Total CompTIA - Online class Flashcards
What is risk management
Risk is the likelihood of a threat actor taking advantage of a vulnerability by using a threat against an IT asset
What is an asset
any part of an IT infrastructure that has value
what is likelihood
the probability of an asset being damaged over time
what are threat actors
anyone or anything with the motive and resources to attack another's IT infrastructure
what are the nine different threat actor groups
- Hacker - people trying to crack into IT infrastructure
- Hacktivist - someone with an activist attitude - ex. Greenpeace
- Script kiddies - someone who uses known scripts and tries things (premade attacks)
- Insiders - somebody who has access to the internal infrastructure
- Competitors
- Shadow IT - any form of IT infrastructure that is put in place in an unofficial or illegal way
- Criminal syndicates - denial of service attacks
- State actors - ex. state sponsored, long term type of actors
- Advanced persistent threat (APT) - long term hacking of something to get information over time
what is a vulnerability
a weakness inherent in the protection of an asset. ex. firewalls that have holes in them
what is a threat
an action (attack or exploit) by a malicious threat actor that they can use against a vulnerability to perform harm to an asset
how can you get rid of threats
you go through remediation - look at all threat actors, threats and infrastructure, at their vulnerabilities, and based on likelihood make a decision on what we are going to do to remediate these threats
what does the CIA triad stand for
C- CONFIDENTIALITY
I-INTEGRITY
A- AVAILABILITY
what is an example of a script kiddie tool
Kali Linux
what are attack vectors
pathways to gain access to infrastructure
- ex. open firewall ports
-weak configurations
-lack of security awareness
-missing patches
-infected USB thumb drive
-supply chain attacks
threat intelligence sources
- facilitate risk management
- hardening can reduce incident response time
- provide cyber security insight - ex. threat maps
what are the threat intelligence sources
- closed/proprietary - pay
- OSINT - open source intelligence, ex. government reports, ex. NSA
- CVE - Common Vulnerabilities and Exposures
- dark web - anonymous connections (TOR network)
- AIS - Automated Indicator Sharing - exchange of cyber security intelligence between entities (ex. STIX)
what is STIX
Structured Threat Information Expression - a special format to package information that is understood between similar systems
what is TAXII
Trusted Automated Exchange of Intelligence Information: ex. real time threat indicator feeds
describe OSINT
open source intelligence
- refers to public cybersecurity intelligence resources
* ex: CVE - Common Vulnerabilities and Exposures database
what is the dark web
an encrypted and anonymized internet access mechanism allowing access to unindexed content
what could be some attack vectors
ex. mission critical IT systems - payment processing
- third party access - software components
what are physical risk vectors
ex. access control vestibules - mantraps
- server room access
how can you manage risk vectors
with a risk management framework (RMF)
- ex. CIS - Center for Internet Security
-NIST- national institute of risk management
what are some financial RMFs
SSAE SOC 2
what is NIST
National Institute of Standards and Technology
- it is a guide for conducting risk assessment
what is the GDPR
General Data Protection Regulation
- protects EU citizens' private data
ex. in the US - HIPAA (Health Insurance Portability and Accountability Act) - protects health insurance info
- PCI DSS - Payment Card Industry Data Security Standard
what are types of security policies
AUP - Acceptable Use Policy
- ex. email, account policies, web browsing, data retention
define risk management frameworks
provide guidance on identifying and managing risk
what does a security control do
a solution that mitigates a threat
- ex. running anti-malware software to prevent infections
What are the different security control categories
- Managerial/administrative - WHAT
- Operational - HOW OFTEN - policy reviews
- Technical - HOW - technical controls
what is a cloud security control document
- Cloud Security Alliance (CSA)
- or CCM - cloud control matriculation
what are the security control types
- physical - ex. mantrap
- detective (log files, TV)
- corrective - patching vulnerabilities
- deterrent - device logon warning - ex. "you are logging into..."
