Chapter 9 Data


Hot site

AKA active backup model; immediately available (few minutes to hours); tolerate only short period of downtime; fully configured with cable infrastructure; fully configured with mirror duplicate servers; most effective backup site for disaster recovery; expensive; includes mirror site; includes rolling hot site

Digital certificate

aka public key certificate, identity certificate; binds public key with identity: name of person/computer/org/object identifier

Analytic

algebraic manipulation to reduce complexity of algorithm

Security association dictates

algorithm selection; cryptographic keys; digital certificates; manual/auto through Internet key exchange (IKE)

Diffie hellman key exchange

generates symmetric keys at sender/receiver over insecure channels; first asymmetric algorithm

Location selection

geographic considerations

Low power devices

given that energy is required for device to en/decrypt

Hardware root of trust

hardware TPM is an implementation of root of trust; malware can't tamper with functions

Full disk encryption and self encrypting drive

hardware based (FDE); require password or key to access encrypted data; hard drive known as self encrypting drive (SED)

Collision resistance

hash algorithm's ability to avoid same output from two guessed inputs

Digital signature

hash value for message; hash value asymmetrically encrypted using sender's private key; encrypted hash value and message sent; receiver decrypts with sender's public key; receiver hashes the message; integrity and nonrepudiation if two hashes match

Internet key exchange IKE

helps establish automatic SA; helps 2 endpoints set up secure tunnel by providing secure exchange of shared keys before full IPsec transmission starts; Diffie-Hellman key exchange to set up shared session, where cryptographic keys are derived; mutual authentication by pre-shared keys on both endpoints or certificate issued by CA; can automate selection of best SA for each connection; UDP 500

Public key infrastructure PKI

hierarchy of computers that issues and manages certificates; CA issues certificates

Information classification

high medium low

Mirror site

hot site that has instant failover; parallel processing; immediate; absolutely no downtime; fully configured with infrastructure, network systems, telephone, Internet; fully configured functional servers; up-to-date mirror of production system; expensive

File level dlp

identify sensitive files in file system; embed org security policy to file as it travels

Supporting obfuscation

only good if eyes don't know which camo is used; reverse letters; substitution cipher; ROT13; XOR operation

Output Feedback (OFB)

output blocks fed back into block cipher acting as a key generated, these blocks make strings of bits to feed encryption algo

Approval policy manual

admin approve/deny all requests

Hybrid attack

adding appendages to known dictionary words

Bitlocker

aka full volume encryption protects offline data access on lost/stolen devices

Bitlocker

aka full volume encryption protects offline data on lost devices

Restore

copying backup data to original storage location

Supporting authentication

cost effective multifactor methods for login

Cloud access security broker CASB

gatekeeper extending org's security policies into cloud storage infrastructure

Symmetric

sender uses private key to encrypt, receiver uses same key

Security association SA

shared security info between two network entities; goal is secure communications

Medium

significant financial loss; serious personal or org injury; confidence, reputation, hardship/embarrassment

Diffusion

simple char change in plaintext cause change in cipher text

BitLocker without TPM

100MB system partition that contains boot files BIOS RAM

Code Signing

A Code Signing certificate allows software developers to sign their products before they distribute them. In this way, users who download the software can be confident that it has not been modified since it was signed by the developer.

Cryptographic Service Provider

A Cryptographic Service Provider (CSP) resides on the client and generates the key pair.

PFX

A PFX file can contain multiple certificates. It contains both the public and private keys for the certificates and should never be shared outside the organization.

SAN

A Subject Alternate Name (SAN) certificate can protect more than one FQDN, even if there is no relationship to the names. For example a SAN could protect corpnet.xyz, corpnet.com and newcorp.org.

Online and Offline Certificate Authorities

A chain of trusted authorities begins with a root CA. Once the root CA is installed and its root certificate is created, it can be used to issue certificates authorizing intermediate CAs. An intermediate CA can issue, distribute and revoke certificates without the root CA. If a root CA is compromised, it requires that every certificate in the chain of trusted authorities is re-issued. To ensure the security and integrity of root CAs, they are commonly kept in an offline state and only brought online when needed.

Cross Certification

A cross-certification or bridge model is used when one organization with a CA structure needs to trust certificates from another organization that has its own CA structure. By default, clients in an organization will trust certificates issued by their organization, but they don't trust other root CAs unless they are in an official third party list on the internet for trusted root CAs. Cross certification can be set up so both hierarchies trust each other. A root-to-root configuration allows clients in one organization to trust any certificate issued by the other organization's CAs, and vice versa. A mesh configuration provides trust paths that can be configured for more restrictive certificate validation. This could include root-to-subordinate CA, or even subordinate-to-subordinate.

Domain Validation

A domain validation certificate is typically used for Transport layer security. It is used to validate the identity of domain name servers who have control over a DNS domain.

DER

A file with a DER extension indicates that the certificate is DER encoded. A DER file contains a single certificate.

PEM

A file with a PEM extension indicates that the certificate is ASCII (Base64) encoded.

Data Producers

A person responsible for creating or capturing data. Most people in an organization are data producers.

Data Custodian

A person that is responsible for the quality of the data on a day-to-day basis.

Data Consumers

A person who is using the data. The data must be good enough for them to perform their work. They define what is good data.

Privacy Officer

A person who oversees data activities to ensure they are in compliance with government laws.

Registration Authority

A registration authority (RA) can be used in large enterprise environments to offload client enrollment request processing by handling verification of clients prior to certificates being issued. The RA: Accepts registrations. Distributes certificates and keys. Validates identities in a certificate request for the CA. Does not issue certificates directly. Though certificates are not issued until the RA validates the information, the RA cannot issue certificates.

Root

A root certificate is issued by a trusted certificate authority and identifies a root certificate authority. The private key in a root certificate is used to sign other certificates.

Data Owner

A senior person in an organization with the authority to make decisions regarding the quality of data created, stored, consumed and retired.

