1. Information Security Flashcards
P.I.I.
Personally Identifiable Information
Information Security
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Eugene Spafford quote
“The only truly secure system is one that is powered off…”
C.I.A. Triad
The Confidentiality, Integrity, and Availability Triad
Negative of the C.I.A. Triad
The D.A.D. Triad: Disclosure, Alteration, and Denial
C. of the C.I.A. Triad
Confidentiality - Ability to protect our data from those who are not authorized to view it.
I. of the C.I.A. Triad
Integrity - Ability to prevent people from changing your data in an unauthorized or undesirable manner. You need means to prevent AND reverse (detect and roll back) unauthorized change. Closely tied to the RELIABILITY of the data.
A. of the C.I.A. Triad
Availability - Ability to access our data when we need it.
DoS Attack
Denial of Service Attack. Attacks the A. of the C.I.A. Triad.
The Parkerian Hexad
C.I.A. Triad + Possession/Control, Authenticity, and Utility (C.I.A.U.P.A)
I. in the Parkerian Hexad
Integrity does NOT account for authorized, but incorrect, modification of data
P. of the Parkerian Hexad
Possession - Physical disposition of the media on which the data is stored
A. of the Parkerian Hexad (Au)
Authenticity - Whether you’ve attributed the data in question to the proper owner
U. of the Parkerian Hexad
Utility - How useful the data is to you. NOT BINARY
Types of attacks (4)
Interception, Interruption, Modification, and Fabrication
What does an Interception attack compromise of the C.I.A. Triad?
Confidentiality - Unauthorized user access
What does an Interruption attack compromise of the C.I.A. Triad?
Primarily Availability, sometimes also Integrity - Assets made unusable or unavailable
What does a modification attack compromise of the C.I.A. Triad?
Primarily Integrity, sometimes also Availability - Tampering with assets
What does a Fabrication attack compromise of the C.I.A. Triad?
Primarily Integrity, sometimes also Availability - Generating data, processes, communications, or other similar material within a system
Risk
The likelihood that something bad will happen, combined with the impact if it does. Impact takes into account the value of the asset. A risk requires BOTH a threat AND a matching vulnerability.
Steps of Risk Management (5)
Identify assets > Identify threats > Assess vulnerabilities > Assess risks > Mitigate risks (Repeat as needed)
Types of controls (3)
Physical, Logical, and Administrative
Physical controls
Protect the physical environment
Logical controls AKA Technical controls
Protect the systems, networks, and environments that process, transmit, and store data
Administrative controls
Based on rules, laws, policies, procedures, guidelines, and other items that are “paper” in nature
Incident Response Process (6)
Preparation > Detection and Analysis > Containment > Eradication > Recovery > Post Incident Activity
I.D.S.
Intrusion Detection System
A.V.
Antivirus
S.I.E.M.
Security Information and Event Management tool
M.S.S.P.
Managed Security Service Provider
Defense in Depth (Multilayered Defense)
External Network > Network Perimeter > Internal Network > Host > Application > Data (each layer wraps the next; the data is innermost)
External Network Defense EXs
DMZ, VPN, Logging, Auditing, Penetration Testing, Vulnerability Analysis
Network Perimeter Exs
Firewalls, Proxy, Logging, Auditing
Internal Network Defense Exs
IDS, IPS, Logging, Auditing
Host Defense Exs
Authentication, AV, Firewalls, IDS, IPS, Passwords
Application Defense Exs
SSO, Content filtering, Data validation, Auditing
Data Defense Exs
Encryption, Access controls, Backups
Authentication (5 types)
Act of proving who/what we claim to be - Something you Know (password, PIN), Have (badge, smart card, OTP token), Are (fingerprint, iris, retina), Do (handwriting, typing cadence, gait), and Where you are (geolocation)
Access Control Types (4)
Allowing, Denying, Limiting, Revoking
Sandbox (Limiting Control)
Set of resources devoted to a program, process, or similar entity, outside of which the entity cannot operate
C.S.R.F. (Access Control)
Cross-site request forgery - Misuses the authority the browser holds on the user's computer: the target site trusts any request that carries the user's session cookie, so an attacker-crafted page can make the browser send a request the user never intended.
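The mechanism behind this card, as an added example that is not part of the flashcards: a toy bank and a toy browser. The browser attaches the session cookie to every request aimed at the bank, so a forged form from an attacker page succeeds against a handler that checks only the cookie, and fails against one that also demands a per-session token the attacker's page cannot read. Usernames, the site name and amounts are invented for illustration.

```python
# Added example (not from the flashcards): cookie-only authentication is
# vulnerable to CSRF; a synchronizer token fixes it. Names are invented.
import hmac
import secrets
from typing import Callable, Dict


class Bank:
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}     # session cookie -> username
        self.csrf_tokens: Dict[str, str] = {}  # session cookie -> anti-CSRF token
        self.balances: Dict[str, int] = {"alice": 100, "mallory": 0}

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_hex(16)
        return sid

    def _move(self, src: str, dst: str, amount: int) -> None:
        self.balances[src] -= amount
        self.balances[dst] += amount

    def transfer_vulnerable(self, cookies: Dict[str, str], form: Dict[str, str]) -> int:
        """Authenticates by session cookie alone. The browser attaches that
        cookie to ANY request aimed at the bank, whoever caused it."""
        user = self.sessions.get(cookies.get("session", ""))
        if user is None:
            return 401
        self._move(user, form["to"], int(form["amount"]))
        return 200

    def transfer_hardened(self, cookies: Dict[str, str], form: Dict[str, str]) -> int:
        """Also requires the token that only the bank's own page embeds in its
        form; an attacker's origin cannot read it (same-origin policy)."""
        sid = cookies.get("session", "")
        user = self.sessions.get(sid)
        if user is None:
            return 401
        if not hmac.compare_digest(self.csrf_tokens[sid], form.get("csrf_token", "")):
            return 403
        self._move(user, form["to"], int(form["amount"]))
        return 200


class Browser:
    """Keeps cookies per site and sends them automatically: exactly the
    authority the card says CSRF misuses."""
    def __init__(self) -> None:
        self.cookie_jar: Dict[str, Dict[str, str]] = {}

    def set_cookie(self, site: str, name: str, value: str) -> None:
        self.cookie_jar.setdefault(site, {})[name] = value

    def submit(self, site: str, handler: Callable[..., int], form: Dict[str, str]) -> int:
        return handler(self.cookie_jar.get(site, {}), form)


def run_attack(hardened: bool) -> Dict[str, int]:
    """Alice logs in; later an attacker page makes her browser post a transfer."""
    bank, browser = Bank(), Browser()
    browser.set_cookie("bank.example", "session", bank.login("alice"))
    handler = bank.transfer_hardened if hardened else bank.transfer_vulnerable
    forged_form = {"to": "mallory", "amount": "50"}   # attacker form: no csrf_token
    status = browser.submit("bank.example", handler, forged_form)
    return {"status": status, **bank.balances}


def legitimate_transfer() -> Dict[str, int]:
    """The bank's own page includes the token, so the hardened handler accepts it."""
    bank, browser = Bank(), Browser()
    sid = bank.login("alice")
    browser.set_cookie("bank.example", "session", sid)
    form = {"to": "mallory", "amount": "10", "csrf_token": bank.csrf_tokens[sid]}
    status = browser.submit("bank.example", bank.transfer_hardened, form)
    return {"status": status, **bank.balances}


if __name__ == "__main__":
    print(run_attack(hardened=False))   # {'status': 200, 'alice': 50, 'mallory': 50}
    print(run_attack(hardened=True))    # {'status': 403, 'alice': 100, 'mallory': 0}
    print(legitimate_transfer())        # {'status': 200, 'alice': 90, 'mallory': 10}
```

`hmac.compare_digest` is used so the token comparison does not leak timing information; the same-origin policy is what keeps the token out of the attacker's reach, which is why the token, not the cookie, carries the proof of intent.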
D.A.C. (Access Control)
Discretionary access control - The owner of the resource decides who gets access to it
M.A.C. (Access Control)
Mandatory access control - The resource owner does NOT decide who gets access; a central authority does (typically via labels on subjects and objects). Contrast with D.A.C.
Ru.B.A.C.
Rule-based access control
A.B.A.C. (CAPTCHA)
Attribute-based access control - Decisions based on attributes of the Subject (e.g., "is a human", which is what a CAPTCHA checks), the Resource, or the Environment (time of day, location)
Physical Access Controls
Controlling movement in/out of buildings
Multi-level access control models (3)
Bell-La Padula Model, Biba Model, and Brewer and Nash Model
Bell-La Padula Model
CONFIDENTIALITY. Combines D.A.C. and M.A.C. "No read up. No write down" (simple security property and *-property)
Biba Model
INTEGRITY "No read down. No write up" (simple integrity property and *-integrity property; the mirror image of Bell-La Padula)
Brewer and Nash Model
Prevents conflicts of interest (the "Chinese Wall" model). Objects, company datasets, and conflict-of-interest classes; once a subject has accessed one company's dataset, it is blocked from the other datasets in the same conflict class.
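The three models on the cards above, as an added example that is not part of the flashcards: small access-check functions for Bell-La Padula and Biba, and a history-tracking class for Brewer and Nash. Level names, the subject names and the company datasets are invented for illustration.

```python
# Added example (not from the flashcards): toy enforcement of the three
# multilevel models. Labels, subjects and company names are invented.
from dataclasses import dataclass, field
from typing import Dict, Set

# Ordered sensitivity labels for Bell-La Padula (higher = more sensitive)
SENSITIVITY = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
# Ordered integrity labels for Biba (higher = more trustworthy)
INTEGRITY = {"low": 0, "medium": 1, "high": 2}


def bell_lapadula(subject: str, obj: str, op: str) -> bool:
    """Confidentiality model: no read up (simple security property),
    no write down (*-property). True when the access is allowed."""
    s, o = SENSITIVITY[subject], SENSITIVITY[obj]
    if op == "read":
        return s >= o   # may only read at or below own clearance
    if op == "write":
        return s <= o   # may only write at or above own clearance
    raise ValueError(f"unknown operation {op!r}")


def biba(subject: str, obj: str, op: str) -> bool:
    """Integrity model, the mirror image of Bell-La Padula:
    no read down (simple integrity), no write up (*-integrity)."""
    s, o = INTEGRITY[subject], INTEGRITY[obj]
    if op == "read":
        return s <= o   # may only read data at least as trustworthy as itself
    if op == "write":
        return s >= o   # may only write data no more trustworthy than itself
    raise ValueError(f"unknown operation {op!r}")


@dataclass
class BrewerNash:
    """Chinese Wall: conflict-of-interest classes group company datasets.
    Once a subject has touched one dataset in a class, the other datasets in
    that class are off limits, so the decision depends on access history."""
    coi_classes: Dict[str, Set[str]]
    history: Dict[str, Set[str]] = field(default_factory=dict)

    def can_access(self, subject: str, dataset: str) -> bool:
        seen = self.history.get(subject, set())
        if dataset in seen:
            return True      # re-reading something already touched is fine
        for members in self.coi_classes.values():
            if dataset in members and seen & (members - {dataset}):
                return False  # a competitor in the same class was already read
        return True

    def access(self, subject: str, dataset: str) -> bool:
        """Check, and on success record the access (the wall moves)."""
        if not self.can_access(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True


if __name__ == "__main__":
    print(bell_lapadula("secret", "top_secret", "read"))     # False: read up
    print(bell_lapadula("secret", "unclassified", "write"))  # False: write down
    print(biba("high", "low", "read"))                       # False: read down
    wall = BrewerNash({"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}})
    print(wall.access("analyst", "BankA"), wall.access("analyst", "BankB"))  # True False
```

Note that the first two models decide from labels alone, while Brewer and Nash cannot: the same request is allowed or denied depending on what the subject has already read, which is why the class keeps a per-subject history.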
Authorization
Process of determining exactly what an authenticated party can do
A.C.L.s (Access Control Lists)
Lists containing info about what kind of access certain parties are allowed to have to a given system
File system A.C.L. Examples
Read, Write, Execute
Network A.C.L.s
Filter access based on identifiers like IP (Internet Protocol) Addresses, Media Access Control Addresses, and Ports
Ports
Numerical designation for one side of a connection between two devices. Used to identify the application to which traffic should be routed (e.g., 443 for HTTPS)
Media Access Control Addresses
Unique identifiers assigned to each network interface by its manufacturer. Although "hard-coded", they can usually be overridden in software, so MAC-based filtering is a weak control on its own.
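A network A.C.L. of the kind the cards above describe, as an added example that is not part of the flashcards: an ordered rule list matched on IP ranges, destination port and source MAC, with first-match semantics and an implicit deny. The addresses, rules and packets are constructed for illustration; the last check shows why a rule keyed on a MAC address is easy to defeat.

```python
# Added example (not from the flashcards): a first-match network ACL
# evaluator over IP addresses, MAC addresses and ports, with implicit deny.
# Addresses, rules and packets are invented.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_mac: str


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source CIDR; default matches any address
    dst: str = "0.0.0.0/0"          # destination CIDR
    dst_port: Optional[int] = None  # None = any port
    src_mac: Optional[str] = None   # None = any interface

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src_ip) in ip_network(self.src)
                and ip_address(p.dst_ip) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (self.src_mac is None or self.src_mac.lower() == p.src_mac.lower()))


def evaluate(acl: List[Rule], packet: Packet) -> str:
    """Rules are tried in order and the first match wins. No match means the
    implicit deny applies, as on most firewalls and routers."""
    for rule in acl:
        if rule.matches(packet):
            return rule.action
    return "deny"


# Constructed ACL: the LAN may reach the web server on 443; only the admin
# workstation (identified by MAC) may reach SSH; everything else is dropped.
ADMIN_MAC = "00:11:22:33:44:55"
ACL = [
    Rule("permit", src="10.0.0.0/24", dst="10.0.1.10/32", dst_port=443),
    Rule("permit", dst="10.0.1.10/32", dst_port=22, src_mac=ADMIN_MAC),
    Rule("deny"),  # explicit catch-all, same effect as the implicit deny
]


def lan_https() -> str:
    return evaluate(ACL, Packet("10.0.0.7", "10.0.1.10", 443, "aa:bb:cc:dd:ee:01"))


def lan_ssh() -> str:
    return evaluate(ACL, Packet("10.0.0.7", "10.0.1.10", 22, "aa:bb:cc:dd:ee:01"))


def admin_ssh() -> str:
    return evaluate(ACL, Packet("10.0.0.2", "10.0.1.10", 22, ADMIN_MAC))


def spoofed_ssh() -> str:
    """A MAC can be changed in software, so a LAN attacker who learns the
    admin's MAC passes the second rule. That is the caveat on MAC filtering."""
    return evaluate(ACL, Packet("10.0.0.99", "10.0.1.10", 22, ADMIN_MAC))


if __name__ == "__main__":
    print(lan_https(), lan_ssh(), admin_ssh(), spoofed_ssh())  # permit deny permit permit
```

Rule order matters: moving the catch-all `deny` to the top would shadow both `permit` rules, a common misconfiguration when ACLs are edited by hand.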
Confused Deputy Problem
When the software with access to a resource (the deputy) has a greater level of permission to the resource than the user controlling the software, and is tricked into using that permission on the user's behalf. C.S.R.F. is a classic example: the browser is the deputy.