Domain 1 Flashcards
CIA - Confidentiality (definition-attacks-defense)
- High level of assurance that info is kept from unauthorized parties
- Attacks: Shoulder surfing, social engineering, decryption, brute-force
- Defense: Encryption, access controls
CIA - Confidentiality - Related concepts (SDCSPSI)
- Sensitivity: What could happen if this info was disclosed
- Discretion: When you choose to control the information disclosure to limit damage
- Concealment: Act of hiding or preventing disclosure
- Secrecy: Keeping something secret
- Privacy: Keeping personal or otherwise sensitive information confidential
- Seclusion: Storing something in an out-of-the-way manner
- Isolation: Keeping something separated from others
CIA - Integrity (def - approaches)
When info remains unaltered by unauthorized parties
- Approaches:
- Preventing intentional unauthorized modification
- Preventing accidental modification
- Ensuring internal and external consistency of the information
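The difference between the first two approaches is easy to miss: an unkeyed checksum catches accidental corruption, but an attacker who can rewrite the data can also recompute the checksum, so intentional modification needs a keyed integrity check (an HMAC). The script below is an added example written for this card, not part of the original flashcards; the record, the key and the tampering scenario are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed sample record (assumption, not from the page): a config line an
# attacker would like to alter in transit or at rest.
RECORD = b"allow_ssh_from=10.0.0.0/8;admin_user=ops"


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(tag(key, data), expected)


def accidental_corruption(data: bytes) -> bytes:
    """Simulate a single bit flip from a storage or transmission error."""
    flipped = bytearray(data)
    flipped[0] ^= 0x01
    return bytes(flipped)


def attacker_rewrite(data: bytes) -> Tuple[bytes, str]:
    """Attacker widens the allow-list and recomputes the unkeyed checksum."""
    tampered = data.replace(b"10.0.0.0/8", b"0.0.0.0/0")
    return tampered, checksum(tampered)


def checksum_detects_accident() -> bool:
    """A bit flip changes the digest, so the stored checksum no longer matches."""
    return checksum(accidental_corruption(RECORD)) != checksum(RECORD)


def checksum_detects_tampering() -> bool:
    """The verifier only has the checksum shipped next to the data; the
    attacker shipped a fresh one, so the check passes and tampering is missed."""
    tampered, shipped_sum = attacker_rewrite(RECORD)
    return checksum(tampered) != shipped_sum


def hmac_detects_tampering(key: bytes) -> bool:
    """The tag was computed over the original record with a key the attacker
    lacks, so the rewritten record fails verification."""
    original_tag = tag(key, RECORD)
    tampered, _ = attacker_rewrite(RECORD)
    return not verify_tag(key, tampered, original_tag)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # integrity key held by the verifier only
    print("checksum catches bit flip:      ", checksum_detects_accident())
    print("checksum catches attacker:      ", checksum_detects_tampering())
    print("HMAC catches attacker:          ", hmac_detects_tampering(key))
    print("HMAC accepts untouched record:  ", verify_tag(key, RECORD, tag(key, RECORD)))
```

The point of the demo is the second line of output: a hash stored beside the data it protects only covers the accidental case. Protecting against a deliberate change requires either a key the attacker does not hold (HMAC, or a digital signature) or storing the reference digest somewhere the attacker cannot write.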
CIA - Availability (def - examples)
Usable access to a resource is always provided in a timely and uninterrupted manner
- Examples:
- Load Balancing
- Clustering
- Backups
- Redundancy
AAA (IAAAA)
- Identification: A subject claims a specific identity
- Authentication: A subject proves he is who he claims to be
- Authorization: Deciding what the subject can access and how can it be used
- Auditing: Recording activities of the subject in a log
- Accountability: Holding the subject responsible for its actions, made possible by reviewing the audit log
From Vulnerability to Exposure - Vulnerability (def -example)
A weakness in a system that allows a threat to compromise security
Examples:
AP without security enabled
Too many ports allowed on a firewall
Unneeded service running on a server
From Vulnerability to Exposure - Exploit
Occurs when a vulnerability is taken advantage of by an attacker
From Vulnerability to Exposure - Threat
Danger that a vulnerability will be exploited
From Vulnerability to Exposure - Threat Agent
Entity that exploits a vulnerability
From Vulnerability to Exposure - Risk
The likelihood that a threat agent will exploit a vulnerability combined with the damage that could result
From Vulnerability to Exposure - Exposure
Single real-world instance of a vulnerability being exploited by a threat agent
From Vulnerability to Exposure - Control
Countermeasure put into place to mitigate the risk
Controls - Categories (ATP)
- Administrative Controls: Controls put in place by management
Examples
Training
Security Policy
- Technical Controls: Hardware or software elements such as hashing, encryption, firewalls or authentication enforcement
- Physical Controls: Controls that physically protect facilities, equipment and people
Examples
Lighting
Fences
Keycards
Security Guards
Controls - Functions (PCDDRC)
- Preventative: Avoid an incident
- Corrective: Fix a component or system
- Deterrent: Discourage an attacker
- Detective: Identify an intruder
- Recovery: Bring environment back to normal operation
- Compensating: Alternative control if the first choice is unavailable
Security Frameworks - ISO 27000 Series - BS7799 (year-who-what-parts)
- Created in 1995
- Published by British Standards Institute
- Outlines how an ISMS should be created and maintained
- Part 1
Describes controls
- Part 2
Shows how an ISMS can be set up
Security Frameworks - ISO 27000 Series (1-8, 11, 14-15,31-35,37,799)
- ISO 27000: Overview and vocabulary for the rest of the 27000 series
- ISO 27001: Standard for creation, implementation, control and improvement of an ISMS
- ISO 27002: Code of practice for information security controls
- ISO 27003: ISMS implementation
- ISO 27004: ISMS measurement
- ISO 27005: Risk management
- ISO 27006: Certification body requirements
- ISO 27007: ISMS auditing
- ISO 27008: Guidance for auditors
- ISO 27011: Telecommunications organizations
- ISO 27014: Information security governance
- ISO 27015: Financial sector
- ISO 27031: Business continuity
- ISO 27032: Cybersecurity
- ISO 27033: Network security
- ISO 27034: Application security
- ISO 27035: Incident management
- ISO 27037: Digital evidence collection and preservation
- ISO 27799: Health organizations
Security Frameworks - Enterprise Architecture Development - Introduction (structure-guidance-terms)
- Addresses the structure and behavior of an organization
- It’s a guidance on how to build an architecture
- Allows each group of people within an organization to view the business in terms they can understand
Security Frameworks - Enterprise Architecture Development - Zachman (who-orientation-matrix)
- Created by John Zachman in the 80s
- This framework is not security oriented, but it is a good template to work with because it offers direction on how to understand an actual enterprise in a modular fashion
- 2-dimensional matrix: one axis holds 6 audiences (perspectives), the other 6 views (the interrogatives), giving a 6x6 grid
Security Frameworks - Enterprise Architecture Development - Zachman (audiences - views)
- Audiences
Executives
Business Managers
System Architects
Engineers
Technicians
Entire enterprise
- Views
What
How
Where
Who
When
Why
Security Frameworks - Enterprise Architecture Development - TOGAF (who-arch types-adm)
- Created by The Open Group (derived from the US DoD's TAFIM)
- Architecture types
Business
Data
Application
Technology
- Architecture Development Method (ADM)
Used to create each type
The last step feeds back into the first step
After each iteration, the process has been improved to reflect changing requirements
Each iteration addresses each of the four views
Security Frameworks - Enterprise Architecture Development - Military Oriented (DoDAF-Brits)
- Department of Defense Architecture Framework (DoDAF):
- Covers command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) systems
- One of its primary objectives is interoperability: a common communication protocol and standard payloads across systems
- Ministry of Defence Architecture Framework (MODAF):
- British version of DoDAF
Security Frameworks - Enterprise Architecture Development - Sherwood Applied Business Security Architecture (SABSA) (ESA-views-yaxis-differences)
- It’s an Enterprise Security Architecture: Ensures an organization has an effective ISMS in place
- Similar to Zachman
- Views:
- Assets (What)
- Motivation (Why)
- Process (How)
- People (Who)
- Location (Where)
- Time (When)
- Y-Axis from wide to narrow
- Contextual
- Conceptual
- Logical
- Physical
- Component
- Operational
- Difference between SABSA and the others
- It is also a methodology
- Provides an actual process to follow
- It is geared toward security
Security Frameworks - Architecture Framework Terms (strat-business-process enh-sec effec)
- Strategic Alignment: An architecture is strategically aligned when it meets the needs of the business and all legal or regulatory requirements
- Business Enablement: A good security architecture must enable the business to thrive by not getting in the way, but still providing proper security
- Process Enhancement: Security forces us to take a closer look at existing processes. This could lead us to improve them
- Security Effectiveness: Most quantifiable of the attributes. Examples: ROI, SLA achievements
Security Frameworks - Frameworks for Implementation (C C N)
- COSO Internal Control
- COBIT
- NIST SP 800-53
Security Frameworks - Frameworks for Implementation - COSO IC (ident-created-categories)
- Identifies 17 control principles grouped into 5 categories
- COSO was formed in 1985 in response to fraudulent financial reporting; the Internal Control framework followed in 1992
- Provides Corporate Governance
- Categories
- Control Environment
- Risk Assessments
- Control Activities
- Information and Communication
- Monitoring Activities
Security Frameworks - Frameworks for Implementation - COBIT (created-goals-subset-principles)
- Created by ISACA and ITGI
- Defines 17 enterprise and 17 IT goals
- It’s not strictly security related
- It is an IT related subset of COSO IC
- Principles
Meeting stakeholder needs
Covering the enterprise end-to-end
Applying a single integrated framework
Enabling a holistic approach
Separating governance from management
Security Frameworks - Frameworks for Implementation - NIST SP 800-53 (created-fed agencies-controlcategories)
- Created by the US government
- Specifies the controls that federal agencies must implement
- If an agency doesn't comply, it is violating FISMA (Federal Information Security Management Act of 2002)
- Contains a list of 18 control families (Rev. 4; Rev. 5 added two more, for a total of 20)
Security Frameworks - Frameworks for Implementation - Private vs Federal controls
- Administrative = Management
- Technical = Technical
- Physical = Operational
Security Frameworks - Process Development
- ITIL
- Six Sigma
- Capability Maturity Model Integration (CMMI)
Security Frameworks - Process Development - ITIL (wherewhen-standard-focus-stages-steps)
- Developed in the UK in the 80s
- De facto standard for IT management best practices
- Focuses on achieving SLAs between the IT department and its customer
- Stages (service life cycle)
- Strategy
- Design
- Transition
- Operation
- Continual Service Improvement
- Each stage has between 3 and 5 processes
Security Frameworks - Process Development - Six Sigma (measures-rating)
- Measures process quality by using statistical calculations
- A sigma rating is applied to a process to indicate its defect rate (defects per million opportunities, DPMO); a six sigma process produces 3.4 DPMO
Security Frameworks - Process Development - Capability Maturity Model Integration (CMMI) (determines-design-levels)
- Created by Carnegie Mellon for US DoD
- Determines the maturity of an organization’s processes
- Designed to make improvements in an incremental and standard manner
- Levels:
- Level 0: Nonexistent Management
- Level 1: Unpredictable Processes
- Level 2: Repeatable Processes
- Level 3: Defined Processes
- Level 4: Managed Processes
- Level 5: Optimized Processes
Security Frameworks - The Process Life Cycle (focus-steps)
- Focuses on how to keep processes up-to-date and healthy
- Four steps, and the last one feeds right back into the first one to start a new iteration
- Steps: Plan, Implement, Operate, Evaluate
Security Frameworks - The Process Life Cycle - Steps - 1: Plan (6)
- Establish MGMT and oversight committees
- Identify business drivers and threats
- Perform a risk assessment
- Create security architectures for the business, data, application and infrastructure
- Select possible solutions for the problems identified
- Get management approval to move to the next steps
Security Frameworks - The Process Life Cycle - Steps - 2: Implement (8)
- Assign duties
- Establish baselines
- Put security policies into operation
- Identify data that needs to be secured
- Create blueprints
- Implement controls based on the blueprints
- Implement solutions to monitor the controls based on the blueprints
- Establish goals, SLAs and metrics based on the blueprints
Security Frameworks - The Process Life Cycle - Steps - 3: Operate (4)
- Follow established procedures to ensure baselines meet the blueprints
- Execute audits
- Execute tasks defined by the blueprints
- Ensure SLAs are met