1 Security Principles Flashcards
5 Domains
1 Security Principles
2 Business Continuity, Disaster Recovery, and Incident Response (10%)
3 Access Control Concepts
4 Network Security
5 Security Operations
ISC2 Canon 1
Protect society, the common good, necessary public trust and confidence, and the infrastructure
ISC2 Canon 2
Act honorably, honestly, justly, responsibly, and legally
ISC2 Canon 3
Provide diligent and competent service to principals (employer or client)
ISC2 Canon 4
Advance and protect the profession
3 main goals/concerns of information security
CIA
Confidentiality:
ensuring only authorized individuals have access to information and resources
Integrity:
protecting information from unauthorized changes
Availability:
ensures authorized access to systems and data whenever needed
Confidentiality concerns/attacks (5):
1 Snooping, 2 dumpster diving, 3 eavesdropping, 4 wiretapping (electronic eavesdropping) 5 social engineering
Integrity attacks (4)
1 unauthorized modification 2 impersonation (social engineering) 3 MITM 4 replay
Availability disruptions (5)
1 DoS 2 power outages 3 hardware failure 4 destruction of equipment 5 service outages
Access Control - 3 steps
1 Identification (claiming an identity: “I’m Dave”, a username) 2 Authentication (proving that claim: password, MFA token) 3 Authorization (what the proven identity is allowed to do: permissions)
AAAs
Authentication, Authorization, Accounting
An SSO ______
shares authenticated sessions across systems
Privacy concerns/responsibilities (3)
1- we are concerned about our own private information
2 - we have a responsibility to educate users in our own organization
3 - we have a responsibility to assist privacy officials
2 common forms of private information
1 PII 2 PHI
A legal principle that privacy programs are based on
Reasonable Expectation of Privacy
The main responsibility of a cybersecurity professional is to
Manage Risk
Main Risk categories (2)
1 Internal
2 External
Risk shared among different organizations
Multiparty Risk (e.g. a breach at a shared SaaS provider affects every customer of that provider at once)
Risk assessment =
- the process of identifying and triaging risks (prioritize) based on the likelihood of occurrence and the expected impact
Threat =
- external forces that jeopardize the security of your information and systems
Threat vector
the method that an attacker uses to get to your target
Vulnerabilities
- weaknesses in your security controls that a threat might exploit to undermine the CIA of your information or systems
Risk =
Threat × Vulnerability (a risk exists only when both a vulnerability and a corresponding threat that might exploit that vulnerability are present; remove either one and the risk goes away)
Likelihood =
the probability that the event (risk) will actually occur. (low, medium, high)
Risk (definition):
- the possibility that the occurrence of an event will adversely affect the achievement of the organization’s objectives
Impact =
- the amount of damage that will occur if the risk (event) materializes
2 techniques to assess the likelihood and impact of a risk for risk assessment
1 Qualitative
2 Quantitative
Risk Treatment/Risk Management =
The process of analyzing potential responses to risks (on your list) and implementing those responses to control each risk appropriately
4 basic Risk Treatment Options
1 Risk Avoidance
2 Risk Transference
3 Risk Mitigation
4 Risk Acceptance
Risk Profile =
the combination of risks that affect an organization
Inherent Risk/Raw Risk =
- the level of risk an organization faces before any internal controls are applied
Residual Risk/Net Risk =
- the level of risk an organization faces after internal controls have been applied
Control Risk =
new risks introduced by the implementation of controls
Risk Tolerance
- the level of risk an organization is willing to accept (before action is required)
The goal of risk management is
to make sure that the combination of the residual risk and the control risk is below the organization’s risk tolerance
Control objective =
the purpose of a security control
Defense in Depth =
- applying multiple overlapping controls to achieve the same (control) objective
Security Control categories by purpose (3)
1 Preventative (stops a security issue from occurring) - firewall
2 Detective - IDS
3 Corrective/Recovery (remediates security issues that have already occurred) - backup tapes
Security Control categories by mechanism of action (3)
1 Technical/Logical (uses technology to achieve security objectives) - firewalls, encryption, access control lists
2 Administrative (processes and policies that direct people) - security awareness training, background checks, approval workflows
3 Physical (controls the physical environment) - locks, fences, guards, cameras
Change management and configuration management purpose =
change management ensures change occurs only when desired and in a controlled manner (request, review, approve, implement, roll back); configuration management records how each system is set up so its expected state is known. Together they ensure a stable operating environment
Baseline purpose =
a configuration snapshot used to assess whether a system has changed
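The baseline idea above, as an added example that is not part of the flashcards: take a snapshot of the content hashes of a host’s configuration files, store it, and later compare the live state against it. The "filesystem" here is a constructed in-memory dict of path to bytes so the script runs offline; on a real host you would walk a directory such as /etc and read the files. Content hashes are used rather than modification times because a timestamp is trivial to reset after tampering, while a hash change cannot be hidden without changing the content back.

```python
"""Configuration baseline: snapshot file hashes, then detect drift.

Added example (not the flashcards' own material). The file sets below
are constructed samples standing in for a real directory walk.
"""
import hashlib
import json


def snapshot(files):
    """Build a baseline: path -> SHA-256 hex digest of file content.

    `files` maps path -> bytes. Sorting keeps the stored baseline
    deterministic, which makes two baselines diffable as text too.
    """
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in sorted(files.items())}


def compare(baseline, current):
    """Compare a stored baseline to a fresh snapshot.

    Returns {'added': [...], 'removed': [...], 'modified': [...]} so the
    reviewer can see which kind of drift occurred, not just that it did.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def has_drifted(report):
    """True if any category in a compare() report is non-empty."""
    return any(report.values())


# Constructed sample: the approved state of a small host when the
# baseline was taken.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}

# Constructed sample: the same host some time later. One setting was
# changed and one file appeared that was never approved.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/cron.d/unexpected-job": b"* * * * * root /tmp/run.sh\n",
}


def demo():
    """Snapshot the approved state, then check the later state against it."""
    baseline = snapshot(BASELINE_FILES)
    # In practice the baseline is saved (e.g. as JSON) and reloaded later;
    # round-tripping it here shows the stored form is sufficient.
    stored = json.loads(json.dumps(baseline))
    return compare(stored, snapshot(CURRENT_FILES))


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("drifted" if has_drifted(report) else "matches baseline")
```

A real deployment would store the baseline somewhere the monitored host cannot rewrite it, since a baseline that an attacker can re-snapshot after tampering detects nothing.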
2 critical components of change management
Versioning and Version Control
(version numbers read major.minor.patch: major = incompatible or large change, minor = added features, patch = small fixes; version control keeps every revision so a change can be reviewed and rolled back)
Security Governance =
- a framework of policies, practices and strategies (from senior management) with the goal of providing direction and ascertaining that risks are managed appropriately to achieve security goals
GDPR =
(General Data Protection Regulation)
- protects the personal data of people in the EU and applies to any organization that processes that data, regardless of where the organization is located
PCI-DSS
Payment Card Industry Data Security Standard
Security Policy Framework (4 different types of documents)
1 Policies
2 Standards
3 Guidelines
4 Procedures
Policies are
Rules - mandatory bedrock documents from the top level of the organization. Written to be technology-neutral so they rarely need rewriting: “sensitive information must be encrypted using approved technology” names no specific algorithm (the standard does)
Standards are
mandatory (derive their authority from policy) and prescribe the specific details of security controls that the organization must follow (approved encryption algorithms)
Guidelines are
Advice. Not mandatory - best practices. “employees should use encrypted wireless networks whenever they are available”
Procedures are
step-by-step instructions to perform a specific task. May be mandatory or optional.
AUP =
(Acceptable Use Policy) describes authorized uses of technology and what is prohibited
Data Handling Policies =
defines what is considered sensitive information and how to protect that sensitive information
Password Policies =
documentation of password requirements (length, complexity, rotation, reuse, and when MFA is required)
BYOD (Bring Your Own Device) Policies =
the security controls that must be in place on a personal device and the types of information that may be accessed from it
Privacy Policies =
what PII is retained, and how it will be used (stored, transmitted, etc)
Change Management Policies =
describe how changes are made to the organization’s technology infrastructure (approval, rollout and rollback)
2 ways to protect for service outages:
1 Resilient systems - individual systems built with redundant components (mirrored/RAID hard drives, dual power supplies) so a single component failure does not take the system down 2 Redundant systems with failover (standby servers, cloud capacity) so a whole-system failure is absorbed by another system
AAA in IT (3 steps example)
1 username, 2 password (MFA), 3 access control list
2 factors used to evaluate (rank/triage) risks:
1 likelihood, 2 impact
Common Security Policies Content (6)
AUP, Data Handling, Password, BYOD, Privacy, Change Management