Modules 12, 13, 14, 15


a) Secure the crime scene
- Individuals in the immediate vicinity should perform damage control, which is the effort to minimize any loss of evidence.
  i) Steps in damage control include:
     - contacting the incident response team
     - securing and then quarantining the electronic equipment involved
     - reporting the incident to the appropriate external authorities
  ii) Once the incident response team arrives, its first job is to secure the scene, which includes the following actions:
     - The physical surroundings of the computer should be clearly documented.
     - Photographs of the area should be taken before anything is touched, to help document that the computer was working prior to the attack.
     - Any cables connected to a device should be labeled to document the hardware components and how they are connected.
     - The team should take custody of the device along with any peripherals. In addition, USB flash drives and any other media must be secured.
     - The team must interview everyone present and everyone who had access to the system, and document their findings, including what those people were doing with the system, what its intended functions were, and how it has been affected by the unauthorized actions.

iv) Something you do / behavioral biometrics
- Behavioral biometrics is based on actions that the user is uniquely qualified to perform, or something you do.
  1. Recognizes a user's unique typing rhythm. Two unique typing variables are measured:
     - dwell time: the time it takes for a key to be pressed and then released
     - flight time: the time between keystrokes (both "down" when the key is pressed and "up" when the key is released are measured)

e) Enable recovery
- Recovering the data from the security event and the lessons that can be learned from it.
  i) Strategic intelligence: the collection, processing, analysis, and dissemination of intelligence for forming policy changes.
  ii) Strategic counterintelligence: gaining information about the attacker's intelligence collection capabilities.

ii) Cloud forensics
a) When dealing with a cloud incident, the following should be considered:
   - A primary concern is to ensure that the digital evidence has not been tampered with by third parties, so that it is admissible in a court of law.
   - When a cloud customer is notified by its cloud service provider that an incident occurred, the immediate response from the customer's in-house legal and IT teams will be to ask for details about the scope of the impact.
   - The legal regulatory/jurisdiction laws that govern the site in which the cloud data resides may present difficulties.
b) Right to audit clause: a part of a cloud contract that gives the customer the legal right to review logs.
c) Data breach notification law: a law that requires user notification of a data breach.
d) Regulatory/jurisdiction: a law that governs the site in which cloud data resides.

f) Authentication framework protocols
- A framework for transporting the authentication protocols is known as the Extensible Authentication Protocol (EAP).
  i) Challenge-Handshake Authentication Protocol (CHAP): a weak authentication framework protocol that has been replaced by more secure versions.
  ii) MS-CHAP: the Microsoft version of CHAP.
  iii) Password Authentication Protocol (PAP): a weak version of Extensible Authentication Protocol (EAP).

c) Hardware modules
- A hardware security module (HSM) is a removable external cryptographic device.
- An HSM can be a USB device, an expansion card, a device that connects directly to a computer through a port, or a secure network server.
- An example of an HSM in a small consumer-oriented form factor is a MicroSD HSM.
  i) Secure Digital (SD) is a small form factor storage medium that has evolved since its inception in 1999 from a single card type and size to a variety of different types and sizes.
  ii) Three sizes of SD cards:
     - full SD: typically used in personal computers, video cameras, digital cameras, and other large consumer electronics devices
     - miniSD and microSD: commonly used in smaller electronic devices like smartphones and tablets

b) Password keys
- A hardware-based device to store passwords.
- Often serves as a hardware-based password manager, two-factor security key, and file encryption device.

Module 14: Cybersecurity Resilience

b) Preserve the evidence
- Ensuring that important proof is not corrupted or even destroyed.
  i) Tags: identifying labels for evidence bags that have a description of the item, a numeric identifier, date, collection location, and other relevant data.
  ii) Types of seals:
     - tamper-evident seal: a seal or tape that cannot be removed and reapplied without leaving obvious visual evidence.
     - tamper-resistant seal: designed to deter tampering with the bag; however, it does not necessarily produce visual evidence if tampering has occurred.
  iii) Admissibility: evidence that can hold up to judicial scrutiny and can be entered as evidence.
  iv) E-discovery: identifying, collecting, and producing electronically stored information (ESI) in response to a request in an investigation or lawsuit.
  v) Legal hold: a judicial act that mandates that data in an investigation cannot be modified, deleted, erased, or otherwise edited.

- Impact of a risk being successful:
  - Once historical data is gathered so that the ARO can be calculated, the next step is to determine the impact of that risk.
  - This can be done by comparing it to the monetary loss associated with an asset, to determine how much money would be lost if the risk occurred.
2. Two risk calculation formulas are commonly used to calculate expected losses:
   i) Single Loss Expectancy (SLE): the expected monetary loss every time a risk occurs. SLE = AV * EF
   ii) Annualized Loss Expectancy (ALE): the expected monetary loss for an asset due to a risk over a one-year period. ALE = SLE * ARO
3. Tools used to represent risks:
   i) Risk register: a list of potential threats and associated risks, often shown as a table.
   ii) Risk matrix/heatmap: a visual color-coded tool that lists the impact and likelihood of risks.

2. Performing exercises
- Simulated activities used to test an incident response plan.

- Poor access control
  - Access control is granting or denying approval to use specific resources; it is controlling access.
  - Technical access control consists of technology restrictions that limit users on digital devices from accessing resources and data.
  i) Identification: the process of recognizing and distinguishing the user from any other user.
  ii) Authentication: checking the delivery person's credentials to be sure that they are authentic and not fabricated.
  iii) Authorization: granting permission to take an action.
  iv) Accounting: a record that is preserved of who accessed the network, what resources they accessed, and when they disconnected from the network.
  v) Authentication, authorization, accounting (AAA): provides a framework for controlling access to computer resources.
  1. Terminology that describes how computer systems impose this technical access control:
     a) Object: a specific resource, such as a file or a hardware device.
     b) Subject: a user or a process functioning on behalf of the user that attempts to access an object.
     c) Operation: an action that is taken by the subject over the object.
  2. Access control scheme: a framework embedded in hardware and software that can be used for controlling access.
     b) Privileged access management: technologies and strategies for controlling elevated privilege access.
  3. Five major access control schemes:
     a) Discretionary Access Control (DAC): an access control scheme that is the least restrictive, giving an owner total control over objects.
        - DAC is used on major operating systems.
        - Weaknesses:
          - Although it gives a degree of freedom to the subject, DAC poses risks in that it relies on decisions made by the user to set the proper level of security. Incorrect permissions might be granted to a subject, or permissions might be given to an unauthorized subject.
          - A subject's permissions will be "inherited" by any programs that the subject executes. Threat actors often take advantage of this inheritance because users frequently have a high level of privileges.
     b) Mandatory Access Control (MAC): an access control scheme that is the most restrictive, assigning users' access controls strictly according to the custodian's desires.
        - It is considered the most restrictive access control scheme because the user has no freedom to set any controls or distribute access to other subjects.
        i) SEAndroid: a security-enhanced version of the Android operating system that uses MAC.
        ii) Two key elements to MAC:
           - Labels: in a system using MAC, every entity is an object (laptops, files, projects, and so on) and is assigned a classification label.
           - Levels: top secret has a higher level than secret, which has a higher level than confidential.

i) Protecting password digest files
- By using:
  - Salts: a salt consists of a random string that is used in hash algorithms. Passwords can be protected by adding this random string to the user's plaintext password before it is hashed.
    - Salts make dictionary attacks and brute force attacks for cracking large numbers of passwords much more difficult, and limit the impact of rainbow tables.
    - Two users choosing the same password does not help the attacker, because with salts added each password digest is different.
    - Salts can also be applied to sensitive information contained in a database.
  - Key stretching: a password hashing algorithm that requires significantly more time than standard hashing algorithms to create the digest.
    - Two popular key stretching password hash algorithms are bcrypt and PBKDF2.
    - A problem with key stretching is that CPUs continue to process faster and faster, so yesterday's key stretching algorithms may become too fast with tomorrow's processors.

d) Directory services
- A database stored on the network itself that contains information about users and network devices. It contains information such as the user's name, telephone extension, email address, login name, and other facts.

ii) Helping users manage their passwords
- The formula for determining the number of possible passwords requires knowing only two items:
  - the character set being used
  - the password length
- The average number of attempts to break a password is calculated as one-half of the total number of possible passwords.
1. Technology used for securing passwords includes:
   a) using password vaults
   b) password keys
   c) hardware modules

i) Include log files
- Involves identifying log file sources, collecting data, and analyzing data.
  1. Log: a record of events that occur.
     - Security logs can reveal the type of attack that was directed at the network and how it successfully circumvented existing security defenses.
  2. Authentication servers: servers that facilitate authentication of an entity to access a network.
     - They provide valuable information about failed authentication attempts and brute force attacks.
     - Application log files can give information about attacks focused on different applications.
  3. Dump file: a snapshot of the process that was executing and any modules that were loaded for an app at a specific point in time.
  4. Session Initiation Protocol (SIP): a signaling protocol that is used to create "sessions" between multiple participants and is widely found in voice telephony products.
  5. Call manager: a platform used to provide telephony, video, and web conferences.
  6. Voice over IP (VoIP): the convergence of voice and data traffic over a single Internet Protocol (IP) network.
  7. Problems associated with log management (transmitting, collecting, analyzing, and disposing of log data):
     i) Multiple devices generating logs: each device may interpret an event in a different context, so that a router looks at a single event differently than a firewall does. This can create a confusing mix of log data.
     ii) Very large volume of data: filtering through this large volume of data can be overwhelming.
     iii) Different log formats: combining multiple logs, each with a different format, can be a major challenge.

ii) Using control types
- A control is a safeguard or countermeasure employed within an organizational information system to protect the confidentiality, integrity, and availability of the technology system.
a) Three broad categories of controls:
   - managerial: controls that use administrative methods
   - operational: controls implemented and executed by people
   - technical: controls incorporated as part of hardware, software, or firmware
b) Specific types of controls are found within the three broad categories of controls. These include the following:
   i) Deterrent controls: controls that attempt to discourage security violations before they occur.
   ii) Preventative controls: controls that prevent the threat from coming in contact with the vulnerability.
   iii) Physical controls: controls that implement security in a defined structure and location.
   iv) Compensating controls: controls that provide an alternative to normal controls that for some reason cannot be used.
   v) Corrective controls: controls that are intended to mitigate or lessen the damage caused by an incident.
c) Inherent risk: the current risk level given the existing set of controls.
d) Residual risk: the risk level that remains after additional controls are applied.
e) Control risk: the probability that financial statements are materially misstated because of failures in the system of controls used by an organization.
f) Regulations that affect risk posture: controls based upon regulatory requirements that may be required regardless of risk.

1a) Using password vaults / password manager
- A password vault is a secure repository in which users can store their passwords.
- Three basic types:
  - Password generators: web browser extensions that generate passwords. The user enters a master password and the password generator creates a password based on the master password and the website's URL "on the fly."
  - Password generators: uses a web browser extension, but instead of creating the user's password each time, it retrieves the password from a central online repository. The disadvantage is that online sites storing the passwords are vulnerable to attackers.
  - Password management applications: a program installed on a computer through which the user can create and store multiple strong passwords in a single user "vault" file that is protected by one strong master password.
    - Users can retrieve individual passwords as needed by opening the user file, thus freeing the user from the need to memorize multiple passwords.
    - The disadvantage is that the program must be carried with the user or installed on multiple computers.
    - This type is recognized as having the highest level of security.
    - These applications are more than a password-protected list of passwords: they typically include drag-and-drop capabilities, enhanced encryption, in-memory protection that prevents the OS cache from being exposed to reveal retrieved passwords, and timed clipboard clearing.

e) Security Assertion Markup Language (SAML)
- An XML standard that allows secure web domains to exchange user authentication and authorization data. This allows a user's login credentials to be stored with a single identity provider instead of being stored on each web service provider's server.

c) Terminal Access Control Access Control Systems (TACACS+)
- An authentication service commonly used on UNIX devices that communicates by forwarding user authentication information to a centralized server.
- The first version was simply called TACACS.
- A later version, introduced in 1990, was known as Extended TACACS (XTACACS).
- The current version is TACACS+.

b) Kerberos
- An authentication system developed by the Massachusetts Institute of Technology (MIT) in the 1980s and used to verify the identity of networked users.
- Typically used when a user attempts to access a network service and that service requires authentication. The user is provided a ticket that is issued by the Kerberos authentication server, much as a driver's license is issued by the DMV.

b) Cognitive biometrics / knowledge-based authentication
- Related to the perception, thought process, and understanding of the user.
- Using perception, thought processes, and understanding as a biometric identifier.
- Examples include requiring someone to identify specific faces or recall "memorable events," such as taking a special vacation, celebrating a personal achievement, or attending a specific family dinner.

a) Physiological biometrics
- Physiological means relating to the way in which a body part functions.
- Physiological biometrics can be divided into specialized biometric scanners and those that use standard technology input devices for recognition.
  - Retina: a layer at the back (posterior) portion of the eyeball that contains cells sensitive to light and can be used for biometric authentication.
  - Fingerprint: two basic types of fingerprint scanners:
    - A static fingerprint scanner requires the user to place the entire thumb or finger on a small oval window on the scanner.
    - A dynamic fingerprint scanner has a small slit or opening.
  - Vein: one of the "tubes" that form part of the blood circulation system in the human body that carries oxygen-depleted blood back toward the heart.
  - Gait: a person's manner of walking that can be used as a physiological biometric identifier.
  - Voice: a physiological biometric identifier.
  - Iris: a thin circular structure in the eye that can be used for authentication.
  - Facial recognition: a biometric authentication that views the user's face and is becoming increasingly popular on smartphones.
1. Biometric disadvantages
   - The first is the cost of specialized biometric scanners.
   - Biometric authentication is not foolproof: genuine users may be rejected while imposters are accepted.
   - Not only do biometric sensors produce false positives and false negatives; often biometric systems can be "tricked." Security researchers have demonstrated that fingerprints can be collected from water glasses and used to trick fingerprint readers on smartphones.
   - While biometrics can aid in authentication, some experts question the sacrifice of user privacy: as individuals provide their biometric characteristics, how can this data be kept secure?
b) False acceptance rate (FAR): the frequency at which imposters are accepted as genuine when using biometric authentication.
c) False rejection rate (FRR): the frequency at which legitimate users are rejected when using biometric authentication.
d) Crossover error rate (CER): the biometric error rate at which the FAR and FRR are equal over the size of the population.
e) Efficacy rate

a) RADIUS (Remote Authentication Dial-In User Service)
- Originally designed for remote dial-in access to a corporate network.
- A RADIUS client is typically a device such as a wireless access point (AP) or dial-up server that is responsible for sending user credentials and connection parameters in the form of a RADIUS message to a RADIUS server.
- RADIUS allows an organization to maintain user profiles in a central database that all remote servers can share.

1. Single sign-on
- Having one username and password to gain access to all accounts, so that the user has only one username and password to remember.
  i) Identity management: using a single authentication credential that is shared across multiple networks.
  ii) Federation: single sign-on for networks owned by different organizations, also called federated identity management (FIM).
  iii) Single sign-on (SSO): using one authentication credential to access multiple accounts or applications.

1. Creating an incident response plan
- An incident response plan is a set of written instructions for reacting to a security incident.
a) The plan should contain the following information:
   i) Documented incident definitions: the plan should provide clear descriptions of the types and categories of documented incident definitions, which outline in detail what is, and is not, an incident that requires a response.
   ii) Incident response teams: a group that is responsible for responding to security incidents.
   iii) Reporting requirements/escalation: indicates to whom information should be distributed and at what point the security event has escalated to the degree that specific actions should be implemented.
   iv) Retention policy: the part of an incident response plan that outlines how long the evidence of the incident should be retained.
   v) Stakeholder management: an incident response plan must identify the relevant stakeholders within the organization who need to be initially informed of an incident and then kept up to date. This includes areas such as operations, legal, technical, finance, and even human resources.
   vi) Communication plan: a formalized plan that outlines the internal and external constituents who need to be informed of an incident, how they should be informed, and when it should take place.

Module 15:

1. Define risk
2. Describe strategies for reducing risk
3. Explain concerns surrounding data privacy
4. List methods for protecting data

Module 12:

1. Describe the different types of authentication credentials
2. Explain the different attacks on authentication
3. Describe how to implement authentication security solutions

v) Data policies
- Some data is critical and must be protected at all costs (such as research and development data), while other data is of lesser importance (such as marketing data). Data policies include:
  1. How it should be classified
     i) Data classification policy: a policy that outlines how to assign data type labels to data.
  2. How it should be governed
     i) Data governance policy: a policy that defines who is responsible for the data, how it can be accessed, how it should be used, and how its integrity can be maintained.
  3. How it should be retained
     i) Data retention policy / records retention policy: a policy that specifies how long data should be retained after it has fulfilled its initial purpose.

1. Separation of duties
- The practice of requiring that processes be divided between two or more individuals.

1. Asset: any item that has a positive economic value.
   b) Qualities of an asset:
      - They provide value to the enterprise.
      - They cannot easily be replaced without a significant investment in expense, time, worker skill, and/or resources.
      - They can form part of the enterprise's corporate identity.
   c) Examples of enterprise assets: people (employees, customers, business partners, contractors, and vendors); physical assets (buildings, automobiles, and plant equipment).
   d) Asset value: the relative worth of an asset.
   e) Likelihood of occurrence: a determination of how realistic the chance is that a given threat will compromise an asset.
2. Risk: a situation that involves exposure to some type of danger.
   - Risk can be described as a function of threats, consequences of those threats, and the resulting vulnerabilities.
   b) Risk types can be grouped into these broad categories:
      i) Internal and external: an internal risk comes from within an organization (such as employee theft); an external risk is from the outside (like the actions of a hacktivist).
      ii) Legacy systems: a legacy system is no longer in widespread use, often because it has been replaced by an updated version of the earlier technology.
      iii) Multiparty: risks that impact multiple organizations.
      iv) Intellectual property (IP) theft: intellectual property is an invention or a work that is the result of creativity.
      v) Software compliance and licensing: risks associated with violating software license agreements.

a. Recipe that attackers generally follow in an attack:
1. Attackers first conduct reconnaissance against the systems, looking for vulnerabilities.
2. When a path to a vulnerability is exposed, they gain access to the system through the vulnerability.
3. Once access is gained, the attackers escalate that access to acquire more advanced privileges.
4. With the advanced privileges, they tunnel through the network looking for additional systems they can access from their elevated position.
5. Attackers install tools on the compromised systems to gain even deeper access to the network.
6. Attackers may install a backdoor that allows them repeated and long-term access to the system. The backdoors are not related to the initial vulnerability, so access remains even if the initial vulnerability is corrected.
7. Once the backdoor is installed, the attackers continue to probe until they find their ultimate target and perform their intended malicious action.

E.
1. Standard: a collection of requirements specific to the system or a procedure that must be met by everyone.
2. Guideline: a collection of suggestions that should be implemented.
3a) Policy: a document that outlines specific requirements or rules that must be met.
  b) Policy characteristics:
     - Communicates a consensus of judgment
     - Defines appropriate behavior for users
     - Identifies what tools and procedures are needed
     - Provides directives for human resources action in response to inappropriate behavior
     - May be helpful if it is necessary to prosecute violators
  c) Types of security policies:
     i) account management policies
     ii) mobile device location-based policies
     iii) personnel policies
     iv) organizational policies
     v) data policies

1. Objective of managing risk: create a level of protection that mitigates the vulnerabilities to the threats and reduces the potential consequences; that is, reduce risk to a level that is considered acceptable for the organization (called a risk appetite).
b) Risk appetite: the level of risk that is considered acceptable.
c) Managing risk involves:
   i) using specific strategies
   ii) using control types
   iii) addressing third-party risk
   iv) incorporating user training

1. Preparing for an incident
   i) Steps to take in preparation are:
      1. creating an incident response plan
      2. performing exercises
      3. studying attack frameworks

1. Plans for preparing for an incident can be divided into three areas:
   1. incident preparation
   2. incident response
   3. follow-up investigation as to how the incident occurred and how similar future events can be mitigated

1. Data privacy: concerned with the authorized access of data, namely who has it and how it is being used.
   - Data privacy is a legal issue.
b) Data protection: involves securing data against unauthorized access.
   - Data protection is a technical issue.

i) On-prem forensics
  1. Forensics (forensic science): the application of science to questions that are of interest to the legal profession.
  2. Digital forensics: uses technology to search for evidence pertaining to a cybercrime or damage that occurred during a cyber incident.
     - Digital evidence can be retrieved from computers, mobile devices, cell phones, digital cameras, and any device that has a processor, memory, or storage.
  3. Forensics procedures:
     a) secure the crime scene
     b) preserve the evidence
     c) document the chain of custody
     d) examine the evidence
     e) enable recovery

1. Authentication: the process of ensuring that the person or system desiring access to resources is authentic and not an imposter.
b. Authentication credentials: types of authentication that can confirm a person's identity and thus give access to restricted areas or materials while also denying access to an imposter.
c. Factors: three of these elements:
   - something you know
   - something you have
   - something you are
d. Attributes: the remaining four:
   - somewhere you are
   - something you can do
   - something you exhibit
   - someone you know
e. The most common in IT are:
   i) something you know
   ii) something you have
   iii) something you are
   iv) something you can do

1. Risk analysis: a process to identify and assess the factors that may jeopardize the success of a project or reaching a stated goal.
b) Seeing the risk can be difficult because:
   - risks can be elusive and often hard to identify
   - unconscious human biases: all individuals have their own set of biases developed through preferences, intuition, or past experiences
c) These biases could easily lead to:
   - identifying the wrong individual as the source of a risk
   - making incorrect estimates about the potential impact of a risk
   - spending too much time on incorrect theories
d) Risk Control Self-Assessment (RCSA): a methodology by which management and staff at all levels collectively work to identify and evaluate risks.
e) Goal of RCSA: not only to minimize biases and prejudices but also to integrate risk management practices into the culture of the organization.
f) Two risk assessment approaches:
   i) Qualitative risk assessment: an approach that uses an "educated guess" based on observation. It assigns a numeric value (1-10) or label (High, Medium, or Low) that represents the risk.
   ii) Quantitative risk assessment: an approach that attempts to create "hard" numbers associated with the risk of an element in a system by using historical data.
      a) Quantitative risk calculations can be divided into:
         - the likelihood of a risk
         - the impact of a risk being successful

iii) Personnel policies
a) Include:
   1. separation of duties
   2. job rotation
   3. mandatory vacations
   4. clean desk space
   5. least privilege
   6. onboarding and offboarding
   7. acceptable use

1. Service-level agreement (SLA): a service contract between a vendor and a client that specifies what services will be provided, the responsibilities of each party, and any guarantees of service.
2. Business partnership agreement (BPA): a contract between two or more business partners that is used to establish the rules and responsibilities of each partner.
3. Memorandum of understanding (MOU): a document that describes an agreement between two or more parties that is not legally enforceable.
4. Nondisclosure agreement (NDA): a legal contract between parties that specifies how confidential material will be shared between the parties but restricted from others.
5. Measurement system analysis (MSA): using scientific tools to determine the amount of variation that is added to a process by a measurement system.
6. End of life (EOL): a statement that a product has reached the end of its "useful life" and the manufacturer will no longer market, sell, or update it after a specified date.

1. Windows Group Policy
- Setting technology restrictions regarding the creation and use of passwords.
- Settings can be made on an individual computer (Local Group Policy) but will only apply to that computer, while settings applied to users in a domain will apply to all users (Domain Group Policy).
- Password parameters, such as length and expiration, can also be set through Group Policy.

b) Secure authentication technologies include:
   1. single sign-on
   2. authentication services

1. Incident preparation
a) Response and recovery controls: steps that should be taken when responding to an incident in order to recoup from it.
b) Reasons a cybersecurity incident can occur:
   - weak account types
   - poor access control

1. two tests to determine if files other than those stored on the local hard drive are at risk from ransomware: 2. defense against this next level of ransomware involves a different approach to storage devices and the cloud: 3. suggestions for devices include: a) External USB storage device b) Secondary hard disk drive c) Network attached storage (NAS) d) Cloud storage. 4. key for an organization to continue to function following any type of disaster is resilience,

1a) ----if a remote storage device is "mounted" on the local computer and displays a drive letter (such as "D:"), then those files are at risk from a ransomware attack ----if a cloud storage repository is configured so that files automatically placed in a local folder are synchronized to the cloud storage, they too are at risk. This is because the ransomware can move encrypted files into the folder, where they will be replicated onto the cloud. 2. ----Users should first think about having an "air gap," or physically isolating (putting distance between) the computer and the remote backup files. ----"Manual authentication" that requires the user to enter a username and password, not automatically applied authentication, can also mitigate this next level of ransomware. 3a) Unplug the storage device from the computer when not using it. b) Unmount the drive when it is not needed and then mount it again when needed. (Unmounting the drive hides it from the computer but retains the data.) c) Create a new share ("admin") and then create a new user account that is the only account with access to the share. Give this user account a strong username and password, and then log in to (and out of) that share as needed. d) Consider turning off automatic synchronization so that files placed in a local folder are not immediately synced to cloud storage. 4. capacity to recover quickly from difficulties and spring back into shape. *** what is business continuity? *** why is it important? *** how to prevent disruptions through redundancy. *** how business policies can help provide resilience to an organization.

1. Users are increasingly concerned over the collection, usage, and protection of their personal data. -These user concerns revolve around the risks associated with the use of their private data. This falls into three broad categories: i) Individual inconveniences and identity theft ii) Associations with groups. iii) Statistical inferences

1i)Data that has been collected on individuals is frequently used to direct personalized ad marketing campaigns ii) Individuals might be offered fewer services or the wrong types of services based on their association with a group.

2. job rotation, i) Disadvantages:

2. The act of moving individuals from one job responsibility to another. i)----employees may not be in a specific job long enough to develop proficiency, ---- productivity may be lost in the time it takes to train employees in new tasks. ---- job rotation is often limited to less specialized positions

2. Active Directory b) time-based login

2a) policy that allows a network administrator to create the privileges that the user is given based on a role-based access control scheme. b) user account login that is based on a specific day and time.

2. incident response/response and recovery controls 1. steps include:

2a) taking advantage of SOAR (Security Orchestration, Automation, and Response) runbooks and playbooks, b) performing containment, c) making configuration changes.

3. mandatory vacations,

3. Requirement that all employees take vacations.

3. Cloud App Security. a) Impossible Travel b) Risky IP address. c) Activity from Infrequent Country, d) Activity from Anonymous IP Address, e) Activity Performed by Terminated User, f) Suspicious Inbox Forwarding, g) Unusual Multiple File Download Activities, h) Unusual File Share Activities. 1. lockout 2. disablement

3. accumulation and analysis of real-time data that is processed in the cloud. a) Analyzing and denying a second user login attempt based on the time and distance of the prior attempt. b) Examining the IP address that was used to attempt a login and comparing it against a list of IP addresses involved in malicious activities. 1. An automatic action that prevents access to an account until a security administrator reviews the incident and removes the lockout. 2. An action by an administrator to suspend an account.

3. studying attack frameworks. i) exploitation frameworks ii) Three common attack frameworks include: a) MITRE ATT&CK b) The Diamond Model of Intrusion Analysis c) Cyber Kill Chain i) kill chain

3i) series of documented processes that serve as models of the thinking and actions of threat actors. a) A knowledge base of attacker techniques that have been broken down and classified in detail. b) A framework for examining network intrusion events that uses four core interconnected elements that comprise any event. c) An exploitation framework that outlines the steps of an attack in an integrated and end-to-end process like a "chain." i) military term used to describe the systematic process to target and engage an enemy.

3. Incident Investigation i) The investigation is to: ii) involves:

3i)--- pinpoint how the incident occurred so that future incidents can be prevented ---- for regulatory compliance reporting. ii) a) analyzing data sources b) performing a digital forensics investigation.

4. clean desk space,

4. A policy designed to ensure that all confidential or sensitive materials, either in paper form or electronic, are removed from a user's workspace and secured.

5. least privilege,

5. A policy that ensures only the minimum amount of privileges necessary to perform a job or function should be allocated.

7. acceptable use policy

7. A policy that defines the actions users may perform while accessing systems and networking equipment.

A. Business continuity a) environmental disasters b) man-made disasters c) external disasters d) internal disasters 1. business continuity plan (BCP) b) BCP generally has three goals: i) Business recovery planning. ii) Crisis management and communications. iii) Disaster recovery 2. BCP should include the following elements: i) High availability ii) Scalability iii) Diversity iv) On-prem and cloud. 3. continuity of operation planning (COOP)

A. ability of an organization to maintain its operations and services in the face of a disruptive event or a major disaster. a) Disasters such as floods, hurricanes, and tornadoes that can impact an enterprise. b) Disasters such as industrial accidents, oil spills, terrorist attacks, and transportation accidents that can impact an enterprise. c) Disasters such as environmental disasters that are outside the organization. d) Disasters such as a fire in a data center that are inside the organization. 1. strategic document that provides alternative modes of operation for business activities that, if interrupted, could result in a significant loss to the enterprise. bi) involves resuming critical business functions and processes that relate to and support the delivery of the core products or services to a customer. ii) process of giving an effective response to an event. It is intended to stabilize the situation through effective leadership communication. iii) addresses the recovery of critical information technology (IT) assets, including systems, applications, databases, storage, and network assets. 2i) The ability to withstand all outages while providing continuous processing for critical applications. ii) must have the capability to cover increased capacity iii) The ability to include different technologies, third-party vendors, controls, and cryptographic solutions in a BCP. iv) the flexibility to address this movement without needing to continually rewrite the plan. 3. federal initiative that is intended to encourage organizations to address how critical operations will continue under a broad range of negative circumstances.

B. Business Impact Analysis (BIA) a) site risk assessment b) functional recovery plan c) mission-essential function d) identification of critical systems e) single point of failure

B. A process that identifies the business functions and quantifies the impact a loss of these functions may have on business operations. a) detailed evaluation of the processes performed at a site and how they can be impacted. b) plan that addresses the steps to be taken to restore processes if necessary. c) The activity that serves as the core purpose of the enterprise d) Recognizing processes that aid the mission-essential function. e) component or entity in a system that, if it no longer functions, will disable the entire system.

C. Disaster Recovery Plan (DRP) a) restoration order

C. A written document that details the process for restoring IT resources following an event that causes a significant disruption in service. a) The sequence in which different systems are reinstated after a disaster.

D. Resilience through Redundancy a) fault tolerance b) redundancy c) mean time to recovery (MTTR) d) Redundancy planning can involve redundancy for:

Da) system's ability to deal with malfunctions. b) The use of duplicated equipment to improve the availability of the system. c) The average time for a device to recover from a failure that is not a terminal failure d) i) endpoints, ii) servers, iii) disks, iv) networks, v) power, vi) sites, vii) data.

Module 13:

Incident Preparation, Response, and Investigation

v) power a) dual power supply b) power distribution unit (PDU) c) uninterruptible power supply (UPS) d) types of UPS i) offline UPS ii) online UPS

a) A specialized computer power supply that can provide redundancy. b) device fitted with multiple electrical outputs and designed to distribute electric power, especially to racks of computers and networking equipment located within a data center. c) A device that maintains power to equipment in case of an interruption in the primary electrical power source. di) least expensive and simplest solution. During normal operation, the equipment being protected is served by the standard primary power source. ii) always running off its battery while the main power runs the battery charger. -----it is not affected by dips or sags in voltage. -----can clean the electrical power before it reaches the server to ensure that a correct and constant level of power is delivered to the server. -----can serve as a surge protector, which keeps intense spikes of electrical current, common during thunderstorms, from reaching systems.

iii) disks -two hardware redundancies for disks that store data a) RAID (Redundant Array of Independent Drives) i) RAID Level 0 (striped disk array without fault tolerance). ii) RAID Level 1 (mirroring). iii) RAID Level 5 (independent disks with distributed parity) b) SAN (storage area network) i) Multipath 1. mean time between failures (MTBF)

a) A technology that uses multiple hard disk drives for increased reliability and performance. -most common levels of RAID are Level 0, 1, 5, 6, and 10. i) is based on striping. Striping divides the storage space of each hard drive into smaller sections (stripes), which can be as small as 512 bytes or as large as several megabytes. ii) uses disk mirroring. Disk mirroring involves connecting multiple drives in the server to the same disk controller card. -A variation of RAID Level 1 is to include disk duplexing. Instead of having a single disk controller card that is attached to all hard drives, disk duplexing has separate cards for each disk. iii) RAID Level 5 distributes parity data (a type of error checking) across all drives instead of using a separate drive to hold the parity error checking information. b) A dedicated network storage facility that provides access to data storage over a high-speed network. i) technique for creating more than one physical path between devices and a SAN. 1. A statistical value that is the average time until a component fails, cannot be repaired, and must be replaced.

i) endpoints a) revert to known state b) last known good configuration c) live boot media d) nonpersistent

a) An OS feature to restore it to an earlier point in time prior to a problem. b) A Microsoft Windows option for earlier versions in which the OS can be rolled back to the last time that the device properly booted. c) A bootable OS on an external device such as a USB device that contains a complete OS that may be used in recovery. d) A characteristic of a system so that any changes or additions are not saved when the system returns to its original state.

iv) networks a) NIC teaming

a) Configuring multiple network interface card (NIC) adapters into one or more software-based virtual network adapters for redundancy and speed.

vii) data a) data backup b) Two elements are used in the calculation of when backups should be performed: i) recovery point objective (RPO) ii) recovery time objective (RTO) c) image backup e) storing backups: i) onsite, ii) offsite, iii) cloud. f) Internet services available that provide similar features: (cloud) i) Automatic continuous backup. ii) Universal access iii) Delayed deletion. iv) Online or media-based restore.

a) Copying information to a different medium and storing it so that it can be used in the event of a disaster. bi) The maximum length of time that an organization can tolerate between backups. ii) The length of time it will take to recover data that has been backed up. c) backup that captures the entire contents of the disk to enable an entire restoration of the contents of the disk to a new hard disk or computer. d) A copy of the original data backup. ei) stored locally onsite on media (local magnetic disk, optical disk, or magnetic tape) that is accessible. It can also be stored on a SAN or a network-attached storage (NAS) device. (A NAS is a single storage device that serves files over the network.) ii) vendor's secure site. iii) using an online cloud repository.

iii) Implement Third-Party Risk Management a) vendors. b) business partners c) supply chain d) risks associated with using third parties: e) risks associated with this integration include the following: i) On-boarding and off-boarding. ii) Application and social media network sharing iii) Data considerations. iv) Privacy and risk awareness.

a) Entities from whom an organization purchases goods and services. b) Commercial entities with whom an organization has an alliance. c) a network that moves a product from the supplier to the customer d) ----it can be difficult to coordinate their diverse activities with the organization. ----principle of the weakest link: if the security of the third party has a vulnerability, it can provide an opening for attackers to infiltrate the organization's computer network. ei) Partner on-boarding refers to the startup relationship between partners, -partner off-boarding is the termination of such an agreement ii) How will applications be shared between the partners? iii) All parties must have a clear understanding of who owns data generated through the partnership and how that data will be backed up. iv) All parties must have a clear understanding of who owns data generated through the partnership and how that data will be backed up.

2. authentication services. -Different services can be used to provide authentication which include:

a) RADIUS, b) Kerberos, c) Terminal Access Controller Access Control System (TACACS), d) directory services, e) Security Assertion Markup Language, f) authentication framework protocols.

iv) Provide User Training b) techniques employed for user training: i) Computer-based training (CBT) ii) Role-based awareness training iii) Gamification iv) Capture the flag (CTF) v) Phishing simulations.

a) Raising of understanding of what risks exist, their potential impacts, and how they are managed. i) Using a computer to deliver instruction. ii) Specialized training that is customized to the specific role that an employee holds in the organization. iii) Using game-based scenarios for instruction. iv) Using game-based scenarios for instruction. v) Exercises to help employees recognize phishing emails.

ii) Something You Have: Smartphone and Security Keys a) multifactor authentication (MFA) b) single-factor authentication c) two-factor authentication (2FA)

a) Using more than one type of authentication credential. b) Using just one type of authentication. c) Using two types of authentication. -most common items that are used for this type of authentication are: >>>>specialized devices, >>>>smartphones >>>>security keys.

a) SOAR (Security Orchestration, Automation, and Response) product i) Two elements that are closely associated with using SOARs are: >>>>SOAR playbook >>>>runbook.

a) can help security teams manage and respond to security warnings and alarms. -allows a security team to automate incident responses. i) >>>A linear-style checklist of required steps and actions needed to successfully respond to specific incident types and threats. -gives a top-down step-by-step approach to incident response by establishing formalized incident response processes and procedures. -help ensure that required steps are systematically followed, particularly when it is necessary to comply with regulatory frameworks -focuses more on manual steps to be performed >>>>series of automated conditional steps (like threat containment) that are part of an incident response procedure. -is usually actions that are performed automatically -most runbooks are automated action-based steps.

>>>>>specialized devices: a) smart cards i) disadvantages to smart cards: b) windowed tokens. i) two types of OTP: >>>time-based one-time password (TOTP) >>>>HMAC-based one-time password (HOTP)

a) card that contains information used as part of the authentication process. -common access card (CAC) is a U.S. Department of Defense (DoD) smart card that is used for identification of active-duty and reserve military personnel along with civilian employees and special contractors. -The smart card standard covering all U.S. government employees is the Personal Identity Verification (PIV) standard. i) Each device that uses smart card authentication must have a specialized hardware reader and device driver software installed. ----smart cards that have a magnetic strip (called magnetic stripe cards) are subject to unauthorized duplication called card cloning. ----Stealing this information is often done by a process called skimming, in which a threat actor attaches a small device that fits just inside the card reader so that when the card is inserted and removed, both the actual reader and the skimming device capture the information from the magnetic strip. b) A small device with a window display. -windowed token does not display a value that never changes (static code); instead, the value dynamically changes. -This value is a one-time password (OTP), which is an authentication code that can be used only once or for a limited period of time. i) >>>A one-time password that changes after a set period of time. >>>>A one-time password that changes when a specific event occurs.

ii) servers a) clustering b) server cluster c) public cluster connection d) private cluster e) asymmetric server cluster f) symmetric server cluster g) replication

a) combining two or more devices to appear as a single unit b) server cluster is the combination of two or more servers that are interconnected to appear as one c) clients see them as a single unit d) servers can exchange data when necessary. e) a standby server exists only to take over for another server in the event of its failure. f) every server in the cluster performs useful work. If one server fails, the remaining servers continue to perform their normal work as well as that of the failed server. g) A copy of a virtual machine that is automatically launched.

iii) something you are: -involves:

a) involves physiological biometrics and b) cognitive biometrics.

1. elements of cybersecurity are of high importance to both enterprises and users: 2. ---about risk ----study strategies for mitigating risks ---explore data privacy and the issues that surround it. ----defining what risk is, ---- understanding risk types, ----knowing different methods of risk analysis, --- realizing how to manage risk.

a) risk b) data privacy

i) something you know: Passwords a) password b) Passwords place heavy loads on human memory in multiple ways: c) weak password d) when users attempt to create stronger passwords, they generally follow predictable patterns: 1. Attacks on passwords: i) pass the hash ii) password cracker. iii) password spraying iv) brute force attack v) online brute force attack vi) Rule Attack 2. three basic steps in a rule attack: vii) dictionary attack >>>pre-image attack, >>>>birthday attack >>>hybrid attack viii) Rainbow tables

a) secret combination of letters, numbers, and/or characters that only the user should have knowledge of. b) most effective passwords are long and complex. However, these are difficult for users to memorize and then accurately recall when needed. -For the highest level of security, each account password should be unique, which further strains human memory. -Many security policies mandate that passwords expire after a set period of time, such as every 45-60 days, when a new one must be created. Some security policies even prevent a previously used password from being recycled and used again, forcing users to repeatedly memorize new passwords. c) use of a common word as a password, a short word, a predictable sequence of characters, or personal information in a password d) ----Appending -When users combine letters, numbers, and punctuation (character sets), they do it in a pattern. ----Replacing -Users also use replacements in predictable patterns 1i) attack in which the attacker steals the digest of an NTLM password and pretends to be the user by sending that hash to the remote system to be authenticated. ii) Software designed to break passwords through matching. -Password crackers create known digests (called candidates) and then compare them against the stolen digests. -different means of creating candidates include brute force, rule, dictionary, rainbow tables, and password collections. iii) attack that uses one or a small number of commonly used passwords when trying to log in to several different user accounts. iv) attack in which every possible combination of letters, numbers, and characters is combined to attempt to determine the user's password. v) attack in which the same account is continuously attacked by entering different passwords. vi) conducts a statistical analysis on the stolen passwords. The results of this analysis are then used to create a mask of the format of the candidate password. 2. ----three basic steps in a rule attack: ----Statistical analysis is performed on the sample to determine the length and character sets of the passwords, ----A series of mask

1. solutions for securing authentication (on-prem protections) include:

a) security surrounding passwords b) secure authentication technologies.

1. forensics tools:

a) software forensics tools b) hardware forensics tools

ii) data from other sources. -Includes: a) IP monitors i) NetFlow ii) Echo iii) sFlow iv) IPFIX (IP Flow Information Export) b) Metadata c) Analyzers d) Vulnerability scans

ai) A session sampling protocol feature on Cisco routers that collects IP network traffic as it enters or exits an interface. ii) Request packets used by the TCP/IP Internet Control Message Protocol. iii) A packet sampling protocol that gives a statistical sampling instead of the actual flow of packets. iv) A session sampling protocol similar to NetFlow but with additional capabilities. b) data that describes information about other data. Analyzing file, web, mobile, and email metadata can give clues regarding an attack. c) such as bandwidth monitors and protocol analyzers. d) Data from vulnerability scans and from Security Information and Event Management (SIEM) products, which consolidate real-time security monitoring and management of security information with analysis and reporting of security events, is useful.

i) using specific strategies a) four strategies for dealing with risks: i) Risk Acceptance. ii) Risk Transference >>>cybersecurity insurance iii) Risk Avoidance iv) Risk Mitigation

ai) means that the risk is acknowledged but no steps are taken to address it. ii) Transferring the responsibility of a risk to a third party. >>>>Insurance that protects an organization by monetary compensation in the event of a successful attack. iii) identifying the risk but making the decision to not engage in the activity iv) attempt to address risk by making it less serious.

vi) sites a) types of redundant sites: i) Hot site. ii) Cold site iii) Warm site b) geographic dispersal

ai) run by a commercial disaster recovery service that allows a business to continue computer and network operations to maintain business continuity. A hot site is essentially a duplicate of the production site and has all the equipment needed for an organization to continue running, ii) provides office space, but the customer must provide and install all the equipment needed to continue operations. iii) has all the equipment installed but does not have active Internet or telecommunications facilities and does not have current backups of data b) Spreading sites across a larger area to mitigate the impact of an environmental disaster.

b) performing containment, i) zero trust, ii) isolation

b) limiting the spread of the attack i) strategic initiative about secure network design ii) Segregating both the attacker and the infected systems from reaching other devices. -During isolation, the compromised systems are either disconnected or disabled until the incident is resolved.

c) making configuration changes.

c) To limit the spread of the attack, configuration changes may need to be applied to the following: ----Firewall rules ----Content/URL filters ----Digital certificates ----Data loss prevention settings ----Mobile device management settings

ci) account management policies, a) credential policies c) technologies that can be used to enforce these policies:

ci) involves the restrictions regarding user accounts - includes not only who is authorized to access resources, but when, how, and from what location they can do so. a) Policies that address requirements for authentication credentials, such as the length and complexity of passwords. c) 1. Windows Group Policy, 2. Active Directory, 3. Cloud App Security.

d) examine the evidence, i) artifacts ii) order of volatility iii) cache iv) snapshot v) OS event logs vi) mirror image backup/bit-stream backup vii) hashing algorithms viii) swap file vv) pagefile vvi) slack vvii) time stamp vviii) time offset

di) Technology devices that may contain evidence in a forensics investigation. ii) specific order in which evidence from an incident should be examined. iii) A type of high-speed memory that stores recently used information so that it can be quickly accessed again at a later time. iv) The current state of all settings and data used for forensics and data backups. v) Logs produced by an operating system that document incorrect login attempts, system setting modifications, application or system failures, and other events vi) an evidence-grade backup because its accuracy meets evidence standards. -A mirror image backup is not the same as a normal copy of the data vii) To guarantee the integrity of the data, mirror image backup programs rely upon these as part of the validation process. viii) A file that contains data moved from RAM to the hard drive due to a lack of RAM space. vv) A file that contains data moved from RAM to the hard drive due to a lack of RAM space. vvi) source of hidden data vvii) The recorded time that an event took place irrespective of the location of the endpoint. vviii) The amount of time added to or subtracted from Coordinated Universal Time (UTC) to arrive at the current "actual" (called civil) time.

>>>>smartphones i) Authentication through using a smartphone can be accomplished by the following:

i) ----Phone call -An automated phone call to the user's smartphone asks if the user has requested to log in and, if so, to press a digit on the keypad for approval or to decline if the user has not just tried to log in. ----SMS text message -An OTP is sent as a text message; the user must then manually enter the OTP. ----Authentication app -smartphone application that can be used to verify a user's login attempt. ***push notification -message displayed on a smartphone through an authentication app.

>>weak account types i) user account ii) shared account iii) generic account iv) guest account.

i) An approved identity between a user and an endpoint, network, or service. ii) An account used by more than one user. iii) An account not tied to a specific person e.g. helpdesk iv) An account given to a temporary user

c) document the chain of custody, i) provenance ii) chain of custody

i) Evidence in a forensics investigation that can be traced to the very beginning. ii) A process that shows evidence was always under strict control and no unauthorized person was given the opportunity to corrupt the evidence. -includes: >>>>documenting all the serial numbers of the systems involved, >>>>who handled and had custody of the systems >>> for what length of time, >>>>how the computer was shipped, >>>>and any other steps in the process -chain of custody form helps to document that evidence was under strict control at all times and no unauthorized person was given the opportunity to corrupt it

6. onboarding and offboarding, i) onboarding ii) Background checks iii) social media analysis iv) nondisclosure agreement (NDA) v) offboarding. 1. Orphaned accounts 2. Account expiration

i) The tasks associated with hiring a new employee. ii) Examining the history of a job candidate. iii) Viewing social media posts of potential candidates to look for important insights. iv) A legal contract between parties that specifies how confidential material will be shared but not disclosed to others without permission. v) Actions to be taken when an employee leaves an enterprise. 1. user accounts that remain active after an employee has left an organization 2. process of setting a user's account to expire

b) forensic hardware tools i) Digital forensic workstations ii) mobile device forensics tool iii) Forensic information that can be uniquely extracted from a mobile device includes:

i) are typically configured with the latest computer hardware, such as multiple gigabit network ports and USB ports, along with up to 10 drive "hot swap" bays to hold as many as eight drives. -two additional empty bays can be used for backups or additional processing, such as copying data directly to a network attached storage (NAS) device. -These workstations also are configured with eight or more 6 TB hard drives configured in RAID 5 for redundancy, and they have 1000-watt power supply units, multiple fans for cooling, and the latest high-end CPUs. ii) designed to perform forensics on smartphones, tablets, and other similar devices. iii) >>>Call detail records >>>Global Positioning System (GPS) data. >>>>App data >>>Short Message Service (SMS) texts. >>>>Photos and videos.

---the likelihood of a risk i) Mean Time Between Failure (MTBF) ii) Mean Time To Recovery (MTTR)/Mean Time To Repair iii) Mean Time To Failure (MTTF) iv) Failure In Time (FIT) 1. Annualized Rate of Occurrence (ARO)

i) calculates the average (mean) amount of time until a component fails, cannot be repaired, and must be replaced -It is a reliability term used to express the number of failures. -Calculating the MTBF involves dividing the total time measured by the total number of failures observed. -MTBF is considered more important for industries than for consumers. ii) average amount of time that it will take a device to recover from a nonterminal failure. iii) basic measure of reliability for systems that cannot be repaired. -is the average amount of time expected until the first failure of a piece of equipment. iv) can report the number of expected failures per one billion hours of operation for a device 1. calculation for determining the likelihood of a risk occurring within a year.

a) analyzing data sources -Includes:

i) include log files ii) data from other sources.

>>>>security keys i) attestation

i) a key pair that is "burned" into a security key during manufacturing and is specific to a device model (shared across a batch of keys rather than unique to one key, which preserves user privacy); when the key is registered, it signs the registration data with this pair so the relying party can verify the make and model of the authenticator. -security keys do not transmit OTPs that can be intercepted or phished, and they are considered easier to use.

b) performing a digital forensics investigation:

i) on-prem forensics ii) cloud forensics.

a) forensic software tools i) imaging utility ii) dd/GNU dd, iii) memdump iv) WinHex v) Autopsy vi) FTK Imager

i) used for generating a physical (bit-for-bit) copy of a storage device, including unallocated space, rather than a logical copy of its files. ii) An imaging utility used for generating a physical copy. -dd is a command-line program and lacks some of the useful features found in more modern imagers, such as metadata gathering, error correction, and a user-friendly interface. iii) A Linux utility that "dumps" system memory to a file or over the network for later analysis. iv) A hexadecimal editor that can be used for forensics to view and edit raw disk, file, and memory contents. v) A digital forensics platform that provides a graphical interface to The Sleuth Kit tools. vi) The imaging and preview component of the Forensic Toolkit (FTK), a package of multiple forensics tools combined into a single suite that has a common user interface and can more easily exchange information among the different tools.
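What an imaging utility does at the block level, and why the card notes that plain dd lacks error handling. This is an added example, not code from the original card set or from any of the tools named: the "device" is a constructed in-memory object that fails on one sector the way a failing disk would, and the two modes mimic plain dd (abort on the first read error) and dd with conv=noerror,sync (pad the unreadable sector with zeros so offsets stay aligned).

```python
"""Block-level imaging with hash verification. Added example; the device is a
constructed stand-in for a raw block device, not a real disk."""
import hashlib
import io

SECTOR = 512


class FlakyDevice:
    """Constructed block device whose read fails on one sector (I/O error)."""

    def __init__(self, data: bytes, bad_sector: int):
        self._buf = io.BytesIO(data)
        self.bad_sector = bad_sector
        self.size = len(data)

    def read_sector(self, index: int) -> bytes:
        if index == self.bad_sector:
            raise OSError(5, "Input/output error")
        self._buf.seek(index * SECTOR)
        return self._buf.read(SECTOR)


def image_device(dev, noerror_sync: bool = True):
    """Copy every sector of `dev` into an image, sector by sector.

    noerror_sync=False behaves like plain dd: the first read error aborts the
    copy and the image is truncated at that point, silently losing everything
    after the bad sector.
    noerror_sync=True behaves like dd conv=noerror,sync: an unreadable sector
    is replaced with zeros so later data keeps its original offset, and the
    sector number is recorded so the examiner can document the gap.
    Returns (image_bytes, bad_sectors, sha256_hex).
    """
    out = bytearray()
    bad = []
    nsectors = (dev.size + SECTOR - 1) // SECTOR
    for i in range(nsectors):
        try:
            chunk = dev.read_sector(i)
        except OSError:
            if not noerror_sync:
                break
            bad.append(i)
            chunk = b"\x00" * SECTOR
        out.extend(chunk)
    digest = hashlib.sha256(out).hexdigest()
    return bytes(out), bad, digest


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash the image and compare it with the hash recorded at acquisition;
    this is the integrity check the chain-of-custody record relies on."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


# Constructed 8-sector "disk": sector i is filled with the byte value i.
DISK = b"".join(bytes([i]) * SECTOR for i in range(8))

if __name__ == "__main__":
    img, bad, digest = image_device(FlakyDevice(DISK, bad_sector=5))
    print(f"imaged {len(img)} bytes, unreadable sectors: {bad}")
    print(f"sha256: {digest}, verifies: {verify_image(img, digest)}")
    short, _, _ = image_device(FlakyDevice(DISK, bad_sector=5), noerror_sync=False)
    print(f"plain-dd behaviour: image truncated to {len(short)} bytes")
```

The point to take from the second run is that a truncated image still hashes and verifies perfectly well; the hash proves the copy was not altered afterwards, not that it was complete, so the list of unreadable sectors belongs in the acquisition notes alongside the hash.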

ii) mobile device location-based policies, 1. technologies for identification and enforcement include the following: a) Geolocation b) Geo-tagging. c) Geofencing

ii) policies that allow or restrict device functions based on the location of the device a) identifying the geographical location of the device b) adding geographical identification data, such as latitude and longitude, to media such as digital photos taken on a mobile device c) using the device's GPS to define geographical boundaries (a virtual fence) within which an app can be used.
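A geofence check as an enforcement point for a location-based policy. This is an added example, not code from the original card set: the fence, the GPS fixes and the fields of the fix (accuracy radius and a mock-location flag) are constructed for illustration, and the enforcement rule goes a step beyond the card by refusing fixes that cannot be trusted, since a geofence is only as good as the location it is fed.

```python
"""Geofencing for a location-based mobile device policy. Added example; fence
coordinates and GPS fixes are constructed, not real data."""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


@dataclass
class Geofence:
    center_lat: float
    center_lon: float
    radius_m: float


@dataclass
class GpsFix:
    lat: float
    lon: float
    accuracy_m: float      # radius of the error circle reported by the device
    mock_location: bool    # constructed flag: OS reported a simulated provider


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def inside_fence(fix: GpsFix, fence: Geofence) -> bool:
    """Pure geometry: is the reported point within the fence radius?"""
    return haversine_m(fix.lat, fix.lon, fence.center_lat, fence.center_lon) <= fence.radius_m


def app_allowed(fix: GpsFix, fence: Geofence, max_accuracy_m: float = 50.0) -> str:
    """Enforcement decision for a geofenced app: "allow" or a denial reason.

    A fix is only trusted when it is not simulated and its error circle is
    small enough; the whole error circle must fit inside the fence, otherwise
    the device could be outside while reporting a point that is inside.
    """
    if fix.mock_location:
        return "deny: simulated location"
    if fix.accuracy_m > max_accuracy_m:
        return "deny: location too imprecise"
    dist = haversine_m(fix.lat, fix.lon, fence.center_lat, fence.center_lon)
    if dist + fix.accuracy_m > fence.radius_m:
        return "deny: outside fence"
    return "allow"


# Constructed fence of 200 m around an office, and a few constructed fixes.
OFFICE = Geofence(center_lat=40.7484, center_lon=-73.9857, radius_m=200.0)
AT_DESK = GpsFix(40.7484, -73.9857, accuracy_m=10.0, mock_location=False)
NEAR_EDGE = GpsFix(40.7500, -73.9857, accuracy_m=30.0, mock_location=False)  # ~178 m north
ACROSS_TOWN = GpsFix(40.7574, -73.9857, accuracy_m=10.0, mock_location=False)  # ~1 km north

if __name__ == "__main__":
    for name, fix in [("at desk", AT_DESK), ("near edge", NEAR_EDGE), ("across town", ACROSS_TOWN)]:
        print(f"{name:12s} inside={inside_fence(fix, OFFICE)!s:5s} decision={app_allowed(fix, OFFICE)}")
```

The near-edge fix shows the caveat: the point itself is inside the 200 m fence, but a 30 m error circle reaches past the boundary, so the policy denies rather than accepting a location it cannot stand behind.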

****continuation from previous card no. 35 as it was too long**** iii) Mandatory Integrity Control (MIC) iv) security identifier (SID) c) Role-Based Access Control/RBAC/Non-Discretionary Access Control. d) Rule-Based Access Control/Rule-Based Role-Based Access Control (RB-RBAC) scheme/automated provisioning i) conditional access e) Attribute-Based Access Control/ABAC 4. access control list (ACL) i) filesystem, ii) filesystem permissions iii) ACLs limitations:

iii) MAC implementation used by Microsoft Windows that assigns integrity levels to subjects and objects. iv) unique number issued to a user, group, or session. c) An access control scheme that is considered a more "real-world" access control because it is based on a user's job function within an organization. d) An access control scheme that can dynamically assign roles to subjects based on a set of rules defined by a custodian. i) Dynamically assigning roles to subjects based on a set of rules, such as the time of day or the network the request comes from. e) An access control scheme that uses flexible policies that can combine attributes of the subject, the object, and the environment. 4. is a set of permissions that is attached to an object. i) method for storing and organizing computer files to facilitate access. ii) A method for protecting files managed by the OS. iii) ----using ACLs is not efficient: the ACL for each file, process, or resource must be checked every time the resource is accessed. ----they can be difficult to manage in an enterprise setting where many users need to have different levels of access to many different resources.
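The same access question ("may this user read or write this report?") answered under each scheme on the card: an ACL attached to the object, RBAC through job roles, rule-based (conditional) role assignment, and ABAC over attributes. This is an added example, not from the original card set or from any product: the users, the resource, the roles and every policy rule are constructed for illustration.

```python
"""ACL, RBAC, rule-based and ABAC decisions side by side. Added example with
constructed users, resources and policies; all names and rules are invented."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    department: str
    clearance: int
    roles: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    kind: str
    owner: str
    department: str
    sensitivity: int
    acl: dict = field(default_factory=dict)   # principal -> {permissions}


# ACL: the permission list lives on the object and has to be consulted on
# every access; there is no per-user summary to check instead, which is the
# efficiency and management limitation the card mentions.
def acl_allows(user: User, res: Resource, perm: str) -> bool:
    return perm in res.acl.get(user.name, set())


# RBAC: permissions hang off roles that mirror job functions; a user gets
# whatever the role gets, regardless of which department owns the object.
ROLE_PERMS = {
    "analyst": {("report", "read")},
    "lead":    {("report", "read"), ("report", "write")},
}


def rbac_allows(user: User, res: Resource, perm: str, roles=None) -> bool:
    roles = user.roles if roles is None else roles
    return any((res.kind, perm) in ROLE_PERMS.get(r, set()) for r in roles)


# Rule-based (conditional access): the effective role is assigned at request
# time from rules a custodian defined, here business hours and network origin.
def effective_roles(user: User, hour: int, on_corp_network: bool) -> set:
    roles = set(user.roles)
    if "lead" in roles and not (9 <= hour < 18 and on_corp_network):
        roles.discard("lead")
        roles.add("analyst")   # degraded to read-only outside the window
    return roles


# ABAC: a policy over attributes of subject and object; no lists, no roles.
def abac_allows(user: User, res: Resource, perm: str) -> bool:
    same_dept = user.department == res.department
    cleared = user.clearance >= res.sensitivity
    if perm == "read":
        return same_dept and cleared
    if perm == "write":
        return same_dept and cleared and res.owner == user.name
    return False


# Constructed principals and one constructed object.
ALICE = User("alice", department="soc", clearance=3, roles={"lead"})
BOB = User("bob", department="soc", clearance=1, roles={"analyst"})
CAROL = User("carol", department="hr", clearance=3, roles={"lead"})
REPORT = Resource("q3-incident-report", kind="report", owner="alice", department="soc",
                  sensitivity=2, acl={"alice": {"read", "write"}, "bob": {"read"}})

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        night_roles = effective_roles(u, hour=3, on_corp_network=False)
        print(f"{u.name:6s} acl.write={acl_allows(u, REPORT, 'write')!s:5s} "
              f"rbac.write={rbac_allows(u, REPORT, 'write')!s:5s} "
              f"rbac.write@night={rbac_allows(u, REPORT, 'write', night_roles)!s:5s} "
              f"abac.read={abac_allows(u, REPORT, 'read')!s:5s} "
              f"abac.write={abac_allows(u, REPORT, 'write')}")
```

Carol is the instructive row: her "lead" role grants write under plain RBAC even though she is in HR, while the ABAC policy refuses her because the department attribute does not match, and the ACL refuses her because nobody ever added her to the object's list.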

a) Password security

includes i) protecting password digest files ii) helping users manage their passwords.

iv) organizational policies, a) include the following: 1. Change management i) change management policy 2. Change control i) change control policy 3. Asset management i) asset management policy

iv) Policies that relate to the management and functioning of the organization as a whole. 1. formal process for making modifications to a system and keeping track of those changes. i) written document that defines the types of changes that can be made and under what circumstances. 2. i) policy that stipulates the processes to be followed for implementing system changes. 3. i) policy that provides the guidelines and practices that govern decisions about how assets should be acquired, maintained, and disposed of.

