Fundamentals of Security Flashcards

Section 2 (95 cards)

1
Q

Act of protecting data and information from unauthorized access, unlawful modification and disruption, disclosure, corruption, and destruction.

A

Information Security

2
Q

The data that systems hold, not the data systems themselves, is an example of what?

A

Information Security

3
Q

Act of protecting the systems that hold and process the critical data.

A

Information Systems Security

4
Q

The actual data systems (cell phones, computers, servers), not the actual data they hold, are an example of what?

A

Information Systems Security

5
Q

What is the CIA Triad, also known as the 3 pillars of security?

A

Confidentiality
Integrity
Availability

6
Q

Ensures that information is only accessible to those with appropriate authorization.

A

Confidentiality

7
Q

Which pillar of security is this an example of? Encrypting sensitive files and authorizing specific people to decrypt and read them.

A

Confidentiality

8
Q

Ensures that data remains accurate and unaltered unless modification is required.

A

Integrity

9
Q

Which pillar of security is this an example of? Checksums can be used to verify that a file has not been changed or corrupted as it moves along a network during a data transfer.

A

Integrity

10
Q

Ensures that information and resources are accessible and functional when needed by authorized users.

A

Availability

11
Q

Which pillar of security is this an example of? Implementing redundancy measures for a website to ensure it remains online at any time, regardless of how much traffic it is receiving.

A

Availability

12
Q

What is the CIANA Pentagon?

A

Confidentiality
Integrity
Availability
Non-Repudiation
Authentication

13
Q

Guaranteeing that a specific action or event has taken place and cannot be denied by the parties involved.

A

Non-Repudiation

14
Q

Sending a digitally signed email, so that the sender cannot deny having sent it, is an example of what?

A

Non-Repudiation

15
Q

What are the AAA of Security?

A

Authentication
Authorization
Accounting

16
Q

Process of verifying the identity of a user or system

A

Authentication

17
Q

Defines what actions or resources a user can access

A

Authorization

18
Q

Act of tracking user activities and resource usage, typically for auditing or billing purposes

A

Accounting

19
Q

This is an example of which AAA of security? When you try to log in to get your email, your username and password are checked against a stored version to confirm your identity.

A

Authentication

20
Q

This is an example of which AAA of security? In a company database, you as an employee may have access to view records but may not have access to edit them, so you have read permission.

A

Authorization

21
Q

This is an example of which AAA of security? When you log into your computer, what you do is logged so that unusual or unauthorized behavior can be monitored.

A

Accounting

22
Q

Measures or mechanisms put in place to mitigate risks and protect the confidentiality, integrity and availability of information systems and data

A

Security Controls

23
Q

What are the Security Control Categories?

A

Technical
Managerial
Operational
Physical

24
Q

What are the Security Control Types?

