Define Confidentiality? What enforces Confidentiality ?
Ensures data is only viewable by authorized users. Encryption enforces confidentiality, and any data should also be protected with access controls to enforce confidentiality.
Define Integrity ? What verifies Integrity?
Integrity is used to verify data has not been modified; loss of integrity can occur through unauthorized or unintended changes. Hashing algorithms such as MD5, HMAC or SHA1 can calculate hashes to verify integrity.
Define Availability? What increases Availability?
Ensures systems are up and operational when needed, and often addresses single points of failure. You can increase availability by adding fault tolerance such as RAID, clustering, backups, and generators. HVAC systems also increase availability.
Define Non-repudiation? What prevents it ?
Non-repudiation - is used to prevent entities from denying they took an action. Digitally signed email prevents individuals from later denying they sent it. An audit log provides non-repudiation since audit log entries include who took an action in addition to what the action was, where the action took place, and when it occurred.
What is "Defense in Depth" ?
Defense in Depth - refers to the security practice of implementing several layers of protection. Security is never done. Instead, security and IT professionals constantly monitor, update, add to, and improve existing methods. A single layer of security is easily beaten. Defense in depth employs multiple layers to make it harder for attackers to exploit a system or network.
Define a Threat?
Threat - any circumstance or event that has the potential to compromise confidentiality, integrity or availability.
Define a Vulnerability?
Vulnerability - is a weakness in hardware, software, the configuration, or the users operating the system.
Define A Risk ?
Risk - is the likelihood that a threat will exploit a vulnerability. Risk mitigation reduces the chance that a threat will exploit a vulnerability by implementing controls.
Define Risk mitigation?
Risk Mitigation - reduces risk by reducing the chance that a threat will exploit a vulnerability.
What are Controls?
Controls - actions taken to reduce risk. Examples: access controls, a business continuity plan, antivirus software.
Name some Authentication concepts ?
Identification, Authentication, Authorization.
Identification - occurs when a user claims an identity.
Authentication - occurs when the user proves the identity (password) AND the credentials are verified.
Authorization - is granted to resources based on a proven identity.
What are the Three factors of authentication?
Something you know - password or pin
Something you have - smart-card, key fob or proximity card
Something you are - biometrics
Define password history.
A list of previous passwords, combined with minimum password age to prevent users from re-using the same passwords.
What is a Self Service password recovery system?
An automated password recovery system (web site or email) that lets users reset their own passwords.
Define strong passwords.
Use a mix of character types with a minimum password length such as eight or ten characters. The key space of a password is calculated as C^N, where C is the number of possible characters in the password and N is the password length.
Define Account lockout policy?
Account lockout policy - locks out an account after an incorrect password is entered too many times.
Define smart card ?
Smart cards - credit-card-sized cards with an embedded microchip and certificate. The embedded certificate holds a private key stored on the card, which is matched to a public key available to all others, to allow access.
What is a CAC ? OR PIV ?
CAC - Common Access Card - card used by the DoD that includes a picture of the user on the card.
PIV - Personal Identity Verification - used by other United States federal agencies.
CAC and PIV both have photo identification to gain access to secure locations, and both can be used to log on to computer systems.
In biometrics, what is FAR ?
False acceptance - when a biometric system falsely identifies an unauthorized user as an authorized user. FAR - False Accept Rate (type 2 error) - identifies the percentage of times false acceptance occurs.
In biometrics, what is FRR ?
False rejection - when a biometric system incorrectly rejects an authorized user. FRR - False Rejection Rate (type 1 error) - identifies the percentage of times false rejection occurs.
In biometrics, what is CER ?
CER - Crossover Error Rate - is the point where FAR and FRR are equal. The accuracy of a biometric system is determined by the CER; lower is more accurate.
Name three Authentication Services.
Kerberos, LDAP, Single Sign ON
Kerberos - is a network authentication protocol used within a Microsoft Windows Active Directory domain or a UNIX system. It uses a database of objects, such as Active Directory, and a KDC (Key Distribution Center) to issue time-stamped tickets that expire after a certain amount of time. Kerberos requires internal time synchronization and uses port 88.
What is LDAP ?
LDAP - Lightweight Directory Access Protocol - specifies the formats and methods used to query directories. It provides a single point of management for objects, such as users and computers, in an Active Directory domain.
What is Single Sign on ?
Single Sign-On - enhances security by requiring users to use and remember only one password. SSO can provide central authentication across different operating systems.
What is RAS?
RAS - Remote Access Services - used to provide access to an internal network from an outside source.
What is PAP?
PAP - Password Authentication Protocol - not used, because passwords are sent in clear text.
What is CHAP?
CHAP - Challenge Handshake Authentication Protocol - a handshake process in which the server challenges the client. The client responds with the appropriate authentication information.
What is MS-CHAP?
MS-CHAP - Microsoft's version of CHAP
What is MS-CHAPv2?
MS-CHAPv2 - an improvement over MS-CHAP that adds the ability to use mutual authentication.
What is RADIUS?
