ITN262 Final Exam Prep - Chapter Review Questions
Summarize risks that are more significant to enterprises than to individuals.
1. Disclosure • Theft of trade secrets—giving secret company information to competitors. This may include lists of customers or clients as well as secret technical data like product designs or manufacturing processes. • Data breach—theft or loss of information collected by the company about individuals (employees, clients, suppliers, or customers). We reviewed examples of this in Section 6.1.3. • Insider trading—using secret company information to anticipate changes in its publicly traded stock price and buying and selling stock accordingly. 2. M asquerade • Fraud—using a bogus identity to trick the company into delivering goods or making unnecessary payments. • Social engineering—tricking people into providing sensitive information or physical access to company resources. 3. Service loss • Extortion—interrupting company services and threatening interruption unless the attacker receives a ransom payment. Some cyber criminals have shut down company websites with DOS attacks and demanded payment to refrain from additional attacks. The CryptoLocker malware also uses extortion (see Section 3.2.4). • Vandalism—attacks on company equipment or services that cause disruptions but aren't tied to ransom payments. • Logic bombs—attacks implemented by employees that take effect unless the employee deactivates them on a regular basis. The bomb triggers if the employee is fired and is not present to deactivate it. 4. Subversion • Fraud again—an employee might rig the system to provide improper periodic payments and hide them from auditors. • Rootkits—employee computers become infested with backdoor software that opens them to other attacks, including theft of authentication credentials or of other sensitive information. • Network subversion—someone infiltrates the company's network infrastructure (routers, firewalls, etc.) and uses this access to manipulate network traffic. 5. Physical theft • Equipment theft—someone steals computing or networking equipment. • Laptop theft—someone steals a company laptop, which may contain sensitive company information.
Identify and describe the four different approaches ("design patterns") for authentication.
1. Local: All components of the system reside within its security boundary, from the input device (keyboard, biometric) to the authentication database. Each local device contains an authentication database that is completely independent from the others. 2. Direct: The system contains its own, independent authentication database, but users authenticate to it from remote locations. 3. Indirect: The system accepts remote logins, but relies on a separate system, the authentication server, to perform the authentication process. The system itself doesn't keep an authentication database for regular users. 4. Offline: This is a variant of direct authentication in which the database uses public-key certificates to authenticate its users.
Describe two techniques to help reduce the insider threat.
1. Monitoring. People are more likely to behave if they think they are being watched. Monitoring may double check periodic results, like the cash held by cashiers, or may scan for unauthorized activity, like access to nonbusiness websites during business hours. 2. Two-person or multiperson control. Most employee misbehavior is by individuals, not conspiracies. Companies can greatly reduce the risk by involving two or more people in important transactions. This may be procedural, as with checks for accounts payable, in which one person makes the list of checks, another prints the checks, and a third signs them. This also may be implemented with automated systems, as with nuclear missile launching or automated workflow systems. 3. Job rotation. Ongoing cases of employee fraud often rely on "cooking the books" on a regular basis. If a critical activity is performed by different employees in rotation, it is more difficult for one of them to exploit it. There is a notable example of bank fraud that was uncovered when a loyal employee was forced to take some long-neglected vacation. The replacement discovered a serious discrepancy that the regular employee had systematically hidden in order to mask an ongoing theft of funds.
Give two examples of social engineering attacks.
1. Phishing: is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. 2. Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims' personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target to confirm their identity.
Identify and describe the four phases of a large-scale attack.
1. Surveillance. The attacker studies the attack target, collecting information about it. 2. Infiltration. The attacker takes steps to enter the system so that the attack may take place. This by itself "compromises" the system by placing a malicious process within its environment. 3. Execution. The attacker takes the steps needed to achieve the attack's objective. 4. Disengagement. The attacker withdraws, having achieved the attack's objective. Often, this step tries to erase evidence of the attack or eliminate any trail that points to the attacker.
Describe the role of a business impact analysis in disaster planning.
A business impact analysis (BIA) is a report that assesses the enterprise's ability to recover from a major disaster. This is often the first step in the disaster-planning process. If the enterprise already has plans in place, the BIA provides an assessment of how effectively those plans work. The BIA does the following: • Estimates the impact of a worst-case scenario on business operations. These include tangible financial impacts and intangible impacts, like those on reputation. • Identifies work processes affected by such a scenario. • Estimates how long it will take for the work processes to recover.
List and explain the three basic recovery strategies.
A delayed recovery requires the least up-front expense, but the enterprise can't resume its computer-based operations immediately. The strategy is to salvage, rent, or buy the equipment needed to resume operations, reinstall systems, software, and databases from backups, and then resume operations. If the existing premises are usable, then the enterprise resumes operations in place. If not, the enterprise rents space for equipment and employees to use. A cold standby is a computing environment, geographically distant from the main site, that we leave idle in case of a disaster. If a disaster occurs, the enterprise activates the cold standby environment, installs its backups, populates the site with employees, and resumes operation. Hot standby If an enterprise needs to keep operations going at all times despite potential disasters, it implements a hot standby. This is essentially a dedicated cold standby site with all equipment already in place and preloaded with the necessary software and data.
Describe the three functions provided by a low-cost commercial internet gateway product.
A few functions of the internet gateway products could include, analyzing packets entering and leaving the network. Changing ports to being opened or closed, and detecting what traffic is flowing through those ports.
Briefly describe mature network technologies. Which ones do you use or have you used? Briefly describe your experience.
A mature technology is a technology that has been in use for long enough and used heavily. These systems may evolve into new and different services or they might fade away like the telegram. I never used a telegram before, but I have seen one. I know telegram is a device used to transmit messages over long distance using an electrical signal. I witnessed the landline phones which I used for long period of my lifetime. We could make calls nationally and internationally.
