Security Principles Flashcards
CC Domain 1, including the foundational concepts of cybersecurity.
Confidentiality
is the secrecy of the information within the asset being protected. Confidentiality is the most common form of protection that cyber criminals seek to compromise.
Access controls
are processes, tools, or configuration settings that ensure that access to data is restricted to only those individuals who are authorized to access it.
Access controls are mechanisms to ensure that only those persons or resources who are specifically authorized to access an information resource are allowed to have such access.
Cryptography
makes data unreadable except to authorized persons and protects the confidentiality of data while the data is at rest (in storage) or while it is being transmitted.
Integrity
means that data is not being altered or corrupted in any way.
Hashes
are a technique to detect whether the contents of a data file or any data set have been altered from their original source.
Availability
Availability attacks are commonly known as denial of service (DoS) attacks.
Threat actors
are cyber criminals who seek to compromise the confidentiality, integrity, or availability of these information assets.
Authentication
is the method by which systems verify that a user who is requesting access to a resource really is who they claim to be.
Nonrepudiation
guarantees that the sender of a message cannot later deny having sent the message.
Information assurance
refers to the measure of information security. The goal of information assurance is to verify and ensure the confidentiality, integrity, and availability of data and assets, and this can only be done by measuring the effectiveness of security controls.
Conduct Research
The first step the cyber criminal performs in an attack is to gather as much information as possible about the target to be able to carry out the attack.
Identify Targets
During this phase the attacker tries to identify the organization’s information assets as well as their corresponding vulnerabilities that can be exploited.
Exploit Targets
Once the targets are identified, the attacker can design and execute the attack. This involves probing and taking advantage of specific vulnerabilities with the goal of gaining unauthorized access to the enterprise.
Do Bad Things
Once the attacker gains access, they can do a variety of things to achieve their objective. Usually, the attacker attempts to expand access laterally throughout the network to explore and discover more systems and data to gain deeper access and perform more attacks.
Risk Management
is the term used to describe the discipline of how an organization chooses and implements the right level of security that is appropriate for them and their situation or business.
Risk Identification
identify the potential threats the organization may face and document them in a risk ledger.
Threat modeling
the process of examining each asset, the potential threats faced by each asset, and the adverse effects caused by the threat against the asset.
Risk Management Tiers
* Organizational tier: addresses risk by defining and implementing a holistic risk management program that applies to the entire organization
* Mission/business process tier: addresses the risks of major functions of the business
* Information system tier: addresses the risks of specific information systems
Transfer risk
make it somebody else’s problem (risk transference). The most common form of risk transference is to buy insurance; another is to outsource the risk.
Accept the risk
means that as long as the risk is within acceptable levels, the organization can “live with” the risk and take their chances (risk acceptance). The acceptable level is the organization’s risk appetite.
Avoid the risk
stopping the related activity or shutting down a system entirely (risk avoidance). The most common example of this is shutting down services or software applications that have known flaws or vulnerabilities.
Mitigate the risk
reduce the risk by putting in some kind of control or countermeasure (risk mitigation) -> fix it.
Risk Tolerance
the level of variation (tolerance) in risk that the organization is willing to accept.
Risk Priorities
identify the risk -> record it in the risk ledger -> assess the damage
Governance
the process of defining strategies to oversee the entire organization or a specific subset (such as IT governance, security governance, or financial governance) to meet organizational goals and objectives.
Regulations and Laws
Laws and regulations are rules typically established by a governmental body or similar agency that specify requirements that are legally enforceable.
SOX, HIPAA, FISMA & GDPR
Standards
documents developed and published by external standards organizations containing best practices that may be used for the development of security program elements.
ISO, NIST, PCI SSC, IEEE, IETF, CSA & OWASP
Plans
can be written for all kinds of things such as a vulnerability management plan, business continuity plan, or incident response plan.
Policies
high-level management statements providing prescriptive directives to the organization.
Procedures
step-by-step workflows or instructions that define how a task should be accomplished.
Defense-in-Depth
the concept of coordinating and leveraging multiple layers of controls to increase the effort required for a potential attacker to succeed in their nefarious activity.
Administrative Controls
are management-oriented controls that provide directives and instruction aimed at people within the organization.
Technical controls
are hardware or software components that protect computing and network resources such as computers, servers, mobile devices, computer networks, or data stored within a system.
Physical controls
are tangible controls put in place to protect physical resources against physical threats, including but not limited to break-ins, fires, theft, physical harm, and so on.
Preventive controls
provide functionality that prevents or stops an adverse event or incident.
Examples:
* Administrative (background checks, hiring and termination processes, etc.)
* Technical (network intrusion prevention system, firewall, MFA, antivirus, etc.)
* Physical (fences, door locks, gates, etc.)
Detective controls
provide functionality that helps to discover, detect, or identify when something bad might have occurred, such as an adverse activity, event, intruder, or incident.
Examples:
* Administrative (mandatory vacation, review of access logs, etc.)
* Technical (a system that detects unusual activity on an organization’s network)
* Physical (surveillance cameras, closed-circuit television [CCTV], motion sensor, etc.)
Deterrent controls
provide functionality that deters or discourages a potential adversary from performing an attack or engaging in unwanted behavior.
Corrective controls
provide functionality that fixes a system, process, or activity after an adverse event has occurred.
Examples:
* Administrative (e.g., terminating an employee after an offense or implementing business continuity, disaster recovery, or incident response plans)
* Technical (e.g., antivirus that quarantines malicious software, restoring a system from backup)
* Physical (e.g., using a fire extinguisher to put out a fire, removing datacenter badge access for a lost access card)
Directive controls
provide functionality that serves to communicate expected behavior.
Common examples in day-to-day life might include traffic signs that communicate expected traffic behavior such as “stop,” “yield,” and so on. Directive controls are generally administrative in nature such as policies, standards, procedures, training, and so on.
Compensating controls
serve as an alternate control to a primary control, often used when the primary control is not feasible to implement due to cost, complexity, or other organizational constraints.
Examples:
* Administrative: A small organization has a single employee accepting cash payments, recording deposits, and reconciling financial reports. The company may not have enough staff to fully implement separation of duties, so instead, they implement a process where leadership performs a regular review of reconciliation for additional oversight.
* Technical: An organization is running a critical application that relies on old software that the manufacturer no longer releases security updates for. Migrating to a new application may not be feasible, so the organization may decide to implement network isolation of the application as a compensating control.
* Physical: An organization determines that a full-time security guard for their office is too expensive, so instead they install fences, locks, and alarms as compensating controls.