Unit 1: General Security Concepts Flashcards

1
Q

Control Categories

A

Technical, Managerial, Operational, and Physical

2
Q

Technical Controls

A
  • Controls implemented using systems
  • Operating system controls
  • Firewalls, anti-virus
3
Q

Managerial Controls

A
  • Controls that address security design and implementation
  • Security policies, standard operating procedures
4
Q

Operational Controls

A
  • Controls that are implemented by people
  • Security guards, awareness programs
5
Q

Physical Controls

A
  • Controls limiting physical access to buildings, rooms, etc.
  • Fencing, door locks
6
Q

Preventative Controls

A

Controls that block access to a resource (firewalls, guard shacks, door locks).

7
Q

Deterrent Controls

A

Controls designed to discourage people from violating security directives (threat of demotion, warning signs).

8
Q

Detective Controls

A

Controls designed to identify and log intrusions/intrusion attempts (system logs, motion detectors).

9
Q

Corrective Controls

A

Controls that are applied after an event to reverse impact or continue operating (backup restoration, fire extinguisher, law enforcement).

10
Q

Compensation Controls

A

Additional security controls put in place to compensate for weaknesses in other controls (separation of duties, backup generator, blocking instead of patching).

11
Q

Directive Controls

A

Controls that direct subjects towards security compliance - seen as a weak control (fire storage policies, compliance policies).

12
Q

C.I.A. Triad

A

Confidentiality, Integrity, Availability

13
Q

Confidentiality

A

Ensures that only authorized parties can view information (e.g. encryption).

14
Q

Integrity

A

Safeguarding the accuracy and completeness of information (e.g. hashing).

15
Q

Availability

A

Ensuring that authorized users have access to information when required (e.g. reliable backups).

16
Q

Non-repudiation

A

Proof of the origin, authenticity and integrity of data.

17
Q

Proof of Integrity

A

Verifying, by hashing, that data has not changed.

18
Q

Hashing

A

A code that represents data as a short string of text, like a digital fingerprint.

19
Q

Proof of Origin

A

Verifying the person who sent the data is who they claim to be (authentication).

20
Q

AAA Framework

A

Authentication, Authorization, Accounting

21
Q

Authentication

A

Proving you are who you say you are, which can be done using what you know and what you have, i.e. two-factor authentication (e.g. a password plus a phone that receives a confirmation code).

22
Q

Authorization

A

What access specific authenticated users have; often done by abstraction.

23
Q

Accounting

A

A record of login time, data sent, accessed, or edited, logout time, and more.

24
Q

Abstraction

A

Defining users by roles, attributes, tags, etc. to avoid whitelisting or blacklisting individuals.

25
Q

Gap Analysis

A

A method for examining and evaluating the current state of a process in order to identify opportunities for improvement in the future.

26
Q

Zero Trust

A

Security design paradigm where any request (device, process, or person) must be authenticated before being allowed. Done using planes of operation.

27
Q

Planes of Operation

A

Breaking the network into functional planes (smaller components) so that requests can be authenticated efficiently.

28
Q

Data Plane

A

The actual contact made between physical devices and data transmissions as these messages traverse a network (e.g. ports).

29
Q

Control Plane

A

The process of decision making, such as routing, blocking, and forwarding, that is performed by protocols (e.g. network address configs/settings).

30
Q

Adaptive Identity

A

Relies on real-time validation that takes into account the user’s behavior, device, location, and more.

31
Q

Threat Scope Reduction

A

Limiting the number of possible entry points.

32
Q

Policy-Driven Access Control

A

Entails developing, managing, and enforcing user access policies based on their roles and responsibilities (e.g. a “no editing data” policy applies only to employee roles for which editing is irrelevant).

33
Q

Policy Enforcement Point (PEP)

A

This entity protects the resource that the subject (a user or an application) is attempting to access. When it receives a request from a subject, it creates an XACML request based on the attributes of the subject, the requested action, the resource, and other information. Contains Policy Decision Point (PDP).

34
Q

Policy Engine

A

Part of the PDP that cross references the access request with its pre-defined policies.

35
Q

Policy Admin

A

Part of the PDP that is a communicator between PEP and Policy Engine. Provides access tokens, credentials, etc.

36
Q

Physical Security

A

Weak security measures that physically prevent intrusion. Includes but is not limited to barricades, access control vestibules, video surveillance, lighting, sensors, etc.

