Exam2 Flashcards
An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
Service Level Agreement (SLA)
Expresses an understanding between two or more parties indicating their intention to work together toward a common goal
Memorandum of Understanding (MOU)
Evaluates the processes and tools used to make measurements. Uses various methods to identify variations within a measurement process that can result in invalid results.
Measurement System Analysis (MSA)
A written agreement that details the relationship between business partners, including their obligations toward the partnership.
Business Partnership Agreement (BPA)
Refers to the date when a product will no longer be offered for sale
End of Life (EOL)
Indicates the date when you expect a lack of vendor support because vendors no longer create patches or upgrades to resolve vulnerabilities for the product.
End of Service Life (EOSL)
Used between two entities to ensure that proprietary data is not disclosed to unauthorized entities.
NDA
System of organizing data according to its sensitivity. Common classifications include public, confidential, secret, and top secret.
Data Classification
Refers to the processes an organization uses to manage, process, and protect data.
Data Governance
Identifies how long data is retained and sometimes specifies where it is stored
Data Retention Policy
- An account on a computer associated with a specific person
- The computer associates the user with a specific identification number
- Storage and files can be private to that user
- Even if another person is using the same computer
- No privileged access to the operating system
- Specifically not allowed on a user account
- This is the account type most people will use
- Your user community
Credential policies: Personnel
- Access to external third-party systems
- Cloud platforms for payroll, enterprise resource planning, etc.
- Third-party access to corporate systems
- Access can come from anywhere
- Add additional layers of security
- 2FA (two factor authentication)
- Audit the security posture of third-parties
- Don’t allow account sharing
- All users should have their own account
Credential policies: Third-party
- Access to devices
- Mobile devices
- Local security
- Device certificate
- Require screen locks and unlocking standards
- Manage through a Mobile Device Manager (MDM)
- Add additional security
- Geography-based
- Include additional authentication factors
- Associate a device with a user
Credential policies: Devices
- Used exclusively by services running on a computer
- No interactive/user access (ideally)
- Web server, database server, etc.
- Access can be defined for a specific service
- Web server rights and permissions will be different than a database server
- Commonly use usernames and passwords
- You'll need to determine the best policy for password updates
Credential policies: Service accounts
- Elevated access to one or more systems
- Super user access
- Complete access to the system
- Often used to manage hardware, drivers, and software installation
- This account should not be used for normal administration
- User accounts should be used
- Needs to be highly secured
- Strong passwords, 2FA
- Scheduled password changes
Credential policies: Administrator/Root Accounts
Process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability.
Change Management
The procedures used to identify, document, approve, and control changes to the project baselines
Change Control
The process of tracking valuable assets throughout their life cycles
Asset management
Any risks from outside an organization. This includes threats from external attackers. It also includes natural threats, such as hurricanes, earthquakes, and tornadoes. Sometimes predictable, often not.
Risk types: External
Any risks from within an organization. This includes employees and all the hardware and software used within the organization. These risks are generally predictable and can be mitigated with standard security controls.
Risk Types: Internal
Occur when an organization contracts with an external organization for goods or services. If the third party suffers an attack, it may expose the contracting organization to additional threats.
Risk Types: Multiparty
- Acceptance
- Avoidance
- Transference
- Mitigation
Risk Management Strategies
When the cost of a control outweighs the risk, an organization will often accept the risk.
Acceptance
An organization can avoid a risk by not providing a service or not participating in a risky activity.
Avoidance
The organization transfers the risk to another entity or at least shares the risk with another entity. The most common method is by purchasing insurance.
Transference
The primary risk is that vendors do not support these systems. If vulnerabilities become known, the vendor doesn’t release patches, and anyone using the system is at risk.
Risk Types: Legacy Systems
Intellectual Property (IP) includes things like copyrights, trademarks, patents, and trade secrets. Intellectual Property is valuable to an organization and IP theft represents a significant risk.
Risk Types: IP theft
If individuals or organizations use software without buying a license, the development company loses money. Similarly, an organization can lose money if it buys licenses but does not protect them.
Risk Types: Software Compliance/Licensing
The organization implements controls to reduce risks. These controls either reduce the vulnerabilities or reduce the impact of the threat.
Mitigation
Helps protect businesses and individuals from losses related to cybersecurity incidents such as data breaches and network damage.
Cybersecurity Insurance
Identifies potential issues that could negatively impact an organization's goals and objectives.
Risk Analysis
Encryption, antivirus, IDS/IPS, firewalls
Technical controls
Risk assessment, vulnerability assessment, pen testing
Administrative controls
Security guards, etc.
Physical controls
Hardening, security training, security guards, change management
Preventative controls
Log monitoring, trend analysis, security audits, CCTV (can also act as a deterrent control)
Detective controls
An IPS detects an attack and then modifies the environment to stop it. Backups and system recovery allow recovery from incidents or failures.
Corrective controls: attempt to reverse the impact of an incident.
Cable and hardware locks deter thieves.
Deterrent controls (can also be described as preventative controls)
Alternate controls used instead of primary ones, when they are not available
Compensating controls
Time-based one-time password; uses a timestamp instead of a counter, and expires within 30 sec.
TOTP
Remains active until it is used, so someone can shoulder surf and steal it.
HOTP
Network authentication protocol within a Microsoft Windows Active Directory, providing mutual authentication to prevent man-in-the-middle and replay attacks (an attacker attempts to impersonate a user after intercepting data).
Kerberos
You can use the same account that has been created with Google/Facebook, etc., so you can do things like pay a website with PayPal.
OAuth
Works with OAuth 2.0, and allows verification without handling credentials.
OpenID Connect