Unit 1: General Security Concepts Flashcards
Control Categories
Technical, Managerial, Operational, and Physical
Technical Controls
- Controls implemented using systems
- Operating system controls
- Firewalls, anti-virus
Managerial Controls
- Controls that address security design and implementation
- Security policies, standard operating procedures
Operational Controls
- Controls that are implemented by people
- Security guards, awareness programs
Physical Controls
- Controls limiting physical access to buildings, rooms, etc.
- Fencing, door locks
Preventative Controls
Controls that block access to a resource (firewalls, guard shacks, door locks).
Deterrent Controls
Controls designed to discourage people from violating security directives (threat of demotion, warning signs).
Detective Controls
Controls designed to identify and log intrusions/intrusion attempts (system logs, motion detectors).
Corrective Controls
Controls that are applied after an event to reverse impact or continue operating (backup restoration, fire extinguisher, law enforcement).
Compensation Controls
Additional security controls put in place to compensate for weaknesses in other controls (separation of duties, backup generator, blocking instead of patching).
Directive Controls
Controls that direct subjects towards security compliance - seen as a weak control (file storage policies, compliance policies).
C.I.A. Triad
Confidentiality, Integrity, Availability
Confidentiality
Ensures that only authorized parties can view information (e.g. encryption).
Integrity
Safeguarding the accuracy and completeness of information (e.g. hashing).
Availability
Ensuring that authorized users have access to information when required (e.g. reliable backups).
Non-repudiation
Proof of the origin, authenticity and integrity of data.
Proof of Integrity
Verifying that data has not changed, typically by hashing.
Hashing
A code that represents data as a short string of text, like a digital fingerprint.
Proof of Origin
Verifying the person who sent the data is who they claim to be (authentication).
AAA Framework
Authentication, Authorization, Accounting
Authentication
Proving you are who you say you are, using factors such as something you know and something you have; combining two factors is two-factor authentication (e.g. a password plus a confirmation code sent to your phone).
Authorization
What access specific authenticated users have; often managed through abstraction.
Accounting
A record of login time, data sent, accessed, or edited, logout time, and more.
Abstraction
Defining users by roles, attributes, tags, etc. to avoid whitelisting or blacklisting individuals one by one.
Gap Analysis
A method for examining and evaluating the current state of a process in order to identify opportunities for improvement in the future.
Zero Trust
Security design paradigm where any request (device, process, or person) must be authenticated before being allowed. Done using planes of operation.
Planes of Operation
Breaking the network into functional planes (smaller components) so that requests can be authenticated efficiently.
Data Plane
The actual contact made between physical devices and data transmissions as these messages traverse a network (e.g. ports).
Control Plane
The process of decision making, such as routing, blocking, and forwarding, that is performed by protocols (e.g. network address configs/settings).
Adaptive Identity
Relies on real-time validation that takes into account the user’s behavior, device, location, and more.
Threat Scope Reduction
Limiting the number of possible entry points.
Policy-Driven Access Control
Entails developing, managing, and enforcing user access policies based on their roles and responsibilities (e.g. a “no editing data” policy applies only to the employee roles for which editing is not relevant).
Policy Enforcement Point (PEP)
This entity protects the resource that the subject (a user or an application) is attempting to access. When it receives a request from a subject, it creates an XACML request based on the attributes of the subject, the requested action, the resource, and other information. Contains Policy Decision Point (PDP).
Policy Engine
Part of the PDP that cross references the access request with its pre-defined policies.
Policy Admin
Part of the PDP that is a communicator between PEP and Policy Engine. Provides access tokens, credentials, etc.
Physical Security
Weak security measures that physically prevent intrusion. Includes but is not limited to barricades, access control vestibules, video surveillance, lighting, sensors, etc.
Honeypots
A seemingly tempting, but bogus target meant to draw hacking attempts. By monitoring infiltration attempts against a honeypot, organizations may gain insight into the identity of hackers and their techniques, and they can share this with partners and law enforcement.
