CISSP

Incremental

A backup method use when time and space are a high importance

Wiretapping

A passive attack that eavesdrops on communications, only legal with prior consent or warrant

Differential power analysis

A side-channel attack carry-out on smart cards that examining the power emission release during processing

Electromagnetic analysis

A side-channel attack on smart cards that examine the frequencies emitted and timing

Kerberos

A trusted third party authentication protocol

X.400

Active Directory standard

3 distinct categories for control types

Administrative, Technical, Physical

Subject

An active entity (such as an individual or process) that accesses or acts on an object.

Sequence Attack

An attack involving the hijacking of a TCP session by predicting a sequence number.

Tan Book

Audit

Authentication

Authentication (who can log in) is actually a two step process consisting of identification & authentication.

3 access control services

Authentication, Authorization, Accountability

Access control modules

Bell-la-padula, Biba, and Clark-Wilson are examples of what

Internet Architecture Board

Committee for internet design, engineering, and management, responsible for the architectural oversight of the IETF

Criminal

Conduct that violates government laws developed to protect society

C2

Controlled Access DAC

RAID 0

Creates one large disk by using several disks

Trade secrets

Deemed proprietary to a company and often include information that provides a competitive edge, the information is protected as long the owner takes protective actions

Mitigate

Defined as real-time monitoring and analysis of network activity and data for potential vulnerabilities and attacks in progress.

C1

Discretionary DAC

System high

Each subject must have clearance for ALL information on system and valid need to know SOME of the information ——All users may not have need to know ——

Dedicated

Each subject must have clearance for ALL information on system and valid need to know for ALL information.

Compartmented

Each subject must have clearance for MOST RESTRICTED information on system and valid need to know THAT information.

Discretionary

Enables data owners to dictate what subjects have access to the objects they own

Asynchronous

Encrypt/Decrypt are processes in queues, key benefit utilization of hardware devices and multiprocessor systems

5 necessary factors for an effective biometrics access control system

accuracy, speed & throughput, data storage requirements, reliability & acceptability

1996 Health Insurance and Portability Accountability Act (HIPAA) (Kennedy-Kassenbaum Act)

addresses the issues of personal health care information privacy and health plan portability in the United States

1973 U.S. Code of Fair Information Practices

applies to personal record-keeping.

Data Access Controls

controls in this category are specifically implemented to protect the data contained on the system

System Access Controls

controls in this category protect the entire system and provide a first line of defense for the data contained on the system

Access Control Process

1- Defining resources 2- Determining users 3- Specifying how users use recourse

1029

18 USC - Fraud and Related Activity in Connection with Access Devices

Fraggle

A Denial of Service attack initiated by sending spoofed UDP echo request to IP broadcast addresses.

Non-repudiation

(closely related to Accountability), means that a user can't deny an action because you can irrefutably associate him or her with that action.

Physical controls

Ensure the safety & security of the physical environment. These are primarily preventive or detective in nature. **Preventive (e.g. HVAC, security perimeters & guards) **Detective (e.g. motion detectors, video cameras, environmental sensors) //they are also deterrent in nature

Brown Book

Facility management

Synchronous token

Generates a one-time password that is only valid for a short period of time

Class C

Has 256 hosts

802.5

IEEE standard defines the Token Ring media access method

Administrative Controls

Include the policies & procedures that an organization implements as part of its overall information security strategy. **most often preventive & detective **ensures that technical & physical controls are understood & properly implemented

Internal use only

Information that can be distribute within the organization but could harm the company if disclosed externally

B1

Labeled Security MAC (labels for AC)

Electronic Vaulting

Makes copies of files as they are modified and periodically transmits them to an off-site backup site

636

Many implementations run LDAP on SSL on this port

Digital Signatures

Message encrypted is input into the hash function then the hash value is encrypted with the sender's private key

D

Minimal system( tested and failed)

30 to 90 Days

Most organizations enforce policies to change password ranging from

Green Book

Password Management

7 Control types

Preventive, Detective, Corrective, Deterrent, Recovery and Compensating...**Most controls are Preventive

Isochronous

Process must within set time constrains, applications are video related where audio and video must match perfectly

Race Condition

Processes carry out their tasks on a shared resource in an incorrect order

Trademarks

Protect words, names, product shapes, symbols, colors, or a combination of these, used to identify product a company

Copyright

Protects the expression of an idea, rather than the idea itself

Secure HTTP

Protocol designed to same individual message securely

1024-49151

Registered ports as defined by IANA

Structured Walk-through

Representatives from each functional area or department review the plan in its entirely

B3

Security domain MAC (TCB; security administrator and auditing; configuration management)

6

Semiformally verified design and tested

Multilevel

Some subjects do not have clearance for ALL information —— Each subject has a need to know ALL information to which they will have access.

