Section 2: Key Concepts, Identification and Authorization Flashcards

1
Q

5 things that would make your information insecure.

A
  1. Not applying security patches or app updates to your system
  2. Using weak passwords such as “password”
  3. Downloading programs from the internet
  4. Opening email attachments from unknown senders
  5. Using wireless networks without encryption
2
Q

4 examples of ways confidentiality could be compromised (ATM example)

A
  1. You could lose your laptop containing data
  2. Someone could look over your shoulder while you enter the password.
  3. You could send an email attachment to the wrong person
  4. Attackers could penetrate your system
3
Q

Two things needed to maintain integrity

A
  1. you need to have the means to prevent unauthorized changes to your data
  2. you need the ability to reverse unwanted authorized changes.
4
Q

When is integrity particularly important?

A

when it concerns data that provides the foundation for other decisions

5
Q

4 examples of things that may cause you to lose availability of your data.

A
  1. power loss
  2. operating system or application problems
  3. network attacks
  4. a compromised system
6
Q

What is it called when an outside party like an attacker causes availability issues?

A

a DoS attack
(Denial of Service)

7
Q

What 6 principles make up the Parkerian Hexad?

A
  1. Confidentiality
  2. Integrity
  3. Availability
  4. Possession / Control
  5. Authenticity
  6. Utility
8
Q

How is Integrity defined differently in the Parkerian Hexad model than it is in the CIA Triad?

A

In Parkerian Hexad, integrity doesn’t account for authorized but incorrect modification of data. The data must be whole and completely unchanged from its previous state.

9
Q

If you send an email message that’s altered so it appears to have come from a different email than the one it was sent from, which Parkerian Hexad principle was violated?

A

Authenticity

10
Q

Which principle of the Parkerian Hexad isn’t necessarily binary in nature?

A

Utility

11
Q

What are the 4 categories of attacks?

A
  1. Interception
  2. Interruption
  3. Modification
  4. Fabrication
12
Q

What type or types of attacks primarily affect Confidentiality?

(CIA Triad)

A

Interception

13
Q

What type or types of attacks primarily affect Integrity?

(CIA Triad)

A
  1. Interruption
  2. Modification
  3. Fabrication
14
Q

What type or types of attacks primarily affect Availability?

(CIA Triad)

A
  1. Interruption
  2. Modification
  3. Fabrication
15
Q

What are interception attacks?

1.
2.
3.

A
  1. Unauthorized file viewing or copying
  2. Eavesdropping on phone conversations
  3. Reading someone else’s email
16
Q

On what kinds of data can interception attacks be conducted?

A

Data at rest and data in motion

17
Q

Where is data at rest usually stored?

A
  1. hard drive
  2. flash drive
  3. database

(Can be more)

18
Q

What kind of protection does data at rest usually have?

A

some sort of encryption, often at the level of the file or the entire storage device

19
Q

What kind of protection does data in motion usually have?

A

encryption, but the encryption protects the network protocol or path used to move data from one place to another lol.

20
Q

What kind of protections surround data in use?

A

Permissions and authentication of users

21
Q

What are interruption attacks?

A

They make your assets unusable or unavailable either temporarily or permanently

22
Q

What are modification attacks?

A

Involve tampering with an asset

23
Q

What are Fabrication Attacks?

A

Involve generating data, processes, communications, or other similar material.

24
Q

What is a threat?

A

Something that has the potential to cause harm and tends to be specific to certain environments

