C836 Fundamentals of Information security Terms, Exams of Computer Security

A list of terms related to information security, including definitions of key concepts and types of attacks. It also covers different access control models and security measures, as well as risk management phases and cryptography. The document concludes with a discussion of privacy rights and operations security principles.

Typology: Exams

2022/2023

Available from 10/05/2023

Uploaded by oliver001


Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction - ✓Information security
Companies that process credit card payments must comply with this set of standards - ✓Payment Card Industry Data Security Standard (PCI DSS)
Used to keep something private or minimally known - ✓Confidentiality
Refers to the ability to prevent our data from being changed in an unauthorized or undesirable manner - ✓Integrity
Refers to the ability to access our data when we need it - ✓Availability
Something that has the potential to cause harm to our assets - ✓Threat
A weakness that can be used to harm us - ✓Vulnerability
The likelihood that something bad will happen; a risk exists only where a threat and a matching vulnerability are both present - ✓Risk
A type of attack, primarily against confidentiality, in which an unauthorized party gains access to our data - ✓Interception attack
An attack that causes our assets to become unusable or unavailable for our use, on a temporary or permanent basis; primarily against availability - ✓Interruption attack
An attack that involves tampering with our assets; primarily against integrity - ✓Modification attack
An attack that involves generating data, processes, communications, or other similar activities with a system; primarily against integrity - ✓Fabrication attack
A model that adds three more principles to the CIA triad: possession or control, authenticity, and utility - ✓Parkerian hexad
The physical disposition of the media on which the data is stored - ✓Possession or control
Allows for attribution as to the owner or creator of the data in question - ✓Authenticity
Refers to how useful the data is to us - ✓Utility
One of the first and most important steps of the risk management process - ✓Identify assets
A multilayered defense that will allow us to achieve a successful defense should one or more of our defensive measures fail - ✓Defense in depth
Based on rules, laws, policies, procedures, guidelines, and other items that are "paper" in nature - ✓Administrative controls
Sometimes called technical controls, these protect the systems, networks, and environments that process, transmit, and store our data - ✓Logical controls
Controls that protect the physical environment in which our systems sit, or where our data is stored - ✓Physical controls
Involves putting measures in place to help ensure that a given type of threat is accounted for - ✓Mitigating risk

The incident response phase that consists of all of the activities we can perform in advance of an incident, in order to better enable us to handle it - ✓Preparation phase
The incident response phase where we detect the occurrence of an issue and decide whether it is actually an incident so that we can respond to it appropriately - ✓Detection and analysis phase
Taking steps to ensure that the situation does not cause any more damage than it already has, or at the very least, lessen any ongoing harm - ✓Containment phase
To completely remove the effects of the issue from our environment - ✓Eradication phase
The incident response phase where we determine specifically what happened, why it happened, and what we can do to keep it from happening again - ✓Post-incident activity phase

The ability to remove access from a resource at any point in time - ✓Revocation
Typically built to a certain resource, these contain the identifiers of the party allowed to access the resource and what the party is allowed to do - ✓Access control lists (ACLs)
In this method of security, a person's capabilities are oriented around the use of a token that controls their access (e.g. a personal badge) - ✓Capability-based security
A type of attack that is more common in systems that use ACLs rather than capabilities: a program holding authority is tricked into exercising it on behalf of a less-privileged party - ✓The confused deputy problem
A type of attack that misuses the authority of the browser on the user's computer; a form of the confused deputy problem - ✓Cross-site request forgery (CSRF)
A client-side attack that takes advantage of some of the page rendering features that are available in newer browsers - ✓Clickjacking
Access is determined by the owner of the resource in question - ✓Discretionary access control (DAC)
Access is decided by a group or individual who has the authority to set access on resources, rather than by the owner of the resource - ✓Mandatory access control (MAC)
Similar to MAC in that access controls are set by an authority responsible for doing so, rather than by the owner of the resource; in this model, access is based on the role the individual is performing - ✓Role-based access control (RBAC)
Access is based on attributes (of a person, a resource, or an environment) - ✓Attribute-based access control (ABAC)
Attributes of a particular individual, such as height - ✓Subject attributes
Attributes that relate to a particular resource, such as operating system or application - ✓Resource attributes
Attributes that relate to environmental conditions, such as time of day or length of time - ✓Environmental attributes
An access control model that includes many tiers of security and is used extensively by military and government organizations and those that handle data of a very sensitive nature - ✓Multilevel access control model
Designed to prevent conflicts of interest; commonly used in industries that handle sensitive data. Three main resource classes are considered in this model: objects, company groups, and conflict classes - ✓The Brewer and Nash model
A combination of DAC and MAC, primarily concerned with the confidentiality of the resource. Two security properties define how information can flow to and from the resource: the simple security property (no read up) and the * property (no write down) - ✓The Bell-LaPadula model
Primarily concerned with protecting the integrity of data, even at the expense of confidentiality. Two security rules: the simple integrity axiom (no read down) and the * integrity axiom (no write up) - ✓The Biba model
Access controls that regulate movement into and out of buildings or facilities - ✓Physical access controls

This provides us with the means to trace activities in our environment back to their source - ✓Accountability
Refers to a situation in which sufficient evidence exists to prevent an individual from successfully denying that he or she has made a statement or taken an action - ✓Nonrepudiation
Refers to elements that discourage or prevent misbehavior in our environments - ✓Deterrence
A monitoring tool that alerts when an attack or other undesirable activity is taking place - ✓Intrusion detection system (IDS)
A tool that can take action based on what is happening in the environment, such as blocking the offending traffic - ✓Intrusion prevention system (IPS)
A methodical examination and review that ensures accountability through technical means - ✓Auditing
A process that provides a history of the activities that have taken place in the environment - ✓Logging
A subset of auditing that focuses on observing information about the environment in order to discover undesirable conditions such as failures, resource shortages, security issues, and trends - ✓Monitoring
An activity involving the careful examination of our environment using vulnerability scanning tools in order to discover vulnerabilities - ✓Vulnerability assessment
A more active method of finding security holes that includes using the kinds of tools attackers use to mimic an attack on our environment - ✓Penetration testing
A well-known vulnerability scanning tool - ✓Nessus

The science of keeping information secure - ✓Cryptography
The science of breaking through the encryption used to
create the ciphertext - ✓Cryptanalysis
The overarching field of study that covers cryptography and cryptanalysis - ✓Cryptology
The specifics of the process used to encrypt the plaintext or decrypt the ciphertext - ✓Cryptographic algorithm
Another name for unencrypted data - ✓Plaintext (or cleartext)
Another name for encrypted data - ✓Ciphertext
An example of ancient cryptography based on substitution: each letter of the plaintext message is shifted a fixed number of places through the alphabet, historically three - ✓Caesar cipher
This more recent cipher uses the same mechanism as the Caesar cipher but moves each letter 13 places forward; because 13 is half the alphabet, applying it twice restores the plaintext - ✓ROT13 cipher
Also known as private key cryptography, this uses a single key for both encryption of the plaintext and decryption of the ciphertext - ✓Symmetric key cryptography
A type of cipher that takes a predetermined number of bits in the plaintext message (commonly 64 or 128 bits) and encrypts that block - ✓Block cipher

Rights relating to the protection of an individual's personal information - ✓Privacy rights
The process we use to protect our information - ✓Operations security (OPSEC)
A Chinese military general who lived in the sixth century BC and wrote The Art of War, a text that shows early examples of operations security principles - ✓Sun Tzu
The codename of a study conducted to discover the cause of an information leak during the Vietnam War; it is now a symbol of OPSEC - ✓Purple Dragon
The process of intelligence gathering and analysis in order to support business decisions - ✓Competitive intelligence
Name the five steps of the operations security process - ✓1. Identification of critical information 2. Analysis of threats 3. Analysis of vulnerabilities 4. Assessment of risks 5. Application of countermeasures
Haas' Laws of Operations Security: The First Law - ✓If you don't know the threat, how do you know what to protect?
Haas' Laws of Operations Security: The Second Law - ✓If you don't know what to protect, how do you know you are protecting it?
Haas' Laws of Operations Security: The Third Law - ✓If you are not protecting it, the dragon wins!
Refers to services that are hosted, often over the Internet, for the purpose of delivering easily scaled computing services or resources - ✓Cloud computing
The first step in the OPSEC process, and arguably the most important: to identify the assets that most need protection and will cause us the most harm if exposed - ✓Identification of critical information
The second step in the OPSEC process: to look at the potential harm or financial impact that might be caused by critical information being exposed, and who might exploit that exposure - ✓Analysis of threats
The third step in the OPSEC process: to look at the weaknesses that can be used to harm us - ✓Analysis of vulnerabilities
The fourth step in the OPSEC process: to determine what issues we really need to be concerned about (areas with matching threats and vulnerabilities) - ✓Assessment of risks
The fifth step in the OPSEC process: to put measures in place to mitigate risks - ✓Application of countermeasures

Name the most common security awareness issues - ✓Protecting data, passwords, social engineering, network usage, malware, the use of personal equipment, clean desk, policy knowledge
Why is protecting data a security awareness issue? - ✓Users need to understand the criticality of carefully handling data from both a compliance and a customer retention and reputation perspective
Why are passwords a security awareness issue? - ✓Users need to understand the importance of strong passwords and password handling best practices
A technique used by an attacker that relies on the willingness of people to help others - ✓Social engineering
A technique involving a fake identity and a believable scenario that elicits the target to give out sensitive information or perform some action which they would not normally do for a stranger - ✓Pretexting
A social engineering technique that uses electronic communications (email, texts, or phone calls) to convince a potential victim to give out sensitive information or perform some action - ✓Phishing
A social engineering technique that targets a specific company, organization, or person, and involves knowing specifics about the target to appear valid - ✓Spear phishing
A method by which a person follows directly behind another person who authenticates to the physical access control measure, thus allowing the follower to gain access without authenticating - ✓Tailgating (also known as piggybacking)
Why is network usage a security awareness issue? - ✓Users need to understand the security issues around connecting devices to networks, such as connecting outside devices to the corporate network, and connecting corporate resources to a public network
Why is malware a security awareness issue? - ✓Users need to be educated in what malware is and how to avoid it
Why is the use of personal equipment a security awareness issue? - ✓Users need to be made aware of policies regarding personal devices in the workplace to protect a company's assets
Why is the clean desk policy a security awareness issue? - ✓Users need to be made aware of the clean desk policy to protect sensitive information at all times, even when away from one's desk
Why is policy and regulatory knowledge a security awareness issue? - ✓Users need to be aware of established corporate policies and regulations to maintain compliance throughout the organization
A program that seeks to make users aware of the risk they are accepting through their current actions and attempts to change their behavior through targeted efforts - ✓Security Awareness, Training, and Education (SATE)

A type of security that is concerned with the protection of people, equipment, and data - ✓Physical security
The plans we put in place to ensure that critical business functions can continue operations in the event of an emergency - ✓Business continuity planning (BCP)
The plans we put in place in preparation for a potential disaster, and what exactly we will do during and after - ✓Disaster recovery planning (DRP)
Name the major categories of physical threats - ✓Extreme temperature, gases, liquids, living organisms, projectiles, movement, energy anomalies, people, toxins, smoke and fire
The devices, systems, people, and other methods we put in place to ensure our security in a physical sense - ✓Physical security controls
Name three main types of physical controls - ✓Deterrent, detective, and preventive
Controls designed to discourage those who might seek to violate our security controls - ✓Deterrent controls
Controls designed to detect and report undesirable events that are taking place - ✓Detective controls
Controls designed to physically prevent unauthorized entities from breaching our physical security - ✓Preventive controls

The process of reducing the number of available avenues through which our operating system might be attacked - ✓Operating system hardening
The total of the areas through which our operating system might be attacked - ✓Attack surface
Name the six main hardening categories - ✓1. Removing unnecessary software 2. Removing or turning off unessential services 3. Making alterations to common accounts 4. Applying the principle of least privilege 5. Applying software updates in a timely manner 6.
Making use of logging and auditing functions
A principle that states we should only allow a party the absolute minimum permission needed for it to carry out its function - ✓The principle of least privilege
The process of anomaly detection used by anti-malware tools to detect malware without signatures - ✓Heuristics
A hardware- and software-based technology that prevents certain portions of the memory used by the operating system and applications from being used to execute code (known as DEP on Windows and as the NX bit in hardware) - ✓Executable space protection
The act of inputting more data than an application is expecting from a particular input, creating the possibility of executing commands by specifically crafting the excess data - ✓Buffer overflow attack
A security method that randomizes where a process's stack, heap, and libraries are placed in memory each time it runs, so that an exploit cannot rely on fixed addresses - ✓Address space layout randomization (ASLR)
This type of firewall generally contains a subset of the features on a large firewall appliance but is often capable of similar packet filtering and stateful packet inspection activities - ✓Software firewall
A system used to analyze the activities on or directed at the network interface of a particular host - ✓Host intrusion detection system (HIDS)
A type of tool that can detect various security flaws when examining hosts - ✓Scanner
A tool that is aimed specifically at the task of finding and reporting network services on hosts that have known vulnerabilities - ✓Vulnerability assessment tool
A well-known vulnerability assessment tool (it also includes a port scanner) - ✓Nessus
A group of tools that can include network mapping tools, sniffers, and exploits - ✓Exploit framework
Small bits of software that take advantage of flaws in other software or applications in order to cause them to behave in ways that were not intended by their creators - ✓Exploits
Name three examples of exploit frameworks - ✓Metasploit, Immunity CANVAS, Core Impact

A type of software development problem that occurs when we do not properly account for the size of the data input into our applications - ✓Buffer overflows/overruns
A type of software development vulnerability that occurs when multiple processes or multiple threads within a process control or share access to a particular resource, and the correct handling of that resource depends on the proper ordering or timing of transactions - ✓Race conditions
A type of attack that can occur when we fail to validate the input to our applications or take steps to filter out unexpected or undesirable content; SQL injection and cross-site scripting are the usual examples - ✓Input validation attack
A type of attack that can occur when we fail to use strong authentication mechanisms for our applications - ✓Authentication attack
A type of attack that can occur when we fail to use authorization best practices for our applications - ✓Authorization attack
A type of attack that can occur when we fail to properly design our security mechanisms when implementing cryptographic controls in our applications - ✓Cryptographic attack
A type of attack that takes advantage of weaknesses in the software loaded on client machines, or one that uses social engineering techniques to trick us into going along with the attack - ✓Client-side attack
An attack carried out by placing code in the form of a scripting language into a web page, or other media, that is interpreted by a client browser - ✓Cross-site scripting (XSS)
In this type of attack, the attacker places a link on a web page in such a way that it will be automatically executed, in order to initiate a particular activity on another web page or application where the user is currently authenticated - ✓Cross-site request forgery (XSRF, also written CSRF)
An attack that takes advantage of the graphical display capabilities of our browser to trick us into clicking on something we might not otherwise - ✓Clickjacking
A type of attack on the web server that can target vulnerabilities such as lack of input validation, improper or inadequate permissions, or extraneous files left on the server from the development process - ✓Server-side attack
Name the four main categories of database security issues - ✓1. Protocol issues 2. Unauthenticated access 3. Arbitrary code execution 4. Privilege escalation

A type of tool that analyzes web pages or web-based applications and searches for common flaws such as XSS or SQL injection flaws, improperly set permissions, extraneous files, outdated software versions, and many more such items - ✓Web application analysis tool
A web server analysis tool that performs checks for many common server-side vulnerabilities, and creates an index of all the files and directories it can see on the target web server (a process known as spidering) - ✓Nikto/Wikto
A well-known web analysis tool that offers a free and a professional version; the pro version includes advanced tools for conducting more in-depth attacks - ✓Burp Suite
A type of tool that works by bombarding our applications with all manner of data and inputs from a wide variety of sources, in the hope that we can cause the application to fail or to perform in unexpected ways - ✓Fuzzer
A tool developed by Microsoft to find flaws in file-handling source code - ✓MiniFuzz File Fuzzer
A tool developed by Microsoft that examines compiled binaries to verify they were built with recommended protections such as stack cookies, DEP, and ASLR support - ✓BinScope Binary Analyzer
A tool developed by Microsoft for testing regular expressions for patterns that can be driven into pathologically slow matching, a denial-of-service vulnerability - ✓SDL Regex Fuzzer
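The input validation and web application analysis entries above name SQL injection without showing why it works. The block below is an added example, not from the study guide; it puts the vulnerable string-built query beside a parameterized one and an allow-listed one. The users table, its rows and the payload are constructed, and sqlite3 stands in for whatever database an application would really use.

```python
"""Input validation failure: SQL injection in a login lookup, beside the
parameterized and allow-listed versions.

Added example, not from the study guide. The users table and its rows are
constructed; sqlite3 stands in for the application's real database.
"""
import re
import sqlite3

# Allow-list of what a username may look like; anything else is rejected.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

# Classic tautology payload (constructed): closes the quoted value, then
# appends a condition that is always true.
INJECTION = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash_a", "admin"),   # constructed rows
        ("bob", "hash_b", "user"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is spliced into the SQL text, so it can change the
    statement's meaning instead of being treated as a value."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The driver sends the value separately from the statement; quotes in
    the input are just characters inside a string."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    """Defense in depth: reject anything outside the expected shape before it
    reaches the database, and still use a parameter for the query."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains unexpected characters")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, INJECTION))    # every row leaks
    print("parameterized:", lookup_parameterized(db, INJECTION)) # nothing matches
    try:
        lookup_validated(db, INJECTION)
    except ValueError as exc:
        print("validated:     rejected:", exc)
```

The parameter is the fix; the allow-list is the second layer that also catches inputs the database would accept but the application never meant to (for example a 4 KB "username"). A deny-list of quote characters is not a substitute for either.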
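The fuzzer and buffer overflow entries above describe the technique in one sentence each. The block below is an added example, not from the study guide or any of the Microsoft tools it names: a small mutation fuzzer run against a toy length-prefixed record parser, once against a version that trusts its length bytes and once against a bounds-checked version. The record format, both parsers and the seed input are constructed for illustration.

```python
"""A mutation fuzzer against a tiny binary record parser: the sloppy version
crashes on malformed input, the bounds-checked version fails cleanly.

Added example, not from the study guide. The record format, the parsers and
the seed input are constructed for illustration.
"""
import random

# Record format (constructed): repeated [key_len][key bytes][val_len][val bytes]
SEED_INPUT = b"\x04user\x05alice\x04role\x05admin"


def parse_record(data: bytes) -> dict:
    """Trusts every length byte it reads: a truncated or tampered record makes
    it index past the end (IndexError) or decode garbage (UnicodeDecodeError)."""
    fields, i = {}, 0
    while i < len(data):
        klen = data[i]; i += 1
        key = data[i:i + klen]; i += klen
        vlen = data[i]; i += 1            # IndexError when klen overran the buffer
        fields[key.decode("ascii")] = data[i:i + vlen]
        i += vlen
    return fields


def parse_record_safe(data: bytes) -> dict:
    """Same format, but every length is checked against the bytes that remain
    and every failure is reported as ValueError, the one exception callers
    are told to expect."""
    fields, i, n = {}, 0, len(data)
    while i < n:
        klen = data[i]; i += 1
        if klen == 0 or i + klen > n:
            raise ValueError("bad key length")
        key = data[i:i + klen]; i += klen
        if i >= n:
            raise ValueError("missing value length")
        vlen = data[i]; i += 1
        if i + vlen > n:
            raise ValueError("truncated value")
        try:
            name = key.decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("non-ASCII key") from None
        fields[name] = data[i:i + vlen]
        i += vlen
    return fields


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one to three random edits: bit flip, byte insert, byte delete, truncate."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "insert", "delete", "truncate"))
        if op == "insert" or not buf:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == "flip":
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == "delete":
            del buf[rng.randrange(len(buf))]
        else:
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int = 2000, seed: int = 1,
         expected: tuple = ()) -> dict:
    """Bombard `target` with mutated inputs; return {exception name: first
    input that triggered it}, ignoring the exception types in `expected`."""
    rng = random.Random(seed)           # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng, seed_input)
        try:
            target(case)
        except expected:
            continue                    # a documented, handled failure
        except Exception as exc:        # anything else is a bug worth a ticket
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    print("sloppy parser:", {k: v.hex() for k, v in fuzz(parse_record, SEED_INPUT).items()})
    print("safe parser:  ", fuzz(parse_record_safe, SEED_INPUT, expected=(ValueError,)))
```

The crashing inputs the fuzzer keeps are the reproducers: each one is a single byte string that a developer can feed back to the parser under a debugger. In a memory-unsafe language the same class of bug (trusting a length field) is where the buffer overflows listed above come from.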