The flashcards below were created by user usma1976 on FreezingBlue Flashcards.

  1. Different ciphers
    • MARS - IBM
    • RC6 - RSA
    • Rijndael - Joan Daemon and Vincent Rijmen
    • Serpent - Ross ANderson, Eli Biham, Lars Knudsen
    • Twofish - Bruce Schneier; John Kelsey; Doug Ehiting; David Wagner; Chris Hall; Niels Ferguson
  2. AES Transformation
    • 4 transformations
    • Addround key - XOR round key with state
    • SubBytes
    • ShiftRows
    • MixColumns
  3. IDEA
    • International Data Encryption Algorithm
    • 64 bit blocks with 128 bit key
    • operates like DES but difficult to break
    • uses 8 rounds on 16 bit sub-blocks
    • can be done in hardware
  4. Blowfish and Twofish
    • symmetrical
    • considered unbreakable
  5. RC5
    • Ronald Rivest in 1994
    • block cipher with variable BLOCK lengths (32, 64, 128)
    • key from 0 to 2048 bits
    • patented by RSA in 1997
  6. Tractable vs Intractable
    • Easy = polynomial time = symmetric
    • Hard = intractable = exponential or super-polynomial

    • Intractable - asymmetric
    • difficult
    • Example RSA - factoring large numbers

    • Discrete logarithm for finite fields
    • Difficult
    • Example: El Gamal; Diffie Hellman; Schnorr signature; NIST's DSA (Digital signature algorithm)

    • Elliptic curves
    • Difficult
    • Same examples as above
    • used for mobile telephones, smart cards, ATM
  7. Diffie Hellman Key Exchange
    • does not provide confidentiality
    • provides a key; not an encryption algorithm
  8. Digital signatures
    • provides non-repudiation which is a combination of authentication and integrity
    • uses both asymmetric encryption and a hash; example RSA and SHA1

    plaintext - hash to message digest - encrypt with private key - attach signature to document - send - run local hash - decrypt with public key - compare message digest (hashs)

    like PGP
  9. Code signing
    • applies digital signature to an application
    • PKI and Certificate authorities
  10. HMAC
    • hashed message authentication code
    • digital signature with a pre-shared symmetric key
    • example: DNS TSIG (transaction signature)

    may be used for zone transfers; places where PKI is not necessary

    usually used for integrity; but can help with authentication (must be authorized if I gave you my key)
  11. Real-world encryption
    • Symmetric - fast, strong but needs secure way to share key (DES)
    • Asymmetric - slow; weaker; no pre-shared key (RSA)
    • DES may be 100 times (software) or 1000 times faster than RSA

    • Best of both worlds = TLS
    • public key - private key - symmetric session key - hashes

    First session on secure website = asymmetric; then create symmetric session key
  12. ECC
    • Elliptic curve cryptography (asymmetric)
    • far stronger than RSA or DSA
    • but weaker than symmetric
    • MOST EFFICIENT of the asymmetric algorithms; requiring fewer resources for computation
    • makes this the ideal choice for cell phones and wireless devices

    Symmetric like DES and AES are far stronger than RSA or DSA asymmetric
  13. PKI
    • Public key infrastructure
    • hierarchy of systems to create digital certificates

    RSA has developed main algorithms used by PKI vendors

    Military Common Access Card (CAC) contain a certificate
  14. PKI components (5)
    • CA
    • organizational registration authority (ORA)
    • certificate holders
    • clients
    • repositories (also publish certificate revocation lists CRL)
  15. CPS
    • Certificate Practice Statement
    • provided by the CA
    • covers how certificates are issued, protected; how users are eligible
  16. PKI server types (3)
    • Root certificate authorities
    • Intermediate certificate authorities
    • Issuing certificate authorities

    • Examples:
    • Microsoft certificate services
    • Entrust authority
    • Verizon/Cybertrust
    • OpenSSL

    can create Internal PKI or use external PKI or both
  17. PKI trust models (4)
    • Hierarchical - tree and leafs
    • Bridge - connects 2 organizations
    • Mesh - connects 3 organizations
    • Hybrid - some combination of above
  18. Key Management Lifecycle (7)
    • registration - via a Distinguished Name (DN); initialization generates public/private key pair
    • creation
    • distribution - share public key but securely store private key (protect with pwd); may be stored by software or hardware (HSM) (TPM) (CAC)
    • validation
    • key recovery - escrow is controversial
    • expiration - only good for 1 to 2 years
    • revocation - certificate revocation list (CRL)

    some CAs store a copy of the users private key (for recovery)
  19. X509
    • standard for digital certificates
    • contains demographics, validity period, algorithm used, public/private key pair, signature by issuing CA
    • 2 sections: data and signature
    • may also contain other details like extensions

