Security Primer

Question 1

Confidentiality

Examples of confidentiality protections

Answer 1

Protecting information from unauthorized access/dissemination

Protect secrets

ex. Encryption, Data Classification, NDA, TPM/HSM, Access Control

Question 2

Integrity

Examples of integrity protections

Answer 2

maintains the accuracy, validity, and completeness of information
Ensures the data has not been tampered with by anyone other than an authorized party for an authorized purpose

Protect accuracy and authenticity; verifies that information is processed correctly and is not modified either at rest, in use or in transit

Ex. Hasing, Message Authentication Code (MAC), Digital Signatures

Question 3

Availability

Examples of availability protections

Answer 3

Ensuring that authorized users can access the information when they are permitted to do so

Protects stability and reliability; ensures systems and data are up and running so that the y may be accessed as needed by authenticated and authorized users

ex. UPS, Clustering, Load Balancing, HVAC

Question 4

Checksum

Answer 4

a value derived from a piece of data that uniquely identifies that data and is used to detect changes that may have been introduced during storage or transmission

generated based on cryptographic hashing algorithm

Question 5

Least Privilege

Answer 5

Asserts that access to information should only be granted on a need to know basis

Question 6

DDOS

Answer 6

Distributed Denial of Service

coordinated attack by multiple compromised machines causing a disruption to a systems availability

Question 7

Threat

Answer 7

anything capable of intentionally or accidentally compromising an assets security

something that may harm an asset

Question 8

Vulnerability

Answer 8

a weakness or gap existing within a system that may be exploited to compromise an assets CIA

Question 9

Risks

Answer 9

the intersection of threat and vulnerability that defines the likelihood of a vulnerability being exploited and the impact should that exploit occur

Question 10

Identification

Answer 10

act of establishing who or what someone or something is

Question 11

Authentication

Answer 11

Validates identification (user’s/system identity)

Question 12

Generally what are the 3 factors/methods of authentication

Answer 12

1. Something you know - password, PIN
2. Something you have - security token, smart card
3. Something you are - fingerprints, iris scan, voice analysis, other biometrics

Question 13

Authorization

Answer 13

Process for granting access to a user based on their authenticated identity and the policies set for them

Question 14

Cryptography

Answer 14

science of encrypting or decrypting information to protect its confidentiality or integrity

Question 15

Encryption

Answer 15

process of using an algorithm or cipher to convert plain text into cipher text

Question 16

Decryption

Answer 16

allows authorized party to convert cipher text back to its original plain text using the encryption key - a piece of information that allows the holder to encrypt or decrypt

Question 17

Symmetric Key Encryption

Describe, AKA, Benefits, Drawbacks

Answer 17

AKA - Secret Key Encryption
Desc - Uses the same key (e.g. secret key) to decrypt and encrypt and the key must given to the recipient before the message can be decrypted
Benefits - simple, fast, cheap
Drawbacks - requires secure channel for initial key exchange

Question 18

Asymmetric Encryption

AKA, Desc, Drawbacks

Answer 18

AKA - Public Key Encryption
Desc - Uses two keys, one public and one private, public key is public available for encryption, while private key remains secret for decryption
Drawbacks - slower than symmetric encryption

Question 19

TLS

Desc, What Type of Encryption is used to implement?

Answer 19

Transport Layer Security
used to encrypt traffic over the network when privacy and data integrity need to be maintained
uses a combination of asymmetric and symmetric encryption

Question 20

Digital Signature

Answer 20

asserts or proves the identity of the user
used in public key schemes
requires the sender to use their private key to sign a message
recipients can use the senders public key to verify their identity

Question 21

VPN

Desc, What Type of Encryption is Used?

Answer 21

Virtual Private Network
Encrypts traffic between two networks over the internet by creating a secure tunnel for communication
Mix of symmetric and asymmetric encryption

Question 22

Business Continuity

Answer 22

policies, procedures, and tools you put in place to ensure critical business functions continue during and after a disaster or crisis

Question 23

Disaster Recovery

Answer 23

subset of Business Continuity focusing on recovering IT systems that are lost or damaged during a disaster

restoration of full operation of and access to hardware, software, and data as quickly as possible after a disaster

Question 24

Difference between BC and DR

Answer 24

BC - broadly focuses on procedures and systems you have in place to keep a business up and running during and after a disaster

DR - narrowly focuses on getting systems and data back after a crisis

Question 25

RTO

Answer 25

Recovery Time Objective
the amount of time within which business processes must be restored in order to avoid significant consequences associated with the disaster

How much time can pass before an outage or disruption has unacceptably affected the business?

