Section 1 General Security Concepts Flashcards

1
Q

What are security risks?

A

Security risks come in many different categories and types.

2
Q

What are the varied assets in security?

A

Assets include data, physical property, and computer systems.

3
Q

What is the purpose of security controls?

A

To prevent security events, minimize the impact, and limit the damage.

4
Q

What are technical controls?

A

Controls implemented using systems, such as operating system controls, firewalls, and anti-virus.

5
Q

What are managerial controls?

A

Administrative controls associated with security design and implementation, including security policies and standard operating procedures.

6
Q

What are operational controls?

A

Controls implemented by people instead of systems, such as security guards and awareness programs.

7
Q

What are physical controls?

A

Controls that limit physical access, including guard shacks, fences, locks, and badge readers.

8
Q

What is a preventive control?

A

A control that blocks access to a resource.

9
Q

What are examples of preventive controls?

A

Firewall rules, following security policy, a guard shack that checks all identification, and enabling door locks.

10
Q

What is a deterrent control?

A

A control that discourages an intrusion attempt but does not directly prevent access.

11
Q

What are examples of deterrent controls?

A

Application splash screens, threat of demotion, front reception desk, and posted warning signs.

12
Q

What is the purpose of preventive controls?

A

To block access to resources and prevent unauthorized access.

13
Q

What is the purpose of deterrent controls?

A

To make an attacker think twice before attempting an intrusion.

14
Q

What are detective control types?

A

Detective control types identify and log an intrusion attempt but may not prevent access.

15
Q

What actions are involved in detecting the issue?

A

Collect and review system logs, review login reports, regularly patrol the property, and enable motion detectors.

16
Q

What are corrective control types?

A

Corrective control types apply a control after an event has been detected, reverse the impact of an event, and continue operating with minimal downtime.

17
Q

What actions are involved in correcting the problem?

A

Restoring from backups to mitigate a ransomware infection, creating policies for reporting security issues, contacting law enforcement to manage criminal activity, and using a fire extinguisher.

18
Q

What are compensating control types?

A

Compensating control types use other means when existing controls aren’t sufficient and may be temporary.

19
Q

What actions can compensate for the exploitation of a weakness?

A

Blocking a specific application with a firewall instead of patching the app, implementing a separation of duties, requiring simultaneous guard duties, and using a generator after a power outage.

20
Q

What is a directive control type?

A

A directive control type directs a subject towards security compliance.

It is considered a relatively weak security control.

21
Q

What are some examples of directive controls?

A

Examples include:
- Store all sensitive files in a protected folder
- Create compliance policies and procedures
- Train users on proper security policy
- Post a sign for ‘Authorized Personnel Only’

22
Q

What are security controls?

A

Measures implemented to manage and mitigate risks.

They can be categorized into various types.

23
Q

Are the lists of security controls all-inclusive?

A

No, the lists of security controls are not all-inclusive; there are many categories of control.

24
Q

What are the main categories of security controls?

A

The main categories of security controls are Technical, Managerial, Operational, and Physical.

