SlideShare a Scribd company logo

Midterm Exam Review Information Systems 365 With Your Host Nicholas Davis

Download as PPT, PDF
Nicholas Davis
Nicholas Davis
1 of 114
Midterm Exam Review Information Systems 365 With Your Host Nicholas Davis >> 0 >> 1 >> 2 >> 3 >> 4 >>
8 >> 0 >> 1 >> 2 >> 3 >> 4 >>
7 >> 0 >> 1 >> 2 >> 3 >> 4 >>
6 >> 0 >> 1 >> 2 >> 3 >> 4 >>
5 >> 0 >> 1 >> 2 >> 3 >> 4 >>
4 >> 0 >> 1 >> 2 >> 3 >> 4 >>
3 >> 0 >> 1 >> 2 >> 3 >> 4 >>
>> 0 >> 1 >> 2 >> 3 >> 4 >>
>> 0 >> 1 >> 2 >> 3 >> 4 >>
PICTURE START >> 0 >> 1 >> 2 >> 3 >> 4 >>
The Basics • Information Systems 365/765 midterm exam is this Thursday, October 23rd • You may elect to take the exam on Tuesday, October 28th, by sending me an email prior to midnight on Wednesday, October 22nd >> 0 >> 1 >> 2 >> 3 >> 4 >>
The Format • The format of the exam will be 50 multiple choice questions • Some are easy • Some are hard • You may hate me once you see the exam • Multiple choices range A thru J in some cases, with lots of “all of the above” and “none of the above” choices appearing >> 0 >> 1 >> 2 >> 3 >> 4 >>
• Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
Keep the Five Pillars Of Information Security in Mind Throughout the Course • Protection • Detection • Reaction • Documentation • Prevention >> 0 >> 1 >> 2 >> 3 >> 4 >>
Benefits of Technical Controls • Strong and consistent, treat everyone equally • Can be audited with real assurance of the truthfulness of the data >> 0 >> 1 >> 2 >> 3 >> 4 >>
Drawbacks of Technical Controls • Costly • Complex and time consuming • When they break, they either fail open or fail closed, neither of which may be desirable >> 0 >> 1 >> 2 >> 3 >> 4 >>
• Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
Administrative Controls • Using policies, procedures, safety signs, training or supervision, or a combination of these, to control risk. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Benefits of Administrative Controls • Usually inexpensive • Easy to implement • Very flexible >> 0 >> 1 >> 2 >> 3 >> 4 >>
Drawbacks of Administrative Controls • Difficult to enforce • Difficult to audit • Impossible to verify • Easy to evade by a dedicated individual >> 0 >> 1 >> 2 >> 3 >> 4 >>
Data Classification Levels • Top Secret • Highly Confidential • Proprietary • Internal Use Only • Public Documents • Terminology varies by organization >> 0 >> 1 >> 2 >> 3 >> 4 >>
Authentication Defined of “Electronic authentication provides a level assurance as to whether someone or something is who or what it claims to be in a digital environment. Thus, electronic authentication plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions. It is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorised access or identity theft. Electronic authentication is therefore essential for establishing accountability online.” >> 0 >> 1 >> 2 >> 3 >> 4 >>
Encryption • Encryption is the coding or scrambling of information so that it can only be decoded and read by someone who has the correct decoding key. >> 0 >> 1 >> 2 >> 3 >> 4 >>
• Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
Single Factor vs. Multifactor vs Dual Factor • Single Factor – Using one method to authenticate. • Dual Factor – Using two different types of authentication mechanism to authenticate • Multifactor – Using multiple forms of the same factor. (Password + identifying an image) • Some people claim multi factor is just a way around industry regulations. Good test is to ask, could I memorize both of these? >> 0 >> 1 >> 2 >> 3 >> 4 >>
If You Choose to Use Passwords.. • Be as long as possible (never shorter than 6 characters). • Include mixed-case letters, if possible. • Include digits and punctuation marks, if possible. • Not be based on any personal information. • Not be based on any dictionary word, in any language. • Expire on a regular basis and may not be reused • May not contain any portion of your name, birthday, address or other publicly available information >> 0 >> 1 >> 2 >> 3 >> 4 >>
One Time Password Devices Demystified • Have an assigned serial number which relates to user-id. For example, ndavis = serial QB43 • Device generates a new password every 30 seconds • Server on other end knows what to expect from serial QB43 at any point in time >> 0 >> 1 >> 2 >> 3 >> 4 >>
One Time Password Devices • Time based • Event based • Sold by RSA, Vasco, Verisign, Aladdin, Entrust and others • How can event based OTPs be defeated? >> 0 >> 1 >> 2 >> 3 >> 4 >>
Entrust Identity Guard Can Be Beaten With a Photocopier! >> 0 >> 1 >> 2 >> 3 >> 4 >>
• Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
One Time Passwords - Benefits • Provides true Dual Factor authentication, making it very difficult to share • Constantly changing password means it can’t be stolen, shoulder surfed or sniffed • Coolness factor! >> 0 >> 1 >> 2 >> 3 >> 4 >>
One Time Passwords - Drawbacks • Cost! • Rank very low on the washability index • Uncomfortable • Expiration • Battery Life • Can be forgotten at home • Video 1 >> 0 >> 1 >> 2 >> 3 >> 4 >>
Biometrics • Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint >> 0 >> 1 >> 2 >> 3 >> 4 >>
Biometrics Benefits • Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like and OTP device • Absolute uniqueness of authentication factor • Coolness factor >> 0 >> 1 >> 2 >> 3 >> 4 >>
Biometrics Drawbacks • Cost • Complexity of Administration • Highly invasive • Not always reliable – false negatives • Not foolproof • The Gummi Bear thief! >> 0 >> 1 >> 2 >> 3 >> 4 >>
Digital Certificates • A digital passport, either contained on a secure device, or on a hard disk • Secured with a password, making them truly a dual factor solution • Can be used to authenticate machines as well as humans >> 0 >> 1 >> 2 >> 3 >> 4 >>
Digital Certificate Benefits • True Dual Factor Authentication • Low variable cost to produce • Can contain authorization data as well as authentication data >> 0 >> 1 >> 2 >> 3 >> 4 >>
Digital Certificate Drawbacks • High fixed cost to build initial infrastructure • Can be copied and shared if not properly stored • Expiration • Often require access to an interface such as a card reader of USB port, not always available at kiosks >> 0 >> 1 >> 2 >> 3 >> 4 >>
Knowledge Based Authentication • Authenticates the user via verification of life events, usually financial in nature, such as: • Looks great at first! • However, most of this is public information and that which isn’t public can be easily stolen • The credit reports on which this knowledge based authentication is based are often contain factual errors • Cost! >> 0 >> 1 >> 2 >> 3 >> 4 >>
• Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
Steganography • Steganography is the art and science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message >> 0 >> 1 >> 2 >> 3 >> 4 >>
Encryption • To encode information in such a way as to make it unreadable by anyone aside from its intended recipient • Symmetric Encryption, where a single secret key is used for both encryption and decryption. • Asymmetric Encryption, where a pair of keys is used -- one for Encryption and the other for Decryption. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Symmetric Encryption • Simple substitution C=5 O=1 W=7 517 = COW • Shifting Add two letters to each character (letter + 2) AMU = COW (A + 2 = C, M + 2 = 0, etc) Hmm, everything appears to = COW >> 0 >> 1 >> 2 >> 3 >> 4 >>
