Domain 1: Security and Risk Management Written Products – ensure they are done CIRT – implement and operate

Security Awareness – provide leadership Communicate – risk to higher

Concepts (10) management
CIA Report to as high a level as possible Security is everyone’s responsibility
DAD - NEGATIVE -(disclosure alteration and destruction) Control Frameworks (17)
Confidentiality - prevent unauthorized disclosure, need to know, and least Consistent – approach & application
privilege. Assurance that information is not disclosed to unauthorized
programs, users, processes, encryption, logical and physical access control, Measurable – way to determine progress
Integrity - no unauthorized modifications, consistent data, protecting data or a Standardized – all the same
resource from being altered in an unauthorized fashion
Comprehension – examine everything
Availability - reliable and timely, accessible, fault tolerance and recovery
procedures, WHEN NEEDED Modular – to help in review and adaptive. Layered, abstraction

IAAA - requirements for accountability Due Care – Which means when a company did all that it could have
reasonably done to try and prevent security breach / compromise / disaster,
Identification - user claims identity, used for user access control and took the necessary steps required as countermeasures / controls
(safeguards). The benefit of “due care” can be seen as the difference between
Authentication - testing of evidence of users identity the damage with or without “due care” safeguards in place. AKA doing
something about the threats, Failing to perform periodic security audits can
Accountability - determine actions to an individual person
result in the perception that due care is not being maintained
Authorization - rights and permissions granted
Due Diligence – means that the company properly investigated all of its
Privacy - level of confidentiality and privacy protection possibly weaknesses and vulnerabilities AKA understanding the threat

Risk (12) Intellectual property laws (24)

Not possible to get rid of all risk. Patent - grants ownership of an invention and provides enforcement for
owner to exclude others from practicing the invention. After 20 years the idea
Get risk to acceptable/tolerable level is open source of application
Baselines – minimum standards Copyright - protects the expression of ideas but not necessarily the idea itself
ex. Poem, song @70 years after author dies
ISO 27005 – risk management framework
Trade Secret - something that is propriety to a company and important for its
Budget – if not constrained go for the $$$ survival and profitability (like formula of Coke or Pepsi) DON’T REGISTER
Responsibilities of the ISO (15) – no application
Trademarks - words, names, product shape, symbol, color or a combination • Directs public directories to be subjected to tight controls
used to identify products and distinguish them from competitor products
(McDonald’s M) @10 years • Takes an OPT-IN approach to unsolicited commercial electronic
communications
Wassenaar Arrangement (WA) – Dual use goods & trade, International
cryptographic agreement, prevent destabilizing • User may refuse cookies to be stored and user must be provided with
information
Computer Crimes – loss, image, penalties
• Member states in the EU can make own laws e.g. retention of data
Regulations
COBIT - examines the effectiveness, efficiency, confidentiality, integrity,
SOX, Sarbanes Oxley, 2002 after ENRON and World Online debacle availability, compliance, and reliability of high level control objectives.
Independent review by external accountants. Having controls, GRC heavy auditing, metrics, regulated industry.
Section 302: CEO’s CFO’s can be sent to jail when information they sign is Data Breaches (27)
incorrect. CEO SIGN
Incident – an event that has potential to do harm
Section 404 is the about internal controls assessment: describing logical
controls over accounting files; good auditing and information security. Breach – incident that results in disclosure or potential disclosure of data

Corporate Officer Liability (SOX) Data Disclosure – unauthorized acquisition of personal information

- Executives are now held liable if the organization they represent is not Event – Threat events are accidental and intentional exploitations of
compliant with the law. vulnerabilities

Negligence occurs if there is a failure to implement recommended Laws (28)

precautions, if there is no contingency/disaster recovery plan, failure to
ITAR, 1976. Defense goods, arms export control act
conduct appropriate background checks, failure to institute appropriate
information security measures, failure to follow policy or local laws and FERPA – Education
regulations.
GLBA, Graham, Leach, Bliley; credit related PII (21)
COSO – framework to work with Sarbanes-Oxley 404 compliance
ECS, Electronic Communication Service (Europe); notice of breaches
European laws: TREADWAY COMMISSION
Fourth Amendment - basis for privacy rights is the Fourth Amendment to the
Need for information security to protect the individual. Constitution.
Privacy is the keyword here! Only use information of individuals for what it 1974 US Privacy Act - Protection of PII on federal databases
was gathered for (remember ITSEC, the European version of TCSEC that
came from the USA/Orange Book, come together in Common Criteria, but 1980 Organization for Economic Cooperation and Development (OECD) -
there still is some overlap) Provides for data collection, specifications, safeguards

• strong in anti-spam and legitimate marketing

1986 (amended in 1996) US Computer Fraud and Abuse Act - Trafficking in Just because something is legal doesn’t make it right. Within the ISC context:
computer passwords or information that causes a loss of $1,000 or more or Protecting information through CIA
could impair medical treatment.
ISC2 Code of Ethics Canons
1986 Electronic Communications Privacy Act - Prohibits eavesdropping or
interception w/o distinguishing private/public • Protect society, the commonwealth, and the infrastructure.

Communications Assistance for Law Enforcement Act (CALEA) of 1994 - • Act honorably, honestly, justly, responsibly, and legally.
amended the Electronic
• Provide diligent and competent service to principals.
Communications Privacy Act of 1986. CALEA requires all communications
• Advance and protect the profession.
carriers to make wiretaps possible for law enforcement with an appropriate
court order, regardless of the technology in use. Internet Advisory Board (IAB)
1987 US Computer Security Act - Security training, develop a security plan, Ethics and Internet ( 1087)
and identify sensitive systems on govt. agencies.
Don’t compromise the privacy of users. Access to and use of Internet is a
1991 US Federal Sentencing Guidelines - Responsibility on senior privilege and should be treated as such It is defined as unacceptable and
management with fines up to $290 million. Invoke prudent man rule. Address unethical if you, for example, gain unauthorized access to resources on the
both individuals and organizations internet, destroy integrity, waste resources or compromise privacy
1996 US Economic and Protection of Propriety Information Act - industrial Business Continuity plans development (38)
and corporate espionage
• Defining the continuity strategy
1996 Health Insurance and Portability Accountability Act (HIPPA) –
amended • Computing strategy to preserve the elements of HW/SW/ communication
lines/data/application
1996 US National Information Infrastructure Protection Act - Encourage
other countries to adopt similar framework. • Facilities: use of main buildings or any remote facilities

Health Information Technology for Economic and Clinical Health Act of People: operators, management, technical support persons
2009 (HITECH) - Congress amended HIPAA by passing this Act. This law
updated many of HIPAA’s privacy and security requirements. One of the Supplies and equipment: paper, forms HVAC
changes is a change in the way the law treats business associates (BAs), Documenting the continuity strategy
organizations who handle PHI on behalf of a HIPAA covered entity. Any
relationship between a covered entity and a BA must be govern ed by a BIA (39)
written contract known as a business associate agreement (BAA). Under the
new regulation, BAs are directly subject to HIPAA and HIPAA Goal: to create a document to be used to help understand what impact a
disruptive event would have on the business
enforcement actions in the same manner as a covered entity. HITECH also
introduced new data breach notification requirement. Gathering assessment material

Ethics (33) • Org charts to determine functional relationships

• Examine business success factors Rotation of duties - limiting the amount of time a person is assigned to
perform a security related task before being moved to different task to
Vulnerability assessment prevent fraud; reduce collusion
• Identify Critical IT resources out of critical processes, Identify disruption Mandatory vacations - prevent fraud and allowing investigations, one week
impacts and minimum; kill processes
Maximum, Tolerable Downtime (MTD) Need to know - the subject is given only the amount of information required
to perform an assigned task, business justification
• Loss Quantitative (revenue, expenses for repair) or Qualitative (competitive
edge, public embarrassment). Presented as low, high, medium. Agreements – NDA, no compete, acceptable use
• Develop recovery procedures Employment (48)
Analyze the compiled information staff members pose more threat than external actors, loss of money stolen
equipment, loss of time work hours, loss of reputation declining trusts and
• Document the process Identify inter-dependability
loss of resources, bandwidth theft, due diligence
• Determine acceptable interruption periods
Voluntary & involuntary - Exit interview!!
Documentation and Recommendation
Third Party Controls (49)
RTO<MTD
• Vendors
Administrative Management Controls (47)
• Consultants
Separation of duties - assigns parts of tasks to different individuals thus no
• Contractors
single person has total control of the system’s security mechanisms; prevent
collusion M of N Control - requires that a minimum number of agents (M) Properly supervised, rights based on policy
out of the total number of agents (N) work together to perform high-security
tasks. So, implementing three of eight controls would require three people out Risk Management Concepts (52)
of the eight with the assigned work task of key escrow recovery agent to
work together to pull a single key out of the key escrow database Threat – damage Vulnerability – weakness to threat vector (never does
anything) Likelihood – chance it will happen Impact – overall effects
Least privilege - a system’s user should have the lowest level of rights and Residual Risk – amount left over Organizations own the risk Risk is
privileges necessary to perform their work and should only have them for the determined as a byproduct of likelihood and impact
shortest time. Three types: Read only, Read/write and Access/change
ITIL (55)
Two-man control - two persons review and approve the work of each other,
for very sensitive operations ITIL – best practices for IT core operational processes, not for audit

Dual control - two persons are needed to complete a task • Service

• Change
• Release Preliminary Security Examination (PSE): Helps to gather the elements that
you will need when the actual Risk Analysis takes place.
• Configuration
ANALYSIS Steps: Identify assets, identify threats, and calculate risk.
Strong end to end customer focus/expertise
ISO 27005 – deals with risk
About services and service strategy
Risk Assessment Steps (60)
Risk Management (52)
Four major steps in Risk assessment?
GOAL - Determine impact of the threat and risk of threat occurring
Prepare, Perform, Communicate, Maintain
The primary goal of risk management is to reduce risk to an acceptable level.
Qualitative (57)
Step 1 – Prepare for Assessment (purpose, scope, etc.)
Approval – Form Team – Analyze Data – Calculate Risk – Countermeasure
Step 2 – Conduct Assessment Recommendations -
• ID threat sources and events REMEMBER HYBRID
• ID vulnerabilities and predisposing conditions Quantitative Risk Analysis (58)
• Determine likelihood of occurrence • Quantitative VALUES!!
• Determine magnitude of impact • SLE (single Loss Expectancy) = Asset Value * Exposure factor (% loss of
asset)
• Determine risk
• ALE (Annual loss expectancy) = SLE * ARO (Annualized Rate of
Step 3 – Communicate Risk/results
occurrence)
Step 4 – Maintain Assessment/regularly
Accept, mitigate(reduce by implementing controls calculate costs-),
Types of Risk
Assign (insure the risk to transfer it), Avoid (stop business activity)
Inherent chance of making an error with no controls in place
Loss= probability * cost
Control chance that controls in place will prevent, detect or control errors
Residual risk - where cost of applying extra countermeasures is more than the
Detection chance that auditors won’t find an error estimated loss resulting from a threat or vulnerability (C > L). Legally the
remaining residual risk is not counted when deciding whether a company is
Residual risk remaining after control in place liable.
Business concerns about effects of unforeseen circumstances Controls gap - is the amount of risk that is reduced by implementing
safeguards. A formula for residual risk is as follows: total risk – controls gap
Overall combination of all risks aka Audit risk = residual risk
RTO – how quickly you need to have that application’s information available • Security
after downtime has occurred
• Protection for CIA of assets
RPO - Recovery Point Objective: Point in time that application data must be
recovered to resume business functions; AMOUNT OF DATA YOUR • Other issues created?
WILLING TO LOSE
If it leaves residual data from its function
MTD - Maximum Tolerable Downtime: Maximum delay a business can be
Controls (68)
down and still remain viable * MTD minutes to hours: critical * MTD 24
hours: urgent * MTD 72 hours: important * MTD 7 days: normal * MTD 30 Primary Controls (Types) – (control cost should be less than the value of the
days non-essential asset being protected)
PLAN Accept Build Risk Team Review Administrative/Managerial Policy
Once in 100 years = ARO of 0.01 • Preventive: hiring policies, screening security awareness (also called soft-
measures!)
SLE is the dollar value lost when an asset is successfully attacked
• Detective: screening behavior, job rotation, review of audit records
Exposure Factor ranges from 0 to 1
Technical (aka Logical)
Determination of Impact (61)
• Preventive: protocols, encryption, biometrics smartcards, routers, firewalls
Life, dollars, prestige, market share
• Detective: IDS and automatic generated violation reports, audit logs,
Risk Response (61)
CCTV(never preventative)
Risk Avoidance – discontinue activity because you don’t want to accept risk
• Preventive: fences, guards, locks
Risk Transfer – passing on the risk to another entity
• Detective: motion detectors, thermal detectors video cameras
Risk Mitigation – elimination or decrease in level of risk
Physical (Domain 5)– see and touch
Risk Acceptance – live with it and pay the cost
• Fences, door, lock, windows etc.
Background checks – mitigation, acceptance, avoidance
Prime objective - is to reduce the effects of security threats and vulnerabilities
Risk Framework Countermeasures (63) to a tolerable level

• Accountability Risk analysis - process that analyses threat scenarios and produces a
representation of the estimated
• Auditability
Potential loss
• Source trusted and known
Main Categories of Access Control (67)
• Cost-effectiveness
• Directive: specify rules of behavior Blue team - had knowledge of the organization, can be done frequent and
least expensive Red team - is external and stealthy
• Deterrent: discourage people, change my mind
White box - ethical hacker knows what to look for, see code as a developer
• Preventative: prevent incident or breach
Grey Box - partial knowledge of the system, see code, act as a user
• Compensating: sub for loss of primary controls
Black box - ethical hacker not knowing what to find
• Detective: signal warning, investigate
4 stages: planning, discovery, attack, reporting
• Corrective: mitigate damage, restore control
vulnerabilities exploited: kernel flaws, buffer overflows, symbolic links, file
• Recovery: restore to normal after incident descriptor attacks other model: footprint network (information gathering) port
scans, vulnerability mapping, exploitation, report scanning
Control Accuracy Security Consistency
tools are used in penetration tests
Preventative Data checks, validity checks Labels, traffic padding, encryption
DBMS, data dictionary flaw hypotheses methodology = operation system penetration testing
Control Accuracy Security Consistency Egregious hole – tell them now!
Detective Cyclic Redundancy IDS, audit trails Comparison tools Strategies - External, internal, blind, double-blind
Corrective Checkpoint, backups Emergency Response Database controls Categories – zero, partial, full knowledge test
Functional order in which controls should be used. Deterrence, Denial, Pen Test Methodology (79)
Detection, Delay
Recon/discover - Enumeration - vulnerability analysis -
Penetration Testing (77) execution/exploitation - document
Testing a networks defenses by using the same techniques as external findings/reporting - SPELL OUT AND DEFINE!!!!
intruders
Control Assessment 76 Look at your posture
Scanning and Probing – port scanners
Deming Cycle (83)
• Demon Dialing – war dialing for modems
Plan – ID opportunity & plan for change Do – implement change on small
• Sniffing – capture data packets scale Check – use data to analyze results of change Act – if change
successful, implement wider scale, if fails begin cycle again
• Dumpster Diving – searching paper disposal areas
Identification of Threat (86)
• Social Engineering – most common, get information by asking
Individuals must be qualified with the appropriate level of training.
Penetration testing
• Develop job descriptions
• Contact references Technical training to react to situations, best practices for Security and
network personnel; Employees, need to understand policies then use
• Screen/investigate background presentations and posters etc. to get them aware
• Develop confidentiality agreements Formal security awareness training – exact prep on how to do things
• Determine policy on vendor, contractor, consultant, and temporary staff Terms
access
Wire Tapping eavesdropping on communication - only legal with prior
DUE DILIGENCE consent or warrant
Software Licenses (91) Data Diddling act of modifying information, programs, or documents to
commit fraud, tampers with INPUT data
Public domain - available for anyone to use
Privacy Laws data collected must be collected fairly and lawfully and used
Open source - source code made available with a license in which the
only for the purpose it was collected.
copyright holder provides the rights to study, change, and distribute the
software to anyone Water holing – create a bunch of websites with similar names
Freeware - proprietary software that is available for use at no monetary cost. Work Function (factor): the difficulty of obtaining the clear text from the
May be used without payment but may usually not be modified, re-distributed cipher text as measured by cost/time
or reverse-engineered without the author's permission
Fair Cryptosystems - In this escrow approach, the secret keys used in a
Assurance (92) communication are divided into two or more pieces, each of which is given to
an independent third party. When the government obtains legal authority to
Degree of confidence in satisfaction of security requirements
access a particular key, it provides evidence of the court order to each of the
Assurance = other word for security third parties and then reassembles the secret key.

THINK OUTSIDE AUDIT SLA – agreement between IT service provider and customer, document
service levels, divorce; how to dissolve relationship
Successful Requirements Gathering 92
SLR (requirements) – requirements for a service from client viewpoint
• Don’t assume what client wants
Service level report – insight into a service providers ability to deliver the
• Involve users early agreed upon service quality
• Define and agree on scope Legislative drivers?
• MORE FISMA(federal agencies)
Security Awareness (96) Phase 1 categorizing, selecting minimum controls, assessment
Phase 2: create national network of secures services to assess
Domain 2: Asset Security Policies first and highest level of documentation
Information classification (110) Very first is called Senior management Statement of Policy, Stating
importance, support and commitment
Categorization – Process of determining the impact of loss of CIA of
information to an organization. Types
Identifies the value of the data to the organization. Not all data has same • Regulatory (required due to laws, regulations, compliance and specific
value, demonstrates business commitment to security, Identify which industry standards!)
information is most sensitive and vital
• Advisory (not mandatory but strongly suggested)
Criteria - Value, age, useful life, personal association
• Informative to inform the reader
Levels
Information policy - classifications and defines level of access and method to
Government, military store and transmit information
• Unclassified (have FOUO also) Security policies - authenticates and defines technology used to control
information access and distribution
• Sensitive but unclassified
SYSTEM security policy - lists hardware / software to be used and steps to
• Confidential (some damage) undertake to protect infrastructure
• Secret (Serious damage) (Can have Country specific restrictions also – Standards - Specify use of specific technologies in a uniform way Guidelines
NZAUS SECRET for New Zealand, Australia and US secret) - same as standards but not forced to follow Procedures - detailed steps to
perform a task Baseline - minimum level of security
• Top Secret (Grave damage)
Security planning - involves security scope, providing security management
Private sector (113)
responsibilities and testing security measures for effectiveness.
• Public; used by public or employees
• Strategic - 5 years
• Company Confidential; viewed by all employees but not for general use
• Tactical - shorter than strategic
• Company Restricted – restricted to a subset of employees
• Operational - day to day, short term
• Private; Ex. SSN, credit card info., could cause damage
Data Classification Policy (111)
• Confidential; cause exceptionally grave damage, Proprietary; trade secrets
• Who will have access to data?
• Sensitive; internal business
• How is the data to be secured?
TS = Confidential/Prop, Secret = Private, Confidential = sen
• How long is data to be retained?
Security policies, standards & guidelines (119)
• What method(s) should be used to dispose of data?
• Does data need to be encrypted? Directive on Data Protection; Seven Tenets
• What is the appropriate use of the data? • Notice; data subjects should be given notice when their data is being
collected
Proper Assess Man REQUIRES (113)
• Choice; data should not be disclosed without the data subject’s consent
1. Inventory Management – all things
• Onward Transfer; data subjects should be informed as to who is collecting
2. Configuration Management - +patching their data
IT Asset Management (ITAM) (114) • Security; collected data should be kept secure from any potential abuses
Full life cycle management of IT assets • Data Integrity; reliable, only stated purpose
• CMBD; holds relationships between system components • Access; data subjects should be allowed to access their data and make
corrections to any inaccurate data
• incidents, problems, known error, changes, and releases
• Enforcement; accountability, data subjects should have a method available
• Single repository
to them to hold data collectors accountable for not following the above
• Organizationally aligned - scalable principles

US-EU (Swiss) Safe Harbor (124) NOT REASON or RETENTION TIME

The EU Data Protection Directive To be replaced, in 2018, by the General US Org is Data Processors when they classify and handle data, EU company
Data Protection Regulation (GDPR) would be Business/Mission owners, US org. would also be Data
Administrators
Bridge differences in approach and provide a streamlined means for U.S.
organizations to comply with European Commissions. Data processors have responsibility to protect privacy of data Dpt. of
Commerce holds list of participants
STRENGTHENING INDIVIDUALS RIGHTS
Can transfer to non-Safe Harbor entities with permission
• Data obtained fairly and lawfully
FTC – overseas compliance framework for organizations wishing to use
• Data only used for original purpose personal data of EU citizens
• Adequate, relevant, and not excessive to purpose Self-certify but Dpt. Of Transportation or FTC can enforce
• Accurate and up to date Gramm/Leach/Bailey Act delaying application to financial markets.
• Accessible to the subject Roles and responsibilities
• Kept secure Senior Manager ultimate responsibility
• Destroyed after purpose is complete Information security Officer functional responsibility
• Ensure policies etc. are written by app. Unit • Ensure accessibility, maintain and monitor security
• Implement/operate CIRTs • Dataset maintenance, archiving
• Provide leadership for security awareness • Documentation, including updating
• Communicate risk to senior management • QA, validation and audits
• Stay abreast of current threats and technology • Run regular backups/restores and validity of them
Security Analyst Strategic, develops policies and guide • Insuring data integrity and security (CIA)
Data Ownership (128) • Maintaining records in accordance to classification
Data Life - Creation, use, destruction(subservient to security policy) • Applies user authorization
Data/Information Owner • Implement security controls
• Ultimate organizational responsibility for data System Owners - Select security controls
• Categorize systems and data, determine level of classification Administrators - Assign permission to access and handle data
• Required controls are selected for each classification End-user
• Select baseline security standards • Uses information as their job
• Determine impact information has on organization • Follow instructions in policies and guidelines
• Understand replacement cost (if replaceable) • Due care (prevent open view by e.g. Clean desk)
• Determine who needs the information and circumstances for release • Use corporation resources for corporation use
• Determine when information should be destroyed Auditor examines security controls
• Responsible for asset review and change classification QC & QA (131)
• Can delegate responsibility to data custodian Quality Control (QC) – assessment of quality based on internal standards
• Authorize user privilege Quality Assurance (QA) – assessment of quality based on standards external
to the process and involves reviewing of the activities and quality control
Data Custodian Responsibilities (129) processes.
• Day-to-day tasks, grants permission to users in DAC Benefits of Data Standards (134)
• Adhere to data policy and data ownership guidelines Increased data sharing
Considerations (134) Clearing – Prepping media for reuse at same level. Removal of sensitive data
from storage devices in such a way that the data may not be reconstructed
Borders using normal system functions or utilities. May be recoverable with special
lab equipment. Data just overwritten.
Encryption
Purging – More intense than clearing. Media can be reused in lower systems.
Data Modeling (135)
Removal of sensitive data with the intent that the data cannot be
Smallest bits of information the Db will hold –granularity reconstructed by any known technique.

