Fundamentals of Security Flashcards
Objectives:
● 1.1 - Compare and contrast various types of security controls
● 1.2 - Summarize fundamental security concepts
What is Information Security?
■ Protecting data and information from unauthorized access, modification,
disruption, disclosure, and destruction
What is Information Systems Security?
■ Protecting the systems (e.g., computers, servers, network devices) that hold and
process critical data
What is the CIA Triad, and what does each part mean?
■ Confidentiality
● Ensures information is accessible only to authorized personnel (e.g.,
encryption)
■ Integrity
● Ensures data remains accurate and unaltered (e.g., checksums)
■ Availability
● Ensures information and resources are accessible when needed (e.g.,
redundancy measures)
What is the CIANA Pentagon?
■ Confidentiality
● Ensures information is accessible only to authorized personnel (e.g.,
encryption)
■ Integrity
● Ensures data remains accurate and unaltered (e.g., checksums)
■ Availability
● Ensures information and resources are accessible when needed (e.g.,
redundancy measures)
■ Non-Repudiation
● Guarantees that an action or event cannot be denied by the involved parties
(e.g., digital signatures)
■ Authentication
● Verifying the identity of a user or system (e.g., password checks)
What are the Triple A’s of Security?
■ Authentication
● Verifying the identity of a user or system (e.g., password checks)
■ Authorization
● Determining actions or resources an authenticated user can access (e.g.,
permissions)
■ Accounting
● Tracking user activities and resource usage for audit or billing purposes
What are the four Security Control Categories?
■ Technical
■ Managerial
■ Operational
■ Physical
What are the five Security Control Types?
■ Preventative
■ Deterrent
■ Detective
■ Corrective
■ Compensating
■ Directive
What is the Zero Trust Model?
■ Operates on the principle that no one should be trusted by default
What must we do to achieve zero trust, using the control plane and the data plane?
● Control Plane
○ Adaptive identity, threat scope reduction, policy-driven access
control, and secured zones
● Data Plane
○ Subject/system, policy engine, policy administrator, and
establishing policy enforcement points
What is a Threat?
■ Anything that could cause harm, loss, damage, or compromise to our information
technology systems
Threats can come from where?
● Natural disasters
● Cyber-attacks
● Data integrity breaches
● Disclosure of confidential information
What is a Vulnerability?
■ Any weakness in the system design or implementation
Vulnerabilities come from internal factors such as?
● Software bugs
● Misconfigured software
● Improperly protected network devices
● Missing security patches
● Lack of physical security
Describe how Threats and Vulnerabilities intersect.
■ If you have a threat, but there is no matching vulnerability to it, then you have no
risk
■ The same holds true that if you have a vulnerability but there’s no threat against
it, there would be no risk
Define Risk Management.
■ Finding different ways to minimize the likelihood of an outcome and achieve the
desired outcome
Define Confidentiality.
■ Refers to the protection of information from unauthorized access and disclosure
■ Ensure that private or sensitive information is not available or disclosed to
unauthorized individuals, entities, or processes
Confidentiality is important for 3 main reasons. What are they?
■ To protect personal privacy
■ To maintain a business advantage
■ To achieve regulatory compliance