New Knowledge Points Flashcards
Diameter vs Radius
Diameter is largely used in the 3G/4G space; RADIUS is used elsewhere. Diameter was intended as a replacement for RADIUS, but the use cases changed and the two now serve different purposes. Both provide centralized AAA (Authentication, Authorization, and Accounting) management for users who connect to and use a network service.
Due diligence vs Due care
Due diligence is planning. Due care is doing the right thing.
Due diligence is first, then due care.
Due care - prudent person rule - asking “What would a prudent person do in the same situation?”
ISC2 Code of Ethics Canons
ISC2 Code of Ethics Canons:
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.
PATRIOT Act of 2001
Expands law enforcement electronic monitoring capabilities. Allows search and seizure without immediate disclosure.
Penetration test phases (as defined by NIST)
Planning
Information gathering and discovery
Attack
Reporting
Hash Functions: RIPEMD
RIPEMD: Developed outside of defense to ensure no government backdoors. 128, 256, 320 bit hashes. Not widely used. No longer secure.
SRAM (Static RAM)
SRAM (Static RAM): Fast and expensive. Uses latches to store bits (Flip-Flops). Does not need refreshing to keep data, keeps data until power is lost. This can be embedded on the CPU.
HIPAA
HIPAA is the Health Insurance Portability and Accountability Act.
Regression testing
Finding defects after a major code change has occurred. Looks for software regressions, such as degraded or lost features, including old bugs that have come back.
MTD > RTO + WRT
The time to rebuild the system and configure it for reinsertion into production must be less than or equal to the MTD.
Clipper chip
The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device that secured “voice and data messages” with a built-in backdoor. It used SkipJack, a block cipher.
On which layer of the Open Systems Interconnect (OSI) model do we establish the connection between 2 applications?
Layer 5: Session Layer: Establishes connection between 2 applications: Setup > Maintenance > Tear Down.
The purpose of production acceptance testing
Compatibility/production testing: Does the software interface as expected with other applications or systems? Does the software perform as expected in our production environment vs. the development environment?
Wi-Fi Protected Access 2 (WPA2) provides users with a higher level of assurance that their data will remain protected by using which protocol?
Extensible Authentication Protocol (EAP)
Static testing
Passively testing the code, it is not running. This is walkthroughs, syntax checking, and code reviews. Looks at the raw source code itself, looking for evidence of known insecure practices, functions, libraries, or other characteristics having been used in the source code.
Real Evidence
Real evidence consists of tangible, physical objects; in IT security this means things like hard disks and USB drives, not the data stored on them.
Polyinstantiation
Polyinstantiation (Alternative Facts) – Two (or more) instances of the same file depending on who accesses it. The real information may be available to subjects with Top Secret clearance, but different information will be available to staff with Secret or lower clearance.
Types of trust domains
One-way trust, two-way trust, trusted domain, transitive trust and intransitive trust are all types of trust domains; there is no reflective trust.
Exigent circumstances
Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. This will later be decided by a court if it was justified. Only applies to law enforcement and those operating under the “color of law” – Title 18. U.S.C. Section 242 – Deprivation of Rights Under the Color of Law.
For access control management, which of these is considered something you have?
A. Fingerprint.
B. Cookie on computer.
C. PIN.
D. MAC address.
B. Cookie on computer.
Explanation: Things in your possession, not things you know (knowledge factor) or something you are (biometrics).
Digital forensics should always be done on bit-level copies of the original, never the original. True or false?
True
Fail-open and fail-closed
In the context of the physical world, the term fail-open is a synonym for fail-safe, and fail-closed is a synonym for fail-secure.
Unstructured audits
Unstructured audits: Internal auditors to improve our security and find flaws, often done before an external audit.
Which of these is NOT covered by the Wassenaar Arrangement?
Rockets.
Encryption algorithms.
SQL Databases.
Munitions.
SQL Databases.
Typosquatting
Typosquatting is a form of cybercrime that involves hackers registering domains with deliberately misspelled names of well-known websites.
Key stretching
Key stretching – Adding 1-2 seconds to password verification. If an attacker is brute forcing a password and needs millions of attempts, the attack becomes infeasible. Brute force attacks use the entire key space (every possible key); with enough time any plaintext can be decrypted. Brute force is effective against all key-based ciphers except the one-time pad: it would eventually decrypt it, but it would also generate so many false positives that the data would be useless.
Clipping levels
Clipping levels are thresholds of acceptable user errors and suspicious activities. If this threshold is exceeded, it must be logged and the administrator must decide if any malicious activity is taking place or if the user needs some training.
What kind of proof does the Civil Law (Tort Law) require?
Civil Law (Tort Law): Individuals, groups or organizations are the victims, and proof must be “the majority of proof” / “more likely than not”. Financial fines to “compensate the victim(s)”.
The evidence we collect must be accurate, complete, authentic, convincing, and admissible.
Drill for security awareness training
Drills (exercises): Walkthroughs of the plan; main focus is to train staff, and improve employee response
Servers pull cold air in from the cold aisles and push it out into the hot aisles. The cold aisles are at the front of the rack and the hot aisles at the rear of the rack. Servers have their intake in the front and exhaust in the back; switches are often reversed.
