Intro to Security Terms Flashcards

1
Q

What are the goals of Information Security?

A

The fundamental goals are confidentiality, integrity (data integrity), and availability, also referred to as CIA.

2
Q

What is Confidentiality?

A

Confidentiality is the goal of ensuring that only authorized persons can gain access to information and read it; anyone else who obtains a copy should not be able to make sense of it.

3
Q

What are Access Control/Permissions?

A

Most network administrators secure information on the company network by setting permissions on files and folders. The list of entries stating which users or groups may do what with a file is its access control list (ACL); building the ACL is how you control who can access the file and what they can do with it.

4
Q

What is Encryption?

A

Encrypting the information puts the information in an unreadable format until an authorized person decrypts the information, which places it in a readable format.

You can encrypt information at two levels: in storage (at rest) or in transit from one location to another. Encrypting a file in storage protects it when the permissions are bypassed; for example, an attacker with physical access to a system can normally read the disk from another operating system and ignore the permissions set by the original one. If the data is encrypted in storage and a hacker somehow circumvents the permissions, the data is still unreadable without the key.

When you encrypt information in transit, you typically encrypt the communication channel between two systems, that is, all data that passes through the channel (TLS is the common example). Someone who taps into the communication then cannot read what they captured. Note that encryption on its own provides confidentiality; protecting the key and detecting modification of the data are separate concerns (see integrity).

5
Q

What is Steganography?

A

Steganography is a method of hiding information, such as a text file, inside another file, typically a graphic file, so that the carrier looks unchanged and an observer does not know a hidden message exists. The information is placed in the graphic file using a steganography program, which can also protect the hidden data with a password. After sending the graphic to the intended receiver, the receiver uses the same steganography application to read the text information out of the file. Unlike encryption, steganography hides the existence of the message rather than its content, so sensitive data is normally encrypted before it is hidden.
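The simplest form of the technique described above is least-significant-bit (LSB) hiding: each bit of the secret overwrites the lowest bit of one pixel, so no pixel value changes by more than 1. The following is an added example written for this page, not code from any steganography product. The carrier is a constructed 256-byte grayscale pixel buffer standing in for an image, a two-byte length prefix tells the extractor where the message ends, and the password step mentioned in the card is left out (encrypt the secret first if you need confidentiality).

```python
# Constructed carrier: a 256-"pixel" 8-bit grayscale buffer standing in for an image file.
CARRIER = bytes(range(256))


def _to_bits(data: bytes):
    """Yield the bits of each byte, most significant first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _from_bits(bits) -> bytes:
    """Pack a bit list back into bytes (ignores a trailing partial byte)."""
    bits = list(bits)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def hide(carrier: bytes, secret: bytes) -> bytes:
    """Write the secret (with a 2-byte length prefix) into the LSB of each pixel."""
    payload = len(secret).to_bytes(2, "big") + secret
    if len(payload) * 8 > len(carrier):
        raise ValueError("carrier too small for this secret")
    out = bytearray(carrier)
    for i, bit in enumerate(_to_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit      # only the least significant bit changes
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length prefix from the first 16 LSBs, then that many bytes of secret."""
    lsbs = [pixel & 1 for pixel in stego]
    length = int.from_bytes(_from_bits(lsbs[:16]), "big")
    return _from_bits(lsbs[16:16 + 8 * length])


def max_pixel_change(original: bytes, stego: bytes) -> int:
    """How much any single pixel moved; for LSB hiding this is at most 1."""
    return max(abs(a - b) for a, b in zip(original, stego))


if __name__ == "__main__":
    stego = hide(CARRIER, b"meet at 9pm")
    print(extract(stego), max_pixel_change(CARRIER, stego))
```

Because the carrier is only altered in its lowest bit, the "image" is visually identical, which is the whole point; a statistical analysis of the LSB plane can still reveal that something was hidden, which is why the secret should also be encrypted.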

6
Q

What is Integrity?

A

The concept of data integrity is to ensure that when data is sent from a source to a destination, the information received at the destination has not been altered in transit. Data integrity also means that if you store a file on the drive and open it later, you can be certain that the data has not been altered while in storage.

7
Q

What is Hashing?

A

To ensure data integrity when communicating over a network, the sending system runs the data through a mathematical algorithm, known as a hashing algorithm, which generates an answer known as the hash value. This hash value is sent with the data. On the receiving end, the destination system runs the data through the same algorithm to generate its own hash value and compares it with the one sent with the message; if they are the same, the data is assumed not to have been altered. Note that an unkeyed hash on its own only detects accidental or unsophisticated alteration: an attacker who can change the data in transit can recompute the hash and replace it too. The hash value must therefore travel over a channel the attacker cannot modify, or be replaced by a keyed hash (a message authentication code, or MAC) or a digital signature.

Data integrity is not only about the integrity of the data in transit, but also about the data in storage. In highly secure environments, you may want to ensure that after a user stores a file, the file cannot be altered until the user opens the file again. To verify the integrity of the file, you can use a file integrity program that calculates hash values on the file when the file is saved and then compares the stored hash value with the calculated hash value when the file is opened again. If the file has changed since the last time the user worked with the file, the hash values will be different, and notification that the file has been changed will be sent to the user.

Data integrity is used in many scenarios today; a few of those scenarios follow:

Downloading files:  When you download a program from the Internet, most vendors publish the hash value of the file so that you can perform your own integrity check after downloading it. A matching hash tells you the file was not altered or corrupted during the download. If the hash is published on the same server as the download, an attacker who controls that server can replace both, which is why vendors increasingly also publish a digital signature over the file.

Law enforcement:  When law enforcement agencies perform an investigation on a suspect’s computer, they need to generate a hash value on the data before they even look at it so that they can prove later in court that they did not plant the information. If the evidence comes into question, the hash values of the data before and after the investigation are compared—if they are the same, then the data was not altered.

Another point to make about data integrity is that implementing solutions such as permissions can help protect the data integrity of information, because if you control who is allowed to modify the data, you can then protect it from unauthorized changes.
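The hashing card above covers three things a practitioner should be able to check in code: the receiver-side comparison, the reason a bare hash is not enough against an attacker on the path, and the stored-file baseline used by a file integrity program. The following is an added example written for this page (not from the original text); the file contents, the tampered copy and the shared key are constructed sample data, and HMAC-SHA256 stands in for the generic "keyed hash" the prose mentions.

```python
import hashlib
import hmac

# Constructed sample data: the legitimate file and a tampered copy.
ORIGINAL = b"installer-1.2.3.exe: legitimate program bytes"
TAMPERED = b"installer-1.2.3.exe: legitimate program bytes + injected backdoor"

# Hypothetical key shared in advance by sender and receiver (keyed-hash variant).
SHARED_KEY = b"example-shared-secret"


def hash_hex(data: bytes) -> str:
    """Unkeyed hash value the sender publishes next to the data."""
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, published: str) -> bool:
    """Receiver side: recompute the hash and compare with the published value."""
    return hmac.compare_digest(hash_hex(data), published)


def mac_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_matches(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_hex(key, data), tag)


def unkeyed_check_after_mitm() -> bool:
    """An attacker on the path replaces the file AND the published hash.
    The receiver's check passes, because nothing in an unkeyed hash is secret."""
    data, published = TAMPERED, hash_hex(TAMPERED)
    return hash_matches(data, published)


def keyed_check_after_mitm() -> bool:
    """Same attack against an HMAC: without SHARED_KEY the attacker can only
    guess a key, so the forged tag is rejected."""
    data, tag = TAMPERED, mac_hex(b"attacker-guess", TAMPERED)
    return mac_matches(SHARED_KEY, data, tag)


def build_baseline(files: dict) -> dict:
    """File-integrity baseline: hash of every file recorded when it was saved."""
    return {name: hash_hex(content) for name, content in files.items()}


def changed_files(files: dict, baseline: dict) -> list:
    """Re-hash the files later and report the ones whose hash differs.
    Files that did not exist at baseline time are reported as changed too."""
    return sorted(
        name for name, content in files.items()
        if name not in baseline or not hash_matches(content, baseline[name])
    )


if __name__ == "__main__":
    print("honest download ok:", hash_matches(ORIGINAL, hash_hex(ORIGINAL)))
    print("tampered, hash swapped, unkeyed check passes:", unkeyed_check_after_mitm())
    print("tampered, tag forged, keyed check passes:", keyed_check_after_mitm())
```

The baseline store (the `baseline` dict) is itself data whose integrity matters: a real file integrity program keeps it on a separate, write-protected system, otherwise an attacker who can change the file can update the stored hash as well.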

8
Q

What are some Other Integrity Concepts?

A

Digital signature:  A digital signature is created on a message to prove both who sent it and that it has not been altered. The sender hashes the message and signs the hash with their private key; because only that person holds the private key, anyone with the matching public key can verify that the signature came from them and that the message is unchanged.

Certificate:  A digital certificate is an electronic file that binds a public key to the identity of its owner (a person, server, or organization) and is itself digitally signed by a trusted certificate authority (CA). Certificates are how the public keys used to encrypt messages to someone, or to verify their digital signatures, are distributed and trusted.

Nonrepudiation:  Nonrepudiation is the concept of ensuring that someone cannot dispute that they sent a message or made a change, which adds to the integrity of the system. You can use digital signatures or auditing as a method to implement nonrepudiation.
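To make the three terms concrete, the following added example (written for this page, not from the original text) signs a message hash with a private key, verifies it with the public key, and then wraps the public key in a minimal certificate signed by a CA key. It uses textbook RSA with the Python standard library only: the keys are built from known Mersenne primes instead of random ones and there is no padding, which makes it a teaching toy, not something to deploy. The names Alice and the CA, and the JSON certificate layout, are assumptions of the example.

```python
import hashlib
import json

E = 65537  # common RSA public exponent


def make_key(p: int, q: int):
    """Toy RSA key from two primes: returns (public (e, n), private d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (E, n), d


# Known Mersenne primes stand in for randomly generated primes (toy keys only).
ALICE_PUB, ALICE_PRIV = make_key((1 << 127) - 1, (1 << 107) - 1)   # n is ~234 bits
CA_PUB, CA_PRIV = make_key((1 << 521) - 1, (1 << 607) - 1)          # n is ~1128 bits


def digest_int(message: bytes) -> int:
    # SHA-224 output (224 bits) is smaller than both moduli, so the hash
    # can be signed directly; real systems pad it (e.g. PKCS#1) first.
    return int.from_bytes(hashlib.sha224(message).digest(), "big")


def sign(message: bytes, private_d: int, pub) -> int:
    """Signature = hash^d mod n, computable only with the private exponent d."""
    _, n = pub
    return pow(digest_int(message), private_d, n)


def verify(message: bytes, signature: int, pub) -> bool:
    """Anyone with the public key checks signature^e mod n == hash(message)."""
    e, n = pub
    return pow(signature, e, n) == digest_int(message)


def issue_certificate(subject: str, subject_pub) -> dict:
    """A certificate is (identity, public key) signed by the CA's private key."""
    body = {"subject": subject, "e": subject_pub[0], "n": subject_pub[1]}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "ca_signature": sign(encoded, CA_PRIV, CA_PUB)}


def verify_signed_message(message: bytes, signature: int,
                          cert: dict, claimed_sender: str) -> bool:
    """Receiver side: trust the CA, check the certificate, then the message."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    if not verify(encoded, cert["ca_signature"], CA_PUB):
        return False                       # certificate was not issued by our CA
    if cert["body"]["subject"] != claimed_sender:
        return False                       # certificate belongs to someone else
    subject_pub = (cert["body"]["e"], cert["body"]["n"])
    return verify(message, signature, subject_pub)


if __name__ == "__main__":
    msg = b"Pay Carol 100"
    sig = sign(msg, ALICE_PRIV, ALICE_PUB)
    cert = issue_certificate("alice", ALICE_PUB)
    print(verify_signed_message(msg, sig, cert, "alice"))
```

Nonrepudiation follows from the same construction: only Alice's private key can produce a value that verifies under the public key in her certificate, so she cannot later dispute having signed the message, provided the private key was never shared.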

9
Q

What is Availability?

A

Availability is the last fundamental goal of information security, and it is the concept of ensuring that the information is available when the user wants it. This is an overlooked aspect of information security.

The following are popular solutions you can implement to help maintain availability:

Permissions:  Implementing permissions on a resource is a way to help ensure availability because if you limit who can delete the data, then chances are high it will still be available when needed.

Backups:  Ensure you perform regular backups of critical information so that if the data becomes corrupt or unavailable, you can restore it from backup.

Fault tolerance:  You can implement data redundancy solutions to ensure the data is available so that if one of the hard drives fails, the other drives have a copy of the information.

Clustering:  To ensure availability of services such as e-mail or database servers, you can use a high-availability solution such as clustering. Clustering allows you to have multiple servers acting as one unit so if one server fails, the other server takes over the workload. For example, you can have your e-mail server installed on both servers (called nodes), with one server acting as the active node (currently online) and the other server acting as the passive node (not online). When the active node fails, the passive node will become the active node so that users still have access to e-mail.

Patching:  To aid in the availability of the system, you should ensure you keep the system up to date with patching. Patching a system by applying service packs and security hot fixes helps reduce vulnerabilities in the system and reduces the chances of attack.

10
Q

What is Accountability?

A

Accountability is ensuring that employees are accountable for their actions—if they delete a file, you will ensure they take responsibility for deleting the file.

You implement accountability in the organization by implementing auditing and logging features on the systems, routers, firewalls, and in the applications. The concept here is if you log the activity and are able to identify who caused a certain event to occur, then you can hold that person accountable for their actions. The following are some popular methods to implement accountability within the organization:

Log files:  Most network services either implement logging by default or can be configured to log activity to log files. Be sure to enable logging for all core services on the network so that if an incident arises, you can review the logged data.

Audit files:  Most operating systems have a security auditing feature that allows you to review the security-related events that occur on a system. In Windows, this is the security log in Event Viewer. Be sure to review the security audit logs on a regular basis.

Firewalls and proxy servers:  Most firewalls and proxy servers can log outbound user activity, such as web sites that are visited and applications used for outbound communication. Be sure to review the firewall and proxy server logs on a regular basis to hold the users accountable for their actions.

Application logging:  It is becoming more important for applications to log activity within the application. For example, if someone deletes a customer record or a purchase from the purchasing system, you want to know about it. Find out what levels of logging are available in all your critical applications, and let users know you are logging activity. This will help keep them accountable for their actions within the business software. For example, Microsoft SQL Server has features that allow the database developers to implement logging and auditing in the database application.
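Collecting logs is only half of accountability; the other half is being able to map each logged event to one person. The following added example (written for this page, not taken from any product) parses a few constructed key=value audit lines, attributes deletions to named users, and flags events that cannot be tied to an individual because they were performed under a shared or missing account. The log format and the set of shared account names are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed audit lines in a key=value style; not output of any real product.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z host=fs01 user=bob action=delete path=/share/finance/q1.xlsx result=success
2024-05-02T09:15:10Z host=fs01 user=sue action=read path=/share/finance/q1.xlsx result=denied
2024-05-02T13:02:44Z host=crm01 user=bob action=delete record=customer:4471 result=success
2024-05-02T22:41:55Z host=fs01 user=admin action=delete path=/share/hr/payroll.csv result=success
2024-05-02T22:42:01Z host=fw01 user=- action=connect dst=203.0.113.9:443 result=allowed
"""

# Assumed list of accounts that several people can use; events under these
# names are logged but cannot be attributed to one person.
SHARED_ACCOUNTS = {"admin", "root", "service"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Turn 'timestamp k=v k=v ...' into a dict with a 'ts' key."""
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError(f"unparseable log line: {line!r}")
    event = {"ts": match.group("ts")}
    for pair in match.group("kv").split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def accountability_report(log_text: str) -> dict:
    """Who deleted what, plus the events nobody can be held accountable for."""
    deletions = defaultdict(list)
    unattributable = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        user = event.get("user", "-")
        if user == "-" or user in SHARED_ACCOUNTS:
            unattributable.append(event)   # logged, but not traceable to a person
            continue
        if event.get("action") == "delete":
            deletions[user].append(event.get("path") or event.get("record"))
    return {"deletions": dict(deletions), "unattributable": unattributable}


if __name__ == "__main__":
    report = accountability_report(SAMPLE_LOG)
    for user, items in report["deletions"].items():
        print(f"{user} deleted: {items}")
    for event in report["unattributable"]:
        print("cannot attribute:", event)
```

The payroll deletion under `admin` is the case to notice: it is fully logged, yet no individual can be held responsible for it, which is why shared administrative accounts defeat accountability even when auditing is switched on.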

11
Q

What is Identification and Authentication?

A

Identification happens before authentication and is the process of having users identify themselves to the system. The most popular method companies use to identify individual users is to give each a unique username. The users type their username into the system in order to identify themselves.

After the user inputs the identifying information (the username) and the password for that account, the information is then sent to an authentication system that is responsible for verifying that the username and password are valid. If the username and password are correct, the user is granted access to the system, but if the information is incorrect, an error is displayed and access is denied.

Users can identify themselves and authenticate to the system in a number of ways. The following lists a few popular methods used for identification and authentication purposes:

Username:  The most popular method of identifying users on the network is to give them each a unique username. For the users to identify themselves, they will type the username into a logon screen. To be authenticated, they would type the password associated with that username.

Smartcard: The smartcard can be used to identify the unique owner of that specific smartcard. Once the smartcard is inserted into the system, the user will need to type a PIN associated with the smartcard in order to authenticate to the system.

Token:  A security token is a small device (or an app on a phone) used in the authentication process. The most popular type displays a number that changes every 30 to 60 seconds. The number looks random, but it is a one-time code computed from a secret shared with the authentication server and the current time, which is what allows the server to check it. The code, username, and password are used together to log on.

Biometrics: Biometrics is the concept of using part of your physical self to authenticate to the system. For example, you can scan a fingerprint or a retina to authenticate to a system. Biometrics are typically used in highly secure environments because it is difficult for anyone else to reproduce your physical characteristics. One caveat: unlike a password, a fingerprint cannot be changed if the stored template is stolen, so biometrics are usually combined with another factor.
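The following added example (written for this page, not from the original text) puts the username, password and token steps together in one login function: the username selects the stored record (identification), a salted password hash is checked (authentication, something you know), and the token code is recomputed server-side with the RFC 4226/6238 HOTP/TOTP algorithm from the shared secret (something you have). The user database, salt and the one-step clock-skew window are assumptions of the example; the token secret is the RFC 6238 test-vector secret so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct

USERS = {}   # constructed in-memory user store: username -> record


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen database is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the token displays hotp(secret, time // step)."""
    return hotp(secret, unix_time // step, digits)


def register(username: str, password: str, totp_secret: bytes,
             salt: bytes = b"example-salt") -> None:
    # A real system draws a random salt per user; a fixed one is used here.
    USERS[username] = {"salt": salt,
                       "password_hash": password_hash(password, salt),
                       "totp_secret": totp_secret}


def authenticate(username: str, password: str, code: str,
                 unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Identification (username), then two authentication factors."""
    record = USERS.get(username)
    if record is None:
        return False
    expected = record["password_hash"]
    if not hmac.compare_digest(password_hash(password, record["salt"]), expected):
        return False                                   # wrong password
    counter = unix_time // step
    for offset in range(-window, window + 1):          # tolerate one step of clock skew
        if hmac.compare_digest(hotp(record["totp_secret"], counter + offset), code):
            return True
    return False                                       # wrong or expired token code


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret
    register("bob", "correct horse", secret)
    print("token shows", totp(secret, 59))
    print("login ok:", authenticate("bob", "correct horse", totp(secret, 59), 59))
```

Both `compare_digest` calls matter: comparing secrets with `==` leaks timing information, and the token check in particular is being run against attacker-supplied input.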

12
Q

What is Authorization?

A

Once the user has been authenticated, they are given access to different resources; this is known as authorization. You have many ways to authorize individuals for different resources. One of the most popular methods of authorization is to give the user permissions to a file or folder. The following are some examples of authorization:
Permissions:  You may authorize individuals to access a file by giving them permission to the file or giving a group that the individual is a member of permission to the file.

Router ACLs: Another example of implementing authorization is by configuring access control lists (ACLs) on a router. These ACLs determine whether the router is allowed to accept certain traffic and route it to a different network.

Proxy servers:  Another popular example of authorization is allowing or denying access to different web content at the proxy server. The proxy server is a server on the network that all traffic headed out to the Internet passes through. The proxy server can control what web sites can be visited or even what types of Internet applications can be used by the internal users.

Facility:  A final example of authorization is to control access to different areas of the building. For example, Bob’s smartcard may give him access to the area of the building that he works in, but the card does not open doors to other areas of the building—he is not authorized to access those areas.
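Two of the authorization mechanisms above are easy to get wrong in practice: a router ACL is evaluated top to bottom with the first matching rule winning and an implicit deny at the end, so rule order decides the outcome; and file permissions are the union of what the user and all their groups are granted, minus explicit denies. The following added example (written for this page, not vendor code) implements both as plain functions over constructed rules and packets; the rule syntax, the sample networks and the group names are assumptions of the example.

```python
import ipaddress
from typing import Optional


class Rule:
    """One router ACL entry. Rules are evaluated in order; first match wins."""

    def __init__(self, action: str, proto: str, src: str, dst: str,
                 dport: Optional[int] = None):
        self.action, self.proto, self.dport = action, proto, dport
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or self.dport == pkt.get("dport")))


def acl_decision(acl, pkt: dict) -> str:
    """Return 'permit' or 'deny' for a packet; unmatched traffic is denied."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"                      # the implicit deny at the end of every ACL


# Constructed ACL: block telnet everywhere, let the LAN do HTTPS and internal DNS.
ROUTER_ACL = [
    Rule("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 23),
    Rule("permit", "tcp", "10.0.0.0/24", "0.0.0.0/0", 443),
    Rule("permit", "udp", "10.0.0.0/24", "10.0.0.53/32", 53),
]


def effective_permissions(user: str, groups: set, file_acl) -> set:
    """File ACL as (principal, 'allow'|'deny', {perms}) entries.
    Grants from the user and all their groups add up; an explicit deny wins."""
    allowed, denied = set(), set()
    for principal, kind, perms in file_acl:
        if principal == user or principal in groups:
            (allowed if kind == "allow" else denied).update(perms)
    return allowed - denied


# Constructed file ACL using assumed group names.
FILE_ACL = [
    ("Accounting", "allow", {"read", "write"}),
    ("Everyone", "allow", {"read"}),
    ("Contractors", "deny", {"write"}),
]


if __name__ == "__main__":
    telnet = {"proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 23}
    print("telnet:", acl_decision(ROUTER_ACL, telnet))
    misordered = [Rule("permit", "any", "10.0.0.0/24", "0.0.0.0/0")] + ROUTER_ACL
    print("telnet with permit-any first:", acl_decision(misordered, telnet))
    print(effective_permissions("bob", {"Accounting", "Everyone"}, FILE_ACL))
```

The `misordered` list shows the classic mistake: placing a broad permit above a specific deny silently disables the deny, because the broad rule matches first.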

13
Q

What is Physical Security?

A

The first type of security to be familiar with is physical security. Physical security is the concept of being able to control who has physical access to the assets within the organization. For example, most companies will control access to the servers by placing the servers in a locked room known as the server room.

Physical security also deals with controlling who can gain entry to the premises of the business by placing a fence around the perimeter of the facility and maybe using guards at the entry gate.

14
Q

What is Communication Security?

A

Communication security is an often overlooked aspect of security because companies seem to put a lot of focus on physical security and also on setting permissions on files and folders. Setting permissions on files and folders will help secure the asset only as it is stored on the server—what about when someone accesses the file from across the network? If a user who has permission to the file accesses the file from across the network, the file is downloaded to the client computer. While the file is being downloaded to the client computer, it is possible for untrusted parties to tap into that communication and see the information.

Communication security deals with protecting the information that is traveling between the source and destination by encrypting the communication.

15
Q

What is Computer Security?

A

Computer security is one of the most popular types of security—it deals with securing the computer systems by implementing a number of best practices such as authentication, access control, data redundancy, malware protection, and system-hardening techniques. The point to understand about computer security is that you are securing the system and not the communication between the systems.

16
Q

What is Network Security?

A

Network security is another popular type of security and deals with securing the network, not a particular system. Network security deals with such things as controlling who gains access to the network (switch security) and what type of traffic can enter the network (firewalls). This is complemented by monitoring network traffic for suspicious activity (an intrusion detection system).

17
Q

What is Least Privilege?

A

Least privilege ensures that you always give a user the minimal permissions needed. You do not want to give more permissions than needed because then the user or administrator can do more than what is expected with the resource.

For example, if Bob is responsible for doing the backups of a Windows server, you do not want to place him in the Administrators group because he will have the capability to do more than backups—he can make any change to the system he wants. In this example, you want to place him in the Backup Operators group so that his rights are limited to backing up and restoring files.

Another example involves file permissions—if a user needs to be able to read the contents of a file, be sure to give them just the read permission and no more because they could accidentally delete content out of the file if you make the mistake of giving too much privilege. If this were to happen, who do you think would be at fault—the person who deleted the content or the person who gave the privilege to delete the content?

18
Q

What is Separation of Duties?

A

Separation of duties means that you ensure that all critical tasks are broken down into different processes and that each process is performed by a different employee. For example, in most companies the person who writes the check to pay for a purchase is different from the person who signs the check. Typically, the person who writes the check is someone in the accounting department, but the check is usually signed by the chief financial officer (CFO) of the company.

An example of implementing the concept of separation of duties that is technology focused is that when the company decides to do a security assessment, it is important that the assessment be performed by a security professional and not by the network administrator for the company.

The concept of separation of duties is used to keep everyone honest and to prevent fraudulent activity within the company. Be aware that separation of duties will not protect you from collusion—collusion is the term used to describe when parties conspire together to commit the fraudulent act. For example, the person writing the check and the person signing the check decide to start writing checks for their own joint business.

19
Q

What is Rotation of Duties?

A

Rotation of duties is the principle that you will have multiple employees rotate through different job roles. For example, you have a team of network administrators, and this month Bob will take care of account management, but next month Sue will take over that duty, and Bob will take over the job role that Sue had.

Rotation of duties offers multiple benefits. First, it is a way to ensure accountability for employee actions. If Bob has been intentionally or accidentally misusing his privileges, then Sue will notice that the following month and report it. The other benefit of rotation of duties is that the business does not depend on one person being the only person able to perform a job role. Because you have been rotating multiple employees through different roles, you have some redundancy in skill sets in case an employee is sick or goes on leave.

20
Q

What is the Concept of Need to Know?

A

Need to know means that you give employees access only to information that they need to know about. For example, instead of giving all managers access to the accounting data, you want to ensure that only the accounting manager gets access to the accounting data. You don’t give other managers such as the marketing manager access to accounting data because the marketing manager doesn’t need this access.

Another example of implementing the concept of need to know is with military environments. Just because a commander has been given top secret clearance does not mean that they should be able to view all top secret data in the organization. For example, if the commander is not involved with a certain operation, they do not need to know the information being presented to the personnel involved in that operation.

21
Q

What is Layered Security and Diversity of Defense?

A

Layered security is the concept of not putting all of your eggs in one basket by relying on one type of security solution to create a secure environment. For example, although firewalls are a critical part of the security for any organization, if someone brings a flash drive that is infected with a virus into the office, the firewall is not going to help protect the systems. Taking a layered approach to security means that you will rely on many different types of security controls such as authentication, virus protection, patching systems, and firewalls. Taking a layered approach to security is also known as “defense in depth.”

Diversity of defense is the concept that you should use different products to increase the level of security in your environment. For example, when designing a firewall strategy, you will most likely have multiple layers of firewalls, and it is important to not use the same firewall product at each layer. If the hacker figures out how to hack into the first firewall and you are using the same firewall product elsewhere on the network, the hacker will use the same technique to bypass that firewall. If you use different products provided by different manufacturers, then the method used to hack into the first firewall will not necessarily work on the second firewall. The concept here is that although all products have vulnerabilities, the vulnerabilities are different for each of the different products, and the hacker will have to work extra hard to get through each different product.

22
Q

What is Due Care, Due Diligence?

A

The concepts of due care and due diligence are to ensure that the business is taking actions to do the right thing to protect its employees and assets.

Due care is the concept of doing the right thing. When it relates to security, due care is about implementing the correct security controls to ensure the protection of company assets. Examples include the creation of the security policy, performing regular backups, and performing regular virus scans. The key thing to note with due care is that you are implementing an action.

Due diligence is about identifying your risk so that you know what security controls to put in place (due care). Due diligence involves performing regular assessments and analyzing the assessment results to identify security issues in the environment.

23
Q

What is Vulnerability and Exploit?

A

A vulnerability is a weakness in a piece of software, hardware, or a configuration, usually introduced by the manufacturer or the administrator by accident. An exploit is the code or technique that takes advantage of a vulnerability to compromise the system.

I consider a hacker to be someone with the knowledge to compromise a system, network, or facility. The type of hacker depends on the intent of the hacker:

White-hat hacker:  A white-hat hacker learns how to compromise system security for defensive purposes, meaning they are doing it to better learn how to protect the system or network.

Black-hat hacker:  A black-hat hacker compromises systems or networks for malicious reasons—whether for financial reasons, bragging rights, or simply to cause havoc.

Script kiddie:  A script kiddie does not have a lot of education about how an attack works, but downloads a program from the Internet to perform the attack.

24
Q

What is System and Data Owner?

A

The owner—either the system owner or the data owner—is the person who decides how valuable the asset is and what types of security controls should be put in place to protect the asset. The owner also decides the sensitivity of the information, such as top secret when dealing with classification systems.

The owner of the asset is upper-level management and holds the ultimate responsibility of securing the asset and security within the organization.

25
Q

What is Custodian?

A

The custodian is the person who implements the security control based on the value of the asset determined by the owner. The custodian is the IT administrator who performs common tasks such as backups, configuring permissions, configuring firewalls, and hardening systems. Remember that the owner determines the controls needed, while the custodian actually secures the asset by implementing those controls.

26
Q

What is User?

A

The user is the person who accesses the resources within the business and is considered a user of the asset. The user is affected by the security controls put in place by the custodian, which were determined by the owner.

27
Q

What is Security Officer?

A

The security officer has a very important role and is the liaison between management (the owner) and the IT staff (custodian). The security officer is responsible for making sure that policies are being followed by educating everyone on their role within the organization.

The security officer has the challenge of helping management understand the value of the security controls put in place by ensuring they understand their legal responsibilities and the financial benefits of implementing the controls.