CS406 Study Guide

Navigating this Study Guide

Study Guide Structure

In this study guide, the sections in each unit (1a., 1b., etc.) are the learning outcomes of that unit. 

Beneath each learning outcome are:

• questions for you to answer independently;
• a brief summary of the learning outcome topic; and
• and resources related to the learning outcome. 

At the end of each unit, there is also a list of suggested vocabulary words.

How to Use this Study Guide

1. Review the entire course by reading the learning outcome summaries and suggested resources.
2. Test your understanding of the course information by answering questions related to each unit learning outcome and defining and memorizing the vocabulary words at the end of each unit.

By clicking on the gear button on the top right of the screen, you can print the study guide. Then you can make notes, highlight, and underline as you work.

Through reviewing and completing the study guide, you should gain a deeper understanding of each learning outcome in the course and be better prepared for the final exam!

Unit 1: Introduction to Information Security

1a. Discuss how the need for information security has changed as information technology has evolved

• How did the Department of Defense (DoD) influence the evolution of information security?
• What prompted the three elements of information security?
• Why is the focus of information security today mostly concerned with the protection of personal information?

The Department of Defense (DoD) developed the first computer network by linking computers over telephone lines in the Advanced Research Projects Agency Network (ARPANET). This network is attributed as being the predecessor of the Internet. As the internet evolved into a global network the systems on the network began storing information that needed protection, invoking the development of information security methods.

Before the invention of the network, the protection of systems was more focused on preventing access to systems. The DoD developed the first network, and due to the nature of defense was primarily concerned with the confidentiality of data. When commercial systems came online the concern shifted to integrity. When the Morris Worm was successful in bringing down the internet using the first denial of service (DoS) attack, more concern became apparent for system availability.

The focus today is primarily on protecting personal information. As e-commerce has grown exponentially, more personal data has been collected and stored online raising more concern for personal privacy and the protection of data stored by information systems. Hacking has become more widespread, heightening the demand for information systems security.

To review, see Information Security History and Timeline of the History of Information Security.

1b. Explain how confidentiality, integrity, and availability (CIA triad) applies to information security

• What are the three main categories of harm that can occur with information systems?
• What are the three elements that are the basis of information security and what is the difference between the elements?
• What are the limitations of security in respect to the CIA triad?

The three main categories of harm to information systems are the theft or loss of data, the alteration of data, and the denial of access to data or systems that contain the data. The three elements of information security are confidentiality, integrity, and availability. These three terms collectively are known as the CIA triad. Confidentiality addresses the protection of data from unauthorized access. Integrity addresses the inadvertent modification of data, and availability addresses protecting the system to ensure the data is readily accessible.

The limitations of security are that there must be a balance between information security and functionality. Locking a system down to conform to the tenets of the CIA triad so tightly that it cannot function appropriately is unacceptable. Also, when attempting to secure a system by conforming to one element of the CIA triad, another element may suffer. For instance, the most secure way to protect a system's confidentiality is to unplug it from the internet and lock it away so it cannot be accessed. Of course, this is not feasible as then the system does not provide for availability.

To review, watch The CIA Triad.

1c. Compare threats, vulnerabilities, and risks

• What is the difference between threats, vulnerabilities, and risks?
• What are two ways to reduce risk?
• What can be used to protect against threats and vulnerabilities?

A threat is the possibility of a system exploit, and a vulnerability is a weakness in a system. A risk is the result of a threat exploiting a vulnerability. A threat agent can be a person or hacker that attacks a system through a vulnerability. Vulnerabilities can be weaknesses in procedures such as a weak password policy or a back door in the software.

Risk is the sum of threats and vulnerabilities, and the asset value is sometimes added. The asset value does not change, but controls can be used to decrease threats and vulnerabilities. To reduce risk either threats, vulnerabilities, or both threats and vulnerabilities must be decreased.

Controls are used to mitigate threats and vulnerabilities. This means that safeguards are put in place to protect the confidentiality, integrity, and availability of a system. Just as was discussed in the previous section, controls must not protect one tenet of the CIA triad while another element suffers. Controls must be effective while still providing a balance between security and system functionality.

To review, see Threats and Vulnerabilities and The Elements of Security: Vulnerability, Threat, Risk.

1d. List steps in the risk management process

• Why is risk management important in information systems?
• What are the four steps of the risk management process?
• What are the basic activities that occur in each of the four steps?

As we have seen in previous units, it is not possible to eliminate all risk in a system. The level of threats and vulnerabilities can change over time and can vary when there are changes in the system environment. Therefore, it is important to have a continuous process to manage and monitor risk.

The risk management process defined by NIST SP 800-39 identifies the four steps of the risk management process as risk framing, risk assessment, risk response, and risk monitoring. Risk framing is evaluating an organization's risk management approach such as the acceptable level of risk tolerance, organizational policies, laws, and regulations. The most important part of this step is getting senior leadership's commitment to implement the risk management strategy.

Risk assessment is where the risk is identified and classified, and the value of the assets is determined. In this step, risk is determined by identifying the threats and the vulnerabilities that can affect the organization. Risk assessment measures the impact of a potential risk to an organization using either a qualitative or a quantitative method.

How to address or mitigate the risk is called risk response. This is the step where a determination is made about the appropriate controls needed to mitigate risks. Risk can be accepted, avoided, mitigated, shared, or transferred. If a risk is less than the acceptable risk tolerance level of the organization the risk can be accepted. If a risk level is too high, it can be avoided by removing the software or product that is responsible for the risk. Mitigating a risk means to fix or close a vulnerability. Sharing risk means to lessen the level of the risk by sharing it with another organization, possibly by outsourcing. Transferring risk can occur by purchasing insurance.

Risk monitoring is the perpetual evaluation of the controls and of the changes needed to manage the risk. In this step, an organization will determine the appropriate type of monitoring such as compliance monitoring to determine if the risk response or risk controls are being implemented correctly, effectiveness monitoring to determine if the controls selected are effective, and a determination on monitoring changes due to changes in the system hardware, software, or the environment. The organization will document changes and identify weaknesses in new technology and will continue to evaluate the effectiveness of the controls.

To review, see Risk Management, NIST SP 800-39, and More on Risk Management.

1e. Assess the stages of the incident response process

• Why is there a need for incident response?
• What are the four steps of the incident response process?
• What are the main activities that occur in each of the four steps of the incident response process?

The need for incident response is due to the frequency of attacks on systems. When a breach occurs, an organization should have a plan that outlines the steps to take to respond to the attack quickly and systematically. Knowing how to respond and being able to respond quickly helps to minimize the effect of the attack on the system and to secure system data. The information gained when responding to the attack should be used to protect from future events and to strengthen the methods used to secure the system.

The four steps of the incident response process are; preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. To prepare for incident response, all elements of the system should first be secured to protect against an attack. An incident response team is established as well as the tools the team may need to respond to an incident such as forensic software, laptops, and cell phones for communication.

In the detection and analysis phase, detection occurs first and then the attack is analyzed. Detection may occur through automated capabilities such as intrusion detection systems (IDSs), security information and event management (SIEM), antivirus or file checking software, monitoring services, and system logs, or manually by users or technicians. Incident analysis is where the detected attack is analyzed, and a determination is made if an attack is occurring or if the indicator detected a false positive. Another option is that the indicator is positive but an attack did not actually occur, such as in a system failure. The team should record all facts of the incident, should prioritize incidents, and should notify those that need to respond to the incident.

In the containment, eradication, and recovery phase the team determines the containment strategy and stops the attack from occurring. Evidence is gathered and documented, and the attacking host may be identified if there is time. Once contained, the systems are recovered by restoring them to normal operating condition and eradicating the components of the attacker, such as removing malware.

The post-incident activity consists of reviewing the incident to ensure it does not again occur. A meeting is held to review the lessons learned and to determine what could have been done better by the incident response team. The documents collected may be important for the risk assessment process that was reviewed in the previous section.

To review, read NIST SP 800-61 and watch Incident Response.

1f. Categorize security controls by type (administrative, physical, or technical) and function (preventive, detective, deterrent, or compensating)

• What are some examples of the three types of security controls?
• What type of controls can be preventive, detective, deterrent, and compensating?
• What is an example of a physical control that is a deterrent?

The three types of security controls are administrative, physical, and technical controls. Administrative controls are the development of written policies and procedures for an organization. Some examples of administrative controls are hiring and disciplinary policies, or security awareness training. Physical controls protect the system resources and can be locked doors, access controls to a server room, or environmental controls. Technical controls protect the hardware and software resources and can be encryption or authentication and access controls for the software and hardware.

