Section 2: Key Concepts, Identification and Authorization Flashcards
5 things that would make you’re information insecure.
- Not applying security patches or app updates to your system
- using weak passwords such as ‘password”
- Downloading programs from the internet
- Opening email attachments from unknown senders
- Using wireless networks without encryption
4 examples of ways confidentiality could be compromised (ATM example)
- You could lose your laptop containing data
- Someone could look over your shoulder while you enter the password.
- You could send an email attachment to the wrong person
- Attackers could penetrate your system
Two things needed to maintain integrity
- you need to have the means to prevent unauthorized changes to your data
- you need the ability to reverse unwanted authorized changes.
When is integrity particularly important?
when it concerns data that provides the foundation for other decisions
4 examples of things that may cause you to lose availability of your data.
- power loss
- operating system or application problems
- network attacks
- a compromised system
What is it called when an outside party like an attacker causes availability issues.
a DoS attack
(Denial of Service)
What 6 principles make up the Parkerian Hexad?
- Confidentiality
- Integrity
- Availability
- Possession / Control
- Authenticity
- Utility
How is Integrity defined differently in the Parkerian Hexad model than it is in the CIA Triad.
In Parkerian Hexad, integrity doesn’t account for authorized but incorrect modification of data. The data must be whole and completely unchanged from its previous state.
IF you send an email message that’s altered so it appears to have come from a different email than the one it was sent from, which Parkerian Hexad principle was violated?
Authenticity
Which principle of the Parkerian Hexad isn’t necessarily binary in nature?
Utility
What are the 4 categories of attacks?
- Interception
- Interruption
- Modification
- Fabrication
What type or types of attacks primarily affect Confidentiality?
(CIA Triad)
Interception
What type or types of attacks primarily affect Integrity?
(CIA Triad)
- Interruption
- Modification
- Fabrication
What type or types of attacks primarily affect Availability?
(CIA Triad)
- Interruption
- Modification
- Fabrication
What are interception attacks?
1.
2.
3.
- Unauthorized file viewing or copying
- Eavesdropping on phone conversations
- Reading someone else’s email
What kind of data can interception attacks be conducted?
Data at rest and data in motion
Where is data at rest usually stored?
- hard drive
- flash drive
- database
(Can be more)
What kind of protection does data at rest usually have?
some sort of encryption, often at the level of the file or the entire storage device
What kind of protection does data in motion usually have?
encryption, but the encryption protects the network protocol or path used to move data from one place to another lol.
What kind of protections surround data in use?
Permissions and authentication of users
What are interruption attacks?
They make your assets unusable or unavailable either temporarily or permanently
What are modification attacks?
Involve tampering with an asset
What are Fabrication Attacks?
Involve generating data, processes, communications, or other similar material.
What is a threat?
Something that has the potential to cause harm and tends to be specific to certain environments
What is vulnerability?
Weaknesses, or holes that threats can exploit to cause you harm.
What do you need to have risk in an environment?
You must have both a threat and a matching vulnerability that that the threat could exploit.
What are the 5 steps of the risk management process?
- Identify Assets
- Identify Threats
- Assess Vulnerabilities
- Assess Risks
- Mitigate Risks
How would you identify your assets?
Enumerate your assets and evaluate the importance of each one.
Once you’ve identified assets in use, decide which ones are critical business assets.
How would you determine which assets are critical to conducting business?
Generally would require the input of functions that make sue of that asset, those that support the asset itself, and potentially other parties as well.
How would you Identify threats?
After enumerating critical business assets, you can begin to identify threats that might affect them.
What 2 frameworks can be used to assess threats against business critical assets?
- CIA Triad
- Parkerian Hexad
How would you assess vulnerabilities?
Should be done in the context of potential threats.
Any asset can have millions of threats but only a small number will be relevant
How should you assess risks?
Once you’ve identified threats and vulnerabilities for a given asset, you can assess overall risk.
You MUST have a matching threat and vulnerability to have a risk.
