Domain 3: Security Architecture and Engineering 13% Flashcards

1
Q

DAC (Discretionary Access Control)

A

gives the subjects full control of objects they have created or been given access to.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

MAC (Mandatory Access Control)

A

is system-enforced access control based on a subject’s clearance and an object’s labels.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

RBAC (Role Based Access Control)

A

is where access to objects is granted based on the role of the subject.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

ABAC (Attribute Based Access Control)

A

is where access to objects is granted based on subjects, objects AND environmental conditions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

RUBAC (Rule Based Access Control)

A

is access that’s granted based on IF/THEN statements.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Bell-LaPadula: Confidentiality (MAC)

A

Simple Security Property “No Read UP”
Security Property “No Write DOWN”
Strong
Property “No Read or Write UP and DOWN”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

BIBA: Integrity (MAC)

A

Simple Integrity Axiom “No Read DOWN”
*Integrity Axiom “No Write UP”
Invocation Property “No Read or Write UP”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Lattice Based Access Control (LBAC)(MAC)

A

e.g. “Top Secret” crypto. chemical

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Graham-Denning Model

A

uses Objects, Subjects, and Rules. The 8 rules that a specific subject can execute on an object are:

  1. Transfer Access
  2. Grant Access
  3. Delete Access
  4. Read Object
  5. Create Object
  6. Destroy Object
  7. Create Subject
  8. Destroy Subject.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

HRU model (Harrison, Ruzzo, Ullman)

A
An OS level comp security model that deals with the integrity of access rights in the system. It is an extension of the Graham-Denning model. Considers Subjects to be Objects too. 
Uses 6 primitive operations: 
1. Create object
2. Create subject
3. Destroy subject
4. Destroy object
5. Enter right into access matrix
6. Delete right from access matrix.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Clark-Wilson - Integrity

A

Separates end users from the backend data through ‘Well-formed transactions’ and ‘Separation of Duties’. The model uses Subject/Program/Object

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Separation of duties

A

The certifier of a transaction and the implementer are different entities. The person making purchase orders should not be paying the invoices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Well-formed transactions

A

is a series of operations that transition a system from one consistent state to another consistent state.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Brewer-Nash (Chinese Wall or Informaton Barriers)

A

Designed to provide controls that mitigate conflict of interest in commercial orgs, and is built upon an information flow model. No information can flow between the subjects and objects in a way that would create a conflict of interest.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Non-Interference Model

A

Ensures that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. The model is not concerned with data flow, but with what a subject knows about the state of the system. Any change by a higher level subject, will never be noticed by a lower level subject.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Take-Grant Protection Model

A

Uses rules that govern the interactions between subjects and objects. It uses permissions that subjects can grant to (or take from) other subjects. It has 4 rules:
1. Take rule allows a subject to take rights of another object. 2. Grant rule allows a subject to grant own rights to another object. 3. Create rule allows a subject to create new objects. 4. Remove rule allows a subject to remove rights it has over another object.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Access Control Matrix

A

Model describing the rights of every subject for every object in the system.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Zachman Framework (for Enterprise Architecture)

A

Provides 6 frameworks: What, How, Where, Who, When, Why

Mapping those frameworks to rules for: Planner, Owner, Designer, Builder, Programmer, User

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Dedicated security mode

A

All users must have:
Signed NDA for ALL information on the system. Proper clearance for ALL information on the system. Formal access approval for ALL information on the system. A valid need to know for ALL information on the system. All users can access ALL data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

System high security mode

A

All users must have: Signed NDA for ALL informaton on the system. Proper clearance for ALL information on the system. Formal access approval for ALL information on the system. A valid need to know for SOME information on the system. All users can access SOME data, based on their need to know.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Compartmented security mode

A

Signed NDA for ALL informaton on the system. Proper clearance for ALL information on the system. Formal access approval for SOME information on the system. A valid need to know for SOME information on the system. All users can access SOME data, based on their need to know and formal access approval.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Multilevel security mode - (Controlled Security Mode)

