1.0 General Security Concepts Flashcards
What do technical controls entail?
File storage policies, Block instead of patch, backup recovery, system logs, splash screen (login page), firewall
What do Managerial controls entail?
People policies like on-boarding, threat of demotion, login reports, reporting issues, separation of duties, compliance policies
What do Operational controls entail?
Awareness programs for IT security, using people to set controls, guard shack, security policy training, require multiple security staff, contact authorities, property patrols, reception desk
PEOPLE
What do Physical controls entail?
Locks, warning signs, fire extinguishers, power generators, authorized personnel signs, badge readers
PHYSICAL THINGS
What is the CIA triad?
Availability, Integrity, Confidentiality
What does non-repudiation mean?
A way to prove that the person who sent a piece of data is who they say they are
What is proof of integrity and how to validate this?
Prove that the data is the same as when it was sent. No tampering involved.
- Hashing algorithms
What is proof of origin and how to validate this?
Proof that the person who sent it is actually them
- Private/public keys
- Certificates
What is a CA, and what does it do?
A CA is a certificate authority that gives out certificates. They do the signing.
How is a CA verified?
By a root CA that allows these CAs to create tickets
Best model for allowing multiple people to access certain files/data?
Role based access
What is Gap Analysis?
Comparing where you are now to where you want to be
What are the two planes for zero trust?
Data Plane and Control Plane
How does data plane differ from control plane?
Data plane is the one actually moving the data while the control plane focuses on rules/policies for how that data is transferred
What are two frameworks for gap analysis and what is the goal of frameworks here?
ISO/IEC 27001 and NIST special publication 800-171 revision
The goal is to establish a baseline of where your company is at for different levels of security, the CIA triad, etc.
How do ISO/IEC 27001 and NIST differ?
ISO/IEC 27001 focuses on information security management systems, while NIST special publication 800-171 revision focuses on protecting controlled unclassified information in nonfederal systems and organizations
What are honeypots, honeynets, honey files, and honey tokens?
Honeypots - Delicious files or data for attackers
Honeynets - Bunch of honeypots that look like an actual system or as real as we can get
Honeyfiles - files that contain fake information
Honeytokens - ways to track this piece of data if a hacker gets it
In change management such as patching or updating, what are some key ideas to think about before updating?
Only the owner can update, and they must make sure everything/everyone is on the same page and working
- Have a backout plan
- Maybe first test in a sandbox
- Make sure approval for all changes is given prior
In technical change management, what are some key ideas here?
Allow and deny lists
- Downtime announcement
- Restart announcement
- Legacy Applications
- Dependencies - what depends on what if you do update
- Documentation of policies
What is symmetric encryption and what is it good for?
A single shared key; you encrypt and decrypt with it.
Good for small limited uses
What is asymmetric encryption and what is it good for?
A public-private key system where the public key is seen by everyone while the private key is only available for one person.
Encrypt with the public key, but only the private key can decrypt it
Key escrow
Someone else holds your decryption keys (a trusted third party)
If you wanted to transport data through the internet safely, what would you use?
HTTPS, VPN
What do client based VPNs use?
SSL/TLS
What do site-to-site VPNs use?
IPsec
A suite of protocols that provides security for IP network communications by authenticating and encrypting data packets, commonly used in VPNs to create secure, encrypted tunnels for data transmission.
Which encryption algo is best, AES or DES?
AES
Because it's more secure, more widely accepted in modern systems, and faster/stronger
What is key stretching?
Hashing multiple times, hashing the hash
Makes it harder to brute force
What are the two types of key exchange?
Out-of-band and in-band key exchange
Basically, in person or over the internet
If we do in band what would we need to add to ensure safety?
Protect the key with additional encryption, like a short-lived encrypt/decrypt key pair
A temporary public/private key pair
What is a symmetric key?
A symmetric key is a single key used for both encryption and decryption in cryptography. Both the sender and receiver must share this same secret key.
Example: AES (Advanced Encryption Standard) is a symmetric key algorithm.
What are some encryption technologies in our computers?
Trusted Platform Module (TPM) and Hardware Security Module (HSM)
What is the difference between TPM and HSM?
TPM (trusted platform module) is usually a little piece of hardware attached to your computer's hardware that stores keys and protects the device in case it is stolen
HSM (hardware security module) is used for larger-scale cryptographic keys; it has redundant power, key backup and secure storage
What is Obfuscation?
Opposite of abstraction, making things harder
What is steganography?
Hide information in an image
What is Data Obfuscation?
Making data harder to decipher
- Like adding ** to a credit card number
What is tokenization for security?
Replace sensitive data with a token
- Used in credit card transactions (tokenizes the transfer of that transaction, then deciphers it once delivered)
What is a Rainbow Table and how does it relate to salting?
A rainbow table is a way to unhash all passwords; you salt each password hash so that the hash is different compared to what is on the rainbow table
What is the standard format for certs?
X.509
What does a cert contain?
A lot of data about itself, like the signature algorithm used, the issuer, extensions and more
What is a root of trust?
The piece of hardware/software that we can 100% trust to be correct, which then allows other hardware/software to be trusted
What are wildcard certs?
Certs that cover a wide range of domains
Usually shown as *.example.com
Will cover domains with example.com at the end
What is key/cert revocation and why can it be a problem?
A list of certs/keys that are no longer good
Can be a problem because the list/file that contains all of these revoked certs is HUGE
How to get around the issue of huge revocation lists?
OCSP stapling
Basically, when you send a file/data you attach the OCSP staple that says "hey, this is already validated"
What is created when you want to create a cert?
A CSR (certificate signing request)
The CA will sign it and give it back