
Information Security and Assurance Study Guide, Exams of Computer Applications

An overview of information security and assurance, covering topics such as confidentiality, integrity, availability, defense in depth, risk assessment and analysis, security controls, and the Trusted Computing Base. It also discusses security governance and risk management, security architecture and design, and the different roles involved in information security, as well as various concepts and principles used to design, implement, monitor, and secure operating systems, equipment, networks, and applications. It also covers different types of security controls and risk analysis methods.

Typology: Exams

2022/2023

Available from 02/23/2023

oliver001

C725 Information Security and Assurance Study Guide

Confidentiality - ✔ Referred to as least privilege: users should be given only enough privilege to perform their duties, and no more. Ensures that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible.
Integrity - ✔ Keep data pure and trustworthy by protecting system data from intentional or accidental changes. Prevent unauthorized users from making modifications to data or programs; prevent authorized users from making improper or unauthorized modifications; maintain internal and external consistency of data and programs.
Availability - ✔ Keep data and resources available for authorized use, especially during emergencies or disasters.
Defense in Depth - ✔ Implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response. Makes sure that no one mechanism is responsible for the security of the entire system.
Verification - ✔ Process of confirming that one or more predetermined requirements or specifications are met.
Validation - ✔ Determines the correctness or quality of the mechanisms used to meet the needs.
Functional - ✔ What a system should do.
Assurance - ✔ How functional requirements should be implemented.
Functional and Assurance - ✔ Does the system do the right things (behave as promised)? Does the system do the right things in the right way?
Security through obscurity - ✔ The belief that hiding the details of the security mechanisms is sufficient to secure the system alone - NOT TRUE.

Risk assessment and Risk analysis - ✔ Concerned with placing an economic value on assets to best determine appropriate countermeasures that protect them from losses.
Degree of risk - ✔ What is the consequence of a loss? What is the likelihood that this loss will occur?
Vulnerability - ✔ Known problem within a system or program.
Exploit - ✔ Program or "cook-book" on how to take advantage of a specific vulnerability.
Risk - ✔ Probability that a threat to an information system will materialize.
Three types of security controls - ✔ People, process, and technology - Preventative, Detective and Responsive.
Separation of Duties - ✔ No one person in an organization should have the ability to control or close down a security activity.
Process controls - ✔ Ensure that different people can perform the same operations exactly the same way each time. They are documented as procedures on how to carry out an activity related to security. Makes sure that a single person cannot gain complete control over a system.
Information Security Governance and Risk Management - ✔ Which (ISC)2 domain emphasizes the importance of a comprehensive security plan that includes security policies and procedures for protecting data and how it is administered? A compilation and distillation of all security information collected internationally of relevance to information security professionals.
Security Architecture and Design - ✔ Which (ISC)2 domain discusses concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and other controls to enforce various levels of confidentiality, integrity, and availability?
8 domains - ✔ How many domains are contained within the CBK?
Information Security Governance and Risk Management - ✔ These are included in which domain? Documented policies, standards, procedures, and guidelines; management of risk to corporate assets.

Legal Regulations, Investigations, and Compliance - ✔ This domain covers the different targets of computer crimes, bodies of law, and the different types of laws and regulations as they apply to computer security.
Physical (Environmental) Security - ✔ Topics covered in this domain include securing the physical site using policies and procedures coupled with the appropriate alarm and intrusion detection systems, monitoring systems, and so forth.
Operations Security - ✔ This domain covers the kind of operational procedures and tools that eliminate or reduce the capability to exploit critical information. It includes defining the controls over media, hardware, and operators with special systems privileges.
Access Control - ✔ Which domain covers who may access the system, and what they can do after they are signed on?
Cryptography - ✔ Which domain involves encrypting data so that authorized individuals may view the sensitive data and unauthorized individuals may not?
Telecommunications and Network Security - ✔ Which domain includes not just network topologies, but also their weaknesses and defenses?
Software Development Security - ✔ Which domain focuses on sound and secure application development techniques?
Certified Information Systems Auditor (CISA) - ✔ Which certification is for senior-level personnel and management? Focuses more on business procedures than technology.
Certified Information Security Manager (CISM) - ✔ Which certification is geared toward experienced information security managers and people with information security management responsibilities? Business oriented and focuses on information risk management while addressing management, design, and technical security issues.
Certified in Risk and Information Systems Control (CRISC) - ✔ Which certification helps enterprises understand business risk and have the technical knowledge to implement appropriate information systems controls?
Global Information Assurance Certifications (GIAC) - ✔ 26 certifications - Which certification is primarily for practitioners or hands-on personnel such as system administrators, network engineers, software developers, and the people who manage them?
CCFP: Certified Cyber Forensics Professional - ✔ Which certification covers expertise in forensics techniques and procedures, standards of practice, and legal and ethical principles to ensure accurate, complete and reliable digital evidence admissible to a court of law?
Certified Ethical Hacker (CEH) - ✔ Which certification helps the organization take preemptive measures against malicious attacks by attacking the system itself, all while staying within legal limits?
Policies - ✔ Once established, become the basis for protecting both information and technology resources and for guiding employee behavior. Need to be considered long before technology is acquired. High-level statements that provide management beliefs, goals and objectives. Statement of management's intent.
Program-Level Policy - ✔ Which policy is used for creating a management-sponsored computer security program? Addresses the need for information security and can delegate the creation and management of the program to a role within the IT department.
Program-Framework Policy - ✔ Which policy establishes the overall approach to computer security? Describes the elements and organization of the program and department that will carry out the security mission.
Issue-Specific Policy - ✔ Which policy addresses specific issues of concern to the organization? Could be PCI data security, Sarbanes-Oxley (SOX), etc.
System-Specific Policy - ✔ Which policy focuses on policy issues that management has decided for a specific system?
IT security measures - ✔ Tailored to meet organizational security goals.
Security objectives - ✔ First step in system security policy development. Consist of a series of statements to describe meaningful actions about specific resources. These objectives should be based on system functionality or mission requirements, but should also state the security actions to support the requirements.
Operational Security - ✔ Lists the rules for operating a system.
Policy implementation - ✔ The organization must determine the role technology plays in enforcing or supporting the policy.
Standards - ✔ Topic-specific documents that describe overall requirements for security.
Baselines - ✔ System-specific documents that describe overall requirements for security.

