SY0-701 Security Terminology and Standards Flashcards
Confidentiality (CIA)
Only authorized persons can gain access to information and read it. A number of technologies, such as permissions (ACLs) and encryption (at rest and in transit), can be used to keep information confidential
Integrity (CIA)
Ensure that when data is sent from a source to a destination, the information received at the destination has not been altered in transit. Data integrity also means that if you store a file on a drive and open it later, you can be certain that the data has not been altered while in storage
Integrity (CIA) concepts
Hashing:
To ensure data integrity when communicating over a network, the sending system runs the data through a mathematical algorithm, known as a hashing algorithm, which generates a fixed-size answer (known as the hash value). This hash value is sent with the data. On the receiving end, the destination system runs the data through the same hashing algorithm and compares its own hash value with the one received; any difference means the data was altered. Note that a bare hash only detects accidental corruption: an attacker who can modify the data in transit can simply recompute the hash. Detecting deliberate tampering needs a key the attacker does not have, either a keyed hash (HMAC) or a digital signature.
Digital Signature:
Created on a message with the sender's private key in order to prove both the integrity of the message and the identity of the sender; anyone holding the sender's public key can verify it.
Digital Certificate:
A digital certificate is an electronic file that binds a public key to an identity (a person, server, or organization) and is signed by a certificate authority. It is the usual way to distribute the public keys used for encrypting or verifying digitally signed messages
Nonrepudiation:
the concept of ensuring that someone cannot dispute that they sent a message or made a change.
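The hashing and keyed-integrity points above, as an added example that is not part of the original flashcards: the sender computes SHA-256 over a constructed message and ships the hash alongside it, the receiver recomputes and compares, and then a man-in-the-middle alters the message and recomputes the hash, which the receiver's check cannot detect. The same attack against an HMAC-SHA256 tag fails because the attacker lacks the shared key. HMAC is used here as a stand-in for the digital signature described above (a shared-secret rather than public-key mechanism) because it needs only the Python standard library; the message text and the key are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed sample message; not from the original page.
MESSAGE = b"Transfer 100.00 to account 12345"


def sha256_hex(data):
    """Both ends run the same hashing algorithm over the data."""
    return hashlib.sha256(data).hexdigest()


def send_with_hash(data):
    """Sender: compute the hash value and ship it alongside the data."""
    return data, sha256_hex(data)


def verify_hash(data, received_hash):
    """Receiver: recompute and compare. Any change to the data changes the hash."""
    return hmac.compare_digest(sha256_hex(data), received_hash)


def send_with_mac(key, data):
    """Keyed variant: HMAC-SHA256 over the data with a secret shared by both ends."""
    return data, hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key, data, received_mac):
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received_mac)


def tamper_unkeyed(data, _hash):
    """Man-in-the-middle against a bare hash: alter the data and recompute the hash.
    The receiver's check still passes, so a bare hash only catches accidental corruption."""
    altered = data.replace(b"12345", b"99999")
    return altered, sha256_hex(altered)


def tamper_keyed(data, mac):
    """The same attacker without the key cannot produce a valid MAC for the altered
    data; the best they can do is forward the old tag, which no longer matches."""
    altered = data.replace(b"12345", b"99999")
    return altered, mac


def demo():
    key = os.urandom(32)  # shared secret, assumed to have been exchanged out of band
    data, h = send_with_hash(MESSAGE)
    data2, h2 = tamper_unkeyed(data, h)
    mdata, mac = send_with_mac(key, MESSAGE)
    mdata2, mac2 = tamper_keyed(mdata, mac)
    return {
        "hash_ok_untampered": verify_hash(data, h),
        "hash_ok_after_tamper": verify_hash(data2, h2),      # True: attacker recomputed it
        "mac_ok_untampered": verify_mac(key, mdata, mac),
        "mac_ok_after_tamper": verify_mac(key, mdata2, mac2),  # False: key needed
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The comparison uses hmac.compare_digest rather than == so that a mismatch is not revealed byte by byte through timing.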
Availability (CIA)
The concept of ensuring that the information is available when the user wants it
Permissions - limits who can delete data and ensures availability to those who need it
Backups
Fault Tolerance:
Implement data redundancy solutions to ensure that if one of the hard drives fails, the other drives have a copy of the information. Having multiple drives work together this way is known as RAID, or Redundant Array of Independent Disks
Clustering:
Allows you to have multiple servers acting as one unit so that if one server fails, another server takes over the workload
Accountability (CIAA)
Accountability is ensuring that users are accountable for their actions. If someone inappropriately deletes a file, for example, a record of that action exists to hold them accountable.
Log files
Audit files
Firewalls and proxy servers
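The log-file side of accountability, as an added example that is not part of the original flashcards: a handful of constructed audit-log lines (the line format, user names and paths are assumptions for the example) are parsed, the "who deleted this file, and when" question is answered from them, and a denied-then-succeeded pattern is flagged for review. Malformed lines are reported rather than silently dropped, since a gap in an audit trail is itself something a reviewer needs to know about.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed audit log (not from the original page). Assumed line format:
# <ISO timestamp> user=<name> action=<verb> target=<path> result=SUCCESS|DENIED
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice action=READ target=/finance/q1.xlsx result=SUCCESS
2024-05-01T09:15:41Z user=bob action=DELETE target=/finance/q1.xlsx result=DENIED
2024-05-01T09:16:02Z user=bob action=DELETE target=/finance/q1.xlsx result=SUCCESS
2024-05-01T09:20:17Z user=carol action=WRITE target=/hr/payroll.csv result=SUCCESS
this line is corrupted and must not be silently ignored
2024-05-01T10:02:55Z user=alice action=DELETE target=/tmp/scratch.txt result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) result=(?P<result>SUCCESS|DENIED)$"
)


def parse_log(text):
    """Parse well-formed lines into dicts; return unparseable lines separately."""
    events, bad = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad.append(line)
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, bad


def who_did(events, action, target, only_success=True):
    """The accountability question: which user performed ACTION on TARGET, and when."""
    return [
        (ev["user"], ev["ts"].isoformat())
        for ev in events
        if ev["action"] == action
        and ev["target"] == target
        and (ev["result"] == "SUCCESS" or not only_success)
    ]


def denied_then_succeeded(events, window_seconds=300):
    """Flag a user who was DENIED an action on a target and then SUCCEEDED at the
    same action shortly afterwards: worth a look (permission change? second account?)."""
    flagged = []
    for i, ev in enumerate(events):
        if ev["result"] != "DENIED":
            continue
        key = (ev["user"], ev["action"], ev["target"])
        for later in events[i + 1:]:
            same = (later["user"], later["action"], later["target"]) == key
            soon = (later["ts"] - ev["ts"]).total_seconds() <= window_seconds
            if same and later["result"] == "SUCCESS" and soon:
                flagged.append(key)
                break
    return flagged


def actions_per_user(events):
    """Per-user activity count; a quick check that every event carries an identity."""
    return Counter(ev["user"] for ev in events)


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print("deleted /finance/q1.xlsx:", who_did(evs, "DELETE", "/finance/q1.xlsx"))
    print("denied then succeeded:", denied_then_succeeded(evs))
    print("unparseable lines:", len(bad))
```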
Identification and Authentication
Identification happens before authentication and is the process of having users identify themselves to the system. The most popular method companies use to identify individual users is to give each user a unique username. The users type their username into the system in order to identify themselves. After the user inputs the identifying information (the username), the user inputs the password for that account for purposes of authentication
Authorisation
Once authenticated, users are given access to different resources.
Permissions
Router ACLs
Proxy servers:
Can control what web sites can be visited or even what types of Internet applications can be used by the internal users
Security principles (Least Privilege, Separation of Duties, and Rotation of Duties)
Least privilege means that you give a user only the minimum level of permissions needed to perform their tasks or duties
Separation of Duties means you ensure that all critical tasks are broken down into different processes and that each process is performed by a different employee
Rotation of Duties is the principle of rotating multiple employees through different job roles. It ensures accountability (a successor is likely to notice irregularities) and redundancy (more than one person can do each job)
Diversity of Defence
Concept that you should use different products to increase the level of security in your environment. Although all products have vulnerabilities, the vulnerabilities are different for each product, so an attacker who gets through one layer still has to find a different weakness in the next.
Vulnerability and Exploit
A vulnerability is a weakness in a piece of software or hardware, usually introduced unintentionally by the manufacturer through a design or implementation flaw. Once a vulnerability is found, attackers work on a way to exploit the weakness and compromise the system's security; the code or technique that does so is the exploit
Types of vulnerabilities
Use of open-source intelligence (OSINT): publicly available information about the organization, its systems, and its people that an attacker can gather without touching the target
Improper input handling
Misconfiguration/weak configuration
Default configuration
Authorised, Unauthorised, and Semi-authorised Hackers
Authorised hackers
Also known as a white-hat hacker, an authorized hacker learns how to compromise system security for defensive purposes, meaning they are doing it to better learn how to protect the system or network
Unauthorized hacker:
Also known as a black-hat hacker, an unauthorized hacker compromises systems or networks for malicious reasons
Semi-authorized hacker:
Also known as a gray-hat hacker, a semi-authorized hacker is a person who hacks into systems without permission but for non-malicious reasons, for example to find and report a flaw
Advanced persistent threat (APT)
Advanced persistent threats (APTs) are individuals or groups that perform highly comprehensive, well-planned attacks that give them long-term access to the target systems. Long-term access is needed so that the attacker can collect sensitive information over an extended period of time
Structure of a policy
Overview
Scope
Policy
Enforcement
Definitions
Revision History
Types of Policies
Standard:
A standard is a mandatory rule that must be followed and typically covers a specific area of security
Guidelines:
Recommendations on how to follow security best practices
Procedure:
Also known as a standard operating procedure (SOP). The SOP documents step-by-step procedures showing how to configure a system or device, or step-by-step instructions on how to implement a specific security solution
Security control
A security control is any mechanism used to protect an asset within the organization. Examples of security controls are firewalls, antivirus software, and access control lists
Acceptable Use Policy (AUP)
An AUP lets the users know what the company considers acceptable use of company resources, including:
Internet
e-mail
laptops
mobile devices
social media
Password Policy
points to consider:
minimum password length
password history
maximum password age
minimum password age
password complexity
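The identification and authentication flashcard above and the password-policy points, as an added example that is not part of the original flashcards: a hypothetical in-memory user store where identify() is the username lookup and authenticate() is the salted PBKDF2 password check that follows it, plus a change_password() path that enforces minimum length, complexity, password history, minimum age and maximum age. The policy values, the user names and the passwords are assumptions for the example; the clock is injected so the age rules can be exercised without waiting.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Policy values are constructed for this example; they are not from the original page.
POLICY = {
    "min_length": 12,
    "history": 5,        # previous passwords remembered (plus the current one) that may not be reused
    "max_age_days": 90,  # password must be changed after this
    "min_age_days": 1,   # and may not be changed again sooner than this
    "min_classes": 3,    # of: lowercase, uppercase, digit, symbol
}


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the store holds hashes, never passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def char_classes(password):
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, password)) for p in patterns)


class UserStore:
    """Hypothetical in-memory directory. identify() is the username lookup;
    authenticate() is the password check that follows it."""

    def __init__(self, now):
        self.users = {}
        self.now = now  # injected clock so the age rules are testable

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                "history": [], "changed": self.now}

    def identify(self, username):
        return self.users.get(username)

    def authenticate(self, username, password):
        rec = self.identify(username)
        if rec is None:
            hash_password(password, b"\0" * 16)  # same work for unknown users (timing)
            return False
        return hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"])

    def password_expired(self, username):
        rec = self.users[username]
        return self.now - rec["changed"] > timedelta(days=POLICY["max_age_days"])

    def policy_violations(self, username, new_password):
        """Every rule the candidate breaks, so the user sees all of them at once."""
        rec = self.users[username]
        problems = []
        if len(new_password) < POLICY["min_length"]:
            problems.append("too short")
        if char_classes(new_password) < POLICY["min_classes"]:
            problems.append("not complex enough")
        if self.now - rec["changed"] < timedelta(days=POLICY["min_age_days"]):
            problems.append("changed too recently")
        previous = [(rec["salt"], rec["hash"])] + rec["history"]
        if any(hmac.compare_digest(hash_password(new_password, s), h) for s, h in previous):
            problems.append("reused password")
        return problems

    def change_password(self, username, old_password, new_password):
        """Re-authenticate, check the policy, then rotate salt and hash and push the
        old pair into the bounded history list."""
        if not self.authenticate(username, old_password):
            return ["authentication failed"]
        problems = self.policy_violations(username, new_password)
        if problems:
            return problems
        rec = self.users[username]
        rec["history"] = ([(rec["salt"], rec["hash"])] + rec["history"])[:POLICY["history"]]
        rec["salt"] = os.urandom(16)
        rec["hash"] = hash_password(new_password, rec["salt"])
        rec["changed"] = self.now
        return []


if __name__ == "__main__":
    store = UserStore(datetime(2024, 1, 1))
    store.add_user("alice", "Correct-Horse-Battery-1")
    print("login ok:", store.authenticate("alice", "Correct-Horse-Battery-1"))
    store.now += timedelta(days=2)
    print("change to 'short':", store.change_password("alice", "Correct-Horse-Battery-1", "short"))
```

Minimum password age exists to make the history rule bite: without it a user could cycle through N+1 changes in a minute and land back on the old password.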
Adverse Actions
Each policy should specify the adverse actions (consequences) for anyone who does not follow it.
Change control/management policy
Specifies the process to follow when implementing a change to the network. Following the specified procedures reduces configuration mistakes, because the process ensures that the change is properly tested before it is made
Security clearance and data labels
Classification labels (such as secret, top secret, or even unclassified) are assigned to the information, or assets. Once all of the assets have their classification labels assigned, you can then assign employees their security clearance levels that determine which assets they can access.
Mandatory vacations
The importance of taking vacation time is that it helps detect fraudulent or suspicious activities within the organization because another employee will need to take over the job role while someone is on vacation. This will help keep employees honest in their job functions because they know they will be held accountable for irregular activities discovered during their absence
Memorandum of Understanding
An MOU is a document that establishes an agreement between two parties and specifies their relationship to one another.
Statement of Work
An SOW outlines the type of work a company is being hired for, the timeline for that work, the cost of the work performed, the payment schedule, and any conditions related to the work.
Measurement systems analysis
The MSA is a mathematical method used to determine the variation within a measurement process.
ISO/IEC 17799
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) created the ISO/IEC 17799 standard, which specifies best practices for information security management. It was renumbered ISO/IEC 27002 in 2007 and lives on under that name in the ISO/IEC 27000 family.
ISO/IEC 17799 breaks the management of information security into different categories (typically known as domains).
PHI and HIPAA
Protected health information (PHI)
is health information about a patient, their care, health status, and payment history that is protected by rules in the Health Insurance Portability and Accountability Act (HIPAA). Organizations will typically de-identify this information, removing the details that tie it to the patient, to maintain their privacy.
Personally Identifiable Information
PII is any information that can uniquely identify a person. It should be protected at all times (examples include national identification number and driver's licence number)
General Data Protection Regulation (GDPR)
GDPR is a European regulation that is designed to protect private data of individuals. Organizations that process or handle personal data must have security controls in place to ensure unauthorized access to the private data does not occur
Center for Internet Security (CIS)
CIS is a nonprofit organization formed in 2000 that creates and promotes cybersecurity defense best practices to help safeguard systems
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
The NIST Risk Management Framework (RMF) is a document that outlines the steps to integrate security risk management into the system development lifecycle. The framework is broken into seven steps to perform risk management: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.
Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework is a resource from NIST that is a set of strategies to help companies manage cybersecurity risk
NIST SP 800-171
NIST Special Publication 800-171 is a recommended standard for protecting federal Controlled Unclassified Information (CUI) while it is being processed, stored, and transmitted on nonfederal systems, such as those of contractors. This framework defines a number of security requirements (technical and administrative controls) that can be used to safeguard the information