Domain 1: Security Principles Flashcards
What is Information Security
Protecting paper documents, voice information, data, and the knowledge people have
What is IT Security
Protecting hardware, software, and data (computers, servers, networks, firmware, and data being processed, stored, and communicated)
What is Cyber Security
Everything from IT security that is accessible from the internet
What does CIA stand for
Confidentiality, Integrity, Availability
What is Confidentiality
Keeping our data and systems safe by ensuring no one unauthorised can access it
What is Integrity
Protecting data and systems against modification by making sure the data has not been altered
What is Availability
Ensuring authorised people can access the data they need when they need to
What do we use to ensure Confidentiality
Disk encryption, secure transport encryption, clean desk policies, no shoulder surfing, screen locks, strong passwords, MFA, access control, need-to-know, least privilege
What threatens Confidentiality
attacks on encryption, social engineering, key loggers, cameras, backdoors in IoT devices
What do we use to ensure Integrity
Cryptography, checksums, message digests/hashes (MD5, SHA-1, or SHA-2), digital signatures, access control, non-repudiation
What threatens Integrity
alterations of data, code injections, attacks on encryption
What do we use to ensure Availability
IPS/IDS, patch management, redundancy in power (UPS/generator), disks (RAID), traffic paths (network design), HVAC, staff, high availability design, replication of data
What threatens availability
malicious attacks (DDoS, physical, system compromise, staff), application failures, component failure (hardware)
What is the opposite of CIA
DAD - Disclosure (opposite of confidentiality): someone not authorised getting access
Alteration (opposite of integrity): data has been changed without authorisation
Destruction (opposite of availability): your data or systems are not accessible or are destroyed
What is IAAA
Identification, authentication, authorisation, accountability
what is identification
your username, id number, employee number
what is authentication and what are the types
proving you are the identity you claim to be
Type 1: something you know - passwords, pass phrase, PIN
Type 2: something you have - ID, passport, smart card, token, cookie, phone
Type 3: something you are - biometrics, fingerprint, iris scan, palm vein scan, facial geometry
What are the minimum password requirements
specify minimum length, upper and lower case, numbers, symbols, not contain usernames or easy to guess words or phrases, expiration date, not reused, limit reuse via policy
What is key stretching
adding a few seconds to password verification to make brute force an unfeasible attack
What is Brute Force Attack
using the entire key space to continually guess a password until it is accepted.
How to protect against Brute Force
Key stretching, limit number of incorrect guesses (clipping) - lock account when limit is reached
what is TOTP
a type 2 authentication (something you have) which generates a code from a shared secret every short time period
What is false rejection rate (type 1 error)
an authorised user is rejected. Can occur when biometric settings are too strict (99%+)
what is false accept rate (type 2 error)
an unauthorised user is granted access
What are the two types of biometric identifiers
Physiological characteristics:
fingerprint, palm veins, facial recognition, DNA, palm print, hand geometry, iris, retina.
Behavioral characteristic:
typing rhythm, walk/gait, signature, voice
what are some issues with biometrics
privacy:
biometrics can show diseases, pregnancy, diabetes, neurological diseases
breaches:
pictures of your face and fingers can be used to get through biometric scans
recordings of your voice and copies of your signature
Non-recreation:
stolen passwords can be regenerated, biometrics can't
What is least privilege
the minimum necessary access needed for users to access only exactly what they need
what is need to know
even if you have access, if you do not need to know, then don't access the data
What is DAC
discretionary access control - used when availability is most important. Access to an object is controlled by the object owner. Uses an ACL based on identity
what is MAC
mandatory access control - used when confidentiality is most important. Access to an object is determined by labels and clearance.
what is a label
objects have labels assigned to them to allow subjects with the right clearance to access them
what is clearance
subjects have clearance assigned to them based on their current and future trustworthiness
what is RBAC
role based access control - used when integrity is most important. An access control mechanism defined around roles. A role is assigned permissions, and subjects in that role are added to the group. Can enforce separation of duties and prevent privilege creep
what is ABAC
attribute based access control - access to objects is granted based on subjects, objects, and environmental conditions. Attributes could be subject (name, role, ID, clearance), object (name, owner, date of creation), environment (location, time of access, threat level)
what is context based access control
access to an object is controlled based on parameters such as location, time, sequence of responses, access history. E.g. CAPTCHA, MAC address filtering
what is content based access control
access provided based on attributes or content of an object. The value and attributes of the content being accessed determine the control requirements. E.g. showing or hiding menus in applications
what is accountability (or auditing)
tracing an action to a subject's identity. Proves who did an action (non-repudiation) using logs
what type of user account has zero accountability?
shared/group accounts
what is non repudiation
when a user can't deny having performed a certain action
what is a subject
users and programs. a subject is something that manipulates an object
what is an object
passive data (physical and data). An object is manipulated by a subject
what is privacy
the state of being free from observation or being disturbed by other people and freedom from unauthorised intrusion
how do we calculate risk, total risk and residual risk
risk = threat * vulnerability (or likelihood) * impact
total risk = threat * vuln * asset value
Residual risk = total risk - countermeasures
what is a threat
a potentially harmful incident
what is a vulnerability
a weakness that can allow the threat to do harm
what is due diligence
doing the research of a countermeasure before implementation
what is due care
implementation of the countermeasure