WGU D430 FUNDAMENTALS OF INFORMATION SECURITY WITH VERIFIED ANSWERS 100% CORRECT
DEFINE THE CONFIDENTIALITY IN THE CIA TRIAD.
OUR ABILITY TO PROTECT DATA FROM THOSE WHO ARE NOT AUTHORIZED TO VIEW IT.
EXAMPLES OF CONFIDENTIALITY
A PATRON USING AN ATM CARD WANTS TO KEEP THEIR PIN NUMBER CONFIDENTIAL.
AN ATM OWNER WANTS TO KEEP BANK ACCOUNT NUMBERS CONFIDENTIAL.
HOW CAN CONFIDENTIALITY BE BROKEN?
LOSING A LAPTOP
AN ATTACKER GETS ACCESS TO INFO
A PERSON CAN LOOK OVER YOUR SHOULDER
DEFINE INTEGRITY IN THE CIA TRIAD.
THE ABILITY TO PREVENT PEOPLE FROM CHANGING YOUR DATA AND THE ABILITY TO REVERSE
UNWANTED CHANGES.
HOW DO YOU CONTROL INTEGRITY?
PERMISSIONS RESTRICT WHAT USERS CAN DO (READ, WRITE, ETC.)
EXAMPLES OF INTEGRITY
DATA USED BY A DOCTOR TO MAKE MEDICAL DECISIONS NEEDS TO BE CORRECT OR THE
PATIENT CAN DIE.
DEFINE THE AVAILABILITY IN THE CIA TRIAD.
OUR DATA NEEDS TO BE ACCESSIBLE WHEN WE NEED IT.
HOW CAN AVAILABILITY BE BROKEN?
LOSS OF POWER, APPLICATION PROBLEMS. IF CAUSED BY AN ATTACKER, THIS IS A DENIAL OF
SERVICE ATTACK.
DEFINE INFORMATION SECURITY.
THE PROTECTION OF INFORMATION AND INFORMATION SYSTEMS FROM UNAUTHORIZED
ACCESS, USE, DISCLOSURE, DISRUPTION, MODIFICATION, OR DESTRUCTION IN ORDER TO
PROVIDE CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY.
DEFINE THE PARKERIAN HEXAD AND ITS PRINCIPLES.
THE PARKERIAN HEXAD INCLUDES CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY FROM THE
CIA TRIAD. IT ALSO INCLUDES POSSESSION (OR CONTROL), AUTHENTICITY, AND UTILITY.
AUTHENTICITY
WHETHER THE DATA IN QUESTION COMES FROM WHO OR WHERE IT SAYS IT COMES FROM (I.E.
DID THIS PERSON ACTUALLY SEND THIS EMAIL?)
CONFIDENTIALITY IS AFFECTED BY WHAT TYPE OF ATTACK?
INTERCEPTION (EAVESDROPPING)
INTEGRITY IS AFFECTED BY WHAT TYPE OF ATTACKS?
INTERRUPTION (ASSETS ARE UNUSABLE), MODIFICATION (TAMPERING WITH AN ASSET),
FABRICATION (GENERATING FALSE DATA)
AUTHENTICITY IS AFFECTED BY WHAT TYPE OF ATTACKS?
INTERRUPTION (ASSETS ARE UNUSABLE), MODIFICATION (TAMPERING WITH AN ASSET),
FABRICATION (GENERATING FALSE DATA)
UTILITY
HOW USEFUL THE DATA IS TO YOU (CAN BE A SPECTRUM, NOT JUST YES OR NO)
POSSESSION
DO YOU PHYSICALLY HAVE THE DATA IN QUESTION? USED TO DESCRIBE THE SCOPE OF A LOSS
IDENTIFY THE FOUR TYPES OF ATTACKS
INTERCEPTION, INTERRUPTION, MODIFICATION, AND FABRICATION
INTERCEPTION ATTACKS
MAKE YOUR ASSETS UNUSABLE OR UNAVAILABLE
DEVELOPMENT OF ROBUST POLICIES
IDENTIFICATION OF EMERGENT RECENT
IDENTIFY ELEMENTS OF INTERNAL WEAKNESS
IDENTIFY THE LAYERS OF A DEFENSE-IN-DEPTH STRATEGY.
EXTERNAL NETWORK
INTERNAL NETWORK
HOST
APPLICATION
DATA
DEFINE IDENTIFICATION
THE CLAIM OF WHO WE/NETWORKS ARE
DEFINE IDENTITY VERIFICATION.
