Security Primer Flashcards
Confidentiality
Examples of confidentiality protections
Protecting information from unauthorized access/dissemination
Protect secrets
ex. Encryption, Data Classification, NDA, TPM/HSM, Access Control
Integrity
Examples of integrity protections
maintains the accuracy, validity, and completeness of information
Ensures the data has not been tampered with by anyone other than an authorized party for an authorized purpose
Protect accuracy and authenticity; verifies that information is processed correctly and is not modified either at rest, in use or in transit
Ex. Hashing, Message Authentication Code (MAC), Digital Signatures
Availability
Examples of availability protections
Ensuring that authorized users can access the information when they are permitted to do so
Protects stability and reliability; ensures systems and data are up and running so that they may be accessed as needed by authenticated and authorized users
ex. UPS, Clustering, Load Balancing, HVAC
Checksum
a value derived from a piece of data that uniquely identifies that data and is used to detect changes that may have been introduced during storage or transmission
generated based on cryptographic hashing algorithm
Least Privilege
Asserts that access to information should only be granted on a need to know basis
DDOS
Distributed Denial of Service
coordinated attack by multiple compromised machines causing a disruption to a system's availability
Threat
anything capable of intentionally or accidentally compromising an asset's security
something that may harm an asset
Vulnerability
a weakness or gap existing within a system that may be exploited to compromise an asset's CIA
Risks
the intersection of threat and vulnerability that defines the likelihood of a vulnerability being exploited and the impact should that exploit occur
Identification
act of establishing who or what someone or something is
Authentication
Validates identification (user’s/system identity)
Generally what are the 3 factors/methods of authentication
- Something you know - password, PIN
- Something you have - security token, smart card
- Something you are - fingerprints, iris scan, voice analysis, other biometrics
Authorization
Process for granting access to a user based on their authenticated identity and the policies set for them
Cryptography
science of encrypting or decrypting information to protect its confidentiality or integrity
Encryption
process of using an algorithm or cipher to convert plain text into cipher text
Decryption
allows authorized party to convert cipher text back to its original plain text using the encryption key - a piece of information that allows the holder to encrypt or decrypt
Symmetric Key Encryption
Describe, AKA, Benefits, Drawbacks
AKA - Secret Key Encryption
Desc - Uses the same key (i.e. a secret key) to encrypt and decrypt; the key must be given to the recipient before the message can be decrypted
Benefits - simple, fast, cheap
Drawbacks - requires secure channel for initial key exchange
Asymmetric Encryption
AKA, Desc, Drawbacks
AKA - Public Key Encryption
Desc - Uses two keys, one public and one private; the public key is publicly available for encryption, while the private key remains secret for decryption
Drawbacks - slower than symmetric encryption
TLS
Desc, What Type of Encryption is used to implement?
Transport Layer Security
used to encrypt traffic over the network when privacy and data integrity need to be maintained
uses a combination of asymmetric and symmetric encryption
Digital Signature
asserts or proves the identity of the user
used in public key schemes
requires the sender to use their private key to sign a message
recipients can use the sender's public key to verify their identity
VPN
Desc, What Type of Encryption is Used?
Virtual Private Network
Encrypts traffic between two networks over the internet by creating a secure tunnel for communication
Mix of symmetric and asymmetric encryption
Business Continuity
policies, procedures, and tools you put in place to ensure critical business functions continue during and after a disaster or crisis
Disaster Recovery
subset of Business Continuity focusing on recovering IT systems that are lost or damaged during a disaster
restoration of full operation of and access to hardware, software, and data as quickly as possible after a disaster
Difference between BC and DR
BC - broadly focuses on procedures and systems you have in place to keep a business up and running during and after a disaster
DR - narrowly focuses on getting systems and data back after a crisis
RTO
Recovery Time Objective
the amount of time within which business processes must be restored in order to avoid significant consequences associated with the disaster
How much time can pass before an outage or disruption has unacceptably affected the business?
RPO
Recovery Point Objective
the maximum amount of data loss that's tolerable to the organization
How much data can be lost before the business is unacceptably impacted by the disaster?
