1 Today's Security Professional Flashcards

1
Q

CIA

What are the three core objectives of cybersecurity?

A

confidentiality, integrity, and availability

Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information.

Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally.

Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.

2
Q

Nonrepudiation means…

A

Nonrepudiation means that someone who performed some action, such as sending a message, cannot later deny having taken that action.

Digital signatures are a common example of nonrepudiation. They allow anyone who is interested to confirm that a message truly originated with its purported sender.

3
Q

their mechanism of action and their intent - TMOPs, 1P, 2Cs, 3Ds

Security controls and types?

A

Categories, based on the way controls achieve their objectives:
* managerial,
* operational,
* physical, and
* technical.

Types, based on their intended purpose:
* preventive,
* detective,
* corrective,
* deterrent,
* compensating, and
* directive.

4
Q

What does AAA stand for?

A

Authentication, Authorization, and Accounting (AAA) (Authenticating people, authenticating systems, authorization models)

5
Q

What does Zero trust mean

A

Never trust, always verify: no request is trusted because of where it comes from (being inside the corporate network is not a trusted position); every access is authenticated and authorized before it is granted.

Zero trust architectures are described in terms of a control plane (the policy engine and administrator that decide whether a request should be allowed) and a data plane (the enforcement points that actually carry, permit, or drop the traffic).

6
Q

What is the DAD triad?

A

The DAD triad is the attacker's view of the CIA triad: disclosure (the failure of confidentiality), alteration (the failure of integrity), and denial (the failure of availability).

Together, the CIA and DAD triads are very useful tools for cybersecurity planning and risk analysis: CIA names what you are protecting, DAD names what an attacker is trying to cause.

7
Q

Types of risk

A

Financial risk (direct monetary loss)
Reputational risk (loss of goodwill, e.g., when a breach exposes customers to identity theft)
Strategic risk (the organization's ability to carry out its plans)
Operational risk (the organization's ability to carry out day-to-day functions)
Compliance risk (violating a legal or regulatory requirement)

8
Q

Implementing Security Controls

A

Gap analysis reviews the control objectives for a particular organization, system, or service and then examines the controls designed to achieve those objectives, looking for objectives that no control (or no adequate control) covers.

Gaps identified during a gap analysis should be treated as potential risks and remediated as time and resources permit.

10
Q

What are the security control categories and types?

A

Preventive controls intend to stop a security issue before it occurs. Firewalls and encryption are examples of preventive controls.

Deterrent controls seek to prevent an attacker from attempting to violate security policies. Vicious guard dogs and barbed wire fences are examples of deterrent controls.

Detective controls identify security events that have already occurred. Intrusion detection systems are detective controls.

Corrective controls remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a corrective control.

Compensating controls are controls designed to mitigate the risk associated with exceptions made to a security policy.

Directive controls inform employees and others what they should do to achieve security objectives. Policies and procedures are examples of directive controls.

11
Q

PCI DSS requirement

A

The Payment Card Industry Data Security Standard (PCI DSS) includes one of the most formal compensating control processes in use today. It sets out three criteria that must be met for a compensating control to be satisfactory:

The control must meet the intent and rigor of the original requirement.

The control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.

The control must be “above and beyond” other PCI DSS requirements.

In many cases, organizations adopt compensating controls to address a temporary exception to a security requirement. In those cases, the organization should also develop remediation plans designed to bring the organization back into compliance with the literal meaning and intent of the original control.

12
Q

What are the states of data we need to protect?

A

Data at rest is stored data that resides on hard drives, tapes, in the cloud, or on other storage media. This data is prone to theft by insiders or external attackers who gain access to systems and are able to browse through their contents.

Data in transit is data that is in motion/transit over a network. When data travels on an untrusted network, it is open to eavesdropping attacks by anyone with access to those networks.

Data in use is data that is actively in use by a computer system. This includes the data stored in memory while processing takes place. An attacker with control of the system may be able to read the contents of memory and steal sensitive information.

13
Q

What is data encryption

A

Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems. Encrypted data is unintelligible to anyone who does not have access to the appropriate decryption key, making it safe to store and transmit encrypted data over otherwise insecure means.

14
Q

Data Loss Prevention

A

Data loss prevention (DLP) systems help organizations enforce information handling policies and procedures to prevent data loss and theft. They search systems for stores of sensitive information that might be unsecured and monitor network traffic for potential attempts to remove sensitive information from the organization. They can act quickly to block the transmission before damage is done and alert administrators to the attempted breach.

DLP systems work in two different environments:

* Agent-based DLP
* Agentless (network-based) DLP

Agent-based DLP uses software agents installed on systems that search those systems for the presence of sensitive information. These searches often turn up Social Security numbers, credit card numbers, and other sensitive information in the most unlikely places!

Detecting the presence of stored sensitive information allows security professionals to take prompt action to either remove it or secure it with encryption. Taking the time to secure or remove information now may pay handsome rewards down the road if the device is lost, stolen, or compromised.

Agent-based DLP can also monitor system configuration and user actions, blocking undesirable actions. For example, some organizations use host-based DLP to block users from accessing USB-based removable media devices that they might use to carry information out of the organization’s secure environment.

Agentless (network-based) DLP systems are dedicated devices that sit on the network and monitor outbound network traffic, watching for any transmissions that contain unencrypted sensitive information. They can then block those transmissions, preventing the unsecured loss of sensitive information.

DLP systems may simply block traffic that violates the organization’s policy, or in some cases, they may automatically apply encryption to the content. This automatic encryption is commonly used with DLP systems that focus on email.

DLP systems also have two mechanisms of action:

Pattern matching, where they watch for the telltale signs of sensitive information. For example, if they see a number that is formatted like a credit card or Social Security number, they can automatically trigger on that. Similarly, they may contain a database of sensitive terms, such as “Top Secret” or “Business Confidential,” and trigger when they see those terms in an outbound transmission.

Watermarking, where systems or administrators apply electronic tags to sensitive documents and then the DLP system can monitor systems and networks for unencrypted content containing those tags.

Watermarking technology is also commonly used in digital rights management (DRM) solutions that enforce copyright and data ownership restrictions.
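The two mechanisms of action above, pattern matching and watermark detection, as an added example that is not part of the original flashcards. The messages, the sensitivity terms, the `[[DLP-TAG:...]]` watermark syntax, and the block/encrypt/allow policy are all constructed for illustration; the card-number check adds a Luhn checksum so that a number that merely looks like a card does not trigger a block.

```python
import re

# Constructed sample of outbound messages (not real data) that a
# network-based DLP engine might inspect. Message 2 carries a number that
# is formatted like a card but fails the Luhn check, which is the kind of
# false positive a regex-only engine would wrongly block.
SAMPLE_MESSAGES = [
    "Invoice attached, card on file ends 4242",
    "Please charge 4111 1111 1111 1111 for the deposit",
    "My parcel tracking number is 4111 1111 1111 1112",
    "Applicant SSN 219-09-9999 for the background check",
    "Agenda for the offsite, see the Business Confidential notes",
    "Draft policy attached [[DLP-TAG:HR-RESTRICTED]]",
    "Lunch at noon?",
]

# Pattern matching: 13-16 digits with optional space/dash separators (PAN),
# a US SSN with the structurally invalid ranges excluded, and a small
# dictionary of sensitivity markers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
TERM_RE = re.compile(r"\b(top secret|business confidential)\b", re.IGNORECASE)

# Watermarking: a hypothetical tag an administrator stamps into sensitive
# documents; the engine only has to recognise the tag, not understand the
# content. The tag syntax is an assumption made for this example.
WATERMARK_RE = re.compile(r"\[\[DLP-TAG:([A-Z0-9-]+)\]\]")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; cuts regex false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_message(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) findings for one outbound message."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("credit_card", m.group()))
    findings += [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    findings += [("keyword", m.group()) for m in TERM_RE.finditer(text)]
    findings += [("watermark", m.group(1)) for m in WATERMARK_RE.finditer(text)]
    return findings


def enforce(text: str) -> str:
    """Policy decision: block PAN/SSN leaks outright, force encryption for
    marked content, allow everything else. Which action maps to which
    finding is the organisation's policy choice, assumed here."""
    kinds = {kind for kind, _ in scan_message(text)}
    if kinds & {"credit_card", "ssn"}:
        return "block"
    if kinds & {"keyword", "watermark"}:
        return "encrypt"
    return "allow"


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{enforce(msg):8} {scan_message(msg)}  <- {msg!r}")
```

The Luhn check is what separates a usable engine from a noisy one: most 16-digit strings in business mail (tracking numbers, account references) are not cards, and a DLP that blocks them trains users to route around it.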

15
Q

Data Minimization

A

Data minimization techniques seek to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis. The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet our original business purpose.

If we can’t completely remove data from a dataset, we can often transform it into a format where the original sensitive information is deidentified. The deidentification process removes the ability to link data back to an individual, reducing its sensitivity.

An alternative to deidentifying data is transforming it into a format where the original information can’t be retrieved. This is a process called data obfuscation, and we have several tools at our disposal to assist with it:

Hashing uses a hash function to transform a value in our dataset to a corresponding hash value. If we apply a strong hash function to a data element, we may replace the value in our file with the hashed value.

Although it isn't possible to retrieve the original value directly from the hashed value, there is one major flaw to this approach. If someone has a list of possible values for a field, they can conduct what is commonly called a rainbow table attack (strictly, a precomputed dictionary attack; a rainbow table is a space-optimised way of storing the same precomputation). The attacker computes the hashes of those candidate values and then checks to see whether those hashes exist in our data file. The attack works because the hash is unkeyed and deterministic and the set of candidate values is small.

For example, imagine that we have a file listing all the students at our college who have failed courses, but we hash their student IDs. If an attacker has a list of all students, they can compute the hash values of all student IDs and then check which hash values are on the list. For this reason, hashing should only be used with caution.

Tokenization replaces sensitive values with a unique identifier using a lookup table. For example, we might replace a widely known value, such as a student ID, with a randomly generated 10-digit number. We'd then maintain a lookup table that allows us to convert those back to student IDs if we need to determine someone's identity. Of course, if you use this approach, you need to keep the lookup table secure!

Masking partially redacts sensitive information by replacing some or all of a sensitive field with placeholder characters. For example, we might replace all but the last four digits of a credit card number with X's or *'s to render the card number unreadable.
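The three obfuscation tools and the attack on plain hashing, as an added example that is not part of the original flashcards. The roster and the "failed courses" list are constructed data; the keyed-hash variant (HMAC with a secret key) goes one step beyond the card to show what defeats the precomputation, and is an addition of this example rather than something the card lists.

```python
import hashlib
import hmac
import secrets

# Constructed data (not a real roster): every student ID the college knows,
# and the subset that appears in a "failed a course" report we want to share
# without naming anyone.
ROSTER = ["S1000234", "S1000235", "S1000236", "S1000237", "S1000238"]
FAILED = ["S1000235", "S1000238"]


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def hash_dataset(ids: list[str]) -> list[str]:
    """Plain hashing: each ID is replaced by its unsalted SHA-256 digest."""
    return [sha256_hex(i) for i in ids]


def precomputation_attack(hashed_file: list[str], candidates: list[str]) -> list[str]:
    """The attack the card describes: hash every candidate value and see
    which digests appear in the published file. No key and a small input
    space means every entry is recovered."""
    table = {sha256_hex(c): c for c in candidates}
    return sorted(table[h] for h in hashed_file if h in table)


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC with a secret key (a standard mitigation added here, beyond what
    the card lists): without the key the attacker cannot build the table."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


class Tokenizer:
    """Tokenization: random 10-digit surrogate plus a lookup table. The
    table reverses the transformation, so it must be protected as strictly
    as the original data."""

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = f"{secrets.randbelow(10**10):010d}"
            while token in self._to_value:  # guard against a surrogate collision
                token = f"{secrets.randbelow(10**10):010d}"
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def mask_card(pan: str, keep_last: int = 4, fill: str = "X") -> str:
    """Masking: redact all but the last `keep_last` digits, keeping layout."""
    n_digits = sum(c.isdigit() for c in pan)
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - keep_last else fill)
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    print("recovered from plain hashes:", precomputation_attack(hash_dataset(FAILED), ROSTER))
    key = secrets.token_bytes(32)
    print("recovered from keyed hashes:",
          precomputation_attack([keyed_hash(i, key) for i in FAILED], ROSTER))
    tok = Tokenizer()
    t = tok.tokenize("S1000235")
    print("token:", t, "->", tok.detokenize(t))
    print(mask_card("4111 1111 1111 1111"))
```

Note that tokenization and keyed hashing both move the secret somewhere else (the lookup table, the HMAC key); they reduce the sensitivity of the dataset only as long as that secret is held more tightly than the data was.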

16
Q

Types of access restriction

A

Access Restrictions
Access restrictions are security measures that limit the ability of individuals or systems to access sensitive information or resources. Two common types of access restrictions are geographic restrictions and permission restrictions:

Geographic restrictions limit access to resources based on the physical location of the user or system. For example, an organization may restrict access to a database to only those users located within a certain country or region. This can help to prevent unauthorized access from outside of the organization’s trusted network.

Permission restrictions limit access to resources based on the user’s role or level of authorization. For example, a company may grant access to financial data only to authorized personnel who have undergone appropriate background checks and training.

17
Q

Segmentation and Isolation

A

Organizations may also limit the access to sensitive systems based on their network location. Segmentation places sensitive systems on separate networks where they may communicate with each other but have strict restrictions on their ability to communicate with systems on other networks. Isolation goes a step further and completely cuts a system off from access to or from outside networks.