118 Cards in this Set
- Front
- Back
Asset
|
something that has value
|
|
Threat
|
An event or object that may defeat the security measures in place and result in loss
|
|
Threat agent
|
A person or thing that has the power to carry out a threat
|
|
Vulnerability
|
Weakness that allows a threat agent to bypass security (exploit)
|
|
Risk
|
- The likelihood that a threat agent will exploit a vulnerability
- Realistically, risk cannot ever be entirely eliminated |
|
Characteristics of security
|
- Confidentiality
- Integrity
- Availability
- Authentication |
|
Passive Attack
|
Attempts to learn or make use of information from the system but does not affect system resources
|
|
Active Attack
|
Attempts to alter system resources or affect their operations
|
|
Types of Passive Attacks
|
1) Release of message contents
2) Traffic analysis |
|
Types of Active Attacks
|
1) Masquerade
2) Replay
3) Modification of messages
4) Denial of service |
|
Masquerade
|
Takes place when one entity pretends to be a different entity
|
|
Replay
|
Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
|
|
Modification of Messages
|
Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect
|
|
Denial of Service
|
Prevents or inhibits the normal use or management of communications facilities
|
|
Security Mechanism
|
A process that is designed to detect, protect, or recover from a security attack
- No single mechanism will support all services required |
|
Security Services
|
A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. Intended to counter security attacks and make use of one or more security mechanisms.
|
|
X.800 Divisions of Security Services
|
1) Authentication
2) Access control
3) Data confidentiality
4) Data integrity
5) Non-repudiation |
|
Access Control
|
The process by which resources or services are granted or denied on a computer system or network
|
|
Typical Steps in Access Control
|
1) Identification - review of credentials
2) Authentication - validate credentials as genuine
3) Authorization - permission granted for admittance
4) Access - right given to access specific resources |
|
Password Attack Methods
|
- Brute force
- Dictionary attack
- Rainbow tables |
|
Password Management Strategies
|
1. User education
2. Computer-generated passwords
3. Reactive password checking
4. Proactive password checking |
|
Rainbow Tables
|
Example chain (H = hash function, R = reduction function):
mypass -H-> 821EB342 -R-> frithy -H-> A31D9E21 -R-> ucnrez
- Uses alternating hash and reduction functions |
|
Salted Hash
|
h(salt value|password)
|
|
Estimated Password Safe Time
|
- Applies only to brute force attacks
- R = transmission rate (characters/second)
- E = number of characters exchanged in a login attempt
- L = length of the password
- A = size of the alphabet
- Time = (1/2) * (A^L) * (R*E) |
|
Time-synchronized One-time Passwords (OTP)
|
- Most common one-time passwords (dynamic passwords that change frequently)
- Used in conjunction with a token |
|
Cryptography
|
The science of transforming information into an unintelligible form while it is being transmitted or stored so that unauthorized users cannot access it
|
|
Steganography
|
- Hides the existence of the data
- What appears to be a harmless image can contain hidden data embedded within the image
- Can use image files, audio files, or even video files to contain hidden information |
|
Plaintext
|
readable strings of characters
|
|
Ciphertext
|
Scrambled plaintext - not readable
|
|
Encryption
|
Converting plaintext to ciphertext
|
|
Decryption
|
Converting ciphertext to plaintext
|
|
Encryption fundamentals
|
1) Substitution - replaces characters of plaintext with other characters
2) Transposition - permutes plaintext characters |
|
Caesar Cipher
|
- Earliest known substitution cipher
- First used in military affairs |
|
Polyalphabetic Cipher
|
Add alphabetic positions of aligned characters
|
|
Transposition Cipher
|
Rearrange the letter order by writing the message in a rectangle, row by row, and read the message, column by column but permute the order of the columns
|
|
Block Encryption
|
Breaks messages into blocks of a fixed length (64 or 128 bits)
- Considered more secure
- Cipher is reset to its original state after each block is processed
- Makes ciphertext more difficult to break |
|
Stream Encryption
|
Encrypts a digital data stream one bit or one byte at a time
- Fast when plaintext is short
- Can consume a large amount of processing power
- Does not vary, so it may be easier to determine the key |
|
Symmetric Key Sharing
|
- Both parties must have same key
- Key distribution is critical |
|
Number of Symmetric Keys Needed
|
If you have n parties with which you communicate, you need
n(n-1)/2 keys |
|
Symmetric Encryption Methods
|
- DES
- 3DES
- AES |
|
DES
|
- Block cipher that encrypts data in 64-bit blocks
|
|
3DES
|
- Designed to replace DES
- Uses 3 rounds of encryption instead of just one |
|
AES
|
- Approved as a replacement for DES
- Performs three steps on every 128-bit block of plaintext |
|
Categories of cryptographic algorithms
|
1) Symmetric encryption algorithms (2-way function)
2) Hashing algorithms (1-way function)
3) Asymmetric encryption algorithms (2-way function) |
|
Characteristics of Hashing Algorithms
|
1) Ciphertext hash is a fixed size
2) Two different sets of data cannot produce the same hash (collision)
3) It should be impossible to produce a data set that has a desired or predefined hash
