Domain 1 - Security Principles Flashcards
What is Information Security?
Protects information in every form: paper records, spoken conversations, electronic data, etc.
What is IT security?
Protects information while it is being processed, stored, or communicated by hardware and software.
What is Cyber Security?
The subset of IT security concerned with systems and data that are reachable from the internet (networked systems).
What does the CIA triad stand for?
Confidentiality, Integrity, and Availability
What does confidentiality mean?
That data is not disclosed to or accessed by unauthorized people or processes.
What are the three states of data?
Data:
At rest (stored on disk, tape, etc.)
In motion (in transit over a network)
In use (being processed in memory)
What does Integrity mean?
We ensure the data has not been altered in an unauthorized or undetected way.
What does availability mean?
Ensuring authorized people can access the data and systems they need, when they need them.
What does DAD stand for?
Disclosure, Alteration, and Destruction. It is the opposite of the CIA triad: disclosure breaks confidentiality, alteration breaks integrity, and destruction breaks availability.
What does the IAAA acronym stand for?
Identification
Authentication
Authorization
Accountability
What is identification?
A claim of who you are, before it has been proven. Username, SSN, employee number.
What is an example of Type 1 authentication? Also known as knowledge factors.
Something you know
Your ATM PIN
Your password or passphrase
What is an example of Type 2 authentication? Also known as possession factors.
Something you have
ID card
Passport
Token
Smart card
MFA device
What is an example of Type 3 authentication? Also known as inherence or biometric factors.
Something you are
Iris scan
Facial geometry
Fingerprint
What are physiological characteristics?
Biometrics based on the shape of the body, used for Type 3 authentication (fingerprint, iris, facial geometry).
What are behavioral characteristics?
Biometrics based on a person's patterns of behavior, used for Type 3 authentication (typing rhythm, gait, signature dynamics).
What is Authorization?
The process of granting access to systems and objects after a user has been authenticated; it determines what an authenticated subject may do.
What is DAC (Discretionary Access Control)?
Access to an object is assigned at the discretion of the object's owner, typically through an access control list.
Commonly used when availability and flexibility matter more than strict confidentiality.
What is MAC (Mandatory Access Control)?
Labels (classifications) are assigned to objects, and subjects (users) are assigned clearances; a subject can access an object only if its clearance dominates the object's label, and neither owners nor users can change the labels.
Commonly used when confidentiality is the most important.
What is RBAC?
Role-Based Access Control. Permissions are attached to roles (job functions), and users get access by being assigned to roles.
What is ABAC (Attribute Based Access Control)?
Access to objects is decided by a policy evaluated over attributes of the subject, the object, the requested action, and environmental conditions.
What is context-based access control?
Access to an object is based on contextual parameters such as location, time of day, access history, etc.
What is content based access control?
Access is based on the attributes or content of the object itself. Think of different data being shown on the same website depending on who you are.
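The four models on these cards, plus a context-based environment check, side by side in working code, as an added example that is not part of the original flashcards. The clearance levels, roles, users, permissions and the ABAC policy are all constructed for illustration:

```python
"""Toy versions of the access control models on these cards: DAC, MAC, RBAC,
ABAC (with a context-based environment check). Added example, not from the
original flashcards; every name, level and policy below is constructed."""


# DAC: the object's owner decides who else may access it (here via an ACL).
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {}  # user -> set of permissions granted by the owner

    def grant(self, granter, user, perm):
        """Only the owner may change the ACL. Returns True if the grant was applied."""
        if granter != self.owner:
            return False
        self.acl.setdefault(user, set()).add(perm)
        return True

    def allowed(self, user, perm):
        return user == self.owner or perm in self.acl.get(user, set())


# MAC: objects carry labels, subjects carry clearances; users cannot change either.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_read_allowed(subject_clearance, object_label):
    """No read up: the subject's clearance must dominate the object's label."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# RBAC: permissions attach to roles; users are assigned roles, never permissions directly.
ROLE_PERMS = {
    "analyst": {"read:alerts"},
    "incident_responder": {"read:alerts", "close:alerts", "isolate:host"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"incident_responder"}}


def rbac_allowed(user, perm):
    return any(perm in ROLE_PERMS.get(role, set()) for role in USER_ROLES.get(user, set()))


# ABAC: a policy over subject, object, action and environment attributes.
# The environment checks (network, time of day) are the context-based part.
def abac_allowed(subject, obj, action, env):
    """Policy: a subject may read an object from its own department, but only
    from the corporate network during business hours (08:00-18:00)."""
    if action != "read":
        return False
    if subject["department"] != obj["department"]:
        return False
    if env["network"] != "corporate":
        return False
    return 8 <= env["hour"] < 18


def demo():
    """Runs one decision per model and returns the results as a dict."""
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")  # owner grants bob read, nothing else
    subject = {"department": "finance"}
    ledger = {"department": "finance"}
    return {
        "dac_bob_read": report.allowed("bob", "read"),
        "dac_bob_write": report.allowed("bob", "write"),
        "mac_secret_reads_confidential": mac_read_allowed("secret", "confidential"),
        "mac_confidential_reads_secret": mac_read_allowed("confidential", "secret"),
        "rbac_bob_isolate": rbac_allowed("bob", "isolate:host"),
        "rbac_alice_isolate": rbac_allowed("alice", "isolate:host"),
        "abac_office_hours": abac_allowed(subject, ledger, "read", {"network": "corporate", "hour": 10}),
        "abac_after_hours": abac_allowed(subject, ledger, "read", {"network": "corporate", "hour": 22}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

The difference between the models is who can change the decision: in DAC the owner edits the ACL, in MAC nobody below the security administrator can relabel anything, in RBAC access changes by moving users between roles, and in ABAC the same user gets different answers as the environment changes.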
What is accountability?
Tracing an action back to a subject's identity, typically through audit logs; it depends on identification and authentication having been done properly.
What are subjects?
Users, processes, or applications that request access.
What are objects?
Any resource being accessed: files, databases, devices, etc.
What is the formula for risk?
Threat * Vulnerability * Impact
What is the formula for total risk?
Threat * vulnerability * asset value
What is the formula for residual risk?
total risk - countermeasures
What is the high-level process for risk management?
Identify Risk
Assess Risk
Respond to Risk
Risk monitoring
What is a qualitative risk analysis?
It is subjective: how likely something is to happen and how bad it is if it does happen. It is usually performed first, to decide which risks deserve a quantitative analysis.
What is quantitative risk analysis?
It is objective: what an incident will actually cost us in dollars (AV, EF, SLE, ARO, ALE).
What is due diligence?
Doing the research and investigation before implementation (knowing what should be done).
What is due care?
The implementation itself: acting on what due diligence found, as a reasonable and prudent person would.
What is the first step of the risk assessment process?
Ensuring you have an inventory of your assets.
What are the risk strategies?
Risk mitigation
Risk transference (sharing the risk with a third party, e.g., insurance or outsourcing)
Risk acceptance
Risk avoidance (not pursuing the activity that causes the risk)
What is the asset value in quantitative risk analysis?
The value of the asset in dollars
What is the exposure factor in quantitative risk analysis?
The percentage of the asset's value that is lost in a single incident.
What is single loss expectancy in quantitative risk analysis?
How much a single incident will cost us. SLE = AV * EF.
What is the annual rate of occurrence in quantitative risk analysis?
How many times a specific incident is expected to happen in a year (e.g., once every four years = 0.25).
What is the annualized loss expectancy in quantitative risk analysis?
How much this risk will cost us per year if we don't mitigate it. ALE = SLE * ARO.
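The five quantities above worked through on one scenario, as an added example that is not part of the original flashcards. It also carries the arithmetic one step further than the cards, to the annual value of a countermeasure, which is how the residual risk left after a control gets a dollar figure. The scenario (a file server hit by ransomware, with offline backups as the control) and every number in it are constructed:

```python
"""Quantitative risk analysis with the flashcard terms AV, EF, SLE, ARO, ALE,
plus the cost/benefit of a countermeasure. Added example, not from the original
flashcards; the scenario and every number below are constructed."""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV * EF. exposure_factor is the fraction (0.0-1.0) of the asset lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(years_between_incidents):
    """ARO: an incident expected once every N years happens 1/N times per year."""
    return 1.0 / years_between_incidents


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE * ARO: what the risk costs per year if nothing is done."""
    return sle * aro


def countermeasure_value(ale_before, ale_after, annual_safeguard_cost):
    """Net annual value of a control: (ALE before - ALE after) - its annual cost.
    Positive means the control is worth buying; negative means it costs more than
    the risk it removes, so acceptance or transference may be the better strategy."""
    return (ale_before - ale_after) - annual_safeguard_cost


def assess(asset_value, ef_before, years_between, ef_after, annual_safeguard_cost):
    """Runs the whole calculation for one risk with and without a countermeasure."""
    aro = annualized_rate_of_occurrence(years_between)
    sle_before = single_loss_expectancy(asset_value, ef_before)
    sle_after = single_loss_expectancy(asset_value, ef_after)
    ale_before = annualized_loss_expectancy(sle_before, aro)
    ale_after = annualized_loss_expectancy(sle_after, aro)
    return {
        "sle_before": sle_before,
        "aro": aro,
        "ale_before": ale_before,  # yearly cost with no control in place
        "ale_after": ale_after,    # residual risk once the control is in place
        "control_value": countermeasure_value(ale_before, ale_after, annual_safeguard_cost),
    }


# Constructed scenario: a file server worth $200,000. Ransomware would destroy
# 50% of its value (EF 0.5) and is expected once every four years (ARO 0.25).
# Offline backups cost $8,000 per year and cut the loss per incident to 10% (EF 0.1);
# they do not change how often ransomware arrives, so the ARO stays the same.
FILE_SERVER = dict(asset_value=200_000, ef_before=0.5, years_between=4,
                   ef_after=0.1, annual_safeguard_cost=8_000)

if __name__ == "__main__":
    for name, value in assess(**FILE_SERVER).items():
        print(f"{name:14s} {value:>12,.2f}")
```

For the constructed numbers the ALE drops from $25,000 to $5,000 a year, so after paying $8,000 for the backups the control is still worth $12,000 a year; the same function turns negative if the safeguard costs more than the ALE it removes, which is the signal to look at acceptance or transference instead.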
What is leftover risk called?
Residual Risk
What is a KGI?
Key goal indicator. Measured after the project is done.
What is KPI?
Key performance indicator. Measured on an ongoing activity or a single task while it is in progress.
What are KRIs?
Metrics that demonstrate the risk an organization is facing.
Who sets Risk appetite?
Senior Management
What is a secondary risk?
A new risk that is introduced by the response to another risk.
Where are risks tracked?
The risk register
Single use passwords are what authentication type?
Type 2. Something you have.
What are the access control categories?
Administrative (Directive) controls
Technical (logical) controls - Hardware, Software, Firmware
Physical controls
What are Administrative (Directive) control examples?
Policies, procedures, and laws we need to adhere to.
What are Technical (logical) control examples?
Hardware, software, firmware, smart cards, etc..
What are Physical access control examples?
Locks, doors, fences, dogs, mantraps, alarms, cameras.
What are preventative controls?
They prevent actions from happening.
Least privilege
IPS
Drug Tests
What are detective controls?
They detect during or after an attack
IDS
Alarms
Logs
Camera
What are corrective controls?
Controls that restore a system to its correct state after an attack or incident.
AV
Patches
What are recovery controls?
controls to help us recover after an attack.
Disaster recovery plans
Backups
HA environments
What are deterrent access controls?
Controls that discourage an attacker but don't stop an attack by themselves.
Guard
Dog
Camera
What is a compensating control?
Controls that stand in for a primary control that cannot be implemented or has failed.
A guard stationed around a break in the fence.
What are the four canons of the (ISC)² code of ethics?
Protect society, the common good, necessary public trust and confidence, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service
Advance and protect the profession
Who sets governance?
Senior Leadership
What kind of law is HIPAA?
Administrative (regulatory) law. HIPAA's Privacy and Security Rules are regulations issued and enforced by the US Department of Health and Human Services.
What is an example of private regulations?
PCI DSS (a contractual standard set by the payment card industry, not a law).
Are security breach notification laws federal?
No. In the US there is no single federal breach notification law; all 50 states have their own.
What is the electronic communications privacy act?
A 1986 US law giving protection against warrantless wiretapping of electronic communications. It was weakened by the Patriot Act.
Who does GDPR protect?
Individuals (data subjects) in the EU and EEA, regardless of citizenship; it applies to any organization that processes their personal data.
Who handles the tactical planning?
Management (middle management). Senior management does strategic planning; staff do operational planning.
What can be used to help build policies?
Our strategy: policies translate the strategic plans and goals set by senior management into rules.