CISSP NOTES
Chapter 1: Security Governance Through Principles and Policies
Confidentiality
• Concepts of confidentiality:
o Sensitivity – The quality of information, which could cause harm or damage if disclosed.
o Discretion – An act of decision where an operator can influence or control disclosure in order to minimize harm or damage.
o Criticality – The level of which information is mission critical is its measure or criticality.
o Concealment – The act of hiding or preventing disclosure via cover, obfuscation or distraction.
o Secrecy – The act of keeping something a secret or preventing the disclosure of information.
o Privacy – Keeping information confidential that is personally identifiable, or that might cause harm, embarrassment, or disgrace to someone if revealed.
o Seclusion – Storing something in an out-of-the-way location.
o Isolation – The act of keeping something separated from others.
Integrity
• For integrity to be maintained, objects must retain their veracity and be intentionally modified by only authorized subjects. If a security mechanism offers integrity, it offers a high level of assurance that the data, objects and resources are unaltered from their original protected state.
• Integrity can be examined from three perspectives:
o Preventing unauthorized subjects from making modifications
o Preventing unauthorized subjects from making unauthorized modification, such as mistakes.
o Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any child, peer, or parent object is valid, consistent and verifiable.
• Other concepts of integrity:
o Accuracy – Being correct and precise
o Truthfulness – Being a true reflection of reality
o Authenticity – Being authentic or genuine
o Validity – Being factually or logically sound
o Nonrepudiation – Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event.
o Accountability – Being responsible or obligated for actions and results
o Responsibility – Being in charge or having control over something or someone
o Completeness – Having all needed and necessary components or parts.
o Comprehensiveness – Being complete in scope; the full inclusion of all needed elements.
Availability
• Concepts of availability:
o Usability – The state of being easy to use or learn or being able to be understood and controlled by a subject.
o Accessibility – The assurance that the widest range of subjects can interact with a resource regardless of the capabilities or limitations.
o Timeliness – Being prompt, on time, within a reasonable time frame, or providing low latency response.
Other Security Concepts
• AAA Service (five elements). Missing any of them can result in an incomplete security mechanism.
o Identification – Claiming to be an identity when attempting to access a secured area or system.
o Authentication – Proving that you are that identity.
o Authorization – Defining the permissions (i.e., allowing/grant and/or deny) of a resource and object access for a specific identity.
o Auditing – Recoding a log of the events and activities related to the system and subjects.
o Accounting (aka Accountability) – Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions.
• Layering – Defense in depth.
o The use of multiple controls in a series.
o Analogous to going through security line at an airport – several checkpoints and only one way through.
• Abstraction – Placing similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
o Abstraction simplifies security by enabling you to assign security controls to a group of objects collected by type or function.
• Data Hiding – Positioning data in a logical storage compartment that is not accessible or seen by the subject.
• Security through Obscurity – The idea of not informing a subject about an object being present and thus hoping that the subject will not discover the object.
• Governance – The goal is to maintain business processes while striving toward growth and resiliency.
o Top-down-approach –
Upper management is responsible for initiating and defining policies for the organization.
Security policies provide direction for all levels of the organization.
Middle management is responsible for setting standards, baselines, guidelines and procedures.
Operational managers or security professionals must then implement the configurations prescribed in the security management documentation.
End users must comply with all the security policies within the organization.
o Bottoms-up-approach –
The opposite of a top down approach (duh)
IT staff make security decisions without input from senior management.
Considered problematic in the IT industry.
• Tiers of Plans
o Strategic Plan – Long term pan that is fairly stable
Useful for about five years if it is maintained and updated annually
Should include a risk assessment
Essentially long term goals and visions for the future
o Tactical Plan – Midterm plan developed to provide more details on accomplishing the goals set forth in a strategic plan
Typically useful for about a year
E.g. Project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans, and system development plans.
o Operational Plan – Short term, highly detailed plan based on strategic and tactical plans
Include details on how the implementation processes are in compliance with the organization’s security policy
E.g. Training plans, system deployment plans, product design plans
o S.T.O.P.
Data Classification
• Numerous generalities can be gleaned from common or standardized classification systems:
o Usefulness of data
o Timelines of data
o Value or cost of data
o Maturity or age of data
o Lifetime or expiry of data
o Association with personnel
o Data disclosure damage assessment (how disclosure would affect the organization)
o Data modification damage assessment (how modification would affect the organization)
o National Security Implications of the data
o Authorized access to the data
o Restriction from the data
o Maintenance and monitoring of the data
o Storage of the data
• Seven steps to implement a data classification scheme
o Identify the custodian and define their responsibilities
o Specify the evaluation criteria of how the information will be classified and labeled.
o Classify and label each resource (owner conducts, supervisor reviews)
o Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria
o Select the security controls that will be applied to each classification level to provide the necessary level of protection.
o Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external party
o Create an enterprise-wide awareness program to instruct all personnel about the classification system.
• Levels of Government Classification
o Top Secret – Highest level of classification. Unauthorized disclosure could have grave effects on national security.
o Secret – used for data that is restricted in nature.
o Confidential -used for data of a sensitive, proprietary, or highly valuable nature. Unauthorized disclosure will have noticeable effects and cause serious damage to national security.
o Sensitive but Unclassified – SBU – internal data for office use only (FOUO). Data that could violate the privacy rights of individuals.
o Unclassified – Neither sensitive nor classified.
o WAY TO REMEMBER FROM BOTTOM UP – US Can Stop Terrorism
o Classified data is exempt from FOI requests.
• Commercial business / private sector Classifications
o Confidential – highest level of classification. Data that is extremely sensitive and for internal use only. Significant negative impact could occur if disclosed.
o Private – Intended for internal use, and is of sensitive or private nature. Same as confidential, but is in regard to a specific individual.
o Sensitive – More sensitive than public. Some negative impact could occur.
o Public – Lowest level of classification. Use for all data not considered a classification from above.
Due Care and Due Diligence
• Due Care – Reasonable care to protect the interests of the organization.
• Due Diligence – Practicing the activities that maintain the due care effort.
Security Policy Structure
• Security Policy – Document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.
• Standards – Define compulsory requirements for the homogenous use of hardware, software, technology and security control.
• Baselines – minimum level of security that every system throughout the organization must meet.
• Guidelines – offers recommendations on how standards and baselines are implemented and serve as an operational guide for both security professionals and users.
• Procedures – Detailed, step by step how to document that describes the exact actions necessary to implement a specific security mechanism.
Key Security Roles (REVISIT)
• Senior Manager – Individual ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of the assets. Decision maker.
• Security professional – Trained and experienced network, systems and security engineers responsible for following the directives mandated by senior management. CIO / CISO.
• User – any person who has access to a secured system.
• Data owner – person who is responsible for classifying information for placement and protection within the security solution
• Data custodian – User who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.
• Auditor – Responsible for reviewing and verifying that the security policy is properly implemented and derived security solutions are adequate.
COBIT
• Five key principles
o Meeting stakeholder needs
o Covering the enterprise end-to-end
o Applying a single, integrated framework
o Enabling a holistic approach
o Separating governance from management
Threat Modeling
• The security process where potential threats are identified, categorized and analyzed
o A reactive approach to threat modeling takes place after a product has been created and deployed.
Also known as the adversarial approach.
o Approaches to identifying threats:
Focused on Assets – attempts to identify threats to valuable assets. E.g. a specific asset can be evaluated to determine if it is susceptible to an attack.
Focused on Attackers – identifies potential attackers and can identify the threats they represent based on the attacker’s goals. E.g. Government knows Russians are trying to get their shit.
Focused on Software – Considers potential threats to software an organization develops.
o Threat Categorization Methods:
STRIDE:
• Spoofing – attack with a goal of gaining access to a target system through the use of falsified identities
• Tampering – Any action resulting in unauthorized changes or manipulation of data, whether in transit or storage
• Repudiation – The ability of a user or attacker to deny having performed an action or activity.
• Information disclosure – Distribution of private, confidential or controlled information to eternal or unauthorized entities.
• Denial of Service – Prevention of authorized use of a resource.
• Elevation of Privilege – Attack where a limited user account is transformed into an account with greater privileges.
Process for Attack Simulation and Threat Analysis (PASTA):
• Stage I - Definition of the Objectives for the Analysis of Risks (DO)
• Stage II - Definition of Technical Scope (DTS)
• Stage III - Application Decomposition and Analysis (ADA)
• Stage IV - Threat Analysis (TA)
• Stage V – Weakness and vulnerability analysis (WVA)
• Stage VI – Attack Modeling and Simulation (AMS)
• Stage VII – Risk Analysis and Management (RAM)
o Reduction Analysis – Also known as decomposing the application/system/environment
Gain a greater understanding of the logic of the product as well as its interaction with external elements
Each identified sub element (e.g. modules, subroutines, computers, OS’s, protocols, etc.) should be evaluated in order to understand its:
• Inputs
• Processing
• Security
• Data management
• Storage
• Outputs
Five key concepts:
• Trust boundaries - Any location where the level of trust or security changes
• Data Flow Paths – The movement of data between locations
• Input Points – Locations where external input is received
• Privileged Operations – Any activity that requires greater privileges than of a standard user account or process, typically required to make system changes or alter security
• Details about Security Stance and Approach – The declaration of the security policy, security foundations, and security assumptions.
o Prioritization and Response via the DREAD system
Damage Potential – How sever is the damage likely to be if the threat is realized?
Reproducibility – How complication is it for attackers to reproduce the exploit?
Exploitability – How hard is it to perform the attack?
Affected Users – How many users are likely to be affected by the attack?
Discoverability – How hard is it for an attacker to discover the weakness?
Chapter 1 Exam Essentials:
• Understand the CIA Triad elements of confidentiality, integrity and availability.
• Be able to explain how identification works.
• Understand the process of authentication.
• Know how authorization fits into a security plan.
• Understand security governance.
• Be able to explain the auditing process.
• Understand the importance of accountability.
• Be able to explain nonrepudiation.
• Understand security management planning (strategic, tactical, operational)
• Know the elements of a formalized security policy structure
• Understand key security roles
• Know how to implement security awareness training
• Know how layering simplifies security
• Be able to explain the concept of abstraction
• Understand data hiding
• Understand the need for encryption
• Be able to explain the concepts of change control and change management
• Know why and how data is classified
• Understand the importance of declassification
• Know the basics of COBIT
• Know the basics of threat modeling (NEED VAST AND TRIKE STILL)
• Understand the need to apply risk-based management concepts to the supply chain
Chapter 2: Personnel Security and Risk Management Concepts
Humans are the weakest element in any security solution.
Personally Identifiable Information (PII)
• Any data item that can easily and/or obviously traced back to a specific person. Includes:
o Phone Number
o Email Address
o Mailing Address
o SSN
o IP / MAC (in the EU)
Documentation Review – process of reading the exchanged materials and verifying them against standards and expectations. Typically performed before an on-site inspection takes place.
• May decide to postpone an on site visit if documentation review comes back incomplete.
ATO – Authorization to Operate – Ability to provide services to government / military
• Can be revoked for failure to demonstrate proper governance
• Can be downgraded to a Temporary Authorization to Operate (TATO)
Risk Analysis
• Risk – Possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
• Threat – Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset.
• Vulnerability – Weakness in an asset or the absence or the weakness of a safeguard or countermeasure
• Attack – Exploitation of a vulnerability by a threat agent.
Quantitative Risk Analysis – Six Steps
1. Inventory Assets and Assign a value (AV – See Asset Valuation)
2. Research each asset and produce a list of all possible threats of each individual asset. For each listed threat, calculate the exposure factor (EF, also referred to as loss potential) and single loss expectancy (SLE)
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year – the Annualized Rate of Occurrence (ARO)
4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response for each threat.
QUANTITATIVE = NUMBERS, VALUES
Calculations / Mathematics
• Asset Value (AV) – value of the asset (i.e. a $50,000 facility).
o Includes the following considerations:
Purchase cost
Development cost
Administrative or management cost
Maintenance and upkeep cost
Cost in acquiring asset
Cost to protect or sustain asset
Value to owners and users
Value to competitors
Intellectual property or equity value
Market Valuation
Replacement Cost
Productivity enhancement or degradation
Operational costs of assets presence and loss
Liability of asset loss
Usefulness
• Exposure Factor (EF) – The expected overall asset value lost by the realization of a risk (i.e. 50% of the facility, 25% of the server, etc.).
• Single Loss Expectancy (SLE) – the cost associated with a single realized risk against a specific asset.
o SLE = AV * EF
o Expressed as a dollar value
o i.e. a $200,000 facility with an exposure factor of 45 percent
AV = $200,000
EF = .45
SLE = $200,000 * .45 = $90,000
• Annualized Rate of Occurrence (ARO) – The expected frequency with which a specific threat or risk will occur within a single year. Also known as probability determination.
o Essentially – how many times do we expect this to happen each year
o Hopefully won’t have to calculate it unless we’re reverse engineering the ALE formula (below).
• Annualized Loss Expectancy (ALE, or ALE1 in the grand scheme) – Possible yearly cost of all instances of a specific realized threat against a specific asset.
o ALE = SLE * ARO
o i.e. if the SLE of an asset is $90,000, and the ARO for a specific threat (i.e. power loss) is .5, the ALE is $45,000.
ALE = $90,000 * .5
ALE = $45,000
o If, the ARO is 15, then the ALE is $1,350,000
ALE = $90,000 * 15
ALE = $1,350,000
• Calculating ALE with a safeguard (ALE2) –
o The safeguard (control) should not change the Exposure Factor EF (i.e. if the control fails, you’re still fucked – e.g. body armor).
o The safeguard should reduce the ARO.
This should be intuitive – a good control should stop the risk from occurring.
o One should calculate the ALE before the control and after the control.
The control should bring he ALE down, hopefully significantly.
• Calculating Safeguard Costs (ACS, or Annualized Safeguard Cost) –
o Must compile a deployment cost for each safeguard.
If the safeguard’s cost is more than the value of the protected asset, risk should be accepted.
Avoid the old $10 fence around a $5 cow
o Safeguard costs should consider:
Cost of purchase, development and licensing.
Cost of implementation and customization.
Cost of annual operation, maintenance, administration, etc.
Cost of annual repairs and upgrades
Productivity improvement or loss
Changes to environment
Cost of testing and evaluation
Again – these costs should not exceed the value of the protected asset, or they are immediately not worth it.
• Calculating safeguard cost/benefit –
o Annualized Loss Expectancy before safeguard (ALE1) – Annualized Loss Expectancy after safeguard (ALE2) – Annualized Safeguard Cost (ACS)
(ALE1 – ALE2) – ACS
The countermeasure with the highest value of this calculation is the most economic countermeasure to deploy.
Qualitative Risk Analysis – scenario based. Rather than assign specific values, rank threats on a scale to evaluate the risks costs, and effects.
• Hybrid analysis – combining qualitative and quantitative analysis.
• Delphi Technique – anonymous feedback on risks by a group of participants. Keep repeating until a consensus is reached.
Risk Responses –
• Risk Mitigation / Risk Reduction – implementing countermeasures to reduce the risk. Can include risk avoidance.
• Risk Transfer / Risk Assignment – placement of the cost of loss a risk represents to another entity or organization (e.g. insurance).
• Risk Acceptance / Risk Tolerance – Fuck it, we’re not doing anything about it. Should be documented as to why.
• Risk Deterrence – Process of implementing deterrents to would-be violators (e.g. cameras, ‘this house is protected by BRINKS, etc.).
• Risk Avoidance – Selecting alternative options or activities that have less associated risk than the default (e.g. choosing to fly instead of drive, dropping a service line, etc.).
• Risk Rejection – Ignore or pretend the risk isn’t there. DO NOT DO THIS ONE.
Types of Controls
• Deterrent – deployed to discourage violation of security policies. Often depend on individuals deciding not to take an unwanted action (e.g. locks, fences, badges, cameras, signs, etc.)
• Preventative – Deployed to thwart or stop unwanted or unauthorized activity from occurring.
• Detective – deployed to discover or detect unwanted or unauthorized activity.
• Corrective – Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. Attempts to correct any problems that occurred as a result of a security incident (e.g. AV that quarantines a virus, backup and restore plans).
• Recovery – An extension of corrective controls but have more advanced or complex capabilities (e.g. backup processes, hot sites, reciprocal agreements, etc.)
• Directive – Deployed to direct, confine, or control the action of subjects to force or encourage compliance with security policies (e.g. escape route and exit signs, monitoring and supervisory procedures).
Risk Management Framework (RMF) – Six Steps, per NIST SP 800-37
1. Categorize the information system – and the information processed, stored, and transmitted by the system based on an impact analysis.
2. Select an initial set of baseline security controls – for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
3. Implement the security controls – and describe how the controls are employed within the information system and its environment of operation.
4. Assess the security controls – using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
5. Authorize information system operation – based on determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
6. Monitor the Security Controls – in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analysis of the associated changes, and reporting the security state of the system to designated organization officials.
May want to familiarize with:
• OCTAVE – Operationally Critical Threat, Asset and Vulnerability Evaluation
• FAIR – Factor Analysis of Information Risk
• TARA – Threat Agent Risk Assessment
Chapter 2 Exam Essentials:
• Understand the security implications of hiring new employees.
• Be able to explain separation of duties.
• Understand the principles of least privilege.
• Know why job rotation and mandatory vacations are necessary.
• Understand vendor, consultant and contractor controls.
• Be able to explain proper termination policies.
• Know how privacy fits into the realm of IT security.
• Be able to discuss third party governance of security.
• Be able to define overall risk management.
• Understand risk analysis and key elements involved.
• Know how to evaluate threats.
• Understand quantitative risk analysis.
• Be able to explain the concept of exposure factor.
• Know what single loss expectancy is and how to calculate it.
• Understand annualized rate of occurrence.
• Know what annualized loss expectancy is and how to calculate it.
• Know the formula for safeguard evaluation.
• Understand qualitative risk analysis.
• Understand the Delphi technique.
• Know the options for handling risk.
• Be able to explain total risk, residual risk, and control gap.
• Understand control types.
• Know how to implement security awareness training and education.
• Understand how to manage the security function.
• Know the six steps of the risk management framework.
Chapter 3: Business Continuity Planning
Business Continuity Planning
• Four Main Steps of BCP process
1. Project Scope and Planning
Business Organization Analysis - Structured Analysis of the Business’s Organization from a crisis planning point of view.
BCP Team Selection - The creation of a BCP team with the approval of senior management
Resource Requirements - An assessment of the resources available to participate in business continuity activities. Involves resources required by three distinct phases.
• BCP Development – Putting it together
• BCP Testing, Training and Maintenance – Prepping for when it’s needed
• BCP Implementation – letting that bitch fly when it’s needed.
Legal and Regulatory Requirements - An analysis of the legal and regulatory landscape that governs an organization’s response to a catastrophic event.
2. Business Impact Assessment – Identifies the resources that are critical to an organization’s ongoing viability and the threats posed to those resources. Also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business.
Identify Priorities –
• Create a list of assets and assign an asset value.
• Develop the Maximum Tolerable Downtime (MTD or Maximum Allowable Outage (MTO)) – the maximum length of time a business function can be down without causing irreparable harm to the business.
• Develop Recovery Time Objectives (RTOs) – The time in which the organization believes they can feasibly recover the function in the event of a disruption.
o The goal of BCP is to ensure that RTOs are less than MTOs/MTDs, resulting in a situation in which a function should never be unavailable beyond the maximum tolerable downtime.
Risk Identification –
• Figure out what risks are posed to the organization.
Likelihood Assessment –
• Usually expressed in terms of the Annualized Rate of Occurrence (ARO)
• AROs should be developed for each risk identified.
Impact Assessment –
• Uses the SLE, ALE formulas from Chapter 2.
Resource Prioritization –
• Prioritize the allocation of business continuity resources to the various risk that have been identified and assessed in the previous task.
• Create a list of all risks analyzed during the BIA process and sort them in descending order according to the ALE computed during the impact assessment phase.
3. Continuity Planning –
Strategy Development – BCP team should look back to the MTD estimates created during the early stages of the BIA and determine which risks are deemed acceptable and which must be mitigated by the BCP continuity provisions.
Provisions and Processes – BCP team designs the specific procedures and mechanisms that will mitigate the risks deemed unacceptable during the strategy development stage, amongst three asset categories:
• People –
• Buildings and facilities –
• Infrastructure –
4. Approval and Implementation –
The plan should be approved by the top executive. Plan should be maintained, and training and education should be performed.
• Key Documentation Components of BCP –
1. Continuity Planning Goals – describes the goals of continuity planning as set forth by the BCP team and senior management.
2. Statement of Importance – Takes the form of a letter to the organization’s employees stating the reasons that the organization devoted significant resources to the BCP development process and requesting the cooperation of all personnel in the BCP implementation phase.
3. Statement of Priorities – Lists the functions considered critical to the continued business operations in a prioritized order.
4. Statement of Organizational Responsibility – Restates the organization’s commitment to business continuity planning and informs employees, vendors, and affiliates that they are individually expected to do everything they can to assist with the BCP process.
5. Statement of Urgency and Timing – Expresses the criticality of implementing the BCP and outlines the implementation timetable decided on by the BCP team and agreed to by upper management.
6. Risk Assessment – Should include discussion of all the risks considered during the BIA, as well as the AV, EF, ARO, SLE, and ALE figures from Chapter 2.
7. Risk Acceptance / Mitigation Section – Contains the outcome of the strategy development portion of the BCP process. Should outline reasons for finding risks acceptable or unacceptable.
8. Vital Records Program – States where critical business records will be stored and the procedures for making and storing backup copies of the records.
9. Emergency Response Guidelines – Outlines the organizational and individual responsibilities for immediate response to an emergency situation.
10. Testing and Exercise – Outlines a formalized exercise program to ensure that the plan remains current and that all personnel are adequately trained to perform their duties in the event of a disaster.
Chapter 3 Exam Essentials:
• Understand the four steps of the business continuity planning process.
• Describe how to perform the business organization analysis.
• List the necessary members of the business continuity team.
• Know the legal and regulatory requirements that face business continuity planners.
• Explain the steps of the business impact assessment process.
• Describe the process used to develop a continuity strategy.
• Explain the importance of fully documenting an organization’s business continuity plan.
Chapter 4: Laws, Regulation and Compliance
Categories of Law
• Criminal Law – Fuck up and go to Jail
• Civil Law – Fuck up and get sued
• Administrative Law – How the law / government works.
Laws You’ll Need to Know
• Comprehensive Crime Control Act (CCCA) – 1984. Made it a crime to do any of the following:
o Access classified information or financial information in a federal system without authorization or in excess of authorized privileges.
o Access a computer used exclusively by the federal government without authorization.
o Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself)
o Cause malicious damage to a federal computer in excess of $1,000
o Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual.
o Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system.
• Computer Fraud and Abuse Act (CFAA) – 1986. Expanded CCCA:
o Expands application to “federal interest” computers, which includes:
• Any computer used exclusively by the U.S. Government
• Any computer used exclusively by a financial institution.
• Any computer used by the government or a financial institution when the offense impedes the ability of the government or institution to use the system
• Any combination of computers used to commit an offense when they are not all located in the same area
o Upped damage total to be malicious damage to a computer system in excess of $5,000
• Computer Abuse Amendments Act (CAAA) – 1994. Provisions included the following:
o Outlawed the creation of any type of malicious code that might cause damage to a computer system.
o Modified the CFAA to cover any computer use din interstate commerce rather than just “federal interest” computer systems.
o Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage.
o Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages.
• National Infrastructure Protection Act – 1996. Included the following main new areas of coverage:
o Broadens CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce.
o Extends similar protections to portions of the national infrastructure to other than computing systems, such as railroads, gas pipelines, electric power grids, and telecommunications circuits.
o Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony.
• Federal Information Security Management Act (FISMA) – 2002.
o Requires that federal agencies implement an information security program that covers the agency’s operations.
o Requires that government agencies include the activities of contractors in their security management program.
o Outlines the following elements of an effective information security program (per NIST):
• Periodic assessment of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization.
• Policies and Procedures that are based on risk assessments, cost-effectively reducing information security risks to an acceptable level and ensuring that information security is addressed throughout the lifecycle of each organizational information system.
• Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate.
• Security awareness training to inform personnel (including contractors) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks.
• Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually.
• A Process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization.
• Procedures for detecting, reporting, and responding to security incidents.
• Plans and Procedures to ensure continuity of operations for information systems that support the operations and assets of the organization.
• Federal Cybersecurity Laws of 2014. Three laws:
1. Federal Information Systems Modernization Act – Modified 2002 FISMA by centralizing cybersecurity within the department of homeland security.
2. Cybersecurity Enhancement Act – Charges NIST with coordinating nationwide work on voluntary cybersecurity standards.
• NIST produced the 800 series of Special Publications.
• 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations
• 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
• NIST Cybersecurity Framework (CSF) – Set of standards designed to serve as a voluntary risk-based framework for securing information and systems.
3. National Cybersecurity Protection Act – Charged Department of Homeland Security with establishing a national cybersecurity and communications integration center that serves as an interface between federal agencies and civilian organizations for sharing cybersecurity risks, incidents, analysis and warnings.
Federal Sentencing Guidelines – 1991. Three Major provisions
1. Formalized the prudent man rule which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation.
2. Allowed organizations and executives to minimize punishment for infractions by demonstrating that they used due diligence in the conduct of their information security duties.
3. Outlined three burdens of proof for negligence:
1. Person accused of negligence must have a legally recognized obligation.
2. Person must have failed to comply with recognized standards.
3. Must be a causal relationship between the act of negligence and subsequent damages.
Copyright
• Guarantees the creators of ‘original works of authorship’ protection against the unauthorized duplication of their work.
• Eight broad categories of works quality:
1. Literary Works
This includes computer software, however the law only protects the expression inherent in computer software (the actual source code).
2. Musical Works
3. Dramatic Works
4. Pantomimes and Choreographic Works
5. Pictorial, graphical, and sculptural works
6. Motion pictures and other audiovisual works
7. Sound recordings
8. Architectural works
• Copyright Ownership always defaults to the creator of a work.
• Exception is work considered “for hire” – made for an employer during the course of an employee’s normal work day.
• Protects the material for:
• One or more authors – until 70 years after the death of the last surviving author.
• Works for hire / anonymous works – 95 years from date of first publication or 120 years from the date of creation, whichever is shorter.
• Digital Millennium Copyright Act (DMCA) – 1998. Major provisions:
• Prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder.
Penalties up for $1,000,000 and 10 years in prison for repeat offenders.
Nonprofit institutions (schools, libraries) are exempt.
• Limits liability of ISPs when their circuits are used to violate law, as long as:
The transmission is initiated by a person other than the provider.
The transmission, routing, provision of connections, or copying must be carried out by an automated process without selection of material by the service provider.
The service provider must not determine the recipients of the material.
Any intermediate copies must not ordinarily be accessible to anyone other than anticipated recipients and must not be retained for longer than reasonably necessary.
Material must transmitted with no modification to its content.
• Exempts service providers related to system caching, search engines, and storage of information on a network, provided the service provider take prompt action to remove materials upon notification of infringement (e.g. the DMCA shut down shit on youtube).
Trademarks
• Protection of words, slogans, and logos used to identify a company and its products or services.
o Company would copyright a sales brochure, but trademark a company name and specific product names.
• Do not need to be officially registered to gain protection under law.
o If you use a trademark in the course of your public activities, you are automatically protected under any relevant trademark law and can use the TM symbol to show that you intend to protect the words or slogans in the rademark.
o Can go through United States Patent and Trademark Office (USPTO) to register a trademark.
