CISSP - Wiley 9th Edition - Chapter 1 Flashcards
Confidentiality
The concept of the measures used to ensure the protection of the secrecy of data, objects, or resources.
Countermeasures to ensure Confidentiality
Encryption
Network traffic padding
Strict access control
Rigorous authentication procedures
Data classification
Personnel training
Integrity
The concept of protecting the reliability and correctness of data
Attacks that focus on the violation of integrity
Viruses
Logic bombs
Unauthorized access
Errors in coding and applications
Malicious modification
Intentional replacement
System backdoors
Availability
Authorized subjects are granted timely and uninterrupted access to objects
Countermeasures to ensure availability
Design intermediary delivery systems properly
Use access controls effectively
Monitor performance and network traffic
Use firewalls and routers to prevent DoS attacks
Implement redundancy for critical systems
Maintain and test backup systems
CIA Triad
Confidentiality, Integrity, Availability
The primary goals and objectives of a security infrastructure
DAD Triad
Disclosure, Alteration, Destruction
The failures of security protections of the CIA Triad
Authenticity
The security concept that data is authentic or genuine and originates from its alleged source
Non-repudiation
Ensures that the subject of an activity or who caused an event cannot deny that the event occurred
AAA Services
Core security mechanism of all security environments
5 elements:
Identification
Authentication
Authorization
Auditing
Accounting
Identification
Claiming to be an identity when attempting to access
Authentication
Proving that you are the claimed identity
Authorization
Defining the permissions of a resource and object access for a specific identity or subject
Auditing
Recording a log of the events and activities related to the systems and subjects
Accounting
Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions
Defense in Depth
Layering, the use of multiple controls in a series. By creating the controls in a series, each attack will be scanned, evaluated, or mitigated by each security control
Abstraction
Similar elements are placed into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. Abstraction is used for efficiency
Data Hiding
Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.
Encryption
The science of hiding the meaning or intent of a communication from unintended recipients
Security Boundaries
The line of intersection between any two areas, subnets, or environments that have different security requirements or needs
Security Governance
The collection of practices related to supporting, evaluating, defining, and directing the security efforts of an organization.
Ideally performed by the Board of Directors or C-level executives.
Third-Party Governance
The system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligations, or licensing requirements.
Documentation Review
The process of reading the exchanged materials and verifying them against standards and expectations.