Study Guide Ch 1 Flashcards
Confidentiality
the principle that objects are not disclosed to unauthorized subjects
Integrity
the principle that objects retain their veracity and are intentionally modified by only authorized subjects
Availability
the principle that authorized subjects are granted timely and uninterrupted access to objects
Countermeasures for confidentiality include:
encryption,
network traffic padding, strict access control, rigorous authentication procedures,
data classification,
extensive personnel training
Attacks against confidentiality include:
capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, sniffing
Mechanisms which support integrity include:
controls which restrict access to data, objects, and resources
activity logging
Attacks against integrity include:
viruses, logic bombs, unauthorized access,
errors in coding and applications,
malicious modification, intentional replacement,
and system back doors
Countermeasures for maintaining integrity
strict access control, rigorous authentication procedures,
intrusion detection systems, object/data encryption, hash total verification, interface restrictions, input/function checks,
and extensive personnel training.
threats to availability
device failure,
software errors,
environmental issues,
DoS attacks,
object destruction,
communication interruptions
Availability countermeasures include:
monitoring performance and network traffic,
using firewalls and routers to prevent DoS attacks,
implementing redundancy for critical systems,
maintaining and testing backup systems
Identification
the process by which a subject professes an identity and accountability is initiated
How does identification work?
Providing an identity can involve typing in a username, swiping a smart card, waving a proximity device, etc.
Authentication
The process of verifying or testing that the claimed identity is valid
How does authentication work?
Authentication verifies the identity of the subject by comparing one or more factors against the database of valid identities
Authorization
defining the allows and denials of resource and object access for a specific identity
Auditing
the programmatic means by which a subject’s actions are tracked and recorded for the purpose of holding the subject accountable
What does the enforcement of the security policy depend on?
An organization’s security policy can be properly enforced only if accountability is maintained
Non-repudiation
Non-repudiation ensures that the subject of an activity or event cannot deny that the event occurred
What is security management based on?
Strategic, tactical and operational planning
Strategic Plan
a long-term plan that is fairly stable and defines the goals, mission and objectives of the organization
Tactical plan
a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan
Operational Plan
a short-term, highly detailed plan based on the strategic and tactical plans.
Elements of a formal security policy structure
security policy, standards, baselines, guidelines, and procedures
The primary security roles
senior manager, organizational owner, upper management, security professional, user, data owner, data custodian, auditor
Senior manager
ultimately responsible for the security maintained by an organization
Security professional
has the functional responsibility for security, including writing the security policy and implementing it
Data Owner
the person who is responsible for classifying information
Data Custodian
the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management
User
assigned to any person who has access to the secured system
Auditor
responsible for reviewing and verifying that the security policy is properly implemented
How does education fit into the security processes of an organization?
Education is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks
What is layering?
the use of multiple controls in series
Define data hiding
preventing data from being discovered or accessed by a subject
Abstraction
Abstraction is used to collect similar elements into groups, classes, or roles
Encryption
Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients
benefits of using a data classification scheme
- It demonstrates an organization’s commitment to protecting valuable resources and assets.
- It assists in identifying those assets that are most critical or valuable to the organization.
- It lends credence to the selection of protection mechanisms.
- It is often required for regulatory compliance or legal restrictions.
- It helps to define access levels, types of authorized uses, and parameters for declassification and/or destruction of resources that are no longer valuable.
- It helps with data life-cycle management
Benefits of change management
- Changes are always controlled.
- A formalized testing process
- All changes can be reversed
- Users are informed of changes before they occur
- The effects of changes are systematically analyzed.
- The negative impact of changes on capabilities, functionality, and performance is minimized.
- Changes are reviewed and approved by a CAB (change approval board).
The goal of change management
to ensure that any change does not lead to reduced or compromised security
Data classification
the process of organizing items, objects, subjects into categories
Government data classification scheme
Top Secret, Secret, Confidential, SBU, Unclassified
Commercial data classification scheme
Confidential
Private
Sensitive
Public
Define Threat modeling
the security process where potential threats are identified, categorized, and analyzed
3 Approaches to Identifying Threats
Focused on Assets
Focused on Attackers
Focused on Software
STRIDE
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
Threat modeling steps
Identify threats
Diagram
Reduce/Decompose
Prioritize/Mitigation
The DREAD rating system
Damage potential, Reproducibility, Exploitability, Affected users, Discoverability
COBIT
Control Objectives for Information and Related Technology
Data Hiding
preventing data from being discovered or accessed by positioning the data in a logical storage compartment that is not accessible