Study your flashcards anywhere!

Download the official Cram app for free >

  • Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key

image

Play button

image

Play button

image

Progress

1/99

Click to flip

99 Cards in this Set

  • Front
  • Back

According to ISC2, without an appropriate classification scheme, there is no ____________

Data Security


What is the first step to a classification scheme?

Security Classification Guide (SCG)


What are the commercial classification levels order (highest to lowest)?
Sensitive, Private, Public, Confidential
Highest to lowest:
Confidential
Private
Sensitive
Public

The __________ is the subject responsible for classifying and labeling objects and for protecting and storing data on any system. (They protect CIA)

Owner (or Data Owner)

The data owner is responsible for classifying and labeling objects and for protecting and storing data on any system. Do they personally do all of the work mentioned?

No. They hire others to do it. (sys admin?)

Categorize the information system and the information processed, stored, and transmitted by that system based on an _____________.

impact analysis

FIPS 199 establishes 3 potential levels of impact (______,_______,______) on CIA.

- Low (Limited Adverse Effect)


- Moderate (Serious Adverse Effect)


- High (Severe/Catastrophic Adverse Effect)

What is the term that defines the range you will be working with?

Scope

After the scope is defined, the next step is to zoom in and determine what your specific assets are and how they can be properly protected. This allows you to perform ___________.

Tailoring, or customization

What are the Scoping and Tailoring metrics?


(Hint: KGI KPI)

Key Goal Indicators


Key Performance Indicators

Data ownership is a ________ process that details an organization's legal ownership of enterprise-wide data

Governance

What is FIPPS?

Fair Information Practice Principles


- Open framework defining privacy principles


- Considers the privacy implications as part of cybersecurity

What level are data owners, data custodians, and data processors?

Upper Mgmnt


Administrators


Users

What is the 2nd step in the NIST RMF?

Select an initial set of security controls for the information system, based on the security categorization.

What is the use of anti-spam filtering software to allow only specified e-mail addresses to get through.

Whitelisting

What is the difference between need-to-know and least privilege?

Need-to-know is only human beings




Least Privilege can be users and/or processes (users only get those access they need to perform official duties)

What is an agreement between two or more parties to subvert security?

Collusion

If data is sensitive, it is appropriate to keep it in a locked area (physical) called a ___________.

Vault

What is the residual information remaining on storage media?

Data Remanence

What are the two Data Remanence Countermeasures?

- Clearing (sanitizing through deleting/rewriting)


- Purging (physical or logical techniques that render data unrecoverable even in a state-of-the art laboratory)

What are 4 purging operations?

Overwriting (7 times)


Encryption (encrypt then destroy key)


Degaussing (magnetic fluctuation)


Physical destruction (pow)

2 types of encryption for data at rest?

- Whole Drive (decrypted to access)


- File/folder level encryption (copied with encryption)

What are the two original common hash functions?

SHA1 and MD5

What replaced SHA1 and MD5?

SHA2 (or SH256) - (longer, more collision resistant)




Note: MD5 is no longer secure

How many bits is the MD5 hash?


SHA1?


SHA2?

MD5: 128 Bits


SHA1: 160 Bits


SHA2: 256 Bits

What is hashing collision?

Two different binary files creating the same hash

What are the two primary uses of hashes?

1: Verify file has not been altered (especially those sent over the Internet)


2: Storing passwords

What adds padding to passwords before they are hashed?

Salting (padding, or initial vector)

What are the Asymmetric Algorithms (A REED)

RSA (PKI) , ECC, ElGamal, Diffie Hellman - A REED

What are the Symmetric Algorithms?

RC4, AES, IDEA, DES, Triple DES, Blowfish

What is a string of bits used by an algorithm for encryption? (typically shown to humans as a hex string)

Cryptographic Key

What is the speed difference between symmetric and asymmetric encryption?

Sym = fast


Asym = slow(er)

Most common Asymmetric Algorithms?

RSA, ECC


(PKI is not an algorithm. It is an infrastructure based on public key cryptography).

Most common Symmetric Algorithm(s)?

AES, (also RC4, only in early WiFi)

What are the AES encryption key bit length?

128 to 256 bit keys

What block cipher, that divides a message into64-bit blocks and employs S-box-type functions, was replaced by AES.

Data Encryption Standard (DES)

In AES, why use 128 bit key?


What abut 256?

128: Session Key (doesn't need to be as secure)


256: Data at rest (needs more security)

When utilizing encryption of data-at-rest on an entire hard drive, what is the module you would use with BitLocker?


(Hint: TPM)

TPM (Trusted Platform Module) Chip

What does AES stand for and what type of encryption is it?

Advanced Encryption Standard - Symmetric

What is the De facto asymmetric algorithm?

RSA (Named for Rivest, Shamir, and Adleman

What is the federal Asymmetric digital signature standard adopted by most companies/modern PKI processes?

Asymmetric DSS

What crypto method uses both Asymmetric and Symmetric encryption?

Hybrid

Who is the trusted third party that creates digital certificates and creates public/private key pairs, manages security credentials, and publishes CRLs?

Certificate Authority

What is X.509?

A format for digital certificates

Who is a licensed certificate distributor or middleman, regarding PKI?

Registration Authority (RA)

What are the two types of Certificate Authorities?

Public (outside) - Internet CA's sell digital certs

- Good on Internet

Private (inside) - Create your own CA


- Not valid on Internet (not trusted)

What is a trust relationship that exists between two or more CAs through a third CA they both trust?