The most known functions of controls are preventive, detective, deterrent, and compensating. A preventive control is used to prevent an attack from occurring. An example of a preventive control is a lock on a server room door. The lock will prevent unauthorized access to the server room that contains system resources. A detective control identifies an event or identifies that there is the risk that an event could occur. Intrusion detection system (IDS) software is an example of a detective control. A deterrent is used to discourage an event from occurring. The threat of being disciplined keeps most people from stealing, so it is a deterrent for theft. The last function is compensating and can be explained using the example of insurance. If data that is insured is lost and is insured, the insurance provider will pay to have the data restored or for legal proceedings.

Control types and functions are combined and they work together. For instance, an administrative control type with a deterrent function is the consequence given when an employee violates a policy. A preventive and technical action could be a firewall. A physical control that is a deterrent could be a high fence or lights at night.

To review, see Security Control Types, Security Control, and Security Control Functions.

1g. Propose a defense-in-depth security strategy

• What is the purpose of the multiple layers of security controls in the defense-in-depth principle?
• What typically occurs with the number and placement of security devices with the defense-in-depth strategy?
• What is a typical defense-in-depth security strategy?

The principle of defense-in-depth provides for multiple layers of security, so that if one layer fails there is another layer beneath the failed layer to protect the system. The principle of defense-in-depth is often compared to the layers of an onion; just as in the onion, when you peel back one layer there is another layer underneath. Each layer protects against a system breach and each layer provides additional protection.

The layers of defense are placed at different levels and in different places in the network. If the layers are all in the same place there can still be a point of failure. This means that there may be redundancy with equipment and controls, such as more than one firewall to protect the system.

A typical defense-in-depth strategy could be routers that secure the perimeter, and the next layer might be firewalls that use stateful packet filtering, and the last layer is intrusion detection and intrusion protection systems.

To review, see Introduction to Defense-in-Depth, Defense-in-Depth Example, and Defense-in-Depth.

1h. Explain why humans are the weakest link in security and how human behavior can be modified through security awareness and training programs

• What is the main reason that humans are the weakest link in security?
• What is the easiest way for a hacker to obtain login information?
• What is the best way to modify human behavior to prevent an attack?

Humans are the weakest link in security because of human behavioral issues. The most common issue with humans is that they are prone to making errors. For instance, human error can be attributed to system viruses due to antivirus software being disabled by users, the leaking of a company's sensitive information by sharing data on devices that are lost or stolen, the use of unapproved devices and software by employee's, or the lack of technical knowledge to appropriately secure a system.

If a hacker plans to attack a system, the simplest way is to obtain the login information from a user through social engineering. The reason that social engineering is so successful is that humans are prone to be trusting of other humans. Attackers using social engineering techniques may obtain system credentials from authorized users that will allow them unauthorized access to a system.

Security awareness and training programs are the best way to modify human behavior and to prevent an attack. An organization usually has policies and standards written to prevent a security breach, but employees must be made aware of the policies for them to be effective. The type of training for employees should be geared toward position types, such as managerial, administrative, or technical. 

To review, see The Human Factor, Humans are the Weakest Link, Security Awareness, Training, and Education, and Security Threats and the Human Factor.

1i. Describe the purpose of prominent security frameworks

• What are five of some of the main security regulations and security frameworks in information security?
• Of the five security regulations, which one is the standard used across the information technology (IT) industry?
• Which regulation would be of primary concern in an industry that processes payment cards?
• Which regulation is of most concern for state and local governments?

Five of the main security regulations and frameworks in information security are ISO/IEC 27001, Federal Information Processing Standards (FIPS), Control Objectives for Information and Related Technologies (COBIT) 5, Payment Card Industry Data Security Standard (PCI DSS), and the Center for Internet Security (CIS) Top 20 Controls.

ISO/IEC 27001 is an international standard that provides best practices for information security management systems. The standard addresses people, processes, and technology. The document provides 114 controls in 35 control categories. A control is a way to counter or to safeguard against a security risk. 

The payment card industry strictly follows the guidance of the Payment Card Industry Data Security Standard (PCI DSS). This guidance is for all organizations that process credit or debit cards. The reason that those in the industry closely abide by this standard is because of the penalties that can be dealt with when abusing the system. Those that follow the guidance of PCI DSS also adhere to the Top 20 Controls. As is stated in the name of the framework, there is a list of 20 controls, and these controls map to PCI DSS. Twenty controls were chosen because they protect against approximately 91% of attacks.

State and local governments pay more attention to the Federal Information Processing Standards (FIPS), although FIPS is required for all U.S. government agencies. FIPS compliance means that an organization complies with the Federal Information Security Management Act of 2002, also known as FISMA. This regulation requires organizations to reduce risk in information technology to an acceptable level but doing so at a cost that is considered reasonable.

To review, see Security Frameworks, Center for Internet Security (CIS) Controls, and Payment Card Industry Data Security Standard (PCI DSS).

Unit 1 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

• administrative
• analysis
• asset
• availability
• awareness
• behavior
• confidentiality
• containment
• controls
• detection
• detective
• deterrent
• eradication
• exploit
• hacker
• incident
• integrity
• intrusion
• mitigate
• physical
• policy
• recovery
• regulation
• risk
• technical
• tenet
• threat
• vulnerability

Unit 2: Threats and Attack Modes

2a. Distinguish between threats, attacks, and threat agents

• What is the difference between a threat and an attack?
• What is a threat agent?
• How are threats identified and prioritized?

A threat is the potential for an attack, and an attack is an assault on a system. A threat can be an attacker that means to cause harm when possible, an employee or insider that intentionally or unintentionally attacks a system, or a threat could be the environment such as the possibility of a hurricane or a tornado. An attack is an action to interrupt services or to bypass controls to access a system. There are many types of attacks that are discussed in additional sections in this unit.

A threat agent, sometimes called a threat actor, is the individual or group that exploits vulnerabilities. A threat agent attacks a system and can be a type of malware, a hacker, an employee, or a nation-state. Each type of threat agent has a different motivation for being an attacker.

The threat landscape changes often and is what is known as a moving target. There are so many threats today that no one person can identify or know them all. The best way is to pay attention to data breach reports and news on cyber threats. Threats should be identified and then prioritized according to the possible impact of the threat.

To review, see Threat Terminology, Privacy Threats, and An Overview of Threats.

2b. Discuss access control attacks, such as brute-force attacks, man-in-the-middle attacks, and zero-day exploits

• What is the difference between passive and active attacks?
• What is the significance of the brute-force birthday attack as related to the birthday paradox?
• What is the purpose of a man-in-the-middle attack?
• When is a zero-day exploit identified?

Passive attacks gather data or information about a system, but the attack will not attack the system resources to alter the functionality of the system. These types of attacks are more difficult to detect but simpler to prevent. An active attack may change the way a system operates and is more easily detected, but more difficult to prevent.

In cryptography, the birthday attack is a brute-force attack. For example, when obtaining a password by brute-force, an attacker tries all possible password combinations to gain access. The birthday attack is the possibility that a hash can be duplicated without changing the original message, and this duplication is called a collision. The birthday paradox is the possibility of people in one room having the same birthday which statistically is a 50% chance if there are 253 random people in a room. The birthday attack is based on the statistical occurrence of the birthday paradox.

A man-in-the-middle attack is when the communication between two parties is intercepted by an attacker. The parties usually do not know that the attacker is intercepting the communication. Man-in-the-middle attacks are used by hackers for several different purposes; to steal information, to analyze traffic, or to corrupt data to become part of a denial-of-service attack (DoS).

Zero-day exploits are vulnerabilities in software that are known to attackers but unknown to system maintainers. Zero days refers to the number of days that the maintainers know about the vulnerability. Vulnerabilities, once known, are listed in databases that are usually available to the public. One commonly known database is the common vulnerabilities and exposures (CVE) database maintained by the MITRE Corporation.

To review, watch Types of Attacks, Birthday Attacks, What is a Botnet?, and Zero-Day Exploits. Also, read Classifying Threats, More on Botnets, Man-in-the-Middle Attacks, Teardrop Attacks, What is War Dialing?, and More on War Dialing.

2c. Examine spoofing attacks, such as email, phone number, and internet protocol (IP) spoofing

• What is meant by spoofing and what is the primary goal of spoofing?
• What are some common spoofing techniques?
• How can a spoofed email be identified?
• How should a receiver respond to a spoofed telephone call?

Spoofing is pretending to be someone or something that you are not. There are many reasons or goals for spoofing, but the primary reason an attacker may use spoofing is for financial gain. Another reason may be to gain access to a system to obtain protected information.