USPTO does a comprehensive search of trademarks.
If it comes back clear, can you the ® to indicate it is a registered trademark.
o Can not be a description of goods or services offered (e.g. Justin’s software company).
• Granted for an initial period of 10 years and can be renewed for unlimited successive 10-year periods.
Patents
• Apply to inventions
• Three main requirements:
1. Invention must be new
2. Invention must be useful (must work and accomplish a task)
3. Invention must not be obvious.
Trade Secrets
• Intellectual property that is absolutely critical to the business, and significant damage would results if it were disclosed to competitors and/or the public. (e.g. Coca Cola Recipe, KFC herbs and spices)
o Must ensure anyone who has access has signed an NDA.
o Must implement adequate controls to ensure only authorized people can access.
o Must take steps to demonstrate that the organization values and protects its intellectual property.
• Protected by Economic Espionage Act of 1996 – Two major provisions
o Anyone found guilty of stealing trade secrets from a U.S. corporation with the intent of benefiting a foreign government or agent may be fined up to $500,000 and imprisoned for up to 15 years.
o Anyone found guilty of stealing trade secrets under other circumstances may be fined up to $250,000 and imprisoned for up to 10 years.
Licensing
• Four common types of software licensing agreements:
o Contractual License Agreements – Use a written contract between the vendor and customer, outlining the responsibilities of each.
o Shrink-Wrap License Agreements – Written on the outside of software packaging. Commonly include a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package.
o Click-Through License Agreements – Contract terms are written on the software box or included in the software documentation. During the installation process, user must click a button indicating that they have read and agree to abide by terms.
o Cloud Services License Agreements – Flash legal terms on the screen for review. May simply provide a link to legal terms and a check box for users to confirm they have read and agree to the terms.
Privacy Law
• Fourth Amendment is the basis for privacy rights in the U.S. Constitution.
• Privacy Act of 1974 –
o Limits federal government’s ability to disclose private information to other individuals or agencies without express consent.
o Mandates federal government only maintain records that are necessary for conducting their business, and must be destroyed when no longer needed.
o ONLY APPLIES TO FEDERAL AGENCIES
• Electronic Communications Privacy Act of 1986 –
o Makes it illegal to invade the electronic privacy of an individual.
o Illegal to monitor mobile telephone conversations.
o Punishable by fine up to $500 and five years in prison.
• Communications Assistance for Law Enforcement Act (CALEA) – 1994. Requires all communications carries to make wiretaps possible for law enforcement with an appropriate court order, regardless of technology in use.
• Economic Espionage Act of 1996 – Extends the definition of property to include proprietary economic information.
• HIPAA - 1996
• HITECH – 2009
• Children’s Online Privacy Protection Act of 1998 (COPPA) – websites that cater to children must
o have a clear privacy notice
o provide parents with opportunity to view what’s collected on their children
o Get verifiable consent to collect information about children younger than 13.
• GLBA – 1999
o Relaxed the limitations on what services financial institutions could provide and information they could share between each other and their subsidiaries.
• Patriot act – 2001
o Wiretapping, shithead government gets powers to spy.
o Amends CFAA coverage and makes penalty up to 20 years in jail.
• Family Educational Rights and Privacy Act (FERPA) –
o Education Sector
o Parents of minors or Students over 18 may:
Inspect any educational records maintained by the institution on the student.
Have the right to request correction of records that are erroneous or have a statement in the record saying they contest the record.
o Schools may not release personal information from student records without written consent, outside of certain circumstances.
• Identify Theft and Assumption Deterrence Act – 1998
o Makes it a crime against the person whose identity was stolen.
o Up to 15 years in prison or $250,000 fine.
• EU Privacy Law / GDPR
• PCI DSS
Chapter 4 Exam Essentials:
• Understand the difference between criminal law, civil law, and administrative law.
• Be able to explain the basic provisions of the major laws designed to protect society against computer crime.
• Know the differences between copyrights, trademarks, patents, and trade secrets.
• Be able to explain the basic provisions of the Digital Millennium Copyright Act of 1998.
• Know the basic provisions of the Economic Espionage Act of 1996.
• Understand the various types of license agreements.
• Understand the notification requirements placed on organizations that experience a data breach.
• Understand the major laws that govern privacy of personal information in both the US and the EU.
• Explain the importance of a well rounded compliance program.
• Know how to incorporate security into the procurement and vendor governance process.
Chapter 5: Protecting Security of Assets
Personally Identifiable Information (PII) –
• Any information about an individual maintained by an agency, including:
o Any information that can be used to distinguish or trace an individual’s identify, such as name, social security number, date and place of birth
o Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Protected Health Information (PHI) –
• Any information, whether oral or recorded in any form or medium, that:
o Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and
o Relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual.
Data Classifications –
• Identifies the value of the data to the organization and is critical to protect data confidentiality and integrity. The policy identifies classification labels used within the organization. It also identifies how data owners can determine the proper classification and how personnel should protect data based on its classification.
• US Government provides clear definitions:
• Top Secret – applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.
• Secret – applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.
• Confidential – applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.
• Unclassified – Any data that doesn’t meet one of the descriptions for the above.
Asset classifications should match the data classifications. Backup tapes should match the classification level of the data.
Marking (also called labelling) sensitive information ensures that users can easily identify the classification level of any data.
• Simple method is to include the classification as a header and/or footer in a document, or embed it as a watermark.
o DLP systems can identify classification levels easier with this method.
Data Remanence –
Data that remains after the data was supposedly erased.
One way to remove remanence is with a degausser.
Other forms of destroying data:
• Erasing – performing a delete operation against media.
o Mostly just removes the directory or catalogue link to the file
o Data remains on the drive.
• Clearing /Overwriting – writing over all addressable location on the media with unclassified data.
• Purging – More intense form of clearing that repeats the clearing process multiple times and may combine it with other processes.
• Degaussing - Generates a heavy magnetic field, which realigns the magnetic fields in magnetic media.
o Works on hard drives, magnetic tape and floppy disks.
o Only effective on magnetic media.
o Will NOT work on SSDs, CDs or DVDs.
o SSD needs to be destroyed or remaining data needs to be encrypted.
• Destruction – most secure – totally destroys media.
o Includes incineration, crushing, shredding, disintegration, and using caustic chemicals.
o Some organizations remove disk platters and destroy them independently
Determining Ownership –
Data / Information Owner – the person who has ultimate organizational responsibility for the data.
• Typically the CEO, president, or a department head
• Identify the classification of the data and ensure that it is properly labeled.
• Establishes the rules for appropriate use and protection of the subject data/information
• Provides input to information system owners regarding the security requirements an security controls for the information systems where the information resides.
• Decides who has access to the information system and with what types of privileges or access rights.
• Assists in the identification and assessment of the common security controls where information resides.
Asset / System Owner – the person who owns the asset or system that processes sensitive data.
• Develops, maintains and updates a system security plan
• Ensure system users and support personnel receive training and instruction
• Assists in the identification and assessment of the common security controls where information resides.
• Identifies highest level of data that a system processes.
Data Administrator – Responsible for granting appropriate access to personnel.
Data Custodian – Helps protect the integrity and security of data by ensuring that it is properly stored and protected. Usually delegated these responsibility by data owner.
Users – any person who accesses data
Pseudonymization – process for using pseudonyms to represent other data. E.g. patient 24356 instead of patient’s name.
Tokenization – Uses tokens to represent other data, similar to pseudonymization.
Anonymization / Masking data – The process for removing all relevant data so that it is impossible to identify the original subject or owner. Can not be reversed.
CalOPPA – California’s badass privacy law.
Chapter 5 Exam Essentials:
• Understand the importance of data and asset classification
• Know PII and PHI
• Know how to manage sensitive information.
• Understand record retention
• Know the difference between different roles
• Understand GDPR security controls.
• Know about security baselines.
Chapter 6: Cryptography and Symmetric Key Algorithms
Four Fundamental Goals:
• Confidentiality – Ensures that data remains private in three different situations – at rest (stored in a permanent place), in transit (aka - on the wire), in use (in active memory).
o Symmetric Cryptosystems
o Asymmetric Cryptosystems
• Integrity – Ensures that data is not altered without authorization.
o Enforced through use of encrypted message digests, known as digital signatures
• Authentication – verifies the claimed identify of system users and is a major function of cryptosystems
• Nonrepudiation – Provides assurance to the recipient that the message was originated by the sender and not someone pretending to be the sender.
o Prevents the sender from claiming that they never sent the message.
o Offered only by public key (asymmetric) cryptosystems.
Cryptology
• Symmetric Cryptosystems – Use a shared secret key available to all users of the cryptosystem.
o AKA Secret Key
o AKA Private Key
• Asymmetric Cryptosystems – Use individual combinations of public and private keys for each user of the system.
o AKA Public Key
• Code – Cryptographic system of symbols that represent words or phrase.
o Not necessarily meant to protect confidentiality
o E.g. 10-4 on cop scanners.
• Cipher – Always meant to hide the true meaning of a message.
• Plaintext – message prior to being put into a coded form. Cryptography encrypts a plaintext message and produce a ciphertext message.
• Key – A number / password
o AKA Cryptovariables.
• Cryptography – art of creating and implementing secret codes and ciphers.
• Cryptanalysis – Study of methods to defeat codes and ciphers
• Cryptology – Combination of cryptography and cryptanalysis (kind of like good versus evil).
• Cryptosystems – Specific implementations of a code or cipher in hardware and software
• Kerchoff’s Assumption – AKA Kerchoff’s Principle – A system should be secure een if everything about the system, except the key, is public knowledge.
• One Way Function – easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values.
• Nonce – Random number that acts as a placeholder variable in mathematical functions. When the function is executed, the nonce is replaced by a randomly generated number.
o Initial Vector is an example of a nonce.
• M of N Control – Subset out of population required to work together to perform high security tasks.
o E.g. Three of Eight controls requires 3 of the 8 available agents to perform the task.
• Work Function – the amount of effort required to break a cryptographic algorithm.
Logical Operations (See page 204)
• AND “^” – both values need to be true
• OR “v” – One value needs to be true
• NOT “~” or “!” – opposite of the input
• EXCLUSIVE OR (XOR) – “like a circle with a cross in it” – only one can be true. If both true, its false.
• Modulo – number left over.
o 8 mod 2 = 2
o 6 mod 8 = 6
o 10 mod 3 = 1
o 10 mod 2 = 0
o 32 mod 8 = 0
Ciphers
• Transposition Ciphers – Use an encryption algorithm to rearrange the letters of a plaintext message, forming the ciphertext message. (See page 208)
• Substitution Ciphers – Replace each character or bit of the plaintext message with a different character. (See page 209)
• One Time Pad – Use a different substitution alphabet for each letter o the plaintext message.
o AKA – Vernam ciphers
o When used properly they are unbreakable.
Must be randomly generated.
Must be physically protected against disclosure.
Each one time pad must only be used once
Key must be as long as the message to be encrypted
o Major obstacle is the difficulty of generating, distributing and safeguarding the lengthy keys required. Can only be realistically used for short messages.
• Running Key Cipher – AKA book cipher – Encryption key is as long s the message itself and is often chosen from a common book. (See page 213)
• Block Ciphers – Operate in “chunks,” or blocks, of a message and apply the encryption algorithm to an entire message block at the same time.
o Most modern encryption algorithms implement some sort of block cipher.
• Stream Ciphers – Operate on one character or bit of a message (the data stream) at a time.
• Confusion – occurs when the relationship between the plaintext and the key is so complicated that an attacker can’t merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key.
• Diffusion – Occurs when a change in the plaintext results in multiple changes spread throughout the ciphertext.
Number of possible keys = 2^n where n=bits
Symmetric Key Algorithms
• Rely on a “shared secret” encryption key that is distributed to all members who participate in the communications.
o Also called Secret Key cryptography
o Also called Private Key cryptography
• Only provides for confidentiality
• Several Weaknesses:
o Key distribution is a major problem – Parties must have a secure method of exchanging the secret key before establishing communication.
o Does not implement non-repudiation -Any communicating party can encrypt and decrypt messages with the shared secret key, there is not way to prove where a given message originated.
o Algorithm is not scalable – difficult in large groups to communicate using symmetric key cryptography
o Keys must be regenerated often – Each time a participant leaves the group, all keys known by that participant must be discarded.
• Major strength – very fast.
• Number of keys required = n(n-1) / 2
• Creation and Distribution of Keys –
o Offline Distribution – One party provides the other with a sheet of paper or piece of storage media containing the secret key.
o Public Key Encryption – In a twist of irony, public key encryption is used to exchange private keys.
o Diffie-Helman – Used when two parties can not physically exchange their keys.
• Storage and Destruction of Keys –
o Never store an encryption key on the same system where encrypted data resides. Idiot.
o For sensitive keys, consider split knowledge.
o When a user with knowledge of the secret key leaves an organization, all keys must be changed and encrypted documents must be re-encrypted with a new key.
Asymmetric key Algorithms – wait till I see your ass in public
• Also known as public key encryption
• Also known as public key algorithms
• Can provide integrity, authentication and nonrepudiation
• Each user has two keys –
o Public key which is shared with all users
o Private key which is kept secret and known only by the user
o Opposite and related keys must be used in tandem to encrypt in decrypt
E.g. if the public key encrypts, only the corresponding private key can decrypt it and vice versa
• If Alice want to send a message to Bob, she encrypts the message using Bob’s public key. The only way to decrypt this message is to use Bob’s private key, of which only Bob knows. Alice can’t even decrypt it herself once it is encrypted. If Bob wants to send a reply to Alice, he encrypts it using her public key, and she’s the only one who can decrypt it with her private key.
• If Bob wants to assure other users that a message with his name on it was actually by him, he creates a message digest by using a hashing algorithm. He then encrypts the digest using his private key. Any user who wants to verify the signature would decrypt the message digest using Bob’s public key and then verifies that the decrypted message digest is accurate.
• Number of keys required = number of people x 2. Makes sense – everyone has a private and public key.
• Major Strengths –
o The addition of new users requires the generation of only one public-private key pair
o Users can be removed far more easily than symmetric systems
o Key regeneration is required only when a user’s private key is compromised
o Key distribution is a simple process
o No preexisting communication link is needed – two individuals can easily begin communicating securely from the moment they start communicating. Asymmetric cryptography does not require a preexisting relationship to provide a secure mechanism for data exchange.
• Major Weakness – Slow as fuck
Symmetric Symmetric Asymmetric
Also Called Private Key Cryptography, Secret Key Cryptography Public Key Cryptography
Exchange Out-of-Band (not within the communication) In-Band
Scalability Not Scalable Scalable
Provides Confidentiality Confidentiality, Integrity, Authenticity, Nonrepudiation
Style Bulk Encryption Small blocks of data, digital signatures, digital envelopes, digital certificates
Speed Fast as fuck Slow as fuck
Keys Needed (N*(N-1)) / 2 N*2
Encrypt / Decrypt Encrypt and decrypt using same private (secret) key Encrypt using public, decyrypt usingn private (confidentiality)
Encrypt using private, decrypt using public (integrity, authenticity, nonrepudiation)
Types of Encryption
• Data Encryption Standard (DES) –
o Published by the U.S. Government in 1977
o Building block for triple DES
o Uses XOR command and Performs 16 rounds of encryption
o Not considered secure
o Has five modes
Electronic Code Book Mode (ECB) – last secure. Encrypts each block the same way. Has a ‘code book’ of all possible encrypted values.
Cipher Block Chaining Mode (CBC) – each block of unencrypted text is XORed with the block of ciphertext immediately preceding it before it is encrypted using the DES algorithm. Decryption decrypts the ciphertext and reverses the XOR operation.
Cipher Feedback Mode (CFB) – operates against data produced in real time. Instead of breaking a message into blocks, it uses memory buffers of the same block size. As the buffer becomes full it is encrypted and sent to recipients.
Output Feedback Mode (OFB) – Operates similar to CFB, but XORs the previous text with a seed value instead.
Counter Mode (CTR) – uses a stream cipher similar to that used in CFB and OFB modes.
• Triple DES (3DES) – adapted version of DES to overcome DES’s security issues.
o There are four variants of 3DES
DES-EEE3
DES-EDE3
DES-EEE2
DES-EDE2
• All are considered to be equally secure
• International Data Encryption Algorithm (IDEA)
o Popular implementation is PGP (Pretty Good Privacy)
• Blowfish
o Often used in SSH
o Block Cipher
o Public use with no license required
• Skipjack
o Government
o NIST and the Department of Treasury hold a portion of the information required to decrypt
o People do not trust this shit
• Advanced Encryption Standard (AES)
o Rjindael (“rhine-doll”) – chosen to replace DES
o Mandated to be used t encrypt all sensitive but unclassified data by US Government
Name Block Size Key Size Secure
Advanced Encryption Standard (AES) 128 128, 192, 256 Fuck Yes
Rijndael Variable 128, 192, 256 Fuck Yes
Blowfish 64 32 - 448 Fuck Yes
Data Encryption Standard (DES) 64 56 Fuck No
International Data Encryption Algorithm (IDEA) 64 128 Nah
Rivest Cipher 2 (RC2) 64 128 Variable
Rivest Cipher 5 (RC5) 32, 64, 128 0 - 2,040 Variable
Skipjack 64 80 Probably nah
Triple DES (3DES) 64 112-168 Fuck Yes
Twofish 128 1 - 256 Fuck Yes
REMEMBER - THESE ARE ALL SYMMETRIC YOU IDIOT
Chapter 6 Exam Essentials:
• Understand the role that confidentiality, integrity and nonrepudiation play in cryptosystems
• Know how cryptosystems can be used to achieve authentication goals
• Be familiar with the basic terminology of cryptography
• Understand the difference between code and a cipher and explain the basic types of ciphers
• Know the requirements for a successful use of a one-time pad
• Understand the concept of zero-knowledge proof
• Understand split knowledge
• Understand work function (work factor)
• Understand the importance of key security
• Know the differences between symmetric and asymmetric cryptosystems
• Be able to explain the basic operational modes of the Data Encryption Standard (DES)and Triple DES (3DES)
• Know the Advanced Encryption Standard (AES)
Chapter 7: Public Key Infrastructure (PKI) and Cryptography Applications
Length of a cryptographic key is the most important security parameter that can be set by security administrators.
Hash functions – Take a potentially long message and generate antique output value derived from the content of the message.
Message Digest – Output of a hash function
Five requirements of a hash function:
1. Input can be of any length
2. Output has a fixed length
3. Hash function is relatively easy to compute for any input
4. The hash function is one-way
5. The hash function is collision free (meaning that it is extremely hard to find two messages that produce the same hash value)
El Gamal – Uses RSA and doubles the length of any message it encrypts. Based on Diffie Helman
RSA 1024 and DSA 1024 keys are the same as an Elliptical Curve of 160 bits.
Common Hashing Algorithms:
• Secure Hashing Algorithm (SHA) –
o Takes an input of any length and produces a 160 bit message digest.
o Processe a message in 512 bit blocks. If not that length, it’s padded.
o Currently on SHA-3
• Message Digest 2 (MD2) –
o Not a one way function. Should not be used.
o Blocks are 16 bits.
o Produces a 128 bit message digest. (ALL MD’s are 128 bit digests)
• Message Digest 4 (MD4) –
o Message is padded so that it’s 64 bits smaller than a multiple of 512.
o Processes the 512 bit blocks in 3 rounds so the output is a 128 bit message.
• Message Digest 5 (MD5) –
o Also processes 512 bit blocks of message.
Name Hash Value Length
Hash of Variable Length (HAVAL, an MD5 Variant) 128, 160, 192, 224, 256 bits
Hash Message Authenticating Code (HMAC) Variable
MD2 128 bits
MD4 128 bits
MD5 128 bits
Secure Hashing Algorithm (SHA-1) 160 bits
SHA2-224/SHA3-224 224 bits
SHA2-256/SHA3-256 256 bits
SHA2-384/SHA3-384 384 bits
SHA2-512/SHA3-512 512 bits
Digital Signatures
• Two distinct goals -
o Nonrepudiation
o Message integrity during transmission
• Rely on two major concepts
o Cryptography
o Hashing functions
• If Alice wants to digitally sign a message she’s sending to Bob:
1) Alice generates a message digest of the original plaintext message using a hashing algorithm
2) Alice encrypts ONLY the message digest using her private key. The encrypted message digest is the digital signature.
3) Alice appends the signed message digest to the plaintext message.
4) Alice transmits the appended message to Bob.
WHEN BOB RECEIVES THE MESSAGE, HE REVERSES IT.
5) Bob decrypts the digital signature using Alice’s public key.
6) Bob uses the same hashing function to create a message digest of the full plaintext message received from Alice.
7) Bob compares the decrypted message digest he received from Alice with message digest he computed himself. If they match, he knows it’s from her and has not been altered. If they don’t match, either she didn’t send it, or it was altered.
Note that above does not address privacy of the message. For that, Alice could encrypt the entire message with Bob’s public key, and he could decrypt it with his private key.
Rules for Public Key Cryptography
• If you want to encrypt a message, use the recipient’s public key.
• If you want to decrypt a message you receive, use your private key.
• If you want to digitally sign a message you are sending to someone else, use your private key.
• If you want to verify a signature on a message sent by someone else, use the sender’s public key.
Just know the name of these two digital signature algorithms – Schnorr’s signature algorithm and Nyber-Ruppel’s signature algorithm.
Certificates:
• Provides communicating parties with the assurance that the people they are communicating with truly are who they claim to be.
• Essentially these are endorsed copies of an individual’s public key.
o When users verify that a certificate was signed by a trusted certificate authority, they know that the public key is legitimate.
• Construction is governed by X.509 standard. Certificates that conform to the X.509 standard contain the following data (CAN CHECK THESE BY RIGHT CLICKING THE LOCK SYMBOL):
o Version of X.509
o Serial Number
o Signature algorithm identifier
o Issuer name (certificate authority)
o Validity Period
o Subject’s name
o Subject’s public key – the actual public key the certificate owner used to set up secure communications
o
• Certificate Authorities – Neutral organizations that offer notarization services for digital certificates. To Obtain a digital certificate from a reputable CA, you must prove your identify to the satisfaction of the CA.
• Registration Authorities – Assist Certificate Authorities with the burden of verifying users’ identities prior to issuing digital certificates. They do not directly issue certificates themselves, but play an important role in the certification process, allowing Cas to remotely validate user identities.
• Certificate Lifecycle:
o Enrollment – An entity must prove its identify to the CA in some manner.
Once the CA is satisfied, they create an X.509 digital certificate containing the information necessary
The CA then digitally signs the certificate using the CA’s private key.
o Verification – Confirming the certificate by checking the CA’s digital signature using the CA’s public key.
Next, must check certificate was not revoked via one of two methods:
• Checking the Certificate Revocation List (CRL)
• Using the Online Certificate Status Protocol (OCSP). This protocol eliminates the latency inherent to the CRL. When a client receives a certificate, they use this protocol to send an OCSP request to the CA’s OCSP server.
o Revocation – May occur for several reasons:
Certificate was compromised (e.g. the owner gave out their private key)
Certificate was erroneously issued
Details of the certificate have changed
Security association has changed (e.g. the person under the certificate left the company)
• Hardware Security Modules (HSMs) – Store and manage encryption keys in a secure manner that prevents humans from ever needing to work directly with the keys.
Secure Email Standards:
• Pretty Good Privacy (PGP) - Uses "web of trust" - Must become trusted by one or more PGP users to being using the system. Has two Versions:
o Commercial – Uses RSA for key exchange, IDEA for encryption/decryption, and MD5 for message digest production.
o Freeware – Uses Diffey-Helman key exchange, the Carlisle Adams/Stafford Traveres (CAST) 128 bit encryption/decryption algorithm, and the SHA-1 Hashing Function.
• Secure/Multipurpose Internet Mail Extensions (S/MIME) – de facto standard for encrypted email.
o Uses RSA asymmetric encryption.
This is the only public key cryptographic protocol supported by S/MIME
o Uses AES and 3DES symmetric encryption algorithms
o Relies on the use of X.509 certificates for exchange of symmetric keys.
Web Applications for Encryption
• Secure Socket Layer (SSL) – Relies on the exchange of server digital certificates to negotiate encryption/decryption parameters between the browser and the web server.
o Uses port 443
o Goal is to create secure communication channels that remain open for an entire web browsing session. It depends on a combination of symmetric and asymmetric cryptography. Use the following steps:
When a user accesses a website, the browser retrieves the web server’s certificate and extracts the server’s public key from it.
The browser then creates a random symmetric key, uses the server’s public key to encrypt it, and then sends the encrypted symmetric key to the server.
The server decrypts the symmetric key using its own private key, and the two systems exchange all future messages using the symmetric encryption key.
Digital Rights Management – Uses encryption to enforce copyright restriction on digital media.
• Music DRM
• E-book DRM
• Video Game DRM
• Document DRM
• Movie DRM
o High Bandwidth Digital Content Protection (HDCP) – Provides DRM protection for content sent over digital connections such as HDMI. Rendered ineffective in 2010.
o Advanced Access Content Systems (AACS) – Protects the content stored on Blu-Ray and HD DVD media.
Networking Encryption
Circuit Encryption – Two primary techniques to protect data traveling over networks:
• Link Encryption – protects entire communication circuits by creating a secure tunnel between two points using either a hardware solution or a software solution that encrypts all traffic entering one end of the tunnel and decrypts all traffic entering the other end of the tunnel.
o In link encryption, all the data, including the header, trailer, address and routing data, is encrypted. This is the key difference.
o E.g. a company with two offices connected via a data circuit might use link encryption to protect against attackers monitoring at a point in between the two offices.
o Usually done at the lower end of the OSI model.
• End-to-End Encryption – Protects communications between two parties (e.g. a client and a server) and is performed independently of link encryption.
o E.g. the use of TLS to protect communications between a user and a web server. This protects against an intruder who might be monitoring traffic on the secure side of an encrypted link or traffic sent over an unencrypted link.
o Usually done at the higher end of the OSI model.
o SSH is an example of end-to-end encryption.
IPSEC – Security architecture that supports secure communications.
• Standard architecture set forth by the Internet Engineering Task Force (IETF) for setting up a secure channel to exchange information between two entities.
o Generally used to connect two networks.
Can also be used to connect individual computers, such as a server and workstation or a pair of workstations.
• Relies on security associations. Two main components:
o Authentication Header (AH) – provides assurances of message integrity and nonrepudiation. AH also provides authentication and access controls and prevents replay attacks.
o Encapsulating Security Payload (ESP) – provides confidentiality and integrity of packet contents. Provides encryption and limited authentication and prevents replay attacks.
• Uses public key cryptography to provide encryption, access control, nonrepudiation, and message authentication, all using IP based protocols.
• Primary use of IPSEC is for VPNs.
• Two Modes:
o Transport Mode – only the packet payload is encrypted.
o Tunnel Mode – The entire packet, including the header, is encrypted.
• At runtime, you set up an IPsec session by creating a security association (SA). The SA represents the communication session and records any configuration and status information about the message.
o Represents a simplex connection.
o If you want a two way channel, you need two SAs.
o If you want a bi-directional using both AH and ESP, you’ll need four SA’s.
• Internet Security Association and Key Management Protocol (ISAKMP) – Provides background security support services for IPsec by negotiating, establishing, modifying and deleting SAs.
o This is how IPsec SAs are managed.
o Has four basic requirements, as set forth in Internet RFC 2408:
Authenticate communicating peers
Create and manage security associations
Provide key generation mechanisms
Protect against threats.
