(ISC)2 - SSCP
- Key Escrow - KEK (Key Encrypting Key) - Zeroisation or Clearing
- A process in which keys are held in a secure environment in case access is required to them. Usually managed by a third party, such as a trusted CA. - This is a shared master key that is used to encrypt and exchange session keys between two parties - This is a technique used to complete erase a key from a device or memory
- Safe Harbor Regulations
- A set of conditions that, if applied in good faith, may temporarily or indefinitely protect an organization from legal action or penalties imposed by a new regulation or law
- Federated Access - A travel booking site where a hotel & rental car chain may operate on separate networks but allow users a one-time authentication to book a room and a car while using the booking site - SAML (Security Assertion Markup Language)
- A single sign on (SSO) technology that allows users in different networks pr different companies to access multiple systems after logging on once. The systems can be using different operating systems owned and managed by different organizations. - What is an example of this? - What is an XML-based data format commonly used with this?
- View-based access control - Data-level access control - Contextual or Content-based access control
- A specific security control mechanism in a database or program that restricts the user's actions or displays only the data available to them based upon their rights and privileges. Can also restrict certain functions of a program - This deals with protecting data in any of its three states - This is based upon the form or content of the actual data. It is constructed using data content rules
- NAC (Network Access Control) - Endpoint Defense
- A technique that examines the current state of a system or network device before it is allowed to connect to the network; popular in BYOD scenarios and describes in the 802.1x standard - A technique of installing protective measures on a hardware device which can access the internet or a LAN; for example, firewall, HIDS, or antivirus software
- RBAC (Role-Based Access Control) - RAC or RuBAC (Rule-Based Access Control) - Session-level Access Controls
- An access control method implemented by assigning a job name label to subjects. Grants rights to all individuals in a group based upon their membership in the group. This type of administration is ideal for large groups. - This access control method is based upon explicit rules that have been established to control the activities of subjects. Various rules may be created to allow or restrict access to objects, such as a time of day restriction - These restrict or allow actions during a specific communication session. These controls terminate when the session is terminated
- ISOC (Information Security Operations Center) or SOC - Threat Intelligence
- An in-house or third party group that monitors the physical perimeter, CCTVs, applications, databases, websites, servers, and networks - A method by which an organization has up to the minute information concerning zero day attacks, threat profiles, malware signatures, etc
- Known Plaintext Attack - Chosen Ciphertext Attack - Chosen Plaintext Attack - Ciphertext-only attack - Birthday attack
- Attacker has samples of both plaintext and cipher text - Attacker has access to the encryption mechanism and public or private key - Attacker has access to some of the plaintext or can predict plaintext included in the ciphertext, like if messages frequently use the word "From" in the same place. Then they process plaintext through the cryptosystem to determine result - Attacker has no information other than the ciphertext; most difficult type of attack - An attack typically used against hash values to find collisions from two different plaintexts
- Cipher Suites - Perfect Forward Secrecy
- Combination of cryptographic algorithms that provide several layers of security for TLS and SSL. When two systems connect, they identify one of these that is acceptable to both systems and then use the protocols within. - This property states that a session key won't be compromised if one of the long-term keys used to generate it is compromised in the future.
- Subjects are always active (like requesting a resource) while objects are passive (they are the resource waiting to be accessed). They can exchanges places depending on what's happening. - If a user requests information from a web server, the web server is an object, but it may also request information from a back end database. When making a request to the database, the web server would also be a subject
- How can you tell a subject from an object? - When can an object also be a subject?
Negative Testing
Ensures the application can gracefully handle invalid input or unexpected user behavior.
- By encrypting a hash with the sender's private key - Integrity, authentication of source, and non-repudiation
- How is a digital signature created? - Which security services are provided by digital signatures?
- Deniability - Disclosure
- What is the term used to describe the violation of non-repudiation? - What term is used to describe the violation of confidentiality?
1. Software 2. Hardware
What are two categories of Logical Access Controls?
- TCB (Trusted Computing Base) - Security Kernel - Reference Monitor - Audit
- Mandatory Access Control (MAC) uses this instead of an ACL. Consists of three parts - First part consists of the hardware, firmware, and software components of a computer system that implement the security policy of a system; is able to implement an ACL - The second part mediates all access to objects by subjects. It must always be invoked and available, verifiable as correct, and protected from modification - Final part records all failed & successful data access attempts and file changes
- Traffic Shaping - QoS (Quality of Service)
- Manipulating certain characteristics of packets, data streams, or connections to manage the type and amount of traffic traversing a network or interface at any moment. - The prioritization of some network traffic over others
- MAC (Message Authentication Code) - HMAC (Hashed MAC)
- Proving the integrity and authenticity of a message by encrypting a small block of data with a shared secret key. - Same as the above, but a secret key is appended to the original message then hashed by the sender. Original message & this new value are then sent separately to the receiver
- Electronic Vaulting - Journaling - Clustering - Load-balancing clustering
- Service whereby data changes are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party. - A database term that refers to recording transactions and creating a transaction log - This refers to using a combination of servers or systems to reduce the risk associated with a single point of failure - This technique uses algorithms to spread the work around an array of systems
- X.509 - The user's public key - Certificate Authority (CA) - Registration Authority (RA) - Certificate Revocation List (CRL) - OCSP (Online Certificate Status Protocol) - PKI (Public Key Infrastructure)
- The most widely accepted format for digital certificates - What does a digital certificate contain? - This is the trusted issuer of a cerfificate - This entity obtains and maintains certificate owner information - This informs people of invalid certificates - An internet service used to determine the status of a certificate - A method for issuance, validation, and revocation of certificates
- ARO (Annualized Rate of Occurrence) - EF (Exposure Factor)
- The probability that a risk will occur in a particular year. - This refers to the harm or amount of loss that might be experienced by an asset during a risk event.
