Sybex Chps 1-7 Flashcards

(122 cards)

1
Q

Integrity is dependent on what?

Confidentiality
Availability

A

Confidentiality

Without confidentiality, integrity cannot be maintained.

2
Q

Availability depends on what?

Confidentiality
Integrity

A

Both.

Without Integrity and Confidentiality, Availability cannot be maintained.

3
Q

True / False

Identification and authentication are always used together as a single two-step process

A

True

4
Q

Should layers be used in serial or in parallel?

A

Serial - these are very narrow but deep configurations

5
Q

__________ simplifies security by enabling you to assign controls to a group of objects collected by type or function.

A

Abstraction

6
Q

True or False

Security governance is the implementation of a security solution and a management method that are loosely connected.

A

False

Security governance is the implementation of a security solution and a management method that are TIGHTLY connected.

7
Q

It is the responsibility of __________ to flesh out the security policy into standards, baselines, guidelines, and procedures.

A

Middle Management

8
Q

Security management is a responsibility of

A

Upper Management

9
Q

Developing and implementing a security plan is evidence of __________ on the part of senior management.

Due Care
Due Diligence

A

Both Due Care and Due Diligence

10
Q

Long-term plan that is fairly stable (5 years or so)

Strategic Plan
Tactical Plan
Operational Plan

A

Strategic Plan

11
Q

Short-term plan, highly detailed

Strategic Plan
Tactical Plan
Operational Plan

A

Operational Plan

12
Q

Mid-term plan (about a year)

Strategic Plan
Tactical Plan
Operational Plan

A

Tactical Plan

13
Q

Change Management is a requirement for systems complying with what classifications of ITSEC?

A

B2, B3, A1

14
Q

True or False

Change Management requires:

1) Detailed inventory of every component and configuration
2) collection and maintenance of complete documentation for every system component

A

True

15
Q

True or False

Data Classification is used to determine how much effort, money, and resources are allocated to protect data and control access to it.

A

True

16
Q

What are the seven major steps to implement a classification scheme?

A
  1. Identify the custodian
  2. Specify the evaluation material
  3. Classify and label each resource
  4. Document any exceptions
  5. Select the security controls
  6. Specify procedures for declassifying resources / transferring custody
  7. Create an enterprise-wide awareness program
17
Q

Will cause significant effects / critical damage

Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified

A

Secret

18
Q

Will cause drastic effects / grave damage

Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified

A

Top Secret

19
Q

Will cause noticeable effects / serious damage

Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified

A

Confidential

20
Q

Does not compromise or cause any noticeable effects

Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified

A

Unclassified

21
Q

In the private sector classification levels, which level is used for private or personal nature?

Confidential
Private
Sensitive
Public

A

Private

22
Q

In the private sector classification levels, which level is sometimes labeled proprietary?

Confidential
Private
Sensitive
Public

A

Confidential

23
Q

In the private sector classification levels, which level may contain medical information or PHI?

Confidential
Private
Sensitive
Public

A

Private

24
Q

Responsible for understanding and upholding the security policy by following the prescribed operational procedures and operating within defined security parameters.

Security Professional
Data Owner
Data Custodian
User
Auditor

A

User

25
Q

Ultimately responsible for data protection

Security Professional
Data Owner
Data Custodian
User
Auditor

A

Data Owner

26
Q

Performs all activities necessary to provide adequate protection to the CIA of data to fulfill requirements

Security Professional
Data Owner
Data Custodian
User
Auditor

A

Data Custodian

27
Q

Responsible for implementing security policy

Security Professional
Data Owner
Data Custodian
User
Auditor

A

Security Professional

28
Q

True / False

COBIT is used not only to plan the IT security of an organization but also as a guideline for auditors.

A

True

29
Q

What is STRIDE used for?

A

Assessing threats against applications or operating systems.
30
Q

What does STRIDE stand for?

A

Used in Threat Modeling

Spoofing
Tampering
Repudiation
Information disclosure
DoS
Elevation of privilege

31
Q

What three things do companies face threats from?

A

Nature
Technology
People

32
Q

What are the basics of Threat Modeling?

A

Threat Modeling is the security process where potential threats are identified, categorized, and analyzed. Key concepts include:

- assets / attackers / software
- STRIDE
- Diagramming
- Reduction analysis
- Rate threats (DREAD)

33
Q

What does DREAD stand for?

A

Used in Threat Modeling

Damage Potential
Reproducibility
Exploitability
Affected Users (% number)
Discoverability
34
Q

What needs to happen before actual security training can take place?

A

Security awareness needs to be created first.

35
Q

What is the primary purpose of the exit interview?

