Ch.1 - Security Fundamentals Flashcards
Assets
Anything of value to your organization
- Example: employees, physical property, business relationships, information/data
- Value of an asset is usually greater than its purchase price
o Example, stolen computers: cost of replacing the equipment, disrupted business operations,
lost revenue, undermined trust of customers/business partners, loss of the data on them
Information Security
Focuses on sensitive data and communications
Threat
Anything that can harm an asset/disrupt business operations
- Example: malicious attacks, human errors, equipment malfunction, natural disaster
Risk
Likelihood that a threat exploits a vulnerability and harms an asset, weighed by the impact if it does
Vulnerability
Weakness(es) asset has against potential threats
CIA triad
What are the 3?
Core of information security. Designing networks/data systems around the CIA triad helps protect
against threats (fewer vulnerabilities).
- Confidentiality: Ensure info is viewable by authorized users/systems only. Inaccessible or
unreadable to others.
- Integrity: Ensure info remains accurate and complete over its lifetime. Info can’t be modified in
undetected manners.
- Availability: Ensure info is accessible to authorized users whenever they need it (systems stay
up and responsive).
*Accountability
Ensure users' actions are logged and attributable to an individual, so that person can be held responsible
*Non-repudiation
The origin of a message/action is proven in a way its creator cannot later deny (e.g., a digital signature)
Security Controls
What are the 8?
Tools/measures used to achieve security goals (usually to protect assets)
Managerial - Technical - Operational - Physical - Preventative - Detective - Corrective - Deterrent
Managerial (Administrative Controls)
Org policies and security training (starting point for the other control types)
Technical (Logical Controls)
Tech solutions used to enforce security (firewalls, encryption, access control lists, etc.)
Operational
Day-to-day employee activities used to achieve security goals (backups)
Physical
Method used to guarantee physical security and safety of assets (locks, fences, cams)
Preventative
Proactive controls acting to prevent loss from occurring in the first place
Detective
Monitoring controls that detect an active threat or record it as evidence for later (logging, IDS, cameras)
Corrective
Follow-up controls used to minimize harm after an incident and prevent recurrence (restore from backup, patch)
Deterrent
Visible controls that discourage attack/intrusion (warning signs, visible cameras, login banners); often physical, but not only
Confidentiality Controls
- Least Privilege: Users are given only the permissions they need to perform their duties
- Need to know: Similar, but focused on restricting data access to those who require it
- Separation of duties: Breaking tasks into components, each of which is performed by a different
employee with different permissions
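The three confidentiality controls above are easiest to see as enforcement checks in code. The following toy access-control model is an added example, not part of the flashcards: roles, users, projects and the payment workflow are all constructed for illustration. Each role carries only the permissions its duties need (least privilege), a ledger record can be read only by someone cleared for its project (need to know), and a payment must be requested and approved by two different people (separation of duties).

```python
"""Toy access-control model (added example; roles, users and data are constructed).

- least privilege: permissions come only from the user's role, and each role
  holds just the permissions its duties need
- need to know: the ledger.read permission alone is not enough; the user must
  also be cleared for the record's project compartment
- separation of duties: the person who requested a payment can never be the
  one who approves it, even if their role carries both permissions
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

# Hypothetical roles for the example. "owner" deliberately holds both payment
# permissions so the separation-of-duties check (not just least privilege)
# is what stops a self-approval.
ROLE_PERMISSIONS = {
    "clerk":   {"payment.request", "ledger.read"},
    "manager": {"payment.approve", "ledger.read"},
    "auditor": {"ledger.read"},
    "owner":   {"payment.request", "payment.approve", "ledger.read"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    projects: FrozenSet[str]  # need-to-know compartments the user is cleared for


@dataclass(frozen=True)
class Record:
    project: str
    body: str


@dataclass
class Payment:
    amount: int
    requested_by: Optional[str] = None
    approved_by: Optional[str] = None


def has_permission(user: User, permission: str) -> bool:
    """Least privilege: a user gets exactly the permissions of their role."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def can_read(user: User, record: Record) -> bool:
    """Need to know: permission AND clearance for the record's project."""
    return has_permission(user, "ledger.read") and record.project in user.projects


def request_payment(user: User, payment: Payment) -> Payment:
    if not has_permission(user, "payment.request"):
        raise PermissionError(f"{user.name} may not request payments")
    payment.requested_by = user.name
    return payment


def approve_payment(user: User, payment: Payment) -> Payment:
    if not has_permission(user, "payment.approve"):
        raise PermissionError(f"{user.name} may not approve payments")
    if payment.requested_by is None:
        raise ValueError("nothing to approve")
    # Separation of duties: requester and approver must be different people.
    if payment.requested_by == user.name:
        raise PermissionError("requester and approver must differ")
    payment.approved_by = user.name
    return payment


def denied(action: Callable, *args) -> bool:
    """True if the action is refused by an access-control check."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    alice = User("alice", "clerk", frozenset({"apollo"}))
    bob = User("bob", "manager", frozenset({"apollo"}))
    dave = User("dave", "owner", frozenset({"apollo"}))
    p = request_payment(alice, Payment(100))
    approve_payment(bob, p)                      # two people: allowed
    print("approved by", p.approved_by)
    q = request_payment(dave, Payment(500))
    print("self-approval denied:", denied(approve_payment, dave, q))
```

The point of the `owner` role is that least privilege alone would not have stopped dave: he legitimately holds `payment.approve`. Only the explicit separation-of-duties check in `approve_payment` prevents one person from completing the whole sensitive task.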
Technical Confidentiality Controls
- Access Controls: Restrict access to systems and other resources
- Encryption: Mathematical processes to render data unreadable without a proper decryption key
- Steganography: Practice of concealing secret messages inside more ordinary ones
Integrity Controls
- Hashing: Mathematical functions that create a small, fixed-size fingerprint of a given
message/file, such that any small change in the original data produces a different hash
- Digital signature: Combination of hashing and public-key cryptography that verifies the
integrity of a message and the authenticity of its creator (keys are tied to identities via certificates)
- Backups: Regular/complete backups to restore data to its original form
- Version control: Storing multiple versions of files for frequent/collaborative changes
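The hashing and digital-signature cards are worth seeing in action, including the caveat between them. The script below is an added example, not from the flashcards; the document bytes and the shared key are constructed. It shows that changing one byte of a message changes most of its SHA-256 fingerprint, and then shows why a plain hash stored beside the data only catches accidents: an attacker who can edit the file can recompute the hash too. A keyed hash (HMAC) closes that gap between parties sharing a secret. A digital signature does the same job with a private key, which is what additionally gives non-repudiation, since only the signer could have produced it; HMAC cannot offer that because both parties hold the same key.

```python
"""Integrity checks: plain hash vs. keyed hash (added example; inputs constructed)."""
import hashlib
import hmac

DOCUMENT = b"Pay 1000 EUR to account 12345\n"          # constructed sample message
SECRET_KEY = b"example-shared-secret-do-not-reuse"   # constructed sample key
AMOUNT_OFFSET = 4                                    # index of the '1' in "1000"


def fingerprint(data: bytes) -> str:
    """Unkeyed SHA-256 fingerprint, as on the hashing card."""
    return hashlib.sha256(data).hexdigest()


def tamper(data: bytes, offset: int, new_byte: bytes) -> bytes:
    """Return a copy of data with the single byte at offset replaced."""
    return data[:offset] + new_byte + data[offset + 1:]


def differing_hex_digits(a: str, b: str) -> int:
    """How many of the 64 hex digits differ between two SHA-256 digests."""
    return sum(x != y for x, y in zip(a, b))


def verify_plain_hash(data: bytes, stored_hex: str) -> bool:
    # constant-time comparison avoids leaking how many leading chars matched
    return hmac.compare_digest(fingerprint(data), stored_hex)


def mac(data: bytes, key: bytes) -> str:
    """Keyed fingerprint (HMAC-SHA256): only key holders can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(data: bytes, key: bytes, stored_hex: str) -> bool:
    return hmac.compare_digest(mac(data, key), stored_hex)


def attacker_forges_plain_hash(data: bytes, offset: int, new_byte: bytes) -> bool:
    """Attacker edits the amount and recomputes the unkeyed hash.
    Returns True if the verifier still accepts it (i.e. the check failed)."""
    forged = tamper(data, offset, new_byte)
    return verify_plain_hash(forged, fingerprint(forged))


def attacker_defeated_by_mac(data: bytes, key: bytes, offset: int, new_byte: bytes) -> bool:
    """Attacker edits the amount but, lacking the key, can only reuse the
    original tag. Returns True if the verifier rejects the forgery."""
    original_tag = mac(data, key)
    forged = tamper(data, offset, new_byte)
    return not verify_mac(forged, key, original_tag)


if __name__ == "__main__":
    evil = tamper(DOCUMENT, AMOUNT_OFFSET, b"9")       # "Pay 9000 EUR ..."
    h1, h2 = fingerprint(DOCUMENT), fingerprint(evil)
    print(f"{differing_hex_digits(h1, h2)}/64 hex digits changed after a 1-byte edit")
    print("plain hash fooled by recompute:", attacker_forges_plain_hash(DOCUMENT, AMOUNT_OFFSET, b"9"))
    print("HMAC rejects the same forgery:  ", attacker_defeated_by_mac(DOCUMENT, SECRET_KEY, AMOUNT_OFFSET, b"9"))
```

The hash alone is the right tool when the fingerprint is delivered over a channel the attacker cannot touch (a checksum published on a separate, trusted site). When hash and data travel together, use a MAC or, if the recipient must be able to prove to a third party who produced the data, a digital signature.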