25
What is an example of a technical security control?
An example of a technical security control is a firewall.
26
What is an example of a managerial security control?
An example of a managerial security control is an on-boarding policy.
27
What is an example of a physical security control?
An example of a physical security control is a door lock.
28
What are some types of security controls?
Types of security controls include Preventive, Detective, Corrective, Deterrent, and Compensating.
29
What is an example of a detective security control?
An example of a detective security control is system logs.
30
What is an example of a corrective security control?
An example of a corrective security control is backup recovery.
31
What is an example of a compensating security control?
An example of a compensating security control is blocking instead of patching.
32
Can security controls exist in multiple categories?
Yes, some security controls may exist in multiple types or categories.
33
How do security controls evolve?
New security controls are created as systems and processes evolve.
34
What is the CIA Triad?
A combination of principles that form the fundamentals of security.
Footnote: Sometimes referenced as the AIC Triad.
35
What does Confidentiality in the CIA Triad refer to?
Preventing disclosure of information to unauthorized individuals or systems.
36
What does Integrity in the CIA Triad ensure?
Messages can't be modified without detection.
37
What is the focus of Availability in the CIA Triad?
Ensuring systems and networks are up and running.
38
What is a key aspect of Confidentiality?
Certain information should only be known to certain people.
39
What is Encryption?
Encoding messages so only certain people can read them.
40
What are Access controls?
Selectively restricting access to a resource.
41
What is Two-factor authentication?
An additional confirmation before information is disclosed.
42
What does integrity in data refer to?
Data is stored and transferred as intended. Any modification to the data would be identified.
43
What is hashing?
Hashing maps data of an arbitrary length to data of a fixed length.
44
What is the purpose of digital signatures?
Digital signatures are a mathematical scheme to verify the integrity of data.
45
How do certificates work in data integrity?
Certificates combine with a digital signature to verify an individual.
46
What is non-repudiation?
Non-repudiation provides proof of integrity and allows data to be asserted as genuine.
47
What does availability in data security mean?
Information is accessible to authorized users and is always at your fingertips.
48
What is redundancy in the context of availability?
Redundancy involves building services that will always be available.
49
What is fault tolerance?
Fault tolerance means the system will continue to run, even when a failure occurs.
50
What is the purpose of patching in data security?
Patching ensures stability and closes security holes.
51
What are the main objectives of data security?
The main objectives are integrity, availability, and confidentiality.
52
What is non-repudiation?
You can't deny what you've said; there's no taking it back.
53
How does signing a contract relate to non-repudiation?
Your signature adds non-repudiation; you really did sign the contract and others can see your signature.
54
What perspective does non-repudiation add for cryptography?
It provides proof of integrity and proof of origin, with high assurance of authenticity.
55
What is proof of integrity?
It verifies that data does not change; the data remains accurate and consistent.
56
How is data represented in cryptography for integrity?
We use a hash, which represents data as a short string of text, known as a message digest or fingerprint.
57
What happens if the data changes?
If the data changes, the hash changes, just as a different person has a different fingerprint.
58
Does hashing associate data with an individual?
No, it only tells you if the data has changed.
59
What happens when one character is changed in a file?
The hash changes.
Footnote: If the hash is different, something has changed, indicating data integrity has been compromised.
60
What does integrity prove in a message?
It proves the message was not changed.
61
What does authentication prove in a message?
It proves the source of the message.
62
What does non-repudiation ensure?
It ensures that the signature isn't fake.
63
How is a message signed?
Sign with the private key.
Footnote: The message doesn't need to be encrypted, and nobody else can sign this.
64
How is a signature verified?
Verify with the public key.
Footnote: Any change to the message will invalidate the signature.
65
What is the first step of the AAA framework?
Identification: This is who you claim to be, usually your username.
66
What is the second step of the AAA framework?
Authentication: Prove you are who you say you are, using a password and other authentication factors.
67
What is the third step of the AAA framework?
Authorization: Based on your identification and authentication, what access do you have?
68
What is the fourth step of the AAA framework?
Accounting: Resources used include login time, data sent and received, and logout time.
69
Why is authenticating systems challenging?
You have to manage many devices, often devices that you'll never physically see.
70
Why can't a system type a password?
A system can't type a password, and you may not want to store one.
71
How can you truly authenticate a device?
Put a digitally signed certificate on the device.
72
What business processes rely on the certificate?
Access to the VPN from authorized devices, and management software that can validate the end device.
73
What is a trusted Certificate Authority (CA)?
An organization has a trusted Certificate Authority (CA). Most organizations maintain their own CAs.
74
How is a certificate created for a device?