A Bridge Trust

Which Certificate Authority vouches for themselves?

Root CA

Who vouches for Subordinate Certificate Authorities?

Root CA

Difference between key suspension and revocation

suspension - put on hold (Maternity Leave)


revocation - revoked before expiration

PKI key revocation includes Expiration, Renewal, and Destruction. Define Each.

Expiration: self explanatory


Renewal: Losing a CAC


Destruction: end of life cycle or compromise

The CA can store a copy of a private key offline. What is this called?

Escrow (Only Key Recovery Agents (KRA) can pull them from "storage".)

________________ is a list (file) of revoked or suspended certificate serial numbers.

CRL (Certificate Revocation List)

What is a more modern CRL name?




(Hint: OCSP)

OCSP (Online Certification Status Protocol)

What digital certificate is primarily used to prove identity (authentication)

X.509

What is a popular numbered set of PKI standards that have been defined by the RSA corporation?




(Hint: PKCS)

Public-Key Cryptography Standards

What PKI Standards (other than PKCS) exist?

FIPS (Federal Information Processing)



How are public keys stored?

Embedded within digital certificates

What cryptography method exchanges keys between smartphones?

ECC (Elliptical Curve Cryptography)

What is the key exchange protocol used for secure VPN?

IPSec (Internet Protocol Security)

Where can private keys be stored?

On a CAC or on the local user's system

What protocols provide email security?

PGP (Pretty Good Privacy)
SMIME/Exchange(allows MIME to encrypt and digitally sign email messages and encrypt attachments

Which is considered the weaker system?


Link or End-to-End encryption and why?

Link, because the packets are decrypted at each hop.

Within IPSec, what are the two primary features for:


1. Encryption


2. Integrity

1. Encapsulating Security Payload (ESP)


2. Authentication Header (AH)

What protocol uses the Diffie-Hellman technique to establish session keys?

OAKLEY

IPSec uses ________, the de facto standard, exchange keys

IKE = Hybrid (ISAKMP + OAKLEY)

List 3 main secure Point-to-Point Tunneling Protocols?



HTTPS


SSL (Secure Socket Layer)


TLS (Transport Layer Security)



What are 2 protocols that replaced FTP, allowing secure file transfer?

SSH (Secure Socket Host)


S-FTP (S-FTP uses SSH)

In cryptanalytic attacks, what is a Frequency Analysis?

e.g. Looking for frequency of a or e in English...

In cryptanalytic attacks, what is an algorithm error?

Exploiting known weaknesses in program (engineers built without crypto in mind)

In cryptanalytic attacks,what is a dictionary attack?

List of common passwords using dictionary files (lists)

What is a rubber hose attack?

Extortion, bribery, or threats of violence

What is a birthday attack?

Trying to force a collision against hash passwords - (reverse hash matching)

What is a legitimate use to hide copyright information called?

Digital Watermarking (a photographer protecting their images)

What is an attack in which Messages usually start with the same type of beginning and close with the same type of ending, allowing an attacker to "brute force" the rest of a message?

Known Plaintext

What is the attack called when an attacker has only several cyphertext messages?

Cipher-text only

In this attack, the attacker has the plaintext and ciphertext, but can choose the plaintext that gets encrypted to see the corresponding ciphertext

Chosen Plain-text (goal is to figure out the key)

In this attack, the attacker can choose the ciphertext to be decrypted and has access to the resulting decrypted plaintext. Again, the goal is to figure out the key.This is a harder attack to carry out compared to the previously mentioned attacks, andthe attacker may need to have control of the system that contains the cryptosystem.

Chosen cipher-text (goal is to figure out the key)

Digital signatures have to do with what type of cryptography?

Asymmetric

What are the 2 main things Asymmetric crypto provides?

Confidentiality and Authentication

What key do you use to encrypt keys for confidentiality mode? (sending symmetric session key)

Recipients Public Key

What key do you use to encrypt hashes for Authentication mode (proving your identity)

Sender's private key

____________ is an encrypted hash generated by a sender of data to provide origin authentication (proof of sender ID)

Digital Signature

Digital signatures provide confidentiality.


T/F

False! Only authentication!

A message digest is another name for a ____?

Hash

What are the 2 main Asymmetric Algorithms?

RSA and ECC

How long are RSA keys?

1024 Bit (largely obsolete)


2048 Bit (Norm)

What is RSA mainly used for?

To transfer and protect keys

1. How long are ECC keys?


2. Are they public and private?


3. How are they used?

1. 256 Bit (smaller, but with same strength as RSA) (mystery 160 bit)
2. Yes!

3. Smartphones and tablets

What cryptography algorithm streams one bit at a time?

RS4 (stream cipher)

What is El Gamal?

Asymmetric encryption algorithm based on Diffie-Hellman

What are the 3 levels of Certificate Authorities?

Top: Root CA


Middle: CA


Lower: RA

What type of encryption is used on removable media?

File/folder encryption

What type of encryption is used for data in motion?

AES (Symmetric)

PKI uses what algorithm?

RSA

How are Public Private keys initially created?

Multiplying two large prime numbers

What is the protocol used for session communication (client to client or client to server)?

TLS (Transport Layer Security) or SSL (Secure Socket Layer)

The session key can also be called the __________.

secret key

What is a one-time pad?

A one-time use encryption method. Use the key, then throw it away.




(First unbreakable paper cipher)