448 Cards in this Set

  • Front
  • Back
Guideline
A recommendation, an administrative control
Procedure
Step by step guide for accomplishing a task, an administrative control
Standard
Describes the specific use of technology, often applied to hardware and software, an administrative control
Policy
High level management directives, an administrative control
Principle of least privilege
Granting subjects the minimum amount of authorization required to do their jobs, also known as minimum necessary access
Separation of duties
Dividing sensitive transactions among multiple subjects
Mandatory vacations (leave)
Forcing staff to take vacation or time away from the office, also known as forced vacation
Collusion
An agreement between two or more individuals to subvert the security of a system.
EF Exposure factor
The percentage of value an asset lost due to an incident.
AV Asset value
The value of a protected asset.
ARO Annualized rate of occurrence
The number of losses suffered per year.
Qualitative risk analysis
Risk analysis method that uses approximate values.
Quantitative risk analysis
Risk analysis method that uses hard metrics such as dollars.
XOR
Exclusive OR. Binary operation that is true if one of two inputs (but not both) is true.
MD5
Message Digest 5, a hash function that creates a 128-bit message digest.
Symmetric Key Algorithms
class of algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and decryption of cipher text. The keys may be identical or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption, in comparison to public-key encryption.
Asymmetric Algorithms
public key cryptography/asymmetric cryptography are a class of cryptographic algorithms which require two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked. The public key is used to encrypt plain text or to verify a digital signature whereas the private key is used to decrypt cipher text or to create a digital signature.
OCSP (Online Certificate Status Protocol)
a client server method used for looking up revoked certificates
Web of Trust
concept used in PGP, GnuPG, and other OpenPGP compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized trust model is an alternative to the centralized trust model of a public key infrastructure (PKI), which relies exclusively on a certificate authority (or a hierarchy of such). As with computer networks there are many independent webs of trust, and any user (through their identity certificate) can be a part of, and a link between, multiple webs.
GnuPG GNU Privacy Guard
or GPG is a GPL licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP. Although the basic GnuPG program has a command line interface, there exist various front ends that provide it with a graphical user interface; the most popular are for Linux desktops. Hybrid encryption software program in that it uses a combination of conventional symmetric key cryptography for speed and public key cryptography (asymmetric) for ease of secure key exchange, typically by using the recipient’s public key to encrypt a session key which is only used once. This mode of operation is part of the OpenPGP standard and has been part of PGP from its first version. By default uses the CAST5 symmetrical algorithm.
PGP Pretty Good Privacy
Software that integrates symmetric, asymmetric and hash cryptography. Used for signing, encrypting, and decrypting texts, emails, files, directories and whole disk partitions and increase the security of email communications (Phil Zimmermann in 91).
OSI Model
A network model with seven layers:
Physical
describes units of data such as bits represented by energy (such as light, electricity, or radio waves) and the medium used to carry them (such as copper or fiber optic cables). WLANs have a physical layer, even though we cannot physically touch it. Cabling standards such as Thinnet, Thicknet, and Unshielded Twisted Pair exist at Layer 1. Devices include hubs and repeaters.
Data link
handles access to the physical layer as well as local area network communication. An Ethernet card and its MAC address are at layer 2, as are switches and bridges. Layer 2 is divided in two sub layers: Media Access Control (MAC) and Logical Link Control (LLC). The MAC layer transfers data to and from the physical layer, and the LLC layer handles LAN communications. MAC touches layer 1 and LLC touches layer 3.
Network
describes routing: moving data from a system on one LAN to a system on another. IP addresses and routers exist at layer 3. Layer 3 protocols include IPv4 and IPv6, among others.
Transport
handles packet sequencing, flow control, and error detection. TCP and User Datagram Protocol (UDP) are layer 4 protocols. Layer 4 makes a number of features available, such as resending or resequencing packets. Taking advantage of these features is a protocol implementation decision. As we will see later, TCP takes advantage of these features, at the expense of speed. Many of these features are not implemented in UDP, which chooses speed over reliability.
Session
manages sessions, which provide maintenance on connections. Mounting a file share via a network requires a number of maintenance sessions, such as Remote Procedure Calls (RPCs), which exist at the session layer. A good way to remember the function of the Session Layer is “connections between applications.” The Session Layer uses simplex, half-duplex, and full-duplex communication.
Presentation
presents data to the application (and user) in a comprehensible way. Presentation Layer concepts include data conversion, character sets such as ASCII, and image formats such as Graphics Interchange Format (GIF), Joint Photographic Experts Group (JPEG), and Tagged Image File Format (TIFF).
Application
where you interface with your computer application. Your web browser, word processor, and instant messaging client exist at layer 7. The protocols Telnet and FTP are application layer protocols.
IGMP Internet Group Management Protocol
is a communications protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. It is an integral part of IP multicast. IGMP can be used for one to many networking applications such as online streaming video and gaming, and allows more efficient use of resources when supporting these types of applications. IGMP is used on IPv4 networks. Multicast management on IPv6 networks is handled by Multicast Listener Discovery (MLD), which uses ICMPv6 messaging in contrast to IGMP's bare IP encapsulation. IGMP operates between the client computer and the local multicast router.
ICMP Internet Control Message Protocol
used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP can also be used to relay query messages. It is assigned protocol number 1. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end user network applications, with the exception of some diagnostic tools like ping and traceroute. Part of the Internet Protocol Suite as defined in RFC 792. Messages are typically used for diagnostic or control purposes or generated in response to errors in IP operations. Errors are directed to the source IP address of the originating packet. For example, every device forwarding an IP datagram first decrements the time to live (TTL) field in the IP header by one. If the resulting TTL is 0, the packet is discarded and the ICMP time to live exceeded in transit message is sent to the datagram’s source address.
Multicast
one to many network traffic, where the “many” is preselected. Most common protocol is UDP but that is sometimes unreliable so Pragmatic General Multicast (PGM) has been developed. IGMP is used to route via IPv4 networks and MLD on IPv6 networks.
EMI External Machine Interface
an extension to Universal Computer Protocol (UCP), is a protocol primarily used to connect to short message service centers (SMSCs) for mobile telephones. The protocol was developed by CMG Wireless Data Solutions.
EMI/RFI
Electromagnetic Interference/Radio Frequency Interference
RFI Remote File Inclusion
altering web URLs to include remote content, usually done through a PHP (Hypertext Preprocessor) attack. This is a web attack. Working through a legitimate site, the attacker forces a file like something.php down to the client computer, where it launches to steal info, create a backdoor, or do other nefarious things.
FDDI Fiber Distributed Data Interface
Legacy LAN technology that uses light. Runs on a logical network ring via a primary and secondary counter-rotating fiber optic ring. Secondary ring was used for fault tolerance. Runs at 100 megabits and uses a “token bus”, a different token passing mechanism than Token Ring. In addition to reliability, another advantage of FDDI is light, as fiber cable is not affected by electromagnetic interference.
DSSS Direct Spread Spectrum Sequence
A method for sending wireless traffic via a radio band. Uses the entire wireless band at once. Designed to maximize throughput while minimizing the effects of interference.
FHSS Frequency Hopping Spectrum Sequence
A method for sending wireless traffic via a radio band. Uses a number of small frequency channels throughout the band and hops through them in pseudorandom order. Designed to maximize throughput while minimizing the effects of interference.
OFDM Orthogonal Frequency-Division Multiplexing
is a newer multiplexing method, allowing simultaneous transmission using multiple independent wireless frequencies that do not interfere with each other.
CDMA Code Division Multiple Access
this is an example of multiple access, which is where several transmitters can send information simultaneously over a single communication channel. This allows several users to share a band of frequencies. Uses spread spectrum technology and a special coding scheme. I would use the term modulation.
MPPE Microsoft Point-to-Point Encryption
encrypts data in point to point protocol (PPP) based dial up connections or point to point tunneling protocol (PPTP) virtual private network (VPN) connections. 128 bit key (strong), 56 bit key, and 40 bit key (standard) MPPE encryption schemes are supported. Provides data security for the PPTP connection that is between the VPN client and the VPN server. MPPE alone does not compress or expand data, but the protocol is often used in conjunction with Microsoft point to point compression which compresses data across PPP or VPN links.
L2F Layer 2 Forwarding
Designed to tunnel Point-to-Point Protocol (PPP). Developed by Cisco Systems. Does not provide encryption or confidentiality by itself, it relies on the protocol being tunneled to provide the privacy.
