123 Cards in this Set
Information System (definition) |
An entire set of hardware, software, data, people, procedures, and networks necessary to use information as a resource in the organization. |
|
Critical Characteristics of Information (10 things) |
Confidentiality, Integrity, Availability, Authenticity, Accuracy, Utility, Possession, User Authentication, Auditability, Non-repudiation |
|
Necessary tools for Information Security (5 things) |
Policy, Awareness, Training, Education, Technology |
|
Components of Information Security (3 things) |
Network Security, Management of Information Security, Computer and Data Security |
|
What is security? |
Control of information in the form of: Appropriate access, integrity, and freedom from danger |
|
When is a computer a subject of an attack? When is it an object? |
Subject - Computer is used as an active tool to conduct an attack Object - Computer is the entity being attacked |
|
Balancing Security and Access |
Need to protect data but not make it a hassle to get information |
|
ICMP Internet Control Message Protocol |
-Error handling protocol (wrong address, unreachable network, etc) -Also for pinging -ICMP message structure: type, code, plus first 8 bytes of IP datagram causing error |
|
Autonomous Systems |
-Used for finding shortest routes to various places on the internet -Intra-AS: Administrator responsible for setup -Inter-AS: A single standard of BGP |
|
Vulnerability (def) |
Weakness or fault that can lead to an exposure |
|
Threat (def) |
Generic term for objects, people who pose a potential danger to an asset (via attacks) |
|
Threat agent (def) |
Specific object, person who poses such a danger (by carrying out an attack) |
|
Risk (def) |
Probability that “something bad” happens times expected damage to the organization |
|
Exposure (def) |
A successful attack |
|
Vector |
how the attack was carried out, e.g., malicious email attachment! |
|
Malware (def) |
malicious codes such as viruses, worms, Trojan horses, bots, backdoors, spyware, adware, etc. |
|
Disclosure (def) |
responsible, full, partial, none, delayed, etc |
|
Authentication (def) |
determining the identity of a person, computer, or service on a computer |
|
Authorization (def) |
-Determining whether an entity (person, program, computer) has access to object -Can be implicit (email account access) or explicit(attributes specifying users/groups who can read/write/execute file) |
|
Incident (def) |
-Any attack, all attacks using vulnerability, etc. -Anything resulting in service degradation other than problem management, service request fulfillment |
|
Active Worm (def) |
-A program that propagates itself over a network, reproducing itself as it goes |
|
Virus (def) |
-A program that searches out other programs and infects them by embedding a copy of itself in them |
|
Biggest threats to information security (12) |
-Acts of human failure -compromises to intellectual property -espionage or trespass -information extortion -sabotage or vandalism -theft -forces of nature -deviations in quality of service from service providers -technical hardware failures or errors -technical software failures or errors -technological obsolescence -Deliberate software attacks |
|
Acts of Human Error or Failure (5) |
-inadequate training -miscommunication -erroneous data entry -improper data storage -insider threats |
|
Shoulder surfing (def) |
Occurs anywhere a person accesses confidential information |
|
Malicious code attack |
includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information |
|
Backdoor attack |
gaining access to system or network using known or previously unknown/newly discovered access mechanism |
|
Password crack attack |
attempting to reverse calculate a password |
|
Brute force attack |
trying every possible combination of options of a password |
|
Dictionary attack |
selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses |
|
Denial of service attack |
-attacker sends large number of connection or information requests to a target -Target system cannot handle successfully along with other, legitimate service requests -May result in system crash or inability to perform ordinary functions |
|
Distributed denial of service attack |
coordinated stream of requests is launched against target from many locations simultaneously |
|
Spoofing attack |
technique used to gain unauthorized access; intruder assumes a trusted IP address |
|
Man-in-the-middle attack |
attacker monitors network packets, modifies them, and inserts them back into network |
|
Spam attack |
unsolicited commercial e-mail; more a nuisance than an attack, though is emerging as a vector for some attacks |
|
Mail bombing attack |
attacker routes large quantities of e-mail to target |
|
Sniffer attack |
program or device that monitors data traveling over network; can be used both for legitimate purposes and for stealing information from a network |
|
Social engineering attack |
using social skills to convince people to reveal access credentials or other valuable information to attacker |
|
Buffer overflow attack |
application error occurring when more data is sent to a buffer than can be handled |
|
Timing attack |
explores contents of a Web browser’s cache to create malicious cookie |
|
Side-channel attack |
secretly observes computer screen contents/electromagnetic radiation, keystroke sounds, etc. |
|
International Mobile Subscriber Identifier |