When do we replace –then think about next one Destruction – Incineration, crushing, shredding, and disintegration are stages
of this
CRITICAL = AVAILABILITY
Encrypt data is a good way to secure files sent through the internet
Data Remanence (140)
SSD Data Destruction (142)
Residual physical representation of data that has been in some way erased.
PaaS deals with it best in Cloud • NIST says to “disintegrate”

Remanence - Residual data left on media after erase attempts • SSD drives cannot be degaussed, space sectors, bad sectors, and wear
space/leveling may hide
Remove unwanted remnant data from magnetic tapes
• nonaddressable data, encrypt is the solution
• Physical destruction
• Erase encryption key to be unreadable
• Degaussing
• Crypto erase, sanitization, targeted overwrite (best)
• Overwriting
Buy high quality media – value of data exceeds cost of media Sanitation is
• NOT Reformatting business normal, not destruction for costs reasons
Sanitizing – Series of processes that removes data, ensures data is Reuse - Downgrading equipment for reuse will probably be more expensive
unrecoverable by any means. than buying new
Removing a computer from service and disposed of. All storage media Metadata – helps to label data and prevent loss before it leaves the
removed or destroyed. organization,
Degaussing – AC erasure; alternating magnetic fields, DC erasure; Data mart - metadata is stored in a more secure container
unidirectional magnetic field or permanent magnet, can erase tapes
Baselines (154)
Erasing – deletion of files or media, removes link to file, least effective
Select based on the data classification of the data stored/handled
Overwriting/wiping/shredding – overwrites with pattern, may miss
• Which parts of enterprise can be protected by the same baseline?
Zero fill – wipe a drive and fill with zeros
• Should baseline be applied throughout whole enterprise? Nice to Know
• At what security level should baseline aim? Classifying Costs – cost are not a factor in classifying data but are in controls
How will the controls be determined? and Telnet are unencrypted! SFTP and SSH provide encryption to protect
data and credentials that are used to log in
Baseline – Starting point that can be tailored to an organization for a
minimum security standard. Record Retention Policies – how long data retained and maintained
Common security configurations, Use Group Policies to check and enforce Removable Media – use strong encryption, like AES256, to ensure loss of
compliance media does not result in data breach
Scoping and Tailoring (157) Personnel Retention – Deals with the knowledge that employees gain while
employed.
Narrows the focus and of the architecture to ensure that appropriate risks are
identified and addressed. Record Retention – retaining and maintaining information for as long as it’s
needed
Scoping – reviewing baseline security controls and selecting only those
controls that apply to the IT system you’re trying to protect. Label Data – to make sure data is identifiable by its classification level. Some
label all media that contains data to prevent reuse of Public media for
Tailoring – modifying the list of security controls within a baseline so that sensitive data.
they align with the mission of the organization.
Data in RAM is Data in use.
Supplementation – adding assessment procedures or assessment details to
adequately meet the risk management needs of the organization CIS – Center for Internet Security;creates list of security controls for ,
mobile, server, and network devices
Link vs. End to End Encryption (174)
Standards Selection (158-185)
Link - is usually point to point EVERYTHING ENCRYPTED “Black pipe,
black oil, black ping pong balls” all data is encrypted, normally did by NIST – National Institute of Standards and Technology
service providers
NIST SP 800 series - address computer security in a variety of areas
End to End – You can see ALL BUT PAYLOAD, normally done by users
800-14 NIST SP – GAPP for securing information technology systems
YOU CAN LAYER THESE ENCRYPTION TYPES
800-18 NIST – How to develop security plans
Email is not secured unless encrypted
800-27 NIST SP - Baseline for achieving security, five lifecycle planning
NETSCAPE INVENTED SSL, SSLv3 still used phases (defined in 800-14), 33 IT security principles
USE TLSv1.2 now for test • Initiation
PGP = GnuPG (GNP) – not rely on open • Development/Acquisition
S/MIME – secure email • Implementation
• Operation/Maintenance COPPA – California Online Privacy Protection Act, operators of commercial
websites post a privacy policy if collecting personal information on CA
• Disposal residents
800-88 - NIST guidelines for sanitation and disposition, prevents data Curie Temperature – Critical point where a material’s intrinsic magnetic
remanence alignment changes direction.
800-122 - NIST Special Publication – defines PII as any information that can Dar – Data at rest; inactive data that is physically stored, not RAM, biggest
be used to trace a person identity such as SSN, name, DOB, place of birth, threat is a data breach, full disk encryption protects it (Microsoft Bitlocker
mother’s maiden name and Microsoft EFS, which use AES, are apps)
800-137 - build/implement info security continuous monitoring program: DLP – Data Loss/Leakage Prevention, use labels to determine the appropriate
define, establish, implement, analyze and report, control to apply to data.
800-145 - cloud computing Won’t modify labels in real-time.
FIPS – Federal Information Processing Standards; official series of ECM – Enterprise Content Management; centrally managed and controlled
publications relating to standards and guidelines adopted under the FISMA,
Federal Information Security Management Act of 2002. Non-disclosure Agreement – legal agreement that prevents employees from
sharing proprietary information
FIPS 199 – Standards for categorizing information and information systems.
PCI-DSS – Payment and Card Industry –Security Standards Council; credit
FIPS 200 – minimum security requirements for Federal information and cards, provides a set of security controls /standards
information systems
Watermark – embedded data to help ID owner of a file, digitally label data
DOD 8510.01 – establishes DIACAP and can be used to indicate ownership.
ISO 15288 – International systems engineering standard covering processes Domain 3: Security Engineering
and life cycle stages
Systems Engineering & Modeling (194)
• Agreement
Common Criteria ISO 15408 - Structured methodology for documenting
• Organization Project security requirements, documenting and validating
• enabling A SECURITY PRODUCT MAY BE CERTIFIED
• Technical Management Defines a protection profile that specifies the security requirements and
protections of a product that is to be evaluated. Organized around TCB
• Technical
entities. Evaluation Assurance Levels (EAL)
Nice to Know
• EAL0 – Inadequate assurance
• EAL1 – Functionally tested
• EAL2 – Structurally tested OS Kernel ()
• EAL3 – Methodically tested and checked Loads & runs binary programs, schedules task swapping, allocates memory &
tracks physical location of files on computers hard disk, manages IO/OP
• EAL4 – Methodically designed, tested and reviewed requests from software, & translates them into instructions for CPU
• EAL5 – Semi formally designed and tested Common System Components (198)
• EAL6 – Semi formally verified design and tested Primary Storage – is a temporary storage area for data entering and leaving
the CPU
• EAL7 – Formally verified design and tested
Random Access Memory (RAM) – is a temporary holding place for data used
Target of Evaluation (TOE): the product
by the operating systems. It is volatile; meaning if it is turned off the data will
Protection Profile (PP): set of security requirements for a category of be lost. Two types of RAM are dynamic and static. Dynamic RAM needs to
products that meet specific consumer security needs be refreshed from time to time or the data will be lost. Static RAM does not
need to be refreshed.
Security Target (ST): identifies the security properties of TOE
Read-Only Memory (ROM) – is non-volatile, which means when a computer
Security Functional Requirements (SFRs): Specific individual security is turned off the data is not lost; for the most part ROM cannot be altered.
function ROM is sometimes referred to as firmware. Erasable and Programmable
Read-Only Memory (EPROM) is non-volatile like ROM, however EPROM
Engineering Principles for IT Security (194) can be altered.
NIST SP 800-27 Process states:
• Initiation; need expressed, purpose documented, impact assessment • Stopped; process finishes or must be terminated
• Development/Acquisition; system designed, purchased, programmed, • Waiting; the process is ready for continued execution but is waiting for a
developed or constructed. device or access request
• Implementation; system tested and installed, certification and accreditation • Running; executes on the CPU and keeps going until it finishes, its time
• Operation/Maintenance; performs function, security operations, audits slice expires, or it is blocked

Disposal; disposition of information, HW and SW • Ready; process prepared to execute when CPU ready

Physical controls are your first line of defense, and people are your last Multitasking – execute more than one task at the same time

ISO/IEC 21827:2008 SSE-CMM (Maturity Model) (196) Multiprocessing – more than one CPU is involved.

BIGGEST JUMP IN MATURITY MODEL? Multi-Threading: execute different parts of a program simultaneously

2 –3. FROM REACTIVE TO PROACTIVE

Single state machine – operates in the security environment at the highest The ITIL Core includes five publications addressing the overall life cycle of
level of classification of the information within the computer. In other words, systems. ITIL as a whole identifies best practices that an organization can
all users on that system must have clearance to access the info on that system. adopt to increase overall availability, and the Service Transition publication
addresses configuration management and change management processes.
Multi-state machine – can offer several security levels without risk of
compromising the system’s integrity. • Service Strategy
CICS – complex instructions. Many operations per instruction. Less number • Service Design
of fetches
• Service Transition
RISC – reduced instructions. Simpler operations per instruction. More
fetches. • Service Operations

Software • Continuous Service Improvement

• 1 GL: machine language (used directly by a computer) Types of Security Models (210)

• 2GL: assembler Defining allowed interactions between subjects (active parties) and objects
(passive parties) at a particular moment in time.
• 3GL: FORTRAN. Basic pl/1 and C++
State Machine Model – describes a system that is always secure no matter
• 4GL: Natural / focus and SQL what state it is in. If all aspects of a state meet the requirements of the
security policy, that state is considered secure. A transition occurs when
• 5GL: Prolog, lisp artificial intelligence languages based on logic accepting input or producing output. A transition always results in a new state
(also called a state transition). A secure state machine model system always
Memory Protection (200)
boots into a secure state, maintains a secure state across all transitions, and
Segmentation – dividing a computer’s memory into segments. allows subjects to access resources only in a secure manner compliant with
the security policy.
Protection Keying – Numerical values, Divides physical memory up into
particular sized blocks, each of which has an associated numerical value Information Flow Model – focuses on the flow of information. Information
called a protection key. flow models are based on a state machine model. The Bell-LaPadula and
Biba models are both information flow models.
Paging – divides memory address space into even size blocks called pages.
To emulate that we have more RAM than we have. Information flow models don’t necessarily deal with only the direction of
information flow; they can also address the type of flow. Information flow
SYSTEM KERNAL KNOWS THE LOCATION OF THE PAGE FILE models are designed to prevent unauthorized, insecure, or restricted
information flow, often between different levels of security (these are often
DEP, Data Execution Prevention – a system-level memory protection feature referred to as multilevel models). The information flow model also addresses
that is built into the DEP prevents code from being run from data pages such covert channels by specifically excluding all non-defined flow pathways.
as the default heap, stacks, and memory pools
Noninterference Model – is loosely based on the information flow model.
ITIL (208) However, instead of being concerned about the flow of information, the
noninterference model is concerned with how the actions of a subject at a
higher security level affect the system state or the actions of a subject at a • Cannot read up (simple e=read security rule)
lower security level. Basically, the actions of subject A (high) should not
affect the actions of subject B (low) or even be noticed by subject B. The • Cannot write down (* property rule AKA CONFINEMENT PROPERTY).
noninterference model can be imposed to provide a form of protection against Exception is a trusted subject.
damage caused by malicious programs such as Trojan horses.
• Uses access matrix to specify discretionary access control
Southerland Model
• Use need to know principle
Techniques for Ensuring CIA
• Strong star rule: read and write capabilities at the same level
Confinement – to restrict the actions of a program. Simply put, process
• First mathematical model defined
confinement allows a process to read from and write to only certain memory
locations and resources. This is also known as sandboxing. • tranquility principle in Bell-LaPadula prevents security level of subjects
from being changed once they are created
Bounds – a process consist of limits set on the memory addresses and
resources it can access. The bounds state the area within which a process is • Bell-LaPadula is concerned with preventing information flow from a high
confined or contained. security level to a low security level.
Isolation – When a process is confined through enforcing access bounds that BIBA – MAC “if I in it INTEGRITY MODEL”
process runs in isolation.
• Integrity model
Process isolation ensures that any behavior will affect only the memory and
resources associated with the isolated process • Cannot read down (simple e=read integrity rule)

Models (211) • Simple integrity property

ACCESS CONTROL MATRIX • cannot write up (* integrity)

• Provides access rights to subjects for objects • lattice based (least upper bound, greatest lower bound, flow policy)

• Access rights are read, write and execute • subject at one level of integrity cant invoke subject at a higher level of
integrity
• Columns are ACL’s
• Biba is concerned with preventing information flow from a low security
• Rows are capability lists level to a high security level.
• Supports discretionary access control • Focus on protecting objects from external threat
BELL-LAPADULA = MAC SUBJECTS/OBJECTS/CLEARANCES/ CLARK WILSON
• Confidentiality model • integrity model
• developed by DOD, thus classification • Cannot be tampered, logged, and consistency
• Enforces segregation of duty Grant rule Allows a subject to grant rights to an object
• Requires auditing Create rule Allows a subject to create new rights
• Commercial use Remove rule Allows a subject to remove rights it has
• Works with SCI Constrained Data items, data item whose integrity is to be SEE IMAGE IN ORIGINAL
preserved
Composition Theories
• Access to objects only through programs
Some other models that fall into the information flow category build on the
• An integrity verification procedure (IVP) is a procedure that scans data notion of how inputs and outputs between multiple systems relate to one
items and confirms their integrity. another—which follows how information flows between systems rather than
within an individual system. These are called composition theories because
Information flow model they explain how outputs from one system relate to inputs to another system.
Each object is assigned a security class and value, and information is There are three recognized types of composition theories:
constrained to flow in the directions that are permitted by the security policy.
Thus flow of information from one security level to another. (Bell & Biba) • Cascading: Input for one system comes from the output of another system.
Brewer and Nash • Feedback: One system provides input to another system, which reciprocates
by reversing those roles (so that system A first provides input for system B
The Chinese Wall model provides a dynamic access control depending on and then system B provides input to system A).
user’s previous actions. This model prevents conflict of interests from
members of the same organization to look at information that creates a • Hookup: One system sends input to another system but also sends input to
conflict of another member of that organization. external entities.
Lipner Model MAC – Subjects are labeled as to their level of clearance. Objects are labeled
as to their level of classification or sensitivity.
• Confidentiality and Integrity, BLP + Biba
Subjects – Users(perform work task), Data Owners(protect data), and Data
• 1st Commercial Model Custodians (classify and protect data)
Graham-Denning ITSEC (216)
focused on relationship between subjects and objects • refers to any system being evaluated as a target of evaluation (TOE).
TAKE-GRANT • does not rely on the notion of a TCB, and it doesn’t require that a system’s
security components be isolated within a TCB.
• uses a direct graph to specify the rights that subjects can transfer to objects
or that subjects can take from other subjects • includes coverage for maintaining targets of evaluation after changes occur
without requiring a new formal evaluation.
• Uses STATES and STATE TRANSITIONS
Certification and Accreditation (216)
Take rule Allows a subject to take rights over an object
Certification – is evaluation of security features and safeguards if it meets ISO 27002 – (inspired from ISO 17799) – a guideline which lists security
requirements. Certification is the comprehensive evaluation of the technical control objectives and recommends a range of specific security controls;
and nontechnical security features of an IT system and other safeguards made more granular than 27001. 14 areas BOTH INSPIRED FROM BS7799
in support of the accreditation process to establish the extent to which a
particular design and implementation meets a set of specified security Control Frameworks (223)
requirements.
Consider the overall control framework or structure of the security solution
Accreditation – the formal declaration by the designated approving authority desired by the organization.
(DAA) that an IT system is approved to operate in a particular security mode
COBIT – Control Objectives for Information and Related Technology, is a
using a prescribed set of safeguards at an acceptable level of risk. Once
documented set of best IT security practices crafted by the Information
accreditation is performed, management can formally accept the adequacy of
Systems Audit and Control Association (ISACA). It prescribes goals and
the overall security performance of an evaluated system.
requirements for security controls and encourages the mapping of IT security
System accreditation – a major application or general support system is ideals to business objectives.
evaluated.
COBIT 5 – is based on five key principles for governance and management
Site accreditation – the applications and systems at a specific, self-contained of enterprise IT:
location are evaluated.
• Principle 1: Meeting Stakeholder Needs
Type accreditation – an application or system that is distributed to a number
• Principle 2: Covering the Enterprise End-to-End
of different locations is evaluate
• Principle 3: Applying a Single, Integrated Framework
Product Evaluation Models (216)
• Principle 4: Enabling a Holistic Approach
TCSEC - SEE ORIGINAL
• Principle 5: Separating Governance from Management
Information Technology Security Evaluation Criteria ITSEC: it is used in
Europe only, not USA. COBIT is used not only to plan the IT security of an organization but also as
a guideline for auditors.
Addresses CIA. Unlike TCSEC it evaluates Functionality and assurance
separately Virtualization (229)
Assurance from E0 to E6 (highest) and F1 to F10 (highest). Therefore a Used to host one or more operating systems within the memory of a single
system can provide low assurance and high functionality or vice-versa. host computer. Such an is also known as a guest operating system. From the
perspective that there is an original or host installed directly on the computer
Security Standards (222)
hardware, the additional Oses hosted by the hypervisor system are guests.
ISO 27001 – focused on the standardization and certification of an
• Virtual machine – simulated environment created by the to provide a safe
organization’s information security management system (ISMS), security
and efficient place for programs to execute.
governance, a standard; ISMS. Info security minimum systems
• Virtual SAN – software-defined shared storage system is a virtual re-
creation of a SAN on top of a virtualized network or an SDN
Timing (233) on the same memory page as the instruction being executed. Direct
addressing is more flexible than immediate addressing since the contents of
TOCTTOU attack - race condition exploits, and communication disconnects the memory location can be changed more readily than reprogramming the
are known as state attacks because they attack timing, data flow control, and immediate addressing’s hard-coded data.
transition between one system state to another.
• Indirect Addressing - uses a scheme similar to direct addressing. However,
RACE - two or more processes require access to the same resource and must the memory address supplied to the CPU as part of the instruction doesn’t
complete their tasks in the proper order for normal functions contain the actual value that the CPU is to use as an operand. Instead, the
memory address contains another memory address (perhaps located on a
Memory Components
different page). The CPU reads the indirect address to learn the address where
Register – CPU also includes a limited amount of onboard memory, known the desired data resides and then retrieves the actual operand from that
as registers, that provide it with directly accessible memory locations that the address.
brain of the CPU, the arithmetic-logical unit (ALU), uses when performing
• Base + Offset Addressing – uses a value stored in one of the CPU’s
calculations or processing instructions, small memory locations directly in the
registers as the base location from which to begin counting. The CPU then
CPU.
adds the offset supplied with the instruction to that base address and retrieves
Stack Memory Segment - used by processors to communicate instructions the operand from that computed memory location.
and data to each other
Cloud Service Models (241)
Monolithic Operating System Architecture – all of the code working in kernel
Original service models – SaaS, PaaS; original deployment model-
mode/system mode in an ad hoc and non-modularized
community & hybrid PaaS – Platform-as-a-Service is the concept of
Memory Addressing – When using memory resources, the processor must providing a computing platform and software solution stack as a virtual or
have some means of referring to various locations in memory. The solution to cloud-based service. Essentially, this type of cloud solution provides all the
this problem is known as addressing, aspects of a platform (that is, the operating system and complete solution
package). The primary attraction of PaaS is the avoidance of having to
• Register Addressing – When the CPU needs information from one of its purchase and maintain high-end hardware and software locally.
registers to complete an operation, it uses a register address (for example,
“register 1”) to access its contents. Customer supplies application code that the vendor then executes on its own
infrastructure SaaS – Software-as-a-Service, is a derivative of PaaS. SaaS
• Immediate Addressing – is not a memory addressing scheme per se but provides on-demand online access to specific software applications or suites
rather a way of referring to data that is supplied to the CPU as part of an without the need for local installation. In many cases, there are few local
instruction. For example, the CPU might process the command “Add 2 to the hardware and limitations.
value in register 1.” This command uses two addressing schemes. The first is
immediate addressing—the CPU is being told to add the value 2 and does not IaaS – Infrastructure-as-a-Service, takes the PaaS model yet another step
need to retrieve that value from a memory location—it’s supplied as part of forward and provides not just on-demand operating solutions but complete
the command. The second is register addressing; it’s instructed to retrieve the outsourcing options. This can include utility or metered computing services,
value from register 1. administrative task automation, dynamic scaling, virtualization services,
policy implementation and management services, and managed/ filtered
• Direct Addressing – In direct addressing, the CPU is provided with an Internet connectivity. Deployment Models, parent organization still
actual address of the memory location to access. The address must be located responsible for patching of virtual hosts.
CaaS – not a TERM! Substitution – like shifting and rotating alphabets, can be broken by statistical
looking at repeating characters or repeats
• Private; cloud-based assets for a single organization. Organizations can
create and host private clouds using their own resources. Vernam – cipher (one time pad): - key of a random set of non-repeating
characters
• Community; provides cloud-based assets to two or more organizations.
Maintenance responsibilities are shared based on who is hosting the assets Information Theory – Claude Elmwood Shannon
and the service models.
Transposition – Permutation is used, meaning that letters are scrambled. The
• Public; model includes assets available for any consumers to rent or lease key determines positions that the characters are moved to, for example
and is hosted by an external CSP. Service level agreements can be effective at vertical instead of horizontal
ensuring the CSP provides the cloud- based services at a level acceptable to
the organization. Null Cipher – used in cases where the use of encryption is not necessary but
yet the fact that no encryption is needed must be configured in order for the
• Hybrid – mix of public and private system to work. Ex. Testing, stenography
Database Security (237) Key Length – use with each algorithm based on the sensitivity of information
transmitted, longer key the better!
Aggregation – SQL provides a number of functions that combine records
from one or more tables to produce potentially useful information. Key space – is the range of values that are valid for use as a key for a specific
Aggregation is not without its security vulnerabilities. algorithm. A key space is defined by its bit size. Bit size is nothing more than
the number of binary bits (0s and 1s) in the key.
Aggregation attacks are used to collect numerous low-level security items
and combine them to create something of a higher security level or value. The key space is the range between the key that has all 0s and the key that has
all 1s. Key space doubles each time you add a bit to key length, which makes
Inference – involve combining several pieces of non-sensitive information to cryptanalysis more difficult.
gain access to information that should be classified at a higher level.
However, inference makes use of the human mind’s deductive capacity rather Key Clustering – when different encryption keys generate the same ciphertext
than the raw mathematical ability of modern database platforms. from the same plaintext message BAD
Data Warehousing – large databases, store large amounts of information from Synchronous – each encryption or decryption request is performed
a variety of databases for use with specialized analysis techniques. immediately
Data Mining – technique allow analysts to comb through data warehouses Asynchronous – encrypt/decrypt request are processed in queues.
and look for potential correlated information.
Hash Function – one-way mathematical operation that reduces a message or
Data dictionary – commonly used for storing critical information about data, data file into a smaller fixed length output. Encrypted using private key of
including usage, type, sources, DBMS software reads the data sender.
Key Encryption Concepts and Definitions (243) Registration Authority – performs certificate registration services on behalf of
a CA. RA verifies user credentials
Purpose: protect transmitted information from being read and understood
except by the intended recipient
Certificate Authority – PKI, entity trusted by one or more users as an Cryptographic Algorithm – Step by step procedure to encipher plaintext and
authority in a network that issues, revokes, and manages digital certificates. decipher cipher text
Key Space – represents the total number of possible values of keys in a Cryptography – the art and science of hiding the meaning of communications
cryptographic algorithm for the encryption of a plaintext block sequence to from unintended
increase security by introducing additional cryptographic variance. HOW
HARD TO BRUTE FORCE recipients. (Greek: kryptos=hidden, graphein=to write)

