Info Security Final Review

Briefly describe five different types of security audits.

* Compliance Audits - verify that security complies with an external standard ISO 27001, PCI DSS, etc. Requires review by external auditor * Internal security reviews - internally-driven security assessments Review compliance with established policies Vulnerability scan or penetration test Audit log reviews to seek unexpected activities or to investigate an incident * vulnerability scan that checks for indications of a list of known vulnerabilities. * penetration test ("pen test") that tries to penetrate established defenses. * Security Scans A typical security scan is an automated vulnerability scan in which an analyst scans the network for indicators of known vulnerabilities. The basic concept is similar to the "nmap" tool (Section 11.5.2), except that the scan results are compared against a database of known vulnerabilities. If the scan indicates the presence of a particular version of network software, then the scan reports any vulnerabilities associated with that software.

Provide a step-by-step description of how a packet is routed, assuming that it must traverse at least one router.

- A packet can only be routed if the target user of the other side is belong within the same LAN connection.

What is a socket? How does it relate to a typical networking API?

- A standard API that provides internet services to application programs

Explain the relationship between layers of software in the network protocol stack and headers appearing in a packet.

- Application layer; - Transport layer; - Link layer; the connection between the user and

Explain the role of autonomous systems and ISPs in the structure of the global Internet.

- Autonomous systems: collection of IP routing prefixes administer by one or more network worker. - Internet Service Provider: a company that provides internet services

Briefly describe the common cipher modes.

- Counter Mode: generates key stream and applies xor to implement a stream cipher. Instead of using feedback, the counter mode encrypts successive values of a counter. - Cipher Feedback Mode: combines properties of stream ciphers and block ciphers. We generate a key stream one block at a time and combine it with the text using xor - Cipher Block Chaining Mode: considered as block oriented. The plaintext must be a multiple of the cipher's block size. If it is shorter, it requires to add padding.

Describe the different categories of asymmetric encryption algorithms and how they are used in practice.

- Diffie-Hellman algorithm is not for encryption or decryption but it enables two parties who are involved in communication to generate a shared secret key for exchanging information confidentially. - Rivest-Shamir-Adleman (RSA) public key algorithm in 1978. This algorithm can be used for encrypting and signing data. The encryption and signing processes are performed through a series of modular multiplications. - Elliptic Curve Cryptography (ECC) provides similar functionality to RSA. Elliptic Curve Cryptography (ECC) is being implemented in smaller devices like cell phones. It requires less computing power compared with RSA. ECC encryption systems are based on the idea of using points on a curve to define the public/private key pair. - El Gamal is an algorithm used for transmitting digital signatures and key exchanges. The method is based on calculating logarithms. El Gamal algorithm is based on the characteristics of logarithmic numbers and calculations. The Digital Signature Algorithm (DSA) is based on El Gamal algorithm. - Digital Signature Algorithm can be used only for signing data and it cannot be used for encryption. The DSA signing process is performed through a series of calculations based on a selected prime number. When DSA is used, the process of creating the digital signature is faster than validating it. When RSA is used, the process of validating the digital signature is faster than creating it. An unpredictable (typically large and random) number is used to begin generation of an acceptable pair of keys suitable for use by an asymmetric key algorithm. In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt.

Summarize the six qualities of good encryption algorithms

- Explicitly designed for encryption: we exploit an encryption algorithm for a different purpose, such as to produce one-way hash. - Security does not rely on its secrecy: if the algorithms security relies on its secrecy then everyone who looks at the algorithm will be a member of its cryptonet. - Available for analysis: we must often analyze the algorithm so it can last for long term and so that it will not fall in simple attacks. - Subjected to analysis: This must undergo in a peer-reviewed publication conducted by experts and if they supports the algorithm, we can trust it. - No practical weaknesses: since we use new ways in algorithms, they become vulnerable to new attack. - Implementation has completed a formal cryptographic evaluation: we have to make sure that the developers uses the right tricks to keep the encryption secure.

Describe the steps performed in a typical block cipher.

