Sybex Chapter 1: CIA Concepts Flashcards

Domain 1.1-1.11

1
Q

Objects

A

Passive element in a security relationship such as files, computers, network connections, and applications.

2
Q

Subjects

A

Active element of a security relationship such as users, programs, and computers

3
Q

Subject-Object relationship

A

Subjects act upon an object

4
Q

Management of relationship between subjects and objects known as…

A

Access control

5
Q

Three phases of data that must be protected

A

In storage, in process, in transit

6
Q

CIA Attack: Sniffing

A

Confidentiality

7
Q

CIA Attack: Stealing password files

A

Confidentiality

8
Q

CIA Attack: Social Engineering

A

Confidentiality

9
Q

CIA Attack: Port Scanning

A

Confidentiality

10
Q

CIA Attack: Shoulder surfing

A

Confidentiality

11
Q

CIA Attack: Eavesdropping

A

Confidentiality

12
Q

CIA Attack: Escalation of privileges

A

Confidentiality

13
Q

Events that lead to confidentiality breaches (7)

A
Failing to:
Encrypt transmission
Fully authenticate remote system
Leaving open access points
Running a RAT
Misrouted fax
Documents left on printers
Walking away from unlocked machine
14
Q

Confidentiality measures (6)

A
Encryption
Network traffic padding
Strict access control
Rigorous auth
Data classification
Training
15
Q

Sensitivity

A

“The quality of information” which could cause harm if disclosed.

16
Q

Discretion

A

Decision where an operator can control disclosure to minimize harm.

17
Q

Criticality (of information)

A

Level to which information is mission critical

18
Q

Concealment

A

Act of hiding or preventing disclosure

Security through obscurity

19
Q

Privacy

A

Keeping information confidential that is PI or that might cause harm, embarrassment, if revealed.

20
Q

Seclusion (of information)

A

Storing something in an out of the way location. Can provide strict access controls.

21
Q

Isolation

A

Keeping something isolated from others. Prevents commingling of information.