RADIUS - Remote Authentication Dial-In User Service - provides a centralized method of authentication for multiple access services. RADIUS encrypts the passwords, but not the entire authentication process.
What is TACACS?
TACACS - Terminal Access Controller Access Control System - a remote authentication protocol that originated on UNIX systems.
What is TACACS+ ?
TACACS+ - developed by Cisco as an alternative to RADIUS - encrypts the entire authentication process. Uses port 49.
What are AAA protocols?
AAA protocols - provide authentication, authorization and accounting. Both RADIUS and TACACS+ are AAA protocols.
What are Technical Controls ?
Technical Controls - use technology to reduce vulnerabilities. Some examples include least privilege, antivirus software, IDSs and firewalls.
What are Management Controls ?
Management Controls - are primarily administrative and include items such as risk and vulnerability assessments.
What are Operational Controls ?
Operational Controls - help ensure that the day-to-day operations of an organization comply with its overall security plan. Some examples include training, configuration management, and change management.
What are Preventive Controls ?
Preventive Controls - attempt to prevent an incident from occurring. Examples include change management plans, security guards, account disablement policies, and user training.
What are Detective Controls?
Detective Controls - can detect when a vulnerability has been exploited. Examples include security audits, such as periodic reviews of user rights, and CCTV systems that can record and provide proof of a person's actions, such as theft of resources.
What are Corrective Controls ?
Corrective Controls - attempt to reverse the impact of an incident or problem after it has occurred. Examples include active intrusion detection systems, backups, and system recovery plans.
What is Role Based Access Control?
RBAC - models user roles (groups) to grant access by placing users into roles based on job function or tasks. RBAC supports the use of user templates to enforce least privilege.
What is Rule Based Access Controls?
RBAC - model is based on a set of approved instructions such as access control list rules in a firewall.
What is DAC ?
Discretionary Access Control - DAC - a model in which every object has an owner. The owner has explicit access and establishes access for any other user. Microsoft NTFS uses DAC, with every object having a Discretionary Access Control List (DACL) that identifies who has access and what access they are granted. A major flaw of DAC is its susceptibility to Trojan horses.
What is Mandatory Access Control ?
Mandatory Access Control - MAC - uses security or sensitivity labels to identify objects (what) and subjects (users). The administrator establishes access based on predefined security labels that are typically defined with a lattice to specify the upper and lower boundaries.
What are some Physical security controls?
Cipher locks and proximity cards are two examples of systems that control access to a door.
Proximity card - electronically locks a door and prevents unauthorized access. It falls into the "something you have" factor of authentication.
Security guards - a preventive physical security control that keeps unauthorized personnel out of a secure area.
CCTV (Closed Circuit Television) - provides video surveillance, giving proof of a person's location and activity; it can verify theft.
Physical security - includes basic locks on doors and cabinets. Locked cabinets prevent theft of unused resources. Cable locks secure mobile computers.
Name 4 Access control models ?
Role Based Access Control - RBAC
Rule Based Access Control - RBAC
Discretionary Access Control - DAC
Mandatory Access Control - MAC
Name 6 logical access controls.
Account disablement policy
Time restrictions policy
Account log on events
What is least privilege?
Specifies individuals or processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.
What is Group policy ?
Group Policy manages users and computers in a domain and is implemented on a domain controller. Administrators use it to create password policies, lock down the GUI, configure host-based firewalls, and much more.
What is Password policy ?
Password Policies - provide a means to ensure users employ secure password practices. Settings include:
Minimum password age
Maximum password age
When administrators reset passwords, the new passwords should be set to expire immediately.
What is a time restrictions policy ?
Prevents users from logging in or accessing network resources during specific hours.
What are Account logon events?
Logon events, whether local or over the network, are logged and monitored.
What is account disablement policy ?
Ensures inactive accounts are disabled. Accounts for employees who resign or are terminated should be disabled. Temporary accounts should be disabled automatically.
What is the difference between SFTP and FTPS ?
FTP is used to upload and download files. It can be secured with SFTP using SSH or FTPS using SSL.
What ports does FTP use ? for control ? for transport ?
FTP uses port 20 for data and port 21 for control.
How many bits in an IPv6 address ?
IPv6 uses 128-bit addresses, displayed as eight groups of four hexadecimal characters.
What port does an SQL server use ?
What port does remote desktop services use ?
What does a Web Security gateway do ?
Performs content filtering (including filtering for malicious attachments and malicious code, blocking URLs, and more).
What does a load balancer do ?
A load balancer can optimize and distribute data loads across multiple computers.
What ports do Net BIOS use ?
NetBIOS uses ports 137-139.
Define IDS ?
IDS - Intrusion Detection System - is a detective control; it detects activity after it occurs.
HIDS - Host-based Intrusion Detection System - can detect attacks on local systems such as workstations and servers. The HIDS protects local resources on the host, such as operating system files.
NIDS - Network-based Intrusion Detection System - detects attacks on networks, such as smurf attacks.
Define Signature based IDS?