The organization creates a certificate for a device and digitally signs the certificate with the organization's CA.
75
How is a certificate used as an authentication factor?
The CA's digital signature is used to validate the certificate.
76
What happens after a user or device has authenticated?
They need to know what they have access to.
Footnote: This is the time to apply an authorization model.
77
What does associating individual users directly to access rights not do?
It does not scale.
78
What should be placed in the middle of user access?
An authorization model.
79
What can an authorization model be defined by?
Roles, Organizations, Attributes, etc.
80
What is a simple relationship in authorization?
User -> Resource.
81
What are some issues with the simple relationship method?
It is difficult to understand why an authorization may exist and does not scale.
82
What is the purpose of using an authorization model?
To add an abstraction, reduce complexity, and create a clear relationship between the user and the resource.
83
How does an authorization model streamline administration?
It makes authorizations easy to understand and supports any number of users or resources.
84
What is Gap Analysis?
It is the comparison of where you are with where you want to be, identifying the 'gap' between the two.
85
What may be required when collecting information in a Gap Analysis?
Extensive research may be required, considering various factors.
86
How long can Gap Analysis take?
It can take weeks or months, involving an extensive study with numerous participants.
87
What should you prepare for during Gap Analysis?
Be ready for emails, data gathering, and technical research.
88
What is important when choosing a framework?
Work towards a known baseline, which may be an internal set of goals or formal standards.
89
What regulations should be determined as part of the framework?
The end goal, such as NIST Special Publication 800-171 Revision 2 or ISO/IEC 27001.
90
What does NIST Special Publication 800-171 Revision 2 focus on?
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
91
What does ISO/IEC 27001 pertain to?
Information security management systems.
92
What is the first step in evaluating people and processes?
Get a baseline of employees, including formal experience, current training, and knowledge of security policies and procedures.
93
What should be examined in current processes?
Research existing IT systems and evaluate existing security policies.
94
What is the purpose of comparison in security analysis?
To evaluate existing systems and identify weaknesses along with the most effective processes.
95
What does a detailed analysis in security involve?
Examining broad security categories and breaking those into smaller segments.
96
What does the final comparison in an analysis and report include?
Detailed baseline objectives and a clear view of the current state.
97
What is necessary to transition from the current security state to the goal?
A path that will almost certainly include time, money, and lots of change control.
98
What is created during the gap analysis report?
A formal description of the current state and recommendations for meeting the baseline.
99
What is Zero Trust?
Zero trust is a holistic approach to network security that covers every device, every process, and every person.
100
What is a key principle of Zero Trust?
Everything must be verified; nothing is inherently trusted.
101
What are some methods used in Zero Trust?
Multi-factor authentication, encryption, system permissions, additional firewalls, monitoring, and analytics.
102
What does splitting the network into functional planes involve?
It applies to physical, virtual, and cloud components.
103
What is the data plane?
The data plane processes the frames, packets, and network data, including processing, forwarding, trunking, encrypting, and NAT.
104
What is the control plane?
Manages the actions of the data plane, defines policies and rules, and determines how packets should be forwarded.
Footnote: Includes routing tables, session tables, and NAT tables.
105
What is adaptive identity?
Considers the source and the requested resources, utilizing multiple risk indicators such as relationship to the organization, physical location, type of connection, and IP.
106
What are subjects and systems in policy enforcement?
Includes end users, applications, and non-human entities.
107
What is a policy enforcement point (PEP)?
Acts as the gatekeeper to allow, monitor, and terminate connections.
Footnote: Can consist of multiple components working together.
108
What is the Policy Decision Point?
There's a process for making an authentication decision.
109
What does the Policy Engine do?
Evaluates each access decision based on policy and other information sources. It can grant, deny, or revoke access.
110
What is the role of the Policy Administrator?
Communicates with the Policy Enforcement Point, generates access tokens or credentials, and instructs the PEP to allow or disallow access.
111
How can the Policy Administrator enhance security?
By making the authentication stronger, if needed.
112
What is threat scope reduction?
Decrease the number of possible entry points.
113
What is policy-driven access control?
Combine the adaptive identity with a predefined set of rules.
114
What is the nature of security relationships?
Security is more than a one-to-one relationship. Broad categorizations provide a security-related foundation.
115
What are the key categories for security zones?
Trusted, untrusted, internal network, external network, VPN 1, VPN 5, VPN 11, Marketing, IT, Accounting, Human Resources.
116
What can using security zones achieve?
Using the zones may be enough by itself to deny access.
Footnote: For example, Untrusted to Trusted zone traffic.
117
What is an example of an implicitly trusted zone?
Some zones are implicitly trusted.
Footnote: For example, Trusted to Internal zone traffic.