A

To review the liabilities and restrictions placed on the former employee based on the employment agreement, NDA, and other security documents.

36
Q

What is the primary goal of risk management?

A

To reduce risk to an acceptable level

37
Q

How is risk management achieved?

A

Primarily achieved through risk analysis (qualitative and quantitative)
38
Q

The absence or the weakness of a safeguard or countermeasure

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

A

Vulnerability

39
Q

The possibility that a vulnerability can or will be exploited by a threat agent or event

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

A

Exposure

40
Q

Threat * Vulnerability =

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

A

Risk

41
Q

Anything that removes or reduces a vulnerability

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

A

Safeguard

42
Q

The exploitation of a vulnerability by a threat agent

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

A

Attack

43
Q

The occurrence of a safety mechanism being bypassed by a threat agent

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

A

Breach

44
Q

When a breach is combined with an attack, this can result in:

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

A

Penetration or intrusion
45
Q

AV * EF =

A

SLE

46
Q

SLE * ARO =

A

ALE

47
Q

What is the whole point of a safeguard?

A

The whole point of a safeguard is to reduce the Annualized Rate of Occurrence (ARO). Even if the EF stays the same, a safeguard should change the ARO.

48
Q

Should you accept the risk if the cost of the countermeasure is greater than the value of the asset?

A

Yes, accept the risk if the cost of the countermeasure is greater than the value of the asset.

49
Q

How do you calculate the safeguard cost / benefit?

A

ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard (ACS) = value of the safeguard to the company

OR

(ALE1 - ALE2) - ACS

50
Q

This provides anonymous feedback and response to gain a consensus.

A

Delphi Technique

51
Q

True or False

If a security control's benefits cannot be quantified, evaluated, or compared, then it does not actually provide any security.

A

True

52
Q

True or False

If an asset has no value, you do not need to protect it.

A

True

53
Q

True or False

Annual cost of safeguards should not exceed the annual cost of asset loss.

A

True

54
Q

What are the six steps of the NIST Risk Management Framework?

A

1. Categorize
2. Select
3. Implement
4. Assess
5. Authorize
6. Monitor
55
Q

True or False

Training establishes a minimum standard common denominator or foundation of security understanding.

A

False

Awareness establishes a minimum standard common denominator or foundation of security understanding.
56
Q

__________ is the amount of risk an organization would face if no safeguards were implemented.

Residual Risk
Total Risk
Controls Gap
Vulnerability

A

Total Risk

threats * vulnerabilities * asset value = total risk

57
Q

What is the difference between total risk and residual risk?

Residual Risk
Total Risk
Controls Gap
Vulnerability

A

The controls gap (the amount of risk that is reduced by implementing safeguards)

58
Q

Risk that remains after implementing a safeguard

Residual Risk
Total Risk
Controls Gap
Vulnerability

A

Residual Risk

total risk - controls gap = residual risk

59
Q

Copyright law protects works by one or more authors for __________ years

A

70 years after the last surviving author

60
Q

Copyright law protects works for hire for __________ years

A

95 years from the first date of publication or 120 years from the date of creation, whichever is shorter.

61
Q

Protects words, slogans, and logos

Copyright
Trademark
Patent
Trade Secret

A

Trademark

62
Q

Protects intellectual property rights of inventors

Copyright
Trademark
Patent
Trade Secret

A

Patent

63
Q

Patent law protects inventions for __________ years

A

20, beginning at the time of the patent application

64
Q

One of the best ways to protect computer software

Copyright
Trademark
Patent
Trade Secret

A

Trade Secret

65
Q

The best way to sanitize an SSD is:

A

The best way to sanitize a solid state drive is to destroy it.

66
Q

Oftentimes IPSec is combined with __________ for VPNs

A

L2TP
67
Q

What are the seven EU Data Protection Safe Harbor Principles?

A

1. Notice
2. Choice
3. Onward transfer
4. Security
5. Data integrity
6. Access
7. Enforcement
68
Q

ROT3 is another name for:

A

Caesar cipher

69
Q

Caesar Cipher is vulnerable to:

A

Frequency analysis

70
Q

This type of cryptosystem does not guarantee non-repudiation

A

Secret key (symmetric key)

Public key or asymmetric key provides this
71
Q

What is Kerckhoffs's Principle?

