164 Cards in this Set
- Front
- Back
Threat environment
|
the types of attackers and attacks companies face
|
|
3 Security goals
|
CIA
Confidentiality Integrity Availability |
|
Confidentiality
|
people cannot read sensitive information, either while it is on a computer or while it is traveling across a network
|
|
Integrity
|
attackers cannot change or destroy information; or if info is changed the receiver can detect the change or restore destroyed data
|
|
Availability
|
people who are authorized to use info are not prevented from doing so.
|
|
Compromises
|
successful attacks (also called incidents or breaches)
|
|
Countermeasures
|
tools used to thwart attacks (also called safeguards, protections, and controls)
|
|
3 Types of countermeasures
|
preventative (keep attacks from succeeding), detective (identify threats), corrective (get business back on track)
|
|
Goal of countermeasures
|
to keep business processes on track despite the presence of threats and actual compromises
|
|
What does PCI-DSS stand for?
|
Payment Card Industry Data Security Standard
|
|
Why are employees dangerous? 4
|
1. They have extensive knowledge of systems.
2. They have credentials to sensitive parts of the system
3. They know corporate control mechanisms
4. Companies tend to trust employees. |
|
employee sabotage
|
destruction of hardware, software, or data
|
|
employee hacking
|
intentionally access a computer resource w/o authorization or in excess of authorization
|
|
What is the key issue in hacking?
|
authorization, are you authorized?
|
|
IP (intellectual property)
|
info owned by company and protected by law; copyrights, patents, trade names, trademarks
|
|
trade secrets
|
pieces of sensitive info that firm acts to keep secret (plans, formulations, processes, lists, etc.)
|
|
employee extortion
|
perpetrator tries to get money/goods by threatening to take actions that would be against victim's interest
|
|
abuse
|
activities that violate a company's IT use policies or ethics
|
|
contract workers
|
work for the firm for brief periods of time
|
|
traditional external attackers
|
use internet to send malware into corporations
|
|
Malware
|
generic term for evil software
|
|
viruses
|
programs that attach themselves to legitimate programs; spread by email
|
|
worms
|
full programs (do not attach to other programs)
|
|
direct propagation
|
does not require user action
|
|
blended threats
|
combo of viruses and worms
|
|
payloads
|
pieces of code that do damage; executed by worms/viruses
|
|
malicious payloads
|
heavy damage
|
|
How do most viruses spread today?
|
Through email
|
|
Trojan Horse
|
program that replaces an existing system file, taking its name
|
|
Remote Access Trojans (RAT)
|
Allow the attacker to control your computer remotely
|
|
Downloaders
|
small trojan horses that download Trojan horses after the downloader is installed
|
|
Spyware
|
programs that gather info about you and make it available to adversaries
|
|
Cookies
|
can be spyware when they keep too much info on you
|
|
Keystroke loggers
|
capture all keystrokes
|
|
password stealing spyware
|
says you have been logged out of the server you are visiting and asks you to retype your username/password, then sends them to the attacker
|
|
rootkits
|
take over the root account and use its privileges to hide themselves.
|
|
Mobile code
|
Executable code on a webpage (javascript is popular); can do damage if computer has vulnerability
|
|
social engineering attacks
|
take advantage of flawed human judgment by convincing the victim to take actions that are counter to security policies
|
|
SPAM
|
unsolicited commercial email
|
|
phishing
|
email messages that appear to come from a bank or another firm; everything looks real, but it's FAKE
|
|
spear phishing
|
in contrast to phishing, spear phishing is targeted at a single person or group; note to CEO that looks urgent, ex.
|
|
hoaxes
|
try to persuade victim to damage their own system
|
|
traditional hackers
|
motivated by thrill, validation of skills, sense of power, increased population; do damage; petty crimes
|
|
What is the anatomy of an attack?
|
Reconnaissance probes (ICMP echo scans of IP addresses to find victims; port scans to find open ports)
Exploit: specific attack method |
|
spoofing
|
attacker places a different IP address in the source IP address field so the victim cannot locate the attacker
|
|
chain attack of computers
|
commands are passed through the chain of compromised computers; victims can only trace back a couple of computers
|
|
piggybacking
|
running through a secure door before it closes
|
|
shoulder surfing
|
looking over a shoulder to see the password to a door/computer
|
|
pretexting
|
attacker calls claiming to be a certain customer in order to get private information about that customer
|
|
DoS attacks (denial of service)
|
makes a server/network unavailable to legitimate users; attacks the availability of computers
|
|
distributed DoS attack (DDOS)
|
bots are placed on many internet hosts, then the botmaster sends message to all bots to flood server
|
|
the botmaster can send software updates to the bots
|
It is true
|
|
wizard hackers
|
highly skilled hackers
|
|
hacker scripts
|
programs written by hackers; easy to use; look like commercial products
|
|
script kiddie
|
relatively unskilled hackers who use pre-made scripts
|
|
2 characteristics of skilled hackers?
|
High technical expertise and dogged persistence
|
|
career criminals
|
attack to make money illegally
|
|
cybercrime
|
execution of crime on the internet
|
|
transshippers
|
receive shipped goods at US offices and then ship them to the criminal gang in another country.
