Ch.1 - Security Fundamentals Flashcards

1
Q

Assets

A

Anything of value to your organization
- Example: employees, physical property, business relationships, information/data
- Value of assets > its initial cost
  - Example with thieves stealing computers: buy equipment, disrupt business operations, loss of revenues, undermine trust of customers/business partners, loss of data

2
Q

Information Security

A

Focuses on sensitive data and communications

3
Q

Threat

A

Anything that can harm an asset/disrupt business operations

- Example: malicious attacks, human errors, equipment malfunction, natural disaster

4
Q

Risk

A

Chance of harm affecting asset

5
Q

Vulnerability

A

Weakness(es) asset has against potential threats

6
Q

CIA triad

What are the 3?

A

Core of information security. Designing networks/data systems around the CIA triad helps protect against threats (less vulnerable).
- Confidentiality: Ensure info is viewable by authorized users/systems only. Inaccessible or unreadable to others.
- Integrity: Ensure info remains accurate and complete over its lifetime. Info can’t be modified in an undetected manner.
- Availability: Ensure info is always easily accessible to authorized users.

7
Q

*Accountability

A

Ensure employee actions are tracked and held accountable

8
Q

*Non-repudiation

A

Authenticity is verified in a way that prevents creators from disputing it

9
Q

Security Controls

What are the 8?

A

Tools/measures used to achieve security goals (usually to protect assets)

Managerial - Technical - Operational - Physical - Preventative - Detective - Corrective - Deterrent

10
Q

Managerial (Administrative Controls)

A

Org policies and security training (starting point of all)

11
Q

Technical (Logical Controls)

A

Tech solutions used to enforce security (firewalls, encryptions, etc.)

12
Q

Operational

A

Day-to-day employee activities used to achieve security goals (backups)

13
Q

Physical

A

Method used to guarantee physical security and safety of assets (locks, fences, cams)

14
Q

Preventative

A

Proactive controls acting to prevent loss from occurring in the first place

15
Q

Detective

A

Monitoring controls that detect active threat or record it for later evidence

16
Q

Corrective

A

Follow up controls used to minimize harm caused and prevent recurrence

17
Q

Deterrent

A

Visible controls to discourage attack/intrusion (aimed toward physical security)

18
Q

Confidentiality Controls

A
  • Least Privilege: Users are given only the permissions they need to perform their duties
  • Need to know: Similar, but focused on restricting data access to those who require it
  • Separation of duties: Breaking tasks into components, each of which is performed by a different employee with different permissions
19
Q

Technical Confidentiality Controls

A
  • Access Controls: Restrict access to systems and other resources
  • Encryption: Mathematical processes to render data unreadable without a proper decryption key
  • Steganography: Practice of concealing secret messages inside more ordinary ones
20
Q

Integrity Controls

A
  • Hashing: Mathematical functions designed to create a small, fixed-size fingerprint of a given message/file, such that any small change in the original data will produce a different hash
  • Digital signature: Combination of hashing and other cryptography that can verify authenticity and integrity of the message creator (certificates)
  • Backups: Regular/complete backups to restore data to its original form
  • Version control: Storing multiple versions of files for frequent/collaborative changes
21
Q

Availability Controls

A
  • Redundancy: Multiple/backup systems arranged so that if one fails, others can replace it
  • Fault tolerance: System designed to continue functioning if hardware/software fails
  • Patch management: Hotfixes (security updates) applied to systems because of incidents
22
Q

Compensating Controls

A

Alternative control that doesn’t match letter of requirement but gives equal or better protections

23
Q

Event

A

Meaningful change in system’s state that is both detectable and happened at specific time

24
Q

Incident

A

Event or series of events that is unexpected/unusual posing threat to the system overall

25
Q

True Positive

A

Problem occurred, analysis recognized it, can be addressed

26
Q

True Negative

A

Event is harmless, no alerts triggered, working properly

27
Q

False Positive

A

Event is harmless, analysis says it’s a problem, disruptions in routine

28
Q

False Negative

A

Problem occurred, analysis mistook it for a harmless event, goes undetected

29
Q

Governance

A

Formal, policy-driven practice to align operational functions with overall business strategy. Policies must address stakeholder goals and define control and accountability. Making sure it’s there.

30
Q

Organizational planning

A
  • Strategic Plan: Business-wide plan on org’s vision/values/objectives – Senior management
  • Tactical Plan: Mid-level plan to meet some objective defined by strategic plan (mid)
  • Operational Plan: Plan describing day-to-day operations to meet goals in other plans (low)
31
Q

Regulatory Compliance

A

Obligated to meet requirements defined by external stakeholders

Sarbanes-Oxley Act of 2002 (SOX)

Federal Information Security Management Act (FISMA)

Health Insurance Portability and Accountability Act (HIPAA)

Family Educational Rights and Privacy Act (FERPA)

Gramm-Leach-Bliley Act (GLBA)

General Data Protection Regulation (GDPR)

Payment Card Industry Data Security Standard (PCI DSS)

32
Q

Due Diligence

A

Before you sign a contract or take regulated actions that could lead you into legal liability, you must investigate the situation, understand the risks and obligations it brings, then take reasonable care in your following actions.