Signature based IDS - uses signatures to detect known attacks.
Define Anomaly based (or behavior based) IDS?
Anomaly-based (or behavior-based) IDS - requires a baseline and detects attacks based on anomalies, or when traffic is outside expected boundaries.
What is a honeypot ?
Honeypot - is a server designed to look valuable to an attacker. It can divert malicious attacks and help administrators learn about zero-day exploits and previously unknown attacks.
What is an IPS?
IPS - Intrusion Prevention System - placed in-line with traffic, it can stop attacks in progress. An IPS can actively monitor data streams, detect malicious content, and mitigate the effect of malicious activity.
Define footprint ?
The power level and antenna placement of a wireless access point (WAP) affect its footprint. You can increase the footprint by increasing the power level, reduce the footprint by reducing the power level, or modify the footprint by changing the placement of the antenna.
Define WEP ?
WEP is old and insecure; it uses RC4 incorrectly, with a small initialization vector (IV). IV attacks can easily crack the encryption key. WEP should not be used.
Define WPA and WPA2?
WPA and WPA2 - both support the compromised TKIP encryption, but WPA2 also supports the more secure CCMP, which is based on AES. WPA was an initial improvement over WEP. WPA2 is a permanent improvement, and WPA2 should be used where possible.
Define WPA personal ?
WPA/WPA2 Personal - uses a preshared key (PSK) and is easy to implement in small networks.
Define WPA enterprise?
WPA/WPA2 Enterprise - is more secure and adds authentication. It uses an 802.1X authentication server (often RADIUS) to provide authentication.
What is MAC filtering ?
MAC filtering - you can restrict which devices can connect to a WAP by using MAC filtering. An attacker with a wireless sniffer can circumvent this control.
What is a rogue access point ?
A rogue access point - is an unauthorized WAP. An attacker can capture data on the network and can access the network via the rogue access point.
What is an evil twin ?
An evil twin - is a rogue access point using the same SSID as an authorized WAP.
What encompasses a wireless audit ?
A wireless audit - checks power levels, antenna placement, the wireless footprint, and encryption techniques. It often includes war driving techniques and can detect rogue access points.
What is war driving ?
War driving - the practice of driving around looking for wireless networks.
What is isolation mode ?
Isolation mode - WAPs in hot spots often use isolation mode to segment or separate wireless users from each other.
What is bluejacking ?
Bluejacking - involves sending unsolicited messages to a phone, often for advertising purposes.
What is bluesnarfing?
Bluesnarfing - unauthorized access to information on a wireless device through a Bluetooth connection.
What is IPsec?
IPsec uses port 500 for IKE (Internet Key Exchange). PPTP (Microsoft's Point-to-Point Tunneling Protocol) uses port 1723 to create a secure channel but has known vulnerabilities.
IPsec is a common tunneling protocol used with VPNs. It can secure traffic in a site-to-site tunnel and from clients to the VPN. IPsec uses tunnel mode for VPNs. ESP encrypts VPN traffic and provides confidentiality, integrity and authentication.
Name 5 topics about host security
Disable unnecessary services; this protects systems from zero-day attacks, malware, and risks from open ports.
Group Policy and security templates standardize system configuration and security settings across multiple systems.
Configuration baselines document system configuration and should be updated when systems are modified.
Baseline reporting documents normal behavior of a system. You can compare current performance against a baseline to detect abnormal behavior.
Standard images increase security by including mandated security configurations and they reduce overall costs. Virtualized server images have the same logical security requirements as physical servers.
Explain 3 topics about virtualization.
Virtualization helps reduce costs, reduce an organization's footprint, and eliminate wasted resources. Additionally, less physical equipment results in reduced physical security requirements.
Security researchers use the virtual systems to test and investigate malware in isolated virtual systems, reducing risks to production environments.
VM escape is an attack that allows an attacker to access the host system from within the virtual system. The best protection is keeping systems up to date.
Explain 3 topics about Patch management?
Patch management combats operating system vulnerabilities by keeping systems up to date with patches.
Patches are tested before deployment in a test environment that mirrors the production environment. Regression testing verifies that a patch does not introduce problems.
A Patch management policy provides guidance on patch management. This documents the process and provides a timeline.
Explain 2 topic about change management?
Change management helps reduce unintended outages from changes.
Change management defines the process for making changes, and provides the accounting structure or method to document changes.
What is the difference between Hardware and Software encryption ?
Hardware encryption is faster and more efficient than software encryption.
What is the main disadvantage of cloud computing ?
Physical control of data is a key security control that an organization loses with cloud computing.
Name 7 different Server attacks.
Cross-site request forgery (XSRF)
Fuzzing or fuzz testing
What is TPM ?
A Trusted Platform Module (TPM) is a chip on the motherboard included with many laptops. The TPM stores RSA encryption keys and supports full disk encryption.
What is HSM ?
A Hardware Security Module (HSM) is a removable or external device for encryption. An HSM generates and stores RSA encryption keys and can be integrated with servers to provide hardware encryption. High-performance servers, such as those with SSL accelerators or those in clustered environments, use HSMs.