Which headers are left in plaintext when we use link encryption? Network encryption? Application encryption?
A network encryption because it is the only way we can route a packet through protocol stacks is if the appropriate packet headers remain in plaintext.
What is a socket? How does it relate to typical networking API?
A network socket is an internal endpoint for sending or receiving data within a node on a computer network. The socket APIs allow applications to communicate and interact with the other layers of the OSI model such as the Transport and Networking layers.
Identify the basic features of a reference monitor and explain its purpose.
A reference monitor is a mechanism that always enforces its security policy. The features includes: 4 Non-passable - The reference monitor makes all access control decisions. Tamperproof - There is no way for attackers or other system users to damage or disable the reference monitor. Verified - The reference monitor must be small enough so that it may analyze and test it thoroughly to assure that it operates correctly. Always Invoked - Without this property, it is possible for the mechanism to not perform when intended, allowing an attacker to violate the security policy.
Explain the role of the network mask in Internet routing.
A subnet mask hides (or masks) the network part of a system's IP address and leaves only the host part as the machine identifier.
Explain the role of ARP and how it works.
ARP is the address resolution protocol. ARP uses simple messaging format containing one address resolution to map MAC addresses.
Why does a typical low-cost network gateway need to provide special mechanisms to handle inbound connections? Why doesn't it simply forward the packets to the chosen host address?
Because the gateway's NAT function typically ignores unsolicited inbound traffic, which is arguably the most dangerous. If all traffic is solicited by local clients, the traffic is unlikely to be risky, because local clients are less likely to connect to risky locations. Unsolicited, hostile connections from malicious sites pose a much greater risk.
Why is it a challenge to achieve Separation of Duty if all steps take place on a single computer system?
Because the system administrator, could give himself access to all access steps and complete them by himself—or he could create bogus identities on the system and give them access to the steps.
Why does the US government put special efforts into COMSEC instead of simple relying on commercial cryptographic products and mechanisms?
COMSEC is particularly important because as the information rides on the same network a single failure will allow an attacker access to the entire network. It is important that the tools mitigating the attack are not available for people to access and discover additional ways to break into it.
Identify features of US COMSEC measures that make them different from commercial practices described in earlier chapters.
COMSEC policies and procedures include those involving the use of cryptographic security measures, emissions security, transmission security, and physical security of COMSEC aids and hardware used to encrypt and protect sensitive or classified communications.
Summarize basic attacks on DNS.
Cache poisoning: A resolver receives a bogus response to a DNS query. All subsequent queries will receive the wrong information and redirect connections to the wrong IP. DOS attack on major DNS servers: Attackers try to disable DNS service in parts of the Internet by attacking major DNS servers. DOS attack using a shared resolver: An attacker transmits numerous bogus DNS queries to the shared resolver. Attacks either trick DNS into returning incorrect information, or they attack DNS services in a way that disrupts other Internet services. We examine each attack and also review proposed DNS security improvements.
Explain the difference between a security classification and a security clearance. How do they interact?
Classification - identifies a special category of information called classified information and identifies classification levels that indicates different degrees of risk of disclosure, whereas Clearances - are a process to establish permissions to receive classified information in which we investigate individuals to assess their trustworthiness. A person must receive a security clearance to be granted access to classified information
Describe the different types of security markings that may appear on a classified document. Distinguish between genuine classification levels and other markings. What is meant by "above top secret"?
Classified devices or equipment likewise carry a label. The outside label indicates the most sensitive information contained therein. Document cover sheets and paper labels to apply to equipment o rother items often use this color code: Top Secret - orange or gold, Secret - red, Confidential - blue. Top Secret information is standard across the U.S. government, access to special programs and certain types of intelligence may require a more elaborate investigation and clearance process. This is referred to as "Above Top Secret."
Briefly explain how TCP establishes a connection.
Connections typically take place in a client/server environment, we will call the initiator the client and the recipient the server. The client opens the TCP connection to the server by exchanging a three-way handshake: three packets with particular Status flag settings: • Client sends first packet: SYN ("Synchronize") flag set • Server sends second packet: both SYN and ACK flags set • Client sends third packet: ACK flag set The fourth packet contains data sent by the client to the server ("GET/ncsa.txt"). The fifth packet contains data sent to the client by the server ("HTTP/1.1"). The final packets exchange the FIN ("Finish") flag to close the connection.
Describe the fours modes of operation. Identify the most common mode used today.
Dedicated - Places the fewest requirements on the computer itself, but places the most restrictions on the data being processed an on the user community. System High - The system may process data at multiple classification levels. The entire user community must be cleared for the highest-level present on the system, but they do not all require a Need to Know. Compartmented or Partitioned - Everyone who uses the system is cleared for Top Secret and for access to special program or intelligence data. Not all users have formal access permission to all compartments or code words. Multilevel - The system may serve users with different security clearance and may store data which some users aren't cleared to receive. The system must implement a reliable and effective multilevel security mechanism.
What is the purpose of a background investigation? Do enterprises perform such investigations on all new employees?
Enterprises consult third parties to verify the applicant's history. This may involve a drug check, verification of employment history, and a criminal background check. Companies tend to perform the same checks on all employees for particular types of jobs; it doesn't make sense to do background checks on some cash-handling employee applicants and not on others. Certain jobs may require more extensive background checks. In government and military enterprises, this involves "security clearances" (see Section 17.2). Nongovernment jobs may do additional checks on people employed in security-related or IT-related roles, because such people have exceptional access to sensitive company resources. Typically, an organization conducts an investigation to ask specific questions. In particular, most organizations want to confirm that the employee has been completely accurate and honest on the employment application. They then may make an employment decision or a decision to appoint someone to a sensitive position, based on information the employee has provided.
