SSCP Notes Flashcards
What is the AIC security triad?
Availability, Integrity, and Confidentiality
What are the three primary goals of information security?
- Preventing the loss of availability
- Preventing the loss of integrity
- Preventing the loss of confidentiality for systems and data
Organizations protect against loss of availability using:
- Backups
- Redundant disks
- Redundant servers
- Redundant connections
- Redundant sites
Redundant sites are known as:
- Hot site - Fully equipped and ready at a moment's notice
- Cold site - An empty building with electricity and running water; equipment and data must be brought in before it can take over
- Warm site - A cross between a cold site and a hot site
Fault-tolerant and redundant technologies ensure
that availability is not lost even if a system suffers a failure.
Integrity
Prevents any unauthorized or unwanted modification of data. It ensures that data is correct and current.
A hash
Is simply a number created by running a mathematical algorithm over a file or message. As long as the file or message stays the same, the hash (the number) will always be the same; if even one bit changes, the hash changes, which is how a stored hash detects modification.
Message Digest version 5 (MD5)
Is a commonly used hashing algorithm. It creates a fixed-size 128-bit digest (represented as 32 hexadecimal characters) from a message or file of any length. Note that MD5 is no longer collision-resistant: an attacker can craft two different files with the same MD5 digest, so for integrity checks against a hostile modifier use SHA-256 (256 bits, 64 hexadecimal characters) instead.
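The hash behaviour described in the two cards above, as an added example that is not part of the original notes: it hashes a constructed sample message with MD5 and SHA-256, shows the 128-bit versus 256-bit output sizes, hashes the same data in chunks (as you would for a large file), and verifies a stored digest with a constant-time comparison. The message, the function names and the `FlipBit` helper are assumptions made for the demonstration.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash"
)

// original is a constructed sample message for the demonstration (not from the notes).
var original = []byte("Transfer $100 to account 1234\n")

// newHash returns a fresh hash.Hash for the named algorithm.
func newHash(algorithm string) (hash.Hash, error) {
	switch algorithm {
	case "md5":
		return md5.New(), nil
	case "sha256":
		return sha256.New(), nil
	}
	return nil, fmt.Errorf("unsupported algorithm %q", algorithm)
}

// Digest hashes data in one call and returns the lowercase hex digest.
func Digest(algorithm string, data []byte) (string, error) {
	return DigestChunks(algorithm, [][]byte{data})
}

// DigestChunks hashes data delivered in pieces (as when a large file is read
// block by block); the result equals hashing the concatenation in one call.
func DigestChunks(algorithm string, chunks [][]byte) (string, error) {
	h, err := newHash(algorithm)
	if err != nil {
		return "", err
	}
	for _, c := range chunks {
		h.Write(c) // hash.Hash.Write never returns an error
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Verify recomputes the digest of data and compares it with the stored digest
// in constant time, so the comparison's running time does not reveal how many
// leading characters matched.
func Verify(algorithm string, data []byte, expectedHex string) bool {
	got, err := Digest(algorithm, data)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(expectedHex)) == 1
}

// DigestBits returns the output size of the algorithm in bits.
func DigestBits(algorithm string) int {
	h, err := newHash(algorithm)
	if err != nil {
		return 0
	}
	return h.Size() * 8
}

// FlipBit returns a copy of data with the lowest bit of byte i inverted.
func FlipBit(data []byte, i int) []byte {
	out := append([]byte(nil), data...)
	out[i] ^= 1
	return out
}

func main() {
	for _, alg := range []string{"md5", "sha256"} {
		d, _ := Digest(alg, original)
		fmt.Printf("%-6s %3d bits  %s\n", alg, DigestBits(alg), d)
		tampered := FlipBit(original, 10)
		td, _ := Digest(alg, tampered)
		fmt.Printf("       one bit flipped: %s\n", td)
		fmt.Println("       verify original:", Verify(alg, original, d),
			" verify tampered:", Verify(alg, tampered, d))
	}
}
```

Running it prints a 32-character MD5 digest and a 64-character SHA-256 digest for the message, then completely different digests after a single bit is flipped; `Verify` returns true only for the unmodified data.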
An audit log
Tracks changes to a resource, including what was changed, who changed it, and when. This creates an audit trail.
You protect against the loss of confidentiality by
Ensuring that data is not disclosed to unauthorized users.
Access controls
Are implemented to control or restrict access to resources.
Encryption
Provides another layer of protection for confidentiality.
Confidentiality
Is protected by encryption only when secure encryption algorithms are implemented correctly and sound security practices (such as protecting the keys) are followed.
Security controls
Reduce risk by reducing vulnerabilities, by reducing the impact of a threat, or both.
One benefit of a defense-in-depth strategy is
That even if a single control fails, other controls still provide protection.
A defense-in-depth strategy
Provides a layered approach to security.
The AAA of security
Authentication - The system verifies the credentials presented for a claimed identity.
Authorization - Based on who the authenticated user is, access is granted to different resources.
Accounting - Logging tracks the activity of a user through monitoring. Audit logs create an audit trail.
If a system can identify individual users, track their actions, and monitor their behavior, it provides
Accountability.
Nonrepudiation
Ensures that a party cannot believably deny (or repudiate) taking an action. Nonrepudiation is enforced through audit logging and digital signatures: a signature can only be produced by the holder of the signer's private key, yet anyone with the public key can verify it.
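The audit-log and nonrepudiation cards above, as an added example that is not part of the original notes: each audit entry records who changed what and when, the actor signs it with an Ed25519 private key, and an auditor verifies it with only the actor's public key. A modified entry, or one attributed to a different key holder, fails verification. The entry layout, the field names and the sample users are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AuditEntry holds the audit-trail fields (what changed, who changed it, when)
// plus a signature that covers every other field.
type AuditEntry struct {
	Actor     string `json:"actor"`
	Action    string `json:"action"`
	Resource  string `json:"resource"`
	Timestamp string `json:"timestamp"`
	Signature string `json:"signature,omitempty"`
}

// NewKeyPair generates an Ed25519 key pair for one actor. In practice the
// private key would stay on the actor's device or HSM, never on the log server.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// payload is the canonical byte string that gets signed: the entry with the
// signature field cleared, encoded as JSON (struct field order makes it stable).
func (e AuditEntry) payload() []byte {
	e.Signature = ""
	b, _ := json.Marshal(e)
	return b
}

// SignEntry returns a copy of the entry signed with the actor's private key.
// Only the holder of that key can produce the signature, which is what makes
// a later denial implausible.
func SignEntry(e AuditEntry, priv ed25519.PrivateKey) AuditEntry {
	e.Signature = hex.EncodeToString(ed25519.Sign(priv, e.payload()))
	return e
}

// VerifyEntry checks the signature against the actor's public key. No secret
// is needed, so an auditor or regulator can run this independently.
func VerifyEntry(e AuditEntry, pub ed25519.PublicKey) bool {
	sig, err := hex.DecodeString(e.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, e.payload(), sig)
}

func main() {
	alicePub, alicePriv := NewKeyPair()
	bobPub, _ := NewKeyPair()

	// Constructed sample entry for the demonstration.
	entry := SignEntry(AuditEntry{
		Actor:     "alice",
		Action:    "update",
		Resource:  "/finance/payroll.xlsx",
		Timestamp: "2024-03-01T09:15:00Z",
	}, alicePriv)

	fmt.Println("genuine entry verifies:        ", VerifyEntry(entry, alicePub))

	tampered := entry
	tampered.Action = "delete" // someone edits the log after the fact
	fmt.Println("edited entry verifies:         ", VerifyEntry(tampered, alicePub))

	fmt.Println("entry checked with bob's key:  ", VerifyEntry(entry, bobPub))
}
```

The first line prints true and the other two print false. An HMAC over the entry would also detect edits, but because the verifier would hold the same shared key it could have forged the entry itself, so only an asymmetric signature gives nonrepudiation.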
The principle of least privilege
Means that you grant users access only to what they need to perform their job, and no more.
Separation of duties
It ensures that no single person has complete control over a process. It significantly reduces the risk of fraud within an organization.
Many companies also use ________ and __________ to reduce the risk of collusion.
Job rotation and mandatory vacations.
Due Diligence
Refers to the investigative steps that an organization takes before taking on something new, such as signing a contract or making a major purchase. An organization has an obligation to exercise due diligence to discover the risks associated with large purchases.
Due Care
Is the practice of implementing security policies and practices to protect resources. It ensures that a reasonable level of protection is applied against losses from known risks.
Management decides which risks to mitigate, and the risk that remains after mitigation is
Residual risk.
Organizations have a requirement to exercise due care to protect
PII.
Identification
Occurs when a user professes, or claims, an identity by presenting it to a system (for example, typing a username). The claim is not trusted until authentication verifies it.