A

Signed NDA for ALL informaton on the system. Proper clearance for SOME information on the system. Formal access approval for SOME information on the system. A valid need to know for SOME information on the system. All users can access SOME data, based on their need to know, clearance and formal access approval.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

The Orange Book

A

DOD Trusted Computer Systems Evaluations Criteria (TCSEC)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

ITSEC (The European Info Tech Sec Evaluation Criteria)

A

Was the first successful int model. Contains a lot of references from The Orange Book, but both are retired now.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
The International Common Criteria (ISO/IEC 15408)
Common Criteria evaluations are performed on computer security products and systems. To be of practical use, the evaluation must verify the target's security features. This is done through the following: Target of Evaluation, Protection Profile, Security Target.
26
The International Common Criteria (ISO/IEC 15408) Evaluation Assurance Level (EAL)
How did the product score on the testing? EAL Level 1-7 EAL1: Functionally Tested EAL2: Structurally Tested EAL3: Methodically Tested and Checked EAL4: Methodically Designed, Tested, and Reviewed. EAL5: Semi-formally Designed and Tested EAL6: Semi-formally Verifed Design and Tested EAL7: Formally Verified Designed and Tested.
27
Layering
Separates hardware ans software functionality into layers.Layers can influeence layers next to themselves, but not past that.
28
Abstraction
Hiding unnecessary details fro teh user, it provides a seamless experience for the user, they don't see the millions of background calculations.
29
Security Domains
A list of Objects a Subject is allowed to access, groups of Objects and Subjects with similar security requirements.
30
Kernel mode (Supervisor mode)
is where the kernel lives, allowing low-level unrestricted access to memory, CPU, disk, etc. Crashes are not recoverable
31
User mode (Problem mode)
has no direct access to hardware, it is directed through an API. Crashes are recoverable. This is most of what happens on a PC.
32
Open systems
use open standards, and can use standard components from multiple vendors.
33
Closed systems
use proprietary hardware and software. This is "security through obscurity."
34
The Ring Model
``` 4-ring model that seperates Users (Untrusted) from the Kernel (Trusted). Ring 3: User applications Ring 2: Device drivers Ring 1: Other OS Ring 0: Kernel Ring -1: Hypervisor mode ```
35
Northbridge (Mem controller Hub)
connected to it are: CPU, Video mem, RAM, and Southbridge
36
Southbridge
connected to it are: Mouse/keyboard, HD, USB, CD DVD
37
CPU
contains Arithmetic logic unit (ALU) for math functions and Control Unit (CU) traffic cop.
38
CPU 4 base functions
Fetch, Decode, Execute, Store | Pipelining- combining multiple steps into one process: can do many functions in same clock cycle.
39
CPU Interrupt
An interrrupt is a signal to the processor emitted by hardware or software indicating an event that needs immediate attention.
40
CPU Process
An executable program and its associated data loaded and running in memory. A heavy weight process (HWP) is also called a task. A parent process may spawn additional child processes called threads.
41
CPU Thread
Light Weight Process (LWP) Threads can share memory, resulting in lower overhead compared to heavy weight processes.
42
CPU Multithreading
is teh ability of a CPU or single core in a multi-core processor to execute multiple processes or threads concurrently, appropriately supported by the OS.
43
CPU multiprocessing
A comp using more than one CPU at a time for a task.
44
CPU Multitasking
tasks sharing a common resource ( 1 CPU)
45
CPU Multiprogramming
A computer running more than one program at a time (Word and Chrome at the same time).
46
CPU Memory protection
prevents one process from affecting the confid, integr, or availability of another.
47
CPU Process isolation
is a logical control that tries to prevent one process from Interfering with another.