PKI Hierarchy

A typical PKI involves multiple certificate authorities (CAs) arranged in a hierarchy. A root CA is the first CA in the hierarchy and the first CA to be set up. The root CA has a self-signed certificate and is often offline to protect the CA from compromise. The root CA does not usually issue certificates to end users or computers, unless the PKI structure is very small. A subordinate CA is a CA authorized by the root CA to issue certificates to other CAs, users, computers. The subordinate CA gets its certificate from the root CA. Subordinate CAs are added to the hierarchy in order to distribute the workload of issuing certificates, or to designate specific CAs to issue certificates for specific uses. A subordinate CA is responsible for issuing certificates, holding the CPS, and publishing the Certificate Revocation List (CRL). Qualified subordination is implemented on a subordinate CA to restrict the issuance and usage of certificates. The following are two types of subordinate CAs: An issuing CA is at the bottom of the hierarchy, and actually issues the certificate to the clients. An intermediate CA is in the middle of a multi-tier system, and certifies issuing CAs or other intermediate CAs.

Enrollment Agent

An enrollment agent is a user who is authorized to request certificates for other users. Enrollment agents are typically authorized to request certificates that are used on smart cards. These agents can request the certificate and create the smart card that the authorized user can then use.

Extended Validation

An extended validation certificate is the highest form of SSL certificate. It is granted by a CA after the company's ownership, organizational information, physical location, and legal existence are verified.

backups, avoid single point of failure

Availability

BitLocker with TPM will secure

BIOS, master boot record, boot sector, boot manager, Windows loader

Daily

Backs up all files modified that day regardless of the archive bit status. Resets the archive bit: No.

Copy

Backs up all files regardless of the archive bit status. Resets the archive bit: No.

Full

Backs up all files regardless of the archive bit. Resets the archive bit: Yes.

incremental

Backs up files on which the archive bit is set. This will back up only the data changed since the last full or incremental backup. Resets the archive bit: Yes.

Burning

Burning is the method of building a small fire somewhere legal and safe. Use metal tongs to burn your documents one by one or a few at a time. It's important to ensure that each document is turned into ash--if sensitive information escapes the flames and flies away, it might fall into the wrong hands.

CER

CER is the Microsoft convention for a CRT file which contains a certificate that is DER or PEM encoded.

Certificate Renewal

Certificate renewal is the process of extending the validity of a certificate. Certificates that are nearing expiration do not need to be reissued; instead, they can be renewed. To ensure that certificates remain valid, they should be renewed before they expire.

Certificate Revocation

Certificate revocation is the process of breaking the bond of a public key pair to a specific individual. Revocation occurs when the end entity falls out of the PKI system's scope of trust. The following are situations in which a digital certificate would be revoked: The identity of the subject (either a person or the computer) changes, such as changing from a maiden name to a married name. An employee is terminated. An organization sells a division or changes its name. A private key is compromised by a hacker. A laptop with a PKI-enabled application is lost or stolen. Revoked certificates that are On Hold can be unrevoked. Certificates revoked for other reasons cannot be unrevoked.

Certificate Validation

Certificate validation is the process used by recipients of certificates to verify the identity of the certificate holder. The following are important considerations: Most certification validation occurs by PKI-enabled applications that receive the certificate and use the information in the certificate to validate the identity of the subject. The more information or points that are validated, the stronger the validation process, and the stronger the security of the PKI system. A requirement for the release of PKI-enabled applications should be the validation of the subject's digital certificate.

Confidential

Confidential information is the lowest level of classified information used by the military. It allows restriction of release of information under the Freedom of Information Act. Release of this information could cause damage to military efforts.

Degaussing

Degaussing purges the hard disk by exposing it to high magnetic pulse that destroys all of the data on the disk. It also ruins the motors inside the drive.

File system encryption

EFS, GPG, Bitlocker, FEK

EFS security considerations

EFS encryption tied to user account; if password is compromised, EFS is compromised; file cannot be encrypted if user key is corrupted or user account deleted; encryption process is transparent to user and applications using file; all directories under are encrypted; auto decrypt when to non-NTFS; auto decrypt when SMB protocol

Dual Key Pairs

Each certificate that is issued has a corresponding public and private key pair. If users are issued a single key pair, that key pair is used for both digital signatures and encryption. In an enterprise environment, it might be beneficial to use two key pairs: one key pair for digital signatures, and the other for encryption. The private key used for digital signatures is kept completely private. Only the user has access to this key and the key is never archived. The private key used for encryption is archived so that encrypted documents can be recovered if the private key is lost. If a single key pair is used for both digital signatures and encryption, it is possible for a recovery agent to obtain the private key from the key archive and use that key for signing documents. This violates the principle of non-repudiation, because someone other than the original user could have signed the document.

Email

Email certificates are used on mail servers to protect username, passwords and email correspondence.

Encrypting implementations

Encrypting File System; GNU Privacy Guard and Pretty Good Privacy; Bitlocker

FACTA

FACTA, the Fair and Accurate Credit Transactions Act, was created to protect against identity theft. It applies to the disposal of consumer reports and related information. FACTA includes credit reports, credit scores, employment history information, check writing history, insurance claims, residential or tenant history, and medical history. Every business handles FACTA-protected information, and every business must comply with FACTA laws.

FISMA

FISMA, the Federal Information Security Management Act, protects government information. It is primarily concerned with proper data destruction and has detailed disposal requirements.

Differential

Fastest. Backs up files on which the archive bit is set. This will back up only the data changed since the last full backup. Resets the archive bit: No.

Applications of cryptography

File system encryption; digital signature; digital envelope; trusted platform module; full disk encryption and self encrypting drive; hardware root of trust; hardware security modules

Public key infrastructure be aware of

PKI Hierarchy, Cross Certification, Dual Key Pairs

Full + Differential

Full backup performed periodically (for example, once per week) followed by differential backups (for example, once each day). Differential backups take progressively longer to complete as the period of time increases since the last full backup. To restore, restore the last full backup and the last differential backup. Next to a full backup, this is the fastest restore method.

