Cissp security guide, Study Guides, Projects, Research of Computer Security

Security admin guide to learn cissp cism ceh cisa crisc

Typology: Study Guides, Projects, Research

2018/2019

Uploaded on 10/15/2019

kazihusain2003

Concepts (10)

CIA

DAD – the NEGATIVE of CIA: disclosure, alteration and destruction.
  • Confidentiality – prevent unauthorized disclosure; need to know and least privilege. Assurance that information is not disclosed to unauthorized programs, users or processes. Mechanisms: encryption, logical and physical access control.
  • Integrity – no unauthorized modifications; consistent data; protecting data or a resource from being altered in an unauthorized fashion.
  • Availability – reliable, timely and accessible WHEN NEEDED; fault tolerance and recovery procedures.
IAAA – requirements for accountability
  • Identification – user claims an identity; used for user access control
  • Authentication – testing the evidence of the user's identity
  • Authorization – rights and permissions granted
  • Accountability – tracing actions back to an individual person
  • Privacy – level of confidentiality and privacy protections

Risk (12)

Not possible to get rid of all risk; get risk to an acceptable/tolerable level.
  • Baselines – minimum standards
  • ISO 27005 – risk management framework
  • Budget – if not constrained, go for the $$$

Responsibilities of the ISO (15)

  • Written products – ensure they are done
  • CIRT – implement and operate
  • Security awareness – provide leadership
  • Communicate – risk to higher management
  • Report to as high a level as possible
  • Security is everyone's responsibility

Control Frameworks (17)

  • Consistent – approach and application
  • Measurable – a way to determine progress
  • Standardized – all the same
  • Comprehensive – examine everything
  • Modular – to help in review and adaptation; layered, abstraction
Due Care – the company did all that it could reasonably have done to try to prevent a security breach, compromise or disaster, and took the necessary steps required as countermeasures/controls (safeguards). The benefit of due care can be seen as the difference between the damage with and without due-care safeguards in place. AKA doing something about the threats. Failing to perform periodic security audits can result in the perception that due care is not being maintained.
Due Diligence – the company properly investigated all of its possible weaknesses and vulnerabilities. AKA understanding the threats.

Intellectual property laws (24)

  • Patent – grants ownership of an invention and gives the owner the right to exclude others from practicing it. After 20 years the invention passes into the public domain.
  • Copyright – protects the expression of ideas but not necessarily the idea itself, e.g. a poem or song. Lasts 70 years after the author dies.
  • Trade Secret – something proprietary to a company and important for its survival and profitability (like the formula for Coke or Pepsi). DON'T REGISTER – no application.
  • Trademark – words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitors' products (McDonald's M). 10-year term, renewable.
Wassenaar Arrangement (WA) – dual-use goods and trade; international agreement covering cryptographic export controls, meant to prevent destabilizing accumulations.
Computer crimes – loss, image, penalties.

Regulations

SOX, Sarbanes-Oxley, 2002, after the Enron and WorldCom debacles. Independent review by external accountants.
  • Section 302: CEOs and CFOs must personally certify financial reports and can be sent to jail when information they sign is incorrect. CEO SIGNS.
  • Section 404: internal controls assessment; describes logical controls over accounting files; good auditing and information security.

Corporate Officer Liability (SOX)

  • Executives are now held liable if the organization they represent is not compliant with the law. Negligence occurs if there is a failure to implement recommended precautions, no contingency/disaster recovery plan, failure to conduct appropriate background checks, failure to institute appropriate information security measures, or failure to follow policy or local laws and regulations.
  • COSO – Committee of Sponsoring Organizations of the Treadway Commission; framework used for Sarbanes-Oxley 404 compliance.

European laws – need for information security to protect the individual. Privacy is the keyword here! Only use information about individuals for the purpose it was gathered for. (Remember ITSEC, the European version of TCSEC, which came from the USA/Orange Book; the two came together in the Common Criteria, but there is still some overlap.)
  • Strong on anti-spam and legitimate marketing
  • Directs that public directories be subject to tight controls
  • Takes an OPT-IN approach to unsolicited commercial electronic communications
  • Users may refuse cookies and must be provided with information about them
  • Member states in the EU can make their own laws, e.g. on retention of data

COBIT – examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of high-level control objectives. Having controls; GRC; heavy auditing, metrics, regulated industries.

Data Breaches (27)

  • Incident – an event that has the potential to do harm
  • Breach – an incident that results in disclosure or potential disclosure of data
  • Data Disclosure – unauthorized acquisition of personal information
  • Event – threat events are accidental and intentional exploitations of vulnerabilities

Laws (28)

  • ITAR, 1976 – defense goods; Arms Export Control Act
  • FERPA – education records
  • GLBA, Gramm-Leach-Bliley – credit-related PII (21)
  • ECS, Electronic Communication Service (Europe) – notice of breaches
  • Fourth Amendment – the basis for privacy rights is the Fourth Amendment to the Constitution
  • 1974 US Privacy Act – protection of PII in federal databases
  • 1980 Organization for Economic Cooperation and Development (OECD) – provides for data collection, specifications, safeguards
  • 1986 (amended 1996) US Computer Fraud and Abuse Act – trafficking in computer passwords or information that causes a loss of $1,000 or more or could impair medical treatment
  • 1986 Electronic Communications Privacy Act – prohibits eavesdropping or interception without distinguishing private/public
  • Communications Assistance for Law Enforcement Act (CALEA) of 1994 – amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
  • 1987 US Computer Security Act – security training, develop a security plan, and identify sensitive systems in government agencies
  • 1991 US Federal Sentencing Guidelines – responsibility on senior management, with fines up to $290 million. Invoke the prudent man rule. Address both individuals and organizations.
  • 1996 US Economic and Protection of Proprietary Information Act (Economic Espionage Act) – industrial and corporate espionage
  • 1996 Health Insurance Portability and Accountability Act (HIPAA) – amended by HITECH (below)
  • 1996 US National Information Infrastructure Protection Act – encourages other countries to adopt a similar framework
  • Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) – Congress amended HIPAA by passing this Act. It updated many of HIPAA's privacy and security requirements. One change is the way the law treats business associates (BAs), organizations that handle PHI on behalf of a HIPAA covered entity. Any relationship between a covered entity and a BA must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements.

Quantitative Risk Analysis (58)

  • Quantitative = VALUES (numbers)!!
  • SLE (Single Loss Expectancy) = Asset Value × Exposure Factor (% of the asset lost)
  • ALE (Annual Loss Expectancy) = SLE × ARO (Annualized Rate of Occurrence)
  • Loss = probability × cost
  • Responses: Accept; Mitigate (reduce by implementing controls, calculate the costs); Assign (insure the risk to transfer it); Avoid (stop the business activity)
  • Residual risk – the risk that remains after controls are applied. It is accepted where the cost of applying extra countermeasures is more than the estimated loss resulting from the threat or vulnerability (C > L). Legally the remaining residual risk is not counted when deciding whether a company is liable.
  • Controls gap – the amount of risk that is reduced by implementing safeguards: total risk – controls gap = residual risk
  • RTO (Recovery Time Objective) – how quickly you need that application's information available after downtime has occurred
  • RPO (Recovery Point Objective) – the point in time that application data must be recovered to in order to resume business functions; THE AMOUNT OF DATA YOU ARE WILLING TO LOSE
  • MTD (Maximum Tolerable Downtime) – maximum time a business can be down and still remain viable. MTD minutes to hours: critical; 24 hours: urgent; 72 hours: important; 7 days: normal; 30 days: non-essential
  • Plan: accept, build a risk team, review
  • Once in 100 years = ARO of 0.01 (not 0)
  • SLE is the dollar value lost when an asset is successfully attacked
  • Exposure Factor ranges from 0 to 1 (the fraction of the asset lost per incident); ALE is NOT an annual percentage of the asset, it is a dollar figure per year
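The formulas above carried through in code, as an added example that is not part of the study guide: it computes SLE and ALE for a scenario, the residual ALE once a safeguard is applied, and the net value of each safeguard (ALE before minus ALE after minus the control's annual cost), which is the C > L test for accepting residual risk. The data centre, fire probabilities, and sprinkler/gas costs are constructed sample numbers.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost-benefit.

Added worked example (not from the study guide). All asset values, exposure
factors, ARO values and control costs below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float           # AV, in dollars
    exposure_factor: float       # EF, fraction of the asset lost per incident (0..1)
    occurrences_per_year: float  # ARO, e.g. 0.01 for "once in 100 years"

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.occurrences_per_year < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost when the asset is hit once."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year (dollars, not %)."""
        return self.sle() * self.occurrences_per_year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    new_exposure_factor: float  # EF after the control is in place
    new_aro: float              # ARO after the control is in place


def ale_after(s: Scenario, g: Safeguard) -> float:
    """ALE with the safeguard applied: the residual risk, in dollars per year."""
    reduced = Scenario(s.name, s.asset_value, g.new_exposure_factor, g.new_aro)
    return reduced.ale()


def safeguard_value(s: Scenario, g: Safeguard) -> float:
    """Net annual value of a control = risk removed minus what the control costs.
    Positive: the control pays for itself. Negative: C > L, so accept the
    residual risk or look for a cheaper control."""
    return s.ale() - ale_after(s, g) - g.annual_cost


def best_safeguard(s: Scenario, options: list) -> tuple:
    """Name and net value of the best option, or ('accept', 0.0) if none pays."""
    best = max(options, key=lambda g: safeguard_value(s, g))
    value = safeguard_value(s, best)
    return (best.name, value) if value > 0 else ("accept", 0.0)


# Constructed sample: a $1,000,000 data centre; a fire destroys 40% of it and
# is expected once every 100 years (ARO = 0.01, not 0).
FIRE = Scenario("data centre fire", 1_000_000, 0.40, 0.01)
OPTIONS = [
    Safeguard("sprinklers", annual_cost=2_500, new_exposure_factor=0.10, new_aro=0.01),
    Safeguard("gas suppression", annual_cost=5_000, new_exposure_factor=0.05, new_aro=0.01),
]

if __name__ == "__main__":
    print(f"SLE = ${FIRE.sle():,.0f}, ALE = ${FIRE.ale():,.0f}")
    for g in OPTIONS:
        print(f"{g.name}: residual ALE ${ale_after(FIRE, g):,.0f}, "
              f"net value ${safeguard_value(FIRE, g):,.0f}")
    print("decision:", best_safeguard(FIRE, OPTIONS))
```

With these numbers the SLE is $400,000 and the ALE $4,000 a year; sprinklers cut the residual ALE to $1,000 and are worth $500 a year net, while gas suppression removes more risk but costs more than it saves, so on its own it would be rejected in favour of accepting the residual risk.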

Determination of Impact (61)

Life, dollars, prestige, market share

Risk Response (61)

  • Risk Avoidance – discontinue the activity because you don't want to accept the risk
  • Risk Transfer – passing the risk on to another entity (e.g. insurance)
  • Risk Mitigation – elimination or decrease in the level of risk
  • Risk Acceptance – live with it and pay the cost
Background checks – mitigation, acceptance, avoidance

Risk Framework Countermeasures (63)

  • Accountability
  • Auditability
  • Source trusted and known
  • Cost-effectiveness
  • Security
  • Protection for CIA of assets
  • Other issues created? e.g. does it leave residual data from its function

Controls (68)

Primary Controls (Types) – control cost should be less than the value of the asset being protected.

Administrative/Managerial (policy):
  • Preventive: hiring policies, screening, security awareness (also called soft measures!)
  • Detective: screening behavior, job rotation, review of audit records
Technical (aka Logical):
  • Preventive: protocols, encryption, biometrics, smart cards, routers, firewalls
  • Detective: IDS and automatically generated violation reports, audit logs, CCTV (never preventive)
Physical (Domain 5) – things you can see and touch: fences, doors, locks, windows etc.
  • Preventive: fences, guards, locks
  • Detective: motion detectors, thermal detectors, video cameras

Prime objective – reduce the effects of security threats and vulnerabilities to a tolerable level.
Risk analysis – process that analyses threat scenarios and produces a representation of the estimated potential loss.

Main Categories of Access Control (67)

  • Directive: specify rules of behavior
  • Deterrent: discourage people, change my mind
  • Preventive: prevent an incident or breach
  • Compensating: substitute for loss of primary controls
  • Detective: signal a warning, investigate
  • Corrective: mitigate damage, restore control
  • Recovery: restore to normal after an incident

Control      Accuracy                       Security                              Consistency
Preventive   Data checks, validity checks   Labels, traffic padding, encryption   DBMS, data dictionary
Detective    Cyclic redundancy checks       IDS, audit trails                     Comparison tools
Corrective   Checkpoints, backups           Emergency response                    Database controls

Functional order in which controls should be used: Deterrence, Denial, Detection, Delay.

Penetration Testing (77)

Testing a network's defenses by using the same techniques as external intruders.

  • Scanning and probing – port scanners
  • Demon dialing – war dialing for modems
  • Sniffing – capture data packets
  • Dumpster diving – searching paper disposal areas
  • Social engineering – most common; get information by asking

Teams and knowledge levels:
  • Blue team – has knowledge of the organization; can be done frequently and is least expensive
  • Red team – external and stealthy
  • White box – the ethical hacker knows what to look for and sees the code as a developer would
  • Grey box – partial knowledge of the system; sees code, acts as a user
  • Black box – the ethical hacker does not know what to find
  • Strategies – external, internal, blind, double-blind
  • Categories – zero, partial, full knowledge tests

4 stages: planning, discovery, attack, reporting.
Vulnerabilities exploited: kernel flaws, buffer overflows, symbolic links, file descriptor attacks.
Other model: footprint the network (information gathering), port scans, vulnerability mapping, exploitation, report. Scanning tools are used in penetration tests.
Flaw hypothesis methodology = operating system penetration testing.
Egregious hole – tell them now!

Pen Test Methodology (79)

Recon/discovery – Enumeration – Vulnerability analysis – Execution/exploitation – Document findings/reporting. SPELL OUT AND DEFINE!!!!

Control Assessment (76)

Look at your posture.
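The "scanning and probing" technique and the recon/enumeration stages of the methodology above, as an added example that is not part of the study guide: a TCP connect() port scanner that classifies each port as open, closed or filtered and grabs the service banner for enumeration. start_fake_service() is a constructed local listener so the script can be run offline against 127.0.0.1; it is not a real service, and scanning anything else requires authorization.

```python
"""TCP connect() port scanner with banner grabbing.

Added worked example (not from the study guide). A completed three-way
handshake means a service is listening; an immediate refusal means the port
is closed; silence until the timeout is what a packet-dropping firewall looks
like ("filtered"). start_fake_service() is a constructed stand-in target.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5, grab_banner: bool = True) -> dict:
    """Connect to one port; returns {'port', 'state', 'banner'}."""
    result = {"port": port, "state": "filtered", "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["state"] = "open"
            if grab_banner:
                s.settimeout(timeout)
                try:
                    # SSH, SMTP and FTP servers speak first; read what they send.
                    result["banner"] = s.recv(128).decode("ascii", "replace").strip()
                except (socket.timeout, OSError):
                    pass  # service waits for the client to talk; no banner
    except ConnectionRefusedError:
        result["state"] = "closed"      # RST came back: nothing listening
    except (socket.timeout, OSError):
        pass                            # no answer: leave as 'filtered'
    return result


def scan(host: str, ports, timeout: float = 0.5, workers: int = 32) -> list:
    """Probe many ports concurrently; results come back sorted by port."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(results, key=lambda r: r["port"])


def open_ports(results) -> list:
    return [r["port"] for r in results if r["state"] == "open"]


def start_fake_service(banner: bytes) -> int:
    """Constructed local target: accepts connections on 127.0.0.1, sends
    `banner`, closes. Returns the port the kernel assigned. Demo only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def find_unused_port() -> int:
    """Bind to port 0, read the port the kernel picked, release it again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = start_fake_service(b"SSH-2.0-OpenSSH_constructed\r\n")
    for r in scan("127.0.0.1", [22, 80, target, find_unused_port()]):
        print(f"{r['port']:5d}/tcp {r['state']:8s} {r['banner']}")
```

A connect() scan completes the handshake, so it shows up in the target's application logs; that is the trade-off against SYN scans, which need raw sockets and privileges. Keep the timeout short for a large range and the worker count modest so the scan itself does not look like a flood.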

Deming Cycle (83)

  • Plan – identify an opportunity and plan for change
  • Do – implement the change on a small scale
  • Check – use data to analyze the results of the change
  • Act – if the change was successful, implement it on a wider scale; if it failed, begin the cycle again

Identification of Threat (86)

Individuals must be qualified with the appropriate level of training.

  • Develop job descriptions
  • Contact references
  • Screen/investigate background
  • Develop confidentiality agreements
  • Determine policy on vendor, contractor, consultant and temporary staff access
DUE DILIGENCE

Software Licenses (91)

  • Public domain – available for anyone to use
  • Open source – source code made available with a license in which the copyright holder provides the rights to study, change and distribute the software to anyone
  • Freeware – proprietary software that is available for use at no monetary cost. May be used without payment but usually may not be modified, redistributed or reverse-engineered without the author's permission

Assurance (92)

Degree of confidence that the security requirements are satisfied. Assurance = another word for security. THINK OUTSIDE AUDIT.

Successful Requirements Gathering (92)

  • Don't assume what the client wants
  • Involve users early
  • Define and agree on scope
  • ...and more

Security Awareness (96)

Technical training – how to react to situations; best practices for security and network personnel.
Employees need to understand the policies; then use presentations, posters etc. to make them aware.
Formal security awareness training – exact preparation on how to do things.

Terms

  • Wiretapping – eavesdropping on communication; only legal with prior consent or a warrant
  • Data diddling – the act of modifying information, programs or documents to commit fraud; tampers with INPUT data
  • Privacy laws – data collected must be collected fairly and lawfully and used only for the purpose for which it was collected
  • Watering hole – compromise a website the target group is known to visit so that visitors pick up the malware (not to be confused with typosquatting, registering look-alike domain names)
  • Work function (work factor) – the difficulty of obtaining the cleartext from the ciphertext, measured in cost/time
  • Fair Cryptosystems – in this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.
  • SLA – agreement between an IT service provider and the customer; documents service levels; "divorce" clause: how to dissolve the relationship
  • SLR (Service Level Requirements) – requirements for a service from the client's viewpoint
  • Service level report – insight into a service provider's ability to deliver the agreed-upon service quality

Legislative drivers?

FISMA (federal agencies). Phase 1: categorizing, selecting minimum controls, assessment. Phase 2: create a national network of security services to perform assessments.

Benefits of Data Standards (134)

Increased data sharing

Considerations (134)

  • Borders
  • Encryption

Data Modeling (135)

Smallest bits of information the DB will hold – granularity. When do we replace? Then think about the next one. CRITICAL = AVAILABILITY.

Data Remanence (140)

Residual physical representation of data that has in some way been erased. PaaS deals with it best in the cloud.
Remanence – residual data left on media after erase attempts.
Removing unwanted remnant data from magnetic tapes:

  • Physical destruction
  • Degaussing
  • Overwriting
  • NOT reformatting

  • Sanitizing – a series of processes that removes data and ensures the data is unrecoverable by any means. Used when a computer is removed from service and disposed of; all storage media is removed or destroyed.
  • Degaussing – AC erasure uses alternating magnetic fields; DC erasure uses a unidirectional magnetic field or a permanent magnet. Can erase tapes.
  • Erasing – deletion of files or media; removes only the link to the file. Least effective.
  • Overwriting/wiping/shredding – overwrites with a pattern; may miss areas.
  • Zero fill – wipe a drive and fill it with zeros.
  • Clearing – prepping media for reuse at the same level. Removal of sensitive data from storage devices in such a way that the data may not be reconstructed using normal system functions or utilities. May be recoverable with special lab equipment; the data is just overwritten.
  • Purging – more intense than clearing; media can be reused in lower-classified systems. Removal of sensitive data with the intent that the data cannot be reconstructed by any known technique.
  • Destruction – incineration, crushing, shredding and disintegration are stages of this.
Encrypting data is a good way to secure files sent over the Internet.

SSD Data Destruction (142)

  • NIST says to "disintegrate"
  • SSDs cannot be degaussed; spare sectors, bad sectors and wear levelling may hide non-addressable data. Encryption is the solution.
  • Erase the encryption key to make the data unreadable
  • Crypto erase, sanitization, targeted overwrite (best)
Buy high-quality media – the value of the data exceeds the cost of the media. Sanitization is business as usual; destruction is not, for cost reasons.
Reuse – downgrading equipment for reuse will probably be more expensive than buying new.
Metadata – helps to label data and prevent loss before it leaves the organization. Data mart – metadata is stored in a more secure container.
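The three outcomes described above (erasing only drops the link, overwriting replaces the blocks, cryptographic erase destroys the key) shown on a toy block device, as an added example that is not part of the study guide. The "disk" is a constructed in-memory list of blocks with a directory, and the cipher is a SHA-256 keystream XOR standing in for AES so the script needs only the standard library; neither is a real filesystem or a real self-encrypting drive.

```python
"""Data remanence on a toy block device: delete vs overwrite vs crypto erase.

Added worked example (not from the study guide). ToyDisk and the XOR stream
cipher are constructed stand-ins for a real filesystem and for AES.
"""
import hashlib
import os

BLOCK = 16  # bytes per block on the toy disk


class ToyDisk:
    def __init__(self, nblocks: int = 8) -> None:
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.free = list(range(nblocks))
        self.directory: dict = {}  # filename -> list of block numbers

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(data), BLOCK)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in chunks]
        for blk, chunk in zip(used, chunks):
            self.blocks[blk] = chunk
        self.directory[name] = used

    def delete(self, name: str) -> None:
        """'Erasing': drops the link and frees the blocks; the bytes stay put."""
        self.free.extend(self.directory.pop(name))

    def overwrite(self, name: str, passes=(b"\x00", b"\xff", None)) -> None:
        """Overwriting/wiping: rewrite every block of the file with each pattern
        (None = random bytes), then release it."""
        for blk in self.directory[name]:
            for pattern in passes:
                self.blocks[blk] = os.urandom(BLOCK) if pattern is None else pattern * BLOCK
        self.delete(name)

    def raw_dump(self) -> bytes:
        """What a lab reads off the platters, ignoring the file system."""
        return b"".join(self.blocks)


def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for AES); the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


SECRET = b"TOP SECRET: formula 7 is 3:1 syrup"  # constructed sample data


def delete_leaves_remnants() -> bool:
    disk = ToyDisk()
    disk.write("recipe.txt", SECRET)
    disk.delete("recipe.txt")
    return SECRET in disk.raw_dump()  # True: the file is gone, the data is not


def overwrite_removes_remnants() -> bool:
    disk = ToyDisk()
    disk.write("recipe.txt", SECRET)
    disk.overwrite("recipe.txt")
    return SECRET in disk.raw_dump()  # False: patterns replaced the blocks


def crypto_erase() -> tuple:
    """Store only ciphertext; 'erase' by destroying the key, as an SED does.
    Returns (plaintext ever on media?, recoverable after key destruction?)."""
    key = os.urandom(32)
    disk = ToyDisk()
    disk.write("recipe.txt", xor_cipher(key, SECRET))
    on_media_in_clear = SECRET in disk.raw_dump()
    stored = disk.raw_dump()[:len(SECRET)]  # ciphertext outlives any deletion...
    key = bytes(32)                          # ...but the key has been zeroised
    recovered = xor_cipher(key, stored)
    return on_media_in_clear, recovered == SECRET
```

Crypto erase is the only one of the three that does not depend on reaching every physical location, which is why it is the practical answer for SSDs whose spare and remapped blocks the host cannot address; it is only as good as the key's destruction and the cipher that protected the data in the first place.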

Baselines (154)

Select based on the data classification of the data stored/handled

  • Which parts of enterprise can be protected by the same baseline?
  • Should baseline be applied throughout whole enterprise?
  • At what security level should the baseline aim? How will the controls be determined?
Baseline – starting point that can be tailored to an organization for a minimum security standard; common security configurations. Use Group Policies to check and enforce compliance.

Scoping and Tailoring (157)

Narrows the focus of the architecture to ensure that appropriate risks are identified and addressed. Scoping – reviewing baseline security controls and selecting only those controls that apply to the IT system you are trying to protect. Tailoring – modifying the list of security controls within a baseline so that they align with the mission of the organization. Supplementation – adding assessment procedures or assessment details to adequately meet the risk management needs of the organization.

Link vs. End to End Encryption (174)

Link encryption – usually point to point; EVERYTHING is encrypted, headers included ("black pipe, black oil, black ping-pong balls"); normally done by service providers, and every hop must decrypt to route.
End-to-end encryption – intermediate nodes can see ALL BUT THE PAYLOAD (headers and routing information stay in the clear); normally done by users.
YOU CAN LAYER THESE ENCRYPTION TYPES.
Email is not secured unless encrypted. Netscape invented SSL; SSLv3 is still in use but deprecated. USE TLS 1.2 (or later) now, for the test.
PGP / GnuPG (GPG) – does not rely on a central CA; uses a web of trust. S/MIME – secure email based on X.509 certificates.

Nice to Know

  • Classifying costs – cost is not a factor in classifying data, but it is in choosing controls
  • FTP and Telnet are unencrypted! SFTP and SSH provide encryption to protect data and the credentials used to log in
  • Record retention policies – how long data is retained and maintained
  • Removable media – use strong encryption, like AES-256, to ensure loss of media does not result in a data breach
  • Personnel retention – deals with the knowledge employees gain while employed
  • Record retention – retaining and maintaining information for as long as it is needed
  • Label data – to make sure data is identifiable by its classification level. Some label all media that contains data, to prevent reuse of public media for sensitive data
  • Data in RAM is data in use
  • CIS – Center for Internet Security; publishes lists of security controls (benchmarks) for OS, mobile, server and network devices

Standards Selection (158 - 185)

NIST – National Institute of Standards and Technology. The NIST SP 800 series addresses computer security in a variety of areas.
  • SP 800-14 – Generally Accepted Principles and Practices (GAPP) for securing information technology systems
  • SP 800-18 – how to develop security plans
  • SP 800-27 – baseline for achieving security; five life-cycle planning phases (defined in 800-14) and 33 IT security principles:

  • Initiation
  • Development/Acquisition
  • Implementation
  • Operation/Maintenance
  • Disposal
  • SP 800-88 – guidelines for media sanitization and disposition; prevents data remanence
  • SP 800-122 – defines PII as any information that can be used to trace a person's identity, such as SSN, name, date of birth, place of birth, mother's maiden name
  • SP 800-137 – build/implement an information security continuous monitoring program: define, establish, implement, analyze and report
  • SP 800-145 – cloud computing (definition)
FIPS – Federal Information Processing Standards; official series of publications relating to standards and guidelines adopted under FISMA, the Federal Information Security Management Act of 2002.
  • FIPS 199 – standards for categorizing information and information systems
  • FIPS 200 – minimum security requirements for federal information and information systems
DoD 8510.01 – establishes DIACAP
ISO 15288 – international systems engineering standard covering processes and life-cycle stages:
  • Agreement
  • Organization Project-enabling
  • Technical Management
  • Technical

Nice to Know

  • CalOPPA – California Online Privacy Protection Act: operators of commercial websites must post a privacy policy if collecting personal information on California residents (distinct from the federal COPPA, the Children's Online Privacy Protection Act)
  • Curie temperature – critical point where a material's intrinsic magnetic alignment changes direction (relevant to degaussing)
  • DAR – data at rest; inactive data that is physically stored, not in RAM. Biggest threat is a data breach; full-disk encryption protects it (Microsoft BitLocker and Microsoft EFS, which use AES, are examples)
  • DLP – Data Loss/Leakage Prevention; uses labels to determine the appropriate control to apply to data. Won't modify labels in real time.
  • ECM – Enterprise Content Management; centrally managed and controlled
  • Non-disclosure Agreement – legal agreement that prevents employees from sharing proprietary information
  • PCI DSS – Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council; credit cards; provides a set of security controls/standards
  • Watermark – embedded data to help identify the owner of a file; digitally labels data and can be used to indicate ownership

Systems Engineering & Modeling (194)

Common Criteria, ISO 15408 – structured methodology for documenting security requirements, documenting and validating ****. A SECURITY PRODUCT MAY BE CERTIFIED. Defines a protection profile that specifies the security requirements and protections of a product that is to be evaluated. Organized around TCB entities.

Evaluation Assurance Levels (EAL)

  • EAL0 – Inadequate assurance
  • EAL1 – Functionally tested
  • EAL2 – Structurally tested
  • EAL3 – Methodically tested and checked
  • EAL4 – Methodically designed, tested and reviewed
  • EAL5 – Semi formally designed and tested
  • EAL6 – Semi formally verified design and tested
  • EAL7 – Formally verified design and tested
Target of Evaluation (TOE): the product.
Protection Profile (PP): set of security requirements for a category of products that meet specific consumer security needs.
Security Target (ST): identifies the security properties of the TOE.
Security Functional Requirements (SFRs): specific individual security functions.

Engineering Principles for IT Security (194)

NIST SP 800-27

  • Initiation – need expressed, purpose documented, impact assessment
  • Development/Acquisition – system designed, purchased, programmed, developed or constructed
  • Implementation – system tested and installed; certification and accreditation
  • Operation/Maintenance – performs its function; security operations, audits
  • Disposal – disposition of information, hardware and software
Physical controls are your first line of defense, and people are your last.

ISO/IEC 21827:2008 SSE-CMM (Maturity Model)

BIGGEST JUMP IN THE MATURITY MODEL? Level 2 to 3: FROM REACTIVE TO PROACTIVE.

OS Kernel

Loads and runs binary programs, schedules task swapping, allocates memory and tracks the physical location of files on the computer's hard disk, manages I/O requests from software, and translates them into instructions for the CPU.

Common System Components (198)

Primary storage – temporary storage area for data entering and leaving the CPU.
Random Access Memory (RAM) – temporary holding place for data used by the operating system. It is volatile: if the power is turned off the data is lost. Two types of RAM are dynamic and static. Dynamic RAM needs to be refreshed from time to time or the data will be lost; static RAM does not need to be refreshed.
Read-Only Memory (ROM) – non-volatile, which means the data is not lost when the computer is turned off; for the most part ROM cannot be altered. ROM is sometimes referred to as firmware.
Erasable Programmable Read-Only Memory (EPROM) – non-volatile like ROM; however, EPROM can be altered.
Process states:

  • Stopped; process finishes or must be terminated
  • Waiting; the process is ready for continued execution but is waiting for a device or access request
  • Running; executes on the CPU and keeps going until it finishes, its time slice expires, or it is blocked
  • Ready; process prepared to execute when the CPU is ready
Multitasking – execute more than one task at the same time.
Multiprocessing – more than one CPU is involved.
Multithreading – execute different parts of a program simultaneously.
Single-state machine – operates in the security environment at the highest level of classification of the information within the computer; in other words, all users on that system must have clearance to access the information on it.
Multi-state machine – can offer several security levels without risk of compromising the system's integrity.
CISC – complex instructions: many operations per instruction, fewer fetches.
RISC – reduced instructions: simpler operations per instruction, more fetches.
Software generations: 1GL – machine language (used directly by a computer); 2GL – assembler; 3GL – FORTRAN, BASIC, PL/1, C++; 4GL – Natural, Focus, SQL; 5GL – Prolog, Lisp, artificial intelligence languages based on logic.

Memory Protection (200)

Segmentation – dividing a computer's memory into segments.
Protection keying – divides physical memory into blocks of a particular size, each of which has an associated numerical value called a protection key.
Paging – divides the memory address space into even-sized blocks called pages, to emulate having more RAM than we physically have. THE SYSTEM KERNEL KNOWS THE LOCATION OF THE PAGE FILE.
DEP, Data Execution Prevention – a system-level memory protection feature built into the OS. DEP prevents code from being run from data pages such as the default heap, stacks and memory pools.

ITIL (208)

The ITIL Core includes five publications addressing the overall life cycle of systems. ITIL as a whole identifies best practices that an organization can adopt to increase overall availability, and the Service Transition publication addresses configuration management and change management processes.

  • Service Strategy
  • Service Design
  • Service Transition
  • Service Operations
  • Continual Service Improvement

Types of Security Models (210)

Defining allowed interactions between subjects (active parties) and objects (passive parties) at a particular moment in time.

State Machine Model – describes a system that is always secure no matter what state it is in. If all aspects of a state meet the requirements of the security policy, that state is considered secure. A transition occurs when accepting input or producing output, and always results in a new state (a state transition). A secure state machine always boots into a secure state, maintains a secure state across all transitions, and allows subjects to access resources only in a secure manner compliant with the security policy.

Information Flow Model – focuses on the flow of information and is based on the state machine model. The Bell-LaPadula and Biba models are both information flow models. Information flow models don't necessarily deal only with the direction of information flow; they can also address the type of flow. They are designed to prevent unauthorized, insecure or restricted information flow, often between different levels of security (these are often referred to as multilevel models). The information flow model also addresses covert channels by specifically excluding all non-defined flow pathways.

Noninterference Model – loosely based on the information flow model. Instead of being concerned with the flow of information, the noninterference model is concerned with how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level. Basically, the actions of subject A (high) should not affect the actions of subject B (low) or even be noticed by subject B. The noninterference model can be imposed to provide a form of protection against damage caused by malicious programs such as Trojan horses. Sutherland Model – an integrity-focused noninterference model.
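The two information flow models named above as access decisions in code, added here as an example that is not part of the study guide. Labels are a classification level plus a set of compartments (need to know), and label A dominates B when A's level is at least B's and A's compartments include B's. Bell-LaPadula enforces no read up / no write down for confidentiality; Biba, using the same lattice as an integrity ordering, enforces no read down / no write up. The level names, compartments, analyst and objects are constructed samples.

```python
"""Bell-LaPadula and Biba access decisions over a label lattice.

Added worked example (not from the study guide). Levels, compartments and
the sample subject/objects are constructed.
"""
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, access: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read: simple security property, subject dominates object (no read up).
    write: *-property, object dominates subject (no write down).
    readwrite: both, which forces equal labels."""
    if access == "read":
        return subject.dominates(obj)
    if access == "write":
        return obj.dominates(subject)
    if access == "readwrite":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown access {access!r}")


def biba_allows(subject: Label, obj: Label, access: str) -> bool:
    """Biba (integrity), same lattice read as trustworthiness.
    read: simple integrity, object dominates subject (no read down).
    write: *-integrity, subject dominates object (no write up)."""
    if access == "read":
        return obj.dominates(subject)
    if access == "write":
        return subject.dominates(obj)
    if access == "readwrite":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown access {access!r}")


def decision_table(subject: Label, objects: dict, model) -> dict:
    """For each object, the subset of (read, write) the model permits."""
    return {name: tuple(a for a in ("read", "write") if model(subject, lab, a))
            for name, lab in objects.items()}


# Constructed sample: an analyst cleared SECRET with the NUCLEAR compartment.
ANALYST = Label("secret", frozenset({"nuclear"}))
OBJECTS = {
    "public_notice": Label("unclassified"),
    "nuclear_report": Label("secret", frozenset({"nuclear"})),
    "crypto_report": Label("secret", frozenset({"crypto"})),  # no need to know
    "war_plan": Label("top secret", frozenset({"nuclear"})),
}

if __name__ == "__main__":
    print("Bell-LaPadula:", decision_table(ANALYST, OBJECTS, blp_allows))
    print("Biba:         ", decision_table(ANALYST, OBJECTS, biba_allows))
```

The two tables are mirror images: under Bell-LaPadula the analyst may read the public notice but not write to it (a write could leak SECRET data downward) and may write into the TOP SECRET war plan but not read it; under Biba the directions flip, because untrusted data must not flow up into trusted objects. The crypto report is denied everything by both, since the compartment check fails in both directions.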

Techniques for Ensuring CIA

Confinement – restricting the actions of a program. Simply put, process confinement allows a process to read from and write to only certain memory locations and resources. This is also known as sandboxing.
Bounds – the limits set on the memory addresses and resources a process can access. The bounds state the area within which a process is confined or contained.
Isolation – when a process is confined through enforced access bounds, that process runs in isolation. Process isolation ensures that any behavior will affect only the memory and resources associated with the isolated process.

Security Standards (222) Memory Components Cloud Service Models (241)

Original service models – SaaS, PaaS; original deployment model- community & hybrid PaaS – Platform-as-a-Service is the concept of providing a computing platform and software solution stack as a virtual or cloud- based service. Essentially, this type of cloud solution provides all the aspects of a platform (that is, the operating system and complete solution package). The primary attraction of PaaS is the avoidance of having to purchase and maintain high-end hardware and software locally. Customer supplies application code that the vendor then executes on its own infrastructure SaaS – Software-as-a-Service, is a derivative of PaaS. SaaS provides on-demand online access to specific software applications or suites without the need for local installation. In many cases, there are few local hardware and OS limitations. IaaS – Infrastructure-as-a-Service, takes the PaaS model yet another step forward and provides not just on-demand operating solutions but complete outsourcing options. This can include utility or metered computing services, administrative task automation, dynamic scaling, virtualization services, policy implementation and management services, and managed/ filtered Internet connectivity. Deployment Models, parent organization still responsible for patching OS of virtual hosts, CaaS – not a TERM!

  • Private; cloud-based assets for a single organization. Organizations can create and host private clouds using their own resources.
  • Community; provides cloud-based assets to two or more organizations. Maintenance responsibilities are shared based on who is hosting the assets and the service models.
  • Public; model includes assets available for any consumers to rent or lease and is hosted by an external CSP. Service level agreements can be effective at ensuring the CSP provides the cloud-based services at a level acceptable to the organization.
  • Hybrid – mix of public and private

Database Security (237)

  • Aggregation – SQL provides a number of functions that combine records from one or more tables to produce potentially useful information. Aggregation is not without its security vulnerabilities. Aggregation attacks are used to collect numerous low-level security items and combine them to create something of a higher security level or value.
  • Inference – involves combining several pieces of non-sensitive information to gain access to information that should be classified at a higher level. However, inference makes use of the human mind’s deductive capacity rather than the raw mathematical ability of modern database platforms.
  • Data Warehousing – large databases that store large amounts of information from a variety of databases for use with specialized analysis techniques.
  • Data Mining – techniques that allow analysts to comb through data warehouses and look for potentially correlated information.
  • Data dictionary – commonly used for storing critical information about data, including usage, type and sources; read by the DBMS software.

Security Standards (222)

  • ISO 27001 – a standard focused on the standardization and certification of an organization’s information security management system (ISMS); security governance; ISMS. Info security minimum systems.
  • ISO 27002 – (inspired by ISO 17799) a guideline which lists security control objectives and recommends a range of specific security controls; more granular than 27001. 14 areas. BOTH INSPIRED FROM BS

Control Frameworks (223)

Consider the overall control framework or structure of the security solution desired by the organization. COBIT – Control Objectives for Information and Related Technology, is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT 5 – is based on five key principles for governance and management of enterprise IT:

  • Principle 1: Meeting Stakeholder Needs
  • Principle 2: Covering the Enterprise End-to-End
  • Principle 3: Applying a Single, Integrated Framework
  • Principle 4: Enabling a Holistic Approach
  • Principle 5: Separating Governance from Management

COBIT is used not only to plan the IT security of an organization but also as a guideline for auditors.

Virtualization (229)

Used to host one or more operating systems within the memory of a single host computer. Such an OS is also known as a guest operating system. From the perspective that there is an original or host OS installed directly on the computer hardware, the additional OSes hosted by the hypervisor system are guests.

  • Virtual machine – simulated environment created by the OS to provide a safe and efficient place for programs to execute.
  • Virtual SAN – a software-defined shared storage system; a virtual re-creation of a SAN on top of a virtualized network or an SDN.

Timing (233)

  • TOCTTOU attack – race condition exploits and communication disconnects are known as state attacks because they attack timing, data flow control, and the transition from one system state to another.
  • RACE – two or more processes require access to the same resource and must complete their tasks in the proper order for normal function.

Memory Components

  • Register – the CPU also includes a limited amount of onboard memory, known as registers, that provide it with directly accessible memory locations that the brain of the CPU, the arithmetic-logical unit (ALU), uses when performing calculations or processing instructions; small memory locations directly in the CPU.
  • Stack Memory Segment – used by processors to communicate instructions and data to each other.
  • Monolithic Operating System Architecture – all of the code working in kernel mode/system mode in an ad hoc and non-modularized OS.
  • Memory Addressing – when using memory resources, the processor must have some means of referring to various locations in memory. The solution to this problem is known as addressing:

  • Register Addressing – When the CPU needs information from one of its registers to complete an operation, it uses a register address (for example, “register 1”) to access its contents.
  • Immediate Addressing – is not a memory addressing scheme per se but rather a way of referring to data that is supplied to the CPU as part of an instruction. For example, the CPU might process the command “Add 2 to the value in register 1.” This command uses two addressing schemes. The first is immediate addressing: the CPU is being told to add the value 2 and does not need to retrieve that value from a memory location; it’s supplied as part of the command. The second is register addressing; it’s instructed to retrieve the value from register 1.
  • Direct Addressing – in direct addressing, the CPU is provided with an actual address of the memory location to access. The address must be located on the same memory page as the instruction being executed. Direct addressing is more flexible than immediate addressing since the contents of the memory location can be changed more readily than reprogramming the immediate addressing’s hard-coded data.
  • Indirect addressing – uses a scheme similar to direct addressing. However, the memory address supplied to the CPU as part of the instruction doesn’t contain the actual value that the CPU is to use as an operand. Instead, the memory address contains another memory address (perhaps located on a different page). The CPU reads the indirect address to learn the address where the desired data resides and then retrieves the actual operand from that address.
  • Base + Offset Addressing – uses a value stored in one of the CPU’s registers as the base location from which to begin counting. The CPU then adds the offset supplied with the instruction to that base address and retrieves the operand from that computed memory location.

Key Encryption Concepts and Definitions (243)

Purpose: protect transmitted information from being read and understood except by the intended recipient.

  • Substitution – like shifting and rotating alphabets; can be broken by statistical analysis, looking at repeating characters or repeats.
  • Vernam cipher (one time pad) – key of a random set of non-repeating characters.
  • Information Theory – Claude Elwood Shannon.
  • Transposition – permutation is used, meaning that letters are scrambled. The key determines the positions that the characters are moved to, for example vertical instead of horizontal.
  • Null Cipher – used in cases where the use of encryption is not necessary, but the fact that no encryption is needed must still be configured in order for the system to work. Ex. testing, steganography.
  • Key Length – used with each algorithm based on the sensitivity of the information transmitted; the longer the key the better!
  • Key space – is the range of values that are valid for use as a key for a specific algorithm. A key space is defined by its bit size. Bit size is nothing more than the number of binary bits (0s and 1s) in the key. The key space is the range between the key that has all 0s and the key that has all 1s. Key space doubles each time you add a bit to the key length, which makes cryptanalysis more difficult.
  • Key Clustering – when different encryption keys generate the same ciphertext from the same plaintext message. BAD
  • Synchronous – each encryption or decryption request is performed immediately.
  • Asynchronous – encrypt/decrypt requests are processed in queues.
  • Hash Function – one-way mathematical operation that reduces a message or data file into a smaller fixed-length output. Encrypted using the private key of the sender.
  • Registration Authority – performs certificate registration services on behalf of a CA. The RA verifies user credentials.
  • Certificate Authority – PKI; entity trusted by one or more users as an authority in a network that issues, revokes, and manages digital certificates.
  • Key Space – represents the total number of possible values of keys in a cryptographic algorithm for the encryption of a plaintext block sequence, to increase security by introducing additional cryptographic variance. HOW HARD TO BRUTE FORCE
  • Transposition/permutation – process of reordering plaintext to hide the message: rambo = ombar
  • SP-network – process described by Claude Shannon used in most block ciphers to increase their strength.
  • Confusion – mixing the key values during repeated rounds of encryption; make the relationship between ciphertext and key as complex as possible.
  • Diffusion – mix the location of plaintext throughout the ciphertext; a change of a single bit should drastically change the hash; dissipate patterns.
  • Meet in the Middle – attackers might use a meet-in-the-middle attack to defeat encryption algorithms that use two rounds of encryption. This attack is the reason that Double DES (2DES) was quickly discarded as a viable enhancement to DES encryption (it was replaced by Triple DES: 3DES, TDES; EEE and EDE modes).
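To make the Double DES remark concrete, here is an added example (not from the study guide) that mounts the general meet-in-the-middle attack on double encryption using a constructed toy 16-bit SP cipher with 12-bit keys; the cipher, the key size and the sample keys are illustrative stand-ins for DES. With three known plaintext/ciphertext pairs it recovers both keys after about 2 * 2^12 cipher operations and a table of 2^12 entries, where trying every key pair would cost 2^24, which is why encrypting twice adds only one bit of effective strength.

```python
"""Meet-in-the-middle against double encryption with a toy 16-bit SP cipher.

Added example; the toy cipher, 12-bit keys and sample keys are constructed
for illustration and are not DES. The point is the work factor: recovering
both keys costs about 2 * 2^12 cipher operations instead of 2^24.
"""

# A 4-bit S-box (DES S1, row 0) supplies the non-linearity; a rotation spreads it.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
KEY_BITS = 12  # constructed: small enough that the whole key space is searchable in seconds
MASK16 = 0xFFFF


def _sub(x, box):
    """Apply a 4-bit S-box to each nibble of a 16-bit word."""
    return sum(box[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))


def _rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK16


def toy_encrypt(key, block):
    """One SP round: key whitening, substitution, permutation, key whitening."""
    return _rotl(_sub(block ^ key, SBOX), 5) ^ key


def toy_decrypt(key, block):
    """Inverse of toy_encrypt (rotate left by 11 == rotate right by 5)."""
    return _sub(_rotl(block ^ key, 11), INV_SBOX) ^ key


def double_encrypt(k1, k2, block):
    """2DES-style construction: encrypt twice with two independent keys."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2, work) from known plaintext/ciphertext pairs.

    Forward table: for every k1, the tuple of intermediate values E_k1(P_i).
    Backward pass: for every k2, D_k2(C_i); a hit in the table meets in the middle.
    Several pairs are used so that chance matches are filtered out.
    """
    forward = {}
    for k1 in range(1 << KEY_BITS):
        mid = tuple(toy_encrypt(k1, p) for p, _ in pairs)
        forward.setdefault(mid, []).append(k1)
    for k2 in range(1 << KEY_BITS):
        mid = tuple(toy_decrypt(k2, c) for _, c in pairs)
        for k1 in forward.get(mid, ()):
            return k1, k2, 2 * (1 << KEY_BITS)  # work: one forward and one backward sweep
    return None


def demo():
    k1, k2 = 0x3A7, 0xC15  # constructed secret keys, unknown to the attacker
    plaintexts = [0x1234, 0xBEEF, 0x0001]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs), (k1, k2), pairs


if __name__ == "__main__":
    found, real, _ = demo()
    print("recovered", found[:2], "real", real, "work", found[2], "vs", (1 << KEY_BITS) ** 2)
```

The forward table is the memory/time trade: the attacker stores 2^k intermediate values once and then tests each candidate second key with a single lookup, so the defence is not a second encryption with the same cipher but a construction, such as three-key or two-key triple encryption, where meeting in the middle still leaves 2^(2k) work.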

Key Encryption Concepts and Definitions (cont.)

  • Block Cipher – segregating plaintext into blocks and applying an identical encryption algorithm and key.
  • Cipher – cryptographic transformation that operates on characters or bits. DES, word scramble, shift letters.
  • Cipher text or Cryptogram – unintelligible message; encrypted text.
  • Clustering – situation wherein plain text messages generate identical cipher text messages using the same algorithm but with different crypto-variables or keys.
  • Codes – cryptographic transformation that operates at the level of words or phrases (one by land, two by sea).
  • Cryptanalysis – breaking the cipher text.
  • Cryptographic Algorithm – step-by-step procedure to encipher plaintext and decipher cipher text.
  • Cryptography – the art and science of hiding the meaning of communications from unintended recipients. (Greek: kryptos=hidden, graphein=to write)
  • Cryptology: cryptography + cryptanalysis
  • Cryptosystem – set of transformations from a message space to cipher space.
  • Decipher – to make the message readable; undo the encipherment process.
  • Encipher – make the message unintelligible.
  • End-to-end encryption – encrypted information that is sent from point of origin to destination. In symmetric encryption this means both having the same identical key for the session.
  • Exclusive OR – Boolean operation that performs binary addition.
  • Key or Crypto variable – information or sequence that controls the enciphering and deciphering of messages.
  • Link encryption – stacked encryption using different keys to encrypt each time.
  • One Time Pad – encipher each character with its own unique key that is used only once; unbreakable supposedly.
  • PGP (GPG) – encrypt attached files.
  • Plaintext – message in clear text, readable form.
  • Steganography – secret communications where the existence of a message is hidden (inside images, for example).
  • Dumpster Diving – going through someone’s trash to find useful or confidential info; it is legal but unethical in nature.
  • Phishing – act of sending spoofed messages that pretend to originate from a source the user trusts (like a bank).
  • Social Engineering – act of tricking someone into giving sensitive or confidential info that may be used against the company.
  • Script kiddie – someone with moderate hacking skills; gets code from the Internet.
  • Red boxing – pay phone cracking.
  • Black Boxing – manipulates toll-free line voltage to phone for free.
  • Blue Boxing – tone simulation that mimics the telephone company’s system and allows long distance call authorization.
  • White box – dual tone, multifrequency generator to control the phone system.
  • Phreakers – hackers who commit crimes against phone companies.
  • Salami – removal of a small amount of money, otherwise known as skimming.

Key Encryption Concepts and Definitions (cont.)

  • Zero-knowledge proof – is a communication concept. A specific type of information is exchanged but no real data is transferred, as with digital signatures and digital certificates. Understand split knowledge. “magic door”
  • Split knowledge – means that the information or privilege required to perform an operation is divided among multiple users. This ensures that no single person has sufficient privileges to compromise the security of the environment. M of N Control (multiparty key recovery) is an example of split knowledge.
  • Skipjack – like many block ciphers, Skipjack operates on 64-bit blocks of text. It uses an 80-bit key and supports the same four modes of operation supported by DES. Skipjack was quickly embraced by the US government and provides the cryptographic routines supporting the Clipper and Capstone encryption chips. However, Skipjack has an added twist: it supports the escrow of encryption keys.

Goals of Cryptography

  • Confidentiality
  • Integrity
  • Proof of origin
  • Non-repudiation
  • Protect data at rest
  • Protect data in transit

Cryptographic Concepts

  • Key Clustering – when different encryption keys generate the same ciphertext from the same plaintext message.
  • Work Factor – time and effort required to break a protective measure.
  • Kerckhoffs’s Principle – everything but the key may be public and the system stays secure.
  • Synchronous and self-synchronous Random Number Generators (RNGs)
  • Vigenere Cipher – uses key words and numerous rows (traditionally 26), each one of which is offset by one.

Security Monitoring

  • Reference Monitor and security kernel are used to determine whether a user should be allowed to access an object
  • “complete mediation” means that all subjects must be authenticated and their access rights verified before they can access any object

PKI (289)

Understand the public key infrastructure (PKI). In the public key infrastructure, certificate authorities (CAs) generate digital certificates containing the public keys of system users. Users then distribute these certificates to people with whom they want to communicate. Certificate recipients verify a certificate using the CA’s public key.

  • X.509 standard = PKI. Serial number, owner, issuer name.
  • Integrity (hash code and message digest), access control, confidentiality (by encryption), authentication (digital certificates) and non-repudiation (digital signatures).
  • The issuer signs a certificate.
  • If you only want to check that a mail is not altered: use a digital signature! Proves that the signature was provided by the intended signer.
  • Trust anchor = public key that has been verified and that’s trusted.

Digital signatures (296)

  • no modifications allowed
  • identity can be derived
  • Works with a one-way hash (message digest), like SHA-1 (512-bit blocks) or MD5 (128-bit digest) or HMAC, which uses a key
  • Acceptable encryption algorithm choices – DSA, RSA, ECDSA
  • HASH it and ENCRYPT the message digest
  • Correct way to create and use a digital signature – hash the document, encrypt only the hash with the sender’s private key, send both the plain text document and the encrypted hash to the recipient.
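The hash-then-sign procedure above, carried out end to end as an added example that is not part of the study guide. It uses textbook RSA over two fixed Mersenne primes (M31 and M61, giving a modulus of about 92 bits) and reduces the SHA-256 digest modulo N so that it fits; both shortcuts are constructed for the demonstration and would be unacceptable in production, where keys are 2048 bits or larger and the digest is embedded with PSS or another padding scheme. What it shows is the flow the note describes: the sender signs only the digest with the private exponent, the recipient recomputes the digest and checks it against the signature with the public exponent, and a one-character change to the document makes verification fail.

```python
"""Hash-then-sign with textbook RSA over fixed Mersenne primes.

Added example, not from the study guide. The modulus (about 92 bits) and the
absence of padding make this a classroom demonstration only; real signatures
use 2048-bit or larger keys with RSA-PSS, or ECDSA/EdDSA.
"""
import hashlib

P = (1 << 31) - 1  # Mersenne prime M31 (constructed toy key material)
Q = (1 << 61) - 1  # Mersenne prime M61
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)


def digest_int(document: bytes) -> int:
    """Reduce the document to a fixed-length digest, then to an integer below N.

    Constructed for the toy modulus: a real scheme never reduces the digest mod N,
    it embeds the full digest in a padded block sized to the key.
    """
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes, private_exponent: int = D) -> int:
    """Sender: hash the document and encrypt only the hash with the private key."""
    return pow(digest_int(document), private_exponent, N)


def verify(document: bytes, signature: int, public_exponent: int = E) -> bool:
    """Recipient: decrypt the signature with the public key, compare to a fresh hash."""
    return pow(signature, public_exponent, N) == digest_int(document)


def demo():
    """Sign a constructed document, then verify the original and a tampered copy."""
    doc = b"Wire $100 to account 12345"
    sig = sign(doc)
    tampered = doc.replace(b"$100", b"$900")
    return verify(doc, sig), verify(tampered, sig)


if __name__ == "__main__":
    print("original verifies:", demo()[0], "| tampered verifies:", demo()[1])
```

Signing the digest rather than the document keeps the signature one modular exponentiation regardless of document size, and the recipient gets the plaintext document plus the signature exactly as the note says; the signature carries no confidentiality, only integrity and proof of origin.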

Email Security (297)

  • S/MIME – Confidentiality (encryption), Integrity (using PKCS X. PKI) and non-repudiation through signed message digests
  • PEM – Privacy Enhanced Email. Encryption (AES), PKI X.509 and RSA
  • Message Security Protocol – Military X.400. Sign, Encrypt, Hash
  • Pretty Good Privacy – uses IDEA and RSA instead

Digital Certificates

Contain specific identifying information; their construction is governed by an international standard (X.509), which covers the creation and validation of digital certificates. Who signs a digital certificate – someone vouching for the person, not the person. CRLs – Certificate Revocation Lists are maintained by the various certificate authorities and contain the serial numbers of certificates that have been issued by a CA and have been revoked, along with the date and time the revocation went into effect.

Hashing (300)

Hash algorithms (message digests) take input of any length and generate a fixed-length output. ATTACK HASH BY BRUTE FORCE and dictionary CRYPTANALYSIS. Basic technique – BRUTE FORCE will win with no constraints. Requirements for a HASH:

  • works on non-fixed length input
  • must be relatively easy to compute for any input
  • function must be one way
  • Most used are MD5 (Message Digest, 128 bits) and SHA (Secure Hash Algorithm, 160 bits)
  • MD5 – hashing algorithm. It also processes 512-bit blocks of the message, but it uses four distinct rounds of computation to produce a digest of the same length as the MD2 and MD algorithms (128 bits). MD5 has the same padding requirements as MD4: the message length must be 64 bits less than a multiple of 512 bits. MD5 implements additional security features that reduce the speed of message digest production significantly. Unfortunately, recent cryptanalytic attacks demonstrated that the MD5 protocol is subject to collisions, preventing its use for ensuring message integrity. It is possible to create two digital certificates from different public keys that have the same MD5 hash.
  • CRLs of a PKI environment hold serial numbers
  • SHA1 – was designed by NIST and NSA to be used in digital signatures. Standard is SHA3; most still use SHA
  • A root Certificate Authority (CA) must certify its own public key pair
  • Cross certification does not check the authenticity of the certificates in the certificate path
  • MD5 not good for securing passwords
  • Traffic analysis – inference of information from analysis of traffic
  • Traffic padding – generation of spurious data units
  • Collision – same message digest as a result of hashing
Cryptographic Attacks

  • Ciphertext Only – attacker sees only the ciphertext; one of the most difficult
  • Known Plaintext – attacker knows both the ciphertext and the plaintext
  • Chosen Plaintext – offline attack (attacker prepares a list of plaintexts): lunch box attack; online attack (attacker chooses the plaintext based on the ciphertext already received)
  • Chosen ciphertext – attacker chooses both the plaintext values and the ciphertext values; cherry picking, feed info and based on what you learned get the key
  • Birthday Attack – collisions appear much faster; birthdays match
  • POODLE – (Padding Oracle on Downgraded Legacy Encryption) attack helped force the movement from SSL 3.0 to TLS because it allowed attackers to easily access SSL encrypted messages.
  • CRIME/BEAST – earlier attacks against SSL
  • STUXNET – worm aimed at Iranian nuclear capability
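Why "collisions appear much faster" under a birthday attack, as an added example that is not from the study guide. It uses SHA-256 truncated to 24 bits as a constructed stand-in for a weak hash: finding a message that matches one given digest would take about 2^24 guesses, but finding any two messages that collide takes only about 1.18 * 2^12, because every new digest is compared against all the earlier ones. The same square-root effect is why a digital signature scheme needs a digest twice as long as the security level it claims.

```python
"""Birthday attack on a truncated hash.

Added example. SHA-256 truncated to `bits` bits stands in for a weak hash;
finding two inputs with the same short digest takes roughly sqrt(2^bits)
attempts, not 2^bits, because each new digest is compared against all
earlier ones (the birthday paradox).
"""
import hashlib


def short_digest(message: bytes, bits: int) -> int:
    """Constructed weak hash: the leading `bits` bits of SHA-256."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int = 24):
    """Return (m1, m2, attempts): two distinct messages with equal short digests.

    Messages are generated deterministically ("msg-0", "msg-1", ...) so the
    search is reproducible; the dictionary is the attacker's memory cost.
    """
    seen = {}
    attempts = 0
    while True:
        msg = b"msg-%d" % attempts
        attempts += 1
        d = short_digest(msg, bits)
        if d in seen:
            return seen[d], msg, attempts
        seen[d] = msg


def birthday_bound(bits: int) -> int:
    """Expected attempts for a 50% chance of a collision: about 1.18 * 2^(bits/2)."""
    return int(1.1774 * (2 ** (bits / 2)))


if __name__ == "__main__":
    m1, m2, n = find_collision(24)
    print(m1, m2, "collide after", n, "attempts; expected about", birthday_bound(24),
          "vs", 2 ** 24, "for a brute-force preimage")
```

Raising `bits` by two quadruples the brute-force effort but only doubles the collision search, which is the arithmetic behind retiring MD5 (128-bit digest, 64-bit collision resistance at best, far less after the attacks the note mentions) in favour of SHA-2 and SHA-3.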

Other things to know

  • Objects of sensitivity labels are: single classification and component set
  • ‘dominate’ in access control means access to higher or equal access class
  • Security perimeter = line between TCB and outside
  • Validating TCB = formal for system integrity

Digital Rights Management (298)

DRM uses encryption to enforce copyright restrictions on digital media. The DMCA serves to bring U.S. copyright law into compliance with the terms of two World Intellectual Property Organization (WIPO) treaties. The first major provision of the DMCA is the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder.

  • SKIP – is a distribution protocol
  • RC4 – is a stream cipher
  • RC5 and RC6 are block ciphers
  • FIPS 140 – hardware and software requirements

Applets

  • Applets – these code objects are sent from a server to a client to perform some action. In fact, applets are actually self-contained miniature programs that execute independently of the server that sent them.
  • Java applets – are simply short Java programs transmitted over the Internet to perform operations on a remote system.
  • ActiveX – controls are Microsoft’s answer to Sun’s Java applets. They operate in a similar fashion, but they are implemented using a variety of languages (C, C++, Java). There are two key distinctions between Java applets and ActiveX controls. First, ActiveX controls use proprietary Microsoft technology and, therefore, can execute only on systems running Microsoft browsers. Second, ActiveX controls are not subject to the sandbox restrictions placed on Java applets. They have full access to the Windows operating environment and can perform a number of privileged actions.

Network Layers OSI MODEL (347)

(later succeeded by TCP/IP)

HINT: All People Seem to Need Data Processing. It encapsulates data when going through the layers.

Application – layer 7 – C, AU, I, NR. FTP, SNMP, TELNET, TFTP, SMTP, HTTP, NNTP, CDP, GOPHER, SMB, NDS, AFP, SAP, NCP, SET, LDAP. Technology: Gateways. User data.

  • Secure HTTP, S-HTTP – encrypting HTTP documents. Also overtaken by SSL.
  • SSL, Secure Socket Layer – encryption technology to provide secure transactions like credit card number exchange. Two layered: SSL record protocol and handshake protocol. Same as SSH, it uses symmetric encryption for private connections and asymmetric or public key cryptography for peer authentication.
  • Secure Electronic Transaction (SET) – authentication for credit card transactions. Overtaken by SSL. Also uses a message authentication code for integrity checking.
  • Telnet – terminal emulation; enables a user to access resources on another machine. Port 23
  • FTP, File Transfer Protocol – for file transfers. Cannot execute remote files as programs. Authentication. Ports 20 and 21
  • TFTP, Trivial File Transfer Protocol – stripped down; can only send/receive but not browse directories. No authentication, thus insecure. Port 69
  • SMTP, Simple Mail Transfer Protocol – email queuing. Port 25
  • SNMP, Simple Network Management Protocol – collection of network information by polling the devices from a management station. Sends out alerts, called traps, to a database called Management Information Bases (MIBs)

Presentation – layer 6 – C, AU, Encryption. Translations like EBCDIC/ANSI; compression/decompression and encryption/decryption. Uses a common format to represent data. Standards like JPEG, TIFF, MID, HTML. Technology: Gateway. Messages.

Session – layer 5 – None. Inter-host communication; logical persistent connection between peer hosts, a conversation; simplex, half duplex, full duplex. Protocols such as NFS, SQL, RADIUS, and RPC. Protocols: PAP, PPTP, RPC. Technology: Gateway.

  • PAP – Password Authentication Protocol
  • PPTP – Point-to-Point Tunneling Protocol
  • RPC – Remote Procedure Call Protocol
  • NFS, Network File System – protocol that supports file sharing between two different file systems
  • NetBIOS –
  • SSL/TLS –

Network Layers OSI MODEL (cont.) (347)

Transport – layer 4 – C, AU, I. End-to-end data transfer services and reliability. Technology: Gateways. Segmentation, sequencing, and error checking at this layer. Datagrams. TCP Three-way Handshake – SYN, SYN/ACK, ACK. Protocols: TCP, UDP, SSL, SSH-2, SPX, NetBIOS, ATP

  • Secure Shell (SSH-2) – authentication, compression, confidentiality and integrity. Uses RSA certificates for authentication and triple DES for encryption
  • TCP, Transmission Control Protocol – reliable; sequences and works with acknowledgements. Provides a manageable data flow to avoid congestion, overloading and data loss. (Like having a telephone conversation with someone.) Connection oriented.
  • UDP, User Datagram Protocol – unreliable; scaled-down version of TCP, no error correction, no sequencing. Less overhead. (Like sending a letter to someone.) Connectionless.

Network – layer 3 – C, AU, I. Path selection and logical/network addressing. Technology: Virtual circuits (ATM), routers. Packets. Addressing – IP uses the destination IP to transmit packets through networks until delivered. Fragmentation – IP will subdivide a packet if its size is greater than the maximum allowed on a local network. Message routing, error detection and control of node data are managed. IP, IPSEC, ICMP, BGP, OSPF, RIP, BOOTP, DHCP, ZIP, DDP, X.25, NAT and IGMP

  • OSPF, Open Shortest Path First – routing protocol, shortest path
  • SKIP, Simple Key Management for Internet Protocols – provides high availability in encrypted sessions to protect against crashes. Exchanges keys on a session by session basis.
  • ARP, Address Resolution Protocol – used to match an IP address to a hardware MAC address. ARP sends out a broadcast for a network node to reply with its hardware address. It stores the address in a dynamic table for the duration of the session, so ARP requests are only sent the first time.
  • ICMP, Internet Control Message Protocol – sends messages between network nodes regarding the health of the network. Also informs about rerouting in case of errors. The utility PING uses ICMP messages to check physical connectivity of the network machines.
  • IPX, AppleTalk, and NetBEUI are non-IP protocols.
  • IP, Internet Protocol – all hosts have an IP address. Each data packet has the IP address of sender and recipient. Routing in the network is based upon these addresses. The datagram service is considered unreliable because there’s no guarantee that the packet will be delivered, not even that it’s delivered only once, and no guarantee that it’s delivered in the same sequence that it’s sent. 32 bits long; IPv6 is 128 bits long.
  • DHCP: Dynamic Host Configuration Protocol
  • BootP, Bootstrap Protocol – when a wireless workstation comes online it sends out a BootP request with its MAC address to get an IP address and the file from which it should boot. Replaced by DHCP.

Network Layers OSI MODEL (cont.) (347)

Data Link – layer 2 – C. This layer deals with addressing physical hardware. FRAMES. Translates data into bits and formats them into data frames with destination header and source address. Error detection via checksums.

  • LLC, the Logical Link Control sublayer – flow control and error notification
  • MAC, the Media Access Control sublayer – physical addressing. Concerns frames, logical topologies and MAC addresses
  • Protocols: L2F, PPTP, L2TP, PPP, SLIP, ARP, RARP, SLARP, IARP, SNAP, BAP, CHAP, LCP, LZS, MLP, Frame Relay, Annex A, Annex D, HDLC, BPDU, LAPD, ISL, MAC, Ethernet, Token Ring, FDDI
  • RARP, Reverse Address Resolution Protocol – when a hardware address is known but the IP address has to be found (like a diskless machine)
  • Switches, bridges, hardware addressing

Physical – layer 1 – C. Physical signaling. Converts bits into voltages or light impulses. Electrical, hardware and software drivers are on this level. It sends and receives bits. Repeaters, hubs, cables, USB, DSL, ISDN, ATM. Physical topologies: BUS, MESH, STAR, TREE, RING

Network layers TCP/IP Model (353)

Developed by the Department of Defense in the 1970s to support the construction of the internet. HINT: AHIN

  • Application – layer 4 (Application/Presentation/Session). Applications and processes that use the network
  • Host-to-Host – layer 3 (Transport). End-to-end data delivery. Protocols: TCP and UDP
  • Internet – layer 2 (corresponds to the OSI network layer). Defines the IP datagram and handles routing of data across networks. Protocols: IP, ARP, RARP, ICMP
  • Network access – layer 1 (Data link, Physical). Routines for accessing physical networks and the electrical connection

LPD, Line printer daemon – for printing and spooling. X Windows – graphical user interface

Security Modes (used in MAC)

Dedicated security mode :

  • All users can access all data.
  • Clearance for all information.
  • Need to know for ALL data

System high security mode:

  • All users can access some data , based on need to know
  • Clearance for all information
  • Need to know for SOME data

Compartmented security mode:

  • All users can access some data , based on their need to know and approval.
  • Clearance for all information they access
  • Need to know for SOME data
  • Use of information labels

Multi-level:

  • All users can access some data , based on their need to know, approval and clearance.
  • Clearance for all information they access
  • Need to know for SOME data

Others:

  • Controlled – type of multilevel security where a limited amount of trust is placed in the system’s hardware/software along with classification
  • Limited access – minimum user clearance is not cleared and the maximum data classification is unclassified but sensitive

Firewalls

A method of guarding a private network by analyzing the data leaving and entering. Firewalls can also provide network address translation, so the IP addresses of computers inside the firewall stay hidden from view. Although firewalls are difficult to configure correctly, they are a critical component of network security.

  • Packet-filtering firewalls (layer 3/4) – use rules based on a packet’s source, destination, port or other basic information to determine whether or not to allow it into the network.
  • Stateful packet filtering firewalls (layer 7) – have access to information such as the conversation; look at a state table and the context of packets from which to make their decisions.
  • Application proxy firewalls (layer 7) (3-7 actually) – which look at content and can involve authentication and encryption; can be more flexible and secure but also tend to be far slower.
  • Circuit level proxy (layer 5) – looks at the header of the packet only; protects a wider range of protocols and services than an app-level proxy, but not as detailed a level of control. Basically once the circuit is allowed all info is tunneled between the parties.
  • SPF, Static Packet Firewall (layer 3) –
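The difference between a packet filter and a stateful filter, shown as an added example that is not from the study guide; the rule set, addresses and packets are constructed. A stateless filter judges every packet by its header fields alone, so for web replies to get back in it needs a standing rule that admits anything from source port 80, and that rule also admits unsolicited traffic aimed at any inside host. The stateful filter records each outbound connection it sees and admits only packets that answer one of them.

```python
"""Stateless packet filtering beside stateful inspection.

Added example, not from the study guide. Rules and packets are constructed.
A stateless filter judges each packet only by its header fields, so letting
replies back in requires a standing "allow from port 80" rule that also admits
unsolicited traffic. A stateful filter records the outbound connection and
admits only packets that belong to it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


INSIDE = "10.0.0.0/8"  # constructed: the protected network

# Stateless rule set: (action, src, dst, sport, dport); "*" matches anything.
# The second rule is the hole a stateless filter needs so that web replies get back in.
STATELESS_RULES = [
    ("allow", INSIDE, "*", "*", 80),
    ("allow", "*", INSIDE, 80, "*"),
]


def _match(pattern, value):
    """Tiny matcher: wildcard, a /8 prefix (first octet), or an exact value."""
    if pattern == "*":
        return True
    if isinstance(pattern, str) and pattern.endswith("/8"):
        return value.split(".")[0] == pattern.split(".")[0]
    return pattern == value


def stateless_filter(pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for action, src, dst, sport, dport in STATELESS_RULES:
        if (_match(src, pkt.src) and _match(dst, pkt.dst)
                and _match(sport, pkt.sport) and _match(dport, pkt.dport)):
            return action
    return "deny"


class StatefulFilter:
    """Allows outbound connections from the inside and only their return traffic."""

    def __init__(self):
        self.table = set()  # (inside host, inside port, outside host, outside port)

    def decide(self, pkt: Packet) -> str:
        if _match(INSIDE, pkt.src) and pkt.syn:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"  # reply to a connection we saw leave
        return "deny"


def demo():
    """Constructed traffic: one real web session and one unsolicited inbound packet."""
    out = Packet("10.0.0.5", "203.0.113.10", 51000, 80, syn=True)
    reply = Packet("203.0.113.10", "10.0.0.5", 80, 51000)
    rogue = Packet("203.0.113.10", "10.0.0.7", 80, 4444)  # nobody inside asked for this
    sf = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in (out, reply, rogue)],
        "stateful": [sf.decide(p) for p in (out, reply, rogue)],
    }


if __name__ == "__main__":
    for kind, verdicts in demo().items():
        print(kind, "->", dict(zip(("outbound", "reply", "rogue"), verdicts)))
```

The state table is also why the note places stateful filtering higher than layer 3/4: the decision depends on what the firewall remembers about the conversation, not only on the fields in the packet in front of it, and entries must be expired or the table itself becomes a resource-exhaustion target.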

Wireless (364)

IEEE 802.15 is the standard for Bluetooth. IEEE 802.3 defines Ethernet, 802.11 defines wireless networking, and 802.20 defines LTE.

Amendment   Speed       Freq.          Range   Modulation   Compatible
802.11      2 Mbps      2.4 GHz        -       FHSS/DSSS    -
802.11a     54 Mbps     5 GHz          150     OFDM         a
802.11b     11 Mbps     2.4 GHz        300     DSSS         b/g/n
802.11g     54 Mbps     2.4 GHz        300     -            b/g/n
802.11n     200+ Mbps   2.4 or 5 GHz   300     -            a/b/g
802.11ac    1 Gbps      5 GHz          300     -            a/b/g

802.16 – IEEE 802 WBA

802.11i – AES CCMP – WPA

Security Enhancement Protocols

  • TELNET: Remote terminal access and Secure Telnet
  • REMOTE PROCEDURE CALL: Secure remote procedure call (SRA)
  • SSH – Secure Shell over Telnet for remote server administration via the command line

Terms

  • Broadband Technologies – ISDN, cable modems, DSL, and T1/T3 lines that can support multiple simultaneous signals. They are analog and not broadcast technologies.
  • Broadcast Domain – set of systems that can receive a broadcast from each other
  • CHAP – Challenge-Handshake Authentication Protocol, used by PPP servers to authenticate remote clients. Encrypts username and PW and performs periodic re-authentication while connected, using techniques to prevent replay attacks.
  • CIR – (Committed Information Rate) minimum bandwidth guarantee provided by a service provider to customers
  • Collision Domain – set of systems that could cause a collision if they transmitted at the same time; a greater number of systems in the domain increases the likelihood of network congestion due to more collisions
  • Data Streams – occur at the Application, Presentation, and Session layers.
  • EAP, Extensible Authentication Protocol – an authentication framework. Effectively, EAP allows new authentication technologies to be compatible with existing wireless or point-to-point connection technologies; “extensible” was used for PPP connections
  • FCoE – Fiber Channel over Ethernet, allows existing high-speed networks to be used to carry storage traffic
  • FDDI – Fiber Distributed Data Interface, token-passing network that uses a pair of rings with traffic flowing in opposite directions; uses tokens
  • FTP – File Transfer Protocol
  • Gateway – translates between protocols
  • ICMP – Internet Control Message Protocol, means to send error messages for non-transient error conditions and provides a way to probe the network in order to determine general characteristics about the network; ping
  • iSCSI – Internet Small Computer System Interface, converged protocol that allows location-independent file services over traditional network technologies. Costs less than Fiber. Standard for linking data storage sites
  • ISDN – PRI (Primary Rate Interface) bandwidth of 1.544 Mbps, faster than BRI’s 144 Kbps
  • MAC – Machine Access Control, hardware address of the machine; can tell the manufacturer
  • Multilayer Protocols – allow encryption at various layers; support a range of protocols at higher levels. Bad – conceal covert channels, filters can be bypassed, sometimes logical boundaries can be bypassed
  • MPLS – Multiprotocol Label Switching, high performance networking; uses path labels instead of network addresses; wide area networking protocol; label switching; finds the final destination and then labels the route for others to follow
  • PAP – Password Authentication Protocol, sends the PW unencrypted
  • PEAP – provides encryption for EAP methods and can provide authentication; does not implement CCMP; encapsulates EAP in a TLS tunnel
  • Port Based Authentication – 802.1x, can be used with EAP
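How CHAP keeps the password off the wire and resists replay, contrasted with PAP in the entries above, as an added example that is not part of the study guide. Both sides of the exchange are written out: the server issues a fresh random challenge, the client answers with the RFC 1994 response value MD5(Identifier || secret || Challenge), and the server recomputes it from its own copy of the secret. The shared secret, user name and traffic are constructed; the replay step shows that a captured response is useless against the next challenge, which is what makes the periodic re-authentication in the note safe.

```python
"""CHAP challenge/response exchange, both sides, as in RFC 1994.

Added example, not from the study guide. The shared secret and challenge are
constructed. The password never crosses the link: the client proves knowledge
of it by hashing identifier || secret || challenge, and because the server
issues a fresh random challenge each time, a captured response cannot be
replayed against a later challenge.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues challenges and checks responses."""

    def __init__(self, secrets: dict):
        self.secrets = secrets  # username -> shared secret (constructed)
        self.pending = {}  # identifier -> challenge currently outstanding

    def challenge(self, identifier: int, rng=os.urandom) -> bytes:
        """Step 1: send a fresh, unpredictable challenge (16 random bytes)."""
        chal = rng(16)
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the expected response; compare in constant time.

        The outstanding challenge is consumed whether or not the check passes,
        so a response can only ever be tried once against a given challenge.
        """
        chal = self.pending.pop(identifier, None)
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], chal)
        return hmac.compare_digest(expected, response)


def demo():
    """Genuine login followed by a replay of the captured response."""
    secret = b"correct horse battery staple"  # constructed shared secret
    server = ChapServer({"alice": secret})
    # Step 2 (client): answer the challenge it was actually given.
    chal = server.challenge(identifier=1)
    resp = chap_response(1, secret, chal)
    first_ok = server.verify(1, "alice", resp)
    # Re-authentication: a new challenge is issued; an eavesdropper resends the old response.
    server.challenge(identifier=1)
    replay_ok = server.verify(1, "alice", resp)
    return first_ok, replay_ok


if __name__ == "__main__":
    print("genuine login:", demo()[0], "| replayed response:", demo()[1])
```

CHAP still requires the server to hold the secret in a reversible form so that it can recompute the hash, and MD5 offers no protection against an offline dictionary attack on a captured challenge/response pair, which is why the note pairs it with EAP and TLS-tunnelled methods such as PEAP for anything beyond a point-to-point link.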

Terms (Cont)

PPP – Point-to-Point Protocol, the most common dial-up protocol; replaced SLIP.
Proxy – a form of gateway that provides clients with filtering, caching, or other services that protect their information from remote systems.
PVCs – Permanent Virtual Circuits, pre-established logical paths through a packet-switched network.
RST flag – used to reset or disconnect a TCP session; the session is resumed by restarting the connection via a new three-way handshake.
Converged Network – carries multiple types of traffic such as voice, video, and data.
SDN – Software-Defined Networking, the network is defined and configured as code or software, so it can be changed quickly based on organizational requirements.
Hypervisor-based Network – may be software defined, but could also use traditional network devices running as virtual machines.
SSID – SSID broadcast is normally disabled for secure networks. This hides the network name from casual discovery only; it is not a security control, since the SSID is still visible in client traffic.
Site Survey – identifies areas where the wireless network may be accessible.
SONET – protocol for sending multiple optical streams over fiber.
Subnet – logical division of a network.
Supernet – made up of two or more networks aggregated into one larger prefix.
UDP – User Datagram Protocol, lightweight service for connectionless data transfer without error detection and correction.
WAF – Web Application Firewall.
Wired Extension Mode – uses a WAP to link wireless clients to a wired network.
AMP – Asymmetric Multiprocessing, used in dedicated applications such as embedded systems, where individual processors can be dedicated to specific tasks at design time.
SMP – Symmetric Multiprocessing, hardware and software architecture where two or more identical processors are connected to a single shared main memory, have full access to all I/O devices, and are controlled by a single operating system instance that treats all processors equally, reserving none for special purposes.

Attacks, Malware, and Bad Stuff

ARP Spoofing – attacker sends forged ARP replies so that a victim's ARP cache maps another host's IP address (often the default gateway) to the attacker's MAC address, letting the attacker intercept or modify LAN traffic (man-in-the-middle).
Bluejacking – attackers send unsolicited messages via Bluetooth.
Bluesnarfing – targets the data or information on Bluetooth-enabled devices.
CAIN Attack –
DNS Spoofing – attacker sends false replies to a requesting system, beating the valid replies from the real DNS server.
DNS Poisoning – attacker changes the domain name to IP address mappings (cache) of a system to redirect traffic to alternative systems.
RDP – provides terminal sessions w/out
Screenscraper – copies the actual screen; a subset of remote control.
SPIT attacks – Spam over Internet Telephony, targets VoIP systems.
Things to Know: Nikto, Burp Suite, Wapiti – web application vulnerability scanners.

Network Attacks – Denial of Service

Used to overwhelm a target's resources:

  • Filling up a hard drive by using huge email attachments or file transfers
  • Sending messages (e.g. ICMP address mask replies) that reset a target host's subnet mask
  • Using up all system resources

DOS – performed by sending malformed packets to a system; can interrupt service or completely deny legitimate users system resources. An attack that attempts to prevent authorized use of a resource, through flaw exploitation, connection overloading, or traffic flooding.
DDOS – botnet / zombies; a massive DoS attack using multiple computers.
SMURF – ICMP; requires three players (attacker, victim and amplifying network). The attacker spoofs the packet header so the echo request appears to originate from the victim and sends it to the amplifying network's broadcast address; every host on that network replies to the victim. Countermeasures – disable directed broadcast at border routers; border routers should not accept inbound packets that claim to originate within the network; restrict ICMP traffic. (Hint: IC = It's Smurf, though spelled wrong.)
FRAGGLE – similar to Smurf but uses UDP (echo, port 7, and chargen, port 19). Countermeasures – disable directed broadcast at border routers; border routers should not accept inbound packets that originate within the network; restrict UDP traffic; employ IDS; apply appropriate patches; block UDP ports 7 and 19 from entering the network.
LAND Attack – sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination. A vulnerable machine replies to itself continuously.
SYN FLOOD – TCP packets requesting a connection (SYN bit set) are sent to the target with a spoofed source address. The target responds with a SYN-ACK, but the spoofed source never replies, so the backlog of half-open connections fills while they wait to time out and the system crashes or becomes unusable. Counter: SYN cookies or SYN proxies, where connection state is only created once the third step of the handshake arrives.
TEARDROP – the length and fragmentation offset fields of sequential IP fragments are modified so that they overlap, confusing the target's IP reassembly code and crashing it. Uses fragmented packets to target a flaw in how the IP stack reassembles them.

Common Session Hijacking Attacks:
Session hijacking (Spoofing) – IP spoofing involves altering a TCP packet so that it appears to come from a known, trusted source, giving the attacker access to the network. Also done by intercepting session cookies from a request header.
TCP sequence number attack – the intruder tricks the target into believing it is connected to a trusted host and then hijacks the session by predicting the target's choice of initial TCP sequence number.
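The signatures above (LAND, Smurf, Fraggle, SYN flood) and the border-router countermeasure, as an added example that is not from the guide: a small detector run over a constructed packet trace. The packet records, the addresses, the directed-broadcast address and the half-open threshold are assumptions chosen for the demo; real input would be decoded from a capture.

```python
"""Added example (not from the guide): recognise the DoS signatures described above in a
packet trace, and apply the border-router (anti-spoofing) countermeasure. The packets are
dicts constructed inline for the demo; in practice they would be decoded from a capture.
Addresses, ports and the threshold are assumptions."""
from collections import defaultdict
from typing import Dict, List

INTERNAL_PREFIX = "10.0.0."      # assumed: the protected network
DIRECTED_BCAST = "10.0.0.255"    # assumed: its directed-broadcast address
HALF_OPEN_THRESHOLD = 3          # assumed: half-open connections from one source before alerting


def signature(p: Dict) -> List[str]:
    """Per-packet signatures: LAND (SYN with src == dst and sport == dport),
    Smurf (ICMP echo request to a broadcast address), Fraggle (UDP to echo/chargen on broadcast)."""
    hits = []
    if (p["proto"] == "tcp" and "S" in p["flags"]
            and p["src"] == p["dst"] and p["sport"] == p["dport"]):
        hits.append("LAND")
    if p["proto"] == "icmp" and p["type"] == 8 and p["dst"] == DIRECTED_BCAST:
        hits.append("SMURF")
    if p["proto"] == "udp" and p["dst"] == DIRECTED_BCAST and p["dport"] in (7, 19):
        hits.append("FRAGGLE")
    return hits


def syn_flood_sources(packets: List[Dict]) -> Dict[str, int]:
    """SYN flood: count half-open connections per source. A SYN opens an entry; the client's
    ACK that completes the handshake closes it. Spoofed sources never send that ACK."""
    half_open = defaultdict(set)
    for p in packets:
        if p["proto"] != "tcp" or p["dir"] != "in":
            continue
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            half_open[p["src"]].add(flow)
        elif "A" in p["flags"]:
            half_open[p["src"]].discard(flow)
    return {src: len(f) for src, f in half_open.items() if len(f) >= HALF_OPEN_THRESHOLD}


def dropped_at_border(p: Dict) -> bool:
    """Countermeasure from the notes: an inbound packet whose source claims to be inside
    the network is spoofed and must not be accepted by the border router."""
    return p["dir"] == "in" and p["src"].startswith(INTERNAL_PREFIX)


def build_trace() -> List[Dict]:
    """Constructed trace: one LAND, one Smurf and one Fraggle packet (all with a spoofed
    internal source), a spoofed-source SYN flood, and one legitimate completed handshake."""
    t = [
        {"dir": "in", "proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.5", "sport": 80, "dport": 80, "flags": "S"},
        {"dir": "in", "proto": "icmp", "src": "10.0.0.5", "dst": DIRECTED_BCAST, "type": 8},
        {"dir": "in", "proto": "udp", "src": "10.0.0.5", "dst": DIRECTED_BCAST, "sport": 7, "dport": 19},
    ]
    for i in range(5):
        t.append({"dir": "in", "proto": "tcp", "src": "198.51.100.9", "dst": "10.0.0.5",
                  "sport": 40000 + i, "dport": 443, "flags": "S"})
    t += [
        {"dir": "in", "proto": "tcp", "src": "203.0.113.7", "dst": "10.0.0.5", "sport": 5555, "dport": 443, "flags": "S"},
        {"dir": "out", "proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.7", "sport": 443, "dport": 5555, "flags": "SA"},
        {"dir": "in", "proto": "tcp", "src": "203.0.113.7", "dst": "10.0.0.5", "sport": 5555, "dport": 443, "flags": "A"},
    ]
    return t


def analyze(packets: List[Dict]) -> Dict:
    counts = defaultdict(int)
    for p in packets:
        for s in signature(p):
            counts[s] += 1
    return {
        "signatures": dict(counts),
        "syn_flood_sources": syn_flood_sources(packets),
        "dropped_at_border": sum(dropped_at_border(p) for p in packets),
    }
```

The legitimate client (203.0.113.7) opens a half-open entry and then closes it with its ACK, so it is never flagged, while the spoofed source accumulates entries it can never complete. The anti-spoofing rule alone stops the three spoofed-internal-source packets before any signature logic runs.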

Packet switching technologies

X.25 – defines point-to-point communication between Data Terminal Equipment (DTE) and Data Circuit-terminating Equipment (DCE).
Link Access Procedure-Balanced (LAPB) – created for use with X.25. LAPB defines frame types and is capable of retransmitting, exchanging and acknowledging frames, and of detecting out-of-sequence or missing frames.
Frame Relay – high-performance WAN protocol designed for use across ISDN interfaces. Fast but has no error correction; supports multiple PVCs (unlike X.25); packet-switched technology that provides a CIR; requires DTE/DCE at each connection point.
Switched Multimegabit Data Service (SMDS) – high-speed communication over public switched networks for exchanging bursts of data between enterprises.
Asynchronous Transfer Mode (ATM) – very high bandwidth. Uses 53-byte fixed-size cells instead of variable-length frames like Ethernet. Can allocate bandwidth on demand, making it a solution for bursty applications. Usually run over fiber optics.
Voice over IP (VoIP) – carries voice as data over the same IP network as everything else, so many traffic types share one infrastructure. Cost, interoperability and performance are its major benefits.

Other important WAN protocols

Synchronous Data Link Control (SDLC) – created by IBM for mainframes to connect to their remote offices. Uses a polling media access method. Works with dedicated leased lines that are permanently up. Data Link layer of the OSI model.
High-level Data Link Control (HDLC) – extension to SDLC, also for mainframes. Uses data encapsulation on synchronous serial links using frame characters and checksums. Also Data Link layer.
High Speed Serial Interface (HSSI) – defines the electrical and physical interfaces to use for DTE/DCE communications. Physical layer of OSI.

LAN Cables (378)

Twisted pair – shielded (STP) or unshielded (UTP). Cat 3 = 10BaseT, Cat 5 = 100BaseT.
Coaxial – more EMI resistant than twisted pair. Baseband: only one single channel; Broadband: multiple signal types like data, video, audio.
Fiber optic – most expensive, but hard to tap and resistant to EMI.

Firewalls (376)

TYPES

First generation – (static) packet filtering firewall, AKA screening router. Examines the source/destination address, protocol and ports of each incoming packet; based on ACLs, access is denied or accepted. Operates at the Network or Transport layer of OSI.
Second generation – application level firewall, AKA proxy server. Relays the data stream to the other network on the client's behalf, masking the data's origin. Operates at the Application layer of OSI.
Third generation – stateful inspection firewall (also known as dynamic). Packets are inspected at the Network layer, so it is faster than a proxy. By examining the state and context of packets it keeps a connection table, which also lets it track connectionless protocols like UDP and RPC. Can analyze all OSI layers.
Fourth generation – dynamic packet filtering firewall. Enables modification of the firewall rules on the fly. Provides limited support for UDP by remembering UDP packets across the network.
Fifth generation – kernel proxy firewall / application level firewall. Runs in the Windows NT kernel, modular, kernel based, multilayer session evaluation. Uses dynamic TCP/IP stacks to inspect network packets and enforce security policies.
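The difference between the first and third generation, as an added example that is not from the guide: a stateless ACL beside a stateful inspection filter, both run over the same constructed packet sequence. The hosts, ports and the ACL rule are assumptions chosen to expose the weakness of static filtering (an inbound packet with only the ACK bit set passes a static "established" rule) and its blind spot for UDP replies.

```python
"""Added example (not from the guide): a first-generation stateless packet filter beside
a third-generation stateful inspection filter, run over a constructed packet sequence.
Addresses, ports and the ACL are assumptions chosen to show the difference."""
from typing import Dict, List, Set, Tuple

INSIDE = "10.0.0.10"        # assumed protected host
SERVER = "203.0.113.5"      # assumed external web server
RESOLVER = "203.0.113.53"   # assumed external DNS resolver
ATTACKER = "198.51.100.66"  # assumed external attacker

Flow = Tuple[str, int, str, int]


def stateless_filter(p: Dict) -> bool:
    """Static ACL (screening router). It cannot know whether an inbound packet belongs to a
    connection, so the classic rule 'permit inbound TCP if ACK is set' stands in for
    'established'. Anything with ACK set gets through, and UDP replies cannot be matched at all."""
    if p["dir"] == "out":
        return True
    return p["proto"] == "tcp" and "A" in p["flags"]


class StatefulFilter:
    """Keeps a state table of flows initiated from inside; inbound packets are allowed only
    when they match an existing entry. UDP gets a pseudo-connection entry on the first
    outbound datagram, which is how stateful inspection 'tracks' connectionless protocols."""

    def __init__(self) -> None:
        self.table: Set[Flow] = set()

    def allow(self, p: Dict) -> bool:
        if p["dir"] == "out":
            self.table.add((p["src"], p["sport"], p["dst"], p["dport"]))
            return True
        reverse: Flow = (p["dst"], p["dport"], p["src"], p["sport"])
        if reverse not in self.table:
            return False                      # no matching outbound flow: drop
        if p["proto"] == "tcp" and ("R" in p["flags"] or "F" in p["flags"]):
            self.table.discard(reverse)       # connection torn down: forget the state
        return True


def run_demo() -> List[Tuple[str, bool, bool]]:
    """Returns (description, stateless decision, stateful decision) for each constructed packet."""
    trace = [
        ("outbound SYN to web server",
         {"dir": "out", "proto": "tcp", "src": INSIDE, "sport": 50000, "dst": SERVER, "dport": 443, "flags": "S"}),
        ("SYN-ACK reply from web server",
         {"dir": "in", "proto": "tcp", "src": SERVER, "sport": 443, "dst": INSIDE, "dport": 50000, "flags": "SA"}),
        ("attacker ACK probe to RDP",
         {"dir": "in", "proto": "tcp", "src": ATTACKER, "sport": 12345, "dst": INSIDE, "dport": 3389, "flags": "A"}),
        ("attacker SYN to RDP",
         {"dir": "in", "proto": "tcp", "src": ATTACKER, "sport": 12345, "dst": INSIDE, "dport": 3389, "flags": "S"}),
        ("outbound DNS query",
         {"dir": "out", "proto": "udp", "src": INSIDE, "sport": 53001, "dst": RESOLVER, "dport": 53}),
        ("DNS reply",
         {"dir": "in", "proto": "udp", "src": RESOLVER, "sport": 53, "dst": INSIDE, "dport": 53001}),
    ]
    stateful = StatefulFilter()
    return [(desc, stateless_filter(p), stateful.allow(p)) for desc, p in trace]
```

The two filters agree on the legitimate handshake and on the attacker's SYN, but the stateless ACL lets the attacker's ACK-only probe through (an ACK scan passes it) and blocks the DNS reply, while the stateful filter does the opposite in both cases because it remembers which flows the inside host started.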

Firewall architecture (377)

Packet filtering routers – sit between the trusted and untrusted networks, sometimes used as a boundary router. Use ACLs. Protect against standard generic external attacks. No user authentication, minimal auditing.
Screened-host firewall system – has both a packet-filtering router and a bastion host. Provides both network layer (packet filtering) and application layer (proxy) protection.
Dual-homed host firewall – a host with two NICs, one connected to the trusted and one to the untrusted network. Can thus be used as a translator between two network types such as Ethernet and Token Ring. Internal routing (IP forwarding) must be disabled so that data cannot bypass inspection.
Screened-subnet firewall – additionally defines a De-Militarized Zone (DMZ): a small network between the trusted and untrusted networks.
SOCKS firewall – every workstation runs SOCKS client software, which reduces overhead on the firewall.
Tiers – a design that separates distinct protected zones; the zones can be protected by a single firewall that has multiple interfaces.

Access Control Methodologies Remote Access

Authentication Systems (390)

Centralized access control
CALLBACK – the system calls the user back at a specific, pre-registered number ("somewhere you are"); danger if the user can forward the number.
CHAP (part of PPP) – challenge/response; the password is not sent over the link.
XTACACS – separates the authentication, authorization and accounting processes.
TACACS+ – stronger through the use of tokens (two-factor).
Terminal Access Controller Access Control System (TACACS) – user passwords are administered in a central database instead of on individual routers. A network device prompts the user for a username and static password, then queries a TACACS server to verify the password. TACACS does not support prompting for a password change or the use of dynamic password tokens. Port 49: user-id and static password for network access (original TACACS over UDP; TACACS+ over TCP).
TACACS+ – enhanced version with two-factor authentication, the ability to change the user password, the ability to resynchronize security tokens, and better audit trails and session accounting. Encrypts the whole packet body, not only the password.
Remote Authentication Dial-In User Service (RADIUS) – client/server protocol, often contrasted with TACACS+. Clients (network access servers) send their authentication requests to a central RADIUS server that holds all of the user authentication data and network ACLs. RADIUS does not provide two-way authentication, so it is not used for router-to-router authentication. UDP port 1812 for authentication (1813 for accounting). Contains dynamic password and network service access information (network ACLs). NOT an SSO solution. Only the password attribute is hidden, XORed with an MD5 stream derived from the shared secret and the request authenticator; the rest of the packet is in the clear. Default transport is UDP; RADIUS over TLS (TCP) can be used to encrypt the whole exchange. Remote connectivity via dial-in: the user dials in to an access server, the access server prompts for credentials, the user enters them and the access server forwards them to the RADIUS server, which accepts or rejects. The user can connect to any network access server, which then passes the user's credentials to the RADIUS server to verify authentication and authorization and to track accounting. In this context the network access server is the RADIUS client and the RADIUS server acts as the authentication server. The RADIUS server also provides AAA services for multiple remote access servers.
DIAMETER – successor to RADIUS for remote connectivity over phone, wireless, mobile IP, etc.; more secure than RADIUS (reliable transport, TLS/IPsec). Cordless phone signals are rarely encrypted and are easily monitored.
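How RADIUS "encrypts" the password, as an added example that is not from the guide: the User-Password hiding of RFC 2865 section 5.2 implemented in Python, with its inverse and an offline guess of a weak shared secret against a captured Access-Request. The secret, password, authenticator and candidate wordlist are constructed for the demo.

```python
"""Added example (not from the guide): RADIUS User-Password hiding (RFC 2865 section 5.2)
and why it is weaker than 'encrypted'. Secret, password and authenticator values are
constructed for the demo."""
import hashlib
import os
from typing import List, Optional, Tuple


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_{i-1}). Password is null-padded to a
    multiple of 16 bytes; RA is the 16-byte random Request Authenticator of the packet."""
    if not (1 <= len(password) <= 128) or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password.ljust(((len(password) + 15) // 16) * 16, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse: the keystream for block i depends only on the secret and the previous
    ciphertext block, both of which the server (or an eavesdropper with the secret) has."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def guess_secret(hidden: bytes, authenticator: bytes,
                 candidates: List[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """Offline attack on a captured Access-Request: RA and the hidden attribute are on the
    wire in the clear, so a guessable shared secret yields the password. Heuristic (assumed):
    the right secret decodes to printable ASCII followed only by null padding."""
    for secret in candidates:
        plain = radius_unhide_password(hidden, secret, authenticator)
        if plain and all(32 <= b < 127 for b in plain):
            return secret, plain
    return None


def access_request_roundtrip(password: bytes, secret: bytes) -> bool:
    """What the NAS and server do: a fresh random RA per request, hide, then unhide."""
    ra = os.urandom(16)
    return radius_unhide_password(radius_hide_password(password, secret, ra), secret, ra) == password
```

Because the keystream is MD5(secret || authenticator), confidentiality of the password reduces entirely to the strength of the shared secret; nothing else in the packet (username, NAS identifier, attributes) is protected at all, which is why RADIUS over TLS or an IPsec tunnel is used when the path between NAS and server is not trusted.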

Remote Access Technologies (390)

Asynchronous Dial-Up Access – the traditional way of connecting to the Internet: a modem over the public switched telephone network to reach an ISP.
Integrated Services Digital Network (ISDN) – communication protocol that permits a telephone line to carry data, voice and other source traffic. Two types: Basic Rate Interface (BRI) and Primary Rate Interface (PRI).
xDSL – uses regular telephone lines for high-speed digital access.
Cable Modems – via a single shared coaxial cable; insecure because the shared segment is not filtered or firewalled, so neighbors' traffic can be observed.