Domain 1 - Security Principles Flashcards
What is the difference between IT security and Cybersecurity?
Cyber security has to do with assets that have internet access.
What does the CIA in CIA Triad stand for?
Confidentiality, Integrity, Availability
Should IoT devices be on the same network as confidential systems?
No. IoT devices are usually created for functionality, not security. Keep them separate when possible.
What are the three states of data?
Data at rest, data in transit (motion), data in use
What is Data Integrity?
Ensuring data has not been altered
What is the opposite of the CIA Triad?
DAD (Disclosure, Alteration, and Destruction)
What does IAAA stand for?
Identification, Authentication, Authorization, and Accountability
What is an “Identification”?
Something that identifies you: username, ID number, SSN, etc.
What is type 1 authentication?
A password, passphrase, or PIN. Something you remember. These are also called knowledge factors.
What is Type 2 authentication?
IDs, passports, tokens, cookies… Also known as possession factors.
What is Type 3 authentication?
Fingerprints, facial recognition, iris scans, etc. Realistic authentication is another term for these auth types.
What does DAC stand for?
Discretionary Access Control.
When is DAC most often used?
When availability is most important.
How does DAC work?
Access to an object is assigned at the discretion of the object owner.
What does MAC stand for?
Mandatory Access Control
When is MAC most often used?
When confidentiality is the most important
What are labels assigned to when using MAC?
Objects
What are clearances assigned to when using MAC?
Subjects / People
What is RBAC?
Access by grouping
When is RBAC most often used?
When integrity is the most important
What does ABAC stand for?
Attribute based access control
How does ABAC work?
Access to objects is granted based on subjects, objects, and environmental conditions.
What is context based access control?
Access to an object is based on certain contextual parameters such as location, time, sequence of responses, and access history.
What is content based access control?
Access is granted based on the attributes of an object.
What is Accountability?
Often referred to as auditing. It traces an action to a subject's identity.
What does non-repudiation mean when
It means a user cannot deny having performed a certain action.
What are “Subjects”?
These can be users, but also programs.
What are “Objects”?
Any passive data: physical paper and any server data.
What is the equation for Risk?
Threat * Vulnerability (or likelihood)
What is the equation for Total Risk?
Threat * Vulnerability * Asset Value
What is the equation for Residual Risk?
Total Risk - Countermeasures
What is Qualitative Risk Analysis?
How likely is it to happen and how bad is it if it happens? Subjective.
What is Quantitative Risk Analysis?
What will it actually cost us in dollars?
What is Due Diligence?
Doing research before implementation.
What is Due Care?
The implementation itself.
What is the first thing you need to do when you start a risk management initiative for the first time?
Classify your assets by risk criticality.
What does Risk Mitigation mean?
Reducing the risk.
What does Risk Transference mean?
Sharing or transferring the risk to someone else. Cyber insurance is a perfect example of risk transference.
What is Risk Acceptance?
Accepting the risk. This can happen when the counter-measure is more expensive than the risk itself.
What is Risk Avoidance?
When you stop doing whatever you are doing because you cannot mitigate, transfer, or accept this risk.
What is Risk Rejection?
When a risk exists and you ignore it. This is NEVER acceptable.
What does AV stand for in Risk Management?
Asset Value. The value of the asset: the actual dollars and potential penalties for lost PII.
What does EF stand for in Risk Management?
Exposure Factor. How much of the asset is lost. In the case of a laptop being stolen it is 100%.
What does SLE in Risk Management mean?
Single Loss Expectancy. This is the dollar value of the loss.
What does ARO mean in Risk Management?
Annual Rate of Occurrence. For example, how many laptops are stolen per year?
What does ALE mean in Risk Management?
Annualized Loss Expectancy. The total dollar value of the loss.
What is KGI in risk management?
Measurement of the overall goal
What is a KPI in Risk Management?
How well the IT process is performing to achieve the goal.
What does KRI stand for?
Key Risk Indicator
What does KRI in Risk Management mean?
It is a metric that demonstrates the risks an organization is facing or how risky an activity is.
What are Administrative (Directive) Controls?
Organizational Policies and Procedures.
What are the Physical (logical) Controls?
Locks, fences, guards, dogs, etc.
What are Technical controls?
Hardware, software, firmware… Firewalls, antivirus, IDS / IPS, etc.
What are Preventative controls?
They prevent an action from happening. Least privilege, IDS / IPS, etc.
What is a Detective Control?
A control that detects during or after an attack. Logs, cameras, etc.
What is a Corrective Control?
A control that corrects an attack. AV and patching.
What are Recovery controls?
Controls that help us recover after an attack.
What are Deterrent controls?
Controls that deter an attack. They deter, but do not stop, the attack.
What are compensating controls?
Used to compensate for another weakness
What are the four canons of the code of ethics?
Protect Society
Act Honorably
Provide diligent and competent services
Advance and protect the profession
Who handles governance in an organization?
This is handled by the C-Level executives.
Who handles the implementation to meet governance directives?
Management
What is the definition of criminal law?
Incarceration, death, and financial fines
What is the definition of Civil Law (Tort law)?
Individuals, groups, or organizations are the victims, and proof must be “the majority of proof”. This means more likely than not.
What is the definition of Administrative Law (Regulatory Law)?
Laws enacted by government agencies. HIPAA is an example.
What is the definition of Private Regulation?
Compliance that is required by contract. PCI DSS is an example.
What is the definition for customary law?
Handles the personal conduct and patterns of behavior.
Does GDPR cover European citizens living abroad?
No. They need to be physically located in the EU for protections.
Are policies specific?
No, they are high-level and non-specific