Full + Incremental

Full backup performed periodically (for example, once per week), followed by incremental backups (for example, once each day). Incremental backups are quick to perform. This is the fastest backup method. To restore, restore the full backup and every subsequent incremental backup.

OpenPGP procedure

GPG/PGP generates random symmetric key; symmetric key encrypted using receiver's public key; encrypted symmetric key and message sent to receiver; GPG/PGP decrypts symmetric key with receiver's private key; decrypted symmetric key decrypts rest of message

High availability cluster HA

Group of computers that are configured with the same service; one node is configured as master, other nodes configured as slaves; slave and master continually communicate; when master fails, slave takes over; point of failure eliminated with use of redundant nodes

HIPAA

HIPAA stands for Health Insurance Portability and Accountability Act. HIPAA protects medical records and personal health information. Companies that provide healthcare insurance handle HIPAA-protected information. And, of course, companies that provide health-related services also handle HIPAA-protected information.

Hypertext Transport Protocol Secure

Hypertext Transport Protocol Secure (HTTPS) uses HTTP over SSL (Secure Socket Layer). It has replaced S-HTTP as the method of securing HTTP (web) traffic. It is a session-based encryption technology, meaning that the keys used for that session are valid for that session only. HTTP-S is used predominantly throughout the internet. HTTPS operates over TCP port 443.

Internet Protocol Security

Internet Protocol Security (IPsec) is a data encryption protocol for LAN-based applications. IPsec: Is widely deployed in VPN technology. Can be used with IP only. Can be used to encrypt any traffic supported by the IP protocol. This includes web, email, TELNET, file transfer, and SNMP traffic, as well as countless others. Includes both encryption and authentication mechanisms. Is fully capable of providing a secure communication means for any LAN or internet-based system using TCP/IP. Can be used with L2TP or alone to protect data. Requires either certificates or pre-shared keys. Functions at the Network layer of the OSI model. Generally can't be used when a NAT proxy is deployed. Operates at the Network layer (Layer 3). Uses UDP port 500.

PKI management areas

Key Protection, Certificate Validation, Key Archival, Key Escrow, Certificate Revocation, Crypto Period, Certificate Renewal, Key Disposal

Key Archival

Key archival is the backup and archival of private keys for end users in case they lose their private keys. Normally, private keys are kept secret and the CA would never get a copy of the private key. Key archival and recovery is a complex, highly secure process that requires a significant amount of administrative overhead. With a key archival system: Private keys are sent to the CA and backed up by the CA. To protect the private keys during transit, they are encapsulated in a secure transmission of data to the CA. The location of the private keys' backup is secured. Recovery agents are usually administrators who are given the rights to restore private keys from the archive. Key archival uses a centralized approach to key management, where keys are managed by the CA and not only by individual users.

Key Disposal

Key disposal refers to removing the key when it (or the storage mechanism) is no longer being used. Keys should not be disposed of until all data that was encrypted with those keys has been unencrypted or is no longer used. Use degaussing, overwriting, or media destruction to prevent the key from being recovered.

Virtual IP VIP

address presented to outside world; does not correspond to actual physical network interface; load balancing environment responsible for forwarding service request from client to physical server who will respond

Key Escrow

Key escrow is a form of key archival. The main difference between key escrow and key archival is that escrow stores keys with a trusted third party, either to increase security or to allow access only under controlled circumstances. With key escrow, keys might be retrieved by a business that needs access to employee files, or it might allow key access to law enforcement with the proper authorization to investigate crimes or enforce laws.

Key Protection

Key protection refers to using a different key structure for each service or function, such as files, messages, email attachments, transactions, etc. This allows an organization to limit its exposure if a key is compromised. Private keys should be protected and should never be shared or exposed. Public keys can be freely distributed.

Hashing algorithms

MD5, 4, 3; SHA1, 2, 3; RIPEMD

Merkle hellman knapsack

MH; subset sum problem: given list of numbers and sum, determine subset used to create sum; earliest public key cryptosystem; broken by Adi Shamir; 1988 comeback but broken too

Machine/Computer

Machine or Computer certificates are used as proof of identity for a computer.

Maximum Tolerable Downtime

Maximum Tolerable Downtime (MTD) combines the RPO, RTO, MTBF, and MTTR to identify the length of time an organization can survive with a specified service, asset, or process down.

Message Security Protocol

Message security protocol (MSP) is a military implementation of PEM.

SHA1

NIST, NSA; 160-bit message digest

Copy backup

NTBACKUP.exe (Windows Server); backs up all files regardless of archive bit; does not mark them as having been backed up.

OCSP Stapling

OCSP stapling is an efficient way to handle the verification of certificate information. Stapling allows the CA to be queried regularly and the responses to be cached. Otherwise, a request to a CA's server must be made for each certificate verification action.

Hybrid cryptography

OS, apps, components use hybrid system; combines symmetric and asymmetric; combines symmetric systems to process large amounts of data and asymmetric to securely distribute keys

IPsec

OSI 3 Network layer; mutual authentication; integrity; non-repudiation; confidentiality; authentication header; encapsulating security payload

P12

P12 (or, more formally, PKCS #12), is a format for storing multiple certificates in a single file. It is commonly used to package a private key with its certificate or package all members of a chain of trust.

P7B

P7B is a format used by Microsoft for certificate interchange.

Pinning

Pinning is the process of associating a host with its expected certificate. Once the certificate is obtained for a host, it is pinned to the host. Thereafter, all communication with that host should use the same certificate. If not, the communication is suspect.

Pretty Good Privacy

Pretty Good Privacy (PGP) is a commercial asymmetric cryptosystem used for email. PGP provides all four cryptographic services and uses the RSA public key encryption system for key exchange and digital signatures. It relies upon the IDEA or 3DES algorithm for encryption and is based on a pass phrase and a web of trust, not a hierarchy of trust. The public keys used in a PGP system are stored in a key ring. PGP can also secure the email attachments to the messages.

Privacy Enhanced Mail

Privacy Enhanced Mail (PEM) was one of the first email securing technologies. It supports digital signatures, digital certificates, and asymmetric key cryptography.

