Fundamental Information Security Final Exam

Select the advantages of outsourcing physical security

-It frees your organization up to concentrate more on your primary objectives. -It uses the experience and knowledge of a company that specializes in physical security.

In addition to the CA and RA, what other components are included in the typical PKI solution?

1. Certificate directories to provide a single access point for certificate administration and distribution 2. Management protocols to organize and manage communications among CAs, RAs, and end users 3. Policies and procedures to assist an organization in the application and management of certificates, in the formalization of legal liabilities and limitations, and in actual business use

When developing and implementing an InfoSec performance management program, NIST SP 800-55 states that measurements must yield quantifiable information (percentages, averages, and numbers). What other factors must be considered?

1. Data that supports the measurements needs to be readily obtainable. 2. Only repeatable InfoSec processes should be considered for measurement. 3. Measurements must be useful for tracking performance and directing resources.

If gap analysis reveals that the project is fallen behind, which three planning parameters may have to be corrected?

1. Effort and money allocated 2. Elapsed time or scheduling impact 3. Quality or quantity of the deliverable

Order the phases in the waterfall model.

1. Investigation 2. Anaysis 3. Logical Design 4. Physical Design 5. Implementation 6. Maintenance and change

What does a sender use to to create a digital signature?

1. Message or file to be signed 2. Hash algorithm 3. Sender's private key

NIST SP 800-55 also states that strong upper-level management support is critical to the success of an InfoSec performance program. List three other factors that are critical.

1. Practical InfoSec policies and procedures 2. Quantifiable performance measurements 3. Results-oriented measurement analysis

A WBS identifies the work to be accomplished (activities and deliverables) for each task. List the other six attributes for each task.

1. The people or skill sets assigned to perform the task 2. Start and end dates for the task, when known 3. Amount of effort required for completion, in hours or work days 4. Estimated capital expenses for the task 5. Estimated noncapital expenses for the task 6. Identification of dependencies between and among tasks

What are the three stages in the Lewin change model?

1. Unfreezing—Thawing hard-and-fast habits and established procedures. Preparing the organization for upcoming changes facilitates the implementation of new processes, systems, and procedures. Training and awareness programs assist in this preparation. 2. Moving—Transitioning between the old way and the new. The physical implementation of new methods, using the strategies outlined earlier in this module, requires the organization to recognize the cessation of old ways of work and reinforces the need to use the new methods. 3. Refreezing—The integration of the new methods into the organizational culture. This integration is accomplished by creating an atmosphere in which the changes are accepted as the preferred way of accomplishing the necessary tasks.

Symmetric (private-key) encryption

A cryptographic method in which the same algorithm and secret key are used both to encipher and decipher the message.

Asymmetric (public-key) Encryption

A cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message; either key can be used to encrypt a message, but the other key is required to decrypt it.

Transposition (permutation) cipher

A cryptographic operation that involves simply rearranging the values within a block based on an established pattern.

Methodology

A formal approach to solving a problem based on a structured sequence of procedures.

Exclusive OR operation (XOR)

A function within Boolean algebra used as an encryption function in which two bits are compared; identical bits result in a binary 0 while different bits result in a binary 1.

Diffie-Hellman key exchange

A hybrid cryptosystem that facilitates exchanging private keys using public-key encryption.

Secret key

A key that can be used in symmetric encryption both to encipher and decipher the message.

Method authentication code (MAC)

A key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to access the message digest.

Work Breakdown Structure (WBS)

A list of the tasks to be accomplished in a project, the skill sets or individual employees needed to perform the tasks, the start and end dates for tasks, the estimated resources required, and the dependencies among tasks.

Bulls-eye model

A method for prioritizing a program of complex change that requires issues to be addressed from the general to the specific and focuses on systematic solutions instead of individual problems.

Change control

A method of regulating the modification of systems within the organization by requiring formal review and approval for each change.

Software assurance

A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages.

Systems Development Life Cycle (SDLC)

A methodology for the design and implementation of an information system, which may contain different phases depending on the methodology deployed, but generally addresses the investigation, analysis, design, implementation, and maintenance of an information system.

Secure facility

A physical location with access barriers and controls in place to minimize the risk of attacks from physical threats.

InfoSec performance management

A process of designing, implementing, and managing the use of specific measurements to determine the effectiveness of the overall security program.

Technology governance

A process that organizations use to manage the effects and costs of technology implementation, innovation, and obsolescence.

Link encryption

A series of encryptions and decryptions between a number of systems, wherein each system in a network decrypts the message sent to it, re-encrypts the message using different keys, and sends it to the next neighbor. This process continues until the message reaches the final destination.