Wireless Networking
• Wired Equivalent Protection (WEP) – Provides 64 and 128 bit encryption options to protect communications within the wireless LAN.
o IEEE 802.11
• Wifi Protected Access (WPA) – Imrpoves on WEP by implementing the Temporal Key Integrity Protocol (TKIP), eliminating weaknesses in WEP).
o WPA2 adds AES cryptography.
o IEEE 802.1x
Cryptographic Attacks –
• Analytic Attack – An algebraic manipulation that attempts to reduce the complexity of the algorithm. Focus on the logic of the algorithm itself.
• Implementation Attack – Type of attack that exploits weaknesses in the implementation of cryptographic systems. Focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system.
• Statistical Attack – Exploits statistical weaknesses in a cryptosystem, such as floating point errors and inability to produce truly random numbers. Attempt to find a vulnerability in the hardware or operating system hosting the cryptographic application.
• Brute Force Attack – Attempts every possible valid combination for a key. Two modifications that can enhance the effectiveness:
o Rainbow Tables – Provide precomputed values for cryptographic hashes. Commonly used to crack passwords stored on a system in hashed form.
o Specialized, Scalable Computing Hardware – designed specifically for brute force attacks.
• Frequency Analysis / Cyphertext Only – Uses the frequency of occurrence of certain letters prevalent at higher levels in the English language.
• Known Plaintext – Attacker has a copy of the encrypted message as well as the plaintext message used to generate the ciphertext. Uses this relationship to rip through the encryption.
• Chosen Ciphertext – Attacker has the ability to decrypt chosen parts of the ciphertext message and use the decrypted portion of the message to discover the key.
• Chosen Plaintext – Attacker has the ability to encrypt plaintext messages of their choosing, and can examine the ciphertext output of the encryption algorithm.
• Meet in the Middle – Can be used to defeate encryption algorithms that use two rounds of encryption.
• Man in the Middle – Malicious individual sits between two communicating parties and intercepts all communications. Attacker responds to the originator’s initialization requests and sets up a secure session with originator. Attacker then establishes a second secure session with the intended recipient using a different key and posing as the originator.
• Birthday – Seeks to find flaws in the one-to-one nature of hashing algorithms. Malicious individual seeks to substitute in a digitally signed communication
o AKA the collision attack or reverse hash matching
• Replay – Used against cryptographic algorithms that don’t incorporate temporal protections. Malicious individual intercepts an encrypted message between two parties, and then later “replays” the captured message to open a new session. This attack can be defeated by incorporating a time stamp and expiration period into each message.
Chapter 7 Exam Essentials:
• Understand the key types used in asymmetric cryptography
• Be familiar with the three major public key cryptosystems
o RSA
o El Gamal
o Elliptic Curve
• Know the fundamental requirements of a hash function
• Be familiar with the major hashing algorithms
• Know how cryptographic salts improve the security of password hashing
• Understand how digital signatures are generated and verified
• Know the components of the Digital Signature Standard (DSS)
o SHA-1, SHA-2, SHA-3
o Digital Signature Algorithm (DSA), Rivest,Shamir and Adleman (RSA) or Elliptic Curve DSA (ECDSA)
• Understand the public key infrastructure (PKI)
• Known the common applications of cryptography to secure email
• Know the common applications of cryptography to secure web activity
• Know the common applications of cryptography to secure networking
• Be able to describe IPSec
• Be able to explain common cryptographic attacks.
• Understand the uses of digital rights management.
Chapter 8: Principles of Security Models, Design and Capabilities
Controlling access to any resource in a secure system involves two entities:
• The Subject – the user or process that makes a request to access a resource
• The Object – the resource a user or process wants to access.
Transitive Trust Property – if A trusts B, and B trust C, then A trusts C.
Philosophies for designing and building systems
• Closed System – designed to work well with a narrow range of other systems, generally all from the same manufacturer.
• Open System – designed using agreed-upon industry standards.
Process Confinement – Allows a process to read from and write to only certain memory and resources
• Also known as sandboxing
• OS, or some other security component, disallows illegal read/write requests.
• Can be implemented in the OS itself (e.g. through process isolation and memory protection), through the use of a confinement application or service (e.g. sandboxie.com), or through a virtualization or hypervisor solution (e.g. VMWare)
• This is done via bounds
Bounds – Limits set on the memory addresses and resources a process can access.
• State the area within which a process is confined or contained.
• More secure systems may require physically bounded processes. Physical bounds require each bounded process to run in an area of memory that is physically separated from other bounded processes, not just logically bounded within the same memory space.
Isolation – When a process is confined through enforcing access bounds, that process runs in isolation.
• Used to protect the operating environment, the kernel of the OS, and other independent applications. Essential component of a stable OS.
• Isolation is what prevents an application from access the memory or resources of another application.
Trusted System – one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.
• Can be built into a system by implementing specific security features
Assurance – the degree of confidence in satisfaction of security needs.
• Must be continually maintained, updated and reverified.
• An assessment of the reliability and usability of those security features in a real world situation.
Security Model – Provides a way for designers to map abstract statements into a security policy that describes the algorithms and data structures necessary to build hardware and software. Gives software developers something against which to measure their design and implementation. There are many security models:
• Trusted Computing Base (TCB) – combination of hardware, software, and controls that work together to form a trusted base to enforce security policy.
o Subset of a complete information system – it should be as small as possible so that a detailed analysis can reasonably ensure that the system meets.
o Security Perimeter – imaginary boundary that separates the TCB from the rest of the system.
Ensures that no insecure communications or interactions occur between the TCB and the remaining elements of the system.
To communicate, it must create secure channels, called the trusted path.
Trusted Path – A channel established with strict standards to allow necessary communication not occur without exposing the TCB to security vulnerabilities.
• Protects users from compromise as a result of a TCB interchange.
o Reference Model – Part of the TCB that validates access to every resource prior to granting access requests.
Stands between the every subject and object, verifying that a requesting suject’s credentials meet the objects access requirements before any requests are allowed to proceed.
Effectively this is the access control mechanism for a TCB.
o Security Kernel – The collection of components in the TCB that work together to implement refence monitor functions.
The hardware and software implemented to put a refence monitor into place.
Requires descriptive information about each resource that it protects, including classification and designation.
• State Machine Model – a system that is always secure no matter what state it is in.
o Based on a finite state model.
o State – A snapshot of a system at a specific moment in time.
If all aspects of a state meet the requirements of the security policy, that state is considered secure.
A transition occurs when accepting input or producing output.
• A transition always results in a new state (also called a state transition)
• All state transitions must be evaluated. If each transition results in another secure state, the system can be called a secure state machine.
• A Secure State Machine model always boots into a secure state, maintains a secure state across all transitions, and allows subjects to access resources only in a secure manner compliant with the security policy.
• Information Flow Model – Focuses on the flow of information.
o Bell Lapadula – Multilevel security policy that states that a subject with any level of clearance can access resources at or below its clearance level.
However, within higher clearance levels, access is granted only on a need-to-know basis. In other words, access to a specific object is only granted to the classified levels only if a specific work task requires such access.
Blocks lower classified levels from accessing higher classified levels.
Addresses confidentiality. Does not address integrity or availability.
Three basic properties of the state machine required:
• Simple Security Property – a subject may not read information at a higher sensitivity level (no read up)
• * (star) Security Property – A subject may not write information to an object at a lower sensitivity level (no write down). Also known as the confinement property. NOTE that a trusted subject may violate the * Property without it being an issue.
• Discretionary Security Property – System uses an access matrix to enforce discretionary access control.
“Bell and Lapadula were idiots. They couldn’t read up. They couldn’t write down.”
o Biba – concerned with Integrity. Pretty much an inverted Bell LaPadula.
Two basic properties:
• Simple Integrity Property – states that a subject cannot read an object at a lower integrity level (no read-down).
• * Integrity Property – states that a subject cannot modify an object at a higher integrity level (no write-up).
Designed to address three integrity issues:
• Prevent modification of objects by unauthorized subjects
• Prevent unauthorized modification of objects by authorized subjects.
• Protect internal and external object consistency.
o Clark-Wilson Model (THINK OF DELTEK) –
Uses a multi-faceted approach to enforcing data integrity. Instead of defining a formal state machine, the model defines each data item and allows modification only through a small set of programs.
• Uses a three part relationship known as the triple or the access triple
o Through Subject/ Program/ Object (or subject/ transaction/ object)
Defines the following items and procedures:
• A Constrained Data Item (CDI) – any data item whose integrity is protected by the security model.
• An Unconstrained Data Item (UDI) – Any data item that is not controlled by the security model.
o Any data that is to be input that hasn’t been validated, or any output would be considered a UDI.
• Integrity Verification Procedure (IVP) – Procedure that scans data items and confirms their integrity.
• Transformation Procedure (TPs) – The only procedures that are allowed to modify the CDI. The limited access to CDIs through TPs forms the backbone of the Clark-Wilson integrity model.
Use security labels to grant access to objects, but only through transformation procedures and a restricted interface model
• One subject at one classification level will see one set of data and have access to one set of functions, whereas another subject at a different classification level will see a different set of data and have access to a different set of functions.
o Noninterference model – actions of subject A (high) should not affect the action of subject B (low)
• Brewer Nash Model (AKA Chinese Wall) –
o Seeks to create security domains that are sensitive to the notion of conflict of interest
for example, someone who works at company C who has access to proprietary data from Company A should be also be allowed access to similar data for Company B if these two companies compete with each other.
Known as Chinese Wall model because it creates a class of data that defines which security domains are potentially in conflict and prevents any subject with access to one domain that belongs to a specific conflict class from accessing any other domain that belongs to the same conflict class. Metaphorically, puts a wall around all other information in any conflict class.
• Goguen-Meseguer Model –
o Focused on integrity
o Predetermining a list of objects that each subject can access.
Subjects are allowed only to perform predetermined actions against predetermined objects.
When similar users are grouped into their own domain (that is, collective), the members of one subject domain cannot interfere with the members of another subject domain.
• Sutherland Model –
o Focused on Integrity
o Does not directly indicate specific mechanisms for protection of integrity. Instead, the model is based on the idea of defining a set of system states, initial states, and state transitions.
• Take-Grant Model – Employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object.
o Take Rule – Allows a subject to take rights over an object
o Grant Rule – Allows a subject to grant rights to an object
o Create Rule – Allows a subject to create new rights
o Remove Rule – Allows a subject to remove rights it has.
• Access Control Matrix – table of subjects and objects that indicates the actions or functions that each subject can perform on each object.
• Graham-Denning Model – Focused on the secure creation and deletion of both subjects and objects. Eight primary protection rules:
o Securely Create an Object
o Securely Create a Subject
o Securely Delete an Object
o Securely Delete a Subject
o Securely provide read access rights
o Securely provide grant access rights
o Securely provide delete access rights
o Securely provide transfer access rights
Model Rules Focus e.g. sytsem
Bell Lapadula No Read up, No write down Security
Biba No Read Down, No Write Up Integrity
Clark-Wilson Enforces Segregation of Duties Integrity Deltek
Brewer and Nash (Chinese Wall) Someone who works at company C who has access to proprietary data from Company A should be also be allowed access to similar data for Company B if these two companies compete with each other Security
Take-Grant Table of subjects and objects that indicates the actions or functions that each subject can perform on each object. Security
Access Matrix Take-Grant Model – Employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object.
o Take Rule – Allows a subject to take rights over an object
o Grant Rule – Allows a subject to grant rights to an object
o Create Rule – Allows a subject to create new rights
o Remove Rule – Allows a subject to remove rights it has. Security
Goguen-Meseguer Model Predetermining a list of objects that each subject can access.
Subjects are allowed only to perform predetermined actions against predetermined objects.
When similar users are grouped into their own domain (that is, collective), the members of one subject domain cannot interfere with the members of another subject domain. Integrity
Sutherland Model Does not directly indicate specific mechanisms for protection of integrity. Instead, the model is based on the idea of defining a set of system states, initial states, and state transitions. Integrity
Graham-Denning Model Focused on the secure creation and deletion of both subjects and objects. Eight primary protection rules:
o Securely Create an Object
o Securely Create a Subject
o Securely Delete an Object
o Securely Delete a Subject
o Securely provide read access rights
o Securely provide grant access rights
o Securely provide delete access rights
o Securely provide transfer access rights Security
Formal Evaluations traditionally follow a two step process:
• System is tested and a technical evaluation is performed to make sure that the system’s security capabilities meet criteria laid out for its intended use.
• System is subjected to a formal comparison of its design and security criteria and its actual capabilities and performance, and individuals responsible for the security and veracity of such a system must decide whether to adopt them, reject them, or make some changes to their criteria and try against.
• Trusted Computer System Evaluation Criteria (TCSEC) –
o Category A – Verified protection – highest level of security
Similar to a B3, but difference is in the development system.
Each phase of the development cycle is controlled using formal feedback methods. Each phase is documented, evaluated and verified before the next step.
o Category B – Mandatory protection - More granularity of control is mandated. Security administrators can apply specific controls that allow only a very limited sets of subject/object access. Based on Bell-Lapadula, based on security labels.
Labeled Security (B1) – Each subject and each object has a security label. Grants access by matching up the subject and the object labels and comparing their permission compatibility. Can house classified data.
Structured Protection (B2) – In addition to requiring security labels, must ensure that no covert channels exist. Operator and administrator functions are separated and process isolation is maintained.
Security Domains (B3) – Further increases separation and isolation of unrelated processes. Administrative functions are clearly defined and separated. Secure state is addressed during initial boot processes. Good for sensitive or serte data.
o Category C – Discretionary protection – Provide basic access control. Some security controls, but lacking in more sophisticated and stringent controls that address specific needs for secure systems.
Discretionary Security Protection (C1) – controls access by user IDs and/or groups. Although there are some controls in place that limit object access, system in this category provide only weak protection.
Controlled Access Protection (C2) – Stronger than C1.
• Users must be identified individually to gain access to objects.
• Enforce media cleansing such that any media reused must have no remnant of the previous data remains available.
• Strict logon procedures must be enforced.
o Category D – Minimal Protection. Reserved for systems that have been evaluated but do not meet requirements to belong to any other category.
Level Label Name Rules ITSEC Level CC Description
D Minimal Protection Catch all for ones that don't fit in others. F-D+E0 EAL0, EAL1
C1 Discretionary Protection Controls access by user IDs and/or groups. Although there are some controls in place that limit object access, system in this category provide only weak protection. F-C1+E1 EAL2
C2 Controlled Access Protection • Users must be identified individually to gain access to objects.
• Enforce media cleansing such that any media reused must have no remnant of the previous data remains available.
• Strict logon procedures must be enforced. C=C2+E2 EAL3
B1 Labeled Security • Each subject and each object has a security label.
• Grants access by matching up the subject and the object labels and comparing their permission compatibility.
• Can house classified data. F-B1+E3 EAL4
B2 Structured Protection • In addition to requiring security labels, must ensure that no covert channels exist.
• Operator and administrator functions are separated and process isolation is maintained. F-B2+E4 EAL5
B3 Security Domains • Further increases separation and isolation of unrelated processes.
• Administrative functions are clearly defined and separated.
• Secure state is addressed during initial boot processes.
• Good for sensitive or secret data. F-B3+E5 EAL6
A1 Verified Protection • Similar to a B3, but difference is in the development system.
• Each phase of the development cycle is controlled using formal feedback methods. Each phase is documented, evaluated and verified before the next step.
• Handles top-secret data. F-B3+E6 EAL7
Certification and Accreditation – Certification is often an internal verification of security and results of that assessment can only be trusted by the organization. Accreditation is performed by a third party testing service, and results are trusted by everyone who trusts the test group.
• Certification – Evaluation of the technical and nontechnical security features of an IT system and other safeguards made in support of the accreditation process to establish the extent to which a particular design and implementation meets a set of specified security requirements.
o First, one must choose the evaluation criteria
o After the entire system has been assessed, results can be evaluated to determine the security level the system supports.
o Complete the phase when you have evaluated all factors and determined the level of security for the system.
• Accreditation – If management decides that the certification of the system satisfies their needs, the system is ‘accredited.’ Accreditation is the formal declaration by the designated approving authority (DAA) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.
o Phase 1 – Definition
o Phase 2 – Verification
o Phase 3 – Validation
o Phase 4 – Post Accreditation
o Three types of accreditation that may be granted:
For a system accreditation - a major application or general support system is evaluated.
For a site accreditation – applications and systems at a specific, self-contained location are evaluated.
For a type accreditation – an application or system that is distributed to a number of different locations is evaluated.
Chapter 8 Exam Essentials:
• Know details about each of the access control models
• Know the definition of certification and accreditation
• Be able to describe open and closed systems
• Know what confinement, bounds and isolation are
• Be able to define object and subject in terms of access
• Know how security controls work and what they do
• Be able to list the classes if TCSEC, ITSEC and Common Criteria
• Define a trusted computing base (TCB) –
• Be able to explain what a security perimeter is
• Know what the reference monitor and the security kernel are
• Understand the security capabilities of information systems
Chapter 9: Security Vulnerabilities, Threats and Countermeasures
CPU = Central Processing Unit = Processor
Execution Types –
• Multitasking – handling two or more tasks simultaneously
• Multicore – Most CPUs are multicore, meaning CPUs or microprocessor chips now contain up to dozens of independent execution cores that can operate simultaneously
o Effectively a SINGLE CPU with multiple execution units.
• Multiprocessing – More than one CPU. For example, a database server might run on a server that contains multiple CPUs, and if the database application receives multiple queries, it can send them out to separate processors. Two types:
o Symmetric Multiprocessing (SMP) – Example above is SMP. Single computer contains multiple processors that are treated equally and controlled by a single operation.
Processors share a common OS and a common data bus and memory resources.
Designed for processing operations at extremely high rates.
o Massively Parallel Processing (MPP) – house hundreds to thousands of processors, each with its own OS and data bus and resources.
Database application sees a computationally difficult task, assigns it to a processor, which in turn breaks it up into smaller parts and distributes them to other processors for execution.
Extremely powerful.
Adept at processing very large, complex, computationally intensive tasks.
• Multiprogramming – Similar to multitasking. Found in legacy systems.
• Multithreading – Permits multiple concurrent tasks to be performed within a single process.
o Good example occurs when multiple documents are opened at the same time in a word processing program. In this situation, multiple instances of the word processor are not being run. Instead each document is treated as a single thread within a single word processor process, and the software choose which thread it works with.
Processing Types –
• Single State – require the use of policy mechanisms to manage information at different levels.
o Security administrators approve a processor and system to handle only one security level at a time.
o E.g. a system may be labeled to handle only top secret information.
• Multistate – capable of implementing a much higher level of security.
o Certified to handle multiple security levels simultaneously by using specialized security mechanisms called protection rings.
o Designed to prevent information from crossing between security levels.
Protection Mechanisms –
• Protection Rings - Organize code and components in an operating system into concentric rings.
o The deeper inside you go, the higher the privilege level associated with the code that occupies a specific ring.
Ring 0 – OS Kernel/Memory
Ring 1 – Other OS Components
Ring 2 – Drivers, Protocols, etc.
• Rings 0-2 operate in supervisory or privilege mode
Ring 3 – User-Level Programs and Applications
• Ring 3 operates in user mode
o Process with the lowest ring number always runs before the process with a higher number.
• Process States – Also known as operating states.
o Operating systems can operate in two states:
Supervisor State – Privileged, all access mode.
Problem state (user mode) – Privileges are low and all access requests must be checked against credentials for authorization before they are granted or denied.
o Processes can run in several states:
Ready State – A process is ready to resume or begin processing as soon as it is scheduled for execution. Process has all the memory and other resources it needs to begin.
Waiting State – Can also be understood as ‘waiting for a resource.’ Waiting for something to become available for its use.
Running State (or Problem state) – problem as in ‘math problem.’ The process executes on the CPU and keeps going until it finishes, its time slice expires, or it is blocked for some reason. If time ends and it’s not done, it goes back to waiting state
Stopped State – When a process finishes or must be terminated (e.g. due to error). OS can recover all memory and other resources allocated to the process and reuse them for other processes.
Supervisory State – Used when a process must perform an action that requires privileges that are great than the problem state’s set of privileges.
• Basically any function not occurring in the user mode (ring 3).
• Security Modes –
o Three elements must exist:
Hierarchical mandatory access control (MAC) environment
Total physical control over which subjects can access the computer console
Total physical control over which subjects can enter into the same room as the computer console.
o Dedicated Mode – essentially the equivalent to the single-state system. Has three requirements.
Each user must have a security clearance that permits access to all information processed by the system.
Each user must have access approval for all information processed by the system.
Each user must have a valid need to know for all information processed by the system.
o System High Mode – Major difference from dedicated mode is that all users on system high do not necessarily have a need to know for all information processed on the computing device.
Each user must have a valid security clearance that permits access to all information processed by the system.
Each user must have access approval for all information processed by the system.
Each user must have a valid need to know for some information processed by the system, but not necessarily all information.
o Compartmented Mode – Users do not necessarily have access approval for all the information on the system.
Three requirements:
• Each user must have a valid security clearance that permits access to all information processed by the system.
• Each user must have access approval for any information they will have access to on the system.
• Each user must have a valid need to know for all information they will have access to on the system.
Specialized implementation – Compartmented mode workstations (CMWs)
• Users with the necessary clearances can process multiple compartments of data at the same time.
• Require two forms of security labels to be placed on objects.
o Sensitivity Labels – Describe the levels at which an object must be protected.
o Information Labels – Prevent data overclassification and associate additional information with the objects, which assists in proper and accurate data labeling not related to access control.
o Multilevel Mode –
Some users do not have a valid security clearance for all information processed by the system. Thus, access is controlled by whether the subject’s clearance level dominates the object’s sensitivity label.
Each user must have access approval for all information they will have access to on the system.
Each user must have a valid need to know for all information they will have access to on the system.
Mode Clearance Need to Know CMW implementations used?
Dedicated All users must be the same None No
System High All users must be the same Yes No
Compartmented All users must be the same Yes Yes
Multilevel Users may be Different Yes Yes
Operating Modes – Processors support two modes of operation:
o User Mode – Basic mode used by the CPU when executing user applications.
CPU allows the execution of only a portion of its full instruction set.
Designed to protect users from accidentally damaging the system through the execution of poorly designed code or unintentional misuse of that code.
o Privileged Mode – Designed to give the OS access to the full range of instructions supported by the CPU.
Grants a wide range of permissions to the process executing on the CPU. For this reason, well designed Oss do not let any user applications execute in Privileged Mode.
Goes by several names –
• Privileged Mode
• Supervisory Mode
• System Mode
• Kernel Mode
Mode / Levels State Information
Process States - OS Level Supervisor State Privileged - all access
Problem State (User Mode) Privileges are low and all access requests must be checked against credentials for authorization before they are granted or denied.
Process States - Process Level Ready State A process is ready to resume or begin processing as soon as it is scheduled for execution. Process has all the memory and other resources it needs to begin.
Waiting State Can also be understood as ‘waiting for a resource.’ Waiting for something to become available for its use
Running State (Problem State) problem as in ‘math problem.’ The process executes on the CPU and keeps going until it finishes, its time slice expires, or it is blocked for some reason. If time ends and it’s not done, it goes back to waiting state
Stopped State When a process finishes or must be terminated (e.g. due to error). OS can recover all memory and other resources allocated to the process and reuse them for other processes.
Supervisory State Used when a process must perform an action that requires privileges that are great than the problem state’s set of privileges
Security Modes Dedicated § Each user must have a security clearance that permits access to all information processed by the system.
§ Each user must have access approval for all information processed by the system.
§ Each user must have a valid need to know for all information processed by the system.
System High Major difference from dedicated mode is that all users on system high do not necessarily have a need to know for all information processed on the computing device.
§ Each user must have a valid security clearance that permits access to all information processed by the system.
§ Each user must have access approval for all information processed by the system.
§ Each user must have a valid need to know for some information processed by the system, but not necessarily all information.
Compartmented Users do not necessarily have access approval for all the information on the system.
§ Three requirements:
• Each user must have a valid security clearance that permits access to all information processed by the system.
• Each user must have access approval for any information they will have access to on the system.
• Each user must have a valid need to know for all information they will have access to on the system.
Multilevel § Some users do not have a valid security clearance for all information processed by the system. Thus, access is controlled by whether the subject’s clearance level dominates the object’s sensitivity label.
§ Each user must have access approval for all information they will have access to on the system.
§ Each user must have a valid need to know for all information they will have access to on the system.
Operating Modes User Mode Basic mode used by the CPU when executing user applications.
§ CPU allows the execution of only a portion of its full instruction set.
§ Designed to protect users from accidentally damaging the system through the execution of poorly designed code or unintentional misuse of that code.
Privileged Mode Designed to give the OS access to the full range of instructions supported by the CPU.
§ Grants a wide range of permissions to the process executing on the CPU. For this reason, well designed Oss do not let any user applications execute in Privileged Mode.
§ Goes by several names –
• Privileged Mode
• Supervisory Mode
• System Mode
• Kernel Mode
Memory
• Read Only Memory (ROM) – Memory the PC can read but can’t change (no writing allowed)
o Has several subtypes which are all fucking corny and suck
Programmable Read-Only Memory (PROM) – a basic PROM chip is similar to a ROM chip in functionality, except the user burns in the chip’s contents after purchase by the user (standard ROM does this at the factory).
• Once data is written to a PROM chip, no further writing is available.
• Provides software developers opportunity to store information permanently on high-speed chips.
Erasable Programmable Read-Only Memory (EPROM) – Two subtypes
• Electronically Erasable Programmable Read-Only Memory (EEPROM) – Uses electric voltages delivered to the pins of the chip to enforce erasure.
• Ultraviolet EPROM (UVEPROM) – can be erased with light.
Flash Memory – Whereas EPROM needs to be fully erased (think zero sum game) to be rewritten, flash memory can rewrite it in blocks or pages.
ROM Type (Think CD ROM) Information
Programmable Read-Only Memory (PROM) a basic PROM chip is similar to a ROM chip in functionality, except the user burns in the chip’s contents after purchase by the user (standard ROM does this at the factory).
• Once data is written to a PROM chip, no further writing is available.
• Provides software developers opportunity to store information permanently on high-speed chips.
Electronically Erasable Programmable Read-Only Memory (EEPROM) – Uses electric voltages delivered to the pins of the chip to enforce erasure.
Ultraviolet EPROM (UVEPROM) – can be erased with light.
Flash Memory Whereas EPROM needs to be fully erased (think zero sum game) to be rewritten, flash memory can rewrite it in blocks or pages.
• Random Access Memory – Readable and writable memory that contains information a computer uses during processing.
o Only useful for temporary storage.
o RAM retains its contents only when power is continuously supplied. When a computer is powered off, all data within RAM disappears (it’s volatile memory).
o Types:
Real Memory – AKA Main Memory or Primary Memory – Typically the largest RAM storage resource available to a computer.
• Main RAM source
• Normally composed of a number of dynamic RAM chips.
Cache Memory – Memory stored on faster devices when repeated use is likely.
• Keep data more likely to be used closer on hand for improved speed.
• Peripheral devices (e.g. printers or thumb drives) usually have a cache.
o This is dynamic memory.
o This is why you need to safely remove disks to ensure
Dynamic – Uses capacitors that hold a charge or don’t, representing bits. Need to be refreshed electrically every so often since they naturally lose their charge.
• Cheaper
Static RAM – utilizes flip-flops instead of electric charge. Doesn’t need the continuous electrical refresh.