- Generate the key schedule - Divide the key schedule into subsections, one per round. - For each subsection, perform a round: • For the first round, take the plaintext as the input text; for the remaining rounds, take the output of the previous round as the input text. • Take the next unused subsection of the key schedule as the key input • Scramble the input text using permutations and substitutions as specified in the encryption algorithm

What is the difference between a global IP address and a private IP address?

- Global IP Address: provides by ISP to determine network network - Private IP Address: provides by router to certain network inside our network

List the elements of an incident handling policy.

- How to grade incidents by seriousness - Who to contact in the IT or security organization when incidents occur - Roles and responsibilities within IT and within other enterprise departments - What technical steps to take to mitigate further damage - What procedural steps to take to report the incidents to other enterprise departments or to senior management - Which incidents should be reported to law enforcement

Describe the difference between IPv4 and IPv6 addresses. Which is most widely used

- IPv4: most common IP addresses, 32 bits long, represents them with a dotted decimal notation. - IPv6: 129 bits long, four times the size of an IPv4 address

Explain the role of ARP and how it works.

- If a host send a packet to another host on the same LAN, the ARP will convert the IP address into correct MAC address

Describe methods and techniques used to improve software security

- Internal security labels: information must secured and requires special handling - Need-to-know controls: one must prevents users from seeing information that they do not specifically need to know. - Encryption: The software should take steps to avoid disclosing the decrypted data except to the necessary and authorized recipients - Integrity Checking: Software should perform the check and inform the user of the result of the integrity checking

Briefly describe and compare the five basic network topologies.

- Point-to-point network: connects exactly two endpoints together. - Star network: connects three or more endpoints through a central mode - Bus network: connects all endpoints to a single, shared communications medium - Tree network: connects endpoints through a hierarchy of nodes. - Mesh network: connects endpoints through a network of arbitrarily connected nodes

Describe a typical approach to resource sharing on a network. What is the delegation problem?

- Resource sharing means two or more entity can share something, for example, printer. It was mentioned that printer before is too expensive, it then results for printer sharing. Also, this allow for anyone on the LAN to use the resource if they had the client software. Delegation problems refer to the problem of relying on a remote process to enforce the correct access rights

Explain the fundamental difference between block and stream ciphers.

- Stream ciphers encrypt bit by bit, while block ciphers encrypt fixed-sized blocks of bits

Identify and describe the four phases of a large-scale attack.

- Surveillance: The attacker studies the attack target, collecting information about it - Infiltration: the attacker take steps to enter the system so that the attack may ake place. - Execution: the attacker takes the steps needed to achieve the attack's objective - Disengagement: the attacker withdraws, having achieved the attack's objective

Explain how collisions are handled on a wireless LAN. Compare it to how collisions are handled on a wired Ethernet LAN.

- The transmitter and intended recipient both transmit messages to warn away other traffic. Next, the recipient will immediately request a retransmission if a transmission fails.

Summarize residual risks to information protected by volume encryption. Include key-handling risks.

- Untrustworthy encryption: arises if the encryption implementation is faulty. The encryption might use a weak algorithm or apply the algorithm in a way that weakens its protection - Encryption integrity: regardless of the quality of algorithm, an attacker might be able to weaken, disable, or bypass the encryption. We must install the software correctly and then rely on the operating system to protect its integrity. - Leaking the plaintext: Before anything else, an attacker must look for an opportunity to retrieve the data before encryption or after decryption. - Data integrity:

Explain how a typical acknowledgment protocol works, and why it provides reliable data transmission. How can the protocol produce duplicate packets?

- When a packet arrives at its destination, the recipient verifies the packet's checksum. If the checksum fails, it discards the packet. If the packet arrives intact, the recipient transmits the ACK or the acknowledgment protocol. - If the ACK was lost, the retransmission creates a duplicate packets.

Describe two techniques to help reduce the insider threat.

1. Monitoring. People are more likely to behave if they think they are being watched. Monitoring may double-check periodic results, like the cash held by cashiers, or may scan for unauthorized activity, like access to nonbusiness websites during business hours. 2. Two-person or multiperson control. Most employee misbehavior is by individuals, not conspiracies. Companies can greatly reduce the risk by involving two or more people in important transactions. This may be procedural, as with checks for accounts payable, in which one person makes the list of checks, another prints the checks, and a third signs them. This also may be implemented with automated systems, as with nuclear missile launching or automated workflow systems. This "Two person concept" is also used to work on nuclear weapons it also called the "no lone zone".