Transposition/permutation – process of reordering plaintext to hide the Cryptology: cryptography + cryptanalysis

message rambo = ombar
Cryptosystem – set of transformations from a message space to cipher space
SP-network – process described by Claude Shannon used in most block
Decipher – To make the message readable, undo encipherment process
ciphers to increase their strength
Encipher – make message unintelligible
Confusion – mixing the key values during repeated rounds of encryption,
make the relationship between ciphertext and key as complex as possible End-to-end encryption – Encrypted information that is sent from point of
origin to destination. In symmetric encryption this means both having the
Diffusion – mix location of plaintext throughout ciphertext, change of a
same identical key for the session
single bit should drastically change hash, dissipate pattern
Exclusive OR – Boolean operation that performs binary addition
Meet in the Middle – Attackers might use a meet-in-the-middle attack to
defeat encryption algorithms that use two rounds of encryption. This attack is Key or Crypto variable – Information or sequence that controls the
the reason that Double DES (2DES) was quickly discarded as a viable enciphering and deciphering of messages
enhancement to the DES encryption (it was replaced by Triple DES (3DES,
Link encryption – stacked encryption using different keys to encrypt each
TDES, EEE, EDE) time
Block Cipher – segregating plaintext into blocks and applying identical One Time Pad – encipher each character with its own unique key that is used
encryption algorithm and key only once, unbreakable supposedly
Cipher – cryptographically transformation that operates on characters or bits. PGP (GPG) – encrypt attached files
DES, word scramble, shift letters
Plaintext – message in clear text readable form
Cipher text or Cryptogram – unintelligible message, encrypt text
Steganography – secret communications where the existence of a message is
Clustering – situation wherein plain text messages generates identical cipher hidden (inside images for example) Dumpster Diving – of going through
text messages using the same algorithm but with different crypto-variables or someone’s trash to find useful or confidential info – it is legal but unethical in
keys nature
Codes – cryptographic transformation that operates at the level of words or Phishing – act of sending spoofed messages that pretend to originate from a
phrases, one by land, two by sea source the user trusts (like a bank)
Cryptanalysis – breaking the cipher text,
Social Engineering – act of tricking someone into giving sensitive or • Proof of origin
confidential info that may be used against the company
• Non-repudiation
Script kiddie – someone with moderate hacking skills, gets code from the
Internet. • Protect data at rest

Red boxing – pay phones cracking • Protect data in transit

Black Boxing – manipulates toll-free line voltage to phone for free Cryptographic Concepts

Blue Boxing – tone simulation that mimics telephone co. system and allows Key Clustering – when different encryption keys generate the same ciphertext
long distance call authorization from the same plaintext message

White box – dual tone, multifrequency generator to control phone system Work Factor – time and effort required to break a protective measure

Phreakers – hackers who commit crimes against phone companies Kirchhoff’s Principle – all but key, secure Synchronous and self-synchronous
Random Number Generators (RNGs)
Salami – removal of a small amount of money otherwise known as skimming
Vigenere Cipher – uses key words and numerous rows (traditionally 26), each
Zero-knowledge proof – is a communication concept. A specific type of one of which is offset by one.
information is exchanged but no real data is transferred, as with digital
signatures and digital certificates. Understand split knowledge. “magic door” Security Monitoring

SEE IMAGE IN ORIGINAL • Reference Monitor and security kernel are used to determine whether a user
should be allowed to access an object
Split knowledge – means that the information or privilege required to
perform an operation is divided among multiple users. This ensures that no • “complete mediation” means that all subjects must be authenticated and
single person has sufficient privileges to compromise the security of the their access rights verified before they can access any object
environment. M of N Control (multiparty key recovery) is an example of split
Methods of Cryptography (247)
knowledge.
Stream-based Ciphers – operate on one character or bit of a message (or data
Skipjack – Like many block ciphers, Skipjack operates on 64-bit blocks of
stream) at a time. The Caesar cipher is an example of a stream and shift
text. It uses an 80-bit key and supports the same four modes of operation
cipher. The one-time pad is also a stream cipher because the algorithm
supported by DES. Skipjack was quickly embraced by the US government
operates on each letter of the plaintext message independently.
and provides the cryptographic routines supporting the Clipper and Capstone
encryption chips. However, Skipjack has an added twist—it supports the SUBSTITUTION, real-time.
escrow of encryption keys.
Advantages
Goals of Cryptography
• bit by bit substitution with XOR & keystream;
• Confidentiality
• Emulates one time pad
• Integrity
• No size difference between plaintext and ciphertext
Disadvantages Does not provide mechanisms for authentication and non-repudiation
• Can be difficult to implement correctly DES (data Encryption Standard) comes from IBM
• Generally weaker than block mode cipher • DEA Data Encryption Algorithm x3.92, using 64 block size and 56bit key
with 8bits parity
• Difficult to generate a truly random unbiased keystream
16-rounds of substitution and transposition cryptosystem
Wireless Stream Cipher Uses: WEP, WPA –use WEP if you have nothing
else, RC4 • Adds confusion(conceals statistical connect between cipher text and
plaintext) and Diffusion (spread the influence of plaintext characters over
Audio Visual many cipher text characters by means of transposition like HIDE→IHED
Block-based Ciphers – ciphers operate on “chunks,” or blocks, of a message • Triple des = three times encrypted DES, preferably with 3 different keys =
and apply the encryption algorithm to an entire message block at the same DES-EE3. Actual key length = 168 bits. Uses 48 rounds of computations
time. The transposition ciphers are examples of block ciphers. (3×16)
SUBSTITUTION & TRANSPOSITION
• Replaced by AES Advanced Encryption Standard
No longer common/effective attack on wireless networks
AES Advanced Encryption Standard
Cipher Modes (249)
• one of the most popular symmetric encryption algorithms
CBC Cipher Block Chaining - blocks of 64 bits with -64bits initialization
vector. Errors will propagate • NIST selected it as a standard replacement for the older Data Encryption
Standard (DES) in 2001.
ECB Electronic Code Book - right block/left block pairing 1-1. Replication
occurs. Secure short messages • BitLocker (a full disk encryption application used with a Trusted Platform
Module) uses AES
Cipher Feedback CFB - stream cipher where the cipher text is used as
feedback into key generation. errors will propagate • Microsoft Encrypting File System (EFS) uses AES for file and folder
encryption
Output Feedback OFB - stream cipher that generates the key but XOR-ing the
plaintext with a key stream. No errors will propagate • AES supports key sizes of 128 bits, 192 bits, and 256 bits, and the US
government has approved its use to protect classified data up to top secret
Counter (CTR) – secure long messages
• Larger key sizes add additional security, making it more difficult for
See 111000111000 it’s XOR unauthorized personnel to decrypt the data.
Symmetric Cryptography (254) • Keys are 128, 192, and 256 bits, blocks 128 bits.
Both the receiver and the sender share a common secret key. Rijndael Block Cipher Algorithm - for speed, simplicity and resistance
against known attacks.
Larger key size is safer > 128
Variable block length and variable key lengths (128,192 and 256 bits)
Can be time-stamped (to counter replay attacks)
Not selected for AES were: power systems (mobile phones etc.) BOTH a hashing and an asymmetric key
algorithm; MD5 & ECC
• RC5 - variable algorithm up 0 to 2048 bits key size
Hybrid Cryptography (266)
• Rivest Cipher 5, or RC5, is a symmetric algorithm patented by Rivest,
Shamir, and Adleman (RSA) Data Security, the people who developed the Uses both asymmetrical and symmetrical encryption
RSA asymmetric algorithm. RC5 is a block cipher of variable block sizes (32,
64, or 128 bits) that uses key sizes between 0 (zero) length and 2,040 bits. • asymmetrical for key exchange

• IDEA - International Data Encryption Algorithm 64 bit plaintext and 128 • symmetrical for the bulk
key length with confusion and diffusion used in PGP software patented
• thus it is fast
requires licenses fees/free noncom.
• example: SSL, PGP, IPSEC S/MIME
• Two fish - key lengths 256 bits blocks of 128 in 16rounds BEAT OUT BY
Rijndal for AES, based on Blowfish Message Digest – summaries of a message’s content (not unlike a file
checksum) produced by a hashing algorithm, checksum?
• Blowfish - by Bruce Schneider key lengths 32 to 448 bits, used on Linux
systems that use bcrypt (DES alternative) MAC – Message Authentication Code
Asymmetric Cryptography (262) Security Assertion Markup Language (SAML) (271)
• Sender and receiver have public and private keys. SAML is an XML-based convention for the organization and exchange of
communication authentication and authorization details between security
• Public to encrypt a message, private to decrypt
domains, often over web protocols. SAML is often used to provide a web-
• Slower than symmetric, secret key (100 to 1000) based SSO (single sign-on) solution. If an attacker can falsify SAML
communications or steal a visitor’s access token, they may be able to bypass
Public Key Algorithms authentication and gain access
RSA - (Rivest, Shamir, & Adleman) works with one way math with large SAML is a common protocol used for SSO on the Internet.
prime numbers (aka trap door functions). Can be used for encryption, key
exchange and digital signatures) Best choice to support a federated identity management system,

Diffie Hellman Key exchange - about exchanging secret keys over an Does not have a security mode and relies on TLS and digital signatures
insecure medium without exposing the keys
If home organization offline implement a cloud based system user training
el Gamal – works with discrete logarithms, based on Diffie Hellman about SSO directs a good idea

DSA Digital Signature Algorithm – the US Government Equivalent of the Service Provisioning Markup Language (SPML) (271)
RSA algorithm
Allow platforms to generate and respond to provisioning requests It is a
ECC -Elliptic Curve Cryptosystem - mathematical properties of elliptical newer framework based on XML but specifically designed for exchanging
curves, IT REQUIRES FEWER RESOURCES THAN RSA. Used in low user information for federated identity single sign-on purposes. It is based on
the Directory Service Markup Language (DSML), which can display LDAP- certificates to people with whom they want to communicate. Certificate
based directory service information in an XML format recipients verify a certificate using the CA’s public key.
Cyber-Physical Systems (CPS) (278) X.509 standard = PKI
Smart networked systems with embedded sensors, processors, and actuators Serial number, owner, issuer name
that are designed to sense and interact with the physical world
Integrity (hash code and message digest), access control, confidentiality (by
History of Crypto (284) encryption), authentication (digital certificates) and non-repudiation (digital
signatures) issuer signs a certificate
Hieroglyphics -sacred carvings
If you only want to check if a mail is not altered: use digital signature! Proves
Scythe - wound papyrus around a wooden rod to see message that the signature was provided by the intended signer trust anchor = public
key that has been verified and that’s trusted
Substitution character - shifting 3 character (C3) for example in the one
(mono-alphabet) alphabet system Digital signatures (296)
Cipher disks - 2 rotating disks with an alphabet around it • no modifications allowed
Jefferson disks - 26 disks that cipher text using an alignment bar • identity can be derived
Unix - uses rot 13 rotate 13 places in the alphabet • Works with a one-way hash (message digest), like SHA-1 (512 bit blocks)
or MD5 (128 bits digest) or HMAC that uses a key
Hagelin machine (M-209) - mechanical cryptographic machine
• Acceptable encryption algorithms choices – DSA, RSA, ECDSA
Enigma - poly-alphabetic substitution cipher machine
HASH it and ENCRYPT message digest
SABSA – Sherwood Applied business security architecture chain of
traceability, 6 layers Correct way to create and use a digital signature – hash the document,
encrypt only the hash with the sender’s private key, send both the plain text
TOGAF – method step by step process and framework. These are the tools to
document and the encrypted hash to recipient
go forward
Email Security (297)
FRAMEWORK AND METHOD
S/Mime - Confidentiality (encryption) Integrity (using PKCS X.509 PKI) and
Zachman Framework – common context to understand a complex
non-rep through signed message digests
architecture, communication and collaboration
PEM - Privacy Enhanced Email Encryption (AES) PKI X.509 and RSA
SEE PAGE 13 FROM ORIGINAL
Message Security protocol - Military X.400. Sign, Encrypt, Hash
PKI (289)
Pretty Good Privacy - uses IDEA and RSA instead
Understand the public key infrastructure (PKI). In the public key
infrastructure, certificate authorities (CAs) generate digital certificates Digital Certificates
containing the public keys of system users. Users then distribute these
contain specific identifying information and their construction is governed by create two digital certificates from different public keys that have the same
international standard MD5 hash.
(X.509), creation and validation of digital certificates CRL’s of a PKI environment holds serial numbers
Who signs a digital certificate – some one vouching for person not the SHA1 - was designed by NIST and NSA to be used in digital signatures
person.
Standard is SHA3 most still use SHA2
CRLs - Certificate Revocation Lists are maintained by the various certificate
authorities and contain the serial numbers of certificates that have been issued root Certificate Authority (CA) must certify its own public key pair
by a CA and have been revoked along with the date and time the revocation
cross certification does not check authenticity of the certificates in the
went into effect
certificates path; MD5 not good for securing passwords
Hashing (300)
Traffic analysis - inference of information from analysis of traffic
ATTACK HASH BY BRUTE FORCE and dictionary
Traffic padding - generation of spurious data units
CRYPTANALYSIS
Collision - Same message digest as a result of hashing.
Basic Technique – BRUTE Force will win with no constraints input of any
Cryptographic Attacks
length and generate a fixed length output
Ciphertext Only - attacker sees only the ciphertext, one of the most difficult
Hash algorithms (Message Digests)
Known Plaintext - attacker knowns both cipher and plaintext
Requirements for HASH
Chosen Plaintext - offline attack (attacker prepares list of plaintexts) -lunch
• works on non-fixed length input
box attack
• must be relatively easy to compute for any input
online attack - (attacker chooses the plaintext based on the ciphertext already
• function must be one way received)

Most used are MD5 (message Digest 128 bits) and SHA1 (signature hashing Chosen ciphertext - attacker chooses both the plaintext values and the
algorithm 160 bits) ciphertext values, cherry picking, feed info and based on what you learned
get key
MD5 – hashing algorithm . It also processes 512-bit blocks of the message,
but it uses four distinct rounds of computation to produce a digest of the same Birthday Attack - Collisions appear much faster, birthdays match
length as the MD2 and MD4 algorithms (128 bits). MD5 has the same adding
POODLE - (Padding Oracle on Downgraded Legacy Encryption) attack
requirements as MD4—the message length must be 64 bits less than a
helped force the movement from SSL 3.0 to TLS because it allowed attackers
multiple of 512 bits. MD5 implements additional security features that reduce
to easily access SSL encrypted messages.
the speed of message digest production significantly. Unfortunately, recent
cryptanalytic attacks demonstrated that the MD5 protocol is subject to CRIME/BEAST - earlier attacks against SSL
collisions, preventing its use for ensuring message integrity. it is possible to
STUXNET – worm aimed at Iranian nuclear capability
Other things to know • Second, ActiveX controls are not subject to the sandbox restrictions placed
on Java applets.
Objects of sensitivity labels are: single classification and component set
‘dominate’ in access control means access to higher or equal access class They have full access to the Windows operating environment and can
perform a number of privileged actions
Security perimeter = line between TCB and outside
Threats (317)
SEE IMAGE IN ORIGINAL
Natural environment threats (earthquakes floods, tornadoes)
Validating TCB = formal for system integrity
Supply system threats (power communications water gas)
Digital Rights Management (298)
Manmade threats (vandalism, fraud, theft)
uses encryption to enforce copyright restrictions on digital media. serves to
bring U.S. copyright law into compliance with terms of two World Politically motivated threats (terroristic attacks, riots bombings)
Intellectual Property Organization (WIPO) treaties. The first major provision
of the DMCA is the prohibition of attempts to circumvent copyright Life safety takes precedence!!
protection mechanisms placed on a protected work by the copyright holder.
Layered defense model: all physical controls should be work together in a
Skip - is a distribution protocol tiered architecture (stacked layers) Vulnerability=weakness threat = someone
will identify the weakness and use it against you and becomes the threat agent
RC4 - is a stream cipher
Risk analysis–>Acceptable risk level–>baseline>implement countermeasures
RC5 and RC6 are block cipher
Major sources:
FIPS 140 hardware and software requirements
• Temperature, Gases, Liquids
Applets
• Organism: viruses, bacteria
Applets – these code objects are sent from a server to a client to perform
some action. In fact, applets are actually self-contained miniature programs • Projectiles: cars, trucks, bullets
that execute independently of the server that sent them.
• Movement: Collapse, earthquakes
Java applets – are simply short Java programs transmitted over the Internet to
• Energy: radio, radiation
perform operations on a remote system.
Nice to Know
ActiveX – controls are Microsoft’s answer to Sun’s Java applets. Operate in a
similar fashion, but they are implemented using a variety of languages(C, C + SMSD - Switched Multimegabit Data Service, a connectionless packet-
+, Java). switching technology. Often, SMDS is used to connect multiple LANs to
form a metropolitan area network (MAN) or a WAN.
Two key distinctions between Java applets and ActiveX controls.
SMDS was often a preferred connection mechanism for linking remote LANs
• First, ActiveX controls use proprietary Microsoft technology and, therefore,
that communicate infrequently, a forerunner to ATM because of the similar
can execute only on systems running Microsoft browsers.
technologies used.
DHCP Snooping – used to shield networks from unauthenticated DHCP Clean=no interference
clients
Line noise: can be EMI or RFI
ICS - industrial control system is a form of computer-management device
that controls industrial processes and machines. ICSs are used across a wide Transient: short duration of noise Counter: voltage regulators,
range of industries, including manufacturing, fabrication, electricity grounding/shielding and line conditioners
generation and distribution, water distribution, sewage processing, and oil
EMI
refining. There are several forms of ICS, including distributed control
systems (DCSs), programmable logic controllers (PLCs), and (SCADA). • COMMON mode noise: difference between hot and ground
SCADA - supervisory control and data acquisition • Traverse mode noise: difference between hot and neutral
Kerchoff principle - a cryptographic system should be secure even if • HINT: common-grounds
everything about the system, except the key, is public knowledge.
Excesses
Input and Parameter Checking - limit how much data can be offered as input.
Proper data validation is the only way to do away with buffer overflows. • SPIKE: short high voltage

Side-channel attack - is a passive, noninvasive attack intended to observe the • SURGE: long high voltage
operation of a device.
• Counter: surge protector
When the attack is successful, the attacker is able to learn valuable
information contained within the smartcard, such as an encryption key Losses

Trust – () • FAULT: short outage

Transitive Trust – Transitive trust is the concept that if A trusts B and B trusts • BLACKOUT: long outage
C, then A inherits trust of C through the transitive property — which works • Counter: Backup power
like it would in a mathematical equation: if a = b, and b = c, then a = c. A
transitive trust extends the trust relation ship between the two security • Long term: Backup Power generator
domains to all of their subdomains. Within the context of least privilege, it’s
important to examine these trust relationships. • Short term: UPS

Nontransitive trust - exists between two security domains, which could be UPS
within the same organization or between different organizations. It allows
• Online uses ac line voltage to charge batteries, power always though UPS
subjects in one domain to access objects in the other domain. A nontransitive
trust enforces the principle of least privilege and grants the trust to a single • Standby UPS, inactive till power down
domain at a time.
Degradation
Electrical Power (319)
• SAG/DIP: short low voltage
Interference
• BROWNOUT: long low voltage
• Counter: constant voltage transformers as an EMI absorbing capacitor control zone - the implementation of either a
Faraday cage or white noise generation or both to protect a specific area in an
Other environment
• Inrush Surge: surge of current required to power on devices Fire (328)
• Common-mode noise: radiation from hot and ground wires Prevention
• Traverse-mode noise: radiation from hot and neutral wires. • Training construction,
Static charge • supplies,
• 40 volts sensitive circuits • reach ability
• 1000 scramble monitor display Detection
• 1500 disk drive data loss • Manual: pull boxes
• 2000 system shutdown • Automatic dial-up: Fire department, aka Auxiliary station alarm
• 4000 Printer Jam • Detectors:
• 17000 Permanent chip damage • Smoke activated,
Humidity (326) • Heat activated,
<40% static electricity up to 20.000 volts • Flame activated(infrared)
NORMAL 40-60% up to 4000 volts Classes
60% corrosion • A Common WATER, SODA ACID (take away temp)
Tempest • B Liquids GAS/CO2, SODA ACID (takes away fuel)
shielding and other emanations-reducing mechanism, a technology that • C Electrical GAS/CO2 (displace O2)
allows the electronic emanations that every monitor produces (known as Van
Eck radiation) to be read from a distance (this process is known as Van Eck • D Metals DRY POWDER
phreaking)
• WATER suppress temperature
White noise - broadcasting false traffic at all times to mask and hide the
presence of real emanations. • SODA ACID reduces fuel supply

Faraday cage - a box, mobile room, or entire building designed with an • CO2 reduces oxygen
external metal skin, often a wire mesh that fully surrounds an area on all sides
• HALON chemical reaction
(in other words, front, back, left, right, top, and bottom). This metal skin acts
Fire extinguishers should be 50 feet from equipment and toward the door Constrained or restricted interface - is implemented within an application to
restrict what users can do or see based on their privileges
Heat
Domain 4: Communications and Network
• Computer hardware 175F (80c)
Security
• Magnetic storage 100F (37c)
Network Layers OSI MODEL (347)
• Paper 350F (176c)
(later succeeded by TCP/IP)
Sprinklers
HINT: All People Seems to Need Data Processing
• Wet pipe always contains water, fuse nozzle melts at 165F
It encapsulates data when going through the layers
• Dry pipe water in tank until clapper valve releases it –only begins to fill
when triggered by excessive heat Application – layer 7 – C, AU, I, NR
• Douches, large amounts of water/foam , SNMP, TELNET, TFTP, SMTP, HTTP, NNTP, CDP, GOPHER, SMB,
NDS, AFP, SAP, NCP, SET, LDAP.
• Pre-action (MOST RECOMMENDED) water in tanks, first water in pipes
when air is lost when heat is detected, then thermal link in nozzle melts to Technology: Gateways.
release water
User data
HALON
Secure HTTP, S-HTTP - encrypting HTTP documents. Also overtaken by
• 1211 = portable SSL
• 1301 = flooding SSL, Secure Socket Layer - encryption technology to provide secure
transactions like credit card numbers exchange. Two layered: SSL record
• FM-200 most common replacement (others: CEA, NAF, FE-13 Argon protocol and handshake protocol. Same as SSH it uses symmetric encryption
INERGEN Low Pressure Water) for private connections and asymmetric or public key cryptography for peer
authentication.
RESISTANCE
Secure Electronic Transaction (SET)- authentication for credit card
• Walls: 1 hour fire rating and adjacent room with paper 2 hours
transactions. Overtaken by SSL
Security Capabilities of Information Systems
Also uses message authentication code for integrity checking.
TPM - Trusted Platform Module is both a specification for a cryptoprocessor
Telnet - terminal emulation enables user to access resources on another
chip on a mainboard and the general name for implementation of the
machine. Port 23
specification. A TPM chip is used to store and process cryptographic keys for
the purposes of a hardware supported/ implemented hard drive encryption File Transfer Protocol - for file transfers. Cannot execute remote files as
system. Generally, a hardware implementation, rather than a software-only programs. Authentication. Port 20 and 21
implementation of hard drive encryption, is considered to be more secure.
TFTP, Trivial File Transfer Protocol - stripped down, can only send/receive TCP Three-way Handshake – SYN, SYN-/ACK, ACK
but not browse directories. No authentication thus insecure. Port 69
Protocols: TCP, UDP, SSL, SSH-2, SPX, NetBIOS, ATP
SMTP, Simple Mail Transfer protocol - email queuing. Port 25
Secure Shell (SSH-2) - Authentication, compression, confidentiality and
SNMP, Simple Networking Management Protocol - collection of network integrity.
information by polling the devices from a management station. Sends out
alerts – called traps - to an database called Management Information Bases Uses RSA certificates for authentication and triple DES for encryption
(MIBs)
TCP, Transmission control protocol – reliable, sequences and works with
Presentation – layer 6 – C, AU, Encryption acknowledgements. Provides a manageable data flow to avoid congestions
overloading and data loss. (Like having a telephone conversation with
Translations like EBCDIC/ANSI; compression/decompression and someone). Connection Oriented.
encryption/decryption. Uses a common format to represent data, Standards
like JPEG, TIFF, MID, ; Technology: Gateway. Messages User UDP, Datagram protocol – unreliable, scaled down version of TCP, no
error correction, no sequencing. Less overhead. (Like sending a letter to
Session - layer 5 -- None someone). Connectionless.
Inter-host communication, logical persistent connection between peer hosts, a Network – layer 3 –C, AU, I
conversation, simplex, half duplex, full duplex.
Path selection and logical/network addressing.
Protocols as NSF, SQL, RADIUS, and RPC. Protocols: PAP, PPTP, RPC
Technology: Virtual circuits (ATM), routers.
Technology: Gateway
Packets
PAP – Password Authentication Protocol
Addressing – IP uses the destination IP to transmit packets thru networks
PPTP – Point-to-Point Tunneling Protocol until delivered
RPC – Remote Procedure Call Protocol Fragmentation – IP will subdivide a packet if its size is greater than the
maximum allowed on a local network
NFS, Network File System - protocol that supports file sharing between two
different file systems Message routing, error detection and control of node data are managed. IP,
IPSEC, ICMP, BGP, OSPF, RIP, BOOTP, DHCP, ZIP, DDP, X.25, NAT and
NetBIOS – IGMP
SSL/TLS - OSPF Open Shortest Path First – routing protocol short path
Transport – layer 4 – C, AU, I SKIP, Simple Key Management for Internet Protocols - provides high
availability in encrypted sessions to protect against crashes. Exchanges keys
End-to-end data transfer services and reliability. Technology: Gateways.
on a session by session basis.
Segmentation, sequencing, and error checking at this layer.
ARP, Address resolution protocol - Used to match an IP address to a
Datagrams
hardware MAC address. ARP sends out broadcast to a network node to reply
with its hardware address. It stores the address in a dynamic table for the Physical – layer 1 - C
duration of the session, so ARP requests are only sent the first time ICMP,
Internet control message protocol - sends messages between network nodes Physical signaling. Coverts bits into voltages or light impulses.
regarding the health of the network. Also informs about rerouting in case of
Electrical, Hardware and software drivers are on this level. It sends and
errors. Utility PING uses ICMP messages to check physical connectivity of
receives bits.
the network machines IPX, Appletalk, and NetBEUI are non-IP protocols.
Repeaters, hubs, cables, USB, DSL, ISDN, ATM
IP, Internet protocol - all hosts have an IP address. Each data packet has an IP
address of sender and recipient. Routing in network is based upon these Physical topologies: BUS, MESH, STAR, TREE, RING
addresses. Datagram service is considered unreliable because there’s no
guarantee that the packet will be delivered, not even that its delivered only Network layers TCP/IP Model (353)
once and no guarantee that its delivered in the same sequence that its sent 32
bits long, IPv6 is 128 bits long Developed by Department of Defense in the 1970s to support the construction
of the internet
DHCP: Dynamic Host Configuration Protocol
HINT: AHIN / ATIN
BootP, Bootstrap Protocol when wireless workstation is on-lined it sends out
a BootP request with its MAC address to get an IP address and the file from Application – layer 4 (Application/Presentation/Session)
which it should boot. Replaced by DHCP Applications and processes that uses the network
Data Link – layer 2 - C Host-to-Host – Layer 3 (Transport)
This layer deals with addressing physical hardware. End-to-end data delivery
FRAMES Protocols: TCP and UDP
Translates data into bits and formats them into data frames with destination Internet – Layer 2 (corresponds to OSI network layer) Defines the IP
header and source address. Error detection via checksums. datagram and handles routing of data across networks
LLC, the Logical Link Control Sub layer - Flow control and error notification Protocols: IP, ARP, RARP, ICMP
MAC: the Media Access Control layer - Physical addressing. Concerns Network access – Layer 1 (Data link, Physical)
frames, logical topologies and MAC-addresses
Routines for accessing physical networks and the electrical connection
Protocols: L2F, PPTP, L2TP, PPP, SLIP, ARP, RARP, SLARP, IARP,
SNAP, BAP, CHAP, LCP, LZS, MLP, Frame Relay, Annex A, Annex D, LPD, Line printer daemon for printing and spooling
HDLC, BPDU, LAPD, ISL, MAC, Ethernet, Token Ring, FDDI
X Windows graphical user interface
RARP, Reverse address resolution protocol - When a hardware address is
known but the IP address has to be found. (like an diskless machine) SEE CHART ON NEXT PAGE

