WGU C727_Cybersecurity Management I - Strategic_November 2021

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Four Components of an Effective Cybersecurity Strategy

1. Business risk assessment 2. Enabling set of capabilities 3. A target state to get to 4. A portfolio of initiatives

The five domains of processes

1. Evaluate, Direct, and Monitor (EDM) 2. Align, Plan, and Organize (APO) 3. Build, Acquire, and Implement (BAI) 4. Deliver, Service, and Support (DSS) 5. Monitor, Evaluate, and Assess (MEA)

Three primary risks associated with cloud computing

1. Internet dependency 2. Concentration of data 3. Poorly executed contracts

Password Policy Components

1. Maximum age 2. Password Complexity 3. Password Length 4. Minimum Age 5. Password History

PCI DSS Password Requirements

1. Passwords expire at least every 90 days 2. Passwords must be at least seven characters long

NIST Password Recommendations (NIST SP 800-63B)

1. Passwords must be hashed 2. Passwords should not expire 3. Users should not be required to use special characters 4. Users should be able to copy and paste passwords 5. Users should be able to use all characters 6. Password length should be at least eight characters and as many as 64 characters 7. Password systems should screen passwords.

Three Primary Authentication Factors

1. Something you know (Type 1) 2. Something you have (Type 2) 3. Something you are (Type 3)

Reduction Analysis (AKA Decomposing) Key Concepts

1. Trust Boundaries 2. Dataflow Paths 3. Input Points 4. Privileged Operations 5. Details about Security Stance and Approach

Security Development Lifecycle (SDL)

A Microsoft security management process used to consider and implement security at each stage of a product's development. This supports the motto of "Secure by Design, Secure by Default, Secure in Deployment and Communication" (also known as SD3+C).

RACI Chart

A RACI chart is a matrix chart that only uses the activities of responsible, accountable, consult, and inform.

Capability Table

A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.

Directory Service

A centralized database that includes information about subjects and objects, including authentication data. Example: Light-weight Directory Access Protocol (LDAP).

Access Control List (ACL)

A clearly defined list of permissions that specifies what actions an authenticated user may perform on a shared resource.

Privileges

A combination of rights and permissions.

COBIT 5

A comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT; helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use

Deterrent Control

A control that attempts to discourage security violations before they occur.

Service-Level Requirement (SLR)

A customer requirement for an aspect of an IT service. Service level requirements are based on business objectives and used to negotiate agreed service level targets.

Erasing

A delete operation against a file, a selection of files, or the entire media. In most cases, the deletion or erasure process removes only the directory or catalog link to the data. The actual data remains on the drive.

Security Policy

A document that defines the security requirements for an organization.

Risk Register

A document that inventories all the identified risks to an organization or system within an individual project.

Identity Theft and Assumption Deterrence Act

A federal act that makes it a crime to transfer or use, without authority, the identity of another person knowingly and with the intent to commit any unlawful activity as defined by federal law and state and local felony laws.

International Traffic in Arms Regulations (ITAR)

A federal regulation that controls the export of items that are specifically designated as military and defense items, including technical information related to those items. The items covered under this regulation appear on a list called the United States Munitions List.

Computer Fraud and Abuse Act (CFAA)

A federal statute that prohibits unlawful access to computers used in national defense, by financial institutions, or by governments.

Risk Rejection

A final but unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care / due-diligence responses to risk. May be considered negligence in court.

Vulnerability

A flaw or weakness that allows a threat agent to bypass security.

Phishing

A form of social engineering attack focused on stealing credentials or identity information from any potential target.

Business Email Compromise (BEC)

A form of spear phishing that is often focused on convincing members of accounting to transfer funds, pay invoices, or purchase products from a message that appears to originate from a boss, manager, or executive.

Exit Interview

A formal conversation to find out why an employee is leaving and to learn about potential problems in the organization.

Authorization to Operate (ATO)

A formal declaration by a Designated Approving Authority (DAA) that authorizes operation of a Business Product and explicitly accepts the risk to agency operations.

Security Policy

A formalized statement that defines how security will be implemented within a particular organization.

Risk Framework

A guideline or recipe for how risk is to be assessed, resolved, and monitored. Risk Management Framework (RMF) - Establishes mandatory requirements for federal agencies Cybersecurity Framework (CSF) - Designed for critical infrastructure and commercial organizations

Risk Reporting

A key task to perform at the conclusion of a risk analysis. Providing a presentation of reported risks to interested/relevant parties.

Privacy Act of 1974

A law that gives citizens access to the government's files on them

Civil Law

A law that governs relationships between individuals and organizations, defines their legal rights. Examples include contract disputes, real estate transactions, employment matters, and estate/probate procedures.

General Data Protection Regulation (GDPR)

A legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

Shrink-wrap License Agreement

A license written on the outside of software packaging. Such licenses get their name because they commonly include a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package.

Mandatory Access Control (MAC)

A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf. Referred to as a lattice-based model.

Scripted Access

A method to automate the logon process with a script that provides the logon credentials to a system. It is considered a form of single sign-on.

Service Level Agreement (SLA)

A negotiated agreement between the customer and the vendor. The SLA may specify the levels of availability, serviceability, performance, operation, or other commitment requirements.

HMAC-based one-time password (HOTP)

A one-time password that changes when a specific event occurs. Hash message authentication code based.

Object

A passive entity that provides information to active subjects.

