Sunflower CISSP
Confidentiality
protecting data or a resource from being altered in an unauthorized fashion
integrity
fault tolerance and recovery procedures - depends on the business and the value to the business
Availability
ensuring that a subject is who he says he is - unique user name, account number, etc., OR an issued keycard - must be non-descriptive: you can't tell what someone can do from the name - first piece of credentials
identification
password, phrase, key, token, PIN - looking at the access control matrix / comparing security labels - stacking of authorizations is called Authorization Creep; too many rights is called excessive privileges - granted privileges and system-granted default access - default no access, give only the access that's needed: NEED TO KNOW - second piece of credentials - Strong Authentication if you use 2 out of the three authentication factors (knows, has, is), AKA 2-factor authentication - something a person KNOWS, HAS, IS: knowledge, ownership, characteristics
Authentication
testing of evidence of a user's identity
Accountability
each subject is uniquely identified and actions are recorded
Authorization
rights and permissions granted
privacy
level of confidentiality and privacy protections
Controls Prime objective
is to reduce the effects of security threats and vulnerabilities to a tolerable level
risk analysis
process that analyses threat scenarios and produces a representation of the estimated potential loss
Types of controls
Physical, Technical and Administrative
Information Classification why?
Not all data has the same value; demonstrates the business's commitment to security; identifies which information is most sensitive and vital
Classification criteria
Value, age, useful life, personal association
Levels of classification military
Unclassified - Sensitive but unclassified (answers to tests, healthcare) - Confidential (some damage) - Secret (serious damage) - Top Secret (grave damage)
Private sector classifications
Public - Sensitive - Private - Confidential
Security Awareness
Losses: staff members pose more of a threat than external hackers - loss of money (stolen equipment), loss of time (work hours), loss of reputation (declining trust) and loss of resources (bandwidth theft)
Losses
Policies are the first and highest level of documentation. The very first is called the Senior Management Statement of Policy, stating importance, support and commitment. Types - Regulatory: required due to laws, regulations, compliance and specific industry standards - Advisory: not mandatory but strongly suggested - Informative: to inform the reader
Security policies, standards and guidelines
has classifications and defines the level of access and the method to store and transmit information
information policy
has authentication and defines the technology used to control information access and distribution
Security policies
lists the hardware and software to be used and the steps to undertake to protect the infrastructure
SYSTEM security policy
Specify use of specific technologies in a uniform way
Standards
same as standards, but not mandatory to follow
Guidelines
Detailed steps to perform a task
Procedures
Minimum level of security
Baseline
ultimate responsibility
Roles and responsibilities: Senior Manager
functional responsibility
Information security Officer
Strategic, develops policies and guidelines
Security Analyst
Responsible for the asset - determines the level of classification - reviews and changes classification - can delegate responsibility to the data custodian - authorizes user privileges
owner
Runs regular backups/restores and checks their validity - ensures data integrity and security (C I A) - maintains records in accordance with classification - applies user authorization
custodian
Uses information as part of their job - follows instructions in policies and guidelines - due care: prevents open view (e.g. clean desk) - uses corporate resources for corporate use
end user
examines security controls
Auditor
FISMA (federal agencies). Phase 1: categorizing, selecting minimum controls, assessment. Phase 2: create a national network of secure services to assess
Legislative drivers: FISMA (federal agencies)
8 elements; reassessments; owners have responsibilities. Benefits: consistent, comparable, repeatable
NIST
Determine the impact of the threat and the risk of the threat occurring
Risk Management GOAL
Primary: risk assessment, mitigation methodology. Secondary: data collection and sources for risk analysis
Risk Management activities
Inherent: chance of making an error with no controls in place. Control: chance that the controls in place will prevent, detect or control errors. Detection: chance that auditors won't find an error. Residual: risk remaining after controls are in place. Business: concerns about the effects of unforeseen circumstances. Overall: combination of all risks, aka Audit risk
Types of Risk
Helps to gather the elements that you will need when the actual Risk Analysis takes place.
Preliminary Security Examination (PSE)
Steps: identify assets, identify threats, and calculate risk. Qualitative = HAPPY FACES - higher level, brainstorming, focus groups, etc.
Risk Management - ANALYSIS - Qualitative
Quantitative = VALUES!! - SLE (Single Loss Expectancy) = Asset Value x Exposure Factor (% of asset lost) - ALE (Annual Loss Expectancy) = SLE x ARO (Annualized Rate of Occurrence)
Risk Management - Quantitative
Accept; Mitigate: reduce by implementing controls (calculate the costs); Assign: insure the risk to transfer it; Avoid: stop the business activity. Loss = probability x cost
Risk remedies
Planning and information gathering - assess internal controls - compliance testing - substantive tests - finalize the audit
Risk-Based Audit Approach
flow of information between a subject and an object. CONTROL: security features that control how users and systems
Access Control
active entity that requests access to an object or data within the object (user, program)
Subject
A passive entity that contains information (computer, database, file, program)
object
assurance that information is not disclosed to unauthorized programs, users, processes - encryption, logical and physical access control - the data needs to be classified
Controls-Administrative
Preventive: hiring policies, screening, security awareness (also called soft measures!) - Detective: screening behavior, job rotation, review of audit records
Controls - Technical (aka Logical)
Preventive: protocols, encryption, biometrics, smartcards, routers, firewalls. Detective: IDS and automatically generated violation reports, audit logs.
