Lesson 13: Explaining Common Security Concepts Flashcards
What are the 3 concepts of the CIA triad?
- Confidentiality
- Integrity
- Availability
Define confidentiality in the CIA triad
Confidentiality means that certain information should only be known to certain people.
Define integrity in the CIA triad
Integrity means that the data is stored and transferred as intended and that any modification is authorized.
Define availability in the CIA triad
Availability means that information is accessible to those authorized to view or modify it.
Define a vulnerability
A weakness that could be accidentally triggered or intentionally exploited to cause a security breach
Define a threat
The potential for someone or something to exploit a vulnerability and breach security. A threat may be intentional or unintentional. The person or thing that poses the threat is called a threat actor or threat agent.
Define an attack vector
The path or tool used by a threat actor
Define risk
The likelihood and impact (or consequence) of a threat actor exercising a vulnerability
Define risk management
A process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform
Define risk assessment
A subset of risk management where a company’s systems and procedures are evaluated
Define a mission essential function (MEF)
Business or organizational activity/process that is too critical to be deferred for anything more than a few hours, if at all
Define business impact analysis (BIA)
Activity that identifies organizational risks and assesses their effect on ongoing, mission-critical operations, as well as what losses might occur for a range of threat scenarios
Define business continuity planning (BCP)
Identifies controls and processes that enable an organization to maintain critical workflows in the face of some adverse event
Define an exploit
Specific code or method of using a vulnerability to gain control of a system or to cause damage
Define a zero-day vulnerability/exploit
A vulnerability that is exploited before the developer knows about it or can release a patch
Define a legacy system
A legacy system is one where the software vendor no longer provides support or fixes for problems
Define a vulnerability assessment
An evaluation of a system’s security and ability to meet compliance requirements based on the configuration state of the system; determines if the current configuration matches the ideal configuration (the baseline)
What does CVE stand for?
Common Vulnerabilities and Exposures
What is the purpose of a CVE?
A scheme for identifying vulnerabilities
What is the construction of a CVE identifier?
CVE-YEAR-ORDER DISCOVERED
Define an external threat
A threat actor that has no account or authorized access to the targeted system
Define an internal threat
A threat actor that has been granted permissions/access on the system
Define Security Information and Event Management (SIEM)
Solution that provides real-time or near-real-time analysis of security alerts/logs generated by network hardware and applications
What is the primary function of SIEM?
To aggregate logs from multiple sources, and to correlate individual events into indicators of compromise (IOC)
What is a pen test?
Active test that uses tools and security utilities to evaluate security by simulating a live attack on a system
Define Privileged Account Management (PAM)
Policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts and to mitigate risks from weak configuration control over privileges
What are the 3 principles of Privileged Account Management (PAM)?
- Least privilege
- Role-based access
- Zero trust
Define least privilege
Principle of security stating that a user should be allocated the minimum necessary rights, privileges, or information to perform its role
What is the purpose of least privilege?
Mitigates the risk if the account becomes compromised
Define authorization creep
Refers to when a user requires more rights over time
Define role-based access
Access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions (read, write, modify, etc.) based on job functions
Define zero trust
Security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed
What are the ways to implement zero trust?
- Continuous authentication and conditional access, used to mitigate privilege escalation and account compromise
- Microsegmentation: a security process that can apply policies to a single node, as though it were in a zone of its own
What is the purpose of an access control system?
Set of technical security controls that govern how subjects are permitted to interact with objects
Define a subject
A user, device, or software process; anything that can request and be granted access to a resource
Define an object
Networks, servers, databases, files, etc.
Define an Access Control List (ACL)
Collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given
Define Identity and Access Management (IAM)
Security system that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets
What processes does an Identity and Access Management (IAM) system perform?