37
Q

Honeypots

A

A seemingly tempting, but bogus target meant to draw hacking attempts. By monitoring infiltration attempts against a honeypot, organizations may gain insight into the identity of hackers and their techniques, and they can share this with partners and law enforcement.

38
Q

Honeynets

A

A collection of honeypots, connecting several honeypot systems on a subnet for a more realistic environment.

39
Q

Honeyfiles

A

A file pretending to be legitimate, in order to detect malicious activity (BankAcctAndRoutingNumbersWPassIncludedNoMFA.txt!)

40
Q

Honeytokens

A

Digital data created specifically to monitor the behavior of potential attackers.

41
Q

Public Key Infrastructure (PKI)

A

The system for issuing and managing pairs of public and private keys and corresponding digital certificates.

42
Q

Symmetric Encryption

A

A single shared key used to encrypt and decrypt.

43
Q

Asymmetric encryption

A

Two keys with an established mathematical relationship are generated simultaneously. One key is private, to be used only by the person decrypting, and one key is public, used to encrypt data.

44
Q

Full Disk Encryption (FDE)

A

A technology that encrypts everything stored on a storage medium automatically, without any user interaction (e.g. BitLocker).

45
Q

Individual File Encryption

A

A service usually built into the OS, but possibly a third-party application, that encrypts specific data on request.

46
Q

Database Encryption

A

An encryption method that targets databases and the data they contain, rather than individual files or whole disks.

47
Q

Key Stretching

A

A technique used to increase the strength of stored data. It adds additional bits (called salts) and can help thwart brute-force and rainbow table attacks.

48
Q

Trusted Platform Module (TPM)

A

A chip on the motherboard of the computer that provides cryptographic services. May have private keys burned onto the chip.

49
Q

Hardware Security Module (HSM)

A

A device that can safely store and manage encryption keys in large environments (data centers). This can be used in servers, data transmission, protecting log files, etc.

50
Q

Key Management System

A

An integrated approach for generating, distributing, and managing cryptographic keys for devices and applications, all from one console.

51
Q

Secure Enclave

A

Extensions which allow a trusted process to create an encrypted container for sensitive data.

52
Q

Obfuscation

A

The action of making something obscure, unclear, or unintelligible - hiding information in plain sight.

53
Q

Steganography

A

Greek for “concealed writing” - the art and science of hiding information by embedding messages within other, seemingly harmless messages.

54
Q

Tokenization

A

A de-identification method where a unique token is substituted for real data (e.g. sending a placeholder SSN through a network instead of your real SSN, in case there is a man in the middle).

55
Q

SHA256

A

A common cryptographic hash algorithm that generates an almost-unique, fixed-size 256-bit (32-byte) hash. One of the strongest hash functions available.

56
Q

MD5

A

A 128-bit hashing algorithm similar to SHA256. A possible collision problem was recorded in 1996, and consequently it is not recommended.

57
Q

Practical Hashing

A

Storing salted hashes instead of plaintext passwords.

58
Q

Salt

A

Random data added to a password when hashing. Performed so users with the same password get different hashes.

59
Q

Rainbow Table

A

A table of every possible input and its hash, rendered unusable by salted hashing. Makes it harder for hackers to get the golden goose of information.

60
Q

Digital Signature Hashing

A

Proves a message was not changed (integrity), helps prove the source (authentication), and makes sure the signature isn’t fake (non-repudiation). Users sign with their private key, which anyone can verify with the public key based on the established mathematical relationship.

61
Q

Blockchain Technology

A

Refers to a decentralized “public ledger” of all transactions that have ever been executed. It is constantly expanding, as “completed” blocks are added to the ledger with each new transaction.

62
Q

Digital Certificate

A

A data file that identifies individuals or organizations online and is comparable to a digital signature.

63
Q

X.509

A

The standard format for digital certificates.

64
Q

Web of Trust

A

A decentralized model used for sharing certificates without the need for a centralized CA. Multiple sources can sign each other’s certificate.

65
Q

Root of Trust

A

An inherently trusted component, including hardware, software, secure enclave, etc. (e.g. browsers will most likely tell you whether the websites you’re connecting to are secure or not).

66
Q

Certificate Signing Request (CSR)

A

A specially formatted encrypted message that validates the information the CA requires to issue a digital certificate. A keypair is created, the public key is sent to a Certificate Authority, and the CA digitally signs or denies the request.

67
Q

Certificate Authority (CA)

A

A trusted third-party agency that is responsible for issuing digital certificates.

68
Q

Certificate Revocation List (CRL)

A

A repository that lists revoked digital certificates.