CYB 333 Final
What is the key-space of an 8-bit key?
256
Monthly Availability formula
For a 30-day calendar month: 30 days x 24 hours/day x 60 minutes/hour = 43,200 minutes. Availability (%) = (43,200 minutes - downtime minutes) / 43,200 minutes x 100. A month with 31 or 28 days changes the denominator.
Logic Bomb
a form of malware that executes when a certain predefined event occurs (a date, a user being removed from payroll, a file being deleted).
Virus
a virus attaches itself to or copies itself into another program on a computer. When the infected host program runs, the virus code runs with it and copies itself into other programs or onto other computers; unlike a worm, it needs a host program and usually some user action to spread.
Need to know
concept that prevents people from gaining access to information they don't need to carry out their job function
Access controls fall into 2 categories
logical access controls and physical access controls. Logical access controls govern access to systems, networks and data (passwords, ACLs, firewall rules); physical access controls govern access to buildings and protected areas (locks, badges, guards).
Childrens Internet Protection Act (CIPA)
A federal law enacted by Congress to address concerns about access to offensive content over the Internet on school and library computers. Passed in 2000, updated in 2011.
A personnel safety plan should
ALWAYS include an escape plan.
Buffer overflows
An attack conducted by supplying more data than a program expects. Buffer overflow attacks take advantage of code that does not check the amount of input against the size of the memory reserved for it, so the excess overwrites adjacent memory (return addresses, variables, heap metadata).
Phreaking
hacking of the telephone network and the systems and computers used by phone companies
BYOD security issues
Network speed, usability, and security
Visa, MasterCard, and other payment card vendors helped to create the
PCI DSS
Seven layers of the OSI model
Physical, Data Link, Network, Transport, Session, Presentation, and Application
Backdoors
Programs that attackers install after gaining unauthorized access to a system, to ensure that they can continue to have unrestricted access
Principle of least privilege
The idea that users should be granted only the levels of permissions they need in order to perform their duties.
Creating a digital signature
To create a digital signature, the sender computes a hash of the information and encrypts that hash value with the sender's private key. To verify it, the receiver decrypts the signature with the sender's public key and compares the result with a hash of the received message. If they match, the message was not changed in transit and was signed by the holder of that private key. Hash functions, also called message digests, do not use a key; they produce a fixed-length value (the hash) from the original message or file, and for a secure hash it is computationally infeasible to find two inputs with the same hash. The critical point is that a hash is fixed-length, not variable-length, regardless of the size of the original message.
Ethics:
Users should not assume that information is free and respect intellectual property rights. Assuming that information should be free is one of the common fallacies about ethics.
Under HIPAA (Health Insurance Portability and Accountability Act of 1996),
a breach is any impermissible use or disclosure of unsecured PHI that compromises its security or privacy. Protected health information (PHI) is any individually identifiable information about a person's health, health care, or payment for health care.
Security Kernel
a central point of access control and implements the reference monitor concept. It mediates all access requests and permits access only when the appropriate rules or conditions are met.
gap analysis
a comparison of the security controls you have in place and the controls you need in order to address all identified threats
Kerberos
a computer network authentication protocol that allows nodes communicating over an insecure network to prove their identity to one another in a secure manner. The user sends their ID and access request through the Kerberos client to the key distribution center (KDC). The authentication server of the KDC verifies that the user and the requested service are in the KDC database and issues a ticket (an encrypted credential containing a session key), which the client then presents to obtain access to the service.
National Institute of Standards and Technology (NIST)
a federal agency within the U.S. Department of Commerce. Its mission is to "promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life."
Joule
a measure of energy
Weber
a measure of magnetic flux
Gauss
a measurement of a magnetic field
Cipher
a method used to encode characters to hide their value
Privacy
a person's right to control the use and disclosure of his or her own personal information. This means that people have the opportunity to assess a situation and determine how their data are used.
Trojan horse
a program that on the surface appears safe but is malicious
Lightweight Directory Access Protocol (LDAP)
a protocol for defining and using distributed directory services. Directories accessed with LDAP commonly hold logon and access control credentials, which makes it easier for administrators to manage accounts and permissions for computers and devices across a network.
Worm
a self-contained program that replicates and sends copies of itself to other computers without any user input or action
The waterfall model is
a sequential process for developing software. The essence of the waterfall model is that no phase begins until the previous phase is complete.
Certificate Authority (CA)
a trusted entity that handles digital certificates.
A Key
a value that is applied using an algorithm to unencrypted text (plaintext) to produce encrypted text (ciphertext), or to decrypt ciphertext back to plaintext
vulnerability
a weakness that allows a threat to be realized or have an effect on an asset
Information systems security
about ensuring the confidentiality, integrity, and availability of IT infrastructures and the systems they comprise.
Authorization Controls
access control lists, physical access control, and network traffic filters. A biometric device is an authentication control
Key Escrow
addresses the possibility that a third party may need to access keys
The Gramm-Leach-Bliley Act (GLBA)
addresses the privacy and security of consumer financial information; it applies to the financial activities of consumers
False positives are
alerts that seem malicious but are not real security events
Under Federal Information Security Management Act (FISMA),
all federal agencies must report security incidents to the U.S. Computer Emergency Readiness Team (US-CERT)
Compliance liaisons make sure
all personnel are aware of and comply with an organization's policies.
Hash Functions (referred to as)
also referred to as message digests
During an audit
an auditor compares the current setting of a computer or device with a benchmark to help identify differences
Caesar Cipher
an example of a shift cipher
PGP
an example of hybrid encryption
Vigenere Cipher
an example of polyalphabetic substitution cipher
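Worked example (added here; it is not part of the original study set): a Python implementation of the shift cipher and the Vigenere cipher from the three cards above, plus a brute-force search over every Caesar shift. The key-space of a Caesar cipher is only 26 shifts (25 if the identity is excluded), far smaller than even the 256 keys of an 8-bit key on the first card, so exhaustive search is instant. The sample plaintext, key and crib word are constructed for the example.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text, shift, decrypt=False):
    """Shift cipher: every letter moves `shift` places; non-letters pass through."""
    if decrypt:
        shift = -shift
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def vigenere(text, key, decrypt=False):
    """Polyalphabetic substitution: the i-th letter of the plaintext is shifted by
    the i-th letter of the repeating key, so the same plaintext letter can map to
    different ciphertext letters depending on position."""
    key = key.upper()
    if not key or any(k not in ALPHABET for k in key):
        raise ValueError("key must consist of one or more letters")
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = ALPHABET.index(key[i % len(key)])
            out.append(ALPHABET[(ALPHABET.index(ch) + (-k if decrypt else k)) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def caesar_brute_force(ciphertext):
    """Return every candidate plaintext, one per possible shift (the whole key-space)."""
    return {shift: caesar(ciphertext, shift, decrypt=True) for shift in range(26)}


def caesar_crack(ciphertext, crib):
    """Pick the shift whose decryption contains a word the attacker expects (a crib).
    Returns (shift, plaintext) or None if no candidate contains the crib."""
    for shift, candidate in caesar_brute_force(ciphertext).items():
        if crib.upper() in candidate:
            return shift, candidate
    return None


if __name__ == "__main__":
    # Constructed sample input for the example.
    ct = caesar("ATTACK AT DAWN", 3)
    print(ct, "->", caesar_crack(ct, "ATTACK"))
    print(vigenere("ATTACK AT DAWN", "LEMON"))
```

The Vigenere cipher defeats the simple shift brute force because the key is a word, not a single number, but with a short repeating key it still falls to frequency analysis of every k-th letter.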
PCI DSS (Payment Card Industry Data Security Standard)
an international standard for handling transactions involving payment cards. The PCI Security Standards Council develops, publishes, and maintains the standard.
Sarbanes-Oxley Act (SOX) Section 404 REQUIRES
an organization's executive officers to establish, maintain, review, and report on the effectiveness of the company's internal controls over financial reporting (ICFR)
HIPAA (Health Insurance Portability and Accountability Act of 1996)
applies specifically to health records
Company-related classifications
are not standard, therefore, there may be some differences between the terms "private" and "confidential" in different companies
Assigning privileges
authorization
Performing security testing includes
both vulnerability testing and penetration testing.
Single sign on
can provide for stronger passwords because with only one password to remember, users are generally willing to use stronger passwords
Anomaly-based intrusion detection systems
compare current activity with stored profiles of normal (expected) activity.
availability
concerned with ensuring that information is readily accessible to authorized users whenever they need it
confidentiality
concerned with privacy and secrecy
CIA Triad
confidentiality, integrity, availability
Deterrent
controls deter an action that could result in a violation.
Detective
controls identify that a threat has landed in your system.
The IEEE 802.11 series of standards
covers wireless LAN technology, including 802.11a, 802.11b, 802.11g, 802.11n, and 802.11ac.
security policy
defines the rules, responsibilities and controls an organization adopts to mitigate its risks
Disaster Recovery plan
defines how a business can get back on its feet after a major disaster (hurricane, fire). The steps involved in creating a comprehensive DRP should be completed in this order: define potential threats, document likely impact scenarios, and document the business and technical requirements to initiate the implementation phase
Acceptable use policy
defines what users are allowed to do with organization-owned IT assets
A disaster recovery plan (DRP
details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations.
Administrative controls
develop and ensure compliance with policy and procedures.
Hash Functions
do not use a key, but instead create a fixed-length hash value (referred to as a hash) from the original message or file; for a secure hash function it is computationally infeasible to find two inputs with the same hash. The critical point is that hashes create a fixed-length, not a variable-length, value based on the original message
Written security policies
document management's goals and objectives
FERPA (The Family Educational Rights and Privacy Act of 1974)
doesn't require that specific information security controls be implemented to protect student records
Federal Information Security Modernization Act (FISMA)
enacted to update the Federal Information Security Management Act of 2002 with information on modern threats as well as security controls and best practices. Passed in 2014
Hardening a system
ensuring controls are in place to address known threats: removing unneeded services and accounts, patching, and tightening default configurations.
RSA(most common), Elliptic Curve Cryptography
examples of asymmetric key encryption algorithms
AES, DES, 3DES, RC4, Blowfish
examples of symmetric key encryption algorithms (DES and RC4 are now considered broken and should not be used in new systems; AES is the current standard)
Types of biometrics
fingerprint, palm print, retina scan, hand geometry, facial recognition, voice patterns, keystroke dynamics.
Remediation involves
fixing something that is broken or defective
Service Level Agreements (SLAs) are
formal contracts that detail the specific services a vendor will provide. Notification of security breaches is a common requirement found in SLAs.
Bluesnarfing
gaining unauthorized access through a Bluetooth device
Business Continuity Plan
gives priorities to the functions an organization needs to keep going. A business continuity plan is a written plan for a structured response to any events that result in an interruption to critical business activities or functions
PCI DSS
governs how organizations handle cardholder data and includes requirements that a merchant must implement before accepting credit card transactions
The IoT
has five critical challenges to overcome: security, privacy, interoperability, legal and regulatory compliance, and emerging social and economic issues. An example of an industry that implemented and embraced IoT is the auto industry. Today's vehicles have smart computers, "always-on" Wi-Fi Internet access, and more
PCI Council
has two major priorities. The first priority is to assist merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data. Its second priority is to help vendors understand and implement the PCI standards and requirements for ensuring secure payment solutions are properly implemented.
SIEM systems
help organizations manage the explosive growth of log files. SIEMs provide a platform to capture and analyze logs from many different sources.
business impact analysis (BIA)
identifies the resources and business functions for which a business continuity plan (BCP) is necessary.
Compliance
includes the actual state of being compliant and the steps and processes taken to become compliant.
PII (Personally Identifiable Information)
information that you can use to uniquely identify an individual, includes names, addresses, Social Security and driver's license numbers, financial account information, health records, and credentials
A business impact analysis (BIA)
is an analysis of the business to determine what kinds of events will have an impact on what systems.
threat
is any action that could damage an asset. Information systems face both natural and human-induced threats.
Risk
is the likelihood that a particular threat will be realized against a specific vulnerability.
Security
is the process; privacy is a result
An auditing benchmark
is the standard by which a system is compared to determine whether it is securely configured.
Certificate
links a public key (not a private key) to a particular individual
Ransomware
malware that encrypts or locks a victim's data and demands payment to restore access (or, increasingly, to prevent stolen data from being published).
Trojan horse
malware that masquerades as a useful program
Botnet
many Internet-connected computers under the control of a remote hacker
It's important that all configuration changes occur
only within a controlled process. Uncontrolled configuration changes often result in conflicts and even new security vulnerabilities
to ensure the confidentiality of sensitive data
organizations typically implement role-based access control mechanisms in their application
Role-based access control
permission to access a system or resource is dependent upon the person's role (or job title) in an organization
Mandatory access controls
permission to access a system or resource is determined by comparing the sensitivity label of the resource with the security clearance of the user; the labels are set by the system, not by the resource owner or the user.
Fencing and mantraps are examples of
physical controls.
Bring Your Own Device (BYOD)
policy allows employees to use their personal mobile devices and computers to access enterprise data and applications.
Principle of least privilege
privilege means granting someone the minimum access that allows them to do their job.
accountability
process of associating actions with users for later reporting and research
During the audit phase of a security review,
professionals review the logs and overall environment to provide independent analysis of how well the security policy and controls work.
In security testing
reconnaissance involves reviewing a system to learn as much as possible about the organization, its systems, and its networks.
An organization can never
reduce risk to zero, even with adequate security controls and defenses
integrity
refers to the ability to prevent data from being changed in an undesirable or unauthorized manner
Impact
refers to the amount of harm a threat exploiting a vulnerability can cause
Hertz
represents frequency and is expressed as the number of cycles per second.
The Federal Trade Commission (FTC) Safeguards Rule
requires a financial institution to create a written information security program that must state how the institution collects and uses customer data.
Gramm-Leach-Bliley Act (GLBA)
requires all types of financial institutions to protect customers' private financial information. Passed in 1999
Health Insurance Portability and Accountability Act (HIPAA)
requires health care organizations to have security and privacy controls implemented to ensure patient privacy. Passed in 1996
Sarbanes-Oxley Act
requires publicly traded companies to submit accurate and reliable financial reporting. Doesn't require securing private information, but it requires security controls to protect the confidentiality and integrity of the reporting itself. Passed in 2002
Certificate Authorities
responsible for issuing, revoking, and distributing certificates. These third-party authorities manage public keys and issue certificates which verify the validity of a sender's message.
Organizations should
seek a balance between the utility and cost of various risk management options.
Rootkits
software that hides its own presence (files, processes, network connections, registry keys) from the operating system and its monitoring tools, often to keep a backdoor undetected.
5 types of authentication
something you know (knowledge), something you have (ownership), something that is unique to you (characteristics, like fingerprints, retina, or signature), somewhere you are (location), and something you do or how you do it (action). Using controls from one category is single factor authentication. Using controls from two categories is two-factor authentication or multi-factor authentication (2 or more).
Least significant bit (LSB)
steganography techniques modify the least significant bits in each color of a 24-bit image.
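Worked example (added here, not from the original study set): LSB steganography in Python. A 24-bit image is modelled as a list of (r, g, b) tuples with values 0-255 so that it runs without an imaging library; the sample image and payload are constructed for the example. The embedding writes one payload bit into the least significant bit of each colour channel, preceded by a 4-byte length prefix (an assumption of this example, not a standard format) so the extractor knows how many bytes to read.

```python
# A 24-bit image modelled as a list of (r, g, b) tuples; constructed sample image.
SAMPLE_IMAGE = [((x * 7) % 256, (x * 13) % 256, (x * 29) % 256) for x in range(64)]


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def capacity_bytes(pixels):
    """Payload bytes the image can hold: one bit per channel, minus the 4-byte length prefix."""
    return len(pixels) * 3 // 8 - 4


def embed(pixels, payload: bytes):
    """Hide `payload` in the least significant bit of each colour channel.
    Only the lowest bit of each channel changes, so every channel moves by at most 1."""
    if len(payload) > capacity_bytes(pixels):
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity of "
                         f"{capacity_bytes(pixels)} bytes")
    message = len(payload).to_bytes(4, "big") + payload
    bits = _bits(message)
    out = []
    for pixel in pixels:
        new = []
        for channel in pixel:
            bit = next(bits, None)
            new.append(channel if bit is None else (channel & 0xFE) | bit)
        out.append(tuple(new))
    return out


def extract(pixels):
    """Read the LSBs back: first the 4-byte length prefix, then that many payload bytes."""
    lsbs = (channel & 1 for pixel in pixels for channel in pixel)

    def read_bytes(n):
        value = bytearray()
        for _ in range(n):
            b = 0
            for _ in range(8):
                b = (b << 1) | next(lsbs)
            value.append(b)
        return bytes(value)

    length = int.from_bytes(read_bytes(4), "big")
    return read_bytes(length)


def max_channel_change(original, stego):
    """Largest per-channel difference between cover and stego image (expected: 1)."""
    return max(abs(a - b) for p, q in zip(original, stego) for a, b in zip(p, q))


if __name__ == "__main__":
    stego = embed(SAMPLE_IMAGE, b"hi there")
    print(extract(stego), "max change:", max_channel_change(SAMPLE_IMAGE, stego))
```

Because only the lowest bit of each channel changes, the stego image is visually identical to the cover, but the statistical regularity of the modified LSBs is exactly what steganalysis tools look for.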
In a black-box test
the assessor uses test methods that aren't based on knowledge of the program's architecture or design. The tester does not have the source code.
Evil twin attack
the attacker deploys a fake open or public wireless network to use a packet sniffer on any user who connects to it
False negatives are
the failure of the alarm system to detect a serious event.
How does hashing help security systems?
the hashes are used to ensure that transmitted messages have not been tampered with
Risk:
the likelihood that something bad will happen to an asset
Discretionary access control
the owner of the resource decides who gets in and changes permissions as needed. The owner can delegate that responsibility to others.
brute force attack
the password cracker tries every possible combination of characters
System owners:
the person or group that manages the infrastructure.
Data owner:
the person who owns the data, or someone the owner assigns to act on their behalf.
The International Electrotechnical Commission (IEC)
the predominant organization for developing and publishing international standards for technologies related to electrical and electronic devices and processes.
Decryption
the process of converting ciphertext to plaintext
Separation of duties
the process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task.
Risk Management
the process of identifying, assessing, prioritizing, and addressing risks
Information security
the process used to keep data private
The main goal of SOX (Sarbanes-Oxley Act)
to protect investors from financial fraud. It supplements other federal securities laws. It applies to publicly traded companies that must register with the Securities and Exchange Commission
Uptime
total amount of time that a system, application, and data are available. Measured in seconds, minutes, and hours within a given calendar month.
Downtime
total amount of time that a system, application, and data are not available. Measured in seconds, minutes, and hours within a given calendar month
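Worked example (added here; not part of the original study set) of the monthly availability formula from the "Monthly Availability formula" card, using the uptime and downtime definitions above. The outage list is constructed for the example. Two details a practitioner has to get right are handled: overlapping outage windows must not be counted twice, and an outage that crosses a month boundary only counts for the minutes inside the month being measured.

```python
from datetime import datetime

# Constructed outage log for the example: (start, end) pairs, end exclusive.
SAMPLE_OUTAGES = [
    (datetime(2024, 4, 3, 10, 0), datetime(2024, 4, 3, 11, 30)),   # 90 minutes
    (datetime(2024, 4, 3, 11, 0), datetime(2024, 4, 3, 12, 0)),    # overlaps the first: adds only 30
    (datetime(2024, 4, 30, 22, 0), datetime(2024, 5, 1, 1, 0)),    # crosses into May: 120 min in April
]


def _month_bounds(year, month):
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return start, end


def month_minutes(year, month):
    """Total minutes in the calendar month: 43,200 for a 30-day month."""
    start, end = _month_bounds(year, month)
    return int((end - start).total_seconds() // 60)


def downtime_minutes(year, month, outages):
    """Minutes of downtime inside the month, with overlapping windows merged
    so the same minute is never counted twice."""
    start, end = _month_bounds(year, month)
    clipped = sorted((max(s, start), min(e, end)) for s, e in outages
                     if e > start and s < end)
    total = 0.0
    cur_s = cur_e = None
    for s, e in clipped:
        if cur_e is not None and s <= cur_e:
            cur_e = max(cur_e, e)          # extend the current merged window
        else:
            if cur_e is not None:
                total += (cur_e - cur_s).total_seconds()
            cur_s, cur_e = s, e
    if cur_e is not None:
        total += (cur_e - cur_s).total_seconds()
    return int(total // 60)


def availability_percent(year, month, outages):
    """Availability = uptime / total minutes x 100, rounded to four decimals."""
    total = month_minutes(year, month)
    uptime = total - downtime_minutes(year, month, outages)
    return round(100.0 * uptime / total, 4)


if __name__ == "__main__":
    print(month_minutes(2024, 4), downtime_minutes(2024, 4, SAMPLE_OUTAGES),
          availability_percent(2024, 4, SAMPLE_OUTAGES))
```

For the sample data April 2024 has 43,200 minutes and 240 minutes of downtime, so availability is 99.4444%; the same outage list yields a different figure for May because only the hour after midnight falls in that month.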
Signature detection systems
use rule-based detection and rely upon pattern matching to compare current traffic with activity patterns of known network attacks
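Worked example (added here; not from the original study set) contrasting the two detection approaches on the "Anomaly-based intrusion detection systems" card and the "Signature detection systems" card. Signature detection matches request lines against regexes for known attack patterns; anomaly detection first builds a profile of normal requests per source and minute from a training window, then flags buckets that deviate from it by more than a threshold number of standard deviations. The log lines, their `minute source request` format, the two signatures and the threshold are all constructed assumptions of this example.

```python
import re
from statistics import mean, pstdev

# Constructed training traffic: "<minute> <source ip> <request>"
BASELINE_LOG = """\
08:00 10.0.0.5 GET /index.html
08:00 10.0.0.5 GET /style.css
08:00 10.0.0.7 GET /index.html
08:01 10.0.0.5 GET /about.html
08:01 10.0.0.7 GET /index.html
08:01 10.0.0.7 GET /style.css
08:01 10.0.0.7 GET /logo.png
08:02 10.0.0.9 GET /index.html
""".splitlines()

# Constructed live traffic: two lines carry known attack patterns, and one host
# floods the server with 40 ordinary-looking requests in a single minute.
LIVE_LOG = """\
09:00 10.0.0.5 GET /index.html
09:00 10.0.0.5 GET /about.html
09:01 10.0.0.5 GET /login?user=admin' OR '1'='1
09:01 10.0.0.7 GET /index.html
09:02 10.0.0.7 GET /../../etc/passwd
09:03 10.0.0.9 GET /index.html
""".splitlines() + ["09:04 10.0.0.13 GET /index.html"] * 40

# Signature rules: patterns of known attacks (example rules, not a real rule set).
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)'\s*or\s*'\d+'\s*=\s*'\d+"),
    "path_traversal": re.compile(r"\.\./"),
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse(lines):
    """Return (minute, ip, request) tuples, skipping lines that do not fit the format."""
    return [m.groups() for m in (LINE_RE.match(l) for l in lines) if m]


def signature_detect(lines):
    """Rule-based detection: (ip, rule) for every request matching a known pattern."""
    return [(ip, name) for _, ip, request in parse(lines)
            for name, pattern in SIGNATURES.items() if pattern.search(request)]


def _rates(lines):
    """Requests per (ip, minute) bucket."""
    counts = {}
    for minute, ip, _ in parse(lines):
        counts[(ip, minute)] = counts.get((ip, minute), 0) + 1
    return counts


def build_profile(lines):
    """Store what 'normal' looks like: mean and standard deviation of the bucket rates."""
    values = list(_rates(lines).values())
    return {"mean": mean(values), "stdev": pstdev(values)}


def anomaly_detect(lines, profile, threshold=3.0):
    """Flag (ip, minute, count) buckets more than `threshold` standard deviations
    above the profile mean. No attack signature is needed, so the flood is caught,
    but a genuinely busy legitimate client would be flagged too (a false positive)."""
    cutoff = profile["mean"] + threshold * profile["stdev"]
    return [(ip, minute, n) for (ip, minute), n in _rates(lines).items() if n > cutoff]


if __name__ == "__main__":
    print(signature_detect(LIVE_LOG))
    print(anomaly_detect(LIVE_LOG, build_profile(BASELINE_LOG)))
```

On the sample data the signature engine finds the injection and traversal attempts but is blind to the flood, while the anomaly engine flags the flood but says nothing about the two malicious requests because one request per minute is entirely normal. Real deployments run both.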
Masking
used to "X out" pertinent characters of sensitive data.
The Key
used to change plaintext into ciphertext, or ciphertext into plain text.
Digital Signatures
used to enable the detection of changes to message contents, ensure that the message was legitimately sent by the expected party and to prevent the sender from denying that they sent the message.
Hybrid Cryptosystems
uses a combination of keys; a symmetric key to encrypt and decrypt the message and public/private key to encrypt and decrypt the symmetric key.
Asymmetric Key Encryption
uses a public key and a private key
Symmetric Key Encryption
uses one key to both encrypt and decrypt
Network mapping
uses software tools that scan for services running on an organization's systems and networks.
Classification decisions:
value, sensitivity, and criticality
dictionary attack
works by hashing all the words in a dictionary and then comparing the hashed value with the system password file to discover a match
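Worked example (added here; not from the original study set) of the two password-cracking techniques on the "brute force attack" and "dictionary attack" cards. The password file, word list and hash format (`user:salt:sha256`) are constructed assumptions of this example. Plain SHA-256 is used so that the comparison step is visible; a real system stores passwords with a slow, salted key derivation function, which is exactly what makes both attacks expensive.

```python
import hashlib
import itertools
import string


def hash_password(password, salt=""):
    """Salted SHA-256, hex encoded (a real system would use a slow KDF such as scrypt)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed word list and "password file" for the example: (user, salt, hash).
WORDLIST = ["letmein", "password", "dragon", "monkey", "football"]
PASSWORD_FILE = [
    ("alice", "", hash_password("dragon")),             # unsalted, common word
    ("bob", "", hash_password("x7q")),                  # unsalted, short but not in the list
    ("carol", "s4lt", hash_password("dragon", "s4lt")),  # same word as alice, but salted
]


def dictionary_attack(entries, wordlist):
    """Hash every dictionary word and compare with the stored hashes.
    Unsalted entries are checked against one precomputed table that serves every
    user; a salted entry forces a fresh hash of every word for that user's salt."""
    found = {}
    precomputed = {hash_password(w): w for w in wordlist}
    for user, salt, stored in entries:
        if salt == "":
            if stored in precomputed:
                found[user] = precomputed[stored]
        else:
            for word in wordlist:
                if hash_password(word, salt) == stored:
                    found[user] = word
                    break
    return found


def brute_force(stored_hash, salt="", charset=string.ascii_lowercase + string.digits, max_len=3):
    """Try every combination of characters up to max_len (36^3 = 46,656 guesses for
    the default) and return the matching password, or None if none matches."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guess = "".join(combo)
            if hash_password(guess, salt) == stored_hash:
                return guess
    return None


def crack_file(entries, wordlist, max_len=3):
    """Dictionary attack first, then brute force on whatever is left."""
    found = dictionary_attack(entries, wordlist)
    for user, salt, stored in entries:
        if user not in found:
            guess = brute_force(stored, salt, max_len=max_len)
            if guess is not None:
                found[user] = guess
    return found


if __name__ == "__main__":
    print(crack_file(PASSWORD_FILE, WORDLIST))
```

Note what the salt does and does not do: carol's password is still recovered because "dragon" is in the word list, but the attacker had to hash the whole list again just for her salt, so a precomputed table (or rainbow table) built once for everyone no longer works. Brute force grows as charset size to the power of length, which is why length beats complexity.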
Outsourcing
you are most likely to achieve access to a high level of expertise because security vendors focus exclusively on providing advanced security services. However, your costs are likely to increase rather than decrease with outsourcing, and this decision also inhibits developing internal knowledge and talent.