Projectitis

A situation in project planning in which a project manager spends more time manipulating and adjusting aspects of the project management software than accomplishing meaningful project work.

Mantrap

A small room or enclosure with separate entry and exit points, designed to restrain a person who fails an access authorization attempt.

Secure Hash Standard (SHS)

A standard issued by the National Institute of Standards and Technology (NIST) that specifies secure algorithms, such as SHA-1, for computing a condensed representation of a message or data file.

Monoalphabetic substitution

A substitution cipher that incorporates a single alphabet in the encryption process.

polyalphabetic substitution

A substitution cipher that incorporates two or more alphabets in the encryption process.

What hard-and-fast rule helps you identify when a task or subtask should be an action step?

A task or subtask becomes an action step when it can be completed by one person or skill set and has a single deliverable.

Metric

A term traditionally used to describe any detailed statistical analysis technique on performance, but now commonly synonymous with performance measurement.

Waterfall model

A type of SDLC in which each phase of the process "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.

Hash Value (hash, message digest)

A value representing the application of a hash algorithm on a message that is transmitted with the message so it can be compared with the recipient's locally calculated value of the same message.

Triple DES (3DES)

Advanced application of DES developed to extend its lifespan as computer hardware caught up with the 56-bit key size of DES.

Vigenere Cipher

An advanced type of substitution cipher that uses a simple polyalphabetic code.

Configuration and change management (CCM) or configuration management (CM)

An approach to implementing system change that uses policies, procedures, techniques, and tools to manage and evaluate proposed changes, track changes through completion, and maintain systems inventory and supporting documentation.

Subsitution Cipher

An encryption method in which one value is substituted for another.

Bit stream cipher

An encryption method that involves converting plaintext to ciphertext one bit at a time.

Block cipher

An encryption method that involves dividing the plaintext into blocks or sets of bits and then converting the plaintext to ciphertext one block at a time.

Public Key Infrastructure (PKI)

An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates.

Why should we tackle the bull's-eye model layers in this particular order? Match each layer to the reason. The items in this ring are much more specific in nature, so any single control in the other rings tend to provide broader improvements to security than a single control in this ring.

Applications

Planning & risk assessment

Assessments of the security program, new IT projects, and operational risks

Fail-safe defaults

Base access decisions on permission rather than exclusion.

Disposal

Building and executing a disposal/transition plan, archiving critical information, sanitizing media, disposing hardware and software.

How can management help develop a resilient corporate culture?

By successfully accomplishing many projects that require change.

List the three-step process through which project managers can help reduce resistance to change.

Communicate, educate, and involve.

Operations and Maintenance

Conducting operational readiness reviews, managing system configuration, performing reauthorization as needed.

Hybrid cryptography systems

Cryptosystems that use asymmetric encryption to exchange session keys, then switch to symmetric encryption using the session keys. Provides the speed of symmetric encryption while getting rid of symmetric encryption's key-exchange problems.

Match the physical-security areas with the related concerns.: -Direct observation, electromagnetic emissions -Ground faults, power outages, electrical noise -High temperatures, low temperatures, humidity, ventilation shafts -Laptop and mobile device theft, poor home security

Data interception Power management HVAC Mobile and portable systems

Performance measurements

Data or the trends in data that may indicate the effectiveness of security countermeasures or technical and managerial controls implemented in the organization.

RSA

De facto standard for public-use encryption applications; developed in 1977.

Development / acquisition

Designing security architecture, performing functional and security testing, preparing initial documents for system certification and accreditation.

Digital signatures

Encrypted message components that can be mathematically proven as authentic.

Complete mediation

Every access to every object must be checked for authority.

Least Privilege

Every program and every user of the system should operate using the least set of privileges necessary to complete the job.

Match the CIS Controls to the categories. Data Protection Inventory and Control of Hardware Assets Malware Defenses Penetration Tests and Red Team Exercises Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Security Awareness and Training Program

Foundational Controls Basic Controls Foundational Controls Organizational Controls Basic Controls Organization Controls

How long does it take to crack a 64-bit symmetric key on a single workstation?

Give me a year or so

Match the protocols with the communications they protect. IP Security (IPsec) Pretty Good Privacy (PGP) Privacy-Enhanced Mail (PEM) Secure Electronic Transactions (SET) Secure HTTP (HTTPS)

IP Email and TCP/IP cimmunications Email Credit card transactions Browser communications

Order the steps in the NIST SP 800-65 Rev 1 process for prioritizing security activities and corrective actions for funding purposes.