Some common spoofing techniques are: Man-in-the-middle attacks where an attacker intercepts messages between two parties; IP address spoofing is falsifying an IP address to impersonate a sender, or to conceal the address of a sender; phishing is masquerading as a trusted person to gain protected information; email address spoofing is to conceal the address of the originator.

To identify a spoofed email review the address bar to confirm the email address is from the sender. Pay particular attention to the domain name to ensure it is correct. When in question, call the company and ask if the message is legitimate.

Spoofed telephone calls are from false caller ID numbers. To protect from spoofed calls, do not answer when the caller ID shows as unknown, or is from an unrecognized number. If you answer and there is a recording asking you to select a number to stop getting the calls do not respond. Not answering or responding is the best way to respond to spoofed calls.

To review, read Spoofing Attacks, A Comprehensive Analysis of Spoofing, Email Spoofing, Caller ID Spoofing, and ID Address Spoofing.

2d. Identify social engineering attacks, such as dumpster diving, shoulder surfing, tailgating, phishing, spear-phishing, whaling, and pretexting

• What is social engineering and what are the two categories of social engineering attacks?
• What kinds of security leaks can be found in the trash and what is this kind of attack?
• What can attackers gain by shoulder surfing and how is it different from tailgating?
• What is the purpose of whaling and who is the target?

Social engineering is when attackers influence individuals to disclose protected information. The two categories of social engineering attacks are human-based and computer-based. A human-based attack is when the attacker contacts the target. A computer-based attack is gathering information from technology such as cell phones or social media websites.

Dumpster diving is when an attacker finds protected information or equipment in the trash. To prevent information from being stolen, documents should be shredded before discarding and devices should be erased.

Shoulder surfing is watching over an individual's shoulder by standing behind them, by watching through a window, using a camera, or other methods that allow the monitor to be viewed as information is entered into a system. Login and information and protected data may be compromised while shoulder surfing. To protect against this type of attack, users should remain aware of their surroundings when entering protected information into a system.

Tailgating is when one person follows another through a secure entry point. The person that tailgates may or may not have authorized access to the area. To ensure this does not happen, the person that enters the secure location should ensure that the door or entry device closes behind them and that no one follows them into the secure location.

Whaling-phishing, usually referred to as whaling, is a type of spear-phishing attack. Spear-phishing is a type of targeted phishing attack, and whaling is targeting a person with a high profile in a company. The only difference between phishing, spear-phishing, and whaling is the target.

There are other types of social engineering that have not been mentioned. One that is commonly used is pretexting or designing scenarios that will make victims trust the attacker, and then providing the attacker with protected information. A typical way this occurs is when an attacker telephones a user and impersonates company help desk personnel. The user feels comfortable and trusts the attacker, and provides the attacker with protected or personal information, such as passwords and usernames.

To review, read An Overview of Social Engineering, Dumpster Diving, One Man's Trash is Another Man's Treasure, Shoulder Surfing, Tailgating, Phishing, Spear-phishing, and Whaling, Pretexting, and watch How to Protect Against Tailgating.

2e. Discuss application attacks, such as buffer overflows, time of check to time of use, back doors, and escalation of privilege

• Why are attacks often launched against applications?
• What effect can a buffer overflow have on an application?
• How can a time of check to time of use (TOCTTOU) and an escalation of privilege attack be prevented?

Attacking an application can give an attacker the same result as when attacking a network, only the attack on an application is easier to successfully achieve. Applications are often unprotected by common defense methods and they are not as secure as networks. An attacker can gain control of a system through an attack on an application when performed correctly.

A buffer is temporary memory and is a place where information is temporarily stored while in use. If an attacker sends too much information to the buffer, the overflow information will be stored outside the buffer. If an attacker's data moves outside the buffer, the attacker can gain control of the system.

A TOCTTOU attack is a race condition that is caused by a software bug. When an authorized change is in progress and the system is locked down, the change may still occur because access to the software was already authorized. One technique that can be used to prevent the TOCTTOU attack is exception handling.

Escalation of privilege is when an attacker gains access at a low level and has the capability to raise their access to a higher level. This may occur by an attacker accessing a system and then taking over an account of a user at a higher level. Different methods can be used to prevent escalation of privilege, but the primary method is through least privilege. Least privilege is when users are limited only to the access needed to perform their jobs. When the method of least privilege is used and an attacker takes over another account the privileges gained will be limited.

To review, watch Application Attacks, Types of Application Attacks, The Basics of Buffer Overflows, More on Buffer Overflows, and Escalation of Privilege. Also, read Time of Check to Time of Use and  Application and Escalation of Privilege.

2f. Describe web application attacks, such as those involving cross-site scripting (XSS) and SQL injection

• What is the best defense against application attacks?
• How can a cross-site scripting (XSS) attack be prevented?
• What kind of injection attacks affects databases?

Since networks are hardened and are a more challenging target for attackers, applications have now become the focus of attackers. The best protection against application attacks is an improved design approach by application developers. When developers incorporate appropriate data validation techniques into the application and the techniques are properly tested for effectiveness by someone outside the organization, attackers find it more difficult to successfully attack the application.

Cross-site scripting (XSS) is used as a method to attack applications. Malicious code is inserted in a form on a web page. The code is then relayed to the server where the web page resides and is sent to a client system to be executed. One of the most important methods to prevent XSS is through data validation. Validation is testing the data to verify that the appropriate format is submitted before it is accepted into the system.

Cross-site scripting attacks database servers, and structured query language (SQL) injection attacks can attack a database. In SQL injection attacks, an attacker inputs SQL commands into the system from a form or an input field, and the commands are passed on to the database. The malicious SQL commands may modify or retrieve information in the system's database.

To review, read Cross-Site Scripting, Examples of Cross-Site Scripting, How Does XSS Work?, SQL Injection, Examples of SQL Injection Attacks, How Application Flaws Enable SQL Injection, and watch Types of Application Attacks.

2g. Distinguish between types of malware attacks, such as viruses, logic bombs, Trojan horses, and worms

• What are three types of malware and how do they differ?
• What is the purpose of spyware and adware?
• How can a logic bomb be used in a DDoS attack?

 Three common types of malware are viruses, trojans, and worms. A virus needs a host, and to be effective it must replicate and activate its malicious code. A trojan disguises itself as something needed or wanted by a user. A trojan is used to get a user to download a virus. A worm differs from a virus in that it can replicate itself across a network without the assistance of a host.

Spyware collects system information and sends it to an attacker, and adware entices users to make purchases. Spyware is accomplished through malicious code that may make changes to system settings. Adware may load advertisements, possibly as pop-ups, and may cause poor system performance.

Another type of malware is logic bombs. Code is inserted into a system that can be set to cause harm once certain conditions have been met. A logic bomb may be inserted into many other systems and all set to launch at the same time creating zombies to launch a distributed denial-of-service attack (DDoS).

To review, watch Common Types of Malware, Malware Functions, and The Security Risks of Viruses, Worms, and Trojan Horses, and read Computer Viruses, Worms, Trojan Horses, Spyware, and Adware, Types of Trojan Horses, and Logic Bombs.

2h. Examine denial of service (DoS) and distributed denial of service (DDoS) attacks

• What is the goal for an attacker that commits a denial of service (DoS) attack?
• What leg of the CIA triad is affected by a DoS attack?
• What systems are used to initiate a distributed denial of service (DDoS) attack?

A denial of service (DoS) attack is when many requests are sent to a system, so many requests that the system cannot manage the traffic. An attacker attempting a denial-of-service attack differs from other attacks in that the attacker is not trying to gain access to a system, nor is the attacker trying to steal information. When an attacker launches a DoS attack, the attacker is attempting to disrupt the operation of the system.

The CIA triad represents confidentiality, integrity, and availability. If a DoS attack is successful, the system will shut down and will not be available to users. If the system shuts down, the tenet of the CIA triad that is affected is availability.

The difference between a DoS attack and a distributed denial of service (DDoS) attack is the number of systems that are used in the attack. A DoS attacks one system using one other system, but DDoS attacks a system using multiple compromised machines to attack one other system. The machines attack the system by sending more traffic than the system can handle, resulting in a system shut down.

To review, read How DoS Attacks Work and watch Denial of Service (DoS), Distributed Denial of Service (DDoS) and Types of DoS and DDoS Attacks.

Unit 2 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

• adware
• application
• attack
• birthday
• brute-force
• buffer overflow
• code
• distributed
• dumpster
• exploit
• injection
• internet protocol
• logic bomb
• malicious
• phishing
• pretexting
• shoulder surfing
• spear phishing
• spoofing
• spyware
• tailgating
• threat
• threat actor
• threat agent
• traffic
• trojan
• validation
• vulnerability
• web application
• whaling
• worm
• zero-day

Unit 3: Cryptographic Models

3a. Describe the history of cryptography and the role of cryptography in information security systems

• How did WWI and WWII influence the history of cryptography?
• What is the significance of the data encryption standard (DES)?
• What was the important cryptographic development made by Diffie and Hellman?