• Runs faster
RAM Type Information
Real Memory AKA Main Memory or Primary Memory – Typically the largest RAM storage resource available to a computer.
• Main RAM source
• Normally composed of a number of dynamic RAM chips.
Cache Memory Memory stored on faster devices when repeated use is likely.
• Keep data more likely to be used closer on hand for improved speed.
• Peripheral devices (e.g. printers or thumb drives) usually have a cache.
o This is dynamic memory.
o This is why you need to safely remove disks to ensure
Dynamic Memory Uses capacitors that hold a charge or don’t, representing bits. Need to be refreshed electrically every so often since they naturally lose their charge.
• Cheaper
Static Memory utilizes flip-flops instead of electric charge. Doesn’t need the continuous electrical refresh.
• Runs faster
• Registers – CPUs also include a limited amount of onboard memory, known as registers.
o Arithmetic-Logical unit (ALU) – Brain of CPU.
• Memory Addressing – Means for processor to refer to various locations in memory. Multiple methods exist:
o Register Addressing – When CPU needs information from one of its registers to complete an operation, it uses this to access the CPU’s register’s contents.
o Immediate Addressing – Values are directly supplied to the CPU as part of instruction, do not need to be retrieved. E.g. – “Add 2 to the value of register 1” – Because the 2 is a direct input, it’s immediate addressing.
Note that the second half, “to register 1” is register addressing.
o Direct Addressing – CPU is provided with an actual address of the memory location. More flexible than immediate addressing since the contents of the memory location can be changed more readily than reprogramming the immediate addressing’s hard coded data.
o Indirect Addressing – Uses a scheme similar to direct addressing. However, memory address supplied to the CPU as part of the instruction doesn’t contain the actual value that the CPU is to use as an operand. Instead, the memory address contains another memory address (perhaps on a different page).
o Base+Offset Addressing – Uses a value stored in the CPU’s registers as the base location from which to begin counting. The CPU then adds the offset supplied within the instruction to that base address and retrieves the operand from that computed memory location.
Addressing Type Description
Register Addressing When CPU needs information from one of its registers to complete an operation, it uses this to access the CPU’s register’s contents.
Immediate Addressing Values are directly supplied to the CPU as part of instruction, do not need to be retrieved. E.g. – “Add 2 to the value of register 1” – Because the 2 is a direct input, it’s immediate addressing.
§ Note that the second half, “to register 1” is register addressing.
Direct Addressing CPU is provided with an actual address of the memory location. More flexible than immediate addressing since the contents of the memory location can be changed more readily than reprogramming the immediate addressing’s hard coded data.
Indirect Addressing Uses a scheme similar to direct addressing. However, memory address supplied to the CPU as part of the instruction doesn’t contain the actual value that the CPU is to use as an operand. Instead, the memory address contains another memory address (perhaps on a different page).
Base+Offset Addressing Uses a value stored in the CPU’s registers as the base location from which to begin counting. The CPU then adds the offset supplied within the instruction to that base address and retrieves the operand from that computed memory location.
• Secondary Memory – Magnetic, optical, or flash-based media or other storage devices that contain data not immediately available to the CPU.
o Disks, flash drives, optical media, etc.
o Can also be virtual memory.
Storage
• Primary Storage – Same thing as primary memory.
• Secondary Storage – Things like SDB’s. Same as secondary memory.
• Volatile Storage – Storage devices designed to lose their data once powered to them is off.
o There are some sophisticated devices that can extract memory from powered-off volatile storage.
• Nonvolatile Storage – Storage devices designed to retain data during power off.
• Random Storage – Devices allow an operating system to read immediately from any point within the device by using some type of addressing system. Almost all primary storage devices are random access devices.
• Sequential Storage – Do not provide flexibility.
o Required to read all data stored prior to the data you’re requesting
o Much slower, but can hold MASSIVE amounts of data for low cost.
This is good for things like backups.
TEMPEST – Technology that allows the reading of van Eck radiation emitted from computer monitors. Also works on keyboard and mouse.
Firmware – term used to describe software that is stored in a ROM chip.
• Basic Input / Output System (BIOS) – Contains the operating system-independent primitive instructions that a computer needs to start up and load the operating system from disk.
o Contained in a firmware device that is immediately accessible by the computer at boot time.
o Generally stored in EEPROM chips to facilitate version updates.
• Unified Extensible Firmware Interface (UEFI) – More advanced version of BIOS. On most modern systems.
Client Based Systems –The direct data or machine of the user.
• Applets – directions from a server to the client.
o Opposite of ‘Agents’ where a user sends query instructions to a server
o Java applets no longer supported in web browsers.
• Local Cache – Anything temporarily stored on a client for future reuse.
o Usually there are many local caches on a client (.e.g. ARP or DNS).
o Five forms of DNS cache poisoning –
HOSTS poisoning – false information planted into HOSTS file. When system boots contents of HOSTS file will become effective and misdirect to another IP.
Authorized DNS Server attacks – Altering the primary record of the fully qualified domain name (FQDN) on its original host system. Changes will quickly be propagated throughout the entire network.
Caching DNS Server Attacks – Implanting false information directly into the caching server.
DNS Lookup address changing – Using a script to alter the DNS lookup address to a DNS server controlled by a hacker, who responds with poisoned results
DNS Query Spoofing – Occurs when a hacker can eavesdrop on a client’s query to a DNS server. Attacker replies to a query with false information, which then goes into the DNS cache.
Database Systems Security
• Aggregation – combining records from one or more tables to produce potentially useful information. E.g. querying transfers to a military base will aggregate all the records, and a user may be able to count force size.
• Inference – Combining several pieces of non-sensitive information to gain access to information that should be classified at a higher level. E.g. knowing person A was hired on date B, and comparing the payroll register totals from before and after hiring them to ‘infer’ the person’s salary.
• Data Mining and Data Warehousing – ‘
o Data Warehouse – Large databases storing large amounts of information from a variety of databases for use with specialized analysis techniques.
o Data Dictionary – Used for storing critical information about data, including usage, type, sources, relationships and formats.
DMBS software reads the data dictionary to determine access rights for users attempting to access data.
o Data Mining – Techniques that allow analysts to comb through data warehouses and look for potential correlated information.
Metadata is the data about data produced via data mining.
o Data Mart – Since metadata is more valuable than the actual data, metadata is stored in a data mart.
• Data Analytics – the science of raw data examination with the focus of extracting useful information out of the bulk information set.
o Big Data – Collections of data that have become so large that traditional means of analysis don’t work.
Client-Server Model – Most current computing models. Use your own machine, but access resources located on a server.
This is distributed architecture.
Fortress Mentality – opposite of defense in depth. Thought that only one security mechanism is needed. Wrong!
Cloud Based Systems and Cloud Computing
• Cloud Computing is the popular term referring to a concept in computing where processing and storage are performed elsewhere over a network connection, rather than locally.
• Virtual Machine Monitor (VMM) – AKA the hypervisor – component of virtualization that creates, manages, and operates virtual machines.
o Host OS - Computer Running the hypervisor is known as the host OS.
o Guest OS – OS running inside a hypervisor-supported virtual environment.
o Type I Hypervisor – Bare metal or native hypervisor.
No host OS.
Hypervisor installs directly onto the hardware where the hos OS would normally reside.
Used for server virtualization.
Benefit is that it conserves resources (by not requiring an OS)
o Type II Hypervisor – a hosted hypervisor. Standard regular OS is present on the hardware, and then the hypervisor is installed as another software application (e.g. our environment).
Often used in desktop deployments.
• Cloud Storage – idea of using storage capacity provide by a cloud vendor as a means to host data files for an organization.
• Elasticity – the flexibility of the virtualization and cloud solutions to expand or contract based on need.
• Concepts in Cloud Computing:
o Security-as-a-Service (SECaaS) – cloud provider in which security is provided to an organization through or by an online entity. Think of DataSure.
o Platform-as-a-Service (PaaS) – Concept of providing a computing platform and software solution stack as a virtual or cloud-based service.
Provides all the aspects of a platform (OS and solution package).
Avoidance of having to purchase and maintain high-end hardware and software locally.
o Software-as-a-Service (SaaS) – Derivative of PaaS that provides on-demand online access to specific software applications or suites without the need for local installation.
E.g. Google docs, Office 365.
o Infrastructure-as-a-Service (IaaS) – Takes PaaS model another step forward, but provides complete outsourcing options.
Can include utility or metered services, policy implementation and management, task automation, dynamic scaling, virtualization services, policy implementation and management.
Service
Description Examples When to Use
Platform-as-a-Service (PaaS) Concept of providing a computing platform and software solution stack as a virtual or cloud-based service.
§ Provides all the aspects of a platform (OS and solution package).
§ Avoidance of having to purchase and maintain high-end hardware and software locally. AWS Elastic Beanstalk, Windows Azure, Heroku, Force.com, Google App Engine, Apache Stratos, OpenShift There are many situations where utilizing PaaS is beneficial or even necessary. If there are multiple developers working on the same development project, or if other vendors must be included as well, PaaS can provide great speed and flexibility to the entire process. PaaS is also beneficial if you wish to be able to create your own customized applications. This cloud service also can greatly reduce costs and it can simplify some challenges that come up if you are rapidly developing or deploying an app.
Software-as-a-Service (SaaS) Derivative of PaaS that provides on-demand online access to specific software applications or suites without the need for local installation.
§ E.g. Google docs, Office 365. Google Apps, Dropbox, Salesforce, Cisco WebEx, Concur, GoToMeeting There are many different situations in which SaaS may be the most beneficial option, including:
If you are a startup or small company that needs to launch ecommerce quickly and don’t have time for server issues or software
For short-term projects that require collaboration
If you use applications that aren’t in-demand very often, such as tax software
For applications that need both web and mobile access
Infrastructure-as-a-Service (IaaS) § Can include utility or metered services, policy implementation and management, task automation, dynamic scaling, virtualization services, policy implementation and management. DigitalOcean, Linode, Rackspace, Amazon Web Services (AWS), Cisco Metapod, Microsoft Azure, Google Compute Engine (GCE) Just as with SaaS and PaaS, there are specific situations when it is the most advantageous to use IaaS. If you are a startup or a small company, IaaS is a great option because you don’t have to spend the time or money trying to create hardware and software. IaaS is also beneficial for large organizations that wish to have complete control over their applications and infrastructures, but are looking to only purchase what is actually consumed or needed. For rapidly growing companies, IaaS can be a good option since you don’t have to commit to a specific hardware or software as your needs change and evolve. It also helps if you are unsure what demands a new application will require as there is a lot of flexibility to scale up or down as needed.
Security-as-a-Service (SECaaS) cloud provider in which security is provided to an organization through or by an online entity. Think of DataSure.
o On Premise Solution – Traditional deployment in which an organization owns the hardware, licenses the software, and operates and maintains the systems on its own within its own building.
Provide local control over updates and changes
Do not require an internet connection
Upfront cost and install. No monthly fees.
o Hosted Solution – Deployment where the organization must license software and then operates and maintains the software.
Hosting provider owns, operates, and maintains the hardware that supports the organization’s software.
o Cloud Solution – A deployment where an organization contracts with a third-arty cloud provider. Cloud provider owns, operates, and maintains the hardware and the software. Organization pays a monthly fee, usually per user. Multiple types of cloud solutions:
Private Cloud – Cloud service within a corporate network and isolated from the internet. For internal use only.
Public Cloud – Cloud service that is accessible to the general public via internet connection. May require some form of subscription or pay-per-use.
Hybrid Cloud – Mix of public and private. For example, an organization may host a private cloud for exclusive internal use but distributes some resources to a public cloud
Community Cloud – A cloud environment maintained, used, and paid for by a group of users or organizations for their shared benefit, such as collaboration and data exchange.
Cloud Details
Private Cloud service within a corporate network and isolated from the internet. For internal use only.
Public Cloud service that is accessible to the general public via internet connection. May require some form of subscription or pay-per-use.
Hybrid Mix of public and private. For example, an organization may host a private cloud for exclusive internal use but distributes some resources to a public cloud
Community A cloud environment maintained, used, and paid for by a group of users or organizations for their shared benefit, such as collaboration and data exchange.
Industrial Control System (ICS) – A form of computer-management device that controls industrial processes and machines.
• Distributed Control Systems (DCSs) – Typically found in industrial process plans where the need to gather data and implement control over a large-scale environment from a single location is essential.
o Controls elements are distributed across the monitored environment, such as a manufacturing floor or a production line, and the centralized monitoring location sends commands out of those localized controllers while gathering status and performance data.
• Programable Logic Controllers (PLCs) – Effectively single-purpose digital computers.
o Typically deployed for management and automation of various industrial electromechanical operations, such as controlling systems on an assembly lineor a large-scale digital light display.
• Supervisory Control and Data Acquisition (SCADA) – Can not operate as a stand-alone device, be networked together with other SCADA systems, or be networked with traditional technology. Most SCADA systems are designed with limited human interface in mind.
BYOD Concerns
• Several alternatives to BYOD:
o Company Owned, Personally Enabled (COPE) – for organization to purchase devices and provide them to employees.
Each user is then able to customize the device and use it for both work and personal activities.
Allows the organization to select exactly what devices are to be allowed on the organizational network.
o Choose Your Own Device (CYOD) – Provides users with a list of approved devices from which to select the device to implement.
Can be implemented so that employees purchase their own devices from an approved list, or company can purchase the devices for the employee.
Embedded Systems –
• A computer implemented as part of a larger system.
• Typically designed around a limited set of specific functions in relation to the larger product of which it’s component.
• Examples include the following:
o HVAC controls, smart appliances, Smart TVs, HVAC controls, self-driving cars, medical devices.
Static System – A set of conditions, events, and surroundings that don’t change. A static IT environment is any system that is intended to remain unchanged by users and administrators.
Network Enabled Devices – Any tpe of portable or nonportable device that has native network capabilities. E.g. smartphone, chromecast, firestick, etc.
Covert Channel – Method of communication that was not intended to be a method of communication, used to harm the organization. Two types:
• Covert Timing Channel – Use timing issues to sneak stuff out
• Covert Storage Channel – Use storage to sneak stuff by
Chapter 9 Exam Essentials:
• Be able to explain the differences between multitasking, multithreading, multiprocessing and multiprogramming
• Understand the differences between single-state processors and multi-state processors.
• Describe the four security modes approved by the federal government for processing classified information.
• Explain the two layered operating modes used by most modern processors.
• Describe the different types of memory used by a computer.
• Know the security issues surrounding memory components.
• Describe the different characteristics of storage devices used by computers.
• Know the security issues surrounding secondary storage devices.
• Understand security risks that input and output devices can pose.
• Know the purpose of firmware.
• Be able to describe process isolation, layering, abstraction, data hiding, and hardware segmentation.
• Understand how a security policy drives system design, implementation, testing, and deployment.
• Understand cloud computing.
• Understand the risks associated with cloud computing and virtualization.
• Understand Hypervisors.
• Know about a type I hypervisor.
• Know about a type II hypervisor.
• Define CASB.
• Understand SECaaS.
• Understand smart devices.
• Comprehend IoT
• Understand mobile device security.
• Understand mobile device application security.
• Understand BYOD.
• Understand embedded systems and static environments.
• Understand embedded systems and static environment security concerns.
• Understand how the principle of least privilege, separation of privilege, and accountability apply to computer architecture.
• Be able to explain what covert channels are.
• Understand what buffer overflows and input checking are.
• Describe common flaws in security architectures.
Chapter 10: Physical Security Requirements
Functional order in which controls should be used (logical, makes sense).
1) Deterrence
2) Denial
3) Detection
4) Delay
Hardware Maintenance –
• Schedule for maintenance should be based on the Mean Time To Failure (MTTF) and Mean Time To Repair (MTTR) – Average length of time required to perform a repair on the device.
• Mean Time To Failure (MTTF) – Expected typical functional lifetime of the device given a specific operating environment.
• Mean Time Between Failures (MTBF) – Estimation of the time between the first and any subsequent failures.
• Devices should be scheduled for maintenance before their MTTF runs out.
Proximity Readers –
• Activated when person holding one walks within range of proximity reader. Can be one of three types:
o Passive Device – Has no active electronics. It is just a small magnet with specific properties.
E.g. shit they put in DVDs / BluRay cases / Banana Republic suits.
o Field-Powered Device – Has electronics that activate when the device enters the electromagnetic field that the reader generates.
o Transponder Device – Self-powered and transmits a signal received by the reader. This can occur consistently or only at the press of a button
E.g. - A garage door opener or a car alarm key fob).
Access Abuses
• Masquerading – Pretending to be someone else / using someone else’s badge.
• Piggy-backing – following an authorized user through a security checkpoint.
Emanation Security
• TEMPEST countermeasures – Countermeasures and safeguards designed to protect against emanation attacks.
o Faraday Cage – blocks the electromagnetic energy.
o White Noise – broadcasting false traffic
o Control Zone – Use of Faraday Cage or White Noise at a specific physical location. All other locations unaffected.
Electric Terms
• Fault – Momentary loss of power
• Blackout – Complete loss of power
• Sag – Momentary low voltage
• Brownout – Prolonged low voltage
• Spike – Momentary high voltage
• Surge – Prolonged high voltage
• Inrush – Initial surge of power usually associated with connecting to a power source, whether primary or alternate/secondary
• Noise – A steady interfering power disturbance or fluctuation
• Transient – A short duration of line noise disturbance
• Clean – Nonfluctuating pure power
• Ground – The wire in an electrical circuit that is grounded
Electromagnetic Interference (EMI) – Generates noise. Two types:
• Common mode noise – Generated by a difference in power between the hot and ground wires of a power source or operating electrical equipment.
• Traverse Mode Noise – Generated by a difference in power between the hot and neutral wires of a power source or operating electrical equipment.
Radio-Frequency Interference (RFI) – Radio frequencies generated by common appliances doing the same thing as EMI.
Computer Rooms should be kept between 60 and 75 degrees
Humidity in a Computer Room should be kept between 40 and 60 percent (remember the two together add up to 100% and are rounded to the 10s. This is the only one that makes sense)
Static volts at 40 cause destruction of sensitive circuits or electronic components.
Static volts at 17,000 causes permanent damage.
Fires – need Heat, Fuel (source), and Oxygen to exist.
• Different suppression medium target different aspects of the fire:
o Water suppresses the temperature
o Soda acid and other dry powders suppress the fuel supply
o CO2 suppresses the oxygen supply
o Halon substitutes and other nonflammable gases interfere with the chemistry of combustion and/or suppress oxygen supply
• Stages of Fire – Earlier detection means less damage and easier to extinguish.
o Stage 1 – Incipient Stage – At this stage there is only air ionization but not smoke.
o Stage 2 – Smoke Stage – At this stage, smoke is visible from the point of ignition.
o Stage 3 – Flame Stage – Flame can be seen with the naked eye.
o Stage 4 – Heat Stage – Fire is considerably further down the timescale to the point where there is an intense heat buildup and everything in the area burns.
• Fire Extinguishers – Should only be used when a fire is in the incipient stage. Classes:
o Class A – Common Combustibles – Uses water, soda acid
o Class B – Liquids – Uses CO2, halon, soda acid
o Class C – Electrical – Uses CO2, halon
o Class D – Metal – Uses Dry Powder
• Fire Detection Systems –
o Fixed-Temperature Detection – trigger suppression once a specific temperature has been reached.
Trigger is usually a metal or plastic component that is in the sprinkler head and melts at a specific temperature.
Also a version with a small glass vial containing chemicals that vaporize to overpressurize the container at a specific temperature.
o Rate-of-Rise Detection – Trigger suppression when the speed at which the temperature changes reaches a specific level.
o Flame-Actuated – Trigger suppression based on the infrared energy of flames.
o Smoke-Actuated – Trigger suppression based on photoelectric or radioactive ionization
o Incipient Smoke Detection Systems – AKA aspirating sensors – able to detect chemicals typically associated with very early stages of combustion before a fire is otherwise visible.
• Water Suppression Systems
o Wet Pipe System – AKA Closed Head – always full of water. Water discharges immediately when suppression is triggered.
o Dry Pipe System – Contains compressed air. Once suppression is triggered, air escapes, opening water valves to discharge water.
o Deluge System – Another form of dry pipe that uses larger pipes and therefore delivers a significantly larger volume of water. Inappropriate for environments that contain computers and electronics.
o Preaction System – a combination of wet pip and dry pipe. Exists as a dry pipe until the initial stages of afire are detected, and then the pipes are filled with water. The water is released only after the sprinkler head actiation triggers are melted by sufficient heat.
If the fire is quenched before sprinklers are triggered, pipes can be manually emptied and reset. This also allows manual intervention to stop the release of water before sprinkler triggering occurs.
Most appropriate water-based system for environments that house both computers and humans together.
• Gas Discharge Systems
o FM-200
o CEA-410
o NAF-S-III
o FE-13
o Argon or Argonite
o Inergen
o Aero-K
Three Components of Electronic Access Controls –
• An electromagnetic to keep the door closed.
• A credential reader to authenticate subjects and to disable the electromagnet
• A sensor to reengage the electromagnet when the door is closed.
Motion Detector Types –
• Infrared motion detector – Monitors for significant or meaningful changes in the infrared lighting pattern of a monitored area.
• Heat-based motion detector – Monitors for significant or meaningful changes in the heat levels and patterns in a monitored area.
• Wave pattern motion detector – Transmits a consistent low ultrasonic or high microwave frequency signal into a monitored area and monitors for significant or meaningful changes or disturbances in the reflected pattern.
• Capacitance motion detector – Sense changes in the electrical or magnetic field surrounding a monitored object.
• Photoelectric motion detector – Senses changes is visible light levels for the monitored area. Usually deployed in internal rooms that have no windows and are kept dark.
• Passive Audio motion detector – Listens for abnormal sounds in the monitored area.
Intrusion Alarms –
• Deterrent Alarms – Alarms that trigger deterrents may engage additional locks, shut doors, and so on. The goal of such an alarm is to make further intrusion or attack more difficult.
• Repellant Alarms – Alarms that trigger repellants usually sound an audio siren or bell and turn on lights. These types of alarms are used to discourage intruders or attackers from continuing their malicious or trespassing activities and force them off the premises.
• Notification Alarms – Alarms that trigger notification are often silent from the intruder / attacker perspective but record data about the incident and notify administrators, security guards, and law enforcement.
• Alarms are also categorized by where they are located:
o Local Alarm System – Must broadcast an audible alarm signal that can easily be heard 400 feet away.
Must be protected from tampering and disablement, usually by security guards.
o Central Station System – Alarm is usually silent locally, but offsite monitoring agents are notified so they can respond to the security breach.
Most residential security systems are of this type.
o Auxiliary Station – Can be added to either local or centralized alarm systems. When the security perimeter is breached, emergency services are notified to respond to the incident and arrive at the location. This could include fire, police, and medical services.
Chapter 10 Exam Essentials:
• Understand why there is no security without physical security.
• Be able to list administrative physical security controls.
• Be able to list technical physical security controls.
• Be able to name the physical controls for physical security.
• Know the functional order of controls.
• Know the key elements in making a site selection and designing a facility for construction.
• Know how to design and configure secure work areas.
• Understand the security concerns of a wiring closet.
• Understand how to handle visitors in a secure facility.
• Know the three categories of security controls implemented to manage physical security and be able to name examples of each.
• Understand security needs for media storage.
• Understand the concerns of evidence storage.
• Know the common threats to physical access controls.
• Understand the need for audit trails and access logs.
• Understand the need for clean power.
• Know the terms associated with power issues.
• Understand how to control the environment.
• Know about static electricity.
• Understand the need to manage water leakage and flooding.
• Understand the importance of fire detection and suppression.
• Understand the possible containment and damage caused by a fire suppression.
• Understand personnel privacy and safety.
Chapter 11: Secure Network Architecture and Securing Network Components
7 Application
6 Presentation
5 Session
4 Transport
3 Nework
2 DataLink
1 Phyiscal
Protocol – Set of rules and restrictions that define how data is transmitted over a network medium.
• Protocols on the OSI model employ encapsulation
o Encapsulation – the addition of a header, and possibly a footer, to the data received by each layer from the layer above before it’s handed off to a layer below.
As the message is encapsulated at each layer, the previous layer’s header and payload combine to become the payload of the current layer.
This occurs as the data move down the OSI stack from Application to Physical.
o Deencapsulation – Opposite of encapsulation.
Occurs as data moves UP the OSI Stack.
o Description of the process:
1. Application layer creates a message
2. Application layer passes the message to the Presentation layer
3. Presentation layer encapsulates the message by adding information to it.
4. Process of passing the message down and adding layer-specific information continues until the message reaches the physical layer.
5. At the physical layer, the message is converted into electrical impulses that represent bits and is transmitted over the physical connection.
6. The receiving computer captures the bits from the physical connection and re-creates the message in the Physical layer.
7. They Phyisical layer converts the message from bits into a Data Link frame and sends the message to the Data Link layer.
8. The Data Link layer strips its information and sends the message up the Network layer.
9. The process of deencapsulation continues until the message reaches the Application layer.
10. When the message reaches the Application layer, the data in the message is sent to the intended software recipient.
OSI MODEL
• Layer 1 / Physical Layer – Accepts the frame from the Data Link layer and converts the frame into bits for transmission over the physical connection medium.
o Is also responsible for receiving bits from the physical connection medium and converting them in a frame to be used by the Data Link layer.
o Contains device drivers that tell the protocol how to employ the hardware for the transmission and reception of bits.
o Network hardware devices that function here are network interface cards (NICs), hubs, repeaters, concentrators, amplifiers. These devices perform hardware based signal operations.
o Has the following specs/protocols/interfaces:
EIA/TIA-232 and EIA/ITA-449
X.21
High-Speed Serial Interface (HSSI)
Synchronous Optical Network (SONET)
V.24 and V.35
• Layer 2 / Data Link Layer – Responsible for formatting the packet from the Network layer into the proper format for transmission.
o Proper format is determined by the hardware and the technology of the network.
o Adds the hardware source and destination address (MAC addresses) to the frame.
o Uses the following protocols:
Serial Line Internet Protocol (SLIP)
Point-to-Point Protocol (PPP)
Address Resolution Protocol (ARP) – Resolves IP addresses into MAC addresses
Layer 2 Forwarding (L2F)
Layer 2 Tunneling Protocol (L2TP)
Point-to-Point Tunneling Protocol (PPTP)
Integrated Services Digital Network (ISDN)
o Network devices that function here:
Switches and bridges – Support MAC based traffic routing.
• Layer 3 / Network Layer – Responsible for adding routing and addressing information to the data. Accepts the segment from the Transport layer and adds information to it to create a packet. The packet includes the source and destination address.
o Responsible for providing routing or delivery information.
Not responsible for verifying guaranteed delivery.
o Manages error detection and node data traffic.
o Network hardware devices functioning on this layer are routers and bridge routers (brouters) – Determine best logical path for packets
o Uses the following routing protocols:
Internet Control Message Protocol (ICMP)
Routing Information Protocol (RIP)
Open Shortest Path First (OSPF)
Border Gateway Protocol (BGP)
Internet Group Message Protocol (IGMP)
Internet Protocol (IP)
Internet Protocol Security (IPSec)
Internetwork Packet Exchange (IPX)
Network Address Translation (NAT)
Simple Key Management for Internet Protocols (SKIP)
• Layer 4 / Transport Layer – Responsible for managing the integrity of a connection and controlling the session. Accepts the PDU from the Session Layer.
o Establishes communication connections between nodes and defines the rules of the session.
