CISSP Domain 1: Security and Risk Management - Cornerstone information Security Concepts
Description
Certificate CISSP mind map on CISSP Domain 1: Security and Risk Management - Cornerstone Information Security Concepts, created by reginaldsands on 26/02/2016.
Cornerstone Information Security Concepts
CIA Triad
Confidentiality
Note:
- Its opposing force is disclosure.
- An example of a confidentiality attack is the theft of Personally Identifiable Information (PII).
- An example of a law that governs confidentiality is the Health Insurance Portability and Accountability Act (HIPAA).
Integrity
Note:
- A system "back door" violates system integrity.
Data Integrity
Note:
- It seeks to protect information from unauthorized modification.
System Integrity
Note:
- It seeks to protect the system itself from unauthorized modification.
Availability
Note:
- A Denial of Service (DoS) attack seeks to deny the availability of a system.
DAD: the opposing triad
Disclosure
Note:
- Unauthorized release of information.
Alteration
Destruction
Tension Between the Concepts
Finding balance within the CIA triad.
AAA
Identity and Authentication
Identity:
username
Note:
- Identity alone is weak because it carries no proof.
- You could claim to be someone that you are not.
- Identities must be unique.
Authentication:
password
Note:
- Authentication is the method of proving you are who you identified yourself to be.
- This can be done by giving something that only you possess, such as a password.
Authorization
Note:
- Describes the actions you can perform on a system once authenticated.
- Actions may include read, write and execute permissions.
Least Privilege
Note:
- The user should only be granted the minimum amount of access needed to do their job.
Need to Know
Note:
- It is more granular than least privilege.
- The user must need to know that specific piece of information before accessing it.
Accountability
Note:
- Holding a person responsible for their actions.
- This requires auditing and logging of data.
Non-Repudiation
Note:
- This means that a user cannot deny having performed a transaction.
- You must have both authentication and integrity to have non-repudiation.
Subjects
Note:
- A subject is an active entity on a data system, such as a person trying to access data files.
- Active programs and scripts can also be considered subjects.
Object
Note:
- An object is any passive data within a system, such as documents, database tables and text files.
Defense-in-Depth
Note:
- Also called layered defense.
- A single security control can fail, but multiple controls improve the CIA of your data.
Due Care and Due Diligence
Due Care
Note:
- Doing what a reasonable person would do.
- It is also called the prudent man rule.
- Expecting your staff to patch their systems is expecting them to exercise due care.