Topic Name Description
Course Syllabus Page Course Syllabus
1.1: The History and Evolution of Information Security Book Information Security History

This exhibit gives a history of the evolution of users, key technologies, threats, concerns, and security techniques in information security since 1960. Click on the links in the pre-web computing (1960s-'90s), open web (1990s-2000s), and mobile and cloud (2000s-future) sections. What were the threats and concerns of each time period? How did security technology or techniques develop in response to those threats?

Book Timeline of the History of Information Security
To begin, review this timeline on the history and development of information security. What was the role of the US Department of Defense (DoD) in the evolution of information security? Who or what were the influencers in the development of the confidentiality, availability, and integrity (CIA) triad?
1.2: Confidentiality, Integrity, and Availability – The CIA Triad Page The CIA Triad
The basis for information security is the CIA triad. After you watch this video, you should be able to define the three principles of confidentiality, integrity, and availability as they relate to information security and the protection of data.
1.3: Threats, Vulnerabilities, and Risks Page Threats and Vulnerabilities
This video explains threats and vulnerabilities, how they apply to information security, and how they can reduce or compromise the confidentiality, integrity, and availability (CIA) of a system. What is the difference between a threat and a vulnerability? What are threats and vulnerabilities in the context of information systems?
Page The Elements of Security: Vulnerability, Threat, Risk

Read section 1.3. When you are new to the information security industry, you may use the words vulnerability, threat, and risk interchangeably, though they actually have very different meanings. As you read, think about the differences between these terms and try to explain each term in the context of information security.

1.4: The Risk Management Process Book NIST SP 800-39
Risk can never be eliminated, but it can be managed using the risk management process. The National Institute of Standards and Technology (NIST) 800 series documents are well-known and accepted as industry standards in information security. Review NIST SP 800-39, a special publication that outlines a process for managing information security risk. Read pages 32-45 for a detailed explanation of the risk management process. Pay attention to the general description of each step in the process: framing risk, assessing risk, responding to risk, and monitoring risk. After you read, you should be able to explain the order of the steps in the process and what happens during each step.
Book Risk Management

Read this page and watch the video to learn more about the purpose of risk management and the four stages of the risk management process. Before you move on, make sure you have a good understanding of the formulas, and that you are able to use the formulas on this page to calculate single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE).

Page More on Risk Management
Watch this video, which discusses the risk management process practically. How does this reinforce the actions taken in each step of the process from NIST SP 800-39 that you read earlier?
1.5: The Incident Response Process Book NIST SP 800-61
Even though information security professionals plan to effectively manage risk, incidents still occur. NIST SP 800-61 is the National Institute of Standards and Technology (NIST) special publication that gives guidelines for organizations on how to handle security incidents. Read section 2.2 on page 6 to learn more about the need for, and the benefits of, an incident response capability. Also read section 3 on pages 21-44 to learn how to appropriately handle information security incidents. Before you move on, make sure you can explain the four stages of the incident response process: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Page Incident Response
This video explains how the incident response plan for detection and countermeasures is perpetual, and expands on the stages of the incident response process.
1.6: Security Control Page Security Control

You learned about the goals of security based on the CIA triad in a previous section, and you have an understanding of the terms vulnerability, threat, and risk. Now, watch this video to understand the types of controls and their functions in ensuring the confidentiality, availability, and integrity of information systems.

Page Security Control Types

Controls are broken down into control types such as administrative, physical, and technical. Read this section, which will help you differentiate between administrative, technical, and physical control types.

Page Security Control Functions
Controls are further broken down into control functions. Watch this video to learn how to categorize controls by control function as either preventive, detective, deterrent, or compensating.
1.7: Defense-in-Depth Page Introduction to Defense-in-Depth

Defense-in-depth is a layered strategy for providing security to information systems. The layers are often compared to the layers of an onion: when one layer is peeled back, there is another layer of defense or protection. Watch the first two minutes of this video for an introduction to the concept of defense-in-depth.

Page Defense-in-Depth Example

Watch this video from 24:00 to 27:00 for a practical example of how layers of defense protect a system when defense-in-depth mechanisms are in place.

Page Defense-in-Depth

Read the section on defense-in-depth. Pay attention to how it compares defense-in-depth to protecting a castle, and note how it recalls the CIA triad. After you read, you should be able to explain the concept of defense-in-depth and be able to propose a defense-in-depth security strategy for a simple system.

1.8: Human Behavioral Risks Book The Human Factor

So far, we have discussed security control types and functions and how layers of controls provide defense-in-depth. These controls protect data from outside threats, but an even greater area of concern is the "inside threat" – people. Read the introduction and the two sections on social engineering in this article about the human factor. Why are people a threat to information security?

Page Humans are the Weakest Link

Humans are the weakest link in information security. Giving someone access to information systems involves an element of trust. Watch this video about how people, not machines, are the biggest concern in cybersecurity. Then, read this article, which describes how humans are the last line of defense for an organization. How can people, either intentionally or unintentionally, expose their organizations to risks?

Page Security Awareness, Training, and Education

The most effective way to combat the risk posed by people is to provide formal security awareness training. Read this section on conducting formal security awareness training. After you read, you should understand the need for training programs, the types of security awareness training, and how to evaluate a training program.

Page Security Threats and the Human Factor

Although formal training is the most effective way to build security awareness, computer-based training is another option. Read this section on delivering security awareness training. After you read, you should be able to explain the benefits and limitations of computer-based and instructor-led security awareness training. How can human behavior be modified through security awareness and training programs?

1.9: Security Frameworks Book Security Frameworks

While working in the area of information security, it is important to have an understanding of the common security standards or frameworks. While reading this article, you will obtain some knowledge of the controls specified by ISO/IEC 27001, the Federal Information Processing Standards (FIPS), the NIST cybersecurity framework and NIST Special Publication 800-53, as well as COBIT5.

Page Center for Internet Security (CIS) Controls

The Center for Internet Security (CIS) has developed 20 controls, called the CIS Top 20, to secure an organization's systems against cyber attacks or threats. While watching this video, pay attention to the 20 controls. You are not expected to memorize all 20 controls, but it is important to know the first six controls, as the implementation of these controls will protect against approximately 91 percent of security breaches.

Page Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a standard that protects the security of credit card data. While watching this video you will learn about the penalties that can be inflicted on a business for non-compliance with PCI DSS. What are some of the requirements of PCI DSS compliance?

2.1: Threat Terminology Page Threat Terminology

Many types of malicious or suspicious activities are presented to information systems. To understand how to protect systems, you first need to understand the nature of these threats and attacks. To begin, watch this video to understand threats and attacks. What are the differences between these two concepts?

Page An Overview of Threats

Review this article to understand that there are many types of threats to systems and to be able to define the five types of hackers and their techniques.

Page Privacy Threats

Watch this video to learn about threat models, how to identify threats, and the utility of anti-forensics.

2.2: Types of Attacks Page Types of Attacks

Information security personnel need to be aware of common types of malicious attacks on information systems. This video describes the difference between passive and active attacks. The two passive attacks described are release of message contents and traffic analysis. The four active attacks are masquerade, replay, modification, and denial of service. Pay attention to the characteristics of passive and active attacks. You should learn the method of attack and the mechanism to mitigate each of the two passive and the four active attacks.

Page Classifying Threats

Read this section, which describes threat agents, the actions a threat agent can take, and how to classify threat agents as non-target specific, employees, criminals, corporations, human-unintentional, human-intentional, or natural.

Page Birthday Attacks

The birthday attack is a cryptographic attack based on the birthday paradox, the surprisingly high probability that two people in a group share a birthday. Applying the birthday paradox improves the probability of finding a hash collision. Watch this video to understand the mathematics behind the birthday paradox. Do not be concerned with learning the mathematics. Instead, pay attention to how the probability increases as the number of people in the room increases, and how the brute-force attack effort decreases with the birthday paradox.

Page What is a Botnet?

Botnets are a group of networked computers that are infected with malware. Watch this video to learn the terminology used with botnets such as botnet master and zombie, the purpose of botnets, and how to detect that a computer is infected by a botnet.

Page More on Botnets

While you read, think about these questions: what kinds of people might choose to operate a botnet? Why might they do so? How can botnets be controlled? How big are most botnets?

Page Man-in-the-Middle Attacks

Man-in-the-middle attacks are a type of information interception that, when it occurs, is unknown to both the sender and the receiver. What methods can be used to create a man-in-the-middle attack?

Page Teardrop Attacks

This page explains the concept of a teardrop attack, the effect these attacks have on a system, and the operating systems that are vulnerable to this kind of attack. Older versions of Windows and Linux are vulnerable to teardrop attacks, including Windows 7 and Windows Vista.

