Today's Security Professional Flashcards
CIA
What are the three core objectives of cybersecurity?
confidentiality, integrity, and availability
Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information.
Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally.
Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
Nonrepudiation means…
Nonrepudiation means that someone who performed some action, such as sending a message, **cannot later deny having taken that action.**
Digital signatures are a common example of nonrepudiation. They allow anyone who is interested to confirm that a message truly originated with its purported sender.
Controls are classified by their mechanism of action (category) and their intent (type); mnemonic: TMOPs, 1P, 2Cs, 3Ds.
Security controls and types?
Controls are grouped into categories based on the way they achieve their objectives:
* managerial,
* operational,
* physical, and
* technical.
Types, based on their intended purpose:
* preventive,
* detective,
* corrective,
* deterrent,
* compensating, and
* directive.
What does AAA stand for?
Authentication, Authorization, and Accounting (AAA) (Authenticating people, authenticating systems, authorization models)
What does zero trust mean?
Never trust, always verify; the architecture is divided into a control plane and a data plane.
What is the DAD triad?
disclosure, alteration, and denial; each maps to an element of the CIA triad
CIA and DAD triads are very useful tools for cybersecurity planning and risk analysis
What are the types of risk? (FISOC)
- Financial
- Reputational
- Identity Theft
- Strategic Risk
- Operational Risk
- Compliance Risk
What approach would you take to implementing security controls?
1) Gap analysis: review the control objectives for a particular organization, system, or service and then examine the controls designed to achieve those objectives.
Gaps identified during a gap analysis should be treated as potential risks and remediated as time and resources permit.
What are the security control categories and types?
Preventive controls intend to stop a security issue before it occurs. Firewalls and encryption are examples of preventive controls.
Deterrent controls seek to prevent an attacker from attempting to violate security policies. Vicious guard dogs and barbed wire fences are examples of deterrent controls.
Detective controls identify security events that have already occurred. Intrusion detection systems are detective controls.
Corrective controls remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a corrective control.
Compensating controls are controls designed to mitigate the risk associated with exceptions made to a security policy.
Directive controls inform employees and others what they should do to achieve security objectives. Policies and procedures are examples of directive controls.
PCI DSS compensating control requirements
The Payment Card Industry Data Security Standard (PCI DSS) includes one of the most formal compensating control processes in use today. It sets out three criteria that must be met for a compensating control to be satisfactory:
- The control must meet the intent and rigor of the original requirement.
- The control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
- The control must be “above and beyond” other PCI DSS requirements.
In many cases, organizations adopt compensating controls to address a temporary exception to a security requirement. In those cases, the organization should also develop remediation plans designed to bring the organization back into compliance with the literal meaning and intent of the original control.
What are the states of data we need to protect?
Data at rest is stored data that resides on hard drives, tapes, in the cloud, or on other storage media. This data is prone to theft by insiders or external attackers who gain access to systems and are able to browse through their contents.
Data in transit is data that is in motion/transit over a network. When data travels on an untrusted network, it is open to eavesdropping attacks by anyone with access to those networks.
Data in use is data that is actively in use by a computer system. This includes the data stored in memory while processing takes place. An attacker with control of the system may be able to read the contents of memory and steal sensitive information.
What is data encryption?
Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems. Encrypted data is unintelligible to anyone who does not have access to the appropriate decryption key, making it safe to store and transmit encrypted data over otherwise insecure means.
What are DLP systems?
What is Agent-based DLP?
What is DRM?
Data loss prevention (DLP) systems help organizations enforce information handling policies and procedures to prevent data loss and theft. They search systems for stores of sensitive information that might be unsecured and monitor network traffic for potential attempts to remove sensitive information from the organization. They can act quickly to block the transmission before damage is done and alert administrators to the attempted breach.
DLP systems work in two different environments:
* Agent-based DLP
* Agentless (network-based) DLP
Agent-based DLP uses software agents installed on systems that search those systems for the presence of sensitive information. These searches often turn up Social Security numbers, credit card numbers, and other sensitive information in the most unlikely places!
Detecting the presence of stored sensitive information allows security professionals to take prompt action to either remove it or secure it with encryption. Taking the time to secure or remove information now may pay handsome rewards down the road if the device is lost, stolen, or compromised.
Agent-based DLP can also monitor system configuration and user actions, blocking undesirable actions. For example, some organizations use host-based DLP to block users from accessing USB-based removable media devices that they might use to carry information out of the organization’s secure environment.
Agentless (network-based) DLP systems are dedicated devices that sit on the network and monitor outbound network traffic, watching for any transmissions that contain unencrypted sensitive information. They can then block those transmissions, preventing the unsecured loss of sensitive information.