Time-Based One-Time Password (TOTP)

A password that is used once and is only valid during a specific time period. Time based.

Token Device

A password-generating device that users can carry with them. They use dynamic onetime passwords, making them more secure than static passwords. These are typically six or eight PINs.

Acceptable Use Policy (AUP)

A policy that defines the actions users may perform while accessing systems and networking equipment.

Birthday Attack

A probability method of finding a collision in a hash function in order to obtain passwords.

Encryption

A process of encoding messages to keep them secret, so only "authorized" parties can read it.

Audit Trail

A report that traces who has accessed electronic information, when information was accessed, and whether any information was changed

Compensation Control

A security control that is deployed to provide various options to other existing controls to aid in enforcement and support of security policies.

Principle of Least Privilege

A security discipline that requires that a particular user, system, or application be given no more privilege than necessary to perform its function or job.

Mutual Authentication

A security mechanism that requires that each party in a communication verify its identity.

Issue-Specific Security Policy

A security policy that addresses specific security issues.

System-Specific Security Policy

A security policy that focuses on individual systems or types of systems and prescribes approved hardware and software, outlines methods for locking down a system, and even mandates firewall or other specific security controls.

Identity and Access Management (IAM)

A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.

Cloud Access Security Broker (CASB)

A set of software tools or services that resides between the enterprises' on-premises infrastructure and the cloud provider's infrastructure to ensure that the security policies of the enterprise extend to their data in the cloud.

NIST Cybersecurity Framework (CSF)

A set of standards designed to serve as a voluntary risk-based framework for securing information and systems.

Fuzz Testing

A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.

Digital Rights Management (DRM)

A strategy designed to prevent illegal distribution of movies, music, and other digital content.

Risk Management

A strategy to offset business risks.

Passphrase

A string of characters similar to a password but has a unique meaning to the user. They're easy to remember, and encourage the user to create longer passwords.

Access Control Matrix

A table that includes subjects, objects and assigned privileges.

Visual, Agile, and Simple Threat (VAST)

A threat modeling concept based on Agile project management and programming principles.

Asynchronous Dynamic Password Token

A token device that generates onetime passwords after the user enters a PIN in the token device. The PIN is provided by a server as a challenge, and the user enters the onetime password created by the token as the response.

Vertical Privilege Escalation

A type of privilege escalation in which an attacker obtains privileges of a higher level than what they have been assigned.

Cognitive Password (aka security questions)

A variant of the password authentication factor that asks a series of questions about facts or predefined responses that only the subject should know.

Spear Phishing

A variation of phishing in which the phisher sends fraudulent emails to a certain organization's employees.

Cryptographic Erasure

A wiping technique that encrypts the data on a media device and destroys the encryption key.

Contractual License Agreement

A written contract between the software vendor and the customer outlining the responsibilities of each.

Job Description

A written description of the basic tasks, duties, and responsibilities required of an employee holding a particular job

Attribute-Based Access Control

Access is based on attributes (of a person, a resource, or an environment). Commonly used in software-defined networks (SDN).

Threat Events

Accidental or intentional exploitations of vulnerabilities. They can also be natural or man-made.

Single Sign-On (SSO)

Allows a user to authenticate once to gain access to multiple systems, without requiring the user to independently authenticate with each system.

Bring Your Own Device (BYOD)

Allows employees to use their personal mobile devices and computers to access enterprise data and applications.

Risk Assignment (Transferring)

Allows the organization to transfer risk to another entity. (insurance).

Crossover Error Rate (CER)

Also called the equal error rate, the point at which the rate of false rejections equals the rate of false acceptances. Devices with lower CERs are more accurate than devices with higher CERs.

Computer Abuse Amendments Act of 1994

Amended 1984 act- made writing viruses illegal

Advanced persistent threat (APT)

An APT says what it does and does what it says—it's a coordinated, persistent, resilient, adaptive attack against a target. APTs are primarily used to steal data. They can take a long time to research, plan, coordinate, and execute, but when they succeed, they are frequently devastating.

Rule-Based Access Control

An access control model that based on a list of predefined rules that determine what accesses should be granted for subjects.

Role-Based Access Control (RBAC)

An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. Based on organization's hierarchy.

Service Account

An account used by a service or application.

Children's Online Privacy Protection Act (COPPA)

An act, directed at Web sites catering to children, that requires site owners to post comprehensive privacy policies and to obtain parental consent before they collect any personal information from children under 13 years of age.

Subject

An active entity that accesses a passive object to receive information from, or data about, an object.

Nondisclosure Agreement (NDA)

An agreement between two parties that defines which information is considered confidential and cannot be shared outside the two parties.

Delphi Technique

An anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Used in the qualitative risk analysis process. Used to elicit honest and uninfluenced responses from all participants.

Spoofing attack

An attempt by someone or something to masquerade as someone else.

OpenID Connect (OIDC)

An authentication layer that sits on top of the OAuth 2.0 authorization protocol. Uses a JavaScript Object Notation (JSON) web token (JWT).

multifactor authentication (MFA)

An authentication process that requires the client to provide two or more pieces of information. The three categories of authentication factors are knowledge (something you know), possession (something you have), and inherence (something you are).

Kerberos

An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users. Provides a single sign-on solution for users and protects logon credentials. Utilizes a ticket system.

Pass-The-Hash Attack

An exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.

