Security Fundamentals Flashcards

0
Q

What to protect or what information to secure

A

Data. The information assets

Resources. Virtual or physical system components

1
Q

Information security refers to

A

The protection of information resources from unauthorized access, attacks, thefts, or data damage

2
Q

The three primary goals of security

A

Prevention. Prevent users from gaining unauthorized access to confidential information.
Detection. Discover users trying to access unauthorized data.
Recovery. Employ a process to recover vital data.

3
Q

In terms of security what is collateral damage

A

Compromised reputation, loss of goodwill, reduced investor confidence, loss of customers, and financial losses.

4
Q

Risk is

A

Exposure to the chance of damage or loss. The likelihood of a hazard or threat occurring. Associated with the loss of a system, power, or network.

5
Q

A threat is

A

Any action that could cause damage to an asset.

6
Q

Some potential threats to computer and network security

A

Unauthorized access or changes to data
Interruption of services
Interruption of access to assets
Damage to hardware
Unauthorized access or damage to facilities
7
Q

A vulnerability is

A

Any condition that leaves a system open to harm

8
Q

List some vulnerabilities in terms of security

A

Improperly configured or installed hardware or software
Untested software or firmware patches
Bugs in software or OS
Misuse of software or communication protocols
Poorly designed networks
Poor physical security
Insecure passwords
Design flaws in software or OS
Unchecked user input
9
Q

An intrusion occurs when

A

An attacker accesses a computer system without authorization. Occurs when the system is vulnerable to attacks.

10
Q

Three types of intrusions

A

Physical
Host-based
Network-based

11
Q

An attack is

A

Exploiting a vulnerability in a system without authorization

12
Q

Attacks on a computer system and network security include

A

Physical
Network-based
Software-based
Social engineering
Web application-based
13
Q

Controls are

A

The countermeasures (solutions and activities) put in place to avoid, mitigate, or counteract security risks due to threats or attacks.

14
Q

Types of controls

A

Prevention controls
Detection controls
Correction controls

15
Q

Prevention controls help to

A

Prevent a threat or attack from exposing a vulnerability

16
Q

Detection controls help to

A

Discover if a threat or vulnerability has entered the computer system

17
Q

Correction controls help to

A

Mitigate the consequences of a threat or attack from adversely affecting the computer system

18
Q

The security management process involves

A

Identify security controls: detect problems and determine how to protect a system
Implement security controls: install control mechanisms to prevent problems in a system
Monitor security controls: detect and solve security issues that arise

19
Q

Information security seeks to address three specific principles

A

Confidentiality
Integrity
Availability

20
Q

Confidentiality is the fundamental principle of

A

Keeping information and communication private and protecting them from unauthorized access

21
Q

Integrity is the fundamental principle of

A

Keeping organizational information accurate, free of errors, and without unauthorized modifications.

22
Q

Confidentiality is typically controlled through

A

Encryption, access controls, and steganography

23
Q

Integrity is typically controlled through

A

Hashing, digital signatures, certificates, and non-repudiation.