SOMEONE CLAIMS WHO THEY ARE AND YOU TAKE IT ONE STEP FURTHER AND ASK FOR ID
DEFINE AUTHENTICATION
A SET OF METHODS USED TO DETERMINE IF A CLAIM OF IDENTITY IS TRUE.
COMPARE AUTHENTICATION TYPES.
MULTIFACTOR AUTHENTICATION
MUTUAL AUTHENTICATION
IDENTIFY PASSWORD SECURITY BEST PRACTICES.
UPPER CASE
LOWER CASE
NUMBERS
SYMBOLS
IDENTIFY THE FACTORS INVOLVED IN A MULTIFACTOR AUTHENTICATION TECHNIQUE.
SOMETHING YOU DO
SOMETHING YOU HAVE
WHERE YOU ARE
DEFINE ACCOUNTABILITY AND ITS BENEFITS
NONREPUDIATION, DETERRENCE, INTRUSION DETECTION AND PREVENTION, AND
ADMISSIBILITY OF RECORDS
AUDITING
HOLD USERS OF YOUR SYSTEM ACCOUNTABLE. A METHODICAL EXAMINATION AND REVIEW OF
AN ORGANIZATION'S RECORDS.
NONREPUDIATION MEASURES
MAKE IT SO THAT SOMEONE CAN'T SEND AN EMAIL AND THEN DENY SENDING IT. USUALLY
WITH A DIGITAL SIGNATURE.
WHICH STANDARDS APPLY TO ANY FINANCIAL ENTITY POLICIES?
GRAMM-LEACH-BLILEY
WHICH STANDARDS APPLY TO PUBLICLY TRADED COMPANIES DOING BUSINESS IN THE U.S.?
SARBANES-OXLEY ACT (SOX)
WHICH STANDARDS APPLY TO THE CREDIT CARD INDUSTRY?
PCI DSS
WHICH CHARACTERISTIC FALLS UNDER ACCOUNTABILITY?
IDENTITY
WHAT COMPANY AUDITS OTHER COMPANIES FOR LICENSING REQUIREMENTS?
BSA
DEFINE CRYPTOGRAPHY, INCLUDING ITS ORIGINS AND INFLUENCERS.
THE SCIENCE OF PROTECTING THE CONFIDENTIALITY AND INTEGRITY OF DATA
SYMMETRIC KEY CRYPTOGRAPHY
THE SENDER AND RECEIVER USE THE SAME KEY FOR ENCRYPTION AND DECRYPTION
ASYMMETRIC KEY CRYPTOGRAPHY
ENCRYPTION THAT USES TWO SEPARATE KEYS: A PUBLIC KEY AND A PRIVATE KEY. THE ADVANTAGE IS
THAT YOU CAN POST THE PUBLIC KEY AND ANYONE CAN SEND YOU AN ENCRYPTED MESSAGE.
HASH FUNCTIONS
MATHEMATICAL ALGORITHMS THAT GENERATE A MESSAGE SUMMARY OR DIGEST (SOMETIMES
CALLED A FINGERPRINT) TO CONFIRM MESSAGE IDENTITY AND INTEGRITY
DIGITAL SIGNATURE
COMPANIES. INCLUDED WITHIN GLBA ARE MULTIPLE SECTIONS RELATING TO THE PRIVACY OF
FINANCIAL INFORMATION. COMPANIES MUST PROVIDE WRITTEN NOTICE TO CONSUMERS OF
THEIR PRIVACY RIGHTS AND EXPLAIN THE COMPANY'S PROCEDURES FOR SAFEGUARDING DATA.
PRIVACY GUIDELINES
GUIDELINES TO FOLLOW TO PROTECT PRIVATE INFORMATION OF PATIENTS
FISMA
FEDERAL INFO SECURITY MANAGEMENT ACT - US LAW THAT REQUIRES FEDERAL AGENCIES TO
CREATE, DOCUMENT AND IMPLEMENT A SECURITY PROGRAM
HIPAA
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT. PROTECTS PATIENT PRIVACY.
FERPA
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT
SOX
SARBANES-OXLEY ACT. THIS LAW REQUIRES PUBLICLY TRADED COMPANIES AND THEIR
INDEPENDENT AUDITORS TO DEMONSTRATE THAT THEIR NUMBERS ARE ACCURATE AND THAT
THEY HAVE PROCESSES IN PLACE TO ENSURE ACCURATE REPORTING. SEVERAL SECTIONS OF THE
LAW HAVE IMPORTANT IMPLICATIONS FOR HUMAN RESOURCE ACTIVITIES.