Describe different techniques to produce and manage backups.
File-oriented synchronized backups: The user backs up a selected collection of files, often gathered into a specific folder or directory. The process preserves two copies of the latest files: one copy on a USB drive and another on a computer's hard drive. File-oriented incremental backups The user periodically save all changes made on the system since the previous backup. Typically, the backup software writes the backup files to a separate hard drive. If our main hard drive fails, we should be able to restore the backed-up files onto a replacement hard drive. Full-image backups These are bit-by-bit copies of one mass storage device to another. We then save the copy. If disaster occurs, we retrieve the copy and transcribe it back to the original drive or to a hardware replacement. RAID as backup A redundant array of independent disks (RAID) storage system contains two or more separate hard drives used together to increase reliability, performance, or both.
List the elements of an incident handling policy.
How to grade incidents by seriousness • Who to contact in the IT or security organization when incidents occur • Roles and responsibilities within IT and within other enterprise departments • What technical steps to take to mitigate further damage • What procedural steps to take to report the incident to other enterprise departments or to senior management • Which incidents should be reported to law enforcement In general, information on an incident is handled on a Need-to-Know basis. Public announcements are the province of other departments or of senior management.
Describe the two parts of an IP address.
IP addresses have of two parts, the network part and the host part. one that describes / identifies the network, and the other the identifies the host. These two parts can vary in size if they are either a class A B C D or E network.
Explain how the different IPsec modes apply encryption either above or below the IP layer.
IPSec provides security services at the IP layer by enabling a system to select required security protocols to determine algorithms to use for services and put in place cryptographic keys required to provide the requested services.
Describe the difference between IPv4 and IPv6 addresses. Which is most widely used?
IPv4 uses a 32-bit addressing system that allows a total of around 4 billion addresses at any given time. IPv6 is the next generation of the Internet Protocol that allows 340 undecillion addresses or 2^128. IPv4 is more widely used than IPv6 and more devices run off the older Internet Protocol system. IPv4 is a legacy system that is slowly being phased out for IPv6 since it theoretically will never be out of IP addresses out unlike IPv4.
Explain the role of autonomous systems and ISPs in the structure of the global internet.
ISPs provide services mainly internet to other organizations and individuals. Autonomous systems could do several different things such as collect IP routing prefixes and act essentially as large relay agents providing umbrella service to a specific network of users.
Describe how to create a shared key using shared secret hashing.
If two sites share a secret, they can combine the shared secret with additional shared entropy to establish traffic encryption keys. First, each host generates a random nonce and sends it to other. Next, each host uses a one-way hash to combine the shared secret, the nonces, and other connection-specific information. We use the hash result to construct our traffic key.
Describe how Diffie-Hellman and RSA are used to share a secret on a network.
In Diffie-Hellman two users can construct a shared secret by sharing public keys. Each combines their own private key with the other's public key to yield the shared secret. In RSA, sender encrypts the secret with the public key and the receiver decrypts it with the private key.
Summarize elements of government and military information operation of intelligence operations, and of operations security.
Information operations - Within the U.S. military, information operations are intended to influence or disrupt the decision making of adversaries. The operations rely on a variety of measures that are rarely used in private or commercial activities like electronic warfare, computer network operations, military deception, operation security, and psychological operations. Operations security - OPSEC is process for assessing publicly visible friendly aspects of military operation from the point of view of adversaries to ensure that adversaries can't deduce sensitive information from its publicly visible actions. An OPSEC analysis may restrict public activities or lead to cover and deception activities.
What features does a simple, low-cost network gateway provide to protect a small local network from attack?
Install a gateway that contains a firewall to control what kind of traffic allowed or not. Many gateways also contain an event log. This keeps a record of major events, like DHCP address assignments by the ISP and by the gateway itself. This lets the owner track connections by computers on the LAN. Some products also detect certain types of Internet attacks. Typical gateways will email the log to the owner on a periodic basis. The firewall feature of typical gateways may provide the LAN with an extra measure of protection.
Why is key management hard to do when we provide end-to-end crypto?
Key management is hard to do when we provide end-to-end crypto because end-to-end encryption is different from other types of encryption because the actual sender applies the protection and the actual recipient decrypts the message and verifies the digital signature unlike other types of encryption. End-to-end crypto relies on personal graphic keys.
Explain how key wrapping works on a network. Compare network based key wrapping with file-based key wrapping.
Key wrapping uses a KEK to encrypt the key we distribute. When encrypting the contents of a file, we encrypt it with a content encrypting key (CEK). We then wrap the CEK with a key encrypting key (KEK) when sharing it. When encrypting network traffic, we use slightly different terms; we encrypt network traffic with a traffic encrypting key (TEK). We then wrap the TEK with a KEK when sharing it.
What is the relationship between the employee life cycle and security management?
Life cycle activities mark the beginning and ending of an employee's work at an enterprise. In fact, security related activities take place even before hiring. The hiring decision itself relies on information about the employee's skills and trustworthiness. The hiring process almost always involves a personal interview with potential supervisors and managers. Although most supervisors value an interview because the interaction is a good way to assess a potential employee, it also provides an opportunity to authenticate the applicant. Subsequent investigations should use authenticated information about the applicant, like name, address, and date of birth taken from a driver's license or other authentic identity card. Statistically, a person's name, place of residence, and date of birth taken together almost always identify unique individuals.
Explain the multilevel security problem and the Bell-LaPadula model.
