Quiz: Security Principles

A 26-question self-check covering the chapter's principles and how they apply. Several questions are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP — so certification candidates can self-assess. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] A ransomware attack encrypts files but neither reads nor alters their contents. Which leg of the CIA triad does it primarily attack? A. confidentiality B. integrity C. availability D. non-repudiation

2. An attacker silently changes account balances in a banking ledger while the system continues to report the corrupted values as correct. This is primarily an attack on: A. confidentiality B. integrity C. availability D. authentication

3. [Sec+] "Verifying that an entity is who it claims to be" defines: A. authorization B. authentication C. accounting D. non-repudiation

4. [CISSP] Determining what an authenticated user is permitted to do is: A. authentication B. authorization C. identification D. auditing

5. [Sec+] A locked server-room door is best classified as which control function and nature? A. detective / technical B. preventive / physical C. corrective / administrative D. compensating / physical

6. A SIEM correlation rule that alerts on suspicious logins is which function? A. preventive B. detective C. corrective D. compensating

7. [Sec+] You cannot patch a legacy system, so you isolate it on its own segment and monitor it heavily to satisfy the intent of the patching requirement. The isolation is a __ control. A. preventive B. corrective C. compensating D. directive

8. [CISSP] The principle that every user and process should have only the access required for its function — and no more — is: A. separation of duties B. least privilege C. defense in depth D. fail-safe default

9. Requiring that the person who initiates a wire transfer cannot also approve it is an example of: A. least privilege B. separation of duties C. fail-open D. non-repudiation

10. [Sec+] A firewall configured to deny all traffic except what is explicitly permitted is applying: A. fail-open B. default-deny / fail-safe default C. least privilege of the data D. dual control

11. [CISSP] Designing each defensive layer as if the layer in front of it has already failed describes: A. zero trust architecture B. defense in depth C. separation of duties D. compensating controls

12. "Never trust, always verify — no implicit trust by user, device, or network location" is the slogan of: A. the perimeter model B. zero trust C. fail-open design D. dual control

13. [Sec+] Three identical firewalls from the same vendor with the same misconfiguration provide, in effect: A. three independent layers B. one layer drawn three times C. defense in depth D. separation of duties

14. Which control most directly limits an attacker's lateral movement after they compromise one ordinary user account? A. a longer password policy B. least privilege C. a deterrent banner D. fail-open authentication


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

15. "Availability is an IT-operations concern, not a security concern."

16. [Sec+] "Enabling detailed logging automatically gives an organization non-repudiation."

17. "A defense made entirely of preventive controls is well designed as long as the controls are high quality."

18. [CISSP] "Zero trust is achieved by purchasing and deploying a single zero-trust product."

19. "Information systems should always fail open so that a control failure never blocks legitimate users."

20. "Separation of duties is defeated by an administrative account powerful enough to perform every step of a sensitive process alone."


Section 3 — Fill in the blank (1 pt each)

21. The two independent axes used to classify any control are its _ (preventive, detective, corrective, compensating) and its _ (administrative, technical, physical).

22. [Sec+] The three properties of the CIA triad are confidentiality, _, and _.

23. The slow accumulation of unnecessary access rights as people change roles is called _ _.

24. The working assumption that an attacker is already inside, so you design for detection and response as well as prevention, is called _ _.


Section 4 — Short answer (2 pts each)

25. [CISSP] Explain why the function × nature control matrix is described as a gap-analysis tool, and name the imbalance most common in immature security programs.

26. [Sec+] Zero trust is described in the chapter as a synthesis of earlier principles. Name two principles it combines and explain, in two or three sentences, how it is built from them.


Answer Key

1. **C** — data is unreadable but not disclosed or altered: availability.
2. **B** — silent, unauthorized alteration is an integrity attack (and a dangerous one because it goes unnoticed).
3. **B** — authentication proves identity.
4. **B** — authorization governs permitted actions.
5. **B** — a locked door stops entry (preventive) and is a tangible barrier (physical).
6. **B** — an alert identifies an event without stopping it: detective.
7. **C** — an alternative that meets the requirement's intent is compensating.
8. **B** — least privilege.
9. **B** — splitting a high-risk process across people is separation of duties.
10. **B** — deny-by-default is fail-safe default.
11. **B** — defense in depth.
12. **B** — zero trust.
13. **B** — same vendor + same flaw = dependent failure, i.e., one layer.
14. **B** — least privilege limits what a compromised account can reach.
15. **F** — availability is core security; ransomware/DoS that discloses and alters nothing can be the worst incident of all.
16. **F** — logging records *that* something happened, but shared accounts and forgeable logs destroy attributability; non-repudiation needs action bound to a specific actor.
17. **F** — every preventive control eventually fails, and with no detective layer the breach runs unseen; quality does not substitute for depth and detection.
18. **F** — zero trust is a posture built incrementally across identity, devices, network, and data, not a SKU.
19. **F** — information systems should usually fail *closed*; fail-open is for life-safety systems (fire exits), not access control.
20. **T** — an all-powerful admin account can perform both halves of any split, silently defeating the separation.
21. function; nature.
22. integrity; availability.
23. privilege creep.
24. assume breach.
25. The matrix is a gap-analysis tool because laying real controls onto its cells makes empty cells — missing capabilities — visually obvious; the most common imbalance is a defense full of *preventive, technical* controls with empty *detective* rows and *administrative* columns (lots of walls, no way to see intruders, and no governance of the human attack surface).
26. It combines least privilege (grant only the minimum access, evaluated per request) with assume breach / fail-safe default (treat the network as hostile and deny unless explicitly verified). Zero trust applies both continuously to every access request, replacing implicit network-location trust with explicit, contextual, minimal verification — which is exactly those older principles taken to their logical end in a post-perimeter world.

**Topics to review by question:** missed 1–2, 15 → §3.1; 3–4, 16 → §3.2; 5–7, 25 → §3.3; 8–10, 14, 20 → §3.4; 11, 13, 17, 24 → §3.5; 12, 18, 26 → §3.6; 19 → §3.4 (fail-safe defaults).