What 3 categories are controls divided into?
- physical
- logical
- administrative
What kind of control would a lock be?
physical
what kind of control would a camera be?
physical
what kind of control would heating and air conditioning be?
physical
what kind of control would a backup power generator be?
physical
Logical controls are also called what?
tehchnical controls.
what kind of control is a password?
logical
what kind of control is encryption?
Logical
what kind of control are access controls?
logical
what kind of control is an intrusion detection system?
logical
what do logical controls do?
enable you to prevent unauthorized activities.
which kind of control, if implemented properly and is successful, would an attacker or unauthorized user be unable to access your applications and data without subverting the controls?
logical
what do administrative controls represent?
authority
Administrative controls are useless without what?
The authority or ability to ensure that people comply with your controls.
They can actively harm you by giving you a false sense of security.
Incident response process consists of what 6 things?
- Preparation
- Detection and analysis
- Containment
- Eradication
- Recovery
- Post-incident activity
Preparation phase of an incident response consists of what?
All of the activities you can perform ahead of time to better handle an incident.
What activities are typically involved in preparation of an incident response?
- Creating policies and procedures that govern indecent response and handling
- Conducting training and education for both incident handlers and those who are expected to report incidences
- Developing and maintaining documentation.
What is the detection and analysis phase?
(3)
Where action begins in an incident response. This is where you:
- Detect an issue
- Decide whether it’s actually an incident
- Respond appropriately
What are the common detection tools you’ll use? (6)
- IDS (Intrustion detection system)
- AV (Antivirus) software
- Firewall logs
- Proxy logs
- Alerts from a security information and event monitoring (SIEM) tool
- Managed security service provider (MSSP)
The analysis portion of detection and analysis in incident response is often a combination of what? (2)
Automation from a tool or service, usually a SIEM tool, and human judgment.
What might human intervention looks like in analyzing incidences?
- A review of logs output by various security, network and infrastructure devices.
- Contact with the party who reported the incident
- General evaluation of the situation.
What is Containment in incident response?
Taking steps to ensure that the situation doesn’t cause any more damage than it already has—or at least lessen any ongoing harm.
What is eradication in incident response?
Attempt to remove the effects of the issue from your environment.
What is recovery in incident response?
Recover the state you were in prior to the incident.
What is post-incident activity?
You’ll attempt to determine specifically what happened, why it happened, and what you can do to keep it from happening again.
What is defense in depth?
Formulate a multilayered defense that will allow you to still mount a successful resistance should one or more of your defensive measures fail.
What is the lowest standard of defenses you would want?
- Data
- Applications
- Host
- Internal network
- External network
What is the goal of defense in depth?
To place enough defensive measures between your truly important asses and the attacker so that you’ll notice that an attack is in progress and have enough time to prevent it.
What is insufficient entropy?
Not enough unpredictability
What are 6 defensive measures for external networks?
- DMZ (Demilitarized zone—subnetwork containing an organizations exposed outward facing services. Acts as the exposed point to an untrusted network)
- VPN
- Logging
- Auditing
- Penetration testing
- Vulnerability analysis
Name 7 defensive measures of network perimeters.
- Firewalls
- Proxy
- Logging
- State full packet inspection
- Auditing
- Penetration testing
- Vulnerability analysis
Name 6 defensive measures for internal networks
- IDS (Intrusion detection system)
- IPS (Intrusion prevention system)
- Logging
- Auditing
- Penetration testing
- Vulnerability Analysis
Name 11 defensive measures for hosts.
- Authentication
- Antivirus
- Firewall
- IDS (Intrusion detection system)
- IPS (Intrustion protection system)
- Passwords
- Hashing
- Logging
- Auditing
- Penetration testing
- Vulnerability analysis
Name 6 defensive measures for applications
- SSO (Single sign on)
- Content filtering
- Data validation
- Auditing
- Penetration testing
- Vulnerability analysis
Name 5 defensive measures for data
- Encryption
- Access controls
- Backups
- Penetration testing
- Vulnerability analysis
Areas of Information Security (8)
- Security and risk management
- Asset security
- Security architecture and engineering
- communications and network security
- identity and access management
- security assessment and testing
- security operations
- software development security
Implicit deny is what?
