Questions and Answers
______ is something in need of protection.
Asset
______ is a gap or weakness in protection efforts.
Vulnerability
______ aims to exploit a vulnerability to thwart protection efforts.
Threat
The process of identifying, estimating and prioritizing risks is known as ______.
______ relates to making decisions about the best actions to take regarding the identified and prioritized risk.
______ are put in place by organizational governance, such as executive management, to provide guidance in all activities.
______ are the detailed steps to complete a task that support departmental or organizational policies.
The ______ is a framework that helps to establish trust in the use of public key cryptography to sign and encrypt messages via digital certificates.
______ can authenticate a sender, because they control a private key that produces messages in a way that no one else can.
______ proves integrity by computing a unique fixed-size message digest from any variable length input.
Flashcards
Confidentiality
Security professional's obligation to regulate access—protecting data while allowing authorized access.
Integrity
Measures the degree to which something is whole, complete, internally consistent, and correct.
Availability
Timely and reliable access to information and services for authorized users.
Authentication
Non-Repudiation
Information Security Risk
Asset
Vulnerability
Threat
Risk Assessment
Study Notes
- Cybersecurity focuses on protecting digital information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction
- The CIA Triad is a model designed to guide security policies
CIA Triad
- Confidentiality: Protecting sensitive information from unauthorized access
- Regulates access to protect data while allowing authorized access
- Applies to Personally Identifiable Information (PII), which is any data that can identify an individual
- Applies to Protected Health Information (PHI), which is information regarding one's health status
- Integrity: Ensuring data is whole, complete, consistent, and correct
- Data Integrity is the property that data has not been altered without authorization
- System Integrity is when the system performs its intended function
- Availability is the timely and reliable access to information for authorized users
- Authentication verifies a user's identification through passwords, tokens, or biometrics
- Single-Factor Authentication (SFA) uses one method of authentication
- Multi-Factor Authentication (MFA) uses multiple authentication methods
- Non-Repudiation is a legal protection against falsely denying actions
- Privacy is an individual's right to control their information distribution
- General Data Protection Regulation (GDPR) applies to organizations doing business in the EU or with EU citizens
- Information Security Risk includes potential adverse impacts from unauthorized actions
- Asset: Something needing protection, tangible or intangible
- Vulnerability: A gap or weakness in those protection efforts
- Threat: Something or someone that aims to exploit a vulnerability
Threat Actors
- Insiders act deliberately, by simple human error, or by gross incompetence
- Outside individuals or informal groups act in either a planned or an opportunistic manner
- Formal nonpolitical entities include business competitors and cybercriminals
- Formal political entities include terrorists, nation-states, and hacktivists
- Intelligence or information gatherers can be any of the above
- Technology includes free-running bots and AI
- Risk Assessment identifies, estimates, and prioritizes risks to an organization
- Risk Treatment involves deciding on the best actions for prioritized risks
- Avoidance eliminates the risk entirely
- Acceptance takes no action to reduce the risk
- Mitigation prevents or reduces the possibility of a risk event
- Risk Transference passes the risk to another party in exchange for payment
Cybersecurity Frameworks
- Identify develops security policies and evaluates risks
- Protect involves procuring, developing, installing, and operating IT assets with embedded security
- Detect performs ongoing monitoring
- Respond identifies, analyzes, contains, and eradicates threats
- Recover implements resilience to restore systems and data
- Security Controls include safeguards or countermeasures for information systems
Types of security controls
- Physical Controls use hardware devices and architectural features to control movement
- Technical Controls (logical controls) provide automated protection and facilitate detection
- Administrative Controls (managerial controls) are directives and guidelines for human behavior
- RBAC (Role-Based Access Control) grants access based on user roles
- Granular access is achieved with access control entries at the individual user level
- Governance Elements ensure organizational activities support standards and regulations
Examples of governance elements
- Procedures are detailed steps for completing tasks
- Policies are guidance provided by organizational governance
- Standards provide a framework to introduce policies and procedures
- Regulations are laws that carry financial penalties for noncompliance
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 governs the use of protected health information (PHI); violations can result in fines and imprisonment
- The International Organization for Standardization (ISO) develops international standards
- The National Institute of Standards and Technology (NIST) publishes technical standards
- The Internet Engineering Task Force (IETF) creates standards for communication protocols
- The Institute of Electrical and Electronics Engineers (IEEE) sets standards for telecommunications
- Policies are broad, but not detailed
- Governance Policies are used to moderate and control decision-making
- Procedures are explicit, repeatable activities
- Cryptographic Algorithms encode or decode data
- Modern Cryptographic Systems include symmetric and asymmetric algorithms
- Cryptography encodes information to make it secure
- Plaintext (or cleartext) is an unencrypted message
- Ciphertext is an encrypted message
- Algorithms encrypt and decrypt messages
- Cryptanalysis cracks cryptographic systems
- Encryption Algorithm or Cipher encodes data for secure storage and transmission
- A KEY is used with the encryption cipher to ensure only authorized users can decrypt
- Symmetric Encryption uses the same secret key for encryption and decryption
Encryption
- Encryption Algorithms use a key to increase security
- A Keyspace is the range of values for keys
- Modern Ciphers use large key spaces
- Modern Symmetric Ciphers use bits and the number of bits is the key length
- Asymmetric Encryption uses two different keys (public and private)
- A public key encrypts and only its paired private key decrypts
Encryption functions
- Hashing produces a fixed-length bit string (hash or message digest)
- Secure Hash Algorithm (SHA) is considered the strongest family, with SHA-256 (256-bit digest) being the most popular
- Message Digest Algorithm #5 (MD5) produces a 128-bit digest; it is no longer considered secure but may be needed for compatibility
- Public Key Cryptography authenticates a sender via a private key
- Hashing proves integrity by computing fixed-size message digests
- Digital Signatures combine cryptography and hashing
- Public Key Infrastructure (PKI) establishes trust
- Private CAs operate within an organization
- Third-Party CAs can be used to establish trust between servers and clients
- Digital Certificates wrap a subscriber's public key and information
Data security
- Encryption keeps data safe even if it is stolen from storage or intercepted in transit
- Data at Rest: Data in persistent storage
- Data in Transit (or data in motion): Data being transmitted over a network
- Data in Use (or data in processing): Data in volatile memory
- Encrypting megabytes or gigabytes of data is referred to as "bulk" encryption
- Data Encryption in Bulk uses a symmetric cipher, such as AES
- Full-disk encryption (FDE) encrypts the entire disk
- Volume Encryption encrypts an entire volume (a disk, partition, or drive)
- File Encryption encrypts individual files or folders
- Transport/Communication Encryption secures data-in-motion
- Wi-Fi Protected Access (WPA) secures traffic over wireless networks
- Internet Protocol Security (IPSec) secures traffic between two endpoints
- Transport Layer Security (TLS) secures application data