Guidelines - ✔ Documentation that aids in compliance with standards: considerations, hints, tips, and best practices in implementation.
Procedures - ✔ Step-by-step instructions on how to perform a specific activity. Embodies all the detailed actions that personnel are required to follow.
Quantitative Risk Analysis - ✔ Attempts to establish and maintain an independent set of risk metrics and statistics.
Annualized Loss Expectancy (ALE) - ✔ Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
Probability - ✔ Chance or likelihood, in a finite sample, that an event will occur or that a specific loss value might be realized if the event occurs.
Threat - ✔ An event whose occurrence could have an undesired impact.
Control - ✔ Risk-reducing measure that acts to detect, prevent, or minimize loss associated with the occurrence of a specified threat or category of threats.
Vulnerability - ✔ The absence or weakness of a risk-reducing safeguard.
Qualitative Risk Analysis - ✔ Probability data is not required, and only estimated potential loss is used.
Threats - ✔ Things that can go wrong or attack the system.
Vulnerabilities - ✔ Make a system more prone to attack or make an attack more likely to have some success or impact.
Deterrent Controls - ✔ Control to reduce the likelihood of a deliberate attack.
Preventative Controls - ✔ Control to protect vulnerabilities and either make an attack unsuccessful or reduce its impact.
Corrective Controls - ✔ Control to reduce the effect of an attack.
Detective Controls - ✔ Control to discover attacks and trigger preventative or corrective controls.
Recovery Controls - ✔ Control to restore lost computer resources or capabilities to recover from security violations.
Risk Analysis - ✔ What answers these questions: What am I trying to protect? What is threatening my system? How much time, effort, and money am I willing to spend?
A Learning Management System (LMS) - ✔ A software application for administrating, documenting, tracking, and reporting employee progress in training programs.
CISO (chief information security officer) - ✔ Establishes and maintains security and risk-management programs for information resources.
Information Resources Manager - ✔ Maintains policies and procedures that provide for security and risk management of information resources.
Information Resources Security Officer - ✔ Directs policies and procedures designed to protect information resources (identifies vulnerabilities, develops the security awareness program, etc.).
Owners of information resources - ✔ Have the responsibility of carrying out the program that uses the resources (program managers or delegates for the owner).
Custodians of information resources - ✔ Provide technical facilities, data processing, and other support services to owners and users of information resources.
Technical Managers (network and system administrators) - ✔ Provide technical support for security of information resources.
Internal Auditors - ✔ Conduct periodic risk-based reviews of information resources security policies and procedures.
Users - ✔ Have access to information resources in accordance with the owner-defined controls and access rules.
The Trusted Computing Base (TCB) - ✔ Totality of protection mechanisms within a computer system, including hardware, firmware, and software. Consists of one or more components that together enforce a unified security policy over a product or system.
Reference Monitor - ✔ Software model or abstract machine that mediates all access from any subject to any object; it cannot be bypassed.
Security Kernel - ✔ An implementation of a reference monitor for a specific hardware base.
Mandatory Access Control (MAC) - ✔ What type of control is part of the TCB? Requires that access control policy decisions stay beyond the control of the individual owner of an object, thus requiring the system to make the decisions.