Physical Controls
Preventive: fences, guards, locks - Detective: motion detectors, thermal detectors, video cameras
Operational controls
Detective, Preventive (PASSWORDS TOO), Corrective (restore controls), Restore (restore resources), Deterrents
Controls-Types- Mandatory access control
Authorization depends on security labels, which indicate clearance and the classification of objects. Military. Restriction: need to know can apply. Lattice based is part of it! A as in mAndatory: Rule based access control. Objects are: files, directories and devices
Discretionary Access Control
Access through ACLs. Discretionary can also mean: controlled access protection, object reuse, protecting the audit trail. User-directed access control, identity based and hybrid based are also forms of discretionary (Identity Based AC)
Non-discretionary access control
A central authority determines what subjects have access, based on policies. Role based / task based. Lattice based can also be applied: greatest lower bound and least upper bound apply
Something a user knows - PASSWORDS
cheap and commonly used; password generators or the user chooses their own; do triviality and policy checking
One-time password aka dynamic password
used only once
Static password
Same for each logon
Passphrase
easiest to remember. Converted to a virtual password by the system
Cognitive password:
easy to remember, like your mother's maiden name
Hacking
access the password file - brute force attack: try many different character combinations (aka exhaustive) - dictionary attack: try many different words - social engineering: convince an individual to give access - rainbow tables: tables with passwords that are already in hash format
password checker and password hacker
both are programs that can find passwords: the checker to see if a password is compliant, the hacker tool for the hacker to use it
hashing encryption
On Windows systems, with the SYSKEY utility, the hashed passwords (LM hash and NT hash) are encrypted in their store - some OSs use a seed, SALT or NONCE: random values added to the encryption process to add more complexity
Something a user has
Key, swipe card, access card, badge, PASSWORDS, tokens
Static Password Token
owner authenticates to token, token authenticates to the information system
Synchronous (TIME BASED) dynamic
uses time or a counter synchronized between the token and the authentication server; SecurID is an example
Asynchronous (NOT TIME BASED)
server sends a nonce (random value); this goes into the token device, which encrypts it and delivers a one-time password; with an added PIN it's strong authentication
Challenge/response token
generates a response to a challenge provided by the system/workstation
Something a user is
What you do: behavioral. What you are: physical
Biometrics
Most expensive - acceptable enrollment time: 2 minutes per person - acceptable throughput: 10 people per minute - IRIS is the same as long as you live - TYPE 1 error: False Rejection Rate (FRR) - TYPE 2 error: False Acceptance Rate (FAR) - CER (Crossover Error Rate) or EER (Equal Error Rate): where FRR = FAR. The lower the CER/EER, the more accurate the system.
Zephyr chart =
iris scan
Fingerprint: stores the full fingerprint
one-to-many identification
finger scan: only the features
one-to-one identification
Scan most widely used today?
Fingerprint
Acceptability Issues in biometrics
privacy, physical, psychological
Fingerprints
made up of ridge endings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae
Retina Scans
Scans the blood-vessel pattern of the retina at the back of the eyeball
Iris Scans
Scan the colored portion of the eye that surrounds the pupil.
Facial Scans
Takes attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account.
Palm Scans
The palm has creases, ridges and grooves throughout it that are unique to a specific person.
Hand Geometry
The shape of a person's hand (the length and width of the hand and fingers) is what hand geometry measures.
voice print
Distinguishing differences in people's speech sounds and patterns
Signature Dynamics
Electrical signals of speed and time that can be captured when a person writes a signature
Keyboard dynamics
Captures the electrical signals when a person types a certain phrase.
Hand Topology
Looks at the size and width of an individual's hand and fingers.
Single Sign On (SSO)
Advantages: ability to use stronger passwords, easier administration, less time to access resources. Disadvantage: once a key is compromised, all resources can be accessed. Thin client is also a single sign-on approach
Single sign-on (SSO) - KERBEROS
Kerberos addresses confidentiality, integrity and authentication, not availability
Kerberos is based on
symmetric key cryptography and is not a proprietary control
KERBEROS time is:
Critical
What is included in Windows now and replaced NTLM (NT LAN Manager)?
KERBEROS
Passwords are never exchanged, only hashes of passwords, in what SSO?
KERBEROS
KERBEROS - benefits?
inexpensive, supported by loads of OSs, mature protocol
Kerberos Disadvantages
takes time to administer, can be a bottleneck or single point of failure
What is the term realm in Kerberos?
indicates an authentication administrative domain. Its intention is to establish the boundaries within which an authentication server has the authority to authenticate a user, host or service.
KDC Key Distribution Center does what?
grants tickets to clients for specific servers. Knows the secret keys of all clients and servers on the network
Client authenticates to the?
KDC