CIA Triad
Confidentiality, Integrity, Availability
Confidentiality
Only authorized users can view information.
Integrity
Information is complete and unaltered: a.k.a., only authorized users can change information.
Availability
Information is accessible by authorized users whenever they request information.
Policy
A short written statement that defines a course of action that applies to the entire organization.
Standard
A detailed written definition of how software and hardware are to be used
Procedures
Written instructions for how to use policies and standards
Guidelines
Suggested course of action for using policy, standard, or procedure.
OR
Offer recommendations on how standards and baselines are implemented.
Standards
Define compulsory requirements
Baselines
Define the minimum level of security. Operationally focused form of a standard.
STRIDE
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), and Elevation of Privilege
Spoofing
An attack with the goal of gaining access to a target system through the use of falsified identity. When an attacker spoofs their identity as a valid or authorized entity, they are often able to bypass filters and blockades against unauthorized access.
Tampering
Any action resulting in unauthorized changes or manipulation of data, whether in transit or in storage.
Repudiation
The ability of a user or attacker to deny having performed an action or activity by maintaining plausible deniability.
Information Disclosure
The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities.
Denial of Service (DoS)
An attack that attempts to prevent a system from performing its normal functions. This can be done through flaw exploitation, connection overloading, or traffic flooding.
Elevation of Privilege
An attack where a limited user account is transformed into an account with greater privileges, powers, and access.
Employee Oversight
Monitoring and supervising employees' activities.
Collusion
Several people work together to perform a crime.
User Behavior Analytics (UBA)
User behavior analytics refers to the process of monitoring user behavior in an attempt to discover potential threats and attacks. UBA is designed to perform advanced threat detection in an organization by monitoring employee behavior and identifying those behaviors that could lead to potential threats to the organization.
Social Engineering Principles
Authority, Intimidation, Consensus, Scarcity, Familiarity, Trust, and Urgency
Authority
The trick is to convince the target that the attacker is someone with valid internal or external authority. Some attackers claim their authority verbally, and others assume authority by wearing a costume or uniform.
Intimidation
Uses authority, confidence, or even the threat of harm to motivate someone to follow orders or instructions. It often focuses on exploiting uncertainty in situations where a clear directive of operation or response isn't defined.
Consensus
Also called "social proof": the act of taking advantage of a person's natural tendency to mimic what others are doing or are perceived as having done in the past. The attacker attempts to convince the victim that a particular action or response is necessary to be consistent with social norms or previous occurrences.
Scarcity
A technique used to convince someone that an object has a higher value based on the object's scarcity.
Familiarity
Attempts to exploit a person's native trust in that which is familiar. The attacker often tries to appear to have a common contact or relationship with the target, such as mutual friends or experiences, or uses a facade to take on the identity of another company or person.
Trust
An attacker working to develop a relationship with a victim. This may take seconds or months, but eventually the attacker attempts to use the value of the relationship (the victim's trust in the attacker) to convince the victim to reveal information or perform an action that violates company security.
Urgency
Often joined with scarcity, because the need to act quickly increases as scarcity indicates a greater risk of missing out. Often used as a method to get a quick response from a target before they have time to carefully consider or refuse compliance.
End-of-life (EOL)
The manufacturer no longer produces the product. It should be scheduled for replacement or retirement.
End-of-service-life (EOSL) or End-of-support (EOS)
Systems that are no longer receiving updates and support from the vendor. Must be replaced or retired.
Cybersecurity Framework
Identify, Protect, Detect, Respond, and Recover
Identify
Develop an organizational understanding to manage cybersecurity risk to: systems, assets, data, and capabilities.
Protect
Develop and implement the appropriate safeguards to ensure the delivery of services.
Detect
Develop and implement the appropriate activities to identify the occurrence of cybersecurity events.
Respond
Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Recover
Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Incident Management Steps
Detection, Response, Mitigation, Reporting, Recovery, Remediation, and Lessons Learned
Intrusion Detection and Prevention Systems
Tools and techniques to detect and prevent unauthorized access
Intrusion Detection System (IDS)
More of an alerting system that lets an organization know if anomalous or malicious activity is detected.
