Domain 3 Flashcards
3 components of security education
Policy - what to do
Training - skills for doing it
Awareness - changes behavior
BPA, MOU/A, ISA
Business Partnership Agreement: good for addressing ownership, profit & loss, clearly lays out who makes what decision, who owns what part of company
Memorandum of Understanding/Agreement: when two organizations connect their networks together, who owns what info, who is responsible for what actions, who has liabilities for particular exposures
Interconnection Security Agreement: typically part of MOU, involves who is allowed to keep info if partners separate. dictates technical security requirements associated with two organizations connecting networks
CIA Triad vs DAD
CIA: Confidentiality (preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary data), Integrity (guarding against improper data modification, includes ensuring information non-repudiation and authenticity), Availability (ensuring timely and reliable access to and use of information)
DAD (logical opposite of CIA): Disclosure, Alteration, Destruction
Controls are implemented across what three levels? Give examples for each
Administrative (aka directive): background checks, policies/procedures
Technical: encryption, smart cards
Physical: locks, securing laptops/magnetic media, protection of cable
Criminal vs Civil
Criminal: possible to get jail time, burden of proof is beyond a reasonable doubt (99.9%)
Civil: tip of scale (50.1%)
CVSS
Common Vulnerability Scoring System
Draw chart of 5 types of documentation
refer to “Types of Documentation - Drawing 1B”
Draw the qualitative RA matrix
Qualitative Risk Analysis Matrix helps identify most significant risks to organization
Likelihood on left vertical, Impact top horizontal (high med low)
Refer to “Qualitative RA Matrix - Domain 1 pg 67”
Due Care vs Due Diligence
Due Care: minimal customary practice aka the “Prudent Man Rule”; are you doing what a reasonable organization would do when implementing security
If you trip and fall on property with steak knives sticking up from the ground you could sue for due care since Eric didn’t do what a normal person would do
Due Diligence: maintaining proper environment
If someone else did it and Eric was aware but didn’t change or alter it, then someone could sue Eric for Due Diligence
Excessive risk
means above acceptable level of risk for executive / data owner; excessive does NOT mean a lot of risk
Fork bomb
attack that says while 1=1 (which is always the case) keep forking out (starting new process) until all memory is used and system crashes
Formula for Risk
risk = threat x vulnerability
threat drives calculation, vulnerability reduces the risk
threat: potential for harm, can be internal/external/competitor/govt (hurricanes, snowstorms, viruses, worms)
vulnerability: weakness (unpatched system, default install)
Fraggle
variation of smurf involving spoofed UDP datagrams sent to UDP port 7
IAAA
Identification: means by which users claim their identities to a system
Authentication: establishes, tests or reconciles a user’s identity
Authorization: rights/permissions granted to an individual (or process) that enable access to a computer
Accountability: system’s ability to determine actions of single individual within a system, shows that a particular individual performed a particular action e.g. audit trails and logs
LAND attack
creates recursive loop which crashes system e.g. from 192.168.1.1 to 192.168.1.1 on 8080
List all quantitative formulas
SLE (Single Loss Expectancy) = EF (exposure factor) x AV (asset value)
ARO (Annualized Rate of Occurrence)
ALE (Annualized Loss Expectancy) = SLE x ARO
TCO (Total Cost of Ownership)
ROI (Return on Investment)
Cost/Benefit Analysis
List all types of controls and examples of each
Preventative: locks on doors, firewalls
Detective: goes off during attack (alarm systems, IDS), means preventative failed
Corrective: short-term fix to prevent future attacks (police guards, evacuation)
Compensating: alternative control (one-way firewall in hospital if MRI system could never be connected to network but doctors need info from it)
Recovery: long-term fix
Suppressive: where you detect and respond to deal with a problem
Name a directive control that is a strategic user-focused document?