A

A concept that algorithms known and made public are more secure (the enemy knows the system)
72
Q

AND (^) truth table:

A

0 ^ 0 = 0
0 ^ 1 = 0
1 ^ 0 = 0
1 ^ 1 = 1

73
Q

OR (˅) truth table

A

0 ˅ 0 = 0
0 ˅ 1 = 1
1 ˅ 0 = 1
1 ˅ 1 = 1

74
Q

NOT (~) truth table

A

~0 = 1
~1 = 0

75
Q

XOR truth table (circle with a plus inside it)

A

0 XOR 0 = 0
0 XOR 1 = 1
1 XOR 0 = 1
1 XOR 1 = 0

76
Q

modulo (mod) is remainder math. 8 mod 6 =

A

2

6 will go into 8 only 1 time with a remainder of 2

77
Q

modulo (mod) is remainder math. 10 mod 3 =

A

1

3 will go into 10 3 times with a remainder of 1

78
Q

modulo (mod) is remainder math. 10 mod 2 =

A

0

2 will go into 10 5 times with a remainder of 0

79
Q

True or False

A nonce is used in an IV as a random bit string that is the same length as the block size and is XORed with the message

A

True

80
Q

An example of Split knowledge is

A

M of N Control
81
Q

What is the difference between a code and a cipher?

A

A code is a set of symbols that represent words or phrases and may or may not be secret. Ciphers are always meant to be secret.
82
Q

Rearrange letters of plaintext message

Transposition Cipher
Substitution Cipher

A

Transposition Cipher

83
Q

Replace each character or bit of the plaintext message with a different character.

Transposition Cipher
Substitution Cipher

A

Substitution Cipher

84
Q

What are the four rules of a one-time pad?

A

1. One-time pad must be randomly generated
2. Physically protected against disclosure
3. Only used once
4. Key must be at least as long as the message

85
Q

What is another name for a running key cipher?

A

Book Cipher
86
Q

Major strength of symmetric key cryptography:

A

The great speed at which it can operate (1,000 to 10,000 times faster than asymmetric)

87
Q

Major weaknesses of symmetric key cryptography:

A

1. Key distribution (out of band)
2. No non-repudiation
3. Not scalable (number of keys needed for large implementations)
4. Keys must be regenerated often (each time a participant needs to leave the group)
5. Provides confidentiality only

88
Q

Major strengths of asymmetric key cryptography:

A

1. New users only require two new keys (public and private)
2. Users can be removed from the system very easily (key revocation)
3. Key regeneration is only required when a private key is compromised
4. Provides confidentiality plus integrity, authentication, and non-repudiation
5. Key distribution is a simple process
6. No preexisting communication links need to exist
89
Q

Major weakness of asymmetric key cryptography:

A

Slow speed

90
Q

DES (Data Encryption Standard)

A

Symmetric Block Cipher
64-bit blocks of text
Key is 56 bits long

Electronic Codebook Mode (ECB)
- vulnerable to creating a code book of all possible values (block)
- do not use except for short transmissions

Cipher Block Chaining Mode (CBC)
- IV must be sent to recipient
- chaining (errors propagate)

Cipher Feedback Mode (CFB)
- Streaming version of CBC
- uses an IV and chaining (errors propagate)

Output Feedback Mode (OFB)
- IV is a seed value (stream)
- no chaining, errors do not propagate

Counter Mode (CTR)
- stream, errors do not propagate
- allows encrypt or decrypt to be broken into multiple independent steps (good for parallel computing)

91
Q

Electronic Codebook Mode (ECB)

A

- block
- vulnerable to creating a code book of all possible values
- do not use except for short transmissions

92
Q

Cipher Block Chaining Mode (CBC)

A

- chaining
- IV must be sent to recipient
- errors propagate

93
Q

Cipher Feedback Mode (CFB)

A

- Streaming version of CBC
- uses an IV and chaining
- errors propagate

94
Q

Output Feedback Mode (OFB)

A

- stream
- IV is a seed value
- no chaining
- errors do not propagate

95
Q

Counter Mode (CTR)

A

- stream
- errors do not propagate
- allows encrypt or decrypt to be broken into multiple independent steps (good for parallel computing)

96
Q

3DES

A

Do not use DES (Replacement for DES)
Uses three iterations of DES with two or three different keys to increase the effective key strength to 112 or 168 bits respectively.

97
Q

IDEA (International Data Encryption Algorithm)

A

Symmetric Block Cipher
64-bit blocks of text
Key is 128 bits long
Capable of the same five modes as DES (ECB, CBC, CFB, OFB, CTR)

98
Q

Blowfish

A

Symmetric Block Cipher
64-bit blocks of text
Key is 32 to 448 bits long
Faster than DES and IDEA
Available for public use

99
Q

Skipjack

A

Symmetric Block Cipher
64-bit blocks of text
Key is 80 bits long
Supports the escrow of encryption keys (NIST and US Treasury)
Capable of the same five modes as DES (ECB, CBC, CFB, OFB, CTR)

100
Q

AES (Advanced Encryption Standard)

A

Symmetric Block Cipher
128-bit blocks of text
Key is:
128-bit requires 10 rounds of encryption
192-bit requires 12 rounds of encryption
256-bit requires 14 rounds of encryption

101
Q

RC-4 (Rivest Cipher)

A

Symmetric Stream Cipher
Streaming (no block size)
Key is 128 bits long

102
Q

Three main ways to exchange symmetric keys

A

1. Offline distribution
2. Public key encryption
3. Diffie-Hellman (uses large integers and modular arithmetic to facilitate the secret exchange of keys over insecure channels)

103
Q

Modern keys should be at least what size to provide adequate protection?

