System Security Final
RSA
A commonly used encryption and authentication algorithm named for MIT students. An asymmetric algorithm used to encrypt data and digitally sign transmissions. It is named after its creators, Rivest, Shamir, and Adleman, and RSA is also the name of the company they founded together. RSA relies on the mathematical properties of prime numbers when creating public and private keys.
Risk Methodology
A description of how you will manage risks. Includes the approach, required information, and the techniques to address each risk.
Switch
A device for transmitting data on a network. A switch makes decisions, based on the media access control (MAC) address of the data, as to where the data is to be sent.
Router
A device that forwards data packets between computer networks
Hub
A device that is the central connecting point of a LAN. A hub is little more than a multi-port repeater taking incoming signals on one port and repeating them to all other ports. Ethernet hubs have been largely replaced by Ethernet switches.
What is a security audit?
A security audit is to make sure your system and security controls work as expected.
Firewall
A software program or hardware device designed to prevent unauthorized access to computers or networks.
Risk Assignment
Allows the organization to transfer the risk to another entity.
What are the activities/responsibilities happening on each layer of the OSI Model?
Application Layer, Presentation Layer, Session Layer, Transport Layer, Network Layer, Data Link Layer, and Physical Layer.
Confidential
Applies to information that the classifying authority finds would cause damage to national security.
Top Secret
Applies to information that the classifying authority finds would cause grave damage to national security if it were disclosed.
Secret
Applies to information that the classifying authority finds would cause serious damage to national security if it were disclosed.
Authorization
Approving someone to do a specific task or access certain data.
What could be proved by an asymmetric digital signature vs a symmetric digital signature and what is the fancy name for the thing that can be proved?
Asymmetric Digital Signature - Data encrypted with one key can be decrypted only with the other key. Symmetric Digital Signature - Uses the same key to encrypt and decrypt.
Quantitative Risk Analysis
Attempts to describe risk in financial terms and put a dollar value on all the elements of a risk.
What are the components of a business continuity plan?
BCP and DRP
Types of hackers
Black-hat Hackers, Gray-hat Hackers, and White-hat Hackers
Remote Access Domain Vulnerability
Brute-force attacks on access and private data, Unauthorized remote access to resources, and Data leakage from remote access or lost storage devices.
BCP
Business continuity plan. A plan that helps an organization predict and plan for potential outages of critical services or functions. It includes disaster recovery elements that provide the steps used to return critical functions to operation after an outage.
What is SSID beaconing and why is it considered a weakness of Wireless LANs?
By default, wireless networks broadcast their presence to the public by sending out announcements containing the network's service set identifier (SSID).
Penetration Testing
Method of evaluating the security of a computer system or network, by simulating a malicious attack instead of just scanning for vulnerabilities
What are the primary components of Risk Management?
Mitigation, assignment, acceptance and avoidance.
What is an advantage of IPv6 over IPv4
More host addresses
What is a backdoor?
Obtaining admin access to a computer system while attempting to remain undetected
How does Risk Management affect security roles?
Pages 252-253
What is the difference between a broad firewall and a multi-layered firewall, and when is it appropriate to use each type?
Pages 330-332
Health Insurance Portability and Accountability Act (HIPAA)
Passed in 1996, requires health care organizations to secure patient information.
Compliance Laws - Gramm-Leach-Bliley Act
Passed in 1999, requires all types of financial institutions to protect customers' private financial information.
Children's Internet Protection Act (CIPA)
Passed in 2000, requires public schools and public libraries to use an Internet safety policy. The policy must address the following: Children's access to inappropriate matter on the Internet, Children's security when using e-mail, chat rooms, and other electronic communications, restricting hacking and other unlawful activities by children online, disclosing and distributing personal information about children without permission, and restricting children's access to harmful materials.
Compliance Laws - Sarbanes Oxley Act
Passed in 2002, it requires publicly traded companies to submit accurate financial reporting. It does not require securing private information, but it does require security controls to protect the confidentiality and integrity of the reporting itself.
What are the types of Access Control?
Physical access controls - Control entry into buildings, parking lots and protected areas. Logical - Control access to a computer system or network.
IT Security Policy Framework
Policy, Standard, Procedures and Guidelines.
What are the four security objectives for internal security and what do they mean?
Privacy, Integrity, Authorization and Access Control
Identify and define router, switch, hub and firewalls? Which one would you not see on a corporate network?