What is DLP ?
Network-based Data Loss Prevention (DLP) devices reduce the risk of data leakage. They can analyze outgoing data such as emails, and detect when employees send out confidential company data.
What is SaaS ?
Software as a Service (SaaS) includes web-based applications such as web-based email.
What is IaaS?
Infrastructure as a Service (IaaS) provides hardware resources via the cloud. It can help an organization limit the size of its hardware footprint and reduce personnel costs.
What is PaaS ?
Platform as a Service (PaaS) provides an easy-to-configure operating system and on-demand computing for customers.
What is a worm ?
Worm - is self-replicating, unlike a virus, which must be executed.
What is a Trojan ?
Trojan - it appears to be one thing, such as pirated software or free antivirus software, but is something malicious. Trojans also infect systems through USB flash drives.
What is a logic bomb?
Logic bomb - executes in response to an event, such as a time or a condition. Malicious insiders plant logic bombs in existing systems.
What is a Rootkit ?
Rootkits - take root-level or kernel-level control of a system. They hide their processes to avoid detection. They can remove user privileges and modify system files.
What is a file integrity checker ?
A file integrity checker - can detect files modified by a rootkit, and an inspection of RAM can discover hooked processes.
What is spam ?
Spam - frequently includes malicious attachments and malicious links. Anti-Spam software can block unsolicited email.
What is Spyware ?
Spyware - is software installed on user systems without their knowledge or consent. It can result in the loss of confidentiality as it steals secrets and can cause systems to run slow. Anti-spyware software and some antivirus software can detect spyware.
What is Antivirus Software ?
Antivirus software - can detect and block different types of malware, such as worms, viruses, and Trojans. Antivirus software uses signatures to detect known malware.
What is social engineering ?
Social Engineering - is the practice of using social tactics to gain information or trick users into performing an action they wouldn't normally take.
What is phishing?
Phishing - is the practice of sending e-mail to users with the purpose of tricking them into revealing sensitive information or clicking on a link.
What is Spear Phishing ?
Spear phishing - attacks target specific groups of users or even a single user.
What is Whaling ?
Whaling - is a phishing attack that targets high-level executives.
What is vishing ?
Vishing - is a form of phishing that uses recorded voice messages over the telephone or VoIP.
What is tailgating ?
Tailgating - also called piggybacking - is the practice of one person following closely behind another without showing credentials. Mantraps help prevent tailgating and security guards should watch for tailgating in high traffic areas.
What is dumpster diving ?
Dumpster diving - searching through trash looking for information. Document shredding reduces the risk of dumpster diving.
What is shoulder surfing ?
Shoulder surfing - is an attempt to gain unauthorized information through casual observation, such as looking over someone's shoulder. You can mitigate shoulder surfing with privacy screens and password masking.
What is a DoS attack ?
DoS attack - is an attack launched from a single system that attempts to disrupt services. Examples include SYN flood (mitigated with flood guards), smurf, and some buffer overflow attacks.
What is a DDos attack ?
DDoS attacks - are launched from multiple computers; targeted systems experience sustained, abnormally high network traffic. Administrators use performance baselines to help detect DDoS attacks.
What is a Botnet ?
Botnets - groups of computers (zombies) controlled through command and control servers; they frequently launch DDoS attacks. A computer can join a botnet after a malware infection. Suspicious activity includes hundreds of outbound connections. Some botnets communicate via IRC.
What is an xmas attack ?
Xmas attack is a specific type of port scan used by many scanners. It analyzes returned packets to identify the operating system and other details about the scanned system.
What is a man-in-the-middle-attack?
Man-in-the-middle attacks - are a form of active interception. They can intercept traffic and insert malicious code into network conversations. Kerberos provides mutual authentication and helps prevent man-in-the-middle attacks.
What is session hijacking ?
Session hijacking - the attacker impersonates the user in a browsing session using the user's session ID. Attackers use header manipulation to modify flags and data within the packets.
What is ARP poisoning ?
ARP poisoning - an attack that can redirect traffic by sending false hardware address (MAC) updates. VLAN segregation helps prevent poisoning attacks across a network.
What is domain name kiting?
Domain name kiting - reserves domain names for short periods to avoid paying for them.
Name 5 things that can be done to secure applications ?
Application hardening - starts by hardening the operating system. It includes basics such as disabling unnecessary services, disabling default accounts and changing default passwords.
Vendor Documentation - provides important information on hardening steps for off-the-shelf applications.
In-house developed software - should include code review and testing steps. Code review is the most thorough way to discover software vulnerabilities. The most effective method of application testing is third-party black box testing.
Error Handling - routines within an application can prevent application failures and many application attacks.
Input validation - checks input data, such as data entered into web page forms. It can help mitigate buffer overflow, SQL injection and cross-site scripting attacks.
What is buffer overflow ?