One of the earliest methods of cryptography was substitution ciphers as was seen in the Caesar cipher. When WWI began, there were advancements in computational power such as the breaking of the German Enigma code by Rejewski in Poland. When the Germans changed the way the Enigma was used, more resources were required, and Turing stepped in to build an electronic machine to break code in much less time than what was done previously by hand.

Modern cryptography began in the late 1940s, and twenty years later a significant development was designed by IBM. The National Bureau of Standards, now known as the National Institute of Technology (NIST), submitted the data encryption standard (DES). The cipher was developed to support secure communication for financial organizations. The DES was the first publicly accessible cipher algorithm that was acknowledged by a crypto agency, the National Security Administration (NSA).

Diffie and Hellman published a paper on a new method of key distribution. Prior to their publication, symmetric keys were used that had the logistical problem of secret keys being disbursed to both the sender and the receiver. Diffie and Hellman's method of asymmetric keys used a private and public key, and only the private key is kept secret. This method is still in use today.

To review, read History of Cryptography, Classical Cryptosystems, Caesar Cipher, and One-time Pads.

3b. Discuss the goals of cryptography

• What are the four main goals of cryptography?
• How does cryptography support non-repudiation?
• How do certificate authorities support authentication?

The four main goals of cryptography segue with the CIA triad, but are not identical to the three tenets of the CIA triad. Cryptography cannot directly protect for availability but can protect for integrity and confidentiality. Thus, the four goals of cryptography are confidentiality, integrity, authentication, and non-repudiation. Confidentiality and integrity can be reviewed from the discussion in a previous unit. Authentication is proving who you are, and non-repudiation means the sender cannot deny sending the message.

Non-repudiation can be confirmed using digital signatures. A message is hashed, and then the hashed method is encrypted using asymmetric encryption. The digital signature is the encrypted-hashed data and the sender's public key. The sender encrypts the message using their private key, and the receiver decrypts the message using the sender's public key.

Certificate authorities (CA) are vital to asymmetric encryption and authentication. The CA is a trusted third party that generates certificates and certifies the ownership of public keys. Without the third-party CA, asymmetric encryption would not be available.

To review, read Cryptographic Goals and Confidentiality, Integrity, and Authenticity, and watch Confidentiality and Non-Repudiation and Cryptographic Authentication.

3c. Compare symmetric key and asymmetric key algorithms

• What is the main difference between symmetric and asymmetric key encryption?
• Is symmetric or asymmetric key encryption faster?
• What are the advantages of each type of encryption?

Symmetric key encryption uses one secret key. The same key is used by both the sender and the receiver to encrypt and decrypt. In asymmetric key encryption, encryption and decryption are accomplished using two keys: a public and a private key. The public key is used for encryption and the private key is used for decryption.

Symmetric key encryption is faster than asymmetric key encryption. The key lengths used for symmetric key encryption are shorter than those used for asymmetric key encryption. Asymmetric key encryption uses longer key lengths for a more complex algorithm to make it more difficult for attackers to crack the keys.

As stated in the previous paragraph, an advantage of symmetric key encryption is that encryption is faster due to the shorter key length. Symmetric keys also provide for confidentiality and authenticity. An advantage of asymmetric keys is that they are easier to distribute than symmetric keys. Asymmetric keys also provide for non-repudiation.

To review, read Symmetric Key Ciphers, Asymmetric Key Ciphers, and Cryptographic Hash, and watch What is Symmetric Key Encryption?, What is Asymmetric Encryption? and Hashing.

3d. Discuss the different types of symmetric and asymmetric key algorithms

• What are the eight types of symmetric encryption and the six types of asymmetric key algorithms that were discussed in the curriculum?
• What method was used to crack the data encryption standard (DES), and what replaced the DES algorithm?
• What method was used to exchange cryptographic keys over a non-secure channel?

In this course, eight types of symmetric and six types of asymmetric key algorithms were discussed. The symmetric algorithms were DES, 3DES, AES, RC4, RC5, RC6, Blowfish, and Twofish. The asymmetric algorithms were RSA, DSA, PGP, GPG, Diffie-Hellman, and Elliptic-curve.

Data encryption standard was readily cracked by brute force due to the short key length of 56 bits. To make this algorithm cryptographically stronger, the algorithm was used to encrypt each block of data three times with different keys. Due to the number of times the data was encrypted, the algorithm was named 3DES.

 The Diffie-Hellman key exchange was designed by Diffie and Hellman in 1976. The key exchange used public and private keys that were securely exchanged over non-secure communications lines. Diffie-Hellman was the first to introduce the idea of public and private keys.

To review, see Symmetric Key Algorithms and Asymmetric Key Algorithms.

3e. Identify hashing algorithms and their role in creating digital certificates

• What is the purpose of hashing?
• How does hashing differ from symmetric and asymmetric encryption?
• What are two ways that a hash is used?

Hashing is an algorithm that produces a message digest or hash value. This value represents the contents of a message. If the message is altered the hash will not be the same as no two messages will have the same hash value. A receiver will know if a message has been altered because the hash value will be different. Hashing protects data integrity.

Hashing differs from symmetric and asymmetric encryption in that it is a one-way encryption tool. A hash computes quickly and will always produce the same result on the exact same message. If a message is slightly altered the hash or message digest will change greatly. A hash does not use a public or private key.

A hash is used in a digital certificate. The message is first hashed, and then the message digest and the public key is encrypted and sent to the receiver. A hash can also be used for patching downloads. The hash for the patch is published, and before downloading the hash of the patch is compared to the patch to be downloaded. This protects from accidentally downloading malware to a system.

To review, see Cryptographic Hash, Message Digest History, Digital Certificates, Message Digest 5 (MD5), Secure Hash Algorithm (SHA-0, SHA-1, and SHA-2), FIPS PUB 202: SHA-3, and Hashed Message Authentication Code (HMAC).

Unit 3 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

• algorithm
• asymmetric encryption
• authentication
• certificate authority (CA)
• cipher
• decrypt
• digital certificate
• encrypt
• enigma
• hash
• malware
• message digest
• National Institute of Technology (NIST)
• National Security Administration (NSA)
• non-repudiation
• private key
• public key
• substitution
• symmetric encryption

Unit 4: Access Control

4a. Discuss the need for access control in information systems

• What are some challenges of access control?
• What is the role of access control?
• Describe three main areas of access control to include authentication, authorization, and audit.

Access control is used to protect the confidentiality of data. The challenge is that not all users require the same level of access or have the same clearance level to view data. An employee's role is always changing, and employees in an organization constantly change as well.

Access control is controlling what can be done and by whom on a computer. This means restricting access to data on a system. When gaining access to a system, access control requires a user to authenticate and to be allowed authorization to the system. 

Authentication means that the user proves who they are, usually by entering a password. When the system acknowledges the username and password combination as correct, the system authorizes the user's access to the system. Auditing is recording the user's activity on a server, or that the user accessed the system.

To review, see Access Control.

4b. Describe access control terms such as privilege creep, need-to-know, least privilege, separation of duties, access control matrix, and access control list (ACL)

• How are least privilege and need-to-know related?
• How does separation of duties protect from fraud?
• What is the relationship between an access control list (ACL) and an access control matrix (ACM)?

Least privilege means to give a user the least amount of access needed to perform their job. Need-to-know means to give a user access only to the systems and data needed to perform their job. Least privilege and need-to-know are related as both are based on the level of access a user needs to perform their job.

Separation of duties is when more than one person is required to complete a task. This may mean that the same person that builds a server does not also audit the same server. Separation of duties prevents fraud by requiring the collusion of two or more people to commit fraud.

An access control list (ACL) is a list of subjects, the objects they are authorized to access, and the level of authorization. An access control matrix is a table that links a subject's permissions to objects in a system. In the columns of the ACM resides the ACL.

To review, see:

• Least Privilege, Separation of Duties, and Need-to-Know
• Relationship Between Least Privilege and Need-to-Know
• Separation of Duties
• Access Control Matrix and Access Control List (ACL)
• Least Privilege and Privilege Creep
• Least Privilege Affect on Attacks

4c. Compare and contrast mandatory access control (MAC) and discretionary access control (DAC), and the advantages and drawbacks of each

• What is the main difference between mandatory access control (MAC) and discretionary access control (DAC)?
• What type of agency typically uses mandatory access control (MAC) and discretionary access control (DAC)?
• What are the advantages of mandatory access control (MAC) and discretionary access control (DAC)?