- compensating - ex. using an alternative control
what is risk assessment
prioritization of threats against assets and determining what to do about it
what is the risk assessment process
- risk awareness
- evaluate security controls
- implement security controls
- periodic review
what are the different risk types
- environmental - floods
- man made - terrorism
- internal - malicious insider
- external - competitors
what are the categories for risk treatment
- risk acceptance - current level of risk is acceptable
- mitigation/reduction of risk - security controls put in place before undertaking the risk
- transference/sharing - some risk is transferred to someone else - ex. cybersecurity insurance
- risk avoidance - avoid the activity
what is a quantitative risk assessment
risk assessment based on numeric values - we are focusing on dollar amounts
- what is the asset value (AV)
what is the exposure factor
amount of an asset that is considered lost when a negative incident occurs
- ex. 1 -> 100% - one incident will be a complete loss of the asset
what is the single loss expectancy
SLE - how much loss is experienced during one negative incident
- multiply asset value by exposure factor
calculate SLE:
ASSET: 24,000
Exposure Factor: 12.5 %
24,000 x 0.125 = 3,000 SLE
when one negative occurrence happens we are losing about 3,000 dollars
How do you calculate the SLE (single loss expectancy)
multiply the asset value x the exposure factor
what is the annualized rate of occurrence
ARO - expected number of yearly occurrences/downtime - ex. 3 times a year
how do you calculate the annualized loss expectancy
total yearly cost of bad things happening
1.) determine the cost of the single loss expectancy (1 negative occurrence)
2.) multiply by the number of occurrences in one year, based on historical knowledge
what is a qualitative risk assessment
based on subjective opinions regarding
- threat likelihood
- impact of threat
threats are given a severity rating
what is a risk register
it is a centralized list of risks, severities, responsibilities and mitigations - QUALITATIVE
what is a risk heat map
take risk severity levels and map them visually - by color
what is a risk matrix
table of risk details minus colors
what is a business impact analysis (BIA)
- allows us to prioritize mission critical processes
- assess risk
*** identifies how negative incidents will impact business processes and sensitive data
What are the different types of business impact
- financial
- reputation loss
- data loss
- data exfiltration
Failed component impact - different times
MTBF - Mean Time Between Failures
* average time that passes between repairable component failures - ex. software
- Mean Time To Failure (MTTF)
* average time between non-repairable component failures - ex. hard disk
- MTTR - Mean Time To Repair
what is MTBF
MTBF - Mean Time Between Failures
* average time that passes between repairable component failures - ex. software
what is MTTF
- Mean Time To Failure (MTTF)
* average time between non-repairable component failures
What is MTTR
- Mean Time To Repair
* time required to repair a failed component
what is a privacy threshold assessment (PTA)
first step before implementing solutions related to sensitive data
- where is our sensitive data
what is the RPO
Recovery Point Objective (maximum tolerable amount of data loss)
- ex. 1 hour maximum - then you should be backing up at least once every hour
what is the RTO
Recovery Time Objective (maximum downtime that we can tolerate) - ex. 2 hours - after two hours it would have a great impact on the organization
- get it up and running within two hours
what are the different data roles
- Data owner - legal owner - sets the rules
- Data controller - data complies
- Data processor - handles data but follows the laws for that data
- Data custodian - managing data day to day - enacts the rules
- DPO - Data Privacy Officer - ensures data privacy
explain the information life cycle
collect data
store data
process data
share data
archive and delete
what is PII
Personally Identifiable Information
- one or more pieces of sensitive info that can be traced back to an individual
- ex. social security numbers
- credit card numbers
- address
What is PHI
Protected Health Information
- one or more pieces of medical information that can be traced back to an individual
- ex. blood type
- patient medical elements
- health insurance information
what are some privacy enhancing technologies
- anonymization
What are some anonymization techniques
- pseudonymization - replace PII with fake identifiers
- data minimization - limit stored or retained information - ex. CC info - shred it
- tokenization - ex. for credit cards
- data masking - ex. blurring the rest of the info
what is data sovereignty
where is the data located
- location of the data and the laws that apply to it
what does data sanitization do
ensures sensitive data cannot be recovered
what are some methods of data sanitization
- burning
- shredding
- cryptographic erasure
- disk wiping tools
- degaussing - magnet
how can you secure personnel management
job rotation
mandatory vacation
separation of duties
what is included in user onboarding
it occurs after hiring and includes training and account provisioning
What is third party risk management
- MSA - Measurement system analysis - quality assurance
what are supply chain security risks
- unstable or insecure hardware - ex. EOL, EOSL - end of life
- cloud service providers - software
- contractors - data privacy notice
- suppliers
what is third party risk management
DLP - Data Loss Prevention - can control the intentional or unintentional disclosure of sensitive data
- storing data in the cloud
what is MSA
Measurement system analysis - can identify supply chain improvements
what is an interconnection security agreement (ISA)
- linking companies, legal review, vulnerability scans
- applies when connecting different entities together
what is a service level agreement (SLA)
contractual document stating the level of service, guaranteed service uptime and consequences
what is a memorandum of understanding (MOU)
broad terms of agreement between parties
- MOA - Memorandum of Agreement - a bit more detailed
what is a business partnership agreement
legal document - responsibilities, investment
NDA - Non-Disclosure Agreement
prevents sensitive data disclosure
WHAT IS CRYPTOGRAPHY
the study of taking data and hiding it in some way so that other people can't see it, and then bringing the data back
- providing confidentiality
what is obfuscation
take something that makes sense and hide it
how can obfuscation be done
- diffusion - less obvious
- confusion -
what is the Caesar cipher
each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet.
