701 - Section 1 Flashcards

1
What is OCSP?
Online Certificate Status Protocol
2
What does CIA stand for?
Confidentiality, integrity, availability
3
What are the control categories?
Technical, managerial, operational, physical
4
Controls implemented using systems, such as operating system controls, firewalls, and antivirus, are examples of what type of control?
Technical
5
Administrative controls associated with security design and implementation, security policies, and standard operating procedures are what type of control?
Managerial
6
Controls implemented by people instead of systems, such as security guards and awareness programs, are what type of control?
Operational
7
What control limits physical access, for example a guard shack, fences, and locks and/or badge readers?
Physical
8
What are the different control types?
Preventative, deterrent, detective, directive, corrective, and compensating
9
What control type blocks access to a resource by using such things as firewall rules, following security policy, a guard shack which checks all identification, and/or door locks?
Preventative
10
What control type discourages an intrusion attempt but does not directly prevent access? These make an attacker think twice by using such things as application splash screens, threat of demotion, a front reception desk, and posted warning signs.
Deterrent
11
Name the control type that identifies and logs an intrusion attempt but may not prevent access; it assists with finding the issue, for example collecting and reviewing system logs, reviewing login reports, regularly patrolling the property, and enabling motion detectors.
Detective
12
What control type applies a control after an event has been detected? It reverses the impact of an event and allows operations to continue with minimal downtime. Examples include backup restoration, creating new policies for reporting security issues, contacting law enforcement, and a fire extinguisher.
Corrective
13
What control type uses other means when existing controls aren’t sufficient, and may be temporary? Examples include a firewall blocking a specific application instead of patching the application, implementing a separation of duties, requiring simultaneous guard duties, and using a generator after a power outage.
Compensating
14
What control type directs a subject towards security compliance and is a relatively weak security control? Examples include storing all sensitive files in a protected folder, creating compliance policies and procedures, training users on proper security policy, or posting a sign for authorized personnel only.
Directive
15
What does CIA stand for?
Confidentiality, integrity, availability
16
In the CIA triad, which one allows only certain information to be known by certain people and/or prevents unauthorized information disclosure?
Confidentiality
17
In the CIA triad, which one ensures data is stored and transferred as intended, and that any modification to the data would be identified?
Integrity
18
In the CIA triad, which one ensures information is accessible to authorized users and is always at the users’ fingertips?
Availability
19
Name three ways that confidentiality is achieved.
Encryption, access controls, two-factor authentication
20
Name four ways that integrity is achieved.
Hashing, digital signatures, certificates, non-repudiation
21
How is availability achieved?
Redundancy, fault tolerance, patching
22
What does non-repudiation add to cryptography?
Proof of integrity, proof of origin with high assurance of authenticity
23
What does proof of integrity offer?
It verifies the data does not change and that it remains accurate and consistent
24
In cryptography, what do we use to ensure proof of integrity?
A hash
25
True or false: a hash associates data with an individual?
False… A hash only tells you if the data has changed
26
Public/private keys are what type of key?
Asymmetric
27
In non-repudiation, how do we achieve proof of origin?
By proving the message was not changed, integrity… By proving the source of the message, authentication… And by making sure the signature isn’t fake, non-repudiation
28
What are the A’s in the AAA framework?
Authentication, authorization, accounting
29
In the AAA framework which one proves you are who you say you are? Which one controls the access that you have? Which one logs resources used?
Authentication, authorization, accounting
30
What do Systems use to authenticate?
A digitally signed certificate on the device
31
What do organizations use to assist with certificate authentication?
A trusted certificate authority
32
What does using an authorization model do for you?
It adds a layer of abstraction, which reduces complexity, and it provides easier-to-understand administration that scales very well
33
What compares where you want to be with where you are currently?
Gap analysis
34
True or false: a gap analysis is an easy process?
False. A gap analysis is an extensive process that requires much planning and communication with stakeholders
35
In gap analysis, what does a standard framework provide?
It provides a known baseline and an end goal
36
What are the three high-level steps to a gap analysis?
Evaluation of people and processes, comparing and contrasting to identify weaknesses, and the final analysis and report
37
What is a holistic approach to network security where everything must be verified and nothing is inherently trusted?
Zero trust
38
What are the two planes of operation in zero trust?
Data and control
39
Which of the planes defines policy rules and determines how packets should be forwarded?
Control
40
Which plane processes the frames, packets, and network data?
Data plane
41
What acts as the gatekeeper by allowing, monitoring, and terminating connections?
The policy enforcement point
42
Where is the process for making an authentication decision?
Policy decision point
43
What evaluates each access decision based on policy and other information sources and provides grant, deny, or revoke access?
Policy engine
44
What communicates with the policy enforcement point, generates access tokens or credentials, and allows or disallows access?
Policy administrator
45
The policy engine and policy administrator make up what?
The policy decision point
46
What sits between the untrusted external world and the trusted enterprise world and communicates with the policy decision point?