24
Availability is the fundamental principle of
Ensuring that systems operate continuously and that authorized users can access the data they need.
25
Availability is typically controlled through
Redundancy, fault tolerance, and patching.
26
Non-repudiation is
Ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
27
Identification is a method that
Ensures that an entity requesting access to resources by using a set of credentials is the true owner of the credentials.
28
Authentication is the method of
Validating unique credentials
29
Authorization is the process of
Determining what rights and privileges a particular entity has.
30
Access control is the process of
Determining and assigning privileges. How authorization is managed.
31
The four access control models
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
Rule-Based Access Control
32
In security terms accounting is
The process of tracking and recording system activities and resource access
33
In security terms auditing is
Examining logs of what was recorded.
34
Implicit deny dictates that
Everything that is not explicitly allowed is denied. Users are only allowed to access data and perform actions when permissions are specifically granted to them.
35
Principle of least privilege
Users and software should only have the minimal level of access necessary for them to perform their duties.
36
List common security practices
Implicit deny
Least privilege
Separation of duties
Job rotation
Mandatory vacation
Time of day restrictions
Privilege management
37
Separation of duties states that
No one person should have too much power or responsibility. Duties are divided among individuals to prevent ethical conflicts or abuse of powers.
38
Job rotation is
No one person stays in a vital job role too long. Helps prevent abuse of power, reduces boredom, and enhances professional skills.
39
Mandatory vacations are used to
Provide an opportunity to review employees' activities. Requires that employees take at least one vacation a year for a full week. The corporate audit and security employees have time to investigate and discover any discrepancies.
40
Time of day restrictions are
Controls that restrict the period of time when users are allowed to access systems. Can be applied to individual systems and wireless access points also.
41
What is an orphaned account
User accounts that remain active even after the employees have left the organization.
42
Privilege management is
The use of authentication and authorization mechanisms to provide centralized or decentralized administration of user and group access control. Should include an auditing component. Single sign-on can offer this.
43
What is the purpose of PMI
Privilege management infrastructure. Its purpose is to issue specific permissions to users within the infrastructure. Leveraged alongside PKI (public key infrastructure), which is used to validate signatures for
44
Describe user name/password authentication
A user's credentials are compared against credentials stored in a database. Not very secure because it doesn't necessarily identify the correct user. Most basic and widely used.
45
Describe mandatory access control (MAC)
Access is controlled by comparing an object's security designation and a user's security clearance. The clearance level must correspond to the object's security level.
46
Describe discretionary access control (DAC)
Access to each object is controlled on a customized basis based on a user's identity.
47
Describe role-based access control (RBAC)
Users are assigned to predefined roles and network objects are configured to allow access only to specific roles
48
Describe rule-based access control
Non-discretionary technique based on a set of operational rules or restrictions
49
What are tokens
Physical or virtual objects (smart cards, ID badges or data packets) that store authentication information (PINs, info about user, passwords)
50
What are smart cards
An example of token-based authentication. A plastic card containing an embedded computer chip that stores electronic information.
51
Biometrics are
The use of physical characteristics for authentication. Involves fingerprint scanners, retinal scanners, hand geometry, voice recognition, and facial recognition software.
52
What is geolocation authentication
Authentication from an approved location. Performed by associating a geographical location with an IP address or MAC address, for example.
53
Describe keystroke authentication
Describes exactly when a keyboard key is pressed and released. Each user has certain tendencies and patterns that can be recorded and measured to compare against future keystrokes.
54
What is multi-factor authentication
Any authentication scheme that requires validation of two or more authentication factors. Any combination of who you are, what you have, what you know, where you are or are not, and what you do.
55
What is mutual authentication
Security mechanism that requires that each party in a communication verifies the other's identity.
56
Cryptography
The science of hiding information
57
Encryption is
A cryptographic technique that converts data from plain text or clear text into coded or cipher text form
58
Decryption is
Converts cipher text back to clear text
59
Quantum cryptography is
An experimental method of data encryption based upon quantum communication and computation.
60
A qubit is
A unit of data that is encrypted by entangling data with a photon or electron that has a particular spin cycle which can be read using a polarization filter that controls spin.
61
A cipher is
An algorithm used to encrypt or decrypt data. Operates on individual letters or bits and scrambles the message.
62
An algorithm in electronic cryptography is
A complex mathematical function
63
Enciphering is
Applying a cipher to plaintext or clear text
64
Deciphering is
Translating cipher text to clear text
65
Two major categories of encryption ciphers
Stream and block
66
Describe stream cipher
Encrypts data one bit at a time. Each plaintext bit is transformed into encrypted cipher text. Fast to execute. When errors occur, they only affect one bit.
67
Describe block cipher
Encrypts data one block at a time, often in 74-bit blocks. Stronger and more secure but slower performance.
68
List some encryption and security goals
Confidentiality
Integrity
Non-repudiation
Authentication
Access control
69
Steganography is
