Term
| WEB SERVERS HAVE BECOME THE FOCUS FOR INDIVIDUALS WHO WISH TO WHAT? 3 THINGS |
|
Definition
a. This trusted connection is not to be confused with a Microsoft Domain trust.
b. A trusted connection can be an attachment to Microsoft shares, in UNIX as Network File System (NFS) mounts, as well as connections to interior enclave printers.
c. This relationship can also be found with connections from public web servers to interior enclave databases. |
|
|
Term
| WHAT ARE THE RESPONSIBILITIES OF THE IAM/IAO, SA, AND WEB MANAGER. |
|
Definition
| 1. The ISSM/IAM is responsible for the security of all ISs and media assigned to the organization and under his/her purview. To protect these assets, he or she must ensure the security measures and policies contained within this chapter are followed. Additionally, the ISSM/IAM will publish supplemental organizational procedures (SOPs, etc.), if needed, to implement the requirements. |
|
|
Term
|
Definition
| a. Static: contain content that is displayed to the web user; no interaction with the web page is involved after it is displayed. |
|
|
Term
|
Definition
| b. Dynamic: accept and retrieve information from the web user, produce specialized or customized content, query databases, and generate web pages. This is accomplished via scripting embedded in a web page. |
|
|
Term
|
Definition
| Common Gateway Interface (CGI) is a standard for interfacing external applications with information servers, such as HTTP or web servers. The definition of CGI as web-based applications is not to be confused with the more specific .cgi file extension. CGI applications can be written in most programming language. |
|
|
Term
|
Definition
1. JavaScript is a scripting extension of HTML. JScript is the Microsoft equivalent of JavaScript. It extends the ability of the server to respond to client events without the need for client/server communications. JavaScript cannot exist outside of HTML code. To function, JavaScript must be embedded in a web page. However, server-side statements that connect to databases or access the file system on the server can exist.
2. JavaScript is an interpreted language designed for controlling the browser. It has the ability to open and close windows, manipulate form elements, adjust browser settings, and download and execute Java applets. (Applets are mini application modules embedded in web pages [e.g., for animating a picture].) |
|
|
Term
| HOW DO YOU HARDEN A WEBSERVER? |
|
Definition
2. Configure syn cookie at OS level to protect against SYN flood attacks
3. Web-server hosts should be updated with the latest security fixes for the OS and web server software in accordance with local procedures
4. Web-server hosts should have a minimum number of accounts in the system
5. Configure NTFS and IIS Web site permissions with the least privileges required
6. Enable only essential web service extensions
7. Remove all sample directories and pages shipped with the web servers
1. Web-server hosts should have non-essential services disabled and all non-essential files removed |
|
|
Term
|
Definition
| a. Designed and intended to administer the database storage architecture, grant privileges, and provide oversight management to all database objects within the database and, in some cases, to start, stop, and configure the database process. |
|
|
Term
|
Definition
a. SQL Server requires individual user logons
b. Database objects are owned by individual database accounts
c. By default, the owner of an object is the only account with privileges to allow access to that object
d. Only authorized users or the owner can grant access to an object to other accounts, roles, or to PUBLIC |
|
|
Term
|
Definition
1. Access controls of database objects are an integrated feature of the SQL Server DBMS. Access permissions fall into three categories:
a. Statement permissions: grant database accounts the ability to create and configure the database and its items
b. Object permissions: grant the ability to manipulate data and execute procedures within the database
c. Implied permissions: are the privileges granted through membership in fixed server roles or through object ownership. (ex. Database object owners have implied permissions to perform all activities on the objects they own.) |
|
|
Term
|
Definition
1. Auditing is a mandatory requirement. Once auditing is enabled at the database level, specific auditing instructions have to be issued from a DBA account.
2. Logon audit data is stored in both the Windows event log as well as the SQL Server 2000 error log.
3. Event auditing may be turned on by setting the C2 trace flag or by defining a trace using SQL Profiler and configuring it for autostart. |
|
|
Term
|
Definition
| MSDE (Microsoft SQL Server Desktop Engine) is a fully functional version of Microsoft SQL Server. MSDE 2000 is included on the Microsoft Office 2000 CD. An earlier version of MSDE Version 1.0 was named Microsoft Database Engine. |
|
|
Term
|
Definition
1. Access controls of database objects are an integrated feature of the Oracle DBMS.
2. Oracle defines two types of database accounts and access levels:
a. non-administrative
b. administrative: Full privileges are entrusted to administrative database accounts to manage the database structure, database objects, and other database accounts. |
|
|
Term
| WINDOWS DNS PROVIDES CRYPTOGRAPHIC AUTHENTICATION THROUGH THE SECURE DYNAMIC UPDATES FEATURE. |
|
Definition
| A. The Domain Name System (DNS) is a hierarchically structured, distributed database that provides name resolution services to Internet Protocol (IP) networks such as the Internet, Infrastructure, File, Print, Internet Information Services (IIS), Microsoft Internet Authentication Service (IAS), Certificate, and Bastion Host servers. |
|
|
Term
| WHAT INTERNET NAMING SERVICE WINS |
|
Definition
A. Prior to Windows 2000, Windows operating systems used NetBIOS rather than DNS names for most internal network communication, including file, print and messaging services. Microsoft developed Windows Internet Naming Service (WINS) to provide a central host-name-to-IP-address resolution capability and other services similar to those provided by DNS.
