CISSP
Incremental
Backs up only the files that have changed since the last backup of any kind (full or incremental) and resets the archive bit; used when backup time and storage space are at a premium, at the cost of a slower restore (the last full backup plus every incremental taken since).
Wiretapping
A passive attack that eavesdrops on communications; legal only with prior consent or a warrant.
Differential power analysis
A side-channel attack on smart cards that statistically analyzes the power consumption of the card during processing in order to recover key material.
Electromagnetic analysis
A side-channel attack on smart cards that examines the electromagnetic emissions (and their timing) released during processing.
Kerberos
A trusted third-party authentication protocol; a Key Distribution Center issues tickets based on symmetric keys.
X.400
ITU-T message handling (e-mail) standard. Note: the directory standard from which LDAP and Active Directory derive is X.500, not X.400.
3 distinct categories for control types
Administrative, Technical, Physical
Subject
An active entity (such as an individual or process) that accesses or acts on an object.
Sequence Attack
An attack involving the hijacking of a TCP session by predicting the next TCP sequence number.
Tan Book
Audit (Rainbow Series: A Guide to Understanding Audit in Trusted Systems)
Authentication
Authentication (who can log in) is actually a two-step process consisting of identification and authentication.
3 access control services
Authentication, Authorization, Accountability
Access control models
Bell-LaPadula, Biba, and Clark-Wilson are examples of what
Internet Architecture Board
Committee for internet design, engineering, and management, responsible for the architectural oversight of the IETF
Criminal
Conduct that violates government laws developed to protect society
C2
Controlled Access Protection (DAC; adds object reuse protection and auditing over C1)
RAID 0
Stripes data across several disks to present one large volume; improves performance but provides no redundancy, so the failure of any single disk loses the whole volume.
Trade secrets
Deemed proprietary to a company and often include information that provides a competitive edge; the information is protected only as long as the owner takes reasonable steps to keep it secret.
Mitigate
Defined as the real-time monitoring and analysis of network activity and data for potential vulnerabilities and attacks in progress.
C1
Discretionary Security Protection (DAC)
System high
Each subject must have clearance for ALL information on the system and a valid need-to-know for SOME of the information (not all users need to know everything).
Dedicated
Each subject must have clearance for ALL information on the system and a valid need-to-know for ALL of it.
Compartmented
Each subject must have clearance for the MOST RESTRICTED information on the system and a valid need-to-know for the information they actually access.
Discretionary
Enables data owners to dictate what subjects have access to the objects they own
Asynchronous
Encrypt/decrypt operations are queued and processed independently of the caller; the key benefit is efficient use of hardware crypto devices and multiprocessor systems.
5 necessary factors for an effective biometrics access control system
Accuracy, speed and throughput, data storage requirements, reliability, and acceptability.
1996 Health Insurance Portability and Accountability Act (HIPAA) (Kennedy-Kassebaum Act)
addresses the issues of personal health care information privacy and health plan portability in the United States
1973 U.S. Code of Fair Information Practices
applies to personal record-keeping.
Data Access Controls
controls in this category are specifically implemented to protect the data contained on the system
System Access Controls
controls in this category protect the entire system and provide a first line of defense for the data contained on the system
Access Control Process
1. Defining resources; 2. Determining users; 3. Specifying how users may use the resources.
1029
18 U.S.C. § 1029 - Fraud and Related Activity in Connection with Access Devices
Fraggle
A Denial of Service attack initiated by sending spoofed UDP echo requests (port 7) to IP broadcast addresses so that every host on the segment replies to the spoofed source (the victim); the UDP counterpart of the ICMP-based Smurf attack.
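The detection side of the Fraggle card, as an added example that is not part of the original card set: a small Python detector that reads constructed flow records and flags UDP echo/chargen traffic aimed at a directed-broadcast address, grouping the hits by the (spoofed) source address because that is the host that will be flooded with replies. It also flags the ICMP variant (Smurf), which is the same trick with a different protocol. The subnets, the record format and the sample records are all assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Assumed local subnets whose directed-broadcast addresses an attacker could
# use as amplifiers (hypothetical values for this example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/24")]

# UDP services Fraggle abuses: echo (7) answers every datagram, and chargen (19)
# answers with a larger stream, so both amplify traffic toward the spoofed source.
UDP_AMPLIFIER_PORTS = {7: "echo", 19: "chargen"}


def is_broadcast_target(dst: str) -> bool:
    """True if dst is the limited broadcast or a directed broadcast of a local net."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record (hypothetical format):
    '<ts> <proto> <src>:<sport> -> <dst>:<dport> pkts=<n>'"""
    ts, proto, src, _arrow, dst, pkts = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return {
        "ts": ts, "proto": proto.lower(),
        "src": s_ip, "sport": int(s_port),
        "dst": d_ip, "dport": int(d_port),
        "pkts": int(pkts.split("=", 1)[1]),
    }


def classify(flow: dict):
    """Return 'fraggle', 'smurf' or None for one flow record."""
    if not is_broadcast_target(flow["dst"]):
        return None
    if flow["proto"] == "udp" and flow["dport"] in UDP_AMPLIFIER_PORTS:
        return "fraggle"
    if flow["proto"] == "icmp":          # same trick with ICMP echo = Smurf
        return "smurf"
    return None


def detect_amplification(lines) -> dict:
    """Aggregate broadcast-directed amplifier traffic per (attack, source).

    In Fraggle the source address is spoofed, so the 'src' recorded here is
    the victim that will receive the amplified replies, not the attacker.
    """
    hits = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        kind = classify(flow)
        if kind:
            hits[(kind, flow["src"])] += flow["pkts"]
    return dict(hits)


# Constructed sample records (not real traffic): two Fraggle bursts and one
# Smurf burst spoofing 203.0.113.5, plus benign mDNS and a unicast echo probe.
SAMPLE_FLOWS = """
2024-05-01T10:00:01 udp 203.0.113.5:1234 -> 192.168.1.255:7 pkts=500
2024-05-01T10:00:01 udp 203.0.113.5:1234 -> 10.0.0.255:19 pkts=300
2024-05-01T10:00:02 udp 192.168.1.20:5353 -> 192.168.1.255:5353 pkts=3
2024-05-01T10:00:02 udp 192.168.1.21:41000 -> 192.168.1.10:7 pkts=2
2024-05-01T10:00:03 icmp 203.0.113.5:0 -> 192.168.1.255:0 pkts=800
2024-05-01T10:00:04 tcp 198.51.100.7:5555 -> 192.168.1.10:80 pkts=10
""".strip().splitlines()

if __name__ == "__main__":
    for (kind, victim), pkts in sorted(detect_amplification(SAMPLE_FLOWS).items()):
        print(f"{kind:8s} spoofed victim {victim:15s} {pkts} packets to broadcast")
```

Note that benign broadcast traffic (mDNS to port 5353) and a unicast echo probe are left alone; only amplifier ports combined with a broadcast destination count. The preventive counterpart is to disable directed-broadcast forwarding on routers and the echo/chargen services on hosts.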
Non-repudiation
(Closely related to accountability) means that a user cannot deny an action because he or she can be irrefutably associated with that action.
Physical controls
Ensure the safety & security of the physical environment. These are primarily preventive or detective in nature. **Preventive (e.g. HVAC, security perimeters & guards) **Detective (e.g. motion detectors, video cameras, environmental sensors) //they are also deterrent in nature
Brown Book
Facility management (Rainbow Series: A Guide to Understanding Trusted Facility Management)
Synchronous token
Generates a one-time password that is only valid for a short period of time; the token and the authentication server are time-synchronized.
Class C
Has 256 addresses per network, of which 254 are usable for hosts (the network and broadcast addresses are reserved).
802.5
IEEE standard defines the Token Ring media access method
Administrative Controls
Include the policies & procedures that an organization implements as part of its overall information security strategy. **most often preventive & detective **ensures that technical & physical controls are understood & properly implemented
Internal use only
Information that can be distributed within the organization but could harm the company if disclosed externally.
B1
Labeled Security Protection (MAC with sensitivity labels used for access control)
Electronic Vaulting
Makes copies of files as they are modified and periodically transmits them to an off-site backup site
636
Many implementations run LDAP over SSL/TLS (LDAPS) on this port.
Digital Signatures
The message is input into a hash function, then the resulting hash value is encrypted (signed) with the sender's private key. The recipient decrypts the signature with the sender's public key and compares the result with a freshly computed hash of the message; any mismatch means the message was altered or the signature did not come from that sender.
D
Minimal Protection (evaluated but failed to meet the requirements of any higher class)
30 to 90 Days
Most organizations enforce policies that require password changes at intervals ranging from
Green Book
Password Management
7 Control types
Preventive, Detective, Corrective, Deterrent, Recovery, Compensating, and Directive. **Most controls are preventive.
Isochronous
Processing must complete within set time constraints; typical applications are audio/video, where the two streams must stay exactly synchronized.
Race Condition
Two or more processes act on a shared resource in an order the designer did not intend, so the result depends on timing; an attacker who can win the race (e.g. between a check and the use of its result) can bypass the check.
Trademarks
Protect words, names, product shapes, symbols, colors, or a combination of these, used to identify a company's product.
Copyright
Protects the expression of an idea, rather than the idea itself
Secure HTTP
Protocol (S-HTTP) designed to send individual messages securely, as opposed to SSL/TLS, which protects the whole session.
1024-49151
Registered ports as defined by IANA
Structured Walk-through
Representatives from each functional area or department review the plan in its entirety.
B3
Security Domains (MAC; minimized TCB, separate security administrator role and auditing; configuration management)
EAL6 (Common Criteria)
Semiformally Verified Design and Tested
Multilevel
Some subjects do not have clearance for ALL information on the system; each subject has a valid need-to-know for ALL information to which they will have access.
B2
Structured Protection (MAC; addresses covert channels and trusted facility management; configuration management)
Access Control Categories
System Access Controls & Data Access Controls
Yellow book
Guidance for applying the TCSEC in specific environments
Incident response
Team should consist of: management, IT, legal, human resources, public relations, security etc.
Checklist
A test in which copies of the plan are handed out to each functional area to ensure the plan deals with their needs.
Recovery Time Objective
The maximum acceptable time to restore a system after a disruption; set by balancing the cost of faster recovery against the cost of the disruption.
Physical access control (one-to-many search)
The individual presents the required biometric characteristic and the system attempts to identify the individual by matching the input characteristic to its database of authorized personnel
2002 The Sarbanes-Oxley Act (SOX)
The law, applies to any company that is publicly traded on United States markets. Much of the law governs accounting practices and the methods used by companies to report on their financial status. However, some parts, Section 404 in particular, apply directly to information technology.
Enticement
The legal act of luring an intruder, with intent to monitor their behavior (contrast with entrapment, which induces a crime the person would not otherwise have committed).
Data Remanence
The residual data that remains on storage media after deletion or erasure; partial or even the entire data set may still be recoverable.
1984 Computer Fraud and Abuse Act (CFAA)
This law was carefully written to exclusively cover computer crimes that crossed state boundaries to avoid infringing upon states' rights and treading on thin constitutional ice.
Orange Book
Trusted Computer System Evaluation Criteria
Red book
Trusted Network Interpretation (of the TCSEC)
Technical (logical) controls
Use hardware & software technology to implement access control. **Preventive (e.g. encryption, access control mechanisms, access control lists, remote access authentication protocols) **Detective (e.g. violation reports, audit trails, network monitoring & intrusion detection).
Gateway
Used to connect two networks using dissimilar protocols at different layers of the OSI model
NIDS
Usually inspects only packet headers, because the data payload is encrypted in most cases; payload inspection requires the traffic to be decrypted first.
A
Verified Protection (A1: formally verified design; configuration management)
Authorization or establishment
Defines the rights and permissions granted to a user account or process (what you can do). After a system authenticates a user, authorization determines what that user can do with a system or resource.
Decentralized
examples of what type of access control system: Multiple domains and trusts, databases
1987 Federal Computer Security Act
First to require federal government agencies to conduct security awareness training and adopt security plans for systems holding sensitive information.
access control methodologies
generally classified as either centralized or decentralized
1977 U.S. Foreign Corrupt Practices Act
imposes civil and criminal penalties if publicly held organizations fail to maintain adequate controls over their information. Organizations must take reasonable steps to ensure not only the integrity of their data, but also the system controls the organization put in place.
Object
is a passive entity (such as a system or process) that a subject acts upon or accesses.
Discretionary access control
An access policy determined by the owner of a file (or other resource). The owner decides who is allowed access to the file and what privileges they have. **In DAC the owner determines the access policy.
Mandatory access control
is an access policy determined by the system rather than by the owner
Access Control
is the ability to permit or deny the use of an object (a passive entity such as a system or file) by a subject (an active entity such as an individual or process).
1986 US Electronic Communications Privacy Act
Prohibits eavesdropping on or interception of message contents, without distinguishing between private and public systems.
data access controls
protect systems and information by restricting access to system files & user data based on object identity
1980 Organization for Economic Cooperation and Development (OECD) Guidelines
provides for data collection limitations, the quality of the data, specifications of the purpose for data collection, limitations on data use, information security safeguards, openness, participation by the individual on whom the data is collected, and accountability of the data controller
1974 U.S. Privacy Act
provides for the protection of information about private individuals that is held in federal databases
1999 Gramm Leach Bliley (GLB) Act
requires financial institutions to develop privacy notices and give their customers the option to prohibit the banks from sharing their information with nonaffiliated third parties
3 factors of authentication
Something you know, something you have, something you are (e.g. fingerprint, voice, iris). **Strong (multi-factor) authentication uses at least 2 of these 3.
Accountability
the ability to associate users & processes with their actions (what they did). Audit trails and system logs are components of accountability.
Identification & Authentication
the means by which a user (subject) presents a specific identity (e.g. user id) to a system (object), and the process of verifying that identity.
Logical access controls (one-to-one search)
the user enters a username or PIN (or inserts a smartcard) and then presents the required biometric characteristic for verification. The system attempts to authenticate the user by matching the claimed identity & the stored biometric image file for that account.
Biba, Clark-Wilson
These access control models address integrity.
Centralized
these systems are examples of what type of access control system: LDAP, RAS, RADIUS, DIAMETER, TACACS
Bell-LaPadula
This access control model addresses confidentiality.
2001 USA PATRIOT Act of 2001
this law greatly broadened the powers of law enforcement organizations and intelligence agencies across a number of areas, including when monitoring electronic communications.
Decentralized
this type of access control system maintains user account info in separate locations by different administrators throughout an organization or enterprise
Centralized
this type of access control system maintains user account information in a central location