Policy
Name and define the 5 types of documentation
- Policy - high level statement of what to do, should be specific, measurable, achievable e.g. All servers must be properly hardened by patching and turning off services
- Procedure - details of how to do it e.g. the security configuration must be applied when a system is built
- Standard - specifies a certain way something should be done or a certain brand/type of equipment to be used e.g. Admins must use Windows Server 2012 R2 as the base operating system
- Baseline - more specific implementation of a standard, specific technical details of how a system’s hardware/software should be configured; usually a baseline starts off as a guideline until it has been properly modified to meet the needs of org; e.g. The specific settings for Win Server 2012 R2 should match those in the CIS Security Benchmark
- Guideline (optional) - recommended way of doing something; best practice might start off as a guideline and if analysis shows there is great benefit, it may become a standard (mandatory) e.g. to ease the config, local GPOs can be used to roll out the changes
Name different types of DoS attacks
DoS attacks:
- Crafted Packets
- Ping of Death
- LAND attack
- Tear drop
- Flooding
- Syn flood
- Smurf
- Fraggle
DDoS - compromising multiple machines to attack the victim
- Fork bomb
OCTAVE
Operationally Critical Threat, Asset and Vulnerability Evaluation
password guessing vs password cracking
Guessing (online, where you try to guess at website login prompt but subject to account lockout)
Cracking (offline, no account lockout but need raw encrypted passwords)
PCI DSS
Payment Card Industry Data Security Standard - aka dirty dozen (12 requirements), know in general the 12 goals (don’t need to know order):
Install/maintain firewalls, no vendor default passwords/parameters, protect stored data, encrypt transmission of data across public network, use/update antivirus, develop/maintain secure systems and applications, restrict access to cardholder data by business need to know, authenticate access to system components, restrict physical access to cardholder data, track and monitor all access to network resources to cardholder data, regularly test security systems/processes, maintain a policy that addresses information security for all personnel
Ping of Death
buffer overflow attack, if you send ping packet larger than the largest size you can
Privacy Act of 1974
Info about individuals will be kept private and if it needs to be disclosed the person will be notified; regulated at state level
RFI, RFP, RFQ
Request for Information - helps you tailor the RFP
Request for Proposal - stage of procurement to determine which providers will bid for project and what their proposal looks like, more detailed than RFQ
Request for Quote - can sometimes ask for RFQ to make sure we have enough budget before doing a full RFP
SLA, OLA, ELA
Service Level Agreement: delivering certain level of service and if you don’t there’s penalties e.g. ISP delivers certain level of bandwidth with certain reliability
Operating Level Agreement: internal agreement that supports SLA e.g. you need to make sure you have enough staff to meet the SLA
Enterprise License Agreement: site licensing for software e.g. Microsoft licensing agreement for Windows software
Smurf attack
spoof victim’s IP and sends ICMP Echo Request (ping) to directed broadcast; adversary sends out one request to broadcast address saying to 1 million computers to reply to “me” which is spoofed source address of person you want to bring down (smurfs singing down the street with hundreds joining like multiple packets growing together)
Syn flood
has table that keeps track of connections, if you fill up, no new connections can come in
Tear drop
putting a bunch of different puzzle pieces that could never be put together
Third party governance
Before purchasing third party products, assess exposures and risks, validate software, etc. COTS (Commercial Off the Shelf software) e.g. Windows/Office
Types of IP
Intellectual Property
Formal methods of protection:
Patent: public, can’t just be an idea, needs to be reduced to practice, show how it actually works; govt does it to encourage people to share best way to do something and share with society, then we’ll give you 20 yr monopoly
Copyright: creator of work is implied owner of copyright e.g. monkey who took selfies had copyright, not photographer
Trademark: “Ultimate driving machine”, “Just do it”
Informal means of protection:
Trade secret: formula for coca cola (if it were patent it would be public)
What is an internal SLA?
OLA (Operating Level Agreement)
What is OECD?
Organization for Economic Co-operation and Development, 34 countries in Europe, strict controls for information held on your behalf
- Working Party on Information Security and Privacy develops non-binding guidance (member countries do not have to implement recommendations)
EUDPD (European Union’s Data Protection Directive) - binding requirement for EU member states, considered more stringent than US Privacy laws
What is the ultimate output of threat mapping or attack services?
Security dashboard: visual representation that shows you where high exposures are and what systems they are on
What is TOC/TOU?
Time of Check / Time of Use; difference should always be zero e.g. if you put system online for two hours before it’s fully patched and secured there’s a good chance it will be compromised
What methodology is most common for scoring vulnerabilities? Name a second system as well.
