Kindle Notes & Highlights
Read between January 2 - November 9, 2020
http://blogs.getcertifiedgetahead.com/,
Project Management Institute Agile Certified Practitioner (PMI-ACP) certification.
Identification, authentication, and authorization combined provide access controls
Identification. Users claim an identity with a unique username.
Authentication. Users prove their identity with authentication, such as with a password.
Authorization. Next, you can grant or restrict access to resources using an authorization method, such as permissions.
Steganography: the practice of hiding data within data.
Obfuscation: it’s called security by obscurity or security through obscurity.
Confidentiality ensures that data is only viewable by authorized users.
The best way to protect the confidentiality of data is by encrypting it.
Integrity provides assurances that data has not changed.
You can use hashing techniques to enforce integrity.
Message authentication code (MAC) provides integrity similar to how a hash is used.
Some email programs use a message authentication code (MAC) instead of a hash to verify integrity,
http://gcgapremium.com/501labs/.
Integrity provides assurances that data has not been modified, tampered with, or corrupted.
You can also use digital signatures for integrity.
Digital signatures can verify the integrity of emails and files and they also provide authentication and non-repudiation.
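The highlights above contrast a plain hash, a message authentication code (MAC), and a digital signature as integrity mechanisms. The following Python example is added here to make the first two concrete; it is not from the book. The message and the shared key are constructed sample values. It shows that a hash detects accidental corruption but cannot tell the receiver who produced the hash (anyone who alters the data can recompute it), whereas an HMAC built over a shared key fails for any party that does not hold the key, which is the authentication property the MAC highlight refers to.

```python
import hashlib
import hmac

# Constructed sample message (not from the book).
MESSAGE = b"Transfer $100 to account 1234"
# Constructed shared secret for the MAC example; in practice it is provisioned
# out of band and is never sent alongside the message.
SHARED_KEY = b"example-shared-secret-key"


def sha256_digest(data: bytes) -> str:
    """Plain hash: anyone can compute it, so it detects change but not who changed it."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected: str) -> bool:
    """Recompute the hash and compare in constant time."""
    return hmac.compare_digest(sha256_digest(data), expected)


def make_mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only holders of the key can produce or verify it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    """Recompute the tag with the shared key and compare in constant time."""
    return hmac.compare_digest(make_mac(key, data), tag)


def corruption_detected_by_hash() -> bool:
    """Accidental corruption (one flipped bit in transit) is caught by the hash."""
    digest = sha256_digest(MESSAGE)
    corrupted = bytearray(MESSAGE)
    corrupted[0] ^= 0x01
    return not verify_hash(bytes(corrupted), digest)


def tampering_survives_plain_hash() -> bool:
    """Deliberate modification is NOT caught when the hash travels unprotected:
    whoever changes the data can simply replace the hash as well."""
    tampered = b"Transfer $900 to account 9999"
    replaced_digest = sha256_digest(tampered)
    return verify_hash(tampered, replaced_digest)  # True: the receiver is fooled


def tampering_detected_by_mac() -> bool:
    """With a MAC the key is missing, so a tag computed with any other key fails."""
    tampered = b"Transfer $900 to account 9999"
    forged_tag = make_mac(b"some-other-key", tampered)  # not the shared key
    return not verify_mac(SHARED_KEY, tampered, forged_tag)


if __name__ == "__main__":
    print("hash catches corruption:", corruption_detected_by_hash())
    print("plain hash fooled by replaced hash:", tampering_survives_plain_hash())
    print("MAC rejects forged tag:", tampering_detected_by_mac())
```

The comparisons use `hmac.compare_digest` rather than `==` so that verification time does not depend on where the first differing byte is. A digital signature gives the same tamper detection as the MAC but with a private key only the signer holds, which is what adds non-repudiation; it needs an asymmetric library and is not shown here.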
Single point of failure (SPOF).
Virtualization can also increase availability of servers by reducing unplanned downtime.
Load balancing. Load balancing uses multiple servers to support a single service, such
The alternate site can be a hot site (ready and available 24/7), a cold site (a location where equipment, data, and personnel can be moved to when needed), or a warm site (a compromise between a hot site and cold site).
Backups. If personnel back up important data, they can restore it if the original data is lost.
Alternate power. Uninterruptible power supplies (UPSs) and power generators can provide power
Cooling systems. Heating, ventilation, and air conditioning (HVAC) systems improve the availability of systems by reducing outages
Availability ensures that systems are up and operational when needed and often addresses single points of failure.
You can increase availability by adding fault tolerance and redundancies, such as RAID, failover clusters, backups, and generators.
Another method of ensuring systems stay available is with patching.
One of the basic goals of implementing IT security is to reduce risk.
Risk is the possibility or likelihood of a threat exploiting a vulnerability resulting in a loss.
A threat is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability. A vulnerability is a weakness.
A security incident is an adverse event or series of events that can negatively affect the confidentiality, integrity, or availability
Risk mitigation reduces the chances that a threat will exploit a vulnerability.
Risk is the likelihood that a threat will exploit a vulnerability.
• Technical controls use technology.
• Administrative controls use administrative or management methods.
• Physical controls refer to controls you can physically touch.
• Preventive controls attempt to prevent an incident from occurring.
• Detective controls attempt to detect incidents after they have occurred.
• Corrective controls attempt to reverse the impact of an incident.
• Deterrent controls attempt to discourage individuals from causing an incident.
• Compensating controls are alternative controls used
Most security controls can be classified as technical (implemented with technology), administrative (implemented using administrative or management methods), or physical (items you can touch).
Encryption. Encryption is a strong technical control used to protect the confidentiality of data.
Risk assessments help quantify and qualify risks within an organization. A quantitative risk assessment uses cost and asset values; a qualitative risk assessment uses judgments to categorize risks based on probability and impact.