Appendix B
Memory Tables Answer Key
Chapter 1
As part of determining how critical an asset is, you need to understand the following terms:
Maximum tolerable downtime (MTD): The maximum amount of time that an organization can tolerate a single resource or function being down. This is also referred to as maximum period time of disruption (MPTD).
Mean time to repair (MTTR): The average time required to repair a single failed component or device when a disaster or disruption occurs.
Mean time between failure (MTBF): The estimated amount of time a device will operate before a failure occurs. This amount is calculated by the device vendor. System reliability is increased by a higher MTBF and lower MTTR.
Recovery time objective (RTO): The time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences. RTO assumes that an acceptable period of downtime exists. RTO should be smaller than MTD.
Work recovery time (WRT): The amount of time that is needed to verify system and/or data integrity.
Recovery point objective (RPO): The maximum targeted period in which data might be lost from an IT service due to a major incident.
Table 1-3 Administrative (Management) Controls
Administrative (Management) Controls |
Compensative |
Corrective |
Detective |
Deterrent |
Directive |
Preventive |
Recovery |
|---|---|---|---|---|---|---|---|
Personnel procedures |
|
|
|
|
|
X |
|
Security policies |
|
|
|
X |
X |
X |
|
Monitoring |
|
|
X |
|
|
|
|
Separation of duties |
|
|
|
|
|
X |
|
Job rotation |
X |
|
X |
|
|
|
|
Information classification |
|
|
|
|
|
X |
|
Security awareness training |
|
|
|
|
|
X |
|
Investigations |
|
|
X |
|
|
|
|
Disaster recovery plan |
|
|
|
|
|
X |
X |
Security reviews |
|
|
X |
|
|
|
|
Background checks |
|
|
X |
|
|
|
|
Termination |
|
X |
|
|
|
|
|
Supervision |
X |
|
|
|
|
|
|
Table 1-4 Logical (Technical) Controls
Logical (Technical) Controls |
Compensative |
Corrective |
Detective |
Deterrent |
Directive |
Preventive |
Recovery |
|---|---|---|---|---|---|---|---|
Password |
|
|
|
|
|
X |
|
Biometrics |
|
|
|
|
|
X |
|
Smart cards |
|
|
|
|
|
X |
|
Encryption |
|
|
|
|
|
X |
|
Protocols |
|
|
|
|
|
X |
|
Firewalls |
|
|
|
|
|
X |
|
IDS |
|
|
X |
|
|
|
|
IPS |
|
|
|
|
|
X |
|
Access control lists |
|
|
|
|
|
X |
|
Routers |
|
|
|
|
|
X |
|
Auditing |
|
|
X |
|
|
|
|
Monitoring |
|
|
X |
|
|
|
|
Data backups |
|
|
|
|
|
|
X |
Antivirus software |
|
|
|
|
|
X |
|
Configuration standards |
|
|
|
|
X |
|
|
Warning banners |
|
|
|
X |
|
|
|
Connection isolation and termination |
|
X |
|
|
|
|
|
Table 1-5 Physical Controls
Physical (Technical) Controls |
Compensative |
Corrective |
Detective |
Deterrent |
Directive |
Preventive |
Recovery |
|---|---|---|---|---|---|---|---|
Fencing |
|
|
|
X |
|
X |
|
Locks |
|
|
|
|
|
X |
|
Guards |
|
|
X |
|
|
X |
|
Fire extinguisher |
|
X |
|
|
|
|
|
Badges |
|
|
|
|
|
X |
|
Swipe cards |
|
|
|
|
|
X |
|
Dogs |
|
|
X |
|
|
X |
|
Man traps |
|
|
|
|
|
X |
|
Biometrics |
|
|
|
|
|
X |
|
Lighting |
|
|
|
X |
|
|
|
Motion detectors |
|
|
X |
|
|
|
|
CCTV |
X |
|
X |
|
|
X |
|
Data backups |
|
|
|
|
|
|
X |
Antivirus software |
|
|
|
|
|
X |
|
Configuration standards |
|
|
|
|
X |
|
|
Warning banner |
|
|
|
X |
|
|
|
Hot, warm, and cold sites |
|
|
|
|
|
|
X |
Chapter 2
Determining the impact from a loss of confidentiality of PII should take into account relevant factors including
Identifiability: How easily PII can be used to identify specific individuals
Quantity of PII: How many individuals are identified in the information
Data field sensitivity: The sensitivity of each individual PII data field, as well as the sensitivity of the PII data fields together
Context of use: The purpose for which PII is collected, stored, used, processed, disclosed, or disseminated
Obligation to protect confidentiality: The laws, regulations, standards, and operating practices that dictate an organization’s responsibility for protecting PII
Access to and location of PII: The nature of authorized access to PII
When working with relational database management systems (RDBMSs), you should understand the following terms:
Relation: A fundamental entity in a relational database in the form of a table.