DLP systems may simply block traffic that violates the organization’s policy, or in some cases, they may automatically apply encryption to the content. This automatic encryption is commonly used with DLP systems that focus on email.
DLP systems also have two mechanisms of action:
Pattern matching, where they watch for the telltale signs of sensitive information. For example, if they see a number that is formatted like a credit card or Social Security number, they can automatically trigger on that. Similarly, they may contain a database of sensitive terms, such as “Top Secret” or “Business Confidential,” and trigger when they see those terms in an outbound transmission.
Watermarking, where systems or administrators apply electronic tags to sensitive documents and then the DLP system can monitor systems and networks for unencrypted content containing those tags.
Watermarking technology is also commonly used in digital rights management (DRM) solutions that enforce copyright and data ownership restrictions.
Data Minimization
Data minimization techniques seek to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis. The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet our original business purpose.
If we can’t completely remove data from a dataset, we can often transform it into a format where the original sensitive information is deidentified. The deidentification process removes the ability to link data back to an individual, reducing its sensitivity.
An alternative to deidentifying data is transforming it into a format where the original information can’t be retrieved. This is a process called data obfuscation, and we have several tools at our disposal to assist with it:
Hashing uses a hash function to transform a value in our dataset to a corresponding hash value. If we apply a strong hash function to a data element, we may replace the value in our file with the hashed value.
Although it isn’t possible to retrieve the original value directly from the hashed value, there is one major flaw to this approach. If someone has a list of possible values for a field, they can conduct something called a rainbow table attack. In this attack, the attacker computes the hashes of those candidate values and then checks to see if those hashes exist in our data file.
For example, imagine that we have a file listing all the students at our college who have failed courses but we hash their student IDs. If an attacker has a list of all students, they can compute the hash values of all student IDs and then check to see which hash values are on the list. For this reason, hashing should be used only with caution.
Tokenization replaces sensitive values with a unique identifier using a lookup table. For example, we might replace a widely known value, such as a student ID, with a randomly generated 10-digit number. We’d then maintain a lookup table that allows us to convert those back to student IDs if we need to determine someone’s identity. Of course, if you use this approach, you need to keep the lookup table secure!
Masking partially redacts sensitive information by replacing some or all sensitive fields with blank characters. For example, we might replace all but the last four digits of a credit card number with X’s or *’s to render the card number unreadable.
Types of restriction
Access Restrictions
Access restrictions are security measures that limit the ability of individuals or systems to access sensitive information or resources. Two common types of access restrictions are geographic restrictions and permission restrictions:
Geographic restrictions limit access to resources based on the physical location of the user or system. For example, an organization may restrict access to a database to only those users located within a certain country or region. This can help to prevent unauthorized access from outside of the organization’s trusted network.
Permission restrictions limit access to resources based on the user’s role or level of authorization. For example, a company may grant access to financial data only to authorized personnel who have undergone appropriate background checks and training.
Segmentation and Isolation
Organizations may also limit the access to sensitive systems based on their network location. Segmentation places sensitive systems on separate networks where they may communicate with each other but have strict restrictions on their ability to communicate with systems on other networks. Isolation goes a step further and completely cuts a system off from access to or from outside networks.
What are the categories of security controls?
- Technical
- Managerial
- Operational
- Physical
List the types of security control.
- Preventive
- Deterrent
- Detective
- Corrective
- Compensating
- Directive
What does the acronym CIA stand for in cybersecurity?
- Confidentiality
- Integrity
- Availability
What is non-repudiation?
A fundamental security concept ensuring that a party cannot deny the authenticity of their signature on a message or the sending of a message itself.
What is gap analysis?
A method for assessing the difference between the current state and desired future state of security measures.
What are the cryptographic solutions mentioned for data protection?
- Obfuscation
- Tokenization
- Data masking
What are the general data considerations in security?
- Data states
- Data at rest
- Data in transit
- Data in use
What methods can be used to secure data?
- Geographic restrictions
- Encryption
- Hashing
- Masking
- Tokenization
- Obfuscation
- Segmentation
- Permission restrictions
What are the elements of the risk management process?
- Risk identification
True or False: Security professionals are responsible for protecting the availability of information systems.
True
Fill in the blank: The basic objectives of cybersecurity include ________, integrity, and availability.
confidentiality
What is the role of security professionals in an organization?
To protect the confidentiality, integrity, and availability of information and information systems.
What does the risk management process help security professionals to do?
Identify and mitigate risks to the organization’s information and systems.
