Security + - Risk Management

Maicon Alencar
Mind Map by Maicon Alencar, updated 8 months ago
Maicon Alencar
Created by Maicon Alencar 8 months ago
0
0

Description

Primeiro modulo do curso Udemy

Resource summary

Security + - Risk Management
1 Aula 2 - The CIA - Confidentiality, integrity, Availability
1.1 Objetivos da Segurança da Informação
1.1.1 THE CIA // O CID
1.1.1.1 Confidencialidade
1.1.1.1.1 Visualização / manuseio de dados
1.1.1.1.1.1 Manter os dados secretos de quem não precisa acessá-los
1.1.1.2 Integridade
1.1.1.2.1 Enviar / Transmitir / Receber / Guardar
1.1.1.2.1.1 Nenhuma alteração/deleção sem autorização pode ocorrer
1.1.1.3 Disponibilidade
1.1.1.3.1 Garantir que informaçao esteja disponivel
1.1.1.3.1.1 Acesso de um usuário autorizado
1.1.1.4 Complementar o CID
1.1.1.4.1 Accountability & Audition
1.1.1.4.1.1 Logging
1.1.1.4.1.1.1 Quem acessou esse arquivo?
1.1.1.4.1.1.2 Quem fez esta alteração?
1.1.1.4.2 Non Repudiation
1.1.1.4.2.1 Usuario
1.1.1.4.2.1.1 Não pode negar que fez tal ação. Ele não pode apagar rastros
1.2 Quick Review
1.2.1 The goal of security is Defined as CIA
1.2.1.1 CIA stands for confidentiality, integrity, and availability
1.2.1.1.1 Dont forget auditing, accountability and non-repudiation
2 Aula 3 - Threat Actors
2.1 Attributes
2.1.1 Internal? / External?
2.1.2 What is the intention? What's the goal?
2.1.3 How Sophisticated is? More sophisticated = more dangerous
2.1.4 Using open user inteligence? It means, facebook, twitter, shodan, etc etc
2.2 Types of Threat Actors
2.2.1 Script kiddies
2.2.1.1 easily blocked
2.2.1.2 Dont have sophistication
2.2.1.3 Use Pre-made tools
2.2.1.4 Trivial attack knowledge
2.2.2 Hacktivist
2.2.2.1 Motivation/intent/ ideology
2.2.3 Organized crime
2.2.3.1 Group of people working togetter
2.2.3.1.1 money
2.2.4 Nation States / Advanced Persistent Threat (APT)
2.2.4.1 probably the biggest issue
2.2.4.2 Big resources
2.2.4.3 Big sophistication
2.2.4.4 between governments
2.2.5 Insiders
2.2.5.1 somebody who is in the structure of company
2.2.5.1.1 not always an employee
2.2.5.2 has access to information
2.2.5.3 who can access asset
2.2.6 Competitors
2.2.6.1 between organizations
2.2.6.1.1 Its like coca cola vs pepsi
2.2.6.2 less common today
3 Aula 4 - What is Risk?
3.1 Assets
3.1.1 Computers
3.1.2 equipments
3.1.3 plants
3.1.4 people
3.1.5 intangible things
3.2 Vulnerabilities
3.2.1 weakness to an asset
3.2.1.1 leaves it open to bad things happening to it
3.2.1.1.1 example
3.2.1.1.1.1 default user name in a server
3.2.1.1.1.2 server room unlocked
3.2.1.1.1.3 garbage in street with confidential data
3.3 Threats
3.3.1 Action
3.3.1.1 Negative event that exploits a vulnerability
3.3.1.1.1 Example
3.3.1.1.1.1 someone reads the garbage
3.3.1.1.1.2 someone unauthorized running into your server room
3.3.1.1.1.3 someone unauthorized get access to your server
3.4 method to Protect our stuff from bad things
3.5 Likelihood
3.5.1 The level of certainty (certeza) that something will happen
3.5.1.1 two ways to measure
3.5.1.1.1 Quantitative likelihood
3.5.1.1.1.1 numbers, statistics, historic
3.5.1.1.1.1.1 your power supply have a MTBF of 100 000 hours
3.5.1.1.2 Qualitative likelihood
3.5.1.1.2.1 things that its so hard put numbers to measure
3.5.1.1.2.1.1 customer loyalty (lealdade de cliente)
3.6 Impact
3.6.1 The harm caused by a threat
3.6.1.1 measurements
3.6.1.1.1 quantitative
3.6.1.1.1.1 cost
3.6.1.1.2 labor (trabalho)
3.6.1.1.2.1 people work hours lost
3.6.1.1.3 time
3.6.1.1.3.1 how is the ETR?
3.6.1.1.4 qualitative
3.6.1.1.4.1 corporate reputation
3.7 Guide for risk management
3.7.1 N1ST SP 800-300
3.8 quick review
3.8.1 Threats exploit vulnerabilities to harm assets
3.8.2 assets can have vulnerabilities
3.8.3 use SP 800-30 as part of risk assessment
Show full summary Hide full summary

Similar

CET_TARDE - Security Fundamentals 2017 - Part 2
Hawerth Castro
CET_TARDE - Security Fundamentals 2017 - Preparing for the certified
Hawerth Castro
ARKAN SYSTEM
rafael.harada
CET_TARDE - Security Fundamentals 2017 - Part 1
Hawerth Castro
Security Plus
celoramires
ATI - Accountability and Talent Improvement
Leandro de Oliveira
(1) Obtenção de Informações
Rafael Silva
CET_TARDE - Security Fundamentals 2017 - Part 3
Hawerth Castro
ARKAN SYSTEM
fernandomartinsl
CET_TARDE - Security Fundamentals 2017 - Part 1
Filipe Lopes
ATI - Accountability and Talent Improvement
Leandro de Oliveira