CYB 333 Final

What is the key-space of an 8-bit key?

256

Monthly Availability formula

30 day calendar- 30 days X 24 hours/day X 60 mins/hour = 43,200 mins

Logic Bomb

: a form of malware that executes when a certain predefined event occurs.

Virus

: a virus attaches itself to or copies itself into another program on a computer. It infects a host program and causes that host program to replicate itself to other computers.

Need to know

: concept that prevents people from gaining access to information they don't need to carry out their job function

Access controls fall into 2 categories

: logical access controls and physical access controls. Logical access controls allow access into a system or network; physical access allows access into buildings and protected areas.

Childrens Internet Protection Act (CIPA)

A federal law enacted by Congress to address concerns about access to offensive content over the Internet on school and library computers. Passed in 2000, updated in 2011.

A personnel safety plan should

ALWAYS include an escape plan.

Buffer overflows

An attack conducted by supplying more data than is expected. Buffer overflow attacks takes advantage of a system that does not properly account for the amount of data input into an application.

Phreaking

Hacking of the systems and computers used by phone companies is known as

BYOD security issues

Network speed, usability, and security

Visa, MasterCard, and other payment card vendors helped to create the

PCI DSS

Seven layers of the OSI model

Physical, Data Link, Network, Transport, Session, Presentation, and Application

Backdoors

Programs that attackers install after gaining unauthorized access to a system, to ensure that they can continue to have unrestricted access

Principle of least privilege

The idea that users should be granted only the levels of permissions they need in order to perform their duties.

Creating a digital signature

To create a digital signature, the sender of information encrypts the hash value of the information with their private key (the sender's private key). To verify a digital signature, the receiver of the information decrypts the hash value of the information with the sender's public key and compares the hash value with the hash value of the message. If they match then nothing was changed in the transmission of the message. Hash functions, referred to as message digests, do not use a key, but instead create a unique and fixed-length hash value (referred to as a hash) based on the original message or file. The critical point is that hashes create a fixed-length, not a variable-length, value based on the original message.

Ethics:

Users should not assume that information is free and respect intellectual property rights. Assuming that information should be free is one of the common fallacies about ethics.

Under HIPPA (Health Insurance Portability and Accountability Act of 1996),

a breach is any impermissible use or disclosure of unsecured PHI that harms its security or privacy. Protected health information (PHI) is any individually identifiable information about a person's health

Security Kernel

a central point of access control and implements the reference monitor concept. It mediates all access requests and permits access only when the appropriate rules or conditions are met.

gap analysis

a comparison of the security controls you have in place and the controls you need in order to address all identified threats

Kerberos

a computer network authentication protocol that allows nodes communicating over a nonsecure network to prove their identity to one another in a secure manner. the user sends their ID and access request through the __ client to the key distribution center. The authentication server of the KDC verifies that the user and requested service are in the KDC database and sends a ticket (key).

National Institute of Standards and Technology (NIST)

a federal agency within the U.S. Department of Commerce. Their mission is to mission is to "promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life."

Joule

a measure of energy

Weber

a measure of magnetic flux

Gauss

a measurement of a magnetic field

Cipher

a method used to encode characters to hide their value

Privacy

a person's right to control the use and disclosure of his or her own personal information. This means that people have the opportunity to assess a situation and determine how their data are used.

Trojan horse

a program that on the surface appears safe but is malicious

Lightweight Directory Access Protocol (LDAP)

a protocol for defining and using distributed directory services. provides handling access control credentials. makes it easy for administrators to manage logon and access credentials on computers and devices across a network.

Worm

a self-contained program that replicates and sends copies of itself to other computers without any user input or action

The waterfall model is

a sequential process for developing software. The essence of the waterfall model is that no phase begins until the previous phase is complete.

Certificate Authority (CA)

a trusted entity that handles digital certificates.

A Key

a value that is applied using an algorithim to unencrypted text to produce encrypted text, or to decrypt encrypted text

vulnerability

a weakness that allows a threat to be realized or have an effect on an asset

Information systems security

about ensuring the confidentiality, integrity, and availability of IT infrastructures and the systems they comprise.

Authorization Controls

access control lists, physical access control, and network traffic filters. A biometric device is an authentication control

Key Escrow

addresses the possibility that a third party may need to access keys

The Gramm-Leach-Bliley Act (GLBA)

addresses the privacy and security of consumer financial information, ) applies to the financial activities of consumers

False positives are

alerts that seem malicious but are not real security events

Under Federal Information Security Management Act (FISMA),

all federal agencies must report security incidents to the U.S. Computer Emergency Readiness Team (US-CERT)

Compliance liaisons make sure

all personnel are aware of and comply with an organization's policies.

Hash Functions (referred to as)

also referred to as message digests

During an audit

an auditor compares the current setting of a computer or device with a benchmark to help identify differences

Caesar Cipher

an example of a shift cipher

PGP

an example of hybrid encryption

Vigenere Cipher

an example of polyalphabetic substitution cipher

PCI DSS (Payment Card Industry Data Security Standard)

an international standard for handling transactions involving payment cards. developed, publishes, and maintains the standard.