Background Check

An investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information.

Security Assertion Markup Language (SAML)

An open XML-based standard commonly used to exchange authentication and authorization (AA) information between federated organizations. It provides SSO capabilities for browsers. Utilizes a principal (such as a user), a service provider (such as a website), and an identity provider (a third party that holds the authentication and authorization information).

OpenID

An open standard and decentralized authentication protocol.

OAuth 2.0

An open standard for authorization used for websites and applications

Fast Identity Online (FIDO) Alliance

An open-industry association with a stated mission of reducing the over-reliance on passwords.

User and Entity Behavior Analytics (UEBA)

Analysis of behaviors and activities of human and nonhuman users, and of the software and hardware entities associated with those users and activities, as a way of detecting inappropriate or unauthorized activity, including fraud detection, malware and insider attacks.

Spoofing

Any action to hide a valid identity.

Data in Transit

Any data sent over a network. It's common to encrypt sensitive data-in-transit.

Data at Rest

Any data stored on media. It's common to encrypt sensitive data-at-rest.

Proprietary Data

Any data that helps an organization maintain a competitive edge.

Protected Health Information (PHI)

Any health-related information that can be related to a specific person.

Personally Identifiable Information (PII)

Any information that could identify a particular individual.

User (End User)

Any person that has access to the secured system.

Threat

Any potential occurrence that may cause an undesirable outcome for an organization, or for a specific asset.

Declassification

Any process that purges media or a system in preparation for reuse in an unclassified environment. Many times, media is destroyed rather that declassified.

Safeguards

Anything that removes or reduces a vulnerability or protects against one or more specific threats.

Asset

Anything used in a business process or task.

Risk Maturity Model (RMM)

Assesses the key indicators and activities of a mature, sustainable, and repeatable risk management process. They generally relate the assessment of risk maturity against a five-level model: 1. Ad Hoc 2. Preliminary 3. Defined 4. Integrated 5. Optimized

Business Continuity Planning (BCP)

Assessing the risks to organizational processes and creating policies, plans, and procedures to minimize the impact those risks might have on the organization if they were to occur. There are four main steps: 1. Project Scope and Planning 2. Business Impact Analysis 3. Continuity Planning 4. Approval and Implementation

Quantitative Risk Analysis

Assigns real dollar figures to the loss of an asset and is based on mathematical calculations.

Impersonation attack

Attacker assumes the identity of one of the legitimate parties in a network

Horizontal Privilege Escalation

Attacker grants themselves the same access levels they already have but assumes the identity of another user.

Data Loss Prevention (DLP) Systems

Attempt to detect and block data exfiltration attempts.

Dictionary Attack

Attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords.

Brute-Force Attack

Attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers, and symbols. Attackers typically use programs that try all password combinations.

Rainbow Table Attack

Attempts to discover the password from the hash using databases of precomputed hashes; countermeasure is salting.

Business Model for Information Security (BMIS)

BMIS is a business-oriented model for managing information security utilizing systems thinking to clarify complex relationships within an enterprise. The four elements and six dynamic interconnections form the basis of a three dimensional model that establish the boundaries of an information security program and models how the program functions and reacts to internal and external change. BMIS provides the context for frameworks such as COBIT.

Smartcard

Badge that has an integrated circuit chip embedded in it to *provide identity and auth* -most have microprocessor and 1+ certificates (used for asymm crypto like enc'ing data or digitally signing email) -common to require users to enter a PIN to provide two factor auth -CAC (common access cards) and PIV (personal id verification) cards are used by US govt

Candidate Screening

Based on sensitivity and classification defined by the job description. Background checks, reference checks, education verification, etc.

Exposure

Being susceptible to asset loss because of a threat; There is the possibility that a vulnerability can or will be exploited by a threat agent or event.

Sniffing

Capturing and recording network traffic

Remote Authentication Dial-In User Service (RADIUS)

Centralizes authentication for remote access connections, such as with VPNs or dial-up access. Encrypts only the password's exchange by default, but it is possible to use RADIUS/TLS to encrypt the entire session. Provides AAA services between network access servers and a shared authentication server.

Credential Surfing Attack

Checks single username and password on multiple sites.

Device Fingerprinting

Collects unique information from a user's browser or smartphone that can be combined with other data files to identify specific devices and users.

Privacy by Design

Companies should promote consumer privacy throughout their organizations and at every stage of development of their products and services.

Government vs. Nongovernmental Data Classification Chart

Comparison of Government and Nongovernmental data classifications.

Pillars of Cyber Security

Confidentiality, Integrity, Availability, and Safety (Introduced to address issues related to Internet of Things (IoT))

Compliance

Conforming to or adhering to rules, policies, regulations, standards, or requirements.

Supply Chain

Consists of all parties involved, directly or indirectly, in obtaining raw materials or a product.

Key Trends Influencing Threat Agents

Consumerization of cybercrime, Low barriers to entry for technical novices, Dark net mystique, Low rates of attributions.

click-through license agreements

Contract terms are either written on the software box or include in the software documentation. you are required to click a button indicating you have read the terms during installation process.

Chief Executive Officer (CEO)

Corporate officer who has overall responsibility for managing the business and delegates responsibilities to other corporate officers.

Personal Information Protection and Electronic Documents Act (PIPEDA)

Covers personal information that is identifiable to Canadian residents.