Intrusion Prevention System (IPS)
Takes detection a step further and shuts down the network before access can be gained, or prevents further movement within the network.
(ISC)2 Code of Ethics
1. Protect society, the commonwealth, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.
Forensic Procedure
Network analysis, Software analysis, and Hardware/embedded device analysis
Network Analysis
- Intrusion detection and prevention system logs
- Network flow data captured by a flow monitoring system
- Captures deliberately collected during an incident
- Logs from firewalls and other network security devices
Software Analysis
Validation of file hash values against known file types
Hardware/Embedded Device Analysis
A type of analysis in which an analyst reviews the contents of hardware and embedded devices.
This may include a review of: personal computers (PCs), smartphones, tablet computers, and embedded computers in cars, security systems, and other devices.
Host-based IDS (HIDS)
- Monitors activity on a single computer, including process calls and information recorded in system, application, security, and host-based firewall logs.
- Can detect infections where an intruder has infiltrated a system and is controlling it remotely.
Downsides to Host-based IDS
- More costly to manage because they require administrative attention on each system
- Cannot detect network attacks on other systems
- Easier for an intruder to discover and disable
Network-based IDS (NIDS)
- Monitors and evaluates network activity to detect attacks or event anomalies.
- A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console such as a security information and event management (SIEM) system.
- These sensors can monitor traffic at routers, firewalls, network switches that support port mirroring, and other types of network taps.
Downsides to Network-based IDS
Usually can detect an attack, but it can't always provide info about an attack's success. So it won't know if an attack affected specific systems, user accounts, files, or applications. However, after administrators receive the alert, they can check relevant systems and use NIDS logs as part of an audit trail to learn what happened.
NIST SP 800-53
Its primary goal and objective is to ensure that appropriate security requirements and security controls are applied to all U.S. Federal Government information and information management systems.
Risk Assessment Process
Step 1. Prepare for Assessment
Step 2. Conduct Assessment
Step 3. Communicate Results
Step 4. Maintain Assessment
Step 1. Prepare for Assessment
- Identify the purpose of the assessment
- Identify the scope of the assessment
- Identify the assumptions and constraints associated with the assessment
- Identify the sources of info to be used as inputs to the assessment
- Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to be employed during the assessment.
Step 2. Conduct Assessment
- Identify threat sources
- Determine the likelihood
- Determine the impact
- Determine risk value
Step 3. Communicate Results
- Prepare a report
- Tailor the report
- Use visual aids
- Provide context
- Highlight the benefits
- Follow up
Step 4. Maintain Assessment
- Conduct regular assessments
- Monitor threat intelligence
- Conduct employee training and report potential risks
- Review and prioritize
Monte Carlo Simulation
- Uses a computer to generate a large number of scenarios based on probabilities for inputs.
Personally Identifiable Information (PII)
Any information about an individual maintained by an agency, including:
(1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and
(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Protected Health Information (PHI)
- HIPAA
- Health information means any information, whether oral or recorded in any form or medium, that:
(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of any individual, or the past, present, or future payment for the provision of healthcare to an individual.
Proprietary Data
Any data that helps an organization maintain a competitive edge.
Non-government Data Classification Standards
Private Data, Confidential (more secure), Internal Use Only, and Public Domain Data (less secure)
Data Loss Prevention (DLP)
A system that can identify critical data, monitor how it is being accessed, and protect it from unauthorized users.
Network-based DLP
- scans all outgoing data looking for specific data
- if sensitive data is sent, the DLP will detect it, prevent it from leaving, and send an alert
Endpoint-based DLP
- can scan files stored on a system as well as files sent to external devices (such as printers)
- can prevent users from copying data to USB drives or sending sensitive info to printers
Solid State Drive (SSD) Destruction
- Use integrated circuitry or flash-based memory.
- NSA requires disintegrators to shred the SSDs to a size of 2 mm or smaller (0.079 in).
Hard Disk Drive (HDD)
- Use magnetization
- Degausser creates a heavy magnetic field to realign the magnetized media.
Deletion
Erasing, Clearing, Purging, and Degaussing
Erasing
Simply performing a delete operation against a file, a selection of files, or the entire media. (gone forever)
Clearing
Also called overwriting: a process of preparing media for reuse and ensuring that the cleared data cannot be recovered using traditional recovery tools.