Summarize the challenges of key management.

1. Sharing keys with exactly the right people, no more, or less.2.Choosing keys that attackers can guess.3.Handling keys so that attackers can guess or intercept them.

Summarize the basic security features of a well-written file encryption program.

1.) Built in File Encryption 2.) Separate Encryption Applications 3.) Policies that require file encryption AES algorithm, or similarly secure Restricts access to plaintext file Overwrites plaintext file after encryption Handle keys safely Third-party evaluation

Summarize basic considerations for secure, trustworthy software.

1.) Certificates (trusted third party or certificate authority) 2.) Authenticated Software Updates

Summarize the different situations in which people use file encryption software.

1.Protect a file while sending a copy to someone else. 2.Protect a file while it resides on the computer's hard drive. This involves three separate risks: a.Access by a Trojan horse b.Access by a separately booted operating systemc. Access to low-level data written to the hard driveIn the first case, we might send an electronic file via email, or we might copy it onto a USB drive and deliver it physically.

What is the difference between a stream cipher and a one-time pad?

A (synchronous) stream cipher is an algorithm which maps some fixed-length key to an arbitrary-length key-stream (i.e. a sequence of bits): C:{0,1}k→{0,1}∞. This key-stream is then XOR-ed with the plain text stream, giving the ciphertext stream. For decrypting, the same key-stream (generated from the key at the receiver side) will be XOR-ed with the ciphertext stream, giving again the key stream. A One-time pad is an algorithm which takes a key of large size (at least message size), and XORs its start with the plaintext to get the ciphertext. For decryption, we XOR the start of the key with the ciphertext to get back the plaintext.

Describe the components of a digital stream cipher.

A digital cipher is the work is in bit patterns that can be sectioned off in two ways, one is when the key is generated and the other is when the key works with the data flow. A steam cipher is when work is continuous streams of symbols, which can be secured in wireless communications

Explain how one might establish trust in a self-signed certificate

A self-signed certificate only is useful if it is going to be used over time for a series of transactions. As the transactions is perform successfully, we develop increased confidence in the certificates validity. Self-signed certificate provides useful assurance in two cases. 1. If the certificate contains other data that we can independently verify 2. If the certificate is used for a series of transactions.

Describe how key wrapping may be applied to file encryption

According to Smith, Key wrapping uses two separate and unrelated keys to encrypt the file. We encrypt the actual data in the file with the content encryption key (CEK). We generate a new, truly random CEK whenever we encrypt the file. We than use passphrase to produce a key encrypting key (KEK). We produce the wrapped key by encrypting the CEK with the KEK. 1. The program collects the passphrase from the user. 2. The program hashes the password to produce the KEK. 3. The program uses a reliable source of random numbers to generate the CEK. 4. The program "wraps" the CEK by encrypting it with the KEK. 5. The program encrypts the plaintext file using the CEK as the key 6. The program creates the encrypted file by combining the wrapped key with the ciphertext. (Smith).

Describe the different categories of symmetric encryption algorithms

Codes - apply transformations to words and phrases in the plaintext. Ciphers - apply transformations to individual symbols in the raw text. Transposition - a cipher in which the original symbols in the message are simply rearranged but not replaced. Mixed - a combination of categories.

Describe four types of secrecy practiced by enterprises

Company secrecy falls roughly into four categories: 1. Obligations. Companies may have legal or contractual obligations to keep certain types of information secret. Legal obligations address employee privacy, health records privacy, and information that could affect a public company's stock price. Contractual obligations may include trade secrets shared with others, licensed software management, and rules for handling credit card transactions. 2. Trade secrets. Companies keep information secret that would give competitors a commercial advantage. These include inventions and processes that may be subject to patent or unpatentable techniques that would benefit competitors. Other trade secrets include business details that might help competitors anticipate price decisions or identify customers that a competitor might try to lure away. 3. Managing publicity. As noted previously, companies may keep things secret that might not yield positive publicity. 4. Secrecy culture. Some companies have a tradition of keeping their internal activities secret, even without compelling business or legal reasons to do so.

