how i passed the cissp test: lessons learned in certification

How I Passed the CISSP Test: Lessons Learned in

CertificationPresented by Kirk A. Burns, CISSP

Admin Data

Emergency Exits

Breaks

Phones

Other Admin Data

Introduction

Instructor

What is this class going to provide me?

What should I expect to get out of this class?

Class Structure

• Broken up into 12 parts

• Part 1: introduction

• Parts 2 – 11: will be the domains

• Part 12: will be examples of types of questions you might see.• THESE ARE NOT copies of the questions from the exam

What is (ISC)²?

(ISC)²• International Information Systems Security Certification Consortium• Non-profit organization which specializes in information security

education and certifications• Often described as the “world’s largest IT security organization”• Based in Palm Harbor, Florida, USA• Offices in London, Tokyo, Hong Kong, Vienna, Virginia• Over 85,000 certified professionals in 135 countries• http://www.isc2.org

(ISC)² Code of Ethics

Preamble:• The safety and welfare of society and the common good, duty to our

principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

Code of Ethics Canons:• Protect society, the common good, necessary public trust and

confidence, and the infrastructure• Act honorably, honestly, justly, responsibly, and legally• Provide diligent and competent service to principals• Advance and protect the profession

BENEFITS OF (ISC)² MEMBERSHIP

• Member Benefits• Continuing Education

• Security Leadership Series events• Discounts

• Worldwide receptions, conferences, RSA, InfoSec, SecureAmerica

• Face-to-Face Networking

• Virtual Networking• Career Tools, InterSeC

BENEFITS OF (ISC)² MEMBERSHIP

• Industry Awards

• Resources• InfoSecurity Professional Magazine• Information Security Perspective journal

• Member submitted security awareness materials

• Volunteer Opportunities• http://staysafeonline.org

What is CISSP?

• Certified Information Systems Security Professional• Governed by (ISC)²• Worldwide recognition of competence• Practical understanding of information security issues and solutions• ANSI accreditation based on the ISO/IEC 17024:2003 standard

(obtained in June 2004)• Awareness of security challenges• As of November 2013, reported to have 90,198 members worldwide in

149 countries

ROLE OF THE CISSP

• CISSPs often hold job functions such as:

• Security Consultant• Security Manger• IT Director/Manager• Security Auditor• Security Architect• Security Analyst• Security Systems Engineer• Chief Information Security Officer• Director of Security• Network Architect

ROLE OF THE CISSP

• Develops and oversees the implementation of the organization’s information security policies and procedures

• Provide advice on implementation of information security solutions and technologies

• Monitoring compliance with regulatory bodies and employees, contractors, alliances and other 3rd parties

COMMON BODY OF KNOWLEDGECBK

• The (ISC)² CBK is a compendium of topics relevant to information security professionals around the world. The (ISC)² CBK is the accepted standard in the industry, the subject of many books written on information security, and the core of the university information assurance programs around the globe. The CBK continues to be updated annually by (ISC)² CBK Committees comprised of members from many industries and regions around the world, to reflect the most current and relevant topics required to practice in the field. (ISC)² uses the CBK domains to assess a candidate’s level of mastery of information security.

How to Get Your CISSP Certification

1) Obtain the Required Experiencea) must have a minimum of five (5) years cumulative paid full-time work

experience in two (2) or more of the ten (10) domains.b) May receive a one year experience waiver with a four-year college degree,

or regional equivalent OR additional credential from the (ISC) approved list (requiring four (4) years of direct full-time professional security work experience in two or more of the ten domains)

2) Study for the Exam3) Schedule the Exam4) Pass the Exam5) Complete the Endorsement Process6) Maintain the CISSP Certification

CISSP EXAMThe CISSP exam

• 250 questions• 6 hours• To pass must get 700 points out of 1000• BE ON TIME!!!!!!• Bring admission letter• Must have government issued Photo ID• Bring pencil and eraser• ~$500

ENDORSEMENT PROCESS

What is needed for the Endorsement Process

• Provide a recent resume• Complete the Examination Registration Form• Submit a completed and executed Endorsement Form

MAINTENANCE REQUIREMENTS

• To maintain the CISSP certification and remain in “good standing” with (ISC)², you are required to:

• Pay the Annual Maintenance Fee (AMF) of $85 USD at the end of each certification year

• Earn and submit 120 credits over three years. A minimum of 20 CPEs must be posted during each year of the three year certification cycle

THE DOMAINS

• Access Control• Business Continuity and Disaster Recovery Planning• Cryptography• Information Security Governance and Risk Management• Legal, Regulations, Investigations, and Compliance• Operations Security• Physical (Environmental) Security• Security Architecture and Design• Software Development Security• Telecommunications and Network Security

Golden Rule

1. People Safety First2. Management buy-is is Critical3. Everyone is responsible for Security4. Training is Essential5. Policy is the Key to (nearly) everything

What If I Don’t Have The Experience?

• For those who don’t have the experience, there is the Systems Security Certified Practitioner (SSCP)• Only need 1 year of experience

• Domains covered:• Access Controls• Cryptography• Malicious Code and Activity• Monitoring and Analysis• Networks and Communications• Risk, Response and Recovery• Security Operations and Administration

Access Control

Domain Objectives

• Provide definitions and key concepts• Identify access control categories and types• Discuss access control threats• Review system access control measures• Understand Intrusion Detection and Intrusion Prevention

systems• Understand Access Control assurance methods

Access Control

• Is the basic foundation of information security• Implemented differently depending on whether the are of

implementation is physical, technical or administrative.• Categories include:

• Preventive• Detective• Corrective• Deterrent• Recovery• Directive• Compensating• Often used in combination

Access Control

• A comprehensive threat analysis will identify the areas that will provide the greatest cost-benefit impact.

• The field of access control is constantly evolving. Organizations need to know what is available and what methods will best address their issues.

• Data and system access control are NOT the same. User might have access to a system but not to the data. Think “need-to-know”

• Access control assurance addresses the due diligence aspect of security.

• Implementing a control is part of due care, but due diligence involves regularly checking to ensure that the control is working as expected.

Information Security TRIAD

Domain Objectives

• Definitions of Key Concepts• Access Control Categories and Types• Access Control Threats• Access to System• Access to Data• Intrusion Prevention and Detection Systems• Access Control Assurance

Basic Requirements

• Security – ensure only authorized users and processes are able to access or modify

• Reliability – ensure control mechanisms work as expected, every time• Transparency – have minimal impact on the ability of authorized users to

interface with the system and do their job• Scalability – should be able to handle a wide range of changing systems and

user load without compromising system performance• Maintainability – if too time-consuming or complicated, admins may not keep

them up to date• Auditability – should provide audit trails• Integrity – must be designed to protect from unauthorized changes• Authentic – help ensure that data input is authentic

Key Concepts

• Separation of duties• No one person should have control over the process. Allowing this could

allow a person to manipulate the system for personal gain. Process should be broken down into individual steps executed by different people.

• Rotation of duties prevents collusion between two or more people. This minimizes the chance of or exposes fraud. Forced vacation can provide the same effect.

• Core element of the Clark-Wilson Integrity model• Least privilege – only allow access to resources that are absolutely needed

for work• Need-to-know – just because you have the clearance doesn’t mean you

really need to know the data or process

Information Classification

• Is the PROPER assessment of the sensitivity and criticality of information• Ensures that info is neither improperly disclosed nor overprotected

• Objectives:• Identify info that needs to be protected• Standardize labeling• Alert authorized holders of protection requirements• Comply with laws, regulation, etc.

• Benefits – keeps cost down• Example of classification:

• Public, internal use only and company confidential• Compartmentalized information – information that requires special

privilege to access

Information Classification Procedures

• Scope – risk analysis will evaluate data for classification. Things to consider:• Exclusive possession (trade secrets, etc.)• Usefulness• Cost to recreate• Legal or regulatory liability• Operational impact• Etc.

• Process – goal is to achieve a consistent approach to handling classified information

• Marking and labeling – for all types of media to include video• Human readable• Machine readable

• Assurance – regular internal and possibly external audits should be done

Domain Objectives

Access Control Types

• Administrative – policies and procedures.

• Technical/logical – use of hardware and software controls

• Physical – manual, structural or environmental controls to protect facilities and resources

Access Control Categories

• Preventive – block unwanted actions. However, only effective if employees see these as necessary

• Detective – identify, log and alert management of unwanted actions (during or after event)

• Corrective – remedy the circumstances that enabled event• Directive – controls dictated by organizational and legal authorities• Deterrent – Prescribe some sort of punishment• Recovery – restore lost resources or capabilities• Compensating – backup controls that come into effect when

normal controls are unavailable

Domain Objectives

Access Control Threats

• Denial of service• Password crackers

• Dictionary• Brute force• Rainbow tables

• Keystroke loggers• Spoofing/masquerading

• Machine• Impersonation

• Sniffers• Shoulder surfing/swiping• Dumpster diving• Emanations• Time of Check (TOC)/Time

of Use (TOU)

Domain Agenda

System Access Control

• Identification – process of recognizing users or resources as valid accounts

• Authentication – verification of the identity of the person or node

• Authorization – determines what a user or node is allowed to do once identified and authenticated

• Accountability – ability to track user activity

Identification

• Methods• Most common is UserID, account number, email or PIN• Biometrics can also be used

• Guidelines – unique UserID unless anonymity is required• RFID – can be used in place of above methods to identify user• MAC and IP address – used primarily to identify a node on the network• Security user registration – user interacts with a registration authority to

become an authorized member of the domain1. UserID, encryption keys, job title, email, etc.2. User validation

Authentication Methods

• Knowledge (something you know)

• Ownership (something you have)

• Characteristics (something you are)

Identity and Access Management

• Need for identity management – needed to manage, authenticate, authorize, provision, de-provision and protect identities

• Challenges – the more complex a network and data protection system, the more challenging to manage

• Identity management technologies – designed to centralize and streamline the management of user ids, authentication and authorization

Identity Management Challenges

• Consistency – user data entered across different systems MUST be consistent

• Reliability – user profile data should be reliable. Especially if used to control access to data or resources

• Usability – multiple logins over multiply systems might not be the best idea

• Efficiency – using an identity management system can decrease costs and improve productivity for both users and administrators

• Scalability – the management system used must be able to scale to support the data, systems and peak transaction rates

Identity Management Challenges

• Principals• Insiders – employees and contractors• Outsiders – customers, partners, vendors, etc.

• Data – different types of data about principals must be managed• Personal, legal and access control• Some of this data might have regulatory requirements

• Life Cycle• Initial setup – when user joins• Change and maintenance – routine pw change, name changes, etc.• Tear-down – when user leaves

Identity Management Technologies

• Web Access Management (WAM)

• Password management

• Account management

• Profile update

Access Control Technologies

• Single sign-on

• Kerberos

• SESAME - protocol developed by the European Union. Also known as SSO

• Web Portal Access

• Directory services

• Security domains

Domain Objectives

Access to Data

• Mandatory• Temporal• Discretionary• Role• Rule• Content• Privacy

• List• Matrix• Capabilities• Non-discretionary• Constraints• Centralized• Decentralized

Implementations Descriptions

Access Control Lists (ACL)

• Most common implementation of Discretionary Access Control (DAC)• Provide easy method to specify which users are allowed access to which

objects

• Objects/subjects• Files/users• O.S. dependent

• Each OS has its own way of representing ACLs.• UNIX – 3 subjects: owner, group and world w/ 3 permissions: Read ,Write,

Execute• ACL support in Linux is available for Ext2, Ext3, IBJ JFS, ReiserFS and

SGI XFS• Microsoft has unlimited # of subjects and 26 permissions

Centralized/Decentralized Access Control

• Centralized access control – one entity makes network access decisions. Owners decide which users can access specific objects and the administration supports these directives.• RADIUS• TACACS+• Diameter (RADIUS base but enhanced to overcome inherent limitations)

• Decentralized access control – decisions and admin are implemented locally, allowing people closer to the resource security controls. • Often causes confusion because it can lead to non-standardization,

overlapping rights, etc.• P2P

Domain Objectives

Intrusion Detection Systems

• Network Based• NIDS

• Host-Based• HIDS

• Application-Based• AIDS• APIDS

• = Packet

• = Permission

• =Process

Intrusion Prevention Systems

• Host-based

• Network-based

• Content-based

• Rate-based

• KPI (Key Performance Indicator) - measure effectiveness

Analysis Engine Methods

• Pattern or signature-based• Pattern matching• Stateful matching

• Anomaly-based• Statistical• Traffic• Protocol

• Heuristic scanning

IDS/IPS Examples

• Anomaly• Multiple failed logins• User logged in at unusual times• Unexplained changes to system clocks• Unusual number of error messages• Unexplained system shutdowns/restarts

• Response• Dropping suspicious packets• Denying access to suspicious users• Reporting suspicions to other system hosts/firewalls• Changing IDS configurations

• Alert• IM• Email• Pager• Audible alarm

Domain Objectives

Access Control Assurance

• Audit trail monitoring

• Vulnerability assessment tools

Penetration Testing Overview

• Definition

• Areas to test

• Methods of testing

• Testing procedures

• Testing hazards

Areas to Test

• Application security

• Denial of Service (DoS)

• War dialing

• Wireless penetration

• Social engineering

• PBX and IP telephony

Penetration Testing Methods

• Attack perspectives• External• Internal

• Attack strategies• Zero-knowledge• Partial-knowledge• Full-knowledge• Targeted• Double-blind

Testing Steps

• Discovery

• Enumeration

• Vulnerability mapping

• Exploitation

Testing Hazards and Reporting

• Production interruption• Application abort• System crash

• Documentation• Idetified vulnerabilities• Countermeasure effectiveness• Recommendations

• KPI – Key Performance Indicators

Access Control Domain Summary

Business Continuity and Disaster Recovery Planning

Domain Objectives

• Business Continuity Management (BCM) Project Planning

• Understanding the Organization• Recovery Strategy Selection• Creating the Plan(s)• Developing and Implementing Response• Testing, Update, and Maintenance of the Plan

Planning Should Occur BEFORE You Need It

BS 25999: Business Continuity Management

• Risk Management

• Disaster Recovery

• Facilities Management

• Supply Chain Management

• Quality Management

• Health & Safety

• Knowledge Management

• Emergency Management

• Security

• Crisis Communications and PR

Information Security Priorities

• Keeping CRITICAL products and services going

• Availability• Integrity Out of Business!!!• Confidentiality

• What should be done in a crisis when most controls are missing?

The Business Continuity Life Cycle Overview

• Analyze the business

• Assess the risks

• Develop the BC strategy

• Develop the BC plan

• Rehearse the plan

BCM Project Management

• Senior management support

• Policy• Access to key personnel• Budget

• Immediate and ongoing budget

BCM Project Management

• Project management

• Scope• Timelines• Deliverables• Team members• Tools

Initiating BCP

• Awareness, data and implementation

• Staff and budget

• Result must be a long-term, sustainable program

• Review progress monthly (suggestion)

Documentation• Review current BCP, if available• Documentation may not equal capability• Staff must be trained to use any necessary software• Types of BCM document

• Policy, including scope and principles• Business impact analysis• Risk and threat assessment• Strategies, including (if able) papers supporting the choice of strategies

adopted• Response plans• Test schedule and reports• Awareness and training program• Service level agreements with customers and suppliers• Contracts for 3rd party recovery services such as workspace and salvage

• Review/update as directed by policy

Domain Objectives

• Business Continuity Management (BCM) Project Planning• Understanding the Organization• Recovery Strategy Selection• Creating the Plan(s)• Developing and Implementing Response• Testing, Update, and Maintenance of the Plan

Understanding BCM Priorities

• Business priorities

• Policy/culture

• Critical services and products

• Legal and regulatory requirements

Risk Assessment and Management

• Management is often NOT an IT person. Might have different priorities

• Risk management versus business continuity planning• Risk management – tactical• Business continuity – strategic • Coordination between risk assessment and business impact

analysis

• Purpose of risk management?

