Authorizing access to data > application owner
Data owners are responsible for the use of data.
Data owner holds the privilege and responsibility for formally establishing the access rights.
Qualified persons in IS who have knowledge of IS and user requirements > System analysis
Sharing password > user accountability may not be established.
Access control > prevent unauthorized access to data
Logical access controls > securing software and data within an information processing facility.
Call back features > hooks into the access control software and logs all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches.
Call forwarding > bypassing callback control.
Logical access security > unencrypted password is the greatest concern.
Logical access control review > to determine whether access is granted per the organization’s authorities.
Line grabbing > enable eavesdropping, thus allowing unauthorized data access.
First step of data classification is establish ownership of the data.
Biometric system review steps > 1. Enrollment.
Sensitive > can be performed manually at a tolerable cost for an extended period of time.
Critical > can’t be performed unless they are replaced by identical capabilities and cannot be replaced by manual methods.
Vital > can be performed manually but only for a brief period of time
Non critical > may be interrupted for an extended period of time at little or no cost to the company, require little time or cost to restore.
Defense-in-depth > Firewall as well as logical access control on the hosts to control incoming network traffic.
Diversity-in-defense > Using two firewalls of different vendors to consecutively check the incoming network traffic.
Shoulder surfing > masking password
Piggybacking > unauthorized persons following, either physically or virtually, authorized persons into restricted areas.
Impersonation > someone acting as an employee in an attempt to retrieve desired information.
Dumpster diving > looking through an organization’s trash for valuable information.
Data diddling > changing data before they are entered into the computer.
Neural network based IDS > monitors the general patterns of activity and traffic ont eh network and creates a database.
Statistical-based IDS > Like Neural IDS but has self-learning.
Signature-based IDS > Intrusive patterns identified are stored in the form of signatures.
The need-to-know basis is the best approach to assigning privileges during the authorization process.
Steganography > digital right management (DRM)
Remote booting is a method of preventing viruses, and can be implemented through hardware.
Hashing is irreversible. Encryption is reversible. Hashing creates an output that is smaller than the original message and encryption creates an output of the same length as the original message.
Asymmetric algorithm requires more processing time than symmetric algorithms.
Immunizers defend against viruses by appending sections of themselves to files.
Behavior blockers focus on detecting potentially abnormal behavior, such as writing to the boot sector or the master boot record. Cyclical redundancy checkers (CRC) compute a binary number on an known virus-free program that is then stored in a database file. Active monitors interpret disk operating system and read only memory, basic input output system call.
Computation speed > elliptic curve encryption over RSA encryption. It use encryption methods support digital signatures, used for public key encryption and distribution and are of similar strength.
PKI > cryptography provides for encryption, digital signatures and no repudiation controls for confidentiality and reliability.
SSL > confidentiality
IDS > detective control
VPN > confidentiality and authentication (reliability)
Passive attack > traffic analysis,
Active attack > brute force, masquerading, packet reply, message modification, unauthorized access through the internet or web based services, denial-of-service attacks, dial-in penetration attacks, email bombing and spamming and email spoofing.
Forward error control > transmitting additional redundant information with each character or frame to facilitate detection and correction of errors.
Feedback error control > additional information is transmitted so the receiver can identify that an error has occurred.
CRC > a single set of check digits is generated, based on the contents of the frame for each frame transmitted.
Biometric solution accuracy > False Rejection Rate (FRR), Cross Error Rate(CER): When the false-rejection rate equals the false-acceptance rate and False Acceptance Rate (FAR): How often valid individuals are rejected.
False Acceptance Rate (FAR) > accepting an unauthorized person as authorized.
False Rejection Rate (FRR) > deny access to an authorized individual.
Equal Error Rate (ERR) > point where FAR equal the FRR
False Identification Rate (FIR) > probability that an authorized person is identified but is assigned a false ID.
Los EER is the measure of the more effective biometrics control device.
Degaussing the tapes is the process of magnetic tapes disposal.
Message digests in digital signature show if the message has been altered after transmission.
CA (Certificate Authority) maintains a directory of digital certificates for the reference of those receiving them. It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list maintenance and publication.
Registration Authority (RA) > responsible for the administrative tasks associated with registering the end entity that is the subject of the certificate issued by the CA.
Certificate Relocation List (CRL) > instrument for checking the continued validity of the certificates.
Certification practice statement > is a detailed set of rules governing the certificate authority’s operations.
Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The digital signature standard is a public key algorithm.
The calculation of a hash, or digest of the data that are transmitted and its encryption require the public key of the client (receiver) and is called a signature of the message, or digital signature.
Digital signature provide integrity and nonrepudiation. If we add hash it will provide confidentiality.
Digital signature features > Data Integrity, Authentication, Nonrepudiation, Replay Protection.
Nonrepudiation > claimed sender can’t later deny generating the sending the message.
Data Integrity > changes in the plaintext message that would result in the recipient failing to compute the same message hash.
Authentication > ensure that the message has been sent by the claimed sender.
Replay protection > method that a recipient can use to check that the message was not intercepted and replayed.
Password sniffing > gain access to systems on which proprietary information is stored.
Spoofing > enable one party to act as if they are another party.
Data modification > modify the contents of certain transactions
Repudiation of transactions > cause major problems with billing systems and transaction processing agreements.
Digital Certificates > sender authentication method
Digital Signature > authentication and confidentiality, but the identity of the sender would still be confirmed by the digital certificate.
Message authentication > used for message integrity verification.
Authenticity > prehash code using the sender’s private key.
Integrity > Mathematically deriving the prehash code
Confidentiality > Encrypting the prehash code and message using the secret key
SSL provides > data encryption, server authentication, message integrity and optional client authentication.
SSL use symmetric key for message encryption.
SSL use authentication code for data integrity.
SSL use hash function for generating message digest.
SSL use digital signature certificates for server authentication.
Double-blind testing > users are not aware about the penetration testing.
Targeted testing > IT team is aware of the testing and penetration testers are provided with information related to target and network design.
Internal testing > attacks and control circumvention attempts on the target from within the perimeter.
External testing > generic term that refers to attacks and control circumvention attempts on the target from outside that target system.
Web of trust > feasible for small group
Key distribution center > distribution method suitable for internal communication for a large group with in an institution and it will distribute symmetric keys for each session.
CA > is a trusted third party that ensures the authenticity of the owner of the certificate.
Kerberos Authentication system > the function of a key distribution center by generating tickets to define the facilities on networked machines which are accessible to each user.
Replay attack > residual biometric characteristics, such as fingerprintes left on a biometric capture device may be reused to gain access.
Brute force > feeding the biometric capture device numerous different biometric samples.
Cryptographic attack > Targets the algorithm or the encrypted data
Mimic Attack > reproduce characteristics similar to those of the enrolled user such as forging a signature or imitating a voice.