Sec+ Chapter 01: Today's Security Professional Flashcards
CIA triad
Confidentiality: Disallow unauthorized people from accessing sensitive info
Integrity: No unauthorized modification
Availability: Info and systems are ready to meet the needs of legit users when they need them
Security incident
When an org experiences a breach of one or more of the three CIA triad properties
DAD triad
Disclosure: Inverse of confidentiality
Alteration: Inverse of integrity
Denial: Inverse of availability
Financial risk
Risk of monetary damage to the org as a result of a data breach
Reputational risk
Negative publicity surrounding a security breach causes the loss of goodwill among customers, employees, suppliers, and stakeholders
Strategic risk
The risk that an org will not be able to carry out its business plans as a result of a breach
Operational risk
Risk to an org’s ability to carry out its day-to-day functions
Compliance risk
When a breach causes an org to run afoul of legal or regulatory requirements
Control objectives
Statements written by an org describing its desired state of security; they do not themselves carry out any security activities
Security controls
Specific measures that fulfill the security objectives of an org
Technical controls
Controls implemented in an org’s own technology systems to prevent security events
EX: Firewall rules, access control list (ACL), IPS, encryption
Operational controls
Controls managed by people
EX: Security guards, awareness programs
Managerial controls
Focus on the design of the security program and on the policies and processes used to implement it
EX: Periodic risk assessments, security planning exercises, incorporation of security into the org, standard operating procedures
Preventive controls
Prevents access to a particular area
EX: Firewalls, door lock, security guard
Detective controls
Identify and record security events that have already happened
EX: IDS, motion detectors
Corrective controls
Mitigate damage that occurred from security events
EX: Restoring backups after ransomware attack, IPS blocking an attacker
Deterrent controls
May not stop an intrusion, but deters someone from violating security policies
EX: Guard dogs, barbed wire, login banner with warning
Physical controls
Security controls that impact the physical world
EX: Locks, fire suppression, fences, perimeter lights, alarms
Compensating controls
Mitigate the risk associated with exceptions made to a security policy
EX: A legacy system can’t be sunset, so compensating controls are placed around it to isolate it from the network
Data at rest
Stored data that resides on hard drives, tapes, cloud storage, or other storage media
Data in motion
Data in transit over a network
Data in processing
Data actively in use by a computer