1.2 Core principles

Question 1

What is the principle of least privilege

Answer 1

• Everyone can do everything they need to do, and nothing more
• Everyone can do everything: If security gets in the way of the mission security is wrong not the mission – your security implementation must not prevent others from doing their jobs. For example, some security measures increase latency, which makes the network extremely slow.
• Nothing more: Users should only have access to parts of the network that they require to perform their duties. If everyone has access to everything, when a malicious actor compromises one account they can access the entire system.

Question 2

What is the CIA non-triad

Answer 2

• Confidentiality: Only those who require access have that access
• Integrity: Data is kept pristine, meaning it is modified only by the correct people, in the correct way, and with the correct information
• Availability: Available to use when you need it

In reality the three of these are not equal parts
* Government and pharmaceuticals: confidentiality is the number #1 priority in a classified space. For example, pharmaceutical companies who didn’t receive a patent yet while do whatever it takes to protect its exact formula
* Online banking: Integrity is most important here – if someone can change your balance, it means that they’ve stolen your money.
* E-commerce: The availability of an e-commerce website like amazon is most important, a DDoS attack can result in a $734,410 lose in one minute
* Key takeaway: There is no CIA triad because you cannot prioritize all three equally, you need to use it as a measure of prioritization to figure out which of the three is most important to an organization or a specific department

Question 3

What is the AAA

Answer 3

• Authentication: Verification of someone’s identity. We force the user to authenticate so that we know for certain he is who he says he is.
• Authorization: Once authenticated, what files will we allow the user to access, what resources will be available to them?
• Accountability: What did the user do, did they try to access unauthorized files, services, or resources, did they visit inappropriate websites?

Question 4

What is the PPT

Answer 4

• Policy: Broad general statement of management’s intent – they describe the step-by-step procedures to implement the management’s intent.
• Procedure: Detailed steps to dictate how policy should be put into place.
• Training: How everyone knows what the policies and procedures say. You need an awareness program that at minimum makes people aware of the policies and procedures they need to uphold.

Question 5

What is patch management

Answer 5

• Software bugs are inevitable – and fixed via patching
• Keeping systems updated is important to ensuring security and stability
• Microsoft Windows 10 has 50 million lines of code – there’s no way you can debug all of the bugs, so they will always be a problem
• Patch management is about ensuring all systems are kept completely up-to-date on all patches

Question 6

What is prevent/detect/respond

Answer 6

• Prevention: Organizations should put all prevention mechanisms and technologies that defend against a malicious attack occurring in the first place.
• Detection: Since any human defence can be broken by other humans with enough time and resources, you want to be able to detect all the cases that you can’t prevent. When failure of prevention occurs you need detection.
• Respond: Once a failure is detected – you must do something about it. Companies who IDS but don’t respond once an incident is detected, that’s useless. Response consists of incident management to restore operations and forensic analysis to determining what went wrong to prevent it again.

Question 7

What is the role of senior manager, data owner, data custodian, user, and security manager

Answer 7

• Senior manager: the legal responsibility to protect the assets of the organization – because the security program is all about protecting assets, this means that they also have the ultimate responsibility for security.
• Data owner: the person with the primary responsibility of a particular piece of data, they set the classification and protective measures
• Data custodian: the person or group who actually protects the data – they make the decisions of the owner become reality – they often act as advisors to the owners, as owners may not know what security measures are possible
• User: Clear that the user is the one who uses the data but is also implied that they are simultaneously custodians as they have the responsibility to protect the data they use
• Security manager: advises, recommends, teaches the senior manager, data owner, custodian, and user but does not actually make any decisions.