Threat Identification• Natural/environmental

• Human/man-made

• Utility

• Supply chain

• Equipment

• Facility

• Loss of key personnel

Understanding the Organization

• Business Impact Analysis (BIA)• Benefits• Objectives

• Indicators of critical business functions• Time sensitivity• Data integrity• Classification

Business Impact Analysis

• Identifies, quantifies, and qualifies loss over time

• Business impact analysis process• Workshops• Questionnaires• Interviews• Observation

Business Impact Analysis

• Business justifications for budget

• Maximum Tolerable Downtime (MTD)/ Maximum Tolerable Period of Downtime/Disruption (MTPD)

• Recovery Point objective (RPO)

• Document dependencies• Third party dependencies and liabilities• Service level agreements

Incident Readiness & Response

• Planners become leaders

• Be prepared

• Triage

• Incident management

• Success = return to operations

• Application of lessons learned

Continuity Requirement Analysis

• Identify supporting activities and resources

• Outcomes feed BCP strategy selection

• Reviewed with BIA

Domain Objectives

Determining Recovery Strategy

• Determining BC strategies

• Strategy options• Data

• Activity continuity options

• Resource-level consolidation

Determining Recovery Strategy

• High-level strategies – purpose is to ensure overall continuity strategy appropriately supports the delivery of orgs products/services

• Recovery Time Objective (RTO) < Maximum Tolerable Downtime/Disruption (MTPD)

• Separation distance – how far away is recovery site

• Cost/benefit analysis – best strategy is often determined by cost

• Address specific business types• Different business functions have different recovery solutions

Recovery Alternatives

Alternative Description Readiness Cost

Multiple processing/mirrored site

Fully redundant identical equipment & data

Highest level of availability & readiness

Highest

Mobile site/trailer Designed, self-contained IT & communications

Variable drive time; load data, & test systems

Hot site Fully provisioned IT & office, HVAC, infrastructure, & communications

Short time to load data, test systems. May be yours or vendor staff

Warm site Partially IT equipped, some office, data & voice infrastructure

Days or weeks. Need equipment, data, communications

Moderate

Cold site Minimal infrastructure, HVAC

Weeks or more. Need all IT, office equipment, & communications

Lowest

Processing Agreements

Agreement Description Considerations

Reciprocal or Mutual Aid Two or more organizations agree to recover critical operations for each other

Technology upgrades/obsolescence or business growth. Security and access by partner users.

Contingency Alternate arrangements if primary provider is interrupted, i.e., voice or data communications

Providers may share paths or lease from each other. Question them

Service Bureau Agreement with application service provider to process critical business functions

Evaluate their loading, geography and ask about backup mode.

Remote Working Arrangements Ability to telecommute or work from home

Sensitive data controls, unauthorized equipment

Domain Objectives

Business Continuity Plan

• Master Plan

• Modular in design

• Executive endorsement

• Review quarterly

BCP Contents

• When will team be activated?

• How will the team be activated?

• Where will everyone meet?

• Is there an Action Plan/Task List?

• Is there any reporting? If so, to whom?

BCP Contents

• Responsibilities of the team or specific individuals

• Liaising with emergency services (fire, police, ambulance)• Receiving or seeking information from response teams• Reporting information to the incident management team• Mobilizing third-party suppliers of salvage and recovery

services• Allocating available resources to recovery teams• Location/mobilization instructions

Developing Response Plans

• Incident response structure - plans that answer “What do we do now?” Emergency response procedures, Personnel notification, Backup and offsite storage, Etc.

• Emergency response procedures• Personnel – executive succession plan, executive crisis

management roles, BC coordinator and teams, notification lists, PR• Communications – emergency systems, business systems

communications and networks• Alternate site considerations – utilities, communications,

environmental protection, workspace protection• Logistics and supplies – personnel and materials transport,

personnel support and welfare, remote worker activation, emergency funds, protection against fraud and looting, safety and legal issues, escalated management authority

Creating Recovery Plans

• Recovery procedures

• Recovery priorities

• Activation of alternate site or processes

• Data recovery

• Business resumption plan

Creating Disaster Recovery Plans

• Disaster recovery• Recover out to the alternate – MOST critical first• Recover back to the primary – LEAST critical first

• Responsibilities and authority• Outlines what needs to be done• Outlines who will do the work• Since this may be happening at the same time as

the incident, recovery should be done (if possible) by a different team comprised of technical experts and system engineers who can rebuild the failed systems

Creating Restoration Plans

• Rebuilding of primary site• Facility restoration

• System restoration• Priorities• Data synchronization

• Salvage

• Closure of alternate site

Topics to Address in Plans

• Equipment• Procurement (vendor agreement)

• Facilities• Environmental controls• Fire and water protection

• Personnel

Topics to Address in Plans

• Data• Offsite storage requirements

• Utilities

• Communications

• Logistics and supplies

Resource-Level Consolidation

• Consolidation plan

• Availability of solutions

• Consolidate, approve and implement

• Outcomes and deliverables

Domain Objectives

Incident Response Management

• Strategic Level: Incident Management Plan (IMP) – defines how the strategic issues of a crisis will be managed by chief executive/senior managers. May include crises that do not result in interruptions (hostile takeover, media exposure, etc.).

• Tactical Level: Business Continuity Plan (BCP) – addresses business disruption, interruption, or loss from the initial response till normal business resumes.

• Operational Level: Activity Resumption Plans – provide plans for resuming normal business functions. Might provide logical and technical structure for restoring services or use of alternate facilities.

Implementing Incident Management

• Crisis management

• Rapid response is critical• Triage (alerts)• Notification• Health and safety of personnel (people first)• Escalation

• Executive succession

Initial Assessment

• Damage assessment

• Declaring a disaster

• Mobilization of response teams

• Permanent and virtual teams

Documentation and Communication

• Documentation of the incident

• Feedback and analysis

• Communications

• Public relations

Domain Objectives

Testing the Program

• Find the flaws

• Outsourcing

• Timetable for tests

• Designing a test

• Define success/failure BEFORE test begins

Testing Types

Types Process Participants Frequency Complexity

Desk check• Check the contents of the plan• Aid in maintenance

Author Often LOW

Walk through• Check interaction and roles of participants Author and main

people

Simulation• Includes: business plans, buildings and

communicationMain people and auditors

Parallel testing

• Moves work to another site• Recreates the existing work from the displaced site

Everyone at test location

Full Interruption

• Shuts down and relocates all work Everyone at both locations

Seldom HIGH

Testing BCP Arrangements

• Test, rehearsal and exercise

• Combining individual tests to ensure complete coverage

• Stringency, realism, and minimal exposure• Risks of testing

• Scope and documentation of a test

• Outcomes

Embedding BCP into the Organization

• Assessing level of awareness and training• Develop levels of training for individuals

• Developing BCP within the culture• Educate employees not only of what they are supposed to do

but WHY they are doing it that way

• Monitoring cultural change• Get feedback. Sometimes the best solution to a problem will

come from the most unexpected person

Specialized Training Needs

• EOC (Emergency Operations Center)

• Specialized skills• Forensic• Interviewing• Technical• Crisis management• PR• Etc.

Maintaining BCP Arrangements

• Ready and embedded

• Aligned with change-management procedures

• Owners keep information current

• Documented

• Review as needed

BCP Maintenance

• Updating

• Annual review – at a minimum• Subsequent to tests – to immediately identify fail points and

needed changes• Response to audits – to address issues found• Version control – to insure everyone is working off the most

current plan• Distribution of plan – to insure everyone is working off the most

current plan

Reviewing BCP

• Audit

• Independent BCP audit opinion

• As directed by audit policy

Factors for BCM Success

• Supported by senior management

• Everyone is aware

• Everyone is invested

• Consensus

Business Continuity and Disaster Recovery PlanningDomain Summary

Cryptography

Domain Objectives

• Definitions• History• Uses• Cryptographic Methods• Encryption Systems• Algorithms• Cryptanalysis and Attacks• Implementations

Concepts and Definitions

• Cryptology – the study of cryptography and cryptanalysis• Cryptanalysis – practice of defeating the protective properties of

cryptography. Reading protected info, altering messages or integrity values and violating authentication. The practice of testing cryptographic algorithms to determine their strength or resistance to compromise.

• Cryptography – from Greek words “kryptos” (hidden) and “graphia” (writing). Mathematical manipulation of information to prevent the information from being disclosed or altered.

Basic Goals of Cryptography

• Confidentiality – prevent unauthorized people from being able to detect or understand a message

• Integrity – detect if a message has been tampered with or corrupted• Authenticity – ensure that message has been sent to correct person

and in correct order, including prevention of replay attacks• Non-repudiation – sender cannot deny sending• Access control – encrypted passwords, token-based access control

devices provide protection for systems and applications• Make compromise difficult – make the attack either too expensive or

too time-consuming to be worth the effort

Concepts & Definitions

• Cryptosystem – device or process used to perform encryption and decryption operations

• Plaintext/Cleartext – human readable message• Ciphertext/Cryptogram – enciphered, encrypted, or scrambled

message• Cryptographic Algorithm – mathematical function that determines the

cryptographic operations• Cryptovariable (key) – often secret value used to transform the

message in the encrypted message• Key Space – total number of keys available to the user of a

cryptosystem

Concepts & Definitions

• Encrypt/Encipher – scrambling a plaintext message by using an algorithm, usually in conjunction with a key

• Encode – similar to enciphering or encrypting except that it does not use a key

• Decipher/Decrypt/Decode – descrambling an encrypted message and converting it to plaintext

Basic Transformation Techniques

• Substitution – change value, not position.• Transposition/Permutation – change the relative position of values

without replacing them (bit-shuffling)• Compression – change position, not value. Decrease redundancy

before plaintext is encrypted. Used to save on bandwidth and storage.• Entropy – maximum amount of compression that can be applied

• Expansion – typically used to increase the size of plaintext to match the size of keys or subkeys

• Padding – adding additional material to plaintext before encrypting. Addresses weaknesses in an algorithm and foils traffic analysis

XOR – Exclusive Or

• Fast arithmetic function used in many computer operations

• Binary math

• Add two values• If both input values are the same the output is a Zero (i.e., 1+1=0;

0+0=0)• If the input values are different the output is a One (i.e., 1+0=1;

0+1=1)

Keys and Cryptovariables

• Key management – refers to the principles and practices of protecting the keys throughout the lifecycle• Key expiry/cryptoperiod – keys should be changed on a regular basis. Length of time should be based on

algorithm and level of protection required• Key mixing/Key schedule – DES nominal length 56 bits (actual length 64 but 8 used for parity), does 16

rounds of substitution and transposition and uses 48 bits of the key. Generates new 48 bit key from original 56 bit. AES uses key schedulers to generate completely new keys from the original key for each round.

• Keystreams – pseudo-random sequence that is generated from the input key and mixed with the input message.• Synchronous – keystream is generated based on original key, bit-by-bit, in sync with plaintext• Non or self-synchronous – keystream is generated based upon previously generated ciphertext and

cryptovariable• Key storage – key must be protected in transit and storage• Key clustering – term used to represent a weakness that exists in a cryptosystem if two different keys

generate the same ciphertext from the same plaintext

Initialization Vector (IV)

• Encrypting similar messages will create patterns of ciphertext even when using different keys. Predictability is an enemy of cryptography.

• An IV is a random value added to the plaintext message before encrypting so that each ciphertext will be substantially different.

• The recipient will also need the IV to decrypt the message

Work Factor

• An estimate of the effort/time needed to overcome a protective measure by an attacker with specified expertise and resources.

• Commonly used as a way to measure the amount of resources that would be required to brute-force an algorithm or cryptosystem.

• System is said to be broken when there is a way to decrease the work factor to a reasonable level.

• All cryptosystems will be crackable eventually. Objective is to use a system that is computationally infeasible to crack.

• Work factor has nothing to do with normal encryption/decrytion

Kerckhoff’s Principle

• States that the strength of a cryptosystem is based on the secrecy of the key and not on the secrecy of the algorithm.

• Work factor for the cryptanalyst is the effort required to determine the correct key.

• Key length is the primary method used to determine the strength of the cryptosystems.

• Brittleness – measure of how badly a system fails. A resilient system is dynamic and designed to fail only partially or degrade gracefully. In general, automated systems which only do one thing are be definition brittle.

• “Security by Obscurity” – concept that system is secure as long as no one outside the “group” is allowed to find out anything about its internal mechanisms.

Key Algorithms

• Symmetric key – same key used for both the encryption and decryption operation

• Asymmetric key – pair of mathematically related keys (A and B) used separately for encryption and decryption

Certificates

• Certificate proves who owns a public key• Digitally signed, special block of data that contains public key

and identifying information for the entity that owns the private key

• Issued by a Certification Authority (CA) – trusted entity or 3rd party that issues and signs public key certificates, attesting to the validity of the public key.

• Registration Authority – is the primary organization that verifies a Certificate Applicant’s information and identity. Works with CA to verify applicant’s information before issuing a certificate

Hash Functions

• Message integrity

• Computed value for a message, program, data, etc to be transmitted or stored

• One way function

• Cannot decrypt/reverse a hash

Digital Signatures

• Message Integrity and Proof of Origin• Proves message has not been altered• Proves who sent the message • Created by encrypting a hash of the message with the private

asymmetric key of the sender. Creates a signed hash that can only be unlocked using the public asymmetric key of the sender.

• Reason for signing the hash of the message instead of the message is that asymmetric algorithms tend to be very slow and computationally intensive to use. So signing the hash saves time and money.

Domain Objectives

Historical Development

• Cryptographic techniques• Manual – cryptographic methods performed by hand using a variety of

tools (still used on some one-time pads)• Mechanical – use of mechanical tools to perform encryption and

decryption (cipherdisk)• Electro-mechanical –use of electro-mechanical devices (Enigma

machine)• Electronic – computer based tech used to perform complex and secure

cryptographic operations (software and hardware based algorithms – AES, RSA, etc.)

• Quantum cryptography – using single photon light emissions to provide secure key negotiation

Domain Objectives

Uses of Cryptography

• Protecting information

• Transit• Email, VPNs, e-commerce, VOIP, etc.

• Storage• Disk encryption

• System access• Passwords, remote login

Domain Objectives

Making Secure Algorithms

• Problems – simple systems are not very secure• Discernible – if you know the language of the original message, “frequency

analysis” can be performed• Redundancies – make the cryptoanalyst’s job easier• Statistical patterns – can be revealed in ciphertext if algorithm doesn’t obscure

• Solutions• Confusion – principle of hiding patterns in the plaintext by substitution• Diffusion – act of transposing the input plaintext throughout the ciphertext so that

a character in the ciphertext would not line up directly in the same position in the plaintext

• Avalanche – achieved with plaintext bits affect the entire ciphertext so that changing one bit in the plaintext would change half of the entire cipher text

Stream Ciphers

• Keystream• Statistically unpredictable and unbiased• Not linearly related to the key

• Operates on individual bits or bytes

Uses of Stream Cipher and Stream-Mode Block Ciphers

• Wireless

• Audio/video streaming• SRTP (Secure Real-time Transport Protocol)

Block Cipher

• Blocks of plaintext are encrypted into ciphertext blocks• Multiple modes of operation

• Variable key size, block size, rounds

Block Cipher Uses

• Data transport – SSL, TLS. Both protocols can use AES and Triple DES. IPSec based VPNs also use block ciphers to encrypt communication between endpoints

• Data storage – even though block ciphers take more time, used because of their greater ability to frustrate cryptanalysis. TrueCrypt is an example of block cipher used to encrypt data

Domain Objectives

Simple Substitution Ciphers

• Substitution of one value for another

• Caesar Cipher• Shift alphabet (by 3)

• A B C D E F …. FACE• D E F G H I …. IDFH

• Scramble alphabet• A B C D E F …. FACE• Q E Y R T M …. MQYT

• Vulnerable to frequency analysis

Simple Transposition/Permutation

• Columnar – rearranging the message in a table

• Plaintext “This is an example of transposition”

• Cipher “tsaoni hamfst inptpi selroo ixeasn”

• Key: grid shape & reading direction

• Example: the Spartan Scytale

T H I S I

S A N E X

A M P L E

O F T R A

N S P O S

I T I O N

Polyalphabetic Ciphers

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

1 Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

2 Y Z A B C D E F G H I J K L M N O P Q R S T U V W X

3 X Y Z A B C D E F G H I J K L M N O P Q R S T U V W

4 W X Y Z A B C D E F G H I J K L M N O P Q R S T U V

• Encrypt the plaintext FEEDBACK using a key of 3241• Try encrypting your name

Running Key Ciphers

• Done by using the numerical value of letters in the plaintext and is coded and decoded by using a copy of the text in a book as the key.

• Sender and recipient determine the key by agreeing on a point in the book (i.e. page number) from which to start the encryption.

• Key would “run” as long as the plaintext, and the value of each letter of the key would be “added” to the value of each letter of the plaintext.

• If total of the two letters is greater than 25, then 26 would be subtracted from the result. The combined value of the letters would be the value of the ciphertext letter.

One-Time Pads (OTP)

• Truly random key values

• Both sides have same pad of key values

• Keys are only used once

• Unbreakable algorithm• Mathematically proven that it can never be broken

Steganography

• The art of hiding information• Plaintext hidden/disguised• Prevents a third party from knowing that a secret

message exists• Traditionally accomplished in a number of ways:

• Physical techniques• Null ciphers

Image-Based Steganography

Original image Stegged image

File size is identical (260 kb)If hashed, values would be different

Watermarking/Rights Management

• Digital watermarking – similar to physical watermarking. Either visible or invisible markings embedded within a digital file to indicate copyright or other handling instructions, or to embed a fingerprint to detect unauthorized copying and distribution of images.

• Digital Rights Management/Digital Restriction Management (DRM) – extends digital watermarking in order to place strict usage conditions on the display and reproduction of digital media.