Tuple: A row in a table.
Attribute: A column in a table.
Schema: Description of a relational database.
Record: A collection of related data items.
Base relation: In SQL, a relation that is actually existent in the database.
View: The set of data available to a given user. Security is enforced through the use of views.
Degree: The number of columns in a table.
Cardinality: The number of rows in a relation.
Domain: The set of allowable values that an attribute can take.
Primary key: Columns that make each row unique.
Foreign key: An attribute in one relation that has values matching the primary key in another relation. Matches between the foreign key and the primary key are important because they represent references from one relation to another and establish the connection among these relations.
Candidate key: An attribute in one relation that has values matching the primary key in another relation.
Referential integrity: Requires that for any foreign key attribute, the referenced relation must have a tuple with the same value for its primary key.
Chapter 3
Table 3-13 Symmetric Algorithm Strengths and Weaknesses
Strengths |
Weaknesses |
|---|---|
1,000 to 10,000 times faster than asymmetric algorithms |
Number of unique keys needed can cause key management issues |
Hard to break |
Secure key distribution critical |
Cheaper to implement than asymmetric |
Key compromise occurs if one party is compromised, thereby allowing impersonation |
Table 3-14 Asymmetric Algorithm Strengths and Weaknesses
Strengths |
Weaknesses |
|---|---|
Key distribution is easier and more manageable than with symmetric algorithms. |
More expensive to implement than symmetric algorithms. |
Key management is easier because the same public key is used by all parties. |
1,000 to 10,000 times slower than symmetric algorithms. |
Table 3-15 Symmetric Algorithms Key Facts
Algorithm Name |
Block or Stream Cipher? |
Key Size |
Number of Rounds |
Block Size |
|---|---|---|---|---|
DES |
Block |
64 bits (effective length 56 bits) |
16 |
64 bits |
3DES |
Block |
56, 112, or 168 bits |
48 |
64 bits |
AES |
Block |
128, 192, or 256 bits |
10, 12, or 14 (depending on block/key size) |
128, 192, or 256 bits |
IDEA |
Block |
128 bits |
8 |
64 bits |
Skipjack |
Block |
80 bits |
32 |
64 bits |
Blowfish |
Block |
32–448 bits |
16 |
64 bits |
Twofish |
Block |
128, 192, or 256 bits |
16 |
128 bits |
RC4 |
Stream |
40–2,048 bits |
Up to 256 |
N/A |
RC5 |
Block |
Up to 2,048 |
Up to 255 |
32, 64, or 128 bits |
RC6 |
Block |
Up to 2,048 |
Up to 255 |
32, 64, or 128 bits |
RC7 |
Block |
Up to 2,048 |
Up to 255 |
256 bits |
Table 3-16 Protection Requirements for Cryptographic Keys
Key Type |
Security Service |
Security Protection |
Period of Protection |
|---|---|---|---|
Private signature key |
Source authentication Integrity authentication Support nonrepudiation |
Integrity Confidentiality |
From generation until the end of the cryptoperiod |
Public signature verification key |
Source authentication Integrity authentication Support nonrepudiation |
Integrity |
From generation until no protected data needs to be verified |
Symmetric authentication key |
Source authentication Integrity authentication |
Integrity Confidentiality |
From generation until no protected data needs to be verified |
Private authentication key |
Source authentication Integrity authentication |
Integrity Confidentiality |
