Domain 3: Security Engineering Flashcards Preview

CISSP > Domain 3: Security Engineering > Flashcards

Flashcards in Domain 3: Security Engineering Deck (256):
1

Ceaser Cipher

substitution cipher, shift 3 letters to the right

2

Four Fundamental Goals of Cryptography

Confidentiality, Integrity, Authentication, Nonrepudiation

3

Key space

defined by bit size. a 128 bit key has a value from 0 to 2^128

4

The Kerchoff Principle

a cryptographic system should be secure even if everything about the system, except the key, is public knowledge

5

Cryptovariables

cryptographic keys

6

Crptography

the art of creating and implementing secret codes and ciphers

7

Cryptanalysis

the study of methods to defeat codes and ciphers

8

Cryptology

Cryptography + Cryptanalysis

9

Boolean mathematics

defines rules used for bits and bytes

10

modulo function

remainder after division

11

One- way function

operation that easily produces output values for each possible combinations of input but makes it impossible to reverse engineer

12

Nonce

random number that acts as a placeholder variable, must be random and used one time only ex: Initialization Vector

13

IV

Initialization Vector - a random bit string as long as the block that is XORed with the message

14

Zero-knowledge proof

The magic door - watch someone go in one entrance and come back before buying their password

15

Work function

time and effort required to perform a complete brute-force attack, directly proportional to the security and protection of the crytosystem

16

Difference between Codes and Ciphers

codes are not meant to provide confidentiality

17

Transposition Ciphers

rearrange the letters of the plaintext

18

Substitution Cipher

replace each bit of plaintext with a different character

19

Ceaser Cipher encryption function

C = (P+3) mode 26

20

Vigenere Cipher

polyalphabetic - alphabet written 26 times

21

Period Analysis

examination of frequency based on the repeated use of the key

22

One-Time Pads

substitution cipher, use a different substitution alphabet for each letter

23

One-Time Pad encryption function

C = (P+K) mod 26, K = key

24

One-Time Pad Security Requirements (4)

Random, used once, physically protected, as long as the message

25

Running Key or Book Cipher

key is as long as the message itself and is often from a book

26

Block Ciphers

operate on chunks of messages

27

Steam Cipher

act on on bit at a time

28

Confusion

relationship btwn plaintext and ciphertext is so complicated that an attacker can't determine the key

29

Diffusion

a change in the plaintext results in multiple changes spread through the ciphertext

30

Symmetric Key Algorithm Pros and Cons

Pro - Very Fast, used for bulk encryption
Cons - key distribution, does not implement non repudiation, not scalable, keys must be regenerated often

31

Symmetric Key Algorithm

relies on a shared key given to all members used to encrypt and decrypt, aka secret key and private key

32

Asymmetic Key Algorithm

public key, each user has a public and private key, receivers public key encrypts, receivers private key decrypts, also digital signature tech

33

Asymmetic Key Algorithm Pros and Cons

Pros - adding new users only requires 1 public-private key pair, easier to remove users, less key regeneration, provides integrity, authentication, nonrepudiation, key distribution is easy, no preexisting relationship is necessary
Cons - speed

34

Which key algorithm?
Single shared key vs key pair
Confidentiality, Integrity, Nonrepudiation, authentication vs Confidentidality
Slow vs Fast
Non Scalable vs Scalable
In-Band vs Out of band exchange
Bulk encyrption vs small blocks of data

Symmetic = Single shared key, Confidentidality, Fast, Non Scalable, Out of band exchange, Bulk encyrption
Asymmetric = Key pair, Confidentiality, Integrity, Nonrepudiation, authentication, Slow, Scalable, In-Band, Small blocks of data

35

Message Digest

Summary of a messages content produced by hashing

36

Hashing provides ____

Integrity

37

DES

Data Encryption Standard - no longer secure, 64 bit block cipher with 5 modes of operation, key is 56 bits, uses 16 rounds of XOR operations to generate ciphertext