Summarize five mechanisms for security education, training, and awareness.

Culture. People living in particular cultures have particular expectations of an employer or other enterprise. Most enterprises try to fulfill cultural expectations. When the enterprise takes exception to expectations, it must clearly explain the exceptions to its employees, clients, and other participants. • Written instructions. When an enterprise communicates with outside participants like customers and clients, it provides written explanations. Retail sellers provide "terms and conditions" to potential buyers. Clubs and organizations provide bylaws. Employees often receive, or have access to, an "employee guide" that outlines company rules, benefits, and restrictions. There also may be a large and elaborate set of enterprise policies and procedures. • Personal instructions. Employees usually receive direct instruction from their supervisor regarding their duties and responsibilities. Personnel responsible for other aspects of work, like IT administrators, may provide additional instruction when providing employees with computer and network access. Informal training can demand a great deal of time from existing employees. • Formal training. Some organizations provide formal training courses to teach employees and other participants about special expectations that might be new or peculiar to the organization. This helps ensure consistent behavior. For example, scouting organizations provide training courses for adult leaders. Some organizations provide training to all employees on the use of computer and network resources, instead of relying on terse briefings by IT administrators. • Public announcements. Enterprises often teach employees and participants about new or important activities or responsibilities through periodic announcements. Some announcements simply serve to remind participants of particular rules and obligations.

Summarize basic attacks on DNS.

DNS LOOKUP. Most computer systems have a keyboard command nslookup that uses the resolver to look up domain names. The command works in Unix command shells available in OS-X and Linux and in the MSDOS command shell on Windows. Unlike the nmap command examined earlier, nslookup doesn't take a list of options and parameters. Instead, it starts its own command shell that collects domain names to look up. URL Redirect Check. Check that your server is properly responding to a redirection of an old URL. Type in the old URL and click "Verify Redirection." Find out the IP address and Name Servers (DNS) of your Domain. Try it now! Obtain information about or related to a domain name registration record.

Explain the difference between file encryption and volume encryption.

File encryption means converting a data into a secret code. In order to read this converted file, this needs a key or password to decrypt it. Volume encryption means encrypting all files in the volume.

Describe the differences between a hierarchical PKI and one that relies on a web of trust.

Hierarchical PKI as the name suggest will be hierarchical structure with the authorities to issue certificates. With certificates trust can be established between client and the server. Because of it centralization, it is flexible, suitable for small companies. Web of Trust is decentralized technique. A model of PGP, in the model you can accumulate keys from other people that you may want to call a trusted user. Here whole control and the authority is with the user. He is the one who must decide whether or not to trust.

What is the difference between key splitting and key wrapping

Key Splitting is like it sounds dividing a code number or decryption algorithm into two or more parts so that no part in itself can be used without reconstructing the key by uniting all its parts. Whereas Key Wrapping is class of symmetric encryption algorithms designed to encapsulate cryptographic key material. The Key Wrap algorithms are for applications keys while in untrusted storage, or being transmitting over untrusted datelines. The only difference between a split key and a wrapped key is that we use xor to encrypt the split key. (Smith)

Why are there two separate, standard internet transport protocols: TCP and UDP? How are they similar? How are they different?

Major TCP packet fields. • Acknowledgment number—the sequence number of the last byte reliably received by the sender.• Size—the size of the TCP header. • Status—a set of flags indicating the roles performed by this packet. • Window size—indicates the amount of data the sender can accept on this connection. • Checksum—the checksum for the TCP header and data field. • Urgent pointer—points to "urgent" data; rarely used. These same fields appear in the TCP header when expanded by Wireshark. UDP packet fields. Both TCP and UDP headers carry port numbers that indicate the process sending or receiving the packet at a host. Often the port numbers connect client processes to server processes. When a client opens a connection to a particular server, the client's protocol stack randomly selects the source port. The destination port is chosen according to the application protocol being used; port 80 is traditionally used for Web traffic, while port 25 is used to send an email. USER DATAGRAM PROTOCOL Not all network traffic requires reliable connections. If a particular application simply needs to exchange unreliable datagrams, we don't use TCP, because it involves unnecessary overhead and possible delays. Some application protocols inherently detect lost or damaged packets and retransmit them as needed. These application protocols use UDP instead of TCP.

