41 Cards in this Set
- Front
- Back
Communicating Risk (well-formed risk statement) |
Components of a well-formed risk statement: Asset, Threat, Vulnerability, Mitigation, Impact, Probability |
|
What are internal controls? |
Policies, procedures, practices and org. structures implemented to reduce risks |
|
Classification of internal controls |
1. Preventive
2. Detective
3. Corrective |
|
What does SOX address? |
Auditing, financial statements, internal control, executive responsibility.
Aimed at restoring investor trust
Response to Enron/WorldCom scandals |
|
What does HIPAA address? |
Federal regulation that healthcare providers must comply with
Protects patient's health information (privacy, security, confidentiality)
PHI = Protected Health Information |
|
What does Gramm-Leach-Bliley Act (GLBA) address? |
- Financial Privacy Rule
- Safeguards Rule
- Pretexting Protection |
|
GLBA |
Federal law that regulates security and confidentiality of customer nonpublic personal information by financial institutions |
|
Social Engineering |
Tactic of making people buy into an attacker's good intentions (pretend to be in need of help, pretend to be able to help)
Ex: spoof email from network admin "we have a big virus notification from Microsoft, they emailed us this patch, please apply it to your system immediately" |
|
Payment Card Industry Data Security Standard (PCI DSS) |
Applies to merchants that store, process, or transmit cardholder data
Applies to all payment acceptance channels (brick & mortar, phone, e-commerce)
Includes 12 requirements |
|
Policies |
Formal, brief, high-level statement or plan that embraces a company's general beliefs, goals, objectives, and acceptable procedures for a specific subject area
Require compliance (mandatory)
Focus on desired results, not means of implementation |
|
Policy types |
- Security
- Privacy
- Data Classification
- Passwords
- Acceptable Use
- HR Related
- Mandatory Vacations |
|
Standards |
Mandatory rule designed to support and conform to a policy
Makes a policy more meaningful and effective |
|
Guidelines |
General statements or recommendations designed to achieve the policy objectives by providing framework to implement procedures
Can change frequently based on environment, should be reviewed more frequently than standards/policies
Not mandatory, rather suggestion of best practice |
|
Access Control |
Process by which resources or services are granted or denied on a computer system |
|
Authentication & Authorization |
Authentication = checking a user's credentials to be sure they are authentic and not fabricated
Authorization = granting permission to take action on the resource
Identification: user enters username
Authentication: user provides password
Authorization: user is authorized to log in
Access: user is allowed to access only specific data |
|
Access Control Models |
MAC (Mandatory Access Control): end user cannot implement, modify, or transfer any controls. Owner and custodian are responsible for managing access controls (military)
DAC (Discretionary Access Control): subject has total control over any object that he/she owns along with programs that are associated with those objects. Relies on end-user subject to set proper level of security
RBAC (Role Based Access Control): "non-discretionary access control", considered more real world approach than other models. Assigns permission to particular roles in the org, then assigns users to those roles. Objects are set to be a certain type, to which subjects with particular role have access |
|
Separation of duties |
Concept of having more than one person required to complete a task
Ex: person approving access should not perform provisioning |
|
Implicit Deny |
If a condition is not explicitly met, then it is to be rejected |
|
Job Rotation |
Instead of one person having sole responsibility for a function, people are periodically moved from one job to another |
|
Least Privilege |
Each user only given the minimal amount of privileges necessary to perform his/her job function |
|
Access Control List (ACL) |
Set of permissions that is attached to an object
Specifies which subjects are allowed to access the object and what operations they can perform on it |
|
Attacks on passwords |
Dictionary attack = begins with the attacker creating hashes of common dictionary words from a list
Brute force attack = simply trying to guess a password by trying combinations of characters |
|
Standard Biometrics |
Uses a person's unique characteristics for authentication (something you are)
Fingerprints, faces, hands, irises, retinas |
|
Behavioral Biometrics |
Authenticates by normal actions that the user performs
Ex: keystroke dynamics (attempts to recognize a user's unique typing rhythm) |
|
Wide-area-network (WAN) |
Generally function at the lower 3 layers of the OSI model:
- Physical layer
- Data Link layer
- Network layer |
|
IP address prefix & suffix |
Prefix: identifies the network to which a computer is attached
Suffix: identifies the computer within that network |
|
IP classes |
Class of an address is identified by the first 4 bits
Class A, B, C = primary classes
Class D = multicast
Class E = reserved
Range of values (first octet):
A: 0-127
B: 128-191
C: 192-223
D: 224-239
E: 240-255 |
|
Special ID numbers |
127.x.x.x = local loopback, not sent to network
255.255.255.255 = limited broadcast, not sent to external network
0.0.0.0 = local host
Private addresses (non-routable on the internet):
- 10.x.x.x
- 172.16.x.x - 172.31.x.x
- 192.168.x.x |
|
What is a protocol? |
Allows entities from different systems to communicate
Shared conventions for communicating information are called protocols
Includes syntax, semantics, and timing |
|
Need for ICMP |
IP provides best-effort delivery; delivery problems can be ignored, datagrams can be dropped
ICMP (internet control message protocol) provides error-reporting mechanism |
|
ARP |
Address Resolution Protocol
Two-part protocol:
- Request from source asking for hardware address
- Reply from destination carrying hardware address |
|
Transport protocols |
TCP and UDP
Provide end-to-end delivery between endpoints of a connection
TCP uses IP for data delivery |
|
Ports |
Sit on Transport layer
16-bit numbers:
0-1023 = well-known ports
1024-49151 = registered ports
49152-65535 = dynamic/private ports
Combining a computer's IP address with a port gives a socket
End-to-end communication between two computers is identified by two sockets |
|
Banner Grabbing |
An easy way of determining which services are associated with open ports
Can provide info about what type and version of software is running
Done with Netcat, Telnet, FTP |
|
Port Scanning |
Testing waters to find potential points of entry into a system, determine what services/apps are running
NMap most popular tool
TCP Connect: complete 3-way handshake
TCP SYN: complete first two steps of 3-way handshake
TCP FIN: send FIN to target port, closed ports respond with RST
TCP Null: send packet with no flags; if OS has implemented per RFC 793, closed ports will return RST
TCP XMAS: send packet with FIN, URG, PSH flags, closed ports return RST |
|
Access attack |
Attempt to see information that attacker is not authorized to see
Snooping = looking through information files to find something interesting
Eavesdropping = listening in on a conversation one is not a part of
Sniffer = computer that is configured to capture all traffic on a network
Correct access permissions will prevent most casual snooping for electronic info |
|
Denial-of-Service (DoS) |
Deny use of resources, info, or capabilities to legitimate users
Information may be destroyed, converted to unusable form, or shifted to inaccessible location
System and information are left untouched, but lack of communication prevents access to them |
|
Spoofing |
Dsniff and Ettercap can spoof ARP |
|
IDS (Intrusion Detection System) Components |
Traffic collector (collects activities/events for IDS to examine)
Analysis engine (examines collected network traffic and compares to known patterns of suspicious activity stored in signature database)
Signature database (collection of patterns and definitions of known suspicious activity)
User interface/reporting (interfaces with human element, providing alerts when appropriate and giving user a means to interact with and operate IDS) |
|
Honeypot |
Deception-oriented approach
Emulate production servers while actually having no production value |
|
Honeypots advantages/disadvantages |
Advantages:
- Data collection
- Resources
- Failure to attack successfully may deter attackers from attacking real systems
Disadvantages:
- Isolation (attacker recognizes the honeypot and avoids it, attacks production system instead)
- Risk (certain configurations may allow intruders to launch new attacks)
- Legal issues (luring attackers... liable?) |