Session rules specify how much data each segment can contain, how to verify the integrity of the data transmitted, and how to determine whether data has been lost.
Session rules are established through the TCP three way handshake.
o Establishes a logical connection between two devises and provides end-to-end transport services to ensure delivery.
o Includes mechanisms for segmentation, sequencing, error checking, controlling the flow of data, error correction and network series optimization.
o Following protocols function here:
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Sequenced Packet Exchange (SPX)
Secure Sockets Layer (SSL)
Transport Layer Security (TLS)
• Layer 5 / Session Layer – Responsible for establishing, maintaining, and terminating communication sessions between two computers.
o Manages Dialogue Discipline (simplex/half-duplex/full duplex)
Simplex – One way communication
Half-Duplex – Two way communication, but only one direction can send data at a time (e.g. Walkie talkie)
Full-Duplex – Two way, simultaneous communication (e.g. cell phone)
o Establishes Checkpoints for grouping and recovery
o Retransmits PDUs that have failed or been lost since the last verified checkpoint
o Protocols that operate on this layer:
Network File System (NFS)
Structured Query Language (SQL)
Remote Procedure Call (RPC)
• Layer 6 / Presentation Layer – Responsible for transforming data received from the Application layer into a format that any system following the OSI model can understand.
o Impose common or standardized structure and formatting rules onto the data.
o Also responsible for encryption and compression.
o Allows various applications to interact over a network, and does so by ensuring that the data formats are supported by both systems.
o Most file or data formats operate within this layer, including formats for images, video, sound, documents, email, web pages, etc. Includes:
American Standard Code for Information Interchange (ASCII)
Extended Binary-Coded Decimal Interchange Mode (EBCDICM)
Tagged Image File Format (TIFF)
Joint Photographic Experts Group (JPEG)
Moving Picture Experts Group (MPEG)
Musical Instrument Digital Interface (MIDI)
• Layer 7 / Application Layer – Responsible for interfacing user applications, network services, or the operating system with the protocol stack.
o Allows applications to communicate with the protocol stack.
o Determines whether a remote communication partner is available or not.
o Ensures sufficient resources are available to support the requested communications.
o Application Specific Protocols found in this layer:
Hypertext Transfer Protocol (HTTP)
File Transfer Protocol (FTP)
Line Print Daemon (LPD)
Simple Mail Transfer Protocol (SMTP)
Telnet
Trivial File Transfer Protocol (TFTP)
Electronic Data Interchange (EDI)
Post Office Protocol Version 3 (POP3)
Internet Message Access Protocol (IMAP)
Simple Network Management Protocol (SNMP)
Network News Transport Protocol (NNTP)
Secure Remote Procedure Call (S-RPC)
Secure Electronic Transaction (SET)
o Gateways and application layer firewalls function as a network device on this layer.
Layer 4 / Transport Layer Protocols - TCPIP –
• Transport Layer Protocols – Two main ones on TCP/IP –
o Transmission Control Protocol (TCP) – Full duplex connection oriented protocol
Operates on Layer 4
Establishing Connection - SYN/AC Handshake
• Three step process
o Client sends a SYN flagged packet to Server
o Server responds with SYN/ACK flagged packet back to Client.
o Client responds to Server with ACK flagged packet.
To Disconnect – Two Methods
• Use FIN flagged packets instead of SYN flagged packets.
o Each side will transmit a FIN flagged packet once all of its data is transmitted, triggering the opposing side to confirm with an ACK flagged packet. Thus it takes four packets to gracefully tear down a TCP session.
• Use of a RST flagged packet, which cause an immediate and abrupt session termination.
Segments are tagged with a sequence number which allows the receiver to rebuild the original communication by reordering received segments back into their proper arrangement in spite of order in which they were received.
o User Datagram Protocol (UDP) – Simplex connectionless protocol
Operates at Layer 4
No error detection or correction
Very low overhead
Unreliable
Should only be used when delivery of data is unessential.
Often used for media.
UDP Headers:
• Source Port
• Destination Port
• Message Length
• Checksum
• TCP Headers –
o Source Port
o Destination Port
o Sequence Number
o Data Offset
o Reserved for Future Use
o Flags
o Window Size
o Check Sum
o Urgent Pointer
o Variable
• TCP Flags – Unskilled Attackers Pester Real Security Folk
Flag Name Description
URG Urgent Indicates Urgent Data
ACK Acknowledgment Acknowledges synchronization or shutdown request.
PSH Push Indicates a need to push data immediatley to application
RST Reset Causes immediate disconnect of TCP session
SYN Synchronization Requests syncrhonization with new sequencing numbers
FIN Finish Requests graceful shutdown of TCP session.
• Ports
o TCP and UDP have 65,536 ports
o Socket - Combination of IP address and port number
o Ports 0 through 1,023 – Well known ports or service ports.
o Ports 1,024 through 49,151 – Registered Software Ports.
Have one or more networking software products specifically regsitsered with the IANA in order to provide standardized port number system for clients attempting to connect to their products.
o Ports 49,152 through 65,535 – Random, Dynamic, or Ephemeral Ports.
Often used randomly and temporarily by clients as a source port.
Layer 3 / Network Layer Protocols –
• Internet Protocol (IP) – Provides route addressing for data packets.
o Similar to UDP – Connectionless and is unreliable datagram service.
o Does not offer guarantees of packet delivery or correct order.
This is why you employ TCP o IP to gain the reliability of the communication session.
o CIDR Notation –
/X = Number of bits ‘1’. So /20 means 20 ‘1’ bits
• 11111111.11111111.11110000.00000
• Same as 255.255.something.0
o .255 means this portion of the octet is dedicated to the network address.
• Internet Control Message Protocol (ICMP) – used to determine the health of a network or a specific link.
o Utilized by ping, traceroute, pathping, and other network management tools.
Ping used to determine if a remote system is online.
o Features were often exploited in various forms of bandwidth based DoS attacks
Ping Floods – Basic DOS attack utilized to hog up your bandwidth
Smurf attacks – spoof broadcast pings to generate large amounts of network traffic.
Ping of Death – Sends malformed ping larger than 65,535 bytes.
o IP Header protocol field value for ICMP is 1 (0x01)
o ICMP header defines the type or purpose of the message contained within the ICMP payload. Over 40 defined types, only 7 commonly used:
0 – Echo Reply
3 – Destination Unreachable
5 – Redirect
8 – Echo Request
9 – Router Advertisement
10 – Router Solicitation
11 – Time Exceeded
• Internet Group Message Protocol (IGMP) – Allows systems to support multicasting
o Multicasting – Transmission of data to multiple specific recipients.
o IGMP is used by IP hosts to register their dynamic multicast group membership.
o Through IGMP multicasting, a server can initially transmit a single data signal for the entire group rather than a separate initial data signal for each intended recipient.
o IP header protocol field value for IGMP is 2 (0x02).
• Address Resolution Protocol (ARP) – essential to the interoperability of logical and physical addressing scheme.
o Used to resolve IP addresses into MAC addresses
o Uses caching and broadcasting to perform its operations
o ARP Cache Poisoning – attacker inserts bogus information into the ARP cache.
Layer 7 / Application Layer Protocols –
• Telnet, TCP Port 23 – terminal emulation network application that supports remote connectivity for executing commands and running applications but does not support transfer of files.
• File Transfer Protocol (FTP), TCP Ports 20 and 21 (Passive/Ephemeral/Active Data versus Control Connection) – Network application that supports an exchange of files that requires anonymous or specific authentication.
• Trivial File Transfer Protocol (TFTP), UDP Port 69 – Network application that supports an exchange of files that does not require authentication.
• Simple Mail Transfer Protocol (SMPT), TCP Port 25 – Used to transmit email messages from a client to an email server and from one email server to another.
• Post Office Protocol (POP3), TCP Port 110 – Used to pull email messages from an inbox on an email server down to an email client.
• Internet Message Access Protocol (IMAP), TCP Port 143 – Used to pull email messages from an inbox on an email server down to an email client. More secure than POP3 and offers the ability to pull headers down from the email server as well as delete messages directly off the email server without having to download to the local client first.
• Dynamic Host Configuration Protocol (DHCP), UDP Ports 67 and 68 – Uses port 67 as the destination port on the server to receive client communication and port 68 as the source port from client requests. Used to assign TCP/IP configuration settings to systems upon bootup. Enables centralized control of network addressing.
• Hypertext Transfer Protocol (HTTP), TCP Port 80 – The protocol used to transmit web page elements from a web server to web browsers.
• Secure Socket Layer (SSL), TCP Port 443 (for HTTP Encryption) – VPN like security protocol that operates at the Transport Layer. SSL was originally designed to support secured web communications, but is capable of securing any Application layer protocol communications.
• Line Print Daemon (LPD), TCP Por 515 – This is a network service that is used to spool print jobs and to send print jobs to printers.
• X Window, TCP Ports 6000-6063 – GUI API for command line operating systems.
• Network File Systems (NFS), TCP Port 2049 – Ntwork service used to support file sharing between dissimilar systems.
• Simple Network Management Protocol (SNMP), UPD Port 161 and 162 for Trap Messages – Network service used to collect network health and status information by polling monitoring devices from a central monitoring station.
Multi-Layer Protocols –
• Pros –
o Wide range of protocols can be used at higher layers
o Encryption can be incorporated at various layers
o Flexibility and resiliency in complex network structures is supported.
• Cons –
o Covert channels are allowed
o Filters are bypassed
o Logically imposed network segment boundaries can be overstepped.
Converged Protocols – Merging of specialty or proprietary protocols with standard protocols, such as those from the TCP/IP suite. Primary benefit of converged protocols is the ability to use existing TCP/IP supporting network infrastructure to host special or proprietary services without the need for unique deployments of alternate networking hardware, resulting in significant cost savings:
• Fibre Channel over Ethernet (FCoE) – Used to encapsulate Fibre Channel communications over Ethernet networks.
• Multiprotocol Label Switching (MPLS) – a high throughput high-performance network technology that directs data across a network based on short path labels rather than longer network addresses. Saves significant time over traditional IP-based routing processes.
o Designed to handle a wide range of protocols through encapsulation.
• Internet Small Computer System Interface (iSCSI) – networking storage standard based on IP. This technology can be used enable location-independent file storage, transmission, and retrieval over LAN, WAN, or public internet connections. iSCSI often viewed as low cost alternative to Fibre Channel.
• Voice over IP (VoIP) – tunneling mechanism used to transport voice and/or data over a TCP/IP network.
• Software Defined Network (SDN) – Offers a network design directly programmable from a central location.
o Vendor neutral
• Content Distribution Network (CDN) – Collection of resource services deployed in numerous data centers across the internet in order to provide low latency, high performance, and high availability hosted content.
Domain Name System –
• Three Layers
o MAC Address – physical hardware address
o IP Address – “Temporary” logical address assigned over or onto the MAC address
o Domain Name – “Temporary” human-friendly convention given to the IP Address. The human friendly convention is on the Fully Qualified Domain Names (FQDN)
• The DNS links the FQDN to IP addresses.
o Top Level Domain (TLD) – the com in www.google.com
o Registered domain name – the google in www.google.com
o Subdomain(s) or hostname – the www in www.google.com
• Original TLDs – com, org, edu, mil, gov and net
• Operates over TCP and UDP on port 53.
Wireless Networks
• Wireless Cells – areas within a physical environment where a wireless device can connect to a wireless access point.
• 802.11 is the IEEE standard for wireless network communications.
• When deploying wireless networks, do so in infrastructure mode and not ad hoc mode.
o Infrastructure mode – requires that a wireless access point is required, wireless NICs on systems can’t interact directly, and the restrictions of the wireless access point for wireless network are enforced.
o Ad Hoc Mode – Any two wireless networking devices, including two wireless network interface cards, can communicate without a centralized authority.
o Stand Alone Mode – Occurs when there is a wireless access point connecting wireless clients to each other but not to any wired resources. Serves as a hub exclusively.
o Wired Extension Mode – wireless access point acts as a connection point to link the wireless clients to the wired network.
o Enterprise Extended Mode – Occurs when multiple wireless access points are used to connect a large physical area to the same wired network. Can walk around and stay on the same network, although NIC switches from WAPs.
o Bridge Mode – Occurs when a wireless connection is used to link two wired networks.
• Service Set Identifier (SSID) – unique name associated with a wireless network.
o Broadcast by the WAP via a special transmission called a beacon frame.
o Should disable before deployment
• A site survey – process of investigating the presence, strength, and reach of wireless access points deployed in an environment.
• Two methods that wireless clients can use to authenticate to WAPs before normal network communications can occur across the wireless link:
o Open System Authentication (OSA) – No authentication required. Come on in!
o Shared Key Authentication (SKA) – some form of authentication must take place before network communications can occur.
• Wi-fi Protected Access (WPA) – based on the LEAP and Temporal Key Integrity (TKIP) cryptosystems and often employs a secret passphrase for authentication.
o Static passwords can be brute forced.
• Wi-fi Protected Access 2 (WPA2) – considered secure
• 802.1X/EAP – Standard port-based network access control that ensures that clients cannot communicate with a resource until proper authentication has taken place.
o Extensible Authentication Protocol (EAP) – not a specific mechanism of authentication, rather an authentication framework.
• Protected Extensible Authentication Protocol (PEAP) – Encapsulates EAP methods within a TLS tunnel that provides authentication and encryption.
• Lightweight Extensible Authentication Protocol (LEAP) – Sucks – insecure.
• MAC Filter – a listing of authorized wireless client interface MAC addresses that is used by a wireless access point to block access to all nonauthorized devices.
o Hackers with basic wireless hacking tools can figure your MAC out in like 10 minutes and spoof it.
• Temporal Key Integrity Protocol (TKIP) – Designed as a replacement for WEP without requiring replacement of legacy wireless hardware.
o Officially replaced by WPA2.
• Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) – uses AES 128 bit key. Preferred standard security protocol of 802.11 wireless networking.
o To date, no attacks have ever been successful against AES/CCMP encryption.
• Wi-Fi Protected Setup (WPS) – sucks. Turn it off.
• Antennas (wifi)
o Omnidirectional – sends in all directions perpendicular to the line of the antenna itself.
o Directional – focus their sending and receiving capabilities in one primary direction.
o Should avoid
Solid physical obstructions
Reflective or other flat metal surfaces
Electrical equipment
• Captive Portal – directs sign on to a web page that they have to enter shit. Think Hilton wifi.
Secure Network Components:
• Intranet – Private network that is designed to host eh same information services found on the internet.
o Provide users with access to the web, email, and other services on the internal servers that are not accessible to anyone outside the private network.
• Extranet – A cross between the internet and intranet. A section of the organization’s network that has been sectioned off so that it acts as an intranet for the private network but also serves information to the public internet.
Firewalls
• Static Packet-Filtering Firewalls – AKA Screening Routers - filters traffic by examining data from a message header. Usually, the rules are concerned with source, destination, and port addresses. Using static filtering, a firewall is unable to provide user authentication or to tell whether a packet originated from inside or outside the private network, and it is easily fooled with spoofed packets.
o Known as first-gen firewalls
o Operate on layer 3
o AKA screening routers
• Application Level Gateway Firewall – AKA a proxy firewall – Filters traffic based on the internet service used to transmit or receive the data.
o Each type of application must have its own unique proxy server. Thus an application level gateway firewall comprise numerous individual proxy servers.
o Negatively affects performance.
o Known as second-gen firewalls
o Operate on layer 7
• Circuit Level Gateway Firewall – AKA Circuit Proxies – Used to establish communication sessions between trusted partners. Permit or deny forwarding decisions based solely on the endpoint designations of the communication circuit.
o Considered second-gen firewall
o Operate at layer 5 – Session Layer
• Stateful Inspection Firewalls – AKA Dynamic Packet Filtering Firewalls – Evaluate the state or the context of network traffic. By examining source and destination addresses, application usage, source of origin, and relationship between current packets and the previous packets of the same session, stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for an block unauthorized users and activities.
o Operate more efficiently than application level gateway firewalls.
o Known as third-gen firewalls.
o Operate at Layers 3 and 4.
• Deep Packet Inspection (DPI) Firewalls – filtering mechanism that operates typically at the application layer in order to filter the payload contents of a communication rather than only on the header values.
o Known as complete packet inspection and information extraction (IX)
o Able to block domain names, malware, spam, or other identifiable elements in the payload of a communication.
o Often integrated with application layer firewalls and/or stateful inspection firewalls
o Operates at Layer 7
• Next Gen Firewalls – Multifunction device (MFD) composed of several security features in addition to a firewall, including IDS, IPS, TLS/SSL proxy, web filtering, QoS management, NATing, bandwidth throttling.
• Multihomed Firewalls – More than one interface. Must have at least two interfaces to filter traffic.
o Should have IP Forwarding
• Firewall Deployment Architectures:
o Single-Tier – private network behind a firewall, which is then connected via router to the internet.
o Two-Tier – Two styles
Firewall with three or more interfaces – DMZ located off one of the interfaces of the primary firewall
Two firewalls in a series – DMZ is located between the two serial firewalls
o Three-Tier – Deployment of multiple subnets between the private network and the internet separated by firewalls.
Each subsequent firewall has more stringent filtering rules
Outer-most subnet is usually a DMZ
End Point Security – ‘Each device is responsible for its own security.’
Collision Domain – A group of networked systems that could cause a collision if any two or more of the systems in that group transmitted simultaneously. Any system outside the collision domain cannot cause a collision with any member of that collision domain.
Broadcast Domain – Group of networked systems in which all other members receive a broadcast signal when one of the members of the group transmits it. Any system outside of a broadcast domain would not receive a broadcast from that broadcast domain.
Network Equipment –
• Bridges – used to connect two networks together – even networks on different topologies, cabling types, and speeds.
o Store-And-Forward – bridges that connect networks using different tranmissions speeds that have a buffer to store packets until they can be forwarded to the slower network.
o Operates on Layer 2
o Systems on either side of the bridge are in the same broadcast domain, but separate collision domains.
• Switches – Know the addresses of the systems connected on each outbound port. Instead of repeating traffic on every outbound port, a switch repeats traffic only out of the port on which the destination is known to exist. Switches offer greater efficiency for traffic delivery, create separate collision domains, and improve the overall throughput of data.
o Operate primarily at OSI layer 2.
When they have additional features, such as routing, they are also Layer 3.
o Either side of the switch are in the same broadcast domain, but different collision domains.
o Use to connect network segments that use different protocols.
• Brouters – combination devices comprising a router and a bridge. Attempts to route first, but if it fails, it attempts to do bridging.
o A brouter operates primarily at layer 3, but can also operate at Layer 2.
o Used to connect network segments that use the same protocol
o Systems on either side of a brouter operating at layer 2 are part of the same broadcast domain, but are in different collision domains.
• Gateways – A gateway connects networks that are using different network protocols.
o Used to connect network segments that use different protocols.
o Responsible for transferring traffic from one network to another by transforming the format of that traffic into a form compatible with the protocol or transport method used by each network.
Also known as protocol translators
o Can be standalone devices or software service.
o Systems on either side are part of a different broadcast domain and different collision domains.
o Operate on Layer 7 (Application)
• Proxies – Form of gateway that does not translate across protocols. Instead, proxies serve as mediators, filters, caching servers, and even NAT/PAT servers for a network.
o Performs a function or requests a service on behalf of another system and connects network segments that use the same protocol.
o Most often used in the context of providing clients on a private network with internet access while protecting the identify of the clients.
o Systems on either side of the proxy are on different collision addresses and different broadcast addresses
• LAN Extenders – Remote access, multilayer switch used to connect distant networks over WAN links.
o Local Area Network (LAN) – typically spanning a single floor or building
o Wide Area Network (WAN) – Long distance connection between geographically remote networks.
Cables –
• Types
o Coaxial Cables – Thinnet and Thicknet. Haha.
o Twisted Pair (TX) – Extremely thin and flexible
Problems –
• Using the wrong type of twisted pair cable for high throughouput networking
• Deploying a twisted-pair cable longer than its maximum recommended length (e.g. over 100 meters)
• Using UTP in environments with significant interference.
Unshielded Twisted Pair (UTP) – twisted pair not sheathed. Multiple Classes:
• Cat 1 – Voice Only – Not suitable for networks but usable by modems.
• Cat 2 – 4Mbps – Not suitable for most networks, often employed for host to terminal connections on mainframes
• Cat 3 – 10Mbps – Primarily use in 10BaseT Ethernet networks (offers only 4 Mbps when used on Token Ring networks) as telephone cables
• Cat 4 – 16 Mbps – Primarily used in Token ring networks
• Cat 5 – 100 Mbps – Used in 100BasTX, FDDI, and ATM networks.
• Cat 6 – 1,000 Mbps – Used in high speed networks
• Cat 7 – 10Gbps – Used on 10 gigabit-speed networks
Shielded Twisted Pair (STP) – Twisted pair that’s sheathed
• Baseband and Broadband
o Baseband – transmit only a single signal at a time
o XXyyyyZZ
XX = maximum speed the cable type offers.
• The 10 in 10base2 is 10MBs
Yyyy = baseband or broadband.
• The ‘base’ in 10base2 is baseband
ZZ = either maximum distance or shorthand of technology of the cable
• Maximum distance the 2 in 10base2 is for 200 meters
• Technology the TX in 100BaseTX is for twisted pair
Network Topologies
• Ring Topology – connects points in a circle.
• Bus Topology – Connects each system to a trunk or a backbone cable. All systems on the bus can transmit data simultaneously, which can result in collisions.
o When data is transmitted on a bus topology, all systems on the network hear the data. If the data is not addressed to a specific system, that system just ignores the data.
o Benefit is that if a single segment fails, communications on all other segments continue uninterrupted. However, the central trunk remains a single point of failure.
o Two types:
Linear: Employs a single trunk line with all systems directly connected to it.
Tree: Employs a single trunk line with branches that can support multiple systems.
• Star Topology – Employs a centralized connection device, which can be a hub or switch.
o Each system is connected to the central hub by a dedicated segment. If any one segment fails the other segments can continue functioning. However, the central hub is a single point of failure.
o Generally the star topology use less cabling than other topologies and makes identification of damaged cables easier.
• Mesh Topology – Connects systems to other systems using numerous paths.
o Full mesh connects a system to every other system in the network.
o Provide redundant connections to systems, allow multiple segment failures without seriously affecting connectivity.
Spread Spectrum Communications – Occurs over multiple frequencies at the same time. Thus a message is broken into pieces, and each piece is sent at the same time but using a different frequency. Effectively this is a parallel communication rather than a serial communication.
• Frequency Hopping Spread Spectrum (FHSS) – Employs one frequency at a time, hops to the next. Listener must be doing the same.
• Direct Sequence Spread Spectrum (DSSS) – Employs all available frequencies simultaneously in parallel.
• Orthogonal Frequency-Division Multiplexing (OFDM) – Employs a digital multicarrier modulation scheme that allows for amore tightly impact transmission.
Blue Tooth –
• 802.15 standard
• Attacks
o Bluejacking – allows an attacker to transmit Short Message Service (SMS)-like messages to your device.
o Bluesnarfing – Allows hackers to connect with your Bluetooth device without your knowledge and extract information from them.
o Bluebugging – Attack that grants hackers remote control over the feature and functions of a Bluetooth device.
Radio Frequency Identification (RFID) – tracking technology based on the ability to power a radio transmitter using current generated in an antenna when placed in a magnetic field.
• Concern is that RFID can be privacy violating technology. If you are in possession of a device with an RFID chip, anyone with an RFID reader can take note of the signal from your chip.
Near-Field Communication (NFC) – a standard that establishes radio communications between devices in close proximity (like a few inches versus a few feet for RFID).
LAN Technologies – Three Types:
• Ethernet – Shared media LAN technology that does broadcast.
o Supports full duplexing
o Employs twisted pair cabling
o Most often deployed on star or bus topologies
• Token Ring – Hasn’t been used on a network in a long time.
• Fiber Distributed Data Interface (FDDI) – High speed token-passing technology that employs two rings with traffic flowing in opposite directions.
• Sub technologies:
o Analog and Digital
Analog Communications – Occur with a continuous signal that varies in frequency, amplitude phase, voltage and so on. The variances in the continuous signal produce a wave shape (as opposed to a square shape of a digital signal). The actual communication occurs by variances in the constant signal.
Digital Communications – Occur through the use of discontinuous electrical signal and state change or on-off pulses.
o Synchronous and Asynchronous
Synchronous Communications – Rely on a timing or clocking mechanism based on either an independent clock or a time stamp embedded in the data stream. Typically able to support very high levels of data transport.
Asynchronous Communications – Rely on a stop and start delimiter bit to manage the transmission of data. Because of the use of delimiter bits and the stop and start nature of its transmission, asynchronous communication is best suited for smaller amounts of data. Public switched telephone network (PSTN) modems are good example of asynchronous communication devices.
o Baseband Versus Broadband
Baseband Technology – Can support a single communication channel. It uses a direct current applied to the cable. A current that is at a higher level represents binary signal of 1, and a current that is at a lower level represents a binary signal of 0.
• Form of digital signal.
• Ethernet is baseband.
Broadband Technology – Can support multiple simultaneous signals. Uses frequency modulation to support numerous channels, each supporting a distinct communication session.
• Broadband is suitable for high throughput rates, especially when several channels are multiplexed.
• Form of analog signal.
• Cable, ISDN, DSL, T1 and T3 are examples of broadband technologies.
o Broadcast, Multicast, Unicast
Broadcast – Supports communications to all possible recipients.
Multicast – Supports communications to multiple specific recipients.
Unicast – Supports only a single communication to a specific recipient
LAN Media Access – Used to avoid or prevent transmission technology.
• Carrier Sense Multiple Access (CSMA) – Performs using the following steps:
o Host listens to the LAN media to determine whether it is in use.
o If the LAN media is not being used, the host transmits its communication.
o The host waits for an acknowledgment.
o If no acknowledgement is received after a time-out period, the host starts over at step 1.
• Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) – Uses following steps:
o Host has two connections to the LAN – inbound and outbound. Host listens on the inbound connection to determine whether the LAN media is use.
o If the LAN is not being used, the host requests permission to transmit.
If permission is not granted after a time-out period, the host starts over at step 1.
If permission IS granted, the host transmits its communication over the outbound connection.
Host waits for an acknowledgment.
If no acknowledgment is received after a time-out period, host starts over at step 1.
• Carrier Sense Multiple Access with Collision Detection (CSMA/CD) – Performs communication using the following steps.
o Host listens to the LAN media to determine whether it is in use.
o If the LAN media is not being used, the host transmits its communication.
o While transmitting, the host listens for collisions.
o If a collision is detected , the host transmits a jam signal.
o If a jam signal is received, all hosts stop transmitting. Each host waits a random period of tie then starts over at step 1.
o ETHERNET works on CMSA/CD
Chapter 11 Exam Essentials:
• Know the OSI model layers and which protocols are found at each.
• Have a thorough knowledge of TCP/IP.
• Know the different cabling types and their lengths and maximum throughput rate.
• Be familiar with common LAN technologies.
• Understand the secure network architecture and design.
• Understand the various types and purposes of network segmentation.
• Understand the different wireless technologies.
• Understand fibre channel.
• Understand FCoE.
• Understand iSCSI.
• Understand 802.11 and 802.11a, b, g, n, ac.
• Understand site survey.
• Understand WPA2.
• Understand EAP.
• Understand PEAP.
• Understand LEAP.
• Understand MAC Filtering.
• Understand SSID Broadcast.
• Understand TKIP.
• Understand CCMP.
• Understand captive portals.
• Understand antenna types.