A

Preventative
Deterrent
Detective
Corrective
Compensation
Directive

25
Security model that operates on the principle that no one, whether inside or outside the organization, should be trusted by default.
Zero Trust
26
Verification required for everybody is an example of what?
Zero Trust
27
Consists of the adaptive identity, threat scope reduction, policy-driven access control and secured zones.
Control Plane
28
Focused on the subject/system, policy engine, policy administrator, and establishing policy enforcement points.
Data Plane
29
Anything that could cause harm, loss, damage or compromise to information technology systems.
Threat
30
External Source Threats are threats we cannot fully control. Name four types.
Natural Disasters, Cyber Attacks, Data integrity breaches, Disclosure of confidential information
31
Any weakness in the system design or implementation
Vulnerability
32
Internal factors are threats we can control and prevent. Name 5 examples.
Software bugs, Misconfigured software, Improperly protected network devices, Missing security patches, Lack of physical security
33
Finding different ways to minimize the likelihood of an outcome occurring and achieving the desired outcomes
Risk Management
34
This is an example of what: Threat, Vulnerability or Risk Management? You are trying to get to work on time, but you remember you have to stop and get gas, causing you to be late.
Vulnerability - Getting gas is something that could have been done the night before. Vulnerabilities can be prevented.
35
This is an example of what: Threat, Vulnerability or Risk Management? You are trying to get to work on time, but there is a car accident on the highway and you are now stuck in traffic, causing you to be late.
Threat - You could not have prevented the other driver from causing a car accident.
36
This is an example of what: Threat, Vulnerability or Risk Management? You are trying to get to work on time and you feel rushed, so you decide to leave an extra 30 minutes early.
Risk Management - You are giving yourself extra time in case any vulnerabilities or threats pop up on your way to work.
37
Refers to the protection of information from unauthorized access and disclosure
Confidentiality
38
This is an example of what in the CIA Triad? Sensitive data is only to be seen by authorized people.
Confidentiality
39
What are the 5 basic methods of Confidentiality?
Encryption, Access controls, Data masking, Physical Security Measures, Training and awareness
40
Process of converting data into code to prevent unauthorized access
Encryption
41
This is an example of which of the 5 basic methods of Confidentiality (Encryption, Access Controls, Data Masking, Physical Security Measures, Training and awareness)? Scrambles the plaintext data into an indecipherable jumble until the right decryption key is provided.
Encryption
42
Ensures only authorized personnel can have certain types of access
Access Control
43
This is an example of which of the 5 basic methods of Confidentiality (Encryption, Access Controls, Data Masking, Physical Security Measures, Training and awareness)? Your boss might want you to save your personal record on the company's shared drive, but they only want themselves to access it. Permissions are set to give them read/write access.
Access Control
44
Method that involves obscuring data within a database to make it inaccessible for unauthorized users while retaining the real data's authenticity and use for authorized users.
Data Masking
45
This is an example of which of the 5 basic methods of Confidentiality (Encryption, Access Controls, Data Masking, Physical Security Measures, Training and awareness)? Hiding the first 12 numbers of a credit card but showing the last four numbers.
Data Masking
46
Used to ensure confidentiality for physical types of data and for digital information contained on servers and workstations
Physical Security Measures
47
This is an example of which of the 5 basic methods of Confidentiality (Encryption, Access Controls, Data Masking, Physical Security Measures, Training and awareness)? Locking doors to filing cabinets or installing security cameras.
Physical Security Measures
48
Conducting regular training on the security awareness best practices that employees can use to protect the organization.
Training and awareness
49
Confidentiality should always be paired with what word?
Encryption
50
Helps to ensure information and data remain accurate and unchanged from their original state unless intentionally modified by an authorized individual.
Integrity
51
What are the 5 methods of Integrity?
Hashing, Digital Signature, Checksums, Access Controls, Regular Audits
52
Integrity should always be paired with what word?
Hashing
53
Process of converting data into a fixed-size value
Hashing
54
Uses encryption to ensure integrity and authenticity
Digital Signature
55
Method to verify integrity of data during transmission
Checksums
56
Ensures that only authorized individuals can modify data and reduces the risk of unintentional or malicious alterations
Access Control
57
Reviewing logs and operations to ensure that only authorized changes have been made and discrepancies are addressed
Regular Audits
58
Used to ensure that information, systems, and resources are accessible and operational when needed by authorized users
Availability
59
What word should always be paired with Availability?
Redundancy
60
Duplicates critical components or functions of a system with the intent of enhancing its reliability
Redundancy
61
What are 4 types of redundancy?
Server Redundancy, Data Redundancy, Network Redundancy, Power Redundancy
62
Focused on providing undeniable proof in digital transactions
Non-Repudiation
63
Proof it was sent by a specific user
Digital Signature
64
What are 3 important reasons for non-repudiation?
Confirming the authenticity of digital transactions, Ensuring Integrity, Providing Accountability
65