Domain Objectives

Modes of Symmetric Block Ciphers

• Block Modes• Electronic Code Book (ECB)• Cipher Block Chaining (CBC)

• Stream Modes• Cipher Feed Back (CFB)• Output Feed Back (OFB)• Counter (CTR)• Counter with CBC-MAC (CCMP)

Electronic Code Book (ECB)

• Each block of plaintext is encrypted independently using the same key

Cipher Block Chaining (CBC)

• The first plaintext block is XOR’d with an Initialization Vector (IV)• Result is ciphertext is chained into the next plaintext block

Cipher Feed Back (CFB)

• Similar to CBC• IV is encrypted and then XOR’d with the first plaintext block

Output Feed Back (OFB)

• Operates very much like CFB• Only the RESULT of encrypting the IV is feed back to the next

operation

Counter (CTR)

• Similar to OFB• Counter value is used instead of an IV

Counter With CBC-MAC (CCMP)

• Provides confidentiality and authenticity• Works with 128 bit block size• Mandatory in 802.11i• Adds one more block for confidentiality• Counter mode lacks integrity. CCMP solves that problem.

DES – Data Encryption Standard• DES

• 56 bit key• 16 rounds of transposition and substitution• Fixed 64 bit block size

• Double DES (DDES)• Uses two 56 bit keys• Message is encrypted by one key and re-encrypted by the second• Was thought to provide 112 bit cipher but was successfully attacked by the

“meet-in-the-middle” analytic attack• Triple DES (TDES)

• Input data is encrypted three times• Strength depends on the mode of the operation picked and the number of

keys being used• Effective key size is 168 bit

AES – Advanced Encryption Standard

• Based on Rijndael algorithm• Developed by Daemen and Rijmen in 1998

• Block sizes: 128, 192, and 256

• Variable number of rounds

• Variable key size

Other Block Ciphers

• RC5 and RC6

• Blowfish

• Twofish

• CAST

• SAFER

• Serpent

• Symmetric stream cipher

• Arbitrary key size

• Many applications

Strengths & Weaknesses – Symmetric Ciphers

Strengths• Fast• Difficult to crack• Algorithms and tools freely

available• Stream ciphers ensure highly

efficient serial communications• Block ciphers offer multiple

Weaknesses• A different form of key

negotiation/ exchange/ distribution must be used

• Poor scalability• Limited security• On noisy channels, error

correcting is a must

Asymmetric Key Cryptography

• Diffie-Hellman, 1976

• Public key cryptography

• Uses a pair of mathematically related keys• Private key• Public key

Public Key Algorithms

• Ensures confidentiality• Encrypting message with the receiver’s public key provides confidential transmission of

the message because the only key that can open the message is the corresponding private key of the recipient

• Ensure proof of origin• When a message is encrypted (signed) with the sender’s private key, the recipient can

verify the source of the message because the message can only be opened with the sender’s public key

• Confidentiality and proof of origin• Double encrypting a message with the private key of the sender and then with the

public key of the receiver will provide both confidentiality and proof of origin

RSA Algorithm• Rivest-Shamir-Adleman, 1977

• Encryption• Digital signatures• Key distribution

• Adjustable key size• PKCS#1 is the implementation of the algorithm. Currently in V2.1• How does it work?

• Find 2 prime numbers and call them p and q• Multiply them and call the result n• Choose a public value less than n relatively prime with (p-1) and (q-1) and call it e• Find d such that e*d=1 mod (p-1)*(q-1)• Make n and e PUBLIC, and keep d, p and q SECRET• To encrypt message m, ciphertext c = me mod n• To decrypt, m = cd mod n

Other Algorithms

• Diffie-Hellman Key Exchange Protocol• Perfect Forward Secrecy (PFS) – principle used in D-H that even if 2

private keys are used in negotiating a secret value (shared secret), and one of those private keys is later compromised, it will not be possible to determine either the secret key or the other private key from the compromised private key

• Diffie-Hellman Groups – determine the length of the base prime numbers that will be used in calculating the key pairs.

• STS/Unified Diffie-Hellman – one weakness of D-H was the man-in-the-middle attack. This led to development of the Station to Station (STS) key agreement protocol by Diffie, Van Oorscht and Weiner in 1992.

• Menzies/Qu/Vanstone• Elgamal – retired• Elliptic Curve Cryptography (ECC) – fewer bits. Extremely slow

Knapsack Algorithms

• Merkle-Hellman knapsack• Developed in 1978

• Chor-Rivest knapsack• Developed in 1984 and revised in 1988

• Both schemes have been broken

Asymmetric Key Cryptography

Strengths• Confidentiality/privacy• Access control• Authentication• Integrity• Non-repudiation

Weaknesses• Computationally

intensive• Very slow

Common Hash Functions

• Message Digest• MD2, MD4, MD5

• Secure Hash Algorithm (SHA)• SHA-1 (160 bit), SHA-256, SHA-384• SHA-512 (best practice)• SHA-3

• HAVAL• RIPEMD• Tiger• WHIRLPOOL

Hash Function Characteristics

• Condensed representation of the message

• One-way function

• Non-linear relationship

• Hash calculated from whole, original message

Keyed Hashes (SALT)

• Basic hash can be intercepted and changed

• To solve that problem, mix a HASH algorithm with a pre-shared key

• Adversary would need to know the key to create a collision

• Implemented in IPSec for integrity checking of both ESP (Encapsulating Security Payload) & AH (Authentication Header)

Digital Signatures

• (Asymmetric cryptography) + (Hash of message)• Only authenticity and non-repudiation (not confidentiality)• Legality – if the encryption is intact and the private key is held by the

rightful owner, it must be accepted by all parties in the transaction.• American Bar Association has developed guidelines for accepting digital

signatures that have been adopted in some US states and other countries• Not accepted globally for transactions and specifically not for

high-dollar/high-risk situations• Examples

• DSA, RSA, Elgmal, Schnorr, ECC

Digital Signatures Uses

• E-commerce• Non-repudiation of origin (with private key)

• Integrity of message (with private key encrypted hash)

• Software distribution (integrity and non-repudiation)

• Email and secure document distribution

Key Management Challenges

• Greatest challenge with secure cryptographic implementation is the management of the keys. Keys must be kept secret. Yet, they must be available when needed. Even OLD keys have to be kept to decrypt old backup files or data.

• Key distribution

• Key storage

• Key change• Expire – how long to use a key

Functions of Key Management

• Operations• Dual control – require the active participation of 2 or more. No one

person can misuse.• Threshold schemes – require more than one person to successfully

complete the task

• Key recovery• Split knowledge – 2 or more people have info about the key. Must be

combined to work.• Multi-party key recovery – break the key into 3 or more parts and each

part go to a different person.• Escrow – Key held

• Creation

• Automated key generation – prevents user bias and provides quick key production

• Truly random – only true random generators are things like radioactive decay, noisy diodes, etc. Computers produce pseudo-random.

• Suitable length – generators must generate enough bits for a complete key. Generating 64 bits and concatenating them does not make them 128.

• Key encrypting keys (KEK) – keys used to encrypt other keys. Care must be taken to ensure that the data used to generate the KEK is NOT related to the keys being produced.

• Distribution• Out of band – does not guarantee security delivery, but it increases its likelihood• Public key encryption – most common solution

• Secret key construction – using D-H (or similar), exchange values online that generate a new secret key

• Secret key delivery – using RSA (or similar), party encrypts secret key with receiving party’s public key.

• Key distribution center – think Kerberos• Certificates – used to distribute public keys

• Storage• Trusted hardware – hardware evaluated (typically) by FIPS 140-2 or Common

Criteria• Smartcard – non-volatile storage

Public Key Infrastructure (PKI)

• Binds people/entities to their public keys

• Prevent Man-in-the-Middle attack

• Public keys are published and are certified by digital signatures

Strong Cryptographic PKI Solutions

• Use evaluated solutions• High work factor• Publicly-evaluated cryptographic algorithms• Training• Import and export of cryptography

• Wassenaar Agreement – is an agreement between several countries that governs the movement of cryptographic algorithms between those countries. The restrictions are usually based on key length and whether the product is commercially available

• Law enforcement issues

Certificates and CAs

• Certificates link a public key to its owner• Classes of certificates

• Certification Authorities (CAs)• Registration Authority (RA)

• Cross-certification• Certificate Revocation Lists (CRLs)

• Online Certificate Status Protocol (OCSP)• X.509

Domain Objectives

Cryptanalysis

• Art and science of breaking codes• Attack vectors

• Key• Algorithm• Implementation• Data (ciphertext or plaintext)• People – social engineering

• Assumptions

Brute Force Attack

• Trying all possible key combinations• Two factors: cost and time

• Moore’s Law• Processing speed doubles every 18 months for the same

price• Advances in technology and computing performance will

always make brute force an increasingly practical attack on keys of a fixed length

• Measured in MIPS per year – 1 computer running 1,000,000 calculations per second for a year

Brute Force Attack

Bits Number of keys Brute Force Attack Time

56 7.2 x 10^16 20 hours

80 1.2 x 10^24 54,800 years

128 3.4 x 10^38 1.5 x 10^19 years

256 1.15 x 10^77 5.2 x 10^57 years

Bits Number of keys Brute Force Attack Time56 7.2 x 10^16

80 1.2 x 10^24

128 3.4 x 10^38

256 1.15 x 10^77

• Data shown is as of 1998 when “Deep Crack” was used in RSA DES challenge.

• Cost $250,000 to build. Today the same thing can be done for under $10,000.

• With today’s tech, can break DES in 8.7 days or less for under $10,000.

Plaintext Attacks

• Known plaintext attack – attacker has both the plaintext and ciphertext. Uses analysis to try to determine key.

• Chosen plaintext attack – attacker has access to the crypto machine. Runs plaintext through machine to get encrypted data. Uses statistical information to try to determine key.

• Adaptive chosen plaintext attack – attacker has encryption device for more than one message. Patterns may emerge if the attacker puts similar texts into the device

Ciphertext Attacks

• Ciphertext only – assume attacker has samples of encrypted text but not the algorithm, key or system. Most difficult attack because the attacker has the least to work with.

• Chosen ciphertext attack – attacker has access to ciphertext and system used to generate. Attacker can run pieces of ciphertext through to obtain the plaintext. Leads to Known Plaintext Attack or Differential or Linear Cryptanalysis attack.

• Adaptive chosen ciphertext attack – attacker has access to the cryptosystem and can now modify and run ciphertext through the system to see what the effect of the modification is on the plaintext.

Attack Against Ciphers

• Stream• Frequency analysis – knows characteristics of plaintext language• IV or keystream analysis – examines large numbers of generated IVs for

weaknesses, statistical biases, etc.

• Block• Linear cryptanalysis – large amounts of plaintext and associated ciphertext to find

info about the key• Differential cryptanalysis – 2 or more similar plaintexts are encrypted using same

key and compared• Linear-differential cryptanalysis – combo of linear and differential• Algebraic attacks – examines the algorithm• Frequency analysis – uses the statistics of the language to break a ciphertext

Attacks Against Hash Functions

• Dictionary Attacks• Based on known lists of common words

• Birthday attacks – group of 23 people, 50% chance 2 will have same birthday. 60 people, 99% chance. Relevant because it describes the amount of effort that must be made to determine when 2 randomly-chosen values will be the same (collisions). Weak hash causes many collisions

• Attack the hash value• Attack the initialization vector

• Rainbow table attacks• Hash reductions• Salts

Social Engineering

• Persuasion

• Coercion (rubber-hose cryptanalysis)

• Bribery (purchase-key attack)

Other Common Attacks

• Meet-in-the-Middle• Mathematical analysis that attacks a problem from both ends and

attempts to find the solution by working toward the center of the operation from both sides.

• Man-in-the-Middle• Attacker intercepts and modifies the data before transmitting to

intended person.

• Poor Random Number Generation

Domain Objectives

Common Secure Email Protocols

• Privacy Enhanced Mail (PEM)• Uses DES in Cipher-Block-Chaining (CBC) mode for confidentiality• Can also use Electronic Code Book (ECB) or 3DES for key

management • For message integrity it uses either MD2 or MD5 hash• Not compatible with Multipurpose Internet Mail Extensions (MIME) so

not often used• Pretty Good Privacy (PGP)

• Uses symmetric and asymmetric key cryptography• Can use RSA, D-H, and Elgamal for asymmetric key

• Secure Multipurpose Internet Mail Extensions (S/MIME)• De facto standard for email privacy

Internet Security

• Uses• Remote Access• VPNs• E-commerce

• Tools• IPSec• SSL/TLS• Secure HTTP• TLS

Cryptography Domain Summary

Information Security Governance and Risk Management

Domain Objectives

• Business Drivers• Governance

• Roles and Responsibilities• Security Planning• Security Administration

• Risk Management• Ethics

Information Security Environment

• Organizations must contend with complex laws, regulations, requirements, technology, competitors and partners while pursuing their business objectives.

• Management must take many things into account including moral, labor relations, productivity, cost, etc.

• Must develop an effective security program

• Overarching Organizational Policy• Management’s Security Statement

• Regulations• Competition• Organizational Objectives• Organizational Goals• Laws• Shareholders’ Interests

Information Security Triad

• Security planning• Budget

• Business requirements

• Security metrics

Domain Objectives

Roles and Responsibilities• Specific

• Delegate certain responsibilities for security to individuals• Define acceptable and unacceptable behavior

• General• Rules that let everyone know they are responsible for security

• Communicated at hiring• Tell new hires the rules and consider annual review

• Verified capabilities and limitations• Access to resources defined by job

• Third-party considerations• Brief vendors, temps, contract staff on security requirements

• Good practices• Keep it simple, relevant, understandable and communicate

• Reinforced via training• Annual security training

Internal Roles• Executive management

• set policy, allocate budget• Board level• “C” level

• Information systems security professionals• advise management

• Developers• create secure code

• Custodians and Operations staff• Custodians – care of data• Ops – run the computers

Internal Roles• Security staff• Data and system owners

• Classify • Access permissions

• Users• Task as assigned

• Legal, compliance, and privacy officer• Inform/implement laws/regs

• Internal auditors• Check on procedures

• Physical security• Is IT or traditional security responsible

External Roles

• Vendors/suppliers

• Contractors/consultants• Service level agreements

• Temporary employees

• Customers

External Roles

• Business partners

• Outsourced relationships• Outsourced security

• External audit

Human Resources

• Employee development and training

• Employee management

• Hiring and termination of employment

Hiring New Staff

• Background checks/security clearances

• Verify references and education records

Signed Employment Agreements

• Acceptable use

• Non-disclosure

• Non-compete

• Ethics

Personnel Good Practices

• Job descriptions/defined roles and responsibilities

• Least privilege

• Need to know

• Separation of duties

• Job rotation

• Mandatory vacations

Security Awareness, Training, and Education

• Awareness Training• Delivery methods General knowledge• Topics

• Job training• Task based

• Professional education• Understanding

Good Training Practices

• Be relevant

• Scope properly

• Address the audience

Domain Objectives

Documented Security Program

• Focus on the mission of the organization

• Organizations are different• Cost effective/risk based

Promiscuous 1

Permissive

Prudent

Paranoid 10

Documented Security Program

• Strategic• Long term planning• Decide on job to do

• Tactical• Medium term planning• Manage jobs being done

• Operational• Day to day operations• Job being done

Security Program Management

• Staffing• Not just workers but look at management• Evaluate numbers needed

• Reporting• Make sure everyone knows who they are to report to.

Understand chain of command/reporting

Security Blueprints

• Identify and design security requirements• Infrastructure security blueprints• Holistic

• By Scott Berinato and Sarah Scalet:• “Holistic security means making security part of everything

and not making it its own thing. It means security isn’t added to the enterprise; it’s woven into the fabric of the application. Here’s an example. The non-holistic thinker sees a virus threat and immediately starts spending money on virus-blocking software. The holistic security guru will set a policy around e-mail usage; subscribe to news services that warn of new threats; re-evaluate the network architecture; host best practices seminars for users; and use virus blocking software and, probably, firewalls.” (www.cio.com)

ISO/IEC 27000 Series = ISMS Blueprints

• 27000:2009 – Overview and vocabulary• 27001:2005 – Attainable certification• 27002:2005/Cor 1:2007 – Code of practice• 27003:2010 – ISMS implementation guidance• 27004:2009 – Information security measurement• 27005:2008 – Information security – risk management• 27006:2007 – Certification vendor process• 27799:2008 – Information security for health care

organizations

• ISO 27000 = IT Risk Management

IT Security Requirements

• Complete Security Solutions• Define security behavior of the control measure

• What is the problem you are trying to solve?• Provide confidence that security function is performing as

expected• Does it solve the problem?