22
Q

Integrity protection

A

Prevents unauthorized alterations of data

23
Q

CIA Attack: Malicious modification

A

Integrity

24
Q

CIA Attack: Intentional replacement

A

Integrity

25
Integrity violations can occur by...
Attacks
User action
Oversight in security policy
Misconfigured control
26
Integrity measures (8)
Strict access control
Rigorous authentication procedures
IDS
Object/Data Encryption
Hash verification
Interface restriction
Input/function checks
Training
27
Accuracy
Being correct and precise
28
Truthfulness
Being a true reflection of reality
29
Authenticity
Being authentic or genuine
30
Validity
Being factually or logically sound
31
Nonrepudiation
Not being able to deny having performed an action or being able to verify origin of an action
32
Accountability
Being responsible for actions and results
33
Responsibility
Being in charge or having control over something/someone
34
Completeness
Having all needed components or parts
35
Comprehensiveness
Being complete in scope
36
Nonrepudiation is an essential part of...
Accountability
37
Nonrepudiation can be established using...(4)
Digital certificates
Session identifiers
Transaction logs
Other transaction and access control mechanisms
38
AAA Services
Authentication, Authorization, Accountability, Auditing, Identification
39
Availability
Authorized subjects are granted timely and uninterrupted access to objects
40
Availability offers a high level of...
assurance that objects are available to auth subjects
41
Threats to availability (3)
Device failure
SW errors
Environmental issues
42
Availability attacks
DoS
Object destruction
Communication interruptions
43
Events that lead to availability breaches...
Accidentally deleting files
Overutilizing a HW or SW component
Under-allocating resources
Incorrectly labeling/classifying objects
Policy screwup
Misconfigured control
44
Availability countermeasures (9)
Proper design
Access controls
Performance monitoring
Firewalls
Router redundancy
Backup systems (inc. testing)
Fault tolerance features
Eliminating single points of failure
45
Usability
Being easy to use/learn
46
Accessibility
Assurance that the widest range of subjects can interact without limitations
47
Timeliness
Being prompt, on time, etc.
48
OT
Operational Technology
49
Operational technology (OT)
Systems such as PLC, SCADA, MES (manufacturing execution system)
50
Which systems follow AIC triad?
OT
51
AIC Triad
Availability prioritized overall and integrity over confidentiality
52
Identification
Claiming to be an identity
53
Authentication
Proving you are an identity
54
Authorization
Permissions
55
Auditing
Recording a log of events/activities
56
Accounting/Accountability
Reviewing log files
57
AAA Process
Subject must provide an ID to start the AAA process
58
Authentication factor
Private info that must be kept secret (password, etc.)
59
Access Control Matrix
Permission table. Used to compare subject, object, and intended activity.
60
Monitoring
Watching or oversight
61
Accountability is established by...
Linking a human to activities of an online ID through AAA.
62
Least secure form of authentication
Passwords
63
Protection mechanisms
Common characteristics of security controls (Layering, Abstraction, Data Hiding, Encryption)
64
Layering aka
Defense in Depth
65
Layering should be in a series or in parallel?
Parallel
66
Abstraction
Ability to assign security controls to a group or object by type or function.
67
Data hiding
Preventing data from being discovered or accessed by where it's placed or access control.
68
Security through obscurity
Not informing the subject about an object being present and hoping they don't find it.
69
Encryption
Art and science of hiding comms from unintended recipients.
70
Security governance
The collection of practices related to supporting and directing the security efforts of an org.
71
Common goal of governance (Security, Corporate, IT Governance)
Maintaining business process while striving toward growth and resiliency
72
Security governance is commonly managed by...
A governance committee or BOD.
73
Security management planning
Aligns the security functions to the strategy, goals, mission and objectives of an org.
74
Business case
Documented or stated argument in support of taking a decision or action. Arguing business need to do something.
75
Who is responsible for initiating and defining policies for the org?
Upper and senior management
76
Standards, baselines, guidelines, and procedures are created by who?
Middle management
77
Who implements the security management configuration?
Operational managers and security professionals
78
Bottom up approach to security governance
Security professionals make the decisions. Considered problematic
79
Security management is the responsibility of...
Upper management
80
Security plan is useless without approval from...
Senior management
81
Strategic plan
Long term stable plan. Orgs security purpose. Should include risk assessment
82
Strategic plan useful for how much time?
3-5 years if updated annually
83
Tactical plan
Midterm plan. Provides details on accomplishing goals in strategic plan. Prescribes and schedules tasks to accomplish org goals
84
Tactical plan examples (7)
Project plan
Acquisition plan
Hiring plan
Budget plan
Support plan
Maintenance plan
Dev plan
85
Tactical plan useful time period
Around a year
86
Operational plan
Short term, highly detailed based on strategic and operational plan
87
Operational plan contains...
Resource allotments
Budget requirements
Staffing assignments
Scheduling
Step-by-step implementation procedures
88
Operational plan examples (3)
Training plan
Deployment plan
Product design plan
89
Effective security plans focus attention on...(3)
Specific and achievable objectives
Anticipate change and problems
Basis for decision making for the entire org
90
Change management ensures that...
Any change does not lead to reduced or compromised security. | Being able to roll back changes
91
Change management primary purpose
Make all changes subject to detailed documentation and auditing and reviewed by management
92
Change management goal...
Prevent unwanted reductions in security
93
Change management requires...
Detailed inventory of every component and config. | Complete documentation for every system component
94
Change management goals/requirements
Changes are always controlled
Formal testing process
All changes can be reversed (backout/rollback)
Users are informed of changes
Effects of changes are analyzed
Users informed before change
Negative impact is minimized
Changes reviewed by CAB
95
Parallel run
New system and old system are run in parallel. Processes performed on both simultaneously.
96
Parallel run ensures
New system supports all functionality of old system