Chapter 1 - Security Principles

C1M1

PII - Personally identifiable information - any data stored on an individual that could be used to identify them
PHI - Protected health information - information regarding one's health status
GDPR - General Data Protection Regulation
Availability - (1) timely and reliable access to information and the ability to use it, and (2) for authorized users, timely and reliable access to data and information services
Single-factor authentication (SFA) - authentication that relies on only one factor (something you know, something you have or something you are)
Knowledge-based authentication - uses a passphrase or secret code (such as a PIN) to differentiate between an authorized and an unauthorized user
Non-repudiation - a legal term; the protection against an individual falsely denying having performed a particular action
Privacy - the right of an individual to control the distribution of information about themselves
Integrity - the property that data has not been altered in an unauthorized manner

C1M2

Asset - something in need of protection
Vulnerability - a gap or weakness in those protection efforts
Threat - something or someone that aims to exploit a vulnerability to thwart protection efforts
Takeaways to remember about risk identification: identify risk to communicate it clearly; employees at all levels of the organization are responsible for identifying risk; identify risk to protect against it
Risk assessment - the process of identifying, estimating and prioritizing risks to an organization's operations (including its mission, functions, image and reputation), assets, individuals and other organizations
Risk treatment - making decisions about the best actions to take regarding the identified and prioritized risk
Risk tolerance - the level of risk an entity is willing to assume in order to achieve a potential desired result
Transference - passing a risk to a third party

C1M3

Security controls - the physical, technical and administrative mechanisms that act as safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information
Administrative control - instructions such as an acceptable use policy, emergency operations procedures, employee awareness training
Physical control - tangible objects that physically control where people can be, such as a badge reader, a stop sign in the parking lot, a door lock, a security guard
Technical control - rules enforced by technology, such as an access control list, antivirus, a firewall

C1M4

Procedures - the detailed steps to complete a task that support departmental or organizational policies
Policies - put in place by management to provide guidance in all activities, to ensure that the organization supports industry standards and regulations
Standards - often used by governance teams (not to be confused with the government) to provide a framework to introduce policies and procedures in support of regulations
Regulations - commonly issued in the form of laws, usually from the government (not to be confused with governance), and typically carry financial penalties for noncompliance

Chapter 2 - Incident Response, Business Continuity and Disaster Recovery Concepts

C2M1

Breach - the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence
Event - any observable occurrence in a network or system
Exploit - a particular attack; named this way because these attacks exploit system vulnerabilities
Incident - an event that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system
Intrusion - a security event where an intruder attempts to gain, or gains, access to a system or resource without authorization
Threat - any circumstance or event with the potential to adversely impact organizational operations
Vulnerability - a weakness in an information system or in system security procedures
Zero day - a previously unknown system vulnerability with the potential of exploitation (no patch exists yet)
Steps of an incident response plan (the course stresses these three; the NIST lifecycle later in these notes adds Eradication, Recovery and Post-Incident Activity):
1. Preparation - develop a policy approved by management, identify points of failure, train staff, identify roles and responsibilities
2. Detection and Analysis - monitor all possible points of attack, standardize incident documentation
3. Containment - gather evidence, choose an appropriate containment strategy, identify the attacker, isolate the attack
Security Operations Center (SOC) - a team that monitors the network and/or systems of a business to resolve issues before they become disruptions

C2M2

Business Impact Analysis (BIA) - an analysis of a system's functions and dependencies, used to characterize system contingency requirements and priorities in the event of a significant disruption

Chapter 3 - Access Control Concepts

C3M1

Security control - a safeguard or countermeasure designed to preserve the confidentiality, integrity and availability of data
Subjects - an individual, process or device that requests access to assets or services. Subjects have a level of clearance/permission that relates to their ability to access assets or services; when a subject requests access to a resource it is 'active'
Objects - anything that a subject attempts to access (such as a device, process, person, user, program, server or client); objects are passive
Rules - an instruction developed to allow or deny access to an object by comparing the validated identity of the subject to an access control list. One example of a rule is a firewall access control list entry
Layered defense - the use of multiple controls in series to protect an asset; also called defense in depth. Example question: "Which of the following strategies integrates people, technology and operational capabilities to establish variable barriers across multiple layers and missions of the organization?" Answer: defense in depth (a layered defense)
Layers: Assets > Administrative Controls > Logical/Technical Controls > Physical Controls
Least privilege - each user is granted access only to the items they need and nothing more
User provisioning - the process of creating, maintaining and deactivating user identities
Examples of a regular user account - part-time employee, remote employee, full-time employee, temporary employee
A privileged user account - has access to servers and other infrastructure devices; should require MFA; uses the most stringent access control; has the highest level of logging; often has the ability to create users and assign permissions

C3M3

LAC (Logical access controls) - electronic methods that limit someone from getting access to systems, such as passwords, biometrics, badges, etc.
DAC (Discretionary access control) - the owner of an object can determine who is authorized to have access to the object
MAC (Mandatory access control) - a policy enforced by the system across all objects and subjects, based on labels on objects and clearances of subjects; neither the owner nor the subject can change it, only system administrators set the labels
RBAC (Role-based access control) - access is based on roles that are assigned to users; permissions attach to the role, not the person
RUBAC (Rule-based access control) - manages access to areas, devices or databases according to a set of rules or access permissions, regardless of the subject's role in the organization (like a firewall)
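To make the four models concrete, the following added example (not from the course material) implements one access decision function per model over constructed subjects, objects, roles and rules. Everything in it (the subject names, the "payroll.db" object, the clearance levels, the hypothetical role table and firewall rules) is invented for illustration. It shows what the definitions above mean operationally: in DAC only the owner can change the ACL, in MAC the system compares labels and ignores the owner, in RBAC the permission lives on the role, and in rule-based control the subject's identity and role are never consulted.

```python
"""Tiny policy engine contrasting DAC, MAC, RBAC and rule-based access control.
Added illustration; subjects, objects, roles and rules are constructed, not real."""
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str = "public"
    roles: set = field(default_factory=set)
    ip: str = "10.0.0.1"


@dataclass
class Obj:
    name: str
    owner: str
    label: str = "public"
    acl: dict = field(default_factory=dict)  # DAC: {subject: {"read", "write"}}, set by owner


def dac_allows(subject, obj, action):
    """Discretionary: the owner always has access; others only if the owner's ACL says so."""
    if subject.name == obj.owner:
        return True
    return action in obj.acl.get(subject.name, set())


def dac_grant(granter, obj, grantee, action):
    """Only the owner may change the ACL; that is what makes the model discretionary."""
    if granter.name != obj.owner:
        raise PermissionError(f"{granter.name} does not own {obj.name}")
    obj.acl.setdefault(grantee, set()).add(action)


def mac_allows(subject, obj, action):
    """Mandatory (Bell-LaPadula style confidentiality): no read up, no write down.
    Neither the owner nor the subject can change labels; the system enforces them."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


# Hypothetical role table: permissions hang off roles, users only get roles.
ROLE_PERMS = {
    "hr": {("payroll.db", "read"), ("payroll.db", "write")},
    "auditor": {("payroll.db", "read"), ("audit.log", "read")},
}


def rbac_allows(subject, obj, action):
    """Role-based: swap the user, keep the role, and the decision stays the same."""
    return any((obj.name, action) in ROLE_PERMS.get(r, set()) for r in subject.roles)


# Constructed firewall-style rule set, evaluated first match wins.
FIREWALL_RULES = [
    {"src": "10.0.0.", "dst": "payroll.db", "action": "allow"},
    {"src": "", "dst": "payroll.db", "action": "deny"},  # empty prefix matches any source
]


def rule_allows(subject, obj, action):
    """Rule-based: decided by the rule set alone, not by who the subject is or what role they hold."""
    for rule in FIREWALL_RULES:
        if subject.ip.startswith(rule["src"]) and obj.name == rule["dst"]:
            return rule["action"] == "allow"
    return False
```

Note that the same request (bob reading payroll.db) gets a different answer under each model, which is exactly why the exam asks you to identify the model from the wording of the question.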

Chapter 4 - Network Security

C4M1

OSI Model - Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)
Important ports: 21 - FTP; 23 - Telnet; 25 - SMTP; 53 - DNS; 80 - HTTP; 123 - NTP (port 37 is the older Time protocol, not NTP); 143 - IMAP; 161/162 - SNMP; 389 - LDAP; 445 - SMB

C4M2

Intrusion Detection System (IDS) - automates the inspection of logs and real-time system events to detect intrusion attempts and system failures; an IDS alerts, it does not block
Host-based Intrusion Detection System (HIDS) - monitors activity on a single computer, including process calls and information recorded in system, application, security and host-based firewall logs
Network Intrusion Detection System (NIDS) - monitors and evaluates network activity to detect attacks or event anomalies. It cannot inspect the content of encrypted traffic but can monitor other packet details (addresses, ports, sizes, timing)
Security Information and Event Management (SIEM) - tools that collect information about the IT environment from many disparate sources to better examine the overall security of the organization and streamline security efforts
Identify threats - IDS, NIDS, SIEM, scans
Identify and prevent - HIDS, antivirus, firewall, IPS (NIPS/HIPS); an IPS sits inline and can drop traffic, which is what distinguishes it from an IDS
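The detection side of this is easier to see on real-looking input. The following added example (mine, not from the course) runs HIDS/SIEM-style logic over a handful of constructed OpenSSH-format log lines: it counts failed logins per source inside a sliding window and raises a medium alert on a brute-force pattern, then escalates to high if the same source subsequently logs a successful login. The log lines, hostnames, addresses and thresholds are all constructed for the illustration.

```python
"""HIDS/SIEM-style brute-force detection over constructed sshd log lines (added example).
The lines follow the usual OpenSSH syslog layout but are invented, not captured."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one noisy source that eventually gets in, one normal user.
SAMPLE_LOG = """\
Mar  4 10:01:02 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  4 10:01:03 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  4 10:01:05 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  4 10:01:06 web1 sshd[2214]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  4 10:01:08 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  4 10:01:09 web1 sshd[2216]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Mar  4 10:07:00 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  4 10:09:00 web1 sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse(line, year=2024):
    """Turn one syslog line into an event dict, or None if it is not an auth result."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source produces `threshold` failures inside `window`; escalate if the
    same source then logs a successful login (the credential was probably guessed)."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"], "medium"))
        elif ev["src"] in flagged:
            alerts.append(("success_after_brute_force", ev["src"], "high"))
    return alerts
```

A NIDS would build the same kind of count from connection metadata instead of log text; a SIEM is where the host view and the network view get correlated, which is why the "success after failures" escalation belongs there rather than in any single sensor.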

C4M3

Memorandum of Understanding (MOU) / Memorandum of Agreement (MOA) - some organizations seeking to minimize downtime and enhance BC (Business Continuity) and DR (Disaster Recovery) capabilities create agreements with other, similar organizations. They agree that if one of the parties experiences an emergency and cannot operate within its own facility, the other party will share its resources and let it operate within theirs in order to maintain critical functions
Managed service provider (MSP) - a company that manages information technology assets for another company
Service-Level Agreement (SLA) - documents specific parameters, minimum service levels and remedies for any failure to meet the specified requirements of a service provider (a cloud provider is the common exam example)
Zero trust networks - microsegmented networks with firewalls at nearly every connecting point; no request is trusted because of where it comes from on the network, each one is authenticated and authorized

Chapter 5 - Security Operations

C5M1

Data lifecycle - all ideas, data, information or knowledge can be thought of as going through six major sets of activities throughout their lifetime: Create, Store, Use, Share, Archive, Destroy
Classification - classifications dictate rules and restrictions about how that information can be used, stored or shared with others
Labeling - part of implementing controls to protect classified information; the higher the level, the greater the presumed harm to the organization, and thus the greater security protection the data asset requires:
  Highly restricted - compromise of data with this sensitivity label could possibly put the organization's future existence at risk. Compromise could lead to substantial loss of life, injury or property damage, and the litigation and claims that would follow
  Moderately restricted - compromise of data with this sensitivity label could lead to loss of temporary competitive advantage, loss of revenue or disruption of planned investments or activities
  Low sensitivity (sometimes called "internal use only") - compromise of data with this sensitivity label could cause minor disruptions, delays or impacts
  Unrestricted public data - as this data is already published, no harm can come from further dissemination or disclosure
Retention - information and data should be kept only for as long as it is beneficial, no more and no less
Destruction - data that might be left on media after deleting is known as remanence
Audits - a way to measure compliance with policy; they do not normally influence the retention policy itself. Organizations must maintain adherence to the retention policy for logs as prescribed by law, regulations and corporate governance

C5M2

Configuration management - a process used to ensure that only approved changes become part of a configuration
Identification - identification of a system and all its components, interfaces and documentation
Baseline - a minimum level of protection that can be used as a reference point
Change control - the process for requesting changes to a baseline, by means of making changes to one or more components
Verification and audit - a validation process, which may involve testing and analysis, to verify that nothing in the system was broken by a newly applied set of changes
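The four activities above map neatly onto a hash manifest. This added example (mine, not part of the course notes) builds a baseline of file digests (identification), refuses a change that has no approved request behind it (change control), and then reports modified, missing and unexpected files against the baseline (verification and audit). The directory, its "sshd_config" and "hosts" contents, and the `approved_changes` set standing in for a change-ticket system are all constructed for the demonstration.

```python
"""Baseline / verification-and-audit check for configuration management (added example).
Files and paths are created in a temporary directory; nothing here reads a real system."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Identification: every tracked component gets a recorded digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Verification and audit: classify each file as modified, missing or unexpected."""
    current = build_baseline(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    report["unexpected"] = [rel for rel in current if rel not in baseline]
    return report


def apply_change(root, rel, content, approved_changes):
    """Change control: a change lands only if an approved request covers that file.
    `approved_changes` is a constructed stand-in for the change-ticket system."""
    if rel not in approved_changes:
        raise PermissionError(f"no approved change for {rel}")
    with open(os.path.join(root, rel), "w") as f:
        f.write(content)


def demo():
    """Build a baseline, block an unapproved change, then detect drift made behind its back."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")
    with open(os.path.join(root, "etc", "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")
    baseline = build_baseline(root)
    assert verify(root, baseline) == {"modified": [], "missing": [], "unexpected": []}
    try:  # unapproved change: rejected by change control, file untouched
        apply_change(root, "etc/sshd_config", "PermitRootLogin yes\n", approved_changes=set())
    except PermissionError:
        pass
    # Someone edits the file directly, deletes another and drops a new one: drift.
    with open(os.path.join(root, "etc", "sshd_config"), "a") as f:
        f.write("PermitRootLogin yes\n")
    os.remove(os.path.join(root, "etc", "hosts"))
    with open(os.path.join(root, "etc", "backdoor.sh"), "w") as f:
        f.write("#!/bin/sh\n")
    return verify(root, baseline)
```

The point of the audit step is that the baseline is kept somewhere the change path cannot reach; if the manifest lived on the same host with the same permissions, the direct edit above could update it too.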

C5M3

Request for change (RFC) - the first stage of change management
Approval for change - evaluate RFCs for completeness and assign them to the proper change authorization process

Additional Business Continuity Concepts

Recovery sites, from least to most ready:
Cold site - the facility is prepared (essentially an empty building with power and connectivity); equipment and data must be brought in
Warm site - equipment is prepared; systems still need to be configured and data restored
Hot site - servers, software and facilities are ready; data still has to be loaded before operations resume
Mirror site - highest availability; everything a hot site has plus the data, kept continuously replicated
MTD (Maximum tolerable downtime) - the total amount of downtime that can occur without causing significant harm to the organization's mission
RTO (Recovery time objective) - the planned recovery time for a process or system, which must be shorter than the business process's maximum tolerable downtime
RPO (Recovery point objective) - the maximum targeted period in which data can be lost without severely impacting the recovery of operations (it sets how often backups must be taken)
BCP (Business Continuity Plan) process:
1. Develop the contingency planning policy
2. Conduct the business impact analysis (BIA)
3. Identify preventive controls
4. Create contingency strategies
5. Develop an information system contingency plan
6. Ensure plan testing, training and exercises
7. Ensure plan maintenance
CBK (Common Body of Knowledge) based incident response:
1. Detection (by tool or person)
2. Response: confirm and set priority
3. Mitigation: fix temporarily (such as removing the system from the network)
4. Reporting (to management)
5. Recovery (repair damage)
6. Remediation (understand what happened and fix the cause)
7. Lessons learned (to prevent it from happening again in the future)
NIST (National Institute of Standards and Technology, SP 800-61) incident response lifecycle, mapped to the CBK steps above:
Preparation
Detection and Analysis (CBK steps 1-2)
Containment (CBK steps 3-4)
Eradication and Recovery (CBK steps 5-6)
Post-Incident Activity (CBK step 7)
Example: Alice is an information security manager in the organization. Her team received an incident ticket from the operations team about one system that is infected with a virus. What is the first step the team takes to handle this situation? Steps, in order:
1. Confirm and validate all details associated with the ticket (this is the first step)
2. Report to senior management if it is critical
3. Disconnect the impacted system from the production network
4. Find the root cause
Example: What is the most important parameter to consider while categorizing and prioritizing an incident? a. {Impact and criticality} b. Confidentiality and integrity c. Sensitivity and availability d. Authenticity and visibility
A network admin has purchased two devices that will act as failovers for each other. Which of the following concepts does this BEST illustrate? a. Authentication b. Integrity c. Confidentiality d. {Availability}
A security professional has just finished the Business Impact Analysis (BIA) for their company. What would the next step be for the professional? a. Prepare the policy and publish it on the website b. Select and form the team c. {Prepare and select the recovery strategy} d. Test the plan
What is the true statement regarding the primary difference between a mirrored site and a hot site? A mirror site has everything that a hot site has (building, servers, facilities) but also includes the data

Additional Access Control Concepts

Which access control model has very limited user functionality, requires a lot of administrative overhead, is very expensive, and is not user friendly? a. {MAC} b. DAC c. RBAC d. RUBAC
Which type of access control model is best suited for high security environments? a. {MAC} b. DAC c. RBAC d. RUBAC
~ Wording used in questions | Answer ~
Owner / user centric / ACL (Access Control List) | DAC (Discretionary Access Control)
Flexible to the user / less administrative overhead | DAC (Discretionary Access Control)
Government / clearance / label / NDAC (Non-Discretionary Access Control) / strict access control | MAC (Mandatory Access Control)
User job roles / best system for high employee turnover | RBAC (Role Based Access Control)
Separation of duties - the objective is to ensure that no single individual can compromise a system; for example, person 1 can create a bill, person 2 can sign the bill, and person 3 can approve the bill
Authentication factors: something you know (password); something you have (keycard); something you are (biometric)
Biometrics - better to have a higher FRR than FAR: a false rejection inconveniences a legitimate user, a false acceptance lets an impostor in
False Acceptance Rate (FAR) - the rate at which the system falsely accepts the wrong biometrics
False Rejection Rate (FRR) - the rate at which the system falsely rejects the correct biometrics
CPTED (Crime prevention through environmental design) - suggests that the design of buildings, landscaping and outdoor environments can either encourage or discourage crime
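FAR and FRR are two sides of one threshold, and the "prefer a higher FRR" advice is a statement about where to put that threshold. This added example (mine, not from the course) computes both rates from two constructed lists of matcher scores (genuine attempts and impostor attempts, on a made-up 0..100 scale), sweeps the threshold, and picks the security-first threshold that caps FAR at a target. It also reports the crossover point where the two rates are equal, a standard companion figure (the crossover error rate) that the notes above do not mention.

```python
"""FAR / FRR trade-off for a biometric matcher (added example).
Scores are constructed similarity scores on a 0..100 scale: genuine = the enrolled person,
impostor = someone else presenting to that template."""

GENUINE = [92, 88, 85, 81, 79, 70, 62, 55, 48, 40]   # constructed genuine-attempt scores
IMPOSTOR = [68, 60, 52, 47, 44, 40, 38, 35, 30, 25]  # constructed impostor-attempt scores


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept when score >= threshold.
    FAR = impostors wrongly accepted / impostors; FRR = genuine users wrongly rejected / genuine."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(step=5, lo=0, hi=100):
    """(threshold, FAR, FRR) for every candidate threshold; raising it lowers FAR and raises FRR."""
    return [(t, *rates(t)) for t in range(lo, hi + 1, step)]


def choose_threshold(max_far):
    """Security-first choice: the lowest threshold whose FAR is at most max_far, accepting
    whatever FRR that costs (the notes' preference for a higher FRR over a higher FAR)."""
    for t, far, frr in sweep(step=1):
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR target")


def crossover():
    """Threshold where FAR and FRR are closest (the crossover error rate, CER)."""
    return min(sweep(step=1), key=lambda r: abs(r[1] - r[2]))
```

With these constructed scores the crossover sits at a threshold of 53 with both rates at 20%; demanding zero false acceptances pushes the threshold to 69 and rejects 40% of genuine attempts, which is the cost the "higher FRR" guidance is asking you to accept.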

Additional Network Security Concepts

Authentication methods
PAP (Password Authentication Protocol) - used over PPP (point-to-point) links; sends the username and password in clear text
CHAP (Challenge Handshake Authentication Protocol) - the server sends a random challenge (a nonce); the client replies with a hash of the shared secret combined with that challenge, so the password itself never crosses the link and a captured response cannot be replayed against a new challenge (PAP but more secure)
EAP (Extensible Authentication Protocol) - an authentication framework rather than a single method, used primarily in wireless networks to securely send and receive information using different methods (used in multi-vendor environments; more scalable)
RADIUS (Remote Authentication Dial-In User Service) - a networking protocol that provides centralized authentication, authorization and accounting management for users who connect to and use a network service
CASB (Cloud Access Security Broker) - a security policy enforcement point positioned between enterprise users and cloud service providers
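The CHAP exchange is short enough to simulate end to end. The following added example (mine, not from the course) implements both sides as RFC 1994 describes them: the response is MD5 over identifier || secret || challenge, the authenticator issues a fresh random challenge per attempt and accepts a given response only once, and a replay of a captured response against a new challenge fails. The shared secret, the peer name "alice" and the class names are constructed for the demonstration.

```python
"""CHAP challenge/response per RFC 1994 (added example, both sides simulated).
Response = MD5(identifier || secret || challenge). The secret below is constructed."""
import hashlib
import hmac
import os

SECRET = b"correct horse battery staple"  # constructed shared secret; never sent on the wire


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The one-octet identifier binds the response to this exchange; the challenge is the nonce."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues a fresh random challenge per attempt and checks the response."""

    def __init__(self, secrets):
        self.secrets = secrets  # name -> shared secret
        self.pending = {}       # identifier -> outstanding challenge

    def challenge(self, identifier: int, size: int = 16) -> bytes:
        chal = os.urandom(size)  # random, unpredictable, single use
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)  # pop: each challenge is answered once
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Peer:
    """Client side: proves knowledge of the secret without transmitting it."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(captured=None):
    """One full CHAP exchange; `captured` collects what an eavesdropper on the link sees."""
    auth = Authenticator({"alice": SECRET})
    peer = Peer("alice", SECRET)
    ident = 1
    chal = auth.challenge(ident)              # Challenge packet
    name, resp = peer.respond(ident, chal)    # Response packet
    if captured is not None:
        captured.append((ident, chal, name, resp))
    return auth.verify(ident, name, resp)     # Success or Failure packet


def replay_attack():
    """Eavesdropper replays a captured response against a new session: new nonce, so it fails."""
    wire = []
    assert run_exchange(wire)
    ident, _, name, resp = wire[0]
    auth = Authenticator({"alice": SECRET})
    auth.challenge(ident)
    return auth.verify(ident, name, resp)
```

Two practical caveats follow directly from the code: the eavesdropper does see the challenge and the response, so a weak secret can be recovered by offline guessing against that pair, and both sides must store the secret in a recoverable form rather than as a one-way password hash. CHAP resists replay, not dictionary attacks.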

Example Questions {Correct answer}

What type of cryptosystem is Prabh using whereby data is encrypted by the sender using the recipient's public key, and decrypted using the recipient's private key? a. {Asymmetric (public + private key) encryption} b. Symmetric (public key) encryption
note: symmetric encryption is faster; asymmetric encryption is used where the parties share no prior secret, because the public key can be distributed openly. Examples: symmetric encryption is used in password-protected ZIP files; asymmetric encryption is used for secure messaging such as email
What is a major issue with symmetric key encryption? a. It is slower than asymmetric key encryption b. Algorithms are kept proprietary c. {Lack of a secure way to share the secret key} d. Work factor (how long it takes to crack the key) is not mapped to key size
note: the same secret key has to reach the other party somehow; if that delivery is intercepted the attacker can decrypt everything that key protects
Which key is used to create a digital signature? a. The receiver's private key b. {The sender's private key} c. The receiver's public key d. The sender's public key
note: a private key never leaves its owner; anyone can check the signature with the sender's public key
Prabh is sending Rakesh an encrypted message using a symmetric encryption algorithm. What key should he use to encrypt the message? a. Prabh's public key b. Prabh's private key c. Rakesh's public key d. {Shared secret key}
note: a shared secret key is essentially a password that both parties hold, exchanged by some other means, and the same key decrypts the data
Which of the following is considered to be the most secure hashing algorithm? a. MD5 b. {SHA} c. AES d. RSA
note: AES is a symmetric cipher and RSA an asymmetric algorithm, so neither is a hash; of the two hashes, MD5 produces a 128-bit digest and has practical collision attacks, while the SHA-2 family (for example SHA-256) produces a larger digest and has no practical attacks, so it is harder to brute force and more secure
From an information security perspective, information that no longer supports the main purpose of the business should be? a. Protected under the risk assessment b. {Reviewed under the retention policy} c. Reviewed under the access policy d. Reviewed under the classification policy
Making an organizational culture that prioritizes information security starts with: a. Implementing stronger controls b. Conducting periodic awareness training c. Actively monitoring operations d. {Gaining the endorsement of executive management}
note: gaining the support of executive management is the most important part, because without executive management prioritizing information security the other three answers are not possible
Which is the most effective way to mitigate phishing attacks in the enterprise? a. Installing AV (antivirus) b. Installing MFA (multi-factor authentication) c. {Improve user awareness} d. Encryption
Which of the following is the most important to consider while protecting assets? a. {Value and risk} b. Security and risk c. Market and reputation d. Vulnerabilities vs risk
Which of the following is the most critical for patch management, configuration management and risk management for the overall security posture of an enterprise? a. {Inventories} b. Incident management c. Identity and access d. Strong authentication
note: without inventories, the other three answers are irrelevant, since you cannot patch, configure or assess what you do not know you have
What is the most effective practice by which we maintain system integrity throughout the organization in a dynamic environment? a. {Change management} b. Incident management c. Patch management d. Release management
note: change management ensures only authorized changes take effect in a system
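The four crypto questions above all come down to "which key does what". The following added example (mine, not from the course) makes that concrete with textbook RSA on tiny fixed primes: encrypt with the recipient's public key and only the recipient's private key recovers the plaintext; sign with the sender's private key and anyone verifies with the sender's public key; and MD5 versus SHA-256 digest sizes for the hashing question. The primes (the well-known 61 and 53 pair plus a second pair for the sender), the message and the names are constructed. This is deliberately unpadded, 12-bit RSA for illustration only; real systems use vetted libraries with RSA-OAEP/PSS or elliptic curves.

```python
"""Which key does what: textbook RSA with tiny fixed primes (added example, NOT secure:
no padding, 12-bit modulus). Primes and messages are constructed for illustration."""
import hashlib


def keygen(p=61, q=53, e=17):
    """Returns (public, private) = ((e, n), (d, n)). Toy primes; real keys are 2048+ bits."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(m, public):
    """Sender encrypts with the RECIPIENT's public key."""
    e, n = public
    assert 0 <= m < n, "toy modulus: message must be smaller than n"
    return pow(m, e, n)


def rsa_decrypt(c, private):
    """Only the recipient's private key undoes the encryption."""
    d, n = private
    return pow(c, d, n)


def digest_int(msg: bytes, n: int) -> int:
    """Hash the message, then reduce to fit the toy modulus (real schemes pad instead)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, private):
    """Sender signs with the SENDER's private key (the exam answer)."""
    d, n = private
    return pow(digest_int(msg, n), d, n)


def verify(msg: bytes, sig: int, public) -> bool:
    """Anyone verifies with the sender's public key; a changed message changes the digest."""
    e, n = public
    return pow(sig, e, n) == digest_int(msg, n)


def demo():
    """Run the encrypt/decrypt and sign/verify round trips and report the hash sizes."""
    rakesh_pub, rakesh_priv = keygen()                  # recipient's key pair
    prabh_pub, prabh_priv = keygen(p=71, q=67, e=17)    # sender's key pair (different primes)
    m = 65                                              # constructed plaintext (an integer < n)
    c = rsa_encrypt(m, rakesh_pub)
    msg = b"pay 100 to bob"                             # constructed message to sign
    s = sign(msg, prabh_priv)
    return {
        "ciphertext": c,
        "recovered": rsa_decrypt(c, rakesh_priv),
        "sig_ok": verify(msg, s, prabh_pub),
        "tampered_ok": verify(b"pay 900 to bob", s, prabh_pub),
        "md5_bits": len(hashlib.md5(msg).digest()) * 8,
        "sha256_bits": len(hashlib.sha256(msg).digest()) * 8,
    }
```

Note what is absent: the symmetric question's "shared secret key" never appears here because there is none; the whole reason to pay the asymmetric speed cost is that Prabh and Rakesh can start from nothing but each other's public keys.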