48
CPU Hardware segmentation
takes that a step furhter by mapping processes to specific memory locations.
49
CPU Virtual Mem
provides virtual address mapping between applicaitons and hardware memory.
50
CPU Swapping
moves entire processes from primary mem (RAM) from/to secondary mem (HD)
51
CPU Paging
copies a block from primary memory (RAM) from/to secondary mem (HD)
52
BIOS
(Low level OS) BIOS runs a asic POST. Once the POST process is complet and successful, it locates the boot sector for the OS. The Kernel loads and exe, and teh OS boots. BIOS is stored on ROM most likely EEPROM
53
WORM Media (Write Once Read Many)
CD/DVDs can be WORM media (R)
54
TPM (Trusted Platform Module)
Is an int std for secure cryptoprocessor, which is dedicated microcont designed to secure hrdwr by integrating cryptographic keys into devices. Its is most commonly used to ensure boot integrity.
55
Data Execution Prevention (DEP)
is a security feature that can prevent damage to your computer from viruses and other security threats.
56
Address Space Layout Randomization (ASLR)
is a memory-protection proess for OS'; it guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.
57
At the core of the OS is the Kernel
It interfaces between the OS (and applications) and the hardware.
58
Monolithic kernel
is one static executable and the kernel runs in supervisor mode.
59
Microkernels
are modular kernels
60
Reference monitor
is a core function fo the kernel; it handles all access between subjects and objects. It is always on and can't be bypassed.
61
Windows NTFS
is a type of DAC (Discretionary Access Control)
62
Virtualization
we have many servers (clients) on the same hardware platform (host). Virtualization is software running under the OS and above the Hardware (Ring-1)
63
Hypervisor
control the access between the virtual guest/clients and the host hardware.
64
Type 1 hypervisor (Bare Metal)
is a part of a Virtualization OS that runs on top of the host hardware.
65
Type 2 hypervisor
runs on top of a regular OS like Win 10.
66
VM Escape
is when an attacker can jump from the host or a client to another client.
67
Cloud Computing
There is no 'Cloud' it is just another computer somewhere else.
68
IaaS (Infrastructure as a Service)
The vendor provides infrasturcutre up to the OS, the customer adds the OS and up.
69
SaaS (Software as a Service)
The vendor provides the OS and applications/programs. (O365, Gmail, Payroll)
70
PaaS (Platform as a Service)
The vendor provides pre-configured OSs, then the customer adds all the programs and applications.
71
Grid Computing
can make use of resources not currently in use from 100 or 100,000's of computers to perform very complex tasks.
72
Peer to Peer (P2P0
Any system can be a client and/ or a server. Most commonly used on torrent networks.
73
Internet of Things (IoT)
Anything that connects to the Internet is some way (that didn't before)
74
Emanations
often Electromagnetic Emanations. Info that can be disseminated from the electrical changes from a system or a wire.
75
Covert Channels
Creates the capability to transfer info. using channels not intended to do so.
76
Covert Timing Channels
Operations that affect the "real response time observed" by the receiver.
77
Covert Storage Channels
Hidden info through the modification of a stored object.
78
Steganography
hiding a message within another media
79
Digital Watermarks
encode data into a file
80
Virus
require some sort of huma interaction and are often transmitted by USB or other portable devices.
81
Polymorphic viruses
Change their signature to avoid the antivirus signature definitions
82
Multipart (Multipartite) Viruses
Spread across multiple vectors. They are often hard to get rid of because even if you clean the file infections, the virus may still be in the boot sector and vice-versa.
83
Worms
spread through self propagation.
84
Trojan
malicous code embedded in a program that is normal
85
Rootkits
replaces some of the OS/Kernel with a malicous payload.
86
Logic Bombs
Malicious code that executes at a certian time or event.
87
Packers
