Admin Data
Emergency Exits
Breaks
Phones
Other Admin Data
Introduction
Instructor
What is this class going to provide me?
What should I expect to get out of this class?
Class Structure
Broken up into 12 parts
Part 1: introduction
Parts 2-11: will be the domains
Part 12: will be examples of types of questions you might see.
THESE ARE NOT copies of the questions from the exam
What is (ISC)²?
(ISC)²
International Information Systems Security Certification Consortium
Non-profit organization which specializes in information security
education and certifications
Often described as the world's largest IT security organization
Based in Palm Harbor, Florida, USA
Offices in London, Tokyo, Hong Kong, Vienna, Virginia
Over 85,000 certified professionals in 135 countries
http://www.isc2.org
What is CISSP?
Security Consultant
Security Manager
IT Director/Manager
Security Auditor
Security Architect
Security Analyst
Security Systems Engineer
Chief Information Security Officer
Director of Security
Network Architect
CISSP EXAM
The CISSP exam
250 questions
6 hours
To pass must get 700 points out of 1000
BE ON TIME!!!!!!
Bring admission letter
Must have government issued Photo ID
Bring pencil and eraser
~$500
ENDORSEMENT PROCESS
What is needed for the Endorsement Process
Provide a recent resume
Complete the Examination Registration Form
Submit a completed and executed Endorsement Form
MAINTENANCE REQUIREMENTS
To maintain the CISSP certification and remain in good standing with
(ISC)², you are required to:
Pay the Annual Maintenance Fee (AMF) of $85 USD at the end of
each certification year
Earn and submit 120 credits over three years. A minimum of 20 CPEs
must be posted during each year of the three year certification cycle
THE DOMAINS
Access Control
Business Continuity and Disaster Recovery Planning
Cryptography
Information Security Governance and Risk Management
Legal, Regulations, Investigations, and Compliance
Operations Security
Physical (Environmental) Security
Security Architecture and Design
Software Development Security
Telecommunications and Network Security
Golden Rule
For those who don't have the experience, there is the Systems Security
Certified Practitioner (SSCP)
Only need 1 year of experience
Domains covered:
Access Controls
Cryptography
Malicious Code and Activity
Monitoring and Analysis
Networks and Communications
Risk, Response and Recovery
Security Operations and Administration
Access Control
Domain Objectives
Access Control
Is the basic foundation of information security
Implemented differently depending on whether the area of
implementation is physical, technical or administrative.
Categories include:
Preventive
Detective
Corrective
Deterrent
Recovery
Directive
Compensating
Often used in combination
Access Control
A comprehensive threat analysis will identify the areas that will provide
the greatest cost-benefit impact.
The field of access control is constantly evolving. Organizations need to
know what is available and what methods will best address their issues.
Data and system access control are NOT the same. A user might have
access to a system but not to the data. Think need-to-know.
Access control assurance addresses the due diligence aspect of
security.
Implementing a control is part of due care, but due diligence involves
regularly checking to ensure that the control is working as expected.
Domain Objectives
Basic Requirements
Security: ensure only authorized users and processes are able to access or
modify
Reliability: ensure control mechanisms work as expected, every time
Transparency: have minimal impact on the ability of authorized users to
interface with the system and do their job
Scalability: should be able to handle a wide range of changing systems and
user load without compromising system performance
Maintainability: if too time-consuming or complicated, admins may not keep
them up to date
Auditability: should provide audit trails
Integrity: must be designed to protect from unauthorized changes
Authenticity: help ensure that data input is authentic
Key Concepts
Separation of duties
No one person should have control over the whole process. Allowing this could
let a person manipulate the system for personal gain. The process should
be broken down into individual steps executed by different people.
Rotation of duties prevents collusion between two or more people. This
minimizes the chance of fraud or exposes it. Forced vacation can provide
the same effect.
Core element of the Clark-Wilson Integrity model
Least privilege: only allow access to resources that are absolutely needed
for work
Need-to-know: just because you have the clearance doesn't mean you
really need to know the data or process
Information Classification
Scope: risk analysis will evaluate data for classification. Things to consider:
Exclusive possession (trade secrets, etc.)
Usefulness
Cost to recreate
Legal or regulatory liability
Operational impact
Etc.
Process goal is to achieve a consistent approach to handling classified
information
Marking and labeling for all types of media to include video
Human readable
Machine readable
Assurance: regular internal and possibly external audits should be done
Domain Objectives
Domain Objectives
Access to System
Access to Data
Intrusion Prevention and Detection Systems
Access Control Assurance
Machine
Impersonation
Sniffers
Shoulder surfing/swiping
Dumpster diving
Emanations
Domain Agenda
Access to System
Access to Data
Intrusion Prevention and Detection Systems
Access Control Assurance
Identification
Methods
Authentication Methods
Life Cycle
Single sign-on
Kerberos
Directory services
Security domains
Domain Objectives
Access to Data
Intrusion Prevention and Detection Systems
Access Control Assurance
Access to Data
Implementations
Mandatory
Temporal
Discretionary
Role
Rule
Content
Privacy
Descriptions
List
Matrix
Capabilities
Non-discretionary
Constraints
Centralized
Decentralized
Objects/subjects
Files/users
O.S. dependent
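The Key Concepts slides (separation of duties, least privilege, need-to-know) and the List/Matrix/Capabilities descriptions above can be tied together in one small model. This is an added example, not course material: the subjects, objects, rights and the conflict rule are constructed for illustration.

```python
"""Access control matrix with the two views the slides list (ACL = one
object's column, capability list = one subject's row), a default-deny
authorization check, and a separation-of-duties constraint.
Added example; subjects, objects, rights and the conflict rule are
constructed for illustration, not taken from any real system."""

# Constructed matrix: subject -> object -> set of rights
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "audit.log": {"read"}},
    "bob":   {"payroll.db": {"read"}, "payments": {"approve"}},
    "carol": {"audit.log": {"read", "write"}},
}

# Constructed separation-of-duties rule: nobody may both prepare payroll
# changes (write payroll.db) and approve the resulting payments.
SOD_CONFLICTS = [(("payroll.db", "write"), ("payments", "approve"))]


def _held(matrix, subject):
    """All (object, right) pairs a subject currently holds."""
    return {(o, r) for o, rs in matrix.get(subject, {}).items() for r in rs}


def access_control_list(matrix, obj):
    """ACL view: which subjects hold which rights on one object."""
    return {s: set(objs[obj]) for s, objs in matrix.items() if obj in objs}


def capability_list(matrix, subject):
    """Capability view: which objects and rights one subject holds."""
    return {o: set(rs) for o, rs in matrix.get(subject, {}).items()}


def is_authorized(matrix, subject, obj, right):
    """Reference-monitor check: deny unless the matrix explicitly grants the right."""
    return right in matrix.get(subject, {}).get(obj, set())


def grant(matrix, subject, obj, right, conflicts=SOD_CONFLICTS):
    """Add a right, refusing (and leaving the matrix unchanged) when the new
    right together with rights already held would violate separation of duties."""
    held = _held(matrix, subject)
    for a, b in conflicts:
        if ((obj, right) == a and b in held) or ((obj, right) == b and a in held):
            return False
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return True


def sod_violations(matrix, conflicts=SOD_CONFLICTS):
    """Audit pass: subjects that already hold both halves of a conflicting pair
    (what an access-control assurance review should turn up)."""
    found = []
    for subject in matrix:
        held = _held(matrix, subject)
        for a, b in conflicts:
            if a in held and b in held:
                found.append((subject, a, b))
    return found


def least_privilege_report(matrix, required):
    """Rights held beyond what the job requires; `required` maps each
    subject to the set of (object, right) pairs its role actually needs."""
    report = {}
    for subject in matrix:
        excess = _held(matrix, subject) - required.get(subject, set())
        if excess:
            report[subject] = excess
    return report
```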
Domain Objectives
Host-Based
HIDS
Application-Based
AIDS
APIDS
Anomaly-based
Statistical
Traffic
Protocol
Heuristic scanning
IDS/IPS Examples
Anomaly
Multiple failed logins
User logged in at unusual times
Unexplained changes to system clocks
Unusual number of error messages
Unexplained system shutdowns/restarts
Response
Dropping suspicious packets
Denying access to suspicious users
Reporting suspicions to other system hosts/firewalls
Changing IDS configurations
Alert
IM
Email
Pager
Audible alarm
Domain Objectives
Definition
Areas to test
Methods of testing
Testing procedures
Testing hazards
Areas to Test
Application security
Denial of Service (DoS)
War dialing
Wireless penetration
Social engineering
PBX and IP telephony
Testing Steps
Discovery
Enumeration
Vulnerability mapping
Exploitation
Domain Objectives
Risk Management
Knowledge Management
Emergency Management
Security
Disaster Recovery
Facilities Management
Supply Chain Management
Quality Management
Out of Business!!!
Scope
Timelines
Deliverables
Team members
Tools
Initiating BCP
Awareness, data and implementation
Staff and budget
Result must be a long-term, sustainable program
Review progress monthly (suggestion)
Documentation
Domain Objectives
Threat Identification
Natural/environmental
Human/man-made
Utility
Supply chain
Equipment
Facility
Loss of key personnel
Domain Objectives
Recovery Alternatives (Alternative; Description; Readiness; Cost)
Multiple processing/mirrored site; Fully redundant identical equipment & data; Highest level of readiness; Highest cost
Mobile site/trailer; Designed, contained IT & communications; High readiness
Hot site; High readiness
Warm site; Moderate readiness
Cold site; Minimal readiness; Lowest cost
Processing Agreements (Agreement; Description; Considerations)
Contingency
Service Bureau
Remote Working Arrangements; Ability to telecommute or work from home; Sensitive data controls, unauthorized equipment
Domain Objectives
BCP Contents
When will team be activated?
How will the team be activated?
Where will everyone meet?
Is there an Action Plan/Task List?
Is there any reporting? If so, to whom?
BCP Contents
Responsibilities of the team or specific individuals
Resource-Level Consolidation
Consolidation plan
Availability of solutions
Consolidate, approve and implement
Outcomes and deliverables
Domain Objectives
Crisis management
Initial Assessment
Damage assessment
Declaring a disaster
Communications
Public relations
Domain Objectives
Testing Types (Type; Process; Participants; Frequency; Complexity)
Desk check; Author; Often; LOW
Walk through; Author and main people
Simulation; Main people and auditors
Parallel testing; Everyone at test location
Full interruption; Everyone at both locations; Seldom; HIGH
BCP Maintenance
Updating
Annual review at a minimum
Subsequent to tests to immediately identify fail points and
needed changes
Response to audits to address issues found
Version control to ensure everyone is working off the most
current plan
Distribution of plan to ensure everyone is working off the most
current plan
Reviewing BCP
Audit
Independent BCP audit opinion
As directed by audit policy
Cryptography
Domain Objectives
Definitions
History
Uses
Cryptographic Methods
Encryption Systems
Algorithms
Cryptanalysis and Attacks
Implementations
XOR Exclusive Or
Binary math
Key management: refers to the principles and practices of protecting the keys throughout their lifecycle
Key expiry/cryptoperiod: keys should be changed on a regular basis. The length of time should be based on
the algorithm and the level of protection required
Key mixing/key schedule: DES has a nominal key length of 56 bits (actual length 64, but 8 bits are used for parity),
does 16 rounds of substitution and transposition, and uses 48 bits of the key in each round. Each round's 48-bit
subkey is generated from the original 56-bit key. AES uses a key schedule to generate a completely new round key
from the original key for each round.
Keystreams: pseudo-random sequence that is generated from the input key and mixed with the input
message.
Synchronous: keystream is generated from the original key, bit-by-bit, in sync with the plaintext
Non-synchronous or self-synchronous: keystream is generated from previously generated ciphertext and the
cryptovariable
Key storage: key must be protected in transit and in storage
Key clustering: term used to represent a weakness that exists in a cryptosystem if two different keys
generate the same ciphertext from the same plaintext
Work Factor
An estimate of the effort/time needed to overcome a protective
measure by an attacker with specified expertise and resources.
Commonly used as a way to measure the amount of resources that
would be required to brute-force an algorithm or cryptosystem.
System is said to be broken when there is a way to decrease the
work factor to a reasonable level.
All cryptosystems will be crackable eventually. Objective is to use
a system that is computationally infeasible to crack.
Work factor has nothing to do with normal encryption/decryption
Kerckhoffs' Principle
States that the strength of a cryptosystem is based on the secrecy of the key
and not on the secrecy of the algorithm.
Work factor for the cryptanalyst is the effort required to determine the correct
key.
Key length is the primary method used to determine the strength of the
cryptosystem.
Brittleness: measure of how badly a system fails. A resilient system is
dynamic and designed to fail only partially or degrade gracefully. In general,
automated systems which only do one thing are by definition brittle.
Security by Obscurity: concept that a system is secure as long as no one
outside the group is allowed to find out anything about its internal
mechanisms.
Key Algorithms
Symmetric key: the same key is used for both the encryption and
decryption operation
Asymmetric key: a pair of mathematically related keys (A and B)
used separately for encryption and decryption
Certificates
Certificate: proves who owns a public key
Digitally signed, special block of data that contains the public key
and identifying information for the entity that owns the private
key
Issued by a Certification Authority (CA): trusted entity or 3rd
party that issues and signs public key certificates, attesting to the
validity of the public key.
Registration Authority: the primary organization that verifies a
Certificate Applicant's information and identity. Works with the CA to
verify the applicant's information before issuing a certificate
Hash Functions
Message integrity
Computed value for a message, program, data, etc to be
transmitted or stored
One way function
Cannot decrypt/reverse a hash
Digital Signatures
Domain Objectives
Definitions
History
Uses
Cryptographic Methods
Encryption Systems
Algorithms
Cryptanalysis and Attacks
Implementations
Historical Development
Cryptographic techniques
Domain Objectives
Definitions
History
Uses
Cryptographic Methods
Encryption Systems
Algorithms
Cryptanalysis and Attacks
Implementations
Uses of Cryptography
Protecting information
Transit
Email, VPNs, e-commerce, VOIP, etc.
Storage
Disk encryption
System access
Passwords, remote login
Domain Objectives
Definitions
History
Uses
Cryptographic Methods
Encryption Systems
Algorithms
Cryptanalysis and Attacks
Implementations
Solutions
Confusion: principle of hiding patterns in the plaintext by substitution
Diffusion: act of transposing the input plaintext throughout the ciphertext so that a
character in the ciphertext does not line up directly with the same position in the
plaintext
Avalanche: achieved when each plaintext bit affects the entire ciphertext, so that
changing one bit in the plaintext changes about half of the ciphertext bits
Stream Ciphers
Keystream
Statistically unpredictable and unbiased
Not linearly related to the key
Operates on individual bits or bytes
Block Cipher
Blocks of plaintext are encrypted into ciphertext blocks
Multiple modes of operation
Variable key size, block size, rounds
Data transport: SSL, TLS. Both protocols can use AES and Triple
DES. IPSec-based VPNs also use block ciphers to encrypt
communication between endpoints
Data storage: even though block ciphers take more time, they are used
because of their greater ability to frustrate cryptanalysis. TrueCrypt
is an example of a block cipher being used to encrypt data
Domain Objectives
Definitions
History
Uses
Cryptographic Methods
Encryption Systems
Algorithms
Cryptanalysis and Attacks
Implementations
Simple Transposition/Permutation
Columnar: rearranging the message in a table
Plaintext: This is an example of transposition
Cipher: tsaoni hamfst inptpi selroo ixeasn
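The slide's ciphertext is produced by writing the letters into five columns row by row and reading the columns out top to bottom. The following is an added example, not part of the course: the column count of 5 is inferred from the ciphertext, and the frequency comparison at the end shows why a transposition on its own is still exposed to frequency analysis.

```python
"""Columnar transposition exactly as on the slide: the plaintext is
written row by row into a table of fixed width and read out column by
column. Added example; the width of 5 columns is inferred from the
slide's ciphertext, and the frequency comparison at the end shows why
transposition alone does not defeat frequency analysis."""
from collections import Counter


def _letters(text):
    """Keep letters only, lower-cased, as the slide's ciphertext does."""
    return "".join(ch.lower() for ch in text if ch.isalpha())


def transpose_encrypt(plaintext, columns):
    """Write rows of `columns` letters, then read each column top to bottom.
    Columns are separated by spaces for readability, matching the slide."""
    letters = _letters(plaintext)
    rows = [letters[i:i + columns] for i in range(0, len(letters), columns)]
    cols = ["".join(row[c] for row in rows if c < len(row)) for c in range(columns)]
    return " ".join(cols)


def transpose_decrypt(ciphertext, columns):
    """Inverse: the space-separated groups are the columns; read them row by row.
    Handles a last row that is shorter than the others."""
    cols = ciphertext.split()
    if len(cols) != columns:
        raise ValueError("ciphertext does not have %d column groups" % columns)
    nrows = max(len(c) for c in cols)
    return "".join(cols[c][r] for r in range(nrows) for c in range(columns)
                   if r < len(cols[c]))


def letter_frequencies(text):
    """Histogram of letters. For a pure transposition it is identical for
    plaintext and ciphertext, which is what frequency analysis exploits."""
    return Counter(_letters(text))
```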
Polyalphabetic Ciphers
Steganography
The art of hiding information
Plaintext hidden/disguised
Prevents a third party from knowing that a secret
message exists
Traditionally accomplished in a number of ways:
Physical techniques
Null ciphers
Image-Based Steganography
Original image
Stegged image
Watermarking/Rights Management
Digital watermarking similar to physical watermarking.
Either visible or invisible markings embedded within a digital
file to indicate copyright or other handling instructions, or to
embed a fingerprint to detect unauthorized copying and
distribution of images.
Digital Rights Management/Digital Restriction Management
(DRM) extends digital watermarking in order to place strict
usage conditions on the display and reproduction of digital
media.
Domain Objectives
Definitions
History
Uses
Cryptographic Methods
Encryption Systems
Algorithms
Cryptanalysis and Attacks
Implementations
Counter (CTR)
Similar to OFB
Counter value is used instead of an IV
DES
56 bit key
16 rounds of transposition and substitution
Fixed 64 bit block size
Double DES (DDES)
Uses two 56 bit keys
Message is encrypted by one key and re-encrypted by the second
Was thought to provide 112 bit cipher but was successfully attacked by the
meet-in-the-middle analytic attack
Triple DES (TDES)
Input data is encrypted three times
Strength depends on the mode of the operation picked and the number of
keys being used
Effective key size is 168 bit
RC-4
Symmetric stream cipher
Arbitrary key size
Many applications
Strengths
Fast
Difficult to crack
Weaknesses
Poor scalability
Limited security
RSA Algorithm
Rivest-Shamir-Adleman, 1977
Encryption
Digital signatures
Key distribution
Other Algorithms
Diffie-Hellman Key Exchange Protocol
Perfect Forward Secrecy (PFS): principle used in D-H that even if 2 private
keys are used in negotiating a secret value (shared secret), and one of those
private keys is later compromised, it will not be possible to determine either
the secret key or the other private key from the compromised private key
Diffie-Hellman Groups: determine the length of the base prime numbers
that will be used in calculating the key pairs.
STS/Unified Diffie-Hellman: one weakness of D-H was the man-in-the-middle attack. This led to the development of the Station to Station (STS) key
agreement protocol by Diffie, van Oorschot and Wiener in 1992.
Menezes/Qu/Vanstone
ElGamal: retired
Elliptic Curve Cryptography (ECC): fewer bits. Extremely slow
Knapsack Algorithms
Merkle-Hellman knapsack
Developed in 1978
Chor-Rivest knapsack
Developed in 1984 and revised in 1988
Strengths
Confidentiality/privacy
Access control
Authentication
Integrity
Non-repudiation
Weaknesses
Computationally intensive
Very slow
HAVAL
RIPEMD
Tiger
WHIRLPOOL
Digital Signatures
(Asymmetric cryptography) + (Hash of message)
Only authenticity and non-repudiation (not confidentiality)
Legality: if the encryption is intact and the private key is held by the
rightful owner, it must be accepted by all parties in the transaction.
American Bar Association has developed guidelines for accepting digital
signatures that have been adopted in some US states and other countries
Not accepted globally for transactions and specifically not for high-dollar/high-risk situations
Examples
DSA, RSA, ElGamal, Schnorr, ECC
Storage
Trusted hardware: hardware evaluated (typically) by FIPS 140-2 or Common
Criteria
Smartcard: non-volatile storage
Cross-certification
Certificate Revocation Lists (CRLs)
Online Certificate Status Protocol (OCSP)
X.509
Domain Objectives
Definitions
History
Uses
Cryptographic Methods
Encryption Systems
Algorithms
Cryptanalysis
Art and science of breaking codes
Attack vectors
Key
Algorithm
Implementation
Data (ciphertext or plaintext)
People social engineering
Assumptions (Bits; Number of keys; Time to exhaust)
56; 7.2 x 10^16; 20 hours
80; 1.2 x 10^24; 54,800 years
Data shown is as of 1998 when Deep Crack was used in RSA DES
challenge.
Cost $250,000 to build. Today the same thing can be done for under
$10,000.
With today's tech, can break DES in 8.7 days or less for under $10,000.
Plaintext Attacks
Known plaintext attack: attacker has both the plaintext and
ciphertext. Uses analysis to try to determine the key.
Chosen plaintext attack: attacker has access to the crypto
machine. Runs plaintext through the machine to get encrypted data.
Uses statistical information to try to determine the key.
Adaptive chosen plaintext attack: attacker has the encryption device
for more than one message. Patterns may emerge if the attacker
puts similar texts into the device
Ciphertext Attacks
Ciphertext only: assume the attacker has samples of encrypted text but not the
algorithm, key or system. Most difficult attack because the attacker has the
least to work with.
Chosen ciphertext attack: attacker has access to ciphertext and the system used
to generate it. Attacker can run pieces of ciphertext through to obtain the
plaintext. Leads to a Known Plaintext Attack or a Differential or Linear
Cryptanalysis attack.
Adaptive chosen ciphertext attack: attacker has access to the cryptosystem
and can now modify and run ciphertext through the system to see what the
effect of the modification is on the plaintext.
Block
Linear cryptanalysis: uses large amounts of plaintext and associated ciphertext to find information
about the key
Differential cryptanalysis: 2 or more similar plaintexts are encrypted using the same key and
compared
Linear-differential cryptanalysis: combination of linear and differential
Algebraic attacks: examine the algorithm
Frequency analysis: uses the statistics of the language to break a ciphertext
Birthday attacks: in a group of 23 people there is a 50% chance that 2 will have the same birthday; with
60 people, 99%. Relevant because it describes the amount of effort that must be made before
2 randomly-chosen values will be the same (a collision). A weak hash causes many collisions
Attack the hash value
Attack the initialization vector
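The Deep Crack key-space figures and the birthday-attack slide above are two sides of the same work-factor arithmetic: exhaustive key search grows as 2^n, while finding a collision grows only as 2^(n/2). The following added example (not course material) carries both through; the only page-derived input is the 20-hour figure for the 56-bit DES key space, and the 80-bit time is scaled from it rather than taken from the slide.

```python
"""Work-factor arithmetic behind two slides: exhaustive key search (the
1998 Deep Crack figures) and the birthday paradox (23 people, 60 people).
Added example; the only page-derived input is the 20-hour figure for the
56-bit DES key space, everything else is computed."""
import math

SECONDS_PER_HOUR = 3600
HOURS_PER_YEAR = 365.25 * 24


def key_space(bits):
    """Number of keys a brute-force attacker must be prepared to try."""
    return 2 ** bits


def keys_per_second(bits, hours):
    """Search rate implied by exhausting a `bits`-bit key space in `hours` hours."""
    return key_space(bits) / (hours * SECONDS_PER_HOUR)


def exhaustive_search_years(bits, rate):
    """Worst-case time in years to try every key at `rate` keys per second;
    the expected time is half of this. Each extra key bit doubles it."""
    return key_space(bits) / rate / SECONDS_PER_HOUR / HOURS_PER_YEAR


def birthday_probability(n, space=365):
    """P(at least one collision) among n values drawn uniformly from `space`
    possibilities, computed exactly; suitable for small spaces like 365 days."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def birthday_bound(bits):
    """Hash outputs needed for about a 50% chance of a collision in an n-bit
    hash: roughly 1.177 * 2^(n/2), i.e. half the exponent of a key search."""
    return math.sqrt(2 * math.log(2)) * 2 ** (bits / 2)


def collision_vs_preimage_ratio(bits):
    """How much cheaper a collision is than exhausting the same-sized space;
    this is why hash output is sized at twice the intended security level."""
    return key_space(bits) / birthday_bound(bits)
```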
Social Engineering
Persuasion
Coercion (rubber-hose cryptanalysis)
Bribery (purchase-key attack)
Man-in-the-Middle
Attacker intercepts and modifies the data before transmitting to intended
person.
Domain Objectives
Definitions
History
Uses
Cryptographic Methods
Encryption Systems
Algorithms
Cryptanalysis and Attacks
Implementations
Internet Security
Uses
Remote Access
VPNs
E-commerce
Tools
IPSec
SSL/TLS
Secure HTTP
TLS
Definitions
History
Uses
Cryptographic Methods
Encryption Systems
Algorithms
Cryptanalysis and Attacks
Implementations
Domain Objectives
Business Drivers
Governance
Roles and Responsibilities
Security Planning
Security Administration
Risk Management
Ethics
Regulations
Competition
Organizational Objectives
Organizational Goals
Laws
Shareholders Interests
Business requirements
Security metrics
Domain Objectives
Business Drivers
Governance
Roles and Responsibilities
Security Planning
Security Administration
Risk Management
Ethics
Specific
Delegate certain responsibilities for security to individuals
Define acceptable and unacceptable behavior
General
Rules that let everyone know they are responsible for security
Communicated at hiring
Tell new hires the rules and consider annual review
Verified capabilities and limitations
Access to resources defined by job
Third-party considerations
Brief vendors, temps, contract staff on security requirements
Good practices
Keep it simple, relevant, understandable and communicate
Reinforced via training
Annual security training
Internal Roles
Executive management
set policy, allocate budget
Board level
C level
Information systems security professionals
advise management
Developers
create secure code
Custodians and Operations staff
Custodians care of data
Ops run the computers
Internal Roles
Security staff
Data and system owners
Classify
Access permissions
Users
Task as assigned
Legal, compliance, and privacy officer
Inform/implement laws/regs
Internal auditors
Check on procedures
Physical security
Is IT or traditional security responsible
External Roles
Vendors/suppliers
Contractors/consultants
Service level agreements
Temporary employees
Customers
External Roles
Business partners
Outsourced relationships
Outsourced security
External audit
Human Resources
Employee development and training
Employee management
Hiring and termination of employment
Awareness Training
Delivery methods
Topics
Job training
Task based
Professional education
Understanding
General knowledge
Be relevant
Scope properly
Address the audience
Domain Objectives
Business Drivers
Governance
Roles and Responsibilities
Security Planning
Security Administration
Risk Management
Ethics
Promiscuous
Permissive
Prudent
Paranoid
Tactical
Operational
Staffing
Reporting
Security Blueprints
Identify and design security requirements
Infrastructure security blueprints
Holistic
IT Security Requirements
Complete Security Solutions
Be prepared
Domain Objectives
Business Drivers
Governance
Roles and Responsibilities
Security Planning
Security Administration
Risk Management
Ethics
Security Policy
Privacy
Acquisition
Change control
IMPORTANT
Procedures
Step by step actions
Required
Be detailed
(Diagram: Policy > Standard > Baseline > Procedures > Guideline hierarchy; example policies shown: Risk Assessment, Incident Management, Identity Management, Software Installation)
Standards
Common hardware and software products
(Diagram: Policy > Standard > Baseline > Procedures > Guideline hierarchy; example standards shown: Desktop, Antivirus, Firewall)
Baselines
Establish consistent implementation of mechanisms
Platform unique
Know minimum and understand what is normal
(Diagram: Policy > Standard > Baseline > Procedures > Guideline hierarchy; examples shown: VPN Setup, IDS Configuration, Password Rules)
Guidelines
Recommendations for implementations, procurement
and planning
(Diagram: Policy > Standard > Baseline > Procedures > Guideline hierarchy; example guidelines shown: Recommendations, Best Practices, ISO)
Good Policy?
Area IV Buddy System Policy
THE AREA IV COMMANDER HAS DICTATED THAT ALL MILITARY SERVICE
MEMBERS WILL USE THE BUDDY SYSTEM AT ALL TIMES, WITH THE
EXCEPTION BELOW WHEN OFF A MILITARY INSTALLATION.
THE BUDDY SYSTEM IS NOT REQUIRED, BUT HIGHLY RECOMMENDED
FOR PERSONNEL TRAVELING DIRECTLY TO AND FROM THEIR DOMICILE
ALL PERSONNEL WILL CARRY A S.O.F.A AND AN EMERGENCY
TELEPHONE NUMBER CARD AT ALL TIMES.
LOCAL COMMANDERS MAY ENACT MORE STRINGENT MEASURES.
BY ORDER OF THE AREA IV COMMANDER
Domain Objectives
Business Drivers
Governance
Roles and Responsibilities
Security Planning
Security Administration
Risk Management
Ethics
System characterization
Threat identification
Vulnerability identification
Control analysis
Likelihood determination
Impact analysis
Risk determination
Control recommendations
Results documentation
Tangible assets
Can buy/sell
Hardware, software, facilities, documentation,
customer lists, and intellectual property
Intangible assets
Personnel, reputation/brand, and morale
Exclusive possession
Utility
Liability
Convertibility
Operational impact
Timing
Modified Delphi
Facilitated sessions
Survey
Interview
Checklist
AV (Asset Value)
EF (Exposure Factor)
Ongoing review
Periodic review
Domain Objectives
Business Drivers
Governance
Roles and Responsibilities
Security Planning
Security Administration
Risk Management
Ethics
Ethical Environments
Ethics are difficult to define
Do No Harm
Begins with senior management
Guidelines for Establishment of Ethics
Ethical Responsibility
Global responsibility
National
Organizational
Personal
Religion
Law
National interest
Individual rights
Common good/interest
Enlightened self-interest
Professional ethics/practices
Standards of good practice
Tradition/culture
(ISC)²
RFC 1087
Internet Architecture Board
RFC 1087
Access and use of the Internet is a PRIVILEGE and should be treated as such by all users
RFC 1087 refers to Negligence in the conduct of Internet-wide experiments as irresponsible and unacceptable, but does not
specifically label such conduct unethical.
http://www.ietf.org/
Legal, Regulations,
Investigations, and Compliance
Domain Objectives
Common law
Criminal law
Civil law
Administrative law
Religious law
Customary law
Mixed law
Maritime law
Jurisdiction
Law, economics, beliefs and politics
Law enforcement agencies will work together, even across borders. But
sometimes countries don't agree.
Sovereignty of nations
Laws aren't always the same from country to country. Nations are making an
effort to harmonize their laws in order to promote uniform enforcement and
cooperation where possible.
Traditional Crime
Violent
Property
Public order
Computer Crime
Real property
Virtual property
Computer Crime
Ego
Financial gain
Revenge
Attack vector
etc.
International Cooperation
Theft
Loss
Corporate espionage
Improper duplication
Purpose of a trademark
Characteristics of a trademark
Word
Name
Symbol
Color
Sound
Product shape
Writings
Recordings
Computer programs
Etc.
Must be confidential
Freeware
Shareware
Commercial
Academic
No enemy states
Wassenaar Arrangement
Domain Objectives
Liability
Legal responsibility
Know responsibilities to employees, customers, etc.
Penalties
Can range from compensation to criminal penalties for violation
of law
Negligence and liability
Important factor in determining liability
Determined by courts or other quasi-legal body
Protection of Assets
Legal obligation
Prudent person rule
Must demonstrate practice of due care
Negligence
Acting without care
Due care
Due Diligence
(Diagram: Due care/Due diligence = Action, measured against Regulation or Best Practice; Negligence = Gap)
Individuals
Identity theft
Organizations
Collection, sharing, storage, processing of personal info
International Privacy
Organization for Economic Co-operation and Development
Global effect
Employee Privacy
Employee monitoring
Training
Political boundaries
Privacy
Investigations
Jurisdiction
Domain Objectives
Incident Management
Forensic Investigation
Compliance
Incident Management
Incident: event that causes harm
Protect
Prepare
Sustain
Improve
Protect
Infrastructure
Respond
Detect
Triage
Containment
Investigation
Analysis and treatment
Recovery
Debriefing
Metrics
Public disclosure
Detecting a problem
Determining its cause
Minimizing the damage it causes
Resolving the problem
Documenting each step of the response for future reference
Effectively and appropriately communicating issues
Response Capability
Policy
Authority
Procedures
Approved
Management of evidence
Triage
Investigation
Containment
Analysis and tracking
Triage
Detection
False positives
Classification
Notification
Investigation Considerations
The investigative phase must consider:
Investigation Process
Identify suspects
Identify witnesses
Identify system
Identify team
Search warrants
Investigation Techniques
Ownership and possession analysis
Means, opportunity, and motive (MOM)
Interviewing vs Interrogation
Open-ended Questioning
Closed-ended Questioning
General gathering
Cooperation
Seek truth
Specific aim
Hostile
Dangerous
Analysis
Interpretation
Reaction
recovery
Containment
Law
Court proceedings
Policy
Regulations
Protect evidence
Public disclosure
Domain Objectives
Forensic Investigation
Compliance
Evidence: Hearsay
Hearsay
Second-hand evidence
Normally not admissible
Computer-generated information
Process of creation description
Presentation of findings
Computer Forensics
Key components
Crime scenes
Digital evidence
Non-criminal cases
Recent activity
Keyword search
Slack space
Documented
Media Analysis
File system
Timeline analysis
Modified
Accessed
Created
Searching data
Software Analysis
What it does
What files it creates
Network Analysis
Domain Objectives
Compliance
Compliance
Knowing legislation
Following legislation
Gramm-Leach-Bliley (GLB)
Basel II
Information owner
Local manager
Auditor
Individual
Introduction
Background
Audit perspective
Scope & objectives
What was done
Executive summary
Internal audit opinion
Detailed report including auditee responses
Appendix
Exhibits
Operations Security
Domain Objectives
Operator Privileges
Initial program load (IPL)
Monitor system execution
Control job flow
Mount I/O volumes
Bypass label processing (BLP)
Renaming/relabeling resources
Reassigning ports/lines
Administrators
Systems administrators
Network administrators
Database administrators
Backup Types
File image
System image
Data mirroring
Electronic vaulting
Remote journaling
Database shadowing
Redundant servers
Standby services
Data
Operating Systems
Applications
Transactions
Configurations
Reports
Backup Integrity
Backup storage locations
Backups must be tested
Alternate site recovery plan
Site specific software
RAID Level 0
Striping
Two or more disks
No redundancy
Performance only
RAID Level 1
Exact copy (mirror)
Two or more disks
Fault tolerant
200% cost
RAID Level 2
Striping of data with error correcting codes (ECC)
Requires more disks than RAID 3/4/5
Not used
(Diagram: Disk A: Stripe 1A, 2A, 3A, 4A; Disk B: Stripe 1B, 2B, 3B, 4B; Parity disk: P(1A,1B), P(2A,2B), P(3A,3B), P(4A,4B))
RAID Level 5
Block-level stripes
Data and parity interleaved amongst all drives
The most popular RAID implementation
(Diagram: Disk A: Stripe 1A, P(2B,2C), Stripe 3A, Stripe 4A; Disk B: Stripe 1B, Stripe 2B, P(3A,3C), Stripe 4B; Disk C: P(1A,1B), Stripe 2C, Stripe 3C, P(4A,4B))
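The RAID 5 diagram above is XOR arithmetic (the "Exclusive Or / binary math" slide in the Cryptography domain) applied to storage: each stripe's parity is the XOR of its data chunks, and parity rotates across the disks. The following added example (not course material) reproduces the diagram's three-disk, four-stripe layout with constructed 4-byte chunks, rebuilds any one failed disk, and scrubs for silent corruption.

```python
"""XOR parity as used by RAID 5, laid out like the slide's three-disk
diagram: stripe 1 keeps its parity on disk C, stripe 2 on disk A,
stripe 3 on disk B, stripe 4 on disk C again. Added example; the stripe
contents are constructed 4-byte chunks, not data from any real array."""


def xor_blocks(*blocks):
    """Bytewise XOR of equal-length blocks. XOR is its own inverse, so the
    parity of a stripe XORed with all-but-one chunk yields the missing one."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        if len(block) != len(out):
            raise ValueError("all chunks in a stripe must be the same length")
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk(stripe_index, ndisks=3):
    """Rotating parity position: C, A, B, C, ... for a 3-disk array (0-based)."""
    return (stripe_index + ndisks - 1) % ndisks


def raid5_write(stripes, ndisks=3):
    """Place each stripe's ndisks-1 data chunks left to right on the non-parity
    disks and its parity on the rotating parity disk. Returns one list per disk."""
    disks = [[] for _ in range(ndisks)]
    for k, chunks in enumerate(stripes):
        if len(chunks) != ndisks - 1:
            raise ValueError("each stripe needs ndisks-1 data chunks")
        pdisk = parity_disk(k, ndisks)
        parity = xor_blocks(*chunks)
        data = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == pdisk else next(data))
    return disks


def raid5_read(disks):
    """Logical stripes (data chunks only) read back from the disk columns."""
    ndisks = len(disks)
    return [[disks[d][k] for d in range(ndisks) if d != parity_disk(k, ndisks)]
            for k in range(len(disks[0]))]


def raid5_rebuild(disks, failed):
    """Reconstruct one failed disk: every chunk on it, data or parity, is the
    XOR of the surviving chunks in that stripe."""
    survivors = [d for d in range(len(disks)) if d != failed]
    return [xor_blocks(*(disks[d][k] for d in survivors))
            for k in range(len(disks[0]))]


def raid5_verify(disks):
    """Scrub: indices of stripes whose chunks no longer XOR to zero, i.e.
    silent corruption that a later rebuild would faithfully propagate."""
    return [k for k in range(len(disks[0]))
            if any(xor_blocks(*(disks[d][k] for d in range(len(disks)))))]


# Constructed stripes matching the slide's labels 1A/1B, 2B/2C, 3A/3C, 4A/4B
STRIPES = [
    [b"1A__", b"1B__"],
    [b"2B__", b"2C__"],
    [b"3A__", b"3C__"],
    [b"4A__", b"4B__"],
]
```

Running `raid5_verify` before trusting a rebuild matters because parity can only recover a missing chunk, not tell which surviving chunk is wrong.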
RAID Level 6
Block-level stripes
All drives used for data AND parity
Two parity types
Higher costs
More fault tolerant than RAID implementations 2 - 5
RAID 0+1
(Diagram: RAID 1 mirror of two RAID 0 stripe sets; stripe set 1: Disk 1 A1, A3, A5, A7 and Disk 2 A2, A4, A6, A8; stripe set 2, the mirror: Disk 3 A1, A3, A5, A7 and Disk 4 A2, A4, A6, A8)
RAID Level 10
Mirroring and striping
Higher cost
Higher speed
RAID 10
(Diagram: RAID 0 stripe across two RAID 1 mirror sets; mirror set 1: Disk 1 and Disk 2 each hold A1, A3, A5, A7; mirror set 2: Disk 3 and Disk 4 each hold A2, A4, A6, A8)
Hardware Inventory
Up-to-date listing of all equipment
Location
Owner
Serial and model numbers
Patch Management
Knowledge of patches
Know when patches for all software you own are released by the vendor
Testing
Test all patches, and new software, in a test environment prior to going live
Deployment
Can be challenging; should be automated to ensure no machine is missed
Zero-day challenges
Window of exposure between a vulnerability becoming known (or its patch being released) and the patch actually being applied; for a true zero-day no patch exists yet, so compensating controls must cover the gap
Software Issues
Pirating software
Version control
Job Documentation
Scheduling
Dependencies
Error codes
Inputs and outputs
Backout procedures
Vulnerability assessments
Incident response
Domain Objectives
Misuse of Resources
System Recovery
Resource Protection
Environmental Issues and Controls
Media Management
Personnel Privacy and Safety
Misuse Prevention
Threats
Countermeasures
Personal use
Theft of media
Fraud
Sniffers
Domain Objectives
System Recovery
Resource Protection
Environmental Issues and Controls
Media Management
Personnel Privacy and Safety
Fault Tolerance
Hardware failure is planned for
System recognizes a failure
Automatic corrective action
Standby systems
Cold: configured but powered off; connections and in-flight work are lost on switchover
Warm: powered on; some data or transactions (TRX) are lost
Hot: fully ready; immediate failover
Domain Objectives
Resource Protection
Environmental Issues and Controls
Media Management
Personnel Privacy and Safety
Water
Communications
Alarm system
Domain Objectives
Resource Protection
Environmental Issues and Controls
Media Management
Personnel Privacy and Safety
Marking
Labeling
Handling
Storing
Declassifying
Media Management
Tapes
Storage
Encryption
Retrieval
Disposal
Object Reuse
Securely reassigned
Disclosure
Contamination
Recoverability
Physical destruction
Records Management
Considerations for records management program development
Business need
Domain Objectives
Resource Protection
Environmental Issues and Controls
Media Management
Domain Objectives
Physical Security Threats and Controls
Perimeter Security
Building and Inside Security
Secure Operational Areas
Circumstantial
Fire or break-in at a neighboring building, strike at a critical point in
supply chain, etc.
Human-made/political events
Explosions, vandalism, theft, terrorist attacks, strikes, activism, riots, etc.
Threat Sources
External activists
Staff
Intelligence agents/foreign governments
Petty criminals
Theft
Espionage
Dumpster diving
Social engineering
Shoulder surfing
HVAC access
Controls
Background checks
Disposal procedures
Locks
Awareness
Screen filters
Facility Vulnerabilities
Location
Emergency services
Fire
Security
Visibility
Controlled access
public transit
Physical
Administrative/managerial
Technical
Territoriality
Restricted access
Surveillance
Monitoring
Access control
Entrances
Maintenance
Domain Objectives
Physical Security Threats and Controls
Perimeter Security
Building and Inside Security
Secure Operational Areas
Fences
May be restricted by local regulations
Inspections
Parking should not be allowed near fences
1 meter/3-4 feet will deter casual trespassers
2 meters/6-7 feet too high to climb easily
2.5 meters/8 feet will delay the determined intruder
Top guard will add 2-3 feet. Can be defeated by blanket, mattress,
towel, etc.
Note that some perimeter IDS can function inside the perimeter as well
Physical IDS
Photoelectric
Ultrasonic
Microwave
Passive IR
Pressure sensitive
Sounds/vibration
Electrical circuits
Motion sensors
Mixing capabilities
Adding IR/thermal
CCTV Concerns
Total surveillance requirements
Operating parameters (correct lens, angle?)
Size depth, height, and width
Pan, tilt, and zoom
Lighting
Contrast
Storage of images
Maintenance
Privacy
Guard stations
Domain Objectives
Physical Security Threats and Controls
Perimeter Security
Doors
Isolation of critical areas
Lighting of doorways
Contact devices
Guidelines
Solid core
Hinges fixed to frame with minimum of 3 hinges per door
Lighting
Should not open out except as required by building codes
Locks should be daytime (push button) and 24 hour (deadbolt)
Door frame should be permanently fixed to the adjoining wall studs
Have same fire-resistance rating as adjacent walls
Etc.
Types of Locks
Something you have: keyed locks
Something you know: combination locks
Something you are: biometric locks
Keyed Locks
Lock components
Body
Strike
Strike plate
Key
Cylinder
Lock Controls
Lock and key control system
Key control procedures
Change combinations
Fail modes
Fail soft (unlocked)
Fail secure (locked)
Fail safe (allow exit but not entry)
Acrylic windows
Stronger than plate glass
Burn and produce toxic fumes, scratch easily and yellow over time
Polycarbonate windows
Resistant to abrasion, chemicals and fire; can even be anti-ballistic
Very expensive
Types of Lighting
Continuous lighting
Trip lighting
Standby/backup lighting
Emergency exit/egress lighting
Infrared/night vision
Domain Objectives
Physical Security Threats and Controls
Perimeter Security
Building and Inside Security
Equipment Room
Perimeter enclosure
Controls
Policy
Emergency power off (EPO) switch
Digital camera
Cell phone cameras
USB drive
Etc.
Server room
Most important requirements are space, power, air conditioning, access control and security monitoring
Mainframes
Storage
Communications
Wireless access points
Network access control
Cabling
conduit
Water
Ventilation
Gas
Work Area
Keeping a work area safe is important for everyone
Operators
Only allow access as needed/monitor
System administrators
Only allow access as needed/monitor
Equipment Protection
Inventory
Locks and tracing equipment
Data encryption
Disabling I/O ports
Environmental Controls
System
Electric power
HVAC
Water/plumbing
Gas
Refrigeration
Threat
Loss of power
Overheating
Flood/dripping
Explosion
Leakage
Fire Protection
Wet-pipe sprinkler
Most reliable and simplest design
Pipes hold water under pressure; when a sprinkler head breaks, water comes out immediately
Dry-pipe sprinkler
Pipes hold air; water is held back by a valve and released when a sensor activates
Pipes then fill with water and the sprinkler engages (a short delay, but no water standing in pipes above equipment or in spaces that can freeze)
Fire classes and suppression agents
Class A (Ash): common combustibles; water (reduces temperature)
Class B (Boil): flammable liquids; CO2/foam (displaces oxygen), Halon and the like (binds/interrupts the chemical reaction)
Class C (Current): electrical; CO2, Halon and the like, dry chemicals such as Purple K (non-conductive agents)
Class D (Drive): combustible metals; dry powders
Class K (Kitchen): cooking media (fats); wet chemicals
Four ways to stop a fire: reduce the temperature (water), displace the oxygen (CO2/foam), bind the chemical reaction (Halon, Purple K), remove the fuel (what the fireman does)
Portable extinguishers
UPS
Generators
Power controls
Location
Positive pressure
Maintenance
Vermin
Electromagnetic fields
Excess vibration
Domain Objectives
Architecture Components
System Design Principles
Security Models
Information Systems Evaluation Models
Security Frameworks
Best practice
Architecture
Framework
Infrastructure
Model
Strategic: provides a long-range perspective that is less subject to tactical changes in technology
Holistic: understanding all the parts of the business and interconnecting them
Design
Blueprint: integration and development of technology infrastructure into the business process
Multiple implementations: flexibility due to location and business constraints
Domain Objectives
Architecture Components
Architecture Components
Hardware
Firmware
Central processing units
Input/output devices
Software
Architectural structures
Storage and memory
Hardware: Computers
Mainframe
Minicomputers
Microcomputers/desktops
Servers
Laptop/notebook
Embedded
USB storage
Hardware: Printers
Multifunctional
Network aware
Modem
Hardware: Wireless
Wireless router
Flash chips
Embedded system
CPU Functionality
Multitasking
Multiprogramming
Multiprocessing
Multiprocessor
Multi core
Multithreading
Real-Time Systems
Virtual Machines
Supervisor state
Running
Ready
Blocked
Masked/interruptible
I/O controller
Managing memory
Hardware
Hardware control
Hardware abstraction
Resource manager
Design
Kernel
System utilities
Maintenance
System drivers
Application/hardware interface
Plug and play
Function first
Evaluation
Software: Custom
Business application
Unified messaging
Security
Applications - Today
Security
Programs spawn processes, processes spawn threads, and memory is allocated per process; so every thread of a process shares its memory, and unsynchronized access to that shared memory is where race conditions come from.
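As an added example that is not from the slides, here is why shared thread memory matters for security: a balance check and a withdrawal run as two separate steps on an object every thread can see, first racing (four threads overdraw an account holding 100) and then serialized under one lock so that check and act are atomic. The account, the amounts and the artificial delay that widens the race window are constructed.

```python
"""Added example: threads share their process's memory, so an unsynchronized check-then-act
on that memory is a race condition (here a time-of-check/time-of-use overdraft)."""
import threading
import time
from typing import Tuple


class Account:
    def __init__(self, balance: int) -> None:
        self.balance = balance                 # one object in process memory, visible to every thread
        self.lock = threading.Lock()

    def withdraw_unsafe(self, amount: int, window: float) -> bool:
        """Check, then act, with a gap between them (window stands in for real work or I/O)."""
        if self.balance >= amount:             # time of check
            time.sleep(window)                 # other threads run here and see the same old balance
            self.balance -= amount             # time of use
            return True
        return False

    def withdraw_safe(self, amount: int, window: float) -> bool:
        """Same logic, but check and act happen under one lock, so they are atomic to other threads."""
        with self.lock:
            if self.balance >= amount:
                time.sleep(window)
                self.balance -= amount
                return True
            return False


def run(account: Account, n_threads: int, amount: int, safe: bool,
        window: float = 0.1) -> Tuple[int, int]:
    """Fire n_threads concurrent withdrawals; return (final balance, number that succeeded)."""
    results = []                               # list.append is atomic in CPython, so this is safe
    fn = account.withdraw_safe if safe else account.withdraw_unsafe
    workers = [threading.Thread(target=lambda: results.append(fn(amount, window)))
               for _ in range(n_threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return account.balance, sum(results)


def overdraft_demo(safe: bool) -> Tuple[int, int]:
    """Constructed scenario: balance 100, four threads each try to withdraw 100."""
    return run(Account(100), n_threads=4, amount=100, safe=safe)


if __name__ == "__main__":
    print("unsafe (balance, successes):", overdraft_demo(safe=False))   # balance goes negative
    print("safe   (balance, successes):", overdraft_demo(safe=True))    # exactly one succeeds
```

The same pattern appears whenever a privilege or resource check is separated from the action it guards: the check must be performed under the same lock (or the same atomic operation) as the action, not merely before it.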
Dedicated
Single level
Embedded
Architectural Structures
Client server
Centralized architecture
Distributed architectures
Diskless computing
Clusters
Cloud Computing
Provisioning of services
Cost models
Supplement/consumption/delivery model
Characteristics
Layers
Cloud Computing
Deployment models
Public cloud
Community cloud
Private cloud
Hybrid cloud
Architecture
Intercloud
Cloud Engineering
Issues
Privacy
Compliance
Open source
Open standards
Security
Service-Oriented Architecture
Technology benefits
More flexible architecture, integration of existing applications, improved
data integration, supports business process management, facilitates
enterprise portal initiatives, speeds custom application development
Security issues
A system that relies on distributed processing must have adequate
bandwidth and high availability.
Business benefits
More effective integration with business partners, supports customerservice initiatives, enables employee self-service, streamlines the supply
chain, more effective use of external service providers, facilitates global
sourcing
Virtualization
Virtual copy of physical system
System virtual machine: complete operating environment that can support user needs and multiple environments
Hypervisor: interface between the physical and virtual environments
Relative: address expressed as a location relative to a known point
Physical: absolute address or actual location
Protection: processes should not be able to reference memory locations in another process without permission
Sharing: allows several processes to access the same portion of memory; the OS gives each process access to the same copy of the program rather than its own separate copy
Primary Storage
Registers: very high-speed storage built into the CPU, often used to hold timing and state information so the CPU can maintain control over processes
Cache: very fast memory on the CPU chip itself, not upgradeable; three levels (L1-L3)
Secondary Storage
Internal
External
Virtual memory
SANs
Clusters
Virtual Memory
= primary + secondary, i.e. RAM + disk
Extends apparent memory to accommodate a larger program execution space than is possible using only physical memory; involves paging and swapping operations
Pages are generally 4 or 8 KB in length
Storage Systems
Network Attached Storage (NAS)
Simple, cost-effective solution: a box on the network that extends the storage area
Blade Systems
Server chassis
Processing power
Management simplification
Domain Objectives
Separation
Temporal isolation
Physical isolation
Virtual isolation
Ring Protection
Set of segments in concentric numbered rings; the ring number determines the access level (ring 0 is the most privileged).
A procedure assumes its ring number when executing, which prevents a process from executing commands at a more privileged level without regulation.
A program may call services residing on the same or a more privileged ring, but only through controlled entry points (gates).
A program may only access data that resides on the same or a less privileged (higher-numbered) ring.
Privilege Levels
Subjects of higher trust can access more system instructions and operate in privileged mode
Subjects with lower trust can access a smaller portion of system instructions and operate only in user mode
Process Isolation
Prevents one process from interacting with another process's resources
Each process keeps an independent state for its objects
Process activation
Execution domain switching
Memory protection
Input/output operations
Security kernel
Subject
Active entity
Object
Passive entity
Attested Boot/TPM/Processing
Availability
Redundancy
The design must avoid single points of failure
Defense in depth ensures the security of the system cannot be circumvented through one vulnerability
Domain Objectives
Security Models
Information Systems Evaluation Models
Security Frameworks
Information-flow model: tracks the movement of information from one object to another
Non-interference model: based upon rules to prevent processes that are operating in different domains from affecting each other in violation of security policy
State-machine model: abstract mathematical model where state variables represent the system state
Lattice-based model
State-machine model
Secure state
Lattice-based model
Separation of duties
Other Models
Graham-Denning
Variations of Biba
Security Models
Integrity
Clark-Wilson
Biba
G&M
Sutherland
Graham-Denning
HRU
Need to know
Confidentiality
Brewer-Nash
BLP
Implementations
Gong
Lipner
Karger
Jueneman
Lee & Shockley
Domain Objectives
Evaluation Standards
DoD-centric
Product evaluation
Rainbow series
ITSEC
International origin
ITSEM
Assurance
Functionality
Origins
Documents
Domain Objectives
Security Frameworks
ISO 7498-2
NOT an implementation
Zachman Framework
Intent
Scope
Two-dimensional
Principles
SABSA
What are the business
requirements?
Follow-on to Zachman
Operational security focus
All view
Operational view
Systems view
Technical standards view
ISO/IEC 27001
International standard for information security management systems (ISMS)
ISO/IEC 42010
Recommended practice for architectural description of software-intensive systems
Process
People
Reasonable assurance
Objectives
PCI-DSS
Payment card industry data security standard
Standards for the protection of payment card data (e.g.
credit cards, debit cards, etc.)
Covered more in Domain 5 (Legal, Regulations,
Investigations, and Compliance)
Domain Objectives
Organizational Standards
Web Application Security Consortium (WASC)
Build Security in (BSI)
International Organization for Standardization
(ISO)/International Electrotechnical Commission (IEC)
27034
These orgs provide information for software vendors and
the public that is intended to create secure environments for
software development, to aid in developing internal code
standards, to incorporate security features in software
products, and to deploy into secure environments.
Process Integrity
Security by Design
Controls Built in to Software
Secure by Default
From tampering
Pirating
Accidental loss
Protection against attacks
Project security
Probably best to only develop and work on projects in a
secure area.
Personnel Security
Hiring controls: background checks for everyone involved
Trust: several attacks come from developers themselves (insiders)
Skills: don't post to public blogs asking for assistance on programming problems; it leaks what you are building and how
Changes in employment
If internal, adjust permissions to remove access that is no longer needed
If leaving the company, remind them to keep company secrets
Always test for what the malicious attacker and the careless user would do
Domain Objectives
SLC vs SDLC
Systems Life Cycle: development, post-development and maintenance phases
System Development Life Cycle: development only; ends shortly after implementation
Iterative Development
Prototyping
Component-Based Development
Reuse Model
Extreme Programming
Interpreted
Basic
REXX
PostScript
Pascal
Perl
Ruby
Python
Compiled (oldest to newest)
Fortran
COBOL
Basic
Pascal
C
ADA
C++
Python
Visual Basic
C#
Program Utilities
Assembler: program that translates an assembly language program into machine language
Interpreter: instead of compiling a program all at once, translates and executes it statement by statement
Hybrid: compilation and interpretation; code is compiled into an intermediate stage (in Java, bytecode) that is then interpreted, which gives compatibility between systems
Transaction Processing
Separation of Duties
Need to Know
Logging
Transaction:
Object-Oriented Programming
OOP Concepts
Distributed Programming
Distributed programming requires abstract communication between hosts: programs located on different computers must be able to use the same program at the same time.
15 core activities
Organization observed
Business objectives
Roles
Framework
Domain Objectives
iFrames
Race condition
Social engineering
Multiple paths to information
Domain Objectives
Botnets
Fast flux botnets
Data hiding
Alternate data streams (ADS)
Non-technical
Pharming
Malware Structure
Infection/reproduction
Target search
Infection
Trigger
Payload
Malware Anti-Detection
Stealth
Tunneling
Polymorphism
Self-decrypting
Virus
Central characteristic is reproduction
Generally requires some action by user
May or may not carry payloads
Virus Types
File infector
Boot Sector Infector
System infector
Email virus
Multipartite
Used to mean a virus that could infect both boot sectors and programs
Now means a virus that can infect more than one type of object, or infect or reproduce in more than one way
Macro Virus
Script Virus
e.g. a Visual Basic Script file (.vbs) that looks like a data file but is executable
Worm
Reproduces
No user action required
Exploits loopholes: often probes the computer looking for specific weaknesses to exploit and/or other computers to compromise
Trojan Horse
Purported to be a positive utility
Hidden negative payload
Social engineering
Logic Bomb
Generally implanted by an insider
Waits for condition or time
Triggers negative payload
Integrity checkers
Chained exploits
Domain Objectives
Database Security
Database Security
Database (day-to-day) and data warehousing (strategic) environments
Eliminate duplication of data
Consistency of data
Network access
Hierarchical database example (tree diagram; only the node labels survived):
Root: Car
Makes: Toyota, Honda, Mazda, Ford, BMW
Models: Honda CRV, Accord, Civic; Mazda3, Mazda6; Ford E Series, Freestar; BMW X3, X5
Leaf attributes: 2door, 4door, Regular, Truck, 5 speed transmission, Leather Interior, 4x4, Front and Rear Climate Controls
Foreign key: an attribute in one table that holds the primary key value of a row in another table, linking the tables without duplicating data
Author table
Author No | Last Name | First Name | State
123456    | Smithson  | Mary       | CA
234567    | Rogers    | Mike       | NY
345678    | Tucker    | Sally      | CT
456789    | Gleason   | Sarah      | IL
Book table (Author No is the foreign key into the Author table)
Book No | Book Title | Price | Author No
        | Computer   | 39.99 | 123456
        |            | 69.99 | 234567
        |            | 39.99 | 345678
        | Computer   |       |
Data Warehouse
Data mart
Metadata
Probabilistic models
Statistical models
Classification approach
Deviation and trend analysis
Neural networks
Expert system approach
Hybrid approach
Inference (guess): deducing information you are not cleared for from data you are allowed to see
Aggregation (conclusion): combining individually harmless pieces of data into a sensitive whole
Unauthorized access
Query attacks
Bypass attacks
Interception of data
Web security
Database Controls
Access controls
Grants
Lock controls
Polyinstantiation
Constrained views
Transaction Controls
Commit statement: writes any and all changes that have occurred to the data during the current transaction
Three-phase commit
Database rollback
Journals/logs
Error controls
Consistency: changes maintain consistency; the database is transformed from one valid state to another valid state, remaining compliant with its rules
Isolation: transactions in progress are invisible to others; guarantees that the results of a transaction are invisible to other transactions until the transaction is complete
Durability: once it says it is done, it stays done; ensures that the results of a completed transaction survive future system and media failures
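An added example, not from the slides, that ties the Author/Book foreign key tables, the commit/rollback transaction controls and the "query attacks / input validation" items together in one in-memory SQLite database: the foreign key refuses an orphan book, a batch insert is committed or rolled back as one unit, and a query built by string concatenation sits beside its parameterized form to show the query attack that parameter binding prevents. The author rows are those from the slides; the book numbers and full titles are constructed.

```python
"""Added example: the Author/Book tables with an enforced foreign key, transactional rollback,
and an injectable query beside its parameterized form (SQLite in memory)."""
import sqlite3
from typing import List, Sequence, Tuple

# Author rows are from the slides; book numbers and the titles beyond "Computer" are constructed.
AUTHORS = [
    (123456, "Smithson", "Mary", "CA"),
    (234567, "Rogers", "Mike", "NY"),
    (345678, "Tucker", "Sally", "CT"),
    (456789, "Gleason", "Sarah", "IL"),
]
BOOKS = [
    (1, "Computer Security", 39.99, 123456),
    (2, "Computer Networks", 69.99, 234567),
    (3, "Computer Forensics", 39.99, 345678),
]


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")     # SQLite ignores REFERENCES unless this is on per connection
    con.executescript("""
        CREATE TABLE author (
            author_no  INTEGER PRIMARY KEY,
            last_name  TEXT NOT NULL,
            first_name TEXT NOT NULL,
            state      TEXT NOT NULL
        );
        CREATE TABLE book (
            book_no   INTEGER PRIMARY KEY,
            title     TEXT NOT NULL,
            price     REAL NOT NULL,
            author_no INTEGER NOT NULL REFERENCES author(author_no)   -- the foreign key
        );
    """)
    with con:
        con.executemany("INSERT INTO author VALUES (?, ?, ?, ?)", AUTHORS)
        con.executemany("INSERT INTO book VALUES (?, ?, ?, ?)", BOOKS)
    return con


def book_count(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM book").fetchone()[0]


def orphan_book_rejected(con: sqlite3.Connection) -> bool:
    """Referential integrity: a book whose author_no matches no author row is refused."""
    try:
        with con:
            con.execute("INSERT INTO book VALUES (?, ?, ?, ?)", (9, "Orphan", 1.0, 999999))
        return False
    except sqlite3.IntegrityError:
        return True


def atomic_batch_insert(con: sqlite3.Connection, rows: Sequence[Tuple]) -> int:
    """All or nothing: the rows go in as one transaction. If any row fails the whole batch is
    rolled back (no partially applied batch); otherwise it is committed. Returns the row count."""
    try:
        with con:                                  # commit on success, rollback on exception
            con.executemany("INSERT INTO book VALUES (?, ?, ?, ?)", rows)
    except sqlite3.IntegrityError:
        pass                                       # the rollback has already happened
    return book_count(con)


def titles_by_state_unsafe(con: sqlite3.Connection, state: str) -> List[str]:
    """String concatenation: the input becomes part of the SQL text, so it can rewrite the query."""
    sql = ("SELECT b.title FROM book b JOIN author a ON a.author_no = b.author_no "
           "WHERE a.state = '%s'" % state)
    return [row[0] for row in con.execute(sql)]


def titles_by_state(con: sqlite3.Connection, state: str) -> List[str]:
    """Parameterized: the input is bound as a value and can never change the query's structure."""
    sql = ("SELECT b.title FROM book b JOIN author a ON a.author_no = b.author_no "
           "WHERE a.state = ?")
    return [row[0] for row in con.execute(sql, (state,))]


if __name__ == "__main__":
    db = open_db()
    print("orphan rejected:", orphan_book_rejected(db))
    print("rows after a batch with one bad row:",
          atomic_batch_insert(db, [(4, "Good", 10.0, 456789), (5, "Bad", 10.0, 0)]))
    hostile = "ZZ' OR '1'='1"                      # constructed attacker input
    print("unsafe:", titles_by_state_unsafe(db, hostile))
    print("safe:  ", titles_by_state(db, hostile))
```

The hostile input turns the concatenated WHERE clause into `a.state = 'ZZ' OR '1'='1'`, which is true for every row; the bound parameter is compared as the literal string and matches nothing, which is the whole point of input validation by construction rather than by filtering.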
Dynamic data
Poorly designed
Lack of audit
Input validation
Telecommunications and
Network Security
Domain Objectives
Network Security Overview
Physical
Data Link
Network
Transport
Session
Presentation
Application
Telephony
Services
Encompasses the structures, transmission methods, transport formats and security measures used to provide integrity, availability, authentication and confidentiality for transmissions over private and public communications networks and media.
Message protection
Confidentiality
Integrity
Non-repudiation
Availability
Redundancy
Single point of failure
Defense in Depth
Series of hurdles
Collection of controls
TCP/IP Model
Network-Based Attacks
DoS
DDoS
Network Attacks
Concepts & Architecture
Physical topologies
Physical layer describes the networking hardware, the format of the communications (bits, bytes, or optical pulses),
as well as cable, wireless connections, etc.
Communication Technology
Network Topology
Mesh
Ring
Star
Network
Topology
Tree
Bus
Bus Topology
Advantages
Scalable
Permits node failure
Disadvantages
Bus failure
Ring Topology
Closed-loop topology
Advantages
Deterministic
Disadvantages
Star Topology
Advantages
Disadvantages
Tree Topology
Advantages
Scalable
Permits node failure
Disadvantages
Mesh Topology
In a full mesh network, every node in the network is connected to every other node in the network
Advantages
Redundancy
Disadvantages
Expensive
Complex
Scalability
Technology & Implementation
Standards
Threats & Countermeasures
Throughput
Data sensitivity/confidentiality
Environment
Cost
Twisted
Pair
Coax
Fiber
Wireless
Twisted Pair
Bandwidth
Length
Fiber Optics
Three components
Light source
Optical fiber cable
Two types
Light detector
Advantages
High bandwidth
Immune to EMI and RFI
Difficult to tap
Disadvantages
Expensive
Difficult to install
802.11 WLAN
Satellite
Microwave
Optical
Patch Panels
Centralized management
Modems
War dialing
Unauthorized modems
Hubs
Repeaters
Cloud Computing
Data storage
Software
Security
Communications
Etc.
Standards
Standard Connections
Types of connectors
RJ-11
RJ-45
BNC (Bayonet Neill-Concelman, often expanded as British Naval Connector)
RS-232 (serial ports)
Cabling Standards
Wireless
Sniffing
Equipment
Modems
Authorized and unauthorized modems
Physical Controls
Wire
Shielding
Conduit
Faraday cage
Penetration index
Wireless
Encryption
Authentication
Equipment
Locked doors & cabinets
Concepts and Architecture
Protocols
Link-layer encryption
Perimeter-based security
Security domains
Network Partitioning
Bastion host
Dual-homed host
Network Partitioning
Three-legged firewall
Disadvantages
Synchronous/Asynchronous
Synchronous
Asynchronous
Unicast
Multicasts
Broadcasts
Circuit-Switched vs Packet-Switched
Circuit-switched network
Packet-switched network
Virtual circuits provide connection between endpoints over high-bandwidth multiuser cable or fiber networks, which cause them to
behave with similar performance characteristics as if the circuit were a dedicated physical circuit
Unicast Point-to-Point
Ts (T carriers)
Es (E carriers)
X.25
Most organizations now opt for frame relay and ATM instead of X.25 for packet switching
Frame Relay
Connection-oriented, using virtual circuits over the carrier's shared network
Like ATM, a packet-switching technology that has largely replaced X.25
Cable Modem
Technology & Implementation
Protocols
Concentrators, Multiplex/Demultiplex
TDM: time-division multiplexing
FDM: frequency-division multiplexing
WDM: wavelength-division multiplexing
Concentrator: combines channels together; often used to permit several remote access connections to terminate on the network at the same time
Multiplexer/demultiplexer: combines several signals into a single data stream, or breaks them apart again
Increasingly sophisticated
802.11b: 11 Mbit/s
802.11i (security; the basis of WPA2)
802.16 (WiMAX)
802.15 (Bluetooth)
Wireless multiplexing
OFDM/DSSS/FHSS (AFH)
Authentication
SSID
SSID broadcast
Wireless Encryption
WEP: static shared secret; once enough traffic has been captured the key can be cracked in 3 to 30 seconds
WPA
WPA2
Protocols
PPP (RFC 1331, since superseded by RFC 1661)
Encapsulation
Link control protocol (LCP)
Network control protocols (NCPs)
PPP provides a standard method of encapsulating Network Layer protocol information over point-to-point links
RARP (RFC903)
Advantages
Disadvantages
Challenge Handshake
Authentication Protocol
CHAP
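An added example, not from the slides, of the CHAP three-way handshake from RFC 1994: the authenticator sends (Identifier, Challenge), the peer answers with MD5(Identifier || secret || Challenge) so the secret itself never crosses the link, and the authenticator returns success or failure. It also shows why a captured response cannot be replayed against a fresh challenge, and the offline dictionary attack an eavesdropper can run on a captured exchange (the "offline brute force" threat listed for this layer), which is why CHAP secrets must be long and random. The peer name, secrets and wordlist are constructed.

```python
"""Added example: CHAP (RFC 1994) challenge/response, and the offline attack on a captured exchange."""
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Holds the per-peer secrets and issues a fresh random challenge for every attempt."""

    def __init__(self, secrets: Dict[str, bytes],
                 rand: Callable[[int], bytes] = os.urandom) -> None:
        self._secrets = secrets
        self._rand = rand
        self._pending: Dict[str, Tuple[int, bytes]] = {}
        self._identifier = 0

    def challenge(self, name: str) -> Tuple[int, bytes]:
        """Step 1: Challenge packet (Identifier, Challenge Value) sent to the peer."""
        self._identifier = (self._identifier + 1) % 256       # Identifier changes per challenge
        chal = self._rand(16)                                  # unpredictable and never reused
        self._pending[name] = (self._identifier, chal)
        return self._identifier, chal

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Step 3: Success/Failure. The pending challenge is consumed whether or not it verifies,
        so a captured response is useless against any later challenge."""
        pending = self._pending.pop(name, None)
        if pending is None or pending[0] != identifier or name not in self._secrets:
            return False
        expected = chap_response(identifier, self._secrets[name], pending[1])
        return hmac.compare_digest(expected, response)          # constant-time compare


def peer_answer(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Step 2: Response packet computed by the peer; only the hash leaves the host."""
    return chap_response(identifier, secret, challenge)


def authenticate(auth: Authenticator, name: str, secret: bytes) -> bool:
    """The full exchange between the two sides."""
    identifier, chal = auth.challenge(name)
    return auth.verify(name, identifier, peer_answer(identifier, chal, secret))


def replay_attempt(auth: Authenticator, name: str, secret: bytes) -> bool:
    """Capture a valid response off the wire, then replay it against the next challenge."""
    identifier, chal = auth.challenge(name)
    captured = peer_answer(identifier, chal, secret)
    auth.verify(name, identifier, captured)                     # the legitimate login completes
    new_id, _new_chal = auth.challenge(name)                    # attacker answers the next challenge
    return auth.verify(name, new_id, captured)                  # ... with the stale response


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                              wordlist: List[bytes]) -> Optional[bytes]:
    """An eavesdropper who captured (Identifier, Challenge, Response) can test candidate secrets
    offline at MD5 speed; nothing in the protocol rate-limits or detects this."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    auth = Authenticator({"branch-router": b"correct horse battery staple"})   # constructed peer
    print("good secret:", authenticate(auth, "branch-router", b"correct horse battery staple"))
    print("bad secret: ", authenticate(auth, "branch-router", b"wrong"))
    print("replay:     ", replay_attempt(auth, "branch-router", b"correct horse battery staple"))
    ident, chal = 7, bytes(range(16))                                        # constructed capture
    resp = chap_response(ident, b"password1", chal)
    print("recovered:  ", offline_dictionary_attack(ident, chal, resp, [b"letmein", b"password1"]))
```

Two practical consequences follow from the code: the authenticator must store the secret in the clear (or reversibly) to recompute the hash, so the secrets file is as sensitive as the passwords themselves; and because MD5 of a short guessable secret is cheap to brute-force, CHAP over an untrusted link protects against replay but not against a patient eavesdropper with a wordlist.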
Protocols
Eavesdropping
Sniffing for reconnaissance
Offline brute force
Unapproved wireless
Integrity
Modification/injection/hijacking
Man-in-the-middle
Force weaker authentication
Availability
DoS/jamming
Others
Concepts & Architecture
Protocols
Moves information between two hosts that are not physically connected
SONET/SDH
Server of servers
Fiber backbone
Switched
Internet/Intranet/Extranet
Internet
Intranet
Extranet
Technology & Implementation
Protocols
IPSEC
Security associations
Tunneling Protocols
Routers
Network routing
Layer 3
Firewalls
Filtering
Filtering by address
Filtering by service
Personal firewalls
Firewalls
Proxy Firewalls
Circuit-Level proxy
Application-level proxy
Firewalls
Firewall Type           | OSI layer         | Characteristics
Packet filtering        | Network Layer     | Allows or denies each packet on its header fields (address, service/port)
Application-level proxy | Application Layer | Deconstructs packets and makes granular access control decisions; requires one proxy per service
Circuit-level proxy     | Session Layer     | Deconstructs packets; protects a wider range of protocols and services than application-level proxies, but at a less detailed level of control
Stateful                | Network Layer     | Tracks the state of each connection so that only packets belonging to an established session are passed
End Systems
Operating systems
Notebooks/laptops/tablet PCs
Workstations
Smartphones
Antivirus
Personal Firewalls
Host-based IDS/IPS
Patch management
Protocols
Routing Protocols
Connectivity Protocols
ICMP
Redirect attacks
Traceroute
Ping scanning
IPv6
Improved security
Vendor specific
Retired
Protocols
IP Attacks
Fragmentation attacks
Teardrop attack
Overlapping fragment attacks
Traceroute exploitation
Sniffing
Ping of death
Encryption as a Threat
External attackers
Internal attackers
Encrypted backdoors
Tunnels to home computer
Tunnels setup to use company resources for personal pursuits
Tunnels setup to protect criminal/improper behavior
Etc.
IP address spoofing
Controls
Policy
Network partitioning
Domain Objectives
Transport
Session
Presentation
Application
Telephony
Services
Protocols
Fast
Low overhead
Mutual authentication
Encryption
Integrity
Attacks
SYN Flood
Denial of Service
Threats
Port scanning
Controls
SYN proxies
Tarpits
Domain Objectives
Session
Presentation
Application
Telephony
Services
Protocols
Client-server model
Mainframe
Centralized systems
Technology & Implementation
Protocols
Microsoft .NET
Protocols
RADIUS
TACACS+
Threats
Unauthorized sessions
Invalid RPC exchanges
Controls
Patch
Block at firewall
Disable unnecessary protocols
Domain Objectives
Presentation
Application
Telephony
Services
Protocols
Data conversion
Mainframe to PC Translation
Gateway
Codec
Compression/decompression
VoIP Protocols
H.323
Domain Objectives
Application
Telephony
Services
Protocols
Technology & Implementation
Protocols
Implementations
Client/Server
IM
XMPP (Jabber)
IRC
Email
WWW
Peer to Peer
File sharing
Protocol Examples
Communication Services
Synchronous messaging
Asynchronous messaging
Proxies
Authenticity
Eavesdropping
Scripting
Social engineering
Tunneling firewalls
Email spoofing
Spam
Domain Objectives
Telephony
Services
Analog
Digital
Data
Technology & Implementation
Telephony Technology
PSTN
PBX
Facsimile
Voice firewalls
VOIP
SIP, H.323
Voice over IP
Reduced cost
Converged technology
Security
Common Threats
War dialing
PBX administration
War driving
Fraudulent toll
Voice eavesdropping
Domain Objectives
Services
Directory Services
Configuration Services
Protocols
DNS Threats
Spoofing
Query manipulation
Information disclosure
Domain litigation
Cybersquatting
Email Threats
Spoofing
Phishing
Buffer overflows
Controls
Mail filtering
IM policy
CISSP Summary
Domain 3 Cryptography
Questions?