Mandatory access control (MAC) is based on the security clearance level of the user. A user cannot access data that has a higher security level than that of the user. Discretionary access control (DAC) is identity-based access control. The owner of the data controls who is allowed access.

Mandatory access control (MAC) is typically used by the government and the military. In these organizations, the desire is to own, control, and protect the data. Discretionary access control (DAC) is typically used by most other agencies. In these agencies, users have control over the files they create.

Mandatory access control (MAC) is more secure than discretionary access control (DAC). MAC is not automatically scalable, and users must request access and cannot configure their own access. Discretionary access control (DAC) is easier to maintain and to implement than MAC, but DAC has a lower level of protection than MAC and there is no central access management control.

To review, see:

• Mandatory Access Control (MAC) and Discretionary Access Control (DAC)
• Comparing Bell-LaPadula and Biba Models
• Comparing MAC and DAC
• Bell-LaPadula Model
• Simple Security, Star Property, and Discretionary Security Property
• Biba Model

4d. Differentiate between role-based access control (RBAC) and rule-based access control (RB-RBAC)

• What is the set of rules used in an RBAC system?
• When would role-based access control (RBAC) be used?
• How does the rule-based access control (RB-RBAC) model differ from the role-based access control (RBAC) model?

Role-based access control (RBAC) is based on the role of a user in a system. The role can be defined by a particular user, a group, a default role, or specially defined roles. Rules are set by policies that define the access needed for roles.

Role-based access control (RBAC) is used to control access for users based on the role of a user. If an organization has a large turnover of employees RBAC is desired for easier account deletion. When new employees are hired it is also easier to add them and give them permissions based on their job description.

Rule-based access control (RB-RBAC) is based on rules or policies that are set for everyone. If a company wants to restrict hours that employees can work a policy can be written in an RB-RBAC model. Role-based access control (RBAC) sets policies for users based on their role in the organization. 

To review, see Role-Based Access Control (RBAC), Rule-Based Access Control (RB-RBAC), RB-RBAC versus the RBAC Model, and RBAC Access Control.

Unit 4 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

• access control list
• access control matrix
• audit
• authentication
• authorization
• confidentiality
• discretionary access control
• least privilege
• mandatory access control
• need-to-know
• role
• role-based access control
• rule-based access control
• separation of duties

Unit 5: Identification and Authentication

5a. Explain identification and authentication, and the methods used for each, such as passwords, tokens, and biometrics

• What are the differences between identification, authentication, and authorization?
• What is the most common form of authentication?
• What are some drawbacks with tokens and biometrics?

Identification is evidence of who a subject claims to be. Identification may be provided by a username or an identifying number such as an account number. Authentication means proving that the identification is valid. For example, a user may authenticate using a password or pin number. Authorization is one the subject has identified and authenticated, then access is given or authorized.

Passwords are the most common form of authentication and are typically characters used to identify a subject. To be secure methods of authentication, passwords should be properly managed. One way to manage passwords is to limit sign-on attempts, and when stored on a system, passwords should be encrypted and hashed. Most importantly, passwords should be kept secret and should not be shared.

Tokens and biometrics are very secure but are also costly. Tokens require a lot of overhead to manage, the employees must be trained on how to use them, and tokens are often lost and must be replaced. Biometrics cannot be lost like a token but are more costly to maintain. Biometrics also have the issue of privacy as some feel that their privacy is invaded by providing biometric data to be used as a method of authentication.

To review, see Identification, Authentication, and Authorization, Password Security, Biometrics, Authentication and Authorization Basics, Tokens and Biometrics, and Security and Accuracy of Biometrics.

5b. Discuss human authentication factors: something you know, something you have, something you are

• What are three common methods of authentication?
• What are some common factors that represent something you are?
• How can the three authentication factors be made more secure?

The three methods of authentication are something you know, something you are, and something you have. Something you know can be a password. Something you are can be your fingerprints. Something you have can be a token or smart card.

Biometric data represents the factor of something you are and is the most secure of the three factors. The most common biometric used today is fingerprints. As technology has developed, some other methods that are becoming more common are DNA, voice recognition, facial recognition, and retinal patterns.

 Using a combination of the factors, or using multifactor authentication is more secure than the use of one factor alone. For instance, using a token and a pin is something you have and something you know. Multifactor authentication is the use of two or more factors and should not be confused with using two of the same factor such as a pin and a password.

To review, see Human Factors Used in Authentication, Methods of Authentication, and Authentication Factor Descriptions.

5c. Differentiate between single-factor, two-factor, multi-factor, and mutual authentication

• What is the purpose of multifactor authentication?
• What is the weakest level of authentication?
• What level of authentication is the most secure?

Multifactor authentication increases the level of security. For instance, if an attacker knows a user's login information, they can log into a system as that user. But if multifactor authentication is in use the system may send a one-time passcode to the user's cell phone. This would prevent the attacker from accessing the system even when the username and password were known.

Single-factor authentication using a username and password is the weakest level of security. As stated previously, if an attacker knows the username and password they can log in as the user. When the password is unknown an attacker can use methods such as brute force or a dictionary attack to guess the password.

The most secure authentication method is two-factor or multifactor authentication. Two-factor authentication is authenticating twice using two different human authentication methods. Multifactor authentication is using two or more different authentication methods. For instance, using two passwords or a password and a pin are both something you know and do not qualify as two-factor or multifactor authentication. A password and a token are something you know and something you have, so together they qualify as two-factor or multifactor authentication.

To review, see Multifactor Authentication, Authentication Forms, Authentication, and Mutual Authentication.

5d. Explain the purpose, advantages, and disadvantages of single sign-on (SSO)

• Why would a user want to use single sign-on (SSO) technology?
• What are some limitations of single sign-on (SSO) technology?
• What is a disadvantage of single sign-on (SSO) technology?

Users often have many systems to log into with different passwords and password requirements. When this happens and employees cannot remember the passwords, they often bend the rules and write their passwords down. To alleviate trying to remember passwords, single sign-on can be implemented so that users log into one system and access is granted to all authorized systems.

Single sign-on is a good tool to alleviate the need for remembering passwords and for decreasing the amount of time needed to log into multiple systems, but it has limitations. To log into applications using single sign-on the applications must accept the same credential format and interpret the format the same. Otherwise, the user will log into the application using the credentials provided by the application without the benefit of using a single sign-on.

Even though there are advantages to using single sign-on technology and users prefer it, there are disadvantages. When using one password to access many systems the vulnerability increases. This means that if an attacker gains access to the single sign-on password the attacker will have access to all the systems that grant access via single sign-on. Another problem can be when a user forgets their single sign-on password access to all systems may be prohibited.

To review, see Kerberos, Kerberos History, Single Sign-On (SSO), Kerberos Facts, and Kerberos Weaknesses.

5e. Explain Kerberos-based authentication and its dependency on the key distribution center (KDC)

• What makes the key distribution center an important part of Kerberos?
• What are the five keys used in Kerberos?
• What are some weaknesses of Kerberos?

Every time a user logs into a system by entering a password, that password is sent over the internet. Kerberos uses encryption and the key distribution center to avoid sending the password over the internet. When a user authenticates, Kerberos stores a session ticket on the user's machine that is used for authentication.

Kerberos uses a principal key, a session key, the ticket-granting service (TGS), the service key, and the service session key. The important keys to understand are the principal key which is the user's password, and the session key that is created by the key distribution center (KDC). One other key that should be understood is the session key used to encrypt communication during the initiated session.

Kerberos is a tool that can provide more system security, but it also has its weaknesses. If the key distribution center (KDC) fails all users will be prohibited from accessing the system. In addition, Kerberos is not immune to attackers. If a dictionary attack is successful Kerberos will authenticate to the attacker.

To review, see Kerberos, Kerberos History, Kerberos Facts, and Kerberos Weaknesses.

5f. Discuss the use and functionality of Lightweight Directory Access Protocol (LDAP)

• What is a directory service?
• What is the protocol structure of lightweight directory access protocol (LDAP)?
• What is the purpose of lightweight directory access protocol (LDAP)?

Directory services store and organize data and can be used for lookups and searches, like an address book. The first directory service program containing information on users' accounts was the X.500 that defined a directory access protocol (DAP) based on the open systems interconnection (OSI) network protocols. The lightweight directory access protocol (LDAP) was developed from DAP and the transmission control protocol/internet protocol (TCP/IP) internet protocols. Some of the features of DAP are included in LDAP, but not all, and there are some new features as well.

