Fundamentals of security Flashcards
Threat
Anything that could cause harm, loss, damage, or compromise to our information
technology systems
Vulnerability
Any weakness in the system design or implementation
Risk
Intersection between threats and vulnerabilities
Risk Management
Finding different ways to minimize the likelihood of an outcome and achieve the
desired outcome
CIA triad
Confidentiality, Integrity, Availability
Confidentiality
Refers to the protection of information from unauthorized access and disclosure
Ensures that private or sensitive information is not available or disclosed to
unauthorized individuals, entities, or processes
Integrity
Helps ensure that information and data remain accurate and unchanged from their
original state unless intentionally modified by an authorized individual
Verifies the accuracy and trustworthiness of data over the entire lifecycle
Availability
Ensures that information, systems, and resources are accessible and operational
when needed by authorized users
Methods for confidentiality
- Hashing
- Digital signatures
- Checksums
- Access controls
- Regular audits
Redundancy
Duplication of critical components or functions of a system with the
intention of enhancing its reliability
Redundancy types
- Server redundancy
- Data redundancy
- Network redundancy
- Power redundancy
Non-repudiation
Focused on providing undeniable proof in the world of digital transactions
Security measure that ensures individuals or entities involved in a
communication or transaction cannot deny their participation or the authenticity
of their actions
Authentication
Security measure that ensures individuals or entities are who they claim to be
during a communication or transaction
Common authentication factors
- Knowledge (something you know)
- Possession (something you have)
- Inherence (something you are)
- Action (something you do)
- Location (somewhere you are)
Authorization
Pertains to the permissions and privileges granted to users or entities after they
have been authenticated
Accounting
Security measure that ensures all user activities during a communication or
transaction are properly tracked and recorded
AAA
Authentication, authorization and accounting
Security control categories
- Technical controls
- Managerial controls
- Operational controls
- Physical controls
Security control types
- Preventive
- Deterrent
- Detective
- Corrective
- Compensating
- Directive
Gap analysis
Process of evaluating the differences between an organization’s current
performance and its desired performance
POA&M
Plan of Action and Milestones
- Outlines specific measures to address each vulnerability
- Allocates resources
- Sets up timelines for each remediation task
Zero Trust
Zero Trust demands verification for every device, user, and transaction within the
network, regardless of its origin
Control Plane (Zero Trust)
Refers to the overarching framework and set of components responsible
for defining, managing, and enforcing the policies related to user and
system access within an organization
Data Plane (Zero Trust)
Ensures the policies are properly executed