Multics (Multiplexed Information and Computing Service) - ✔ The first operating system to provide a hierarchical file system.
Trust in a system moves from the outside to the inside in a unidirectional mode; a reference monitor is used to communicate flow between layers - ✔ How does trust move in the TCB ring of trust?
Process isolation - ✔ Design objective in which each process has its own distinct address space for its application code and data. Makes it possible to prevent each process from accessing another process's data. Prevents data leakage and modification of data while in memory.
Least Privilege - ✔ A process has no more privilege than what it really needs to perform its functions. Any model that requires supervisor or root is embedded in the OS kernel.
Hardware Segmentation - ✔ Segmentation of memory into protected segments. The kernel allocates the required amount of memory for the process to load its application code, process data, and application code. The system prevents user processes from accessing another process's allocated memory and system memory.
Layering - ✔ Process operation that is divided into layers by function. Lower layers perform basic tasks; higher (inner) layers perform more complex or protected tasks.
Abstraction - ✔ Process that defines a specific set of permissible values for an object and the operations that are permissible on that object.
Data Hiding - ✔ Mechanism used to ensure that information available at one process level is not available in another, regardless of whether it is higher or lower. Also in OOP, when information is encapsulated within an object and can be directly manipulated only by the services provided within that object.
Primary Storage - ✔ Main memory that is directly accessible by the CPU. Volatile.
Secondary Storage - ✔ Nonvolatile storage that can hold application and system code plus data when the system is not in use.

Real Memory - ✔ Definite storage location for a program in memory and direct access to a peripheral device.
Virtual Memory - ✔ Extends the volume of primary storage by using secondary storage to hold the memory contents. Swapped in and out of primary memory when needed for processing.
Random Memory - ✔ The computer's primary working and storage area. Addressable directly by the CPU and stores application or system code in addition to data.
Sequential Storage - ✔ Computer memory that is accessed sequentially, e.g. magnetic tape.
Volatile memory - ✔ Experiences a complete loss of any stored information when the power is removed.
Closed Systems - ✔ Proprietary in nature. Specific OS and hardware. Lack standard interfaces to allow connection to other systems. The user is limited in the applications and programming languages available.
Open Systems - ✔ Employ standard interfaces to allow connections between different systems. Give the user full access to the total system capability.
Multitasking - ✔ Technique used by a system that is capable of running two or more tasks in concurrent performance or interleaved execution.
Multiprogramming - ✔ System permits the interleaved execution of two or more programs on a processor.
Multiprocessing - ✔ Simultaneous execution of two or more programs by the CPU. Can be done through parallel processing of a single program by two or more processors in a multiprocessor system that all have common access to main storage.
Finite-State Machine - ✔ Any device that stores the status or state of something at a given time and that can operate based on inputs to change the stored status and/or cause an action or output to take place.
Security Policy - ✔ Formal description of the rules for subjects and objects that a trusted system needs to determine whether a given subject is authorized to access a specific object.
Orange Book - ✔ Complete description of all the protection mechanisms computer systems use.

D: Minimal Protection; C: Discretionary Protection; C1: Discretionary Security Protection; C2: Controlled Access Protection; B: Mandatory Protection; B1: Labeled Security Protection; B2: Structured Protection; B3: Security Domains; A: Verified Protection - ✔ List the divisions/classes of the Orange Book from least to best.
Division D: Minimal Protection - ✔ This division/class of the Orange Book is for systems that have been formally evaluated but fail to meet the requirements for a higher evaluation class. Classification also used for unrated or untested systems.
Division C: Discretionary Protection - ✔ This division/class of the Orange Book is based on the need-to-know or least privilege principle, and on audit control mechanisms that enforce the personal accountability of subjects for the actions they take while using the system. In the commercial world, the data owner (a human) gets to decide who is authorized to access his or her objects.
Class C1: Discretionary Security Protection - ✔ This division/class of the Orange Book satisfies the discretionary access control requirements by separating users and data. It incorporates mechanisms that are capable of enforcing access limitations on an individual basis. Gives users the capability to protect project or private information and to keep other users from accidentally reading or destroying their data. Typically used among a group of users who share the same level of clearance.
Class C2: Controlled Access Protection - ✔ This division/class of the Orange Book enforces a more finely grained discretionary access control, making users individually accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation. No program can gain access to the memory areas other programs use.
Division B: Mandatory Protection - ✔ In this division/class of the Orange Book the TCB must preserve the integrity of sensitivity labels and use them to enforce a set of mandatory access control rules. Reference monitor implemented and verified.