B2

Structured protection MAC (addresses covert channels and trusted facility management; configuration management)

Access Control Categories

System Access Controls & Data Access Controls

Yellow book

TCSEC in Specific Environments

Incident response

Team should consist of: management, IT, legal, human resources, public relations, security etc.

Checklist

Test is one in which copies of the plan are handed out to each functional area to ensure the plan deal with their needs

Recovery Time Objective

The balance against the cost of recover and the cost of disruption

Physical access control (one-to-many search)

The individual presents the required biometric characteristic and the system attempts to identify the individual by matching the input characteristic to its database of authorized personnel

2002 The Sarbanes-Oxley Act (SOX)

The law, applies to any company that is publicly traded on United States markets. Much of the law governs accounting practices and the methods used by companies to report on their financial status. However, some parts, Section 404 in particular, apply directly to information technology.

Enticement

The legal act of luring an intruder, with intend to monitor their behavior

Data Remanence

The remains of partial or even the entire data set of digital information

1984 Computer Fraud and Abuse Act (CFAA)

This law was carefully written to exclusively cover computer crimes that crossed state boundaries to avoid infringing upon states' rights and treading on thin constitutional ice.

Orange Book

Trusted Computer System Evaluation Criteria

Red book

Trusted Network Interpretation book

Technical (logical) controls

Use hardware & software technology to implement access control. **Preventive (e.g. encryption, access control mechanisms, access control lists, remote access authentication protocols) **Detective (e.g. violation reports, audit trails, network monitoring & intrusion detection).

Gateway

Used to connect two networks using dissimilar protocols at different layers of the OSI model

NIDS

Usually inspect the header, because the data payload is encrypted in most cases

A

Verified Protection (configuration management)

Authorization or establishment

defines the rights and permissions granted to a user account or process (what you can do). After a system authenticates a user, authorization determines what that user can do with a system or resource.

Decentralized

examples of what type of access control system: Multiple domains and trusts, databases

1987 Federal Computer Security Act

first to require government agencies to do security training and adopt security plan

access control methodologies

generally classified as either centralized or decentralized

1977 U.S. Foreign Corrupt Practices Act

imposes civil and criminal penalties if publicly held organizations fail to maintain adequate controls over their information. Organizations must take reasonable steps to ensure not only the integrity of their data, but also the system controls the organization put in place.

Object

is a passive entity (such as a system or process) that a subject acts upon or accesses.

Discretionary access control

is an access policy determined by the owner of a file (or other resource). The owner decides who's allowed access to the file and what privileges they have. **in DAC the owner determines the access policy

Mandatory access control

is an access policy determined by the system rather than by the owner

Access Control

is the ability to permit or deny the use of an object (a passive entity such as a system or file) by a subject (an active entity such as an individual or process).

1986 US Electronic Communications Privacy Act

prohibits eavesdropping or interception of message contents without distinguishing between private or public systems

data access controls

protect systems and information by restricting access to system files & user data based on object identity

1980 Organization for Economic Cooperation and Development (OECD) Guidelines

provides for data collection limitations, the quality of the data, specifications of the purpose for data collection, limitations on data use, information security safeguards, openness, participation by the individual on whom the data is collected, and accountability of the data controller

1974 U.S. Privacy Act

provides for the protection of information about private individuals that is held in federal databases

1999 Gramm Leach Bliley (GLB) Act

requires financial institutions to develop privacy notices and give their customers the option to prohibit the banks from sharing their information with nonaffiliated third parties

3 factors of authentication

something you know, something you have, something you are (e.g. fingerprint, voice, iris, etc) **strong authentication is based upon 2 out of 3 of these requirements

Accountability

the ability to associate users & processes with their actions (what they did). Audit trails and system logs are components of accountability.

Identification & Authentication

the means by which a user (subject) presents a specific identity (e.g. user id) to a system (object), and the process of verifying that identity.

Logical access controls (one-to-one search)

the user enters a username or PIN (or inserts a smartcard) and then presents the required biometric characteristic for verification. The system attempts to authenticate the user by matching the claimed identity & the stored biometric image file for that account.

Biba, Clark-Wilson

these access control modules address integrity

Centralized

these systems are examples of what type of access control system: LDAP, RAS, RADIUS, DIAMETER, TACACS

Bell-la-padula

this access control module addresses confidentiality

2001 USA PATRIOT Act of 2001

this law greatly broadened the powers of law enforcement organizations and intelligence agencies across a number of areas, including when monitoring electronic communications.

Decentralized

this type of access control system maintains user account info in separate locations by different administrators throughout an organization or enterprise

Centralized

this type of access control system maintains user account information in a central location