|
|
money mules
|
used to transfer money
|
|
black market websites
|
sites for stolen information
|
|
Dominant type of attacker today?
|
career criminal
|
|
fraud
|
attacker deceives the victim into doing something against the victim's financial self-interest
|
|
click fraud
|
program created by criminal to click on a link repeatedly
|
|
extortion
|
using threat of harm to get the victim to comply with demands
|
|
carding
|
credit card number theft; use number until the card is invalidated
|
|
bank account theft
|
more serious than credit card number theft; can drain the victim's bank account
|
|
public intelligence gathering
|
competitor looking at a company's website and other public info to find info that the victim company divulges
|
|
trade secrets are only protected by law if a company makes a reasonable effort to keep them secret
|
it's true
|
|
trade secret espionage
|
illegally steal a company's trade secrets
|
|
cyberwar
|
computer based attacks made by national governments
|
|
cyberterror
|
attacker is a terrorist or group of them
|
|
is the plan-based creation and operation of countermeasures
|
protection
|
|
specifically addresses data protection requirements at financial institutions.
|
GLBA
|
|
Which companies does PCI-DSS affect?
|
Companies that accept credit card payments
|
|
What security functions typically are outsourced
|
Intrusion detection, vulnerability testing
|
|
...means responding to risk by taking out insurance.
|
(risk transference)
|
|
Mandatory vacations should be enforced…
|
(to expose employee schemes)
|
|
Which is more important, security management or security technology?
|
security management
|
|
comprehensive security
|
closing all routes of attack of systems
|
|
Security is a...
|
process, not a product
|
|
Another reason why security management is difficult is that some protections have many components that must all work for the countermeasure to succeed.
|
If the failure of a single element of a system will ruin security, this is a weakest link failure.
|
|
Plan Protect Respond cycle
|
Plan = having a plan
Protect = plan-based creation and operation of countermeasures
Respond = recovery according to the plan |
|
What stage of the PPR cycle consumes the most amount of time?
|
Protect
|
|
In developing an IT security plan, what should a company do first?
|
Assess current security
|
|
What are the driving forces that a company must consider for the future? 3
|
Threat environment
Compliance laws and regulations
Corporate structure changes (like mergers) |
|
What are driving forces?
|
things that require a firm to change its security planning, protections, and response.
|
|
Under what act of Congress must companies report whether they have any material control deficiencies in their financial reporting process?
|
Sarbanes-Oxley Act of 2002
|
|
What act requires strong protection for personal data in financial institutions?
|
GLBA (Gramm-Leach-Bliley Act)
|
|
What act requires strong protection for private data in health care organizations?
|
HIPAA (Health Insurance Portability and Accountability Act)
|
|
What do you call the broad set of rules ensuring privacy rights in Europe?
|
European Union Data Protection Directive
|
|
What is a CSO?
|
Chief Security Officer
|
|
Who is the manager of the security department?
|
the CSO
|
|
Pros/cons to placing IT Security in IT?
|
Pros: compatible technical skills; CIO is responsible for security
Cons: Security has no independence |
|
What is the most commonly advised choice when considering where to place security? Within IT, Outside IT, or a hybrid?
|
Outside IT = the need for independence from IT is too important to consider placing security within IT
|
|
Outsourcing IT: most common way to do it?
|
Email
|
|
MSSP is...?
|
managed security service provider; another outsourcing alternative is to delegate even more controls to an outside firm; gives independence
|
|
In terms of risk, what is the goal of companies?
|
To manage risks, not to eliminate (it's impossible)
|
|
What do you call the process of comparing probable losses with the costs of security protections?
|
risk analysis
|
|
Companies must think in terms of reasonable risk.
|
Security tends to impede functionality.
|
|
What is TCI?
|
Total cost of incident; gives estimates of the complete cost of a compromise (repairs, lawsuits, etc.)
|
|
adopting countermeasures (firewalls, etc.) is also known as...?
|
risk reduction
|
|
what is risk acceptance?
|
implementing no countermeasures and absorbing any damages that occur; usually for small companies where countermeasures far outweigh breach
|
|
what is risk transference?
|
having someone else absorb the risk (like insurance);
|
|
what is risk avoidance?
|
not taking an action that is too risky
|
|
what are legacy security technologies?
|
security technologies that a company implemented in the past and that now are at least somewhat ineffective
|
|
defense in depth
|
attacker must break thru multiple countermeasures to succeed.
|
|
single point of vulnerability
|
attacker can do great deal of damage by compromising a single system
|
|
What are policies?
|
statements of what should be done, not how
|
|
AUP
|
acceptable use policy; summarizes key points of special importance to users
|
|
standards are mandatory
|
guidelines are discretionary
|
|
what three elements make up the fraud and abuse triangle?
|
Opportunity, Rationalization, and Pressure
|
|
what is a sanction?
|
disciplinary action;
|
|
the use of mathematical operations to protect messages traveling between parties or stored on a computer
|
cryptography
|
|
confidentiality
|
people who intercept messages cannot read them
|
|
what was the original purpose of cryptography?
