Chapter 1 Flashcards

1
Q

What are the four categories of security controls?

A

Technical, managerial, operational, physical

2
Q

Technical controls

A
  • controls implemented using systems
  • operating system controls
  • firewalls, antivirus
3
Q

Operational controls

A

- Controls implemented by people instead of systems
- security guards, awareness programs

4
Q

Control types

A

Preventive, deterrent, detective, compensating, directive

5
Q

Preventive control

A
  • block access to a resource
  • you shall not pass
6
Q

Deterrent control

A
  • discourage an intrusion attempt
  • does not directly prevent access
7
Q

Detective control

A
  • identify and log an intrusion attempt
  • may not prevent access
8
Q

Corrective control

A

- Apply a control after an event has been detected
- can reverse the impact with minimal downtime

9
Q

Compensating control

A

- control using other means
- existing controls aren't sufficient
- may be temporary

10
Q

Directive control

A
  • direct a subject towards security compliance
  • a relatively weak security control
11
Q

Preventive technical

A

Firewall

12
Q

Preventive managerial

A

Onboarding policy

13
Q

Preventive operational

A

Guard shack

14
Q

Preventive physical

A

Door lock

15
Q

Deterrent technical

A

Splash screen

16
Q

Deterrent managerial

A

Demotion

17
Q

Deterrent operational

A

Reception desk

18
Q

Deterrent physical

A

Warning signs

19
Q

Detective technical

A

System log

20
Q

Detective managerial

A

Review login reports

21
Q

Detective operational

A

Property patrols

22
Q

Detective physical

A

Motion detector

23
Q

Corrective technical

A

Backup recovery

24
Q

Corrective managerial

A

Policies for reporting issues

25
Corrective operational
Contact authorities
26
Corrective physical
Fire extinguisher
27
Compensating technical
Block instead of patch
28
Compensating managerial
Separation of duties
29
Compensating operational
Require multiple security staff
30
Compensating physical
Power generator
31
Directive technical
File storage policy
32
Directive managerial
Compliance policy
33
Directive operational
Security policy training
34
Directive physical
Sign: Authorized personnel only
35
Are control types inclusive?
No, there are many types of control, and some organizations will combine types
36
What are the three pillars of the triad?
Confidentiality, integrity, availability
37
Confidentiality
Prevent disclosure of information to unauthorized individuals or systems
38
Integrity
Messages won’t be modified without detection
39
Availability
Systems and networks must be up and running
40
Encryption
Encode messages so only certain people can read them
41
Access control
Selectively restrict access to resources
42
Two-factor authentication
Additional confirmation before information is disclosed
43
Hashing
Map data of an arbitrary length to data of a fixed length
44
Digital signatures
Mathematical scheme to verify integrity of data
45
Non-repudiation
Provides proof of integrity, can be asserted to be genuine
46
Redundancy
Build services that will always be available
47
Fault tolerance
Systems will continue to run even when a failure occurs
48
Patching
- stability
- close security holes
49
What does a digital signature provide?
- you can't deny what you've said
- adds a different perspective for cryptography
50
Why use a hash in cryptography?
- represents data as a short string of text
- a message digest, a fingerprint
51
What does hash not tell you?
Doesn’t necessarily associate data with an individual
52
Proof of origin: Authentication
Prove the source(s) of the data received
53
Sign with private key
- the message doesn't need to be encrypted
- no one else can sign this
54
Verify with public key
Any change to the message will invalidate the signature
55
Identification
- this is who you claim to be
- usually your username
56
Login authentication
- prove you are who you say you are
- password and other authentication factors
57
User authorization
- based on your identification and authorization, what access do you have?
58
Accounting
- resources: login time, data sent and received, logout time
59
How can you truly authenticate a device?
Put a digitally signed certificate on the device
60
What happens after the organization creates a certificate for a device?
The organization digitally signs the certificate with the organization’s CA
61
Why is a certificate included on a device as an authentication factor?
The CA's digital signature is used to validate the certificate, and therefore the device
62
Users and services —> data and applications
Associating individual users to access rights does not scale
63
Why is it more efficient to put an authorization model in the middle (users and services -> authorization model -> data and applications)?
The authorization model is defined by roles, organizations, attributes, etc.
64
No authorization model
- a simple relationship
  • user -> resources
- issues with this method
  • difficult to understand why an authorization may exist
  • does not scale
65
Using an authorization model
- add an abstraction
  • reduce complexity
  • create a clear relationship between the user and the resource
- administration is streamlined
  • easy to understand the authorizations
  • support any number of users or resources
66
Gap analysis
- where you are compared with where you want to be
- this can take weeks or months
  • extensive study with numerous participants
  • get ready for emails, data gathering, and technical research
67
Choosing a framework for gap analysis
- work towards a known baseline
  • internal set of goals
  • some organizations should use formal standards, for example NIST Special Publication 800-171 Revision 2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) or ISO/IEC 27001 (Information security management systems)
68
Gap analysis: evaluating people
- get a baseline of employees
  • formal experience
  • current training
  • knowledge of security policies and procedures
69
Gap analysis: evaluating process
