CYSE 101 Midterm 1 Study Guide PDF

Title CYSE 101 Midterm 1 Study Guide
Course Introduction to Cyber Security Engineering
Institution George Mason University
Pages 25
File Size 607.7 KB
File Type PDF

Summary

Very helpful study guide for the midterm for CYSE 101. ...


Description

Chapter 1 Key Terms:
● Information Security: “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction”. In a more general sense, it refers to the protection of assets.
● Confidentiality: Confidentiality is a necessary component of privacy and refers to our ability to protect our data from those who are not authorized to view it.
● Integrity: Integrity refers to the ability to prevent our data from being changed in an unauthorized or undesirable manner. This could mean the unauthorized change or deletion of our data or portions of our data, or it could mean an authorized, but undesirable, change or deletion of our data.
● Availability: Availability refers to the ability to access our data when we need it.
● The Parkerian Hexad: Where the CIA triad consists of confidentiality, integrity, and availability, the Parkerian hexad consists of these three principles, as well as possession or control, authenticity, and utility, for a total of six principles.
● Possession: Possession or control refers to the physical disposition of the media on which the data is stored.
● Authenticity: Authenticity allows us to talk about the proper attribution as to the owner or creator of the data in question.
● Utility: Utility refers to how useful the data is to us.

Types of attacks possible for each component of the CIA triad:
● Interception: Interception attacks allow unauthorized users to access our data, applications, or environments, and are primarily an attack against confidentiality.
● Interruption: Interruption attacks cause our assets to become unusable or unavailable for our use, on a temporary or permanent basis.
● Modification: Modification attacks involve tampering with our asset. If we access a file in an unauthorized manner and alter the data it contains, we have affected the integrity of the data contained in the file.
● Fabrication: Fabrication attacks involve generating data, processes, communications, or other similar activities with a system.
● Threats: A threat is something that has the potential to cause us harm.
● Vulnerabilities: Vulnerabilities are weaknesses that can be used to harm us.
● Risk: Risk is the likelihood that something bad will happen.

Risk Management Process:
● Identify Assets: Refers to the analysis of assets within a network and the evaluation of their value prior to possible attacks.
● Identify Threats: Use either the CIA triad or the Parkerian hexad to determine vulnerabilities of assets and assess threats towards them.
● Assess Vulnerabilities: Replicate a real-world scene in which assets are threatened and determine the causes of threats in order to mitigate them.
● Assess Risks: Explore the likelihood of a real attack being carried out against the assets of a network. For example, if the network holds highly lucrative data containing private information that attackers want, then the risk is higher.
● Mitigate Risks: Lower the likelihood of threats turning into attacks by properly assessing a network’s assets. Work to set up proper measures to protect valuable assets through controls.
  ○ Physical controls: Physical controls are those controls that protect the physical environment in which our systems sit, or where our data is stored.
  ○ Logical and Technical Controls: Logical controls, sometimes called technical controls, are those that protect the systems, networks, and environments that process, transmit, and store our data.
  ○ Administrative controls: Administrative controls are based on rules, laws, policies, procedures, guidelines, and other items that are “paper” in nature. In essence, administrative controls set out the rules for how we expect the users of our environment to behave.
● Incident Response: In the event that our risk management efforts fail, incident response exists to react to such events.
  ○ Preparation: The preparation phase of incident response consists of all of the activities that we can perform, in advance of the incident itself, in order to better enable us to handle it.
  ○ Detection and Analysis: Detect the occurrence of an issue and decide whether or not it is actually an incident so that we can respond to it appropriately.
  ○ Containment, eradication, and recovery: The containment, eradication, and recovery phase is where the majority of the work takes place to actually solve the incident, at least in the short term.
    ■ Containment: Containment involves taking steps to ensure that the situation does not cause any more damage than it already has, or to at least lessen any ongoing harm.
    ■ Eradication: During eradication, we will attempt to remove the effects of the issue from our environment.
    ■ Recovery: Restoring devices or data from backup media, rebuilding systems, reloading applications, or any of a number of similar activities.
  ○ Post incident activity: In the post incident activity phase, often referred to as a postmortem (Latin for “after death”), we attempt to determine specifically what happened, why it happened, and what we can do to keep it from happening again.

Defense In Depth:
● No matter how many layers we put in place, or how many defensive measures we place at each layer, we will not be able to keep every attacker out for an indefinite period of time, nor is this the ultimate goal of defense in depth in an information security setting. The goal is to place enough defensive measures between our truly important assets and the attacker so that we will both notice that an attack is in progress and also buy ourselves enough time to take more active measures to prevent the attack from succeeding.

Chapter 1 Questions & Answers:

Q1: Explain the difference between a vulnerability and a threat.
A1: Threats are things or people that have the capability of causing harm to a user or system, while vulnerabilities are weak points within a system or user that allow an attacker to cause harm to said entity.

Q2: List five items that might be considered logical controls.
A2: Five items that might be considered logical controls include passwords, encryption, logical access controls, firewalls, and intrusion detection systems.

Q3: What term might we use to describe the usefulness of data?
A3: Utility is the term that is usually used to describe the usefulness of data.

Q4: Which category of attack is primarily an attack against confidentiality?
A4: Interception attacks primarily affect the confidentiality of systems.

Q5: How do we know at what point we can consider our environment to be secure?
A5: Following a post incident activity report, the victims of a cyberattack can analyze exactly what happened, why it happened, and plan the proper steps to take to prevent another cyberattack from happening. The environment is never necessarily fully secure; even with multiple layers of protection implemented, there are always ways to breach a system in a cyberattack.

Q6: Using the concept of defense in depth, what layers might we use to secure ourselves against someone removing confidential data from our office on a USB flash drive?
A6 (0.5 out of 1): A secure internal network layer with proper authentication protocols would prevent the unauthorized removal of data on a USB flash drive.

Q7: Based on the Parkerian hexad, what principles are affected if we lose a shipment of encrypted backup tapes that contain personal and payment information for our customers?
A7: The principle of possession or control would be affected if we lose a shipment of encrypted backup tapes.

Q8: If the Web servers in our environment are based on Microsoft’s Internet Information Server (IIS) and a new worm is discovered that attacks Apache Web servers, what do we not have?
A8: It would not be an immediate threat to the web servers in our environment, as the worm would be unable to do much to the IIS servers since it was coded to attack Apache Web servers.

Q9: If we develop a new policy for our environment that requires us to use complex and automatically generated passwords that are unique to each system and are a minimum of 30 characters in length, such as !Hs4(j0qO$&zn1%2SK38cn^!Ks620!, what will be adversely impacted?
A9: Availability would be adversely impacted, as a password of that length and complexity would be nearly impossible for anyone to remember or type in when trying to access the environment.

Q10: Considering the CIA triad and the Parkerian hexad, what are the advantages and disadvantages of each model?
A10: The CIA triad is the most used model of operations in cybersecurity, while the Parkerian hexad is a more complete model that includes more aspects such as possession, authenticity, and utility. While the Parkerian hexad model is more complete, for the purposes of defining aspects of cybersecurity, the CIA triad does a better job as it is a more simplified version of the Parkerian hexad.

Chapter 2 Key Terms:
● Identification: Identification is simply an assertion of who we are. This may include who we claim to be as a person, who a computer system claims to be over the network, who the originating party of an e-mail claims to be, what authority we claim to have, or similar transactions.
● Authentication: Authentication is, in an information security sense, the set of methods we use to establish a claim of identity as being true. It is important to note that authentication only establishes whether the claim of identity that has been made is correct.
● Factor of authentication: In terms of authentication, there are several methods we can use, with each category referred to as a factor. Within each factor, there are a number of possible methods we can use.
● Multifactor Authentication: Multifactor authentication uses one or more factors. Also known as two-factor authentication, which many systems use.
● Mutual Authentication: Mutual authentication refers to an authentication mechanism in which both parties authenticate each other. Both parties authenticate themselves before beginning data exchange.
● Biometrics: The use of technology as a trusted authentication factor to ensure that someone does not falsely authenticate themselves. Biometric characteristics may eventually be reproducible, at which point they will no longer be a trusted authentication factor.
● Biometric Characteristics: Biometric factors are defined by seven characteristics: universality, uniqueness, permanence, collectability, performance, acceptability, and circumvention.
  ○ Universality: Universality stipulates that we should be able to find our chosen biometric characteristic in the majority of people we expect to enroll in the system.
  ○ Uniqueness: Uniqueness is a measure of how unique a particular characteristic is among individuals.
  ○ Permanence: Permanence tests show how well a particular characteristic resists change over time and with advancing age.
  ○ Collectability: Collectability measures how easy it is to acquire a characteristic with which we can later authenticate a user.
  ○ Performance: Performance is a set of metrics that judge how well a given system functions.
  ○ Acceptability: Acceptability is a measure of how acceptable the particular characteristic is to the users of the system.
  ○ Circumvention: Circumvention describes the ease with which a system can be tricked by a falsified biometric identifier.
● Hardware Tokens: Many hardware tokens contain an internal clock that, in combination with the device’s unique identifier, an input PIN or password, and potentially other factors, is used to generate a code, usually output to a display on the token. This code changes on a regular basis, often every 30 s. The infrastructure used to keep track of such tokens can predict, for a given device, what the proper output will be at any given time and can use this to authenticate the user.

Chapter 2 Questions & Answers:

Q1: What is the difference between verification and authentication of an identity?
A1: Authentication follows verification in ensuring that the person or party is who they claim to be. While verification asks for proof of identity, such as a driver's license, authentication runs that ID through a mode of authentication, i.e. black lighting the ID, scanning a barcode, etc., to ensure that the method of verification provided is valid and the person is therefore who they claim to be.

Q2: How do we measure the rate at which we fail to authenticate legitimate users in a biometric system?
A2: The false acceptance rate (FAR) occurs when we accept a user whom we should actually have rejected.

Q3: What do we call the process in which the client authenticates to the server and the server authenticates to the client?
A3: Mutual authentication is the process by which both parties authenticate each other for added security.

Q4: A key would be described as which type of authentication factor?
A4: A key would fall into the category of something you have, as it is a physical form of authentication.

Q5: What biometric factor describes how well a characteristic resists change over time?
A5: Permanence is the biometric factor that tests how well a characteristic resists change over time.

Q6: If we are using an identity card as the basis for our authentication scheme, what steps might we add to the process in order to allow us to move to multifactor authentication?
A6: We could add some form of biometric authentication such as a fingerprint scanner or iris scanner. Additionally, a final PIN or passphrase could be used in the final step of verification.

Q7: If we are using an 8-character password that contains only lowercase characters, would increasing the length to 10 characters represent any significant increase in strength?
A7: Not necessarily, as it would only add a few hours more to the time it takes to crack. Diversifying the types of characters in a password and increasing the length would make for a more secure password.

Q8: Name three reasons why an identity card alone might not make an ideal method of authentication.
A8:
1. Fairly easy to replicate and falsify certain information on, i.e. fake IDs
2. Not the best at storing biometric data such as fingerprints, which can be smudged
3. Easy to lose or have stolen

Q9: What factors might we use when implementing a multifactor authentication scheme for users who are logging on to workstations that are in a secure environment and are used by more than one person?
A9: Location (place you are) authentication, password (something you know) authentication, and identity (something you are) authentication are all factors of authentication that are implemented in this particular multifactor authentication scheme.

Q10: If we are developing a multifactor authentication system for an environment where we might find larger-than-average numbers of disabled or injured users, such as a hospital, which authentication factors might we want to use or avoid? Why?
A10: Something you do, something you are, and the place you are are authentication factors that we should avoid: something you do factors would require disabled patients to perform some sort of physical movement to authenticate; something you are factors might also exclude some people from the verification system, i.e. people with missing limbs who cannot give fingerprints; and place you are factors would require disabled or injured users to move to a certain place in order to pass authentication.

Chapter 3 Key Terms:
● Authorization: Authorization enables us to determine, once we have authenticated the party in question, exactly what they are allowed to do.
● Principle of least privilege: The principle of least privilege dictates that we should only allow the bare minimum of access to a party—this might be a person, user account, or process—to allow it to perform the functionality needed of it. For example, someone working in a sales department should not need access to data in our internal human resources system in order to do their job.
● Access Control: Access controls are the means by which we implement authorization and deny or allow access to parties, based on what resources we have determined they should be allowed access to. When we look at access controls, we have four basic tasks we might want to carry out: allowing access, denying access, limiting access, and revoking access.
  ○ Allowing access: Allowing access lets us give a particular party, or parties, access to a given resource.
  ○ Denying access: Denying access is simply the opposite of granting access. When we deny access, we are preventing access by a given party to the resource in question.
  ○ Limiting access: Limiting access refers to allowing some access to our resource, but only up to a certain point.
  ○ Revoking access: Revocation of access is a very important idea in access control. It is vital that once we have given a party access to a resource, we be able to take that access away again. If we were, for instance, to fire an employee, we would want to revoke any accesses that they might have.
● Access control lists: ACLs are usually used to control access in the file systems on which our operating systems run and to control the flow of traffic in the networks to which our systems are attached.
● Capabilities: Capabilities are oriented around the use of a token that controls our access. We can think of a token in a capability as being analogous to the personal badge we might use to open the door in a building. We have one door, and many people have a token that will open it, but we can have differing levels of access.
● Confused deputy problem: The crux of the confused deputy problem is seen when the software with access to a resource has a greater level of permission to access the resource than the user who is controlling the software. If we, as the user, can trick the software into misusing its greater level of authority, we can potentially carry out an attack.
● Discretionary Access Controls: Discretionary access control (DAC) is a model of access control based on access being determined by the owner of the resource in question. The owner of the resource can decide who does and does not have access, and exactly what access they are allowed to have.
● Mandatory Access Control: Mandatory access control (MAC) is a model of access control in which the owner of the resource does not get to decide who gets to access it, but instead access is decided by a group or individual who has the authority to set access on resources.
● Role Based Access Control: Role-based access control (RBAC) is a model of access control that, similar to MAC, functions on access controls set by an authority responsible for doing so, rather than by the owner of the resource.
● Attribute Based Access Control: Attribute-based access control (ABAC) is, logically, based on attributes. These can be the attributes of a particular person, of a resource, or of an environment.
● Multilevel Access Control: Multilevel access control models are used where the simpler access control models that we just discussed are considered to not be robust enough to protect the information to which we are controlling access.

Chapter 3 Questions & Answers:

Q1: Discuss the difference between authorization and access control.
A1: Authorization dictates what a user is permitted to do in a system. Access control determines which users are given access, denied access, given controlled access or revoked access.

Q2: What does the Brewer and Nash model protect against?
A2: The Brewer and Nash model ensures that only authorized users are able to view and modify files within a system. It protects against possible conflicts of interest.

Q3: Why does access control based on the MAC address of the systems on our network not represent strong security?
A3: MAC addresses are located pretty easily and can even be searched for on the Internet, so they are very bad in terms of security.

Q4: Which should take place first, au...
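The conflict-of-interest protection that Q2 attributes to the Brewer and Nash model, worked through as an added example rather than anything from the guide: a subject may read a company's data only if they have already read that same company's data, or have read nothing else in that company's conflict-of-interest class. The company names, the class assignments and the read-only rule (the model's write rule is left out) are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed sample data: each company dataset sits in one conflict-of-
# interest (COI) class. The two banks conflict with each other; the oil
# company is in a different class and conflicts with neither bank.
COMPANY_COI_CLASS = {
    "BankA": "banking",
    "BankB": "banking",
    "OilCo": "energy",
}


@dataclass
class ChineseWallMonitor:
    """Brewer and Nash read check (the "Chinese Wall" simple security rule).

    Unlike DAC, the owner of a file has no say here: the wall is built from
    the subject's own access history, so the same request can be allowed for
    one consultant and denied for another.
    """
    coi_class_of: dict = field(default_factory=lambda: dict(COMPANY_COI_CLASS))
    history: dict = field(default_factory=dict)   # subject -> set of companies read

    def can_read(self, subject: str, company: str) -> bool:
        if company not in self.coi_class_of:
            return False                          # unknown dataset: default deny
        seen = self.history.get(subject, set())
        if company in seen:
            return True                           # same dataset as before
        cls = self.coi_class_of[company]
        # Deny if any dataset already read lies in the same COI class.
        return not any(self.coi_class_of[c] == cls for c in seen)

    def read(self, subject: str, company: str) -> bool:
        """Enforce the rule and, on success, record the access so that it
        constrains the subject's future requests."""
        if not self.can_read(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


def demo() -> list:
    """One consultant's sequence of requests; returns the allow/deny results."""
    wall = ChineseWallMonitor()
    return [
        wall.read("alice", "BankA"),   # allowed: no history yet
        wall.read("alice", "BankB"),   # denied: conflicts with BankA
        wall.read("alice", "OilCo"),   # allowed: different COI class
        wall.read("alice", "BankA"),   # allowed: same dataset again
    ]


if __name__ == "__main__":
    print(demo())
```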