Page What is War Dialing?

War dialing is a type of attack that exploits dial-up service. While dial-up service has been almost completely replaced by broadband, it still exists in some areas.

Page More on War Dialing

War dialing is a brute-force attack. How can auditing and monitoring reveal indicators of a war dialing attack?

Page Zero-Day Exploits

"Zero-day exploit" refers to the day that a vulnerability is identified by the vendor, or the day before. Zero-day threats or attacks are dangerous because there are no ways to mitigate them. What should happen once a zero-day exploit is identified?

2.3: Spoofing Attacks Page Spoofing Attacks

Spoofing is posing as someone you are not. Read this page, which explains the concept of spoofing, popular spoofing techniques, and countermeasures for spoofing attacks.

Book A Comprehensive Analysis of Spoofing

This article gives an in-depth explanation of internet protocol (IP) and email address spoofing. What are the steps for IP spoofing? Why might an attacker want to spoof an IP or email address?

Page Email Spoofing

Email spoofing is common today, and can be dangerous by introducing malware into your system or by exploiting your identity. How can you identify a spoofed email? Why do attackers try to spoof emails? How can you combat email spoofing?

Page Caller ID Spoofing

Phone number spoofing has become popular today, especially for telemarketers. Read this article and watch the video about caller ID spoofing. How can you avoid spoofing? How should you react to spoofed calls?

Page IP Address Spoofing

Read this article, which explains IP address spoofing and what an attacker can gain with this type of attack.

2.4: Social Engineering Book An Overview of Social Engineering

Social engineering preys on the fact that humans are the weakest link in information security. This article explains the social engineering model, outlines the two categories of social engineering attacks, and discusses techniques for preventing and mitigating social engineering.

Page Dumpster Diving

Dumpster diving is a way to obtain information that has been improperly disposed of. What kinds of security leaks can be found "in the trash"?

Page One Man's Trash is Another Man's Treasure

Read this article, which gives another perspective on improperly disposed items and why they are valuable to dumpster diving attackers.

Page Shoulder Surfing

We should all be cognizant of "shoulder surfing" – people who can see our computer screens or keyboards. What can attackers gain by shoulder surfing? How can you tell when you might be vulnerable to a shoulder surfing attack?

Page Tailgating

Tailgating is going through a door without authorization. How does tailgating work? What are some of the factors used by successful tailgaters?

Page How to Protect Against Tailgating

Watch this video, which explains how to prevent tailgating from happening in a secure area.

Page Phishing, Spear-phishing, and Whaling

Phishing is a deceptive way to obtain sensitive information. Spear-phishing is a targeted way to attack systems within a particular organization using email addressed to specific individuals. Spear-phishing and whaling are very similar, but the target of the attack differs. Read this article, which explains methods of phishing, spear-phishing, and whaling. What is the purpose of whaling, and who is its target?

Page Pretexting

Pretexting is a way to gain passwords. Read this article, which explains the steps involved in pretexting.

2.5: Application Attacks Page Application Attacks

Attackers often exploit applications because they are not as secure as networks. An attack on an application can provide the attacker the same desired result. Watch this video, which describes application attacks and gives some examples of common application attacks. Notice that applications can also have zero-day attacks, which we discussed previously.

Page Types of Application Attacks

This video discusses application attacks further. What is the goal of application attacks? How can features such as cookies, attachments, malicious add-ons, header manipulations, and session hijacking make an application more vulnerable to attacks?

Page The Basics of Buffer Overflows

Buffer overflow attacks can often be avoided with proper system configuration. In this video, you will learn about buffers and how a buffer can be exploited in a buffer overflow attack. Pay attention to the seriousness of a buffer overflow attack and the possible outcome of this type of attack. What effect can the attack have on a system? How would a buffer overflow attack be initiated against a system? What procedures should be in place to avoid a buffer overflow attack? What programming languages are vulnerable to buffer overflow attacks?

Page More on Buffer Overflows

Watch this video to learn more about buffer overflows, including stack-based and heap-based overflows, buffer overflow myths, and ways to reduce buffer overflow attacks in code.

Book Time of Check to Time of Use

Time of check to time of use (TOCTTOU) is a race condition that affects software. While you read, pay attention to the mechanics of a TOCTTOU attack as provided in the attack examples. Remember the most common platform where you might find a TOCTTOU bug. What methods can be used to prevent TOCTTOU from occurring in UNIX and in Microsoft Windows?

Page Application and Escalation of Privilege

Privilege is the level of access a user has on a system. Read the section in this article about escalation of privilege to learn the meaning of the term. What is the difference between vertical and horizontal escalation of privilege? Who has the highest level of privilege, that of a user at the application level or a system administrator at the kernel level? How can this kind of attack be prevented?

Page Escalation of Privilege

Watch this video to learn more about privilege escalation from the viewpoint of a hacker. What is privilege escalation? Why is privilege escalation difficult to execute? What types of things might an attacker look for on a system to escalate their privileges?

2.6: Web Application Attacks Page Types of Application Attacks

Some attacks work specifically against websites or web applications. This video discusses some basic application attacks such as cross-site scripting, SQL injection attacks, buffer overflow attacks, integer overflow attacks, directory traversal, command injection attacks, lightweight directory access protocol (LDAP) injection attacks, extensible markup language (XML) injection attacks, and zero-day attacks. You will see how an attacker performs each type of attack. As you watch this video, think about why an attacker might attack an application instead of a network. What is the best defense against application attacks?

Page Cross-Site Scripting

Read this article to learn about cross-site scripting (XSS). How does an attacker exploit an XSS vulnerability? Describe reflected and persistent XSS vulnerabilities. How can an XSS attack be prevented?

Page Examples of Cross-Site Scripting

Review this selection to understand why cross-site scripting (XSS) attacks are categorized as injection attacks. Under what conditions do XSS attacks occur? You saw reflected attacks in the previous section, but review this category again and learn about another category: stored XSS attacks. Also, in this article, pay attention to the consequences of XSS attacks, ways to find flaws to prevent XSS attacks, and how to protect against an XSS attack.

Page How Does XSS Work?

Read parts two and three of this article to understand the actors in cross-site scripting (XSS), persistent, reflected, and DOM-based XSS types, and methods to prevent XSS.

Page SQL Injection

You have learned about cross-site scripting as an injection attack on applications. This article will introduce you to another type of injection attack on databases, SQL injection. After reading, be able to explain what occurs during a SQL injection attack, how to prevent the attack, and how a SQL injection can compromise a system.

Page Examples of SQL Injection Attacks

Read this article to understand the concept of SQL injection attacks. Although you are not expected to know how to code, review the code examples and attempt to comprehend how the safe version provided in each example can prevent the attack.

Page How Application Flaws Enable SQL Injection

In this unit, you previously learned about cross-site scripting and SQL injection attacks. In this article, you will learn how to define injection, and the terms threat agents, attack vectors, security weaknesses, technical impacts, and business impact as related to injection attacks. There is also a detailed example of how an injection attack works within code.

2.7: Malware Attacks Page Common Types of Malware

Watch this video to learn the definition of malware and what it can potentially do to a system. Pay attention to a method that can prevent introducing malware into a system when installing new software. You will learn about some common types of malware as well as their mode of attack, and what they attack in a system. The types of malware you will learn about are virus, trojan, worm, rootkit, logic bomb, ransomware, botnet, adware, spyware, polymorphic virus, armored virus, and backdoor access.

Page Malware Functions

As you learned in the previous section, the harmful effect on the system differs depending on the function or type of malware used. In this section, you will learn about the seven common effects malware can have on a system: overwhelming system resources, running malicious adware, running spyware, running ransomware, creating backdoors, disabling security functions, and creating botnets. Pay attention to the type of malware and the method used to create each effect.

Page Computer Viruses, Worms, Trojan Horses, Spyware, and Adware

Read this article on computer viruses, worms, Trojan horses, spyware, and adware. Be able to describe how a computer virus can spread throughout a system or network, and the effect a virus might have on a system. Think about how a worm affects a computer system, and how a worm is similar or different from a virus. A Trojan horse is malicious software that is named after the Trojan horse known in mythology. Learn what a trojan horse is and what it can do once activated in a system. What is the purpose of spyware and adware?

Page The Security Risks of Viruses, Worms, and Trojan Horses

Watch this video to learn more about viruses, worms, and Trojan horses. After watching, you should be able to describe a virus and how it spreads, and the effect a virus can have on a system. You should also be able to describe a worm and a Trojan horse. Why this type of malware is called a Trojan horse should become clear, as well as why it should NOT be termed a virus. You will also learn how a worm spreads, and some history about the infamous Stuxnet worm.

