1.2: Security Concepts Flashcards
Summarize fundamental security concepts
CIA Triad
Confidentiality, Integrity, and Availability.
Confidentiality
Protecting information from unauthorized access. Examples: Encryption, access control lists. An attack would seek to disclose the information.
Integrity
Ensuring data is accurate and unaltered. Examples: Hashing, digital signatures. An attack would seek to corrupt or alter the data.
Availability
Ensuring systems and data are accessible to those who are authorized when needed. Examples: Redundant systems, backups.
Non-repudiation
- Non-repudiation ensures that a party cannot deny the authenticity/origin of their communications and transactions.
- Digital Signatures (certificates) are the most common method used to achieve non-repudiation.
- Key Tools: Public Key Infrastructure (PKI), audit logs, and blockchain (in some contexts).
AAA
- Authentication, Authorization, and Accounting
- Framework for controlling access, determining user permissions, and logging user actions.
- Examples: Login credentials (authentication), role-based access (authorization), audit logs (accounting).
Authentication (People)
Verifying the identity of individuals before granting access. Examples: Passwords, biometrics.
Authentication (Systems)
Verifying the identity of devices or systems before communication. Examples: Digital certificates, token-based authentication, API keys.
Authorization Models
Ways of defining what an authenticated user or system is allowed to do. Examples: Role-based access control (RBAC), attribute-based access control (ABAC).
Gap Analysis
Process of comparing current security posture to desired security levels to identify and document gaps.
Zero Trust
A security model that assumes no implicit trust and continuously verifies every access request as though it originates from an open network. Examples: Multi-factor authentication, least privilege access.
Control Plane (Zero Trust)
Manages policies and decisions in a Zero Trust architecture. Examples: Adaptive identity, policy-driven access control.
Data Plane (Zero Trust)
Enforces policies on data access in a Zero Trust model. Examples: Implicit trust zones, policy enforcement points.
Physical Security
Measures to protect physical assets from unauthorized access or harm. Examples: Bollards, fencing, video surveillance.
Bollards
Physical barriers used to prevent vehicle access to a protected area. Examples: Concrete barriers, retractable bollards.
Access Control Vestibule
A secure entryway that restricts access to a building or room. Examples: Mantraps, double-door systems.
Fencing
A physical barrier to deter and prevent unauthorized access.
Video Surveillance
Cameras and monitoring systems used to observe and record activity.
Security Guard
Personnel responsible for monitoring and protecting physical premises.
Access Badge
- Physical security measure.
- An identification card that grants access to restricted areas.
- Examples: RFID cards, smart cards.
Lighting
Using lighting can enhance security and deter unauthorized access. Examples: Motion-activated lights, perimeter lighting.
Sensors
Devices that detect physical conditions or changes in the environment. Examples: Infrared sensors, pressure sensors, microwave sensors, ultrasonic sensors.
Deception Technology
- Techniques used to mislead attackers and disrupt their activities.
- Attract attackers and gather data on their methods.
- Examples: Honeypots, honeyfiles, honeynets.
Honeypot
A decoy system used to attract and detect attackers. Examples: Fake servers, simulated databases.
Honeynet
- A network of honeypots designed to capture extensive attack data.
- A fake network environment used to study attack behaviors.
Honeyfile
A bait file placed in a system to detect unauthorized access. Examples: Fake confidential documents, decoy financial records.
Honeytoken
A decoy token of some kind, such as an authentication credential, used to detect unauthorized access. Examples: Fake credentials, decoy API keys.