Domain 1: Security and Risk Management Flashcards
Confidentiality
Ensure the protection of the secrecy of data, objects, or resources & prevent or minimize unauthorized access to data.
Integrity
Protecting the reliability and correctness of data; prevents unauthorized alterations of data.
Availability
Means authorized subjects are granted timely and uninterrupted access to objects.
AAA
identification, authentication, authorization, auditing, and accounting
Identification
Identification is the process by which a subject professes an identity and accountability is initiated.
Authentication
The process of verifying that the claimed identity is valid
Authorization
Ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.
Auditing
Auditing, or monitoring, is the programmatic means by which a subject’s actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system.
Accountability
Subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject’s identity and track their activities.
Legally Defensible Security
An organization’s security needs to be legally defensible. When bad things do happen, organizations often desire assistance from law enforcement and the legal system for compensation. To obtain legal restitution, you must demonstrate that a crime was committed, that the suspect committed that crime, and that you took reasonable efforts to prevent the crime. Ultimately, this requires a complete security solution that has strong multifactor authentication techniques, solid authorization mechanisms, and impeccable auditing systems. Additionally, you must show that the organization complied with all applicable laws and regulations, that proper warnings and notifications were posted, that both logical and physical security were not otherwise compromised, and that there are no other possible reasonable interpretations of the electronic evidence. This is a fairly challenging standard to meet. Thus, an organization should evaluate its security infrastructure and redouble its effort to design and implement legally defensible security.
Protection Mechanisms
Protection mechanisms are common characteristics of security controls. Not all security controls must have them, but many controls offer their protection for confidentiality, integrity, and availability through the use of these mechanisms. Common examples of these mechanisms include using multiple layers or levels of access, employing abstraction, hiding data, and using encryption.
Layering
Layering, also known as defense in depth, is simply the use of multiple controls in a series. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass.
Abstraction
Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. Abstraction simplifies security by enabling you to assign security controls to a group of objects collected by type or function.
Data Hiding
Data hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject. Forms of data hiding include keeping a database from being accessed by unauthorized visitors and restricting a subject at a lower classification level from accessing data at a higher classification level.
Security Through Obscurity
Security through obscurity is the idea of not informing a subject about an object being present and thus hoping that the subject will not discover the object. Security through obscurity does not actually implement any form of protection. It is instead an attempt to hope something important is not discovered by keeping knowledge of it a secret. An example of security through obscurity is when a programmer is aware of a flaw in their software code, but they release the product anyway hoping that no one discovers the issue and exploits it.