25
What is vulnerability?
Weaknesses, or holes that threats can exploit to cause you harm.
26
What do you need to have risk in an environment?
You must have both a threat and a matching vulnerability that the threat could exploit.
27
What are the 5 steps of the risk management process?
1. Identify Assets 2. Identify Threats 3. Assess Vulnerabilities 4. Assess Risks 5. Mitigate Risks
28
How would you identify your assets?
Enumerate your assets and evaluate the importance of each one. Once you’ve identified assets in use, decide which ones are critical business assets.
29
How would you determine which assets are critical to conducting business?
Generally would require the input of functions that make use of that asset, those that support the asset itself, and potentially other parties as well.
30
How would you Identify threats?
After enumerating critical business assets, you can begin to identify threats that might affect them.
31
What 2 frameworks can be used to assess threats against business critical assets?
1. CIA Triad 2. Parkerian Hexad
32
How would you assess vulnerabilities?
Should be done in the context of potential threats. Any asset can have millions of threats but only a small number will be relevant
33
How should you assess risks?
Once you’ve identified threats and vulnerabilities for a given asset, you can assess overall risk. You MUST have a matching threat and vulnerability to have a risk.
34
What 3 categories are controls divided into?
1. physical 2. logical 3. administrative
35
What kind of control would a lock be?
physical
36
What kind of control would a camera be?
physical
37
What kind of control would heating and air conditioning be?
physical
38
What kind of control would a backup power generator be?
physical
39
Logical controls are also called what?
Technical controls.
40
What kind of control is a password?
logical
41
What kind of control is encryption?
Logical
42
What kind of control are access controls?
logical
43
What kind of control is an intrusion detection system?
logical
44
What do logical controls do?
Enable you to prevent unauthorized activities.
45
With which kind of control, if implemented properly and successful, would an attacker or unauthorized user be unable to access your applications and data without subverting the controls?
logical
46
What do administrative controls represent?
authority
47
Administrative controls are useless without what?
The authority or ability to ensure that people comply with your controls. They can actively harm you by giving you a false sense of security.
48
Incident response process consists of what 6 things?
1. Preparation 2. Detection and analysis 3. Containment 4. Eradication 5. Recovery 6. Post-incident activity
49
Preparation phase of an incident response consists of what?
All of the activities you can perform ahead of time to better handle an incident.
50
What activities are typically involved in preparation of an incident response?
1. Creating policies and procedures that govern incident response and handling 2. Conducting training and education for both incident handlers and those who are expected to report incidents 3. Developing and maintaining documentation.
51
What is the detection and analysis phase? (3)
Where action begins in an incident response. This is where you: 1. Detect an issue 2. Decide whether it’s actually an incident 3. Respond appropriately
52
What are the common detection tools you’ll use? (6)
1. IDS (Intrusion detection system) 2. AV (Antivirus) software 3. Firewall logs 4. Proxy logs 5. Alerts from a security information and event monitoring (SIEM) tool 6. Managed security service provider (MSSP)
53
The analysis portion of detection and analysis in incident response is often a combination of what? (2)
Automation from a tool or service, usually a SIEM tool, and human judgment.
54
What might human intervention look like in analyzing incidents?
1. A review of logs output by various security, network and infrastructure devices. 2. Contact with the party who reported the incident 3. General evaluation of the situation.
55
What is Containment in incident response?
Taking steps to ensure that the situation doesn’t cause any more damage than it already has—or at least lessen any ongoing harm.
56
What is eradication in incident response?
Attempt to remove the effects of the issue from your environment.
57
What is recovery in incident response?
Recover the state you were in prior to the incident.
58
What is post-incident activity?
You’ll attempt to determine specifically what happened, why it happened, and what you can do to keep it from happening again.
59
What is defense in depth?
Formulate a multilayered defense that will allow you to still mount a successful resistance should one or more of your defensive measures fail.
60
What is the lowest standard of defenses you would want?
1. Data 2. Applications 3. Host 4. Internal network 5. External network
61
What is the goal of defense in depth?
To place enough defensive measures between your truly important assets and the attacker so that you’ll notice that an attack is in progress and have enough time to prevent it.
62
What is insufficient entropy?
Not enough unpredictability
63
What are 6 defensive measures for external networks?
1. DMZ (Demilitarized zone—subnetwork containing an organization’s exposed outward-facing services. Acts as the exposed point to an untrusted network) 2. VPN 3. Logging 4. Auditing 5. Penetration testing 6. Vulnerability analysis