Advantages and Disadvantages of Symmetric Encryption • Easy to use • Decryption key can be memorized • Easy to determine patterns and guess decryption key (frequency of letters in the English language) • Anyone with the key can decrypt the message even if it was not intended for them >> 0 >> 1 >> 2 >> 3 >> 4 >>
Asymmetric Encryption • Uses one key to encrypt and a different key to decrypt • Public key to encrypt • Private key to decrypt • Keys are related, but not the same >> 0 >> 1 >> 2 >> 3 >> 4 >>
Advantages and Disadvantages of Asymmetric Encryption • Much stronger, more complex keys than used in symmetric encryption • Only the intended recipient can REALLY read the message since only they possess the private key • Far more complex than symmetric encryption, requires larger infrastructure to manage • If private key is lost, you are out of luck >> 0 >> 1 >> 2 >> 3 >> 4 >>
Digital Certificates Do a Couple of Things • Authentication • Digital signing • Encryption >> 0 >> 1 >> 2 >> 3 >> 4 >>
• Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
Public and Private Keys The digital certificate has two parts, a PUBLIC key and a PRIVATE key The Public Key is distributed to everyone The Private Key is held very closely And NEVER shared Public Key is used for encryption and verification of a digital signature Private Key is used for Digital signing and decryption >> 0 >> 1 >> 2 >> 3 >> 4 >>
Public Key Cryptography >> 0 >> 1 >> 2 >> 3 >> 4 >>
Getting Someone’s Public Key The Public Key must be shared to be Useful It can be included as part of your Email signature It can be looked up in an LDAP Directory Can you think of the advantages and disadvantages of each method? >> 0 >> 1 >> 2 >> 3 >> 4 >>
What is PKI? • PKI is an acronym for Public Key Infrastructure • It is the system which manages and controls the lifecycle of digital certificates • The PKI has many features >> 0 >> 1 >> 2 >> 3 >> 4 >>
What Is In a PKI? • Credentialing of individuals • Generating certificates • Distributing certificates • Keeping copies of certificates • Reissuing certificates • Revoking Certificates >> 0 >> 1 >> 2 >> 3 >> 4 >>
Keeping Copies – Key Escrow • Benefit – Available in case of emergency • Drawback – Can be stolen • Compromise is the best! • Use Audit Trails, separation of duties and good accounting controls for key escrow >> 0 >> 1 >> 2 >> 3 >> 4 >>
Certificate Renewal • Just like your passport, digital certificates expire • This is for the safety of the organization and those who do business with it • Short lifetime – more assurance of validity but a pain to renew • Long lifetime – less assurance of validity, but easier to manage • Use a Certificate Revocation List if you are unsure of certificate validity >> 0 >> 1 >> 2 >> 3 >> 4 >>
Trusted Root Authorities • A certificate issuer recognized by all computers around the globe • Root certificates are stored in the computer’s central certificate store • Requires a stringent audit and a lot of money! >> 0 >> 1 >> 2 >> 3 >> 4 >>
It Is All About Trust >> 0 >> 1 >> 2 >> 3 >> 4 >>
Digital Signing of Email • Proves that the email came from you • Invalidates plausible denial • Proves through a checksum that the contents of the email were not altered while in transit • Provides a mechanism to distribute your public key • Does NOT prove when you sent the email >> 0 >> 1 >> 2 >> 3 >> 4 >>
Social Engineering Defined • The use of psychological tricks in order to get useful information about a system • Using psychological tricks to build inappropriate trust relationships with insiders >> 0 >> 1 >> 2 >> 3 >> 4 >>
• Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
Kevin Mitnick • World’s most famous Social Engineer • “The weakest link in the security chain is the human element” • Half of his exploits involved using social engineering • See the master in action! >> 0 >> 1 >> 2 >> 3 >> 4 >>
Social Engineering • Social Engineering goes back to the first lie ever told and will continue into the future. • Social Engineering is successful because people are generally helpful, especially to those who are: • Nice • Knowledgeable • Insistent >> 0 >> 1 >> 2 >> 3 >> 4 >>
Three Primary Methods of Social Engineering • Flattery • Authority Impersonation • Threatening Behavior >> 0 >> 1 >> 2 >> 3 >> 4 >>
How to Keep Social Engineering From Working • Administrators need to: • Establish Policies • Train Employees • Run Drills • Office Workers: • Need to be aware of Social Engineering tactics • Follow policies >> 0 >> 1 >> 2 >> 3 >> 4 >>
Road Apples • Road Apples are also known as Baiting • Uses physical media and relies on the curiosity or greed of the victim • USB drives or CDs found in the parking lot, with label: 3M Executive Salaries • Autorun on inserted media >> 0 >> 1 >> 2 >> 3 >> 4 >>
Digital Forensics • Defined: Pertains to legal evidence found in computers and digital storage mediums. • Goal: To explain the current state of a “digital artifact.” • A digital artifact is a computer system, storage media (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Digital Forensics • Can be as simple as retrieving a single piece of data • Can be as complex as piecing together a trail of many digital artifacts >> 0 >> 1 >> 2 >> 3 >> 4 >>
Why Use Digital Forensics? • In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases). >> 0 >> 1 >> 2 >> 3 >> 4 >>
Why Use Digital Forensics? • To recover data in the event of a hardware or software failure. • To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Why Use Digital Forensics? • To gather evidence against an employee that an organization wishes to terminate. • To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering. >> 0 >> 1 >> 2 >> 3 >> 4 >>
• “Chain of Custody” is a fancy way of saying “The ability to Chain of Custody demonstrate who has had access to the digital information being used as evidence” • Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Chain of Custody One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator---and ultimately to the court. >> 0 >> 1 >> 2 >> 3 >> 4 >>
5 Steps in Performing Digital • Preparation (of Forensics the investigator, not the data) • Collection (the data) • Examination • Analysis • Reporting >> 0 >> 1 >> 2 >> 3 >> 4 >>
A Great Tool Which YOU Can Impress People With • Knoppix • An OS which runs directly from a CD • Will not alter data on hard disk • Great for grabbing copies of files from a hard disk! • Can be loaded from a USB flash drive >> 0 >> 1 >> 2 >> 3 >> 4 >>
Knoppix • Can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally these tools can also yield login/password for recently access local email applications including MS Outlook. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Knoppix >> 0 >> 1 >> 2 >> 3 >> 4 >>
• Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
What does an IDS Detect? • Attacks against a specific service, such as File Transfer Protocol (FTP) • Data driven attacks at the application layer. For example, SQL injection error could be used to crash an application. >> 0 >> 1 >> 2 >> 3 >> 4 >>
What Does and IDS Detect? • Host Based Attacks (privilege escalation) • Malware, Viruses, Trojan Horses, Worms >> 0 >> 1 >> 2 >> 3 >> 4 >>