SMAC Applications

Currently driving organization innovation: 1. Social 2. Mobile 3. Analytics 4. Cloud

Examples of Threat Agents

Cybercriminals, Insiders (e.g., employees), Nation-States, Corporations, Hacktivists, Cyber-Fighters, Cyberterrorists, Script Kiddies.

Confidential

Damage to national security.

Sensitive

Data breach would cause damage to the mission or organization.

Unclassified

Data is not sensitive or classified. Available to anyone.

Public Data

Data that is available to anyone. It might be in brochures, in press releases, or on web sites.

Data in Use

Data that is in the process of being created, updated, destroyed, or changed.

Private

Data that should stay private within the organization but that doesn't meet the definition of confidential or proprietary data.

Standards

Define compulsory requirements for the homogenous use of hardware, software, technology, and security controls.

Acceptable Use Policy

Defines a level of acceptable performance and expectation of behavior and activity.

Directive Control

Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

Compensating Controls

Designed to compensate for the failure or absence of other controls and mitigate the damage from an attack. Examples include having a hot failover site (a geographically separate site that mirrors your environment, available the instant you need it), isolating critical systems from the Internet (aka air-gapping), and, in general, backup and disaster recovery plans that can keep the lights on while everyone else is in the dark.

Detective Controls

Designed to identify that an attack is occurring, including what kind of an attack, where it came from, what it used, and, if you're lucky, who may be behind it.

Corrective Controls

Designed to minimize the damage from an attack. Examples include restoring from backup, patching the systems with the latest security fixes, upgrading to the latest version of applications and operating systems, and the like.

Preventive Controls

Designed to prevent the attack from reaching the asset in the first place.

Education

Detailed endeavor in which students and users learn much more than they actually need to know to perform their work tasks.

Procedure

Detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.

Detect Function

Detect is the set of plans and actions that you will use to identify, classify, etc., an attack against your assets.

Detective Control

Detects undesirable events that have already occurred

Deterrence Function

Deterrence is not a question of education alone. It is also built on reducing what's called your attack surface. As part of the deter function you need to take a close look at your business. What do you do, who are your partners, what are the threats, and how have they changed over time?

DAD Triad

Disclosure, Alteration, and Destruction. The opposite of the CIA triad.

Denial of Service (DoS) Attack

DoS attacks come in two flavors: single-source and distributed. A single-source DoS attack occurs when one computer is used to drown another computer with so many requests that the targeted one can't function while a distributed DoS (DDoS) attack achieves the same result through many (meaning thousands or millions of) computers.

Control Objectives for Information and Related Technology (COBIT)

Documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.

Trusts

Established between domains to create a security bridge and allow users from one domain to access resources on another. Trusts can be one-way only, or two-way.

Due Diligence

Establishing a plan, policy, and process to protect the interests of an organization.

Annual Cost of the Safeguard (ACS)

Estimated yearly cost for the safeguard to be present in the organization.

Discretionary Access Control (DAC)

Every object has an owner and the owner can grant or deny access to any other subjects.

Risk Assessment

Examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of damage it would cause, and assessing various countermeasures for each risk.

Top Secret

Exceptionally grave damage to national security.

Single Loss Expectancy (SLE)

Expected monetary loss every time a risk occurs; calculated by multiplying asset value by exposure factor.

Economic Espionage Act (1996)

Extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage.

Recovery Control

Extension of corrective controls but have more advanced or complex abilities. Attempts to repair or restore resources, functions, and capabilities after a security policy violation.

Offboarding

Facilitates employee departure from the company by assisting the completion of exit tasks, including exit interviews, forms completion, the return of company property, and ensuring that employees receive the appropriate extended benefits.

Gramm-Leach-Bliley Act (GLBA)

Federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.

Destruction

Final stage in the lifecycle of media and the most secure method of sanitizing media.

Chief Technical Officer (CTO)

Focuses on ensuring that equipment and software work properly to support the business functions.

Continuity of Operations Plan (COOP)

Focuses on how an organization will carry out critical business functions beginning shortly after a disruption occurs and extending for up to one month of sustained operations.

Social Engineering

Form of attack that exploits human nature and human behavior.

Hoax

Form of social engineering designed to convince targets to perform an action that will cause problems or reduce their IT security.

Service-Level Agreement (SLA)

Formal contract between customers and their service providers that defines the specific responsibilities of the service provider and the level of service expected by the customer

Criminal Law

Forms the bedrock of the body of laws that preserve the peace and keep our society safe. Contains prohibitions against murder, assault, robbery, arson, etc. Penalties include community service, fines, and prison/jail time.

Shoulder Surfing

Gaining compromising information through observation (as in looking over someone's shoulder).

Payment Card Industry Data Security Standard (PCI DSS)

Governs the security of credit card information.

Risk-Based Access Control

Grants access after evaluating risk. Makes risk-based decisions using policies embedded within software code. Can require users to authenticate with multifactor authentication.

Copyright Law

Guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work. Protected until 70 years after the date of the last author.

Third-Party Audit

Having an independent third-party auditor, as defined by the American Institute of Certified Public Accountants (AICPA), can provide an unbiased review of an entity's security infrastructure, based on Service Organization Control (SOC) (SOC) reports.

Confidential (Nongovernmental Organizations)

Highest level of classified data.

Business Impact Analysis (BIA)

Identifies all critical business functions and the effect that a specific disasters or threats may have upon them.

