Domain 5 Flashcards
First step to IT security
Baseline security plan
4 types of power failure
1) blackout
2) brownout
3) sags, spikes, surges
4) EMI (electromagnetic interference)
Fire suppression systems not safe for human life
-Halon systems
-Carbon dioxide
Can use:
-argonite
-FM-200 (preferred)
Mandatory access controls (MACs)
Logical access control filters used to validate access credentials that can’t be controlled/modified by normal users or data owners
Discretionary access controls (DACs)
Controls that may be configured or modified by the users or data owners
*DACs should be aligned with MACs to be effective
Kerberos
An authentication service that validates services and users in a DCE (distributed computing environment)
Denial of service (DoS)
Remote users may not be able to access data/apps vital to carry out day-to-day business
1st step in implementing logical access controls
Prepare an inventory of IS resources
Most effective control against identity theft
Two-factor authentication
Authentication (3)
-something you know (password)
-something you have (token card)
-something you are/do (biometric)
4 steps to implement logical access controls
1) inventory of IS resources
2) classify IS resources
3) perform grouping/labeling of IS resources
4) create access control list
Default deny access
Allows approved traffic and rejects all other traffic
Default allow access
Denies specific traffic and allows all other traffic
False rejection rate
(FRR or type-1 error rate)
Number of times an individual with authority to use the system is falsely rejected by the system
Failure to enroll rate (FER)
Proportion of people who fail to be enrolled successfully
False acceptance rate
(FAR or type-2 error rate)
Number of times an individual NOT granted authority to use the system is falsely accepted by the system
- best performance indicator
Cross error/equal error rate
(CER/EER)
Rate at which FAR and FRR are equal
-lowest is the most effective
-overall
Biometric attacks
Replay
Brute force
Cryptographic
Mimic
Replay (biometric attack)
Residual biometric characteristic is used by attacker to gain access (e.g. fingerprint left on device)
Brute force (biometric attack)
Sending numerous different biometric samples to a biometric device
Cryptographic (biometric attack)
Targets algorithm or encrypted data transmitted between biometric device and access control system
Mimic (biometric attack)
Attacker attempts to fake the biometric characteristics similar to those of the enrolled user
What has the highest reliability and lowest FAR
Retina/iris scan
Biometric life cycle
1) enrollment
2) transmission & storage
3) verification
4) identification/termination
Dedicated circuit
Symmetric telecommunication line connecting 2 locations
Switched circuit
Does not permanently connect 2 locations; the circuit is set up on demand:
Circuit switching (telephone network)
Packet switching (lower cost)
7 layers to OSI architecture
- Physical (Please)
- Data link layer (Do)
- Network layer (Not)
- Transport layer (Teach)
- Session layer (Stupid)
- Presentation layer (People)
- Application layer (Anything)
- Physical layer
Relates to electrical signal or hardware devices
- Data link layer
Relates to MAC address or bit conversion
- Network layer
Relates to routing or IP address
- Transport layer
Related to
-reliable delivery
-connection oriented
-delivery in proper order
-congestion control
- Session layer
Relates to managing connection
- Presentation layer
Converts data into presentable format
- Application layer
Relates to end users
LAN components
- Hub & repeater (dumb device)
- Switch & bridge (more capable)
- Router (most capable - layer 3)
Layer-2-switches
Devices that can divide and interconnect network segments & help to reduce collisions in collision domains in Ethernet-based networks
Fiber optics
Most secure mode of data transmission
Shielded twisted pair (STP)
Less crosstalk
Unshielded twisted pair (UTP)
More crosstalk
Higher attenuation
Attenuation
Wired or wireless - the weakening of signals during transmission
(Impacted by length of wire)
Crosstalk
Electromagnetic interference from one UTP to another twisted pair, normally running in parallel (only wired)
EMI (electromagnetic interference)
Disturbance generated by an external source that affects an electrical circuit
DHCP (dynamic host configuration protocol)
Protocol to manage network configuration by assigning an IP address & other parameters to every device on a network so they can communicate with other IP networks
Risk: access to the network port is not restricted
Secure shell (SSH)
Protocol that uses cryptography to secure encrypted communication, remote login/execution between 2 networked computers, or data in transmission
-cannot encrypt data at rest (like on USB drives)
Latency
The delay that a message or packet will experience on its way from source to destination
Middleware
Software employed by Client server applications
Firewalls (3)
- Packet filtering router
- Stateful inspection
- a. Application level
  b. Circuit level
Bastion host
Only host computer that a company allows to be addressed directly from the public network and is designed to protect the rest of its network from exposure
-heavily fortified against attack
Proxy server
Stands between internal and external network & will not allow direct communication between 2 networks