- research existing IT systems
- evaluate existing security policies
70
Gap analysis: compare and contrast
- the comparison
  • evaluate existing systems
- identify weaknesses
  • along with the most effective processes
- a detailed analysis
  • examine broad security categories
  • break those down into smaller segments
71
Gap analysis: final comparison
- detailed baseline objectives
- a clear view of the current state
72
Gap analysis: what resources will it take on the pathway from the current security state to the goal?
Time, money, and a lot of change control will occur
73
Zero trust
- holistic approach to network security
- covers every device, every process, every person
74
Zero trust: how is everything verified?
- nothing is inherently trusted
- multi-factor authentication, encryption, system permissions, additional firewalls, monitoring and analytics, etc.
75
Planes of operation
Split the network into functional planes (physical, virtual, and component)
76
Planes of operation: Data plane
- process the frames, packets, and network data
- processing, forwarding, trunking, encrypting, NAT
77
Planes of operation: Control plane
- manages the actions of the data plane
- defines policies and rules
- determines how packets should be forwarded
- routing tables, session tables, NAT tables
78
NAT
Network address translation; performed by firewalls or routers
79
Controlling trust
- adaptive identity: consider the source and the requested resources
- threat scope reduction: decrease the number of possible entry points
- policy-driven access control: combine adaptive identity with a predefined set of rules
80
Security zones
- broad categories provide a security-related foundation
- where you are coming from and where you are going (trusted, untrusted; marketing, IT, accounting, HR)
- using zones may be enough by itself to deny traffic
- some zones are implicitly trusted
81
Policy enforcement point
- subject and systems: end users, applications, non-human entities
- policy enforcement point (PEP): the gatekeeper
- allow, monitor, and terminate connections: multiple components working together
82
What policies need to be applied to put trust in the plane?
- policy decision point: there is a process for making an authentication decision
- policy engine: evaluates each access decision based on policy and other information sources (grant, deny, revoke)
- policy administration: communicates with the policy enforcement point, generates access tokens and credentials, and tells the PEP to allow or disallow access
83
Physical security includes
- barricades/bollards
- access control vestibules
- fencing
- video surveillance
- guards and access badges
- lighting
- sensors
84
Physical security: Barricades/bollards
- prevent access: there are limits to prevention
- channel people through a specific access point: allow people and prevent cars, trucks, and other things
- identify safety concerns and prevent injuries
- can be used to an extreme: concrete barriers/bollards, moats
85
Physical security: access control vestibules
- all doors normally unlocked: opening one door causes the others to lock
- all doors normally locked: unlocking one door prevents the others from being unlocked
- one door open, the other locked: when one is open, the other doors cannot unlock
- one at a time, controlled groups: manage control through an area
86
Physical security: fencing
- build a perimeter: usually very obvious, may not be what you're looking for
- transparent or opaque: see-through or solid fence
- robust: difficult to cut
- prevent climbing: razor wire, build it high
87
Physical security: video surveillance
- CCTV (closed-circuit television): can replicate guards
- camera features: motion recognition that can alarm and alert when something moves, object detection and identification
- often many different cameras: networked together and recorded over time
88
Physical security: guards and access badges
- guards: physical protection at the reception area of a facility; they can validate the identification of existing employees
- two-person integrity/control: minimize exposure to attack, no single person has access to a physical asset
89
Physical security: lighting
- more lighting means more security: attackers avoid light, it's easier to see when lit, IR cameras can see better
- specialized design: consider overall light levels, lighting angles for facial recognition, avoid shadows or glare
90
Physical security: sensors
- infrared: detects infrared radiation in both light and darkness, common in motion detectors
- pressure: detects a change in force, floor and window sensors
- microwave: detects movement across large areas
- ultrasonic: send signals, receive sound waves, detect motion, collision detection
91
Deception and disruption includes
- honeypots
- honeynets
- honey files
- honey tokens
92
Deception and disruption: honeypots
- create a virtual world to explore
- attract the bad guys and trap them there
- the attacker is probably a machine
- different options for honeypots: most are open source and available to download
93
Deception and disruption: honeynets
- build a larger deception network with one or more honeypots
- a real network includes more than a single device: servers, workstations, routers, firewalls, switches
- more than one source of information
94
Deception and disruption: honey files
- bait for the honeypot (passwords.txt); add many honey files to a file share
- attract the attackers with more honey: create files with fake information, something bright and shiny
- an alert is sent if the file is accessed: a virtual bear trap
95
Deception and disruption: honey tokens
- attract the malicious actors: add traceable data to the honeypot; if the data is stolen you will know where it came from
- API credentials: do not actually provide access, notifications are sent when used
- fake email addresses: add them to a contact list, monitor the internet to see who posted them
- honey token examples: database records, browser cookies, web page pixels