NIST SP 800-12
An Introduction to Computer Security: The NIST Handbook
NIST SP 800-88
Guidelines for Media Sanitization
NIST SP 800-60
Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP 800-18
The system owner should update the system security plan when the system undergoes a significant change.
NIST SP 800-53
Its primary goal and objective is to ensure that appropriate security requirements and security controls are applied to all U.S. Federal Government information and information management systems.
NIST Risk Management Framework (RMF)
Step 1 Categorize Systems & Data (Data Owner)
Step 2 Select Controls (System Owner)
Step 3 Implement Controls (Custodians)
Step 4 Assess Controls
Step 5 Authorize Information System
Step 6 Monitor
Clark-Wilson Model
Real-world integrity model that protects integrity by having subjects access objects via programs.
Biba Model
An access control model used to ensure integrity. It uses two primary rules: no read down and no write up. Compare to the Bell-LaPadula model.
Bell-LaPadula Model
An access control model used to ensure confidentiality. It uses two primary rules: no read up and no write down. Compare to the Biba model.
Brewer and Nash Model
Designed to prevent conflicts of interest; commonly used in industries that handle sensitive data. Three main resource classes are considered in this model: objects, company groups, and conflict classes.
Government Data Security Classifications
Top Secret
Secret
Classified
Non-Govt Data Security Classifications
Confidential/Proprietary
Private
Sensitive
AES Encryption
Specifically, AES is an iterative, symmetric-key block cipher that can use keys of 128, 192, and 256 bits, and encrypts and decrypts data in blocks of 128 bits (16 bytes). DATA at REST
TLS (Transport Layer Security)
A security protocol that uses certificates and public key cryptography for mutual authentication and data encryption over a TCP/IP connection. DATA in MOTION
Data Remanence
The residual physical representation of data that has been in some way erased. Data is either removed or destroyed (sanitization, no garbage left).
Quantitative Risk Analysis
A complex analysis technique that uses a mathematical approach to numerically analyze the probability and impact of risk events.
Digital Millennium Copyright Act (DMCA)
Makes it illegal to circumvent technology-based protections of copyrighted materials. ISPs must react quickly if infringing material is stored or cached on their systems.
GLBA (Gramm-Leach-Bliley Act)
Data security in the financial industry
SOX (Sarbanes-Oxley Act)
Requires companies to review internal control and take responsibility for the accuracy and completeness of their financial reports.
HIPAA (Health Insurance Portability and Accountability Act)
Health Information (PHI)
FERPA (Federal Educational Rights and Privacy Act)
Allows students access to their school records, opportunity to seek to amend their records, and some control over the disclosure of the records
FISMA (Federal Information Security Management Act)
Government Contractor
PCI DSS (Payment Card Industry Data Security Standard)
Credit Card Information
Quantitative Risk Assessment
An assessment that measures risk by using exact monetary values.
Economic Espionage Act
A federal statute that makes it a crime for any person to convert a trade secret for his or her own or another's benefit, knowing or intending to cause injury to the owners of the trade secret.
SOC 2 Type 1 Report
The service auditor provides an opinion regarding the fairness of the service organization's description of controls, but does not test the controls or express an opinion regarding the effectiveness of the controls.
SOC 2
Focus is on systems reliability, and includes a description of the service auditor's tests of controls and results. Involves "generally" restricted distribution
STRIDE Model
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
Risk Formula
Risk = Threat * Vulnerability
ISO 27002
The ISO (International Organization for Standardization) 27002 standard is a code of practice for information security with hundreds of potential controls and control mechanisms. The standard is intended to provide a guide for the development of "organiza
CALEA (Communications Assistance for Law Enforcement Act)
Requires telecommunications carriers to work with law enforcement.
CIS Benchmarks
Using Industry Standards for Security Baselines
EU Data Protection Directive
Several directives deal with personal data usage in the EU, but the most overarching is the general policy approved by the European Commission in 1995 (95/46EC) which protects individuals' privacy and personal data use.
POODLE Attack
SSL Weakness
Time Generated Token
...
NIST 800-53A assessment objects
Security and Privacy Controls
ITIL (Information Technology Infrastructure Library)
...
NIST SP 800-137
...