Multilevel security works effectively only if all data paths between processes are controlled by the system security mechanisms. The virus problem - The Bell-LaPadula rules do not - and cannot - prevent a virus present at a lower classification level from propagating to higher classification levels. The redaction problem - User routinely rely on large and unreliable application program to edit classified documents and to create less-classified versions of such documents by removing the more-sensitive data.
Explain how DNS looks up a domain name using redirection.
Names in the DNS form a hierarchy, and different servers are assigned to different sections of the hierarchy. These sections are called "zones." A server assigned to a zone is considered the authority for answering questions about domain names in that zone. If we need to resolve a domain name like "www.stthomas.edu" and we don't know where to start, we go to a root server. The root server then refers us to a more specialized server to answer our question. The process repeats until we find the server with the answer. Our first query goes to the root server. The server looks at the top-level domain in the name: ".edu" in this case. The server doesn't know the whole answer itself, so it refers us to a server with better information. We send our query a second time, this time to the ".edu" server. This server looks up the subdomain name "stthomas" and finds a server that can answer queries about it. Our second query, like our first, yields a referral to another name server. Our third query goes to the "stthomas.edu" server, which finally returns a response. Because "stthomas" belongs to a university with a large IT department, it runs its own domain name server. Personal domain names often are directed to a server belonging to a domain registrar. If the subdomain has subdomains, those usually are interpreted by the same server
Briefly describe evolving technologies. Which ones do you use or have you used? Briefly describe your experience.
Newer communications technologies fuel major changes to long-distance communications. It's tricky to predict the future, however. These new technologies could supplant one or more mature technologies or an innovation may provide a mature technology with new capabilities or economies. Optical Fiber Networks: Modern optical fiber transmits signals using light waves. The fiber serves as a "light pipe" to carry the signal. Because the fiber must transmit the light signal, it does not bend the same way as traditional wire. On the other hand, optical fiber avoids certain radio interference and induction problems that arise in wired connections. High-quality optical fiber yields a much higher transmission capacity than a comparable wired connection. Bidirectional Satellite Communications: Digital satellite broadcasts have become commonplace; the equipment is practically free to satellite TV subscribers. Bidirectional communication is a bit more challenging; a compact device must send a signal to a satellite hundreds or thousands of miles overhead. The "Iridium" system deployed a satellite-based cell phone system in the 1990s; subscriber phones worked almost anywhere on the planet.
Describe four types of secrecy practiced by enterprises.
Obligations - Companies may have legal or contractual obligations to keep certain types of information secret. Legal obligations address employee privacy, health records privacy, and information that could affect a public company's stock price. Contractual obligations may include trade secrets shared with others, licensed software management, and rules for handling credit card transactions. Trade secrets - Companies keep information secret that would give competitors a commercial advantage. These include inventions and processes that may be subject to patent or unpatentable techniques that would benefit competitors. Other trade secrets include business details that might help competitors anticipate price decisions or identify customers that a competitor might try to lure away. Managing publicity - As noted previously, companies may keep things secret that might not yield positive publicity. Secrecy culture - Some companies have a tradition of keeping their internal activities secret, even without compelling business or legal reasons to do so.
Briefly describe older network technologies. Have you encountered any of these technologies? Briefly describe the encounter.
Older network technologies: Are old technology network devices that been used to transmit signals between hosts. Examples of old technologies: Analog Broadcast Networks: To transmit voice and music, the system used microphones to convert sound into varying amounts of electrical current. These varying currents in turn drove the radio signal. TV used the same technique, but it broke the signal into horizontal lines that scanned across the television tube's surface. Circuit-Switched Telephone Systems: The telephone network established a call by constructing a circuit between two telephones. The network carried electrical signals produced by a phone's transmitter to the other phone's earpiece and vice versa. Analog-Based Digital Networks: To connect two remote computers, the owner leased a dedicated line between them. The telephone company usually provided the modem; the computer manufacturer usually provided the network interface, which exchanged digital signals with the modem. The wiring between a modem and a computer traditionally used "Recommended Standard" RS-232, or the similar V.24 standard from the International Telecommunications Union (ITU). Microwave Networks: Microwave networks consist of tall antenna towers within the line of sight of one another, though many miles apart. The signal-handling antenna points at a matching microwave antenna on a distant tower. Basically, I have witnessed all the above technologies starting from analog radio and how my father search annually for a good signal. Old TV had the same mechanism by finding a good signal manually. Eventually I have used a dial up network connection by installing a modem to my computer and still remember the unique sound of the dial up during to start up the connection.
Identify the four types of protection applied to storage systems.
Physical protection of storage systems. Potential attackers must not have physical access to critical storage systems like file servers. • Protection of external storage traffic. As storage distribution systems become more sophisticated, it becomes easier to physically distribute data at very low levels. If a site transmits lowlevel storage traffic between protected server rooms, the cabling itself should be shielded from eavesdropping. In many cases, it may be sufficient to use fiber optic connections instead of traditional wiring. • Ensure recovery from hardware failures. This may be provided through technical means like RAID systems (see Section 13.5.1). • Ensure recovery from physical disasters. This includes fires, floods, or storm damage. This requires off-site backups, which themselves must be protected from unauthorized access.
Why do some websites block "ping" requests? Explain whether websites still need to do this.
Ping Floods In a "ping flood," one or more hosts conspire to flood a victim with ping requests. The flood of requests keeps the victim's protocol stack and network very busy. Any ping responses the host produces will simply add to the network's congestion. Some networks block pings, or all ICMP messages, to avoid such attacks.
Explain the difference between a profit center and a cost center. How is this distinction relevant to budgeting for information security?
