Sybex Chapter 1: CIA Concepts Flashcards

Domain 1.1-1.11

1
Q

Objects

A

Passive element in a security relationship such as files, computers, network connections, and applications.

2
Q

Subjects

A

Active element of a security relationship such as users, programs, and computers

3
Q

Subject-Object relationship

A

Subjects act upon an object

4
Q

Management of the relationship between subjects and objects is known as…

A

Access control

5
Q

Three phases of data that must be protected

A

In storage, in process, in transit

6
Q

CIA Attack: Sniffing

A

Confidentiality

7
Q

CIA Attack: Stealing password files

A

Confidentiality

8
Q

CIA Attack: Social Engineering

A

Confidentiality

9
Q

CIA Attack: Port Scanning

A

Confidentiality

10
Q

CIA Attack: Shoulder surfing

A

Confidentiality

11
Q

CIA Attack: Eavesdropping

A

Confidentiality

12
Q

CIA Attack: Escalation of privileges

A

Confidentiality

13
Q

Events that lead to confidentiality breaches (7)

A
Failing to:
Encrypt transmission
Fully authenticate remote system
Leaving open access points
Running a RAT
Misrouted fax
Documents left on printers
Walking away from unlocked machine
14
Q

Confidentiality measures (6)

A
Encryption
Network traffic padding
Strict access control
Rigorous auth
Data classification
Training
15
Q

Sensitivity

A

“The quality of information” which could cause harm if disclosed.

16
Q

Discretion

A

Decision where an operator can control disclosure to minimize harm.

17
Q

Criticality (of information)

A

Level to which information is mission critical

18
Q

Concealment

A

Act of hiding or preventing disclosure

Security through obscurity

19
Q

Privacy

A

Keeping information confidential that is PI or that might cause harm or embarrassment if revealed.

20
Q

Seclusion (of information)

A

Storing something in an out-of-the-way location. Can provide strict access controls.

21
Q

Isolation

A

Keeping something isolated from others. Prevents commingling of information.

22
Q

Integrity protection

A

Prevents unauthorized alterations of data

23
Q

CIA Attack: Malicious modification

A

Integrity

24
Q

CIA Attack: Intentional replacement

A

Integrity

25
Q

Integrity violations can occur by…

A

Attacks
User action
Oversight in security policy
Misconfigured control

26
Q

Integrity measures (8)

A
Strict access control
Rigorous authentication procedures
IDS
Object/Data Encryption
hash verification
interface restriction
Input/function checks
training
27
Q

Accuracy

A

Being correct and precise

28
Q

Truthfulness

A

Being a true reflection of reality

29
Q

Authenticity

A

Being authentic or genuine

30
Q

Validity

A

Being factually or logically sound

31
Q

Nonrepudiation

A

Not being able to deny having performed an action or being able to verify origin of an action

32
Q

Accountability

A

Being responsible for actions and results

33
Q

Responsibility

A

Being in charge or having control over something/someone

34
Q

Completeness

A

Having all needed components or parts

35
Q

Comprehensiveness

A

Being complete in scope

36
Q

Nonrepudiation is an essential part of…

A

Accountability

37
Q

Nonrepudiation can be established using…(4)

A

Digital certificates
Session identifiers
Transaction logs
other transaction and access control mechanisms

38
Q

AAA Services

A

Authentication, Authorization, Accountability, Auditing

Identification

39
Q

Availability

A

Authorized subjects are granted timely and uninterrupted access to objects

40
Q

Availability offers a high level of…

A

assurance that objects are available to auth subjects

41
Q

Threats to availability (3)

A

Device failure
SW Errors
Environmental issues

42
Q

Availability attacks

A

DOS
Object Destruction
Communication Interruptions

43
Q

Events that lead to availability breaches…

A
Accidentally deleting files
Overutilizing a HW or SW component
Under-allocating resources
incorrectly labeling/classifying objects
Policy screwup
Misconfigured control
44
Q

Availability countermeasures (9)

A
Proper design
access controls
performance monitoring
firewalls
router
redundancy
backup systems (inc. testing)
fault tolerance features
eliminating single points of failure
45
Q

Usability

A

Being easy to use/learn

46
Q

Accessibility

A

Assurance that the widest range of subjects can interact without limitations

47
Q

Timeliness

A

Being prompt, on time, etc.

