Information Security Exam Memorization Guide (Based on Provided Documentation)

1. Computer Security & Access Control

Fundamental Concepts

Computer Security: Protection of systems/data from theft, damage, or unauthorized access.

Three Core Techniques:

  • Authentication: Verify user identity (e.g., passwords, biometrics).
  • Access Control: Limit resource access to authorized parties (e.g., ACLs, RBAC).
  • Memory Protection: Segmented virtual memory prevents cross-process interference.

Access Control Models

Access Control Matrix (ACM):

  • Rows = subjects (users), Columns = objects (files), Entries = permissions (e.g., read, write).
  • Example:
    User/File   a.out    b.out
    Jason       {r,w}    {r,w,x}
    Mick        -        {r,x}

Access Control Lists (ACLs): Permissions attached to objects (e.g., Unix file permissions).
Capability Lists: Permissions held by subjects (e.g., user-held tokens).

Role-Based Access Control (RBAC):

  • Hierarchical RBAC: Roles inherit permissions from parent roles.
  • Constrained RBAC: Separation of Duties (SoD) to prevent conflicts.

Examples

Unix Access Control: User/Group/Other permissions (rwx).
Windows ACLs: Fine-grained control with permission inheritance.


2. Cryptography

Symmetric Cryptography

Block Ciphers:

  • Operate on fixed-length blocks (e.g., DES: 64-bit, AES: 128-bit).
  • DES: 16-round Feistel network; criticized for short 56-bit key.
  • AES: Substitution-Permutation Network (SPN) with 128/192/256-bit keys.

Modes of Operation:

  • ECB (Electronic Codebook): Encrypts blocks independently (weak for repetitive data).
  • CBC (Cipher Block Chaining): XORs plaintext with prior ciphertext (requires IV).
  • CTR (Counter Mode): Uses a nonce combined with a counter, allowing parallel encryption.

Public Key Cryptography (PKC)

RSA Encryption:

  • Key generation:
    n = p*q, φ(n) = (p-1)(q-1), select e (coprime to φ(n)), solve d ≡ e⁻¹ mod φ(n).
  • Encryption: c ≡ mᵉ mod n. Decryption: m ≡ cᵈ mod n.

Advantages: No pre-shared key; supports digital signatures.
Disadvantages: Slower than symmetric; requires PKI for key authenticity.
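
The RSA key generation, encryption and decryption formulas above, carried through in code with the guide's own symbols. This is an added example, not part of the original guide; the toy primes (p = 61, q = 53), e = 17, and the function names are assumptions chosen for illustration.

```python
# Textbook RSA with the guide's symbols (n, phi, e, d, m, c).
# Toy primes only: real RSA uses moduli of 2048 bits or more plus padding (e.g. OAEP).
from math import gcd


def keygen(p, q, e):
    """Return (public, private) = ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # d = e^-1 mod phi(n) (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)              # c = m^e mod n


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)              # m = c^d mod n


def sign(priv, m):
    n, d = priv
    return pow(m, d, n)              # signature uses the private exponent


def verify(pub, m, s):
    n, e = pub
    return pow(s, e, n) == m         # anyone holding the public key can check


def matches_guess(pub, c, guess):
    # Unpadded RSA is deterministic: equal plaintexts give equal ciphertexts,
    # so it is not semantically secure. Randomized padding removes this property.
    return encrypt(pub, guess) == c


if __name__ == "__main__":
    pub, priv = keygen(61, 53, 17)   # constructed sample parameters
    c = encrypt(pub, 65)
    print("public", pub, "private", priv)
    print("c =", c, "m =", decrypt(priv, c))
    print("signature valid:", verify(pub, 65, sign(priv, 65)))
    print("guess 65 matches ciphertext:", matches_guess(pub, c, 65))
```
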


3. Network Security

Fundamental Threats

CIA Triad:

  • Confidentiality (leakage), Integrity (tampering), Availability (DoS).

Threat Types:

  • Passive (eavesdropping), Active (spoofing, modification).

Layered Security

IPsec (Network Layer):

  • Provides confidentiality (AH/ESP protocols), operates in transport/tunnel modes.

TLS (Transport Layer):

  • Encrypts HTTP/SMTP traffic; uses handshake protocol for session keys.

Intrusion Prevention/Detection

Firewalls:

  • Stateless Packet Filtering: Blocks based on IP/port.
  • Stateful Inspection: Tracks TCP sessions (e.g., SYN/ACK flags).

IDS (Intrusion Detection Systems):

  • Signature-based: Matches known attack patterns.
  • Anomaly-based: Detects deviations from normal traffic.

4. Authentication & Identity Systems

Password Schemes:

  • Weaknesses: Short length, reuse, dictionary attacks.
  • Mitigations: Salting, hashing (e.g., bcrypt), MFA.

Federated Identity:

  • Single Sign-On (SSO): Use one credential for multiple services (e.g., OAuth).
  • Identity Federation: Cross-enterprise trust (e.g., SAML).

5. Payment Card Security (EMV)

Roles:

  • Issuing Bank: Provides cards to customers.
  • Acquiring Bank: Processes merchant transactions.
  • Payment Network: Routes authorization requests (e.g., Visa, Mastercard).

Security Features: Chip authentication, dynamic cryptograms.


6. Key Management

Symmetric Key Challenges:

  • Secure distribution, scalability (n users → n(n-1)/2 keys).

Public Key Infrastructure (PKI):

  • Digital Certificates: Bind public keys to identities (signed by CAs).
  • Certificate Authorities (CAs): Trusted third parties (e.g., Let’s Encrypt).

7. Attack Models & Cryptanalysis

Attack Types:

  • Ciphertext-only, Known-plaintext, Chosen-plaintext/ciphertext.

Security Goals:

  • Semantic security, resistance to brute force/differential cryptanalysis.

8. Standards & Protocols

ISO 7498-2 Security Services:

  • Authentication, Access Control, Confidentiality, Integrity, Non-repudiation.

Security Mechanisms:

  • Encryption, Digital Signatures, Access Control Lists, Traffic Padding.

Memorization Tips

  1. Access Control: Focus on ACM vs. ACL vs. Capabilities.
  2. Cryptography: Distinguish DES vs. AES; know RSA math.
  3. Layered Security: IPsec (network) vs. TLS (transport).
  4. Firewalls/IDS: Stateless vs. stateful; signature vs. anomaly detection.

Print and Review!


https://blog.pandayuyu.zone/2025/05/07/Information_Security_Exam_Memorization_Guide/
Author: Panda
Posted on: May 7, 2025