- Identification
- Authentication
- Authorization
- Accounting
Define the Identification process
Creating an account or ID that identifies the user, device, or process on the network
Define the authentication process
Proving that a subject is who or what it claims to be when it attempts to access a resource: the account holder submits credentials to the system to request access, and the system compares the submitted credentials to the credentials stored in the system
Define the authorization process
Determining what rights subjects should have on each resource and enforcing those rights
Define the accounting process
Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted
Name the different authentication factors
- Knowledge factor
- Ownership factor
- Biometric factor
- Behavioral factor
- Location factor
Define a knowledge authentication factor
Something you know (password/passphrase)
Define an ownership authentication factor
Something you have (smartcard)
Define a human/biometric authentication factor
Something you are (fingerprint)
Define a behavioral authentication factor
Something you do (making a signature)
Define a location authentication factor
Somewhere you are (a mobile device with location services)
Define multifactor authentication
Authentication scheme that requires the user to present at least two different factors as credentials
What is the default authentication factor for local authentication?
Knowledge factor - A password or PIN
How is knowledge factor authentication secured in a credential database?
By cryptographic hashes
What is a cryptographic hash?
A function that converts any string to a unique, fixed-length code
How does an authenticator verify a password?
By converting the user-submitted password into a hash and comparing it against the one in the database
Define Windows local sign-in
The Local Security Authority (LSA) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry
Define Windows network sign-in
The Local Security Authority (LSA) can pass the credentials for authentication to Kerberos
Where are user account names stored in Linux?
In /etc/passwd
Where does the Linux system store password hashes?
In /etc/shadow
Define a pluggable authentication module (PAM)
A PAM is a package for enabling smart cards
Define Single Sign-On (SSO)
Authentication technology that enables a user to authenticate once and receive authorizations for multiple services
Define Kerberos
Provides SSO authentication in a Windows domain.
What is the purpose of a Key Distribution Center (KDC)?
A technology that verifies the identity of a client and of the server it's requesting resources from, such as a domain controller
What are the two functions that make up a Key Distribution Center (KDC)?
- The authentication service
- Ticket granting service
What is the purpose of the authentication service of a Key Distribution Center (KDC)?
Responsible for authenticating user logon requests and services
What does a Key Distribution Center (KDC) do after authenticating a service/user?
Once the client/service has authenticated, the KDC presents the user with a ticket granting ticket
What is a ticket granting ticket?
Allows a user to request service tickets that grant access to a target resource
How does a client/service gain access to a resource?
By requesting a service ticket by supplying the Ticket Granting Ticket to the Ticket Granting Service
What is the purpose of a digital certificate?
Identification and authentication information presented in the X.509 format and issued by a Certificate Authority (CA) as a guarantee that a key pair (as identified by the public key embedded in the certificate) is valid for a particular subject (user or host)
Define asymmetric encryption
Public key cryptography; allows users to encrypt information using key pairs
List one way cryptographic key pairs are used
When receiving data, the recipient's public key is given to the sender to encrypt the data before transmission, and the message can only be decrypted with the private key that only the recipient has
List another way cryptographic key pairs are used
When authenticating to a remote system, create a signature and sign it by encrypting it with the private key; when it's received by the recipient, they decrypt it with the public key
What is the biggest problem with public key cryptography?
Proving the identity of the owner of a public key
What is the purpose of Public Key Infrastructure (PKI)?
Aims to prove the identity of the owners of a public key
What purpose does a digital certificate serve?
A wrapper/placeholder for a public key as well as information about the subject (entity)
Define the Extensible Authentication Protocol (EAP)
Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication
How is 802.1X Port-based Network Access Control (NAC) implemented?
Encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication
What authentication architecture does 802.1X port-based Network Access Control (NAC) use?
AAA
Define AAA architecture
Authentication, authorization, accounting
What is RADIUS (remote authentication dial-in user service)?
AAA protocol used to manage remote and wireless authentication infrastructures over UDP ports 1812 and 1813
What is TACACS+ (Terminal Access Controller Access Control System)?
AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management over TCP port 49
Define LDAP (Lightweight directory access protocol)
Network protocol used to access network directory databases, which store information about authorized users and their privileges over TCP/UDP port 389
Define simple bind authentication
The client must supply its distinguished name (DN)/identity and password, but these are passed as plaintext
Define Simple Authentication and Security Layer (SASL)
The client and server negotiate the use of a supported authentication mechanism, such as Kerberos
What is LDAP Secure (LDAPS)?
The LDAP server is installed with a digital certificate, which it uses to set up a secure tunnel for the user credential exchange over TCP port 636
Which kind of bandwidth management technology uses a header field to indicate a priority value for a layer 3 (IP) packet?
DiffServ