Information Security Fundamentals

Questions and Answers

What is the primary goal of Risk Management?

• To implement security controls
• To eliminate all risks
• To make risks as small as possible (correct)
• To increase the probability of threats

What is the primary goal of Information Security?

• To ensure the availability of information systems
• To ensure the integrity of information
• To prevent unauthorized access to information
• To protect assets in order to achieve CIA (Confidentiality, Integrity, Availability) (correct)

What is an Incident in the context of security?

• The occurrence of a security violation (correct)
• A potential threat to security
• A weakness in the system design
• A mechanism to mitigate threats

What is the risk associated with a lack of confidentiality?

Loss of privacy, unauthorized access, identity theft (A)

What is the primary purpose of tracking vulnerabilities?

To mitigate potential security violations (B)

What is the term for the potential loss of an asset upon an incident?

Exposure Factor (D)

What is the purpose of audit logs?

To track security controls such as errors, login attempts, changes, etc. (C)

What is the primary method of ensuring the integrity of information?

Quality assurance and audit logs (C)

What is a common system used to track vulnerabilities?

Common Vulnerability Scoring System (C)

What is the term for an action or event that may potentially compromise security?

Threat (B)

What is the purpose of authentication?

To verify/prove a subject's claims to a given identity (A)

What is the primary purpose of authorization?

To grant an authenticated subject proper access rights to different assets (D)

What type of access control assigns security levels on users and resources?

Mandatory Access Control (A)

What is the risk associated with a lack of availability?

Business disruption, loss of customer confidence, loss of revenue (A)

Study Notes

Information Security

• Information Security is the process and methods of protecting assets to achieve CIA (Confidentiality, Integrity, Availability)
• CIA is crucial to protect print, electronic, or any other form of confidential, private, and sensitive information or data from unauthorized access

Confidentiality

• Confidentiality ensures that information is kept private and secure
• It assures that information is available only to those who have authorized access
• Risks associated with confidentiality: loss of privacy, unauthorized access, identity theft
• Controls to maintain confidentiality: encryption, authentication, access controls

Integrity

• Integrity ensures that information is not modified, deleted, or added without authorization
• It ensures the trustworthiness, accuracy, and completeness of the data
• Risks associated with integrity: unreliable/inaccurate information
• Controls to maintain integrity: quality assurance and audit logs

Availability

• Availability ensures that systems for processing, delivering, and storing information are accessible when required
• Risks associated with availability: business disruption, loss of customer confidence, and loss of revenue
• Controls to maintain availability: back-up storage and sufficient capacity

Triple A of InfoSec

• Authentication: process in which a subject attempts to verify/prove their claims to a given identity
• Three primary forms of authentication: what you have, who you are, and what you know
• Authorization: the act of granting an authenticated subject to their proper access rights to different assets
• Schemes of authorization: Mandatory Access Control, Discretionary Access Control, Role-based Access Control, and Attribute-based Access Control

Audit Trail

• Audit Trail tracks security controls such as errors, login attempts, changes, etc.
• Actions should be traceable to a specific subject for the information to be useful

Assets

• Assets are any tangible/intangible item with value to an organization
• Assets whose loss can cause a potential disruption to an organization

Vulnerabilities

• Vulnerabilities are weaknesses/flaws that may intentionally/unintentionally triggered, leading to violation of security policies
• Vulnerabilities may be present in inherent design or the actual system
• Current and existing vulnerability tracking systems: U.S. Computer Emergency Readiness Team, Common Vulnerability Scoring System, Common Vulnerabilities and Exposure

Threats, Impacts, Exposure Factor

• Threat: an action/event that may potentially compromise/violate security
• Incident: the occurrence upon realization of a violation of security
• Impact: the outcome of the incident
• Exposure Factor: potential loss of an asset upon an incident

Risk

• Risk: probability of a particular threat to occur because of a specific vulnerability
• Risk Management: process of reducing risks to acceptable levels
• Goal of risk management is to minimize risk, not eliminate it

Security Controls (Countermeasures)

• Security Controls: mechanisms to mitigate threats
• Improper implementation may lead to increased risks
• Groups of Security Controls: Technical, Administrative, and Physical

Description

Learn about the importance of information security and how to protect assets from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.