• Does your solution• Solve the problem (best)• Move the problem (good)• Make it worse (bad)

Single Point of Failure

• Identify the processes

• Identify risks to the plan• Who has too much control

• Be prepared

Domain Objectives

Security Policy

• Management’s goals and objective IN WRITING

• Documents compliance

• Creates security culture

Examples of Functional Policies

• Data classification• Certification and accreditation• Access control• Outsourcing• Remote access• Internet acceptable use

• Privacy• Acquisition• Change control• Employment agreements,

ethics

• IMPORTANT• Say what to do NOT how to do it

Procedures

• Step by step actions

• Required

• Be detailed

Policy

Standard Baseline Procedures Guideline

Risk Assessment

IncidentManagement

IdentityManagement

SoftwareInstallation

Standards

• Common hardware and software products

Policy

Desktop Antivirus Firewall

Be decisive. Will say something like:• We [verb]• We drug test• We use Norton AV software

Baselines

• Establish consistent implementation of mechanisms• Platform unique• Know minimum and understand what is normal

Policy

VPNSetup

IDSConfiguration

PasswordRules

Guidelines

• Recommendations for implementations, procurement and planning

Policy

Recommendations BestPractices ISO

Good Policy?Area IV Buddy System Policy

THE AREA IV COMMANDER HAS DICTATED THAT ALL MILITARY SERVICE MEMEBERS WILL USE THE “BUDDY SYSTEM” AT ALL TIMES, WITH THE EXCEPTION BELOW WHEN OFF A MILITARY INSTALLATION.

THE “BUDDY SYSTEM” IS NOT REQUIRED, BUT HIGHLY RECOMMENDED FOR PERSONNEL TRAVELING DIRECTLY TO AND

FROM THEIR DOMICILE

ALL PERSONNEL WILL CARRY A S.O.F.A AND AN EMERGENCY TELEPHONE NUMBER CARD AT ALL TIMES.

LOCAL COMMANDERS MAY ENACT MORE STRINGENT MEASURES.

BY ORDER OF THE AREA IV COMMANDER

Domain Objectives

Risk Management Overview

• Identifying and reducing total risks

• Choosing mitigation strategies

• Setting residual risk at an acceptable level

• Integrating risk management processes into the organization

(Total risk) – (countermeasures) = (residual risk)

Risk Management Purpose

• The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission. Including, but not limited to its IT assets.

• Risk is a function of the likelihood of a given threat exercising a particular vulnerability and the resulting impact of that adverse event on the organization.

Risk Management Benefits

• Focuses policy and resources

• Identifies areas with specific risk requirements

• Directs budget

• Supports• Business continuity process• Insurance and liability decisions• Legitimizes security awareness programs

Risk Management Definitions

• Asset – something that is of value to the organization• Threat-source/agent – any circumstance or event with

the potential to cause harm to an IT system.• Threat – any potential danger to information or an

information system• Exposure – an opportunity for a threat to cause loss, or

the amount of loss suffered as a result of an attack• Vulnerability – flaw or weakness in system security

procedure, design, implementation, etc.• Likelihood – probability that a potential vulnerability

happens

Risk Management Definitions

• Attack/Exploitation – action intending to cause harm• Controls – admin, technical or physical measures and

actions taken to try to protect system• Countermeasures – controls applied after the fact;

reactive in nature• Safeguards – controls applied before the fact;

proactive in nature• Total Risk – included the factors of threats,

vulnerabilities, and current value of the asset• Residual Risk – amount of risk remaining after

countermeasures and safeguards are applied

Risk Assessment Steps: SP 800-30

1. System characterization2. Threat identification3. Vulnerability identification4. Control analysis5. Likelihood determination6. Impact analysis7. Risk determination8. Control recommendations9. Results documentation

Risk Assessment – Asset Valuation

• Tangible assets• Can buy/sell• Hardware, software, facilities, documentation,

customer lists, and intellectual property

• Intangible assets• Personnel, reputation/brand, and moral

Information Valuation Considerations

• Exclusive possession

• Utility

• Cost to acquire or create

• Liability

• Convertibility

• Operational impact

• Timing

Information/Risk Valuation Methods

• Modified Delphi

• Facilitated sessions

• Survey

• Interview

• Checklist

Quantitative Risk Analysis

• Assign Monetary values• Labor and time intensive• Difficult to achieve

• 100% quantitative is impossible. Why? There are always QUALITATIVE issues.

RISK = MONEY

Quantitative Analysis Steps - Overview

1. Estimate potential losses – single loss expectancy (SLE)

2. Conduct a threat likelihood analysis• Annualized rate of occurrence (ARO)

3. Calculate annual loss expectancy (ALE)

Step One: Estimate Potential Losses

Single Loss Expectancy (SLE)

SLE = AV ($) x EF (%)

AV (Asset Value)EF (Exposure Factor)

Step Two: Threat Likelihood Analysis

Annual Rate of Occurrence (ARO)

• Number of exposures or incidents that can be expected in a given year

• Likelihood of an unwanted event occurring

Step Three: Calculate ALE

Annual Loss Expectancy (ALE)

ALE = SLE * ARO

• Magnitude of risk = ALE• Purpose: Justify security countermeasures

Qualitative Risk Analysis

• Scenario oriented

• No $ values

• Rank seriousness of threats and sensitivity of assets

• Perform a carefully reasoned risk assessment

Hybrid Risk Analysis

• Quantitative

• Qualitative

• FMEA (failure modes and effects analysis)• Risk assessment originally concerned with manufacturing

defects• Focuses on the upstream and downstream impact of a

failure• Defines risk in immediate, near-term and long-term impact

• FTA (fault tree analysis)• Analytical technique for system safety• Used to consider all possible threats and then “trim” down to

the most relevant risks

Risk Management Options

• Acceptance = Absorb the effect of an incident

• Mitigation = Implement controls

• Transference = Insurance

• Avoidance = Stop it

Security Control Selection Principles

• Cost/benefit analysis• Don’t spend more to protect than it is worth

• Accountability• At least one person for every control• Include accountability in performance reviews

• Absence of design secrecy• Ability to change out the controls at some time in

the future without having extraordinary cost to rework, interoperability with other controls, confidence in the design

• Audit capability• Controls must be testable• Include auditors in design and implementation

• Vendor trustworthiness

• Independence of control and subject

• Universal application

• Compartmentalization

• Defense in depth

• Isolation, economy, and least common mechanism

• Acceptance and tolerance of personnel (pushback)

• Minimum human intervention

• Sustainability

• Reaction and recovery

• Override and fail-safe defaults

• Residuals and reset

Risk Evaluation and Assurance

• Cyclical nature of risk – U.S. and EU regulatory bodies have mandated risk management as a business process. Frequency for re-evaluation is based upon the speed of change in each industry or organization• Ongoing review• Periodic review

• Liability – management has the responsibility of remaining informed about risk management activities and to make the final decisions. If they fail to do so, they are potentially in violation of regulatory or industry standards. This is one of the reasons why internal auditors should report directly to senior executives rather than through the normal chain of command.

Domain Objectives

Ethical Environments

• Ethics are difficult to define• Do No Harm

• Begins with senior management

• Guidelines for Establishment of Ethics• Corporate ethics to include ethical use of computers• In functional policies (privacy, email, acceptable use, etc)• Active monitoring of network activities combined with responsible investigation of incidents

and enforcement• Handbooks and guides• Training• Reviews

Ethical Responsibility

• Global responsibility

• National

• Organizational

• Personal

Ethical Responsibility of all CISSPs

• “Set the Example” *********

• Encourage adoption of ethical guidelines and standards

• Inform users about ethical responsibilities through security awareness training

Basis and Origin of Ethics

• Religion• Law• National interest• Individual rights• Common good/interest• Enlightened self-interest• Professional ethics/practices• Standards of good practice• Tradition/culture

Formal Ethical Theories

• Teleology (Star Trek – needs of the many)• Ethics in terms of goals, purposes, or ends

• Deontology (duty of most powerful to protect least powerful)• Ethical behavior is a duty

• Informed consent – notified and agree

Relevant Professional Codes of Ethics

• (ISC)²

• RFC 1087

• Internet Architecture Board

(ISC)² Code of Ethics Preamble

• “Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.”

• “Therefore, strict adherence to this code is a condition of certification.”

(ISC)² Code of Ethics Canons

• “Protect society, the commonwealth, and the infrastructure.”

• “Act honorably, honestly, justly, responsibly, and legally.”

• “Provide diligent and competent service to principals.”

• “Advance and protect the profession.”

In that order

Internet Architecture Board (IAB)

Any activity is unethical and unacceptable that purposely:

• Seeks to gain unauthorized access to Internet resources

• Disrupts the intended use of the Internet

• Wastes resources (people, capacity, computer) through such actions

• Destroys the integrity of computer-based information

• Compromises the privacy of users

• Involves negligence in the conduct of Internet-wide experiments

RFC 1087

• Access and use of the Internet is a PRIVILEGE and should be treated as such by all users

• RFC 1087 refers to “Negligence in the conduct of Internet-wide experiments” as “irresponsible and unacceptable,” but does not specifically label such conduct “unethical”.

• Internet Engineering Task Force (IETF)• http://www.ietf.org/

Information Security Governance and Risk ManagementDomain Summary

Legal, Regulations, Investigations, and Compliance

Domain Objectives

• Computer Crime and International Legal Issues• Liability and Privacy Issues• Incident Management• Forensic Investigation• Compliance

International Legal Systems

• Common law• Criminal law• Civil law• Administrative law• Religious law• Customary law• Mixed law• Maritime law

Jurisdiction

• Law, economics, beliefs and politics• Law enforcement agencies will work together, even cross borders. But

sometimes countries don’t agree.

• Sovereignty of nations• Laws aren’t always the same country to country. Nations are making an

effort to harmonize their laws in order to promote uniform enforcement and cooperation where possible.

Computer Crimes vs. Traditional Crimes

Traditional Crime• Violent• Property• Public order

Computer Crime• Real property• Virtual property

Computer Crime

• Crime against a computer

• Crimes using a computer

• Electronic equipment as source of evidence

Reasons for Criminal Behavior

• Ego

• Financial gain

• Revenge

Advanced Persistent Threat (APT)

• Source – group with capabilities and intent to persistently and effectively target a specific entity

• Attack vector – infected media, supply chain compromise, social engineering, etc.

• Advanced – have full spectrum of intelligence gathering techniques at their disposal

• Persistent – priority to a specific task. Implies that they are guided by external entities.

• Threat – capability and intent. Coordinated human action instead of automation, specific objective. Skilled, motivated, organized and well funded

International Cooperation

• Initiatives related to international cooperation in dealing with computer crime

• The Council of Europe (CoE) Cybercrime Convention• Example of multilateral attempt to draft an international response to

criminal behaviors targeted at technology and the Internet.

Intellectual Property Protection

• Organizations must protect intellectual property• Theft• Loss• Corporate espionage• Improper duplication

• Intellectual property must have value• Organization must demonstrate actions to protect IP

Intellectual Property: Trademark

• Purpose of a trademark

• Characteristics of a trademark• Word• Name• Symbol• Color• Sound• Product shape

Intellectual Property: Copyright

• Covers the expression of ideas• Writings• Recordings• Computer programs• Etc.

• Weaker than patent protection

Intellectual Property: Trade Secrets

• Must be confidential

• Protection of trade secret

Intellectual Property: Software Licensing

• Categories of software licensing:• Freeware• Shareware• Commercial• Academic

• Master agreements and end user licensing agreements (EULAs)

Encryption Import and Export Law

• Strong encryption restrictions• Previously anything over 40 bits was considered strong encryption• U.S. companies can now export any encryption software to individuals,

commercial firms or other non-government end users in any country• No enemy states

• Many countries require the importer of equipment containing strong cryptography to provide the government or law enforcement with a copy of their private keys.

• Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria• Controls on dual-use goods

• Cryptography has long been considered a munition or weapon of war. Can be used for commercial or military purposes, therefor considered dual-use and protected as a military weapon

• Wassenaar Arrangement• 39 countries are parties to the agreement which specifies all controlled dual-

use goods, including encryption products and products that use encryption

Domain Objectives

Liability

• Legal responsibility• Know responsibilities to employees, customers, etc.

• Penalties• Can range from compensation to criminal penalties for violation

of law

• Negligence and liability• Important factor in determining liability• Determined by courts or other quasi-legal body

Protection of Assets

• Legal obligation

• Prudent person rule

• Must demonstrate practice of due care

Negligence

• Acting without care

• Due care

Negligence = Gap

Privacy Laws and Regulations

• Rights and Obligations of:

• Individuals• Identity theft

• Organizations• Collection, sharing, storage, processing of personal info

• Actual laws depend on jurisdiction

International Privacy

• Organization for Economic Co-operation and Development• Group of 30 member countries

• Eight core principles1. Limits to collection of personal data and should be obtained legally2. Personal data should be relevant to use3. Purpose for gathering personal data should be specified no later than the time the

data is collected4. Personal data should not be disclosed, made available, or otherwise used for

purposes other than specified above5. Personal data should be protected by reasonable security6. General policy of openness about developments, practices and policies with

respect to personal data7. Individual should have the right to find out if data controller has data about

him/her. To have communication with data controller about data relating to him/her. And to be able to challenge data and if successful have the data erased, rectified, completed or amended.

8. Data controller should be accountable for complying with measures

Personally Identifiable Information (PII)

• Identify or locate an individual

• Controls on collection and use• Many countries have laws governing this

• Global effect• Laws are different in each country. What laws govern?

Employee Privacy

• Employee monitoring

• Authorized usage policies

• Training

Transborder Data Flow

• Political boundaries

• Privacy

• Investigations

• Jurisdiction

Privacy Law Examples

• Health Insurance Portability and Accountability Act (HIPAA)

• Personal Information Protection and Electronic Documents Act (PIPEDA)

• European Union Data Protection Directive

Domain Objectives

Incident Management

• Incident – event that causes harm

Protect

Detect

Respond

PrepareSustainImprove

ProtectInfrastructure

Incident Response: Overview

• Response capability• Policy and guidelines• Response

• Incident response phases• Triage• Containment• Investigation• Analysis and treatment• Recovery

• Debriefing• Metrics• Public disclosure

Incident Response: Objectives

• Incident response in its simplest form is the practice of:

• Detecting a problem• Determining its cause• Minimizing the damage it causes• Resolving the problem• Documenting each step of the response for future reference• Effectively and appropriately communicating issues

Response Capability

• The foundation for incident response (IR) is comprised of:

• Policy• Authority• Procedures• Approved• Management of evidence

Incident Response – External Parties

• Escalation process• Employees should be trained and have approved procedures that

include when an incident or crime must be reported to higher management, outside agencies or law enforcement

• Interaction with third-party entities• Complex issues involving:

• Jurisdiction (who has control)• Status of crime (already committed, in progress, or planned)• Nature of the evidence (circumstantial, conclusive)• Nature of the crime (in many jurisdictions, some crimes MUST be

reported)

Incident Response and Handling Phases

• Triage

• Investigation

• Containment

• Analysis and tracking

Triage

• Detection• False positives

• Classification• Internal versus external• One system or many• What is the root cause versus the symptoms

• Notification• Priorities and escalation• Senior management or other departments• Business partners• Law enforcement

• Note: Prioritization is one of the most important aspects

Investigation Phase Objectives

• Desired outcomes of this phase are:

• Reduce the impact• Identify the cause• Get back up and running in the shortest possible time• Prevent the incident from re-occurring

Investigation Considerations

• The investigative phase must consider:

• Adherence to company policy• Confidentiality• Applicable laws and regulations• Proper evidence management and handling

Investigation Process

• Identify suspects

• Identify witnesses

• Identify system

• Identify team

• Search warrants

Investigation Techniques

• Ownership and possession analysis

• Means, opportunity, and motive (MOM)

Behavior of Computer Criminals

• Computer criminals have specific MOs• Hacking software/tools• Types of systems or networks attacked, etc.• Signature behaviors

• Profiling

Interviewing vs Interrogation

Open-ended Questioning• General gathering• Cooperation• Seek truth

Closed-ended Questioning• Specific aim• Hostile• Dangerous

• Should only be done by TRAINED professionals

Investigation Phase Components

• Components of this phase:

• Analysis• Interpretation• Reaction• recovery

Containment

• Reduce the potential impact of the incident• Systems, devices, or networks that can become “infected”

• The containment strategy depends on:• Category of the attack• Asset(s) affected• Criticality of the data or system

Analysis and Tracking Goals

• Obtain sufficient information to stop the current incident

• Prevent future “like” incidents from occurring

• Identify what or who is responsible

Analysis and Tracking Logs

• Dynamic nature of the logs

• Feeds into the tracking process

• Working relationship with other entities

Reporting and Documentation

• Law

• Court proceedings

• Policy

• Regulations

Recovery Phase Goal

• To get back up and running• The business (worst case)• Affected systems (best case)

• Protect evidence

Recovery and Repair

• Recovery into production of affected systems

• Ensure system can withstand another attack• Test for vulnerabilities and weaknesses

Closure of the Incident and Feedback

• Incident response is an iterative process

• Improve processes and controls

• Closure of the incident

• Feedback from all participants

Communication about the Incident

• Public disclosure

• Authorized personnel only

Domain Objectives

Computer Forensics: Evidence

• Potential evidence• Digital Forensic Science Research Workshop (DFRWS) defines digital

forensic science as – “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized action shown to be disruptive to planned operations.”