Question 26

RPO

Answer 26

Recovery Point Objective
the maximum amount of data loss thats tolerable to the organization

How much data can be lost before the business is unacceptably impacted by the disaster?

RPO plays an important role in determining frequency of backup

Question 27

Incident Handling

Answer 27

preparing for, addressing and recovering from security incidents

Question 28

Event
Desc, NIST item #
Adverse Event

Answer 28

NIST SP 800-61
observable occurrence in an system or network
Events with negative consequences

Question 29

Computer Security Incident

Answer 29

a violation or imminent threat of violation of computer security policies, acceptable use policies or standard security practices

Question 30

What are the steps in the IR Lifecycle?

Answer 30

1. Preparation
2. Detection
3. Containment
4. Eradication
5. Recovery
6. Post Mortem

Question 31

IR Lifecycle: Preparation

Answer 31

1. Develop Incident Response Plan
2. Periodically test IRP - tabletop exercises or incident simulation
3. Implementing preventative measures to keep the number of incidents low - vulnerability identification, threat assessment, and applying layered security
4. Setting up incident analysis equipment - e.g. forensic workstation, back up media, evidence gathering accessories

Question 32

Incident Response Plan

Answer 32

procedures that follow when an incident occurs and roles and responsibilities of all stakeholders

Question 33

IR Lifecycle: Detection

Answer 33

Acknowledge the incident has occurred, gathering data and analyzing to gain insights into the origin and impact e.g.

1. Conducting log analysis and looking for unusual behavior
2. Identify impacts
3. Notification of appropriate individuals
4. Documentation of findings

Question 34

IR Lifecycle: Containment

Answer 34

stop the bleeding and prevent further damage, could include things like

disabling internet connectivity for affected systems
isolating/quarantining malware infected systems from the rest of the network
reviewing and/or changing potentially compromised passwords
capturing forensic images and memory dumps from impacted systems

Question 35

IR Lifecycle: Eradication

Answer 35

Remove the threat from the system; eliminate all components of the incident that remain e.g.
Securely remove all traces of malware
Disabling or recreating impacted user and system accounts
Identifying and patching vulnerabilities
Restore known good backups
Wipe or rebuild critically damaged systems

Question 36

IR Lifecycle: Recovery

Answer 36

Bring impacted systems back into your operational environment and fully resume business operations e.g.
Confirm vulnerabilities have been patched or fully remediated
Validating systems are functioning normally
Restoring systems to normal operations (e.g. restore internet access, networks, etc.)
Closely monitor systems for remaining signs of undesirable activity

Question 37

IR Lifecycle: Post Mortem

Answer 37

Document lessons learned and implemented the changes required to prevent a similar type of incident from happening again
All members of the IR team meet to discuss what worked, what didn’t, and what needs to change

Question 38

What questions or documentation should be considered during IR post mortem lifecycle?

Answer 38

What vulnerabilities did this breach exploit?
What could’ve been done differently to prevent this incident or decrease the impact?
How can you respond more effectively during future incidents?
What policies need to be updated and with what content?
How should you train your employees differently?
What security controls need to be modified?
Do you have the proper funding to ensure you re prepared to handle future breaches?

Question 39

Defense In-Depth

AKA, Desc

Answer 39

AKA - Layered Security
Desc - application of multiple distinct layers of security technology and strategies for greater overall protection

Each layer has strengths and weaknesses, with each one hopefully compensating for another, so that weaknesses are compensated by strengths in other layers

Question 40

What does DAD stand for and what is it?

Answer 40

Disclousure, Alteration and Destruction

The negative of the CIA security triad with each being the negative of
Confidentiality, Integrity, and Availability

Question 41

What are the 3 types of Enterprise Security Controls

Answer 41

Administrative - policies, procedures, and training?? controls
Technical - often controls access
Physical - Protect physical assets e.g. locks, fire sprinklers

Question 42

List and Describe Enterprise Security categories

Answer 42

1. Directive - controls focused on management, policies and/or procedures- e.g. posted signs - authorized personnel only
2. Deterrent - controls focused on consequences
3. Preventive - controls to stop unwanted behavior or activity
4. Detective - controls to identify and monitor
5. Corrective - controls to mitigate an incident or reduce damage
6. Recovery - control focused on restoration
7. Compensating - alternative when best controls are not available or feasible

Question 43

OSI Reference Model

Answer 43

1. Physical
2. Data Link
3. Network
4. Transport
5. Session
6. Presentation
7. Application

Question 44

Describe steps in TLS/SSL connection

Answer 44

1. Client issues Hello to server
2. Server passes client its public key
3. Client generates a random number for the shared (symmetric session key)
4. Client encrypts with the server public key
5. Server decrypts with it’s private key
6. Shared session key is established to generate encrypted messages

Question 45

OSI Layers

Answer 45

1. Physical
2. Data Link
3. Network
4. Transport
5. Session
6. Presentation
7. Application

Question 46

Describe Physical layer of OSI model?

