ISDS 4096 Exam 1
Call Kai
Learn
Practice Test
Spaced Repetition
Match
Flashcards
Knowt Play1/150
There's no tags or description
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced | Call with Kai |
|---|
No analytics yet
Send a link to your students to track their progress
151 Terms
CIA triad
confidentiality, integrity, availability
confidentiality
only authorized users can view information
focus: secrecy and limiting access
integrity
information is complete and unaltered; only authorized users can change info
focus: correctness and protection from improper modification
availability
information is accessible by authorized users whenever they request the info
focus: uptime, access, reliability
easy CIA comparison
confidentiality = who can see it
integrity = can it be trusted
availability = can it be accessed
DAD triad
disclosure, alteration, destruction
disclosure
information exposed to unauthorized parties; violation of confidentiality
alteration
information is changed improperly; violation of integrity
destruction
information or systems are destroyed, denied, or made inaccessible; violation of availability
easy DAD comparison
exposed data = disclosure = confidentiality problem
changed data = alteration = integrity problem
unavailable system = destruction/denial = availability problem
authenticity
assurance that data is genuine and originates from its claimed source
nonrepudiation
assurance that someone can't deny performing an action/sending a communication
AAA services
identification, authentication, authorization, auditing, accounting
identification
claiming an identity
examples: entering username, swiping ID badge, typing employee number
authentication
proving the identity
examples: password, fingerprint, code from authenticator app
authorization
determining what actions are allowed
examples: whether user can view payroll files, whether employee can edit records, whether admin can install software
auditing
recording and reviewing user/system activity
example: reviewing logs
accounting
tracking actions to a user so responsibility can be assigned
example: recording which user modified a database record
security governance and planning
exists at multiple levels and should align with organization's goals, mission, and objectives
strategic plan
long-term plan that defines organization's security purpose and aligns security with business goals
useful for 5 years, should include risk assessment
tactical plan
midterm plan that provides more detail on how to accomplish strategic goals
useful for a year, prescribes and schedules tasks to accomplish organizational goals
examples: project plans, acquisition plans, budget plans, etc.
operational plan
short-term, highly detailed plan that explains how to carry out goals in practice
based on strategic and tactical plans; daily operations, detailed procedures, staffing
examples: training plans, system deployment plans, product design plans
due diligence
establishing plans, policies, and processes to protect organization; knowing what should be done and planning for it
understand risk and create right framework
example: organization performs risk assessment and writes security policy
due care
practicing activities that maintain protection; doing right action at right time
example: organization actually enforces MFA and trains employees
policy
short written statement defining course of action for entire organization
standard
detailed written definition of how software and hardware are to be used
procedure
written instructions for how to use policies and standards
guideline
suggested course of action for using a policy, standard, or procedure
threat modeling
thinking through how system could be attacked -> identifying possible threats before incident happens -> prioritizing threats so defenses can be chosen
two major tools: STRIDE (categorizing threats) and DREAD (prioritizing threats)
STRIDE
spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege
spoofing
gaining access through falsified identity
examples: fake user account identity, impersonating a trusted sender, fake login credentials
tampering
unauthorized changes or manipulation of data
examples: editing records, modifying files, changing packets in transit
repudiation
ability to deny having performed an action (by maintaining plausible deniability); can result in innocent third parties being blamed for security violations
examples: user denies sending a transaction, malicious actor tries to avoid accountability
information disclosure
disclosure of private or controlled information to unauthorized entities
examples: leaked customer data, exposed health records, unauthorized file access
denial of service
attack that prevents authorized use of a resource/makes a service unavailable
examples: traffic flooding, resource exhaustion, deliberate outage-causing attack
elevation of privilege
turning a limited account into one with greater privileges
examples: normal user becoming admin, application exploit leading to root access
STRIDE review
fake identity -> spoofing
data changed -> tampering
deny action -> repudiation
secret exposed -> information disclosure
service unavailable -> denial of service
user gains extra permissions -> elevation of privilege
Why is diagramming used in threat modeling?
to reveal where a technology or system might be attacked, so threats can be identified and prioritized
help reveal attack points and trust concerns; STRIDE used to categorize possible threats found in design and DREAD used afterward to prioritize them
DREAD
scoring criteria: damage potential, reproducibility, exploitability, affected users, discoverability
how to use DREAD?
rank each threat from 1 to 10 on all 5 criteria
add the scores
divide by 5
result = numeric score between 1 and 10 (higher score = more serious threat)
damage potential
how severe the harm would be if threat occurs
reproducibility
how easily the attack can be repeated
exploitability
how hard or easy it is to perform the attack
affected users
how many users are likely to be impacted (percentage)
discoverability
how easy it is for attacker to discover the weakness
defense in depth
using multiple layers of security controls so one failed control doesn't leave the system unprotected
example: firewall + logging + endpoint protection
What determines whether people are a risk or an asset?
training, motivation, security design
job descriptions
define roles and responsibilities to reduce misuse and confusion
acceptable use policy (AUP)
defines allowed and prohibited use of company resources
non-disclosure agreement (NDA)
prevents employees from sharing confidential info
principle of least privilege
users receive only minimum access needed to perform their job
privilege creep
accumulation of excessive access over time
separation of duties
dividing critical tasks among multiple people to prevent fraud
job rotation
switching roles periodically to uncover fraud
user behavior analytics (UBA)
monitoring user behavior to detect anomalies
offboarding
removing access and credentials when an employee leaves
social engineering
manipulating people to reveal information or perform unauthorized actions
phishing
mass email attack to steal information
spear phishing
targeted phishing attack
whaling
targeting high-value individuals
business email compromise (BEC)
impersonating executives to commit fraud
prepending
adding misleading prefixes like RE:, FW:, INTERNAL:
baiting
luring victims with something enticing (e.g. infected USB)
tailgating
following someone into a restricted area
shoulder surfing
watching someone enter sensitive info
dumpster diving
searching trash for sensitive data
credential hijacking
stealing and using login credentials
invoice scam
fake invoice used to trick payment
hoax
tricking users into harmful actions
risk management
process of identifying, assessing, and responding to risk
threat agent
entity that carries out an attack
threat event
actual occurrence of an attack or incident
threat vector
path used to attack (email, USB, network, etc.)
vulnerability
weakness that can be exploited
risk
likelihood and impact of a threat exploiting a vulnerability
safeguard (control)
measure that reduces risk
attack
attempt to exploit a vulnerability
breach
successful attack
risk relationship
threat + vulnerability = risk
risk responses
avoid, mitigate, transfer, accept
asset valuation purpose
justifies security controls and prioritizes protection
NIST Cybersecurity Framework
identify, protect, detect, respond, recover
NIST Risk Management Framework (RMF)
prepare, categorize, select, implement, assess, authorize, monitor
risk maturity model levels
ad hoc, preliminary, defined, integrated, optimized
end of life (EOL)
product no longer produced
end of support (EOS/EOSL)
product no longer receives updates
incident
any event negatively affecting CIA
security incident
malicious or intentional attack event
incident response steps
detection, response, mitigation, reporting, recovery, remediation, lessons learned
detection methods
IDS, antivirus, logs, user reports
preventive controls
stop attacks before they occur
detective controls
identify attacks after they occur
botnet
network of infected systems controlled by an attacker
command and control (C2)
system used to control botnets
denial of service (DoS)
attack that disrupts system availability
distributed DoS (DDoS)
multiple systems attacking one target
SYN flood
DOS attack exploiting TCP handshake
smurf attack
ICMP flooding attack
fraggle attack
UDP flooding attack
ping flood
overwhelming system with ping requests