Programs to compress *.exe files, which can be used to hide malware in an executable, neutral tech.
88
Antivirus software
Signature based - looks for known malware signatures | Heuristic (Behavioral) based - looks for a abnormal behavior
89
Server (Service) Side Attack
Attack directly from an attacker to a target.
90
Client Side Attacks
The client initiates, then gets infected with malicious constent usually from web browsers or IM apps (You go to them)
91
Applets
small apps often embedded into other software (web browser)
92
Java
applets run in a sandbox environment - segmenting the Java from the OS (limiting some threats); OS agnostic
93
Active X
runs with certificates (not sandbox) - since Active x is a MS prod it interacts more with the OS (Win only)
94
SOA (Service-Oriented Architecture)
is a style of software design where services are provided to the other components by application components, through a communication protocol over a network.
95
Polyinstantiation (Alternative Facts)
Two (or more) instances of the same file depending on who accesses it.
96
Aggregation
is a collection of gathering of data together for the purpose of statistical analysis.
97
Inference
requires deducing from evidence and reasoning rather than from explicit statements
98
Data mining
is the computing process of discovering patterns in large data sets.
99
Data Analytics
is looking at what normal operations look like, then allowing us to more proactively identify abuse from insider threats or compromised accounts.
100
ICS (Industrial Control Sys)
is a general term for several types of control sys and associated inst used in indust prod technology
101
SCADA (Supervisory Control and Data Acquistion)
is a control sys arch that uses comp, network data comm and GUI for high-level process supervisory management.
102
DCS (Distributed Control Systems)
is a comp control sys for a process or plant in which autonomous controllers are distributed throughout the system, but there is central operator supervisory control.
103
PLC (Programmable Logic Controllers)
is an industrial digital computer which has been ruggedized and adapted for the control and manufacturing processes.
104
DNP3 (Distributed Network Protocol)
a set of comm protocols used between components in process automation systems. Comm between a master station and remote terminal units (RTU) or IEDs.
105
Cryptology
is the science of securing comm
106
Cryptography
creates messages where the meaning is hidden
107
Cryptanalysis
is the science of breaking encrypted communication.
108
Cipher
is a cryptographic algorithm.
109
Ciphertext
is an encrypted message
110
Encryption
converts the plaintext to a ciphertext
111
Decryption
turns ciphertext back into plaintext
112
Book Cipher
Use of a well-known text (Often a book) as the key.
113
Running-Key Cipher
uses a well-known test as a key as well, but uses a previously agreed upon phrase
114
Monoalphabetic Ciphers
Substitues one letter for another - T would be W
115
Polyalphabetic Ciphers
Similar but uses different starting points each round
116
Frequency Analysis
analyzing the frequency of a certain character - In English E is used 12.7% of the time
117
Exclusive Or (XOR)
XOR is very useful in basic cryptography; we add a key to the plaintext to make the ciphertext
118
Confusion
is the relationship between the plaintext and ciphertext; it should be as random (confusing) as possible
119
Diffusion
is how the order of the plaintext should be "diffused (dispersed) in the ciphertext
120
Substitution
replaces one character for another, this provides diffusion
121
Permutation (transportation)
provides confusion by rearranging the characters of the plaintext
122
Spartan Scytale
Message written lenghtwise on a long thin piece of parchment wrapped arond a certain size round stick.
123
Caesar Cipher (substitution)
Done by switching letters a certain numbers of spots in the alphabet.
124
Vigenere cipher
a polyslphabetic cipher. The alphabet is repeated 26 times to form a matrix (Vigenere Square)
125
Cipher Disk
2 concentric disks with alphabets on them
126
Enigma