118
What is the primary function of barricades and bollards?
Prevent access, channel people through a specific access point, and identify safety concerns.
119
How do barricades and bollards manage access?
They let people through while blocking cars and trucks.
120
What extreme measures can barricades take?
Concrete barriers, bollards, and moats.
121
What is an access control vestibule?
A system where opening one door causes others to lock.
122
What happens when all doors are normally locked in an access control vestibule?
Unlocking one door prevents others from being unlocked.
123
What is the function of having one door open and the other locked?
When one door is open, the other cannot be unlocked.
124
What is meant by 'one at a time, controlled groups' in access control?
Managed control through an area.
125
What is the purpose of fencing?
To build a perimeter, which is usually very obvious.
126
What are the characteristics of fencing?
Fencing can be transparent or opaque, robust, and designed to prevent climbing.
127
What is the role of video surveillance?
CCTV can replace physical guards.
128
What are important features of surveillance cameras?
Motion recognition can alarm and alert, while object detection can identify a license plate or face.
129
How are surveillance cameras typically organized?
Often many different cameras are networked together and recorded over time.
130
What is the role of a security guard?
Provides physical protection at the reception area of a facility and validates identification of existing employees.
131
What is two-person integrity/control?
Minimizes exposure to an attack by ensuring no single person has access to a physical asset.
132
What details are included on an access badge?
Includes a picture, name, and other details. Must be worn at all times and is electronically logged.
133
How does lighting contribute to security?
More light means more security: attackers avoid the light, and a lit area is easier to see.
134
What is the importance of lighting design?
Consider overall light levels and angles, which are important for facial recognition and to avoid shadows and glare.
135
What does an infrared sensor detect?
Detects infrared radiation in both light and dark, commonly used in motion detectors.
136
What does a pressure sensor detect?
Detects a change in force, used in floor and window sensors.
137
What is the function of a microwave sensor?
Detects movement across large areas.
138
How does an ultrasonic sensor work?
Sends ultrasonic signals and receives reflected sound waves to detect motion and collisions.
139
What is the purpose of honeypots?
Honeypots attract the bad guys and trap them there.
140
Who is typically the attacker in honeypots?
The 'attacker' is probably a machine, which makes for interesting reconnaissance.
141
What do honeypots create?
Honeypots create a virtual world to explore.
142
What are the options for honeypots?
There are many different options, most of which are open source and available to download.
143
What is the challenge associated with honeypots?
There is a constant battle to discern the real from the fake.
144
What is a honeynet?
A honeynet is a real network that includes more than a single device, such as servers, workstations, routers, switches, and firewalls.
145
What does a honeynet do?
A honeynet builds a larger deception network with one or more honeypots.
146
What is the benefit of a honeynet?
A honeynet provides more than one source of information.
147
What are honeyfiles?
Honeyfiles attract attackers with more honey by creating files with fake information.
148
What characteristics do honeyfiles have?
Honeyfiles contain something bright and shiny.
149
What are honeyfiles?
Bait for the honeynet (e.g., passwords.txt).
Footnote: Add many honeyfiles to file shares.
150
What happens when a honeyfile is accessed?
An alert is sent if the file is accessed.
Footnote: It acts as a virtual bear trap.
151
What are honeytokens?
Data used to track malicious actors.
Footnote: Add some traceable data to the honeynet.
152
What happens if honeytoken data is stolen?
You'll know where it came from.
153
What are API credentials in the context of honeytokens?
They do not actually provide access.
Footnote: Notifications are sent when used.
154
How can fake email addresses be used as honeytokens?
Add it to a contact list.
Footnote: Monitor the Internet to see who posts it.
155
What are some other examples of honeytokens?
Database records, browser cookies, web page pixels.
156
What is change management?
The process of making changes such as upgrading software, patching applications, changing firewall configurations, or modifying switch ports.
157
What is one of the most common risks in the enterprise?
Change management risks occur very frequently and are often overlooked or ignored.
Footnote: Did you feel that bite?
158
What should be established for effective change management?
Clear policies regarding frequency, duration, installation process, and rollback procedures.
159
What makes change management sometimes extremely difficult?
It can be hard to change corporate culture.
160
What is the change approval process?
A formal process for managing change to avoid downtime, confusion, and mistakes.
161
What are the steps in a typical change approval process?
1. Complete the request forms
2. Determine the purpose of the change
3. Identify the scope of the change
4. Schedule a date and time for the change
5. Determine affected systems and the impact
6. Analyze the risk associated with the change
7. Get approval from the change control board
8. Get end-user acceptance after the change is complete
162
What is ownership in the context of process change?
An individual or entity needs to make a change and they own the process. They don't (usually) perform the actual change.
163
What does the owner of a process do?
The owner manages the process, receives updates, and ensures the process is followed and acceptable.