• Evidence and legal systems• Computer forensics is generally applied according to the standards of

evidence admissible in a court of law

Computer Forensics: Evidence

• Identification of evidence

• Collecting of evidence• Use appropriate collection techniques• Reduce contamination• Protect the scene• Maintain the chain of custody and authentication

Collection of Digital Evidence

• Volatile and fragile

• Short lifespan

• Collect quickly

• By order of volatility

• Document, document, document

Chain of Custody for Evidence

• Who

• What

• When

• Where

• How

Forensic Evidence Procedure

• Receive media

• Disk write blocker

• Bit for bit image

• Cryptographic checksum

• Store the source drive

Evidence: Hearsay

• Hearsay• Second-hand evidence• Normally not admissible

• Business records exception• Computer-generated information• Process of creation description

• Can you cross examine it?

Evidence Analysis and Reporting

• Scientific methods for analysis• Characteristics of the evidence• Comparison of evidence• Event reconstruction

• Presentation of findings• Interpretation and analysis• Format appropriate for the intended audience

Computer Forensics

• Key components• Computer forensics is not a piece of software or hardware. It is a set of

procedures and protocols. Methodical, Repeatable, Defensible, Auditable

• Crime scenes

• Digital evidence

• Non-criminal cases• Divorce, breach of contract, dissolution of corporation or partnership,

embezzlement, personal injury, etc.

Forensic Evidence Analysis Procedure

• Recent activity

• Keyword search

• Slack space

• Documented

Media Analysis

• Recognizing operating system artifacts• Types of files created as the system runs• Where they should be• What their contents are likely to be

• File system• Timeline analysis

• Modified• Accessed• Created

• Searching data

Software Analysis

• What is does

• What files it creates

Network Analysis

• Data on the wire

• Ports

• Traffic hiding

Domain Objectives

Compliance

• Knowing legislation

• Following legislation

Regulatory Environment Examples

• Sarbanes-Oxley (SOX)• Meant to enhance corporate governance through measures that will

strengthen internal checks and balances and, ultimately, strengthen corporate accountability.

• Gramm-Leach-Bliley (GLB)• Protects the privacy of consumer information held by financial institutions

• Basel II• Regulatory harmony in the international banking community

Compliance Roles and Responsibilities

• Information owner

• Local manager

• Auditor

• Individual

Audit Report Format

• Introduction• Background• Audit perspective• Scope & objectives• What was done

• Executive summary• Internal audit opinion• Detailed report including auditee responses• Appendix• Exhibits

Legal, Regulations, Investigations, and Compliance Domain Summary

Operations Security

Domain Objectives

• Operator and Administrator Security• Monitoring of Special Privileges• Misuse of Resources• System Recovery

• Resource Protection• Environmental Issues and Controls• Media Management• Personnel Privacy and Safety

Control Over Privileged Entities

• Review of access rights

• Supervision

• Monitoring/audit

Operator Privileges

• Initial program load (IPL)• Monitor system execution• Control job flow• Mount I/O volumes• Bypass label processing (BLP)• Renaming/relabeling resources• Reassigning ports/lines

Administrators

• Systems administrators

• Network administrators

• Database administrators

Administrator Privileges Summary

• Control network operations• Server startup and shutdown• Reset system configurations• Backups• System maintenance• Customer service

• Network administrator duties

Backup Types

• File image• System image• Data mirroring• Electronic vaulting• Remote journaling• Database shadowing• Redundant servers• Standby services

Software and Data Backup

• Operations controls must ensure adequate backups of:

• Data• Operating Systems• Applications• Transactions• Configurations• Reports

Backup Integrity

• Backup storage locations

• Backups must be tested

• Alternate site recovery plan• Site specific software

RAID – Redundant Array of Independent Disks

• Hardware based

• Software based

• Hot Spare• Global Hot Spare (all disk in array)• Dedicated Hot Spare (individual disk in array)

RAID Level 0

• Striping

• Two or more disks

• No redundancy

• Performance only

RAID Level 1

• Exact copy (mirror)

• Two or more disks

• Fault tolerant

• 200% cost

RAID Level 2

• Striping of data with error correcting codes (ECC)

• Requires more disks than RAID 3/4/5

• Not used

RAID Level 3/4

• Byte/block level stripes• 1 drive from parity• All other drives are for data

Stripe 1A Stripe 1B P(1A, 1B)Stripe 2A Stripe 2B P(2a, 2B)Stripe 3A Stripe 3B P(3A, 3B)Stripe 4A

Disk A

Stripe 4B P(4A, 4B)

Disk B Parity

RAID Level 5

• Block-level stripes• Data and parity interleaved amongst all drives• The most popular RAID implementation

Stripe 1A Stripe 1B P(1A, 1B)P(2B, 2C) Stripe 2B Stripe 2CStripe 3A P(3A, 3C) Stripe 3CStripe 4A

Disk A

Stripe 4B P(4A, 4B)

Disk B Disk C

RAID Level 6

• Block-level stripes• All drives used for data AND parity• Two parity types• Higher costs• More fault tolerant than RAID implementations 2 - 5

RAID Level 0+1

• Mirroring and striping• Higher cost• Higher speed

A1 A2 A2A1A3 A3A4 A4

A6A7 A8A5 A5 A6

RAID 0 RAID 0

RAID 1RAID 0+1

RAID Level 10

• Mirroring and striping• Higher cost• Higher speed

A1 A1 A2A2A3 A4A3 A4

A5A7 A7A5 A6 A6

RAID 1 RAID 1

RAID 0RAID 10

Configuration Management Elements

• Hardware inventory

• Hardware configuration chart

• Software licensing management

• Firmware

• Documentation requirements

• Testing

Hardware Inventory

• Up-to-date listing of all equipment

• Location• Owner• Serial and model numbers

Change Control Management

• Policy

• Business and technology balance

• Defines a process for authorized change• Process of changes• Ownership of changes

• Changes are reviewed for impact on security

Patch Management

• Knowledge of patches• Know when patches for all software you own are released by

the vendor• Testing

• Test all patches, and new software, in a test environment prior to going live

• Deployment• Can be challenging. Should be automated to insure no

machine is missed.• Zero-day challenges

• Vulnerable time between patch pushed out and able to apply

Software Issues

• Pirating software

• Version control

Job Documentation

• Scheduling• Dependencies

• Error codes

• Inputs and outputs

• Backout procedures

Security Administrator Roles

• Policy• Development• Implementation• Maintenance and compliance

• Vulnerability assessments

• Incident response

Security Administrator Responsibilities

• User-oriented activity management

• Information classification implementation

• Audit log monitoring and review

• Security tool oversight and management

Domain Objectives

Misuse Prevention

Threats Countermeasures

Personal Use Acceptable use policy, workstation controls, web content filtering, and email filtering

Theft of Media Appropriate media controls

Fraud Balancing of input/output reports, separation of duties, and verification of information

Sniffers Encryption and policy

Domain Objectives

System Recovery – Trusted Recovery

• Correct implementation according to Policy

• Failures don’t compromise a system’s secure operation

• Trusted path

Types of Trusted Recovery

• System Reboot – shutting down computer in a normal fashion after a failure

• Emergency System Restart – done when a system fails in an uncontrolled manner. Media may be in an inconsistent state. System enters maintenance mode, automatically performs recovery, and system restarts with no user processes in progress.

• System Cold Start – system fails and cannot restart without human intervention

Control Failure Modes

• Fail secure (fail closed)

• Fail soft (fail open)

• Fail safe (fails in a way that will cause no or minimal harm)

Fault Tolerance

• Hardware failure is planned for

• System recognizes a failure

• Automatic corrective action

• Standby systems• Cold – configured, not on, lost connections• Warm – on, some lost data or transactions (TRX)• Hot – ready, failover

Domain Objectives

Facility Support Systems

• Fire protection

• HVAC

• Electrical power goals• UPS

• Water

• Communications

• Alarm system

Domain Objectives

Media Management Practices

• Sensitive Media Controls

• Marking• Labeling• Handling• Storing• Declassifying

Media Management

• Tapes

• Storage

• Encryption

• Retrieval

• Disposal

Object Reuse

• Securely reassigned

• Disclosure

• Contamination

• Recoverability

Clearing of Magnetic Media

• Overwriting

• Degaussing• Data remanence

• Physical destruction

Records Management

• Considerations for records management program development• Business need

• Guidelines for developing a records management program

• Records retention• Declassification• Legal requirements• Privacy

• Absent law or regulation to the contrary, a business can set any retention policy it wishes

Protection of Operational Files

• Library maintenance – protect production programs and applications as well as data

• Backups• Source code• Object code• Configuration files

• Librarian - sole person with write access to the main system files, backups and application libraries. Should never be filled by a developer or person initiating the change request

Domain Objectives

Personnel Privacy and Safety – Mobile Computing

• Components

• Devices

• Limitations (e.g. privacy, safety, etc.)

• Mobile device management

Personnel Privacy and Safety – Social Networks

• Social networks

• Connection services

• Social dynamics

• Storage of data

• Potential dangers

Operations Security Domain Summary

Physical (Environmental) Security

Domain Objectives

• Physical Security Threats and Controls• Perimeter Security• Building and Inside Security• Secure Operational Areas

Goals of Physical Security

• Deter would be intruders• Delay long enough to detect and respond before

damage occurs• Detect in a timely manner• Assess method of attack• Respond appropriately without overreacting• Recovery to normal operating status

The Primary Goal

Remember that life, health, and safety are always the first priorities in physical security!

Threats to Physical Security

• Natural/environmental• History of natural disasters in the area• Utilities

• Communications outages, power outages, etc.

• Circumstantial• Fire or break-in at a neighboring building, strike at a critical point in

supply chain, etc.

• Human-made/political events• Explosions, vandalism, theft, terrorist attacks, strikes, activism, riots,

Threat Sources

• External activists

• Staff

• Intelligence agents/foreign governments

• Petty criminals

Threat Sources and Controls

Threat• Theft• Espionage• Dumpster diving• Social engineering• Shoulder surfing• HVAC access

Controls• Locks• Background checks• Disposal procedures• Awareness• Screen filters• Motion sensors in ventilation

Facility Vulnerabilities

• Location

• Layout and design

• Age and condition

Location Security Considerations

• Emergency services• Fire• Security

• Visibility

• Controlled access• public transit

Countermeasures and Controls

• Environmental controls may be:• Physical• Administrative/managerial• Technical

• Layered defense/defense in depth

Crime Prevention Through Environmental Design (CPTED)

• Principle of deterring crime through managing the potential crime scene

• Territoriality• Restricted access

• Surveillance• Monitoring

• Access control• Entrances

• Maintenance

Domain Objectives

Perimeter and Building Boundary Protection

• First line of defense

• Protective barriers• Natural• structural

Fences

• May be restricted by local regulations

• Inspections

• Parking should not be allowed near fences

• 1 meter/3-4 feet – will deter casual trespassers• 2 meters/6-7 feet – too high to climb easily• 2.5 meters/8 feet – will delay the determined intruder• Top guard will add 2-3 feet. Can be defeated by blanket, mattress,

towel, etc.

Controlled Access Points

• Gates are the minimum necessary layer

• Bollards• Permanent or retractable post used to deter vehicle-based

attacks

Perimeter Intrusion Detection Systems

• Detect unauthorized access into an area• Electronic “eyes”

• Note that some perimeter IDS can function inside the perimeter as well

• Physical IDS• Photoelectric• Ultrasonic• Microwave• Passive IR• Pressure sensitive• Sounds/vibration• Electrical circuits• Motion sensors

Closed Circuit Television (CCTV)

• CCTV capability requirements• Detection• Recognition• Identification

• Mixing capabilities• Adding IR/thermal

• Virtual CCTV systems• Fake systems

CCTV Concerns

• Total surveillance requirements

• Operating parameters (correct lens, angle?)• Size depth, height, and width

• Pan, tilt, and zoom

• Lighting

• Contrast

CCTV Protection and Image Retention

• Storage of images

• Maintenance

• Privacy

Guards and Guard Stations

• Guards• Deterrent• Possible liability• Contractors

• Guard stations

Domain Objectives

Building Entry Points

• Doors• Windows• Loading ramps• Elevator shafts• Ventilation ducts• Crawlspaces• Sewage or steam lines

• Isolation of critical areas• Lighting of doorways• Contact devices• Guidelines

• Solid core• Hinges fixed to frame with minimum of 3 hinges per door• Lighting• Should not open out except as required by building codes• Locks should be daytime (push button) and 24 hour (deadbolt)• Door frame should be permanently fixed to the adjoining wall studs• Have same fire-resistance rating as adjacent walls• Etc.

Access and Visitor Logs

• Identification/sign in and out

• Temporary badges

• Vehicles

• Escort

Turnstiles and Mantraps

• Tailgating/piggybacking

Types of Locks

• Something you have – keyed

• Something you know – combinations

• Something you are – biometric

Keyed Locks

• Lock components

• Body• Strike• Strike plate• Key• Cylinder

Lock Controls

• Lock and key control system

• Key control procedures• Who has access to keys• Keys issued• Key inventory• Default settings changed

• Change combinations

• Fail• Soft (unlocked)• Secure (locked)• Safe (allow exit but not entry)

Electronic Physical Controls

• Card access

• Biometric access methods

Windows and Glass

• Standard plate glass• Tempered glass

• 5 – 7 times more break resistant than plate and breaks into small, less dangerous fragments

• Acrylic materials• Stronger than plate• Burn and produce toxic fumes, scratch easy and yellow over time

• Polycarbonate windows• Resistant to abrasion, chemicals, fires and are even anti-ballistic• Very expensive

Glass and Window Protection

• Laminate• Solar film• Bomb blast film/curtains• Wired glass• Intrusion detection/glass breakage sensors

Internal Intrusion Detection Systems

• Closed circuit television

• Sensors and monitors

Types of Lighting

• Continuous lighting• Trip lighting• Standby/backup lighting• Emergency exit/egress lighting• Infrared/night vision

Domain Objectives

Equipment Room

• Perimeter enclosure• Controls• Policy• Emergency power off (EPO) switch

Data Processing Facility

• Small devices threat• Digital camera• Cell phone cameras• USB drive• Etc.

• Server room• Most important requirements are space, power, air

conditioning, access control and security monitoring• Mainframes• Storage

Communications

• Wireless access points

• Network access control

• Cabling• conduit

Access to Utility Rooms

• Power rooms• Breaker panels

• Water

• Ventilation

• Gas

Work Area

• Keeping a work area safe is important for everyone

• Operators• Only allow access as needed/monitor

• System administrators• Only allow access as needed/monitor

• Restricted work areas• Only a select few people need access

Equipment Protection

• Inventory• Locks and tracing equipment• Data encryption• Disabling I/O ports

Environmental Controls

System• Electric power• HVAC• Water/plumbing• Gas• Refrigeration

Threat• Loss of power• Overheating• Flood/dripping• Explosion• Leakage

Fire Protection

• Prevention – reduce causes• Detection – alert occupants• Suppression – contain or extinguish

• Wet-pipe sprinkler• Most reliable• Simple• Water under pressure, when sprinkler head breaks water comes out

• Dry-pipe sprinkler• Water is held back by valve and is released when sensor activates• Pipes then fill with water and sprinkler engages

Materials and Suppression Agents

Class Type Suppression Agents

A Common combustibles Water, foam, dry chemicals

B Combustible liquids Inert gas, CO2, foam, dry chemicals

C Electrical Inert gas, CO2, dry chemicals

D Combustible metals Dry powders

K Cooking media (fats) Wet chemicals

• Suggested way to remember each:• Ash• Boil• Current• Drive• Kitchen

Three Legs of a Common Fire

Reduce: Water

Bind: Purple KRemove: Fireman

Displace: CO2/foamBind: Halon & alike

Flooding Area Coverage

• Water – sprinkler systems

• Gas – halon/CO2/argon systems

• Best practices for systems

• Portable extinguishers

Loss of Electrical Power

• UPS• Generators• Goals of power – clean and steady power• Power controls

• Emergency power off (EPO) switch• Power line monitors• Total load

Heating, Ventilation, Air Conditioning

• Location

• Positive pressure• Can indicate unauthorized physical breach• Helps minimize dust

• Maintenance

Other Infrastructure Threats

• Vermin

• Electromagnetic fields

• Excess vibration

Physical (Environmental) Security Domain Summary

Security Architecture and Design

Domain Objectives

• System and Component Security• Definitions and Key Concepts• Architecture Components

• System Design Principles• Security Models• Information Systems Evaluation Models• Security Frameworks

Definitions and Key Concepts

• Information security management system (ISMS)• Set of standards for addressing security throughout the

development, deployment and implementation schedule• Enterprise security architecture (ESA)

• Includes all areas of security for an organization: leadership, strategy, planning, etc.

• Information security architecture (ISA)• Another term for ISO/IEC 27002

• Best practice• Well-recognized and accepted approach to designing,

developing, managing/monitoring and enhancing processes

• Architecture• High-level perspective of how business requirements are to be

structured and aligned with technology and processes• Framework

• Defined approach to the process used to achieve the goals of an architecture, based on policy

• Infrastructure• Integrated building blocks that support the goals of the

architecture• Model

• Outlines how security is to be implemented within the organization

• Good security architecture• Strategic

• Provides a long-range perspective that is less subject to tactical changes in technology

• Business requirements based• Understand business and security and design a system that meets those

requirements• Holistic

• Understanding all the parts of the business and interconnecting them• Design

• Blueprint• Integration and development of technology infrastructure into the business

process• Multiple implementations

• Flexibility due to location and business constraints

• Benefits of a good security architecture

• Consistently manage risk• Reduce the costs of managing risk• Accurate security-related decisions• Promote interoperability, integration, and ease of access• Provide a frame of reference (for other organizations

interacting with the enterprise)

Domain Objectives

Architecture Components

• What are the security limitations and benefits of each component?

