Study Guide

📖 Core Concepts

Information Security – Protecting information (electronic, physical, or intangible) from unauthorized access, alteration, loss, or disclosure.
CIA Triad – Confidentiality, Integrity, Availability: the three primary security goals.
Risk Management – Identifying assets, threats, and vulnerabilities; estimating likelihood and impact; selecting controls that reduce residual risk to a level the organization accepts.
Security Controls – Safeguards (technical, administrative, physical) chosen on the basis of a risk assessment to protect CIA.
Defense in Depth – Layered security (administrative → logical → physical) so that one failed control does not compromise the whole system.
Access Control – Identification (who you claim to be) → Authentication (prove it) → Authorization (what you may do).
Cryptography – Transforming data (encryption) and verifying authenticity (digital signatures, MACs) using keys.
Due Care & Due Diligence – Documented, verifiable protections (care) plus ongoing monitoring and maintenance (diligence).
Incident Response & Business Continuity – Structured steps to detect, contain, and recover from incidents while keeping critical functions running.

---

📌 Must Remember

CIA: Confidentiality = no unauthorized disclosure; Integrity = no unauthorized modification; Availability = ready when needed.
Risk = Threat × Vulnerability × Impact (qualitative or quantitative).
Residual Risk = risk left after controls are applied.
Risk Treatment Options: Accept, Mitigate, Transfer, Avoid.
Control Types: Technical (firewalls, encryption), Administrative (policies, training), Physical (locks, cameras).
Access Control Models: DAC (owner decides), MAC (classification‑based), RBAC (role‑based).
Multi‑Factor Authentication = ≥2 factors from different categories (something you know, have, or are); two passwords are still a single factor.
Encryption Key Length – Longer keys resist brute force; short or weak keys (e.g., 56‑bit DES) are breakable. Key length only helps if the algorithm, mode of operation, and key management are also sound.
PKI – Manages public/private keys, certificates, and revocation (CRL, OCSP).
Incident Response Phases: Preparation → Detection & Analysis → Containment → Eradication → Recovery → Lessons Learned.
Business Continuity vs. Disaster Recovery – Continuity keeps essential functions running; DR restores IT systems after a catastrophe.
Key Legal Frameworks – PCI DSS (payment card data), HIPAA (US health data), GDPR (EU personal data; a regulation that replaced the earlier Data Protection Directive), US state breach‑notification laws.

---

🔄 Key Processes

Risk Management Cycle: Identify assets → Assess threats → Assess vulnerabilities → Estimate impact → Calculate risk → Select controls → Implement → Monitor & review.
Control Selection (ISO/IEC 27001/27002): Map assets → Choose controls from the catalog (technical, administrative, physical) → Document justification (cost vs. risk).
Access Control Workflow: Identify (username) → Authenticate (password, token, biometrics) → Authorize (ACL, role, policy) → Audit (log both success and failure).
Change Management Process: Request → Preliminary review → Approval → Planning (scope, impact, resources) → Testing (incl. back‑out plan) → Scheduling → Communication → Implementation → Post‑change review.
Incident Response Activation: Detect breach → Activate IR plan → Assemble IR team → Contain → Eradicate → Recover → Conduct post‑mortem.
Business Continuity Planning: Identify critical functions → Perform risk assessment → Define recovery objectives (RTO, RPO) → Design redundancy (HA, backups) → Test exercises → Maintain & improve.

---

🔍 Key Comparisons

DAC vs. MAC vs. RBAC
DAC – Owner‑centric, flexible, prone to over‑granting.
MAC – Classification‑driven (labels on objects, clearances on subjects), rigid, used in high‑security environments.
RBAC – Role‑centric, simplifies large‑scale permission management.

Technical vs. Administrative vs. Physical Controls
Technical – Enforce policy via technology (firewalls).
Administrative – Define policy & procedures (training).
Physical – Protect hardware and facilities (locks).

Due Care vs. Due Diligence
Due Care – “What we did” (documented safeguards).
Due Diligence – “What we keep doing” (continuous monitoring).
Incident Response vs. Disaster Recovery
IR – Immediate containment & eradication.
DR – Restoring IT infrastructure after the event.

---

⚠️ Common Misunderstandings

“Encryption alone guarantees confidentiality.” – Keys must be protected; weak algorithms, short keys, or an unauthenticated mode nullify the protection.
“Firewalls protect against all attacks.” – Firewalls are network controls; insider threats, application flaws, and physical breaches need other layers.
“If a risk is low, we can ignore it.” – Low‑likelihood but high‑impact risks may still require mitigation (e.g., ransomware that takes every system down at once).
“RBAC eliminates the need for any other access model.” – RBAC works best with supplemental DAC or MAC for special cases.
“Compliance = security.” – Meeting standards (PCI DSS, HIPAA) is necessary but not sufficient; the controls must actually be effective.

---

🧠 Mental Models / Intuition

Onion Model – Visualize security as concentric layers (physical → network → host → application → data); an attacker must cut through each layer in turn.
Risk = Likelihood × Impact – Treat risk like “expected loss” in finance; prioritize high‑impact and high‑likelihood items.
Least Privilege = “Need‑to‑Know” – Give users only the minimal rights required; this shrinks the attack surface.
Defense in Depth = “Multiple Nets” – If one net (control) fails, the next catches the fall.

---

🚩 Exceptions & Edge Cases

Short Encryption Keys – DES (56‑bit) is obsolete; avoid it in any modern system.
PKI Certificate Revocation – Revoked certificates may still be cached, and many clients soft‑fail (accept the certificate) when the OCSP responder is unreachable; make sure CRL/OCSP checks are actually enforced.
Physical Access in Cloud Environments – Data may be physically hosted off‑site; physical controls extend to the provider’s facilities and are inherited from the provider under the shared‑responsibility model.
Zero‑Day Exploits – Unknown vulnerabilities bypass signature‑based controls; rely on layered defense and a rapid patching process.

---

📍 When to Use Which

Choose MAC when dealing with classified government data or strict regulatory labeling.
Use RBAC for large organizations with well‑defined job functions; it simplifies permission audits.
Apply ECC (Elliptic Curve Cryptography) over RSA when you need strong security with short keys (e.g., mobile devices).
Select WPA2‑PSK for small office/home networks; use WPA2‑Enterprise with RADIUS/802.1X for larger, centrally managed environments (WPA3‑Personal/Enterprise where the hardware supports it).
Adopt ISO/IEC 27001 if you need an auditable, certifiable ISMS; use the NIST CSF for a flexible, risk‑based framework.

---

👀 Patterns to Recognize

Repeated “Confidentiality‑Integrity‑Availability” phrasing → question likely about CIA trade‑offs.
Mention of “risk treatment options” → expect an answer about Accept, Mitigate, Transfer, Avoid.
Reference to “layered” or “onion” → indicates a defense‑in‑depth scenario.
Key term “authentication factor” → look for a two‑factor or multi‑factor answer.
Legal citations (PCI DSS, HIPAA, GDPR) → focus on the required controls (encryption, breach notification).

---

🗂️ Exam Traps

Choosing “Encryption” as the sole control for ransomware – ransomware is an attack on availability; encrypting data at rest does not stop it. You need offline or immutable backups and an incident response plan.
Selecting “firewall” to satisfy “physical security” – firewalls are logical controls; physical security needs locks, badges, CCTV.
Confusing “due care” with “due diligence” – care is the documented steps taken; diligence is the ongoing monitoring.
Assuming “AES‑256” is always the best choice – key management, mode of operation (unauthenticated CBC vs. authenticated GCM), and implementation quality matter as much as key length.
Picking “MAC” for all access decisions – MAC is classification‑based; most environments rely on DAC/RBAC.

---
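The access control workflow (identify → authenticate → authorize → audit) and the DAC vs. MAC vs. RBAC comparison above, as an added example that is not part of the study guide: a small Go policy engine that evaluates the same request under each model and writes an audit entry for every decision, allowed or denied. The subjects, roles, objects, classification labels and the `Authorize` function that layers RBAC over MAC are all constructed for this example; they illustrate the models, they are not a standard.

```go
package main

import (
	"fmt"
	"time"
)

// Level is a MAC classification label; higher values are more sensitive.
type Level int

const (
	Public Level = iota
	Internal
	Confidential
	Secret
)

// Subject is a principal that has already been identified and authenticated.
type Subject struct {
	Name      string
	Clearance Level    // used by MAC
	Roles     []string // used by RBAC
}

// Object is a protected resource. ACL is the DAC part: the owner decides who else may do what.
type Object struct {
	Name  string
	Owner string
	Level Level
	ACL   map[string][]string // subject name -> permitted actions
}

// AuditEntry is the "audit" step of identify -> authenticate -> authorize -> audit.
type AuditEntry struct {
	When    time.Time
	Model   string
	Subject string
	Action  string
	Object  string
	Allowed bool
}

// Engine holds the RBAC role table and the audit trail.
type Engine struct {
	RolePerms map[string]map[string]bool // role -> action -> allowed
	Audit     []AuditEntry
}

func NewEngine(rolePerms map[string]map[string]bool) *Engine {
	return &Engine{RolePerms: rolePerms}
}

// record logs every decision, allowed or denied, and passes the decision through.
func (e *Engine) record(model string, s Subject, action string, o Object, ok bool) bool {
	e.Audit = append(e.Audit, AuditEntry{time.Now(), model, s.Name, action, o.Name, ok})
	return ok
}

// DAC: the owner may do anything; everyone else only what the owner's ACL lists.
func (e *Engine) DAC(s Subject, action string, o Object) bool {
	ok := s.Name == o.Owner
	for _, a := range o.ACL[s.Name] {
		ok = ok || a == action
	}
	return e.record("DAC", s, action, o, ok)
}

// MAC (Bell-LaPadula rules): no read up, no write down. Ownership is irrelevant; only labels matter.
func (e *Engine) MAC(s Subject, action string, o Object) bool {
	ok := false
	switch action {
	case "read":
		ok = s.Clearance >= o.Level
	case "write":
		ok = s.Clearance <= o.Level
	}
	return e.record("MAC", s, action, o, ok)
}

// RBAC: allowed if any role held by the subject grants the action.
func (e *Engine) RBAC(s Subject, action string, o Object) bool {
	ok := false
	for _, r := range s.Roles {
		ok = ok || e.RolePerms[r][action]
	}
	return e.record("RBAC", s, action, o, ok)
}

// Authorize layers the models (RBAC for job function, MAC for classification),
// evaluating both so that each decision appears in the audit trail.
func (e *Engine) Authorize(s Subject, action string, o Object) bool {
	byRole := e.RBAC(s, action, o)
	byLabel := e.MAC(s, action, o)
	return byRole && byLabel
}

// Denials returns the refused requests, the first thing an auditor asks for.
func (e *Engine) Denials() []AuditEntry {
	var out []AuditEntry
	for _, a := range e.Audit {
		if !a.Allowed {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	e := NewEngine(map[string]map[string]bool{
		"analyst": {"read": true},
		"admin":   {"read": true, "write": true},
	})
	alice := Subject{"alice", Confidential, []string{"analyst"}}
	bob := Subject{"bob", Secret, []string{"admin"}}
	payroll := Object{"payroll.xlsx", "bob", Confidential, map[string][]string{"alice": {"read"}}}
	fmt.Println("alice read:", e.Authorize(alice, "read", payroll)) // true
	fmt.Println("bob write:", e.Authorize(bob, "write", payroll))   // false: MAC forbids writing down
	for _, d := range e.Denials() {
		fmt.Printf("DENY %s %s %s (%s)\n", d.Subject, d.Action, d.Object, d.Model)
	}
}
```

Note what the three models disagree on: bob owns the file, so DAC lets him write it, but his Secret clearance is above the file's Confidential label, so MAC refuses the write (no write down). That is the "RBAC works best with supplemental MAC for special cases" point made concrete, and the audit trail records the refusal.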
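The exam trap about AES‑256 and the "mode matters as much as key length" point, as an added example that is not from the study guide: the same AES‑256 key used in CBC without a MAC and in GCM. The key, IV and nonce are fixed constructed values so the run is deterministic (a real system draws the key from a key store and a fresh random IV or nonce per message from a CSPRNG; reusing a GCM nonce under one key is fatal). Flipping one byte of the CBC ciphertext changes the decrypted plaintext and decryption reports no error; the same flip against GCM is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed key and IV/nonce for a deterministic demonstration only.
var (
	key   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes = AES-256
	ivCBC = []byte("constructed-iv16")                 // 16 bytes = one block
	nonce = []byte("nonce12bytes")                     // 12 bytes, GCM standard size
)

// pad applies PKCS#7 padding to a whole number of AES blocks.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptCBC returns iv || ciphertext. There is no MAC, so the output is malleable.
func EncryptCBC(plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, ivCBC).CryptBlocks(out, padded)
	return append(append([]byte{}, ivCBC...), out...), nil
}

// DecryptCBC checks only the padding; it cannot tell a forged message from a genuine one.
func DecryptCBC(ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	iv, body := ct[:aes.BlockSize], ct[aes.BlockSize:]
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, body)
	return unpad(out)
}

// EncryptGCM returns nonce || ciphertext || tag. aad is authenticated but not encrypted.
func EncryptGCM(plain, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return g.Seal(append([]byte{}, nonce...), nonce, plain, aad), nil
}

// DecryptGCM verifies the tag before releasing any plaintext.
func DecryptGCM(ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ct) < g.NonceSize() {
		return nil, errors.New("bad ciphertext length")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}

// FlipByte XORs delta into byte i of a copy of ct. On the CBC output, byte i of
// the IV is XORed straight into byte i of the first plaintext block, so the
// edit lands cleanly and leaves the padding untouched.
func FlipByte(ct []byte, i int, delta byte) []byte {
	out := append([]byte{}, ct...)
	out[i] ^= delta
	return out
}

func main() {
	msg := []byte("amount=0100;to=alice") // constructed sample record; '0' at offset 7
	cbc, _ := EncryptCBC(msg)
	forged, err := DecryptCBC(FlipByte(cbc, 7, '0'^'9'))
	fmt.Printf("CBC after one-byte flip: %q err=%v\n", forged, err) // amount=9100..., err=<nil>
	gcm, _ := EncryptGCM(msg, []byte("v1"))
	_, err = DecryptGCM(FlipByte(gcm, 12+7, '0'^'9'), []byte("v1"))
	fmt.Println("GCM after one-byte flip:", err) // authentication failed
}
```

The attacker never needed the key: changing a transfer amount in the CBC ciphertext is pure arithmetic on bytes it can see. Key length had nothing to do with it. The fix is an authenticated mode (GCM, ChaCha20-Poly1305) or an encrypt-then-MAC construction, and binding context such as a record version into the associated data so a ciphertext cannot be replayed under a different header.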
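The multi‑factor authentication point (≥2 factors from different categories) and the "authentication factor" exam pattern, as an added example that is not from the study guide: a Go implementation of HOTP/TOTP (RFC 4226 / RFC 6238) as the "something you have" factor, combined with a password as the "something you know" factor, so that neither alone logs a user in. The user record, password and salt are constructed; the TOTP secret is the RFC test‑vector secret so the codes can be checked against the published vectors. The salted SHA‑256 password hash is a placeholder (production uses a slow hash such as bcrypt, scrypt or Argon2).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	Step   = 30 * time.Second // RFC 6238 default time step
	Window = 1                // accept one step of clock skew either side
)

// HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation,
// then the low `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter derived from Unix time.
func TOTP(secret []byte, at time.Time, digits int) string {
	return HOTP(secret, uint64(at.Unix())/uint64(Step/time.Second), digits)
}

// VerifyTOTP accepts the code for the current step or Window steps either side,
// always doing the same number of constant-time comparisons. A real server also
// records the last accepted step and refuses to accept that code a second time.
func VerifyTOTP(secret []byte, code string, now time.Time, digits int) bool {
	ok := false
	for d := -Window; d <= Window; d++ {
		expected := TOTP(secret, now.Add(time.Duration(d)*Step), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

// user is a constructed record. Salted SHA-256 stands in for a real password hash.
type user struct {
	salt, pwHash, totpSecret []byte
}

func newUser(password string, secret []byte) user {
	salt := []byte("constructed-salt")
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return user{salt: salt, pwHash: h[:], totpSecret: secret}
}

var users = map[string]user{
	// RFC 4226/6238 test-vector secret, used only so the codes are checkable.
	"alice": newUser("correct horse battery staple", []byte("12345678901234567890")),
}

// Login requires two factors from different categories: something you know
// (the password) and something you have (the device holding the TOTP secret).
func Login(name, password, code string, now time.Time) (bool, string) {
	u, found := users[name]
	if !found {
		return false, "unknown user"
	}
	h := sha256.Sum256(append(append([]byte{}, u.salt...), password...))
	if subtle.ConstantTimeCompare(h[:], u.pwHash) != 1 {
		return false, "wrong password"
	}
	if !VerifyTOTP(u.totpSecret, code, now, 6) {
		return false, "second factor failed"
	}
	return true, "ok"
}

func main() {
	now := time.Now()
	code := TOTP(users["alice"].totpSecret, now, 6) // what the authenticator app shows
	ok, why := Login("alice", "correct horse battery staple", code, now)
	fmt.Println(ok, why)
	ok, why = Login("alice", "correct horse battery staple", "000000", now)
	fmt.Println(ok, why) // the password alone is not enough
}
```

The skew window is the practical edge case: a code from the previous 30‑second step is still accepted, one from two steps back is not, so a user whose phone clock drifts by a few seconds is not locked out while an intercepted code goes stale quickly.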