Module 1: General Security Concepts Flashcards
What is a vulnerability?
A weakness in a system, process, or control that a threat could exploit.
What is a threat?
A potential danger to an asset; anything capable of exploiting a vulnerability to cause harm.
What is an exploit?
When a threat actor successfully takes advantage of a vulnerability.
What is a threat actor?
An adversary with malicious intent.
What are controls?
Tactics, mechanisms, or strategies that proactively minimize risk in one or more ways.
In what ways do controls proactively minimize risk? (Hint: 3 ways)
Reduce/eliminate vulnerabilities; reduce/eliminate the likelihood of vulnerability exploitation by threat actors; reduce/eliminate the impact of an exploit
What are countermeasures?
Controls implemented to address specific threats.
Controls are ______ and countermeasures are _______.
Proactive/Reactive
Countermeasures are ______ effective but ______ broadly efficient.
More/Less
Controls should be ________.
Verifiable (trustworthy)
What is control functionality?
What a control does.
What is control effectiveness?
How well a control works.
What makes up “effectiveness” for a control?
Consistent, complete, reliable, timely operation.
What is control assurance?
A measure of confidence that intended security controls are effective in their application.
What is a control objective?
A statement of desired result/purpose to be achieved.
What is Defense-in-Depth also known as?
Layered security or layered controls.
What is Defense-in-Depth/layered security?
The design and implementation of multiple overlapping layers of diverse controls.
Controls should not be subject to __________ and should maintain _______.
A cascade effect/independence
Diversity in controls refers to what?
Type(s) of controls and associated vendor(s).
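The two cards above (no cascade effect/independence, and diversity of control types and vendors) are easier to reason about with numbers. The following is an added example, not part of the original flashcard set: it assumes a simplified model in which each control is given a made-up probability that a given attack gets past it, and a shared dependency (one identity provider, one vendor's code base) is modeled as a single failure that, when it occurs, defeats every layer at once. Those probabilities are constructed for illustration, not figures from the page.

```python
from functools import reduce


def residual_likelihood(bypass_probs, shared_failure=0.0):
    """Probability an attack gets through a stack of layered controls.

    bypass_probs   - per-layer probability that the attack defeats that layer,
                     assumed independent of the other layers (assumption for
                     this example).
    shared_failure - probability that a dependency common to all layers fails
                     (a cascade); if it does, every layer is bypassed at once.
    With shared_failure == 0 the layers are fully independent and the result
    is simply the product of the per-layer bypass probabilities.
    """
    for p in list(bypass_probs) + [shared_failure]:
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    independent = reduce(lambda acc, p: acc * p, bypass_probs, 1.0)
    # Either the shared dependency fails (all layers gone), or it holds and the
    # attacker must still defeat each independent layer in turn.
    return shared_failure + (1.0 - shared_failure) * independent


def compare_stacks(bypass_probs, shared_failure):
    """Return (independent, cascading) likelihoods for the same set of layers."""
    return (residual_likelihood(bypass_probs, 0.0),
            residual_likelihood(bypass_probs, shared_failure))


if __name__ == "__main__":
    # Constructed layers: a perimeter filter, an authentication step, and
    # endpoint detection, each with an assumed bypass probability.
    layers = [0.2, 0.1, 0.05]
    independent, cascading = compare_stacks(layers, shared_failure=0.1)
    print(f"independent layers: {independent:.4f}")   # product of the three
    print(f"shared dependency : {cascading:.4f}")     # dominated by the cascade
```

The point the cards make falls out of the arithmetic: three independent layers with bypass probabilities 0.2, 0.1 and 0.05 leave a residual likelihood of 0.001, but if all three rely on one dependency that fails with probability 0.1, the residual jumps to roughly 0.1, so the two "extra" layers bought almost nothing. Diversity of control types and vendors is how the shared-failure term is kept near zero.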
What is a security control baseline?
The minimum standard for a given environment.
Control baselines must strategically align with what?
The needs of the organization.
Control baselines are what?
A starting point.
Control baselines should be proportionate to the ______ and _____ of the asset.
Criticality/sensitivity
What is the principle of proportionality?
Control baselines should be proportionate to the criticality and sensitivity classifications of the asset being protected.
What is scoping?
Eliminating unnecessary baseline recommendations that are not applicable.
What is tailoring?
Customizing baseline recommendations to align with organizational requirements.
What is compensating?
Substituting a recommended baseline with a similar control.
What is supplementing?
Augmenting the baseline recommendations.
What is the baseline modification process?
Identify control baseline, apply scoping considerations, tailor controls, select compensating controls (if needed), supplement baseline controls (if needed), publish, implement, assess, monitor.
What is a cost-benefit analysis?
The process of comparing the estimated costs and benefits to determine whether it makes sense to proceed from a business perspective.
What are the control categories?
Technical, managerial, operational, and physical.
What are technical controls?
Control mechanisms implemented using hardware, software, and/or firmware components. These controls can be native or supplemental.
What are managerial controls?
Controls related to risk management, governance, oversight, strategic alignment, and decision making.
What are operational controls?
Controls that align with a process and are primarily implemented and executed by people.
What are physical controls?
Controls designed to address physical interactions. These are generally related to buildings and equipment.
Examples of managerial controls are:
Risk assessments, project management
Examples of technical controls are:
Firewalls, cryptography, authentication systems
Examples of operational controls are:
Change management, testing, training
Examples of physical controls are:
Gates, barricades, locks, security guards, access control vestibules
What are the control classifications?
Deterrent, preventative, detective, corrective
What are deterrent controls?
Controls that discourage a threat agent from acting.
What are preventative controls?
Controls that stop a threat agent from being successful.
What are detective controls?
Controls that identify and report a threat agent or action.
What are corrective controls?
Controls that minimize the impact of a threat agent or modify or fix a situation.
What are compensating controls?
Controls implemented in lieu of a recommended control, providing equivalent or comparable protection.
What are directive controls?
Proactive actions taken to cause or encourage a desirable event or outcome to occur.
What are the components of the Information Security CIA Triad?
Confidentiality, Integrity, Availability
What is confidentiality?
The assurance that information is not disclosed to unauthorized persons, processes, or devices. Covers data at rest (in storage), in use (during processing), and in transit.
What is integrity?
The principle that systems are trustworthy, work as intended, and that data is complete and accurate.
What is availability?
The principle that information systems and supporting infrastructure are operating and accessible when needed.
What is authentication?
The process of verifying identity.
What is authorization?
The process of approving access: deciding what an already-authenticated identity is permitted to do with a given resource.
What is accounting?
The process of recording actions and tracing them back to the identity that performed them.
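Authentication, authorization, and accounting are three separate decisions made in a fixed order, and the cards are easier to remember when you see the order enforced. The following is an added example, not part of the original flashcard set: a small request handler with a constructed user store (salted PBKDF2 password hashes), a constructed role-to-permission map, and an in-memory audit list standing in for an accounting log. User names, passwords, roles, and permissions are all made up for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count is kept low for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: each record holds a random salt, the hash of
# the password, and the user's role. Built at import time so the example runs
# stand-alone without any external directory.
_USERS = {}
for _name, _pw, _role in [("alice", "correct horse battery", "analyst"),
                          ("bob", "hunter2", "viewer")]:
    _salt = os.urandom(16)
    _USERS[_name] = {"salt": _salt, "hash": _hash_password(_pw, _salt), "role": _role}

# Constructed role-to-permission map: (action, resource) pairs each role may perform.
_PERMISSIONS = {
    "analyst": {("read", "logs"), ("write", "tickets")},
    "viewer": {("read", "logs")},
}

AUDIT_LOG = []  # accounting: every decision is recorded, whether or not it succeeded


def authenticate(username: str, password: str) -> bool:
    """Verify identity: does the caller know the secret bound to this username?"""
    record = _USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def authorize(username: str, action: str, resource: str) -> bool:
    """Approve access: may this already-authenticated identity do this?"""
    role = _USERS[username]["role"]
    return (action, resource) in _PERMISSIONS.get(role, set())


def account(username: str, action: str, resource: str, outcome: str) -> None:
    """Trace the action to its source so it can be reviewed later."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username, "action": action, "resource": resource, "outcome": outcome,
    })


def handle_request(username: str, password: str, action: str, resource: str) -> str:
    """Run the three steps in order; authorization never happens before authentication."""
    if not authenticate(username, password):
        outcome = "authentication_failed"
    elif not authorize(username, action, resource):
        outcome = "denied"
    else:
        outcome = "allowed"
    account(username, action, resource, outcome)
    return outcome


if __name__ == "__main__":
    print(handle_request("alice", "correct horse battery", "write", "tickets"))  # allowed
    print(handle_request("bob", "hunter2", "write", "tickets"))                  # denied
    print(handle_request("bob", "wrong", "read", "logs"))          # authentication_failed
    for entry in AUDIT_LOG:
        print(entry)
```

Note that a failed authentication is logged too: accounting is about attributing every attempt to a source, not only the successful ones, which is what makes the log useful to a detective control later.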
What is non-repudiation?
The assurance of the validity and origin of data, such that the originator cannot later deny having produced or sent it.
What is privacy?
The right of an individual to control the use of their personal information.
What are data privacy controls?
Controls related to actions regarding collection, usage, notification, accuracy, and sharing.
What are data security controls?
Controls related to the protection mechanisms of confidentiality, integrity, and availability.