InfoSec Midterm Studyguide

58 Terms

1
Bell-LaPadula Model
Focuses on confidentiality; no read up (simple security property) and no write down (*-property).

2
Biba Model
Integrity through mandatory access control; the dual of Bell-LaPadula: no write up and no read down.

3
Clark-Wilson Model
Designed for commercial systems to protect integrity at all levels: data may be changed only through "well-formed transactions" run by certified programs, with separation of duties between the users who certify those programs and the users who execute them.

4
Chinese Wall Model
Also known as Brewer-Nash; designed to avoid conflicts of interest by refusing a subject access to a company's data once it has accessed the data of a competitor in the same conflict-of-interest class.

5
RBAC Model
Role-Based Access Control: bases controls on job functions; permissions are attached to roles, and users receive them by being assigned to roles.
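
As an added example (not part of the study guide), the four rules of cards 1 and 2 written as Python checks over one constructed four-level lattice; `Level`, `blp_allows`, `biba_allows`, `both_allow` and `decision_table` are names chosen here, not from any standard or product:

```python
"""Bell-LaPadula and Biba access decisions over one label lattice.

Added example; the lattice levels and the function names are constructed
for illustration and are not from any particular product."""
from enum import IntEnum


class Level(IntEnum):
    # Constructed lattice: higher value = more sensitive (BLP) or more trusted (Biba).
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read  -> simple security property: no read up   (subject >= object)
    write -> *-property:               no write down (subject <= object)
    """
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity), the dual of BLP on the same lattice.
    read  -> simple integrity: no read down (subject <= object)
    write -> *-integrity:      no write up  (subject >= object)
    """
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


def both_allow(subject: Level, obj: Level, op: str) -> bool:
    """Enforcing BLP and Biba with the *same* labels collapses to
    'subject and object at equal level' for both reads and writes."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def decision_table(subject: Level):
    """Every (object level, op) decision for one subject: (obj, op, BLP, Biba, both)."""
    rows = []
    for obj in Level:
        for op in ("read", "write"):
            rows.append((obj.name, op,
                         blp_allows(subject, obj, op),
                         biba_allows(subject, obj, op),
                         both_allow(subject, obj, op)))
    return rows


if __name__ == "__main__":
    print(f"{'object':<13}{'op':<7}{'BLP':<7}{'Biba':<7}both")
    for obj, op, blp, biba, both in decision_table(Level.SECRET):
        print(f"{obj:<13}{op:<7}{str(blp):<7}{str(biba):<7}{both}")
```

Running the module prints the decision table for a SECRET subject. The last column is the point worth noticing: enforcing both models over the same labels leaves the subject able to read or write only objects at exactly its own level, which is why real systems keep confidentiality labels and integrity labels separate.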
6
Confidentiality
John copies Mary's homework.

7
Integrity
Gina forges Roger's signature.

8
Availability
Rhonda registers the domain name "Cocacola.com" and refuses to let the soft-drink company buy or use that domain name.
9
TLP:RED
For the eyes and ears of individual recipients only; no further disclosure.

10
TLP:AMBER
Limited disclosure; recipients may share this only on a need-to-know basis within their organization and its clients.

11
TLP:AMBER+STRICT
Restricts sharing to the recipient's organization only (clients excluded).

12
TLP:GREEN
Limited disclosure; recipients may share this within their community, but not via publicly accessible channels.

13
TLP:CLEAR
Recipients may share this with the world; there is no limit on disclosure.

14
Community
A group who share common goals, practices, and informal trust relationships.

15
Organization
A group who share a common affiliation by formal membership and are bound by common policies.

16
Clients
People or entities that receive cybersecurity services from an organization.
17
Govern (GV)
The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

18
Identify (ID)
The organization's current cybersecurity risks are understood.

19
Protect (PR)
Safeguards to manage the organization's cybersecurity risks are used.

20
Detect (DE)
Possible cybersecurity attacks and compromises are found and analyzed.

21
Respond (RS)
Actions regarding a detected cybersecurity incident are taken.

22
Recover (RC)
Assets and operations affected by a cybersecurity incident are restored.

23
CSF Functions are represented as a wheel because all of the functions relate to one another.
True

24
The CSF provides a basis for improved communication regarding cybersecurity expectations, planning, and resources.
True

25
Cybersecurity risk management is not essential for addressing privacy risks related to the loss of the confidentiality, integrity, and availability of individuals' data.
False

26
CSF Core
A taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks. Its components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome.

27
CSF Function
The highest level of organization for cybersecurity outcomes. There are six CSF Functions: Govern, Identify, Protect, Detect, Respond, and Recover.

28
CSF Tier
A characterization of the rigor of an organization's cybersecurity risk governance and management practices.
29
One-Way (preimage resistance)
The original data cannot be reconstructed from the hash.

30
Diffusion (avalanche effect)
Any change to the input, even a single bit, should change roughly half of the output bits.

31
Determinism
Hashing a given input always produces the same digest.

32
Collision resistance
Finding two different inputs that produce the same digest should be extremely hard.

33
Non-predictable
The hash value cannot be predicted without actually computing it; the output looks random with respect to the input.
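
An added example (not from the study guide) that measures cards 30 and 31 on SHA-256 and contrasts it with a plain byte-sum checksum that has no diffusion at all; the sample message, the checksum and the function names (`avalanche_fraction`, `is_deterministic`, and so on) are constructed here:

```python
"""Measuring hash properties on SHA-256 (added example, not from the study guide).

The sample message and the byte-sum "checksum" used as a contrast are constructed."""
import hashlib

SAMPLE = b"The quick brown fox jumps over the lazy dog"  # constructed input


def sha256_int(data: bytes) -> int:
    """256-bit digest as an integer so output bits can be compared with XOR."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def bytesum_int(data: bytes) -> int:
    """A 32-bit additive checksum: catches accidental errors, has no diffusion."""
    return sum(data) & 0xFFFFFFFF


def flip_bit(data: bytes, index: int) -> bytes:
    """Return a copy of data with one input bit inverted."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two integers differ."""
    return bin(a ^ b).count("1")


def avalanche_fraction(data: bytes, hashfn, out_bits: int) -> float:
    """Flip each input bit in turn and return the average fraction of output
    bits that change. A function with good diffusion gives about 0.5."""
    nbits = len(data) * 8
    base = hashfn(data)
    total = sum(hamming(base, hashfn(flip_bit(data, i))) for i in range(nbits))
    return total / (nbits * out_bits)


def is_deterministic(data: bytes, hashfn, rounds: int = 5) -> bool:
    """Card 31: repeated hashing of the same input must give one digest."""
    return len({hashfn(data) for _ in range(rounds)}) == 1


if __name__ == "__main__":
    print("SHA-256 avalanche fraction:", round(avalanche_fraction(SAMPLE, sha256_int, 256), 3))
    print("byte-sum avalanche fraction:", round(avalanche_fraction(SAMPLE, bytesum_int, 32), 3))
    print("SHA-256 deterministic:", is_deterministic(SAMPLE, sha256_int))
```

The SHA-256 fraction lands close to 0.5 (each flipped input bit changes about 128 of the 256 output bits), the byte-sum fraction stays far below it because flipping one input bit only adds or subtracts a power of two from the sum, and determinism holds for both. One-wayness and collision resistance cannot be shown by running code; they are statements about the cost of the best known attacks.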
34
Data Encryption Standard (DES)
One of the earliest symmetric encryption algorithms. Its 56-bit key is no longer considered secure, and it should be avoided.

35
Triple DES
Performs faster in hardware than in software. Although stronger than DES, it is slow in software, has been deprecated by NIST, and is not the strongest symmetric encryption algorithm available.

36
Advanced Encryption Standard (AES)
One of the most popular symmetric encryption algorithms today. There are no known practical attacks against the full cipher, so it is usually the recommended symmetric encryption algorithm to use.
37
In asymmetric encryption, if the private key encrypts the data, only the public key can decrypt it (the basis of digital signatures). If the public key encrypts the data, only the private key can decrypt it (the basis of public-key encryption).

38
RSA is an acronym for its inventors Rivest, Shamir, and Adleman.
True

39
A digital signature can verify the sender's identity, prevent the sender from denying that they sent the message (known as non-repudiation), and prove the integrity of the message.
True

40
Digital signatures leverage the mathematical relationship between symmetric keys.
False (they rely on the relationship between a public key and its private key)

41
Diffie-Hellman (DH) is a popular symmetric encryption algorithm that allows two parties that have no prior knowledge of each other to agree on a shared secret over an insecure channel.
False (DH is a key-agreement protocol, not an encryption algorithm)
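
An added example (not from the study guide) that puts cards 37 to 41 into code with textbook RSA and Diffie-Hellman over constructed toy parameters. The primes, exponents, message, DH group and all function names are made up here; the numbers are far too small for real use and there is no padding, so this shows the key relationships only, not a usable implementation:

```python
"""Textbook RSA and Diffie-Hellman with toy parameters (added example, not from the
study guide). Everything below is constructed for illustration: the primes are about
2^20 instead of 2^1024, the DH group is a toy, and there is no padding (OAEP/PSS),
which real RSA needs. Use a vetted library for anything real."""
import hashlib

# Constructed RSA parameters (both primes; far too small for real use).
P, Q, E = 1000003, 999983, 65537


def rsa_keygen(p: int = P, q: int = Q, e: int = E):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: inverse of e mod phi (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)


def rsa_apply(key, m: int) -> int:
    """Raise m to the key's exponent mod n; the same operation serves both directions."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, exp, n)


def digest_mod_n(msg: bytes, n: int) -> int:
    """Signatures sign a digest, not the message. Reducing mod n is a toy
    shortcut; real schemes pad the digest (PKCS#1 v1.5 or PSS) instead."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(private, msg: bytes) -> int:
    # Private key "encrypts" the digest; anyone holding the public key can check it.
    return rsa_apply(private, digest_mod_n(msg, private[0]))


def rsa_verify(public, msg: bytes, sig: int) -> bool:
    # Public key "decrypts" the signature and compares it with a fresh digest.
    return rsa_apply(public, sig) == digest_mod_n(msg, public[0])


# Constructed DH group: 2**127 - 1 is a Mersenne prime and 3 an arbitrary base.
# Real deployments use a standardized group (RFC 3526 / RFC 7919) or an elliptic curve.
DH_P, DH_G = 2**127 - 1, 3


def dh_public(private: int) -> int:
    """What each party sends over the insecure channel."""
    return pow(DH_G, private, DH_P)


def dh_shared(private: int, peer_public: int) -> int:
    """Both parties compute g^(ab) mod p; neither secret ever crosses the wire."""
    return pow(peer_public, private, DH_P)


def demo() -> int:
    pub, priv = rsa_keygen()
    m = 26729                                   # constructed plaintext, < n
    c = rsa_apply(pub, m)                       # encrypt with the public key ...
    assert rsa_apply(priv, c) == m              # ... only the private key decrypts
    assert rsa_apply(pub, c) != m               # the public key cannot undo itself

    msg = b"Pay Bob $100"
    sig = rsa_sign(priv, msg)
    assert rsa_verify(pub, msg, sig)                       # identity + integrity
    assert not rsa_verify(pub, b"Pay Bob $1000", sig)      # one edit breaks it

    a, b = 0x5EED12345678, 0x9ABCDEF00FED       # constructed DH private values
    s_alice = dh_shared(a, dh_public(b))
    s_bob = dh_shared(b, dh_public(a))
    assert s_alice == s_bob                     # key agreement, not encryption
    return s_alice


if __name__ == "__main__":
    print("all three properties hold; shared DH secret =", hex(demo()))
```

`demo()` walks through the three claims in order: public-key encryption that only the private key undoes, a private-key signature that the public key verifies and that a one-character change to the message breaks, and two DH parties arriving at the same secret although only the public values were exchanged. The DH result is a shared secret to feed into a key-derivation function, which is why card 41 is false: DH agrees on a key, it does not encrypt anything.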
42
A computer system without integrity can provide confidentiality.
False

43
A computer system without confidentiality can provide integrity.
False
44
A01:2021 – Broken Access Control
Moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.

45
A02:2021 – Cryptographic Failures
Shifts up one position to #2. Previously known as Sensitive Data Exposure, which was a broad symptom rather than a root cause; the renewed focus here is on failures related to cryptography, which often lead to sensitive data exposure or system compromise.

46
A03:2021 – Injection
Slides down to the third position. 94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. Cross-site Scripting is now part of this category in this edition.
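
An added example (not from the study guide or from OWASP) of A03 in its most common form, SQL injection: the same login check written with string concatenation and with a parameterized query, run against an in-memory SQLite table with constructed rows and two constructed attacker inputs. `make_db`, `login_vulnerable`, `login_safe` and `compare` are names chosen here:

```python
"""A03 injection: one login written unsafely and safely (added example, not from the
study guide or OWASP). Uses an in-memory SQLite table with constructed rows; passwords
are stored in clear only to keep the injection visible, which in real code would
itself be an A02 cryptographic failure."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse battery"), ("bob", "hunter2")],   # constructed rows
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Untrusted input is spliced into the SQL text, so the user controls the query."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterized query: values travel separately from the SQL and are never parsed as code."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Constructed attacker inputs: the first comments out the password check
# (SQLite treats "--" as a line comment); the second makes the WHERE always true.
PAYLOADS = [("alice' --", "anything"), ("' OR '1'='1", "' OR '1'='1")]


def compare(conn) -> dict:
    """Outcome of each payload as (vulnerable result, parameterized result)."""
    return {user: (login_vulnerable(conn, user, pw), login_safe(conn, user, pw))
            for user, pw in PAYLOADS}


if __name__ == "__main__":
    db = make_db()
    for payload, (vuln, safe) in compare(db).items():
        print(f"{payload!r:22} vulnerable={vuln}  parameterized={safe}")
```

The comment payload works because everything after the injected quote is dropped, so the password clause never runs; the tautology payload works because `AND` binds tighter than `OR`, leaving a condition that is true for every row. The parameterized version passes the same strings as data, so they are compared literally against the stored usernames and nothing matches.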

47
New cards

A04:2021 – Insecure Design

is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.

48
New cards

A06:2021-Vulnerable and Outdated Components

was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess risk. It is the only category not to have any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores.

49
New cards

A07:2021-Identification and Authentication Failures

was previously Broken Authentication and is sliding down from the second position, and now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping

50
New cards

A08:2021-Software and Data Integrity Failures i

is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category.

51
New cards

A09:2021-Security Logging and Monitoring Failures

was previously Insufficient Logging & Monitoring and is added from the industry survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.

52
New cards

A10:2021-Server-Side Request Forgery

is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time.

53
New cards

HTTP

Port 80

54
New cards

HTTPS

Port 443

55
New cards

FTP

Ports 20 and 21

56
New cards

SSH

Port 22

57
New cards

DNS

Port 53

58
New cards

A 05:2021-Security Misconfiguration

moves up from #6 in the previous edition; 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it’s not surprising to see this category move up. The former category for XML External Entities (XXE) is now part of this category