|
time-based model of security |
|
focuses on the relationship between preventative, detective, and corrective controls |
| |
|
defense in depth |
|
to employ multiple layers of controls in order to avoid having a single point of failure |
| |
|
authentication |
|
focusses on verifying the identity of the person or device attempting to access the system |
| |
|
biometric identifier |
|
users authenticated by verifying some physical characteristic |
| |
|
multifactor authentication |
|
the use of two or all three methods in conjunction |
| |
|
authorization |
|
restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform |
| |
|
access control matrix |
|
a table specifying which portions of the system users are permitted to access and what actions they can perform |
| |
|
compatibility test |
|
matches the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action |
| |
|
social engineering |
|
uses deception to obtain unauthorized access to info resources (tricks) |
| |
|
border router |
|
connects an orgs info system to the internet |
| |
|
firewall |
|
behind the border router
special purpose hardware device or software running on a general purpose computer |
| |
|
demilitarized zone (DMZ) |
|
separate network that permits controlled access from the internet to selected resources |
| |
|
transmission Control Protocol (TCP) |
|
specifies the procedures for dividing files and documents into packets to be sent over the internet and the methods for reassembly of the original document or file at the destination |
| |
|
Internet protocol (IP) |
|
specifies the structure of those packets and how to route them to the proper destination. |
| |
|
routers |
|
special purpose devices designed to read the destination address fields in IP packet headers to decided where to send (route) the packet next |
| |
|
access control list |
|
(ACL)
a set of rules that determines which packets are allowed entry and which are dropped |
| |
|
static packet filtering |
|
screens individual IP packets based solely on the contents of the sources and or destination fields in the IP packet header |
| |
|
stateful packet filtering |
|
maintains a table that lists all established connections between the organization's computers and the internet |
| |
|
deep packet inspection |
|
when the firewall examines the data in the body of an IP packet rather than only looking at the info in the IP header |
| |
|
intrusion prevention systems (IPS) |
|
designed to identify and drop packets that are part of an attack |
| |
|
remote authentication Dial-In user service (RADIUS) |
|
standard method for verifying the identity of users attempting to connect via dial in access.
user connects to remote access server, which passes credentials to RADIUS server which performs compatibility tests |
| |
|
war dialing |
|
calls every telephone number assigned to the organization to identify those which are connected to modems |
| |
|
hosts |
|
the workstations servers, printers and other devices that comprise the organization's network |
| |
|
vulnerabilities |
|
every program running on a host represents a potential point of attack because it probably contains flaws |
| |
|
hardening |
|
the process of turning off unnecessary program features |
| |
|
encryption |
|
process of transforming normal text (plaintext) into unreadable gibberish (ciphertext) |
| |
|
decryption |
|
reverses the process of encryption
transforms ciphertext back into plaintext |
| |
|
key escrow |
|
involves making copies of all encryption keys used by employees and storing those copies securely |
| |
|
symmetric encryption systems |
|
use the same key both to encrypt and decrypt
(DES, AES) |
| |
|
asymmetric encryption systems |
|
uses a public and private key(PKI)
(RSA, PGP) |
| |
|
public key |
|
widely distributed and available to everyone |
| |
|
private key |
|
kept secret and known only to the owner of that pair of keys |
| |
|
hashing |
|
a process that takes plaintext of any length and transforms it into a short code called a hash |
| |
|
hash |
|
plaintext that has been transformed into short code |
| |
|
digital signature |
|
information encrypted with the creator's private key |
| |
|
digital certificate |
|
electronic document, created and digitally signed by a trusted third party, that certifies the identity of the owner of a particular public key |
| |
|
public key infrastructure (PKI) |
|
the system and processes used to issue and manage asymmetric keys and digital certificates |
| |
|
certificate authority |
|
an independent org that issues public and private keys and records the public key in a digital certificate |
| |
|
e-signature |
|
a cursive style imprint of a person's name that is applied to an electronic document |
| |
|
log analysis |
|
process of examining logs to monitor security |
| |
|
intrusion detection systems (IDS) |
|
create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful inrusions |
| |
|
vulnerability scans |
|
use automated tools designed to identify whether a given system possesses any well-known vulnerabilities |
| |
|
penetration test |
|
authorized attempt by either an internal audit team or external security consulting firm to break into the orgs info system |
| |
|
computer emergency response team (CERT) |
|
a team responsible for dealing with major security incidents |
| |
|
exploit |
|
set of instructions for taking advantage of a vulnerability |
| |
|
patch |
|
code released by software developers that fixes a particular vulnerability |
| |
|
patch mgmt |
|
process for regularly applying patches and updates to all software used by the org |
| |