• Hardware• Firmware• Central processing units• Input/output devices• Software• Architectural structures• Storage and memory

Hardware: Computers

• Mainframe• Minicomputers• Microcomputers/desktops• Servers• Laptop/notebook• Embedded

• From a security perspective, each security risk must be addressed individually

Hardware: Mobile Devices

• USB storage• Portable hard drives• PDAs and mobile phones

Hardware: Printers

• Multifunctional• Network aware

• More than output device

• Full operating system

Hardware: Communication Devices

• Modem

• Network Interface Card (NIC)

Hardware: Wireless

• Wireless network interface card• Wireless access point• Wireless Ethernet bridge• Wireless router• Wireless range extender

Firmware: Pre-Programmed Chips

• ROM (read-only memory)• PROMs (programmable read-only memory)• EPROMs (erasable programmable read-only memory)• EEPROMs (electrically erasable, programmable, read-

only memory)• Field programmable gate arrays (FPGAs)• Flash chips• Embedded system

CPU Functionality

• Multitasking• Multiprogramming• Multiprocessing• Multiprocessor• Multi core• Multithreading• Direct memory access (DMA)

Real-Time Systems

• Time and mission critical systems – systems that support mission critical services such as flight controls, alarms and monitoring sensors

• Immediate processing• High levels of tolerance• Failover

Virtual Machines

• Mimic the architecture of the actual system

• Resources provided by the host system

CPU and Processor Privilege States

• Supervisor state• Problem (user) state• Running• Ready• Blocked• Masked/interruptible

Input/Output (I/O) Devices

• I/O controller

• Managing memory

• Hardware

Software: Operating System

• Hardware control• Hardware abstraction• Resource manager• Design• Kernel

Software: Utilities and Drivers

• System utilities• Maintenance

• System drivers• Application/hardware interface• Plug and play

Commercial Software Programs (Applications)

• Commercial off the shelf (COTS)• Function first

• Unless the software is inherently a security-focused application (such as a firewall), attention will first be devoted to functionality. Security is usually an afterthought.

• Evaluation• Make sure to consider the information security aspects

of the application such as authentication methods, audit capabilities, edit checks and error reporting, etc.

Software: Custom

• Business application• No two businesses do business the same way. Custom

software is the solution used as a natural progression from manual processes to automation of tasks

• System development life cycle

Software: convergent Technologies

• Customer relationship management (CRM)

• Workflow management systems• SharePoint, Lotus Notes

• Unified messaging• Allows different technologies to work together. Fax to a PDA,

access internet from TV

CPU and OS Support for Applications

• Applications were originally self-contained

• OS capable of accommodating more than one application at a time

• Security• Reinforced by the OS since the OS has the ability to control

the activity of the applications and ensure that one or more application threads do not affect another

Applications - Today

• Today’s applications are modular• Execute multiple process threads• Security

• Problems lie in the fact that independent sections are frequently written by someone else and may be malicious. Module may also be used in a way not intended by the author. Modules and threads will often communicate directly and not involve the OS. This prevents the OS from being able to manage the activity of the process threads.

• Programs spawn processes. Processes spawn threads. Memory is allocated to processes. So, threads share memory.

Systems Architecture Approaches

• Open – standards based interfaces. Considered more vulnerable but often result in a more robust set of security features

• Closed – proprietary interfaces. Illusion that security through obscurity works

• Dedicated – single level of processing permitted• Single level – permit users to execute any instruction available• Mutilevel – processing at two levels is permitted through some

form of user authentication and authorization. Most common today and allow system to be accessed by users holding different levels of privilege.

• Embedded – single purpose computer

Architectural Structures

• Client server• Centralized architecture• Distributed architectures• Thin client architecture• Diskless computing• Clusters

Cloud Computing

• Provisioning of services• Cost models• Supplement/consumption/delivery model

• Involves provisioning of dynamically scalable and often virtualized resources

• Characteristics• Layers

Cloud Computing

• Deployment models• Public cloud• Community cloud• Private cloud• Hybrid cloud

• Architecture• Intercloud• Cloud Engineering

• Issues• Privacy• Compliance• Open source• Open standards

• Security• Issues surrounding cloud

computing are due in large part to the private and public sectors unease surrounding the external management of security based services

Service-Oriented Architecture

• Technology benefits• More flexible architecture, integration of existing applications, improved

data integration, supports business process management, facilitates enterprise portal initiatives, speeds custom application development

• Security issues• A system that relies on distributed processing must have adequate

bandwidth and high availability.• Business benefits

• More effective integration with business partners, supports customer-service initiatives, enables employee self-service, streamlines the supply chain, more effective use of external service providers, facilitates global sourcing

Virtualization

• Virtual copy of physical system

• System virtual machine – complete operating environment that can support user needs and multiple environment

• Hypervisor – interface between the physical and virtual environments

• Process virtual machine – systems that are dedicated to supporting one process or program

Types of Memory Addressing

• Logical• Refers to a memory location that is independent of the current

assignment of data to memory. Requires a translation to the physical address.

• Relative• Address expressed as a location relative to a known point

• Physical• Absolute address or actual location

Memory Management Requirements

• Relocation• Programmer does not know where the program will be placed

in memory when it is executed. It may be swapped to disk and returned to main memory at a different location.

• Protection• Processes should not be able to reference memory locations

in another process without permission.• Sharing

• Allows several processes to access the same portion of memory. OS allows each process access to the same copy of the program rather than having its own separate copy.

Memory Protection Benefits

• Memory reference• Different data classes• Users can share access• Users cannot generate addresses

Primary Storage

• Registers• Very high-speed storage structures built into the CPU chip set

and are often used to store timing and state information for the CPU to maintain control over processes.

• Cache• Very fast memory directly on the CPU chip body. Not

upgradeable. Three types (level 1-3).• Random access memory (RAM)

• Main memory of the system

Secondary Storage

• Internal• External• Virtual memory• SANs• Clusters

Virtual Memory

• = primary + secondary or RAM + Disk• Extends apparent memory to accommodate larger

program execution space than is possible using only physical memory and involves paging and swapping operations.

• Generally 4 or 8 kb in length

Storage Systems

• Network Attached Storage (NAS)• Simple, cost effective solution. Box on network that extends

storage area.• Storage Area Network (SAN)

• Complex, expensive solution. Offers large capacity storage for servers over high-speed (usually fiber) links

Blade Systems

• Server chassis• Processing power• Management simplification

• Is simply a series of motherboards housed in a box with a high speed backbone

Domain Objectives

Separation

• Temporal isolation• Accomplished through time limits. Person cannot access an

area of the building or an area of the network, or an application outside of certain authorized hours.

• Physical isolation• Refers to separating out sensitive areas from common access,

such as setting up compartmentalized areas or secure rooms.• Virtual isolation

• Protects against malicious activity by not permitting a process to execute outside of a strict set of boundaries.

Ring Protection

• Based on the Honeywell Multics Operating System architecture.

• Set of segments in concentric numbered rings. Ring number determines the access level.

• Procedure assumes its appropriate ring number when executing. This prohibits a process from unregulated execution of commands at a higher level.

• Program may call services residing on the same or more privileged ring.

• Program may only access data that resides on the same ring.

Privilege Levels

• Identifying, authenticating, and authorizing subjects

• Subjects of higher trust can access more system instructions and operate in privileged mode

• Subjects with lower trust can access a smaller portion of system instructions and operate only in user mode

Process Isolation

• Preserves Object’s integrity and subjects adherence to access controls

• Prevents interaction – prevents objects from interacting with each other and their resources

• Independent states – actions of one object should not affect the state of other objects

• Process isolation method• Encapsulation – objects, data, and functions are packaged together• Time multiplexing – assignment specific time slots for processing information• Naming distinctions – to distinguish between processes• Virtual mapping/domains – mapping info objects to virtual locations to

ensure applications can find their data

Trusted Computing Base (TCB)

• Trusted computer base – includes all the components and their operating processes and procedures that ensure that the security policy of the organization is enforced.

• Hardware• Firmware• Software• Processes• Inter-process communications

• Simple and testable

Trusted Computing Base (TCB)

• Enforces security policy – must be able to enforce security policy regardless of user input and be protected from interference or tampering

• Monitors four basic functions• Process activation• Execution domain switching• Memory protection• Input/output operations

Reference Monitor Concept

• Abstract machine concept – abstract machine that is regulating all access on the system and enforcing security controls

• Must be tamperproof• Always invoked• Verifiable

• Security kernel• Components of an OS perform various protection tasks designed to control and

monitor system evens and prevent things from occurring that might disrupt normal execution or threaten the stability of the system or any of its resources.

• Subject• Active entity

• Object• Passive entity

Attested Boot/TPM/Processing

• Ensures secure configuration and integrity of software/hardware

• Uses cryptographic hash functions to ensure integrity

• Can also be used remotely

Secure System Design

• Availability – must be designed to meet needs

• Criticality – design of system must ensure that the critical processes run effectively

• Redundancy

• Single points of failure – must be designed to avoid• Defense in depth – ensures the security of the system cannot

be circumvented through one vulnerability

Domain Objectives

Security Models Introduction

• Information-flow model – tracks the movement of information from one object to another

• Non-interference model – based upon rules to prevent processes that are operating in different domains from affecting each other in violation of security policy

• State-machine model – abstract mathematical model where state variables represent the system state

• Lattice-based model – hierarchical model defining access control privilege levels

Bell-LaPadula Confidentiality Model

• Lattice-based model• Described using rows and columns

• State-machine model• Hierarchical based model with dominance relationships between

higher and lower security levels• Three fundamental modes

• Read only, write only , read and write• Secure state• Defines access rules

• ***** very important to know *****

Biba Integrity Model

• Lattice-based model• Addressed first goal of integrity• Subject – object tuple• State machine model

• When you mix clean & dirty, dirty wins• Read & write are opposite from Bell-LaPadula

Clark-Wilson Integrity Model

• Addresses all three integrity goals• Defines well-formed transactions• Separation of duties

1. Authorized users limited to authorized transactions2. Unauthorized users do no tasks3. Maintain internal & external consistency

Brewer and Nash Model

• Chinese Wall security policy• Designed to prevent conflicts of interest

Other Models

• Graham-Denning• Harrison-Ruzzo-Ullman (HRU) result

• Variations of Biba

Security Models

• Integrity• Clark-Wilson• Biba• G&M• Sutherland• Graham-Denning• HRU

• Need to know

• Confidentiality• Brewer-Nash• BLP

• Implementations• Gong• Lipner• Karger• Jueneman• Lee & Shockley

Domain Objectives

Evaluation Standards

• TCSEC (U.S. DoD)

• ITSEC (European Union)

• Common Criteria (ISO Standard 15408)

TCSEC or Orange Book

• DoD-centric

• Security and functionality

• Product evaluation

• Rainbow series – was a part of the Rainbow Series of books dealing with security topics

• TNI – Trusted Network Interpretation (another of the series)

• International origin• ITSEM• Assurance• Fucntionality

Common Criteria (ISO 15408)

• Origins

• Documents

• EAL 1-7 (evaluation assurance level)

• Protection profile (PP)

• Target of evaluation (TOE)• Software, firmware, and/or hardware

• Security target (ST)• Requested level of testing

Domain Objectives

ISO 7498-2

• Defined secure communications

• NOT an implementation

• Takes 7-layer OSI model and maps it to a 2-layer functional model

Zachman Framework

• Complete overview of IT business alignment

• Intent• Scope• Two-dimensional• Principles

• What are the business requirements?

• Follow-on to Zachman• Operational security focus

The Open Group Architecture Framework

• Governance• Business• Application• Data• Technology

DoD Architecture Framework

• OMB A-130 requirement

• View sets:• All view• Operational view• Systems view• Technical standards view

ISO/IEC 42010

• International standard for information security management systems (ISMS)

• Practice for architectural description of software-intensive systems

ISO 27001 - ISMS

• Information security management system

• Ensures best practices are met• Sets standards for security areas• Based on BS7799-2• Measurable and certifiable standard

IT Infrastructure library (ITIL)

• Focuses on IT services

• Supporting products

COSO Enterprise Risk Management Framework

• Emphasizes the importance of identifying and managing risks

• Process• People• Reasonable assurance• Objectives

• If moving money, probably want to use this

Capability Maturity Model

• Developed by SEI (Software Engineering Institute)• Based on TQM concepts (Total Quality Management)• Framework for improving process• Benefits

• Top 3 are proactive, bottom 2 reactive

PCI-DSS

• Payment card industry – data security standard• Standards for the protection of payment card data (e.g.

credit cards, debit cards, etc.)• Covered more in Domain 5 (Legal, Regulations,

Investigations, and Compliance)

Security Architecture and Design Domain Summary

Software Development Security

Domain Objectives

• Overview of Applications Security• System Life Cycle Security• Applications Security Issues

• Malware and Other Attacks• Database Security

Need for Applications Security

• While this model is important to all domains, AIC is probably most important to this one

• Interface to critical and sensitive data

• Thousands of exploits

Secure Systems Development Policies

• Organizations require security development methodology• Many corporations are beginning to require and provide guidelines

for developing secure applications

• Security climate has changed• Vendors are focused on functionality of their products and on

increasing their return on investment instead of security• Security as built-in instead of add-on• Compliance – many regulations and compliance requirements

now demand that systems track and control access permissions of users and other entities

Organizational Standards

• Web Application Security Consortium (WASC)• Build Security in (BSI)• International Organization for Standardization

(ISO)/International Electrotechnical Commission (IEC) 27034• These orgs provide information for software vendors and the

public that is intended to create secure environments for software development, to aid in developing internal code standards, to incorporate security features in software products, and to deploy into secure environments.

Software Configuration Management (SCM)

• Versioning• Technologist• Protection of code• Protection of project

• Scope creep vs Statement of Work• Process Integrity

System Development Controls

• Project Management• Complexity of Systems and Projects

• Security by Design• Controls Built in to Software

• Secure by Default

Secure Development Excuses

• You cannot build security around an application, you have to build it in

• “We need security? Then we’ll use SSL”• “We need strong authentication? PKI will solve all our

problems”• “We use a secret/military-grade encryption”• “We had a hacking contest and no one broke it”• “We have an excellent firewall”• “We’ll add it later; let’s have the features first”

Secure Development Concerns

• Push to Market – pressure to deliver a product quickly

• Protect Source Code• From tampering• Pirating• Accidental loss• Protection against attacks

Secure Development - Physical

• Controlled access areas• Development vs Operations

• Project security

• Probably best to only develop and work on projects in a secure area.

Personnel Security

• Hiring controls – background checks for everyone involved• Trust – several attacks come from developers• Skills – don’t post to blogs asking for assistance on programming

problems

• Changes in employment• If internal, adjust permissions on things no longer needed• If leaving company, remind to keep company secrets

• Protection of privacy from employees• Privacy Impact Rating – part of risk assessment. Looks at the data that

would be accessible by programs and identifies sensitive data

Separating Test Data From Production

• Never test on a production system• Never use real data

• Protection of sensitive data• Test for failure – test error routines and the resilience of system to

failure• Ranges – test using both acceptable and unacceptable data values• Stress Tests – make sure system can handle the number of transactions or

users that may be using the system at once

• Always try to test for what the bad guy and stupid user would do

Certification and Accreditation

• Certification of secure design and deployment• Production environment

• Accreditation of acceptance of risk• Management approval for implementation

• Ensure that systems meet, and continue to meet, their security requirements

Domain Objectives

System and Project Management

• Project Management-Based Methodology• Systems Security Engineering-Compatibility Maturity Model

Integration (SSE-CMMI)• 1-initial (chaotic, immature), 2-managed (disciplined, capable), 3-defined

(documented, consistent), 4-quantitatively managed (predictable), 5-optimizing (constant improvement)

• SLC vs SDLC• Systems Life Cycle – development, post-development,

maintenance phases• System Development Life Cycle – development and ends shortly

after implementation

Software Development Methods

• Waterfall• Spiral Method• Clean-Room• Structured

Programming Development

• Iterative Development• Joint Analysis

Development• Prototyping

Software Development Methods

• Modified Prototype Model

• Exploratory Model• Rapid Application

Development• Agile Development

• Computer Aided Software Engineering

• Component-Based Development

• Reuse Model• Extreme Programming

Programming Language Examples

Interpreted• Basic• REXX• PostScript• Pascal• Perl• Ruby• Python

Compiled• Basic• Fortran• COBOL• Pascal• C, C++, C#• ADA• Python• Visual Basic

Oldest

Newest

Program Utilities

• Assembler – program that translates an assembly language program into machine language.