Summarize and compare the three techniques for transmitting information on communications networks.

Message switching - send whole messages Sending and receiving are independent Recipient gets all of message or nothing Message size limits and longer delays Circuit switching - connect two speakers Send and receive one or many messages Sender and recipient must both be available Packet switching - send message in pieces More efficient, but requires complex endpoints

Describe how a gateway converts a private IP address into a global IP address using NAT.

NAT allows you to use these private IP address on the internal network. to the public network (Internet) then this is where a public address comes into the equation address everyone can see, which would represent your network gateway and this translation of converting a private IP address to public is done by NAT.

Identify the four types of protection applied to storage systems.

Physical protection of storage systems. Potential attackers must not have physical access to critical storage systems like file servers. • Protection of external storage traffic. As storage distribution systems become more sophisticated, it becomes easier to physically distribute data at very low levels. If a site transmits low-level storage traffic between protected server rooms, the cabling itself should be shielded from eavesdropping. In many cases, it may be sufficient to use fiber optic connections instead of traditional wiring. • Ensure recovery from hardware failures. This may be provided through technical means like RAID systems (see Section 13.5.1). • Ensure recovery from physical disasters. This includes fires, floods, or storm damage. This requires off-site backups, which themselves must be protected from unauthorized access.

Summarize five methods used to manage electric power.

Protected power controls. Once power enters the enterprise's secure boundary, it goes into control panels protected with fuses and circuit breakers. These panels may be secured by lock and key simply because the operating currents pose a hazard. The panels also present a possible point of a denial-of-service attack, so service personnel must be trustworthy. • Power filtering. The power supplies in modern computing equipment can adapt to a broad range of voltages, but the equipment works most effectively with reliable, consistent power. Moreover, spikes due to lightning strikes may exceed the power supply's operating range. Thus, power filtering provides important protection. • Uninterruptable power systems (UPS). These were once the exclusive province of larger, enterprise-level computing systems. Today, even households can afford an effective UPS. A high-end UPS may include its own motor-driven generator to handle lengthy power outages. The capacity and duration of a site's UPS depends on their disaster planning (Section 13.5.3). • Protected power cabling. If an enterprise is a particularly attractive target of vandalism or denial-of-service attacks, then they need to protect their power cabling. In some high-security environments, attackers can try to infer sensitive information from a system's power variations. This would call for protected power cabling. • Power alarms. The power system should provide an alarm when it switches from line power to the UPS, and when there are significant changes in the power being provided or being used. Any of these may indicate an impending attack or a risk of losing services. Enterprises may benefit from alarms that provide email, text, or voice mail alerts.

What mechanisms does TCP use to provide acknowledgments and flow control?

SEQUENCE AND ACKNOWLEDGMENT NUMBERS. The sequence and acknowledgment numbers help ensure reliable transmission of all data. The sender sequentially numbers each byte sent in a TCP connection. A packet's SEQ field carries the sequence number of the first byte in each packet. The recipient keeps track of the sequence number of each byte received. The acknowledgment number reports the highest sequence number of all bytes received. When a TCP packet acknowledges data from an earlier packet, Wireshark provides a link to that earlier packet in its "SEQ/ACK Analysis. "There is an interesting difference between the packet's actual contents and Wireshark's expanded header. Sequence numbers and acknowledgment numbers are shown relative to the start of the connection. Thus, byte 1 in the connection yields sequence number 1 in the expanded Wireshark header. In fact, when TCP opens a connection, it tries to select a random and hard-to-predict starting sequence number. In the 1990s, attacks developed against firewalls that sent privileged keyboard commands. The receiving hosts accepted the commands, because the source IP address appeared to belong to a trustworthy host. In fact, the source address was forged; the recipient accepted the packet because the attacker accurately guessed the right TCP sequence number. This tricked the recipient's protocol stack into believing that the trusted host had sent the packet as part of an opened connection. This was called the IP spoofing attack.

