Security (WGU) Exam Questions
Correctly Answered
Information Security - ANS Protecting an organization's information and information
systems from unauthorized access, use, disclosure, disruption, modification, or
destruction.
Compliance - ANS Requirements that are set forth by laws and
industry regulations.
CIA - ANS Confidentiality, Integrity, Availability
Confidentiality - ANS Refers to our ability to protect our data from those who are not
authorized to use/view it
Integrity - ANS The ability to prevent people from changing your data in an unauthorized
or undesirable manner
Availability - ANS Refers to the ability to access our data when we need it
Possession/Control - ANS refers to the physical disposition of the media on which the
data is stored. (tape examples where some are encrypted and some are not)
Authenticity - ANS whether you've attributed the data in question to the proper owner or
creator. (altered email that says it's from one person when it's not - violation of the
authenticity of the email)
Utility - ANS refers to how useful the data is to you.
Attacks - ANS interception, interruption, modification, and
fabrication
Interception - ANS attacks that allow unauthorized users to access your data,
applications, or environments. Are primarily attacks against confidentiality.
Interruption - ANS attacks that make your assets unusable or unavailable to you
temporarily or permanently. DoS attack on a mail server, for example. May also affect
integrity.
Modification - ANS attacks that involve tampering with our asset. Such attacks might
primarily be considered an integrity attack but could also represent an availability attack.
Fabrication - ANS attacks that involve generating data, processes, communications, or other
similar activities with a system. Fabrication attacks primarily affect integrity but could be
considered an availability attack as well.
Risk - ANS is the likelihood that an event will occur. To have risk there must be a
threat and vulnerability.
Threats - ANS are any events, whether man-made, natural or environmental, that could
cause damage to assets.
Vulnerabilities - ANS are weaknesses that a threat event or the threat agent can take
advantage of.
Impact - ANS takes into account the value of the asset being threatened and uses it to
calculate risk
Risk Management Process - ANS Identify assets, identify threats, assess vulnerabilities,
assess risks, mitigate risks
Defense in Depth - ANS Using multiple layers of security to defend your assets.
Controls - ANS are the ways we protect assets. Three different types: physical, logical,
administrative
Physical Controls - ANS environment; physical items that protect assets (think locks,
doors, guards, and fences) or environmental factors (time)
Logical Controls - ANS Sometimes called technical controls, these protect the systems,
networks, and environments that process, transmit, and store our data
Administrative Controls - ANS based on laws, rules, policies, and procedures,
guidelines, and other items that are "paper" in nature. They are the policies that
organizations create for governance. For example, acceptable use and email use policies.
Preparation - ANS phase of incident response consists of all of the activities that we can
perform, in advance of the incident itself, in order to better enable us to handle it.
Incident Response Process - ANS 1. Preparation
2. Detection and Analysis (Identification)
3. Containment
4. Eradication
5. Recovery
6. Post-incident activity: document/Lessons learned
Detection & Analysis - ANS where the action begins to happen in our incident response
process. In this phase, we will detect the occurrence of an issue and decide whether or
not it is actually an incident, so that we can respond appropriately to it.
Containment - ANS involves taking steps to ensure that the situation does not cause
any more damage than it already has, or to at least lessen any ongoing harm.
Eradication - ANS attempt to remove the effects of the issue from our environment.
Recovery - ANS restoring devices or data to pre-incident state (rebuilding systems,
reloading applications, backup media, etc.)
Post-incident activity - ANS determine specifically what happened, why it happened,
and what we can do to keep it from happening again. (postmortem).
Identity - ANS who or what we claim to be. Simply an assertion.
Authentication - ANS the act of proving who or what we claim to be. More technically,
the set of methods used to establish whether a claim is true
Verification - ANS simply verifies status of ID. For example, showing your driver's
license at a bar. "Half-step" between identity and authentication
Five Different Types of Authentication - ANS • Something you know: Username/Password/PIN
• Something you have: ID badge/swipe card/OTP
• Something you are: Fingerprint/Iris/Retina scan
• Somewhere you are: Geolocation
• Something you do: Handwriting/typing/walking
Single-factor authentication - ANS only using one type of authentication
Dual-factor authentication - ANS using two different factors of authentication (2 of the
same factor does not count)
Multi-factor authentication - ANS Use of several (more than two) authentication
techniques together, such as passwords and security tokens, and geolocation.