• Compiler – translates a high-level (source) language into machine language

• Interpreter – instead of compiling a program all at once, the interpreter translates it statement-by-statement

• Drivers – used to interface a program with the system• Hybrid – compilation and interpretation. Code is compiled

into an intermediate stage. In Java, known as bytecode. Needed for compatibility between systems.

Transaction Processing

• Separation of Duties• Need to Know• Logging• Transaction:

• Integrity – data not inappropriately altered• Edit checks, balancing, data/input validation, error handling/information

leakage, logging/auditing, cryptography, secure code environment, session management

• Availability – large queries that affect performance should be limited. Critical systems should be designed with redundancy and failover

• Confidentiality – provide necessary security measures for data

Object-Oriented Programming

• OOP Concepts

• Classes – templates for objects• Objects – instances of the classes• Message – objects request services by sending messages to other

objects• Inheritance – an object that is called by another object or program

derives its data and functionality from the calling object• Polymorphism – different objects may respond to the same command

in different ways• Polyinstantiation – creating a new version of the object by changing its

attributes. Prevents Inference Violations by allowing different versions of the same information to exist at different classification levels

Distributed Programming

• Distributed Component Object Model (DCOM)• Simple Object Access Protocol (SOAP)• Common Object-Request Broker Architecture (CORBA)• Enterprise Java Beans (EJB)

• Distributed programming requires abstract communication between hosts. Entails programs located on different computers be able to use the same program at the same time.

Software Security Effectiveness

• Senior management participation• Software security group

• Many organizations implement this. Charged with directly executing or facilitating the software security activities.

• Understand, measure and plan• Result of many activities

• Software security is the result of many activities. People, process and automation are all key components.

• 15 core activities

Software Security Effectiveness

• BSIMM (Build Security In Maturity Model)• Organization observed• Business objectives• Roles• Framework

Domain Objectives

Applications Security Issues

• Building security in• Adding defense-in-depth• Cryptographic protection of data• Secure architecture

Applications Security Principles

• Validate all input and output• Fail secure (closed)• Make it simple• Defense in Depth• Only as secure as your weakest link

Secure Coding Issues

• Buffer overflow• SQL injection• Cross-site-scripting (XSS)• Dangling pointer• Invalid hyperlink• Secure (encrypted) web application traffic risks• JavaScript attacks vs sandbox

• Application programming interface (API)• Open source• Vendor proprietary software

• Escrow• iFrames• Race condition

• Risks of push technology• Information disclosure – error handling• Infrastructure flaws• Misconfiguration

• Incomplete parameter check and enforcement• Covert channels• Inadequate granularity of controls

• Privileged programs/privilege escalation• Social engineering• Multiple paths to information

• Object reuse• Garbage collection• Trap door/maintenance hooks

Domain Objectives

Malware and Attack Types

• Malformed input• Injection (SQL injection)• Input manipulation/malicious file execution• URL manipulation• Unicode attack

• Cryptographic storage• Hijacking• Insecure communications

• Denial of Service (DoS)• Distributed Denial of Service (DDoS)

• Botnets• Fast flux botnets

• Data hiding• Alternate data streams (ADS)• Non-technical

• Executable content/mobile code• Web applets• Dynamic email

• Cookie poisoning (manipulation)

• Keystroke logging• Adware and spyware• SPAM• Phishing

• Spear phishing• Whaling

• Pharming

• Remote Access Trojans (RAT)• Rootkits and RATs• HTTP Response Splitting• Cross Site Request Forgeries (CSRF)

Malware Structure

• Infection/reproduction• Target search• Infection

• Trigger

• Payload

Malware Anti-Detection

• Stealth

• Tunneling

• Polymorphism• Self-decrypting

• Antivirus (anti-malware) disabling

• Central characteristic is reproduction• Generally requires some action by user

• May or may not carry payloads

Virus Types

• File infector• Boot Sector Infector• System infector• Email virus• Multipartit

• Use to mean a virus that was able to infect boot sectors and programs• Now means virus that can infect more than one type of object or to infect

or reproduce in more than one way• Macro Virus• Script Virus

• visual basic file that can be seen as a data file but is executable (.vbs)

The Hoax, Chain Letters and Pranks

• Social engineering• Hoax• Chain Letters• Pranks

• Forms of spam. More annoying that anything else but can eat up bandwidth

• Reproduces• No user action required• Loopholes

• Often probe the computer looking to exploit specific weaknesses and/or compromise other computers

• Attacks server software

Trojan Horse

• Purported to be a positive utility

• Hidden negative payload

• Social engineering

Logic Bomb

• Generally implanted by an insider

• Waits for condition or time

• Triggers negative payload

Diddlers, Backdoors and RATs

• Data diddler• Salami technique

• Office Space – fractions of a cent moved to bank account

• Payload in a Trojan or virus that deliberately corrupts data, generally by small increments over time.

Protection From Malware Code

• Policies

• Tools

• Monitoring• Operation

• Egress scanning

• Integrity checkers

Emerging Threats and Chained Exploits

• New application services• Cell phones/mobile phones• Telephony

• Chained exploits

Domain Objectives

Database Security

• Database (day to day) and data warehousing (strategic) environment

• Eliminate duplication of data• Consistency of data• Network access

• Databases provide consistency of data. Data can be saved in one place allowing anyone with access to see data without the need for duplicate. Greater consistency or accuracy of data

• Data warehousing is a new concept where large volumes of information from many databases are stored. May lead to privacy concerns.

Database Management Systems (DBMS) Models

• Hierarchical DBMS• Stores records in a single table• Parent/child relationships• Limited to a single tree• Difficult to link branches

2-door

HondaToyota Mazda

CRV CivicAccord

4-door

Network DBMS Model

• Extended form of the hierarchical database structure• Does not refer to database being sorted on a network

but rather to the method by which data is linked to other data.

4 x 4 X3

Regular Mazda 6

Truck E Series

4 x 4X5

5 speed transmission

Front and Rear Climate Controls

Leather Interior

Truck Freestar

Regular Mazda 3

BMWFord

Relational DBMS Model

• Most frequently used model• Data are structured in table• Columns are “variables” (attributes)• Rows contain the specific instances (records) of data• Primary key

• Must exist• Not null• Index/optimize the table

• Foreign key• Optimize• Attribute in table

RDBMS Tables, Joins and Unions

Book TableBook No Book Title Book Type Book Price Author No

PC1234 Learning Database Models Computer 39.99 123456

PC4321 Data modeling Techniques 69.99 234567

PC6789 Designing a Database Computer 39.99 345678

PC9876 Secrets of Databases Computer 19.99 456789

Author TableAuthor No Last Name First Name State

123456 Smithson Mary CA

234567 Rogers Mike NY

345678 Tucker Sally CT

456789 Gleason Sarah IL

Primary Key

Foreign Key

Data Warehouse

• Consolidated view of enterprise data• Data mart• Designed to support decision making through Data

Mining• Metadata

Knowledge discovery in Databases (KDD)

• Methods of identifying patters in data• KDD and AI techniques

• Probabilistic models• Statistical models• Classification approach• Deviation and trend analysis• Neural networks• Expert system approach• Hybrid approach

Database Security Issues

• Inference (guess)• Aggregation (conclusion)• Unauthorized access• Improper modification of data• Unauthorized data mining• Query attacks• Bypass attacks• Interception of data• Web security

Database Controls

• Access controls• Grants – user is given access to specific data using

various privilege types• Cascading permissions – individual grants access to

others, loses access, so does everyone else

• Lock controls• Backup and recovery• Data contamination control• Polyinstantiation

View-Based Access Controls

• Constrained views• What portion of the data in the database is the user authorized

to see

• Sensitive data is hidden from unauthorized users

• Controls located in the front-end application (user interface)

Transaction Controls

• Content-based access control• Commit statement

• Writes any and all changes that have occurred to the data during the current transaction

• Three-phase commit• Client requests permission to make a change to a database, the

database approves the change but doesn’t make the change until the client returns a reply indicating the transaction completed correctly.

• Database rollback• Journals/logs• Error controls

The ACID Test

• Atomicity – all or none. All transactions execute or rollback• Consistency – changes maintain consistency.

Transformed from one valid state to another valid state, remaining compliant with the rules of the database

• Isolation – transactions in progress are invisible to others. Guarantees that the results of a transaction are invisible to other transactions until the transaction is complete.

• Durability – say it is done, stays done. Ensures that the results of the completed transaction can survive future system and media failures.

Database Interface Languages/Methods

• Structured Query Language (SQL)• Open Database Connectivity (ODBC)• Extensible markup Language (XML)• Object Linking and Embedding (OLE)• Active X Data Object (ADO)• Dynamic data

Application and Database Languages: Security Issues

• Poorly designed• More privileges than necessary• DBA account use• Lack of audit• Input validation

Software Development Security Domain Summary

Telecommunications and Network Security

Domain Objectives

• Network Security Overview• Physical• Data Link• Network• Transport• Session• Presentation• Application• Telephony• Services

Network Security Overview

• What is network security?

• Encompasses the STRUCTURES, TRANSMISSION METHODS, TRANSPORT FORMATS AND SECURITY MEASURES used to provide INTEGRITY, AVAILABILITY, AUTHENTICATION, and CONFIENTIALITY for transmissions over PRIVATE and PUBLIC communications networks and media.

Information Security TRIAD

Security Issues and Concerns

• Message protection• Confidentiality• Integrity

• Non-repudiation

• Availability• Redundancy• Single point of failure

Defense in Depth

• Series of hurdles

• Collection of controls• Any form of protection can be defeated but when

layered it becomes much harder to defeat.

OSI Reference Model

People Don’t Need To Smoke Pot Anymore

TCP/IP Model

Network-Based Attacks

• Network as a channel for attacks• Most frequent network security threat today. Example, viruses

exploit networks in order to spread without actually breaching the security of the network itself

• Inbound and outbound attacks• Network as a target of attack

• DoS• DDoS

Network Attacks

• Network attack phases

• Intelligence gathering and target selection• Target analysis• Gaining access• Escalation of privileges• Sustaining control

Domain Objectives

• Concepts & Architecture

• Technology & Implementation• Standards• Threats & Countermeasures

Layer 1: Physical Layer

• Bits are converted into signals• All signal processing is handled here• Physical topologies• Physical layer describes the networking

hardware, the format of the communications (bits, bytes, or optical pulses), as well as cable, wireless connections, etc.

Communication Technology

• Analog and digital communications• Digital communication brings quantitative and

qualitative enhancements• From higher throughput• Better signal-to-noise ratio• fault tolerant error correction• Ability to immediately process digital signals in a computer

Network Topology

• Even small networks are complex• Network topology and layout affect scalability and

security• Wireless networks also have a topology

Network Topology

Tree Bus

Bus Topology

• LAN with a central cable to which all nodes connect• Advantages

• Scalable• Permits node failure

• Disadvantages• Bus failure

Ring Topology

• Closed-loop topology• Advantages

• Deterministic• Disadvantages

• Single point of failure

Star Topology

• All of the nodes connect to a central device• Advantages

• Permits node/cable failure• Scalable

• Disadvantages• Single point of failure

Tree Topology

• Devices connect to a branch on the network• Advantages

• Scalable• Permits node failure

• Disadvantages• Failures split the network

Mesh Topology

• In a full mesh network, every node in the network is connected to every other node in the network

• Advantages• Redundancy

• Disadvantages• Expensive• Complex• Scalability

Domain Objectives

• Concepts & Architecture• Technology &

Implementation• Standards• Threats & Countermeasures

Media Selection Considerations

• Throughput• Distance between devices• Data sensitivity/confidentiality• Environment• Cost

Wireless

Twisted Pair

• One of the simplest and cheapest cabling technologies• Unshielded (UTP) or shielded (STP)

Coaxial Cable (Coax)

• Conducting wire is thicker than twisted pair• Bandwidth• Length

• Expensive and physically stiff

Fiber Optics

• Three components• Light source• Optical fiber cable

• Two types• Light detector

• Advantages• High bandwidth• Immune to EMI and RFI• Difficult to tap

• Disadvantages • Expensive• Difficult to install

Wireless Transmission Technologies

• 802.11 – WLAN• From wired network to station, wireless LAN

• 802.16 – WMAN, WiMAX• From neighborhood to station, wireless metropolitan area networks, or

WiMAX®• Satellite

• From orbit to station• Microwave

• High bandwidth, line of sight, point-to-point communications that require licensing (ground to ground OR ground to orbit to ground)

• Optical• High bandwidth, line of sight, point-to-point communications that do not

require licensing

Patch Panels

• Provide a physical cross-connect point for devices• Alternative to directly connecting devices• Centralized management

Modems

• Convert a digital signal to analog• Provide little security

• War dialing• Unauthorized modems

Hubs and Repeaters

• Hubs• Used to implement a physical star/logical bus topology• All devices can read and potentially modify the traffic of other

devices

• Repeaters• Allow greater distances between devices

Wireless Access Points (WAPs)

• Access Point (AP)• Point where wireless signals are converted to wired• Go from radio waves to typically copper

• Multiple input/multiple output (MIMO)• Uses multiple antennas at both the sending and receiving

ends and transmits different signals on each antenna• Avoids some of the interference experienced by single

antenna units and increases performance and message quality

Cloud Computing

• Access to IT services over the Internet• Data storage• Software• Security• Communications• Etc.

• Security issues (3rd party trust)• VPN connections – use when accessing secure data or services• Sharing of data – 3rd party trust• Cross-border data transfer – is your data in the U.S.?

Domain Objectives

• Concepts & Architecture• Technology & Implementation• Standards• Threats & Countermeasures

Standard Connections

• Types of connectors• RJ-11• RJ-45• BNC (British Naval Connector)• RS-232 (serial ports)

• Cabling Standards• TIA/EIA-568 (Telecommunications Industry

Association/electronic Industries Association)

Domain Objectives

• Concepts & Architecture• Technology & Implementation• Standards• Threats &

Countermeasures

Physical Layer Threats

• Attack vectors• Wire

• Tapping• Wireless

• Sniffing• Equipment

• Modems• Authorized and unauthorized modems

• Emanations and TEMPEST• EMI and RFI

Physical Controls

• Wire• Shielding• Conduit• Faraday cage

• Penetration index• Wireless

• Encryption• Authentication

• Equipment• Locked doors & cabinets

Domain Objectives

• Concepts and Architecture

• Technology & Implementation• Protocols• Threats & Countermeasures

Layer 2: Data Link Layer

• Connects Layers 1 and 3• Converts data from a signal into a frame• Transmits frames to devices• Link-layer encryption• Determines network transmission format

Local Architecture Security

• Perimeter-based security• The “egg” concept of security

• Hardened outside defenses• Lack of internal defenses?

• Security domains• Internal layers of defense• Isolating networks within the organization

Network Partitioning

• Bastion host• Dual-homed host• Screened host and subnet• Demilitarized zone (DMZ)

Network Partitioning

• Three-legged firewall• Disadvantages

• Single point of failure• No defense in depth• Managing firewall rules can be complex

Token Ring and Token Passing

• A token is a special frame that circulates through the ring

• Device must possess the token to transmit• Token passing is used in token ring (IEEE 802.5) and

Synchronous/Asynchronous

• Synchronous• Timing mechanism synchronized data transmission• Robust error checking• Practical for high-speed, high-volume data

• Asynchronous• Clocking mechanism is not used• Surrounds each byte with bits that mark the beginning and end

of transmission

Unicast, Multicast, and Broadcast

• Unicast• Sending of message from one host to another

• Multicasts• Message (video, teleconference, etc) sent to a defined set of recipients• IGMP (Internet Group Management Protocol) – used to manage

multicasting groups (hosts on a network that are interested in a particular multicast)

• Broadcasts• Sends to an unlimited number of recipients. Can send to everyone on

network and sub-networks• Often used to launch DoS

Circuit-Switched vs Packet-Switched

• Circuit-switched network• Dedicated circuit between endpoints• Endpoints have exclusive use of the circuit and its bandwidth• Cost based on duration of the connection. Makes it cost-

effective only for steady communication streams• Packet-switched network

• Data is divided into packets and transmitted on a shared network

• Each packet can be independently routed on the network• Cost based on amount of data transmitted. Appropriate for

transmissions with significant idle time

Switched/Permanent Virtual Circuits

Virtual circuits provide connection between endpoints over high-bandwidth multiuser cable or fiber networks, which cause them to behave with similar performance characteristics as if the circuit were a dedicated physical circuit

• Permanent virtual circuits (PVC)• Carrier configs route through packet-switched network. Unless

changed, route stays the same• Switched virtual circuits (SVC)

• Traffic routing is configured dynamically by the routers each time the circuit is used

Unicast – Point-to-Point

• ISDN (integrated services digital network)• High speed before DSL, cable.

