CISSP Domain 1: Security and Risk Management - Cornerstone Information Security Concepts

Description

CISSP certificate mind map on CISSP Domain 1: Security and Risk Management - Cornerstone Information Security Concepts, created by reginaldsands on 26-02-2016.

Resource Summary

CISSP Domain 1: Security and Risk Management - Cornerstone Information Security Concepts
  1. Cornerstone Information Security Concepts
    1. CIA Triad
      1. Confidentiality

        Notes:

        • - Seeks to prevent unauthorized disclosure of information; its opposing force is Disclosure. - An example of a confidentiality attack is the theft of Personally Identifiable Information (PII). - An example of a law that governs confidentiality is the Health Insurance Portability and Accountability Act (HIPAA).
      2. Integrity

        Notes:

        • - Seeks to prevent unauthorized modification; its opposing force is Alteration. - A system "back door" violates system integrity.
        1. Data Integrity

          Notes:

          • - Seeks to protect information from unauthorized modification.
        2. System Integrity

          Notes:

          • - Seeks to protect a system (its operating system, configuration and programs) from unauthorized modification.
      3. Availability

        Notes:

        • - Seeks to ensure that systems and information are accessible when authorized subjects need them; its opposing force is Destruction. - A Denial of Service (DoS) attack seeks to deny the availability of a system.
    2. DAD: the opposing triad
      1. Disclosure

        Notes:

        • - Unauthorized release of information (the opposite of confidentiality).
      2. Alteration

        Notes:

        • - Unauthorized modification of information or systems (the opposite of integrity).
      3. Destruction

        Notes:

        • - Rendering data or systems unusable or unreachable (the opposite of availability).
    3. Tension between the concepts
      1. Finding balance within CIA

        Notes:

        • - Strengthening one leg of the triad can weaken another: stronger confidentiality controls such as encryption and strict access control can reduce availability, so controls must be balanced against the organization's needs.
    4. AAA
      1. Identity and Authentication
        1. Identity: username

          Notes:

          • - Identity alone is weak because it carries no proof: you could claim to be someone you are not. - Identities must be unique.
        2. Authentication: password

          Notes:

          • - Authentication is the method of proving you are who you identified yourself to be. - This can be done by presenting something only you know, such as a password (other factors are something only you have, such as a token, and something you are, such as a fingerprint).
      2. Authorization

        Notes:

        • - Describes the actions you may perform on a system once you have been identified and authenticated. - Actions may include read, write and execute permissions.
        1. Least Privilege

          Notes:

          • - A user should be granted only the minimum amount of access needed to do their job.
        2. Need to Know

          Notes:

          • - More granular than least privilege: even with sufficient access, a user must need to know a specific piece of information before accessing it.
      3. Accountability

        Notes:

        • - Holding a person responsible for their actions. - This requires auditing and logging of subject activity.
        1. Non-Repudiation

          Notes:

          • - A user cannot deny having performed a transaction. - You must have both authentication and integrity to have non-repudiation.
    5. Subjects and Objects
      1. Subject

        Notes:

        • - A subject is an active entity on a data system, such as a person trying to access data files. - Active programs and scripts can also be subjects.
      2. Object

        Notes:

        • - An object is any passive data within a system, such as documents, database tables and text files.
    6. Defense-in-Depth

      Notes:

      • - Also called layered defense. - A single security control can fail, but multiple independent controls improve the CIA of your data.
    7. Due Care and Due Diligence
      1. Due Care

        Notes:

        • - Doing what a reasonable person would do. - Also called the prudent man rule. - Expecting your staff to patch their systems is expecting them to exercise due care.
        1. Gross Negligence

          Notes:

          • - The opposite of due care: failing to do what a reasonable person would do.
      2. Due Diligence

        Notes:

        • - The management of due care: verifying, through audits, reviews and testing, that due care is actually being exercised.
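The AAA chain, subject/object model and audit-log integrity described in this map, as an added worked example (this is not code from the original mind map or from (ISC)²). The users "alice" and "bob", their passwords, the objects "payroll.db" and "handbook.txt", and the permission matrix are all constructed sample data. Identification is the claimed username, authentication checks a salted PBKDF2 hash, authorization consults a least-privilege access matrix, and accountability is a hash-chained audit log whose verify() detects alteration of any record.

```python
"""Added example (not from the original mind map): Domain 1 access-control
concepts as working code. All users, passwords, objects and permissions are
constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# ---- Identification and authentication ----------------------------------
# The username is only a claimed identity; authentication proves it by checking
# a secret only the subject should know (the password) against a salted hash.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Directory:
    """Unique identities and their credential hashes."""
    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def add_user(self, username: str, password: str) -> None:
        if username in self._users:          # identities must be unique
            raise ValueError(f"identity already exists: {username}")
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            _hash_password(password, b"\x00" * 16)   # same cost for unknown users
            return False
        salt, expected = record
        return hmac.compare_digest(_hash_password(password, salt), expected)

# ---- Authorization -------------------------------------------------------
# Subjects (users) act on objects (files). The matrix lists only the actions
# each subject needs for its job (least privilege); anything absent is denied,
# so bob has no access at all to payroll.db (no need to know).
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "handbook.txt": {"read"}},
    "bob": {"handbook.txt": {"read"}},
}

def authorized(subject: str, obj: str, action: str) -> bool:
    return action in ACCESS_MATRIX.get(subject, {}).get(obj, set())

# ---- Accountability ------------------------------------------------------
# Every access decision is logged. Each entry's hash covers the previous hash,
# so altering or deleting a record breaks the chain and verify() reports it.
@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, subject: str, obj: str, action: str, allowed: bool) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        line = f"{subject}|{obj}|{action}|{'ALLOW' if allowed else 'DENY'}"
        digest = hashlib.sha256((prev + line).encode()).hexdigest()
        self.entries.append({"line": line, "prev": prev, "hash": digest})

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            expected = hashlib.sha256((prev + entry["line"]).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True

def access(directory: Directory, log: AuditLog, username: str, password: str,
           obj: str, action: str) -> bool:
    """Identify, authenticate, authorize, then log; True only if every step passes."""
    if not directory.authenticate(username, password):
        log.record(username, obj, action, False)
        return False
    allowed = authorized(username, obj, action)
    log.record(username, obj, action, allowed)
    return allowed

def demo() -> dict:
    """Run the constructed scenarios and return the outcome of each."""
    directory = Directory()
    directory.add_user("alice", "correct horse battery staple")   # constructed credentials
    directory.add_user("bob", "hunter2")
    log = AuditLog()
    results = {
        "alice_reads_payroll": access(directory, log, "alice", "correct horse battery staple", "payroll.db", "read"),
        "bob_reads_payroll": access(directory, log, "bob", "hunter2", "payroll.db", "read"),
        "bob_wrong_password": access(directory, log, "bob", "wrong", "handbook.txt", "read"),
        "log_intact": log.verify(),
    }
    # Tamper with the second record (bob's DENY) and show that the chain catches it.
    log.entries[1]["line"] = log.entries[1]["line"].replace("DENY", "ALLOW")
    results["log_after_tamper"] = log.verify()
    return results
```

Calling demo() runs the scenarios: alice is allowed to read payroll.db, bob is denied the same read because he has no need to know, bob with a wrong password fails authentication before authorization is even consulted, and the log verifies until a record is altered. The hash chain gives the log integrity but not non-repudiation: anyone holding the log can recompute the chain, so a deployment that needs non-repudiation would sign each entry with a key the logging subject alone controls.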