Hub - because it broadcasts to everyone, increasing traffic.
What are controls that monitor activity?
IDS, IPS and Firewalls
How does identification and authorization work together in the access control process?
Identification is the method a subject uses to request access to a system or resource. Authorization is the process of deciding who has access to which computer and network resources.
What is a baseline and how does it pertain to security monitoring?
In order to recognize something as abnormal, you first must know what normal looks like. The baseline is the normal state of the system.
Public Domain Data
Information or data shared with the public such as web site content, white papers, etc.
Confidential Data
Information or data that is owned by the organization. Intellectual property such as customer lists, pricing information, and patents.
IDS
Intrusion detection system. A detective control used to detect attacks after they occur. A signature-based IDS (also called definition-based) uses a database of predefined traffic patterns.
Privacy
Keeps information readable only by authorized people.
Confidentiality
Keeps information secret from all but authorized people.
User Domain Vulnerability
Lack of awareness or concern for security policy, Accidental acceptable use policy violation, Intentional malicious activity, and Social engineering
What are monitoring issues for logging?
Logging produces too much information and takes up disk space.
Data classification standards, know the types of data and how they are classified.
Private data, Confidential, Internal use only, and Public domain data.
Identify the different Asymmetric Cryptographic Applications?
RSA, DSA & SHA
Transposition Cipher
Rearranges characters or bits of data.
When developing, implementing, and designing an organization, you often must comply with rules at what level?
Regulatory Compliance
Substitution Cipher
Replaces bits, characters, or blocks of information with other bits, characters, or blocks.
Access Control
Restricting information to the right people.
What are the primary components of Risk Management?
Risk Mitigation (reduction), Risk assignment (transference), Risk Acceptance, and Risk Avoidance.
SHA
Secure Hash Algorithm - A one way hash algorithm designed to ensure the integrity of a message.
What is a worm and how does it propagate?
Self-contained programs designed to propagate from one host machine to another, using the host's own network communication protocols.
Operating System Defense
Serves as an interface between application software and hardware resources. Controls to secure the operating system are important. These include: Deploying change-detection and integrity-checking software and maintaining logs, deploying or enabling change-detection and integrity-checking software on all servers, ensuring that all operating systems are consistent and have been patched with the latest updates from vendors, ensuring that only trusted sources are used when installing and upgrading OS code, and disabling any unnecessary OS services and processes that may pose a security vulnerability.
LAN Domain Vulnerability
Unauthorized network access, transmitting private data unencrypted, and spreading malicious software.
System/Application Domain Vulnerability
Unauthorized physical or logical access to resources, Weakness in server operating system or application software, and Data loss from errors, failures or disasters.
Workstation Domain Vulnerability
Unauthorized user access, Malicious software introduced, and weaknesses in installed software.
What are the four types of attacks?
Unstructured, Structured, Direct and Indirect.
Risk Mitigation
Uses various controls to mitigate or reduce identified risks. These controls might be administrative, technical or physical.
Standard
A detailed written definition for hardware and software and how it is to be used. Standards ensure that consistent security controls are used throughout the IT system.
IPS
A device that can take immediate action during an attack to block traffic, blacklist an IP address, or segment an infected host.
Gray-hat Hackers
A hacker with average abilities who may one day become a Black-hat or White-hat hacker.
Policy
A short written statement that the people in charge of the organization have set as a course of action or direction. A policy comes from upper management and applies to the entire organization.
Guidelines
A suggested course of action for using the policy, standards, or procedures. Guidelines can be specific or flexible regarding use.
Vulnerability
A weakness that allows a threat to be realized or to have an effect on an asset.
Threats
Any action that could damage an asset. Threats include natural and human-induced threats.
Procedures
Written instructions for how to use policies and standards. They may include a plan of action, installation, testing, and auditing of security controls.
Brewer and Nash Integrity Model
Based on the mathematical theory published in 1989 to ensure fair competition. It is used to apply dynamically changing access permissions.
Private Data
Information which is confidential and only ethically available to selected individuals. The right to keep certain things to yourself; not for public viewing.
Risks
The likelihood that something bad will happen to an asset. The exposure to some event that has an effect on an asset.
Black-hat Hackers
Try to break IT security for the challenge and to prove technical prowess. They tend to poke holes in a system but do not attempt to disclose the vulnerabilities they find to the administration.