Honeynets
A collection of several honeypot systems connected on a subnet for a more realistic environment.
Honeyfiles
A file pretending to be legitimate, in order to detect malicious activity (BankAcctAndRoutingNumbersWPassIncludedNoMFA.txt!)
Honeytokens
Digital data created specifically to monitor the behavior of potential attackers.
Public Key Infrastructure (PKI)
The system for issuing and managing pairs of public and private keys and corresponding digital certificates.
Symmetric Encryption
A single shared key used to encrypt and decrypt.
Asymmetric encryption
Two keys with an established mathematical relationship are generated together. The private key is held only by the party decrypting; the public key is shared and used to encrypt data.
Full Disk Encryption (FDE)
A technology that encrypts everything stored on a storage medium automatically, without any user interaction (e.g. BitLocker).
Individual File Encryption
A service, usually built into the OS but sometimes a third-party application, that encrypts selected data on request.
Database Encryption
An encryption method that targets databases and the data they contain, rather than individual files or whole disks.
Key Stretching
A technique used to increase the strength of stored data. It adds additional bits (called salts) and can help thwart brute force and rainbow table attacks.
Trusted Platform Module (TPM)
A chip on the motherboard of the computer that provides cryptographic services. May have private keys burned onto the chip.
Hardware Security Module (HSM)
A device that can safely store and manage encryption keys in large environments (data centers). This can be used in servers, data transmission, protecting log files, etc.
Key Management System
An integrated approach for generating, distributing, and managing cryptographic keys for devices and applications, all from one console.
Secure Enclave
Extensions which allow a trusted process to create an encrypted container for sensitive data.
Obfuscation
The action of making something obscure, unclear, or unintelligible - hiding information in plain sight.
Steganography
Greek for “concealed writing” - the art and science of hiding information by embedding messages within other, seemingly harmless messages.
Tokenization
A de-identification method where a unique token is substituted for real data (e.g. sending a placeholder SSN across a network instead of your real SSN, in case there is a man in the middle).
SHA256
Common cryptographic hash algorithm that generates an almost-unique, fixed-size 256-bit (32-byte) hash. One of the strongest hash functions available.
MD5
128-bit hashing algorithm similar to SHA256. A possible collision problem was recorded in 1996, and consequently it is not recommended.
Practical Hashing
Storing salted hashes instead of plaintext passwords.
Salt
Random data added to a password when hashing. Performed so users with the same password get different hashes.
Rainbow Table
A precomputed table of possible inputs and their hashes, rendered unusable by salted hashing. This makes it harder for hackers to get the golden goose of information.
Digital Signature Hashing
Proves a message was not changed (integrity), helps prove the source (authentication), and makes sure the signature isn’t fake (non-repudiation). Users sign with their private key, which anyone can verify with the corresponding public key based on the established mathematical relationship.
Blockchain Technology
Refers to a decentralized “public ledger” of all transactions that have ever been executed. It is constantly expanding, as “completed” blocks are added to the ledger with each new transaction.
Digital Certificate
A data file that identifies individuals or organizations online and is comparable to a digital signature.
X.509
The standard format for digital certificates.
Web of Trust
A decentralized model used for sharing certificates without the need for a centralized CA. Multiple sources can sign each other’s certificate.
Root of Trust
An inherently trusted component, including hardware, software, a secure enclave, etc. (e.g. browsers will most likely tell you whether the websites you’re connecting to are secure or not).
Certificate Signing Request (CSR)
A specially formatted encrypted message that validates the information the CA requires to issue a digital certificate. A keypair is created, the public key is sent to a Certificate Authority, and the CA digitally signs or denies the request.
Certificate Authority (CA)
A trusted third-party agency that is responsible for issuing digital certificates.
Certificate Revocation List (CRL)
A repository that lists revoked digital certificates.