Chapter 1 Flashcards
Today's Security Professionals
Confidentiality (C.I.A)
Ensures that unauthorized individuals are not able to gain access to sensitive information.
Integrity (C.I.A)
Ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally.
Availability (C.I.A)
Ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
Nonrepudiation
Someone who performed some action, such as sending a message, cannot later deny having taken that action.
Disclosure
The exposure of sensitive information to unauthorized individuals. Also known as Data Loss.
Data Exfiltration
When attackers gain access to information and remove it.
Alteration
The unauthorized modification of information. This is a violation of the principle of integrity.
Denial
The disruption of an authorized user’s legitimate access to information.
Security Control Categories
Measures implemented to protect systems, data, and infrastructure from threats. Three main types:
- Technical Controls
- Administrative Controls
- Physical Controls
Technical Controls
Enforce CIA in the digital space.
Administrative Controls
These are policies, procedures, and guidelines established to manage security. Examples include security awareness training, access control policies, and incident response protocols.
Physical Controls
Security controls that impact the physical world.
Operational Controls
The processes that we put in place to manage technology in a secure manner.
Ex: Access reviews, log monitoring, and vulnerability management.
Managerial Controls
Procedural mechanisms that focus on the mechanics of the risk management process. Implemented through processes like awareness, training, and oversight.
Security Control Types
Security controls can be categorized based on their purpose and function. Here are the main types:
1. Preventive Controls
2. Detective Controls
3. Corrective Controls
4. Deterrent Controls
5. Compensating Controls
6. Recovery Controls
Preventive Controls
Intended to stop a security issue before it occurs.
Ex: Firewall, Encryption
Detective Controls
Identifies security events that have already occurred.
Ex: Intrusion detection systems
Compensating Controls
Controls designed to mitigate risk associated with exceptions made to a security policy.
Ex: A temporary measure used while a problem that has occurred is being resolved, such as a generator, blocking instead of patching, or separation of duties.
Directive Controls
Inform employees and others what they should do to achieve security objectives.
Deterrent Controls
Seek to prevent an attacker from attempting to violate security policies.
Ex: Guard dogs, barbed wire fences, signs (DO NOT ENTER)
Corrective Controls
Remediate security issues that have already occurred.
Ex: Restoring back-ups after ransomware attacks.
Data Obfuscation
Transforming data into a format where the original information can't be retrieved.
Ex: Hashing, Tokenization, Masking
Masking
Partially redacts sensitive information by replacing some or all sensitive fields with blank characters.
Ex: xxx-xx-1236
Tokenization
This replaces sensitive values with a unique identifier using a lookup table.
Ex: Replacing a student ID with a 10-digit number maintained in a lookup table.