Switches, bridges, hardware addressing Security Modes (used in MAC)

Dedicated security mode: A method of guarding a private network by analyzing the data leaving and
entering. Firewalls can also provide network address translation, so the IP
• All users can access all data. addresses of computers inside the firewall stay hidden from view.
• Clearance for all information. Packet-filtering firewalls (layer 3/4) - use rules based on a packet’s source,
destination, port or other basic information to determine whether or not to
• Need to know for ALL data
allow it into the network.
• system high security mode:
Stateful packet filtering firewalls (layer 7) - have access to information such
• All users can access some data, based on need to know as; conversation, look at state table and context of packets; from which to
make their decisions.
• Clearance for all information
Application Proxy firewalls (layer 7)(3-7 actually) - which look at content
• Need to know for SOME data and can involve authentication and encryption, can be more flexible and
secure but also tend to be far slower.
• compartmented security mode:
Circuit level proxy (layer 5) - looks at header of packet only, protects wide
• All users can access some data, based on their need to know and approval. range of protocols and services than app-level proxy, but as detailed a level of
• Clearance for all information they access control. Basically once the circuit is allowed all info is tunneled between the
parties. Although firewalls are difficult to configure correctly, they are a
• Need to know for SOME data critical component of network security.

• Use of information labels SPF, Static Packet Firewall (layer 3)-

Multi-level: Wireless (364)

• All users can access some data, based on their need to know, approval and IEEE 802.15 is the standard for Bluetooth. IEEE 802.3 defines Ethernet,
clearance. 802.11 defines wireless networking, and 802.20 defines LTE

• Clearance for all information they access Amendment Speed Freq. Range Comp.

• Need to know for SOME data 802.11 2 Mbps 2.4 Ghz FHSS/DSSS

Others: 802.11a 54 Mbps 5 Ghz 150 - OFD A

• controlled: type of multilevel security where a limited amount of trust is 802.11b 11 Mbps 2.4 Ghz 300 - DSSSS b/g/n
placed in the system’s hardware/software along with classification
802.11g 54 Mbps 2.4 Ghz 300 b/g/n
• limited access: minimum user clearance is not cleared and the maximum
data classification is unclassified but sensitive 802.11n 200+ Mbps 2.4 or 5 Ghz 300 a/b/g

Firewalls 802.11ac 1 Gbps 5 Ghz 300 a/b/g

802.16 IEEE 802 WBA
802.11i AES CCMP WPA2 Attenuation - is a decrease in amplitude as a signal propagates along a
transmission medium
Security Enhancement Protocols
SSL session key length is from 40bit to 256 bit
TELNET: Remote terminal access and Secure Telnet
The bridge connects multiple networks at the data link layer, while router
REMOTE PROCEDURE CALL: Secure remote procedure call (SRA) connects multiple networks at the network layer.
SSH – Secure Shell over Telnet for remote server administration via the Data backups addresses availability, integrity and recovery but not
command line confidentiality
Netwok IPV4 (354) IP headers contain 32-bit addresses (in IPv4) and 128 in IPv6. In an Ethernet ,
however, addresses for attached devices are 48 bits long.
TCPIP Classes
Subnet Masks
• Class A network number values begin at 1 and end at 127
• Class A 255.0.0.0
• Class B network number values begin at 128 and end at 191
• Class B 255.255.0.0
• Class C network number values begin at 192 and end at 223
• Class C 255.255.255
ISDN
Types of Wireless Networks (364)
• BRI B-channel 64Kbps, D-channel 16Kbps
Uses the 802.11x specification to create a wireless
• PRI B-and D-channels are 64Kbps
Ad hoc Mode – directly connect two+ clients, no access point
80211 has CSMA/CA as protocol. Can use DSSS and FHSS (ss stands for
spread spectrum) 802.11b uses only DSSS Infrastructure Mode – connects endpoints to a central network, not directly to
each other, need access point and wireless clients for IM mode wireless
Before a computer can communicate with the internet, it needs an IP-address,
a default gateway and a subnet mask Stand-alone Mode – isolated system
To connect multiple segments you can use Bridges, Switches and Routers WEP – don’t use can be cracked in seconds, predecessor to WPA and WPA2,
confidentiality, uses RC4
Fast Ethernet 100Base-TX has as characteristics: 100Mbps data transmission,
1 pairs Cat5 UTP and max segment of 100 meters (328 feet) for encryption, weakened by use of RC4 use of common key and a limited
number of initialization vectors
Unsubnetted netmask is shown as /24
WPA – uses TKIP for data encryption
Other word for DMZ is screened subnet
WPA2 – based on 802.11i, uses AES, key management, reply attack
, RLOGIN and TELNET never uses UDP but TCP
protection, and data integrity, most secure, CCMP included, WPA2
ENTERPRISE Mode - uses RADIUS account lockout if a password- cracker • TCP 1521; Oracle: TCP 3389; RDP
is used
• TCP 3268/3269; global catalog (unsecure/secure)
TKIP – Temporal Key Integrity Protocol, uses RC4
• TCP/UDP; 137-139; NetBIOS services
LEAP – Lightweight Extensible Authentication Protocol, Cisco proprietary
protocol to handle problems with TKIP, security issues don’t use. Provides Switched Networks (378)
reauthentication but was designed for WEP
Coaxial - many workstations, length. 1000Base-T – 100 M Twisted pair to
TCP Ports long. Cat 5 better than cat3 for interference Fiber optics immune to EMI, can
be broken and high cost/expertise Topology failures
• TCP 20 & 21;
Ethernet twisted pair - more resistant than coaxial
• UDP 21; not used for any common file transfer protocol
Token Ring because a token is passed by every station, a NIC that’s is set to
• TCP 22; SSH (SFTP operates over SSH) wrong speed or error can take all network down
• TCP 23; telnet: TCP 515; LPD -print Fiber Distributed Data Interface - form of token ring that has second ring that
activates on error
• TCP 25; SMTP (Simple Mail Transfer Protocol)
Leased lines use multiple lines and/or multiple vendors
• TCP 53; ;
Frame Relay WAN - over a public switched network. High Fault tolerance by
• TCP 110; POP3 relaying fault segments to working.
• TCP 80; HTTP - no confidentiality Speeds: T-1 – 1.544 Mbps, T-3 – 44,736 Mbps (45), ATM – 155 Mbps,
ISDN – 64 or 128 Mbps, CAT 3
• TCP 143; IMAP (Internet Message Access Protocol)
UTP; 10 Mbps, CAT 5; 100 Mbps CAT 5e/6 – 1,000 Mb
• TCP 389; unsecure LDAP
Email Security Solutions & Certs (368)
• TCP 636; LDAP-S over SSL or TLS
LDAP – Lightweight Directory Access Protocol, client/server based directory
• TCP 9100; network printers
query protocol loosely based upon X.500, commonly manages user
• UDP 69; TFTP (Trivial ) information, for accessing directory services and manage certificates Ex.
Active directory, cn=ben+ou=sales Zero or more, comma separated, no semi-
• 6000-6063; X Windows, Linux colon, + to join
• TCP 443; HTTPS – Nikto to scan SASL – provides secure LDAP authentication
• TCP 445; Active Directory OpenLDAP – default, stores user PW in the clear
• TCP; 1433; Microsoft SQL, Db Client SSL Certificates – used to identify clients to servers via SSL (client
authentication)
S/MIME Certificates – used for signed and encrypted emails, can form sign, Repeaters - amplify data signals to extend range (physical)
and use as part of a SSO solution
HUBS - connect multiple devices into a concentrator. Is actually a multi-port
MOSS – MIME Object Security Services, provides authentication, repeater (physical)
confidentiality, integrity, and nonrepudiation
Bridges - Forwards data to all other network segments if it’s not on the local
PEM – provides authentication, confidentiality, integrity, and nonrepudiation segment. Operates at level 2 (thus no IP-addressing)
DKIM – Domain Keys Identified Mail, domain validation tool Switches - Will only send data to the specific destination address. It’s actually
a multi-port bridge.
OAuth – ability to access resources from another service
(Data link)
OpenID – paired with OAuth is a RESTful, JSON-based authentication
protocol can provide identity verification and basic profile information, Routers - opens up data packet, reads hardware or network address and then
phishing attack possible by sending fake data forwards it to the correct network
Security Perimeter (370) Gateway - software that acts as access point to another network or device that
translates between different protocols
The first line of protection between trusted and untrusted networks. Generally
includes a firewall and router that help filter traffic. May also include proxies, extenders - remote access, multi layer switch that connects LANs over a
IDSs, and IPSs. WAN
Zero Day – application white list Terms
Operations of Hardware (374) Broadband Technologies – ISDN, cable modems, DSL, and T1/T3 lines that
can support multiple simultaneous signals. They are analog and not broadcast
Multiplexors - device that enables more than one signal to be send out of one technologies.
physical circuit
Broadcast Domain – set of systems that can receive a broadcast from each
WAN switches - multi-port networking devices that are used in carrier other
networks. Connect private data over public data by using digital signals. Data
link layer. CHAP – Challenge-Handshake Authentication Protocol, used by PPP servers
to authenticate remote clients. Encrypts username and PW and performs
Access servers - server that provides dial-in and dial-out connections to the periodic re authentication while connected using techniques to prevent replay
network attacks.
Modems - transmits data over telephone lines CIR – (committed Information Rate) minimum bandwidth guarantee
provided by service provider to customers
Channel Service Unit (CSU)/Data service unit (DSU) - digital interface
device used to terminate the physical interface on a DTE device. They Collision Domain – set of systems that could cause a collision if they
connect to the closest telephone company switch in a central office (CO) transmitted at the same time, more number of systems in domain increases
likelihood of network congestion due to more collisions
LAN Devices (374)
Data Streams – occur at Application, Presentation, and Session layers. CCMP, encapsulates EAS in a TLS tunnel
EAP, Extensible Authentication Protocol - an authentication framework. Port Based Authentication – 802.1x, can be used with EAP
Effectively, EAP allows for new authentication technologies to be compatible
with existing wireless or point-to-point connection technologies, extensible PPP – Point-to-Point Protocol, most common, used for dial up connections,
was used for PPP connections replaced SLIP

FCoE – Fiber Channel Over Ethernet, allows existing high-speed networks to Proxy – form of gateway that provide clients with a filtering, caching, or
be used to carry storage traffic other service that protects their information from remote systems

FDDI – Fiber Distributed Data Interface, token-passing network uses a pair PVCs – Private Virtual Circuits,
of rings with traffic flowing in opposite directions, uses tokens
RST flag – used to reset or disconnect a session, resumed by restarting the
Gateway – translates between protocols connection via a new three- way handshake

ICMP – Internet Control Message Protocol, means to send error messages for Converged Network – carries multiple types of traffic like voice, video, and
non-transient error conditions and provides a way to probe the network in data
order to determine general characteristics about the network, ping
SDN – Software designed networking, defined and configured as code or
iSCI – Internet Small Computer Interface, Converged protocol that allows software, quickly change the network based on organizational requirements
location-independent file services over traditional network technologies. Cost
Hypervisor-based Network – may be software defined, but it could also use
less than Fiber. Standard for linking data storage sites
traditional network devices running as virtual machines
ISDN – PRI (Primary Rate Interface) bandwidth of 1.544 Mbps, faster than
SSID – normally disabled for secure networks
BRI’s 144 Kbps
Site Survey – identify areas where wireless network may be accessible
MAC – Machine Access Control, hardware address of machine, can tell
manufacturer SONET – protocol for sending multiple optical streams over fiber
Multilayer Protocols – allow encryption at various layers, support a range of SUBNET – logical division of a network
protocols at higher levels. Bad –conceal covert channels, filters can be
bypassed, sometimes logical boundaries can be bypassed Supernet – made up of two or more networks

MPLS – Multiprotocol Label Switching, high performance networking, uses UDP – User Datagram Protocol, lightweight service for connectionless data
path labels instead of network addresses, wide area networking protocol, transfer without error detection and correction
label switching, finds final destination and then labels route for others to
follow WAF – Web Application Firewall

PAP – Password Authentication Protocol, sends PW unencrypted Wired Extension Mode – uses WAP to link wireless clients to a wired
network
PEAP – provides encryption for EAP methods and can provide
authentication, does not implement
AMP - Asymmetric multiprocessing - used in applications that are dedicated, DOS - performed by sending malformed packets to a system; can interrupt
such as embedded systems, when individual processors can be dedicated to service or completely deny legitimate users of system resources, an attack
specific tasks at design time. that attempts to prevent authorized use of a resource.
SMP – Symmetric Multiprocessors, hardware and software architecture This can be done through flaw exploitation, connection overloading, or traffic
where two or more identical processors are connected to a single, shared main flooding.
memory, have full access to all I/O devices, and are controlled by a single
operating system instance that treats all processors equally, reserving none DDOS – botnet, zombie, massive dos attack using multiple computers
for special purposes
SMURF – ICMP requires three players (attacker, victim and amplifying
Attacks, Malware, and Bad Stuff network); attacker spoofs packet header to make it appear that it originated on
the victim system with amplifying network broadcasting the message.
Bluejacking – when attackers send unsolicited messages via Bluetooth Countermeasures – disable broadcast at border routers; border routers should
Bluesnarfing – targets the data or information on Bluetooth-enabled devices not accept packets that originate within network; restrict ICMP traffic (Hint
IC = Its Smurf though spelled wrong)
Spoofing – when an attacker sends false replies to a requesting system,
beating valid replies from the real server FRAGGLE – similar to Smurf but uses UDP Countermeasures – disable
broadcast at border routers;
Poisoning – when an attacker changes the domain name to IP address
mappings of a system to redirect traffic to alternative systems border routers should not accept packets that originate within network;
restrict UDP traffic; employ IDS; apply ppropriate patches, block UDP port 7
RDP – provides terminal sessions w/out & 9 from entering network
Screenscraper – copy actual screen, subset of remote control Land Attack - The attack involves sending a spoofed TCP SYN packet
(connection initiation) with the target host's IP address and an open port as
SPIT attacks – Spam over Internet Telephony and targets VoIP systems
both source and destination. The reason a LAND attack works is because it
Things to Know causes the machine to reply to itself continuously.

Nikto, Burp Suite, Wapiti – web application vulnerability scanners SYN FLOOD - TCP packets requesting a connection (SYN bit set) are sent to
the target network with a spoofed source address. The target responds with a
Network Attacks – Denial of Service SYN-ACK packet, but the spoofed source never replies. This can quickly
overwhelm a system’s resources while waiting for the half-open connections
Used to overwhelm a targets resources to time out. This causes the system to crash or otherwise become unusable.
• Filling up hard drive by using huge email attachments or file transfers Counter: sync cookies/proxies, where connections are created later

• Sends messages to reset targets host subnets masks Teardrop - The length and fragmentation offset fields of sequential IP packets
are modified, causing the target system to become confused and crash. Uses
• Using up all system resources fragmented packets to target a TCP flaw in how the TCP stack reassembles
them. DOS
Common Session Hijacking Attacks:
Session hijacking (Spoofing) - IP spoofing involves altering a TCP packet so High-level Data Link Control (HDLC) - extension to SDLC also for
that it appears to be coming from a known, trusted source, thus giving the mainframes. Uses data encapsulation on synchronous serial links using frame
attacker access to the network. Intercept cookies from a request header characters and checksums. Also data link layer
TCP sequence number attack – intruder tricks target to believe it is connected High Speed Serial Interface (HSSI) - Defines electrical and physical
to a trusted host and then hijacks the session by predicting the targets choice interfaces to use for DTE/DCE communications. Physical layer of OSI
of an initial TCP sequence number.
LAN Cables (378)
Packet switching technologies
Twisted pair
X25 defines point-to-point communication between Data terminal Equipment
(DTE) and Data Circuit Shielded (STP) or unshielded (UTP) Cat 3=10BaseT, Cat5=100BaseT

Terminating Equipment (DCE) Coaxial

Link Access Procedure-Balanced (LAPB) created for use with X25, LAPB More EMI resistant. Baseband: only one single channel, Broadband: multiple
defines frame types and is capable of retransmitting, exchanging an d signal types like data, video, audio
acknowledging frames as detecting out of sequence or missing frames
Fiber Optic
Frame Relay High performance WAN protocol designed for use across ISDN
Most expensive, but hard to tap and resistant to EMI
interfaces. Is fast but has no error correction, supports multiple PVCs, unlike
X.25, packet switched technology that provides CIR, requires DTE/DCE at Firewalls (376)
each connection point
TYPES
Switched Multimegabit DATA Service (SMDS) high speed communication
over public switches networks for exchanging 'bursts of data' between First generation – (static) Packet filtering firewall AKA screening router
enterprises Examines source/destination address, protocol and ports of the incoming
package. Based on ACL’s access can be denied or accepted. Is considered a
Asynchronous Transfer mode (ATM) very high bandwidth. It uses 53-byte firewall and operates at Network or Transport layer of OSI
fixed size cells instead of frames like Ethernet. It can allocate bandwidth up
on demand making it a solution for Busty applications. Requires fiber optics. Second generation - Application level firewall AKA proxy server While
transferring data stream to another network, it masks the data origin.
Voice over IP (VOIP) combines many types of data into a single IP packet. operating at Application layer of OSI
Cost, interoperability and performance wise it’s a major benefit
Third generation - Stateful inspection firewall (also known as Dynamic) All
Other important WLAN protocols packages are inspected at the Networking layer so it’s faster. By examining
the state and context of the data packages it helps to track connectionless
Synchronous Data Link Control (SDLC) - created by IBM for mainframes to
protocols like UDP and RPC. Analyzed at all OSI Layers.
connect to their remote offices. Uses a polling media access method. Works
with dedicated leased lines permanent up. Data link layer of OSI model Fourth generation - Dynamic Packet Filtering firewall Enables modification
of the firewall rule. It provides limited support for UDP by remembering
UDP packages across the network.
Fifth generation - Kernel Proxy Firewall / Application level Firewall Runs in Terminal Access Controller Access Control System TACACS - User
windows NT, modular, kernel based, multiplayer session evaluation. Uses passwords are administrated in a central database instead of individual
dynamic TCP/IP stacks to inspect network packages and enforce security routers. A network device prompts user for a username and static password
policies then the device queries a TACACS server to verify the password. TACACSs
does not support prompting for password change or use of dynamic password
Firewall architecture (377) tokens. Port 49
Packet filtering routers - Sits between trusted and un-trusted network, TACACS: user-id and static password for network access via TCP
sometimes used as boundary router. Uses ACL’s. Protects against standard
generic external attacks. Has no user authentication, has minimal auditing. TACACS+ Enhanced version with use of two factor authentication, ability to
change user password, ability of security tokens to be resynchronized and
Screened-Host firewall system - Has both a packet-filter router and a bastion better audit trails and session accounting Remote Authentication Dial-In User
host. Provides both network layer (package filtering) as application layer Service RADIUS - Client/server protocol, often leads to TACACS+.
(proxy) server.
Clients sends their authentication request to a central radius server that
Dual homed host firewall - Consists of a host with 2 NIC’s. One connected to contains all of the user authentication and network ACL’s RADIUS does not
trusted, one to un- trusted. Can thus be used as translator between 2 network provide two way authentication, therefore it’s not used for router-to-router
types like Ethernet/token ring. Internal routing capabilities must not be authentication. Port 1812. Contains dynamic password and network service
enabled to make it impossible to circumvent inspection of data. access information (Network ACLs) NOT a SSO solution, TLS over TCP –
to encrypt, Default UDP, PW encrypted, supports TCP and TLD if set,
Screened-subnet firewalls - Has also defined a De-Militarized Zone (DMZ) :
Remote connectivity via dial in (user dials in to access server, access server
a small network between trusted an untrusted.
prompt for credentials, user enters credentials and forwards to radius server,
Socks firewall - Every workstation gets some Socks software to reduce radius server accepts or rejects). USES UDP. Incorporates an AS and
overhead dynamic/static password user can connect to any network access server,
which then passes on the user’s credentials to the RADIUS server to verify
Tiers – design separates distinct protected zones and can be protected by a authentication and authorization and to track accounting. In this context, the
single firewall that has multiple interfaces network access server is the RADIUS client and a RADIUS server acts as an
authentication server. The RADIUS server also provides AAA services for
Access Control Methodologies Remote Access multiple remote access servers.
Authentication Systems (390) DIAMETER - remote connectivity using phone wireless etc, more secure
Centralized access control than radius, cordless phone signal is rarely encrypted and easily monitored

