Domain 1 Flashcards
3 components of security education
Policy - what to do
Training - skills for doing it
Awareness - changes behavior
CIA Triad vs DAD
CIA: Confidentiality, Integrity, Availability
DAD (logical opposite of CIA): Disclosure, Alteration, Destruction
Controls are implemented across what three levels? Give examples for each
Administrative (aka directive): background checks, policies/procedures
Technical: encryption, smart cards
Physical: locks, securing laptops/magnetic media, protection of cabling
Criminal vs Civil
Criminal: possible to get jail time; burden of proof is beyond a reasonable doubt (99.9%)
Civil: burden of proof only needs to tip the scale (50.1%)
CVSS
Common Vulnerability Scoring System
Draw chart of 5 types of documentation
Refer to “Types of Documentation - Drawing 1B”
Draw the qualitative RA matrix
Qualitative Risk Analysis Matrix helps identify most significant risks to organization
Likelihood on the left vertical axis, Impact on the top horizontal axis (high/med/low)
Refer to “Qualitative RA Matrix - Domain 1 pg 67”
Excessive risk
means risk above the level acceptable to the executive / data owner; excessive does NOT mean a lot of risk
Fork bomb
attack that loops on while 1=1 (which is always true), forking (starting a new process) on every iteration until all memory is used and the system crashes
Formula for Risk
risk = threat x vulnerability
threat drives calculation, vulnerability reduces the risk
threat: potential for harm, can be internal/external/competitor/govt (hurricanes, snowstorms, viruses, worms)
vulnerability: weakness (unpatched system, default install)
Variation of Smurf involving spoofed UDP datagrams sent to UDP port 7
Fraggle
IAAA
Identification: means by which users claim their identities to a system
Authentication: establishes, tests or reconciles a user’s identity
Authorization: rights/permissions granted to an individual (or process) that enable access to a computer
Accountability: system’s ability to determine the actions of a single individual within the system, showing that a particular individual performed a particular action, e.g. audit trails and logs
LAND attack
spoofed packet whose source and destination are identical (e.g. from 192.168.1.1 to 192.168.1.1 on port 8080) creates a recursive loop which crashes the system
List all quantitative formulas
SLE (Single Loss Expectancy) = EF (exposure factor) x AV (asset value)
ARO (Annualized Rate of Occurrence)
ALE (Annualized Loss Expectancy) = SLE x ARO
TCO (Total Cost of Ownership)
ROI (Return on Investment)
Cost/Benefit Analysis
List all types of controls and examples of each
Preventative: locks on doors, firewalls
Detective: goes off during the attack (alarm systems, IDS); means the preventative control failed
Corrective: short-term fix to prevent future attacks (police guards)
Compensating: alternative control (e.g. a one-way firewall in a hospital when an MRI system could never be connected to the network directly but doctors still need data from it)
Recovery: long-term fix
Suppressive: where you detect and respond to deal with a problem
Name a directive control that is a strategic user-focused document
Policy
Name the 5 types of documentation
Policy, Procedure, Standard, Baseline, Guideline (optional)
Name different types of DoS attacks
DoS attacks:
- Crafted Packets
- Ping of Death
- LAND attack
- Teardrop
- Flooding
- SYN flood
- Smurf
- Fraggle
DDoS - compromising multiple machines to attack the victim
- Fork bomb
OCTAVE
Operationally Critical Threat, Asset and Vulnerability Evaluation
password guessing vs password cracking
Guessing (online: trying guesses at the website login prompt, but subject to account lockout)
Cracking (offline: no account lockout, but you need the raw encrypted passwords)
PCI DSS requirements
Payment Card Industry Data Security Standard - aka the dirty dozen (12 requirements); know the 12 goals in general (don’t need to know the order):
- Install/maintain firewalls
- No vendor default passwords/parameters
- Protect stored data
- Encrypt transmission of data across public networks
- Use/update antivirus
- Develop/maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems/processes
- Maintain a policy that addresses information security for all personnel