First CBK Domain Flashcards
What is the CIA Triad (sometimes referred to as AIC)?
Confidentiality
Integrity
Availability
What is Confidentiality in the CIA Triad?
What most people think IT security is; in addition, it's the measures taken to keep our data and secrets secret and to ensure no unauthorized persons can access the data.
What is Integrity in the CIA Triad?
It's how we protect against modifications of the data and systems and how we ensure the data has not been altered.
What is Availability in the CIA Triad?
How we ensure authorized people can access the data they need, when they need to.
What are some threats that target Confidentiality in the CIA Triad?
Attacks on your encryption (cryptanalysis)
Social Engineering
Key loggers (software/hardware), cameras, steganography
IoT (Internet of Things) - The growing number of connected devices we have poses a new threat; they can be a back door to other systems.
What are things we do to ensure Confidentiality regarding the CIA Triad?
Encryption for data at rest (for instance AES256), full disk encryption.
Secure transport protocols for data in motion (SSL, TLS or IPsec).
Best practices for data in use - clean desk, no shoulder surfing, screen view angle protector, PC locking (automatic and when leaving).
Strong passwords, multi-factor authentication, masking, access control, need-to-know, least privilege.
What are some threats that target Integrity regarding the CIA Triad?
Alterations of our data
Code injections
Attacks on your encryption (cryptanalysis).
What are some threats that target Availability regarding the CIA Triad?
Malicious attacks (DDoS, physical, system compromise, staff)
Application failures (errors in the code).
Component failure (Hardware).
What are some things we do to ensure Availability regarding the CIA Triad?
IPS/IDS.
Patch Management.
Redundancy on hardware power (multiple power supplies/UPSs/generators), disks (RAID), traffic paths (network design), HVAC, staff, HA (high availability) and much more.
SLAs – How much uptime do we want (99.9%?) – (ROI)
What is the opposite of the CIA Triad?
DAD: Disclosure, Alteration, and Destruction
What is “Disclosure” regarding the DAD?
Someone not authorized getting access to your information.
What is “Alteration” regarding DAD?
Your data has been changed.
What is “Destruction” regarding DAD?
Your data or systems have been destroyed or rendered inaccessible.
What is IAAA?
Identification and Authentication, Authorization and Accountability
Regarding the "I", Identification, in IAAA, what is it?
Your name, username, ID number, employee number, SSN, etc.
What is the first "A", Authentication, in IAAA?
It is the step to prove you are who you say you are, and it should always be done with multi-factor authentication!
Different types of Authentication are:
Something you know - Type 1 Authentication (passwords, pass phrase, PIN, etc.).
Something you have - Type 2 Authentication (ID, passport, smart card, token, cookie on PC, etc.).
Something you are - Type 3 Authentication (biometrics: fingerprint, iris scan, facial geometry, etc.).
What is the second "A", Authorization, in IAAA?
What you are allowed to access.
▪ We use Access Control models. What and how we implement depends on the organization and what our security goals are.
▪ More on this in Domain 5 - Identity and Access Management (DAC, MAC, RBAC, RUBAC)
What is the third "A", Accountability, in IAAA? (also often referred to as Auditing)
Trace an action to a subject's identity: prove who/what performed a given action (non-repudiation).
What are the Security Governance Principles?
Least Privilege and Need to Know.
▪ Least Privilege – (Minimum necessary access) Give users/systems exactly the access they need, no more, no less.
▪ Need to Know – Even if you have access, if you do not need to know, then you should not access the data.
What is Non-Repudiation?
A user cannot deny having performed a certain action. This uses both Authentication and Integrity.
Define Subject.
Something/someone that's active. Most often users, but can also be programs – the Subject manipulates the Object.
Define Object.
Someone/something that's passive. Any passive data (both physical paper and data) – the Object is manipulated by the Subject.
Can someone/something be both a “Subject” and an “Object”?
Yes, but at different times: an active program is a subject; when closed, the data in the program can be an object.