Buffer overflow - occurs when an application receives unexpected data it can't handle and exposes access to system memory. Attackers exploit buffer overflow vulnerabilities; a common method uses NOOP instructions (NOOP sleds). The two primary protection methods against buffer overflow attacks are input validation and keeping the system up to date.
What is SQL injections ?
SQL injection attacks - provide information about a database and can allow an attacker to read and modify data within a database from a web page. Input validation and stored procedures provide the best protection.
What is Cross-site scripting ?
What is cross site forgery ?
Cross site request forgery (XSRF) - causes users to perform actions on websites without their knowledge and allows attackers to steal cookies and harvest passwords.
What is Command injection ?
Command injection attacks - run operating system commands. Directory traversal is a type of command injection attack in which an attacker attempts to access files stored on the system.
What is Fuzzing ?
Fuzzing or fuzz testing - sends random data to applications to detect vulnerabilities.
What is a NOP-sled ?
A NOP-sled is the oldest and most widely known technique for successfully exploiting a stack buffer overflow. It solves the problem of finding the exact address of the buffer by effectively increasing the size of the target area. To do this, much larger sections of the stack are corrupted with the no-op machine instruction. At the end of the attacker-supplied data, after the no-op instructions, the attacker places an instruction that performs a relative jump to the top of the buffer where the shellcode is located. This collection of no-ops is referred to as the "NOP-sled" because if the return address is overwritten with any address within the no-op region of the buffer, execution will "slide" down the no-ops until it is redirected to the actual malicious code by the jump at the end. This technique requires the attacker to guess where on the stack the NOP-sled is, instead of the comparatively small shellcode.
What is DNS poisoning ?
DNS poisoning - modifies data in the DNS cache, for forward or reverse lookups. Pharming redirects website traffic to another website.
What is risk management ?
Risk management - attempts to reduce risk to a level that an organization is able to accept. Senior management is responsible for managing risk and the losses associated from residual risk.
Name five risk management methods.
You cannot eliminate risk. Risk management methods include risk avoidance, transference, acceptance, mitigation and deterrence. You avoid a risk by not providing a service or participating in a risky activity. Purchasing insurance transfers the risk to another entity. Security controls mitigate or reduce a risk. Some controls, such as security guards, deter a risk.
What is a quantitative risk assessment ?
Quantitative risk assessments - use numbers such as costs and asset values.
What is SLE ?
The Single loss expectancy (SLE) is the cost of any single loss.
What is ARO ?
The annualized rate of occurrence (ARO) indicates how many times the loss will occur annually.
What is ALE ?
The annualized loss expectancy (ALE) is calculated as SLE x ARO.
What is a qualitative risk assessment ?
Qualitative risk assessments - use judgements to prioritize risks based on probability and impact. These judgements provide a subjective ranking.
Name Three port scanning tools.
Nmap, Netcat, and Nessus are three common vulnerability scanners. They can detect open ports, identify security and configuration errors, identify missing patches, discover weak passwords, and more.
What is a vulnerability scanner ?
Vulnerability scanners passively test security controls to identify vulnerabilities, a lack of security controls, and common misconfigurations. They are effective at discovering systems susceptible to an attack without exploiting the systems. A vulnerability scan will not negatively affect normal operations or user activity.
What is a penetration test ?
Penetration test - is an active test that attempts to exploit discovered vulnerabilities. It starts with a vulnerability scan and then bypasses or actively tests security controls to exploit vulnerabilities. Since it can compromise a system, it can also test how well employees respond to a compromised system.
What is a data ex-filtration?
Data exfiltration tests - attempt to extract data from a system. They will normally attempt privilege escalation after gaining access to a system.
What is the difference between a vulnerability test and a penetration test ?
A significant difference between a vulnerability scan and a penetration test is that a vulnerability scan is passive and a penetration test is active. The vulnerability scan identifies the vulnerabilities, and the penetration test demonstrates the result of exploiting them.
What is Black, Grey and white testing ?
Black box testing - testers perform a penetration test with zero prior knowledge of the environment. White box testing indicates the testers have full knowledge of the environment, including documentation and source code for tested applications. Gray box testing indicates some knowledge of the environment.
What is rules-of-engagement ?
Penetration testers should gain consent prior to starting a penetration test. A rules-of-engagement document identifies the boundaries of the test.
What are 6 different security tools ?
Routine audits - help an organization verify it is following its own policies.
User rights and permissions review - is a system audit. It verifies that users have appropriate privileges and no more. It also verifies that inactive accounts are disabled.
Protocol analyzers (sniffers) - can capture and analyze data sent over a network. You can examine IP headers in the packets, and you can read any data sent in clear text to identify what is sent across the network. Attackers can use these to capture passwords sent in clear text.
Password crackers - can discover, recover, or bypass passwords. This includes passwords sent over the network, passwords used for authentication, passwords used to secure files such as WinZip archives, and more.
Security logs - track logon and logoff activity on systems. System logs identify when services start and stop.
Centralized log management - protects logs when systems are attacked or compromised.
What is a vulnerability assessment ?