Data Classification

Identifies the value of the data to the organization and is critical to protect data confidentiality and integrity.

NIST Framework

Identify, Protect, Detect, Respond, Recover

Brute Force Attack

If there is any elegance in hacking a system, then this method lacks it. A brute force attack, much like a brute, doesn't use any brains, only force—in this case, computing force. So, if I wanted to guess your password with a brute force attack, I would use a very fast computer to try every single combination possible of the number—a task that can take a large amount of time or a startlingly brief amount, depending on the complexity of the password.

Man-in-the-Middle Attack

In this type of an attack, the hacker intercepts the communication between two systems, replacing it with his own, eventually leading to his gaining control of both systems.

Trade Secrets

Information owned by the company by which the company gains a competitive advantage

Intellectual Property (IP)

Intangible property that is the result of intellectual activity.

Threat agent/actor

Intentionally exploit vulnerabilities. Usually people, but could also be programs, hardware, or systems.

Document Exchange and Review

Investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews.

Technical or Logical Controls

Involve the hardware or software mechanisms used to manage access and to provide protection for IT resources and systems.

Dumpster Diving

Involves digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away.

Single-Factor Authentication

Involves the use of simply one of the three available factors solely in order to carry out the authentication process being requested.

ISACA

Issues standards, guidance, and procedures for conducting information system audits

Awareness

Knowledge or perception of a situation or fact.

Sarbanes-Oxley Act (SOX)

Law that requires publicly traded companies to maintain adequate systems of internal control. Used to reduce unethical corporate behavior.

Electronic Communications Privacy Act of 1986 (ECPA)

Made it a crime to invade the electronic privacy of an individual.

Human Impact Management for Information Security (HIMIS)

Managing human risks to information security through awareness and behavior management.

Supply Chain Risk Management (SCRM)

Means to ensure that all of the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners. Each link in the supply chain should be responsible and accountable to the next link in the chain.

Centralized Access Control

Method of control in which all authorization verification is performed by a single entity within a system.

Tactical Plan

Midterm plan, developed to provide more details on accomplishing the goals set forth in the strategic plan. Useful for about a year.

Baseline

Minimum level of security that every system throughout the organization must meet.

Corrective Control

Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.

Tailoring

Modifying the list of security controls within a baseline so that they align with the mission of the organization.

Purging

More intense form of clearing that prepares media for reuse in less secure environments. Provides a level of assurance that the original data is not recoverable using any known methods.

Outsourcing

Obtain (goods or a service) from an outside or foreign supplier, especially in place of an internal source.

Guideline

Offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.

Mimikatz

One of the tools to gather credential data from Windows systems. Mimikatz It's now well known to extract plaintext password, hash, PIN code, and kerberos tickets from memory. Capabilities include: 1. Read passwords from memory 2. Extract kerberos tickets 3. Extract certificates and private keys 4. Read LM and NTLM password hashes in mempry 5. Read cleartext passwords in Local Security Authority Subsystem Service (LSASS) 6. List running processes

Senior Manager

Organizational owner, who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. Must approve all policies before they are carried out.

Business Continuity Management System (BCMS)

Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.

Scoping

Part of the tailoring process and refers to reviewing a list of baseline security controls and applying only those controls that apply to the IT systems you're trying to protect.

Security Champion

People that take the lead in security-related projects. Often, they are non-security employees.

Assets Include

Personnel, Information, Systems, Devices, Facilities, and Applications

Phishing Attack

Phishing and spear phishing are attacks that use social engineering methods. Social engineering in this context is just a fancy word for lying. Hackers convince a victim that the attacker is a trusted entity (such as a friend, established business, institution, or government agency) and trick the victim into giving up their data willingly.

Vishing

Phishing attacks committed using telephone calls or VoIP systems.

SMishing (SMS Phishing)

Phishing using text messages.

Air Gap

Physical security control and means that systems and cables from the classified network never physically touch systems and cables from the unclassified network.

Administrative Controls

Policies and procedures defined by an organization's security policy and other regulations or requirements. Focused on personnel oversight and business practices.

Due Care

Practicing the individual activities that maintain the due diligence effort.

Data Hiding

Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.

Health Insurance Portability and Accountability Act (HIPAA)

Privacy and security regulations requiring strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store Private medical information about individuals.

Documentation Review

Process of reading the exchanged materials and verifying them against standards and expectations.

End-Of-Service-Life (EOSL)

Products that no longer receive updates or support from the vendor. Sometimes referred to as End-Of-Support (EOS)

Drive-By Download

Program which automatically downloads when a user visits a web page, usually without their knowledge or consent.

Protect Function

Protect is your set of plans and actions that put in place the right controls (remember: controls do stuff) to protect the assets.

NIST SP 800-171

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Often included as a contractual requirement by government agencies.

Categories of security controls in a defense-in-depth implementation

Protection Layers: 1. Administrative Controls (Policies) 2. Logical/Technical Controls 3. Physical Controls

Fourth Amendment

Protects against unreasonable search and seizure.

Patents

Protects the intellectual property rights of inventors. Inventor granted exclusive rights for a period of 20 years.

Family Educational Rights and Privacy Act (FERPA)

Protects the privacy of student education records

Baseline

Provide a starting point and ensure a minimum security standard.