IDS Components • Sensors - Generate security events such as log files • Console – Monitors events, alerts and controls sensors • Engine – Analyzes the data using artificial intelligence to generate alerts from the events received • 3 in 1 (sometimes all three are in one appliance) >> 0 >> 1 >> 2 >> 3 >> 4 >>
Sensor, Looks Boring >> 0 >> 1 >> 2 >> 3 >> 4 >>
Types of Intrusion Detection Systems • Network Based Intrusion Detection System (NDS) • Protocol Based Intrusion Detection System (PIDS) • Application Protocol Based Intrusion Detection System (APIDS) • Host Based Intrusion Detection System (HIDS) • Hybrid System >> 0 >> 1 >> 2 >> 3 >> 4 >>
How Is A Firewall Different from and IDS? • Firewalls look outwardly and protect from external attacks • An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. • An IDS also watches for attacks that originate from within a system. >> 0 >> 1 >> 2 >> 3 >> 4 >>
What is a Denial of Service Attack Anyway? >> 0 >> 1 >> 2 >> 3 >> 4 >>
Unified Threat Management (UTM) • Next generation devices • Firewall • Virus Scanning • Content Filtering • VPN • Anti-Spam • Intrusion Detection and Prevention >> 0 >> 1 >> 2 >> 3 >> 4 >>
Regulations • Knowing regulations is impressive to employers, I’m not sure why… • GLB, SOX and HIPAA all require similar things • Authentication • Auditing • Protection • Data Integrity Proof • 80% 20% rule!!! >> 0 >> 1 >> 2 >> 3 >> 4 >>
Full Disclosure • Disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity >> 0 >> 1 >> 2 >> 3 >> 4 >>
Full Disclosure • The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. • Fixes are produced faster because vendors and authors are forced to respond in order to save face. • Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Responsible Disclosure • Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. >> 0 >> 1 >> 2 >> 3 >> 4 >>
• Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
Limited Disclosure • With full details going to a restricted community of developers and vendors, and only the existence of the problem being released to the public, is another possible approach • Nick doesn’t like Limited Disclosure >> 0 >> 1 >> 2 >> 3 >> 4 >>
Buffer Overflow • A condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. • The result is that the extra data overwrites adjacent memory locations. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Buffer Overflow • The overwritten data may include other buffers, variables and program flow data, and may result in erratic program behavior, a memory access exception, program termination (a crash), incorrect results or ― especially if deliberately caused by a malicious user ― a possible breach of system security. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Basic example • In the following example, a program has defined two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte integer, B. Initially, A contains nothing but zero bytes, and B contains the number 3. Characters are one byte wide. A B 0 0 0 0 0 0 0 0 0 3 >> 0 >> 1 >> 2 >> 3 >> 4 >>
Buffer Overflow Example • Now, the program attempts to store the character string "excessive" in the A buffer, followed by a zero byte to mark the end of the string. By not checking the length of the string, it overwrites the value of B: A B 'e' 'x' 'c' 'e' 's' 's' 'i' 'v' 'e' 0 >> 0 >> 1 >> 2 >> 3 >> 4 >>
SQL Injection • User input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. >> 0 >> 1 >> 2 >> 3 >> 4 >>
SQL Injection Humor >> 0 >> 1 >> 2 >> 3 >> 4 >>
Email Injection • A security vulnerability that can occur in Internet applications that are used to send e-mail messages. Like SQL injection attacks, this vulnerability is one of a general class of vulnerabilities that occur when one programming language is embedded within another. >> 0 >> 1 >> 2 >> 3 >> 4 >>
>> 0 >> 1 >> 2 >> 3 >> 4 >>
• Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
Directory Traversal • The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code. • Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Cross-Site Scripting • (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Time-of-check-to-time-of-use • TOCTTOU − pronounced "TOCK too") is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Confused Deputy • A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation. In information security, the confused deputy problem is often cited as an example of why capability-based security is important. • Billing example >> 0 >> 1 >> 2 >> 3 >> 4 >>
Blaming The Victim • Prompting a user to make a security decision without giving the user enough information to answer it. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Physical Security • Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guardposts. >> 0 >> 1 >> 2 >> 3 >> 4 >>
3 Elements to Physical Security • Obstacles, to frustrate trivial attackers and delay serious ones; • Alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed; and • Security response, to repel, catch or frustrate attackers when an attack is detected. >> 0 >> 1 >> 2 >> 3 >> 4 >>
4 Layers to Physical Security • Environmental design • Mechanical and electronic access control • Intrusion detection • Video monitoring >> 0 >> 1 >> 2 >> 3 >> 4 >>
What Are Physical Security Goals? • The goal is to convince potential attackers that the likely costs of attack exceed the value of making the attack. • If you are unable to convince them, then the second goal comes into play—to keep them from entering >> 0 >> 1 >> 2 >> 3 >> 4 >>
Layer One - Physical • The initial layer of security for a campus, building, office, or physical space uses Crime Prevention Through Environmental Design to deter threats. Some of the most common examples are also the most basic - barbed wire, warning signs and fencing, concrete bollards, metal barriers, vehicle height- restrictors, site lighting and trenches. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Layer Two - Mechanical • Includes gates, doors, and locks. • Key control of the locks becomes a problem with large user populations and any user turnover. • Keys quickly become unmanageable forcing the adoption of electronic access control. • Electronic access control easily manages large user populations, controlling for user lifecycles times, dates, and individual access points. • For example a user's access rights could allow access from 0700 to 1900 Monday through Friday and expires in 90 days. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Layer Three – Intrusion Detection • Monitors for attacks. It is less a preventative measure and more of a response measure, although some would argue that it is a deterrent. Intrusion detection has a high incidence of false alarms. In many jurisdictions, law enforcement will not respond to alarms from intrusion detection systems. >> 0 >> 1 >> 2 >> 3 >> 4 >>
Layer Four - Monitoring • Typically video monitoring systems. Like intrusion detection, these are not much of a deterrent. • Video monitoring systems are more useful for incident verification and historical analysis. • For instance, if alarms are being generated and there is a camera in place, the camera could be viewed to verify the alarms. • In instances when an attack has already occurred and a camera is in place at the point of attack, the recorded video can be reviewed. • Monitoring is ALWAYS active >> 0 >> 1 >> 2 >> 3 >> 4 >>
• Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>