Private Internal

Private internal information is restricted to individuals within the organization. Private internal information might include: personnel records, financial records, customer lists.

Private Restricted

Private restricted information is restricted to limited authorized personnel within the organization. Private restricted information might include: trade secrets, strategic information, highly sensitive information.

Proprietary

Proprietary information is information that a company wishes to keep confidential. Proprietary information can include secret formulas, processes, and methods used in production.

PHI

Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This includes any part of a patient's medical record or payment history.

Public with Full Distribution

Public with full distribution allows everyone to have free access to a copy of the information with no restrictions. A public website would be classified as public with full distribution.

Public with limited distribution

Public with limited distribution allows private information to be distributed to only selected individuals for a specific purpose. They may have to sign non-disclosure agreements (NDAs) to protect the information from becoming public knowledge.

Pulping

Pulping is a way of removing all traces of ink from paper by using chemicals and then mashing the paper into pulp. Since these chemicals can ruin carpet and clothing, you sho

Pulverizing

Pulverizing is like shredding, except that it uses a punch press or hammer system to crush a hard disk into a pile of metal confetti.

Purging

Purging is the removal of sensitive data, making sure that the data cannot be reconstructed by any known technique.

MD5

RSA; 128-bit message digest

Transport layer security TLS

RSA, Diffie-Hellman for key exchange; successor to SSL 3.0; similar to SSL but not interoperable; apps use TLS and SSL; Diffie-Hellman or RSA for session key exchange; TLS Record, TLS handshake

PGP algorithm used

RSA/Diffie-Hellman for asymmetric; IDEA for symmetric

Recovery Point Objective

Recovery Point Objective (RPO) is a measurement of how old data is at the point that it is successfully recovered. Any data that has been lost between the RPO and the present must either be accepted as lost or reconstructed. Another aspect of RPO is the number of backups to choose from. Some systems offer multiple recovery points; others offer only one recovery point.

Recovery Time Objective

Recovery Time Objective (RTO) is the actual time required to successfully recover all operations.

Full Backup

Requires large amounts of storage for each backup. Takes the longest time to perform each backup. To restore, restore only the last backup. This is the fastest restore method.

Secure sockets layer SSL

SSL handshake protocol to establish secure channel certificate issued by CA Asymmetric encryption USA for key exchange protocol OSI 5 session port 443 SSL 3.0, 2.0, 1.0 session keys in 40 56 128 256-bit lengths end to end encryption LDAP communication, LDAPS and FTP, FTPS

Cluster details

SAN usage; shared IP addresses; client requests are directed to shared IP; cluster members send out periodic heartbeat signals; failover clustering provides redundancy; convergence allows cluster members to reach a consistent state; clustering ensures service accessible in form of high availability, elasticity, scalability

Secret

Secret information is information that, if disclosed, could cause severe and permanent damage to military actions. This could include information about: troop movement, deployments, military capabilities.

Secure Electronic Transaction

Secure Electronic Transaction (SET) was developed by VISA and MasterCard to secure transactions. Credit card data and a digital certificate are stored in a plug-in to the user's web browser. An order received by a SET-enabled merchant server passes the encrypted payment information to the bank. Approval is electronically sent to the merchant. SET uses DES and RSA in addition to digital signatures.

Secure Hypertext Transport Protocol

Secure Hypertext Transport Protocol (S-HTTP) is the old method for securing communications on web servers. It is a message-based encryption technique in which each file is encrypted separately. S-HTTP is not used any more.

Secure Multipurpose Internet Mail Extensions

Secure Multipurpose Internet Mail Extensions (S/MIME) uses a standard public key encryption, authenticates through digital signatures, uses X.509 version 3 certificates, and is included in most web browsers. Similar to PGP, S/MIME can secure email attachments.

Secure Shell

Secure Shell (SSH) was developed for the UNIX platform to encrypt or secure communications for remote facilities. SSH operates over TCP port 22.

Secure Sockets Layer

Secure Sockets Layer (SSL) was developed by Netscape to secure internet-based client/server interactions. SSL authenticates the server to the client using public key cryptography and digital certificates and encrypts the entire communication session. SSL can be used to protect web (HTTP) traffic as well as TELNET, FTP, and email. SSL operates over TCP port 443. SSL operates at the Session layer of the OSI model. Session keys employed by SSL (Secure Sockets Layer) are available in 128-bit and 40-bit lengths.

Secure Real-Time Transport Protocol

Secure real-time transport protocol (SRTP) is a secure extension of RTP (real-time transport protocol) that adds enhanced security features. It was developed to secure VoIP (Voice over IP) communications. SRTP uses encryption and authentication and can achieve high throughput in multiple communications environments, including both hard-wired and wireless environments.

Self-signed

Self-signed certificates are not issued by a CA. They are signed by the person or device that created them. They are often used in an internal network to offer the same level of encryption as other certificates. However, they can't be used to prove identity since any attacker can create a self-signed certificate. They should not be used for public-facing web sites and other applications.

Sensitive but Unclassified

Sensitive but unclassified information, if disclosed, could cause some harm, but not a national disaster.

Shredding

Shredding is running a hard disk through a disk shredder, physically destroying the drive.

Types of backup data

System state, application, user data

add these to increase protocol security

TLS, SSL, SSH (unsecure protocols)

Image backup

Takes a bit-level copy of a disk or partition. Individual files are not examined, so all data is copied regardless of the archive bit. A snapshot is an example of an image. Resets the archive bit: No.

CRL Distribution Point

The CRL is published at the CRL Distribution Point (CDP). Four areas where the CRL is usually published are: On the issuing CA, On an internet or intranet website, To a file so it can be exported to other distribution points, In a directory service, such as Active Directory

Certificate life cycle

The CSP generates the key pair. A certificate request is made to the CA. The CA approves or denies the request. The certificate is issued. The certificate may be renewed. The certificate may be revoked.

Certificate Authority

The Certificate Authority (CA) is an entity trusted to issue, store, and revoke digital certificates.

