Domain 1 (General Security Concepts) Flashcards
Practice Questions unofficial sources
CIA C
Confidentiality
CIA I
Integrity
CIA A
Availability
This protects information and systems from unauthorized access
Confidentiality definition
This protects information and systems from unauthorized modification
Integrity definition
____ attacks seek to undermine confidentiality
Disclosure
____ attacks seek to undermine integrity
Alteration
This ensures that information and systems are available for authorized users when needed
Availability definition
____ attacks seek to undermine availability
Denial
Steps of the access control process
Identification, authentication, authorization
When an individual makes a claim about their identity (this could be a true or false claim)
Identification definition
When an individual proves their identity to the satisfaction of the access control system
Authentication definition
These are procedures and mechanisms that an organization puts in place to manage security risks
Security Controls definition
When multiple overlapping controls are used to achieve the same control objective, so that the failure of any one control does not defeat the objective
Defense in Depth definition
____ controls stop a security issue from occurring in the first place
Preventive
____ controls identify that a potential security issue has taken place
Detective
____ controls remediate security issues that have already occurred
Corrective
____ controls discourage an attacker from attempting to violate security policies
Deterrent
____ controls inform employees and others what they must do to achieve security objectives
Directive
____ controls fill a known gap in a security environment when the preferred control cannot be implemented
Compensating
____ controls use technology to achieve security control objectives
Technical
____ controls use human-driven processes to manage technology in a secure manner
Operational
____ controls are procedural mechanisms (policies, risk assessments, reviews) that focus on the risk management process itself
Managerial
____ controls that impact the physical world
Physical
Desired state of your information security program weighed against the security analysis of your current state
Gap analysis
Zero trust applies ___ ___ to network access
least privilege
Zero trust relies on strong
authentication and identity management practices, rather than things such as trusting IP addresses
ZTNA
zero trust network access
Where all of the network policy decisions are made
Control plane
Data plane
Where network policy decisions are enforced, and access is granted or not granted
ZTNA separates the networking world into two realms
Control plane and data plane
ZT adaptive identity
Identity is verified continuously using context such as location, device state, and behavior, and the level of trust adapts as that context changes rather than being fixed once at login
ZT threat scope reduction
Limits each user, device, and workload to the smallest set of resources it needs, so a compromised identity or host can reach as little as possible
ZT policy-driven access control
Access decisions are made by a central policy engine according to defined policies, so access rules can change as needs change without re-architecting the network
ZT implicit trust zones
The area behind a policy enforcement point where a subject that has already been authenticated and authorized reaches the resource; zero trust keeps these zones as small as possible instead of treating the whole internal network as trusted
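The four zero-trust ideas on the cards above, written out as a small policy decision point. This is an added example for this deck, not code from any zero-trust product: the users, roles, policy table, and "home country" list are constructed for illustration. The control plane is `evaluate_request()`; a gateway on the data plane would enforce whatever it returns. Note that a source network or country never grants access by itself; it can only lower trust.

```python
"""Added example: a minimal zero-trust policy decision point (control plane).

Everything here (users, roles, resources, HOME_COUNTRIES) is constructed for
illustration and is not any vendor's API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    mfa: bool              # did this session already complete MFA?
    device_compliant: bool  # posture reported by the endpoint agent
    country: str            # geolocation of the request
    resource: str


# Policy-driven access control: rules are data, so policy can change without
# touching the enforcement point. Each rule names the roles allowed to reach a
# resource and the minimum assurance required.
POLICY = {
    "hr-db":      {"roles": {"hr"},        "require_mfa": True,  "require_compliant": True},
    "wiki":       {"roles": {"hr", "eng"}, "require_mfa": False, "require_compliant": False},
    "prod-admin": {"roles": {"eng"},       "require_mfa": True,  "require_compliant": True},
}

HOME_COUNTRIES = {"US"}  # constructed: where logins are normally expected


def evaluate_request(ctx: Context) -> str:
    """Return 'allow', 'step-up' (complete MFA first) or 'deny'.

    Default deny: anything not covered by a rule is refused. Because each role
    is granted only the resources listed for it, a compromised identity reaches
    very little (threat scope reduction).
    """
    rule = POLICY.get(ctx.resource)
    if rule is None or ctx.role not in rule["roles"]:
        return "deny"
    if rule["require_compliant"] and not ctx.device_compliant:
        return "deny"
    # Adaptive identity: the same credentials are trusted less when the context
    # is unusual, so an out-of-region login must re-prove itself even for a
    # resource that normally needs no MFA.
    unusual = ctx.country not in HOME_COUNTRIES
    if (rule["require_mfa"] or unusual) and not ctx.mfa:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    for ctx in (
        Context("alice", "hr", True, True, "US", "hr-db"),
        Context("alice", "hr", False, True, "BR", "wiki"),
        Context("bob", "eng", True, False, "US", "prod-admin"),
        Context("eve", "contractor", True, True, "US", "wiki"),
    ):
        print(ctx.user, ctx.resource, "->", evaluate_request(ctx))
```

The table is deliberately tiny; the point is that every decision is made centrally from identity plus context, and that the enforcement point only ever sees the verdict.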
SASE
Secure Access Service Edge
SDN
Software defined networking
CASBs
Cloud access security brokers
___ locks use physical keys
Preset
___ locks require the user to enter the correct combination
Cipher
____ locks use a physical characteristic of a person to permit access
Biometric
____ locks require that the user present a magnetic stripe or proximity access card
Card reader
Video surveillance systems act as both ___ and ___ controls
deterrent and detective
When two people must enter sensitive areas together
Two person integrity
When two people must jointly approve sensitive actions
Two person control
These are unused but monitored IP address spaces. Administrators set aside a portion of their normal IP address space with no legitimate system using it. If there is activity it is suspicious and likely an attacker
Darknets
Fake records inserted into databases to detect malicious activity
Honeytoken
False stores of sensitive information, files specifically created to resemble sensitive data
Honeyfiles
Systems designed to attract and trap attackers; systems placed on a network with the purpose of intentionally attracting attackers
Honeypots
Large-scale deployments of honeypots
Honeynets
DNS records altered so that traffic bound for an attacker's domain (for example, botnet command-and-control) is redirected to a monitored server instead; a deception and containment technique
DNS Sinkhole
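The darknet and honeytoken cards both describe the same detection idea: set aside something no legitimate user should ever touch, then alert on any touch. The example below is added for this deck and is not from any product; the darknet range, the fake employee record, and the log lines are all constructed.

```python
"""Added example: alerting on darknet traffic and honeytoken use.

DARKNET, HONEYTOKEN_EMAIL, FLOW_LOG and AUDIT_LOG are constructed for the demo.
"""
import ipaddress

# Constructed: a block the organization owns but has never assigned to a host.
DARKNET = ipaddress.ip_network("10.99.0.0/16")
# Constructed: a fake employee record seeded in the directory; nobody should ever mail it.
HONEYTOKEN_EMAIL = "zelda.quimby@example.com"

# Constructed firewall flow records: timestamp,src,dst,dport
FLOW_LOG = """\
2024-05-01T10:00:01Z,10.1.4.22,10.1.4.1,53
2024-05-01T10:00:02Z,10.1.4.22,10.99.12.7,445
2024-05-01T10:00:02Z,10.1.4.22,10.99.12.8,445
2024-05-01T10:00:03Z,10.1.7.9,10.1.10.5,443
"""

# Constructed application audit log: timestamp,user,action,target
AUDIT_LOG = """\
2024-05-01T10:05:00Z,svc-mail,send,bob@example.com
2024-05-01T10:05:09Z,svc-mail,send,zelda.quimby@example.com
"""


def darknet_alerts(log: str):
    """Return (src, dst, dport) for every flow whose destination is inside the darknet.

    No legitimate host has a reason to talk to unassigned space, so every hit is
    suspicious; it is usually a scanner sweeping the internal range.
    """
    hits = []
    for line in log.splitlines():
        _ts, src, dst, dport = line.split(",")
        if ipaddress.ip_address(dst) in DARKNET:
            hits.append((src, dst, int(dport)))
    return hits


def scanning_sources(hits, threshold: int = 2):
    """A single source touching several distinct darknet addresses is scanning."""
    seen = {}
    for src, dst, _port in hits:
        seen.setdefault(src, set()).add(dst)
    return sorted(src for src, dsts in seen.items() if len(dsts) >= threshold)


def honeytoken_alerts(log: str):
    """Return (user, action) for every audit event that touches the honeytoken record."""
    alerts = []
    for line in log.splitlines():
        _ts, user, action, target = line.split(",")
        if target == HONEYTOKEN_EMAIL:
            alerts.append((user, action))
    return alerts


if __name__ == "__main__":
    hits = darknet_alerts(FLOW_LOG)
    print("darknet hits:", hits)
    print("likely scanners:", scanning_sources(hits))
    print("honeytoken use:", honeytoken_alerts(AUDIT_LOG))
```

Both detectors have essentially no false positives by construction, which is what makes deception controls cheap to operate: the hard part is keeping the darknet range and the honeytoken out of every legitimate system.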
This plans, implements, and monitors changes to protect organizations from unforeseen consequences/ a systematic approach of planning, implementing, and monitoring modifications to systems and processes
Change management
First step in change management
Follow a well-defined approval process so that every change is evaluated, authorized, and documented before it is made, reducing the risk of unauthorized modifications
2nd step change management
Assign every change an owner; clearly defined ownership streamlines communication and maintains accountability
3rd step change management
identify and engage stakeholders
4th step change management
conduct an impact analysis
The use of mathematical algorithms to transform information into an encrypted form that is not readable by unauthorized individuals
Cryptography
This converts information from plaintext into ciphertext
Encryption
This converts ciphertext messages back into their plaintext form
Decryption
These serve as mathematical recipes, they’re a set of mathematical instructions that you follow
Algorithms
Encryption algorithms have two inputs :
The plaintext message and an encryption key
Where the encryption and decryption use the same secret key
Symmetric encryption
Where encryption and decryption use different keys from the same pair
Asymmetric encryption
Formula for the number of keys needed for symmetric cryptography
(n(n-1))/2
n: number of people who want to communicate
Public key and private key for each user describes __
Asymmetric encryption keys
Bob encrypts a message for Alice using her public key. She decrypts it using her private key. This is ___ encryption
Asymmetric
In asymmetric cryptography, the keys must be __
from the same pair
Five goals of cryptography
Confidentiality, integrity, authentication, obfuscation, non-repudiation
Data stored on a hard drive or other storage
Data at Rest
Data transmitted over a network connection
Data in transit
Data in memory being actively used by an application
Data in use
1st goal cryptography
Confidentiality
2nd goal cryptography
Integrity
3rd goal crypography
authentication
Hiding sensitive data
Obfuscation
Non-repudiation is only possible with symmetric or asymmetric cryptography?
Asymmetric cryptography
Phrase meaning security of an algorithm depends upon the secrecy of the approach
Security through obscurity
security because nobody knows how it works
Phase 1 cryptography lifecycle
Initiation
The organization realizes they need a new cryptographic system and gathers the requirements for that system
Phase 2 cryptography lifecycle
Development and Acquisition
The organization finds an appropriate combination of hardware, software, and algorithms that meet objectives
Phase 3 cryptography lifecycle
Implementation and Assessment
Configure and test the cryptographic system to confirm that it meets the security objectives
Phase 4 cryptography lifecycle
Operations and Maintenance
Ensure the continued secure operation of the cryptographic system
Phase 5 cryptography lifecycle
Sunset
Phase out the system and destroy/archive keying material
The process of transforming personally identifying information into a form where it is no longer possible to tie it to an individual person
Data Obfuscation
The process of removing obvious identifiers
Deidentification
When an attacker compares hash values with precomputed hashes
Rainbow Table Attack
Using random values to defeat the rainbow tables (hashing attack)
Salting
Replacing sensitive fields with a random identifier/a unique identifier using a lookup table
Tokenization
The process of redacting sensitive information from a file by replacing the information with blank values
Masking
DES
Data Encryption Standard
Uses an encryption operation called the Feistel function for 16 rounds of encryption
DES Data Encryption Standard
A symmetric encryption algorithm, block cipher operating on 64-bit blocks, key length of 56 bits, and is now considered insecure
DES Data Encryption Standard
Workaround for DES becoming insecure
Triple DES
Applies the DES operation three times (encrypt, decrypt, encrypt) with two or three independent keys; effective strength of about 112 bits, and now deprecated by NIST
Double DES is insecure due to vulnerability from what attack?
Meet in the middle
Symmetric encryption, operating on 128 bit blocks, considered secure
AES
(Advanced Encryption Standard)
Symmetric encryption, public domain algorithm, 64-bit blocks, no longer considered secure
Blowfish cipher
Symmetric encryption, public domain algorithm, 128 bit blocks, secure
Twofish
Users create RSA key pairs using:
two large prime numbers
One of the earliest asymmetric algorithms and still used today; the 1024-bit version is no longer considered secure, 2048 bits is the current minimum, and the 4096-bit version is secure
RSA algorithm
Rivest-Shamir-Adleman
Framework for combining symmetric and asymmetric algorithms, widely used today
PGP algorithm (Pretty Good Privacy)
Does not depend on prime factorization, uses the EC discrete log problem
Elliptic curve cryptography
Cryptography built on quantum mechanics; a practical quantum computer could defeat today's public-key algorithms, which is why post-quantum algorithms are being standardized
Quantum cryptography
Finding a way to solve the __ __ problem efficiently would break modern cryptography
Prime Factorization
Uses quantum mechanics principles to perform computing tasks, mostly theoretical
Quantum computing
More susceptible to quantum attack than prime factorization, because ECC keys are much shorter than RSA keys of equal classical strength
Elliptic curve cryptography
A software package that uses encryption and relay nodes to facilitate anonymous internet access
Tor (Onion Router)
PFS
Perfect Forward Secrecy
Each session is protected by an ephemeral key that is discarded afterwards, so a later compromise of a long-term private key does not expose recorded past sessions; Tor negotiates a separate ephemeral key with each relay in a circuit, so no single node can read the whole communication
PFS Perfect Forward Secrecy
Exchange of encryption keys in someway that all parties trust; uses a different communication channel, is difficult and time consuming
Out of Band Key Exchange
Securely exchanging keys digitally
In Band Key Exchange
Key agreement for symmetric encryption over an insecure channel; the parties agree on a public prime modulus and generator, exchange public values, and each derives the same shared secret, which is never transmitted
Diffie-Hellman algorithm
Variant of Diffie-Hellman; Relies upon complexity drawn from the elliptic curve
Elliptic Curve Diffie-Hellman algorithm
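The Diffie-Hellman exchange on the cards above, written out for both sides together with what an eavesdropper sees. This is an added example for this deck, not code from any library. The modulus (the Mersenne prime 2**127 - 1) and generator are chosen only to keep the demo fast and are far too small for real use; real deployments use the standardized groups from RFC 3526/7919 or ECDH. Because both private exponents are generated fresh per run and thrown away, the exchange also shows what the Perfect Forward Secrecy card means by ephemeral keys.

```python
"""Added example: classic (finite-field) Diffie-Hellman, both sides plus Eve's view.

P and G are demo parameters, not a standardized group.
"""
import hashlib
import secrets

P = 2**127 - 1   # demo prime (M127); much too small for production
G = 2            # demo generator


def dh_keypair():
    """Ephemeral private exponent x and the public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2          # 2 <= x <= p-2
    return x, pow(G, x, P)


def validate_public(value: int) -> bool:
    """Reject 0, 1 and p-1: a peer sending these forces a predictable shared secret."""
    return 2 <= value <= P - 2


def shared_key(my_private: int, their_public: int) -> bytes:
    """Derive a 256-bit session key from the shared secret.

    The raw secret is never used as a key directly; it is run through a hash so
    the session key is uniformly distributed.
    """
    if not validate_public(their_public):
        raise ValueError("invalid peer public value")
    s = pow(their_public, my_private, P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def run_exchange():
    """Alice and Bob each make an ephemeral pair; only A and B cross the wire."""
    a, A = dh_keypair()          # Alice keeps a, sends A
    b, B = dh_keypair()          # Bob keeps b, sends B
    k_alice = shared_key(a, B)   # (g^b)^a mod p
    k_bob = shared_key(b, A)     # (g^a)^b mod p
    wire = {"p": P, "g": G, "A": A, "B": B}   # everything Eve can observe
    return k_alice, k_bob, wire


if __name__ == "__main__":
    k1, k2, seen = run_exchange()
    print("keys match:", k1 == k2)
    print("Eve sees only:", sorted(seen))
```

Eve holds p, g, A and B but neither exponent; recovering a from A is the discrete logarithm problem the cards mention. The `validate_public` check matters in practice: without it a malicious peer can send 1 or p-1 and make the "shared" secret trivial.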
A trusted third party holds copies of encryption keys so they can be recovered; the controversial form gives government or law enforcement access to keys
Encryption Key Escrow
Closest we’ve achieved to key escrow technology, performs encryption but has a special law enforcement access field, source of controversy
Clipper Chip
LEAF
Law Enforcement Access Field
These allow internal access to lost keys
Recovery Agents
This takes a relatively insecure value, such as a password, and uses mathematical techniques to strengthen it, making it harder to crack
Key Stretching
Key stretching combines two different techniques to add strength to an encryption key:
Salting and hashing
Algorithm used to perform key stretching: salts the password and iterates an HMAC-based hash many times (the deck's source says at least 40,000 iterations; current OWASP guidance for PBKDF2-HMAC-SHA256 is 600,000)
PBKDF2
Password Based Key Derivation Function V2
Algorithm used to perform key stretching, based on the Blowfish cipher for hashing and uses salting
bcrypt
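The rainbow table, salting and key stretching cards describe one attack and its two defenses. The example below is added for this deck and is not from any library or product: it builds a tiny precomputed table (the "rainbow table" of the card, reduced to a dictionary), cracks an unsalted SHA-256 hash with one lookup, then shows that a salted PBKDF2 record cannot be looked up and must be recomputed guess by guess at full cost. The password list and the iteration count are constructed; the 600,000 default follows current OWASP guidance for PBKDF2-HMAC-SHA256 rather than the 40,000 in the deck.

```python
"""Added example: precomputed-hash lookup versus salted, stretched storage.

CANDIDATES and the iteration counts are constructed for the demo.
"""
import hashlib
import hmac
import os

# Constructed attacker table: SHA-256(password) for a few common passwords.
CANDIDATES = ["password", "123456", "letmein", "qwerty", "Summer2024"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in CANDIDATES}


def crack_unsalted(stored_hex: str):
    """Unsalted hash: one dictionary lookup recovers the password if it is in the table."""
    return PRECOMPUTED.get(stored_hex)


def store_salted(password: str, iterations: int = 600_000) -> dict:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 key stretching.

    The record keeps salt, iteration count and derived key; none of them is secret.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


def crack_salted(record: dict):
    """The precomputed table is useless here: the attacker must rerun PBKDF2 with
    this user's salt for every guess, paying the full iteration cost each time.
    Returns the password only if it is in the guess list."""
    for guess in CANDIDATES:
        if verify_salted(guess, record):
            return guess
    return None


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(hashlib.sha256(b"letmein").hexdigest()))
    rec = store_salted("letmein", iterations=10_000)
    print("lookup possible on salted record:", rec["dk"].hex() in PRECOMPUTED)
    print("guessing still works, one slow PBKDF2 per guess:", crack_salted(rec))
```

Salting alone does not stop guessing; it stops precomputation and forces per-user work. Stretching is what makes each of those guesses expensive, which is why the two are always used together.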
Special purpose computing devices that manage encryption keys and perform cryptographic operations
Hardware Security Modules (HSMs)
Ways to prevent imposters with cryptography public key exchange
Personal knowledge, Web of trust (WOT), Public Key Infrastructure (PKI)
Relies on indirect relationships, participants digitally sign the public keys of people they know personally to verify, decentralized, high barrier to entry for new people
Web of Trust
Solves the same trust problem as the Web of Trust but replaces peer endorsements with centralized, highly trusted certificate authorities (CAs)
Public Key Infrastructure (PKI)
(CA), highly trusted and centralized service providers; trusted third party organizations that verify the identity of individuals or organizations and then issue digital certificates containing both identity information and a copy of the subject’s public key
Certificate Authorities
One way functions that transform a variable length input into a unique, fixed length output
Hash Functions
The ___ of a hash function will always be ___ regardless of ___ size
output / the same length / input
Hash functions may fail if:
they are reversible, they aren’t collision resistant
The fifth in a series of hash functions, they became increasingly secure, produces 128 bit hashes, no longer considered secure
MD5, Message Digest 5
Message Digest
another term for hash
Approved by NIST, produces a 160-bit value; practical collision attacks make it insecure
SHA Secure Hash Algorithm 1
Approved by NIST, consists of six hash functions producing outputs of 224, 256, 384, and 512 bits; still widely used and with no practical attacks known, but its structural similarity to SHA-1 and MD5 is why NIST commissioned a successor
SHA Secure Hash Algorithm 2
approved by NIST, Keccak algorithm, uses completely different approach than version before it, produces hash of user selected length
SHA Secure Hash Algorithm 3
an alternative to government sponsored functions, produces 128, 160, 256, and 320 bit output, the 128 version is not secure, 160 version is widely used
RIPEMD
Combines symmetric cryptography and hashing, provides authentication and integrity, user creates and verifies message authentication code by using secret key in conjunction with hash function
HMAC Hash based Message Authentication Code
For digital signatures the signer uses their ___ key to sign (encrypting the message hash) and the recipient uses the signer's ___ key to verify
Private, public
DSS
Digital Signature Standard
US government federal standard for appropriate digital signature algorithms, published by NIST
Approved DSS algorithms
Rivest-Shamir-Adleman (RSA), Elliptic curve digital signature algorithm (ECDSA), Edwards curve digital signature algorithm (EdDSA)
Reduces the burden of certificate status checks on the CA's OCSP responder and speeds up client validation
Certificate Stapling
Certificate stapling
The server (not each client) periodically requests a signed, time-stamped certificate status (OCSP) response from the CA and attaches, or staples, it to its certificate during the TLS handshake; the response is usually valid for about 24 hours, so clients do not need to query the CA themselves during that window
This allows the use of intermediate CAs
Certificate Chaining
The certificate’s subject is:
The owner of the public key
Dotted-decimal strings that look like IP addresses (for example, 2.5.4.3) on a digital certificate; used to uniquely identify each element of the certificate
Object Identifiers
Protects against fraudulent certificates; the client stores the expected certificate or public key for a subject and rejects any other certificate for it, so users should not expect the certificate to change for a period of time
Certificate Pinning
The core certificates at the heart of a CA; protect CA private keys; the first certificate in chain certificates
Root certificates
Able to match many different subjects; cover an entire domain (subject such as *.example.com) and must be carefully secured, because one compromised key exposes every host under that domain
Wildcard certificates
CA verifies domain ownership; lowest level of trust
Domain validation certificate
CA verifies the business name; second level of trust
Organization validation certificate
Requires extensive investigation by the CA; the highest level of trust
Extended validation certificate
Binary certificate format, stored as .DER, .CRT, and .CER files
Distinguished Encoding Rules (DER) certificate format
Base64 (ASCII text) encoding of DER certificates between BEGIN CERTIFICATE and END CERTIFICATE lines; stored as .PEM or .CRT files
Privacy Enhanced Email (PEM) certificate format
___ files may be either DER binary certificates or PEM text certificates
CRT files
Binary PKCS #12 format that can bundle a certificate with its private key; commonly used by Windows systems, .PFX and .P12 files
Personal Information Exchange (PFX) format
Base64 ASCII PKCS #7 format that holds certificates and chains but never private keys; commonly used by Windows systems
P7B format
A transport encryption technology that uses certificates to facilitate secure communication over public networks; encrypts network communications; a protocol using pairings of encryption and hash functions/cipher suites; insecure or secure depending on the cipher suites
TLS
Transport Layer Security
The combination of encryption algorithms and hash functions used for encryption
Cipher Suites
Session keys are also known as:
Ephemeral Keys
A random encryption key used for a single communication period; symmetric encryption
Session Keys
An encryption technology; predecessor to TLS; insecure; sometimes incorrectly used as a generic term for encryption protocols including TLS
SSL
Secure Sockets Layer
A distributed and immutable, sometimes public, ledger; can store records in a way that distributes the records among many different systems around the world
The Blockchain
Blockchain technology was created to support ___
cryptocurrencies such as bitcoin