Information Security Fundamentals (IT 223)
This 6 page Class Notes was uploaded by Adonis Nader on Monday September 28, 2015. The Class Notes belongs to IT 223 at George Mason University taught by Margaret Leary in Fall. Since its upload, it has received 21 views. For similar materials see /class/215226/it-223-george-mason-university in Information technology at George Mason University.
Date Created: 09/28/15
IT 223 Information Security Fundamentals, Spring 2013. Midterm Exam Study Guide

This Study Guide is intended to assist students in reviewing the course content in preparation for the midterm exam. It contains a summary of the topics covered in course activities through Lecture 5. The recommended usage of this Guide is as follows: read each topic shown here. If you are confident you understand the topic and are able to write about it in enough detail to complete a Short Answer, proceed to the next topic. If you are not confident you can write a Short Answer on the topic, review the assigned reading, the lecture slides and your own notes from the lecture associated with the topic. Remember that the ability to understand and be able to use correct terminology is essential in IT in general and in information security and assurance in particular.

Lecture 1

- Information: definition; difference between information and data.
- Security definitions: freedom, thing, measure.
- Historic perspectives: isolation, resource sharing, likelihood of attack.
- Components of information security: models from textbooks. Traditional CIA model; additional characteristics/services.
- InfoSec is security of information and information systems; components of an information system.
- Information security implementation: driven top-down, at each point in the SDLC.
- Information assurance vs. information security; reasons for understanding government initiatives.
- Protect/detect/react model.
- The IATF: source, objectives, high-level structure.
- Security is not absolute: trade-off between security and usability.
- Terminology: need to understand; reference source.

Copyright 2013 Michael X. Lyons. All rights reserved.

Lecture 2

- Information security service: definition.
- Confidentiality, secrecy, privacy: synonymous in everyday English, not in IS/IA.
- Confidentiality definitions; anonymity is a subset. What is the difference between confidentiality and privacy?
- Two techniques: isolation, obfuscation. Can you define each?
- The confidentiality of certain information indirectly provides confidentiality of the true data.
- Steganography hides the existence of data but not the data itself. Can you give a modern example of steganography?
- Cryptography, cryptanalysis, cryptology: can you define each? Cryptography is named for "hidden writing" but is not steganography.
- Encrypt, encipher, encode are often synonymous.
- An encryption algorithm uses a key to turn plaintext into ciphertext; decryption does the reverse. Can you define the terms associated with encryption/decryption?
- Two fundamental operations: substitution, transposition. Can you define each? How does a typical product cipher combine substitution and transposition?
- A good cipher scheme produces ciphertext that is pseudorandom, even from structured plaintext.
- Why is symmetric cryptography called "symmetric"? What is the major challenge with symmetric cryptography?
- Confidentiality of the shared key indirectly provides confidentiality of the plaintext.
- Encryption is used because the communications channel is insecure; the key must be shared "out of band". Why is the "out of band" channel not practical for sending bulk data?
- Do you understand the notation on slide 42?
- If a key is "cracked", which message(s) is/are revealed? How can we limit the damage if a key is "cracked"?
- Why is asymmetric cryptography called "asymmetric"? If a certain key is used for asymmetric encryption, which key must be used for decryption? Typically one key is kept private, the other made public.
- What is the major challenge with asymmetric cryptography?
- Which information security service is enabled by encryption with the public key of the recipient? Why?
- Most asymmetric schemes are based on modular or discrete exponentiation of integers. Why? We don't know any feasible way to calculate modular or discrete logarithms.
- The RSA algorithm performs a second modular exponentiation with a different exponent; the exponents (keys) are related such that the result is the original value (plaintext).
- Modern asymmetric algorithms are relatively slow compared to modern symmetric algorithms. Why? It is not practical to encrypt bulk data with an asymmetric scheme, so a hybrid approach is used (see Homeworks 1 and 2 below).
- Can you describe types of attack against encryption? What is traffic analysis? How can you counter it?

Lecture 3

- Authenticity definition: the truth of some claim can be verified.
- Authentication of the origin of data and of the integrity of data are often provided together by a single mechanism. Why does a recipient need both of these?
- What do we mean by "integrity" in this context? It does not mean "accuracy".
- Origin can be authenticated by sending additional data based on shared or private data. Integrity can be authenticated by sending additional data based on the message content.
- Generic authentication protocol: sender and recipient perform the same sequence of operations; if the recipient's result matches the sender's, the message is accepted.
- What is/are the input(s) to a message authentication code (MAC) function? What are the characteristics of a MAC value? The recipient's MAC will match only if the same message and the same key are used. Which information security service is provided if the same message is shown to have been used? Which information security service is provided if the same key is shown to have been used?
- What is/are the input(s) to a hash function?
- A digital signature is produced by asymmetrically encrypting a hash value. Which key is used? A digital signature is verified by asymmetrically decrypting a hash value (which key is used?) and comparing it to a hash value generated for the received message content. If the hash values match, what does this tell the recipient? Which information security services are enabled? See Homeworks 3 and 4 below.
- How does this provide non-repudiation of the origin? Why is non-repudiation of receipt not practical with typical messaging systems? Why is non-repudiation a deterrent, not a preventive measure? What does non-repudiation allow a recipient to do in the event of a dispute?
- A MAC does not provide non-repudiation because two or more entities have the shared key, and either one could, in theory, produce a message apparently from the sender with a valid MAC.
- Accuracy depends on the relationship of data to the real world. Accuracy is not the same as integrity; you could have one but not the other.
- A public-key certificate is used to authenticate the origin and integrity of a public key. A certificate contains: public key value, attributes of the key, attributes of the subject, attributes of the issuer. The certificate data is digitally signed by the issuer. How? Which key is used?
- Verification of the signature requires the issuer's public key, which is in another certificate. A certificate chain ends with a self-issued certificate for a root certificate authority (root CA).
- Strength of PKI is based on trust in the set of root CA certificates; lack of a trusted platform is a concern.