Purging
A more intense form of clearing that prepares media for reuse in a less secure environment (downgrade).
Degaussing
The process of removing or rearranging the magnetic field of a disk in order to render the data unrecoverable. (typically a hard disk)
Pseudonymization
The process of removing personal identifiers from data and replacing those identifiers with pseudonyms/aliases or artificial identifiers as placeholder values. The result is often similar in structure to the original data.
Tokenization
The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
Anonymization
The process of removing all relevant data so that it is impossible to identify the original subject or person (prevents reidentification).
Managed Services in the Cloud
Software as a Service (SaaS); Platform as a Service (PaaS); and Infrastructure as a Service (IaaS)
Software as a Service (SaaS)
Models provide fully functional applications typically accessible via a web browser.
Platform as a Service (PaaS)
Models provide consumers with a computing platform, including hardware, operating systems, and a runtime environment.
Infrastructure as a Service (IaaS)
Models provide basic computing resources to customers (e.g., IBM Cloud, AWS, Microsoft Azure).
Common Vulnerabilities and Exposures (CVE)
An online list of known vulnerabilities (and patches) to software, especially web servers. It is maintained by the MITRE Corporation.
Business Impact Analysis (BIA)
A process that helps an organization identify critical systems and components that are essential to the organization's success.
Single Loss Expectancy (SLE)
Asset Value (AV) * Exposure Factor (EF)
[AV x EF]
Annualized Rate of Occurrence (ARO)
Number of incidents per year
Annualized Loss Expectancy (ALE)
Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
[SLE x ARO]
Redundant Array of Independent Disks (RAID)
a technology used to combine multiple hard drives into a single unit called an array. This enhances performance and reliability.
Uninterruptible Power Supply (UPS)
An almost instant battery power source that provides electric current during a power outage. Provides 5 to 30 minutes to shut down or start a generator.
Quality of Service (QoS)
a set of technologies that work on a network to guarantee its ability to dependably run high-priority applications and traffic under limited network capacity.
Bandwidth
speed of a link
Latency
Time it takes for a network request to travel from its sender to its receiver.
Packet Loss
refers to data that never reaches its destination or gets discarded because it arrives too late
Jitter
When a time delay in the sending of data packets over a network connection occurs
Cold Site
an off-site location kept on standby for disaster recovery but without any active hardware. Requires time to set up and become operational.
Hot Site
A fully functional off-site location that can take over immediately in the event of a system failure. Fully equipped but expensive
Warm Site
Somewhere between cold and hot sites. It has some hardware and can become operational more quickly than a cold site but still requires some time.
Cloud Site
A virtual site that allows for quick scaling and deployment but is dependent on internet connectivity.
Computer Crime
The statute prohibits seven categories of conduct involving unauthorized access to computers, including, with certain exceptions and conditions:
1. Obtaining national security information through unauthorized computer access and sharing or retaining it;
2. Obtaining certain types of information through unauthorized computer access;
3. Accessing government computers without authorization;
4. Engaging in computer-based frauds through unauthorized computer access;
5. Knowingly causing damage to certain computers by transmission of a program, information, code, or command;
6. Trafficking in passwords or other means of unauthorized access to a computer; and
7. Making extortionate threats to harm a computer or based on information obtained through unauthorized access to a computer.
Federal Information Security Management Act (FISMA)
This places a significant burden on federal agencies and government contractors, who must develop and maintain substantial documentation of their FISMA compliance activities.
Copyrights
- Original works of authorship
- Author: 70 years after death
- Companies: 120 years after creation or 95 years once published
Digital Millennium Copyright Act
a 1998 US law intended to update copyright law for electronic commerce and electronic content providers. It criminalizes the circumvention of electronic and digital copyright protection systems.
Trademark
A symbol, word, or words legally registered or established by use as representing a company, product, or service. Must not be confusingly similar or merely descriptive.
Patents
- intellectual property rights granted for inventions that are useful, novel, and non-obvious
- 20-year protection from the date of filing
Trade Secrets
Intellectual property rights in the form of inventions and information, not generally known to others, that convey economic advantages to the holders. Typically protected with nondisclosure agreements (NDAs).