Six key principals for governance and management of enterprise IT that COBIT is based on

Provide stakeholder value Holistic Approach Dynamic Governance System Governance Distinct from Management Tailored to Enterprise Needs End-to-end Governance System

Credential Management Services

Provide storage space for usernames and passwords. Many web browsers can remember usernames and passwords for any site that a user has visited.

Least Privilege

Providing only the minimum amount of privileges necessary to perform a job or function.

Defense in Depth

Putting multiple and diverse barriers (controls) between the attacker and the asset.

Recover Function

Recover refers to whatever plans or protocols you have in place to bring things back to normal after an attack.

Typo Squatting

Redirecting a user to a fictitious website based on a misspelling of the URL. Also called URL hijacking.

Permissions

Refer to access granted for an object and determine what you can do with it.

AAA Services

Refers to five elements: Identification - Claiming an identity Authentication - Proving identity Authorization - Defining allows/denies for an identity Auditing - Recording log of events Accounting - Review log files

Rights

Refers to the ability to take an action on an object.

Security Through Obscurity

Relying upon the secrecy or complexity of an item as its security, instead of practicing solid security practices.

Process/Policy Review

Request copies of their security policies, processes/procedures, and documentation of incidents and responses for review.

Need to Know

Requirement of access to data for a clearly defined purpose.

Communications Assistance for Law Enforcement Act (CALEA) of 1994

Requires communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.

Prudent person rule

Requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation.

Context-Dependent Access Control

Requires specific activity before granting users access.

Federal Information Security Management Act (FISMA)

Requires that federal agencies implement an information security program that covers the agency's operations.

Respond Function

Respond is the set of activities that you engage in response to an attack.

Asset Owner

Responsible for classifying information for placement and protection within the security solution.

Auditor

Responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.

Data Custodian

Responsible for storage, maintenance, and protection of information.

Custodian

Responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.

Constrained Interface

Restrictions on interfaces that restrict users on what they can see and do based on their privileges

Content-Dependent Access Control

Restricts access to data based on the content within an object.

Record Retention

Retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed.

Three Common Types of Security Evaluation

Risk Assessment, Vulnerability Assessment, and Penetration Testing

Code of Federal Regulations (CFR)

Rules and regulations published by executive agencies of the U.S. federal government. These administrative laws are just as enforceable as statutory laws (known collectively as federal law), which must be passed by Congress.

Collusion

Secret agreement or cooperation. Working together to perpetrate a crime.

NIST SP 800-53

Security and Privacy Controls for Federal Information Systems and Organizations. Commonly used as an industry cybersecurity benchmark.

Physical Controls

Security mechanisms focused on providing protection to the facility and real-world objects.

Threat Modeling

Security process where potential threats are identified, categorized, and analyzed.

Gamification

Selective use of game design and game mechanics to drive employee engagement in non-gaming business scenarios.

Terminal Access Controller Access-Control System Plus (TACACS+)

Separates authentication, authorization, and accounting into separate processes, which can be hosted on three different servers if desired. Encrypts all authentication information, not just the password. Developed by CISCO.

Secret

Serious damage to national security.

Export Administration Regulations (EAR)

Set of United States government regulations that control the export and reexport of "dual use" items, information and software that are primarily commercial in nature but also have potential military applications.

Process for Attack Simulation and Threat Analysis (PASTA)

Seven stage risk-centric threat-modeling methodology: 1. Definition of the objectives (DO) for the analysis of risks. 2. Definition of the technical scope (DTS). 3. Application Decomposition and Analysis (ADA). 4. Threat Analysis (TA). 5. Weakness and vulnerability analysis (WVA) 6. Attack modeling and simulation (AMS). 7. Risk analysis and management (RAM).

Operational Plan

Short-term, highly detailed plan based on the strategic and tactical plans. Valid only for a short time. must be updated often.

Abstraction

Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.

Cloud Service License Agreements

Simply flash legal terms on the screen, display a link and check box for review. May bind an organization to onerous terms and conditions.

Influence Campaigns

Social engineering attacks that attempt to guide, adjust, or change public opinion, often waged by nation-states against their real or perceived foreign enemies.

Vendor Management System (VMS)

Software solution that assists with the management and procurement of staffing services, hardware, software, and other needed products or services.

ISO 27001:2013

Specifies the requirements for establishing, implementing continually improving information security.

STRIDE

Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege

USA Patriot Act (2001)

Strengthens the federal government's power to conduct surveillance, perform searches, and detain individuals in order to combat terrorism.

Security Control Framework

Structure of the security solution desired by the organization.

Authorization

Subjects are granted access to objects based on proven identities.

How do you measure any cyber security effort's success?

Success in cybersecurity will be the absence of impact on confidentiality, integrity, and availability of digital information no matter where it is (stationary/stored, traveling/transmitted, or processed).

Decentralized Access Control

System of access control in which authorization verification is performed by various entities located throughout a system.

DREAD Rating System

System used to determine threat prioritization: - Damage Potential - Reproducibility - Exploitability - Affected Users - Discoverability

Impersonation

Taking on the identity of an individual to get access into the system or communications protocol.

Whaling

Targeted to senior business executives and government leaders.

Training

Teaching employees to perform their work tasks and to comply with the security policy. Targeted to groups of employees with similar job functions.

Elements of the Risk Management Framework (RMF)

The RMF utilizes six cyclical phases.

Prepending

The adding of a term, expression, or phrase to the beginning or header of some other communication.

