General Concept (Chapter 1) Flashcards

1
Q

CIA Triad

A

Confidentiality
- protects systems and data from unauthorized access
Integrity
- ensures data and systems have not been tampered with
Availability
- ensures that data and systems can still be accessed by authorised users and systems when needed

2
Q

Security, Functionality, Usability

A

An interlocked system where, if security is increased, both usability and functionality decrease

3
Q

Defense in depth

A

Layers of security controls that provide redundancy in case one layer has been breached

4
Q

Vulnerability

A

Is a weakness/flaw in a system

5
Q

Threat

A

Anything that can potentially take advantage of a vulnerability

6
Q

Exploit

A

A mechanism that takes advantage of a vulnerability

7
Q

Payload

A

Is the part of an exploit that damages the system/steals information

8
Q

Zero-day attack

A

A new attack that the vendor has not seen before

9
Q

Control

A

A policy that is employed to help protect systems

10
Q

Mitigation

A

An action or control that helps reduce the impact of an attack

11
Q

Non-repudiation

A

A security concept that prevents the denial of involvement or responsibility of an individual by applying a digital signature to all actions of a user

12
Q

Principle of least privilege

A

A security concept that allows only the bare minimum access to the data that a user needs to perform their job

13
Q

Accountability

A

Ensures that responsible parties are held liable for their actions

14
Q

Authenticity

A

The proven fact that something is legitimate

15
Q

Gap analysis

A

A thorough analysis of an organisation's security defenses that identifies security flaws

16
Q

Authentication, Authorization, Accounting

A

An architectural framework to provide, enforce and audit access to a network or data resources.
- Authentication requests are forwarded to a central AAA server (RADIUS, TACACS), which checks users' credentials against the directory service server

17
Q

Zero Trust

A

A security strategy that assumes that all systems on the network (public & private) are compromised and that each has to be authorised to access the rest of the network.

18
Q

Three principles of Zero Trust

A

1) Least Privilege
2) Access Privileges must be constantly reauthorized
3) Continuous monitoring

19
Q

Honeypot

A

A decoy system intended to look legitimate, used to divert an attack so that information about the attacker can be gathered

20
Q

Honeynet

A

A decoy network containing one or more honeypots

21
Q

Honeyfile

A

A fake file located in a network file share or server

22
Q

Honey token

A

Fake data deployed that legitimate users won't need to access, so that only an attacker would access it, thus signalling an attack

23
Q

Physical Control

A

Tangible mechanisms designed to prevent unauthorized access to rooms, equipment, documents and other items

24
Q

Administrative/Managerial control

A

Procedures and policies that inform people on how the business is to be run and how day-to-day operations are to be conducted

25
Q

Technical control

A

Any measures taken to protect assets and reduce risk via technological means

26
Q

Operational Controls

A

Security controls that are primarily implemented and executed by people

27
Q

Preventive control

A

Designed to prevent attacks from occurring in the first place

28
Q

Detective Control

A

Designed to detect and promptly correct attacks that have occurred

29
Q

Deterrent Control

A

Designed to discourage would-be attackers

30
Q

Mitigation/recovery control

A

Designed to minimise the impact of security incidents

31
Q

Compensating Control

A

Alternative fixes to cover any gaps in other control types

32
Q

Corrective control

A

Seeks to reverse/remediate a security incident after it has occurred

33
Q

Directive control

A

Designed to establish desired outcomes by guiding the execution of security within an organisation

34
Q

Cryptography

A

The process of converting plaintext into unintelligible ciphertext and back again. This provides data integrity and confidentiality

35
Q

Block Cipher

A

Symmetric encryption
A cipher that encrypts data in fixed-size blocks (64 bits); it converts plaintext into ciphertext one block at a time, often taking part of the previous block into the new block.
Good for large files and data at rest
AES (Advanced Encryption Standard)
- a symmetric key algorithm that encrypts data in 128-bit blocks and has key sizes of 128, 192 or 256 bits

36
Q

Stream Cipher

A

Symmetric encryption
Data encryption used for continuous streams of data. It uses a pseudo-randomly generated stream of bits that is XORed with the data stream to encode the data one bit at a time. The data is decrypted with the key and the pseudo-randomly generated bits
Used for real-time communication

37
Q

Symmetric Encryption

A

Uses the same key to encrypt and decrypt data
Key management is very important so as not to compromise the data

38
Q

Asymmetric Encryption

A

A form of encryption that uses a public and a private key to encrypt/decrypt data and confirm data integrity
Public key
- a device's key that is known to other devices on a network, which those devices use to encrypt data intended for the original device
Private key
- a device's key that is known only to itself. It is used to decrypt data that has been encrypted with its public key

