Security admin guide to learn CISSP, CISM, CEH, CISA, CRISC
Typology: Study Guides, Projects, Research
DAD – the negatives: Disclosure, Alteration, Destruction (the opposite of CIA).
Confidentiality – prevent unauthorized disclosure; need to know and least privilege. Assurance that information is not disclosed to unauthorized programs, users or processes. Controls: encryption, logical and physical access control.
Integrity – no unauthorized modification; consistent data; protecting data or a resource from being altered in an unauthorized fashion.
Availability – reliable and timely access WHEN NEEDED; fault tolerance and recovery procedures.
IAAA – the requirements for accountability:
Identification – the user claims an identity; used for user access control.
Authentication – testing the evidence of the user's identity.
Authorization – rights and permissions granted.
Accountability – tracing actions back to an individual person.
Privacy – the level of confidentiality and privacy protections.
It is not possible to get rid of all risk; get risk down to an acceptable/tolerable level.
Baselines – minimum standards.
ISO 27005 – risk management framework.
Budget – if the budget is not constrained, go for the best (most expensive) solution.
Written products – ensure they are done. CIRT – implement and operate. Security awareness – provide leadership. Communicate – risk to higher management; report to as high a level as possible. Security is everyone's responsibility.
Consistent – approach and application. Measurable – a way to determine progress. Standardized – all the same. Comprehensive – examine everything. Modular – to help in review and adaptation. Layered, abstraction.
Due Care – the company did all that it could reasonably have done to try to prevent a security breach / compromise / disaster, and took the necessary steps required as countermeasures / controls (safeguards). The benefit of due care can be seen as the difference between the damage with and without the due-care safeguards in place. AKA doing something about the threats. Failing to perform periodic security audits can result in the perception that due care is not being maintained.
Due Diligence – the company properly investigated all of its possible weaknesses and vulnerabilities. AKA understanding the threats.
Patent – grants ownership of an invention and lets the owner exclude others from practicing it. Requires an application; protection lasts 20 years from filing, after which the invention is in the public domain.
Copyright – protects the expression of ideas but not necessarily the idea itself, e.g. a poem or a song. Lasts for the author's life plus 70 years.
Trade Secret – something proprietary to a company and important for its survival and profitability (like the formula for Coke or Pepsi). DON'T REGISTER – no application; protected for as long as it stays secret.
Trademarks – words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitors' products (McDonald's M). Registration lasts 10 years and is renewable.
Wassenaar Arrangement (WA) – export controls on dual-use goods and conventional arms, including cryptography; an international agreement intended to prevent destabilizing accumulations of such goods.
Computer Crimes – loss, image (reputation), penalties.
SOX, Sarbanes-Oxley Act, 2002 – passed after the Enron and WorldCom debacles. Requires independent review by external accountants. Section 302: CEOs and CFOs must sign (certify) financial reports and can be sent to jail when information they sign is incorrect. Section 404 is about the internal controls assessment: describing the logical controls over accounting files; requires good auditing and information security.
Incident – an event that has the potential to do harm.
Breach – an incident that results in disclosure or potential disclosure of data.
Data Disclosure – unauthorized acquisition of personal information.
Event – threat events are accidental and intentional exploitations of vulnerabilities.
ITAR, 1976 – International Traffic in Arms Regulations; defense goods, under the Arms Export Control Act.
FERPA – education records.
GLBA – Gramm-Leach-Bliley Act; credit-related PII.
ECS – Electronic Communication Service (Europe); notice of breaches.
Fourth Amendment – the basis for privacy rights is the Fourth Amendment to the Constitution.
1974 US Privacy Act – protection of PII in federal databases.
1980 Organization for Economic Cooperation and Development (OECD) guidelines – provide for data collection, specifications, safeguards.
1986 (amended in 1996) US Computer Fraud and Abuse Act – trafficking in computer passwords, or information that causes a loss of $1,000 or more or could impair medical treatment.
1986 Electronic Communications Privacy Act – prohibits eavesdropping or interception without distinguishing private/public.
Communications Assistance for Law Enforcement Act (CALEA) of 1994 – amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
1987 US Computer Security Act – security training, develop a security plan, and identify sensitive systems in government agencies.
1991 US Federal Sentencing Guidelines – responsibility on senior management, with fines up to $290 million. Invoke the prudent man rule. Address both individuals and organizations.
1996 US Economic Espionage Act – industrial and corporate espionage; theft of proprietary information.
1996 Health Insurance Portability and Accountability Act (HIPAA) – later amended by HITECH (below).
1996 US National Information Infrastructure Protection Act – amended the CFAA; encourages other countries to adopt a similar framework.
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) – Congress amended HIPAA by passing this Act. This law updated many of HIPAA's privacy and security requirements. One of the changes is in the way the law treats business associates (BAs), organizations that handle PHI on behalf of a HIPAA covered entity.
Any relationship between a covered entity and a BA must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements
Life, dollars, prestige, market share
Risk Avoidance – discontinue the activity because you don't want to accept the risk.
Risk Transfer – passing the risk on to another entity (e.g. insurance).
Risk Mitigation – elimination or decrease in the level of risk.
Risk Acceptance – live with it and pay the cost.
Background checks – mitigation, acceptance, avoidance.
Primary Controls (Types) – the control's cost should be less than the value of the asset being protected. Administrative/Managerial – policy.
Penetration testing – testing a network's defenses by using the same techniques as external intruders. Scanning and probing – port scanners.
Phases: recon/discovery – enumeration – vulnerability analysis – execution/exploitation – document findings/reporting. SPELL OUT AND DEFINE! Control assessment – look at your posture.
Plan – identify the opportunity and plan for change. Do – implement the change on a small scale. Check – use data to analyze the results of the change. Act – if the change was successful, implement it on a wider scale; if it failed, begin the cycle again.
Individuals must be qualified with the appropriate level of training.
Public domain – available for anyone to use.
Open source – source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone.
Freeware – proprietary software that is available for use at no monetary cost. May be used without payment but usually may not be modified, redistributed or reverse-engineered without the author's permission.
Assurance – the degree of confidence that the security requirements are satisfied; it is the evidence that the controls actually work, not the controls themselves. THINK OUTSIDE AUDIT.
Don’t assume what client wants Involve users early Define and agree on scope MORE
Technical training – how to react to situations; best practices for security and network personnel. Employees need to understand policies; use presentations, posters etc. to make them aware. Formal security awareness training – exact preparation on how to do things.
Wire Tapping – eavesdropping on communication; only legal with prior consent or a warrant.
Data Diddling – modifying information, programs, or documents to commit fraud; tampers with INPUT data.
Privacy Laws – data collected must be collected fairly and lawfully and used only for the purpose for which it was collected.
Watering hole – compromise websites the target group is known to visit and plant malicious code there, so the targets infect themselves from a site they trust.
Work Function (factor) – the difficulty of obtaining the plaintext from the ciphertext, measured by cost/time.
Fair Cryptosystems – in this key escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.
SLA – agreement between an IT service provider and a customer; documents service levels and the "divorce": how to dissolve the relationship.
SLR (Service Level Requirements) – requirements for a service from the client's viewpoint.
Service Level Report – insight into a service provider's ability to deliver the agreed-upon service quality.
FISMA (federal agencies) – Phase 1: categorizing systems, selecting minimum controls, assessment. Phase 2: create a national network of secure services to assess.
Increased data sharing
Borders Encryption
Granularity – the smallest unit of information the DB will hold. When do we replace – then think about the next one. CRITICAL = AVAILABILITY.
Data remanence – the residual physical representation of data that has in some way been erased; residual data left on media after erase attempts. Remove unwanted remnant data from magnetic tapes (degaussing). In the cloud the note claims PaaS deals with it best, because the provider controls the storage lifecycle.
Select based on the data classification of the data stored/handled
Narrows the focus of the architecture to ensure that the appropriate risks are identified and addressed.
Scoping – reviewing the baseline security controls and selecting only those controls that apply to the IT system you're trying to protect.
Tailoring – modifying the list of security controls within a baseline so that they align with the mission of the organization.
Supplementation – adding assessment procedures or assessment details to adequately meet the risk management needs of the organization.
Link encryption – usually point to point; EVERYTHING is encrypted, headers included ("black pipe, black oil, black ping pong balls"); normally done by service providers, and data is decrypted and re-encrypted at every hop.
End-to-end encryption – you can see everything BUT THE PAYLOAD (headers stay in the clear so the network can route); normally done by users.
YOU CAN LAYER THESE ENCRYPTION TYPES.
Email is not secured unless encrypted.
Netscape invented SSL. SSLv3 is deprecated; use TLS 1.2 or later (TLSv1.2 for the test).
PGP / GnuPG (GPG) – OpenPGP; relies on a web of trust rather than a CA hierarchy.
S/MIME – secure email using X.509 certificates.
Classifying Costs – costs are not a factor in classifying data, but they are in choosing controls.
FTP and Telnet are unencrypted! SFTP and SSH provide encryption to protect data and the credentials used to log in.
Record Retention Policies – how long data is retained and maintained.
Removable Media – use strong encryption, like AES-256, to ensure loss of media does not result in a data breach.
Personnel Retention – deals with the knowledge that employees gain while employed.
Record Retention – retaining and maintaining information for as long as it's needed.
Label Data – to make sure data is identifiable by its classification level. Some label all media that contains data to prevent reuse of Public media for sensitive data.
Data in RAM is data in use.
CIS – Center for Internet Security; creates lists of security controls (benchmarks) for OS, mobile, server, and network devices.
NIST – National Institute of Standards and Technology. NIST SP 800 series – addresses computer security in a variety of areas.
NIST SP 800-14 – Generally Accepted Principles and Practices for Securing Information Technology Systems.
NIST SP 800-18 – how to develop security plans.
NIST SP 800-27 – baseline for achieving security; five lifecycle planning phases (defined in 800-14); 33 IT security principles.
CalOPPA – California Online Privacy Protection Act; operators of commercial websites must post a privacy policy if they collect personal information on CA residents. Not to be confused with COPPA, the federal Children's Online Privacy Protection Act.
Curie Temperature – the critical point above which a material loses its intrinsic magnetic alignment (why degaussing works).
DAR – Data at rest; inactive data that is physically stored, not RAM. Biggest threat is a data breach; full disk encryption protects it (Microsoft BitLocker and Microsoft EFS, which use AES, are examples).
DLP – Data Loss/Leakage Prevention; uses labels to determine the appropriate control to apply to data. Won't modify labels in real time.
ECM – Enterprise Content Management; centrally managed and controlled.
Non-disclosure Agreement – legal agreement that prevents employees from sharing proprietary information.
PCI DSS – Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council; applies to credit card data and provides a set of security controls/standards.
Watermark – embedded data to help identify the owner of a file; digitally labels data and can be used to indicate ownership.
Common Criteria (ISO 15408) – structured methodology for documenting security requirements and for documenting and validating that a product meets them. A SECURITY PRODUCT MAY BE CERTIFIED. Defines a Protection Profile that specifies the security requirements and protections of a product to be evaluated (the vendor's Security Target describes what the product actually provides). Organized around TCB entities. Evaluation Assurance Levels (EAL 1 to 7).
Initiation – need expressed, purpose documented, impact assessment.
Development/Acquisition – system designed, purchased, programmed, developed or constructed.
Implementation – system tested and installed; certification and accreditation.
Operation/Maintenance – performs its function; security operations, audits.
Disposal – disposition of information, HW and SW.
Physical controls are your first line of defense, and people are your last.
The operating system (kernel) loads and runs binary programs, schedules task swapping, allocates memory and tracks the physical location of files on the computer's hard disk, manages I/O requests from software, and translates them into instructions for the CPU.
Primary Storage – a temporary storage area for data entering and leaving the CPU.
Random Access Memory (RAM) – a temporary holding place for data used by the operating system. It is volatile: if the power is turned off the data is lost. Two types of RAM are dynamic and static. Dynamic RAM needs to be refreshed from time to time or the data will be lost; static RAM does not need to be refreshed.
Read-Only Memory (ROM) – non-volatile, which means when the computer is turned off the data is not lost; for the most part ROM cannot be altered. ROM is sometimes referred to as firmware.
Erasable and Programmable Read-Only Memory (EPROM) – non-volatile like ROM, however EPROM can be altered.
Process states:
Segmentation – dividing a computer's memory into segments.
Protection Keying – numerical values; divides physical memory into fixed-size blocks, each of which has an associated numerical value called a protection key.
Paging – divides the memory address space into equal-size blocks called pages; lets the system emulate more RAM than it physically has (virtual memory). THE SYSTEM KERNEL KNOWS THE LOCATION OF THE PAGE FILE.
The ITIL Core includes five publications addressing the overall life cycle of systems. ITIL as a whole identifies best practices that an organization can adopt to increase overall availability, and the Service Transition publication addresses configuration management and change management processes.
Security models – defining the allowed interactions between subjects (active parties) and objects (passive parties) at a particular moment in time.
State Machine Model – describes a system that is always secure no matter what state it is in. If all aspects of a state meet the requirements of the security policy, that state is considered secure. A transition occurs when accepting input or producing output; a transition always results in a new state (a state transition). A secure state machine model system always boots into a secure state, maintains a secure state across all transitions, and allows subjects to access resources only in a secure manner compliant with the security policy.
Information Flow Model – focuses on the flow of information and is based on the state machine model. Bell-LaPadula and Biba are both information flow models. Information flow models don't necessarily deal only with the direction of information flow; they can also address the type of flow. They are designed to prevent unauthorized, insecure, or restricted information flow, often between different levels of security (these are often referred to as multilevel models). The information flow model also addresses covert channels by specifically excluding all non-defined flow pathways.
Noninterference Model – loosely based on the information flow model. Instead of being concerned with the flow of information, it is concerned with how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level. Basically, the actions of subject A (high) should not affect the actions of subject B (low) or even be noticed by subject B. The noninterference model can be imposed to provide a form of protection against damage caused by malicious programs such as Trojan horses.
Sutherland Model – an integrity model built on the state machine and information flow ideas; it focuses on preventing interference in support of integrity.
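Bell-LaPadula and Biba are easiest to understand as a "dominates" relation on labels plus two rules each. The block below is an added example written for this guide (not code from the source): the LEVELS table, compartments and the subjects/objects in demo() are constructed for illustration.

```python
"""Bell-LaPadula and Biba access checks over a lattice of labels.

Added example (not from the study guide). A label is a sensitivity level
plus a set of compartments; LEVELS and the labels in demo() are
constructed for illustration. Label A "dominates" label B when A's level
is >= B's level AND A's compartments are a superset of B's.
"""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Partial order: equal or higher level and every compartment of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: subject clearance must dominate the object."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: the object classification must dominate the subject, so a
    SECRET subject cannot leak into a CONFIDENTIAL object."""
    return obj.dominates(subject)


# Biba (integrity) is the mirror image: no read down, no write up.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity: only read objects at or above your integrity level."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """*-integrity: only write objects at or below your integrity level."""
    return subject.dominates(obj)


def demo():
    """Constructed subjects and objects; returns the access decisions."""
    analyst = Label("SECRET", frozenset({"NUCLEAR", "CRYPTO"}))
    director = Label("TOP SECRET")            # high level, no compartments
    memo = Label("CONFIDENTIAL")
    design = Label("SECRET", frozenset({"NUCLEAR"}))
    ts_plan = Label("TOP SECRET", frozenset({"NUCLEAR", "CRYPTO"}))
    return {
        "analyst reads memo": blp_can_read(analyst, memo),          # True
        "analyst writes memo": blp_can_write(analyst, memo),        # False: write down
        "analyst writes ts_plan": blp_can_write(analyst, ts_plan),  # True: write up is fine
        "analyst reads ts_plan": blp_can_read(analyst, ts_plan),    # False: read up
        "director reads design": blp_can_read(director, design),    # False: lacks NUCLEAR
        "biba analyst reads memo": biba_can_read(analyst, memo),    # False: read down
    }
```

The "director reads design" case is the one worth remembering: a higher level alone does not dominate; compartments make the labels a lattice rather than a simple ladder, which is exactly what "dominate" means in the sensitivity-label notes later in this guide.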
Confinement – restricting the actions of a program. Simply put, process confinement allows a process to read from and write to only certain memory locations and resources. This is also known as sandboxing.
Bounds – a process consists of limits set on the memory addresses and resources it can access. The bounds state the area within which a process is confined or contained.
Isolation – when a process is confined through enforcing access bounds, that process runs in isolation. Process isolation ensures that any behavior will affect only the memory and resources associated with the isolated process.
Original service models – SaaS, PaaS; original deployment models – community and hybrid.
PaaS – Platform-as-a-Service is the concept of providing a computing platform and software solution stack as a virtual or cloud-based service. Essentially, this type of cloud solution provides all the aspects of a platform (that is, the operating system and complete solution package). The primary attraction of PaaS is avoiding having to purchase and maintain high-end hardware and software locally. The customer supplies application code that the vendor then executes on its own infrastructure.
SaaS – Software-as-a-Service is a derivative of PaaS. SaaS provides on-demand online access to specific software applications or suites without the need for local installation. In many cases, there are few local hardware and OS limitations.
IaaS – Infrastructure-as-a-Service takes the PaaS model yet another step forward and provides not just on-demand operating solutions but complete outsourcing options. This can include utility or metered computing services, administrative task automation, dynamic scaling, virtualization services, policy implementation and management services, and managed/filtered Internet connectivity.
Deployment models – the parent organization is still responsible for patching the OS of its virtual hosts. CaaS – not a TERM!
Aggregation – SQL provides a number of functions that combine records from one or more tables to produce potentially useful information. Aggregation is not without its security vulnerabilities: aggregation attacks collect numerous low-level security items and combine them to create something of a higher security level or value.
Inference – combining several pieces of non-sensitive information to gain access to information that should be classified at a higher level. Inference makes use of the human mind's deductive capacity rather than the raw mathematical ability of modern database platforms.
Data Warehousing – large databases that store large amounts of information from a variety of databases for use with specialized analysis techniques.
Data Mining – techniques that allow analysts to comb through data warehouses and look for potentially correlated information.
Data dictionary – commonly used for storing critical information about data, including usage, type and sources; the DBMS software reads the data dictionary.
ISO 27001 – focused on the standardization and certification of an organization's information security management system (ISMS); security governance; a standard. Minimum ISMS requirements.
ISO 27002 – (derived from ISO 17799) a guideline which lists security control objectives and recommends a range of specific security controls; more granular than 27001. 14 areas.
BOTH DESCEND FROM BS 7799 (27001 from BS 7799-2, 27002 from BS 7799-1).
Consider the overall control framework or structure of the security solution desired by the organization.
COBIT – Control Objectives for Information and Related Technology; a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.
COBIT 5 – based on five key principles for governance and management of enterprise IT: 1. Meeting stakeholder needs. 2. Covering the enterprise end-to-end. 3. Applying a single, integrated framework. 4. Enabling a holistic approach. 5. Separating governance from management.
COBIT is used not only to plan the IT security of an organization but also as a guideline for auditors.
Hypervisor – used to host one or more operating systems within the memory of a single host computer. Such an OS is known as a guest operating system. Where there is an original or host OS installed directly on the computer hardware, the additional OSes hosted by the hypervisor are guests (Type 2 hypervisor); a Type 1 hypervisor runs directly on the hardware with no host OS.
TOCTTOU (time-of-check to time-of-use) attack – race condition exploits and communication disconnects are known as state attacks because they attack timing, data flow control, and the transition from one system state to another.
Race condition – two or more processes require access to the same resource and must complete their tasks in the proper order for normal function.
Register – the CPU also includes a limited amount of onboard memory, known as registers, that provides it with directly accessible memory locations that the brain of the CPU, the arithmetic-logic unit (ALU), uses when performing calculations or processing instructions; small memory locations directly in the CPU.
Stack Memory Segment – used by processors to communicate instructions and data to each other.
Monolithic Operating System Architecture – all of the code working in kernel mode/system mode in an ad hoc and non-modularized OS.
Memory Addressing – when using memory resources, the processor must have some means of referring to the various locations in memory. The solution to this problem is known as addressing.
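The classic TOCTTOU is check-the-name-then-open-the-name on a filesystem. The following is an added example for this guide (not code from the source, POSIX only): the directory layout, file names and the contents of secret.key in demo() are constructed. It shows the vulnerable pattern beside the hardened one, where the check is made on the open file descriptor rather than on the path.

```python
"""TOCTTOU on a file path versus checking the handle you actually use.

Added example (not from the study guide). The directory layout, file
names and the 'secret.key' contents in demo() are constructed.
Vulnerable pattern: stat() the PATH, decide, then open() the PATH.
Between those two calls an attacker who controls the directory can
re-bind the name to a symlink pointing at something sensitive; open()
follows it and the earlier check is void. Hardened pattern: open first
with O_NOFOLLOW, then fstat() the DESCRIPTOR, so the object checked is
the object used. Requires a POSIX platform (os.O_NOFOLLOW, symlinks).
"""
import os
import stat
import tempfile


def read_report_vulnerable(path: str) -> bytes:
    st = os.stat(path)                    # time of check (follows symlinks)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    # <-- race window: the name can be re-bound here -->
    with open(path, "rb") as f:           # time of use: opens whatever is there now
        return f.read()


def read_report_hardened(path: str, max_size: int = 1 << 20) -> bytes:
    # O_NOFOLLOW makes open() fail (ELOOP) if the last path component is a
    # symlink, so an attacker-planted link is never dereferenced.
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)
    try:
        st = os.fstat(fd)                 # check the handle, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_size > max_size:
            raise ValueError("file too large")
        with os.fdopen(fd, "rb") as f:    # fdopen takes ownership of fd
            fd = -1
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Constructed scenario: report.txt has already been swapped for a symlink
    to secret.key when the reader runs. Returns (bytes leaked by the
    vulnerable reader, whether the hardened reader refused the symlink,
    bytes the hardened reader returns for a genuine regular file)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.key")
        with open(secret, "wb") as f:
            f.write(b"hunter2")            # constructed secret
        report = os.path.join(d, "report.txt")
        os.symlink(secret, report)         # the attacker's swap
        leaked = read_report_vulnerable(report)   # check passes, secret leaks
        try:
            read_report_hardened(report)
            refused = False
        except OSError:                    # ELOOP from O_NOFOLLOW
            refused = True
        genuine = read_report_hardened(secret)
        return leaked, refused, genuine
```

The symlink is planted before the reader runs here for determinism; in a real race the attacker wins the window between stat() and open(). Either way the lesson is the same: checks on a name prove nothing about the object you later open, so check the descriptor. The size cap on the hardened path is a separate availability guard (a 4 GB "report" should not be read into memory either).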
Purpose – protect transmitted information from being read and understood by anyone except the intended recipient.
Substitution – shifting and rotating alphabets; can be broken statistically by looking at repeating characters (frequency analysis).
Vernam cipher (one-time pad) – the key is a random set of non-repeating characters, as long as the message, used once.
Information Theory – Claude Elwood Shannon.
Transposition – permutation is used, meaning that the letters are scrambled. The key determines the positions the characters are moved to, for example vertical instead of horizontal.
Null Cipher – used where encryption is not necessary but the system must still be configured for "no encryption" to work, e.g. testing; also the steganographic sense of hiding a message in innocent-looking text.
Key Length – choose per algorithm based on the sensitivity of the information transmitted; the longer the key the better!
Key space – the range of values that are valid for use as a key for a specific algorithm. A key space is defined by its bit size, which is nothing more than the number of binary bits (0s and 1s) in the key: the range between the all-0s key and the all-1s key. The key space doubles each time you add a bit to the key length, which makes brute-force cryptanalysis harder.
Key Clustering – when different encryption keys generate the same ciphertext from the same plaintext message. BAD.
Synchronous – each encryption or decryption request is performed immediately.
Asynchronous – encrypt/decrypt requests are processed in queues.
Hash Function – one-way mathematical operation that reduces a message or data file into a smaller fixed-length output. A digital signature is that hash encrypted (signed) with the sender's private key.
Registration Authority – performs certificate registration services on behalf of a CA; the RA verifies user credentials.
Certificate Authority – PKI entity trusted by one or more users as an authority in a network that issues, revokes, and manages digital certificates.
Key Space – the total number of possible key values in a cryptographic algorithm; a larger key space increases security by introducing more cryptographic variance. HOW HARD IT IS TO BRUTE FORCE.
Transposition/permutation – the process of reordering plaintext to hide the message: rambo = ombar.
SP-network – substitution-permutation network, described by Claude Shannon and used in most block ciphers to increase their strength.
Confusion – mixing the key values during repeated rounds of encryption; make the relationship between ciphertext and key as complex as possible.
Diffusion – mix the location of plaintext throughout the ciphertext; a change of a single plaintext bit should drastically change the ciphertext; dissipate patterns.
Meet in the Middle – attackers might use a meet-in-the-middle attack to defeat encryption algorithms that use two rounds of encryption. This attack is the reason Double DES (2DES) was quickly discarded as a viable enhancement to DES; it was replaced by Triple DES (3DES, TDES, EEE, EDE).
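To see why two rounds buy almost nothing, the added example below (written for this guide, not from the source) runs a meet-in-the-middle attack against double encryption with a constructed 16-bit toy block cipher. The cipher, its round rotations and the keys and plaintexts in demo() are illustrative assumptions; the toy is not DES, but the attack structure is exactly the one that killed 2DES.

```python
"""Meet-in-the-middle against double encryption with a toy 16-bit cipher.

Added example (not from the study guide): the toy cipher, its round
constants and the keys/plaintexts in demo() are constructed for
illustration; it is NOT DES. Double encryption c = E(k2, E(k1, m)) has a
32-bit key pair, so naive brute force is 2^32 trials. MITM instead
encrypts m under every k1 (2^16 trials), decrypts c under every k2
(2^16 trials) and looks for a match in the middle: about 2^17 work plus
a 2^16-entry table, which is why 2DES was never adopted and 3DES is used.
"""
MASK = 0xFFFF
ROUND_ROTATIONS = (3, 7, 11)


def _rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def _rotr16(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def toy_encrypt(key: int, block: int) -> int:
    """Three ARX-style rounds: xor key, rotate, add key (mod 2^16)."""
    x = block & MASK
    for r in ROUND_ROTATIONS:
        x = _rotl16(x ^ key, r)
        x = (x + key) & MASK
    return x


def toy_decrypt(key: int, block: int) -> int:
    """Inverse of toy_encrypt: undo the rounds in reverse order."""
    x = block & MASK
    for r in reversed(ROUND_ROTATIONS):
        x = _rotr16((x - key) & MASK, r)
        x ^= key
    return x


def double_encrypt(k1: int, k2: int, block: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) candidates from two known plaintext/ciphertext pairs.
    Returns every key pair consistent with BOTH pairs."""
    (m1, c1), (m2, c2) = pairs[0], pairs[1]
    # Forward table: middle value -> all k1 producing it (2^16 encryptions).
    middle = {}
    for k1 in range(1 << 16):
        middle.setdefault(toy_encrypt(k1, m1), []).append(k1)
    # Backward sweep: decrypt c1 under every k2 and look it up (2^16 decryptions).
    found = []
    for k2 in range(1 << 16):
        for k1 in middle.get(toy_decrypt(k2, c1), ()):
            # The second pair weeds out false matches from the first pair alone.
            if double_encrypt(k1, k2, m2) == c2:
                found.append((k1, k2))
    return found


def demo():
    """Constructed keys and plaintexts; returns (true key pair, candidates)."""
    k1, k2 = 0x1234, 0xBEEF
    m1, m2 = 0x0001, 0x4F6B
    pairs = [(m1, double_encrypt(k1, k2, m1)), (m2, double_encrypt(k1, k2, m2))]
    return (k1, k2), meet_in_the_middle(pairs)
```

Scale the numbers to DES (56-bit keys): naive brute force of 2DES would be 2^112, MITM is about 2^57 operations and a 2^56-entry table, so 2DES offers roughly one bit more than single DES. 3DES with EDE and two or three keys pushes the same attack back to about 2^112.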
Block Cipher – segregates plaintext into blocks and applies an identical encryption algorithm and key to each.
Cipher – a cryptographic transformation that operates on characters or bits: DES, word scramble, shifted letters.
Ciphertext or Cryptogram – the unintelligible message; encrypted text.
Clustering – a situation wherein a plaintext message generates identical ciphertext messages using the same algorithm but with different crypto-variables or keys.
Codes – a cryptographic transformation that operates at the level of words or phrases ("one if by land, two if by sea").
Cryptanalysis – breaking the ciphertext.
Cryptographic Algorithm – a step-by-step procedure to encipher plaintext and decipher ciphertext.
Cryptography – the art and science of hiding the meaning of communications from unintended recipients (Greek: kryptos = hidden, graphein = to write).
Cryptology – cryptography + cryptanalysis.
Cryptosystem – a set of transformations from a message space to a cipher space.
Decipher – to make the message readable; undo the encipherment process.
Encipher – make the message unintelligible.
End-to-end encryption – encrypted information that is sent from the point of origin to the destination.
In symmetric encryption both parties have the same identical key for the session.
Exclusive OR (XOR) – a Boolean operation that performs binary addition without carry (addition mod 2); applying the same key twice gives back the original.
Key or Crypto variable – the information or sequence that controls the enciphering and deciphering of messages.
Link encryption – encryption of all traffic on a link, hop by hop, with each node decrypting and re-encrypting (different keys per link); contrast with end-to-end.
One Time Pad – encipher each character with its own unique key that is used only once; unbreakable if the pad is truly random, as long as the message and never reused.
PGP (GPG) – encrypts attached files and mail.
Plaintext – the message in clear, readable form.
Steganography – secret communications where the existence of the message is hidden (inside images, for example).
Dumpster Diving – going through someone's trash to find useful or confidential info; legal but unethical in nature.
Phishing – sending spoofed messages that pretend to originate from a source the user trusts (like a bank).
Social Engineering – tricking someone into giving sensitive or confidential info that may be used against the company.
Script kiddie – someone with limited hacking skills who gets code from the Internet.
Red boxing – pay phone cracking (coin tone simulation).
Black boxing – manipulates line voltage to receive toll-free calls.
Blue boxing – tone simulation that mimics the telephone company's system and allows long-distance call authorization.
White box – a dual-tone multi-frequency (DTMF) generator used to control the phone system.
Phreakers – hackers who commit crimes against phone companies.
Salami – removal of small amounts of money at a time, otherwise known as skimming.
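The Vernam/one-time pad entries above and the XOR definition are the same thing in practice: the pad is XORed onto the message. The added example below (written for this guide, not from the source) implements it and then shows the failure mode the notes warn about: reuse the pad once and the pad cancels out, leaving p1 XOR p2, which a known fragment ("crib") turns into plaintext. The two messages and the crib in demo() are constructed.

```python
"""One-time pad with XOR, and what breaks when the pad is reused.

Added example (not from the study guide). The two messages and the
known-plaintext crib in demo() are constructed. XOR is addition mod 2
without carry, so it is its own inverse: (p XOR k) XOR k == p. The pad is
unbreakable only while it is truly random, as long as the message, and
used ONCE: reuse lets an attacker XOR the two ciphertexts so the pad
cancels, leaving p1 XOR p2, which "crib dragging" turns into plaintext.
"""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Each plaintext byte gets its own pad byte; the pad must be at least as long."""
    if len(pad) < len(plaintext):
        raise ValueError("pad too short: never stretch or cycle a one-time pad")
    return xor_bytes(plaintext, pad[:len(plaintext)])


otp_decrypt = otp_encrypt  # XOR is its own inverse


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same pad: c1 ^ c2 == p1 ^ p2, the pad cancels."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def crib_drag(p1_xor_p2: bytes, crib: bytes):
    """Slide a guessed fragment of one message across p1^p2; wherever the
    guess is right, the XOR reveals the OTHER message's bytes at that offset.
    Returns (offset, candidate) pairs whose candidate is printable ASCII."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        cand = xor_bytes(p1_xor_p2[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in cand):
            hits.append((off, cand))
    return hits


def demo():
    """Constructed messages, a fresh random pad, and the pad reused once."""
    p1 = b"attack at dawn"
    p2 = b"defend at dusk"
    pad = os.urandom(len(p1))             # correct use: random, one-off
    c1 = otp_encrypt(p1, pad)
    c2 = otp_encrypt(p2, pad)             # misuse: same pad twice
    leak = two_time_pad_leak(c1, c2)
    return {
        "round_trip_ok": otp_decrypt(c1, pad) == p1,
        "leak_is_p1_xor_p2": leak == xor_bytes(p1, p2),
        "crib_hits": crib_drag(leak, b"attack"),   # offset 0 -> b"defend"
    }
```

Note that the leak does not depend on the pad at all: whatever os.urandom produced, c1 XOR c2 is p1 XOR p2. This is also why a stream cipher keystream (RC4, a block cipher in CTR mode) must never be reused with the same key and nonce; it is the same two-time-pad failure.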
Zero-knowledge proof – a communication concept: a specific type of information is exchanged but no real data is transferred, as with digital signatures and digital certificates. Understand split knowledge. The "magic door" (cave) illustration.
Split knowledge – the information or privilege required to perform an operation is divided among multiple users. This ensures that no single person has sufficient privileges to compromise the security of the environment. M of N Control (multiparty key recovery) is an example of split knowledge.
Skipjack – like many block ciphers, Skipjack operates on 64-bit blocks of text. It uses an 80-bit key and supports the same four modes of operation supported by DES. Skipjack was quickly embraced by the US government and provides the cryptographic routines supporting the Clipper and Capstone encryption chips. Skipjack has an added twist: it supports the escrow of encryption keys.
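M of N control and the Fair Cryptosystems escrow idea from earlier in this guide both rest on the same mathematics: split a key so that any M of N custodians can rebuild it and fewer than M learn nothing. The added example below (written for this guide, not from the source) implements Shamir secret sharing over a prime field; the 3-of-5 policy and the sample key in demo() are constructed.

```python
"""Split knowledge via Shamir secret sharing: M-of-N control over a key.

Added example (not from the study guide). The 3-of-5 policy and the
sample key in demo() are constructed. A secret S is the constant term of
a random polynomial of degree m-1 over the prime field GF(P); share i is
the point (i, f(i)). Any m points fix the polynomial uniquely (Lagrange
interpolation at x=0 gives S back); m-1 points leave every value of S
equally likely, so no m-1 custodians together learn anything. This is
the mathematics behind key-escrow and key-recovery schemes that split a
key among independent third parties. Needs Python 3.8+ for pow(x, -1, P).
"""
import secrets

P = (1 << 127) - 1          # a Mersenne prime; secrets must be < P (up to 126 bits)


def split_secret(secret: int, m: int, n: int):
    """Return n shares (x, y) such that any m of them reconstruct secret."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]

    def f(x):                       # Horner evaluation of the polynomial mod P
        y = 0
        for c in reversed(coeffs):
            y = (y * x + c) % P
        return y

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over GF(P). The caller must supply at
    least m distinct shares; with fewer, the result is a uniformly random
    wrong value and the scheme itself cannot tell (no built-in integrity)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x coordinates")
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for k, (xk, _) in enumerate(shares):
            if k != j:
                num = num * (-xk) % P
                den = den * (xj - xk) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def demo():
    """Constructed 124-bit key split 3-of-5; returns recovery results."""
    key = 0x0123456789ABCDEF0123456789ABCDE        # constructed sample key
    shares = split_secret(key, m=3, n=5)
    return {
        "secret": key,
        "recovered_from_3": recover_secret([shares[0], shares[2], shares[4]]),
        "recovered_from_other_3": recover_secret(shares[1:4]),
        "recovered_from_2": recover_secret(shares[:2]),   # wrong, and silently so
    }
```

Two practical caveats the code makes visible: the field must be larger than the secret (use a bigger prime, e.g. 2^521 - 1, for a 256-bit AES key), and a share set below the threshold reconstructs garbage without any error, so real deployments wrap each share with an integrity check and record the threshold alongside the shares.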
Confidentiality Integrity Proof of origin Non-repudiation Protect data at rest Protect data in transit
Key Clustering – when different encryption keys generate the same ciphertext from the same plaintext message.
Work Factor – the time and effort required to break a protective measure.
Kerckhoffs's Principle – everything about the system except the key may be public and it must still be secure.
Synchronous and self-synchronous Random Number Generators (RNGs).
Vigenère Cipher – uses key words and numerous rows (traditionally 26), each one of which is offset by one.
Understand the public key infrastructure (PKI). In a PKI, certificate authorities (CAs) generate digital certificates containing the public keys of system users. Users then distribute these certificates to the people with whom they want to communicate. Certificate recipients verify a certificate using the CA's public key. X.509 standard = PKI certificate format: serial number, owner (subject), issuer name. Provides integrity (hash code and message digest), access control, confidentiality (by encryption), authentication (digital certificates) and non-repudiation (digital signatures). The issuer signs a certificate. If you only want to check that a mail is not altered: use a digital signature! It proves that the signature was provided by the intended signer. Trust anchor = a public key that has been verified and is trusted.
S/MIME – confidentiality (encryption), integrity and non-repudiation through signed message digests, using X.509 PKI (PKCS).
PEM – Privacy Enhanced Mail; encryption (originally DES), X.509 PKI and RSA.
Message Security Protocol – military, X.400. Sign, encrypt, hash.
Pretty Good Privacy – uses IDEA and RSA instead.
Digital certificates contain specific identifying information and their construction is governed by an international standard (X.509), which covers the creation and validation of digital certificates. Who signs a digital certificate: someone vouching for the person, not the person.
CRLs – Certificate Revocation Lists are maintained by the various certificate authorities and contain the serial numbers of certificates that have been issued by a CA and have been revoked, along with the date and time the revocation went into effect.
ATTACK HASHES BY BRUTE FORCE and dictionary (cryptanalysis). Basic technique – brute force will win with no constraints. Hash algorithms (message digests) take input of any length and generate a fixed-length output. Requirements for a HASH:
Sensitivity labels on objects consist of a single classification and a compartment set. "Dominate" in access control means access to a higher or equal access class. Security perimeter = the line between the TCB and the outside. Validating the TCB = formal verification for system integrity.
Digital rights management (DRM) uses encryption to enforce copyright restrictions on digital media.
The Digital Millennium Copyright Act (DMCA) serves to bring US copyright law into compliance with the terms of two World Intellectual Property Organization (WIPO) treaties. Its first major provision is the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder.
SKIP – a key distribution (key management) protocol for IP. RC4 – a stream cipher. RC5 and RC6 – block ciphers. FIPS 140 – security requirements for cryptographic modules, hardware and software.
Applets – code objects sent from a server to a client to perform some action. Applets are self-contained miniature programs that execute on the client independently of the server that sent them, so the client is running code it did not write.
Java applets – short Java programs transmitted over the Internet to perform operations on the remote (client) system, confined by the Java sandbox.
ActiveX – controls are Microsoft's answer to Sun's Java applets. They operate in a similar fashion but are implemented using a variety of languages (C, C++, Java). Two key distinctions between Java applets and ActiveX controls: first, ActiveX controls use proprietary Microsoft technology and therefore execute only on systems running Microsoft browsers; second, ActiveX controls are not subject to the sandbox restrictions placed on Java applets. They have full access to the Windows operating environment and can perform a number of privileged actions, limited only by code signing and the user's trust decision. Both are obsolete: modern browsers no longer run Java applets, and ActiveX was only ever supported by Internet Explorer.
HINT: All People Seem To Need Data Processing (Application, Presentation, Session, Transport, Network, Data Link, Physical). Data is encapsulated as it passes down the layers: each layer prepends its own header to the unit it receives from the layer above. Security services noted per layer: C = confidentiality, AU = authentication, I = integrity, NR = non-repudiation.

Application – layer 7 – C, AU, I, NR. Protocols: FTP, SNMP, TELNET, TFTP, SMTP, HTTP, NNTP, CDP, GOPHER, SMB, NDS, AFP, SAP, NCP, SET, LDAP. Technology: gateways. PDU: user data.
S-HTTP, Secure HTTP – encrypts individual HTTP documents. Superseded by SSL/TLS.
SSL, Secure Sockets Layer – encryption technology to provide secure transactions such as the exchange of credit card numbers. Two layers: the SSL record protocol and the handshake protocol. Like SSH it uses symmetric encryption for the private connection and asymmetric (public key) cryptography for peer authentication. All SSL versions are now deprecated; TLS is the successor.
SET, Secure Electronic Transaction – authentication for credit card transactions; also uses a message authentication code for integrity checking. Superseded by SSL/TLS.
Telnet – terminal emulation; enables a user to access resources on another machine. Port 23. Everything, including the password, is sent in cleartext.
FTP, File Transfer Protocol – file transfers; cannot execute remote files as programs. Authenticates with username and password, both sent in cleartext. Ports 20 (data) and 21 (control).
TFTP, Trivial File Transfer Protocol – stripped down; can only send and receive files, cannot browse directories. No authentication, therefore insecure. UDP port 69.
SMTP, Simple Mail Transfer Protocol – email queuing and relay. Port 25.
SNMP, Simple Network Management Protocol – collection of network information by polling devices from a management station; devices also send unsolicited alerts called traps. The managed data is organised in Management Information Bases (MIBs). Ports 161 (agent) and 162 (traps). Versions 1 and 2c authenticate with community strings sent in cleartext; SNMPv3 adds authentication and encryption.

Presentation – layer 6 – C, AU; encryption. Translations such as EBCDIC/ASCII, compression/decompression and encryption/decryption. Uses a common format to represent data; standards such as JPEG, TIFF, MIDI, HTML. Technology: gateway. PDU: messages.

Session – layer 5 – no security services. Inter-host communication: a logical persistent connection between peer hosts, a conversation; simplex, half duplex or full duplex. Protocols such as NFS, SQL, RADIUS and RPC.
Protocols: PAP, PPTP, RPC. Technology: gateway.
PAP – Password Authentication Protocol (sends the password in cleartext).
PPTP – Point-to-Point Tunneling Protocol.
RPC – Remote Procedure Call protocol.
NFS, Network File System – protocol that supports file sharing between two different file systems.
NetBIOS – session-layer API and name service used by Windows file and printer sharing (SMB).
SSL/TLS – usually placed between the session and presentation layers: it runs above TCP and below the application protocol it protects.
Transport – layer 4 – C, AU, I. End-to-end data transfer services and reliability. Technology: gateways. Segmentation, sequencing and error checking happen at this layer. PDU: segments (TCP) or datagrams (UDP).
TCP three-way handshake – SYN, SYN/ACK, ACK.
Protocols: TCP, UDP, SSL, SSH-2, SPX, NetBIOS, ATP.
SSH-2, Secure Shell – authentication, compression, confidentiality and integrity. Authenticates hosts and users with public keys (RSA, ECDSA, Ed25519; certificates optional) and negotiates a symmetric cipher for the session (triple DES was common early on; AES or ChaCha20 today).
TCP, Transmission Control Protocol – reliable; sequences segments and works with acknowledgements. Provides a manageable data flow to avoid congestion, overloading and data loss (like having a telephone conversation with someone). Connection oriented.
UDP, User Datagram Protocol – unreliable, scaled-down version of TCP: no error correction, no sequencing, less overhead (like sending a letter to someone). Connectionless.

Network – layer 3 – C, AU, I. Path selection and logical/network addressing. Technology: virtual circuits (ATM), routers. PDU: packets.
Addressing – IP uses the destination IP address to forward packets through networks until delivered.
Fragmentation – IP subdivides a packet if its size is greater than the maximum allowed (MTU) on a local network.
Message routing, error detection and control of node data are managed here.
Protocols: IP, IPsec, ICMP, BGP, OSPF, RIP, BOOTP, DHCP, ZIP, DDP, X.25, NAT and IGMP.
OSPF, Open Shortest Path First – link-state routing protocol that selects the shortest path.
SKIP, Simple Key Management for Internet Protocols – key management for encrypted IP traffic that derives per-packet keys from long-term keys, so no session state has to be kept: a host that crashes recovers without renegotiation and keys change on a packet-by-packet basis.
ARP, Address Resolution Protocol – matches an IP address to a hardware (MAC) address. ARP broadcasts a request and the node owning that IP replies with its hardware address. Replies are cached in a dynamic table for a limited time, so a request is only sent when no cached entry exists. ARP has no authentication, which is what makes ARP spoofing possible.
ICMP, Internet Control Message Protocol – sends messages between network nodes about the health of the network.
ICMP also informs about rerouting (redirects) in case of errors. The ping utility uses ICMP echo request and reply to check basic connectivity between machines.
IPX, AppleTalk and NetBEUI are non-IP protocols.
IP, Internet Protocol – every host has an IP address; each packet carries the IP addresses of sender and recipient, and routing is based on these addresses. The datagram service is considered unreliable: there is no guarantee that a packet is delivered, that it is delivered only once, or that packets arrive in the sequence they were sent. IPv4 addresses are 32 bits long, IPv6 addresses 128 bits.
DHCP, Dynamic Host Configuration Protocol – automatic assignment of IP addresses and network parameters.
BOOTP, Bootstrap Protocol – when a diskless workstation comes online it broadcasts a BOOTP request containing its MAC address to obtain an IP address and the name of the file from which it should boot. Replaced by DHCP.
Data Link – layer 2 – C. Deals with addressing physical hardware. PDU: frames. Translates packets into bits and formats them into frames with destination and source addresses in the header. Error detection via checksums (CRC).
LLC, Logical Link Control sublayer – flow control and error notification.
MAC, Media Access Control sublayer – physical addressing; concerns frames, logical topologies and MAC addresses.
Protocols: L2F, PPTP, L2TP, PPP, SLIP, ARP, RARP, SLARP, IARP, SNAP, BAP, CHAP, LCP, LZS, MLP, Frame Relay, Annex A, Annex D, HDLC, BPDU, LAPD, ISL, MAC, Ethernet, Token Ring, FDDI.
RARP, Reverse Address Resolution Protocol – when the hardware address is known but the IP address has to be found (e.g. a diskless machine).
Devices: switches, bridges; hardware addressing.

Physical – layer 1 – C. Physical signalling: converts bits into voltages or light impulses. Electrical specifications, hardware and software drivers are at this level; it sends and receives bits. Repeaters, hubs, cables, USB, DSL, ISDN, ATM. Physical topologies: bus, mesh, star, tree, ring.
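The encapsulation described in the OSI section above, as an added Python example (illustration code, not from the study guide): a frame is built top-down with each layer prepending its header (layer 7 data, TCP segment, IPv4 packet, Ethernet frame), then parsed bottom-up, checking what each header claims before trusting the next one. The MAC and IP addresses, ports and payload are constructed for the example.

```python
"""Encapsulation and decapsulation through OSI layers 2-4 (added illustration)."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_BITS = {0x02: "SYN", 0x10: "ACK", 0x01: "FIN", 0x04: "RST", 0x08: "PSH", 0x20: "URG"}

def ipv4_checksum(header):
    """RFC 1071 one's-complement sum of 16-bit words. Returns 0 when the header
    already carries a correct checksum, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def _ip(text):
    return bytes(int(octet) for octet in text.split("."))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Top-down: payload -> TCP header (L4) -> IPv4 header (L3) -> Ethernet header (L2)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_length = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000, 64,
                     PROTO_TCP, 0, _ip(src_ip), _ip(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Bottom-up: strip one header per layer; raise ValueError on malformed input."""
    layers = {}
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["data_link"] = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return layers
    packet = frame[14:]
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_length, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    if total_length > len(packet):
        raise ValueError("truncated IPv4 packet")
    layers["network"] = {"src": ".".join(map(str, packet[12:16])),
                         "dst": ".".join(map(str, packet[16:20])),
                         "ttl": packet[8], "proto": proto}
    if proto != PROTO_TCP:
        return layers
    segment = packet[ihl:total_length]
    sport, dport, seq, ack, offset_byte, flags = struct.unpack("!HHIIBB", segment[:14])
    data_offset = (offset_byte >> 4) * 4
    layers["transport"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                           "flags": [name for bit, name in TCP_FLAG_BITS.items() if flags & bit]}
    layers["data"] = segment[data_offset:]  # what the application layer sees
    return layers
```

Parsing a SYN from 10.0.0.5:40000 to 10.0.0.9:443 yields the layer-2 addresses, the layer-3 addresses and TTL, and the layer-4 ports and flag list; flipping one byte of the IP header makes the parser reject the packet at layer 3, before it ever looks at the TCP header.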
TCP/IP model – developed for the US Department of Defense (DARPA) in the 1970s; it underlies the construction of the Internet. HINT: AHIN (Application, Host-to-Host, Internet, Network access).
Application – layer 4 (OSI application, presentation and session): applications and processes that use the network.
Host-to-Host – layer 3 (OSI transport): end-to-end data delivery. Protocols: TCP and UDP.
Internet – layer 2 (OSI network): defines the IP datagram and handles routing of data across networks. Protocols: IP, ARP, RARP, ICMP.
Network access – layer 1 (OSI data link and physical): routines for accessing physical networks and the electrical connection.
LPD, Line Printer Daemon – printing and spooling. X Window System – graphical user interface. Both are application-layer services.
Dedicated security mode: every user has a clearance for, formal access approval for, and a need to know for all information processed on the system; the system handles a single classification level.
Firewall – a method of guarding a private network by analysing the data leaving and entering it. Firewalls can also provide network address translation (NAT), so the IP addresses of computers inside the firewall stay hidden from view.
Packet-filtering firewalls, also called static packet filters (SPF) (layer 3/4) – use rules based on a packet's source and destination address, protocol, port or other header fields to determine whether or not to allow it into the network. They keep no memory of earlier packets.
Stateful packet-filtering firewalls (layer 3/4, with connection tracking) – keep a state table of the conversations they have seen and judge each packet in the context of its connection, so an inbound packet is only allowed if it belongs to a session an inside host initiated.
Application proxy firewalls (layer 7; they inspect layers 3 to 7) – look at content and can involve authentication and encryption; more flexible and secure but also far slower.
Circuit-level proxy (layer 5) – looks at the packet header only, not the content; protects a wider range of protocols and services than an application-level proxy, but without as detailed a level of control. Once the circuit is allowed, all information is tunnelled between the parties.
Although firewalls are difficult to configure correctly, they are a critical component of network security.
IEEE 802.15 is the standard for Bluetooth. IEEE 802.3 defines Ethernet, 802.11 wireless LAN, 802.16 WiMAX and 802.20 Mobile Broadband Wireless Access (LTE itself is a 3GPP standard, not an IEEE one).

Amendment  Speed      Frequency     Range  Modulation   Compatible with
802.11     2 Mbps     2.4 GHz       -      FHSS/DSSS    -
802.11a    54 Mbps    5 GHz         150    OFDM         a
802.11b    11 Mbps    2.4 GHz       300    DSSS         b/g/n
802.11g    54 Mbps    2.4 GHz       300    OFDM         b/g/n
802.11n    200+ Mbps  2.4 or 5 GHz  300    OFDM (MIMO)  a/b/g
802.11ac   1 Gbps     5 GHz         300    OFDM (MIMO)  a/b/g

(Range values are as given on the page; the unit is not stated there.)
802.11i – the security amendment to 802.11, implemented as WPA2 using AES-CCMP. WPA, the interim standard that preceded it, uses TKIP with RC4. WEP (RC4 with a broken key schedule) must never be used.
TELNET – remote terminal access, cleartext; Secure Telnet (Telnet over TLS) exists but is rarely used.
REMOTE PROCEDURE CALL – Secure RPC adds authentication to RPC calls.
SSH, Secure Shell – the encrypted replacement for Telnet (not a layer on top of it) for remote server administration via the command line; port 22.
Broadband technologies – ISDN, cable modems, DSL and T1/T3 lines that can carry multiple simultaneous signals (channels) on one medium; contrast with baseband, which carries a single signal. They are not broadcast technologies.
Broadcast domain – set of systems that can receive a broadcast from each other.
CHAP – Challenge-Handshake Authentication Protocol, used by PPP servers to authenticate remote clients. The password is never sent: the client returns an MD5 hash of the identifier, the shared secret and a random challenge chosen by the server, and the server re-authenticates periodically during the connection with fresh challenges, which prevents replay attacks. CHAP does not encrypt the session.
CIR – Committed Information Rate, the minimum bandwidth guaranteed by the service provider to the customer.
Collision domain – set of systems that would cause a collision if they transmitted at the same time; the more systems in the domain, the more collisions and the more congestion.
Data streams – the name of the data unit at the application, presentation and session layers.
EAP, Extensible Authentication Protocol – an authentication framework rather than a single method; it lets new authentication technologies (certificates, smart cards, one-time passwords) work with existing wireless or point-to-point connection technologies. Originally designed for PPP.
FCoE – Fibre Channel over Ethernet; allows existing high-speed Ethernet networks to carry storage traffic.
FDDI – Fiber Distributed Data Interface; token-passing network that uses a pair of rings with traffic flowing in opposite directions.
FTP – File Transfer Protocol.
Gateway – translates between protocols.
ICMP – Internet Control Message Protocol; carries error messages for non-transient error conditions and provides a way to probe the network in order to determine its general characteristics (ping, traceroute).
iSCSI – Internet Small Computer System Interface; converged protocol that carries SCSI block-storage commands over ordinary IP networks, location independent and cheaper than Fibre Channel.
Standard for linking data storage sites.
ISDN – PRI (Primary Rate Interface) bandwidth of 1.544 Mbps (23 B channels plus 1 D channel), faster than BRI's 144 Kbps (2 B plus 1 D).
MAC – Media Access Control address, the hardware address of a network interface; the first three bytes (OUI) identify the manufacturer.
Multilayer protocols – allow encryption at various layers and support a range of protocols at higher levels. Drawbacks: they can conceal covert channels, filters can be bypassed, and logical boundaries can sometimes be bypassed.
MPLS – Multiprotocol Label Switching; high-performance wide-area networking that forwards on short path labels instead of network addresses: the route to the final destination is computed once and labelled, and subsequent packets follow the label.
PAP – Password Authentication Protocol; sends the password unencrypted.
PEAP – Protected EAP; encapsulates EAP in a TLS tunnel, providing encryption and server authentication for EAP methods that lack them. It does not itself implement CCMP; that is the 802.11i data encryption negotiated after authentication.
Port-based authentication – 802.1X; can be used with EAP.
PPP – Point-to-Point Protocol, the most common encapsulation for dial-up connections; replaced SLIP.
Proxy – form of gateway that provides clients with filtering, caching or other services and hides their information from remote systems.
PVCs – Permanent Virtual Circuits, pre-provisioned logical circuits (as in Frame Relay), as opposed to switched virtual circuits set up on demand.
RST flag – used to reset or abort a TCP session; communication resumes only by starting a new connection with a new three-way handshake.
Converged network – carries multiple types of traffic such as voice, video and data.
SDN – Software-Defined Networking; the network is defined and configured as code or software, so it can be changed quickly based on organisational requirements.
Hypervisor-based network – may be software defined, but it could also use traditional network devices running as virtual machines.
SSID broadcast – often disabled on "secure" networks; this is obscurity only, since the SSID still appears in probe and association frames.
Site survey – identifies areas where the wireless network is accessible, including outside the intended coverage area.
SONET – protocol for sending multiple optical streams over fibre.
Subnet – logical division of a network.
Supernet – made up of two or more networks aggregated under one shorter prefix.
UDP – User Datagram Protocol; lightweight service for connectionless data transfer without error detection and correction.
WAF – Web Application Firewall.
Wired extension mode – uses a wireless access point to link wireless clients to a wired network.
AMP – Asymmetric multiprocessing; used in dedicated applications such as embedded systems, where individual processors are assigned specific tasks at design time.
SMP – Symmetric Multiprocessing; hardware and software architecture in which two or more identical processors share a single main memory, have full access to all I/O devices, and are controlled by a single operating system instance that treats all processors equally, reserving none for special purposes.
ARP spoofing – an attacker sends forged ARP replies so that other hosts' ARP caches map a victim's IP address (often the default gateway) to the attacker's MAC address; traffic is then relayed through the attacker (man in the middle).
Bluejacking – attackers send unsolicited messages via Bluetooth.
Bluesnarfing – targets the data or information on Bluetooth-enabled devices.
Cain (Cain & Abel) – Windows tool that performs ARP poisoning, sniffing and password cracking.
DNS spoofing – an attacker sends false replies to a requesting system, beating the valid replies from the real DNS server.
DNS poisoning – an attacker changes the domain name to IP address mappings held by a system (hosts file or resolver cache) to redirect traffic to alternative systems.
RDP – provides terminal sessions without
Screen scraper – copies the actual screen; a subset of remote control.
SPIT attacks – Spam over Internet Telephony; targets VoIP systems.
Things to know: Nikto, Burp Suite, Wapiti – web application vulnerability scanners.
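Detection logic for the ARP spoofing and DNS spoofing entries above, as an added Python example (illustration code, not from the study guide). It runs over constructed records rather than a real capture: the ARP replies and DNS answers below, with the gateway, victim and attacker addresses, are made up for the example.

```python
"""Detecting ARP spoofing and DNS spoofing from observed traffic (added illustration)."""
from collections import defaultdict

def detect_arp_spoofing(replies, trusted=None):
    """replies: iterable of (seq, sender_ip, sender_mac) from ARP replies seen on
    the segment. trusted: optional {ip: mac} from DHCP leases or an inventory.
    Two signs of poisoning: an IP whose MAC changes, and one MAC claiming several
    IPs (the attacker impersonating both the gateway and the victim)."""
    learned = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_by_mac = defaultdict(set)
    alerts = []
    for seq, ip, mac in replies:
        mac = mac.lower()
        if ip not in learned:
            learned[ip] = mac
        elif learned[ip] != mac:
            alerts.append(f"#{seq}: {ip} moved from {learned[ip]} to {mac}")
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append(f"#{seq}: {mac} claims {sorted(ips_by_mac[mac])} (possible MITM)")
    return alerts

def detect_dns_spoofing(answers):
    """answers: iterable of (seq, txid, qname, rdata) for DNS responses seen by a
    resolver. A spoofer races the real server, so the tell-tale is a second,
    different answer for the same transaction."""
    first = {}
    alerts = []
    for seq, txid, qname, rdata in answers:
        key = (txid, qname)
        if key in first and first[key] != rdata:
            alerts.append(f"#{seq}: conflicting answers for {qname} (txid {txid:#x}): "
                          f"{first[key]} then {rdata}")
        first.setdefault(key, rdata)
    return alerts

# Constructed sample traffic: 10.0.0.1 is the gateway, 10.0.0.7 a client,
# de:ad:be:ef:00:99 the attacker's interface.
ARP_REPLIES = [
    (1, "10.0.0.7", "00:11:22:33:44:07"),
    (2, "10.0.0.1", "00:11:22:33:44:01"),
    (3, "10.0.0.1", "de:ad:be:ef:00:99"),
    (4, "10.0.0.7", "de:ad:be:ef:00:99"),
]
DNS_ANSWERS = [
    (1, 0x1A2B, "bank.example", "203.0.113.5"),    # forged reply arrives first
    (2, 0x1A2B, "bank.example", "198.51.100.20"),  # the real resolver's answer
    (3, 0x7C01, "mail.example", "198.51.100.25"),
]
```

Seeding the table from a trusted inventory matters: without it the first reply wins, so an attacker who poisons the cache before the monitor learns the real mapping goes unnoticed until the legitimate host answers again. Dynamic ARP inspection on switches applies the same idea against the DHCP snooping table.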
Denial of service (DoS/DDoS) – used to overwhelm a target's resources (bandwidth, connection tables, CPU) so that legitimate users are denied service.
X.25 – defines point-to-point communication between Data Terminal Equipment (DTE) and Data Circuit-terminating Equipment (DCE).
LAPB, Link Access Procedure-Balanced – created for use with X.25; defines frame types and is capable of retransmitting, exchanging and acknowledging frames as well as detecting out-of-sequence or missing frames.
Frame Relay – high-performance WAN protocol designed for use across ISDN interfaces. Fast but has no error correction; supports multiple PVCs, unlike X.25; packet-switched technology that provides a CIR; requires DTE/DCE at each connection point.
SMDS, Switched Multimegabit Data Service – high-speed communication over public switched networks for exchanging bursts of data between enterprises.
ATM, Asynchronous Transfer Mode – very high bandwidth. Uses 53-byte fixed-size cells instead of variable-length frames like Ethernet. Can allocate bandwidth on demand, making it a solution for bursty applications. Typically carried over fibre optics.
VoIP, Voice over IP – carries voice (and with it many types of data) in IP packets; major benefits in cost, interoperability and performance. It inherits the vulnerabilities of the IP network it runs on.
SDLC, Synchronous Data Link Control – created by IBM for mainframes to connect to their remote offices. Uses a polling media access method. Works over dedicated, permanently up leased lines. Data link layer of the OSI model.
HDLC, High-level Data Link Control – extension of SDLC, also for mainframes. Uses data encapsulation on synchronous serial links with frame characters and checksums. Also data link layer.
HSSI, High Speed Serial Interface – defines the electrical and physical interfaces used for DTE/DCE communication. Physical layer of OSI.
Twisted pair – shielded (STP) or unshielded (UTP). Cat 3 = 10BaseT, Cat 5 = 100BaseT.
Coaxial – more resistant to EMI than twisted pair. Baseband: one single channel; broadband: multiple signal types such as data, video and audio.
Fibre optic – most expensive, but hard to tap and immune to EMI.
First generation – (static) packet-filtering firewall, AKA screening router. Examines source/destination address, protocol and ports of each incoming packet; access is denied or accepted based on ACLs. Operates at the network or transport layer of OSI.
Second generation – application-level firewall, AKA proxy server. Terminates the client's connection and opens its own to the destination, so it masks the origin of the data while transferring the stream to the other network. Operates at the application layer of OSI.
Third generation – stateful inspection firewall (also known as dynamic). Packets are inspected at the network layer, so it is faster than a proxy. By examining the state and context of packets it can also track connectionless protocols such as UDP and RPC. Information from all OSI layers can be used when building the state table.
Fourth generation – dynamic packet-filtering firewall. Enables modification of the firewall rules on the fly; provides limited support for UDP by remembering UDP packets that crossed the firewall so that their replies can be admitted.
Fifth generation – kernel proxy firewall (also called application-level firewall). Modular, kernel based, multilayer session evaluation. Uses dynamic TCP/IP stacks to inspect network packets and enforce security policies; an early implementation ran on Windows NT.
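The first- and third-generation behaviour described here, and in the firewall type list earlier on the page, as an added Python example (illustration code, not from the study guide). A static packet filter with no memory is compared with a stateful filter that keeps a connection table; the policy, addresses and ports are constructed for the example.

```python
"""Stateless (first-generation) versus stateful (third-generation) packet filtering."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str        # "tcp" or "udp"
    flags: frozenset  # TCP flag names; empty for UDP
    direction: str    # "out" = inside -> Internet, "in" = Internet -> inside

# Policy: inside hosts may open HTTPS (TCP/443) and DNS (UDP/53) to the outside.
ALLOWED_OUTBOUND = {("tcp", 443), ("udp", 53)}

def stateless_filter(pkt):
    """Static packet filter: no memory of earlier packets. To let replies back in it
    must admit any inbound TCP with ACK set (and any UDP from port 53) to ephemeral
    ports, which also admits forged ACK scans and spoofed DNS replies."""
    if pkt.direction == "out" and (pkt.proto, pkt.dport) in ALLOWED_OUTBOUND:
        return "permit"
    if pkt.direction == "in" and pkt.dport >= 1024:
        if pkt.proto == "tcp" and "ACK" in pkt.flags:
            return "permit"
        if pkt.proto == "udp" and pkt.sport == 53:
            return "permit"
    return "deny"

class StatefulFilter:
    """Stateful inspection: the connection table records sessions an inside host
    initiated; inbound packets are permitted only if they match an entry."""

    def __init__(self):
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port, proto)

    def check(self, pkt):
        if pkt.direction == "out":
            if (pkt.proto, pkt.dport) not in ALLOWED_OUTBOUND:
                return "deny"
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            # A TCP session starts with a bare SYN; UDP has no handshake, so the
            # first outbound datagram creates a pseudo-session (aged out in practice).
            if pkt.proto == "udp" or pkt.flags == frozenset({"SYN"}):
                self.table.add(key)
            return "permit" if key in self.table else "deny"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.table:
            if "RST" in pkt.flags:
                self.table.discard(key)  # reset closes the hole immediately
            return "permit"
        return "deny"
```

Both filters permit the outbound SYN and the SYN/ACK reply, but only the stateless one lets an unsolicited ACK probe to port 5000 through, and only the stateless one accepts a "DNS reply" from a server the inside host never queried. Real stateful firewalls also age entries, track FIN in both directions and verify sequence numbers; the table here is the minimum that shows the difference.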
Packet-filtering router – sits between the trusted and untrusted network, sometimes used as a boundary router. Uses ACLs. Protects against standard generic external attacks. No user authentication, minimal auditing.
Screened-host firewall system – has both a packet-filtering router and a bastion host. Provides both network-layer (packet filtering) and application-layer (proxy) services.
Dual-homed host firewall – a host with two NICs, one connected to the trusted and one to the untrusted network. Can also be used as a translator between two network types such as Ethernet and Token Ring. Internal routing (IP forwarding) must be disabled so that traffic cannot circumvent inspection.
Screened-subnet firewall – also defines a demilitarised zone (DMZ): a small network between the trusted and untrusted networks where public-facing servers are placed.
SOCKS firewall – every workstation gets SOCKS client software, which reduces overhead on the proxy.
Tiers – a design that separates distinct protected zones; they can be protected by a single firewall that has multiple interfaces.
Centralized access control
CALLBACK – the system calls the user back at a pre-registered location, a "somewhere you are" factor. Danger: the user forwarding the number to another phone.
CHAP (part of PPP) – challenge/response authentication; the password is never transmitted (it does not encrypt the session).
TACACS, Terminal Access Controller Access-Control System – user passwords are administered in a central database instead of on individual routers. A network device prompts the user for a username and static password, then queries the TACACS server to verify them. TACACS does not support prompting for a password change or the use of dynamic password tokens. Port 49.
XTACACS – extended TACACS; separates the authentication, authorization and accounting processes.
TACACS+ – enhanced version: two-factor authentication, ability to change the user password, ability to resynchronise security tokens, better audit trails and session accounting; stronger through the use of tokens. Separates AAA, uses TCP port 49 and encrypts the entire packet body (only the header is in the clear). Not backward compatible with TACACS or XTACACS.
RADIUS, Remote Authentication Dial-In User Service – client/server protocol. The network access server (dial-in server, VPN concentrator, wireless controller, 802.1X switch) is the RADIUS client: it prompts the user for credentials and forwards them to the central RADIUS server, which holds the user authentication data and network ACLs, accepts or rejects the request, and tracks accounting. Incorporates an authentication server and supports both dynamic and static passwords; a user can connect through any network access server that is a client of the RADIUS server. RADIUS does not provide mutual (two-way) authentication, so it is not used for router-to-router authentication. Default transport is UDP, ports 1812 (authentication) and 1813 (accounting); legacy 1645/1646. Only the User-Password attribute is obfuscated (MD5 of the shared secret and the request authenticator, XORed with the password); the user name and all other attributes travel in the clear unless RADIUS over TLS (RadSec, TCP port 2083) is used. NOT an SSO solution.
The RADIUS server also provides AAA services for multiple remote access servers. Since the shared secret is the only thing protecting the exchange, it should be long and unique per client.
DIAMETER – the successor to RADIUS for remote connectivity over phone, wireless, etc.; more secure than RADIUS (reliable TCP or SCTP transport protected by TLS or IPsec, mutual authentication, larger attribute space). Aside: a cordless phone signal is rarely encrypted and is easily monitored.
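The two MD5-based mechanisms mentioned above, the PPP CHAP challenge/response (RFC 1994) and the RADIUS User-Password hiding (RFC 2865 section 5.2), as an added Python example (illustration code, not from the study guide). It shows why "PW encrypted" overstates RADIUS: the hiding is keyed obfuscation of one attribute that anyone holding the shared secret and a packet capture reverses. Secrets, challenge and Request Authenticator values are constructed for the example.

```python
"""CHAP challenge/response and RADIUS User-Password hiding (added illustration)."""
import hashlib
import hmac

def chap_response(identifier, secret, challenge):
    """Client side (RFC 1994): the password never crosses the wire, only
    MD5(identifier || secret || challenge). Periodic re-authentication uses a
    fresh challenge, so a captured response cannot be replayed."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier, secret, challenge, response):
    """Server side: recompute from the stored secret and compare in constant time.
    The server must hold the cleartext secret, CHAP's main storage drawback."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def radius_hide_password(password, shared_secret, request_authenticator):
    """Access-Request User-Password (RFC 2865 5.2): pad to a multiple of 16 bytes,
    then XOR each block with MD5(secret || previous ciphertext block), the first
    block using the 16-byte Request Authenticator sent in the clear."""
    length = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(length, b"\x00")
    hidden, previous = b"", request_authenticator
    for i in range(0, length, 16):
        keystream = hashlib.md5(shared_secret + previous).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        previous = block
    return hidden

def radius_reveal_password(hidden, shared_secret, request_authenticator):
    """What the RADIUS server does, and what anyone with the shared secret and a
    capture of the Access-Request can do just as well."""
    revealed, previous = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + previous).digest()
        revealed += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        previous = hidden[i:i + 16]
    return revealed.rstrip(b"\x00")
```

Everything else in the Access-Request (User-Name, NAS-IP-Address, Calling-Station-Id) is unprotected, and the Response Authenticator lets an eavesdropper test guesses for a weak shared secret offline. That is the reason to carry RADIUS inside TLS (RadSec) or to use EAP methods that tunnel the credential in TLS, so the RADIUS layer never sees a cleartext password.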
Asynchronous dial-up access – the traditional way of connecting to the Internet: a modem over the public switched telephone network to an ISP.
ISDN, Integrated Services Digital Network – communication protocol that permits a telephone line to carry data, voice and other traffic. Two types: Basic Rate Interface (BRI) and Primary Rate Interface (PRI).
xDSL – uses regular telephone lines for high-speed digital access.
Cable modems – a single coaxial cable shared by many subscribers; insecure unless traffic is filtered or firewalled, because other subscribers share the same segment.