63 Cards in this Set
- Front
- Back
Types of Controls |
Logical Access Controls; Application Controls; Network Security Controls; Physical & Environmental Controls |
|
What are Logical Access Controls? |
Logical access controls are protection mechanisms that limit users' access to data and restrict their access on the system to only what is appropriate for them. |
|
Paths of Logical Access (4) |
A machine connected to the network; A network device that is part of the network and has a free port to which a personal computer can be attached; A dialup device capable of connecting to the network; A machine having access to the network through wireless mode |
|
Logical Access Exposures |
Data Leakage; Wire tapping; Scavenging; Emanation Interception; Data diddling; Piggybacking; Masquerading; Spoofing; Asynchronous Attacks; Keystroke monitoring; Rounding down; Salami techniques; Trap Doors; Remote shut down; Denial of service; Social engineering |
|
Logical Access Controls |
Identification and Authentication; Access Controls in Operating Systems; Access Control Lists; Database Controls; Audit Trail |
|
Identification and Authentication |
Identification: Identification is a process by which a user provides a claimed identity to the system, such as an account number. Authentication: Authentication is a mechanism through which the user's claim is verified. Authorisation: The authenticated user is allowed to perform a pre-determined set of actions on eligible resources. |
|
Authentication Techniques |
Passwords and PINs; Token Based Authentication; Biometric Security |
|
Weaknesses of PIN/PW mechanism |
Shared PW; Revealing inadvertently; Repeating PW; Too short: easy to hack; Too long: may be written down; Guessed, spoofed, captured |
|
Recommendations for PW |
Don't share; Easy to remember, hard to guess; First PW must be changed; Changed periodically; Concurrent logins not permitted; Special no. of guesses |
|
Token Based Authentication |
Plastic Cards; Proximity Readers; Single Sign-on |
|
Biometrics |
Fingerprint; Facial Scan; Hand Geometry; Signature; Voice; Keystroke Dynamics; Iris Scanners/Retina Scanners |
|
Access Controls in Operating Systems |
Authentication of the user; User Management; Restrict Logon IDs to specific workstations and/or specific times; Manage account policies; Password Policy; Account Lockout Policy; Manage audit policy / Log events; Report capabilities |
|
Database controls |
Database Roles and Permissions; Views; Stored Procedures; Triggers |
|
Database restrictions |
Name-Dependent; Content-Dependent; Context-Dependent; History-Dependent |
|
Audit trail |
An Audit Trail is a record that enables the reconstruction and examination of the sequence of events of a transaction. |
|
Audit trail levels |
Operating systems; Network component; Application; Database |
|
Components of Application Controls |
Application Boundary Controls; Input Controls; Data Processing Controls; Datafile Controls; Output Controls |
|
Application Boundary Controls |
The objective of boundary controls is to prevent unauthorized access to applications and their data. |
|
Application boundary controls Techniques |
Logon IDs and passwords; Access to the application from specified terminals only; Using Cryptographic Controls; Using audit trails |
|
Why input controls? |
Input controls are responsible for ensuring the accuracy and completeness of data and instruction input. |
|
Input controls |
Source Document Design; Data entry screen design; Data code controls; Batch Controls; Data Input Validation Controls; Data Input Error Handling and Reporting; Instruction Input Controls |
|
Source Document Design |
It reduces data entry errors; Increases speed of data entry; Ensures better control over the process; Assists subsequent reference |
|
Data entry screen design |
Screen organisation; Caption design; Data entry field design; Tabbing and skipping; Colour; Display rate; Prompting and help facilities |
|
Data Entry: Types of data coding errors: |
Addition: Addition of an extra character in a code; Truncation: Omission of characters in the code; Transcription: Recording wrong characters; Transposition: Reversing adjacent (end to end) characters; Double transposition: Reversing characters separated by one or more characters, e.g., 45123 is entered as 42153. |
|
Data code controls |
Length of the code; Alphabetic/numeric mix; Choice of characters; Mixing uppercase/lowercase fonts; Sequence of characters |
|
Types of batch controls |
Total financial amount; Total items; Hash totals; Total documents |
|
Input Validation Controls |
Sequence checks; Range and Limit check; Missing data check; Duplicate check; Programmed Validity Check; Dependency Match; Completeness check; Reasonableness check; Table lookups |
|
Input errors can be handled in the following ways |
Rejecting only the transactions with errors; Rejecting the whole batch of transactions; Accepting the batch in suspense; Accepting the batch and marking the error transactions |
|
Instruction Input Controls |
Menu Driven Applications; Question-Answer dialogs; Command Languages |
|
Processing Controls |
Run-to-run totals; Reasonableness verification; Edit checks; Field initialization; Exception reports |
|
Datafile Controls |
Version usage; Internal and external labelling; Data file security; Before and after image and logging; File updating and maintenance authorization; Parity Checking |
|
Network Security Controls |
Anonymity (Privacy); Automation; Opaqueness (Cloudiness); Distance; Routing diversity |
|
Characteristics of Networks |
Anonymity (Privacy); Automation; Opaqueness (Cloudiness); Distance; Routing diversity |
|
Threats and Vulnerabilities |
Information Gathering; Communication Subsystem Vulnerabilities; Protocol Flaws; Impersonation; Message Confidentiality Threats; Message Integrity Threats; Web Site Defacement; Denial of Service |
|
Network threat: Gathering Info |
Port Scan; Social Engineering; Reconnaissance (Scouting); Operating System and Application Fingerprinting; Bulletin Boards and Chats |
|
Communication Subsystem Vulnerabilities |
Eavesdropping and Wiretapping; Microwave signal tapping; Satellite Signal Interception; Wireless; Optical Fiber |
