1.2 Summarize fundamental security concepts. Flashcards
What does the CIA Triad include?
Confidentiality
Integrity
Availability
Confidentiality
Ensures sensitive information is only accessible to authorized users and remains shielded from unauthorized access.
Integrity
Guarantees data is accurate, unaltered, and trustworthy by preventing unauthorized changes. Hashing algorithms such as SHA-1 or MD5 provide data integrity (note: both are now considered cryptographically broken for collision resistance, so SHA-2 or SHA-3 family hashes are preferred in practice).
Availability
Ensures data and services are accessible when needed, minimizing disruptions in access.
What does non-repudiation ensure?
Accountability in digital actions by preventing denial of involvement.
Mechanisms include digital signatures, authentication, and audit trails to establish the origin and legitimacy of actions or communications.
AAA
Authentication
Authorization
Accounting
Authentication
Verifies the identity of users or systems seeking access. For systems, protocols like 802.1X validate endpoint certificates.
Authorization
Determines what actions users or systems can perform within the network.
Accounting
Tracks and logs user activities, resource access, and actions performed for compliance and troubleshooting.
AAA protocols
RADIUS
Diameter
TACACS+
RADIUS
Used in remote access scenarios; secures sensitive data exchange between clients and servers using shared secrets.
Diameter
Successor to RADIUS, supporting modern networks like 4G/5G.
TACACS+
Developed by Cisco, grants or denies access to network devices while enhancing security with shared secrets.
What is gap analysis?
A strategic process to evaluate an organization’s security posture against standards and best practices.
Includes assessment, benchmarking, identifying gaps, prioritization of risks, and a remediation strategy.
Key tasks of the gap analysis process
Assessment, benchmarking, identifying gaps, prioritization of risks, and a remediation strategy.
Assessment (gap analysis process)
A thorough assessment is conducted to understand the organization’s current security measures, policies, procedures, and technologies.
Benchmarking (gap analysis process)
This involves comparing the existing security practices against established industry standards, frameworks, and compliance regulations.
Identification (gap analysis process)
Gaps are pinpointed by identifying areas where security measures fall short of the desired or required level.
Prioritization (gap analysis process)
Not all gaps are equal in terms of risk.
Prioritization involves ranking the identified gaps based on their potential impact and likelihood of exploitation.
Remediation strategy (gap analysis process)
With prioritized gaps in mind, a comprehensive remediation strategy is developed. This strategy outlines actionable steps to close the identified gaps and enhance the organization’s security posture.
What is zero trust in cybersecurity?
The principle of “never trust, always verify,” ensuring continuous validation of users and devices.
Involves concepts like adaptive identity, policy-driven access control, and threat scope reduction.
What is the control plane in a zero-trust model?
The command center that manages user/device authorization based on policies and threat intelligence.
Components of the control plane
- Policy engine: Determines access based on company rules.
- Policy administrator: Executes the engine’s decisions and issues access tokens.
- Policy enforcement point: Ensures authorized actions are allowed, blocking unauthorized access.
Adaptive identity
Adaptive identity tailors user privileges based on contextual understanding. By analyzing user behavior, location, and device characteristics, this approach ensures that access rights are dynamically
Threat scope reduction
Preventing threats before they manifest is a paramount goal in cybersecurity. By intentionally narrowing the potential attack surface, organizations can preemptively thwart possible avenues of exploitation. This involves strategies such as minimizing exposed services, reducing the attackable code base, and employing rigorous patch management.
Policy-driven access control
The translation of security policies and guidelines into concrete action is a challenge faced by many organizations. Policy-driven access control offers a solution by automating the enforcement of these directives. Through a systematic approach, organizations can define access rights, permissions, and responses to specific scenarios. This not only ensures consistency but also eliminates the risk of human error in the execution of security protocols.
Policy administrator
The policy administrator executes the decisions made by the policy engine to control access to the network. It issues access tokens and can communicate with the data plane.
Policy engine
The policy engine determines who gains access to critical network resources on a per-user basis. It operates based on policies, written by the organization’s security team, which lay down the rules for access. Context is crucial, with data from SIEM, threat intelligence, user attributes, and device information informing decisions. Once the policy engine evaluates all the parameters, it communicates its decision to a policy administrator, who executes it on the ground.
Policy enforcement point
The policy enforcement point (PEP) is a security checkpoint that ensures only authorized actions are allowed by following the rules set by the policy administrator and verified by the policy engine. It blocks unauthorized actions and allows only safe, trusted ones.
Data plane
The data plane is responsible for the movement and forwarding of data packets within a network, executing tasks like routing, switching, and packet forwarding based on predefined policies. It ensures secure and efficient data transmission, with entities (subjects) initiating communication and systems (like routers and firewalls) handling the processing and forwarding of data. Together, subjects and systems ensure smooth and secure network operations.
