Unit 1: General Security Concepts Flashcards
Control Categories
Technical, Managerial, Operational, and Physical
Technical Controls
- Controls implemented using systems
- Operating system controls
- Firewalls, anti-virus
Managerial Controls
- Controls that address security design and implementation
- Security policies, standard operating procedures
Operational Controls
- Controls that are implemented by people
- Security guards, awareness programs
Physical Controls
- Controls limiting physical access to buildings, rooms, etc.
- Fencing, door locks
Preventative Controls
Controls that block access to a resource (firewalls, guard shacks, door locks).
Deterrent Controls
Controls designed to discourage people from violating security directives (threat of demotion, warning signs).
Detective Controls
Controls designed to identify and log intrusions/intrusion attempts (system logs, motion detectors).
Corrective Controls
Controls that are applied after an event to reverse impact or continue operating (backup restoration, fire extinguisher, law enforcement).
Compensation Controls
Additional security controls put in place to compensate for weaknesses in other controls (separation of duties, backup generator, blocking instead of patching).
Directive Controls
Controls that direct subjects towards security compliance; seen as a weak control (file storage policies, compliance policies).
C.I.A. Triad
Confidentiality, Integrity, Availability
Confidentiality
Ensures that only authorized parties can view information (e.g. encryption).
Integrity
Safeguarding the accuracy and completeness of information (e.g. hashing).
Availability
Ensuring that authorized users have access to information when required (e.g. reliable backups).
Non-repudiation
Proof of the origin, authenticity and integrity of data.
Proof of Integrity
Verifying, by hashing, that data has not changed.
Hashing
A code that represents data as a short string of text, like a digital fingerprint.
Proof of Origin
Verifying the person who sent the data is who they claim to be (authentication).
AAA Framework
Authentication, Authorization, Accounting
Authentication
Proving you are who you say you are, which can be done with what you know and what you have, or two-factor authentication (e.g. a password and a phone for a confirmation code).
Authorization
What access specific authenticated users have; often done by abstraction.
Accounting
A record of login time, data sent, accessed, or edited, logout time, and more.
Abstraction
Defining users by roles, attributes, tags, etc. to avoid whitelisting or blacklisting individuals.
Gap Analysis
A method for examining and evaluating the current state of a process in order to identify opportunities for improvement in the future.
Zero Trust
Security design paradigm where any request (device, process, or person) must be authenticated before being allowed. Done using planes of operation.
Planes of Operation
Breaking the network into functional planes (smaller components) to authenticate requests efficiently.