Domain 1: Security Principles Flashcards
What are the three main goals of cybersecurity?
Confidentiality: Protects information from unauthorized disclosure.
Integrity: Protects information from unauthorized changes.
Availability: Protects authorized access to system and data.
CIA
Snooping
Involves gathering information that is out in the open.
Dumpster Diving
Looking through trash for information
Eavesdropping
Rules about sensitive conversations prevent eavesdropping
Wiretapping
Electronic Eavesdropping
Social Engineering
Attacker uses psychological tricks to persuade an employee to hand over information or grant access to it
True or False? Education and Training helps combat Social Engineering
True
Unauthorized Modification
Attackers make changes without permission (can be internal, e.g. employees, or external)
Impersonation
Attackers pretend to be someone else
Man-in-the-Middle (MitM)
- Attackers place themselves in the middle of communication sessions
- Intercepts network traffic as users log in to their system and assumes their role.
- Impersonation on an electronic/digital level.
Replay
- Attackers eavesdrop on logins and reuse the captured credentials
True or False? Encryption protects against replay attacks
True
Denial of Service (DoS)
- When a malicious individual bombards a system with an overwhelming amount of traffic.
- The idea is to send so many requests to a server that it is unable to answer any requests from legitimate users
What can be used to protect against DoS attacks?
Firewalls
Power Outages
Having redundant power sources and back-up generators protects against power outages
Hardware Failures/Destruction
- Failure of servers, hard drives, network gear, etc.
- Redundant components protect against hardware failure
- Building systems that have a built-in redundancy, so that if one component fails, the other will take over
What to do in the event of a hardware failure?
Set up backup data centers. (ex. Cloud)
Service Outages
Service outages may occur due to programming errors, failure of underlying equipment, and many more reasons
Building systems that are resilient in the face of errors and hardware failures protects against service outages
Identification
Identification involves making a claim of identity (Can be false)
Ex. Username
Authentication
Authentication requires proving a claim of identity
Ex. Passwords
Authorization
- Authorization ensures that an action is allowed
- Electronic authorization commonly takes the form of access control lists
- Access Control Lists also provide Accounting functionality
Accounting
- Accounting allows tracking and maintaining logs of user activity
- Can track systems and web browsing history
Controls for password requirements
Length
Complexity
Expiration (Force password changes)
History (Can’t use a past password)
Password Manager
Secured password vaults often protected by biometric mechanisms.
Facilitates the use of strong passwords
Stores passwords
Multi-factor authentication
Something you know (Passwords, pins)
Something you are (Biometrics, voice, fingerprints)
Something you have (Software and hardware tokens)
Single Sign-On (SSO)
- Shares authenticated sessions across systems
- Organizations create SSO solutions within their organizations to avoid users repeatedly authenticating
Non-repudiation
Prevents someone from denying the truth (e.g. denying that they performed an action)
Methods of non-repudiation
- Physical signatures can provide non-repudiation on contracts, receipts, etc.
- Digital signatures use encryption to provide non-repudiation
- Other methods can be biometric security controls, video surveillance, etc.
Organization Privacy Concerns
- Protecting our own data
- Protect your own organization's data
- Educating users
- Educate users on how they can protect their own personal information
- Protecting data collected by our organizations
- Protecting data that was entrusted to the organization (e.g. clients' data)
Types of Private Information
- Personally-Identifiable Information (PII)
- Any information that can be tied back to a specific individual
- Protected Health Information (PHI)
- Health care records
- Regulated by HIPAA
Reasonable Expectation of Privacy
Many laws that govern whether information must be protected are based upon whether the person disclosing the information had a reasonable expectation of privacy
Ex. if you upload a YouTube video, you do not have a reasonable expectation of privacy
True or false. You have a reasonable expectation of privacy when it comes to emails and messages.
True
What is an internal risk and how to handle it?
Internal Risk - Risks that come from inside the organization
Solution: Internal controls can stop it.
What is an external risk and how to handle it?
External Risk - Risks that arise outside the organization.
Solution: Build controls that reduce the chances of attacks/risks being successful. (Multi-factor authentication and social engineering awareness campaigns.)
What is a multiparty risk and how to handle it?
