General Flashcards
What is the CIA Triad?
Confidentiality
Integrity
Availability
What is Integrity?
Property of Information: maintained in a way that ensures completeness, accuracy, internal consistency, and usefulness for a stated purpose.
What is Confidentiality?
Permitting authorized access while at the same time protecting information from improper disclosure.
What is PII?
Personally Identifiable Information
Sensitivity
Measure of importance of information / reason for need to protect.
Data Integrity
Assurance that data has not been altered in an unauthorized manner.
Availability
Timely and reliable access to, and ability to use, information for authorized users.
Authentication Types
(1) Something you know: password (knowledge based)
(2) Something you have: e.g., token device (token based)
(3) Something you are: biometrics (characteristic based)
Non-Repudiation
Protection against an individual falsely denying having performed a particular action. Capability to determine if an action was taken.
Risk
Measure of the extent to which an entity is threatened by a potential circumstance or event.
Probability vs. Impact
Risk Management: Asset
Something that needs protection.
Risk Management: Vulnerability
Gap or Weakness in Protection
Risk Management: Threat
Something or someone that can exploit a vulnerability.
Risk Matrix
Probability vs. Impact
Risk Treatment
(1) Avoidance
(2) Mitigation
(3) Acceptance
(4) Transfer
Risk Priorities
Qualitative
Quantitative
Semi-Quantitative (critical, high, medium, low)
Security Controls
Physical
Administrative
Technical (or: Logical)
Governance Elements
Regulations and Laws
Standards
Policies
Procedures
Standards (in Governance)
ISO, NIST, IETF, IEEE – usually set by professional organizations or governing bodies.
Laws vs. Standards vs. Policies
Policy is informed by applicable laws and specifies which standards (may be external + internal standards) the organization follows.
ISC2 Code of Ethics Canon
(1) Protect society, common good, necessary public trust and confidence, and infrastructure
(2) Act honorably, honestly, justly, responsibly, and legally.
(3) Provide diligent and competent service to principals.
(4) Advance and protect the profession.
Don’t have to report to law enforcement or ISC2.
ISC2 Code of Ethics Preamble
Purpose and Intent of Code of Ethics
(1) The safety and welfare of society and the common good, duty to principals and each other -> adhere to highest ethical standards of behavior
(2) Strict adherence to the code is a condition of certification.
Breach
Loss of control, compromise, unauthorized disclosure/acquisition
Event
Observable occurrence in a network or system.
Exploit
A particular attack (vector)
Incident
An event that actually or potentially jeopardizes CIA of a system.
Intrusion
Security event in which an intruder gains access without authorization.
Threat
Circumstance or event with potential to impact operations, functions, or CIA
Vulnerability
Weakness or Flaw
Zero Day
Previously unknown system vulnerability with the potential of exploitation.
Incident Response Plan
Preparation
Detection and Analysis
Containment, Eradication, Recovery
Post-Incident Activity
Business Continuity Plan Components
Procedures/Plans/Checklists
Contact Info
Comms Plan
Disaster Recovery Plan
Detailed plan of how to recover, including checklists of how to bring up alternative sites, load backups, and recover data.
Activated in case Incident Response and Business Continuity plans fail.
Business Impact Analysis
Analysis of the impact that loss of a component or of an entire system will have on the business.
Security Control Elements
Objects, Subjects, Rules
Layered Defense / Defense in Depth
Multiple layers of access controls, e.g., MFA
Principle of Least Privilege
Permitting minimum access necessary
Segregation of Duties
Multiple persons should be involved in enabling high-risk transactions.
Discretionary Access Control
Direct mapping of objects <> subjects with level of access. Up to the discretion of the object owner.
Mandatory Access Control
Only security administrators control security rules.