Security and Risk Management Fundamentals
12 Questions
Questions and Answers

What is the primary goal of defense in depth in security principles?

  • To delay an attacker's progress through multiple layers of defense (correct)
  • To provide a single, strong defense mechanism
  • To reduce the risk of a single point of failure
  • To eliminate all risks associated with a particular asset

What is the primary purpose of data classification in asset security?

  • To determine the level of sensitivity and confidentiality of data (correct)
  • To determine the level of encryption required for data
  • To determine the level of backup and archival required for data
  • To determine the level of access control required for data

What is the primary advantage of using asymmetric encryption over symmetric encryption in security engineering?

  • Asymmetric encryption is more suitable for large-scale data encryption
  • Asymmetric encryption is more vulnerable to brute-force attacks
  • Asymmetric encryption is more secure and provides better key exchange (correct)
  • Asymmetric encryption is faster and more efficient

What is the primary purpose of network segmentation in communication and network security?

  • To isolate and limit the attack surface in case of a breach (correct)

What is the primary advantage of using Role-Based Access Control (RBAC) in identity and access management?

  • RBAC is more secure and provides better access control (correct)

What is the primary purpose of Identity as a Service (IDaaS) in identity and access management?

  • To provide a cloud-based identity management solution (correct)

Which of the following is the primary goal of risk assessment in risk management?

  • Evaluating the likelihood and impact of identified risks (correct)

What is the primary difference between qualitative and quantitative risk analysis?

  • Qualitative analysis is subjective, while quantitative analysis is objective (correct)

Which of the following threat models is primarily used to identify threats to confidentiality, integrity, and availability?

  • STRIDE Threat Model (correct)

What is the primary purpose of a security policy in security and risk management?

  • To provide a high-level document outlining an organization's security objectives and requirements (correct)

What is the primary difference between a security policy and a security procedure?

  • A security policy is high-level, while a security procedure is detailed (correct)

What is the primary goal of compliance in security and risk management?

  • To adhere to laws, regulations, and industry standards (correct)

    Study Notes

    Security and Risk Management

    • Security Fundamentals:
      • Confidentiality, Integrity, and Availability (CIA) triad
      • Security principles: least privilege, separation of duties, defense in depth
      • Security models: Bell-LaPadula, Biba, Clark-Wilson
    • Risk Management:
      • Risk assessment: identifying, analyzing, and prioritizing risks
      • Risk treatment: acceptance, mitigation, transfer, avoidance
      • Risk monitoring and review
    • Security Policy and Procedures:
      • Security policies: organizational, issue-specific, and system-specific
      • Procedures: incident response, disaster recovery, business continuity

    Asset Security

    • Protecting Sensitive Assets:
      • Data classification: public, internal, confidential, top secret
      • Data handling: storage, transmission, and destruction
      • Asset management: inventory, classification, and control
    • Data Protection:
      • Encryption: symmetric, asymmetric, and hashing
      • Digital rights management (DRM)
      • Data loss prevention (DLP)
    • Physical Security:
      • Physical access control: doors, locks, and biometrics
      • Surveillance and monitoring
      • Environmental controls: temperature, humidity, and power

    Security Engineering

    • Security Models and Architectures:
      • Secure/Multics, Bell-LaPadula, and Biba models
      • Trusted Computer System Evaluation Criteria (TCSEC)
      • Common Criteria (CC) and Evaluation Assurance Level (EAL)
    • Cryptography:
      • Symmetric encryption: AES, DES, and Blowfish
      • Asymmetric encryption: RSA, elliptic curve, and Diffie-Hellman
      • Hash functions: SHA, MD5, and HMAC
    • Secure Design Principles:
      • Secure by design and default
      • Least privilege and separation of duties
      • Defense in depth and layered security

    Communication and Network Security

    • Network Fundamentals:
      • OSI and TCP/IP models
      • Network architectures: LAN, WAN, Wi-Fi, and Internet
      • Network protocols: HTTP, FTP, SSH, and DNS
    • Network Security:
      • Network access control: firewalls, intrusion detection, and access control lists
      • Network segmentation and isolation
      • Secure communication protocols: SSL/TLS, IPsec, and PPTP
    • Wireless Security:
      • Wireless network security: WEP, WPA, and WPA2
      • Wireless threats: rogue access points, eavesdropping, and jamming