- Privilege Management or Privilege Lifecycle - Rights and Privilege Audit - Account Deactivation - Orphan account
- These are events related to things like an employee getting promoted, getting fired, leaving the company, or retiring - This ensures that a user's permissions match the minimum required to do their job and do not exceed it - This ensures that access rights are taken away immediately upon a user getting fired, leaving, or retiring. - What is an account called when an employee has been gone for a long time but it is still active?
- Audit Logs - Event Logs
- These logs offer crucial information about the actions and activities on a network - These are almost every other type of log
- Bell-LaPadula model - Biba model - Clark-Wilson model - Brewer-Nash model (Chinese Wall)
- This MAC model is used in the US military & gov't. It features a strict "no read-up" and "no write-down" policy. The goal is that a user cannot read information at a higher level and cannot write information at their security level down to a lower level. - This MAC model is primarily concerned with information regularity/integrity. It is the reverse of the above model: "no read-down, no write-up". The goal is that an individual at a certain security level may not read information at a lower level and the individual may not create (write) information at a higher level than their security level. Used primarily in business. - This MAC model is concerned with object integrity and separation of duties. It enforces well-formed transactions. Places a mechanism such as a software program between an object and user. - This model helps to prevent conflict of interest situations within the same business. Isolates branches from the activities of other branches.
- Prudent Man - Due Dilligence - Due Care
- This concept refers to actions that may be reasonably taken (or are obvious) to safeguard corporate assets and data, as well as following best practices from similar organizations - This is verifying that a control or process is performing as intended - This refers to taking actions that are prudent and reasonable to protect the assets of the organization
- Risk Treatment Plan - Risk Treatment Schedule - Risk Register
- This details how an organization plans to respond to potential risks - This documents the plan for implementing risk mitigation strategies for dealing with identified risks. This lists risks in order of priority - This is a primary document used to maintain a record of risks
- Confusion - Diffusion - Salt
- This increases the complexity of an encrypted message by modifying the key during the encryption process which increases the work factor - This also increases complexity by having very small changes to the input during encryption result in major changes to the encrypted output - The process of adding additional bits of data to a cleartext key or password prior to it being hashed. Extends the length of a password and makes attacking the hash more difficult
- Compensating Control - Countermeasures - IRM (Information Risk Management)
- This is a device, procedure, or mechanism that addresses the inherent weakness of the primary control. It addresses situations or conditions that the primary control misses - This describes specific activities, procedures, or devices put in place to mitigate an identified risk or vulnerability which was identified during the risk analysis - This is the process whereby risks to IT hardware, software, and information assets are identified and threats and vulnerabilities are reduced to an acceptable level and controls are implemented to maintain that level
- Algorithm - Key - One-way Algorithm (hashes) - Two-way Algorithm (Symmetric and Asymmetric) - Initialization Vector
- This is a mathematical function that produces a binary output based on the input of either plaintext or ciphertext - This is the input required by the above - This is a mathematical calculation that takes the input of a plaintext message and outputs a ciphertext message. - This can both encrypt and decrypt a message - An unencrypted random number that is used to generate complexity during the encryption process. It seeds the encryption algorithm to enhance the effects of the key
- ERM (Enterprise Risk Management) 1. Passive Monitoring: capturing network traffic and logs 2. Active Monitoring: special packets are introduced to the network to measure performance. Testing QoS falls under this 3. Real-time Monitoring: this includes NIPS or other devices/software which continuously monitor the network and can take real-time action when threats are detected. The CERT (Computer Emergency Response Team) may act during this 4. SIEM (Security Information & Event Management): software products combined with hardware devices to provide real-time analysis of alerts.
- This is a program designed to change the risk culture from reactive to proactive and accurately forecast and mitigate the risk on any key programs; must become part of the overall culture to be successful - What are four types of Continuous Monitoring that could be part of the above program?
- Back door - Adware - Virus - File Extension Attack - Pharming
- This is aka a "maintenance hook", access device for developers to access an app during development. Can be delivered by trojans - This will display an ad banner and solicit clicks from a user, then will install something like a keylogger or trojan. Used to create ad revenue stream for attacker - Unlike a worm, these need assistance to reproduce and usually attach themselves to an .exe file - This is an attack enabled by NTFS's long filenames, usually hiding a double file extension - A type of social engineering attack to obtain user credentials, usually by redirecting a website via DNS
- SCI (Sensitive Compartmented Information) - SAP (Special Access Program)
- This is an added layer of security for information that is classified as top-secret. With this information, top secret clearance is not enough protection and the information must be certified "need to know." This level of classification is given to sensitive material that may have special access categories. - These are established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level. Typically identified by two unclassified, unrelated code words.
