Asset Security Flashcards

1
Risk
Anything that can impact the confidentiality, integrity, or availability of an asset
2
Security risk planning is based on analysis of…
Assets, threats, and vulnerabilities
3
Asset
Something of perceived value to the org
4
Threat
Any circumstance or event that can negatively impact assets
5
Vulnerability
Something that can be exploited by a threat
6
The risk equation
Likelihood * Impact. In other words, how likely is the risk to happen, and how big will the impact be?
7
Intentional threat
Something/someone that intentionally plans to exploit vulnerabilities
8
Unintentional threat
Something that accidentally threatens a vulnerability
9
Technical vulnerability
Software or hardware problem
10
Human vulnerability
Stupid human behavior
11
Asset management
The process of tracking assets and the risks that affect them
12
Asset inventory
A catalog of assets that need to be protected
13
Asset classification
The practice of labeling assets based on sensitivity and importance to an organization
14
Public assets
Those that can be shared with anyone
15
Internal-only
Only to be shared internally
16
Confidential
Only for people in a certain part of the org
17
Restricted
Only for very specific people (need to know)
18
Data
Information that is translated, processed, and stored on a computer
19
In use data
Being accessed by one or more actors
20
In transit data
Email or any data going from a->b
21
Data at rest
Data that is not being used at the moment
22
Information security
Keep data in all states away from potential bad actors
23
Damage risk
24
Disclosure risk
25
Loss of information risk
26
Security Policy
Set of rules that reduce risk and protect information
27
Standards
References for how to set policy
28
Procedures
Step by step process for how to do certain security tasks
29
Compliance
The process of adhering to internal standards and external regulations
30
Regulations
Rules set by a government or other authority to control the way something is done
31
NIST (CSF) Framework
A voluntary framework that consists of standards, guidelines, and best practices to manage security risks
32
NIST Core
Core functions of the NIST framework: Identify, Protect, Detect, Respond, Recover
33
Tiers
Levels 1-4, describing how well the core functions are being performed
34
Profiles
A snapshot of functions and the tier of each at a given time
35
Security controls
Safeguards designed to reduce specific risks
36
Technical controls
Encryption, authentication, and more
37
Operational Controls
Awareness management and incident response
38
Managerial Controls
Policies and procedures
39
Information privacy
Right to choose when, how, and to what extent data is shared
40
Principle of least privilege
The idea that people should have no more than the minimum amount of data necessary to provide a service
41
Data owner
Someone who decides when their data can be accessed, edited, used, and destroyed
42
Data custodian
Responsible for handling, transport, and storage of data
43
Usage audit for principle of least privilege
Helps determine whether someone is using data and whether it is being used correctly, as well as whether it is being used at all and, if not, whether access should be revoked
44
Privilege audit for principle of least privilege
Checks whether a person's role matches their privileges
45
Account change audit
For detecting suspicious activity on a base account, like too many password resets
46
Data Lifecycle Stage 1
Collection
47
Data Lifecycle Stage 2
Storage
48
Data Lifecycle Stage 3
Usage
49
Data Lifecycle Stage 4
Archival
50
Data Lifecycle Stage 5
Destruction
51
Data Steward
The person or group that maintains and implements data governance policies for an org
52
PHI
Personal health information
53
GDPR-specific data
Name, Address, phone number, financial information, and medical information
54
PCI DSS
Security standards for major orgs in the financial industry
55
Security Audit
A review of an org's security controls, policies, and procedures against a set of standards
56
Security assessment
Determines how resilient current security implementations are against threats
57
PII can include
Photos and videos
58
Cryptography
The process of transforming information into a form that unintended readers can’t understand
59
Algorithm
A set of rules that solve a problem
60
Cipher
An algorithm that encrypts information
61
Cryptographic key
A mechanism that decrypts a cipher
62
Brute force attack
Trial and error to find a key
63
Public key infrastructure
An encryption framework that secures the exchange of information online
64
Step 1 of PKI
Exchange of encrypted information
65
Asymmetric Encryption
Use of a private and public key pair for encryption and decryption of data
66
Symmetric encryption
Use of a single secret key to exchange information
67
Step 2 of PKI
Developing a system of trust via digital certificates
68
Digital Certificate
Verifies the ID of a public key holder
69
Triple DES
Creates 3 blocks of ciphers, each a 64 bit key, for a total of 192 bits
70
Advanced Encryption Standard
A more secure symmetric algorithm. Creates keys that are 128, 192, or 256 bits
71
Rivest Shamir Adleman
Asymmetric. Public and private key. Long key lengths of 1,024, 2,048, or 4,096 bits. For highly sensitive data
72
Digital Signature Algorithm
2048 bits for public keys, developed by NIST
73
OpenSSL
An open source algorithm for generating public and private keys
74
Heartbleed bug
A bug that affected OpenSSL by exploiting exposed data in the memory of websites and apps
75
Kerckhoffs's Principle
All details of an algorithm should be knowable (except private key) without it sacrificing security
76
Hash function
Produces a hash value that can’t be decrypted. If the hash value doesn’t match, there is a rejection. Used for checking the integrity of files or programs.
77
Non repudiation
The concept that authenticity of information can’t be denied
78
sha256sum newfile.txt
Creates a hash value from the Linux terminal
79
Rainbow table
A table that matches well-established weak passwords to their hashes for hackers. Can be used to compare to a database of hashes
80
Collision attacks
Trying to generate the same hash from different data due to the small bit size produced by the hashing function
81
Access controls
Security controls that manage access, authorization, and accountability of information
82
AAA Framework
Authentication, authorization, and accounting framework
83
Authentication
Answers the question "who are you?" Knowledge: what you know. Ownership: what you own. Characteristic: something you are.
84
SSO (Single Sign On)
Lets you log on through multiple ways
85
Authorization
Determines what a user can do/access.
86
Separation of duties
The principle that users should not be given levels of authorization that would allow them to misuse a system
87
Separation of duties
Users should not be given levels of authorization that would allow them to misuse the system
88
Basic auth
The technology used to establish a user's request to access a server. Sends an identifier every time the user visits a site.
89
OAuth
Shares designated access to an identity without sharing information (like Google sign-up)
90
Access logs
Logs of a user's activity on a network
91
Session
A sequence of network HTTP basic auth requests and responses associated with the same user
92
Session ID
93
User provisioning
Creating and maintaining a user’s digital identity
94
Deprovisioning users
Deleting their accounts