Information Security Midterm

Message Integrity Controls:

Hash Function, Checksum and Parity.

Non-repudiation

The sender of a message cannot deny that they sent a message or something after the fact. You are able to prove that they sent something.

Kerckhoff's Principle

The strength of the encryption algorithm relies on the secrecy of the key (both parties need to keep the key secret). -This goes hand in hand with the cryptanalysis assumptions of DES.

Parity Bits

The way that the packet itself provides information to the receiver so that they know how to reassemble it and what order (a puzzle piece with the number of the sequence on the back of it).

Access controls help protect against _______ & ____________.

Threats & Vulnerabilities

The main reason to protect audit records is:

To preserve the integrity of data used in detective controls.

Information Security:

The business function of protecting organizational information assets from harm. -Directly includes data, information, and systems. -Indirectly includes physical facilities & people.

Biometric Authentication Devices:

The individual's identity is confirmed by either: -Physiological trait: Unique; fingerprint, retina, iris, etc. -Behavioral characteristic: Keystroke, signature pattern.

False Accept Rate (Type II Error):

Unauthorized or imposters are accepted as authentic. (In regards to accuracy elements of biometric device issues). REALLY WORRIED ABOUT THIS ONE!

Passphrase:

Used as an alternative to a password. They are longer to enter and usually harder to crack. -Don't have to change, if at all, because they are long and hard to break via brute force.

Digital Signatures Schemes (DSS) (Most Common One)

Uses a Digital Signature Algorithm (DSA) and a Secure Hash Algorithm (SHA-1) which condenses message to 160 bits. Others include RSA, Nyberg-Rueppel, El Gamal, Fiat-Shamir, and Schnorr.

Social Engineering:

Uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.

Asymmetric Key Cryptography Weaknesses

-Computationally intensive. -Slow (1000 or more times slower than symmetric).

Encipher/Encrypt/Encode

Act of scrambling using a key.

Compensating

Alternative control (e.g., Supervision)

Steganography

Art of hiding communications. -Deny message exists. -Data hidden in picture files, sound files, slack space on floppies. -i.e., least significant bits of bitmap image can be used to hide messages, usually without material change to original file. -Unlike encryption, which uses an algorithm and a seed value to scramble or encode a message to make it unreadable, steganography makes the communication invisible. -Steganography simply takes one piece of information and hides it within another. Only through a direct, visual comparison of the original and processed image can the analyst detect the possible use of steganography. -Usually the suspect system only stores the processed image, so the analyst has nothing to use for a comparison and has no way to tell that the image in question contains hidden data.

What is the primary use of a password?

Authenticate the user

Preventive

Avoid incident

Truncating, masking, or hiding part of an employee's SSN on a printed pay stub would be an example of which foundational information security concept?

Confidentiality

Which is the best known example of a symmetric key cipher?

DES

Decipher/Decrypt/Decode

Descrambling with key

Functional Requirements (IT Security Requirements)

For defining security behavior of the IT product or system.

A legally recognized obligation that is not performed by the corporate officer responsible for said obligation, and that results in harm, is:

Negligence

Availability

Prevent disruption of service and productivity for user data, information, or systems. The last core security principle for the TRIAD of Info Sec.

Confidentiality

Prevent unauthorized access of data, information or systems. One of the core security principles for the TRIAD of Info Sec.

Integrity

Prevent unauthorized modification of data, information, or systems. One of the core security principles for the TRIAD of Info Sec. Only those who are authorized to create, modify, or delete data/information/or systems should be allowed to do so.

Rijndael (AES)

Probably the most popular algorithm from a symmetric perspective today (Specifically AES 256 -standard algorithm for a symmetric process!!!) -Not a set number of rounds of transposition and substitution. (Therefore, each algorithm can vary a little bit). -Very strong algorithm. -For symmetric key cryptography: The larger the key size the stronger the algorithm!

Corrective

Remedy circumstances/mitigate damage. Restore controls.

Recovery

Restore conditions to normal.

Single Loss Expectancy (SLE):

SLE = Asset Value ($) X Exposure Factor (%age of asset loss when threat is successful).

Original Caesar Cipher

Shift the alphabet in one direction (move the letters 3 spaces).

XOR

Simply assigns a value to each character that is going to be encrypted (Assigns a 1 or a 0 to each character).

Social Engineer:

Someone who uses deception, influence, and persuasion, against businesses or individuals, usually targeting their information.

Authentication by Ownership:

What a person has.