Crypto-shredding
Crypto-shredding is a data destruction technique that consists of destroying the keys that allow the data to be decrypted, thus making the data undecipherable. It can be used to destroy data on a cloud server. It uses the symmetric algorithm's key.
In the context of security incident response, which of the following is the MOST important consideration when determining the severity of an incident?
A) The number of affected systems
B) The financial impact on the organization
C) The level of media attention
D) The potential harm to the organization’s reputation
B) The financial impact on the organization
S/MIME
The Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol has emerged as a de facto standard for encrypted email. S/MIME uses the RSA encryption algorithm and has received the backing of major industry players, including RSA Security.
ASLR
Address space layout randomization is a memory-protection process for operating systems (OSes) that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.
TEMPEST
The TEMPEST program creates technology that is not susceptible to Van Eck phreaking attacks because it reduces or suppresses natural electromagnetic emanations.
SSAE
Statement on Standards for Attestation Engagements no. 16 is an auditing standard for service organizations, produced by the American Institute of Certified Public Accountants Auditing Standards Board. It superseded Statement on Auditing Standards no. 70 and has itself been superseded by SSAE No. 18.
TACACS+ vs Radius
TACACS+ uses TCP and encrypts the entire session, unlike RADIUS, which only encrypts the password and operates via UDP.
NDA
A nondisclosure agreement (NDA) is a legal agreement between two parties that specifies what data they will not disclose. NDAs are common in industries that have sensitive or trade secret information they do not want employees to take to new jobs.
Authentication Error Type
Type 1 errors occur when a valid subject is not authenticated. Type 2 errors occur when an invalid subject is incorrectly authenticated. Type 3 and Type 4 errors are not associated with biometric authentication.
Responsibility for the serverless computing model
In a serverless computing model, the vendor does not expose details of the operating system to its customers. Therefore, the vendor retains full responsibility for configuring it securely under the shared responsibility model of cloud computing.
Software Capability Maturity Model (SW-CMM)
Initial – good practices are disorganized and chaotic; poorly controlled.
Repeatable – reactive practices and a bit more organized but not necessarily defined.
Defined – formal practices/processes that are well-understood and proactive.
Managed – quantitative, measured, calculatable, and assessable.
Optimizing – practices/processes are continuously optimized and improved.
A database failure in the middle of a transaction causes the rollback of the entire transaction. In this scenario, the database would not execute either command because doing so would violate the atomicity property of the transaction.
NetFlow records
NetFlow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts.
CRL
The certificate revocation list contains the serial numbers of digital certificates issued by a certificate authority that have later been revoked.
IPSec
The Authentication Header provides authentication, integrity, and nonrepudiation for IPsec connections.
The Encapsulating Security Payload provides encryption and thus provides confidentiality. It can also provide limited authentication.
Limit checks
Input validation ensures that the data provided to a program as input matches the expected parameters. Limit checks are a special form of input validation that ensure that the value remains within an expected range, as is the case described in this scenario.
Take grant protection model
HIPAA
HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.
A health and fitness application developer would not necessarily be collecting or processing healthcare data, and the terms of HIPAA do not apply to this category of business.
Kerckhoffs’ principle
Kerckhoffs’ principle says that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge.
Real user monitoring (RUM)
Real user monitoring (RUM) is a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior. RUM is often used as part of a predeployment process using the actual user interface.
Inference attack
In an inference attack, the attacker uses several pieces of generic nonsensitive information to determine a specific sensitive value.
Salami slicing attack
In a salami slicing attack, the attacker siphons off minute quantities of money many times to accumulate a large amount of funds.
Data diddling attack
In a data diddling attack, the attacker alters the contents of a database.
Dynamic application security testing tools vs. static application security testing (SAST) tools
Dynamic application security tools conduct their testing by actually executing the code. This is the case for both fuzzing and web application vulnerability scanning. Code reviews and static analysis packages analyze the code itself but do not execute it, making them static application security testing (SAST) tools.
Evidence requirements
To be admissible, evidence must be relevant, material, and competent.
BAA
HIPAA requires that anyone working with personal health information on behalf of a HIPAA-covered entity be subject to the terms of a business associates agreement (BAA).
key escrow
In a key escrow arrangement, a cryptographic key is stored with a third party for safekeeping. When certain circumstances are met, the third party may use the escrowed key to either restore an authorized user’s access or decrypt the material themselves. This third party is known as the recovery agent.
In an M of N control system, at least M of N possible escrow agents work together to perform high-security tasks. For example, M of N agents must collaborate to retrieve an encryption key from the escrow database.
Split Knowledge
When the information or privilege required to perform an operation is divided among multiple users, no single person has sufficient privileges to compromise the security of an environment. This separation of duties and two-person control contained in a single solution is called split knowledge.
Automated recovery without undue loss
In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss.
USPTO VS The Library of Congress
USPTO - United States Patent and Trademark Office; administers patents and trademarks.
