CH 1. Security Governance Through Principles and Policies Flashcards
Confidentiality (Definition)
- measures used to ensure the protection of the secrecy of data, objects, and resources.
- focuses security measures on ensuring that no one other than the intended recipient of a message is able to receive/read it.
What is the goal of Confidentiality?
- prevent unauthorized access to data
- encrypt data at rest (stored on a disk)
- encrypt data on the network (in transit)
What does Confidentiality protection provide?
- provides a means for authorized users to access and interact with resources
- actively prevents unauthorized users from accessing and interacting with resources
What is an access control?
- the management of a relationship between subjects and objects
What is an “object” in a security relationship?
- the passive element in a security relationship
- such as files, computers, network connections, and applications
What is a “subject” in a security relationship?
- the active element in a security relationship that acts upon or against an object
- such as users, programs, and computers
What are examples of attacks used to violate confidentiality?
- capturing network traffic
- stealing passwords
- social engineering
- port scanning
- shoulder surfing
- sniffing
- escalation of privileges
What are examples of human errors that result in a violation of confidentiality?
- not encrypting data transmissions
- not securing access points
- backdoors in code
- misrouted faxes
- documents left on printers
- not locking terminals
What countermeasures can help ensure confidentiality against possible threats?
- encryption
- network traffic padding
- access controls
- authentication procedures
- data classification
- personnel training
- IPsec tunnel for VPN
- Multi-factor Authentication
Sensitivity (Definition)
- refers to the quality of information
- could cause harm if disclosed
Discretion (Definition)
- an act or decision where an operator can influence or control disclosure in order to minimize harm or damage
Criticality (Definition)
- the level to which information is mission critical
- the higher the level of criticality, the more likely the need to maintain the confidentiality of the information
Concealment (Definition)
- the act of hiding or preventing disclosure
- often viewed as a means of cover, obfuscation, or distraction
Security Through Obscurity (Definition)
- the concept of attempting to gain protection through hiding, silence, or secrecy
- not considered a valid security measure, but may still have value
Secrecy (Definition)
- the act of keeping something a secret or preventing the disclosure of information
Privacy (Definition)
- refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed
Seclusion (Definition)
- involves something in an out-of-the-way location
- this location can also provide strict access controls
Isolation (Definition)
- the act of keeping something separated from others
- Isolation can be used to prevent commingling of information or disclosure of information (confidentiality)
Integrity (Definition)
- the concept of protecting the reliability and correctness of data
- prevents unauthorized alteration of data
- ensures that data remains correct, unaltered, and preserved
What does properly implemented Integrity protection provide?
- a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses or intrusions) as well as mistakes made by unauthorized users.
What does a security mechanism that protects Integrity provide?
- high level of assurance that the data, objects, and resources are unaltered from their original protected state.
- prevents alterations while the object is in storage, in transit, or in process
What are the three perspectives that Integrity is examined from?
- preventing unauthorized subjects from making modifications
- preventing authorized subjects from making unauthorized modifications (mistakes)
- maintaining the internal and external consistency of objects so that their data is correct
What are examples of attacks on data Integrity?
- viruses
- logic bombs
- unauthorized access
- errors in coding and applications
- malicious modifications
- intentional replacement
- system back doors
What are examples of unauthorized changes made by authorized users?
- modifying or deleting files
- entering invalid data
- altering configurations
- errors in commands, codes, and scripts
- introducing a virus
- executing malicious code
What are examples of security measures to protect against Integrity violations?
- access control
- authentication procedures
- intrusion detection
- data encryption
- hash total verifications
- interface restrictions
- personnel training
Accuracy (Definition)
- being correct and precise
Truthfulness (Definition)
- being a true reflection of reality
Authenticity (Definition)
- being authentic or genuine
Validity (Definition)
- being factually or logically sound
Nonrepudiation (Definition)
- not being able to deny having performed an action or activity or being able to verify the origin of a communication or event
Accountability (Definition)
- being responsible or obligated for actions and results
Responsibility (Definition)
- being in charge or having control over something or someone
Completeness (Definition)
- having all needed and necessary components or parts
Comprehensiveness (Definition)
- being complete in scope
- the full inclusion of all needed elements
Availability (Definition)
- authorized subjects are granted timely and uninterrupted access to objects
What must occur for Availability to be maintained on a system?
- controls must be in place to ensure authorized access and an acceptable level of performance, to quickly handle interruptions, to provide for redundancy, to maintain reliable backups, and to prevent data loss or destruction
What are examples of threats to Availability?
- device failure
- software errors
- environmental issues (heat, static, flooding, power loss)
- DoS attacks
- Object destruction
- Communication interruptions
What are examples of unintended violations of Availability?
- Accidentally deleting files
- overutilization of hardware or software components
- under-allocating resources
- mislabeling or incorrectly classifying objects
What are examples of countermeasures to prevent violations of Availability?
- access controls
- monitoring performance and network traffic
- using firewalls and routers to prevent DoS attacks
- implementing redundancy for critical systems
- maintaining and testing backup systems
- fault-tolerant disks
Usability (Definition)
- the state of being easy to use or learn or being able to be understood and controlled by a subject
Accessibility (Definition)
- the assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
Timeliness (Definition)
- being prompt, on time, within a reasonable time frame, or providing low-latency response
5 elements of AAA services?
- Identification
- Authentication
- Authorization
- Auditing
- Accounting
Identification
- claiming to be an identity when attempting to access a secured area or system
- the process by which a subject professes an identity and accountability is initiated
- can include: providing a username; swiping a smart card; waving a proximity device; speaking a phrase; using a biometric device
Authentication
- proving that you are that identity
- the process of verifying or testing that the claimed identity is valid
- most common form is a password
- Identification and authentication are often used together as a single two-step process
Authorization
- defining permissions (i.e., allow/grant and/or deny) for resource and object access for a specific identity
- once a subject is authenticated, access must be authorized
- just because a subject has been identified and authenticated does not mean they have been authorized
Auditing
- recording a log of the events and activities related to the system and subjects
- the programmatic means by which a subject’s actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system
Accounting (aka Accountability)
- reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions
- an organization’s security policy can be properly enforced only if accountability is maintained.
- effective accountability relies on the capability to prove a subject’s identity and track their activities.
- if you are unable to legally support your security efforts, then you will be unlikely to be able to hold a human accountable for actions linked to a user account.
Access control matrix
- compares the subject, the object, and the intended activity
- if the specific action is allowed, the subject is authorized
What is needed to hold a human accountable for their actions linked to a user account?
- multi-factor authentication
- with only a password as authentication, there is significant room for doubt since passwords are the least secure form of authentication
- with MFA there is very little possibility that any other human could have compromised the authentication process
What is required for legal restitution of a computer crime?
1) demonstrate that a crime was committed
2) that the suspect committed the crime
3) that you took reasonable efforts to prevent the crime
*** your organization’s security needs to be legally defensible ***
Layering
- aka Defense in Depth
- the use of numerous, different controls to guard against whatever threats come to pass
- when security solutions are designed in layers, a failed control should not result in exposure of systems or data
Abstraction
- used for efficiency
- similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective
- thus, the concept of abstraction is used when classifying objects or assigning roles to subjects
Data Hiding
- the act of intentionally positioning data so that it is not viewable or accessible to an unauthorized subject
Security through Obscurity
- does not implement any form of protection
- it is an attempt to hope something important is not discovered by keeping knowledge of it a secret.
- an example of security through obscurity is when a programmer is aware of a flaw in their software code but releases the product anyway, hoping that no one discovers the issue and exploits it
Encryption
- the art and science of hiding the meaning or intent of a communication from unintended recipients.