CVSSv2 (Common Vulnerability Scoring System) is most common. Another is OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
Which country does not have one set of privacy laws?
The US since privacy laws are at a state level, not federal. All of Europe has one set of laws.
Your company has decided to perform a major technology overhaul. Which would best describe impact to the organization:
a) policies and procedures will need major revisions
b) policies and procedures will need minor revisions
c) minor revisions to policy and major revisions to procedures
d) minor revisions to procedures and major revisions to policy
Answer: c
__ is for industries where we are constantly in litigation, no one can say any info was modified or changed because it is not possible with this technology.
WORM (Write Once Read Many)
__ is volatile memory.
RAM (Random Access Memory): real/primary memory, volatile memory e.g. data lost when power is lost
DRAM (dynamic, dumb/slow): cheap which means it's slow and you have a lot of it; needs to be constantly refreshed
SRAM (static, speed): expensive which means it's faster and you have less of it; SRAM is cache
A __ creates/manages info e.g. salary data managed by HR dept, and is ultimately responsible even if the __ (internal/external entity accessing the data e.g. outsourced payroll company) gets breached.
Data controller, data processor
Customizing a standard for an organization, beginning with scoping, and then adding compensating controls and parameters (security configuration settings).
Tailoring
Data classification process
- Identify who’s in charge (Identify administrator/custodian)
- Criteria for classification (Specify criteria for how information will be classified and labelled)
- Classify the data with approval by the supervisor (Classify the data by its owner who is subject to review by a supervisor)
- Document exceptions (Specify and document exceptions to the classification policy)
- Determine controls (Specify controls that will be applied to each classification level)
- Determine declassification (Specify the termination procedures for declassifying the information or for transferring custody of the information to another entity)
- Make people aware of the classification process (Create an enterprise awareness program about the classification controls)
Degaussing and sector-by-sector overwrite are good for __ media.
Magnetic media e.g. HDD
- degaussing (changing magnetic field on device destroys data)
- sector-by-sector overwrite
- physical destruction
EEPROMs e.g. Flash drives/SSDs
- use ATA Secure Erase (all blocks in physical address space completely erased)
- physical destruction
Describe FIPS 199 levels of impact for CIA
limited adverse effect=low impact
serious adverse effect=moderate impact
severe or catastrophic=high impact
Describe options for securely erasing drives
Magnetic media e.g. HDD
- degaussing (changing magnetic field on device destroys data)
- sector-by-sector overwrite
- physical destruction
EEPROMs e.g. Flash drives/SSDs
- use ATA Secure Erase (all blocks in physical address space completely erased)
- physical destruction (more expensive but more secure)
- NOT effective on EEPROMs: sector-by-sector overwrites can miss data (since writes randomly), degaussing (since not magnetic)
Describe the house analogy in terms of who owns and manages the data
Data owner (CEO, board): designs the house, makes the high-level strategic decisions, ultimately responsible
System owner: designs the HVAC/electrical subsystem in the house; plans design/updates, supports system processes; delegated a portion of the design but ultimately the data owner can still overrule
Business owner: focuses on security priorities to support the mission
Custodian (DBA, engineer): builds the house; very tactical, does all activities that need to be performed on behalf of owner, hardening/locking down, changing network
User: lives in the house; running application to perform function, analyzes info
How can an EEPROM device be securely erased?
Magnetic media e.g. HDD
- degaussing (changing magnetic field on device destroys data)
- sector-by-sector overwrite
- physical destruction
EEPROMs e.g. Flash drives/SSDs
- use ATA Secure Erase (all blocks in physical address space completely erased)
- physical destruction
Process that involves determining applicable portions of a standard that will be followed.
Scoping
The __ describes SBU data where the impact for CIA is:
limited adverse effect=low impact
serious adverse effect=moderate impact
severe or catastrophic=high impact
FIPS (Federal Information Processing Standards Publication) 199
SBU (Sensitive but Unclassified)
The __ documents computer security best practices. Their 800 series publications cover which general areas of security?