Identifies an account - stored in SIM (Subscriber Identification Module) card |
|
Temporary Mobile Subscriber Identifier |
- Assigned by network to prevent IMSI transmission. - Auth with IMSI, use TMSI from then on |
|
IMSI Catcher |
-Network authenticates users -But users do not authenticate the network -Man-in-the-Middle attack |
|
GSM security |
- Stronger signals overwhelm phone, make phone connect to "bad network" - 3G fixed with authentication on both sides |
|
Difference between a worm and a virus |
- Worm-A program that propagates itself over a network, reproducing itself as it goes - Virus-A program that searches out other programs and infects them by embedding a copy of itself in them |
|
How active worm spreads (three steps) |
Scan, Probe, Transfer copy |
|
Cultural mores (def) |
fixed morals or customs of a group of people, form basis of ethics |
|
Ethics (def) |
Rules that define socially acceptable behavior, not necessarily criminal, not enforced (via authority/courts) |
|
Laws (def) |
Rules that mandate or prohibit behavior, enforced by governing authority (courts) |
|
Policy (def) |
-Body of expectations that defines acceptable workplace behavior -General and broad, not aimed at specific technologies or procedures -To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees |
|
Standards, guidelines, best practices (def) |
define what must be done to comply with policy, how to do so |
|
Jurisdiction (def) |
a court’s right to hear a case if a wrong was committed in its territory or against its citizens |
|
Long-arm jurisdiction (def) |
court’s ability to “reach far” and apply law (another state, country) |
|
Case law (def) |
documentation about application of law in various cases |
|
Liability (def) |
legal obligation beyond what’s required by law, increased if you fail to take due care |
|
Due care (def) |
has been taken when employees know what is/isn’t acceptable, what the consequences are |
|
Due diligence (def) |
sustained efforts to protect others |
|
Criminal law (def) |
harmful actions to society, prosecuted by the state |
|
Firewall (def) |
device that selectively discriminates against information flowing into or out of organization |
|
Demilitarized Zone (def) |
no-man’s land between inside and outside networks where some organizations place Web servers |
|
Intrusion Detection System (def) |
in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement an IDS |
|
Types of law (five) |
Civil, Criminal, Tort law, Private, Public |
|
Risk management (def) |
process of identifying and controlling risks facing an organization |
|
Risk Identification (def) |
process of examining an organization’s current information technology security situation |
|
Risk control (def) |
applying controls to reduce risks to an organization’s data and information systems |
|
Assets (def) |
are targets of various threats and threat agents |
|
Risk management system components (seven) |
Employees, Nonemployees, Procedures, Information, Software, System devices and peripherals, Networking components |
|
Risk Control (four parts) |
Avoidance, Transference, Mitigation, Acceptance |
|
Residual risk (def) |
risk “left over” after identification and control |
|
Four categories of firewalls |
① Processing mode ② Development era ③ Intended deployment structure ④ Architectural implementation |
|
Processing Mode firewalls |
-Packet filtering -Application gateways -Circuit gateways -MAC layer firewalls -Hybrids |
|
Packet filtering firewalls (def) |
Packet filtering firewalls examine header information of data packets |
|
Packet filtering subsets (three) |
-Static filtering: requires that filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed -Dynamic filtering: allows firewall to react to emergent event and update or create rules to deal with event -Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table |
|
Screened Subnet Firewalls |
Commonly consists of two or more internal bastion hosts behind packet filtering router, with each host protecting trusted network: -Connections from outside (untrusted network) routed through external filtering router -Connections from outside (untrusted network) are routed into and out of routing firewall to separate network segment known as DMZ -Connections into trusted internal network allowed only from DMZ bastion host servers -Screened subnet performs two functions: Protects DMZ systems and information from outside threats and protects the internal networks by limiting how external connections can gain access to internal systems |
|
Virtual Private Network |
-Private and secure network connection between systems; uses data communication capability of unsecured and public network -Securely extends organization’s internal network connections to remote locations beyond trusted network |
|
VPNs must accomplish (3 things) |
-Encapsulation of incoming and outgoing data -Encryption of incoming and outgoing data -Authentication of remote computer and (perhaps) remote user as well |
|
VPN Transport Mode |
-Data within IP packet is encrypted, but header information is not -Allows user to establish secure link directly with remote host, encrypting only data contents of packet |
|
VPN Tunnel Mode |
-Organization establishes two perimeter tunnel servers -These servers act as encryption points, encrypting all traffic that will traverse unsecured network -Primary benefit to this model is that an intercepted packet reveals nothing about true destination system -Example of tunnel mode VPN: Microsoft’s Internet Security and Acceleration (ISA) Server |
