CYSE 101 FINAL STUDY SET


What is risk analysis?

Evaluates risks and controls to help make reasonable decisions.

Haas' Laws of Operations Security: The Third Law

"If you are not protecting it, the dragon wins!"

Haas' Laws of Operations Security: The First Law

"If you don't know the threat, how do you know what to protect?"

Haas' Laws of Operations Security: The Second Law

"If you don't know what to protect, how do you know you are protecting it?"

Application Level Gateways

Also called proxies, application-level gateways combine some attributes of packet-filtering firewalls with those of circuit-level gateways. They filter packets not only by the service for which they are intended (the destination port) but also by application-layer content such as the HTTP request string. They provide considerable data security, but because they must parse each request they can dramatically impact network performance.

Wireless Connectivity Strengths

1). NFC (1-2 inches)
2). Bluetooth (30-300 feet)
3). WiFi (150-300 feet)
4). Cell (miles)

Four provisions of the Federal Privacy Act of 1974?

1). Requires government agencies to show an individual any records kept on him or her.
2). Requires agencies to follow certain principles (fair information practices) when gathering and handling personal data.
3). Places restrictions on how agencies can share an individual's data with other people and agencies.
4). Lets individuals sue the government for violating its provisions.

Six Ways To Decrease Attack Surface

1. Removing unnecessary software
2. Removing or turning off unessential services
3. Making alterations to common accounts (renaming or disabling default accounts, changing default passwords)
4. Applying the principle of least privilege
5. Applying software updates in a timely manner
6. Making use of logging and auditing features

DMZ

A combination of a network design feature (a separate network segment sitting between the outside world and the internal network) and a protective device such as a firewall. Systems that must be reachable from external networks, such as public web or mail servers, are placed in the DMZ so that a compromise of one of them does not give the attacker direct access to the internal network.

Firewall

A firewall is a mechanism for maintaining control over the traffic that flows into and out of our network(s).

Asymmetric Cryptography (Public Key Cryptography)

A form of cryptography that uses two separate but mathematically related keys, a public key and a private key, for encryption and decryption; also called public key cryptography. The main advantage over symmetric key cryptography is that no secret key has to be distributed between sender and receiver: the public key can be shared openly, and the private key never leaves its owner.

Honeypot

A honeypot is a system deliberately configured to display vulnerabilities or material that make it attractive to an attacker, so that we can detect, monitor, and sometimes tamper with the attacker's activities. Its purpose is to draw attackers in and observe them and their tools while they work on a system that holds nothing of real value.

What is a software virus?

A malicious program loaded onto a user's computer without the user's knowledge that performs malicious actions. It can self-replicate by inserting itself into other programs or files, infecting them in the process. Not all computer viruses are destructive, though.

What is an insider threat?

A malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.

Principle of Least Privilege

A security discipline that requires that a particular user, system, or application be given no more privilege than necessary to perform its function or job. Provide the minimum privilege necessary to complete a task.

Regulatory Compliance

A matter that is very specific to the industry in which a given company or organization operates and how it is structured, although it is often more far-reaching than we might imagine. If we look at a bank, for instance, we might assume that it needs to comply with banking-related regulations and stop there: items such as GLBA, FCRA, and audits from the Federal Deposit Insurance Corporation (FDIC). But we would also have to add PCI DSS (Payment Card Industry Data Security Standard), as the bank likely issues cards with a Visa or MasterCard logo; HIPAA, as it holds employee health insurance data; PII in the form of employee data; and any of a number of other areas.

What is multi-factor authentication?

A method of computer access control in which a user is granted access only after successfully presenting two or more independent pieces of evidence (factors) to an authentication mechanism, for example something you know, something you have, and something you are. Requiring more factors decreases the probability of a false positive (an impostor being accepted) at the cost of a somewhat higher probability of a false negative (a legitimate user being rejected).

Discretionary Access Control (DAC)

A model of access control based on access being determined by the owner of the resource in question. The owner of the resource can decide who does and does not have access, and exactly what access they are allowed to have.

Mandatory Access Control (MAC)

A model of access control in which the owner of the resource does not get to decide who gets to access it, but instead access is decided by a group or individual who has the authority to set access on resources.

Role-Based Access Control (RBAC)

A model of access control that, similar to MAC, functions on access controls set by an authority responsible for doing so, rather than by the owner of the resource. The difference between RBAC and MAC is that access control in RBAC is based on the role the individual being granted access is performing. For example, if we have an employee whose only role is to enter data into a particular application, through RBAC we would only allow the employee access to that application, regardless of the sensitivity or lack of sensitivity of any other resource he might potentially access.

Intranet

A network designed for the exclusive use of computer users within an organization, which cannot be accessed by users outside the organization. A local or restricted communications network, especially a private network created using World Wide Web software.

VPN (Virtual Private Network)

A network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.

Post-Incident Activity

A phase we can easily overlook, but should make sure we do not. In the post-incident activity phase, often referred to as a postmortem (Latin for "after death"), we attempt to determine specifically what happened, why it happened, and what we can do to keep it from happening again.

Configuration Management

A process that ensures that the descriptions of a project's products are correct and complete

Why might using the wireless network in a hotel with a corporate laptop be dangerous? A). The network may not be secure B). It may be slow C). It may be expensive

A). The network may not be secure

What is access control?

A security technique that regulates who or what can view or use resources in a computing environment. It enables administrators to manage access at a granular level.

Botnet

A set of computers infected by a control program that lets attackers use them collectively to mount attacks. Used to coordinate DoS attacks, send spam email, and mine for personal information or passwords.

What is a logic bomb?

A set of instructions secretly incorporated into a program so that if a particular condition is satisfied they will be carried out, usually with harmful effects.

What is a rootkit?

A set of software tools that enable an unauthorized user to gain control of a computer system without being detected.

Caesar Cipher

A substitution cipher that shifts each character a fixed number of positions in the alphabet. FROM THE TEXTBOOK: The Caesar cipher involves shifting each letter of the plaintext message by a certain number of letters, historically three. The ciphertext can be decrypted by applying the same number of shifts in the opposite direction. This type of encryption is known as a substitution cipher, because one letter is consistently substituted for another; it is not a transposition cipher, which rearranges the order of the letters without changing them.

What is a zero-day vulnerability?

A vulnerability for which there is no currently existing fix.

Decrypt this message: V qb abg srne pbzchgref. V srne gur ynpx bs gurz. -Vfnnp Nfvzbi. (hint: it's a caesar cipher with a 13-character shift, i.e., ROT-13; if stumped, try http://www.xarg.org/tools/caesar-cipher/). A). "I do not fear computers. I fear the lack of them." -Isaac Asimov B). "Any sufficiently advanced technology is indistinguishable from magic." -Arthur C. Clarke C). "Real knowledge is to know the extent of one's ignorance" -Confucius D). "Never trust a computer you can't throw out a window." -Steve Wozniak

A). "I do not fear computers. I fear the lack of them." -Isaac Asimov
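The shift cipher from the two cards above, as an added example written for this study set (not code from the textbook). It implements the Caesar shift in both directions, ROT-13 as the special case where shift 13 undoes itself, and a brute-force attack over all 25 keys that shows why the cipher is insecure even though its algorithm is public: the keyspace is tiny. The `COMMON_WORDS` list used to pick the most English-looking candidate is an assumption made here for the demonstration.

```python
import string

def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions (mod 26), preserving case;
    non-letters such as spaces and punctuation pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha() and ch.isascii():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def encrypt(plaintext: str, key: int = 3) -> str:
    return caesar_shift(plaintext, key)

def decrypt(ciphertext: str, key: int = 3) -> str:
    # Decryption is the same shift applied in the opposite direction.
    return caesar_shift(ciphertext, -key)

def rot13(text: str) -> str:
    # Shift 13 is its own inverse: applying it twice returns the original text.
    return caesar_shift(text, 13)

def brute_force(ciphertext: str) -> dict:
    """Return every candidate plaintext for the 25 non-trivial keys.
    The whole keyspace fits on one screen: knowing the algorithm is not the
    weakness (Kerckhoffs' principle allows that), the 25-key space is."""
    return {k: decrypt(ciphertext, k) for k in range(1, 26)}

# Assumed scoring dictionary for picking the most English-looking candidate.
COMMON_WORDS = {"the", "of", "and", "to", "i", "a", "in", "is", "not", "it"}

def guess_key(ciphertext: str) -> int:
    """Score each brute-force candidate by how many common English words it contains."""
    strip = str.maketrans("", "", string.punctuation)
    best_key, best_score = 0, -1
    for key, candidate in brute_force(ciphertext).items():
        words = candidate.lower().translate(strip).split()
        score = sum(w in COMMON_WORDS for w in words)
        if score > best_score:
            best_key, best_score = key, score
    return best_key

# Ciphertext from the question above.
QUOTE = "V qb abg srne pbzchgref. V srne gur ynpx bs gurz. -Vfnnp Nfvzbi."

if __name__ == "__main__":
    print(rot13(QUOTE))
    print("recovered key:", guess_key(QUOTE))
```

Running the block prints the Asimov quote and recovers key 13 without being told it, which is the practical lesson: a cipher whose keys can all be tried by hand provides no confidentiality.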

If we are using a 4-character password that contains only lowercase English alphabetic characters (26 different characters), how many more possible passwords are there if we use a 5-character password (still only lowercase English alphabetic characters)? A). 11,424,400 more possibilities B). 26 more possibilities C). Same number of possibilities because still using lowercase English alphabetic characters D). 456,976 more possibilities

A). 11,424,400 more possibilities (26^5 - 26^4 = 11,881,376 - 456,976)

How does an XSRF (cross-site request forgery, also written CSRF) attack work? A). A link or script on one web page is executed in the context of another open web page or web application B). A buffer overflow on one site is executed by a remote user on another site C). A link or script on one web page is executed in the context of that same web page D). A user's credentials compromised in one attack are used to log in to another target

A). A link or script on one web page is executed in the context of another open web page or web application
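An added example (not from the study set or any textbook) of why answer A works and how it is stopped. The browser attaches the victim's session cookie to any request aimed at the bank, including one triggered from an attacker's page, so the cookie alone cannot tell the server which page made the request. A synchronizer token that only the bank's own page can embed, compared in constant time, breaks the attack. The in-memory `SESSIONS` store and the shape of the `request` dict are assumptions standing in for a real web framework.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for a web framework's.
SESSIONS = {}

def create_session(user: str) -> str:
    """Log a user in. Returns the session id the browser will keep in a cookie;
    a per-session CSRF token is minted at the same time."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def transfer_form_token(sid: str) -> str:
    """The bank's own transfer page embeds this token in a hidden form field.
    A page served from another origin cannot read the bank's HTML, so it
    cannot obtain the token."""
    return SESSIONS[sid]["csrf"]

def handle_transfer(request: dict) -> tuple:
    """Server side of POST /transfer. `request` is a plain dict with 'cookies'
    and 'form' sub-dicts (assumed shape). Returns (status, message)."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return (401, "not logged in")
    # The cookie only proves that *some* page in this browser sent the request;
    # the token proves it was the bank's own form. compare_digest avoids a
    # timing side channel on the comparison.
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return (403, "csrf token missing or wrong")
    return (200, f"{sess['user']} sent {request['form']['amount']} to {request['form']['to']}")

def forged_request(sid: str) -> dict:
    """What the victim's browser sends when an attacker's page auto-submits a
    form posted at the bank (constructed): the cookie rides along, the token
    does not, because the attacker never learned it."""
    return {"cookies": {"session": sid},
            "form": {"to": "mallory", "amount": "100"}}

def legitimate_request(sid: str) -> dict:
    """Same request as issued from the bank's real page, token included."""
    return {"cookies": {"session": sid},
            "form": {"to": "bob", "amount": "25", "csrf_token": transfer_form_token(sid)}}

if __name__ == "__main__":
    sid = create_session("alice")
    print(handle_transfer(forged_request(sid)))      # (403, ...)
    print(handle_transfer(legitimate_request(sid)))  # (200, ...)
```

In a real deployment the token check is complemented by the `SameSite` cookie attribute and by verifying the `Origin` header, but neither replaces the token on state-changing requests.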

What is the difference between a stateful packet filtering firewall and a basic packet filtering firewall? A). A stateful packet filtering firewall tracks sessions between systems B). A basic packet filtering firewall inspects all bytes in every packet C). A stateful packet filtering firewall does not track sessions between systems D). A basic packet filtering firewall tracks sessions between systems

A). A stateful packet filtering firewall tracks sessions between systems

What is the primary purpose of a network firewall? A). Control the traffic allowed in and out of a network B). Encrypt network traffic C). Allow connections to any internal system IP address D). Allow connections to any internal system port number

A). Control the traffic allowed in and out of a network

Did the formal OPSEC methodology emerge from the government/military or commercial/industrial sectors? A). Government/military B). Commercial/industry

A). Government/military

Why might we want a (software) firewall (FW) on our host if one already exists on the network? A). Host FWs know more about the local system B). Host FWs see more network-wide traffic than network FWs C). Host FWs provide no advantage over network FWs D). Host FWs know less about the local system

A). Host FWs know more about the local system

How can we prevent buffer overflows in our applications? A). Implement proper bounds checking B). Use strong passwords C). Only run programs on Linux D). Add network capacity

A). Implement proper bounds checking

What is the key point of Kerckhoffs second principle (i.e., the one principle most applicable to modern cryptographic algorithms)? A). It is OK if the enemy knows the cryptographic system B). Energy is conserved C). It is not OK if the enemy knows the cryptographic system D). It is OK if the enemy knows the cryptographic key

A). It is OK if the enemy knows the cryptographic system

Why might we want to use information classification? A). It makes the task of identifying our critical information considerably easier B). It creates extra paperwork and bureaucracy C). It makes the task of identifying our critical information considerably harder D). It helps confuse the adversary

A). It makes the task of identifying our critical information considerably easier

Why might extradition be a delicate issue when prosecuting computer crimes? A). Lack of a consistent set of laws regarding extradition B). Currency exchange rates C). Lack of a common world-wide operating system D). A consistent set of laws regarding computer crime means you can prosecute anywhere

A). Lack of a consistent set of laws regarding extradition

Would weak physical security make cryptographic security of data more or less important? A). MORE B). LESS C). NEITHER

A). MORE

Which category of physical control listed would not include a lock? A). Mimicry B). Deterrent C). Detective D). Preventive

A). Mimicry

How do we know at what point we can consider our environment to be secure? A). Never; perfect security does not exist B). When we follow industry best practices C). When we spend 10% of our organization's annual budget D). If we make it 10 years without a reported incident

A). Never; perfect security does not exist

When we have cycled through the entire operations security process, are we finished? A). No, we continue to iterate through the steps B). Yes, after one cycle we are done

A). No, we continue to iterate through the steps

How does a spear phishing attack differ from a general phishing attack? A). Number of targets and custom messages B). Size of the message C). Whether message has embedded JavaScript or not D). Whether message has malware attached or not

A). Number of targets and custom messages

Which of the following would not be part of a solution in the Polycom case study? A). Off site backups B). Code review C). Firewall rules D). Traffic encryption

A). Off site backups

What is the difference between vulnerability assessment and penetration testing? A). Penetration testing is more in depth than vulnerability assessment B). Penetration testing is automated and vulnerability assessment is manual C). They mean the same thing D). Vulnerability assessment is more in depth than penetration testing

A). Penetration testing is more in depth than vulnerability assessment

What is the difference between a port scanner and a vulnerability assessment tool? A). Port scanners discover listening ports; vulnerability assessment tools report known vulnerabilities on listening ports B). Port scanners discover listening ports; vulnerability assessment tools report known vulnerabilities on listening ports C). Vulnerability assessment tools close listening ports; port scanners open listening ports D). Vulnerability assessment tools discover listening ports; port scanners report known vulnerabilities on listening ports

A). Port scanners discover listening ports; vulnerability assessment tools report known vulnerabilities on listening ports

What does executable space protection do for us, and how? A). Prevents virus attacks from working by detecting specific byte strings in the code B). Prevents buffer overflow attacks from working by allowing code execution on the memory stack C). Prevents virus attacks from working by preventing an application from running D). Prevents buffer overflow attacks from working by blocking code execution on the memory stack

A). Prevents buffer overflow attacks from working by blocking code execution on the memory stack

Which of the following is not something we can do to more effectively reach users in our security awareness and training efforts? A). Randomly fire employees regardless of their actions B). Offer repeated and varied avenues for communication C). Posters D). Make the training more interesting and produce positive results E). Gamification

A). Randomly fire employees regardless of their actions

According to the text, which of the following is not a security professional's obligation relating to information protection and unauthorized disclosure? A). Release test data to see where it shows up B). Be able to catalog and categorize what information was taken if there is a leak C). Prevent information from unauthorized release

A). Release test data to see where it shows up

What is a key difference between signature and anomaly detection in IDSs? A). Signature detection uses fingerprints or distinct patterns of attacks to detect intrusions; anomaly detection uses deviation from baseline activity to detect intrusions B). Signature detection uses software behaviors to detect intrusions; anomaly detection uses deviation from baseline activity to detect intrusions C). Anomaly detection uses fingerprints or distinct patterns of attacks to detect intrusions; signature detection uses deviation from baseline activity to detect intrusions D). Anomaly detection uses code genealogy (derived code) to detect intrusions; signature detection uses fingerprints or distinct patterns of attacks to detect intrusions

A). Signature detection uses fingerprints or distinct patterns of attacks to detect intrusions; anomaly detection uses deviation from baseline activity to detect intrusions
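An added example, written for this study set rather than taken from it, that runs both detection styles over a handful of constructed web-server log lines. Two requests from one address carry known attack fingerprints (a SQL injection string and a path traversal) at low volume, and a second address makes forty requests in one minute with nothing recognisable in them. The signatures catch the first and miss the second; the baseline comparison does the reverse. The log format, the addresses, and the `factor=5` threshold are all assumptions made here.

```python
import re
from collections import Counter

# Constructed sample log lines (timestamp src_ip method path status); not from the page.
BASELINE_LINES = [
    "2024-01-01T09:00:01 10.0.0.5 GET /index.html 200",
    "2024-01-01T09:00:02 10.0.0.5 GET /about.html 200",
    "2024-01-01T09:00:03 10.0.0.7 GET /login 200",
    "2024-01-01T09:00:04 10.0.0.7 POST /login 302",
    "2024-01-01T09:00:05 10.0.0.9 GET /index.html 200",
    "2024-01-01T09:01:10 10.0.0.5 GET /news.html 200",
]

LIVE_LINES = BASELINE_LINES[:] + [
    # Known attack patterns at low volume: only a signature will see these.
    "2024-01-01T10:01:00 203.0.113.4 GET /login?user=admin'%20OR%201=1-- 500",
    "2024-01-01T10:01:01 203.0.113.4 GET /../../etc/passwd 404",
] + [
    # Unknown scanner hammering made-up paths: no fingerprint, but the rate is abnormal.
    f"2024-01-01T10:02:{i:02d} 198.51.100.8 GET /p{i} 404" for i in range(40)
]

# Assumed fingerprints; a real IDS ships thousands of these.
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)(%27|')(%20|\s)*or(%20|\s)*1=1"),
    "path-traversal": re.compile(r"\.\./"),
}

def parse(line: str) -> dict:
    ts, src, method, path, status = line.split()
    return {"ts": ts, "src": src, "method": method, "path": path, "status": int(status)}

def signature_detect(lines) -> list:
    """Signature detection: match each request path against known attack patterns.
    Returns (source, signature name) pairs."""
    hits = []
    for rec in map(parse, lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                hits.append((rec["src"], name))
    return hits

def requests_per_minute(lines) -> Counter:
    # Key on (source, minute); "2024-01-01T10:02:07"[:16] is the minute bucket.
    return Counter((rec["src"], rec["ts"][:16]) for rec in map(parse, lines))

def anomaly_detect(lines, baseline_lines, factor: int = 5) -> list:
    """Anomaly detection: flag any source whose requests in a single minute exceed
    `factor` times the busiest (source, minute) cell seen in the baseline period."""
    baseline_max = max(requests_per_minute(baseline_lines).values(), default=1)
    threshold = factor * baseline_max
    flagged = {src for (src, _minute), n in requests_per_minute(lines).items() if n > threshold}
    return sorted(flagged)

if __name__ == "__main__":
    print(signature_detect(LIVE_LINES))
    print(anomaly_detect(LIVE_LINES, BASELINE_LINES))
```

The two techniques are complementary rather than competing: the signature engine is precise but blind to anything it has no pattern for, and the baseline engine notices novel behaviour but says nothing about what it is, so production systems run both.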

Why is it important to identify our critical information? A). So we can focus on protecting those assets first B). It's impossible to distinguish between critical information and the rest C). It's not possible D). All information your organization has is equally important

A). So we can focus on protecting those assets first

Why might we want to use RAID? A). To ensure that we do not lose data from hardware failures in individual disks B). To protect against theft of the computer housing RAID disks C). To encrypt data D). To destroy data

A). To ensure that we do not lose data from hardware failures in individual disks

Why is input validation important from a security perspective? A). To prevent certain types of attacks B). To ensure bank balances are correct C). To authenticate users D). To catch brute force attacks

A). To prevent certain types of attacks

Which of the following is an example of a race condition? A). Two bank transactions (withdrawals) run concurrently and the balances are not properly accumulated (recorded) B). A malicious user leaves a Trojan horse program for a later user to execute C). Two bank transactions (withdrawals) run sequentially and the balances are not properly accumulated (recorded) D). An attacker sends high volumes of network traffic to overwhelm a target

A). Two bank transactions (withdrawals) run concurrently and the balances are not properly accumulated (recorded)
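An added example, not part of the original card, that reproduces answer A in code. Two threads each try to withdraw 80 from an account holding 100. In the racy version both threads pass the balance check before either has subtracted, so both succeed and the balance goes negative; holding a lock across the check and the update makes the second withdrawal fail as it should. The `time.sleep` inside the critical window stands in for the database round-trip that makes such races practical, and the amounts are constructed.

```python
import threading
import time

class Account:
    """Toy bank account whose withdrawals have a check-then-act window."""
    def __init__(self, balance: int):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_racy(self, amount: int) -> bool:
        if self.balance >= amount:        # 1. check
            time.sleep(0.02)              # simulated I/O: the other thread runs here
            self.balance -= amount        # 2. act, on a check that is now stale
            return True
        return False

    def withdraw_safe(self, amount: int) -> bool:
        with self.lock:                   # check and act are now one atomic step
            if self.balance >= amount:
                time.sleep(0.02)
                self.balance -= amount
                return True
            return False

def run_concurrent(method_name: str, balance: int = 100, amount: int = 80, workers: int = 2) -> tuple:
    """Start `workers` threads that each withdraw `amount` from one account.
    Returns (final balance, number of withdrawals that succeeded)."""
    acct = Account(balance)
    results = []

    def worker():
        results.append(getattr(acct, method_name)(amount))

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(results)

if __name__ == "__main__":
    print("racy:", run_concurrent("withdraw_racy"))   # both pass the check: balance -60
    print("safe:", run_concurrent("withdraw_safe"))   # second withdrawal refused: balance 20
```

The same pattern appears wherever a decision is made on data that can change before it is used (file existence checks before opening, quota checks before allocation); the fix is always to make the check and the action a single atomic operation.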

Which of the following is probably not a useful item to audit for cyber security purposes? A). Typing speed and accuracy B). Passwords C). Physical security D). Software licenses

A). Typing speed and accuracy

What is the "principle of least privilege"? A). Users are only provided the level of access needed for the task B). Don't grant any users administrator or root level system access C). Provide additional logging for administrator or root level actions D). Penalize users who perform administrator or root level actions

A). Users are only provided the level of access needed for the task

What is pretexting? A). Using a fake identity and creating a believable scenario for malicious purposes B). Texting a remote site before connecting to it over a network C). Send text message before sunrise D). Inserting hidden text before the start of a message

A). Using a fake identity and creating a believable scenario for malicious purposes

What is the difference between verification and authentication of an identity? A). Verification is weaker confirmation of identity than authentication B). Authentication always includes a biometric mechanism C). Authentication is a weaker confirmation of identity than verification D). Nothing. They mean the same thing

A). Verification is weaker confirmation of identity than authentication

Which of the following is NOT true? A). Voice authentication requires speech to text capability B). Facial recognition may be used for authentication C). The human iris is unique to an individual D). Fingerprints have features such bifurcations, islands and crossovers

A). Voice authentication requires speech to text capability

In the operations security process, what is the difference between a vulnerability and a threat? A). Vulnerabilities are weaknesses, threats are actors B). Threats only affect the operating system C). Threats are weaknesses, vulnerabilities are actors D). Vulnerabilities only exist in software

A). Vulnerabilities are weaknesses, threats are actors

Why are humans considered to be the weak link? A). Technical solutions are not effective B). User actions can bypass all of our other security measures C). Good cryptography is not in place D). We have no other security measures in place

B). User actions can bypass all of our other security measures

Cryptanalysis

The practice and study of finding and exploiting weaknesses in cryptographic techniques; the science of breaking the encryption used to create ciphertext so as to recover its meaning without the key.

Accountability

Accountability, achieved through monitoring and logging on systems and networks, gives us the ability to maintain a higher security posture. It also gives us the tools to achieve non-repudiation, helps us deter those who would misuse our resources, lets us detect and prevent intrusions, and assists us in preparing materials for legal proceedings. It gives users an incentive to follow proper guidelines.

Physical Access Control Systems (PACS)

Allows authorized security personnel to simultaneously manage and monitor multiple entry points from a single, centralized location. Access control for individuals often revolves around controlling movement into and out of buildings or facilities. We can see simple examples of such controls on the buildings of many organizations in the form of badges that moderate opening doors into or within the facility. Such badges are typically configured on an ACL that permits or denies their use for certain doors and regulates the time of day that they can be used.

What is NAT?

Allows the private IP addresses defined in RFC 1918 to be used in a private network while still being able to communicate with the Internet.

Buffer Overflows

Also referred to as buffer overruns, these occur when we do not properly account for the size of the data input into our applications. If we are taking data into an application, most programming languages require that we specify the amount of data we expect to receive and set aside storage for it. If we do not check that the input fits in that storage, a practice called bounds checking, we may receive 1000 characters of input where we had only allocated storage for 50 characters, and the excess overwrites whatever sits next to the buffer in memory.

What is a countermeasure?

An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

Federated Identity Management

An arrangement made among multiple enterprises that lets subscribers use the same identification data to obtain access to the networks of all enterprises in the group. It is the means of linking a person's electronic identity and attributes stored across multiple distinct identity management systems. It is related to single sign-on (SSO), in which a user's single authentication ticket, or token, is trusted across multiple IT systems or organizations; SSO is the authentication subset of federated identity management.

What is a threat agent?

An individual or group that acts, or has the power to act, to exploit a vulnerability or conduct other damaging activities.

SQL (Structured Query Language)

An international standard language for querying and manipulating databases. In the case of databases connected to Web applications, entering specially crafted data into the Web forms that interact with them can sometimes produce results not anticipated by the application developers (SQL injection).
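The "specially crafted data" from the card above, shown concretely in an added example that is not from the study set. A login check built by string concatenation lets the input `alice' --` close the quoted value and comment out the password test; the same input bound as a query parameter matches nothing. An allow-list validator is included as the second layer the input-validation card describes. The in-memory `users` table, its rows, and the username pattern are constructed for the demonstration, and passwords are stored in clear text only to keep the example short; real systems store password hashes.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample database: an in-memory users table (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn

def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the statement by concatenation, so form input becomes SQL syntax."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()

def login_safe(conn, username: str, password: str) -> list:
    """Parameterised query: the driver binds input as data, never as part of the statement."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

# Assumed allow-list for usernames. Validation is defence in depth, not a
# substitute for parameterisation: it rejects junk early and shrinks the
# attack surface, but the query must be safe on its own.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None

if __name__ == "__main__":
    db = make_db()
    crafted = "alice' --"      # closes the quote; "--" comments out the password check
    print(login_vulnerable(db, crafted, "wrong"))   # logs in as alice without the password
    print(login_safe(db, crafted, "wrong"))         # no such user
    print(valid_username(crafted))                  # rejected before reaching the database
```

The classic `' OR '1'='1` payload works the same way against the concatenated query and returns every row; against the parameterised query it is just a very odd username.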

Are nmap results always accurate, or is it sometimes necessary to verify nmap output with another tool? A). You do not need to verify nmap results with another tool or data source B). You should verify nmap results with another tool or data source

B). You should verify nmap results with another tool or data source

What is the primary purpose of a Network Intrusion Detection System? A). encrypt network traffic B). detect possible attack traffic C). block malicious network traffic D). attack (hack back) against the source of malicious traffic

B). detect possible attack traffic

Which of the following is NOT a protocol for wireless encryption? A). WPA B). kismet C). WEP D). WPA2

B). kismet

What tool mentioned in the text might we use to scan for devices on a network, to include fingerprinting the operating system and detecting versions of services on open ports? A). honeypots B). nmap C). wireshark D). WPA2

B). nmap

Which of the following is the weakest password? A). R*u&3mI66& B). qocneycvmw C). L988Jinalkdyih D). YiJ7^^2kM^))134

B). qocneycvmw

Which of the following is not a reason to use a honeypot? A). alert us to an attacker's presence B). release classified or PII data C). detect, monitor, and sometimes tamper with the activities of an attacker D). attract the attention of attackers in order to study them and their tools

B). release classified or PII data

Stateful Inspection Firewalls

Examines each packet, and also keeps track of whether or not that packet is part of an established TCP session. This offers more security than either packet filtering or circuit monitoring alone, but exacts a greater toll on network performance.
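An added example, written for this study set and not taken from any product, that makes the difference between this card and the basic packet filter in the earlier question concrete. A stateless filter that wants to let web replies back in has to allow any inbound packet whose source port is 80 or 443, and an attacker can simply set that field. The stateful filter records each outbound SYN and admits inbound packets only when they match a connection an inside host opened. The `10.0.0.0/24` inside network, the addresses, and the three-packet scenario are constructed; TCP flags are represented as letters.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK, "R" RST

INTERNAL_PREFIX = "10.0.0."     # assumed inside network

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

class BasicPacketFilter:
    """Stateless: judges each packet on its own header fields. To let replies
    come back it must allow any inbound packet whose *source* port is an allowed
    service port, and nothing stops an attacker from choosing that port."""
    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)

    def decide(self, p: Packet) -> str:
        if is_internal(p.src) and p.dport in self.allowed:
            return "ALLOW"
        if is_internal(p.dst) and p.sport in self.allowed:
            return "ALLOW"      # looks like a reply, but nothing proves it is one
        return "DROP"

class StatefulPacketFilter:
    """Tracks sessions: an inbound packet is allowed only when it belongs to a
    connection that an inside host opened with a SYN."""
    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, p: Packet) -> str:
        if is_internal(p.src):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S" and p.dport in self.allowed:
                self.sessions.add(key)          # new outbound connection
                return "ALLOW"
            if key in self.sessions:
                if "R" in p.flags:
                    self.sessions.discard(key)  # connection torn down
                return "ALLOW"
            return "DROP"
        key = (p.dst, p.dport, p.src, p.sport)  # reverse the tuple for inbound traffic
        return "ALLOW" if key in self.sessions else "DROP"

def scenario(fw) -> list:
    """Three constructed packets: an outbound HTTPS SYN, the genuine SYN/ACK reply,
    and an unsolicited inbound SYN to SMB (445) that spoofs source port 443."""
    packets = [
        Packet("10.0.0.5", 40000, "93.184.216.34", 443, "S"),
        Packet("93.184.216.34", 443, "10.0.0.5", 40000, "SA"),
        Packet("198.51.100.9", 443, "10.0.0.5", 445, "S"),
    ]
    return [fw.decide(p) for p in packets]

if __name__ == "__main__":
    print("basic:   ", scenario(BasicPacketFilter([80, 443])))
    print("stateful:", scenario(StatefulPacketFilter([80, 443])))
```

The cost the card mentions is visible in the code: the stateful filter must keep a table entry per connection and consult it on every packet, which is memory and lookup work the stateless filter never does.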

What is a Trojan horse?

Malware that is disguised as a useful utility, but is embedded with a malicious code to infect computer systems.

What is cryptography?

Transformation of meaningful data into something else and vice versa. The science of keeping information secure. Commonly referred to as encryption.

From a security perspective, why might we not want to allow personal equipment to be attached to the network of our organization? A). Lost work hours B). Malware and intellectual property issues C). Inequity among employees D). Electricity cost

B). Malware and intellectual property issues

What does the European Union's (EU) Data Protection Directive (Directive 95/46/EC) deal with? A). AES B). PII C). XKCD D). RSA E). PGP

B). PII

Name the three major priorities for physical security, in order of importance. (Most important --> least important) A). Equipment, data, people B). People, data, equipment C). Data, people, equipment D). People, equipment, data

B). People, data, equipment

What biometric factor describes how well a characteristic resists change over time? A). Universality B). Permanence C). Uniqueness D). Circumvention

B). Permanence

What is the foremost concern as related to physical security? A). Protect profits B). Protect people C). Protect equipment D). Protect data

B). Protect people

What is the purpose of a network DMZ? A). Encrypt the traffic to and from sensitive systems B). Provide external access to systems that need to be exposed to external networks such as the Internet in order to function C). Encrypt the hard drives of sensitive systems D). Isolate systems so that they cannot be reached from external networks such as the Internet

B). Provide external access to systems that need to be exposed to external networks such as the Internet in order to function

What does a fuzzing tool do? A). Decrypts strongly encrypted content B). Provide multiple data and inputs to discover vulnerabilities C). Decrypts poorly encrypted content D). Guesses a password to gain system access

B). Provide multiple data and inputs to discover vulnerabilities

Which of the following is not an example of how a living organism (e.g., insects or small animals) might constitute a threat to our equipment? A). Interfere with cooling fans B). Steal passwords C). Cause electrical shorts D). Chew on wiring

B). Steal passwords

What does nonrepudiation mean? A). Failed logins are recorded in a log B). Sufficient evidence exists such that a user cannot deny an action C). Crashed processes are automatically restarted D). Insufficient evidence exists to prove that a user took an action

B). Sufficient evidence exists such that a user cannot deny an action

What is a cyber attack surface? A). The number of vulnerabilities in the network area of security B). The total of the number of available avenues through which our system might be attacked C). The number of vulnerabilities in the human area of security D). The size of the facility housing our critical systems

B). The total of the number of available avenues through which our system might be attacked

Why is it important from a security perspective to remove extraneous files from a Web server? A). They may be misunderstood by legitimate users or customers B). They may provide information or vulnerabilities useful to an attacker C). They take up memory D). They take up disk space

B). They may provide information or vulnerabilities useful to an attacker

When dealing with legal or regulatory issues, why do we need accountability? A). To prevent malware infections B). To ensure compliance C). To support authorization D). To allow software piracy

B). To ensure compliance

What is malware?

Any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of malware types exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper and scareware.

Exploit Frameworks

Applications designed to speed up the attack process and automate many activities. Such tools can be used by individuals without much technical skill.

Multilevel Access Control

Used where the simpler access control models (DAC, MAC, and RBAC) are considered not robust enough to protect the information to which we are controlling access. Such access controls are used extensively by military and government organizations, or by those that often handle data of a very sensitive nature. We might see multilevel security models used to protect a variety of data, from nuclear secrets to protected health information (PHI).

ECC is classified as which type of cryptographic algorithm?

Asymmetric

What is a zero-day attack?

An attack that exploits a vulnerability for which no fix yet exists, typically one the vendor is not yet aware of or has not yet had time to patch.

Which type of access control would be used in the case where we wish to prevent users from logging in to their accounts after business hours?

Attribute Based Access Control

Which should take place first, authorization or authentication?

Authentication

Authentication

Authentication is the step after identification: it determines whether the claim of identity is true. Because access control is typically based on the identity of the user who requests access to a resource, authentication is essential to effective security.

What is the role of authorization in access control?

Authorization is the step after authentication. It specifies what the authenticated party should be allowed or denied access to.

In the fake finger video from class, what was the printed circuit board used for? A). To capture a fingerprint from a camera application B). To etch the fingerprint C). To build a circuit to bypass the phone's authentication program D). To write code that simulated the fingerprint

B). To etch the fingerprint

What is competitive counterintelligence? A). Actions to spy on your competition B). Actions to defeat competitive intelligence activities C). Actions your competition uses to spy on you

B). Actions to defeat competitive intelligence activities

What is the difference between authentication and accountability? A). Accountability describes what you can do, and authentication records what you did B). Authentication proves who you are, and accountability records what you did C). Accountability proves who you are, and authentication records what you did D). Authentication describes what you can do, and accountability records what you did

B). Authentication proves who you are, and accountability records what you did

Name the two main categories of Web security. A). Buffer overflows and SQL injection B). Client-side attacks and server-side attacks C). Denial of Service (DoS) and Distributed Denial of Service (DDoS) D). Race conditions and input validation

B). Client-side attacks and server-side attacks

Which of the following is NOT a physical control that constitutes a deterrent? A). Signs in public places that indicate that video monitoring is in place B). Encryption C). Dogs D). Fences E). Regulations F). Policies G). Yard signs with alarm company logos that we might find in residential areas H). Guards I). Locks J). Well-lit areas

B). Encryption

Which of the following is not true about logging user and program actions on a computer? A). Log files may be deleted after the fact B). Every action on a system is recorded in the kernel log C). Log data may be changed after the fact D). Logging may act as a deterrent to user activity

B). Every action on a system is recorded in the kernel log

What is the third law of operations security? A). If you are not protecting it (the information), . . . DON'T WORRY, SOMEONE ELSE WILL! B). If you are not protecting it (the information), . . . THE DRAGON WINS! C). If you are not protecting it (the information), . . . POLISH YOUR RESUME! D). If you are not protecting it (the information), . . . YOU ARE OK!

B). If you are not protecting it (the information), . . . THE DRAGON WINS! No clue what this means. I found it somewhere.

What impact can good accountability mechanisms have on the admissibility of evidence in court cases? A). Enables encryption of the evidence B). Maintain chain of custody C). There is no impact D). Prevents nonrepudiation

B). Maintain chain of custody

What does applying a vendor OS update (patch) usually do? A). Creates vulnerabilities in the OS code B). Exploits a vulnerability in the OS code C). Fixes vulnerabilities in the OS code D). Detects a vulnerability in the OS code

C). Fixes vulnerabilities in the OS code

How does the principle of least permissions relate to authorization?

Both serve a similar purpose: least privilege is the concept that a user (or process) is granted only the minimal privileges needed to do his or her job, and authorization is where those limits are actually enforced by allowing or denying access to each resource.

Why is it important to consider utilities?

Because loss of a utility such as electrical power can take systems down and cause loss of data; backup power (UPS or generators) can provide temporary power when an outage occurs, preventing that loss.

What is the difference between a block and a stream cipher?

Block ciphers operate on a predetermined number of bits (a block) at a time; stream ciphers operate on a single bit (or byte) at a time.

COMPLETE THE SENTENCE: Vertical cylinders that can be used to prevent vehicle access are called ________.

Bollards

When two unencrypted passwords are the same how could they be different when encrypted?

By adding a salt to the password

COMPLETE THE SENTENCE: An electrical fire in a data center needs a Class ________ fire extinguisher.

C

What does California's SB 1386 deal with? A). Handling unauthorized exposure of data relating to all US residents B). How US federal agencies can share an individual s data with other people and agencies C). Handling unauthorized exposure of data relating to California residents D). Requirements to show an individual any records kept on him or her

C). Handling unauthorized exposure of data relating to California residents

Which of the following is not a reason why clicking on a shortened URL from a service such as bit.ly be dangerous? A). The user doesn't know the real URL B). The real URL might be malicious C). It is easier than typing the long URL

C). It is easier than typing the long URL

Explain how Triple DES (3DES) differs from DES. A). 3DES encrypts each block 3 times using DES and the same key B). 3DES encrypts 3-character blocks instead of 1-character blocks C). 3DES encrypts each block 3 times using DES and a different key D). 3DES encrypts each block 3 times using DES and a default key of all zeros

C). 3DES encrypts each block 3 times using DES and a different key

Which of the following about vulnerabilities and threats is NOT true? A). Vulnerability is a weakness that may be exploited by a threat B). Vulnerabilities and threats combine to create risk C). A vulnerability or a threat, but not both, are required to create risk D). Threat is an actor that may exploit a vulnerability

C). A vulnerability or a threat, but not both, are required to create risk

Which of the following is true regarding the history of cybersecurity as presented in class and the associated document? A). None of the attack perpetrators were caught or identified B). No actual data was exposed nor harm done in any of the events C). Advances (firewalls, intrusion detection, encryption algorithms, etc.) often followed attacks or apparent weaknesses D). All of the events were perpetrated by non-US governments against the US government

C). Advances (firewalls, intrusion detection, encryption algorithms, etc.) often followed attacks or apparent weaknesses

COMPLETE THE SENTENCE: Finding installed but unlicensed software on systems is primarily a function of... A). Authentication B). Authorization C). Auditing D). Nonrepudiation

C). Auditing

Which of the following is not true about complex and automatically generated passwords that are unique to each system and are a minimum of 30 characters in length, such as !Hs4(j0qO$&zn1%2SK38cn^!Ks620! ? A). They may cause users to write the password down B). For most users, they are difficult to remember C). Brute force password crackers will break them as quickly as a 4-digit PIN D). For most users, they make system access less convenient than user-chosen passwords

C). Brute force password crackers will break them as quickly as a 4-digit PIN

Which of the following is not part of operating system hardening? A). Making alterations to common accounts B). Applying software updates in a timely manner C). Changing the main network firewall rule set D). Applying the principle of least privilege E). Making use of logging and auditing functions F). Removing or turning off unessential services G). Removing unnecessary software

C). Changing the main network firewall rule set

In a data breach (such as the OPM case) which security characteristic of data has been violated? A). Availability B). Integrity C). Confidentiality D). Authenticity

C). Confidentiality

What does the Brewer and Nash model protect against? A). Phishing B). Network traffic sniffing C). Conflict of interest D). Brute force password guessing

C). Conflict of interest

Does an SQL injection attack compromise content in the database or content in the Web application? A). Web application B). Neither C). Database D). Both

C). Database

COMPLETE THE SENTENCE: Exploit frameworks make it... A). Harder to recognize possible attacks on the network B). Harder for amateurs to launch cyber attacks C). Easier for amateurs to launch cyber attacks

C). Easier for amateurs to launch cyber attacks

Which of the following is not a types or categories of control we use for physical security? A). Detective measures B). Deterrent measures C). Evidence measures D). Preventive measures

C). Evidence measures

Why does access control based on the Media Access Control (MAC) address of the systems on our network not represent strong security? A). MAC addresses are not associated with specific hardware B). The MAC address is the same as the IP address C). MAC addresses can be easily spoofed or changed D). MAC addresses are commonly shared among multiple systems

C). MAC addresses can be easily spoofed or changed

What do we call the process in which the client authenticates to the server and the server authenticates to the client? A). Single Sign On B). Biometric authentication C). Mutual Authentication D). Verification

C). Mutual Authentication

Which of the following is not a reason that accountability is important for security? A). Acts as a deterrent B). Assists with preparing C). Prevents weak passwords D). Enables nonrepudiation

C). Prevents weak passwords

What does the concept of defense in depth mean? A). Hide your data and systems deep underground B). Encrypt your data multiple times C). Protect your data and systems with tools and techniques from different layers D). Use every available tool at a particular layer to protect you data and systems

C). Protect your data and systems with tools and techniques from different layers

The term operations security and the acronym OPSEC were coined by what Vietnam War-era study? A). Red Dragon B). Operation Barbarossa C). Purple Dragon D). The Tet Offensive

C). Purple Dragon

What is residual data and why is it a concern when protecting the security of our data? A). Residual data is data that is encrypted after it has been used, thus alleviating any concerns B). Residual data is data stolen from a breached database; the data may later be made public C). Residual data is data that remains after it has been used; not erasing or destroying it may be exposing data that we would not normally want made public D). Residual data is data that is destroyed after it has been used, thus alleviating any concerns

C). Residual data is data that remains after it has been used; not erasing or destroying it may be exposing data that we would not normally want made public

At a high level, what does the Federal Privacy Act of 1974 do? A). Provides for the electronic surveillance of US citizens without a warrant B). Proposes security standards as a condition of processing credit card transactions C). Safeguards privacy through creating four rights in personal data D). Provides algorithms for the strong encryption of data

C). Safeguards privacy through creating four rights in personal data

A physical key (like for a door lock) would be described as which type of authentication factor? A). Something you bought B). Something you made C). Something you have D). Something you stole

C). Something you have

When considering possible risk mitigation actions, which relationship between risk reduction and cost of the action would cause us to recommend the action? A). The relationship between reduction in risk and cost of the action is not relevant B). The reduction in risk is less than the cost of the action C). The reduction in risk is greater than the cost of the action

C). The reduction in risk is greater than the cost of the action

CIA vs Parkerian Hexad

CIA Triad. Advantages: the model is focused on security concepts in terms of data. Disadvantages: the model is very restrictive when used to evaluate every situation.
Parkerian Hexad. Advantages: the model is more extensive than the CIA triad and describes the nature of an attack or issue in more detail. Disadvantages: the Parkerian hexad is less well known than the CIA triad, and it defines integrity differently.

Can you give examples of physical devices used in access control?

Cameras, locks on doors.

Multi-layer Inspection Firewalls

Combine packet filtering with circuit monitoring, while still enabling direct connections between the local and remote hosts, which are transparent to the network. They accomplish this by relying on algorithms to recognize which service is being requested, rather than by simply providing a proxy for each protected service.

If we are using an identity card such as a driver's license as the basis for our authentication scheme, which of the following additions would NOT represent multi-factor authentication? A). A fingerprint B). A PIN (personal identification number) C). A voice print D). A birth certificate

D). A birth certificate

Which of the following would not be a type of physical access control might we put in place in order to block access to a vehicle? A). Fences B). Concrete barriers C). Security landscaping D). Cameras

D). Cameras

Which of the following is not a types or categories of control we use for physical security? A). Detective measures B). Deterrent measures C). Preventive measures D). Evidence measures

D). Evidence measures

What do we call the rate at which we fail to authenticate legitimate users in a biometric system? A). True Acceptance Rate (TAR) B). False Acceptance Rate (FAR) C). True Rejection Rate (TRR) D). False Rejection Rate (FRR)

D). False Rejection Rate (FRR)

Which of the following is NOT a reason why an identity card alone might not make an ideal method of authentication? A). May be spoofed B). May be duplicated C). Subject to change D). Issued by the government

D). Issued by the government

Which of the following is NOT a provision of the Federal Privacy Act of 1974? A). It requires agencies to follow certain principles, called fair information practices, when gathering and handling personal data B). It places restrictions on how agencies can share an individual s data with other people and agencies C). It requires government agencies to show an individual any records kept on him or her D). It provides individuals the "right to be removed from the Internet" E). It lets individuals sue the government for violating its provisions

D). It provides individuals the "right to be removed from the Internet"

COMPLETE THE SENTENCE: The primary vulnerability in the Lodz Tram Hack case study was... A). Over use of encryption B). Lack of train speed control C). Interference from the surrounding environment D). Lack of authentication

D). Lack of authentication

Why does network segmentation generally improve security? A). Traffic on each isolated segment is faster B). Different people are in charge of different networks C). Network segmentation does not generally improve security D). Malicious traffic cannot freely traverse the internal network

D). Malicious traffic cannot freely traverse the internal network.

Which category of physical control listed would NOT include a lock? A). Deterrent B). Preventive C). Detective D). Mimicry

D). Mimicry

Is it OK to use the same password for all of our accounts? A). Yes because sites use SSL/TLS to secure the communication. B). Yes because using different passwords is hard to remember. C). Yes as long as the password is strong. D). No because a compromise of one account leads to a compromise of all accounts using the same password.

D). No because a compromise of one account leads to a compromise of all accounts using the same password.

Considering the CIA triad and the Parkerian hexad, which of the following is true? A). They both have three key elements B). They both have six key elements C). Confidentiality, integrity, and availability are only in the CIA triad D). Parkerian is more complete but not as widely known

D). Parkerian is more complete but not as widely known

What does PII stand for? A). Privacy, Identify, and Integrity B). Protocol Independent Identity C). Protocol Independent Integrity D). Personally Identifiable Information

D). Personally Identifiable Information

How does the principle of least privilege apply to operating system hardening? A). Allows attack actions that require administrator or root privilege B). Prevents attacks by blocking known malicious code from executing C). Prevents attacks by blocking code execution on the memory stack D). Prevents attack actions that require administrator or root privilege

D). Prevents attack actions that require administrator or root privilege

What is one direct benefit of logging? A). Blocks certain network traffic B). Blocks certain processes from executing C). Enforces password changes D). Provides a history of system activities

D). Provides a history of system activities

What is the quantitative formula for risk presented in class? A). RISK = P(impact) * P(E|V,T) B). RISK = P(V,T|E) * Impact C). RISK = P(V|T) * Impact D). RISK = P(E|V,T) * Impact

D). RISK = P(E|V,T) * Impact

Which of the following is not something we can do to more effectively reach users in our security awareness and training efforts? A). Posters B). Offer repeated and varied avenues for communication C). Gamification D). Randomly fire employees regardless of their actions E). Make the training more interesting and produce positive results

D). Randomly fire employees regardless of their actions

What is one of the best steps we can take to protect people? A). Require two factor authentication B). Give them oxygen masks C). Lock all doors from the outside D). Remove them from the dangerous situation

D). Remove them from the dangerous situation

What does the tool Nikto do? A). Guesses a password to gain system access B). Decrypts poorly encrypted content C). Decrypts strongly encrypted content D). Scans a web server for common vulnerabilities

D). Scans a web server for common vulnerabilities

What did the PCI DSS establish? A). Maximum dollar values for electronic financial transactions B). Protocols for encryption on credit and debit card chips C). Encryption algorithm performance requirements D). Security standards as a condition of processing credit card transactions

D). Security standards as a condition of processing credit card transactions

If an antivirus tool is looking for specific bytes in a file (e.g., hex 50 72 6F etc.) to label it malicious, what type of AV detection is this? A). Behavior B). Reputation C). Zero-Day D). Signature

D). Signature

The confused deputy problem can allow unauthorized privilege escalation to take place; how does this happen? A). One user tries to access a resource already opened by a more privileged user B). One user steals or cracks another user's password C). The user has greater privilege than the software they are using D). Software has greater privilege than the user of the software

D). Software has greater privilege than the user of the software

Which of the following is not an example of how a living organism (e.g., insects or small animals) might constitute a threat to our equipment? A). Cause electrical shorts B). Interfere with cooling fans C). Chew on wiring D). Steal passwords

D). Steal passwords

Why is it important to use strong passwords? A). A strong password can be safely shared across multiple sites B). Weak passwords are just as good as strong ones C). Strong passwords are easier to remember D). Strong passwords are harder (take longer) to brute force

D). Strong passwords are harder (take longer) to brute force

What was the primary topic of the material that Edward Snowden released? A). Vault7 cyber tools B). CIA human assets (spies) overseas C). Nuclear weapons D). Surveillance of electronic communications of US citizens

D). Surveillance of electronic communications of US citizens

COMPLETE THE SENTENCE: In a security context, tailgating is... A). Removing a door from its hinges in order to bypass security B). Enjoying the weather, friends, and food before a football game C). Following too closely in a car D). The act of following someone through an access control point

D). The act of following someone through an access control point

For what might we use the tool Kismet? A). To block network traffic B). To patch computers C). To detect wireless devices D). To detect wired devices

D). To detect wireless devices

How might we use a sniffer to increase the security of our applications? A). To read (decrypt) encrypted traffic B). To slow down network traffic C). To speed up network traffic D). To watch the network traffic being exchanged with a particular application or protocol

D). To watch the network traffic being exchanged with a particular application or protocol

Given a file containing sensitive data and residing in a Linux operating system with some users who should not have access to the data, would setting the file's permissions to "rw-rw-rw-" cause a potential security issue? A). No, because no users can execute the file B). No, because other users cannot modify the file C). Yes, because all users have full permissions for the file D). Yes, because other users can read and modify the file

D). Yes, because other users can read and modify the file

Deep Packet Inspection

Deep packet inspection firewalls are capable of analyzing the actual content of the traffic that is flowing through them. Although packet filtering firewalls and stateful firewalls can only look at the structure of the network traffic itself in order to filter out attacks and undesirable content, deep packet inspection firewalls can actually reassemble the contents of the traffic to look at what will be delivered to the application for which it is ultimately destined.

Incident Response

Definition: The response of an organization to a disaster or other significant event that may significantly impact the organization, its people, or its ability to function productively. The phases are:
Preparation: all of the activities we can perform, in advance of the incident itself, to better enable us to handle it. This typically involves having policies and procedures in place that govern incident response and handling, conducting training and education for both incident handlers and those who are expected to report incidents, conducting incident response exercises, and developing and maintaining documentation.
Detection and analysis: where the action begins in our incident response process. In this phase we detect the occurrence of an issue and decide whether or not it is actually an incident, so that we can respond to it appropriately.
Containment: taking steps to ensure that the situation does not cause any more damage than it already has, or at least lessening any ongoing harm. If the problem is a malware-infected server actively being controlled by a remote attacker, this might mean disconnecting the server from the network, putting firewall rules in place to block the attacker, and updating signatures or rules on an Intrusion Prevention System (IPS) to halt the malware's traffic.
Eradication: removing the effects of the issue from our environment. In the case of the malware-infected server, we have already isolated the system and cut it off from its command and control network; now we need to remove the malware from the server and ensure that it does not exist elsewhere in our environment. This may involve additional scanning of other hosts, and examination of logs on the server and of activity from the attacking devices on the network, to determine what other systems the infected server had been in communication with.
Recovery: potentially restoring devices or data from backup media, rebuilding systems, reloading applications, or similar activities. Additionally, we need to mitigate the attack vector that was used. This can be more painful than it initially sounds, because knowledge of the situation surrounding the incident, and of what exactly took place, is often incomplete or unclear.
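The detection and containment phases above can be made concrete with a small piece of detection logic. The following is an added example, not material from the study set: it scans outbound-connection log lines for a host that contacts the same external address at a regular interval (a common sign of malware beaconing to a command and control server) and turns each finding into a host-firewall block rule. The log format, hostnames and addresses are constructed for this example, and the choice to block with iptables is this example's own.

```python
# Added example (not from the study set): beacon detection over constructed
# connection logs, supporting the "detection and analysis" and "containment"
# phases of incident response described above.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, format: "<timestamp> <src_host> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 -> 203.0.113.10:443
2024-03-01T09:00:05 ws-17 -> 198.51.100.7:443
2024-03-01T09:05:00 ws-17 -> 203.0.113.10:443
2024-03-01T09:07:41 ws-22 -> 198.51.100.7:443
2024-03-01T09:10:00 ws-17 -> 203.0.113.10:443
2024-03-01T09:15:00 ws-17 -> 203.0.113.10:443
2024-03-01T09:18:13 ws-22 -> 198.51.100.9:80
2024-03-01T09:20:00 ws-17 -> 203.0.113.10:443
2024-03-01T09:25:00 ws-17 -> 203.0.113.10:443
"""


def parse_log(text):
    """Yield (timestamp, src_host, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return (src_host, dst, interval_seconds) for every host/destination pair
    whose gaps between connections are nearly constant: the standard deviation
    of the gaps divided by their mean is at most `max_jitter`."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, avg))
    return hits


def containment_rules(hits):
    """Containment step: one iptables DROP rule per beacon destination, so the
    infected host can no longer reach the command and control address."""
    return ["iptables -A OUTPUT -d %s -j DROP" % dst.split(":")[0]
            for _, dst, _ in hits]


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for src, dst, interval in found:
        print("beacon: %s -> %s every %.0fs" % (src, dst, interval))
    for rule in containment_rules(found):
        print(rule)
```

On the constructed log, only ws-17 to 203.0.113.10 fires (six connections exactly 300 seconds apart); the other connections are too few or irregular. Real malware adds random jitter to its beacon interval, which is why the check uses a tolerance rather than requiring identical gaps, and why a finding is a lead for the analysis phase rather than proof of compromise.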

Detective

Detective controls serve to detect and report undesirable events that are taking place. The classic example of a detective control can be found in burglar alarms and physical intrusion detection systems. Such systems typically monitor for indicators of unauthorized activity, such as doors or windows opening, glass being broken, movement, and temperature changes, and also can be in place to monitor for undesirable environmental conditions such as flooding, smoke and fire, electrical outages, and excessive carbon dioxide in the air.

What are the three types of countermeasures?

Detective - detect and report that something has happened (e.g., antivirus, system monitoring, IDS). Preventive - keep something from happening in the first place. Corrective - applied after an event has occurred; an attempt to minimize the damage and fix the issue.

Controlling Physical Security

Deterrent Detective Preventive

Deterrent

Deterrent controls are designed to discourage those who might seek to violate our security controls from doing so, whether the threat is external or internal. A variety of controls might be considered to be a deterrent, including, as we discussed earlier in this section, several that overlap with the other categories. In the sense of pure deterrent controls, we can point to specific items that are intended to indicate that other controls may be in place (such as signs announcing video monitoring).

Three Main Categories Of Physical Security

Deterrent, Detective, and Preventive.

Symmetric Cryptography

Encryption that uses a single key both to encrypt a message (plaintext) and to decrypt the resulting ciphertext. The key itself must be shared between the sender and the receiver, and this process, known as key exchange, constitutes an entire subtopic of cryptography.

Case Study: Automobile Hacking (video)

Exploited through injection or modification of messages. This led to physically being able to access the car's features

COMPLETE THE SENTENCE: A ________ offers some prevention from unauthorized access, but depending on the type, might be easy for an individual to breach.

Fence

Can you give examples of common biometric technologies?

Fingerprinting Iris recognition

Can you name, explain, and give examples of categories of outsiders who could be a threat?

Foreign powers: government agencies, citizens. Business competitors. Hackers: highly skilled hackers, competent technicians, and script kiddies. Criminals: amateurs, professionals, organized crime syndicates.

Social Engineering

Hackers use their social skills to trick people into revealing access credentials or other valuable information.

Hash Functions

Hash functions represent a third cryptography type alongside symmetric and asymmetric cryptography, what we might call keyless cryptography. Hash functions, also referred to as message digests, do not use a key, but instead create a largely unique and fixed-length hash value, commonly referred to as a hash, based on the original message, something along the same lines as a fingerprint. Any slight change to the message will change the hash. Hashes cannot be used to discover the contents of the original message, or any of its other characteristics, but can be used to determine whether the message has changed. In this way, hashes provide integrity, but not confidentiality.

Why is it important to identify and eliminate single points of vulnerability?

Having a single point at which an attacker can do a great deal of damage could make the whole system collapse if just one point is compromised.

Case Study: Stuxnet

How exploited: centrifuge failures at an Iranian nuclear plant due to a virus introduced via USB media.
Impact: integrity and availability.
Vulnerabilities: external media (what is allowed in), code integrity, weak internal security.
Threats: hackers for hire, nation states, hacktivists, terrorists, insiders.
Controls (most controls apply): no media allowed in or out, file integrity checkers, disabling unneeded services and ports.

Case Study: Ukraine Power Grid

How exploited: phishing led to IT network access and compromised workstations.
Vulnerabilities: weak anti-malware, weak human anti-phishing defenses, single-factor authentication.
Threats: hackers for hire, nation states, hacktivists, terrorists, insiders, others.
Controls: most controls apply.

Case Study: RQ-170 Sentinel (UAV)

How exploited: the UAV's (Unmanned Aerial Vehicle's) communications were blocked.
Vulnerabilities: insecure communication, untrusted navigation, unencrypted data, exposed designs and technology.
Threat: nation states.
Controls: mainly cryptography (encryption) and physical security.

Case Study: Hainan Island Incident

How exploited: physical access to systems; not all data was encrypted (and keys were present for some that was).
Impacts: mainly confidentiality (exposure of data, code, and designs); possibly integrity and availability.
Vulnerabilities: unencrypted data at rest and in process.
Threat: nation states.
Controls: mainly cryptography (encryption) and physical security.

IP Traffic (Common Types)

ICMP, UDP, & TCP

OPSEC Process

1). Identify critical information - the first step in the OPSEC process, and arguably the most important: identify the assets that most need protection and would cause us the most harm if exposed.
2). Identify threats - look at the potential harm or financial impact that might be caused by critical information being exposed, and who might exploit that exposure.
3). Identify vulnerabilities - look at the weaknesses that can be used to harm us.
4). Assess risks - determine which issues we really need to be concerned about (areas with matching threats and vulnerabilities).
5). Apply countermeasures - put measures in place to mitigate those risks.

Why is a formal process needed?

If one does not know why security is needed and what needs to be protected, focusing on technology may be useless or even counterproductive.

Example of Social Engineering (FROM THE TEXTBOOK)

If someone is attempting to gain unauthorized access to a building where a proximity badge is normally required to enter, this could pose a problem if such a badge were not available; not so for our social engineer. We would start by studying the location to determine when the shift changes take place, and therefore when the flow of people entering our door would be likely to occur. We would also want to observe the people entering and exiting the building to get an idea of the appropriate way to dress. We might also investigate different doors in the building to find one that is not manned by a security guard, lacks secondary physical access controls such as a turnstile, and preferably has no camera. Once appropriately dressed, we would then proceed to the building at the time selected based on our observations, carrying our prop. In this case we might select a large box so as to not have free hands to reach for our (not actually present) proximity badge. In the majority of cases, unless we are targeting a very high security facility, when we walk up to the door right behind someone and are clearly struggling with our heavy parcel, they will hold the door open for us and will not ask a single question regarding our authorization to enter. This is social engineering, and more specifically, pretexting.

What is the difference between Mandatory Access Control (MAC) and Discretionary Access Control (DAC)?

In DAC, the owner of the resource determines who may access it; in MAC, the owner of the resource does not determine access. Instead, access is decided by the system according to security labels (classifications and clearances) set by a central authority.

Client Side vs. Server Side

In terms of Web security, the areas of concern break out into client-side issues and server-side issues. Client-side issues involve attacks against the client software we are running, or the people using the software. We can help mitigate these by ensuring that we are on the most current version of the software and associated patches, and sometimes by adding extra security tools or plug-ins. On the other side, we have attacks that are directly against the Web server itself. Such attacks often take advantage of lack of strict permissions, lack of input validation, and leftover files from development or troubleshooting efforts. Fixing such issues requires careful scrutiny by both developers and security personnel.
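The "lack of input validation" server-side issue above is most often seen as SQL injection. The following is an added example, not code from the study set: a login query built by string concatenation, which a classic tautology payload turns into a query that matches every user, next to the parameterized query that treats the same input purely as data. The table, rows and payload are constructed for this example, using Python's built-in SQLite driver.

```python
# Added example (not from the study set): SQL injection against a constructed
# in-memory SQLite users table, vulnerable query beside the parameterized fix.
import sqlite3


def make_db():
    """Constructed sample database with two users (plaintext passwords only
    to keep the example short; real systems store salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: user input becomes SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Passes user input as bound parameters, so quotes and keywords in the
    input are never parsed as part of the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    conn = make_db()
    payload = "' OR '1'='1"   # constructed attacker input, no password known
    return (login_vulnerable(conn, "alice", "wrong"),
            login_vulnerable(conn, payload, payload),
            login_safe(conn, payload, payload),
            login_safe(conn, "alice", "correct horse"))


if __name__ == "__main__":
    print(demo())
```

With the payload in both fields, the vulnerable function runs `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row and returns both users; the parameterized version returns nothing for the same input and still works for a genuine login. Parameterized queries are the fix; input validation on top of them is defense in depth, not a substitute.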

What are other names for a successful attack?

Incident, compromise, or breach.

Symmetric Cryptography Weakness

One of the chief weaknesses of symmetric key cryptography lies in the use of one key. If the key is exposed beyond the sender and the receiver, it is possible for an attacker who has managed to intercept it to decrypt the message or, worse to decrypt the message, alter it, then encrypt it once more and pass it on to the receiver in place of the original message. Since such issues are present, symmetric key cryptography by itself provides only confidentiality, and not integrity.
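The weakness described above (encryption alone gives confidentiality but not integrity) and the hash-function entry earlier (a keyed hash gives integrity) can both be shown in one short program. The following is an added example, not code from the study set: a toy symmetric stream cipher built from SHA-256 in counter mode, an attacker who rewrites the ciphertext without knowing the key, and an HMAC-SHA256 tag (encrypt-then-MAC) that detects the change. The key, nonce and message are constructed for this example; the cipher itself is for illustration and is not a substitute for a vetted authenticated cipher such as AES-GCM.

```python
# Added example (not from the study set): symmetric encryption is malleable
# without a MAC; HMAC over the ciphertext restores integrity.
import hashlib
import hmac


def keystream(key, nonce, length):
    """Derive `length` bytes of keystream as SHA-256(key || nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, plaintext):
    """XOR the message with the keystream; decryption is the same operation."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt


def tamper(ciphertext, offset, old, new):
    """Attacker step, no key needed: flip ciphertext bytes so the known
    plaintext bytes `old` at `offset` decrypt to `new` instead."""
    c = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        c[offset + i] ^= o ^ n
    return bytes(c)


def seal(key, nonce, plaintext):
    """Encrypt-then-MAC: append HMAC-SHA256 over nonce and ciphertext."""
    ct = encrypt(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(key, nonce, blob):
    """Verify the tag (constant-time compare) before decrypting; None on tamper."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(key, nonce, ct)


def demo():
    key, nonce = b"shared-secret-key", b"nonce-01"   # constructed values
    msg = b"PAY $0100 TO BOB"
    # 1. Encryption only: the attacker changes the amount without the key.
    ct = encrypt(key, nonce, msg)
    forged = tamper(ct, 5, b"0100", b"9999")
    unauthenticated = decrypt(key, nonce, forged)
    # 2. Encrypt-then-MAC: the same tampering is rejected.
    blob = seal(key, nonce, msg)
    forged_blob = tamper(blob, 5, b"0100", b"9999")
    return (unauthenticated,
            open_sealed(key, nonce, blob),
            open_sealed(key, nonce, forged_blob))


if __name__ == "__main__":
    print(demo())
```

The first result decrypts cleanly to a message the sender never wrote, which is exactly the "alter it, then encrypt it once more" scenario above; the sealed version returns the original message and rejects the forgery. The tag is checked before anything is decrypted, and the nonce is covered by the MAC so it cannot be swapped either.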

Confidentiality

Is a concept similar to, but not the same as, privacy. Confidentiality is a necessary component of privacy and refers to our ability to protect our data from those who are not authorized to view it. Confidentiality is a concept that may be implemented at many levels of a process.

What is a PKI? What are its components? What is its purpose?

Public key infrastructure; the arrangement in which public key authentication is used together with digital certificates.

False Rejection rate (FRR)

Is the problem of rejecting a legitimate user when we should have accepted him. This type of issue is commonly known outside the world of biometrics as a false negative.

OSI Security Architecture

It defines a systematic approach for managers, describing a way of organizing the task of providing security.

What is the purpose of auditing?

One of the primary ways we can ensure accountability through technical means is by ensuring that we have accurate records of who did what and when they did it. Auditing provides us with the data with which we can implement accountability. If we do not have the ability to assess our activities over a period of time, then we do not have the ability to facilitate accountability on a large scale. Particularly in larger organizations, our capacity to audit directly equates to our ability to hold anyone accountable for anything.

How does a substitution cipher work?

One plaintext letter or block of letters is exchanged for another in a consistent fashion.

Kismet

Kismet is used as a tool to detect wireless access points, and thus has the potential to break through networks.

Why does access control based on the Media Access Control (MAC) address of the systems on our network not represent strong security?

MAC addresses can be easily spoofed or changed.

What are important issues to remember when disposing of computer equipment?

Make sure the hard disk is wiped, regardless of how it will be used in the future, to prevent data from being recovered. Make sure someone is there to supervise proper destruction of equipment.

What is a zero-day exploit?

Malicious code that takes advantage of a vulnerability that has no fix.

What is a software worm?

Malware designed to hop from one system to the next.

What is plaintext?

Meaningful data that is not yet encrypted.

Circuit Level Gateways

Monitors the TCP handshaking going on between the local and remote hosts to determine whether the session being initiated is legitimate -- whether the remote system is considered "trusted." They don't inspect the packets themselves, however.

Can you give examples of common policy requirements for passwords?

Not using the same password at multiple sites. Disabling passwords that are no longer valid or that belong to an employee who no longer works there. Passwords must be stored as hashes. Make them long and complex.

What is a backdoor?

Obtaining admin access to a computer system while attempting to remain undetected. Backdoors are most often used for securing remote access to a computer, or obtaining access to plaintext in cryptographic systems. From there it may be used to gain access to privileged information like passwords, corrupt or delete data on hard drives, or transfer information within autoschediastic networks.

Race Conditions

Occur when multiple processes or multiple threads within a process control or share access to a particular resource, and the correct handling of that resource depends on the proper ordering or timing of transactions.

Authorization Creep

Occurs when an employee changes from one role or position to another and acquires an increase in additional permissions and privileges, without having their previous privileges properly withdrawn.

False Acceptance Rate (FAR)

Occurs when we accept a user whom we should actually have rejected. This type of issue is also referred to as a false positive.

Intrusion Prevention System (IPS)

Often working from information sent by the IDS, can actually take action based on what is happening in the environment. In response to an attack over the network, an IPS might refuse traffic from the source of the attack.

Packet Filtering Firewalls

Operate at the router and compare each packet received to a set of established criteria (such as allowed IP addresses, packet type, port number, etc.) before it is either dropped or forwarded.

COMPLETE THE SENTENCE: Class A fire extinguishers are used primarily for ________.

Ordinary Combustibles

OSI MODEL

PHYSICAL LAYER 1: Defines connections between a device and the physical transmission media; cabling, wiring, hubs, repeaters, switches, and adapters.
DATA LINK LAYER 2: Link between two directly connected nodes, as well as detecting and fixing physical errors in the physical layer; PPP (Point-to-Point Protocol) - encryption, authentication, and compression between nodes.
NETWORK LAYER 3: Provides the protocols for transferring data from one node to another in a system with multiple nodes with unique addresses (a network); IP, ICMP, RIP.
TRANSPORT LAYER 4: Controls the reliability of data transmission between nodes on a network for the benefit of higher layers; TCP & ACK, UDP, SCTP - combines TCP and UDP.
SESSION LAYER 5: Controls the connection between computers through checkpointing so that connections, when terminated, may be recovered; NFS (Network File System), SOCKS (Socket Secure).
PRESENTATION LAYER 6: Transforms data into a format that can be understood by the programs in the application layer above it; ICA.
APPLICATION LAYER 7: Allows client interaction with software by identifying resource and communication requirements; HTTP, FTP, DNS.

How might an attacker compromise a PKI?

PKI needs a way to generate public/private keys. If an impostor can deceive the provisioning authority, the system breaks down; controlling the issuing of access credentials is the prime authentication issue.

Packet Filtering

Packet filtering looks at the contents of each packet in the traffic individually and makes a gross determination, based on the source and destination IP addresses, the port number, and the protocol being used, of whether the traffic will be allowed to pass. Since each packet is examined individually and not in concert with the rest of the packets comprising the content of the traffic, it can be possible to slip attacks through this type of firewall.

What is the difference between passive and active security threats?

Passive attacks have to do with eavesdropping on, or monitoring transmissions. Email, file transfers, and client/server exchanges are examples of transmissions that can be monitored. Active attacks include the modification of transmitted data and attempts to gain unauthorized access to computer systems.

Security Management

People who make sure systems are secure and protected from internal and external threats.

Intrusion Detection System (IDS)

Performs strictly as a monitoring and alert tool, only notifying us that an attack or undesirable activity is taking place.

Preventive

Preventive controls are used to physically prevent unauthorized entities from breaching our physical security. An excellent example of preventive security can be found in the simple mechanical lock. Locks are nearly ubiquitous for securing various facilities against unauthorized entry, including businesses, residences, and other locations.

Nonrepudiation

Prevents someone from taking an action, such as sending an e-mail, and then later denying that he or she has done so. This is critical to e-commerce and is defined by the laws governing the transactions.

What is decryption?

Process that converts ciphertext back to plaintext.

What are two important parts of the biometric process that are never perfect?

Promises to make reusable passwords obsolete. Requires an enrollment scan. The scanning process is not perfectly repeatable.

Three Priorities of Physical Security

1). Protecting people 2). Protecting data 3). Protecting equipment

Proxy Servers

Proxy servers are ultimately a specialized variant of a firewall. These servers provide security and performance features, generally for a particular application, such as mail or Web browsing. Proxy servers can serve as a choke point in order to allow us to filter traffic for attacks or undesirable content such as malware or traffic to Web sites hosting adult content. They also allow us to log the traffic that goes through them for later inspection, and they serve to provide a layer of security for the devices behind them, by serving as a single source for requests.

Industry Compliance

Regulations which are not mandated by law, but which can nonetheless have severe impacts upon our ability to conduct business. The primary example of this which is in common use is compliance with the PCI DSS, often simply referred to as PCI compliance. In this particular case, a body composed of credit card issuers (Visa, American Express, and MasterCard, among others) has set up a body of security standards as a condition of processing credit card transactions using cards issued by their various members.

What are three different purposes for which biometric are commonly used?

Replacing passwords; ease of access; verification; identification; watch lists.

Can you name, explain, and give examples of the four risk control strategies?

Risk avoidance - attempts to eliminate risks by making the risk event impossible to occur. For example, not using an outsourcer to store private customer or employee data if doing so is too risky. Risk transference - eliminates the impact of a risk event by transferring the impact. An example is insurance, where an insurance company charges money annually in return for paying when damages occur. Risk reduction - attempts to reduce the effect of a risk event by reducing the probability of it occurring or the impact should it occur. An example is installing firewalls. Risk acceptance - does not attempt to alter the situation, but accepts it the way it is. An example of this is when the cost of a countermeasure would be higher than the cost or impact of a breach.

COMPLETE THE SENTENCE: A centralized room in many small businesses that houses the main IT equipment is called a ________.

Server Room

Exploit

Small bits of software that exploit (take advantage of) flaws in other software to cause them to behave in ways that were not intended by the creators.

What things are audited?

Software licensing; network data / Internet usage.

What is spyware?

Software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive.

What is adware?

Software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process.

Threat

Something that has the potential to cause us harm. Threats tend to be specific to certain environments, particularly in the world of information security.

A physical key (like for a door lock) would be described as which type of authentication factor?

Something you have.

COMPLETE THE SENTENCE: An e-mail attack in which the recipients are deliberately chosen is called a ________ attack.

Spear Phishing

HSPD-12

Stands for Homeland Security Presidential Directive 12. Federal agencies are required to use Personal Identification Verification authentication for network access to privileged and non-privileged accounts and for local access to privileged accounts.

Stateful Packet Inspection

Stateful packet inspection firewalls (generally referred to as stateful firewalls) function on the same general principle as packet filtering firewalls, but they are able to keep track of the traffic at a granular level. While a packet filtering firewall only examines an individual packet out of context, a stateful firewall is able to watch the traffic over a given connection, generally defined by the source and destination IP addresses, the ports being used, and the already existing network traffic. A stateful firewall uses what is called a state table to keep track of the connection state and will only allow traffic through that is part of a new or already established connection.

What are the main differences between symmetric and asymmetric key cryptography?

Symmetric key cryptography uses a single key for encryption and decryption; asymmetric key cryptography uses two keys, one for encryption and one for decryption.

What is federated identity management?

System in which two companies can pass identity assertions to each other without allowing access to internal data.

The Bell-LaPadula and Biba multilevel access control models each have a different primary security focus. Can these two models be used in conjunction? TRUE OR FALSE

TRUE

How does a multi-level security (MLS) system work?

The application of a computer system to process information with incompatible classifications (i.e., at different security levels), permit access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. Classified information requires complex layers of control that far exceed basic clearance granting and badge granting policies.

Attack Surface

The code that can be executed by unauthorized users in a software program. The total area of the number of available avenues through which our OS might be attacked. Large is bad; small is good.

Fault Management

The detection and signaling of device, link, or component faults.

Cryptology

The field of study that covers cryptography and cryptanalysis. Also known as the science of interpreting secret writings, codes, ciphers, and the like.

How should an organization handle someone who quits or is fired?

The manager should allow them to leave immediately with pay so no further intimate information is gathered. They should not be allowed to attend any further business meetings.

What is ciphertext?

The meaningless data that plaintext is turned into.

Performance Management

The process through which managers ensure that employees' activities and outputs contribute to the organization's goals.

What is cybersecurity?

The protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.

Cryptographic Algorithm

The specifics of the process used to encrypt the plaintext or decrypt the ciphertext are referred to as a cryptographic algorithm. To put it in simple terms, it is a procedure for encryption or decryption. These algorithms generally use a key, or multiple keys, in order to encrypt or decrypt the message, the key being roughly analogous to a password.

Attribute-Based Access Control

These can be the attributes of a particular person, of a resource, or of an environment. Subject attributes are those of a particular individual. We could choose any number of attributes, such as the classic "you must be this tall to ride" access control, which exists to prevent the vertically challenged from riding on amusement park rides that might be harmful to them.

Why is an ex-employee a threat?

They may harbor malice against the organization and have intimate knowledge of the system and may tell unauthorized people.

What is the goal of information security?

To manage security risks.

Accounting Management

To measure network utilization parameters so individual or group usage on the network can be regulated appropriately.

Nmap Port Scanner

Tool used to scan for devices on a network, to include fingerprinting the operating system and detecting versions of services on open ports.

What does "biometrics" mean literally? In the I.T. context?

Use of biological measurements for authentication. Based on something you are or something you do.

What is the role of the password in access control?

Used to gain access to the server and is reusable over a period of time.

How do users sometimes misuse passwords?

Using someone else's answer to reset a password. Sharing passwords, which makes auditing challenging. Social engineering: calling a call center on someone else's behalf in order to gain unauthorized access.

Polymorphic Virus

Virus in which the encryption is altered each time it infects a file, making it very difficult to detect.

Armored Virus

Virus that obscures its true location in a system and leads the antivirus software to believe that it resides somewhere else.

Vulnerability assessments vs. Penetration Testing

Vulnerability assessments generally involve using vulnerability scanning tools to find vulnerabilities. Penetration testing is less practical and involves mimicking the actions of an attacker. Testing might bring to light the severity of the vulnerability.

What is the role of auditing in access control?

We perform audits to ensure that compliance with applicable laws, policies, and other bodies of administrative control is being accomplished as well as detecting misuse. We may audit a variety of activities, including compliance with policy, proper security architecture, configuration management, personal behavior of users, or other activities.

What are 4 different ways to authenticate a claim of identity?

1). What you know - a password for an account 2). What you have - a door key, a smart card 3). Who you are - fingerprint 4). What you do - how you pronounce a passphrase

What is defense in depth? Give an example.

When multiple independent countermeasures are placed in series, so that when one fails there are others. An example of this is in the game World of Warcraft: if a hacker gets through the password screen, there is an authentication key needed after that, which only the owner of the account can generate.

What are ways in which a biometric process can fail?

When the system cannot recognize the individual. Something is blocking the camera.

What is authentication of origin?

Where the message comes from. Can refer to "is it really you?" Also known as authentication of identity or authentication of integrity.

Does an organization's location or the national origin or location of data they are transmitting or storing affect the organization's use of encryption or how they treat employee information? YES or NO

YES

What are some risks when performing offensive security operations?

You might leave other parts open or lose sight of defense.