64
Name 7 defensive measures of network perimeters.
1. Firewalls 2. Proxy 3. Logging 4. Stateful packet inspection 5. Auditing 6. Penetration testing 7. Vulnerability analysis
65
Name 6 defensive measures for internal networks
1. IDS (Intrusion detection system) 2. IPS (Intrusion prevention system) 3. Logging 4. Auditing 5. Penetration testing 6. Vulnerability Analysis
66
Name 11 defensive measures for hosts.
1. Authentication 2. Antivirus 3. Firewall 4. IDS (Intrusion detection system) 5. IPS (Intrusion protection system) 6. Passwords 7. Hashing 8. Logging 9. Auditing 10. Penetration testing 11. Vulnerability analysis
67
Name 6 defensive measures for applications
1. SSO (Single sign on) 2. Content filtering 3. Data validation 4. Auditing 5. Penetration testing 6. Vulnerability analysis
68
Name 5 defensive measures for data
1. Encryption 2. Access controls 3. Backups 4. Penetration testing 5. Vulnerability analysis
69
Areas of Information Security (8)
1. Security and risk management 2. Asset security 3. Security architecture and engineering 4. communications and network security 5. identity and access management 6. security assessment and testing 7. security operations 8. software development security
70
Implicit deny is what?
Common in network security. An ACL rule that blocks all traffic that hasn’t been explicitly allowed via another ACL rule. ACL = Access Control List
71
What is FISMA (Federal Information Security Act)?
US law that puts together information security framework that government organizations must follow
72
What is the Gramm-Leach-Bliley Act?
If you’re a financial institution—you must explain your information-sharing activities with customer data and make sure you safeguard that data. How are you proactively securing that data?
73
What is Due Care?
Often called the “prudent man” rule. Doing what any responsible person would do, in other words implementing a security measure to mitigate against certain risks.
74
What is due diligence?
Essentially the management of due care. Ensuring the implemented security measure was done correctly.
75
What is gross negligence?
The opposite of due care. If you’re not performing due care, or what a “prudent man” would do, and you suffer a negative loss, you could be held legally liable, i.e. you acted with gross negligence.
76
Authentication can be used to prove the identity of: (4)
1. A user 2. A service or process running on a computer or server 3. A workstation or server itself 4. A network device
77
What is a common example of authentication?
Username and password
78
What are 3 aspects of IT management?
1. People 2. Processes (things running on our servers) 3. Technology (devices themselves)
79
What are the 5 factors of authentication?
1. Something you know 2. Something you have 3. Something you are 4. Something you do 5. Somewhere you are
80
Name 2 examples of the “something you know” form of authentication.
1. Password 2. PIN
81
Name 3 examples of “something you have” types of authentication.
1. Smart card 2. RSA token 3. ATM card to get cash. Things you must physically have in front of you.
82
Name an example of “something you are” types of authentication.
Biometrics
83
Name 5 types of physiological Biometrics
1. Face 2. Fingerprint 3. Hand scan 4. Iris scan 5. DNA
84
Name 3 kinds of behavioral biometrics?
1. Keystroke 2. Signature 3. Voice
85
What is two-factor authentication?
Uses a combination of two of the three factors of authentication. 1. Something you have 2. Something you know 3. Something you are
86
What is non-repudiation?
Used to prevent an entity from denying an action took place.
87
Name two examples of non-repudiation.
1. Digitally signed documents 2. Auditing system logs
88
What is information security governance?
The process of how an organization manages its information security program via policies, procedures, roles, and responsibilities. Determines how much security is enough security.
89
Why is information security governance important?
It provides strategic direction for security activities and ensures that cybersecurity objectives such as effective risk management are achieved.
90
What is identity proofing?
Validating someone’s identity before credentials are issued.
91
What is a risk assessment score?
probability X impact.
92
What is avoidance?
The process of eliminating a risk by not engaging in an activity. We avoid a risk by eliminating its source altogether.
93
What is acceptance?
Accepting an identified risk, meaning no action will be taken when a risk assessment score is low.
94
What is mitigation?
The process of taking steps to minimize the impact of risk
95
What is Transference?
Transferring the responsibility of a risk to a third party, such as insurance.
96
What is residual risk?
The risk that remains after risk mitigation or transference activities have taken place.
97
Name 5 types of risk? (loss)
1. Monetary 2. Reputation 3. Loss of Asset 4. Intellectual Property 5. Legal
98
Name 3 sources of threats.
1. Natural 2. Unintentional 3. Intentional
99
What is Qualitative Risk?
More subjective way of analyzing risk
100
What is Quantitative Risk?
More objective way of analyzing risk. May include specific monetary values, how often it occurs, uses mathematics etc.
101
What is AV? (Asset Value)