164
Who owns the process for upgrading address label printers?
The Shipping and Receiving department owns the process, while IT handles the actual change.
165
Who are stakeholders in a change management process?
Stakeholders are those who are impacted by the change and will want to have input on the change management process.
166
Can a single change impact multiple stakeholders?
Yes, a single change can include one individual or the entire company.
167
What are some examples of stakeholders affected by upgrading software for shipping labels?
Shipping/receiving, accounting reports, product delivery timeframes, and revenue recognition (CEO visibility).
168
What is impact analysis?
Impact analysis involves determining a risk value, categorized as high, medium, or low.
169
What types of risks can be identified?
Risks can be minor or far-reaching, including issues where the 'fix' doesn't actually resolve the problem or breaks something else.
170
What are some examples of risks?
Examples include operating system failures and data corruption.
171
What is the risk of NOT making a change?
Not making a change can lead to security vulnerabilities, application unavailability, and unexpected downtime to other services.
172
What is a sandbox testing environment?
A sandbox testing environment has no connection to the real world or production system, serving as a technological safe space.
173
When should a sandbox be used?
A sandbox should be used before making a change to production, such as trying an upgrade or applying a patch.
174
What should be confirmed before deploying a system change?
It is important to confirm the backout plan to move everything back to the original state.
175
What is a limitation of a sandbox?
A sandbox can't consider every possibility.
176
What is a backout plan?
A backout plan is a strategy to revert changes if they do not work as intended.
Footnote: Prepare for the worst, hope for the best.
177
Why should you always have a way to revert changes?
You should always have a way to revert your changes to mitigate potential issues.
178
Is reverting changes always easy?
No, some changes are difficult to revert.
179
What is essential to have when implementing changes?
Always have backups to ensure data safety.
180
What is a maintenance window?
A maintenance window is the scheduled time for implementing changes.
181
When might changes be scheduled?
Changes might be scheduled during off-peak hours to minimize disruption.
182
Why might the workday not be the best option for changes?
Potential downtime during the workday could affect a large part of production.
183
What is often a better choice for scheduling changes?
Overnight changes are often a better choice.
184
What is a challenge with overnight changes?
Overnight changes can be challenging for 24-hour production schedules.
185
What seasonal consideration should be taken into account?
The time of year may be a consideration, as retail networks are frozen during the holiday season.
186
Why is change management critical?
Change management is critical because it affects everyone in the organization.
187
What must the change management process be?
The process must be well documented and available on the Intranet.
188
What should be included with the change management documentation?
All standard processes and procedures should be included.
189
How are changes to the process reflected?
Changes to the process are reflected in the standards, making it a living document.
190
What is the first step in technical change management?
Put the change management process into action.
191
What does executing the plan in change management entail?
It involves implementing the planned changes.
192
Is there such a thing as a simple upgrade?
No, there are often many moving parts involved.
193
What may be required during a technical change?
Separate events may be required.
194
What is change management primarily concerned with?
'what' needs to change.
195
What is the technical team's focus in change management?
'how' to change it.
196
What can any application potentially be?
Any application can be dangerous due to vulnerabilities, trojan horses, and malware.
197
How can security policy control application execution?
Through an allow list or deny/block list.
198
What is an allow list?
An allow list means nothing runs unless it's approved, making it very restrictive.
199
What is a deny list?
A deny list means nothing on the 'bad list' can be executed, often used in anti-virus and anti-malware.
200
Why is the scope of a change important?
It defines exactly which components are covered.
201
Does a change approval allow for any change?
No, a change approval isn't permission to make any change; it is very specific.
202
What may happen to the scope during the change window?
The scope may need to be expanded, as it's impossible to prepare for all possible outcomes.
203
What determines the next steps in the change management process?
The change management process itself determines the next steps.
204
What is in place to ensure a successful change?
There are processes in place to make the change successful.
205
What is downtime?
Downtime refers to the period when services are unavailable.
Footnote: Services will eventually be unavailable due to the change process, which can be disruptive and is usually scheduled during non-production hours.
206
How can downtime be prevented?
Downtime can be prevented by switching to a secondary system, upgrading the primary, and then switching back.
Footnote: If possible, this method helps to maintain service availability.
207
What are strategies to minimize downtime events?
Minimizing downtime events involves automating the process, switching back to the secondary system if issues arise, and including this in the backout plan.
Footnote: The process should be as automated as possible.
208
What communication should be done before downtime?