|
Protocol Flaws |
Many problems with protocols have been identified by reviewers and corrected before the protocol was established as a standard. |
|
Impersonation (Imitation) |
Authentication foiled by eavesdropping or wiretapping; Authentication foiled by avoidance; Nonexistent Authentication; Well-Known Authentication; Spoofing and Masquerading; Session Hijacking; Man-in-the-Middle Attack |
|
Message Confidentiality Threats |
Misdelivery; Exposure; Traffic Analysis (or Traffic Flow Analysis) |
|
Message Integrity Threats |
Changing some or all of the content of a message; Replacing a message entirely, including the date, time, and sender/receiver identification; Reusing (replaying) an old message; Combining pieces of different messages into one false message; Changing the apparent source of a message; Redirecting a message; Destroying or deleting a message |
|
Web Site Defacement |
Web site defacement is common not only because of its visibility but also because of the ease with which it can be done. |
|
Denial of Service |
Connection Flooding; Ping of death; Traffic Redirection; DNS Attacks |
|
Distributed Denial of Service |
In a distributed denial of service (DDoS) attack, more than one machine is used by the attacker to attack the target. These machines have some vulnerability that can be exploited to use them to attack another machine. |
|
Other threats |
Threats from cookies; Threats from Scripts; Threats from active code; Threats from mobile code |
|
Network Security Controls |
Architecture; Cryptography/Encryption; Content Integrity; Strong Authentication; Remote Access Security; Firewalls; Intrusion Detection Systems |
|
Architecture |
Segmentation / Zoning; Redundancy; Eliminate Single Points of Failure |
|
Cryptography/Encryption |
Link Encryption; End-to-End Encryption; PKI and Certificates; SSL Encryption; IPSec; Signed Code; Encrypted E-Mail |
|
Content Integrity |
Error Correcting Codes; Parity Check; Checksum and CRC; Other Codes; Message Digests (Cryptographic Checksums) |
|
Strong Authentication |
One Time Passwords; Challenge Response Systems; Kerberos |
|
Remote Access Security |
Virtual Private Networking (VPN); Dial back procedures; Authentication Servers |
|
Firewalls |
Virtual Private Networks; Intranet; Extranets |
|
Securing a Firewall |
Any unused networking protocols should be removed from the firewall operating system build; Any unused network services or applications should be removed or disabled; Any unused user or system accounts should be removed or disabled; Applying all relevant operating system patches is also critical; Unused physical network interfaces should be disabled or removed from the server chassis |
|
Intrusion Detection Systems |
Intrusion detection systems complement preventive controls as the next line of defence. An intrusion detection system (IDS) is a device, usually a separate computer, that monitors activity to identify malicious or suspicious events. An IDS is a sensor that raises an alarm if specific things occur. The alarm can range from writing an entry in an audit log to something significant, such as paging the system security administrator. |
|
Physical & Environmental Controls: Physical Access Threats and Exposures |
Unauthorized persons gaining access to restricted areas, e.g. prospective suppliers gaining access to a computer terminal of the purchases department, thereby viewing the list of authorized suppliers and rates displayed on the screen during data entry; Employees gaining access to areas not authorized, e.g. sales executives gaining access to the server room; Damage, vandalism or theft of equipment or other IS resources; Abuse of data processing resources, e.g. employees using the internet for personal purposes; Damage due to civil disturbances and war; Embezzlement of computer supplies, e.g. floppies, cartridges, printer consumables; Public disclosure of sensitive information, e.g. information regarding the location of servers, confidential or embarrassing information |
|
Classification: Physical & Environmental Controls |
Accidental; Deliberate |
|
The perpetrators or source of physical threats |
Interested or informed outsiders such as competitors, thieves, organized criminals and hackers; Former employees; Accidental; Ignorant; Discontented or disgruntled employees; Employees on strike; Employees under termination or suspended pending termination; Addicted to substances or gamblers; Experiencing financial or emotional problems |
|
Physical Access Control Techniques - Admin |
Choosing and Designing a Secure Site; Security Management; Emergency Procedures |
|
Physical Access Control Techniques - Technical |
Guards; Dogs; Compound walls and perimeter fencing; Lighting; Deadman Doors; Bolting door locks; Combination or Cipher locks; Electronic Door Locks; Biometric Door Locks; Video Cameras; Identification badges; Manual Logging; Electronic Logging; Controlled single point access; Controlled Visitor access; Bonded Personnel; Wireless Proximity Readers; Alarm Systems/Motion detectors; Secured Distribution Carts; Cable locks; Port controls; Switch controls; Peripheral switch controls; Biometric Mouse; Laptop Security |
|
Environmental Access Controls |
Hardware and Media; Information Systems Supporting Infrastructure or Facilities; Documentation; Supplies; People |
|
Environmental Threats and Exposures |
Natural; Man-made |
|
Techniques of Environmental Control |
Admin/ Technical |
|
Administrative Controls |
Visibility; Local considerations; Natural disasters; Transportation; External services |
|
Technical Controls |
Fire-resistant Walls, Floors and Ceilings; Concealed Protective Wiring; Ventilation and Air Conditioning; Power Supplies: Uninterruptible Power Supply (UPS)/Generator, Electrical Surge Protectors/Line Conditioners, Power leads from two sub-stations; Smoke Detectors and Fire Detectors; Fire Alarms; Emergency Power; Water detectors; Centralized Disaster Monitoring and Control Systems; Fire Suppression Systems: Water Based Systems (Wet Pipe Sprinklers, Dry-Pipe Sprinklers, Pre-action), Gas Based Systems (Carbon-dioxide, Halon) |