RPO plays an important role in determining frequency of backup
Incident Handling
preparing for, addressing and recovering from security incidents
Event
Desc, NIST item #
NIST SP 800-61
observable occurrence in a system or network
Adverse Event
Events with negative consequences
Computer Security Incident
a violation or imminent threat of violation of computer security policies, acceptable use policies or standard security practices
What are the steps in the IR Lifecycle?
- Preparation
- Detection
- Containment
- Eradication
- Recovery
- Post Mortem
IR Lifecycle: Preparation
- Develop Incident Response Plan
- Periodically test IRP - tabletop exercises or incident simulation
- Implementing preventative measures to keep the number of incidents low - vulnerability identification, threat assessment, and applying layered security
- Setting up incident analysis equipment - e.g. forensic workstation, back up media, evidence gathering accessories
Incident Response Plan
procedures to follow when an incident occurs, and the roles and responsibilities of all stakeholders
IR Lifecycle: Detection
Acknowledge that the incident has occurred, then gather and analyze data to gain insight into its origin and impact, e.g.
- Conducting log analysis and looking for unusual behavior
- Identify impacts
- Notification of appropriate individuals
- Documentation of findings
IR Lifecycle: Containment
stop the bleeding and prevent further damage, could include things like
disabling internet connectivity for affected systems
isolating/quarantining malware infected systems from the rest of the network
reviewing and/or changing potentially compromised passwords
capturing forensic images and memory dumps from impacted systems
IR Lifecycle: Eradication
Remove the threat from the system; eliminate all components of the incident that remain e.g.
Securely remove all traces of malware
Disabling or recreating impacted user and system accounts
Identifying and patching vulnerabilities
Restore known good backups
Wipe or rebuild critically damaged systems
IR Lifecycle: Recovery
Bring impacted systems back into your operational environment and fully resume business operations e.g.
Confirm vulnerabilities have been patched or fully remediated
Validating systems are functioning normally
Restoring systems to normal operations (e.g. restore internet access, networks, etc.)
Closely monitor systems for remaining signs of undesirable activity
IR Lifecycle: Post Mortem
Document lessons learned and implement the changes required to prevent a similar type of incident from happening again
All members of the IR team meet to discuss what worked, what didn’t, and what needs to change
What questions or documentation should be considered during IR post mortem lifecycle?
What vulnerabilities did this breach exploit?
What could’ve been done differently to prevent this incident or decrease the impact?
How can you respond more effectively during future incidents?
What policies need to be updated and with what content?
How should you train your employees differently?
What security controls need to be modified?
Do you have the proper funding to ensure you're prepared to handle future breaches?
Defense In-Depth
AKA, Desc
AKA - Layered Security
Desc - application of multiple distinct layers of security technology and strategies for greater overall protection
Each layer has strengths and weaknesses, with each one hopefully compensating for another, so that weaknesses are compensated by strengths in other layers
What does DAD stand for and what is it?
Disclosure, Alteration and Destruction
The negative of the CIA security triad with each being the negative of
Confidentiality, Integrity, and Availability
What are the 3 types of Enterprise Security Controls
Administrative - policies, procedures, and training controls
Technical - often controls access
Physical - Protect physical assets e.g. locks, fire sprinklers
List and Describe Enterprise Security categories
- Directive - controls focused on management, policies and/or procedures - e.g. posted signs - authorized personnel only
- Deterrent - controls focused on consequences
- Preventive - controls to stop unwanted behavior or activity
- Detective - controls to identify and monitor
- Corrective - controls to mitigate an incident or reduce damage
- Recovery - control focused on restoration
- Compensating - alternative when best controls are not available or feasible
OSI Reference Model
- Physical
- Data Link
- Network
- Transport
- Session
- Presentation
- Application
Describe steps in TLS/SSL connection
- Client issues Hello to server
- Server passes client its public key
- Client generates a random number for the shared (symmetric session key)
- Client encrypts with the server public key
- Server decrypts with its private key
- Shared session key is established to generate encrypted messages
OSI Layers
- Physical
- Data Link
- Network
- Transport
- Session
- Presentation
- Application
Describe Physical layer of OSI model?
