Fundamentals IT Flashcards
Caesar Cipher
a substitution cipher in which each plaintext letter is replaced by the letter a fixed number of positions further along the alphabet; the shift amount is the key, and deciphering means shifting back by the same amount
Kerckhoffs's Principles
six principles (Auguste Kerckhoffs, 1883) that should serve as the basis for cryptographic systems; the best known says a system must remain secure even if everything about it except the key is public
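The two cards above fit together: a Caesar cipher is a textbook case of a system whose only secret is the key, and that key has just 25 possible values. The following is an added example (not part of the original flashcards) that implements the shift, then applies Kerckhoffs's assumption that the method is public and recovers the key by trying every shift and scoring the candidates with a constructed English-letter heuristic (the COMMON letter set is an assumption chosen for this demo, not a standard table).

```python
import string

ALPHABET = string.ascii_uppercase  # the cipher works over 26 letters


def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions (negative shifts go backwards); non-letters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Kerckhoffs: the algorithm is public, so the attacker just tries all 25 non-trivial keys."""
    return {k: decrypt(ciphertext, k) for k in range(1, 26)}


# Constructed heuristic: the nine most frequent English letters. Real attacks use a full
# frequency table (chi-squared), but this is enough to pick the right shift on a sentence.
COMMON = set("ETAOINSHR")


def english_score(text: str) -> float:
    letters = [c for c in text.upper() if c.isalpha()]
    return sum(1 for c in letters if c in COMMON) / max(len(letters), 1)


def crack(ciphertext: str):
    """Return (key, plaintext) for the candidate that looks most like English."""
    candidates = brute_force(ciphertext)
    best_key = max(candidates, key=lambda k: english_score(candidates[k]))
    return best_key, candidates[best_key]


if __name__ == "__main__":
    ct = encrypt("MEET ME AT THE OLD BRIDGE TONIGHT AND BRING THE PAPERS", 3)
    print(ct)
    print(crack(ct))
```

The point of `crack` is that the key space, not the secrecy of the method, is what the security rests on: 25 keys can be searched by hand, so no amount of hiding the algorithm would rescue the cipher.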
Symmetric cryptography
uses a single shared secret key to both encrypt the plaintext and decrypt the ciphertext (e.g. AES); both parties must already possess the key
Asymmetric cryptography
uses two mathematically linked keys, a public key that can be freely shared and a private key that is kept secret; what one key encrypts, only the other can decrypt (e.g. RSA)
Block Cipher
operates on a fixed-size group of bits (a block, typically 64 or 128 bits) and encrypts each block as a unit; messages longer than one block need a mode of operation
Stream Cipher
encrypts the plaintext one bit or byte at a time, usually by XORing it with a keystream derived from the key and a nonce
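As an added example (not from the original flashcards), here is a toy stream cipher: a keystream is derived from the key and a nonce, and encryption is a plain XOR, so decryption is the same operation. The keystream generator (SHA-256 over key, nonce and a counter) is a constructed stand-in for a real cipher such as ChaCha20, not a standard algorithm. The example also shows the classic stream-cipher failure mode: if the same key and nonce are reused for two messages, XORing the two ciphertexts cancels the keystream and leaks the XOR of the plaintexts.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed keystream: hash(key || nonce || counter) blocks, concatenated (demo only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data byte by byte with the keystream."""
    return xor(data, keystream(key, nonce, len(data)))


encrypt = decrypt = stream_xor  # XOR is its own inverse


def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """What an eavesdropper learns when two messages share key and nonce: c1 ^ c2 == p1 ^ p2."""
    c1 = stream_xor(key, nonce, p1)
    c2 = stream_xor(key, nonce, p2)
    return xor(c1, c2)


if __name__ == "__main__":
    key = b"k" * 32      # constructed key
    nonce = b"n" * 12    # constructed nonce
    p1 = b"transfer 100 USD"
    p2 = b"transfer 900 USD"
    leak = nonce_reuse_leak(key, nonce, p1, p2)
    # zero bytes mark positions where the two plaintexts agree; non-zero bytes reveal the differences
    print(leak)
```

A block cipher in counter (CTR) mode is turned into exactly this kind of keystream generator, which is why nonce reuse is fatal there too.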
ECC (Elliptic Curve Cryptography)
asymmetric cryptography based on elliptic curves that offers the same strength as RSA with much shorter keys (a 256-bit ECC key is roughly equivalent to a 3072-bit RSA key)
DES
a block cipher with a 64-bit block and a 56-bit effective key; the key length largely determines the algorithm's strength against brute force, and 56 bits is far too short today
3DES
applies DES three times (encrypt-decrypt-encrypt) with two or three keys to extend DES's effective key length; now deprecated in favour of AES
Deterrence
letting people or employees know that they will be held accountable for their actions if they step out of line, which discourages them from even attempting something malicious
The Brewer and Nash Model
also called the Chinese Wall model: datasets are grouped into conflict-of-interest classes, and once you access company (A)'s files you lose access to the files of its competitor (B) in the same class, and vice versa
The Biba Model
an integrity model: subjects cannot read data at a lower integrity level (no read down) and cannot write to data at a higher integrity level (no write up), so untrusted data cannot contaminate trusted data
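The Brewer and Nash and Biba cards above describe rules a reference monitor enforces. As an added example (not part of the original flashcards), the following implements both: a Chinese Wall checker whose datasets, companies and conflict-of-interest classes are constructed for the demo, and Biba's two simple-integrity checks over a constructed three-level integrity ladder.

```python
from dataclasses import dataclass, field

# --- Brewer and Nash (Chinese Wall) ---
# Constructed data: each dataset belongs to a company, and companies are grouped into
# conflict-of-interest classes. BankA and BankB compete; OilX is in a different class.
DATASETS = {
    "bank_A_ledger": ("BankA", "banks"),
    "bank_B_ledger": ("BankB", "banks"),
    "oil_X_reserves": ("OilX", "oil"),
}


@dataclass
class ChineseWall:
    # user -> set of (company, conflict class) the user has already touched
    history: dict = field(default_factory=dict)

    def can_read(self, user: str, dataset: str) -> bool:
        company, coi_class = DATASETS[dataset]
        for prev_company, prev_class in self.history.get(user, set()):
            if prev_class == coi_class and prev_company != company:
                return False  # a competitor in the same class was already accessed
        return True

    def read(self, user: str, dataset: str) -> bool:
        """Grant or deny, and record the access so the wall goes up for the rest of the class."""
        if not self.can_read(user, dataset):
            return False
        self.history.setdefault(user, set()).add(DATASETS[dataset])
        return True


# --- Biba (integrity) ---
# Constructed integrity levels: higher number means more trusted.
LEVELS = {"untrusted": 0, "user": 1, "system": 2}


def biba_can_read(subject_level: str, object_level: str) -> bool:
    """Simple integrity property, no read down: only read objects at your level or above."""
    return LEVELS[object_level] >= LEVELS[subject_level]


def biba_can_write(subject_level: str, object_level: str) -> bool:
    """Integrity *-property, no write up: only write objects at your level or below."""
    return LEVELS[object_level] <= LEVELS[subject_level]


if __name__ == "__main__":
    wall = ChineseWall()
    print(wall.read("alice", "bank_A_ledger"))   # True
    print(wall.read("alice", "bank_B_ledger"))   # False: BankA already accessed
    print(biba_can_read("system", "untrusted"))  # False: no read down
```

Note that the Chinese Wall is history-dependent: the same request is allowed or denied depending on what the user has done before, which is unlike the static label comparison Biba uses.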
Attribute Based Access Control
access decisions are based on attributes of the subject (person), the resource, the action and the environment (e.g. time of day or location) rather than on identity alone
Mandatory Access control
the owner of a resource does not get to decide who has access; a separate authority (typically the system, based on labels and clearances) sets who accesses what
DAC (Discretionary access control)
the owner of a resource gets to decide who has access and what level of access they have (e.g. file permissions and ACLs)
Capabilities
a user's token or key, known as a capability, that grants access to a specific object. Think of a building badge: everyone can reach the same door, but one badge opens it at any time while another only works during a set timeframe
Clickjacking
an attack in which the attacker controls a web page that loads the target site in an invisible layer on top of something the victim intends to click; the click goes to the hidden target and performs an action the attacker wants, such as making a purchase or changing a setting
Black Holes
large-scale filtering in which traffic to a filtered destination is silently dropped; to the sender the destination appears to have vanished into a black hole
FAR (False acceptance rate)
how often a biometric or authentication system accepts a user who should have been rejected (an impostor)
FRR (false rejection rate)
how often the system rejects a legitimate user; raising the match threshold lowers FAR but raises FRR, and the point where they are equal is the equal error rate (EER)
Mutual Authentication
authentication method where both parties in a transaction authenticate each other (e.g. mutual TLS, where the client presents a certificate as well as the server)
Entropy in passwords
a measure of how unpredictable a password is, in bits; the classic strong-construction scheme of 8 or more characters mixing upper case, lower case, numbers and symbols raises entropy by enlarging both the character set and the length
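To make the entropy card concrete, here is an added example (not from the original flashcards) that estimates password entropy as length times log2 of the character-set size, detecting which sets a password draws from, and compares that with a Diceware-style passphrase. The 33-symbol count is the printable ASCII characters that are not letters or digits; the 7776-word dictionary size is the standard Diceware list. The sample passwords are constructed.

```python
import math


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that could have produced this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols and space
    return size


def entropy_bits(password: str) -> float:
    """Entropy assuming every character was chosen uniformly from the detected set."""
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a dictionary."""
    return words * math.log2(dictionary_size)


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits (charset {charset_size(pw)})")
    print(f"4 Diceware words: {passphrase_entropy_bits(4):.1f} bits")
```

The caveat a practitioner should keep in mind: the formula assumes uniform random choice. "Tr0ub4dor&3" scores about 72 bits here, but it is a dictionary word with predictable substitutions, so a real cracker's search space is far smaller than the number suggests. Length is the cheapest way to raise entropy that attackers cannot discount.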
Fabrication attack
generating fake information, such as forging a message or inserting a bogus record; affects integrity (and authenticity)
Interception attack
affects confidentiality; takes the form of unauthorized viewing, copying or eavesdropping, such as reading someone else's email
Modification attack
modifies or tampers with the data in a file or other information; affects integrity
Interruption attack
makes assets unusable or unavailable, either for a period of time or permanently; affects availability
Parkerian Hexad
extends the CIA triad with three more attributes: possession or control, authenticity and utility
Possession or Control
the physical disposition of the media on which data is stored; losing an encrypted laptop is a loss of possession even though confidentiality may be intact
Authenticity
allows you to say whether the data has been correctly attributed to its proper owner or creator
Utility
how useful the data is to you; encrypted data whose key has been lost is still confidential but has no utility
Regulatory Compliance
adherence to the laws that apply to the specific industry you are operating in
Industry Compliance
standards that are not mandated by law but carry severe business consequences (fines, losing the ability to operate) if you are not compliant
PCI DSS (Payment Card Industry Data Security Standard)
industry standard that governs the processing, storage and transmission of credit card numbers and any information associated with the card
FISMA (Federal Information Security Management Act)
requires all US federal agencies to implement information security programs and controls to protect their systems and data
SOX (Sarbanes Oxley Act)
regulates financial reporting and the controls over financial data and assets for publicly held companies
GLBA (Gramm Leach Bliley Act)
requires financial institutions to protect customers' personally identifiable information (PII)
CIPA (Childrens Internet Protection Act)
requires US schools and libraries that receive certain federal funding to block children from accessing harmful content on the Internet
COPPA (Childrens Online Privacy Protection Act)
protects minors younger than 13 by restricting organizations from collecting their PII without parental consent
FERPA (Family Educational Rights and Privacy Act)
protects student educational records; once a student turns 18, the rights to the records shift from the parents to the student
GDPR (General Data Protection Regulation)
EU regulation covering data protection and privacy for all individuals in the European Union, applying to any organization that processes their data
Laws of OPSEC
First Law: if you don't know the threat, how do you know what to protect?
Second Law: if you don't know what to protect, how do you know you are protecting it?
Third Law: if you are not protecting it, the DRAGON WINS
Competitive intelligence
gathering and analyzing openly available information about competitors to make business decisions; legal when done through open sources, unlike industrial espionage
Pretexting
the attacker uses information gathered beforehand to pose as a manager, customer, reporter, etc. and convince targets to give up sensitive information
Phishing
the attacker uses communication channels such as email, phone calls or text messages to trick the user into clicking a malicious link, opening an attachment that contains malware or entering credentials on a fake site
RAID (Redundant Array of Independent Disks)
combines multiple hard drives into one logical drive for extra performance, redundancy against disk failure, or both (e.g. RAID 1 mirrors, RAID 5 stripes data with parity)
Firewall
network security control that filters the traffic flowing in and out of a network according to a set of rules
Packet Filtering
the firewall looks at the headers of each packet (source and destination address, port, protocol) and allows or drops it by rule, with no memory of earlier packets
Stateful Packet Inspection
tracks the state of each connection and allows packets that belong to an established session, such as the return traffic of a connection a client opened
Deep Packet Inspection
goes further than stateful packet inspection by also inspecting the payload of the packet, which lets it block malware or application-level attacks
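The difference between the packet-filtering and stateful cards is easiest to see in code. The following added example (not part of the original flashcards) evaluates constructed packets against a constructed rule set, first statelessly and then with a connection table. A stateless filter that only allows outbound HTTPS has to deny the server's reply, because the reply does not match the rule; the stateful version remembers the connection and lets the reply through while still denying an unsolicited inbound packet. The `Packet` and `Rule` classes are simplified stand-ins for real headers and firewall syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True on the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR or "any"
    dport: Optional[int]  # None means any destination port
    action: str          # "allow" or "deny"


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def stateless_decision(rules, pkt: Packet) -> str:
    """Packet filtering: judge each packet by its own headers; first matching rule wins, default deny."""
    for r in rules:
        if _net_match(r.src, pkt.src) and (r.dport is None or r.dport == pkt.dport):
            return r.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remember allowed outbound connections and admit their return traffic."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()  # (client, client_port, server, server_port)

    def decision(self, pkt: Packet) -> str:
        # Reply to a tracked connection: allowed even though no rule matches it.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"
        action = stateless_decision(self.rules, pkt)
        if action == "allow" and pkt.syn:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action


# Constructed policy: internal hosts may open HTTPS connections; everything else is denied.
RULES = [Rule("10.0.0.0/8", 443, "allow")]

if __name__ == "__main__":
    outbound = Packet("10.1.2.3", 51000, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.1.2.3", 51000)
    stray = Packet("203.0.113.10", 443, "10.1.2.3", 52000)
    fw = StatefulFirewall(RULES)
    print("stateless reply:", stateless_decision(RULES, reply))  # deny
    print("stateful outbound:", fw.decision(outbound))           # allow
    print("stateful reply:", fw.decision(reply))                 # allow
    print("stateful stray:", fw.decision(stray))                 # deny
```

This is why pure packet filters ended up with permissive "allow inbound to high ports" rules: without a connection table, that was the only way to let replies back in, and it also admitted anything else aimed at those ports.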
Proxy Servers
a system that sits between clients and the outside world for a given application (usually web browsing or mail), adding a layer of security and a single choke point where traffic can be logged and filtered
DMZ (Demilitarized Zone)
a separate network segment between the internal network and the Internet for systems that must be reachable from outside (web or mail servers), so that a compromise there does not expose the intranet; the three zones are the intranet, the extranet (DMZ) and the Internet
Scanners
hardware or software tools that let you interrogate devices and networks for information, such as port scanners that discover open ports and vulnerability scanners that find weak points in a system
Packet Sniffers
a tool that captures traffic on a network, including traffic not intended for the capturing host, so it can be inspected
Honeypot
decoy systems with fake vulnerabilities that serve as bait; attackers are tricked into thinking they are attacking the real thing but are instead monitored, which reveals how they carry out attacks and how they think
Operating system hardening
reducing the ways vulnerabilities can be exposed to attackers by uninstalling software that is not used, closing ports that aren't used, adding antivirus software, performing updates, applying the principle of least privilege, and turning on logging and auditing
Buffer Overflow
when more data is written to a buffer than it can hold, e.g. entering 10 digits into a field that has space for 8; the excess overwrites adjacent memory and can crash the program or let an attacker execute code
Jailbreaking
modifying a device to remove the manufacturer's restrictions, which also bypasses its security features
Authentication attacks
attacks that attempt to gain access to resources without the proper credentials, e.g. password guessing or credential stuffing
Authorization attacks
attacks that gain access to resources the attacker is authenticated for but not authorized to use, e.g. by tampering with an object ID in a request
Client side attacks
attacks that take advantage of weaknesses in software loaded on users' clients (browsers, document readers) or of social engineering against the users
Server side attacks
attacks on vulnerabilities on the server side of a transaction: the web server, the software and its version, scripting languages and their configuration
Arbitrary Code Execution
the attacker is able to execute commands of their choosing on a system without restriction, made possible by security flaws such as injection bugs in scripting languages or memory corruption
Privilege Escalation
attacks that increase the level of access beyond what you are authorized for, in order to carry out further attacks at a higher level
Black Box
penetration testing where the tester has no prior knowledge of the environment or entity
Grey Box
penetration testing where the tester has some insider knowledge of the environment but not everything
White Box
penetration testing where the tester has full insider knowledge of the environment (source code, architecture, credentials)
Bug bounty programs
an organization offers rewards to individuals who find vulnerabilities in its resources; depending on the severity of the bug they are compensated with money or in other ways