What are the three key objectives of cybersecurity programs?
Confidentiality, Integrity, Availability
These objectives are often referred to as the CIA triad.
What does confidentiality in cybersecurity ensure?
Unauthorized individuals cannot gain access to sensitive information.
Security controls such as firewalls, access control lists, and encryption are implemented to protect confidentiality.
What are some examples of security controls that protect confidentiality?
- Firewalls
- Access control lists
- Encryption
These measures help prevent unauthorized access to sensitive information.
What does integrity in cybersecurity ensure?
No unauthorized modifications to information or systems.
Integrity controls include hashing and integrity monitoring solutions.
What are integrity threats?
- Unauthorized alteration by attackers
- Nonmalicious sources like power spikes
Integrity is crucial for maintaining the accuracy and trustworthiness of information.
What does availability in cybersecurity ensure?
Information and systems are ready for legitimate users when needed.
Availability controls include fault tolerance, clustering, and backups.
What are availability threats?
- Attackers seeking disruption of access
- Nonmalicious sources like natural disasters
These threats can prevent legitimate users from accessing necessary information or services.
What is the CIA triad in cybersecurity?
Confidentiality, Integrity, Availability
Cybersecurity analysts refer to these three goals when assessing risks and security controls.
What is nonrepudiation in the context of cybersecurity?
Assurance that someone cannot deny having performed an action.
Digital signatures are a common example of nonrepudiation.
True or False: Nonrepudiation is part of the CIA triad.
False
Nonrepudiation is an important goal but is not one of the three objectives in the CIA triad.
Fill in the blank: The main components of the CIA triad security model are _______.
Confidentiality, Integrity, Availability
Understanding these components is essential for cybersecurity professionals.
What is a security incident?
A breach of the confidentiality, integrity, and/or availability of information or information systems.
What are the three main causes of security incidents?
- Malicious activity
- Accidental activity
- Natural activity
What does the DAD triad represent?
The three key threats to cybersecurity: disclosure, alteration, and denial.
What does disclosure refer to in cybersecurity?
The exposure of sensitive information to unauthorized individuals, violating confidentiality.
What is data exfiltration?
When attackers gain access to sensitive information and remove it from the organization.
What does alteration mean in the context of cybersecurity?
The unauthorized modification of information, violating integrity.
What is denial in cybersecurity?
The disruption of an authorized user’s legitimate access to information, violating availability.
What can cause denial events?
- Intentional attacks (e.g., DDoS)
- Accidental activity (e.g., server failure)
- Natural activity (e.g., natural disasters)
What are the five categories of potential impact from a security incident?
- Financial
- Reputational
- Strategic
- Operational
- Compliance
What is financial risk in the context of a data breach?
The risk of monetary damage to the organization as a result of a data breach.
What is reputational risk?
The loss of goodwill among stakeholders due to negative publicity surrounding a security breach.
Fill in the blank: The most common impact on individuals from a security breach is the risk of _______.
identity theft.
What does strategic risk refer to?
The risk that an organization will become less effective in meeting its major goals and objectives due to a breach.
What is operational risk?
Risk to the organization’s ability to carry out its day-to-day functions.
What is compliance risk?
The risk of violating legal or regulatory requirements due to a security breach.
True or False: A risk can only fit into one category.
False.
How can a data breach affect compliance risk?
By causing an organization to run afoul of legal or regulatory requirements, leading to potential sanctions.
What is an example of compliance risk related to healthcare?
Violating HIPAA requirements by losing patient medical records.
What is the purpose of control objectives in an organization?
To express the level of protection required to preserve confidentiality, integrity, and availability of information and systems.
What are security controls?
Specific measures that fulfill the security objectives of an organization.
What is a gap analysis in cybersecurity?
An evaluation of security controls to identify cases where they do not meet the control objectives.
What should be done with gaps identified during a gap analysis?
They should be treated as potential risks and remediated as time and resources permit.
What are the four categories of security controls?
- Technical controls
- Operational controls
- Managerial controls
- Physical controls
What do technical controls enforce?
Confidentiality, integrity, and availability in the digital space.
Give an example of a technical security control.
Firewall rules, access control lists, intrusion prevention systems, encryption.
What do operational controls include?
Processes to manage technology in a secure manner, such as user access reviews and log monitoring.
What is the focus of managerial controls?
The mechanics of the risk management process.
Provide examples of physical security controls.
- Fences
- Perimeter lighting
- Locks
- Fire suppression systems
- Burglar alarms
What should organizations consider when selecting security controls?
Criteria and parameters imposed by their environment or outside regulators.
What is an example of combining different control categories?