The policy enforcement point
47
How is threat scope reduction achieved?
By decreasing the number of possible entry points
48
What is a security zone? What are examples?
A broad category that provides a security-related foundation. Examples include trusted and untrusted, internal and external network, and grouping by organization, for example marketing, accounting, HR
49
What are seven examples of physical security?
Barricades, access control vestibules, fencing, video surveillance, guards and access badges, lighting, sensors
50
What are four methods for disruption and deception?
Honeypots, honeynets, honey files, honey tokens
51
What is a honeypot?
A single device that is used to attract attackers and trap them there
52
What is a Honeynet?
It is a real deception network with servers, workstations, routers, switches, and firewalls, and with one or more honeypots
53
What is a honey file?
Files that are used to attract attackers; an alert can be added for when the file is accessed, creating a virtual bear trap.
54
What are honey tokens?
These are traceable data that will be used to track the attackers. Examples of honey tokens are fake API credentials, fake email addresses, etc.
55
What is change management?
Change management is the formal process for applying a change to a system within an organization.
56
What are the steps for the change approval process?
Completing the requested forms, determining the purpose of the change, identifying the scope of the change, scheduling a date and time for the change, performing an impact analysis, performing a risk assessment, receiving approval, and user acceptance testing
57
Within the change process, what is the difference between ownership and stakeholders?
Owners are the people who need the change to be made, and they own the process. Stakeholders are the people who will be impacted by the change, and they will have input regarding the change.
58
Within change process, what is the impact analysis?
It is the process to identify risks and to identify the scope of the change
59
Within the change process, what is the backout plan used for?
It will be used in the event of a complete failure of the implementation of the change, and it provides a roadmap to revert the changes
60
What is technical change management?
It is putting the change management process into action and/or executing the plan
61
What are the technical considerations within technical change management?
The allow and/or deny list, restricted activities/defining the scope, expected system downtime, expected system restarts, legacy applications with little or no support, system dependencies, documentation
62
What all does PKI encompass?
The policies, procedures, hardware, software, and people to create, distribute, manage, store, and revoke digital certificates
63
What does PKI provide?
Trust in the people and the devices
64
What is symmetric encryption and what is asymmetric encryption?
Symmetric encryption is the use of a single shared key to encrypt and decrypt data. Asymmetric encryption is the use of a private and public key to encrypt and decrypt data.
65
What is a disadvantage and an advantage to symmetric encryption?
Disadvantage: it does not scale very well. Advantage: it is very fast to use, with less overhead than asymmetric encryption. It is often combined with asymmetric encryption.
66
What is the key escrow? And why is it necessary?
It is someone else, a third party, who holds the private keys. It is necessary in the event someone within the organization may require access to a person’s data for legitimate reasons
67
True or false: the private key can be distributed to anyone?
False… The private key should be kept private and in the hands of only the person it belongs to and/or the key escrow. The public key can be provided to anyone.
68
How does basic asymmetric encryption work?
Person one sends an email to person two. Person one combines the content with person two’s public key to create a ciphertext. When person two receives the ciphertext, they use their private key to decrypt the ciphertext into the original format.
69
How do you protect data at rest on storage devices?
Use encryption
70
What are two types of database encryption?
Transparent encryption, which encrypts all database information with a symmetric key, or record-level encryption, which encrypts individual columns using separate symmetric keys for each column
71
What type of encryption protects data traversing the network? Provide examples
Transport encryption; examples include browsers using HTTPS, VPNs using SSL/TLS for client-based VPNs, and IPsec used for site-to-site VPNs
72
Explain encryption algorithms
There are many different ways to encrypt data, and the same algorithm must be used during encryption and decryption, which is agreed upon before the encryption occurs. There are advantages and disadvantages between the different algorithms, for example security level, speed, and complexity of implementation
73
True or false: the cryptographic process is very transparent, with the only unknown being the private key
True
74
What do larger key lengths do for encryption?
They help prevent brute force attacks. For symmetric encryption, 128-bit or larger is common, and these numbers get larger and larger as time goes on. With asymmetric encryption the keys are larger, as they require prime numbers, with common key lengths of 3072 bits or larger.
75
What two processes help with a weak key that is by itself not very secure and subject to brute force attacks?
Key stretching and key strengthening. By performing multiple hashing processes on a weak key, they make it stronger.
76
What are some of the different methods to exchange keys?
Out-of-band key exchange, where the key is physically provided to the other person, for example in person or by courier. In-band key exchange, where the key is provided on a shared network and the key is protected with additional encryption, for example using asymmetric encryption to deliver a symmetric key. Creating a symmetric key from an asymmetric key
77
How does real time encryption/decryption work?
The client encrypts a random symmetric key with a server’s public key. The server will then decrypt this shared key and use it to encrypt the data. This is known as a session key
78
How is a symmetric key created from an asymmetric key?
Object one combines their private key with object two’s public key to create a symmetric key
79
What is a TPM and what are some of the characteristics of it?