Lecture 4

- Access control definitions. Access control: can you define it? How does it relate to policy? How does it relate to other services?
- What are the four steps in access control? Hint: step 1 is identification and authentication (I&A).
- Identity: meaning, contexts. How can you prove your identity, especially remotely?
- I&A: identifying an entity and authenticating that identification when access is requested.
- Identity needs to be unique to prevent masquerade; a unique attribute or a unique set is required. Identity must be in the form of data a system can process, i.e. bits. A unique identifier may be generated by the system. Can you give examples?
- A User ID is commonly used to identify a user (a person or a process). The User ID will be bound to a set of attributes (profile) for the user. When access is requested, the user will send the User ID and some data to authenticate the claim of identity.
- Authentication by something you know is considered weak. Can you give examples? Should a system store your password as plaintext? As ciphertext? As something else? Explain. It is theoretically possible that two passwords have the same hash value. What is a much more likely reason someone "cracks" your password? We must not send authentication data that can be "replayed".
- Authentication by something you have is considered strong. Can you give examples? Possession of the device indirectly shows authentication of identity, assuming no loss of possession. Modern devices generate one-time values that cannot be "replayed".
- Authentication by something you are is considered strong. Can you give examples? What is "biometrics"? What is the origin of the word? Biometrics is based on statistically rare (probably not unique) physiology and/or behavior. It is limited by the precision of the measurement and matching processes. The most important limitation of a biometric process is that it can produce false negatives and false positives. Can you explain these terms? What is the major advantage of biometrics over the other two techniques?
- Multi-factor authentication applies defense-in-depth to authentication. It typically adds a password (or similar) to either a device or biometrics.
- Authentication of identity: of user by host, mutual, via a trusted third party.
- Authorization represents what an authenticated user is allowed to do; it should be based on policy. It needs to be presented as codified data the system can process, i.e. bits. Often done by assigning users to groups and privileges to groups, thus indirectly privileges to users. UNIX ACL: an example of authorization data.
- Decision process is a system implementation of an access control policy. It may be simple or complex. What is mandatory access control? What is discretionary access control? What is role-based access control? Can you give an example?
- A multi-level security (MLS) scheme assigns classifications to objects and clearances to subjects. What is allowed by the Simple Security Property? What is its slang name? What is allowed by the Star (or "*") Security Property? What is its slang name?
- Decision needs to be communicated to an enforcement process, where the control actually occurs. Kerberos tickets: one example of a way to communicate the decision to enforcement.
- Possession of a tangible object is mutually exclusive, easy to understand. Possession of digital data is very difficult to control, since every copy is the same as the original.

Lecture 5

- Threat, threat action, threat agent: definitions as discussed in class.
- Attack: definition as discussed in class. What is required to consider something an attack?
- Availability: definition as discussed in class. It is closely related to access control and utility.
- Scheduled downtime usually is not considered a lack of availability, but constant 24x7 availability is becoming a common requirement. Constant availability requires continual support. One technique for providing continual support is "follow the sun". Can you explain it?
- Threats to availability: six categories discussed in class. Some of these are threats of attacks.
- Hardware failure is inevitable. What is a "bathtub curve"?
- Software engineering is relatively immature; what is the typical release process?
- Natural events may damage or destroy system components or knock out required utilities.
- Excessive legitimate demand can overwhelm a system; catering for peak demand means a lot of under-utilization most of the time.
- How can unauthorized use impact legitimate use as a side-effect, if not a deliberate effect?
- DoS is a deliberate attack on which information security service? DoS may be a secondary attack if the primary attack fails. What is a DDoS? Can you give an example, real or hypothetical?
- DoS solutions: awareness, detection, prevention, response, but really not much you can do if the attack is external and the origin is spoofed, other than moving to a new IP address or domain.
- Availability measures: redundancy, load balancing, backup copies of data. Backup issues: limitations, multiple copies, etc.; avoid wasted time and cost. Can you describe a typical backup process that uses both full and incremental backups? How is data restored when this process is used?
- Power supply quality: incidents, impact, countermeasures.
- Utility definition: ability to make decisions; relationship to other services.

Homework 1

Student creates a text message and uses hybrid encryption. A session key is generated pseudorandomly and encrypted asymmetrically. Which key is used? Which algorithm is used? The message is encrypted symmetrically. Which key is used? What operations are performed in the symmetric algorithm? Who can decrypt this message? What information security services are enabled?

Homework 2

Student receives a message and attempts to decrypt its content. The first part is decrypted asymmetrically. Which key is used? What data value is recovered? The second part is then decrypted symmetrically. Which key is used? What operations are performed in the symmetric algorithm? Who can decrypt this message? What information security services are enabled?

Homework 3

Student creates a text message and a digital signature for it. A hash value is calculated for the message content and encrypted asymmetrically. Which key is used? Which algorithm is used? Who is capable of producing this message with exactly this content? Assume the key used is known only to the student. What information security services are enabled?

Homework 4

Student receives a digitally signed message and attempts to verify its signature. The second part is decrypted asymmetrically. Which key is used? What data value is recovered? A hash value is calculated for the first part and compared to the decrypted value. If the hash values match, what does this tell the recipient? What information security services are enabled?