eJPT-CheatSheets
Bartosz Pokrywka
Usefull info and commands for eJPT cert exam
- Personally Identifiable Information
- Healthcare Information
- Financial Data
- Intellectual Property
- Business Secrets
- Business Operations
- Criminals
- Competitors
- Insider Threats
- Malicious Actors
Confidentialty - it involves protecting sensitive data private and safe from unauthorized access. This includes protecting information from bad actors with malicious intent, as well as limiting access to only authorized individuals within an organization. You could think of confidentiality as privacy. When you send an email, for example, you're directing the contents of that email to a specific person or group of people. The protections in place that keep your email private are measures related to confidentiality. Passwords, locks, and tokens are among these measures.
Integrity - Maintaining data integrity is important to make sure data and business analysts are accessing accurate information. Data shown to the public must also maintain integrity so that customers can trust the organization. A system with integrity keeps data safe from unnecessary changes, whether malicious or accidental. Cybersecurity professionals might implement access levels, enable tracking when making changes, and protect data when transferring or storing it. Returning to our email example, when you send an email, you assume that the information you relay is the information that arrives to the recipient. If that information were altered along the way—say, for example, a third party intercepted the email and changed some key points—that data has lost integrity.
Availabilty - Availability refers to the idea that the people who need access to data can get it—without affecting its confidentiality or integrity. You want the recipients of that email you sent to be able to access it, display it, and even save it for future use. Ensuring availability in data systems can be tricky because it may compete with the other factors in the triad. One of the best ways to protect data is to limit access to it. If you have an information security role, you may have experienced pushback from customers or coworkers about information availability.
Is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
Payment Card Industry Data Security Standard
- Mandated by cards brands
- Administered by the Payment Card Industry Security Standards Council
- Created to increase controls around cardholder data to reduce credit card fraud
Health Insurance Portability and Accountability Act of 1996
- US regulations for the use and disclosure of Protected Health Information (PHI)
- The Final Rule on Security Standards was issued on February 20, 2003
- Standards and Specifications
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
General Data Protection Regulation
- Data protection adn privacy law in the European Union and the European Economic Area (EEA)
- Controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles
California Consumer Privacy Act
- Intended to enhance privacy rights and consumer protection for residents of California, United States
- Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages
- Liability may also apply in respect of businesses in overseas countries who ship items into California
Sarbanes-Oxley Act of 2002
- US federal law mandates certain practices in financial record keeping and reporting for corporations
- Requires strong internal control processes over the IT infrastructure and applications that house the financial information that flows into its financial reports in order to enable them to make timely disclosures to the public if a breach were to occur
International Organization for Standardization and the International Electrotechnical Commission
- Deliberately broad in scope
- Covering more than just privacy, confidentiality and IT/technical/cybersecurity issues
- Applicable to organizations of all shapes and sizes
- ISO/IEC 27001
- Information technology - Security Techniques - Information security management systems - Requirements
- ISO/IEC 27002
- Code of practice for information security controls
Control Objectives for Information and Related Technologies
- Created by ISACA for information technology (IT) management and IT governance
- Business focused and defines a set of generic processes fort hte management of IT
National Institute of Standards and Technology
- Catalog of security and privacy controls for all U.S. federal information systems except those related to national security
- Agencies are expected to be compliant with NIST security standards and guidelines
- NIST Special Publication 800-53B provides a set of baseline security controls and privacy controls for information systems and organizations
Center for Internet Security
- Set of 18 prioritized safeguards to mitigate the most prevalent cyber-attacks
- A defense-in-depth model to help prevent and detect malware
- Offers a free, hosted software product called the CIS Controls Self Assessment Tool (CIS-CSAT)
Cybersecurity Maturity Model Certification
- A training, certification, and third party assessment program of cybersecurity in the United States goverment Defense Industrial Base
- Requires a third party assessor to verify the cybersecurity maturation level
- 5 levels
Austrailan Cyber Security Centre Essential Eight Maturity Model
- Help organisations protect themselves against various cyber threats
- Designed to protect Microsoft Windows-based internet-connected networks
- 4 maturity levels
It's important to match the solutions of pentest to the frameworks and other standards that some company uses.
- Interviews
- Review Paperwork
- Assessments (i.e. nessus or solarwinds)
- Take Good Notes (Joplin, Sublime Text, One Note)
- Mind Map (good for reporing)
- Reports (that's what you get paid for)