L2TP Layer 2 Tunneling Protocol
Combines PPTP and L2F. The entire L2TP packet, including payload and L2TP header, is sent within a User Datagram Protocol (UDP) datagram. It is common to carry PPP sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing CIA. The combination of these two protocols is generally known as L2TP/IPsec.
PPTP Point-to-Point Tunneling Protocol
Uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets.
GRE Generic Routing Encapsulation
is a tunneling protocol developed by Cisco that can encapsulate a wide variety of network layer protocols inside virtual point to point links over an internet protocol internetwork.
IPsec Internet Protocol Security
A suite of protocols that provide a cryptographic layer to both IPv4 and IPv6. It uses Authentication Headers (AH) that provide integrity and origin authentication, Encapsulation Security Payloads (ESP) that provide confidentiality, data-origin authentication, and connectionless integrity, and Security Associations (SA) that provide a framework for authentication and key exchange, with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange, Kerberized Internet Negotiation of Keys, or IPSECKEY DNS records.
AH Authentication Header
guarantees connectionless integrity and data origin authentication of IP packets. Further, it can optionally protect against replay attacks by using the sliding window technique and discarding old packets.
Tunnel Mode
in IPsec in tunnel mode the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network to network communication (e.g. between routers to link sites), host to network communications (e.g. remote user access) and host to host communications (e.g. private chat). Tunnel mode supports NAT traversal.
SOCKS Socket Secure
Popular circuit level proxy. Internet protocol that routes network packets between a client and server through a proxy server. SOCKS5 additionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded. SOCKS performs at Layer 5 of the OSI model (session layer). De facto standard for circuit level gateways.
Beacon Frame
is one of the management frames in IEEE 802.11 based WLANs. It contains all the information about the network. Beacon frames are transmitted periodically to announce the presence of a Wireless LAN. Beacon frames are transmitted by the Access Point (AP) in an infrastructure basic service set (IBSS). In an IBSS network, beacon generation is distributed among the stations.
PRI Primary Rate Interface
Provides 23 64-K digital ISDN channels. It is a standardized telecommunication service level within the ISDN specification for carrying multiple DS0 voice and data transmissions between a network and a user. PRI is the standard for providing telecommunication services to offices. It is based on the T-carrier (T1) in the US and Canada, and the E-carrier (E1) line in Europe. The T1 line consists of 24 channels, while an E1 has 32.
DOCSIS Data Over Cable Service Interface Specification
international telecommunications standard that permits the addition of high-speed data transfer to an existing cable TV (CATV) system. It is employed by many cable television operators to provide internet access over their existing hybrid fiber-coaxial infrastructure.
ActiveX
The functional equivalent of Java applets, they use digital certificates instead of a sandbox to provide security.
JScript
Microsoft’s implementation of JavaScript in Windows. JScript is implemented as an Active Scripting engine, which means it can be plugged into OLE automation applications that support active scripting, such as Internet Explorer, Active Server Pages and Windows Script Host. It also means such applications can use multiple active scripting languages (e.g. JScript, VBScript, PerlScript,…).
Java
An object-oriented language used not only to write applets but also as a general-purpose programming language.
JavaScript
is a dynamic computer programming language, most commonly used as part of web browsers, whose implementations allow client side scripts to interact with the user, control the browser, communicate asynchronously, and alter the document content that is displayed. It is also being used in server side network programming with Node.js. The big thing is to place the code into the sandbox to test so that it does not affect the rest of the network.
Java Applet
small application which is written in Java and delivered to users in the form of bytecode. The user launches the applet from a web page, and the applet is then executed within the Java virtual machine (JVM) in a process separate from the web browser itself. Java applets are executed in a sandbox by most web browsers, preventing them from accessing local data like the clipboard or file system.
CMM - Capability Maturity Model
A maturity framework for evaluating and improving the software development process. There are five levels of the CMM.
1. Initial
The software process is characterized as ad hoc and occasionally even chaotic. Few processes are defined, and success depends on individual effort.
2. Repeatable
Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
3. Defined
The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. Projects use an approved, tailored version of the organization’s standard software process for developing and maintaining software.
4. Managed
Detailed measures of the software process and product quality are collected, analyzed, and used to control the process. Both the software process and products are quantitatively understood and controlled.
5. Optimizing
Continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
SDLC - System Development Life Cycle
This system is broader than other life cycle plans and it focuses on security in every phase.
• Prepare a Security Plan
Ensure that security is considered during all phases of the IT system life cycle, and that security activities are accomplished during each of the phases.
• Initiation
The need for a system is expressed and the purpose of the system is documented.
o Conduct a Sensitivity Assessment
Look at the security sensitivity of the system and the information to be processed.
• Development/Acquisition
The system is designed, purchased, programmed, or developed.
o Determine Security Requirements
Determine technical features (e.g., access controls), assurances (e.g., background checks for system developers), or operational practices (e.g., awareness and training).
o Incorporate Security Requirements into Specifications
Ensure that the previously gathered information is incorporated in the project plan.
o Obtain the System and Related Security Activities
May include developing the system’s security features, monitoring the development process itself for security problems, responding to changes, and monitoring threats.
• Implementation
The system is tested and installed.
o Install/Turn-On controls
A system often comes with security features disabled. These need to be enabled and configured.
o Security Testing
Used to certify a system; may include testing security management, physical facilities, personnel, procedures, the use of commercial or in-house services (such as networking services), and contingency planning.
o Accreditation
The formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk.
• Operations/Maintenance
The system is modified by the addition of hardware and software and by other events.
o Security Operations and Administration
Examples include backup, training, managing cryptographic keys, user administration, and patching.
o Operational Assurance
Examines whether a system is operated according to its current security requirements.
o Audits and Monitoring
A system audit is a one-time or periodic event to evaluate security. Monitoring refers to an ongoing activity that examines either the system or the users.
• Disposal
The secure decommission of a system.
o Information
Information may be moved to another system, archived, discarded, or destroyed.
o Media Sanitization
There are three general methods of purging media: (1) overwriting, (2) degaussing (for magnetic media only), and (3) destruction.

Waterfall Method

An application development model that uses rigid phases; when one phase ends, the next begins. It is linear and was first used in manufacturing. Consists of the following 7 phases: system requirements, software requirements, analysis, program design, coding, testing, operations. The modified model allowed a return to the previous phase for verification or validation.

Spiral Method
Software development model designed to control risk. Boehm created the model. This process repeats steps of a project, starting with modest goals and expanding outwards in ever wider spirals called rounds. These rounds consist of Concept of Operations (COOP), Software Requirements, Software Product Design, Detailed Design and at each of these a risk analysis. When a failure or lack of value was identified earlier it was easier and cheaper to mitigate.
Exploratory Model
when a domain is not very well understood or open-ended, or it's not clear what algorithms and data structures might be needed for an implementation, it's useful to be able to interactively develop and debug a program without having to go through the usual constraints of the edit-compile-run-debug cycle.
Method
a function performed by an object. Is a subroutine (procedure or function) associated with an object, and which has access to its data, its member variables.
Behavior
any action of a system that changes its environment. Behavior provides outputs from the system to the environment.
Coupling and Cohesion
Coupling - Object Oriented Programming concept that connects objects to others; highly coupled objects have low cohesion. Cohesion - OOP concept that describes an independent object; objects with high cohesion have low coupling. You could have high cohesion and low coupling.
Polymorphism
based on the Greek poly and morph, meaning many and forms respectively. For instance, the ability to overload the plus (+) operator, performing different methods depending on the context of the input message: number + number or string + string.
Polyinstantiation
means many instances: two instances with the same names that contain different data. This may be used in different environments to keep top secret and secret data separate. Database polyinstantiation means two rows have the same primary key but different data.
Security Kernel
central part of a computer or communications system hardware, firmware, and software that implements the basic security procedures for controlling access to system resources. A self-contained, usually small collection of key security-related statements that (a) works as a part of an operating system to prevent unauthorized access to, or use of, the system and (b) contains criteria that must be met before specified programs can be accessed.
Security Policy
definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
Change Management
the process of understanding, communicating, and documenting changes.
Stealth Virus
a virus that hides itself from the OS and other protective software, such as antivirus software.
Polymorphic Virus
A virus that changes its signatures upon infection of a new system, attempting to evade signature-based antivirus software.
