Network-and-Security-Foundation Questions and Answers

Authorizationis the process of granting specific access rights and permissions based on user roles. By implementingRole-Based Access Control (RBAC), organizations ensure that users only have access to resources necessary for their job functions, reducing the risk of insider threats.

Authenticationverifies identity but does not control access.

Accountinglogs activities but does not restrict access.

Availabilityensures system uptime but is unrelated to permissions.

Infrastructure as a Service (IaaS)provides virtualized computing resources over the cloud, including virtual machines where users can install and configure their own operating systems and applications. It offers flexibility and scalability without requiring hardware investment. Examples include AWS EC2 and Microsoft Azure Virtual Machines.

FaaSexecutes small code functions without infrastructure management.

PaaSprovides a managed platform but not full OS control.

SaaSoffers ready-to-use applications without infrastructure control.

Theeconomy of mechanismprinciple states that security systems should beas simple and small as possible. Reducing complexity makes security mechanisms easier to understand, audit, and defend against attacks.

Least common mechanismreduces shared resources to limit security risks.

Least privilegerestricts access based on necessity.

Zero-trust modelassumes no implicit trust in users or devices.

Human-centerednessin security design prioritizesuser experience and productivitywhile implementing security measures. It ensures that security policies are intuitive and do not excessively burden users, reducing resistance to security compliance.

Least common mechanismminimizes shared resources to enhance security.

Fail-safeensures secure defaults in case of system failure.

Zero-trust modelassumes no inherent trust in users or devices.

TheNetwork or Internet layerof the TCP/IP model is responsible for addressing, routing, and delivering packets across networks. TheInternet Protocol (IP)operates at this layer, ensuring thatdata is correctly routed from the source to the destination.

Physical or network access layerdeals with hardware transmission (e.g., Ethernet, Wi-Fi).

Application layerincludes end-user services (e.g., HTTP, FTP).

Transport layermanages data flow using protocols like TCP and UDP but does not handle IP addressing.

Enhancing physical resource securityensures that servers, networking devices, and data storage facilities are protected from unauthorized physical access, theft, or tampering. This includes measures like biometric authentication, surveillance, and restricted access zones.

Using a variable network topologydoes not directly protect data.

Increasing wireless access point rangemay improve connectivity but does not enhance security.

WEPis weak and should not be used for data protection.

TheSession layer(Layer 5 of the OSI model) is responsible for establishing, maintaining, and terminating communication sessions between network applications. It ensures that data exchanges remain synchronized and structured.

Data link layerhandles error detection and frame transmission.

Physical layerdeals with hardware-level transmission.

Transport layerensures reliable data delivery but does not manage sessions.

Confidentialityensures that only authorized users have access to sensitive information. Without proper access controls, employees may be able to view or modify sensitive data without proper authorization, leading to a confidentiality breach.

Integrityinvolves protecting data from unauthorized modifications.

Availabilityensures that systems remain operational.

Interpretationis not part of the CIA triad.

Having restoration policies in placeensures that in the event of data breaches, ransomware, or system failures, data can be quickly restored from secure backups. This minimizes downtime and data loss.

Using a variable network topologydoes not directly improve data security.

Changing passwords weeklymay lead to weaker security due to password fatigue.

WEPis obsolete and does not provide strong encryption for data protection.

Phishingis a cyberattack where attackers impersonate legitimate entities (e.g., banks, companies) and send fraudulent emails or messages designed to trick recipients into revealing sensitive information, such as usernames, passwords, or financial details. The fake link in the email directs victims to a malicious site that captures their credentials.

IP address spoofingdisguises a system’s identity but does not involve email deception.

Session hijackingtakes over an active session but does not involve email scams.

Man-in-the-middle attackintercepts communication rather than tricking users via emails.

PIPEDArequires businesses in Canada to protectpersonal informationthrough security measures andproper disposal practices. This includessecure deletion of personal data when no longer neededto prevent unauthorized access.

Compensating individuals for data salesis not a legal requirement.

Notifying individuals of each data accessis unnecessary unless required by a breach.

Disclosing security softwareis not mandated by PIPEDA.

A violation ofintegrityoccurs whendata is modified incorrectly, whether intentionally or by accident. In this case, anemployee modifying a customer account incorrectlydemonstrates a breach of data integrity.

A and Crelate toavailability, as they describe system downtime.

Drelates toconfidentiality, as it describes improper data protection.

AType 2 hypervisor(hosted hypervisor) runs on top of an existing operating system and allows for the creation of virtual machines. Examples include VMware Workstation and Oracle VirtualBox.

Type 1 hypervisorsrun directly on hardware without an OS (e.g., VMware ESXi, Microsoft Hyper-V).

Open-source and proprietarydescribe licensing models, not hypervisor types.