rotary based. Breaking the Enigma was responsible for ending the war early and saving millions of lives.
127
Purple (US name)
Japanese rotary based, very similar to the Enigma
128
One-Time Pad
Cryptogrpahic algorithm where plaintext is combined with a random key. It is the only existing mathematically unbreakable encryption.
129
Vernam Cipher
First known use of a one-time pad.
130
Project VENONA
was a project by the US and UK to break KGB's encryption from 1943 to 1980 only broken because KBG reused pads.
131
Jefferson Disk (Vazeries Cylinder)
a cipher sys using a set of wheels or disks, each with the 26 letters of the alpha bet arranged around the edge.
132
SIGABA
A rotor machine used by the US throughout WW2 similar to the Enigma. It used 3x 5 sets of rotors
133
COCOM
was used to prevent export of "Critical Technologies" from Western countries to the Iron Curtain
134
Wassenaar Arrnagment
currently in use. Limits exports on military and dual-use tech. Cryptography is part of that.
135
Asymmetric
Pros: It does not need a pre-shared key, only 2x users = total keys Cons: It is much slower, it is weaker per bit.
136
Symmetric
Pros: Much faster, stronger per bit. Cons: Needs a pre-shared key, n(n-1)/2 users, become unmanageable with many users.
137
Hybrid Encryption
Uses Asymmetric encryption to share a Symmetic Key (session key)
138
DES Data Encryption Standard (Single DES)
For the exam it may be called DEA (algorithm) or DES (standard) Symmetric - 64 bit block cipher - 56 bit key. Has 5 different modes it can encrypt data with, they include: Block, Stream, Initialization Vector, if errors occurr they propagate to teh next block.
139
3 DES (Triple DES)
Symmetric - 64 bit block cipher - 56 bit key. K1 (keymode1) - 3 different keys with 112 bit key strength. Considered secure until 2030 and is still commonly used
140
IDEA (Internation Data Encryption Algorithm)
Symmetric, 128bit key, 64 bit block size, considered safe. Not widely used now, since it is patented and slower than AES
141
AES, Advanced Encryption Standard (Rijndael)
Symmetric, considered secure, open source, 4x4 column-major order matrix of bytes
142
Initial round AddRoundKey
each byte is combined with a block of the round key using bitwise XOR
143
AES Rounds SubBytes
a non-linear subsititution step where each byte is replaced with another according to a lookup table.
144
AES Rounds ShiftRows
a transportation step where the last three rows of the state are shifted a certain number of steps.
145
AES Rounds MixColumns
a mixing operation which operates on the columns, combining the four bytes in each column
146
AES Final Round (no MixColumns)
subbytes, shiftrows, addrounkey
147
AES cycles depend on key lenght
10 cycles for 128-bit keys 12 cycles for 192-bit keys 14 cycles for 256-bit keys
148
Blowfish
publish domain, uses Fistel, no longer considered secure
149
Twofish
uses Fistel, considered secure
150
Fistel cipher (Fistel network)
The cipher splits a plaintext block into two halves (L and R) The process goes through several rounds, the right half of the block does not change. The right half is XOR'ed with a subkey for each round.
151
RC4
Used by WEP/WPA/SSL/TLS | Pseudorandom keystream, no longer considered secure, Symmetric, Stream cipher, 40-2048 bit key lenght
152
RC5
Symmetric, block cipher, 32, 64,128bit blocks, key length 0-2040 bits, uses Fistel. considered secure (if enough blocks/key)
153
RC6
AES Finalist, based on RC5, but changed to meet AES require, uses Fistel, Symmetric, Block Cipher, 128bit blocks, 128, 192, 256 bit key length, considered secure
154
Asymmetric Encryption (Public Key Encryption)
DH and RSA, uses 2 keys: a Public Key and a Private Key (key pair). Public key is publicly available, used by others to encrypt messages sent to you. Private key (you keep safe) used to decrypt messages sent with your public key. Also used for digital signatures, slightly reversed. You encrypt with your private key and teh recipient decrypts with your public key.
155
Prime number factorization
factoring large Prime numbers using a one-way factorization - It is easy to multiply 2 numbers, but hard to discern the 2 numbers multiplied form the result.