Data Encryption Standard (DES)

-A symmetric block mode cipher that uses a 64-bit input and output block size to encrypt data. -The key variable is the 64 bits used to key DES crypto equipment. -Eight bits are used for parity checking and 56 bits are used in the DES device for encrypting and decrypting. -The parity bits are used as check digits for the true key bits. -A 56-bit true key plus 8 parity bits (72 quadrillion possible keys = 2 raised to the 56th power). -16 rounds of transposition and substitution to encrypt and decrypt.

Public-key cryptosystems

-Are based on (presumed) trap-door one-way functions. -The public key gives information about the particular instance of the function; -The private key gives information about the trap door. Whoever knows the trap door can compute the function easily in both directions, but anyone lacking the trap door can only perform the function easily in the forward direction. -The forward direction is used for encryption and signature verification; the inverse direction is used for decryption and signature generation.

Identification:

-Asserts user/process identity (unique). -Provides accountability (with protected audit trail). --Traces activities to individuals. --Holds users responsible for actions. (One of the 4 access control services).

Asymmetric Key Cryptography

-Based on a different mathematical concept than the symmetric encryption process. -Instead of a single key, there is a 'key pair.' -The two keys are related to each other mathematically. -One of the keys is kept secret (Private Key). -The other is made available to everyone (Public Key). -'Computationally infeasible' to derive the private key from knowledge of the public key. -When data is encrypted with either one of the keys, the other key is the only one that can decrypt the ciphertext. -One key is the inverse of the other!

Good cryptographic Hash Functions should have the following properties:

-Be unable to compute hash value of two messages combined given their individual hash values. -Hash should be computed on the entire message. -Hash functions should be one-way (messages cannot be generated from their signature). -It should be computationally infeasible to compute the same hash value on two different messages. -Should resist birthday attacks.

Separation of Duties

-Define elements of a process or work function. -Divide elements among different functions.

List the threats to access controls:

-Denial of Service. -Buffer Overflows. -Mobile Code. -Malicious Software (viruses, worms, trojan horses, logic bombs).

Symmetric Encryption Systems

-Encryption systems that use the same key both to encrypt and to decrypt. (Also referred to as private key/single key/secret key.) -Both parties use the same key to encrypt and decrypt the message. -Both sides of the key are the same for both parties. -A significant problem with single key crypto is getting the key to the recipient without it being disclosed to anyone else. -The speed of Symmetric Cryptography, 10-100 million bits/sec, is very significant because it is about 1000 times faster than the initial versions of asymmetric crypto. -Ex: DES, Double DES (2DES), Triple DES (3DES), AES/Rijndael, IDEA, RC4, RC5/RC6

Blowfish

-Highly efficient block cipher. -Key length up to 448 bits. -64 bit block size. -Optimized for 32 bit microprocessors.

Simple MIC (checksum/parity):

-Is a weak form of integrity control. -Only detects accidental alteration; forgery possible. -Algorithm examines bitstream and calculates MIC value; output appended to bitstream. -Receiver must generate new MIC and compare with the original.

Transposition Cipher

-Is based on rearranging the characters in a message. -The key is the technique used to rearrange letters, whether done manually by a person, or mathematically using a computer. -Transpositioning or rearranging the order of the letters.

Symmetric Key Cryptography Weaknesses:

-Key Management and Implementation (Ensure that sender and receiver can agree upon a key, and how they exchange a key). -Key Distribution (Same key used to both encrypt and decrypt. Requires very secure mechanism for key distribution. Keys and data must be delivered separately). -Scalability: Since a unique symmetric key must be used between the sender and each recipient, the number of keys grows exponentially with the number of users: N (N-1) / 2. Ex. 10 users = 45 keys. -Limited Security: (Symmetric keys only encrypt data and restrict its access. Does not provide proof of origin or non-repudiation).

Least Privilege

-Limit users and processes to access only resources necessary to perform assigned functions.

Codes

-List of words/phrases (code) with corresponding random groups of number/letters (code groups) -Ex: Colored flags for navy ships, Morse Code.

A stream cipher algorithm should have these features:

-Long periods with no repeating. -Functionally complex. -Statistically unpredictable. -Statistically unbiased key stream (as many 0's as 1's). -Key stream not linearly related to key.

Stream Ciphers

-Operate on Continuous Streams of plain text (as 1's and 0's). -Usually implemented in hardware. -Well suited for serial communications.

Which of the following is not part of an Access Control System Service?

Non-Repudiation

Authentication by Characteristic:

What a person is/does.