38

Symmetric Standards

DES, 3DES, IDEA, Blwofish, Skipjack, AES

39

DES Modes of Operation

Cipher Block Chaining Mode, Cipher Feedback Mode, Output Feedback Mode, Counter Mode, Electronic Codebook Mode

40

ECB

Electronic Codebook mode - least secure, simply encrypts block with same key, enemy could build a code book

41

CBC

Cipher Block Chaining Mode - each block is XORed with the ciphertext block proceeding it before encyrption, IV

42

CFB

Cipher Feedback Mode - streaming cipher version of CBC, real time operation, IV and chaining

43

OFB

Output Feedback Mode - same as CFB but XORs with a seed value, no chaining, uses previous seed value to determine next

44

CTR

Counter Mode - stream cipher, uses a counter for XOR operation

45

3DES

Triple DES - adapted version of DES

46

3DES Versions

DES - EEE3 = 168 bit key length
DES - EDE3 = 168 bit key length
DES - EEE2 = 112 bit key length
DES - EDE2 = 112 bit key length

47

DES-EEE3

encrypts plaintext 3 times using 3 different keys,
C= E (K1, E (K2, E (K3,P)))

48

DES-EDE3

C= E (K1, D (K2, E (K3,P)))

49

DES-EEE2

C= E (K1, E (K2, E (K1,P)))

50

DES-EDE2

C= E (K1, E (K2, E (K1,P)))

51

IDEA

International Data Encryption Algorithm = 64-bit block with 128 bit key, uses 52 16-bit subkeys, open to all, in PGP, same modes as DES

52

Blowfish

64 bit blocks of text, allows use of variable length keys ranging from 32 to 448 bits

53

Skipjack

64 bit block, supports escrow of encryption keys

54

AES

Advanced Encryption Standard - 3 key strengths, 128 bit (10 round of encryption), 192 bit (12 rounds), 256 bit (14 rounds). Processes 128 bit blocks

55

Block Size and Key Size:
AES
Rijndael
Blowfish
DES
IDEA
RC2
RC4
RC5
Skipjack
3DES
Twofish

Block size and key size
AES = 128 bit block, 128, 192 or 256 bit key
Rijndael = Variable block, 128, 192 or 256 bit key
Blowfish = 64 bit block, 32-338 bit key
DES = 64 bit block, 56 bit key
IDEA = 64 bit block, 128 bit key
RC2 = 64 bit block, 128 bit
RC4 = Streaming, 128 bit
RC5 = 32, 64 or 128 bit block, 0-2040 bit key
Skipjack = 64 bit block, 80 bit key
3DES = 64 bit block, 112 or 168 bit key
Twofish = 123 bit, 256 bit key

56

Three Main methods to distribute Symmetric Keys

Offline distribution, Public key encryption, Diffie-Hellmen Key exchange

57

Fair Crytosystems Key Escrow

key is divided into two or more pieces and given to independent third parties

58

Escrow Encryption Standard Key Escro

provides gov't with technical means to decrypt ciphertext

59

RSA

Most famous asymmetric algorithm - depends on the difficulty of factoring large prime numbers, key length of 1088 bits

60

El Gamal

asymmetric encryption, doubles the length of any message it encrypts

61

Asymmetric Key Algorithms

RSA, El Gamal, Elliptic Curve

62

Elliptic Curve

more difficult to solve, only 160 bit kit equivalent to 1088 RSA key. Good for small devices with less processing power

63

Hash Functions

take a long message and generate a unique output known as the message digest

64

5 Requirements for a Cryptographic Hash Function

1. Input can be any length
2. Output has a fixed length
3. Hash Function in relatively easy to compute
4. Hash Function is one-way
5. Hash Function is collision free

65

SHA

Secure Hashing Algorithm, SHA 2 is the most secure
SHA-1 = 512 bit blocks, 160 bit message digest
SHA-256 = 512 bit blocks, 256 bit message digest
SHA-224 = 512 bit blocks, 224 bit message digest
SHA-512 = 1024 bit blocks, 512 bit message digest
SHA-382 = 1024 but blocks, 834 bit message digest

