401 Reading 3 - marsecguy/reading-notes-cyberops GitHub Wiki
CIA Triad
- Consider a bank ATM that allows users to access bank account balances. What measures can the ATM incorporate to cover the principles of the CIA triad?
  - Confidentiality: Require multi-factor authentication; do not print names, full account numbers or other PII on the screen or on printed receipts; fit side covers to prevent others from peering at the screen.
  - Integrity: Keep system information up to date to prevent accidental access to someone else's accounts; MFA also prevents integrity problems caused by someone withdrawing from an account that isn't theirs.
  - Accessibility: Build in system redundancy for power supply and communications to prevent downtime. Have a user-friendly GUI that works in multiple languages.
- Name three best practices that support the CIA triad.
  - Principle of least privilege
  - Need-to-know
  - Mandatory vacations
- What are the three stages of the risk management lifecycle? What is each stage's main goal or objective?
  - Assessment: determining what assets you have, what they are worth, and the threats and vulnerabilities each one has.
  - Analysis: determining what each asset is worth and the likelihood of a successful attack, to give a numerical or grade-based level of risk.
  - Mitigation/response: developing and implementing strategies to lower the risk level through avoidance or transference, or accepting the risk level and preparing to respond if an event should occur.
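The three stages above carried through in code, as an added example that is not part of the original notes or the Infosec source. The assets, asset values, threat likelihoods and the 1-5 scales are constructed for illustration; the risk score (likelihood x asset value) and the grade thresholds are one common simple scheme, not the only one.

```python
"""Risk management lifecycle: assessment -> analysis -> mitigation/response.

All data below is constructed sample data for an ATM deployment; it is not
taken from the reading notes. Scales are assumed: asset value 1-5 (impact if
the asset is lost or compromised) and threat likelihood 1-5.
"""

from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: int                                   # impact if compromised, 1-5
    threats: dict = field(default_factory=dict)  # threat -> likelihood, 1-5


def assess() -> list[Asset]:
    """Stage 1 (assessment): inventory assets, their worth, and the threats
    and vulnerabilities each one has. Constructed sample inventory."""
    return [
        Asset("ATM cash dispenser", 5,
              {"physical tampering": 2, "power loss": 3}),
        Asset("Customer account database", 5,
              {"credential theft": 4, "insider misuse": 2}),
        Asset("Receipt printer", 1,
              {"paper jam": 4}),
    ]


def grade(score: int) -> str:
    """Map a numeric risk score (1-25) to a grade. Thresholds are assumed."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def analyse(assets: list[Asset]) -> list[tuple[str, str, int, str]]:
    """Stage 2 (analysis): combine asset worth and attack likelihood into a
    numeric score and a grade, then rank highest risk first."""
    register = []
    for asset in assets:
        for threat, likelihood in asset.threats.items():
            score = likelihood * asset.value
            register.append((asset.name, threat, score, grade(score)))
    register.sort(key=lambda row: row[2], reverse=True)
    return register


def treat(risk_grade: str) -> str:
    """Stage 3 (mitigation/response): pick a treatment strategy per grade.
    The mapping is an assumed policy: reduce or avoid high risks, transfer or
    reduce medium ones, accept low ones but keep a response plan."""
    return {
        "high": "mitigate (add controls to lower likelihood) or avoid",
        "medium": "transfer (insurance/vendor) or mitigate",
        "low": "accept and prepare a documented response",
    }[risk_grade]


def plan() -> list[tuple[str, str, int, str, str]]:
    """Run all three stages and attach a treatment to each register row."""
    return [(a, t, s, g, treat(g)) for a, t, s, g in analyse(assess())]


if __name__ == "__main__":
    for asset, threat, score, risk_grade, action in plan():
        print(f"{score:>2} {risk_grade:<6} {asset} / {threat}: {action}")
```

Running the script prints the ranked register; the top row is the account database under credential theft (score 20, high), which is why the notes' ATM confidentiality measure (multi-factor authentication) shows up as the first control to implement.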
Source: Infosec