45 Cards in this Set

| Front | Back |
|---|---|
| What is RAND R-609? | Written by William H. Ware, it attempted to define the multiple controls and mechanisms necessary for the protection of a computerized data processing system. |
| What is CIA? What does each word mean? | Confidentiality: protected from disclosure to unauthorized individuals. Integrity: describes how data is whole, complete, and uncorrupted. Availability: data is accessible and correctly formatted for use without obstruction. |
| Who invented the Internet? | Dr. Larry Roberts |
| Is technological obsolescence good or bad in regard to security? Why/why not? | When new products come out, making old products obsolete, like BlackBerrys being replaced by other smartphones, or the house phone being replaced by the cellphone. Manufacturers can make laptops with different chargers, so reuse of tech is lower, meaning more spending and waste of utility and resources. |
| Password strength: is length or complexity better? What is the formula for possible passwords? | Possible combinations = (number of possible characters) ^ (password length). Longer is better. |
| What is the difference between phishing and pharming? | Phishing: defrauding an online account holder of financial information by posing as a legitimate company. Pharming: directing Internet users to a bogus website that mimics the appearance of a legitimate one, in order to obtain personal information such as passwords, account numbers, etc. |
| Computer Fraud and Abuse Act of 1986 | Made hacking "illegal"; cornerstone of many computer-related federal laws. |
| USA PATRIOT Act of 2001 | Gave the government the ability to monitor activity when investigating terrorism. |
| Computer Security Act of 1987 | Requires systems to have acceptable security practices. |
| Health Insurance Portability and Accountability Act | Mandates industry-wide standards for health care information on electronic billing. |
| Sarbanes-Oxley Act of 2002 | Established accountability for executives at publicly traded companies. |
| Children's Internet Protection Act | Requires K-12 schools and libraries to use Internet filters. |
| Calculating risk | (Likelihood % * Attack Success %) * (Asset Value * Probable Loss %) + Uncertainty |
| Learn the OSI Model | Physical, Data Link, Network, Transmission, Session, Presentation, Application |
| Cost Benefit Analysis (CBA) | ALE(prior) - ALE(post) - Annualized Cost of Safeguard (ACS) |
| Annualized Loss Expectancy (ALE) | SLE * Annual Rate of Occurrence (ARO) |
| Single Loss Expectancy (SLE) | Exposure Factor (EF) * Asset Value (AV) |
| How does Kerberos work? | 1) The computer lets Kerberos know that it's a PC; 2) Kerberos acknowledges it; 3) the computer asks for a ticket; 4) Kerberos grants the ticket; 5) the computer tries to use the ticket; 6) Kerberos checks that the ticket is good; 7) the server takes out the document/performs the task; 8) the server checks with Kerberos that the actions were done right; 9) Kerberos acknowledges; 10) the process is granted back to the computer. |
| The difference between identification, authentication, authorization, and accountability | Identification: when a user claims to have some form of identity. Authentication: provides a way of identifying a user via name or password. Authorization: after logging in, the user may try to issue commands; authorization determines whether you have the ability to issue them. Accountability: logs the user's actions to make sure they didn't use too many resources, or resources they don't have. |
| What is the purpose of NAT? (Not what does it do, why?) | Think of a receptionist at an office. NAT operates on a router, usually connecting two networks together, and translates the private addresses in the internal network into legal addresses. |
| What are some examples of firewalls? How do they work? | Can be software or hardware. Hardware can be a dedicated server designed to catch weird OP connections and time them out. Software is the piece that regulates which websites you can access and what can reach your PC online. |
| What does Lightweight Directory Access Protocol (LDAP) do? | A directory service protocol that runs on a layer above the IP stack; it provides a mechanism used to connect to the internet. |
| What are honeypots and how do padded cell systems utilize them? | Honeypot: a deception trap designed to entice an attacker into attempting to compromise the information (dummy info). Padded cells are honeypots that are hard to crack: a hardened honeypot. |