Total Risk

The amount of risk an organization would face if no safeguards were implemented. Total Risk = Threats * Vulnerabilities * Asset Value

Recovery Time Objective (RTO)

The amount of time allowed for the recovery of a business function or resource after a disaster occurs.

Risk Tolerance

The amount or level of risk that an organization will accept per individual asset-threat pair.

Security Function

The aspect of operating a business that focuses on the task of evaluating and improving security over time

Administrative Law

The body of law created by administrative agencies (in the form of rules, regulations, orders, and decisions) in order to carry out their duties and responsibilities.

Doxing

The collection of information about an individual or an organization to disclose the collected data publicly for the purpose of chaining the perception of the target.

Security Governance

The collection of practices related to supporting, defining, and directing the security efforts of an organization.

Identity and Access Provisioning Lifecycle

The creation, management, and deletion of accounts. Provisioning refers to granting accounts with appropriate privileges when they are created and during the lifetime of the account.

Data Remanence

The data that remains on media after the data was supposedly erased.

Controls Gap

The difference between total risk and residual risk. The amount of risk that is reduced by implementing safeguards. Total Risk - Controls Gap = Residual Risk

Reference Profile

The digitally stored sample of a biometric factor. Also known as a reference template.

Annualized Rate of Occurrence (ARO)

The expected frequency that a specific threat or risk will occur (in other words, become realized) within a single year. Also known as probability determination.

Security Control Assessment (SCA)

The formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation.

Identity Theft

The fraudulent acquisition and use of a person's private identifying information, usually for financial gain.

Organizational Security Policy

The highest-level security policy adopted by an organization that outlines security goals.

Identity Function

The identify function is where you develop an understanding of what your risks are, what your assets are, and what your capabilities are.

Risk Mitigation

The implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats.

Data Subject

The individual about whom information is being processed, such as the patient at a medical facility, the employee of a company or the customer of a retail store.

Attack

The intentional attempted exploitation of a vulnerability by a threat agent to cause damage, loss, or disclosure of assets.

Inherent Risk

The level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed. Sometimes referred to as initial risk, or starting risk.

Security Boundary

The line of intersection between any two areas, subnets, or environments that have different security requirements or needs.

Strategic Plan

The long-term plan for future activities and operations, usually involving at least five years.

Risk Capacity

The maximum amount of risk the organization can assume.

Maximum Tolerable Downtime (MTD)

The maximum length of time a business function can be inoperable without causing irreparable harm to the business.

Risk Limit

The maximum level of risk above the risk target that will be tolerated before further risk management actions are taken.

Biometrics

The measurement and analysis of unique physical or behavioral characteristics (as fingerprint or voice patterns) especially as a means of verifying personal identity. Methods include fingerprints, face scans, retina scans (The most accurate), iris scans, palm scans, and voice patterns.

Breach

The occurrence of a security mechanism being bypassed or thwarted by a threat agent. A successful attack.

Security Role

The part an individual plays in the overall scheme of security implementation and administration within an organization.

Threat Vector (Attack Vector)

The path or means by which an attack or attacker can gain access to a target in order to cause harm.

Attack Vector

The path that the attacker takes to compromise your asset. Although most attack vectors are pointing inward (ingress) toward systems and assets, there are attacks that point outward (egress). Those outward attacks focus on ways to extract data and assets as opposed to gaining access and potentially damaging data.

Data Owner

The person responsible for classifying information for placement and protection within the security solution.

End-Of-Life (EOL)

The point at which a manufacturer no longer produces a product.

Recovery Point Objective (RPO)

The point in time to which data must be restored in order to successfully resume processing.

Risk

The possibility of likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result. Risk = Threat * Vulnerability

Annualized Loss Expectancy (ALE)

The possible yearly loss of all instances of a specific realized threat against a specific asset. ALE is calculated using the following formula: ALE = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)

Single-Loss Expectancy (SLE)

The potential loss associated with a single realized threat against a specific asset. SLE is calculated using the following formula: SLE = Asset Value (AV) * Exposure Factor (EF)

Exposure Factor (EF)

The potential percentage of loss to an asset if a threat is realized.

Separation of Duties

The practice of requiring that processes should be divided between two or more individuals.

Implicit Deny

The principle that establishes that everything that is not explicitly allowed is denied. Think of it as deny by default.

Risk Response

The procedures that are implemented if an identified risk occurs.

Identification

The process of a subject claiming, or professing, and identity.

Risk Awareness

The process of being consistently informed about the risks in one's organization or specific department.

Privilege Escalation

The process of gaining elevated rights and permissions. Malware typically uses a variety of techniques to gain elevated privileges.

Risk Deterrence

The process of implementing deterrents to would-be violators of security and policy.

Anonymization

The process of removing all relevant data so that it is impossible to identify the original subject or person.

Degaussing

The process of removing or rearranging the magnetic field of a disk in order to render the data unrecoverable

Risk Avoidance

The process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option.

User Behavior Analytics (UBA)

The process of tracking user behavior to detect malicious attacks, potential threats, and financial frauds.

Pseudonymization

The process of using pseudonyms to represent other data.

