Ch.1 - Security Fundamentals Flashcards
Assets
Anything of value to your organization
- Example: employees, physical property, business relationships, information/data
- Value of assets > its initial cost
  o Example with thieves stealing computers: must buy new equipment, disrupted business operations, lost revenue, undermined trust of customers/business partners, loss of data
Information Security
Focuses on sensitive data and communications
Threat
Anything that can harm an asset/disrupt business operations
- Example: malicious attacks, human errors, equipment malfunction, natural disaster
Risk
Chance of harm affecting asset
Vulnerability
Weakness(es) asset has against potential threats
CIA triad
What are the 3?
Core of information security. Designing networks/data systems around the CIA triad helps protect against threats (makes them less vulnerable).
- Confidentiality: Ensure info is viewable by authorized users/systems only. Inaccessible or unreadable to others.
- Integrity: Ensure info remains accurate and complete over its lifetime. Info can’t be modified in undetected ways.
- Availability: Ensure info is always easily accessible to authorized users.
*Accountability
Ensure employee actions are tracked and held accountable
*Non-repudiation
Authenticity is verified in a way that prevents creators from disputing it
Security Controls
What are the 8?
Tools/measures used to achieve security goals (usually to protect assets)
Managerial - Technical - Operational - Physical - Preventative - Detective - Corrective - Deterrent
Managerial (Administrative Controls)
Org policies and security training (starting point of all)
Technical (Logical Controls)
Tech solutions used to enforce security (firewalls, encryption, etc.)
Operational
Day-to-day employee activities used to achieve security goals (backups)
Physical
Methods used to guarantee physical security and safety of assets (locks, fences, cameras)
Preventative
Proactive controls acting to prevent loss from occurring in the first place
Detective
Monitoring controls that detect active threat or record it for later evidence
Corrective
Follow up controls used to minimize harm caused and prevent recurrence
Deterrent
Visible controls to discourage attack/intrusion (aimed toward physical security)
Confidentiality Controls
- Least Privilege: Users are given only the permissions they need to perform their duties
- Need to know: Similar, but focused on restricting data access to those who require it
- Separation of duties: Breaking tasks into components, each of which is performed by a different employee with different permissions
Technical Confidentiality Controls
- Access Controls: Restrict access to systems and other resources
- Encryption: Mathematical processes to render data unreadable without a proper decryption key
- Steganography: Practice of concealing secret messages inside more ordinary ones
Integrity Controls
- Hashing: Mathematical functions designed to create a small, fixed-size fingerprint of a given message/file, such that any small change in the original data will produce a different hash
- Digital signature: Combination of hashing and other cryptography that can verify the authenticity and integrity of the message creator (certificates)
- Backups: Regular/complete backups to restore data to its original form
- Version control: Storing multiple versions of files for frequent/collaborative changes
Availability Controls
- Redundancy: Multiple/backup systems arranged so that if one fails, others can replace it
- Fault tolerance: System designed to continue functioning if a hardware/software component fails
- Patch management: Hotfixes (security updates) applied to systems because of incidents
Compensating Controls
Alternative control that doesn’t match letter of requirement but gives equal or better protections
Event
Meaningful change in system’s state that is both detectable and happened at specific time
Incident
Event or series of events that is unexpected/unusual posing threat to the system overall
True Positive
Problem occurred, analysis recognized it, can be addressed
True Negative
Event is harmless, no alerts triggered, working properly
False Positive
Event is harmless, analysis says it’s a problem, disruptions in routine
False Negative
Problem occurred, analysis mistook it for a harmless event, goes undetected
Governance
Formal, policy-driven practice to align operational functions with overall business strategy. Policies must address stakeholder goals and define control and accountability. Making sure it’s there.
Organizational planning
- Strategic Plan: Business-wide plan on org’s vision/values/objectives – Senior management
- Tactical Plan: Mid-level plan to meet some objective defined by strategic plan (mid)
- Operational Plan: Plan describing day-to-day operations to meet goals in other plans (low)
Regulatory Compliance
Obligated to meet requirements defined by external stakeholders
Sarbanes-Oxley Act of 2002 (SOX)
Federal Information Security Management Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Family Educational Rights and Privacy Act (FERPA)
Gramm-Leach-Bliley Act (GLBA)
General Data Protection Regulation (GDPR)
Payment Card Industry Data Security Standard (PCI DSS)
Due Diligence
Before you sign a contract or take regulated actions that could expose you to legal liability, you must investigate the situation, understand the risks and obligations it brings, then take reasonable care in your following actions.