Vulnerability assessment - is prioritized based on the severity of each vulnerability and its ability to affect high-value assets. It also checks for the existence of security controls, such as a password policy, and can include a user rights and access review to identify unused accounts or accounts with unneeded permissions; however, it does not make changes.
What is a single point of failure ?
Single point of failure - any component that can cause the entire system to fail if it fails.
What is RAID 1 and Raid 5 ?
RAID 1 and RAID 5 - disk subsystems that provide fault tolerance and increased availability. RAID 1 (mirroring) uses 2 disks, and RAID 5 uses 3 or more disks.
What is a fail over cluster ?
Failover clusters - remove a server as a single point of failure. If one node in a cluster fails another node can take over.
What is a UPS ?
UPS - an uninterruptible power supply provides fault tolerance for power fluctuations and provides short-term power for systems during power outages. Generators provide long-term power for systems during extended power outages.
Name 2 different backup strategies.
Backup Strategies - include full, full/differential, and full/incremental. A full backup strategy alone allows the quickest recovery time.
What are hot and cold aisles ?
Hot and cold aisles - are often used with temperature control systems to regulate cooling and increase availability of the systems. Humidity controls reduce potential damage from static discharge.
What is a test restore?
Test restores - verify the integrity of backups. A test restore of a full backup verifies the backup can be restored in its entirety.
What is a hot, warm and cold site ?
Hot site - includes everything needed to be operational within sixty minutes. It is the most effective recovery solution and the most expensive.
Cold site - has power and connectivity and little else. It is the cheapest to maintain.
Warm site - is a compromise between a hot site and a cold site.
What is BIA, BCP, RPO, RTO and COOP ?
A business impact analysis (BIA) is part of a business continuity plan (BCP), and it identifies critical business functions based on business requirements. The BIA identifies the Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). RPO and RTO drive recovery strategies. Continuity of operations (COOP) sites provide alternate locations to operate critical business functions after a major disaster.
What is DRP ?
Disaster recovery planning is part of overall business continuity planning. A disaster recovery plan (DRP) includes the steps to return one or more systems to full operation. A BCP or DRP includes a hierarchical list of critical systems identifying the order of restoration. Periodic testing validates BCPs and DRPs. Disaster recovery exercises validate the steps to restore individual systems, activate alternate sites, and perform other actions documented within a DRP. Functionality of restored systems is validated by comparing against baselines. The last phase of a DRP includes a review of lessons learned and may require a rewrite or update of the plan.
What is failing open or closed ?
If security is more important than availability, a system should be designed to fail in a closed state. If availability is more important than security, a system should be designed to fail in an open state.
What is LANMAN ?
LANMAN is an older hashing algorithm that stores passwords by first dividing the password into two seven-character blocks and then converting all lowercase letters to uppercase. NTLMv1 superseded LANMAN, and NTLMv2 superseded NTLMv1.
What is MD5, SHA-1, and SHA256 ?
MD5 is a hashing algorithm creating 128-bit fixed-size hashes. SHA is a family of hashing algorithms: SHA-1 creates 160-bit hashes and SHA-256 creates 256-bit hashes.
What is a hash?
A hash - is a number; hashing algorithms create a fixed-size string of bits (such as 128 bits or 256 bits) regardless of the size of the hashed data.
What is hashing ?
Hashing - provides integrity by verifying that data has not been modified or corrupted. Hashing can provide integrity for email, files stored on drives, and files downloaded from the Internet.
What is confidentiality ?
Confidentiality - ensures that data is only viewable by authorized users. Encryption provides confidentiality of data, including data at rest and data in motion.
What are the two components of encryption ?
The two basic components of encryption are an algorithm and a key.
What is AES, DES, 3DES ?
AES - a popular symmetric encryption algorithm; it uses 128-, 192-, or 256-bit keys.
DES - an older, weak symmetric encryption algorithm using 56-bit keys. 3DES - was created as an improvement over DES.
3DES uses multiple keys and multiple cryptographic passes of the DES algorithm. AES is preferred today, but 3DES is used when hardware does not support AES.
What is a one time pad ?
One-time pad - is a hardcopy printout of encryption keys on individual pieces of paper within a pad of paper.
What is symmetric encryption ?
Symmetric encryption uses the same key to encrypt and decrypt data. Transmitted data uses the same key at both ends of the transmission media for encryption and decryption. Data at rest uses the same key to encrypt and decrypt the data.
What is Asymmetric encryption ?
Asymmetric encryption - uses public and private keys as matching pairs. If the public key encrypts information, only the matching private key can decrypt it. If the private key encrypts information, only the matching public key can decrypt it. Private keys are always kept private and never shared. Public keys are freely shared by embedding them in a certificate.
What is RSA ?
RSA - a popular asymmetric algorithm. Many cryptographic protocols use RSA to secure data such as emails and data transmitted over the Internet. RSA uses prime numbers to generate public and private keys.
What is Diffie-Hellman ?
Diffie-Hellman - addresses key management and provides a method to privately share a symmetric key between two parties.
What is Elliptic curve cryptography?