Oligomorphic Virus
An encrypted virus that has several forms of its decryption code, selecting between them (usually randomly) when writing its decryptor to a new replicant.
Candidate Key
Any attribute (column) in the table with unique values.
Primary Key
Unique attribute in a relational database table, used to join tables
Attribute
A column in a relational database table.
Foreign Key
A key in a related database table that matches a primary key in the parent database.
Concurrency
is a property of systems in which several computations are executing simultaneously, and potentially interacting with each other. The computations may be executing on multiple cores in the same chip, preemptively time-shared threads on the same processor, or executed on physically separated processors. A number of mathematical models have been developed for general concurrent computation including Petri nets, process calculi, the parallel random access machine model, the actor model, and the Reo coordination language. Because computations in a concurrent system can interact with each other while they are executing, the number of possible execution paths in the system can be extremely large, and the resulting outcome can be indeterminate. Concurrent use of shared resources can be a source of indeterminacy leading to issues such as deadlock and starvation.
Deadlocking
is a situation in which two or more competing actions are each waiting for the other to finish, and thus neither ever does. In a transaction database, a deadlock happens when two processes, each within its own transaction, update two rows of information but in the opposite order. For example, process A updates row 1 then row 2 in the exact timeframe that process B updates row 2 then row 1. Process A can’t finish updating row 2 until process B is finished, but process B cannot finish updating row 1 until process A finishes. No matter how much time is allowed to pass, this situation will never resolve itself, and because of this database management systems will typically kill the transaction of the process that has done the least amount of work. In an operating system, a deadlock is a situation which occurs when a process or thread enters a waiting state because a resource requested is being held by another waiting process, which in turn is waiting for another resource. If a process is unable to change its state indefinitely because the resources requested by it are being used by another waiting process, then the system is said to be in a deadlock.
Inference
Deductive attack where a user is able to use lower level access to learn restricted information.
ACID Atomicity Consistency Isolation Durability
a set of properties that guarantee that database transactions are processed reliably. In the context of databases, a single logical operation on the data is called a transaction. For example, a transfer of funds from one bank account to another, even involving multiple changes such as debiting one account and crediting another, is a single transaction. Atomicity requires that each transaction is all or nothing. If one part of the transaction fails, the entire transaction fails and the database state is left unchanged. The consistency property ensures that any transaction will bring the database from one valid state to another (programming errors will not violate any defined rules). Isolation ensures that the execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other. Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors.
Rollback
restores a database after a failed commit.
Two-Phase Commit
used during replication of databases to ensure integrity. Before committing, the DBMS requests a vote. If the DBMSs on each agree then the data is written and ensured; if not, the vote fails and changes are not committed and not made permanent.
Asynchronous Dynamic Token
are not synchronized with the central server. The most common variety is the challenge-response token: authentication systems produce a challenge, or input, for the token device. The user then manually enters the information into the device along with the user’s PIN and the device produces an output. This output is then sent to the system. The system is assured the user is authenticated because the response is tied to the challenge, a specific token, the encryption algorithm used by the token, and the user’s PIN.
Synchronous Dynamic Token
use time or a counter to synchronize a displayed token code with the code expected by the authentication server; the codes are synchronized. Time-based synchronous dynamic tokens display dynamic token codes that change frequently, such as every 60 seconds. The dynamic code is only good during that window. The authentication server knows the serial number of each authorized token, the user it is associated with, and the time. It can predict the dynamic code on each token using these three pieces of information. Counter-based tokens are just that: they increment by whatever.
Biometric Type I Error
when the biometric points are increased and authorized personnel are stopped from gaining access this is a False Reject Rate and is called a type I error.
Biometric Type II Error
when the data points are lowered in the biometric system this causes a False Accept Rate (FAR), allowing unauthorized personnel to gain access. This is a type II error.
The Key Distribution center (KDC)
a Kerberos service that authenticates principals.
Sesame Secure European system for Applications in a Multivendor Environment
is a single sign-on system that supports heterogeneous environments. Can be thought of as a sequel of sorts to Kerberos. Sesame adds to Kerberos: heterogeneity, sophisticated access control features, scalability of public key systems, better manageability, audit and delegation. Of those improvements, the addition of public key (asymmetric) encryption is the most compelling. It addresses one of the biggest weaknesses in Kerberos: the plaintext storage of symmetric keys. Uses Privilege Attribute Certificates (PACs) in place of Kerberos’ tickets.
Kerberos
a third-party authentication service that may be used to support SSO (Single Sign On). Authentication, Authorization, and Accountability (AAA). The client, the key distribution center (KDC), and the server. Operational Steps: 1. Kerberos principal Alice contacts the KDC, which acts as an authentication server, to request authentication. 2. The KDC sends Alice a session key, encrypted with Alice’s secret key. The KDC also sends a TGT, encrypted with the TGS secret key. 3. Alice decrypts the session key and uses it to request permission to print from the TGS. 4. Seeing Alice has a valid session key (and therefore has proven her identity claim), the TGS sends Alice a C/S session key (second session key) to use to print. The TGS also sends a service ticket, encrypted with the printer’s key. 5. Alice connects to the printer. The printer, seeing a valid C/S session key, knows Alice has permission to print and also knows that Alice is authentic.
LDAP Lightweight Directory Access Protocol
used for accessing and maintaining distributed directory information services over an IP network. Vendor neutral. Uses TCP and UDP port 389.
MS-Chap
is used as one authentication option in Microsoft’s implementation of the PPTP protocol for VPNs. It is also used for authentication with RADIUS servers, which are used for Wi-Fi security. It is further used as the main authentication option of the Protected Extensible Authentication Protocol (PEAP).
MAC - Mandatory Access Control
System enforced access control based on subjects’ clearances and objects’ labels.
DAC - Discretionary Access Control
Gives subjects full control of objects they have been given access to, including sharing the objects with other subjects.
RBAC Role-Based Access Control
subjects are grouped into roles and each defined role has access permission based on the role, not the individual.
Rule-Based Access Control
Uses a series of defined rules, restrictions, and filters for accessing objects within a system. Made in the form of if/then statements.
IDS in Passive Mode NIDS
Network Intrusion Detection System. Detects malicious traffic on a network. Usually requires promiscuous network access in order to analyze all traffic, including all unicast traffic.
Anomaly Detection
is the identification of items, events or observations which do not conform to an expected pattern or other items in a dataset.
Signature-Based Detection
uses samples of code to identify the virus or malware. If this is not contained in the dictionary then it is not effective.
4 Types of IDS Events
False Positive: User surfs the Web to an allowed site, and NIDS alerts. False Negative: Conficker worm is spreading on a trusted network, and NIDS is silent. True Positive: Conficker worm is spreading on a trusted network, and the NIDS alerts. True Negative: User surfs the Web to an allowed site, and NIDS is silent.
Forking Proxy
Session Initiation Protocol (SIP) proxy servers that route messages to more than one destination are called forking proxies. An example of this would be to have your desk phone and your cell phone ring at the same time so you could take the call at either device.
Volatile Memory
RAM is volatile memory used to hold instructions and data of currently running programs. It loses integrity after loss of power.
Non-Volatile Memory
Read-only memory (ROM) is nonvolatile: Data stored in ROM maintains integrity after loss of power. The basic input/output system (BIOS) firmware is stored in ROM.
SAM - Sequential Memory
is a class of data storage devices that read their data in sequence. This is in contrast to random access memory (RAM) where data can be accessed in any order. Sequential access devices are usually a form of magnetic memory. Examples of SAM devices still in use include hard disks, CD-ROMs and magnetic tapes.
Secondary Memory
flash memory, optical discs, magnetic disk, magnetic tapes.
Supervisor State Supervisor Mode
is a hardware-mediated flag which can be changed by code running in system-level software. System tasks or threads will have this flag set while they are running, whereas user-space applications will not. This flag determines whether it would be possible to execute machine code operations such as modifying registers for various descriptor tables, or performing operations such as disabling interrupts. The idea of having two different modes to operate in comes from "with more control comes more responsibility": a program in supervisor mode is trusted never to fail, since a failure may cause the whole computer system to crash.
Dedicated
Dedicated mode of operation means that the system contains objects of one classification label (e.g., secret) only. All subjects must possess a clearance equal to or greater than the label of the objects (a secret or higher clearance, using the previous example). Each subject must have the appropriate clearance, formal access approval, and need to know for all the information stored and processed on the system.