CALLBACK; system calls back to specific location (danger in user Remote Access Technologies (390)
forwarding number) somewhere you are Asynchronous Dial-Up Access - This is how everyone connects to the
CHAP (part of PPP) supports encryption internet. Using a public switched telephone network to access an ISP

XTACACS separates authentication, authorization and accounting processes Integrated Serviced Digital Network (ISDN) communication - protocol that
permits telephone line to carry data, voice and other source traffic. Two
TACACS+: stronger through use of tokens types: BRI Basic rate interface and Primary Rate Interface (PRI) xDSL uses
regular telephone lines for high speed digital access Cable Modems Via DATA NETWORK SIGNALS
single shared coaxial cable, insecure because of not being filtered or
firewalled. Analog signal - Infinite wave form, continuous signal, varied by
amplification
Remote Access Security Technologies
Digital signal - Saw-tooth form, pulses, on-off only, digital signals are a
Restricted Address - incoming calls are only allowed from specific addresses means of transmission that involves the use of a discontinuous electrical
on an approval list. This authenticates the node, not the user! signal and a state change or on‐off pulses.
Callback - User initiates a connection, supplies identifying code, and then the Asynchronous - sends bits of data sequentially. Same speed on both sides.
system will call back a predetermined telephone number. Also less useful for Modems and dial-up remote access systems
traveling users
Synchronous - very high speed governed by electronic clock timing signals
Caller ID - checks incoming telephone number against an approval list and
then uses Callback. Less useful for traveling users Asynchronous communications, broadband connections, and half‐duplex
links can be digital or analog
Remote Node Security Protocols
LAN Media Access (398)
Password Authenticate Protocol PAP
Ethernet IEEE 802.3 using CSMA with an BUS-topology
Provides identification and authentication of the user using static replayable
passwords. No encryption of user-id or password during communication Thinnet: 10base2 with coax cables up to 185 meters

Challenge Handshake Authenticate Protocol (CHAP) non-replayable Thicknet: 10Base5, coax up to 500 meters
challenge/response dialog
UTP:
LAN Topologies (394)
• 10BaseT=10MBps
• BUS - all transmissions have to travel the full length of the cable
• 100baseT=Fast Ethernet =100MBps
• RING - Workstations are connected to form a closed loop
• 1000BaseT=Gigabit Ethernet=1GBps
• STAR - nodes are connected to a central device
Ethernet networks were originally designed to work with more sporadic
• TREE - bus type with multiple branches traffic than token ring networks

• MESH - all nodes interconnected ARCnet - uses token passing in a star technology on coax

LAN Transmission Methods (396) Token Ring IEEE 802.5 - IBM created. All end stations are connected to a
MAU Multi Access Unit.
• Unicast - Packet is sent from single source to single destination
CAU: Controlled Access Units – for filtering allowed MAC (Extended
• Multicast - source packet is copied and sent to multiple destinations Unique Identifier) addresses.
• Broadcast - source packet is copied and sent to all nodes
FDDI, Fiber Distributed Data Interface - token - passing dual token ring with Virtual Private Networks VPN (388)
fiber optic. Long distances, minimal EMI interference permits several tokens
at the time active. A VPN is created by dynamically building a secure communications link
between two nodes, using a secret encapsulation method via network address
LAN Transmission Protocols (398) translation (NAT) where internal IP addresses are translated to external IP
addresses. Cannot double NAT with the same IP range, same IP address
Carrier Sense Multiple Access CSMA - for Ethernet. Workstations send out cannot appear inside and outside of a NAT router.
packet. If it doesn’t get an acknowledgement, it resends
VPN Protocols
CSMA with collision Avoidance workstations - are attached by 2 coax
cables. In one direction only. Hint: TP at end for Tunneling Protocols
Wireless 802.11 PPTP, Point to Point tunneling protocol
CSMA with Collision Detection - Only one host can send at the time, using • Works at data link layer of OSI
jamming signals for the rest.
• Only one single point-to-point connection per session
Polling - Host can only transmit when he polls a secondary to see if its free
• Point To Point protocol (PPP) for authentication and tunneling
Token-passing - Used in token rings, Hosts can only transit when they
receive a clear to send token • Dial-up network use

DATA NETWORK TYPES • Does not support EAP

Local Area Network • Sends initial packets in plaintext

Limited geographically to e.g. a building. Devices are sharing resources like L2F, Layer 2 Forwarding
printers, email and files.
• Cisco developed its own VPN protocol called which is a mutual
Connected through copper wire or fiber optics. authentication tunneling mechanism.

CAN: campus area network, multiple building connected to fast backbone on • L2F does not offer encryption. L2F was not widely deployed and was soon
a campus replaced by L2TP.

MAN: metropolitan network extends over cities • both operate at layer 2. Both can encapsulate any protocol.

Wide Area network WAN L2TP, Layer 2 tunneling protocol

Connects LANS over a large geographical area • Also in data-link layer of OSI

Internet intranet and extranet • Single point-to-point connection per session

Internet is global, intranet local for use within companies and extranet can be • Dial-up network use
used e.g. by your customers and clients but is not public
• Port 115
• Uses IPsec • TLS - MOST CURRENT not SSL!!!
IPSEC PVC - Permanent virtual circuits, is like a dedicated leased line; the logical
circuit always exists and is
• Operates at Network Layer of OSI
waiting for the customer to send data. Like a walkie-talkie
• Enables multiple and simultaneous tunnels
SVC – switched virtual circuit, is more like a shortwave or ham radio. You
• Encrypt and authenticate must tune the transmitter and receiver to a new frequency every time you
want to communicate with someone
• Built into IPv6
VPN Devices
• Network-to-network use
Is hardware or software to create secure tunnels
• Creates a private, encrypted network via a public network
IP-sec compatible
• Encryption for confidentiality and integrity
• Encryption via Tunnel mode (entire data package encrypted) or Transport
2 protocols: AH Authentication header and ESP Encapsulated Security
mode (only datagram encrypted)
Payload
• Only works with IP at Network layer of OSI NON IP-sec compatible
works with Security Associations (SA's)
Socks-based proxy servers Used to reach the internal network from the
works with IKE protocols IKE IS FOR MANAGING SECURITY
outside. Also contains strong encryption and authentication methods
ASSOCIATIONS
PTP used in windows machines. Multiprotocol, uses PAP or CHAP
2 modes:
Dial-up VPN’s remote access servers using PPTP commonly used by ISP’s
• transport: data is encrypted header is not
Secure Shell SSH2 not strictly a VPN product but opens a secure encrypted
• tunneled: new uses rc6; IP header is added, old IP header and data is
shell session from the internet through a firewall to a SSH server
encrypted cipher types: block (padding to blocks of fixed size) like DES
3DES AES or stream (bit/byte one by one o padding) like RC4, Sober Encapsulating Security Payload (389)
TLS – Transport Layer Security Encrypts IP packets and ensured integrity.
• encrypt and protect transactions to prevent sniffing while data is in transit • ESP Header – contains information showing which security association to
along with VPN and use and the packet sequence number. Like the AH, the ESP sequences every
packet to thwart replay attacks.
IPsec
• ESP Payload
• most effective control against session hijacking
Spread Spectrum
• ephemeral session key is used to encrypt the actual content of
communications between a web server and client
FHSS – Frequency Hopping Spread Spectrum, The entire range of available Integrated Services Digital Network (ISDN) combination of digital telephony
frequencies is employed, but only one frequency at a time is used. and data transports.
DSSS – Direct Sequence Spread Spectrum, employs all the available Overtaken by xDSL, not all useable due to “D Channel” used for call
frequencies simultaneously in parallel. This provides a higher rate of data management not data
throughput than FHSS. DSSS also uses a special encoding mechanism known
as chipping code to allow a receiver to reconstruct data even if parts of the xDSL Digital subscriber Line - uses telephone to transport high bandwidth
signal were distorted because of interference. data to remote subscribers

OFDM – Orthogonal Frequency-Division Multiplexing, employs a digital • ADSL - Asymmetric. More downstream bandwidth up to 18,000 feet over
multicarrier modulation scheme that allows for a more tightly compacted single copper cable pair
transmission. The modulated signals are perpendicular and thus do not cause
• SDSL - Symmetric up to 10,000 feet over single copper cable pair
interference with each other.
• HDSL - High Rate T1 speed over two copper cable pairs up to 12,000 feet
All use spread spectrum techniques to transmit on more than one frequency at
the same time. Neither FHSS nor DHSS uses orthogonal modulation, while • VDSL - Very High speed 13-52MBps down, 1,5-2,3 Mbps upstream over a
multiplexing describes combining multiple signals over a shared medium of single copper pair over 1,000 to 4,500 feet
any sort. Wi-Fi may receive interference from FHSS systems but doesn’t use
Circuit-switched networks
it.
There must be a dedicated physical circuit path exist during transmission. The
WAN Protocols (404) right choice for networks that have to communicate constantly. Typically for
a telephone company network Voice oriented.
Private Circuit technologies
Sensitive to loss of connection
• Dedicated line reserved communication, always available
Message switching networks
• Leased line can be reserved for communications. Type of dedicated line.
Involves the transmission of messages from node-to-node.
• T1 1,5 Mbps through telephone line
Messages are stored on the network until a forwarding path is available.
• T3 44,7 Mbps through telephone line
Packet-switched networks (PSN or PSDN)
• E1 European 2048 Mbps digital transmission
Nodes share bandwidth with each other by sending small data units called
• Serial Line IP (SLIP) TCP/IP over slow interfaces to communicate with
packets. Packets will be send to the other network and reassembled. Data
external hosts (Berkley UNIX, windows NT RAS), no authentication,
oriented. Sensitive to loss of data. More cost effective than circuit switching
supports only half-duplex communications, no error detection, manual link
because it creates virtual circuits only when they are needed.
establishment and teardown
Converged Protocols (406)
Point to Point protocol (PPP) improvement on slip, adds login, password and
error (by CHAP and PAP) and error correction. Data link. Converged Protocols - are the merging of specialty or proprietary protocols
with standard protocols, such as those from the TCP/ IP suite. The primary
benefit of converged protocols is the ability to use existing TCP/ IP ACCESS - is flow of information between a subject and an object
supporting network infrastructure to host special or proprietary services
without the need for unique deployments of alternate networking hardware. CONTROL - security features that control how users and systems
communicate and interact with other systems and resources
Fibre Channel over Ethernet (FCoE) - a form of network data-storage
solution (SAN or NAS) that allows for high-speed file transfers at upward of Subject - active entity that requests access to an object or data within the
16 GBps. It was designed to be operated over fiber- optic cables; support for object (user, program)
copper cables was added later to offer less-expensive options. Fibre channel
Object - is a passive entity that contains information (computer, database,
over Ethernet (FCoE) can be used to support it over the existing network
file, program) access control techniques support the access control models
infrastructure. FCoE is used to encapsulate Fibre Channel communications
over Ethernet networks. Fibre Channel operates as a Network layer or OSI Approaches to Administration (441)
layer 3 protocol, replacing IP as the payload of a standard Ethernet network.
Centralized administration – one element responsible for configuring access
MPLS - (Multiprotocol Label Switching) is a high-throughput high- controls. Only modified through central administration, very strict control,
performance network technology that directs data across a network based on
short path labels rather than longer network addresses. Decentralized administration – access to information is controlled by owners
or creators of information, may not be consistency with regards to
MPLS is designed to handle a wide range of protocols through encapsulation. procedures, difficult to form system wide view of all user access at any given
time
iSCSI - Internet Small Computer System Interface (iSCSI) is a networking
storage standard based on IP. This technology can be used to enable location- Hybrid – centralized control is exercised for some information and
independent file storage, transmission, and retrieval over , WAN, or public decentralized for other information
Internet connections. It is often viewed as a low-cost alternative to
FibreChannel. Identity Management (448)

VoIP - Voice over IP - a tunneling mechanism used to transport voice and/ or IAAA - Four key principles upon which access control relies
data over a TCP/ IP network. VoIP has the potential to replace or supplant
PSTN because it’s often less expensive and offers a wider variety of options • Identification/Assertion-
and features. • Registration – verify an individual’s identity and adds a unique identifier to
SDN - a unique approach to network operation, design, and management. an identity system
SDN aims at separating the infrastructure layer (i.e., hardware and hardware- • ensuring that a subject is who he says he is
based settings) from the control layer (i.e., network services of data
transmission management). Furthermore, this also removes the traditional • bind a user to the appropriate controls based on the unique user instance
networking concepts of IP addressing, subnets, routing, and so on from
needing to be programmed into or be deciphered by hosted applications. SDN • Unique user name, account number etc. OR an issuance (keycard)
offers a new network design that is directly programmable from a central
• Authentication-
location, is flexible, is vendor neutral, and is open-standards based.
• Process of Verifying the user
Domain 5: Identity and Access Management
• User provides private data
Access Control (440)
• Establish trust between the user and the system for the allocation of Kerberos Is based on symmetric key cryptology (and is not a propriety
privileges control)
• Authorization – resources user is allowed to access must be defined and Time synchronization is critical, 5 minutes is bad
monitored
MIT project Athena
• First piece of credentials Authorization
AES from user to KDC, encrypted key, time stamped TGT and hash of PW,
• Accountability – who was responsible for an action? install TGT and decrypt key
• Logging – best way to provide accountability, change log for approved Kerberos is included in windows now (replaced NTLM=NT- Manager)
changes and change management process
Passwords are never exchanged only hashes of passwords
Relationship between Identity, Authentication, and Authorization
Benefits: inexpensive, loads of OS’s, mature protocol
• Identification provides uniqueness
Disadvantage: takes time to administer, can be bottleneck or single point of
• Authentication provides validity failure
• Authorization provides control Realm - indicates an authentication administrative domain. Its intention is to
establish the boundaries within which an authentication server has the
Logical Access Controls: tools used for IAAA authority to authenticate a user, host or service.
MAC Address – 48 bit number, supposed to be globally unique, but now can Uses symmetric Key cryptography -
be changed by software, not a strong ID or auth. Tool
• KDC - Key Distribution Center, grants tickets to client for specific servers.
Single Sign On (SSO) (462) Knows all secret keys of all clients and servers from the network, TGS and
AS, single point of failure
SSO referred to as reduced sign-on or federated ID management
• AS (Authentication server)
Advantage - ability to use stronger passwords, easier administration, less time
to access resources. • TGS - Ticket granting server
Disadvantage - once a key is compromised all resources can be accessed, if The Kerberos logon process works as follows:
Db compromised all PWs compromised
• The user types a username and password into the client.
Thin client is also a single sign on approach
• The client encrypts the username with AES for trans. to the KDC.
KERBEROS (463)
• The KDC verifies the username against a database of known credentials.
Guards a network with three elements: authentication, authorization, &
auditing. SYMMETRIC KEYS • The KDC generates a symmetric key that will be used by the client and the
Kerberos server. It encrypts this with a hash of the user’s password. The KDC
Kerberos addresses Confidentiality and integrity and authentication, not
availability, can be combined with other SSO solutions
also generates an encrypted time- stamped TGT. The KDC then ransmits the Type 2 - authentication factor is something you have. Physical devices that a
encrypted symmetric key and the encrypted time-tamped TGT to the client. user possesses can help them provide authentication. Examples include a
smartcard (CAC), hardware token, smartcard, memory card, or USB drive.
• The client installs the TGT for use until it expires. The client also decrypts
the symmetric key using a hash of the user’s password. Type 3 - authentication factor is something you are or something you do. It is
a physical characteristic of a person identified with different types of
• Then the user can use this ticket to service to use the service as an biometrics
application service
Something a user knows TYPE 1
SESAME
PASSWORDS
• Public Key Cryptology
cheap and commonly used password generators user chooses own (do
• European triviality and policy checking)
• Needham-Schroeder protocol Longer PW more effective than all else
Weakness: only authenticates the first block and not the complete message PWs never stored for web applications in a well-designed environment.
Salted hashes are stored and compared
Two tickets:
62 choices (upper, lower, 10 numbers), add single character to PW and
• One authentication, like Kerberos
complexity goes up 62X
• Other defines the access privileges a user has
One-time password aka dynamic password used only once
• Works with PACS (Privileged Attribute Certificates)
Static password Same for each logon
• sesame uses both symmetric as asymmetric encryption (thus improvement
Passphrase easiest to remember. Converted to a virtual password by the
upon Kerberos)
system.
KRYPTOKNIGHT -IBM –thus RACF
Cognitive password: easy to remember like your mother’s maiden name
Peer-to-peer relationship between KDC and parties
Hacking - access password file
SCRIPTING -scripts contain logon information that auths. users
brute force attack - (try many different characters) aka exhaustive
DIRECTORY SERVICE - a centralized database that includes information
dictionary attack - (try many different words)
about subjects and objects, .Hierarchical naming schema, active directory has
sophisticated security resources (group policy, user rights accounts, services) Social engineering - convince an individual to give access
Single/Multiple Factor Authentication (467) Rainbow Tables - (tables with passwords that are already in hash format, pre-
hashed PW paired with high-speed look up functions
Type 1 - authentication factor is something you know. Examples include a
password, PIN, or passphrase.
Implementation Attack - This is a type of attack that exploits weaknesses in synchronous – timing, asynchronous - challenge
the implementation of a cryptography system. It focuses on exploiting the
software code, not just errors and flaws but the methodology employed to Something a user is TYPE 3
program the encryption system
What you do: behavioral
Statistical Attack - exploits statistical weaknesses in a cryptosystem, such as
What you are: physical
floating-point errors and inability to produce truly random numbers.
Statistical attacks attempt to find a vulnerability in the hardware or operating BIOMETRICS
system hosting the cryptography application.
• Most expensive & Acceptable 2 minutes per person for enrollment time
password checker and password hacker - both programs that can find
passwords (checker to see if its compliant, hacker to use it by the hacker) • Acceptable 10 people per minute throughput time
hashing and encryption
• IRIS is the same as long as you live
• On windows system with utility SYSKEY. The hashed passwords will be
encrypted in their store • TYPE 1 error: False rejection rate FRR

LM hash and NT Hash • TYPE 2 error: False Acceptance rate FAR

• some OS’s use Seed SALT or NONCE, random values added to the • CER Crossover Error Rate or EER Equal Error rate, where FRR = FAR.
encryption process to add more complexity The lower CER/ERR

• HAVAL - Hash of Variable Length (HAVAL) is a modification of MD5. the more accurate the system. No sunlight in iris scanner zephyr chart = iris
HAVAL uses 1,024-bit blocks and produces hash values of 128, 160, 192, scans
224, and 256 bits. Not a encryption algorithm • Finger print: stores full fingerprint (one-to-many identification),
Something a user has TYPE 2 • finger scan only the features (one to one identification).
Key, swipe card, access card, badge, tokens • Finger scan most widely used today
Static password token - owner authenticates to token, token authenticates to Acceptability Issues: privacy, physical, psychological
the information system
TYPES OF BIOMETRICS
Synchronous (TIME BASED) dynamic - uses time or a counter between the
token and the authentication server, secure-ID is an example • Fingerprints: Are made up of ridge endings and bifurcations exhibited by
the friction ridges
Asynchronous (NOT TIME BASED) - server sends a nonce (random value)
This goes into token device, encrypts and delivers a one-time password, with and other detailed characteristics that are called minutiae.
an added PIN its strong authentication
• Retina Scans: Scans the blood-vessel pattern of the retina on the backside of
Challenge/response token - generates response on a system/workstation the eyeball. Can
provided challenge;
show medical conditions MOST ACCURATE
• Iris Scans: Scan the colored portion of the eye that surrounds the pupil. Identity as a Service (IDaaS) (486)
• Facial Scans: Takes attributes and characteristics like bone structures, nose IDaaS - Identity as a Service, or Identity and Access as a Service is a third-
ridges, eye widths, party service that provides
forehead sizes and chin shapes into account. identity and access management, Effectively provides SSO for the cloud and
is especially useful when
• Palm Scans: The palm has creases, ridges and grooves throughout it that are
unique to a specific person. Appropriate by itself as a Type 3 authenticator internal clients access cloud-based Software as a Service (SaaS) applications.
• Hand Geometry: The shape of a person’s hand (the length and width of the • Ability to provision identities held by the service to target applications
hand and fingers) measures hand geometry.
• Access includes user authentication, SSO, authorization enforcement
• Voice Print: Distinguishing differences in people’s speech sounds and
patterns. • Log events , auditing

• Signature Dynamics: Electrical signals of speed and time that can be • Federation - sharing identity and authentication behind the scenes (like
captured when a person writes a signature. booking flight → booking hotel without re authenticating) by using a federate
identity so used across business boundaries
• Keyboard Dynamics: Captures the electrical signals when a person types a
certain phrase. • SSO

• Hand Topology: Looks at the size and width of an individual’s hand and • Access Management enforces RULES!
fingers
Manage User Accounts within a Cloud (492)
SAML (478) __(SOAP/XML)__
Cloud Identity – users are created and managed in Office 365 Directory
To exchange authentication and authorization data between security domains. Synchronization – users are created and managed in an on premises identity
provider
SAML 2.0 enables web-based to include SSO
Federated Identity – on-premises identity provider handles login request.
Roles Usually used to implement
• Principal (user) SSO
• Identity provider (IdP) • MS AD using MS AD Federation Services
• Service provider (SP) • Third Party based identity
Most used federated SSO • Shibboleth SAML 2.0
XML Signature – use digital signatures for authentication and message Authorization Mechanisms (496)
integrity based on XML signature standard.
The method of authorizing subjects to access objects varies depending on the
Relies on XML Schema access control method used by the IT system.
A subject is an active entity that accesses a passive object and an object is a Mandatory Access Control BELL Model!
passive entity that provides information to active subjects.
Lattice based, Label–all objects and subjects have a label
There are several categories for access control techniques and the CISSP CIB
specifically mentions four: discretionary access control (DAC), mandatory Authorization depended on security labels which indicate clearance and
access control (MAC), role-based access control (role-BAC), and rule-based classification of objects
access control (rule-BAC).
(Military). Restriction: need to know can apply. Lattice based is part of it! (A
Windows uses Kerberos for authentication. RADIUS is typically used for as in mAndatory!). Rule based access control. Objects are: files, directories
wireless networks, modems, and network devices, while OAuth is primarily and devices;
used for web applications. TACACS+ is used for network devices.
Non-discretionary access control / Mandatory
Authorization Mechanisms (496)
Non-discretionary access control / Mandatory
Role-BAC (RBAC)
A central authority determines what subjects have access based on policies.
Role-BAC (RBAC) - task-based access controls define a subject’s ability to Role based/task based.
access an object based on the subject’s role or assigned tasks, is often
Also lattice based can be applied (greatest lower, least upper bounds apply)
implemented using groups, form of nondiscretionary. OFF
Discretionary Access Control
BUSINESS DESIGN
Discretionary Access Control
• Hybrid RBAC
Graham Denning
• Limited RBAC
Access through 's. Discretionary can also mean: Controlled access protection
CAN MODEL ALL GROUPS OFF ORGANIZATION #! USED
(object reuse, protect audit trail). User directed Performs all of IAAA,
Rule-BAC identity based access control model

Rule-BAC – based on rules within an , uses a set of rules, restrictions, or • hierarchical x500 standard protocol like LDAP for allowing subjects to
filters to determine what can and cannot occur on a system. It includes interact with the directory
granting a subject access to an object, or granting the subject the ability to
• Organized through name spaces (Through Distinguished names )
perform an action. A distinctive characteristic about rule-BAC models is that
they have global rules that apply to all subjects. One common example of a • Needs client software to interact
rule-BAC model is a firewall.
• META directory gathers information from multiple sources and stores them
Firewalls include a set of rules or filters within an , defined by an into once central directory and synchronizes
administrator. The firewall examines all the traffic going through it and only
allows traffic that meets one of the rules. Government #1 • VIRTUAL directory only points where the data resides

Mandatory Access Control

DACs allows the owner, creator, or data custodian of an object to control and ACLs are object focused and identify access granted to subjects for any
define access to that object. All objects have owners, and access control is specific object. Capability tables are subject focused and identify the objects
based on the discretion or decision of the owner. that subjects can access.
As the owner, the user can modify the permissions of the file to grant or deny Comparing Permissions, Rights, and Privileges When studying access control
access to other users. topics, you’ll often come across the terms permissions, rights, and privileges.
Some people use these terms interchangeably, but they don’t always mean the
Identity-based access control is a subset of DAC because systems identify same thing.
users based on their identity
Permissions - refer to the access granted for an object and determine what
and assign resource ownership to identities. A DAC model is implemented you can do with it. If you have read permission for a file, you’ll be able to
using access control lists open it and read it. You can grant user permissions to create, read, edit, or
delete a file on a file server. Similarly, you can grant user access rights to a
(ACLs) on objects. Each defines the types of access granted or denied to
file, so in this context, access rights and permissions are synonymous
subjects. It does not offer a centrally controlled management system because
owners can alter the ACLs on their objects at will . Rights - refers to the ability to take an action on an object. For example, a
user might have the right to modify the system time on a computer or the
Access to objects is easy to change, especially when compared to the static
right to restore backed-up data. This is a subtle distinction and not always
nature of mandatory access controls.
stressed. You’ll rarely see the right to take action on a system referred to as a
Access Control Models permission.