Give example of HW/SW that operates at this layer

Answer 46

Protocols here are responsible for encoding and transmission of data onto the network ( i.e turns bits - 0’s and 1’s
into electricity/protons/radio signals, then sends and receives them)

Hubs and cables work at Layer 1

Question 47

Describe Data Link layer of OSI model?

Give example of HW/SW that operates at this layer

Answer 47

Protocols are responsible for node to node or NIC to NIC communications between systems on the same network (ex. ethernet MAC address, frame-rely)

Switches, Bridges, and Wireless Access Points - WAP work at Layer 2 - they all forward based on MAC address

Question 48

Describe Network layer of OSI model?

Give example of HW/SW that operates at this layer

Answer 48

Protocols responsible for network to network, router, or gateway to gateway communications

ex. IP, ICMP, IPSEC, routing protocols like RIP, OSPF, EIGRP

Routers work at Layer 3 - they forward based on IP address

Question 49

Describe Transport layer of OSI model?

Give example of HW/SW that operates at this layer

Answer 49

Protocols that are responsible for end to end, host to host, or application to application communication -

Ex. TCP and UDP Ports

Question 50

Describe Session layer of OSI model?

Give example of HW/SW that operates at this layer

Answer 50

Protocols that coordinate the orderly exchange of information. The session layer keeps track of request on the way out, then matches incoming reply packets back to the program that requested the data

Ex. client request/server response

Question 51

Describe Presentation layer of OSI model?

Give example of HW/SW that operates at this layer

Answer 51

Protocols that ensure compatible syntax to make sure systems understand each other

Ex. File formats like .jpg, .gif, .tif

Question 52

Describe Application layer of OSI model?

Give example of HW/SW that operates at this layer

Answer 52

This layer interfaces with your applications. Here we have network services that make themselves available to your applications to use

ex. HTTP, HTTPS, DNS, FTP, SMTP, VOIP

Question 53

Data Encapsulation

Answer 53

Packaging up the payload - adding headers or footers to payload- to transmit via network

Example:
Data Link Layer (Frames ) - adds ethernet header, and trailer
Network Layer (Packets) - adds IP header
Transport Layer (UDP, TCP) - adds protocol header
Application gets data

Question 54

Data Decapsulation

Answer 54

happens when data is received and Headers and footers are stripped away from payload and only the data is delivered to the application

Question 55

Dynamic Host Configuration

Answer 55

A protocol used to automatically assign IP addresses, subnet mask, DNS, and Default Gateway to devices

Question 56

How are IPv4 classes determined

Answer 56

The number in the first byte or octet of the IPv4 address

Question 57

List address allocation for Private Internet IP address ranges (RFC 1918) according to class

Also describe reserved IP spaces, by class

Answer 57

Class A (1 - 126): 10.0.0.0 - 10.255.255.255 (10.x.x.x)

Class B (127 - 191) : 172.16.0.0 - 172.31.255.255 (172.16.x.x - 172.31.x.x)

Class C (192 - 223) : 192.168.0.0 - 192.168.255.255 (192.168.x.x)

Class D (224 - 239) : Reserved for Multicast

Class E (240 - 255): Reserved for research

Addresses in the 127 range are reserved for Loopback (self-diagnostic testing)
127.0.0.1 or 127.0.0.0 aka home or localhost

Question 58

Describe IPv6 addresses

Answer 58

128 bits and formatted as 8 groups of 4 hexidecimal characters (character set of 16 chars so 0-9 and A-F) delimited by :

Leading zeros can be eliminated, 0000 is reduced to 0

:: (double colon) can represent one or more consecutive blocks of 4 0’s

Only one double colon is valid, triple colon is not valid

Question 59

IPv6 addresses link local address space and Loopback

Answer 59

FE80 prefix means its a link local address - similar to IPv4 private

::1 (0:0:0:0:0:0:0:1)

Question 60

Domain Name System (DNS)

Answer 60

A hierarchical naming system for computers and other resources connected to the Internet on a private network

It associates IP addresses and other information to the Fully Qualified Domain Name (FQDN)

Question 61

List Types of DNS records and what they are used for

Answer 61

1. Alias record, Host A, maps a name to an IPv4 address
2. Alias records, Host AAA, maps a name to IPv6 address
3. Pointer Record - Pointer PTR - reverse look up, IP to name
4. Name Server Record - NS - records for your DNS server
5. Mail Exchange Record - MS - points to your mail server