Page Types of Trojan Horses

After reading the section on the types of Trojan horses, you should be able to describe all seven Trojan horse types. Think about how Trojan horses are different from viruses and worms.

Page Logic Bombs

Read the section on logic bombs and DoS to comprehend the ability of this type of code, and how it can be used in a DoS attack.

2.8: Denial of Service (DoS) and Distributed Denial of Service (DDoS) Page Denial of Service (DoS)

This video will explain the concept of a denial of service (DoS) attack. What is the goal for an attacker when committing a DoS attack? How is this type of attack accomplished?

Page Distributed Denial of Service (DDoS)

A denial of service (DoS) attack and a distributed denial of service (DDoS) attack are similar, but one is more difficult to defend against. Watch this video as an introduction to the concept of a distributed denial of service (DDoS) attack. What is the intent of an attacker when initiating a DDoS? What systems are used to initiate the attack?

Page How DoS Attacks Work

Read this to understand the objective of a denial of service (DoS) attack. When a DoS attack occurs, what happens to a system? Be able to explain how a DoS and a DDoS attack are related and how they differ.

Page Types of DoS and DDoS Attacks

Watch this video for an in-depth explanation of the types of DoS and DDoS attacks and how they work. Once complete, you should recognize the terms and associate them with denial of service attack methods. Thinking about the CIA triad, which leg of the triad does a DoS attack affect?

3.1: Cryptographic History Page History of Cryptography

Read this article to learn about the evolution of cryptography, the methods used to secure communication. One of the earliest methods of encryption you will read about is substitution ciphers. The beginning of WWI brought advancements in computational power, advancements that encouraged the development of the electromechanical cipher machines used in WWII. One such infamous machine was the German Enigma machine, and the cracking of the Enigma code was pivotal for the war. Today's modern cryptography uses computers to devise complex ciphers. As you read, take note of some important names and abbreviations in cryptographic history. Who were Shannon, Diffie, and Hellman? What do the abbreviations DES and AES represent, and in what years were they developed? When was symmetric key cryptography used, and when was asymmetric cryptography developed?

Page Classical Cryptosystems

Read this section on classical cryptosystems. Pay attention to the substitution cipher, the Vigenere cipher, and the Enigma cipher. As you read, consider these study questions: Who was the Vigenere cipher named after, and who first cracked the Vigenere cipher? Who cracked the Enigma cipher, and what repeated phrase at the end of every message helped to break the cipher? What is perfect secrecy?

3.1.1: The Caesar Cipher Page Caesar Cipher

After reading, you should be able to explain why this cipher is called the Caesar cipher, and you will be able to encipher a simple message using the Caesar substitution cipher.

Page Caesar Cipher Project

Use this source as a tool to assist you in enciphering a short message.

3.1.2: One-Time Pads Page One-time Pads

Read this source to understand why a one-time pad (OTP) is considered to be secure. Take note of the conditions that must be met to ensure the OTP cannot be broken.

3.2: Goals of Cryptography Page Cryptographic Goals

There are four main goals in cryptography: confidentiality, integrity, authentication, and non-repudiation. Read the section on the goals of cryptography to understand each concept. Notice how the cryptographic goals correspond to the CIA triad discussed in the previous unit, with one addition: non-repudiation. Non-repudiation will be discussed in more detail in the next section of this unit.

Page Confidentiality and Nonrepudiation

Cryptology provides for confidentiality and non-repudiation. Confidentiality is protection from unauthorized viewing, while non-repudiation means that the sender cannot deny having sent the message. What method of encryption ensures confidentiality? What ensures non-repudiation? You should be able to explain how confidentiality and non-repudiation work together.

Book Confidentiality, Integrity, and Authenticity

Cryptographic methods provide confidentiality, authenticity, and integrity. Authenticity is proving who you are, and integrity is protecting data from unauthorized changes. By reading this article, you should be able to explain the concepts of confidentiality, authenticity, and integrity. What cryptographic methods can be used to provide all three?

Page Cryptographic Authentication

Authentication was discussed in the previous section. This section discusses different cryptographic methods for providing authentication, including symmetric and asymmetric authentication. After watching, you should be able to explain authentication and the risks of impersonation, and be able to define certificates and certificate authorities.

3.3.1: Symmetric Key Algorithms Page Symmetric Key Ciphers

This article describes symmetric key ciphers. As you read the article, take note of the major issue associated with key distribution of symmetric key ciphers and the advantage of symmetric key ciphers over asymmetric key ciphers.

Page What is Symmetric Key Encryption?

Watch this video where Alice sends a message to Bob that has been encrypted with a symmetric key. If Bob wants to read the message, what key does he use to decrypt the message?

3.3.2: Asymmetric Key Algorithms Page Asymmetric Key Ciphers

Asymmetric ciphers have two keys: public and private. While reading, take note of which key encrypts the message and which key decrypts the message. What is a known weakness to this type of encryption?

Page What is Asymmetric Encryption?

Watch this video where this time Alice sends a message to Bob that has been encrypted with an asymmetric key. If Bob wants to read the message, what key does he use to decrypt the message?

3.3.3: Hashing Algorithms Page Cryptographic Hash

A cryptographic hash algorithm can provide for integrity. When reading this article, pay attention to the section on applications of hash functions. The scenario with Alice and Bob is a good example of how a cryptographic hash can provide for message integrity. Be sure to understand the concept of a digest and try to comprehend the issue of a collision and the birthday paradox. You will learn more about the birthday paradox in a subsequent section.

Page Hashing

This video provides a more in-depth view of hashing. From this video, you should learn more about hash collisions and the avalanche effect, and make note of the names of hashing algorithms. You will learn more about the hashing algorithms mentioned in the video later in this unit.

3.4.1: Symmetric Key Algorithms Book Symmetric Key Algorithms

You already learned about symmetric key ciphers and the major issue with symmetric keys. Read the section in this article on symmetric key encryption to learn more about the advantages and disadvantages of symmetric keys. There is more information about symmetric key ciphers in this article that will be covered in more detail later in this unit, but this article will give you a preview of the 3DES, IDEA, and AES ciphers. View the flashcard tool as well to better understand and learn the terms used in cryptography such as plaintext, ciphertext, key, encryption, decryption, countermeasure, symmetric key encryption, and block cipher.

3.4.1.1: DES Page Data Encryption Standard (DES)

This article explains the data encryption standard (DES), an algorithm used in symmetric encryption. To understand the timeline of encryption algorithms in history, pay attention to the year this algorithm was created, the name of the company that created it, and the name of the technique that made DES a vulnerable algorithm. Note that DES could also be cracked via brute force. What makes DES vulnerable to a brute force attack?

Page DES

DES is no longer used but was a very popular algorithm at one time. The principle of DES is important to understand because it is used in other ciphers. If DES encrypts 64 message bits, why is the effective key size only 56 bits? Why is DES no longer used?

3.4.1.2: 3DES Page 3DES

The next step up from DES is triple DES, or 3DES. Watch this video to learn why triple DES was used instead of double DES. Explain what 3DES is in relation to DES.

Page 3DES Key Versions

In this video, the three key versions of 3DES, the length of each effective key, and the strength of each version are explained. If all three keys were the same, do you understand why 3DES would just be DES?

3.4.1.3: AES Page Advanced Encryption Standard (AES)

Read this article on the advanced encryption standard (AES) to understand the key sizes of AES in relation to the key size of 3DES. What is another name for AES?

Page AES Complete Explanation

In this video, you will learn the process of encryption using AES. Notice what year AES was developed and why there was a need for a new encryption algorithm. How much faster is AES than 3DES?

3.4.1.4: Ciphers (RC4, RC5, RC6, Blowfish, Twofish) Page Rivest Cipher 4 (RC4)

While you watch, consider these questions: What type of cipher is RC4? Who designed RC4 and in what year? In what applications is RC4 used? What are the limitations and the benefits of using RC4?

Book More on RC4

Read the section on RC4 in this article. Try to mentally follow the steps for encryption with the algorithm. What are some of the strengths and weaknesses of RC4 as noted in this article?

Book Rivest Cipher 5 (RC5)

The RC5 algorithm was derived from the RC4 algorithm. While you read, take note of the year RC5 was published. How much time was there between the development of RC4 and RC5? What type of symmetric cipher is RC5? Compare the three components of RC5 with the components of AES. Do you see any similarities?

Book Rivest Cipher 6 (RC6)

RC6 was developed for an advanced encryption standard (AES) competition but was not selected by the National Institute of Standards and Technology (NIST). In what year was it published, and who developed it? How is RC6 different from RC5?