- Encoding - Key Clustering - Collision
- This is different from encryption b/c it alters the characters and changes the message from one format to another. For example, changing letters into ASCII - This is when two different keys generate the same ciphertext from the same plaintext; it is a flaw in the algorithm - This is when two different plaintext values create the same output hash value
- SLE (Single Loss Expectancy) - SLE = Asset Value (AV) * EF (Exposure Factor) - An example is an asset worth $10,000, and we would expect it to lose half its value in a risk event - $10,000 (AV) * 0.5 (50% EF) = $5,000 (SLE)
- This is the cost (in dollars) that can be lost if a risk event happens. - What is the equation for this? - What is an example of how this works?
- ALE (Annualized Loss Expectancy) - ALE = Asset Value (AV) * Exposure Factor (EF) * Annualized Rate of Occurrance (ARO); remember that AV * EF = Single Loss Expectancy (SLE) - The SLE is $5,000 and we expect two risk events to happen in a year - $5,000 (SLE) x 2 (200% ARO) = $10,000 (ALE)
- This is the total cost (in dollars) for all of the SLEs during the year - What is the equation for this? - What is an example of how this works?
- SSL - TLS
- This is used in email, VoIP, instant messaging, and web browsing. Located at the Transport layer of the TCP/IP model and utilizes a shared secret key. Is now considered insecure b/c it's vulnerable to a POODLE attack - This is the successor of the above. - Remember that both of the above things utilize symmetric cryptography after a handshake session. they are always set up between a server and client internet browser
- WIPS (Wireless Intrusion Prevention System) 1. WIPS Sensor: antenna/radio receiver that scans the spectrum and collects packets 2. WIPS Processing Server: centralized server that analyzes captured packets 3. WIPS Multi-Network Controller: for large organizations, made up of several sensors & servers in different locations
- This is used to mitigate the possibility of a rogue access point. - What three components make this up?
- Buffer Overflow - Pointer Attack - XSS (Cross Site Scripting) - XSRF (Cross Site Request Forgery) - Virus hoax
- This is when more data is placed into a memory location than the location can accept - This uses the above technique to attack what indexes the process within a process stack and makes it look at malicious code - This attack exploits the trust a user has in a website or app. Inserts client-side script into a genuine site. The user usually doesn't know an attack has taken place - This attack exploits the trust a site has in a user's browser. According to the text, it tricks the user's web browser by making it issue unauthorized commands so it appears that the user is performing them - These are false warnings about potential virus attacks which end up causing a DoS attack
- M of N requirement - Two-Man Rule - Transparency
- This process allows multiple people out of a group to be able to take a certain action, and can also require a certain number of individuals to agree prior to action being taken - This is a procedure popular in very high-security locations and situations. It features two individuals who must agree upon action yet are physically separated and must therefore take action independent of the other - This principle allows anyone to access, view, and test hardware or software systems. For example: testing a new cryptographic algorithm
- Quantitative Risk Analysis - Qualitative Risk Analysis
- This process involves accumulating various facts and figures about an asset. It considers monetary facts and figures as well as other measurable quantities that may be expressed as costs to arrive at asset valuation - This is a subjective process usually based on a number of related aspects of the asset. The value of the asset may be simply listed as high, medium, and low
- Key Space - Encryption - Work Factor
- This represents the total number of possible values of keys in a cryptographic algorithm or other security measure, such as a password. - The process whereby ciphertext is created by processing a plaintext message through an algorithm and creating a key - The amount of time & effort it would take to break a specific encrypted text
- Device authentication - Reverse authentication
- This requires digital certificates installed on a device - This is when a user knows they are on a trusted site. An example would be the site displaying a specific picture chosen by the user when they log in or answering personal security questions.
- DAC (Discretionary Access Control) - Non-DAC (Non-Discretionary Access Control) - MAC (Mandatory Access Control)
- This type of access control is determined by the data owner. For example: the owner assigns specific permissions to different user accounts. These permissions are recorded in an ACL - This type of access control is when a system administrator, management, or an information tagging/labeling system controls access to objects by subjects. In this case, the access might be granted by policy to a specific group of users. The system administrator is carrying out policy administration. - Under this type of access control, subjects and objects are assigned labels or tags
- Circuit-Switched Network - Packet-Switched Network - Virtual Circuit Network 1. Permanent Virtual Circuit (PVC): a connection between endpoints where the carrier configures the circuit routes to provide the requested speed and bandwidth using dedicated equipment 2. Switched Virtual Circuit (SVC): dynamically configures the circuit routes each time the circuit is used by the end user. Less expensive and billed only for time of use
- This type of network connection is created by physically connecting to endpoints through a series of wires and mechanical switches where the signal voltage generated at one endpoint is received by the other endpoint. POTS and ISDN are examples - This type is typical of most WANs today. It makes use of a large number of devices with nondedicated connections and uses routers to transport data - This is usually made with a special contract for organizations that need high-bandwidth connections between offices - What are two methods of establishing this third type of network connection?