A

128 bits long

104
Q

RSA

A

Asymmetric Cipher
Depends on the computational difficulty inherent in factoring large prime numbers

105
Q

El Gamal

A

Asymmetric Cipher
An extension of the Diffie-Hellman key exchange algorithm that depends on modular (remainder) math.

106
Q

Elliptical Curve

A

Asymmetric Cipher
Depends on the elliptic curve discrete logarithm problem
Provides more security than other algorithms when using the same key length (1088-bit RSA key is equal to a 160-bit Elliptical curve key)

107
Q

What are the five basic requirements for a hash function?

A

1. The input can be any length
2. The output has to be a fixed length
3. The hash function is relatively easy to compute for any input
4. The hash function is one-way
5. The hash function is collision free

108
Q

SHA

A

SHA-2 or SHA-256
512-bit blocks of text
Produces 256-bit message digest
SHA-1 is broken

109
Q

Two goals of Digital Signatures

A

1. Create non-repudiation
2. Assure integrity of message (has not changed in transit)

110
Q

In email, if you need confidentiality, what do you do?

A

Encrypt the message

Sender always encrypts the message

111
Q

In email, if you need integrity, what do you do?

A

Hash the message

Sender always hashes the message

112
Q

In email, if you need authentication, integrity, or non-repudiation, what do you do?

A

Digitally sign the message

Sender always digitally signs the message

113
Q

In email, if you need confidentiality, authentication, integrity, or non-repudiation, what do you do?

A

Encrypt and digitally sign the message

Sender is ALWAYS responsible for using proper mechanisms to ensure the CIA of the email message

114
Q

PGP commercial version uses what?

A

RSA for key exchange
IDEA for encryption
MD5 for message digest

115
Q

PGP free version uses what?

A

Diffie-Hellman for key exchange
CAST 128-bit for encryption
SHA-1 for message digest
116
Q

MD5

A

MD5
512-bit blocks of text
Produces 128-bit message digest
Uses four distinct rounds
Padding: message length must be 64 bits less than 512 bits

117
Q

S/MIME

A

Secure Multipurpose Internet Mail Extensions
Supported by Outlook, Mozilla Thunderbird, Mac OS X Mail
Uses:
- RSA encryption (public key)
- AES encryption (symmetric key)
- 3DES encryption (symmetric key)
118
Q

True or False

SSL relies on the exchange of server digital certificates to negotiate encryption

A

True

1. User accesses a website; the browser retrieves the web server's certificate and extracts the server's public key
2. Browser creates a random symmetric key, uses the server's public key to encrypt it, and sends it back to the server
3. Server decrypts the symmetric key using its own private key, and the two systems exchange all future messages via symmetric key encryption
119
Q

Protects the entire communications circuit by creating a secure tunnel between two points (using hardware or software that encrypts all traffic entering one end of the tunnel and decrypts all traffic exiting the other end)

End-to-end encryption
Link encryption

A

Link encryption

All data, including the header, trailer, address, and routing data, is encrypted. This slows down traffic routing, as each packet has to be decrypted and encrypted at each hop to understand routing information. When encryption happens at lower OSI layers, it is usually link encryption.

120
Q

Protects communications between two parties (for example, a client and a server) and is performed independently of link encryption. Example: TLS between a user and a web server

End-to-end encryption
Link encryption

A

End-to-end encryption

Does not encrypt header, trailer, address, and routing data, so it moves faster from point to point but is more susceptible to sniffers and eavesdroppers. When encryption happens at higher OSI layers, it is usually end-to-end encryption (TLS, SSH).
121
Q

True or False

IPSec relies on public key cryptography

A

True

IPSec uses public key cryptography to provide encryption, access control, non-repudiation, and message authentication using all IP-based protocols. The primary use of IPSec is VPNs, and it is commonly paired with L2TP.
122
Q

True or False

WPA provides end-to-end encryption

A

False

WPA only encrypts traffic between the wireless computer and the AP. After the AP, the traffic is in the clear again.