    • bind the individual's identity to the public key
    • PGP allows the user to create the public key but most PKI has the CA create it for you
  20. OCSP
    • ONLINE certificate status protocol
    • real-time; faster than CRL
    • supported by most browsers
    • recommended by the IETF (Internet Engineering Task Force)
  21. Escrowed encryption
    • divide key into 2 parts and store them with separate organizations
    • in the govt clipper chip
    • - uses the skipjack secret key algorithm
  22. PGP
    • decentralized
    • 1991 - Phil Zimmerman
    • free and easy
    • uses symmetric, asymmetric and hash ciphers; no key pre-sharing
    • commercial version owned by Symantec
    • Gnu Privacy Guard (GPG) free and open source
  23. Web of trust
    • PGP uses this idea versus PKI which is centralized
    • trust may be transitive through introducers (creates the web concept)

    you trust me then you trust everyone I trust
  24. Transport encryption
    • data in motion
    • VPN (encrypted tunnels)
    • - may use IPSec, SSL/TLS, SSH and others

    focuses on confidentiality but can provide all four
  25. SSL/TLS
    • TLS 1.0 is SSL version 3.1 (transport layer security) versus (secure sockets layer)
    • protect data above the transport layer
    • TLS 1.0 is backward compatible with SSL

    current version of TLS is 1.2
  26. SSL Crypto
    • client request
    • server response
    • client validate certificate
    • client encrypts session key
    • exchange keys
    • server decrypts
    • exchange encrypted messages
  27. IPSec
    • two encryption protocols
    • - AH (Authentication Header)
    • - ESP (Encapsulating Security Payload)

    • AH protects the entire packet, including headers
    • - provides authentication and integrity but no confidentiality
    • - like a digital signature

    • ESP protects the payload only
    • - provides confidentiality, integrity and authentication

    IPSec VPN may use AH, ESP or both
  28. IPSec Security Association
    • SA
    • must have for communication
    • one-way simplex connection; but need bi-directional so each end needs it's own SA (2 or 4)
    • 3 parts;
    • - security parameter index (SPI) (32 bit number)
    • - Destination IP Address (IP
    • - identity of the security protocol (AH or ESP)

    • 2 modes:
    • - tunnel mode (most common)
    • - transport mode
  29. Perfect Forward Secrecy
    • protects session keys
    • used in IPSec VPNs

    ensures private keys are not kept in persistent storage
  30. SSH
    • Secure SHell
    • designed to replace insecure protocols like Telnet, FTP, rlogin, rshell etc.

    may be used as a VPN to tunnel other protocols

    operates on Port 22

    SSHv2 recommended over SSHv1

    uses asymmetric encryption to derive a symmetric session key (AES, Blowfish and 3DES)
  31. Cryptoattacks
    • Brute force
    • Man in the middle
    • Known plaintext
    • Ciphertext only
    • chosen plaintext
    • adaptive chosen plaintext

    • chosen ciphertex
    • adaptive chosen ciphertext
    • chosen key
  32. Birthday attack
    • probability and hash collisions
    • with 23 people together, odds are better than 50% that two people share the same birthday

    any two messages that generate the same hash is called a COLLISION
  33. Crypto vs steganography (Stego)
    crypto provides confidentiality but not secrecy; you know when someone is sending an encrypted massage

    stego provides secrecy
  34. CCD
    charge coupled discharge (CCD) cameras provide a better picture

    • CCTV levels can include:
    • - detection
    • - recognition
    • - Identification
  35. Fences
    • 3 to 4 ft = deter
    • 6 to 7 ft = can't easily climb
    • 8 ft + barbed wire (prevents determined intruder)
  36. Gates (4)
    • Class 1 - residential
    • Class 2 - commercial (like a garage)
    • Class 3 - industrial (loading dock)
    • Class 4 - restricted access (like a prison or airport)
  37. Fresnel lenses
    special lenses with concentric thin rings that have the properties of heavier lenses (possibly a searchlight)
  38. Preventive and detective
    • Preventive - locks, fences
    • Detective - motion detectors, sensors, alarms

    deploy several technologies together
  39. Physical security
    Adds SAFETY to CIA
  40. Server room fire rating
    all walls, doors, windows etc need to have a 1 hour rating
  41. Temp and Humidity
    temp for server room between 70 and 74; but usually around 60 (70 degrees F = 21.1 degrees C)

    humidity between 40% and 60%
  42. Electric power
    • Fault- momentary loss
    • Brownout - prolonged low voltage
    • Blackout - loss of all power
    • Spike - momentary high voltage
    • Sag - momentary low voltage
    • Surge - prolonged high voltage
    • Transient - short duration noise interference
  43. Heat sensors and flame detectors
    Detection measures; not prevention
  44. Fire classes
    • A: combustible (wood) (water or soda acid)
    • B: liquid (petroleum) (Gas, CO2)
    • C: Electrical (gas, CO2)
    • D: Metals (dry opowder)
  45. Wet pipe vs dry pipe
    Wet is filled with water to the sprinkler head

    Dry is held back at a distance from the sprinkler head

    • Pre-action is wet and dry - once dry pipe fills, the sprinkler head still needs to melt (buys time)
    • Deluge - dry pipe that releases all water immediately
  46. COBIT Vs. ITIL
    • COBIT - framework developed by ISACA (Information Systems Audit and Control Association)
    • COBIT - defines IT goals; ensure IT maps to business needs (not just security) ("what to achieve"); was derived from COSO