4) Can be applied to a set of data of any size
5) It should be easy to compute a hash from a message |
|
Secure Hash Algorithm (SHA)
|
SHA-1 - Patterned after MD4 but creates a hash that is 160 bits in length
SHA-2 - Comprised of four variations, considered a secure hash |
|
Uses of Asymmetric Cryptographic Algorithms
|
- Authenticate sender
- Prevent the sender from disowning the message
- Prove the integrity of the message |
|
Symmetric cryptography
|
Also called private key cryptography
Uses a single key to encrypt and decrypt a message |
|
Asymmetric cryptography
|
Also called public key cryptography
Uses two keys instead of one |
|
Advantages of Symmetric Encryption
|
- Computationally efficient
- Modern methods are quite secure |
|
Disadvantages of Symmetric Encryption
|
- Requires sender and receiver to agree on a key before transmission of data
- Security lies only with the key
- Must have a key for every pair of correspondents |
|
Advantages of Asymmetric Encryption
|
- Key management is relatively easy
- Don't have to create a key for every receiver |
|
Disadvantages of Asymmetric Encryption
|
- Computationally more intensive
- Security of keys can be compromised when malicious users post phony keys |
|
Message Integrity Techniques
|
- Hashing (MD5, SHA-1)
- Message authentication code (MAC) |
|
Message Authentication Code (MAC)
|
- One-way function
- Requires a key
- Appends checksum to message
- A function of the message and a secret shared key |
|
Probability of Collision
|
k = 1.117(sqrt(n)) yields a collision with probability of 50%
|
|
Equation for Encrypting M
|
C = M^e mod n
|
|
Equation for Decrypting C
|
M = C^d mod (fi)
|
|
Add Authentication to Messages
|
Encrypt with sender's private key
|
|
Add Confidentiality to Messages
|
Encrypt with recipient's public key
|
|
Add Integrity to Messages
|
Include a hash of the message
|
|
Digital Signature Schemes
|
- Senders include public key in each message
- Senders can store public keys on a site of their own that is readily accessible
- Public keys may be stored in one or more centrally managed directories |
|
Digital Certificate
|
Associates a user's identity to a public key
- The user's public key that has itself been digitally signed by a trustworthy source |
|
Certificate Authority
|
- An entity that issues digital certificates for others
|
|
Class 1 Certificates
|
Designed for casual web browsing and secure email use
Certifies only the uniqueness of a name or email address |
|
Class 2 Certificates
|
Requires third-party verification of name, address, etc.
Online registration |
|
Class 3 Certificates
|
Must appear in person and present identification credentials
|
|
Class 4 Certificates
|
Issued only after the subject is thoroughly investigated
|
|
Certificate Revocation List (CRL)
|
A list of revoked certificates that is maintained by the certificate authority (CA)
|
|
Types of Certificates
|
1) Personal certificates
2) Server certificates
3) Software publisher certificates |
|
Web of Trust
|
- Decentralized trust model
- Alternative to the centralized trust model of PKI
- Flexible and leaves trust decisions in the hands of users |
|
Transport Layer Protocol
|
Layer 3 in OSI model
Sends data using TCP/IP |
|
IP Security (IPSec)
|
A set of protocols developed to support the secure exchange of packets
|
|
Areas of Protection in IPSec
|
- Authentication
- Confidentiality
- Key management |
|
Tunnel Mode
|
- Encrypts both the header and data portion of the IP packet
- Protects the entire IP packet (including IP header)
- Typically used for connecting secure gateways |
|
Authentication Header (AH)
|
- Provides authentication but not confidentiality
- Adds extra field to traditional IP packet that is used to verify authenticity of the packet |
|
Encapsulating Security Payload (ESP)
|
- Provides packet encryption and, optionally, authentication
- Content of IP packet is encrypted and encapsulated between header and trailer fields |
|
Security Association (SA)
|
- Must be set up in order for pairs of hosts to communicate with each other
- Acts as a virtual connection
- Used in VPN establishment, low-cost remote access, and extranet connectivity |
|
Transport mode
|
Encrypts only the data portion (payload) of each packet yet leaves the header unencrypted
|
|
SSL
|
- Provides web security services between TCP and applications that use TCP
- URLs start with "https"
- Provides confidentiality using symmetric encryption (DES, 3DES or RC4)
- Provides integrity using MAC
- Employed by all major browsers to secure Internet messages |
|
SET
|
An open encryption and security specification designed to protect credit card transactions on the Internet
|
|
TLS
|
- IP version of SSL
|
|
SSL/TLS Counter Attacks
|
- Brute force search of key space
- Known plaintext dictionary attack
- Man in the middle attack
- Spoofing |
|
Malicious software that needs host programs
|
- Trapdoors
- Logic bombs
- Trojan horses
- Viruses |
|
Malicious software that is independent
|
- Worm
- Zombie |
|
Malicious software that replicates
|
- Viruses
- Worm
- Zombie |
|
Virus
|
- Software that attaches itself to a program and propagates itself to other programs
- Carries code to make copies of itself
- As well as code to perform some covert task |
|
Worm
|
- Program that propagates copies of itself to other computers
- Actively searches for other systems by examining host tables or similar repositories of remote addresses |