48
Q

OT

A

Operational Technology

49
Q

Operational technology (OT)

A

Systems such as PLC, SCADA, MES (manufacturing execution system)

50
Q

Which systems follow AIC triad?

A

OT

51
Q

AIC Triad

A

Availability prioritized over all, then integrity over confidentiality

52
Q

Identification

A

Claiming to be an identity

53
Q

Authentication

A

Proving you are an identity

54
Q

Authorization

A

Permissions

55
Q

Auditing

A

Recording a log of events/activities

56
Q

Accounting/Accountability

A

Reviewing log files

57
Q

AAA Process

A

Subject must provide ID to start the AAA process

58
Q

Authentication factor

A

Private info that must be kept secret (password, etc.)

59
Q

Access Control Matrix

A

Permission table

Used to compare subject, object, and intended activity.

60
Q

Monitoring

A

Watching or oversight

61
Q

Accountability is established by…

A

Linking a human to activities of an online ID through AAA.

62
Q

Least secure form of authentication

A

Passwords

63
Q

Protection mechanisms

A

Common characteristics of security controls (Layering, Abstraction, Data Hiding, Encryption)

64
Q

Layering aka

A

Defense in Depth

65
Q

Layering should be in a series or in parallel?

A

Parallel

66
Q

Abstraction

A

Ability to assign security controls to a group or object by type or function.

67
Q

Data hiding

A

Preventing data from being discovered or accessed by where it’s placed or access control.

68
Q

Security through obscurity

A

Not informing the subject about an object being present and hoping they don’t find it.

69
Q

Encryption

A

Art and science of hiding comms from unintended recipients.

70
Q

Security governance

A

The collection of practices related to supporting and directing the security efforts of an org.

71
Q

Common goal of governance (Security, Corporate, IT Governance)

A

Maintaining business process while striving toward growth and resiliency

72
Q

Security governance is commonly managed by…

A

A governance committee or BOD.

73
Q

Security management planning

A

Aligns the security functions to the strategy, goals, mission and objectives of an org.

74
Q

Business case

A

Documented or stated argument in support of taking a decision or action.

Arguing business need to do something.

75
Q

Who is responsible for initiating and defining policies for the org?

A

Upper and senior management

76
Q

Standards, baselines, guidelines, and procedures are created by who?

A

Middle management

77
Q

Who implements the security management configuration?

A

Operational managers and security professionals

78
Q

Bottom up approach to security governance

A

Security professionals make the decisions. Considered problematic

79
Q

Security management is the responsibility of…

A

Upper management

80
Q

Security plan is useless without approval from…

A

Senior management

81
Q

Strategic plan

A

Long-term, stable plan. Org's security purpose. Should include risk assessment

82
Q

Strategic plan useful for how much time?

A

3-5 years if updated annually

83
Q

Tactical plan

A

Midterm plan.
Provides details on accomplishing goals in strategic plan.
Prescribes and schedules tasks to accomplish org goals

84
Q

Tactical plan examples (7)

A
Project plan
Acquisition plan
Hiring plan
Budget plan
Support plan
Maintenance plan
Dev plan
85
Q

Tactical plan useful time period

A

Around a year

86
Q

Operational plan

A

Short term, highly detailed based on strategic and operational plan

87
Q

Operational plan contains…

A
resource allotments
budget requirements
staffing assignments
scheduling
step by step implementation procedures
88
Q

Operational plan examples (3)

A

Training plan
Deployment plan
Product design plan

89
Q

Effective security plans focus attention on…(3)

A

Specific and achievable objectives
Anticipate change and problems
Basis for decision making for the entire org

90
Q

Change management ensures that…

A

Any change does not lead to reduced or compromised security.

Being able to roll back changes

91
Q

Change management primary purpose

A

Make all changes subject to detailed documentation and auditing and reviewed by management

92
Q

Change management goal…

A

Prevent unwanted reductions in security

93
Q

Change management requires…

A

Detailed inventory of every component and config.

Complete documentation for every system component

94
Q

Change management goals/requirements

A
Changes are always controlled
Formal testing process
All changes can be reversed (backout/rollback)
Users are informed of changes
Effects of changes are analyzed
Users informed before change
Negative impact is minimized
Changes reviewed by CAB
95
Q

Parallel run

A

New system and old system are run in parallel. Processes performed on both simultaneously.

96
Q

Parallel run ensures

A

New system supports all functionality of old system