1. Hacker: broad terms, covers lots of people, usually things like stealing credit card info for personal gain 2. Commercial Hacker (Comhacker): may be hired by a third party to infiltrate a target for a specific agenda. For example: stealing intellectual property, exfiltration of documents, changing information, and engaging in targeted disruption activities. 3. Certified Ethical Hacker (CEH): aka white hat hacker or pentester 4. Script Kiddie: unskilled copypasta attacker 5. Cracker: ethical hackers claim that only a black hat hacker should be referred to as a cracker. 6. Nation State: hostile country which may plant advanced persistent threats (APTs) and conduct Cyberwarfare 7. Hacktivist: they have a political message or agenda. 8. Insider Attack: disgruntled employee
- What are 8 types of hackers?
1. Macro Virus: triggered by macros such as MS Office files 2. File Infecting Virus: infects, damages, & alters .exe files 3. Boot Sector Virus: infects MBR (Master Boot Record); was more popular in days of floppy disks 4. Polymorphic Virus: changes as it replicates through a system to avoid detection by antivirus scans. AKA mutation virus 5. Stealth Virus: masks itself as another type of program by changing file extension or modifying file name 6. Retrovirus: directly attacks antivirus software by destroying virus definition database, so program appears to be working 7. Multipartite Virus: attacks many different parts of the host system so it is very difficult to completely remove 8. Armored Virus: highly resistant to examination or removal
- What are 8 types of viruses?
1. Packet Filter Firewall: passes data based upon packet addressing. Does not analyze based on information inside the packet. Will reject if a packet addresses a blocked port 2. Proxy Firewall: can cache information from frequently used webpages or documents. Acts as an intermediary between two systems, hosts, or networks. Uses increased intelligence to filter packets 3. Dual-Homed Firewall: contains two NICs, one connected to the external network and one to the internal network 4. Stateful Packet Inspection (SPI) Firewall: checks to see if packets are part of an existing conversation and also tries to determine origin as well as destination 5. Web Application Firewall (WAF): used to regulate traffic to and from web servers and web apps. Utilizes specialized rules such as content filtering, access control, and intelligent rulesets. Operates at OSI layer 7 with applications. Can protect against XSS, injection attacks, and HTTP forgeries
- What are five types of firewalls?
1. Parking lot attack: done from a vehicle in close proximity to a network with sophisticated equipment 2. Drive-by attack: target is chosen and the network is either jammed or communications are intercepted 3. Bluesnarfing: when Bluetooth is used to access information from a device 4. Bluejacking: when Bluetooth is used to send unsolicited messages 5. Bluebugging: a Bluetooth method where the attacker accesses all phone features
- What are five types of wireless network attacks?
1. Behavior-Based Detection: compares with baseline and looks for unusually high traffic, high-volume traffic destined for a specific port, high-volume traffic destined for specific IP address, and unusual control or request packets. 2. Signature-Based Detection: similar to an anti-malware identification system, can identify known malware signatures from library or known types of attacks. 3. Anomaly-Based Detection: looks for something completely outside of the ordinary. Usually more intelligent and learns what normal looks like from the typical traffic flow and activity on the network. 4. Heuristic-Based Detection: monitors network traffic and provides a solution based on good enough information. A type of learning system, it uses just enough information to arrive at a solution. Is very fast, but can be inaccurate if not adjusted correctly. Uses algorithms in conjunction with other techniques to analyze traffic passing through a network
- What are four types of network monitoring used by both IPS and IDS?
1. Point-to-Point Tunneling Protocol (PPTP): encapsulates and encrypts point-to-point protocol (PPP) packets. Major weaknesses is that all channel negotiation is done in the clear. After the tunnel is created, the data is encrypted. 2. Layer 2 Forwarding (L2F): created by Cisco as a method of creating tunnels that do not require encryption. Used primarily for dial-up and uses TCP for connections. 3: Layer 2 Tunneling Protocol (L2TP): combination of MS and Cisco's tunneling protocols (PPTP & L2F). L2TP can be used in many networks besides TCP/IP and will support multiple network protocols. Can be used as a bridge across many types of systems. L2TP does not provide security encryption, so it requires the use of such security protocols as IPsec for encryption. 4. Secure Shell (SSH): Originally for Unix, but also on Windows. Tunneling protocol that uses encryption to establish a secure connection between two systems. SSH also provides an information exchange protocol for such standards as Telnet and FTP, and many other communications-oriented applications. Preferred method of security for Telnet and other cleartext-oriented programs. - IPSec
- What are four types of tunneling protocols? - What protocol is sometimes used to add encryption to VPN connections?