Profit center: A division, department, or other component that makes money for the company. In a manufacturing company, for example, each factory or major product line might be organized as a profit center. The manager of a profit center may have more budget flexibility as long as the center makes the expected level of profit. The manager may decide independently to invest in new equipment and services if they pay for themselves in cost savings. Cost centers: Business units that do not directly produce revenue or profits. Typical examples include marketing, IT operations, customer service, human resources, and so on. Some enterprises treat all divisions as cost centers.
Explain the role of revision control and configuration management in software development.
Revision control: Often is managed by special software that keeps track of all changes made to the source files that produce the software. When a file is first created, the author stores the initial version in the revision control system. Each revision is subsequently stored, keeping track of which changes were applied in which revision. Configuration management: Tracking changes to the components selected to be in a software product. The configuration management process specifies the actual components that will go into the final product or into specific versions of the product. At the software level, this may consist of extracting particular files—and particular versions of files—from the revision control system in order to compile and build the system.
Describe the SSL key negotiation in terms of the keying techniques introduced in Section
SSL is the most successful example of Internet encryption. Unlike email, SSL handles encryption keys automatically and rarely relies on users. Moreover, websites may themselves decide which connections require encryption. Because cryptography requires additional computing power, this lets the site managers optimize performance while providing security where needed.
Identify and briefly explain two or more denial-of-service attacks that exploit TCP/IP protocols.
SYN Flood Attack: The attacker sent a series of SYN packets to the victim, each specifying a different socket. The source addresses were usually forged, because there was no need to process the responses. Each SYN packet produced a half-open connection. The connection persisted until the protocol stack timed it out. The attack was very effective when it first emerged in 1996, because victim hosts only had a small number of data structures to handle incoming connections, and those were very quickly used up. Attackers sent SYNs much faster than the victim host would detect and close the half-open connections. The general solution was to improve management of half-open connections. For example, some hosts would discard and reuse the oldest half-open connection if another request came in. Source Routing Attack: This is a clever variant of the redirection attacks just noted: The IP header contains an option for "source routing," which allows the sender to direct the traffic through a series of hosts. The attacker forges a packet from a trustworthy host and puts the attacker's host on the packet's route. The attacker directs the packet at the victim. The victim typically will respond using the source route provided in the original packet. This takes the packet back to the attacker's host, route to the trustworthy host. The attacker's host simply processes the packet and doesn't forward it further. There are various approaches to address this risk. For example, hosts might want to discard source routing information when talking to a trusted host. More often, however, we want to rely on cryptographic authentication of the trusted host.
Summarize the security measures applied to classified information.
Secrecy procedures often rely on a collection of simple strategies. When we combine the strategies, and apply them consistently, the secrets should remain safe. Basic strategies include Secrets are secured by default. Secrets ae never left unattended. Avoid identifying secrets as secrets. Secrets are revealed only in safe places. Verify permissions before sharing.
Identify four roles and/or job titles associated with information security management.
Senior Corporate Officer Chief Technical Officer (CTO) Chief Information Officer (CIO) System Administration
Explain the problems related to TEMPEST and five basic techniques used to address those problems.
Shielding - Put shields around the equipment to block acoustical or electromagnetic signals. Filtering - Put filters on the power lines and other outbound connections to ensure that sensitive data wasn't radiated through power fluctuations or other signals. Masking - Structure the device to emanate signals that don't distinguish between different data values. Attenuation - Adjust the device so that it uses less power and radiates a weaker signal. Zoning - Establish a controlled area between the vulnerable, emanating equipment and potential attackers.
Explain two techniques used for simple rekeying. Why do we avoid simple rekeying?
Simple rekeying is an unreliable trick to replace an existing key. We rekey periodically to reduce the risk of vulnerabilities to cryptanalysis - rekey whenever some major even occurs (distribution on a major new version of the file) - rekey more often on larger cryptonets - when key has been leaked - when a person who knows key leaves cryptonet - can reuse passphrase as long as program uses different inner key for each file Using simple rekey is not as much reliable to protect data because they are vulnerable if attackers recover an older key because simple rekeying transforms an existing key into a new one.
Identify and briefly explain two or more attacks on TCP/IP that may route packets to the wrong hosts.
Source Routing Attack: This is a clever variant of the redirection attacks just noted: The IP header contains an option for "source routing," which allows the sender to direct the traffic through a series of hosts. The attacker forges a packet from a trustworthy host and puts the attacker's host on the packet's route. The attacker directs the packet at the victim. The victim typically will respond using the source route provided in the original packet. This takes the packet back to the attacker's host, route to the trustworthy host. The attacker's host simply processes the packet and doesn't forward it further. There are various approaches to address this risk. For example, hosts might want to discard source routing information when talking to a trusted host. More often, however, we want to rely on cryptographic authentication of the trusted host. IP Spoofing Attacks: In general, "IP spoofing" refers to any attack that forges the sender's IP address. A spoofing attack that relied on predicting TCP sequence numbers. The attack attempted to send the minimum number of packets necessary to open a connection and provide data; in this case, a series of keyboard commands that enabled the attacker to penetrate the victim host. Because the source address belonged to a trusted host and the sequence numbers looked correct, the victim accepted the data as a legitimate keyboard command from the trusted host. In a practical attack, the attacker may open other connections with the victim host to detect the pattern by which the host assigns sequence numbers. Then the attacker floods the victim with packets, each containing a guess at the correct sequence number. Traditionally, the erroneous packets were simply discarded, while the correctly guessed packet was accepted.
Describe the IKE protocol in terms of the keying techniques introduced in Section 14.2
The IKE protocol establishes the security associations (SAs) between a pair of hosts. The protocol identifies the cryptographic algorithms to use and negotiates keys to use. Diffie-Hellman creates a new shared secret for each session, it provides perfect forward secret. If an attacker manages to recover the shared secret from a different session, it provides no information about the shared secrets used in other sessions. The Internet Key Exchange (IKE) protocol uses this technique.
