Confidentiality
Unauthorized users cannot access sensitive information.
Integrity
Information is complete and not corrupted.
Availability
Authorized users can get to the information or resources.
Vulnerability
A flaw, weakness, or hole in a system or component.
Examples of Vulnerabilities.
*Software buffer overflow
*System: weak or no password
*Comm: no authentication or encryption.
Threat
Something that exploits a vulnerability to affect C, I, A.
Examples of Threats
People: hackers, actors, terrorists.
Code: worm, virus, phish.
Nature: flood, wind, solar, storm.
Risk.
Vulnerabilities + Threats.
Countermeasures.
Tools and techniques we use to reduce risk.
Examples of countermeasures.
Protect (block, prevent)
Detect
React
Offensively
Our adversaries are in a similar position, so we aim to disrupt their mission capabilities and to collect intelligence and conduct operations via cyber means.
Deception
Can be used defensively or offensively.
Identification
"Who are you?"
Verification
Confirming who you are
Authentication.
Proving who you are
Authorization
What you can do
FAR
False Acceptance Rate. (False Positive.)
FRR
False Rejection Rate. (False Negative.)
Rate at which we fail to authenticate legitimate users in a biometric system.
Circumvention
Hard to fool
Types of Biometrics
*Fingerprint
*Hand
*Face
*Voice
*Retina
*Iris
*DNA
*Odor
*Sweat pores
*Lips
Biometrics
Something you are
Access Control
How the system enforces what you are authorized to do
MAC
Mandatory Access Control.
DAC
Discretionary Access Control
Principle of Least Privilege
provide the minimum privilege necessary to complete a task.
Accountability
What did you do
Auditing
Review what you did, test systems, collect information.
Finding installed but unlicensed software on systems
Vulnerability Assessment
Scan for Vulnerabilities.
Penetration Test
Exploit Vulnerabilities.
Cryptography
making codes
Cryptanalysis
breaking codes
Encryption
plain text -> Cipher text
Decryption
Cipher text -> Plain text
Symmetric key
key a = key a
Asymmetric key
key a ≠ key b
Scytale Cipher
Transposition cipher
wrap paper around staff
Caesar Cipher
A substitution cipher that shifts characters a certain number of positions in the alphabet
Vigenere Cipher
a method of encrypting text by applying a series of Caesar ciphers based on the letters of a keyword.
Enigma Machine
a piece of spook hardware invented by a German and used by Britain's code breakers as a way of deciphering German signals traffic during World War Two.
What will happen to 4 digit pin passwords?
Brute force password hackers will break into them quickly.
What are Logical(technical ) controls?
*Intrusion detection systems.
*Encryption
*Firewalls
*passwords.
CIA triad vs. Parkerian hexad
Parkerian is more complete but is not as widely known.
A physical key (like for a door lock) would be described as which type of authentication factor?
Something you have
Why are identity cards alone not a secure method of authentication?
*Subject to change
*may be duplicated
*may be spoofed.
Permanence
How well a characteristic resists change over time
Universality
everybody has one
Uniqueness
everybody's is different
Collectability
I can easily get it
Acceptability
people will let me get it
What is the difference between verification and authentication of an identity?
verification is a weaker confirmation of identity than authentication
What do we call the process in which the client authenticates to the server and the server authenticates to the client?
Mutual authentication
What is the difference between Mandatory Access Control (MAC) and Discretionary Access Control (DAC)?
In DAC, the owner of the resource determines access; in MAC, the owner of the resource does not determine access
Which type of access control would be used in the case where we wish to prevent users from logging in to their accounts after business hours?
Attribute Based Access Control
The Bell-LaPadula and Biba multilevel access control models each have a different primary security focus. Can these two models be used in conjunction?
yes
What does the Brewer and Nash model protect against?
Conflict of interest
The confused deputy problem can allow unauthorized privilege escalation to take place; how does this happen?
software has greater privilege than the user of the software
What is the difference between authorization and access control?
Authorization specifies what a user can do, and access control enforces what a user can do
Which should take place first, authorization or authentication?
Authentication
What is the difference between authentication and accountability?
authentication proves who you are, and accountability records what you did
What impact can good accountability mechanisms have on the admissibility of evidence in court cases?
maintain chain of custody
What does nonrepudiation mean?
sufficient evidence exists such that a user cannot deny an action
What is one direct benefit of logging?
provides a history of system activities
Useful things to audit
Physical security
passwords
software and licenses.
When dealing with legal or regulatory issues, why do we need accountability?
to ensure compliance
What is the difference between a block and a stream cipher?
block ciphers operate on a predetermined number of bits at a time; stream ciphers operate on a single bit at a time
Explain how Triple DES (3DES) differs from DES.
3DES encrypts each block 3 times using DES and a different key
Kerckhoffs's Principles
1. The system must be substantially, if not mathematically, undecipherable.
2. The system must not require secrecy and can be stolen by the enemy without
causing trouble.
3. It must be easy to communicate and remember the keys without requiring
written notes, and it must be easy to change or modify the keys with different
participants.
4. The system ought to be compatible with telegraph communication.
5. The system must be portable, and its use must not require more than one person.
6. Finally, regarding the circumstances in which such a system is applied, it must
be easy to use and must require neither the stress of mind nor the knowledge
of a long series of rules.
ECC
Elliptic curve cryptography. An asymmetric encryption algorithm commonly used with smaller wireless devices. It uses smaller key sizes and requires less processing power than many other encryption methods
Logging benefits
*accountability and liability to users.
*Keeps a record of user activity
*detect and prevent intrusion
*preparing material for legal proceedings.