Class B1: Labeled Security Protection - ✔ This division/class of the Orange Book requires all the features class C2 requires. Requires an informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects. The system must be capable of labeling information exported from the system, and any flaws identified during testing must be removed.
Class B2: Structured Protection - ✔ In this division/class of the Orange Book the TCB is based on a clearly defined and documented formal security policy model that requires extending the discretionary and mandatory access control enforcement in B1 to all subjects and objects in the system. Covert channels are addressed. The TCB is structured into protection-critical and non-protection-critical elements.
Class B3: Security Domains - ✔ In this division/class of the Orange Book the TCB must satisfy the reference monitor requirements:

  1. Mediate all accesses of subjects to objects
  2. Resist tampering
  3. Have a small enough size that it can be subjected to analysis and tests

This system is highly resistant to penetration.
Division A: Verified Protection - ✔ This division/class of the Orange Book is characterized by the use of formal security verification methods to ensure that the mandatory and discretionary security controls employed within the system effectively protect classified or other sensitive information that the system stores or processes.
Class A1: Verified Design - ✔ This division/class of the Orange Book has a formal model of the security policy and a formal top-level specification of the design. This class is used for design verification. Requirements:

  1. Formal model of security policy with mathematical proof
  2. Formal top-level specification with abstract definitions of the functions performed and the hardware/firmware
  3. Formal top-level specification of the TCB shown, using appropriate techniques, to be consistent with the model
  4. TCB implementation must be informally shown to be consistent with the top-level specification
  5. Formal analysis techniques to identify and analyze covert channels

The Trusted Network Interpretation - ✔ Red Book of the Rainbow Series.

The Information Technology Security Evaluation Criteria (ITSEC) - ✔ European-developed criterion that fills a role roughly equivalent to the TCSEC for use throughout the European Community. Places emphasis on integrity and availability and attempts to provide a uniform approach to the evaluation of both products and systems. Introduces the concept of the target of evaluation.
Target of Evaluation (TOE) - ✔ Product or system under evaluation. The specific products or systems that fall into an evaluation against an existing PP.
Bell-LaPadula Model - ✔ The Orange Book is founded upon which security model?
Confidentiality - ✔ What did the Orange Book address?
Integrity and availability - ✔ What did the ITSEC address that the Orange Book did not?
Common Criteria (CC) - ✔ Was intended to resolve the conceptual and technical differences in the various source criteria and to deliver the results to the International Organization for Standardization (ISO) as a proposed international standard under development.
Common Criteria (CC) - ✔ Provides a common language and structure to express IT security requirements and enables the creation of catalogs of standards broken down into components and packages. The CC breaks apart the functional and assurance requirements into distinct elements that users can select for customized security device implementation.
Protection Profiles (PPs) - ✔ An implementation-independent collection of objectives and requirements for any given category of products or systems that must meet similar needs (such as firewalls). Needed to support defining functional standards and to serve as an aid in specifying needs for procurement purposes.
Audit - ✔ Involves recognizing, recording, storing, and analyzing information related to security-relevant activities. The resulting records can be examined to determine which security-relevant activities took place and which user is responsible for them.
Cryptographic Support - ✔ These functions are used when the TOE implements cryptographic functions in hardware, firmware or software.
Communications - ✔ These functional requirements are related to ensuring both the identity of a transmitted information originator and the identity of the recipient. Ensure that an originator cannot deny having sent the message, nor can the recipient deny having received it.
User data protection - ✔ Functions related to protecting user data within a TOE during import, export, and storage.
Identification and Authentication - ✔ Functions ensure that users are associated with the proper security attributes.
Security Management - ✔ Functions intended to specify the management of several aspects of the TOE security functions, security attributes and security data.
Privacy - ✔ These requirements protect a user against discovery and misuse of identity by other users.
Protection of the TOE security functions (TSF) - ✔ These requirements relate to the integrity and management of the mechanisms that provide the TSF and to the integrity of TSF data.
Resource Utilization - ✔ These functions support the availability of required resources such as CPU and storage capacity.
TOE access - ✔ These requirements control the establishment of a user's session.
Bell-LaPadula Model - ✔ A confidentiality model intended to preserve the principle of least privilege.
Biba Integrity Model - ✔ Integrity levels cover inappropriate modification of data and prevent unauthorized users from making modifications to resources and data. Subjects cannot read objects of lesser integrity and cannot write to objects of higher integrity.
Covert Channel - ✔ A communication channel that allows two cooperating processes of different security levels (one higher than the other) to transfer information in a way that violates a system's security policy.
Business Continuity Plan (BCP) - ✔ Describes the critical processes, procedures, and personnel that must be protected in the event of an emergency.
Business Impact Analysis (BIA) - ✔ Evaluates risks to the organization and prioritizes the systems in use for purposes of recovery.

