Administrative controls
security measures implemented to monitor the adherence to organizational policies and
procedures. Those include activities such as hiring and termination policies, employee training
along with creating business continuity and incident response plans.
Physical controls
restrict, detect and monitor access to specific physical areas or assets. Methods include
barriers, tokens, biometrics or other controls such as ensuring the server room doors are
properly locked, along with using surveillance cameras and access cards.
Technical or logical controls
automate protection to prevent unauthorized access or misuse, and include Access Control
Lists (ACL), Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) signatures,
and antimalware protection, implemented as a hardware, software, or firmware solution.
What is the primary goal of PenTesting?
Reduce overall risk by taking proactive steps to reduce vulnerabilities.
Principle of Least Privilege
Basic principle of security stating that something should be allocated the minimum necessary
rights, privileges, or information to perform its role.
Risk
Likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
Threat
is something, such as malware or a natural disaster, that can accidentally or
intentionally exploit a vulnerability and cause undesirable results.
Vulnerability
is a weakness or flaw, such as a software bug, system flaw, or human error. A vulnerability can
be exploited by a threat.
Risk Analysis
is a security process used to assess risk damages that can affect an organization.
Unified Threat Management (UTM)
All-in-one security appliances and agents that combine the functions of a firewall, malware
scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so
on.
Main steps of the structured PenTesting Process:
Planning and scoping, Reconnaissance, Scanning, Gaining Access, Maintaining Access,
Covering Tracks, Analysis, Reporting
Unauthorized Hacker
A hacker operating with malicious intent.
Payment Card Industry Data Security Standard (PCI DSS)
Information security standard for organizations that process credit or bank card payments.
An organization must do the following in order to protect cardholder data:
Maintain secure infrastructure using dedicated appliances and software to monitor and prevent
attacks. Implement best practices like changing default passwords, educating users on email
safety, and continuously monitoring for vulnerabilities with updated anti-malware protection.
Enforce strict access controls through the principle of least privilege and regularly test and
monitor networks.
PCI DSS Level 1
Large merchant with over six million transactions a year; externally audited by a Qualified
Security Assessor (QSA), and must complete a RoC.
PCI DSS Level 2
merchant with one to six million transactions a year, must complete a RoC.
PCI DSS Level 3
merchant with 20,000 to one million transactions a year
PCI DSS Level 4
small merchant with under 20,000 transactions a year
General Data Protection Regulation (GDPR)
Provisions and requirements protecting the personal data of European Union (EU) citizens.
Transfers of personal data outside the EU Single Market are restricted unless protected by
like-for-like regulations, such as the US's Privacy Shield requirements.
GDPR Components:
Require consent, Rescind Consent, Global reach, Restrict data collection, Violation reporting
Stop Hacks and Improve Electronic Data Security (SHIELD)
is a law that was enacted in New York state in March 2020 to protect citizens' data. The law
requires companies to bolster their cybersecurity defense methods to prevent a data breach and
protect consumer data.
California Consumer Privacy Act (CCPA)
was enacted in 2020 and outlines specific guidelines on how to appropriately handle consumer
data. To ensure that customer data is adequately protected, vendors should include PenTesting
of all web applications, internal systems along with social engineering assessments.
Health Insurance Portability and Accountability Act (HIPAA)
is a law that mandates rigorous requirements for anyone that deals with patient information.
Computerized electronic patient records are referred to as electronic protected health
information (e-PHI). With HIPAA, the e-PHI of any patient must be protected from exposure, or
the organization can face a hefty fine.
Open Web Application Security Project (OWASP)
A charity and community publishing a number of secure application development resources.