Recommended

00076
0007600076
00076Prasanth Venugopal
 
Access Control System, BMS
Access Control System, BMSAccess Control System, BMS
Access Control System, BMSMohammad Azam Khan
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryNicholas Davis
 
System Analysis and Design
System Analysis and DesignSystem Analysis and Design
System Analysis and DesignAamir Abbas
 
Genna's technology report
Genna's technology reportGenna's technology report
Genna's technology reportMarq2014
 
Why I Love Technology
Why I Love TechnologyWhy I Love Technology
Why I Love TechnologyMarq2014
 
Digital Storytelling
Digital StorytellingDigital Storytelling
Digital StorytellingNisa Peek
 
Digital Storytelling
Digital StorytellingDigital Storytelling
Digital StorytellingNisa Peek
 

Recommended

00076
0007600076
00076Prasanth Venugopal
 
Access Control System, BMS
Access Control System, BMSAccess Control System, BMS
Access Control System, BMSMohammad Azam Khan
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryNicholas Davis
 
System Analysis and Design
System Analysis and DesignSystem Analysis and Design
System Analysis and DesignAamir Abbas
 
Genna's technology report
Genna's technology reportGenna's technology report
Genna's technology reportMarq2014
 
Why I Love Technology
Why I Love TechnologyWhy I Love Technology
Why I Love TechnologyMarq2014
 
Digital Storytelling
Digital StorytellingDigital Storytelling
Digital StorytellingNisa Peek
 
Digital Storytelling
Digital StorytellingDigital Storytelling
Digital StorytellingNisa Peek
 
Max troilo tech report
Max troilo tech reportMax troilo tech report
Max troilo tech reportMarq2014
 
Technology up in here!!!!
Technology up in here!!!!Technology up in here!!!!
Technology up in here!!!!Marq2014
 
Visual effects and graphics specifications for TV
Visual effects and graphics specifications for TVVisual effects and graphics specifications for TV
Visual effects and graphics specifications for TVAnirban Lahiri
 
Presentacion Upcn
Presentacion UpcnPresentacion Upcn
Presentacion UpcnHector Bentui
 
Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication TechnologiesNicholas Davis
 
Authentication technologies
Authentication technologiesAuthentication technologies
Authentication technologiesNicholas Davis
 
Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Hai Nguyen
 
hr selection
hr selectionhr selection
hr selectionMagiel Amora
 
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Jason Hong
 
Women & Technology the Conspiracy
Women & Technology the Conspiracy Women & Technology the Conspiracy
Women & Technology the Conspiracy Darine Sabbagh
 
