Section 1 General Security Concepts Flashcards
What are security risks?
Security risks come in many different categories and types.
What are the varied assets in security?
Assets include data, physical property, and computer systems.
What is the purpose of security controls?
To prevent security events, minimize the impact, and limit the damage.
What are technical controls?
Controls implemented using systems, such as operating system controls, firewalls, and anti-virus.
What are managerial controls?
Administrative controls associated with security design and implementation, including security policies and standard operating procedures.
What are operational controls?
Controls implemented by people instead of systems, such as security guards and awareness programs.
What are physical controls?
Controls that limit physical access, including guard shacks, fences, locks, and badge readers.
What is a preventive control?
A control that blocks access to a resource.
What are examples of preventive controls?
Firewall rules, following security policy, a guard shack that checks all identification, and enabling door locks.
What is a deterrent control?
A control that discourages an intrusion attempt but does not directly prevent access.
What are examples of deterrent controls?
Application splash screens, threat of demotion, front reception desk, and posted warning signs.
What is the purpose of preventive controls?
To block access to resources and prevent unauthorized access.
What is the purpose of deterrent controls?
To make an attacker think twice before attempting an intrusion.
What are detective control types?
Detective control types identify and log an intrusion attempt but may not prevent access.
What actions are involved in detecting the issue?
Collect and review system logs, review login reports, regularly patrol the property, and enable motion detectors.
What are corrective control types?
Corrective control types apply a control after an event has been detected, reverse the impact of an event, and continue operating with minimal downtime.
What actions are involved in correcting the problem?
Restore from backups to mitigate a ransomware infection, create policies for reporting security issues, contact law enforcement to manage criminal activity, and use a fire extinguisher.
What are compensating control types?
Compensating control types use other means when existing controls aren’t sufficient and may be temporary.
What actions can compensate for the exploitation of a weakness?
Block a specific application with a firewall instead of patching the app, implement a separation of duties, require simultaneous guard duties, and use a generator after a power outage.
What is a directive control type?
A directive control type directs a subject towards security compliance.
It is considered a relatively weak security control.
What are some examples of directive controls?
Examples include:
- Store all sensitive files in a protected folder
- Create compliance policies and procedures
- Train users on proper security policy
- Post a sign for ‘Authorized Personnel Only’
What are security controls?
Security controls are measures implemented to manage and mitigate risks.
They can be categorized into various types.
Are the lists of security controls all-inclusive?
No, the lists of security controls are not all-inclusive; there are many categories of control.
What are the main categories of security controls?
The main categories of security controls are Technical, Managerial, Operational, and Physical.
What is an example of a technical security control?
An example of a technical security control is a firewall.
What is an example of a managerial security control?
An example of a managerial security control is an on-boarding policy.
What is an example of a physical security control?
An example of a physical security control is a door lock.
What are some types of security controls?
Types of security controls include Preventive, Detective, Corrective, Deterrent, and Compensating.
What is an example of a detective security control?
An example of a detective security control is system logs.
What is an example of a corrective security control?
An example of a corrective security control is backup recovery.
What is an example of a compensating security control?
An example of a compensating security control is blocking instead of patching.
Can security controls exist in multiple categories?
Yes, some security controls may exist in multiple types or categories.
How do security controls evolve?
New security controls are created as systems and processes evolve.
What is the CIA Triad?
A combination of principles that form the fundamentals of security.
Sometimes referenced as the AIC Triad.
What does Confidentiality in the CIA Triad refer to?
Preventing disclosure of information to unauthorized individuals or systems.
What does Integrity in the CIA Triad ensure?
Messages can’t be modified without detection.
What is the focus of Availability in the CIA Triad?
Ensuring systems and networks are up and running.
What is a key aspect of Confidentiality?
Certain information should only be known to certain people.
What is Encryption?
Encoding messages so only certain people can read them.
What are Access controls?
Selectively restricting access to a resource.
What is Two-factor authentication?
An additional confirmation before information is disclosed.
What does integrity in data refer to?
Data is stored and transferred as intended. Any modification to the data would be identified.
What is hashing?
Hashing maps data of an arbitrary length to data of a fixed length.
What is the purpose of digital signatures?
Digital signatures are a mathematical scheme to verify the integrity of data.
How do certificates work in data integrity?
Certificates combine with a digital signature to verify an individual.
What is non-repudiation?
Non-repudiation provides proof of integrity, so the data can be asserted to be genuine.
What does availability in data security mean?
Information is accessible to authorized users and is always at your fingertips.
What is redundancy in the context of availability?
Redundancy involves building services that will always be available.
What is fault tolerance?
Fault tolerance means the system will continue to run, even when a failure occurs.
What is the purpose of patching in data security?
Patching ensures stability and closes security holes.
What are the main objectives of data security?
The main objectives are integrity, availability, and confidentiality.
What is non-repudiation?
You can’t deny what you’ve said; there’s no taking it back.
How does signing a contract relate to non-repudiation?
Your signature adds non-repudiation; you really did sign the contract and others can see your signature.
What perspective does non-repudiation add for cryptography?
It provides proof of integrity and proof of origin, with high assurance of authenticity.
What is proof of integrity?
It verifies that data does not change; the data remains accurate and consistent.
How is data represented in cryptography for integrity?
We use a hash, which represents data as a short string of text, known as a message digest or fingerprint.
What happens if the data changes?
If the data changes, the hash changes; if the person changes, you get a different fingerprint.
Does hashing associate data with an individual?
No, it only tells you if the data has changed.
What happens when one character is changed in a file?
The hash changes. If the hash is different, something has changed, indicating data integrity has been compromised.
What does integrity prove in a message?
It proves the message was not changed.
What does authentication prove in a message?
It proves the source of the message.
What does non-repudiation ensure?
It ensures that the signature isn’t fake.
How is a message signed?
Sign with the private key. The message doesn’t need to be encrypted, and nobody else can sign this.
How is a signature verified?
Verify with the public key. Any change to the message will invalidate the signature.
What is the first step of the AAA framework?
Identification: This is who you claim to be, usually your username.
What is the second step of the AAA framework?
Authentication: Prove you are who you say you are, using a password and other authentication factors.
What is the third step of the AAA framework?
Authorization: Based on your identification and authentication, what access do you have?
What is the fourth step of the AAA framework?
Accounting: Resources used include login time, data sent and received, and logout time.
Why is authenticating systems challenging?
You have to manage many devices, often devices that you’ll never physically see.
Why can’t a system type a password?
A system can’t type a password, and you may not want to store one.
How can you truly authenticate a device?
Put a digitally signed certificate on the device.
What business processes rely on the certificate?
Access to the VPN from authorized devices and management software can validate the end device.
What is a trusted Certificate Authority (CA)?
An organization has a trusted Certificate Authority (CA). Most organizations maintain their own CAs.
How is a certificate created for a device?
The organization creates a certificate for a device and digitally signs the certificate with the organization’s CA.
How is a certificate used as an authentication factor?
The CA’s digital signature is used to validate the certificate.
What happens after a user or device has authenticated?
They need to know what they have access to.
This is the time to apply an authorization model.
Why not associate individual users directly with access rights?
It does not scale.
What should be placed in the middle of user access?
An authorization model.
What can an authorization model be defined by?
Roles, Organizations, Attributes, etc.
What is a simple relationship in authorization?
User -> Resource.
What are some issues with the simple relationship method?
It is difficult to understand why an authorization may exist and does not scale.
What is the purpose of using an authorization model?
To add an abstraction, reduce complexity, and create a clear relationship between the user and the resource.
How does an authorization model streamline administration?
It makes authorizations easy to understand and supports any number of users or resources.
What is Gap Analysis?
It is the comparison of where you are with where you want to be, identifying the ‘gap’ between the two.
What may be required when collecting information in a Gap Analysis?
Extensive research may be required, considering various factors.
How long can Gap Analysis take?
It can take weeks or months, involving an extensive study with numerous participants.
What should you prepare for during Gap Analysis?
Be ready for emails, data gathering, and technical research.
What is important when choosing a framework?
Work towards a known baseline, which may be an internal set of goals or formal standards.
What should be determined when choosing a framework?
The end goal, such as NIST Special Publication 800-171 Revision 2 or ISO/IEC 27001.
What does NIST Special Publication 800-171 Revision 2 focus on?
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
What does ISO/IEC 27001 pertain to?
Information security management systems.
What is the first step in evaluating people and processes?
Get a baseline of employees, including formal experience, current training, and knowledge of security policies and procedures.
What should be examined in current processes?
Research existing IT systems and evaluate existing security policies.
What is the purpose of comparison in security analysis?
To evaluate existing systems and identify weaknesses along with the most effective processes.
What does a detailed analysis in security involve?
Examining broad security categories and breaking those into smaller segments.
What does the final comparison in an analysis and report include?
Detailed baseline objectives and a clear view of the current state.
What is necessary to transition from the current security state to the goal?
A path that will almost certainly include time, money, and lots of change control.
What is created during the gap analysis report?
A formal description of the current state and recommendations for meeting the baseline.
What is Zero Trust?
Zero trust is a holistic approach to network security that covers every device, every process, and every person.
What is a key principle of Zero Trust?
Everything must be verified; nothing is inherently trusted.
What are some methods used in Zero Trust?
Multi-factor authentication, encryption, system permissions, additional firewalls, monitoring, and analytics.
What does splitting the network into functional planes involve?
It applies to physical, virtual, and cloud components alike.
What is the data plane?
The data plane processes the frames, packets, and network data, including processing, forwarding, trunking, encrypting, and NAT.
What is the control plane?
Manages the actions of the data plane, defines policies and rules, and determines how packets should be forwarded.
Includes routing tables, session tables, and NAT tables.
What is adaptive identity?
Considers the source and the requested resources, utilizing multiple risk indicators such as relationship to the organization, physical location, type of connection, and IP.
What are subjects and systems in policy enforcement?
Includes end users, applications, and non-human entities.
What is a policy enforcement point (PEP)?
Acts as the gatekeeper to allow, monitor, and terminate connections.
Can consist of multiple components working together.
What is the Policy Decision Point?
There’s a process for making an authentication decision.
What does the Policy Engine do?
Evaluates each access decision based on policy and other information sources. It can grant, deny, or revoke access.
What is the role of the Policy Administrator?
Communicates with the Policy Enforcement Point, generates access tokens or credentials, and instructs the PEP to allow or disallow access.
How can the Policy Administrator enhance security?
By making the authentication stronger, if needed.
What is threat scope reduction?
Decrease the number of possible entry points.
What is policy-driven access control?
Combine the adaptive identity with a predefined set of rules.
What is the nature of security relationships?
Security is more than a one-to-one relationship. Broad categorizations provide a security-related foundation.
What are the key categories for security zones?
Trusted, untrusted, internal network, external network, VPN 1, VPN 5, VPN 11, Marketing, IT, Accounting, Human Resources.
What can using security zones achieve?
Using the zones may be enough by itself to deny access.
For example, Untrusted to Trusted zone traffic.
What is an example of an implicitly trusted zone?
Some zones are implicitly trusted.
For example, Trusted to Internal zone traffic.