Ch-1 Flashcards
(6 cards)
The three key objectives of cybersecurity
Confidentiality
Integrity
Availability
The three key threats to cybersecurity
DAD Triad
Disclosure - The exposure of sensitive information to unauthorized parties (violates Confidentiality)
Alteration - The unauthorized modification of information (violates Integrity)
Denial - The disruption of legitimate access to information or systems (violates Availability)
Breach risk categories
Financial, Reputational, Strategic, Operational, & Compliance
Security Control Categories
Technical - Enforce confidentiality, integrity, and availability in the digital space.
Ex: firewall rules, ACLs, IPS, and encryption
Operational - The processes put in place to manage technology securely.
Ex: user access management, log monitoring, and vulnerability management
Managerial - Procedural mechanisms that focus on the mechanics of the risk management process.
Ex: risk assessments, planning exercises, and the incorporation of security into the organization's management practices
Security Control Types
Preventive - Stop issues before they ever occur. Ex: Firewalls, encryption
Detective - Identify events that have already occurred. Ex: IDS
Corrective - Remediate issues that have already occurred. Ex: Restoring backups after an attack
Deterrent - Discourage attackers from attempting an attack in the first place. Ex: Guard dogs, warning signs
Physical - Security controls that impact the physical world. Ex: Fences, locks, alarms
Compensating - Mitigate the risk that remains when an exception is made to a security policy or requirement.
PCI DSS Compensating Controls
PCI DSS sets three criteria that a compensating control must meet before it is considered satisfactory:
- The control must meet the intent and rigor of the original requirement
- The control must provide a similar level of defense as the original requirement
- The control must be "above and beyond" other PCI DSS requirements (a control the organization is already required to have elsewhere in the standard cannot be counted again as a compensating control)
Ex: If an organization must keep running an outdated OS on a specific machine, even though PCI DSS prohibits it because of known security vulnerabilities, it could place that machine on an isolated network segment with little or no access to other systems.