Book The Blowfish Cipher

The Blowfish cipher has been studied in information security for more than 20 years. As you learn about this cipher, pay attention to the creator and the year it was created. Is Blowfish still in use? Why is it in use, or why is it not in use? What type of cipher is Blowfish? What is the key length of Blowfish? Why would the Twofish cipher be chosen over Blowfish? Why would Blowfish be chosen over DES or IDEA?

Book Twofish

Twofish succeeded Blowfish and was also designed by Schneier. Read the section on the Twofish cipher to learn about the length of the algorithm and the types of environments where Twofish can be used.

3.4.2: Asymmetric Key Algorithms Book Asymmetric Key Algorithms

Previously you learned about asymmetric key algorithms, and you should understand that asymmetric encryption requires two keys: public and private. As a review, use the flashcards to define asymmetric key encryption, public key, private key, and digital certificate. Then read the section on asymmetric encryption.

3.4.2.1: RSA Page Public Key Cryptography: RSA Encryption Algorithm

Do you find asymmetric encryption and the use of a public and private key difficult to comprehend or explain? This video explains asymmetric encryption, or non-secret encryption, and leads into RSA, the first asymmetric algorithm. Watch this video for a visual explanation of asymmetric encryption and RSA. On what principle is RSA based? Make note of the year RSA was developed and why it is called RSA.

Book RSA

RSA is an asymmetric algorithm and is attributed to three people, but reading this article will explain who developed the algorithm years earlier. When reading this article, try to understand the sections on key generation, encrypting messages, decrypting messages, and signing messages. Most importantly, note the speed of RSA in comparison to DES, which was discussed in the section on symmetric key encryption. Also note how attacks such as man-in-the-middle and RSA blinding attacks can be avoided.

3.4.2.2: DSA Page Digital Signature Algorithm

The digital signature algorithm (DSA) is used for authentication and is considered a signature algorithm. When reading section three of this article, pay the most attention to the steps in the scenario with Alice and Bob on how to obtain a digital signature using a private and public key, and how a digital signature verification is produced. To keep a basic idea of the timeline, also pay attention to the year that DSA was proposed. Attempt to follow the reading on DSA key generation, signature generation, and signature verification, although you are not expected to be able to explain these steps.

3.4.2.3: Pretty Good Privacy (PGP) Page What is Pretty Good Privacy (PGP)?

Pretty good privacy, known as PGP, is an open-source program that provides data encryption and is often used for email. This program uses a public and a private key for encryption and decryption, as you might expect. Read this article to understand how you can use PGP to encrypt email sent from your personal computer.

Book Pretty Good Privacy (PGP)

Now that you understand how PGP can be used, read this article to learn who developed PGP, taking note of the year it was developed. Be sure to read the sections on how PGP works as well as the encryption-decryption process using the public and private keys. As you will notice, the public key versions are RSA, which was previously discussed, and Diffie-Hellman, which will be discussed in a later section.

Page PGP and the Web of Trust

To learn more in-depth information about PGP, such as downloading and installing it and learning how to create a key, you may choose to watch this video.

3.4.2.4: GPG Page Gnu Privacy Guard (GPG)

GPG, also known as GNU Privacy Guard, is the successor to PGP, discussed in the previous section. While watching, determine whether GPG uses symmetric or asymmetric cryptography. What is a key pair, and what is the purpose of the passphrase in GPG? You can continue to watch this video to learn how to use GPG in MS Windows.

Page Using GPG with Linux

If you use Linux and are interested, watch this video to learn how to install and use GPG in a Linux system. You will learn to generate a key pair and to encrypt files using GPG.

3.4.2.5: Diffie-Hellman Page Diffie-Hellman Cryptography

In the history of cryptography section, you read about two important people: Diffie and Hellman. This article discusses the Diffie-Hellman algorithm and how it is used to encrypt and decrypt. What year was the Diffie-Hellman algorithm published? Which algorithm that you have already learned about works similarly to Diffie-Hellman?

Page Diffie-Hellman Protocol

Watch this video, which works through a scenario of communicating a secret over the Internet using the Diffie-Hellman algorithm. Pay attention to the actions of Alice and Bob, what they can and cannot see, and notice the size of the prime numbers used in the Diffie-Hellman calculation.

3.4.2.6: Elliptic-Curve Cryptography Page Elliptic Curve Cryptography (ECC)

Elliptic curve cryptography is based on elliptic curve theory and uses smaller key sizes, thereby increasing speed. The mathematics used is that of elliptic curves and finite fields. In this article, note that the mathematical equations are based on algebra and calculus, but the finite fields are based on modular mathematics. While you are not expected to memorize formulas or calculate the algorithm, viewing this page should help you to understand why elliptic curve cryptography is difficult to break.

Page Elliptic Curve Algorithm

In this video, you will see why elliptic curve cryptography is an important algorithm. The video will also show the mathematics behind the algorithm. While you are not expected to understand the mathematics behind the algorithm, be sure to make note of how elliptic curve cryptography compares to RSA, which was discussed in a previous section.

3.5: Hashing Algorithms Page Cryptographic Hash

A hash is a cryptographic algorithm, but it differs from symmetric and asymmetric cryptography in that it does not use a public or private key. The input to a hash cannot be reverse calculated from the hash. Watch this video and note the computational and inversion requirements of a hash. Does hashing provide for confidentiality or integrity?

3.5.1: Digital Certificates Page Digital Certificates

Your typed name at the bottom of an email is not proof that you are the sender of an email. Public keys are used to create digital certificates to provide proof of the identity of a sender. Read this article to understand the need for digital certificates. Pay attention to certificate chains and the importance of the element of trust.

Page Message Digest History

The history of message digests and algorithms is discussed in this video. According to the narrator, which tenet of the CIA triad is the most important, and which tenet does a message digest protect? Pay attention to the fact that a message digest does not involve the use of a key. What inspires the development of new ciphers? How do you get more security when adding crypto algorithms? Which ciphers are considered the industry standards and are in use today?

3.5.2: Message Digest 5 (MD5) Page Message Digest 5 (MD5)

Read this article about MD5, a hash function. You should learn who developed MD5 and note the approximate year. Pay attention to the purposes of MD5, the size of the output, and why it is no longer used for digital certificates.

3.5.3: Secure Hash Algorithm (SHA-0, SHA-1, SHA-2, and SHA-3) Page Secure Hash Algorithm (SHA-0, SHA-1, and SHA-2)

Another hash or one-way algorithm is the secure hash algorithm (SHA). What hash is SHA based on, who created it, and what are the names of the three SHA algorithms? Which SHA is no longer in use?

Page FIPS PUB 202: SHA-3

The Federal Information Processing Standards Publication 202 (FIPS PUB 202) discusses the secure hash algorithm-3, known as SHA-3. When reading the introductory section on pages 1 and 2, pay attention to the origin of the algorithm, and the terms hash function, message digest, and extendable-output function (XOF). What special properties was SHA-3 designed to provide? What are the digest lengths in the FIPS-approved hash functions?

3.5.4: Hashed Message Authentication Code (HMAC) Book Hashed Message Authentication Code (HMAC)

To understand a hashed message authentication code (HMAC) you must understand a message authentication code (MAC). First, view the diagram with the subtitle "computing a MAC versus computing an HMAC". Then read the text below the diagram. How does a MAC become an HMAC? What is the purpose of an HMAC?

4.1: Access Control Book Access Control Fundamentals

In information security, access control is imperative to ensure confidentiality, integrity, and availability. Controlling who has access to a system and the breadth of access a user has is vital to ensure the security of systems and data on the systems. Read this article to understand the terms access control, access, subject, and resource. Note the challenges, the principles, the criteria, and the practices used in access control.

Page Access Control
Watch this video on access control. What is the role of access control? How would you describe authentication, authorization, and audit?
4.2: Access Control Terminology Page Least Privilege, Separation of Duties, and Need-to-Know
Read this section on access control principles. How would you describe the principle of least privilege, separation of duties, and need-to-know?
Page Relationship Between Least Privilege and Need-to-Know

This article discusses how the principles of least privilege and need-to-know are related. You should be able to explain how least privilege and need-to-know can be controlled with correct data labeling and by assigning user roles. Pay attention to how too much security can sometimes be a bad thing.

Page Least Privilege and Privilege Creep

When considering the principles of least privilege and privilege creep, start with no privilege granted to a user, then grant access as needed. This video explains this concept in more detail.

Page Least Privilege and Attacks

Watch this video to see how using the principle of least privilege can reduce the impact of an attack on a system.

Page Separation of Duties

Separation of duties is used to restrict work and system access to a narrower focus. This principle is more difficult to provide in a smaller organization than in a larger organization, but it is an important concept to understand and to address. Read the section on separation of duties to understand how this concept prevents individuals from attacking systems on their own and requires collusion with other individuals to commit fraud. How does separation of duties protect against fraud? What are some mechanisms that can be used to enforce separation of duties?