Lightweight directory access protocol (LDAP) has a tree-like structure called a directory information tree (DIT). The top of the tree is the root, representing the owner of the directory. Other entries are called objects and have a designated place in the tree. The path to an entry is called the distinguished name (DN). The tree structure allows for users and applications to interact with the directory.

The purpose of using lightweight directory access protocol (LDAP) is to store usernames and passwords in one location. Users can be authenticated by using the directory to validate credentials. Do not confuse active directory with LDAP, LDAP is a protocol that communicates with active directory.

To review, see Lightweight Directory Access Protocol (LDAP), Directory Services Overview, and Kerberos and Lightweight Directory Access Protocol (LDAP).

5g. Compare and contrast the characteristics, advantages, and limitations of authentication protocols like Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS+), and Diameter

• What is the first step in the system authorization process?
• What services are provided by an authentication service?
• What does remote authentication dial-in user service (RADIUS), and terminal access controller access control system (TACACS) encrypt?
• What are some advantages to using Diameter as an authentication protocol?

The first step in the system authorization process is authentication. Users provide credentials to prove their identity and then the credentials are compared to a database. If the credentials are accepted, either the authorization is granted by the system, or the credentials are sent to an authorization service.

An authentication service is a protocol that provides authentication, authorization, and accounting services. Authentication is validating a user's identity, authorization is providing authorized access to authenticated users, and accounting is logging usage activity. 

Remote authentication dial-in user service (RADIUS) is an authentication protocol with robust accounting features. RADIUS encrypts the end user's password. Terminal access controller access control system (TACACS+) is an authentication protocol, and the accounting features are less robust than RADIUS. TACACS+ encrypts all transmissions that occur between devices.

Diameter was designed to overcome the limitations of RADIUS as it provides end-to-end security. Although RADIUS uses encryption, Diameter is more secure because it is protected by the transport layer security (TLS).

To review, see Authentication Protocols, Diameter, and Authentication Services.

5h. Explain public-key infrastructure (PKI) and the use of digital certificates

• What is the role of the certificate authority (CA) in public-key infrastructure?
• What is a digital certificate?
• How does a registration authority (RA) differ from a certificate authority (CA)?

Public-key infrastructure relies on certificate authorities (CA) to issue digital certificates. The private key is used in digital certificates, and the CA verifies the owner of the public key. The CA is the third party that is trusted by both the sender and the receiver.

A digital signature proves that the message was from the sender, meaning it provides for non-repudiation. A digital certificate is a hashed message encrypted with the sender's private key. The receiver knows that the message was signed by the sender and the message has not been altered.

The CA verifies and publishes the user's public keys using the CA's private key. A registration authority (RA) is also a trusted third party like the CA. The RA registers and deletes users from the PKI database, and verifies the identity of users to be entered into the database.

To review, see Certificate and Registration Authorities, Digital Certificate Defined, Certificate Authorities, and Digital Certificate.

Unit 5 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

• authentication
• authorization
• biometric
• certificate authority (CA)
• digital certificate
• directory access protocol (DAP)
• directory information tree
• distinguished name (DN)
• encrypt
• facial recognition
• fingerprint
• identification
• internet protocol (IP)
• Kerberos
• key distribution center (KDC)
• lightweight directory access protocol (LDAP)
• limitation
• multifactor
• one-time passcode
• pin
• principal key
• private key
• public key
• public-key infrastructure (PKI)
• registration authority (RA)
• remote authentication dial-in user service (RADIUS)
• retinal patterns
• service key
• session key
• sign on
• single-factor
• terminal access controller access control system (TACACS+)
• third-party
• token
• transmission control protocol (TCP)
• two-factor
• voice recognition

Unit 6: Network Security

6a. Describe how network designs such as segmentation, zoning, and redundancy can protect networks

• What are the security advantages of demilitarized zones (DMZ), network address translation (NAT), network access control (NAC), virtualization, subnetting, and segmentation?
• What is meant by redundancy and how can it be accomplished in information systems?
• What type of network design could be used to create a honeypot?

The security advantage of a demilitarized zone (DMZ) is by using two routers, it allows traffic into the DMZ but keeps that traffic from entering the internal network. A network address translation (NAT) router also protects the internal network by hiding the private internet protocol (IP) addresses from untrusted networks. Network access control (NAC) protects networks, and wireless networks, from granting access to devices that meet certain criteria such as type of operating system, or devices that are not patched or do not have current anti-malware versions installed. Virtualization provides security by making it simpler to recover or fix compromised systems and then bring them back online. Subnetting can increase the security of a network by segmenting systems and grouping them by security level. Resource segmentation uses virtual local networks (VLANS) to increase security by segmenting and layering a network based on user groups, resource types, or a combination of the two.

The primary purpose of redundancy is to ensure system availability and reliability in case of failure. Redundancy is the duplication of critical elements of a system and can be thought of as the backup of a system. In information systems, this can be accomplished using two computer processing units (CPUs), when one fails the other takes over. On the internet, it can be using different paths. If one path fails, for instance, if one cable is cut, there is an alternate path.

A honeypot is a way to deflect attackers from areas of sensitive system data. Once the attacker has entered this area their methods can be tracked and studied to determine how to make the system more secure. To create a honeypot, network segmentation can be used. Segmentation protects the regular traffic from the attacker.

To review, see section 6.1: Network Security Design.

6b. Explain how firewalls filter or block traffic, the appropriate placement of firewalls in networks, and common firewall terminology such as stateless packet filtering, stateful packet inspection, and deep packet inspection

• How does a firewall block traffic?
• Where would a stateful or stateless firewall be placed?
• Where should firewalls be located around a demilitarized zone?
• Where should firewalls be located around a demilitarized zone?
• What are the three techniques used in deep packet inspection (DPI)?

Firewalls block traffic according to a predetermined set of rules. The rules are set to accept, reject, or drop packet traffic. The rules are followed in order, from first to last. The placement of firewalls varies according to the way a packet is examined and filtered. For instance, packet filtering views the header of a packet, and deep packet inspection examines the data in the packet.

Firewall placement in a network is based on the way the firewall examines packets. For instance, stateful firewalls are best placed on the perimeter of a network and they take longer to make the initial connection but with improved performance. Stateless inspection firewalls are placed internally in a network and they connect faster and require less memory.

A demilitarized zone (DMZ) allows external access to a network while protecting the internal network from outside traffic. To accomplish this, two firewalls are used, and the DMZ lies between the two firewalls. One firewall faces the outside traffic, and one is internal to protect the outside traffic from entering the internal network.

Deep packet inspection (DPI) allows the network to be analyzed in real time, and examines the internet protocol (IP) packet content, including encrypted data. Deep packet inspection can be used in intrusion detection systems (IDS) and intrusion prevention systems (IPS) to thwart malware from entering the network. The three techniques used by DPI are flow tracking, pattern matching, and statistical analysis.

To review, see What is a Firewall and How Does it Work?, Packet Filtering, Stateful Packet Inspection, Deep Packet Inspection, Firewall Basics and Firewall Placement, Inbound and Outbound Packet Processing, and Deep Packet Inspection and Routers.

6c. Analyze wireless networking encryption types, tunneling, and the vulnerabilities associated with bring your own device (BYOD)

• Why is it important to encrypt wireless networks?
• How close does a wireless eavesdropper have to be to intercept a signal between a computer and a router?
• What do you call a device that both transmits and receives?
• How does BYOD increase the risk to a company's data and information systems? 

When setting up a wireless network, the traffic will travel over an unlicensed band and will be less secure than a wired network. Attackers can easily intercept traffic traveling over an unlicensed band, so it is important to encrypt the data. Wired equivalent privacy (WEP), and Wi-Fi protected access (WPA) have been used to encrypt wireless signals, but both have been broken and should not be used. The current method of wireless encryption is Wi-Fi protected access 2 (WPA2) that uses advanced encryption standard (AES).

Wireless networking is transmitted by radio waves. An attacker does not have to be between a system and its router to intercept a transmission. Radio waves emanate from 100 to 300 feet in all directions. Radios waves can be intercepted by anyone with a receiver, so it is very important to use a method of encryption that cannot be broken.

Wireless systems use different types of devices. A transmitter sends signals while a receiver accepts a signal sent by a transmitter. Some devices that can both transmit and receive and are called transceivers. Some commonly used transceivers are routers and cell phones.

Bring your own device (BYOD) means that users can connect personal devices to a company network, but at an increase in risk to a company's information system. The risk is the result of many different possibilities with devices, but one reason is that collectively employees use so many different types of devices that it is impractical for the employer to examine and approve every device allowed on the system. Another reason is that employee's devices are often not securely locked down to prevent being infected with malware. There is also the issue of lost devices that have company information downloaded to the device.

