Sybex Chapter 1: CIA Concepts Flashcards
Domain 1.1-1.11
Objects
Passive element in a security relationship such as files, computers, network connections, and applications.
Subjects
Active element of a security relationship such as users, programs, and computers
Subject-Object relationship
Subjects act upon an object
Management of the relationship between subjects and objects is known as…
Access control
Three phases of data that must be protected
In storage, in process, in transit
CIA Attack: Sniffing
Confidentiality
CIA Attack: Stealing password files
Confidentiality
CIA Attack: Social Engineering
Confidentiality
CIA Attack: Port Scanning
Confidentiality
CIA Attack: Shoulder surfing
Confidentiality
CIA Attack: Eavesdropping
Confidentiality
CIA Attack: Escalation of privileges
Confidentiality
Events that lead to confidentiality breaches (7)
Failing to properly encrypt a transmission; failing to fully authenticate a remote system before transferring data; leaving open otherwise secured access points; running malicious code that opens a back door (e.g., a RAT); misrouted faxes; documents left on printers; walking away from an unlocked terminal while data is displayed
Confidentiality measures (6)
Encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, extensive personnel training
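Two of the measures on that card, strict access control over subjects and objects (with data classification deciding who may see what) and network traffic padding, shown as working code. This is an added example, not material from the Sybex text; the class and function names, the four-level classification lattice and the 256-byte padding bucket are all assumptions chosen for illustration.

```python
"""Added example (not from the Sybex chapter): a small reference monitor that
enforces strict access control plus data classification between subjects and
objects, and a traffic-padding routine that hides message length.
Names (Subject, Obj, check_access, pad_message) and the lattice are illustrative."""
from dataclasses import dataclass

# Constructed classification lattice: a higher number is more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Subject:
    """Active element of the relationship: a user or process with a clearance."""
    name: str
    clearance: str


@dataclass(frozen=True)
class Obj:
    """Passive element: a file or record carrying a classification and an ACL
    (the set of subject names explicitly granted access)."""
    name: str
    classification: str
    acl: frozenset = frozenset()


def check_access(subject: Subject, obj: Obj, action: str) -> bool:
    """Reference monitor mediating every subject-to-object action, default deny.
    Access is granted only if (1) the subject is on the object's ACL (strict
    access control) and (2) its clearance dominates the object's classification
    (data classification). Both reads and writes use the same two checks here."""
    if action not in ("read", "write"):
        return False
    if subject.name not in obj.acl:
        return False
    return LEVELS[subject.clearance] >= LEVELS[obj.classification]


def pad_message(plaintext: bytes, bucket: int = 256) -> bytes:
    """Network traffic padding: grow every message to the next multiple of
    `bucket` so an eavesdropper who sees only sizes cannot tell a 3-byte
    b"yes" from a 2-byte b"no". Layout: 2-byte big-endian length, payload, zero fill.
    The real transmission would encrypt the padded buffer; that step is omitted."""
    if len(plaintext) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    body = len(plaintext).to_bytes(2, "big") + plaintext
    fill = (-len(body)) % bucket
    return body + b"\x00" * fill


def unpad_message(padded: bytes) -> bytes:
    """Strip the padding using the length prefix (receiver side)."""
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


if __name__ == "__main__":
    payroll = Obj("payroll.xlsx", "confidential", frozenset({"alice", "bob"}))
    alice = Subject("alice", "secret")
    bob = Subject("bob", "internal")
    print(check_access(alice, payroll, "read"))   # on ACL, clearance dominates
    print(check_access(bob, payroll, "read"))     # on ACL, but clearance too low
    print(len(pad_message(b"yes")), len(pad_message(b"no")))  # identical sizes
```

The padding routine is deliberately independent of any cipher: the point the card makes is that message size alone leaks information even when content is encrypted, and padding to a fixed bucket removes that signal.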
Sensitivity
The quality of information that could cause harm or damage if disclosed.
Discretion
An act of decision by which an operator influences or controls disclosure in order to minimize harm or damage.
Criticality (of information)
Level to which information is mission critical
Concealment
Act of hiding or preventing disclosure; the basis of security through obscurity.
Privacy
Keeping information confidential that is PI or that might cause harm, embarrassment, if revealed.
Seclusion (of information)
Storing something in an out-of-the-way location, which can also provide strict access controls.
Isolation
Keeping something separated from others. Prevents commingling of information.
Integrity protection
Prevents unauthorized alterations of data
CIA Attack: Malicious modification
Integrity
CIA Attack: Intentional replacement
Integrity
Integrity violations can occur by…
Attacks
User action
Oversight in security policy
Misconfigured control
Integrity measures (8)
Strict access control, rigorous authentication procedures, intrusion detection systems (IDS), object/data encryption, hash verification, interface restriction, input/function checks, extensive personnel training
Accuracy
Being correct and precise
Truthfulness
Being a true reflection of reality
Authenticity
Being authentic or genuine
Validity
Being factually or logically sound
Nonrepudiation
Being unable to deny having performed an action, or being able to verify the origin of an action.
Accountability
Being responsible for actions and results
Responsibility
Being in charge or having control over something/someone
Completeness
Having all needed components or parts
Comprehensiveness
Being complete in scope
Nonrepudiation is an essential part of…
Accountability
Nonrepudiation can be established using…(4)
Digital certificates
Session identifiers
Transaction logs
other transaction and access control mechanisms
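The "hash verification" integrity measure from the earlier card and the "transaction logs" mechanism from this one share one building block, a cryptographic hash, so one added example covers both: a verify-the-object routine and a hash-chained transaction log that records the session identifier and subject behind every action, where altering or deleting an earlier record breaks every later link. This is added example code, not from the Sybex chapter; the function names, entry fields and sample log are constructed for illustration. Caveat a practitioner should keep in mind: a hash chain gives tamper evidence, not nonrepudiation against whoever holds the log, since that party can recompute the whole chain; nonrepudiation against the actor needs the digital certificates (signatures) the card also lists, which this standard-library-only example does not implement.

```python
"""Added example (not from the Sybex chapter): hash verification of an object
and a hash-chained transaction log. Names and the sample entries are illustrative."""
import hashlib
import hmac
import json
from typing import Dict, List

GENESIS = "0" * 64  # "previous hash" of the first entry; constructed convention


def digest(data: bytes) -> str:
    """SHA-256 hex digest used for both object verification and the chain."""
    return hashlib.sha256(data).hexdigest()


def verify_object(data: bytes, expected_hex: str) -> bool:
    """Hash verification: recompute the object's digest and compare it to the
    stored value. compare_digest avoids a timing side channel on the compare."""
    return hmac.compare_digest(digest(data), expected_hex)


def _entry_hash(entry: Dict) -> str:
    """Canonical JSON (sorted keys) so hashing is stable across dict ordering."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return digest(json.dumps(body, sort_keys=True).encode())


def append_entry(log: List[Dict], session_id: str, subject: str,
                 action: str, obj: str) -> Dict:
    """Append an accountability record. Each entry commits to the previous
    entry's hash, so later entries depend on every earlier one."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "session": session_id, "subject": subject,
             "action": action, "object": obj, "prev": prev}
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log: List[Dict]) -> int:
    """Walk the chain; return the index of the first entry whose link or
    content is wrong, or -1 if the whole log is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:          # a record was removed or reordered
            return i
        if not hmac.compare_digest(_entry_hash(entry), entry["hash"]):
            return i                       # a record's content was altered
        prev = entry["hash"]
    return -1


if __name__ == "__main__":
    # Constructed sample log: two sessions acting on one object.
    log: List[Dict] = []
    append_entry(log, "sess-1", "alice", "read", "payroll.xlsx")
    append_entry(log, "sess-1", "alice", "write", "payroll.xlsx")
    append_entry(log, "sess-2", "bob", "read", "payroll.xlsx")
    print(verify_log(log))          # -1: intact
    log[1]["subject"] = "mallory"   # malicious modification of entry 1
    print(verify_log(log))          # 1: first bad entry
```

The session identifier in each record is what ties a logged action back to an authenticated subject; without it the log proves that something happened, but not who was accountable for it.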
AAA Services
The five elements of AAA services: Identification, Authentication, Authorization, Auditing, Accounting (accountability)
Identification