Emails and calendar updates should be sent to inform relevant parties about downtime.
Footnote: This ensures that everyone is aware of the service interruptions.
209
What is a common requirement during system changes?
It is common to require a restart to implement the new configuration.
Footnote: This may involve rebooting the OS, power cycling the switch, or bouncing the service.
210
Can the system recover from a power outage?
It is important to assess whether the system can recover from a power outage.
Footnote: This consideration is crucial for maintaining service continuity.
211
What can you do with services failure?
You can stop and restart the service or daemon. It may take seconds or minutes.
212
What actions can be performed on applications?
You can close the application completely or launch a new application instance.
213
What are legacy applications?
Legacy applications were present before you arrived and will remain after you leave.
214
What is a common issue with legacy applications?
They are often no longer supported by the developer, making you the support team.
215
What should you do when facing fear of the unknown with legacy systems?
Face your fears and document the system; it may not be as bad as you think.
216
What is a characteristic of legacy applications?
They may be quirky, so it's important to create specific processes and procedures.
217
What should you aim to become regarding legacy applications?
Become the expert on the legacy applications.
218
What are dependencies in the context of services and applications?
To complete A, you must complete B; for example, a service will not start without other active services.
219
What is a potential challenge when modifying components?
Modifying one component may require changing or restarting other components.
220
How can dependencies occur across systems?
For example, you may need to upgrade the firewall code first, then upgrade the firewall management software.
221
What should be upgraded in network management?
Upgrade the firewall management software.
222
What is a challenge in maintaining documentation?
It can be challenging to keep up with changes.
223
How quickly can documentation become outdated?
Documentation can become outdated very quickly.
224
What is required with the change management process?
Updating diagrams, modifications to network configurations, and address updates.
225
What may be required when adding new systems?
New procedures may be required.
226
What is version control?
Track changes to a file or configuration data over time.
227
What is a benefit of version control?
Easily revert to a previous setting.
228
What are some ways to see previous versions?
Router configurations, Windows OS patches, and application registry entries.
229
Is version control always straightforward?
Not always straightforward.
230
What do some devices and operating systems provide?
Version control features.
231
What may be required for version control management?
Additional management software.
232
What is Public Key Infrastructure (PKI)?
Policies, procedures, hardware, software, people involved in creating, distributing, managing, storing, and revoking digital certificates. ## Footnote PKI also refers to the binding of public keys to people or devices, emphasizing trust.
233
What are digital certificates used for?
To create, distribute, manage, store, and revoke keys. ## Footnote Digital certificates are essential in establishing trust within PKI.
234
What is a characteristic of symmetric encryption?
It uses a single, shared key for both encryption and decryption. ## Footnote If the key is compromised, a new key is needed.
235
What is a secret key algorithm?
A method that relies on a shared secret key for encryption. ## Footnote This method does not scale well and can be challenging to distribute.
236
What are the advantages of symmetric encryption?
It is very fast to use and has less overhead than asymmetric encryption. ## Footnote Symmetric encryption is often combined with asymmetric encryption.
237
What defines asymmetric encryption?
It involves public key cryptography with two or more mathematically related keys. ## Footnote This includes a private key, which must be kept private, and a public key, which can be shared.
238
What is the role of the private key in asymmetric encryption?
The private key must be kept confidential and secure. ## Footnote It is essential for decrypting information that was encrypted with the corresponding public key.
239
What is the role of the public key in asymmetric encryption?
The public key can be shared with anyone and is used for encrypting data. ## Footnote It allows secure communication without needing to share a secret key.
240
What is the role of the private key in asymmetric encryption?
The private key is the only key that can decrypt data encrypted with the public key.
241
Can you derive the private key from the public key?
No, you can't derive the private key from the public key.
242
What is asymmetric encryption also known as?
Public Key Cryptography.
243
What is involved in key generation for asymmetric encryption?
Build both the public and private key at the same time with lots of randomization, large prime numbers, and lots of math.
244
Who can have the public key?
Everyone can have the public key, but only Alice has the private key.
245
What is key escrow?
Someone else holds your decryption keys, meaning your private keys are in the hands of a 3rd-party.
246
Can key escrow be a legitimate business arrangement?
Yes, a business might need access to employee information, and government agencies may need to decrypt partner data.
247
Is key escrow controversial?
Yes, it is controversial, but may still be required.
248
What is essential for managing encryption keys?
Clear processes and procedures are needed, as keys are incredibly important pieces of information.
249
What must you be able to do with your 3rd-party in key escrow?