An alternative cipher process that hides information by enclosing it in another file. Obscures the fact that information is even present.
70
An encryption key is
A specific piece of information that is used with an algorithm to perform encryption and decryption
71
Two states of encryption keys
Static or ephemeral
72
Static keys are
Keys intended to be used for a long time and for many instances within a key establishment process
73
Ephemeral keys are
Keys generated for each communication or session
74
What's a one-time pad
An encryption algorithm developed assuming the key is used once, created randomly, and kept secret.
75
Hashing encryption is
One-way encryption that transforms clear text into cipher text and is not intended to be decrypted.
76
The several uses of hashing
Hashing is used in password authentication, called a hash of a password
A hash value is embedded in an electronic message
Hash of a file used to verify integrity of the file after transfer
77
What is SHA
Secure Hash Algorithm. A hashing encryption algorithm modeled after MD5 (Message Digest 5).
78
List hashing encryption algorithms
MD5. Message Digest 5
SHA. Secure Hash Algorithm
NTLM v1 & 2. NT LAN Manager authentication protocol created by Microsoft
RIPEMD. RACE Integrity Evaluation Message Digest
HMAC. Hash-based Message Authentication Code. Verifies both the integrity and authenticity of a message by combining cryptographic hash functions
79
What is symmetric encryption
Two-way encryption where encryption and decryption are performed by the same key. Configured in software or coded in hardware. Fast but vulnerable to loss or being compromised.
80
Common names for symmetric encryption
Secret key
Shared key
Private key encryption
81
List symmetric encryption algorithms
DES. Data Encryption Standard, a block cipher
3DES. Triple DES encrypts data by processing each block of data three times using a different key each time
AES. Advanced Encryption Standard algorithm. A block cipher
Blowfish. Freely available 64-bit block cipher that uses variable key length
Twofish. Block cipher
Rivest Cipher 4, 5 & 6 (RC). All have variable key lengths. RC4 is a stream cipher. RC5 & RC6 are variable-size block ciphers
82
What is asymmetric encryption
Uses public and private keys. The private key is kept secret during two-way encryption. The public key is given to anyone. The private key in a pair can decrypt data encoded with the corresponding public key.
83
List some of the asymmetric encryption techniques
RSA. Rivest Shamir Adleman. First successful algorithm for public key encryption. Variable length and block size
DH. Diffie-Hellman. Cryptographic technique that provides secure key exchange
ECC. Elliptic Curve Cryptography. Public key encryption used with wireless and mobile devices
DHE. Diffie-Hellman Ephemeral. Variant of DH that provides secure key exchange
ECDHE. Elliptic Curve Diffie-Hellman Ephemeral. Incorporates use of ECC and ephemeral keys
84
What is key exchange
Cryptographic keys transferred among users enabling the use of a cryptographic algorithm
85
Two types of key exchanges
In band and out of band
In band key exchanges use the same path as other data.
Out of band key exchanges use a different path.
86
Symmetric key encryption requires this type of key exchange to avoid keys being intercepted
Out of band key exchange
87
A digital signature is
A message digest that has been encrypted again with a user's private key
88
Asymmetric encryption algorithms can be used with this to create digital signatures
Hashing algorithms
89
A cipher suite is
A collection of asymmetric and symmetric encryption algorithms used to establish a secure connection between hosts.
90
A cipher suite is commonly associated with these network protocols
TLS (Transport Layer Security)
SSL (Secure Sockets Layer)
91
Name the four cipher suite components
Key exchange algorithm
Bulk encryption algorithm
Message authentication code algorithm
Pseudorandom function
92
What is a session key
A single-use symmetric key that is used for encrypting all messages in a single series of related communications
93
What are the two primary reasons to use session keys
Limit the amount of data encrypted by that key
Faster and more efficient than using asymmetric encryption alone
94
Perfect forward secrecy is
A property of public key cryptographic systems that ensures that any key derived from a set of long-term keys cannot be compromised if one of the keys is compromised at a future date. Examples: DHE and ECDHE.
95
What is key stretching
Strengthens potentially weak cryptographic keys against brute force attacks. The original key is enhanced by running it through an algorithm.
96
List some key stretching techniques
Repeatedly looping cryptographic hash functions
Repeatedly looping block ciphers
Increase time for key to be set up
Use a key derivation function such as PBKDF2 (Password-Based Key Derivation Function 2) and bcrypt
97
A security policy is
A formalized statement indicating how security will be implemented in an organization
98
List the components that make up a security policy
Policy statement. The plan for individual security
Standards. How to measure the level of adherence
Guidelines. Best practices for how to meet the standards
Procedures. Instructions for implementing the policy
99
What is a group policy
A centralized account management feature on Windows Server systems. Controls certain desktop workstation features, security features, and the granting of permissions to access servers.
100
List the security document categories that need to be securely maintained
System architecture. Documentation about the configuration of your network. Network mapping & diagnostic software
Change documentation. Changes in configuration.
Logs. System logs of audits
Inventories. Equipment and asset inventories.
101
Explain change management
A systematic way of approving and executing change to assure maximum security, stability, and availability of information technology services. An organization can properly assess risk, quantify the cost of training, support, maintenance, or implementation, and weigh the benefits against the complexity of the proposed changes.
102
Documentation handling measures for sensitive documents
Classification of documents. Public, internal, confidential, and restricted
Retention and storage. Plan for how long docs are retained for legal requirements
Disposal and destruction. Plan for outdated docs