Four types of trust zones
Implicit trust zones
Internal network zone
Demilitarized Zone (DMZ)
External network zone
Implicit trust zones
Implicit trust zones are areas within a network or system where trust is assumed without explicit verification. These zones simplify communication by allowing components to interact without strict authentication, based on predefined security rules or assumptions.
The internal network zone
The internal network zone is where devices and resources are considered trustworthy due to being behind the company’s firewall. This zone, also known as the local area network (LAN), houses critical infrastructure such as domain controllers and database servers.
The Demilitarized Zone (DMZ)
The Demilitarized Zone (DMZ) is a middle ground between trusted and untrusted areas, allowing controlled access to certain services from the external network. It often includes resources accessed by both trusted and untrusted networks and may have stricter communication controls with the internal network.
The external network zone
The external network zone, such as the internet, is typically considered untrusted due to inherent risks. Communication from this zone into the internal network requires strong security measures, and it is often referred to as the untrusted wide area network.
Physical security
Physical security is crucial as it involves measures to deter, detect, and respond to risks. It includes barriers and surveillance systems, all contributing to a security framework that protects people, assets, and critical information.
Bollards
Bollards are a key physical security measure, acting as strong barriers against vehicular threats. Typically placed around important buildings, public spaces, or critical infrastructure, they are designed to withstand impacts and prevent unauthorized vehicle access.
Access control vestibules
Access control vestibules create a controlled environment to improve security. For example, in door entry systems, individuals enter a space through one door, where their identity is verified by a security guard before accessing the building through a second door.
Fencing
Fencing is a classic yet effective element of physical security. It not only marks property boundaries but also serves as a visible deterrent against unauthorized access. Modern fencing incorporates advanced materials, designs, and technologies to enhance security.
Video surveillance
Video surveillance is a vital part of physical security, using advanced cameras, analytics, and monitoring systems for real-time visibility and event recording. It helps security teams identify threats, investigate incidents, and enhance overall security management.
Security guards
Security guards are essential for physical security, enforcing protocols, patrolling, and responding to incidents. Their observation skills, along with training in conflict resolution and emergency response, make them a crucial asset.
Access badges
Access badges, often using RFID or smart technology, allow authorized personnel seamless entry to secure areas. They help identify authorized individuals and create an audit trail of entry events, with different colors used for guests.
Lighting
Lighting in physical security deters intruders by illuminating areas, enhances visibility by reducing hiding spots, discourages crimes like theft and vandalism, and aids in access control and identity verification.
Visitor logs
Visitor logs track every entry and exit, serving as an important reference for audits and investigations. Signing in visitors also makes you responsible for their presence, highlighting the need for accurate documentation to maintain accountability.
Sensor technologies
Sensor technologies are key to modern security, detecting anomalies and triggering responses. With types like infrared, pressure, microwave, and ultrasonic, they enable real-time threat detection with minimal human involvement.
Types of sensors
Infrared
Pressure
Microwave
Ultrasonic
Infrared sensors
Infrared sensors detect heat signature changes, identifying human or animal presence, and are used in perimeter and indoor security.
Pressure sensors
Pressure sensors detect pressure changes from touch or movement, providing reliable indicators of activity.
Microwave sensors
Microwave sensors emit pulses and detect frequency changes from moving objects, excelling in various security situations.
Ultrasonic sensors
Ultrasonic sensors use sound waves to “see” around corners or in hidden areas, proving valuable in difficult environments.
Deception and disruption technology
Deception and disruption technology is a modern cybersecurity approach that goes beyond traditional defense, using strategies like honeypots, honeynets, honeyfiles, honeytokens, and fake information to deceive and disrupt potential threats. These digital decoys turn vulnerabilities into a strategic advantage.
Honeypot
A honeypot is a decoy website with lower security set up by security teams to observe hacker attack methods. It helps in preventing future attacks and serves as a distraction to protect the real web server.
Honeynet
A honeynet is a network of honeypots designed to deceive attackers, drawing them away from the actual network. It provides a controlled environment for cybersecurity professionals to study and analyze malicious activities while protecting real networks from harm.
Honeyfile
A honeyfile is a strategically crafted file, such as one titled “password,” designed to lure attackers. When accessed, it triggers alarms, marking the intrusion and helping defenders anticipate the attacker’s next move.
Honeytoken
Honeytokens are deceptive markers used in cybersecurity to trap digital intruders. These tokens contain dummy data that appears valuable but holds no real worth for the organization. Once taken, they trigger alerts, allowing defenders to track the infiltrator, whether external or internal.
Fake Information
Fake information tactics, such as a DNS sinkhole and fake telemetry, are used to mislead attackers. A DNS sinkhole redirects queries to different IP addresses, creating a “black hole” effect, while fake telemetry involves returning false data to confuse attackers and obscure real information.