• Know the standard network topologies.
• Know the common network devices.
• Understand the different types of firewalls.
• Know the protocol services used to connect LAN and WAN communication technologies.
Chapter 12: Secure Communications and Network Attacks
Common Secure Communication protocols:
• Internet Protocol Security (IPSec) – uses public key cryptography to provide encryption, access control, nonrepudiation, and message authentication, all using IP-based protocols.
o Primary use of IPSec is for VPNs, IPSec can operate in either transport or tunnel mode.
• Kerberos – Offers a single sing-on solution for users and provides protection for logon credentials.
• Secure Shell (SSH) – end-to-end encryption technique.
o Can be used to encrypt numerous plaintext utilities.
o Can serve as a protocol encrypter
o Can function as a VPN
• Signal Protocol – Cryptographic protocol that provides end-to-end encryption for voice communications, videoconferencing, and text message services.
• Secure Remote Procedure Call (S-RPC) – Authentication service and simply a means to prevent unauthorized execution of code on remote systems.
• Secure Sockets Layer (SSL) – Encryption protocol developed by Netscape to protect the communications between a web server and a web browser.
o Can be used to secure web, email, FTP or even Telnet traffic.
o Superseded by TLS.
• Transport Layer Security (TLS) – functions in same general manner as SSL, but it uses stronger authentication and encryption protocols.
o Both TLS and SSL feature:
Support secure client-server communications across an insecure network while preventing tampering, spoofing, and eavesdropping.
Support one-way authentication.
Support two-way authentication using digital certificates.
Open implemented as the initial payload of a TCP package, allowing it to encapsulate all high-layer protocol payloads.
Can be implemented at lower layers, sch as layer 3 to operate as a VPN. This implementation is known as open VPN.
o In addition, TLS can be used to encrypt UDP and SIP (Session Initiation Protocol) connections.
Common Authentication protocols: After a connection has been established between a remote system and a server or a network, the first activity that should take place is to verify the identity of the remote user. This activity is known as authentication. Can be done through several protocols:
• Challenge Handshake Authentication Protocol (CHAP) – Used over PPP links. Encrypts usernames and passwords. Performs authentication using a challenge-response dialogue that cannot be replayed.
o Also periodically reauthenticates the remote system throughout an established communication session to verify a persistent identity of the remote client.
• Password Authentication Protocol (PAP) – A standardized authentication protocol for PPP.
o Transmits usernames and passwords in cleartext.
o Offers no form of encryption; simply offers a means to transport the logon credentials from the client to the authentication server.
• Extensible Authentication Protocol (EAP) – Framework instead of an actual protocol. Allows customized authentication security standards. NOTE TO SELF – USE PEAP.
Email – Basically email servers are:
• Using SMTP – to accept messages from clients, transport those messages to other servers, and deposit them into a users server based inbox.
• Clients retrieve email from their server based inboxes using Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP)
• These protocols do not employ encryption natively. Hence need for email security solutions:
o Secure Multipurpose Internet Mail Extensions (S/MIME) – email security standard that offers authentication and confidentiality to email through public key encryption and digital signatures.
Privacy is provided through the use of Public Key Cryptography Standards (PKCS) encryption.
Two types of S/MIME
• Signed Messages – provides integrity, sender authentication, and nonrepudiation
• Secured Enveloped Messages – provides integrity, sender authentication, and confidentiality.
o MIME Object Security Services (MOSS) –
Can provide authentication, confidentiality, integrity, and nonrepudiation for email messages.
Employs MD2, MD5, RSA and DES
o Privacy Enhanced Mail (PEM) –
Provides authentication, integrity, confidentiality and nonrepudiation.
Uses RSA, DES, and X.509
o DomainKeys Identified Mail (DKIM) –
Means to assert that valid mail is sent by an organization through verification of domain name identity.
o Opportunistic TLS for SMTP Gateways (RFC 3207) –
Will attempt to set up an encrypted email connection with every other email server in the event that it is supported.
o Sender Policy Framework (SPF) – Operates by checking that inbound messages originate from a host authorized to send messages by the owners of the SMTP origin domain.
For example, if I receive a message from mark.nugget@abccorps.com, then SPF checks with the administrators of smtp.abccorps.com that mark.nugget is authorized to send messages through their system before the inbound message is accepted and sent into the recipient inbox.
Remote Access Technology – Four main types
• Service Specific – Gives users the ability to remotely connect to and manipulate or otherwise interact with a specific service such as email.
• Remote Control – Grants a remote user the ability to fully control another system that is physically distant from them. Monitor and keyboard act as if they are directly connected to the remote system.
• Screen Scraper – refers either to
o remote control, remote access or remote desktop services, or
o a Technology that can allow an automated tool to interact with a human interface. For example, some stand alone data gathering tools use search engines in their operation.
• Remote Node Operation – Remote node operation is just another name for dial-up connectivity. A remote system connects to a remote access server. That server provides the remote client with network services and possible internet access.
• Security Considerations:
o Choose Correct Remote Technology
o Ensure Transmission Protection (security protocol)
o Ensure Authentication Protection
o Remote User Assistance (help desk)
Dial Up Protocols – Two primary examples of dial up protocols
• Pont-to-Point Protocol (PPP) – Full-duplex protocol used for transmitting TCP/IP packets over various non-LAN connections, such as modems, ISDN, VPNs, etc.
o Transport protocol of choice for dial-up internet connections.
o Authentication protected through use of various protocols like CHAP and PAP.
• Serial Line Internet Protocol (SLIP) – older technology developed to support TPC/IP communication over asynchronous serial connections such as serial cables modem.
Centralized Remote Authentication Services – layers of security between remote clients and a private network.
• Remote Authentication Dial-In User Service (RADIUS) – used to centralize the authentication of remote dial-up connections.
o A network that employs a RADIUS server is configured so the remote access server passes dial-up user logon credentials to the RADISU server for authentication.
o Process is similar to the process used by domain clients sending logon credentials to a domain controller for authentication.
o Enhanced version of RADIUS called Diameter.
Uses TCP Port 3868, providing better reliability than UDP used by RADIUS.
Supports IPsec and TLS.
• Terminal Access Controller-Access-Control System (TACACS+) – alternative to RADIUS, available in three versions:
o TACACS – integrates the authentication and authorization processes.
o Extended TACACS (XTACACS) – separates the authentication, authorization and accounting processes.
o TACACS+ - Improves on XTACACS by adding two factor authentication. Goes on TPC port 49.
Virtual Private Network (VPN) – Tunnel that provides point-to-point transmission of both authentication and data traffic over an intermediary untrusted network.
• Most use encryption to protect encapsulated traffic, but encryption is not required for it to be considered VPN.
• Tunneling – network communications process that protects the contents of protocol packets by encapsulating them in packets of another protocol.
o Sending a regular piece of mail is the same concept.
You create a personal letter (primary content protocol packet)
Place it in an envelope (the tunneling protocol).
Envelope is delivered through a postal service (untrusted intermediary network)
Received by intended recipient.
o Protects the contents of the inner protocol and traffic packets by encasing, or wrapping, it in an authorized protocol used by the intermediary network or connection.
o Can be used if the primary protocol is not routable and to keep the total number of protocols supported on the network to a minimum.
• How VPN Works:
o A VPN link can be established over any other network communication connection.
o A VPN link acts just like a typical direct LAN cable connection; the only possible difference would be speed based on the intermediary network and on the connection types between the client system and the server system.
o Over a VPN link, a client can perform the same activities and access the same resources as if they were directly connected via a LAN cable.
o VPNs can connect two individual systems or two entire networks.
Only difference is that the transmitted data is protected only while it is within the VPN tunnel.
o Remote access servers or firewalls on the network’s border acts as the start points and endpoints for VPNs.
Thus traffic is unprotected within the source LAN, protected between the border VPN servers, and then unprotected again once it reaches the destination LAN.
• Common VPN Protocols:
o Point-to-Point Tunneling Protocol (PPTP) – encapsulation protocol developed from the dial up Point-to-Point Protocol (PPP).
Operates at the Data Link Layer and is used on IP networks.
PPTP creates a point-to-point tunnel between two systems and encapsulates PPP packets.
Offers protection for authentication traffic through the same authentication protocols supported by PPP
Does not support TACACS+ or RADIUS
o Layer 2 Forwarding Protocol (L2F)
No encryption.
Sucks, wasn’t used much, replaced by L2TP.
o Layer 2 Tunneling Protocol (L2TP) –
Creates a point-to-point tunnel between communication endpoints.
Lacks built in encryption scheme
Typically relies on IPsec as its security mechanism .
Supports TACACS+ and RADIUS. I
o IP Security Protocol (IPsec)
Most commonly used VPN protocol.
Stand alone VPN protocol as well as security mechanism for L2TP
Can only be used on IP traffic
Consists of the security elements of IPv6 crafted into an add-on package for IPv4.
Provides for secured authentication as well as encrypted data transmission
TWO Primary components, or functions:
• Authentication Header (AH) – Provides authentication, integrity, and nonrepudiation.
• Encapsulating Security Payload (ESP) – Provides encryption to protect the confidentiality of transmitted data, but it can also perform limited authentication.
Operates at Layer 3
Can be used in transport mode or tunnel mode.
• Transport mode – Packet data is encrypted but the packet header is not.
• Tunnel Mode – entire IP packet is encrypted and a new header is added to the packet to govern transmission through the tunnel.
Virtual Local Area Network (VLAN) – hardware imposed network segmentation created by switches.
• By default, all ports on a switch are part of VLAN 1.
• A switch administrator changes the VLAN assignment on a port-by-port basis, and groups various ports together and keeps them distinct from other VLAN port designations.
• Can also be assigned or created based on device MAC address, mirroring the IP subnetting, around specified protocols, or based on authentication.
• Treated like subnets, but they are not actually subnets.
o VLANs are created by switches.
o Subnets are created by IP address and subnet mask assignments.
• Used to segment a network logically without altering its physical topology.
• Easy to implement, have little administrative overhead, and are a hardware-based solution.
• Operate at layer 3 via switch.
Virtualization – used to host one or more operating systems within the memory of a single host computer.
• This mechanism allows virtually any OS to operate on any hardware.
• The OS that operating in the virtual environment is the guest operating system.
• Allows multiple operating system to operate simultaneously on the same hardware.
• Has several benefits:
o Being able to launch individual instances of servers or services as needed
o Real time scalability
o Being able to run the exact OS version needed for the needed application.
• Several security benefits as well:
o Easier and faster to make backups of entire virtual systems than the equivalent native hardware installed system.
o If there’s an error or problem, the virtual system can be replaced by a backup in minutes. Malicious code compromise or infection of virtual systems rarely affects the host OS.
o Allows for safe testing and experimentation
• VM Escaping – when software within a guest OS is able to breach the isolation protection provided by the hypervisor in order to violate the container of other guest OS’s or to infiltrate a host OS.
o To avoid:
Keep highly sensitive systems and data on separate physical machines.
Keep all hypervisor software current with vendor-released patches (especially with updates related to VM escaping vulnerabilities).
• Virtual Software
o A virtual application is a software product deployed in such a way that it is fooled into believing it is interacting with a full host OS.
Virtual application has been packaged or encapsulated to make it portable and able to operate without the full installation of its original host OS.
E.g. running a Windows application within a Linux OS.
o Virtual Desktop refers to at least three different types of technology:
A remote access tool that grants the user access to a distant computer system by allowing remote viewing and control of the distant desktop’s display, keyboard, mouse, and so on.
An extension of the virtual application concept encapsulating multiple applications and some form of “desktop” or shell for portability or cross-OS operation.
• Offers some of the features/benefits/applications one platform to users of another without the need for multiple computers, dual-booting, or virtualizing an entire OS platform.
An extended or expanded desktop larger than the display being used allows the user to employ multiple application layouts, switching between them using keystrokes or mouse movements
o Network Virtualization is the combination of hardware and software networking components into a single integrated entity.
The resulting system allows for software control over all network functions:
• Management
• Traffic Shaping
• Address Assignment
• Etc.
A single management console or interface can be used to oversee every aspect of the network, a task requiring physical presence at each hardware component in the past.
Allows organizations to implement or adapt other interesting network solutions, including software-defined networks, virtual SANs, guest operating systems and port isolation.
Software Defined Networking – based on the theory that the complexities of a traditional network with on-device configuration (i.e., routers and switches) often force an organization to stick with a single device vendor, such as Cisco, and limit the flexibility of the network to adapt to changing physical and business conditions.
• Aims to separate the infrastructure layer (e.g. the hardware) from the control layer (e.g. network services of data transmission management)
• Also removes the traditional networking concepts of IP addressing, subjets, routing, and the like from needing to be programmed into or be deciphered by hosted applications.
• Traits:
o Directly programmable from a central location
o Is Flexible
o Vendor Neutral
o Open standards based
Network Address Translation (NAT) – Goal of hiding the identify of internal clients, masking the design of your private network, and keeping public IP address leasing costs to a minimum are all simple to achieve through the use of NAT.
• NAT is a mechanism for converting the internal IP addresses found in packet headers into public IP addresses for transmission over the internet.
• NAT was developed to allow private networks to use any IP address wet without causing collisions or conflicts with public internet hosts with the same IP addresses.
• In effect NAT translates the IP addresses of your internal clients to leased addresses outside your environment.
• NAT offers multiple benefits:
o You can connect an entire network to the internet using only a single or just a few leased public IP addresses.
o You can use the private IP addresses in RFC 1918 in a private network and still be able to communicate with the internet.
o NAT hides the IP addressing scheme and network topography from the internet.
o NAT restricts connections so that only traffic stemming from connections originating from the internal protected network is allowed back into the network from the internet.
• How NAT Works:
o NAT operates by maintaining a mapping between requests made by internal clients, a client’s internal IP address, and the IP address of the internet service contacted.
o When a request packet is received by NAT from a client, it changes the source address in the packet from the client’s to the NAT server’s.
o This change is recorded in the NAT mapping database along with the destination address
o Once a reply is received from the internet server, NAT matches the reply’s source address to an address stored in its mapping database and then use the linked client address to redirect response packet to its intended destination.
o This is called stateful mapping because it maintains information about the communication sessions between clients and external systems.
• Static versus Dynamic
o Static NAT – Use static mode NAT when a specific internal client’s IP address is assigned a permanent mapping to a specific external public IP address.
o Dynamic NAT – Use dynamic mode NAT to grant multiple internal clients access to a few leased public IP addresses. Thus, a large internal network can still access the internet without having to lease a large block of public IP addresses. This keeps public IP address usage abuse to a minimum and helps keep internet access costs to a minimum.
• NAT is not directly compatible with IPsec since it involves changing headers, which IPsec needs. NAT Traversal was designed to support IPsec VPNs through the use of UDP encapsulation of IKE.
Notable IP Addresses to memorize.
• Private IP Addresses: The following IP addresses are commonly called the private IP addresses, per RFC 1918:
• 10.0.0.0 to 10.255.255.255 (a full Class A range [10.’s])
• 172.16.0.0 to 172.31.255.255 (16 Class B ranges [.16. to .31.])
• 192.168.0.0 to 192.168.255.255 (256 Class C ranges)
• All routers and traffic directing devices are configured by default not to forward traffic to or from these IP addresses.
o The Private IP addresses are not routed by default.
o Cannot be directly used to communicate over the internet.
• Automatic Private IP Addressing (APIPA) – assigns an IP address to a system in the event of a DHCP assignment failure.
o Assigns each failed DHCP client with IP address from the range of 169.254.0.1 to 169.254.255.254
o Class B subnet mask 255.255.0.0.
• Loopback address – allows for testing of local network setting in spite of missing, damaged, or nonfunctional network hardware and related device driver.
Notable IP Range
Privat IP Addresses 10.0.0.0 to 10.255.255.255 (a full Class A range [10.’s])
Privat IP Addresses 172.16.0.0 to 172.31.255.255 (16 Class B ranges [.16. to .31.])
Privat IP Addresses 192.168.0.0 to 192.168.255.255 (256 Class C ranges)
APIPA Addresses 169.254.0.1 to 169.254.255.254 class C ranges
Loopback Address 127.x.x.x - all of the class A 127 network.
Switching –
• Circuit Switching – Originally developed to manage telephone calls over the public switched telephone network. In circuit switching, a dedicated physical pathway is created between two parties. NOT really used anymore.
• Packet Switching – Occurs when the message or communication is broken up into small segments (usually fixed-length packets, depending on the protocols and technologies employed) and sent across the intermediary networks to the destination.
o Each segment of data has its own header that contains source and destination information. The header is read by each intermediary system and is used to route each packet to its intended destination.
• Virtual Circuit – a logical pathway or circuit created over a packet-switched network between two specific endpoints. Within packet switching systems are two types of virtual circuits.
o Permanent Virtual Circuits (PVCs) – Like a dedicated leased line; the logical circuit always exists and is waiting for the customer to send data. Effectively a predefined circuit that was always available.
Like a two-way radio or walkie-talkie.
o Switched Virtual Circuits (SVCs) – more like a dial-up connection because a virtual circuit has to be created using the best paths currently available before it can be used and then disassembled after the transmission is complete.
Like a ham radio because you have to tune into new frequency every time you want to communicate with someone.
WAN Technologies – Used to connect distant networks, nodes, or individual devices together. Can be divided into two primary categories:
• Dedicated versus nondedicated
o Dedicated Line – AKA Leased Line – one that is continually reserved for use by a specific customer
o Nondedicated Line – One that requires a connection to be established before data transmission can occur. A nondedicated line can be used to connect with any remote system that use the same type of nondedicated line.
• X.25 WAN Connection – An older packet switching technology that was widely used in Europe.
• Frame Relay Connections – A packet-switching technology that also uses PVCs. Unlike X.25, supports multiple PVCs over a single WAN carrier service connection.
o Operates in Layer 2.
o Committed Information Rate (CIR) – The guaranteed minimum bandwidth a service provider grants to its customers. Usually significantly less than the actual maximum capability of the provider network.
• Asynchronous Transfer Mode (ATM) – Cell Switching WAN communication technology, opposed to a packet-switching technology like Frame Relay.
o Fragments communications into fixed-length 53 byte cells.
o Very efficient and offer high throughputs.
o Use PVCs or SVCs
• Switched Multimegabit Data Service (SMDS) – A connectionless packet-switching technology used to connect multiple LANs to form a metropolitan area network or WAN.
o Supports high-speed bursty traffic and bandwidth on demand.
o Fragments data into small transmission cells.
• Synchronous Digital Hierarchy (SDH) – Fiber optic high speed network standard
• Synchronous Optical Network (SONET) – Fiber optic high speed network standard
• Specialized WAN Protocols –
o Synchronous Data Link Control (SDLC) – Used on permanent physical connections of dedicated leased lines to provide connectivity for mainframes, such as IBM Systems Network Archtecture (SNA) systems.
SDLC uses polling,
operates at Layer 2
o High Level Data Link Control (HDLC) – refined version of SDLC designed specifically for serial synchronous connections.
Chapter 12 Exam Essentials:
• Understand the issues around remote access security management.
Remote access security management requires that security system designers address the hardware and software components of an implementation along with issues related to policy, work tasks, and encryption.
• Be familiar with the various protocols and mechanisms that may be used on LANs and WANs for data communications.
These are:
o SKIP
o SWIPE
o SSL
o SET
o PPP
o SLIP
o CHAP
o PAP
o EAP
o S-RPC
o Also can include VPN, TLS/SSL, and VLAN
• Know what tunneling is.
Tunneling is the encapsulation of a protocol-deliverable message within a second protocol. The second protocol often performs encryption to protect the message contents.
• Understand VPNs.
VPNs are based on encrypted tunneling. They can offer authentication and data protection as a point-to-point solution. Common VPN protocols are PPTP, L2F, L2TP and IPsec.
• Be able to Explain NAT.
NAT protects the addressing scheme of a private network, allows the use of the private IP addresses, and enables multiple internal clients to obtain internet access through a few public IP addresses. NAT is supported by many security border devices, such as firewalls, routers, gateways, and proxies.
• Understand the difference between packet switching and circuit switching.
In circuit switching, a dedicated physical pathway is created between the two communicating parties. Packet switching occurs when the message or communication is broken up into small segments (packets) and sent across the intermediary networks to the destination. Within packet switching systems are two types of communication paths, or virtual circuits: permanent virtual circuits (PVCs) and switched virtual circuits (SVCs).
• Understand the difference between dedicated and nondedicated lines.
A dedicated line is always on and is reserved for a specific customer. Examples of dedicated lines include T1, T3, E1, E3, and cable modems. A nondedicated line requires a connection to be established before data transmissions can occur. It can be used to connect with any remote system that uses the same type of nondedicated line. Standard modems, DSL, and ISDN are examples of nondedicated lines.
• Know various issues related to remote access security.
Be familiar with remote access, dial-up connections, screen scrapers, virtual applications/desktops, and general telecommuting security concerns.
• Know the various types of WAN technologies.
Know that most WAN technologies require a channel service nit/data service unit (CSU/DSU), sometimes called a WAN switch. There are many types of carrier networks and WAN connection technologies, such as X.25, Frame Relay, ATM, SMDS, SDH, and SONET.
Some WAN connection technologies require additional specialized protocols to support various types of specialized systems ort tools.
• Understand the differences between PPP and SLIP.
The Point-to-Point Protocol (PPP) is encapsulation protocol designed to support the transmission of IP traffic over dial-up or point-to-point links.
PPP includes a wide range of communication services, including assignment and management of IP addresses, management of synchronous communications, stanrdardized encapsulation, multiplexing, link configuration, link quality testing, error detection, and fature or option negotiation (such as compression). PPP was originally designed to support CHAP and APAP for authentication. However, recent versions of PPP also support MS-CHAP, EAP, SPAP. PPP Replaced Serial Line Internet Protocol (SLIP).
SLIP offered no authentication, supported only half-duplex communications, had no error detection capabilities, and required manual link establishment and teardown.
• Understand common characteristics of security controls.
Security controls should be transparent to users. Hash totals and CRC checks can be used to verify message integrity. Record sequences are used to ensure sequence integrity of a transmission. Transmission logging helps detect communication abuses.
• Understand how email security works.
Internet based SMTP, POP3, and IMAP. It is inherently insecure. It can be secured, but the methods used must be addressed in a security policy. Email security solutions include using S/MIME, MOSS, PEM or PGP.
• Know how fax security works.
Primarily based on using encrypted transmissions or encrypted communication lines to protect the faxed materials. The primary goal is to prevent interception. Activity logs and exception reports can be used to detect anomalies in fax activity that could be symptoms of attack.
• Know the threats associated with PBX systems and the countermeasures to PBX fraud.
Countermeasures to PBX fraud and abuse include many of the same precautions you would employ to protect a typical computer network: logical or technical controls, administrative controls, and physical controls.
• Understand the security issues related to VoIP.
VoIP is at risk for caller ID spoofing, vishing, SPIT, call manager software/firmware attacks, phone hardware attacks, DoS, MitM, spoofing, and switch hopping.
• Recognize what a phreaker is.
Phreaking is a specific type of attack in which various types of technology are used to circumvent the telephone system to make free long-distance calls, to alter the function of telephone service, to steal specialized services, or even to cause service disruptions. Common tools of phreakers include black, red, blue, and white boxes.
• Understand voice communications security.
Voice communications are vulnerable to many attacks, especially as voice communications become an important part of network services. You can obtain confidentiality by using encrypted communications. Countermeasures must be deployed to protect against interception, eavesdropping, tapping, and other types of exploitation. Be familiar with voice communication topics, such as POTS, PSTN, PBX, VoIP.
• Be able to explain what social engineering is.
Social engineering is a means by which an unknown person gains the trust of someone inside your organization by convincing employees that they are, for example, associated with upper management, technical support, or the help desk. The victim is often encouraged to make a change to their user account on the system, such as reset their password, so the attacker can use it to gain access to the network. The primary countermeasure for this sort of attack is user training.
• Explain the concept of security boundaries.
A security boundary can be the division between one secured area and another secured area. It can also be the division between a secured area and an unsecured area. Both must be addressed in a security policy.
• Understand the various network attacks and countermeasures associated with communications security.
Chapter 13: Managing Identity and Authentication
Assets, in this context include:
• Information
• Systems
• Devices
• Facilities
• Personnel
Subject – An active entity that accesses a passive object to receive information from, or data about, an object.
• Subjects can be users, programs, processes, services, computers, anything else that can access a resource.
• When authorized, subjects can modify objects.
Object – A passive entity that provides information to active subjects.
• Some examples of objects include files, databases, computers, programs, processes, services, printers, and storage media.
Access Control
• Access control includes the following overall steps:
o Identify and authenticate users or other subjects attempting to access resources.
o Determine whether the access is authorized.
o Grant or restrict access based on the subject’s identity.
o Monitor and record access attempts.
• There are multiple types of access controls:
o Preventative access controls
o Detective access controls
o Corrective access controls
o Deterrent access controls
o Directive access controls
o Compensating access controls
o Administrative access controls
o Logical/Technical controls
o Physical controls
• Identification versus authentication
o Identification is the process of a subject claiming, or professing, an identify.
Step 1 in the process
Might entail typing a user name, swiping a smart card, etc.
o Authentication verifies the identity of the subject by comparing one or more factors against a database of valid identities, such as user accounts.
Step 2 in the process.
Authentication Factors:
• Type I – Something you know.
o Weakest
• Type 2 – Something you have.
• Type 3 – Something you are.
o Strongest
• There is also “Somewhere you are” using IP
Context-Aware Authentication – Can identify multiple elements such as the location of the user, the time of day, and the mobile device.
• Authorization versus Accountability
o Authorization – Subjects are granted access to objects based on proven identities. For example, administrators grant users access to files based on the user’s proven identity.
o Accountability – Users and other subjects can be held accountable for their actions when auditing in implemented.
Auditing tracks subjects and records when they access objects, creating an audit trail in one or more audit logs. For example, auditing can record when a user reads, modifies, or deletes a file.
• Auditing provides accountability.
Cognitive Passwords – Annoying ones like “what’s your first pet,” or, “What is your favorite sport.”
Smart Cards and Tokens
• Smart Cards – credit card sized ID badges with circuit chip embedded.
• Token Device – AKA token or hardware token – password generating device that users carry with them.
o Synchronous Dynamic Password Tokens – Hardware tokens create synchronous dynamic passwords are time-based and synchronized with an authentication server.
Generate a new password periodically, such as every 60 seconds.
o Asynchronous Dynamic Password Tokens – Does not use a clock. Instead, the hardware token generates passwords based on an algorithm and an incrementing counter.
Technical term is a ‘nonce’ – A ‘number used once.’
Two-Step Authentication – LIKE THE EVANS WEBSITE. Log in with password, confirmation text sent to cell with a password you gotta enter and match to their database. Takes advantage of the following standards:
• HMAC-based One-Time Password (HOTP) – Typically creates a HOTP values of six to eight numbers. Similar to asynchronous dynamic passwords created by tokens. HOTP value remains valid until used.
o Hash Message Authentication Code (HMAC)
• Time Based One Time Password (TOTP) – Similar to HOTP, except it use a timestamp and remains valid for a certain timeframe, such as 30 seconds. Password expires if the user doesn’t use within the timeframe. This is similar to the synchronous dynamic passwords used by tokens.
Biometrics
• include the following:
o Fingerprints
o Face Scans
o Retina Scans
o Iris Scans
o Palm Scans
o Hand Geometry
o Hear/Pulse Patterns
o Voice Pattern Recognition
o Signature Dynamics
o Keystroke Patterns
• Error Ratings
o False Rejection Rate (FRR) – False Rejection occurs when a valid subject is not authenticated.