Common in network security
An ACL rule that blocks all traffic that hasn’t been explicitly allowed via another acl rule.
ACL= Access Control List
What is FISMA (Federal Information Security Act)?
US law that puts together information security framework that government organizations must follow
What is the Gramm-Leach-Bliley Act?
If you’re a financial institution—you must explain your information sharing activities with customer data and making sure you safeguard that data.
How are you proactively securing that Data
What is Due Care?
Often called the “prudent man” rule.
Doing what any responsible person would do, in other works implementing a security measure to mitigate against certain risks.
What is due diligence?
Essentially the management of due care.
Ensuring the implemented security measure was done correctly.
What is gross negligence?
The opposite of due care.
If you’re not performing due care, or what a “prudent man” would do, and you suffer a negative loss, you could be held legally liable, I.e. you acted with gross negligence.
Authentication can be used to prove the identity of: (4)
- A user
- A service or process running on a computer or server
- A workstation or server itself
- A network device
What is a common example of authentication?
Username and password
What are 3 aspects of IT management?
- People
- Processes (things running on our servers)
- Technology (devices themselves)
What are the 5 factors of authentication?
- Something you know
- Something you have
- Something you are
- Something you do
- Somewhere you are
Name 2 examples of something you know form of authentication?
- Password
- Pin
Name 3 examples of something you have types of authentication.
- Smart card
- RSA token
- ATM card to get cash .
Things you must physically have in front of you
Name an example of something you are types of authentication.
Biometrics
Name 5 types of physiological Biometrics
- Face
- Fingerprint
- Hand scan
- Iris scan
- DNA
Name 3 kinds of behavioral biometrics?
- Keystroke
- Signature
- Voice
What is two-factor authentication?
Uses a combination of two of the three factors of authentication.
- Something you have
- Something you know
- Something you are
What is non-repudiation?
Used to prevent an entity from denying an action took place.
Name two examples of non-repudiation.
- Digitally signed documents
- Auditing system logs
What is information security governance?
The process of how an organization manages its information security program via policies, procedures, roles, and responsibilities.
Determines how much security is enough security.
Why is information security governance important?
It provides strategic direction for security activities and ensures that cybersecurity objectives such as effective risk management are achieved.
What is identity proofing?
Validating someone’s identity before credentials are issued.
What is a risk assessment score?
probability X impact.
What is avoidance?
The process of eliminating a risk by not engaging in an activity.
We avoid a risk by eliminating it’s source altogether.
What is acceptance?
Accepting an identified risk, meaning no action will be taken when a risk assessment score is low.
What is mitigation?
The process of taking steps the minimize the impact of risk
What is Transference?
Transferring the responsibility of a risk to a third party, such as insurance.
What is residual risk?
The risk that remains when after risk mitigation or transference activities have taken place.
Name 5 types of risk? (loss)
- Monetary
- Reputation
- Loss of Asset
- Intellectual Property
- Legal
Name 3 sources of threats.
- Natural
- Unintentional
- Intentional
What is Qualitative Risk?
More subjective way of analyzing risk
What is Quatitative Risk?
More objective way of analyzing risk.
May include specific monetary values, how often it occurs, uses mathematics etc.
What is AV? (Asset Value)
The value of an asset
What is EF (exposure factor)?
the percentage loss of a specific asset if a risk is realized.
What is SLE (Single loss expectancy)?