33
Q

Due Care

A

Less about research ahead of time and more about ongoing actions you perform for whatever assets you’re responsible for

34
Q

Organizational Roles and Responsibilities

A

Needed to identify who is responsible for each role

  • Manager: Responsible for org’s assets and make decisions on how to protect them
  • Security professional: Technically trained for implementing security controls
  • User: Has access to sensitive asset, but not in context of securing it (need training)
  • Auditor: Responsible for monitoring/reviewing effectiveness of security policies
35
Q

Management Positions

A

Chief Information Officer (CIO), Chief Security Officer (CSO), Chief Information Security Officer (CISO), Chief Compliance Officer (CCO), Chief Privacy Officer (CPO)

36
Q

Policy Enforcement

A

Successful security program requires participation of every employee

37
Q

Defense in depth

A

Strategies defining multiple layers on which the org needs to be secured. Each layer defines where you need to look when you set up security systems.

A single layer can be made more secure by applying multiple complementary controls. Each layer is interconnected. “Layered Defense”

38
Q

Security by Design

A

A system designed from the start having security in mind (assume it’ll be attacked)

  • Secure by design: Follow secure development procedures to minimize security bugs and incorporate security controls that resist attack
  • Secure by default: Software having default config settings that promote secure operations
  • Secure by deployment: Easy for users to deploy/maintain in a secure state
  • Communications: Communicate openly with users/admins about security issues
39
Q

Security Through Obscurity

A

Uses security technology or features that are hidden (not standard)

40
Q

Open Security

A

All technologies/methodologies used are known (anyone can inspect/dissect)

41
Q

Security vs. Usability

A

You can have a system that’s secure, usable or inexpensive to design and maintain, but when you stress one of the three too much, at least one of the others will suffer

42
Q

Security Documentation

A

Components used to achieve security

  • Framework: Program documenting overall processes needed to design policies to achieve needs
  • Policy: Statement describing how the org is to be run (intent and goals)
  • Standard: Methodologies/requirements needed to satisfy policies (password needs to be …)
  • Guideline: Descriptions of best practices/recommendations for achieving specific policy goal
  • Benchmark: Checklist of potential vulnerabilities in software and config settings to mitigate
  • Procedures: Ordered instructions for complying with element of policy/standard (mandatory)
  • Controls: Safeguard/countermeasure designed to reduce security risks
43
Q

IT Governance Frameworks

A

Detailed advice/techniques to design a set of customized policies

NIST 800 series

NIST Risk Management Framework (RMF)

NIST Cybersecurity Framework (CSF)

International Organization for Standardization (ISO) frameworks

CIS Critical Security Controls for Effective Cyber Defense (CIS CSC)

Cloud Security Alliance Cloud Controls Matrix (CSA CCM)

Statement on Standards for Attestation Engagements (SSAE)

Control Objectives for Information and Related Technologies (COBIT)

Information Technology Infrastructure Library (ITIL)

44
Q

EXAMPLE - NIST CSF Components

A

Focuses on overall risk management

  • Core: Functions that can be applied to almost any industry sector
  • Tiers: Describes how the org views cybersecurity risk and its approach to manage them
  • Profile: How the org achieves security goals by indexing its core functions against its business reqs
45
Q

Secure Configuration Guides

A

Advice on applying controls and hardening network – CIS

46
Q

Benchmark categories include

A
  • Workstation, server, mobile operating systems
  • Web and application servers
  • Network infrastructure devices
  • Web browsers and other desktop apps
47
Q

Asset Management

A

IT assets include hardware/software components needed for your infrastructure

  • Computers and network appliances
  • Peripherals and other devices
  • Data and storage media
  • Software and software licenses
  • Supporting infrastructure (network cabling, HVAC systems, server rooms)

Must have policies that ensure all assets are documented/secured through their entire life cycle

48
Q

Quality Control Procedures

A

Need to apply controls and verify that they all work effectively and that personnel adhere to them

  • Test: Ensures a (set of) security control is functioning as intended (generally automated)
  • Assessment: Review process comparing existing sec controls against known sec objectives
  • Audit: Systematic evaluation of effectiveness against set of established criteria
  • Evaluation: Broader approach to determine effectiveness of security strategy and improve
49
Q

Security Audits

A

What is covered depends on the kind of problems it’s meant to uncover, such as financial fraud or failure to protect customer privacy. Subjects of review include:

  • Effectiveness of security controls: both individually and as a defense in depth
  • Security logs: find unusual activities or unreported incidents
  • Incident response reports: verify that responses were appropriate and detect trends or patterns
  • User and administrator activities: verify compliance with network policies
  • Users and user permissions: minimize potential unauthorized access
  • Device configurations and installed applications: for comparison to the security baseline
  • Financial records: find evidence of fraud or illegal accounting practices

IMPORTANT: Auditor will have full access to all systems/data. May require assistance from personnel

50
Q

Continuous Improvement

A

Cybersecurity trends constantly evolving/changing – need to adapt

  • (Cyber) Threat Intelligence: Evidence-based knowledge reflecting current/emerging threats
51
Q

Change Management

A

Org understanding need for change and accepting new normal (done by experts)

  • Does the change have a meaningful benefit?
  • What side effects, good and bad, will it have?
  • How hard will it be to implement?
  • How can any newly introduced risks be managed?
52
Q

Change Control

A

Make sure change doesn’t cause any problems

  • Identify and document the reason why a change is necessary
  • Research/document steps needed for change, potential impacts, and who will be affected
  • Go through org’s approval process for specific change
  • Prepare for change by gathering resources and notifying users when you will perform it
  • Implement and test the change
  • Follow-up on change by updating network documentation and continuing to monitor for negative impacts