Page Access Control Matrix and Access Control List (ACL)

The section in this article on access control matrix describes the matrix and discusses how it is related to the access control list (ACL). This section will introduce you to the access control matrix and the ACL. Pay attention to the term Kerberos, which was used in the previous unit.

Page Access Control Matrix and Access Control List (ACL) Functionality

The access control matrix describes the security state and can be represented in table or matrix form. Every subject and object is listed, as well as the permissions allowed for each subject. The access given to a subject follows the organization's security policy, which is written to protect the confidentiality, integrity, and availability of the system. The access control list (ACL) stores the permissions of each object or file. After watching this video, you should be able to explain the concept of access control matrices and the ACL. Where do the rules for access control come from?

4.3: Access Control Models Page Access Control Models

In the previous section, you learned some common ways that access should be limited such as by need-to-know, least privilege, and separation of duties. In this section, you will learn about four access control models: mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and rule-based access control (RB-RBAC). Read the section in this article on access control models. Pay attention to the basis of each control model and the type of agency that would use each model. This article does not cover RBAC, but it will be discussed in a subsequent section.

4.3.1: Mandatory Access Control (MAC) and Discretionary Access Control (DAC) Book Mandatory Access Control (MAC) and Discretionary Access Control (DAC)

Read section 3 on Discretionary Access Control (DAC) and section 4 on Mandatory Access Control (MAC). Why is DAC called discretionary and MAC non-discretionary? What is the main drawback or vulnerability presented when using DAC, and why is MAC not vulnerable as well? What do no read-up and no write-down mean?

Page Comparing MAC and DAC

Watch this video. Who writes the rules and who owns the files in MAC and DAC? Which type of access control is typically used by military or government agencies, and which type is used in consumer operating systems? What type of security labels are attached to files, and what type of label is attached to a subject?

Page Bell-LaPadula Model

Watch this video on the Bell-LaPadula model, which supports both mandatory and discretionary access control. What agency developed the Bell-LaPadula model? What does this model protect, and what tenet of the CIA triad was it designed to protect? Does this mean the model is no read up or no read down? What concept is the Bell-LaPadula model built on?

Page Simple Security, Star Property, and Discretionary Security Property

The Biba model was developed after the Bell-LaPadula model, and it also supports both mandatory and discretionary access control. Which tenet of the CIA triad does the Biba Model address? Was the model no read up or no read down? Why are the Biba and the Bell-LaPadula models used together? On what concept is the model built?

Page Biba Model

You have encountered the terms read up and read down, but what do these terms mean? To clarify, watch this video and you will learn some new terms as well. While watching, be sure to take note and to be able to explain the simple security property, the star security property, and the discretionary security property.

Page Comparing Bell-LaPadula and Biba Models

You have already learned a lot about the Bell-LaPadula and Biba models, but this article will provide some information that has not yet been addressed. View the sections on the Bell-LaPadula and Biba models and compare the two models while you read. What are the rules of each model? When was each model developed? Do the models have other similarities?

4.3.2: Role-Based Access Control (RBAC) Book Role-Based Access Control (RBAC)

Role-based access control (RBAC) is a method that allows and restricts access to subjects or users based on the role of the user. When reading, pay attention to the description of an RBAC system and be able to describe the system, as well as to name the user that only RBAC can restrict. How does this one restriction increase the difficulty for an attacker to compromise the system? What is the set of rules called that manages the RBAC system? Although you will not be asked to create an RBAC policy, read through the rest of the document and try to follow the examples of how an RBAC policy is coded on a system.

Page RBAC Access Control

Role-based access control (RBAC) is based on roles. Access rights are assigned to roles and users are assigned to roles. After watching, you will be able to describe how this model is implemented using two matrices. Is this access control model similar to discretionary or mandatory access control? When would this access control model be used? What are some constraints of this model?

4.3.3: Rule-Based Access Control (RB-RBAC) Page Rule-Based Access Control (RB-RBAC)

This section explains the basics of the rule-based access control (RB-RBAC) model. As you read, you will understand why this model is called rule-based: access depends on meeting a set of rules rather than on identity, as in the other models discussed. What is an example of rule-based access control on a system?

Page RB-RBAC versus the RBAC Model

Section 4.2 in this article describes the rule-based RBAC (RB-RBAC) model. This model is an extension of the RBAC model, but is not identical to it. How does it differ from the RBAC model?

5.1: Identification Page Identification, Authentication, and Authorization
To maintain access control, there must be a way to provide or deny access to users. In this section, you will learn what it means to identify, authenticate, and authorize a user. For example, when you log into a system you identify yourself, then you authenticate or prove who you are by providing a password. If the username and password match, the system will authorize your access provided you were previously approved for access to the system. Read the section on identification, authentication, and authorization to learn the terms and to be able to differentiate between them. You will also learn identification component requirements, authentication factors, and authentication methods such as biometrics, passwords, cryptographic keys, passphrases, memory cards, and smart cards.
Page Authentication and Authorization Basics
View this video about identification, authentication, and authorization in computer systems. As you watch, list the common identification methods and common authentication factors. What can be used to prove something you know, something you are, something you have, something you do, and somewhere you are? What are four methods of authentication? What is an implicit deny?
5.2: Authentication Types Page Password Security
Passwords must be kept confidential and follow certain guidelines or they will be easily hacked. Online tools are readily available to crack passwords but following a few rules can make them more secure. Read the sidebar on password security for some effective policies on how to create secure passwords. Be able to name and explain three methods that can be used to make or keep passwords secure.
Page Tokens and Biometrics
Another way to authenticate users is to use tokens or biometrics. Tokens are something you have, but biometrics are something you are, such as your physical characteristics. A one-time password is an example of a token, as is a bank card with a chip. Fingerprints or iris scans are examples of biometrics. As you watch, pay attention to the description of tokens and biometrics, and the common tokens and biometrics used today. What are some common drawbacks with tokens and biometrics? How do tokens authenticate? Biometrics do not authenticate by comparing photographs of the fingerprints or iris, so how do they authenticate? Which biometric authentication is most secure? Which one is most expensive and which one is the least secure?
Book Biometrics
Some consider biometrics as intrusive and as a violation of privacy. While you read, pay attention to how biometric systems authenticate and to the three main threats against biometric systems. What are these three threats and what are the cryptographic and non-cryptographic countermeasures?
Page Security and Accuracy of Biometrics

If you are interested in more information about biometrics, watch this video. The panel discusses various methods of voice, facial, and DNA-recognition technology as well as issues of security, privacy, and the accuracy of biometrics.

5.3: Human Authentication Factors Book Human Factors Used in Authentication

You learned about using passwords, tokens, and biometrics to authenticate a user. Authentication factors are discussed in terms of something you know, something you have, and something you are. This article explains these three factors.

Page Authentication Factor Descriptions
This video discusses authentication factors in greater detail. How would you categorize authentication factors as something you know, something you have, or something you are? This video uses the language what you know, what you possess, and what you are to describe these concepts. Another authentication factor is where you are. Pay attention to this factor, and think about how it can be used alongside the other three.
Book Methods of Authentication
This article calls the authentication factors we are familiar with the ownership factor, knowledge factor, and inherence factor. These names relate to something you have, something you know, and something you are, respectively.
5.4: Authentication Forms Page Authentication Forms

Watch this video to learn about authentication forms. There is a difference between authentication and authorization. This video discusses the three authentication factors in terms of what you know, what you are, and what you have. The factors can be used alone or can be combined into multifactor authentication. What is the purpose of multifactor authentication? What is single sign-on?

