18. Exam Essentials for Incidents and Ethics

Computer crime is a crime that is directed against, or directly involves, a computer.

Computer crimes are grouped into six categories: military, business, financial, terrorist, grudge, and thrill.

As soon as you discover an incident, you must begin to collect evidence and as much information about the incident as possible. The evidence should be treated in a way that allows it to be legally used in court. Evidence collection can also assist you in determining the extent of the damage.

Incidents should be defined in your security policy. Even though specific incidents may not be outlined, the existence of the policy sets the standard for the use of your system. An incident is any event that has a negative outcome affecting the confidentiality, integrity, or availability of an organization’s data.

An incident occurs when an attack or other violation of your security policy is carried out against your system. Incidents can be grouped into four categories: scanning, compromises, malicious code, and DoS/DDoS.

Attacks will generate some activity that is not normal. Recognizing abnormal and suspicious activity is the first step toward detecting incidents.

You must have possession of equipment, software, or data to analyze it and use it as evidence. You must acquire the evidence without modifying it or allowing anyone else to modify it.

There are three basic alternatives for confiscating evidence. First, the person who owns the evidence could voluntarily surrender it. Second, a subpoena could be used to compel the subject to surrender the evidence. Third, a search warrant is most useful when you need to confiscate evidence without giving the subject an opportunity to alter it.

Use logging and retain the logs for a reasonable amount of time, since it may take some time to realize that an incident has occurred.

Establish a working relationship with the corporate and law enforcement personnel with whom you will work to resolve an incident. When you have a need to report an incident, gather as much descriptive information as possible and make your report in a timely manner.

To be admissible, evidence must be relevant to a fact at issue in the case, the fact must be material to the case, and the evidence must be competent or legally collected.

Real evidence consists of actual objects that can be brought into the courtroom. Documentary evidence consists of written documents that provide insight into the facts. Testimonial evidence consists of verbal or written statements made by witnesses.

Security practitioners are granted a very high level of authority and responsibility to execute their job functions. The potential for abuse exists, and without a strict code of personal behaviour, security practitioners could be regarded as having unchecked power. Adherence to a code of ethics helps ensure that such power is not abused.

RFC 1087 addresses ethics, and (ISC)² has a code of ethics that CISSP candidates must subscribe to.

17. Exam Essentials for Laws, Regulations, and Compliance

The differences between criminal law, civil law, and administrative law are:
Criminal law protects society against acts that violate the basic principles we believe in. Violations of criminal law are prosecuted by federal and state governments.

Civil law provides the framework for the transaction of business between people and organizations.

Violations of civil law are brought to the court and argued by the two affected parties. Administrative law is used by government agencies to effectively carry out their day-to-day business.

The Computer Fraud and Abuse Act protects computers used by the government or in interstate commerce from a variety of abuses. The Computer Security Act outlines steps the government must take to protect its own systems from attack. The Government Information Security Reform Act further develops the federal government information security program.

Copyrights protect original works of authorship, such as books, articles, poems, and songs. Trademarks are names, slogans, and logos that identify a company, product, or service. Patents provide protection to the creators of new inventions. Trade secret law protects the operating secrets of a firm.

The Digital Millennium Copyright Act prohibits the circumvention of copy protection mechanisms placed in digital media and limits the liability of Internet service providers for the activities of their users.

The Economic Espionage Act provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply when the individual knows that the information will benefit a foreign government.

Contractual license agreements are written agreements between a software vendor and user. Shrink-wrap agreements are written on software packaging and take effect when a user opens the package. Click-wrap agreements are included in a package but require the user to accept the terms during the software installation process.

The Uniform Computer Information Transactions Act provides a framework for the enforcement of shrink-wrap and click-wrap agreements by federal and state governments.

No high-performance computers or encryption technology may be exported to tier 4 countries. The export of hardware capable of operating in excess of 0.75 weighted teraflops to tier 3 countries must be approved by the Department of Commerce. New rules permit the easy exporting of “mass market” encryption software.

The United States has a number of privacy laws that affect the government’s use of information as well as the use of information by specific industries, such as financial services companies and health-care organizations that handle sensitive information. The EU has a more comprehensive directive on data privacy that regulates the use and exchange of personal information.

Most organizations are subject to a wide variety of legal and regulatory requirements related to information security. Building a compliance program ensures that you become and remain compliant with these often overlapping requirements.

The expanded use of cloud services by many organizations requires added attention to conducting reviews of information security controls during the vendor selection process and as part of ongoing vendor governance.

16. Exam Essentials for Disaster Recovery Planning

Natural disasters that commonly threaten organizations include earthquakes, floods, storms, fires, tsunamis, and volcanic eruptions.

Explosions, electrical fires, terrorist acts, power outages, other utility failures, infrastructure failures, hardware/software failures, labor difficulties, theft, and vandalism are all common man-made disasters.

The common types of recovery facilities are cold sites, warm sites, hot sites, mobile sites, service bureaus, and multiple sites. Be sure you understand the benefits and drawbacks of each such facility. The more capable the facility, the more expensive it is.

Mutual assistance agreements (MAAs) provide an inexpensive alternative to disaster recovery sites, but they are not commonly used because they are difficult to enforce. Organizations participating in an MAA may also be shut down by the same disaster, and MAAs raise confidentiality concerns.

Databases benefit from three backup technologies. Electronic vaulting is used to transfer database backups to a remote site as part of a bulk transfer. In remote journaling, data transfers occur on a more frequent basis. With remote mirroring technology, database transactions are mirrored at the backup site in real time.

The five types of disaster recovery plan tests are:

  1. Checklist tests
  2. Structured walk-throughs
  3. Simulation tests
  4. Parallel tests
  5. Full-interruption tests

Checklist tests are purely paperwork exercises, whereas structured walk-throughs involve a project team meeting. Neither has an impact on business operations. Simulation tests may shut down noncritical business units. Parallel tests involve relocating personnel but do not affect day-to-day operations. Full-interruption tests involve shutting down primary systems and shifting responsibility to the recovery facility.

15. Exam Essentials for Business Continuity Planning

Business continuity planning involves four distinct phases: project scope and planning, business impact assessment, continuity planning, and approval and implementation. Each task contributes to the overall goal of ensuring that business operations continue uninterrupted in the face of an emergency situation.

In the business organization analysis, the individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This analysis is used as the foundation for BCP team selection and, after validation by the BCP team, is used to guide the next stages of BCP development.

The BCP team should contain, at a minimum, representatives from each of the operational and support departments; technical experts from the IT department; security personnel with BCP skills; legal representatives familiar with corporate legal, regulatory, and contractual responsibilities; and representatives from senior management. Additional team members depend on the structure and nature of the organization.

Business leaders must exercise due diligence to ensure that shareholders’ interests are protected in the event disaster strikes. Some industries are also subject to federal, state, and local regulations that mandate specific BCP procedures. Many businesses also have contractual obligations to their clients that must be met, before and after a disaster.

The five steps of the business impact assessment process are identification of priorities, risk identification, likelihood assessment, impact assessment, and resource prioritization.

During the strategy development phase, the BCP team determines which risks will be mitigated. In the provisions and processes phase, mechanisms and procedures that will mitigate the risks are designed. The plan must be approved by senior management and implemented. Personnel must also receive training on their roles in the BCP process.

Committing the plan to writing provides the organization with a written record of the procedures to follow when disaster strikes. It prevents the “it’s in my head” syndrome and ensures the orderly progress of events in an emergency.

14. Exam Essentials for Incident Management

Incident response steps are specifically listed in the CIB as:

  1. Detection
  2. Response
  3. Reporting
  4. Recovery
  5. Remediation and Review

Once an incident is detected, the first response should be to limit or contain the scope of the incident while protecting evidence. Based on governing laws, the incident may need to be reported to official authorities, and if PII is affected, individuals need to be informed. The remediation and review stage includes root cause analysis to determine the cause and recommend a solution to prevent recurrence.

Basic preventive measures can prevent many incidents from occurring, and they are repeated often: keeping systems up to date, removing or disabling unneeded protocols and services, using antivirus software, enabling firewalls, and using IDSs.

Malicious code is thwarted with a combination of tools. Updated antivirus software is the primary tool, deployed on each system, at the network boundary, and on email servers.

Don’t forget about policies enforcing basic security principles such as least privilege to prevent regular users from installing software that may be malicious. Additionally, educating users about the risks and the methods attackers commonly use to spread viruses helps them understand and avoid dangerous behaviors.

A zero-day exploit is an attack that uses a vulnerability that is either unknown to anyone but the attacker or known only to a limited group of people. On the surface, it sounds like you can’t protect against an unknown vulnerability, but basic security practices go a long way toward preventing zero-day exploits. Removing or disabling unneeded protocols and services reduces the attack surface, enabling firewalls blocks many access points, and using intrusion detection systems helps detect potential attacks. Additionally, using tools such as honeypots and padded cells helps protect live networks.

DoS attacks prevent a system from responding to legitimate requests for service. A common DoS attack still used is the SYN flood attack, which disrupts the TCP three-way handshake. Even though older attacks are not as common today because basic precautions block them, you may still be tested on them because many newer attacks are often variations on older methods. Smurf attacks employ an amplification network to send numerous response packets to a victim. Ping-of-death attacks send numerous oversized ping packets to the victim, causing the victim to freeze, crash, or reboot.

Botnets represent significant threats due to the massive number of computers that can launch attacks, so it’s important to know what they are.

A botnet is a collection of compromised PCs organized in a network controlled by a criminal known as a bot herder. Bot herders use a command and control server to remotely control the zombies and often use the botnet to launch attacks on other systems or send spam or phishing emails. Bot herders also rent botnet access out to other criminals.

A man-in-the-middle attack occurs when a malicious user is able to gain a position between the two endpoints of a communications link. While it takes a significant amount of sophistication on the part of an attacker to complete a man-in-the-middle attack, the amount of data obtained from the attack can be significant.

Malicious insiders can perform sabotage against an organization if they become disgruntled for some reason. Espionage is when a competitor tries to steal information, and they may use an internal employee. Basic security principles and immediately disabling accounts for terminated employees limit the damage from these employees.

IDSs and IPSs are important detective and preventive measures against attacks.

Knowledge-based detection uses a database of known attack signatures; behavior-based detection uses a baseline of normal activity and flags deviations from it.

An IDS can respond passively by logging and sending notifications, or actively by changing the environment. Some people refer to an active IDS as an IPS, but it’s important to recognize that an IPS is placed in line with the traffic and includes the ability to block malicious traffic before it reaches the target.

HIDS can monitor activity on a single system only and can be discovered by attackers and disabled. NIDS can monitor activity on a network and aren’t as visible to attackers.
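To make the knowledge-based versus behavior-based distinction concrete, here is an added example (not from the original notes) that runs both approaches over constructed access-log lines: a tiny signature database catches an injection attempt that looks statistically normal, while a baseline of per-source request volume catches a scanner that trips no signature. Host addresses, paths, and the log lines themselves are constructed for the demonstration.

```python
import re
import statistics
from collections import Counter

# Knowledge-based side: a (tiny) signature database of known-bad request patterns.
# Real products ship thousands of signatures; the mechanism is the same.
SIGNATURES = {
    "sql-injection": re.compile(r"'(?:%20|\s)+or(?:%20|\s)+'", re.IGNORECASE),
    "path-traversal": re.compile(r"(?:\.\./){2,}"),
}

# Common log format (Apache/nginx access logs); only the fields we need are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)


def _line(ip, path, sec):
    """Build one constructed access-log line (hypothetical hosts and paths)."""
    return f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed "clean" window used to learn what normal traffic looks like.
TRAINING_LOG = "\n".join([
    _line("10.0.0.5", "/index.html", 1), _line("10.0.0.5", "/about.html", 2),
    _line("10.0.0.5", "/contact.html", 3), _line("10.0.0.7", "/index.html", 4),
    _line("10.0.0.7", "/news.html", 5), _line("10.0.0.8", "/index.html", 6),
    _line("10.0.0.8", "/about.html", 7), _line("10.0.0.8", "/news.html", 8),
    _line("10.0.0.11", "/index.html", 9), _line("10.0.0.11", "/contact.html", 10),
])

# Constructed monitored window: normal users, one injection attempt from 10.0.0.9,
# and a scanner at 10.0.0.42 that requests many unusual paths but trips no signature.
MONITOR_LOG = "\n".join(
    [_line("10.0.0.5", "/index.html", 11), _line("10.0.0.5", "/about.html", 12),
     _line("10.0.0.5", "/news.html", 13), _line("10.0.0.7", "/index.html", 14),
     _line("10.0.0.7", "/contact.html", 15),
     _line("10.0.0.9", "/login?user=admin'%20OR%20'1'='1", 16)]
    + [_line("10.0.0.42", f"/probe{i}/", 20 + i) for i in range(12)]
)


def parse(log_text):
    """Parse access-log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def knowledge_based(events):
    """Signature matching: report (source, signature-name) for each known pattern seen."""
    hits = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["req"]):
                hits.append((ev["ip"], name))
    return hits


def build_baseline(training_events):
    """Behavior-based side: summarise per-source request volume seen in a clean window."""
    per_source = Counter(ev["ip"] for ev in training_events)
    volumes = list(per_source.values())
    return {"mean": statistics.mean(volumes), "stdev": statistics.pstdev(volumes)}


def behavior_based(events, baseline, k=3.0):
    """Anomaly detection: flag sources whose volume exceeds mean + k*stdev of the baseline.
    The stdev floor of 1.0 stops a very uniform baseline from flagging everything."""
    threshold = baseline["mean"] + k * max(baseline["stdev"], 1.0)
    per_source = Counter(ev["ip"] for ev in events)
    return sorted(ip for ip, volume in per_source.items() if volume > threshold)


def run_both():
    """Each approach catches what the other misses."""
    monitored = parse(MONITOR_LOG)
    baseline = build_baseline(parse(TRAINING_LOG))
    return {"signature_hits": knowledge_based(monitored),
            "anomalous_sources": behavior_based(monitored, baseline)}


if __name__ == "__main__":
    print(run_both())
```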

A honeypot is a system that often uses pseudo flaws and fake data to lure intruders. Administrators can observe the activity of attackers while they are in the honeypot, and as long as attackers are in the honeypot, they are not in the live network. Some IDSs have the ability to transfer attackers into a padded cell after detection. While a honeypot and a padded cell are similar, note that a honeypot lures the attacker, whereas the attacker is transferred into the padded cell.

Penetration tests start by discovering vulnerabilities and then mimic an attack to identify which vulnerabilities can be exploited. It’s important to remember that pen tests should not be done without the express consent and knowledge of management.

Additionally, since pen tests can result in damage, they should be done on isolated systems whenever possible. Remember the distinction between black-box, white-box, and gray-box testing.

Fault tolerance is a common method used to eliminate single points of failure and increase availability. RAID protects against disk failures, failover clusters protect against server failures, and UPS and generators protect against power failures. It’s important to remember that fault tolerance does not negate the need for backups.

13. Exam Essentials for Security Operations

Need to know and the principle of least privilege are two standard IT security principles implemented in secure networks. They limit access to data and systems so that users and other subjects have access only to what they require. When these principles are not followed, security incidents result in far greater damage to an organization.

Separation of duties is a basic security principle that ensures that no single person can control all the elements of a critical function or system.

With job rotation, employees are rotated into different jobs, or tasks are assigned to different employees.

Collusion is an agreement among multiple persons to perform some unauthorized or illegal actions.

Privileged entities are trusted, but they can abuse their privileges. Because of this, it’s important to monitor all assignment of privileges and the use of privileged operations.

Sensitive information is any type of classified information, and proper management helps prevent unauthorized disclosure resulting in a loss of confidentiality.

Proper management includes marking, handling, storing, and destroying sensitive information. The two areas where organizations often miss the mark are adequately protecting backup media holding sensitive information and sanitizing media or equipment when it is at the end of its life cycle.

Record retention policies ensure that data is kept in a usable state while it is needed and destroyed when it is no longer needed. Many laws and regulations mandate keeping data for a specific amount of time, but in the absence of formal regulations, organizations specify the retention period within a policy. Audit trail data needs to be kept long enough to reconstruct past incidents, but the organization must identify how far back it wants to investigate. A current trend with many organizations is to reduce legal liabilities by implementing short retention policies for email.

Patch management ensures that systems are kept up to date with current patches. You should know that an effective patch management program will evaluate, test, approve, and deploy patches. Additionally, be aware that system audits verify the deployment of approved patches to systems. Patch management is often intertwined with change and configuration management to ensure that documentation reflects the changes. When an organization does not have a patch management program, it will often experience outages and incidents from known issues that could have been prevented.

Vulnerability management includes routine vulnerability scans and periodic vulnerability assessments. Vulnerability scanners are used to detect known security vulnerabilities and weaknesses such as the absence of patches or weak passwords. They are used to generate reports that indicate the technical vulnerabilities of a system and are an effective check for a patch management program. Vulnerability assessments extend beyond just technical scans and can include reviews and audits to detect vulnerabilities.

Many outages and incidents can be prevented with effective configuration and change management programs. Configuration management ensures that systems are configured similarly and the configuration of systems are known and documented. Baselining ensures that systems are deployed with a common baseline or starting point, and imaging is a common baselining method. Change management helps reduce outages or weakened security from unauthorized changes. A change management process requires changes to be requested, approved, and documented. Versioning uses a labeling or numbering system to track changes in updated versions of software.

Security audits and reviews help ensure that management programs are effective and being followed. They are commonly associated with account management practices and prevent violations of the least privilege or need-to-know principles. However, they can also be performed to oversee patch management, vulnerability management, change management, and configuration management programs.

12. Exam Essentials for Security Architecture, Vulnerabilities, Threats, and Countermeasures

What is multitasking? It is the simultaneous execution of more than one application on a computer and is managed by the operating system.
What is multithreading? Multithreading permits multiple concurrent tasks to be performed within a single process.
What is multiprocessing? It is the use of more than one processor to increase computing power.
What is multiprogramming? It is similar to multitasking but takes place on mainframe systems and requires specific programming.

Single State Processors are capable of operating at only one security level at a time. Multistate processors can simultaneously operate at multiple security levels.

Four security modes approved by the federal government for processing information are:
Dedicated systems require that all users have appropriate clearance, access permissions, and need to know for all information stored on a system.
System high mode removes the need-to-know requirement and the access permission requirement. Multilevel mode removes all three requirements.

Two layered operating modes are used by most modern processors:
User applications operate in a limited instruction set environment known as user mode. The operating system performs controlled operations in privileged mode, also known as system mode, kernel mode, and supervisory mode.

Types of memory in a computer:
ROM: nonvolatile and cannot be written to by the user.
PROM: can be written to by the user.
EPROM: can be erased using ultraviolet light and then have new data written to it.
EEPROM: can be erased with electrical current and then have new data written to it.
RAM: volatile; loses its contents when the computer is off.

There are three main security issues surrounding memory components:
Data may remain on the chip after power is removed.
Memory chips are highly pilferable.
Access to memory must be controlled in a multiuser system.

Describe the different characteristics of storage devices used by computers.
Primary storage is the same as memory.
Secondary storage consists of magnetic and optical media that must first be read into primary memory before the CPU can use the data.
Random access storage devices can be read at any point, whereas sequential access devices require scanning through all the data physically stored before the desired location.

There are three main security issues surrounding secondary storage devices: removable media can be used to steal data, access controls must be applied to protect data, and data can remain in media after file deletion or media formatting.

Understand the security risks that input and output devices can pose.
They are subject to eavesdropping and tapping, can be used to smuggle data out of an organization, or can be used to create unauthorized, insecure points of entry into an organization’s systems and networks. Be prepared to recognize and mitigate such vulnerabilities.

Working with legacy PC devices requires some understanding of IRQs, DMA, and memory-mapped I/O. Be prepared to recognize and work around potential address conflicts and misconfigurations and to integrate legacy devices with Plug and Play counterparts.

Firmware is the software stored on a ROM chip. At the computer level, it contains the basic instructions to start a computer. Firmware is used to provide operating instructions in peripheral devices such as printers.

Process isolation ensures that individual processes can access only their own data.
Layering creates different realms of security within a process and limits communication between them.
Abstraction creates “black-box” interfaces for programmers to use without requiring knowledge of an algorithm’s or device’s inner workings.
Data hiding prevents information from being read from a different security level.
Hardware segmentation enforces process isolation and physical controls.

The role of a security policy is to inform and guide the design, development, implementation, testing, and maintenance of some particular system.

Cloud computing is a popular term referring to a concept of computing where processing and storage are performed elsewhere over a network connection rather than locally; it is also known as Internet-based computing.

Least privilege ensures that only a minimum number of processes are authorized to run in supervisory mode.
Separation of privilege increases the granularity of secure operations. Accountability ensures that an audit trail exists to trace operations back to their source.

Avoiding single points of failure includes incorporating fault-tolerant systems and solutions into an environment’s design. Fault tolerant systems include redundant or mirrored systems, TFTP servers, and RAID. You should also address power issues and maintain a backup solution.

A covert channel is any method that is used to pass information but that is not normally used for information.

A buffer overflow occurs when the programmer fails to check the size of input data prior to writing the data into a specific memory location. In fact, any failure to validate input data could result in a security violation.

In addition to buffer overflows, programmers can leave back doors and privileged programs on a system after it is deployed. Even well-written systems can be susceptible to time-of-check-to-time-of-use (TOCTTOU) attacks. Any state change could be a potential window of opportunity for an attacker to compromise a system.

11. Exam Essentials for Principles of Security Models, Design, and Capabilities

Know the details about each of the access control models and their functions:
The state machine model ensures that all instances of subjects accessing objects are secure.
The information flow model is designed to prevent unauthorized, insecure, or restricted information flow.
The noninterference model prevents the actions of one subject from affecting the system state or actions of another subject.
The Take-Grant model dictates how rights can be passed from one subject to another or from a subject to an object.
An access control matrix is a table of subjects and objects that indicates the actions or functions that each subject can perform on each object.
In Bell-LaPadula, subjects have a clearance level that allows them to access only those objects with corresponding classification levels and below, and access at the current level is additionally based on need to know.
Biba prevents subjects with lower security levels from writing to objects at higher security levels.
Clark-Wilson is an integrity model that relies on auditing to ensure that unauthorized subjects cannot access objects and that authorized users access objects properly.
Biba and Clark-Wilson enforce integrity.
Goguen-Meseguer and Sutherland focus on integrity.
Graham-Denning focuses on the secure creation and deletion of both subjects and objects.
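An added example, not from the original notes, that implements the Bell-LaPadula and Biba rules above as code: a label is a level plus a set of need-to-know compartments, and the two models turn out to be mirror images of each other. The level names, compartment names, and the analyst/document labels are constructed for the demonstration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical sensitivity levels; for Biba, read them as integrity levels instead."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A lattice label: a level plus a set of need-to-know compartments (constructed names)."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """a dominates b when a's level is at least b's AND a holds all of b's compartments."""
        return self.level >= other.level and self.compartments >= other.compartments


def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality).
    read : simple security property, no read up (need to know comes from the compartments)
    write: *-property, no write down
    """
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject, obj, op):
    """Biba (integrity), the dual of Bell-LaPadula.
    read : simple integrity property, no read down
    write: *-integrity property, no write up
    """
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def decision_table(subject, obj):
    """Side-by-side decisions of both models for one subject/object pair."""
    return {model: {op: rule(subject, obj, op) for op in ("read", "write")}
            for model, rule in (("bell-lapadula", blp_allows), ("biba", biba_allows))}


if __name__ == "__main__":
    # Constructed labels: an analyst cleared SECRET with need to know for NUCLEAR only.
    analyst = Label(Level.SECRET, frozenset({"NUCLEAR"}))
    for doc in (Label(Level.CONFIDENTIAL),
                Label(Level.SECRET, frozenset({"CRYPTO"})),
                Label(Level.TOP_SECRET, frozenset({"NUCLEAR"}))):
        print(doc, decision_table(analyst, doc))
```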

Know the definitions of certification and accreditation.
Certification is the technical evaluation of each part of a computer system to assess its concordance with security standards.
Accreditation is the process of formal acceptance of a certified configuration from a designated authority.

Describe open and closed systems:
Open systems are designed using industry standards and are usually easy to integrate with other open systems.
Closed systems are generally proprietary hardware and/or software. Their specifications are not normally published, and they are usually harder to integrate with other systems.

Confinement, Bounds, and Isolation
Confinement restricts a process to reading from and writing to certain memory locations.
Bounds are the limits of memory a process cannot exceed when reading or writing.
Isolation is the mode a process runs in when it is confined through the use of memory bounds.

Objects and Subjects
Subjects are users or processes that make requests for access to a resource.
Objects are the resources being requested.
Security controls use access rules to limit access by a subject to an object.

Here is a list of the corresponding classes of the TCSEC, ITSEC, and Common Criteria:

TCSEC  ITSEC    Common Criteria  Description
D      F-D+E0   EAL0, EAL1       Minimal/no protection
C1     F-C1+E1  EAL2             Discretionary security mechanisms
C2     F-C2+E2  EAL3             Controlled access protection
B1     F-B1+E3  EAL4             Labeled security protection
B2     F-B2+E4  EAL5             Structured security protection
B3     F-B3+E5  EAL6             Security domains
A1     F-B3+E6  EAL7             Verified security design

A TCB or Trusted Computing Base is the combination of hardware, software, and controls that form a trusted base that enforces the security policy.

A security perimeter is the imaginary boundary that separates the TCB from the rest of the system. TCB components communicate with non-TCB components using trusted paths.

The reference monitor is a logical part of the TCB that confirms whether a subject has the right to use a resource prior to granting access. The security kernel is the collection of the TCB components that implement the functionality of the reference monitor.

Common security capabilities include memory protection, virtualization, and trusted platform module (TPM).

10. Exam Essentials for PKI and Cryptographic Applications

Asymmetric key cryptography is another way of saying public key encryption.

Understand the key types used in asymmetric cryptography: public keys are freely shared, whereas private keys are kept secret. To encrypt a message, use the recipient’s public key. To decrypt a message, use your own private key.
To sign a message, use your own private key. To validate a signature, use the sender’s public key.

Be familiar with the three major public key cryptosystems: RSA (which depends upon the difficulty of factoring the product of prime numbers), El Gamal (an extension of the Diffie-Hellman key exchange algorithm that depends upon modular arithmetic), and the elliptic curve algorithm (which depends on the elliptic curve discrete logarithm problem and provides more security than the other algorithms when they are used with keys of the same length).

A good hash function has the following fundamental properties:
It must allow input of any length.
It must provide a fixed-length output.
It must be relatively easy to compute the hash for any input.
It must provide one-way functionality.
It must be collision free.

Major hashing algorithms:
SHA-1 (160-bit message digest)
SHA-2 (variable lengths up to 512 bits)

To generate a digital signature, first use a hashing function to generate a message digest, then encrypt the digest with your private key. To verify the digital signature on a message, decrypt the signature with the sender’s public key and compare the resulting message digest to the one you generate yourself; if they match, the message is authentic.

Know the components of the Digital Signature Standard (DSS).
DSS uses the SHA-1 message digest function along with one of three encryption algorithms: DSA (Digital Signature Algorithm), RSA (Rivest-Shamir-Adleman), or ECDSA (Elliptic Curve DSA).

Understand the PKI.
In the PKI, certificate authorities (CAs) generate digital certificates containing the public keys of system users. Users then distribute these certificates to people with whom they want to communicate. Certificate recipients verify a certificate using the CA’s public key.

Common applications of cryptography to secure email are the S/MIME protocol and Phil Zimmermann’s PGP, another popular security tool.

Common applications of cryptography to secure web activity: the de facto standard for secure web traffic is HTTP over TLS or the older SSL.

Common applications of cryptography to secure networking: the IPSec protocol standard provides a common framework for encrypting network traffic and is built in to a number of common operating systems. In IPSec transport mode, packet contents are encrypted for peer-to-peer communication; in tunnel mode, the entire packet, including header information, is encrypted for gateway-to-gateway communications.

IPSec is a security architecture framework that supports secure communication over IP. IPSec establishes a secure channel in either transport mode or tunnel mode, for direct communication between computers or to set up a VPN between networks. IPSec uses two protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).

Common cryptographic attacks:
Brute-Force: or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data. Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space.

Known plain-text: the attacker has samples of both the plaintext (called a crib) and its encrypted version (ciphertext). These can be used to reveal further secret information such as secret keys and code books. The term “crib” originated at Bletchley Park, the British World War II decryption operation.

Chosen ciphertext: the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts into the system and obtain the resulting plaintexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.

Chosen plain-text: the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. The goal of the attack is to gain some further information which reduces the security of the encryption scheme. In the worst case, a chosen-plaintext attack could reveal the scheme’s secret key.

Meet-in-the-middle: a generic attack applicable to several cryptographic systems, so the internal structure of the specific system is irrelevant to it; it can also be combined with other kinds of attack.
It requires the ability to encrypt and decrypt, and possession of pairs of plaintexts and corresponding ciphertexts.
When trying to improve the security of a block cipher, a tempting idea is simply to use several independent keys to encrypt the data several times using a sequence of functions (encryptions). One might then think this doubles or even n-tuples the security of the multiple-encryption scheme, depending on the number of encryptions the data must go through.
The meet-in-the-middle attack attempts to find a value, using both the range (ciphertext) and the domain (plaintext) of the composition of several functions (or block ciphers), such that the forward mapping through the first functions equals the backward mapping (inverse image) through the last functions, quite literally meeting in the middle of the composed function.
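Why double encryption does not double the key strength, as an added Python example (not from the original notes). The 16-bit block cipher and 12-bit keys are a toy constructed for this demonstration, not a real algorithm; with two keys the key space is 2^24, yet the attack below recovers both keys with about 2 * 2^12 cipher operations by tabulating the forward half and looking up the backward half.

```python
KEY_BITS = 12
MASK16 = 0xFFFF

def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK16

def rotr16(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK16

def enc(k, x):
    """Toy block cipher E_k: XOR, rotate, add, XOR (every step is invertible)."""
    x = rotl16(x ^ k, 5)
    x = (x + k) & MASK16
    return x ^ rotl16(k, 9)

def dec(k, y):
    """Inverse of enc, undoing the steps in reverse order."""
    y = ((y ^ rotl16(k, 9)) - k) & MASK16
    return rotr16(y, 5) ^ k

def double_enc(k1, k2, x):
    """E_k2(E_k1(x)): the 'encrypt twice with independent keys' construction."""
    return enc(k2, enc(k1, x))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.
    Forward (domain side): tabulate E_k1(p0) for every k1.
    Backward (range side): compute D_k2(c0) for every k2 and look it up.
    A match is a candidate; the remaining pairs weed out false positives."""
    p0, c0 = pairs[0]
    middle = {}
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(enc(k1, p0), []).append(k1)
    for k2 in range(1 << KEY_BITS):
        for k1 in middle.get(dec(k2, c0), ()):
            if all(double_enc(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2
    return None

# Constructed scenario: the victim's secret keys and three captured pairs.
SECRET_K1, SECRET_K2 = 0x3A7, 0x5C1
PLAINTEXTS = [0x1234, 0xBEEF, 0x0042]
PAIRS = [(p, double_enc(SECRET_K1, SECRET_K2, p)) for p in PLAINTEXTS]

if __name__ == "__main__":
    print(meet_in_the_middle(PAIRS) == (SECRET_K1, SECRET_K2))  # True
```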

Man-in-the-middle: a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances.

Birthday: Exploits the mathematics behind the birthday problem in probability theory. This attack can be used to abuse communication between two or more parties. The attack depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations (pigeonholes), as described in the birthday problem/paradox.
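The birthday bound in code, as an added Python example (not from the original notes): SHA-256 is truncated to 24 bits purely so that the search finishes instantly, standing in for any digest that is too short. The collision turns up after roughly 2^12 hashes, whereas finding a second preimage of one fixed target would take about 2^24.

```python
import hashlib
import math

# Constructed setting: SHA-256 truncated to 24 bits plays the role of a short digest.
DIGEST_BITS = 24

def short_hash(data: bytes) -> bytes:
    """A weak digest: the first DIGEST_BITS of SHA-256."""
    return hashlib.sha256(data).digest()[: DIGEST_BITS // 8]

def expected_attempts(n_bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^n) random inputs give a collision,
    versus 2^n trials to hit one fixed target digest."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)

def find_collision(prefix: bytes = b"msg-"):
    """Hash distinct candidate messages, remembering every digest seen, until
    one repeats. Returns the two colliding messages and the hashes spent."""
    seen = {}
    attempts = 0
    while True:
        candidate = prefix + str(attempts).encode()
        digest = short_hash(candidate)
        attempts += 1
        if digest in seen:
            return seen[digest], candidate, attempts
        seen[digest] = candidate

if __name__ == "__main__":
    m1, m2, attempts = find_collision()
    print(m1, m2, short_hash(m1).hex())
    print(f"{attempts} hashes vs. ~{expected_attempts(DIGEST_BITS):.0f} expected; "
          f"2^{DIGEST_BITS} = {2 ** DIGEST_BITS} for a fixed target")
```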

Replay: network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).

9. Exam Essentials for Cryptography and Symmetric Key Algorithms

Understand the role that confidentiality, integrity, and nonrepudiation play in cryptosystems.

Know how cryptosystems can be used to achieve authentication goals by providing assurances as to the identity of the user. One possible scheme that uses authentication is the challenge-response protocol, in which the remote user is asked to encrypt a message using a key known only to the two communicating parties; either symmetric or asymmetric cryptosystems can be used.

The basic terminology of cryptography.

Understand the difference between a code and a cipher and explain the basic types of ciphers. Codes are cryptographic systems of symbols that operate on words or phrases and are sometimes secret but don’t always provide confidentiality. Ciphers, however, are always meant to hide the true meaning of a message. Know how the following types of ciphers work:
transposition ciphers, substitution ciphers (including one-time pads), stream ciphers, and block ciphers.

Know the requirements for successful use of a one-time pad.
The key must be randomly generated, be at least as long as the message to be encrypted, be protected against physical disclosure, and be used only once and then discarded.
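The one-time pad requirements as an added Python example (not from the original notes): the pad comes from the OS random source, its length is checked against the message, and reuse_leak shows what falls out when the "use once" rule is broken, since XORing two ciphertexts under the same pad cancels the pad and leaves p1 XOR p2. The sample messages are constructed.

```python
import secrets

def otp(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR each message byte with a pad byte.
    The same call decrypts, since (p ^ k) ^ k == p."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))

def fresh_pad(length: int) -> bytes:
    """Random pad from the OS CSPRNG; a PRNG seeded from the clock would not do."""
    return secrets.token_bytes(length)

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper computes when one pad covers two messages:
    c1 ^ c2 == p1 ^ p2, with the pad cancelled out entirely."""
    return bytes(a ^ b for a, b in zip(c1, c2))

if __name__ == "__main__":
    p1, p2 = b"ATTACK AT DAWN", b"HOLD POSITION."  # constructed sample messages
    pad = fresh_pad(len(p1))
    c1, c2 = otp(p1, pad), otp(p2, pad)           # second use is the violation
    print(otp(c1, pad) == p1)                     # True: decryption works
    print(reuse_leak(c1, c2) == bytes(a ^ b for a, b in zip(p1, p2)))  # True: pad gone
```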

The concept of zero knowledge proof.

Understand split knowledge: It ensures that no single person has sufficient privileges to compromise the security of the environment.

Understand work function (or work factor). It’s a way to measure the strength of a cryptographic system by measuring the effort, in terms of cost and/or time, to decrypt messages. Usually the time and effort required to perform a complete brute-force attack against an encryption system is what a work function rating represents.

The importance of key security: The cryptographic keys provide the necessary elements of secrecy to a cryptosystem. Modern cryptosystems utilize keys that are at least 128 bits long to provide adequate security. It’s generally agreed that the 56-bit key of DES is no longer long enough to provide security.

Know the difference between symmetric and asymmetric cryptosystems.
Symmetric key cryptosystems are fast, rely on a shared secret key but lack support for scalability, easy key distribution, and nonrepudiation. Asymmetric cryptosystems use public-private key pairs for communication between parties but operate much more slowly than symmetric algorithms.

Be able to explain basic operational modes of DES and 3DES.
ECB: Electronic Code Book
CBC: Cipher Block Chaining
CFB: Cipher Feedback Mode
OFB: Output Feedback Mode (least secure)

3DES uses three iterations of DES with two or three different keys to increase the effective key strength to 112 or 168 bits, respectively.

AES is the Advanced Encryption Standard and is the US government standard for the secure exchange of sensitive but unclassified data. AES uses key lengths of 128, 192, and 256 bits and a fixed block size of 128 bits to achieve a much higher level of security than that provided by the older DES algorithm.