The monetary value expected from the occurrence of a risk on an asset
What is the formula for SLE
SLE = AV x EF
(Single loss expectancy = Asset Value X Exposure Factor)
What is ARO (Annual rate of occurrence?)
the estimated frequency of a threat occurring in a single year
What is ALE (Annualized Loss Expectancy)
the expected monetary loss that can be expected from an asset due to a risk over a one year period
What is the formula to calculate ALE (Annualized loss expectancy)
ALE = SLE x ARO
(Annualized loss expectancy = Single loss expectancy X Annual rate of occurrence)
What is an attack surface?
Is a vulnerability. It’s any way an attacker can gain access to pose a security risk.
What are 3 common attack surfaces?
- Application: that are running on our network
- Network (itself)
- User
When analyzing our applications for attack surfaces we commonly look at:
- The amount of code (Higher chance of back doors and errors)
- Data inputs (should be validated data)
- System Services
- Network Communication ports (Applications that are communicating on the network through port, attacker might be able to attack server/system through open port)
When analyzing our network for attack surfaces, we will commonly look at: (4)
- Overall network design
- Placement of Mission critical servers and systems
- Placement & configuration of network firewalls
- Other security-Related devices and services: IDS, IPS, VPN, etc.
When analyzing user for attack surfaces, well commonly look at: (4)
- Effectiveness of Policies, Procedures, and Training
- Risk of social engineering
- Potential for human error
- Risk of Malicious Behavior
Name 7 types of assets
- People
- Information
- Data
- Hardware
- Software
- Processes
- Ideas
Anything of value to the company
What are the 5 steps to the Assett identification and classification process?
- Inventory your assets
- Assign Ownership
- Classify based on value
- protect based on value classification
- Periodically assess and review
What are the 5 steps in the asset lifecycle
- identify and classify (new assets should be)
- secure (based on classified value)
- monitor (regularly for changes in value and effectiveness of security controls)
- recovery (if an asset is adversely impacted, recovery measures should be in place)
- disposition
What are the 2 methods of disposing of an asset?
- archiving for long-term storage
- defensible destruction : insuring there is no data remanence
What is a reverse shell?
enables an attacker to gain remote access to and control of a machine by bypassing firewall safeguards
What is identification?
Makes a claim about what someone or something is
What is authentication?
Establishes whether something or someone is what they’re supposed to be
Is identity verification less or more strong than authentication?
It’s less strong than authentication.
What is the difference between authentication and authorization?
Authentication is a set of methods used to establish whether a claim of identity is true.
Authorization determines what someone is permitted to do.
What is mutual authentication?
An authentication mechanism in which both parties in a transaction authenticate each other.
These are typically software based. (Client-server; server-client)
What does mutual authentication generally rely on?
Digital certificates.
What kind of attack do you leave yourself vulnerable to when you don’t perform mutual authentication?
MITM (Man in the middle)
How does a MITM (man in the middle) attack work?
attacks where the attacker inserts themselves between the client and the server and impersonates the server to the client and the client to the server.
They circumvent the normal pattern of traffic and then intercept and forward the traffic that would normally flow directly between the client and the server
What is manual synchronization of passwords?
Using the same password everywhere
What is minutiae?
Noting elements that appear at certain parts of the image
What 7 characteristics are biometric factors defined by?
- Universality
- Uniqueness
- Permanence
- Collectibility
- Performance
- Acceptability
- Circumvention
What is universality
Should be able to find your chosen biometric characteristic in the majority of people you expect to enroll in the system.
What is uniqueness?
A measure of how unique a characteristic is among individuals
What is permanence?
Tests how well a characteristic resists changes over time and with advancing age.
What is collectability?
Measures how easy it is to acquire a characteristic.
What is performance?
How well a given biometric system functions based on factors such a s speed, accuracy, and error rate.
Hat is acceptability?
A measure of how acceptable the characteristic is to the users of the system.
In general, systems that are slow, difficult to use or awkward to use are less likely to be acceptable.
What is circumvention?
Describes how easy it is to trick a system by using a falsified biometric identifier.
What is a gummy finger?
A type of biometric identification attack where a fingerprint is lifted from a surface and used to create a mold with which the attacker can cast a positive image of the fingerprint in gelatin.