Book Multifactor Authentication
Authentication can be accomplished with one factor, two factors, or multiple factors. Which one is the weakest level of authentication and which is the most secure and why? When would a more secure system be required? Be able to explain these multifactor authentication methods: password protection, token presence, voice biometrics, facial recognition, ocular-based methodology, hand geometry, vein recognition, fingerprint scanner, thermal image recognition, and geographical location. What are some challenges of multiple factor authentication when using biometrics? There is a lot of interesting information covered in this article that you do not need to memorize, but that you should be aware of.
Page Authentication
Confidentiality, integrity, and availability are supported by authentication and authorization. This video also introduces a new term, accountability. Once you are given authorization, you are accountable for what occurs with your account. This is a good reason not to share authentication credentials. The video addresses four types of user authentication: password, certificate-based, biometrics, and e-tokens. Be able to describe the process for each type of authentication and the drawbacks of each one. You will recognize some information from the unit on cryptography.
Page Mutual Authentication
Watch this short video on mutual authentication, and think about how it relates to the authentication methods we reviewed previously.
5.5: Authentication Protocols: RADIUS, TACACS+, PAP, CHAP, MS-CHAP, and EAP Page Authentication Protocols
Four commonly used authentication protocols are Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS), and Diameter. This article explains these methods, their weaknesses, and their compatibilities.
Page Authentication Services
When discussing authentication, it is important to know the function and purpose of authentication services. AAA stands for authentication, authorization, and accounting. The AAA protocols discussed in this video are Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+). What is each of these services used for? What is encrypted when using each service? How are they similar, and how are they different?
Page Terminal Access Controller Access Control System (TACACS)
You learned about single-factor and two-factor authentication in the previous unit. When you watch this video, make note of which type of authentication TACACS utilizes as opposed to TACACS+. Which one has the stronger authentication factor?
Book Diameter
Read this article about the history of Diameter and why it was developed. What preceded Diameter as an authentication protocol? While you do not need to understand how Diameter authenticates, you should have a general idea of its authentication process.
Page PAP, CHAP, MS-CHAP, and EAP
Four methods of authentication and authorization are discussed in this video. The four methods are password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), Microsoft CHAP (MS-CHAP), and extensible authentication protocol (EAP). While watching this video pay attention to the method of authentication used by each protocol. Which method is the least secure and why? Which method is proprietary?
5.6: Single Sign-On (SSO) Page Kerberos
This section will introduce you to single sign-on (SSO), and its advantages, disadvantages, and limitations. Then, we will look at the Kerberos authentication protocol. Take note of the Kerberos components such as key distribution center (KDC), ticket granting service (TGS), ticket granting ticket (TGT), and authentication server (AS).
Page Single Sign-On (SSO)

Watch this video to understand the concept of single sign-on (SSO). Why would a user want or not want to use an SSO? What is the name of a modern SSO, and is it used for authorization, authentication, or both?

Page Kerberos Facts

This short video will describe the origin of Kerberos, what it protects, and the type of cryptography that is used with Kerberos. Can you describe end-to-end security?

Book Kerberos History

Kerberos can only be used within a trusted environment, and passwords are never sent over the network. Review the terms principal, realm, and ticket. What is the authentication flow for Kerberos? What are its limitations?

Page Kerberos Weaknesses

You should be aware of some of the vulnerabilities of Kerberos. After watching this video name two Kerberos vulnerabilities and describe under what conditions an attacker can exploit these vulnerabilities.

Page Kerberos and Lightweight Directory Access Protocol (LDAP)

Watch this video on Kerberos and lightweight directory access protocol (LDAP). Pay attention to the terms key distribution center (KDC), authentication server (AS), ticket-granting service (TGS), ticket granting ticket (TGT), and token. How do Kerberos and LDAP work? What ports are used by each protocol?

Book Lightweight Directory Access Protocol (LDAP)

To understand Lightweight Directory Access Protocol (LDAP) you must first understand directory services. This article defines directory services and how LDAP structures the entries in a directory service. Pay attention to the basic LDAP components such as attributes, entries, and data information trees (DITs). How does LDAP organize data, and what is LDAP inheritance? Note that there are some variations in LDAP protocols.

Page Directory Services Overview
Beyond directory services, what are some other uses for LDAP? What type of structure does LDAP use for data? You do not need to memorize the abbreviations used in LDAP, but you should be aware of them. This video reviews Active Directory, which uses both LDAP and Kerberos for authentication.
5.7: Public-Key Infrastructure (PKI) Page Public-key Infrastructure (PKI)
Asymmetric encryption requires two keys instead of one as in symmetric encryption. In public key infrastructure (PKI), asymmetric encryption is used. Watch this video to learn about PKI and how the public and private keys are used to encrypt and decrypt information. Also, learn about the two types of certificate authorities (CAs). What are the advantages and disadvantages of the private CA? To understand PKI you should also understand the levels of certificate authorities, the concept of the digital certificate, and the components of the digital certificate.
Page More on Public-key Infrastructure (PKI)
After watching this video as a continuation of public key infrastructure (PKI), you should be able to answer the following questions: What are the responsibilities of the certificate authority (CA)? What is the online certificate status protocol (OCSP)? What are the responsibilities of the registration authority (RA)? What is the purpose of a trust model?
Page Certificate and Registration Authorities
One method of certification is using a certificate authority (CA) or registration authority (RA). Read the section on certificate authorities to understand the difference between a CA and an RA. How does the CA, or RA, publish a user's public key?
Page Certificate Authorities
This video will explain and model how the use of a certificate authority (CA) can prevent a man-in-the-middle attack. Be able to explain how the use of a CA can prevent this attack.
Page Digital Certificate Defined
To understand the concept of a digital certificate read this short article. Who typically grants a digital certificate and what is included with the certificate?
Page Digital Certificate
To understand more about the digital certificate process, watch this video. What is the purpose of a digital certificate? Which key is used to create the digital certificate?
6.1: Network Security Design Page Elements and Components of Network Design

This video discusses secure network components like demilitarized zones (DMZ), network address translation (NAT), network access control (NAC), virtualization, subnetting, and segmentation. You should learn the purpose of each component, how each component is set up, and what hardware, if any, each requires. What are the security advantages of each of these components?

Page The Importance of Network Segmentation

This video describes network segmentation, and how the networks can be segmented at the physical and data link layers. Networks can be segmented for many reasons: compliance, optimizing or improving performance, separating private communications from public, protecting legacy systems, creating testing environments, securing data flow, or creating honeynets. Pay attention to supervisory control and data acquisition (SCADA) systems and why they should be segmented. This video also discusses the Stuxnet virus. What type of system was it designed to attack?

Page Segmentation Helps to Keep Your Network Secure

You can think of network segmentation like compartments of a submarine. Each compartment is separated from the others, so if a flood happens in one compartment, it can be sealed off to protect the others. As with all secure methods, segmentation has drawbacks as well as benefits. In a network, how could a security team identify application flows to determine border placement, appropriate policies for segmentation, and how the segmentation scheme can be managed and maintained?

Page Network Security Zoning
Zoning is a tactic used to protect an organization's network by segmenting assets into groups (or zones) that have the same level of security requirements. These can include internet zones, internet DMZs, production network zones, intranet zones, and management network zones. Read this article for more on zoning and the different types of zones.
Page Redundancy
Computer systems will fail and lose data, but data can be preserved if redundancy is in place. Think about this in relation to the three tenets of the CIA triad: if data is lost, then availability is lost, and CIA is not protected. What is redundancy? How is it accomplished in information systems? Pay attention to the concepts of paths, routing, scalability, redundancy, and fault tolerance.
Page Redundancy Methods

This video explains redundancy and hardware that can be used to maintain redundancy. What physical devices provide for data and for hardware redundancy? What is the benefit of using RAID? Note the differences between hardware, software, and firmware-based RAID. How do load balancing and failovers work with redundancy?

6.2: Firewalls Page What is a Firewall and How Does it Work?

Firewalls are an important part of network security. Firewalls act like filters and help protect against malicious network traffic. This article discusses three types of firewalls: stateless, stateful, and application. Firewalls use rules to accept, reject, and drop network traffic. Incoming and outgoing traffic have different firewall rules. This article covers some basic tools that you should be able to discuss, including iptables, Uncomplicated Firewall (UFW), FirewallD, and Fail2ban.

Page Firewall Basics and Firewall Placement

This video goes into detail about more types of firewalls, as well as firewall settings and techniques. You should be able to describe each type of firewall, and know what circumstances each type should be used for. What is the difference between stateless and stateful inspection firewalls? What is a virtual firewall? When discussing firewall settings and techniques, it is important that you can explain what an access control list (ACL) is. What should the last rule in an ACL be? Where should a stateful or a stateless firewall be placed? What is a demilitarized zone (DMZ), and where should a DMZ be placed?

Book Packet Filtering

This article explains packets, packet headers, and packet filtering. What criteria can the decision to allow or disallow a packet be based on? What are the weaknesses and advantages of packet filtering? After you read, you should be able to describe packets and packet headers.

Page Inbound and Outbound Packet Processing

It can be difficult to understand how packet processing works. This video gives a visual explanation using decision tables on how all inbound and outbound packets are processed. See if you can follow the process. While you don't need to know the specifics, you should be able to explain the inbound and outbound process in general terms.

Page Stateful Packet Inspection

Stateful packet inspection is also known as dynamic packet filtering. What type of table does stateful packet inspection use for filtering? What are the attributes that are part of the state of the connection? How is stateful packet inspection different from static packet filters? How can stateful packet inspection improve network performance?