156
Discrete Logarithms
one way function - this one uses logarithms, which is teh opposite fo expenentiation.
157
RSA
new keypari from very large prime numbers - creates public/private key pair. Used to exchange symmetric keys, it is slow, Asymmetric, 1094-4096bit key, considered secure.
158
Asymmetric key
DH, ECC, RSA, El Gamal, DSA, Knapsak
159
Diffie-Hellman (DH)
was one of the 1st public key protocols
160
Clliptic Curve Cryptography (ECC)
often found in low-power devices
161
ElGamal
used in GNU Privacy Guard software and PGP
162
Knapsack
no longer considered secure
163
Hash Functions (1-way Functions)
are used for Integrity. A variable-lenght plaintext is hashed into a fixed-length value hash or MD (Message Digest). It is used to prove the Integrity of the data has not changed. Just 1 bit change completely changes the hash. Variable-lenght input, fixed-length output.
164
Hash Collisions
When 2 hashes of different data provide the same has.
165
MD5 (Message Digest 5)
128-bit Fixed-lenght has, used very widely until a flaw was found.
166
MD6 (Message Digest 6)
Was not used for very long, was supposed to replace MD5, but SHA2/3 were better.
167
SHA1 (Secure Has Algorithm 1)
160bit Hash Value. Found to have weak collision avoidance, but still commonly used.
168
SHA2
Considered collision resistant. Somewhat used now, relatively new.
169
SHA3
Finalized in August 2015
170
HAVAL (Hash of Variable Length)
The MD length is variable 128,169,192,224,256bits. Uses the MD design principles, but is faster. Not widely used.
171
RIPEMD
Developed outside of defense to ensure no gov backdoors. Not widely used, no longer secure
172
RIPEMD160
Redesigned, fixing flaws of RIPEMD. 160bit hashes. Not widely used. Considered secure.
173
Salt (Salting)
random data that is used as an additional input to a 1-way function that "hashes" a password or passphrase. Defends against dictionary attacks or rainbow table attack.
174
Nonce (arbitrary # that may only be used 1)
Random number issed in an authentication protocol to ensure that old comm cannot be be reused in reply attacks.
175
Steal the Key
Modern enryption is so difficult to break, it is easier to recover the private key. Law enfrocement does this with search warrants. Attackers do this by gaining access to your system or key repository.
176
Brute Forse
Uses the entire key space (every possible key); with enough time, any plaintext can be decrypted. Effective against all key-based ciphers except the one-time pad.
177
Key stretching
adding 1-2 seconds to password verification
178
Digraph attack
Similar to frequency analysis/attacks, but looks at common pairs of letters (th, he, in, er)
179
Man-in-the-Middle Attack (MITM)
The attacker secretly relays and may alter communication between 2 parties, who believe they are directly comm with each other.
180
Session Hijacking (TCP Session Hijacking)
An attacker takes over a web user's session ID and masquerades as the authorized user.
181
Social Engineering
much easier than breaking the key is convincing the key holder to hand it over to the "help desk"
182
Rainbow tables
pre-made list of plaintext and matching ciphertext. Often passwords and matching Hashes.
183
Known Plaintext
you know the plaintext and the ciphertext, and using those you try to figure out the key.
184
Chosen plaintext
similar to known plaintext, but the attacker choses the plaintext, then tries to figure out the key.
185
Adaptive Chosen Plaintext
Same as Chosen Plaintext, the attacker "adapts" the following rounds dependent on the previous rounds.
186
Meet-in-the-Middle
A known plaintext attack, the intruder has to know some parts of plaintext and their ciphertexts, used to break ciphers, which have two or more secrets key for multiple encryption using the same algorithm.
187
Known Key
the attacker knows something about the key, making it easier to break it.
188
Differential Cryptanalysis
Tries to find the "difference" between the related plaintexts
189
Linear Cryptanalysis
A type of known plaintext attack where the attacker has a lot of plaintext/ciphertext pairs created with the same key.
