Infosec Bootcamp Day 1 Flashcards
Identification, Authentication, Authorization
- Identification - identifying factors of user
- Authentication - confirming identification of user
- Authorization - once I&A is completed, system will authorize user based on permissions
Protecting Integrity
- Least privilege - only giving access based on need to know
- Separation of duties - different parts of a process are done by different personnel to ensure the integrity of the process
- Rotation of Duties - rotating personnel through a role helps determine whether the primary user is doing something wrong
Protecting Availability
- Redundancy - multiple instances of critical components
- **Fault Tolerance** - systems can suffer disruption and continue to run
- Contingency Planning - e.g. backup plans
Non-repudiation
Sender cannot deny having sent a message to recipient
Bulk Data is typically sent with what kind of algorithm?
Symmetric!! e.g. AES, private key cryptography
- Data owner
- Data custodian
* data owner - classifies data and determines who needs access
* data custodian - day to day activities; administers, maintains, protects and backs up data
Deming Model
PDCA
* Plan
* Do
* Check
* Act
GDPR drivers
OECD Fair Information Practices
Privacy Law
- Criminal Law
- Common Law
- Civil (Tort) Law
- Administrative Law
Code of Ethics
Calculation of ALE
A tornado is estimated to damage 50% of a facility if it hits. The value of the facility is $1,000,000. The probability is one tornado in ten years. What is the ALE?
AV x EF = SLE
1,000,000 x .5 = 500,000
SLE x ARO = ALE
500,000 x 1/10 = 50,000
STRIDE
- Spoofing - false identity
- Tampering - unauthorized changes
- Repudiation - attacker denies having performed an action
- Information disclosure
- Denial of service
- Elevation of privilege
BIS
CFAA
ECPA
COPPA
BIS - Bureau of Industry and Security; sets regulations on the export of encryption products outside of the U.S.
CFAA - computer fraud
ECPA - Electronic Communications Privacy Act; government wiretap restrictions
COPPA - Children's Online Privacy Protection Act
Due Diligence vs Due Care
Due diligence is establishing a plan, policy, and process to protect the interests of an organization.
Due care is practicing the individual activities that maintain the security effort.
During the annual review of the company's deployed security infrastructure, you have been reevaluating each security control selection. How is the value of a safeguard to a company calculated?
(ALE before safeguard) - (ALE after implementing the safeguard) - (annual cost of safeguard)
Governance
Compares the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.
Gamification
Gamification is a means to encourage compliance and engagement by integrating common elements of game play into other activities, such as security compliance and behavior change.
Renee’s organization is establishing a partnership with a firm located in France that will involve the exchange of personal information. Her partners in France want to ensure that the transfer will be compliant with the GDPR. What mechanism would be most appropriate?
The European Union provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data. If the data were being shared internally within a company, binding corporate rules would also be an option. The EU/US Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but that is no longer valid. Privacy Lock is a made-up term.
- GLBA
- SOX
GLBA - regulations on how financial institutions handle private information belonging to their customers
SOX - mandates certain practices in financial record keeping and reporting for corporations
Delphi Technique
Qualitative risk assessment technique that seeks to reach an anonymous consensus among experts
- Copyright
- Patent
- Copyright - e.g. code, music; lasts 70 years after the death of the last author
- Patent - e.g. an invention; lasts 20 years from the time of submission to the USPTO
BCP vs DRP
BCP - continues operations during the disaster
DRP - recovery efforts to normalcy after disaster
CIA
- **Confidentiality** - most important in government agencies like FedRAMP, DOD; prevents unauthorized disclosure of sensitive information; encryption
- **Integrity** - most important in banking/financial; prevents unauthorized modification of information - password security, hashing
- Availability - most important in the health industry and infrastructure (pipeline crisis); prevents disruption of services and ensures information is available when needed; BC/DR
Ignore Risk vs Accept Risk
In both scenarios, no action is taken on the risk that is presented. When a risk is accepted, however, management has reviewed the control and determined that the risk will be accepted, whereas when a risk is ignored there is no review at all: it is simply ignored and no action is taken on it.