Vigenere cipher
it is a Caesar cipher with extra confusion
- assign the key first
What is needed to create a Vigenere cipher
- algorithm
- key or encryption
- only good for the alphabet
what is Kerckhoffs's principle
as long as you don't know the key to an encryption, you can understand the algorithm completely
what is data at rest
data on mass storage that is sitting on a hard drive
- no program or computer is looking at or doing something to that data
* proprietary information - ex. health insurance info
what is data in use or computation
- the database of information. You are doing something to the data itself (data in use)
- if not encrypted - shoulder surfing
- key loggers
what is data in transit
data is moving through the network and is being intercepted in between (sniffing)
- worst case: man in the middle - do something to the information and then send it on to the end user
what are the three different types of data
- data at rest
- data in use
- data in transit
what is symmetric encryption
using the same key to deal with this piece of information
- it is called a session key
* in-band - key sent with the data
* out-of-band - physically giving the key
what is the primary way that data is encrypted
symmetric encryption
what is an ephemeral key
a key that is temporary
- it provides perfect forward secrecy
what is Asymmetric encryption
uses a key pair
-A Private key and a public key
explain the difference between a private key and a public key
- public key - only used to encrypt
* private key - only used to decrypt
what is asymmetric encryption mainly used for
to send a secure session key
what is a cryptosystem
defines key properties, communication requirements for the key exchange, and the actions taken through the encryption and decryption process
what is a symmetric block algorithm
encrypts data in chunks
ex. DES - Data Encryption Standard
- 3DES
- Blowfish
- and currently AES
what is a symmetric block algorithm defined by
key length
block size
number of rounds
What is AES
Advanced Encryption Standard (block cipher)
what is a stream cipher
they encrypt one bit at a time (popular with wireless)
- RC4
what happens with RSA asymmetric cryptography
public keys are paired with a private key
what can ECC do that is better than RSA
can create smaller keys and provide the same security
what is Diffie-Hellman
an asymmetric algorithm often referred to as a key exchange agreement
what do Diffie-Hellman groups do
they help define the size or type of key structure to use (can have a very large key)
what are hashes
one way, deterministic, and will produce the same result each time the source is hashed
what happens to the hash if the length of the source changes
it will be the exact same size
what is involved with hashes
password storage and encryption
what do digital signatures do
verify that the person who sent the public key legitimately owns the private key
what do digital certificates include
they include a third party to authenticate the owner of the digital signature
what does the web of trust use
uses a network of mutually trusting peers
what does PKI stand for and what does it mean
PKI - Public Key Infrastructure
- uses a hierarchical structure with certificate authorities (CAs) and intermediate certificate authorities
what do public key cryptography standards do
give details on digital certificate construction and uses
what are the three main categories of cryptographic attacks
- attack the algorithm - almost impossible
- attack the implementation - take advantage of weaknesses
- attack the key - figuring out the key in order to break in
how are passwords usually stored
in hash format
what are the different types of password attacks
- brute force - try character combinations
- dictionary attacks - use a list of probable passwords
- rainbow tables - use pre-calculated hashes of words
what can help secure passwords
- salting and key stretching
what are the big factors of multifactor identification
- identification - claiming an identity
- authentication - proving that identity
- authorization - permitting actions once a user has been authenticated
what are the identification factors
- something you know, something you have, or something you are
what are the identification attributes
include something you do - typing speed
something you exhibit -
someone you know
somewhere you are - zip code
what are the AAA (multifactor authentication)
authentication - identify yourself
authorization - giving permission
accounting - auditing
describe accounting in authentication
- auditing (tracking user activity on a system)
- separate user accounts are important to ensure accurate accounting
- event logs can be used to identify unusual or malicious activity
what are password vaults
provide centralized password storage and are protected with a master key
what are OTPs
one time passwords - a single code used to enhance authentication
WHAT ARE TOTPs
time based OTP
- HMAC-based OTPs use encryption for added authentication
what does biometric authentication use
physical characteristics to authenticate people
what are credential policies
define who gets access to what
what is ABAC (attribute based access control)
uses attributes to determine permission - ex. date of birth or device type
- allows resource access based on user, device and resource attributes
what is RBAC (role based access control)
- a role is a collection of related permissions
what is RBAC (rule based access control)
- conditional access policies
* we have a series of conditions that must be met:
- ex. MFA, device type and location
what is MAC
Mandatory Access Control
- resources are labeled
- permission assignments are based on resource labels and security clearance
what is DAC
Discretionary Access Control
- data custodian sets permissions at their discretion
what is physical access control
- limited access facility
ex. vestibules, locks on computers
NTLMv2 passwords
are salted
what are PAP and MS-CHAP
older network authentication protocols
where is Kerberos used
for authentication and resource access in an Active Directory environment
what does SSO allow users to do
to sign in once yet access many services without re-entering credentials