Sarbanes-Oxley Act (SOX) Section 404 REQUIRES

an organization's executive officers to establish, maintain, review, and report on the effectiveness of the company's internal controls over financial reporting (ICFR)

HIPAA (Health Insurance Portability and Accountability Act of 1996)

applies specifically to health records

Company-related classifications

are not standard, therefore, there may be some differences between the terms "private" and "confidential" in different companies

Assigning privileges

authorization

Performing security testing includes

both vulnerability testing and penetration testing.

Single sign on

can provide for stronger passwords because with only one password to remember, users are generally willing to use stronger passwords

Anomaly-based intrusion detection systems

compare current activity with stored profiles of normal (expected) activity.

availability

concerned with ensuring that information is readily accessible to unauthorized users at all times

confidentiality

concerned with privacy and secrecy

CIA Triad

confidentiality, integrity, availability

Deterrent

controls deter an action that could result in a violation.

Detective

controls identify that a threat has landed in your system.

The IEEE 802.11 series of standards

covers wireless LAN technology, including 802.11a, 802.11b, 802.11g, 802.11n, and 802.11ac.

security policy

defines a risk-mitigating definition or solution for your organization

Disaster Recovery plan

defines how a business can get back on its feet after a major disaster (hurricane, fire). The steps involved in creating a comprehensive DRP should be completed in this order: define potential threats, document likely impact scenarios, and document the business and technical requirements to initiate the implementation phase

Acceptable use policy

defines what users are allowed to do with organization-owned IT assets

A disaster recovery plan (DRP

details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations.

Administrative controls

develop and ensure compliance with policy and procedures.

Hash Functions

do not use a key, but instead create a unique fixed length hash-value (referred to as hash) based on the original message or file. The critical point is that hashes create a fixed-length, not a variable-length, value based on the original message

Written security policies

document management's goals and objectives

FERPA (The Family Educational Rights and Privacy Act of 1974)

doesn't require that specific information security controls be implemented to protect student records

Federal Information Security Modernization Act (FISMA)

enacted to update __ 2012 with information on modern threats as well as security controls and best practices. Passed in 2014

Hardening a system

ensure controls are in place to control known threats.

RSA(most common), Elliptic Curve Cryptography

examples of asymmetric key encryption algorithms

AES, DES, 3DES, RC4, Blowfish

examples of symmetric key encryption algorithms

Types of biometrics

fingerprint, palm print, retina scan, hand geometry, facial recognition, voice patterns, keystroke dynamics.

Remediation involves

fixing something that is broken or defective

Service Level Agreements (SLAs) are

formal contracts that detail the specific services a vendor will provide. Notification of security breaches is a common requirement found in SLAs.

Bluesnarfing

gaining unauthorized access through a Bluetooth device

Business Continuity Plan

gives priorities to the functions an organization needs to keep going. A business continuity plan is a written plan for a structured response to any events that result in an interruption to critical business activities or functions

PCI DSS

governs how credit cards, includes provisions that Gwen should implement before accepting credit card transactions

The IoT

has five critical challenges to overcome: security, privacy, interoperability, legal and regulatory compliance, and emerging social and economic issues. An example of an industry that implemented and embraced IoT is the auto industry. Today's vehicles have smart computers, "always-on" Wi-Fi Internet access, and more

PCI Council

has two major priorities. The first priority is to assist merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data. Its second priority is to help vendors understand and implement the PCI standards and requirements for ensuring secure payment solutions are properly implemented.

SIEM systems

help organizations manage the explosive growth of log files. SIEMs provide a platform to capture and analyze logs from many different sources.

business impact plan

identifies the resources for which a business continuity plan (BCP) is necessary.

Compliance

includes the actual state of being compliant and the steps and processes taken to become compliant.

PII (Personal Identifiable Information)

information that you can use to uniquely identify an individual, includes names, addresses, Social Security and driver's license numbers, financial account information, health records, and credentials

A business impact analysis (BIA)

is an analysis of the business to determine what kinds of events will have an impact on what systems.

threat

is any action that could damage an asset. Information systems face both natural and human-induced threats.

Risk

is the likelihood that a particular threat will be realized against a specific vulnerability.

Security

is the process; privacy is a result

An auditing benchmark

is the standard by which a system is compared to determine whether it is securely configured.

Certificate

links a public key (not a private key) to a particular individual

Ransomware

malware that forces a victim organization to pay money to prevent the deletion of data.

Trojan horse

malware that masquerades as a useful program

Botnet

many Internet-connected computers under the control of a remote hacker

It's important that all configuration changes occur

only within a controlled process. Uncontrolled configuration changes often result in conflicts and even new security vulnerabilities

to ensure the confidentiality of sensitive data

organizations typically implement role-based access control mechanisms in their application

Role-based access control

permission to access a system or resource is dependent upon the person's role (or job title) in an organization

Mandatory access controls

permission to access a system or resource is determined by the sensitivity of the resource through the user's security level.