Disaster Recovery Plan (DRP) - ✔ Describes the exact steps and procedures personnel in key departments, specifically the IT department, must follow to recover critical business systems in the event of a disaster that causes the loss of access to systems required for business operations.
Steps for a Business Continuity Plan - ✔ What are the steps for a Business Continuity Plan?

  1. Identify scope
  2. Create the Business Impact Assessment (BIA)
  3. Obtain organizational and financial commitment (sign-off on the plan)
  4. Each department needs to understand its role; a thorough examination of best practices within the organization is needed to meet the objectives in the plan
  5. The BCP project team must implement the plan, including necessary training, testing and ongoing review

c, a, d, b - ✔ Question: Place the following steps of the BCP in the correct sequence: (a) create the BIA; (b) obtain sign-off of the tested BCP; (c) identify the scope of the BCP; (d) write the BCP.
Shared-Site Agreement - ✔ Arrangements between companies with similar data processing centers. Allows companies that enter into an agreement to back up each other when one partner has an emergency.
Using Alternate Sites - ✔ In this agreement the vendor is responsible for providing backup services if the company experiences a critical failure in its systems.
Hot-Site - ✔ Facility assumes the entire burden of providing backup computing services for the customer. Uninterrupted service in a relatively quick time. Most expensive solution. Security risk: data is now stored, backed up and theoretically accessible to a third party.
Cold-Site - ✔ Provides the facilities necessary to run a data processing center. Does not have any of the hardware or software; the customer must deliver the hardware and software.
Warm-Site - ✔ Provides the building and environmental services, with the addition of hardware and communication links already established. The customer applications are not installed, nor are workstations provided.
Service Bureaus - ✔ Provide backup processing services at a remote location. Quick response but high cost. Perform primary application processing such as payroll systems and have extra capacity for DRP services.

Mobile Units - ✔ A third-party vendor provides a data processing center on wheels, with an air conditioning and power system.
The Cloud - ✔ Virtualized storage of applications and their data; the customer finds its data backed up and available for immediate recovery.
Multiple centers - ✔ Processing is distributed across multiple centers that are in-house or part of a shared-site agreement.
Walk-throughs - ✔ Method of testing the DRP: members of the key business units meet to trace their steps through the plan, looking for omissions and inaccuracies.
Simulations - ✔ Method of testing the DRP: critical personnel meet to perform a dry run of the emergency, mimicking the response to a true emergency as closely as possible.
Checklists - ✔ Method of testing the DRP: a more passive type of testing; members of departments check off the tasks for which they are responsible.
Parallel testing - ✔ Method of testing the DRP: the backup processing occurs in parallel with production services, which never stop.
Full interruption - ✔ Method of testing the DRP: a true/false test; production systems are stopped as if a disaster occurred to see how the backup services perform.
Military and Intelligence attacks - ✔ What type of attack: criminals and intelligence agents illegally obtain classified and sensitive military information and police files.
Business attacks - ✔ Increasing competition between companies frequently leads to illegal access of proprietary information.
Financial Attacks - ✔ Banks and other financial institutions provide attractive targets for computer criminals.
Grudge Attacks - ✔ Companies are increasingly wary of disgruntled employees who feel mistreated and exact their revenge using computer systems.
Thrill Attacks - ✔ Hacking computer systems for the fun of it, for bragging rights, or simply for a challenge.
Rogue Code - ✔ What type of computer crime: the user inadvertently launches software that can log a user's keystrokes and either send them to a remote server or perform other undesirable activities such as deleting files or destroying the OS.
Dumpster Diving - ✔ What type of computer crime: this no-tech criminal technique is the primary cause of ID theft. The criminal digs through trash.

Spoofing of Internet Protocol Addresses - ✔ What type of computer crime: the attacker sends a message with a false originating IP address to convince the recipient that the sender is someone else. Masquerades as a legitimate Internet site by using that site's IP address.
Emanation eavesdropping - ✔ What type of computer crime: the attacker intercepts radio frequency signals emanated by wireless computers to extract sensitive or classified information. The TEMPEST program addresses this problem by requiring shields on computers transmitting such data. The TEMPEST program has created a cottage industry of companies that create protective equipment to prevent foreign spies from collecting stray computer signals issued from DOD labs or embassies.
Embezzlement - ✔ What type of computer crime: stealing money by manipulating software or databases.
Information warfare - ✔ What type of computer crime: includes attacks upon a country's computer network to gain economic or military advantage.
Civil Law - ✔ Law written to compensate individuals who were harmed through wrongful acts known as torts. A tort can be intentional or unintentional. Compensation is financial but does not involve imprisonment.
Criminal Law - ✔ Law that punishes those who violate government laws and harm an individual or group. Includes imprisonment in addition to financial penalties.
Regulatory Law - ✔ Administrative laws that regulate the behavior of administrative agencies. Addresses issues that arise between the individual and a public entity. Can exact financial penalties and imprisonment.
Administrative Access Controls - ✔ This is a physical control that addresses the procedural and codified application of physical controls, e.g. planning for and designing the site selection before it is constructed.
Restricting Work Areas - ✔ This is a physical control that restricts different access privileges based on the department or area a person is attempting to enter.
Visitor Control - ✔ This is a physical control that requires someone visiting the building to sign in and specify the purpose of their visit.
Physical Security Controls - ✔ This control is needed to support defense in depth. Controls for the perimeter of the data center, employee and visitor badging, guard dogs and building lighting.
Perimeter Security Controls - ✔ This control prevents unauthorized access to the facility. Has different states or behaviors depending on the time of day.