White-hat Hackers
Use different penetration-test tools to uncover vulnerabilities so that they can be fixed.
Steps of the System Life Cycle
1. Project initiation and planning 2. Functional requirements and definition 3. System-design specification 4. Build (develop) and document 5. Acceptance testing 6. Implementation
In the change management process, what are the configuration control and change control?
Configuration control is the management of the baseline settings for a system device. The baseline settings meet security requirements. They require that you implement them carefully and only with prior approval. Change control is the management of changes to the configuration. Unmanaged changes introduce risk, because they might affect security operations or controls. An improper change could even disable the system or equipment. Change control ensures that any changes to a production system are tested, documented, and approved. The change itself must follow a change control process that ensures you make the changes correctly and report it to management.
Authentication
Confirms the identity of an entity.
Risk Avoidance
Deciding not to take the risk by discontinuing use because the potential loss to the company exceeds the potential value gained.
Network Infrastructure Defense
Deploys controls to protect your network by creating choke points in the network, using proxy services and bastion hosts to protect critical services, using content filtering at choke points to screen traffic, disabling any unnecessary network services and processes that may pose a security vulnerability, maintaining up-to-date IDS signature databases, and applying security patches to network devices to ensure protection against new threats and to reduce vulnerabilities.
Qualitative Risk Analysis
Describes a risk scenario and then figures out what impact the event would have on business operations.
What does a business impact analysis determine?
Determines the impact that a particular incident would have on business operations over time and drives the choice of the recovery strategy and the critical business functions.
DSA
Digital Signature Algorithm. A digital signature is an encrypted hash of a message. The sender's private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender's public key, and, if successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation is used with online transactions and prevents the sender from later denying they sent the e-mail.
DRP
Disaster recovery plan. A document designed to help a company respond to disasters, such as hurricanes, floods, and fires. It includes a hierarchical list of critical systems and often prioritizes services to restore after an outage. Testing validates the plan. Recovered systems are tested before returning them to operation, and this can include a comparison to baselines. The final phase of disaster recovery includes a review to identify any lessons learned and may include an update of the plan.
What are the formal models of access control?
Discretionary access control (DAC) - the owner of the resource decides who gets in. The owner can give that job to others. Mandatory access control (MAC) - permission to enter a system is kept by the owner and cannot be given to someone else. Non-discretionary access control - access controls are closely monitored by the security administrator. Rule-based access control - a list of rules, maintained by the data owner, determines which users have access to objects.
Non-repudiation
Enables you to prevent a party from denying a previous statement or action.
Integrity
Ensures no one, even the sender, changes information after transmitting it.
Integrity
Ensures that no one has changed or deleted data.
LAN-to-WAN Domain Vulnerability
Exposure and unauthorized access of internal resources to the public, Introduction of malicious software, and Loss of productivity due to internet access.
Application Defenses
Software applications provide end users with access to shared data. Some common controls include the following: Implementing regular antivirus screening on all host systems, ensuring that virus definition files are up to date, requiring scanning of all removable media, installing personal firewall and IDS software on hosts as an additional security layer, deploying change detection software and integrity checking software and maintaining logs, implementing e-mail usage controls and ensuring that e-mail attachments are scanned, establishing a clear policy regarding software installations and upgrades, ensuring that only trusted sources are used when obtaining, installing, and upgrading software through digital signatures and other validations.
What is a transposition cipher, a substitution cipher and which one is a Caesar Cipher?
Substitution is a Caesar Cipher.
Security Gap
The difference between the security controls in place and the control you need in order to address all vulnerabilities.
Data Classifications Standards
The goal and objective of a data classification standard is to provide a consistent definition for how an organization should handle and secure different types of data (Private Data, Confidential Data, Internal Use Only, and Public Domain Data).
Risk Vulnerability
The likelihood that something bad will happen.
Principle of least privilege
The principle of least privilege means giving a user account only those privileges which are essential to that user's work.
What is a security audit?
The purpose of a security audit is to make sure your systems and security controls work as expected. Includes Monitor, Audit, Improve & Secure.
Know the government data classification standards.
Top Secret, Secret and Confidential
WAN Domain Vulnerability
Transmitting private data unencrypted, Malicious attacks from anonymous sources, Denial of Service attacks, and Weaknesses in software.