WGU D430 Fundamentals of Information Security Exam Questions with Correct Answers

Type: Exam (elaborations)
Contains: Questions & answers
Pages: 9
Grade: A+
Uploaded on: April 5, 2025
Written in: 2024/2025

"Define the confidentiality in the CIA triad. - Correct Answer Our ability to protect data from those who are not authorized to view it."

"Examples of confidentiality - Correct Answer A patron using an ATM card wants to keep their PIN confidential. An ATM owner wants to keep bank account numbers confidential."

"Pretexting - Correct Answer A form of social engineering in which one individual invents a scenario (lies) to obtain confidential data about another individual."

"Phishing - Correct Answer An attack that sends an email or displays a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information."

"Competitive intelligence - Correct Answer The process of intelligence gathering and analysis to support business decisions."

"Competitive counterintelligence - Correct Answer The practice of managing the range of intelligence-gathering activities directed at an organization."

"Network-based IDS (NIDS) - Correct Answer An independent platform that monitors network traffic to identify intruders."

"Host-based IDS (HIDS) - Correct Answer Software placed on a particular asset (host) that analyzes the activities on, or directed at the network interface of, that host."

"Wireshark - Correct Answer A sniffer (packet analyzer) capable of intercepting and troubleshooting traffic from both wired and wireless sources."

"Nmap - Correct Answer A network utility designed to scan a network and map the hosts and open ports on it. With its scripting engine (NSE) it is also frequently used for basic vulnerability checks."

"Which port service needs to be removed when running a webserver? - Correct Answer 53 (DNS). A web server should expose only the services it needs, normally 80 and 443; every other listening service widens the attack surface."

"Port 80 - Correct Answer Provides Hypertext Transfer Protocol (HTTP) services, which serve web content (port 443 is HTTPS)."

"AES - Correct Answer Advanced Encryption Standard, a symmetric block cipher (FIPS 197). AES is the standard encryption algorithm used by the US Federal government."

"SSRF - Correct Answer (Server-Side Request Forgery) An attack that takes advantage of the trust other systems place in a web server. The attacker finds a web application that fetches a URL or host taken from the request; the web server then performs that request on behalf of the attacker, reaching internal services the attacker could not reach directly."

"Kismet - Correct Answer A passive wireless sniffer commonly used to detect wireless access points."

"Hping3 - Correct Answer A tool used to test the security of firewalls and map network topology. It constructs specially crafted TCP, UDP, ICMP and raw IP packets to probe devices that firewall rules try to hide, and has scripting functionality for testing firewall/IDS behavior."

"Burp Suite - Correct Answer A web assessment and analysis tool (an intercepting proxy) that looks for issues on websites such as cross-site scripting or SQL injection flaws."

"Fuzzer - Correct Answer A type of tool that works by bombarding our applications with all manner of data and inputs from a wide variety of sources, in the hope of causing the application to fail or to perform in unexpected ways."

"How can confidentiality be broken? - Correct Answer Losing a laptop; an attacker gaining access to information; a person looking over your shoulder (shoulder surfing)."

"Define integrity in the CIA triad. - Correct Answer The ability to prevent people from changing your data in an unauthorized or undesirable way, and the ability to reverse unwanted changes."

"How do you control integrity? - Correct Answer Permissions restrict what users can do (read, write, etc.); hashes and backups let you detect and reverse unwanted changes."

"Examples of integrity - Correct Answer Data used by a doctor to make medical decisions needs to be correct, or the patient can die."

"Define the availability in the CIA triad. - Correct Answer Our data needs to be accessible when we need it."

"How can availability be broken? - Correct Answer Loss of power, application problems. If caused by an attacker, this is a denial-of-service (DoS) attack."

"Define information security. - Correct Answer The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability."

"Define the Parkerian Hexad and its principles. - Correct Answer The Parkerian Hexad includes confidentiality, integrity, and availability from the CIA triad. It also includes possession (or control), authenticity, and utility."

"Authenticity - Correct Answer Whether the data in question comes from who or where it says it comes from (e.g. did this person actually send this email?)."

"Confidentiality is affected by what type of attack? - Correct Answer Interception (eavesdropping)."

"Integrity is affected by what type of attacks? - Correct Answer Interruption (assets are unusable), modification (tampering with an asset), fabrication (generating false data)."

"Availability is affected by what type of attacks? - Correct Answer Interruption (assets are unusable), modification (tampering with an asset), fabrication (generating false data)."

"Utility - Correct Answer How useful the data is to you (a spectrum, not just yes or no)."

"Possession - Correct Answer Do you physically have (control) the data in question? Used to describe the scope of a loss."

"Identify the four types of attacks - Correct Answer Interception, interruption, modification, and fabrication."

"Interception attacks - Correct Answer Allow unauthorized users to access our data, applications, or environments (e.g. eavesdropping on traffic or copying files); primarily an attack on confidentiality."

"Interruption attacks - Correct Answer Cause assets to become unusable or unavailable for our use, on a temporary or permanent basis."

"Modification attacks - Correct Answer Tampering with an asset."

"Fabrication attacks - Correct Answer Generating false data, processes, communications, or other activity in a system."

"Define the risk management process - Correct Answer 1. Identify assets 2. Identify threats 3. Assess vulnerabilities 4. Assess risks 5. Mitigate risks"

"Define the incident response process and its stages. - Correct Answer Preparation; detection and analysis; containment; eradication; recovery; post-incident activity (lessons learned)."

"Preparation in incident response - Correct Answer Creating policies and procedures (and the tooling and training to carry them out) before an incident happens."

"Detection in incident response - Correct Answer Using tools and humans to decide whether an event is actually a security incident."

"Defense in depth - Correct Answer Employing multiple layers of controls to avoid a single point of failure."

"Identify types of controls to mitigate risk - Correct Answer Physical, logical (technical), administrative."

"Identify elements of risk management in policies and procedures. - Correct Answer Development of robust policies; identification of emergent recent; identification of elements of internal weakness."

"Identify the layers of a defense-in-depth strategy. - Correct Answer External network, network perimeter, internal network, host, application, data."

"Define identification - Correct Answer The claim of who we (or our systems) are."

"Define identity verification. - Correct Answer Someone claims who they are and you take it one step further and ask for ID."

"Define authentication - Correct Answer A set of methods used to determine whether a claim of identity is true."

"Compare authentication types. - Correct Answer Multifactor authentication (the claimant presents more than one type of factor) and mutual authentication (both parties authenticate each other, e.g. client and server)."

"Identify password security best practices. - Correct Answer Use a mix of upper case, lower case, numbers and symbols, with sufficient length; do not reuse a password across systems."

"Identify the factors involved in a multifactor authentication technique. - Correct Answer Something you know, something you are, something you have, something you do, and where you are."

"Define accountability and its benefits - Correct Answer Accountability is the ability to trace actions back to the responsible party. Benefits: nonrepudiation, deterrence, intrusion detection and prevention, and admissibility of records."

"Auditing - Correct Answer Holds users of your system accountable. A methodical examination and review of an organization's records."

"Nonrepudiation measures - Correct Answer Make it so that someone cannot send an email and then deny sending it; usually achieved with a digital signature."

"Which standards apply to any financial entity policies? - Correct Answer Gramm-Leach-Bliley Act (GLBA)."

"Which standards apply to publicly traded companies doing business in the U.S.? - Correct Answer Sarbanes-Oxley Act (SOX)."

"Which standards apply to the credit card industry? - Correct Answer PCI DSS."

"Which characteristic falls under accountability? - Correct Answer Identity."

"What company audits other companies for licensing requirements? - Correct Answer BSA (the Business Software Alliance)."

"Define cryptography, including its origins and influencers. - Correct Answer The science of protecting the confidentiality and integrity of data."

"Symmetric key cryptography - Correct Answer The sender and receiver use the same key for encryption and decryption."

"Asymmetric key cryptography - Correct Answer Encryption that uses two separate keys: a public key and a private key. Advantage: you can publish the public key and anyone can send you an encrypted message that only the private key can decrypt."

"Hash functions - Correct Answer Mathematical algorithms that generate a fixed-length message summary or digest (sometimes called a fingerprint) to confirm message integrity; any change to the message changes the digest."

"Digital signature - Correct Answer A means of electronically signing a document with data that cannot be forged: the signer hashes the document and encrypts the digest with their private key, and anyone holding the public key can verify it. Provides integrity, authenticity and nonrepudiation."

"Digital certificate - Correct Answer Links a public key to an individual (or organization or host), vouched for by a certificate authority."

"Protecting data at rest - Correct Answer Use encryption and physical security."

"Protecting data in motion - Correct Answer Use encryption; protect the connection with a VPN or TLS."

"Protecting data in use - Correct Answer We are somewhat limited in our ability to protect data while it is being used by those who legitimately have access to it. Authorized users can print files, move them to other machines or storage devices, etc."

"Rivest-Shamir-Adleman (RSA) - Correct Answer An asymmetric algorithm used for encryption and for digital signatures."

"Which term is synonymous with symmetric cryptography? - Correct Answer Secret key cryptography."

"Which term is synonymous with asymmetric cryptography? - Correct Answer Public key cryptography."

"Regulatory compliance - Correct Answer Regulations mandated by law, usually requiring regular audits and assessments."

"Industry compliance - Correct Answer Regulations or standards designed for specific industries that may impact the ability to conduct business (e.g. PCI DSS)."

"Privacy - Correct Answer The right of people not to reveal information about themselves."

"GLBA - Correct Answer Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999). Repealed a 1933 law that barred the consolidation of financial institutions and insurance companies. Included within GLBA are multiple sections relating to the privacy of financial information: companies must provide written notice to consumers of their privacy rights and explain the company's procedures for safeguarding data."

"Privacy guidelines - Correct Answer Guidelines to follow to protect the private information of patients."

"FISMA - Correct Answer Federal Information Security Management Act; a US law that requires federal agencies to create, document and implement an information security program."

"HIPAA - Correct Answer Health Insurance Portability and Accountability Act. Protects patient privacy (protected health information)."

"FERPA - Correct Answer Family Educational Rights and Privacy Act; protects the privacy of student education records."

"SOX - Correct Answer Sarbanes-Oxley Act. This law requires publicly traded companies and their independent auditors to demonstrate that their numbers are accurate and that they have processes in place to ensure accurate reporting. Several sections of the law have important implications for human resource activities."

"Industry compliance vs. regulatory compliance - Correct Answer Industry compliance is not enforced by the government, as regulatory compliance is. Instead, a group of stakeholders in the industry get together and decide what compliance looks like."
"COPPA - Correct Answer Children's Online Privacy Protection Act; governs the collection of personal information from children under 13 online."

"ECC - Correct Answer Elliptic Curve Cryptography: an asymmetric key algorithm that provides encryption, digital signatures and key exchange, based on using points on a curve to define the public/private key pair. It gives equivalent strength with much smaller keys, so it is used in wireless devices and smart cards."

"RSA - Correct Answer Asymmetric algorithm."

"SHA - Correct Answer Secure Hash Algorithm, a family of hashing algorithms (SHA-1 is deprecated; SHA-2 members such as SHA-256 are current)."

"DES - Correct Answer Data Encryption Standard, a symmetric block cipher with a 56-bit key; now considered insecure and superseded by AES."

"MD5 - Correct Answer Message Digest 5. A hashing function historically used to provide integrity; collisions are practical today, so it should not be relied on where an attacker could substitute data."

"PGP - Correct Answer Pretty Good Privacy. Commonly used to secure e-mail communications between two private individuals but also used in companies. It provides confidentiality, integrity, authentication, and nonrepudiation. It can digitally sign and encrypt e-mail. It uses both asymmetric and symmetric encryption: a symmetric session key encrypts the message, and the recipient's public key encrypts that session key."

"Operations security process - Correct Answer 1. Identification of critical information 2. Analysis of threats 3. Analysis of vulnerabilities 4. Assessment of risks 5. Application of countermeasures"

"Operations security - Correct Answer A security and risk management process that prevents sensitive information from getting into the wrong hands."

"Haas's Laws: Know the threats - Correct Answer If you don't know the threat, how do you know what to protect? Know the threats to your data based on your location."

"Haas's Laws: Know what to protect - Correct Answer If you don't know what to protect, how do you know you're protecting it? Some organizations classify information (e.g. top secret)."

"Haas's Laws: Protect the information - Correct Answer If you don't protect the information, your adversaries win."

"Human element security - Correct Answer Security Awareness, Training, and Education (SATE)."
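For the SSRF card above, an added example that is not part of the card set: the URL-fetch pattern that creates the vulnerability, beside a hardened validator. The hostnames, the allowlist and the in-memory DNS table are constructed so the example runs offline; the two partner hosts whose records point at internal addresses stand in for a rebound or hijacked DNS entry.

```python
# Added example, not part of the D430 card set. Hostnames, allowlist and the
# DNS table below are constructed for illustration.
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS resolution (production code would call
# socket.getaddrinfo). Two allowlisted partner hosts resolve to internal
# addresses, as a rebound or hijacked record would.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.partner.example": ["10.0.0.5"],
    "assets.partner.example": ["93.184.216.35", "127.0.0.1"],
    "metadata.cloud": ["169.254.169.254"],
}

ALLOWED_HOSTS = {"images.example.com", "cdn.partner.example", "assets.partner.example"}


def vulnerable_target(user_url: str) -> str:
    """Vulnerable pattern: the server fetches whatever URL the client supplied,
    so the client can aim it at internal hosts, cloud metadata, file://, etc."""
    return user_url


def validate_target(user_url: str, resolver=None):
    """Hardened pattern. Returns (True, pinned_url) or (False, reason).
    Checks scheme, embedded credentials and a host allowlist, then resolves
    the host and rejects any address that is not globally routable."""
    lookup = resolver if resolver is not None else FAKE_DNS
    parsed = urlparse(user_url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parsed.scheme!r}"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    host = parsed.hostname
    if host not in ALLOWED_HOSTS:
        return False, f"host not allowlisted: {host!r}"
    addresses = lookup.get(host, [])
    if not addresses:
        return False, f"cannot resolve {host!r}"
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # is_global is False for private, loopback, link-local, reserved and
        # documentation ranges; multicast is excluded separately.
        if not ip.is_global or ip.is_multicast:
            return False, f"{host!r} resolves to disallowed address {addr}"
    # Connect to the address that was checked instead of resolving again at
    # request time, so a changed DNS answer (rebinding) cannot slip past.
    pinned = f"{parsed.scheme}://{addresses[0]}{parsed.path or '/'}"
    return True, pinned
```

Two caveats a practitioner needs when using the pinned address: the HTTP Host header (and TLS server-name verification) must still use the original hostname, and redirects must be re-validated hop by hop or disabled, since a redirect is just another attacker-chosen URL.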
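For the Fuzzer card above, an added example that is not part of the card set: a minimal mutation fuzzer run against a deliberately fragile record parser, then against the fixed parser. The record format, both parsers and the seed input are constructed for this example.

```python
# Added example, not part of the D430 card set. The record format, parsers
# and seed are constructed for illustration.
import random


def parse_record(data: bytes) -> bytes:
    """Format: [length byte][payload][checksum byte].
    The flaw: the length byte is trusted, so a length larger than the buffer
    makes the checksum read run off the end and raise IndexError."""
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")  # clean rejection, not a crash
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Same parser with the bounds check the fuzzer shows is missing."""
    if len(data) < 2:
        raise ValueError("too short")
    n = data[0]
    if 1 + n >= len(data):
        raise ValueError("length exceeds buffer")
    payload = data[1:1 + n]
    if sum(payload) % 256 != data[1 + n]:
        raise ValueError("bad checksum")
    return payload


def encode_record(payload: bytes) -> bytes:
    """Builds a valid record to use as the fuzzing seed."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Applies one to three random byte-level mutations to a copy of the seed."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        pos = rng.randrange(len(buf))
        kind = rng.randrange(3)
        if kind == 0:
            buf[pos] = rng.randrange(256)                    # random byte
        elif kind == 1:
            buf[pos] ^= 1 << rng.randrange(8)                # single bit flip
        else:
            buf[pos] = rng.choice((0, 1, 0x7F, 0x80, 0xFF))  # boundary values
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 500, rng_seed: int = 1):
    """Feeds mutated inputs to target. ValueError is the parser's expected way
    to reject bad input; any other exception is reported as a finding.
    Returns (iteration, crashing_input, exception) or None."""
    rng = random.Random(rng_seed)
    for i in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:  # unexpected failure = bug
            return i, case, exc
    return None


def run_campaign():
    """Runs the same campaign against the buggy and the fixed parser."""
    seed = encode_record(b"hello")
    return fuzz(parse_record, seed), fuzz(parse_record_fixed, seed)
```

The distinction the fuzzer relies on is the one that matters in practice: a parser is allowed to reject input (here with ValueError), but any other exception, hang or crash on attacker-controlled bytes is a finding to triage, and in native code the same length-trust bug would be an out-of-bounds read rather than an exception.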
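For the cryptography cards above (hash functions, digital signature, symmetric vs. asymmetric, RSA, SHA, nonrepudiation), an added example that is not part of the card set: a SHA-256 digest for integrity, an HMAC for shared-key integrity, and a textbook RSA signature over the digest to show what a signature adds. The RSA parameters are deliberately tiny fixed primes, an assumption for illustration only; real keys are 2048 bits or more, use PSS padding, and come from a vetted library.

```python
# Added example, not part of the D430 card set. The primes and messages are
# constructed for illustration; this textbook RSA is not safe for real use.
import hashlib
import hmac


def sha256_hex(msg: bytes) -> str:
    """Fixed-length digest: any change to msg changes the digest."""
    return hashlib.sha256(msg).hexdigest()


def keyed_tag(key: bytes, msg: bytes) -> str:
    """Symmetric integrity/authenticity: both sides hold the same key, so a
    valid tag proves 'someone with the key' sent it, not which party did."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def tag_matches(key: bytes, msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, msg), tag)


def make_keypair(p: int = 104729, q: int = 104723, e: int = 65537):
    """Textbook RSA key generation from two fixed, toy-sized primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # (public, private)


def _digest_int(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, private_key) -> int:
    """Hash-then-sign: only the private-key holder can produce this value."""
    n, d = private_key
    return pow(_digest_int(msg, n), d, n)


def verify(msg: bytes, signature: int, public_key) -> bool:
    """Anyone with the public key can check the signature. Because the
    verifier could not have produced it, this is what gives nonrepudiation."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(msg, n)


def demo() -> dict:
    msg = b"transfer 100 to alice"
    tampered = b"transfer 900 to alice"
    pub, priv = make_keypair()
    sig = sign(msg, priv)
    other_pub, _ = make_keypair(p=65537, q=65521)
    return {
        "digest_changes": sha256_hex(msg) != sha256_hex(tampered),
        "signature_ok": verify(msg, sig, pub),
        "tamper_rejected": not verify(tampered, sig, pub),
        "other_key_rejected": not verify(msg, sig, other_pub),
    }
```

The HMAC and the signature both detect tampering; the difference is who can be held to it. With an HMAC the recipient holds the same key and could have produced the tag themselves, so it cannot be used to prove to a third party who sent the message. The signature can, which is why the nonrepudiation card says "usually with a digital signature".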

Institution: WGU D430
Course: WGU D430

Seller: Smith01, Chamberlain College Of Nursing