Access control models use many different types of authorization mechanisms, Privileges - are the combination of rights and permissions. For example, an
or methods, to control who can access specific objects. administrator for a computer will have full privileges, granting the
administrator full rights and permissions on the computer. The administrator
Implicit Deny - basic principle that most authorization mechanisms use it. will be able to perform any actions and access any data on the computer.
The implicit deny principle ensures that access to an object is denied unless
access has been explicitly granted to a subject. Understanding Authorization Mechanisms

Access Control Matrix - An access control matrix is a table that includes Access control models use many different types of authorization mechanisms,
subjects, objects, and assigned privileges. When a subject attempts an action, or methods, to control who can access specific objects.
the system checks the access control matrix to determine if the subject has the
Constrained Interface Applications – (restricted interfaces) to restrict what
appropriate privileges to perform the action
users can do or see based on their privileges. Applications constrain the
Capability Tables - They are different from ACLs in that a capability table is interface using different methods. A common method is to hide the capability
focused on subjects (such as users, groups, or roles). For example, a if the user doesn’t have permissions to use it. Other times, the application
capability table created for the accounting role will include a list of all objects displays the menu item but shows it dimmed or disabled.
that the accounting role can access and will include the specific privileges
Content-Dependent – internal data of each field, data stored by a field, restrict
assigned to the accounting role for these objects.
access to data based on the content within an object. A database view is a
The difference between an and a capability table is the focus. content-dependent control. A view retrieves specific columns from one or
more tables, creating a virtual table.
Context-Dependent - require specific activity before granting users access. IP Probes - (also called IP sweeps or ping sweeps) are often the first type of
For example, it’s possible to restrict access to computers and applications network reconnaissance carried out against a targeted network. With this
based on the current day and/or time. If users attempt to access the resource technique, automated tools simply attempt to ping each address in a range.
outside of the allowed time, the system denies them access. Systems that respond to the ping request are logged for further analysis.
Work Hours – context-dependent control Addresses that do not produce a response are assumed to be unused and are
ignored.
Need to Know - ensures that subjects are granted access only to what they
need to know for their work Nmap tool - one of the most common tools used to perform both IP probes
and port scans. IP probes are extremely prevalent on the Internet today.
tasks and job functions. Subjects may have clearance to access classified or Indeed, if you configure a system with a public IP address and connect it to
restricted data but are not granted authorization to the data unless they the Internet, you’ll probably receive at least one IP probe within hours of
actually need it to perform a job. booting up. The widespread use of this technique makes a strong case for
disabling ping functionality, at least for users external to a network. Default
Least Privilege - ensures that subjects are granted only the privileges they
settings miss @64 K ports
need to perform their work tasks and job functions.
When nmap scans a system, it identifies the current state of each network port
This is sometimes lumped together with need to know. The only difference is
on the system. For ports where nmap detects a result, it provides the current
that least privilege will also include rights to take action on a system.
status of that port:
Separation of Duties and Responsibilities - ensures that sensitive functions
• Open - The port is open on the remote system and there is an application
are split into tasks performed by two or more employees. It helps to prevent
that is actively accepting connections on that port.
fraud and errors by creating a system of checks and balances.
• Closed - The port is accessible on the remote system, meaning that the
Service Provisioning Markup Language, or SPML is an XML-based language
firewall is allowing access, but there is no application accepting connections
designed to allow platforms to generate and respond to provisioning requests.
on that port.
SAML is used to make authorization and authentication data, while XACML
Filtered Nmap - is unable to determine whether a port is open or closed
is used to describe access controls. SOAP, or Simple Object Access Protocol,
because a firewall is interfering with the connection attempt
is a messaging protocol and could be used for any XML messaging, but is not
a markup language itself. Port Scans - After an attacker performs an IP probe, they are left with a list of
active systems on a given network. The next task is to select one or more
Reconnaissance Attacks (506)
systems to target with additional attacks. Often, attackers have a type of
While malicious code often relies on tricking users into opening or accessing target in mind; web servers, file servers, and other servers supporting critical
malware, other attacks directly target machines. operations are prime targets.

Performing reconnaissance can allow an attacker to find weak points to target To narrow down their search, attackers use port scan software to probe all the
directly with their attack code. To assist with this targeting, attacker-tool active systems on a network and determine what public services are running
developers have created a number of automated tools that perform network on each machine. For example, if the attacker wants to target a web server,
reconnaissance. they might run a port scan to locate any systems with a service running on
port 80, the default port for HTTP services.
Vulnerability Scans - The third technique is the vulnerability scan. • Impact of the test on normal business operations
Once the attacker determines a specific system to target, they need to After assessing each of these factors, security teams design and validate a
discover a specific vulnerability in that system that can be exploited to gain comprehensive assessment and testing strategy.
the desired access permissions. A variety of tools available on the Internet
assist with this task. Some of the more popular tools for this purpose include Verification & Validation (523)
Nessus, OpenVAS, Qualys, Core Impact, and Nexpose. These packages
Verification – objective evidence that the design outputs of a phase of the
contain a database of known
SDLC meet requirements.
vulnerabilities and probe targeted systems to locate security flaws. They then
3rd party sometimes
produce very attractive reports that detail every vulnrability detected. From
that point, it’s simply a matter of locating a script that exploits a specific Validation – develop “level of confidence” that the software meets all
vulnerability and launching an attack against the victim. requirements and expectations, software improve over time
Domain 6: Security Assessment and Testing Find back doors thru structured walk through
Security Testing (522) Logs (530)
Security Testing - verifies that a control is functioning properly. Network Flow – captured to provide insight into network traffic for security,
troubleshooting, and performance management
These tests include automated scans, tool-assisted penetration tests and
manual attempts to undermine security. When scheduling security controls Audit logging – provides information about events on the routers
for review, information security managers should consider the following
factors: NTP - Network Time Protocol, One important consideration is ensuring that
logs have accurate time stamps and that these time stamps remain consistent
• Availability of security testing resources throughout the environment. A common method is to set up an internal NTP
server that is synchronized to a trusted time source such as a public NTP
• Criticality of the systems and applications protected by the tested controls
server. Other systems can then synchronize with this internal NTP server.
Sensitivity of information contained on tested systems and applications
Syslog – message logging standard commonly used by network devices,
• Likelihood of a technical failure of the mechanism implementing the control
Linux and Unix systems and other devices (firewalls)
• Likelihood of a misconfiguration of the control that would jeopardize
Reboot – generates an information log entry
security
• Errors – significant problem
• Risk that the system will come under attack
• Warnings – future problem
• Rate of change of the control configuration
• Information – successful operations
• Other changes in the technical environment that may affect the control
performance • Success Audits – successful security accesses
• Difficulty and time required to perform a control test • Failure Audits – failed security access attempts
Inconsistent Time Stamps – often caused by improperly set time zones or due Response box - is a part of an IDS that initiates alarm or activity
to differences in how system clocks are set
Components: Information source/sensor, centralized monitor software, data
Modified logs – often a sign of intrusion or malicious intent and even report analysis, database components and response to an event or
intrusion
NetFlow is a feature that was introduced on Cisco routers that provides the
ability to collect IP IPS Intrusion prevention system - detect attack and PREVENT that attack
being successful
network traffic as it enters or exits an interface. a network administrator can
determine things such as the source and destination of traffic, class of service, Remote Access Software – granted and secured through VPNs
and the causes of congestion.
Web Proxies – intermediate hosts, restrict access
Security Software (534)
Vulnerability Management Software – patching
Antimalware and Antivirus – records instances of detected malware,
Authentication Servers – SSO servers
IDS/IPS = security testing, NIST 800-4
Routers – permit or block traffic based on policy
War driving - driving a car with notebook to find open access points
Firewalls – more sophisticated than routers to examine traffic
IDS intrusion detection system
Monitoring and auditing (537)
NETWORK BASED
Companies can set predefined thresholds for the number of certain types of
• Detects intrusions on the behind a firewall. errors that will be allowed before the activity is considered suspicious. This
baseline is referred to as clipping level
• Is passive while it acquires data.
Audit trails
• Reviews packets and headers
• Transaction date/time
• Problem with network based is that it will not detect attacks by users logged
into hosts • Who processed the transaction
HOST BASED • At which terminal
• monitoring servers through EVENT LOGS AND SYSTEM LOGS Protecting Logs (538)
• as good as the completeness of the host logging easier to discover and Breaches – protect from breaches of confidentiality and integrity.
disable
Availability – archival process to prevent loss by overwritten logs
Signature based method (AKA Knowledge based)- compared with signature
attack database (aka misuse detector) Log Analysis – study logs for events of interest Set maximum size. If too
small, attacker can make little changes and push them out of window
Statistical anomaly based - defines a ‘normal’ behavior and detects abnormal
behaviors. Synthetic Transactions (540)
Real User Monitoring – aims to capture and analyze every transaction of a Use cases – used as part of test coverage calculation that divides the tested
user use case by total use cases
Synthetic Performance Monitoring – uses scripted or recorded data. Traffic Code Review Report – generated if the organization was manually reviewing
capture, Db performance the application’s source code
monitoring, website performance monitoring can be used. NOT User Session Black-box testing observes the system external behavior, no internal details
Monitoring known
Types Dynamic Testing – does not require access to source code, evaluates code in
a runtime environment
• Proactive monitoring involves having external agents run scripted
transactions against a web application White-box testing (crystal) is a detailed exam of a logical path, checking the
possible conditions.
• Db monitoring; availability of Db
Requires access to source code
• TCP port monitoring; availability of website, service, or application
Static Testing – requires access to source code, performs code analysis
Code Review and Testing (542)
CSV – Comma Separated Values
Code review is the foundation of software assessment programs. During a
code review, also known as a “peer review,” developers other than the one CVE - Common Vulnerability and Exposures dictionary. The CVE dictionary
who wrote the code review it for defects. The most formal code review provides a standard convention used to identify vulnerabilities, list by
processes, known as Fagan inspections, follow a rigorous review and testing MITRE
process with
CVSS – Common Vulnerability Scoring System, metrics and calculation
six steps: tools for exploitability, impact, how mature exploit code is, and how
vulnerabilities can be remediated, also to score vulnerabilities against unique
• Planning requirements.
• Overview NVD – National Vulnerability Db
• Preparation Compiled code poses more risk than interpreted code because malicious code
can be embedded in the compiled code and can be difficult to detect.
• Inspection
Regression testing is the verification that what is being installed does not
• Rework
affect any portion of the application system already installed. It generally
• Follow-up requires the support of automated process to repeat tests previously
undertaken. Known inputs against an application then compares results to
Code Coverage Report – information on the functions, statements, branches, earlier version results
and conditions covered in testing.
nonRegression testing – code works as planned
Code comparison is normally used to identify the parts of the source code • Number of compromised accounts
that have changed.
• Number of software flaws detected in preproduction scanning & Repeat
Integration testing is aimed at finding bugs in the relationship and interfaces audit findings
between pairs of components. It does not normally test all functions.
• User attempts to visit known malicious sites
Attack surface - exposure
Performing Vulnerability Assessments
Threat Assessment Modeling (544)
Vulnerability scans - automatically probe systems, applications, and
STRIDE - is often used in relation to assessing threats against applications or networks, looking for weaknesses that may be exploited
operating systems, threat categorization scheme, spoofing, tampering,
repudiation, information disclosure, denial of service, and elevation of Network discovery scanning - uses a variety of techniques to scan a range of
privilege. IP addresses, searching for systems with open ports.

Spoofing - An attack with the goal of gaining access to a target system TCP SYN Scanning - Sends a single packet to each scanned port with the
through the use of a falsified identity. Spoofing can be used against IP SYN flag set. This indicates a request to open a new connection. If the
addresses, MAC address, usernames, system names, wireless network SSIDs, scanner receives a response that has the SYN and ACK flags set, this
and other types of logical identification. indicates that the system is moving to the second phase in the three-way TCP
handshake and that the port is open. TCP SYN scanning is also known as
Tampering - Any action resulting in the unauthorized changes or “half-open” scanning.
manipulation of data, whether in transit or in storage. Tampering is used to
falsify communications or alter static information. Such attacks are a TCP Connect Scanning - Opens a full connection to the remote system on the
violation of integrity as well as availability. specified port. This scan type is used when the user running the scan does not
have the necessary permissions to run a half-open scan.
Repudiation - The ability for a user or attacker to deny having performed an
action or activity. TCP ACK Scanning - Sends a packet with the ACK flag set, indicating that it
is part of an open connection.
Information disclosure - The revelation or distribution of private,
confidential, or controlled information to external or unauthorized entities. Xmas Scanning - Sends a packet with the FIN, PSH, and URG flags set. A
packet with so many flags set is said to be “lit up like a Christmas tree,”
Elevation of privilege - An attack where a limited user account is transformed leading to the scan’s name.
into an account with greater privileges/powers/access
Passive Scanning – user scan wireless to look for rogue devices in addition to
Key Performance and Risk Indicators (562) IDS
Security managers should also monitor key performance and risk indicators Bluetooth Scans – time consuming, many personal devices
on an ongoing basis. The exact metrics they monitor will vary by
organization but may include the following: • Active; strength of PIN, security mode

• Number of open vulnerabilities • Passive; only active connections, multiple visits

• Time to resolve vulnerabilities Authenticated scans – read-only account to access config files
Testing Software (549) Interface testing - is an important part of the development of complex
software systems. In many cases, multiple teams of developers work on
Static Testing - evaluates the security of software without running it by different parts of a complex application that must function together to meet
analyzing either the source business objectives. The handoffs between these separately developed
modules use well-defined interfaces so that the teams may work
code or the compiled application. Static analysis usually involves the use of
independently. Interface testing assesses the performance of modules against
automated tools designed to detect common software flaws, such as buffer
the interface specifications to ensure that they will work together properly
overflows.
when all of the development efforts are complete.
Dynamic Testing - evaluates the security of software in a runtime
• Application Programming Interfaces (APIs) - Offer a standardized way for
environment and is often the only option for organizations deploying
code modules to interact and may be exposed to the outside world through
applications written by someone else. In those cases, testers often do not have
web services. Developers must test APIs to ensure that they enforce all
access to the underlying source code. One common example of dynamic
security requirements.
software testing is the use of web application scanning tools to detect the
presence of cross-site scripting, SQL injection, or other flaws in web • User Interfaces (UIs) - Examples include graphic user interfaces (GUIs) and
applications. Testing may include the use of synthetic transactions to verify command-line interfaces. UIs provide end users with the ability to interact
system performance. with the software. Interface tests should include reviews of all user interfaces
to verify that they function properly.
Fuzz Testing - is a specialized dynamic testing technique that provides many
different types of input to software to stress its limits and find previously Physical Interfaces - Exist in some applications that manipulate machinery,
undetected flaws. Fuzz testing software supplies invalid input to the software, logic controllers, or other objects in the physical world. Software testers
either randomly generated or specially crafted to trigger known software should pay careful attention to physical interfaces because of the potential
vulnerabilities. Often limited to simple errors, does find important, consequences if they fail.
exploitable issues, don’t fully cover code
Levels of Development Testing (550)
Mutation (Dumb) Fuzzing - Takes previous input values from actual
operation of the software and manipulates (or mutates) it to create fuzzed Unit testing - testing small piece of software during a development stage by
input. It might alter the characters of the content, append strings to the end of developers and quality assurance, ensures quality units are furnished for
the content, or perform other data manipulation techniques. integration into final product
Generational (Intelligent) Fuzzing - develops inputs based on models of Integration level testing – focus on transfer of data and control across a
expected inputs to perform the same task. The zzuf tool automates the process programs interfaces
of mutation fuzzing by manipulating input according to user specifications.
Integration level testing – focus on transfer of data and control across a
Misuse Case testing - Software testers use this process or abuse case testing programs interfaces
to evaluate the vulnerability of their software to known risks.
System level testing – demonstrates that all specified functionality exists and
Misuse Case diagrams – threats and mitigate that the software product is trustworthy
Test Coverage Analysis - method used to assess how well software testing Things to Know
covered the potential use of an application
SAS 70 – outdated 2011, based on ISAE 3402
SOC Reports - service organization control report. (569) • Formal modeling
• SOC-1 report, covers only internal controls over financial reporting. SSAE • Security architecture
16 is the same most common synonym (SOC 1 - Finances)
• ISO 9000 quality techniques
• SOC-2 (design and operational effectiveness) If you want to verify the
security, integrity, privacy, and availability controls, in detail for business • Assurance – degree of confidence that the implemented security measures
partners, auditors @security work as intended

• SOC-3 report; shared with broad community, website seal, support Piggybacking - when an unauthorized person goes through a door behind an
organizations claims about their ability to provide CIA authorized person.

• Type 1 – point in time covering design Tailgating – authorized person circumventing controls

• Type 2 – period of time covering design and operating effectiveness Supervisor mode - processes running in inner protected ring

Passive monitoring only works after issues have occurred because it requires Domain 7: Security Operations
actual traffic Log Management System – volume of log data, network
Incident Scene (581)
bandwidth, security of data, and amount of effort to analyze. NOT enough
log sources • ID the Scene
OPSEC process - Understanding your day-to-day operations from the • Protect the environment
viewpoint of a competitor, enemy, or hacker and then developing and
applying countermeasures. • ID evidence and potential sources of evidence

Pen-test – testing of network security as would a hacker do to find • Collect evidence – hash +
vulnerabilities. Always get management approval first
• Minimize the degree of contamination
Port scanner - program that attempts to determine whether any of a range of
ports is open on a particular computer or device Locard’s Exchange Principle –perps leave something behind

Ring zero - inner code of the operating system. Reserved for privileged Evidence (581)
instructions by the itself Sufficient – persuasive enough to convince one of its validity
War dialer - dials a range of phone numbers as in the movie wargames Reliable – consistent with fact, evidence has not been tampered with or
Superzapping - system utility or application that bypasses all access controls modified
and audit/logging functions to make updates to code or data Relevant – relationship to the findings must be reasonable and sensible, Proof
Operational assurance – Verification that a system is operating according to of crime,
its security requirements documentation of events, proof of acts and methods used, motive proof,
• Design & development reviews identification of acts
Permissible – lawful obtaining of evidence, avoid: unlawful search and • Not as strong as best evidence.
seizure, secret recording, privacy violations, forced confessions, unlawful
obtaining of evidence • A copy, Secondary Evidence, is not permitted if the original, Best Evidence,
is available –
Preserved and identifiable – collection, reconstruction
Copies of documents.
Identification labeling, recording serial number etc. Evidence must be
preserved and identifiable • Oral evidence like Witness testimony

Collection, documentation, classification, comparison, reconstruction Direct Evidence:

EVIDENCE LIFECYCLE • Can prove fact by itself and does not need any type of backup.