Benjamin Button case study Organizational Behavior (Film Tempelate)
Benjamin Button case study Organizational Behavior (Film Tempelate)Benjamin Button case study Organizational Behavior (Film Tempelate)
Benjamin Button case study Organizational Behavior (Film Tempelate)Ahmed Soliman
 
How Embroidery Digitizing Work
How Embroidery Digitizing WorkHow Embroidery Digitizing Work
How Embroidery Digitizing WorkRoxan0707
 
Electronic Authentication More Than Just A Password
Electronic Authentication More Than Just A PasswordElectronic Authentication More Than Just A Password
Electronic Authentication More Than Just A PasswordNicholas Davis
 
Electronic authentication more than just a password
Electronic authentication more than just a passwordElectronic authentication more than just a password
Electronic authentication more than just a passwordNicholas Davis
 
Easy learning truck tutorial - Du ha
Easy learning truck tutorial - Du haEasy learning truck tutorial - Du ha
Easy learning truck tutorial - Du hasthomas676
 
Video Learning Teaching Revolution
Video Learning Teaching RevolutionVideo Learning Teaching Revolution
Video Learning Teaching RevolutionDavid Deubelbeiss
 
Authentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaAuthentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaOlajide Kuku
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos De Pedro
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsKarthikeyan Dhayalan
 
Conducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentConducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentNicholas Davis
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessNicholas Davis
 

More Related Content

Similar to Midterm Exam Review Information Systems 365 With Your Host Nicholas Davis

Max troilo tech report
Max troilo tech reportMax troilo tech report
Max troilo tech reportMarq2014
 
Technology up in here!!!!
Technology up in here!!!!Technology up in here!!!!
Technology up in here!!!!Marq2014
 
Visual effects and graphics specifications for TV
Visual effects and graphics specifications for TVVisual effects and graphics specifications for TV
Visual effects and graphics specifications for TVAnirban Lahiri
 
Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication TechnologiesNicholas Davis
 
Authentication technologies
Authentication technologiesAuthentication technologies
Authentication technologiesNicholas Davis
 
Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Hai Nguyen
 
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Jason Hong
 
Women & Technology the Conspiracy
Women & Technology the Conspiracy Women & Technology the Conspiracy
Women & Technology the Conspiracy Darine Sabbagh
 
Benjamin Button case study Organizational Behavior (Film Tempelate)
Benjamin Button case study Organizational Behavior (Film Tempelate)Benjamin Button case study Organizational Behavior (Film Tempelate)
Benjamin Button case study Organizational Behavior (Film Tempelate)Ahmed Soliman
 
How Embroidery Digitizing Work
How Embroidery Digitizing WorkHow Embroidery Digitizing Work
How Embroidery Digitizing WorkRoxan0707
 
Electronic Authentication More Than Just A Password
Electronic Authentication More Than Just A PasswordElectronic Authentication More Than Just A Password
Electronic Authentication More Than Just A PasswordNicholas Davis
 
Electronic authentication more than just a password
Electronic authentication more than just a passwordElectronic authentication more than just a password
Electronic authentication more than just a passwordNicholas Davis
 
Easy learning truck tutorial - Du ha
Easy learning truck tutorial - Du haEasy learning truck tutorial - Du ha
Easy learning truck tutorial - Du hasthomas676
 
Video Learning Teaching Revolution
Video Learning Teaching RevolutionVideo Learning Teaching Revolution
Video Learning Teaching RevolutionDavid Deubelbeiss
 
Authentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaAuthentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaOlajide Kuku
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos De Pedro
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsKarthikeyan Dhayalan
 

Similar to Midterm Exam Review Information Systems 365 With Your Host Nicholas Davis (20)

Max troilo tech report
Max troilo tech reportMax troilo tech report
Max troilo tech report
 
Technology up in here!!!!
Technology up in here!!!!Technology up in here!!!!
Technology up in here!!!!
 
Visual effects and graphics specifications for TV
Visual effects and graphics specifications for TVVisual effects and graphics specifications for TV
Visual effects and graphics specifications for TV
 
Presentacion Upcn
Presentacion UpcnPresentacion Upcn
Presentacion Upcn
 
Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication Technologies
 
Authentication technologies
Authentication technologiesAuthentication technologies
Authentication technologies
 
Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01
 
hr selection
hr selectionhr selection
hr selection
 
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
 
Women & Technology the Conspiracy
Women & Technology the Conspiracy Women & Technology the Conspiracy
Women & Technology the Conspiracy
 
Benjamin Button case study Organizational Behavior (Film Tempelate)
Benjamin Button case study Organizational Behavior (Film Tempelate)Benjamin Button case study Organizational Behavior (Film Tempelate)
Benjamin Button case study Organizational Behavior (Film Tempelate)
 
How Embroidery Digitizing Work
How Embroidery Digitizing WorkHow Embroidery Digitizing Work
How Embroidery Digitizing Work
 
Electronic Authentication More Than Just A Password
Electronic Authentication More Than Just A PasswordElectronic Authentication More Than Just A Password
Electronic Authentication More Than Just A Password
 
Electronic authentication more than just a password
Electronic authentication more than just a passwordElectronic authentication more than just a password
Electronic authentication more than just a password
 
Easy learning truck tutorial - Du ha
Easy learning truck tutorial - Du haEasy learning truck tutorial - Du ha
Easy learning truck tutorial - Du ha
 
Video Learning Teaching Revolution
Video Learning Teaching RevolutionVideo Learning Teaching Revolution
Video Learning Teaching Revolution
 
Authentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaAuthentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthautha
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security Operations
 

More from Nicholas Davis

Conducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentConducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentNicholas Davis
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessNicholas Davis
 
UW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsUW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsNicholas Davis
 
Software Development Methodologies
Software Development MethodologiesSoftware Development Methodologies
Software Development MethodologiesNicholas Davis
 