The Library of Congress administers the copyright program.
Parameter checking, or input validation
Parameter checking, or input validation, is used to ensure that input provided by users to an application matches the expected parameters for the application. Developers may use parameter checking to ensure that input does not exceed the expected length, preventing a buffer overflow attack.
ROSI
ROSI - Return on Security Investment.
ROSI = (Benefits of Security Investment – Cost of Security Investment) / Cost of Security Investment
TCO
Total Cost of Ownership (TCO) – The mitigation cost = upfront cost + ongoing cost (normally operational)
Password expiration recommendation
Modern recommendations from the National Institute of Standards and Technology (NIST) are that users should not be forced to change their passwords through the use of password expiration policies. More information on these recommendations may be found in NIST Special Publication (SP) 800-63B, “Digital Identity Guidelines.”
STRIDE
Spoofing – faking an identity
Tampering – modifying the data
Repudiation – maintaining the ability to deny that they’ve done anything (remaining undetected)
Information disclosure – the release or theft of protected data
Denial of service – the impact to availability
Elevation of privilege – typically escalation to administrative rights on a system
I highly recommend getting more familiar with these concepts, along with reading the book and other sources.
Information Security Management
It structures, implements and maintains appropriate policies, procedures, standards and guidelines in order to obtain an acceptable level of risk.
Data Classification vs Data Categorization
The difference between classification and categorization is that classification indicates value, and categorization indicates impact. Both will drive the security requirements.
CSIS 5 critical tenets
Offense Informs Defense
Prioritization
Metrics
Continuous Diagnostics and Mitigation
Automation
Data Control VS Data assurance
WPA3
The replacement for WPA2. It adds security features, including a new mode called Simultaneous Authentication of Equals (SAE) that replaces the pre-shared key mode from WPA2 with a more secure option. Overall, it provides security improvements, but it may not be immediately implemented because hardware and software take time to fully support it.
Backout plan
Backout plans are required in some change management processes to ensure that the thought process and procedures for what to do if something does not go as planned are in place. Validating backout plan quality can be just as important as the change itself, and you may find, in many organizations, that if nobody is watching, backout plans may simply read, “Undo the change we made.”
DRM
Digital rights management (DRM) is the use of technology to control access to copyrighted material. It also enables copyright holders and content creators to manage what users can do with their content, such as how many devices they can access media on and whether they can share it.
Electronic discovery process
During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.
A. WBS chart
B. PERT chart
C. Gantt chart
D. Wireframe diagram
PERT charts use nodes to represent milestones or deliverables and then show the estimated time to move between milestones. Gantt charts use a different format with a row for each task and lines showing the expected duration of the task. Work breakdown structures are an earlier deliverable that divides project work into achievable tasks. Wireframe diagrams are used in web design.
forensic disk controller
A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.
Windows system and the Syslog server
Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls, and Linux systems all typically support syslog.
Access to a System in System High mode
For systems running in System High mode, the user must have a valid security clearance for all information processed by the system, access approval for all information processed by the system, and a valid need to know for some, but not necessarily all, information processed by the system.
Database - Primary key
Any primary key is, by definition, also a candidate key.
SOFTWARE DEVELOPMENT LIFECYCLE (SDLC)
Planning/initiation
Functional requirements definition
System design specifications
Development
Acceptance
Transition to production implementation
Revision/replacement
Maintenance/operation
RFC
RFC - request for change. Each change should result from a reviewed and approved RFC. These RFCs may be approved by the change advisory board (CAB).
CSM and CDM
CSM - Cloud Service Model. IaaS, PaaS and SaaS are the three most popular types of cloud service models.
CDM - Cloud Deployment Model. There are four cloud deployment models: public, private, community, and hybrid.
TOCTOU
TOCTOU - time-of-check to time-of-use, is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.
Which of the following types of code review is not typically performed by a human?
A. Software inspections
B. Pair programming
C. Static program analysis
D. Software walk-throughs
Answer: C
Static program reviews are typically performed by an automated tool. Program understanding, program comprehension, pair programming, software inspections, and software walk-throughs are all human-centric methods for reviewing code.
Forensic Disk Controller
A forensic disk controller performs four functions.
1. Write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device.
2. Returning data requested by a read operation.
3. Returning access-significant information from the device.
4. Reporting errors from the device back to the forensic host.
The controller should not prevent read commands from being sent to the device because those commands may return crucial information.
Synthetic Monitoring
Usually involves running scripts, most typically against a web application.
The elements in change management
The elements that are part of change management are:
Schedule and communication plans.
Find project champions
User Acceptance Training (UAT)
Other types of training
Live communication
Support and feedback
Continuous learning
Success analysis
MTTF
Mean time to failure (MTTF) provides the average amount of time before a device of that particular specification fails.
Fence - 8 feet high to deter intruders
Lighting - 8 feet high with 2 foot-candles of illumination
Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue exists. Reporting, patching, or other remediation actions can be conducted once the vulnerability has been confirmed.
Evidence must be relevant, complete, sufficient and reliable
CASB
Cloud Access Security Broker