1. Discovery • Testimony from a witness –one of their 5 senses:

2. Protection Oral Evidence is a type of Secondary Evidence so the case can’t simply stand
on it alone
3. Recording
But it is Direct Evidence and does not need other evidence to substantiate
4. Collection and identification
Conclusive evidence
5. Analysis
• Irrefutable and cannot be contradicted
6. Storage, preservation, transportation
• Requires no other corroboration
7. Present in court
Circumstantial evidence
8. Return to owner
• Used to help assume another fact
Witnesses that evidence is trustworthy, description of procedures, normal
business methods collections, error precaution and correction • Cannot stand on its own to directly prove a fact

Live evidence (582) Corroborative Evidence:

Best Evidence: • Supports or substantiates other evidence presented in a case

• Primary Evidence – is used at the trial because it is the most reliable. Hearsay Evidence something a witness hears another one say. Also business
records are hearsay and all that’s printed or displayed. One exception to
• Original documents – are used to document things such as contracts NOTE: business records: audit trails and business records are not considered hearsay
no copies! when the documents are created in the normal course of business
• Note: Oral is not best evidence though it may provide interpretation of Interviewing and Interrogation (584)
documents, etc.
Interviewing – gather facts and determine the substance of the case.
Secondary Evidence
Interrogation – Evidence retrieval method, ultimately obtain a confession • Any agency that is responsible for seizing, accessing, storing, or transferring
digital evidence is responsible for compliance with these principles.
The Process - Due Process
Media analysis - a branch of computer forensic analysis, involves the
• Prepare questions and topics, put witness at ease, summarize information identification and extraction of information from storage media. This may
include the following: Magnetic media (e.g., hard disks, tapes) Optical media
interview/interrogation plan
(e.g., CDs, DVDs, Blu-ray discs) Memory (e.g., RAM, solid state storage)
• Have one person as lead and 1-2 others involved as well
Techniques used for media analysis may include the recovery of deleted files
• never interrogate or interview alone from unallocated sectors of the physical disk, the live analysis of storage
media connected to a computer system (especially useful when examining
Witnesses encrypted media), and the static analysis of forensic images of storage media.
Opinion Rule Network Analysis - Forensic investigators are also often interested in the
activity that took place over the network during a security incident. Network
• Requires witnesses to testify only about the facts of the case, cannot be used forensic analysis, therefore, often depends on either prior knowledge that an
as evidence in the case. incident is underway or the use of preexisting security controls that log
Expert Witnesses network activity. These include: Intrusion detection and prevention system
logs Network flow data captured by a flow monitoring system Packet
• Used to educate the jury, can be used as evidence captures deliberately collected during an incident Logs from firewalls and
other network security devices The task of the network forensic analyst is to
Digital Evidence (584) collect and correlate information from these disparate sources and produce as
comprehensive a picture of network activity as possible.
Six principles to guide digital evidence technicians as they perform media
analysis, network analysis, and software analysis in the pursuit of forensically Software Analysis - Forensic analysts may also be called on to conduct
recovered evidence: forensic reviews of applications or the activity that takes place within a
running application. In some cases, when malicious insiders are suspected,
• When dealing with digital evidence, all of the general forensic and
the forensic analyst may be asked to conduct a review of software code,
procedural principles must be applied.
looking for back doors, logic bombs, or other security vulnerabilities. In other
• Upon seizing digital evidence, actions taken should not change that cases, forensic analysis may be asked to review and interpret the log files
evidence. from application or database servers, seeking other signs of malicious
activity, such as SQL injection attacks, privilege escalations, or other
• When it is necessary for a person to access original digital evidence, that application attacks.
person should be trained for the purpose.
Hardware/ Embedded Device Analysis - Forensic analysts often must review
• All activity relating to the seizure, access, storage, or transfer of digital the contents of hardware and embedded devices. This may include a review
evidence must be fully documented, preserved, and available for review. of Personal computers & Smartphones
• An individual is responsible for all actions taken with respect to digital Evidence (584)
evidence while the digital evidence is in their possession.
Admissible Evidence
• The evidence must be relevant to determining a fact. Victimology – why certain people are victims of crime and how lifestyle
affects the chances that a certain person will fall victim to a crime
• The fact that the evidence seeks to determine must be material (that is, Investigation
related) to the case.
Types
• The evidence must be competent, meaning it must have been obtained
legally. Evidence that results from an illegal search would be inadmissible • Operational
because it is not competent.
• Criminal
Digital Forensics (585)
• Civil
Five rules of evidence:
• eDiscovery
• Be authentic; evidence tied back to scene
When investigating a hard drive, don’t use message digest because it will
• Be accurate; maintain authenticity and veracity change the timestamps of the files when the file-system is not set to Read-
Only Slack space on a disk should be inspected for hidden data and should be
• Be complete; all evidence collected, for & against view included in a disk image
• Be convincing; clear & easy to understand for jury Law
• Be admissible; be able to be used in court Common law - USA, UK Australia Canada (judges)
Forensic Disk Controller – intercepting and modifying or discarding Civil law - Europe, South America
commands sent to the storage
Islamite and other Religious laws – ME, Africa, Indonesia
device
USA - 3 branches for laws:
• Write Blocking, intercepts write commands sent to the device and prevents
them from modifying data on the device • Legislative: writing laws (statutory laws).
• Return data requested by a read operation • Executive: enforces laws (administrative laws)
• Returning access-significant information from device • Juridical: Interprets laws (makes common laws out of court decisions)
• Reporting errors from device to forensic host 3 categories
LOGS TAKEN IN THE NORMAL COURSE OF BUSINESS Criminal law – individuals that violate government laws. Punishment mostly
imprisonment
Investigation (590)
Civil law – wrongs against individual or organization that result in a damage
MOM means, opportunity and motive or loss. Punishment can include financial penalties. AKA tort law (I’ll Sue
You!) Jury decides liability
Determine suspects
Administrative/Regulatory law – how the industries, organizations and detection is a specific form of monitoring that monitors recorded information
officers have to act. Wrongs can be penalized with imprisonment or financial and real-time events to detect abnormal activity indicating a potential incident
penalties or intrusion.
Uniform Computer Information Transactions Act (UCITA) - is a federal law IDS - intrusion detection system automates the inspection of logs and real-
that provides a common framework for the conduct of computer-related time system events to detect intrusion attempts and system failures. IDSs are
business transactions. UCITA contains provisions that address software an effective method of detecting many DoS and DDoS attacks. They can
licensing. The terms of UCITA give legal backing to the previously recognize attacks that come from external connections, such as an attack from
the Internet, and attacks that spread internally such as a malicious worm.
questionable practices of shrink-wrap licensing and click-wrap licensing by Once they detect a suspicious event, they respond by sending alerts or raising
giving them status as legally binding contracts. alarms. In some cases, they can modify the environment to stop an attack. A
primary goal of an IDS is to provide a means for a timely and accurate
Computer Crime Laws - 3 types of harm
response to intrusions. An IDS is intended as part of a defense-in-depth
• unauthorized intrusion, security plan. It will work with, and complement, other security mechanisms
such as firewalls, but it does not replace them.
• unauthorized alteration or destruction
IPS - intrusion prevention system includes all the capabilities of an IDS but
• malicious code can also take additional steps to stop or prevent intrusions. If desired,
administrators can disable these extra features of an IPS, essentially causing it
Admissible evidence relevant, sufficient, reliable, does not have to be to function as an IDS
tangible
DLP (597) Data Loss Prevention
Hearsay second-hand data not admissible in court
PROTECT SENSITIVE INFORMATION
Enticement is the legal action of luring an intruder, like in a honeypot
Data loss prevention systems attempt to detect and block data exfiltration
Entrapment is the illegal act of inducing a crime, the individual had no intent attempts. These systems have the capability of scanning data looking for
of committing the crime at first Federal Sentencing Guidelines provides keywords and data patterns.
judges and courts procedures on the prevention, detection and reporting
Network-based DLP - scans all outgoing data looking for specific data.
Security incident and event management Administrators would place it on the edge of the negative to scan all data
(SIEM) (595) leaving the organization. If a user sends out a file containing restricted data,
the DLP system will detect it and prevent it from leaving the organization.
Automating much of the routine work of log review. The DLP system will send an alert, such as an email to an administrator.

Provide real‐time analysis of events occurring on systems throughout an Endpoint-based DLP-can scan files stored on a system as well as files sent to
organization but don’t necessarily scan outgoing traffic external devices, such as printers. For example, an organization endpoint-
based DLP can prevent users from copying sensitive data to USB flash drives
Intrusion Detection and Prevention (594) or sending sensitive data to a printer.
An intrusion occurs when an attacker is able to bypass or thwart security 3 states of information
mechanisms and gain access to an organization’s resources. Intrusion
• data at rest (storage) FAIL SAFE: doors UNLOCK
• data in transit (the network) FAIL SECURE: doors LOCK
• data being processed (must be decrypted) / in use / end-point Trusted Path (606)
Can look for sensitive information stored on hard drives Protect data between users and a security component. Channel established
with strict standards to allow necessary communication to occur without
Configuration Management (603) exposing the TCB to security vulnerabilities. A trusted path also protects
system users (sometimes known as subjects) from compromise as a result of a
Configuration item (CI) - component whose state is recorded Version:
TCB interchange.
recorded state of the CI
ONLY WAY TO CROSS SECURITY BOUNDARY RIGHT WAY
Configuration - collection of component CI’s that make another CI
Incident Response (624)
Building - assembling a version of a CI using component CI’s
Events: anything that happens. Can be documented verified and analyzed
Build list - set of versions of component CI’s used to build a CI Software
Library- controlled area only accessible for approved users Security Incident - event or series of events that adversely impact the ability
of an organization to do business
ARTIFACTS – CONFIGURATION MANAGEMENT
Security incident – suspected attack
Recovery procedures (606)
Security intrusion – evidence attacker attempted or gained access
Recovery procedures: system should restart in secure mode
Lifecycle -
Startup should occur in maintenance mode that permits access only by
privileged users from privileged terminals • Response Capability (policy, procedures, a team),
Fault-tolerant continues to function despite failure • Incident response and handling (Triage, investigation, containment, and
analysis & tracking),
Fail safe system, program execution is terminated and system protected from
compromise when hardware or software failure occurs DOORS usually • Recovery (Recovery / Repair),
Fail Closed/secure – most conservative from a security perspective • Debriefing / Feedback (External Communications)
Fail Open • Mitigation – limit the effect or scope of an incident
Fail Hard – BSOD, human to see why it failed Detection→Response→Mitigation→Reporting→Recovery→Remediation→
Lessons Learned→cycle back to response
Fail soft or resilient system, reboot, selected, non-critical processing is
terminated when failure occurs RCA, Root Cause Analysis (632)
Failover, switches to hot backup. Tree / Boolean - FAULT TREE ANALYSIS
• 5Ways Server clustering – group of independent servers which are managed as a
single system. All servers are online and take part in processing service
• Failure Mode and Effects analysis requests.
• Pareto Analysis Individual computing devices on a cluster vs. a grid system – cluster devices
all share the same and application software but grid devices can have
• Fault Tree Analysis
different OSs while still working on same problem
• Cause Mapping
Tape Rotation Schemes
Firewalls (636)
• GF/Father/Son,
HIDS - Host-based IDS, monitors activity on a single computer, including
• Tower of Hanoi,
process calls and information recorded in firewall logs. It can often examine
events in more detail than an NIDS can, and it can pinpoint specific files • Six Cartridge Weekly
compromised in an attack. It can also track processes employed by the
attacker. A benefit of HIDSs overNIDSs is that HIDSs can detect anomalies RAIT – robotic mechanisms to transfer tapes between storage and drive
on the host system that NIDSs cannot detect. mechanisms (similar to RAID but for tapes)
NIDS - Network-based IDS, monitors and evaluates network activity to Disaster Processing Continuity plan (659)
detect attacks or event anomalies. It cannot monitor the content of encrypted
traffic but can monitor other packet details. A single NIDS can monitor a Mutual aid agreements (aka reciprocal agreement)
large network by using remote sensors to collect data at key network
Arrangement with another similar corporation to take over processes.
locations that send data to a central management console.
Advantage: cheap. Disadvantage: must be exact the same, is there enough
Backup types (658) capability, only for short term and what if disaster affects both corporations.
Is not enforceable.
Full - All files, archive bit and modify bit are cleared. Advantage: only
previous day needed for full restore, disadvantage: time consuming Subscription services

Incremental - only modified files, archive bit cleared, Advantage: least time Third party, commercial services provide alternate backups and processing
and space, Disadvantage: first restore full then all incremental backups, thus facilities. Most common of implementations!
less reliable because it depends on more components
Redundant – Mirrored site, potential 0 down time
Differential - only modified files, doesn’t clear archive bit. Advantage: full
HOT SITE–Internal/External, Fully configured computer facility. All
and only last diff needed, Intermediate time between full and diff.
applications are installed, up- to-date mirror of the production system. For
Redundant servers – applies raid 1 mirroring concept to servers. On error extremely urgent critical transaction processing.
servers can do a fail-over.
Advantage: 24/7 availability and exclusive use are assured. Short and long
This AKA server fault tolerance term. Disadvantage: extra administrative overhead, costly, security controls
needs to be installed at the remote facility too.
Exclusive to one company hours to be up
WARM SITE - Cross between hot and cold site. The computer facility is • RTO 3-5 days=mobile site;
available but the applications may not be installed or need to be configured.
External connections and other data elements that take long time to order are • RTO 1-2 weeks=cold site
present. Workstations have to be delivered and data has to be restored.
Raid Levels (665)
Advantage: Less costly, more choices of location, less administrative
RAID 0 Striped, one large disk out of several –Improved performance but no
resources. Disadvantage: it will take some time to start production
fault tolerance
processing. Nonexclusive. 12 hours to be up
RAID 1 Mirrored drives – fault tolerance from disk errors and single disk
COLD SITE - Least ready but most commonly used. Has no hardware
failure, expensive; redundancy only, not speed
installed only power and HVAC. Disadvantage: Very lengthy time of
restoration, false sense of security but better than nothing. RAID 2 not used commercially. Hammering Code Parity/error
Advantage: Cost, ease of location choice. Nonexclusive. week RAID 3 Striped on byte level with extra parity drive – Improved performance
and fault tolerance, but parity drive is a single point of failure and write
SERVICE BUREAU - Contract with a service bureau to fully provide
intensive. 3 or more drives
alternate backup processing services. Advantage: quick response and
availability, testing is possible. Disadvantage: expense and it is more of a RAID4 Same as Raid 3 but striped on block level; 3 or more drives
short time option.
RAID 5 Striped on block level, parity distributed over all drives – requires all
Multiple centers (aka dual sites) drives but one to be present to operate hot-swappable. Interleave parity,
recovery control; 3 or more drives
Processing is spread over several computer centers. Can be managed by same
corporation (in-house) or with another organization (reciprocal agreement). RAID 6 Dual Parity, parity distributed over all drives – requires all drives but
Advantage: costs, multiple sites will share resources and support. two to be present to operate hot-swappable
Disadvantage: a major disaster could affect both sites; multiple
configurations have to be administered. Other data center backup alternatives RAID 7 is same as raid5 but all drives act as one single virtual disk

• Rolling/mobile sites - Mobile homes or HVAC trucks. Could be considered Backup storage media
a cold site
• Tape: sequential, slow read, fast write 200GB an hour, historically cheaper
• In-house or external - supply of hardware replacements. Stock of hardware than disk (now changing), robotic libraries
either onsite or with a vendor. May be acceptable for warm site but not for
hot site. • Disk fast read/write, less robust than tape

Prefabricated buildings - A very cold site. • Optical drive: CD/DVD. Inexpensive

RTO: recovery time objectives. Refers to business processes not hardware. • Solid state: USB drive, security issues, protected by AES

• RTO 5 minutes or hours=Hot site; MTTF (mean time to failure) MTTR (mean time to repair) MTBF Mean time
between failures
• RTO 1-2 days=warm site;
(Useful Life) = MTTF + MTTR JBOD MOST BASIC TYPE OF STORAGE It will be officially over when the data has been verified at the primary site,
JBOD (which stands for “just a bunch of disks”) generally refers to a as accurate
collection of hard disks that have not been configured to act as a redundant
array of independent disks (RAID) array. Disaster recovery process (673)

Transaction Redundancy Implementations (667) TEAMS

Electronic vaulting - transfer of backup data to an offsite storage location via Recovery team mandated to implement recovery after the declaration of the
communication lines disaster

Remote Journaling - parallel processing of transactions to an alternative site Salvage team goes back to the primary site to normal processing
via communication lines environmental conditions. Clean, repair, Salvage. Can declare when primary
site is available again
Database shadowing - live processing of remote journaling and creating
duplicates of the database sets to multiple servers Normal Operations Resume plan has all procedures on how the company will
return processing from the alternate site
Data destruction and reuse (143)
Other recovery issues
Object reuse - use after initial use
Interfacing with other groups: everyone outside the corporation
Data remanence - remaining data after erasure Format magnetic media 7
times (orange book) Employee relations: responsibility towards employees and families

Clearing - overwriting media to be reused Fraud and Crime: like vandalism, looting and people grabbing the
opportunity
Purging - degaussing or overwriting to be removed
Financial disbursement, Media relations
Destruction - complete destroy preferably by burning
1. Find someone to run it
Disaster Recovery Planning (672)
• Documenting the Plan
End Goal - Restore normal business operations. Statement of actions that
have to be taken before, during and after a disruptive event that causes a • Activation and recovery procedures
significant loss of information Goal: provide organized way for decision
• Plan management
making, reduce confusion and deal with the crisis. Planning and development
must occur before the disaster • HR involvement
BIA has already been done, now were going to protect! • Costs
Disaster – any event, natural or manmade, that can disrupt normal IT • Required documentation
operations
• Internal /external communications
The disaster is not over until all operations have been returned to their normal
location and function • Detailed plans by team members
GET COMMUNICATIONS UP FIRST THEN MOST CRITICAL 1. Use BIA to develop BCP (strategy development phase bridges the gap
BUSINESS FUNCTIONS between the business impact assessment and the continuity planning phases
of BCP development)
Disaster Recovery Test (679)
2. Testing
Desk Check – review plan contents
4. Plan approval and implementation
Table-top exercise - members of the disaster recovery team gather in a large
conference room and role- play a disaster scenario. 1. Management approval
Simulation tests - are more comprehensive and may impact one or more 2. Create awareness
noncritical business units of the organization, all support personnel meet in a
practice room Update plan as needed, At least once a year testing

Parallel tests -involve relocating personnel to the alternate site and Disaster Recovery – Recover as quickly as possible
commencing operations there.
• Heavy IT focus
Critical systems are run at an alternate site, main site open also
• Allows the execution of the BCP
Full-interruption tests - involve relocating personnel to the alternate site and
• Needs Planning
shutting down operations at the primary site.
• Needs Testing
BCP (685)
CRITICAL, URGENT, IMPORTANT
Plan for emergency response, bakup operations and post disaster recovery
maintained by an activity as a part of its security program that will ensure the Business Continuity plans development
availability of critical resources and facilitate the continuity of operations in
an emergency situation • Defining the continuity strategy

BCP (proactive) & DRP (reactive) Goals • Computing: strategy to preserve the elements of
hardware/software/communication lines/applications/data
Business continuity - Ensuring the business can continue in an emergency, 1
st business organization analysis • Facilities: use of main buildings or any remote facilities

Focus on business processes • People: operators, management, technical support persons

1. Scope and plan initiation - Consider amount of work required, resources • Supplies and equipment: paper, forms HVAC
required, management practice
• Documenting the continuity strategy
2. BIA – helps to understand impact of disruptive processes
Roles and responsibilities
3. Business Continuity Plan development
BCP committee
• Senior staff (ultimate responsibility, due care/diligence) Fences
• Various business units (identify and prioritize time critical systems) Small mesh and high gauge is most secure
• Information Systems • 3-4 feet deters casual trespasser
• Security Administrator • 6-7 feet too hard to climb easily
• People who will carry out the plan (execute) • 8 feet + barbed wires deters intruders, difficult to climb
• representatives from all departments no/nothing one STOPS a determined intruder
CCTV (692) ALARMS (697)
Multiplexer allows multiple camera screens shown over one cable on a Local alarms - audible alarm for at least 4000 feet far
monitor
Central stations - less than 10mins travel time for e.g. an private security firm
Via coax cables (hence closed) Proprietary systems - owned and operated by the customer. System provides
many of the features in-house
Attacks: replayed (video images)
Auxiliary Station systems - on alarm ring out to local fire or police
Fixed mounting versus PTZ Pan Tilt Zoom
Line supervision check - if no tampering is done with the alarm wires
accunicator system (detects movements on screen and alerts guards)
Power supplies - alarm systems needs separate circuitry and backup power
Recording (for later review) = detective control
Intrusion detection (698)
CCTV enables you to compare the audit trails and access logs with a visual
recording PHYSICAL PARAMETER DETECTION
Lightning (694) Electromechanical - detect a break or change in a circuit magnets pulled lose,
wires door, pressure pads
Glare protection - against blinding by lights
Photoelectric - light beams interrupted (as in an store entrance)
Continuous lightning - evenly distributed lightning
Passive infrared - detects changes in temperature
Controlled lightning - no bleeding over no blinding
Acoustical detection - microphones, vibrations sensors
Standby Lightning - timers
MOTION
Responsive areas illumination - IDS detects activities and turns on lightning
wave pattern motion detectors - detects motions
NIST: for critical areas the area should be illuminated 8 feet in height with 2-
foot candle power proximity or capacitance detector - magnetic field detects presence around an
object
Locks (702) Ensures that the security is not breached when a system crash or failure
occurs. Only required for a B3 and A1 level systems
Warded lock - hanging lock with a key (padlock) Tumbler lock - cylinder slot
Combination lock - 3 Failure preparation Backup critical information thus enabling data recovery
digits with wheels Cipher Lock - Electrical Device lock - bolt down hardware System recovery after a system crash
Preset - ordinary door lock Programmable - combination or electrical lock
Raking - circumvent a pin tumbler lock 1. Rebooting system in single user mode or recovery console, so no user
access is enabled
Audit trails
2. Recovering all file systems that were active during failure
• Date and time stamps
3. Restoring missing or damaged files
• Successful or not attempt
4. Recovering the required security characteristic, such as file security labels
• Where the access was granted
5. Checking security-critical files such as system password file
• Who attempted access
Common criteria hierarchical recovery types
• Who modified access privileges at supervisor level
1. Manual System administrator intervention is required to return the system
Security access cards to a secure state
Photo id card: dumb cards Digital-coded cards: 2. Automatic Recovery to an secure state is automatic when resolving a single
failure (though system administrators are needed to resolve additional
• Swipe cards failures)
• Smartcards 3. Automatic without Undo Loss Higher level of recovery defining
prevention against the undue loss of protected objects
Wireless proximity cards
4. Function system can restore functional processes automatically
• User activated
Types of system failure
• System sensing
System reboot System shuts itself down in a controlled manner after detecting
• Passive device, no battery, uses power of the field
inconsistent data structures or runs out of resources
• Field Powered device: active electronics, transmitter but gets power from
Emergency restart when a system restarts after a failure happens in an
the surrounding field from the reader
uncontrolled manner. E.g. when a low privileged user tries to access
Transponders: both card and receiver holds power, transmitter and electronics restricted memory segments

Trusted recovery () System cold start when an unexpected kernel or media failure happens and
the regular recovery procedure cannot recover the system in a more consistent
state.
Things to know • Accountability
Hackers and crackers - want to verify their skills as intruders Noise and perturbation: inserting bogus information to hope to mislead an
attacker
Entitlement - refers to the amount of privileges granted to users, typically
when first provisioning an account. A user entitlement audit can detect when First step by change process = management approval.
employees have excessive privileges
NB: when a question is about processes, there must always be management’s
Aggregation - Privilege Creep, accumulate privileges approval as First step.
Hypervisor - software component that manages the virtual components. The PROTOTYPING: customer view taken into account
hypervisor adds an additional attack surface, so it’s important to ensure it is
deployed in a secure state and kept up-to-date with patches, controls access to SQL – SUDIGR, 6 basic SQL commands:
physical resources
Select, Update, Delete, Insert, Grant, Revoke
Notebook - most preferred in the legal investigation is a bound notebook,
Bind variables are placeholders for literal values in SQL query being sent to
pages are attached to a binding.
the database on a server
Exigent circumstances allows officials to seize evidence before its destroyed
Bind variables in SQL used to enhance performance of a database
(police team fall in)
Monitor progress and planning of projects through GANTT and PERT charts
Data haven is a country or location that has no laws or poorly enforced laws
Piggybacking: looking over someone’s shoulder to see how someone gets
Chain of custody = collection, analysis and preservation of data Forensics
access. ?
uses bit-level copy of the disk
Data center should have:
Darknet – unused network space that may detect unauthorized activity
• Walls from floor to ceiling
Pseudo flaw – false vulnerability in a system that may attract an attacker
• Floor: Concrete slab: 150 pounds square foot
FAIR INFORMATION PRACTICES
• No windows in a datacenter
• Openness
• Air-conditioning should have own Emergency Power Off (EPO)
• Collection Limitation
Electronic Access Control (EAC): proximity readers, programmable locks or
• Purpose Specification
biometric systems
• Use Limitation
Location
• Data Quality
CPTED Crime Prevention Through Environmental design
• Individual Participation
• Natural Access control: guidance of people by doors fences bollards
• Security Safeguards lightning. Security zones defined
• Natural surveillance: cameras and guards access to manipulate critical aspects of the environment, and has become
disgruntled.
• Territorial Reinforcements: walls fences flags
Espionage - is the malicious act of gathering proprietary, secret, private,
• Target Hardening: focus on locks, cameras guards sensitive, or confidential information about an organization. Attackers often
commit espionage with the intent of disclosing or selling the information to a
Facility site: CORE OF BUILDING (thus with 6 stores, on 3rd floor)
competitor or other interested organization (such as a foreign government).
Attacks ()
Attackers can be dissatisfied employees, and in some cases, employees who
Hacktivists - combination of hacker and activist), often combine political are being blackmailed from someone outside the organization.
motivations with the thrill of hacking. Countermeasures against espionage are to strictly control access to all
nonpublic data, thoroughly screen new employee candidates, and efficiently
Thrill attacks - are the attacks launched only for the fun of it. Pride, bragging track all employee activities.
rights
Integrity breaches - unauthorized modification of information, violations are
Script kiddies - Attackers who lack the ability to devise their own attacks will not limited to intentional attacks. Human error, oversight, or ineptitude
often download programs that do their work for them. The main motivation accounts for many instances
behind these attacks is the “high” of successfully breaking into a system.
Service interruption. An attacker may destroy data, the main motivation is to Confidentiality breaches – theft of sensitive information
compromise a system and perhaps use it to launch an attack against another
Domain 8: Software Development Security
victim.
System Development Life Cycle (SDLC) (720)
Common to do website defacements,
Project initiation - Feasibility, cost, risk analysis, Management approval,
Business Attacks - focus on illegally obtaining an organization’s confidential
basic security objectives
information. The use of the information gathered during the attack usually
causes more damage than the attack itself. Functional analysis and planning - Define need, requirements, review
proposed security controls
Financial Attacks - carried out to unlawfully obtain money or services.
System design specifications - Develop detailed design specs, Review
Terrorist Attacks - purpose of a terrorist attack is to disrupt normal life and
support documentation,
instill fear
Examine security controls
Military or intelligence attack - designed to extract secret information.
Software development - Programmers develop code. Unit testing Check
Grudge Attacks - are attacks that are carried out to damage an organization or
modules. Prototyping, Verification, Validation
a person. The damage could be in the loss of information or information
processing capabilities or harm to the organization or a person’s reputation. Acceptance testing and implementation - Separation of duties, security
testing, data validation, bounds checking, certification, accreditation , part of
Sabotage - is a criminal act of destruction or disruption committed against an
release control
organization by an employee. It can become a risk if an employee is
knowledgeable enough about the assets of an organization, has sufficient System Life Cycle (SLC) (extends beyond SDLC)
Operations and maintenance - release into production. Configuration Audit - periodic configuration audit should be conducted to
Certification/accreditation ensure that the actual production environment is consistent with the
accounting records and that no unauthorized configuration changes have
Revisions/Disposal - remove. Sanitation and destruction of unneeded data taken place
Change Management Process SDLC
Together, change and configuration management techniques form an • Conceptual definition
important part of the software engineer’s arsenal and protect the organization
from development-related security issues. • Functional requirements definition
The change management process has three basic components: • Control specifications development
Request Control - provides an organized framework within which users can • Design review
request modifications, managers can conduct cost/ benefit analysis, and
developers can prioritize tasks. • Code review

