Summary of the resource
CISSP Domain 1: Security and Risk Management - Cornerstone Information Security Concepts
- Cornerstone Information Security Concepts
  - CIA Triad
    - Confidentiality
      Notes:
      - Its opposing force is disclosure.
      - An example of a confidentiality attack would be the theft of Personally Identifiable Information (PII).
      - An example of a law that governs confidentiality is the Health Insurance Portability and Accountability Act (HIPAA).
    - Integrity
      Notes:
      - A system "back door" will violate system integrity.
      - Data Integrity
        Notes:
        - It seeks to protect information from unauthorized modification.
      - System Integrity
        Notes:
        - It seeks to protect the system itself, as opposed to the data it holds.
    - Availability
      Notes:
      - A Denial of Service (DoS) attack seeks to deny the availability of a system.
  - DAD, the opposing triad
    - Disclosure
      Notes:
      - Unauthorized release of information.
    - Alteration
    - Destruction
  - Tension between the concepts
    - Finding balance within the CIA triad
- AAA
  - Identity and Authentication
    - Identity: username
      Notes:
      - Identity alone is weak because it carries no proof.
      - You could claim to be someone that you are not.
      - Identities must be unique.
    - Authentication: password
      Notes:
      - Authentication is the method of proving you are who you identified yourself to be.
      - This can be done by providing something that only you possess, such as a password.
  - Authorization
    Notes:
    - Describes the actions you can perform on a system once authenticated.
    - Actions may include read, write and execute permissions.
  - Least Privilege
    Notes:
    - The user should only be granted the minimum amount of access needed to do their job.
  - Need to Know
    Notes:
    - It is more granular than least privilege.
    - The user must need to know that specific piece of information before accessing it.
  - Accountability
    Notes:
    - Holding a person responsible for their actions.
    - This requires auditing and logging of data.
  - Non-Repudiation
    Notes:
    - This means that a user cannot deny having performed a transaction.
    - You must have both authentication and integrity to have non-repudiation.
- Subjects
  Notes:
  - A subject is an active entity on a data system, such as a person trying to access data files.
  - Active programs and scripts can also be considered subjects.
- Objects
  Notes:
  - An object is any passive data within a system, such as documents, database tables and text files.
- Defense-in-Depth
  Notes:
  - Also called layered defense.
  - A single security control can fail, but multiple controls improve the CIA of your data.
- Due Care and Due Diligence
  - Due Care
    Notes:
    - Doing what a reasonable person would do.
    - It is also called the prudent man rule.
    - Expecting your staff to patch their systems is expecting them to exercise due care.
  - Gross Negligence
    Notes:
    - This is the opposite of due care.
  - Due Diligence
    Notes:
    - The management of due care.