To review, read More Wireless Basics, Risks Associated with BYOD, Introduction to Wireless Networks and Wireless Encryption, Wireless Network Basics, and Virtual Ethernet Tunneling.

6d. Assess how tools such as honeypots, network sniffers, and packet capturing are used to protect networks

• When would you prefer to use a honeypot instead of an intrusion detection system (IDS)?
• What is the difference between a honeypot and a honeynet?
• How are network sniffers detected?

Honeypots are decoys that attract attackers, and then examines the methods the attacker is using and may identify system vulnerabilities. Honeypots do not have legitimate traffic, so any traffic is from an attacker, therefore honeypots do not use a lot of resources and have few false positives. In comparison, intrusion

detection systems (IDS) use more resources and produce false positives. Honeypots do not detect breaches and cannot identify attackers and must be secure so that attackers cannot enter the production network through the honeypot. Honeypot data can be used to improve the configuration of IDSes to reduce false positives. Honeypots can be used alone or with an IDS and may be the tool of choice when resources are limited.

Honeypots and honeynets are similar, as honeynets use a collection or network of honeypots. A honeynet could be a network containing honeypots that have different environments such as a Windows and a Linux honeypot server. The purpose of a honeynet is to fake a real network.

Network sniffers can be hardware or software and are used by attackers or by network administrators to examine the packets on a network. Passive network sniffing is generally impossible to detect because it only collects data, but active sniffing can be identified as it generates traffic. The best way to ensure that there is not a sniffer on the system is to determine if the network interface card is in promiscuous mode. Send requests using the internet protocol (IP) address of the machine with an incorrect media access control (MAC) address. If there is a response there is a sniffer, if not the machine is in non-promiscuous mode and the packet will be dropped.

To review, see Honeypots, Honeypots and Honeynets, Privacy Issues with Honeypots and Honeynets, Network Sniffers, Wireless Sniffing, and Packet Capturing Using tcpdump and Wireshark.

6e. Describe the methods used to secure the web such as HTTPS, TLS/SSL, and DNS/DNSSEC

• What makes hypertext transfer protocol secure (HTTPS) more secure than hypertext transfer protocol (HTTP)?
• What is the relationship between secure sockets layer (SSL) and transport layer security (TLS)?
• Why do we use domain names instead of internet protocol (IP) addresses?

Hypertext transfer protocol (HTTP) is a method of communication in browsers and in web servers. Hypertext transfer protocol secure (HTTPS) is more secure than hypertext transfer protocol (HTTP) because of the mode of transmission. Hypertext transfer protocol (HTTP) transmits data in clear text, while HTTPS transmits encrypted data.

Transport layer security (TLS) is the improved version of secure sockets layer (SSL). Both TLS and SSL are network protocols used on web servers and web browsers to securely transmit data. Transport layer security uses a handshake process to establish a secure line of communication through a bidirectional tunnel, then the data is encrypted before it is sent.

Computers use internet protocol (IP) addresses to communicate. Internet protocol addresses are numbers that are long and difficult for humans to remember, so instead, humans use words or domain names. Domain name servers (DNS) maps, or resolves domain names to IP addresses.

To review, see Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS), Secure Sockets Layer (SSL) and Transport Layer Security (TLS), and Domain Name System (DNS) and Domain Name System Security Extensions (DNSSEC).

Unit 6 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

• advanced encryption standard (AES)
• breach
• bring your own device (BYOD)
• communicate
• computer processing unit (CPU)
• decoy
• deep packet inspection (DPI)
• demilitarized zone (DMZ)
• eavesdropper
• encryption
• firewall
• hardware
• honeynet
• honeypot
• hypertext transfer protocol
• hypertext transfer protocol secure
• internet protocol
• intrusion detection system (IDS)
• intrusion prevention system (IPS)
• malware
• media access control
• network address control (NAC)
• network address translation (NAT)
• network sniffer
• packet capturing
• promiscuous
• receive
• receiver
• redundancy
• router
• secure sockets layer
• segmentation
• software
• subnetting
• transmit
• transport layer security
• virtual local networks (VLANS)
• virtualization
• Wi-Fi protected access (WPA)
• wired equivalent privacy (WEP)

Unit 7: Operating System (OS) Security

7a. Describe the methods used to harden an OS and minimize threats

• What does it mean to harden a system?
• Why is patching often neglected?
• How is system auditing performed?

System hardening is performing techniques known as best practices to secure a system by reducing vulnerabilities. The techniques used to harden a system can vary by system type, but the basic methods are to remove or disable unnecessary applications, use methods to protect system access such as least privilege, set up and review log files, and patch regularly.

Although system patching is important to system security, patching is often neglected due to funds or technical expertise. The cost of patching is often viewed as adding no value to a system. Patching requires a qualified technician to install the patches and sometimes the technician is not available in the organization. This is a serious issue within any organization and should be resolved.

System auditing is done to ensure that policies are followed and are enforced. Auditing is completed by reviewing system logs and system performance. Logs contain information about login attempts, device use and device failure, and application-level events. Audits can be manual or automated. 

To review, see section 7.1: OS Hardening.

7b. Discuss how antivirus and antimalware tools provide OS protection

• Why is it important to update antivirus software as updates become available?
• What is the difference between antivirus and antimalware software?
• Are both antivirus and antimalware software needed on a system?

Antivirus software detects viruses in a system and is specific for each type of operating system. The software has a database of viruses that are compared to files on a system. As new viruses become known, the software database is updated. For a system to recognize newly identified viruses, the software must be updated on a regular basis. Once a virus is detected the infected file is quarantined and the user is prompted to choose whether to repair or delete the file.

Viruses are code that copies itself to do damage to a system. Malware refers to many types of malicious software such as Trojans, ransomware, viruses, and spyware. Viruses are a type of malware, but malware includes many other types of malicious code as well.

Antivirus software detects viruses, and antimalware software detects all types of malware. Both antivirus and antimalware software are needed on a system because antivirus software protects against traditional versions of viruses and antimalware protects against new threats. New threats may be polymorphic, or code that changes each time it is run.

To review, see Antivirus Versus Anti-Malware and What is Antivirus Software?.

7c. Explain the method of protection provided by an OS firewall

• By what method does a firewall protect a system?
• How are IPtables implemented in a system?
• Why is the order of the rules in IPtables important?

The first line of defense to protect a system from malicious traffic is using a firewall. Firewalls filter incoming and outgoing traffic to protect against attackers that may be attempting to enter the system. The network administrator can change the rules when needed as the system or the method of attack changes.

The rules for firewalls in a Linux system are defined in the IPtables. The packet protocol, the origin, and the packet target are examined when entering the system. When a packet meets the requirements of a specific rule in IPtables, the packet is handled by the method as designated in that rule which can be to accept, allow, deny, or drop the packet.

When traffic is examined by IPtables the rules are examined in the order listed. When there is a match, the packet receives the treatment of that rule and it is not examined for any other rules in the table. This can be important as the last rule in IPtables is port 22 for secure socket shell (SSH). This rule allows for SSH, or remote access to a system and if not configured properly will disallow access to remote users.

To review, see Linux IPtables.

7d. Describe security tools used to assess the vulnerabilities of an OS

• What is a vulnerability assessment?
• What are the steps scanners perform before running a vulnerability assessment?
• How does a scanner examine the vulnerabilities in a system?

A vulnerability assessment is a process that identifies security weaknesses on a system. The weaknesses of all system components are examined to include the network, the software, and the hardware. The weaknesses are prioritized and are items that need attention or remediation to ensure the security of a system.

The first step a scanner performs before running a vulnerability assessment is to probe the ports to determine if the host is alive. This avoids wasting time trying to scan a host that is offline. The second step is to determine if the host is behind a firewall or filtering device. The third step is to detect all open ports on the host to determine the type of services running on the system. The fourth step is determining the operating system (OS) running on the host. The fifth step is to identify the services running on each open port.

Once the scanner knows the OS running on the system, it identifies the OS version. The scanner then reviews the vulnerabilities applicable to that OS version that resides on the system. A security content automation protocol (SCAP) tool can be installed and run on a system to evaluate known vulnerabilities.

To review, see How Scanners Work, What is a Vulnerability Assessment?, and Vulnerability Assessment Using SCAP.

Unit 7 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

• antimalware
• antivirus
• auditing
• automated
• firewall
• host
• IPtables
• least privilege
• Linux
• malicious software
• malware
• manual
• network administrator
• operating system (OS)
• patching
• polymorphic
• protocol
• ransomware
• remediation
• scanner
• secure socket shell (SSH)
• security content automation protocol (SCAP)
• spyware
• system hardening
• trojan
• virus

Unit 8: Intrusion Detection and Prevention Systems

8a. Discuss intrusion detection systems (IDS) and intrusion prevention systems (IPS) the purpose and the need for each system

• What is the difference between intrusion detection systems (IDS) and intrusion prevention systems (IPS)?
• What are four intrusion detection evasion techniques?
• What are four terms associated with the terminology used to determine if detection is successful?