United States NIST (National Institute of Standards & Technology). NIST Special Publications (800 series) include NIST 800-37: Risk Mgmt, NIST 800-53A: Recommended Security Controls, NIST 800-34: Contingency Planning, NIST 800-115: Security Testing & Assessment
The __ manages/monitors protocols and specifications of the Internet. They specify requirements via RFCs which must be followed by everyone e.g. TCP/IP protocols.
IETF (Internet Engineering Task Force)
The __ says that at least 85% of targeted cyber intrusions could be prevented by top 4 mitigation strategies:
- application whitelisting
- patch applications
- patch OS vulnerabilities
- restrict admin privileges and applications based on duties
ASD (Australian Signals Directorate)
Types of primary memory
RAM (Random Access Memory): real/primary memory, volatile memory e.g. data lost when power is lost
DRAM (dynamic, dumb/slow): cheap which means it's slow and you have a lot of it; needs to be constantly refreshed
SRAM (static, speed): expensive which means it's faster and you have less of it; SRAM is cache
Good to be familiar with “Computer Architecture (Map of Targets) - Drawing 3C” but basically just need to know and be able to draw out “Memory diagram - Drawing 2A”
Types of ROM
ROM (Read only memory): non-volatile
PROM (Programmable): modifiable once e.g. firmware
EPROM (Erasable & Programmable): not the norm
EEPROM (Electrically Erasable): flash memory, can be written e.g. USB flash drives, SSDs, BIOS chips so can be upgraded
PLD (Programmable Logic Devices): integrated circuit that can be modified programmatically, general technology for all EPROM
Types of secondary memory
Slower memory e.g. magnetic disks (HDD)
Types of sequential memory
Sequentially searching from beginning rather than directly accessing location e.g. tape, advantage is they are very cheap
What are valid ways to distribute classified data?
Valid Freedom of Information Act request, Non-Disclosure Agreements, Government contracts, court ordering you to distribute the data
NOT a valid way: age of data (that’s just not possible; this is declassifying data, not distributing)
What does ISO stand for?
What do ISO 27001 and 27002 focus on?
Which one replaced ISO 17799?
International Organization for Standardization
ISO 27001: focuses on auditing (verifying that you’re doing what you say you’re doing)
ISO 27002: focuses on best practices, formalized process of setting up ISMS (InfoSec Mgmt System)
27002 is replacement for ISO 17799
Which role is responsible for computer hardware and software design plans and updates and also ensures that proper training is in place?
System owners
Which role sets the information security priorities to support the mission of the organization?
Business owner
Which term describes writing data to an EEPROM?
Flashing
__ encompasses __ and cryptanalysis
Cryptology, cryptography (hidden writing)
Cryptanalysis (verifying security of algorithms)
__ has replaced CRLs.
OCSP (Online Certificate Status Protocol)
Analogous to police officer looking up status of one driver’s license rather than downloading entire list of revoked licenses and comparing against that.
__ is the art and science of hiding the meaning of communication from unintended recipients.
Cryptography (hidden writing)
___ and ____ substitution are subject to frequency analysis.
Arbitrary and Rotation substitution
___ destroys patterns connecting the key to the ciphertext.
Confusion; substitution provides confusion
___ destroys patterns connecting the plaintext to the ciphertext.
Diffusion; permutation provides diffusion
___ is a block cipher that has replaced DES. It has 3 key sizes (128-bit, 192-bit and 256-bit) and it is the new FIPS (Federal Information processing standard) publication 197.
AES (Advanced Encryption Standard)
___ is a DES mode stream cipher. Ciphertext is used as feedback into the key generation source to develop the next stream. Ciphertext is generated by performing an xor of the plaintext with the key stream. Ciphertext has the same number of bits as plaintext. In this mode errors will propagate.
CFB (Cipher Feedback Mode)
___ is a DES mode that operates with plaintext blocks of 64 bits, uses randomly generated 64-bit IV that is xored with the first block of plaintext, and the result is encrypted using the DES key
CBC (Cipher Block Chaining)
- CBC fixes ECB by encrypting every message block with a different key
- IV (initialization vector, just random data) is combined with key to start, then at each block after that the ciphertext is combined (XOR-ed) with a different key to create the next block’s key
___ is native mode of DES, is a block cipher, is applied to 64-bit blocks of plaintext and produces corresponding 64-bit blocks of ciphertext.
