Domain 1 Security & Risk Management Flashcards
What is a vulnerability
A weakness in a system that could potentially be exploited.
What is a Threat
Anything that can bring harm to a system
What is Impact
attempts to determine what the outcome of a successful exploitation would be
What is Likelihood
An additional input into the risk equation beyond threat and vulnerability
How likely successful exploitation of a vulnerability is.
Quantitative risk analysis
always numerically based and tied directly back to money
Single Loss Expectancy
SLE = EF (Exposure Factor) X AV (Asset Value)
Asset Value
The value of the asset
Exposure Factor (EF)
% of the asset value (AV) lost due to a threat
Annualized Rate of Occurrence (ARO)
Frequency of threat occurrence per year
Annualized Loss Expectancy (ALE)
Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)
Principle of least privileges
Aka Minimum Necessary Access
Individuals are granted only the access necessary to perform their required business functions
Applies to system configuration, firewall rule sets, etc…
Rotation of duties
Forces other people to carry out key tasks normally performed by another employee.
Separation of duties
Limits the risk associated with critical functions/transactions by requiring two parties to perform what one person could otherwise perform alone.
Risk Transfer
Involves a third party to help address the risk
Most common type is breach insurance.
Risk Avoidance
Declining to move forward with a project that introduces an unacceptable level of risk.
e.g. decommissioning of a deployed system.
Risk Mitigation
Take actions that decrease the risk
Reduce the risk to an acceptable level
Request for Information (RFI)
Gathers information about the available providers of the items or services being procured
Request for Proposal (RFP)
Determines which providers will bid for the project, what their proposals look like, and what the cost will be
Request for Quote (RFQ)
Often included as part of the RFP
Determines the cost a supplier/provider would charge
Business Partnership Agreement (BPA)
Typically used when a business operates legally as a partnership
Addresses things like ownership, profit/losses, and contributions
Memorandum of Understanding/Agreement (MOU/MOA)
Used when two organizations interconnect information systems/networks.
Interconnection Security Agreement (ISA)
Technical security requirements when two organizations connect
Supports MOU/MOA
Service Level Agreement (SLA)
Forces providers to agree to provide an acceptable level of security.
Operating Level Agreement (OLA)
Internal agreement that supports SLA
Determines the level of service required of internal departments in order to fully satisfy the details of the SLA
Enterprise License Agreement (ELA)
Governs how an organization that licenses a large volume of software is allowed to use that software
Acceptable Use Policy (AUP)
Catch-all policy that tries to define both expected and prohibited user behavior
Risk
= Threat x Vulnerability
Exploit
Process of a threat taking advantage of a vulnerability
Threat
Anything that can cause harm to an information system
Virus
Malware that requires a carrier
Worm
Malware that self-propagates
Trojan
Benign-appearing function
Covers a malicious function
Non-Disclosure Agreement (NDA)
Neither employer nor employee will divulge sensitive data
Non-Compete Agreement
Establishes that an employee who leaves the organization agrees not to work for a competitor
Non-Solicitation Agreement
Prohibits an employee that leaves the company from
soliciting other employees to also leave
soliciting customers of the employer for business
Opposite of Confidentiality / Integrity / Availability
Confidentiality: Disclosure
Integrity: Alteration
Availability: Destruction
Confidentiality
Prevents unauthorized disclosure of data
Integrity
Prevents unauthorized modification of assets
Availability
Ensures required access to resources remains possible
Identification
Weak, unproven claim of identity
Authentication
Proof that the user's identity claim was legitimate
Authorization
Follows successful authentication and determines what authenticated users can do
Accountability
Logging: details the interactions performed by individuals
Compensatory Damages
Money awarded directly related to the actual losses/harm incurred (e.g. USB stick)
Statutory Damages
Monetary damages designated by law
Punitive Damages
Awards meant to punish the defendant (not tied to actual loss)
Legal Fees
Some but not all jurisdictions consider fees a form of compensatory damages that can be awarded.
Civil Law
Primarily associated with torts, contracts, and property
Burden of proof: preponderance of evidence
No jail time
Criminal Law
Society itself has been harmed
Burden of proof: beyond reasonable doubt
Jail time
Qualitative risk analysis
Not tied to a dollar amount associated with potential loss
Risk Rating
Useful for prioritization of risk
Types of Authentication
Something you know (password/phrases)
Something you have (token)
Something you are (biometrics)
Someplace you are (GPS)
Preventive Control
Prevents an attack from being successful
Detective Control
Tries to detect a problem after an attack occurs
Used after the fact
Hiring procedures and human resources are detective controls
Rotating duties and PTO help discover illegal activities
Deterrent Control
Discourages security violations
Compensating Control
Adding another control/layer
Corrective Control
Reacts to an attack and takes corrective action for data recovery
Recovery control
Restores the operating state to normal after an attack or system failure
Due Care
Base level of protection that a reasonable person takes, e.g. checking a piece of code
Acting as any reasonable person would
Due Diligence
Practice or process that ensures the decided-upon standard of care is maintained
Patent
Protects an invention for 20 years. Must have: utility, novelty, non-obviousness
Copyright
Protects a form of expression (paper, vinyl, etc.)
Trademark
Word, name, symbol, or device used in trade with goods to indicate the source of the goods
Distinguishes them from other goods
Trade Secret
Protects critical intellectual property that is not publicly available
Risk Analysis
Determines where the level of risk is unacceptable
Two approaches: Qualitative and Quantitative.
Threat Modeling
Seeks to understand threats and consider how they might negatively impact security
Attack Surface
Represents all the ways in which an attacker could attempt to introduce data to exploit a vulnerability.
Security Policy
High-level guidance regarding expectations
This is the Why
Standards
Focused on how to achieve what security policies mandate
This is the What
What makes up a policy
Purpose, Related documents, Cancellation, Background, Scope, Policy Statement, Responsibility
Standards
Provides the detailed guidance for carrying out tasks
This is the How
Baseline
More specific implementation of the standard
Guidelines
Are not mandatory
Best practices