From generation until the end of the cryptoperiod |
Public authentication key |
Source authentication Integrity authentication |
Integrity |
From generation until no protected data needs to be authenticated |
Symmetric data encryption/decryption key |
Confidentiality |
Integrity Confidentiality |
From generation until the end of the lifetime of the data or the end of the cryptoperiod, whichever comes later |
Symmetric key-wrapping key |
Support |
Integrity Confidentiality |
From generation until the end of the cryptoperiod or until no wrapped keys require protection, whichever is later |
Symmetric RBG key |
Support |
Integrity Confidentiality |
From generation until replaced |
Symmetric master key |
Support |
Integrity Confidentiality |
From generation until the end of the cryptoperiod or the end of the lifetime of the derived keys, whichever is later |
Private key-transport key |
Support |
Integrity Confidentiality |
From generation until the end of the period of protection for all transported keys |
Public key-transport key |
Support |
Integrity |
From generation until the end of the cryptoperiod |
Symmetric key-agreement key |
Support |
Integrity Confidentiality |
From generation until the end of the cryptoperiod or until no longer needed to determine a key, whichever is later |
Private static key-agreement key |
Support |
Integrity Confidentiality |
From generation until the end of the cryptoperiod or until no longer needed to determine a key, whichever is later |
Public static key-agreement key |
Support |
Integrity |
From generation until the end of the cryptoperiod or until no longer needed to determine a key, whichever is later |
Private ephemeral key-agreement key |
Support |
Integrity Confidentiality |
From generation until the end of the key-agreement process; after the end of the process, the key is destroyed |
Public ephemeral key-agreement key |
Support |
Integrity |
From generation until the key-agreement process is complete |
Symmetric authorization key |
Authorization |
Integrity Confidentiality |
From generation until the end of the cryptoperiod of the key |
Private authorization key |
Authorization |
Integrity Confidentiality |
From generation until the end of the cryptoperiod of the key |
Public authorization key |
Authorization |
Integrity |
From generation until the end of the cryptoperiod of the key |
Chapter 4
Table 4-1 Common TCP/UDP Port Numbers
Application Protocol |
Transport Protocol |
Port Number |
|---|---|---|
Telnet |
TCP |
23 |
SMTP |
UDP |
25 |
HTTP |
TCP |
80 |
SNMP |
TCP and UDP |
161 and 162 |
FTP |
TCP and UDP |
20 and 21 |
FTPS |
TCP |
989 and 990 |
SFTP |
TCP |
22 |
TFTP |
UDP |
69 |
POP3 |
TCP and UDP |
110 |
DNS |
TCP and UDP |
53 |
DHCP |
UDP |
67 and 68 |
SSH |
TCP |
22 |
LDAP |
TCP and UDP |
389 |
NetBIOS |
TCP and UDP |
137 (TCP), 138 (TCP), and 139 (UDP) |
CIFS/SMB |
TCP |
445 |
NFSv4 |
TCP |
2049 |
SIP |
TCP and UDP |
5060 |
XMPP |
TCP |
5222 |
IRC |
TCP and UDP |
194 |
RADIUS |
TCP and UDP |
1812 and 1813 |
rlogin |
TCP |
513 |
rsh and RCP |
TCP |
514 |
IMAP |
TCP |
143 |
HTTPS |
TCP and UDP |
443 |
RDP |
TCP and UDP |
3389 |
AFP over TCP |
TCP |
548 |
Table 4-2 Classful IP Addressing
Class |
Range |
Mask |
Initial Bit Pattern of First Octet |
Network/Host Division |
|---|---|---|---|---|
Class A |
0.0.0.0–127.255.255.255 |
255.0.0.0 |
01 |
net.host.host.host |
Class B |
128.0.0.0–191.255.255.255 |
255.255.0.0 |
10 |
