Network Security Concepts and Policies Flashcards
How can unauthorized access by a hacker to a company’s information hurt that company?
1) It can cause damage or destruction to proprietary data
2) It can negatively affect company productivity
3) It can impede the capability to compete
4) It can harm relationships with customers and business partners who question the capability of the company to protect its confidential information.
Though individuals and corporations benefit from the elastic deployment of services in the cloud, what have these dramatic changes in business services done?
They have exacerbated the risks in protecting data and the entities using it (individuals, businesses, governments, etc.).
What are four (4) things to consider when planning network security?
1) Examine the need for security
2) Look at what you are trying to protect
3) Examine the different trends for attacks and protection
4) Examine principles of secure network design
As companies move more of their business functions to the public network what should they do?
There is a need for them to take precautions to ensure that:
1) The data cannot be compromised
2) The data is not accessible to anyone who is not authorized to see it.
What are the Basic Security Assumptions?
1) Modern networks are very large, interconnected, and run both ubiquitous and proprietary protocols. Therefore, they are often open to access, and a potential attacker can with relative ease attach to, or remotely access, such networks. Widespread IP internetworking increases the probability that more attacks will be carried out over large, heavily interconnected networks such as the Internet.
2) Computer systems and applications that are attached to these networks are becoming increasingly complex. In terms of security, it becomes more difficult to analyze, secure, and properly test the security of the computer system and applications. It is even more so when virtualization is involved. When these systems and their applications are attached to the large network, the risk to computing dramatically increases.
What are the three (3) things that must be guaranteed in order to provide adequate protection of network resources?
1) Confidentiality - guarantees that only authorized users can view sensitive information.
2) Integrity - guarantees that only authorized users can change sensitive information and provides a way to detect whether data has been tampered with during transmission; this might also guarantee authenticity of data.
3) Availability of systems and data - provides uninterrupted access by authorized users to important computing resources and data.
When designing network security what are the 4 things a designer must be aware of?
1) The threats (possible attacks) that could compromise security
2) The associated risks of the threats (how relevant those threats are for a particular system)
3) The cost to implement the proper security countermeasures for a threat
4) A cost vs benefit analysis to determine whether it’s worthwhile to implement the security countermeasure.
True or false?
Although viruses, worms and hackers monopolize the headlines about information security, risk management is the most important aspect of security architecture for administrators.
True
Risk management is based on specific principles and concepts that are related to asset protection and security management.
What is an asset?
An asset is something of value to an organization.
By knowing which assets you are trying to protect, as well as their value, location, and exposure, you can more effectively determine the time, effort, and money to spend in securing those assets.
What is a vulnerability?
It is a weakness in a system or its design that could be exploited by a threat.
Vulnerabilities can be found in protocols, operating systems, applications, written security policies, etc.
What is a threat?
A threat is any potential danger to assets. It is realized when someone or something identifies a specific vulnerability and exploits it, creating exposure.
A latent threat is one that exists theoretically but has not yet been exploited.
The entity that takes advantage of the vulnerability is known as a threat agent or threat vector.
What is a risk?
A likelihood that a particular threat using a specific attack will exploit a particular vulnerability of a system that results in an undesirable consequence.
If you have a vulnerability but there is no threat toward the vulnerability, technically you have no risk.
What is an exploit?
An exploit is an attack performed against a vulnerability.
What is a countermeasure?
A countermeasure is a safeguard/protection that mitigates the potential risk.
What kind of data has little or no confidentiality, integrity, or availability requirements, so that little effort is made to secure it?
Unclassified Data
What kind of data if leaked could have undesirable effects on the organization?
Restricted data.
This classification is common among NATO countries but not used by all nations.
What kind of data must comply with confidentiality requirements?
Confidential Data. It is the lowest level of classified data in this scheme.
What kind of data would you take significant effort to keep secure because its disclosure could lead to serious damage?
Secret Data.
The number of individuals who have access to Secret Data is usually considerably fewer than the number who are authorized to access confidential data.
What kind of data would you make great effort, and sometimes incur considerable costs, to guarantee its secrecy, since disclosure could lead to exceptionally grave damage?
Top Secret Data
Usually a small number of individuals have access to top-secret data, on condition that there is a need to know.
What data classification, popular among governments, designates data that could prove embarrassing if revealed, but no great security breach would occur?