| What is Snort an example of? | Snort is a free and open source network intrusion prevention system. |
| What vulnerability does the DROWN attack exploit? | A cross-protocol security bug that attacks servers supporting modern protocol suites, making them obsolete. Mnemonic: drowning a security guard; if they control security, you snuff them out. |
| Be able to translate using the Vigenère and XOR ciphers | Vigenère: make a grid with the alphabet along the X and Y axes, and write out the alphabet in the center. Write the key under the code, e.g. top line "codecodecodecode", bottom line "keykeykeykeykeyke". Top is the column, left is the row; find the middle letter where the X and Y cross and use that; repeat. XOR: take your phrase as a number and place the key under it. Add them up: 1 + 1 = 0, 0 + 0 = 0, 1 + 0 = 1. If they're the same it's 0; if they're different it's 1. Done. |
| What is a shifting substitution cipher? | If the number is 3, then ABCDEFGHI becomes XYZABCDEF: it scoots the alphabet over by the given number. |
| What is DES based off? What is DES's successor? | Data Encryption Standard. It came from IBM; the algorithm went to the National Bureau of Standards. Replaced by AES (Advanced Encryption Standard). |
| What is the difference between brute-force, dictionary, and rainbow table attacks? | Brute force: try all the possible combinations. Dictionary: guessing attack using a precompiled list of options, using options that are likely to work. Rainbow table: optimized for hashes and passwords with great space optimization while maintaining look-up speed; in essence a specific dictionary. |
| Why is WEP considered less effective than WPA? | WEP uses static IP. |
| What is steganography? | The practice of concealing messages or information within other nonsecret text or data. |
| What fire extinguisher classes should be used in the event of an electrical fire? Flammable liquid/gas? | Dry powder against flammable liquid/gas; probably the same for an electrical fire. |
| What are the different classes and their mnemonic? (When covering fire extinguishers) | A - Ash, B - Barrel, C - Current, D - Dynamite, K - Kitchen |
| What is the importance of a UPS? | Making sure power doesn't go out completely, destroying the machine or the files on it. |
| Janitors are often required to have access to sensitive areas; what policies/procedures can be used to ensure safety of information? | Track their cards and give them a different identification than most. |
| What are the different types of locks? How does each one differ? | Electromagnetic: accepts a variety of inputs as keys. Fail-safe: auto-releases when power goes out. Mechanical: physical lock that requires a key. Fail-secure: locks when power goes out. |
| What is change culture? What is the Lewin Change Model? | Unlock the system; change the components; lock it down so no editing can happen. |
| What are deliverables? Milestones? | A deliverable is a tangible outcome of a project; a milestone is the expected milestone. |
| Why are job rotation, separation of duties, and least privilege considered good security practices? | Everyone can do a bit of everything; it doesn't give one person all the power; provides split responsibility rather than relying on one person. |
| Be able to explain why Misha Glenny says "Hire the hackers" (specifically why he says it) | Because hackers know how to break things, so use that knowledge in terms of how to fix the breaks. |
| Be able to explain the different steps of employment (from interview to termination) | Job description; interview; background checks; contracts; orientation; on-site security training; termination (exit interviews; hostile vs. friendly departure). |
| What is SQL Injection? How did you extract passwords from the database? Could you do it again? (Hint hint) | Injecting different commands to extract information from a file that uses SQL. |
| What is the HOSTS file for? | Allows you to define domain names separately from DNS servers. The IP is the number; the domain name is the site name. |
| What are the different types of account policy controls that can be applied to passwords? | Maximum and minimum age; history; length; complexity; how long it lasts; lockout time; lockout period. |
| Difference between Telnet and SSH? Remote Desktop? | Telnet is an unencrypted, text-only connection to a remote computer using a command shell. SSH is the encrypted cousin of Telnet. Remote Desktop is an encrypted connection to a Windows machine that allows you to run the full Windows interface remotely. |