C836 EXAM AND REVIEW UPDATED 2022/2023 CHAPTER 1 TO chapter 6
CHAPTER 1
Define the confidentiality, integrity, availability (CIA) triad.
- -gives a
... [Show More] model by which we can think about and discuss security concepts, tends to be very focused on security, as it pertains to data.
Differentiate confidentiality, integrity, and availability. Confidentiality
- similar but not the same as privacy
- necessary component of privacy and refers to our ability to protect data from those who are not authorized to view it
Integrity
- Refers to the ability to prevent our data from being changed in an unauthorized or undesirable manner
- This could mean the unauthorized change or deletion of our data or portions of our data, or it could mean an authorized but undesirable change or deletion of data
- To maintain integrity, we not only need to have the means to prevent unauthorized changes to our data but also need the ability to reserve the authorized changes that need to be undone
Availability
- -refers to the ability to access our data when we need it
- -loss of availability can refer to a wide variety of breaks anywhere in the chain that allows us access tour data
- Issues can result from power loss, operating system or application problems, network attacks, compromise of a system, or other problems
Define information security.
- -protecting information and information systems from unauthorized access, use, disclosure, disruption modification, or destruction
- It means we want to protect our data (where ever it is) and system assets from those who would see to misuse it
Define the Parkerian Hexad and its principles.
- Consist of CIA triad as well as possession or control, authenticity, and utility for a total of six principles
- It is not widely known as the CIA triad
- Integrity does not account for authorized but incorrect modification of data and instead focuses on the state of the data itself in the sense of completeness
- Possession or control refers to the physical disposition of the media on which data is stored. This enables us without involving other factors such as availability to discuss our loss of the data in its physical medium. The principle of
possession would enable us to more accurately describe the scope of the incident.
- Authenticity allows us to talk about the proper attribution as to the owner or creator of the data in question. Authenticity can be enforced through the use of digital signatures. Nonrepudiation prevents someone from taking an action such as sending an email and then later denying that he or she has done so.
- Utility refers to how useful the data is to us. It is the only principle that is not necessarily binary to nature. We can have a variety of degrees of utility depending the data format.
Identify the four types of attacks (i.e., interception, interruption, modification, and fabrication).
- Interception attacks allow unauthorized users to access our data, applications, or environments, and are primarily an attack against confidentiality. Interception might take the form unauthorized file viewing or copying, eavesdropping on phone conversations, or reading e-mail, and be conducted against data at rest or in motion. Properly executed, interception attacks can be very difficult to detect.
- Interruption attacks cause our assets to become unusable or unavailable for our use, on a temporary or permanent basis. Interruption attacks often affect availability but can be an attack on integrity as well.
- Modification attacks involve tampering with our asset. Such attacks might primarily be considered an integrity attack but could also represent an availability attack.
- Fabrication attacks involve generating data, processes, communications, or other similar activities with a system. Fabrication attacks primarily affect integrity but could be considered an availability attack as well.
- Confidentiality (Interception), Integrity (Interruption, Modification, Fabrication), Availability (Interruption, Modification, Fabrication)
Compare threats, vulnerabilities, risk, and impact.
- Threat is something that has the potential to cause us harm. Threats tend to be specific to certain environments particularly in the world of information security.
- Vulnerabilities are weaknesses that can be used to harm us. In the essence they are holes that can be exploited by threats in order to cause us harm. A vulnerability might be a specific operating system or application that we are running, a physical location where we have chosen to place our office building, a data center that is populated over the capacity of its air-conditioning system, a lack of backup generators, or other factors.
- Risk is the likelihood that something bad will happen. In order for us to have a risk in a particular environment, we need to have both a threat and vulnerability that the specific threat can exploit.
- Impact is considering the value of the asset being threatened to be a factor, this may change whether we see a risk as being present or not.
Define the risk management process and its stages.
- Identify assets, one of the first and arguably one of the most important parts of the risk management process is identifying and categorizing the assets that we are protecting. If we cannot enumerate the assets that we have and evaluate the importance of each of them, protecting them can become a very difficult task. Once we have been able to identify that asset in use, deciding which of them is a critical business asset is another question entirely. Making an accurate determination of which assets are truly critical to conducting business will generally require the input of functions that make use of the asset, those that support the asset itself, and potentially other involved parties as well. Not all assets need to be protected equally, by determining where resources should be focused, and cost can reduce while security increased.
- Identify threats takes place after critical assets are enumerated. It is useful to a have a framework within which to discuss the nature of a given threat and the CIA triad or Parkerian hexad serve nicely for this purpose. There needs to be a concern with losing control of data, maintaining accurate data, and keeping the system up and running. Given this information, we can begin to look at areas of vulnerability and potential risk.
- Assess vulnerabilities, in the context of potential threats. An asset may have thousands or millions of threats that could impact it, but only a small fraction of these will actual be relevant. The issue of identifying these is narrowed by considerably by looking at the potential threats first.