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) both detect system intrusions. The main difference is that an IPS will detect and will also attempt to protect against traffic gaining access to the system. Intrusion protection systems perform as preventive and proactive technology, whereas IDSes are more of a detective technology that recognizes an intrusion after it has occurred.

Four intrusion detection evasion techniques are fragmentation, flooding, obfuscation, and encryption. Fragmentation occurs by sending fragmented packets that must be reassembled but the packets are sent over longer periods of time so that the target computer will time out before the packets can be assembled. Flooding is when so many requests are sent that the IDS is overwhelmed, resulting in all traffic being allowed into the system. Obfuscation is concealing the data in a message so that it is not identified as nefarious code. Encryption is used on malware so that an IDS will not match the code to the signatures in the database, and the code will be allowed into the system.

The four terms associated with intrusion detection are true positive, false positive, true negative, and false negative. A true positive means that an intrusion has been correctly identified. An IDS indicates the system is being attacked and it is correct in that the system is being attacked. A false positive means that the IDS indicates there is an attack but when there no attack is occurring. A true negative means that the IDS indicates there is no attack in progress and nothing has happened. A false negative means that the IDS is not detecting an attack when an attack has occurred. The false negative is the worst-case scenario because the IDS is not recognizing an attack that has occurred or is in progress.

To review, see The Basics of Intrusion Detection Systems, Intrusion Detection Systems, and Comparison of IDS and IPS.

8b. Compare and contrast the characteristics of signature-based, anomaly-based, and rule-based IDS technologies

• What is the difference between signature and anomaly-based intrusion detection systems (IDS)?
• Why would an anomaly-based intrusion detection system (IDS) be the best type of IDS to identify zero-day attacks?
• How is a rule-based intrusion detection system (IDS) similar to a firewall?

Both signature-based and anomaly-based intrusion detection systems (IDS) identify system intrusions, but in a different way. Signature-based IDS looks for patterns, also known as the intruder's signature. Anomaly-based IDS looks for unusual behaviors. Signature-based IDS works best for known methods of attack, and anomaly-based IDS works best to detect unknown methods of attack.

Zero-day attacks are methods of attack that are unknown to those who would normally mitigate the attack. A signature-based IDS would not identify a zero-day attack because it compares the signature of known attacks to a database. Rule-based IDS identifies attacks based on a set of rules. An anomaly-based IDS would be the best type of IDS because it detects unknown methods of attack.

Firewalls use a set of rules, called IPtables in Linux systems, to determine if traffic should be allowed. A rule-based IDS also uses rules but to determine if there is an attack on a system. A subject must meet a specific rule before access to an object is allowed, and the rule can be applied to all subjects without regard to identity. This type of rule is sometimes called if/then; if something happens then something else is allowed.

To review, see Signature-based IDS, Anomaly-based IDS, Rule-based IDS, Signature and Anomaly-based IDS, and Rule-based IDS Example.

8c. Compare and contrast network-based intrusion detection system (NIDS) and host-based intrusion detection systems (HIDS)

• What type of technology can be used by network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS)?
• What are the advantages of intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS)?
• What are the disadvantages of intrusion detection systems (IDS)?

Network-based intrusion detection systems (NIDS) are used on networks, and host-based intrusion detection systems (HIDS) are used with hosts. Both NIDS and HIDS can use knowledge-based, signature-based, statistical anomaly-based, and rule-based intrusion detection systems. When NIDS is used, the network interface card (NIC) is set to promiscuous mode to allow all network traffic to be examined, while HIDS examines activity on a host.

Using both NIDS and HIDS at the same time is advantageous as what one system may not detect the other may identify. An advantage of NIDS is that the system can detect attacks that were unsuccessful and can identify attacks in real time as they are occurring. HIDS can verify that an attack occurred and can monitor system activities.

The disadvantages of IDS are that the system can be expensive, and false positives and false negatives are generated. For these reasons, qualified technicians must be on staff to monitor the systems. The disadvantages are attributed to cost and to time and resources.

To review, see Network Intrusion Detection, A Review of Intrusion Detection, and Host-based Intrusion Detection Systems (HIDS).

8d. Explain the methodology of common system information and event management (SIEM) systems

• What is the purpose of a system information and event management system (SIEM)?
• When is a SIEM a necessary tool?
• What is a common vulnerability exposure (CVE)?

A system information and event management system (SIEM) is a software tool that collects data and log information generated by systems. The information is then compiled into one platform to be viewed and analyzed by technicians. The advantage to using a SIEM is that all the data for the system can be seen at one time which helps to identify the origins of an issue or an attack.

Often when a system is large or has a lot of activity, many logs and incidents are generated. A lot of time must be spent reviewing each log to look for malicious activity. This is a time-consuming, difficult, and tedious task that takes a lot of manpower. The use of a SIEM tool can make reviewing these logs much more efficient and faster.

 A common vulnerability exposure (CVE) identifies known vulnerabilities. CVE's are numbers assigned to vulnerabilities, and the CVE describes the vulnerability and provides links to important information connected to that vulnerability. The list of CVE's is kept in a freely accessed database and is funded by the Department of Homeland Security (DHS).

To review, see Security Incident and Event Management (SIEM), Scanners, Network Scans, Web Application Scans, and Splunk for Security.

Unit 8 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

• anomaly-based intrusion detection system (IDS)
• common vulnerability exposure (CVE)
• evasion
• false negative
• false positive
• firewall
• flooding
• fragment
• host-based intrusion detection system (HIDS)
• intrusion detection systems
• intrusion prevention systems
• Linux
• malware
• network-based intrusion detection system (NIDS)
• preventive
• proactive
• rule-based intrusion detection system (IDS)
• signature-based intrusion detection system (IDS)
• system information and event management system (SIEM)
• true negative
• true positive
• zero-day

Unit 9: Privacy Laws, Penalties, and Privacy Issues

9a. Discuss the need for electronic data privacy protection

• What type of data is private information?
• What are some ways that technology has intruded on the privacy of individuals?
• Why is there a need for electronic data privacy protection?

Information about an individual may be privacy information if an individual can be identified by the information. Some types of private information are names, social security numbers, address, biometric data, date or place of birth, educational information, and more. Information that cannot be used to identify a person, such as statistical data, is not considered to be private information.

As technology has advanced to make life easier, technology has also intruded on individual privacy. The use of smartphones can identify the location of the owner, the internet of things (IoT) such as a thermostat can indicate that a homeowner is out of town. Cameras now use facial recognition to track the location of individuals.

Electronic data privacy protection is needed to prevent harm from coming to a person. Harm can be nefarious such as a burglar entering a home while the owner is away, or it can be to prevent the use of services that can be costly to a company. For instance, if a company insures a person for cancer but then learns from medical data that the individual is prone to have cancer, then the insurance company may elect to cancel the insured's policy.

To review, see Data and Protecting the Right to Privacy and The Right to Privacy.

9b. Identify key global laws that protect privacy, such as the US Privacy Act of 1974 and the European General Data Protection Regulation (GDPR)

• Who is protected under the European Union's (EU's) General Data Protection Regulation (GDPR)?
• How does the European Union's (EU's) General Data Protection Regulation (GDPR) compare to the California Consumer Privacy Act (CCPA)?
• What information is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?

The European Union's (EU's) General Data Protection Regulation (GDPR) protects the personal data of all EU citizens and its residents. Whether the business that collects the data resides in the EU or not, the business must adhere to the protection requirements of the GDPR when collecting data from EU citizens and residents.

The California Consumer Privacy Protection Act (CCPA) was written based on the European Union's General Data Protection Regulation (GDPR). Therefore, the CCPA is very similar to the GDPR. Both the CCPA and the GDPR have monetary punishments, but that imposed by the CCPA is less than the GDPR.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has two sections that include a privacy rule and a security rule. The privacy rule contains the standards for protecting health information and the security rule sets the standards for how electronic health information is protected while being stored or in transit. HIPAA protects the individually identifiable health information collected, held, or transmitted by a business.

To review, see section 9.2: Global Privacy Laws.

Unit 9 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

• artificial intelligence (AI)
• California Consumer Privacy Act (CCPA)
• Children's Online Privacy Act (COPPA) of 2000
• European General Data Protection Regulation (GDPR)
• European Union (EU)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Protected Health Information (PHI)
• US Privacy Act