WGU C727_Cybersecurity Management I - Strategic_November 2021
Four Components of an Effective Cybersecurity Strategy
1. Business risk assessment 2. Enabling set of capabilities 3. A target state to get to 4. A portfolio of initiatives
The five domains of processes
1. Evaluate, Direct, and Monitor (EDM) 2. Align, Plan, and Organize (APO) 3. Build, Acquire, and Implement (BAI) 4. Deliver, Service, and Support (DSS) 5. Monitor, Evaluate, and Assess (MEA)
Three primary risks associated with cloud computing
1. Internet dependency 2. Concentration of data 3. Poorly executed contracts
Password Policy Components
1. Maximum age 2. Password Complexity 3. Password Length 4. Minimum Age 5. Password History
PCI DSS Password Requirements
1. Passwords must be changed at least every 90 days 2. Passwords must be at least seven characters long and contain both numeric and alphabetic characters (PCI DSS v3.2.1, requirements 8.2.3 and 8.2.4; PCI DSS v4.0 raises the minimum length to 12 characters)
NIST Password Recommendations (NIST SP 800-63B)
1. Passwords must be salted and hashed with a suitable one-way key derivation function (e.g., PBKDF2 or Balloon), never stored in cleartext 2. Passwords should not expire on a fixed schedule; a change is forced only on evidence of compromise 3. Users should not be subjected to composition rules such as required special characters 4. Users should be able to copy and paste passwords (password managers) 5. All printing characters, including spaces and Unicode, should be accepted 6. User-chosen passwords must be at least eight characters, and verifiers should accept at least 64 characters 7. Candidate passwords should be screened against a blocklist of compromised, dictionary, and context-specific values, and the verifier should rate-limit failed attempts
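The recommendations above as a working memorized-secret verifier. This is an added example, not code from the course material: the blocklist, iteration count and sample passwords are constructed values, and a deployment would load a real compromised-password corpus and tune the PBKDF2 work factor to its own hardware.

```python
"""Added example (not from the original page): a memorized-secret verifier
built on the NIST SP 800-63B points listed above. The blocklist, iteration
count and sample passwords are constructed values; a deployment would load a
real compromised-password corpus and tune the work factor to its hardware."""
import hashlib
import hmac
import os
import unicodedata
from typing import Iterable, List, Optional

MIN_LEN = 8        # 800-63B: user-chosen secrets SHALL be at least 8 characters
MAX_LEN = 64       # 800-63B: verifiers SHOULD permit at least 64 characters
SALT_LEN = 16
PBKDF2_ITERATIONS = 200_000   # assumption: tuned per deployment

# Constructed blocklist standing in for a breached/dictionary corpus.
BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmein123", "iloveyou1"}

def normalize(password: str) -> str:
    """800-63B: apply Unicode NFKC normalisation before comparing or hashing, so
    a secret typed as 'e' + combining acute verifies the same as precomposed 'é'."""
    return unicodedata.normalize("NFKC", password)

def check_policy(password: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return policy violations (empty list means acceptable). Deliberately no
    composition rule (no 'must contain a symbol'): length and screening do the
    work, and every printable character, including spaces and Unicode, is allowed."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in BLOCKLIST:
        problems.append("appears in the blocklist of compromised passwords")
    for word in context_words:          # username, service name, etc.
        if word and word.lower() in pw.lower():
            problems.append(f"contains context-specific word '{word}'")
    if len(set(pw)) == 1:
        problems.append("is a single repeated character")
    return problems

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (one of the KDFs 800-63B names); stored as salt || digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                    salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```

Note what is absent: no "one uppercase, one digit, one symbol" rule and no expiry date. The screening step is what replaces composition rules, and the NFKC step is easy to forget but is what keeps a non-ASCII passphrase from failing depending on the keyboard it was typed on.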
Three Primary Authentication Factors
1. Something you know (Type 1) 2. Something you have (Type 2) 3. Something you are (Type 3)
Reduction Analysis (AKA Decomposing) Key Concepts
1. Trust Boundaries 2. Dataflow Paths 3. Input Points 4. Privileged Operations 5. Details about Security Stance and Approach
Security Development Lifecycle (SDL)
A Microsoft security management process used to consider and implement security at each stage of a product's development. This supports the motto of "Secure by Design, Secure by Default, Secure in Deployment and Communication" (also known as SD3+C).
RACI Chart
A responsibility-assignment matrix that records, for each activity, who is Responsible (does the work), Accountable (owns the outcome; exactly one per activity), Consulted, and Informed.
Capability Table
A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.
Directory Service
A centralized database that includes information about subjects and objects, including authentication data. Example: Lightweight Directory Access Protocol (LDAP).
Access Control List (ACL)
A clearly defined list of permissions that specifies what actions an authenticated user may perform on a shared resource.
Privileges
A combination of rights and permissions.
COBIT 5
A comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT; helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use
Deterrent Control
A control that attempts to discourage security violations before they occur.
Service-Level Requirement (SLR)
A customer requirement for an aspect of an IT service. Service level requirements are based on business objectives and used to negotiate agreed service level targets.
Erasing
A delete operation against a file, a selection of files, or the entire media. In most cases, the deletion or erasure process removes only the directory or catalog link to the data. The actual data remains on the drive.
Security Policy
A document that defines the security requirements for an organization.
Risk Register
A document that inventories all the identified risks to an organization or system within an individual project.
Identity Theft and Assumption Deterrence Act
A federal act that makes it a crime to transfer or use, without authority, the identity of another person knowingly and with the intent to commit any unlawful activity as defined by federal law and state and local felony laws.
International Traffic in Arms Regulations (ITAR)
A federal regulation that controls the export of items that are specifically designated as military and defense items, including technical information related to those items. The items covered under this regulation appear on a list called the United States Munitions List.
Computer Fraud and Abuse Act (CFAA)
A federal statute (1986, amended several times since) that prohibits unauthorized access to "protected computers." Originally limited to computers used for national defense, by financial institutions, or by the federal government, it now covers any computer used in interstate commerce.
Risk Rejection
A final, unacceptable response to risk: rejecting or ignoring it. Denying that a risk exists and hoping it is never realized is not a valid or prudent due care/due diligence response and may be considered negligence in court.
Vulnerability
A flaw or weakness that allows a threat agent to bypass security.
Phishing
A form of social engineering attack focused on stealing credentials or identity information from any potential target.
Business Email Compromise (BEC)
A form of spear phishing that is often focused on convincing members of accounting to transfer funds, pay invoices, or purchase products from a message that appears to originate from a boss, manager, or executive.
Exit Interview
A formal conversation to find out why an employee is leaving and to learn about potential problems in the organization.
Authorization to Operate (ATO)
A formal declaration by an Authorizing Official (AO; formerly the Designated Approving Authority, DAA) that authorizes operation of an information system and explicitly accepts the residual risk to agency operations, assets, and individuals.
Security Policy
A formalized statement that defines how security will be implemented within a particular organization.
Risk Framework
A guideline or recipe for how risk is to be assessed, resolved, and monitored. Examples: the NIST Risk Management Framework (RMF, SP 800-37), which establishes mandatory requirements for federal agencies; the NIST Cybersecurity Framework (CSF), voluntary guidance designed for critical infrastructure and commercial organizations.
Risk Reporting
A key task to perform at the conclusion of a risk analysis. Providing a presentation of reported risks to interested/relevant parties.
Privacy Act of 1974
A law that restricts how federal agencies collect, maintain, use, and disclose records about individuals, and gives citizens the right to access and correct the government's records on them.
Civil Law
A law that governs relationships between individuals and organizations, defines their legal rights. Examples include contract disputes, real estate transactions, employment matters, and estate/probate procedures.
General Data Protection Regulation (GDPR)
A legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
Shrink-wrap License Agreement
A license written on the outside of software packaging. Such licenses get their name because they commonly include a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package.
Mandatory Access Control (MAC)
A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf. Referred to as a lattice-based model.
Scripted Access
A method to automate the logon process with a script that provides the logon credentials to a system. It is considered a form of single sign-on.
Service Level Agreement (SLA)
A negotiated agreement between the customer and the vendor. The SLA may specify the levels of availability, serviceability, performance, operation, or other commitment requirements.
HMAC-based one-time password (HOTP)
An event-based one-time password (RFC 4226): an HMAC computed over a counter shared by the token and the server, truncated to a six- to eight-digit code. The counter advances each time a code is generated, so the server must tolerate a small look-ahead window if the token has been pressed without a login.
Object
A passive entity that provides information to active subjects.
Time-Based One-Time Password (TOTP)
A time-based one-time password (RFC 6238): HOTP with the counter replaced by the number of elapsed time steps (commonly 30 seconds), so each code is valid only during its time step. The verifier usually accepts a small window of adjacent steps to absorb clock drift between token and server.
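HOTP and TOTP as described above, implemented from the RFCs with only the standard library. This is an added example, not from the course material; the shared secret is the RFC test-vector secret ("12345678901234567890"), so the codes it produces can be checked against the published vectors, and the look-ahead and drift windows are the verifier-side handling the definitions mention.

```python
"""Added example (not from the original page): HOTP (RFC 4226) and TOTP
(RFC 6238) generation and verification using only the standard library.
The shared secret below is the RFC test-vector secret, so the outputs can
be checked against the published vectors."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP = dynamic truncation of HMAC(secret, counter as 8-byte big-endian)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def verify_hotp(secret: bytes, code: str, counter: int, look_ahead: int = 5,
                digits: int = 6) -> Optional[int]:
    """Accept a code at the stored counter or up to `look_ahead` steps beyond it
    (the token may have been pressed without a login). Returns the counter value
    the server should store next (one past the matched value), or None."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits).encode(), code.encode()):
            return c + 1
    return None

def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1", t0: int = 0) -> str:
    """TOTP = HOTP with the counter replaced by the number of elapsed time steps."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int((for_time - t0) // step), digits, algorithm)

def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock
    drift; constant-time comparison so timing does not leak the right code."""
    if for_time is None:
        for_time = time.time()
    current = int(for_time // step)
    return any(hmac.compare_digest(hotp(secret, current + d, digits).encode(), code.encode())
               for d in range(-window, window + 1))

if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))             # 755224 per RFC 4226
    print(totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 per RFC 6238
```

The two verifiers differ in exactly the way the definitions describe: HOTP must return the new counter so the server never accepts a replayed code, while TOTP tolerates a few steps of drift but should additionally record the last step accepted so a code cannot be reused within its window.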
Token Device
A password-generating device that users can carry with them. They use dynamic one-time passwords, making them more secure than static passwords. The codes are typically six or eight digits and are usually combined with a PIN or password for two-factor authentication.
Acceptable Use Policy (AUP)
A policy that defines the actions users may perform while accessing systems and networking equipment.
Birthday Attack
A method that exploits the birthday paradox: among roughly 2^(n/2) random inputs to an n-bit hash, a collision (two different inputs with the same digest) becomes likely, far fewer than the 2^n attempts needed to match one specific digest. Used to forge signed documents or defeat hash-based integrity checks and, against weak hashing schemes, to obtain passwords.
Encryption
A process of encoding messages to keep them secret, so only "authorized" parties can read it.
Audit Trail
A report that traces who has accessed electronic information, when information was accessed, and whether any information was changed
Compensating Control
A security control deployed to provide alternative options to other existing controls, to aid in the enforcement and support of security policies when a primary control cannot be implemented or has failed.
Principle of Least Privilege
A security discipline that requires that a particular user, system, or application be given no more privilege than necessary to perform its function or job.
Mutual Authentication
A security mechanism that requires that each party in a communication verify its identity.
Issue-Specific Security Policy
A security policy that addresses specific security issues.
System-Specific Security Policy
A security policy that focuses on individual systems or types of systems and prescribes approved hardware and software, outlines methods for locking down a system, and even mandates firewall or other specific security controls.
Identity and Access Management (IAM)
A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.
Cloud Access Security Broker (CASB)
A set of software tools or services that resides between the enterprises' on-premises infrastructure and the cloud provider's infrastructure to ensure that the security policies of the enterprise extend to their data in the cloud.
NIST Cybersecurity Framework (CSF)
A set of standards designed to serve as a voluntary risk-based framework for securing information and systems.
Fuzz Testing
A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.
Digital Rights Management (DRM)
A strategy designed to prevent illegal distribution of movies, music, and other digital content.
Risk Management
The process of identifying risks, assessing their likelihood and impact, and selecting responses (mitigate, assign/transfer, accept, or avoid) that reduce risk to a level the organization finds acceptable.
Passphrase
A string of characters similar to a password but has a unique meaning to the user. They're easy to remember, and encourage the user to create longer passwords.
Access Control Matrix
A table that includes subjects, objects and assigned privileges.
Visual, Agile, and Simple Threat (VAST)
A threat modeling concept based on Agile project management and programming principles.
Asynchronous Dynamic Password Token
A token device that generates onetime passwords after the user enters a PIN in the token device. The PIN is provided by a server as a challenge, and the user enters the onetime password created by the token as the response.
Vertical Privilege Escalation
A type of privilege escalation in which an attacker obtains privileges of a higher level than what they have been assigned.
Cognitive Password (aka security questions)
A variant of the password authentication factor that asks a series of questions about facts or predefined responses that only the subject should know.
Spear Phishing
A variation of phishing in which the phisher sends fraudulent emails to a certain organization's employees.
Cryptographic Erasure
A wiping technique that encrypts the data on a media device and destroys the encryption key. It is only as good as the assumption that all data on the device was encrypted and that the key was never backed up or exposed elsewhere.
Contractual License Agreement
A written contract between the software vendor and the customer outlining the responsibilities of each.
Job Description
A written description of the basic tasks, duties, and responsibilities required of an employee holding a particular job
Attribute-Based Access Control
Access is based on attributes (of a person, a resource, or an environment). Commonly used in software-defined networks (SDN).
Threat Events
Accidental or intentional exploitations of vulnerabilities. They can also be natural or man-made.
Single Sign-On (SSO)
Allows a user to authenticate once to gain access to multiple systems, without requiring the user to independently authenticate with each system.
Bring Your Own Device (BYOD)
Allows employees to use their personal mobile devices and computers to access enterprise data and applications.
Risk Assignment (Transferring)
Allows the organization to transfer risk to another entity. (insurance).
Crossover Error Rate (CER)
Also called the equal error rate, the point at which the rate of false rejections equals the rate of false acceptances. Devices with lower CERs are more accurate than devices with higher CERs.
Computer Abuse Amendments Act of 1994
Amended the 1984 act (CFAA); among other changes, it criminalized creating and knowingly transmitting malicious code such as viruses that causes damage.
Advanced persistent threat (APT)
An APT says what it does and does what it says—it's a coordinated, persistent, resilient, adaptive attack against a target. APTs are primarily used to steal data. They can take a long time to research, plan, coordinate, and execute, but when they succeed, they are frequently devastating.
Rule-Based Access Control
An access control model based on a list of predefined rules (for example, firewall rules) that determine what accesses are granted to subjects, regardless of the subject's identity.
Role-Based Access Control (RBAC)
An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. Based on organization's hierarchy.
Service Account
An account used by a service or application.
Children's Online Privacy Protection Act (COPPA)
An act, directed at Web sites catering to children, that requires site owners to post comprehensive privacy policies and to obtain parental consent before they collect any personal information from children under 13 years of age.
Subject
An active entity that accesses a passive object to receive information from, or data about, an object.
Nondisclosure Agreement (NDA)
An agreement between two parties that defines which information is considered confidential and cannot be shared outside the two parties.
Delphi Technique
An anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Used in the qualitative risk analysis process. Used to elicit honest and uninfluenced responses from all participants.
Spoofing attack
An attempt by someone or something to masquerade as someone else.
OpenID Connect (OIDC)
An identity layer on top of the OAuth 2.0 authorization protocol that lets a client verify a user's identity. The identity provider returns an ID token, which is a signed JSON Web Token (JWT) carrying claims such as issuer (iss), subject (sub), audience (aud), and expiry (exp) that the client must validate.
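The ID-token validation described above, as an added example that is not part of the course material. Real providers usually sign ID tokens with RS256 and publish their keys via JWKS; HS256 with a shared key is used here (an assumption, to stay within the standard library), and the issuer, client ID and key are constructed values. The checks are the ones OIDC Core requires of a client: pinned algorithm, signature, iss, aud and exp.

```python
"""Added example (not from the original page): minimal validation of an OIDC
ID token carried as a JWT. HS256 with a shared key is an assumption made to
stay within the standard library; the issuer, client ID and key are
constructed values."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a token as the identity provider would (alg='none' is supported
    only so the verifier's rejection of unsigned tokens can be demonstrated)."""
    header = {"alg": alg, "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

class TokenError(Exception):
    pass

def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable, else raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own 'alg' choose the check,
    # otherwise alg='none' or an RS256->HS256 downgrade bypasses the signature.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))     # only after the signature holds
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise TokenError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired or has no exp")
    return claims

def rejection_reason(token: str, key: bytes, issuer: str, client_id: str,
                     now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: None when the token verifies, else the reason."""
    try:
        verify_id_token(token, key, issuer, client_id, now)
        return None
    except TokenError as err:
        return str(err)

# Constructed values for demonstration.
DEMO_KEY = b"demo-shared-secret-not-for-production"
DEMO_ISSUER = "https://idp.example.com"
DEMO_CLIENT = "example-client-id"
DEMO_CLAIMS = {"iss": DEMO_ISSUER, "sub": "user-1234", "aud": DEMO_CLIENT,
               "iat": 1_900_000_000, "exp": 1_900_003_600}

if __name__ == "__main__":
    token = make_id_token(DEMO_CLAIMS, DEMO_KEY)
    print(verify_id_token(token, DEMO_KEY, DEMO_ISSUER, DEMO_CLIENT, now=1_900_000_100)["sub"])
```

The order matters: the algorithm is pinned and the signature checked before any claim is read, so an unsigned or re-signed payload never reaches the issuer and audience logic.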
multifactor authentication (MFA)
An authentication process that requires the client to provide two or more pieces of information. The three categories of authentication factors are knowledge (something you know), possession (something you have), and inherence (something you are).
Kerberos
An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users. Provides a single sign-on solution for users and protects logon credentials. Utilizes a ticket system.
Pass-The-Hash Attack
An exploit in which an attacker steals a hashed user credential (classically an NTLM hash on a Windows network) and, without cracking it, replays it to an authentication system that accepts the hash itself as proof of identity, creating a new authenticated session on the same network.
Background Check
An investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information.
Security Assertion Markup Language (SAML)
An open XML-based standard commonly used to exchange authentication and authorization (AA) information between federated organizations. It provides SSO capabilities for browsers. Utilizes a principal (such as a user), a service provider (such as a website), and an identity provider (a third party that holds the authentication and authorization information).
OpenID
An open standard and decentralized authentication protocol.
OAuth 2.0
An open standard for authorization used for websites and applications
Fast Identity Online (FIDO) Alliance
An open-industry association with a stated mission of reducing the over-reliance on passwords.
User and Entity Behavior Analytics (UEBA)
Analysis of behaviors and activities of human and nonhuman users, and of the software and hardware entities associated with those users and activities, as a way of detecting inappropriate or unauthorized activity, including fraud detection, malware and insider attacks.
Spoofing
Any action to hide a valid identity.
Data in Transit
Any data sent over a network. It's common to encrypt sensitive data-in-transit.
Data at Rest
Any data stored on media. It's common to encrypt sensitive data-at-rest.
Proprietary Data
Any data that helps an organization maintain a competitive edge.
Protected Health Information (PHI)
Any health-related information that can be related to a specific person.
Personally Identifiable Information (PII)
Any information that could identify a particular individual.
User (End User)
Any person that has access to the secured system.
Threat
Any potential occurrence that may cause an undesirable outcome for an organization, or for a specific asset.
Declassification
Any process that purges media or a system in preparation for reuse in an unclassified environment. Many times, media is destroyed rather than declassified.
Safeguards
Anything that removes or reduces a vulnerability or protects against one or more specific threats.
Asset
Anything used in a business process or task.
Risk Maturity Model (RMM)
Assesses the key indicators and activities of a mature, sustainable, and repeatable risk management process. They generally relate the assessment of risk maturity against a five-level model: 1. Ad Hoc 2. Preliminary 3. Defined 4. Integrated 5. Optimized
Business Continuity Planning (BCP)
Assessing the risks to organizational processes and creating policies, plans, and procedures to minimize the impact those risks might have on the organization if they were to occur. There are four main steps: 1. Project Scope and Planning 2. Business Impact Analysis 3. Continuity Planning 4. Approval and Implementation
Quantitative Risk Analysis
Assigns real dollar figures to the loss of an asset and is based on mathematical calculations.
Impersonation attack
Attacker assumes the identity of one of the legitimate parties in a network
Horizontal Privilege Escalation
Attacker stays at the same privilege level but gains access to resources or accounts belonging to another user at that level, effectively assuming that user's identity.
Data Loss Prevention (DLP) Systems
Attempt to detect and block data exfiltration attempts.
Dictionary Attack
Attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords.
Brute-Force Attack
Attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers, and symbols. Attackers typically use programs that try all password combinations.
Rainbow Table Attack
Attempts to discover the password from the hash using databases of precomputed hashes; countermeasure is salting.
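Why salting is the countermeasure named above, shown from the attacker's side. This is an added example, not from the course material: the word list, passwords and salts are constructed, and SHA-1 is used because legacy systems stored passwords that way, not as a recommendation. It contrasts a precomputed hash-to-plaintext table (the principle a rainbow table compresses with hash chains) against per-account dictionary work once a salt is present.

```python
"""Added example (not from the original page): why a precomputed hash table
(the principle behind a rainbow table) reverses unsalted hashes instantly, and
why a per-user salt forces the attacker back to per-account dictionary work.
The word list, passwords and salts are constructed; SHA-1 is used because
legacy systems stored passwords this way, not as a recommendation."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a cracking dictionary.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "qwerty", "iloveyou"]

def unsalted_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    # Salt prepended so identical passwords with different salts hash differently.
    return hashlib.sha1(salt + password.encode()).hexdigest()

def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """One-time precomputation: hash -> plaintext. A real rainbow table compresses
    this with hash chains, but the lookup semantics are the same."""
    return {unsalted_hash(w): w for w in words}

def reverse_with_table(hash_hex: str, table: Dict[str, str]) -> Optional[str]:
    """O(1) reversal, zero hashing at attack time."""
    return table.get(hash_hex)

def crack_salted(hash_hex: str, salt: bytes, words: List[str]) -> Tuple[Optional[str], int]:
    """Per-account dictionary attack. Returns (plaintext or None, hashes computed)."""
    for n, w in enumerate(words, start=1):
        if salted_hash(w, salt) == hash_hex:
            return w, n
    return None, len(words)

def attack_cost(n_accounts: int, n_words: int, salted: bool) -> int:
    """Hash computations to try every word against every account."""
    return n_words * n_accounts if salted else n_words   # the table is built once

def demo() -> dict:
    """Three users, two of whom chose 'dragon': note the identical unsalted hashes."""
    users = {"alice": "dragon", "bob": "dragon", "carol": "sunshine"}
    table = build_lookup_table(WORDLIST)
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salts = {u: os.urandom(8) for u in users}
    salted = {u: salted_hash(p, salts[u]) for u, p in users.items()}
    return {
        "unsalted_reversed": {u: reverse_with_table(h, table) for u, h in unsalted.items()},
        "same_hash_alice_bob": unsalted["alice"] == unsalted["bob"],
        "salted_in_table": {u: reverse_with_table(h, table) for u, h in salted.items()},
        "same_salted_alice_bob": salted["alice"] == salted["bob"],
        "salted_cracked": {u: crack_salted(h, salts[u], WORDLIST)[0] for u, h in salted.items()},
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Salt does not make a weak password strong: crack_salted still recovers "dragon." What it removes is the shared precomputation, so the cost scales with the number of accounts, and pairing salt with a slow KDF (as in the NIST guidance earlier on this page) is what makes each of those per-account guesses expensive.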
Business Model for Information Security (BMIS)
BMIS is a business-oriented model for managing information security utilizing systems thinking to clarify complex relationships within an enterprise. The four elements and six dynamic interconnections form the basis of a three dimensional model that establish the boundaries of an information security program and models how the program functions and reacts to internal and external change. BMIS provides the context for frameworks such as COBIT.
Smartcard
A badge with an embedded integrated circuit chip that provides identification and authentication. Most contain a microprocessor and one or more certificates, used for asymmetric cryptography such as encrypting data or digitally signing email. Users are commonly required to enter a PIN, which provides two-factor authentication (something you have plus something you know). Common Access Cards (CAC) and Personal Identity Verification (PIV) cards are the smartcards used by the US government.
Candidate Screening
Based on sensitivity and classification defined by the job description. Background checks, reference checks, education verification, etc.
Exposure
Being susceptible to asset loss because of a threat; There is the possibility that a vulnerability can or will be exploited by a threat agent or event.
Sniffing
Capturing and recording network traffic
Remote Authentication Dial-In User Service (RADIUS)
Centralizes authentication for remote access connections, such as VPNs or dial-up. Provides AAA (authentication, authorization, accounting) services between network access servers and a shared authentication server. By default only the User-Password attribute is obfuscated (with an MD5-based scheme keyed by the shared secret) and the rest of the exchange is cleartext, so RADIUS over TLS (RadSec, RFC 6614) should be used to protect the entire session.
Credential Stuffing Attack
Replays username/password pairs leaked from one breach against many other sites, relying on password reuse. (Distinct from password spraying, which tries one common password against many accounts.)
Device Fingerprinting
Collects unique information from a user's browser or smartphone that can be combined with other data files to identify specific devices and users.
Privacy by Design
Companies should promote consumer privacy throughout their organizations and at every stage of development of their products and services.
Government vs. Nongovernmental Data Classification Chart
Comparison of Government and Nongovernmental data classifications.
Pillars of Cyber Security
Confidentiality, Integrity, Availability, and Safety (Introduced to address issues related to Internet of Things (IoT))
Compliance
Conforming to or adhering to rules, policies, regulations, standards, or requirements.
Supply Chain
Consists of all parties involved, directly or indirectly, in obtaining raw materials or a product.
Key Trends Influencing Threat Agents
Consumerization of cybercrime, Low barriers to entry for technical novices, Dark net mystique, Low rates of attributions.
click-through license agreements
Contract terms are either written on the software box or included in the software documentation; you are required to click a button indicating that you have read and accepted the terms during the installation process.
Chief Executive Officer (CEO)
Corporate officer who has overall responsibility for managing the business and delegates responsibilities to other corporate officers.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Covers personal information that is identifiable to Canadian residents.
SMAC Applications
Currently driving organization innovation: 1. Social 2. Mobile 3. Analytics 4. Cloud
Examples of Threat Agents
Cybercriminals, Insiders (e.g., employees), Nation-States, Corporations, Hacktivists, Cyber-Fighters, Cyberterrorists, Script Kiddies.
Confidential
Damage to national security.
Sensitive
Data breach would cause damage to the mission or organization.
Unclassified
Data is not sensitive or classified. Available to anyone.
Public Data
Data that is available to anyone. It might be in brochures, in press releases, or on web sites.
Data in Use
Data that is in the process of being created, updated, destroyed, or changed.
Private
Data that should stay private within the organization but that doesn't meet the definition of confidential or proprietary data.
Standards
Define compulsory requirements for the homogenous use of hardware, software, technology, and security controls.
Acceptable Use Policy
Defines a level of acceptable performance and expectation of behavior and activity.
Directive Control
Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.
Compensating Controls
Designed to compensate for the failure or absence of other controls and mitigate the damage from an attack. Examples include having a hot failover site (a geographically separate site that mirrors your environment, available the instant you need it), isolating critical systems from the Internet (aka air-gapping), and, in general, backup and disaster recovery plans that can keep the lights on while everyone else is in the dark.
Detective Controls
Designed to identify that an attack is occurring, including what kind of an attack, where it came from, what it used, and, if you're lucky, who may be behind it.
Corrective Controls
Designed to minimize the damage from an attack. Examples include restoring from backup, patching the systems with the latest security fixes, upgrading to the latest version of applications and operating systems, and the like.
Preventive Controls
Designed to prevent the attack from reaching the asset in the first place.
Education
Detailed endeavor in which students and users learn much more than they actually need to know to perform their work tasks.
Procedure
Detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.
Detect Function
Detect is the set of plans and actions that you will use to identify, classify, etc., an attack against your assets.
Detective Control
Detects undesirable events that have already occurred
Deterrence Function
Deterrence is not a question of education alone. It is also built on reducing what's called your attack surface. As part of the deter function you need to take a close look at your business. What do you do, who are your partners, what are the threats, and how have they changed over time?
DAD Triad
Disclosure, Alteration, and Destruction. The opposite of the CIA triad.
Denial of Service (DoS) Attack
DoS attacks come in two flavors: single-source and distributed. A single-source DoS attack occurs when one computer is used to drown another computer with so many requests that the targeted one can't function while a distributed DoS (DDoS) attack achieves the same result through many (meaning thousands or millions of) computers.
Control Objectives for Information and Related Technology (COBIT)
Documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.
Trusts
Established between domains to create a security bridge and allow users from one domain to access resources on another. Trusts can be one-way only, or two-way.
Due Diligence
Establishing a plan, policy, and process to protect the interests of an organization.
Annual Cost of the Safeguard (ACS)
Estimated yearly cost for the safeguard to be present in the organization.
Discretionary Access Control (DAC)
Every object has an owner and the owner can grant or deny access to any other subjects.
Risk Assessment
Examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of damage it would cause, and assessing various countermeasures for each risk.
Top Secret
Exceptionally grave damage to national security.
Single Loss Expectancy (SLE)
Expected monetary loss every time a risk occurs; calculated by multiplying asset value by exposure factor.
Economic Espionage Act (1996)
Extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage.
Recovery Control
Extension of corrective controls but have more advanced or complex abilities. Attempts to repair or restore resources, functions, and capabilities after a security policy violation.
Offboarding
Facilitates employee departure from the company by assisting the completion of exit tasks, including exit interviews, forms completion, the return of company property, and ensuring that employees receive the appropriate extended benefits.
Gramm-Leach-Bliley Act (GLBA)
Federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
Destruction
Final stage in the lifecycle of media and the most secure method of sanitizing media.
Chief Technical Officer (CTO)
Focuses on ensuring that equipment and software work properly to support the business functions.
Continuity of Operations Plan (COOP)
Focuses on how an organization will carry out critical business functions beginning shortly after a disruption occurs and extending for up to one month of sustained operations.
Social Engineering
Form of attack that exploits human nature and human behavior.
Hoax
Form of social engineering designed to convince targets to perform an action that will cause problems or reduce their IT security.
Service-Level Agreement (SLA)
Formal contract between customers and their service providers that defines the specific responsibilities of the service provider and the level of service expected by the customer
Criminal Law
Forms the bedrock of the body of laws that preserve the peace and keep our society safe. Contains prohibitions against murder, assault, robbery, arson, etc. Penalties include community service, fines, and prison/jail time.
Shoulder Surfing
Gaining compromising information through observation (as in looking over someone's shoulder).
Payment Card Industry Data Security Standard (PCI DSS)
Governs the security of credit card information.
Risk-Based Access Control
Grants access after evaluating risk. Makes risk-based decisions using policies embedded within software code. Can require users to authenticate with multifactor authentication.
Copyright Law
Guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work. In the US, protection lasts for the life of the last surviving author plus 70 years (95 years from publication or 120 years from creation for works made for hire).
Third-Party Audit
Having an independent third-party auditor, as defined by the American Institute of Certified Public Accountants (AICPA), can provide an unbiased review of an entity's security infrastructure, reported through Service Organization Control (SOC) reports.
Confidential (Nongovernmental Organizations)
Highest level of classified data.
Business Impact Analysis (BIA)
Identifies all critical business functions and the effect that specific disasters or threats may have upon them.
Data Classification
Identifies the value of the data to the organization and is critical to protect data confidentiality and integrity.
NIST Framework
The five core functions of NIST CSF 1.1: Identify, Protect, Detect, Respond, Recover. (CSF 2.0, released in 2024, adds a sixth function, Govern.)
Brute Force Attack
If there is any elegance in hacking a system, then this method lacks it. A brute force attack, much like a brute, doesn't use any brains, only force, in this case computing force. So, if I wanted to guess your password with a brute force attack, I would use a very fast computer to try every single possible combination of characters, a task that can take a large amount of time or a startlingly brief amount, depending on the length and complexity of the password.
Man-in-the-Middle Attack
In this type of attack, the attacker secretly relays and possibly alters the communication between two systems that believe they are talking directly to each other. With control of the channel the attacker can read, inject, or replace traffic, and may go on to compromise either endpoint.
Trade Secrets
Information owned by the company by which the company gains a competitive advantage
Intellectual Property (IP)
Intangible property that is the result of intellectual activity.
Threat agent/actor
Intentionally exploit vulnerabilities. Usually people, but could also be programs, hardware, or systems.
Document Exchange and Review
Investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews.
Technical or Logical Controls
Involve the hardware or software mechanisms used to manage access and to provide protection for IT resources and systems.
Dumpster Diving
Involves digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away.
Single-Factor Authentication
Uses only one of the three authentication factors (for example, a password alone) to complete the requested authentication.
ISACA
Issues standards, guidance, and procedures for conducting information system audits
Awareness
Knowledge or perception of a situation or fact.
Sarbanes-Oxley Act (SOX)
Law that requires publicly traded companies to maintain adequate systems of internal control. Used to reduce unethical corporate behavior.
Electronic Communications Privacy Act of 1986 (ECPA)
Made it a crime to invade the electronic privacy of an individual.
Human Impact Management for Information Security (HIMIS)
Managing human risks to information security through awareness and behavior management.
Supply Chain Risk Management (SCRM)
Means to ensure that all of the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners. Each link in the supply chain should be responsible and accountable to the next link in the chain.
Centralized Access Control
Method of control in which all authorization verification is performed by a single entity within a system.
Tactical Plan
Midterm plan, developed to provide more details on accomplishing the goals set forth in the strategic plan. Useful for about a year.
Baseline
Minimum level of security that every system throughout the organization must meet.
Corrective Control
Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.
Tailoring
Modifying the list of security controls within a baseline so that they align with the mission of the organization.
Purging
More intense form of clearing that prepares media for reuse in less secure environments. Provides a level of assurance that the original data is not recoverable using any known methods.
Outsourcing
Obtain (goods or a service) from an outside or foreign supplier, especially in place of an internal source.
Guideline
Offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.
Mimikatz
One of the tools used to gather credential data from Windows systems. Mimikatz is now well known for extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory. Capabilities include: 1. Read passwords from memory 2. Extract Kerberos tickets 3. Extract certificates and private keys 4. Read LM and NTLM password hashes in memory 5. Read cleartext passwords in the Local Security Authority Subsystem Service (LSASS) 6. List running processes
Senior Manager
Organizational owner, who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. Must approve all policies before they are carried out.
Business Continuity Management System (BCMS)
Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.
Scoping
Part of the tailoring process and refers to reviewing a list of baseline security controls and applying only those controls that apply to the IT systems you're trying to protect.
Security Champion
People who take the lead in security-related projects. Often, they are non-security employees.
Assets Include
Personnel, Information, Systems, Devices, Facilities, and Applications
Phishing Attack
Phishing and spear phishing are attacks that use social engineering methods. Social engineering in this context is just a fancy word for lying. Hackers convince a victim that the attacker is a trusted entity (such as a friend, established business, institution, or government agency) and trick the victim into giving up their data willingly.
Vishing
Phishing attacks committed using telephone calls or VoIP systems.
SMishing (SMS Phishing)
Phishing using text messages.
Air Gap
Physical security control meaning that systems and cables from the classified network never physically touch systems and cables from the unclassified network.
Administrative Controls
Policies and procedures defined by an organization's security policy and other regulations or requirements. Focused on personnel oversight and business practices.
Due Care
Practicing the individual activities that maintain the due diligence effort.
Data Hiding
Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.
Health Insurance Portability and Accountability Act (HIPAA)
Privacy and security regulations requiring strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals.
Documentation Review
Process of reading the exchanged materials and verifying them against standards and expectations.
End-Of-Service-Life (EOSL)
Products that no longer receive updates or support from the vendor. Sometimes referred to as End-Of-Support (EOS).
Drive-By Download
Program which automatically downloads when a user visits a web page, usually without their knowledge or consent.
Protect Function
Protect is your set of plans and actions that put in place the right controls (remember: controls do stuff) to protect the assets.
NIST SP 800-171
Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Often included as a contractual requirement by government agencies.
Categories of security controls in a defense-in-depth implementation
Protection Layers: 1. Administrative Controls (Policies) 2. Logical/Technical Controls 3. Physical Controls
Fourth Amendment
Protects against unreasonable search and seizure.
Patents
Protects the intellectual property rights of inventors. Inventor granted exclusive rights for a period of 20 years.
Family Educational Rights and Privacy Act (FERPA)
Protects the privacy of student education records
Baseline
Provide a starting point and ensure a minimum security standard.
Six key principles for governance and management of enterprise IT that COBIT is based on
1. Provide stakeholder value 2. Holistic approach 3. Dynamic governance system 4. Governance distinct from management 5. Tailored to enterprise needs 6. End-to-end governance system
Credential Management Services
Provide storage space for usernames and passwords. Many web browsers can remember usernames and passwords for any site that a user has visited.
Least Privilege
Providing only the minimum amount of privileges necessary to perform a job or function.
Defense in Depth
Putting multiple and diverse barriers (controls) between the attacker and the asset.
Recover Function
Recover refers to whatever plans or protocols you have in place to bring things back to normal after an attack.
Typo Squatting
Redirecting a user to a fictitious website based on a misspelling of the URL. Also called URL hijacking.
Permissions
Refer to access granted for an object and determine what you can do with it.
AAA Services
Refers to five elements: 1. Identification - Claiming an identity 2. Authentication - Proving identity 3. Authorization - Defining allows/denies for an identity 4. Auditing - Recording a log of events 5. Accounting - Reviewing log files
Rights
Refers to the ability to take an action on an object.
Security Through Obscurity
Relying upon the secrecy or complexity of an item as its security, instead of practicing solid security practices.
Process/Policy Review
Request copies of their security policies, processes/procedures, and documentation of incidents and responses for review.
Need to Know
Requirement of access to data for a clearly defined purpose.
Communications Assistance for Law Enforcement Act (CALEA) of 1994
Requires communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
Prudent person rule
Requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation.
Context-Dependent Access Control
Requires specific activity before granting users access.
Federal Information Security Management Act (FISMA)
Requires that federal agencies implement an information security program that covers the agency's operations.
Respond Function
Respond is the set of activities that you engage in response to an attack.
Asset Owner
Responsible for classifying information for placement and protection within the security solution.
Auditor
Responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.
Data Custodian
Responsible for storage, maintenance, and protection of information.
Custodian
Responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.
Constrained Interface
Restrictions on interfaces that restrict users on what they can see and do based on their privileges
Content-Dependent Access Control
Restricts access to data based on the content within an object.
Record Retention
Retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed.
Three Common Types of Security Evaluation
Risk Assessment, Vulnerability Assessment, and Penetration Testing
Code of Federal Regulations (CFR)
Rules and regulations published by executive agencies of the U.S. federal government. These administrative laws are just as enforceable as statutory laws (known collectively as federal law), which must be passed by Congress.
Collusion
Secret agreement or cooperation. Working together to perpetrate a crime.
NIST SP 800-53
Security and Privacy Controls for Federal Information Systems and Organizations. Commonly used as an industry cybersecurity benchmark.
Physical Controls
Security mechanisms focused on providing protection to the facility and real-world objects.
Threat Modeling
Security process where potential threats are identified, categorized, and analyzed.
Gamification
Selective use of game design and game mechanics to drive employee engagement in non-gaming business scenarios.
Terminal Access Controller Access-Control System Plus (TACACS+)
Separates authentication, authorization, and accounting into separate processes, which can be hosted on three different servers if desired. Encrypts all authentication information, not just the password. Developed by Cisco.
Secret
Serious damage to national security.
Export Administration Regulations (EAR)
Set of United States government regulations that control the export and reexport of "dual use" items, information and software that are primarily commercial in nature but also have potential military applications.
Process for Attack Simulation and Threat Analysis (PASTA)
Seven-stage risk-centric threat-modeling methodology: 1. Definition of the Objectives (DO) for the analysis of risks. 2. Definition of the Technical Scope (DTS). 3. Application Decomposition and Analysis (ADA). 4. Threat Analysis (TA). 5. Weakness and Vulnerability Analysis (WVA). 6. Attack Modeling and Simulation (AMS). 7. Risk Analysis and Management (RAM).
Operational Plan
Short-term, highly detailed plan based on the strategic and tactical plans. Valid only for a short time. Must be updated often.
Abstraction
Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
Cloud Service License Agreements
Simply flash legal terms on the screen, display a link and check box for review. May bind an organization to onerous terms and conditions.
Influence Campaigns
Social engineering attacks that attempt to guide, adjust, or change public opinion, often waged by nation-states against their real or perceived foreign enemies.
Vendor Management System (VMS)
Software solution that assists with the management and procurement of staffing services, hardware, software, and other needed products or services.
ISO 27001:2013
Specifies the requirements for establishing, implementing, and continually improving information security.
STRIDE
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
USA Patriot Act (2001)
Strengthens the federal government's power to conduct surveillance, perform searches, and detain individuals in order to combat terrorism.
Security Control Framework
Structure of the security solution desired by the organization.
Authorization
Subjects are granted access to objects based on proven identities.
How do you measure any cyber security effort's success?
Success in cybersecurity will be the absence of impact on confidentiality, integrity, and availability of digital information no matter where it is (stationary/stored, traveling/transmitted, or processed).
Decentralized Access Control
System of access control in which authorization verification is performed by various entities located throughout a system.
DREAD Rating System
System used to determine threat prioritization: - Damage Potential - Reproducibility - Exploitability - Affected Users - Discoverability
Impersonation
Taking on the identity of an individual to get access into the system or communications protocol.
Whaling
Targeted to senior business executives and government leaders.
Training
Teaching employees to perform their work tasks and to comply with the security policy. Targeted to groups of employees with similar job functions.
Elements of the Risk Management Framework (RMF)
The RMF utilizes six cyclical phases.
Prepending
The adding of a term, expression, or phrase to the beginning or header of some other communication.
Total Risk
The amount of risk an organization would face if no safeguards were implemented. Total Risk = Threats * Vulnerabilities * Asset Value
Recovery Time Objective (RTO)
The amount of time allowed for the recovery of a business function or resource after a disaster occurs.
Risk Tolerance
The amount or level of risk that an organization will accept per individual asset-threat pair.
Security Function
The aspect of operating a business that focuses on the task of evaluating and improving security over time
Administrative Law
The body of law created by administrative agencies (in the form of rules, regulations, orders, and decisions) in order to carry out their duties and responsibilities.
Doxing
The collection of information about an individual or an organization to disclose the collected data publicly for the purpose of changing the perception of the target.
Security Governance
The collection of practices related to supporting, defining, and directing the security efforts of an organization.
Identity and Access Provisioning Lifecycle
The creation, management, and deletion of accounts. Provisioning refers to granting accounts with appropriate privileges when they are created and during the lifetime of the account.
Data Remanence
The data that remains on media after the data was supposedly erased.
Controls Gap
The difference between total risk and residual risk. The amount of risk that is reduced by implementing safeguards. Total Risk - Controls Gap = Residual Risk
Reference Profile
The digitally stored sample of a biometric factor. Also known as a reference template.
Annualized Rate of Occurrence (ARO)
The expected frequency that a specific threat or risk will occur (in other words, become realized) within a single year. Also known as probability determination.
Security Control Assessment (SCA)
The formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation.
Identity Theft
The fraudulent acquisition and use of a person's private identifying information, usually for financial gain.
Organizational Security Policy
The highest-level security policy adopted by an organization that outlines security goals.
Identify Function
The Identify function is where you develop an understanding of what your risks are, what your assets are, and what your capabilities are.
Risk Mitigation
The implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats.
Data Subject
The individual about whom information is being processed, such as the patient at a medical facility, the employee of a company or the customer of a retail store.
Attack
The intentional attempted exploitation of a vulnerability by a threat agent to cause damage, loss, or disclosure of assets.
Inherent Risk
The level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed. Sometimes referred to as initial risk, or starting risk.
Security Boundary
The line of intersection between any two areas, subnets, or environments that have different security requirements or needs.
Strategic Plan
The long-term plan for future activities and operations, usually involving at least five years.
Risk Capacity
The maximum amount of risk the organization can assume.
Maximum Tolerable Downtime (MTD)
The maximum length of time a business function can be inoperable without causing irreparable harm to the business.
Risk Limit
The maximum level of risk above the risk target that will be tolerated before further risk management actions are taken.
Biometrics
The measurement and analysis of unique physical or behavioral characteristics (such as fingerprint or voice patterns), especially as a means of verifying personal identity. Methods include fingerprints, face scans, retina scans (the most accurate), iris scans, palm scans, and voice patterns.
Breach
The occurrence of a security mechanism being bypassed or thwarted by a threat agent. A successful attack.
Security Role
The part an individual plays in the overall scheme of security implementation and administration within an organization.
Threat Vector (Attack Vector)
The path or means by which an attack or attacker can gain access to a target in order to cause harm.
Attack Vector
The path that the attacker takes to compromise your asset. Although most attack vectors are pointing inward (ingress) toward systems and assets, there are attacks that point outward (egress). Those outward attacks focus on ways to extract data and assets as opposed to gaining access and potentially damaging data.
Data Owner
The person responsible for classifying information for placement and protection within the security solution.
End-Of-Life (EOL)
The point at which a manufacturer no longer produces a product.
Recovery Point Objective (RPO)
The point in time to which data must be restored in order to successfully resume processing.
Risk
The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result. Risk = Threat * Vulnerability
Annualized Loss Expectancy (ALE)
The possible yearly loss of all instances of a specific realized threat against a specific asset. ALE is calculated using the following formula: ALE = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
Single-Loss Expectancy (SLE)
The potential loss associated with a single realized threat against a specific asset. SLE is calculated using the following formula: SLE = Asset Value (AV) * Exposure Factor (EF)
Exposure Factor (EF)
The potential percentage of loss to an asset if a threat is realized.
Separation of Duties
The practice of requiring that processes should be divided between two or more individuals.
Implicit Deny
The principle that establishes that everything that is not explicitly allowed is denied. Think of it as deny by default.
Risk Response
The procedures that are implemented if an identified risk occurs.
Identification
The process of a subject claiming, or professing, an identity.
Risk Awareness
The process of being consistently informed about the risks in one's organization or specific department.
Privilege Escalation
The process of gaining elevated rights and permissions. Malware typically uses a variety of techniques to gain elevated privileges.
Risk Deterrence
The process of implementing deterrents to would-be violators of security and policy.
Anonymization
The process of removing all relevant data so that it is impossible to identify the original subject or person.
Degaussing
The process of removing or rearranging the magnetic field of a disk in order to render the data unrecoverable
Risk Avoidance
The process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option.
User Behavior Analytics (UBA)
The process of tracking user behavior to detect malicious attacks, potential threats, and financial frauds.
Pseudonymization
The process of using pseudonyms to represent other data.
Reduction Analysis (AKA Decomposing)
The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. Whether an application, a system, or an entire environment, it needs to be divided into smaller containers or compartments. Those might be subroutines, modules, or objects if focusing on software; computers, operating systems, and protocols if focusing on systems or networks; or departments, tasks, and networks if focusing on an entire business infrastructure. Each identified subelement should be evaluated in order to understand inputs, processing, security, data management, storage, and outputs. This is also sometimes referred to as decomposing the application, system, or environment.
False Acceptance Rate (FAR)
The rate at which a biometric solution allows in individuals it should have rejected. Referred to as a type 2 error.
False Rejection Rate (FRR)
The rate at which a biometric solution rejects individuals it should have allowed. Referred to as a type 1 error.
Clearing
The removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software file/data recovery utilities.
Risk Acceptance
The result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk.
Privacy
The right of people not to reveal information about themselves.
Multiparty Risk
The risk taken on when there are multiple organizations working on the same project. For example, if a company uses sub-contractors who in turn hire their own sub-contractors, then an attack from any of those entities or even their financial collapse poses a threat to the project.
Residual Risk
The risk that remains after management implements internal controls or some other response to risk.
Chief Information Officer (CIO)
The senior manager responsible for the overall management of information resources in an organization
Job Responsibilities
The specific work tasks an employee is required to perform on a regular basis.
Third-Party Governance
The system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements.
Information Security (Infosec) Team
The team or department responsible for security within an organization.
Risk Appetite
The total amount of risk that an organization is willing to shoulder in aggregate across all assets.
Shadow IT
The use of IT solutions that are managed outside of and without the knowledge of the IT department.
Tokenization
The use of a random value to take the place of a data element that has traceable meaning.
Two-Factor Authentication (2FA)
The use of two different components to verify a user's claimed identity. Also known as multi-factor authentication.
Asset Value (AV)
The value of the asset you are trying to protect.
Just-in-time (JIT) Provisioning
These solutions automatically create the relationship between two entities so that new users can access resources.
Attack Payload
Think of this as a container (e.g., the outside of a bomb) that delivers the exploit (the explosives) that take advantage of one or more vulnerabilities exposing the target to the attacker.
Knowledge-Based Authentication (KBA)
This is used for fraud prevention. Consumers probably know this as the "secret question" users must answer before being granted access.
Synchronous Dynamic Password Token
Time-based and synchronized with an authentication server.
Business Case
To demonstrate a business-specific need to alter an existing process or choose an approach to a business task.
Security Professional
Trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management.
Spraying Attack
Tries to log onto a system with common passwords before moving on. Used to bypass account lockout security controls.
Chief Information Security Officer (CISO)
Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.
Spam
Unsolicited email.
Health Information Technology for Economical and Clinical Health Act of 2009 (HITECH)
Updated many of HIPAA's privacy and security requirements. Implemented Business Associate Agreements (BAA) that would hold business associates accountable in the same manner as a HIPAA covered entity.
Top-Down Approach
Upper, or senior, management is responsible for initiating and defining policies for the organization.
Cost/Benefit Analysis
Used to determine whether a safeguard actually improves security without costing too much. [ALE Pre-Safeguard - ALE Post-Safeguard] - Annual Cost of Safeguard (ACS) = Value of the safeguard to the company. If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, then the value represents the annual savings the safeguard provides to the organization.
Managed Service Accounts
Used to run and manage services and applications.
Accountability
Users and other subjects can be held accountable for their actions when auditing is implemented.
Context-Aware Authentication
Uses multiple elements to authenticate a user and a mobile device.
Cloud-Based Federation
Uses third-party services to share federated identities.
Invoice Scams
Using fraudulent invoices to steal from a company.
Asset Valuation
Value assigned to an asset based on a number of factors such as importance to the organization, use in critical processes, actual cost, and non-monetary expenses and costs.
Authentication
Verifies the subject's identity by comparing one or more factors against a database of valid identities, such as user accounts.
On-Site Assessment
Visit the site of the organization to interview personnel and observe their operating habits.
Baiting
When a malicious individual leaves malware-infected removable media, such as a USB drive or optical disc, lying around in plain view.
Federated Identity Management (FIM)
When a user's identity is shared across multiple identity management (IdM) systems.
Mandatory Vacations
When an organization requires that an employee take a certain amount of days of vacation consecutively. This makes it easier to detect fraud, abuse, and negligence by the employee that regularly performs certain duties. Popular in the financial industry.
Tailgating/Piggybacking
When an unauthorized individual enters a restricted-access building by following an authorized user.
Trademarks
Words, slogans, and logos used to identify a company and its products or services. Granted for an initial period of 10 years, and can be renewed for unlimited successive 10-year periods.
Quantitative Risk Analysis Formulas
Yikes math! LOL Think of Exposure Factor (EF) as loss potential to make it easier to remember.
Qualitative Risk Analysis
Assigns subjective and intangible values to the loss of an asset and takes into account perspectives, feelings, intuition, preferences, ideas, and gut reactions.
Defense in Depth
Employing multiple layers of controls to avoid a single point of failure.
Identity as a Service (IDaaS)
Third-party service that provides identity and access management. Effectively provides SSO for the cloud and is especially useful when clients access SaaS applications.