Sensitive But Unclassified (SBU)
SBU is a broad category that also includes the “For Official Use Only” designation.
Private Sector Classification Scheme:
What classification designates data that’s often displayed in marketing literature or on publicly accessible websites?
Public
Private Sector Classification Scheme:
What classification designates data that if disclosed potentially leads to embarrassment but no serious security breach?
Sensitive
Data in this classification is similar to the SBU classification in the government model.
Private Sector Classification Scheme:
What data classification designates data that is important to an organization?
Private
You make an effort to maintain the secrecy and accuracy of this data.
Private Sector Classification Scheme:
What data classification designates data that companies make the greatest effort to secure? e.g. Trade secrets, employee personnel files
Confidential
What factors are considered when classifying data?
Value - the #1 criterion. Not all data has the same value.
Age - For many types of data, its importance changes with time.
Useful life - Data is usually valuable for only a set window of time. After the window expires, it's usually declassified.
Personal association - Data of this type usually involves something of a personal nature. Steps are usually taken to protect this data until the person is deceased.
What are the most common roles associated with data?
Owner
Custodian
User
Which role is ultimately responsible for the information?
Owner
Usually a senior-level manager who is in charge of a business unit. The owner:
Classifies the data
Selects the custodian of the data
Directs the actions of the custodian
Should periodically review classified data
Is ultimately responsible.
Which role is usually a member of the IT staff who has the day-to-day responsibility for data maintenance?
Custodian
The custodian marks the data to enforce the security controls (decided by the owner).
The custodian maintains availability of the data by regularly backing it up and ensuring backup media are secure.
The custodian reviews security settings of the data as part of their maintenance responsibility.
Which role bears no responsibility for the classification or maintenance of classified data?
Users
Users bear responsibility for using the data in accordance with established operational procedures in order to maintain the security of the data while it's in their possession.
What are the broad categories used to classify vulnerabilities?
Policy flaws
Design errors
Protocol weaknesses
Software vulnerabilities
Misconfiguration
Hostile code
Human factor
What are the three countermeasure category classifications?
Administrative - Controls that are largely policies and procedures
Technical - Controls that involve electronics, hardware, software, etc.
Physical - Controls that are mostly mechanical
The following controls are examples of which control category?
Security Awareness training
Security Policies and standards
Change controls and configuration controls
Security Audits and tests
Good hiring practices
Background checks of contractors and employees
Administrative Controls
The following controls are examples of which control category?
Firewalls
Intrusion Prevention Systems
Virtual Private Network (VPN) concentrators and clients
TACACS+ and RADIUS servers
One-Time Password (OTP) solutions
Smart cards
Biometric authentication devices
Network Admission Control (NAC) systems
Routers with ACLs
Technical Controls
The following controls are examples of which control category?
Locked doors
Intruder detection systems
Locks
Safes
Racks
Uninterruptible power supplies (UPS)
Fire-suppression systems
Positive air-flow systems
Physical controls
What are the three (3) types of controls?
Preventive: the control prevents access
Deterrent: the control deters access
Detective: the control detects access
All three categories of controls (administrative, technical, or physical) can be of any of the three types (preventive, deterrent, or detective).
True or false? A security control is any mechanism that you put in place to reduce the risk of compromise of any of the three CIA objectives.
True
Preventive controls exist to prevent compromise.
A good security design also prepares for failure, recognizing that prevention will not always work. Detective controls enable you to detect a security breach and to determine how the network was breached.
Without detective controls it’s extremely difficult to determine what you need to change.
True
Deterrent controls are designed to scare away a certain percentage of adversaries to reduce the number of incidents.
True
What are the two key questions involved in risk management?
What does the cost-benefit analysis of your security system tell you?
How will the latest attack techniques play out in your network environment?
What are the 4 ways to deal with [Security] risks?
Mitigate
Ignore
Accept
Transfer
What 4 activities contribute to reducing/mitigating risks?
Limitation/Avoidance - Creating a secure environment by not allowing actions that would cause risks to occur, e.g. installing a firewall, using encryption systems, strong authentication.
Assurance - Ensuring policies, standards and practices are followed.
Detection - Detecting intrusion attempts and taking appropriate action to terminate the intrusion.
Recovery - Restoring the system to an operational state.
What are the key factors you should consider when designing a secure network?
Business needs
Risk analysis
Security policy
Industry best practices
Security operations