net.net.host.host |
Class C |
192.0.0.0–223.255.255.255 |
255.255.255.0 |
11 |
net.net.net.host |
Class D |
224.0.0.0–239.255.255.255 |
Used for multicasting |
|
|
Class E |
240.0.0.0–255.255.255.255 |
Reserved for research |
|
|
Table 4-3 Private IP Address Ranges
Class |
Range |
|---|---|
Class A |
10.0.0.0–10.255.255.255 |
Class B |
172.16.0.0–172.31.255.255 |
Class C |
192.168.0.0–192.168.255.255 |
Table 4-4 Differences Between IPv4 and IPv6 (Adapted from NIST SP 800-119)
Property |
IPv4 |
IPv6 |
|---|---|---|
Address size and network size |
32 bits, network size 8–30 bits |
128 bits, network size 64 bits |
Packet header size |
20–60 bytes |
40 bytes |
Header-level extension |
Limited number of small IP options |
Unlimited number of IPv6 extension headers |
Fragmentation |
Sender or any intermediate router allowed to fragment |
Only sender may fragment |
Control protocols |
Mixture of non-IP (ARP), ICMP, and other protocols |
All control protocols based on ICMPv6 |
Minimum allowed MTU |
576 bytes |
1280 bytes |
Path MTU discovery |
Optional, not widely used |
Strongly recommended |
Address assignment |
Usually one address per host |
Usually multiple addresses per interface |
Address types |
Use of unicast, multicast, and broadcast address types |
Broadcast addressing no longer used; use of unicast, multicast, and anycast address types |
Address configuration |
Devices configured manually or with host configuration protocols like DHCP |
Devices configure themselves independently using stateless address autoconfiguration (SLAAC) or use DHCP |
Table 4-6 WPA and WPA2
Variant |
Access Control |
Encryption |
Integrity |
|---|---|---|---|
WPA Personal |
Preshared key |
TKIP |
Michael |
WPA Enterprise |
802.1X (RADIUS) |
TKIP |
Michael |
WPA2 Personal |
Preshared key |
CCMP, AES |
CCMP |
WPA2 Enterprise |
802.1X (RADIUS) |
CCMP, AES |
CCMP |
Table 4-7 EAP Type Comparison
802.1X EAP Types Feature/Benefit |
MD5 |
TLS |
TTLS |
FAST |
LEAP |
PEAP |
|---|---|---|---|---|---|---|
Client-side certificate required |
No |
Yes |
No |
No (PAC) |
No |
No |
Server-side certificate required |
No |
Yes |
No |
No (PAC) |
No |
Yes |
WEP key management |
No |
Yes |
Yes |
Yes |
Yes |
Yes |
Rogue AP detection |
No |
No |
No |
Yes |
Yes |
No |
Provider |
MS |
MS |
Funk |
Cisco |
Cisco |
MS |
Authentication attributes |
One way |
Mutual |
Mutual |
Mutual |
Mutual |
Mutual |
Deployment difficulty |
Easy |
Difficult (because of client certificate deployment) |
Moderate |
Moderate |
Moderate |
Moderate |
Wi-Fi security |
Poor |
Very high |
High |
High |
High when strong protocols are used |
High |
Chapter 5
When considering biometric technologies, security professionals should understand the following terms:
Enrollment time: The process of obtaining the sample that is used by the biometric system. This process requires actions that must be repeated several times.
Feature extraction: The approach to obtaining biometric information from a collected sample of a user’s physiological or behavioral characteristics.
Accuracy: The most important characteristic of biometric systems. It is how correct the overall readings will be.
Throughput rate: The rate at which the biometric system will be able to scan characteristics and complete the analysis to permit or deny access. The acceptable rate is 6–10 subjects per minute. A single user should be able to complete the process in 5–10 seconds.