    Identity and Access Management

    • Identity Management:
      • Identity types: users, groups, and roles
      • Identity authentication: passwords, biometrics, and smart cards
      • Identity authorization: access control, permissions, and privileges
    • Access Control:
      • Access control models: MAC, DAC, and RBAC
      • Access control mechanisms: authentication, authorization, and accounting
      • Access control protocols: Kerberos, RADIUS, and TACACS+
    • Identity as a Service (IDaaS):
      • Cloud-based identity management
      • Identity federation and single sign-on (SSO)

    Security Fundamentals

    • Confidentiality, Integrity, and Availability (CIA) triad ensures data protection
    • Security principles:
      • Least privilege: limiting access to necessary resources
      • Separation of duties: dividing tasks to prevent misuse
      • Defense in depth: multiple layers of security
    • Security models:
      • Bell-LaPadula: access control and confidentiality
      • Biba: integrity and availability
      • Clark-Wilson: integrity and separation of duties

    Risk Management

    • Risk assessment:
      • Identifying potential risks
      • Analyzing likelihood and impact
      • Prioritizing risks
    • Risk treatment:
      • Acceptance: taking no action
      • Mitigation: reducing risk
      • Transfer: sharing risk with others
      • Avoidance: eliminating risk
    • Risk monitoring and review: continuous evaluation and improvement

    Security Policy and Procedures

    • Security policies:
      • Organizational: company-wide policies
      • Issue-specific: addressing specific security concerns
      • System-specific: security policies for individual systems
    • Procedures:
      • Incident response: responding to security breaches
      • Disaster recovery: restoring systems after disasters
      • Business continuity: maintaining business operations during disasters

    Asset Security

    Protecting Sensitive Assets

    • Data classification:
      • Public: unrestricted access
      • Internal: limited access
      • Confidential: restricted access
      • Top secret: highly restricted access
    • Data handling:
      • Storage: secure data storage
      • Transmission: secure data transfer
      • Destruction: secure data disposal
    • Asset management:
      • Inventory: tracking assets
      • Classification: categorizing assets
      • Control: controlling access to assets

    Data Protection

    • Encryption:
      • Symmetric: same key for encryption and decryption
      • Asymmetric: different keys for encryption and decryption
      • Hashing: one-way encryption for data integrity
    • Digital rights management (DRM): controlling access to digital content
    • Data loss prevention (DLP): detecting and preventing data breaches

    Physical Security

    • Physical access control:
      • Doors: controlling physical access
      • Locks: securing physical access
      • Biometrics: authentication through physical characteristics
    • Surveillance and monitoring: monitoring physical environments
    • Environmental controls:
      • Temperature: controlling temperature
      • Humidity: controlling humidity
      • Power: controlling power supply

    Security Engineering

    Security Models and Architectures

    • Secure/Multics model: access control and confidentiality
    • Bell-LaPadula model: access control and confidentiality
    • Biba model: integrity and availability
    • TCSEC: Trusted Computer System Evaluation Criteria
    • Common Criteria (CC) and Evaluation Assurance Level (EAL): evaluating security

    Cryptography

    • Symmetric encryption:
      • AES: Advanced Encryption Standard
      • DES: Data Encryption Standard
      • Blowfish: symmetric encryption algorithm
    • Asymmetric encryption:
      • RSA: asymmetric encryption algorithm
      • Elliptic curve: asymmetric encryption algorithm
      • Diffie-Hellman: key exchange algorithm
    • Hash functions:
      • SHA: Secure Hash Algorithm
      • MD5: Message-Digest Algorithm 5
      • HMAC: Keyed-Hash Message Authentication Code

    Secure Design Principles

    • Secure by design and default:
      • Designing systems with security in mind
      • Default security settings
    • Least privilege and separation of duties:
      • Limiting access to necessary resources
      • Dividing tasks to prevent misuse
    • Defense in depth and layered security:
      • Multiple layers of security
      • Redundancy and fail-safes