1. RSA: most famous, leverages prime number characteristics 2. ECC (Elliptical Curve Cryptography): leverages discrete logarithm characteristics; commonly used with mobile devices 3. El Gamal: digital signature scheme, not patented, used in recent versions of PGP. Doubles length of any encrypted message, creating a lot of work for large messages. 4. DSA: federal information processing standard 5. Diffie Hellman (DH): used for key exchange, but no authentication so is vulnerable to MITM attacks
- What are the five asymmetric ciphers and their characteristics? - Remember that all other types of ciphers you will see are probably symmetric ciphers or hashing algorithms
1. Preshared Credential 2. Unique session key 3. TGT (Ticket Granting Ticket) 4. ST (Session Ticket): used to prove a subject's identity to a resource host - KDC (Key Distribution Center): this is what issues the TGT
- What are the four credentials required in Kerberos authentication? - Which element of Kerberos accepts the user's credentials and creates the access ticket?
1. User requests to authenticate to Key Distribution Center server 2. KDC authenticates user 3. KDC provides Ticket Granting Ticket; this is a timed ticket and usually expires in less than a day 4. User presents TGT to Ticket Granting Server to obtain Session Ticket 5. TGS sends user a Session Ticket for the requested resource 6. User presents Session Ticket to the resource requesting access
- What are the six steps in Kerberos authentication?
- Ad hoc mode: devices freely connect to each other - Infrastructure mode: authentication is used and devices connect through a WAP to a wired network
- What are the two main types of wireless network modes?
1. Control Plane: concerned with determining the path that should be used to forward a data packet. Maintains the Routing Database and determines proper port to use. Can have Static Routes manually entered, or can learn Dynamic Routes from other routers. 2. Forwarding Plane or Data Plane: receives arriving packets and routes them through an output interface to the destination address. Utilizes address obtained through the Control Plane
- What are the two types of operational stages for routers called?
1. Physical: tangible things like the building and hardware 2. Digital: data stored in IT systems 3. Information: what is stored inside the data - People - Assurance Procedures
- What are three types of assets? - What is the most important asset to protect? - What are procedures that ensure the access control mechanisms correctly implement the security policy?
1. LDAP (Lightweight Directory Access Protocol): X.500 format directory protocol that allows queries from an LDAP client to an LDAP database. Used with MS's Active Directory. 2. Kerberos: developed at MIT, allows SSO. Does not pass passwords over the network. Most of the work is done by host workstations & not the Kerberos server. Uses Key Distribution Center & TGS - SSO (Single Sign On): in Kerberos, the session ticket will allow any "Kerberized" resource to accept a user as valid. Active Directory (used with LDAP) retains information about access rights for all users & groups in the network and will issue the user a GUID (Globally Unique Identifier); access control to multiple resources such as email, internet, etc are controlled through the GUID.
- What are two types of local user authentication services? - What process can be enabled with these which allows users to access multiple resources with one set of credentials, and how does this work with each of the above?
1. Subnetting: accomplished by using subnet masks and using segments of the IP address. Can be logically, topologically, or physically. Subnetting provides security. 2. VLANs: created by grouping hosts together all connected to a network switch which controls traffic based on MAC addresses. Members do not need to be in the same area. VLANs do not provide security. 3. DMZ: network segment created between two firewalls, one of which faces an untrusted network like the internet. Purpose is to allow untrusted users to access resources without exposing the internal network, which is shielded from both the internet and the DMZ by a firewall. Anything in the DMZ, however, is subject to attack 4. NAT (Network Address Translation): this is used to extend the number of IPv4 addresses. Allows an organization to present a single IP address to the internet for all hosts & servers on an internal network. Performed by firewall or router at the boundary of a network.
- What are types of network segmentation?
- NIST Special Publication 800-30, Rev 1 1. Preparing for the Risk Assessment 2. Conducting the RA 3. Communicating and sharing RA information 4. Maintaining the assessment
- What document is a guide for conducting Risk Assessments? - What are the four steps in a Risk Assessment?
- It records all of the transactions since the last full backup. You only need the most recent file and last full backup to restore - Makes a record of only each day's transactions. You need all of the incremental files plus the last full backup to restore
- What is a differential backup and what is needed to restore it? - What is an incremental backup and what is needed to restore it?
- Spyware - Legal Botnet - Worm - Proof of Concept - Rootkit
- What is software that is placed on the host computer and monitors actions and activities and often creates log of some sort? Logs are usually sent somewhere - What were internet-connected computers linked by Internet Relay Chat (IRC)? - What software replicates itself without assistance and is usually used for DoS attacks? - What is a prototype used to prove an attack works? - What attack disguises itself by appearing as authentic OS software to hide from antivirus scans and grants the attacker high-level privileges?
- RMF (Risk Management Framework) 1. Categorize — The information system is examined to determine a category for the system. During this process, the information that the system processes, stores, and transmits is evaluated. 2. Select — Baseline security controls are selected based on the category of the system. For example, a system that processes classified data must include a selection of controls that mitigate risks for federal information systems in that category. 3. Implement — the selected security controls are installed and properly initiated throughout the system. The controls must be documented to show the implementation 4. Assess — An assessment process is utilized to determine if the controls are installed and set up correctly, operating effectively, and meeting the risk mitigation requirements 5. Authorize — occurs when an acceptable level of risk is achieved based upon the implementation of controls. 6. Monitor — ongoing assessment of the baseline operation of a control and its risk mitigation effectiveness. This process also includes a change management process
- What is the six step process called which is outlined in NIST SP 800-37? - What are the six steps?