Non-Repudiation should always be paired with what word?
Digital Signature
66
Security measure that ensures individuals or entities are who they claim to be during a communication or transaction.
Authentication
67
What are the 5 common authentication methods?
Something you know, Something you have, Something you are, Something you do, Something you are
68
Permissions and privileges granted to users or entities after they have been authenticated
Authorization
69
Security measure that ensures all user activities are properly tracked and recorded.
Accounting
70
Used to aggregate logs from various network devices so system admins can analyze them to detect patterns or anomalies in the organization
Syslog Server
71
Used to capture and analyze network traffic to gain detailed insights into all the data moving within a network.
Network Analyzer
72
Provides real-time analysis of security alerts generated by various hardware and software infrastructures in an organization
Security Information and Event Management (SIEM)
73
4 Types of Security Control Categories
1. Technical Controls, 2. Managerial Controls, 3. Operational Controls, 4. Physical Controls
74
6 Types of Security Control Types
1. Preventative Controls, 2. Deterrent Controls, 3. Detective Controls, 4. Corrective Controls, 5. Compensating Controls, 6. Directive Controls
75
Which Security Control builds our foundation? 1. Preventative Controls, 2. Deterrent Controls, 3. Detective Controls, 4. Corrective Controls, 5. Compensating Controls, 6. Directive Controls
1. Preventative Controls: Proactive measures implemented to thwart potential security threats or breaches. Example: Firewall
76
Which Security Control discourages threats? 1. Preventative Controls, 2. Deterrent Controls, 3. Detective Controls, 4. Corrective Controls, 5. Compensating Controls, 6. Directive Controls
2. Deterrent Controls: Aim to discourage potential attackers by making the effort seem less appealing or more challenging. Example: Warning signs on property or a banner on a website
77
Which Security Control keeps a watchful eye? 1. Preventative Controls, 2. Deterrent Controls, 3. Detective Controls, 4. Corrective Controls, 5. Compensating Controls, 6. Directive Controls
3. Detective Controls: Monitor and alert organizations to malicious activities as they occur or shortly thereafter. Example: Security camera, intrusion detection system (IDS) in a network system
78
Which Security Control has to do with emergency? 1. Preventative Controls, 2. Deterrent Controls, 3. Detective Controls, 4. Corrective Controls, 5. Compensating Controls, 6. Directive Controls
4. Corrective Controls: Mitigate any potential damage and restore the systems to their normal state. Example: Antivirus software quarantining and removing malicious software.
79
Which Security Control has to do with backups? 1. Preventative Controls, 2. Deterrent Controls, 3. Detective Controls, 4. Corrective Controls, 5. Compensating Controls, 6. Directive Controls
5. Compensating Controls: Alternative measures that are implemented when primary security controls are not feasible or effective
80
Which Security Control guides the entire process? 1. Preventative Controls, 2. Deterrent Controls, 3. Detective Controls, 4. Corrective Controls, 5. Compensating Controls, 6. Directive Controls
6. Directive Controls: Often rooted in policy or documentation and set the standards for behavior within an organization. Example: A policy on how to use company equipment
81
Process of evaluating the differences between an organization's current performance and its desired performance
Gap Analysis
82
What are 2 types of gap analysis?
1. Technical Gap Analysis, 2. Business Gap Analysis
83
What type of gap analysis involves evaluating an organization's current technical infrastructure and identifying any areas where it falls short of the technical capabilities required to fully utilize their security solutions?
Technical Gap Analysis
84
What type of gap analysis involves evaluating an organization's current business process and identifying any areas where they fall short of the capabilities required to fully utilize cloud-based solutions?
Business Gap Analysis
85
Plan of Action and Milestones (POA&M)
Outlines the specific measures to address each vulnerability, allocates resources and sets up timelines for each remediation task that is needed.
86
The overarching framework and set of components responsible for defining, managing and enforcing the policies related to user and system access within an organization
Control Plane
87
Ensures that the policies and procedures are properly executed
Data Plane
88
Is this a control plane or a data plane? Adaptive Identity: Identities that rely on real-time validation that takes into account the user's behavior, device, location and other factors like that.
Control Plane
89
Is this a control plane or a data plane? Threat scope reduction: Limits the user's access to only what they need for their work tasks
Control Plane
90
Is this a control plane or a data plane? Secured Zones: Isolated environments within a network that are designed to house sensitive data
Control Plane
91
Is this a control plane or a data plane? Policy-Driven Access Control: Entails developing, managing, and enforcing user access policies based on their roles and responsibilities
Control Plane
92
Is this a control plane or a data plane? Subject/System: Refers to the individual or entity attempting to gain access
Data Plane
93
Is this a control plane or a data plane? Policy Engine: Cross-references the access request with its pre-defined policies
Data Plane
94
Is this a control plane or a data plane? Policy Administrator: Used to establish and manage the access policies
Data Plane
95
Is this a control plane or a data plane? Policy Enforcement Point: Allows or restricts access and effectively acts as a gatekeeper to the sensitive areas of the systems or networks
Data Plane