Occurs when a device is calibrate to too high a sensitivity level.
Dawn usually has her fingerprint work on the scanner. Says nope, not today bitch.
Ratio of false rejections is known as the False Rejection Rate (FRR)
A Type I Error
o False Acceptance Rate (FAR) – False Acceptance Occurs when a nonvalid subject is successfully authenticated.
Occurs when a device is not calibrated to a high enough degree of sensitivity.
Ratio of false positives to valid authentications is called the FAR.
o Crossover Error Rate (CER) – AKA Equal Error Rate (ERA) – The point where the FRR and the FRR percentages are equal.
Devices with Lower CERs are more accurate than devices with higher CERs.
Not necessary, and often not desirable, to operate a device with the sensitivity set at the CER level. E.g. a higher degree of security area would want the CER to be very high since it’s better to have a false rejection over a false acceptance.
• Biometric Registration:
o For a biometric device to work as an identification or authentication mechanism, a processed call enrollment (registration) must take place.
During Enrollment, a subject’s biometric factor is sampled and stored in the device’s database. This stored sample of a biometric factor is the reference profile or reference template.
• Throughput Rate is the amount of time the system requires to scan a subject and approve a deny access. The more complex or detailed a biometric characteristic, the longer processing takes.
o Subjects typically accept a throughput of about 6 seconds or faster.
Authentication
• Multifactor Authentication –
o Multifactor Authentication – any authentication using two or more factors.
o Two Factor or Dual Factor Authentication – requires two different factors to provide authentication.
• Device Authentication – When the user logs on from the device, the authentication system checks the user account for a registered device. It then verifies the characteristics of the user’s device with the registered device.
o Even though some of these characteristics change over time, this has proven to be a successful device authentication method.
• Service Authentication – Many services also require authentication, and they typically use a username and password. A service account is simply a user account that is created for a service instead of a person.
Implementing Identity Management – Fall into one of two categories:
• Centralized versus Decentralized Access Control
o Centralized Access Control – Implies that all authorization verification is performed by a single entity within a system.
o Decentralized Access Control – Implies that various entities located throughout a system perform authorization verification.
• Single Sign-On – Centralized access control technique that allows a subject to be authenticated once on a system and to access multiple resources without authenticating again.
o Very convenient for users, but it also increases security - When users have to remember multiple user names and passwords, they are more prone to write them down.
o Disadvantage is that one compromise fucks the entire system.
o Include methods to protect user credentials:
o Several Common Mechanisms:
Lightweight Directory Access Protocol (LDAP) – Like a telephone directory for network services and assets. Users, clients, and processes can search the directory service to find where a desired system or resource resides.
• Subjects must authenticate to the directory service before performing any queries.
• Directory service will reveal only certain information to a subject, based on that subject’s assigned privileges.
• PKI uses LDAP when integrating digital certificates into transmissions.
Kerberos – Ticket authentication mechanism that employs a third party entity to prove identification and provide authentication.
• Provides confidentiality and integrity for authentication traffic using end-to-end security and helps protect against eavesdropping and replay attacks.
• It uses several different elements that are important to understand:
o Key Distribution Center (KDC) – the trusted third party that provides authentication services. Kerberos uses symmetric-key cryptography to authenticate clients to servers. All clients and servers are registered with the KDC, and it maintains the secret keys for all network members.
o Kerberos Authentication Server – Hosts the functions of the KDC: a ticket granting service (TGS) and an authentication service (AS).
AS – Verifies or rejects the authenticity and timeliness of tickets.
TGS – Several components:
• Ticket Granting Ticket (TGT) – provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects.
o A TGT is encrypted and includes a symmetric key, and expiration time, and the user’s IP address.
o Subjects present the TGT when requesting tickets to access objects.
o Federated Identity Management and SSO – Many cloud based application use federated identify management (FIM), which is a form of SSO.
Like an @ub.com address.
Federated identify systems use markup language to address the challenge of finding a common language. Uses:
• Hypertext Markup Language (HTML) – Commonly used to display static web pages.
o Describes how data is displayed using tags.
• Extensible Markup Language (XML) – goes beyond describing how to display the data but actually describing the data.
• Security Assertion Markup Language (SAML) – An XML-based language that is commonly used to exchange authentication and authorization (AA) information between federated organizations. It is often used to provide SSO capabilities for browser access.
• Service Provisioning Markup Language (SPML) – Newer framework based on XML and is specifically designed for exchanging user information for federated identity SSO purposes.
• Extensible Access Control Markup Language (XACML) – A standard used to define access control policies within an XML format. Commonly implements policies as an attributed based access control system but can also use role based access controls.
• OAuth 2.0 – Open Authenticaiton – open standard used for access delegation.
o Like when you get an app that interacts with twitter, so it brings you to a Twitter login, and you have to grant it access there after logging in.
o Benefit is never giving your twitter credentials to the app.
• OpenID – When users go to an OpeID-enabled website, (also known as Relying Party), they are prompted to provide their OpenID identity as a URL.
o The two sites exchange data and create a secure channel.
o The user is then redirected to the OpenID provider and is prompted to provide the password.
o If correct, the user is redirected to the OpenID-enabled site.
• OpenID Connect – An authentication layer using the OAuth 2.0 framework. Like OpenID, it is maintained by the OpenID Foundation. It builds on the technologies created with OpenID but uses JavaScript Object Notation (JSON) Web Token (JWT), also called and ID Token.
o OpenID uses a Representational State Transfer (REST) – compliant web service to retrieve the JWT.
o In addition to providing authentication, the JWT can also provide profile information about the user.
Chapter 13 Exam Essentials:
• Know the difference between subjects and objects.
• Know the various types of access controls.
• Know the implementation methods of access controls.
• Understand the difference between identification and authentication.
• Understand the difference between authorization and accountability.
• Understand the details of the primary authentication factors.
• Understand single sing-on.
• Understand the purpose of AAA protocols.
• Understand the identity and access provisioning lifecycle.
Chapter 14: Controlling and Monitoring Access
Permissions – In general, refer to the access granted for an object and determine what you can do with it. If you have read permission for a file, you’ll be able to open it and read it.
• Can grant user permission to create, read, edit or delete a file.
Rights – Primarily refers to the ability to take an action of an object. E.g. right to modify system time, right to restore backed up data.
Privileges – the combination of rights and permissions. E.g. an administrator for a computer will have full privileges, granting the administrator full rights and permissions to the computer.
Authorization Mechanisms:
• Implicit Deny – Ensures that access to an object is denied unless access has been explicitly granted to a subject.
• Access Control Matrix – a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine if the subject has the appropriate privileges to perform the action.
o OBJECT focused – identify access granted to subjects for any specific object.
• Capability Tables – Different from ACLs in that a capability table is focused on subjects (such as users, groups, or roles).
o E.g. – capability table created for the accounting role will include a list of all objects that the accounting role can access and will include the specific privileges assigned to the accounting role for these objects.
In contracts, ACLs are focused on objects.
An ACL for a file would list all the users and/or groups that are authorized access to the file and the specific access granted for each.
o SUBJECT focused – identify the objects that the subjects can access.
• Constrained Interface – Applications use these to restrict what users can do or see based on their privileges. Users with full privileges have access to all the capabilities of the application.
• Content-Dependent Control – Restricts access to data based on the content of the object.
o E.g. a customer table in a database could include customer names, email addresses, phone numbers and credit card data. A customer-based view might show only the customer names and email addresses but nothing else.
o Users granted access to the view can see the customer names and email addresses but cannot access data in the underlying table.
• Context-Dependent Control – Requires a specific activity before granting users access.
o E.g. consider data flow for a transaction selling digital products online:
Users add products to a shopping cart and begin the checkout process.
First page in the checkout flow shows the products in the shopping cart, the next page collects credit card data, and the last page confirms the purchase and provides instruction for downloading the digital products.
Download page won’t present until purchase process has been completed.
Access Control Models:
• Discretionary Access Control – A key characteristic of the Discretionary Access Control model is that every object has an owner and the owner can grant or deny access to any other subjects. For example, if you create a file, you are the owner and can grant permissions to any other user to access the file.
o Uses Access Control Lists (ACLs)
• Mandatory Access Control (MAC) – Uses labels applied to both subjects and objects.
o E.g. if a user has a label of top secret, the user can be granted access to a top-secret document.
In this case, the subject and object have matching labels.
o Three types of environments:
Hierarchical Environment – relates various classification labels in an ordered structure from low security to medium security to high security, such as Confidential, Secret, and Top Secret, respectively. Each level or classification label in the structure is related. Clearance in one level grants the subject access to all objects in less sensitive levels.
Compartmentalized Environment – There is no relationship between one security domain and another. Each domain represents a separate isolated compartment. To gain access to an object, the subject must have specific clearance for its security domain.
Hybrid Environment – A hybrid environment combines both hierarchical and compartmentalized concepts so that each hierarchical level may contain numerous subdivisions that are isolated from the rest of the security domain. A subject must have the correct clearance and the need to know data within a specific compartment to gain access to the compartmentalized object.
• Attribute Based Access Control (ABAC) – uses rules that can include multiple attributes. Allows ABAC to be more flexible than a rule-based access control model that applies rules equally.
o Many software-defined networks use the ABAC model.
o Additionally, ABAC allows administrators to create rules within a policy using plain language statements such as ‘Allow Managers to access the WAN using a mobile device.’
• Role Based Access Control (RBAC) – Uses roles or groups. Instead of being assigned directly to each user, users are put into roles and roles receive permissions.
o Task Based Access Control (TBAC) – Similar to RBAC, but instead of being assigned to one or more roles, each user is assigned an array of tasks. These items all relate to assigned worked tasks for the person associated with a user account.
Under TBAC, the focus is on controlling access by assigned tasks rather than by user identity.
• Rule Based Access Control – Applies global rules that apply to all subjects. E.g. a firewall uses rules that allow or block traffic to all users equally.
Threat Modeling Approaches –
• Focused on Assets – Uses asset valuation results and attempts to identify threats to the valuable assets.
• Focused on Attackers – Some organizations identify potential attackers and identify the threats they represent based on the attackers’ goals.
• Focused on Software – Consideration of potential development threats for developed software.
Chapter 14 Exam Essentials:
• Identify Common Authorization Mechanisms.
• Know details about each of the access control models.
• Understand basic risk elements.
• Know how brute-force and dictionary attacks works.
• Understand the need for strong passwords.
• Understand how salt and pepper thwarts password attacks.
• Understand sniffer attacks
• Understand Spoofing attacks
• Understand Social Engineering
• Understand Phishing
Chapter 15: Security Assessment and Training
Different Security Shit:
• Security Tests verify that a control is functioning properly.
• Security Assessments are comprehensive reviews of the security of a system, application, or other tested environment.
• Security Audits use many of the same techniques followed during the security assessments, but must be performed by independent auditors.
• Internal Audits are performed by an organization’s internal audit staff and are typically intended for internal audiences.
Security Content Automation Protocol (SCAP) – NIST framework for facilitating discussion and automation of interactions between different security systems. Includes the following:
• Common Vulnerabilities and Exposures (CVE) – Provides a naming system for describing security vulnerabilities.
• Common Vulnerability Scoring System (CVSS) – Provides a standardized scoring system for describing the severity of security vulnerabilities.
• Common Configuration Enumeration (CCE) – Provides a naming system for system configuration issues.
• Common Platform Enumeration (CPE) – Provides a naming system for operating systems, applications, and devices.
• Extensible Configuration Checklist Description Format (XCCDF) – Provides a language for specifying security checklists.
• Open Vulnerability and Assessment Language (OVAL) – provides a language for describing security testing procedures.
Network Discovery Scanning – Uses a variety of techniques to scan a range of IP addresses, searching for systems with open network ports. Network discovery scanners do not actually probe systems for vulnerabilities but provide a report showing the systems detected on a network and the list of ports that are exposed through the network and server firewalls that lie on the network path between the scanner and the scanned system.
• Nmap is the most common tool used to do this. Nmap identifies the ports’ status as follows:
o Open – The port is open on the remote system and there is an application that is actively accepting connection on that port.
o Closed – The port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port.
o Filtered – Nmap is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt.
• Common techniques:
• TCP SYN Scanning – Sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open.
o TCP SYN scanning is also known as “half-open” scanning.
• TCP Connect Scanning – Opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.
• TCP ACK Scanning – Sends a packet with the ACK flag set, indicating that it is part of an open connection. This type of scan may be done in an attempt to determine the rules enforced by a firewall and the firewall methodology.
• Xmas Scanning – Sends a packet with the FIN, PSH, and URG flags set. A packet with so many flags set is said to be ‘lit up like a Christmas tree,’ leading to the scan’s name.
Network Vulnerability Scanning – goes deeper than discovery scans – continue to probe targeted system or network for the presence of known vulnerabilities. These tools contain databases of thousands of known vulnerabilities, along with tests they can perform to identify whether a system is susceptible to each vulnerability in the system’s database.
• By default these cans are unauthenticated, testing the target systems without having passwords or other special information that would grant the scanner special privileges.
o Allows the scan to run from the perspective of an attacker but also limits the ability of the scanner to fully evaluate possible vulnerabilities.
• Authenticated scans have read only access to servers being scanned and can use this access to read configuration information
• Nessus is most commonly used scanner, but there are also many others available, including:
o QualysGuard
o NeXpose
o OpenVAS
Web Vulnerability Scanning – scans web applications for known vulnerabilities (surprise!).
• In addition to Nessus
o Acunetix scanner, Nikto, Wapiti, Burp Suite
Database Vulnerability Scanning – scans databases and web applications for vulnerabilities that ma affect database security.
• Sql-map is a commonly used tool.
Vulnerability Management Workflow
• Detection – the initial identification of a vulnerability normally takes place as the result of a vulnerability scan.
• Validation – Once a scanner detects a vulnerability, administrators should confirm the vulnerability to determine that it is not a false positive.
• Remediation – Validated vulnerabilities should then be remediated. This may include applying a vendor-supplied security patch, modifying a device configuration, implementing a workaround to avoid the vulnerability, or installing a web application firewall or other control that prevents the exploitation of the vulnerability.
Penetration Testing –
• Consists of the following stages:
o Planning
o Information gathering and discovery
o Vulnerability scanning
o Exploitation
o Reporting
• Testing Box Types:
o White Box Penetration Test – Provides the attackers with detailed information about the systems they target. This bypasses many of the reconnaissance steps that normally precede attacks, shortening the time of the the attack and increasing the likelihood that it will find security flaws.
o Gray Box Penetration Test – Also known as partial knowledge tests, these are sometimes chosen to balance the advantages and disadvantages of white and black box penetration tests. This is particularly common when black box results re desired but costs or time constraints mean that some knowledge is needed to complete the testing.
o Black Box Penetration Test – Does not provide attackers with any information prior to the attack. This simulates an external attacker trying to gain access to information about the business and technical environment before engaging in an attack.
Software Testing
• Code Review – Developers other than the one who wrote the code review it for defects.
o Most formal form of code review is a Fagan Inspection, which follows six steps:
Planning
Overview
Preparation
Inspection
Rework
Follow-up
• Static Testing – Evaluates the security of software without running it by analyzing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows. In mature development environments, application developers are given access to static analysis tools and use them throughout the design, build, and test process.
• Dynamic Testing – Evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code. One common example of this is the use of web application scanning tools to detect the presence of vulnerabilities like XSS.
o May use synthetic transactions for testing purposes.
• Fuzz Testing – Specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.
o Supplies invalid input to the software crafted to trigger known software vulnerabilities.
o Two main categories:
Mutation (Dumb) Fuzzing – Takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input.
• It might alter the characteristics of the content, appends strings to the end of the content, or perform other data manipulation techniques.
Generational (Intelligent) Fuzzing – Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
• Interface Testing – an important part of the development of complex software systems. Multiple teams of developers work on different parts of a complex application that must function together to meet business objectives.
o Three types:
Application Programming Interfaces (APIs) – Offer a standardized way for code modules to interact and may be exposed to the outside world through web services. Developers must test APIs to ensure they enforce all security requirements.
User Interfaces (UIs) – Examples include graphic user interfaces (GUIs) and command-line interfaces. UIs provide end users with the ability to interact with the software. Interface tests should include reviews of all user interfaces to verify that they function properly.
Physical Interfaces – Exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world. Software testers should pay careful attention to physical interfaces because of the potential consequences if they fail.
• Misuse Case Testing – Test first enumerate the known misuse cases. They then attempt to exploit those use cases with manual and/or automated attack techniques.
• Test Coverage Analysis – Computed using the formula (number of use cases tested / total number of use cases). Test coverage analysis formula can be adapted to use many different criteria:
o Branch Coverage: Has every if statement been executed under all if and else conditions?
o Condition Coverage: Has every logical test in the code been executed under all sets of inputs?
o Function Coverage: Has every function in the code been called and returned results?
o Loop Coverage: Has every loop in the code been executed under conditions that cause code execution multiple times, only once, and not al all?
o Statement Coverage: Has every line of code been executed during the test?
• Website Monitoring: Two techniques:
o Passive Monitoring: analyzes actual network traffic sent to a website by capturing it as it travels over the network or reaches the server. This provides real-world monitoring data that provides administrators with insight into what is actually happening on a network.
Real User Monitoring (RUM) is a variant of passive monitoring where a monitoring tool reassembles the activity of individual users to track their interaction with a website.
o Synthetic Monitoring: AKA Active Monitoring: performs artificial transactions against a website to assess performance. This may be as simple as requesting a page from the site to determine the response time, or it may execute a complex script designed to identify the results of a transaction.
Chapter 15 Exam Essentials
• Understand the Importance of security assessment and testing programs.
• Conduct vulnerability assessments and penetration tests.
• Perform software testing to validate code moving into production.
• Understand the difference between static and dynamic software testing.
• Explain the concept of fuzzing.
• Perform security management tasks to provide oversight to the information security program.
• Conduct or facilitate internal and third-party audits.
Chapter 16: Managing Security Operations
Concepts one should know when implementing need-to-know and least privilege
• Entitlement – The amount of privileges granted to users, typically when first provisioning an account. In other words, when administrators create user accounts, they ensure that the accounts are provisioned with the appropriate amount of resources, and this includes privileges.
o Proper user provisioning processes follow the principle of least privilege.
• Aggregation – the amount of privileges that users collect over time.
o Good transfer processes should be used to avoid this issue. Access reviews would detect as well.
• Transitive Trust – One domain trusts another, so the trust relationship extends from the original domain to the child domain. Gotta be careful on that shit that you don’t give someone access accidentally this way.
Managing Virtual Assets:
• Virtual Machines (VMs) – run as guest operating systems on physical servers. The physical servers include extra processing power, memory, and disk storage to handle the VM requirements.
• Virtual Desktop Infrastructure (VDI) – AKA Virtual Desktop Environment (VDE) – Hosts a user’s desktop as a VM on a server.
o Users can connect to the server to access their desktop from almost any system, including from mobile devices.
o Persistent virtual desktops retain accustom desktop for the user.
o Nonpersistent virtual desktops are identical for all users. Desktops revert to a known state after the user logs off.
• Software-Defined Networks (SDNs) – decouple the control plane from the data plane (or forwarding plane). The control plane uses protocols to decide where to send traffic, and the data plane includes rules that decide whether traffic will be forwarded. Instead of traditional networking equipment such as routers and switches, an SDN controller handles traffic routing using simpler network devices that accept instructions from the controller. This eliminates some of the complexity related to traditional networking protocols.
• Virtual Storage Area Networks (VSANs) – A SAN is a dedicated high speed network that hosts multiple storage devices. They are often used with servers that need high speed access to data. Thes have historically been expensive due to the complex hardware requirements of the SAN. VSANs bypass these complexities with virtualization
Baselining – e.g. using Group Policy configuration to automatically have its setting applied to all the computers in the domain.
Microsoft issues patches on the second Tuesday of every month. Known as Patch Tuesday.
Chapter 16 Exam Essentials
• Understand need-to-know and principle of least privilege.
• Understand separation of duties and job rotation.
• Understand the importance of monitoring privileged operations.
• Understand the information lifecycle.
• Understand service level agreements.
• Understand secure provisioning concepts.
• Understand virtual assets.
• Recognize security issues wit cloud-based assets
• Explain configuration and change control management.
• Understand patch management.
• Explain Vulnerability management.
Chapter 17: Preventing and Responding to Incidents
Many ways to define a security ‘incident.’ All these bitches do it different ways.
• Incident Response Steps
o Detection:
Intrusion Detection and Prevention Systems
Anti-Malware software
Automated tools to scan audit logs for predefined events
End user detection
o Response
After detecting and then verifying an incident
NEVER UNPLUG A COMPUTER YOU WILL PURGE THE RAM!
Incident Response Team (or derivative name) is deployed per policy
o Mitigation
o Reporting
o Recovery
o Remediation
o Lessons Learned
• Intrusion Detection and Prevention Systems
o Intrusion Detection – form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.
o Intrusion Detection System – automates the inspection of logs and real-tie system events to detect intrusion attempts and system failures.
Primary Goal is to provide a means for a timely and accurate response to intrusions.
o IPS is an IDS that can take it a few steps further.
o Knowledge versus Behavior Based Detection:
Knowledge Based - AKA Signature Based – uses a database, and if the IDS finds a match, it raises an alert.
• Signatures need to be updated
Behavior Based – AKA Statistical – starts with a baseline, and once it has accumulated enough baseline data to determine normal activity, it can detect abnormal activity that may indicate a malicious intrusion or event.
• Baselines often created over a finite period such as a week.
• Can be labeled an expert system or pseudo AI because it learns.
• Can detect newer attacks that don’t have signatures.
o Host Based versus Network Based:
Host Based (HIDS) – Monitors activity on a single computer, including process calls and information recorded in system, application, security, and host-based firewall logs.
• Often examines events in more detail than a NIDS
• Can detect anomalies on a host system that a NIDS can not.
• Expensive
• Cannot detect network level attacks
• Consume significant resources
• Easier for intruder to discover and disable
Network Based (NIDS) – Monitors and evaluates network activity to detect attacks and event anomalies.
• A single NIDS can monitor a large network by using remote sensors to collect data at key network locations.
o Can monitor traffic at routers, firewalls, network switches that support port mirroring, and other types of network taps.
• Central console often stored on a single purpose computer that is hardened against attacks.
• Has very little impact on network performance.
• May have a hard time with large networks with high volume.
• Can discover the source of an attack by performing Reverse Address Resolution Protocol (RARP) or DNS lookups
o A Passive Response logs it and sends a note.
o An Active Response will take action – e.g. reconfiguring ACLs to block traffic.
o IPS versus IDS difference – IPS is place in line with traffic. All traffic must pass through the IPS and the IPS can choose what traffic to forward and what traffic to block after analyzing it.
• Specific Preventative Measures:
o Honeypots – individual computers created as a trap for intruders.
Honeynet – two or more networked honeypots used together to simulate a network.
o Pseudo Flaws – the false vulnerabilities used to entice attackers.
o Enticement versus Entrapment
Enticement – leaving a computer with open vulnerabilities
Entrapment – Actively soliciting visitors to access a site and charging them with unauthorized intrusion. Tricking or trapping someone is entrapment.
o Padded Cell – A system similar to a honey pot. When an IDPS detects an intruder it automatically transfers them to a padded cell. The padded cell is a simulated environment that offers fake data to retain an intruder’s interest similar to a honeypot.
o Sandboxing – Provides a security boundary for applications and prevents the applications from interacting with other applications.
• Pen Testing Techniques:
o Black Box Testing – “Zero Knowledge Team” knows nothing about the target site except for publicly available information, such as domain name and company address.
o White Box Testing – “Full Knowledge Team” has full access to all aspects of the target environment. They know what patches and upgrades are installed, and the exact configuration of all relevant devices. If the target is an application, they would have access to the source code. Full knowledge teams perform white box testing.
AKA crystal-box or clear-box testing.
Commonly recognized as being more efficient and cost effective in locating vulnerabilities because less tie is needed for discovery.
o Gray Box Testing – “Partial Knowledge Team” that has some knowledge of the target performs the testing, but they are not provided access to all of the information. May be given information on the network design and configuration details so that they can focus on attacks and vulnerabilities for specific targets.
• Log Types:
o Security Logs – Record access to resources such as files, folder, printers, ands so on.
o System Logs – Record system events such as when a system starts or stops, or when services start or stop.
o Application Logs – record information for specific applications.
o Firewall Logs – Firewall logs can record events related to any traffic that reaches a firewall.
o Proxy Logs – Proxy logs include the ability to record details such as what sites specific users visit and how much time they spend on these sites. They can also record when users attempt to visit known prohibited sites.
o Change Logs – Record change requests, approvals, and actual changes to a system as part of an overall change management process.
• Log Analysis – detailed and systematic form of monitoring in which the logged information is analyzed for trends and patterns as well as abnormal, unauthorized, illegal and policy violating activities.
• Clipping Level – A form of nonstatistical sampling. It selects only events that exceed a clipping level, which is a predefined threshold of the event.
• Traffic Analysis and Trend Analysis – Forms of monitoring that examine the flow of packets rather than actual packet contents. Sometimes referred to as a network flow monitoring.
• Egress Monitoring ¬– Refers to monitoring outgoing traffic to prevent data exfiltration.
Data Loss Prevention – attempt ot detect and block data exfiltration attempts. These systems have the capability of scanning unencrypted data looking for keywords and data patterns.
• Network Based DLP – Network based DLP scans all outgoing data looking for specific data. Administrators would place it on the edge of the negative to scan all data leaving the organization. If a user sends out a file containing restricted data, the DLP system will detect it and prevent it from leaving the organization. The DLP system will send an alert.
• Endpoint Based DLP – Can scan files stored on a system as well as files sent to external devices, such as printers.
o For example, an organization’s endpoint based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer. Admins would configure the DLP to scan the files with the appropriate keywords, and if it detects files with these keywords, it will block the copy or print job. It’s also possible to configure an endpoint-based DLP system to regularly scan files (such as on a file server) for files containing specific keywords or patterns, or even for unauthorized file types, such as MP3 files.
o Have the ability to perform deep level examinations.
o Doesn’t have the ability to decrypt data.
Chapter 17 Exam Essentials
• Know incident response steps
• Know basic preventative measures
• Know what denial of service attacks are
• Understand botnets, botnet controllers, and bot herders
• Understand zero-day exploits
• Understand man-in-the-middle attacks
• Understand sabotage and espionage
• Understand intrusion detection and intrusion prevention
• Recognize IDS/IPS responses
• Understand the differences between HIDS and NIDS
• Understand honeypots, padded cells, and pseudo flaws
• Understand methods to block malicious codes
• Understand penetration testing
• Know the types of log files
• Understand monitoring and uses of monitoring tools
• Understand audit trails
• Understand sampling
• Understand how to maintain accountability
• Understand the importance of security audits and reviews
• Understand auditing and the need for frequent security audits
• Understand that auditing is an aspect of due care
• Understand the need to control access to audit reports
• Understand access review and user entitlement audits
• Audit access controls.
Chapter 18: Disaster Recovery Planning
System Resiliency -
• Single Point of Failure (SPOF) – any component that can cause an entire system to fail.
• Fault Tolerance – the ability of a system to suffer a fault but continue to operate.
• System Resilience – The ability of a system to maintain an acceptable level of service during an event.
Redundant Array of Inexpensive Disks (RAID)
• RAID-0 – AKA Striping - Uses two or more disks and improves the disk subsystem performance, but it does not provide fault tolerance.
