Module 2: Protect Organizational Assets


INTRODUCTION – Protect Organizational Assets

This module presents the study material on security controls, the foundation of security in any organization. It covers not only protection itself but also how protection extends into privacy and asset security, examining how privacy concerns shape the broader security picture. Learners will see why encryption is critical for safeguarding the privacy of digital assets and how it enables robust privacy protection mechanisms.

This module also covers how authentication and authorization methods work technically, explaining the role each plays in validating the identity of users and controlling access to systems. Students will learn the key principles and see real-world applications of them, which clarifies why maintaining the integrity and confidentiality of an organization's assets matters. The module provides theoretical knowledge together with hands-on experience so that students can navigate the challenges of asset security within an organization.

Learning Objectives

  • Define processes for effective data handling.
  • Understand how security controls reduce risk.
  • Analyze the role of encryption and hashing in the protection of assets.
  • Implement authentication security measures.
  • Implement authorization best practices to manage user access effectively.

TEST YOUR KNOWLEDGE: SAFEGUARD INFORMATION

1. What are the categories of security controls? Select all that apply.

  • Managerial (CORRECT)
  • Operational (CORRECT)
  • Privacy
  • Technical (CORRECT)

Security controls fall into three categories: technical, operational, and managerial. Technical controls rely on technology to secure assets. Operational controls are the procedures and daily practices designed to keep an environment secure. Managerial controls govern how the technical and operational measures work together to mitigate risk.

2. Fill in the blank: A data _____ decides who can access, edit, use, or destroy their information.

  • owner (CORRECT)
  • handler
  • protector
  • custodian

The data owner decides who is authorized to access, modify, use, or delete the information.

3. A writer for a technology company is drafting an article about new software features that are being released. According to the principle of least privilege, what should the writer have access to while drafting the article? Select all that apply.

  • The software they are reviewing (CORRECT)
  • Software developers who are knowledgeable about the product (CORRECT)
  • Other new software that is in development
  • Login credentials of the software users

Under the principle of least privilege, the writer should have access only to what the article requires: the software being reviewed and the developers who can answer questions about it. Other software still in development and the login credentials of users are not needed for the task.

4. Which privacy regulations influence how organizations approach data security? Select three answers.

  • Payment Card Industry Data Security Standard (PCI DSS) (CORRECT)
  • Health Insurance Portability and Accountability Act (HIPAA) (CORRECT)
  • Infrastructure as a Service (IaaS)
  • General Data Protection Regulation (GDPR) (CORRECT)

Privacy regulations such as GDPR, PCI DSS, and HIPAA have a major influence on how organizations manage their information security practices.

5. What are the three types of security controls? Select three answers.

  • Operational (CORRECT)
  • Technical (CORRECT)
  • Managerial (CORRECT)
  • Regulatory

Security controls are generalized into three categories: technical, operational, and managerial. All three are critical for an organization to protect information privacy adequately.

TEST YOUR KNOWLEDGE: ENCRYPTION METHODS

1. Which of the following elements are required when using encryption? Select all that apply.

  • Cipher (CORRECT)
  • Key (CORRECT)
  • Token
  • Certificate

Encryption requires a cipher and a key to transfer messages securely.

2. Which technologies are used in public key infrastructure (PKI) to securely exchange information online? Select two answers.

  • General Data Protection Regulation (GDPR)
  • Digital certificates (CORRECT)
  • Platform as a service (PaaS)
  • Encryption algorithms (CORRECT)

PKI uses encryption algorithms and digital certificates to exchange information securely over the web. Asymmetric and symmetric algorithms are specified for efficient and secure encryption of the data, and digital certificates establish a trust relationship between the parties exchanging that data.

3. Fill in the blank: _____ encryption produces a public and private key pair.

  • Salting
  • Asymmetric (CORRECT)
  • Symmetric
  • Hashing

Asymmetric encryption uses a pair of keys for encryption and decryption: a public key and a private key. The public key is shared openly, while the data owner keeps the private key secret.

4. An attacker gains access to a database where user passwords are secured with the SHA-256 hashing algorithm. Can the attacker decrypt the user passwords?

  • Yes. Hash algorithms produce a decryption key.
  • No. Hash algorithms do not produce decryption keys. (CORRECT)

User passwords are stored as irreversible hash values, so the attacker cannot decrypt them. Only symmetric and asymmetric encryption produce keys that allow decryption.

5. What term describes being unable to deny that information is authentic?

  • Non-repudiation (CORRECT)
  • Availability
  • Confidentiality
  • Integrity

Non-repudiation guarantees that the authenticity of information cannot be denied and confirms that the sender of a message is who they claim to be.

6. Fill in the blank: _____ is the process of transforming information into a form that unintended readers cannot understand.

  • Cryptography (CORRECT)
  • Decryption
  • Algorithm
  • Cipher

Cryptography is the process of transforming data so that it is unintelligible to unauthorized parties. The act of transforming a particular piece of information is called ciphering or encrypting it.

7. Public key infrastructure (PKI) is a two-step process that includes the exchange of encrypted information. What other step is involved in the PKI process?

  • The decryption of secret keys
  • The authentication controls of Caesar’s cipher
  • The establishment of trust using digital certificates (CORRECT)
  • The storage of public information

In PKI, encrypted information is transferred from one entity to another, and trust is established through digital certificates. Data can be encrypted using asymmetric keys, symmetric keys, or both. The identity of a site, individual, organization, device, or server is then authenticated by a digital certificate that links that entity's public key to its identity.

8. Fill in the blank: Hash values are primarily used to determine the _____ of files and applications.

  • digest
  • function
  • availability
  • integrity (CORRECT)

Hash values are primarily used to verify the integrity of data files and applications. Because a hash cannot be reversed to recover its input, hashing also supports confidentiality, for example when storing passwords.
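The two hashing answers above (question 4, why a hashed password cannot be decrypted, and question 8, hash values as an integrity check) are easier to see in working code. The following is an added example written for this page, not course material; the "system file" bytes, its trusted digest and the user names are constructed stand-ins, and the password storage uses PBKDF2 from Python's standard library rather than a bare SHA-256 so that the stored value is salted and slow to brute force.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a stand-in for a critical system file, and the digest that
# was recorded when the file was known to be good (both made up for this example).
KNOWN_GOOD_FILE = b"#!/bin/sh\n/usr/local/bin/start-service --config /etc/svc.conf\n"
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_FILE).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of data as lowercase hex: fixed length, one-way, no key."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, trusted_hex: str) -> bool:
    """Integrity check: recompute the digest and compare it with the trusted one.
    compare_digest runs in constant time, so a mismatch leaks no timing hint."""
    return hmac.compare_digest(sha256_hex(data), trusted_hex.lower())


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Store a password as a salted, iterated PBKDF2-HMAC-SHA256 digest.
    No key exists that turns this record back into the password; verification
    works only by re-deriving the digest from a candidate and comparing."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and iteration count, then compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    # Integrity: a one-path change in the file produces a completely different digest.
    tampered = KNOWN_GOOD_FILE.replace(b"/etc/svc.conf", b"/tmp/svc.conf")
    print("known-good file matches trusted digest:", verify_integrity(KNOWN_GOOD_FILE, KNOWN_GOOD_SHA256))
    print("tampered file matches trusted digest:  ", verify_integrity(tampered, KNOWN_GOOD_SHA256))

    # Passwords: the stored record reveals the salt and digest, never the password.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:  ", verify_password("Tr0ub4dor&3", record))
```

The integrity check mirrors challenge question 4 as well: the analyst recomputes the digest of the suspect file and compares it to a trusted value recorded earlier. The password part shows why question 4 of this section answers "No": a database of such records contains nothing that can be decrypted, only values that a login can be re-derived against.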

TEST YOUR KNOWLEDGE: AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING

1. What factors do authentication systems use to verify a user’s identity? Select three answers.

  • Knowledge (CORRECT)
  • Characteristic (CORRECT)
  • Authorization
  • Ownership (CORRECT)

Authentication systems verify a user's identity using three factors: something the user knows, something the user has, and something the user is.

2. How do businesses benefit from implementing single sign-on (SSO) technology? Select two answers.

  • By requiring multiple forms of identification
  • By simplifying their user management (CORRECT)
  • By providing a better user experience (CORRECT)
  • By streamlining HTTP traffic between servers

An organization benefits from introducing SSO through a better user experience and simpler user management.

3. A retail company has one employee that’s in charge of purchasing goods, another employee that’s in charge of approving new purchases, and a third employee that’s in charge of paying invoices. What security principle is the retail company implementing?

  • Non-repudiation
  • Separation of duties (CORRECT)
  • Authentication, authorization, and accounting (AAA)
  • Least privilege

The retail company is implementing separation of duties. This security practice prevents users from being granted levels of authorization that would enable them to misuse the system.

4. What are the categories of access controls? Select three answers.

  • Authentication (CORRECT)
  • Administration
  • Accounting (CORRECT)
  • Authorization (CORRECT)

The categories of access controls are authentication, authorization, and accounting.

5. What credential does OAuth use to authenticate users?

  • An application programming interface (API) token (CORRECT)
  • A digital certificate
  • A session cookie
  • A one-time passcode (OTP)

OAuth uses API tokens to authenticate users. An API token is a digital credential exchanged between a platform and a service provider to validate the identity of the user.

6. What are the three factors of authentication? Select three answers.

  • Knowledge (CORRECT)
  • Characteristic (CORRECT)
  • Algorithm
  • Ownership (CORRECT)

The three factors of authentication are characteristic, ownership, and knowledge. Ownership is proven by something in the user's possession, such as a one-time passcode.

7. Authorization controls are linked to two security principles. One is the principle of least privilege. What is the other?

  • OAuth
  • The AAA framework
  • Separation of duties (CORRECT)
  • HTTP basic auth

Authorization controls are built on the principles of separation of duties and least privilege. Separation of duties prevents a user from being granted a combination of authorizations that would let them abuse the system. Least privilege limits users' access to only those resources required for their roles.
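The purchasing scenario of question 3 and the two principles of question 7 can be expressed as a small authorization routine. The following is an added example written for this page, not course material: the company, roles, user names and purchase-order workflow are all hypothetical. Each role holds only the permission its job needs (least privilege), the same person is refused a second stage of the same order (separation of duties), and every decision is written to an audit log (accounting).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed role model (hypothetical company): each role carries only the
# permissions its job function needs, which is the least-privilege part.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "purchaser": {"po:create"},
    "approver": {"po:approve"},
    "payer": {"po:pay"},
    "auditor": {"log:read"},
}


@dataclass
class PurchaseOrder:
    po_id: str
    filed_by: str
    approved_by: Optional[str] = None
    paid_by: Optional[str] = None


class AccessControl:
    """Authorization decisions plus an accounting log of every decision."""

    def __init__(self, user_roles: Dict[str, str]):
        self.user_roles = user_roles
        self.audit_log: List[str] = []

    def has_permission(self, user: str, perm: str) -> bool:
        role = self.user_roles.get(user)
        return role is not None and perm in ROLE_PERMISSIONS.get(role, set())

    def _decide(self, user: str, perm: str, po_id: str,
                conflicts: Set[Optional[str]]) -> bool:
        # Least privilege: the user's role must explicitly hold the permission.
        if not self.has_permission(user, perm):
            self.audit_log.append(f"DENY  {user} {perm} {po_id} (no permission)")
            return False
        # Separation of duties: the same person must not perform two stages
        # of the purchasing workflow for the same order.
        if user in conflicts:
            self.audit_log.append(f"DENY  {user} {perm} {po_id} (separation of duties)")
            return False
        self.audit_log.append(f"ALLOW {user} {perm} {po_id}")
        return True

    def create_po(self, user: str, po_id: str) -> Optional[PurchaseOrder]:
        if not self._decide(user, "po:create", po_id, set()):
            return None
        return PurchaseOrder(po_id=po_id, filed_by=user)

    def approve_po(self, user: str, po: PurchaseOrder) -> bool:
        # The person who filed the order may not approve it.
        if not self._decide(user, "po:approve", po.po_id, {po.filed_by}):
            return False
        po.approved_by = user
        return True

    def pay_po(self, user: str, po: PurchaseOrder) -> bool:
        # Payment needs a prior approval, by someone other than the payer.
        if po.approved_by is None:
            self.audit_log.append(f"DENY  {user} po:pay {po.po_id} (not approved)")
            return False
        if not self._decide(user, "po:pay", po.po_id, {po.filed_by, po.approved_by}):
            return False
        po.paid_by = user
        return True


def run_demo() -> AccessControl:
    """Walk one constructed purchase order through the workflow."""
    ac = AccessControl({"alice": "purchaser", "bob": "approver",
                        "carol": "payer", "dave": "auditor"})
    po = ac.create_po("alice", "PO-1001")
    assert po is not None
    ac.approve_po("alice", po)   # denied: alice filed it (separation of duties)
    ac.approve_po("dave", po)    # denied: auditor role lacks po:approve
    ac.approve_po("bob", po)     # allowed
    ac.pay_po("bob", po)         # denied: bob approved it (separation of duties)
    ac.pay_po("carol", po)       # allowed
    return ac


if __name__ == "__main__":
    for entry in run_demo().audit_log:
        print(entry)
```

The audit log is what the accounting category of question 4 refers to: a record of who was allowed or denied which action, which is also what an analyst would review when investigating a disputed purchase.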

MODULE 2 CHALLENGE

1. Which of the following examples are categories of security controls? Select three answers.

  • Compliance
  • Operational (CORRECT)
  • Technical (CORRECT)
  • Managerial (CORRECT)

2. A paid subscriber of a news website has access to exclusive content. As a data owner, what should the subscriber be authorized to do with their account? Select three answers.

  • Review their username and password (CORRECT)
  • Update their payment details (CORRECT)
  • Stop their subscription (CORRECT)
  • Edit articles on the website

3. What do symmetric encryption algorithms use to encrypt and decrypt information?

  • A single secret key (CORRECT)
  • A hash value
  • A public and private key pair
  • A digital certificate

4. A security analyst is investigating a critical system file that may have been tampered with. How might the analyst verify the integrity of the system file?

  • By brute forcing the system file using a rainbow table.
  • By comparing the system file's hash value to a known, trusted hash value. (CORRECT)
  • By decrypting the system file's secret key using Advanced Encryption Standard (AES).
  • By opening the system file in word processing application and checking its version history.

5. Which of the following steps are part of the public key infrastructure process? Select two answers.

  • Establish trust using digital certificates (CORRECT)
  • Transfer hash digests
  • Exchange of public and private keys
  • Exchange of encrypted information (CORRECT)

6. What factors do authentication systems use to verify a user’s identity? Select three answers.

  • Ownership (CORRECT)
  • Accounting
  • Characteristic (CORRECT)
  • Knowledge (CORRECT)

7. A business has one person who receives money from customers at the register. At the end of the day, another person counts that money that was received against the items sold and deposits it. Which security principles are being implemented into business operations? Select two answers.

  • Least privilege (CORRECT)
  • Separation of duties (CORRECT)
  • Single sign-on
  • Multi-factor authentication

8. What is the purpose of security controls?

  • Encrypt information for privacy
  • Create policies and procedures
  • Establish incident response systems
  • Reduce specific security risks (CORRECT)

9. A large hotel chain collects customer email addresses as part of a national sweepstakes. As data custodians, what are the hotel chain’s responsibilities to protect this information? Select three answers.

  • To safely handle the data when it’s accessed (CORRECT)
  • To securely transport the data over networks (CORRECT)
  • To protect the data while in storage (CORRECT)
  • To edit the data when necessary

10. You send an email to a friend. The service provider of your inbox encrypts all messages that you send. What happens to the information in your email when it’s encrypted?

  • It’s converted from plaintext to ciphertext. (CORRECT)
  • It’s converted from ciphertext to plaintext.
  • It’s converted from Caesar’s cipher to plaintext.
  • It’s converted from a hash value to ciphertext.

11. Fill in the blank: A _____ is used to prove the identity of users, companies, and networks in public key infrastructure.

  • digital signature
  • access token
  • access key
  • digital certificate (CORRECT)

12. What is an advantage of using single sign-on (SSO) systems to authenticate users?

  • It prevents credential stuffing attacks.
  • Users lose access to multiple platforms when the system is down.
  • It makes the login process faster. (CORRECT)
  • Users must set multiple passwords.

13. What types of user information does an API token contain? Select two answers.

  • A user’s site permissions (CORRECT)
  • A user’s identity (CORRECT)
  • A user’s secret key
  • A user’s password

14. A customer of an online retailer has complained that their account contains an unauthorized purchase. You investigate the incident by reviewing the retailer’s access logs. Which component of the user’s session might you review?

  • Session certificate
  • Session algorithm
  • Session API key
  • Session cookie (CORRECT)

15. Which functions would fall under the category of operational security controls? Select two answers.

  • Establishing trust using digital certificates
  • Providing security awareness training (CORRECT)
  • Exchanging encrypted information
  • Responding to an incident alert (CORRECT)

16. An employee reports that they cannot log into the payroll system with their access credentials. The employee does not recall changing their username or password. As a security analyst, you are asked to review access logs to investigate whether a breach occurred. What information are you able to review as a data custodian in this situation? Select two answers.

  • The IP address of the computer used to log in (CORRECT)
  • Any coworkers’ contact information
  • Any payroll access credentials the user has stored on the server
  • The time the user signed in and out (CORRECT)

17. How is hashing primarily used by security professionals?

  • To store data in the cloud
  • To make data quickly available
  • To decrypt sensitive data
  • To determine data integrity (CORRECT)

18. What is a disadvantage of using single sign-on (SSO) technology for user authentication?

  • Employees are more vulnerable to attack.
  • Customers receive an improved user experience.
  • Username and password management is streamlined.
  • Stolen credentials can give attackers access to multiple resources. (CORRECT)

19. A shipping company imports and exports materials around the world. Their business operations include purchasing goods from suppliers, receiving shipments, and distributing goods to retailers. How should the shipping company protect their assets under the principle of separation of duties? Select two answers.

  • Have one employee approve purchase orders (CORRECT)
  • Have one employee file purchase orders (CORRECT)
  • Have one employee receive shipments and distribute goods
  • Have one employee select goods and submit payments

20. What is the practice of monitoring the access logs of a system?

  • Authorization
  • Accounting (CORRECT)
  • Authentication
  • Auditing

21. What is a key advantage of multi-factor authentication compared to single sign-on?

  • It can grant access to multiple company resources at once.
  • It is faster when authenticating users.
  • It streamlines the authentication process.
  • It requires more than one form of identification before granting access to a system. (CORRECT)

22. The main responsibility of a receptionist at a healthcare company is to check in visitors upon arrival. When visitors check in, which kinds of information should the receptionist be able to access to complete their task? Select two answers.

  • Their billing information
  • Their medical history
  • A photo ID (CORRECT)
  • The patient being visited (CORRECT)

23. What are common authorization tools that are designed with the principle of least privilege and separation of duties in mind? Select three answers.

  • OAuth (CORRECT)
  • Basic auth (CORRECT)
  • API Tokens (CORRECT)
  • SHA256

24. What are the two most common forms of identification used by authentication systems? Select two answers.

  • Username (CORRECT)
  • Facial scan
  • Fingerprint
  • Password (CORRECT)

CONCLUSION – Protect Organizational Assets

In summary, this module gives a complete perspective on asset security, covering the essential aspects of protecting organizational resources. Participants have learned how security controls protect an organization's physical and digital assets. The module addresses the important interaction between privacy and asset security by stressing encryption and its role in keeping digital resources confidential.

Understanding this relationship prepares you for the authentication and authorization systems the module also covers, which show how user identity verification fits into a unified, strong security infrastructure. The module combines theory with real-life application to prepare students to put effective asset security measures in place in an organizational environment. It leaves participants with a deep understanding of the complexities of asset security and the tools needed to deal with this important aspect of cybersecurity.
