Domain 1: Security and Risk Management Flashcards
CIA
Confidentiality, Integrity and Availability
States of Data
At rest
In process
In transit
Password Masking CIA principle
Confidentiality
Data in transit basic protection
TLS or SSL
Confidentiality overt and covert techniques
Cryptography
Masking
Steganography
Protection against system or software modification
Integrity
Methods to ensure integrity
CRC Checksum Message Digest Hashes MAC Input Validation!!!
Availability description
Provide timely access to a resource
Availability metrics
Tolerance for losses: MTD/RTO/RPO
Legal: SLA
Life expectancy: MTBF/MTTR
MTBF
Mean Time Between Failure: the expected lifespan of the device
MTTR
Mean Time To Repair: how much time will be required to restore the component to functionality
RPO
Recovery Point Objective: how much data can be lost after a restoration
MTD
Maximum Tolerance Downtime: how long the component/system can be down before our loss is unacceptable.
SLA
Service Legal Agreement
IAAA
Identification
Authentication
Authorization
Accountability
FAR
False Accept Rate
FRR
False Reject Rate
Access Control Models
DAC
MAC
RBAC
RuBAC
DAC
Discretionary Access Control: Zero knowledge
MAC
Mandatory Access Control: Labels
RBAC
Role Based Access Control
RuBAC
Rule Based Access Control
CRUD operations
Create
Read
Update
Delete
Accountability requirements
Time
Action
Subject
Object
Tenets of secure architecture and design (16)
- How much security is enough?
- Defense in depth
- Fail-safe
- Economy of Mechanism (the K.I.S.S principle)
- Completeness of Design
- Least Common Mechanism
- Open Design
- Consider the Weakest Link
- Redundancy
- Psychological acceptability
- Separation of Duties (SOD)
- Mandatory Vacations
- Job Rotation
- Least privilege
- Need to know
- Dual Control
Risk
Likelihood that a threat will exploit a vulnerability in an asset
Threat
Has the potential to harm an asset
Vulnerability
A weakness; lack of a safeguard
Exploit
Instance of compromise
Security Controls
Protective mechanisms to secure vulnerabilities
Safeguards: Proactive (Deters and/or Prevents)
Countermeasures: Reactive (Detects and/or Corrects)
Secondary Risk
Risk event that comes as a result of another risk response
Residual Risk
The amount of risk left over after a risk response.
Total Risk * Control GAP
Fallback Plan
Plan B
Workaround
Unplanned response
Asset
Something that has value and we need to protect
Total Risk
Amount of risk without implementing mitigation.
Threats * Vulnerabilities * Asset Value
Risk assessment
Identify and valuate assets; identify threats and vulnerabilities
Risk analysis
Value of potential risks
Risk mitigation
Respond to risk
Risk monitoring
Risk 4 ever
Risk Management (AAMM)
Assessment
Analysis
Mitigation
Monitoring
Risk assessment methodologies
OCTAVE
FRAP
NIST 800-30
NIST 800-30 9 steps
- System characterization
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendations
- Results documentation
Risk analysis types
Qualitative: Nature. (High, Medium, Low). Objective opinions.
Quantitative: Determine money value. More expertise and time
Delphi Technique
Qualitative risk analysis technique
AV
Asset Value: Money
EF
Exposure Factor: Percentage of loss expected when an event happens
SLE
Single Loss Expectancy: Cost of a single occurrence of a threat instance. AV * AF
ARO
Annual Rate of Occurrence: How often the threat is expected to materialize
ALE
Annual Loss Expectancy: Cost per year as a result of a threat. SLE * ARO
TCO
Total Cost of Ownership: total cost of implementing safeguards and maintenance.
ROI
Return On Investment: Money saved implementing a safeguard. ALE_before - ALE_after - TCO
Risk mitigation strategies
Reduce: final step is Avoid (eliminate)
Accept: Cost of mitigation > Asset Value. Final step is Reject (not studying the risk)[3 monkeys]
Transfer: Insurance or SLA