66

MD2

no longer used, 128 bit message digest

67

MD4

message padded to be 64 bits smaller than 512 bit multiple, 3 rounds of computation, 128 bit message digest, no longer used

68

MD5

512 bit blocks, same padding as MD4, reduce the speed, no longer secure, 128 bit message digest

69

Goals of Digital Signatures

Nonrepudiation and Integrity and Authentication

70

How to Digitally sign

Alice hashes plaintext, encrypt message digest using her private key (this is the digital signature), Append signed message digest to plaintext message, Send to Bob, Bob decrypts digital signature using Alice's Public Key, Bob hases the plaintext message, Bob compares the decrypted message digest to his message digest

71

HMAC

Hashed Message Authentication Code implements a partial digital signature, integrity but not non repudiation

72

DSS

Digital Signature Standard - by NIST, aka FIPS 186-4

73

Certificates

provide communicating parties with the assurance that the people they are communicating with are who they claim to be - endorsed copies of an individuals public key

74

Certificate Authority

neutral organization which offer notarization services for digital certificates

75

Enrollment

the process of proving your identity to the CA to obtain a certificate

76

CRL

certificate revocation list

77

OCSP

Online Certificate Status Protocol - eliminates latency of CRL

78

Asymmetric Key Management

Choose encryption system wisely, select keys wisely, keep your private key secret, retire old keys, back up your key

79

If your email needs confidentiality, _________

encrypt the message

80

If your email needs integrity, ___________

hash the message

81

If your email needs authentication, integrity, and/or nonrepudiation

digitally sign the message

82

If your email needs confidentiality, integrity, authentication, and nonrepudiation

encrypt and digitally sign the message

83

PGP

Pretty Good Privacy is a secure email system combining CA concept with web of trust

84

S/MIME

Secure Multipurpose Internet Mail Extensions - de factor standard for encrypted email, uses RSA and X.509 certificates

85

Steganography

embed secret messages within another message

86

DRM

Digital Rights Management - uses encryption to enforce copyright restrictions on digital media

87

Link Encryption

used to protect data in transit - protects entire communication circuits by creating a secure tunnel between two points, encrypts header info so you need to decrypt at points

88

End to End Encryption

used to protect data in transit - protects comms between two parties, more susceptible to eavesdroppers, faster, does not encrypt header info, ex: TLS, Banking, VPN

89

IPsec

provides a complete infrastructure for secured network communications

90

IPsec AH

Authentication Header - provides assurances of message integrity and nonrepudiation

91

IPsec ESP

Encapsulating Security Payload - provides confidentiality and integrity

92

ISAKMP

Internet Security Association and Key Management Protocol - provides background security support services for IPsec by negotiating, establishing, modifying, and deleting SAs

93

Two modes of IPsec

Transport mode - only packet is encrypted
Tunnel mode - entire packet is encrypted

94

Security Association

created to set up IPsec, represents the communication session and records any config and status info about the session, need one SA for each direction of data flow

95

WEP

Wired Equivalent Privacy - protect comms within wireless LAN, outdates

96

WPA

WiFi Protected Access, improves on WEP by implementing Temporal Key Integrity Protocol, outdated

97

WPA

adds AES cryptography

98

Analytical Attack

algebraic manipulation that attempts to reduce the complexity of the algorithm

99

Implementation Attack

exploits weaknesses in implementation, focus on sw code

100

Statistical Attack

focuses on inability to produce totally random numbers

101

Frequency Analysis and the Ciphertext Only Attack

uses known letter frequencies

102

Known Plaintext Attack

Attacker has a copy of the plaintext and ciphertext

103

Chosen Ciphertext

attacker has ability to decrypt chosen portion of the ciphertext

104

Chosen Plaintext

attacker has the ability to encrypt plaintext messages

105

Meet in the Middle Attack

attacker uses a known plaintext and encypts, decrypts equivalent ciphertext and finds which keys match up

106

Man in the Middle Attack

attacker sits between two communication parties and intercepts communications

107

Birthday attack

finds flaws in one to one nature of hasing

108

Replay Attack

attacker intercepts message and later replays it to start a new session

109

Confinement

allows a process to read from and write to only certain memory location and resources aka sandboxing

