Domain 3: Security Architecture and Engineering 13% Flashcards
DAC (Discretionary Access Control)
gives the subjects full control of objects they have created or been given access to.
MAC (Mandatory Access Control)
is system-enforced access control based on a subject’s clearance and an object’s labels.
RBAC (Role Based Access Control)
is where access to objects is granted based on the role of the subject.
ABAC (Attribute Based Access Control)
is where access to objects is granted based on attributes of the subject, the object AND environmental conditions (e.g. time of day, location, device state).
RUBAC (Rule Based Access Control)
is access that’s granted based on IF/THEN statements.
Bell-LaPadula: Confidentiality (MAC)
Simple Security Property: "No Read Up" (a subject may not read an object with a higher label)
*-Security (Star) Property: "No Write Down" (a subject may not write to an object with a lower label)
Strong Star Property: "No Read or Write Up or Down" (a subject may only read and write objects at its own level)
BIBA: Integrity (MAC)
Simple Integrity Axiom: "No Read Down" (a subject may not read an object of lower integrity)
*-Integrity (Star) Axiom: "No Write Up" (a subject may not write to an object of higher integrity)
Invocation Property: a subject may not invoke (request service from) a subject at a higher integrity level
Lattice Based Access Control (LBAC)(MAC)
Subjects and objects carry labels that form a lattice: a sensitivity level plus a set of compartments, e.g. "Top Secret" with compartments "crypto" and "chemical". A subject may access an object only if the subject's label dominates the object's label: an equal or higher level AND a superset of the object's compartments.
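The dominance check and the Bell-LaPadula and Biba read/write rules above, as an added example (not part of the original flashcards). The level names, compartment names and the hypothetical `reference_monitor` helper are assumptions for illustration:

```python
"""Lattice labels with Bell-LaPadula and Biba checks (added illustration).

A label is a sensitivity level plus a set of compartments. "dominates" is the
lattice ordering: equal-or-higher level AND a superset of the compartments.
"""
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class Label:
    def __init__(self, level, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """True if this label is at or above `other` in the lattice."""
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)      # simple security property
    if op == "write":
        return obj.dominates(subject)      # *-property
    raise ValueError(op)


def biba_allows(subject, obj, op):
    """Biba (integrity): no read down, no write up (labels are integrity levels here)."""
    if op == "read":
        return obj.dominates(subject)      # simple integrity axiom
    if op == "write":
        return subject.dominates(obj)      # *-integrity axiom
    raise ValueError(op)


def reference_monitor(model, subject, obj, op):
    """Hypothetical single choke point every access request passes through."""
    return {"blp": blp_allows, "biba": biba_allows}[model](subject, obj, op)


if __name__ == "__main__":
    alice = Label("SECRET", {"crypto"})
    doc = Label("TOP SECRET", {"crypto"})
    print(reference_monitor("blp", alice, doc, "read"))   # False: no read up
    print(reference_monitor("blp", alice, doc, "write"))  # True: writing up is allowed
```

Note that a SECRET subject with only the "crypto" compartment is refused a SECRET object labelled {"crypto", "chemical"}: the level matches but the compartments do not, which is the lattice (not a simple ladder) at work.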
Graham-Denning Model
uses Objects, Subjects, and Rules. The 8 rules (protection rights) that a specific subject can execute on an object are:
- Transfer Access (right)
- Grant Access (right)
- Delete Access (right)
- Read Access (right)
- Create Object
- Destroy Object
- Create Subject
- Destroy Subject
HRU model (Harrison, Ruzzo, Ullman)
An OS-level computer security model that deals with the integrity of access rights in the system. It is an extension of the Graham-Denning model and treats subjects as objects too. Uses 6 primitive operations: 1. Create object 2. Create subject 3. Destroy subject 4. Destroy object 5. Enter right into access matrix 6. Delete right from access matrix.
Clark-Wilson - Integrity
Separates end users from the backend data through "well-formed transactions" and "separation of duties": users may only change constrained data items through approved transformation procedures. The model uses the Subject/Program/Object access triple.
Separation of duties
The certifier of a transaction and the implementer are different entities. The person making purchase orders should not be paying the invoices.
Well-formed transactions
is a series of operations that transition a system from one consistent state to another consistent state.
Brewer-Nash (Chinese Wall or Informaton Barriers)
Designed to provide controls that mitigate conflict of interest in commercial organizations, and is built upon an information flow model. No information can flow between subjects and objects in a way that would create a conflict of interest: once a subject has accessed one company's data, it is walled off from that company's competitors.
Non-Interference Model
Ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. The model is not concerned with data flow, but with what a subject knows about the state of the system. Any change by a higher level subject, will never be noticed by a lower level subject.
Take-Grant Protection Model
Uses rules that govern the interactions between subjects and objects. It uses permissions that subjects can grant to (or take from) other subjects. It has 4 rules:
1. Take rule: a subject can take rights that another subject or object holds. 2. Grant rule: a subject can grant its own rights to another subject or object. 3. Create rule: a subject can create new objects (and the rights to them). 4. Remove rule: a subject can remove rights it has over another object.
Access Control Matrix
Model describing the rights of every subject for every object in the system.
Zachman Framework (for Enterprise Architecture)
Provides 6 interrogatives (columns): What, How, Where, Who, When, Why
Mapping those interrogatives to 6 perspectives (rows): Planner, Owner, Designer, Builder, Programmer (Subcontractor), User
Dedicated security mode
All users must have:
Signed NDA for ALL information on the system. Proper clearance for ALL information on the system. Formal access approval for ALL information on the system. A valid need to know for ALL information on the system. All users can access ALL data
System high security mode
All users must have: Signed NDA for ALL information on the system. Proper clearance for ALL information on the system. Formal access approval for ALL information on the system. A valid need to know for SOME information on the system. All users can access SOME data, based on their need to know.
Compartmented security mode
Signed NDA for ALL information on the system. Proper clearance for ALL information on the system. Formal access approval for SOME information on the system. A valid need to know for SOME information on the system. All users can access SOME data, based on their need to know and formal access approval.
Multilevel security mode - (Controlled Security Mode)
Signed NDA for ALL information on the system. Proper clearance for SOME information on the system. Formal access approval for SOME information on the system. A valid need to know for SOME information on the system. All users can access SOME data, based on their need to know, clearance and formal access approval.
The Orange Book
DOD Trusted Computer Systems Evaluations Criteria (TCSEC)
ITSEC (The European Info Tech Sec Evaluation Criteria)
Was the first successful international evaluation criteria. Contains a lot of references to the Orange Book; both have been retired and superseded by the Common Criteria.
The International Common Criteria (ISO/IEC 15408)
Common Criteria evaluations are performed on computer security products and systems. To be of practical use, the evaluation must verify the target’s security features. This is done through the following: Target of Evaluation, Protection Profile, Security Target.
The International Common Criteria (ISO/IEC 15408) Evaluation Assurance Level (EAL)
How rigorously was the product evaluated? EAL 1-7 describes the depth of the design review and testing, not a test score: a higher EAL means more assurance, not more security functionality.
EAL1: Functionally Tested
EAL2: Structurally Tested
EAL3: Methodically Tested and Checked
EAL4: Methodically Designed, Tested, and Reviewed.
EAL5: Semi-formally Designed and Tested
EAL6: Semi-formally Verified Design and Tested
EAL7: Formally Verified Design and Tested.
Layering
Separates hardware and software functionality into layers. Layers can interact only with the layers next to them, not past that.
Abstraction
Hiding unnecessary details from the user; it provides a seamless experience, the user doesn't see the millions of background calculations.
Security Domains
A list of Objects a Subject is allowed to access, groups of Objects and Subjects with similar security requirements.
Kernel mode (Supervisor mode)
is where the kernel runs, with low-level unrestricted access to memory, CPU, disk, etc. Crashes here (kernel panics) are not recoverable and take down the whole system.
User mode (Problem mode)
has no direct access to hardware, it is directed through an API. Crashes are recoverable. This is most of what happens on a PC.
Open systems
use open standards, and can use standard components from multiple vendors.
Closed systems
use proprietary hardware and software. Relying on that secrecy alone is "security through obscurity."
The Ring Model
4-ring model that separates Users (untrusted) from the Kernel (trusted). Ring 3: User applications. Ring 2: Device drivers. Ring 1: Other OS components. Ring 0: Kernel. Ring -1: Hypervisor mode (CPU virtualization extensions).
Northbridge (Mem controller Hub)
connected to it are: CPU, Video mem, RAM, and Southbridge
Southbridge
connected to it are: Mouse/keyboard, HD, USB, CD DVD
CPU
contains Arithmetic logic unit (ALU) for math functions and Control Unit (CU) traffic cop.
CPU 4 base functions
Fetch, Decode, Execute, Store
Pipelining: overlapping the fetch, decode, execute and store steps so that each stage works on a different instruction in the same clock cycle.
CPU Interrupt
An interrrupt is a signal to the processor emitted by hardware or software indicating an event that needs immediate attention.
CPU Process
An executable program and its associated data loaded and running in memory. A heavy weight process (HWP) is also called a task. A parent process may spawn child processes; execution within a single process is divided into threads.
CPU Thread
Light Weight Process (LWP) Threads can share memory, resulting in lower overhead compared to heavy weight processes.
CPU Multithreading
is the ability of a CPU, or a single core in a multi-core processor, to execute multiple threads concurrently, with appropriate OS support.
CPU multiprocessing
A comp using more than one CPU at a time for a task.
CPU Multitasking
tasks sharing a common resource ( 1 CPU)
CPU Multiprogramming
A computer running more than one program at a time (Word and Chrome at the same time).
CPU Memory protection
prevents one process from affecting the confid, integr, or availability of another.
CPU Process isolation
is a logical control that tries to prevent one process from Interfering with another.
CPU Hardware segmentation
takes that a step further by mapping processes to specific memory locations enforced in hardware.
CPU Virtual Mem
provides virtual address mapping between applications and hardware memory.
CPU Swapping
moves entire processes from primary mem (RAM) from/to secondary mem (HD)
CPU Paging
copies a block from primary memory (RAM) from/to secondary mem (HD)
BIOS
(Firmware, not an OS) BIOS runs a basic POST. Once the POST process is complete and successful, it locates the boot sector for the OS. The kernel loads and executes, and the OS boots. BIOS is stored on ROM, most likely EEPROM/flash.
WORM Media (Write Once Read Many)
CD/DVDs can be WORM media (R)
TPM (Trusted Platform Module)
Is an international standard for a secure cryptoprocessor: a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices. It is most commonly used to ensure boot integrity (measured boot) and to seal keys to a known-good platform state.
Data Execution Prevention (DEP)
marks memory pages such as the stack and heap as non-executable (using the CPU's NX/XD bit), so code injected there by a buffer overflow or other exploit cannot be run.
Address Space Layout Randomization (ASLR)
is a memory-protection technique for operating systems; it makes buffer-overflow exploitation harder by randomizing the addresses where executables, libraries, the stack and the heap are loaded, so an attacker cannot predict where code or data will be.
At the core of the OS is the Kernel
It interfaces between the OS (and applications) and the hardware.
Monolithic kernel
is one static executable and the kernel runs in supervisor mode.
Microkernels
are modular kernels: only the minimal core (scheduling, memory management, IPC) runs in supervisor mode; other services run as user-mode processes.
Reference monitor
is a core function of the kernel; it mediates all access between subjects and objects. It is always invoked, tamper-proof and cannot be bypassed.
Windows NTFS
is a type of DAC (Discretionary Access Control)
Virtualization
we have many guests (virtual machines) on the same hardware platform (host). Virtualization is software running under the guest OS and above the hardware (Ring -1).
Hypervisor
control the access between the virtual guest/clients and the host hardware.
Type 1 hypervisor (Bare Metal)
is a virtualization OS that runs directly on the host hardware, with no general-purpose OS underneath.
Type 2 hypervisor
runs on top of a regular OS like Win 10.
VM Escape
is when an attacker breaks out of a guest VM into the hypervisor or host, from where the other guests can be reached.
Cloud Computing
There is no ‘Cloud’ it is just another computer somewhere else.
IaaS (Infrastructure as a Service)
The vendor provides infrastructure up to the OS; the customer adds the OS and everything above it.
SaaS (Software as a Service)
The vendor provides the OS and applications/programs. (O365, Gmail, Payroll)
PaaS (Platform as a Service)
The vendor provides a pre-configured OS and runtime/middleware; the customer adds its own programs and applications.
Grid Computing
can make use of resources not currently in use from 100 or 100,000’s of computers to perform very complex tasks.
Peer to Peer (P2P)
Any system can be a client and/ or a server. Most commonly used on torrent networks.
Internet of Things (IoT)
Anything that connects to the Internet is some way (that didn’t before)
Emanations
often electromagnetic emanations. Information that can be picked up from the electrical changes in a system or a wire.
Covert Channels
Creates the capability to transfer info. using channels not intended to do so.
Covert Timing Channels
The sender modulates timing (e.g. CPU load or response time) that the receiver can observe, so the "real response time observed" carries the message.
Covert Storage Channels
Hidden info through the modification of a stored object.
Steganography
hiding a message within another media
Digital Watermarks
encode data into a file
Virus
require some sort of human interaction and are often transmitted by USB or other portable devices.
Polymorphic viruses
Change their signature to avoid the antivirus signature definitions
Multipart (Multipartite) Viruses
Spread across multiple vectors. They are often hard to get rid of because even if you clean the file infections, the virus may still be in the boot sector and vice-versa.
Worms
spread through self propagation.
Trojan
malicious code embedded in a program that appears normal/legitimate.
Rootkits
replaces some of the OS/kernel with a malicious payload, hiding its presence from the OS's own tools.
Logic Bombs
Malicious code that executes at a certain time or on a certain event.
Packers
Programs that compress *.exe files; can be used to hide malware in an executable (a neutral technology in itself).
Antivirus software
Signature based - looks for known malware signatures
Heuristic (Behavioral) based - looks for a abnormal behavior
Server (Service) Side Attack
Attack directly from an attacker to a target.
Client Side Attacks
The client initiates the connection, then gets infected with malicious content, usually via web browsers or IM apps (you go to them).
Applets
small apps often embedded into other software (web browser)
Java
applets run in a sandbox environment - segmenting the Java from the OS (limiting some threats); OS agnostic
Active X
runs trusted on the basis of code-signing (Authenticode) certificates, not a sandbox; since ActiveX is an MS product it interacts more deeply with the OS (Windows only).
SOA (Service-Oriented Architecture)
is a style of software design where services are provided to the other components by application components, through a communication protocol over a network.
Polyinstantiation (Alternative Facts)
Two (or more) instances of the same record or object, each at a different classification level, so a lower-cleared user sees a different version than a higher-cleared one; used to defeat inference.
Aggregation
is the collection or gathering of individually harmless pieces of data that together reveal something sensitive (e.g. for statistical analysis).
Inference
deducing sensitive information from evidence and reasoning (e.g. from aggregated data) rather than from explicit statements.
Data mining
is the computing process of discovering patterns in large data sets.
Data Analytics
is looking at what normal operations look like, then allowing us to more proactively identify abuse from insider threats or compromised accounts.
ICS (Industrial Control Sys)
is a general term for several types of control systems and associated instrumentation used in industrial production technology.
SCADA (Supervisory Control and Data Acquistion)
is a control system architecture that uses computers, networked data communication and GUIs for high-level process supervisory management.
DCS (Distributed Control Systems)
is a computerized control system for a process or plant in which autonomous controllers are distributed throughout the system, but there is central operator supervisory control.
PLC (Programmable Logic Controllers)
is an industrial digital computer which has been ruggedized and adapted for the control and manufacturing processes.
DNP3 (Distributed Network Protocol)
a set of communication protocols used between components in process automation systems: communication between a master station and remote terminal units (RTUs) or intelligent electronic devices (IEDs).
Cryptology
is the science of securing communication.
Cryptography
creates messages where the meaning is hidden
Cryptanalysis
is the science of breaking encrypted communication.
Cipher
is a cryptographic algorithm.
Ciphertext
is an encrypted message
Encryption
converts the plaintext to a ciphertext
Decryption
turns ciphertext back into plaintext
Book Cipher
Use of a well-known text (Often a book) as the key.
Running-Key Cipher
uses a well-known text as the key as well, but as a running keystream: a previously agreed-upon passage is added letter by letter to the plaintext.
Monoalphabetic Ciphers
Substitutes one letter for another using a single fixed alphabet - T would always become W.
Polyalphabetic Ciphers
Similar, but uses several substitution alphabets, switching between them as the message progresses (e.g. by key letter), so the same plaintext letter can map to different ciphertext letters.
Frequency Analysis
analyzing the frequency of a certain character - In English E is used 12.7% of the time
Exclusive Or (XOR)
XOR is very useful in basic cryptography: we XOR a key with the plaintext to make the ciphertext, and XORing the ciphertext with the same key restores the plaintext.
Confusion
is the relationship between the key and the ciphertext; it should be as complex (confusing) as possible, so that each ciphertext bit depends on several parts of the key.
Diffusion
is how the statistical structure of the plaintext should be "diffused" (dispersed) over the ciphertext: changing one plaintext bit should change many ciphertext bits.
Substitution
replaces one character with another; this provides confusion
Permutation (transposition)
provides diffusion by rearranging the characters of the plaintext
Spartan Scytale
Message written lengthwise on a long thin strip of parchment wrapped around a stick of a certain diameter; the stick diameter is the key.
Caesar Cipher (substitution)
Done by shifting letters a certain number of spots in the alphabet.
Vigenere cipher
a polyalphabetic cipher. The alphabet is written 26 times, each row shifted one position, to form a matrix (Vigenere Square); each keyword letter selects which row encrypts the corresponding plaintext letter.
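The Caesar and Vigenere ciphers, and the frequency-analysis break of a monoalphabetic cipher described above, as an added example (not part of the original flashcards). The English frequency table, the sample plaintext and the function names are assumptions constructed for this illustration:

```python
"""Caesar and Vigenere ciphers plus a frequency-analysis break of Caesar (added illustration)."""
import string
from collections import Counter

# Approximate English letter frequencies in percent, A..Z (E is about 12.7%).
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
                6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

# Constructed sample plaintext, long enough for letter statistics to show through.
SAMPLE = ("It is easy to multiply two large prime numbers together, but it is hard to recover "
          "those primes from their product. That one way property is what a public key system "
          "relies on, and the same idea appears in every asymmetric cipher that is still "
          "considered secure today.")


def caesar(text: str, shift: int) -> str:
    """Monoalphabetic: every letter moves the same number of places."""
    out = []
    for ch in text.upper():
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic: the key letter selects the shift (row of the Vigenere square) per letter."""
    out, i = [], 0
    for ch in text.upper():
        if ch in string.ascii_uppercase:
            k = ord(key[i % len(key)].upper()) - 65
            if decrypt:
                k = -k
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(letters) -> float:
    """How far the observed letter counts are from English; lower is more English-like."""
    counts = Counter(letters)
    n = len(letters)
    total = 0.0
    for i, pct in enumerate(ENGLISH_FREQ):
        expected = n * pct / 100
        observed = counts.get(chr(65 + i), 0)
        total += (observed - expected) ** 2 / expected
    return total


def break_caesar(ciphertext: str) -> int:
    """Frequency analysis: try all 26 shifts, keep the one whose output looks most like English."""
    letters = [c for c in ciphertext.upper() if c in string.ascii_uppercase]

    def score(shift):
        return chi_squared([chr((ord(c) - 65 - shift) % 26 + 65) for c in letters])

    return min(range(26), key=score)
```

`break_caesar` recovers the shift from the ciphertext alone because a single substitution alphabet preserves letter frequencies; run `chi_squared` on a Vigenere ciphertext instead and no single shift scores well, which is why the polyalphabetic cipher defeats this simple attack (it falls to the same analysis once the key length is known and the text is split into one Caesar per key position).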
Cipher Disk
2 concentric disks with alphabets on them
Enigma
rotor based. Breaking the Enigma is credited with shortening the war and saving many lives.
Purple (US name)
Japanese cipher machine, similar in role to the Enigma (built from telephone stepping switches rather than rotors).
One-Time Pad
Cryptographic algorithm where plaintext is combined with a random key. It is the only encryption proven mathematically unbreakable, provided the key is truly random, at least as long as the message, kept secret, and never reused.
Vernam Cipher
First known use of the one-time pad idea (Gilbert Vernam, 1917: XOR of the plaintext with a key tape).
Project VENONA
was a US project (with UK participation) to break KGB and GRU encryption, running from 1943 to 1980. It succeeded only because the Soviets reused one-time pad pages.
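The XOR one-time pad and the pad-reuse failure behind VENONA, as an added example (not from the original flashcards): once two messages share a pad, XORing the ciphertexts cancels the key and a guessed fragment of one message ("crib") reveals the other. The two messages are constructed for this illustration:

```python
"""One-time pad with XOR, and what reusing the pad leaks (added illustration)."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """ciphertext = plaintext XOR pad. The pad must be truly random, at least as long as
    the message, kept secret, and used exactly once."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return xor_bytes(plaintext, pad[:len(plaintext)])


otp_decrypt = otp_encrypt   # XOR is its own inverse


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two messages under the same pad: c1 ^ c2 = (p1 ^ pad) ^ (p2 ^ pad) = p1 ^ p2.
    The pad is gone and only the relationship between the plaintexts remains."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def crib_drag(p1_xor_p2: bytes, crib: bytes, offset: int) -> bytes:
    """Given p1 ^ p2 and a guessed fragment of one message at `offset`,
    recover the same positions of the other message."""
    segment = p1_xor_p2[offset:offset + len(crib)]
    return xor_bytes(segment, crib)


if __name__ == "__main__":
    pad = os.urandom(32)                      # CSPRNG; a real pad would be stored, not regenerated
    c1 = otp_encrypt(b"MEET AGENT AT DOCK NINE", pad)
    c2 = otp_encrypt(b"FUNDS ARRIVE ON TUESDAY", pad)   # same pad: the mistake VENONA exploited
    leak = pad_reuse_leak(c1, c2)
    print(crib_drag(leak, b"MEET ", 0))       # an analyst guessing "MEET " learns b"FUNDS"
```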
Jefferson Disk (Bazeries Cylinder)
a cipher system using a set of wheels or disks, each with the 26 letters of the alphabet arranged around the edge.
SIGABA
A rotor machine used by the US throughout WW2, similar to the Enigma. It used 15 rotors (3 banks of 5).
COCOM
was used to prevent export of “Critical Technologies” from Western countries to the Iron Curtain
Wassenaar Arrangement
currently in use. Limits exports on military and dual-use tech. Cryptography is part of that.
Asymmetric
Pros: It does not need a pre-shared key; only 2 keys per user (2n keys for n users).
Cons: It is much slower, and weaker per bit of key.
Symmetric
Pros: Much faster, stronger per bit. Cons: Needs a pre-shared key for every pair; n(n-1)/2 keys for n users, which becomes unmanageable with many users.
Hybrid Encryption
Uses asymmetric encryption to share a symmetric key (session key), which then encrypts the bulk data.
DES Data Encryption Standard (Single DES)
For the exam it may be called DEA (the algorithm) or DES (the standard). Symmetric, 64-bit block cipher, 56-bit key, 16 Feistel rounds. Has 5 modes of operation: ECB and CBC (block modes), CFB, OFB and CTR (operate as stream ciphers). CBC and CFB use an Initialization Vector (IV); in those modes a ciphertext error propagates into the next block.
3 DES (Triple DES)
Symmetric, 64-bit block cipher, three 56-bit keys. Keying option 1 uses 3 different keys (168 key bits) but, because of the meet-in-the-middle attack, gives only 112 bits of effective strength. NIST has deprecated it (disallowed for new encryption after 2023), but it is still found in legacy systems.
IDEA (International Data Encryption Algorithm)
Symmetric, 128-bit key, 64-bit block size, considered safe. Not widely used now: its patents only expired in 2012 and it is slower than AES.
AES, Advanced Encryption Standard (Rijndael)
Symmetric, considered secure, openly specified and royalty-free. 128-bit block, processed as a 4x4 column-major matrix of bytes (the "state"); 128, 192 or 256-bit keys.
Initial round AddRoundKey
each byte is combined with a block of the round key using bitwise XOR
AES Rounds SubBytes
a non-linear substitution step where each byte is replaced with another according to a lookup table (the S-box).
AES Rounds ShiftRows
a transposition step where the last three rows of the state are cyclically shifted left by 1, 2 and 3 bytes respectively.
AES Rounds MixColumns
a mixing operation which operates on the columns, combining the four bytes in each column
AES Final Round (no MixColumns)
SubBytes, ShiftRows, AddRoundKey
AES rounds depend on key length
10 rounds for 128-bit keys
12 rounds for 192-bit keys
14 rounds for 256-bit keys
Blowfish
public domain, uses a Feistel network, 64-bit block, 32-448-bit key. The small 64-bit block makes it unsuitable for large volumes of data under one key (birthday-bound attacks such as SWEET32); its author recommends Twofish instead.
Twofish
uses a Feistel network, 128-bit block, keys up to 256 bits; AES finalist, considered secure
Feistel cipher (Feistel network)
The cipher splits a plaintext block into two halves (L and R) and goes through several rounds. In each round the right half passes through unchanged to become the next left half, while the left half is XORed with F(right half, round subkey) to become the next right half. Because F itself is never inverted, the same structure run with the subkeys in reverse order decrypts.
RC4
Used by WEP, WPA (TKIP) and early SSL/TLS
Pseudorandom keystream; no longer considered secure (prohibited in TLS by RFC 7465). Symmetric stream cipher, 40-2048-bit key length
RC5
Symmetric, block cipher, 32, 64 or 128-bit blocks, key length 0-2040 bits, Feistel-like structure with data-dependent rotations. Considered secure with enough rounds and a long enough key.
RC6
AES finalist, based on RC5 but changed to meet the AES requirements. Feistel-like, symmetric, block cipher, 128-bit blocks, 128, 192 or 256-bit key length, considered secure
Asymmetric Encryption (Public Key Encryption)
DH and RSA; uses 2 keys: a public key and a private key (key pair). The public key is publicly available, used by others to encrypt messages sent to you. The private key (you keep safe) is used to decrypt messages sent with your public key. Also used for digital signatures, in reverse: you sign with your private key and the recipient verifies with your public key.
Prime number factorization
a one-way function: it is easy to multiply 2 large prime numbers, but hard to recover the 2 primes from their product.
Discrete Logarithms
one-way function; this one uses logarithms, the opposite of exponentiation: easy to compute g^x mod p, hard to recover x from the result.
RSA
a new key pair is derived from two very large prime numbers. Used to exchange symmetric keys and for digital signatures; it is slow. Asymmetric, 1024-4096-bit key (2048 bits or more recommended today), considered secure.
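Textbook RSA key generation, encryption, signing and session-key wrapping (hybrid encryption), as an added example not from the original flashcards. Two Mersenne primes stand in for the real 1024-bit primes so the arithmetic is visible; the modulus is only about 92 bits and there is no OAEP/PSS padding, so this is for understanding the operations, not for use:

```python
"""Textbook RSA on demo-sized primes (added illustration; no padding, not for real use)."""
import hashlib
from math import gcd

# Both are Mersenne primes, so they are certainly prime. Real keys use two random
# ~1024-bit primes; this 92-bit modulus would be factored in seconds.
P = (1 << 31) - 1
Q = (1 << 61) - 1


def keygen(p: int = P, q: int = Q, e: int = 65537):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    """Anyone with the public key can encrypt; only the private key decrypts."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def _digest_as_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message: bytes) -> int:
    """Signing: the private-key operation applied to a hash of the message."""
    n, d = priv
    return pow(_digest_as_int(message, n), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    """Verification: the public-key operation must give back the hash."""
    n, e = pub
    return pow(signature, e, n) == _digest_as_int(message, n)


def wrap_session_key(pub, session_key: bytes) -> int:
    """Hybrid encryption: the slow asymmetric step protects only the short symmetric key."""
    return encrypt(pub, int.from_bytes(session_key, "big"))


def unwrap_session_key(priv, wrapped: int, length: int) -> bytes:
    return decrypt(priv, wrapped).to_bytes(length, "big")


if __name__ == "__main__":
    pub, priv = keygen()
    sig = sign(priv, b"pay 100 to bob")
    print(verify(pub, b"pay 100 to bob", sig), verify(pub, b"pay 900 to bob", sig))  # True False
```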
Asymmetric key
DH, ECC, RSA, ElGamal, DSA, Knapsack (Merkle-Hellman)
Diffie-Hellman (DH)
was one of the 1st public key protocols
Elliptic Curve Cryptography (ECC)
uses much smaller keys for equivalent strength, so it is often found in low-power devices
ElGamal
used in GNU Privacy Guard software and PGP
Knapsack
no longer considered secure
Hash Functions (1-way Functions)
are used for integrity. A variable-length input is hashed into a fixed-length value, the hash or MD (Message Digest), used to prove the data has not changed. Just 1 bit of change completely changes the hash. Variable-length input, fixed-length output.
Hash Collisions
When 2 different inputs produce the same hash.
MD5 (Message Digest 5)
128-bit fixed-length hash, used very widely until collision attacks were found; broken.
MD6 (Message Digest 6)
Submitted to the SHA-3 competition as a replacement for MD5 but withdrawn; SHA-2/3 are used instead.
SHA1 (Secure Hash Algorithm 1)
160-bit hash value. Practical collisions have been demonstrated (SHAttered, 2017); deprecated, but still found in legacy systems.
SHA2
Considered collision resistant. Published in 2001 and widely used now (SHA-256, SHA-512).
SHA3
(Keccak) Finalized in August 2015 as FIPS 202; a different (sponge) construction from SHA-2, so it is not affected by the same attacks.
HAVAL (Hash of Variable Length)
The MD length is variable: 128, 160, 192, 224 or 256 bits. Uses the MD design principles, but is faster. Not widely used.
RIPEMD
Developed in the open academic community (EU RIPE project) to ensure no government backdoors. Not widely used; the original 128-bit version is no longer secure.
RIPEMD160
Redesigned, fixing flaws of RIPEMD. 160bit hashes. Not widely used. Considered secure.
Salt (Salting)
random data used as an additional input to a one-way function that hashes a password or passphrase, stored alongside the hash. Defends against dictionary and rainbow table attacks, since identical passwords no longer produce identical hashes.
Nonce (arbitrary number that may only be used once)
Random number used in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
Steal the Key
Modern encryption is so difficult to break that it is easier to recover the private key. Law enforcement does this with search warrants. Attackers do this by gaining access to your system or key repository.
Brute Forse
Uses the entire key space (every possible key); with enough time, any plaintext can be decrypted. Effective against all key-based ciphers except the one-time pad.
Key stretching
deliberately making each password hash computation slow (many iterations, e.g. PBKDF2, bcrypt, scrypt), on the order of a fraction of a second up to 1-2 seconds per verification, so that brute-force guessing is slowed by the same factor.
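Salting and key stretching together, as an added example (not from the original flashcards), using the standard library's PBKDF2-HMAC-SHA256 and a constant-time comparison. The record format, iteration count and function names are assumptions for this illustration:

```python
"""Salted, stretched password hashing with PBKDF2 (added illustration)."""
import hashlib
import hmac
import os

# Tune so one verification takes a noticeable fraction of a second on the target hardware.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """A fresh 16-byte random salt per password means identical passwords get different
    hashes, so a precomputed (rainbow) table is useless; the iteration count is the stretching."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    # self-describing record: algorithm, iteration count, salt and derived key (hex)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
                             int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def unsalted_md5(password: str) -> str:
    """What a rainbow table targets: same password -> same hash, everywhere, forever."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Correct horse battery staple", record))   # False
```

Storing the iteration count in the record lets you raise it later for new passwords without breaking old ones; the unsalted MD5 function is there only to show the contrast (two users with the same password get the same MD5, but different PBKDF2 records).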
Digraph attack
Similar to frequency analysis/attacks, but looks at common pairs of letters (th, he, in, er)
Man-in-the-Middle Attack (MITM)
The attacker secretly relays and may alter communication between 2 parties, who believe they are directly comm with each other.
Session Hijacking (TCP Session Hijacking)
An attacker takes over a web user’s session ID and masquerades as the authorized user.
Social Engineering
much easier than breaking the key is convincing the key holder to hand it over to the “help desk”
Rainbow tables
precomputed tables of plaintexts and their matching hashes (stored as hash chains to save space), usually passwords and password hashes. Defeated by salting.
Known Plaintext
you know the plaintext and the ciphertext, and using those you try to figure out the key.
Chosen plaintext
similar to known plaintext, but the attacker choses the plaintext, then tries to figure out the key.
Adaptive Chosen Plaintext
Same as Chosen Plaintext, the attacker “adapts” the following rounds dependent on the previous rounds.
Meet-in-the-Middle
A known-plaintext attack: the intruder needs some plaintext/ciphertext pairs. Used to break ciphers that apply the same algorithm more than once with two or more keys (multiple encryption): encrypt forward under every candidate first key, decrypt backward under every candidate second key, and look for a match in the middle. This is why double DES gives only 57 bits of strength and 3DES 112.
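The Feistel construction, double encryption, and the meet-in-the-middle attack described above, as one added example (not from the original flashcards). The 16-bit toy cipher, its round function and key schedule are constructed for this illustration only; with two 16-bit keys the attack costs about 2 x 2^16 cipher operations instead of the 2^32 of brute force, which is the same ratio that limits 3DES to 112 bits:

```python
"""Toy 16-bit Feistel cipher, double encryption, and meet-in-the-middle key recovery
(added illustration; the cipher is deliberately tiny so the attack finishes in seconds)."""
ROUNDS = 4
MASK16 = 0xFFFF


def _round_function(right: int, subkey: int) -> int:
    """Non-linear and deliberately NOT invertible: a Feistel network never needs F^-1."""
    t = (right ^ subkey) & 0xFF
    t = (t * 0x35 + 0x63) & 0xFF
    return ((t << 3) | (t >> 5)) & 0xFF


def _subkeys(key: int):
    """Derive one 8-bit subkey per round from the 16-bit key (rotate, then fold)."""
    out = []
    for i in range(ROUNDS):
        rot = ((key << (4 * i)) | (key >> (16 - 4 * i))) & MASK16
        out.append((rot ^ (rot >> 8)) & 0xFF)
    return out


def _feistel(block: int, subkeys) -> int:
    left, right = block >> 8, block & 0xFF
    for k in subkeys:
        # the right half passes through unchanged; the left half absorbs F(right, k)
        left, right = right, left ^ _round_function(right, k)
    return (right << 8) | left          # undo the final swap so decryption is the same routine


def encrypt(block: int, key: int) -> int:
    return _feistel(block, _subkeys(key))


def decrypt(block: int, key: int) -> int:
    return _feistel(block, list(reversed(_subkeys(key))))   # same network, subkeys reversed


def double_encrypt(block: int, k1: int, k2: int) -> int:
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) for double encryption from known plaintext/ciphertext pairs.

    Table every E(k1, p1), then for every k2 look up D(k2, c1) in that table:
    a hit means E(k1, p1) == D(k2, c1), i.e. (k1, k2) explains the first pair.
    The remaining pairs weed out chance matches."""
    (p1, c1), rest = pairs[0], pairs[1:]
    forward = {}
    for k1 in range(1 << 16):
        forward.setdefault(encrypt(p1, k1), []).append(k1)
    candidates = []
    for k2 in range(1 << 16):
        middle = decrypt(c1, k2)
        for k1 in forward.get(middle, []):
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates


if __name__ == "__main__":
    K1, K2 = 0x1234, 0xABCD
    pairs = [(p, double_encrypt(p, K1, K2)) for p in (0x5A5A, 0x0F0F, 0xC3A5)]
    print((K1, K2) in meet_in_the_middle(pairs))   # True
```

Three pairs are used because with a 16-bit block roughly 2^16 wrong (k1, k2) combinations explain any single pair by chance; each extra pair divides that by another 2^16. The attack needs memory for the 2^16-entry table, which is the trade-off that makes it impractical against 3DES's 2^56 table but still caps its strength at 2^112.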
Known Key
the attacker knows something about the key, making it easier to break it.
Differential Cryptanalysis
Tries to find how a "difference" between related plaintexts propagates into the ciphertexts, revealing key bits.
Linear Cryptanalysis
A type of known plaintext attack where the attacker has a lot of plaintext/ciphertext pairs created with the same key.
Differential Linear Cryptanalysis
is Differential and Linear Cryptanalysis combined.
Side Channel Attacks
Attackers use physical measurements to break a cryptosystem: timing/CPU cycles, power consumption or electromagnetic emissions while encrypting/decrypting.
Implementation attacks
Some vulnerability is left from the implementation of the application, system or service.
Key Clustering
When 2 different symmetric keys used on the same plaintext produce the same ciphertext; either key can then decrypt ciphertext made with the other.
PKI (Public Key Infrastructure)
Uses asymmetric and symmetric encryption as well as hashing to provide and manage digital certificates. For PKI to work, the private keys must stay secret.
Key Escrow
keys are kept by a 3rd party org (often law enforcement)
Digital certificates
are public keys bound to an identity and signed with the CA's digital signature
Server-based
e.g. a TLS/SSL certificate - is assigned to the server (stored on the server)
Client based
Digital Signature - is assigned to a person (stored on your PC)
CA (Certificate Authority)
Issues and revokes certificates. Can be internal or public (e.g. DigiCert, formerly Verisign, or GoDaddy)
ORA (Organizational Registration Authorities)
Done within an organization. Authenticates the certificate holder prior to certificate issuance.
CRL (Certification Revocation List)
Maintained by the CA. Certificates are revoked if a private key is compromised or if an employee leaves the organization. The client downloads the whole list; being replaced by OCSP.
OCSP (Online Certification Status Protocol)
The client asks an OCSP responder (run by or for the CA) about the status of one specific certificate instead of downloading the full revocation list; faster and more current.
Clipper chip
a chipset developed and promoted by NSA was abandoned after public outcry, and was later found to have many security flaws.
Digital Signatures
provide integrity, authentication and non-repudiation: a hash of the message is signed with the sender's private key and verified with the sender's public key.
IPSEC
Set of protocols that provide a cryptographic layer to IP traffic (IPv4/v6). Often used for VPNs.
IPSEC AH (Authentication Header)
Provides authentication and integrity for each packet. Does not provide confidentiality. Protects against replay attacks (sequence numbers).
IPSEC ESP (Encapsulation Security Payload)
Provides confidentiality. It can provide Authentication and Integrity.
IPSEC SA (Security Association)
Simplex, one-way communication (like a walkie-talkie): the negotiated ESP or AH parameters apply to one direction. If 2 systems use ESP they need 2 SAs (one per direction). If they use both AH and ESP, they will use 4 SAs.
IPSEC ISAKMP (Internet Security Association and Key Management Protocol)
Defines the framework for SA creation and key exchange; IKE runs inside it.
IPSEC Tunnel mode
encrypts and authenticates the entire original IP packet (including its header) and adds a new outer IP header; used between gateways (site-to-site VPNs).
IPSEC Transport mode
only encrypts and authenticates the payload, keeping the original IP header. This is used host-to-host between systems that both speak IPsec.
IPSEC IKE (Internet Key Exchange)
IPsec can use different types of encryption and hashes. IKE negotiates which algorithms to use (the strongest set both sides are configured to accept), performs the key exchange, and sets up the SAs.
Pretty Good Privacy (PGP)
Provides privacy and authentication for data comm. Can provide confidentiality, integrity, authentication, and non-repudiation
MIME (Multipurpose Internet Mail Ext)
provides a standard way to format email, including character sets and attachments.
S/MIME (Secure/MIME)
uses PKI to encrypt and authenticate MIME-encoded email. The client or the client's email server (called an S/MIME gateway) can perform the encryption.
MAC (Message Authentication Code)
Hash function using a key. Provides integrity and authenticity.
HMAC (Hashed MAC)
A pre-shared key is used. The key is padded to the hash block size and XORed with an inner pad (ipad), prepended to the message and hashed; that result is hashed again behind the key XORed with an outer pad (opad): HMAC = H((K XOR opad) || H((K XOR ipad) || message)). The nested construction avoids the length-extension weakness of a plain H(key || message).
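The HMAC construction above written out with SHA-256 and checked against the standard library's `hmac` module, as an added example not from the original flashcards. The function names are assumptions for this illustration:

```python
"""HMAC-SHA256 built from the definition, plus constant-time verification (added illustration)."""
import hashlib
import hmac

BLOCK_SIZE = 64   # SHA-256 processes 64-byte blocks; HMAC pads the key to this size


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC = H((K ^ opad) || H((K ^ ipad) || message)), as in RFC 2104."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()        # keys longer than a block are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")          # then zero-padded to the block size
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad_key + message).digest()
    return hashlib.sha256(opad_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the verifier does not leak how many bytes matched."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def reference_hmac(key: bytes, message: bytes) -> bytes:
    """The standard library's implementation, for cross-checking."""
    return hmac.new(key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    k, m = b"shared secret", b"amount=100&to=bob"
    tag = hmac_sha256(k, m)
    print(tag.hex())
    print(verify_tag(k, m, tag), verify_tag(k, b"amount=900&to=bob", tag))   # True False
```

The receiver recomputes the tag with the same shared key, so a valid tag proves both that the message is unchanged (integrity) and that it came from someone holding the key (authenticity); unlike a digital signature it cannot give non-repudiation, because both parties hold the same key.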
SSL (Secure Socket Layer)
SSL 3.0 was the last version and is deprecated (RFC 7568, 2015). It was used mostly for web traffic and has been replaced by TLS.
TLS (Transport Layer Security)
The successor to SSL. TLS 1.2 and 1.3 are what secure web traffic (HTTPS) today, as well as email client access, chat and VPNs. SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated.
Preventative controls
prevents actions from happening - Tall fences, locked doors, bollards
Detective controls
controls that detect an attack (before, during or after) - CCTV, alarms
Deterrent controls
controls that deter an attack - fences, security guards, dogs, lights, Beware of Dog signs
Compensating controls
compensate other controls that are impossible or too costly to implement.
Administrative controls
controls that give us admin framework - compliance, policies, procedures.
ASTM Standard (gates / access control)
Class I residential, Class II commercial/general access, Class III industrial/limited access (18-wheeler loading dock), Class IV restricted access (airport or prison)
Key Bitting Code
The bitting code (the cut depths) lets a key be copied and replicated without the original, from either the numbers or a photo of the key.
Pin Tumbler Lock (Yale lock)
a lock mechanism that uses pins of varying lengths to prevent the lock from opening without the correct key.
Key Lock Picking
with lock pick sets or bumping: opening a lock without the key.
Lock Bumping
using a shaved-down key that matches the lock, the attacker “bumps” the key handle with a hammer or screwdriver which makes the pins jump, then the attacker quickly turns the key.
Master Keys
open any lock in a given area or security zone.
Core Key
used to remove a lock core in "interchangeable core locks."
Combination locks
Not very secure and have limited accountability even with unique codes. Should be used for low security areas.
Smart Cards
They contain a computer circuit, using Integrated Circuit Card. Contact cards need to be inserted into a machine to be read. Contactless cards can be read by proximity.
Magnetic stripe cards
swiped through a reader, no circuit. Very easy to duplicate.
Mantrap
a room with 2 doors; door 1 must close completely before door 2 can be opened.
Data at Rest should always be encrypted
All storage media should be encrypted.
Power Fluctuation Terms:
Blackout = long loss of power, fault = short loss of power, brownout = long low voltage, Sag = short low voltage, Surge = long high voltage, Spike = Short high voltage.
EMI (Electromagnetic Interference)
Disturbance generated by an external source that affects an electrical circuit by electromagnetic induction, electrostatic coupling, or conduction.
Cheapest vs most secure cables
Copper is cheaper; fiber is more secure (no electromagnetic emanations, and it is hard to tap without detection).
Heat
common temperature levels range from 68-77 F (20-25 C) with an allowable range of 59-90 F (15-32 C)
Pressure
Keeping positive pressure keeps outside contaminants out.
Humidity
should be kept between 40 and 60% (Relative Humidity)
Personnel safety is always most important.
You may like your servers more, but save the co-workers first.
Fire suppression
is done by removing one of the 3 requirements a fire has: oxygen (inert gases such as argon and CO2 displace it; Halon and FM-200 interrupt the chemical chain reaction), heat (water), fuel (equipment/combustibles).
Class A fire
Ordinary combustibles
Class C fire
Electrical equipment
Sprinkler System bulbs
for different activation temperatures: orange (57 C / 135 F), red (68 C / 155 F), yellow (79 C / 175 F), green (93 C / 200 F).
Sprinkler Wet Pipe
not advisable in a data center: the pipes are always full of water.
Dry Pipe
sprinkler heads are closed. The pipe contains compressed air and a valve that stays shut as long as the air pressure is present.
Deluge
Sprinkler heads are open. Similar to dry pipe, but because the heads are open a deluge valve holds the water back; normal air in the pipes.
Pre-Action
Single interlock: water enters the pipes when the fire alarm (detection system) goes off, and is released when a head opens. Double interlock: similar to dry pipe, water enters the pipes only when both the fire alarm has triggered and a sprinkler head has opened.
CO2
Should only be used in unmanned areas.
Halon 1301
was the industry standard for protecting high-value assets. No longer produced: the Montreal Protocol banned Halon production because it depletes ozone; existing systems may remain in place, and FM-200 and inert gases are used instead.
Fire Extinguishers
Data center: Class C. Office: Class A. PASS method to extinguish a fire: Pull the pin in the handle, Aim at the base of the fire, Squeeze the lever slowly, Sweep from side to side.
Dry Powder Extinguishers
primarily used for metal fires
Wet Chemical
used for Class K (cooking oil and fat) fires; the most common general-purpose extinguisher is ABC dry chemical.
Class A (Trash)
Normal combustibles
Class B (Barrel)
Flammable liquids and gases
Class C (Current)
Electric equipment
Class K (Kitchen)
Oils and fats
Class D (Dynamite)
Combustible metals