ECB (Electronic code book) creates patterns in ciphertext; this is fixed by CBC
____ substitution is one-to-many and therefore counters frequency analysis.
Polyalphabetic e.g. A=RW,WT,SM, therefore RW can only map to A and so forth
__fish is symmetrical encryption. __fish is adaptive version of it.
Blowfish and twofish (adaptive version, unbreakable) are symmetric.
A __ reflects a current security posture captured in time.
State Machine
Policy dictates and guarantees secure state changes
A ___ ___ binds an individual’s identity to the public key.
Digital certificate
A ___ is a newer type of computer monitor that is better quality and more expensive.
CCD (Charge Coupled Discharge)
A ___ is an older, lower cost computer monitor.
CRT
A ____ cookie exists in memory and is deleted upon browser exit.
Session cookie
A ____ cookie is saved to disk and may be used long-term.
Persistent cookie
A collection of related data about an organization intended for sharing by multiple users.
Database
A commercial garage is which type of gate?
Class II Commercial gate
A hole on the side of a boat or building to let out water and avoid flooding is a __. This is a __ measure.
bilge pump (or sump pump), corrective evacuation is another corrective measure
A momentary power loss is a __.
fault
A prison gate falls under which class?
Class IV Restricted gate e.g. prison, airport
A record or row in a database
Tuple (TUP-el)
A residential gate is which class?
Class I Residential gate
A set of low level commands a CPU knows how to execute could be a __ or __.
CISC (Complex Instruction Set Computer) or RISC (Reduced Instruction Set Computer)
A stream cipher generates the ciphertext key by xoring the plaintext with a keystream. Feedback is used to generate the key stream, therefore the key stream varies. IV is required in this DES mode.
OFB (Output feedback mode)
A type of control where you detect and respond to deal with a problem.
Suppressive
A type of cryptographic attack where you are changing plaintext and looking for differences in ciphertext
Differential analysis
A type of cryptographic attack where you are looking for patterns across messages trying to find weaknesses in crypto
Linear analysis
A type of probability where two different messages using the same hash function can produce a common message digest at a higher frequency than you would think.
birthday attack
applies to collisions in hashing, teaches us that it will happen with higher frequency than you would think
A type of research model that ensures high-level actions (inputs) do not determine low-level user visibility (outputs). Given input there should be no way to predict an output.
Noninterference
A type of research which is similar to BLP in that objects are labeled based on security classes in the form of a lattice (graph). Data can flow in either direction.
Information flow
A user deduces information of higher sensitivity from lower sensitivity information
Inference
A virtual machine hosted by a third-party internet hosting company
VPS (Virtual Private Server); building block for cloud computing, providing IaaS (Infrastructure as a Service)
A way to verify that an entire database transaction has been completed and if it hasn’t, we have the option to roll back to the original point and then re-run the transaction.
2-phase commit: vote first before committing (distributed databases)
Allowed to access certain pieces of info e.g. there’s no system that will let me get address where you live but can go into one system and find out your zip code, another the street, another the house number and combine all that to find out where you live. This is called __.
aggregation
Alternative to Halon (which is no longer produced since it releases ozone-depleting substances)
FM200
Need more of FM200 (7% concentration rather than 5% with Halon) and it takes longer to put fire out
An “Employees Only” or “Unauthorized Personnel will be prosecuted” sign is a ___ control.
Deterrent, deterring unauthorized access
An airport gate falls under which class?
Class IV Restricted gate e.g. prison, airport
Asymmetric encryption is the __ channel for the ____ key
Asymmetric, secure, secret
Asymmetric is a difficult (intractable) problem to solve via which three methods?
Factoring a large number into its prime (RSA)
Solving the discrete logarithm problem for finite fields (e.g. El Gamal)
Solving discrete logarithmic problems for elliptic curves (ECC)
Asymmetric requires smaller or larger key lengths to have the same effect as symmetric?
Asymmetric requires larger key lengths which makes it slower
Because DES is not a ___, multiple encryptions increase security.
group
If something is a group then E(K2,E(K,M)) = E(K3,M)
Boolean operation that outputs 1 (true) when both inputs differ.