|
Virus Countermeasures
|
- Simple scanners
- Heuristic scanners - look for fragments of code often associated with viruses
- Activity traps - identify virus-type actions taking place |
|
Logic Bomb
|
- Triggers action when specified condition occurs
- Code embedded in legitimate program
- When triggered it will typically damage the system |
|
Trojan Horse
|
- Program that contains unexpected additional functionality
- Program is usually superficially attractive
- When run, performs some additional tasks
- Often used to propagate a virus/worm or install a backdoor |
|
Trapdoors
|
- Secret entry point into a program
- Allows those who know of it to bypass the usual security procedures
- Have been commonly used by developers
- A threat when left in production programs, where they can be exploited by attackers |
|
Zombie
|
- Program which secretly takes over another networked computer
- Uses that computer indirectly to launch attacks
- Often used to launch DoS attacks
- Exploits known flaws in network systems |
|
Buffer Overflow
|
Occurs when a process attempts to store data in RAM beyond the boundaries of a fixed length storage buffer
|
|
Firewall
|
- Forms a barrier through which traffic in both directions must pass
- Can be designed to work as a filter at the packet level or may operate at a higher protocol level |
|
Types of Firewalls
|
1. Packet-filtering routers
2. Application-level gateways
3. Circuit-level gateways |
|
Packet-filtering Router
|
- Operate mainly at network layer
- Applies a set of rules to each incoming and outgoing packet
- If there is a match to a rule, that rule is invoked to determine whether to forward or discard the packet
- Treat each packet individually
- Are "stateless" = no memory |
|
Application-level Gateways
|
- Operate mainly at application layer
- Also called proxy server
- Acts as a relay of application-level traffic
- Traffic is funneled through small programs called proxies
- Internal computers communicate with proxies, which in turn communicate with the external network |
|
Circuit-level Gateways
|
- Operate mainly at transport layer
- Also works as a proxy server, but just for TCP/IP (not applications)
- Maintains a table of valid connections
- TCP/IP packets arrive at circuit level gateway and go no further
- New TCP/IP packets are then created and sent to the destination |
|
Stateful Inspection Firewalls
|
- Examine each IP packet in context
- Keeps track of client-server sessions
- Checks that each packet validly belongs to one of the current sessions |
|
Advantages of Proxy Servers
|
- Higher security than packet filters
- Only need to scrutinize a few allowable applications
- Easy to log and audit all incoming traffic |
|
Disadvantages of Proxy Servers
|
- Additional processing overhead on each connection (gateway as splice point)
|
|
Common Complex Firewall Configurations
|
1. Screened host firewall system (single-homed bastion host)
2. Screened host firewall system (dual-homed bastion host)
3. Screened subnet firewall system |
|
Screened Host firewall System (single-homed bastion host)
|
- Two-part firewall (packet-filter & bastion host)
- Only packets from and to the bastion host are allowed to pass through the router
- Implements packet-level and application-level filtering |
|
Screened Host Firewall System (dual-homed bastion host)
|
- Separate physical connections in and out of Bastion host to make sure it can't be bypassed if packet-filtering router is compromised
|
|
Screened-subnet Firewall System
|
- Most secure configuration
- Two packet-filtering routers are used
- Creation of an isolated sub-network (known as DMZ) |
|
Advantages of Screened-subnet Firewall Systems
|
- Three levels of defense
- Outside router advertises only the existence of the screened subnet to the internet
- The inside router advertises only the existence of the screened subnet to the internal network |
|
Honeypot
|
- Intended to trap or trick attackers
- Typically a computer located in a DMZ that is loaded with software and data files that appear to be authentic |
|
Three primary purposes of a honeypot
|
1. Deflect attention
2. Early warnings of new attacks
3. Examine attackers' techniques |
|
Intrusion Detection Systems (IDS)
|
- Attempt to detect unusual patterns of activity or those known to correlate with intrusions
|
|
IDS Purposes
|
- Detect attacks
- Enforce policies
- Provide an audit trail |
|
IDS Actions
|
- Configure the firewall to filter out the IP address of the intruder
- Save packets in a file for further analysis
- Send an entry to a system log file
- Send email, page, or a phone message to the network administrator |
|
Anomaly-Based IDS
|
- One type of IDS that looks for suspicious patterns
- Compares new behavior against "normal" or "acceptable" behavior |
|
Pros to Anomaly Based Detection
|
- Robust against new types of attacks
- No need to write rules |
|
Cons to Anomaly Based Detection
|
- Prone to false alarms
- Computationally intensive |
|
Rule Based IDS (Snort)
|
- Identify the exploit of interest
- Run the exploit on a test network, recording all traffic between the target and attack hosts
- Analyze the data for a unique signature
- Condense the signature into a rule |
|
Pros of Rule Based Detection
|
- Good against known attacks
- Keeps false positives low
- Less computation |
|
Cons of Rule Based Detection
|
- Not good against unusual or novel attacks
- Writing rules can be tedious |