


D. Ensures that users cannot log on remotely

Correct Answer: A. User accounts typically have security keys associated with them. These keys are retained when the account is disabled, but they are no longer accessible when the account is deleted. Disabling the account helps ensure that access to files is retained, but it does not directly retain user files. Employees who leave are not expected to return, so this policy has nothing to do with making it easier to enable an account if they return. Users cannot use the account locally or remotely once it is disabled or deleted, which is the primary reason to have an account management policy.

You need to create an account for a contractor who will be working at your company for 90 days. Which of the following is the BEST security step to take when creating this account?


A. Configure history on the account.


B. Configure a password expiration date on the account.


C. Configure an expiration date on the account.


D. Configure complexity

Correct Answer: C. When creating temporary accounts, it's best to configure expiration dates so that the system will automatically disable the accounts on the specified date. History, password expiration, and complexity all refer to password policy settings. However, it's rare to configure a specific password policy on a single account.

You're asked to identify who is accessing a spreadsheet containing employee salary data. Detailed logging is configured correctly on this file. However, you are unable to identify a specific person who is accessing the file. What is the MOST likely reason?


A. Shared accounts are not prohibited.


B. Guest accounts are disabled.


C. Permissions for the file were assigned to a group.


D. Account lockout has been enabled.

Correct Answer: A. The most likely reason of those given is that shared accounts are not prohibited, allowing multiple users to access the same file. For example, if the Guest account is enabled and used as a shared account by all users, the logs will indicate the Guest account accessed the file, but it won't identify specific individuals. It doesn't matter how permissions are assigned in order for a log to identify who accessed the file. Account lockout stops someone from guessing a password, but it doesn't affect file access logs.

Members of a project team came in on the weekend to complete some work on a key project. However, they found that they were unable to access any of the project data. Which of the following choices is the MOST likely reason why they can't access this data?


A. Discretionary access control


B. Time-of-day access control


C. Rule-based access control


D. Role-based access control

Correct Answer: B. A time-of-day access control restricts access based on the time of day. It is sometimes used to prevent employees from logging on or accessing resources after normal work hours and during weekends. None of the other options restrict access based on dates or times.

An administrator needs to grant users access to different servers based on their job functions. Which access control model is the BEST choice to use?


A. Discretionary access control


B. Mandatory access control


C. Role-based access control


D. Rule-based access control

Correct Answer: C. The role-based access control model is the best choice for assigning access based on job functions. A discretionary access control model specifies that every object has an owner and owners have full control over objects, but it isn't related to job functions. Mandatory access control uses labels and a lattice to grant access rather than job functions. A rule-based access control model uses rules that trigger in response to events.

Interns from a local college frequently work at your company. Some interns work with the database developers, some interns work with the web application developers, and some interns work with both developers. Interns working with the database developers require specific privileges, and interns working with the web application developers require different privileges. What is the simplest method to meet these requirements?


A. Use generic accounts.


B. Create user-based privileges


C. Use group-based privileges


D. Grant the interns access to the Guest account.

Correct Answer: C. Using group-based privileges is the best choice to meet the needs of this scenario. For example, you can create a DB_Group and a Web_Group, assign appropriate privileges to the groups, and add the interns' accounts to the groups based on their assignments. User-based privileges take too much time to manage because you'd have to implement them separately for each user. Generic accounts such as the Guest account should not be used.

Your organization wants to reduce the administrative workload related to account management. Which of the following is the BEST choice?


A. Implement group-based privileges


B. Implement user-based privileges


C. Implement the Guest account and Guests group


D. Implement periodic reviews of user access.

Correct Answer: A. Group-based privileges reduce the administrative workload related to account management because privileges are assigned to groups that share common responsibilities. User-based privileges are extremely tedious and time-consuming because privileges are assigned to all users individually. Generic accounts such as Guest should not be used. Implementing periodic user access reviews is a best practice to ensure accounts are managed properly, but they do not reduce the administrative workload.

Bart has read access to an accounting database and Lisa has both read and write access to this database. A database application automatically triggers a change in permissions so that Bart has both read and write access when Lisa is absent. What type of access control system is in place?


A. DAC


B. MAC


C. Role-BAC


D. Rule-BAC

Correct Answer: D. A rule-based access control system is in place in this scenario with a rule designed to trigger a change in permissions based on an event. The mandatory access control (MAC) model uses labels to identify users and data, and is used in systems requiring a need to know. A discretionary access control (DAC) model does not use triggers. A role-based access control (role-BAC) system uses group-based privileges.

Your organization hosts several classified systems in the data center. Management wants to increase security with these systems by implementing two-factor authentication. Management also wants to restrict access to these systems to employees who have a need to know. Which of the following choices should management implement for authorization?


A. USB token and PIN


B. Username and password


C. Mandatory access control


D. Rule-based access control

Correct Answer: C. Mandatory access control (MAC) is an access control model that can be used in systems requiring a need to know. It uses labels to identify users and data. If the user has the correct label needed to access the data, the user is authorized access. A USB token and a PIN provide two factors of authentication, but the question asks what is needed for authorization. A username provides identification and a password provides authentication. A rule-based access control system (rule-BAC) uses rules to trigger a change in permissions based on an event, or rules within an access control list (ACL) on hardware devices such as routers.