SSCP
CIANA Security Paradigm - correct answer ✔✔1. Confidentiality
2. Integrity
3. Authorization
4. Nonrepudiation
5. Authentication
Confidentiality - correct answer ✔✔violated if any process or person can read, copy, redistribute, or make use of data we deem private or of competitive advantage worthy of protection as trade secrets, proprietary, or restricted information ; the first of the CIANA security paradigm ; sharing secrets ; legal and ethical concept about privileged communications or privileged information ; how much we can trust that the information we're about to use to make a decision has not been seen by unauthorized people
Integrity - correct answer ✔✔lost if any person or process can modify data or metadata, or execute
processes out of sequence or with bad input data ; the second of the CIANA security paradigm ;
something is whole and complete and its parts are smoothly joined together
Authorization - correct answer ✔✔Granting of permission to use data - cannot make sense if there's no way to validate to whom or what we are granting that permission ; the third of the CIANA security paradigm ; requires a 2-step process and is the 2nd step of the triple A of identity management and access control
1. Assigning privileges during provisioning (which permissions or privileges to grant to an identity and whether additional constraints or conditions apply to those permissions)
2. Authorizing a specific access request - determine whether the specifics of the access request are allowed by the permissions set in the access control tables
Nonrepudiation - correct answer ✔✔Can't exist if we can't validate or prove that the person or process in question is in fact who they claim to be and that their identity hasn't been spoofed by a man-in-the-middle kind of attacker ; the fourth of the CIANA security paradigm ; use of public key infrastructure and its use of asymmetric encryption
Availability - correct answer ✔✔Rapidly dwindles to zero if nothing stops data or metadata from unauthorized modification or deletion ; the fifth of the CIANA security paradigm
Process of Identifying a Subject - correct answer ✔✔1. Ask (or device offers) a claim as to who or what it
is
2. Claimant offers further supporting information that attests to the truth of that claim
3. Verify the believability (credibility or trustworthiness) of that supporting information
4. Ask for additional supporting information or ask a trusted 3rd party to AUTHENTICATE that
information
5. Conclude subject is whom or what it claims to be
Identity Management Lifecycle - correct answer ✔✔Describes the series of steps in which a subject's identity is initially created, initialized for use, modified as needs and circumstances change, and finally retired from authorized use in a particular information system ; provisioning —> review —> revocation
Provisioning - correct answer ✔✔Starts with initial claim of identity and a request to create a set of
credentials for that identity and distributes it throughout the organization's identity and access control
systems and data structures, starting with management's review and approval of the access request,
identifying information to be used, and privileges requested ; key to this step is IDENTITY PROOFING ;
push of this can take minutes, hours, or even a day or more; an urgent push can force a near-real-time
update if management deems necessary ; 1st step of identity management lifecycle
Review - correct answer ✔✔Ongoing process that checks whether the set of access privileges granted to a subject is still required or if any should be modified or removed ; be careful of PRIVILEGE CREEP during this ; 2nd step of identity management lifecycle
Revocation - correct answer ✔✔Formal process of terminating access privileges for a specific identity in
a system ; 3rd and final step of identity management lifecycle
Identity Proofing - correct answer ✔✔Separately validates that the evidence of identity as submitted by the applicant is truthful, authoritative, and current ; a key step of provisioning in the Identity Management Lifecycle
Privilege Creep - correct answer ✔✔Duties have changed and yet privileges that are no longer actually needed remain in effect for a given user ; be careful of this during the REVIEW step in the Identity Management Lifecycle ; the only weakness of role-based access control
Revoking - correct answer ✔✔Blocks identity from further access but changes no other data pertaining
to that identity, no matter where it might be stored in your systems
Deleting - correct answer ✔✔Catastrophic loss of information
Triple A of Identity Management And Access Control - correct answer ✔✔Authenticate, Authorize, and
Accounting
Authentication - correct answer ✔✔Where everything must start ; act of examining or testing the
identity credentials provided by a subject that is requesting access, and based on information in the
access control list, either GRANTING (accepts) access, DENYING it, or REQUESTING ADDITIONAL
credential information before making an access determination ; 1st step of triple A of identity
management and access control ; provided by identity management and access control
Accounting - correct answer ✔✔Trust but verify ; gathers data from within the access control process to
monitor the lifecycle of an access, from its initial request and permissions being granted through the
interactions by the subject with the object, to capturing the manner in which the access is terminated ;
3rd step of triple A of identity management and access control
Subject - correct answer ✔✔Try to perform an action upon an object (i.e. reading, changing, executing,
or doing anything) ; can be anything requesting access to or attempting to access anything in our system,
whether data or metadata, people, devices or another process ; can be people, software processes,
devices, or services being provided by other web-based systems ; an access control concept
Object - correct answer ✔✔Gatekeeper of information ; thing that has access ; an access control concept
Example of Subject - correct answer ✔✔Example: as a user of your company's systems you have in your possession knowledge of your user ID, password, and the proper ways to log on and access certain information or assets. You log on as what when you access that information?
Example of Object (attacker) and Subject (user) - correct answer ✔✔Example: as a user of your company's systems, an attacker tries to get you to disclose your user ID and password. In this example the attacker is the _____ while you are the _____
TLP: RED - correct answer ✔✔US-Cert Traffic Light Protocol - when information cannot be effectively acted upon by additional parties and could lead to impact on a party's privacy, reputation, or operations ; may not share with any parties outside the specific exchange, and information is limited to those present in the meeting ; should be exchanged verbally or in person
How TLP:RED May Be Shared - correct answer ✔✔US-Cert Traffic Light Protocol that should be
exchanged verbally or in person ; not for disclosure and restricted to participants only
TLP: Amber - correct answer ✔✔US-Cert Traffic Light Protocol - when information requires support to be
effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the
organizations involved ; recipients may only share information with members of their OWN ORG or with
CLIENTS OR CUSTOMERS WHO NEED TO KNOW ; sources are at liberty to specify additional intended
limits of the sharing
How TLP:Amber May be Shared - correct answer ✔✔US-Cert Traffic Light Protocol - Limited disclosure,
restricted to participants' organization - sources are at liberty to specify additional intended limits of the
sharing: these must be adhered to
TLP: Green - correct answer ✔✔US-Cert Traffic Light Protocol - useful for awareness of all participating
organizations as well as with peers within broader community or sector ; may share within sector or
community but NOT via publicly accessible channels ; information can be circulated widely within a
particular community and may NOT be released outside of the community
How TLP:Green May Be Shared - correct answer ✔✔US-Cert Traffic Light Protocol in which sharing
includes within sector or community but NOT via publicly accessible channels ; limited disclosure and
restricted to the community ; may not be released outside of the community
TLP:White - correct answer ✔✔US-Cert Traffic Light Protocol - information carries minimal or no
foreseeable risk of misuse, in accordance with applicable rules and procedures for public release ; may
be distributed without restriction