39
Q

RSA Cipher

A

The internet standard for asymmetric encryption, based on the practical difficulty of factoring the product of two large prime numbers

40
Q

Diffie-Hellman cipher

A

A protocol used for exchanging asymmetric keys

41
Q

Elliptic Curve Cryptography (ECC)

A

A cipher based on the algebraic structure of elliptic curves over finite fields.
Strong encryption while being very efficient

42
Q

Hashing

A

A type of encryption that uses a mathematical formula to create a fixed-length string of characters; the hashed result cannot be decrypted but is used to ensure that the original data has not been tampered with

43
Q

Salting

A

A method of adding complexity to a hashing function by adding random bits to the beginning or end of the data, allowing two or more identical inputs to have different hash outputs.
Both the hashed data and the salt must be stored together

44
Q

Digital certificates

A

A public key stored in a document which includes metadata about the key.
Certificates are issued by a Certification Authority accompanied by a related private key
- Public keys are stored in .cer or .der file formats
- Private keys are stored in .pfx or .pvk file formats

45
Q

Certificate Authority

A

A service that issues certificates

46
Q

Certificate revocation (CRL)

A

A list of certificates that were administratively revoked before they expired

47
Q

Online Certificate Status Protocol (OCSP)

A

Used to balance the load for validating certificates by quickly responding to CRL requests

48
Q

Root of trust

A

Highly reliable hardware, software and firmware used to generate and protect root and CA keys

49
Q

Self-signed certificate

A

A certificate that is created locally, rather than by a CA, which is meant for internal use.

50
Q

Certificate signing request (CSR)

A

A message sent to a CA requesting a digital certificate
- request files are stored as .csr

51
Q

Wildcard certificate

A

A certificate that includes any possible subdomain or host names under a parent domain.
Represented by *

52
Q

Digital signature

A

A security property that uses asymmetric cryptography to sign digital forms (documents, network packets, certificates, etc.), which can be used to verify the authenticity and identity of the signing user, by using the user's private key and a hash

53
Q

Public key Infrastructure (PKI)

A

An arrangement that binds public keys to their respective entities, using policies and procedures to create, manage, distribute, store and revoke digital certificates and manage public key encryption

54
Q

PKI components

A

Certificate Authority (CA)
- a service that registers and issues certificates
Registration Authority
- a service responsible for accepting digital certificate requests and authenticating the entity making the request
Validation Authority
- validates the identity of the entity with the certificate

55
Q

Key Escrow

A

A component of PKI in which a third party stores the private key, which helps protect against unauthorized access or compromise

57
Q

Key Stretching

A

The practice of taking a weak key (password) and transforming it into something that is computationally harder to crack

58
Q

Perfect forward Secrecy

A

Refers to an encryption system that changes the keys used to encrypt and decrypt data frequently and automatically, thus preventing an attacker from using a compromised key to access the data

59
Q

Pass-the-hash Attack

A

A password cracking attack that is used to authenticate by supplying the password hash over the network.
- The password hash can be acquired by performing a hash dump

60
Q

Secure Socket Layer (SSL)

A

A protocol that establishes a secure connection between a client and a host to secure the confidentiality and integrity of data transmission (HTTPS).
- It uses RSA asymmetric encryption to create a temporary secure session (perfect forward secrecy) by exchanging public keys

61
Q

Transport Layer Security (TLS)

A

The successor of SSL, which fixes its vulnerabilities

62
Q

OpenSSL

A

An open source implementation of the SSL/TLS protocols

63
Q

Secure/Multipurpose Internet Mail Extension (S/MIME)

A

A protocol used for sending digitally signed encrypted email messages

64
Q

Pretty Good Privacy (PGP)

A

A system for creating asymmetric key pairs and trading public keys.
Provides authentication and cryptographic privacy

66
Q

Blockchain

A

A mechanism used to store and secure digital data as an open ledger; each new entry becomes a block with a unique identifying hash.
- Old blocks need the approval of all parties before the data stored in the block can be changed

67
Q

Accessing data from a blockchain

A

It is impractical to access data directly from the blockchain, so to get around that a local database is created that stores all previous blocks and is updated when new blocks are created. The local database can then be used to access data from the blockchain

68
Q

Steganography

A

A method of concealing secret data within a data form that is non-secret (image, text, video)

69
Q

Data masking

A

A method of disguising data by replacing the data with a fake but realistic version, with the goal of creating a version that cannot be deciphered or reverse engineered

70
Q

Tokenization

A

The process of substituting sensitive data with a non-sensitive equivalent which acts as a pointer to the sensitive data