Chapter 1 - Security Governance Through Principles and Policies Flashcards
three common types of security evaluation
risk assessment, vulnerability assessment, and penetration testing
Risk assessment
is a process of identifying assets, threats, and vulnerabilities, and then using that information to calculate risk
Vulnerability assessment
uses automated tools to locate known security weaknesses, which can be addressed by adding in more defenses or adjusting the existing protections
Penetration testing
uses trusted individuals to stress-test the security infrastructure to find issues that may not be discovered by the prior two means, with the goal of finding those concerns before an adversary takes advantage of them
primary goals and objectives of a security infrastructure
Confidentiality, integrity, and availability (CIA)
Confidentiality
is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of is to prevent or minimize unauthorized access to data
countermeasures that can help ensure confidentiality?
encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training
Sensitivity
Sensitivity refers to the quality of information, which could cause harm or damage if disclosed
Discretion
Discretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.
Criticality
The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information.
Concealment
Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence, or secrecy.
Secrecy
Secrecy is the act of keeping something a secret or preventing the disclosure of information.
Privacy
Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
Seclusion
Seclusion involves storing something in an out-of-the-way location, likely with strict access controls.
Isolation
Isolation is the act of keeping something separated from others.
Integrity
is the concept of protecting the reliability and correctness of data. Prevents unauthorized alterations of data.
Integrity can be examined from three perspectives
- Preventing unauthorized subjects from making modifications
- Preventing authorized subjects from making unauthorized modifications, such as mistakes
- Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any other object is valid, consistent, and verifiable
Numerous attacks focus on the violation of integrity.
viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system backdoors
Numerous countermeasures can ensure integrity against possible threats
strict access control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash verifications, interface restrictions, input/function checks, and extensive personnel training.
Accuracy
Being correct and precise
Truthfulness
Being a true reflection of reality
Validity
Being factually or logically sound
Accountability
Being responsible or obligated for actions and results
Responsibility
Being in charge or having control over something or someone
Completeness
Having all necessary components or parts
Comprehensiveness
Being complete in scope; the full inclusion of all needed elements
Availability
means authorized subjects are granted timely and uninterrupted access to objects. Often, controls support sufficient bandwidth and timeliness of processing as deemed necessary by the organization or situation
ways to maintain availability on a system
- ensure authorized access and an acceptable level of performance
- to quickly handle interruptions
- provide for redundancy
- maintain reliable backups
- prevent data loss or destruction.
Numerous countermeasures can ensure availability against possible threats
- designing intermediary delivery systems properly
- using access controls effectively
- monitoring performance and network traffic
- using firewalls and routers to prevent DoS attacks
- implementing redundancy for critical systems
- maintaining and testing backup systems
Business continuity planning (BCP), focus on the use of fault tolerance features at the various levels of access/storage/security (that is, disk, server, or site) with the goal of eliminating single points of failure to maintain availability of critical systems.
Usability
The state of being easy to use or learn or being able to be understood and controlled by a subject
Accessibility
The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
Timeliness
Being prompt, on time, within a reasonable time frame, or providing low-latency response
DAD Triad
Disclosure, alteration, and destruction. DAD Triad represents the failures of security protections in the CIA Triad
Authenticity
is the security concept that data is authentic or genuine and originates from its alleged source. This is related to integrity, but it’s more closely related to verifying that it is from a claimed origin
Nonrepudiation
ensures that the subject of an activity or who caused an event cannot deny that the event occurred. can be established using digital certificates, session identifiers, transaction logs, and numerous other transactional and access control mechanisms
AAA services
is a core security mechanism of all security environments. The three As in this abbreviation refer to authentication, authorization, and accounting (or sometimes auditing)
five elements of AAA services
- identification
- authentication
- authorization
- auditing
- accounting
Identification
is claiming to be an identity when attempting to access a secured area or system. . Providing an identity can involve typing in a username; swiping a smartcard; waving a proximity device; speaking a phrase; or positioning your face, hand, or finger for a camera or scanning device. Without an identity, a system has no way to correlate an authentication factor with the subject.
Authentication
is proving that you are that claimed identity. Authentication requires the subject to provide additional information that corresponds to the identity they are claiming. The most common form of authentication is using a password
Authorization
is defining the permissions (i.e., allow/grant and/or deny) of a resource and object access for a specific identity or subject. The process of authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. In most cases, the system evaluates the subject, the object, and the assigned permissions related to the intended activity.
Auditing
is recording a log of the events and activities related to the system and subjects. Auditing is recording activities of a subject and its objects as well as recording the activities of application and system functions. Log files provide an audit trail for re-creating the history of an event, intrusion, or system failure. Auditing is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis
Accounting
is reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions, especially violations of organizational security policy. Accountability is established by linking an individual to the activities of an online identity through the security services and mechanisms of auditing, authorization, authentication, and identification. Thus, individual accountability is ultimately dependent on the strength of these processes
Monitoring vs Auditing
Monitoring is part of what is needed for audits, and audit logs are part of a monitoring system, but the two terms have different meanings. Monitoring is a type of watching or oversight, whereas auditing is a recording of the information into a record or file. It is possible to monitor without auditing, but you can’t audit without some form of monitoring.