Information systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityInformation systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityNicholas Davis
 
Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Nicholas Davis
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Nicholas Davis
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewNicholas Davis
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets PersonalNicholas Davis
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...Nicholas Davis
 
Bringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectBringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectNicholas Davis
 
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...Nicholas Davis
 
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Nicholas Davis
 
Organizational Phishing Education
Organizational Phishing EducationOrganizational Phishing Education
Organizational Phishing EducationNicholas Davis
 
Security Operations -- An Overview
Security Operations -- An OverviewSecurity Operations -- An Overview
Security Operations -- An OverviewNicholas Davis
 
Network Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNetwork Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNicholas Davis
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...Nicholas Davis
 
Demystifying Professional Certifications
Demystifying Professional CertificationsDemystifying Professional Certifications
Demystifying Professional CertificationsNicholas Davis
 

More from Nicholas Davis (20)

Conducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentConducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) Assessment
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your Business
 
UW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsUW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support Systems
 
Lecture blockchain
Lecture blockchainLecture blockchain
Lecture blockchain
 
Software Development Methodologies
Software Development MethodologiesSoftware Development Methodologies
Software Development Methodologies
 
Information systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityInformation systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD Security
 
Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things Overview
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets Personal
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
 
Bringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectBringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team Project
 
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
 
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
 
Organizational Phishing Education
Organizational Phishing EducationOrganizational Phishing Education
Organizational Phishing Education
 
Security Operations -- An Overview
Security Operations -- An OverviewSecurity Operations -- An Overview
Security Operations -- An Overview
 
Network Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNetwork Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security Implications
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
 
Demystifying Professional Certifications
Demystifying Professional CertificationsDemystifying Professional Certifications
Demystifying Professional Certifications
 