• RAID-1 – AKA Mirroring – Uses two disks, which both hold the same data. If one disk fails, the other disk includes the data so a system can continue to operate after a single disk fails. Depending on the hardware used and which drive fails, the system may be able to continue to operate without intervention, or the system may need to be manually configured to use the drive that didn’t fail.
• RAID-5 – AKA Striping with Parity – Uses three or more disks with the equivalent of one disk holding parity information. If any single disk fails, the RAID array will continue to operate, though it will be slower.
• RAID-10 – AKA Raid 1+0 or a Stripe of Mirrors – Configured as two or more mirrors (RAID-1) configured in a striped (RAID-0) configuration.
RAID AKA Information
0 Striping Uses two or more disks and improves the disk subsystem performance, but it does not provide fault tolerance
1 Mirroring Uses two disks, which both hold the same data. If one disk fails, the other disk includes the data so a system can continue to operate after a single disk fails. Depending on the hardware used and which drive fails, the system may be able to continue to operate without intervention, or the system may need to be manually configured to use the drive that didn’t fail.
5 Striping with Parity Uses three or more disks with the equivalent of one disk holding parity information. If any single disk fails, the RAID array will continue to operate, though it will be slower.
10 Raid 1+0 / Stripe of Mirrors Configured as two or more mirrors (RAID-1) configured in a striped (RAID-0) configuration.
Failover Cluster – includes two or more servers, and if one server fails, another server in the cluster can take over its load in an automatic process called failover.
Line Interactive UPS – can adjust the overvoltage and undervoltage events without draining the battery. When power is lost, the battery will provide power to the system will provide power to the system for a short period of time.
Trusted Recovery – Provides assurance that after failure or crash, the system is just as secure as it was before the failure or cash occurred.
• Fail-Secure – will default to a secure state in the event of a failure, blocking all access.
• Fail-Open – will fail into an open state, granting all access.
• Four Types of Trusted Recovery –
o Manual Recovery – if a system fails, it does not fail in a secure state. Instead, an administrator is required to manually perform the actions necessary to implement a secured or trusted recovery after a failure or a system crash.
o Automated Recovery – The system is able to perform trusted recovery activities to restore itself against at least one type of failure. For example, a hardware RAID provides automated recovery against the failure of a hard drive but not against the failure of the entire server. Some times of failures will require manual recovery.
o Automated Recovery without Undue Loss - Similar to automated recovery in that a system can restore itself against at least one type of failure. However, it includes mechanisms to ensure that specific objects are protected to prevent their loss. A method of automated recovery that protects against undue loss would include steps to restore data or other objects. It may include additional protection mechanisms to restore corrupted files, rebuild data from transaction logs, and verify the integrity of key system and security components.
o Function Recovery – Systems that support function recovery are able to automatically recover specific functions. This state ensures that the system is able to successfully complete the recovery for the functions, or that the system will be able to roll back the changes to return to a secure state.
Recovery Type Description
Manual Recovery if a system fails, it does not fail in a secure state. Instead, an administrator is required to manually perform the actions necessary to implement a secured or trusted recovery after a failure or a system crash.
Automated Recovery The system is able to perform trusted recovery activities to restore itself against at least one type of failure. For example, a hardware RAID provides automated recovery against the failure of a hard drive but not against the failure of the entire server. Some times of failures will require manual recovery.
Automated Recovery without Undue Loss Similar to automated recovery in that a system can restore itself against at least one type of failure. However, it includes mechanisms to ensure that specific objects are protected to prevent their loss. A method of automated recovery that protects against undue loss would include steps to restore data or other objects. It may include additional protection mechanisms to restore corrupted files, rebuild data from transaction logs, and verify the integrity of key system and security components.
Function Recovery Systems that support function recovery are able to automatically recover specific functions. This state ensures that the system is able to successfully complete the recovery for the functions, or that the system will be able to roll back the changes to return to a secure state.
Factors Contributing to Quality of Service:
• Bandwidth – The network capacity available to carry communications.
• Latency – The time that it takes a packet to travel from source to destination.
• Jitter – The variation in latency between different packets.
• Packet Loss – Some packets may be lost between source and destination, requiring retransmission.
• Interference – Electrical noise, faulty equipment, and other factors may corrupt the content of packets.
Alternative Sites:
• Cold Sites – standby facilities large enough to handle the processing load of an organization and equipped and appropriate electrical and environmental support systems.
o Has no computing facilities (hardware or software) preinstalled and also has no active broadband communication links.
• Hot Sites – Exact opposite of the cold site. A backup facility is maintained in constant working order.
• Warm Site – Occupy the middle ground between hot and cold sites. Always contain the equipment and data circuitry necessary.
o Typically take at least 12 hours from the time a disaster is prepared.
• Mobile Site – Consist of self-contained trailers or other easily relocated units.
• Service Bureau – Company that leases computer time. Can usually provide support for all IT needs in the event of a disaster, even desktops for workers to use.
Backups:
• Electronic Vaulting – Database backups are moved to a remote site using bulk transfers. The remote location may be a dedicated alternative recovery site, or simply an offsite location managed within the company or by a contractor for the purpose of maintaining backup data.
o May be a significant delay between the time a disaster is declared, and the time the database is ready for operation with current data.
• Remote Journaling – Data transfers are performed in a more expeditious manner. Data transfers will occur in a bulk transfer mode, but they occur on a more frequent basis usually once every hour and sometimes more frequently.
o Unlike electronic vaulting scenarios, where entire database backup files are transferred, remote journaling setups transfer copies of the database transaction logs containing the transactions that occurred since the previous bulk transfer.
• Remote Mirroring – Most advanced database backup solution (also most expensive). In this, a live database server is maintained at the backup site. The remote server receives copies of the database modification at the same time.
o Popular if an organization is implementing a hot site.
Backup Types
• Full Backups – store a complete copy of the data contained on the protected device.
o Duplicate every file on the system, regardless of the archive bit. After backup, the archive bit is changed back to 0.
• Incremental Backups – store only those files that have been modified since the most recent full or incremental backup.
o Only files that have the archive bit turned on, enabled, or set to 1 are duplicated. Once the backup has completed, it goes from 1 back to 0.
• Differential Backups – store all files that have been modified since the time of that most recent full backup.
o Only files that have the archive bit turned on, enabled, or set to 1 are duplicated.
o Unlike full and incremental backups, the differential backup process does not change the archive bit.
Types of Backup Tests:
• Read Through – distribute copies of DRP to members for review. Accomplish three goals:
o Ensures key personnel are aware of their responsibilities.
o Provides individuals with an opportunity to review the plans for obsolete information and update any items that require modification because of changes within the organization.
o In large organizations, it helps identify situations in which key personnel have left the company and nobody bothered to reassign their disaster recovery responsibilities.
• Structured Walk-Through – AKA Table Top – role play of a disaster scenario. The team refers to their copies of the DRP and says what to do next.
• Simulation Test – Disaster Recovery team members are presented with various scenarios and asked to develop an appropriate response.
• Parallel Test – Relocate disaster recovery personnel to a recovery site and implementing site activation procedures.
• Full-Interruption Test – Actually shut that shit down and try to recover. Very unlikely – no BOD will go for this.
Chapter 18 Exam Essentials
• Know the common types of natural disaster that may threaten an organization.
o Earthquakes, floods, storms, fires, tsunamis, volcanic eruptions
• Know the common types of man-made disasters that have threaten an organization.
o Explosions, electrical fires, terrorist acts, power outages, other utility failures, infrastructure failures, hardware/software failures, labor difficulties, theft and vandalism.
• Be familiar with the common types of recovery facilities.
o Cold site
o Warm site
o Hot site
o Service bureaus
o Multiple sites
• Explain the potential benefits behind mutual assistance agreements as well as the reasons they are not commonly implemented in business today.
o Inexpensive
• Understand the technologies that may assist with database backup.
o Electronic vaulting – used to transfer database backups to a remote site as part of a bulk transfer.
o Remote journaling – Data transfer occurs on a more frequent basis.
o Mirroring – Mirrored at the backup site in real time.
• Know the five types of disaster recovery plan test and the impact each has on normal business operations.
o Read through tests
o Structured walk-throughs
o Simulation tests
o Parallel tests
o Full-interruption tests
Chapter 19: Investigations and Ethics
Nine steps of eDiscovery:
1. Information Governance ensures that information is well organized for future eDiscovery efforts.
2. Identification locates the information that may be responsive to a discovery request when the organization believes that litigation is likely.
3. Preservation ensures that potentially discoverable information is protected against alteration or deletion.
4. Collection gathers the responsive information centrally for use in the eDiscovery process.
5. Processing screens the collected information to perform a “rough cut” of irrelevant information , reducing the amount of information requiring detailed screening.
6. Review examines the remaining information to determine what information is responsive to the request and removing any information protected by attorney-client privilege.
7. Analysis performs deeper inspection of the content and context of remaining information.
8. Production places the information into a format that may be shared with others.
9. Presentation displays the information to witnesses, the court, and other parties.
Requirements for evidence to be admissible:
• Must be relevant
• Must be material (related to) the case
• Evidence must be competent, meaning it must have been obtained legally
Real Evidence – Consists of thing that may actually be brought into a court of law (physical objects). Must be identified by a witness or authenticated through a documented chain of custody.
Documentary Evidence – includes any written items brought into court to prove a fact at hand. Two additional evidence rules apply:
• Best Evidence Rule – When a document is used as evidence in a court proceeding, the original document must be introduced. Copies or descriptions of original evidence (known as secondary evidence) will not be accepted as evidence unless certain exceptions to the rule apply.
• Parole Evidence Rule – States that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement.
Testimonial Evidence – Evidence consisting of witness testimony. Witnesses can offer two types of evidence:
• Direct Evidence – oral testimony that proves or disproves a claim based on their own direct observation.
• Expert Opinion – Based on the other facts presented and their personal knowledge of the field.
• Can Not Be Hearsay Evidence – Cannot testify as to what someone else told them outside of court.
Six Principles of Evidence Collection and Forensic Procedure
• When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
• Upon seizing digital evidence, actions taken should not change that evidence.
• When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
• All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
• An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
• Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
Analysis Types:
• Media Analysis – branch of computer forensic analysis, involves the identification and extraction of information from storage media.
• Network Analysis – Collection and correlation of information from network devices (IDS, firewalls, logs, etc.)
• Software Analysis – Forensic analyst may be asked to conduct a review of software code, looking for back doors, logic bombs, or other security vulnerabilities.
• Hardware/Embedded Device Analysis – Forensic analysts often must review the contents of hardware and embedded devices. May include a review of personal computers, smartphones, tablet, embedded car computers, etc.
An Interview simply seeks to gather information. An Interrogation means the person is a suspect.
Major Categories of Computer Crime:
• Military and Intelligence Attacks
• Business Attacks – Stealing confidential information.
• Financial Attacks – Unlawfully obtain money or services.
• Terrorist Attacks
• Grudge Attacks
• Thrill Attacks
Code of Ethics Preambles:
• The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
• Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Cannons –
• Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
Chapter 19 Exam Essentials
• Know the definition of computer crime.
o A crime that is directed against, or directly involves, a computer.
• Be able to list and explain the six categories of computer crimes.
o Grouped into six categories:
Military and intelligence attack
Business attack
Financial attack
Grudge attack
Thrill attack
Terrorist attack
• Know the importance of collecting evidence.
o Collect as soon as an incident is discovered.
• Understand the eDiscovery process.
o Includes information governance, identification, preservation, collection, processing, review, analysis, production and presentation.
• Know how to investigate intrusions and how to gather sufficient information from the equipment, software, and data
o Must have possession of equipment, software, or data to analyze it and use it as evidence. Must acquire evidence without modifying it.
• Know the three basic alternatives for confiscating evidence and when each one is appropriate.
o Voluntary surrender
o Subpoena
o Search warrant
• Know the importance of retaining investigatory data.
o Critical log file are retained for a reasonable period of time.
• Know the basic requirements for evidence to be admissible in a court of law.
o Relevant
o Material
o Competent
• Explain the various types of evidence that may be used in a criminal or civil trial.
o Real Evidence
o Documentary Evidence.
o Testimonial Evidence.
• Understand the importance of ethics to security personnel.
o Adherence to ethics helps ensure that power is not abused.
• Know the Code of Ethics and RFC 1087 “Ethics and the Internet.”
o Be familiar with the code of ethics.
Chapter 20: Software Development Security
Programming Languages –
• Machine Learning – binary – 0’s and 1’s.
• Higher Level Languages – Python, C++, Ruby, R, Java and Visual Basic
• Compiled Languages – C, Java, FORTRAN – Use a Compiler to convert higher level language into an executable file designed for use on a specific operating system. Executable sent to end user, who may use it as they see fit.
• Interpreted Languages – Programmer distributes the source code, which contains instructions in the higher-level language. End users then use an interpreter to execute that source code on their systems. They’re able to view the original instructions written by the programmer.
Object Oriented Programming (OOP) – Focuses on the objects involved in the interaction.
• E.g. a banking program might have three object classes that correspond to accounts, account holders, and employees, respectively.
• Common OOP terms:
o Message – A message is a communication to or input of an object.
o Method – A method is internal code that defines the actions an object performs in response to a message.
o Behavior – The results or output exhibited by an object is a behavior. Behaviors are the results of a message being processed through a method.
o Class – A collection of the common methods from a set of objects that defines the behavior of those objects.
o Instance – Objects are instances of or examples of classes that contain their methods.
o Inheritance – Occurs when methods from a class (parent or superclass) are inhered by another class (child)
o Delegation – Forwarding of a request by an object to another object or delegate. An object delegates if it does not have a method to handle the message.
o Polymorphism – Characteristic of an object that allows it to respond with different behaviors to the same message or method because of changes in external conditions.
o Cohesion – The strength of the relationship between the purposes of the methods within the same class.
o Coupling – Level of interaction between objects. Lower coupling means less interaction.
Lower coupling provides better software design because objects are more independent.
Lower coupling is easier to troubleshoot and update.
Objects that have low cohesion require lots of assistance from other objects to perform tasks and have high coupling.
Debugging mode should be disabled on any servers and applications that are publicly accessible.
OWASP Secure Coding Guidelines suggested logging events:
• Input validation failures
• Authentication attempts, especially failures
• Access control failures
• Tampering attempts
• Use of invalid or expired session tokens
• Exceptions raised by the OS or applications
• Use of administrative privileges
• Transport Layer Security (TLS) failures
• Cryptographic errors
STOP error – When an undesirable error occurs, despite the OS’s efforts, the system simply stops everything rather than support a fucked up environment.
• The Blue Screen of Death (BSOD) is an example of a STOP error.
• This is an example of a fail-safe
System Development Lifecycle
• Conceptual Definition –
o Involves creating the basic concept statement for a system. This is a simple statement agreed on by all interested stakeholders, that states the purpose of the project as well as the general system requirements.
o Very high level – no longer than two paragraphs.
• Functional Requirements Determination – Specific system functionalities are listed, and developers begin to think about how the parts of the system should interoperate to meet the functional requirements.
o The deliverables phase of development is a functional requirements document that lists the specific system requirements. Has three major requirements:
Inputs – Data provided to a function.
Behavior – Business logic describing what actions the system should take in response to different inputs.
Outputs – Data provided from a function.
• Control Specifications Development – Developing controls.
o Takes place soon after the development of functional requirements and often continues as the design and design review phases progress.
• Design Review – Designers determine exactly how the various parts of the system will interoperate and how the modular system structure will be laid out. During this phase the design management team commonly sets specific tasks for various teams and lays out initial timelines for the completion of coding milestones.
• Code Review Walkthrough –
• UAT – Once complete, code can move to deployment.
Lifecycle Models:
• Waterfall Model – as each stage (below) is completed, the project moves into the next phase.
o Feedback loop characteristic - Allows to move backward in the development stage
o Seven Stages:
1. System Requirements
2. Software Requirements
3. Preliminary Design
4. Detailed Design
5. Code and Debug
6. Testing
7. Operations and Maintenance
o Boehm’s Spiral Model provides a solution to the major criticism of the waterfall model – it allows developers to return to the planning stages as changing technical demands and customer requirements necessitate the evolution of a system.
• Agile Manifesto – Put together as a fuck you to documentation and rules.
o Has the following values:
1. Individuals and interactions over processes and tools
2. Working software over comprehensive documentation
3. Customer Collaboration over contract negotiation
4. Responding to change over following a plan.
o Still value the shit on the right, but prioritize the stuff on the left.
o 12 principles:
1. Our highest priority is to satisfy the customer through early and continuous delivery of valuable software.
2. Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage.
3. Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.
4. Business people and developers must work together daily throughout the project.
5. Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done.
6. The most efficient and effective method of conveying information to and within a development team is face-to-face conversation
7. Working software is the primary measure of progress
8. Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.
9. Continuous attention to technical excellence and good design enhances agility.
10. Simplicity p the art of maximizing the amount of work not done – is essential.
11. The best architectures, requirements, and designs emerge from self-organizing teams.
12. At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.
Software Capability Maturity Model (SW-CMM) – intended to help software organizations improve the maturity and quality of their software processes by implementing an evolutionary path from ad hoc, chaotic processes to mature, disciplined software processes.
• Stages:
Level SW-CMM Description IDEAL Description
1 Initial In this phase, you'll often find hardworking people charging ahead in a disorganized fashion. There is usually little or no defined software development process. Initiating Business reasons behind the change are outlined, support is built for the initiative, and the appropriate infrastructure is put in place.
2 Repeatable In this phase, basic lifecycle management processes are introduced. Reuse of code in an organized fashion begins to enter the picture, and repeatable results are expected from similar projects. Diagnosing Engineers analyze the current state of the organization and make general recommendations for change.
3 Defined Software developers operate according to asset of formal, documented software development processes. All development projects take place within the constraints of the new standardized model. Establishing Taking general recommendations from the diagnosing phase and developing a specific plan of action that helps achieve those changes.
4 Managed Management of the software process proceeds to the next level. Quantitative measures are utilized to gain a detailed understanding of the development process. Acting Develops solutions and then tests, refines, and implements them.
5 Optimizing A process of continuous improvement occurs. Feedback processes are in place. Learning Lessons learned kinda thing.
II.DR.ED.AM.LO
Change Management Processes
• Request Control – Process provides an organized framework within which users can request modification, managers can conduct cost/benefit analysis, and developers can prioritize tasks.
• Change Control – The change control process is used by developers to re-create the situation encountered by the user and analyze the appropriate changes to remedy the situation. It also provides an organized framework within which multiple developers can create and test a solution prior to rolling it out into a production environment.
• Release Control – Approval process for releases of application changes.
• Configuration Management – used to control the version of software used throughout an organization an formally track and control changes to the software configuration. Four components:
o Configuration Identification – administrators document the configuration of covered software products throughout the organizations.
o Configuration Control – Ensures that changes to software versions are made in accordance with the change control and configuration management policies. Updates can be made only from authorized distributions in accordance with those policies.
o Configuration Status Accounting – Formalized procedures are used to keep track of all authorized changes that take place.
o Configuration Audit – A periodic configuration audit should be conducted to ensure that the actual production environment is consistent with the accounting records and that no unauthorized configuration changes have taken place.
DevOps – closely aligned with Agile development approach and aims to dramatically decrease the time required to develop, test, and deploy software changes.
• Ven-diagram of Software Development, Operations and Quality Assurance.
Application Programming Interfaces (APIs) – Allow application developers to bypass traditional web pages and interact directly with the underlying service through function calls. For instance, social media APIs may include the following API function calls:
• Post Status
• Follow User
• Unfollow User
• Like/Favorite a Post
Software Testing –
• White-Box Testing – Examines the internal logical structure of a program and steps through the code line by line, analyzing the program for potential errors.
• Black-Box Testing – Examines the program from a user perspective by providing a wide variety of input scenarios and inspecting the output.
o Black Box testers do NOT have access to the internal code.
• Gray-Box Testing – Combines the two approaches and is popular for software validation. Testers examine the software from a user perspective, analyzing inputs and outputs.
o Also have access to source code.
o Do not, however, analyze the inner workings of the program during their testing.
• Static Testing – Evaluates the security of software without running it by analyzing either the source code or the compiled application.
o Usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows.
• Dynamic Testing – Evaluates the security of software in a run-time environment.
Database Management System Architectures
• Hierarchical – logical tree structure, where each node may have zero, one, or many children but only one parent.
o Think traditional org chart.
• Relational Databases – Tables consisting of records.
o Each table contains a number of attributes, or fields. Each attribute corresponds to a column in the table.
• Tuple – Record
• Fields – Attributes in a table.
• Cardinality – Number of rows in a table
• Degree – Number of columns
• Domain – Set of allowable values that an attribute can take.
• The table below has a cardinality of 3, and a degree of 5.
Name Last SSN Address Phone
• Keys – subsets of the fields of a table and are used to uniquely identify records.
o Candidate Keys – used to uniquely identify any record in a table.
No two records in the same table will ever contain the same values for all attributes composing a candidate key.
Each table may have one or more candidate keys, which are chose from column headings.
o Primary Keys – Selected from the set of candidate keys for a table to be used to uniquely identify the records in a table.
Each table has only one primary key, selected by the database designer from the set of candidate keys.
The RDBMS enforces the uniqueness of primary keys by disallowing the insertion of multiple records with the same primary key.
o Foreign Keys – Used to enforce the relationships between two tables, also known as referential integrity. Ensures that references to other tables are to the primary key within the referenced table
E.g. having a salesman ID to record a sale in a sales table, and that refers to a primary salesman ID column in the salesman table.
• Structured Query Language (SQL) – All relational database use standard language to provide users with a consistent interface for the storage, retrieval, and modification of data and for administrative control of the DBMS.
o SQL’s primary feature is that it allows you to set permissions at a very fine level of detail (table, row, column, or even individual cell in some cases).
o SQL is divided into two distinct components:
Data Definition Language (DDL) – Allows for creation and modification of the databases structure.
Data Manipulation Language (DML) – Allows users to interact with the data contained within that schema.
• ACID model – All database transactions have four required characteristics, under the ACID model:
o Atomicity – All-or-nothing affair. If any part of the transaction fails, the whole thing fails.
o Consistency – All transactions must begin operating in an environment that is consistent with all of the database’s rules.
o Isolation – Transactions operate separately from each other. If a database receives two SQL transactions that modify the same data, one transaction must be completed in its entirety before the other transaction is allowed to modify the same data.
o Durability – Once a transaction is committed to the database, they must be preserved. Databases ensure durability through the use of backup mechanisms, such as transaction logs.
• Database Contamination – Mixing data with different classification levels and/or need-to-know requirements.
• Concurrency – a preventative security mechanism that endeavors to make certain that the information stored in the database is always correct or at least has its integrity and availability protected.
o Uses a ‘lock’ feature to allow one user to make changes but deny other users access to view or make changes to data elements at the same time
E.g. trying to open a word/excel file when someone else is in it.
o Databases that fail to maintain concurrency will have one of two issues:
Lost Updates – Occur when two different processes make updates to a database unaware of each other’s activity.
Dirty Reads – When a process reads a record from a transaction that did not successfully commit.
• Polyinstantiation – Occurs when two or more rows in the same relational database table appear to have identical primary key elements but contain different data for use a differing classification levels.
Open Database Connectivity (ODBC) – database feature that allows applications to communicate with different types of databases without having to be directly programmed for interaction with each type.
• Acts as a proxy between applications and backend database drivers, giving application programmers greater freedom in creating solutions without having to worry about the backend database system.
Types of Storage:
• Primary Memory – AKA Real Memory – main memory resources directly available to a system’s CPU.
o Normally consists of volatile random-access memory (RAM) and is usually the most high-performance storage resource available to a system.
• Secondary Storage – Something like USB or DVDs
• Virtual Memory – Allows a system to simulate additional primary memory resources through the use of secondary storage.
o E.g. A system low on expensive RAM might make a portion of the hard disk available for direct CPU addressing.
• Virtual Storage – Allows a system to simulate secondary storage resources through the use of primary storage.
Knowledge-Based Systems –
• Expert System – Seek to embody the accumulated knowledge of experts on aparticular subject and apply it in a consistent fashion to future decisions. Two main components:
o Knowledge Base – Contains the rules known by an expert system.
o Inference Engine – Analyzes information
• Machine Learning – Two Major Categories:
o Supervised Learning – Use labeled data for training. E.g. the data would say “analyze these logins, and I’ve labeled all the ones that were malicious ones”
o Unsupervised Learning – Use unlabeled data for training.
• Neural Networks – An extension of machine learning techniques and are also commonly referred to as ‘Deep Learning’
o Delta Rule / Learning Rules – Rules that let the neural networks learn from experience.
Chapter 20 Exam Essentials:
• Explain the basic architecture of a relational database management system.
o Tables (relations)
o Rows (records/Tuples)
o Columns (Fields/Attributes)
• Know the various types of storage.
o Primary Memory
o Virtual Memory
o Secondary Storage
o Virtual Storage
• Explain how expert system, machine learning, and neural networks function.
o Expert system – use of knowledge base and inference engine.
o Machine learning -attempt to algorithmically discover knowledge from datasets.
o Neural networks simulate the function of the human mind.
• Understand the models of systems development.
o Waterfall model
o Spiral Model
o Agile Development
• Describe software development maturity models.
o SW-CMM and IDEAL
• Understand the importance of change and configuration management
o Three basic components of change control – request control, change control, release control.
• Understand the importance of testing.
o Should be part of the development process
Chapter 21 – Malicious Code and Application Attacks
Virus Propagation Techniques:
• Master Boot Record (MBR) Viruses – Attacks the boot loader used to load the OS during the boot process.
• File Infector Viruses – Infect different types of executable files and trigger when the operating system attempts to execute them.
• Companion Virus – Self contained executable files that escape detection by using a filename similar to, but slightly different from, a legitimate operating system file.
• Macro Viruses – Use of VBA to execute malicious code.
• Service Injection Viruses – Viruses inject themselves into trusted runtime processes of the OS. Since these services are trusted, the virus can get past undetected.
Virus Technologies:
• Multipartite Viruses – use more than one propagation technique in an attempt to penetrate systems that defend against only one method or the other.
• Stealth Viruses – Hide themselves by actually tampering with the operating system to fool antivirus packages into the thinking that everything is functioning normally.
• Polymorphic Viruses – Modify their own code as they travel from system to system.
• Logic Bomb – Malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions such as time.
• Trojan Horses – Software program that appears benevolent but carries a malicious, behind the scenes payload that has the potential to wreak havoc on a system or network.
• Worms – Propagate themselves without the use of human intervention.
Antivirus:
• Signature based – Looks for telltale patters of known viruses.
• Behavior based (AKA Heuristic based) – Monitoring for unusual activity and flagging or blocking it.
Chapter 21 Exam Essentials:
• Understand the propagation techniques used by viruses.
o File infection
o Service injection
o Boot sector infection
o Macro infection
• Know how antivirus software packages detect known viruses.
o Signature based detection
o Behavior based detection
• Explain the techniques that attackers use to compromise password security.
o Password crackers
o Dictionary attacks
o Social engineering attacks
o Phishing
• Be familiar with the various types of application attacks attackers use to exploit poorly written software.
o Buffer overflows
o TOCTOU
o Back doors
o rootkits
• Understand common web application vulnerabilities and countermeasures.
o XSS
o SQL injection
• Know the network reconnaissance techniques used by attackers preparing to attack a network.
o IP Sweeps to search out active hosts
o Hosts are then subjected to port scans and other vulnerability probes.