Due Care
Less about research ahead of time and more about the ongoing actions you perform for whatever assets you’re responsible for
Organizational Roles and Responsibilities
Needed to identify who is responsible for each role
- Manager: Responsible for org’s assets and make decisions on how to protect them
- Security professional: Technically trained for implementing security controls
- User: Has access to sensitive asset, but not in context of securing it (need training)
- Auditor: Responsible for monitoring/reviewing effectiveness of security policies
Management Positions
Chief Information Officer (CIO), Chief Security Officer (CSO), Chief Information Security Officer (CISO), Chief Compliance Officer (CCO), Chief Privacy Officer (CPO)
Policy Enforcement
Successful security program requires participation of every employee
Defense in depth
Strategies defining multiple layers on which the org needs to be secured. Each layer defines where you need to look when you set up security systems.
A single layer can be made more secure by applying multiple complementary controls. Each layer is interconnected.
“Layered Defense”
Security by Design
A system designed from the start having security in mind (assume it’ll be attacked)
- Secure by design: Follow secure development procedures to minimize security bugs and incorporate security controls that resist attack
- Secure by default: Software having default config settings that promote secure operations
- Secure by deployment: Easy for users to deploy/maintain in a secure state
- Communications: Communicate openly with users/admins about security issues
Security Through Obscurity
Uses security technology or features that are hidden (not standard)
Open Security
All technologies/methodologies used are known (anyone can inspect/dissect)
Security vs. Usability
You can have a system that’s secure, usable or inexpensive to design and maintain, but when you stress one of the three too much, at least one of the others will suffer
Security Documentation
Components used to achieve security
- Framework: Program documenting overall processes needed to design policies to achieve needs
- Policy: Statement describing how the org is to be run (intent and goals)
- Standard: Methodologies/requirements needed to satisfy policies (password needs to be …)
- Guideline: Descriptions of best practices/recommendations for achieving specific policy goal
- Benchmark: Checklist of potential vulnerabilities in software and config settings to mitigate
- Procedures: Ordered instructions for complying with element of policy/standard (mandatory)
- Controls: Safeguard/countermeasure designed to reduce security risks
IT Governance Frameworks
Detailed advice/techniques to design a set of customized policies
NIST 800 series
NIST Risk Management Framework (RMF)
NIST Cybersecurity Framework (CSF)
International Organization for Standardization (ISO) frameworks
CIS Critical Security Controls for Effective Cyber Defense (CIS CSC)
Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
Statement on Standards for Attestation Engagements (SSAE)
Control Objectives for Information and Related Technologies (COBIT)
Information Technology Infrastructure Library (ITIL)
EXAMPLE - NIST CSF Components
Focuses on overall risk management
- Core: Functions that can be applied to almost any industry sector
- Tiers: Describes how the org views cybersecurity risk and its approach to manage them
- Profile: How the org achieves its security goals by indexing its core functions against its business requirements
Secure Configuration Guides
Advice on applying controls and hardening network – CIS
Benchmark categories include
- Workstation, server, mobile operating systems
- Web and application servers
- Network infrastructure devices
- Web browsers and other desktop apps
Asset Management
IT assets include hardware/software components needed for your infrastructure
- Computers and network appliances
- Peripherals and other devices
- Data and storage media
- Software and software licenses
- Supporting infrastructure (network cabling, HVAC systems, server rooms)
Must have policies that ensure all assets are documented/secured through their entire life cycle
Quality Control Procedures
Need to apply controls and verify that they all work effectively and that personnel adhere to them
- Test: Ensures a (set of) security control is functioning as intended (generally automated)
- Assessment: Review process comparing existing sec controls against known sec objectives
- Audit: Systematic evaluation of effectiveness against set of established criteria
- Evaluation: Broader approach to determine effectiveness of security strategy and improve
Security Audits
What is covered depends on the kind of problems it’s meant to uncover, such as financial fraud or failure to protect customer privacy. Subjects of review include:
- Effectiveness of security controls: both individually and as a defense in depth
- Security logs: find unusual activities or unreported incidents
- Incident response reports: verify that responses were appropriate and detect trends or patterns
- User and administrator activities: verify compliance with network policies
- Users and user permissions: minimize potential unauthorized access
- Device configurations and installed applications: for comparison to the security baseline
- Financial records: find evidence of fraud or illegal accounting practices
IMPORTANT: Auditor will have full access to all systems/data and may require assistance from personnel
Continuous Improvement
Cybersecurity trends constantly evolving/changing – need to adapt
- (Cyber) Threat Intelligence: Evidence-based knowledge reflecting current/emerging threats
Change Management
Org understanding need for change and accepting new normal (done by experts)
- Does the change have a meaningful benefit?
- What side effects, good and bad, will it have?
- How hard will it be to implement?
- How can any newly introduced risks be managed?
Change Control
Make sure change doesn’t cause any problems
- Identify and document the reason why a change is necessary
- Research/document steps needed for change, potential impacts, and who will be affected
- Go through org’s approval process for specific change
- Prepare for change by gathering resources and notifying users when you will perform it
- Implement and test the change
- Follow-up on change by updating network documentation and continuing to monitor for negative impacts