Identify the baseline Identifying prioritization requirements Conduct enterprise-level prioritizations Conduct system-level prioritizations Develop supporting materials Implement an investment review board (IRB) and portfolio management Submit any required budget approved paperwork

Time and scheduling considerations

If a control must be in place before an organization can implement its electronic commerce product, the selection process is likely to be influenced by the speed of acquisition and implementation of the various alternatives.

Staffing considerations

If no one knows how to configure a new firewall, you'll need to train or hire people.

Training and indoctrination considerations

Implementation might have to be phased in if you're unable to train everyone at the same time.

Certificate Revocation List (CRL)

In PKI, a published list of revoked or terminated digital certificates.

Certificate authority (CA)

In PKI, a third party that manages users' digital certificates.

Registration authority

In PKI, a third party that operates under the trusted collaboration of the certificate authority and handles day-to-day certification functions.

What is password hash salting, and how does it defeat rainbow cracking?

In password hash salting, a random piece of data (the salt) is added to the password being hashed. The salt is stored along with the user name and password hash so that the same salt can be used when verifying passwords. Since different users will be given different random salts, the password hashes will be different even if two users both use, say, Password1 as their password. This defeats rainbow cracking because attackers now have two choices: 1. Compute rainbow tables for every salt in use (which will be different for each user on each system being attacked), or 2. Give up on rainbow cracking and do it the old-fashioned way: choose a candidate password, add the salt, compute and compare the hash, wash/rinse/repeat.

List the thirteen information security areas identified by NIST SP 800-100.

Information Security Governance Systems Development Life Cycle Awareness and Training Capital Planning and Investment Control Interconnecting Systems Performance Measurement Security Planning Information Technology Contingency Planning Risk Management Certification, Accreditation, and Security Assessments Security Services and Products Acquisition Incident Response Configuration and Change Management

Initiation

Initial identification of business risks and CIA Triad requirements.

Match the Waterfall Model phases to the NIST SDLC phases. Note that some NIST SDLC phases map to more than one Waterfall phase. Analysis Implementation Investigation Logical Design Maintenance and Change Physical Design

Initiation Implementation/Assessment Initiation Development/ Acquisition Both operation / Maintenance and disposal Development/ Acquisition

Implementation / assessment

Integrating the system into its environment, planning and conducting certification activities, completing system accreditation activities.

phased implementation

Involves a measured rollout of the planned system; only part of the system is brought out and disseminated across an organization before the next piece is implemented.

Pilot implementation

Involves implementing the entire system into a single office, department, or division and dealing with issues that arise before expanding to the rest of the organization.

Parallel operations

Involves running the new system concurrently with the old system.

Direct Changeover

Involves stopping the old system and starting the new one without any overlap.

How does steganography hide messages?

It changes bits within otherwise innocent files that: 1. Doesn't change the file's actual data at all (by changing parts of the file that don't contain actual data), or 2. Does change the file's actual data, but not enough to be detected by users (like the least significant bits for each color of each pixel in a graphics file).

Psychological acceptability

It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.

Economy of mechanism

Keep the design as simple and small as possible.

Hash functions

Mathematical algorithms that generate a message summary or digest (sometimes called a fingerprint) to confirm the message's identity and integrity.

Least common

Minimize mechanisms (or shared variables) common to more than one user and depended on by all users.

Match Donn P. Parker's Seven Major Sources of Physical Loss with examples of each. -Collapse, shearing, shaking, vibration, liquefaction, flow waves, separation, slide -Commercial vapors, humid or dry air, suspended particles -Electrical surge or failure; magnetism; static electricity; aging circuitry; radiation, including sound, light, radio, microwave, electromagnetic, and atomic -Heat, cold -Tangible objects in motion, powered objects -Viruses, bacteria, people, animals, insects -Water, chemicals

Movement Gases Energy anomal Extreme temperature Projectiles Living organisms Liquids

Internal Monitoring

Network and IT infrastructure inventories, IDPSes, IT governance activities, automated difference-detection activities

Match the protocols with the communications they protect. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Secure/Multipurpose Internet Mail Extensions (S/MIME) Wi-Fi Protected Access version 2 (WPA2) Wired Equivalent Privacy (WEP)

Network communications Email WiFi WiFi (but not really)

Why should we tackle the bull's-eye model layers in this particular order? Match each layer to the reason. Security in this ring helps make systems and applications more secure.

Networks

Why should we tackle the bull's-eye model layers in this particular order? Match each layer to the reason. This ring establishes the ground rules that govern all the other layers.