|
Signature-Based IDS |
-Examine data traffic in search of patterns that match known signature -Widely used because many attacks have clear and distinct signatures -Problem with this approach is that as new attack strategies are identified, the IDS’s database of signatures must be continually updated |
|
Statistical Anomaly-Based IDS |
-The statistical anomaly-based IDS (stat IDS) or behavior-based IDS sample network activity to compare to traffic that is known to be normal -When measured activity is outside baseline parameters or clipping level, IDS will trigger an alert -IDS can detect new types of attacks -Requires much more overhead and processing capacity than signature-based -May generate many false positives |
|
Network Based IDS |
-Resides on computer or appliance connected to segment of an organization’s network; looks for signs of attacks -When examining packets, a NIDS looks for attack patterns -Installed at specific place in the network where it can watch traffic going into and out of particular network segment |
|
Advantages and Disadvantages of NIDS |
-Good network design and placement of NIDS can enable organization to use a few devices to monitor large network -NIDSs are usually passive and can be deployed into existing networks with little disruption to normal network operations -NIDSs not usually susceptible to direct attack and may not be detectable by attackers -Can become overwhelmed by network volume and fail to recognize attacks -Require access to all traffic to be monitored -Cannot analyze encrypted packets -Cannot reliably ascertain if attack was successful or not -Some forms of attack are not easily discerned by NIDSs, specifically those involving fragmented packets |
|
Host-Based IDS |
Host-based IDS (HIDS) resides on a particular computer or server and monitors activity only on that system -Benchmark and monitor the status of key system files and detect when intruder creates, modifies, or deletes files -Most HIDSs work on the principle of configuration or change management -Advantage over NIDS: can usually be installed so that it can access information encrypted when traveling over network |
|
Advantages and Disadvantages of HIDS |
-Can detect local events on host systems and detect attacks that may elude a network-based IDS -Functions on host system, where encrypted traffic will have been decrypted and is available for processing -Not affected by use of switched network protocols -Can detect inconsistencies in how applications and systems programs were used by examining records stored in audit logs -Pose more management issues -Vulnerable both to direct attacks and attacks against host operating system -Does not detect multi-host scanning, nor scanning of non-host network devices -Susceptible to some denial-of-service attacks -Can use large amounts of disk space -Can inflict a performance overhead on its host systems |
|
IDS Control Strategies (three) |
-Centralized: all IDS control functions are implemented and managed in a central location -Fully distributed: all control functions are applied at the physical location of each IDS component -Partially distributed: combines the two; while individual agents can still analyze and respond to local threats, they report to a hierarchical central facility to enable organization to detect widespread attacks |
|
Trap and Trace Systems |
-Use combination of techniques to detect an intrusion and trace it back to its source -Trap usually consists of honeypot or padded cell and alarm -Legal drawbacks to trap and trace Enticement: process of attracting attention to system by placing tantalizing bits of information in key locations, Entrapment: action of luring an individual into committing a crime to get a conviction, Enticement is legal & ethical, whereas entrapment is not |
|
Packet Sniffers |
-Network tool that collects copies of packets from network and analyzes them -Can provide network administrator with valuable information for diagnosing and resolving networking issues -In the wrong hands, a sniffer can be used to eavesdrop on network traffic -To use packet sniffer legally, administrator must be on network that organization owns, be under direct authorization of owners of network, and have knowledge and consent of the content creators |
|
False Negative Rate |
FalseNeg/ (FalseNeg + TruePos) |
|
False Positive Rate |
FalsePos/ (FalsePos + TrueNeg) |
|
What Makes DDoS Attacks Possible |
-Internet was designed with functionality, not security, in mind! -Internet security is highly interdependent! -Internet resources are limited! -Power of many greater than power of a few |
|
Addressing DDoS Attacks (Ingress Filtering) |
- Block packets that have illegitimate source addresses! - Disadvantage: Overhead makes routing slow! |
|
Addressing DDoS Attacks (Traceback) |
- IP spoofing enables attackers to hide their identity! - Many IP traceback techniques are suggested! |
|
Addressing DDoS Attacks (Mitigating Effects) |
- Pushback |
|
IP Traceback |
-Probabilistic Packet Marking: Probabilistically inscribe local path information; Use constant space in the packet header; Reconstruct attack path with high probability |
|
Pushback |
