The document discusses several key concepts in information security including the goals of security like prevention, detection and recovery. It covers threats, vulnerabilities, attacks and different types of controls. It also explains authentication methods like passwords, tokens, biometrics and multifactor authentication. Finally, it summarizes cryptography fundamentals including encryption, ciphers, hashing and symmetric/asymmetric encryption algorithms.

1. Security Fundamentals The Information Security Cycle Information Security Controls Authentication Methods Cryptography Fundamentals Security Policy Fundamentals

2. Security Fundamentals The Information Security Cycle Information Security Controls Authentication Methods Cryptography Fundamentals Security Policy Fundamentals

3. What Is Information Security? Protection of available information or information resources. Necessary for a responsible individual or organization to secure confidential information. Minimize business risks and other consequences of losing crucial data.

4. What to Protect If the security of organization’s data and resources is compromised, it may cause collateral damage to the organization, in the form of compromised reputation, loss of goodwill , reduced investor confidence, loss of customers, and various financial losses. Data Resource

5. Goals of Security Security Goal Description Prevention Personal information, company information, and information on intellectual property must be protected. If security is breached in any of these departments, then the organization may have to put a lot of effort into recovering losses. Detection Detection is the step that occurs when a user is discovered trying to access unauthorized data or the information has been lost. Recovery You need to employ a process to recover vital data present in files or folders from a crashed system or data storage devices. Recovery can also pertain to physical resources.

6. A Vulnerability Any condition that leaves a system open to attack: Improperly configured or installed hardware or software Bugs in software or operating systems The misuse of software or communication protocols Poorly designed networks Poor physical security Insecure passwords Design flaws in software or operating systems Unchecked user input Attacker Information System Unsecured Router

7. Threats Any event or action that could potentially result in the violation of a security requirement, policy, or procedure. Information Security Threats Changes to Information Interruption of Services Interruption of Access Damage to Hardware Damage to Facilities Unintentional or intentional

8. Attacks A technique that is used to exploit a vulnerability in any application on a computer system without the authorization to do so. Physical Security Attacks Software-Based Attacks Social Engineering Attacks Web Application-Based Attacks Network-Based Attacks

9. Intrusions An attacker accesses your computer system without the authorization to do so.

10. Risk A concept that indicates exposure to the chance of damage or loss. Risk is often associated with the loss of a system, power, or network, and other physical losses. Risk also affects people, practices, and processes. Disgruntled Former Employees Threat of Improper Access

11. Controls The countermeasures that you need to put in place to avoid, mitigate or counteract security risks due to threats or attacks. Types Prevention controls — These help to prevent a threat or attack from exposing a vulnerability in the computer system. Detection controls — These help to discover if a threat or vulnerability has entered into the computer system. Correction controls — These help to mitigate a consequence of a threat or attack from adversely affecting the computer system. Prevention Control Detection Control Correction Control

12. Security Fundamentals The Information Security Cycle Information Security Controls Authentication Methods Cryptography Fundamentals Security Policy Fundamentals

13. The CIA Triad This is the fundamental principle of keeping information and communications private and protecting them from unauthorized access. This is the property of keeping organization information accurate, free of errors, and without unauthorized modifications. This is the fundamental principle of ensuring that systems operate continuously and that authorized persons can access the data that they need. Availability Integrity Confidentiality

14. Non-repudiation Supplemental to the CIA triad. The goal of ensuring that the party that sent a transmission or created data remains associated with that data.

15. Authentication A method of uniquely validating a particular entity or individual’s credentials. Password User Name

16. Identification A method that ensures that the entity requesting authentication is the true owner of the credentials. Password User Name

17. The Four As Authorization is the process of determining what rights and privileges a particular entity has. Access control is the process of determining and assigning privileges to various resources, objects, or data. Accountability is the process of determining who to hold responsible for a particular activity or event. Auditing or accounting is the process of tracking and recording system activities and resource access.

18. Access Control Methods Mandatory Access Control (MAC) Discretionary Access Control (DAC) Role-Based Access Control (RBAC) Rule-Based Access Control

19. Common Security Practices Implicit deny Least privilege Separation of duties Job rotation Mandatory vacation Time of day restrictions Privilege management

20. Implicit Deny Everything that is not explicitly allowed is denied Default Deny Read Access Granted Write Access Denied

21. Least Privilege Dictates that users and software should only have the minimal level of access that is necessary for them to perform the duties required of them. User 1 User 4 User 2 User 3 Data Entry Clerks Financial Coordinators Perform their job with fewer privileges Perform their job with more privileges

22. Separation of Duties No one person should have too much power or responsibility Audit Backup Restore

23. Job Rotation No one person stays in a vital job role for too long a time period. Helps Prevent abuse of power Reduces boredom Enhances individuals’ professional skills

24. Mandatory Vacation The typical mandatory vacation policy requires that employees take at least one vacation a year in a full-week increment. During that time, the corporate audit and security employees have time to investigate and discover any discrepancies in employee activity. When employees understand the security focus of the mandatory vacation policy, the chance fraudulent activities deceases.

25. Time of Day Restrictions Controls that allow users to access a system for a certain time period, which can be set using a group policy.