System High
In a system high mode of operation, the system contains objects of mixed labels (e.g. confidential, secret, and top secret). All subjects must possess a clearance equal to the system’s highest object (top secret, using the previous example).
Compartmented
In a compartmented mode of operation system, all subjects accessing the system have the necessary clearance but do not have the appropriate formal access approval, nor do they need to know for all the information found on the system. Objects are placed into “compartments” and require a formal (system-enforced) need to know to access. Compartmented mode systems use technical controls to enforce need to know (as opposed to a policy-based need to know).
Multi-Level
Multilevel mode of operation stores objects of differing sensitivity labels and allows system access by subjects with differing clearances. The reference monitor mediates access between subjects and objects: If a top secret subject (with a need to know) accesses a top secret object, access is granted. If a secret subject attempts to access a top secret object, access is denied.
Bell-LaPadula Model
It was developed for the U.S. Department of Defense. It is focused on maintaining the confidentiality of objects. Protecting confidentiality means not allowing users at a lower security level to access objects at a higher security level. Bell-LaPadula operates by observing two rules: the Simple Security Property and the * Security Property.
Simple Security Property
States that there is no read up; that is, a subject at a specific classification level cannot read an object at a higher classification level. Subjects with a secret clearance cannot access top secret objects, for example.
* Security Property
States that there is no write down; that is, a subject at a higher classification level cannot write to a lower classification level. Subjects who are logged into a top secret system cannot send emails to a secret system, for example.
Biba Model
is the model of choice when integrity protection is vital. The Biba model has two primary rules: the simple Integrity axiom and the * Integrity Axiom.
Simple Integrity Axiom
is “no read down”; that is, a subject at a specific classification level cannot read data at a lower classification. This prevents subjects from accessing information at a lower integrity level. This protects integrity by preventing bad information from moving up from lower integrity levels.
* Integrity Axiom
is “no write up”; that is, a subject at a specific classification level cannot write to data at a higher classification. This prevents subjects from passing information up to a higher integrity level that they have clearance to change. This protects integrity by preventing bad information from moving up to higher integrity levels.
Clark-Wilson Model
is a real world integrity model that protects integrity by requiring subjects to access objects via programs. Because the programs have specific limitations to what they can and cannot do to objects, Clark-Wilson effectively limits the capabilities of the subject. Clark-Wilson uses two primary concepts to ensure that security policy is enforced: well-formed transactions and separation of duties.
Chinese Wall Model/ Brewer and Nash
is designed to avoid conflicts of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest categories (CoIs). It is also called Brewer and Nash, and was designed to address the risks inherent with employing consultants working within banking and financial institutions.
Graham Denning Model
has three parts: objects, subjects and rules. It provides a more granular approach for interactions between subjects and objects. There are eight rules: R1 Transfer Access, R2 Grant Access, R3 Delete Access, R4 Read Object, R5 Create Object, R6 Destroy Object, R7 Create Subject, R8 Destroy Subject.
Process Isolation
A process can’t interfere with other processes; a logical control.
Common Criteria
The Common Criteria uses specific terms when defining specific portions of the testing process.
Target of evaluation (ToE)
the system or product that is being evaluated.
Security Target (ST)
the documentation describing the ToE, including the security requirements and operational environment.
Protection Profile (PP)
an independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems.
Evaluation Assurance Level (EAL)
The evaluation score of the tested product or system. EAL1 Functionally tested. EAL2 Structurally tested. EAL3 Methodically tested and checked. EAL4 Methodically tested and checked and reviewed. EAL5 Semi-formally designed, and tested. EAL6 Semi-formally verified and designed, and tested. EAL7 Formally verified, designed and tested
TCSEC - Trusted Computer System Evaluation Criteria
Also known as The Orange Book. One of the first security standards implemented, and major portions of those standards are still used today in the form of U.S. government Protection Profiles within the International Common Criteria framework. Division D is the lowest form of security and A is the highest. The Orange Book was the first significant attempt to define differing levels of security and access control implementation within an IT system.
ITSEC
the European Information Technology Security Evaluation Criteria (ITSEC) was the first successful international evaluation model. It refers to TCSEC orange book levels, separating functionality from assurance. There are two types of assurance: effectiveness (Q) and correctness (E).
PCI-DSS Payment Card Industry Data Security Standard
is a security standard created by the Payment Card Industry Security Standards Council (PCI-SSC). The council is comprised of the four large credit card companies and others. They seek to protect credit cards by requiring vendors using them to take specific security precautions.
Fault Tolerance
In order for systems and solutions within an organization to be able to continually provide operational availability, they must be implemented with fault tolerance in mind. Availability is not solely focused on system uptime requirements but also requires that data be accessible in a timely fashion. Both system and data fault tolerance will be attended to within this section.
Full Backup
Is the easiest type of backup to understand; it simply is a replica of all allocated data on a hard disk. Most costly; shortest amount of time to restore in a catastrophe.
Incremental Backup
Only files that have changed since the last backup of any kind was performed.
Differential Backup
Only files that have changed since the last full backup has been performed.
RAID
Redundant Array of Inexpensive Disks
RAID0
employs striping to increase the performance of read and write. Offers no data redundancy.
RAID1
mirrored set, write performance decreased, read performance increased, half disks are dedicated to redundancy, cost is high.
RAID2
is not considered commercially viable for hard disks and is not used.
RAID3
striped set with dedicated parity, data at the byte level is striped across multiple disks, an additional disk is leveraged for storage of parity information in the event of a failure.
RAID4
striped set with dedicated parity at the block level, just like level 3 but at block level.
RAID5
striped set with distributed parity, one of the most popular configurations, block level striping, parity is spread across multiple disks.
RAID6
striped set with dual distributed parity; unlike RAID 5, RAID 6 allows for 2 disks to fail and still function. This redundancy is achieved by writing the same parity information to two different disks.
RAID10
is just RAID0 and RAID1 together. This makes it striped and mirrored, encapsulated together.
Blackout
Total loss of electrical power.
Brownout
A perceptible reduction in the electrical line voltage supplied is usually caused by an excessive electrical demand on the electric utility or by an insufficient power-generation capability. This is also known as a brown down.
Sag
A temporary, usually very fast, drop in electrical voltage. It is usually associated with the supply voltage to the computer, not inside the computer. Sags are the opposite of spikes and are sometimes called brown downs when the sag is not momentary. They are very often damaging to computer equipment.
Static Electricity
A form of electrical voltage and current usually generated by an accidental action. This is not electricity from a battery or the normal house or office electrical supply. It is more like lightning in that it is a quick but substantial discharge that can do great damage. It is the same type of charge that happens when clothes have been dried in a dryer and they cling to themselves upon removal. It occurs more frequently in cold weather, often while walking on carpet. It can destroy electrical components, disks, diskettes, tapes and other forms of magnetic storage media. It usually does this by demagnetizing the data and formatting markers on the media, and by over-charging electrical components’ capabilities.
BCP - Business Continuity Plan
provides long-term continuity planning to ensure that in the wake of a disruption the business can still perform the critical business functions.
DRP - Disaster Recovery Plan
Focuses on efficiently attempting to mitigate the impact of a disaster and the immediate response and recovery of critical IT systems in the face of a significant disruptive event.
MTD - Maximum Tolerable Downtime
the total time a system can be inoperable before an organization is severely impacted. Also called Maximum Allowable Downtime (MAD), Maximum Tolerable Outage (MTO), and Maximum Acceptable Outage (MAO). RTO + WRT = MTD
RTO Recovery Time Objective
describes the maximum time allowed to recover business or IT systems. Is also called Systems Recovery Time.
WRT Work Recovery Time
describes the time required to configure a recovered system.
RPO - Recovery Point Objective
is the amount of data loss or system inaccessibility (measured in time) that an organization can withstand. NASDAQ’s RPO is the point when someone can make a trade, so it can almost never be down. For some places it may be a week of data.
Hot Site
Will have all necessary hardware and critical applications data mirrored in real time. A hot site will have the capability to allow the organization to resume critical operations within a very short period of time, sometimes in less than an hour.
Cold Site
Least expensive. Usually can be up within weeks and has a raised floor, power, utilities, and physical security but not much beyond that.
Warm Site
Can be up, in some instances, in 24 to 48 hours. Has some aspects of a hot site with readily accessible hardware and connectivity but will have to run backups in order to reconstitute a system.
