SYO 701 - Andrew Flashcards
Confidentiality
The measures taken to ensure that sensitive information is not disclosed to unauthorized individuals, entities, or processes.
Access Controls: use of Passwords, Biometric Verification, access cards.
Encryption: process of encoding information in such a way that only authorized parties can read it. An Encryption Key is needed to decrypt and read the information.
Secure Communications: Using Secure Protocols like SSL/TLS for transmitting data to prevent interception by unauthorized entities.
Integrity
Protecting data from unauthorized changes to ensure that it is reliable and correct. Refers to the Trustworthiness and accuracy of data.
*Data Accuracy
*Data Consistency
*Data Trustworthiness
Methods used:
*Cryptographic Hash Functions
*Digital Signatures
*Access Controls
Availability
Refers to ensuring that Data, Systems, and Services are accessible to authorized users when needed
The How:
*Fault Tolerance - building systems that can continue operating properly even if some of their components fail
*Backup Systems - regularly backing up data and systems to enable recovery in case of data loss or corruption
The goal is to prevent service disruptions due to system failures, infrastructure problems, or malicious attacks like DDoS
DAD Triad
Opposite of the CIA:
1 - Disclosure - Refers to the unauthorized access and exposure of information
2 - Alteration - Loss of Integrity, where unauthorized changes are made to Data
3 - Denial - Direct attack to Availability. Involves attacks that will take data or systems offline resulting in no access
Zero Trust
Centers on the belief that Organizations should not automatically trust anything inside or outside their perimeter and instead must verify anything and everything trying to connect to their systems before granting access.
*Strict Identity verification
*Least Privilege Access
*Multi-Factor Authentication (MFA)
*Monitor and Log all Traffic
Authentication
Process of verifying the identity of a User, device, or other entity in a computer system. A prerequisite to granting access to resources in a system.
Non Repudiation
Ensures that a party in a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
*can be implemented using digital signature
*digital signature binds a person to the digital data they send
Authorization
Once a User is Authenticated, the Authorization process determines what that user is permitted to do by matching user or system credentials against an access control list.
Accounting
(Also referred to as Auditing) is ensured by keeping track of activities. Involves logging and monitoring of User actions.
How:
Activity Tracking - involves collecting data on user activities, such as Login times, duration of sessions, accessed resources, network services used, system changes made, and data transferred (stored in System Log).
Accountability
Principle that ensures individuals or entities are held responsible for their actions within a system
Prerequisites:
Identification, Authentication, Authorization, Accounting > Accountability
Control Categories - Technical
Technical Controls - (aka Logical Security Controls) are mechanisms implemented in hardware, software, or firmware that automate the process of preventing, detecting, and responding to security threats.
*Access Controls Mechanisms
*Firewalls
*IDS/IPS
*Encryption
*Antivirus & Anti-malware Software
*Virtual Private Networks (VPN)
Gap Analysis
An assessment that companies use to compare their current security posture with a set of standards, best practices, or regulatory requirements to identify areas that need improvement.
Control Categories - Managerial (Administrative)
Policies, Procedures, and guidelines that govern the behavior of people within an Organization and the operation of IT systems
*Security Policies/Procedures
*Risk Management
*Incident Response and Recovery Plans
*Business Continuity and Disaster Recovery Planning
Control Categories - Operational
Day-to-day methods and procedures that are implemented by an organization to ensure and maintain the security of its information and assets.
Performed by People:
*Security Awareness training
*Physical Media Protection
Control Categories - Physical
Measures taken to protect the actual Hardware and Facilities that house the systems, Networks, and Data.
*Lighting
*Signs
*Fences
*Security Guards
*Cameras
Security Control Types
Preventative - attempts to stop a security incident from occurring. Firewalls, IPS, Encryption, ACLs
Detective - attempts to detect events that resulted in a security incident. IDS, SIEM, Video Surveillance, Motion Detection
Corrective - attempts to remediate an incident that has occurred. UPS, Restoring Backups, Incident Response procedures.
Deterrent - attempts to discourage a threat. Guard Dogs, Cameras, Barbed Wire
Directive - provides direction on how to use systems. Policies / Procedures. Instructional “manuals”
Compensating - provides alternate controls when the Primary control may not be sufficient. Segregation of Duties.
Defense in Depth
Layered Security. Information assurance concept where MULTIPLE LAYERS of security controls (defense mechanisms) are placed throughout an IT system.
Data > Firewall > Procedures/ Policies > Physical Protection
Threat Motivations
1 - Data Exfiltration: Stealing data from a Target, often for selling or leverage
2 - Espionage: Spying on entities to gather sensitive information, common with Nation States
3 - Service Disruption: Disabling or disturbing a service, often seen with hacktivists protesting against specific services or companies
4 - Blackmail: Threatening to release sensitive data unless a demand (usually monetary) is met.
5 - Financial gain: stealing data or directly siphoning money, a common motivation for organized crime
6 - Philosophical / Political beliefs: Acting based on personal or group beliefs, commonly seen with Hacktivist
7 - Ethical: Acting on perceived ethical obligations, sometimes seen with whistleblowers or “white hat” hackers identifying vulnerabilities
8 - Revenge: Targeting an entity out of vengeance for a perceived wrong
9 - Disruption/ Chaos: Motivated purely by the desire to create disorder, sometimes without specific political or financial goals
10 - War: Cyber-operations that are a component of larger warfare, typically driven by Nation-States
Threat Actors
Nation State
Unskilled attacker
Hacktivist
Insider Threat
Organized Crime
Shadow IT
Attributes of Actors
Internal/External: whether the threat actor originates from within or outside of the Organization
Resources/ Funding: The amount of money and resources available to the threat actor.
Level of Sophistication / Capability: The technical skill level of the threat actor. Nation states and organized crime have high sophistication
Nation State
A country’s Government which can engage in or sponsor cyber activities. Well funded and sophisticated.
*espionage
*Cyber warfare
*political/economic/military advantage
Hacktivist
Someone who uses hacking techniques and digital tools to promote a political agenda, social change, or ideological beliefs.
Shadow I.T.
Refers to information technology systems and solutions built and used inside organizations without explicit organizational approval.
Vulnerabilities
A weakness or a “hole in our system” that can be exploited by a threat actor or Hacker to gain unauthorized access to or perform unauthorized actions on a computer system.
Memory Injection
Inserting malicious code into a program’s memory.
Race Conditions
Vulnerability that occurs when the timing of actions affects a system's state and outcome.
TOCTOU - Time of Check to Time of Use
*Code applications correctly
*Follow good secure Programming practices
SQL Injections
SQL - Structured Query (ask questions) Language. Used to talk with a Database.
Front End - User Interface (Web page)
Back End - Database holds all information (SQL).