Authentication by Knowledge:

What a person knows.

Ciphertext/Cryptogram

scrambled data

Deterrent

Discourage incident

Block Ciphers

-Operate on Fixed size Blocks of plain text. -More suitably implemented in software to execute on general purpose computer. -Overlap when block operated as stream. -Block Ciphers are completely different from stream ciphers in a way that they do not operate in real time, they typically take a chunk of the data and encrypt in a block and then send the message in blocks. Then the software uses a road map to organize the blocks and decrypt the message.

Characteristics of Block Ciphers

-Operates on fixed-size text blocks (Usually 8-byte (64-bit) ASCII text in block ciphers, with length a multiple of 8 bits). (Every 8 bits of the text gets encoded, very slow!) -Block mode ciphers are generally slower than stream mode. -Data Encryption Standard (DES) is the best-known block cipher.

Cryptanalysis

-Practice of defeating attempts to hide information. -Reduction or solution of secret messages without knowledge of the system or the key or the possession of a code book.

Cryptography is now typically used for many applications such as:

-Prevent unauthorized disclosure of information. -Prevent unauthorized access to information, computers, web sites, applications, etc. -Detect tampering. -Detect injection of false data. -Detect deletion of data. -Prevent repudiation.

Asymmetric Key Cryptography Strengths:

-Provides efficient encryption and digital signature services. -Efficient symmetric key distribution. -Scalability (only two keys needed per user; 1,000 people need a total of 2,000 keys, easier to manage than the 499,500 needed for symmetric). -Can provide 5 security elements: 1) Confidentiality/Privacy: Data cannot be decrypted without the appropriate private key. 2) Access Control: The private key should be limited to one person. 3) Authentication: Identity of sender is confirmed. 4) Integrity: Data has not been tampered with. 5) Non-repudiation: Sender cannot deny sending.

Digital Signatures Benefits:

-Provides non-repudiation (ensures that the sender cannot deny sending the message and the recipient cannot claim receiving a different message than the original). -Used to authenticate software, data, images, users, machines (protects software against viruses, and a smart card with a digital signature can verify a user to a computer Ex: Seth's Military ID Badge).

Access controls enable management to:

-Specify which users can access the system. -Specify what resources they can access. -Specify what operations they can perform. -Provide individual accountability. (The environment for access control is the entire system).

Concealment Cipher

-True letters of plaintext hidden/disguised by device or algorithm. - The key in this simple minded cipher is how many words are between the words of the true message. Otherwise the encrypted or cipher text looks like a totally different message.

Hash Function:

-Used to condense arbitrary length messages and produce fixed-size representation of message. -Used for subsequent signature by a digital signature algorithm. (Digest: A unique value that is produced from the message with a hash function. Serves the same purpose of a checksum). -Hash Functions Ex: Most Common "Secure Hash Algorithm" -SHA-1, SHA-256, SHA-384, SHA-512. Others: RSA Message Digest, TIGER, HAVAL, RIPE MD-160, RIPE MD-128, MD2, MD4 and MD5 algorithms.

Symmetric Key Cryptography Strengths:

-Very fast which allows for large amounts of data to be encrypted in a very little time. -Very difficult to break data encrypted with large keys. -Availability- algorithms and tools used for symmetric encryption are freely available.

Hybrid Cipher Systems:

-Will use each technology where it is best suited. -Symmetric Key algorithm for bulk data encryption. -Asymmetric Key algorithm for automated key distribution. -Since the receiver's public key is used to encrypt the symmetric key the receiver is the only person that can decrypt it because the receiver's private key is the only one that can decrypt anything encrypted using the corresponding public key.

What is the key length of the 3DES algorithm?

168-bits ( 56 bits x 3)

Algorithm

A 'mathematical' function that takes plaintext and a key as input, and produces ciphertext as output.

One Way Function

A one-way function is a mathematical function that is significantly easier to compute in one direction (the forward direction) than in the opposite direction (the inverse direction). It might be possible, for example, to compute the function in the forward direction in seconds but to compute its inverse could take months or years.

Role-Based Access Control (RBAC):

A role-based access control policy bases the access control authorizations on the functions that the user is allowed to perform within an organization. Determination of what roles have access to a file is at the owner's discretion. Hence, this is another example of DAC.

Access Control Services:

A system that provides these services: -Identification: Asserts user identity. -Authentication: Verifies who the user is and whether access is allowed. -Authorization: What the user is allowed to do. -Accountability: Tracks what the user did and when it was done. (These access control services involve the use of another server, commonly called the Network Access Server (NAS)).

