Standards and Important Flashcards
DPO
Data Protection Officer
Makes sure the organization complies with data-privacy laws such as GDPR, which mandates the role for many organizations that process personal data at scale.
PHI
Protected Health Information
GDPR
General Data Protection Regulation
Data protection and privacy for individuals in the EU (and EEA). Restricts transfer of personal data outside the EU unless adequate safeguards are in place, gives individuals rights such as access and erasure (the "right to be forgotten"), and requires the organization to explain its privacy practices and to have a lawful basis for processing.
HIPAA
Health Insurance Portability and Accountability Act
Protects PHI. Regulates how it is stored, used, transmitted over the network, etc.
MOU
Memorandum Of Understanding
Both sides agree to the contents of the memorandum, which often includes statements of confidentiality. An informal letter of intent rather than a full-blown contract; usually not legally binding.
MSA
Measurement System Analysis
Assesses the measurement process itself and calculates measurement uncertainty, so that decisions are based on trustworthy numbers. (In vendor contracts MSA more commonly means Master Service Agreement, the umbrella contract that individual statements of work fall under.)
BPA
Business Partnership Agreement
Details each partner's ownership stake, financial obligations and decision-making rights, and sets out contingencies such as what happens if a partner leaves or the business dissolves.
CIS CSC
Center for Internet Security Critical Security Controls for Effective Cyber Defense
FRAMEWORK of prioritized security controls (twenty controls through version 7; consolidated to eighteen in version 8), with Implementation Groups that scale the controls to different organization sizes.
NIST RMF
National Institute of Standards and Technology Risk Management Framework
A FRAMEWORK (NIST SP 800-37) required for US federal government systems. Six core steps; Rev. 2 added a preliminary Prepare step, making seven.
1. Categorize - Define the system and the impact level of the information it handles
2. Select - Pick appropriate baseline controls and tailor them
3. Implement - Put the controls in place and document how they are implemented
4. Assess - Determine whether the controls are implemented correctly and producing the desired outcome
5. Authorize - A senior official accepts the residual risk and authorizes the system to operate
6. Monitor - Check for ongoing compliance and reassess as the system changes
NIST CSF
National Institute of Standards and Technology Cybersecurity Framework
Voluntary FRAMEWORK aimed at commercial and critical-infrastructure organizations rather than a government mandate.
- Framework Core - Functions Identify, Protect, Detect, Respond, Recover (CSF 2.0 adds Govern), each broken into categories and subcategories of outcomes
- Framework Implementation Tiers - How the organization views cybersecurity risk and how mature its processes for managing that risk are (Partial, Risk Informed, Repeatable, Adaptive)
- Framework Profile - The organization's alignment of the Core's outcomes with its business requirements, risk tolerance and resources; comparing a Current Profile with a Target Profile shows the gaps
ISO/IEC 27001
STANDARD. Specifies the requirements for an ISMS (Information Security Management System).
Organizations implement the ISMS requirements and then go through an external certification audit (stage 1 documentation review, stage 2 on-site audit, followed by periodic surveillance audits) to become ISO 27001 certified.
ISO/IEC 27002
STANDARD
Complement to ISO 27001. Provides best-practice guidance for implementing the controls listed in 27001's Annex A. It is guidance only, so organizations certify against 27001, not 27002.
ISO/IEC 27701
STANDARD, PIMS (Privacy Information Management System)
Extension of ISO/IEC 27001 and 27002. Outlines a framework for managing and protecting PII and maps its controls to privacy regulations such as GDPR.
ISO 31000
STANDARD
Guidelines for risk management in general (not security-specific): principles, framework and process for identifying, analyzing, evaluating and treating risk.
CSA CCM
Cloud Security Alliance Cloud Controls Matrix
FRAMEWORK of cloud-specific security controls, mapped to other standards such as ISO 27001 and PCI DSS, used to assess cloud providers and tenants.
PCI DSS
Payment Card Industry Data Security Standard
A STANDARD for protecting cardholder data, mandated by the card brands for anyone that stores, processes or transmits it. Six control objectives, broken down into twelve requirements.
1. Build and maintain secure network and systems
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access controls measures
5. Regularly monitor and test networks
6. Maintain information security policy
Non-repudiation
Assurance that the originator of data cannot later deny having sent it. Requires proof of both integrity and origin that a third party can verify, which is what a digital signature provides.
MAC (Crypto)
Message Authentication Code
Provides integrity and origin authentication between parties that share the key, but NOT non-repudiation: because the key is shared, either party could have produced the tag, so a third party cannot tell who sent the message. Use a digital signature when non-repudiation is needed.
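Worked example (added here, not part of the original flashcards): HMAC-SHA256 with Python's standard library. The key and messages are constructed for the demo. It shows the tag catching a modified message, and then the receiver forging a perfectly valid tag with the same shared key, which is exactly why a MAC cannot give non-repudiation.

```python
"""Added example (not from the original notes): an HMAC-SHA256 message
authentication code gives integrity and origin authentication between two
parties that share a key, but NOT non-repudiation, because either party can
produce a valid tag. Keys and messages below are constructed for the demo."""
import hashlib
import hmac
import os


def make_tag(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time (no early-exit timing leak)."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    # Constructed demo key; in practice it comes from a key exchange or a KMS.
    shared_key = os.urandom(32)

    # Alice sends an authenticated message to Bob.
    original = b"transfer 100 EUR to account 42"
    tag = make_tag(shared_key, original)

    # Bob verifies: integrity plus "came from someone holding the key".
    accepted = verify_tag(shared_key, original, tag)

    # An attacker without the key cannot modify the message undetected.
    tampered = b"transfer 900 EUR to account 42"
    tampered_accepted = verify_tag(shared_key, tampered, tag)

    # No non-repudiation: Bob holds the same key, so he can forge a message
    # "from Alice" with a tag that verifies perfectly. A third party cannot
    # tell whether Alice or Bob produced it. A digital signature, made with a
    # private key only Alice holds, is what proves origin to others.
    forged = b"transfer 900 EUR to account 42"
    forged_tag = make_tag(shared_key, forged)
    forged_accepted = verify_tag(shared_key, forged, forged_tag)

    return {
        "accepted": accepted,
        "tampered_accepted": tampered_accepted,
        "forged_by_receiver_accepted": forged_accepted,
    }


if __name__ == "__main__":
    # {'accepted': True, 'tampered_accepted': False, 'forged_by_receiver_accepted': True}
    print(demo())
```

Note the use of hmac.compare_digest rather than == for the comparison: a byte-by-byte equality check that stops at the first mismatch leaks timing information about how many leading bytes of a guessed tag are correct.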
RFC 3227
Guidelines for Evidence Collection and Archiving. Covers the order of volatility (collect the most volatile data first: registers and cache, memory, network state, running processes, disk, then removable and archival media), chain of custody, and avoiding changes to the evidence while collecting it.
MITRE ATT&CK
ATTACK FRAMEWORK, MITRE Adversarial Tactics, Techniques, and Common Knowledge
Knowledge base of tactics (the adversary's goal, e.g. Initial Access, Persistence, Exfiltration) and techniques (how that goal is achieved), with mitigations and detection guidance for each technique.
Diamond Model of Intrusion Analysis
Four core features of every intrusion event: Adversary, Capability, Infrastructure, Victim. The adversary uses a capability over infrastructure against a victim; analysts pivot along the edges (e.g. from a victim to the infrastructure used against it) to link events into a campaign.
COOP
Continuity of Operations Planning
Plan for continuing operations while certain systems are unavailable, e.g. paper receipts, manual transactions, etc.
OCSP Stapling
Online Certificate Status Protocol Stapling
Improves the scalability of OCSP checks. Instead of every client querying the CA's OCSP responder, the server periodically fetches a time-stamped, CA-signed OCSP response for its own certificate and "staples" it into the SSL/TLS handshake. The client verifies the CA's signature on the stapled response, so it learns the revocation status without contacting the CA (and without revealing to the responder which site it is visiting).
Pinning
Pin the expected certificate or public key to an application, compiled into the app or learned on first run, so that a certificate issued by any other CA (even a trusted one) is rejected. Caveat: rotating a pinned key can lock users out, so pin a backup key as well.
CSR
Certificate Signing Request.
Contains your public key and identity information (e.g. the site's name) and is signed with your private key. Sent to the CA, which validates your identity and issues a signed certificate; you then install that certificate on your server. The private key never leaves your system.
SAML
Security Assertion Markup Language. XML-based standard for exchanging authentication and authorization assertions between an identity provider and a service provider; commonly used to implement SSO. Not well suited to mobile and native apps.
OAuth
Authorization framework for delegated access: determines what resources a third-party application may access on a user's behalf (e.g. an app wants to access your Google files) without the user handing over their password. OAuth alone does not authenticate the user; OpenID Connect adds an identity layer on top of it.
SWG
Secure Web Gateway (next-generation)
Proxy that inspects web and cloud traffic at the application layer, including API calls and JSON payloads, and allows or blocks specific activities (e.g. uploading a file to a personal cloud account) rather than just whole sites.
NIST SP800-61
Computer Security Incident Handling Guide
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-incident Activity
IPSEC Components
- AH - Authentication Header. A protocol. Provides data integrity, origin authentication and anti-replay protection over the whole packet (including the IP header) using a hash/MAC; does NOT provide encryption. Because the outer header is covered, AH does not survive NAT.
- ESP - Encapsulating Security Payload. Encrypts the tunneled data and can also authenticate it (integrity checking), but its authentication does not cover the outer IP header.
- ESP with authentication (the usual choice) or AH combined with ESP gives confidentiality plus integrity and authentication.
ECC
Elliptic Curve Cryptography - Asymmetric. Reaches the same security level as RSA with much smaller keys (a 256-bit curve is roughly equivalent to 3072-bit RSA), so it needs less processing power, storage and bandwidth; well suited to mobile and IoT devices.
Block Cipher Mode: CTR
Counter Mode
Turns a block cipher into a stream cipher: the cipher encrypts successive values of a counter (nonce plus counter) to produce a keystream that is XORed with the plaintext. No padding is needed, blocks can be processed in parallel, and decryption is the same operation as encryption. A nonce/counter value must never be reused with the same key, or the XOR of two ciphertexts reveals the XOR of the two plaintexts.
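Worked example (added, not from the original notes): a minimal CTR mode in Python. The standard library has no AES, so a keyed PRF (HMAC-SHA256 truncated to 16 bytes) stands in for the block cipher's encryption of each counter block; that stand-in is an assumption of this demo, while the CTR construction around it is the real one. The key, nonce and plaintexts are constructed. It shows encryption and decryption being the same operation, and what a reused nonce leaks.

```python
"""Added example (not from the original notes): counter (CTR) mode turns a
block cipher into a stream cipher. Python's stdlib has no AES, so a keyed
PRF (HMAC-SHA256 truncated to 16 bytes) stands in for the block cipher's
encryption of each counter block; the CTR construction itself is unchanged.
Keys, nonces and plaintexts are constructed for the demo."""
import hashlib
import hmac

BLOCK_SIZE = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one 16-byte block (keyed PRF)."""
    assert len(block) == BLOCK_SIZE
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Encrypt successive counter blocks (nonce || counter) and concatenate."""
    assert len(nonce) == 12, "96-bit nonce + 32-bit counter = one 16-byte block"
    out = bytearray()
    counter = 0
    while len(out) < length:
        counter_block = nonce + counter.to_bytes(4, "big")
        out += block_encrypt(key, counter_block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; encryption and decryption are the same op."""
    return xor_bytes(data, ctr_keystream(key, nonce, len(data)))


def demo_roundtrip() -> bool:
    """Ciphertext is the same length as the plaintext (no padding) and
    applying ctr_crypt twice returns the original."""
    key, nonce = b"k" * 16, b"n" * 12
    pt = b"no padding needed: length is arbitrary"
    ct = ctr_crypt(key, nonce, pt)
    return len(ct) == len(pt) and ctr_crypt(key, nonce, ct) == pt


def demo_nonce_reuse() -> bytes:
    """Two messages encrypted under the same key AND nonce share a keystream,
    so c1 XOR c2 == p1 XOR p2. An attacker who knows p1 recovers p2 without
    ever learning the key."""
    key, nonce = b"k" * 16, b"n" * 12
    p1 = b"attack at dawn!!"
    p2 = b"retreat at dusk!"
    c1 = ctr_crypt(key, nonce, p1)
    c2 = ctr_crypt(key, nonce, p2)
    return xor_bytes(xor_bytes(c1, c2), p1)  # == p2, recovered from ciphertext alone


if __name__ == "__main__":
    print(demo_roundtrip())    # True
    print(demo_nonce_reuse())  # b'retreat at dusk!'
```

Real deployments pair CTR with a MAC (CCM) or use GCM, because CTR alone gives no integrity: flipping a ciphertext bit flips the same plaintext bit.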
NAS
Network Attached Storage
Provides file-level access to a large storage array over the network (protocols such as SMB or NFS). Clients work with whole files, so modifying a file means writing the entire file back. Requires a lot of bandwidth.
SAN
Storage Area Network
Provides block-level access to storage over a dedicated network (e.g. Fibre Channel or iSCSI). Looks and feels like a local storage device to the host. To modify a file only the changed blocks are written, not the entire file. Requires a lot of bandwidth.
RAID 0
- Striping without parity.
- High performance, NO FAULT TOLERANCE, NO REDUNDANCY
- 2 Disks minimum; one disk failure loses all data
RAID 1
- Mirroring
- Duplicates data for fault tolerance, requires twice the disk space
- 2 Disks minimum
RAID 5
- Striping with distributed parity
- Fault tolerant: survives one disk failure, at the cost of only one disk's worth of capacity for parity
- 3 Disks minimum
RAID 6
- Extension of RAID 5 with a second, independent parity block per stripe
- Survives two simultaneous disk failures
- 4 Disks minimum
RAID 10 or RAID 1+0
- Combines mirroring (RAID 1) and striping (RAID 0): data is striped across mirrored pairs, giving both performance and fault tolerance (survives one failure per mirror)
- 4 Disks minimum
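Worked example (added, not from the original notes) of the parity idea behind RAID 5: a small Python simulation that stripes data across four in-memory "disks" with one rotating XOR parity chunk per stripe, drops one disk, and rebuilds it from the survivors. The chunk size, disk count and payload are constructed for the demo; a real controller works on much larger chunks.

```python
"""Added example (not from the original notes): how RAID 5 survives one disk
failure. Each stripe holds data chunks on all but one disk plus an XOR parity
chunk on the remaining (rotating) disk; any single missing chunk is the XOR
of the others in its stripe. "Disks" here are in-memory lists constructed for
the demo."""

CHUNK = 4  # bytes per chunk; real arrays use 64 KiB or more


def xor_chunks(chunks) -> bytes:
    """XOR any number of equal-sized chunks together."""
    out = bytearray(CHUNK)
    for c in chunks:
        for i in range(CHUNK):
            out[i] ^= c[i]
    return bytes(out)


def parity_disk_for(stripe: int, n_disks: int) -> int:
    """Rotate the parity chunk across disks so no single disk is the parity bottleneck."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data: bytes, n_disks: int):
    """Stripe data across n_disks with rotating parity (RAID 5 needs >= 3 disks)."""
    assert n_disks >= 3
    data_per_stripe = CHUNK * (n_disks - 1)
    data = data + b"\0" * (-len(data) % data_per_stripe)  # pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // data_per_stripe):
        stripe = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        chunks = [stripe[i:i + CHUNK] for i in range(0, data_per_stripe, CHUNK)]
        parity_disk = parity_disk_for(s, n_disks)
        it = iter(chunks)
        for d in range(n_disks):
            disks[d].append(xor_chunks(chunks) if d == parity_disk else next(it))
    return disks


def raid5_rebuild(disks, lost: int):
    """Reconstruct the lost disk chunk by chunk as the XOR of the survivors.
    Works for data and parity chunks alike, which is why any ONE disk may fail."""
    survivors = [d for i, d in enumerate(disks) if i != lost]
    n_stripes = len(survivors[0])
    return [xor_chunks([d[s] for d in survivors]) for s in range(n_stripes)]


def raid5_read(disks, n_bytes: int) -> bytes:
    """Read the data back, skipping the parity chunk in each stripe."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = parity_disk_for(s, n_disks)
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:n_bytes])


def demo(lost_disk: int = 1) -> bool:
    """Write, fail one disk, rebuild it, and confirm the payload is intact."""
    payload = b"RAID5: one disk can fail and the data survives."
    disks = raid5_write(payload, 4)
    disks[lost_disk] = None                      # simulate a disk failure
    disks[lost_disk] = raid5_rebuild(disks, lost_disk)
    return raid5_read(disks, len(payload)) == payload


if __name__ == "__main__":
    print(all(demo(d) for d in range(4)))  # True: any single disk can be rebuilt
```

Losing two disks leaves two unknowns per stripe and one XOR equation, which is not solvable; RAID 6 adds a second, independent parity computed differently (Reed-Solomon style) so two unknowns can be recovered.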
WPA2-Enterprise
Uses 802.1X port-based authentication, so each user authenticates with individual credentials (via EAP) against a RADIUS server instead of everyone sharing one pre-shared key.
SOX
Sarbanes-Oxley Act. US financial-reporting regulation that makes executives individually responsible for the accuracy of financial reports; drives data-governance and audit controls on the systems that produce those reports.
CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. Used by WPA2. Uses AES in counter mode for confidentiality and CBC-MAC for message integrity (the combination is the CCM mode).
GCMP
Galois/Counter Mode Protocol. Authenticated-encryption block cipher mode used by WPA3. Confidentiality with AES in counter mode; integrity guaranteed by GMAC (Galois Message Authentication Code). More efficient than CCMP because the authentication tag can be computed in parallel.
WPA3
WPA3-Personal still uses a passphrase, but replaces the WPA2 PSK four-way handshake with SAE (Simultaneous Authentication of Equals, a Dragonfly key exchange), which prevents offline dictionary attacks on a captured handshake and adds PFS. Also uses GCMP for confidentiality and integrity.
PFS
Perfect Forward Secrecy. Achieved with ephemeral key exchange (DHE or ECDHE, asymmetric): a fresh random key pair is generated for every session and discarded afterwards, so a later compromise of the server's long-term private key does not let an attacker decrypt recorded past sessions.