190
Differential Linear Cryptanalysis
is Differential and Linear Cryptanalysis combined.
191
Side Channel Attacks
Attackers use physical data to break a crypto sys. This can be CPU cycles, power consumption while encrypting/decrypting
192
Implementation attacks
Some vulnerability is left from the implementation of the application, system or service.
193
Key Clustering
When 2 different Symmetric Keys used on the same plaintext produces the same ciphertext, both can decrypt ciphertext from teh other key.
194
PKI (Public Key Infrastructure)
Uses Asymmetric and Symmetric Encryption as well as Hashing to provide and manage digital certficates. To ensure PKI works well, we keep the private key secret.
195
Key Escrow
keys are kept by a 3rd party org (often law enforcement)
196
Digital certificates
are public signed with a digital signature
197
Server-based
SSL for ie - is assigned to the server (stored on the server)
198
Client based
Digital Signature - is assigned to a person (stored on your PC)
199
CA (Certificate Authority)
Issues and revokes certificates. Can be internal or public (Verisign or GoDaddy)
200
ORA (Organizational Registration Authorities)
Done within an organization. Authenticates the certificate holder prior to certificate issuance.
201
CRL (Certification Revocation List)
Maintained by the CA. Certificates are revoked if a private key is compromised, if an employee leaves the organization. Server side, starting to be replace by OCSP (client/server side hybrid)
202
OCSP (Online Certification Status Protocol)
Client/server hybrid, better balance, faster, keeps lists of revoked certificates.
203
Clipper chip
a chipset developed and promoted by NSA was abandoned after public outcry, and was later found to have many security flaws.
204
Digital Signatures
provide integrity and non-repudiation
205
IPSEC
Set of protocols that provide cryptographic layer to IP traffic (IP v4/v6). Is often used for VPNs.
206
IPSEC AH (Authentication Header)
Provides Authentication and Integrity for each packet. Does not provie confidentiality. Protects against "replay attacks"
207
IPSEC ESP (Encapsulation Security Payload)
Provides confidentiality. It can provide Authentication and Integrity.
208
IPSEC SA (Security Association)
Simplex one-way comm (like walkie talkie). Can be used to negotiate ESPor AH parameters. If 2 sys use ESP they need 2 channels. If they use AH and ESP, they will use 4 SA's
209
IPSEC ISAMKP (Internet Security And Key Management Protocol)
Manages the SA creation process and key exchange mechanics.
210
IPSEC Tunnel mode
encrypts and authenticates the entire package (including headers)
211
IPSEC Transport mode
only encrypts and authenticates the payload. This is used for systems that speak ITSEC.
212
IPSEC IKE (Internet Key Exchange)
IPSEC can use different types of encryp and hashes. IKE negotiates the highest and fastest level of security algorithm
213
Pretty Good Privacy (PGP)
Provides privacy and authentication for data comm. Can provide confidentiality, integrity, authentication, and non-repudiation
214
MIME (Multipurpose Internet Mail Ext)
provides a standard way to format email, including characters, sets, and attackments.
215
S/MIME (Secure/MIME)
uses PKI to encryt and authenticate MIME-encoded email. The client or client's email server (called an S/MIME gateway) can perform the encryption.
216
MAC (Message Authentication Code)
Hash function using a key. Provides integrity and authenticity.
217
HMAC (Hashed MAC)
A pre-shared key is exchanged. The sender uses XOR to combine the plaintext with a shared key, then hashes the output using a hashing algorithem.
218
SSL (Secure Socket Layer)
currently on v3. Mostly used for web traffic
219
TLS (Transport Layer Security)
More secure than SSL v3. Less commonly used for securing web traffic. Used mostly for Internet chat and email client access.
220
Preventative controls
prevents actions from happening - Tall fences, locked doors, bollards
221
Detective controls
controls that detect an attack (before, during or after) - CCTV, alarms