The value of an asset
102
What is EF (exposure factor)?
the percentage loss of a specific asset if a risk is realized.
103
What is SLE (Single loss expectancy)?
The monetary value expected from the occurrence of a risk on an asset
104
What is the formula for SLE?
SLE = AV x EF (Single loss expectancy = Asset Value X Exposure Factor)
105
What is ARO (Annual rate of occurrence)?
the estimated frequency of a threat occurring in a single year
106
What is ALE (Annualized Loss Expectancy)?
the expected monetary loss that can be expected from an asset due to a risk over a one year period
107
What is the formula to calculate ALE (Annualized loss expectancy)?
ALE = SLE x ARO (Annualized loss expectancy = Single loss expectancy X Annual rate of occurrence)
108
What is an attack surface?
Is a vulnerability. It’s any way an attacker can gain access to pose a security risk.
109
What are 3 common attack surfaces?
1. Application: that are running on our network 2. Network (itself) 3. User
110
When analyzing our applications for attack surfaces we commonly look at:
1. The amount of code (Higher chance of back doors and errors) 2. Data inputs (should be validated data) 3. System Services 4. Network Communication ports (Applications that are communicating on the network through port, attacker might be able to attack server/system through open port)
111
When analyzing our network for attack surfaces, we will commonly look at: (4)
1. Overall network design 2. Placement of Mission critical servers and systems 3. Placement & configuration of network firewalls 4. Other security-Related devices and services: IDS, IPS, VPN, etc.
112
When analyzing users for attack surfaces, we’ll commonly look at: (4)
1. Effectiveness of Policies, Procedures, and Training 2. Risk of social engineering 3. Potential for human error 4. Risk of Malicious Behavior
113
Name 7 types of assets
1. People 2. Information 3. Data 4. Hardware 5. Software 6. Processes 7. Ideas. Anything of value to the company.
114
What are the 5 steps to the asset identification and classification process?
1. Inventory your assets 2. Assign Ownership 3. Classify based on value 4. protect based on value classification 5. Periodically assess and review
115
What are the 5 steps in the asset lifecycle
1. identify and classify (new assets should be) 2. secure (based on classified value) 3. monitor (regularly for changes in value and effectiveness of security controls) 4. recovery (if an asset is adversely impacted, recovery measures should be in place) 5. disposition
116
What are the 2 methods of disposing of an asset?
1. archiving for long-term storage 2. defensible destruction: ensuring there is no data remanence
117
What is a reverse shell?
enables an attacker to gain remote access to and control of a machine by bypassing firewall safeguards
118
What is identification?
Makes a claim about what someone or something is
119
What is authentication?
Establishes whether something or someone is what they’re supposed to be
120
Is identity verification less or more strong than authentication?
It’s less strong than authentication.
121
What is the difference between authentication and authorization?
Authentication is a set of methods used to establish whether a claim of identity is true. Authorization determines what someone is permitted to do.
122
What is mutual authentication?
An authentication mechanism in which both parties in a transaction authenticate each other. These are typically software based. (Client-server; server-client)
123
What does mutual authentication generally rely on?
Digital certificates.
124
What kind of attack do you leave yourself vulnerable to when you don’t perform mutual authentication?
MITM (Man in the middle)
125
How does a MITM (man in the middle) attack work?
attacks where the attacker inserts themselves between the client and the server and impersonates the server to the client and the client to the server. They circumvent the normal pattern of traffic and then intercept and forward the traffic that would normally flow directly between the client and the server
126
What is manual synchronization of passwords?
Using the same password everywhere
127
What is minutiae?
Noting elements that appear at certain parts of the image
128
What 7 characteristics are biometric factors defined by?
1. Universality 2. Uniqueness 3. Permanence 4. Collectibility 5. Performance 6. Acceptability 7. Circumvention
129
What is universality
Should be able to find your chosen biometric characteristic in the majority of people you expect to enroll in the system.
130
What is uniqueness?
A measure of how unique a characteristic is among individuals
131
What is permanence?
Tests how well a characteristic resists changes over time and with advancing age.
132
What is collectability?
Measures how easy it is to acquire a characteristic.
133
What is performance?
How well a given biometric system functions based on factors such as speed, accuracy, and error rate.
134
What is acceptability?
A measure of how acceptable the characteristic is to the users of the system. In general, systems that are slow, difficult to use or awkward to use are less likely to be acceptable.
135
What is circumvention?
Describes how easy it is to trick a system by using a falsified biometric identifier.
136
What is a gummy finger?
