Plaintext
Information in normal, readable form
Ciphertext
Encrypted, unreadable form
Encryption algorithm
The mathematical formula used to encrypt or decrypt
Encryption key
The password/input to the algorithm used to encrypt or decrypt
Symmetric encryption
SAME key encrypts and decrypts — very fast, but key management gets hard with many users
Asymmetric encryption
Uses a public/private key pair — slower but scales better with many users
Symmetric vs asymmetric
Symmetric is FAST; asymmetric SCALES better with many users
AES (Advanced Encryption Standard)
The standard SYMMETRIC encryption algorithm — fast bulk encryption
RSA (Rivest-Shamir-Adleman)
Classic ASYMMETRIC encryption algorithm — uses public/private key pairs
TLS (Transport Layer Security)
Modern encryption for data in transit — successor to SSL; what makes HTTPS secure
HTTPS
HTTP with TLS encryption running on port 443 — secures web data in transit
Data at rest
Stored data — protect with full-disk encryption, file encryption
Data in transit
Data moving over a network — protect with TLS, HTTPS, VPN
Data in use
Data being actively processed in memory — hardest of the three states to protect
Hash function
A one-way function that turns variable-length input into a fixed-length output
Message digest
The fixed-length output produced by a hash function
Hash characteristic - one-way
The output cannot be reversed back to the input
Hash characteristic - fixed length
Output is always the same length regardless of input size
Hash characteristic - collision resistance
No two different inputs should ever produce the same output
MD5
128-bit hash created by Ron Rivest in 1991 — NO LONGER secure
SHA-1
160-bit hash — NO LONGER secure
SHA-2
Hash family producing 224, 256, 384, or 512-bit outputs — currently secure
SHA-3
Newer hash released in 2015, user-selected length, different approach than SHA-2 — very secure
RIPEMD
Non-government hash alternative from Belgian researchers — 160-bit version used in Bitcoin
Data lifecycle stage 1 - Create
New data is created or existing data is modified
Data lifecycle stage 2 - Store
Data is placed in a storage repository
Data lifecycle stage 3 - Use
Data is read or processed
Data lifecycle stage 4 - Share
Data is shared with vendors, partners, or authorized parties
Data lifecycle stage 5 - Archive
Data no longer actively used moves to long-term storage
Data lifecycle stage 6 - Destroy
Data is disposed of using a secure method
Top Secret
Highest government/military classification
Secret
Second-highest government/military classification
Confidential
Third-tier government/military classification
Unclassified
Lowest government/military classification
Highly Sensitive
Highest business classification
Sensitive
Second-highest business classification
Internal
Third-tier business classification
Public
Lowest business classification
Clearing
Destruction technique that overwrites data to frustrate casual recovery (lowest severity)
Purging
Destruction technique using advanced methods to frustrate laboratory analysis (medium severity)
Destroying
Complete obliteration of media — shredding, melting, burning, pulverizing (highest severity)
Degaussing
Strong magnetic field destroys magnetic media — does NOT work on SSDs
Remanence
Residual data left on storage media after deletion — the reason wiping or destruction is necessary
Cross-cut shredding
The required method for sensitive paper destruction — ribbon-cut can be reassembled
Ingress monitoring
Watching data coming INTO the network
Egress monitoring
Watching data going OUT of the network — key for detecting exfiltration
Accountability
Identity attribution — identifies who caused an event
Traceability
Uncovers the chain of all related events
Auditability
Clear documentation of events that can be reviewed
Event
Any observable occurrence in a system or network
Incident
An event that violates security policy or threatens CIA
Breach
A confirmed incident where an unauthorized party actually accessed data
Zero day
A vulnerability unknown to defenders — no patch exists yet
APT (Advanced Persistent Threat)
Sophisticated, long-running, well-resourced attacker — often nation-state
Exploit
A specific technique used to take advantage of a vulnerability
Intrusion
Unauthorized access to a system
RFC (Request for Change)
Formal proposal to make a change — submitted for review and approval
Rollback
Reverting to a previous known-good state if a change fails or causes problems
Patch management
Process for testing, approving, deploying, and verifying software patches
Hardening
Reducing the attack surface by disabling unneeded services, removing default accounts, applying secure configs
CDN (Content Delivery Network)
Geographically distributed servers that deliver content quickly by serving from the nearest location
MTTR (Mean Time To Repair)
Average time it takes to fix a failed component after a failure
MTBF (Mean Time Between Failures)
Expected time between system failures — a reliability measure
Wet pipe fire suppression
Pipes full of water, ready to deploy when sensor triggers — risk of leak damaging electronics
Dry pipe fire suppression
Pipes empty until alarm opens a valve — slight delay, no incidental water damage
Chemical fire suppression
Deprives fires of oxygen — dangerous to people in the room