Elliptic curve cryptography - is an encryption technology commonly used with small wireless devices. It uses smaller key sizes and requires less processing power than traditional encryption methods.
What is TLS ?
TLS - is the replacement for SSL, and many other applications use TLS. It requires certificates issued from a CA. PEAP-TLS uses TLS for the authentication process.
What is steganography ?
Steganography - is the practice of hiding data within a file. A simple way is by reducing the font of text so small it looks like a dot or a dash. A more sophisticated method is by modifying bits within a file. Capturing and comparing hashes of files can discover steganography attempts.
When using digital signatures with email, which key encrypts? Which key decrypts ?
When using digital signatures with email: the sender's private key encrypts (or signs); the sender's public key decrypts.
How does digital signature provide authentication, non-repudiation and integrity ?
A digital signature provides authentication (verified identification) of the sender, non-repudiation, and integrity of the message. Senders create a digital signature by hashing a message and encrypting the hash with the sender's private key. Recipients decrypt the digital signature with the sender's matching public key.
What key is used to encrypt email ? decrypt ?
When encrypting email: the recipient's public key encrypts; the recipient's private key decrypts. Many email applications use the public key to encrypt a symmetric key and then use the symmetric key to encrypt the email contents.
What key encrypts website traffic ? Decrypts ?
When encrypting website traffic with SSL or TLS: the website's public key encrypts a symmetric key; the website's private key decrypts the symmetric key; the symmetric key encrypts data in the session.
What is S/MIME?
S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP secure email with encryption and digital signatures. They both use RSA and certificates, and depend on a PKI. They can encrypt email at rest (stored on a drive) and in transit (sent over the network).
What is PKI ?
A public key infrastructure (PKI) - is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. A PKI allows two entities to privately share symmetric keys without any prior communication.
What is a CA, CRL, and root certificate of trusted CAs ?
CA - issues, manages, validates, and revokes certificates.
Root certificates of trusted CAs - are stored in the trusted root certification authority store. If a CA's root certificate is not in the trusted store, web users will see errors indicating the certificate is not trusted or the CA is not recognized.
CAs revoke certificates when a private key is compromised or the CA is compromised. A CRL identifies revoked certificates as a list of certificate serial numbers.
The CA publishes the CRL, making it available to anyone. Web browsers can check certificates they receive from a web server against a copy of the CRL to determine if a received certificate is revoked.
What is a key escrow ?
A key escrow stores a copy of private keys used within a PKI. If an original private key is lost or inaccessible, the copy is retrieved from escrow, preventing data loss.
What is a PKI recovery agent ?
PKI recovery agents can recover data secured with a private key, or recover a private key itself, depending on how the recovery agent is configured.
How is the integrity of email messages kept ?
MD5 is a hashing algorithm that can ensure integrity of data including email messages.
What is EAP, PEAP?
Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in wireless networks and Point-to-Point connections.
The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel.
TLS is the replacement for SSL. Both TLS and SSL require certificate authorities.
Explain the 3 steps of Sally digitally signing an email and sending it to Joe. Explain the 4 steps of Joe receiving the message.
Signing email with digital signatures: Sally creates an email message and clicks send:
1) the application hashes the message
2) the application retrieves Sally's private key and encrypts the hash using the private key
3) the application sends both the encrypted hash and the unencrypted message to Joe.
Joe's system receives the message:
1) Joe's system retrieves Sally's public key (which is in Sally's public certificate); in a domain the key is fetched automatically, otherwise it may be sent along with the email
2) the application decrypts the hash with the public key
3) the application calculates the hash of the message
4) the decrypted hash is compared with the calculated hash
IF THEY MATCH:
Authentication: Sally sent the message
Non-repudiation: Sally can't deny sending the message
Integrity: the message has not changed
Explain the process of encrypting email.
Encrypting email: the recipient's public key encrypts when encrypting an email message, and the recipient uses the recipient's private key to decrypt the email. In most cases the public key does not actually encrypt the message, but instead encrypts a symmetric key used to encrypt the message. The private key decrypts the symmetric key, which then decrypts the message.
Explain how TLS and SSL work.
SSL and TLS:
1) client requests a secure session
2) server responds with a certificate including a public key
3) client creates a symmetric key and encrypts it with the public key
4) the encrypted symmetric key is sent to the web server
5) server decrypts the symmetric key with its private key
6) the session is encrypted using the symmetric key (both directions)
What is a CRL?
CRL - certificate revocation list - a list of all revoked certificate serial numbers.
What is a trust model ?
Trust model - all certificates issued by a trusted CA are trusted. Root certificates of trusted CAs are stored in the trusted root certification store. Web browsers display an error when a site uses an untrusted certificate.
What is a Security Policy?
Security Policy - written document that identifies a security plan for an organization. Security Controls enforce security policies.
What is a Clean desk policy ?
Clean desk policy - requires users to organize their desks and surrounding areas to reduce the risk of possible data theft and password compromise.
What is a user privilege policy ?