Risks that affect more than one organization.
- Intellectual property theft poses a risk to knowledge-based organizations
- If attackers can alter, delete, or steal this information, it would cause significant damage to the organization and its customers/counterparties
- Violations of software license agreements risk fines and legal action
Risk Assessment
Identifies risks
Threat
External forces that jeopardize security
Threat Vector
Methods used by attackers to get to their target (e.g. social engineering, hacker toolkit, etc.)
Vulnerability
Weaknesses in the security controls
Threat + Vulnerability = ?
Risk
What is likelihood and impact?
Likelihood - Probability that a risk will occur
Impact - Amount of damage a risk will cause.
Qualitative Techniques
Uses subjective ratings to evaluate risk likelihood and impact: usually in the form of low, medium or high on both the likelihood and impact scales.
Quantitative Techniques
Uses objective numeric ratings to evaluate risk likelihood and impact
Risk Avoidance
Changes business practices to make a risk irrelevant
Risk Transference
- Attempting to shift the impact of a risk from your organization to another organization
- Example: Insurance policy
- Note that you cannot always transfer the risk completely (e.g. reputation damage).
Risk Mitigation
Actions that reduce the likelihood or impact of a risk
Risk Acceptance
Choice to continue operations in the face of a risk
Risk Profile
Combination of risks that an organization faces
Inherent Risk
Initial level of risk, before any controls are put in place
Residual Risk
The risk that remains after controls have reduced the inherent risk is known as the residual risk
Control Risk
- New risks that may have been introduced by the controls applied to mitigate risk
- Example: A control applied may be installing a firewall. While that firewall may have mitigated the inherent risk, the risk of that firewall failing is a newly introduced risk
Inherent Risk → Controls Applied → ? + ?
(Residual Risk + Control Risk)
Risk Tolerance
Is the level of risk an organization is willing to accept
Security Controls
Are procedures and mechanisms that reduce the likelihood or impact of a risk and help identify issues
Defense in Depth
- Uses overlapping security controls
- Different methods of security with a common objective
Security professionals use different categories to group similar security controls
First group the controls by their purpose. Then group the controls by their mechanism.
3 Types of Control Purposes are:
- Prevent
- Stops a security issue from occurring
- Detect
- Identify security issues requiring investigation
- Correct
- Remediate security issues that have already occurred
3 Types of Control Mechanisms are:
- Technical
- Use technology to achieve control objectives
- Examples: Firewalls, Encryption, Data Loss Prevention, Antivirus Software
- Technical Control a.k.a. Logical Control
- Administrative
- Uses processes to achieve control objectives
- Examples: User access reviews, log monitoring, performing background checks
- Physical
- Controls that impact the physical world
- Examples: Locks, Security guard
Baselines
- Provide a configuration snapshot
- Dual Net
- You can use the snapshot to assess if the settings are outside of an approved change management process system
- Basically the default configuration setting set by an organization
Versioning/Version Controls
- Assigns each release of a piece of software an incrementing version number that may be used to identify any given copy
- These version numbers are written as three-part decimals, with the
- First number representing the major version of the software
- Second number representing major updates
- Third number representing minor updates
True or False? You must not identify how domestic and international Laws and Regulations apply to an organization
False
Policies
- Provide the foundation for an organization’s information security program
- Describe the organization's security expectations
- Policies are set by Senior Management
- Policies should stand the test of time anticipating future changes
- Compliance with Policies is mandatory
Standards
- Describe the specific details of security controls
- Compliance with Standards is mandatory
Guidelines
- Provide advice to the rest of the organization on best practices
- Compliance with Guidelines is optional
Procedures
- Step-by-step instructions for achieving an objective.
- Compliance can be mandatory or optional
Acceptable Use Policies (AUP)
Describe authorized uses of technology
Data Handling Policies
Describe how to protect sensitive information
Password Policies
- Describe password security practices
- The place where all the password requirements (length, complexity, etc.) get officially documented
Bring Your Own Device Policies (BYOD)
Cover the usage of personal devices with company information
Privacy Policies
- Cover the use of personally identifiable information
- Can be enforced by national and local authorities
Change Management Policies
Cover the documentation, approval, and rollback of technology changes