Certificate Practice Statement

The Certificate Practice Statement (CPS) is a declaration of the security that the organization is implementing for all certificates issued by the CA holding the CPS. This statement tells potential partners or others relying on the security of the PKI system how well the security of the PKI system is being managed.

Certificate Revocation List

The Certificate Revocation List (CRL) consists of a list of certificates that have been previously revoked and resides at the CA. This list can be accessed by the client to verify the validity of a digital certificate.

Mean Time Between Failures

The Mean Time Between Failures (MTBF) identifies the average lifetime of a system or component. Components should be replaced about the time that the MTBF is reached.

Mean Time to Failure

The Mean Time to Failure (MTTF) measures the average time to failure of a system or component. This metric assumes that the system or component is not repaired at any point in its lifetime, which would extend its useful life.

Mean Time to Repair

The Mean Time to Repair (MTTR) identifies the average amount of time to repair a failed component or to restore operations. This time frame is also referred to as Mean Time to Restore.

Online Certificate Status Protocol

The Online Certificate Status Protocol (OCSP) is a protocol used for checking the status of an individual digital certificate to verify if it is good or has been revoked.

Crypto Period

The crypto period is the amount of time that a pair of keys is valid. When determining the crypto period, take the following into consideration: A long crypto period requires less overhead but provides less security. Use a longer crypto period for less sensitive data. A short crypto period requires more overhead but provides more security. Use a shorter crypto period for data that has high sensitivity and heavy use. The life of a key should not be greater than the life of the entity or object for which it was created.

Subordinate Certificate Authority

The subordinate CA is responsible for issuing certificates, holding the CPS, and publishing the CRL. Subordinate CAs function within the hierarchy in a parent-child relationship with the root CA or another subordinate CA.

Certificate Chaining

There are two types of CAs, root CAs and intermediate CAs. When validating a certificate, the client device (usually a web browser) will check the issuing CA, which may be an intermediate CA. The certificate of the issuing CA is then checked. If it is not trusted, the issuing CA of that certificate is checked and so on up the chain until a root CA is found. If no trusted CA in the chain is found, the browser will normally display an error.

Top Secret

Top secret information is the highest level of classified information used by the military. If top secret information is released, it poses grave consequences to national security. This could include information about: Development of new weapons; Intelligence-gathering activities

Transport Layer Security

Transport Layer Security (TLS) was developed by Netscape to secure internet-based client/server interactions. TLS is based on SSL, but they are not interoperable. TLS authenticates the server to the client using public key cryptography and digital certificates. TLS encrypts the entire communication session between a server and a client. TLS can be used to protect web (HTTP) traffic as well as TELNET, FTP, and email. TLS operates over TCP port 443 or port 80. TLS has a specific version for wireless communications known as Wireless Transport Layer Security (WTLS).

Endpoint dlp

USB devices feedback to user as to violations runs on end user workstation/server

Unclassified

Unclassified information can be accessed by the public and poses no security threat.

User

User certificates are used as proof of identity for a person or user.

Authority Information Access

Users can obtain a copy of the CA's certificate from the authority information access (AIA). This is useful if the root CA is offline. It is common for root CAs to be offline so that they are less susceptible to compromise. The CA's certificate can be published to other locations that users can access. A copy of the certificate and the root CA's public key is necessary to verify digital signatures that the CA has implemented.

Wildcard

Wildcard certificates allow you to protect an unlimited number of subdomains within a single domain. For example, a certificate for corpnet.xyz will secure www.corpnet.xyz, help.corpnet.xyz, etc.

Wiping

Wiping is a software-based method of overwriting data to completely destroy all electronic data residing on a hard disk drive or other digital media. Wiping uses zeros and ones to overwrite data onto all sectors of the device. By overwriting the data on the storage device, the data is rendered unrecoverable and achieves data sanitization.

X.509

X.509 is the official standard of ITU Telecommunication Standardization Sector (ITU-T) that identifies the format for public key certificates and certification path validation. All X.509 certificates include the following data: tbsCertificate, Versions that apply to the certificate, Serial number, Signature, Issuer, Validity, Subject, Subject public key information, IssuerUniqueID and SubjectUniqueID, Extensions

Hash

a function that takes variable length string and compresses and transforms it into a fixed length value then decrypted to unhashed for original message authenticate messages store passwords maintain data integrity

Fault tolerance

ability to respond to unexpected hardware or software failure without data loss or loss of operation

Dual load balancing

active passive active active

Load balancing tips

all nodes in work balancing cluster are active at all times all processing tasks to be completed and distributed between nodes in cluster nodes can share processing capabilities storage and ram tightly or loosely linked tighter link implies more nodes function as one system the more tightly linked the nodes in the cluster are the more identical the nodes need to be

Approval policy automatic

allows CA to review info and make decision

Secure hypertext transfer protocol S-HTTP

alternative protocol to HTTPS not as secure as HTTPS connectionless message security, so only partial secure channel does not use 443

Single point of failure

any one failure can cause havoc for entire

Hardware security modules

associated with software/firmware cryptographic functions en/decryption key generation hashing key management plug in card Personal computer security module secure application module hardware cryptographic device cryptographic module

supporting non repudiation

assurance someone cannot deny something digital signature biometric

Weak key attack

attack on an encrypted algo that contains keys with poorly decrypted ciphertext

PKI attack

attacker attempts to have user accept fake or spoofed PKI certificate

Key clustering attack

attacker decrypt encoded message using different key than used in encryption

Chosen ciphertext attack

attacker produces cipher text then sends through a decryption process to see resulting plaintext

Authentication header AH

authenticity non-repudiation integrity no confidentiality packet data not encrypted protection against replay and MITM keyed hash based on all bytes in packet for authentication authenticates packets by digitally signing IP protocol 51

Rolling hot site

back of 18 wheel truck capability of hot site versatile expensive

Mode of operation

block cipher cipher block chaining cipher feedback output feedback counter galois counter mode

