Kindle Notes & Highlights
Read between March 16 - October 3, 2019
The three primary goals of an information security program are to prevent the loss of confidentiality, the loss of integrity, and the loss of availability for any IT systems and data.
Personally identifiable information (PII) is information that identifies an individual and includes items such as the person’s name, national identification number such as the U.S. Social Security number, and birthdate.
Protected health information (PHI) is any information about an individual’s medical and health history.
A defense in depth strategy provides a layered approach to security by implementing multiple controls at different layers.
Nonrepudiation ensures that a party cannot believably deny (or repudiate) taking an action. Audit logging and digital signatures are two common methods used to enforce nonrepudiation.
Authentication provides identification for users, and accounting tracks their activities in audit logs.
Due diligence refers to the investigative steps that an organization takes prior to taking on something new, such as signing a contract or making a major purchase.
Management is responsible for any losses that occur because of residual risk.
Hashing
Audit logs
Defense in depth provides a layered approach to security and protects an organization even if one or more security elements fail.
Something you are (type 3)
written password policy
Passwords are the least secure method of authentication;
Don’t write down passwords
Users should be encouraged to create passphrases
The HOTP protocol creates asynchronous dynamic passwords.
One-time Password In Everything (OPIE)
Iris: The area surrounding the eye’s pupil is the iris, which is almost as unique as the retina. Iris scans are more acceptable to users because they don’t require physical contact and cameras can take pictures of the iris from a distance. However, lighting can affect the accuracy of an iris scan, and some iris scanners can be tricked with a high-quality picture.
With single sign-on (SSO), a user authenticates once and then the system uses the same credentials for the entire session.
not the user’s password.
encrypts a time-stamped ticket-granting ticket (TGT) with a separate key,
decrypts the symmetric key with a hash of its password.
also provides an encrypted symmetric key that systems use to encrypt information between the client and the target server.
Identity provider
authentication
OAuth
OpenID Connect.
OAuth 2.0
TIP Kerberos, SAML, OAuth, and OpenID Connect each provide SSO capabilities. With SSO, users only have to log on once and then use the same credentials to access multiple resources.
Non-Discretionary Access Control
Role-based Access Control
Rule-based Access Control
Simple security property rule—no read up
integrity
Biba is a MAC model that uses the no read down and no write up rules to enforce integrity. Integrity protects against unauthorized data modifications.
The certification rules are integrity-monitoring rules, and the enforcement rules are integrity-preserving rules.
Provisioning refers to creating accounts for users and granting them access to appropriate resources.
HMAC-based One-Time Password (HOTP).
One-time Password In Everything (OPIE),
RBAC model
The MAC model provides the highest level of security when compared to DAC and RBAC models.
labels,
DHCP uses UDP ports 67 and 68.
ARP resolves IP addresses to physical or hardware addresses (MAC addresses).
Berkeley Internet Name Domain (BIND) is a version of DNS software that runs on UNIX systems.
• Authentication Header (AH)
personal area networks (PANs).
passive (without a battery).
Two important protocols operate on the Transport layer (layer 4). They are TCP and UDP.