Chapter 1: Security Principles Flashcards

1
Q

Vulnerability

A

Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.

2
Q

Risk

A

A measure of the extent to which an entity is threatened by a potential circumstance or event.

3
Q

Threat

A

Any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, image or reputation), organisational assets, individuals, other organisations or the nation through an information system via unauthorised access, destruction, disclosure, modification of information and/or denial of service.

4
Q

Threat Vector

A

The means by which a threat actor carries out their objectives.

5
Q

Risk Likelihood

A

The probability that a risk will occur.

6
Q

Risk Impact

A

Risk impact is the potential consequence or damage that a problem can cause if it occurs. It can be measured in terms of financial loss, operational disruption, customer dissatisfaction, reputation damage, legal liability, or any other relevant metric.

7
Q

Risk Identification

A

Risk identification (RI) is a set of activities that detect, describe and catalog all potential risks to assets and processes that could negatively impact business outcomes in terms of performance, quality, damage, loss or reputation.

8
Q

Risk Acceptance

A

Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

9
Q

Risk Avoidance

A

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

10
Q

Risk Transference

A

Paying an external party to accept the financial impact of a given risk.

11
Q

Security Controls

A

Measures that mitigate the impact or reduce the likelihood of a threat occurring.

12
Q

NIST 800-53

A

The NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organisations is a set of recommended security and privacy controls for federal information systems and organisations to help meet the Federal Information Security Management Act (FISMA) requirements.

13
Q

PCI-DSS

A

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.

14
Q

Cost/Benefit Analysis

A

A cost-benefit analysis is a systematic process that businesses use to analyse which decisions to make and which to forgo.

15
Q

Risk Appetite

A

Risk appetite is the level of risk that an organisation is willing to accept while pursuing its objectives, and before any action is determined to be necessary in order to reduce the risk.

16
Q

ISC2 Code of Ethics Canons

A

  • Protect society, the common good, necessary public trust and confidence and the infrastructure
  • Act honorably, honestly, justly, responsibly and legally
  • Provide diligent and competent service to principals
  • Advance and protect the profession

17
Q

Risk Tolerance

A

The level of risk or degree of uncertainty that is acceptable to organisations. The organisation’s or stakeholder’s readiness to bear the remaining risk after risk response in order to achieve its objectives, with the consideration that such tolerance can be influenced by legal or regulatory requirements.

18
Q

Rootkits

A

A rootkit is software used by cybercriminals to gain control over a target computer or network. Rootkits can sometimes appear as a single piece of software but are often made up of a collection of tools that allow hackers administrator-level control over the target device.

A rootkit tries to maintain root-level access while concealing malicious activity. It typically creates a backdoor and attempts to remain undetected by anti-malware software. A rootkit is active while the system is running.

19
Q

Cross-Site Scripting

A

Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.

20
Q

Risk Management

A

Cybersecurity risk management is an ongoing process of identifying, analysing, evaluating, and addressing your organisation’s cybersecurity threats. Cybersecurity risk management isn’t simply the job of the security team; everyone in the organisation has a role to play.