Fencing and mantraps are examples of

physical controls.

Bring Your Own Device (BYOD)

policy allows employees to use their personal mobile devices and computers to access enterprise data and applications.

Principle of least privilege

privilege means granting someone the minimum access that allows them to do their job.

accountability

process of associating actions with users for later reporting and research

During the audit phase of a security review,

professionals review the logs and overall environment to provide independent analysis of how well the security policy and controls work.

In security testing

reconnaissance involves reviewing a system to learn as much as possible about the organization, its systems, and its networks.

An organization can never

reduce risk to zero, even with adequate security controls and defenses

integrity

refers to the ability to prevent data from being changed in an undesireable or unauthorized manner

Impact

refers to the amount of harm a threat exploiting a vulnerability can cause

Hertz

represents frequency and is expressed as the number of cycles per second.

The Federal Trade Commission (FTC) Safeguards Rule

requires a financial institution to create a written information security program that must state how the institution collects and uses customer data.

Gramm-Leach-Bliley Act (GLBA)

requires all types of financial institutions to protect customers private financial information. Passed in 1999

Health Insurance Portability and Accountability Act (HIPAA)

requires health care organizations to have security and privacy controls implemented to ensure patient privacy. Passed in 1996

Sarbanes-Oxley Act

requires publicly traded companies to submit accurate and reliable financial reporting. Doesn't require securing private information, but it requires security controls to protect the confidentiality and integrity of the reporting itself. Passed in 2002

Certificate Authorities

responsible for issuing, revoking, and distributing certificates. These third-party authorities manage public keys and issue certificates which verify the validity of a sender's message.

Organizations should

seek a balance between the utility and cost of various risk management options.

Organizations

should seek a balance between the utility and cost of various risk management options.

Rootkits

software programs that have the ability to hide certain things from the operating system.

5 types of authentication

something you know (knowledge), something you have (ownership), something that is unique to you (characteristics, like fingerprints, retina, or signature), somewhere you are (location), and something you do or how you do it (action). Using controls from one category is single factor authentication. Using controls from two categories is two-factor authentication or multi-factor authentication (2 or more).

Least significant bit (LSB)

steganography techniques modify the least significant bits in each color of a 24-bit image.

In a black-box test

the assessor uses test methods that aren't directly based on knowledge of a program's architecture or deign. The tester does not have the source code.

Evil twin attack

the attacker deploys a fake open or public wireless network to use a packet sniffer on any user who connects to it

False negatives are

the failure of the alarm system to detect a serious event.

How does hashing help security systems?

the hashes are used to ensure that transmitted messages have not been tampered with

Risk:

the likelihood that something bad will happen to an asset

Discretionary access system

the owner of the resource decides who gets in and changes permissions as needed. The owner can delegate that responsibility to others.

brute force attack

the password cracker tries every possible combination of characters

System owners:

the person or group that manages the infrastructure.

Data owner:

the person who owns the data or of someone the owner assigns.

The International Electrotechnical Commission (IEC)

the predominant organization for developing and publishing international standards for technologies related to electrical and electronic devices and processes.

Decryption

the process of converting ciphertext to plaintext

Separation of duties

the process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task.

Risk Management

the process of identifying, assessing, prioritizing, and addressing risks

Information security

the process used to keep data private

The main goal of SOX (Sarbanes-Oxley Act)

to protect investors from financial fraud. It supplements other federal securities laws. It applies to publicly traded companies that must register with the Securities and Exchange Commission

Uptime

total amount of time that a system, application, and data are available. Measured in seconds, minutes, and hours within a given calendar month.

Downtime

total amount of time that a system, application, and data are not available. Measured in seconds, minutes, and hours within a given calendar month

Signature detection systems

use rule-based detection and rely upon pattern matching to compare current traffic with activity patterns of known network attacks

Masking

used to "X out" pertinent characters of sensitive data.

The Key

used to change plaintext into ciphertext, or ciphertext into plain text.

Digital Signatures

used to enable the detection of changes to message contents, ensure that the message was legitimately sent by the expected party and to prevent the sender from denying that they sent the message.

Hybrid Cryptosystems

uses a combination of keys; a symmetric key to encrypt and decrypt the message and public/private key to encrypt and decrypt the symmetric key.

Asymmetric Key Encryption

uses a public key and a private key

Symmetric Key Encryption

uses one key to both encrypt and decrypt

Network mapping

uses software tools that scan for services running on an organization's systems and networks.

Classification decisions:

value, sensitivity, and criticality

dictionary attack

works by hashing all the words in a dictionary and then comparing the hashed value with the system password file to discover a match

Outsourcing

you are most likely to achieve access to a high level of expertise because security vendors focus exclusively on providing advanced security services. However, your costs are likely to increase rather than decrease with outsourcing, and this decision also inhibits developing internal knowledge and talent.