Change Control - provides an organized framework within which multiple • System test review
developers can create and test a solution prior to rolling it out into a
• Maintenance and change management
production environment. Change control includes conforming to quality
control restrictions, developing tools for update or change deployment, Software Capability Maturity model (CMM)
properly documenting any coded changes, and restricting the effects of new
code to minimize diminishment of security. (725)

Release Control - Once the changes are finalized, they must be approved for Quality of software is a direct function of quality of development and
release through the release control procedure. maintenance

Configuration Management Process Defined by Carnegie Mellon University SEI (Software Engineering Institute)

This process is used to control the version(s) of software used throughout an Describes procedures, principles, and practices that underlie software
organization and formally track and control changes development process maturity

Configuration Identification - administrators document the configuration of 1-2 REACTIVE, 3-5 PROACTIVE
covered software products throughout the organization.
5 levels of SW-CMM
Configuration Control - ensures that changes to software versions are made in
accordance with the change control and configuration management policies. 1. initiating – competent people, informal processes, ad-hoc, absence of
Updates can be made only from authorized distributions in accordance with formal process
those policies. 2. repeatable – project management processes, basic life-cycle management
Configuration Status Accounting - Formalized procedures are used to keep processes
track of all authorized changes that take place.
3. defined – engineering processes, presence of basic life-cycle management • Software Development,
processes and reuse of code, use of requirements management, software
project planning, quality assurance, configuration management practices • Quality Assurance

4. managed – product and process improvement, quantitatively controlled • IT Operations

5. Optimizing – continuous process improvement Works with an IDEAL NOT SECURITY

model.
Software Development Methods (732)
IDEAL Model:
MODELS
• Initiate = begin effort,
Simplistic model
• Diagnose = perform assessment,
This model was simplistic in that it assumed that each step could be
• Establish = an action plan, completed and finalized without any effect from the later stages that may
require rework.
• Action =implement improvements,
Waterfall model
• Leverage = reassesses and continuously improve
Can be managed if developers are limited going back only one step. If rework
Project Management Tools may be done at any stage it’s not manageable. Problem: it assumes that a
phase or stage ends at a specific time. Stages:
Gantt Chart - a type of bar chart that shows the interrelationships over time
between projects and schedules. It provides a graphical illustration of a 1. System Requirements→
schedule that helps to plan, coordinate, and track specific tasks in a project.
WBS a subpart 2. Software Requirements→

PERT - Program Evaluation Review Technique is a project-scheduling tool 3. Analysis →

used to judge the size of a software product in development and calculate the
4. Program Design →
standard deviation (SD) for risk assessment. PERT relates the estimated
lowest possible size, the most likely size, and the highest possible size of 5. Coding →
each component. PERT is used to direct improvements to project
management and software coding in order to produce more efficient software. 6. Testing →

DevOps (728) 7. Operations & Maintenance

The DevOps approach seeks to resolve issues by bringing the three functions Waterfall including Validation and Verification (V&V)
together in a single operational model. The word DevOps is a combination of
Development and Operations, symbolizing that these functions must merge Reinterpretation of the waterfall model where verification evaluates the
and cooperate to meet business requirements. product during development against specification and validation refers to the
work product satisfying the real-world requirements and concepts.
Integrates:
• Verification=doing the job right
• Validation:= doing the right job DBMS - refers to a suite of software programs that maintains and provides
controlled access to data components store in rows and columns of a table
Spiral model
Types
• Angular = progress made
• Hierarchical= tree (sons with only one parent), one to many relationship
• Radial = cost
• Network = tree (all interconnected)
• Lower left = development plans
• Mesh
• Upper left = objectives of the plans, alternatives checked
• Object-orientated
• Upper right = assessing alternatives, risk analysis
• Relational – one-to-one relationships, has DDL and DML, has TUPLES and
• Lower right = final development ATTRIBUTES (rows and columns)
• Left horizontal axis = includes the major review required to complete each • Key-Value Store -key-value database, is a data storage paradigm designed
full cycle for storing, retrieving, and managing associative arrays, a data structure more
commonly known today as a dictionary or hash.
Cleanroom – write code correctly first time, quality thru design
DDL – Data definition language defines structure and schema
Cleanroom design – prove original design
DML – Data manipulation language view, manipulate and use the database
Agile Software Development (733)
via VIEW, ADD,
Developers increasingly embraced approaches that placed an emphasis on the
MODIFY, SORT and DELETE commands.
needs of the customer and on quickly developing new functionality that
meets those needs in an iterative fashion. Degree of Db – number of attributes (columns) in table
• Individuals and interactions over processes and tools Cardinality - rows
• Working software over comprehensive documentation Tuple – row or record
• Customer collaboration over contract negotiation DDE – Dynamic data exchange enables applications to work in a client/server
model by providing the inter-process communications mechanism (IPC)
• Responding to change over following a plan
DCL – Data control language subset of SQL used to control access to data in
WORKING SOFTWARE PRIMARY MEASURE OF SUCCESS
a database, using GRANT and REVOKE statements
Database Systems (736)
Semantic integrity - make sure that the structural and semantic rules are
Database - general mechanism for defining, storing and manipulating data enforced on all data types, logical values that could adversely affect the
without writing specific programs structure of the database
Referential integrity - all foreign keys reference existing primary keys,
Candidate Key – an attribute that is a unique identifier within a given table, ODBC - Open Database Connectivity is a database feature that allows
one of the candidate keys is chosen to be the primary key and the others are applications to communicate with different types of databases without having
alternate keys, A candidate key is a subset of attributes that can be used to to be directly programmed for interaction with each type. ODBC acts as a
uniquely identify any record in a table. No two records in the same table will proxy.
ever contain the same values for all attributes composing a candidate key.
Each table may have one or more candidate keys, which are chosen from Multilevel security - it’s essential that admins and developers strive to keep
column headings. data with different security requirements separate.

Primary Key – provide the sole tuple-level addressing mechanism within the Database contamination - Mixing data with different classification levels and/
relational model. Cannot contain a null value and cannot change or become or need-to-know requirements and is a significant security challenge. Often,
null during the life of each entity. When the primary key of one relation is administrators will deploy a trusted front end to add multilevel security to a
used as an attribute in another relation, it is the foreign key in that relation. legacy or insecure DBMS.

Uniquely identify a record in a database Database partitioning - is the process of splitting a single database into
multiple parts, each with a unique and distinct security level or type of
Foreign Key – represents a reference to an entry in some other table that is a content.
primary key there. Link between the foreign and primary keys represents the
relationship between the tuples. Enforces referential integrity Polyinstantiation - occurs when two or more rows in the same relational
database table appear to have identical primary key elements but contain
Main Components of a Db using Db different data for use at differing classification levels. It is often used as a
defense against inference attacks
• Schemas; blueprints
Database transactions
• tables
Four required characteristics: atomicity, consistency, isolation, and durability.
• views Together, these attributes are known as the ACID model, which is a critical
concept in the development of database management systems.
Incorrect Summaries – when one transaction is using an aggregate function to
summarize data stored in a Db while a second transaction is making Atomicity - Database transactions must be atomic—that is, they must be an
modifications to a Db, causing summary to include incorrect information “all-or-nothing” affair. If any part of the transaction fails, the entire
transaction must be rolled back as if it never occurred.
Dirty Reads – when one transaction reads a value from a Db that was written
by another transaction that did not commit, Db concurrency issue Consistency - All transactions must begin operating in an environment that is
consistent with all of the database’s rules (for example, all records have a
Lost Updates – when one transaction writes a value to the Db that overwrites
unique primary key). When the transaction is complete, the database must
a value needed by transactions that have earlier precedence
again be consistent with the rules, regardless of whether those rules were
Dynamic Lifetime Objects: Objects created on the fly by software in an violated during the processing of the transaction itself. No other transaction
Object Oriented should ever be able to use any inconsistent data that might be generated
during the execution of another transaction.
Programming environment. An object is preassembled code that is a self-
contained module Isolation - principle requires that transactions operate separately from each
other. If a database
receives two SQL transactions that modify the same data, one transaction • Based on function of biologic neurons
must be completed in its entirety before the other transaction is allowed to
modify the same data. This prevents one transaction from working with • Works with weighted inputs
invalid data generated as an intermediate step by another transaction.
• If a threshold is exceeded there will be output
Durability - Database transactions must be durable. That is, once they are
• Single-layer: only one level of summoning codes
committed to the database, they must be preserved. Databases ensure
durability through the use of backup mechanisms, such as transaction logs • Multi-level: more levels of summoning codes
Knowledge Management (755) • Training period needed to determine input vectors - adaptability (learning
process)
Expert Systems - Expert systems seek to embody the accumulated knowledge
of experts on a particular subject and apply it in a consistent fashion to future Programming Language Generations (762)
decisions.
First-generation languages (1GL) include all machine languages.
Every expert system has two main components: the knowledge base and the
inference engine. Second-generation languages (2GL) include all assembly languages.

• Based on human reasoning Third-generation languages (3GL) include all compiled languages.

• Knowledge base of the domain in the form of rules Fourth-generation languages (4GL) attempt to approximate natural languages
and include SQL, which is used by databases.
• If-then statements=called forward chaining
Fifth-generation languages (5GL) allow programmers to create code using
• Priority in rules are called salience visual interfaces.
• Interference system = decision program Programs
• Expert system = inference engine + knowledge base Compiler Translates higher level program into an executable file
• Degree of uncertainty handled by approaches as Bayesian Interpreter reads higher level code, one line at the time to produce machine
networks(probability of events), certainty factors(probability an event is true) instructions
or fuzzy logic(to develop conclusions)
Assembler converts machine-code into binary machine instructions. Translate
• Two modes: assembly language into machine language
• Forward chaining: acquires info and comes to a conclusion Object Orientated Technology (769)
• Backward chaining: backtracks to determine IF a hypothesis is correct Objects behave as a black box; they are encapsulated to perform an action.
Can be substituted if they have compatible operations. It can store objects like
Neural Networks
video and pictures
• Use complex computations to replace partial functions of the human mind
Encapsulation (Data Hiding) – only data it needs, no accidental access to data
Message - communication to object to perform an action ORBs, Object Request Brokers - middleware that acts as locators and
distributors of the objects across networks.
Method - code that defines an action an object performs in response to a
message Standards
Behavior - results exhibited by an object in response to a msg. CORBA, Common object request - broker architecture enables programs
written in different languages and using different platforms and OS’s through
Class - collection of methods that defines the behavior of objects IDL (Interface Definition Language)
Instance - objects are instances of classes that contain their methods COM, Common Object Model - support exchange of objects amongst
programs. This used to be called OLE. DCOM is the network variant
Inheritance - allows a subclass to access methods belonging to a superclass
(distributed)
Multiple Inheritance - class inherits characteristics from more than one parent
Conclusion - Object orientation (e.g. with C++ and Smalltalk) supports reuse
class
of objects and reduces development risk, natural in its representation of real
Delegation - forwarding a request to another object world entities.

Polymorphism: objects of many different classes that are related by some Cohesion: ability to perform without use of other programs, strength of the
common super class. When different subclasses may have different methods relationship between the purposes of methods within the same class
using the same interfaces that respond differently
High cohesion - without use of other modules
Poly-instantiation - occurs when two or more rows in the same relational
Low cohesion - must interact with other modules
database table appear to have identical primary key elements but contain
different data for use at differing classification levels. Coupling - effect on other modules. Level of interaction between objects
It is often used as a defense against some types of inference attacks High coupling - module largely affects many more modules
5 phases of object orientation Low coupling - it doesn’t affect many other modules
OORA, Requirements Analysis - defines classes of objects and their High cohesion GOOD | Low coupling GOOD
interactions
Technical Security Protection Mechanisms
OOA, Analysis - understanding and modeling a particular problem Domain
Analysis (DA) seeks to identify classes and objects that are common to all Abstraction - one of the fundamental principles behind object-oriented
applications in a domain programming. It is the “black- box” doctrine that says that users of an object
(or operating system component) don’t necessarily need to know the details
OOD, Design - Objects are the basic units, and instances of classes of how the object works; they need to know just the proper syntax for using
the object and the type of data that will be returned as a result
OOP, Programming - employment of objects and methods
Separation of privilege - builds on the principle of least privilege. It requires
If class = airplane, objects like fighter plane, cargo plane, passenger plane can
the use of granular access permissions; that is, different permissions for each
be created. Method would be what a plane would do with a message like:
type of privileged operation. This allows designers to assign some processes
climb, dive, and roll.
rights to perform certain supervisory functions without granting them Malicious code threats (787)
unrestricted access to the system.
Virus - reproduces using a host application. It inserts or attaches itself to the
Process isolation - requires that the operating system provide separate file, spread thru infected media
memory spaces for each process’s instructions and data. It also requires that
the operating system enforce those boundaries, preventing one process from Worm - reproduces on its own without host application
reading or writing data that belongs to another process.
Logic Bomb/Code Bomb - executes when a certain event happens (like
• It prevents unauthorized data access. Process isolation is one of the accessing a bank account or employee being fired) or a data/time occurs
fundamental requirements in a multilevel security mode system.
Trojan Horse - program disguised as a useful program/tool
• It protects the integrity of processes.
HOAXES – False warnings like: DON’T OPEN X SEND TO ALL YOUR
Layering processes - you implement a structure similar to the ring model used COLLEAGUES
for operating modes and apply it to each operating system process.
RAT, Remote Access Trojan - remote control programs that have the
Hardware segmentation - is similar to process isolation in purpose. malicious code and allow for unauthorized remote access Back orifice, sub
Difference is that hardware segmentation enforces these requirements seven, net bus )
through the use of physical hardware controls rather than the logical process
Buffer Overflow - Excessive information provided to a memory buffer
isolation controls imposed by an operating system.
without appropriate bounds checking which can result in an elevation of
Covert channels (778) privilege. If executable code is loaded into the overflow, it will be run as if it
were the program.
Is a way to receive information in an unauthorized manner, information flood
that is not protected by a security mechanism Buffer overflows can be detected by disassembling programs and looking at
their operations.
2 types
Buffer overflows must be corrected by the programmer or by directly
• Storage covert channel - processes communicate via storage space on the patching system memory.
system
Trap Door - An undocumented access path through a system. This typically
• Covert timing channel - one process relays to another by modulating its use bypasses the normal security mechanisms and is to plant any of the malicious
of system resources. Typing rhythm of Morse Code is an example code forms.
Countermeasures: eal6 systems have less than eal3 systems because covert Backdoor - program installed by an attacker to enable him to come back on a
channels are normally a flaw in design. later date without going through the proper authorization channels,
maintenance hook for developers sometimes
Mobile code
Covert Channel - a way to receive information in an unauthorized manner.
Java – sandboxes, no warnings, programs are compiled to bytecode Information flood that is not protected by a security mechanism.
ActiveX – Authenticode, relies on digital signatures, annoying dialogs people Covert Storage Channel - Writing to storage by one process and reading by
click away another of lower security level.
Covert Timing Channel - One process relays to another by modulating its use control or other malicious features into a device. UEFI – replacement for
of system resources. BIOS
Countermeasures - EAL6 systems have less than EAL3 systems because Compression – appended to executables
covert channels are normally a flaw in design.
Companion virus - A specific type of virus where the infected code is stored
LOKI - is a tool used for covert channel that writes data directly after the not in the host program,
ICMP header
but in a separate ‘companion’ files. For example, the virus might rename the
Botnet - compromise thousands of systems with zombie codes can be used in standard NOTEPAD.EXE
DDOS attacks or spammers, send spam messages, conduct brute force
attacks, scan for vulnerable systems file to NOTEPAD.EXD and create a new NOTEPAD.EXE containing the
virus code. When the user subsequently runs the Notepad application, the
Directory Traversal Attack – attacker attempts to force the web application to virus will run first and then pass control to the original program, so the user
navigate up the file hierarchy and retrieve a file that should not normally be doesn’t see anything suspicious. Takes advantage of search order of an
provided to a web user.
Stealth virus – hides modifications to files or boot records and itself
Macro Virus – Most common in office productivity documents .doc/.docx
Multipart virus - infects both the boot sector and executable files; becomes
Trojans – pretends to do one thing while performing another resident first in memory and then infects the boot sector and finally the entire
system, uses two or more propagation mechanisms
Worms – reproduces and spreads, capacity to propagate independent of user
action Self-garbling virus – attempts to hide by garbling its code; as it spreads, it
changes the way its code is encoded
MDM, Mobile device management - a software solution to manage the
myriad mobile devices that employees use to access company resources. The Polymorphic virus – this is also a self-garbling virus where the virus changes
goals of MDM are to improve security, provide monitoring, enable remote the “garble” pattern each time is spreads. As a result, it is also difficult to
management, and support troubleshooting. detect.
Collisions – two different files produce the same result from a hashing Macro virus – usually written in Word Basic, Visual Basic or VBScript and
operation used with MS Office
Virus (784) Resident virus – Virus that loads when a program loads in memory
Boot sector – moves or overwrites the boot sector with the virus code. Master boot record/boot sector - (MBR) virus attack the MBR—the portion
of bootable media (such as a hard disk, USB drive, or CD/ DVD) that the
System infector – infects BIOS command other system files. It is often a computer uses to load the operating system during the boot process. Because
memory resident virus. the MBR is extremely small (usually 512 bytes), it can’t contain all the code
Phlashing - a malicious variation of official BIOS or firmware is installed that required to implement the virus’s propagation and destructive functions. To
introduces remote bypass this space limitation, MBR viruses store the majority of their code on
another portion of the storage media. When the system reads the infected
MBR, the virus instructs it to read and execute the code stored in this
alternate location, thereby loading the entire virus into memory and • Ring 1 - Remaining parts of the operating system
potentially triggering the delivery of the virus’s payload.
• Ring 2 - I/O drivers and utilities
Non-resident virus - attached to .exe
• Ring 3 - Applications and programs
ANTI-Virus
Layers 1 and 2 contain device drivers but are not normally implemented in
Signature based - cannot detect new malware practice. Layer 3 contains user applications. Layer 4 does not exist.
Heuristic behavioral - can detect new malware Terms
Threats CSRF (XSRF) – Cross site request forgery, attacks exploit the trust that sites
have in a user’s browser by attempting to force the submission of
Natural (Fires, explosions water, storm) authenticated request to third-party sites.
Man-made (bombing, strikes, toxin spills) Cross-site Scripting – uses reflected input to trick a user’s browser into
executing untrusted code from a trusted site
Protection mechanisms (795)
Session Hijacking – attempt to steal previously authenticated sessions but do
Protection domain
not force the browser to submit request.
Execution and memory space assigned to each process
SQL Injection – directly attacks a database through a web app,,
TRUSTED COMPUTER BASE CARROT’1=1; - quotation mark to escape out of input field

Combination of protection systems within a computer system, which include Blue Screen of Death – when a Windows system experiences a dangerous
the hardware, software and firmware that are trusted to enforce the security failure and enters a full secure state (reboot)
policy.
Hotfix, update, Security fix – single patch, patches provide updates to
Security Kernel - hardware, software, firmware, elements of TCB that operating systems and applications.
implement the reference monitor concept — must be isolated from reference
Service Pack – collection of unrelated patches released in a large collection
monitor (reference monitor: isolation, completeness and verifiability, that
compares the security labels of subjects and objects) Patch management system - prevents outages from known attacks by
ensuring systems are patched.
Multistate systems - capable of implementing a much higher level of security.
These systems are certified to handle multiple security levels simultaneously Patches aren’t available for new attacks. However, the patch management
by using specialized mechanisms system doesn’t provide the updates. Ensuring systems are patched reduces
vulnerabilities but it does not eliminate them
Protection rings - (MIT’s MULTICS design)
Nice to Know
• Ring 0 - Operating system kernel. The OS’ core. The kernel manages the
HW (for example, processor cycles and memory) and supplies fundamental Code Review - peer-driven process that includes multiple developers, may be
services that the HW does not provide. automated, may review several hundred lines of code an hour, done after
code developed
Strong Passwords – social engineering best attack method to beat Keys - like passwords and should be treated as very sensitive information.
They should always be stored in secure locations and transmitted only over
Threat Modeling – reduce the number of security-related design and coding encrypted communications channels. If someone gains access to your key,
flaws, reduce severity of non-security related files, not to reduce number of they can interact with a web service as if they were you! Limit access to
threat vectors
Nessus - is a popular vulnerability scanner managed by Tenable Network
Aggregate – summarize large amounts of data and provide only summary Security, and it combines multiple techniques to detect a wide range of
information as a result vulnerabilities. It uses port scans to detect open ports and identify the services
and protocols that are likely running on these systems. Once Nessus discovers
Port Scan – attacking system sends connection attempts to the targets system
against a series of commonly used ports basic details about systems, it can then follow up with queries to test the
systems for known vulnerabilities, such as if the system is up-to-date with
Class Class
current patches. Attacker can use to best identify vulnerabilities in a targeted
Account [name of class] system

Balance: currency = 0 [attributes of class] CASE - tool for development, if concerned about security

Owner: string [attributes of class] OWASP – Open Web Application Security Project, most authoritative source
on web application security issues
AddFunds(deposit: currency) [method of class]
Shadow Password File -, /etc./ shadow. This file contains the true encrypted
RemoveFunds (withdrawal: currency)[method of class] PWs of each user, but it is not accessible to anyone but the administrator. The
publicly accessible /etc./ passwd file then simply contains a list of usernames
JavaScript – is an interpreted language that does not make use of a complier without the data necessary to mount a dictionary attack. “x”
to transform code into an executable state. Java, C, and C++ are all compiled
languages. User Mode – processor mode used to run the system tools used by admins to
make configuration changes to a machine
Directory Traversal Attack - %252E%252Fetc/passwd, %252E = . & %252F
=/ Kernel Mode – used by processor to execute instructions from
Open system - is one with published APIs that allow third parties to develop
products to interact with it.
Closed system - is one that is proprietary with no third-party product support,
does not define if it’s code can be viewed
Open source - is a coding stance that allows others to view the source code of
a program, distributed free or for a fee
Closed source - is an opposing coding stance that keeps source code
confidential. can be reverse engineered or decompiled