Give example of HW/SW that operates at this layer
Protocols here are responsible for encoding and transmission of data onto the network (i.e. turns bits - 0's and 1's - into electricity/photons/radio signals, then sends and receives them)
Hubs and cables work at Layer 1
Describe Data Link layer of OSI model?
Give example of HW/SW that operates at this layer
Protocols are responsible for node to node or NIC to NIC communications between systems on the same network (ex. Ethernet MAC address, Frame Relay)
Switches, Bridges, and Wireless Access Points - WAP work at Layer 2 - they all forward based on MAC address
Describe Network layer of OSI model?
Give example of HW/SW that operates at this layer
Protocols responsible for network to network, router, or gateway to gateway communications
ex. IP, ICMP, IPSEC, routing protocols like RIP, OSPF, EIGRP
Routers work at Layer 3 - they forward based on IP address
Describe Transport layer of OSI model?
Give example of HW/SW that operates at this layer
Protocols that are responsible for end to end, host to host, or application to application communication
Ex. TCP and UDP Ports
Describe Session layer of OSI model?
Give example of HW/SW that operates at this layer
Protocols that coordinate the orderly exchange of information. The session layer keeps track of requests on the way out, then matches incoming reply packets back to the program that requested the data
Ex. client request/server response
Describe Presentation layer of OSI model?
Give example of HW/SW that operates at this layer
Protocols that ensure compatible syntax to make sure systems understand each other
Ex. File formats like .jpg, .gif, .tif
Describe Application layer of OSI model?
Give example of HW/SW that operates at this layer
This layer interfaces with your applications. Here we have network services that make themselves available to your applications to use
ex. HTTP, HTTPS, DNS, FTP, SMTP, VOIP
Data Encapsulation
Packaging up the payload - adding headers or footers to the payload - to transmit via network
Example:
Data Link Layer (Frames) - adds Ethernet header and trailer
Network Layer (Packets) - adds IP header
Transport Layer (UDP, TCP) - adds protocol header
Application gets data
Data Decapsulation
happens when data is received: headers and footers are stripped away from the payload and only the data is delivered to the application
Dynamic Host Configuration
A protocol used to automatically assign IP addresses, subnet mask, DNS, and Default Gateway to devices
How are IPv4 classes determined
The number in the first byte or octet of the IPv4 address
List address allocation for Private Internet IP address ranges (RFC 1918) according to class
Also describe reserved IP spaces, by class
Class A (1 - 126): 10.0.0.0 - 10.255.255.255 (10.x.x.x)
Class B (127 - 191) : 172.16.0.0 - 172.31.255.255 (172.16.x.x - 172.31.x.x)
Class C (192 - 223) : 192.168.0.0 - 192.168.255.255 (192.168.x.x)
Class D (224 - 239) : Reserved for Multicast
Class E (240 - 255): Reserved for research
Addresses in the 127 range are reserved for Loopback (self-diagnostic testing)
127.0.0.1 or 127.0.0.0 aka home or localhost
Describe IPv6 addresses
128 bits and formatted as 8 groups of 4 hexadecimal characters (character set of 16 chars, so 0-9 and A-F) delimited by :
Leading zeros can be eliminated, 0000 is reduced to 0
:: (double colon) can represent one or more consecutive blocks of four 0's
Only one double colon is valid, triple colon is not valid
IPv6 addresses link local address space and Loopback
FE80 prefix means it's a link local address - similar to IPv4 private
::1 (0:0:0:0:0:0:0:1)
Domain Name System (DNS)
A hierarchical naming system for computers and other resources connected to the Internet or a private network
It associates IP addresses and other information to the Fully Qualified Domain Name (FQDN)
List Types of DNS records and what they are used for
- Alias record, Host A, maps a name to an IPv4 address
- Alias record, Host AAAA, maps a name to an IPv6 address
- Pointer Record - PTR - reverse lookup, IP to name
- Name Server Record - NS - records for your DNS server
- Mail Exchange Record - MX - points to your mail server