110

Bounds

limits set on the memory addresses and resources it can access

111

Isolation

a process is confined through enforcing access bounds

112

Controls

uses access rules to limit the access of a subject to an object

113

Trusted System

a system in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment

114

Assurance

the degree of confidence in satisfaction of security needs

115

Security Model

gives software designers something against which to measure their design and implementation

116

Trusted Computing Base

a combination of hw, sw and controls that work together to enforce your security policy, provide methods to access resources inside and outside TCB

117

Security Perimeter

an imaginary boundary that separated the TCB from the rest of the system, prevents insecure comms, need trusted paths for secure comms

118

Reference Monitor

part of the TCB that validates access to every resource prior to granting access requests

119

Security Kernel

collection of components in the TBC that work together to implement reference monitor functions

120

State Machine Model

a system that is always secure no matter what state it is in

121

Information Flow Model

designed to prevent unauthorized, insecure, or restricted information flow

122

Noninterference Model

loosely based on information flow, concerned with how the actions of a subject at a higher security level affect the system state of the actions of a subject at a lower security level

123

Take-Grant Model

shows how rights can be passed from one subject to another or from a subject to an object

124

Access Control Matrix

table of subjects and objects that indicated the actions or functions that each subject can perform on each other

125

Bell-LaPadula Model

No read up, No write down, enforced through DAC, confidentiality is upheld

126

Biba Model

No read down, no write up, Integrity is up held

127

Clark-Wilson Model

objects can only be accessed through an interface

128

Brewer and Nash (Chinese Wall)

blocks conflicting data/access based on competition

129

Goguen-Meseguer Model

subjects are allowed only to perform predetermined actions against predetermined objects

130

Sutherland Model

prevents interference in support of integrity, defines states

131

Graham-Denning Model

secure creation and deletion of both subjects and objects

132

TCSEC or Rainbow Series

set of standards that attempted to specify minimum acceptable security criteria

133

ITSEC

European Model, more focused on integrity and availability

134

TCSEC Categories

A = Verified Protection (all phases of development are evaluated), B= Mandatory Protection (security labels, Bell La-Padula Model), C = Discretionary Protection (basic controls and complete documentation), D = Minimal Protection

135

Red Book

TCSEC for networks

136

Green Book

password creation and management guidelines

137

Common Criteria

global effort to validate products,

138

Structure of Common Criteria

Part 1: Intro and General Model
Part 2: Security Functionality Requirements
Part 3: Security Assurance

139

CC Evaluation Assurance Levels (EAL 1- EAL 7)

EAL1 - Functionally Tested
EAL2 - Structurally Tested
EAL3 - Methodically Tested and Checked
EAL4 - Methodically Designed, Tested and Reviewed
EAL5 - Semi-formally Designed and Tested
EAL6 - Semi-formally Verified, Designed and Tested
EAL7 - Formally Verified, Designed, and Tested

140

PCI-DSS

Payment Card Industry - Data Security Standard, requirements for improving security of electronic payment transactions

141

ISO

International Organization of Standardization

142

Certification

comprehensive evaluation of the technical and nontechnical security features of an IT system

143

Accredidation

management reviews the certification information and decides if it meets the security needs of the org

144

Virtualization

used to host one or more OSs within the memory of a single host computer

145

TPM

Trusted Platform Module - store and process cryptographic keys for the process of hard drive encryption

146

Fault Tolerance

ability of a system to suffer a fault but continue to operate

147

Fault Tolerance is generally achieved through the use of _________

RAID

148

Hardware

tangible part of the system

149

Multitasking

handle two or more tasks at once (not truly multitasking)

150

Multiprocessing

harnessing the power of more than one processor

151

Multiprogramming

pseudosimultaneous execution of two tasks on a single processor, , special software, usually large scale systems

152

Multithreading

multiple tasks performed in a single process (i.e. opening multiple word docs)

153

Single State Systems

use policy mechanisms to manage different levels of info, handle one level at a time