Perimeter Intrusion Detection and Assessment System (PIDAS) - ✔ Fencing that uses passive vibration sensors to detect intruders or any attempts to compromise the system.
Operations Security - ✔ Used to identify the controls over software, hardware, media, and the operators and administrators who possess elevated access privileges to any of these resources.
Application-level controls - ✔ Minimize and detect software operational irregularities.
Transaction-level controls - ✔ Provide control over various stages of a transaction.
Process Controls - ✔ Necessary for secure data center operations. Ensure that the principles are implemented in human-based process activities and software-based utilities and other data center management systems.
Trusted Recovery Controls - ✔ Ensure that security is not breached when a computer system crashes.
Fail-Secure system controls - ✔ Preserve the state of the system before the crash and prevent further damage or unauthorized access to the system.
Configuration and Change Management Controls - ✔ Used for tracking and approving changes to a system.
Personnel Security - ✔ Pre-employment screening and mandatory vacation time.
Record Retention Processes - ✔ Refers to how long transactions and other types of computerized or process records should be retained.
Resource Protection - ✔ Protect company resources and assets.
Privileged Entity Controls - ✔ Given to operators and system administrators as special access to computing resources. Ensure individual accountability for all actions taken while logged in as administrator.
Media Viability Controls - ✔ Needed for properly marking and handling assets.
Operations Process Controls - ✔ Impose controls to limit the damage they can cause and protect them from themselves.
Identification - ✔ Uniquely identifies the users of an information system.
Authentication - ✔ Permits the system to verify someone's identification credential.
Least Privilege - ✔ Ensures confidentiality. Give people the least amount of access to a system that they need to perform the job they are doing.

Information Owner - ✔ Maintains overall responsibility for the information within an information system. Must make the decisions about who uses the system and how to recover the system in case of a disaster.
Discretionary Access Control (DAC) - ✔ Dictates that the information owner is the one who decides who gets access to the system.
Access Control Lists (ACL) - ✔ A list or a file of users who are given the privilege of access to a system or a resource.
User Provisioning - ✔ The activity of bringing new employees into an organization; includes granting them access to the systems that they need to perform their duties.
Mandatory Access Control (MAC) - ✔ Also called non-discretionary access control. The system decides who gains access to information based on the concepts of subjects, objects and labels. Mainly used in military and governmental systems.
Role-Based Access Control (RBAC) - ✔ Groups users with a common access need. Assign a role for a group of users who perform the same job functions and require similar access to resources.
Repudiation - ✔ Act of denying participation in a transaction or system access.
Two-Factor Authentication - ✔ Something you have plus something you know.
Three-Factor Authentication - ✔ Something you have plus something you know plus something you are.
Single Sign-On (SSO) - ✔ System where users have one password for all corporate and back-office systems and applications that they need to perform their jobs.
Password or PIN Vault - ✔ Programs use secure methods to locally store IDs and passwords that are protected by a master password that unlocks the vault when it is needed.
Kerberos - ✔ Network authentication protocol. Designed to provide authentication for client/server applications by using symmetric key cryptography.
Federated Identity - ✔ Examples include Facebook, where sites that have an arrangement with Facebook can log in users to their site without requiring them to create a unique ID and password.
Remote Access Dial-In User Service (RADIUS) - ✔ A client/server protocol and software that enables remote access users to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.