Message Integrity Controls (MIC)

A value calculated using an algorithm that is highly sensitive to bit changes.

SOX applies to all of the following organizations EXCEPT....

ANS: Auburn University Federal Credit Union (other choices: Citi Bank, Intel, ExxonMobil)

RSA

Algorithm developed in 1977. -Ronald Rivest, Adi Shamir, Leonard Adleman inspired by Diffie-Hellman paper. -RSA algorithm published in 1978.

RC4

An example of a stream cipher that is a symmetric key algorithm. Good for live stream broadcast (best option). -Implemented in hardware and is efficient for real time broadcast or real time data transmissions.

Annualized Loss Expectancy (ALE)

Annual expected loss if a specific vulnerability is exploited and how it affects a single asset. SLE × ARO = ALE. ALE = amount of loss/incident multiplied by the rate/year. SLE "Single Loss Expectancy" ARO "Annualized Rate of Occurrence"

Technical (Logical):

Anti-virus software, password protection, firewalls, auditing.

Access Controls:

Are a collection of mechanisms that work together to protect the assets of the enterprise.

Symmetric Algorithms:

Are fast and strong (given sufficiently long keys).

Asymmetric Algorithms:

Are good at key management but terribly slow.

Which of the IT Security Requirements focuses on establishing measurements that the IT security functions will be performed as intended?

Assurance Requirements

RSA

Asymmetric Cryptographic Algorithm (most commonly used). Based on the Diffie-Hellman idea from 1976. -Public Key algorithm, meets all three asymmetric needs: 1) Data Encryption 2) Key Distribution of symmetric keys 3) Digital signatures for non-repudiation. -Mathematical problem of factoring the product of large prime integers. -100 times slower than symmetric key encryption in software. -1,000 - 10,000 times slower than symmetric key encryption in hardware. (512 and 768 bit key lengths are considered weak, 1024 is moderately secure, and larger keys are even better, ex: 2048).

Block Mode Cipher

Chop up the data into 8 bit chunks. The only exception to this is RC4.

A Trap Door One Way Function

is a one-way function for which the inverse direction is easy given a certain piece of information (the trap door), but difficult otherwise.

Phishing

Attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as CC #'s, account usernames and passwords, SSN and etc.

Digital Signatures:

Authentication tool to verify a message origin and sender identity. -Resolve authentication issues. -Block of data attached to message (document, file, record, etc.). -Binds messages to individual whose signature can be verified (By receiver or third party, Difficult to forge). -Each user has public-private key pair. (Private key signs (creates signature), public key verifies it). -A digital signature is created by encrypting a digest or hash value of a message with the senders private key.

False Reject Rate (Type I Error):

Authorized users are rejected as unidentified or unverified. (In regards to accuracy elements of biometric device issues).

Which of the cornerstone principles of information security focuses on the prevention of disruption of service?

Availability

Two Factor Identification:

Casey's personal favorite authentication method for business from a cost perspective and a robust perspective. (Using this with your VPN and the password from a text on your phone (Something that you know and something that you have in your possession)).

Digital Signatures do not allow for:

Confidentiality of the message

Plaintext/Cleartext

Data in unscrambled form.

A user access log is an example of which category of Access Control?

Detective

Functionality for CIA

Designing, development, deploying. -Development: writing the application. -Deploying: installing it on our services. Functionality is the more technical side.

DES

Developed in 1976. -Designed by IBM based on Lucifer, improved by National Security Agency. -Worldwide acceptance due to its strength.

The notion that corporate offices must adhere to maintaining a certain level of security for the organization and the organizational assets in their control is known as:

Due Care

Triple DES

Encrypt something or a message 3 different times. However, you encrypt something with an algorithm. Then you try and decrypt it with the wrong key. And then re-encrypt it with a different key.

Double DES

Encrypt something the first time with an algorithm, then use that same algorithm to encrypt the message again. -Intended key length 112 bits -Turned out to be no more secure than DES (Meet-in-the-Middle-Attack).

To make sure that a message is confidential and has proof of origin with asymmetric encryption you should:

Encrypt the message with the Originator's Private Key. Then you take the encrypted message now and you encrypt it using your public key. So the only thing that will open it is your private key.

Using Asymmetric (Public Key) Encryption to provide the recipient of a message with "Proof of Origin" requires that the sender

Encrypt the message with the sender's Private Key

A stream mode cipher would be most applicable for which of the following tasks?

