38 Cards in this Set
Front: IS Risk Management
Back: Threats (bad things that cause harm); Vulnerabilities (weaknesses in systems or policies that can be exploited to cause damage); Impacts (consequences when a threat exploits a vulnerability).

Front: Computer crime
Back: Using a computer to commit an illegal act.

Front: Hacking
Back: Gaining access without permission.

Front: Cracking
Back: Illegal access in order to do damage or commit a crime.

Front: Hacktivists
Back: Political or ideological graffiti (website defacement).

Front: Cyberterrorist
Back: Plants destructive programs and threatens to activate them for ransom.

Front: Industrial Espionage
Back: Covert activities: theft, trade secrets, blackmail, etc.

Front: Risk
Back: Possibility that a threat will exploit a vulnerability.

Front: Asset
Back: Monetary value of a configuration item.

Front: Vulnerability
Back: Weakness that can be exploited.

Front: Threat
Back: Something that exploits a vulnerability.

Front: Risk Management Process
Back: 1. Identify risk; 2. Analyze and prioritize; 3. Mitigate; 4. Audit the RM plan.

Front: Breach impact
Back: Fines; loss of intellectual property; loss of reputation and customers; loss of employees; loss of stakeholder confidence.

Front: Network Address Translation (NAT)
Back: Many computers share the same public IP address.

Front: Risk Analysis
Back: Quantitative (mathematical); Qualitative (severity level).

Front: Defense in depth (layers)
Back: Network security.

Front: Mission critical system protection
Back: Information assurance; risk management; defense in depth; contingency planning.

Front: Cybersecurity goals
Back: Confidentiality, Integrity, Availability, Nonrepudiation, Authentication.

Front: Encryption
Back: Maintains confidentiality.

Front: Obstacles
Back: Human; Technological.

Front: CIA
Back: Confidentiality, Integrity, Availability.

Front: AAA
Back: Assurance, Authenticity, Anonymity.

Front: Assurance = trust
Back: Policies, Permissions, Protections.

Front: Authenticity
Back: Nonrepudiation (cannot be denied); digital signatures.

Front: Anonymity
Back: Aggregation, Mixing, Proxies, Pseudonyms.

Front: Threats
Back:
Eavesdropping -- data interception
Alteration -- data modification
Denial-of-service -- data interruption
Masquerading -- data fabrication
Repudiation -- denial of data assurance
Correlation -- data integration to discover the source

Front: Economy of mechanism
Back: Simplicity in the design or implementation of security measures.

Front: Fail-safe defaults
Back: The default configuration should have a conservative protection scheme.

Front: Complete mediation
Back: Access to a resource must be checked for compliance with the protection scheme.

Front: Open design
Back: Security shouldn't rely on keeping source code secret; it should rely only on keeping cryptographic keys secret. Contrast with security through obscurity.

Front: Separation of privilege
Back: Access control by requiring multiple conditions to be met; component separation.

Front: Least privilege
Back: The bare minimum privileges needed to accomplish the task.

Front: Least common mechanism
Back: Minimize sharing of resources; users should use separate channels to access a shared resource.

Front: Psychological acceptability
Back: Well-designed, intuitive UI; minimize differences to avoid user confusion.

Front: Work factor
Back: The security scheme should fit the risk; no need to use a sledgehammer to kill a mosquito.

Front: Compromise recording
Back: Sometimes it is better to log an intrusion than to spend resources preventing the break-in.

Front: Risk framework
Back: Threat, Vulnerability, Risk, Attack, Target.
Hint: You need all five of these to have a problem. Take away any one of them and you eliminate the problem.

Front: Unified Threat Management (UTM)
Back: Blacklist: firewall, antivirus, IDS. Whitelist: AppLocker.