Midterm Exam Review Information Systems 365 With Your Host Nicholas Davis

  • 1. Midterm Exam Review Information Systems 365 With Your Host Nicholas Davis >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 2. 8 >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 3. 7 >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 4. 6 >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 5. 5 >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 6. 4 >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 7. 3 >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 8. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 9. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 10. PICTURE START >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 11. The Basics • Information Systems 365/765 midterm exam is this Thursday, October 23rd • You may elect to take the exam on Tuesday, October 28th, by sending me an email prior to midnight on Wednesday, October 22nd >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 12. The Format • The format of the exam will be 50 multiple choice questions • Some are easy • Some are hard • You may hate me once you see the exam • Multiple choices range A thru J in some cases, with lots of “all of the above” and “none of the above” choices appearing >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 13. • Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 14. Keep the Five Pillars Of Information Security in Mind Throughout the Course • Protection • Detection • Reaction • Documentation • Prevention >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 15. Benefits of Technical Controls • Strong and consistent, treat everyone equally • Can be audited with real assurance of the truthfulness of the data >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 16. Drawbacks of Technical Controls • Costly • Complex and time consuming • When they break, they either fail open or fail closed, neither of which may be desirable >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 17. • Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 18. Administrative Controls • Using policies, procedures, safety signs, training or supervision, or a combination of these, to control risk. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 19. Benefits of Administrative Controls • Usually inexpensive • Easy to implement • Very flexible >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 20. Drawbacks of Administrative Controls • Difficult to enforce • Difficult to audit • Impossible to verify • Easy to evade by a dedicated individual >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 21. Data Classification Levels • Top Secret • Highly Confidential • Proprietary • Internal Use Only • Public Documents • Terminology varies by organization >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 22. Authentication Defined of “Electronic authentication provides a level assurance as to whether someone or something is who or what it claims to be in a digital environment. Thus, electronic authentication plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions. It is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorised access or identity theft. Electronic authentication is therefore essential for establishing accountability online.” >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 23. Encryption • Encryption is the coding or scrambling of information so that it can only be decoded and read by someone who has the correct decoding key. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 24. • Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 25. Single Factor vs. Multifactor vs Dual Factor • Single Factor – Using one method to authenticate. • Dual Factor – Using two different types of authentication mechanism to authenticate • Multifactor – Using multiple forms of the same factor. (Password + identifying an image) • Some people claim multi factor is just a way around industry regulations. Good test is to ask, could I memorize both of these? >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 26. If You Choose to Use Passwords.. • Be as long as possible (never shorter than 6 characters). • Include mixed-case letters, if possible. • Include digits and punctuation marks, if possible. • Not be based on any personal information. • Not be based on any dictionary word, in any language. • Expire on a regular basis and may not be reused • May not contain any portion of your name, birthday, address or other publicly available information >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 27. One Time Password Devices Demystified • Have an assigned serial number which relates to user-id. For example, ndavis = serial QB43 • Device generates a new password every 30 seconds • Server on other end knows what to expect from serial QB43 at any point in time >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 28. One Time Password Devices • Time based • Event based • Sold by RSA, Vasco, Verisign, Aladdin, Entrust and others • How can event based OTPs be defeated? >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 29. Entrust Identity Guard Can Be Beaten With a Photocopier! >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 30. • Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 31. One Time Passwords - Benefits • Provides true Dual Factor authentication, making it very difficult to share • Constantly changing password means it can’t be stolen, shoulder surfed or sniffed • Coolness factor! >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 32. One Time Passwords - Drawbacks • Cost! • Rank very low on the washability index • Uncomfortable • Expiration • Battery Life • Can be forgotten at home • Video 1 >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 33. Biometrics • Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 34. Biometrics Benefits • Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like and OTP device • Absolute uniqueness of authentication factor • Coolness factor >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 35. Biometrics Drawbacks • Cost • Complexity of Administration • Highly invasive • Not always reliable – false negatives • Not foolproof • The Gummi Bear thief! >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 36. Digital Certificates • A digital passport, either contained on a secure device, or on a hard disk • Secured with a password, making them truly a dual factor solution • Can be used to authenticate machines as well as humans >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 37. Digital Certificate Benefits • True Dual Factor Authentication • Low variable cost to produce • Can contain authorization data as well as authentication data >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 38. Digital Certificate Drawbacks • High fixed cost to build initial infrastructure • Can be copied and shared if not properly stored • Expiration • Often require access to an interface such as a card reader of USB port, not always available at kiosks >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 39. Knowledge Based Authentication • Authenticates the user via verification of life events, usually financial in nature, such as: • Looks great at first! • However, most of this is public information and that which isn’t public can be easily stolen • The credit reports on which this knowledge based authentication is based are often contain factual errors • Cost! >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 40. • Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 41. Steganography • Steganography is the art and science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 42. Encryption • To encode information in such a way as to make it unreadable by anyone aside from its intended recipient • Symmetric Encryption, where a single secret key is used for both encryption and decryption. • Asymmetric Encryption, where a pair of keys is used -- one for Encryption and the other for Decryption. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 43. Symmetric Encryption • Simple substitution C=5 O=1 W=7 517 = COW • Shifting Add two letters to each character (letter + 2) AMU = COW (A + 2 = C, M + 2 = 0, etc) Hmm, everything appears to = COW >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 44. Advantages and Disadvantages of Symmetric Encryption • Easy to use • Decryption key can be memorized • Easy to determine patterns and guess decryption key (frequency of letters in the English language) • Anyone with the key can decrypt the message even if it was not intended for them >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 45. Asymmetric Encryption • Uses one key to encrypt and a different key to decrypt • Public key to encrypt • Private key to decrypt • Keys are related, but not the same >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 46. Advantages and Disadvantages of Asymmetric Encryption • Much stronger, more complex keys than used in symmetric encryption • Only the intended recipient can REALLY read the message since only they possess the private key • Far more complex than symmetric encryption, requires larger infrastructure to manage • If private key is lost, you are out of luck >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 47. Digital Certificates Do a Couple of Things • Authentication • Digital signing • Encryption >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 48. • Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 49. Public and Private Keys The digital certificate has two parts, a PUBLIC key and a PRIVATE key The Public Key is distributed to everyone The Private Key is held very closely And NEVER shared Public Key is used for encryption and verification of a digital signature Private Key is used for Digital signing and decryption >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 50. Public Key Cryptography >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 51. Getting Someone’s Public Key The Public Key must be shared to be Useful It can be included as part of your Email signature It can be looked up in an LDAP Directory Can you think of the advantages and disadvantages of each method? >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 52. What is PKI? • PKI is an acronym for Public Key Infrastructure • It is the system which manages and controls the lifecycle of digital certificates • The PKI has many features >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 53. What Is In a PKI? • Credentialing of individuals • Generating certificates • Distributing certificates • Keeping copies of certificates • Reissuing certificates • Revoking Certificates >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 54. Keeping Copies – Key Escrow • Benefit – Available in case of emergency • Drawback – Can be stolen • Compromise is the best! • Use Audit Trails, separation of duties and good accounting controls for key escrow >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 55. Certificate Renewal • Just like your passport, digital certificates expire • This is for the safety of the organization and those who do business with it • Short lifetime – more assurance of validity but a pain to renew • Long lifetime – less assurance of validity, but easier to manage • Use a Certificate Revocation List if you are unsure of certificate validity >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 56. Trusted Root Authorities • A certificate issuer recognized by all computers around the globe • Root certificates are stored in the computer’s central certificate store • Requires a stringent audit and a lot of money! >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 57. It Is All About Trust >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 58. Digital Signing of Email • Proves that the email came from you • Invalidates plausible denial • Proves through a checksum that the contents of the email were not altered while in transit • Provides a mechanism to distribute your public key • Does NOT prove when you sent the email >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 59. Social Engineering Defined • The use of psychological tricks in order to get