2. Fundamentals Of Security Flashcards
Information Security
Protecting data and information from unauthorized access, modification, disclosure, and disruption.
Information Systems Security
Protecting the systems that hold and process critical data
CIA Triad
Confidentiality
Ensure information is accessible only to authorized personnel.
e.g. encryption
CIA Triad
Integrity
Ensure data remains accurate and unaltered.
e.g. checksums
CIA Triad
Availability
Ensure information and resources are accessible when needed.
e.g. redundancy measures.
Non-Repudiation
Guarantees that an action or event cannot be denied by the involved parties.
e.g. digital signatures
Authentication
Verify the identity of a user or system
Authorization
Determining actions or resources an authenticated user can access.
e.g. permissions
Accounting
Tracking user activities and resource usage for audit or billing purposes.
Security Control Categories
Technical
Managerial
Operational
Physical
Security Control Types
Preventative
Deterrent
Detective
Corrective
Compensating
Directive
Zero Trust Model
Operates on the principle that no one should be trusted by default.
Zero Trust is achieved by:
Control Plane - Adaptive identity, threat scope reduction, policy-driven access control, and secured zones
Data Plane - Subject/system, policy engine, policy administrator and establishing policy enforcement points
Threat
Anything that could cause harm, loss, damage, or compromise to our information technology systems
Vulnerability
Any weakness in the system design or implementation
Where the risk of a system is located
Where threats and vulnerabilities intersect
Risk Management
Finding different ways to minimize the likelihood of an outcome and achieve the desired outcome
3 reasons confidentiality is important
Protect personal privacy
Maintain a business advantage
Achieve regulatory compliance
5 methods to ensure confidentiality
Encryption, Access Controls, Data Masking, Physical Security Measures, Training and Awareness
3 reasons integrity is important
Ensure accuracy
Maintain Trust
Ensure system operability
5 methods to maintain integrity:
Hashing
Digital Signatures
Checksums
Access Controls
Regular Audits
3 reasons Availability is important
Ensures business continuity
Maintains customer trust
Upholds organizational reputation
5 methods to maintain availability
Redundancy
Server Redundancy
Data Redundancy
Network Redundancy
Power Redundancy
3 reasons non-repudiation is important
Confirm the authenticity of a digital transaction
Ensure the integrity of crucial communications
Provide accountability in digital processes
5 common authentication methods
Something you Know (Knowledge)
Something you have (Possession)
Something you are (Inherence)
Something you do (Action)
Somewhere you are (Location)
Accounting
A security measure that ensures all user activities during a communication or transaction are properly tracked and recorded.
5 accounting methods
Audit trail
Maintain Regulatory Compliance
Conduct forensic Analysis
Perform resource optimization
Achieve user accountability
Technical Controls
Technologies, hardware, and software mechanisms that are implemented to manage and reduce risks
Managerial Controls
(Administrative controls)
Involve the strategic planning and governance side of security
Operational Controls
Procedures and measures that are designed to protect data on a day-to-day basis
Physical Controls
Tangible, real-world measures taken to protect assets
Preventative Controls
Proactive measures implemented to thwart potential security threats or breaches
Deterrent Controls
Discourage potential attackers by making the effort seem less appealing or more challenging
Detective Controls
Monitor and alert organizations to malicious activities as they occur or shortly thereafter.
Corrective Controls
Mitigate any potential damage and restore our systems to their normal state
Compensating Controls
Alternative measures that are implemented when primary security controls are not feasible or effective
Directive Controls
Often rooted in policy or documentation and set the standards for behavior within an organization
Gap Analysis
Process of evaluating the differences between an organization’s current performance and its desired performance
2 types of Gap Analysis
Technical Gap Analysis
Business Gap Analysis
Zero Trust
Zero Trust demands verification for every device, user, and transaction within the network, regardless of its origin