Unit 2: Security, Confidentiality, and Privacy
Prepare for Unit 2: Security, Confidentiality, and Privacy with practice questions covering 7 topics. Part of ISC: Information Systems and Controls — build your knowledge and track your progress with GoCPAus.
What’s in it.
7 topics
- Topic 01: Information Security Frameworks (15 questions)
- Topic 02: Access Controls (36 questions)
- Topic 03: Network Security (45 questions)
- Topic 04: Cybersecurity Threats and Vulnerabilities (45 questions)
- Topic 05: Data Encryption and Key Management (43 questions)
- Topic 06: Privacy Laws and Regulations (42 questions)
- Topic 07: Business Continuity and Disaster Recovery (43 questions)
Sample questions
Three sample questions from this unit, each with the answer and a full explanation. The complete bank is available when you start practising.
A company's SSL inspection proxy decrypts, inspects, and re-encrypts all HTTPS traffic from employee workstations. The security team discovers that personal banking traffic and medical portal traffic are being decrypted and logged alongside business traffic. What privacy and legal risk does this create, and how should the inspection policy be remediated?
- There is no legal risk because the company owns the network and employees have no expectation of privacy when using company internet connections
- The risk is only operational — inspecting personal traffic creates unnecessary data retention obligations and should be excluded for performance reasons, not legal compliance
- The only remediation required is to delete logs of personal traffic after 24 hours; no bypass categories are needed because retention length determines legality
- Decrypting personal financial and medical traffic may violate employee privacy expectations and potentially applicable laws (HIPAA, financial privacy regulations). Remediation: configure SSL inspection bypass categories for personal banking, healthcare, and other sensitive personal domains so those sessions are not decrypted. (Correct answer)
Explanation: DNS acts as the internet's phone book, translating domain names to IP addresses. DNS hijacking redirects this translation to return malicious IP addresses:
- The attacker modifies DNS records (through compromised registrar credentials, BGP route manipulation, or router firmware compromise) to return a malicious IP when clients query for 'bank.example.com'
- Users type 'bank.example.com' in their browser — exactly the correct domain name
- Their DNS resolver returns the attacker's IP instead of the legitimate IP
- Users connect to the attacker's server, which presents a cloned banking website
- The browser URL bar shows 'bank.example.com' (correct), but the user is connected to a malicious server
Why the browser URL bar doesn't help users: they see the correct domain name because the attack happens at the DNS resolution layer, before any connection is established. Detection: a trusted CA would not issue a valid TLS certificate for bank.example.com to the attacker (unless the attacker also compromises a CA), so certificate validation in the browser is what exposes the impostor server. HSTS (HTTP Strict Transport Security) and DNSSEC (DNS Security Extensions) mitigate this attack.
NIST SP 800-53 provides a prescriptive controls catalogue for federal information systems. How does NIST SP 800-53 differ from the NIST Cybersecurity Framework (CSF)?
- NIST SP 800-53 is used for risk assessments; the NIST CSF is used for compliance audits
- NIST SP 800-53 is a prescriptive catalogue of specific security controls for federal systems; the NIST CSF is an outcome-based, voluntary framework that describes what to achieve without prescribing specific controls (Correct answer)
- NIST SP 800-53 and the NIST CSF are two names for the same framework maintained by NIST
- NIST SP 800-53 applies only to healthcare organisations; the NIST CSF applies to all critical infrastructure sectors
Explanation: The key distinction is prescriptiveness and audience. NIST SP 800-53 is a detailed, prescriptive catalogue of security and privacy controls organised into 20 control families (AC, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, PT, RA, SA, SC, SI, SR, AT). It specifies exactly what controls must be implemented for federal information systems categorised as Low, Moderate, or High impact under FIPS 199. It is mandatory for US federal agencies. The NIST CSF, in contrast, is outcome-based and technology-neutral — it describes what outcomes organisations should achieve (Identify, Protect, Detect, Respond, Recover, Govern) without specifying how. The CSF is primarily voluntary and descriptive; SP 800-53 is prescriptive and (for federal agencies) mandatory.
Two companies in the same industry enter a reciprocal agreement to use each other's facilities in the event of a disaster. What is the primary risk of this recovery site arrangement?
- The primary risk is that regulators will not accept a reciprocal agreement as a valid recovery strategy under SOX or HIPAA
- The primary risk is that the other company's systems will be incompatible with the first company's applications
- The primary risk is that the companies are competitors, creating a risk that proprietary information will be exposed during recovery operations
- A regional disaster may affect both companies simultaneously, making neither facility available for recovery when it is most needed (Correct answer)
Explanation: Reciprocal (mutual aid) agreements are a low-cost alternative to dedicated recovery sites, but they carry a significant operational risk: if both companies are in the same geographic area and a regional disaster (hurricane, power grid failure, widespread flooding) affects the region, neither company's facility may be usable. Additionally, there is a practical risk that when a disaster occurs, the host company may be at full capacity with its own operations and unable to accommodate the other company. Reciprocal agreements may also suffer from configuration incompatibility and a lack of pre-positioned data and systems. Security concerns (competitor access to proprietary systems) are real but secondary to the geographic risk. ISO/IEC 22301 guidance recommends that reciprocal agreements be supplemented with a formal contract addressing capacity guarantees, activation procedures, and information security.