    • ITIL - defacto standard of best practice for IT service management
    • ITIL - customizable; provides IT goals and processes ("how to achieve it")

    COSO is a model for corporate governance (Committee of Sponsoring Organizations of the Treadway Commmission) specifically developed to deal with fraudulent financial activities and reporting; "cooking the books"
  47. Safe Harbor
    how an entity will move private data to and from Europe
  48. European Union Principles on Privacy
    • not required for US
    • 6 principles for transmitting sensitive information
    • all European entities must comply
  49. Organization for Economic Cooperation and Development (OECD)
    guidelines for various countries to properly protect data and ensure everyone follows the same rules
  50. Security steering committee
    • responsible for making decisions on tactical and strategic security issues
    • meets at least quarterly
    • vision plus support for CIA
  51. masquerading
    • attempt to gain unauthorized access by impersonating an authorized user; phishing
    • considered an active attack
  52. Residual risk
    • Risk leftover after mitigation
    • total risk = threats x vulnerability x asset value

    residual risk = (threats x vulnerability x asset value) x control gap

    ALE (annual loss expectancy) = SLE x frequency
  53. Least privilege vs. need to know
    Least privilege is a principle that states users should be given the least amount of privileges necessary to do their job

    Need to know is a concept that users are only given rights to resources that they need to fulfill their job
  54. Data user vs data owner vs custodian
    • owner - exercises due care and follows security rules and principles
    • owner - responsible for classifying the data; reviewing classification levels; delegating data protection to the custodian
    • custodian - responsible for implementation and maintenance of security controls as dictated by the data owner; technical caretaker
  55. ANZ 4360
    NOT used to analyze security risks; used to understand a company's financial, capital, human safety and business decision risks
  56. OCTAVE
    used to manage risk within an organization
  57. NIST SP 800-30
    specific to IT threats and how they relate to information security risks; focuses mainly on systems, network and security practice assessments
  58. Risk transfer
  59. 3 types of policies
    • Regulatory - detailed, specific
    • Informative - not enforceable; but teaches
    • Advisory - strongly advises
  60. Awareness vs Training vs Education
    • Awareness = "what"; information; recognition and retention; short-term
    • - management; staff; technical employees

    Training = "how"; knowledge; skill; intermediate

    Education = "why"; insight; understanding; long term
  61. Risk analysis approach - qualitative vs. quantitative
    Qualitative - does not assign monetary values; analyzes and ranks seriousness of threats

    Quantitative - assigns monetary values to ALL aspects of risk evaluation to include SLE, ALE, business impact, effectiveness etc.; will show percentages and monetary values
  62. ISO standards - which ones
    • ISO 27002 = code of practice for information security management
    • ISO 27003 = guideline for ISMS implementation; process and design
    • ISO 27004 = guideline for metrics and measurement
    • ISO 27005 = how to perform risk management in an ISMS
  63. CMMI (Capability Maturity Model)
    • Level 1 = Initial
    • Level 2 = Managed
    • Level 3 = Defined
    • Level 4 = Quantitatively Managed
    • Level 5 = Optimizing
  64. SABSA
    Sherwood Applied Business Security Architecture - model and methodology for development of security architectures
  65. PRINCE2
    distractor answer; process based method for project management; not related to security!
  66. ALE
    ALE = SLE x ARO = single loss expectancy x annualized rate of occurence

    40000 = 400 x 1 in a hundred years or 400 x .01
  67. Administrative controls
    polices, procedures
  68. Detective controls
  69. Preventive controls
    location, PIN, lock and key; smart card
  70. Compensating control
    implemented when the primary control is too expensive or negatively affects business operations
  71. Directory services
    • Based on X500 standard (not X509)
    • LDAP allows subjects and applications to interact with the directory
    • assigns DNs (distinguished names) to each object in the database
    • each DN represents a collection of attributes about a specific object

    directory service handles Identification, Authentication, Authorization and Access Control
  72. Web access management (WAM) software
    used to control external entities requesting access to internal objects; basically a web server validating user's credentials
  73. Side channel attacks
    non-invasive attacks such as differential power analysis, electromagnetic analysis, timing and software attacks
  74. 3 types of access control and the differences between them
    Discretionary Access Control (DAC) - where a data owner determines who has access to what (at their discretion)

    Mandatory Access Controls (MAC) -

    Role Based Access Control (RBAC) - includes privacy-aware roles;
  75. Standard Generalized Markup Languages (SGML)
    • followed Generalized Markup Language (GML)
    • markup language is a way to structure text and how it will be viewed

    HTML came from SGML which came from GML

    XML is a specification for markup languages that came after SGML
  76. Identity store
    stores user attributes (like HR data) or authentication information (like a Kerberos server) or role and group identification in a SQL database

    a virtual directory integrates all of the identity stores into one unified view
  77. Phishing vs. Pharming
    • Similar in that they are both technical attacks BUT
    • Phishing is tricking a user to go to a false website while

    Pharming is using DNS poisoning to force a user to a false website; uses a legitimate domain name but is redirected
Card Set:
2015-08-23 18:47:00

smaller set
Show Answers: