Security Governance Flashcards
What are the three parts of the CIA triad ?
Confidentiality, Integrity and Availability
What is the Confidentiality part of the CIA Triad ?
Ensures sensitive information is only seen by authorised users.
What are the three controls that ensure confidentiality ?
Encryption, Access Controls, Steganography
What are the eight most common attacks that breach Confidentiality ?
Sniffing, Shoulder Surfing, Stealing Password files, Capturing Network Traffic, Social Engineering, Port Scanning, Eavesdropping and Escalation of Privileges
What are the six countermeasures to ensure confidentiality ?
Encryption, Network Traffic Padding, Strong Access Control, Strict authentication procedures, Data classification, Personnel Training
What are the four components of Confidentiality ?
Sensitivity, Discretion, Criticality, Concealment, Secrecy, Privacy, Seclusion, Isolation
What is the Integrity part of the CIA triad ?
Refers to the prevention of unauthorised alterations to the data.
Integrity ensures that data is _ _ _
Unaltered, Preserved, Correct
Besides encryption, what other countermeasures can be used to preserve integrity ?
Hashing
What is the availability part of the CIA triad ?
Ensuring that resources are available to access whenever those authorised to do so need to.
What are the three most common threats to availability ?
DOS, Human Error, Natural Disaster
Name three common countermeasures for availability attacks
DOS mitigation and load balancers, backups and high fault tolerance
What is identification ?
The process by which an individual submits proof of their identity to the system.
What is authentication ?
The process by which the system checks and verifies the provided identity.
What is authorisation ?
The set of permissions given to a user of the system
What is auditing ?
Tracking and recording user activity to find out any anomalies in behaviour.
What is the difference between monitoring and auditing ?
Monitoring doesn't record, unlike auditing
What is accounting ?
Linking user activity to identity
What is threat modelling ?
Identifying all possible threats to a system so that they can be categorized and analyzed
What does the phrase threat modelling is proactive mean ?
You are attempting to find and fix issues before they arise.
What are the two categories of threats in threat modelling ?
Internal and External
Where are the highest risks within threat modelling ?
Internal
What are the seven stages of threat analysis ?
Definition of Objectives (DO), Definition of Technical Scope (DTS), Application Decomposition and Analysis (ADA), Threat Analysis (TA), Weakness and Vulnerability Analysis (WVA), Attack Modelling and Simulation (AMS), Risk Analysis and Management (RAM)
What is the main threat modelling scheme for application threats ?
STRIDE - Spoofing, Tampering, Repudiation, Information Disclosure, DOS and Elevation of Privilege
What is spoofing ?
The misrepresentation of identity - MAC Addresses, Wireless Access Points, IP addresses can be spoofed
What is tampering ?
The altering of data at rest or in transit
What is repudiation ?
The denying or shifting of blame for the attack
What are the eight areas that a security policy should cover?
Encryption, Access Control, Authentication, Firewalls, Antivirus, Websites, Routers and switches.
What are the four categories of security policy ?
promiscuous, prudent, permissive and paranoid
Workplace privacy policies should cover ?
Informing your employees, collecting only the information that is required, allowing employees access to their own information, keeping information in a secure area.
Who is responsible for enforcing policies ?
HR
What is risk management ?
Ongoing process of identifying and addressing security risks that could damage or disclose data
What is risk analysis ?
First step of Risk Management, which identifies the risks, the likelihood of occurrence and impact, and determines the cost/benefit ratio for setting up safeguards
What is an Asset ?
Any physical, intellectual property item that belongs to a business and must be protected.
What is asset valuation ?
attributing a monetary and non monetary cost to an asset
What is a threat ?
Anything that could cause damage to an organization's assets
What is a vulnerability ?
A weakness that can be exploited to cause damage to an organization's assets
What is exposure ?
An asset's susceptibility to damage or loss from a threat
What is a risk ?
The likelihood that an asset can be exploited
What are safeguards ?
Measures that are intended to reduce the likelihood of an asset being exploited
What is an attack ?
A concentrated effort to take advantage of a vulnerability
What is a breach ?
Term used to describe a successful attack on an asset
What is quantitative risk analysis ?
Calculates the total monetary loss associated with damage or loss to an asset
What is exposure factor (EF) ?
The percentage loss to the organisation if an asset were to be damaged or lost.
What is single loss expectancy (SLE) ?
The expected loss to the organisation if a single risk were realised against the asset. Asset_Value(AV) * EF
What is the annualised rate of occurrence (ARO) ?
The frequency with which a particular risk is expected to occur each year
What is annualised loss expectancy ?
Expected yearly cost for all threats against each asset ARO * SLE
What are safeguard cost calculations ?
The cost/benefit ratio of implementing safeguards
ALE (Before) - ALE (After) - Annual Cost of Safeguard
What is Qualitative Risk Analysis ?
Determination of intangible cost of damage or loss to an asset
What are the six risk responses coming out of Qualitative Risk Analysis ?
Reduce, Assign, Transfer, Deter, Reject, Avoid
What is risk rejection ?
Ignoring the risk
What is risk assignment ?
Transferring the risk to another entity or assignment