26. Privilege Management The use of authentication and authorization mechanisms to provide centralized or decentralized administration of user and group access control. Auditing Administrator Authentication Access Control Authorization

27. Security Fundamentals The Information Security Cycle Information Security Controls Authentication Methods Cryptography Fundamentals Security Policy Fundamentals

28. Authentication Factors Something you know Password, PIN Something you have Key, ID card Something you are Fingerprints, retinal patterns Password

29. User Name/Password Authentication Password User Name

30. Tokens Tokens are physic or virtual objects, such as smart cards, ID badges, or data packets, that store authentication information. Tokens can store personal identification numbers (PINs), information about users, or passwords. PIN Unique value User information Password

31. Biometrics Biometrics are authentication schemes based on individuals’ physical characteristics. Fingerprint scanner Retinal scanner Hand geometry scanner Voice-recognition software Facial-recognition software Fingerprint Scanner

32. Multi-Factor Authentication Multi-factor authentication is any authentication scheme that requires validation of at least two of the possible authentication factors. Password

33. Mutual Authentication A security mechanism that requires that each party in a communication verifies each other’s identity. A service or reserve or resource verifies the client’s credentials, and the client verifies the resource’s credentials. Mutual authentication prevents a client from inadvertently submitting confidential information to a non-secure server. Mutual authentication helps in avoiding man-in-the-middle and session hijacking attacks.

34. Security Fundamentals The Information Security Cycle Information Security Controls Authentication Methods Cryptography Fundamentals Security Policy Fundamentals

35. Cryptography Cryptography is the science of hiding information. Used to secure sensitive data transmissions Electronic Commerce ATM Cards Computer Security

36. Encryption Cryptographic technique that converts data from plain, or cleartext form, into coded, or ciphertext form. Only authorized parties with the necessary decryption information can decode and read the data. Encryption Ciphertext Plaintext

37. Ciphers A cipher is a specific set of actions used to encrypt data. Plaintext is the original, un-encoded data. Cipher Types Stream Cipher Cipher Ciphertext block Plaintext block Block Cipher Original Information Cipher Encrypted Information Cipher Ciphertext Plaintext

38. Encryption and Security Goals Encryption supports: Confidentiality Integrity Non-repudiation Authorization Access An Encryption Algorithm The rule, system, or mechanism used to encrypt data. An encryption key Specific piece of information Used in conjunction with an algorithm to perform encryption and decryption =Two Letters Following Text Vgzv

39. Steganography Steganographic techniques include: Hiding information in blocks. Hiding information within images. Invisibly altering the structure of a digital image.

40. Hashing Encryption One-way encryption that transforms cleartext into ciphertext that is not intended to be decrypted. Algorithms MD5 SHA NTLM versions 1 and 2 RIPEMD HMAC Hashing is one-way encryption

41. Two-way encryption scheme in which encryption and decryption are both performed by the same key. Algorithms DES 3DES AES Blowfish Twofish RC 4, 5, 6 Skipjack CAST-128 Symmetric Encryption Encrypts data Decrypts data Same key on both sides

42. Using public and private keys The private key never shared The public key is given to anyone Algorithms Rivist Shamir Adelman (RSA ‏ ) Diffie-Hellman Elgamal Paillier Cryptosystem Elliptic curve cryptography (ECC) Asymmetric Encryption Private key decrypts Public key encrypts

43. Digital Signatures A message digest that has been encrypted with a user’s private key. Used with hashing algorithms Support message integrity Support non-repudiation Hash value of signature Hash value matches

44. Security Fundamentals The Information Security Cycle Information Security Controls Authentication Methods Cryptography Fundamentals Security Policy Fundamentals

45. A Security Policy A formalized statement that defines how security will be implemented within a particular organization. Individual policy Formal policy statement Implementation measures Resources to protect

46. Security Policy Components Policy Components Description Policy statement Outlines the plan for the individual security component. Standards Define how to measure the level of adherence to the policy. Guidelines Suggestions, recommendations, or best practices for how to meet the policy standard. Procedures Step-by-step instructions that detail how to implement components of the policy.

47. Security Policy Issues Acceptable use Privacy Separation of duties Job rotation Mandatory vacation Need to know Least privilege Implicit deny

48. Common Security Policy Types Policy Type Description Acceptable use policy (AUP) Defines the acceptable use of organization’s physical and intellectual resources. Audit policy Details the requirements and parameters for risk assessment and audits of the organization’s information and resources. Extranet policy Sets the requirements for third-party entities that desire access to an organization’s networks. Password policy Defines standards for creating password complexity. Wireless standards policy Defines which wireless devices can connect to an organization’s network and how use them in a safe manner that protects the organization’s security.

49. Security Document Categories Security Document Description System architecture Physical documentation about the setup and configuration of your network and systems must be stored securely. Change documentation Changes in the configuration of data, systems, and services are often tracked and documented to provide an official record of the correct current configuration. Logs System logs, especially those generated by the auditing security function, need to be protected from unauthorized access or tampering. Inventories Equipment and asset inventories provide a valuable source of information for attackers, whether they plan to mount an electronic attack against the system or resort to physical damage or theft.

50. Change Management A systematic way of approving and executing change in order to assure maximum security, stability, and availability of information technology services.