|
encryption for confidentiality
|
|
only one cryptographic protection
|
confidentiality
|
|
means proving one’s identity to another so they can trust you more
|
Authentication
|
|
means that the message cannot be changed or, if it is changed, that this change will be detected
|
integrity
|
|
original message is called
|
plaintext
|
|
cryptographic process that turns the plaintext into a seemingly random stream of bits called ciphertext
|
encryption
|
|
mathematical process used in encryption and decryption
|
cipher
|
|
...is a random string of bits (ones and zeros)
|
A key
|
|
What law says that, in order to have confidentiality, communication partners only need to keep the key secret, not the cipher?
|
Kerckhoffs' Law
|
|
Can a cipher be kept secret?
|
no
|
|
Do keys need to be kept secret?
|
Yes
|
|
how many keys are used in symmetric key encryption?
|
ONE
|
|
...a single key is used for encryption and decryption in both directions
|
In symmetric key encryption
|
|
T/F Nearly all encryption for confidentiality uses symmetric key encryption
|
True
|
|
Kinds of ciphers?
|
transposition (letters are moved around within a message, but the letters themselves are not changed)
substitution ciphers (one character is substituted for another, but the order of characters is not changed) |
|
T/F Ciphers can encrypt any message expressed in binary
|
True
|
|
What is more dominant for encryption today? Codes or ciphers?
|
Ciphers
|
|
What are codes?
|
They use code symbols to represent complete words or phrases
|
|
...is trying all possible keys until the right one is found.
|
Exhaustive search
|
|
Why is key length important?
|
because each additional bit doubles the amount of time it would take to crack the key
|
|
How long must a key be in order to be considered strong?
|
at least 100 bits
|
|
What is the weakest cipher in common use today?
|
RC4 (arc four); extremely fast and uses a small amount of RAM; good for handheld devices; broad range of key lengths
|
|
DES
|
Data Encryption Standard; key size of 56 bits; too short for major business transactions; sufficient for most residential consumer applications; this is a block encryption standard (encrypts 64 bits at a time); weak key length
|
|
Triple DES (3DES)
|
168 bits, very strong; strong symmetric key encryption, but very slow and $$$;
|
|
AES (Advanced Encryption Standard)
|
128, 192, or 256 bits; strong key length; low processing and RAM reqs; today's GOLD STANDARD for symmetric key encryption
|
|
...is the principle of relying on attackers not to obtain learnable info that would result in a catastrophic loss of security if known
|
Security through obscurity
|
|
...a packaged set of cryptographic countermeasures for protecting dialogues
|
A cryptographic system. (it has a system standard)
|
|
Name the 3 handshaking stages of cryptographic systems:
|
1. Initial negotiation of security parameters
2. Initial authentication
3. Keying (secure exchange of keys and other secrets) |
|
...is a specific set of options for a particular cryptographic system standard.
|
A cipher suite
|
|
In authentication, the party trying to prove its identity to the other is called the...
|
supplicant.
|
|
Who is the other party in authentication besides the supplicant?
|
the verifier; the supplicant sends credentials to the verifier.
|
|
T/F Hashing is reversible.
|
FALSE
|
|
What is today's most widely used hashing method?
|
MD5, produces 128 bit hashes
|
|
MD5 and SHA-1 should not be used because they have been shown to be insecure
|
yes...
|
|
What does MS-CHAP stand for?
|
Microsoft Challenge-Handshake Authentication Protocol
|
|
T/F In MS CHAP, both the user and server know the password.
|
True; the password becomes a shared secret known by both the supplicant and the verifier
|
|
In MS CHAP, the verifier sends a challenge message to the supplicant. The supplicant then...
|
adds the password to the challenge message, hashes the result, and sends the hash back as the response message.
|
|
Why are they called session keys?
|
Because they are only used for a single communication session; if they communicate again, they will exchange a different session key.
|
|
In .... key encryption, each party has a public key and a private key that are .... changed.
|
public; never
|
|
A person's public key is available to ?
|
Anyone
|
|
A person's private key is available to ?
|
Just themselves.
|
|
Public key encryption is also known as...?
|
asymmetric key encryption
|
|
How many keys are used in public key encryption?
|
4.
Encrypt with Tom's public key, decrypt with Tom's private key. Encrypt with Ben's public key, decrypt with Ben's private key. |
|
T/F Public key encryption ciphers are easy, fast, and inexpensive
|
FALSE; typically takes 100 to 1000 times longer than symmetric key encryption
|
|
Name two public key encryption ciphers
|
RSA and Elliptic curve cryptography (ECC)
|
|
T/F public key encryption can only be used for confidentiality
|
False, can also be used for authentication
|
|
Describe how to make a digital signature...start with plaintext.
|
The sender (supplicant) first hashes the plaintext message. The result is called the Message Digest. Then the sender encrypts the MD with the sender's private key; this creates the Digital Signature (DS). The sender then sends the DS + Plaintext, encrypted with symmetric key encryption.
|
|
...is an independent and trusted source of information about the public keys of true parties.
|
CA (certificate authority)
|
|
Digital certificates follow what syntax?
|
X.509
|