- The situation in which the same secret key encrypting the same block of plaintext will always produce the same ciphertext - ECB (Electronic Code Book): For very short messages; least secure, should not use - CBC (Cipher Block Chaining): Introduces use of XOR and IV - CFB (Cipher Feedback Mode): Stream cipher, allows encryption of partial blocks; encrypts one character at a time, bit by bit - OFB (Output Feedback Mode): Turns block cipher into synchronous stream cipher. Similar to CFB but uses the encrypted IV as input to second block cipher encryption. Allows keystream to be prepared and stored prior to encryption - CTR (Counter Mode): Turns block into stream cipher, but instead of an IV it uses a 64-bit random data counter; separates keystream from data to encrypt several blocks in parallel
- What issue do Block Cipher Modes address? - What are five types of Block Cipher Modes?
- Security Baseline - Regression Analysis
- What must be established in order to evaluate device & network security? - What is performed to determine if any changes have been made to devices or the network, and compared to the above?
- ICMP 1. Managed Device: a device on the network being managed by SNMP and has the SNMP agent installed on it 2. SNMP Manager: a separate entity that is responsible for communicating with the SNMP agent implemented network devices. This is typically a computer that is used to run one or more network management systems. 3. SNMP Agent: program that is packaged within the network device. Enabling the agent allows it to collect the management information database from the device locally and makes it available to the SNMP manager when it is queried. 4. Management Information Database (MIB): populated with information sent be SNMP agents and the database is queried by the SNMP Manager
- What protocol other than SNMP can be used to get information about network & device health? - What are the four components of the SNMP (Simple Network Management) Protocol?
- 802.1x - Mutual certificate-based authentication
- What technology is also known as port authentication or authentication proxy and can replace poor native authentication? - What is the most secure form of authentication which protects against eavesdropping and MITM attacks?
- WiMAX
- Wireless technology created with the intention of replacing wifi. Can connect devices over large distances and is specified in the 802.16 standard
Tree Topology
A network that combines the characteristics of bus and star topologies. Groups of star topologies are connected to a central cable, usually placed one on top of the other
1. Incident: an event that could cause harm to the organization. All incidents are events, but not vice versa 2. Clipping Level: a threshold of activity that, after crossed, sets off an operator alarm or alert. For example, an IDS system reacting to a DoS attack 3. Alert, Warning, Alarm: a method of gaining the operator's attention. 4. Baseline: an established criteria for measuring normal events as well as normal activity and traffic on the network. 5. Tuning: the act of adjusting a device such as an intrusion detection system or intrusion prevention system to detect events, intrusions, and other anomalies that have exceeded the clipping level set for the device.
An Event is any occurrence of state change on a network, a system, a device, or software. What are five types of Events?
Hybrid Cryptography
Combined use of symmetric and asymmetric algorithms where the symmetric key encrypts data and an asymmetric key encrypts the symmetric key. This is the foundation of SSL/TLS sessions most commonly used in e-commerce
- RAID-0: This configuration stripes data across multiple hard drives. The benefit is speed and access. There is no data redundancy. - RAID-1: Mirroring. It offers a simple data redundancy configuration by having identical information written to two different locations. - RAID-2: This configuration stripes data across multiple disk drives at the bit level. It is difficult to implement and generally not used. - RAID-3: This configuration stripes data across multiple drives at the bit level and uses a separate disk drive for the parity bit. This RAID level is rarely used. RAID-4: This configuration is similar to RAID-3, but it stripes data across multiple drives at the block level. It also uses a separate disk for the parity bit. RAID-5: This configuration is one of the most popular RAID configurations. RAID-5 uses a technique of striping data across multiple drives and incorporating the parity bit on each of the drives. If a drive fails, the data may be reconstructed using the data and parity bit contained on the other drives. A minimum of three drives must be used in a RAID-5 implementation.
Describe RAID levels 0-5
- Code 0 (Emergency): This is the highest alert, possibly affecting major sections of the network or applications. - Code 1 (Alert): This indicates a major problem, such as the loss of a central application or communication method. - Code 2 (Critical): This represents the loss of a backup or secondary device. - Code 3 (Error): When detected, this means that the failure of an application or system was not critical in nature. - Code 4 (Warning): Warnings are usually set to indicate that a threshold is near. For instance, server utilization is at 90 percent. - Code 5 (Notice): These messages indicate potential problems that should be investigated. - Code 6 (Information): These are status messages and no action is usually required. - Code 7 (Debug): Debug messages are utilized by developers and programmers.
What are the eight types of syslogs?
Auditing
What is the act of reviewing or monitoring data obtained during the Accounting process?
N*(N-1)/2, where N equals the number of devices on the network
What is the equation for how many connections are required for a Mesh Topology?
- PAT (Port Address Translation): uses a single external address and shares the port with the entire network. Much more limited and typically only used in smaller, home-based networks.
What may be used in addition to NAT to help hide the internal network?