INDUSTRY COMPLIANCE VS. REGULATORY COMPLIANCE
INDUSTRY COMPLIANCE ISN'T ENFORCED BY THE GOVERNMENT, LIKE REGULATORY
COMPLIANCE. IT'S A GROUP OF STAKEHOLDERS IN THE INDUSTRY THAT GET TOGETHER AND
DECIDE WHAT COMPLIANCE LOOKS LIKE.
COPPA
CHILDREN'S ONLINE PRIVACY PROTECTION ACT
ECC
ASYMMETRIC KEY ALGORITHM, PROVIDES ENCRYPTION, DIGITAL SIGNATURES, KEY EXCHANGE,
BASED ON THE IDEA OF USING POINTS ON A CURVE TO DEFINE THE PUBLIC/PRIVATE KEY, USED
IN WIRELESS DEVICES AND SMART CARDS
RSA
ASYMMETRIC ALGORITHM
SHA
HASHING ALGORITHM
DES
BLOCK CIPHER SYMMETRIC ALGORITHM
MD5
MESSAGE DIGEST 5. A HASHING FUNCTION USED TO PROVIDE INTEGRITY.
PGP
PRETTY GOOD PRIVACY. COMMONLY USED TO SECURE E-MAIL COMMUNICATIONS BETWEEN
TWO PRIVATE INDIVIDUALS BUT IS ALSO USED IN COMPANIES. IT PROVIDES CONFIDENTIALITY,
INTEGRITY, AUTHENTICATION, AND NON-REPUDIATION. IT CAN DIGITALLY SIGN AND ENCRYPT
E-MAIL. IT USES BOTH ASYMMETRIC AND SYMMETRIC ENCRYPTION.
OPERATIONS SECURITY PROCESS
1. IDENTIFICATION OF CRITICAL INFORMATION
2. ANALYSIS OF THREATS
3. ANALYSIS OF VULNERABILITIES
4. ASSESSMENT OF RISKS
5. APPLICATION OF COUNTERMEASURES
OPERATIONS SECURITY
A SECURITY AND RISK MANAGEMENT PROCESS THAT PREVENTS SENSITIVE INFORMATION
FROM GETTING IN THE WRONG HANDS.
COMPETITIVE INTELLIGENCE
THE PROCESS OF GATHERING AND ANALYZING INFORMATION TO SUPPORT BUSINESS
DECISIONS
HAASE'S LAWS: KNOW THE THREATS
IF YOU DON'T KNOW THE THREAT, HOW DO YOU KNOW WHAT TO PROTECT? KNOW THE
THREATS FOR YOUR DATA BASED ON YOUR LOCATION.
HAASE'S LAWS: KNOW WHAT TO PROTECT
IF YOU DON'T KNOW WHAT TO PROTECT, HOW DO YOU KNOW YOU'RE PROTECTING IT? SOME
ORGS CLASSIFY INFORMATION (TOP SECRET).
PORT 80
PROVIDES HYPERTEXT TRANSFER PROTOCOL (HTTP) SERVICES, WHICH SERVES WEB CONTENT.
AES
AES IS THE STANDARD ENCRYPTION ALGORITHM USED BY THE US FEDERAL GOVERNMENT.
SSRF
(SERVER-SIDE REQUEST FORGERY) AN ATTACK THAT TAKES ADVANTAGE OF A TRUSTING
RELATIONSHIP BETWEEN WEB SERVERS. ATTACKER FINDS VULNERABLE WEB APPLICATION,
SENDS REQUEST TO WEB SERVER, WEB SERVER PERFORMS REQUEST ON BEHALF OF ATTACKER.
KISMET
KISMET IS A TOOL COMMONLY USED TO DETECT WIRELESS ACCESS POINTS.
HPING
A TOOL USED TO TEST THE SECURITY OF FIREWALLS AND MAP NETWORK TOPOLOGY.
- CONSTRUCTS SPECIALLY CRAFTED ICMP PACKETS TO EVADE MEASURES THAT HIDE DEVICES
BEHIND A FIREWALL
- SCRIPTING FUNCTIONALITY TO TEST FIREWALL/IDS
BURP SUITE
BURP SUITE IS A WEB ASSESSMENT AND ANALYSIS TOOL THAT LOOKS FOR ISSUES ON WEBSITES
SUCH AS CROSS-SITE SCRIPTING OR SQL INJECTION FLAWS.
FUZZER
A TYPE OF TOOL THAT WORKS BY BOMBARDING OUR APPLICATIONS WITH ALL MANNER OF
DATA AND INPUTS FROM A WIDE VARIETY OF SOURCES, IN THE HOPE THAT WE CAN CAUSE THE
APPLICATION TO FAIL OR TO PERFORM IN UNEXPECTED WAYS