M2 Practice Quiz
Question 1
-
Jane, a database administrator at Dion Training, wants to ensure that a file has not changed since the last time she uploaded it to her cloud storage. She has created an SHA-256 hash digest of the file and will compare the stored file's hash digest against the one she calculated when she initially uploaded the file. Which of the following pillars of the CIANA pentagon is she focused on?
Options:
- Integrity
- Availability
- Confidentiality
- Non-repudiation
Overall explanation:
- Integrity is the security pillar that focuses on the assurance that data is trustworthy and accurate, and has not been modified without authorization, whether accidentally or maliciously. Comparing a freshly computed hash digest against the one recorded at upload time detects any change to the file's contents.
- Confidentiality is the protection of data from unauthorized access and disclosure to ensure that only those with the necessary rights can view it.
- Availability ensures that data or services are accessible to authorized users when they need them.
- Non-repudiation is a guarantee that a particular operation or transaction was performed by a particular entity, providing proof of the origin or delivery of data and protecting against denial by one of the parties involved.
Tags: Integrity
Question 2
-
Vikas, a developer at Dion Training, just digitally signed the company's new app before releasing it in the App Store. Before the app is installed, the user's device will validate the digital signature to ensure that it was actually developed and uploaded by Dion Training. Which of the following pillars of the CIANA pentagon is the developer focused on?
Options:
- Authentication
- Non-repudiation
- Availability
- Confidentiality
Overall explanation:
- Non-repudiation ensures that a party in a transaction can't deny having performed an action. By digitally signing the app, the developer provides proof of the origin and guarantees that the company developed and uploaded it.
- Confidentiality safeguards data against unauthorized access.
- Authentication verifies an entity's identity before granting access.
- Availability ensures data or services are ready for authorized users.
Tags: Non-repudiation
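Questions 1 and 2 describe two related but different checks: a hash digest that shows a file is unchanged (integrity), and a digital signature that ties a release to whoever holds the signing key (non-repudiation). The following Go program is an added example, not code from the quiz or from Dion Training, and it makes some assumptions: the file contents are a constructed sample string, the signature scheme is Ed25519 (the quiz does not name one; real app-store signing uses certificate-based schemes), and the key pair is generated at run time rather than loaded from a developer's keystore.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Sha256Hex returns the hex-encoded SHA-256 digest of data: the value
// recorded at upload time in the Question 1 scenario.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest recomputes the digest of the stored file and compares it
// with the digest recorded earlier. A malformed or wrong-length recorded
// digest is treated as a failure rather than silently matching nothing.
func VerifyDigest(stored []byte, recordedHex string) bool {
	want, err := hex.DecodeString(recordedHex)
	if err != nil || len(want) != sha256.Size {
		return false
	}
	got := sha256.Sum256(stored)
	return subtle.ConstantTimeCompare(got[:], want) == 1
}

// SignRelease signs the release artifact with the developer's private key
// (Question 2). Only the holder of priv can produce a valid signature.
func SignRelease(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifact)
}

// VerifyRelease checks the signature with the publisher's public key. It
// returns false if the artifact or signature was altered, or if the
// signature was produced under any other key.
func VerifyRelease(pub ed25519.PublicKey, artifact, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, artifact, sig)
}

func main() {
	// Constructed sample data standing in for the uploaded file / app bundle.
	file := []byte("constructed sample file contents")
	tampered := append([]byte{}, file...)
	tampered[0] ^= 0x01 // flip one bit

	recorded := Sha256Hex(file)
	fmt.Println("digest matches unchanged file:", VerifyDigest(file, recorded))
	fmt.Println("digest matches tampered file: ", VerifyDigest(tampered, recorded))

	// Hypothetical developer key pair generated for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := SignRelease(priv, file)
	fmt.Println("signature verifies:                ", VerifyRelease(pub, file, sig))
	fmt.Println("signature verifies on tampered file:", VerifyRelease(pub, tampered, sig))

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("signature verifies under other key: ", VerifyRelease(otherPub, file, sig))
}
```

The distinction the two questions draw is visible in what each check can and cannot prove. The digest detects any change to the bytes, but if the recorded digest is stored next to the file in the same cloud bucket, anyone who can replace the file can replace the digest too; it is an integrity control against corruption and against attackers who cannot write the reference value. The signature additionally binds the artifact to the private key, so a valid signature is evidence that the key holder published it, which is what non-repudiation rests on, provided the private key has actually been kept private.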
Question 3
-
Jason, an instructor at Dion Training, is logging into the company's exam application to write some new questions for the CompTIA Security+ exam. He enters his username/password at the login prompt and then receives a one-time code on his smartphone that he enters to validate his identity. Which of the following pillars of security was he focused on when performing this action?
Options:
- Authorization
- Accounting
- Availability
- Authentication
Overall explanation:
- Authentication verifies an entity's identity before granting access to a resource. Entering a username/password (something you know) and then the one-time code delivered to a smartphone (something you have) is a two-factor authentication process.
- Authorization determines what rights or privileges a user has after they are authenticated.
- Availability ensures data or services are ready for authorized users.
- Accounting tracks and logs user activities.
Tags: Authentication
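The one-time code in Question 3 is the second factor, and the server side has to generate and check it rather than just receive it. The following Go program is an added example, not part of the quiz or of Dion Training's exam application; it assumes the code is a time-based one-time password (TOTP, RFC 6238, 30-second step, HMAC-SHA1), which the quiz does not specify, and it uses the published RFC test secret "12345678901234567890" as a constructed enrolled secret. It also shows two checks a practitioner expects a verifier to make: tolerating one step of clock drift, and refusing to accept a code for a step that has already been used.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
)

// HOTP computes the RFC 4226 one-time code for a counter value with the
// given number of digits (dynamic truncation of HMAC-SHA1).
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// TOTP computes the RFC 6238 code for a Unix timestamp using a 30 s step.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/30), digits)
}

// Verifier is the server-side state for one enrolled user (hypothetical
// structure for this example, not the application's own).
type Verifier struct {
	Secret   []byte
	Digits   int
	lastStep int64 // highest time step already accepted; blocks replay
}

// Check accepts a code for the current step or one step either side to
// absorb clock drift, and refuses any step at or below the last one used,
// so a captured code cannot be submitted a second time.
func (v *Verifier) Check(code string, unixTime int64) bool {
	step := unixTime / 30
	for _, s := range []int64{step, step - 1, step + 1} {
		if s <= v.lastStep {
			continue
		}
		want := HOTP(v.Secret, uint64(s), v.Digits)
		if subtle.ConstantTimeCompare([]byte(code), []byte(want)) == 1 {
			v.lastStep = s
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC test secret, constructed enrolment
	v := &Verifier{Secret: secret, Digits: 6}

	now := int64(1234567890)
	code := TOTP(secret, now, 6) // what the phone app would display
	fmt.Println("code:", code)
	fmt.Println("first use accepted:  ", v.Check(code, now))
	fmt.Println("replay accepted:     ", v.Check(code, now))
	fmt.Println("wrong code accepted: ", v.Check("000000", now+30))
}
```

The password proves something the user knows; the code proves possession of the enrolled secret, which lives on the phone. Both are checked before any authorization decision is made, which is why the quiz files this under authentication rather than authorization.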
Question 4
-
David, the CTO of Dion Training, just sent out a new policy that will require all of the company's users to reset their password every 60 days using a long, strong, and complex password. Which of the following types of security controls best classifies this policy?
Options:
- Compensating
- Corrective
- Directive
- Detective
Overall explanation:
- Directive controls are policies or procedures that dictate specific actions or behaviors by users or systems. Since the CTO issued a policy mandating password resets every 60 days with specific criteria for password complexity, they were providing a clear directive to the company's users.
- Detective controls are used to detect and alert about incidents. Compensating controls provide alternatives to primary controls. Corrective controls address issues after they arise. In this scenario, the policy acts as a directive control.
Tags: Security Control Types
Question 5
-
Christle, a student support manager at Dion Training, is logging into the company's exam voucher application to help a student schedule their CompTIA Security+ exam. Even though she is already connected to the corporate network, the application asks her to validate her identity by sending her a one-time code on her smartphone that she enters to validate her identity. Which of the following security concepts is being utilized by the company's architecture?
Options:
- Zero trust
- Gap analysis
- Side loading
- Root of trust
Overall explanation:
- Zero trust is a security model that advocates for a "never trust, always verify" approach. It does not automatically trust any user or system, whether inside or outside the organizational perimeter. By requiring an internal employee to provide additional authentication factors, the system exemplifies the zero trust principle by not trusting any user by default, even if they are known and inside the network.
- Root of trust is a secure source that can be trusted within a computing system, typically embedded during the manufacturing phase, to ensure foundational security tasks.
- Gap analysis refers to a method of assessing the differences in performance between a company's current capabilities and its desired state.
- Side loading is the process of installing applications on a device without using the official app store for that platform.
Tags: Zero Trust