B. WINS is not secure because it will accept dynamic updates without authentication, allowing adversaries to easily modify WINS records. Integrating DNS and WINS creates the potential for DNS to be poisoned with bogus entries in WINS. Therefore, administrators must never integrate WINS with DNS. |
|
|
Term
|
Definition
a. Runs once per forest; it extends the Active Directory schema to include specific Exchange information.
b. Creates objects in Active Directory and gives permissions on those objects to the account designated as the Exchange 2000 administrator. |
|
|
Term
| WHAT IS INSTALLATION DIRECTORY. |
|
Definition
| a. It is recommended the operating system reside in its own partition for integrity reasons. For this reason a new partition should be set up for Exchange 2000. |
|
|
Term
|
Definition
| POSES RISKS TO CLIENT INFRASTRUCTURE AND NETWORK. IM COULD CONTAIN VIRUSES,WORMS, AND OTHER FORMS OF MALWARE. |
|
|
Term
|
Definition
| PROHIBITS EXECUTION OF SOME TYPES OF MOBILE CODE. THEREFOR AUTOMATIC EXECUTION OF ALL MOBILE CODE IN EMAILS AND ATTACHMENTS MUST BE DISABLED. |
|
|
Term
| WHAT IS SPYWARE AND ADWARE |
|
Definition
Adware is software that presents a user with advertising messages based on an analysis of collected data to determine the types of items or services that may be of interest to the user. Many times the terms are used together in the context of adware/spyware.
Spyware is any software that covertly gathers information about a user without his or her knowledge, and transmits this data to a third party through an Internet connection. Many times the term is associated with adware. |
|
|
Term
| SYMANTEC NORTON ANTIVIRUS CORPORATE EDITION IS ALSO KNOWN AS WHAT? |
|
Definition
|
|
Term
| WEB BROWSERS ARE THE CLIENT APPLICATIONS THAT COMMINICATE WITH WEBSERVERS t/f |
|
Definition
|
|
Term
| DATA HTML WEB PAGES AND FILES SENT TO THE BROWSER CAN CONTAIN MAL CODE T/F? |
|
Definition
|
|
Term
| THE SA/IAO WILL ENSURE THAT THE BROWSER IS CONFIGURED TO WHAT. |
|
Definition
|
|
Term
| WHAT ARE THREE CRYPTOGRAPHIC ALGORITHMS |
|
Definition
| SYMETRIC, ASYMETRIC, AND HASH |
|
|
Term
| WHAT IS THE FUNCTION OF A PRIVATE KEY. |
|
Definition
| The private key is retained by the entity that “owns” the key pair and must be kept secret. |
|
|
Term
| CRYPTOGRAPHY RELIES HEAVILY ON TWO BASIC COMPONENTS |
|
Definition
1. An algorithm (or cryptographic methodology), which is a mathematical function.
2. A key which is a parameter used in the transformation. |
|
|
Term
|
Definition
A. Symmetric key algorithms, often called secret key algorithms, use a single key to both apply the protection and to remove or check the protection. For example, the key used to encrypt data is also used to decrypt the encrypted data. This key must be kept secret if the data is to retain its cryptographic protection. Symmetric algorithms are used to provide confidentiality via encryption, or an assurance of authenticity or integrity via authentication, or are used during key establishment.
B. Symmetric cryptography: A unique key needs to be generated for each relationship (a relationship may be one-to-one or one-to-many (e.g., broadcast)) and for each purpose (e.g., encryption, authentication and key wrapping). For example, if there are four entities (A, B, C, and D) using encryption, there are six possible relationships (A-B, A-C, A-D, B-C, B-D, C-D). If a key is to be provided for encryption for each relationship, six keys are required. If there are, instead, l000 entities there are 499,500 possible relationships, and a unique key would be required for each relationship. The method for transferring the key from the sending party to each recipient must provide for both confidentiality and data integrity protection for the key.
C. The primary advantage of symmetric cryptography is speed. There are approved symmetric key algorithms that are significantly faster than any currently available asymmetric key algorithm. In addition, advances in factoring efficiency, other cryptographic methods, and computational efficiency have tended to reduce the protection provided by public key cryptography more rapidly than that provided by symmetric key cryptography.
D. In some situations, asymmetric cryptography is not necessary, and symmetric cryptography alone is sufficient. This includes environments where secure symmetric key establishment can take place, environments where a single authority knows and manages all the keys, and a single-user |
|
|
Term
|
Definition
1. Public key and Private key
a. They are mathematically related to each other.
b. The public key may be made public; the private key must remain secret if the data is to retain its cryptographic protection.
c. Even though there is a relationship between the two keys, the private key cannot be determined from the public key.
d. The private key is retained by the entity that “owns” the key pair and must be kept secret.
e. The public key is distributed to the other entities and requires integrity protection. Depending on the service to be provided, different keys are used to apply, versus remove or check the protection. For example, a digital signature is computed using a private key, and the signature is verified using the public key. For those algorithms also capable of encryption, the encryption is performed using the public key, and the decryption is performed using the private key. |
|
|
Term
|
Definition
| A hash function is used in the signature generation process to obtain a condensed version of data to be signed, called a message digest or hash value. |
|
|
Term
| PRIVATE KEY ALGORITHMS USE 2 KEYS WHAT ARE THEY? |
|
Definition
|
|
Term
|
Definition
| 1. The TDEA, also known as Triple DES, uses the DES cryptographic engine to transform data in three operations. NIST SP 800-67, Recommendation for the TDEA Block Cipher, specifies the TDEA block cipher algorithm. TDEA will be supported for Federal use only until 2030 (see NIST SP 800-57). |
|
|