Explain the role of revision control and configuration management in software development

Software development security addresses two particular issues in controlling changes to software: 1. Revision control—tracking the changes made to software source code. 2. Configuration management—tracking changes to the components selected to be in a software product. Revision control often is managed by special software that keeps track of all changes made to the source files that produce the software. When a file is first created, the author stores the initial version in the revision control system. Each revision is subsequently stored, keeping track of which changes were applied in which revision. When it is time to construct a copy of the software, the software builder retrieves the appropriate version of each file from the revision control system. Note that the builder may retrieve either the latest version, or any specifically identified version, of each file.

Compare the behavior of built-in Windows file encryption with using a separate encryption application program

The Windows encryption that comes with the pro versions is a convenience feature that many user's will like. Unfortunately, it does not allow a user to send a file that the receiver can decrypt. Other encryption software applications offer a more robust set of features that allow the user to send and receive encrypted files and have better security overall.

Briefly explain the end-to-end principle.

The failure of network-based reliable transport influenced a central design principle of Internet-oriented networks: the end-to-end principle. The concept embodies the notion of dumb networks by placing most network protocols in the connection's endpoint hosts. The network itself simply transmits packets and possibly loses a few on occasion.

Summarize the steps in a typical change control process.

There are three total steps in a typical change control process: planning, implementation, and deployment. To start, one should establish to end goal of what the system will do for the company along with planning exactly how the system will accomplish the goal and assess the highest risks the system could face and develop security for it. Afterwards, the system should be designed, analyzed, and tested to see if it meets the requirements and can stand against the possible risks identified. To finalize the process, the system tests need to be analyzed to see it fit to deploy. After the system is fully evaluated, then the system is put online.

Summarize the differences between a standard drive controller and a self-encrypting drive controller.

To add encryption to the hard drive, we make no changes to the physical hard drive mechanism. All changes are made to the hard drive controller. Section 5.3.1 described the operation of a typical hard drive controller circuit. A self-encrypting drive shares many of the same features and introduces three features: 1. Algorithms to encrypt and decrypt the stored data, described earlier 2. Mechanisms to manage "locking" and "unlocking" the drive, described in Section 9.5.2 3. Mechanisms to handle the encryption key, described in Section 9.6 Figure 9.20 shows the hardware block diagram of a self-encrypting drive controller. This is a revision of Figure 5.4, which shows the controller for a nonencrypting drive. The connections between the different components pass commands (marked "C"), data (marked "D"), or keys (marked "KEK" or "CEK"). Drive locking and unlocking are often implemented through key wrapping. We use the key encrypting key (KEK) to decrypt the content encryption key (CEK).

Outline the symmetric encryption process and explain the components involved in the process.

To encrypt plaintext, we apply the encryption algorithm to the plaintext using the shared secret key. To decrypt the same plaintext, we apply the corresponding decryption algorithm to the cyphertext using the same shared secret key.

Explain the reused key stream problem.

oviet spies reused one-time pad key streams after World War II, and the US cracked manyof the messages (the Venona Project)If you use the same encryption key for two different messages, then an eavesdropper can eliminate the encryption key (and thus, the encryption) by applying xor to the encrypted messages by themselves. Reused keys have cropped up fairly often, both with one-time pads and with stream ciphers.

Identify and briefly explain two or more attacks on TCP/IP that may route packets to the wrong hosts.

• IP Spoofing Attacks In general, "IP spoofing" refers to any attack that forges the sender's IP address. In an earlier section, we examined a particular spoofing attack that relied on predicting TCP sequence numbers. The attack attempted to send the minimum number of packets necessary to open a connection and provide data; in this case, a series of keyboard commands that enabled the attacker to penetrate the victim host. Because the source address belonged to a trusted host and the sequence numbers looked correct, the victim accepted the data as a legitimate keyboard command from the trusted host. TCP/IP ATTACKS. Even though it is simple to forge the source IP address of a UDP packet, it is much harder to believably forge the source of a TCP packet. In general, attackers shouldn't be able to hijack a connection unless they subvert a router that carries the connection's traffic.