Mobile Site
this is just as it sounds. Provide power and network and it works.
CMP - Crisis Management Plan
is designed to provide effective coordination among the managers of the organization in the event of an emergency or disruptive event. The CMP details the actions management must take to ensure that life and safety of personnel and property are immediately protected in case of a disaster.
Real Evidence
the first and most basic category of evidence which consists of tangible or physical objects. Hard drives, DVDs, USB storage devices, or printed business records.
Best Evidence Rule
Courts prefer the best evidence possible. Original documents are preferred over copies; conclusive tangible objects are preferred over oral testimony. Recall that the five desirable criteria for evidence suggest that, where possible, evidence should be relevant, authentic, accurate, complete and convincing.
Secondary Evidence
class of evidence common in cases involving computers. Consists of copies of original documents and oral descriptions. Computer generated logs and documents might also constitute secondary rather than best evidence; however, Rule 1001 of the US federal rules of evidence can allow readable reports of data contained on a computer to be considered original as opposed to secondary evidence.
Direct Evidence
is testimony provided by a witness regarding what the witness actually experienced with his or her five senses. Witnesses must have experienced what they are testifying to, rather than having gained the knowledge indirectly through another person (hearsay).
Chain of Custody
requires that once evidence is acquired, who, what, when, and where with regard to the handling of evidence must be fully documented. Initials and/or signatures on the chain of custody form indicate that the signers attest to the accuracy of the information concerning their role noted on the chain of custody form.
Recovery
means that the system must be recovered (e.g. reinstalled from OS media or image, data restored from backups).
Detective
controls that alert during or after a successful attack. Intrusion detection systems alerting after a successful attack, closed circuit television cameras (CCTV) that alert guards to an intruder, and a building alarm system that is triggered by an intruder are all examples of detective controls.
Corrective
Work by correcting a damaged system or process. Works hand in hand with the detective controls.
Deterrent
deter users from performing actions on a system. Examples include a beware of dog sign. A thief facing two buildings, one with guard dogs and one without, breaks into the one without.
Fiduciary Responsibility
have a trust and confidence to manage and protect property and/or money or assets of business to the consumer or shareholder.
Due Diligence
is the investigation of a business or person prior to signing a contract, or an act with a certain standard of care. It can be a legal obligation, but the term will more commonly apply to voluntary investigations.
Due Care
The conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others.
Liability
describes the condition of being actually or potentially subject to a legal obligation.
Locard’s Principle
holds that the perpetrator of a crime will bring something into the crime scene and leave with something from it, and that both can be used as forensic evidence.
Heisenberg’s Principle
has to do with disturbing cryptographic tapping and of encryption and the fact that it will cause a disturbance. His uncertainty principle applied to this.
Running State
Process being executed by the CPU. Page 263
Waiting State
When the processor needs to access external memory, it starts placing the address of the requested information on the address bus. It then must wait for the answer. Each of the cycles spent waiting is called a wait state.
Stopped State
processor or service has stopped execution of the code.
Ready State
Process waiting to be executed by the CPU. Page 263
Pre-Emptive Multi-Tasking
a computer operating system uses some criteria to decide how long to allocate to any one task before giving another task a turn to use the operating system.
Cooperative Multi-Tasking
a method where multiple tasks are performed during the same period of time; they are executed concurrently (in overlapping time periods, new tasks starting before others have ended) instead of sequentially (one completing before the next starts). The tasks share common processing resources, such as a CPU and main memory.
Multi-Threading
the ability of a program or an operating system process to manage its use by more than one user at a time and to even manage multiple requests by the same user without having to have multiple copies of the program running in the computer.
Static Token
the device which does the authentication does not compute anything, it has a set value stored on the device.
Cost/Benefit risk analysis
ALE (before safeguard) - ALE (after safeguard) - Annual cost of safeguard = value of safeguard. Is it worth it to mitigate threat?
Job rotation
rotation of responsibilities, build skill redundancy, administrative control
Project Initiation
Systems development life cycle, first phase.
Message
how objects communicate
Damage Assessment Team
perform damage assessment as prescribed in the operations briefing and in accordance with the teams’ prioritized list of sites.
Backup Activation Team
Emergency Response Team: retrieve offsite records and recovery information from offsite storage, report to the alt site, execute the business recovery procedures in prioritized order, communicate status, identify issues and establish shifts, identify replacement equipment/software needed for recovery.
Common Law
Criminal Law “protect people”, Civil Law (Tort Law) “wrongs inflicted on people or business”
Patents
Good for 20 years, invention must be new, useful. Inventor granted exclusive rights during patent period. It is an intellectual property right granted by the Government of the United States of America to an inventor “to exclude others from making, using, offering for sale, or selling the invention throughout the United States or importing the invention into the United States” for a limited time in exchange for public disclosure of the invention when the patent is granted.
Trade Secrets
Intellectual property that is absolutely critical to a business. Protection is solely the responsibility of the business. Commonly protected by non-compete or non-disclosure agreements. Lasts forever or until it becomes public knowledge by legal means.
Safe harbor
allows US companies to pass data without prosecution as long as they comply with regulations. EU citizen personal data cannot be transmitted, even with permission of the individual, outside the EU.
Negligence
opposite of due care. Can be legally found if the due care was not performed.
Legal Responsibility
requirements by law, legal obligation
Prudent Man Rule
directs trustees "to observe how men of prudence, discretion and intelligence manage their own affairs, not in regard to speculation, but in regard to the permanent disposition of their funds, considering the probable income, as well as the probable safety of the capital to be invested."
Evidence To Be Admissible
must be legally obtained to be considered in court of law.
Corrosion
the gradual destruction of materials (usually metals) by chemical reaction with its environment.
Smoke/Fire Detectors
heat, flame and smoke detectors. Ionization (smoke), Heat (rate of rise), Photoelectric (smoke), Ultraviolet/Infrared (flame).
Fire Extinguisher classes
A: Common combustibles, B: Liquids, C: Electrical, D: Metal, K: Kitchen fires.
Turnstile
personnel entries, one at a time. Designed to prevent tailgating.
Gate
vehicular gates: Class I - residential, Class II - commercial, Class III - Industrial, Class IV - restricted access requiring security personnel (prison, airport)
Bollard
pillars placed to prevent vehicular access
Mantrap
a double-door single-person access control space; the first door must close and lock prior to the second opening. Each door requires a different form of authentication to open.
Pan/Tilt/Zoom
closed circuit television, change view of camera
Drill frequency
how often procedures are practiced
Security Requirements Profile
a document used as part of the certification process. a combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales.
Crime Prevention Through Environmental Design
a multi-disciplinary approach to deterring criminal behavior through environmental design. the ability to influence offender decisions that precede criminal acts.
Data Center/Server Room
physically secured room which houses servers and data storage devices. Located in core area of facility, not directly accessible from public areas, not located on top floors, on a different electrical grid from building.
Timing and Storage Covert Channels
the two types of covert channels that the Orange Book requires protection against
Change Control Process
One of the key security aspects of revision control and configuration management is the capability to track changes. If problems occur, administrators can examine the system in the context of the software and other installed components to see what might have caused the problem. The first step in creating these traces is to have a policy that mandates a formal change control procedure for all hardware and software systems. This policy should provide for written requests to perform system changes that can include a review for security. Using the policy as the base, the standards and procedures can be written to support the processes that log every change to any information component.
Problem Management
process of tracking an event back to its root cause to discover and address the underlying cause
Archive Bit
Used to mark a backup state - ALL data is backed up and saved - the archive bit is cleared; The differential does not change the archive bit value; an incremental backup changes the archive bit to ZERO
Vulnerability Scanner
A process to discover poor configurations and missing patches in an environment (use a vulnerability scanner to determine vulnerabilities)
Port Scanner
A port scan is a method used by hackers to determine what ports are open or in use on a system or network. By using various tools a hacker can send data to TCP or UDP ports one at a time. Based on the response received the port scan utility can determine if that port is in use. Using this information the hacker can then focus their attack on the ports that are open and try to exploit any weaknesses to gain access.
Packet Sniffer
Packet sniffing is the act of capturing packets of data flowing across a computer network. The software or device used to do this is called a packet sniffer. Packet sniffing is to computer networks what wire tapping is to a telephone network. Packet sniffing has legitimate uses to monitor network performance or troubleshoot problems with network communications. However, it is also widely used by hackers and crackers to gather information illegally about networks they intend to break into. Using a packet sniffer it is possible to capture data like passwords, IP addresses, protocols being used on the network and other information that will help the attacker infiltrate the network.
