Category: Security & Privacy

  • Packet Switching / WAN Technology

    • X.25: Defines communication between DTE and DCE devices.
    • Switched multimegabit data services (SMDS):
      • A connectionless protocol that can provide bandwidth for exchanging large amounts of data.
      • A connectionless, high-speed, datagram-based WAN technology for communication over public data networks.
    • Frame Relay: Forwards packets to their destinations and doesn’t unpack frames at each node.
    • Link access procedure balanced (LAPB): Ensures that frames are correctly sequenced and error free.
    • Asynchronous transfer mode (ATM):
      • Transmits data in fixed-size 53-byte cells and can provide bandwidth on demand.
      • Connection-oriented switching technology that uses a cell-switching method.
    • Synchronous data link control (SDLC): A bit-oriented synchronous protocol.
    • High level data link control (HDLC): A bit-oriented data link protocol.
    • Switching: A virtual connection that acts like a dedicated link between the sender and the receiver devices.
    • Password authentication protocol (PAP): Uses an authentication server to compare supplied credentials against stored credentials.
    • Challenge handshake authentication protocol (CHAP): Enables user authentication without revealing the shared password between the two entities.
    • Extensible Authentication Protocol (EAP): Works directly at the data link layer.
    • Point-to-point protocol (PPP): Supports asynchronous and synchronous connections and network protocol multiplexing.
    • Serial Line Internet Protocol (SLIP): Frames datagrams for transmission but doesn’t provide error detection or data compression.
  • Change management process

    1. Submit the change
    2. Approve the change
    3. Document the change
    4. Test the change
    5. Implement the change
    6. Report the change
  • Reconnaissance Methods

    • FIN Scan: Uses an IP-based server’s error-handling mechanism against it.
    • Operating System (OS) Identification: Uses an operating system’s weaknesses to obtain valuable information.
    • Port sweep: Bombards a server’s IP address with packets to identify active services.
    • Evasive sweep: Identifies a server’s systems and services without ever completely connecting to it.
  • Components of a basic information system architecture

    • Network architecture
    • Protection mechanisms
    • Platform architecture
    • Security Models
    • Enterprise architecture
  • Security Models

    Address security, integrity and information flow:

    • Graham-Denning: Defines the commands that a subject can execute to create or delete an object.
    • Noninterference: Prevents covert channels and interference attacks.
    • Brewer & Nash

    Address security and integrity:

    Further descriptions:

    • Lipner: Was the first security model to separate objects into data and programs.
    • Harrison-Ruzzo-Ullman: Comprised of generic rights and a small set of commands.
  • Operating System States

    • Supervisory: A system routine, or highly privileged routine, is being executed by the system.
    • Ready: Processing can be resumed for an application.
    • Wait: A specific event must be completed before another process resumes.
    • Problem: An application is being run by the system. (Needs review.)
  • Control Objectives for Information and Related Technology (COBIT)

    • Can be used as the basis for internal and external security audits.
    • Determines the security mechanisms to be implemented for a system.
  • ISO / IEC 27001:2005

    • Can be used for certifying a company’s ISMS and making comparisons to other companies’ ISMSs.
    • Defines a company’s ISMS and how it’s structured, controlled, run, and maintained.
  • ISO / IEC 27002

    • Defines the way in which security mechanisms should be run.
    • Provides guidelines for ensuring that security controls are consistent with industry best practices.
  • Information Technology Security Evaluation Criteria (ITSEC)

    Information Technology Security Evaluation Criteria (ITSEC) evaluates assurance by reviewing the development practices, documentation, configuration management and testing mechanisms of a system. It also provides separate ratings for functionality and assurance.