Policies

Order the bull's-eye model layers from first (outer) to last (inner).

Policies Networks Systems Applications

Readiness & Review

Policy reviews, program reviews, rehearsals and war games

Hash algorithms

Public functions that create a hash value, also known as a message digest, by converting variable-length messages into a single fixed-length value.

Digital certificate

Public-key container file that allows PKI system components and end users to validate a public key and identify its owner.

Financial considerations

Public-sector funding tends to be locked in once the budget has been set. Private-sector budgets are determined by the marketplace.

A recipient uses the signed message and the hash algorithm to verify a digital signature. What else does the recipient need to verify the signature?

Sender's public key

Data Encryption Standard (DES)

Symmetric cryptosystem with a 64-bit block size and 56-bit key. Adopted by NIST in 1976 as a federal standard for encryption of non-classified information, after which it became widely employed in commercial applications.

Why should we tackle the bull's-eye model layers in this particular order? Match each layer to the reason. Securely configuring and operating the items in this layer become more difficult as the number and complexity grows.

Systems

Digital Signature Standard (DSS)

The NIST standard for digital signature algorithm usage by federal information systems; based on a variant of the ElGamal signature scheme.

Work factor

The amount of effort (usually expressed in units of time) required to perform cryptanalysis on an encoded message.

Facilities management

The aspect of organizational management focused on the development and maintenance of buildings and physical infrastructure

Advanced Encryption Standard (AES)

The current federal standard for the encryption of data, as specified by NIST. Based on the Rijndael algorithm. Symmetric cryptosystem with variable block lengths and key lengths of 128, 192, or 256 bits.

Open design

The design should not be secret, but rather depend on the possession of keys or passwords.

Project Plan

The documented instructions for participants and stakeholders in a project that provide details on its goals, objectives, tasks, scheduling, and resource management.

Keyspace

The entire range of values that can be used to construct an individual key.

Cryptology

The field of science that encompasses cryptography and cryptanalysis.

Priority considerations

The implementation of controls are generally guided by the prioritization of threats, but a less important control may be bumped up if it addresses a group of specific vulnerabilities.

Key (cryptovariable)

The information used in conjunction with the algorithm to create the ciphertext from the plaintext; it can be a series of bits used in an algorithm or the knowledge of how to manipulate the plaintext.

Algorithm

The mathematical formula or method used to convert an unencrypted message into an encrypted message; sometimes refers to the programs that enable the cryptographic processes.

Plaintext or cleartext

The original unencrypted message that is encrypted and the message that results from successful decryption.

Gap analysis

The process of comparing measured results against expected results and then using the resulting "gap" as a measure of project success and as feedback for project management.

Decryption (deciphering)

The process of converting an encoded or enciphered message back to its original readable form.

Encryption (enciphering)

The process of converting an original message into a form that cannot be used by unauthorized individuals.

Code

The process of converting components (words or phrases) of an unencrypted message into encrypted components.

Tailgating

The process of gaining unauthorized entry into a facility by closely following another person through an entrance and using the credentials of the authorized person to bypass a control point.

Project Management

The process of identifying and controlling the goals, objectives, tasks, scheduling, and resources of a project.

Cryptography

The process of making and using codes to secure information.

Cryptanalysis

The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption.

Nonrepudiation

The process of reversing public-key encryption to verify that a message was sent by the user and thus cannot be refuted.

Physical security

The protection of physical items, objects, or areas from unauthorized access and misuse.

Ciphertext or Cryptogram

The unintelligible encrypted or encoded message resulting from an encryption.

External monitoring

Vendors, CERTs, public mailing lists and web sites, membership sites

Vulnerability Assessment & Remediation

Vulnerability information from the risk/threat/attack database

Why can rainbow cracking (or time-memory trade-off attacks) be a more efficient method of password cracking?

Well-constructed passwords that are of sufficient length can take a long time to crack even using the fastest computers. (The book doesn't mention this, but you want password hash algorithms to be just fast enough to verify a single password in an acceptable time, but slow enough that a whole bunch of password attempts--as in a password attack--becomes extremely painful!) With a database of precomputed hashes, it's a lot faster to simply compare hashes, find a match, and see which password goes with the hash.

Cipher

When used as a verb, the transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components or vice versa; when used as a noun, the process of encryption or the algorithm used in encryption, and a term synonymous with "cryptosystem."

Separation of privilege

Where feasible, a protection mechanism should require two keys to unlock, rather than one.

Procurement considerations

You might not be able to buy equipment because the vendor isn't on the authorized vendor list.