(Circuit or application level firewall)
Packet filtering - firewall
-simplest
-network layer (3)
-examines header of every packet of data traveling between internet and corporate network
Stateful inspection - firewall
-keeps track of destination of each packet that leaves internal network & ensures incoming message matches IP address
-complex
-network layer
A. Application / B. Circuit level - firewall
A. Application layer (7) / most secured
-works on concept of bastion host & proxy servers, separate for each application
B. Session layer (5); works on bastion host and proxy server too, but same proxy for all services
Firewall implementations (3)
Dual homed
Screened host
DMZ / screened subnet
Screened host
-Uses packet filtering router firewall and bastion host
-implements basic network layer security and application server security
Dual homed
-uses packet filtering router firewall and bastion host but with 2 NIC (network interface cards)
-more restrictive
-acts to block or filter some or all traffic trying to pass between networks
DMZ (demilitarized zone) / Screened subnet
-Most secure
-uses 2 packet filtering routers and 1 bastion host
-limits services available to users
-supports network&application level security while defining a separate DMZ network
Shadow IT
IT app, tool, service, or system used for various purposes but is NOT reviewed/tested/approved
Symmetric encryption
-Single key is used to encrypt/decrypt
-faster
-inexpensive
Asymmetric encryption
-2 keys: private & public
-slower
-expensive
-more security, though, for sharing
Asymmetric encryption - ensure confidentiality
Encrypt using receiver's public key
Decrypt using receiver's private key
Asymmetric encryption - ensure authenticity & integrity
Create a hash of the message and encrypt using sender's private key
Defense-in-depth
Security arrangement includes the use of multiple security mechanisms that support & complement each other
-centralized firewalls + logical access controls
Secure socket layer (SSL)
Uses cryptographic functions to protect the confidentiality, reliability, and integrity of private data traveling through the internet
SBC
Session border controllers - deployed to protect VoIP networks from DoS/DDoS attacks
-prevents fraud
-encrypts signals
-provides quality of service
DDoS
Distributed denial of service - attack aims to bring down VoIP infrastructure by flooding with heavy traffic from multiple sources
PBX (private branch exchange)
Computer based switch/basically an in house phone company for org
-protection of PBX is high priority
Segregation of VoIP infrastructure using VLAN ensures
Security and reliability
Address resolution protocol (ARP)
Communication protocol used to map IP and MAC addresses
-data traffic in VoIP can be eavesdropped by corrupting ARP
Digital signature ensures
(Email) authenticity
War driving
Used by hackers in wireless networks
-most relevant technique to test the security of an org's WiFi
Botnets
Zombie computers/used to run malicious software for DDoS attacks
Buffer overflow
Common software coding mistake;
more data is put into a buffer than it can handle and overflows into adjacent storage
Data diddling
No preventative controls
Data is altered as it is entered into a computer system
Man in the middle attack
Attacker interferes while 2 devices are establishing a connection
-avoids 2 factor authentication
Spoofing
Appearing to originate from an internal source
IDS (intrusion detection systems) components
Sensor - collects data
Analyzer
User interface
Admin console
Where should the IDS be located in a network
Between the firewall and the org's internal network
Statistical based IDS generates the most
False positives
Neural network IDS
Creates database & is most effective in detecting fraud
Honeypot
Software application that pretends to be a vulnerable server on the Internet and is not set up to actively protect against break-ins, so it acts as a decoy system that lures hackers
IDS limitations
- Will not be able to detect application level vulnerabilities.
- Back doors into applications
- IDS will not be able to detect encrypted traffic
Programmers should not have access to the
Production database
Hash values ensure data has
Not been changed during transmission
Data mining
Technique used to detect trends or patterns of transactions or data
Storage devices (usb) can be a vehicle for
Infecting other computers with malware
Advanced encryption standard (AES) provides
Strongest encryption and greatest assurance that data is protected
Steganography
-Technique for concealing the existence of messages or information
-digital water marking
-hides data within data
Digital signatures provide
Integrity
Message digest
Calculated & included in a digital signature to prove the message hasn’t been altered
Encapsulation or tunneling
Technique used to encrypt the traffic payload so that it can be securely transmitted over an insecure network
For confidentiality and authenticity; sign a message using
The sender's private key &
Encrypt using receiver's public key
Digital signatures - encrypt & decrypt
Encrypt with receiver's public key and decrypt with sender's private key
USB
Universal Serial Bus
Which of the following is the most reliable method to ensure identity of sender for messages transferred across the Internet?
Digital certificates (not digital signatures - identity is confirmed by DC)