Domain 4 Flashcards
IKE
Internet Key Exchange; uses Diffie-Hellman style negotiation and public key certificates
IPSec
IP Security
Which port is IPsec on
UDP port 500
Phase 2 of IPSec
Tunnel is created and is the “production channel”
What gets hashed in ESP Auth
Old combined fields 3, 4 and the payload
Phase 1 of IPsec
Negotiation of tunnel
Define SPI in IPSec
Security Parameter Index (SPI) is an identification tag added to the header while using IPsec for tunneling the IP traffic
L2TP
Layer 2 Tunneling Protocol
What layer does IPsec operate on
Layer 3
ESP
Encapsulating Security Payload
When combining two systems on a network with IPsec, the risk is
There could be duplicate IPs
Define RFC 1918
Request for Comments 1918 (RFC 1918), "Address Allocation for Private Internets"
MTU
Maximum Transmission Unit
PPTP
Point-to-Point Tunneling Protocol
ESP Header
Contains information showing which security association to use and the packet sequence number
MPLS
Multiprotocol Label Switching
Define MPLS
Multiprotocol Label Switching (MPLS) is a routing technique in telecommunications networks that directs data from one node to the next based on short path labels rather than long network addresses
ESP Payload
Contains the encrypted part of the packet. The encryption to use is agreed when the security association is established
ISAKMP
Internet Security Association and Key Management Protocol
Characteristics of ISAKMP
Bi-directional. RFC 2048
ESP Trailer
May include padding (filler bytes) if required by the encryption algorithm or to align fields
Authentication field (ESP Auth)
This field contains the integrity check (hash) of the ESP packet.
Steps of IPSec
1. Sender creates a segment with the port address set to 500
2. Sender sends the segment to a device that is set to create an IPsec tunnel if "interesting traffic" shows up
3. Interesting traffic arrives at the device; the device looks at the layer 3 header and figures out where it is going to tunnel to
4. Device invokes ISAKMP and builds a bi-directional tunnel
5. If key pairs are used, uses Diffie-Hellman, called ISAKMP-Oakley
6. Security Parameter Index appears on each device
7. Enter Phase 2, which creates the permanent tunnel
8. Data is then passed through the Phase 2 tunnel
SSAE 16
Replaced the SAS 70 auditing standard. Replaced by SSAE 18
SSAE 18
Newer version of SSAE 16. Its scope is to look for control gaps, referred to as a "finding"
AT 801
AT 801 applies to examination engagements to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.
ISAE 3402
Global standard of auditing
Auditing type 1
Audits a point in time. Checks the process of what you are currently doing (a snapshot, present time only)
Auditing type 2
Audits a period of time. Checks on historical business operations. The most in-depth type, covering a period of time (e.g. the past 10 years)
Auditing Word Pair
Qualified Report - A qualified report is one in which the auditor concludes that most matters have been dealt with adequately, except for a few issues. An auditor's report is qualified when there is either a limitation of scope in the auditor's work, or when there is a disagreement with management regarding application, acceptability or adequacy of accounting policies. For auditors, an issue must be material or financially worth consideration to qualify a report. The issue should not be pervasive, that is, the issue should not misrepresent the factual financial position.

Unqualified Report - In an unqualified report, the auditors conclude that the financial statements of your business present fairly its affairs in all material aspects. The opinion embodies the assumptions that your business observed compliance with generally accepted accounting principles and statutory requirements. Also known as a clean report, such a report implies that any changes in the accounting policies, their application and effects, are adequately determined and divulged.
SAS 70 (old) consists of two types of audits
Type 1: "report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date."

Type 2: "report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period."
SOC 1
Requirements: describe the system, control objectives, finances
SOC 2
Cybersecurity needs
SOC 3
SysTrust, WebTrust, Trust Services (smaller in effort, cost and size)
SOC
Service Organization Control
Only SOC 2/3 have Type 1 and Type 2 audits
True
The gold standard of auditing is
SOC 2, Technology, Type 2 (most in depth and shows historical process)
Which type of auditing report do you desire to get
unqualified
HITRUST audits and PCI audits are not included in SOC audits
True
Steps of planning phase
1. RFP (Request for Proposal)
2. Response (bids)
3. Negotiate contract (terms, including terms of disposal and decommission)
4. Statement of work (what you can and cannot do, will and will not do); signing the "as is" statement
5. Follow-on: routine maintenance, updates, improvements, patches to software
6. Disposal and decommission
Importance of signing statement of work
This is the "as is" signing. Any issues or bugs found before this point will be paid for by the developer (contracted company). Any issues or bugs found after this point will be paid for by the customer company
SDLC
Software Development Life Cycle