Outsourcing
What policy describes access controls for the privacy and security of corporate assets?
1. Value of the information: this is subjective depending on the organization 2. Method of accessing the information: how the information is made available
What two requirements do System-Level Access Controls address?
Mobile Code
Software that is transmitted across the network from a remote source to a local system then executed at the local system. This usually occurs without the user's intervention or knowledge
OPIE: One-time Password In Everything
This is a type of one-time password based on S/Key in Unix systems. Usually a user's password combined with other data, then hashed with MD4 or MD5
Challenge Handshake Authentication Protocol (CHAP)
This mechanism of authentication is based on the exchange of a random number and response that can be can non-encrypted, but still secure. It is a weak authentication protocol that has been replaced by the Extensible Authentication Protocol (EAP).
Agile Development
This type of project management is based on the concept of iterative development, which is the idea that feedback from deployed products is used to guide improvement in subsequent development cycles
1. Enrollment Time: setting up the device with user's information 2. Error Rate: biometric devices compare a current reading with a recorded reading and are not always accurate, e.g. when your finger is wet and fails a fingerprint scan 3. Acquire Time: time is takes to perform various biometric scans when a user wants access 4. Throughput Time: how long it takes to compare the current sample from the user to historical sample for authenticaion 5. One-to-one Search: errors can occur when data points do not match
What are five challenging aspects to using biometrics?
1. Offsite Commercial Storage: Specific storage companies offer services to warehouse secure information. 2. Formal Access Policy: A formal sign-out or access control policy should be followed. 3. Data Retention Period: Data should be destroyed at the end of a retention period. 4. Media Destruction Policy: A policy should outline the proper destruction or recycling techniques for all paper, hard drives, optical media, PCs, cell phones, and magnetic tapes.
What are four common types of Physical Data and Printed Media access controls?
1. Standards: represent the criteria that must be met by the policy. Standards may be imposed by legislation, regulation, or industry requirements, or they may be imposed by the organization. 2. Baselines: established as the normal or minimal criteria that must be met by the policy. Baselines may list a specific configuration setting for a piece of hardware, such as a firewall, an IDS, or a router. 3. Procedures: detailed steps that provide a set of instructions for performing a specific task. Some companies have what is called a standard operating procedure (SOP). 4. Guidelines: differ from procedures in that they are generally considered optional and may take the form of a suggested practice. They generally allow the individual to make a discretionary judgment on how to proceed when executing procedural steps.
What are four components of a Security Policy?
1. Identifying Evidence: Responding individuals must begin documenting everything that they find at an incident scene. 2. Collecting or Acquiring Evidence: Adhering to proper evidence collection and documentation techniques while minimizing incident scene contamination is vitally important. A chain of custody must be provided whereby every transition of possession is completely documented. 3. Examining or Analyzing the Evidence: The evidence is investigated and analyzed using sound scientific tests and methods which are acceptable both in the forensic community as well as in the court of law. 4. Presentation of Evidence and Findings: Forensics examiners must present their evidence, findings, and professional opinions in documentation such as court presentations and legal briefs.
What are four guidelines for evidence in digital forensics investigations?
1. New Hire Orientation: the individual is typically made aware of the dos and don'ts of the company's security policies and may sign an AUP 2. Mandatory Security Training: required under various regulations such as HIPAA in the medical field as well as various privacy regulations with respect to financial, banking, and credit card industry information 3. Specialty Security Training: includes training programs made available for vendors, customers, extranet users, senior executives, and department managers or offered in special situations 4. Corporate-wide Security Training: generally required at least once a year by most corporations
What are four types of security awareness training?
1. Trusted Domain: contains the user requesting access to a resource in another domain. 2. Trusting Domain: contains the resource to which access is desired. 3. Simple Trust Relationship: the resource maintains an ACL that identifies authorized users & permissions 4. One-Way Trust: users in one domain may access resources in a second domain, but users in the second domain may not access resources in the first domain. 5. Two-Way Trust: both domains trust each other and each user in either domain may access the resources of the other. 6. Transitive Trust: A transitive trust relationship is defined by a simple logical equation that if domain A trusts domain B and domain B trusts domain C, then domain A trusts domain C. 7. Web of trust or Peer trust: when all members of a group are on equal footing
What are seven concepts of Internetwork Trust Architectures?
1. Login Notification: The system provides the user with the last login date and time for user verification. 2. User Inactivity 3. Multiple Logon Control: Restricting to allow only one login from a specific user at one time. 4. Origination Location: Allowing based on location of the requester per company policy 5. Session Connection Time Limit 6. Continuous Authentication: the user is authenticated through every packet sent to the receiver.
What are six common session-level access controls?
1. Prevent and Protect: the network should be regularly monitored and all events should be logged appropriately. This is an ongoing process 2. Detect: When prevention and protection efforts are unsuccessful, an operator should be alerted to take immediate action and implement an incident response plan. 3. Analyze: Analysis of a suspicious event is conducted to discover whether the event is in fact an incident and whether it is malicious or unintentional and to assess its impact, scope, and severity. 4. Respond: Response should be immediate in an effort to mitigate damage and contain the intrusion. Various actions undertaken by the team should be recorded for future reference. 5. Resolve: The resolution of any cyber incident involves mitigating immediate damages and taking the actions required to prohibit additional attacks from the same vector. The resolution may include determining a source of attack, if possible, and taking actions such as adding firewall rules to guard against future activities.