    Communication and Network Security

    Network Fundamentals

    • OSI and TCP/IP models: network communication protocols
    • Network architectures:
      • LAN: Local Area Network
      • WAN: Wide Area Network
      • Wi-Fi: Wireless Fidelity
      • Internet: global network
    • Network protocols:
      • HTTP: Hypertext Transfer Protocol
      • FTP: File Transfer Protocol
      • SSH: Secure Shell
      • DNS: Domain Name System

    Network Security

    • Network access control:
      • Firewalls: controlling network access
      • Intrusion detection: detecting unauthorized access
      • Access control lists: controlling access to network resources
    • Network segmentation and isolation:
      • Segmenting networks for security
      • Isolating networks for security
    • Secure communication protocols:
      • SSL/TLS: Secure Sockets Layer/Transport Layer Security
      • IPsec: Internet Protocol Security
      • PPTP: Point-to-Point Tunneling Protocol

    Wireless Security

    • Wireless network security:
      • WEP: Wired Equivalent Privacy
      • WPA: Wi-Fi Protected Access
      • WPA2: Wi-Fi Protected Access 2
    • Wireless threats:
      • Rogue access points: unauthorized access points
      • Eavesdropping: intercepting wireless transmissions
      • Jamming: disrupting wireless communications

    Identity and Access Management

    Identity Management

    • Identity types:
      • Users: individual identities
      • Groups: collections of users
      • Roles: predefined identities
    • Identity authentication:
      • Passwords: password-based authentication
      • Biometrics: authentication through physical characteristics
      • Smart cards: authentication through smart cards
    • Identity authorization:
      • Access control: controlling access to resources
      • Permissions: controlling access to resources
      • Privileges: controlling access to resources

    Access Control

    • Access control models:
      • MAC: Mandatory Access Control
      • DAC: Discretionary Access Control
      • RBAC: Role-Based Access Control
    • Access control mechanisms:
      • Authentication: verifying identities
      • Authorization: controlling access to resources
      • Accounting: tracking access to resources
    • Access control protocols:
      • Kerberos: authentication protocol
      • RADIUS: Remote Authentication Dial-In User Service
      • TACACS+: Terminal Access Controller Access-Control System Plus

    Identity as a Service (IDaaS)

    • Cloud-based identity management:
      • Cloud-based identity services
    • Identity federation and single sign-on (SSO):
      • Federating identities across organizations
      • Single sign-on for multiple systems

    Security Fundamentals

    • Confidentiality, Integrity, and Availability (CIA Triad) are fundamental principles of information security.
    • Confidentiality protects sensitive information from unauthorized access.
    • Integrity ensures data accuracy and completeness.
    • Availability ensures timely and reliable access to data and systems.

    Risk Management

    • The Risk Management Process involves four stages: Risk Identification, Risk Assessment, Risk Mitigation, and Risk Monitoring.
    • Risk Identification involves identifying potential risks and threats.
    • Risk Assessment evaluates the likelihood and impact of identified risks.
    • Risk Mitigation implements controls to reduce risk.
    • Risk Monitoring involves ongoing monitoring and review of the risk management process.

    Risk Analysis

    • Qualitative Risk Analysis involves a subjective evaluation of risk likelihood and impact.
    • Quantitative Risk Analysis involves an objective evaluation of risk using numerical values.

    Threat Modeling

    • Threat Modeling involves identifying and evaluating potential threats to an organization.
    • The STRIDE Threat Model identifies threats to confidentiality, integrity, and availability.
    • The DREAD Threat Model evaluates threat likelihood and impact.

    Security Policies and Procedures

    • A Security Policy is a high-level document outlining an organization's security objectives and requirements.
    • Security Procedures are detailed, step-by-step guides for implementing security policies.
    • Standards and Guidelines are specific, mandatory requirements for security controls and procedures.

    Compliance and Regulations

    • Compliance involves adhering to laws, regulations, and industry standards.
    • Regulatory Requirements involve meeting specific legal and regulatory obligations (e.g. HIPAA, PCI-DSS).
    • Audit and Compliance involve ensuring adherence to regulations and standards through regular audits and assessments.

    Quiz Team

    Description

    Test your knowledge of security fundamentals, risk management, and security policies. Learn about confidentiality, integrity, and availability, risk assessment, and security models.
