Testout Sec+ 1.1 Security Overview

Which of the following is an example of a vulnerability? -A misconfigured server -Denial of service attack -Virus infection -Unauthorized access to confidential resources.

A misconfigured server is a vulnerability. A vulnerability is the absence or weakness of a safeguard that could be exploited, such as a USB port that is enabled or the server hosting the database. All of the other selections are examples of exposures. An exposure is an instance of exposure to losses from a threat agent.

Which of the following is the correct definition of a threat? -The likelihood of an attack taking advantage of a vulnerability -Instance of exposure to losses from an attacker -Absence or weakness of a safeguard that could be exploited -Any potential danger to the confidentiality, integrity, or availability of information or systems.

A threat is any potential danger to the confidentiality, integrity, or availability of information or systems. Risk is the likelihood of a threat taking advantage of a vulnerability. A vulnerability is the absence or weakness of a safeguard that could be exploited. An exposure is an instance of exposure to losses from a threat agent.

A user copies files from her desktop computer to a USB flash device and puts the device into her pocket. Which of the following security risks is most pressing? -Confidentiality -Integrity -Non-repudiation -Availability

Confidentiality ensures that data is not disclosed to unintended persons. Removable media poses a big threat to confidentiality because it makes it easy to remove data and share data with unauthorized users. Availability ensures that data is available when it is needed. Copying files to a server that includes malware could threaten data's availability if the malware deletes or corrupts data. Integrity ensures that data is not modified or tampered with. Non-repudiation provides validation of a message's origin.

By definition, which security concept ensures that only authorized parties can access data? -Confidentiality -Non-repudiation -Authentication -Integrity

Confidentiality ensures that only authorized parties can access data. When a cryptographic system protects data confidentiality, unauthorized users cannot view the resource. Non-repudiation is the ability to prove that a sender sent a message. Integrity is protection against alteration. Authentication is the assignment of access privileges to users.

Your computer system is a participant in an asymmetric cryptography system. You've created a message to send to another user. Before transmission, you hash the message and encrypt the hash using your private key. You then attach this encrypted hash to your message as a digital signature before sending it to the other user. In this example, what protection does the hashing activity provide? -Confidentiality -Integrity -Availability -Non-repudiation

Hashing of any sort at any time, including within a digital signature, provides data integrity. Signing the message with the private key creates non-repudiation. A digital signature activity, as a whole, does not provide protection for confidentiality because the original message is sent in clear form. No form of cryptography provides protection for availability.

Which of the following is an example of an internal threat? -A water pipe in the server room breaks. -A server back door allows an attacker on the internet to gain access to the intranet site. -A user accidentally deletes the new product designs. -A delivery man is able to walk into a controlled area and steal a laptop.

Internal threats are intentional or accidental acts by employees, including malicious acts such as theft, fraud or sabotage; intentional or unintentional actions that destroy or alter data; and disclosing sensitive information by snooping or espionage. External threats are events that originate outside of the organization. They typically focus on compromising the organization's information assets. Examples of external threats include hackers, fraud perpetrators, and viruses. Natural events are events that may reasonably be expected to occur over time, such as a fire or a broken water pipe.

Smart phones with cameras and Internet capabilities pose a risk to which security concept? -Non-repudiation -Availability -Confidentiality -Integrity

Smart phones with cameras and data transfer capabilities pose a risk to confidentiality. Users can take pictures of computer screens or save data to cell phones and make that information available to non-authorized users. Availability ensures that data is available when it is needed. Copying files to a server that includes malware could threaten data's availability if the malware deletes or corrupts data. Integrity ensures that data is not modified or tampered with. Non-repudiation provides validation for a message's origin.

By definition, which security concept uses the ability to prove that a sender sent an encrypted message? -Integrity -Authentication -Privacy -Non-repudiation

The ability to prove that a sender sent a message is known as non-repudiation. By various mechanisms in different cryptographic solutions, you can prove that only the sender is able to initiate a communication. Therefore, the sender cannot repudiate that they originated a message. Integrity is protection against alteration. Authentication is the assignment of access privileges to users. Privacy is the protection and confidentiality of personal information.

What is the greatest threat to the confidentiality of data in most secure organizations? -Operator error -USB devices -Hacker intrusion -Malware

The greatest threat to data confidentiality in most secure organizations is portable devices (including USB devices). There are so many devices that can support file storage that stealing data has become easy, and preventing data theft is difficult.

Which of the following is not a valid concept to associate with integrity? -Control access to resources to prevent unwanted access -Ensure that your systems record the real information when collecting data -Prevent the unauthorized change of data -Protect your environment so it maintains the highest source of truth.

To control access to resources and prevent unwanted access is to protect confidentiality, not integrity. Integrity concepts include preventing unauthorized change, ensuring that your data is a true reflection of reality (meaning that it records real information), and maintaining the highest source of truth.