Explain the role of protocol Layer 3 in internet protocols.
The Network layer examines the source and destination of the frames are examined to determine that the data has reached its destination. The Network layer maps logical and physical addresses using the ARP Address Resolution Protocol.
What mechanisms does TCP use to provide acknowledgments and flow control?
The TCP uses sequence and acknowledgement numbers to transmit and acknowledge the data as well as the three-way handshake system using a syn, ack, and syn-ack discussed previously.
Provide a step-by-step description of how a packet is routed, if it must traverse a least one router.
The computer would start off by sending out a broadcast signal to the gateway on the router, then the communication would send the address out to the router on the internet in transcode requesting the homepage. Then that homepage information is sent back through the router and unloaded and read on the original computer
How is classified information different from other sensitive information?
The concept of classified information refers to information explicitly protected by laws or regulation and marked to indicate the status. Typically, a government classifies information associated with national security or intelligence. On the other hand, FOUO information is not classified information. Recipients don't need a security clearance. Recipients only need a bona fide reason to receive the data. Individual organization may establish their own rules for sharing and handling such information. Rules even may be contradictory between different organizations.
marize the five steps in the contingency planning process.
The contingency planning process involves the following: • Identify, characterize, and prioritize critical and essential tasks that must be resumed following a disaster. This should be provided by the BIA. • Identify roles and responsibilities for developing, approving, and implementing the plan within the enterprise. • Establish backup requirements for working data and determine how the backups will be retrieved and used to recover from a disaster. • Develop procedures for off-site processing to resume essential activities. • Develop a strategy for how to transition from off-site, temporary processes to back-to-routine processes.
How is end-to-end encryption different from other types of encryption? At what layer does it take place?
The end-to-end encryption is different from other types of encryption because the actual sender applies the protection and the actual recipient decrypts the message and verifies the digital signature unlike other types of encryption. Lower crypto uses host-related or network node-related keys while end-to-end encryption relies on personal graphic keys. It takes place in application layer.
Briefly explain the end-to-end principle.
The failure of network-based reliable transport influenced a central design principle of Internet-oriented networks: the end-to-end principle. The concept embodies the notion of dumb networks by placing most network protocols in the connection's endpoint hosts. The network itself simply transmits packets and possibly loses a few on occasion.
Briefly summarize the evolution of information security management standards.
The first computer security standards focused on product security. Examples include the Common Criteria and the Orange Book, the latter of which was developed in the 1980s. At the same time, Japanese manufacturers flourished while many U.S. and European manufacturers were failing. The Japanese success arose from innovative techniques in product quality improvement. Meanwhile, an engineering research group at Carnegie-Mellon University (CMU) developed a "Capability Maturity Model" (CMM) for software development. This was a five-level model of how organizations create software. This technique applied the Deming cycle to software development. As organizations achieved higher levels, they enhanced their ability to measure software quality and to improve it. The CMM did not require specific development activities. Instead, it specified that an organization should assess quality and measure its performance. As an organization achieved higher levels of the CMM, they incorporated more sophisticated techniques to establish and assess quality goals and to improve the quality of their work.
What is the difference between a global IP address and a private IP address?
The global or public IP address is one that is used to access the internet and make communications outside of your own personal network. The private IP address is used to make specific connections and communications within the network.
Explain the role of port numbers in establishing a connection between two processes.
The port numbers identify specific processes of internet and network messages to be forwarded when they arrive in the server. Administrators can control the ports to allow or disallow specific traffic to flow to a port.
Explain the redaction problem and how the exposure and quarantine model apply to sensitive information.
The redaction problem is how we can remove sensitive information from a document and be confident that we removed all the sensitive information. Computer systems follow this exposure and quarantine model when handling highly sensitive information. If any data in a system is considered highly sensitive, then all data on the system is treated as being equally sensitive. If an operator produces a document containing no sensitive data, the operator must take special steps to export the non-sensitive data and nothing else.
Explain how compartments or code words might be used to protect particularly sensitive information.
The system assigns different levels to information. In the U.S. information is classified into one of three levels. The classification reflects the degree of damage to national security that unauthorized disclosure could reasonably be expected to cause: Confidential - damage, Secret - serious damage, and Top Secret - exceptionally grave damage. On the other hand, FOUO information is not classified information. Recipients don't need a security clearance. Recipients only need a bona fide reason to receive the data. Individual organization may establish their own rules for sharing and handling such information. Rules even may be contradictory between different organizations.
Explain the two parts of the policy used by the US military to ensure the proper management of nuclear weapons.
There are two parts to the U.S. military policy for controlling nuclear weapons: Positive control - The weapons shall always be deployed when a legitimate order is given. Force surety (or "negative control") - The weapons shall never be deployed without a legitimate order.
Give three circumstances in which secret-key cryptography is a better choice for network encryption.
Three circumstances in which secret-key cryptography is a better choice for network encryption are: Computational resources are limited: Secret-Key algorithms require far fewer computing resources that public-key algorithms offering similar security. Secret keys are far smaller. Revocation must be timely and reliable: Because we know who our users are, and we know who has which keys, we can revoke a person's access reliably. Small-user community: If we don't have trustworthy central servers to manage and distribute keys, then key distribution becomes a serious headache as the community grows. We achieve the highest level of security when we minimize the size of our cryptonets and ideally only have two users in each one.
Explain the difference between ticket-based and service-based authentication.