Active active

both load balancers work as a team to distribute the service requests

Counter (CTR)

both sender and receiver access reliable counter that computes new shared value each time ciphertext block is exchanged requires sync

Cryptographic attack types

brute force plaintext analytics weakness exploitation encryption MITM downgrade

Birthday attack

brute force that focuses on hashing algorithms hash until two plaintext messages found that produce hashed value 2 out of 23 with same bday for selected day, 253 used

EFS additional users

can be given access symmetric key is decrypted using added users private key

Plaintext

chosen cipher attack known plaintext attack chosen plaintext attack

Chosen plaintext attack

chosen plaintext to be encrypted worker steps away aka lunchtime/midnight attack

SSL procedure

client checks server certificate validity period (time) client compares name of cert with name on URL client verifies issuing CA is on list of trusted CA client uses CA public key to validate CA digital signature on server cert session key is used between client and server for SSL session duration MITM: client compares server DNS to DNS on cert continuous checking

SSL inspection procedure

client establishes SSL tunnel with proxy server; client decrypts SSL session; client scans content, repackages SSL session, sends on traffic; reverse if server establishes SSL tunnel with proxy; proxy server blocks transmission of inappropriate content in either direction

PKI process

client generates public private keypair by cryptographic service provider CSP; client requests certificate signing request CSR from CA by sending identifying information along with public key, digital sign with private key; CA performs identity proofing by verifying information submitted; validate who you say you are using approval policy in CA; cert with valid lifetime period issued; check for revoked certs with certificate revocation list CRL, Online certificate status protocol OCSP

TLS process

client sends hello to server with highest SSL/TLS version client supports, random number, list of ciphers, compression methods; server responds with server hello, protocol version, different random number, selected cipher, compression method, certificate message; afterward client responds with client key exchange message, random number exchanged used to compute master secret, all further data for connection derived from master secret; client sends change cipher spec message (more messages to come); client sends finished message, hash/MAC, server decrypts finished message and verifies hash/MAC; if fail, connection closes; if successful, server sends change cipher spec message noting future transmission will be encrypted; server sends finished message to client, hash/MAC, client decrypts finished message, verifies MAC; fail stop, succeed considered complete

SSL and certificate process

client uses HTTPS (SSL) browser server sends SSL certificate obtained from CA client verifies info in SSL client asks questions if pass then client trusts issuing CA and in turn trusts server

Node

cluster server connected physically by cables uses software to monitor and maintain connections

Cloud storage services

co-located cloud computing service web service application API app that use API

XOR

combines plaintext with a key 0 XOR 0 = 0 0 XOR 1 = 1 1 XOR 0 = 1 1 XOR 1 = 0 common in complex ciphers

Encrypt file on hard drive is which CIA

confidentiality

Clustering

connected group of independent computers to increase availability each cluster server is called node

Service Bureau

contracted site alternative backup processing services quick response and availability testing may be possible expensive resources buyer beware

Trusted platform module (TPM)

create hash of system components generate and store cryptographic keys required for integrity on Bitlocker system startup key start up key can require password use USB without TPM generates random numbers full support for asym (generate public and private keys)

Supporting confidentiality

data encryption to ensure confidentiality training strong passwords strong usernames multi factor authentication

raid 1 + 0 fault tolerance

data is available if one or more disks in a single set fails data is available even if two disks in different sets fail

Raid 0 + 1 fault tolerance

data is available if one or more disks in a single set fails data is lost if two disks in different mirrored sets fail

Data sovereignty

data laws apply to where data resides

Order of restoration

define order in which systems and services are restored

Data loss prevention system DLP

detect and stop breaches of sensitive data

RIPEMD

developed by COSIC 128, 160, 256, 320 bit message digest alternative to government SHA hash

Collision

different inputs to cryptographic function produce same results

ElGamal

discrete logarithm problem taher elgamal 1984 extends diffie hellman for use in encryption and digital signatures used in GNU privacy guard and PGP very slow to create digital signatures Digital signature algorithm is variant of ElGamal signature scheme

Raid 1 + 0

disk mirroring and disk striping multiple disks configured into two mirrored arrays then striped across other set fault tolerance increase performance requires even number of disks minimum four discs 50% overhead most fast fault tolerant and expensive

Raid 0 + 1

disk striping and disk mirroring multiple disks striped creating single volume second set of disks is then added to mirror to the 1st fault tolerance increase performance even number of disks required minimum disks 4 50% overhead

Load balancing cluster

disperses workload between two or more computers or resources resource utilization throughput response time improved performance fault tolerance

Cloud storage

distributed resources but act as one federated cooperative storage highly fault tolerant through redundancy and distribution of data highly durable through versioned copies

Cipher feedback (CFB)

each ciphertext block fed back into encryption and used to encrypt next plaintext block

GNU privacy guard

email digitally signs emails encrypts documents implementation of PGP protocol

EFS

encrypt files and directories on NTFS partitions

Bitlocker procedure

encrypts entire contents of OS partition including OS files swap files, hibernation files all user files special key is required to access can save startup key to TPM TPM is used to perform integrity checking early in boot system won't boot if no pass from TPM integrity check prevents moving hard disk to other computer

DriveLock

encrypts entire contents of hard drive all files

Tunnel mode

encrypts entire packet data inside packet and IP header entire packet encapsulated in new packet

Bitlocker differs from EFS by

encrypts entire volume instead of each file disk partition containing C:\ master boot does not encrypt system partition that contains boot files volume regardless of user as long as PIN passes only for offline attacks

Encrypting file system

encrypts files and folders NTFS partitions protect unsecured locations only original encrypter and added users can en/decrypt protects against offline access as well as online for unauth users does not provide online protection if auth user creds are compromised

Transport mode

encrypts only payload (data)

Cryptographic service providers (CSP)

enhance encryption libraries emails

Facts about hashes

ensure data integrity of files and messages in transit do not ensure confidentiality one way function aka message digest or digital fingerprint larger message digest more secure small change creates new hash

Certificate management

ensure security and availability of digital certificates planning and maintenance in public key infrastructure PKI

