Domain 4 simple Flashcards
Internet Key Exchange uses Diffie-Hellman style negotiation and public key certificates
IKE
IP Security
IPSec
UDP port 500
Which port is IPsec on?
Tunnel is created and is the “production channel”
Phase 2 of IPSec
old combined fields 3,4 and payload
What gets hashed in ESP Auth
Negotiation of tunnel
Phase 1 of IPsec
Security Parameter Index (SPI) is an identification tag added to the header while using IPsec for tunneling the IP traffic
Define SPI in IPSec
Layer 2 tunneling protocol
L2TP
Layer 3
What layer does IPsec operate on?
Encapsulating Security Payload
ESP
There could be duplicate IPs
When combining two systems on a network with IPsec, what is the risk?
Request for Comment 1918 (RFC 1918), “Address Allocation for Private Internets”
Define RFC 1918
Maximum Transmission Units
MTU
Point-to-point tunneling protocol
PPTP
Contains info showing which security association to use and the packet sequence number
ESP Header
Multi-protocol label switching
MPLS
Multiprotocol Label Switching (MPLS) is a routing technique in telecommunications networks that directs data from one node to the next based on short path labels rather than long network addresses
Define MPLS
Contains the encrypted part of the packet. The encryption to use is chosen when the security association is established
ESP Payload
Internet security association key management protocol
ISAKMP
Bidirectional. RFC 2048
Characteristics of ISAKMP
May include padding (filler bytes) if required by the encryption algorithm or to align fields
ESP Trailer
This field contains the integrity check (hash) of the ESP packet.
Authentication field (ESP Auth)
1. Sender creates a segment with the port address set to 500
2. Sender sends the segment to a device that is set to create an IPsec tunnel if “interesting traffic” shows up
3. Interesting traffic arrives at the device; the device looks at the layer 3 header and figures out where it is going to tunnel to
4. Device invokes ISAKMP and builds a bidirectional tunnel
5. If key pairs are used, uses Diffie-Hellman, called ISAKMP-Oakley
6. Security Parameter Index appears on each device
7. Enter Phase 2, which creates the permanent tunnel
8. Data is then passed through the Phase 2 tunnel
Steps of IPSec
Replaced the SAS 70 auditing standard. Replaced by SSAE 18
SSAE 16
Newer version of SSAE 16. Scope is to look for control gaps, referred to as a “finding”
SSAE 18
AT 801 applies to examination engagements to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.
AT 801
Global Standard of Auditing
ISAE 3402
Audits a point in time. Checks on the process of what you are currently doing (snapshot, present time only)
Auditing type 1
Audits a period of time. Checks on historical business operations. Most in-depth and covers a period of time (e.g. the past 10 years)
Auditing type 2
Qualified Report - A qualified report is one in which the auditor concludes that most matters have been dealt with adequately, except for a few issues. An auditor’s report is qualified when there is either a limitation of scope in the auditor’s work, or when there is a disagreement with management regarding application, acceptability or adequacy of accounting policies. For auditors an issue must be material or financially worth consideration to qualify a report. The issue should not be pervasive, that is, the issue should not misrepresent the factual financial position.

Unqualified Report - In an unqualified report, the auditors conclude that the financial statements of your business present fairly its affairs in all material aspects. The opinion embodies the assumptions that your business observed compliance with generally accepted accounting principles and statutory requirements. Also known as a clean report, such a report implies that any changes in the accounting policies, their application and effects, are adequately determined and divulged.
Auditing Word Pair
Type 1: “report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.”

Type 2: “report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.”
SAS 70 (old) consists of two types of audits
Requirements describe system, control objective, finances
SOC 1
cyber security needs
SOC 2
systrust, webtrust, trust services (smaller in effort, cost, and size)
SOC 3
Service Organization Control
SOC
True
Only SOC 2/3 have Type 1 and Type 2 audits
SOC 2, Technology, Type 2 (most in-depth and shows historical process)
The gold standard of auditing is
unqualified
Which type of auditing report do you want to get?
True
HITRUST audits and PCI audits are not included in SOC audits
1. RFP (request for proposal)
2. Response (bids)
3. Negotiate contract (terms, and terms of disposal and decommission)
4. Statement of work (what you can, cannot do, will, will not do); signing the “as is” statement
5. Follow on - routine maintenance, updates, improvements, patches to software
6. Disposal and decommission
Steps of planning phase
This is the “as is” signing. Any issues or bugs found before this point will be paid for by the developer (contracted company). Any issues or bugs found after this point will be paid for by the customer company.
Importance of signing the statement of work
Software Development Lifecycle
SDLC