1.1 - General Security Concepts Flashcards
(28 cards)
What is a Vulnerability
A weakness in software, hardware, or devices
Threat
A potential danger
Adversarial = targeted, i.e. someone deliberately directs the threat at you
Non-adversarial = not targeted, e.g. flood, power outage, weather event
Threat Actor
An adversary; someone with malicious intent
Exploit
When a threat actor successfully takes advantage of a vulnerability
Risk
Level of uncertainty
What are Controls?
Tactics, mechanisms, and strategies that proactively minimise risk in one of these ways:
Reduce or eliminate a vulnerability
Reduce or eliminate the likelihood that a threat actor will be able to exploit a vulnerability
Reduce or eliminate the impact of an exploit
What are Countermeasures?
Controls that have been implemented to address a specific threat
These are generally reactive to the threat
They can be more effective but cannot be applied broadly
How can controls be trustworthy?
They should be functional (what does it do?)
They should be effective (how well does it work?)
What is a Control Objective
A statement of desired result or purpose to be achieved by implementing a control or set of controls
What is Security Control Diversity?
A design that layers diverse, overlapping controls so that if one control fails, the next control still succeeds
What are Security Control Baselines?
A set of minimum security controls that organisations implement to protect their systems and data
How can you apply/fine tune controls?
Scoping, Tailoring, Compensating, Supplementing
What is Scoping?
Eliminating baseline recommendations that do not apply to the organisation
What is Tailoring?
Customising the baseline recommendations to align with the organisation’s needs
What is Compensating?
Substituting a recommended baseline control with a similar control
What is Supplementing?
Augmenting (adding to) the baseline recommendations
What is Cost Benefit Analysis?
The process of evaluating a security investment by comparing its estimated costs against its expected benefits to determine whether it is beneficial to the business
What are the 4 Control Categories?
Technical, Managerial, Operational, Physical
What is the Technical control category?
Controls implemented using technology to reduce vulnerabilities in hardware, software, and/or firmware components (e.g. firewalls, cryptography, authentication systems)
What is the Managerial control category?
Controls relating to risk management, governance, oversight, strategic alignment, and decision making (e.g. risk assessments, project management)
What is the Operational control category?
Security measures and processes that are put into place and managed by people (e.g. change management, training, testing)
What is the Physical control category?
Controls designed to address physical interactions, i.e. those relating to buildings and equipment (e.g. gates, barricades, locks)
What are the 4 control classifications?
Deterrent, preventative, detective, corrective
What is the deterrent control classification?
Discourages a threat agent from acting