Preventing unauthorized access to a datacenter using biometric locks, user access reviews, and routine risk assessments.
What are the types of security controls based on their desired effect?
- Preventive controls
- Deterrent controls
- Detective controls
- Corrective controls
- Compensating controls
- Directive controls
What do preventive controls aim to do?
Stop a security issue before it occurs.
What is an example of a deterrent control?
Vicious guard dogs or barbed wire fences.
What do detective controls identify?
Security events that have already occurred.
What is a corrective control?
Remediates security issues that have already occurred.
What is the purpose of compensating controls?
To mitigate the risk associated with exceptions made to a security policy.
What do directive controls inform employees about?
What they should do to achieve security objectives.
What are the three criteria for a satisfactory compensating control according to PCI DSS?
- Meet the intent and rigor of the original requirement
- Provide a similar level of defense as the original requirement
- Be ‘above and beyond’ other PCI DSS requirements
What is an example of using a compensating control?
Running an outdated operating system on an isolated network to mitigate security risks.
Why might organizations adopt compensating controls?
To address temporary exceptions to a security requirement.
What should organizations develop alongside compensating controls?
Remediation plans to return to compliance with the original control requirements.
What are the three states of data?
Data at rest, Data in transit, Data in use
Define ‘data at rest’.
Stored data that resides on hard drives, tapes, in the cloud, or on other storage media
What is ‘data in transit’?
Data that is in motion/transit over a network
What does ‘data in use’ refer to?
Data that is actively in use by a computer system
What is the primary purpose of data encryption?
To protect information from prying eyes while in transit or at rest
True or False: Encrypted data is unintelligible to anyone without the appropriate decryption key.
True
What do data loss prevention (DLP) systems do?
Help organizations enforce information handling policies and prevent data loss and theft
List the two environments where DLP systems operate.
- Agent-based DLP
- Agentless (network-based) DLP
Describe agent-based DLP.
Uses software agents installed on systems to search for sensitive information
What is agentless (network-based) DLP?
Dedicated devices that monitor outbound network traffic for unencrypted sensitive information
What are the two mechanisms of action used by DLP systems?
- Pattern matching
- Watermarking
Define data minimization.
Techniques that seek to reduce the amount of sensitive information maintained regularly
What is the main strategy for achieving data minimization?
Destroy data when it is no longer necessary
What does deidentification do?
Removes the ability to link data back to an individual, reducing sensitivity
Fill in the blank: The process of transforming data into a format where the original information can’t be retrieved is called _______.
data obfuscation
What is hashing?
Using a hash function to transform a value into a corresponding hash value
What is tokenization?
Replacing sensitive values with a unique identifier using a lookup table
What is masking in the context of data protection?
Partially redacting sensitive information by replacing some fields with blank characters
What are access restrictions?
Security measures that limit the ability to access sensitive information or resources
Differentiate between geographic restrictions and permission restrictions.
- Geographic restrictions limit access based on the physical location
- Permission restrictions limit access based on the user’s role or authorization
What is the purpose of segmentation in network security?
To place sensitive systems on separate networks with strict communication restrictions
What does isolation mean in the context of data security?
Completely cutting a system off from access to or from outside networks
What are the three main goals of cybersecurity professionals?
Confidentiality, integrity, and availability
These goals are collectively known as the CIA triad.
What does confidentiality in cybersecurity ensure?
Unauthorized individuals cannot access sensitive information
This is crucial for protecting personal and organizational data.
What is meant by integrity in the context of cybersecurity?
No unauthorized modifications to information or systems
Integrity encompasses both intentional and unintentional changes.
Define availability in cybersecurity.
Information and systems are ready for legitimate users when needed
This ensures that services remain operational and accessible.
What is the CIA triad?
A model that outlines the three main goals of cybersecurity: confidentiality, integrity, and availability
It serves as a framework for understanding and addressing security risks.
What must cybersecurity analysts evaluate to protect their organizations?
Risks to the CIA triad
This involves assessing potential threats and vulnerabilities.
What types of security controls should be implemented?
Managerial, operational, technical, and physical controls
Each category addresses different aspects of security.
What are the types of controls that should be varied in a cybersecurity strategy?
- Preventive
- Detective
- Corrective
- Deterrent
- Compensating
- Directive
A diverse mix of controls enhances overall security posture.
Fill in the blank: The goals of cybersecurity are known as the _______.
CIA triad
This acronym represents confidentiality, integrity, and availability.
True or False: Availability means that sensitive information is always accessible to unauthorized users.
False
Availability refers to access for legitimate users, not unauthorized individuals.