Asset Security Flashcards

1
Q

Risk

A

Anything that can impact the confidentiality, integrity, or availability of an asset

2
Q

Security risk planning is based on analysis of…

A

Assets
Threats
Vulnerabilities

3
Q

Asset

A

Something of perceived value to the org

4
Q

Threat

A

Any circumstance or event that can negatively impact assets

5
Q

Vulnerability

A

Something that can be exploited by a threat

6
Q

The risk equation

A

Likelihood * Impact.

In other words, how likely is the risk to happen, and how big will the impact be?

7
Q

Intentional Threat

A

Something/someone that intentionally plans to exploit vulnerabilities

8
Q

Unintentional threat

A

Something that accidentally threatens a vulnerability.

9
Q

Technical vulnerability

A

Software or hardware problem

10
Q

Human vulnerability

A

Stupid human behavior

11
Q

Asset Management

A

The process of tracking assets and the risks that affect them

12
Q

Asset Inventory

A

A catalog of assets that need to be protected

13
Q

Asset classification

A

The practice of labeling assets based on sensitivity and importance to an organization

14
Q

Public assets

A

Those that can be shared with anyone

15
Q

Internal-only

A

Only to be shared internally

16
Q

Confidential

A

Only for people in a certain part of the org

17
Q

Restricted

A

Only for very specific people (need to know)

18
Q

Data

A

Information that is translated, processed, and stored on a computer

19
Q

In use data

A

Being accessed by 1 or more actors

20
Q

In transit data

A

Email or any data going from a->b

21
Q

Data at rest

A

The data that is not being used at the moment

22
Q

Information security

A

Keep data in all states away from potential bad actors

23
Q

Damage risk

A
24
Q

Disclosure risk

A
25
Q

Loss of information risk

A
26
Q

Security Policy

A

Set of rules that reduce risk and protect information

27
Q

Standards

A

References for how to set policy

28
Q

Procedures

A

Step-by-step process for how to do certain security tasks

29
Q

Compliance

A

The process of adhering to internal standards and external regulations

30
Q

Regulations

A

Rules set by a government or other authority to control the way something is done

31
Q

NIST (CSF) Framework

A

A voluntary framework that consists of standards, guidelines, and best practices to manage security risks

32
Q

NIST Core

A

Core functions of the NIST framework

Identify
Protect
Detect
Respond
Recover

33
Q

Tiers

A

Tiers 1-4: how well the core functions are being performed

34
Q

Profiles

A

A snapshot of functions and the tier of each at a given time

35
Q

Security controls

A

Safeguards designed to reduce specific risks

36
Q

Technical controls

A

Encryption, authentication, and more

37
Q

Operational Controls

A

Awareness management and incident response

38
Q

Managerial Controls

A

Policies and procedures

39
Q

Information privacy

A

Right to choose when, how, and to what extent data is shared

40
Q

Principle of least privilege

A

The idea that people should have no more than the minimum amount of data necessary to provide a service

41
Q

Data owner

A

Someone who decides when their data can be accessed, edited, used, and destroyed

42
Q

Data custodian

A

Responsible for handling, transport, and storage of data

43
Q

Usage audit for principle of least privilege

A

Helps determine whether someone is using data and whether it's being used correctly, as well as whether it's being used at all and, if not, whether access should be revoked

44
Q

Privilege audit for principle of least privilege

A

Checks whether a person's role matches their privileges

45
Q

Account change audit

A

For detecting suspicious activity on a base account, like too many password resets

46
Q

Data Lifecycle Stage 1

A

Collection

47
Q

Data Lifecycle Stage 2

A

Storage

48
Q

Data Lifecycle Stage 3

A

Usage

49
Q

Data Lifecycle Stage 4

A

Archival

50
Q

Data Lifecycle Stage 5

A

Destruction

51
Q

Data Steward

A

The person or group that maintains and implements data governance policies for an org

52
Q

PHI

A

Personal health information

53
Q

GDPR-specific data

A

Name, Address, phone number, financial information, and medical information

54
Q

PCI DSS

A

Security standards for major orgs in the financial industry

55
Q

Security Audit

A

A review of an org's security controls, policies, and procedures against a set of standards

56
Q

Security assessment

A

Determines how resilient current security implementations are against threats

57
Q

PII can include

A

Photos and videos

58
Q

Cryptography

A

The process of transforming information into a form that unintended readers can’t understand

59
Q

Algorithm

A

A set of rules that solve a problem

60
Q

Cipher

A

An algorithm that encrypts information

61
Q

Cryptographic key

A

A mechanism that decrypts a cipher

62
Q

Brute force attack

A

Trial and error to find a key

63
Q

Public key infrastructure

A

An encryption framework that secures the exchange of information online

64
Q

Step 1 of PKI

A

Exchange of encrypted information

65
Q

Asymmetric Encryption

A

Use of a private and public key pair for encryption and decryption of data

66
Q

Symmetric encryption

A

Use of a single secret key to exchange information

67
Q

Step 2 of PKI

A

Developing a system of trust via digital certificates

68
Q

Digital Certificate

A

Verifies the ID of a public key holder

69
Q

Triple DES

A

Creates 3 blocks of ciphers, each a 64 bit key, for a total of 192 bits

70
Q

Advanced Encryption Standard

A

A more secure symmetric algorithm. Creates keys that are 128, 192, or 256 bits

71
Q

Rivest Shamir Adleman

A

Asymmetric. Public and private key. Long key lengths of 1,024, 2,048, or 4,096 bits.

For highly sensitive data

72
Q

Digital Signature Algo

A

2048 bits for public keys, developed by NIST

73
Q

OpenSSL

A

An open source algorithm for generating public and private keys

74
Q

Heartbleed bug

A

A bug that affected OpenSSL by exploiting exposed data in the memory of websites and apps

75
Q

Kerckhoffs' Principle

A

All details of an algorithm should be knowable (except private key) without it sacrificing security

76
Q

Hash function

A

Produces a hash value that can’t be decrypted. If the hash value doesn’t match, there is a rejection. Used for checking the integrity of files or programs.

77
Q

Non repudiation

A

The concept that authenticity of information can’t be denied

78
Q

sha256sum new file.txt

A

Creates a hash value from the Linux terminal

79
Q

Rainbow table

A

A table that matches well-established weak passwords to their hashes for hackers. Can be used to compare to a database of hashes

80
Q

Collision attacks

A

Trying to generate the same hash from different data due to the small bit size produced by the hashing function

81
Q

Access controls

A

Security controls that manage access, authorization, and accountability of information

82
Q

AAA Framework

A

Authentication, authorization, and accounting framework

83
Q

Authentication

A

Answers the question: who are you?
Knowledge : what you know
Ownership: what do you own
Characteristic: something you are

84
Q

SSO (Single Sign On)

A

Lets you log on through multiple ways

85
Q

Authorization

A

Determines what a user can do/access.

86
Q

Separation of duties

A

The principle that users should not be given levels of authorization that would allow them to misuse a system

87
Q

Separation of duties

A

Users should not be given levels of authorization that would allow them to misuse the system

88
Q

Basic auth

A

The technology used to establish a user's request to access a server

Sends an identifier every time the user visits a site

89
Q

OAuth

A

Shares designated access to identity without sharing information (like Google sign-up)

90
Q

Access logs

A

The thing that logs a user’s activity on a network

91
Q

Session

A

A sequence of network HTTP basic auth requests and responses associated with the same user

92
Q

Session ID

A

A

93
Q

User provisioning

A

Creating and maintaining a user’s digital identity

94
Q

Deprovisioning users

A

Deleting their accounts