Encrypting a real-time broadcast of a digital video conference between heads of state.

Polyalphabetic Cipher

Establishing a different alphabet for each letter of the message that we are going to encrypt.

Public Key Asymmetric Systems are based on what mathematical techniques:

Factoring the product of large prime integers. Or using the Discrete Log problem.

Assurance Requirements (IT Security Requirements)

For establishing confidence that the security function will perform as intended.

Sarah works in the IT Department for ABC Corp developing and implementing technical solutions in the information systems of the company. In her job, Sarah performs which of the type of information security requirement?

Functional Requirements

Which of the following is TRUE?

HiTech requires any business entity that stores, manages, or transfers healthcare data to comply with HIPAA.

Public Key Cryptography

Idea introduced in 1976. -Whitfield Diffie and Martin Hellman published 'New Directions in Cryptography'

Detective

Identify incident

Rule-Based Access Control:

In a rule-based system, access is based on a list of rules that determine what accesses should be granted. The rules, created or authorized by system owners, specify the privileges granted to users (i.e., read, write, execute, etc.). This is an example of DAC, because the owner writes the rules.

Cryptology

Includes both cryptography and cryptanalysis.

Establishing a control on a sales transaction database so that only an authorized sales associate can modify data they previously created would be an example of which foundational information security concept?

Integrity

IDEA

International Data Encryption Algorithm developed by Xuejia Lai and James Massey - Switzerland, 1990. -Developed to replace DES -Uses 128-bit key

Asymmetric Key Cryptography

Involves 2 keys, 1 private and 1 public

Asynchronous token device (Not in your possession):

Is really challenge-response technology. Dialogue is required between the authentication service and the remote entity trying to authenticate. (The authentication server will provide a challenge to the remote entity that can only be answered by the token that the individual holds in his hands. The token will give the correct response, which is then provided to the authentication server. Without the asynchronous token device, a correct answer to the challenge cannot be generated.)

Authentication:

Is the process of verifying the identity of the sender and/or receiver of information. This establishes what the user is allowed to do once the user has been identified and authenticated by the system. (One of the 4 access control services).

What does cryptography address?

It is the method of protecting information and communications through the use of codes so that only those for whom the information is intended can read and process it. The purpose of cryptography is to protect information and prevent it from being used by anyone who it was not intended for.

The three methods of authentication are presenting something you ______, something you ______, or something you _______.

Know, Have, Are

Which of the following security principles are supported by role-based access control?

Least privileged, separation of duties, discretionary access control.

Physical:

Locks, alarms, badge systems.

Assurance form of CIA

Measurement of whether the functional side is working as it is intended. On the assurance side we test everything. The testing, monitoring and measuring side. This is also known as auditing the system.

When a manager fails to exercise due diligence, it most likely can be considered....

Negligence

Diffie-Hellman

Pioneered the concept to develop a viable asymmetric encryption process.

Administrative:

Policies and procedures, including personnel controls such as security clearances, background checks.

Scramble Alphabet Cipher

Substitute one letter for another.

An employee attempts to navigate to a restricted website and receives a message that reads "This site is not approved by the company for access - Press OK to continue". This is an example of what type of control?

Technical

Which one of the following entities has the primary responsibility for determining access to a data file in a DAC environment?

The Owner

Crossover Error Rate (CER):

The point at which the false rejection rates and the false acceptance rates are equal. The smaller the value of the CER, the more accurate the system (biometric device metric between error rate and sensitivity).

Issuance:

The process of issuing identifiers must be secure and documented. This refers back to Identification.

Which of the following is TRUE regarding symmetric cryptography:

The same key is used by both the sender (encryptor) and receiver (decryptor).

Digital Signatures Operation:

To "sign" a message: -Sender computes digest of message (using public hash function). -Crypto "signature" is made with sender's private key (applied to digest, creates digital signature). -Digital signature sent along with message. -The message itself is not made private. To "verify" a message: -Receiver computes digest of received message. -Decrypts the signature with the sender's public key to extract the original sender's digest. -Verifies if the recomputed and decrypted digests match (signature decryption identifies sender and verifies integrity of the message).

Identity management is a much used term that refers to a set of technologies intended to manage a basic problem:

information about the identity of employees, contractors, customers, partners and vendors, is distributed among too many systems, and is consequently difficult to manage.

Substitution Cipher

is a method of encrypting by which units of plaintext are replaced with ciphertext, according to a fixed system; the "units" may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth.