Virtual Private Network (VPN) - ✔ A user connects to the internet via his or her ISP and initiates a connection to the protected network, creating a private tunnel between endpoints that prevents eavesdropping or data modification. Encrypted authentication of the senders and receivers of messages and traffic, so it is invulnerable to MitM.
Applied Cryptography - ✔ The science of secret writing; enables the storage and transfer of information in forms that reveal it only to those permitted to see it, while hiding that information from everyone else.
Cryptosystem - ✔ Disguises messages, allowing only selected people to see through the disguise.
Cryptography - ✔ The science of designing, building and using cryptosystems.
Cryptanalysis - ✔ The science of breaking a cryptosystem.
Cryptology - ✔ The umbrella study of cryptography and cryptanalysis.
Cryptographers - ✔ Rely on two basic methods of disguising messages: transposition and substitution.
Transposition - ✔ Letters are rearranged into a different order.
Substitution - ✔ Letters are replaced by other letters and/or symbols.
ROT13 - ✔ Rotates the alphabet 13 places.
Substitution - ✔ ROT13 and Caesar ciphers are what?
Symmetric Keys - ✔ Use the same key to both encrypt and decrypt a message.
Asymmetric Keys - ✔ A message is encrypted using one key and can be decrypted only using the other one, and vice versa. Public key and private key. The two keys are mathematically related, but neither can be derived from the other.
RSA - ✔ DES uses what algorithm?
Rijndael - ✔ AES uses what algorithm?
Symmetric Keys - ✔ DES, 3DES, AES.
Hashing - ✔ Transformation of data into distilled forms that are unique to the data.

One-Way Hashing - ✔ Easy to do and nearly impossible to undo.
Digesting Data / Message Digest - ✔ A computer program or a document is run through a one-way hashing formula to produce a small numeric value that is unique but easily repeatable for that exact stream of data.
Digesting Data / Message Digest - ✔ SHA and MD are techniques of what?
Digital Signature - ✔ The process in which, after computing the message digest, you encrypt it using your private key and append the encrypted message digest to your original message.
Digital Envelope - ✔ Encrypt both the message and the digest with the recipient's public key.
X.509 - ✔ Certificate that attaches a person's identity to a pair of cryptographic keys.
Message Authentication Code (MAC) - ✔ Hash-type functions used with symmetric key cryptography.
PPK Cryptography - ✔ What are these: Secure Sockets Layer (SSL), Transport Layer Security (TLS), Pretty Good Privacy (PGP), Secure Multipurpose Internet Mail Extensions (S/MIME), Secure Electronic Transactions (SET)?
Secure Sockets Layer (SSL) - ✔ Most popular form of PPK and has become the standard for transporting private information across the internet. Ensures the privacy of the connection, authenticates a peer's identity, and establishes a reliable transport mechanism for the message using integrity checks and hashing functions. Prevents unwanted tampering with data transmission: eavesdropping, data alteration, or message forgery.
Transport Layer Security (TLS) - ✔ Provides communications privacy over the internet. Allows communication in ways that are designed to prevent eavesdropping, tampering, or message forgery.
Pretty Good Privacy (PGP) - ✔ Distributed key-management approach that does not rely on certificate authorities. Users can sign one another's public keys. Primarily encrypts electronic mail. Uses RSA.

Secure/Multipurpose Internet Mail Extensions (S/MIME) - ✔ Based on RSA. Electronic mail encryption and digital signatures.
Secure Electronic Transaction (SET) - ✔ Designed to address most of the consumer demands for privacy when using a credit card to shop online. Uses multiple forms of symmetric key cryptography.
7 layers - ✔ How many layers are in the ISO data flow stack?
Application Layer - ✔ Which ISO layer consists of standard communication services and applications that everyone can use?
Presentation Layer - ✔ Which ISO layer ensures that information is delivered to the receiving machine in a form that it can understand?
Session Layer - ✔ Which ISO layer manages the connections and terminations between cooperating computers?
Transport Layer - ✔ Which ISO layer manages the transfer of data and assures that received and transmitted data are identical?
Network Layer - ✔ Which ISO layer manages data addressing and delivery between networks?
Data Link Layer - ✔ Which ISO layer handles the transfer of data across the network media?
Physical Layer - ✔ Which ISO layer defines the characteristics of the network hardware?
Transmission Control Protocol (TCP) - ✔ A reliable service that maintains the proper sequence of incoming packets and acknowledges receipt to the user.
User Datagram Protocol (UDP) - ✔ A less robust version of TCP. It does not acknowledge receipt of packets and is a connectionless and less reliable service. Faster and lower overhead than TCP.
Transport Layer - ✔ Which layer are TCP and UDP in?
Network Layer - ✔ Which layer are Internet Protocol, Address Resolution Protocol, Reverse Address Resolution Protocol and Internet Control Message Protocol in?