154

Multistate Systems

handle multiple security levels simultaneously

155

Protection Rings

Ring 0- highest level of privilege, kernel/Memory
Ring 1 - Other OS Components
Ring 2 - Drivers, protocols
Ring 3 - User Level programs and apps

156

Dedicated Security Mode

Valid Clearance, Access Approval, & Need to Know for all info

157

Security Modes Need 2 things _____

MAC environment & physical control

158

System High Security Mode

Valid Clearance & Access Approval for all info, Need to Know for some info

159

Compartmented Security Mode

Valid Clearance and Need to Know for all info, access approval for any info

160

Multilevel Security Mode

Not all users have clearance, access approval and need to know for all info

161

ROM

Read Only Memory - has PROM, EPROM, Flash Memory

162

RAM

Random Access Memory - readable and writable, volatile

163

Registers

On board memory

164

Secondary Memory

magnetic, optical or flash based media that contain data not immediately available to the CPU

165

Memory Security Issues

data retention, controlling access, ability to get data off of chips

166

Storage Media Security

Data remanence, sanitization issues, prone to theft

167

Firmware

software that is stored in a ROM chip, BIOS and device firmware

168

Applet

code objects sent from a server to a client to perform some action

169

Java Applets

programs transmitted over the internet to perform operations on remote systems

170

ActiveX Controls

proprietary Microsoft tech, no sandbox restrictions

171

Aggregation

combine records from one or more tables to produce potentially useful info , combine low level info and can get higher level info

172

Interference

use deductive capability to combine prices of nonsensitive data to get classified data

173

Data Mining

comb through data warehouses and look for potentially correlated info

174

Data Warehousing

large databases to store large amount of info

175

Data Analytics

science of raw data examination with the focus of extracting useful info out of bulk info

176

Cloud Computing

processing and storage are performed elsewhere over a network connection

177

Platform as a Service

operating system as a cloud based service

178

Software as a Service

Google Docs, Office 365

179

Infrastructure as a Service

platform + computing services

180

Grid Computing

groups of processors that work together to reach a specific goal

181

P2P

networked app solutions that share tasks and workload

182

ICS

Industrial Control System

183

DCS

Distributed Control Systems - large scale environment from a single location

184

PLC

Programmable Logic Controllers - single purpose digital computers

185

SCADA

Supervisory Control and Data Acquisition - stand alone device or networked

186

Application Control

device mgmt solution on mobile device that limits installation of apps

187

Storage Segmentation

isolate the OS and preinstalled apps from user apps and data

188

Asset Tracking

maintain oversight over an inventory

189

MDM

Mobile Device Management - push or remove apps, manage data, config settings

190

Ways to Secure Mobile Devices

MDM, Storage Segmentation, Asset Tracking, Disabling Unused Features, Remote Wiping, FDE, etc.

191

Application Whitelisting

Implicit Deny

192

BYOD Concerns

data ownership, support ownership, patch mgmt, AV mgmt, forensics, privacy, on-boarding/off-boarding, adherence to corporate policy, user acceptance, Infrastructure considerations, legal concerns, Acceptable Use Policy, Camera/Video

193

Embedded Systems

a computer implemented as part of a larger system ex: smart TVs, HVAC controls, smart appliances, etc.

194

Cyber-physical

any computational device that can cause a movement to occur

195

Methods of Securing Embedded Devices

Network Segmentation, Security Layers, App Firewalls, Manual Updates, Firmware Version Control, Wrappers, Control Redundancy and Diversity

196

Network Segmentation

controlling traffic among networked devices to isolate the static environment - VLANS, MAC Address, IP Addresses, TCP/UDP ports

197

Layering

Protection Mechanism Used to separate functions based on security, only allow communications through specific interfaces

198

Abstraction

object-oriented programming, "black-box" doctrine, don't need to know the details of how the object works just how to use it

199

Data Hiding

data existing at one level of security is not visible to processes running at different security levels

200

Process Isolation

requires the operating system provide separate memory spaces for each process, prevents reading and writing to other processes

