General Security Concepts Flashcards
Name four control categories
- Technical controls
- Managerial controls
- Operational controls
- Physical controls
Which control type is a relatively weak one and why?
- Directive control types
- It’s relatively weak because you basically just ask someone to follow the rules or to do or not do something
Name 6 control types
- Preventive controls (preventive)
- Deterrent controls (deterring)
- Detective controls (warning)
- Corrective controls (correcting)
- Compensating controls (compensating)
- Directive controls (directive)
Explain operational controls
Operational controls are a control category: controls implemented by people instead of systems, for example awareness programs
Explain managerial controls
Managerial controls are a control category: administrative controls such as security policies. Also known as Governance, the G in the term GRC
Explain technical controls
Technical controls are a control category: controls implemented using systems, for example firewalls or anti-virus
What are preventive control types?
Preventive control types prevent something bad from happening, acting before it happens
What are detective control types?
Detective control types identify/detect that something bad is happening but do not necessarily prevent it
What are deterrent control types?
Deterrent control types "scare" someone out of doing bad things by pointing to the consequences
What are corrective control types?
Corrective control types correct the problem and are applied after something bad has happened
What are compensating control types?
Compensating control types are used when existing controls aren’t enough
What are directive control types?
When you direct a subject towards security compliance, basically when you ask someone to do or not do something
When you collect and review a system log, what category and type of control is that?
Category: Technical
Type: Detective
When you restore a system from backup after a ransomware attack, what category and type of control is that?
Category: Technical
Type: Corrective
If you put up warning signs with consequences if you enter a specific room without permission, what category and type of control is that?
Category: Physical
Type: Deterrent
What is the CIA Triad and what do the letters stand for?
- The CIA Triad is the set of fundamentals of security
- C = Confidentiality
- I = Integrity
- A = Availability
Name 3 technical controls that you can apply to ensure the information is confidential
- Encryption
- Access controls
- Two-factor authentication
Name 3 technical controls that you can apply to ensure that the information has not been compromised (integrity)
- Hashing
- Digital signatures
- Certificates
Name 3 technical controls that you can apply to ensure that the information is available when needed
- Redundancy
- Fault tolerance
- Patching
What is Non-repudiation?
Non-repudiation is the assurance that someone cannot deny the validity of something - it provides proof of the origin and integrity of data (confirms who sent it and that it has not been modified on the way)
What is a hash?
Hashing is the process of transforming any given key or string of characters into another value, usually represented by a shorter, fixed-length value or key.
A hash function generates new values according to a mathematical hashing algorithm. To prevent the conversion of a hash back into the original key or string, a good hash always uses a one-way hashing algorithm.
Which key do you encrypt with?
The private key
Which key do you decrypt with?
The public key
What is proof of integrity and proof of origin?
- Proof of integrity proves that data has not been modified
- Proof of origin proves the source of the data
What do the different A's in the AAA framework stand for, and what does each A mean?
- Authentication - Proves that you are who you say you are, using a password for example
- Authorization - What access you have, based on your identification and authentication
- Accounting - What resources are being used (for example login time, data sent and received, logout time)
How can you authenticate a device?
You use a digitally signed certificate on the device
What is Certificate Authority (CA)?
A device or piece of software that is responsible for managing all the certificates in the environment
What is used to validate the certificate on a device?
The CA's (Certificate Authority's) digital signature
Why is it important to use an authorization model?
If you don't use an authorization model it's hard to keep control (why does a specific authorization exist?) and it does not scale well when there are a large number of users.
By creating groups, the authorizations are easier to understand and control, and the model supports any number of users or resources
What is a Gap analysis?
An analysis that defines the gap between where you are and where you want to be
Name two frameworks that can be used to set a security baseline
- NIST Special Publication 800-171 Revision 2
- ISO/IEC 27001
What is Zero trust, easily explained?
Zero trust is a holistic approach to network security where everything must be verified - nothing is inherently trusted.
Name 7 different physical security controls
- Barricades
- Access control vestibules
- Fencing
- Video surveillance
- Guards and access badges
- Lighting
- Sensors
Why does more light mean better physical security?
- Attackers avoid the light
- Easier to see what is happening when lit
- Non-infrared cameras can see better
What is a honeypot?
A honeypot is a network-attached, controlled and safe environment, set up as a decoy to lure cyber attackers into a trap
What is a honeynet?
A honeynet is a larger network of more than one honeypot that looks more like real infrastructure to the attacker
What is a honeyfile?
Honeyfiles are baits inside a honeynet, for example a file named "passwords.txt"
Why is it important to have a change approval process?
To avoid downtime, confusion and mistakes
Why should you have a test environment where you can test changes before making any changes in the production environment?
To be able to test and confirm that the change goes well, and also to be able to test the backout plan/rollback
Name 3 things to consider when choosing a maintenance window for applying a change
- Not doing it during the workday - if possible
- Overnight is often a better choice
- Also consider the time of year
Describe a good change approval process (8 steps)
- Use request forms
- Determine the purpose of the change
- Identify the scope of the change
- Choose a date and time for the change
- Determine affected systems and the impact
- Analyze the risks
- Get approval for the change
- Get end-user acceptance after the change is complete