Certification Summary

In this chapter, we explained the fundamental information security concepts and principles, looked at what constitutes good security architectures and practices, and learned that good practices include people, processes, and technology working in concert. We also discussed the concepts of accountability, authentication, authorization, privacy, confidentiality, integrity, and non-repudiation, as well as types and functionalities of information security controls and the importance of information systems governance.

Two-Minute Drill

Here are some of the key points from the certification objectives in Chapter 1.

Describe Principles of Information Security

  • Information security is the confidentiality, integrity, and availability of information.

  • Confidentiality is the prevention of unauthorized disclosure of information.

  • Integrity is the means of ensuring that information is protected from unauthorized or unintentional alteration, modification, or deletion.

  • Availability ensures that information is readily accessible to authorized viewers at all times.

  • Identification is the means by which a user (human, system, or process) provides a claimed unique identity to a system.

  • Authentication is a method for proving that you are who you say you are.

  • Strong authentication is the use of two or more different authentication methods, such as a smart card and PIN, or a password and a form of biometrics, such as a fingerprint or retina scan.

  • Authorization is the process of ensuring that a user has sufficient rights to perform the requested operation and preventing those without sufficient rights from doing the same.

Explain Information Security Fundamentals and Define Good Security Architectures

  • The principle of least privilege stipulates that one should not be assigned any more privileges than those absolutely necessary to do the required job.

  • The purpose of the segregation (or separation) of duties is to avoid the possibility of a single person being responsible for a variety of functions within an organization. Rotation of duties is a similar control that is intended to detect abuse of privileges or fraud and is a practice that helps the organization avoid becoming overly dependent on a single member of staff. By rotating staff, the organization has more chances of discovering violations or fraud.
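The least-privilege and separation-of-duties bullets above describe controls that are usually implemented through role-based access control, where rights attach to roles rather than to individual users. The following Python model is an added example written for this page, not code from the book; the role, permission and user names are constructed for illustration. It grants rights only through roles (anyone without a role gets nothing, so the default is deny), declares two roles mutually exclusive (static separation of duties), and refuses any assignment that would give one person both.

```python
"""Added example (not from the book): a minimal role-based access control
(RBAC) model that enforces least privilege and static separation of duties.
All role, permission and user names below are constructed for illustration.
"""


class SeparationOfDutiesError(Exception):
    """Raised when a role assignment would give one person conflicting duties."""


class RbacPolicy:
    """Roles carry permissions; users carry roles. A user's rights are the
    union of the permissions of the roles it holds and nothing else, so a
    user with no roles is denied everything (least privilege by default)."""

    def __init__(self) -> None:
        self.role_permissions: dict[str, set[str]] = {}
        self.user_roles: dict[str, set[str]] = {}
        # Unordered pairs of roles that one person must never hold together.
        self.conflicts: set[frozenset[str]] = set()

    def define_role(self, role: str, permissions: set[str]) -> None:
        self.role_permissions[role] = set(permissions)

    def declare_conflict(self, role_a: str, role_b: str) -> None:
        """Static separation of duties: the two roles are mutually exclusive."""
        self.conflicts.add(frozenset((role_a, role_b)))

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"undefined role: {role}")
        for held in self.user_roles.get(user, set()):
            if frozenset((held, role)) in self.conflicts:
                raise SeparationOfDutiesError(
                    f"{user} already holds {held}; cannot also hold {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions_of(self, user: str) -> set[str]:
        perms: set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions[role]
        return perms

    def is_authorized(self, user: str, permission: str) -> bool:
        """Authorization check: deny unless some held role grants the right."""
        return permission in self.permissions_of(user)


def build_demo_policy() -> RbacPolicy:
    """Constructed sample policy: a payments workflow in which the person who
    creates a payment must never be the person who approves it."""
    policy = RbacPolicy()
    policy.define_role("payments_clerk", {"payment:create", "payment:view"})
    policy.define_role("payments_approver", {"payment:approve", "payment:view"})
    policy.define_role("auditor", {"audit_log:read", "payment:view"})
    policy.declare_conflict("payments_clerk", "payments_approver")
    policy.assign_role("alice", "payments_clerk")
    policy.assign_role("bob", "payments_approver")
    policy.assign_role("carol", "auditor")
    return policy


def try_assign(policy: RbacPolicy, user: str, role: str) -> bool:
    """Return True if the assignment was allowed, False if SoD blocked it."""
    try:
        policy.assign_role(user, role)
        return True
    except SeparationOfDutiesError:
        return False


if __name__ == "__main__":
    demo = build_demo_policy()
    print(demo.is_authorized("alice", "payment:create"))    # True
    print(demo.is_authorized("alice", "payment:approve"))   # False: not in her role
    print(try_assign(demo, "alice", "payments_approver"))   # False: SoD conflict
    print(demo.is_authorized("dave", "payment:view"))       # False: no roles at all
```

The separation-of-duties check runs at assignment time rather than at access time, which is what makes it a preventive control: the conflicting combination of rights never comes into existence, so there is nothing for a later audit to discover.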

Self Test

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question.

Describe Principles of Information Security

1. What is the purpose of audit trails and logs?

  A. They record events as they happen.

  B. An audit trail can be used in court proceedings but logs cannot.

  C. They serve to establish accountability.

  D. They may be used in place of deterrent controls.

  E. All of the above

2. Fingerprints can be used for

  A. What you have authentication

  B. What you are authentication

  C. Biological identification

  D. Keeping things simple

  E. All of the above

3. What type of control is intended to offset deficiencies of other controls?

  A. Preventive

  B. Defensive

  C. Compensating

  D. Recovery

  E. All of the above

4. What is strong authentication?

  A. Strong authentication uses long passwords.

  B. Strong authentication requires smart cards.

  C. Strong authentication requires the use of at least two different authentication methods.

  D. Strong authentication is provided via biometrics.

  E. All of the above

5. The principle of least privilege applies only to user accounts.

  A. True

  B. False

  C. True, but only on non-Solaris systems.

  D. True, provided users use good passwords.

6. The principle of isolating process spaces from each other is known as

  A. Virtualization

  B. Separation

  C. Defense in depth

  D. Compartmentalization

  E. All of the above

7. Surveys show that most organizations are at which level of the information security maturity model?

  A. Nonexistent

  B. Defined

  C. Detective

  D. Repeatable

  E. All of the above

8. Privacy is a concern in which of the following industries?

  A. Financial services

  B. Financial services and government

  C. Telecommunications

  D. All of the above

9. What is assurance?

  A. It is a type of insurance against security violations.

  B. It is the written security policy.

  C. It is about the trustworthiness of a system.

  D. It is provided by mandatory access control (MAC).

  E. All of the above

10. Information security policies and procedures are a(n)

  A. Technical control

  B. Administrative control

  C. Form of access control

  D. Operational control

  E. All of the above

11. In an information security context, names must be

  A. Unique locally

  B. Unique globally

  C. Standardized

  D. Secret

  E. All of the above

12. What risks apply to what you have authentication methods? (Choose all that apply.)

  A. Same risks as with what you are authentication

  B. Same risks that apply to regular keys

  C. Risks that apply to all authentication methods

  D. Certain non-assurance–related risks

  E. All of the above

Answers

1. ☑ C. The purpose of the audit trail and logs is to provide accountability in information systems.

   ☒ A is correct but is not the best answer; choices B and D are wrong. The issue of whether audit trails and logs can be used in court proceedings would depend on the particular jurisdiction and is outside the scope of this book; audit trails and logs are detective controls but may function as deterrent controls as well when their existence is known to potential attackers.

2. ☑ B. Fingerprints can be used for what you are, or biometric, authentication.

   ☒ A is wrong because what you have authentication refers to token-based authentication mechanisms. C is wrong because there is no such term as biological identification in information security. D is wrong because the use of fingerprints does not simplify authentication or identification, since it requires additional configuration and tuning.

3. ☑ C. Compensating controls offset deficiencies of other controls.

   ☒ There is no such term as defensive controls in information security, so that rules out B. Choices A and D are incorrect because preventive controls aim to prevent security violations and recovery controls are not intended to offset deficiencies of other controls.

4. ☑ C. At least two different authentication methods are necessary for strong authentication.

   ☒ Long passwords do not provide strong authentication on their own, so answer A is not correct. Strong authentication does not necessarily require the use of smart cards, as stated in B. And D is wrong because biometrics does not necessarily provide strong authentication on its own.

5. ☑ B. The principle of least privilege does not apply only to user accounts but is a universally applicable principle.

   ☒ The other answers are incorrect because the principle of least privilege has no relation to the use of good passwords and is not dependent on a particular operating system or environment.

6. ☑ D. Compartmentalization is the isolation of process spaces from each other in order to minimize the effect of a security violation in one compartment on another.

   ☒ Answer A, virtualization, is a related concept but is not the correct answer. B is wrong because compartmentalization is the correct term. C is wrong because defense in depth is about using several types and/or layers of defense.

7. ☑ D. Most organizations are at the repeatable level of the information security maturity model.

   ☒ C is inappropriate because it refers to a type of control. The other choices are wrong because surveys show that most organizations are at the repeatable level.

8. ☑ D. All of the above. Privacy is a concern in all industries, because organizations in all industries collect, process, and store personal information of employees, clients, and partners.

9. ☑ C. Assurance is about the trustworthiness of a system.

   ☒ A is wrong because there is no such type of insurance. B is wrong because, although a written security policy is always required, it is not a guarantee of assurance. D is wrong because the use of MAC does not guarantee assurance.

10. ☑ B. Information security policies and procedures are an administrative control.

    ☒ A is wrong because policies and procedures are not a technical control. C is wrong because policies and procedures are not a form of access control. D is wrong because, although policies and procedures address operational controls, choice B is a better answer.

11. ☑ A. Names must be unique locally.

    ☒ B is wrong because names may be unique globally, but it is not necessary. C is wrong because names may be standardized, but that is not mandatory. D is wrong because names are not necessarily secret.

12. ☑ B and C are correct because what you have authentication methods are subject to the same risks (such as theft and damage) as regular keys, and they are subject to the same general risks that apply to all authentication methods (such as unauthorized access).

    ☒ A is wrong because the risks of what you are and what you have authentication methods are different, and D is wrong because it doesn't make sense.

Explain Information Security Fundamentals and Define Good Security Architectures

13. Who must be ultimately responsible for information security within organizations?

  A. Information security professionals

  B. Information systems auditors

  C. Top management

  D. Stockholders

  E. All of the above

14. Fundamental security principles

  A. Do not apply in all situations

  B. Apply to most information systems

  C. May be used only in enterprise systems

  D. Are system-dependent

  E. All of the above

15. Information systems governance is about what?

  A. Information security

  B. Effective and risk-aware use of information systems

  C. Risk management

  D. Corporate responsibility

  E. All of the above

16. What is the advantage of Role-Based Access Control (RBAC) over Discretionary Access Control (DAC)?

  A. RBAC has no advantages over DAC.

  B. RBAC is an improved version of DAC.

  C. RBAC improves management of access control and authorizations.

  D. RBAC is one level below Mandatory Access Control (MAC).

  E. All of the above

17. Which authentication method is the most complex to administer?

  A. What you know

  B. What you have

  C. What you are

  D. Who you are

  E. All of the above

18. What is the purpose of choke points?

  A. Choke points are used to isolate firewalls.

  B. Choke points protect confidentiality of information.

  C. Choke points may be used only on TCP/IP networks.

  D. Choke points are for control and monitoring of data flow.

  E. All of the above

19. What is the purpose of authentication?

  A. To obtain proof of claimed identity

  B. To implement access control

  C. To establish accountability

  D. To allow use of different authorizations

  E. All of the above

20. What is the benefit of cost-benefit analysis? (Choose all that apply.)

  A. It is necessary because organizations cannot reduce all risks to zero.

  B. It increases an organization's return on investment.

  C. It prevents denial of service attacks.

  D. It is a good governance practice.

  E. All of the above

Answers

13. ☑ C. Top management must be ultimately responsible for information security within an organization.

    ☒ A is incorrect because information security professionals advise management and implement management's decisions. B is wrong because information systems auditors report on the organization's security to the board of directors and/or the stockholders. D is incorrect because stockholders appoint management and are not involved in day-to-day management.

14. ☑ B. Fundamental security principles apply to most information systems.

    ☒ A is wrong because it is not the best available answer. C is wrong because fundamental security principles do not apply only in enterprise systems, and D is wrong because fundamental security principles are not system-dependent.

15. ☑ E. All of the answers are correct.

16. ☑ C. RBAC improves management of access control and authorizations by introducing the concept of roles distinct from individual users.

    ☒ A is wrong because RBAC has advantages over DAC; B is wrong because RBAC is not an improved version of DAC; D is wrong because it doesn't make sense.

17. ☑ C. What you are (biometrics) is inherently more complex to administer than what you have or what you know authentication methods.

    ☒ A, B, and D are incorrect because none of these methods is as difficult to administer as what you are.

18. ☑ D. Choke points are logical "narrow channels" that can be easily monitored and controlled.

    ☒ A is wrong because choke points are not used to isolate firewalls. Choke points do not affect confidentiality of information, so B is wrong. And C is not the answer because choke points are not protocol-dependent.

19. ☑ E. All of the above. Authentication is needed to obtain proof of claimed identity, to implement access control, to establish accountability, and to allow for different users with different authorizations.

20. ☑ A, B, and D. Cost-benefit analysis is necessary because organizations cannot reduce all risks to zero, it increases an organization's return on investment, and it is a good governance practice.

    ☒ C is wrong because cost-benefit analysis is not related to, and does not prevent, denial of service attacks.