- Assess risks, once we have identified the threats and vulnerabilities for a given asset, we can assess the overall risk. Risk is the conjunction of a threat and a vulnerability. A vulnerability with no matching threat or a threat with no matching vulnerability do not constitute risk.
- Mitigating risks, to help mitigate risk, we can put measures in place to help ensure that a given type of threat is accounted for. These measures are referred to as controls. Controls are divided into three categories: physical, logical, and administrative.
Define the incident response process and its stages.
- If our risk management efforts fail, incident response exists to react to such events. Incident response should be primarily oriented to the items that we feel are likely to cause us pain as an organization, which we should now know based on our risk management efforts. Reactions to such incidents should be based, as much as is possible or practical, on documented incident response plan, which are regularly reviewed, tested, and practiced by those who will be expected to enact them in the case of an actual incident. The incident response process at a high level consists of: Preparation, Detection and analysis, Containment, Eradication, Recovery, Post incident activity.
- Preparation, the preparation phase of incident response consists of all the activities that we can perform, in advance of the incident itself, in order to better enable us to handle it. This involves having the policies and procedures that
govern incident response and handling in place, conducting training and education for both incident handlers and those who are expected to report incidents, conducting incident response exercises, developing and maintaining documentation, and numerous other such activities. The importance of this phase of incident response should not be underestimated. Without adequate preparation, it is extremely unlikely that response to an incident will go well and/or in the direction that we expect to go. The time determines what needs to be done, who needs to do it, and how to do it, is not when we are faced with a burning emergency.
- Detection and analysis phase is where the action begins to happen in our incident response process. This phase will detect the occurrence of an issue and decide whether it is an incident so that we can respond to it appropriately. The detection portion of this phase will often be the result of monitoring of or alerting based on the output of a security tool or service. The analysis portion is often a combination of automation from a tool or service.
- Containment, eradication, and recovery phase is where most of the work takes place to solve the incident, at least in the short term. Containment involves taking takes steps to ensure that the situation does not cause any more damage that it already has, or at least lessen any on going harm. Eradication is the attempt to remove the effects of the issue from the environment. Recovery is to recover to a better state that were in which we were prior to the incident, or perhaps prior to the issue started if we did not detect the problem immediately. This could potentially involve restoring devices or date from backup media, rebuilding systems, reloading applications, or any similar activities.
Post incident activity phase is often referred to as postmortem, we attempt to determine specifically what happened, why it happened, and what we can do to keep it from happening again.
Define “defense in depth.”
- Is a strategy common to both military maneuvers and information security. The basic concept of is to formulate a multilayered defense that will allow us to still achieve a successful defense should one or more of our defense measures fail.
Define compliance, including regulatory and industry compliance.
Identify types of controls to mitigate risk (i.e., physical, logical, administrative).
o Physical controls are those controls that protect the physical environment in which our systems sit, or where our data is stored. Such controls also control access in and out of such environments. Physical controls logically include items such as fences, gates, locks, bollards, guards, and cameras, but also include systems that maintain the physical environment such as heating and air- conditioning systems, fire suppression systems, and backup power generators.
o Logical and technical controls are those that protect systems, networks, and environments that process, transmit, and store out data. Logical controls can include items such as passwords, encryption, logical access controls firewalls,
and intrusion detection systems. Logical controls enable us, in a logical sense, to prevent unauthorized activities from taking place. If our logical controls are implemented properly and are successful, an attacker or unauthorized user cannot access our applications and data without subverting the controls that are in place. This allows multiple functions like finance, HR, and sales to all be run on one server, but none of them to have access to each other. If one is compromised, they are not all compromised.
o Administrative controls are based on rules, laws, policies, procedures, guidelines, and other items that are paper in nature. Administrative controls set out the rules for how we expect the users of our environment to behave. Administrative controls can represent differing levels of authority. One important concept when we discuss administrative controls is the ability to enforce compliance with them.
Identify elements of risk management in policies and procedures. Identify elements of incident response in policies and procedures. Identify the layers of a defense-in-depth strategy.
- External network, Internal network, Host, Application, Data
Compare the abilities of physical, logical, and administrative controls, and combinations of same, to protect resources.
Classify cybersecurity tools according to the type of vulnerability they find/identify. Identify cybersecurity concepts and principles that protect IT infrastructure.
Categorize control mechanisms (i.e., physical, logical, administrative) according to the type of risk they mitigate or eliminate.
Differentiate between the CIA triad and the Parkerian Hexad.
Align the four types of attacks (i.e., interception, interruption, modification, and fabrication) to the legs of the CIA triad.
- Interception – Confidentiality, Interruption, Modification, Fabrication – Integrity and Availability
CHAPTER 2
Define identification, including "who we claim to be." [Show Less]