What are the five phases of an incident response plan?
1. Identification: user provides identification 2. Authentication: second type of identification proving the user is who they claim to be 3. Authorization: assigns rights & privileges based on user's profile after they are authenticated 4. Accounting: tracing and recording the use of assets.
What are the four steps of Access Control?
1. Internet Key Exchange (IKE): exchanging or deriving a symmetric key for encryption purposes. A key may be exchanged out of band or maybe created using the Diffie-Hellman key exchange. 2. Security Associations (SAs): each party agrees upon the encryption algorithm to be utilized during the session. 3. Authentication Header (AH): provides authentication & an integrity hash of the packet. Supports access control, packet origination authentication, and connectionless integrity. Encryption is not performed by the AH. Used with the encapsulating security payload header. 4. Encapsulating Security Payload (ESP): the encryption mechanism in IPsec; totally encapsulates & encrypts the original packet. It provides for a header and a trailer that encapsulates the packet. This includes authentication as well as integrity for the packet. ESP provides protection against replay attacks. 5. Security Parameter Index (SPI): a unique value assigned to a communication between two parties. It is a tag that identifies preselected encryption rules and algorithms when more than one transmission session is being conducted. 6. ISAKMP (Internet Security Association Key Management Protocol): provides for support of multiple simultaneous VPNs. Can maintain multiple pairs of SAs and is a collection of cryptography attributes
What are the six components of IPsec?
1. False Rejection Rate (FRR): aka a Type I error; how often a biometric system rejects a good user 2. False Acceptance Rate (FAR): aka a Type 2 error; how often a biometric system incorrectly IDs a bad user as a good user 3. Crossover Error Rate (CER): Where the FAR and FRR cross over. The lower the CER, the better the system.
What are the three error rates for biometrics?
1. Prevention: something like a lock on the door 2. Detection: something like an alarm system 3. Recovery: actions taken after an unwanted occurrence
What are the three security categories?
1. Data in process: data is being acted upon by an application. Protections are rollback provisions, error flags, warnings, input validation, and integrity checking 2. Data in motion: data in transit from one location to another. Protections are verification of identity, authentication, encryption, and integrity 3. Data at rest: data is in storage and not being used. Protections are requiring identification and authentication to access, backups, and encryption
What are the three states of data and how does Data-Level Access Control protect them?
1. Transport Mode: used for host to host, peer-to-peer, and endpoint-to-endpoint communication. In this mode, the packet contents are protected while the original IP header is exposed for internal routing. 2. Tunnel Mode:used for encrypting VPN traffic, for network-to-network, gateway-to-gateway, or firewall-to-firewall communication. Used across insecure networks such as the Internet. In tunnel mode, the original IP packet, including the payload, is encapsulated into a new packet with a new header.
What are the two modes of IPsec?
1. Baseband: only one signal can be broadcast 2. Broadband: multiple types of signals can be broadcast
What are the two ways data can be broadcast across media at OSI Layer 1?
1. FISMA: The National Institute of Standards and Technology was given statutory responsibilities under the Federal Information Security Management Act (FISMA). Under the law, NIST is responsible for developing information security standards and guidelines. 2. FIPS: Federal Information Processing Standards (FIPS) are standards approved by the secretary of commerce as compulsory and binding standards for federal agencies. 3. SP: Special Publications (SP) are documents issued by NIST with recommendations and guidance for federal agencies.
What are three terms associated with NIST publications?
1. Physical: locks, doors, fences, etc 2. Logical: ACLs, IDS, firewalls, routers, etc 3. Administrative Controls: banners, signs, company policies, log-on screen stating appropriate use, etc
What are three types of controls?
1. Organizational Policies: established by a person or group with a high level of authority, such as a senior manager or corporate office, and it's usually very broad in nature. Affects entire organization. 2. Functional Policies: address specific issues or concerns of the organization. They may be used to define requirements related to particular areas of security, such as access control, acceptable use, change management requirements, hardware and software updates, and other operational concerns. 3. Operational Policies: used to clarify and provide a clear direction on operational topics such as access to specific database information, application software, or networking facilities.
What are three types of security policies?
1. Virtual Site: cloud provider offers IaaS recovery site 2. Partnership/Cooperative/Reciprocal Site: agreement between two companies to share resources in the event of a disaster
What are two additional Disaster Planning Alternate Sites besides the Hot/Warm/Cold sites?
1. RADIUS (Remote Authentication Dial-In User Service): standards-based technology available on many systems. Server can be managed centrally. Single server can perform all authentications, but many organisations use multiple servers to prevent a single point of failure 2. TACACS (Terminal Access Controller Access Control System): client-server environment that is similar to RADIUS, but it is proprietary, not standards based, and only available on Cisco hardware. Has authentication and authorization as well as logging, which enables auditing.
What are two types of remote user authentication services?