201

Hardware Segmentation

similar to process isolation but enforces through physical access controls

202

Principle of Least Privilege

run in user mode whenever possible

203

Separation of Privilege

least privilege for admins

204

Covert Channel

method used to pass info over a path not normally used for communication, best way to detect is to analyze audit logs

205

Covert Timing Channel

alters system component performance or modifies a resources timing

206

Covert Storage Channel

writes data to a common storage area where another process can read it

207

Maintenance Hooks

entry points into a system known only by developer (back doors)

208

Data diddling attack

attacker makes small, random, or incremental changes to data

209

Salami Attack

stealing small amounts of money from accounts

210

Time of Check

time at which the subject checks the status of the object

211

Time of Use

time at which the procedure accesses the object

212

TOCTTOU

Time of check to time of use- attacker replaces original object with another inbetween TOC and TOU

213

Faraday Cage

enclosure that acts as an EM capacitor

214

Critical Path Analysis

define necessary supporting elements for operations

215

Technology Convergence

systems merge over time and perform similar or redundant

216

A proper level of security must be planned and designed before __________

construction begins

217

Administrative Physical Security Controls

facility construction, site management, awareness training, emergency response...

218

Technical Physical Security Controls

access controls, CCTV, IDS, HVAC, etc.

219

Physical Physical Security Controls

fencing, lighting, locks, dogs, guards, etc.

220

Functional order of physical security control types

1. Deterrent
2. Denial
3. Detection
4. Delay

221

MTTF

Mean time to failure - expected typical functional lifetime of the device

222

MTTR

Mean Time to Repair - time to repair device

223

MTBF

Mean time between failures - time between first and any subsequent failures

224

Premises Wire Distribution Room

Wiring closet

225

Server rooms should be located at the _____ of the building

Core

226

Heartbeat Sensor

communication pathway is constantly or periodically checked

227

TEMPEST Measures (3)

Faraday Cage, White Noise, Control Zone

228

Control Zone

implementation of either a Faraday Cage or white noise generation or both to protect a specific area in a environment

229

UPS

Uninterruptible Power Supply - self charging battery

230

Fault

Momentary loss of power

231

Blackout

complete loss of power

232

Sag

Momentary Low voltage

233

Brownout

Prolonged low voltage

234

Spike

Momentary high voltage

235

Surge

prolonged high votlage

236

Inrush

initial surge of power usually associated with connecting to a power source

237

Noise

steady interfering power disturbance or fluctuation

238

Transient

short duration of line noise disturbance

239

Clean

nonfluctuating power

240

ANSI Power Standards for Brownout

allow for 8% drop in power btwn source and facility meter and 3.5% drop between the facility meter and wall outlet

241

Temp and Humidity for rooms

60-70 degrees F, 40-60% humidity

242

Abrupt system shutdown happens at ______ static volts

2000

243

Destruction of data stored on hard drives happens at ____ static volts

1500

244

Scrambling of monitor displays happens at ______ static volts

1000

245

Destruction of sensitive circuits happens at ______ static volts

40

246

Fire Extinguisher Classes

A: Common combustibles; Water, Soda Acid
B: Liquids; CO2, Halon, Soda Acid
C: Electrical; CO2, Halon
D: Metal: Dry Powder

247

Wet Pipe System

always full of water, immediate discharge

248

Dry Pipe System

contains compressed air, discharges water

249

Deluge System

dry pipe, larger amount of water

250

Preaction System

combination dry and wet pipe - most approriate to use

251

What kind of cryptography does SSL/TLS use?

Hybrid but Asymmetric over Symmetric

252

What kind of cyrptography does SSL/TLS use for data exchange?

Symmetric

253

What kind of cyrptography does SSL/TLS use for key exchange?

Asymmetric

254

What is the formula for symmetric cryptography?

[N*(N-1)]/2

255

What is the formula for asymmetric cryptography?

2N

256

Name the 6 testable asymmetric algorithms

RSA, DSA, ECC, El Gamal, Diffue Hellmen, Knapsack