222
Deterrent controls
controls that deter an attack - fences, security guards, dogs, lights, Beware of Dog signs
223
Compensating controls
compensate other controls that are impossible or too costly to implement.
224
Administrative controls
controls that give us admin framework - compliance, policies, procedures.
225
ATSM Standard (access control)
Class 1 residential, Class 2 Commercial/General Access, Class 3 Industrial/Limited access (18-wheeler loading dock), Class 4 Restricted access (airport or prison)
226
Key Bitting Code
Can be copied and replicated without the key from either the numbers or a photo of it.
227
Pin Tumbler Lock (Yale lock)
a lock mech that uses pins of varying lengths to prevent the lock form opening without the correct key.
228
Key Lock Picking
with a lock pick sets or bumping, opening a lock without the key.
229
Lock Bumping
using a shaved-down key that matches the lock, the attacker "bumps" the key handle with a hammer or screwdriver which makes the pins jump, then the attacker quickly turns the key.
230
Master Keys
open any lock in a given area or security zone.
231
Core Key
used to remoe a lock core in "interchangeable core locks."
232
Combination locks
Not very secure and have limited accountability even with unique codes. Should be used for low security areas.
233
Smart Cards
They contain a computer circuit, using Integrated Circuit Card. Contact cards need to be inserted into a machine to be read. Contactless cards can be read by proximity.
234
Magnetic stripe cards
swiped through a reader, no circuit. Very easy to duplicate.
235
Mantrap
a room with 2 doors; door 1 must close completely before door 2 can be opened.
236
Data at Rest should always be encrypted
All storage media should be encrypted.
237
Power Fluctuation Terms:
Blackout = long loss of power, fault = short loss of power, brownout = long low voltage, Sag = short low voltage, Surge = long high voltage, Spike = Short high voltage.
238
EMI (Electromagnetic Interference)
Distrubance generated by an external source that affects an electical circuit by electromagnetic induction, electrostatic coupling, or conduction.
239
Cheapeast secure cables
fiber > copper, because fiber is way more secure.
240
Heat
common temp levels ranage from 68-77 F with an allowable range of 59- 90F
241
Pressure
Keeping positive pressure keeps outside contaminanats out.
242
Humidity
should be kept between 40 and 60% (Relative Humidity)
243
Personnel safety is always most important.
You may like your servers more, but save the co-workers first.
244
Fire suppression
is dont by removing one of the 3 requirements a fire has: oxygen (Halon,FM200,Argon), heat (chem/water), fuel (equipment).
245
Class A fire
Ordinary combustibles
246
Class C fire
Electrical equipment
247
Sprinkler System bulbs
for different temperatures: Oranage, Red, maybe Yellow.
248
Sprinkler Wet Pipe
not advisable in data center has water in the pipe.
249
Dryp Pipe
sprinkler heads are closed. Pipe contains compressed air and a valve that stays shut as long as the air is present.
250
Deluge
Sprinkler heads are open. Similar to Dryp Pipe, but sprinkler head is open, a deluge valve holds water back; normal air in pipers.
251
Pre-Action
Single interlock: water released into pipes when teh fire alarm goes off, and when head opens. Double interlock: Similar to Dry Pipe, water not released until fire alarm and the sprinkler is open.
252
CO2
Should only be used in unmanned areas.
253
Halon 1301
industry standard for protecting high-value assets. No longer used. Montreal Accord stopped the use of Halon except.
254
Fire Extinguishers
``` Data class C, Office class A PASS method to extingush a fire. Pull the pin in the handle Aim at the base of the fire Squeeze the lever slowly Sweep from side to side ```
255
Dry Powder Extinguishers
primarily used for metal fires
256
Wet Chemical
most common extinguishers.
257
Class A (Trash)
Normal compustibles
258
Class B (Barrel)
Flamible liquid and gasses
259
Class C (Current)
Electric equipment
260
Class K (Kitchen)
Oils and fats
261
Class D (Dynamite)
Compustible metals