Downgrade

exploited through MITM lowering of encryption protocols

Implementation attack

exploits implementation weakness in software protocol encryption algo

High

extreme financial loss extremely serious personal or org injury PII PHI

Cold site

few weeks to a few months to activate facility ready for equipment no hardware on site hookups for power HVAC telephone Internet infrastructure not active least expensive most common

Hashing uses

file integrity secure logon credential exchange

Birthday attack

focuses on hashing algorithm brute force attack where attacker hashes messages until one same hash is found

PGP and GPG do

follow OpenPGP standards RFC 4880 for en/decrypt asymmetric/symmetric supports DSA(default) ElGamal(default) RSA AES 3DES Blowfish MD5 SHA1 GPG can't use IDEA because patent

Clustering load balancers

for high availability clustered in the same way as other server clusters

Round robin

full backup on one day with incremental/differential backups subsequent days when all tapes used, start over with oldest data simple

Mission essential functions

functions that help accomplish goals or missions

Measures for securing cloud storage

implement security controls data classification policy assign info into categories that determine storage, handling, access security classification based on sensitivity and criticality dispose of data when not needed by using tools

IPsec be aware of

included in windows firewall with advanced security called connection security rules NAT errors with IPsec VPN tunnel IPsec tunnels: main, quick most commonly used with L2TP vpns

Raid 0 Striping

increase performance no fault tolerance minimum of two discs maximum 32 discs no overhead fastest of all types

Redundant array of independent disks RAID

inexpensive disk subsystem multiple physical disks into single logical unit improved performance fault tolerance hardware or software implementation hardware RAID more expensive but better performance

Side channel attack

info gained from physical system

Hashing provides

integrity

Secure shell SSH

interactive control of remote systems RSA public key for connection and authentication IDEA by default Blowfish and DES use for unsecure protocols: SFTP, SCP

When replace hardware

just before Mean Time Between Failures MTBF is reached

Stateful

keeps track of client

Encryption attack

key clustering attack replay attack PKI attack side channel attack

Mathematical attack

key containing small data smaller data set provides fewer combinations to decipher 40 bit weak 128 bit strong longer key, more combinations in brute force

Management considerations (asymmetric)

keys can be distributed, no relation required private always secret Asymmetric scalable for large expanding environments, two keys per user keyspace 1k-30k bits slower processing than symmetric ephemeral/static keys

High resilience

leakage-resilient cryptography secure and resistant to side channel attacks

Legal implications

legal issues if systems fail

Elasticity

level of difficulty involved when removing nodes from data store

Low latency

lightweight ciphers good for size and power consumption lower latency is required for cars process all rounds of cipher in one clock cycle == lower latency in block cipher round unrolling/unfolding

Resources vs security constraints

limitations of hardware IoT protocols that know this

low

limited financial loss limited or no to injury or org operations organizational effectiveness morale embarrassment or inconvenience

GNU privacy guard and Pretty good privacy

linux

Data Recover Agent

local DRA for individual workstation domain wide DRA, must be joined

When choosing cryptographic methods

low power devices low latency high resilience supporting confidentiality supporting integrity supporting obfuscation supporting authentication supporting non-repudiation resources vs security constraints

Supporting integrity

maintaining consistency, accuracy, trust of data over lifecycle cryptographic checksums for verification of integrity backups redundancies

Approval policy

manual or automatic

Object identifier OID

map certificate policy to CA best way to provide non-repudiation, public key belongs to individual

Least response time

member who responds most quickly

Least connections

member with the least number of connections

Redundancy

method of providing fault tolerance by providing duplicate or multiple components

Redundant site considerations

multiple documentations 25 miles from primary site acquire before disaster keep systems up-to-date specify requirements move most critical functions first to back up return least critical functions first to back up

Methods of providing redundancy

multiple network paths duplicate system components identical spare parts alternate means of power implementing raid 1 or raid 5 maintaining data backups duplicate servers separate Internet connection

Tower of hanoi

multiple tapes rotated through daily weekly schedule full and incremental/differential requires more tapes than GFS complicated

Managing backups

must be current to be useful do not combine incremental and differential backups image backups are fast for disk failure/malware backup store offsite backup store securely electronic vaulting rotate backup media type of data back up tech does not need to read file separation of duties: back up vs restore roles test

Reciprocal agreement

mutual aid agreement arrangement with other company share computing needs agreement to disruptive event agreement to take on capacity of other operation system no initial cost warm site may be used at its reciprocal site

DLP implementations

network dlp endpoint dlp file level dlp cloud dlp

Round Robin

no priority for selecting member each member shares requests partitioned out in circular order

secured comm when not stored on hard drive

non-repudiation

Key length

number of bits used to determine strength

Active passive

one load balancer is active and handles service requests passive load balancer is listening mode monitors performance of active if active fails passive becomes active and takes on duties

Electronic vaulting methods

online tape vaulting hierarchical storage remote journaling database shadowing

Warm site

partially configured redundant few days to few weeks to activate may be adequate for maximum tolerable downtime MDT fully configured with infrastructure equipped with communication links and data equipped with servers and clients software may not be installed or configured recovery from backups may be required cheaper than hot site

Secure logon credential exchange process

password used as key to perform hash on challenge text value hashed value is passed not password receiver host uses same method to compare hashes to verify

Cloud storage advantages

pay for what is used energy consumption savings availability and data protection storage maintenance virtual machine/docker copies natural disaster backup

PII

personally identifiable information full name address email national id passport IP VIM drivers lic face/fingerprints/handwriting credit cards digital id DOB birthplace genetic info tele logins

Cipher block chaining (CBC)

plaintext block is combined with previous cipher text block and result is encrypted with key

Email encryption

privacy enhanced mail pretty good privacy secure multipurpose internet mail extensions message security protocol

Round unrolling/unfolding

process all rounds of cipher in one clock cycle low latency

Fall back

process of returning client requests to the failed service or server when it comes back online

Backup

process of copying data to second form of storage tape CD removable hard disk flash drive solid state drive Archival bit for notification when file is created