Conclusive Evidence
nonrefutable evidence, a.k.a. the smoking gun
European Union Privacy
The 1995 Directive was established to provide a regulatory framework to guarantee secure and free movement of personal data across the national borders of the EU member countries, in addition to setting a baseline of security around personal information wherever it is stored, transmitted or processed.
Backup Operations Team
Team that takes over the more routine operations of the processes while restoration procedures are initiated.
Joint Application Development Model
Collective activity involving users and top management IT professionals. Centers on a structured workshop. Results in a final document containing definitions for data elements, work flows, screens, reports, and general system specifications.
The Delphi technique
a group process that anonymously generates ideas or judgments from physically dispersed experts. Brainstorming
Plan Test Methods
???
Guideline
a recommendation, administrative control
Procedure
a step by step guide for accomplishing a task, administrative control
Standard
describes the specific use of technology, often applied to hardware and software, administrative control
Policy
high-level management directives, administrative control
Principle of least privilege
only has privileges needed for job, administrative control
Separation of duties
critical functions are broken up among multiple subjects, prevents authorized subjects from making improper modifications to objects, administrative control
Mandatory vacations
forced vacations or time away from the office, usually suspected of abuse of authority, administrative control.
Collusion
an agreement between two or more individuals to subvert the security of a system
Exposure factor
the percentage of value an asset lost due to an incident
Asset value
the value of a protected asset
Annualized rate of occurrence
the number of losses suffered per year
Qualitative risk analysis
Risk analysis method which uses approximate values. Brainstorming, storyboarding, focus groups, Delphi technique, surveys/questions, checklists, interviews, 1-on-1 meetings
Quantitative risk analysis
RA method which uses hard metrics such as dollars. 6 steps or phases, Asset valuation, threat identification, threat analysis, derive overall loss potential, research countermeasures, perform cost/benefit analysis
Cost/benefit risk analysis
ALE (before safeguard) - ALE (after safeguard) - Annual cost of safeguard = value of safeguard. Is it worth it to mitigate threat?
Delphi technique
anonymous feedback & response process, elicits honest and uninfluenced responses, virtual meetings
XOR
binary mathematical operation which adds 2 bits together. If values are same, result is 0, if values are different, result is 1
MD5
hashing algorithm, 512 bit blocks, digest size: 128 bits, 4 rounds, 32 character output
Symmetric algorithms
1 shared key, n*(n-1)/2, stream cipher, block cipher, DES, Triple DES, blowfish, twofish, IDEA, AES, CAST, SAFER, RC4, RC5, RC6
Asymmetric algorithms
uses different key for encryption and decryption, 2 key pair, public and private, RSA, Diffie-Hellman, Elliptical Curve, ElGamal, digital signature
Online certificate status protocol (OCSP)
is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.
Web of trust
all parties involved trust each other equally. No CA to certify certificate owners.
GNU privacy guard
a version of pretty good privacy cryptographic software
Pretty good Privacy
is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. It was created by Phil Zimmermann in 1991
OSI model
1 physical, 2 data link, 3 network, 4 transport, 5 session, 6 presentation, 7 application
IGMP
multicast control protocol, 1 signal to be sent to multiple addresses. Network layer protocol.
ICMP
protocol, IP’s toolbox, ping, traceroute, network layer protocol
Multicast
one to many, controlled by group management protocols
EMI
electromagnetic interference, generated by electrical impulses. Noise on a wire
RFI
radio frequency interference, wireless interference.
Fiber
Fiber optics, light transmitted through glass fibers in a cable.
DSSS
wireless transmission large band, small amplitude
FHSS
Wireless transmission rapidly changes frequencies
OFDM
wireless transmission multiplexes sub-frequency bands
FDMA
wireless transmission each call has separate frequency
CDMA
wireless transmission, assigns a unique code to each call and spreads it over the available frequencies
MPPE
Microsoft Point-to-Point Encryption, data encryption protocol
L2F
tunneling protocol by Cisco, VPN
L2TP
tunneling protocol for VPNs by ISPs.
PPTP
point to point tunneling protocol. VPNs
IPSec
a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session
Tunnel Mode
Gateway-to-gateway, Server-to-gateway, Server-to-server
AH
encapsulates an IP packet with an Authentication Header and IP header and signs the entire packet for integrity and authentication.
SOCKS
Socket Secure. Circuit proxy server. Layer 5 of OSI. An Internet protocol that routes network packets between a client and server through a proxy server.
Beacon Frame
transmitted periodically to announce the presence of a Wireless LAN. It contains all the information about the network, SSID.
Primary rate interface (PRI)
a standardized telecommunications service level within the Integrated Services Digital Network (ISDN) specification for carrying multiple DS0 voice and data transmissions between a network and a user. PRI is the standard for providing telecommunication services to offices. It is based on the T-carrier (T1) line in the US and Canada, and the E-carrier (E1) line in Europe. The T1 line consists of 24 channels, while an E1 has 32.
Data over cable service interface specification (DOCSIS)
an international telecommunications standard that permits the addition of high-speed data transfer to an existing cable TV (CATV) system. It is employed by many cable television operators to provide Internet access over their existing hybrid fiber-coaxial (HFC) infrastructure.
ActiveX
a software framework created by Microsoft which adapts its earlier Component Object Model (COM) and Object Linking and Embedding (OLE) technologies for content downloaded from a network, particularly in the context of the World Wide Web
Jscript
Active Scripting engine, Microsoft
JavaScript
a dynamic computer programming language. It is most commonly used as part of web browsers, whose implementations allow client-side scripts to interact with the user, control the browser, communicate asynchronously, and alter the document content that is displayed
Java Applet
a small application which is written in Java and delivered to users in the form of byte-code.
Capability maturity model
a development model created to improve existing software-development processes, but it can also be applied to other processes.
Systems development life cycle
Planning, Analysis, Design, Implementation, Maintenance.
Waterfall method
a sequential design process, often used in software development processes, in which progress is seen as flowing steadily downwards (like a waterfall) through the phases of Conception, Initiation, Analysis, Design, Construction, Testing, Production/Implementation, and Maintenance.
Spiral Method
a risk-driven process model generator for software projects. Based on the unique risk patterns of a given project, the spiral model guides a team to adopt elements of one or more process models, such as incremental, waterfall, or evolutionary prototyping.
Project Initiation
Systems development life cycle, first phase.
Joint Application Development
management process that allows developers to work directly with users.
Exploratory Model
requirements built on what is available, on assumptions as to how the system might work, planning and trying different designs before development, not cost effective, results in less than optimal systems.
Message
how objects communicate
Method
functionality an object can carry out
Behavior
results or output of an object
Coupling and Cohesion
coupling: level of interaction between objects, low coupling means less interaction and easier to troubleshoot. Cohesion: degree to which an object depends on other objects, high cohesion has low dependence on other objects and is easier to troubleshoot.
Polymorphism
how different objects respond to the same command
Polyinstantiation
creating 2 versions of the same object, versions are distinguished by security levels, prevents inference attacks, enables a relation to contain multiple rows with the same primary key.
Security Kernel
ring level 0, reference monitor. All access to information must go through the kernel, kernel must be protected from any type of unauthorized access or modification.
Security policy
set of rules that dictates how information and resources are going to be managed, framework for the security architecture.
Change Management
a process by which all system changes are tracked, audited, controlled, identified and approved.
Stealth virus
a virus that hides itself from the OS and other protective software, such as anti-virus software.
Polymorphic virus
virus that changes its signature upon infection of a new system, attempting to evade signature-based anti-virus software.
Oligomorphic virus
code similar to polymorphic, but has a decryptor that does not show up on signature list.
Metamorphic virus
reprograms itself, carries various versions of itself. Translates itself into temporary representations and then back to normal code. Capable of infecting more than one OS.
Candidate Key
attributes identifying a record
Primary Key
unique identifier
Attribute
field (column)
Foreign Key
attribute related to another table
Concurrency
allows one change at a time (Database)
Deadlocking
access to data at the same time, both are denied
Inference
the act or process of deriving logical conclusions from premises known or assumed to be true.
ACID
Atomicity, Consistency, Isolation, Durability is a set of properties that guarantee that database transactions are processed reliably
Rollback
ends current transactions, cancels changes, database returns to previous state.