Traffic Padding - ✔ Technique by which spurious data is generated to disguise the amount of real data being sent, thus making traffic analysis or decryption more difficult for the attacker.
Routing Control - ✔ The internet has routes between networks. When a network drops, the routing control processor determines in real time the optimal path, to reduce downtime.
Local Area Network (LAN) - ✔ A network configuration designed for a limited space or geographic area, such as a series of offices in the same building.
Campus Area Network (CAN) - ✔ Type of LAN used to connect buildings through a network backbone.
Metropolitan Area Network (MAN) - ✔ Type of LAN used to connect branches of an organization using wireless devices over a long distance between branches (the size of a city).
Wide Area Network (WAN) - ✔ A group of smaller LANs connected logically or physically. Covers a larger geographic area than a LAN. Can span an entire nation or even the globe using satellites. Can combine subnetworks such as intranets, extranets, and VPNs to provide enhanced capabilities.
Intranet - ✔ Local or wide area network based on TCP/IP but with fences (firewalls) that limit the network's access to the internet.
Extranet - ✔ An intranet that allows select users outside the firewalls to access the site.
Network Address Translation (NAT) - ✔ Used on perimeter routers; its purpose is to hide the internal device IP addresses from internet users.
Packet Filtering - ✔ Matches all packets against a series of rules. If the packet matches a rule, an action is performed: the packet is accepted, rejected, logged and so forth. Allows flow in and out.
Stateful Inspection Packet Filtering - ✔ Filters traffic based on more than just source, destination, port and protocol type. Keeps track of the state of the current connection to help ensure that only desired traffic passes through. Creation of one-way rules.
Application-Level Gateway Firewall - ✔ Type of firewall that enables the network administrator to implement stricter security policies than packet-filtering routers can manage. Special-purpose code (a proxy service) is installed on the gateway for each desired application.

Proxy Server - ✔ Sits between the user's application, such as a web browser, and the server providing the application services and resources. Designed to filter websites and improve performance.
Bastion Hosts (Application Level Gateway) - ✔ Allow information to flow between systems but do not allow the direct exchange of data.
Packet Filtering Firewall - ✔ Same as a packet-filtering router. If the single packet-filtering router is penetrated, every system on the private network could be compromised.
Screened Host Firewall - ✔ Employs both a packet-filtering router and a bastion host. Implements both Network Layer security (packet filtering) and Application Layer security (proxy services). An intruder has to penetrate two separate systems to compromise it. Outside systems can access only the bastion host; traffic addressed to all other internal systems is blocked.
Demilitarized Zone (DMZ) or Screened-Subnet Firewall - ✔ Employs two packet-filtering routers and a bastion host. The network administrator places the bastion host, information servers, modem pools, and other public servers on the DMZ network. The DMZ is positioned between the internet and the private network. The DMZ is configured so that systems on the internet and systems on the private network can access only a limited number of systems on the DMZ network, but the direct transmission of traffic across the DMZ is prohibited.
Restrictive Posture - ✔ Prohibit everything that is not expressly permitted.
Permissive Policy - ✔ Permit everything that is not expressly denied.
Misuse Intrusions - ✔ Well-defined attacks on known weak points within a system. Detected by watching for certain actions being performed on certain objects (pattern matching on audit trails).
Anomaly Intrusions - ✔ Based on observations of deviations from normal system usage patterns. Detected by building up a profile of the system in question and detecting significant deviations from this profile. No fixed pattern.
False Positive - ✔ Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.
False Negative - ✔ Occurs when an actual intrusive action has occurred, but the system allows it to pass as nonintrusive behavior.
Subversion - ✔ Error that occurs when an intruder modifies the operation of the intrusion detector to force false negatives to occur.

Intrusion Prevention System (IPS) - ✔ This system sits right behind the firewall, in line with network traffic, and performs an additional layer of traffic analysis. Responses: sends alarms to the administrator, blocks traffic from the source address, resets the connection.
IPSec - ✔ Encapsulating an IP packet within another packet that surrounds it and then encrypting the result. Designed to operate at the Network Layer.
Sender authentication, message integrity, confidentiality - ✔ Communication using computer networks can be deemed secure only when it meets these requirements. IPSec meets these requirements using the Authentication Header (AH) and the Encapsulating Security Protocol (ESP).
Transport Mode - ✔ Protection is applied to upper-layer protocols.
Tunnel Mode - ✔ The entire IP packet is wrapped inside a new IP packet and attached to a new IP header before it is transmitted through the public network.
Authentication Header (AH) - ✔ Modifies IP datagrams by adding an attribute field that enables receivers to check the authenticity of the data within the datagram.
Encapsulating Security Protocol (ESP) - ✔ Encrypted data is sandwiched between an ESP header and an ESP trailer.
Internet Key Exchange (IKE) - ✔ Combination of the Internet Security Association and Key Management Protocol (ISAKMP) and Oakley.
Oakley Key Determination Protocol - ✔ Exchanges session keys on internet hosts and routers. Uses a hybrid Diffie-Hellman (allows two users to exchange a key over an insecure medium without any prior association or set of steps).
Fraud - ✔ Stolen credit card data.
Account Takeover - ✔ Stolen log-in.
Identity Theft - ✔ Stolen personally identifiable information (PII) used to open new lines of credit.