XOR (Exclusive OR)
CCTV are traditionally thought of as ___ controls.
Detective
Centralized vs Decentralized vs Distributed Data
Centralized: all your data is in one place, Decentralized: minimal or no sharing between sites, Distributed: there is sharing between locations
First ask yourself # of locations, if one it’s centralized; if multiple ask if sharing, if so it’s distributed, if no sharing it’s decentralized
Changing the order of letters e.g. position 1 in message goes to position 4 in ciphertext, is called ___.
Permutation aka scrambling
Chosen plaintext attack with iterations of input based on knowledge of output
Adaptive chosen plaintext
After choosing the plaintext that gets encrypted, the cryptanalyst can also choose other blocks to be encrypted, which allows more analysis.
Contraband checks are primarily ___ measures
Detective but can also deter someone from doing something if they know there is a high chance they are going to be caught
Contraband checks include x-ray scanners, metal detectors, bag inspection
Crypto attack where plaintext is inserted into device with unknown secret key and corresponding ciphertext is generated
Chosen plaintext
Cryptanalyst is able to choose what plaintext gets encrypted and see the resulting ciphertext. Sometimes this can reveal info about the key.
In a __ attack, the attacker has the ciphertext of several messages encrypted with the same encryption algorithm. His goal is to discover the plaintext of the messages by figuring out the key used in the encryption process.
Ciphertext only
In a __ attack, the attacker has the plaintext and the ciphertext of one or more messages.
Known plaintext
Goal is to find the key used to encrypt the plaintext or an alternate algorithm to decrypt any message with a key the cryptanalyst knows.
Crypto attack where there is chosen ciphertext attack with iterations dependent upon previous results
adaptive chosen ciphertext
Cryptographic attack where you get information from the chipset to find the cryptographic keys?
Side channel attack
Cryptographic attack where you use algorithms and mathematics to deduce key or reduce key space to be searched.
Analytic attack
Datacenter recommended temperature and RH (relative humidity)
70-74 F (21-23 C) ideal temperature range
40-60% ideal humidity range
Dedicated hardware chip that stores encryption keys?
TPM (Trusted Platform Module); can be used to authenticate the integrity of the BIOS, also supports/enhances full disk encryption
Describe the steps of Common Criteria
created by ISO (2nd intl attempt after Europeans’ ITSEC classes); Need to know 7 layers pg 23, all have “tested” in them; EAL (Evaluation Assurance Level) is applied to product rather than system
EAL 1: Functionally tested, EAL 2: Structurally tested, EAL 3: Methodically tested and checked, EAL 4: Methodically designed, tested, and checked, EAL 5: Semi-formally designed and tested, EAL 6: Semi-formally verified, designed, and tested, EAL 7: Formally verified, designed and tested
Describe the type of attack where an adversary gets you to click on link that has embedded scripting that causes you to connected to a legitimate site and bounce your credentials back to the adversary.
XSS (Cross-site scripting) reflects a script via a trusted website. XSS attacks commonly use JavaScript. XSS attack is based on lack of input validation or output encoding by websites e.g. where tags such as script (with less than sign before and greater than after) are allowed as input
Describe/Draw out the Ring Layer Protection
CPU/Memory/HDD are bones in your body, OS is muscle/skin that wraps around the bones; kernel is the brains of the computer. Refer to “Ring layer protection - Drawing 3A”. Example of ring protection scheme (pg 37): Ring 3: User, applications, programs (least trusted), Ring 2: I/O drivers and utilities, Ring 1: OS components that are not part of the kernel, Ring 0: Operating system kernel (most trusted)
Difficulty in recovering the plaintext from the ciphertext as measured by cost and/or time
Work function (factor)
Digital certificates are the ____ channel for the ____ key.
trusted, public
Ensuring that if a session key is compromised, previously captured communications may not also be decrypted. This is called __.
PFS (Perfect Forward Secrecy)
Escrowed encryption standard is embodied in the US Government’s clipper chip which used the ___ secret key algorithm (now unclassified).
skipjack
Example of an algorithm used for solving the discrete logarithmic problem for finite fields
El Gamal