Two-Phase Commit
a type of atomic commitment protocol (ACP). It is a distributed algorithm that coordinates all the processes that participate in a distributed atomic transaction on whether to commit or abort (roll back) the transaction (it is a specialized type of consensus protocol).
Asynchronous token
generates a one-time password, but does not use time synchronization between token and authentication server. A random challenge is generated and sent to the user, who enters the challenge into the token. The token displays a result that the user sends back to the authenticator.
Synchronous token
time-synchronized to an authentication server for the purpose of creating a One-Time Password. The token and the server each have independent clocks that must be synchronized to the same timebase.
Static token
the device which does the authentication does not compute anything, it has a set value stored on the device.
Biometric Type 1 error
False reject rate (FRR) user is authorized, but is rejected.
Biometric Type 2 error
False accept rate (FAR) user is unauthorized but is accepted.
Key distribution Center (KDC)
consists of a ticket granting service and authentication server.
SESAME
secure European system for applications in a multi-vendor environment. Uses symmetric and asymmetric encryption. Compatible with Kerberos v.5. Uses privilege attribute certificates (PAC) instead of Kerberos tickets.
Kerberos
a trusted third-party authentication protocol, establishes single sign-on. Uses symmetric keys for encryption. No PKI or asymmetric encryption involved.
LDAP
Lightweight Directory Access Protocol, an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
MS-CHAP
the Microsoft version of the Challenge-Handshake Authentication Protocol.
Mandatory Access control
based on sensitivity labels, controlled by security policy administrators, users cannot over-ride security policy.
Discretionary Access Control
Users set privileges on information they own, sensitivity labels are not required, dynamic and allows the sharing of information.
Role-Based Access Control
roles are created based on functions and tasks. Users are assigned to roles, permissions are assigned to the roles and users only acquire permissions on the assumption of the role.
Rule-Based Access Control
access is allowed or denied to resource objects based on a set of rules defined by a system administrator.
IDS in passive mode
looks for security breaches, but effectively takes no action.
Anomaly detection
the identification of items, events or observations which do not conform to an expected pattern.
Signature-based detection
evaluates attacks based on a database of signatures written by the vendor or operator.
False positive
accepted activity identified as malicious activity.
False negatives
malicious activity that is not reported.
True Positive
malicious activity identified as malicious activity
True Negative
normal traffic identified as normal traffic.
Pre-emptive multi-tasking
a computer operating system uses some criteria to decide how long to allocate to any one task before giving another task a turn to use the operating system.
Cooperative multi-tasking
a method where multiple tasks are performed during the same period of time - they are executed concurrently (in overlapping time periods, new tasks starting before others have ended) instead of sequentially (one completing before the next starts). The tasks share common processing resources, such as a CPU and main memory.
Multi-threading
the ability of a program or an operating system process to manage its use by more than one user at a time and to even manage multiple requests by the same user without having to have multiple copies of the programming running in the computer.
Forking
developers take a copy of source code from one software package and start independent development on it, creating a distinct piece of software.
Volatile memory
computer memory that requires power to maintain the stored information. It retains its contents while powered, but when power is interrupted stored data is immediately lost.
Non-volatile memory
memory that maintains its content even when unpowered.
Sequential memory
a class of data storage devices that read their data in sequence. This is in contrast to random access memory (RAM) where data can be accessed in any order. Sequential access devices are usually a form of magnetic memory.
Secondary memory
not accessed directly by the CPU. Instead, data accessed from secondary memory is first loaded into RAM and is then sent to the processor. Refers to storage devices, such as hard drives and solid state drives. It may also refer to removable storage media, such as USB flash drives, CDs, and DVDs.
Running State
A process moves into the running state when it is chosen for execution. The process's instructions are executed by one of the CPUs (or cores) of the system. There is at most one running process per CPU or core.
Waiting State
When the processor needs to access external memory, it starts placing the address of the requested information on the address bus. It then must wait for the answer. Each of the cycles spent waiting is called a wait state.
Stopped State
processor or service has stopped execution of the code.
Supervisor State
a hardware mode in which the operating system executes instructions unavailable to an application program; for example, I/O instructions.
Dedicated
system dedicated to particular level. Security clearance for all data, Approved to access all data, Need-to-know for all information.
System High
Security clearance required for all data, Approved to access all data, Need-to-know for all information.
Compartmented/partitioned
Security clearance for all data, Approved to access data they will have access to, need to know for data they will have access to.
Multilevel Security
Security clearance where security clearance dominates the file’s security label. Approved access to data they will have access to, need to know for data they will have access to
Bell-LaPadula simple security property
a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret"), down to the least sensitive (e.g., "Unclassified" or "Public").
Biba Simple Integrity Axiom
a subject at a given level of integrity must not read an object at a lower integrity level (no read down).
Biba * Integrity Axiom
a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up).
Clark-Wilson
Focuses on integrity, uses a subject/program/object relationship, separation of duties.
Chinese Wall
information barrier implemented within a firm organization to prevent exchanges of information that could cause conflicts of interest.
Brewer and Nash
provide information security access controls that can change dynamically. This security model, also known as the Chinese wall model, was designed to provide controls that mitigate conflict of interest in commercial organizations, and is built upon an information flow model.
Graham Denning model
made up of subjects, objects and rights. Subjects can manipulate objects or other subjects based upon their rights. Create/Delete object, subject, read/grant/delete/transfer access right.
Process isolation
each process has its own memory space.
Common Criteria
assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard and repeatable manner at a level that is commensurate with the target environment for use.
TCSEC and ITSEC
TCSEC focuses on confidentiality, ITSEC focuses on CIA triangle. TCSEC: A1, B3, B2, B1, C2, C1, ITSEC: E0-E6, F1-F10
Protection Profile
security requirements to be specified “I want”
Target of Evaluation
a vendor’s product.
Security Target
vendor’s claims of security “I will provide”
Security Requirements Profile
a document used as part of the certification process. a combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales.
Crime Prevention through Environmental Design
a multi-disciplinary approach to deterring criminal behavior through environmental design. the ability to influence offender decisions that precede criminal acts.
Data Center/Server Room
physically secured room which houses servers and data storage devices. Located in core area of facility, not directly accessible from public areas, not located on top floors, on a different electrical grid from building.
Fault
Momentary loss of power
Blackout
Prolonged loss of power
Sag
sag/dip Momentary low voltage
Brownout
Prolonged low voltage
Static Electricity
an imbalance of electric charges within or on the surface of a material. The charge remains until it is able to move away by means of an electric current or electrical discharge.
Corrosion
the gradual destruction of materials (usually metals) by chemical reaction with its environment.
Smoke/fire detectors
heat, flame and smoke detectors. Ionization (smoke), Heat (rate of rise), Photoelectric (smoke), Ultraviolet/Infrared (flame).
Fire extinguisher classes
A: Common combustibles, B: Liquids, C: Electrical, D: Metal, K: Kitchen fires.
Turnstile
personnel entries, one at a time. Designed to prevent tailgating.
Gate
vehicular gates: Class I - residential, Class II - commercial, Class III - Industrial, Class IV - restricted access requiring security personnel (prison, airport)
Bollard
pillars placed to prevent vehicular access
Mantrap
a double-door single-person access control space, first door must close and lock prior to the second opening. Each door requires different form of authentication to open.
Pan/tilt/zoom
closed circuit television, change view of camera
Drill Frequency
how often procedures are practiced
Business continuity plan
Focuses on the business as a whole (everything), Identifies risks to time-critical business processes and functions. Ensures business operations continues in the event of an emergency or disruptive event. Includes disaster recovery plan and continuity of operations.
Disaster Recovery Plan
Focuses on short term fixes for IT oriented disruptions. Designed to minimize decision-making during disruptive events.
RTO
Recovery Time Objective - time required to restore business process before business impact becomes fatal.
Recovery Point Objective
how fresh does the data need to be. When last backed up.
Time Critical Business Process
process with the potential to degrade the ability to do business.
Maximum Tolerable Downtime
Nonessential: 30 days, Normal: 7 days, Important: 72 hours, Urgent: 24 hours, Critical: minutes to hours.
Hotsite
an offsite backup that can be operational in a few minutes or hours. Usually operational in a few seconds.
Coldsite
facility offsite that has no infrastructure in place, but can be operational in 1-2 weeks.