A type of biometric identification attack where a fingerprint is lifted from a surface and used to create a mold with which the attacker can cast a positive image of the fingerprint in gelatin.
137
What secondary features of biometric systems have been put in place to defeat gummy attacks?
Measuring skin temperature, pulse, or pupillary response.
138
What are 2 of the most important measures of biometric performance?
1. FAR (false acceptance rate) 2. FRR (False rejection rate)
139
What is EER (equal error rate)?
A balance between false acceptance and false rejection of biometric data. Is often used as a measure of the accuracy of biometric systems.
140
What are hardware tokens?
A small device, typically in the general form factor of a credit card or keychain fob. Contains a certificate or unique identifier.
141
What do more complex hardware tokens have that differentiates them?
LCDs (liquid crystal displays), keypads for entering passwords, biometric readers, wireless devices, additional features to enhance security
142
What are access controls?
Generally how you implement authorization, by using tools and systems you use to deny or allow access.
143
What 4 basic tasks would you probably want to use access control for?
1. Allowing access 2. Denying access 3. Limiting access 4. Revoking access
144
Name one example of a sandbox?
JVM (Java Virtual Machine)
145
What are the two main methods of implementing access controls?
1. Access control lists 2. Capabilities
146
What are access control lists?
Lists containing information about what kind of access certain parties are allowed to have in a given system.
147
What are the three types of permissions in an ACL (access control list) file system?
1. Read: allowing a user to access the contents of the file or directory 2. Write: allowing a user to write a file or directory 3. Execute: allowing a user to execute the contents of that file if the file contains a program or script capable of running on the system in question.
148
What command would you issue on a Linux-based OS to view the three sets of permissions? (For viewing files)
ls -la
149
In Linux, when looking at ACL permissions, what does each of the 4 sections represent? - | r w - | r - - | r - -
1. First character = file type. R = regular, D = directory 2. Represents the permissions of the user who owns the file and is set to r w, meaning the user can read and write but not execute. 3. Group permissions = set to r - -, meaning that members of the group that was given ownership can read it but not write or execute it. 4. Other is also set to r - -, meaning anyone who is not the user who owns the file or in the group that owns the file can also read it but not write or execute it.
150
What do you use to filter access in network ACLs? (3)
1. IP (Internet Protocol) addresses 2. Media Access Control addresses 3. Ports
151
On what network infrastructure can you see network ACLs? (3)
1. Routers 2. Switches 3. Firewall devices including software firewalls such as Google, Facebook, email, etc.
152
How do network ACLs work?
Tend to be binary, either allow or deny by granting or denying access to traffic.
153
What are media access control addresses?
Unique identifiers hard-coded into each network interface in a given system.
154
Why is media access control not a good choice for a unique identifier of a device on a network?
Because software settings in most OS can override this address, thus changing it is easy.
155
Why aren’t IP addresses a good form of network ACL?
Because you can falsify an IP address, they’re not unique to a network and they’re issued by ISPs and are subject to frequent change.
156
What is blackholing?
It’s the use of large-scale filtering to block out known attacks, spammers, or undesirable traffic and can be applied to IP addresses, ISPs or even entire countries.
157
What are network ports?
A numerical designation for one side of a connection between two devices and are used to identify applications to which traffic should be routed.
158
Why aren’t network ports a great method of ACL?
Because while ports being used for specific applications are conventions, they aren’t absolute rules and you can thus with relative ease change the ports that applications use to entirely different ones
159
What is a socket?
A combination of an IP address and a network port.
160
Systems that use ACLs to manage permissions are vulnerable to what kind of attack?
Confused deputy problem
161
What is the confused deputy problem?
It’s a type of attack used when ACLs are used to manage permissions and occurs when software with access to a resource (the deputy) has a greater level of permission to access the resource than the user who is controlling the software. If you can trick the software into misusing its greater level of authority, you can potentially carry out an attack.
162
What are client-side attacks?
Tricking the user into taking some action when they really think they are doing something else entirely. They take advantage of weaknesses in applications running on the users’ computers.
163
Name 3 forms client-side attacks could take. (examples of how they may be carried out)
1. Code sent through web browser and executed on the local machine. 2. Malformed PDF files 3. Images and videos with attack code embedded.
164
Name 2 of the more common attacks exploiting the confused deputy problem.
1. Cross-site request forgery (CSRF) 2. Clickjacking