useful information about a system • Using psychological tricks to build inappropriate trust relationships with insiders >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 60. • Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 61. Kevin Mitnick • World’s most famous Social Engineer • “The weakest link in the security chain is the human element” • Half of his exploits involved using social engineering • See the master in action! >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 62. Social Engineering • Social Engineering goes back to the first lie ever told and will continue into the future. • Social Engineering is successful because people are generally helpful, especially to those who are: • Nice • Knowledgeable • Insistent >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 63. Three Primary Methods of Social Engineering • Flattery • Authority Impersonation • Threatening Behavior >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 64. How to Keep Social Engineering From Working • Administrators need to: • Establish Policies • Train Employees • Run Drills • Office Workers: • Need to be aware of Social Engineering tactics • Follow policies >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 65. Road Apples • Road Apples are also known as Baiting • Uses physical media and relies on the curiosity or greed of the victim • USB drives or CDs found in the parking lot, with label: 3M Executive Salaries • Autorun on inserted media >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 66. Digital Forensics • Defined: Pertains to legal evidence found in computers and digital storage mediums. • Goal: To explain the current state of a “digital artifact.” • A digital artifact is a computer system, storage media (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 67. Digital Forensics • Can be as simple as retrieving a single piece of data • Can be as complex as piecing together a trail of many digital artifacts >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 68. Why Use Digital Forensics? • In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases). >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 69. Why Use Digital Forensics? • To recover data in the event of a hardware or software failure. • To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 70. Why Use Digital Forensics? • To gather evidence against an employee that an organization wishes to terminate. • To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 71. • “Chain of Custody” is a fancy way of saying “The ability to Chain of Custody demonstrate who has had access to the digital information being used as evidence” • Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 72. Chain of Custody One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator---and ultimately to the court. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 73. 5 Steps in Performing Digital • Preparation (of Forensics the investigator, not the data) • Collection (the data) • Examination • Analysis • Reporting >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 74. A Great Tool Which YOU Can Impress People With • Knoppix • An OS which runs directly from a CD • Will not alter data on hard disk • Great for grabbing copies of files from a hard disk! • Can be loaded from a USB flash drive >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 75. Knoppix • Can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally these tools can also yield login/password for recently access local email applications including MS Outlook. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 76. Knoppix >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 77. • Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 78. What does an IDS Detect? • Attacks against a specific service, such as File Transfer Protocol (FTP) • Data driven attacks at the application layer. For example, SQL injection error could be used to crash an application. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 79. What Does and IDS Detect? • Host Based Attacks (privilege escalation) • Malware, Viruses, Trojan Horses, Worms >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 80. IDS Components • Sensors - Generate security events such as log files • Console – Monitors events, alerts and controls sensors • Engine – Analyzes the data using artificial intelligence to generate alerts from the events received • 3 in 1 (sometimes all three are in one appliance) >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 81. Sensor, Looks Boring >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 82. Types of Intrusion Detection Systems • Network Based Intrusion Detection System (NDS) • Protocol Based Intrusion Detection System (PIDS) • Application Protocol Based Intrusion Detection System (APIDS) • Host Based Intrusion Detection System (HIDS) • Hybrid System >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 83. How Is A Firewall Different from and IDS? • Firewalls look outwardly and protect from external attacks • An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. • An IDS also watches for attacks that originate from within a system. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 84. What is a Denial of Service Attack Anyway? >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 85. Unified Threat Management (UTM) • Next generation devices • Firewall • Virus Scanning • Content Filtering • VPN • Anti-Spam • Intrusion Detection and Prevention >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 86. Regulations • Knowing regulations is impressive to employers, I’m not sure why… • GLB, SOX and HIPAA all require similar things • Authentication • Auditing • Protection • Data Integrity Proof • 80% 20% rule!!! >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 87. Full Disclosure • Disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 88. Full Disclosure • The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. • Fixes are produced faster because vendors and authors are forced to respond in order to save face. • Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 89. Responsible Disclosure • Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 90. • Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 91. Limited Disclosure • With full details going to a restricted community of developers and vendors, and only the existence of the problem being released to the public, is another possible approach • Nick doesn’t like Limited Disclosure >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 92. Buffer Overflow • A condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. • The result is that the extra data overwrites adjacent memory locations. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 93. Buffer Overflow • The overwritten data may include other buffers, variables and program flow data, and may result in erratic program behavior, a memory access exception, program termination (a crash), incorrect results or ― especially if deliberately caused by a malicious user ― a possible breach of system security. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 94. Basic example • In the following example, a program has defined two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte integer, B. Initially, A contains nothing but zero bytes, and B contains the number 3. Characters are one byte wide. A B 0 0 0 0 0 0 0 0 0 3 >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 95. Buffer Overflow Example • Now, the program attempts to store the character string "excessive" in the A buffer, followed by a zero byte to mark the end of the string. By not checking the length of the string, it overwrites the value of B: A B 'e' 'x' 'c' 'e' 's' 's' 'i' 'v' 'e' 0 >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 96. SQL Injection • User input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 97. SQL Injection Humor >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 98. Email Injection • A security vulnerability that can occur in Internet applications that are used to send e-mail messages. Like SQL injection attacks, this vulnerability is one of a general class of vulnerabilities that occur when one programming language is embedded within another. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 99. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 100. • Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 101. Directory Traversal • The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code. • Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 102. Cross-Site Scripting • (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 103. Time-of-check-to-time-of-use • TOCTTOU − pronounced "TOCK too") is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 104. Confused Deputy • A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation. In information security, the confused deputy problem is often cited as an example of why capability-based security is important. • Billing example >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 105. Blaming The Victim • Prompting a user to make a security decision without giving the user enough information to answer it. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 106. Physical Security • Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guardposts. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 107. 3 Elements to Physical Security • Obstacles, to frustrate trivial attackers and delay serious ones; • Alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed; and • Security response, to repel, catch or frustrate attackers when an attack is detected. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 108. 4 Layers to Physical Security • Environmental design • Mechanical and electronic access control • Intrusion detection • Video monitoring >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 109. What Are Physical Security Goals? • The goal is to convince potential attackers that the likely costs of attack exceed the value of making the attack. • If you are unable to convince them, then the second goal comes into play—to keep them from entering >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 110. Layer One - Physical • The initial layer of security for a campus, building, office, or physical space uses Crime Prevention Through Environmental Design to deter threats. Some of the most common examples are also the most basic - barbed wire, warning signs and fencing, concrete bollards, metal barriers, vehicle height- restrictors, site lighting and trenches. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 111. Layer Two - Mechanical • Includes gates, doors, and locks. • Key control of the locks becomes a problem with large user populations and any user turnover. • Keys quickly become unmanageable forcing the adoption of electronic access control. • Electronic access control easily manages large user populations, controlling for user lifecycles times, dates, and individual access points. • For example a user's access rights could allow access from 0700 to 1900 Monday through Friday and expires in 90 days. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 112. Layer Three – Intrusion Detection • Monitors for attacks. It is less a preventative measure and more of a response measure, although some would argue that it is a deterrent. Intrusion detection has a high incidence of false alarms. In many jurisdictions, law enforcement will not respond to alarms from intrusion detection systems. >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 113. Layer Four - Monitoring • Typically video monitoring systems. Like intrusion detection, these are not much of a deterrent. • Video monitoring systems are more useful for incident verification and historical analysis. • For instance, if alarms are being generated and there is a camera in place, the camera could be viewed to verify the alarms. • In instances when an attack has already occurred and a camera is in place at the point of attack, the recorded video can be reviewed. • Monitoring is ALWAYS active >> 0 >> 1 >> 2 >> 3 >> 4 >>
  • 114. • Have you done the readings? • It might be a good idea… >> 0 >> 1 >> 2 >> 3 >> 4 >>