Chapter 1 Flashcards
{BLANK} ensures that the subject of an activity or who caused an event cannot deny that the event occurred.
Nonrepudiation
Think - AAA Services
{BLANK} is the security concept that data is authentic or genuine and originates from its alleged source.
Authenticity
Think - CIA Triad
{BLANK} is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources.
Confidentiality
{BLANK} is establishing a plan, policy, and process to protect the interests of an organization.
Due Diligence
{BLANK} is knowing what should be done and planning for it.
Due Diligence
A {BLANK} defines a minimum level of security that every system throughout the organization must meet.
Baseline
{BLANK} is reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions, especially violations of organizational security policy.
Accounting (aka Accountability)
AAA services are a core security mechanism of all security environments. What are the five elements of AAA services?
- Identification
- Authentication
- Authorization
- Auditing
- Accounting
An {BLANK} is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.
Auditor
What are the five key concepts of the decomposition process?
- Trust Boundaries
- Dataflow Paths
- Input Points
- Privileged Operations
- Details about Security Stance and Approach
{BLANK} is the collection of practices related to supporting, evaluating, defining, and directing the security efforts of an organization.
Security Governance
Think - CIA Triad
{BLANK} means authorized subjects are granted timely and uninterrupted access to objects.
Availability
{BLANK} is preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.
Data Hiding
A {BLANK} is the line intersection between any two areas, subnets, or environments that have different security requirements or needs.
Security Boundary
{BLANK} is practicing the individual activities that maintain the due diligence effort.
Due Care
{BLANK} is doing the right action at the right time.
Due Care
A {BLANK} offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.
Guideline
{BLANK}, also known as layering, is the use of multiple controls in a series.
Defense in Depth
What are the common security roles present in a typical secured environment?
- Senior Manager
- Security Professional
- Asset Owner
- Custodian
- User
- Auditor
{BLANK} is the system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements.
Third-Party Governance
{BLANK} is a risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected.
PASTA
(Process for Attack Simulation and Threat Analysis)
{BLANK} is the process of reading the exchanged materials and verifying them against standards and expectations.
Documentation Review
What does the acronym STRIDE stand for?
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service (DoS)
- Elevation of Privilege
{BLANK} define compulsory requirements for the homogeneous use of hardware, software, technology, and security controls.
Standards
A {BLANK} or {BLANK} is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.
Procedure; Standard Operating Procedure
{BLANK} are typically viewed as the primary goals and objectives of a security infrastructure.
CIA Triad
The {BLANK} (end user or operator)
User
Think - AAA Services
{BLANK} is recording a log of the events and activities related to the system and subjects.
Auditing
Think - AAA Services
{BLANK} is defining the permissions (i.e., allow/grant and/or deny) of a resource and object access for a specific identity or subject.
Authorization
The {BLANK} role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.
Custodian
Think - AAA Services
{BLANK} is proving that you are that claimed identity.
Authentication
Think - AAA Services
{BLANK} is claiming to be an identity when attempting to access a secured area or system.
Identification
The {BLANK} role is assigned to the person who is responsible for classifying information for placement and protection within the security solution.
Asset Owner
The {BLANK}, information security (InfoSec) officer, or computer incident response team (CIRT) role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management.
Security Professional
The organizational owner ({BLANK}) role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets.
Senior Manager
{BLANK} is the concept of protecting the reliability and correctness of data.
Integrity
{BLANK} is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
Abstraction
{BLANK} is a documented set of best IT security practices crafted by ISACA. It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.
COBIT
(Control Objectives for Information and Related Technology)
COBIT is based on six key principles for governance and management of enterprise IT:
- Provide Stakeholder Value
- Holistic Approach
- Dynamic Governance System
- Governance Distinct from Management
- Tailored to Enterprise Needs
- End-to-End Governance System
Think - STRIDE
An attack with the goal of gaining access to a target system through the use of a falsified identity. When an attacker spoofs their identity as a valid or authorized entity, they are often able to bypass filters and blockades against unauthorized access.
Spoofing
Think - STRIDE
Any action resulting in unauthorized changes or manipulation of data whether in transit or in storage.
Tampering
Think - STRIDE
The ability of a user or attacker to deny having performed an action or activity by maintaining plausible deniability. Repudiation attacks can also result in innocent third parties being blamed for security violations.
Repudiation
Think - STRIDE
An attack that attempts to prevent authorized use of a resource. This can be done through flaw exploitation, connection overloading, or traffic flooding.
Denial of Service (DoS)
Think - STRIDE
An attack where a limited user account is transformed into an account with greater privileges, powers, and access.
Elevation of Privilege
Think - STRIDE
The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities.
Information Disclosure