Reduction Analysis (AKA Decomposing)

The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. Whether an application, a system, or an entire environment, it needs to be divided into smaller containers or compartments. Those might be subroutines, modules, or objects if focusing on software; computers, operating systems, and protocols if focusing on systems or networks; or departments, tasks, and networks if focusing on an entire business infrastructure. Each identified subelement should be evaluated in order to understand inputs, processing, security, data management, storage, and outputs. This is also sometimes referred to as decomposing the application, system, or environment.

False Acceptance Rate (FAR)

The rate at which a biometric solution allows in individuals it should have rejected. Referred to as a type 2 error.

False Rejection Rate (FRR)

The rate at which a biometric solution rejects individuals it should have allowed. Referred to as a type 1 error.

Clearing

The removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software file/data recovery utilities.

Risk Acceptance

The result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk.

Privacy

The right of people not to reveal information about themselves.

Multiparty Risk

The risk taken on when there are multiple organizations working on the same project. For example, if a company uses sub-contractors who in turn hire their own sub-contractors, then an attack from any of those entities or even their financial collapse poses a threat to the project.

Residual Risk

The risk that remains after management implements internal controls or some other response to risk.

Chief Information Officer (CIO)

The senior manager responsible for the overall management of information resources in an organization

Job Responsibilities

The specific work tasks an employee is required to perform on a regular basis.

Third-Party Governance

The system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements.

Information Security (Infosec) Team

The team or department responsible for security within an organization.

Risk Appetite

The total amount of risk that an organization is willing to shoulder in aggregate across all assets.

Shadow IT

The use of IT solutions that are managed outside of and without the knowledge of the IT department.

Tokenization

The use of a random value to take the place of a data element that has traceable meaning.

two-factor authentication (2FA)

The use of two different components to verify a user's claimed identity. Also known as multi-factor authentication.

Asset Value (AV)

The value of the asset you are trying to protect.

Just-in-time (JIT) Provisioning

These solutions automatically create the relationship between two entities so that new users can access resources.

Attack Payload

Think of this as a container (e.g., the outside of a bomb) that delivers the exploit (the explosives) that take advantage of one or more vulnerabilities exposing the target to the attacker.

Knowledge-Based Authentication (KBA)

This is used for fraud prevention. Consumers probably know this as the "secret question" users must answer before being granted access.

Synchronous Dynamic Password Token

Time-based and synchronized with an authentication server.

Business Case

To demonstrate a business-specific need to alter an existing process or choose an approach to a business task.

Security Professional

Trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management.

Spraying Attack

Tries to log onto a system with common passwords before moving on. Used to bypass account lockout security controls.

Chief Information Security Officer (CISO)

Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.

Spam

Unsolicited email.

Health Information Technology for Economical and Clinical Health Act of 2009 (HITECH)

Updated many of HIPAA's privacy and security requirements. Implemented Business Associate Agreements (BAA) that would hold business associates accountable in the same manner as a HIPAA covered entity.

Top-Down Approach

Upper, or senior, management is responsible for initiating and defining policies for the organization.

Cost/Benefit Analysis

Used to determine whether a safeguard actually improves security without costing too much. [ALE Pre-Safeguard - ALE Post-Safeguard] - Annual Cost of Safeguard (ACS) = Value of the safeguard to the company If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, then the value represents the annual savings the safeguard provides to the organization.

Managed Service Accounts

Used to run and manage services and applications.

Accountability

Users and other subjects can be held accountable for their actions when auditing is implemented.

Context-Aware Authentication

Uses multiple elements to authenticate a user and a mobile device.

Cloud-Based Federation

Uses third-party services to share federated identities.

Invoice Scams

Using fraudulent invoices to steal from a company.

Asset Valuation

Value assigned to an asset based on a number of factors such as importance to the organization, use in critical processes, actual cost, and non-monetary expenses and costs.

Authentication

Verifies the subject's identity by comparing one or more factors against a database of valid identities, such as user accounts.

On-Site Assessment

Visit the site of the organization to interview personnel and observe their operating habits.

Baiting

When a malicious individual leaves malware-infected removable media, such as a USB drive or optical disc, lying around in plain view.

Federated Identity Management (FIM)

When a user's identity is shared across multiple identity management (IdM) systems.

Mandatory Vacations

When an organization requires that an employee take a certain amount of days of vacation consecutively. This makes it easier to detect fraud, abuse, and negligence by the employee that regularly performs certain duties. Popular in the financial industry.

Tailgating/Piggybacking

When an unauthorized individual enters a restricted-access building by following an authorized user.

Trademarks

Words, slogans, and logos used to identify a company and its products or services. Granted for an initial period of 10 years, and can be renewed for unlimited successive 10-year periods.

Quantitative Risk Analysis Formulas

Yikes math! LOL Think of Exposure Factor (EF) as loss potential to make it easier to remember.

Qualitative Risk Analysis

assigns subjective and intangible values to the loss of an asset and takes into account perspectives, feelings, intuition, preferences, ideas, and gut reactions.

Defense in Depth

employing multiple layers of controls to avoid a single point-of-failure

Identity as a Service (IDaaS)

third party service that provides id and access mgmt. -effectively provides SSO for the cloud and is esp. useful when clients access SaaS app's.


Ensembles d'études connexes

Karch Focus on Pharmacology Chapter 43- Drugs Affecting Blood Pressure

View Set

Med Surg 2 Lewis Ch. 52-Breast Disorders

View Set

Forensics Ch. 2 The Crime Scene Review Questions

View Set

HESI Fundamentals/ Final Semester 2

View Set