Threat
An external force that jeopardizes security
Threat vector
The method an attacker uses to reach the target
Threat actor
The person or group behind the threat
Vulnerability
A weakness in a system that an attacker could exploit
Risk
A threat combined with a corresponding vulnerability
Risk equation
Risk = Threat + Vulnerability
Likelihood
The probability that a risk will actually occur
Impact
The amount of damage if a risk materializes
Confidentiality
Keep data private — only authorized people can see it
Integrity
Data is accurate and unaltered by unauthorized parties
Availability
Systems work when users need them — uptime
Confidentiality example
Encryption, clean desk policy, screen locks
Integrity example
Hashing, digital signatures, file integrity monitoring
Availability example
Backups, redundancy, DDoS protection, fault tolerance
Risk avoidance
Change business practices to make the risk irrelevant
Risk transference
Move the risk to another party (e.g., insurance) — can't transfer 100%
Risk mitigation
Reduce the likelihood or impact of the risk
Risk acceptance
Acknowledge the risk and continue operations anyway
Inherent risk
Original level of risk before any controls are applied
Residual risk
Risk that remains after controls are applied
Control risk
New risk introduced BY the controls themselves
Risk tolerance
The level of risk the organization is willing to accept
Qualitative risk analysis
Subjective judgment grouped into categories (high/medium/low)
Quantitative risk analysis
Numeric ratings in dollars for likelihood and impact
Configuration management
Tracks how devices are set up — OS and software inventory
Baseline
Configuration snapshot at a given point in time
Baselining
Establishing a known-good config as a reference point
Versioning
Assigning numbers to track configuration changes over time
Version control
Tracks revisions to files/code over time
Configuration diagrams
Documents that show how systems are set up
Change management
Controls how changes happen to minimize risk
ISC2 Canon 1
Protect society, the common good, public trust, and the infrastructure
ISC2 Canon 2
Act honorably, honestly, justly, responsibly, and legally
ISC2 Canon 3
Provide diligent and competent service to principals
ISC2 Canon 4
Advance and protect the profession
Policy
Bedrock document of security expectations — MANDATORY
Standard
Specific details of required security controls — MANDATORY
Procedure
Step-by-step instructions to perform tasks — may or may not be mandatory
Guideline
Advice from security professionals — OPTIONAL
AUP
Acceptable Use Policy — authorized uses of technology
BYOD
Bring Your Own Device policy — personal devices for work
Something you know
Authentication factor — password, PIN, security question
Something you have
Authentication factor — token, debit card, authenticator app
Something you are
Authentication factor — biometric (fingerprint, iris, face)
MFA
Multi-Factor Authentication — combines TWO DIFFERENT factor categories
SSO
Single Sign-On — share authenticated session across systems (UX, not auth strength)
Non-repudiation
Prevents someone from falsely denying an action — provided by digital signatures
PII
Personally Identifiable Information — data traceable to an individual
PHI
Protected Health Information — medical records (governed by HIPAA)
PCI DSS
Payment Card Industry Data Security Standard — regulates payment card data
Preventive control
Stops a security issue from happening (firewall, MFA, fence)
Detective control
Identifies issues that have occurred (IDS, CCTV, log review)
Corrective control
Remediates issues after they happen (patching, restore from backup)
Technical control
Uses technology to achieve the control objective (a.k.a. logical)
Administrative control
Uses processes and policies (training, AUP)
Physical control
Impacts the physical world (locks, fences, guards, bollards)