1.1 Flashcards
CIA Triad
-confidentiality
-integrity
-availability
confidentiality
Involves using techniques (typically cryptography and access control) so that only approved subjects are able to view information
what technique does confidentiality generally use?
cryptography
what does confidentiality measure?
As a measurable property, confidentiality reflects how hard it is for an attacker to gain unauthorized access to data or information in an application or system
confidentiality info includes:
-passwords
-cryptographic keys
-personally identifiable information (PII)
-personal health information (PHI)
-intellectual property (IP)
examples of confidentiality:
- Using an IPsec virtual private network (VPN) to protect data in transit
- Leveraging mutual Transport Layer Security (TLS) between a web browser and a web server or controller
- Storing sensitive data or credentials in a protected mobile device partition or secure enclave
- Implementing Advanced Encryption Standard (AES) encryption on data at rest in storage (file, block, object, databases, etc.)
integrity
Involves safeguarding against improper information modification or destruction
Is the property that data or information have not been altered or damaged in an unauthorized way
examples of integrity:
- An operating system that computes and compares a checksum when a file is moved or copied from one volume to another
- A frame check sequence (FCS) computed on an Ethernet frame when it is sent from one MAC address to another
- A hash-based message authentication code (HMAC) applied to advertisements exchanged between neighbor systems such as routers or gateways, so a neighbor without the shared key cannot forge or alter them
- Implementation of an integrity model such as Biba (a mandatory access control model) or Clark-Wilson
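The first and third integrity examples above, worked through in code. This is an added example, not material from the original flashcards: the "file" contents, the routing advertisement and the neighbor key are constructed here. It shows the difference between a plain checksum (anyone can recompute it, so it only catches accidental change) and an HMAC (only holders of the shared key can produce a valid tag, so it also catches deliberate forgery), and why the tag is compared in constant time.

```python
import hashlib
import hmac

# Constructed sample "file" contents and a constructed shared neighbor key
# (both invented for this example; not real configuration or key material).
ORIGINAL = b"interface GigabitEthernet0/1\n ip address 10.0.0.1 255.255.255.0\n"
NEIGHBOR_KEY = b"example-neighbor-key-not-real"


def checksum(data: bytes) -> str:
    """SHA-256 of a file's bytes. Detects accidental corruption during a copy or
    move and is collision-resistant, but anyone can recompute it, so it does
    not prove who produced the data."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(src: bytes, dst: bytes) -> bool:
    """What an OS or backup tool does after copying across volumes."""
    return checksum(src) == checksum(dst)


def sign_advertisement(key: bytes, advert: bytes) -> bytes:
    """HMAC-SHA256 over a routing advertisement. Without the shared neighbor key
    an attacker can neither forge a new advert nor alter an existing one."""
    return hmac.new(key, advert, hashlib.sha256).digest()


def verify_advertisement(key: bytes, advert: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking, via timing, how many tag bytes matched
    return hmac.compare_digest(sign_advertisement(key, advert), tag)


def demo():
    """Returns (copy intact, tampered copy detected?, genuine advert accepted,
    altered advert rejected, advert with wrong key rejected)."""
    tampered_copy = ORIGINAL.replace(b"10.0.0.1", b"10.0.0.9")
    copy_ok = verify_copy(ORIGINAL, ORIGINAL)
    copy_tampered = verify_copy(ORIGINAL, tampered_copy)

    advert = b"HELLO router-id=10.0.0.1 area=0"  # constructed advertisement
    tag = sign_advertisement(NEIGHBOR_KEY, advert)
    genuine = verify_advertisement(NEIGHBOR_KEY, advert, tag)
    altered = verify_advertisement(NEIGHBOR_KEY, advert.replace(b"area=0", b"area=1"), tag)
    wrong_key = verify_advertisement(b"not-the-neighbor-key", advert, tag)
    return copy_ok, copy_tampered, genuine, altered, wrong_key


if __name__ == "__main__":
    print(demo())  # (True, False, True, False, False)
```

The checksum alone would not help against a hostile neighbor: an attacker who can rewrite the advertisement can rewrite the checksum too. The HMAC ties the tag to the shared key, which is why routing protocols authenticate neighbor traffic with a keyed MAC rather than a bare hash.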
Availability
The process of ensuring timely and reliable access to and use of information
availability is a property of:
data, information, applications, systems, or services that are accessible and usable upon demand by an authorized subject
high availability
A failover capability that keeps a service available during device or component interruptions, both planned (maintenance) and unplanned (failure)
examples of availability:
Implementing security controls that protect systems and services from spoofing, flooding, denial-of-service (DoS) and distributed denial-of-service (DDoS), poisoning, and other attacks that degrade the ability to deliver data, content, or services
non-repudiation
Refers to enforcing the inability of a subject to deny that they participated in a digital transaction, agreement, contract, or communication such as an email
non-repudiation example:
If you take a pen and sign a (legal) contract, your signature is a non-repudiation mechanism; a digital signature plays the same role for electronic transactions
what are the 3 components of AAA?
-Authentication
-Authorization
-Accounting
Authentication
The process of validating that an entity (user, application, or system) is who or what it claims to be
-mandatory (must happen before authorization)
Authorization
The process of granting an authenticated entity permission to access a resource or perform a specific function
-optional
Accounting
Records what an authenticated entity did: when the session began, when it ended, how long it lasted, and which resources were used
Character mode
Sends keystrokes and commands (characters) to a network admission device for the purpose of configuration or administration on THAT same device
Packet (or network) mode
Occurs when the network admission device serves as an authentication proxy on behalf of services in other networks such as the web, File Transfer Protocol (FTP), domain name system (DNS), etc.
Transmission Control Protocol (TCP)
Connection-oriented transport: the three-way handshake completes before the authentication exchange begins
Accounting is generally implemented for two use cases:
- Monitoring, visibility, and reporting
- Billing, chargeback, and reporting
Remote Authentication Dial-In User Service (RADIUS)
One of the most popular Internet Engineering Task Force (IETF)-based AAA services (RFC 2865 for authentication/authorization, RFC 2866 for accounting), carried over UDP and known for its strong accounting capabilities
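A worked view of the RADIUS wire format the card refers to, as an added example that is not part of the original flashcards or of any vendor's code: a client builds an Access-Request (with the User-Password hidden as RFC 2865 section 5.2 specifies) and an Accounting-Request (whose Request Authenticator is the RFC 2866 MD5 over the packet and the shared secret), and the server side recovers the password and verifies that the accounting record was not altered. The shared secret, user, session identifier and NAS address are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed example of the RFC 2865/2866 packet format. The shared secret,
# usernames, session id and addresses are invented for this demonstration.
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46
ACCT_START, ACCT_STOP = 1, 2


def encode_attrs(pairs):
    """Each attribute is Type(1) Length(1, including this header) Value(<=253)."""
    out = b""
    for attr_type, value in pairs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def hide_password(secret, authenticator, password):
    """RFC 2865 s5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the first with MD5(secret + Request
    Authenticator). This is secret-keyed obfuscation, not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(secret, authenticator, hidden):
    """Server side: same chain, feeding the received ciphertext blocks back in."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # padding is NUL, so a password cannot end in NUL


def access_request(secret, ident, user, password, nas_ip, request_auth=None):
    req_auth = request_auth or os.urandom(16)  # must be unpredictable and unique
    attrs = encode_attrs([
        (USER_NAME, user),
        (USER_PASSWORD, hide_password(secret, req_auth, password)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def accounting_request(secret, ident, user, session_id, status, session_time=0):
    attrs = encode_attrs([
        (USER_NAME, user),
        (ACCT_STATUS_TYPE, struct.pack("!I", status)),
        (ACCT_SESSION_ID, session_id),
        (ACCT_SESSION_TIME, struct.pack("!I", session_time)),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 s3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)
    req_auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + req_auth + attrs


def parse(packet):
    """Decode header and attributes with the length checks a server must perform."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad packet length")
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[i + 2:i + attr_len]
        i += attr_len
    return code, ident, packet[4:20], attrs


def verify_accounting_request(secret, packet):
    """Recompute the authenticator; a record forged or edited in transit fails."""
    code, _, received_auth, _ = parse(packet)
    if code != ACCOUNTING_REQUEST:
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, received_auth)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = access_request(secret, 7, b"alice", b"correct horse", "10.0.0.1")
    code, ident, req_auth, attrs = parse(pkt)
    print("recovered:", reveal_password(secret, req_auth, attrs[USER_PASSWORD]))
    acct = accounting_request(secret, 8, b"alice", b"sess-0001", ACCT_STOP, 3600)
    print("accounting record authentic:", verify_accounting_request(secret, acct))
```

Two practitioner points fall out of the code: the password hiding depends entirely on the shared secret and on a fresh Request Authenticator, so a weak or reused secret (or a predictable authenticator) exposes every password on the wire, and Access-Request itself carries no integrity check, which is why Message-Authenticator (RFC 2869) or RADIUS over TLS is used in practice. Accounting records, by contrast, are authenticated against the secret, which is part of why RADIUS accounting is trusted for billing and chargeback.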
authenticating people
Confirming that they are who they claim to be, so that only subjects holding authorized credentials gain access to secure systems
the most common factors for authenticating people:
A username (often an email or webmail address) combined with a password
The subjects that can also be authenticated besides people are often called "non-person entities" (NPEs):
- Laptops and tablets
- Mobile devices
- Gateways and load balancers
- Robotics systems
- Embedded devices
- Internet of Things (IoT) endpoints
Endpoint (or device) authentication
A security technique designed to ensure that only authorized devices can connect to a given network, site, or service
Endpoint fingerprinting
One way to enable authentication of non-traditional network endpoints such as smart card readers, HVAC systems, medical equipment, and IP-enabled door locks
endpoint authentication methods
- A shared secret key stored on endpoints (e.g., wireless pre-shared keys) or infrastructure devices
- An X.509 v3 device certificate stored by a software application
- A cryptographic key, certificate, or other credential stored at the hardware level in a trusted platform module (TPM)
- A key stored in a hardware security module (HSM)
- A Protected Access Credential (PAC), as used by EAP-FAST in a Cisco infrastructure
Authorization model: Discretionary access control (DAC)
Leaves access control decisions to the resource owners and custodians
**most prone to privilege creep
DAC offers:
Flexibility and fine-grained control for resource owners, but because every owner decides independently it can also result in inconsistent access control decisions
privilege creep
gradual accumulation of access rights beyond what individuals need to do their job
Authorization model: Role-based access control (RBAC)
grants access based on predefined roles or job titles
Users are assigned roles, and access rights are associated with these roles
examples of RBAC
- Various roles in a hospital or medical center
- Built-in roles in a database management system
Authorization model: Mandatory access control (MAC)
A strict, system-enforced model where access to resources is determined by the system from predefined security labels and rules, not by the resource owner
**This is a "non-discretionary" model
examples of security labels (clearances assigned to subjects, classifications assigned to objects):
-top secret
-secret
-confidential
Authorization model: Attribute-based access control (ABAC)
grants access based on a combination of characteristics associated with users,
resources, and environmental conditions
ABAC attributes can include:
user attributes (job title, department)
resource attributes (sensitivity level,
classification)
environmental attributes (time of access, location)
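The four authorization models on the cards above (DAC, RBAC, MAC, ABAC), applied to one and the same access request so their differences are visible. This is an added example, not from the original flashcards: the subjects, the hospital chart, the role table and the ABAC policy are all constructed, and the MAC rules shown are the Bell-LaPadula confidentiality rules (no read up, no write down).

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed example (not from the page): one request evaluated under
# DAC, RBAC, MAC and ABAC. Names, roles, labels and policy are invented.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
ROLE_PERMS = {"nurse": {"read"}, "physician": {"read", "write"}, "billing": {"read"}}


@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)     # RBAC
    clearance: int = 0                          # MAC label
    department: str = ""                        # ABAC attribute


@dataclass
class Resource:
    name: str
    owner: str                                  # DAC: the owner decides
    acl: dict = field(default_factory=dict)     # DAC: grantee -> set of actions
    classification: int = 0                     # MAC label
    department: str = ""                        # ABAC attribute


def dac_allows(subj, res, action):
    """Owner is always allowed; anyone else only if the owner granted it."""
    return subj.name == res.owner or action in res.acl.get(subj.name, set())


def dac_grant(owner, res, grantee, action):
    """Delegation is what makes DAC flexible, and what lets grants pile up (privilege creep)."""
    if owner.name != res.owner:
        raise PermissionError("only the owner may grant access")
    res.acl.setdefault(grantee, set()).add(action)


def rbac_allows(subj, action):
    """Access follows the role, never the individual."""
    return any(action in ROLE_PERMS.get(role, set()) for role in subj.roles)


def mac_allows(subj, res, action):
    """System-enforced labels (Bell-LaPadula): read needs clearance >= classification
    (no read up); write needs clearance <= classification (no write down), so a
    secret-cleared user cannot copy secret data into an unclassified object."""
    if action == "read":
        return subj.clearance >= res.classification
    if action == "write":
        return subj.clearance <= res.classification
    return False


def abac_allows(subj, res, action, env):
    """Policy over user, resource and environment attributes (constructed policy)."""
    same_dept = subj.department == res.department
    business_hours = time(8) <= env["time"] <= time(18)
    on_site = env["location"] == "onsite"
    if action == "read":
        return same_dept and (on_site or business_hours)
    if action == "write":
        return same_dept and on_site and business_hours
    return False


def evaluate_all(subj, res, action, env):
    return {
        "DAC": dac_allows(subj, res, action),
        "RBAC": rbac_allows(subj, action),
        "MAC": mac_allows(subj, res, action),
        "ABAC": abac_allows(subj, res, action, env),
    }


def demo():
    """Returns the decisions before a DAC grant, after it, and for the owner at night."""
    alice = Subject("alice", roles={"nurse"}, clearance=LEVELS["secret"], department="cardiology")
    bob = Subject("bob", roles={"physician"}, clearance=LEVELS["confidential"], department="cardiology")
    chart = Resource("chart-42", owner="bob", classification=LEVELS["secret"], department="cardiology")
    day_remote = {"time": time(10), "location": "remote"}
    night_remote = {"time": time(23), "location": "remote"}
    before = evaluate_all(alice, chart, "read", day_remote)
    dac_grant(bob, chart, "alice", "read")                   # owner delegates
    after = evaluate_all(alice, chart, "read", day_remote)
    owner = evaluate_all(bob, chart, "read", night_remote)   # owner, but cleared too low for MAC
    return before, after, owner


if __name__ == "__main__":
    for label, result in zip(("before grant", "after grant", "owner at night"), demo()):
        print(label, result)
```

The last case is the one worth remembering: under DAC the owner can always read his own chart, but under MAC the system denies him because his clearance is below the object's classification, and under the ABAC policy the off-hours remote request fails regardless of who he is.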
Authorization model: Attribute-based dynamic access control (ABDAC)
Combines the principles of attribute-based access control (ABAC) with dynamic access control (DAC; here "dynamic", not "discretionary")
It considers dynamic factors such as risk assessment, user attributes, resource attributes, and contextual information to make access control decisions in real time
Access control rules define:
The conditions or criteria that must be met for access to be granted
access control rules can be based on several factors:
user attributes
resource attributes
time of access
Access decisions are made by:
Comparing these rules against the context of the access request; for network access control that context is usually the IP network-layer and transport-layer header fields (source and destination addresses, protocol, ports)
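The network form of that comparison, as an added example not taken from the original flashcards: a small rule set is evaluated against the header fields of a request, first match wins, and anything no rule matches hits the implicit deny at the end. The rule set, addresses and time window are constructed; the example also includes a shadowed-rule check, because a rule that can never match is the most common way such lists silently diverge from the policy they were meant to express.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed rule set (not from the page). First match wins, implicit deny
# at the end, as on most firewalls and router ACLs.
RULES = [
    {"action": "permit", "src": "10.10.0.0/16", "dst": "10.20.0.5/32",
     "proto": "tcp", "dport": {443}, "hours": (time(6), time(22))},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "10.20.0.0/24",
     "proto": "tcp", "dport": {22}},
    {"action": "permit", "src": "10.10.5.0/24", "dst": "10.20.0.0/24",
     "proto": "tcp", "dport": {22}},   # never reached: shadowed by the deny above
    {"action": "permit", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "proto": "udp", "dport": {53}},
]


def matches(rule, pkt, now):
    """Compare one rule against the network/transport header fields of a request."""
    if ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    if ip_address(pkt["dst"]) not in ip_network(rule["dst"]):
        return False
    if pkt["proto"] != rule["proto"] or pkt["dport"] not in rule["dport"]:
        return False
    if "hours" in rule:
        start, end = rule["hours"]
        if not (start <= now <= end):
            return False
    return True


def decide(rules, pkt, now):
    """Return (action, index of the matching rule); ('deny', None) is the implicit deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt, now):
            return rule["action"], i
    return "deny", None


def shadowed_rules(rules):
    """Lint: a rule is dead if an earlier, time-unrestricted rule already covers
    all of its sources, destinations, protocol and ports."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if ("hours" not in earlier
                    and earlier["proto"] == later["proto"]
                    and later["dport"] <= earlier["dport"]
                    and ip_network(later["src"]).subnet_of(ip_network(earlier["src"]))
                    and ip_network(later["dst"]).subnet_of(ip_network(earlier["dst"]))):
                dead.append(j)
                break
    return dead


def demo():
    """Constructed requests evaluated against RULES at different times of day."""
    https = {"src": "10.10.1.1", "dst": "10.20.0.5", "proto": "tcp", "dport": 443}
    ssh = {"src": "10.10.5.7", "dst": "10.20.0.9", "proto": "tcp", "dport": 22}
    dns = {"src": "192.0.2.10", "dst": "10.20.0.53", "proto": "udp", "dport": 53}
    return {
        "https_day": decide(RULES, https, time(9)),      # ('permit', 0)
        "https_night": decide(RULES, https, time(23)),   # ('deny', None): outside the window
        "ssh": decide(RULES, ssh, time(9)),              # ('deny', 1): explicit deny first
        "dns": decide(RULES, dns, time(9)),              # ('permit', 3)
        "shadowed": shadowed_rules(RULES),               # [2]
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Rule order is part of the policy: the SSH permit for 10.10.5.0/24 was presumably intended, but it sits below a broader deny and so never fires. A linter like `shadowed_rules` catches that before the change reaches production.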
security control categories (4):
-technical
-managerial
-operational
-physical
technical controls
Security mechanisms implemented and enforced by the systems themselves, either operated manually or, more often, automated and orchestrated
technical controls deliver:
Confidentiality, integrity, authenticity, and availability protections
common technical controls:
*Identity and access management (IAM) engines
*Infrastructure security and device
hardening
*Cryptographic key management and HSMs
*Cloud-based threat modeling tools
*SIEM and SOAR systems
managerial (administrative) controls
define policies, procedures, best practices, and guidelines
examples of managerial controls
- No piggybacking (tailgating)
- Acceptable use policies
- Best practices and guidelines
- Password policies
- Screening, hiring, and termination procedures
- Mandatory vacations
- Training and awareness
operational controls
support ongoing maintenance,
due care, and continual improvement
examples of operational controls:
- Optimizing the change and configuration management database
- Performing tested patch management
- Conducting awareness and training
- Monitoring physical and environmental controls
- Conducting incident response and disaster planning testing and drills
- Performing software assurance initiatives
- Managing mobile devices and mobile applications on an ongoing basis
physical controls
are introduced to protect the
campus, facility, environment, and people
examples of physical controls
- Various physical barriers
- Guards and security teams
- Cameras and surveillance equipment
- Different types of sensors and alarms
- Locking mechanisms
- Secure safes, cabinets, cages, and areas
- Mantraps and Faraday cages
- Fire detection and suppression systems
- Environmental controls
security control types (6):
-Preventative
-Deterrent
-Detective
-Corrective
-Compensating
-Directive
Preventative
Stops an attacker from successfully carrying out an exploit or sustaining an advanced persistent threat
Deterrent
Discourages an attacker from initiating or continuing an attack
Detective
Identifies an attack that is occurring, along with the steps of the kill chain it has reached
Corrective
Restores a system to its state before the negative event occurred; can simply rectify or correct an identified problem
Compensating
Aids controls that are already in place or provides a temporary stopgap solution
Directive
Consists of mandatory policies and regulations that are in place to maintain consistency and compliance