Convergence

process that cluster members use to reach a consistent state

Digital signature

protection of integrity non-repudiation mathematical scheme for demonstrating authenticity of digital message or document credibility guarantee no tampering

Kerberos

prove identity over non-secure environment

Hashing file integrity

prove integrity of downloaded files

Uses

provide confidentiality, strong authentication, and non-repudiation data encryption to secure data digital signing to confirm integrity of message digital signing to confirm authenticity of sender key exchange to ensure keys are secure during transit asymmetric encryption used to securely exchange symmetric keys

Encapsulating security payload ESP

provides all of AH common used IPsec protocol data encryption IP protocol 50

Block cipher

provides confidentiality and authenticity en/decrypt one fixed length block per block en/decrypt combine blocks for additional security used when amount of data is known

Elliptic curve cryptography ECC

public key cryptography groups of numbers in elliptical curve Koblitz Miller 1985 more efficient algo than others used in conjunction with other methods reduce key size small amounts of data for small devices 160-bit key equivalent to 1024-bit RSA less computational power less memory

Perfect forward secrecy

public key cryptography systems random public keys per each session no deterministic algorithm is used while generating public key no single value can be used to compromise multiple messages

Rivest, Shamir, Adleman

public key cryptosystem used to secure data transmission factoring large numbers into prime values 1977 widely used defacto encryption standard asymmetric systems based on difficulty of factoring N (product of two large prime numbers, 201) key length 512-bits to 8k bits (2401 digits) modular arithmetic and elementary number theory

Functionality

public key made available to anyone private key secret one key encrypts, other key decrypts strength of asymmetric encryption lies in security and security of private key if private key is discovered new key pair required keys created by Local security authority (security kernel and cryptographic service provider CSP) Asymmetric key ciphers are two associated algorithms that are inverses computationally infeasible to derive second algo from first without private key

Raid levels

raid 0 raid 5 raid 1 raid 0 + 1 raid 1 + 0

Replay attack

re-transmit encryption session keys in hopes of accessing encrypted resource in decrypted mode

Certificate process

request issue manage

Grandfather father son GFS

scheme to identify three categories of backup Monthly > weekly > daily

Cryptography in LAN and web

secure electronic transaction secure sockets layer transport layer security secure hypertext transport protocol hypertext transport protocol secure secure shell internet protocol security secure real time transport protocol

Hyper text transfer protocol secure HTTPS

secure form of HTTP SSL or TLS to encrypt before data transfer stateful requires 443

SFTP vs FTPS

secure shell FTP FTP that uses SSL along with server certificate

SSL end to end encryption disadvantages

security software cannot detect embedded attacks in transit internal users can use SSL to bypass proxy servers or internet content filtering

Known plaintext attack

seen plaintext and resulting ciphertext

Affinity

selection based on Infinity IP addresses of client such as Class C

Key exchange

sender encrypts message with key receiver must decrypt symmetric asymmetric key length

Asymmetric

sender key and receiver key are different distribute symmetric keys (hybrid)

Digital envelope

sender requests copy of receiver public key receiver or CA sends digital certificate contains public key sender asym encrypted message with public key sender sends asym encrypted message receiver uses their private key to decrypt

Output

simple char change in plaintext will cause several char to change in cipher text (diffusion) two different inputs to cryptographic func produce same output (collision)

Unified threat management UTM

single network appliance service on network next gen firewalls anti malware, spam content filtering web filtering firewall intrusion detection VPN

Cloud dlp

software traffic to and from cloud detect sensitive data being in violation of org security policy AWS Macie

Network dlp

software/hardware installed near network perimeter analyzes network traffic detects violations of org security policy

Weakness exploitation types

statistical attack dictionary attack weak key attack implementation attack hybrid attack

Offsite backups

storing backups in another location apart from main campus

Raid 0

stripe set breaks data into units and stores units across series of disks by reading and writing to all disks simultaneously

Hashing security concerns

strong hash outputs large number of bits hash should be made from entire message not portion avalanche effect (amplification) small change means large change

Questions client ask in HTTP SSL

subject name in cert match URL cert expired trust this CA

Chassis intrusion detection

switch sends signal to BIOS when cover removed

Scalability

systems ability to handle a growing level of work

Raid 5 overhead

three discs 33% four discs 25% five discs 20%

IPsec modes of operation

transport tunnel

Brute force

tries every known combination lots of time mathematical attack birthday attack

Collision

two different messages produce same hash value

Raid 1 mirroring

two duplicate disks simultaneously if one fails data is on other instant system switch fault tolerance does not increase performance require two discs 50% overhead most expensive

Secure logon credential exchange

used to secure logon credentials during exchange password used as key to perform hash on challenge text value, only hashed value passed LANMAN NTLM CHAP MSCHAP

Implementations (asymmetric)

used with protocols SSL/TLS IPsec VPN (pptp, l2tp, sstp) S/MIME and PGP for email SSH tunnels

EFS procedure

user saves file system generates symmetric key or file encryption key FEK (currently: AES SHA ECC) encryption key encrypted using Asymmetric with users public key stored in file header in Data Decryption Field (DDF) encryption key can also be encrypted using public key of Data Recover Agent DRA Trusted agent DRA can decrypt if users private key is lost/corrupted

Galois/Counter mode (GCM)

variation of counter mode does not require high performance hardware

Intent of load balancing

virtualize a service web/database service offered by multiple servers Forward service request from a client to a single member of cluster chooses or schedules members based on algorithm round robin affinity least connections least response time

Raid 5 striping with distributed parity

volume combines disk striping across multiple disks with parity for data redundancy parity information stored on disk if one disk fails data can be recovered using parity on remaining disks fault tolerance increase performance no fault tolerance if two or more disks fail require minimum of three discs overhead: 1 / N - 1

Statistical attack

weakness in cryptosystem inability to produce true random numbers floating point errors

DLP states

while in use on endpoint while in motion as transmitted while at rest on storage medium while being transmitted to/from cloud services

Dictionary attack

words and common variations