Book Deep Packet Inspection

This article describes how deep packet inspection (DPI) is different from other types of packet processing. Most packet processing is done via the IP header, but deep packet processing inspects the packet contents. How does DPI help to secure a network? What are the different approaches to DPI? Make sure you can explain the three techniques used in DPI and name some of the tools used for packet analysis.

Page Deep Packet Inspection and Routers
Deep packet inspection is expensive, because the router unpacks the packet and looks at its contents, which slows down the routing process. Watch this video for an in-depth explanation of deep packet inspection. Why is deep packet inspection less common, and what are some situations where you might want to use it despite its drawbacks?
6.3: Wireless Networks Page Introduction to Wireless Networks and Wireless Encryption

This section discusses wireless networking, encryption, and the 802.11 wireless network standards. Wireless networking is advantageous, since it removes the cost of installing cables and doesn't require systems to use a wired connection. What does the term half-duplex mean? What are the most common RF bands used in the United States, and why are they used? Why is it important to encrypt wireless networks? You might remember the advanced encryption standard (AES) from the unit on encryption. Which encryption standard for 802.11 networks uses AES? Why should wired equivalent privacy (WEP) and Wi-Fi protected access (WPA) no longer be used for encrypting wireless networks?

Page Wireless Network Basics

This video discusses six names for wireless Internet connections, and how to view the wireless connection manager program on a device to determine if the connection is encrypted. Why is it important to know if the connection is encrypted? How close does a wireless eavesdropper have to be to intercept a signal between a computer and a router?

Book More Wireless Basics

This article explains the types of wireless signals. What makes these signals different? What is the difference between a transmitter and a receiver? What do you call a device that both transmits and receives? Make sure you can name two types of antennas and the reason for choosing each type.

Page Virtual Ethernet Tunneling

Tunneling is a way to connect networks through a secure connection across a public network. The secure connection is called a virtual private network (VPN). Watch this video for more on tunneling and the mechanism of a VPN. What are encapsulation, tunneling, and authentication? Why is encryption important when sending data via a tunnel? What is the purpose of a split tunnel?

Book Risks Associated with BYOD

Under a "bring your own device" (BYOD) policy, an organization allows employees to use their own devices on the company network. While this can save the organization money and allow for more employee freedom, there are security risks associated with it. This article explains the principles of BYOD, some benefits of BYOD for an organization, and the many ways that BYOD can increase the risk to a company's data and information systems.

6.4: Network Protection Page Honeypots

Honeypots are decoys used to attract network attackers. Read pages 10 through 12 in this article to understand how honeypots are used to protect networks. When would you prefer to use a honeypot instead of an intrusion detection system (IDS)?

Page Honeypots and Honeynets

Read this brief article to understand how a honeynet is configured. What is the difference between a honeypot and a honeynet? What is the purpose of a honeynet?

Book Privacy Issues with Honeypots and Honeynets

This article discusses the legality of the data collected by honeypots and honeynets, and how they relate to liability and entrapment in US and EU law. After you read, you should be able to describe the four core elements of a honeynet and the issues associated with honeynets. How are honeypots classified according to their level of interaction and their purpose?

Page Network Sniffers

Read this article to learn about network sniffers and the reasons sniffers are used. How are network sniffers detected? What are two common network sniffers?

Page Wireless Sniffing

Recall that you learned about the perils of unencrypted wireless connections in a previous section. Watch this video to learn how a hacker can use a sniffer to intercept unencrypted traffic.

Page Packet Capturing Using tcpdump and Wireshark

A packet analyzer can be used to capture packets containing data. This video shows how simple it is to capture packets using the packet analyzer tcpdump and then view the data using Wireshark. Be sure to watch both videos. You only need to understand what is happening here; you will not be asked to capture packets using tcpdump or Wireshark.

6.5: Web Security Page Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS)

When watching this video, you will learn the difference between HTTP and HTTPS. How is text transmitted across the Internet using HTTP, and how is it transmitted using HTTPS? Which one is more secure?

Page Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

This video describes secure sockets layer (SSL) and transport layer security (TLS). After watching, you should be able to describe SSL and TLS and the purpose of each. What type of encryption is used? What is the relationship between SSL and TLS? What is the name of a well-known attack on TLS?

Page Domain Name System (DNS) and Domain Name System Security extensions (DNSSEC)

As you watch this video, pay attention to the descriptions of domain name system (DNS) and domain name system security extensions (DNSSEC). Why do we use domain names instead of internet protocol (IP) addresses? What is a fully qualified domain name (FQDN)? How does DNSSEC protect from forged DNS data, and what is used to provide this protection?

7.1: OS Hardening Page System Hardening

The only way to ensure a system is completely secure is to eliminate any connectivity and to place the system in a secure area. Since this defeats the purpose of resource connectivity, the next best thing is to harden the operating system (OS). Hardening the OS means to remove all vulnerabilities possible from the system. What can be removed, avoided, disabled, or configured to harden an OS? How can you harden your personal devices?

Page Classic Hardening on Servers

When hardening servers, there are some common techniques that should be observed. This video describes how to address the presence of things like telnet, tcpwrappers, and shadow passwords. What should you do when hardening a server?

Page Log Files and Unnecessary Services and Accounts

When hardening a system, it is important to set up logging and to monitor the log files. It is also important to remove or disable unnecessary accounts and services. As you watch this video, note how security can be enhanced with log files, and take note of the system logs that should be reviewed. How should logs be formatted to make viewing of anomalous activity easy? When hardening individual systems, what should be disabled and what should be protected?

Page Configuring Accounts

Once a user is authenticated and is allowed to access files on a system, how can limitations be placed on the tasks the user can perform? Permissions are granted so that one user may be able to read a file while another can read and edit the same file. Watch this video to understand how user and group settings in a Windows system are used to allow or disallow an authorized user access to files. What is the difference between a user and an administrator account? What is the difference between a power user, a standard user, and a guest account? Name some permissions a user may be given.

Page Why Patching Does Not Happen Sometimes

It can be costly for an organization to not have a regular patching schedule and ongoing updates. Even though patching an operating system (OS) is important, patching applications is just as important. Read this article to understand why organizations sometimes do not make patching a priority. Make note of why patching is important and the reasons why patching is often neglected.

Page Patching Can Be Hard

As you read in the previous section, there are many reasons why patching does not occur within an organization. One main reason for refusing to patch is that the patches may break the system. While reading, note how some organizations handle system patching to ensure patching does not break their production systems.

Page System Auditing

Read the section on access control assurance in this article to learn about system auditing. Auditing a system is important to verify that security policies are being followed. When reading, learn what auditing is and what should be audited on a system. What information can be tracked through system auditing? How should audit and log data be protected to ensure confidentiality and integrity?

7.2: OS Protection Methods Page What is Antivirus Software?

Antivirus software protects a system from becoming infected with a virus. This video discusses what antivirus software is, how it works, and how to use the software once it is installed on a system. How do antivirus applications find viruses on a system? Why is it important to update your antivirus software as updates are available? What does antivirus software do with infected files?

Page Antivirus Versus Antimalware

You learned about malware and about viruses in unit two and you should now understand the two terms. But what is the difference between antivirus and antimalware software? Do you need both types to secure your operating system (OS)? Read this article to learn why antimalware is needed and be able to explain why it is needed on systems today. What is meant by the term heuristics?

7.3: OS Firewalls Book Linux IPtables

Firewalls are tools that can protect an OS. Linux provides iptables and firewalld, which hold and manage the system's firewall rules. Essentially, iptables and firewalld are configured by the systems administrator to reject or accept traffic. While you are not expected to be able to configure a system, read this article to see how iptables can control incoming or outgoing traffic. Why does the order of the rules matter?

7.4: OS Security Tools Page How Scanners Work

Scanners detect vulnerabilities in systems, but how does a scanner find the vulnerabilities? Watch this video and be able to describe six steps in the scanning process. Do scanners exploit the vulnerabilities found in a system?

Page What is a Vulnerability Assessment?

A data breach can cause a loss of reputation as well as a financial impact to an organization. Assessing the vulnerabilities on a system before a breach happens can help to prevent one. Watch this video to learn what a vulnerability assessment is and why organizations need them. Be prepared to describe a vulnerability assessment in brief detail, including identifying vulnerabilities, the business impact, vulnerability scans, and the risk management strategy.

Page Vulnerability Assessment Using SCAP

OpenSCAP is a tool to find vulnerabilities and configuration errors on a Windows or a Linux system. SCAP, the Security Content Automation Protocol, is a set of security standards developed by the National Institute of Standards and Technology (NIST). The tool is installed on a computer system and run on that system to evaluate it for known vulnerabilities. You should understand the concept of OpenSCAP and how it checks vulnerabilities on a system. What are the limitations of OpenSCAP, and why does it have these limitations?