Warmsite
facility offsite that has some infrastructure in place, can be operational within 5 days.
Mobilesite
movable site that can be made operational within 3-5 days.
Crisis management planning
Provides effective coordination between managers in the event of a disruptive event. Crisis communications plan, call trees, emergency operations center, vital records.
Damage Assessment Team
perform damage assessment as prescribed in the operations briefing and in accordance with the teams’ prioritized list of sites.
Recovery Management Team
Emergency Management Team, made up of senior executives, responsible for overall recovery of organization, not concerned with day to day operations, responds to and assists with resolution of issues, spokesperson for organization to the media, decision maker on how to manage the business impacts of the event.
Backup Activation Team
Emergency Response Team: retrieve offsite records and recovery information from offsite storage, report to the alt site, execute the business recovery procedures in prioritized order, communicate status, identify issues and establish shifts, identify replacement equipment/software needed for recovery.
Common Law
Criminal Law “protect people”, Civil Law (Tort Law) “wrongs inflicted on people or business”
Patents
Good for 20 years, invention must be new, useful. Inventor granted exclusive rights during patent period. It is an intellectual property right granted by the Government of the United States of America to an inventor “to exclude others from making, using, offering for sale, or selling the invention throughout the United States or importing the invention into the United States” for a limited time in exchange for public disclosure of the invention when the patent is granted.
Trade Secrets
Intellectual property that is absolutely critical to a business. Protection is solely the responsibility of the business. Commonly protected by non-compete or non-disclosure agreements. Lasts forever or until it becomes public knowledge by legal means.
PCI DSS
Payment Card Industry Data Security Standards, sets the security standards for credit card companies.
Safe Harbor
allows US companies to pass data without prosecution as long as they comply with regulations. EU citizen personal data can not be transmitted, even with permission of the individual, outside the EU.
Negligence
opposite of due care. Can be legally found if the due care was not performed.
Legal Responsibility
requirements by law, legal obligation
Prudent Man Rule
directs trustees "to observe how men of prudence, discretion and intelligence manage their own affairs, not in regard to speculation, but in regard to the permanent disposition of their funds, considering the probable income, as well as the probable safety of the capital to be invested."
Evidence to be admissible
must be legally obtained to be considered in court of law.
Real Evidence
Physical evidence
Secondary Evidence
class of evidence common in cases involving computers. Consists of copies of original documents and oral descriptions. Computer generated logs and documents might also constitute secondary rather than best evidence; however, Rule 1001 of the US federal rules of evidence can allow readable reports of data contained on a computer to be considered original as opposed to secondary evidence.
Direct Evidence
is testimony provided by a witness regarding what the witness actually experienced with his or her five senses. Witnesses must have experienced what they are testifying to, rather than having gained the knowledge indirectly through another person (hearsay).
Chain of Custody
requires that once evidence is acquired, who, what, when, and where with regard to the handling of evidence must be fully documented. Initials and/or signatures on the chain of custody form indicate that the signers attest to the accuracy of the information concerning their role noted on the chain of custody form.
Recovery
means that the system must be recovered (e.g. reinstalled from OS media or image, data restored from backups).
Detective
controls that alert during or after a successful attack. Intrusion detection systems alerting after a successful attack, closed circuit television cameras (CCTV) that alert guards to an intruder, and a building alarm system that is triggered by an intruder are all examples of detective controls.
Corrective
Work by correcting a damaged system or process. Works hand in hand with the detective controls.
Deterrent
deter users from performing actions on a system. Examples include a beware of dog sign. A thief facing two buildings, one with guard dogs and one without, breaks into the one without.
Fiduciary Responsibility
trust and confidence to manage and protect property and/or money or assets of business to the consumer or shareholder.
Due Diligence
is the investigation of a business or person prior to signing a contract, or an act with a certain standard of care. It can be a legal obligation, but the term will more commonly apply to voluntary investigations.
Due Care
The conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others.
Liability
describes the condition of being actually or potentially subject to a legal obligation.
Locard’s Principle
holds that the perpetrator of a crime will bring something into the crime scene and leave with something from it, and that both can be used as forensic evidence.
RAID
Redundant Array of Inexpensive Disks
RAID0
employs striping to increase the performance of read and write. Offers no data redundancy.
RAID1
mirrored set, write performance decreased, read performance increased, half disks are dedicated to redundancy, cost is high.
RAID2
is not considered commercially viable for hard disks and is not used.
RAID3
striped set with dedicated parity, data at the byte level is striped across multiple disks, an additional disk is leveraged for storage of parity information in the event of a failure.
RAID4
striped set with dedicated parity at the block level, just like level 3 but at block level.
RAID5
striped set with distributed parity, one of the most popular configurations, block level striping, parity is spread across multiple disks.
RAID6
striped set with dual distributed parity, unlike RAID 5, RAID 6 allows for 2 disks to fail and still function. This redundancy is achieved by writing the same parity information to two different disks.
RAID10
is just RAID0 and RAID1 together. This makes it striped and mirrored and encapsulated together.
Heisenberg Principle
principle where you cannot know both a particle's position and momentum with unlimited accuracy at the same time
Timing and Storage Covert Channels
the two types of covert channels the Orange Book requires protection against
Change Control Process
One of the key security aspects of revision control and configuration management is the capability to track changes. If problems occur, administrators can examine the system in the context of the software and other installed components to see what might have caused the problem. The first step in creating these traces is to have a policy that mandates a formal change control procedure for all hardware and software systems. This policy should provide for written requests to perform system changes that can include a review for security. Using the policy as the base, the standards and procedures can be written to support the processes that log every change to any information component.
Hardware Change Control
Ideally, every time new hardware and configurations are added to the network, an entry is made to a change control system to track what has occurred. Considering that this is rarely the case, the best way to start this process is to use the risk analysis to determine the hardware inventory. With the hardware inventory, an effort should be made to place the configurations under change management control. Many organizations use the same procedures as software change management to track the changes of the configuration of the various systems. They realize that it is critical to maintain the configuration of firewalls, switches, and intrusion detection systems to ensure that someone does not change them to cover up her bad intentions. Hardware change control is not just keeping track of system and network components. Documentation should also be kept up-to-date on the network configuration, including information on where the network and telephone cables are located. Undocumented network segments might not be protected or can be used to support insider hacking capabilities. Additionally, you might want to document the various telecommunication access points into the network. Unknown and unprotected modems can be used by anyone with access to a telephone to gain access using the software on the user's desktop, which might not be properly configured to protect the network.
Software Change Control
Software change control can have a few components. The most common topic of change control is what is used to track software development. In this case, the change management system can be used to re-create software to a certain revision to roll back from changes that might have caused security concerns or bugs.
Problem management
process of tracking an event back to its root cause to discover and address the underlying cause
Archive bit
Used to mark a backup state - ALL data is backed up and saved - the archive bit is cleared; The differential does not change the archive bit value; an incremental backup changes the archive bit to ZERO
Backup methods
Full, Incremental (You need the last full and ALL subsequent incremental), Differential (You need the last full and last differential)
Vulnerability Scanner
A process to discover poor configurations and missing patches in an environment (use a vulnerability scanner to determine vulnerabilities)
Port Scanner
A port scan is a method used by hackers to determine what ports are open or in use on a system or network. By using various tools a hacker can send data to TCP or UDP ports one at a time. Based on the response received the port scan utility can determine if that port is in use. Using this information the hacker can then focus their attack on the ports that are open and try to exploit any weaknesses to gain access.
Packet Sniffer
Packet sniffing is the act of capturing packets of data flowing across a computer network. The software or device used to do this is called a packet sniffer. Packet sniffing is to computer networks what wire tapping is to a telephone network. Packet sniffing has legitimate uses to monitor network performance or troubleshoot problems with network communications. However, it is also widely used by hackers and crackers to gather information illegally about networks they intend to break into. Using a packet sniffer it is possible to capture data like passwords, IP addresses, protocols being used on the network and other information that will help the attacker infiltrate the network.
Conclusive Evidence
nonrefutable evidence, a.k.a. the smoking gun
Backup Operations Team
Team that takes over the more routine operations of the processes while restoration procedures are initiated.
European Union Privacy
The 1995 Directive was established to provide a regulatory framework to guarantee secure and free movement of personal data across the national borders of the EU member countries, in addition to setting a baseline of security around personal information wherever it is stored, transmitted or processed.