• Ts (T carriers)• Time division multiplexing• 1.544 Mbit/s over 24 channels (8000 frames/sec X 193 bits/frame)

• Es (E carriers)• Time division multiplexing• 2.048 Mbps over 30 channels

• OCs (optical carriers)• T3, E3, SONET (3.45% of any speed)

• Suite of protocols for unreliable networks• Has a strong focus on error correction• Users and hosts connect through a packet switched

network• Most organizations now opt for frame relay and ATM

instead of X.25 for packet switching

Frame Relay

• Network cloud of switches• Customers share resources in the cloud• The cloud is assumed to be reliable• Customers are charged only for bandwidth used

Asynchronous Transfer Mode (ATM)

• Connection-oriented• Uses virtual circuits• Guarantees quality of service but not the delivery of

cells• Types of virtual circuits

• Constant Bit Rate (CBR)• Variable Bit Rate (VBR)• Unspecified Bit Rate (UBR)• Available Bit Rate (ABR)

Multi-Protocol Label Switching (MPLS)

• Bandwidth management and scalability• Permits traffic engineering• Provides quality of service and defense against network

attacks• Operates at Layers 2 and 3• Operates over most other packet switching technologies

such as frame relay and ATM• Created for performance but has the effect of being a

tunnel

Digital Subscriber Lines (DSL)

• Uses CAT-3 cables and the local telecom loop• Asymmetric digital subscriber line (ADSL)

• Downstream speeds greater than upstream• Rate-adaptive DSL (RADSL)

• Upstream transmission rate is auto tuned depending on the quality of the line

• Symmetric digital subscriber line (SDSL)• Same transmission rate up and down

• Very high bit-rate DSL (VDSL)• Higher transmission rate. 13Mbps down and 2Mbps up

Cable Modem

• PC Ethernet NIC connects to a cable modem• Speeds from 256Kbps to 50Mbps• Bridging device between computers and ISP

• Modem and head-end exchange cryptographic key

• Cable modems increase the need to observe good security practices

Domain Objectives

• Concepts and Architecture• Technology &

Implementation• Protocols• Threats & Countermeasures

Concentrators, Multiplex/Demultiplex

• Combining or splicing signals• Division multiplexing technologies

• TDM – time• FDM – frequency• WDM – wave

• Concentrator combines channels together. Often used to permit several remote access connections to terminate on the network at the same time.

• Multi/Demultiplex combines several signals into a single data stream or breaks them apart.

Switches and Bridges

• Multiport devices to connect LAN hosts• Forward frames only to the specified MAC address• Increasingly sophisticated• Also forward broadcasts

Wireless Local Area Networks

• Allow mobile users to remain connected• Extend LANs beyond physical boundaries

Wireless Standards: IEEE 802.11

• 802.11b – 11 Mbit/s• 802.11a – 54 Mbit/s + error correcting code• 802.11g – max 54 Mbit/s w/ avg 22 Mbit/s• 802.11n (multiple input/output) – 54 to 600 Mbit/s• 802.11i (security) • 802.16 (WiMAX)• 802.15 (Bluetooth)• Wireless multiplexing

• OFDM/DSSS/FHSS (AFH)

Authentication

• Paramount to the security of wireless LANs• SSID

• SSID broadcast• Open systems authentication• Shared key authentication• MAC address filtering• Extensible authentication protocol

Wireless Encryption

• WEP – shared secret. Can be cracked in 3 to 30 sec

• WPA – uses RC4 w/ 128 bit keys. IV of 48 bits. Temporal Key Integrity Protocol (TKIP) providing different key per packet

• WPA2 – AES instead of RC4. TKIP replace w/ Counter-Mode/CBC-MAC protocol (CCMP)

• Extensible authentication protocol• EAP-TLS – client and server mutually authenticate & use certs• EAP-TTLS – less secure than EAP-TLS• EAP-PEAP – encrypted tunnel but less secure than EAP-TLS

Domain Objectives

• Concepts and Architecture• Technology & Implementation• Protocols• Threats & Countermeasures

Point-to-Point Protocols (PPP)

• RFC 1331

• Encapsulation• Link control protocol (LCP)• Network control protocols

• PPP provides a standard method of encapsulating Network Layer protocol information over point-to-point links

Address Resolution Protocol (ARP)

• ARP (RFC 826)• Generic address-resolution protocol. Was designed to be able

to convert any network protocol address to any data-link address. Use today is normally to resolve 802.x addresses to IP addresses

• RARP (RFC903)• Used to map a devices MAC address to its IP address

• ARP cache poisoning• Valid request is answered by an invalid authority

Password Authentication Protocol (PAP)

• Identification and authentication of remote entity• Uses a cleartext, reusable (static) password• Supported by most network devices• Advantages

• Standards based solution that provides interoperability in a multivendor network

• Inexpensive to install and operate• DB is encrypted

• Disadvantages• PW is transmitted in the clear• Reply is either an ACK or NAK. No replay protection.

Challenge Handshake Authentication Protocol

• CHAP• Periodically revalidates users• Standard password database is unencrypted• Password is sent on a one-way hash• MSCHAP

• Server stores an encrypted hash of user’s pw

Domain Objectives

• Concepts and Architecture• Technology & Implementation• Protocols• Threats & Controls

Link Layer Threats

• Confidentiality• Eavesdropping• Sniffing from reconnaissance• Offline brute force• Unapproved wireless

• Integrity• Modification/injection/highjacking• Man-in-the-middle• Force weaker authentication

• Availability• DoS/jamming

• Others• Rogue access points/ad hoc

networks• War driving• Open wireless networks

Controls for Wireless Threats

• Encryption

• Authentication

• RF management

Domain Objectives

• Concepts & Architecture• Technology & Implementation• Protocols• Threats & Controls

Layer 3: Network Layer

• Moves information between two hosts that are not physically connected

• Uses logical addressing

Local Area Network (LAN)

• LANs service a relatively small area• Most LANs have connectivity to other networks• VLANs are software-based LAN segments implemented

by switching technology

Metropolitan Area Network (MAN)

• Optimization for city• Uses wireless infrastructure, fiber optics, or Ethernet to

connect sites together• Still needs security• Switched multi-megabit data service (SMDS)• SONET/SDH

Storage Area Network (SAN)

• Hard drive space problem• Server of servers• Fiber backbone• Switched

Wide Area Network (WAN)

• A WAN is a network connecting local networks or access points

• Connections are often shared and tunneled through other connections

Internet/Intranet/Extranet

• Internet• Collection of all interconnected IP networks

• Intranet• Company’s internal Internet

• Extranet• Company will grant other controlled access to an isolated

segment of its own network to allow exchange of information• Granting access to external organizations - risky

Domain Objectives

Implementation• Protocols• Threats & Controls

• Authentication header (AH)• Encapsulating security payload (ESP)• Security parameter index (SPI)• Security associations• Transport mode/tunnel mode• Internet key exchange (IKE)

Tunneling Protocols

• Point-to-point tunneling protocol (PPTP) – Microsoft• Layer 2 forwarding (L2F) – Cisco• Layer 2 tunneling protocol (L2TP) – from Cisco &

Microsoft

• Add IPSEC, becomes VPN

Routers

• Network routing• Layer 3

• Find best path to destination

Firewalls

• Filtering• Filtering by address• Filtering by service

• Static packet filtering• Stateful inspection or dynamic packet filtering• Personal firewalls

• Filter on any field in header

Firewalls

• Enforce administrative security policies

• Separate trusted networks from untrusted networks

• Firewalls should be placed between security domains

Proxy Firewalls

• Circuit-Level proxy• Application-level proxy

Firewalls

Firewall Type OSI Model Layer Characteristics

Packet filtering Network Layer • Routers using ACLs dictate acceptable access to a network

• Looks at destination and source addresses, ports, and services requested

Application-level proxy Application Layer • Deconstructs packets and makes granular access control decisions

• Requires one proxy per service

Firewalls

Firewall Type OSI Model Layer Characteristics

Circuit-level proxy Session Layer • Deconstructs packet• Protects wider range of

protocols and services than app-level proxies, but is not as detailed as a level of control

Stateful Network Layer • Keeps track of each conversation using a state table

• Looks at state and context of packets

End Systems

• Servers and mainframes• Operating systems• Notebooks/laptops/tablet PCs• Workstations• Smartphones• Personal digital assistants• Network Attached Storage (NAS)

End System Protection

• Antivirus• Personal Firewalls• Host-based IDS/IPS• Patch management

Domain Objectives

Routing Protocols

• Routing information protocol (RIP)• Routing table compromise

• Virtual router redundancy protocol (VRRP)• Open shortest path first (OSPF)• Exterior gateway protocol (EGP) – obsolete• Border gateway protocol (BGP)• Intermediate system-to-intermediate system (ISIS)• Interior gateway routing protocol (IGRP)• Enhanced IGRP (EIGRP)

Connectivity Protocols

• ICMP• Redirect attacks• Traceroute• Ping scanning

Internet Protocol (IP)

• Internet Protocol (IP) is responsible for routing packets over a network

• Unreliable protocol – no error checking• IP will subdivide packets• IPv4 address structure

• A larger IP address field• Improved security• A more concise IP packet header• Improved quality of service (QoS)

Internetwork Packet Exchange (IPX)

• Vendor specific• Retired

Domain Objectives

IP Attacks

• Fragmentation attacks• Teardrop attack• Overlapping fragment attacks

• Traceroute exploitation

• Sniffing

Smurf and Fraggle Attacks

• Smurf attack misuses the ICMP echo request

• Fraggle attack uses UDP instead of ICMP• Ping through UDP

• Ping of death

Encryption as a Threat

• Can be used for inappropriate purposes• External attackers

• Can plant encrypted backdoors that will allow them to access system

• Internal attackers• Utilize commonly available tools (SSL, TLS, SSH) to encrypt

traffic to subvert controls• Encrypted backdoors• Tunnels to home computer• Tunnels setup to use company resources for personal pursuits• Tunnels setup to protect criminal/improper behavior• Etc.

IP Addressing Spoofing

• Packets are sent with a bogus source address• Takes advantage of a protocol flaw

Controls

• Policy

• Inbound and outbound traffic controls

• Network partitioning

Domain Objectives

• Concepts & Architecture• Protocols• Threats & Controls

Layer 4: Transport Layer

• End-to-end transport between peer hosts• Connection-oriented and connectionless protocols

Domain Objectives

Transmission Control Protocol (TCP)

• Well-known ports – 0 to 1023• Registered ports – 1024 to 49151• Dynamic and/or private ports – 49152 to 65,535

• Total of 65,536 ports

User Datagram Protocol (UDP)

• Fast

• Low overhead

• No error correction/replay protection

Transport Layer Security (TLS)

• Mutual authentication• Encryption• Integrity

Domain Objectives

Attacks

• SYN Flood• Denial of Service

Threats

• Port scanning• FIN, NULL and XMAS scanning• SYN scanning• TCP sequence number attacks• Session hijacking

Controls

• SYN proxies• Honeypots and honeynets• Tarpits

• Similar to honeypots. Entice hackers by presenting legitimate looking systems that they will spend time attempting to crack.

• Particularly useful against spamming and network (port) scanning

• Continuous or periodic authentication

Domain Objectives

Layer 5: Session Layer

• Client-server model• Middleware and three-tiered architecture

• Many implementations are designed to spread the workload of a complex process to specialized computer in a network

• Mainframe• Keeps sessions local, unless remote terminals are

implemented• Centralized systems

• RADIUS and TACACS+ enable remote connection

Domain Objectives

Technology and Implementation

• Java RMI (remote method invocation)• Allows a program running on one Java VM to invoke methods

running on another JVM

• Microsoft .NET

Domain Objectives

Protocols

• Real-time protocol – RTP• End-to-end delivery services for data such as interactive audio

and video• RTP control protocol – RTCP

• Used to monitor the quality of service and to communicate information about the users during the session

• Remote procedure calls – RPC• Execute objects across hosts• Open network computing remote procedure call (ONCRPC)

• Sun’s version

Remote User Authentication

• RADIUS

• TACACS+

Domain Objectives

RPC Threats and Controls

• Threats• Unauthorized sessions• Invalid RPC exchanges

• Controls• Patch• Block at firewall• Disable unnecessary protocols

Domain Objectives

• Concepts & Architecture• Protocols

Layer 6: Presentation Layer

• Data conversion• Ensures a common format for data• Services for encryption and compression• JPEG

Mainframe to PC Translation

• Extended binary coded decimal interchange code (EBCDIC)

• American standard code for information interchange (ASCII)

• Gateway• Specialized equipment used to translate presentation-layer

protocols• NOT “default gateway”

Domain Objectives

• Concepts & Architecture• Protocols

Audio & Video Compression

• Codec• Compression/decompression

• Conserves bandwidth and storage

VoIP Protocols

• H.323

• Session initiation protocol (SIP)

• Proprietary applications and services

Domain Objectives

Layer 7: Application Layer

• The application layer is not the graphical user interface (GUI)

• Performs communication between peer applications

Domain Objectives

Implementations

• Client/Server• IM

• XMPP (Jabber)• IRC

• Email• WWW

• Peer to Peer• File sharing

Domain Objectives

Protocol Examples

• FTP – File Transfer Protocol• RSH – Remote Shell• IMAP – Internet Message Access Protocol• IRC – Internet Relay Chat• MIME – Multipurpose Internet Mail Extensions• POP3 – Post Office Protocol (v3)• Rlogin – Remote login in UNIX systems• SOAP – Simple Object Access Protocol• SSH – Secure Shell• TELNET – Terminal Emulation Protocol

Communication Services

• Synchronous messaging• Instant messaging (IM)• Internet relay chat (IRC)

• Asynchronous messaging• Simple mail transfer protocol (SMTP)• Post office protocol (POP)• Internet message access protocol (IMAP)• Network news transfer protocol (NNTP)

Remote Communication Services

• TCP/IP terminal emulation protocol (TELNET)• Remote login (RLOGIN), remote shell (RSH), remote

copy (RCP)• X Window system (XII)• Video and multimedia

Storage Data Services

• File transfer protocol (FTP)• Trivial file transfer protocol (TFTP)• Hypertext transfer protocol (HTTP)• HTTP over TLS (HTTPS)• Secure hypertext transfer protocol (S-HTTP)• Proxies

Domain Objectives

Threats and Controls

• Authenticity• Eavesdropping• Scripting• Social engineering• Spam over instant messaging (SPIM)• Tunneling firewalls• Email spoofing

• Spam

Domain Objectives

• Concepts & Architecture• Technology & Implementation• Threats & Controls

Mobile Telephony – Cellular Service

• Analog• Advanced mobile phone service (AMPS)

• Digital• Global service for mobile communications (GSM)

• EDGE (enhanced data rate for GSM evolution)• General packet radio service (GPRS)

• Data

Domain Objectives

Implementation• Threats & Controls

Telephony Technology

• PSTN• PBX• Facsimile• Voice firewalls

• VOIP• SIP, H.323

• TDMA, CDMA, FDMA

Voice over IP

• Reduced cost• Coverged technology• Security

Domain Objectives

• Concepts & Architecture• Technology & Implementation• Threats & Controls

Common Threats

• War dialing• PBX administration• War driving• Fraudulent toll• Voice eavesdropping

Domain Objectives

Directory Services

• Domain name service (DNS)• Lightweight directory access protocol (LDAP)• Network basic input output system (NetBIOS)• Network information service (NIS/NIS+)

Configuration Services

• Simple network management protocol (SNMP)• Dynamic host configuration protocol (DHCP)• Network time protocol (NTP)• Finger user information protocol

Storage Server Services

• Common internet file system (CIFS)/server message block (SMB)

• Network file system (NFS)• Secure NFS (SNFS)

Domain Objectives

DSN Threats

• Spoofing• Query manipulation:

• Hosts file manipulation• Social engineering

• Information disclosure• Domain litigation• Cybersquatting

Email Threats

• Spoofing• Open mail relay servers• Spam and filtering• Phishing

Server Message Block (SMB) Threats

• Buffer overflows

Controls

• DNS security extensions (DNSSEC)• Mail filtering• IM policy• Turn off SMB

Telecommunications and Network Security Domain Summary

CISSP Summary

• Domain 1 – Access Control• Domain 2 – Business continuity and Disaster Recovery Planning• Domain 3 – Cryptography• Domain 4 – Information Security Governance and Risk Management• Domain 5 – Legal, Regulations, Investigations, and Compliance• Domain 6 – Operations Security• Domain 7 – Physical (Environmental) Security• Domain 8 – Security Architecture and Design• Domain 9 – Software Development Security• Domain 10 – Telecommunications and Network Security

Questions?

how i passed the cissp test: lessons learned in certification

Documents

cissp week 26

cissp week 20

cissp mindmap

cissp study notes from cissp prep guide - edy susanto

reasons to become cissp certified keith a. watson, cissp...

cissp week 6

63739262 cissp exercise

lessons learned from implementing existing standards dos and...

pass4sure cissp

cissp dumps is success shortcut | get now cissp actual...

cissp – chapter 7

cissp® training seminar registration...

cissp summary v1.1

cissp: certified information systems security professional...

cissp week 14

cissp week

cissp aide memoire20v4

5 ¾ things we learned brokering clouds · 5 ¾ things we...

cissp week 16

guide tothe cissp*cbk - verbundzentrale des · pdf...