8.1: Intrusion Detection Systems (IDS) Page The Basics of Intrusion Detection Systems

Tools that monitor systems for malicious activity are called intrusion detection systems, or IDS. Read this article to learn the common components and functions of an IDS, and some kinds of IDS, like signature, anomaly, and rule-based. What is the difference between an IDS and an intrusion prevention system (IPS)? Obviously, network intrusion detection systems (NIDS) are installed on networks and host-based intrusion detection systems (HIDS) are installed on hosts. The purpose of NIDS and HIDS is similar; they both detect intrusions, but they operate differently. What does each one do?

Page Comparison of IDS and IPS

This video goes into more detail about intrusion detection systems (IDS) and intrusion prevention systems (IPS), the differences between an IPS and an IDS, and how signature-based and anomaly-based IDS function. You should be able to explain what true positives, false positives, true negatives, and false negatives are. When using a detection system, which type of response would be of the most concern? Pay attention to the differences between a network-based IDS and a host-based IDS. What is an IDPS? What is the correct placement of an IDS and an IPS? What are some weaknesses and limitations in IDS detection? How is packet fragmentation used to avoid detection by an IDS? What are the names of some of the IDS vendors?

Book Intrusion Detection Systems

The purpose of an intrusion detection system (IDS) is to protect the confidentiality, integrity, and availability of a system. Intrusion detection systems (IDS) are designed to detect specific issues, and are categorized as signature-based (SIDS) or anomaly-based (AIDS). IDS can be software or hardware. How do SIDS and AIDS detect malicious activity? What is the difference between the two? What are the four IDS evasion techniques discussed, and how do they evade an IDS?

Page Signature and Anomaly-based IDS

This video explains what an intrusion detection system (IDS) does in general terms. You will learn about two common techniques used by IDS to identify threats. What are these two common techniques, and how do they detect system attacks? Where can IDS software be placed on a small network, and where can it be placed to keep from slowing down systems on the network? What is a popular open-source IDS software? What are the two types of protection offered by IDS software?

Page Signature-based IDS

Read section 2 of this article to learn about signature-based intrusion detection systems (IDS). You should be able to explain what signature-based IDS detects on a system, as well as some advantages and disadvantages of the system. What is a popular signature-based network intrusion detection system?

Page Anomaly-based IDS

Anomaly-based intrusion detection systems (IDS) detect anomalies. This is different from signature detection, which matches patterns. While you read, try to explain how an anomaly is different from a signature. An anomaly-based IDS can be either host-based or network-based. When reading this article, note the explanation of host-based and network-based anomalies. What are some of the network anomalies? How would you define a static and a dynamic anomaly? What are the advantages and disadvantages of an anomaly-based IDS as compared to a signature-based IDS?

Page Rule-based IDS

Another type of intrusion detection system is a rule-based intrusion detection system (IDS). Read the section on intrusion detection systems, focusing on rule-based IDSes and how they function. What are two techniques used by rule-based IDSes? What are two downsides to a rule-based IDS?

Page Rule-based IDS Example

This video provides a good visual example of rules coded in a system. As you watch, you will see rule headers, Snort rules, and rule options. This example will help you to understand how a rule-based IDS describes an attack as a rule.

8.2: Network Intrusion Detection Systems (NIDS) Page Network Intrusion Detection

Read sections 22.4 and 22.4.1. What is the main idea behind network intrusion detection? What is the basis for network intrusion detection systems (NIDS)? What is the issue that occurs when NIDS has to reassemble TCP streams?

8.3: Host-based Intrusion Detection Systems (HIDS) Page Host-based Intrusion Detection Systems (HIDS)

The counterpart to network intrusion detection systems is host-based intrusion detection systems (HIDS). Pay attention to the description of a HIDS, the purpose of a HIDS, and what types of attacks a HIDS can detect. What are the types of HIDS, and what are they based on? What are three categories of measurement that can indicate an intrusion?

Book A Review of Intrusion Detection

By now, you have learned about host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS). Read this article on intrusion detection systems and note the strengths of HIDS and NIDS, and the overall pros and cons of intrusion detection systems.

8.4: Intrusion Prevention Systems (IPS) Page Intrusion Prevention System

Read the section on intrusion prevention in this article for an explanation of intrusion prevention systems (IPS). What are the main functions of an IPS?

8.5: System Information and Event Management (SIEM) Page Security Incident and Event Management (SIEM)

This video discusses some security information and event management (SIEM) tools. When reviewing this video, pay attention to the purpose of a SIEM and the difference between events and incidents when using a SIEM tool. What are some examples of SIEM tools?

Page Scanners

Vulnerability analysis is performed on systems to determine the weaknesses of a system. When watching this video on vulnerability analysis, pay attention to the benefits of a vulnerability scan and to some popular types of scanners such as Nessus and Retina.

Page Network Scans

Scans can be performed on networks as well. TCP, port, or host scans are performed depending on the type of data to be collected by the scan. While watching, you should learn the types of network scans and the purpose of each type of scan.

Page Web Application Scans

Web scanners are used to find vulnerabilities in websites to protect them from being hacked. A web application vulnerability scanner (WAVS) is used to scan websites. Are these scans white-, black-, or gray-box scanning? What are the two types of WAVS? After watching, you should have a general idea of how a WAVS scans for vulnerabilities. Pay attention to the description of cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.

Page Splunk for Security

Watch this video to get a basic understanding of the purpose for using Splunk. What output does Splunk produce that provides assistance to security personnel? What is the benefit of Splunk to security personnel?

9.1: Electronic Data Privacy Protection Page Data and Protecting the Right to Privacy

Maintaining and protecting privacy in information systems is an ethical as well as a legal issue. When individuals' private data is protected, the confidentiality tenet of the CIA triad is supported. Read this article about the balancing act between technology and privacy. Think about some of the ways that helpful technological advances may be invading your privacy. This article makes some good points about technology and the data trail that you may not have thought about previously.

Book The Right to Privacy

Privacy is protected by law in many countries and by international law. Read section 5.3, which discusses privacy rights and the laws that protect privacy. Make note of what is considered to be privacy and what is protected by the US Constitution, by the United Nations (UN), and by the European Union (EU).

9.2: Global Privacy Laws Page The Future of a Global Privacy Framework

This video discusses the challenges of protecting privacy as digital technology and artificial intelligence (AI) rapidly evolve. You will learn more about the European General Data Protection Regulation (GDPR) in a subsequent section, but after you watch this video you should be able to explain how the GDPR has affected privacy regulations around the world. Are there laws that parallel the GDPR in the United States or in other countries?

Book Privacy Policies in the Digital World

Depending on where you work or do business, there could be many privacy laws you should be aware of. This article discusses important privacy laws in the United States and the European Union's General Data Protection Regulation (GDPR). Note the different aspects that the US Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Children's Online Privacy Act (COPPA) of 2000, the California Consumer Privacy Act (CCPA), and the GDPR protect. How would you compare the GDPR to the CCPA?

File The US Privacy Act of 1974

Review this article on the US Privacy Act of 1974. Why has this privacy law been difficult to apply? Could that be related to the legislative history of the act? What are the objectives of the act, and what infamous scandal prompted the enactment of the act?

Page US Privacy Act and the EU Data Protection Directive

This article goes into more detail about the US Privacy Act of 1974. What protections does the act provide? Who is not protected under this act, as compared to the EU Data Protection Directive?

Page Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in the US in 1996 to protect individuals' health information. This video explains the history of the bill. What kinds of information are protected under the act? What are PHI and HITECH, and how is HITECH related to HIPAA? What is the role of information technology (IT) in protecting health information?

Page HIPAA Summary

This article gives a supplementary overview of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Pay attention to who is covered by HIPAA and the information protected by HIPAA. What technical safeguards must be in place when an organization collects private information covered by HIPAA?

Page European General Data Protection Regulation (GDPR)

The European Union General Data Protection Regulation (GDPR) is very complex, but this video breaks it down. Take note of the right to be forgotten and the exemptions to this rule.

Page Personal Data and Data Subjects in the GDPR

The European General Data Protection Regulation (GDPR) has affected how organizations protect personal data around the world. If an organization in any country wants to do business with another organization or with individuals in the European Union, then that organization must follow the rules of the GDPR. When watching this video, learn how personal data is defined by the GDPR, the categories of personal data that have special or extra restrictions, and why these restrictions were added to the GDPR. What is considered processed data under the GDPR, and who is responsible for the security of the data under the GDPR? Who is protected under the GDPR, and what are their rights?

Study Guide Book CS406 Study Guide
Course Feedback Survey URL Course Feedback Survey