Ticket-Based Authentication: The user contacts the authentication server and asks to speak to the mail server. Next, the authentication server issues the client a ticket, which is a block of encrypted data intended for the mail service. Tickets are encrypted with secret keys assigned to individual users, clients, and services. The client then contacts the mail service itself and provides a copy of the ticket. The mail service uses its secret key to validate the ticket and ensure that the correct client and user presented it. If the ticket is valid and the client has permission, the service grants the request and delivers the mailbox contents to the client. Service-Based Authentication: The service operates a software package called an "agent" that mediates the authentication exchange between the client and the authentication server. The agent administers the login process, collects the credentials, and delivers them to the authentication server. If the credentials are correct, the authentication server sends back an "Accept" message. Service-based authentication appears most often in network-oriented and authentication-oriented products. Many organizations find it much easier to administer 802.11 access centrally via a RADIUS server. Most of the one-time password products encountered in Section 6.5.2, like SecurID and Safeword, use a centralized authentication server.
Summarize the major facets of national cybersecurity policy.
To support system security in compliance with national standards, it is important to recognize certain essential areas of interest These include physical security, communications security, cybersecurity, and security procedures. Appropriate security controls for these elements are enumerated in NIST SP 800-53 which provides a strategy for selecting security controls within the six-step framework described in SP 800-37.
Described the security problems associated with TRANSEC and common techniques used to address them.
Traffic analysis - even with traffic encrypted, hackers can learn by watching communication patterns. This is a confidential problem. Solution: Jamming - Attackers can disrupt operations by blocking messages from commanders or from surveillance systems that detect and report targets. This is an availability problem. There are several techniques to achieve this: Low power transmission - Keep the transmitted signals so low that opponents can't detect them and target them for jamming. Burst transmission - Avoid two-way radio transmission and rely instead on brief, highly compressed messages. Directional transmission - Use either directional radio transmissions or optical techniques, like a directed laser, to minimize the likelihood of interception, detection and jamming. Spread spectrum transmission - Disperse the transmission across a range of frequencies to make it harder to detect.
Describe how a gateway converts a private IP address into a global IP address using NAT.
Typically, hosts behind a NAT gateway are assigned local IP addresses, like 10.x.x.x, as described in the earlier chapter. Thus, an IP address that starts with 10 must be a local address. The translation process takes place as follows: • The client process tells the protocol stack to send a packet to the host with global IP address 27.4 on its port 80. This may be a Web page request, because port 80 typically is used by Web servers. The protocol stack establishes a socket to handle the traffic between the client process and the destination host. • The host's protocol stack assigns an arbitrary port number to the source side of the socket: port 49204. The stack also fills in the host's IP address of 10.2. • The host transmits the packet over the LAN. Because the packet's destination is outside the LAN, the packet is sent to the site gateway. • The gateway begins the NAT process. It assigns a port number to this socket (30001 in this case) and remembers the local host's IP address and chosen port number (IP 10.2, port 49204). • The gateway rewrites the packet's header so that the source socket address refers to the gateway's global IP address (17.8) and the gateway's chosen port number (30001). • The gateway forwards the modified packet to the next router on its trip to its destination. • Upon arrival at the destination host (IP 27.4), the recipient believes that the sending host's IP address is 17.8, because that is what the packet contains. This is, of course, the gateway's address. When the recipient sends a packet back to the sender, the packet contains the gateway's IP address and port number. When the gateway receives the packet, it looks up the port number in its NAT data. This provides the gateway with the correct local host address and port number. The gateway rewrites the packet header. Then the gateway delivers the packet as if it had always been addressed to IP 10.4, port 49204. Note that while Figure 12.16 suggests that we are changing the private IP address and port number by substituting a single packet header, that is not what happens. The private IP address resides in the IP header, and the port number is in the TCP/UDP header. NAT must change the appropriate IP address and port in each header.
Why are there two separate, standard internet transport protocols: TCP and UDP? How are they similar? How are they different?
We have two separate, standard internet transport protocols because some connections and packets transmissions that guarantee the delivery and returning to where coming from. Some packets transmission does not care about delivery guarantee and any errors that checks comes along with it, so they send the packets and hope it will deliver. TCP and UDP are the two-separate standard internet transport protocols. UDP is unreliable, but faster. TCP is slower, but much more reliable and sends out request verifying that the packets of information have been received.
Briefly describe and compare the five basic network topologies.
a. Ring Topology is a network in which each user is connected to two other users to form the shape of a ring, data must flow through each user until it arrives at its destination. b. Star Topology has a central computer that all traffic must flow through, each user is connected to this central computer. c. Bus Topology has a main wire that connects each user to the LAN called the backbone. d. Tree Topology is a hybrid topology combining the traits of the bus and star topologies creating a backbone that branches off into star networks. e. Point-to-Point is a dedicated link between two points, most simple
Identify cybersecurity risks and threat agents that apply particularly to information systems in government organizations.
when we talk about risks and threat agents in the national arena, we often speak of adversaries. The term refers to threat agents motivated by loyalty to a nation or causes who see our nation as a threat. Unlike threat agents associated with private or commercial risk, these agents often are willing to sacrifice their lives to achieve their objectives. They may also, have greater resources than those in the private industry.
Briefly explain the structure and components of a three-part domain name, like www.amawig.com.
www : Local subdomain optiona: amawig: Subdomain .com: Top-level domain (TLD) Local subdomains are controlled by the subdomain owner. Some subdomain owners use them, while others don't. In many cases, the "www" is optional when using a browser: The DNS for the two-part domain name yields the same address as a three-part name beginning with www.
Explain the difference between passive and active attacks on a network. Give an example of each.