What secondary features of biometric systems have been put in place to defeat gummy attacks?
Measuring skin temperature, pulse, or pupillary response.
What are 2 of the mot important measures of biometric performance?
- FAR (false acceptance rate)
- FRR (False rejection rate)
What is ERR equal error rate?
A balance between false acceptance and false rejection of biometric data.
Is often used as a measure of the accuracy of biometric systems.
What are hardware tokens?
A small device, typically in the general form factor of a credit card or keychain fob.
Contains a certificate or unique identifier.
What do more complex hardware tokens have that differentiates them?
LCD’s (Liquid crystal displays),
Keypads for entering passwords
Biometric readers
Wireless devices
Additional features to enhance security
What are access controls?
Generally how you implement authorization, by using tools and systems you use to deny or allow access.
What 4 basic tasks would you probably want to use access control for?
- Allowing access
- Denying access
- Limiting access
- Revoking access
Name one example of a sandbox?
JVM Java virtual Machine
What are the two main methods of implementing access controls?
- Access control lists
- Capabilities
What are access control lists?
Lists containing information about what kind of access certain parties are allowed to have in a given system.
What are the three types of permissions in an ACL access control list file system?
- Read allowing user to access the contents of the file or directory
- Write allowing a user to write a file or directory
- Execute allowing a user to execute the contents of that file if the file contains a program or script capable or running on the system in question.
What command would you issue on a Linux-based OS to view the three sets of permissions? (For viewing files)
Ls -la
In Linux, when looking at ACL permissions, what do each of the 4 sections represent
- | r w - | r - - | r - -
- First character = file type. R=regular D=Directory
- Represents the user who owns the files permissions and is set to r w. Meaning user can read and write but not execute.
- Group permissions= set to r - - meaning that members of the group that was given ownership and read it but not write or execute it.
- Other is also set to r - - meaning anyone who is not the user who owns the file or in the group that owns the file can also read it but not write or execute it.
What do you use to filter access in network ACL’s
(3)
- IP (Internet Protocol) addresses
- Media Access Control Addresses
- Ports
What network infrastructure can you see network ACL’s
(3)
- Routers
- Switches
- Firewall devices including software firewalls such as google, facebook, email, etc.
How to network ACL’s work?
Tend to be binary, either allow or deny by granting or denying access to traffic.
What is media access control addresses?
Unique identifiers hard-coded into each network interface in a given system.
Why is media access control not a good choice for a unique identifier of a device on a network?
Because software settings in most OS can override this address, thus changing it is easy.
Why aren’t IP adresses a good form of network ACL?
Because you can falsify an IP address, they’re not unique to a network and they’re issued by ISP’s and are subject to frequently change.
What is blackholing?
It’s the use of large-scale filtering to block out known attacks, spammers, or undesirable traffic and can be applied to IP addresses, ISP’s or even entire countries.
What are network ports?
A numerical designation for one side of a connection between two devices and are used to identify applications to which traffic should be routed.
Why aren’t network ports a great method of ACL?
Because while ports being used for specific applications are conventions, they aren’t absolute rules and you can thus with relative ease change the ports that applications use to entirely different ones
What is a socket?
A combination of an IP address and a network port.
Systems that use ACL’s to manage permissions are vulnerable to what kind of attack?
Confused deputy problem
What is the confused deputy problem?
It’s a type of attack used when ACL’s are used to manage permissions and occurs when software with access to a resource (the deputy) has a greater level of permission to access the resource than the user who is controlling the software. If you can trick the software into misusing its greater level of authority, you can potentially carry out an attack.
What are client-side attacks?
Tricking the user into taking some action when they really think they are doing something else entirely. They take advantage of weaknesses in applications running on the users computers.
Name 3 forms client-side attacks could take. (examples of how they may be carried out)
- Code sent through web browser and executed on the local machine.
- Malformed PDF files
- Images and videos with attack code embedded.
Name 2 of the more common attacks exploiting the confused deputy problem.