A TPM provides cryptography hardware on a device. Some characteristics are that it provides random number/key generators, persistent memory that has unique keys burned in during the manufacturing process, and versatile memory to allow for storage of secure keys.
80
What is an HSM and how is it used?
Hardware security module; it is high-end cryptographic hardware, and it is used in large computing environments to securely store many cryptographic keys.
81
What manages all organization keys from a centralized manager?
A key management system
82
What are some of the services that a key management system provides?
Creates keys for a specific service, associates keys with specific users, rotates keys at regular intervals, and provides logging for key use and important events
83
What is a protected area for our security needs that is often implemented as a hardware processor, which is isolated from the main processor?
A secure enclave
84
What are the security features of a secure enclave?
It has its own boot ROM and a true random number generator, performs real-time memory encryption, and performs AES encryption in the hardware
85
What is the process of making something unclear and much more difficult to understand?
Obfuscation
86
What obfuscation technique hides data within an image?
Steganography
87
In steganography, what is the cover text?
The container document or file
88
What are common steganography techniques?
Using an image, using invisible watermarks on printed documents, embedding network-based messages in TCP packets
89
What are other steganography types?
Audio and video
90
What is the type of obfuscation of replacing sensitive data with a non-sensitive placeholder?
Tokenization
91
What is tokenization commonly used for and how does it work?
Credit card processing. It uses a temporary, one-time-use, pre-established token in place of the sensitive data, which is sent for a reverse DNS lookup at time of usage.
92
What form of obfuscation is used to hide some of the original data and or sensitive data? Provide examples
Data masking… using asterisks in place of sensitive characters, or only showing part of the sensitive data
93
What is a hash?
A short string of text that represents a larger set of data
94
What is another term for hash?
A message digest or a fingerprint
95
What is a collision?
Two separate sets of data that produce the same hash value. A hash value should be unique.
96
What are two practical uses of hashing?
Verifying a downloaded file and password storage
97
What is meant by salting a hash?
Adding random data to a password when hashing
98
What are two purposes of salting a hash?
The same password will create a different hash for each salted value, and it will slow down a brute force attack
99
What type of attack won’t work with salted hashes?
A rainbow table
100
What is the key structure of Blockchain?
A distributed ledger that everyone on the Blockchain network maintains.
101
What are the five steps to a Blockchain transaction?
A transaction is requested; the transaction is sent to every computer on the Blockchain network; the verified transaction is added to the ledger; a secure hash is calculated from the previous blocks of transaction data in the ledger, and that hash is added to the new block; and the block is distributed throughout the chain.
102
How can a Blockchain be rejected?
If any block is altered, its hash and all of the subsequent hashes in the chain are automatically recalculated. This altered chain will no longer match the other chains.
103
What is a public key certificate?
The binding of a public key with a digital signature that also contains other details about the keyholder.
104
What are the two methods for adding trust to a signature?
A certificate authority, and a web of trust
105
What is a web of trust?
When person 1 trusts person 2 and person 2 trusts person 3, then person 1 trusts person 3
106
What is the standard format for a digital certificate?
X.509
107
What are some of the other details stored with a digital certificate?
Serial number, version, signature algorithm, issuer, name of the certificate holder, public key
108
How is root of trust established?
When someone or something trustworthy provides their approval
109
What entities can provide root of trust?
A certificate authority, an HSM, a secure enclave, or any trusted component
110
What is the CA role when fulfilling a certificate request for a website?
They will vet the request by confirming the owner/requester. There will be additional information that they will require for verification.
111
What are the steps for a CA to sign a certificate?
A certificate signing request is generated, the CA validates the request and the CA digitally signs the certificate and returns it to the applicant
112
What are the three ways to establish digitally signed certificates?
A third-party CA, an organizational in-house CA, self-signed certificates
113
In all instances of digital certificates, what is required in the browser?
Installation of the CA certificate/trusted chain on all devices
114
What is another name for wild card certificates?
Subject Alternative Name (SAN)
115
What is the purpose of a SAN?
It allows a certificate to support many different domains
116
What is a wildcard domain?
A wildcard domain will apply to all server names in a domain, for example *.google.com
117
How is a certificate revocation handled, and by whom?
A certificate revocation list, which is maintained by the certificate authority. This list is changing all of the time.
118
What does OCSP stand for?
Online Certificate Status Protocol
119
What does OCSP stapling provide?
It provides scalability for OCSP checks
120
How does OCSP work?
The certificate holder verifies their own status and this information is stored on the certificate holder’s server. This status is then attached or stapled to the SSL/TLS handshake.
121
How does OCSP stapling work?
The certificate holder verifies their own status and this information is stored on the certificate holder’s server. This status is then attached or stapled to the SSL/TLS handshake.
122
What are advantages and disadvantages to OCSP?
Advantages are that it’s easy to support over the Internet and it is more efficient than downloading a CRL. Disadvantages are that not all browsers and/or applications support OCSP, and if they do, some don’t bother checking.