Acceptability: Describes the likelihood that users will accept and follow the system.
False rejection rate (FRR): A measurement of valid users that will be falsely rejected by the system. This is called a Type I error.
False acceptance rate (FAR): A measurement of the percentage of invalid users that will be falsely accepted by the system. This is called a Type II error. Type II errors are more dangerous than Type I errors.
Crossover error rate (CER): The point at which FRR equals FAR. Expressed as a percentage, this is the most important metric.
Chapter 6
Vulnerability assessments usually fall into one of three categories:
Personnel testing: Reviews standard practices and procedures that users follow.
Physical testing: Reviews facility and perimeter protections.
System and network testing: Reviews systems, devices, and network topology.
Network discovery tools can perform the following types of scans:
TCP SYN scan: Sends a packet to each scanned port with the SYN flag set. If a response is received with the SYN and ACK flags set, the port is open.
TCP ACK scan: Sends a packet to each port with the ACK flag set. If no response is received, then the port is marked as filtered. If an RST response is received, then the port is marked as unfiltered.
Xmas scan: Sends a packet with the FIN, PSH, and URG flags set. If the port is open, there is no response. If the port is closed, the target responds with an RST/ACK packet.
Table 6-1 Server-Based vs. Agent-Based Scanning
Type |
Technology |
Characteristics |
|---|---|---|
Agent-based |
Pull technology |
Can get information from disconnected machines or machines in the DMZ Ideal for remote locations that have limited bandwidth Less dependent on network connectivity Based on policies defined in the central console |
Server-based |
Push technology |
Good for networks with plentiful bandwidth Dependent on network connectivity Central authority does all the scanning and deployment |
Chapter 7
The following types of media analysis can be used:
Disk imaging: Creates an exact image of the contents of the hard drive.
Slack space analysis: Analyzes the slack (marked as empty or reusable) space on the drive to see whether any old (marked for deletion) data can be retrieved.
Content analysis: Analyzes the contents of the drive and gives a report detailing the types of data by percentage.
Steganography analysis: Analyzes the files on a drive to see whether the files have been altered or to discover the encryption used on the file.
Software analysis techniques include the following:
Content analysis: Analyzes the content of software, particularly malware, to determine for which purpose the software was created.
Reverse engineering: Retrieves the source code of a program to study how the program performs certain operations.
Author identification: Attempts to determine the software’s author.
Context analysis: Analyzes the environment the software was found in to discover clues to determining risk.
Network analysis techniques include the following:
Communications analysis: Analyzes communication over a network by capturing all or part of the communication and searching for particular types of activity.
Log analysis: Analyzes network traffic logs.
Path tracing: Traces the path of a particular traffic packet or traffic type to discover the route used by the attacker.
Table 7-1 RAID Levels
RAID Level |
Min. Number of Drives |
Description |
Strengths |
Weaknesses |
|---|---|---|---|---|
RAID 0 |
2 |
Data striping without redundancy |
Highest performance |
No data protection; one drive fails, all data is lost |
RAID 1 |
2 |
Disk mirroring |
Very high performance; very high data protection; very minimal penalty on write performance |
High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required |
RAID 3 |
3 |
Byte-level data striping with dedicated parity drive |
Excellent performance for large, sequential data requests |
Not well suited for transaction-oriented network applications; single parity drive does not support multiple, simultaneous read and write requests |
RAID 5 |
3 |
Block-level data striping with distributed parity |
Best cost/performance for transaction-oriented networks; very high performance, very high data protection; supports multiple simultaneous reads and writes; can also be optimized for large, sequential requests |
Write performance is slower than RAID 0 or RAID 1 |
RAID 10 |
4 |
Disk mirroring with striping |
Same fault tolerance as RAID 1; same overhead as with mirroring; provides high I/O rates; can sustain multiple simultaneous drive failures |
Very expensive; all drives must move in parallel to properly track, which reduces sustained performance; very limited scalability at a very high cost |