- Cross-site request forgery (CSRF)
- Clickjacking
What is CSRF (cross-site request forgery)?
An attack that misuses the authority of the browser on the user’s computer.
If the attacker knows of or can guess a website that has already been authenticated by the user such as amazon.com, the attacker can embed a link in a web page or HTML-based email, generally to an image hosted from a site controlled by the attacker. When the targets browser attempts to retrieve the image in the link, it also executes the additional commands the attacker has embedded in it, often completely invisible to the target.
What is clickjacking?
Also known as user interface redressing.
Takes advantage of some of the page rendering features that are available in newer web browsers.
Attacker must legitimately control or have taken control of some portion of a website. Attacker constructs or modifies the site by placing an invisible layer over something the client would normally click. This causes the client to execute a command that’s different than the one they think they’re performing.
Can be used to trick the client into making purchases, changing permissions on applications or operating systems, or performing other unwanted activities.
What is a capability?
It’s a way of controlling access and permissions based on a user’s token or key.
These generally aren’t physical tokens.
In a capability-based system how is the right to access a resource decided?
Based on possession of the token rather than who possesses the token. Anyone can use the token and anyone who has that token can use it to access anything granted to that token.
What is an access control model?
A way of determining who should be allowed to access what resources.
What are the 6 most common access control models?
- Discretionary access control
- Mandatory access control
- Rule-based access control
- Role-based access control
- Attribute-based access control
- Multi-level access control
What is DAC (Discretionary Access Control)
The owner of the resource d determines who gets access to it and exactly what level of access they can have.
What is MAC (mandatory access control)
The owner of a resource doesn’t get to decide who gets access to it. Instead, a separate group or individual has the authority to set access to resources.
MAC is often implemented in government organizations where access to a given resource is largely dictated by the sensitivity label applied to it.
What is rule-based access control?
Allows access according to a set of rules defined by the system administrator. If the rule is matched, access to the resource will be granted or denied accordingly.
What is role-based access control. (RBAC)
Allows access based on the role of the individual being granted access.
What type of access control is RBAC?
Role based access control
(Not rule-based access control)
What is ABAC? (Attribute-based access control)
Based on the specific attributes of a person, resource, or environment. You can often find it implemented on infrastructure systems such as those in network or telecommunication environments.
What are subject attributes?
A potential attribute in attribute-based access control.
Belong to an individual. Could be height, or captcha’s
What are resource attributes?
A potential attribute in attribute-based access control.
Belong to a resource such as an operating system or application. You’ll often see access controlled by resource attributes.
Sometimes this is technical such as software only running on a particular OS.
What are environmental attributes?
A kind of attribute that may be used in attribute-based access control.
Enables access controls based on environmental conditions. People commonly use time to control access to physical and logical resources.
What is multilevel access control?
Combine several of the access control models. Used when simpler access control models aren’t considered robust enough to protect the information to which you’re controlling access.
What kind of access control is the Bell-LaPadula Model?
Multilevel access control
What is the Bell-LaPadula Model?
Implements a combination of discretionary and mandatory access controls (DAC and MAC) and is primarily concerned with the confidentiality of the resource in question.
What is the simple security property?
Level of access granted to an individual must be at least as high as the classification of the resource in order for the individual to access it.
Individual cannot read a resource classified at a higher level but they can red resources at a lower level.
What is the * property (or star property)
Anyone accessing a resource can only write (copy) its contents to another resource classified at the same level or higher.
What is the Biba model?
Primarily concerned with protecting the integrity of data, even at the expense of confidentiality.
what 2 security rules does Biba have?
- The simple integrity axiom level of access granted to an individual must be no lower than the classification of the resource. Ie, access to one level does not grant access to lower levels
- The integrity axiom (or star integrity axiom) anyone accessing a resource can only write its contents to a resource classified at the same level or lower.
No read down, no write up
The Biba model
No read up, no write down
The Bell-LaPadula model