· Passive attacks have to do with eavesdropping on, or monitoring, transmissions. Electronic mail, file transfers, and client/server exchanges are examples of transmissions that can be monitored. For instance, if an attacker simply eavesdropped without interfering communications, we call it a passive attack. · Active attacks include the modification of transmitted data and attempts to gain unauthorized access to computer systems. If an attacker is curious about victim's response. Attacker constructs a message to victim telling him to pay the attacker some ransom, this is an active attack.
List five types of security policy directives often published by organizations.
• AUP for enterprise computing equipment, like desktop or laptop computers assigned to individuals • AUP for Internet Web surfing and email • Procedures for controlling licensed software and other copyrighted material • Standards and procedures for updating antivirus and other security-critical software • Standards for password management • Standards and procedures for employee separation or termination • Standards and procedures for the physical protection of assets
Briefly describe five different types of security audits.
• An audit against system-specific security requirements • An audit of software source code to verify compliance with software design standards. • A review of internal audit logs to search for unusual or unexpected patterns, behaviors, or activities. • An audit to verify compliance with a specific security standard, like PCI DSS or ISO/IEC 27001. • A vulnerability scan that checks for indications of a list of known vulnerabilities. • A penetration test ("pen test") that tries to penetrate established defenses.
Summarize five mechanisms for security education, training, and awareness.
• Culture. People living in particular cultures have particular expectations of an employer or other enterprise. Most enterprises try to fulfill cultural expectations. When the enterprise takes exception to expectations, it must clearly explain the exceptions to its employees, clients, and other participants. • Written instructions. When an enterprise communicates with outside participants like customers and clients, it provides written explanations. Retail sellers provide "terms and conditions" to potential buyers. Clubs and organizations provide bylaws. Employees often receive, or have access to, an "employee guide" that outlines company rules, benefits, and restrictions. There also may be a large and elaborate set of enterprise policies and procedures. • Personal instructions. Employees usually receive direct instruction from their supervisor regarding their duties and responsibilities. Personnel responsible for other aspects of work, like IT administrators, may provide additional instruction when providing employees with computer and network access. Informal training can demand a great deal of time from existing employees. • Formal training. Some organizations provide formal training courses to teach employees and other participants about special expectations that might be new or peculiar to the organization. This helps ensure consistent behavior. For example, scouting organizations provide training courses for adult leaders. Some organizations provide training to all employees on the use of computer and network resources, instead of relying on terse briefings by IT administrators. • Public announcements. Enterprises often teach employees and participants about new or important activities or responsibilities through periodic announcements. Some announcements simply serve to remind participants of particular rules and obligations.
Summarize the steps in a typical change control process.
• Establish system objectives. This is a management-level discussion that determines what the system must do for the enterprise and what resources it may use. • Define system requirements. This is a combination of management and technical analysis that outlines more precisely what the system must do and how it must fit into existing systems. • Assess risks. This identifies the highest priority risks the system faces and develops additional security-oriented requirements to address those risks. The policy statements may prompt changes to the system requirements. 2. Implementation • Design the system. This is a technical activity that identifies specific technical solutions to implement the system's features. Once finished, compare the design to the system requirements and the risk assessment to ensure that the design fits our needs. • Implement the system. This is the technical activity that creates a version of the system. • Test the system. This is a technical activity that compares the implemented system with its published requirements. 3. Deployment • Approve the system. This is a management activity that reviews test and analysis results to decide if the system can be deployed. • Deploy the system. This is the technical activity that puts the system online.
Describe methods and techniques used to improve software security.
• Internal security labels: A security label is an identifier that distinguishes data items that require different types of protection. In military circles, the labels may correspond to classification markings like Secret or Top Secret. In other settings, they may correspond to materials such as health information or private information that require special handling. • Need-to-Know controls: These are protections that prevent users from seeing information that they do not specifically need to know. If the system does not need to release sensitive information to a user, it should not display that information. In some cases, this is a matter of identifying the role belonging to the user; in other cases, it involves designing the system according to the roles its users are known to play. • Encryption: Some security software encrypts or decrypts data during processing. The software should take steps to avoid disclosing the decrypted data except to the necessary and authorized recipients. For example, the decrypted data should not be saved on the hard drive unless the user is expected to save an unprotected copy. • Integrity checking: Some security software provides and implements integrity checking. When this is available, the software should perform the check and inform the user of the result. In some environments, the software might need to decide on its own whether to accept data if the integrity is damaged.
Summarize five methods used to manage electric power.
• Protected power controls. Once power enters the enterprise's secure boundary, it goes into control panels protected with fuses and circuit breakers. These panels may be secured by lock and key simply because the operating currents pose a hazard. The panels also present a possible point of a denialof- service attack, so service personnel must be trustworthy. • Power filtering. The power supplies in modern computing equipment can adapt to a broad range of voltages, but the equipment works most effectively with reliable, consistent power. Moreover, spikes due to lightning strikes may exceed the power supply's operating range. Thus, power filtering provides important protection. • U ninterruptable power systems (UPS). These were once the exclusive province of larger, enterprise-level computing systems. Today, even households can afford an effective UPS. A high-end UPS may include its own motor-driven generator to handle lengthy power outages. The capacity and duration of a site's UPS depends on their disaster planning (Section 13.5.3). • Protected power cabling. If an enterprise is a particularly attractive target of vandalism or denialof- service attacks, then they need to protect their power cabling. In some high-security environments, attackers can try to infer sensitive information from a system's power variations. This would call for protected power cabling. • Power alarms. The power system should provide an alarm when it switches from line power to the UPS, and when there are significant changes in the power being provided or being used. Any of these may indicate an impending attack or a risk of losing services. Enterprises may benefit from alarms that provide email, text, or voice mail alerts.