165
What is CSRF (cross-site request forgery)?
An attack that misuses the authority of the browser on the user’s computer. If the attacker knows of or can guess a website that has already been authenticated by the user such as amazon.com, the attacker can embed a link in a web page or HTML-based email, generally to an image hosted from a site controlled by the attacker. When the target’s browser attempts to retrieve the image in the link, it also executes the additional commands the attacker has embedded in it, often completely invisible to the target.
166
What is clickjacking?
Also known as user interface redressing. Takes advantage of some of the page rendering features that are available in newer web browsers. Attacker must legitimately control or have taken control of some portion of a website. Attacker constructs or modifies the site by placing an invisible layer over something the client would normally click. This causes the client to execute a command that’s different than the one they think they’re performing. Can be used to trick the client into making purchases, changing permissions on applications or operating systems, or performing other unwanted activities.
167
What is a capability?
It’s a way of controlling access and permissions based on a user’s token or key. These generally aren’t physical tokens.
168
In a capability-based system how is the right to access a resource decided?
Based on possession of the token rather than who possesses the token. Anyone can use the token and anyone who has that token can use it to access anything granted to that token.
169
What is an access control model?
A way of determining who should be allowed to access what resources.
170
What are the 6 most common access control models?
1. Discretionary access control 2. Mandatory access control 3. Rule-based access control 4. Role-based access control 5. Attribute-based access control 6. Multi-level access control
171
What is DAC (Discretionary Access Control)
The owner of the resource determines who gets access to it and exactly what level of access they can have.
172
What is MAC (mandatory access control)
The owner of a resource doesn’t get to decide who gets access to it. Instead, a separate group or individual has the authority to set access to resources. MAC is often implemented in government organizations where access to a given resource is largely dictated by the sensitivity label applied to it.
173
What is rule-based access control?
Allows access according to a set of rules defined by the system administrator. If the rule is matched, access to the resource will be granted or denied accordingly.
174
What is role-based access control (RBAC)?
Allows access based on the role of the individual being granted access.
175
What type of access control is RBAC?
Role based access control (Not rule-based access control)
176
What is ABAC? (Attribute-based access control)
Based on the specific attributes of a person, resource, or environment. You can often find it implemented on infrastructure systems such as those in network or telecommunication environments.
177
What are subject attributes?
A potential attribute in attribute-based access control. Belong to an individual. Could be height, or CAPTCHAs
178
What are resource attributes?
A potential attribute in attribute-based access control. Belong to a resource such as an operating system or application. You’ll often see access controlled by resource attributes. Sometimes this is technical such as software only running on a particular OS.
179
What are environmental attributes?
A kind of attribute that may be used in attribute-based access control. Enables access controls based on environmental conditions. People commonly use time to control access to physical and logical resources.
180
What is multilevel access control?
Combine several of the access control models. Used when simpler access control models aren’t considered robust enough to protect the information to which you’re controlling access.
181
What kind of access control is the Bell-LaPadula Model?
Multilevel access control
182
What is the Bell-LaPadula Model?
Implements a combination of discretionary and mandatory access controls (DAC and MAC) and is primarily concerned with the confidentiality of the resource in question.
183
What is the simple security property?
Level of access granted to an individual must be at least as high as the classification of the resource in order for the individual to access it. Individual cannot read a resource classified at a higher level but they can read resources at a lower level.
184
What is the * property (or star property)
Anyone accessing a resource can only write (copy) its contents to another resource classified at the same level or higher.
185
What is the Biba model?
Primarily concerned with protecting the integrity of data, even at the expense of confidentiality.
186
What 2 security rules does Biba have?
1. The simple integrity axiom: level of access granted to an individual must be no lower than the classification of the resource, i.e., access to one level does not grant access to lower levels 2. The integrity axiom (or star integrity axiom): anyone accessing a resource can only write its contents to a resource classified at the same level or lower.
187
No read down, no write up
The Biba model
188
No read up, no write down
The Bell-LaPadula model