You must be able to trust your 3rd-party, since access to the keys is under their control.
250
Under what conditions should key access be controlled?
Access should be under carefully controlled conditions, such as legal proceedings and court orders.
251
What is the purpose of encrypting stored data?
To protect data on storage devices such as SSDs, hard drives, USB drives, and cloud storage. This is known as data at rest.
252
What are the methods for encrypting stored data?
Full-disk and partition/volume encryption using tools like BitLocker and FileVault.
253
What is file encryption?
Encrypting individual files using EFS (Encrypting File System) or third-party utilities.
254
What is database encryption?
Protecting stored data and the transmission of that data.
255
What is transparent encryption in databases?
Encrypting all database information with a symmetric key.
256
What is record-level encryption?
Encrypting individual columns in a database and using separate symmetric keys for each column.
257
What is transport encryption?
Protecting data traversing the network.
258
How is data encrypted in applications?
Browsers can communicate using HTTPS.
259
What is a VPN?
A Virtual Private Network that encrypts all data transmitted over the network, regardless of the application.
260
What are the types of VPN?
Client-based VPN using SSL/TLS and site-to-site VPN using IPsec.
261
What are encryption algorithms?
There are many different ways to encrypt data.
262
What must be used during encryption and decryption?
The proper 'formula' must be used.
263
Who decides on the algorithm before encrypting the data?
Both sides decide on the algorithm.
264
Are the details of the encryption algorithm visible to the end user?
The details are often hidden from the end user.
265
What are some factors to consider when choosing an encryption algorithm?
There are advantages and disadvantages between algorithms, such as security level, speed, and complexity of implementation.
266
What is known about the cryptographic process?
There's very little that isn't known about the cryptographic process. The algorithm is usually a known entity. The only thing you don't know is the key.
267
What does the key determine in cryptography?
The key determines the output, which includes encrypted data, hash value, and digital signature.
268
Why is it important to keep your key private?
It's the only thing protecting your data.
269
How does key length relate to security?
Larger keys tend to be more secure and prevent brute-force attacks.
270
What are common key lengths for symmetric encryption?
128-bit or larger symmetric keys are common.
271
What are common key lengths for asymmetric encryption?
Common to see key lengths of 3,072 bits or larger.
272
What is key stretching?
Key stretching involves making a weak key stronger by performing multiple processes, such as hashing a password multiple times.
273
How do brute force attacks relate to key stretching?
Brute force attacks would require reversing each of those hashes, making it much more time-consuming for the attacker.
274
What is a key exchange?
A logistical challenge of sharing an encryption key across an insecure medium without physically transferring the key.
275
What is out-of-band key exchange?
A method where the symmetric key is not sent over the internet, but shared through telephone, courier, in-person, etc.
276
What is in-band key exchange?
A method where the key is shared over the network, protected with additional encryption, and uses asymmetric encryption to deliver a symmetric key.
277
What is the need for real-time encryption/decryption?
Encryption and decryption must be fast enough for real-time use without compromising security.
278
How is a symmetric session key shared using asymmetric encryption?
The client encrypts a random symmetric key with the server's public key, and the server decrypts this shared key to encrypt data.
279
What are session keys?
Keys that need to be changed often (ephemeral keys) and must be unpredictable.
280
How can a symmetric key be created from asymmetric keys?
By using public and private key cryptography to create a symmetric key. ## Footnote The math is powerful.
281
What is a Trusted Platform Module (TPM)?
A specification for cryptographic functions.
282
What are the key components of a Trusted Platform Module (TPM)?
Cryptography hardware on a device, cryptographic processor, random number generator, and key generators.
283
What type of memory does a Trusted Platform Module (TPM) use?
Persistent memory with unique keys burned in during manufacturing.
284
What is versatile memory in a Trusted Platform Module (TPM)?
It stores keys and hardware configuration information, including securely storing BitLocker keys.
285
How does a Trusted Platform Module (TPM) protect passwords?
It is password protected and prevents dictionary attacks.
286
What is a Hardware Security Module (HSM)?
Used in large environments to securely store thousands of cryptographic keys.
287
What are the features of a Hardware Security Module (HSM)?
High-end cryptographic hardware, key backup, and cryptographic accelerators.
288
What is a key management system?
A system that manages various keys from a centralized manager.
289
Where can key management services be found?
On-premises and cloud-based.
290
What are the functions of a key management system?
Create keys for specific services, associate keys with users, rotate keys, and log key use.
291
Why is keeping data private challenging?
Data is located in many places, constantly changing, and attackers are always finding new techniques.
292
What is a secure enclave?
A protected area for secrets, often implemented as a hardware processor isolated from the main processor.
293
What security features does a secure enclave provide?
Boot ROM, system boot monitoring, true random number generator, real-time memory encryption, and root cryptographic keys.