User privilege policy - enforces the principle of least privilege and ensures users have only the rights and permissions needed to perform their job and no more. A review of rights and permissions identifies when user privilege policies are not enforced.
What is account policy ?
Account policy - often requires administrators to have two accounts. This helps prevent privilege escalation and other attacks.
What is account disablement policy ?
Account disablement policy - account disablement or expiration policies ensure that inactive accounts are disabled.
What are 2 problems with USB thumb drives ?
USB thumb drives - are a source of data leakage and malware distribution. Security policies often restrict the use of USB thumb drives and other portable devices such as music players.
What is acceptable use policy ?
Acceptable use policy - defines proper system usage for users. Users are often required to read and sign an acceptable use policy when hired, and in conjunction with refresher training.
What is mandatory vacation policy ?
Mandatory vacation policy - requires employees to take time away from their job. These policies help prevent employees from continuing with fraudulent activities.
What is Job rotation policy ?
Job rotation policy - requires employees to change roles on a regular basis. These policies help to prevent employees from continuing with fraudulent activities.
What is separation of duties policy ?
Separation of duties policy - separates individual tasks of an overall function between different entities or different people.
What is Security awareness training ?
Security awareness and training - practices reinforce user compliance with security policies and help reduce risks posed by users.
What is information classification ?
Information Classification - practices help protect sensitive data by ensuring users understand the value of data. Data Labeling ensures that users know what data they are handling and processing.
What are storage and retention policies ?
Storage and retention policies - identify how long data is retained. They can limit a company's exposure to legal proceedings and reduce the amount of labor required to respond to court orders.
What is PII ?
Personally identifiable information (PII) - is used to personally identify an individual. Examples include full name, birth date, addresses, medical information, and more.
PII requires special handling and policies for data retention. Many laws mandate the protection of PII, and require informing individuals when an attack results in the compromise of PII.
What is P2P software ?
P2P Software is a source of data leakage. Organizations often block P2P software at the firewall and run scans to detect P2P on end user systems.
What are problems with social networking sites ?
Improper use of social networking sites can result in inadvertent information disclosure. Attackers gather information from these sites to launch attacks against users.
What are sanitization procedures ?
Sanitization procedures - ensure data is removed from decommissioned systems. Specialized applications erase disk drives by writing a series of ones and zeroes multiple times on the drive.
What is an incident response policy ?
Incident response policy - defines an incident and the response procedures.
What is the first step to take after an incident has occurred?
The first step to take after identifying an incident is to contain or isolate the system. Disconnecting a computer from a network will isolate it.
What is the order of volatility ?
Some data is more volatile than other data, and the order of volatility refers to the order in which experts collect evidence.
What is memory forensic analysis ?
Memory forensics analysis - retrieves information from RAM such as data a user has been working on, system processes, network processes, application remnants and more. RAM is volatile and must be captured before a system is powered down.
What is hard drive imaging ?
Hard drive imaging - creates a forensic copy and prevents the forensic capture and analysis from modifying the original evidence. A forensic image is a bit-by-bit copy of the data and does not modify the data during capture.
What is a chain of custody ?
Chain of custody - documents how evidence has been controlled and who has handled it after the initial collection. It provides assurance that evidence has been controlled and handled properly.
What is IPsec, SA and ESP ?
IPsec is a common tunneling protocol used with VPNs. It can secure traffic in a site-to-site tunnel and from clients to the VPN. IPsec uses tunnel mode for VPNs. ESP encrypts VPN traffic and provides confidentiality, integrity, and authentication. SA - security association. ESP - Encapsulating Security Payload.
What is AH?
AH - Authentication Header (AH) is a member of the IPsec protocol suite. AH guarantees connectionless integrity and data origin authentication of IP packets. Further, it can optionally protect against replay attacks by using the sliding window technique and discarding old packets.
How do firewalls identify IPsec ESP and AH traffic ?
Firewalls identify IPsec ESP traffic with protocol ID 50 and AH traffic with protocol ID 51. IKE creates the security association for the IPsec tunnel and uses port 500.
What is NAC ?
NAC inspects clients for specific health conditions and can redirect access to a remediation network for unhealthy clients. NAC can be used with VPN clients and with internal clients. MAC filtering is a form of network access control. A network admission control device analyzes systems attempting to access the network and prevents vulnerable computers from joining the network. The system usually installs an application known as the Clean Access Agent on computers that will be connected to the network.
What is L2TP ?
L2TP (Layer 2 Tunneling Protocol), port 1701 - developed by both Cisco and Microsoft; it does not encrypt the tunnel itself but uses IPsec for encryption.
What is SSTP ?
SSTP (Secure Socket Tunneling Protocol), port 443 - uses SSL; useful when the VPN tunnel must traverse NAT (no additional firewall port needs to be opened).
What is a VPN concentrator ?
VPN Concentrators provide secure remote access to a large number of remote users.
How does a firewall allow VPN traffic ?
VPNs provide mobile users with remote access to a corporate network. Firewall ACLs include rules to allow VPN traffic based on the tunneling protocol.