Cornerstone security principles Flashcards
The 3 main objectives of security are
Confidentiality, integrity and availability

What is information security?
The protection of information and information systems from unauthorized access, use, disclosure, modification, or destruction in order to provide confidentiality, integrity and availability (CIA triad)
Confidentiality
Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity
Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.
Availability
Ensuring timely and reliable access to and use of information.
3 key cyber security tenets
Confidentiality, integrity and availability
Confidentiality, integrity and availability (CIA) versus
Disclosure, Alteration and Destruction (DAD)
Identification
-Provides a weak, unproven claim of identity. -Providing a username is an example of identification. -Requires proof (authentication) before access (authorization) to controlled data is granted.
Authentication
-Serves as proof that a user's identity claim is legitimate. -Strong authentication implies a higher-integrity means of proof, or multiple independent methods of proof.
Authorization
Follows successful authentication and determines what the authenticated user is allowed to do
Accounting
-Records the interactions performed by individuals. -Audit logs can be generated, allowing users to be held accountable for their documented actions
Types/categories of authentication
-Something you have (such as a token, smart card, or badge) -Something you are (biometrics: fingerprint, retina scan, voice, palm scan, hand geometry) -Something you know (passwords or passphrases) -Somewhere you are (location, such as GPS)
Using two or more categories of authentication is called
Two-factor or multi-factor authentication
PoLP abbreviation of
Principle of least privilege; may also be known as Minimum Necessary Access
Mandates that individuals be granted only the access necessary to perform their required functions
Principle of least privilege or Minimum Necessary Access
Risk is mitigated by requiring two parties to perform what one person could.
Separation of Duties. -It serves as a check on excessive authority.
Requires collusion among more than one individual in order to successfully perpetrate a fraud.
Separation of Duties
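The two separation-of-duties cards above (two parties for what one person could do; collusion required for fraud) can be shown as a concrete dual-control check. The Python below is an added example, not from the original flashcards: a payment needs two distinct approvers, the person who initiated it can never approve it, and the initiator and approver roles are declared mutually exclusive so one account cannot hold both. The roles, people and payment workflow are constructed for the example.

```python
"""Separation of duties as a dual-control check on payments.

Added example for the flashcards; roles, people and the workflow are
constructed for illustration. Two kinds of check are shown:
  static  - one person may not hold conflicting roles at all
  dynamic - on a single transaction, the initiator may not also approve,
            and two distinct approvers are required before release
"""
from dataclasses import dataclass, field


class SoDViolation(Exception):
    """One person would be performing duties that must be kept apart."""


# Static separation of duties: role pairs no single person may hold together.
CONFLICTING_ROLES = {frozenset({"payment_initiator", "payment_approver"})}


def assign_role(assignments: dict[str, set[str]], person: str, role: str) -> None:
    """Grant a role, refusing any grant that would combine conflicting duties."""
    held = assignments.setdefault(person, set())
    for existing in held:
        if frozenset({existing, role}) in CONFLICTING_ROLES:
            raise SoDViolation(f"{person} holds {existing}; cannot also hold {role}")
    held.add(role)


@dataclass
class Payment:
    requester: str
    amount: int
    approvers: set[str] = field(default_factory=set)


def initiate(assignments: dict[str, set[str]], person: str, amount: int) -> Payment:
    if "payment_initiator" not in assignments.get(person, set()):
        raise SoDViolation(f"{person} may not initiate payments")
    return Payment(person, amount)


def approve(assignments: dict[str, set[str]], payment: Payment, person: str) -> None:
    """Dynamic separation of duties on one transaction."""
    if "payment_approver" not in assignments.get(person, set()):
        raise SoDViolation(f"{person} may not approve payments")
    if person == payment.requester:
        raise SoDViolation(f"{person} cannot approve a payment they initiated")
    payment.approvers.add(person)  # a set, so the same approver cannot count twice


def can_release(payment: Payment, required_approvals: int = 2) -> bool:
    """Dual control: money moves only after two distinct people, neither the
    requester, have approved. A lone insider therefore needs an accomplice."""
    return len(payment.approvers - {payment.requester}) >= required_approvals


def violates(fn, *args) -> bool:
    """True if the action is blocked by a separation-of-duties rule."""
    try:
        fn(*args)
    except SoDViolation:
        return True
    return False


if __name__ == "__main__":
    roles: dict[str, set[str]] = {}
    assign_role(roles, "alice", "payment_initiator")
    assign_role(roles, "bob", "payment_approver")
    assign_role(roles, "carol", "payment_approver")
    p = initiate(roles, "alice", 5000)
    approve(roles, p, "bob")
    print("after one approval:", can_release(p))
    approve(roles, p, "carol")
    print("after two approvals:", can_release(p))
```

The static rule is what stops an administrator from quietly giving one account both duties; the dynamic rule is what makes the fraud in the collusion card require a second willing person even when roles are assigned correctly.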
Forces other people to take over key tasks normally performed by another employee
Rotation of Duties or job rotation. -It is a common way of detecting fraud, such as the printing of excess payroll checks.
Acting as any reasonable person would.
Due Care or Prudent Man Rule
Practices or processes that ensure the decided-upon standard of care is maintained
Due Diligence
The implementation of due care is
Due Diligence
What are major types of controls?
-Preventive -Detective -Corrective -Deterrent -Recovery -Compensating
Preventive Controls
-Try to stop an attack from succeeding. -Do not allow a user to violate the security policy in place.
Detective Controls
-Assume an attack has begun. -Try to detect that there is a problem after an attack occurs. -Detection is time-critical, since the attack is in progress while it is being detected.