Domain 1: Everything Else Flashcards
- When a user cannot deny having performed a certain action on a system.
- Both authentication and integrity are combined.
Nonrepudiation
Users should be granted the minimum amount of access required to do their jobs, and no more.
Least privilege
Users must have a need to know a specific piece of information before being allowed to access it.
Need to know
- Term used to describe an active entity on a system.
- Users and computer programs can be labeled this as well.
Subjects
Term used to describe data on a system
Objects
Multiple safeguards are put into place in order to protect an asset. Safeguards (aka controls) are measures taken to reduce risk.
Defense in Depth
What are some auditing frameworks for the purpose of a security assessment?
SOC1 and SOC2
- Report that covers internal controls over financial reporting.
- Gives your company’s user entities some assurance that their financial information is being handled safely and securely
SOC1
Focuses on implemented security controls in relation to availability, security, integrity, privacy, and confidentiality
SOC2
A third party is brought in to review the practices of the service provider and make a statement regarding its security posture
Attestation
Documents that give written approval for the security company to perform a penetration test or an audit of the organization's network.
Right to penetration test/right to audit
Process of acquiring products or services from a third party
Procurement
Ensures that the business is continually getting sufficient quality from its third-party vendors
Vendor Governance
What are some steps taken before an acquisition of a company?
Due diligence on the acquired company's current cybersecurity program and an assessment of its current network security.
When one company is split into two or more companies
Divestitures
What are security concerns relating to divestitures?
The split companies inadvertently maintaining duplicate accounts and passwords
- “protect society, the commonwealth, and the infrastructure.”
- Security professionals are charged with the promotion of safe security practices and the improvement of system infrastructure for the public good.
- (ISC)^2 Code of Ethics
First canon of (ISC)^2 Code of Ethics
- “act honorably, honestly, justly, responsibly, and legally.”
- If laws from different jurisdictions are found to be in conflict, priority should be given to the jurisdiction in which services are being provided.
- (ISC)^2 Code of Ethics
Second canon of (ISC)^2 Code of Ethics
- “provide diligent and competent service to principals.”
- Security professionals provide competent services only in areas for which they are qualified.
- (ISC)^2 Code of Ethics
Third canon of (ISC)^2 Code of Ethics
- “advance and protect the profession.”
- Requires security professionals to maintain their skills and advance the skills and knowledge of others.
- (ISC)^2 Code of Ethics
Fourth canon of (ISC)^2 Code of Ethics
A document defined in an RFC regarding the expected ethical behavior on the Internet.
Internet Activities Board (IAB) Code of Ethics
According to the Internet Activities Board (IAB) what are some examples of unethical behavior?
Someone who purposely:
- Seeks to gain unauthorized access to a resource
- Disrupts the intended use of the Internet
- Wastes resources (people, capacity, computers) through such actions
- Destroys the integrity of computer-based information
- Compromises the privacy of users
The collection of practices related to supporting, defining and directing the security efforts of an organization
Security Governance
- High-level management directives
- Mandatory document
Policies
- A step-by-step guide for accomplishing a task.
- Mandatory document
Procedures
- Describes the specific use of technology, often applied to hardware and software.
- Mandatory document
Standards
- Are best practices.
- Discretionary document
Guidelines
- Uniform ways of implementing a standard
- Discretionary document
Baselines
- Intended to change user behavior
- e.g. reminding users never to write their passwords down
Security awareness
Intended to teach a user how to do something
Security Training
Use of a third party to provide IT support services that were once done in-house.
Outsourcing
- Outsourcing to another country.
- One problem here that will require due diligence is understanding the industry regulations of the other country.
Offshoring
- Control Category
- Are implemented by creating and following organizational policy, procedure or regulation
Administrative Controls
- Control Category
- Are implemented using software, hardware, or firmware that restricts access on an IT system
- e.g. firewalls, encryption, ACLs, protocols, IDS, clipping levels, etc.
Logical/Technical Controls
- Control Category
- Are implemented with physical devices (e.g. locks, fences, gates, and security guards)
Physical controls
- Control that restricts or stops unwanted or unauthorized activity from occurring
- e.g. fences, locks, biometrics, mantraps, lighting, alarm systems, separation-of-duties policies, job rotation policies, data classification, penetration testing, access control methods, encryption, auditing, etc.
Preventive Access Control
- Control that attempts to discover or detect unwanted or unauthorized activity.
- e.g. security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation policies, mandatory vacation policies, audit trails, honeypots or honeynets, intrusion detection systems, violation reports, etc.
Detective Access Control
- Control that modifies the environment to return systems to normal after an unwanted security incident has occurred
- e.g. antivirus software that removes or quarantines viruses, IPS, backup and restore plans
Corrective Access Control
- Control that restores the functionality of a system after a security incident.
- e.g. reimaging, backup and restore, fault-tolerant drives
Recovery Access Control
- Control used to discourage people from performing actions that violate security policy
- e.g. banner messages, policies, security awareness training, locks, fences, security badges, guards, mantraps, and security cameras.
Deterrent Access Control
- Control put in place to temporarily alleviate the weaknesses in another control
- e.g. a security policy dictates that smartcards be used by all employees, but this may take a while to implement; in the meantime, hardware tokens are issued instead
Compensating Access Control
- Control that attempts to confine or control the actions of users to force or encourage compliance with security policies
- e.g. security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.
Directive Access Control
- Type of third-party auditing report
- Provides a description of the controls provided by the audited organization as well as the auditor’s opinion based upon that description.
- Covers a single point in time and does not involve actual testing of the controls by the auditor.
Type I
- Type of third-party auditing report
- Covers a minimum six-month time period and also includes an opinion from the auditor on the effectiveness of those controls based upon actual testing performed by the auditor.
Type II
Which auditing report types are considered more reliable?
Type II reports
Type I reports simply take the audited organization at its word that the controls are implemented as described.