How I Passed the CISSP Test: Lessons Learned in Certification Presented by Kirk A.


How I Passed the CISSP Test:
Lessons Learned in Certification
Presented by Kirk A. Burns, CISSP
Admin Data
Emergency Exits
Breaks
Phones
Other Admin Data
Introduction
Instructor
What is this class going to provide me?
What should I expect to get out of this class?
Class Structure
• Broken up into 12 parts
• Part 1: introduction
• Parts 2 – 11: will be the domains
• Part 12: will be examples of types of questions you might see.
• THESE ARE NOT copies of the questions from the exam
What is (ISC)²?
(ISC)²
• International Information Systems Security Certification Consortium
• Non-profit organization which specializes in information security
education and certifications
• Often described as the “world’s largest IT security organization”
• Based in Palm Harbor, Florida, USA
• Offices in London, Tokyo, Hong Kong, Vienna, Virginia
• Over 85,000 certified professionals in 135 countries
• http://www.isc2.org
(ISC)² Code of Ethics
Preamble:
• The safety and welfare of society and the common good, duty to our
principals, and to each other, requires that we adhere, and be seen to
adhere, to the highest ethical standards of behavior.
Code of Ethics Canons:
• Protect society, the common good, necessary public trust and
confidence, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent service to principals
• Advance and protect the profession
BENEFITS OF (ISC)² MEMBERSHIP
• Member Benefits
• Continuing Education
• Security Leadership Series events
• Discounts
• Worldwide receptions, conferences, RSA, InfoSec, SecureAmerica
• Face-to-Face Networking
• Virtual Networking
• Career Tools, InterSeC
BENEFITS OF (ISC)² MEMBERSHIP
• Industry Awards
• Resources
• InfoSecurity Professional Magazine
• Information Security Perspective journal
• Member submitted security awareness materials
• Volunteer Opportunities
• http://staysafeonline.org
What is CISSP?
• Certified Information Systems Security Professional
• Governed by (ISC)²
• Worldwide recognition of competence
• Practical understanding of information security issues and solutions
• ANSI accreditation based on the ISO/IEC 17024:2003 standard (obtained in June 2004)
• Awareness of security challenges
• As of November 2013, reported to have 90,198 members worldwide in 149 countries
ROLE OF THE CISSP
• CISSPs often hold job functions such as:
  • Security Consultant
  • Security Manager
  • IT Director/Manager
  • Security Auditor
  • Security Architect
  • Security Analyst
  • Security Systems Engineer
  • Chief Information Security Officer
  • Director of Security
  • Network Architect
ROLE OF THE CISSP
• Develops and oversees the implementation of the organization's information security policies and procedures
• Provides advice on the implementation of information security solutions and technologies
• Monitors compliance with regulatory requirements by employees, contractors, alliances and other third parties
COMMON BODY OF KNOWLEDGE
CBK
• The (ISC)² CBK is a compendium of topics relevant to information
security professionals around the world. The (ISC)² CBK is the accepted
standard in the industry, the subject of many books written on information
security, and the core of the university information assurance programs
around the globe. The CBK continues to be updated annually by (ISC)²
CBK Committees comprised of members from many industries and
regions around the world, to reflect the most current and relevant topics
required to practice in the field. (ISC)² uses the CBK domains to assess a
candidate’s level of mastery of information security.
How to Get Your CISSP Certification
1) Obtain the Required Experience
a) must have a minimum of five (5) years cumulative paid full-time work
experience in two (2) or more of the ten (10) domains.
b) May receive a one-year experience waiver with a four-year college degree, or regional equivalent, OR an additional credential from the (ISC)² approved list (requiring four (4) years of direct full-time professional security work experience in two or more of the ten domains)
2) Study for the Exam
3) Schedule the Exam
4) Pass the Exam
5) Complete the Endorsement Process
6) Maintain the CISSP Certification
CISSP EXAM
The CISSP exam
• 250 questions
• 6 hours
• To pass you must score 700 points out of 1000
• BE ON TIME!!!!!!
• Bring admission letter
• Must have government-issued photo ID
• Bring pencil and eraser
• ~$500
ENDORSEMENT PROCESS
What is needed for the Endorsement Process
• Provide a recent resume
• Complete the Examination Registration Form
• Submit a completed and executed Endorsement Form
MAINTENANCE REQUIREMENTS
• To maintain the CISSP certification and remain in “good standing” with
(ISC)², you are required to:
• Pay the Annual Maintenance Fee (AMF) of $85 USD at the end of
each certification year
• Earn and submit 120 credits over three years. A minimum of 20 CPEs
must be posted during each year of the three year certification cycle
THE DOMAINS
• Access Control
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal, Regulations, Investigations, and Compliance
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Software Development Security
• Telecommunications and Network Security
Golden Rule
1. People Safety First
2. Management buy-in is Critical
3. Everyone is responsible for Security
4. Training is Essential
5. Policy is the Key to (nearly) everything
What If I Don’t Have The Experience?
• For those who don't have the experience, there is the Systems Security Certified Practitioner (SSCP)
• Only need 1 year of experience
• Domains covered:
• Access Controls
• Cryptography
• Malicious Code and Activity
• Monitoring and Analysis
• Networks and Communications
• Risk, Response and Recovery
• Security Operations and Administration
Access Control
Domain Objectives
• Provide definitions and key concepts
• Identify access control categories and types
• Discuss access control threats
• Review system access control measures
• Understand Intrusion Detection and Intrusion Prevention systems
• Understand Access Control assurance methods
Access Control
• Is the basic foundation of information security
• Implemented differently depending on whether the area of implementation is physical, technical or administrative.
• Categories include:
• Preventive
• Detective
• Corrective
• Deterrent
• Recovery
• Directive
• Compensating
• Often used in combination
Access Control
• A comprehensive threat analysis will identify the areas that will provide the greatest cost-benefit impact.
• The field of access control is constantly evolving. Organizations need to know what is available and what methods will best address their issues.
• Data and system access control are NOT the same. A user might have access to a system but not to the data. Think "need-to-know".
• Access control assurance addresses the due diligence aspect of security.
• Implementing a control is part of due care, but due diligence involves regularly checking to ensure that the control is working as expected.
Information Security TRIAD
Domain Objectives
• Definitions of Key Concepts
• Access Control Categories and Types
• Access Control Threats
• Access to System
• Access to Data
• Intrusion Prevention and Detection Systems
• Access Control Assurance
Basic Requirements
• Security – ensure only authorized users and processes are able to access or modify
• Reliability – ensure control mechanisms work as expected, every time
• Transparency – have minimal impact on the ability of authorized users to interface with the system and do their job
• Scalability – should be able to handle a wide range of changing systems and user load without compromising system performance
• Maintainability – if too time-consuming or complicated, admins may not keep them up to date
• Auditability – should provide audit trails
• Integrity – must be designed to protect from unauthorized changes
• Authenticity – help ensure that data input is authentic
Key Concepts
• Separation of duties
  • No one person should have control over the whole process. Allowing this could allow a person to manipulate the system for personal gain. The process should be broken down into individual steps executed by different people.
  • Rotation of duties reduces the opportunity for collusion between two or more people and increases the chance that fraud is exposed. Forced vacation can provide the same effect.
  • Core element of the Clark-Wilson integrity model
• Least privilege – only allow access to resources that are absolutely needed for work
• Need-to-know – just because you have the clearance doesn't mean you really need to know the data or process
Information Classification
• Is the PROPER assessment of the sensitivity and criticality of information
  • Ensures that info is neither improperly disclosed nor overprotected
• Objectives:
  • Identify info that needs to be protected
  • Standardize labeling
  • Alert authorized holders of protection requirements
  • Comply with laws, regulation, etc.
• Benefits – keeps cost down
• Example of classification:
  • Public, internal use only and company confidential
• Compartmentalized information – information that requires special privilege to access
Information Classification Procedures
• Scope – risk analysis will evaluate data for classification. Things to consider:
  • Exclusive possession (trade secrets, etc.)
  • Usefulness
  • Cost to recreate
  • Legal or regulatory liability
  • Operational impact
  • Etc.
• Process – goal is to achieve a consistent approach to handling classified information
• Marking and labeling – for all types of media, including video
  • Human readable
  • Machine readable
• Assurance – regular internal and possibly external audits should be done
Domain Objectives
• Definitions of Key Concepts
• Access Control Categories and Types
• Access Control Threats
• Access to System
• Access to Data
• Intrusion Prevention and Detection Systems
• Access Control Assurance
Access Control Types
• Administrative – policies and procedures.
• Technical/logical – use of hardware and software controls
• Physical – manual, structural or environmental controls to protect
facilities and resources
Access Control Categories
• Preventive – block unwanted actions. However, only effective if
employees see these as necessary
• Detective – identify, log and alert management of unwanted
actions (during or after event)
• Corrective – remedy the circumstances that enabled event
• Directive – controls dictated by organizational and legal authorities
• Deterrent – Prescribe some sort of punishment
• Recovery – restore lost resources or capabilities
• Compensating – backup controls that come into effect when
normal controls are unavailable
Domain Objectives
• Definitions of Key Concepts
• Access Control Categories and Types
• Access Control Threats
• Access to System
• Access to Data
• Intrusion Prevention and Detection Systems
• Access Control Assurance
Access Control Threats
• Denial of service
• Password crackers
• Dictionary
• Brute force
• Rainbow tables
• Keystroke loggers
• Spoofing/masquerading
  • Machine
  • Impersonation
• Sniffers
• Shoulder surfing/swiping
• Dumpster diving
• Emanations
• Time of Check/Time of Use (TOC/TOU)
Domain Agenda
• Definitions of Key Concepts
• Access Control Categories and Types
• Access Control Threats
• Access to System
• Access to Data
• Intrusion Prevention and Detection Systems
• Access Control Assurance
System Access Control
• Identification – process of recognizing users or resources as valid
accounts
• Authentication – verification of the identity of the person or node
• Authorization – determines what a user or node is allowed to do
once identified and authenticated
• Accountability – ability to track user activity
Identification
• Methods
  • Most common is UserID, account number, email or PIN
  • Biometrics can also be used
  • Guidelines – unique UserID unless anonymity is required
  • RFID – can be used in place of the above methods to identify a user
  • MAC and IP address – used primarily to identify a node on the network
  • Security user registration – user interacts with a registration authority to become an authorized member of the domain
    1. UserID, encryption keys, job title, email, etc.
    2. User validation
Authentication Methods
• Knowledge (something you know)
• Ownership (something you have)
• Characteristics (something you are)
Identity and Access Management
• Need for identity management – needed to manage,
authenticate, authorize, provision, de-provision and protect
identities
• Challenges – the more complex a network and data protection
system, the more challenging to manage
• Identity management technologies – designed to centralize and
streamline the management of user ids, authentication and
authorization
Identity Management Challenges
• Consistency – user data entered across different systems MUST
be consistent
• Reliability – user profile data should be reliable. Especially if used
to control access to data or resources
• Usability – multiple logins over multiple systems might not be the best idea
• Efficiency – using an identity management system can decrease
costs and improve productivity for both users and administrators
• Scalability – the management system used must be able to scale
to support the data, systems and peak transaction rates
Identity Management Challenges
• Principals
  • Insiders – employees and contractors
  • Outsiders – customers, partners, vendors, etc.
• Data – different types of data about principals must be managed
  • Personal, legal and access control
  • Some of this data might have regulatory requirements
• Life Cycle
  • Initial setup – when user joins
  • Change and maintenance – routine pw change, name changes, etc.
  • Tear-down – when user leaves
Identity Management Technologies
• Web Access Management (WAM)
• Password management
• Account management
• Profile update
Access Control Technologies
• Single sign-on
• Kerberos
• SESAME – Secure European System for Applications in a Multi-vendor Environment; a European single sign-on technology that extends the Kerberos model with public-key cryptography
• Web Portal Access
• Directory services
• Security domains
Domain Objectives
• Definitions of Key Concepts
• Access Control Categories and Types
• Access Control Threats
• Access to System
• Access to Data
• Intrusion Prevention and Detection Systems
• Access Control Assurance
Access to Data
Implementations
• Mandatory
• Temporal
• Discretionary
• Role
• Rule
• Content
• Privacy
Descriptions
• List
• Matrix
• Capabilities
• Non-discretionary
• Constraints
• Centralized
• Decentralized
Access Control Lists (ACL)
• Most common implementation of Discretionary Access Control (DAC)
• Provide an easy method to specify which users are allowed access to which objects
  • Objects/subjects
  • Files/users
• O.S. dependent
  • Each OS has its own way of representing ACLs.
  • UNIX – 3 subject classes: owner, group and world, with 3 permissions: Read, Write, Execute
  • ACL support in Linux is available for Ext2, Ext3, IBM JFS, ReiserFS and SGI XFS
  • Microsoft Windows – an unlimited number of subjects per object and a much finer-grained set of permissions
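As an added example (not part of the original slides), here is how the UNIX owner/group/world model above actually decides an access request, and why "access to the system" is not "access to the data". The file metadata, uids, gids and paths are constructed for illustration. Two rules matter in practice and are easy to get wrong when auditing permissions: exactly one class is selected (owner, else group, else world) with no fall-through, and uid 0 bypasses read/write checks but can execute a file only if some execute bit is set (traditional UNIX semantics; on Linux this is the CAP_DAC_OVERRIDE capability).

```python
"""Added example: UNIX-style discretionary access control (owner/group/world,
rwx). File metadata, uids and gids below are constructed for illustration."""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one rwx class


@dataclass(frozen=True)
class FileMeta:
    path: str
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o640


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset  # primary plus supplementary groups


def to_rwx(mode):
    """Render the nine permission bits the way ls -l does (0o640 -> rw-r-----)."""
    out = []
    for shift in (6, 3, 0):
        cls = (mode >> shift) & 0o7
        out.append("r" if cls & R else "-")
        out.append("w" if cls & W else "-")
        out.append("x" if cls & X else "-")
    return "".join(out)


def class_bits(meta, subj):
    """Select exactly ONE class for the subject: owner, else group, else world.
    UNIX does not fall through: an owner denied by the owner bits is denied
    even if the world bits would have allowed the access."""
    if subj.uid == meta.owner_uid:
        return (meta.mode >> 6) & 0o7, "owner"
    if meta.group_gid in subj.gids:
        return (meta.mode >> 3) & 0o7, "group"
    return meta.mode & 0o7, "world"


def check_access(meta, subj, wanted):
    """True if every bit in `wanted` (R, W, X combined) is granted.
    uid 0 bypasses read/write DAC (traditional UNIX; CAP_DAC_OVERRIDE on
    Linux) but may execute only if at least one execute bit is set."""
    if subj.uid == 0:
        return not (wanted & X) or bool(meta.mode & 0o111)
    bits, _cls = class_bits(meta, subj)
    return (bits & wanted) == wanted


def explain(meta, subj, wanted):
    """Human-readable decision, handy when auditing a DAC configuration."""
    _bits, cls = class_bits(meta, subj)
    verdict = "ALLOW" if check_access(meta, subj, wanted) else "DENY"
    return f"{verdict} uid={subj.uid} on {meta.path} ({to_rwx(meta.mode)}) via {cls} class"


if __name__ == "__main__":
    # Constructed scenario: everyone can log in to the host, only HR reads payroll.
    payroll = FileMeta("/srv/hr/payroll.csv", owner_uid=1000, group_gid=50, mode=0o640)
    owner = Subject(1000, frozenset({1000}))
    hr_member = Subject(1001, frozenset({1001, 50}))
    contractor = Subject(1002, frozenset({1002}))
    for s in (owner, hr_member, contractor):
        print(explain(payroll, s, R))
```

The no-fall-through rule is the one auditors trip over: a file with mode 0o007 is unreadable by its own owner while readable by everyone else, so "owner has fewer bits than world" is itself a misconfiguration worth flagging.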
Centralized/Decentralized Access Control
• Centralized access control – one entity makes network access decisions. Owners decide which users can access specific objects and the administration supports these directives.
  • RADIUS
  • TACACS+
  • Diameter (RADIUS-based but enhanced to overcome RADIUS's inherent limitations)
• Decentralized access control – decisions and administration are implemented locally, putting the security controls in the hands of people closer to the resource.
  • Often causes confusion because it can lead to non-standardization, overlapping rights, etc.
  • P2P
Domain Objectives
• Definitions of Key Concepts
• Access Control Categories and Types
• Access Control Threats
• Access to System
• Access to Data
• Intrusion Prevention and Detection Systems
• Access Control Assurance
Intrusion Detection Systems
• Network-based (NIDS) – analyzes packets on the network
• Host-based (HIDS) – monitors activity on an individual host (permission and file changes, logs)
• Application-based (AIDS/APIDS) – monitors a specific application process and its protocol
Intrusion Prevention Systems
• Host-based
• Network-based
• Content-based
• Rate-based
• KPI (Key Performance Indicator) - measure effectiveness
Analysis Engine Methods
• Pattern or signature-based
• Pattern matching
• Stateful matching
• Anomaly-based
• Statistical
• Traffic
• Protocol
• Heuristic scanning
IDS/IPS Examples
• Anomaly
  • Multiple failed logins
  • User logged in at unusual times
  • Unexplained changes to system clocks
  • Unusual number of error messages
  • Unexplained system shutdowns/restarts
• Response
  • Dropping suspicious packets
  • Denying access to suspicious users
  • Reporting suspicions to other system hosts/firewalls
  • Changing IDS configurations
• Alert
  • IM
  • Email
  • Pager
  • Audible alarm
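To make the signature-versus-anomaly distinction from "Analysis Engine Methods" concrete, and to show two of the anomalies listed above (multiple failed logins, login at an unusual time) being detected, here is an added example that is not part of the original slides. It runs two toy analysis engines over a constructed authentication log: a stateful signature engine (N failures for one user/source inside a time window) and a statistical anomaly engine (hour of a successful login compared with a per-user baseline). The log line format, user names, IP addresses and baseline hours are all invented for the example and do not come from any real product.

```python
"""Added example: signature-based vs. anomaly-based IDS analysis over a
constructed authentication log. Log format, users, addresses and the
per-user baselines are invented for this illustration."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
2024-03-04T08:02:11 LOGIN OK user=alice src=10.0.0.5
2024-03-04T08:05:42 LOGIN OK user=bob src=10.0.0.7
2024-03-04T09:14:03 LOGIN FAIL user=bob src=10.0.0.7
2024-03-04T09:14:05 LOGIN OK user=bob src=10.0.0.7
2024-03-04T03:17:09 LOGIN FAIL user=alice src=198.51.100.23
2024-03-04T03:17:10 LOGIN FAIL user=alice src=198.51.100.23
2024-03-04T03:17:11 LOGIN FAIL user=alice src=198.51.100.23
2024-03-04T03:17:12 LOGIN FAIL user=alice src=198.51.100.23
2024-03-04T03:17:13 LOGIN FAIL user=alice src=198.51.100.23
2024-03-04T03:17:15 LOGIN OK user=alice src=198.51.100.23
this line is garbage and must not crash the parser
"""

# Constructed baseline: hour-of-day of each user's past successful logins.
BASELINE_HOURS = {
    "alice": [8, 9, 8, 10, 9, 8, 9, 10],
    "bob": [8, 9, 9, 8, 10, 9, 8, 9],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def signature_engine(events, threshold=5, window_s=60):
    """Stateful pattern match: `threshold` or more FAIL events for the same
    (user, src) inside a sliding window of `window_s` seconds."""
    alerts = []
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            failures[(ev["user"], ev["src"])].append(ev["ts"])
    for (user, src), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_s:
                alerts.append(
                    f"signature: {threshold}+ failed logins for {user} "
                    f"from {src} within {window_s}s"
                )
                break  # one alert per (user, src) is enough
    return alerts


def anomaly_engine(events, baseline, z_limit=3.0):
    """Statistical anomaly: a *successful* login whose hour of day lies more
    than `z_limit` standard deviations from the user's baseline. Hours are
    treated linearly (no wrap at midnight) to keep the example short; a
    production engine would use a circular statistic."""
    alerts = []
    for ev in events:
        hist = baseline.get(ev["user"])
        if ev["result"] != "OK" or not hist:
            continue  # no baseline: cannot judge, leave it to other engines
        mu, sigma = mean(hist), max(pstdev(hist), 1.0)  # floor avoids div by 0
        z = (ev["ts"].hour - mu) / sigma
        if abs(z) > z_limit:
            alerts.append(
                f"anomaly: {ev['user']} logged in at {ev['ts']:%H:%M} "
                f"(z={z:.1f}) from {ev['src']}"
            )
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in signature_engine(evs) + anomaly_engine(evs, BASELINE_HOURS):
        print(alert)
```

Note what each engine misses: the signature engine says nothing about the successful 03:17 login that followed the failures, and the anomaly engine cannot judge a user it has no baseline for. That complementarity is why the two methods are usually deployed together.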
Domain Objectives
• Definitions of Key Concepts
• Access Control Categories and Types
• Access Control Threats
• Access to System
• Access to Data
• Intrusion Prevention and Detection Systems
• Access Control Assurance
Access Control Assurance
• Audit trail monitoring
• Vulnerability assessment tools
Penetration Testing Overview
• Definition
• Areas to test
• Methods of testing
• Testing procedures
• Testing hazards
Areas to Test
• Application security
• Denial of Service (DoS)
• War dialing
• Wireless penetration
• Social engineering
• PBX and IP telephony
Penetration Testing Methods
• Attack perspectives
• External
• Internal
• Attack strategies
• Zero-knowledge
• Partial-knowledge
• Full-knowledge
• Targeted
• Double-blind
Testing Steps
• Discovery
• Enumeration
• Vulnerability mapping
• Exploitation
Testing Hazards and Reporting
• Production interruption
• Application abort
• System crash
• Documentation
• Identified vulnerabilities
• Countermeasure effectiveness
• Recommendations
• KPI – Key Performance Indicators
Access Control Domain Summary
• Definitions of Key Concepts
• Access Control Categories and Types
• Access Control Threats
• Access to System
• Access to Data
• Intrusion Prevention and Detection Systems
• Access Control Assurance
Business Continuity and
Disaster Recovery Planning
Domain Objectives
• Business Continuity Management (BCM) Project Planning
• Understanding the Organization
• Recovery Strategy Selection
• Creating the Plan(s)
• Developing and Implementing Response
• Testing, Update, and Maintenance of the Plan
Planning Should Occur BEFORE You Need It
BS 25999: Business Continuity Management
• Risk Management
• Health & Safety
• Disaster Recovery
• Knowledge Management
• Facilities Management
• Emergency Management
• Supply Chain Management
• Security
• Quality Management
• Crisis Communications and PR
Information Security Priorities
• Keeping CRITICAL products and services going
• Availability
• Integrity
• Confidentiality
Out of Business!!!
• What should be done in a crisis when most controls are missing?
The Business Continuity Life Cycle Overview
• Analyze the business
• Assess the risks
• Develop the BC strategy
• Develop the BC plan
• Rehearse the plan
BCM Project Management
• Senior management support
• Policy
• Access to key personnel
• Budget
• Immediate and ongoing budget
BCM Project Management
• Project management
• Project management
  • Scope
  • Timelines
  • Deliverables
  • Team members
  • Tools
Initiating BCP
• Awareness, data and implementation
• Staff and budget
• Result must be a long-term, sustainable program
• Review progress monthly (suggestion)
Documentation
• Review current BCP, if available
• Documentation may not equal capability
• Staff must be trained to use any necessary software
• Types of BCM document
  • Policy, including scope and principles
  • Business impact analysis
  • Risk and threat assessment
  • Strategies, including (if able) papers supporting the choice of strategies adopted
  • Response plans
  • Test schedule and reports
  • Awareness and training program
  • Service level agreements with customers and suppliers
  • Contracts for 3rd party recovery services such as workspace and salvage
• Review/update as directed by policy
Domain Objectives
• Business Continuity Management (BCM) Project Planning
• Understanding the Organization
• Recovery Strategy Selection
• Creating the Plan(s)
• Developing and Implementing Response
• Testing, Update, and Maintenance of the Plan
Understanding BCM Priorities
• Business priorities
• Policy/culture
• Critical services and products
• Legal and regulatory requirements
Risk Assessment and Management
• Management is often NOT an IT person. Might have different
priorities
• Risk management versus business continuity planning
• Risk management – tactical
• Business continuity – strategic
• Coordination between risk assessment and business impact
analysis
• Purpose of risk management?
Threat Identification
• Natural/environmental
• Human/man-made
• Utility
• Supply chain
• Equipment
• Facility
• Loss of key personnel
Understanding the Organization
• Business Impact Analysis (BIA)
• Benefits
• Objectives
• Indicators of critical business functions
• Time sensitivity
• Data integrity
• Classification
Business Impact Analysis
• Identifies, quantifies, and qualifies loss over time
• Business impact analysis process
• Workshops
• Questionnaires
• Interviews
• Observation
Business Impact Analysis
• Business justifications for budget
• Maximum Tolerable Downtime (MTD)/ Maximum Tolerable Period
of Downtime/Disruption (MTPD)
• Recovery Point objective (RPO)
• Document dependencies
• Third party dependencies and liabilities
• Service level agreements
Incident Readiness & Response
• Planners become leaders
• Be prepared
• Triage
• Incident management
• Success = return to operations
• Application of lessons learned
Continuity Requirement Analysis
• Identify supporting activities and resources
• Outcomes feed BCP strategy selection
• Reviewed with BIA
Domain Objectives
• Business Continuity Management (BCM) Project Planning
• Understanding the Organization
• Recovery Strategy Selection
• Creating the Plan(s)
• Developing and Implementing Response
• Testing, Update, and Maintenance of the Plan
Determining Recovery Strategy
• Determining BC strategies
• Strategy options
• Data
• Activity continuity options
• Resource-level consolidation
Determining Recovery Strategy
• High-level strategies – purpose is to ensure overall continuity
strategy appropriately supports the delivery of orgs
products/services
• Recovery Time Objective (RTO) < Maximum Tolerable
Downtime/Disruption (MTPD)
• Separation distance – how far away is recovery site
• Cost/benefit analysis – best strategy is often determined by cost
• Address specific business types
•
Different business functions have different recovery solutions
Recovery Alternatives
• Multiple processing/mirrored site
  • Description: Fully redundant identical equipment & data
  • Readiness: Highest level of availability & readiness
  • Cost: Highest
• Mobile site/trailer
  • Description: Designed, self-contained IT & communications
  • Readiness: Variable drive time; load data & test systems
  • Cost: High
• Hot site
  • Description: Fully provisioned IT & office, HVAC, infrastructure & communications
  • Readiness: Short time to load data and test systems. May be staffed by your own or vendor staff
  • Cost: High
• Warm site
  • Description: Partially IT equipped; some office, data & voice communications equipment, infrastructure
  • Readiness: Days or weeks
  • Cost: Moderate
• Cold site
  • Description: Minimal infrastructure, HVAC
  • Readiness: Weeks or more. Need all IT, data, office equipment & communications
  • Cost: Lowest
Processing Agreements
• Reciprocal or Mutual Aid
  • Description: Two or more organizations agree to recover critical operations for each other
  • Considerations: Technology upgrades/obsolescence or business growth. Security and access by partner users.
• Contingency
  • Description: Alternate arrangements if the primary provider is interrupted, i.e., voice or data communications
  • Considerations: Providers may share paths or lease from each other. Question them.
• Service Bureau
  • Description: Agreement with an application service provider to process critical business functions
  • Considerations: Evaluate their loading and geography, and ask about backup mode.
• Remote Working Arrangements
  • Description: Ability to telecommute or work from home
  • Considerations: Sensitive data controls, unauthorized equipment
Domain Objectives
• Business Continuity Management (BCM) Project Planning
• Understanding the Organization
• Recovery Strategy Selection
• Creating the Plan(s)
• Developing and Implementing Response
• Testing, Update, and Maintenance of the Plan
Business Continuity Plan
• Master Plan
• Modular in design
• Executive endorsement
• Review quarterly
BCP Contents
• When will team be activated?
• How will the team be activated?
• Where will everyone meet?
• Is there an Action Plan/Task List?
• Is there any reporting? If so, to whom?
BCP Contents
• Responsibilities of the team or specific individuals
  • Liaising with emergency services (fire, police, ambulance)
  • Receiving or seeking information from response teams
  • Reporting information to the incident management team
  • Mobilizing third-party suppliers of salvage and recovery services
  • Allocating available resources to recovery teams
• Location/mobilization instructions
Developing Response Plans
• Incident response structure – plans that answer "What do we do now?": emergency response procedures, personnel notification, backup and offsite storage, etc.
• Emergency response procedures
  • Personnel – executive succession plan, executive crisis management roles, BC coordinator and teams, notification lists, PR
  • Communications – emergency systems, business systems communications and networks
• Alternate site considerations – utilities, communications, environmental protection, workspace protection
• Logistics and supplies – personnel and materials transport, personnel support and welfare, remote worker activation, emergency funds, protection against fraud and looting, safety and legal issues, escalated management authority
Creating Recovery Plans
• Recovery procedures
• Recovery priorities
• Activation of alternate site or processes
• Data recovery
• Business resumption plan
Creating Disaster Recovery Plans
• Disaster recovery
• Recover out to the alternate – MOST critical first
• Recover back to the primary – LEAST critical first
• Responsibilities and authority
• Outlines what needs to be done
• Outlines who will do the work
• Since this may be happening at the same time as
the incident, recovery should be done (if possible)
by a different team comprised of technical experts
and system engineers who can rebuild the failed
systems
Creating Restoration Plans
• Rebuilding of primary site
• Facility restoration
• System restoration
• Priorities
• Data synchronization
• Salvage
• Closure of alternate site
Topics to Address in Plans
• Equipment
• Procurement (vendor agreement)
• Facilities
• Environmental controls
• Fire and water protection
• Personnel
Topics to Address in Plans
• Data
• Offsite storage requirements
• Utilities
• Communications
• Logistics and supplies
Resource-Level Consolidation
• Consolidation plan
• Availability of solutions
• Consolidate, approve and implement
• Outcomes and deliverables
Domain Objectives
• Business Continuity Management (BCM) Project Planning
• Understanding the Organization
• Recovery Strategy Selection
• Creating the Plan(s)
• Developing and Implementing Response
• Testing, Update, and Maintenance of the Plan
Incident Response Management
• Strategic Level: Incident Management Plan (IMP) – defines how the strategic issues of a crisis will be managed by the chief executive/senior managers. May include crises that do not result in interruptions (hostile takeover, media exposure, etc.).
• Tactical Level: Business Continuity Plan (BCP) – addresses business disruption, interruption, or loss from the initial response until normal business resumes.
• Operational Level: Activity Resumption Plans – provide plans for resuming normal business functions. Might provide the logical and technical structure for restoring services or use of alternate facilities.
Implementing Incident Management
• Crisis management
• Rapid response is critical
  • Triage (alerts)
  • Notification
  • Health and safety of personnel (people first)
  • Escalation
  • Executive succession
Initial Assessment
• Damage assessment
• Declaring a disaster
• Mobilization of response teams
• Permanent and virtual teams
Documentation and Communication
• Documentation of the incident
• Feedback and analysis
• Communications
• Public relations
Domain Objectives
• Business Continuity Management (BCM) Project Planning
• Understanding the Organization
• Recovery Strategy Selection
• Creating the Plan(s)
• Developing and Implementing Response
• Testing, Update, and Maintenance of the Plan
Testing the Program
• Find the flaws
• Outsourcing
• Timetable for tests
• Designing a test
• Define success/failure BEFORE test begins
Testing Types
(Listed from most frequent and least complex to seldom performed and most complex)
• Desk check
  • Process: Check the contents of the plan; aid in maintenance
  • Participants: Author
  • Frequency/Complexity: Often / LOW
• Walk through
  • Process: Check interaction and roles of participants
  • Participants: Author and main people
• Simulation
  • Process: Includes business plans, buildings and communication
  • Participants: Main people and auditors
• Parallel testing
  • Process: Moves work to another site; recreates the existing work from the displaced site
  • Participants: Everyone at the test location
• Full interruption
  • Process: Shuts down and relocates all work
  • Participants: Everyone at both locations
  • Frequency/Complexity: Seldom / HIGH
Testing BCP Arrangements
• Test, rehearsal and exercise
• Combining individual tests to ensure complete coverage
• Stringency, realism, and minimal exposure
• Risks of testing
• Scope and documentation of a test
• Outcomes
Embedding BCP into the Organization
• Assessing level of awareness and training
• Develop levels of training for individuals
• Developing BCP within the culture
• Educate employees not only of what they are supposed to do
but WHY they are doing it that way
• Monitoring cultural change
• Get feedback. Sometimes the best solution to a problem will
come from the most unexpected person
Specialized Training Needs
• EOC (Emergency Operations Center)
• Specialized skills
• Forensic
• Interviewing
• Technical
• Crisis management
• PR
• Etc.
Maintaining BCP Arrangements
• Ready and embedded
• Aligned with change-management procedures
• Owners keep information current
• Documented
• Review as needed
BCP Maintenance
• Updating
• Annual review – at a minimum
• Subsequent to tests – to immediately identify fail points and
needed changes
• Response to audits – to address issues found
• Version control – to ensure everyone is working off the most current plan
• Distribution of plan – to ensure everyone is working off the most current plan
Reviewing BCP
• Audit
• Independent BCP audit opinion
• As directed by audit policy
Factors for BCM Success
• Supported by senior management
• Everyone is aware
• Everyone is invested
• Consensus
Business Continuity and Disaster
Recovery Planning
Domain Summary
• Business Continuity Management (BCM) Project Planning
• Understanding the Organization
• Recovery Strategy Selection
• Creating the Plan(s)
• Developing and Implementing Response
• Testing, Update, and Maintenance of the Plan
Cryptography
Domain Objectives
• Definitions
• History
• Uses
• Cryptographic Methods
• Encryption Systems
• Algorithms
• Cryptanalysis and Attacks
• Implementations
Concepts and Definitions
• Cryptology – the study of cryptography and cryptanalysis
• Cryptanalysis – practice of defeating the protective properties of
cryptography. Reading protected info, altering messages or
integrity values and violating authentication. The practice of testing
cryptographic algorithms to determine their strength or resistance
to compromise.
• Cryptography – from Greek words “kryptos” (hidden) and
“graphia” (writing). Mathematical manipulation of information to
prevent the information from being disclosed or altered.
Basic Goals of Cryptography
• Confidentiality – prevent unauthorized people from being able to detect or understand a message
• Integrity – detect if a message has been tampered with or corrupted
• Authenticity – verify that a message really came from the claimed sender and, in protocols, that it is fresh and in the correct order, which includes prevention of replay attacks
• Non-repudiation – sender cannot deny sending
• Access control – encrypted passwords and token-based access control devices provide protection for systems and applications
• Make compromise difficult – make the attack either too expensive or too time-consuming to be worth the effort
Concepts & Definitions
• Cryptosystem – device or process used to perform encryption and
decryption operations
• Plaintext/Cleartext – human readable message
• Ciphertext/Cryptogram – enciphered, encrypted, or scrambled
message
• Cryptographic Algorithm – mathematical function that determines the
cryptographic operations
• Cryptovariable (key) – usually secret value that, together with the
algorithm, transforms the plaintext into the ciphertext
• Key Space – total number of keys available to the user of a
cryptosystem (2^n for an n-bit key)
Concepts & Definitions
• Encrypt/Encipher – scrambling a plaintext message by using an
algorithm, usually in conjunction with a key
• Encode – similar to enciphering or encrypting except that it does not use
a key; anyone who knows the scheme can reverse it, so encoding is not a
security control
• Decipher/Decrypt/Decode – descrambling an encrypted message and
converting it to plaintext
Basic Transformation Techniques
• Substitution – change value, not position.
• Transposition/Permutation – change the relative position of values
without replacing them (bit-shuffling)
• Compression – remove redundancy from the plaintext before it is
encrypted. Saves bandwidth and storage and leaves fewer statistical
patterns for a cryptanalyst to exploit.
• Entropy – measure of how unpredictable the data is; it sets the limit on
how far the data can be compressed
• Expansion – typically used to increase the size of plaintext to match the
size of keys or subkeys
• Padding – adding additional material to plaintext before encrypting.
Fills out the last block, addresses weaknesses in an algorithm and foils
traffic analysis by hiding the true message length
XOR – Exclusive Or
• Fast arithmetic function used in many computer operations
• Binary math: addition modulo 2, bit by bit, with no carry
• If both input values are the same the output is a Zero (i.e., 1+1=0;
0+0=0)
• If the input values are different the output is a One (i.e., 1+0=1;
0+1=1)
• XOR is its own inverse: (plaintext XOR key) XOR key = plaintext, which
is why stream ciphers and one-time pads use it to mix in the keystream
Keys and Cryptovariables
• Key management – refers to the principles and practices of protecting the keys throughout the lifecycle
• Key expiry/cryptoperiod – keys should be changed on a regular basis. Length of time should be based on
algorithm and level of protection required
• Key mixing/Key schedule – DES nominal key length is 56 bits (64 bits stored, 8 of them parity). It runs 16
rounds of substitution and transposition, and the key schedule derives a different 48-bit subkey from the
56-bit key for each round. AES likewise uses a key schedule to expand the original key into a separate round
key for every round.
• Keystreams – pseudo-random sequence that is generated from the input key and mixed with the input
message.
• Synchronous – keystream is generated from the key (and IV) alone, independent of the message, so
sender and receiver must stay in step bit-by-bit
• Non or self-synchronous – keystream is generated from previously produced ciphertext and the
cryptovariable, so the receiver resynchronizes by itself after an error
• Key storage – key must be protected in transit and storage
• Key clustering – term used to represent a weakness that exists in a cryptosystem if two different keys
generate the same ciphertext from the same plaintext
Initialization Vector (IV)
• Encrypting similar messages under the same key will create patterns of
ciphertext. Predictability is an enemy of cryptography.
• An IV is a random (or at least never-repeated) value combined with the
plaintext before encrypting so that each ciphertext will be substantially
different, even for the same message under the same key.
• The recipient will also need the IV to decrypt the message; it is not
secret and is usually sent along with the ciphertext
Work Factor
• An estimate of the effort/time needed to overcome a protective
measure by an attacker with specified expertise and resources.
• Commonly used as a way to measure the amount of resources that
would be required to brute-force an algorithm or cryptosystem.
• System is said to be broken when there is a way to decrease the
work factor to a reasonable level.
• All cryptosystems will be crackable eventually. Objective is to use
a system that is computationally infeasible to crack.
• Work factor measures the attacker's effort; it says nothing about the
cost of normal encryption/decryption by the legitimate users
Kerckhoffs's Principle
• States that the strength of a cryptosystem is based on the secrecy of the key
and not on the secrecy of the algorithm.
• Work factor for the cryptanalyst is the effort required to determine the correct
key.
• Key length is the primary method used to determine the strength of the
cryptosystem (for a sound algorithm; a weak algorithm is not rescued by a
long key).
• Brittleness – measure of how badly a system fails. A resilient system is
dynamic and designed to fail only partially or degrade gracefully. In general,
automated systems which only do one thing are by definition brittle.
• "Security by Obscurity" – concept that a system is secure as long as no one
outside the "group" is allowed to find out anything about its internal
mechanisms. The opposite of Kerckhoffs's principle; it fails as soon as the
mechanism leaks.
Key Algorithms
• Symmetric key – same key used for both the encryption and
decryption operation
• Asymmetric key – pair of mathematically related keys (A and B)
used separately for encryption and decryption
Certificates
• Certificate proves who owns a public key
• Digitally signed, special block of data that contains public key
and identifying information for the entity that owns the private
key
• Issued by a Certification Authority (CA) – trusted entity or 3rd
party that issues and signs public key certificates, attesting to the
validity of the public key.
• Registration Authority – is the primary organization that verifies a
Certificate Applicant’s information and identity. Works with CA to
verify applicant’s information before issuing a certificate
Hash Functions
• Message integrity
• Computed value for a message, program, data, etc to be
transmitted or stored
• One way function
• Cannot decrypt/reverse a hash
Digital Signatures
• Message Integrity and Proof of Origin
• Proves message has not been altered
• Proves who sent the message
• Created by signing a hash of the message with the private
asymmetric key of the sender. Anyone holding the sender's public key
can verify the signed hash; only the private key could have produced it.
• Reason for signing the hash of the message instead of the
message is that asymmetric algorithms tend to be very slow and
computationally intensive to use. So signing the fixed-size hash saves
time and money.
Domain Objectives
• Definitions
• History
• Uses
• Cryptographic Methods
• Encryption Systems
• Algorithms
• Cryptanalysis and Attacks
• Implementations
Historical Development
• Cryptographic techniques
• Manual – cryptographic methods performed by hand using a variety of
tools (still used on some one-time pads)
• Mechanical – use of mechanical tools to perform encryption and
decryption (cipherdisk)
• Electro-mechanical – use of electro-mechanical devices (Enigma
machine)
• Electronic – computer based tech used to perform complex and secure
cryptographic operations (software and hardware based algorithms – AES,
RSA, etc.)
• Quantum cryptography – using single-photon light emissions for key
distribution; eavesdropping on the photons disturbs them and is detected
Domain Objectives
• Definitions
• History
• Uses
• Cryptographic Methods
• Encryption Systems
• Algorithms
• Cryptanalysis and Attacks
• Implementations
Uses of Cryptography
• Protecting information
• Transit
• Email, VPNs, e-commerce, VOIP, etc.
• Storage
• Disk encryption
• System access
• Passwords, remote login
Domain Objectives
• Definitions
• History
• Uses
• Cryptographic Methods
• Encryption Systems
• Algorithms
• Cryptanalysis and Attacks
• Implementations
Making Secure Algorithms
• Problems – simple systems are not very secure
• Discernible – if you know the language of the original message, "frequency
analysis" can be performed
• Redundancies – make the cryptanalyst's job easier
• Statistical patterns – can be revealed in ciphertext if algorithm doesn't obscure
them
• Solutions
• Confusion – principle of hiding the relationship between the key and the
ciphertext, achieved by substitution
• Diffusion – act of spreading the influence of each plaintext character
throughout the ciphertext (transposition), so that a character in the ciphertext
does not line up directly with the same position in the plaintext
• Avalanche – achieved when every plaintext (and key) bit affects the entire
ciphertext, so that changing one bit in the plaintext changes about half of the
ciphertext bits
Stream Ciphers
• Keystream
• Statistically unpredictable and unbiased
• Not linearly related to the key
• Operates on individual bits or bytes
Uses of Stream Cipher and Stream-Mode
Block Ciphers
• Wireless
• Audio/video streaming
• SRTP (Secure Real-time Transport Protocol)
Block Cipher
• Blocks of plaintext are encrypted into ciphertext blocks
• Multiple modes of operation
• Variable key size, block size, rounds
Block Cipher Uses
• Data transport – SSL, TLS. Both protocols can use AES and Triple
DES. IPSec based VPNs also use block ciphers to encrypt
communication between endpoints
• Data storage – even though block ciphers take more time, used
because of their greater ability to frustrate cryptanalysis. TrueCrypt
is an example of disk-encryption software built on block ciphers
Domain Objectives
• Definitions
• History
• Uses
• Cryptographic Methods
• Encryption Systems
• Algorithms
• Cryptanalysis and Attacks
• Implementations
Simple Substitution Ciphers
• Substitution of one value for another
• Caesar Cipher
• Shift alphabet (by 3)
• A B C D E F …. FACE
• D E F G H I …. IDFH
• Scramble alphabet
• A B C D E F …. FACE
• Q E Y R T M …. MQYT
• Vulnerable to frequency analysis
Simple Transposition/Permutation
• Columnar – rearranging the
message in a table
• Plaintext “This is an example of
transposition”
• Cipher “tsaoni hamfst inptpi selroo
ixeasn”
• Key: grid shape & reading
direction
• Example: the Spartan Scytale
Grid (5 columns, written row by row, read out column by column):
T H I S I
S A N E X
A M P L E
O F T R A
N S P O S
I T I O N
Polyalphabetic Ciphers
[Tableau: plaintext alphabet A … Z across the top; key rows 1, 2, 3, 4 … each
shift the alphabet back one more place (row 1 begins Z A B C …, row 2 begins
Y Z A B …, row 3 begins X Y Z A …, row 4 begins W X Y Z …). To encrypt, find
the plaintext letter in the top row and read down to the row selected by the
current key digit.]
• Encrypt the plaintext FEEDBACK using a key of 3241
• Try encrypting your name
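Added example (not from the original slides) covering both the columnar transposition slide and the polyalphabetic exercise above. The transposition reproduces the slide's ciphertext from its 5-column grid and shows that the "key" is only the grid shape and reading direction. The polyalphabetic routine follows the tableau as drawn, in which key row k shifts the alphabet back k places; that reading of the tableau is an assumption of this code (the classical Vigenère shifts forward), so the answer to the FEEDBACK exercise depends on it.

```python
# Added example (not from the original slides): columnar transposition with the
# slide's 5-column grid, and a polyalphabetic cipher using the slide's tableau,
# where key row k shifts the alphabet back k places (assumed from the drawing).
import string

ALPHABET = string.ascii_uppercase


def letters_only(text: str) -> str:
    return "".join(c for c in text.upper() if c in ALPHABET)


def columnar_encrypt(plaintext: str, columns: int) -> str:
    """Fill a grid `columns` wide row by row, then read it out column by column.
    The key is the grid shape and reading direction, not a substitution."""
    text = letters_only(plaintext)
    rows = [text[i:i + columns] for i in range(0, len(text), columns)]
    return "".join(row[col] for col in range(columns) for row in rows if col < len(row))


def columnar_decrypt(ciphertext: str, columns: int) -> str:
    """Rebuild the columns (the first `extra` columns are one letter longer when
    the last row is incomplete), then read the grid row by row."""
    full_rows, extra = divmod(len(ciphertext), columns)
    lengths = [full_rows + (1 if c < extra else 0) for c in range(columns)]
    cols, pos = [], 0
    for length in lengths:
        cols.append(ciphertext[pos:pos + length])
        pos += length
    total_rows = full_rows + (1 if extra else 0)
    return "".join(cols[c][r] for r in range(total_rows)
                   for c in range(columns) if r < len(cols[c]))


def poly_encrypt(plaintext: str, key: str) -> str:
    """Polyalphabetic substitution: letter i uses tableau row key[i mod len(key)],
    and row k maps a letter to the one k places earlier in the alphabet."""
    shifts = [int(d) for d in key]
    out = []
    for i, ch in enumerate(letters_only(plaintext)):
        out.append(ALPHABET[(ALPHABET.index(ch) - shifts[i % len(shifts)]) % 26])
    return "".join(out)


def poly_decrypt(ciphertext: str, key: str) -> str:
    shifts = [int(d) for d in key]
    out = []
    for i, ch in enumerate(letters_only(ciphertext)):
        out.append(ALPHABET[(ALPHABET.index(ch) + shifts[i % len(shifts)]) % 26])
    return "".join(out)
```

Transposition keeps every plaintext letter, so the ciphertext has exactly the letter frequencies of the plaintext: an analyst who sees English frequencies but no readable words knows immediately that a transposition, not a substitution, was used. The polyalphabetic cipher flattens single-letter frequencies, but with a 4-digit key every fourth letter is a plain Caesar shift, which is what Kasiski examination exploits.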
Running Key Ciphers
• Done by using the numerical value of letters in the plaintext and is
coded and decoded by using a copy of the text in a book as the
key.
• Sender and recipient determine the key by agreeing on a point in
the book (i.e. page number) from which to start the encryption.
• Key would “run” as long as the plaintext, and the value of each
letter of the key would be “added” to the value of each letter of the
plaintext.
• If total of the two letters is greater than 25, then 26 would be
subtracted from the result. The combined value of the letters
would be the value of the ciphertext letter.
One-Time Pads (OTP)
• Truly random key values
• Both sides have same pad of key values
• Key is as long as the message and is only used once
• Unbreakable algorithm
• Mathematically proven (Shannon) that it can never be broken, but only
if the pad is truly random, kept secret, never reused and never shorter
than the message; reusing a pad breaks it completely
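Added example (not from the original slides) that ties together the XOR, keystream and one-time pad slides: XOR as the mixing step, why the ciphertext alone proves nothing (for any candidate plaintext there is a pad that produces it), and the two-time pad failure, where reusing the pad cancels the key out and one known message reveals the other. The messages and the fixed test pad are constructed data.

```python
# Added example (not from the original slides): XOR as the mixing step of a
# one-time pad, the perfect-secrecy property, and the failure when a pad is
# reused. The messages and the fixed pad used in the test are constructed data.
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR: addition modulo 2 on each bit (1+1=0, 1+0=1)."""
    if len(a) != len(b):
        raise ValueError("a one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """Fresh, unpredictable key material from the OS CSPRNG. The OTP proof
    assumes a truly random pad; a predictable or reused pad voids it."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)   # XOR is its own inverse: (p ^ k) ^ k == p


def pad_that_explains(ciphertext: bytes, any_plaintext: bytes) -> bytes:
    """Perfect secrecy: for every candidate plaintext of the right length there is
    a pad that decrypts the ciphertext to it, so the ciphertext alone cannot
    tell the attacker which one was sent."""
    return xor_bytes(ciphertext, any_plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Same pad used twice: c1 ^ c2 == p1 ^ p2. The key cancels out and only
    plaintext-on-plaintext remains, which language statistics can unpick."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With one plaintext known (a crib), the other drops out: p2 = (c1 ^ c2) ^ p1."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_p1)
```

The same arithmetic applies to any stream cipher or counter-mode block cipher: the keystream replaces the pad, and reusing a key/IV or key/nonce pair is exactly the two-time-pad mistake.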
Steganography
• The art of hiding information
• Plaintext hidden/disguised
• Prevents a third party from knowing that a secret
message exists
• Traditionally accomplished in a number of ways:
• Physical techniques
• Null ciphers
Image-Based Steganography
[Figure: original image beside the stegged image. File sizes are identical
(260 kB); the hash values of the two files differ.]
Watermarking/Rights Management
• Digital watermarking – similar to physical watermarking.
Either visible or invisible markings embedded within a digital
file to indicate copyright or other handling instructions, or to
embed a fingerprint to detect unauthorized copying and
distribution of images.
• Digital Rights Management/Digital Restriction Management
(DRM) – extends digital watermarking in order to place strict
usage conditions on the display and reproduction of digital
media.
Domain Objectives
• Definitions
• History
• Uses
• Cryptographic Methods
• Encryption Systems
• Algorithms
• Cryptanalysis and Attacks
• Implementations
Modes of Symmetric Block Ciphers
• Block Modes
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Stream Modes
• Cipher Feed Back (CFB)
• Output Feed Back (OFB)
• Counter (CTR)
• Counter with CBC-MAC (CCMP)
Electronic Code Book (ECB)
• Each block of plaintext is encrypted independently using the same
key
• Identical plaintext blocks produce identical ciphertext blocks, so
patterns in the data show through; avoid for anything longer than one
block
Cipher Block Chaining (CBC)
• The first plaintext block is XOR'd with an Initialization Vector (IV)
before it is encrypted
• Each resulting ciphertext block is XOR'd into the next plaintext block
before that block is encrypted, chaining the blocks together
Cipher Feed Back (CFB)
• Similar to CBC
• IV is encrypted and then XOR'd with the first plaintext block; the
resulting ciphertext block is encrypted to produce the keystream for the
next block
Output Feed Back (OFB)
• Operates very much like CFB
• Only the RESULT of encrypting the IV is fed back to the next
operation, so the keystream does not depend on the plaintext
Counter (CTR)
• Similar to OFB
• A nonce plus an incrementing counter value is encrypted instead of
feeding back the previous output, so blocks can be processed in parallel
• The nonce/counter value must never repeat under the same key
Counter With CBC-MAC (CCM / CCMP)
• Provides confidentiality and authenticity
• Works with 128 bit block size (AES)
• Mandatory in 802.11i (WPA2), where it is called CCMP
• Adds one more block (the CBC-MAC tag) for authenticity
• Counter mode lacks integrity. CCM solves that problem.
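Added example (not from the original slides) that runs the ECB, CBC and CTR modes described above. It needs a block cipher, so it includes a toy 16-byte Feistel network (the DES structure, with an HMAC-SHA256 round function) as a stand-in; that toy cipher is an assumption of this code, is not DES or AES and must not be used for real data. The modes themselves are the standard constructions. Key, IV and messages in the test are constructed.

```python
# Added example (not from the original slides): ECB, CBC and CTR modes built on a
# toy 16-byte Feistel block cipher. The cipher is a stand-in so the modes can run
# without a crypto library; it is NOT DES or AES and is not secure. The modes are
# the standard constructions.
import hashlib
import hmac

BLOCK = 16          # bytes per block
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Feistel round function: a keyed PRF of the round number and one half-block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, xor(left, _f(key, right, rnd))
    return right + left          # swap halves so decryption is the same network in reverse


def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        right, left = left, xor(right, _f(key, left, rnd))
    return left + right


def pad(data: bytes) -> bytes:          # PKCS#7 padding to a whole number of blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def split(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    """ECB: each block on its own, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in split(pad(plaintext)))


def ecb_decrypt(key, ciphertext):
    return unpad(b"".join(block_decrypt(key, b) for b in split(ciphertext)))


def cbc_encrypt(key, iv, plaintext):
    """CBC: XOR each plaintext block with the previous ciphertext block (IV first)."""
    out, prev = [], iv
    for b in split(pad(plaintext)):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for b in split(ciphertext):
        out.append(xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def ctr_crypt(key, nonce8, data):
    """CTR: encrypt nonce||counter to get keystream, XOR with data. No padding, no
    chaining (parallel), and the same call encrypts and decrypts. Never reuse a
    nonce with the same key: that is the two-time-pad problem again."""
    out = []
    for i, b in enumerate(split(data)):
        keystream = block_encrypt(key, nonce8 + i.to_bytes(8, "big"))
        out.append(xor(b, keystream))
    return b"".join(out)


def ecb_shows_pattern(key, plaintext) -> bool:
    """True when two equal plaintext blocks leak as two equal ciphertext blocks."""
    blocks = split(ecb_encrypt(key, plaintext))
    return blocks[0] == blocks[1]
```

Run `ecb_shows_pattern` on any input with repeated 16-byte blocks and it returns True; the same input through `cbc_encrypt` gives two different ciphertext blocks because the first ciphertext block is mixed into the second plaintext block. CTR output is only as good as the nonce discipline: the same key and nonce on two messages reduces to XOR of the plaintexts.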
DES – Data Encryption Standard
• DES
• 56 bit key
• 16 rounds of transposition and substitution
• Fixed 64 bit block size
• Double DES (DDES)
• Uses two 56 bit keys
• Message is encrypted by one key and re-encrypted by the second
• Was thought to provide 112 bit security but was successfully attacked by the
"meet-in-the-middle" analytic attack, which reduces the effort to about 2^57
• Triple DES (TDES)
• Input data is encrypted three times
• Strength depends on the mode of the operation picked and the number of
keys being used
• Nominal key size is 168 bits with three keys; effective strength is about
112 bits because of meet-in-the-middle
AES – Advanced Encryption Standard
• Based on Rijndael algorithm
• Developed by Daemen and Rijmen in 1998
• Block sizes: 128, 192, and 256
• Variable number of rounds
• Variable key size
Other Block Ciphers
• RC5 and RC6
• Blowfish
• Twofish
• CAST
• SAFER
• Serpent
RC-4
• Symmetric stream cipher
• Arbitrary key size
• Many applications (historically WEP, TKIP and SSL/TLS); now
deprecated because of biases in its keystream
Strengths & Weaknesses – Symmetric
Ciphers
Strengths
• Fast
• Difficult to crack
• Algorithms and tools freely
available
• Stream ciphers ensure highly
efficient serial
communications
• Block ciphers offer multiple
modes
Weaknesses
• A different form of key
negotiation/ exchange/
distribution must be used
• Poor scalability – n parties need n(n-1)/2 pairwise keys
• Limited security services – confidentiality and integrity, but no
non-repudiation, since both parties hold the same key
• On noisy channels, error
correcting is a must
Asymmetric Key Cryptography
• Diffie-Hellman, 1976
• Public key cryptography
• Uses a pair of mathematically related keys
• Private key
• Public key
Public Key Algorithms
• Ensures confidentiality
• Encrypting message with the receiver’s public key provides confidential
transmission of the message because the only key that can open the
message is the corresponding private key of the recipient
• Ensure proof of origin
• When a message is encrypted (signed) with the sender’s private key, the
recipient can verify the source of the message because the message can
only be opened with the sender’s public key
• Confidentiality and proof of origin
• Double encrypting a message with the private key of the sender and then
with the public key of the receiver will provide both confidentiality and proof
of origin
RSA Algorithm
• Rivest-Shamir-Adleman, 1977
• Encryption
• Digital signatures
• Key distribution
• Adjustable key size
• PKCS#1 specifies how the algorithm is used in practice (padding for
encryption and signatures). Version 2.1 at the time of this presentation
• How does it work?
• Find 2 large prime numbers and call them p and q
• Multiply them and call the result n
• Choose a public value less than n that is relatively prime with (p-1)(q-1)
and call it e
• Find d such that e*d = 1 mod (p-1)*(q-1)
• Make n and e PUBLIC, and keep d, p and q SECRET
• To encrypt message m, ciphertext c = m^e mod n
• To decrypt, m = c^d mod n
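Added example (not from the original slides): the key-generation steps just listed, carried out with small primes so the arithmetic is visible, followed by the hash-then-sign construction described under Digital Signatures earlier in this domain. This is textbook RSA with no padding, shown for the arithmetic only; real deployments use 2048-bit or larger moduli and PKCS#1 padding (OAEP for encryption, PSS for signatures). The primes and messages in the test are constructed.

```python
# Added example (not from the original slides): the RSA key-generation steps
# from the slide with small primes, then hash-then-sign. Textbook RSA without
# padding, for the arithmetic only; real RSA uses PKCS#1 padding and big moduli.
import hashlib
from math import gcd


def modinv(a: int, m: int) -> int:
    """Extended Euclid: find d with a*d = 1 (mod m)."""
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return t0 % m


def keygen(p: int, q: int, e: int):
    """Return ((n, e), d): n and e are public; d (and p, q) stay secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = modinv(e, phi)             # e*d = 1 (mod phi)
    return (n, e), d


def encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)            # c = m^e mod n


def decrypt(pub, d: int, c: int) -> int:
    n, _ = pub
    return pow(c, d, n)            # m = c^d mod n


def _hash_as_int(message: bytes, n: int) -> int:
    # Reducing the digest mod n keeps it below n for this toy modulus; real RSA
    # signatures instead encode the full digest with PSS or PKCS#1 v1.5 padding.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(pub, d: int, message: bytes) -> int:
    """Sign the hash, not the message: the hash is fixed-size and the private-key
    operation is the expensive part."""
    n, _ = pub
    return pow(_hash_as_int(message, n), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == _hash_as_int(message, n)
```

With p = 61, q = 53 and e = 17 the inverse comes out as d = 2753, and encrypting m = 65 gives c = 2790; decrypting with d returns 65. The same private-key exponentiation, applied to a hash instead of a message, is the signature, and anyone with (n, e) can check it.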
Other Algorithms
• Diffie-Hellman Key Exchange Protocol
• Perfect Forward Secrecy (PFS) – property of D-H when each session uses fresh,
temporary private values: if a long-term private key is compromised later, the
session keys negotiated earlier cannot be recovered from it, because the
temporary values were discarded after use
• Diffie-Hellman Groups – determine the size of the prime modulus (and the
generator) used in the exchange, and so its strength.
• STS/Unified Diffie-Hellman – one weakness of plain D-H is the man-in-the-middle
attack, since the exchange is not authenticated. This led to development of the
Station to Station (STS) key agreement protocol by Diffie, van Oorschot and
Wiener in 1992.
• Menezes-Qu-Vanstone (MQV) – authenticated key agreement
• Elgamal – discrete-logarithm based encryption and signature scheme; basis of
DSA, still used in OpenPGP
• Elliptic Curve Cryptography (ECC) – equivalent strength with far fewer key bits
(a 256-bit curve is comparable to 3072-bit RSA) and faster than RSA at the
same strength
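Added example (not from the original slides): a Diffie-Hellman exchange and the man-in-the-middle that the STS and MQV variants were designed to stop. The group (a Mersenne prime modulus with base 5) is toy-sized for readability and is an assumption of this code, not a standardized DH group; real use takes an RFC 3526 / RFC 7919 MODP group or an elliptic curve. The private exponents in the test are constructed.

```python
# Added example (not from the original slides): Diffie-Hellman agreement and why
# an unauthenticated exchange falls to a man-in-the-middle. Toy group, not a
# standardized one.
import secrets

P = 2 ** 127 - 1      # prime modulus (toy-sized; standardized groups are 2048 bits and up)
G = 5                 # base


def private_value() -> int:
    """Fresh per session and discarded afterwards: this is what gives forward secrecy."""
    return secrets.randbelow(P - 3) + 2


def public_value(priv: int) -> int:
    return pow(G, priv, P)


def shared_secret(peer_public: int, priv: int) -> int:
    return pow(peer_public, priv, P)


def honest_exchange(a_priv: int, b_priv: int):
    """Both sides compute g^(ab) mod p from the peer's public value and their own
    private one; an eavesdropper sees only g^a and g^b."""
    A, B = public_value(a_priv), public_value(b_priv)
    return shared_secret(B, a_priv), shared_secret(A, b_priv)


def mitm_exchange(a_priv: int, b_priv: int, m_priv: int):
    """Mallory replaces A and B in transit with her own public value M. Nothing in
    plain DH lets Alice or Bob notice, so each of them ends up sharing a key with
    Mallory, who decrypts, reads and re-encrypts every message. Returns whether
    Mallory holds Alice's key and whether she holds Bob's."""
    A, B, M = public_value(a_priv), public_value(b_priv), public_value(m_priv)
    alice_key = shared_secret(M, a_priv)            # Alice believes M came from Bob
    bob_key = shared_secret(M, b_priv)              # Bob believes M came from Alice
    mallory_alice = shared_secret(A, m_priv)
    mallory_bob = shared_secret(B, m_priv)
    return alice_key == mallory_alice, bob_key == mallory_bob
```

The fix is not a bigger group but authentication of the public values: STS signs them with long-term keys, and TLS does the same by signing the ephemeral DH share with the server's certificate key. The ephemeral values are still thrown away, which is what keeps forward secrecy.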
Knapsack Algorithms
• Merkle-Hellman knapsack
• Developed in 1978
• Chor-Rivest knapsack
• Developed in 1984 and revised in 1988
• Both schemes have been broken
Asymmetric Key Cryptography
Strengths
• Confidentiality/privacy
• Access control
• Authentication
• Integrity
• Non-repudiation
Weaknesses
• Computationally
intensive
• Very slow
Common Hash Functions
• Message Digest
• MD2, MD4, MD5 – all broken for collision resistance; do not use for
signatures or integrity
• Secure Hash Algorithm (SHA)
• SHA-1 (160 bit) – practical collisions demonstrated; being phased out
• SHA-2 family: SHA-256, SHA-384, SHA-512 (current best practice)
• SHA-3
• HAVAL
• RIPEMD
• Tiger
• WHIRLPOOL
Hash Function Characteristics
• Condensed representation of the message
• One-way function
• Non-linear relationship
• Hash calculated from whole, original message
Keyed Hashes (HMAC) – not the same as a salt
• Basic hash can be intercepted and recomputed: whoever changes the
message simply hashes the new message
• To solve that problem, mix a HASH algorithm with a pre-shared
key (HMAC)
• Adversary would need to know the key to create a valid tag for a
modified message
• Implemented in IPSec for integrity checking of both ESP
(Encapsulating Security Payload) & AH (Authentication
Header)
• A salt, by contrast, is a public random value mixed into a password
hash so that equal passwords hash differently and precomputed tables
fail; it provides no authentication
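Added example (not from the original slides) showing the two mechanisms this slide covers side by side: an unkeyed digest that an active attacker simply recomputes, an HMAC that the attacker cannot forge without the key, and a salted password hash (PBKDF2) where the salt is public and exists only to make equal passwords hash differently. Keys, passwords and messages in the test are constructed.

```python
# Added example (not from the original slides): why an unkeyed hash gives no
# integrity against an active attacker, how an HMAC (keyed hash) does, and what
# a salt is for.
import hashlib
import hmac
import os


def plain_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def forge_unkeyed(new_message: bytes):
    """An attacker who can change the message just recomputes the hash; the
    receiver cannot tell, because nothing secret went into the digest."""
    return new_message, plain_digest(new_message)


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: only holders of the key can produce a matching tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)   # constant-time comparison


def hash_password(password: bytes, salt: bytes = None, iterations: int = 200_000):
    """Salt is random and public, stored next to the hash. Two users with the same
    password get different hashes, and a precomputed rainbow table is useless.
    The iteration count is the work factor against offline guessing."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def check_password(password: bytes, salt: bytes, stored: bytes,
                   iterations: int = 200_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, stored)
```

Note the different threat each one answers: the HMAC key is secret and shared only with the verifier, so a tag proves the message came from a key holder; the salt is not secret and proves nothing about origin, it only defeats precomputation and makes every password guess cost a fresh PBKDF2 run.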
Digital Signatures
• (Asymmetric cryptography) + (Hash of message)
• Only authenticity and non-repudiation (not confidentiality)
• Legality – if the encryption is intact and the private key is held by the
rightful owner, it must be accepted by all parties in the transaction.
• American Bar Association has developed guidelines for accepting digital
signatures that have been adopted in some US states and other countries
• Not accepted globally for transactions and specifically not for high-dollar/high-risk situations
• Examples
• DSA, RSA, ElGamal, Schnorr, ECC (ECDSA)
Digital Signatures Uses
• E-commerce
• Non-repudiation of origin (with private key)
• Integrity of message (with private key encrypted hash)
• Software distribution (integrity and non-repudiation)
• Email and secure document distribution
Key Management Challenges
• Greatest challenge with secure cryptographic implementation is
the management of the keys. Keys must be kept secret. Yet,
they must be available when needed. Even OLD keys have to
be kept to decrypt old backup files or data.
• Key distribution
• Key storage
• Key change
• Expire – how long to use a key
Functions of Key Management
• Operations
• Dual control – require the active participation of 2 or more. No
one person can misuse.
• Threshold schemes – require more than one person to
successfully complete the task
• Key recovery
• Split knowledge – 2 or more people have info about the key.
Must be combined to work.
• Multi-party key recovery – break the key into 3 or more parts and
each part go to a different person.
• Escrow – Key held
Functions of Key Management
• Creation
• Automated key generation – prevents user bias and provides quick
key production
• Truly random – only true random generators are things like radioactive
decay, noisy diodes, etc. Computers produce pseudo-random.
• Suitable length – generators must supply enough unpredictable bits for a complete
key. Concatenating two outputs of a generator with only 64 bits of internal state
does not make a 128-bit key; the attacker still searches 64 bits.
• Key encrypting keys (KEK) – keys used to encrypt other keys. Care
must be taken to ensure that the data used to generate the KEK is
NOT related to the keys being produced.
Functions of Key Management
• Distribution
• Out of band – does not guarantee security delivery, but it increases its
likelihood
• Public key encryption – most common solution
• Secret key construction – using D-H (or similar), exchange values online that
generate a new secret key
• Secret key delivery – using RSA (or similar), party encrypts secret key with receiving
party’s public key.
• Key distribution center – think Kerberos
• Certificates – used to distribute public keys
• Storage
• Trusted hardware – hardware evaluated (typically) by FIPS 140-2 or
Common Criteria
• Smartcard – non-volatile storage
Public Key Infrastructure (PKI)
• Binds people/entities to their public keys
• Prevent Man-in-the-Middle attack
• Public keys are published and are certified by digital signatures
Strong Cryptographic PKI Solutions
• Use evaluated solutions
• High work factor
• Publicly-evaluated cryptographic algorithms
• Training
• Import and export of cryptography
• Wassenaar Arrangement – an agreement between several countries
that governs the export of cryptographic products between those
countries. The restrictions are usually based on key length and
whether the product is commercially available
• Law enforcement issues
Certificates and CAs
• Certificates link a public key to its owner
• Classes of certificates
• Certification Authorities (CAs)
• Registration Authority (RA)
• Cross-certification
• Certificate Revocation Lists (CRLs)
• Online Certificate Status Protocol (OCSP)
• X.509
Domain Objectives
• Definitions
• History
• Uses
• Cryptographic Methods
• Encryption Systems
• Algorithms
• Cryptanalysis and Attacks
• Implementations
Cryptanalysis
• Art and science of breaking codes
• Attack vectors
• Key
• Algorithm
• Implementation
• Data (ciphertext or plaintext)
• People – social engineering
• Assumptions
Brute Force Attack
• Trying all possible key combinations
• Two factors: cost and time
• Moore’s Law
• Processing speed doubles every 18 months for the same
price
• Advances in technology and computing performance will
always make brute force an increasingly practical attack on
keys of a fixed length
• Measured in MIPS per year – 1 computer running 1,000,000
calculations per second for a year
Brute Force Attack
Bits    Number of keys    Brute Force Attack Time
56      7.2 x 10^16       20 hours
80      1.2 x 10^24       54,800 years
128     3.4 x 10^38       1.5 x 10^19 years
256     1.16 x 10^77      5.2 x 10^57 years
• Data shown is as of 1998 when “Deep Crack” was used in RSA DES
challenge.
• Cost $250,000 to build. Today the same thing can be done for under
$10,000.
• With today’s tech, can break DES in 8.7 days or less for under $10,000.
Plaintext Attacks
• Known plaintext attack – attacker has both the plaintext and
ciphertext. Uses analysis to try to determine key.
• Chosen plaintext attack – attacker has access to the crypto
machine. Runs plaintext through machine to get encrypted
data. Uses statistical information to try to determine key.
• Adaptive chosen plaintext attack – attacker can submit further plaintexts
chosen on the basis of earlier results, so patterns emerge from feeding
similar texts into the device
Ciphertext Attacks
• Ciphertext only – assume attacker has samples of encrypted text
but not the algorithm, key or system. Most difficult attack because
the attacker has the least to work with.
• Chosen ciphertext attack – attacker has access to ciphertext and
system used to generate. Attacker can run pieces of ciphertext
through to obtain the plaintext. Leads to Known Plaintext Attack or
Differential or Linear Cryptanalysis attack.
• Adaptive chosen ciphertext attack – attacker has access to the
cryptosystem and can now modify and run ciphertext through the
system to see what the effect of the modification is on the plaintext.
Attack Against Ciphers
• Stream
• Frequency analysis – knows characteristics of plaintext language
• IV or keystream analysis – examines large numbers of generated IVs for
weaknesses, statistical biases, etc.
• Block
• Linear cryptanalysis – large amounts of plaintext and associated ciphertext to
find info about the key
• Differential cryptanalysis – 2 or more similar plaintexts are encrypted using
same key and compared
• Linear-differential cryptanalysis – combo of linear and differential
• Algebraic attacks – express the cipher as a system of equations and solve for the key
• Frequency analysis – uses the statistics of the language to break a ciphertext
Attacks Against Hash Functions
• Dictionary Attacks
• Based on known lists of common words
• Birthday attacks – group of 23 people, 50% chance 2 will have same birthday.
60 people, 99% chance. Relevant because it describes the amount of effort that
must be made to determine when 2 randomly-chosen values will be the same
(collisions). Weak hash causes many collisions
• Attack the hash value
• Attack the initialization vector
• Rainbow table attacks
• Hash reductions
• Salts
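Added example (not from the original slides): the birthday-paradox arithmetic quoted above, and a birthday search for a collision in SHA-256 truncated to n bits. Truncation only keeps the demo quick; the point is that a collision costs about 2^(n/2) trials rather than 2^n, which is why a hash must be twice as long as the security level wanted. The inputs are constructed counters.

```python
# Added example (not from the original slides): birthday probability and a
# birthday (collision) search against a truncated hash.
import hashlib
import math


def birthday_probability(people: int, days: int = 365) -> float:
    """P(at least two of `people` share a birthday) = 1 - prod (1 - k/days)."""
    p_none = 1.0
    for k in range(people):
        p_none *= (days - k) / days
    return 1.0 - p_none


def expected_trials(bits: int) -> float:
    """Expected draws until the first collision among 2^bits values: about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_hash(data: bytes, bits: int) -> int:
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int):
    """Hash distinct inputs until two share a truncated value.
    Returns (input_a, input_b, trials). Memory grows with the number of trials,
    a cost real attackers avoid with cycle-finding (Floyd / rho) methods."""
    seen = {}
    trials = 0
    while True:
        message = b"message-%d" % trials
        trials += 1
        h = truncated_hash(message, bits)
        if h in seen:
            return seen[h], message, trials
        seen[h] = message
```

For a 24-bit truncation the search ends after a few thousand hashes, in line with `expected_trials(24)`, even though inverting one specific 24-bit value would take millions. Scale the bit count and the same square-root relationship is what turns a 128-bit digest (MD5) into 64-bit collision resistance.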
Social Engineering
• Persuasion
• Coercion (rubber-hose cryptanalysis)
• Bribery (purchase-key attack)
Other Common Attacks
• Meet-in-the-Middle
• Mathematical analysis that attacks a problem from both ends and
attempts to find the solution by working toward the center of the
operation from both sides.
• Man-in-the-Middle
• Attacker intercepts and modifies the data before transmitting to
intended person.
• Poor Random Number Generation
Domain Objectives
• Definitions
• History
• Uses
• Cryptographic Methods
• Encryption Systems
• Algorithms
• Cryptanalysis and Attacks
• Implementations
Common Secure Email Protocols
• Privacy Enhanced Mail (PEM)
• Uses DES in Cipher-Block-Chaining (CBC) mode for confidentiality
• Uses DES in Electronic Code Book (ECB) mode, 3DES, or RSA for key
management
• For message integrity it uses either MD2 or MD5 hash
• Not compatible with Multipurpose Internet Mail Extensions (MIME) so
not often used
• Pretty Good Privacy (PGP)
• Uses symmetric and asymmetric key cryptography
• Can use RSA, D-H, and Elgamal for asymmetric key
• Secure Multipurpose Internet Mail Extensions (S/MIME)
• De facto standard for email privacy
Internet Security
• Uses
• Remote Access
• VPNs
• E-commerce
• Tools
• IPSec
• SSL/TLS (HTTPS)
• Secure HTTP (S-HTTP)
Cryptography Domain Summary
• Definitions
• History
• Uses
• Cryptographic Methods
• Encryption Systems
• Algorithms
• Cryptanalysis and Attacks
• Implementations
Information Security Governance
and Risk Management
Domain Objectives
• Business Drivers
• Governance
• Roles and Responsibilities
• Security Planning
• Security Administration
• Risk Management
• Ethics
Information Security Environment
• Organizations must contend
with complex laws, regulations,
requirements, technology,
competitors and partners while
pursuing their business
objectives.
• Management must take many
things into account including
moral, labor relations,
productivity, cost, etc.
• Must develop an effective
security program
• Overarching Organizational
Policy
• Management’s Security
Statement
• Regulations
• Competition
• Organizational Objectives
• Organizational Goals
• Laws
• Shareholders' Interests
Information Security Triad
• Security planning
• Budget
• Business requirements
• Security metrics
Domain Objectives
• Business Drivers
• Governance
• Roles and Responsibilities
• Security Planning
• Security Administration
• Risk Management
• Ethics
Roles and Responsibilities
• Specific
• Delegate certain responsibilities for security to individuals
• Define acceptable and unacceptable behavior
• General
• Rules that let everyone know they are responsible for security
• Communicated at hiring
• Tell new hires the rules and consider annual review
• Verified capabilities and limitations
• Access to resources defined by job
• Third-party considerations
• Brief vendors, temps, contract staff on security requirements
• Good practices
• Keep it simple, relevant, understandable and communicate
• Reinforced via training
• Annual security training
Internal Roles
• Executive management
• set policy, allocate budget
• Board level
• “C” level
• Information systems security professionals
• advise management
• Developers
• create secure code
• Custodians and Operations staff
• Custodians – care of data
• Ops – run the computers
Internal Roles
• Security staff
• Data and system owners
• Classify
• Access permissions
• Users
• Task as assigned
• Legal, compliance, and privacy officer
• Inform/implement laws/regs
• Internal auditors
• Check on procedures
• Physical security
• Is IT or traditional security responsible
External Roles
• Vendors/suppliers
• Contractors/consultants
• Service level agreements
• Temporary employees
• Customers
External Roles
• Business partners
• Outsourced relationships
• Outsourced security
• External audit
Human Resources
• Employee development and training
• Employee management
• Hiring and termination of employment
Hiring New Staff
• Background checks/security clearances
• Verify references and education records
Signed Employment Agreements
• Acceptable use
• Non-disclosure
• Non-compete
• Ethics
Personnel Good Practices
• Job descriptions/defined roles and responsibilities
• Least privilege
• Need to know
• Separation of duties
• Job rotation
• Mandatory vacations
Security Awareness, Training, and Education
• Awareness Training
• Delivery methods
• Topics
• Job training
• Task based
• Professional education
• Understanding
General knowledge
Good Training Practices
• Be relevant
• Scope properly
• Address the audience
Domain Objectives
• Business Drivers
• Governance
• Roles and Responsibilities
• Security Planning
• Security Administration
• Risk Management
• Ethics
Documented Security Program
• Focus on the mission of the
organization
• Organizations are different
• Cost effective/risk based
Security posture scale, 1 to 10: Promiscuous (1) – Permissive – Prudent – Paranoid (10)
Documented Security Program
• Strategic
• Long term planning
• Decide on job to do
• Tactical
• Medium term planning
• Manage jobs being done
• Operational
• Day to day operations
• Job being done
Security Program Management
• Staffing
• Not just workers but look at management
• Evaluate numbers needed
• Reporting
• Make sure everyone knows who they are to report to.
• Understand chain of command/reporting
Security Blueprints
• Identify and design security requirements
• Infrastructure security blueprints
• Holistic
• By Scott Berinato and Sarah Scalet:
"Holistic security means making security part of everything
and not making it its own thing. It means security isn't added
to the enterprise; it's woven into the fabric of the application.
Here's an example. The non-holistic thinker sees a virus
threat and immediately starts spending money on virus-blocking
software. The holistic security guru will set a policy
around e-mail usage; subscribe to news services that warn
of new threats; re-evaluate the network architecture; host
best practices seminars for users; and use virus blocking
software and, probably, firewalls." (www.cio.com)
ISO/IEC 27000 Series = ISMS Blueprints
• 27000:2009 – Overview and vocabulary
• 27001:2005 – Attainable certification
• 27002:2005/Cor 1:2007 – Code of practice
• 27003:2010 – ISMS implementation guidance
• 27004:2009 – Information security measurement
• 27005:2008 – Information security – risk management
• 27006:2007 – Certification vendor process
• 27799:2008 – Information security for health care
organizations
• ISO 27000 = IT Risk Management
IT Security Requirements
• Complete Security Solutions
• Define security behavior of the control measure
• What is the problem you are trying to solve?
• Provide confidence that security function is performing as
expected
• Does it solve the problem?
• Does your solution
• Solve the problem (best)
• Move the problem (good)
• Make it worse (bad)
Single Point of Failure
• Identify the processes
• Identify risks to the plan
• Who has too much control
• Be prepared
Domain Objectives
• Business Drivers
• Governance
• Roles and Responsibilities
• Security Planning
• Security Administration
• Risk Management
• Ethics
Security Policy
• Management’s goals and objective IN WRITING
• Documents compliance
• Creates security culture
Examples of Functional Policies
• Data classification
• Certification and accreditation
• Access control
• Outsourcing
• Remote access
• Internet acceptable use
• Privacy
• Acquisition
• Change control
• Employment agreements,
ethics
• IMPORTANT
• Say what to do NOT how to do it
Procedures
• Step by step actions
• Required
• Be detailed
[Diagram: Policy → Standard → Baseline → Procedures → Guideline hierarchy,
with example procedures: Risk Assessment, Incident Management, Identity
Management, Software Installation]
Standards
• Common hardware and software products
[Diagram: Policy → Standard → Baseline → Procedures → Guideline hierarchy,
with example standards: Desktop Antivirus, Firewall]
Be decisive. Will say something like:
• We [verb]
• We drug test
• We use Norton AV software
Baselines
• Establish consistent implementation of mechanisms
• Platform unique
• Know minimum and understand what is normal
[Diagram: Policy → Standard → Baseline → Procedures → Guideline hierarchy, with example baselines: VPN Setup, IDS Configuration, Password Rules]
Guidelines
• Recommendations for implementations, procurement and planning
[Diagram: Policy → Standard → Baseline → Procedures → Guideline hierarchy, with example guidelines: Recommendations, Best Practices, ISO]
Good Policy?
Area IV Buddy System Policy
THE AREA IV COMMANDER HAS DICTATED THAT ALL MILITARY
SERVICE MEMBERS WILL USE THE “BUDDY SYSTEM” AT ALL
TIMES, WITH THE EXCEPTION BELOW WHEN OFF A MILITARY
INSTALLATION.
THE “BUDDY SYSTEM” IS NOT REQUIRED, BUT HIGHLY
RECOMMENDED FOR PERSONNEL TRAVELING DIRECTLY TO AND
FROM THEIR DOMICILE
ALL PERSONNEL WILL CARRY A S.O.F.A AND AN EMERGENCY
TELEPHONE NUMBER CARD AT ALL TIMES.
LOCAL COMMANDERS MAY ENACT MORE STRINGENT MEASURES.
BY ORDER OF THE AREA IV COMMANDER
Domain Objectives
• Business Drivers
• Governance
• Roles and Responsibilities
• Security Planning
• Security Administration
• Risk Management
• Ethics
Risk Management Overview
• Identifying and reducing total risks
• Choosing mitigation strategies
• Setting residual risk at an acceptable level
• Integrating risk management processes into the organization
(Total risk) – (countermeasures) = (residual risk)
Risk Management Purpose
• The principal goal of an organization’s risk management process should be to protect the
organization and its ability to perform its mission, including, but not limited to, its IT assets.
• Risk is a function of the likelihood of a given threat
exercising a particular vulnerability and the resulting
impact of that adverse event on the organization.
Risk Management Benefits
• Focuses policy and resources
• Identifies areas with specific risk requirements
• Directs budget
• Supports
• Business continuity process
• Insurance and liability decisions
• Legitimizes security awareness programs
Risk Management Definitions
• Asset – something that is of value to the organization
• Threat-source/agent – any circumstance or event with
the potential to cause harm to an IT system.
• Threat – any potential danger to information or an
information system
• Exposure – an opportunity for a threat to cause loss, or
the amount of loss suffered as a result of an attack
• Vulnerability – flaw or weakness in system security
procedure, design, implementation, etc.
• Likelihood – probability that a potential vulnerability
happens
Risk Management Definitions
• Attack/Exploitation – action intending to cause harm
• Controls – admin, technical or physical measures and
actions taken to try to protect system
• Countermeasures – controls applied after the fact;
reactive in nature
• Safeguards – controls applied before the fact;
proactive in nature
• Total Risk – includes the factors of threats, vulnerabilities, and current value of the asset
• Residual Risk – amount of risk remaining after
countermeasures and safeguards are applied
Risk Assessment Steps: SP 800-30
1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation
Risk Assessment – Asset Valuation
• Tangible assets
  • Can buy/sell
  • Hardware, software, facilities, documentation, customer lists, and intellectual property
• Intangible assets
  • Personnel, reputation/brand, and morale
Information Valuation Considerations
• Exclusive possession
• Utility
• Cost to acquire or create
• Liability
• Convertibility
• Operational impact
• Timing
Information/Risk Valuation Methods
• Modified Delphi
• Facilitated sessions
• Survey
• Interview
• Checklist
Quantitative Risk Analysis
• Assign monetary values
• Labor and time intensive
• Difficult to achieve
• 100% quantitative is impossible. Why? There are always QUALITATIVE issues.
RISK = MONEY
Quantitative Analysis Steps - Overview
1. Estimate potential losses – single loss expectancy
(SLE)
2. Conduct a threat likelihood analysis
• Annualized rate of occurrence (ARO)
3. Calculate annual loss expectancy (ALE)
Step One: Estimate Potential Losses
Single Loss Expectancy (SLE)
SLE = AV ($) x EF (%)
AV (Asset Value)
EF (Exposure Factor)
Step Two: Threat Likelihood Analysis
Annual Rate of Occurrence (ARO)
• Number of exposures or incidents that can be
expected in a given year
• Likelihood of an unwanted event occurring
Step Three: Calculate ALE
Annual Loss Expectancy (ALE)
ALE = SLE * ARO
• Magnitude of risk = ALE
• Purpose: Justify security countermeasures
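The three steps above worked through in code, as an added example that is not part of the presentation. It computes SLE and ALE for a constructed scenario and then applies the cost/benefit principle from the later "Security Control Selection Principles" slide (don't spend more to protect than it is worth). The safeguard-value formula (ALE before the control, minus ALE after it, minus the control's annual cost) and every dollar figure are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pairing expressed in the slides' quantitative terms."""
    name: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost in a single incident (0.0 to 1.0)
    aro: float               # ARO, incidents expected per year

    def sle(self) -> float:
        """Step one: single loss expectancy, SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Step three: annual loss expectancy, ALE = SLE x ARO (step two supplies ARO)."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a control: the ALE it removes minus what it costs each year.

    Positive means the control pays for itself; negative means you would spend more
    to protect the asset than the protection is worth. (Formula assumed here for
    illustration; the slides state the cost/benefit principle, not the arithmetic.)
    """
    return before.ale() - after.ale() - annual_cost


def justified(before: RiskScenario, after: RiskScenario, annual_cost: float) -> bool:
    """The 'purpose' on the slide: does the ALE reduction justify the countermeasure?"""
    return safeguard_value(before, after, annual_cost) > 0


# Constructed scenario (all figures invented): an order-processing server worth $100,000
# that a malware outbreak takes out twice a year, losing a quarter of its value each time.
BEFORE = RiskScenario("order server, no extra controls", 100_000, 0.25, 2.0)
# Same asset after adding mail filtering plus user training: EF is unchanged, but the
# expected frequency of an outbreak drops to one every two years.
AFTER = RiskScenario("order server, with filtering and training", 100_000, 0.25, 0.5)

if __name__ == "__main__":
    print(f"SLE = ${BEFORE.sle():,.0f}")        # $25,000
    print(f"ALE = ${BEFORE.ale():,.0f} per year")  # $50,000
    for cost in (20_000, 40_000):
        value = safeguard_value(BEFORE, AFTER, cost)
        verdict = "justified" if justified(BEFORE, AFTER, cost) else "costs more than it saves"
        print(f"control at ${cost:,}/yr: net value ${value:,.0f} -> {verdict}")
```

Run as a script it shows the same control being worth buying at $20,000 a year and not at $40,000 a year, which is the whole point of "magnitude of risk = ALE": the number only matters when it is compared with the cost of reducing it.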
Qualitative Risk Analysis
• Scenario oriented
• No $ values
• Rank seriousness of threats and sensitivity of assets
• Perform a carefully reasoned risk assessment
Hybrid Risk Analysis
• Quantitative
• Qualitative
• FMEA (failure modes and effects analysis)
  • Risk assessment originally concerned with manufacturing defects
  • Focuses on the upstream and downstream impact of a failure
  • Defines risk in immediate, near-term and long-term impact
• FTA (fault tree analysis)
  • Analytical technique for system safety
  • Used to consider all possible threats and then “trim” down to the most relevant risks
Risk Management Options
• Acceptance = Absorb the effect of an incident
• Mitigation = Implement controls
• Transference = Insurance
• Avoidance = Stop it
Security Control Selection Principles
• Cost/benefit analysis
• Don’t spend more to protect than it is worth
• Accountability
• At least one person for every control
• Include accountability in performance reviews
• Absence of design secrecy
• Ability to change out the controls at some time in
the future without having extraordinary cost to
rework, interoperability with other controls,
confidence in the design
• Audit capability
  • Controls must be testable
  • Include auditors in design and implementation
Security Control Selection Principles
• Vendor trustworthiness
• Independence of control and subject
• Universal application
• Compartmentalization
• Defense in depth
• Isolation, economy, and least common mechanism
Security Control Selection Principles
• Acceptance and tolerance of personnel (pushback)
• Minimum human intervention
• Sustainability
• Reaction and recovery
• Override and fail-safe defaults
• Residuals and reset
Risk Evaluation and Assurance
• Cyclical nature of risk – U.S. and EU regulatory bodies have mandated risk management as a
business process. Frequency for re-evaluation is based upon the speed of change in each industry or
organization
  • Ongoing review
  • Periodic review
• Liability – management has the responsibility of remaining informed about risk management
activities and to make the final decisions. If they fail to do so, they are potentially in violation of
regulatory or industry standards. This is one of the reasons why internal auditors should report
directly to senior executives rather than through the normal chain of command.
Domain Objectives
• Business Drivers
• Governance
• Roles and Responsibilities
• Security Planning
• Security Administration
• Risk Management
• Ethics
Ethical Environments
• Ethics are difficult to define
• Do No Harm
• Begins with senior management
• Guidelines for Establishment of Ethics
  • Corporate ethics to include ethical use of computers
  • In functional policies (privacy, email, acceptable use, etc)
  • Active monitoring of network activities combined with responsible investigation of incidents and enforcement
  • Handbooks and guides
  • Training
  • Reviews
Ethical Responsibility
• Global responsibility
• National
• Organizational
• Personal
Ethical Responsibility of all CISSPs
• “Set the Example” *********
• Encourage adoption of ethical guidelines and standards
• Inform users about ethical responsibilities through security
awareness training
Basis and Origin of Ethics
• Religion
• Law
• National interest
• Individual rights
• Common good/interest
• Enlightened self-interest
• Professional ethics/practices
• Standards of good practice
• Tradition/culture
Formal Ethical Theories
• Teleology (Star Trek – needs of the many)
• Ethics in terms of goals, purposes, or ends
• Deontology (duty of most powerful to protect least powerful)
• Ethical behavior is a duty
• Informed consent – notified and agree
Relevant Professional Codes of Ethics
• (ISC)²
• RFC 1087
• Internet Architecture Board
(ISC)² Code of Ethics Preamble
• “Safety of the commonwealth, duty to our principals, and to
each other requires that we adhere, and be seen to adhere, to
the highest ethical standards of behavior.”
• “Therefore, strict adherence to this code is a condition of
certification.”
(ISC)² Code of Ethics Canons
• “Protect society, the commonwealth, and the infrastructure.”
• “Act honorably, honestly, justly, responsibly, and legally.”
• “Provide diligent and competent service to principals.”
• “Advance and protect the profession.”
In that order
Internet Architecture Board (IAB)
Any activity is unethical and unacceptable that purposely:
• Seeks to gain unauthorized
access to Internet resources
• Disrupts the intended use of
the Internet
• Wastes resources (people,
capacity, computer) through
such actions
• Destroys the integrity of
computer-based information
• Compromises the privacy of
users
• Involves negligence in the
conduct of Internet-wide
experiments
RFC 1087
• Access and use of the Internet is a PRIVILEGE and
should be treated as such by all users
• RFC 1087 refers to “Negligence in the conduct of Internet-wide experiments” as “irresponsible and
unacceptable,” but does not specifically label such conduct “unethical”.
• Internet Engineering Task Force (IETF)
• http://www.ietf.org/
Information Security Governance and
Risk Management
Domain Summary
• Business Drivers
• Governance
• Roles and Responsibilities
• Security Planning
• Security Administration
• Risk Management
• Ethics
Legal, Regulations,
Investigations, and Compliance
Domain Objectives
• Computer Crime and International Legal Issues
• Liability and Privacy Issues
• Incident Management
• Forensic Investigation
• Compliance
International Legal Systems
• Common law
• Criminal law
• Civil law
• Administrative law
• Religious law
• Customary law
• Mixed law
• Maritime law
Jurisdiction
• Law, economics, beliefs and politics
  • Law enforcement agencies will work together, even across borders. But sometimes countries don’t agree.
• Sovereignty of nations
  • Laws aren’t always the same country to country. Nations are making an effort to harmonize their
laws in order to promote uniform enforcement and cooperation where possible.
Computer Crimes vs. Traditional Crimes
Traditional Crime
• Violent
• Property
• Public order
Computer Crime
• Real property
• Virtual property
Computer Crime
• Crime against a computer
• Crimes using a computer
• Electronic equipment as source of evidence
Reasons for Criminal Behavior
• Ego
• Financial gain
• Revenge
Advanced Persistent Threat (APT)
• Source – group with capabilities and intent to persistently and
effectively target a specific entity
• Attack vector – infected media, supply chain compromise,
social engineering, etc.
• Advanced – have full spectrum of intelligence gathering
techniques at their disposal
• Persistent – priority to a specific task. Implies that they are
guided by external entities.
• Threat – capability and intent. Coordinated human action
instead of automation, specific objective. Skilled, motivated,
organized and well funded
International Cooperation
• Initiatives related to international cooperation in dealing
with computer crime
• The Council of Europe (CoE) Cybercrime Convention
• Example of multilateral attempt to draft an international response to
criminal behaviors targeted at technology and the Internet.
Intellectual Property Protection
• Organizations must protect intellectual property
  • Theft
  • Loss
  • Corporate espionage
  • Improper duplication
• Intellectual property must have value
• Organization must demonstrate actions to protect IP
Intellectual Property: Trademark
• Purpose of a trademark
• Characteristics of a trademark
  • Word
  • Name
  • Symbol
  • Color
  • Sound
  • Product shape
Intellectual Property: Copyright
• Covers the expression of ideas
  • Writings
  • Recordings
  • Computer programs
  • Etc.
• Weaker than patent protection
Intellectual Property: Trade Secrets
• Must be confidential
• Protection of trade secret
Intellectual Property: Software Licensing
• Categories of software licensing:
  • Freeware
  • Shareware
  • Commercial
  • Academic
• Master agreements and end user licensing agreements (EULAs)
Encryption Import and Export Law
• Strong encryption restrictions
• Previously anything over 40 bits was considered strong encryption
• U.S. companies can now export any encryption software to
individuals, commercial firms or other non-government end users in
any country
• No enemy states
• Many countries require the importer of equipment containing strong
cryptography to provide the government or law enforcement with a
copy of their private keys.
• Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
• Controls on dual-use goods
• Cryptography has long been considered a munition or weapon of war. It can be used for
commercial or military purposes, and is therefore considered dual-use and controlled as a
military weapon
• Wassenaar Arrangement
• 39 countries are parties to the agreement which specifies all
controlled dual-use goods, including encryption products and
products that use encryption
Domain Objectives
• Computer Crime and International Legal Issues
• Liability and Privacy Issues
• Incident Management
• Forensic Investigation
• Compliance
Liability
• Legal responsibility
• Know responsibilities to employees, customers, etc.
• Penalties
• Can range from compensation to criminal penalties for violation
of law
• Negligence and liability
• Important factor in determining liability
• Determined by courts or other quasi-legal body
Protection of Assets
• Legal obligation
• Prudent person rule
• Must demonstrate practice of due care
Negligence
• Acting without care
• Due care
[Diagram: Due Care = Policy, Regulation or Best Practice; Due Diligence = Action; Negligence = the Gap between them]
Privacy Laws and Regulations
• Rights and Obligations of:
  • Individuals
    • Identity theft
  • Organizations
    • Collection, sharing, storage, processing of personal info
• Actual laws depend on jurisdiction
International Privacy
• Organization for Economic Co-operation and Development
  • Group of 30 member countries
• Eight core principles
  1. Limits to collection of personal data and should be obtained legally
  2. Personal data should be relevant to use
  3. Purpose for gathering personal data should be specified no later than the time the data is collected
  4. Personal data should not be disclosed, made available, or otherwise used for purposes other than specified above
  5. Personal data should be protected by reasonable security
  6. General policy of openness about developments, practices and policies with respect to personal data
  7. Individual should have the right to find out if data controller has data about him/her. To have communication with data controller about data relating to him/her. And to be able to challenge data and if successful have the data erased, rectified, completed or amended.
  8. Data controller should be accountable for complying with measures
Personally Identifiable Information (PII)
• Identify or locate an individual
• Controls on collection and use
  • Many countries have laws governing this
• Global effect
  • Laws are different in each country. What laws govern?
Employee Privacy
• Employee monitoring
  • Authorized usage policies
• Training
Transborder Data Flow
• Political boundaries
  • Privacy
  • Investigations
  • Jurisdiction
Privacy Law Examples
• Health Insurance Portability and Accountability Act
(HIPAA)
• Personal Information Protection and Electronic
Documents Act (PIPEDA)
• European Union Data Protection Directive
Domain Objectives
• Computer Crime and International Legal Issues
• Liability and Privacy Issues
• Incident Management
• Forensic Investigation
• Compliance
Incident Management
• Incident – event that causes harm
[Diagram: incident management cycle with the phases Prepare, Protect (Infrastructure), Detect, Respond, Sustain and Improve]
Incident Response: Overview
• Response capability
  • Policy and guidelines
  • Response
• Incident response phases
  • Triage
  • Containment
  • Investigation
  • Analysis and treatment
  • Recovery
• Debriefing
  • Metrics
  • Public disclosure
Incident Response: Objectives
• Incident response in its simplest form is the practice of:
  • Detecting a problem
  • Determining its cause
  • Minimizing the damage it causes
  • Resolving the problem
  • Documenting each step of the response for future reference
  • Effectively and appropriately communicating issues
Response Capability
• The foundation for incident response (IR) is comprised of:
  • Policy
  • Authority
  • Procedures
  • Approved
  • Management of evidence
Incident Response – External Parties
• Escalation process
  • Employees should be trained and have approved procedures that include when an incident or
crime must be reported to higher management, outside agencies or law enforcement
• Interaction with third-party entities
  • Complex issues involving:
    • Jurisdiction (who has control)
    • Status of crime (already committed, in progress, or planned)
    • Nature of the evidence (circumstantial, conclusive)
    • Nature of the crime (in many jurisdictions, some crimes MUST be reported)
Incident Response and Handling Phases
• Triage
• Investigation
• Containment
• Analysis and tracking
Triage
• Detection
  • False positives
• Classification
  • Internal versus external
  • One system or many
  • What is the root cause versus the symptoms
• Notification
  • Priorities and escalation
  • Senior management or other departments
  • Business partners
  • Law enforcement
• Note: Prioritization is one of the most important aspects
Investigation Phase Objectives
• Desired outcomes of this phase are:
  • Reduce the impact
  • Identify the cause
  • Get back up and running in the shortest possible time
  • Prevent the incident from re-occurring
Investigation Considerations
• The investigative phase must consider:
  • Adherence to company policy
  • Confidentiality
  • Applicable laws and regulations
  • Proper evidence management and handling
Investigation Process
• Identify suspects
• Identify witnesses
• Identify system
• Identify team
• Search warrants
Investigation Techniques
• Ownership and possession analysis
• Means, opportunity, and motive (MOM)
Behavior of Computer Criminals
• Computer criminals have specific MOs
• Hacking software/tools
• Types of systems or networks attacked, etc.
• Signature behaviors
• Profiling
Interviewing vs Interrogation
Open-ended Questioning
• General gathering
• Cooperation
• Seek truth
Closed-ended Questioning
• Specific aim
• Hostile
• Dangerous
• Should only be done by TRAINED professionals
Investigation Phase Components
• Components of this phase:
  • Analysis
  • Interpretation
  • Reaction
  • Recovery
Containment
• Reduce the potential impact of the incident
• Systems, devices, or networks that can become “infected”
• The containment strategy depends on:
• Category of the attack
• Asset(s) affected
• Criticality of the data or system
Analysis and Tracking Goals
• Obtain sufficient information to stop the current incident
• Prevent future “like” incidents from occurring
• Identify what or who is responsible
Analysis and Tracking Logs
• Dynamic nature of the logs
• Feeds into the tracking process
• Working relationship with other entities
Reporting and Documentation
• Law
• Court proceedings
• Policy
• Regulations
Recovery Phase Goal
• To get back up and running
• The business (worst case)
• Affected systems (best case)
• Protect evidence
Recovery and Repair
• Recovery into production of affected systems
• Ensure system can withstand another attack
• Test for vulnerabilities and weaknesses
Closure of the Incident and Feedback
• Incident response is an iterative process
• Improve processes and controls
• Closure of the incident
• Feedback from all participants
Communication about the Incident
• Public disclosure
• Authorized personnel only
Domain Objectives
• Computer Crime and International Legal Issues
• Liability and Privacy Issues
• Incident Management
• Forensic Investigation
• Compliance
Computer Forensics: Evidence
• Potential evidence
  • Digital Forensic Science Research Workshop (DFRWS) defines digital forensic science as – “The use
of scientifically derived and proven methods toward the preservation, collection, validation,
identification, analysis, interpretation, documentation and presentation of digital evidence derived
from digital sources for the purpose of facilitating or furthering the reconstruction of events found to
be criminal, or helping to anticipate unauthorized action shown to be disruptive to planned operations.”
• Evidence and legal systems
  • Computer forensics is generally applied according to the standards of evidence admissible in a
court of law
Computer Forensics: Evidence
• Identification of evidence
• Collecting of evidence
• Use appropriate collection techniques
• Reduce contamination
• Protect the scene
• Maintain the chain of custody and authentication
Collection of Digital Evidence
• Volatile and fragile
• Short lifespan
• Collect quickly
• By order of volatility
• Document, document, document
Chain of Custody for Evidence
• Who
• What
• When
• Where
• How
Forensic Evidence Procedure
• Receive media
• Disk write blocker
• Bit for bit image
• Cryptographic checksum
• Store the source drive
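The imaging and checksum steps above in Python, as an added example that is not part of the presentation. It runs against an in-memory stand-in for seized media: the source is read block by block into a bit-for-bit image, both sides are hashed with SHA-256, the image is accepted only if the hashes match, and a chain-of-custody log records the who/what/when/where/how from the earlier slide. A hardware write blocker cannot be shown in software; here the source is simply never written to. The examiner name and storage location are constructed placeholders, and the one-byte alteration at the end only exists to show why a stored image is re-hashed before it is used.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # read media in fixed blocks so a large image never sits in memory at once


def sha256_of(stream) -> str:
    """Cryptographic checksum of a binary stream, always computed from offset 0."""
    stream.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(BLOCK_SIZE), b""):
        digest.update(block)
    return digest.hexdigest()


def acquire_image(source, image) -> dict:
    """Bit-for-bit copy of `source` into `image`, then hash both sides.

    `source` is only ever read. On real media a hardware write blocker enforces
    that; in this example nothing calls write() on it.
    """
    source.seek(0)
    for block in iter(lambda: source.read(BLOCK_SIZE), b""):
        image.write(block)
    image.flush()
    return {"source_sha256": sha256_of(source), "image_sha256": sha256_of(image)}


def image_verified(checksums: dict) -> bool:
    """The image is usable as evidence only if its hash equals the source media's."""
    return checksums["source_sha256"] == checksums["image_sha256"]


def still_intact(image, checksums: dict) -> bool:
    """Re-hash a stored image later (before analysis, or for court) and compare."""
    return sha256_of(image) == checksums["image_sha256"]


class ChainOfCustody:
    """Append-only log answering who / what / when / where / how for every handling step."""

    def __init__(self):
        self.entries = []

    def record(self, who, what, where, how, when=None) -> dict:
        entry = {
            "who": who,
            "what": what,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "where": where,
            "how": how,
        }
        self.entries.append(entry)
        return entry


def run_acquisition(media_bytes: bytes) -> dict:
    """End-to-end run on an in-memory stand-in for a drive. Returns the checksums plus the
    result of re-verifying the image before and after a simulated one-byte alteration."""
    if not media_bytes:
        raise ValueError("constructed media must contain at least one byte")
    drive, image = io.BytesIO(media_bytes), io.BytesIO()
    sums = acquire_image(drive, image)
    result = {**sums, "verified": image_verified(sums), "intact_before": still_intact(image, sums)}
    image.seek(0)
    image.write(bytes([media_bytes[0] ^ 0xFF]))  # flip the first byte of the stored copy
    result["intact_after_alteration"] = still_intact(image, sums)
    return result


if __name__ == "__main__":
    # Constructed sample media (not real evidence): about 64 KiB of repeating filler.
    outcome = run_acquisition(b"constructed-sample-disk\x00" * 2730)
    log = ChainOfCustody()
    log.record(who="examiner (placeholder name)",
               what=f"image sha256={outcome['image_sha256']}",
               where="evidence locker (placeholder)",
               how="write-blocked disk-to-file copy; source drive then stored")
    print("image verified:", outcome["verified"])
    print("intact after alteration:", outcome["intact_after_alteration"])
```

The digest recorded in the custody log is what ties the stored image back to the original media; anyone who later re-hashes the image and gets a different value knows the copy can no longer be presented as the evidence that was collected.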
Evidence: Hearsay
• Hearsay
  • Second-hand evidence
  • Normally not admissible
• Business records exception
  • Computer-generated information
  • Process of creation description
• Can you cross examine it?
Evidence Analysis and Reporting
• Scientific methods for analysis
  • Characteristics of the evidence
  • Comparison of evidence
  • Event reconstruction
• Presentation of findings
  • Interpretation and analysis
  • Format appropriate for the intended audience
Computer Forensics
• Key components
  • Computer forensics is not a piece of software or hardware. It is a set of procedures and
protocols. Methodical, Repeatable, Defensible, Auditable
• Crime scenes
• Digital evidence
• Non-criminal cases
  • Divorce, breach of contract, dissolution of corporation or partnership, embezzlement,
personal injury, etc.
Forensic Evidence Analysis Procedure
• Recent activity
• Keyword search
• Slack space
• Documented
Media Analysis
• Recognizing operating system artifacts
  • Types of files created as the system runs
  • Where they should be
  • What their contents are likely to be
• File system
• Timeline analysis
  • Modified
  • Accessed
  • Created
• Searching data
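Timeline analysis from the slide above in Python, as an added example that is not the presenter's: each file's Modified/Accessed/Created timestamps are flattened into one event per timestamp, sorted oldest first, and filtered to an incident window, which is how activity across many files becomes one readable sequence. The sample records and paths are constructed, `collect_times` is a helper for running the same thing on a real directory, and the "modified before created" check is a heuristic added for illustration: such files have usually been copied in from elsewhere, which is something to explain in the report rather than proof of anything.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class FileTimes:
    """M/A/C timestamps for one file, as POSIX seconds."""
    path: str
    modified: float
    accessed: float
    created: float   # ctime on Linux (inode change); a true birth time only where the platform has one


def collect_times(root: str):
    """Read M/A/C times for every file under `root` with os.stat; nothing is written.
    Assumption: st_ctime stands in for the 'created' column, which is only accurate on some systems."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            records.append(FileTimes(path, st.st_mtime, st.st_atime, st.st_ctime))
    return records


def build_timeline(records):
    """Flatten each record into (timestamp, M|A|C, path) events sorted oldest first."""
    events = []
    for r in records:
        events += [(r.modified, "M", r.path), (r.accessed, "A", r.path), (r.created, "C", r.path)]
    return sorted(events)


def events_between(timeline, start, end):
    """Narrow the timeline to the incident window the analyst has established (inclusive)."""
    return [e for e in timeline if start <= e[0] <= end]


def modified_before_created(records):
    """Files whose modified time predates their created time (added heuristic: a copy sets
    'created' on the new system while the original 'modified' time survives, so these
    files deserve an explanation in the report)."""
    return [r.path for r in records if r.modified < r.created]


# Constructed sample records (invented paths and times, not taken from any real system).
SAMPLE = [
    FileTimes("/var/www/uploads/invoice.php", 1_700_000_300, 1_700_000_400, 1_700_000_300),
    FileTimes("/etc/passwd",                  1_600_000_000, 1_700_000_350, 1_600_000_000),
    FileTimes("/tmp/helper.bin",              1_500_000_000, 1_700_000_420, 1_700_000_410),
]

if __name__ == "__main__":
    for ts, kind, path in events_between(build_timeline(SAMPLE), 1_700_000_000, 1_700_001_000):
        print(f"{ts}  {kind}  {path}")
    print("copied-in candidates:", modified_before_created(SAMPLE))
```

Because the events are plain tuples sorted on the timestamp first, records gathered from several sources (a disk image, a second host, log-derived events) can be merged into the same list before sorting.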
Software Analysis
• What it does
• What files it creates
Network Analysis
• Data on the wire
• Ports
• Traffic hiding
Domain Objectives
• Computer Crime and International Legal Issues
• Liability and Privacy Issues
• Incident Management
• Forensic Investigation
• Compliance
Compliance
• Knowing legislation
• Following legislation
Regulatory Environment Examples
• Sarbanes-Oxley (SOX)
  • Meant to enhance corporate governance through measures that will strengthen internal checks
and balances and, ultimately, strengthen corporate accountability.
• Gramm-Leach-Bliley (GLB)
  • Protects the privacy of consumer information held by financial institutions
• Basel II
  • Regulatory harmony in the international banking community
Compliance Roles and Responsibilities
• Information owner
• Local manager
• Auditor
• Individual
Audit Report Format
• Introduction
• Background
• Audit perspective
• Scope & objectives
• What was done
• Executive summary
• Internal audit opinion
• Detailed report including auditee responses
• Appendix
• Exhibits
Legal, Regulations, Investigations, and
Compliance Domain Summary
• Computer Crime and International Legal Issues
• Liability and Privacy Issues
• Incident Management
• Forensic Investigation
• Compliance
Operations Security
Domain Objectives
• Operator and Administrator Security
• Monitoring of Special Privileges
• Misuse of Resources
• System Recovery
• Resource Protection
• Environmental Issues and Controls
• Media Management
• Personnel Privacy and Safety
Control Over Privileged Entities
• Review of access rights
• Supervision
• Monitoring/audit
Operator Privileges
• Initial program load (IPL)
• Monitor system execution
• Control job flow
• Mount I/O volumes
• Bypass label processing (BLP)
• Renaming/relabeling resources
• Reassigning ports/lines
Administrators
• Systems administrators
• Network administrators
• Database administrators
Administrator Privileges Summary
• Control network operations
  • Server startup and shutdown
  • Reset system configurations
  • Backups
  • System maintenance
  • Customer service
• Network administrator duties
Backup Types
• File image
• System image
• Data mirroring
• Electronic vaulting
• Remote journaling
• Database shadowing
• Redundant servers
• Standby services
Software and Data Backup
• Operations controls must ensure adequate backups of:
  • Data
  • Operating Systems
  • Applications
  • Transactions
  • Configurations
  • Reports
Backup Integrity
• Backup storage locations
• Backups must be tested
• Alternate site recovery plan
• Site specific software
RAID – Redundant Array of Independent
Disks
• Hardware based
• Software based
• Hot Spare
• Global Hot Spare (all disks in array)
• Dedicated Hot Spare (individual disk in array)
RAID Level 0
• Striping
• Two or more disks
• No redundancy
• Performance only
RAID Level 1
• Exact copy (mirror)
• Two or more disks
• Fault tolerant
• 200% cost
RAID Level 2
• Striping of data with error correcting codes (ECC)
• Requires more disks than RAID 3/4/5
• Not used
RAID Level 3/4
• Byte/block level stripes
• 1 drive from parity
• All other drives are for data
Disk A      Disk B      Parity
Stripe 1A   Stripe 1B   P(1A, 1B)
Stripe 2A   Stripe 2B   P(2A, 2B)
Stripe 3A   Stripe 3B   P(3A, 3B)
Stripe 4A   Stripe 4B   P(4A, 4B)
RAID Level 5
• Block-level stripes
• Data and parity interleaved amongst all drives
• The most popular RAID implementation
Disk A      Disk B      Disk C
Stripe 1A   Stripe 1B   P(1A, 1B)
P(2B, 2C)   Stripe 2B   Stripe 2C
Stripe 3A   P(3A, 3C)   Stripe 3C
Stripe 4A   Stripe 4B   P(4A, 4B)
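The parity P(...) in the RAID 3/4 and RAID 5 tables above is the bitwise XOR of the data blocks in the stripe. The following Python, added here and not part of the presentation, builds both layouts (dedicated parity disk for RAID 3/4, parity rotating across drives in the same pattern as the RAID 5 table), rebuilds any single failed disk from the survivors, and shows why single parity stops at one failure, which is the gap the RAID 6 slide's second parity closes. Block contents and disk counts are constructed for the example.

```python
from functools import reduce


def xor_blocks(blocks):
    """Bitwise XOR of equal-length byte blocks: the parity P(...) in the slide's tables."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("all blocks in a stripe must be the same size")
    return bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*blocks))


def raid4_layout(stripes):
    """RAID 3/4: data disks first, one dedicated parity disk as the last column."""
    return [list(row) + [xor_blocks(row)] for row in stripes]


def parity_disk(stripe_index, n_disks):
    """Disk holding parity for a given stripe, in the rotation the RAID 5 table above uses:
    stripe 1 on the last disk, stripe 2 on the first, stripe 3 on the second, and so on."""
    return (n_disks - 1 + stripe_index) % n_disks


def raid5_layout(stripes):
    """RAID 5: same parity value, but interleaved across all drives so no single disk
    takes every parity write."""
    n_disks = len(stripes[0]) + 1
    rows = []
    for i, row in enumerate(stripes):
        full = list(row)
        full.insert(parity_disk(i, n_disks), xor_blocks(row))
        rows.append(full)
    return rows


def fail_disks(layout, *disks):
    """Simulate losing whole disks: their block in every stripe becomes None."""
    return [[None if j in disks else b for j, b in enumerate(row)] for row in layout]


def rebuild(degraded):
    """Recover a lost disk: the missing block is the XOR of every surviving block in the
    stripe, whether the lost block held data or parity. Raises if more than one disk is
    gone, because a single parity block carries exactly one unknown."""
    rebuilt = []
    for row in degraded:
        missing = [j for j, b in enumerate(row) if b is None]
        if len(missing) != 1:
            raise ValueError(f"single parity rebuilds exactly one lost disk, not {len(missing)}")
        fixed = list(row)
        fixed[missing[0]] = xor_blocks([b for b in row if b is not None])
        rebuilt.append(fixed)
    return rebuilt


# Constructed sample: four stripes of two 4-byte data blocks each (two data disks).
DATA = [[b"1A1A", b"1B1B"], [b"2A2A", b"2B2B"], [b"3A3A", b"3B3B"], [b"4A4A", b"4B4B"]]

if __name__ == "__main__":
    r5 = raid5_layout(DATA)
    for i, row in enumerate(r5):
        print(f"stripe {i + 1}: {row}  (parity on disk {parity_disk(i, 3)})")
    print("rebuild after losing disk B matches original:", rebuild(fail_disks(r5, 1)) == r5)
    try:
        rebuild(fail_disks(r5, 0, 1))
    except ValueError as err:
        print("two disks lost:", err)
```

The rebuild path is the same for RAID 3/4 and RAID 5; the only difference between the two is where the parity block sits in each stripe, which is what `parity_disk` encodes.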
RAID Level 6
• Block-level stripes
• All drives used for data AND parity
• Two parity types
• Higher costs
• More fault tolerant than RAID implementations 2 - 5
RAID Level 0+1
• Mirroring and striping
• Higher cost
• Higher speed
[Diagram: RAID 0+1 = RAID 1 mirror of two RAID 0 stripe sets]
RAID 0 set 1:  A1 A3 A5 A7  |  A2 A4 A6 A8
RAID 0 set 2:  A1 A3 A5 A7  |  A2 A4 A6 A8
RAID Level 10
• Mirroring and striping
• Higher cost
• Higher speed
[Diagram: RAID 10 = RAID 0 stripe across two RAID 1 mirror pairs]
RAID 1 pair 1:  A1 A3 A5 A7  |  A1 A3 A5 A7
RAID 1 pair 2:  A2 A4 A6 A8  |  A2 A4 A6 A8
Configuration Management Elements
• Hardware inventory
• Hardware configuration chart
• Software licensing management
• Firmware
• Documentation requirements
• Testing
Hardware Inventory
• Up-to-date listing of all equipment
• Location
• Owner
• Serial and model numbers
Change Control Management
• Policy
• Business and technology balance
• Defines a process for authorized change
• Process of changes
• Ownership of changes
• Changes are reviewed for impact on security
Patch Management
• Knowledge of patches
• Know when patches for all software you own are released by
the vendor
• Testing
• Test all patches, and new software, in a test environment prior
to going live
• Deployment
• Can be challenging. Should be automated to ensure no machine is missed.
• Zero-day challenges
• Vulnerable time between patch pushed out and able to apply
Software Issues
• Pirating software
• Version control
Job Documentation
• Scheduling
• Dependencies
• Error codes
• Inputs and outputs
• Backout procedures
Security Administrator Roles
• Policy
• Development
• Implementation
• Maintenance and compliance
• Vulnerability assessments
• Incident response
Security Administrator Responsibilities
• User-oriented activity management
• Information classification implementation
• Audit log monitoring and review
• Security tool oversight and management
Domain Objectives
• Operator and Administrator Security
• Monitoring of Special Privileges
• Misuse of Resources
• System Recovery
• Resource Protection
• Environmental Issues and Controls
• Media Management
• Personnel Privacy and Safety
Misuse Prevention
Threats          Countermeasures
Personal Use     Acceptable use policy, workstation controls, web content filtering, and email filtering
Theft of Media   Appropriate media controls
Fraud            Balancing of input/output reports, separation of duties, and verification of information
Sniffers         Encryption and policy
Domain Objectives
• Operator and Administrator Security
• Monitoring of Special Privileges
• Misuse of Resources
• System Recovery
• Resource Protection
• Environmental Issues and Controls
• Media Management
• Personnel Privacy and Safety
System Recovery – Trusted Recovery
• Correct implementation according to Policy
• Failures don’t compromise a system’s secure operation
• Trusted path
Types of Trusted Recovery
• System Reboot – shutting down computer in a normal fashion
after a failure
• Emergency System Restart – done when a system fails in
an uncontrolled manner. Media may be in an inconsistent state.
System enters maintenance mode, automatically performs
recovery, and system restarts with no user processes in progress.
• System Cold Start – system fails and cannot restart without
human intervention
Control Failure Modes
• Fail secure (fail closed)
• Fail soft (fail open)
• Fail safe (fails in a way that will cause no or minimal
harm)
Fault Tolerance
• Hardware failure is planned for
• System recognizes a failure
• Automatic corrective action
• Standby systems
• Cold – configured, not on, lost connections
• Warm – on, some lost data or transactions (TRX)
• Hot – ready, failover
Domain Objectives
• Operator and Administrator Security
• Monitoring of Special Privileges
• Misuse of Resources
• System Recovery
• Resource Protection
• Environmental Issues and Controls
• Media Management
• Personnel Privacy and Safety
Facility Support Systems
• Fire protection
• HVAC
• Electrical power goals
• UPS
• Water
• Communications
• Alarm system
Domain Objectives
• Operator and Administrator Security
• Monitoring of Special Privileges
• Misuse of Resources
• System Recovery
• Resource Protection
• Environmental Issues and Controls
• Media Management
• Personnel Privacy and Safety
Media Management Practices
• Sensitive Media Controls
  • Marking
  • Labeling
  • Handling
  • Storing
  • Declassifying
Media Management
• Tapes
• Storage
• Encryption
• Retrieval
• Disposal
Object Reuse
• Securely reassigned
• Disclosure
• Contamination
• Recoverability
Clearing of Magnetic Media
• Overwriting
• Degaussing
• Data remanence
• Physical destruction
Records Management
• Considerations for records management program
development
• Business need
• Guidelines for developing a records management program
• Records retention
• Declassification
• Legal requirements
• Privacy
• Absent law or regulation to the contrary, a business can set
any retention policy it wishes
Protection of Operational Files
• Library maintenance – protect production programs and
applications as well as data
• Backups
• Source code
• Object code
• Configuration files
• Librarian - sole person with write access to the main system
files, backups and application libraries. Should never be filled by
a developer or person initiating the change request
Domain Objectives
• Operator and Administrator Security
• Monitoring of Special Privileges
• Misuse of Resources
• System Recovery
• Resource Protection
• Environmental Issues and Controls
• Media Management
• Personnel Privacy and Safety
Personnel Privacy and Safety – Mobile
Computing
• Components
• Devices
• Limitations (e.g. privacy, safety, etc.)
• Mobile device management
Personnel Privacy and Safety – Social
Networks
• Social networks
• Connection services
• Social dynamics
• Storage of data
• Potential dangers
Operations Security Domain Summary
• Operator and Administrator Security
• Monitoring of Special Privileges
• Misuse of Resources
• System Recovery
• Resource Protection
• Environmental Issues and Controls
• Media Management
• Personnel Privacy and Safety
Physical (Environmental) Security
Domain Objectives
• Physical Security Threats and Controls
• Perimeter Security
• Building and Inside Security
• Secure Operational Areas
Goals of Physical Security
• Deter would be intruders
• Delay long enough to detect and respond before
damage occurs
• Detect in a timely manner
• Assess method of attack
• Respond appropriately without overreacting
• Recovery to normal operating status
The Primary Goal
Remember that life, health, and
safety are always the first
priorities in physical security!
Threats to Physical Security
• Natural/environmental
• History of natural disasters in the area
• Utilities
• Communications outages, power outages, etc.
• Circumstantial
• Fire or break-in at a neighboring building, strike at a critical
point in supply chain, etc.
• Human-made/political events
• Explosions, vandalism, theft, terrorist attacks, strikes, activism,
riots, etc.
Threat Sources
• External activists
• Staff
• Intelligence agents/foreign governments
• Petty criminals
Threat Sources and Controls
Threat
• Theft
• Espionage
• Dumpster diving
• Social engineering
• Shoulder surfing
• HVAC access
Controls
• Locks
• Background checks
• Disposal procedures
• Awareness
• Screen filters
• Motion sensors in ventilation
ducts
Facility Vulnerabilities
• Location
• Layout and design
• Age and condition
Location Security Considerations
• Emergency services
• Fire
• Security
• Visibility
• Controlled access
• Public transit
Countermeasures and Controls
• Environmental controls may be:
• Physical
• Administrative/managerial
• Technical
• Layered defense/defense in depth
Crime Prevention Through Environmental Design (CPTED)
• Principle of deterring crime through managing the potential
crime scene
• Territoriality
• Restricted access
• Surveillance
• Monitoring
• Access control
• Entrances
• Maintenance
Domain Objectives
• Physical Security Threats and Controls
• Perimeter Security
• Building and Inside Security
• Secure Operational Areas
Perimeter and Building Boundary Protection
• First line of defense
• Protective barriers
• Natural
• Structural
Fences
• May be restricted by local regulations
• Inspections
• Parking should not be allowed near fences
• 1 meter/3-4 feet – will deter casual trespassers
• 2 meters/6-7 feet – too high to climb easily
• 2.5 meters/8 feet – will delay the determined intruder
• Top guard will add 2-3 feet. Can be defeated by blanket, mattress, towel, etc.
Controlled Access Points
• Gates are the minimum necessary layer
• Bollards
• Permanent or retractable post used to deter vehicle-based
attacks
Perimeter Intrusion Detection Systems
• Detect unauthorized access into an area
• Electronic “eyes”
• Note that some perimeter IDS can function inside the
perimeter as well
• Physical IDS
• Photoelectric
• Ultrasonic
• Microwave
• Passive IR
• Pressure sensitive
• Sounds/vibration
• Electrical circuits
• Motion sensors
Closed Circuit Television (CCTV)
• CCTV capability requirements
• Detection
• Recognition
• Identification
• Mixing capabilities
• Adding IR/thermal
• Virtual CCTV systems
• Fake systems
CCTV Concerns
• Total surveillance requirements
• Operating parameters (correct lens, angle?)
• Size depth, height, and width
• Pan, tilt, and zoom
• Lighting
• Contrast
CCTV Protection and Image Retention
• Storage of images
• Maintenance
• Privacy
Guards and Guard Stations
• Guards
• Deterrent
• Possible liability
• Contractors
• Guard stations
Domain Objectives
• Physical Security Threats and Controls
• Perimeter Security
• Building and Inside Security
• Secure Operational Areas
Building Entry Points
• Doors
• Windows
• Loading ramps
• Elevator shafts
• Ventilation ducts
• Crawlspaces
• Sewage or steam lines
Doors
• Isolation of critical areas
• Lighting of doorways
• Contact devices
• Guidelines
• Solid core
• Hinges fixed to frame with minimum of 3 hinges per door
• Lighting
• Should not open out except as required by building codes
• Locks should be daytime (push button) and 24 hour (deadbolt)
• Door frame should be permanently fixed to the adjoining wall studs
• Have same fire-resistance rating as adjacent walls
• Etc.
Access and Visitor Logs
• Identification/sign in and out
• Temporary badges
• Vehicles
• Escort
Turnstiles and Mantraps
• Tailgating/piggybacking
Types of Locks
• Something you have – keyed
• Something you know – combinations
• Something you are – biometric
Keyed Locks
• Lock components
• Body
• Strike
• Strike plate
• Key
• Cylinder
Lock Controls
• Lock and key control system
• Key control procedures
• Who has access to keys
• Keys issued
• Key inventory
• Default settings changed
• Change combinations
• Fail
• Soft (unlocked)
• Secure (locked)
• Safe (allow exit but not entry)
Electronic Physical Controls
• Card access
• Biometric access methods
Windows and Glass
• Standard plate glass
• Tempered glass
• 5 – 7 times more break resistant than plate and breaks into small,
less dangerous fragments
• Acrylic materials
• Stronger than plate
• Burn and produce toxic fumes, scratch easily and yellow over time
• Polycarbonate windows
• Resistant to abrasion, chemicals, fires and are even anti-ballistic
• Very expensive
Glass and Window Protection
• Laminate
• Solar film
• Bomb blast film/curtains
• Wired glass
• Intrusion detection/glass breakage sensors
Internal Intrusion Detection Systems
• Closed circuit television
• Sensors and monitors
Types of Lighting
• Continuous lighting
• Trip lighting
• Standby/backup lighting
• Emergency exit/egress lighting
• Infrared/night vision
Domain Objectives
• Physical Security Threats and Controls
• Perimeter Security
• Building and Inside Security
• Secure Operational Areas
Equipment Room
• Perimeter enclosure
• Controls
• Policy
• Emergency power off (EPO) switch
Data Processing Facility
• Small devices threat
• Digital camera
• Cell phone cameras
• USB drive
• Etc.
• Server room
• Most important requirements are space, power, air
conditioning, access control and security monitoring
• Mainframes
• Storage
Communications
• Wireless access points
• Network access control
• Cabling
• Conduit
Access to Utility Rooms
• Power rooms
• Breaker panels
• Water
• Ventilation
• Gas
Work Area
• Keeping a work area safe is important for
everyone
• Operators
• Only allow access as needed/monitor
• System administrators
• Only allow access as needed/monitor
• Restricted work areas
• Only a select few people need access
Equipment Protection
• Inventory
• Locks and tracing equipment
• Data encryption
• Disabling I/O ports
Environmental Controls
• System – Threat
• Electric power – Loss of power
• HVAC – Overheating
• Water/plumbing – Flood/dripping
• Gas – Explosion
• Refrigeration – Leakage
Fire Protection
• Prevention – reduce causes
• Detection – alert occupants
• Suppression – contain or extinguish
• Wet-pipe sprinkler
• Most reliable
• Simple
• Water under pressure, when sprinkler head breaks water comes out
• Dry-pipe sprinkler
• Water is held back by valve and is released when sensor activates
• Pipes then fill with water and sprinkler engages
Materials and Suppression Agents
• Class – Type – Suppression agents
• A – Common combustibles – Water, foam, dry chemicals
• B – Combustible liquids – Inert gas, CO2, foam, dry chemicals
• C – Electrical – Inert gas, CO2, dry chemicals
• D – Combustible metals – Dry powders
• K – Cooking media (fats) – Wet chemicals
• Suggested way to remember each: A = Ash, B = Boil, C = Current, D = Drive, K = Kitchen
Three Legs of a Common Fire
• (Figure on the original slide: the fire triangle. A fire needs fuel, heat and oxygen; each suppression agent takes away one leg, and some also interrupt the chemical chain reaction between them.)
• Displace (oxygen): CO2/foam
• Reduce (heat): Water
• Remove (fuel): Fireman
• Bind (chemical chain reaction): Halon and the like, Purple K
Flooding Area Coverage
• Water – sprinkler systems
• Gas – halon/CO2/argon systems
• Best practices for systems
• Portable extinguishers
Loss of Electrical Power
• UPS
• Generators
• Goals of power – clean and steady power
• Power controls
• Emergency power off (EPO) switch
• Power line monitors
• Total load
Heating, Ventilation, Air Conditioning
• Location
• Positive pressure
• Can indicate unauthorized physical breach
• Helps minimize dust
• Maintenance
Other Infrastructure Threats
• Vermin
• Electromagnetic fields
• Excess vibration
Physical (Environmental) Security Domain Summary
• Physical Security Threats and Controls
• Perimeter Security
• Building and Inside Security
• Secure Operational Areas
Security Architecture and Design
Domain Objectives
• System and Component Security
• Definitions and Key Concepts
• Architecture Components
• System Design Principles
• Security Models
• Information Systems Evaluation Models
• Security Frameworks
Definitions and Key Concepts
• Information security management system (ISMS)
• Set of standards for addressing security throughout the
development, deployment and implementation schedule
• Enterprise security architecture (ESA)
• Includes all areas of security for an organization: leadership,
strategy, planning, etc.
• Information security architecture (ISA)
• Another term for ISO/IEC 27002
• Best practice
• Well-recognized and accepted approach to designing,
developing, managing/monitoring and enhancing processes
Definitions and Key Concepts
• Architecture
• High-level perspective of how business requirements are to be
structured and aligned with technology and processes
• Framework
• Defined approach to the process used to achieve the goals of
an architecture, based on policy
• Infrastructure
• Integrated building blocks that support the goals of the
architecture
• Model
• Outlines how security is to be implemented within the
organization
Definitions and Key Concepts
• Good security architecture
• Strategic
• Provides a long-range perspective that is less subject to tactical
changes in technology
• Business requirements based
• Understand business and security and design a system that meets
those requirements
• Holistic
• Understanding all the parts of the business and interconnecting them
• Design
• Blueprint
• Integration and development of technology infrastructure into the business
process
• Multiple implementations
• Flexibility due to location and business constraints
Definitions and Key Concepts
• Benefits of a good security architecture
• Consistently manage risk
• Reduce the costs of managing risk
• Accurate security-related decisions
• Promote interoperability, integration, and ease of access
• Provide a frame of reference (for other organizations interacting with the enterprise)
Domain Objectives
• System and Component Security
• Definitions and Key Concepts
• Architecture Components
• System Design Principles
• Security Models
• Information Systems Evaluation Models
• Security Frameworks
Architecture Components
• What are the security limitations and benefits of each
component?
• Hardware
• Firmware
• Central processing units
• Input/output devices
• Software
• Architectural structures
• Storage and memory
Hardware: Computers
• Mainframe
• Minicomputers
• Microcomputers/desktops
• Servers
• Laptop/notebook
• Embedded
• From a security perspective, each security risk must be
addressed individually
Hardware: Mobile Devices
• USB storage
• Portable hard drives
• PDAs and mobile phones
Hardware: Printers
• Multifunctional
• Network aware
• More than output device
• Full operating system
Hardware: Communication Devices
• Modem
• Network Interface Card (NIC)
Hardware: Wireless
• Wireless network interface card
• Wireless access point
• Wireless Ethernet bridge
• Wireless router
• Wireless range extender
Firmware: Pre-Programmed Chips
• ROM (read-only memory)
• PROMs (programmable read-only memory)
• EPROMs (erasable programmable read-only memory)
• EEPROMs (electrically erasable, programmable, read-only memory)
• Field programmable gate arrays (FPGAs)
• Flash chips
• Embedded system
CPU Functionality
• Multitasking
• Multiprogramming
• Multiprocessing
• Multiprocessor
• Multi core
• Multithreading
• Direct memory access (DMA)
Real-Time Systems
• Time and mission critical systems – systems that
support mission critical services such as flight controls, alarms
and monitoring sensors
• Immediate processing
• High levels of tolerance
• Failover
Virtual Machines
• Mimic the architecture of the actual system
• Resources provided by the host system
CPU and Processor Privilege States
• Supervisor state
• Problem (user) state
• Running
• Ready
• Blocked
• Masked/interruptible
Input/Output (I/O) Devices
• I/O controller
• Managing memory
• Hardware
Software: Operating System
• Hardware control
• Hardware abstraction
• Resource manager
• Design
• Kernel
Software: Utilities and Drivers
• System utilities
• Maintenance
• System drivers
• Application/hardware interface
• Plug and play
Commercial Software Programs
(Applications)
• Commercial off the shelf (COTS)
• Function first
• Unless the software is inherently a security-focused
application (such as a firewall), attention will first be
devoted to functionality. Security is usually an
afterthought.
• Evaluation
• Make sure to consider the information security aspects
of the application such as authentication methods, audit
capabilities, edit checks and error reporting, etc.
Software: Custom
• Business application
• No two businesses do business the same way. Custom
software is the solution used as a natural progression
from manual processes to automation of tasks
• System development life cycle
Software: convergent Technologies
• Customer relationship management (CRM)
• Workflow management systems
• SharePoint, Lotus Notes
• Unified messaging
• Allows different technologies to work together. Fax to a PDA,
access internet from TV
CPU and OS Support for
Applications
• Applications were originally self-contained
• OS capable of accommodating more than one
application at a time
• Security
• Reinforced by the OS since the OS has the ability to control
the activity of the applications and ensure that one or more
application threads do not affect another
Applications - Today
• Today’s applications are modular
• Execute multiple process threads
• Security
• Problems lie in the fact that independent sections are frequently
written by someone else and may be malicious. Module may also
be used in a way not intended by the author. Modules and threads
will often communicate directly and not involve the OS. This
prevents the OS from being able to manage the activity of the
process threads.
• Programs spawn processes. Processes spawn threads.
Memory is allocated to processes. So, threads share
memory.
Systems Architecture Approaches
• Open – standards based interfaces. Considered more
vulnerable but often result in a more robust set of security
features
• Closed – proprietary interfaces. Illusion that security through
obscurity works
• Dedicated – single level of processing permitted
• Single level – permit users to execute any instruction available
• Multilevel – processing at two or more levels is permitted through some
form of user authentication and authorization. Most common
today and allows the system to be accessed by users holding different
levels of privilege.
• Embedded – single purpose computer
Architectural Structures
• Client server
• Centralized architecture
• Distributed architectures
• Thin client architecture
• Diskless computing
• Clusters
Cloud Computing
• Provisioning of services
• Cost models
• Supplement/consumption/delivery model
• Involves provisioning of dynamically scalable and often
virtualized resources
• Characteristics
• Layers
Cloud Computing
• Deployment models
• Public cloud
• Community cloud
• Private cloud
• Hybrid cloud
• Architecture
• Intercloud
• Cloud Engineering
• Issues
• Privacy
• Compliance
• Open source
• Open standards
• Security
• Issues surrounding cloud computing are due in large part to the private and public sectors' unease surrounding the external management of security-based services
Service-Oriented Architecture
• Technology benefits
• More flexible architecture, integration of existing applications,
improved data integration, supports business process
management, facilitates enterprise portal initiatives, speeds custom
application development
• Security issues
• A system that relies on distributed processing must have adequate
bandwidth and high availability.
• Business benefits
• More effective integration with business partners, supports
customer-service initiatives, enables employee self-service,
streamlines the supply chain, more effective use of external service
providers, facilitates global sourcing
Virtualization
• Virtual copy of physical system
• System virtual machine – complete operating environment that can
support user needs and multiple environment
• Hypervisor – interface between the physical and virtual environments
• Process virtual machine – systems that are dedicated to supporting
one process or program
Types of Memory Addressing
• Logical
• Refers to a memory location that is independent of the current
assignment of data to memory. Requires a translation to the
physical address.
• Relative
• Address expressed as a location relative to a known point
• Physical
• Absolute address or actual location
Memory Management Requirements
• Relocation
• Programmer does not know where the program will be placed
in memory when it is executed. It may be swapped to disk
and returned to main memory at a different location.
• Protection
• Processes should not be able to reference memory locations
in another process without permission.
• Sharing
• Allows several processes to access the same portion of
memory. OS allows each process access to the same copy of
the program rather than having its own separate copy.
Memory Protection Benefits
• Memory references are checked
• Different data classes can be kept apart
• Users can share access to the same memory where permitted
• Users (processes) cannot generate addresses outside the memory assigned to them
Primary Storage
• Registers
• Very high-speed storage structures built into the CPU chip set
and are often used to store timing and state information for
the CPU to maintain control over processes.
• Cache
• Very fast memory directly on the CPU chip body. Not
upgradeable. Three types (level 1-3).
• Random access memory (RAM)
• Main memory of the system
Secondary Storage
• Internal
• External
• Virtual memory
• SANs
• Clusters
Virtual Memory
• = primary + secondary or RAM + Disk
• Extends apparent memory to accommodate larger
program execution space than is possible using only
physical memory and involves paging and swapping
operations.
• Memory moves between RAM and disk in fixed-size pages, generally 4 or 8 KB in length
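The three addressing types, the relocation/protection/sharing requirements and the paging described on the slides above fit in one small model. The following is an added example, not part of the original slides: a toy MMU that walks a per-process page table with 4 KB pages. The page tables, frame numbers and addresses are constructed for illustration and do not describe any real system.

```python
# Added example (not from the original slides): a toy MMU that walks a
# per-process page table, illustrating logical vs physical addresses and
# the relocation, protection and sharing requirements listed above.
# The page tables, frame numbers and addresses are constructed for
# illustration and are not taken from any real system.

PAGE_SIZE = 4096                          # 4 KB pages
OFFSET_BITS = PAGE_SIZE.bit_length() - 1  # 12 bits of offset inside a page
OFFSET_MASK = PAGE_SIZE - 1


class MemoryFault(Exception):
    """Raised when a reference violates the process's page table."""


class PageTable:
    """One process's view of memory: page number -> (frame number, writable)."""

    def __init__(self, entries):
        self.entries = dict(entries)

    def translate(self, logical_addr, write=False):
        """Map a logical address to a physical one, or raise MemoryFault.

        The logical address says nothing about where the page currently
        sits in RAM (relocation). A page absent from this table cannot be
        reached at all, whatever other processes own (protection)."""
        page = logical_addr >> OFFSET_BITS
        offset = logical_addr & OFFSET_MASK
        if page not in self.entries:
            raise MemoryFault(f"page {page:#x} is not mapped for this process")
        frame, writable = self.entries[page]
        if write and not writable:
            raise MemoryFault(f"page {page:#x} is read-only")
        return (frame << OFFSET_BITS) | offset

    def relocate(self, page, new_frame):
        """The OS moves a page to another frame (e.g. after swap-out and
        swap-in); the program keeps using the same logical address."""
        _, writable = self.entries[page]
        self.entries[page] = (new_frame, writable)


def relative_to_logical(base, displacement):
    """Relative addressing: a displacement from a known point such as a base register."""
    return base + displacement


def faults(table, logical_addr, write=False):
    """True if the reference would trap, False if it translates cleanly."""
    try:
        table.translate(logical_addr, write)
        return False
    except MemoryFault:
        return True


def sample_processes():
    """Two constructed processes. Both map logical page 0 to frame 7, a
    shared, read-only copy of a program (sharing); each has a private,
    writable data page the other cannot see."""
    proc_a = PageTable({0: (7, False), 1: (3, True)})
    proc_b = PageTable({0: (7, False), 2: (5, True)})
    return proc_a, proc_b


if __name__ == "__main__":
    a, b = sample_processes()
    print(hex(a.translate(0x0004)), hex(b.translate(0x0004)))  # same frame: shared code
    print(hex(a.translate(0x1010, write=True)))                # A's private data page
    print(faults(b, 0x1010))        # B cannot reach A's page: it is simply not mapped
    print(faults(a, 0x0004, True))  # writing to the shared code page is refused
    a.relocate(1, 9)
    print(hex(a.translate(0x1010)))  # same logical address, new physical location
```

The point to take away: protection here is not a check bolted on after translation; a process that has no entry for a page has no way to name that memory at all, which is why the slides call the logical address "independent of the current assignment of data to memory".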
Storage Systems
• Network Attached Storage (NAS)
• Simple, cost effective solution. Box on network that extends
storage area.
• Storage Area Network (SAN)
• Complex, expensive solution. Offers large capacity storage
for servers over high-speed (usually fiber) links
Blade Systems
• Server chassis
• Processing power
• Management simplification
• Is simply a series of motherboards housed in a box with
a high speed backbone
Domain Objectives
• System and Component Security
• Definitions and Key Concepts
• Architecture Components
• System Design Principles
• Security Models
• Information Systems Evaluation Models
• Security Frameworks
Separation
• Temporal isolation
• Accomplished through time limits. Person cannot access an
area of the building or an area of the network, or an
application outside of certain authorized hours.
• Physical isolation
• Refers to separating out sensitive areas from common access,
such as setting up compartmentalized areas or secure rooms.
• Virtual isolation
• Protects against malicious activity by not permitting a process
to execute outside of a strict set of boundaries.
Ring Protection
• Based on the Honeywell Multics operating system
architecture.
• Set of segments in concentric numbered rings. Ring number
determines the access level; the lower the number, the more privileged the ring.
• A procedure assumes its appropriate ring number when
executing. This prohibits a process from unregulated
execution of commands at a more privileged level.
• A program may call services residing on the same or a more
privileged ring, but only through a controlled entry point (gate).
• A program may only access data that resides on the same or a
less privileged ring.
Privilege Levels
• Identifying, authenticating, and authorizing subjects
• Subjects of higher trust can access more system
instructions and operate in privileged mode
• Subjects with lower trust can access a smaller portion of
system instructions and operate only in user mode
Process Isolation
• Preserves Object’s integrity and subjects adherence to
access controls
• Prevents interaction – prevents objects from interacting with each
other and their resources
• Independent states – actions of one object should not affect the
state of other objects
• Process isolation method
• Encapsulation – objects, data, and functions are packaged together
• Time multiplexing – assignment specific time slots for processing
information
• Naming distinctions – to distinguish between processes
• Virtual mapping/domains – mapping info objects to virtual locations to
ensure applications can find their data
Trusted Computing Base (TCB)
• Trusted computer base – includes all the components and
their operating processes and procedures that ensure that the
security policy of the organization is enforced.
• Hardware
• Firmware
• Software
• Processes
• Inter-process communications
• Simple and testable
Trusted Computing Base (TCB)
• Enforces security policy – must be able to enforce security
policy regardless of user input and be protected from interference
or tampering
• Monitors four basic functions
• Process activation
• Execution domain switching
• Memory protection
• Input/output operations
Reference Monitor Concept
• Abstract machine concept – abstract machine that is regulating all access
on the system and enforcing security controls
• Must be tamperproof
• Always invoked
• Verifiable
• Security kernel
• Components of an OS that perform various protection tasks designed to control
and monitor system events and prevent things from occurring that might
disrupt normal execution or threaten the stability of the system or any of its
resources.
• Subject
• Active entity
• Object
• Passive entity
Attested Boot/TPM/Processing
• Ensures secure configuration and integrity of
software/hardware
• Uses cryptographic hash functions to ensure integrity
• Can also be used remotely
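The slide above compresses measured boot and remote attestation into three bullets. As an added example (not from the original slides), here is the mechanism written out: each boot stage is hashed into a platform configuration register (PCR) with the extend-only rule PCR_new = H(PCR_old || measurement), and a remote verifier checks that the event log replays to the reported PCR and that every measurement matches a known-good value. The "firmware images" are constructed byte strings; the TPM's signature over the reported PCR (the quote) is omitted here and assumed to be checked separately.

```python
# Added example (not from the original slides): a TPM-style measured boot
# and the verifier's side of remote attestation, using SHA-256 and the
# extend-only PCR rule. The "firmware images" are constructed byte strings;
# the TPM's signature over the PCR quote is omitted here and assumed to be
# checked separately by the verifier.
import hashlib

PCR_RESET = bytes(32)  # a PCR starts as all zeros at power-on


def measure(image):
    """Hash of a boot component, recorded before that component runs."""
    return hashlib.sha256(image).digest()


def extend(pcr, measurement):
    """PCR_new = H(PCR_old || measurement). A PCR can only be extended, never
    written, so no later stage can erase the record of an earlier one."""
    return hashlib.sha256(pcr + measurement).digest()


def boot_chain(stages):
    """Run the chain of trust: each stage is measured into the PCR and
    appended to the event log. Returns (final PCR, log)."""
    pcr, log = PCR_RESET, []
    for name, image in stages:
        m = measure(image)
        log.append((name, m))
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log):
    """Recompute the PCR from the event log alone."""
    pcr = PCR_RESET
    for _, m in log:
        pcr = extend(pcr, m)
    return pcr


def verify(reported_pcr, log, golden):
    """Verifier side of remote attestation.

    1. The log must replay to the PCR value reported by the TPM, otherwise
       the log has been edited.
    2. Every measurement in the log must match the verifier's known-good
       ("golden") value for that component, in the expected order."""
    if replay_log(log) != reported_pcr:
        return False, "event log does not replay to the reported PCR"
    expected = list(golden.items())
    if [n for n, _ in log] != [n for n, _ in expected]:
        return False, "unexpected boot order or missing stage"
    for (name, m), (_, want) in zip(log, expected):
        if m != want:
            return False, f"{name} measurement does not match known-good value"
    return True, "attestation ok"


# Constructed sample boot chain (not real firmware).
GOOD_STAGES = [
    ("firmware",   b"UEFI firmware v1.2 (constructed)"),
    ("bootloader", b"bootloader v3 (constructed)"),
    ("kernel",     b"kernel 6.x image (constructed)"),
]
GOLDEN = {name: measure(img) for name, img in GOOD_STAGES}


def tampered_stages():
    """The same chain with a modified bootloader."""
    return [(n, img if n != "bootloader" else b"bootloader v3 + implant (constructed)")
            for n, img in GOOD_STAGES]


if __name__ == "__main__":
    pcr, log = boot_chain(GOOD_STAGES)
    print(verify(pcr, log, GOLDEN))
    bad_pcr, bad_log = boot_chain(tampered_stages())
    print(verify(bad_pcr, bad_log, GOLDEN))
    # An attacker who rewrites the log to look clean still cannot fix the PCR:
    print(verify(bad_pcr, log, GOLDEN))
```

Two things the code makes concrete that the bullets do not: the order of stages matters (extending the same measurements in a different order yields a different PCR), and the event log is untrusted input to the verifier, which is why it is replayed against the TPM-reported value instead of being believed.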
Secure System Design
• Availability – must be designed to meet needs
• Criticality – design of system must ensure that the critical processes
run effectively
• Redundancy
• Single points of failure – must be designed to avoid
• Defense in depth – ensures the security of the system cannot
be circumvented through one vulnerability
Domain Objectives
• System and Component Security
• Definitions and Key Concepts
• Architecture Components
• System Design Principles
• Security Models
• Information Systems Evaluation Models
• Security Frameworks
Security Models Introduction
• Information-flow model – tracks the movement of
information from one object to another
• Non-interference model – based upon rules to prevent
processes that are operating in different domains from
affecting each other in violation of security policy
• State-machine model – abstract mathematical model
where state variables represent the system state
• Lattice-based model – hierarchical model defining
access control privilege levels
Bell-LaPadula Confidentiality Model
• Lattice-based model
• Described using rows and columns
• State-machine model
• Hierarchical based model with dominance relationships
between higher and lower security levels
• Three fundamental modes
• Read only, write only, read and write
• Secure state
• Defines access rules
• ***** very important to know *****
Biba Integrity Model
• Lattice-based model
• Addressed first goal of integrity
• Subject – object tuple
• State machine model
• When you mix clean & dirty, dirty wins
• Read & write are opposite from Bell-LaPadula
• ***** very important to know *****
Clark-Wilson Integrity Model
• Addresses all three integrity goals
• Defines well-formed transactions
• Separation of duties
1. Authorized users limited to authorized transactions
2. Unauthorized users do no tasks
3. Maintain internal & external consistency
• ***** very important to know *****
Brewer and Nash Model
• Chinese Wall security policy
• Designed to prevent conflicts of interest
• ***** very important to know *****
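The three models marked "very important to know" above are easiest to keep straight by writing their rules down as code. The following is an added example, not part of the original slides: a lattice of labels with dominance (level plus need-to-know categories), the Bell-LaPadula and Biba rules as four one-line functions, and the Brewer-Nash conflict-of-interest wall as a history-dependent check. The classification levels, category names and company names are constructed.

```python
# Added example (not from the original slides): the access rules of
# Bell-LaPadula, Biba and Brewer-Nash written out as code, so that the
# "read down / write up" versus "read up / write down" difference and the
# conflict-of-interest wall can be checked on concrete labels. The
# classification levels, categories and company names are constructed.
from dataclasses import dataclass

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # constructed ordering, low to high


@dataclass(frozen=True)
class Label:
    level: int
    categories: frozenset

    def dominates(self, other):
        """Lattice dominance: at least as high a level AND a superset of the
        other's categories (need-to-know). Two labels may be incomparable."""
        return self.level >= other.level and self.categories >= other.categories


def label(level, *categories):
    return Label(LEVELS[level], frozenset(categories))


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject, obj):
    return subject.dominates(obj)          # simple security property


def blp_can_write(subject, obj):
    return obj.dominates(subject)          # *-property


# Biba (integrity): the mirror image, no read down, no write up.
def biba_can_read(subject, obj):
    return obj.dominates(subject)          # simple integrity axiom


def biba_can_write(subject, obj):
    return subject.dominates(obj)          # integrity *-axiom


class ChineseWall:
    """Brewer-Nash: access depends on history. Once a subject has touched one
    company's data, every other company in the same conflict-of-interest
    class is off limits to that subject."""

    def __init__(self, conflict_classes):
        self.class_of = {co: i for i, group in enumerate(conflict_classes) for co in group}
        self.history = {}   # subject -> set of companies already accessed

    def can_access(self, subject, company):
        seen = self.history.get(subject, set())
        return all(c == company or self.class_of[c] != self.class_of[company] for c in seen)

    def access(self, subject, company):
        if not self.can_access(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


if __name__ == "__main__":
    analyst = label("S", "crypto")
    print(blp_can_read(analyst, label("C")), blp_can_read(analyst, label("TS", "crypto")))
    print(biba_can_read(analyst, label("C")), biba_can_read(analyst, label("TS", "crypto")))
    wall = ChineseWall([{"BankA", "BankB"}, {"OilX", "OilY"}])
    print(wall.access("alice", "BankA"), wall.access("alice", "BankB"), wall.access("alice", "OilX"))
```

Note that a Secret subject without the "nuclear" category cannot read a Confidential object labelled with it: dominance is on the lattice, not on the level alone, which is the "need to know" entry on the Security Models slide.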
Other Models
• Graham-Denning
• Harrison-Ruzzo-Ullman (HRU) result
• Variations of Biba
Security Models
• Integrity
• Clark-Wilson
• Biba
• G&M
• Sutherland
• Graham-Denning
• HRU
• Need to know
• Confidentiality
• Brewer-Nash
• BLP
• Implementations
• Gong
• Lipner
• Karger
• Jueneman
• Lee & Shockley
Domain Objectives
• System and Component Security
• Definitions and Key Concepts
• Architecture Components
• System Design Principles
• Security Models
• Information Systems Evaluation Models
• Security Frameworks
Evaluation Standards
• TCSEC (U.S. DoD)
• ITSEC (European Union)
• Common Criteria (ISO Standard 15408)
TCSEC or Orange Book
• DoD-centric
• Security and functionality
• Product evaluation
• Rainbow series – was a part of the Rainbow Series of books
dealing with security topics
• TNI – Trusted Network Interpretation (another of the series)
ITSEC
• International origin
• ITSEM
• Assurance
• Functionality
Common Criteria (ISO 15408)
• Origins
• Documents
• EAL 1-7 (evaluation assurance level)
• Protection profile (PP)
• Target of evaluation (TOE)
• Software, firmware, and/or hardware
• Security target (ST)
• Requested level of testing
Domain Objectives
• System and Component Security
• Definitions and Key Concepts
• Architecture Components
• System Design Principles
• Security Models
• Information Systems Evaluation Models
• Security Frameworks
ISO 7498-2
• Defined secure communications
• NOT an implementation
• Takes 7-layer OSI model and maps it to a 2-layer
functional model
Zachman Framework
• Complete overview of IT
business alignment
• Intent
• Scope
• Two-dimensional
• Principles
SABSA
• What are the business
requirements?
• Follow-on to Zachman
• Operational security focus
The Open Group Architecture
Framework
• Governance
• Business
• Application
• Data
• Technology
DoD Architecture Framework
• OMB A-130 requirement
• View sets:
• All view
• Operational view
• Systems view
• Technical standards view
ISO/IEC 42010
• International standard for the architectural description of software-intensive systems
• Not an ISMS standard (the ISMS standard is ISO 27001)
ISO 27001 - ISMS
• Information security management system
• Ensures best practices are met
• Sets standards for security areas
• Based on BS7799-2
• Measurable and certifiable standard
IT Infrastructure library (ITIL)
• Focuses on IT services
• Supporting products
COSO Enterprise Risk Management
Framework
• Emphasizes the importance of identifying and managing
risks
• Process
• People
• Reasonable assurance
• Objectives
• If moving money, probably want to use this
Capability Maturity Model
• Developed by SEI (Software Engineering Institute)
• Based on TQM concepts (Total Quality Management)
• Framework for improving process
• Benefits
• Top 3 are proactive, bottom 2 reactive
PCI-DSS
• Payment card industry – data security standard
• Standards for the protection of payment card data (e.g.
credit cards, debit cards, etc.)
• Covered more in Domain 5 (Legal, Regulations,
Investigations, and Compliance)
Security Architecture and Design
Domain Summary
• System and Component Security
• Definitions and Key Concepts
• Architecture Components
• System Design Principles
• Security Models
• Information Systems Evaluation Models
• Security Frameworks
Software Development Security
Domain Objectives
• Overview of Applications Security
• System Life Cycle Security
• Applications Security Issues
• Malware and Other Attacks
• Database Security
Need for Applications Security
• While this model is important
to all domains, AIC is
probably most important to
this one
• Interface to critical and
sensitive data
• Thousands of exploits
Secure Systems Development Policies
• Organizations require security development methodology
• Many corporations are beginning to require and provide guidelines
for developing secure applications
• Security climate has changed
• Vendors are focused on functionality of their products and on
increasing their return on investment instead of security
• Security as built-in instead of add-on
• Compliance – many regulations and compliance requirements now
demand that systems track and control access permissions of users
and other entities
Organizational Standards
• Web Application Security Consortium (WASC)
• Build Security in (BSI)
• International Organization for Standardization
(ISO)/International Electrotechnical Commission (IEC)
27034
• These orgs provide information for software vendors and
the public that is intended to create secure environments
for software development, to aid in developing internal
code standards, to incorporate security features in
software products, and to deploy into secure
environments.
Software Configuration Management
(SCM)
• Versioning
• Technologist
• Protection of code
• Protection of project
• Scope creep vs Statement of Work
• Process Integrity
System Development Controls
• Project Management
• Complexity of Systems and Projects
• Security by Design
• Controls Built in to Software
• Secure by Default
Secure Development Excuses
• You cannot build security around an application, you
have to build it in
• “We need security? Then we’ll use SSL”
• “We need strong authentication? PKI will solve all our
problems”
• “We use a secret/military-grade encryption”
• “We had a hacking contest and no one broke it”
• “We have an excellent firewall”
• “We’ll add it later; let’s have the features first”
Secure Development Concerns
• Push to Market – pressure to deliver a product quickly
• Protect Source Code
• From tampering
• Pirating
• Accidental loss
• Protection against attacks
Secure Development - Physical
• Controlled access areas
• Development vs Operations
• Project security
• Probably best to only develop and work on projects in a
secure area.
Personnel Security
• Hiring controls – background checks for everyone involved
• Trust – several attacks come from developers
• Skills – don’t post to blogs asking for assistance on programming
problems
• Changes in employment
• If internal, adjust permissions on things no longer needed
• If leaving company, remind to keep company secrets
• Protection of privacy from employees
• Privacy Impact Rating – part of risk assessment. Looks at the data
that would be accessible by programs and identifies sensitive data
Separating Test Data From Production
• Never test on a production system
• Never use real data
• Protection of sensitive data
• Test for failure – test error routines and the resilience of
system to failure
• Ranges – test using both acceptable and unacceptable data values
• Stress Tests – make sure system can handle the number of
transactions or users that may be using the system at once
• Always try to test for what the bad guy and stupid user
would do
Certification and Accreditation
• Certification of secure design and deployment
• Production environment
• Accreditation of acceptance of risk
• Management approval for implementation
• Ensure that systems meet, and continue to meet, their
security requirements
Domain Objectives
• Overview of Applications Security
• System Life Cycle Security
• Applications Security Issues
• Malware and Other Attacks
• Database Security
System and Project Management
• Project Management-Based Methodology
• Systems Security Engineering Capability Maturity Model (SSE-CMM), with the CMMI maturity levels:
• 1-initial (chaotic, immature), 2-managed (disciplined, capable), 3-defined
(documented, consistent), 4-quantitatively managed (predictable), 5-optimizing (constant improvement)
• SLC vs SDLC
• Systems Life Cycle – development, post-development,
maintenance phases
• System Development Life Cycle – development and ends
shortly after implementation
Software Development Methods
• Waterfall
• Spiral Method
• Clean-Room
• Structured Programming Development
• Iterative Development
• Joint Analysis Development
• Prototyping
• Modified Prototype Model
• Exploratory Model
• Rapid Application Development
• Agile Development
• Computer Aided Software Engineering
• Component-Based Development
• Reuse Model
• Extreme Programming
Programming Language Examples
Interpreted
• Basic
• REXX
• PostScript
• Pascal
• Perl
• Ruby
• Python
Compiled (listed oldest to newest)
• Basic
• Fortran
• COBOL
• Pascal
• C, C++, C#
• ADA
• Python
• Visual Basic
Program Utilities
• Assembler – program that translates an assembly
language program into machine language.
• Compiler – translates a high-level (source) language
into machine language
• Interpreter – instead of compiling a program all at once,
the interpreter translates it statement-by-statement
• Drivers – used to interface a program with the system
• Hybrid – compilation and interpretation. Code is
compiled into an intermediate stage. In Java, known as
bytecode. Needed for compatibility between systems.
Transaction Processing
• Separation of Duties
• Need to Know
• Logging
• Transaction:
  • Integrity – data not inappropriately altered
    • Edit checks, balancing, data/input validation, error handling/information leakage, logging/auditing, cryptography, secure code environment, session management
  • Availability – large queries that affect performance should be limited. Critical systems should be designed with redundancy and failover
  • Confidentiality – provide necessary security measures for data
Object-Oriented Programming
• OOP Concepts
• Classes – templates for objects
• Objects – instances of the classes
• Message – objects request services by sending messages to other
objects
• Inheritance – an object that is called by another object or program
derives its data and functionality from the calling object
• Polymorphism – different objects may respond to the same
command in different ways
• Polyinstantiation – creating a new version of the object by
changing its attributes. Prevents Inference Violations by allowing
different versions of the same information to exist at different
classification levels
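Polyinstantiation as an added example (not code from the slides): a small multilevel table keyed by (key, classification), so the same key can hold different values at different levels and a low-level writer is never told that a higher-level row already exists. The classification labels, the ship name and the values are constructed for illustration.

```python
"""Polyinstantiation in a multilevel-secure table (added example, not from the slides).

Each row carries a classification label. A low-cleared user who inserts a row
whose key already exists at a higher level must not get a "duplicate key"
error, because that would confirm the secret row exists (an inference
violation). Instead a second instance of the key is stored at the lower level.
Reads return, per key, the highest-classified instance the reader may see.
"""
from dataclasses import dataclass

# Constructed lattice of labels; higher number = more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass(frozen=True)
class Row:
    key: str    # the primary key as the user sees it (here: a ship name)
    level: str  # classification label of this instance
    value: str  # the attribute being protected (here: the ship's destination)


class MLSTable:
    """Table keyed by (key, level) so one key can exist at several levels."""

    def __init__(self):
        self._rows = {}  # (key, level) -> Row

    def insert(self, key, level, value, writer_level):
        # A writer may only create data at its own level (no write-down).
        if LEVELS[level] != LEVELS[writer_level]:
            raise PermissionError("writers may only insert at their own level")
        if (key, level) in self._rows:
            # A duplicate at the writer's own level is a real conflict and
            # reveals nothing the writer could not already see.
            raise KeyError(f"{key} already exists at {level}")
        # Any higher-level instance of the same key is silently left in place:
        # that is the polyinstantiation hiding its existence from the writer.
        self._rows[(key, level)] = Row(key, level, value)

    def select(self, key, reader_level):
        """Return the instance of `key` at the highest level the reader may see."""
        visible = [r for (k, lvl), r in self._rows.items()
                   if k == key and LEVELS[lvl] <= LEVELS[reader_level]]
        if not visible:
            return None
        return max(visible, key=lambda r: LEVELS[r.level])

    def instances(self, key):
        """Number of polyinstantiated versions stored for a key."""
        return sum(1 for (k, _) in self._rows if k == key)


def demo():
    # Constructed data: a SECRET analyst records the true destination first.
    t = MLSTable()
    t.insert("HMS Example", "SECRET", "Gibraltar", writer_level="SECRET")
    # An UNCLASSIFIED clerk then inserts the cover story under the same key.
    # A plain unique-key constraint would reject this and leak the SECRET row.
    t.insert("HMS Example", "UNCLASSIFIED", "in port", writer_level="UNCLASSIFIED")
    low = t.select("HMS Example", "UNCLASSIFIED").value
    high = t.select("HMS Example", "SECRET").value
    return low, high, t.instances("HMS Example")


if __name__ == "__main__":
    print(demo())  # ('in port', 'Gibraltar', 2)
```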
Distributed Programming
• Distributed Component Object Model (DCOM)
• Simple Object Access Protocol (SOAP)
• Common Object-Request Broker Architecture (CORBA)
• Enterprise Java Beans (EJB)
• Distributed programming requires abstract communication between hosts. It requires that programs located on different computers be able to use the same program at the same time.
Software Security Effectiveness
• Senior management participation
• Software security group
• Many organizations implement this. Charged with directly
executing or facilitating the software security activities.
• Understand, measure and plan
• Result of many activities
• Software security is the result of many activities. People,
process and automation are all key components.
• 15 core activities
Software Security Effectiveness
• BSIMM (Build Security In Maturity Model)
• Organization observed
• Business objectives
• Roles
• Framework
Applications Security Issues
• Building security in
• Adding defense-in-depth
• Cryptographic protection of data
• Secure architecture
Applications Security Principles
• Validate all input and output
• Fail secure (closed)
• Make it simple
• Defense in Depth
• Only as secure as your weakest link
Secure Coding Issues
• Buffer overflow
• SQL injection
• Cross-site scripting (XSS)
• Dangling pointer
• Invalid hyperlink
• Secure (encrypted) web application traffic risks
• JavaScript attacks vs sandbox
• Application programming interface (API)
• Open source
• Vendor proprietary software
• Escrow
• iFrames
• Race condition
• Risks of push technology
• Information disclosure – error handling
• Infrastructure flaws
• Misconfiguration
• Incomplete parameter check and enforcement
• Covert channels
• Inadequate granularity of controls
• Privileged programs/privilege escalation
• Social engineering
• Multiple paths to information
• Object reuse
• Garbage collection
• Trap door/maintenance hooks
Malware and Attack Types
• Malformed input
  • Injection (SQL injection)
  • Input manipulation/malicious file execution
  • URL manipulation
  • Unicode attack
• Cryptographic storage
• Hijacking
• Insecure communications
• Denial of Service (DoS)
• Distributed Denial of Service (DDoS)
• Botnets
• Fast flux botnets
• Data hiding
• Alternate data streams (ADS)
• Non-technical
• Executable content/mobile code
• Web applets
• Dynamic email
• Cookie poisoning (manipulation)
• Keystroke logging
• Adware and spyware
• SPAM
• Phishing
• Spear phishing
• Whaling
• Pharming
• Remote Access Trojans (RAT)
• Rootkits and RATs
• HTTP Response Splitting
• Cross Site Request Forgeries (CSRF)
Malware Structure
• Infection/reproduction
• Target search
• Infection
• Trigger
• Payload
Malware Anti-Detection
• Stealth
• Tunneling
• Polymorphism
• Self-decrypting
• Antivirus (anti-malware) disabling
Virus
• Central characteristic is reproduction
• Generally requires some action by user
• May or may not carry payloads
Virus Types
• File infector
• Boot Sector Infector
• System infector
• Email virus
• Multipartite
  • Used to mean a virus that was able to infect boot sectors and programs
  • Now means a virus that can infect more than one type of object, or can infect or reproduce in more than one way
• Macro Virus
• Script Virus
  • Visual Basic file that can be seen as a data file but is executable (.vbs)
The Hoax, Chain Letters and Pranks
• Social engineering
• Hoax
• Chain Letters
• Pranks
• Forms of spam. More annoying than anything else, but can eat up bandwidth
Worm
• Reproduces
• No user action required
• Loopholes
• Often probe the computer looking to exploit specific
weaknesses and/or compromise other computers
• Attacks server software
Trojan Horse
• Purported to be a positive utility
• Hidden negative payload
• Social engineering
Logic Bomb
• Generally implanted by an insider
• Waits for condition or time
• Triggers negative payload
Diddlers, Backdoors and RATs
• Data diddler
• Salami technique
• Office Space – fractions of a cent moved to bank account
• Payload in a Trojan or virus that deliberately corrupts
data, generally by small increments over time.
Protection From Malware Code
• Policies
• Tools
• Monitoring
• Operation
• Egress scanning
• Integrity checkers
Emerging Threats and Chained Exploits
• New application services
• Cell phones/mobile phones
• Telephony
• Chained exploits
Database Security
• Database (day to day) and data warehousing (strategic)
environment
• Eliminate duplication of data
• Consistency of data
• Network access
• Databases provide consistency of data. Data can be saved in one place, allowing anyone with access to see it without the need for duplicates, giving greater consistency and accuracy of data
• Data warehousing is a new concept where large volumes of
information from many databases are stored. May lead to
privacy concerns.
Database Management Systems (DBMS) Models
• Hierarchical DBMS
  • Stores records in a single table
  • Parent/child relationships
  • Limited to a single tree
  • Difficult to link branches
[Diagram: single-tree example – Car → Toyota, Honda, Mazda → CRV, Accord, Civic → 2-door, 4-door]
Network DBMS Model
• Extended form of the hierarchical database structure
• Does not refer to database being sorted on a network
but rather to the method by which data is linked to other
data.
[Diagram: network model example linking makes (BMW, Mazda, Ford) to models (Regular: Mazda 3, Mazda 6; Truck: E Series, Freestar; X3, X5) and to shared features (4x4, 5 speed transmission, Leather Interior, Front and Rear Climate Controls)]
Relational DBMS Model
• Most frequently used model
• Data are structured in table
• Columns are “variables” (attributes)
• Rows contain the specific instances (records) of data
• Primary key
• Must exist
• Not null
• Index/optimize the table
• Foreign key
• Optimize
• Attribute in table
RDBMS Tables, Joins and Unions

Author Table (Author No is the Primary Key)

  Author No   Last Name   First Name   State
  123456      Smithson    Mary         CA
  234567      Rogers      Mike         NY
  345678      Tucker      Sally        CT
  456789      Gleason     Sarah        IL

Book Table (Author No is the Foreign Key referencing the Author Table)

  Book No   Book Title                 Book Type   Book Price   Author No
  PC1234    Learning Database Models   Computer    39.99        123456
  PC4321    Data modeling Techniques               69.99        234567
  PC6789    Designing a Database       Computer    39.99        345678
  PC9876    Secrets of Databases       Computer    19.99        456789
Data Warehouse
• Consolidated view of enterprise data
• Data mart
• Designed to support decision making through Data
Mining
• Metadata
Knowledge Discovery in Databases (KDD)
• Methods of identifying patterns in data
• KDD and AI techniques
  • Probabilistic models
  • Statistical models
  • Classification approach
  • Deviation and trend analysis
  • Neural networks
  • Expert system approach
  • Hybrid approach
Database Security Issues
• Inference (guess)
• Aggregation (conclusion)
• Unauthorized access
• Improper modification of data
• Unauthorized data mining
• Query attacks
• Bypass attacks
• Interception of data
• Web security
Database Controls
• Access controls
• Grants – user is given access to specific data using
various privilege types
• Cascading permissions – if an individual who granted access to others loses that access, so does everyone they granted it to
• Lock controls
• Backup and recovery
• Data contamination control
• Polyinstantiation
View-Based Access Controls
• Constrained views
• What portion of the data in the database is the user authorized
to see
• Sensitive data is hidden from unauthorized users
• Controls located in the front-end application (user
interface)
Transaction Controls
• Content-based access control
• Commit statement
• Writes any and all changes that have occurred to the data during
the current transaction
• Three-phase commit
• Client requests permission to make a change to a database, the
database approves the change but doesn’t make the change until
the client returns a reply indicating the transaction completed
correctly.
• Database rollback
• Journals/logs
• Error controls
The ACID Test
• Atomicity – all or none. All transactions execute or rollback
• Consistency – changes maintain consistency. Transformed
from one valid state to another valid state, remaining
compliant with the rules of the database
• Isolation – transactions in progress are invisible to others.
Guarantees that the results of a transaction are invisible to
other transactions until the transaction is complete.
• Durability – say it is done, stays done. Ensures that the
results of the completed transaction can survive future
system and media failures.
Database Interface Languages/Methods
• Structured Query Language (SQL)
• Open Database Connectivity (ODBC)
• Extensible Markup Language (XML)
• Object Linking and Embedding (OLE)
• ActiveX Data Objects (ADO)
• Dynamic data
Application and Database
Languages: Security Issues
• Poorly designed
• More privileges than necessary
• DBA account use
• Lack of audit
• Input validation
Software Development Security
Domain Summary
• Overview of Applications Security
• System Life Cycle Security
• Applications Security Issues
• Malware and Other Attacks
• Database Security
Telecommunications and
Network Security
Domain Objectives
• Network Security Overview
• Physical
• Data Link
• Network
• Transport
• Session
• Presentation
• Application
• Telephony
• Services
Network Security Overview
• What is network security?
• Encompasses the STRUCTURES, TRANSMISSION METHODS, TRANSPORT FORMATS AND SECURITY MEASURES used to provide INTEGRITY, AVAILABILITY, AUTHENTICATION, and CONFIDENTIALITY for transmissions over PRIVATE and PUBLIC communications networks and media.
Information Security TRIAD
Security Issues and Concerns
• Message protection
• Confidentiality
• Integrity
• Non-repudiation
• Availability
• Redundancy
• Single point of failure
Defense in Depth
• Series of hurdles
• Collection of controls
• Any form of protection can be defeated but when
layered it becomes much harder to defeat.
OSI Reference Model
People Don’t Need To Smoke Pot Anymore
TCP/IP Model
Network-Based Attacks
• Network as a channel for attacks
• Most frequent network security threat today. Example, viruses
exploit networks in order to spread without actually breaching the
security of the network itself
• Inbound and outbound attacks
• Network as a target of attack
• DoS
• DDoS
Network Attacks
• Network attack phases
  • Intelligence gathering and target selection
  • Target analysis
  • Gaining access
  • Escalation of privileges
  • Sustaining control
Domain Objectives
• Network Security Overview
• Physical
  • Concepts & Architecture
  • Technology & Implementation
  • Standards
  • Threats & Countermeasures
• Data Link
• Network
• Transport
• Session
• Presentation
• Application
• Telephony
• Services
Layer 1: Physical Layer
• Bits are converted into signals
• All signal processing is handled here
• Physical topologies
• Physical layer describes the networking
hardware, the format of the communications (bits,
bytes, or optical pulses), as well as cable,
wireless connections, etc.
Communication Technology
• Analog and digital communications
• Digital communication brings quantitative and qualitative enhancements
  • Higher throughput
  • Better signal-to-noise ratio
  • Fault-tolerant error correction
  • Ability to immediately process digital signals in a computer
Network Topology
• Even small networks are complex
• Network topology and layout affect scalability and
security
• Wireless networks also have a topology
[Diagram: Network Topology – Mesh, Ring, Star, Tree, Bus]
Bus Topology
• LAN with a central cable to which all nodes connect
• Advantages
• Scalable
• Permits node failure
• Disadvantages
• Bus failure
Ring Topology
• Closed-loop topology
• Advantages
• Deterministic
• Disadvantages
• Single point of failure
Star Topology
• All of the nodes connect to a central device
• Advantages
• Permits node/cable failure
• Scalable
• Disadvantages
• Single point of failure
Tree Topology
• Devices connect to a branch on the network
• Advantages
• Scalable
• Permits node failure
• Disadvantages
• Failures split the network
Mesh Topology
• In a full mesh network, every node in the network is
connected to every other node in the network
• Advantages
• Redundancy
• Disadvantages
• Expensive
• Complex
• Scalability
Media Selection Considerations
• Throughput
• Distance between devices
• Data sensitivity/confidentiality
• Environment
• Cost
• Media types: Twisted Pair, Coax, Fiber, Wireless
Twisted Pair
• One of the simplest and cheapest cabling technologies
• Unshielded (UTP) or shielded (STP)
Coaxial Cable (Coax)
• Conducting wire is thicker than twisted pair
• Bandwidth
• Length
• Expensive and physically stiff
Fiber Optics
• Three components
• Light source
• Optical fiber cable
• Two types
• Light detector
• Advantages
• High bandwidth
• Immune to EMI and RFI
• Difficult to tap
• Disadvantages
• Expensive
• Difficult to install
Wireless Transmission Technologies
• 802.11 – WLAN
• From wired network to station, wireless LAN
• 802.16 – WMAN, WiMAX
• From neighborhood to station, wireless metropolitan area networks,
or WiMAX®
• Satellite
• From orbit to station
• Microwave
• High bandwidth, line of sight, point-to-point communications that
require licensing (ground to ground OR ground to orbit to ground)
• Optical
• High bandwidth, line of sight, point-to-point communications that do
not require licensing
Patch Panels
• Provide a physical cross-connect point for devices
• Alternative to directly connecting devices
• Centralized management
Modems
• Convert a digital signal to analog
• Provide little security
• War dialing
• Unauthorized modems
Hubs and Repeaters
• Hubs
• Used to implement a physical star/logical bus topology
• All devices can read and potentially modify the traffic of other
devices
• Repeaters
• Allow greater distances between devices
Wireless Access Points (WAPs)
• Access Point (AP)
• Point where wireless signals are converted to wired
• Go from radio waves to typically copper
• Multiple input/multiple output (MIMO)
• Uses multiple antennas at both the sending and receiving
ends and transmits different signals on each antenna
• Avoids some of the interference experienced by single
antenna units and increases performance and message
quality
Cloud Computing
• Access to IT services over the Internet
  • Data storage
  • Software
  • Security
  • Communications
  • Etc.
• Security issues (3rd party trust)
• VPN connections – use when accessing secure data or
services
• Sharing of data – 3rd party trust
• Cross-border data transfer – is your data in the U.S.?
Standard Connections
• Types of connectors
  • RJ-11
  • RJ-45
  • BNC (British Naval Connector)
  • RS-232 (serial ports)
• Cabling Standards
  • TIA/EIA-568 (Telecommunications Industry Association/Electronic Industries Association)
Physical Layer Threats
• Attack vectors
• Wire
• Tapping
• Wireless
• Sniffing
• Equipment
• Modems
• Authorized and unauthorized modems
• Emanations and TEMPEST
• EMI and RFI
Physical Controls
• Wire
• Shielding
• Conduit
• Faraday cage
• Penetration index
• Wireless
• Encryption
• Authentication
• Equipment
• Locked doors & cabinets
Domain Objectives
• Network Security Overview
• Physical
• Data Link
  • Concepts and Architecture
  • Technology & Implementation
  • Protocols
  • Threats & Countermeasures
• Network
• Transport
• Session
• Presentation
• Application
• Telephony
• Services
Layer 2: Data Link Layer
• Connects Layers 1 and 3
• Converts data from a signal into a frame
• Transmits frames to devices
• Link-layer encryption
• Determines network transmission format
Local Architecture Security
• Perimeter-based security
• The “egg” concept of security
• Hardened outside defenses
• Lack of internal defenses?
• Security domains
• Internal layers of defense
• Isolating networks within the organization
Network Partitioning
• Bastion host
• Dual-homed host
• Screened host and subnet
• Demilitarized zone (DMZ)
Network Partitioning
• Three-legged firewall
• Disadvantages
• Single point of failure
• No defense in depth
• Managing firewall rules can be complex
Token Ring and Token Passing
• A token is a special frame that circulates through the
ring
• Device must possess the token to transmit
• Token passing is used in token ring (IEEE 802.5) and
FDDI
Synchronous/Asynchronous
• Synchronous
• Timing mechanism synchronized data transmission
• Robust error checking
• Practical for high-speed, high-volume data
• Asynchronous
• Clocking mechanism is not used
• Surrounds each byte with bits that mark the beginning and
end of transmission
Unicast, Multicast, and Broadcast
• Unicast
• Sending of message from one host to another
• Multicasts
• Message (video, teleconference, etc) sent to a defined set of
recipients
• IGMP (Internet Group Management Protocol) – used to manage
multicasting groups (hosts on a network that are interested in a
particular multicast)
• Broadcasts
• Sends to an unlimited number of recipients. Can send to everyone
on network and sub-networks
• Often used to launch DoS
Circuit-Switched vs Packet-Switched
• Circuit-switched network
• Dedicated circuit between endpoints
• Endpoints have exclusive use of the circuit and its bandwidth
• Cost based on duration of the connection. Makes it cost-effective only for steady communication streams
• Packet-switched network
• Data is divided into packets and transmitted on a shared
network
• Each packet can be independently routed on the network
• Cost based on amount of data transmitted. Appropriate for
transmissions with significant idle time
Switched/Permanent Virtual Circuits
Virtual circuits provide connection between endpoints over
high-bandwidth multiuser cable or fiber networks, which cause
them to behave with similar performance characteristics as if
the circuit were a dedicated physical circuit
• Permanent virtual circuits (PVC)
• Carrier configures the route through the packet-switched network. Unless changed, the route stays the same
• Switched virtual circuits (SVC)
• Traffic routing is configured dynamically by the routers each time the
circuit is used
Unicast – Point-to-Point
• ISDN (integrated services digital network)
• High speed before DSL, cable.
• Ts (T carriers)
• Time division multiplexing
• 1.544 Mbit/s over 24 channels (8000 frames/sec X 193 bits/frame)
• Es (E carriers)
• Time division multiplexing
• 2.048 Mbps over 30 channels
• OCs (optical carriers)
• T3, E3, SONET (3.45% of any speed)
X.25
• Suite of protocols for unreliable networks
• Has a strong focus on error correction
• Users and hosts connect through a packet switched
network
• Most organizations now opt for frame relay and ATM
instead of X.25 for packet switching
Frame Relay
• Network cloud of switches
• Customers share resources in the cloud
• The cloud is assumed to be reliable
• Customers are charged only for bandwidth used
Asynchronous Transfer Mode (ATM)
• Connection-oriented
• Uses virtual circuits
• Guarantees quality of service but not the delivery of
cells
• Types of virtual circuits
  • Constant Bit Rate (CBR)
  • Variable Bit Rate (VBR)
  • Unspecified Bit Rate (UBR)
  • Available Bit Rate (ABR)
Multi-Protocol Label Switching
(MPLS)
• Bandwidth management and scalability
• Permits traffic engineering
• Provides quality of service and defense against network
attacks
• Operates at Layers 2 and 3
• Operates over most other packet switching technologies
such as frame relay and ATM
• Created for performance but has the effect of being a
tunnel
Digital Subscriber Lines (DSL)
• Uses CAT-3 cables and the local telecom loop
• Asymmetric digital subscriber line (ADSL)
• Downstream speeds greater than upstream
• Rate-adaptive DSL (RADSL)
• Upstream transmission rate is auto tuned depending on the
quality of the line
• Symmetric digital subscriber line (SDSL)
• Same transmission rate up and down
• Very high bit-rate DSL (VDSL)
• Higher transmission rate. 13Mbps down and 2Mbps up
Cable Modem
• PC Ethernet NIC connects to a cable modem
• Speeds from 256Kbps to 50Mbps
• Bridging device between computers and ISP
• Modem and head-end exchange cryptographic key
• Cable modems increase the need to observe good
security practices
Concentrators, Multiplex/Demultiplex
• Combining or splicing signals
• Division multiplexing technologies
• TDM – time
• FDM – frequency
• WDM – wave
• Concentrator combines channels together. Often used to
permit several remote access connections to terminate on
the network at the same time.
• Multi/Demultiplex combines several signals into a single data
stream or breaks them apart.
Switches and Bridges
• Multiport devices to connect LAN hosts
• Forward frames only to the specified MAC address
• Increasingly sophisticated
• Also forward broadcasts
Wireless Local Area Networks
• Allow mobile users to remain connected
• Extend LANs beyond physical boundaries
Wireless Standards: IEEE 802.11
• 802.11b – 11 Mbit/s
• 802.11a – 54 Mbit/s + error correcting code
• 802.11g – max 54 Mbit/s w/ avg 22 Mbit/s
• 802.11n (multiple input/output) – 54 to 600 Mbit/s
• 802.11i (security)
• 802.16 (WiMAX)
• 802.15 (Bluetooth)
• Wireless multiplexing
• OFDM/DSSS/FHSS (AFH)
Authentication
• Paramount to the security of wireless LANs
• SSID
• SSID broadcast
• Open systems authentication
• Shared key authentication
• MAC address filtering
• Extensible authentication protocol
Wireless Encryption
• WEP – shared secret. Can be cracked in 3 to 30 sec
• WPA – uses RC4 w/ 128 bit keys. IV of 48 bits. Temporal Key
Integrity Protocol (TKIP) providing different key per packet
• WPA2 – AES instead of RC4. TKIP replaced with Counter Mode/CBC-MAC Protocol (CCMP)
• Extensible authentication protocol
• EAP-TLS – client and server mutually authenticate & use certs
• EAP-TTLS – less secure than EAP-TLS
• EAP-PEAP – encrypted tunnel but less secure than EAP-TLS
Point-to-Point Protocols (PPP)
• RFC 1331
• Encapsulation
• Link control protocol (LCP)
• Network control protocols
• PPP provides a standard method of encapsulating
Network Layer protocol information over point-to-point
links
Address Resolution Protocol (ARP)
• ARP (RFC 826)
  • Generic address-resolution protocol. Was designed to be able to convert any network protocol address to any data-link address. Use today is normally to resolve 802.x addresses to IP addresses
• RARP (RFC 903)
  • Used to map a device's MAC address to its IP address
• ARP cache poisoning
  • Valid request is answered by an invalid authority
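Detecting the "valid request answered by an invalid authority" pattern from an ARP log, as an added example that is not from the slides. The log format, the addresses and the MACs are constructed for illustration; the check flags a reply that answers no outstanding request, and a reply that changes the MAC already learned for an IP.

```python
"""Detecting ARP cache poisoning from an ARP log (added example, not from the slides).

Constructed log lines: "<seq> <op> <sender_ip> <sender_mac> <target_ip>", where
op is "request" or "reply". Two indicators are raised:
  * an unsolicited reply: a reply for which no matching request was seen;
  * a binding change: a reply mapping an IP to a MAC different from the one
    first learned for that IP.
Either one is what a poisoned cache looks like from the wire.
"""

# Constructed sample: 10.0.0.1 is the gateway at 00:11:22:33:44:01. From line 4
# on, a different MAC answers for the gateway's IP.
SAMPLE_LOG = """\
1 request 10.0.0.5 00:11:22:33:44:05 10.0.0.1
2 reply 10.0.0.1 00:11:22:33:44:01 10.0.0.5
3 request 10.0.0.5 00:11:22:33:44:05 10.0.0.1
4 reply 10.0.0.1 aa:bb:cc:dd:ee:ff 10.0.0.5
5 reply 10.0.0.1 aa:bb:cc:dd:ee:ff 10.0.0.7
"""


def parse(log):
    """Yield (seq, op, sender_ip, sender_mac, target_ip) per non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        seq, op, sip, smac, tip = line.split()
        yield int(seq), op, sip, smac.lower(), tip


def detect(log):
    """Return (learned ip->mac table, list of alert strings)."""
    table = {}        # ip -> mac; the first binding seen is kept as the reference
    pending = set()   # (requester_ip, queried_ip) of requests awaiting a reply
    alerts = []
    for seq, op, sip, smac, tip in parse(log):
        if op == "request":
            pending.add((sip, tip))
            continue
        # op == "reply": the sender claims to own sip with MAC smac, answering tip.
        if (tip, sip) in pending:
            pending.discard((tip, sip))
        else:
            alerts.append(f"#{seq}: unsolicited reply for {sip} from {smac} to {tip}")
        known = table.setdefault(sip, smac)
        if known != smac:
            alerts.append(f"#{seq}: {sip} changed from {known} to {smac} (possible poisoning)")
    return table, alerts


if __name__ == "__main__":
    learned, found = detect(SAMPLE_LOG)
    print(learned)
    for a in found:
        print(a)
```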
Password Authentication Protocol (PAP)
• Identification and authentication of remote entity
• Uses a cleartext, reusable (static) password
• Supported by most network devices
• Advantages
  • Standards-based solution that provides interoperability in a multivendor network
  • Inexpensive to install and operate
  • DB is encrypted
• Disadvantages
  • PW is transmitted in the clear
  • Reply is either an ACK or NAK. No replay protection.
Challenge Handshake Authentication Protocol
• CHAP
  • Periodically revalidates users
  • Standard password database is unencrypted
  • Password is sent as a one-way hash
• MSCHAP
  • Server stores an encrypted hash of user's pw
Domain Objectives
• Network Security Overview
• Physical
• Data Link
  • Concepts and Architecture
  • Technology & Implementation
  • Protocols
  • Threats & Controls
• Network
• Transport
• Session
• Presentation
• Application
• Telephony
• Services
Link Layer Threats
• Confidentiality
  • Eavesdropping
  • Sniffing for reconnaissance
  • Offline brute force
  • Unapproved wireless
• Integrity
  • Modification/injection/hijacking
  • Man-in-the-middle
  • Force weaker authentication
• Availability
  • DoS/jamming
• Others
  • Rogue access points/ad hoc networks
  • War driving
  • Open wireless networks
Controls for Wireless Threats
• Encryption
• Authentication
• RF management
Domain Objectives
• Network Security Overview
• Physical
• Data Link
• Network
  • Concepts & Architecture
  • Technology & Implementation
  • Protocols
  • Threats & Controls
• Transport
• Session
• Presentation
• Application
• Telephony
• Services
Layer 3: Network Layer
• Moves information between two hosts that are not
physically connected
• Uses logical addressing
Local Area Network (LAN)
• LANs service a relatively small area
• Most LANs have connectivity to other networks
• VLANs are software-based LAN segments implemented
by switching technology
Metropolitan Area Network (MAN)
• Optimization for city
• Uses wireless infrastructure, fiber optics, or Ethernet to
connect sites together
• Still needs security
• Switched multi-megabit data service (SMDS)
• SONET/SDH
Storage Area Network (SAN)
• Hard drive space problem
• Server of servers
• Fiber backbone
• Switched
Wide Area Network (WAN)
• A WAN is a network connecting local networks or
access points
• Connections are often shared and tunneled through
other connections
Internet/Intranet/Extranet
• Internet
• Collection of all interconnected IP networks
• Intranet
• Company’s internal Internet
• Extranet
• Company will grant other controlled access to an isolated
segment of its own network to allow exchange of information
• Granting access to external organizations - risky
IPSEC
• Authentication header (AH)
• Encapsulating security payload (ESP)
• Security parameter index (SPI)
• Security associations
• Transport mode/tunnel mode
• Internet key exchange (IKE)
Tunneling Protocols
• Point-to-point tunneling protocol (PPTP) – Microsoft
• Layer 2 forwarding (L2F) – Cisco
• Layer 2 tunneling protocol (L2TP) – from Cisco &
Microsoft
• Add IPSEC, becomes VPN
Routers
• Network routing
• Layer 3
• Find best path to destination
Firewalls
• Filtering
• Filtering by address
• Filtering by service
• Static packet filtering
• Stateful inspection or dynamic packet filtering
• Personal firewalls
• Filter on any field in header
Firewalls
• Enforce administrative security policies
• Separate trusted networks from untrusted networks
• Firewalls should be placed between security domains
Proxy Firewalls
• Circuit-Level proxy
• Application-level proxy
Firewalls

Firewall Type             OSI Model Layer     Characteristics
Packet filtering          Network Layer       • Routers using ACLs dictate acceptable access to a network
                                              • Looks at destination and source addresses, ports, and services requested
Application-level proxy   Application Layer   • Deconstructs packets and makes granular access control decisions
                                              • Requires one proxy per service
Circuit-level proxy       Session Layer       • Deconstructs packet
                                              • Protects a wider range of protocols and services than app-level proxies, but does not give as detailed a level of control
Stateful                  Network Layer       • Keeps track of each conversation using a state table
                                              • Looks at state and context of packets
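Packet filtering versus stateful inspection from the table above, as an added example that is not from the slides. The inside host, the addresses, the ports and the three constructed packets are assumed for illustration; the point is that a header-only rule admitting "replies from port 443" also admits any unsolicited packet that merely carries that source port, while the state table does not.

```python
"""Static packet filtering vs stateful inspection (added example, not from the slides).

Constructed packets flow between an inside host and the Internet. The static
filter decides on header fields alone, so to let replies to outbound HTTPS
back in it must permit every inbound packet with source port 443, which also
admits unsolicited packets that simply set that source port. The stateful
filter records conversations the inside initiated and admits an inbound
packet only when it matches a recorded conversation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (inside -> Internet) or "in" (Internet -> inside)
    src: str
    sport: int
    dst: str
    dport: int


def static_filter(pkt):
    """Packet filter: rules look only at the addresses and ports of the packet in hand."""
    if pkt.direction == "out" and pkt.dport == 443:
        return True   # allow outbound HTTPS
    if pkt.direction == "in" and pkt.sport == 443:
        return True   # needed for the replies, but it admits anything from port 443
    return False


class StatefulFilter:
    def __init__(self):
        # (inside_ip, inside_port, remote_ip, remote_port) of conversations seen leaving
        self.state = set()

    def decide(self, pkt):
        if pkt.direction == "out" and pkt.dport == 443:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))  # remember the conversation
            return True
        if pkt.direction == "in":
            # Only a packet answering a recorded outbound conversation gets in.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state
        return False


def run(packets):
    """Return [(static decision, stateful decision)] for each packet, in order."""
    stateful = StatefulFilter()
    return [(static_filter(p), stateful.decide(p)) for p in packets]


# Constructed traffic: a legitimate HTTPS exchange, then an unsolicited inbound
# packet that carries source port 443 but answers no conversation.
SAMPLE = [
    Packet("out", "10.0.0.5", 51000, "203.0.113.10", 443),
    Packet("in", "203.0.113.10", 443, "10.0.0.5", 51000),
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 22),
]

if __name__ == "__main__":
    for p, (s, st) in zip(SAMPLE, run(SAMPLE)):
        print(f"{p.direction:>3} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  static={s} stateful={st}")
    # [(True, True), (True, True), (True, False)]
```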
End Systems
• Servers and mainframes
• Operating systems
• Notebooks/laptops/tablet PCs
• Workstations
• Smartphones
• Personal digital assistants
• Network Attached Storage (NAS)
End System Protection
• Antivirus
• Personal Firewalls
• Host-based IDS/IPS
• Patch management
Routing Protocols
• Routing information protocol (RIP)
• Routing table compromise
• Virtual router redundancy protocol (VRRP)
• Open shortest path first (OSPF)
• Exterior gateway protocol (EGP) – obsolete
• Border gateway protocol (BGP)
• Intermediate system-to-intermediate system (ISIS)
• Interior gateway routing protocol (IGRP)
• Enhanced IGRP (EIGRP)
Connectivity Protocols
• ICMP
• Redirect attacks
• Traceroute
• Ping scanning
Internet Protocol (IP)
• Internet Protocol (IP) is responsible for routing packets
over a network
• Unreliable protocol – no error checking
• IP will subdivide packets
• IPv4 address structure
IPv6
• A larger IP address field
• Improved security
• A more concise IP packet header
• Improved quality of service (QoS)
Internetwork Packet Exchange (IPX)
• Vendor specific
• Retired
IP Attacks
• Fragmentation attacks
• Teardrop attack
• Overlapping fragment attacks
• Traceroute exploitation
• Sniffing
Smurf and Fraggle Attacks
• Smurf attack misuses the ICMP echo request
• Fraggle attack uses UDP instead of ICMP
• Ping through UDP
• Ping of death
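Both attacks on this slide depend on an echo request (ICMP for Smurf, UDP echo/chargen for Fraggle) being delivered to a broadcast address so that every host on the segment answers. The following added example, not from the slides, shows the check a border or segment monitor can apply: compute each local segment's broadcast address with the ipaddress module and flag echo-style datagrams aimed at it. The segment list and the datagrams are constructed assumptions.

```python
import ipaddress
from collections import Counter
from typing import List, NamedTuple, Optional

# Assumed local segments (constructed for the demo).
LOCAL_SEGMENTS = [ipaddress.ip_network("10.1.0.0/24"),
                  ipaddress.ip_network("10.2.0.0/23")]


class Datagram(NamedTuple):
    src: str
    dst: str
    proto: str            # "icmp" or "udp"
    icmp_type: int = -1   # 8 = echo request
    dport: int = 0        # UDP destination port


def is_broadcast_target(dst: str) -> bool:
    """True for the limited broadcast or any local segment's directed broadcast address."""
    ip = ipaddress.ip_address(dst)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(ip == seg.broadcast_address for seg in LOCAL_SEGMENTS)


def classify(d: Datagram) -> Optional[str]:
    """Name the reflection pattern a datagram matches, or None."""
    if not is_broadcast_target(d.dst):
        return None
    if d.proto == "icmp" and d.icmp_type == 8:
        return "smurf"      # ICMP echo request to a broadcast address
    if d.proto == "udp" and d.dport in (7, 19):
        return "fraggle"    # UDP echo (7) or chargen (19) to a broadcast address
    return None


def summarize(datagrams: List[Datagram]) -> Counter:
    """Count matches by (source address, pattern); the source is the address the replies will hit."""
    counts: Counter = Counter()
    for d in datagrams:
        kind = classify(d)
        if kind:
            counts[(d.src, kind)] += 1
    return counts


SAMPLE = [  # constructed traffic
    Datagram("10.1.0.9", "10.1.0.77", "icmp", icmp_type=8),     # ordinary ping to one host
    Datagram("192.0.2.10", "10.1.0.255", "icmp", icmp_type=8),  # echo request to the /24's broadcast
    Datagram("192.0.2.10", "10.2.1.255", "icmp", icmp_type=8),  # the /23's broadcast is 10.2.1.255
    Datagram("192.0.2.10", "10.2.0.255", "icmp", icmp_type=8),  # not a broadcast inside a /23: ignored
    Datagram("192.0.2.10", "10.1.0.255", "udp", dport=7),       # UDP echo to broadcast
    Datagram("10.1.0.9", "10.1.0.255", "udp", dport=137),       # NetBIOS name broadcast: legitimate
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The fourth datagram illustrates why the subnet mask matters: 10.2.0.255 looks like a broadcast address but is an ordinary host address in a /23. The standard control is to have routers refuse to forward directed broadcasts (Cisco IOS's `no ip directed-broadcast`, the default since IOS 12.0), which removes the amplifier entirely; the check above remains useful for spotting attempts.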
Encryption as a Threat
• Can be used for inappropriate purposes
• External attackers
• Can plant encrypted backdoors that will allow them to access
system
• Internal attackers
• Utilize commonly available tools (SSL, TLS, SSH) to encrypt
traffic to subvert controls
• Encrypted backdoors
• Tunnels to home computer
• Tunnels set up to use company resources for personal pursuits
• Tunnels set up to protect criminal/improper behavior
• Etc.
IP Addressing Spoofing
• Packets are sent with a bogus source address
• Takes advantage of a protocol flaw
Controls
• Policy
• Inbound and outbound traffic controls
• Network partitioning
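"Inbound and outbound traffic controls" against spoofing means ingress and egress filtering at the border: a packet arriving from the Internet must not claim one of our own addresses as its source, and a packet leaving must carry one of our addresses. The following is an added example, not from the slides, of that pair of rules in Python; the site prefixes, the non-routable list and the sample packets are constructed assumptions.

```python
import ipaddress
from typing import List, Tuple

# Assumed address plan: the site owns these prefixes behind one Internet border.
OUR_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# Sources that should never arrive from the Internet-facing interface.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def is_ours(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in OUR_PREFIXES)


def border_filter(direction: str, src: str, dst: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet crossing the border.

    direction is "in" (arriving from the Internet side) or "out" (leaving toward it).
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if direction == "in":
        if is_ours(src_ip):
            return "DROP", "ingress spoof: our own address arriving from outside"
        if any(src_ip in net for net in NON_ROUTABLE):
            return "DROP", "non-routable source from outside"
        if not is_ours(dst_ip):
            return "DROP", "transit packet: destination is not ours"
        return "ALLOW", "ok"
    if direction == "out":
        if not is_ours(src_ip):
            return "DROP", "egress spoof: source is not one of our prefixes"
        return "ALLOW", "ok"
    raise ValueError(f"unknown direction {direction!r}")


def audit(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Run the filter over (direction, src, dst) records and return only the drops."""
    drops = []
    for direction, src, dst in packets:
        verdict, reason = border_filter(direction, src, dst)
        if verdict == "DROP":
            drops.append((direction, src, dst, reason))
    return drops


SAMPLE = [  # constructed traffic
    ("in",  "198.51.100.7",   "10.2.2.2"),      # normal inbound
    ("in",  "10.1.2.3",       "10.2.2.2"),      # claims to be inside: ingress spoof
    ("in",  "172.16.5.5",     "10.2.2.2"),      # RFC 1918 space we do not own
    ("out", "10.2.2.2",       "198.51.100.7"),  # normal outbound
    ("out", "198.51.100.200", "198.51.100.7"),  # one of our hosts lying about its source
    ("in",  "127.0.0.1",      "10.2.2.2"),      # loopback can never arrive on the wire
]

if __name__ == "__main__":
    for d in audit(SAMPLE):
        print(d)
```

The egress rule is the one most often skipped, yet it is what stops a site from being the origin of spoofed floods; the ingress rule protects the site's own hosts from packets that impersonate trusted internal peers.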
Layer 4: Transport Layer
• End-to-end transport between peer hosts
• Connection-oriented and connectionless protocols
Transmission Control Protocol (TCP)
• Well-known ports – 0 to 1023
• Registered ports – 1024 to 49151
• Dynamic and/or private ports – 49152 to 65,535
• Total of 65,536 ports
User Datagram Protocol (UDP)
• Fast
• Low overhead
• No error correction/replay protection
Transport Layer Security (TLS)
• Mutual authentication
• Encryption
• Integrity
Attacks
• SYN Flood
• Denial of Service
Threats
• Port scanning
• FIN, NULL and XMAS scanning
• SYN scanning
• TCP sequence number attacks
• Session hijacking
Controls
• SYN proxies
• Honeypots and honeynets
• Tarpits
• Similar to honeypots. Entice hackers by presenting legitimate
looking systems that they will spend time attempting to crack.
• Particularly useful against spamming and network (port)
scanning
• Continuous or periodic authentication
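The threats and controls on the two slides above (port scanning with FIN, NULL, XMAS and SYN probes; SYN floods) are all visible in TCP flag patterns, which is what an IDS or a SYN proxy keys on. The following added example, not from the slides, runs two detectors over constructed connection records: a scan detector that counts distinct destination ports probed by one source inside a time window and names the probe types seen, and a SYN-flood detector that counts half-open handshakes per listening port. Thresholds, addresses and records are assumptions chosen for the demo.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class TcpRecord(NamedTuple):
    ts: float      # seconds
    src: str
    dst: str
    dport: int
    flags: str     # TCP flag letters set on the segment: S, A, F, R, P, U ("" = none)


def classify_probe(flags: str) -> Optional[str]:
    """Map a flag combination to the scan technique it is characteristic of."""
    s = set(flags)
    if not s:
        return "NULL"
    if s == {"F"}:
        return "FIN"
    if s == {"F", "P", "U"}:
        return "XMAS"
    if s == {"S"}:
        return "SYN"
    return None


def detect_scans(records: List[TcpRecord], min_ports: int = 10,
                 window: float = 60.0) -> Dict[str, Set[str]]:
    """Sources that probed at least min_ports distinct ports within any window, with the probe types used."""
    per_src: Dict[str, List[Tuple[float, int, str]]] = defaultdict(list)
    for r in records:
        kind = classify_probe(r.flags)
        if kind:
            per_src[r.src].append((r.ts, r.dport, kind))
    alerts: Dict[str, Set[str]] = {}
    for src, probes in per_src.items():
        probes.sort()
        ports: Counter = Counter()   # distinct ports inside the sliding window
        kinds: Set[str] = set()      # probe types seen from this source overall
        lo = 0
        for ts, port, kind in probes:
            ports[port] += 1
            kinds.add(kind)
            while probes[lo][0] < ts - window:      # slide the window forward
                old = probes[lo][1]
                ports[old] -= 1
                if ports[old] == 0:
                    del ports[old]
                lo += 1
            if len(ports) >= min_ports:
                alerts[src] = kinds
    return alerts


def detect_syn_floods(records: List[TcpRecord],
                      min_half_open: int = 20) -> Dict[Tuple[str, int], int]:
    """Listening (dst, port) pairs with at least min_half_open SYNs never followed by the client's ACK."""
    syns: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    completed: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for r in sorted(records, key=lambda x: x.ts):
        key = (r.dst, r.dport)
        if r.flags == "S":
            syns[key].add(r.src)
        elif "A" in r.flags and "S" not in r.flags and r.src in syns[key]:
            completed[key].add(r.src)       # third handshake segment seen
    return {k: len(v - completed[k]) for k, v in syns.items()
            if len(v - completed[k]) >= min_half_open}


def sample_records() -> List[TcpRecord]:
    """Constructed traffic: one scanner, one normal client, one flood."""
    recs: List[TcpRecord] = []
    # A scanner walking 12 ports with NULL, FIN, XMAS and SYN probes in turn.
    for i, port in enumerate(range(20, 32)):
        recs.append(TcpRecord(10 + i, "198.51.100.9", "10.0.0.5", port, ["", "F", "FPU", "S"][i % 4]))
    # A normal client completing a handshake to port 443.
    recs.append(TcpRecord(20.0, "10.0.0.7", "10.0.0.5", 443, "S"))
    recs.append(TcpRecord(20.1, "10.0.0.5", "10.0.0.7", 51234, "SA"))
    recs.append(TcpRecord(20.2, "10.0.0.7", "10.0.0.5", 443, "A"))
    # 30 SYNs to port 80 from distinct sources, none of which ever completes the handshake.
    for i in range(30):
        recs.append(TcpRecord(30 + i * 0.01, f"203.0.113.{i + 1}", "10.0.0.5", 80, "S"))
    return recs


if __name__ == "__main__":
    recs = sample_records()
    print(detect_scans(recs))
    print(detect_syn_floods(recs))
```

The half-open count is exactly the quantity a SYN proxy keeps off the real server: the proxy completes the handshake with the client itself and only opens a connection to the server once the client's ACK arrives, so the backlog on the protected host never fills with entries like the 30 above.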
Layer 5: Session Layer
• Client-server model
• Middleware and three-tiered architecture
• Many implementations are designed to spread
the workload of a complex process to specialized
computer in a network
• Mainframe
• Keeps sessions local, unless remote terminals
are implemented
• Centralized systems
• RADIUS and TACACS+ enable remote
connection
Technology and Implementation
• Java RMI (remote method invocation)
• Allows a program running on one Java VM to invoke methods
running on another JVM
• Microsoft .NET
Protocols
• Real-time protocol – RTP
• End-to-end delivery services for data such as interactive audio
and video
• RTP control protocol – RTCP
• Used to monitor the quality of service and to communicate
information about the users during the session
• Remote procedure calls – RPC
• Execute objects across hosts
• Open network computing remote procedure call (ONCRPC)
• Sun’s version
Remote User Authentication
• RADIUS
• TACACS+
RPC Threats and Controls
• Threats
• Unauthorized sessions
• Invalid RPC exchanges
• Controls
• Patch
• Block at firewall
• Disable unnecessary protocols
Layer 6: Presentation Layer
• Data conversion
• Ensures a common format for data
• Services for encryption and compression
• JPEG
Mainframe to PC Translation
• Extended binary coded decimal interchange code
(EBCDIC)
• American standard code for information interchange
(ASCII)
• Gateway
• Specialized equipment used to translate presentation-layer
protocols
• NOT “default gateway”
Audio & Video Compression
• Codec
• Compression/decompression
• Conserves bandwidth and storage
VoIP Protocols
• H.323
• Session initiation protocol (SIP)
• Proprietary applications and services
Layer 7: Application Layer
• The application layer is not the graphical
user interface (GUI)
• Performs communication between peer
applications
Implementations
• Client/Server
• IM
• XMPP (Jabber)
• IRC
• Email
• WWW
• Peer to Peer
• File sharing
Protocol Examples
• FTP – File Transfer Protocol
• RSH – Remote Shell
• IMAP – Internet Message Access Protocol
• IRC – Internet Relay Chat
• MIME – Multipurpose Internet Mail Extensions
• POP3 – Post Office Protocol (v3)
• Rlogin – Remote login in UNIX systems
• SOAP – Simple Object Access Protocol
• SSH – Secure Shell
• TELNET – Terminal Emulation Protocol
Communication Services
• Synchronous messaging
• Instant messaging (IM)
• Internet relay chat (IRC)
• Asynchronous messaging
• Simple mail transfer protocol (SMTP)
• Post office protocol (POP)
• Internet message access protocol (IMAP)
• Network news transfer protocol (NNTP)
Remote Communication Services
• TCP/IP terminal emulation protocol (TELNET)
• Remote login (RLOGIN), remote shell (RSH), remote
copy (RCP)
• X Window system (X11)
• Video and multimedia
Storage Data Services
• File transfer protocol (FTP)
• Trivial file transfer protocol (TFTP)
• Hypertext transfer protocol (HTTP)
• HTTP over TLS (HTTPS)
• Secure hypertext transfer protocol (S-HTTP)
• Proxies
Threats and Controls
• Authenticity
• Eavesdropping
• Scripting
• Social engineering
• Spam over instant messaging (SPIM)
• Tunneling firewalls
• Email spoofing
• Spam
Mobile Telephony – Cellular Service
• Analog
• Advanced mobile phone service (AMPS)
• Digital
• Global service for mobile communications (GSM)
• EDGE (enhanced data rate for GSM evolution)
• General packet radio service (GPRS)
• Data
Telephony Technology
• PSTN
• PBX
• Facsimile
• Voice firewalls
• VOIP
• SIP, H.323
• TDMA, CDMA, FDMA
Voice over IP
• Reduced cost
• Converged technology
• Security
Common Threats
• War dialing
• PBX administration
• War driving
• Fraudulent toll
• Voice eavesdropping
Directory Services
• Domain name service (DNS)
• Lightweight directory access protocol (LDAP)
• Network basic input output system (NetBIOS)
• Network information service (NIS/NIS+)
Configuration Services
• Simple network management protocol (SNMP)
• Dynamic host configuration protocol (DHCP)
• Network time protocol (NTP)
• Finger user information protocol
Storage Server Services
• Common internet file system (CIFS)/server message
block (SMB)
• Network file system (NFS)
• Secure NFS (SNFS)
DNS Threats
• Spoofing
• Query manipulation:
• Hosts file manipulation
• Social engineering
• Information disclosure
• Domain litigation
• Cybersquatting
Email Threats
• Spoofing
• Open mail relay servers
• Spam and filtering
• Phishing
Server Message Block (SMB)
Threats
• Buffer overflows
Controls
• DNS security extensions (DNSSEC)
• Mail filtering
• IM policy
• Turn off SMB
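Of the DNS query-manipulation threats listed above, hosts-file manipulation is the one a host-based control can check directly, because the resolver consults the hosts file before it ever sends a query. The following added example, not from the slides, audits a hosts file against a baseline of expected entries and a list of protected domains that must never be overridden locally. The baseline, the protected domains and the sample file are constructed assumptions.

```python
from typing import Dict, List, NamedTuple, Set, Tuple


class Finding(NamedTuple):
    line_no: int
    name: str
    address: str
    reason: str


# Assumed baseline: entries an administrator expects to find on this host.
BASELINE: Dict[str, Set[str]] = {
    "localhost": {"127.0.0.1", "::1"},
    "build.corp.example": {"10.0.5.20"},
}

# Assumed: domains whose names must only ever come from DNS, never from the local file.
PROTECTED_DOMAINS = ("corp.example", "example.com")


def in_protected_domain(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, name) for every name on every entry line; comments are stripped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:           # one address may carry several names
            entries.append((n, parts[0], name.lower()))
    return entries


def audit_hosts(text: str) -> List[Finding]:
    """Flag baseline mismatches, overrides of protected domains, and unknown entries."""
    findings: List[Finding] = []
    for n, addr, name in parse_hosts(text):
        expected = BASELINE.get(name)
        if expected is not None:
            if addr not in expected:
                findings.append(Finding(n, name, addr, "baseline name mapped to an unexpected address"))
            continue
        if in_protected_domain(name):
            findings.append(Finding(n, name, addr, "protected domain overridden locally"))
        else:
            findings.append(Finding(n, name, addr, "entry not in baseline"))
    return findings


SAMPLE_HOSTS = """\
# constructed hosts file for the demo
127.0.0.1   localhost
::1         localhost
10.0.5.20   build.corp.example
198.51.100.23  login.example.com www.example.com   # redirects protected names
0.0.0.0     ads.tracker.invalid                    # not in baseline
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f)
```

Run this from a scheduled integrity check and alert on any finding; on a host that should never carry local overrides the baseline collapses to the two localhost entries, and every other line is a finding. DNSSEC, the control listed on the slide, does not help here: a poisoned hosts file is consulted before any signed answer is requested.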
Telecommunications and Network Security Domain Summary
• Network Security Overview
• Physical
• Data Link
• Network
• Transport
• Session
• Presentation
• Application
• Telephony
• Services
CISSP Summary
• Domain 1 – Access Control
• Domain 2 – Business Continuity and Disaster Recovery Planning
• Domain 3 – Cryptography
• Domain 4 – Information Security Governance and Risk Management
• Domain 5 – Legal, Regulations, Investigations, and Compliance
• Domain 6 – Operations Security
• Domain 7 – Physical (Environmental) Security
• Domain 8 – Security Architecture and Design
• Domain 9 – Software Development Security
• Domain 10 – Telecommunications and Network Security
Questions?