-Mechanism that lets a router ask adjacent upstream routers to limit the traffic rate -A congested router asks other adjacent routers to limit the rate of traffic for that particular aggregate -Router sends pushback message -Receiving routers propagate pushback |
|
Cryptography (def) |
the practice/study of rendering information unintelligible to everyone except the intended recipient |
|
Cryptanalysis (def) |
Study of obtaining plaintext without knowing key and/or algorithm |
|
Cryptology (def) |
Science of encryption |
|
Steganography (def) |
process of hiding messages (and the existence thereof) in images, text, etc. |
|
Cipher, cryptosystem (def) |
encryption method consisting of algorithm, key, and encryption/decryption procedures |
|
Kerckhoffs’ principle (def) |
a cryptosystem should be secure if everything but the key is publicly known |
|
Cipher Methods (7) |
-Bit stream: each plaintext bit transformed into cipher bit one bit at a time -Block cipher: message divided into blocks (e.g., sets of 8- or 16-bit blocks) and each is transformed into encrypted block of cipher bits using algorithm and key -Substitution cipher: substitute one value for another -Monoalphabetic substitution: uses only one alphabet, e.g., ROT13, Radio Orphan Annie decoder -Polyalphabetic substitution: more advanced; uses two or more alphabets, e.g., Vigenère cipher -Transposition cipher: rearranges values within a block to create ciphertext -Exclusive OR (XOR): Boolean algebra function that compares two bits: if they’re identical, result = 0; otherwise, result = 1 |
|
Cryptographic Algorithms |
-Often grouped into two broad categories, symmetric and asymmetric -Today’s popular cryptosystems use hybrid combination thereof -Symmetric and asymmetric algorithms distinguished by types of keys used for encryption and decryption |
|
Symmetric Algorithm |
-Symmetric encryption: uses same “secret key” to encrypt and decrypt message -Encryption methods can be extremely efficient, requiring minimal processing -Both sender and receiver must possess key -If either copy of key is compromised, an intermediate can decrypt and read messages |
|
Data Encryption Standard |
-Data Encryption Standard (DES): one of most popular symmetric encryption cryptosystems -64-bit block size; 56-bit key -Adopted by NIST in 1976 as federal standard for encrypting non-classified information -Triple DES (3DES): created to provide security far beyond DES -Advanced Encryption Standard (AES): developed to replace both DES and 3DES |
|
Asymmetric Algorithms |
-Uses two different but related keys; either key can encrypt or decrypt message -If Key A encrypts message, only Key B can decrypt -Highest value when one key is private key and the other is public key |
|
HTTP |
-Stateless -Client sends connection request -Server accepts -Client sends request for resources -Server sends resources -Server closes connection -Client parses request -Client requests rest of resources |
|
HTTP Responses |
200 OK, 301 Moved Permanently, 400 Bad Request, 404 Not Found, 505 HTTP Version Not Supported |
|
Challenges to Invisible Traceback |
-Large scale, loose control -Destination oriented routing and forwarding -> easy to spoof source IP addresses -Intermediate nodes record very little information |
|
Marking |
-Packet marking: Mark embedded in packets; Packet content is changed; It is very difficult, if not impossible, to hide such changes when packets are encrypted -Flow marking: Mark is embedded in flow rate changes; No packet content is changed; It is feasible to hide flow rate changes in the Internet, typically with dynamic traffic |
|
Flow Marking |
-A pseudo-noise (PN) code is used for spreading a signal and despreading a spread signal -Marks show a white noise-like pattern in both time, frequency domains -Mark amplitude can be very small -As suspects don’t know the code, it’s very hard for them to recognize marks -Spreading/despreading processes make the mark immune to burst interference introduced by Internet background traffic |
|
Prototyping Embedding Signal |
-Choose random signal length n: (-1,1) -Signal modulator: Obtain the spread signal -Flow modulator: modulate a target traffic flow by appropriate interference (1 w/o interference, -1 w/interference) |
|
Prototyping Recovering Signal at Sniffer |
-Flow demodulator: Sniff target traffic, Sample target traffic to derive traffic rate time series, Use high-pass filter to remove direct component by Fast Fourier Transform (FFT) -Signal demodulator: Despreading by the PN code, Use low-pass filter to remove high frequency noise -Decision rule: Recovered signal == Original signal? |
|
Issues with Flow Marking |
-Not totally invisible -Not accurate to low rate traffic -Robustness |
|
Keyspace (def) |
The number of values that can be used as a key |
|
Entropy (def) |
The number of different actual values something can have |
|
Work Factor (def) |
amount of work (CPU time, instructions) required to perform cryptanalysis on ciphertext to recover plaintext without knowing key or algorithm |
|
Pseudo-random Number Generator |
algorithm that creates “random” number sequence whose properties are similar to those of “real” random number sequences |
|
One-way hash function |
Converts a message to a value |
|
Hash collision |
Two messages produce the same MD |
|
Nonce |
number only used once, helps prevent replay attacks |
|
Attack Replication Vectors (6) |
-IP scan and attack -Web browsing -Virus -Unprotected shares -Mass mail -Simple Network Management Protocol (SNMP) |