How many components are there of systems reliability?
5
What is the foundation of systems reliability?
security
What contributes to systems reliability (5)?
Security
Privacy
Confidentiality
Availability
Processing Integrity
What is the most important thing to know about Security?
Security is a MANAGEMENT ISSUE
What must management take responsibility for? (4 factors related to security)
Policy development
Effective communication of these policies
Design of appropriate control policies
Monitoring of the system and, if necessary, taking corrective actions
shows the relationship between prevention, detection, and response
time based model of security
What is the equation for the time based model of security
P > D + R
What does P stand for in the equation for time based model of security?
time for an attacker to break through the preventative controls
What does D stand for in the equation for time based model of security?
time for company to detect that an attack occurred
What does R stand for in the equation for time based model of security?
time for the company to respond and correct the effects of the attack
When the time-based model of security is true, then:
security is adequate
multiple layers of controls
defense in depth
What was the example we used in class for defense in depth?
Shrek
What are the layers within defense in depth?
Preventative
Detective
Corrective
What is included in the preventative layers of defense in depth (8)?
Authentication
Authorization
Training
Physical Access
Remote Access
Host and Application Hardening
Anti-malware
Encryption
ensures that the people using the system are really who they claim to be
Authentication
What are the three ways to authenticate people?
Something you HAVE
Something you KNOW
Some physical characteristic
What is the most common form of authentication?
passwords
What is needed to make a password effective?
Secrecy
Length
Complexity
Unique
Not personal Info
Not common password
What is the problem with passwords that makes them sometimes ineffective?
Remembering them
What are the remedies to the ineffectiveness of passwords?
Don't write them down
Passphrase
Multifactor identification
Usually a short password followed by an additional verification of authentication
multifactor authentication
What is the disadvantage of passphrases?
Only have to know the phrase, but it can be stolen in the same way as a password
What is the disadvantage of multifactor authentication?
must know/have all the different facets
What is an example of Authorization in SAP?
Roles and profiles (access control matrix)
tells the system what someone is allowed to do
authorization
What does the access control matrix ensure?
separation of duties
process of taking a message and converting it into cipher text that cannot be read, and then decrypting it back into the original message
encryption
What are the problems with symmetric encryption?
Must meet to agree on the key
Must have a key BEFORE message sent
Would need separate keys to everyone you are talking to
means that the key is the same on both sides
symmetric encryption
What are the benefits of symmetric encryption?
Very fast and easy to understand
key that encrypts something is different from the key that decrypts
asymmetric encryption
What is asymmetric based on?
Prime number factoring; there is a public code and a private code
When sending something using asymmetric encryption, encrypt based on:
public keys
When sending something using asymmetric encryption, decrypt based on:
private key
The private key is the ___ of the public key
personal prime number factors
How do you make a signature block?
Hash a document and then encrypt with your private key
Gives keys and certificates
key authority
What are the advantages of asymmetric encryption?
Authentication
Don’t need to maintain keys with everyone (use PUBLIC key)
Very secure (due to prime number factoring)
Parties do not have to meet to exchange keys
What are the disadvantages of asymmetric encryption?
People might encrypt it wrong
Very slow
If you encrypt with YOUR public key, then:
only YOU can decrypt it with YOUR private key.
If you encrypt with YOUR private key, then:
anyone can open it with the public key
If you encrypt with someone else’s public key, then:
Only that person can open it
What is the hybrid model of encryption?
Uses asymmetric to transfer a symmetric key for fast data encryption.
What are the advantages of the hybrid model of encryption?
Fast and effective communication
Secure
What are the four things needed for training to be effective?
Explain why you have these policies and procedures
Explain to employees that we will support them for following training
Explain what to do if someone is pushing them to violate/bend the rules
Explain what fraud/security scams look like so that they can recognize it
convincing someone that they should feel sorry for someone or that they will lose their job
social engineering
What is included in remote access controls?
Firewalls
TCP/IP
What we run software on
host
turning off unnecessary features
Hardening
What are the two ways to harden applications?
On certain hosts
On certain software
software to make sure that no malware is downloaded
anti-malware
What are the 3 detective controls for security?
Log analysis
Intrusion Detection Systems (IDS)
Security Testing (Penetration Tests and Vulnerability Scans)
Detective control used to see who accessed the system and what they were accessing; can make reports from this
log analysis
detective control that automates log analysis to show whether people are accessing things in a way that might indicate an attack; looks for unusual and infrequent activities
Intrusion detection system (IDS)
Detective control; form of security testing where hackers are paid to try to break into the system; used to determine where there are/are not controls
Penetration Tests
Detective control; form of security testing where company hires a consultant to come in and look for known problems in the system
Vulnerability scan
What are the corrective controls of security?
Computer Incident Response Teams (CIRT or CERT)
Chief Information Security Officer (CISO)
What is the role of the CIRT/CERT? (4 Steps)
Recognize/identify problem
Contain/minimize/stop risk
Recover/notify/fines
Follow up/monitor and make changes
Who leads the security effort (because it is a management issue)?
Chief Info Security Officer (CISO)
Who does the CISO report to?
COO or CEO
The CISO must be:
independent of other info systems efforts
What is the job of the CISO?
Evaluate and assess info security environment
deals with other people's information (think HIPAA/FERPA); how do we protect the info of others
privacy
Dealing with things that belong to the company; how do we ensure that the company’s data stays secret (think secret recipe)
Confidentiality