
How I Passed the CISSP Test: Lessons Learned in Certification
Presented by Kirk A. Burns, CISSP

Admin Data
Emergency Exits
Breaks
Phones
Other Admin Data

Introduction

Instructor
What is this class going to provide me?
What should I expect to get out of this class?

Class Structure
Broken up into 12 parts
Part 1: introduction
Parts 2-11: will be the domains
Part 12: will be examples of types of questions you might see.
THESE ARE NOT copies of the questions from the exam

What is (ISC)²?

(ISC)²
International Information Systems Security Certification Consortium
Non-profit organization which specializes in information security
education and certifications
Often described as the world's largest IT security organization
Based in Palm Harbor, Florida, USA
Offices in London, Tokyo, Hong Kong, Vienna, Virginia
Over 85,000 certified professionals in 135 countries
http://www.isc2.org

(ISC)² Code of Ethics


Preamble:
The safety and welfare of society and the common good, duty to our
principals, and to each other, requires that we adhere, and be seen to
adhere, to the highest ethical standards of behavior.
Code of Ethics Canons:
Protect society, the common good, necessary public trust and
confidence, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession

BENEFITS OF (ISC)² MEMBERSHIP


Member Benefits
Continuing Education
Security Leadership Series events
Discounts
Worldwide receptions, conferences, RSA, InfoSec, SecureAmerica
Face-to-Face Networking
Virtual Networking
Career Tools, InterSeC

BENEFITS OF (ISC)² MEMBERSHIP


Industry Awards
Resources
InfoSecurity Professional Magazine
Information Security Perspective journal
Member submitted security awareness materials
Volunteer Opportunities
http://staysafeonline.org

What is CISSP?

Certified Information Systems Security Professional


Governed by (ISC)²
Worldwide recognition of competence
Practical understanding of information security issues and solutions
ANSI accreditation based on the ISO/IEC 17024:2003 standard
(obtained in June 2004)
Awareness of security challenges
As of November 2013, reported to have 90,198 members worldwide in
149 countries

ROLE OF THE CISSP


CISSPs often hold job functions such as:

Security Consultant
Security Manager
IT Director/Manager
Security Auditor
Security Architect
Security Analyst
Security Systems Engineer
Chief Information Security Officer
Director of Security
Network Architect

ROLE OF THE CISSP

Develops and oversees the implementation of the organization's
information security policies and procedures
Provides advice on implementation of information security solutions and
technologies
Monitors compliance with regulatory bodies and employees,
contractors, alliances and other 3rd parties

COMMON BODY OF KNOWLEDGE

CBK
The (ISC)² CBK is a compendium of topics relevant to information
security professionals around the world. The (ISC)² CBK is the accepted
standard in the industry, the subject of many books written on information
security, and the core of the university information assurance programs
around the globe. The CBK continues to be updated annually by (ISC)²
CBK Committees comprised of members from many industries and
regions around the world, to reflect the most current and relevant topics
required to practice in the field. (ISC)² uses the CBK domains to assess a
candidate's level of mastery of information security.

How to Get Your CISSP Certification


1) Obtain the Required Experience
   a) must have a minimum of five (5) years cumulative paid full-time work
      experience in two (2) or more of the ten (10) domains.
   b) May receive a one year experience waiver with a four-year college degree,
      or regional equivalent OR additional credential from the (ISC)² approved list
      (requiring four (4) years of direct full-time professional security work
      experience in two or more of the ten domains)
2) Study for the Exam
3) Schedule the Exam
4) Pass the Exam
5) Complete the Endorsement Process
6) Maintain the CISSP Certification

CISSP EXAM
The CISSP exam

250 questions
6 hours
To pass must get 700 points out of 1000
BE ON TIME!!!!!!
Bring admission letter
Must have government issued Photo ID
Bring pencil and eraser
~$500

ENDORSEMENT PROCESS
What is needed for the Endorsement Process
Provide a recent resume
Complete the Examination Registration Form
Submit a completed and executed Endorsement Form

MAINTENANCE REQUIREMENTS
To maintain the CISSP certification and remain in good standing with
(ISC)², you are required to:
Pay the Annual Maintenance Fee (AMF) of $85 USD at the end of
each certification year
Earn and submit 120 credits over three years. A minimum of 20 CPEs
must be posted during each year of the three year certification cycle

THE DOMAINS

Access Control
Business Continuity and Disaster Recovery Planning
Cryptography
Information Security Governance and Risk Management
Legal, Regulations, Investigations, and Compliance
Operations Security
Physical (Environmental) Security
Security Architecture and Design
Software Development Security
Telecommunications and Network Security

Golden Rule
1. People Safety First
2. Management buy-in is Critical
3. Everyone is responsible for Security
4. Training is Essential
5. Policy is the Key to (nearly) everything

What If I Don't Have The Experience?

For those who don't have the experience, there is the Systems Security
Certified Practitioner (SSCP)
Only need 1 year of experience
Domains covered:
Access Controls
Cryptography
Malicious Code and Activity
Monitoring and Analysis
Networks and Communications
Risk, Response and Recovery
Security Operations and Administration

Access Control

Domain Objectives

Provide definitions and key concepts


Identify access control categories and types
Discuss access control threats
Review system access control measures
Understand Intrusion Detection and Intrusion Prevention
systems
Understand Access Control assurance methods

Access Control
Is the basic foundation of information security
Implemented differently depending on whether the area of
implementation is physical, technical or administrative.
Categories include:
Preventive
Detective
Corrective
Deterrent
Recovery
Directive
Compensating
Often used in combination

Access Control

A comprehensive threat analysis will identify the areas that will provide
the greatest cost-benefit impact.
The field of access control is constantly evolving. Organizations need to
know what is available and what methods will best address their issues.
Data and system access control are NOT the same. User might have
access to a system but not to the data. Think need-to-know
Access control assurance addresses the due diligence aspect of
security.
Implementing a control is part of due care, but due diligence involves
regularly checking to ensure that the control is working as expected.

Information Security TRIAD

Domain Objectives

Definitions of Key Concepts

Access Control Categories and Types


Access Control Threats
Access to System
Access to Data
Intrusion Prevention and Detection Systems
Access Control Assurance

Basic Requirements

Security - ensure only authorized users and processes are able to access or
modify
Reliability - ensure control mechanisms work as expected, every time
Transparency - have minimal impact on the ability of authorized users to
interface with the system and do their job
Scalability - should be able to handle a wide range of changing systems and
user load without compromising system performance
Maintainability - if too time-consuming or complicated, admins may not keep
them up to date
Auditability - should provide audit trails
Integrity - must be designed to protect from unauthorized changes
Authentic - help ensure that data input is authentic

Key Concepts

Separation of duties - no one person should have control over the process.
Allowing this could allow a person to manipulate the system for personal
gain. Process should be broken down into individual steps executed by
different people.
Rotation of duties - prevents collusion between two or more people. This
minimizes the chance of or exposes fraud. Forced vacation can provide
the same effect.
Core element of the Clark-Wilson Integrity model
Least privilege - only allow access to resources that are absolutely needed
for work
Need-to-know - just because you have the clearance doesn't mean you
really need to know the data or process
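A small illustration of separation of duties and least privilege in code. This is an added example, not from the slides: the two-step payment workflow, the role names (clerk, approver, auditor) and the role-to-action table are all constructed for the demonstration.

```python
"""Separation of duties and least privilege, as an added illustration.

Constructed example (not from the slides): a payment goes through two
steps, "submit" and "approve", and policy forbids the same person from
performing both. Least privilege is modelled by granting each role only
the actions its job needs.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Role -> permitted actions. Each role carries only what the job requires.
ROLE_PERMISSIONS = {
    "clerk": {"submit"},
    "approver": {"approve"},
    "auditor": {"read_log"},
}


class PolicyViolation(Exception):
    """Raised when an action would break least privilege or separation of duties."""


@dataclass
class Payment:
    amount: int
    submitted_by: Optional[str] = None
    approved_by: Optional[str] = None
    log: List[Tuple[str, str]] = field(default_factory=list)


def check_privilege(user_roles: Set[str], action: str) -> None:
    """Least privilege: the union of the user's roles must grant the action."""
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user_roles))
    if action not in allowed:
        raise PolicyViolation(f"{action} not permitted for roles {sorted(user_roles)}")


def submit(payment: Payment, user: str, user_roles: Set[str]) -> None:
    check_privilege(user_roles, "submit")
    payment.submitted_by = user
    payment.log.append(("submit", user))


def approve(payment: Payment, user: str, user_roles: Set[str]) -> None:
    check_privilege(user_roles, "approve")
    if payment.submitted_by is None:
        raise PolicyViolation("nothing to approve")
    # Separation of duties: the submitter never approves their own payment,
    # even when they also hold the approver role.
    if user == payment.submitted_by:
        raise PolicyViolation("submitter cannot approve their own payment")
    payment.approved_by = user
    payment.log.append(("approve", user))


def run_scenarios() -> dict:
    """Three constructed cases: two-person flow, self-approval, missing privilege."""
    results = {}

    p = Payment(amount=500)
    submit(p, "alice", {"clerk"})
    approve(p, "bob", {"approver"})
    results["two_person_ok"] = p.approved_by == "bob"

    p2 = Payment(amount=900)
    submit(p2, "carol", {"clerk", "approver"})  # carol holds both roles
    try:
        approve(p2, "carol", {"clerk", "approver"})
        results["self_approval_blocked"] = False
    except PolicyViolation:
        results["self_approval_blocked"] = True

    p3 = Payment(amount=100)
    try:
        approve(p3, "dave", {"auditor"})  # auditors cannot approve at all
        results["least_privilege_enforced"] = False
    except PolicyViolation:
        results["least_privilege_enforced"] = True

    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The point worth noticing is that the role check alone would let carol approve her own submission; the separation-of-duties rule has to be a separate check on the transaction's history, which is exactly what the slide's "individual steps executed by different people" requires.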

Information Classification

Is the PROPER assessment of the sensitivity and criticality of information
Ensures that info is neither improperly disclosed nor overprotected
Objectives:
Identify info that needs to be protected
Standardize labeling
Alert authorized holders of protection requirements
Comply with laws, regulation, etc.
Benefits - keeps cost down
Example of classification:
Public, internal use only and company confidential
Compartmentalized information - information that requires special
privilege to access

Information Classification Procedures

Scope - risk analysis will evaluate data for classification. Things to consider:
Exclusive possession (trade secrets, etc.)
Usefulness
Cost to recreate
Legal or regulatory liability
Operational impact
Etc.
Process - goal is to achieve a consistent approach to handling classified
information
Marking and labeling for all types of media to include video
Human readable
Machine readable
Assurance - regular internal and possibly external audits should be done

Domain Objectives

Definitions of Key Concepts

Access Control Categories and Types

Access Control Threats


Access to System
Access to Data
Intrusion Prevention and Detection Systems
Access Control Assurance

Access Control Types

Administrative - policies and procedures
Technical/logical - use of hardware and software controls
Physical - manual, structural or environmental controls to protect
facilities and resources

Access Control Categories


Preventive - block unwanted actions. However, only effective if
employees see these as necessary
Detective - identify, log and alert management of unwanted
actions (during or after event)
Corrective - remedy the circumstances that enabled event
Directive - controls dictated by organizational and legal authorities
Deterrent - prescribe some sort of punishment
Recovery - restore lost resources or capabilities
Compensating - backup controls that come into effect when
normal controls are unavailable

Domain Objectives

Definitions of Key Concepts


Access Control Categories and Types

Access Control Threats

Access to System
Access to Data
Intrusion Prevention and Detection Systems
Access Control Assurance

Access Control Threats

Denial of service
Password crackers
Dictionary
Brute force
Rainbow tables
Keystroke loggers
Spoofing/masquerading
Machine
Impersonation
Sniffers
Shoulder surfing/swiping
Dumpster diving
Emanations
Time of Check (TOC)/Time of Use (TOU)

Domain Agenda

Definitions of Key Concepts


Access Control Categories and Types
Access Control Threats

Access to System
Access to Data
Intrusion Prevention and Detection Systems
Access Control Assurance

System Access Control

Identification - process of recognizing users or resources as valid
accounts
Authentication - verification of the identity of the person or node
Authorization - determines what a user or node is allowed to do
once identified and authenticated
Accountability - ability to track user activity

Identification Methods

Most common is UserID, account number, email or PIN
Biometrics can also be used
Guidelines - unique UserID unless anonymity is required
RFID can be used in place of above methods to identify user
MAC and IP address used primarily to identify a node on the network
Security user registration - user interacts with a registration authority to
become an authorized member of the domain
1. UserID, encryption keys, job title, email, etc.
2. User validation

Authentication Methods

Knowledge (something you know)


Ownership (something you have)
Characteristics (something you are)

Identity and Access Management


Need for identity management - needed to manage,
authenticate, authorize, provision, de-provision and protect
identities
Challenges - the more complex a network and data protection
system, the more challenging to manage
Identity management technologies - designed to centralize and
streamline the management of user ids, authentication and
authorization

Identity Management Challenges


Consistency - user data entered across different systems MUST
be consistent
Reliability - user profile data should be reliable. Especially if used
to control access to data or resources
Usability - multiple logins over multiple systems might not be the
best idea
Efficiency - using an identity management system can decrease
costs and improve productivity for both users and administrators
Scalability - the management system used must be able to scale
to support the data, systems and peak transaction rates

Identity Management Challenges


Principals
Insiders - employees and contractors
Outsiders - customers, partners, vendors, etc.
Data - different types of data about principals must be managed
Personal, legal and access control
Some of this data might have regulatory requirements

Life Cycle
Initial setup - when user joins
Change and maintenance - routine pw change, name changes, etc.
Tear-down - when user leaves

Identity Management Technologies


Web Access Management (WAM)
Password management
Account management
Profile update

Access Control Technologies

Single sign-on
Kerberos
SESAME - protocol developed by the European Union. Also known as
SSO
Web Portal Access
Directory services
Security domains

Domain Objectives

Definitions of Key Concepts


Access Control Categories and Types
Access Control Threats
Access to System

Access to Data
Intrusion Prevention and Detection Systems
Access Control Assurance

Access to Data

Implementations:
Mandatory
Temporal
Discretionary
Role
Rule
Content
Privacy

Descriptions:
List
Matrix
Capabilities
Non-discretionary
Constraints
Centralized
Decentralized

Access Control Lists (ACL)

Most common implementation of Discretionary Access Control (DAC)
Provide easy method to specify which users are allowed access to which
objects
Objects/subjects
Files/users
O.S. dependent

Each OS has its own way of representing ACLs.
UNIX - 3 subjects: owner, group and world, with 3 permissions: Read, Write,
Execute
ACL support in Linux is available for Ext2, Ext3, IBM JFS, ReiserFS and
SGI XFS
Microsoft - unlimited # of subjects and 26 permissions
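An added example (not from the slides) of how the UNIX owner/group/world model is evaluated, and of the earlier point that having a system account is not the same as having access to the data on it. The uids, gids and the payroll file are constructed for the illustration; the evaluation order (owner, then group, then other, with no fall-through) is how UNIX does it.

```python
"""Evaluating UNIX owner/group/world permission bits, as an added illustration.

Constructed example (not from the slides): a file's mode bits plus its
owner uid and group gid decide whether a subject (uid, set of gids) may
read, write or execute it. The uid/gid values are made up.
"""
import stat

# Which bit grants each permission for the owner, group and other classes.
PERM_BITS = {
    "read": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "execute": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def unix_access(mode, file_uid, file_gid, subject_uid, subject_gids, perm):
    """Return True if the subject may perform perm on the object.

    UNIX picks exactly one class for the subject, in the order owner, group,
    other, and does not fall through to a more permissive class. root (uid 0)
    bypasses read/write checks but still needs at least one execute bit set.
    """
    owner_bit, group_bit, other_bit = PERM_BITS[perm]
    if subject_uid == 0:
        if perm != "execute":
            return True
        return bool(mode & (owner_bit | group_bit | other_bit))
    if subject_uid == file_uid:
        return bool(mode & owner_bit)
    if file_gid in subject_gids:
        return bool(mode & group_bit)
    return bool(mode & other_bit)


def mode_string(mode):
    """Render the nine permission bits the way ls -l does, e.g. rw-r-----."""
    return stat.filemode(mode | stat.S_IFREG)[1:]


def demo():
    """Constructed payroll file owned by uid 1001 (hr), group 2001 (finance), mode 640."""
    mode = 0o640
    payroll_uid, payroll_gid = 1001, 2001
    return {
        "mode": mode_string(mode),
        # owner may write
        "owner_write": unix_access(mode, payroll_uid, payroll_gid, 1001, {2001}, "write"),
        # finance member may read but not write
        "group_read": unix_access(mode, payroll_uid, payroll_gid, 1002, {2001, 100}, "read"),
        "group_write": unix_access(mode, payroll_uid, payroll_gid, 1002, {2001}, "write"),
        # a valid account outside the group has system access but no data access
        "other_read": unix_access(mode, payroll_uid, payroll_gid, 1003, {100}, "read"),
        # owner class is chosen even when the group class would be more generous
        "owner_no_fallthrough": unix_access(0o060, payroll_uid, payroll_gid, 1001, {2001}, "read"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last case is the one that surprises people during reviews: a file with mode 060 is unreadable by its own owner even though the owner is in the group, because the class is selected first and only then is the bit tested.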

Centralized/Decentralized Access Control

Centralized access control - one entity makes network access decisions.
Owners decide which users can access specific objects and the administration
supports these directives.
RADIUS
TACACS+
Diameter (RADIUS based but enhanced to overcome inherent limitations)

Decentralized access control - decisions and admin are implemented
locally, allowing people closer to the resource security controls.
Often causes confusion because it can lead to non-standardization,
overlapping rights, etc.
P2P

Domain Objectives

Definitions of Key Concepts


Access Control Categories and Types
Access Control Threats
Access to System
Access to Data

Intrusion Prevention and Detection Systems


Access Control Assurance

Intrusion Detection Systems

Network Based - NIDS = Packet
Host-Based - HIDS = Permission
Application-Based - AIDS/APIDS = Process

Intrusion Prevention Systems


Host-based
Network-based
Content-based
Rate-based
KPI (Key Performance Indicator) - measure effectiveness

Analysis Engine Methods


Pattern or signature-based
Pattern matching
Stateful matching

Anomaly-based
Statistical
Traffic
Protocol

Heuristic scanning

IDS/IPS Examples
Anomaly
Multiple failed logins
User logged in at unusual times
Unexplained changes to system clocks
Unusual number of error messages
Unexplained system shutdowns/restarts

Response
Dropping suspicious packets
Denying access to suspicious users
Reporting suspicions to other system hosts/firewalls
Changing IDS configurations

Alert
IM
Email
Pager
Audible alarm
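Two of the anomaly indicators on the slide (multiple failed logins, a user logged in at an unusual time) turned into detection logic over constructed log lines. This is an added example, not from the slides or any IDS product: the log format, the threshold of three failures and the 08:00-17:59 business-hours window are assumptions chosen for the illustration.

```python
"""Anomaly checks from the IDS/IPS slide, run over constructed auth log lines.

Added example, not from the slides. The syslog-like format, the failure
threshold and the business-hours window are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2024-03-04 09:12:01 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-04 09:12:05 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-04 09:12:09 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-04 09:12:14 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-04 09:12:20 host1 sshd: Accepted password for alice from 10.0.0.5
2024-03-04 03:41:17 host1 sshd: Accepted password for bob from 10.0.0.9
2024-03-04 14:02:33 host1 sshd: Accepted password for carol from 10.0.0.7
garbage line that the parser must not trust
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)

FAILED_LOGIN_THRESHOLD = 3      # assumed: alert on the third failure per user/source
BUSINESS_HOURS = range(8, 18)   # assumed: 08:00-17:59 is "usual"


def parse(log_text):
    """Parse lines into dicts; lines that do not match the format are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return events


def detect(events):
    """Return (rule, user) alerts for the two anomaly rules, in log order."""
    alerts = []
    failures = defaultdict(int)
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "Failed":
            failures[key] += 1
            # fire once, when the threshold is reached, not on every later failure
            if failures[key] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("multiple_failed_logins", e["user"]))
        elif e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("login_unusual_time", e["user"]))
    return alerts


def run():
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user in run():
        print(f"ALERT {rule}: {user}")
```

Two design choices matter in practice: unparsable lines are discarded rather than guessed at, and the failure rule fires once at the threshold so a burst of twenty failures produces one alert rather than eighteen.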

Domain Objectives

Definitions of Key Concepts


Access Control Categories and Types
Access Control Threats
Access to System
Access to Data
Intrusion Prevention and Detection Systems

Access Control Assurance

Access Control Assurance

Audit trail monitoring


Vulnerability assessment tools

Penetration Testing Overview

Definition
Areas to test
Methods of testing
Testing procedures
Testing hazards

Areas to Test
Application security
Denial of Service (DoS)
War dialing
Wireless penetration
Social engineering
PBX and IP telephony

Penetration Testing Methods


Attack perspectives
External
Internal
Attack strategies
Zero-knowledge
Partial-knowledge
Full-knowledge
Targeted
Double-blind

Testing Steps
Discovery
Enumeration
Vulnerability mapping
Exploitation

Testing Hazards and Reporting


Production interruption
Application abort
System crash
Documentation
Identified vulnerabilities
Countermeasure effectiveness
Recommendations
KPI - Key Performance Indicators

Access Control Domain Summary

Definitions of Key Concepts


Access Control Categories and Types
Access Control Threats
Access to System
Access to Data
Intrusion Prevention and Detection Systems
Access Control Assurance

Business Continuity and Disaster Recovery Planning

Domain Objectives

Business Continuity Management (BCM) Project


Planning

Understanding the Organization


Recovery Strategy Selection
Creating the Plan(s)
Developing and Implementing Response
Testing, Update, and Maintenance of the Plan

Planning Should Occur BEFORE You Need It

BS 25999: Business Continuity Management

Risk Management

Health & Safety

Knowledge Management

Emergency Management

Security

Crisis Communications and PR

Disaster Recovery
Facilities Management
Supply Chain Management
Quality Management

Information Security Priorities


Keeping CRITICAL products and services going
Availability
Integrity
Confidentiality

Out of Business!!!

What should be done in a crisis when most controls are missing?

The Business Continuity Life Cycle Overview


Analyze the business
Assess the risks
Develop the BC strategy
Develop the BC plan
Rehearse the plan

BCM Project Management


Senior management support
Policy
Access to key personnel
Budget
Immediate and ongoing budget

BCM Project Management


Project management

Scope
Timelines
Deliverables
Team members
Tools

Initiating BCP
Awareness, data and implementation
Staff and budget
Result must be a long-term, sustainable program
Review progress monthly (suggestion)

Documentation

Review current BCP, if available


Documentation may not equal capability
Staff must be trained to use any necessary software
Types of BCM document
Policy, including scope and principles
Business impact analysis
Risk and threat assessment
Strategies, including (if able) papers supporting the choice of strategies
adopted
Response plans
Test schedule and reports
Awareness and training program
Service level agreements with customers and suppliers
Contracts for 3rd party recovery services such as workspace and salvage
Review/update as directed by policy

Domain Objectives

Business Continuity Management (BCM) Project Planning

Understanding the Organization

Recovery Strategy Selection


Creating the Plan(s)
Developing and Implementing Response
Testing, Update, and Maintenance of the Plan

Understanding BCM Priorities


Business priorities
Policy/culture
Critical services and products
Legal and regulatory requirements

Risk Assessment and Management


Management is often NOT an IT person. Might have different
priorities
Risk management versus business continuity planning
Risk management - tactical
Business continuity - strategic
Coordination between risk assessment and business impact
analysis
Purpose of risk management?

Threat Identification
Natural/environmental
Human/man-made
Utility
Supply chain
Equipment
Facility
Loss of key personnel

Understanding the Organization


Business Impact Analysis (BIA)
Benefits
Objectives
Indicators of critical business functions
Time sensitivity
Data integrity
Classification

Business Impact Analysis


Identifies, quantifies, and qualifies loss over time
Business impact analysis process
Workshops
Questionnaires
Interviews
Observation

Business Impact Analysis


Business justifications for budget
Maximum Tolerable Downtime (MTD)/ Maximum Tolerable Period
of Downtime/Disruption (MTPD)
Recovery Point objective (RPO)
Document dependencies
Third party dependencies and liabilities
Service level agreements

Incident Readiness & Response


Planners become leaders
Be prepared
Triage
Incident management
Success = return to operations
Application of lessons learned

Continuity Requirement Analysis


Identify supporting activities and resources
Outcomes feed BCP strategy selection
Reviewed with BIA

Domain Objectives

Business Continuity Management (BCM) Project Planning


Understanding the Organization

Recovery Strategy Selection


Creating the Plan(s)
Developing and Implementing Response
Testing, Update, and Maintenance of the Plan

Determining Recovery Strategy


Determining BC strategies
Strategy options
Data
Activity continuity options
Resource-level consolidation

Determining Recovery Strategy


High-level strategies - purpose is to ensure overall continuity
strategy appropriately supports the delivery of the org's
products/services
Recovery Time Objective (RTO) < Maximum Tolerable
Downtime/Disruption (MTPD)
Separation distance - how far away is the recovery site
Cost/benefit analysis - best strategy is often determined by cost
Address specific business types
Different business functions have different recovery solutions

Recovery Alternatives

| Alternative | Description | Readiness | Cost |
|---|---|---|---|
| Multiple processing/mirrored site | Fully redundant identical equipment & data | Highest level of availability & readiness | Highest |
| Mobile site/trailer | Designed, self-contained IT & communications | Variable drive time; load data & test systems | High |
| Hot site | Fully provisioned IT & office, HVAC, infrastructure & communications | Short time to load data, test systems. May be yours or vendor staff | High |
| Warm site | Partially IT equipped, some office, data & voice communications | Days or weeks. Need equipment, data, infrastructure | Moderate |
| Cold site | Minimal | Weeks or more. Need | Lowest |
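An added example, not from the slides, of the selection rule stated earlier (RTO must be below MTPD, and among feasible options cost usually decides). The RTO figures and relative cost units follow the slide's ordering (mirrored site fastest and dearest, cold site slowest and cheapest) but are constructed numbers, not vendor data; the business functions and their MTPDs are constructed too.

```python
"""Choosing a recovery alternative from RTO, MTPD and cost.

Added illustration of the rule RTO < MTPD. All figures are constructed
(hours and relative cost units), not measured or quoted values.
"""

# Constructed readiness figures, following the slide's ordering only.
ALTERNATIVES = {
    "mirrored_site": {"rto_hours": 0.5, "cost": 5},
    "hot_site": {"rto_hours": 12, "cost": 4},
    "mobile_site": {"rto_hours": 48, "cost": 3},
    "warm_site": {"rto_hours": 24 * 7, "cost": 2},
    "cold_site": {"rto_hours": 24 * 21, "cost": 1},
}


def feasible(alternatives, mtpd_hours):
    """Alternatives whose RTO is strictly below the function's MTPD."""
    return {name: a for name, a in alternatives.items() if a["rto_hours"] < mtpd_hours}


def select_strategy(alternatives, mtpd_hours):
    """Cheapest feasible alternative; ties broken by faster RTO; None if nothing fits."""
    options = feasible(alternatives, mtpd_hours)
    if not options:
        return None
    return min(options, key=lambda n: (options[n]["cost"], options[n]["rto_hours"]))


def plan(business_functions, alternatives=ALTERNATIVES):
    """Map each BIA business function (name -> MTPD in hours) to a strategy.

    Different functions get different solutions, as the slide says. A value
    of None means no alternative meets the MTPD and the gap must be escalated
    rather than silently accepted.
    """
    return {fn: select_strategy(alternatives, mtpd) for fn, mtpd in business_functions.items()}


if __name__ == "__main__":
    # Constructed BIA output: MTPD per business function, in hours.
    bia = {"online_orders": 4, "payroll": 72, "archive_retrieval": 24 * 30, "trading_feed": 0.25}
    for fn, choice in plan(bia).items():
        print(f"{fn}: {choice}")
```

The strict inequality is deliberate: an RTO equal to the MTPD leaves no margin for the declaration delay and the time spent on the initial assessment, both of which the incident management slides later list as steps that happen before recovery starts.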

Processing Agreements

| Agreement | Description | Considerations |
|---|---|---|
| Reciprocal or Mutual Aid | Two or more organizations agree to recover critical operations for each other | Technology upgrades/obsolescence or business growth. Security and access by partner users. |
| Contingency | Alternate arrangements if primary provider is interrupted, i.e., voice or data communications | Providers may share paths or lease from each other. Question them |
| Service Bureau | Agreement with application service provider to process critical business functions | Evaluate their loading, geography and ask about backup mode. |
| Remote Working Arrangements | Ability to telecommute or work from home | Sensitive data controls, unauthorized equipment |

Domain Objectives

Business Continuity Management (BCM) Project Planning


Understanding the Organization
Recovery Strategy Selection

Creating the Plan(s)


Developing and Implementing Response
Testing, Update, and Maintenance of the Plan

Business Continuity Plan


Master Plan
Modular in design
Executive endorsement
Review quarterly

BCP Contents
When will team be activated?
How will the team be activated?
Where will everyone meet?
Is there an Action Plan/Task List?
Is there any reporting? If so, to whom?

BCP Contents
Responsibilities of the team or specific individuals

Liaising with emergency services (fire, police, ambulance)


Receiving or seeking information from response teams
Reporting information to the incident management team
Mobilizing third-party suppliers of salvage and recovery
services
Allocating available resources to recovery teams
Location/mobilization instructions

Developing Response Plans

Incident response structure - plans that answer "What do we do
now?" Emergency response procedures, personnel notification,
backup and offsite storage, etc.
Emergency response procedures
Personnel - executive succession plan, executive crisis
management roles, BC coordinator and teams, notification lists, PR
Communications - emergency systems, business systems
communications and networks
Alternate site considerations - utilities, communications,
environmental protection, workspace protection
Logistics and supplies - personnel and materials transport,
personnel support and welfare, remote worker activation, emergency
funds, protection against fraud and looting, safety and legal issues,
escalated management authority

Creating Recovery Plans


Recovery procedures
Recovery priorities
Activation of alternate site or processes
Data recovery
Business resumption plan

Creating Disaster Recovery Plans


Disaster recovery
Recover out to the alternate MOST critical first
Recover back to the primary LEAST critical first
Responsibilities and authority
Outlines what needs to be done
Outlines who will do the work
Since this may be happening at the same time as
the incident, recovery should be done (if possible)
by a different team comprised of technical experts
and system engineers who can rebuild the failed
systems

Creating Restoration Plans


Rebuilding of primary site
Facility restoration
System restoration
Priorities
Data synchronization
Salvage
Closure of alternate site

Topics to Address in Plans


Equipment
Procurement (vendor agreement)
Facilities
Environmental controls
Fire and water protection
Personnel

Topics to Address in Plans


Data
Offsite storage requirements
Utilities
Communications
Logistics and supplies

Resource-Level Consolidation
Consolidation plan
Availability of solutions
Consolidate, approve and implement
Outcomes and deliverables

Domain Objectives

Business Continuity Management (BCM) Project Planning


Understanding the Organization
Recovery Strategy Selection
Creating the Plan(s)

Developing and Implementing Response


Testing, Update, and Maintenance of the Plan

Incident Response Management

Strategic Level: Incident Management Plan (IMP) - defines how the
strategic issues of a crisis will be managed by chief executive/senior
managers. May include crises that do not result in interruptions (hostile
takeover, media exposure, etc.).
Tactical Level: Business Continuity Plan (BCP) - addresses business
disruption, interruption, or loss from the initial response till normal business
resumes.
Operational Level: Activity Resumption Plans - provide plans for
resuming normal business functions. Might provide logical and technical
structure for restoring services or use of alternate facilities.

Implementing Incident Management

Crisis management

Rapid response is critical


Triage (alerts)
Notification
Health and safety of personnel (people first)
Escalation
Executive succession

Initial Assessment

Damage assessment

Declaring a disaster

Mobilization of response teams

Permanent and virtual teams

Documentation and Communication

Documentation of the incident

Feedback and analysis

Communications

Public relations

Domain Objectives

Business Continuity Management (BCM) Project Planning


Understanding the Organization
Recovery Strategy Selection
Creating the Plan(s)
Developing and Implementing Response

Testing, Update, and Maintenance of the Plan

Testing the Program


Find the flaws
Outsourcing
Timetable for tests
Designing a test
Define success/failure BEFORE test begins

Testing Types

| Type | Process | Participants |
|---|---|---|
| Desk check | Check the contents of the plan; aid in maintenance | Author |
| Walk through | Check interaction and roles of participants | Author and main people |
| Simulation | Includes: business plans, buildings and communication | Main people and auditors |
| Parallel testing | Moves work to another site; recreates the existing work from the displaced site | Everyone at test location |
| Full interruption | Shuts down and relocates all work | Everyone at both locations |

Frequency runs from often (desk check) to seldom (full interruption); complexity runs from LOW to HIGH in the same order.

Testing BCP Arrangements


Test, rehearsal and exercise
Combining individual tests to ensure complete coverage
Stringency, realism, and minimal exposure
Risks of testing
Scope and documentation of a test
Outcomes

Embedding BCP into the Organization

Assessing level of awareness and training


Develop levels of training for individuals
Developing BCP within the culture
Educate employees not only of what they are supposed to do
but WHY they are doing it that way
Monitoring cultural change
Get feedback. Sometimes the best solution to a problem will
come from the most unexpected person

Specialized Training Needs

EOC (Emergency Operations Center)


Specialized skills
Forensic
Interviewing
Technical
Crisis management
PR
Etc.

Maintaining BCP Arrangements

Ready and embedded


Aligned with change-management procedures
Owners keep information current
Documented
Review as needed

BCP Maintenance

Updating
Annual review at a minimum
Subsequent to tests to immediately identify fail points and
needed changes
Response to audits to address issues found
Version control to ensure everyone is working off the most
current plan
Distribution of plan to ensure everyone is working off the most
current plan

Reviewing BCP

Audit
Independent BCP audit opinion
As directed by audit policy

Factors for BCM Success

Supported by senior management


Everyone is aware
Everyone is invested
Consensus

Business Continuity and Disaster Recovery Planning
Domain Summary

Business Continuity Management (BCM) Project Planning


Understanding the Organization
Recovery Strategy Selection
Creating the Plan(s)
Developing and Implementing Response
Testing, Update, and Maintenance of the Plan

Cryptography

Domain Objectives
Definitions

History
Uses
Cryptographic Methods
Encryption Systems
Algorithms
Cryptanalysis and Attacks
Implementations

Concepts and Definitions


Cryptology - the study of cryptography and cryptanalysis
Cryptanalysis - practice of defeating the protective properties of
cryptography. Reading protected info, altering messages or
integrity values and violating authentication. The practice of testing
cryptographic algorithms to determine their strength or resistance
to compromise.
Cryptography - from Greek words kryptos (hidden) and
graphia (writing). Mathematical manipulation of information to
prevent the information from being disclosed or altered.

Basic Goals of Cryptography

Confidentiality - prevent unauthorized people from being able to detect
or understand a message
Integrity - detect if a message has been tampered with or corrupted
Authenticity - ensure that message has been sent to correct person
and in correct order, including prevention of replay attacks
Non-repudiation - sender cannot deny sending
Access control - encrypted passwords, token-based access control
devices provide protection for systems and applications
Make compromise difficult - make the attack either too expensive or
too time-consuming to be worth the effort

Concepts & Definitions

Cryptosystem - device or process used to perform encryption and
decryption operations
Plaintext/Cleartext - human readable message
Ciphertext/Cryptogram - enciphered, encrypted, or scrambled
message
Cryptographic Algorithm - mathematical function that determines the
cryptographic operations
Cryptovariable (key) - often secret value used to transform the
message into the encrypted message
Key Space - total number of keys available to the user of a
cryptosystem

Concepts & Definitions

Encrypt/Encipher - scrambling a plaintext message by using an
algorithm, usually in conjunction with a key
Encode - similar to enciphering or encrypting except that it does not
use a key
Decipher/Decrypt/Decode - descrambling an encrypted message and
converting it to plaintext

Basic Transformation Techniques

Substitution - change value, not position.
Transposition/Permutation - change the relative position of values
without replacing them (bit-shuffling)
Compression - change position, not value. Decrease redundancy
before plaintext is encrypted. Used to save on bandwidth and storage.
Entropy - maximum amount of compression that can be applied
Expansion - typically used to increase the size of plaintext to match the
size of keys or subkeys
Padding - adding additional material to plaintext before encrypting.
Addresses weaknesses in an algorithm and foils traffic analysis

XOR: Exclusive Or

Fast arithmetic function used in many computer operations
Binary math: adds two bits (addition modulo 2)
If both input values are the same the output is a zero (i.e., 1+1=0;
0+0=0)
If the input values are different the output is a one (i.e., 1+0=1;
0+1=1)

Keys and Cryptovariables

Key management: the principles and practices of protecting the keys throughout their lifecycle
Key expiry/cryptoperiod: keys should be changed on a regular basis. The length of time should be based on
the algorithm and the level of protection required
Key mixing/Key schedule: the DES key has a nominal length of 56 bits (actual length 64, but 8 bits are used
for parity). DES performs 16 rounds of substitution and transposition, each round using a 48-bit subkey
generated from the original 56-bit key. AES uses a key schedule to generate a completely new round key
from the original key for each round
Keystreams: a pseudo-random sequence that is generated from the input key and mixed with the input
message
Synchronous: the keystream is generated from the original key, bit by bit, in sync with the plaintext
Non- or self-synchronous: the keystream is generated from previously generated ciphertext and the
cryptovariable
Key storage: the key must be protected in transit and in storage
Key clustering: the weakness that exists in a cryptosystem if two different keys
generate the same ciphertext from the same plaintext

Initialization Vector (IV)

Encrypting similar messages will create patterns in the ciphertext even
when using different keys. Predictability is an enemy of cryptography.
An IV is a random value added to the plaintext message before
encrypting so that each ciphertext will be substantially different.
The recipient will also need the IV to decrypt the message

Work Factor
An estimate of the effort/time needed to overcome a protective
measure by an attacker with specified expertise and resources.
Commonly used as a way to measure the amount of resources that
would be required to brute-force an algorithm or cryptosystem.
A system is said to be broken when there is a way to decrease the
work factor to a reasonable level.
All cryptosystems will be crackable eventually. The objective is to use
a system that is computationally infeasible to crack.
Work factor says nothing about the cost of normal encryption/decryption

Kerckhoffs' Principle

States that the strength of a cryptosystem is based on the secrecy of the key
and not on the secrecy of the algorithm.
The work factor for the cryptanalyst is the effort required to determine the correct
key.
Key length is the primary method used to determine the strength of a
cryptosystem.
Brittleness: a measure of how badly a system fails. A resilient system is
dynamic and designed to fail only partially or degrade gracefully. In general,
automated systems which only do one thing are by definition brittle.
Security by Obscurity: the concept that a system is secure as long as no one
outside the group is allowed to find out anything about its internal
mechanisms.

Key Algorithms
Symmetric key: the same key is used for both the encryption and the
decryption operation
Asymmetric key: a pair of mathematically related keys (A and B)
used separately for encryption and decryption

Certificates
Certificate: proves who owns a public key
Digitally signed, special block of data that contains the public key
and identifying information for the entity that owns the private
key
Issued by a Certification Authority (CA): a trusted entity or third
party that issues and signs public key certificates, attesting to the
validity of the public key
Registration Authority (RA): the primary organization that verifies a
certificate applicant's information and identity. Works with the CA to
verify the applicant's information before a certificate is issued

Hash Functions
Message integrity
A computed value for a message, program, data, etc. to be
transmitted or stored
One-way function
Cannot decrypt/reverse a hash

Digital Signatures

Message integrity and proof of origin
Proves the message has not been altered
Proves who sent the message
Created by encrypting a hash of the message with the private
asymmetric key of the sender. Creates a signed hash that can only
be unlocked using the public asymmetric key of the sender.
The reason for signing the hash of the message instead of the
message is that asymmetric algorithms tend to be very slow and
computationally intensive to use. Signing the hash saves time
and money.

Domain Objectives
Definitions
History
Uses
Cryptographic Methods
Encryption Systems
Algorithms
Cryptanalysis and Attacks
Implementations

Historical Development
Cryptographic techniques
Manual: cryptographic methods performed by hand using a variety of
tools (still used with some one-time pads)
Mechanical: use of mechanical tools to perform encryption and
decryption (cipher disk)
Electro-mechanical: use of electro-mechanical devices (Enigma
machine)
Electronic: computer-based technology used to perform complex and secure
cryptographic operations (software- and hardware-based algorithms such as AES,
RSA, etc.)
Quantum cryptography: using single-photon light emissions to provide
secure key negotiation


Uses of Cryptography
Protecting information
Transit
Email, VPNs, e-commerce, VOIP, etc.
Storage
Disk encryption
System access
Passwords, remote login


Making Secure Algorithms

Problems: simple systems are not very secure
Discernible: if you know the language of the original message, frequency
analysis can be performed
Redundancies make the cryptanalyst's job easier
Statistical patterns can be revealed in ciphertext if the algorithm doesn't obscure
them

Solutions
Confusion: the principle of hiding patterns in the plaintext by substitution
Diffusion: the act of transposing the input plaintext throughout the ciphertext so that a
character in the ciphertext does not line up directly with the same position in the
plaintext
Avalanche: achieved when plaintext bits affect the entire ciphertext, so that
changing one bit in the plaintext changes about half of the entire ciphertext

Stream Ciphers
Keystream
Statistically unpredictable and unbiased
Not linearly related to the key
Operates on individual bits or bytes

Uses of Stream Ciphers and Stream-Mode Block Ciphers
Wireless
Audio/video streaming
SRTP (Secure Real-time Transport Protocol)

Block Cipher
Blocks of plaintext are encrypted into ciphertext blocks
Multiple modes of operation
Variable key size, block size, rounds

Block Cipher Uses

Data transport: SSL, TLS. Both protocols can use AES and Triple
DES. IPSec-based VPNs also use block ciphers to encrypt
communication between endpoints
Data storage: even though block ciphers take more time, they are used
because of their greater ability to frustrate cryptanalysis. TrueCrypt
is an example of a block cipher being used to encrypt data


Simple Substitution Ciphers

Substitution of one value for another
Caesar Cipher
Shift the alphabet (by 3):
  A B C D E F ...   FACE
  D E F G H I ...   IDFH
Scramble the alphabet:
  A B C D E F ...   FACE
  Q E Y R T M ...   MQYT
Vulnerable to frequency analysis

Simple Transposition/Permutation
Columnar: rearranging the message in a table
Plaintext: This is an example of transposition
Cipher: tsaoni hamfst inptpi selroo ixeasn
Key: grid shape and reading direction
Example: the Spartan Scytale
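The columnar transposition on this slide, worked through in Python as an added example (my code, not part of the original deck). It assumes a 5-column grid written row by row and read column by column, which is the grid shape that reproduces the slide's ciphertext exactly; the letter histogram at the end shows why a transposition on its own is weak: the letter counts of plaintext and ciphertext are identical, only the positions move.

```python
SLIDE_PLAINTEXT = "This is an example of transposition"   # from the slide
SLIDE_CIPHERTEXT = "tsaoni hamfst inptpi selroo ixeasn"   # from the slide
GRID_COLUMNS = 5   # assumption: the grid shape that reproduces the slide


def normalize(text: str) -> str:
    """Classical ciphers work on letters only, ignoring spaces and case."""
    return "".join(ch.lower() for ch in text if ch.isalpha())


def columnar_encrypt(plaintext: str, columns: int = GRID_COLUMNS) -> str:
    """Write the letters row by row into a grid `columns` wide, then read the
    grid column by column: positions change, values never do."""
    letters = normalize(plaintext)
    rows = [letters[i:i + columns] for i in range(0, len(letters), columns)]
    out = []
    for c in range(columns):
        for row in rows:
            if c < len(row):           # the last row may be short
                out.append(row[c])
    return "".join(out)


def columnar_decrypt(ciphertext: str, columns: int = GRID_COLUMNS) -> str:
    """Invert the read-out. The key (grid shape) tells the receiver how many
    letters each column holds, so the columns can be cut and re-read by row."""
    letters = normalize(ciphertext)
    n = len(letters)
    rows = -(-n // columns)            # ceiling division
    full_columns = n % columns         # 0 means every column is full
    cols, pos = [], 0
    for c in range(columns):
        length = rows if (full_columns == 0 or c < full_columns) else rows - 1
        cols.append(letters[pos:pos + length])
        pos += length
    out = []
    for r in range(rows):
        for col in cols:
            if r < len(col):
                out.append(col[r])
    return "".join(out)


def grouped(text: str, size: int = 6) -> str:
    """Present ciphertext in fixed-size groups, as the slide does."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


def reproduces_slide() -> bool:
    """True if a 5-column grid maps the slide's plaintext to its ciphertext and back."""
    ct = columnar_encrypt(SLIDE_PLAINTEXT)
    return (grouped(ct) == SLIDE_CIPHERTEXT
            and columnar_decrypt(ct) == normalize(SLIDE_PLAINTEXT))


def letter_histogram(text: str) -> dict:
    """Letter counts survive transposition unchanged: identical histograms on
    both sides are the tell-tale sign that only positions were shuffled."""
    hist = {}
    for ch in normalize(text):
        hist[ch] = hist.get(ch, 0) + 1
    return hist


if __name__ == "__main__":
    print(reproduces_slide())
    print(grouped(columnar_encrypt("attack at dawn", 3)))
```

The grid width is the whole key here, which is why the slide lists "grid shape and reading direction" as the key: anyone who guesses the width (and there are only a handful of plausible widths for a 30-letter message) recovers the plaintext.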

Polyalphabetic Ciphers

[Slide figure: a table of shifted alphabets (A B C D E ..., D E F G H I ..., M N O P Q R S T ..., U V W X Y Z ...) from which each plaintext letter is enciphered using a different alphabet]

Encrypt the plaintext FEEDBACK using a key of 3241
Try encrypting your name
Running Key Ciphers

Done by using the numerical value of the letters in the plaintext; the message is
coded and decoded by using a copy of the text in a book as the
key.
Sender and recipient determine the key by agreeing on a point in
the book (e.g. a page number) from which to start the encryption.
The key runs as long as the plaintext, and the value of each
letter of the key is added to the value of each letter of the
plaintext.
If the total of the two letters is greater than 25, then 26 is
subtracted from the result. The combined value of the letters
is the value of the ciphertext letter.
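The Caesar, polyalphabetic and running-key slides all describe one operation, adding a shift value to each letter value modulo 26, and differ only in where the shifts come from. The Python below is an added example (my code, not from the deck) that implements that shared operation once and derives the three ciphers from it, then shows the frequency analysis the Caesar slide warns about and why the polyalphabetic version flattens the letter peak it relies on. Reading the key 3241 as shifts 3, 2, 4, 1 repeated is my assumption about the slide's exercise; the sample sentence is constructed.

```python
import itertools
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def clean(text: str) -> str:
    """Letters only, upper-cased; A=0 ... Z=25 are the letter values used below."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def add_letters(text: str, shifts, decrypt: bool = False) -> str:
    """The operation all three slides share: add a shift value to each letter
    value and reduce modulo 26 (the slide's 'subtract 26 if above 25')."""
    letters = clean(text)
    out = []
    for ch, k in zip(letters, shifts):
        k = -k if decrypt else k
        out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
    if len(out) != len(letters):
        raise ValueError("key ran out before the end of the message")
    return "".join(out)


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """Monoalphabetic: the same shift for every letter."""
    return add_letters(text, itertools.repeat(shift), decrypt)


def polyalphabetic(text: str, digit_key: str, decrypt: bool = False) -> str:
    """Key '3241' is read (assumption) as shifts 3, 2, 4, 1, repeated."""
    shifts = itertools.cycle(int(d) for d in digit_key)
    return add_letters(text, shifts, decrypt)


def running_key(text: str, book_text: str, decrypt: bool = False) -> str:
    """Key letters come from an agreed point in a book; their values are added."""
    key = clean(book_text)
    return add_letters(text, (ALPHABET.index(k) for k in key), decrypt)


def recover_caesar_shift(ciphertext: str) -> int:
    """Frequency analysis: in enough English text E is the most common letter,
    so the shift that took E to the most common ciphertext letter is the key."""
    most_common = Counter(clean(ciphertext)).most_common(1)[0][0]
    return (ALPHABET.index(most_common) - ALPHABET.index("E")) % 26


def peak_letter_share(text: str) -> float:
    """Fraction of letters taken by the single most common letter; a
    monoalphabetic cipher preserves this, a polyalphabetic one flattens it."""
    counts = Counter(clean(text))
    return counts.most_common(1)[0][1] / sum(counts.values())


# Constructed sample text with a clear E peak, as ordinary English has
SAMPLE = "DEFEND THE NETWORK AND KEEP EVERY SECRET KEY SEPARATE"

if __name__ == "__main__":
    ct = caesar(SAMPLE, 3)
    print(ct, "shift recovered:", recover_caesar_shift(ct))
    print(polyalphabetic("FEEDBACK", "3241"))
    print(running_key("ATTACK", "the quick brown fox"))
```

The single-letter frequency trick fails against the polyalphabetic and running-key variants because each plaintext E is spread over several ciphertext letters; the running-key cipher inherits the statistics of the book text instead, which is a different weakness but not the one this function exploits.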

One-Time Pads (OTP)

Truly random key values
Both sides have the same pad of key values
Keys are only used once
Unbreakable algorithm
Mathematically proven that it can never be broken
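The XOR slide and the one-time pad slide fit together: a one-time pad is XOR applied byte by byte with a truly random key as long as the message. The Python below is an added example (my code, not from the deck) that shows the XOR truth table computed, the pad as its own inverse, and the reason behind "keys are only used once": XORing two ciphertexts made with the same pad cancels the pad and leaves the XOR of the two messages, a value that no longer depends on the key. `os.urandom` stands in for a true random source here; that is an assumption of the example, not a claim that it is one.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings: the slide's per-bit rule
    (same inputs give 0, different inputs give 1) applied 8 bits at a time."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_truth_table() -> dict:
    """The four cases from the XOR slide, computed rather than stated."""
    return {(x, y): x ^ y for x in (0, 1) for y in (0, 1)}


def generate_pad(length: int) -> bytes:
    """A pad must be truly random and at least as long as the message.
    os.urandom (the OS CSPRNG) is the closest practical stand-in; a true
    OTP would use a physical source, as the Key Management slides note."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(plaintext, pad[:len(plaintext)])


# XOR is its own inverse, (p ^ k) ^ k == p, so decryption is the same operation.
otp_decrypt = otp_encrypt


def round_trip_ok(message: bytes) -> bool:
    """Encrypt with a fresh pad, decrypt with the same pad, compare."""
    pad = generate_pad(len(message))
    return otp_decrypt(otp_encrypt(message, pad), pad) == message


def pad_reuse_residue(message1: bytes, message2: bytes) -> bytes:
    """Why 'keys are only used once': two ciphertexts made with the same pad,
    XORed together, cancel the pad and leave message1 ^ message2, which no
    longer depends on the key at all. Returned so the effect can be checked."""
    pad = generate_pad(max(len(message1), len(message2)))
    n = min(len(message1), len(message2))
    c1 = otp_encrypt(message1[:n], pad)
    c2 = otp_encrypt(message2[:n], pad)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    print(xor_truth_table())
    print(round_trip_ok(b"attack at dawn"))
```

The same reuse problem applies to any keystream cipher (RC4, or a block cipher in CTR mode with a repeated counter value), which is why the later slides insist on unique IVs and counters.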

Steganography
The art of hiding information
Plaintext hidden/disguised
Prevents a third party from knowing that a secret
message exists
Traditionally accomplished in a number of ways:
Physical techniques
Null ciphers

Image-Based Steganography

[Slide figure: the original image next to the stegged image]
File size is identical (260 kb)
If hashed, the values would be different

Watermarking/Rights Management
Digital watermarking similar to physical watermarking.
Either visible or invisible markings embedded within a digital
file to indicate copyright or other handling instructions, or to
embed a fingerprint to detect unauthorized copying and
distribution of images.
Digital Rights Management/Digital Restriction Management
(DRM) extends digital watermarking in order to place strict
usage conditions on the display and reproduction of digital
media.


Modes of Symmetric Block Ciphers

Block Modes
Electronic Code Book (ECB)
Cipher Block Chaining (CBC)
Stream Modes
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)
Counter with CBC-MAC (CCMP)

Electronic Code Book (ECB)

Each block of plaintext is encrypted independently using the same
key

Cipher Block Chaining (CBC)

The first plaintext block is XORed with an Initialization Vector (IV)
The resulting ciphertext block is chained (XORed) into the next plaintext block

Cipher Feedback (CFB)

Similar to CBC
The IV is encrypted and then XORed with the first plaintext block

Output Feedback (OFB)

Operates very much like CFB
Only the RESULT of encrypting the IV is fed back into the next
operation

Counter (CTR)
Similar to OFB
A counter value is used instead of an IV

Counter With CBC-MAC (CCMP)

Provides confidentiality and authenticity
Works with a 128-bit block size
Mandatory in 802.11i
Adds one more block for confidentiality
Counter mode lacks integrity. CCMP solves that problem.
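The ECB, CBC and CTR slides describe how a block cipher is chained, not what the block cipher is, so the Python below (an added example, my code, not from the deck) builds a deliberately toy 4-round Feistel block cipher first and then runs the three modes on top of it. The Feistel structure is the point worth seeing: the same network with the subkeys reversed decrypts, whatever the round function, which is why DES could use a non-invertible F. The mode functions then show the ECB weakness concretely: three identical plaintext blocks give three identical ciphertext blocks under ECB and four distinct blocks under CBC. The toy cipher, its key schedule and the padding are constructed for illustration and offer no real security; CCMP's MAC is not modelled.

```python
import hashlib

BLOCK = 8    # toy block size in bytes (DES uses 8, AES 16)
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_schedule(key: bytes, rounds: int = ROUNDS) -> list:
    """One subkey per round derived from the master key (constructed; this is
    not the DES key schedule described on the earlier slide)."""
    return [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(rounds)]


def _round_function(half: bytes, subkey: bytes) -> bytes:
    """Toy F: a keyed hash of the right half. A Feistel network inverts
    correctly whatever F is, which is why DES could use a non-invertible F."""
    return hashlib.sha256(subkey + half).digest()[:BLOCK // 2]


def _feistel(block: bytes, subkeys: list) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for sk in subkeys:
        left, right = right, _xor(left, _round_function(right, sk))
    return right + left            # final swap, as in DES


def block_encrypt(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key_schedule(key))


def block_decrypt(block: bytes, key: bytes) -> bytes:
    # The same network with the subkeys in reverse order undoes the rounds.
    return _feistel(block, list(reversed(key_schedule(key))))


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the message is a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    """ECB: each block encrypted independently with the same key."""
    return b"".join(block_encrypt(b, key) for b in blocks(pad(data)))


def ecb_decrypt(data: bytes, key: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(b, key) for b in blocks(data)))


def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first block) before it is encrypted."""
    prev, out = iv, []
    for b in blocks(pad(data)):
        prev = block_encrypt(_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    prev, out = iv, []
    for b in blocks(data):
        out.append(_xor(block_decrypt(b, key), prev))
        prev = b
    return unpad(b"".join(out))


def ctr_crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """CTR: encrypt nonce||counter to make a keystream and XOR it with the
    data; no padding needed, and the same call decrypts. A nonce must never
    be reused under one key, or the one-time-pad reuse problem returns."""
    if len(nonce) != 4:
        raise ValueError("nonce must be 4 bytes in this toy layout")
    out = []
    for i, b in enumerate(blocks(data)):
        counter_block = nonce + i.to_bytes(4, "big")
        out.append(_xor(b, block_encrypt(counter_block, key)))
    return b"".join(out)


def ecb_leaks_repeats(data: bytes, key: bytes) -> bool:
    """The ECB weakness: equal plaintext blocks give equal ciphertext blocks."""
    ct = blocks(ecb_encrypt(data, key))
    return len(set(ct)) < len(ct)
```

Note that CBC's IV and CTR's nonce are not secret, only unique; both must travel with the ciphertext, which is the "recipient will also need the IV" point from the Initialization Vector slide.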

DES: Data Encryption Standard

DES
56-bit key
16 rounds of transposition and substitution
Fixed 64-bit block size
Double DES (DDES)
Uses two 56-bit keys
The message is encrypted with one key and re-encrypted with the second
Was thought to provide a 112-bit cipher but was successfully attacked by the
meet-in-the-middle analytic attack
Triple DES (TDES)
Input data is encrypted three times
Strength depends on the mode of operation picked and the number of
keys being used
Effective key size is 168 bits

AES: Advanced Encryption Standard

Based on the Rijndael algorithm
Developed by Daemen and Rijmen in 1998
Block sizes: 128, 192, and 256
Variable number of rounds
Variable key size

Other Block Ciphers

RC5 and RC6
Blowfish
Twofish
CAST
SAFER
Serpent

RC-4
Symmetric stream cipher
Arbitrary key size
Many applications

Strengths & Weaknesses: Symmetric Ciphers

Strengths:
Fast
Difficult to crack
Algorithms and tools freely available
Stream ciphers ensure highly efficient serial communications
Block ciphers offer multiple modes

Weaknesses:
Poor scalability
Limited security
A different form of key negotiation/exchange/distribution must be used
On noisy channels, error correcting is a must

Asymmetric Key Cryptography

Diffie-Hellman, 1976
Public key cryptography
Uses a pair of mathematically related keys
Private key
Public key

Public Key Algorithms

Ensures confidentiality
Encrypting a message with the receiver's public key provides confidential transmission of the
message because the only key that can open the message is the corresponding private key of
the recipient

Ensures proof of origin
When a message is encrypted (signed) with the sender's private key, the recipient can verify the
source of the message because the message can only be opened with the sender's public key

Confidentiality and proof of origin
Double encrypting a message with the private key of the sender and then with the public key of
the receiver will provide both confidentiality and proof of origin

RSA Algorithm
Rivest-Shamir-Adleman, 1977
Encryption
Digital signatures
Key distribution
Adjustable key size
PKCS#1 is the implementation of the algorithm. Currently in v2.1
How does it work?
Find 2 prime numbers and call them p and q
Multiply them and call the result n
Choose a public value e less than n that is relatively prime to (p-1) and (q-1)
Find d such that e*d = 1 mod (p-1)*(q-1)
Make n and e PUBLIC, and keep d, p and q SECRET
To encrypt message m, ciphertext c = m^e mod n
To decrypt, m = c^d mod n
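The RSA steps on this slide, carried through in Python as an added example (my code, not from the deck), including the signature use described on the Digital Signatures slide: sign by applying the private exponent to a hash of the message, verify by applying the public exponent and comparing. The primes 61 and 53 and exponent 17 are the small textbook values chosen so the arithmetic can be checked by hand; reducing the SHA-256 digest modulo n is a toy stand-in for the PKCS#1 padding a real implementation uses, and is an assumption of this example.

```python
import hashlib


def modinv(a: int, m: int) -> int:
    """Extended Euclid: returns d with a*d = 1 (mod m); raises if gcd(a, m) != 1."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: e must be coprime to (p-1)(q-1)")
    return old_s % m


def rsa_keygen(p: int, q: int, e: int):
    """The slide's steps: n = p*q, e coprime to (p-1)(q-1), d = e^-1 mod (p-1)(q-1).
    Returns (public key, private key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (n, e), (n, d)        # publish n and e; keep d (and p, q) secret


def rsa_encrypt(m: int, public) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)          # c = m^e mod n


def rsa_decrypt(c: int, private) -> int:
    n, d = private
    return pow(c, d, n)          # m = c^d mod n


def digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce it below n. Real signatures put a padded
    encoding (PKCS#1 v1.5 or PSS) here; this reduction is for illustration."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign_digest(h: int, private) -> int:
    """Sign: apply the private exponent to the digest, not to the message,
    because the asymmetric operation is slow (the Digital Signatures slide)."""
    return rsa_decrypt(h, private)


def rsa_verify_digest(h: int, signature: int, public) -> bool:
    """Verify: apply the public exponent and compare with the recomputed digest."""
    return rsa_encrypt(signature, public) == h


def rsa_sign(message: bytes, private) -> int:
    return rsa_sign_digest(digest_int(message, private[0]), private)


def rsa_verify(message: bytes, signature: int, public) -> bool:
    return rsa_verify_digest(digest_int(message, public[0]), signature, public)


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)      # textbook-sized values, not secure
    print(pub, priv)
    c = rsa_encrypt(65, pub)
    print(c, rsa_decrypt(c, priv))
    sig = rsa_sign(b"pay 100 to bob", priv)
    print(rsa_verify(b"pay 100 to bob", sig, pub))
```

With these values n = 3233 and d = 2753, so the key space is tiny and p, q can be recovered by trial division in an instant; the same code with 1024-bit primes is the real algorithm, and the difference in work factor is entirely in the size of n.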

Other Algorithms
Diffie-Hellman Key Exchange Protocol
Perfect Forward Secrecy (PFS): principle used in D-H that even if 2 private
keys are used in negotiating a secret value (shared secret), and one of those
private keys is later compromised, it will not be possible to determine either
the secret key or the other private key from the compromised private key
Diffie-Hellman Groups: determine the length of the base prime numbers
that will be used in calculating the key pairs
STS/Unified Diffie-Hellman: one weakness of D-H was the man-in-the-middle attack. This led to the
development of the Station-to-Station (STS) key agreement protocol by Diffie, van Oorschot and Wiener in 1992
Menezes/Qu/Vanstone
Elgamal: retired
Elliptic Curve Cryptography (ECC): fewer bits. Extremely slow

Knapsack Algorithms
Merkle-Hellman knapsack
Developed in 1978
Chor-Rivest knapsack
Developed in 1984 and revised in 1988
Both schemes have been broken

Asymmetric Key Cryptography

Strengths:
Confidentiality/privacy
Access control
Authentication
Integrity
Non-repudiation

Weaknesses:
Computationally intensive
Very slow

Common Hash Functions

Message Digest
MD2, MD4, MD5
Secure Hash Algorithm (SHA)
SHA-1 (160 bit), SHA-256, SHA-384
SHA-512 (best practice)
SHA-3
HAVAL
RIPEMD
Tiger
WHIRLPOOL

Hash Function Characteristics

Condensed representation of the message
One-way function
Non-linear relationship
Hash calculated from the whole, original message

Keyed Hashes (SALT)

A basic hash can be intercepted and changed
To solve that problem, mix a HASH algorithm with a pre-shared
key
An adversary would need to know the key to create a collision
Implemented in IPSec for integrity checking of both ESP
(Encapsulating Security Payload) & AH (Authentication Header)
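The "intercepted and changed" problem on this slide, modelled in Python as an added example (my code, not from the deck): an integrity tag that is a plain hash can be recomputed by whoever changes the message, so the receiver cannot tell; a keyed hash (HMAC, which is what IPsec uses for ESP and AH integrity) cannot be recomputed without the key, so a changed message fails the check. The messages and key are constructed sample values.

```python
import hashlib
import hmac


def unkeyed_tag(message: bytes) -> bytes:
    """A plain hash: anyone, including whoever intercepts the message, can
    recompute it for a different message."""
    return hashlib.sha256(message).digest()


def unkeyed_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag, unkeyed_tag(message))


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """HMAC: the hash is mixed with a pre-shared key, as the slide describes."""
    return hmac.new(key, message, hashlib.sha256).digest()


def keyed_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest keeps the comparison time independent of where it fails.
    return hmac.compare_digest(tag, keyed_tag(key, message))


def unkeyed_tag_survives_change(message: bytes, changed: bytes) -> bool:
    """The slide's scenario with a plain hash: the intermediary swaps the
    message and recomputes the tag, which needs no secret. True means the
    receiver still accepts the altered message."""
    replacement_tag = unkeyed_tag(changed)
    return unkeyed_verify(changed, replacement_tag)


def keyed_tag_detects_change(key: bytes, message: bytes, changed: bytes) -> bool:
    """Same scenario with a keyed hash: without the key the intermediary can
    only forward the original tag with the changed message. True means the
    receiver rejects it."""
    original_tag = keyed_tag(key, message)
    return not keyed_verify(key, changed, original_tag)


if __name__ == "__main__":
    key = b"pre-shared-key-constructed"
    print(unkeyed_tag_survives_change(b"amount=100", b"amount=900"))   # accepted
    print(keyed_tag_detects_change(key, b"amount=100", b"amount=900"))  # rejected
```

The slide's label "(SALT)" is worth separating in practice: a salt is a public random value mixed into a password hash to defeat precomputed tables, while the key in a keyed hash is secret and provides authenticity; the two solve different problems.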

Digital Signatures
(Asymmetric cryptography) + (Hash of message)
Only authenticity and non-repudiation (not confidentiality)
Legality: if the encryption is intact and the private key is held by the
rightful owner, it must be accepted by all parties in the transaction.
The American Bar Association has developed guidelines for accepting digital
signatures that have been adopted in some US states and other countries
Not accepted globally for transactions and specifically not for high-dollar/high-risk situations
Examples
DSA, RSA, Elgamal, Schnorr, ECC

Digital Signatures: Uses

E-commerce
Non-repudiation of origin (with private key)
Integrity of message (with private-key-encrypted hash)
Software distribution (integrity and non-repudiation)
Email and secure document distribution

Key Management Challenges

The greatest challenge with a secure cryptographic implementation is the
management of the keys. Keys must be kept secret. Yet they must
be available when needed. Even OLD keys have to be kept to
decrypt old backup files or data.
Key distribution
Key storage
Key change
Expiry: how long to use a key

Functions of Key Management

Operations
Dual control: requires the active participation of 2 or more people. No one person can
misuse the key.
Threshold schemes: require more than one person to successfully
complete the task
Key recovery
Split knowledge: 2 or more people have information about the key. It must be
combined to work.
Multi-party key recovery: break the key into 3 or more parts and give each part
to a different person.
Escrow: the key is held by another party

Functions of Key Management

Creation
Automated key generation: prevents user bias and provides quick key
production
Truly random: the only true random generators are things like radioactive
decay, noisy diodes, etc. Computers produce pseudo-random numbers.
Suitable length: generators must generate enough bits for a complete key.
Generating 64 bits and concatenating them does not make 128.
Key encrypting keys (KEK): keys used to encrypt other keys. Care must
be taken to ensure that the data used to generate the KEK is NOT related to
the keys being produced.

Functions of Key Management

Distribution
Out of band: does not guarantee secure delivery, but increases its likelihood
Public key encryption: the most common solution
Secret key construction: using D-H (or similar), exchange values online that generate a new
secret key
Secret key delivery: using RSA (or similar), a party encrypts the secret key with the receiving party's public
key
Key distribution center: think Kerberos
Certificates: used to distribute public keys
Storage
Trusted hardware: hardware evaluated (typically) under FIPS 140-2 or the Common
Criteria
Smartcard: non-volatile storage

Public Key Infrastructure (PKI)

Binds people/entities to their public keys
Prevents Man-in-the-Middle attacks
Public keys are published and are certified by digital signatures

Strong Cryptographic PKI Solutions

Use evaluated solutions
High work factor
Publicly evaluated cryptographic algorithms
Training
Import and export of cryptography
The Wassenaar Agreement is an agreement between several countries
that governs the movement of cryptographic algorithms between those
countries. The restrictions are usually based on key length and
whether the product is commercially available
Law enforcement issues

Certificates and CAs

Certificates link a public key to its owner
Classes of certificates
Certification Authorities (CAs)
Registration Authority (RA)
Cross-certification
Certificate Revocation Lists (CRLs)
Online Certificate Status Protocol (OCSP)
X.509


Cryptanalysis
The art and science of breaking codes
Attack vectors
Key
Algorithm
Implementation
Data (ciphertext or plaintext)
People: social engineering
Assumptions

Brute Force Attack

Trying all possible key combinations
Two factors: cost and time
Moore's Law
Processing speed doubles every 18 months for the same
price
Advances in technology and computing performance will
always make brute force an increasingly practical attack on
keys of a fixed length
Measured in MIPS-years: 1 computer running 1,000,000
calculations per second for a year

Brute Force Attack

Bits   Number of keys   Time
56     7.2 x 10^16      20 hours
80     1.2 x 10^24      54,800 years
128    3.4 x 10^38      1.5 x 10^19 years
256    1.15 x 10^77     5.2 x 10^57 years

Data shown is as of 1998 when Deep Crack was used in the RSA DES
challenge.
Cost $250,000 to build. Today the same thing can be done for under
$10,000.
With today's tech, DES can be broken in 8.7 days or less for under $10,000.

Plaintext Attacks
Known plaintext attack: the attacker has both the plaintext and the
ciphertext. Uses analysis to try to determine the key.
Chosen plaintext attack: the attacker has access to the crypto
machine. Runs plaintext through the machine to get encrypted data.
Uses statistical information to try to determine the key.
Adaptive chosen plaintext attack: the attacker has the encryption device
for more than one message. Patterns may emerge if the attacker
puts similar texts into the device

Ciphertext Attacks
Ciphertext-only attack: assumes the attacker has samples of encrypted text but not the
algorithm, key or system. The most difficult attack because the attacker has the
least to work with.
Chosen ciphertext attack: the attacker has access to ciphertext and the system used
to generate it. The attacker can run pieces of ciphertext through it to obtain the
plaintext. Leads to a known plaintext attack or a differential or linear
cryptanalysis attack.
Adaptive chosen ciphertext attack: the attacker has access to the cryptosystem
and can now modify and run ciphertext through the system to see what the
effect of the modification is on the plaintext.

Attacks Against Ciphers

Stream
Frequency analysis: uses known characteristics of the plaintext language
IV or keystream analysis: examines large numbers of generated IVs for weaknesses,
statistical biases, etc.

Block
Linear cryptanalysis: uses large amounts of plaintext and associated ciphertext to find information
about the key
Differential cryptanalysis: 2 or more similar plaintexts are encrypted using the same key and
compared
Linear-differential cryptanalysis: a combination of linear and differential
Algebraic attacks: examine the algorithm
Frequency analysis: uses the statistics of the language to break a ciphertext

Attacks Against Hash Functions

Dictionary attacks
Based on known lists of common words
Birthday attacks: in a group of 23 people there is a 50% chance that 2 will have the same birthday; with 60 people, a 99%
chance. Relevant because it describes the amount of effort that must be made to determine when
2 randomly chosen values will be the same (collisions). A weak hash causes many collisions
Attack the hash value
Attack the initialization vector
Rainbow table attacks
Hash reductions
Salts
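Two points from this slide worked in Python as an added example (my code, not from the deck): the birthday figures computed rather than quoted, generalised from 365 birthdays to any number of possible hash values so the 2^(n/2) rule of thumb for an n-bit hash falls out of it, and a per-user salt with PBKDF2 showing why the same password no longer produces the same stored hash, which is what removes the value of a precomputed table. The passwords and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os


def collision_probability(n: int, space: int) -> float:
    """P(at least two of n values drawn uniformly from `space` possibilities
    coincide) = 1 - (space/space)((space-1)/space)...((space-n+1)/space)."""
    p_no_collision = 1.0
    for i in range(n):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision


def draws_for_probability(target: float, space: int) -> int:
    """Smallest n giving at least `target` collision probability."""
    n = 1
    while collision_probability(n, space) < target:
        n += 1
    return n


def birthday_bound_bits(hash_bits: int) -> int:
    """Hash outputs are the 'birthdays': about 2^(bits/2) random inputs give
    an even chance of a collision, so an n-bit hash offers roughly n/2 bits
    of collision resistance, never n."""
    return hash_bits // 2


def unsalted_hash(password: bytes) -> bytes:
    """Same password, same hash, everywhere: the property a rainbow table needs."""
    return hashlib.sha256(password).digest()


def salted_hash(password: bytes, salt: bytes = None, iterations: int = 100_000):
    """A random per-user salt makes equal passwords hash differently, so any
    precomputed table would have to be rebuilt per salt; PBKDF2's iteration
    count raises the work factor of each guess. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, digest


def verify_salted(password: bytes, salt: bytes, digest: bytes,
                  iterations: int = 100_000) -> bool:
    return hmac.compare_digest(digest, salted_hash(password, salt, iterations)[1])


if __name__ == "__main__":
    print(round(collision_probability(23, 365), 4))
    print(round(collision_probability(60, 365), 4))
    print(birthday_bound_bits(256))
    salt, stored = salted_hash(b"hunter2")
    print(verify_salted(b"hunter2", salt, stored))
```

The birthday function is why the hash list earlier in this domain moves from MD5 and SHA-1 toward SHA-256 and above: a 128-bit digest leaves only 64 bits of collision resistance before any weakness in the algorithm itself is considered.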

Social Engineering
Persuasion
Coercion (rubber-hose cryptanalysis)
Bribery (purchase-key attack)

Other Common Attacks

Meet-in-the-Middle
Mathematical analysis that attacks a problem from both ends and
attempts to find the solution by working toward the center of the
operation from both sides.
Man-in-the-Middle
The attacker intercepts and modifies the data before transmitting it to the intended
person.
Poor Random Number Generation
Poor Random Number Generation


Common Secure Email Protocols

Privacy Enhanced Mail (PEM)
Uses DES in Cipher Block Chaining (CBC) mode for confidentiality
Can also use Electronic Code Book (ECB) or 3DES for key
management
For message integrity it uses either an MD2 or an MD5 hash
Not compatible with Multipurpose Internet Mail Extensions (MIME), so
not often used
Pretty Good Privacy (PGP)
Uses symmetric and asymmetric key cryptography
Can use RSA, D-H, and Elgamal for the asymmetric key
Secure Multipurpose Internet Mail Extensions (S/MIME)
De facto standard for email privacy

Internet Security

Uses
Remote access
VPNs
E-commerce
Tools
IPSec
SSL/TLS
Secure HTTP
TLS

Cryptography Domain Summary

Definitions
History
Uses
Cryptographic Methods
Encryption Systems
Algorithms
Cryptanalysis and Attacks
Implementations

Information Security Governance and Risk Management

Domain Objectives

Business Drivers
Governance
Roles and Responsibilities
Security Planning
Security Administration
Risk Management
Ethics

Information Security Environment

Organizations must contend with
complex laws, regulations,
requirements, technology,
competitors and partners while
pursuing their business objectives.
Management must take many
things into account including
morale, labor relations, productivity,
cost, etc.
Must develop an effective security
program

[Slide figure: inputs to the Overarching Organizational Policy and Management's Security Statement: Regulations, Competition, Organizational Objectives, Organizational Goals, Laws, Shareholders' Interests]

Information Security Triad

Security planning
Budget
Business requirements
Security metrics


Roles and Responsibilities

Specific
Delegate certain responsibilities for security to individuals
Define acceptable and unacceptable behavior
General
Rules that let everyone know they are responsible for security
Communicated at hiring
Tell new hires the rules and consider an annual review
Verified capabilities and limitations
Access to resources defined by the job
Third-party considerations
Brief vendors, temps and contract staff on security requirements
Good practices
Keep it simple, relevant and understandable, and communicate it
Reinforced via training
Annual security training

Internal Roles
Executive management
Set policy, allocate budget
Board level
C level
Information systems security professionals
Advise management
Developers
Create secure code
Custodians and operations staff
Custodians: care of data
Ops: run the computers

Internal Roles
Security staff
Data and system owners
Classify
Access permissions
Users
Tasks as assigned
Legal, compliance, and privacy officer
Inform on and implement laws and regulations
Internal auditors
Check on procedures
Physical security
Is IT or traditional security responsible?

External Roles
Vendors/suppliers
Contractors/consultants
Service level agreements
Temporary employees
Customers

External Roles
Business partners
Outsourced relationships
Outsourced security
External audit

Human Resources
Employee development and training
Employee management
Hiring and termination of employment

Hiring New Staff

Background checks/security clearances
Verify references and education records
Signed employment agreements
Acceptable use
Non-disclosure
Non-compete
Ethics

Personnel Good Practices

Job descriptions/defined roles and responsibilities
Least privilege
Need to know
Separation of duties
Job rotation
Mandatory vacations

Security Awareness, Training, and Education

Awareness training
Delivery methods
Topics
Job training
Task based
Professional education
Understanding
General knowledge

Good Training Practices

Be relevant
Scope properly
Address the audience


Documented Security Program

Focus on the mission of the organization
Organizations are different
Cost effective/risk based
[Slide figure: security posture spectrum from Promiscuous to Permissive to Prudent to Paranoid]

Documented Security Program

Strategic: long-term planning. Decide on the job to do
Tactical: medium-term planning. Manage the jobs being done
Operational: day-to-day operations. The job being done

Security Program Management

Staffing
Not just workers but look at management
Evaluate the numbers needed
Reporting
Make sure everyone knows who they are to report to
Understand the chain of command/reporting

Security Blueprints
Identify and design security requirements
Infrastructure security blueprints
Holistic

By Scott Berinato and Sarah Scalet:

"Holistic security means making security part of everything and not
making it its own thing. It means security isn't added to the
enterprise; it's woven into the fabric of the application. Here's an
example. The non-holistic thinker sees a virus threat and
immediately starts spending money on virus-blocking software. The
holistic security guru will set a policy around e-mail usage; subscribe
to news services that warn of new threats; re-evaluate the network
architecture; host best practices seminars for users; and use virus
blocking software and, probably, firewalls." (www.cio.com)

ISO/IEC 27000 Series = ISMS Blueprints


27000:2009 Overview and vocabulary
27001:2005 Attainable certification
27002:2005/Cor 1:2007 Code of practice
27003:2010 ISMS implementation guidance
27004:2009 Information security measurement
27005:2008 Information security risk management
27006:2007 Certification vendor process
27799:2008 Information security for health care organizations
ISO 27000 = IT Risk Management

IT Security Requirements
Complete security solutions
Define the security behavior of the control measure
What is the problem you are trying to solve?
Provide confidence that the security function is performing as
expected
Does it solve the problem?
Does your solution
Solve the problem (best)
Move the problem (good)
Make it worse (bad)

Single Point of Failure

Identify the processes
Identify risks to the plan
Who has too much control?
Be prepared


Security Policy

Management's goals and objectives IN WRITING
Documents compliance
Creates a security culture

Examples of Functional Policies

Data classification
Certification and accreditation
Access control
Outsourcing
Remote access
Internet acceptable use
Privacy
Acquisition
Change control
Employment agreements, ethics

IMPORTANT
Say what to do, NOT how to do it

Procedures
Step-by-step actions
Required
Be detailed
[Slide figure: policy hierarchy (Policy; Standard, Baseline, Procedures, Guideline) with example procedures: Risk Assessment, Incident Management, Identity Management, Software Installation]

Standards
Common hardware and software products
[Slide figure: policy hierarchy (Policy; Standard, Baseline, Procedures, Guideline) with example standards: Desktop, Antivirus, Firewall]
Be decisive. Will say something like:
We [verb]
We drug test
We use Norton AV software

Baselines
Establish consistent implementation of mechanisms
Platform unique
Know the minimum and understand what is normal
[Slide figure: policy hierarchy (Policy; Standard, Baseline, Procedures, Guideline) with example baselines: VPN Setup, IDS Configuration, Password Rules]

Guidelines
Recommendations for implementations, procurement
and planning
[Slide figure: policy hierarchy (Policy; Standard, Baseline, Procedures, Guideline) with example guidelines: Recommendations, Best Practices, ISO]

Good Policy?
Area IV Buddy System Policy
THE AREA IV COMMANDER HAS DICTATED THAT ALL MILITARY SERVICE
MEMBERS WILL USE THE BUDDY SYSTEM AT ALL TIMES, WITH THE
EXCEPTION BELOW WHEN OFF A MILITARY INSTALLATION.
THE BUDDY SYSTEM IS NOT REQUIRED, BUT HIGHLY RECOMMENDED
FOR PERSONNEL TRAVELING DIRECTLY TO AND FROM THEIR DOMICILE
ALL PERSONNEL WILL CARRY A S.O.F.A AND AN EMERGENCY
TELEPHONE NUMBER CARD AT ALL TIMES.
LOCAL COMMANDERS MAY ENACT MORE STRINGENT MEASURES.
BY ORDER OF THE AREA IV COMMANDER


Risk Management Overview


Identifying and reducing total risks
Choosing mitigation strategies
Setting residual risk at an acceptable level
Integrating risk management processes into the organization
(Total risk) (countermeasures) = (residual risk)

Risk Management Purpose


The principal goal of an organizations risk
management process should be to protect the
organization and its ability to perform its mission.
Including, but not limited to its IT assets.
Risk is a function of the likelihood of a given threat
exercising a particular vulnerability and the resulting
impact of that adverse event on the organization.

Risk Management Benefits


Focuses policy and resources
Identifies areas with specific risk requirements
Directs budget
Supports
Business continuity process
Insurance and liability decisions
Legitimizes security awareness programs

Risk Management Definitions


Asset - something that is of value to the organization
Threat-source/agent - any circumstance or event with
the potential to cause harm to an IT system
Threat - any potential danger to information or an
information system
Exposure - an opportunity for a threat to cause loss, or
the amount of loss suffered as a result of an attack
Vulnerability - a flaw or weakness in system security
procedures, design, implementation, etc.
Likelihood - the probability that a potential vulnerability
will be exercised

Risk Management Definitions


Attack/Exploitation - an action intending to cause harm
Controls - administrative, technical or physical measures and
actions taken to protect the system
Countermeasures - controls applied after the fact;
reactive in nature
Safeguards - controls applied before the fact;
proactive in nature
Total Risk - includes the factors of threats,
vulnerabilities, and the current value of the asset
Residual Risk - the amount of risk remaining after
countermeasures and safeguards are applied

Risk Assessment Steps: SP 800-30


1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation

Risk Assessment Asset Valuation

Tangible assets
Can buy/sell
Hardware, software, facilities, documentation,
customer lists, and intellectual property

Intangible assets
Personnel, reputation/brand, and morale

Information Valuation Considerations

Exclusive possession

Utility

Cost to acquire or create

Liability

Convertibility

Operational impact

Timing

Information/Risk Valuation Methods

Modified Delphi

Facilitated sessions

Survey

Interview

Checklist

Quantitative Risk Analysis

Assign monetary values
Labor and time intensive
Difficult to achieve
100% quantitative is impossible. Why? There are always
QUALITATIVE issues.
RISK = MONEY

Quantitative Analysis Steps - Overview

1. Estimate potential losses - single loss expectancy (SLE)
2. Conduct a threat likelihood analysis - annualized rate of
occurrence (ARO)
3. Calculate annual loss expectancy (ALE)

Step One: Estimate Potential Losses


Single Loss Expectancy (SLE)
SLE = AV ($) x EF (%)

AV (Asset Value)
EF (Exposure Factor)

Step Two: Threat Likelihood Analysis


Annual Rate of Occurrence (ARO)
Number of exposures or incidents that can be
expected in a given year
Likelihood of an unwanted event occurring

Step Three: Calculate ALE


Annual Loss Expectancy (ALE)
ALE = SLE * ARO
Magnitude of risk = ALE
Purpose: Justify security countermeasures

Qualitative Risk Analysis


Scenario oriented
No $ values
Rank seriousness of threats and sensitivity of assets
Perform a carefully reasoned risk assessment

Hybrid Risk Analysis


Quantitative
Qualitative
FMEA (failure modes and effects analysis)

Risk assessment originally concerned with manufacturing defects
Focuses on the upstream and downstream impact of a failure
Defines risk in immediate, near-term and long-term impact

FTA (fault tree analysis)

Analytical technique for system safety
Used to consider all possible threats and then trim down to
the most relevant risks

Risk Management Options


Acceptance = Absorb the effect of an incident
Mitigation = Implement controls
Transference = Insurance
Avoidance = Stop it

Security Control Selection Principles


Cost/benefit analysis
Don't spend more to protect an asset than it is worth
Accountability
At least one person for every control
Include accountability in performance reviews
Absence of design secrecy
Ability to change out the controls at some time in
the future without having extraordinary cost to
rework, interoperability with other controls,
confidence in the design
Audit capability

Controls must be testable
Include auditors in design and implementation
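Worked example, added here and not part of the original slides: the three quantitative steps (SLE = AV x EF, the ARO from the likelihood analysis, ALE = SLE x ARO) carried through in Python, followed by the cost/benefit test from the control selection principles, i.e. do not fund a control whose annual cost exceeds the ALE it removes. The scenario values (a 1,000,000 asset, a 25% exposure factor, one incident every ten years, candidate safeguards costing 12,000 and 40,000 per year) and the names `Scenario`, `safeguard_value` and `rank_safeguards` are this example's own constructions.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit.

Added example, not from the original slides. All monetary values,
exposure factors and rates of occurrence below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat acting on one asset, as used in the three quantitative steps."""
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 to 1.0)
    aro: float              # ARO, expected incidents per year


def single_loss_expectancy(av: float, ef: float) -> float:
    """Step one: SLE = AV x EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Step three: ALE = SLE x ARO (step two supplied the ARO)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    """Magnitude of risk for a scenario, expressed as money per year."""
    sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
    return annual_loss_expectancy(sle, s.aro)


def safeguard_value(before: Scenario, after: Scenario,
                    annual_safeguard_cost: float) -> float:
    """Cost/benefit of a control:

        (ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)

    A positive result means the control removes more risk than it costs;
    a negative result means we would spend more to protect the asset than
    the protection is worth.
    """
    return scenario_ale(before) - scenario_ale(after) - annual_safeguard_cost


def rank_safeguards(before: Scenario,
                    options: dict[str, tuple[Scenario, float]]) -> list[tuple[str, float]]:
    """Order candidate safeguards by value, best first.

    `options` maps a safeguard name to (scenario after the safeguard, annual cost).
    """
    ranked = [(name, safeguard_value(before, after, cost))
              for name, (after, cost) in options.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed baseline: a customer database worth 1,000,000; a breach is
# expected to destroy 25% of that value and to happen once every ten years.
BASELINE = Scenario("customer database, no extra controls", 1_000_000, 0.25, 0.1)

# Constructed candidate safeguards; each changes EF or ARO and has an annual cost.
OPTIONS = {
    # Encryption at rest: a breach exposes far less, same frequency, 12,000/year.
    "encrypt at rest": (Scenario("encrypted database", 1_000_000, 0.05, 0.1), 12_000),
    # Outsourced 24x7 monitoring: halves the ARO but costs more than the risk it removes.
    "24x7 managed SOC": (Scenario("monitored database", 1_000_000, 0.25, 0.05), 40_000),
}

if __name__ == "__main__":
    print(f"baseline ALE: {scenario_ale(BASELINE):,.0f}")
    for name, value in rank_safeguards(BASELINE, OPTIONS):
        print(f"{name:18s} value per year: {value:>10,.0f}")
```

With the constructed numbers the baseline ALE is 25,000 per year; encryption brings it to 5,000 and is worth 8,000 per year after its own cost, while the monitoring option comes out at minus 27,500 and would be rejected on cost/benefit grounds even though it does reduce risk.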

Security Control Selection Principles


Vendor trustworthiness
Independence of control and subject
Universal application
Compartmentalization
Defense in depth
Isolation, economy, and least common mechanism

Security Control Selection Principles


Acceptance and tolerance of personnel (pushback)
Minimum human intervention
Sustainability
Reaction and recovery
Override and fail-safe defaults
Residuals and reset

Risk Evaluation and Assurance


Cyclical nature of risk - U.S. and EU regulatory bodies have
mandated risk management as a business process. Frequency for
reevaluation is based upon the speed of change in each industry or
organization

Ongoing review
Periodic review

Liability - management has the responsibility of remaining informed
about risk management activities and to make the final decisions. If they
fail to do so, they are potentially in violation of regulatory or industry
standards. This is one of the reasons why internal auditors should report
directly to senior executives rather than through the normal chain of
command.

Domain Objectives

Business Drivers
Governance
Roles and Responsibilities
Security Planning
Security Administration
Risk Management

Ethics

Ethical Environments
Ethics are difficult to define
Do No Harm
Begins with senior management
Guidelines for Establishment of Ethics

Corporate ethics to include ethical use of computers


In functional policies (privacy, email, acceptable use, etc.)
Active monitoring of network activities combined with responsible investigation of incidents
and enforcement
Handbooks and guides
Training
Reviews

Ethical Responsibility
Global responsibility
National
Organizational
Personal

Ethical Responsibility of all CISSPs


Set the Example *********
Encourage adoption of ethical guidelines and standards
Inform users about ethical responsibilities through security
awareness training

Basis and Origin of Ethics

Religion
Law
National interest
Individual rights
Common good/interest
Enlightened self-interest
Professional ethics/practices
Standards of good practice
Tradition/culture

Formal Ethical Theories


Teleology (Star Trek: the needs of the many)
Ethics in terms of goals, purposes, or ends
Deontology (duty of the most powerful to protect the least powerful)
Ethical behavior is a duty
Informed consent - notified and agree

Relevant Professional Codes of Ethics

(ISC)²
RFC 1087
Internet Architecture Board

(ISC)² Code of Ethics Preamble

Safety of the commonwealth, duty to our principals, and to
each other requires that we adhere, and be seen to adhere, to
the highest ethical standards of behavior.
Therefore, strict adherence to this code is a condition of
certification.

(ISC)² Code of Ethics Canons

Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
In that order

Internet Architecture Board (IAB)


Any activity is unethical and unacceptable that purposely:

Seeks to gain unauthorized access to Internet resources

Disrupts the intended use of the Internet

Wastes resources (people, capacity, computer) through such actions

Destroys the integrity of computer-based information

Compromises the privacy of users

Involves negligence in the conduct of Internet-wide experiments

RFC 1087

Access and use of the Internet is a PRIVILEGE and should be treated as such by all users

RFC 1087 refers to Negligence in the conduct of Internet-wide experiments as irresponsible and unacceptable, but does not
specifically label such conduct unethical.

Internet Engineering Task Force (IETF)

http://www.ietf.org/

Information Security Governance and


Risk Management
Domain Summary
Business Drivers
Governance
Roles and Responsibilities
Security Planning
Security Administration
Risk Management
Ethics

Legal, Regulations,
Investigations, and Compliance

Domain Objectives

Computer Crime and International Legal Issues

Liability and Privacy Issues


Incident Management
Forensic Investigation
Compliance

International Legal Systems

Common law
Criminal law
Civil law
Administrative law
Religious law
Customary law
Mixed law
Maritime law

Jurisdiction
Law, economics, beliefs and politics

Law enforcement agencies will work together, even across borders. But
sometimes countries don't agree.

Sovereignty of nations

Laws arent always the same country to country. Nations are making an
effort to harmonize their laws in order to promote uniform enforcement and
cooperation where possible.

Computer Crimes vs. Traditional Crimes

Traditional Crime

Violent

Property

Public order

Computer Crime

Real property
Virtual property

Computer Crime

Crime against a computer

Crimes using a computer

Electronic equipment as source of evidence

Reasons for Criminal Behavior

Ego

Financial gain

Revenge

Advanced Persistent Threat (APT)

A group with the capabilities and intent to persistently and effectively
target a specific entity

Source
Attack vector - infected media, supply chain compromise, social
engineering, etc.

Advanced - have the full spectrum of intelligence gathering techniques at
their disposal
Persistent - priority to a specific task. Implies that they are guided by
external entities.
Threat - capability and intent. Coordinated human action instead of
automation, specific objective. Skilled, motivated, organized and well
funded

International Cooperation

Initiatives related to international cooperation in dealing with computer crime

The Council of Europe (CoE) Cybercrime Convention
Example of a multilateral attempt to draft an international response to
criminal behaviors targeted at technology and the Internet.

Intellectual Property Protection

Organizations must protect intellectual property

Theft
Loss
Corporate espionage
Improper duplication

Intellectual property must have value

Organization must demonstrate actions to protect IP

Intellectual Property: Trademark

Purpose of a trademark

Characteristics of a trademark

Word
Name
Symbol
Color
Sound
Product shape

Intellectual Property: Copyright

Covers the expression of ideas

Writings
Recordings
Computer programs
Etc.

Weaker than patent protection

Intellectual Property: Trade Secrets

Must be confidential

Protection of trade secret

Intellectual Property: Software Licensing

Categories of software licensing:

Freeware
Shareware
Commercial
Academic

Master agreements and end user licensing agreements (EULAs)

Encryption Import and Export Law

Strong encryption restrictions
Previously anything over 40 bits was considered strong encryption
U.S. companies can now export any encryption software to individuals,
commercial firms or other non-government end users in any country
No enemy states
Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
Many countries require the importer of equipment containing strong
cryptography to provide the government or law enforcement with a copy of
their private keys.

Controls on dual-use goods
Cryptography has long been considered a munition or weapon of war. It can
be used for commercial or military purposes, therefore it is considered
dual-use and protected as a military weapon

Wassenaar Arrangement
39 countries are parties to the agreement, which specifies all controlled
dual-use goods, including encryption products and products that use
encryption

Domain Objectives

Computer Crime and International Legal Issues

Liability and Privacy Issues


Incident Management
Forensic Investigation
Compliance

Liability
Legal responsibility
Know responsibilities to employees, customers, etc.
Penalties
Can range from compensation to criminal penalties for violation
of law
Negligence and liability
Important factor in determining liability
Determined by courts or other quasi-legal body

Protection of Assets
Legal obligation
Prudent person rule
Must demonstrate practice of due care

Negligence
Acting without care
Due care and due diligence (figure):
Due Care = Policy
Due Diligence = Action
Benchmark: Regulation or Best Practice
Negligence = Gap

Privacy Laws and Regulations


Rights and Obligations of:

Individuals
Identity theft

Organizations
Collection, sharing, storage, processing of personal info

Actual laws depend on jurisdiction

International Privacy
Organization for Economic Co-operation and Development

Group of 30 member countries

Eight core principles


1. Limits to collection of personal data, and it should be obtained legally
2. Personal data should be relevant to its use
3. Purpose for gathering personal data should be specified no later than the time the
data is collected
4. Personal data should not be disclosed, made available, or otherwise used for
purposes other than specified above
5. Personal data should be protected by reasonable security
6. General policy of openness about developments, practices and policies with
respect to personal data
7. The individual should have the right to find out if a data controller has data about
him/her, to have communication with the data controller about data relating to
him/her, and to be able to challenge the data and, if successful, have the data erased,
rectified, completed or amended
8. The data controller should be accountable for complying with these measures

Personally Identifiable Information (PII)

Identify or locate an individual


Controls on collection and use

Many countries have laws governing this

Global effect

Laws are different in each country. What laws govern?

Employee Privacy

Employee monitoring

Authorized usage policies

Training

Transborder Data Flow

Political boundaries

Privacy

Investigations

Jurisdiction

Privacy Law Examples

Health Insurance Portability and Accountability Act (HIPAA)
Personal Information Protection and Electronic
Documents Act (PIPEDA)
European Union Data Protection Directive

Domain Objectives

Computer Crime and International Legal Issues


Liability and Privacy Issues

Incident Management
Forensic Investigation
Compliance

Incident Management
Incident - event that causes harm
Incident management cycle (figure): Prepare, Protect (the infrastructure),
Detect, Respond, Sustain, Improve

Incident Response: Overview


Response capability

Policy and guidelines


Response

Incident response phases

Triage
Containment
Investigation
Analysis and treatment
Recovery

Debriefing

Metrics
Public disclosure

Incident Response: Objectives


Incident response in its simplest form is the practice of:

Detecting a problem
Determining its cause
Minimizing the damage it causes
Resolving the problem
Documenting each step of the response for future reference
Effectively and appropriately communicating issues

Response Capability

The foundation for incident response (IR) is comprised of:

Policy
Authority
Procedures
Approved
Management of evidence

Incident Response External Parties


Escalation process

Employees should be trained and have approved procedures that
include when an incident or crime must be reported to higher
management, outside agencies or law enforcement

Interaction with third-party entities

Complex issues involving:


Jurisdiction (who has control)
Status of crime (already committed, in progress, or planned)
Nature of the evidence (circumstantial, conclusive)
Nature of the crime (in many jurisdictions, some crimes MUST be
reported)

Incident Response and Handling Phases

Triage
Investigation
Containment
Analysis and tracking

Triage
Detection

False positives

Classification

Internal versus external


One system or many
What is the root cause versus the symptoms

Notification

Priorities and escalation


Senior management or other departments
Business partners
Law enforcement

Note: Prioritization is one of the most important aspects

Investigation Phase Objectives


Desired outcomes of this phase are:

Reduce the impact


Identify the cause
Get back up and running in the shortest possible time
Prevent the incident from re-occurring

Investigation Considerations
The investigative phase must consider:

Adherence to company policy


Confidentiality
Applicable laws and regulations
Proper evidence management and handling

Investigation Process
Identify suspects
Identify witnesses
Identify system
Identify team
Search warrants

Investigation Techniques
Ownership and possession analysis
Means, opportunity, and motive (MOM)

Behavior of Computer Criminals


Computer criminals have specific MOs
Hacking software/tools
Types of systems or networks attacked, etc.
Signature behaviors
Profiling

Interviewing vs Interrogation

Interviewing              Interrogation
Open-ended questioning    Closed-ended questioning
General gathering         Specific aim
Cooperation               Hostile
Seek truth                Dangerous

Should only be done by TRAINED professionals

Investigation Phase Components

Components of this phase:

Analysis
Interpretation
Reaction
Recovery

Containment

Reduce the potential impact of the incident

Systems, devices, or networks that can become infected

The containment strategy depends on:

Category of the attack


Asset(s) affected
Criticality of the data or system

Analysis and Tracking Goals

Obtain sufficient information to stop the current incident

Prevent future like incidents from occurring

Identify what or who is responsible

Analysis and Tracking Logs

Dynamic nature of the logs

Feeds into the tracking process

Working relationship with other entities

Reporting and Documentation

Law

Court proceedings

Policy

Regulations

Recovery Phase Goal

To get back up and running

The business (worst case)


Affected systems (best case)

Protect evidence

Recovery and Repair

Recovery into production of affected systems

Ensure system can withstand another attack


Test for vulnerabilities and weaknesses

Closure of the Incident and Feedback

Incident response is an iterative process

Improve processes and controls

Closure of the incident

Feedback from all participants

Communication about the Incident

Public disclosure

Authorized personnel only

Domain Objectives

Computer Crime and International Legal Issues


Liability and Privacy Issues
Incident Management

Forensic Investigation
Compliance

Computer Forensics: Evidence


Potential evidence

Digital Forensic Science Research Workshop (DFRWS) defines digital
forensic science as "The use of scientifically derived and proven methods
toward the preservation, collection, validation, identification, analysis,
interpretation, documentation and presentation of digital evidence derived
from digital sources for the purpose of facilitating or furthering the
reconstruction of events found to be criminal, or helping to anticipate
unauthorized action shown to be disruptive to planned operations."

Evidence and legal systems

Computer forensics is generally applied according to the standards of
evidence admissible in a court of law

Computer Forensics: Evidence


Identification of evidence
Collecting of evidence
Use appropriate collection techniques
Reduce contamination
Protect the scene
Maintain the chain of custody and authentication

Collection of Digital Evidence


Volatile and fragile
Short lifespan
Collect quickly
By order of volatility
Document, document, document

Chain of Custody for Evidence


Who
What
When
Where
How

Forensic Evidence Procedure


Receive media
Disk write blocker
Bit for bit image
Cryptographic checksum
Store the source drive
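The evidence procedure above (write blocker, bit-for-bit image, cryptographic checksum, chain of custody recording who/what/when/where/how) as an added Python example; it is not code from the original slides. The "drive" is a constructed byte string, the write blocker is simulated by a read-only wrapper, the serial number is a placeholder, and the names `CustodyRecord`, `ReadOnlyMedia`, `acquire_image` and `verify_image` are this example's own.

```python
"""Bit-for-bit image verification and chain-of-custody record.

Added example, not from the original slides. The source media, analysts,
timestamps and locations are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class CustodyRecord:
    """Chain of custody: who handled what, when, where and how, plus the
    checksum that lets anyone later prove a working copy is the same bits."""
    what: str                 # evidence item, e.g. "drive S/N PLACEHOLDER-001"
    sha256: str               # cryptographic checksum of the image
    size: int                 # image length in bytes
    history: list[tuple[str, str, str, str]] = field(default_factory=list)
    # each history entry is (who, when, where, how)

    def log(self, who: str, when: str, where: str, how: str) -> None:
        self.history.append((who, when, where, how))


class ReadOnlyMedia:
    """Simulated disk write blocker: reads succeed, any write raises."""
    def __init__(self, raw: bytes) -> None:
        self._raw = raw

    def read(self) -> bytes:
        return self._raw

    def write(self, *_args) -> None:
        raise PermissionError("write blocker engaged: source media is read-only")


def image_hash(data: bytes) -> str:
    """Cryptographic checksum of an image (SHA-256, hex digest)."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(media: ReadOnlyMedia, what: str, who: str, when: str,
                  where: str) -> tuple[bytes, CustodyRecord]:
    """Take a bit-for-bit copy through the write blocker, hash it, and open
    the custody record with the acquisition as its first entry."""
    image = bytes(media.read())          # bit-for-bit copy of the source
    record = CustodyRecord(what, image_hash(image), len(image))
    record.log(who, when, where, "bit-for-bit image via write blocker, SHA-256 recorded")
    return image, record


def verify_image(image: bytes, record: CustodyRecord) -> bool:
    """True only if the working copy still matches the recorded checksum."""
    return len(image) == record.size and image_hash(image) == record.sha256


# Constructed evidence: pretend these 182 bytes are a small drive.
SOURCE_DRIVE = ReadOnlyMedia(b"MBR\x00" * 16 + b"invoice_2024.xlsx\x00" + b"\x00" * 100)


def demo() -> bool:
    """Acquire, hand over, then show that a faithful copy verifies while a
    copy with a single flipped bit does not."""
    image, record = acquire_image(SOURCE_DRIVE, "drive S/N PLACEHOLDER-001",
                                  "analyst A", "2024-01-01T09:00Z", "lab bench 2")
    record.log("analyst B", "2024-01-01T10:00Z", "evidence locker", "sealed bag, signed")
    working_copy = bytes(image)          # the copy analysts actually examine
    tampered = bytearray(image)
    tampered[70] ^= 0x01                 # one bit changed anywhere breaks the hash
    return verify_image(working_copy, record) and not verify_image(bytes(tampered), record)
```

The source drive is stored and never examined again; every analysis runs against a copy that `verify_image` can tie back to the checksum taken at acquisition, and the history list is the paper trail that answers the who/what/when/where/how questions on the chain-of-custody slide.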

Evidence: Hearsay
Hearsay

Second-hand evidence
Normally not admissible

Business records exception

Computer-generated information
Process of creation description

Can you cross examine it?

Evidence Analysis and Reporting


Scientific methods for analysis

Characteristics of the evidence


Comparison of evidence
Event reconstruction

Presentation of findings

Interpretation and analysis


Format appropriate for the intended audience

Computer Forensics
Key components

Computer forensics is not a piece of software or hardware. It is a set of
procedures and protocols. Methodical, Repeatable, Defensible, Auditable

Crime scenes
Digital evidence
Non-criminal cases
Divorce, breach of contract, dissolution of corporation or partnership,
embezzlement, personal injury, etc.

Forensic Evidence Analysis Procedure

Recent activity
Keyword search
Slack space
Documented

Media Analysis

Recognizing operating system artifacts

Types of files created as the system runs


Where they should be
What their contents are likely to be

File system
Timeline analysis

Modified
Accessed
Created

Searching data
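Timeline analysis from Modified/Accessed/Created times, as an added Python example (not code from the original slides): the file records are constructed, where a real case would read them from the image's file system metadata. The names `FileRecord`, `build_timeline`, `recent_activity`, `suspicious_records` and `activity_clusters` are this example's own; the check for a modification time earlier than the creation time is one common indicator of timestamp manipulation or of a file copied in with an old mtime.

```python
"""File system timeline analysis from MAC times.

Added example, not from the original slides. The file records, paths and
timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileRecord:
    path: str
    modified: datetime
    accessed: datetime
    created: datetime


@dataclass(frozen=True)
class TimelineEvent:
    when: datetime
    kind: str   # "M", "A" or "C"
    path: str


def build_timeline(records: list[FileRecord]) -> list[TimelineEvent]:
    """Expand each record into M/A/C events and order them chronologically,
    so activity on the system can be read as one sequence."""
    events = []
    for r in records:
        events.append(TimelineEvent(r.modified, "M", r.path))
        events.append(TimelineEvent(r.accessed, "A", r.path))
        events.append(TimelineEvent(r.created, "C", r.path))
    return sorted(events, key=lambda e: (e.when, e.path, e.kind))


def recent_activity(events: list[TimelineEvent], since: datetime) -> list[TimelineEvent]:
    """Events at or after `since`: the 'recent activity' step of the analysis."""
    return [e for e in events if e.when >= since]


def suspicious_records(records: list[FileRecord]) -> list[str]:
    """Paths whose timestamps cannot have arisen from normal use: a file
    modified before it was created points at timestamp manipulation or at a
    copy that preserved an old mtime, both worth a closer look."""
    return [r.path for r in records if r.modified < r.created]


def activity_clusters(events: list[TimelineEvent], gap: timedelta) -> list[list[TimelineEvent]]:
    """Group events separated by less than `gap`; a burst of creates and
    modifies in one cluster often marks a single action such as a tool run."""
    clusters: list[list[TimelineEvent]] = []
    for e in events:
        if clusters and e.when - clusters[-1][-1].when < gap:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


T0 = datetime(2024, 3, 1, 8, 0)          # constructed reference time
TOOL_RUN_START = T0 + timedelta(hours=5)  # constructed start of the suspicious burst
FIVE_MINUTES = timedelta(minutes=5)

# Constructed records: a normal document, a tool dropped and run in one burst,
# and a library whose mtime predates its ctime by more than a year.
RECORDS = [
    FileRecord("C:/Users/alice/report.docx",
               T0 + timedelta(hours=1), T0 + timedelta(hours=2), T0),
    FileRecord("C:/Temp/svc.exe",
               TOOL_RUN_START + timedelta(seconds=1), TOOL_RUN_START + timedelta(seconds=2),
               TOOL_RUN_START),
    FileRecord("C:/Temp/out.txt",
               TOOL_RUN_START + timedelta(seconds=3), TOOL_RUN_START + timedelta(seconds=3),
               TOOL_RUN_START + timedelta(seconds=2)),
    FileRecord("C:/Windows/System32/old.dll",
               T0 - timedelta(days=400), TOOL_RUN_START + timedelta(seconds=4),
               TOOL_RUN_START + timedelta(seconds=2)),
]

if __name__ == "__main__":
    for e in build_timeline(RECORDS):
        print(e.when.isoformat(), e.kind, e.path)
    print("suspicious:", suspicious_records(RECORDS))
```

Run on the constructed records, the timeline shows the morning's document work as isolated events and the five-o'clock tool run as one tight cluster of eight events, with `old.dll` flagged because its modification time is a year before its creation time.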

Software Analysis

What it does
What files it creates

Network Analysis

Data on the wire


Ports
Traffic hiding

Domain Objectives

Computer Crime and International Legal Issues


Liability and Privacy Issues
Incident Management
Forensic Investigation

Compliance

Compliance
Knowing legislation
Following legislation

Regulatory Environment Examples


Sarbanes-Oxley (SOX)

Meant to enhance corporate governance through measures that will
strengthen internal checks and balances and, ultimately, strengthen
corporate accountability.

Gramm-Leach-Bliley (GLB)

Protects the privacy of consumer information held by financial institutions

Basel II

Regulatory harmony in the international banking community

Compliance Roles and Responsibilities

Information owner
Local manager
Auditor
Individual

Audit Report Format

Introduction

Background
Audit perspective
Scope & objectives
What was done

Executive summary
Internal audit opinion
Detailed report including auditee responses
Appendix
Exhibits

Legal, Regulations, Investigations, and


Compliance Domain Summary

Computer Crime and International Legal Issues


Liability and Privacy Issues
Incident Management
Forensic Investigation
Compliance

Operations Security

Domain Objectives

Operator and Administrator Security


Monitoring of Special Privileges
Misuse of Resources
System Recovery
Resource Protection
Environmental Issues and Controls
Media Management
Personnel Privacy and Safety

Control Over Privileged Entities


Review of access rights
Supervision
Monitoring/audit

Operator Privileges
Initial program load (IPL)
Monitor system execution
Control job flow
Mount I/O volumes
Bypass label processing (BLP)
Renaming/relabeling resources
Reassigning ports/lines

Administrators
Systems administrators
Network administrators
Database administrators

Administrator Privileges Summary


Control network operations

Server startup and shutdown


Reset system configurations
Backups
System maintenance
Customer service

Network administrator duties

Backup Types
File image
System image
Data mirroring
Electronic vaulting
Remote journaling
Database shadowing
Redundant servers
Standby services

Software and Data Backup


Operations controls must ensure adequate backups of:

Data
Operating Systems
Applications
Transactions
Configurations
Reports

Backup Integrity
Backup storage locations
Backups must be tested
Alternate site recovery plan
Site specific software

RAID - Redundant Array of Independent Disks

Hardware based
Software based
Hot Spare
Global Hot Spare (shared by all disks in the array)
Dedicated Hot Spare (assigned to an individual disk in the array)

RAID Level 0
Striping
Two or more disks
No redundancy
Performance only

RAID Level 1
Exact copy (mirror)
Two or more disks
Fault tolerant
200% cost

RAID Level 2
Striping of data with error correcting codes (ECC)
Requires more disks than RAID 3/4/5
Not used

RAID Level 3/4

Byte/block level stripes
1 drive for parity
All other drives are for data

Disk A      Disk B      Parity
Stripe 1A   Stripe 1B   P(1A,1B)
Stripe 2A   Stripe 2B   P(2A,2B)
Stripe 3A   Stripe 3B   P(3A,3B)
Stripe 4A   Stripe 4B   P(4A,4B)

RAID Level 5
Block-level stripes
Data and parity interleaved amongst all drives
The most popular RAID implementation

Disk A      Disk B      Disk C
Stripe 1A   Stripe 1B   P(1A,1B)
P(2B,2C)    Stripe 2B   Stripe 2C
Stripe 3A   P(3A,3C)    Stripe 3C
Stripe 4A   Stripe 4B   P(4A,4B)
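What the P(...) cells in the RAID 3/4 and RAID 5 tables actually compute, as an added Python example (not code from the original slides): parity is the XOR of the data units in a stripe, kept on a dedicated disk for RAID 3/4 and rotated one disk per stripe for RAID 5, and because XOR is its own inverse any single lost disk, data or parity, can be rebuilt from the survivors. The payload, the 4-byte stripe unit and the function names (`stripe`, `rebuild`, `reassemble`, `survives_single_failure`) are this example's own constructions; the RAID 5 rotation is chosen to match the table above (parity on C, A, B, C for stripes 1 to 4).

```python
"""Parity striping and rebuild, as used by RAID 3/4 and RAID 5.

Added example, not from the original slides. Data, stripe size and disk
counts are constructed and tiny so the arithmetic is visible; the parity
rule itself (P = XOR of the data units in a stripe) is what real arrays use.
"""

STRIPE_UNIT = 4  # bytes per stripe unit; real arrays use kilobytes


def xor_blocks(blocks: list[bytes]) -> bytes:
    """Parity of equal-length blocks: P = b1 XOR b2 XOR ... XOR bn.
    XORing P with all blocks but one yields the missing block."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        if len(blk) != len(out):
            raise ValueError("stripe units must be equal length")
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def parity_disk_for(stripe_no: int, data_disks: int, distributed: bool) -> int:
    """Which disk (0-based) holds parity for a stripe.
    RAID 3/4: always the last disk (dedicated parity).
    RAID 5:   rotates, so no single disk becomes the write bottleneck."""
    total = data_disks + 1
    return (stripe_no + data_disks) % total if distributed else data_disks


def stripe(data: bytes, data_disks: int, distributed: bool) -> list[list[bytes]]:
    """Lay `data` out across data_disks + 1 disks, zero-padded to whole stripes.
    Returns one list of stripe units per disk."""
    row_len = STRIPE_UNIT * data_disks
    data = data + b"\x00" * ((-len(data)) % row_len)
    total = data_disks + 1
    disks: list[list[bytes]] = [[] for _ in range(total)]
    for n in range(len(data) // row_len):
        row = data[n * row_len:(n + 1) * row_len]
        units = [row[i * STRIPE_UNIT:(i + 1) * STRIPE_UNIT] for i in range(data_disks)]
        parity = xor_blocks(units)
        p = parity_disk_for(n, data_disks, distributed)
        it = iter(units)
        for d in range(total):
            disks[d].append(parity if d == p else next(it))
    return disks


def rebuild(disks: list[list[bytes]], lost: int) -> list[bytes]:
    """Reconstruct the units of disk `lost` from the surviving disks.
    Works whether the lost disk held data or parity: each missing unit is the
    XOR of the other units in its stripe. A second lost disk cannot be
    recovered this way, which is the case RAID 6's second parity covers."""
    survivors = [d for i, d in enumerate(disks) if i != lost]
    return [xor_blocks(list(row)) for row in zip(*survivors)]


def reassemble(disks: list[list[bytes]], data_disks: int, distributed: bool,
               length: int) -> bytes:
    """Read the original data back, skipping parity units and padding."""
    total = data_disks + 1
    out = bytearray()
    for n in range(len(disks[0])):
        p = parity_disk_for(n, data_disks, distributed)
        for d in range(total):
            if d != p:
                out += disks[d][n]
    return bytes(out[:length])


def survives_single_failure(data: bytes, data_disks: int, distributed: bool) -> bool:
    """Lose each disk in turn, rebuild it, and check the data is intact."""
    disks = stripe(data, data_disks, distributed)
    for lost in range(len(disks)):
        repaired = list(disks)
        repaired[lost] = rebuild(disks, lost)
        if reassemble(repaired, data_disks, distributed, len(data)) != data:
            return False
    return True


# Constructed payload; 43 bytes, so the last stripe is padded.
SAMPLE = b"The quick brown fox jumps over the lazy dog"

if __name__ == "__main__":
    for name, distributed in (("RAID 3/4", False), ("RAID 5", True)):
        print(name, "survives any single disk loss:",
              survives_single_failure(SAMPLE, 2, distributed))
```

With two data disks plus parity, `stripe(SAMPLE, 2, distributed=True)` produces six stripes whose parity sits on disk C, A, B, C, A, B in turn, exactly the pattern drawn in the RAID 5 table, and `survives_single_failure` confirms that removing any one of the three disks loses nothing.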

RAID Level 6
Block-level stripes
All drives used for data AND parity
Two parity types
Higher costs
More fault tolerant than RAID implementations 2 - 5

RAID Level 0+1

Mirroring and striping
Higher cost
Higher speed

RAID 0+1 (figure): a RAID 1 mirror of two RAID 0 stripe sets

RAID 0 set 1          RAID 0 set 2 (mirror of set 1)
Disk 1    Disk 2      Disk 3    Disk 4
A1        A2          A1        A2
A3        A4          A3        A4
A5        A6          A5        A6
A7        A8          A7        A8

RAID Level 10
Mirroring and striping
Higher cost
Higher speed

RAID 10 (figure): a RAID 0 stripe across two RAID 1 mirror pairs

RAID 1 pair 1         RAID 1 pair 2
Disk 1    Disk 2      Disk 3    Disk 4
A1        A1          A2        A2
A3        A3          A4        A4
A5        A5          A6        A6
A7        A7          A8        A8

Configuration Management Elements


Hardware inventory
Hardware configuration chart
Software licensing management
Firmware
Documentation requirements
Testing

Hardware Inventory
Up-to-date listing of all equipment
Location
Owner
Serial and model numbers

Change Control Management


Policy
Business and technology balance
Defines a process for authorized change
Process of changes
Ownership of changes

Changes are reviewed for impact on security

Patch Management
Knowledge of patches
Know when patches for all software you own are released by the
vendor

Testing
Test all patches, and new software, in a test environment prior to
going live

Deployment
Can be challenging. Should be automated to ensure no machine
is missed.

Zero-day challenges
Vulnerable window between the time a patch is released and the time
it can actually be applied

Software Issues
Pirating software
Version control

Job Documentation
Scheduling
Dependencies

Error codes
Inputs and outputs
Backout procedures

Security Administrator Roles


Policy
Development
Implementation
Maintenance and compliance

Vulnerability assessments
Incident response

Security Administrator Responsibilities


User-oriented activity management
Information classification implementation
Audit log monitoring and review
Security tool oversight and management

Domain Objectives

Operator and Administrator Security


Monitoring of Special Privileges

Misuse of Resources
System Recovery
Resource Protection
Environmental Issues and Controls
Media Management
Personnel Privacy and Safety

Misuse Prevention

Threat            Countermeasures
Personal use      Acceptable use policy, workstation controls, web
                  content filtering, and email filtering
Theft of media    Appropriate media controls
Fraud             Balancing of input/output reports, separation of
                  duties, and verification of information
Sniffers          Encryption and policy

Domain Objectives

Operator and Administrator Security


Monitoring of Special Privileges
Misuse of Resources

System Recovery
Resource Protection
Environmental Issues and Controls
Media Management
Personnel Privacy and Safety

System Recovery Trusted Recovery


Correct implementation according to policy
Failures don't compromise a system's secure operation
Trusted path

Types of Trusted Recovery


System Reboot - shutting down the computer in a normal fashion
after a failure
Emergency System Restart - done when a system fails in
an uncontrolled manner. Media may be in an inconsistent state.
System enters maintenance mode, automatically performs
recovery, and system restarts with no user processes in progress.
System Cold Start - system fails and cannot restart without
human intervention

Control Failure Modes


Fail secure (fail closed)
Fail soft (fail open)
Fail safe (fails in a way that will cause no or minimal
harm)

Fault Tolerance
Hardware failure is planned for
System recognizes a failure
Automatic corrective action
Standby systems
Cold - configured, not on, lost connections
Warm - on, some lost data or transactions (TRX)
Hot - ready, failover

Domain Objectives

Operator and Administrator Security


Monitoring of Special Privileges
Misuse of Resources
System Recovery

Resource Protection
Environmental Issues and Controls
Media Management
Personnel Privacy and Safety

Facility Support Systems


Fire protection
HVAC
Electrical power goals
UPS

Water
Communications
Alarm system

Domain Objectives

Operator and Administrator Security


Monitoring of Special Privileges
Misuse of Resources
System Recovery

Resource Protection
Environmental Issues and Controls

Media Management
Personnel Privacy and Safety

Media Management Practices


Sensitive Media Controls

Marking
Labeling
Handling
Storing
Declassifying

Media Management
Tapes
Storage
Encryption
Retrieval
Disposal

Object Reuse
Securely reassigned
Disclosure
Contamination
Recoverability

Clearing of Magnetic Media


Overwriting
Degaussing
Data remanence

Physical destruction

Records Management
Considerations for records management program development
Business need

Guidelines for developing a records management program


Records retention
Declassification
Legal requirements
Privacy

Absent law or regulation to the contrary, a business can set any
retention policy it wishes

Protection of Operational Files


Library maintenance - protect production programs and
applications as well as data
Backups
Source code
Object code
Configuration files

Librarian - sole person with write access to the main system
files, backups and application libraries. Should never be filled by
a developer or person initiating the change request

Domain Objectives

Operator and Administrator Security


Monitoring of Special Privileges
Misuse of Resources
System Recovery

Resource Protection
Environmental Issues and Controls
Media Management

Personnel Privacy and Safety

Personnel Privacy and Safety - Mobile Computing

Components
Devices
Limitations (e.g. privacy, safety, etc.)
Mobile device management

Personnel Privacy and Safety - Social Networks

Social networks
Connection services
Social dynamics
Storage of data
Potential dangers

Operations Security Domain Summary

Operator and Administrator Security


Monitoring of Special Privileges
Misuse of Resources
System Recovery
Resource Protection
Environmental Issues and Controls
Media Management
Personnel Privacy and Safety

Physical (Environmental) Security

Domain Objectives
Physical Security Threats and Controls
Perimeter Security
Building and Inside Security
Secure Operational Areas

Goals of Physical Security


Deter would-be intruders
Delay long enough to detect and respond before
damage occurs
Detect in a timely manner
Assess method of attack
Respond appropriately without overreacting
Recovery to normal operating status

The Primary Goal

Remember that life, health, and safety are always the first
priorities in physical security!

Threats to Physical Security


Natural/environmental
History of natural disasters in the area
Utilities
Communications outages, power outages, etc.

Circumstantial
Fire or break-in at a neighboring building, strike at a critical point in
supply chain, etc.

Human-made/political events
Explosions, vandalism, theft, terrorist attacks, strikes, activism, riots, etc.

Threat Sources
External activists
Staff
Intelligence agents/foreign governments
Petty criminals

Threat Sources and Controls

Threat               Controls
Theft, Espionage     Background checks, locks
Dumpster diving      Disposal procedures
Social engineering   Awareness
Shoulder surfing     Screen filters
HVAC access          Motion sensors in ventilation ducts

Facility Vulnerabilities

Location

Layout and design

Age and condition

Location Security Considerations

Emergency services

Fire
Security

Visibility

Controlled access

Public transit

Countermeasures and Controls

Environmental controls may be:

Physical
Administrative/managerial
Technical

Layered defense/defense in depth

Crime Prevention Through Environmental Design (CPTED)

Principle of deterring crime through managing the potential crime scene

Territoriality

Restricted access

Surveillance

Monitoring

Access control

Entrances

Maintenance

Domain Objectives
Physical Security Threats and Controls

Perimeter Security
Building and Inside Security
Secure Operational Areas

Perimeter and Building Boundary Protection

First line of defense
Protective barriers
Natural
Structural

Fences
May be restricted by local regulations
Inspections
Parking should not be allowed near fences
1 meter/3-4 feet will deter casual trespassers
2 meters/6-7 feet too high to climb easily
2.5 meters/8 feet will delay the determined intruder
Top guard will add 2-3 feet. Can be defeated by blanket, mattress,
towel, etc.

Controlled Access Points


Gates are the minimum necessary layer
Bollards
Permanent or retractable post used to deter vehicle-based
attacks

Perimeter Intrusion Detection Systems

Detect unauthorized access into an area
Electronic eyes
Note that some perimeter IDS can function inside the perimeter as well
Physical IDS

Photoelectric
Ultrasonic
Microwave
Passive IR
Pressure sensitive
Sounds/vibration
Electrical circuits
Motion sensors

Closed Circuit Television (CCTV)


CCTV capability requirements
Detection
Recognition
Identification

Mixing capabilities
Adding IR/thermal

Virtual CCTV systems


Fake systems

CCTV Concerns
Total surveillance requirements
Operating parameters (correct lens, angle?)
Size - depth, height, and width
Pan, tilt, and zoom

Lighting
Contrast

CCTV Protection and Image Retention

Storage of images
Maintenance
Privacy

Guards and Guard Stations


Guards
Deterrent
Possible liability
Contractors

Guard stations

Domain Objectives
Physical Security Threats and Controls
Perimeter Security

Building and Inside Security


Secure Operational Areas

Building Entry Points


Doors
Windows
Loading ramps
Elevator shafts
Ventilation ducts
Crawlspaces
Sewage or steam lines

Doors
Isolation of critical areas
Lighting of doorways
Contact devices
Guidelines

Solid core
Hinges fixed to frame with minimum of 3 hinges per door
Lighting
Should not open out except as required by building codes
Locks should be daytime (push button) and 24 hour (deadbolt)
Door frame should be permanently fixed to the adjoining wall studs
Have same fire-resistance rating as adjacent walls
Etc.

Access and Visitor Logs


Identification/sign in and out
Temporary badges
Vehicles
Escort

Turnstiles and Mantraps


Tailgating/piggybacking

Types of Locks
Something you have: keyed
Something you know: combinations
Something you are: biometric

Keyed Locks
Lock components

Body
Strike
Strike plate
Key
Cylinder

Lock Controls
Lock and key control system
Key control procedures

Who has access to keys


Keys issued
Key inventory
Default settings changed

Change combinations
Fail modes:
Soft (unlocked)
Secure (locked)
Safe (allow exit but not entry)

Electronic Physical Controls


Card access
Biometric access methods

Windows and Glass


Standard plate glass
Tempered glass
5-7 times more break resistant than plate and breaks into small, less dangerous fragments

Acrylic materials
Stronger than plate
Burn and produce toxic fumes, scratch easy and yellow over time

Polycarbonate windows
Resistant to abrasion, chemicals, fires and are even anti-ballistic
Very expensive

Glass and Window Protection


Laminate
Solar film
Bomb blast film/curtains
Wired glass
Intrusion detection/glass breakage sensors

Internal Intrusion Detection Systems


Closed circuit television
Sensors and monitors

Types of Lighting
Continuous lighting
Trip lighting
Standby/backup lighting
Emergency exit/egress lighting
Infrared/night vision

Domain Objectives
Physical Security Threats and Controls
Perimeter Security
Building and Inside Security

Secure Operational Areas

Equipment Room
Perimeter enclosure
Controls
Policy
Emergency power off (EPO) switch

Data Processing Facility


Small devices threat

Digital camera
Cell phone cameras
USB drive
Etc.

Server room
Most important requirements are space, power, air
conditioning, access control and security monitoring

Mainframes
Storage

Communications
Wireless access points
Network access control
Cabling
conduit

Access to Utility Rooms


Power rooms
Breaker panels

Water
Ventilation
Gas

Work Area
Keeping a work area safe is important for everyone
Operators
Only allow access as needed/monitor

System administrators
Only allow access as needed/monitor

Restricted work areas


Only a select few people need access

Equipment Protection
Inventory
Locks and tracing equipment
Data encryption
Disabling I/O ports

Environmental Controls
System

Electric power

HVAC

Water/plumbing

Gas

Refrigeration

Threat

Loss of power

Overheating
Flood/dripping

Explosion

Leakage

Fire Protection

Prevention: reduce causes

Detection: alert occupants

Suppression: contain or extinguish

Wet-pipe sprinkler
Most reliable
Simple
Water under pressure, when sprinkler head breaks water comes out

Dry-pipe sprinkler
Water is held back by valve and is released when sensor activates
Pipes then fill with water and sprinkler engages

Materials and Suppression Agents

Class   Type                    Suppression Agents
A       Common combustibles     Water, foam, dry chemicals
B       Combustible liquids     Inert gas, CO2, foam, dry chemicals
C       Electrical              Inert gas, CO2, dry chemicals
D       Combustible metals      Dry powders
K       Cooking media (fats)    Wet chemicals

Suggested way to remember each class letter:

A: Ash
B: Boil
C: Current
D: Drive
K: Kitchen

Three Legs of a Common Fire

Displace: CO2/foam
Bind: Halon and alike, Purple K
Reduce: Water
Remove: Fireman

Flooding Area Coverage

Water sprinkler systems

Gas halon/CO2/argon systems

Best practices for systems

Portable extinguishers

Loss of Electrical Power

UPS

Generators

Goal of power: clean and steady power

Power controls

Emergency power off (EPO) switch


Power line monitors
Total load

Heating, Ventilation, Air Conditioning

Location

Positive pressure

Can indicate unauthorized physical breach


Helps minimize dust

Maintenance

Other Infrastructure Threats

Vermin

Electromagnetic fields

Excess vibration

Physical (Environmental) Security


Domain Summary

Physical Security Threats and Controls


Perimeter Security
Building and Inside Security
Secure Operational Areas

Security Architecture and Design

Domain Objectives

System and Component Security


Definitions and Key Concepts

Architecture Components
System Design Principles
Security Models
Information Systems Evaluation Models
Security Frameworks

Definitions and Key Concepts

Information security management system (ISMS)

Set of standards for addressing security throughout the development, deployment and implementation schedule

Enterprise security architecture (ESA)

Includes all areas of security for an organization: leadership, strategy, planning, etc.

Information security architecture (ISA)

Another term for ISO/IEC 27002

Best practice

Well-recognized and accepted approach to designing, developing, managing/monitoring and enhancing processes

Definitions and Key Concepts

Architecture

High-level perspective of how business requirements are to be structured and aligned with technology and processes

Framework

Defined approach to the process used to achieve the goals of an architecture, based on policy

Infrastructure

Integrated building blocks that support the goals of the architecture

Model

Outlines how security is to be implemented within the organization

Definitions and Key Concepts

Good security architecture

Strategic
Provides a long-range perspective that is less subject to tactical changes in
technology

Business requirements based


Understand business and security and design a system that meets those
requirements

Holistic
Understanding all the parts of the business and interconnecting them

Design
Blueprint
Integration and development of technology infrastructure into the business
process

Multiple implementations
Flexibility due to location and business constraints

Definitions and Key Concepts

Benefits of a good security architecture

Consistently manage risk


Reduce the costs of managing risk
Accurate security-related decisions
Promote interoperability, integration, and ease of access
Provide a frame of reference (for other organizations
interacting with the enterprise)

Domain Objectives

System and Component Security


Definitions and Key Concepts

Architecture Components

System Design Principles


Security Models
Information Systems Evaluation Models
Security Frameworks

Architecture Components

What are the security limitations and benefits of each component?

Hardware
Firmware
Central processing units
Input/output devices
Software
Architectural structures
Storage and memory

Hardware: Computers

Mainframe

Minicomputers

Microcomputers/desktops

Servers

Laptop/notebook

Embedded

From a security perspective, each security risk must be addressed individually

Hardware: Mobile Devices

USB storage

Portable hard drives

PDAs and mobile phones

Hardware: Printers

Multifunctional

Network aware

More than output device

Full operating system

Hardware: Communication Devices

Modem

Network Interface Card (NIC)

Hardware: Wireless

Wireless network interface card

Wireless access point

Wireless Ethernet bridge

Wireless router

Wireless range extender

Firmware: Pre-Programmed Chips

ROM (read-only memory)

PROMs (programmable read-only memory)

EPROMs (erasable programmable read-only memory)

EEPROMs (electrically erasable, programmable, read-only memory)

Field programmable gate arrays (FPGAs)

Flash chips

Embedded system

CPU Functionality

Multitasking

Multiprogramming

Multiprocessing

Multiprocessor

Multi core

Multithreading

Direct memory access (DMA)

Real-Time Systems

Systems that support mission critical services such as flight controls, alarms and monitoring sensors
Immediate processing
High levels of tolerance
Failover
Time and mission critical systems

Virtual Machines

Mimic the architecture of the actual system

Resources provided by the host system

CPU and Processor Privilege States

Supervisor state

Problem (user) state

Running

Ready

Blocked

Masked/interruptible

Input/Output (I/O) Devices

I/O controller

Managing memory

Hardware

Software: Operating System

Hardware control

Hardware abstraction

Resource manager

Design

Kernel

Software: Utilities and Drivers

System utilities

Maintenance

System drivers

Application/hardware interface
Plug and play

Commercial Software Programs (Applications)

Commercial off the shelf (COTS)

Function first

Unless the software is inherently a security-focused application (such as a firewall), attention will first be devoted to functionality. Security is usually an afterthought.

Evaluation

Make sure to consider the information security aspects of the application such as authentication methods, audit capabilities, edit checks and error reporting, etc.

Software: Custom

Business application

No two businesses do business the same way. Custom software is the solution used as a natural progression from manual processes to automation of tasks

System development life cycle

Software: Convergent Technologies

Customer relationship management (CRM)

Workflow management systems

SharePoint, Lotus Notes

Unified messaging

Allows different technologies to work together. Fax to a PDA, access internet from TV

CPU and OS Support for Applications

Applications were originally self-contained

OS capable of accommodating more than one application at a time

Security

Reinforced by the OS since the OS has the ability to control the activity of the applications and ensure that one or more application threads do not affect another

Applications - Today

Today's applications are modular

Execute multiple process threads

Security

Problems lie in the fact that independent sections are frequently written by someone else and may be malicious. Module may also be used in a way not intended by the author. Modules and threads will often communicate directly and not involve the OS. This prevents the OS from being able to manage the activity of the process threads.

Programs spawn processes. Processes spawn threads. Memory is allocated to processes. So, threads share memory.

Systems Architecture Approaches

Open: standards-based interfaces. Considered more vulnerable but often result in a more robust set of security features

Closed: proprietary interfaces. Illusion that security through obscurity works

Dedicated: single level of processing permitted

Single level: permit users to execute any instruction available

Multilevel: processing at two levels is permitted through some form of user authentication and authorization. Most common today and allows the system to be accessed by users holding different levels of privilege.

Embedded: single purpose computer

Architectural Structures

Client server

Centralized architecture

Distributed architectures

Thin client architecture

Diskless computing

Clusters

Cloud Computing

Provisioning of services

Cost models

Supplement/consumption/delivery model

Involves provisioning of dynamically scalable and often virtualized resources

Characteristics

Layers

Cloud Computing
Deployment models

Public cloud
Community cloud
Private cloud
Hybrid cloud

Architecture
Intercloud
Cloud Engineering

Issues

Privacy
Compliance
Open source
Open standards

Security

Issues surrounding cloud computing are due in large part to the private and public sectors' unease surrounding the external management of security-based services

Service-Oriented Architecture
Technology benefits
More flexible architecture, integration of existing applications, improved
data integration, supports business process management, facilitates
enterprise portal initiatives, speeds custom application development

Security issues
A system that relies on distributed processing must have adequate
bandwidth and high availability.

Business benefits
More effective integration with business partners, supports customer service initiatives, enables employee self-service, streamlines the supply chain, more effective use of external service providers, facilitates global sourcing

Virtualization
Virtual copy of physical system
System virtual machine: complete operating environment that can support user needs and multiple environments
Hypervisor: interface between the physical and virtual environments

Process virtual machine: systems that are dedicated to supporting one process or program

Types of Memory Addressing


Logical
Refers to a memory location that is independent of the current
assignment of data to memory. Requires a translation to the
physical address.

Relative
Address expressed as a location relative to a known point

Physical
Absolute address or actual location

Memory Management Requirements


Relocation
Programmer does not know where the program will be placed in
memory when it is executed. It may be swapped to disk and
returned to main memory at a different location.

Protection
Processes should not be able to reference memory locations in
another process without permission.

Sharing
Allows several processes to access the same portion of memory.
OS allows each process access to the same copy of the program
rather than having its own separate copy.

Memory Protection Benefits


Memory reference
Different data classes
Users can share access
Users cannot generate addresses

Primary Storage
Registers
Very high-speed storage structures built into the CPU chip set
and are often used to store timing and state information for
the CPU to maintain control over processes.

Cache
Very fast memory directly on the CPU chip body. Not
upgradeable. Three types (level 1-3).

Random access memory (RAM)


Main memory of the system

Secondary Storage
Internal
External
Virtual memory
SANs
Clusters

Virtual Memory
= primary + secondary, or RAM + disk
Extends apparent memory to accommodate larger program execution space than is possible using only physical memory and involves paging and swapping operations.
Pages are generally 4 or 8 KB in length
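To make the three memory addressing types and the three memory management requirements above (relocation, protection, sharing) concrete, here is an added example that is not part of the original slides: a toy page-table translator. It assumes 4 KB pages, a per-process page table mapping logical page numbers to physical frames with permission strings, and raises a fault on unmapped or disallowed accesses. Frame numbers and addresses are constructed for the demo.

```python
# Added example (not from the slides): a toy MMU. Logical addresses are split
# into a page number and an offset; the page table supplies the frame, so the
# program never learns where it sits in physical memory (relocation), a process
# cannot reach frames it has no mapping for (protection), and two processes can
# map the same frame so one copy of a program serves both (sharing).
PAGE_SIZE = 4096  # the slides mention 4 or 8 KB pages; 4 KB assumed here


class MemoryFault(Exception):
    """Raised when a process references a page it is not allowed to touch."""


class PageTable:
    def __init__(self):
        # logical page number -> (physical frame number, permissions such as "r" or "rw")
        self.entries = {}

    def map(self, page, frame, perms):
        self.entries[page] = (frame, perms)


def translate(table, logical_addr, access="r"):
    """Logical address -> physical address, or MemoryFault if not permitted."""
    page, offset = divmod(logical_addr, PAGE_SIZE)
    entry = table.entries.get(page)
    if entry is None:
        raise MemoryFault(f"page {page} not mapped")
    frame, perms = entry
    if access not in perms:
        raise MemoryFault(f"{access} access to page {page} denied")
    return frame * PAGE_SIZE + offset


def demo():
    """Two processes: private read/write frames plus one shared read-only frame."""
    table_a = PageTable()
    table_a.map(0, 7, "rw")   # process A's private data lives in frame 7
    table_a.map(1, 9, "r")    # shared program text in frame 9
    table_b = PageTable()
    table_b.map(0, 2, "rw")   # process B's private data lives in frame 2
    table_b.map(1, 9, "r")    # same frame 9, mapped into B as well

    results = {}
    # Relocation: the same logical address 0x10 lands in different frames.
    results["a_private"] = translate(table_a, 0x10)
    results["b_private"] = translate(table_b, 0x10)
    # Sharing: logical page 1 in both processes is the same physical location.
    results["a_shared"] = translate(table_a, PAGE_SIZE + 0x10)
    results["b_shared"] = translate(table_b, PAGE_SIZE + 0x10)
    # Protection: writing to the shared read-only page faults.
    try:
        translate(table_a, PAGE_SIZE + 0x10, access="w")
        results["write_shared"] = "allowed"
    except MemoryFault:
        results["write_shared"] = "fault"
    # Protection: B has no mapping for page 5, so it cannot reach A's memory.
    try:
        translate(table_b, 5 * PAGE_SIZE)
        results["unmapped"] = "allowed"
    except MemoryFault:
        results["unmapped"] = "fault"
    return results


if __name__ == "__main__":
    print(demo())
```

The permission check and the "page not mapped" check are the two places a real MMU raises a fault to the operating system; everything the slides list under protection and sharing reduces to which entries each process's table contains.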

Storage Systems
Network Attached Storage (NAS)
Simple, cost effective solution. Box on network that extends
storage area.

Storage Area Network (SAN)


Complex, expensive solution. Offers large capacity storage
for servers over high-speed (usually fiber) links

Blade Systems
Server chassis
Processing power
Management simplification

Is simply a series of motherboards housed in a box with a high speed backbone

Domain Objectives

System and Component Security


Definitions and Key Concepts
Architecture Components

System Design Principles


Security Models
Information Systems Evaluation Models
Security Frameworks

Separation

Temporal isolation

Accomplished through time limits. Person cannot access an area of the building or an area of the network, or an application outside of certain authorized hours.

Physical isolation

Refers to separating out sensitive areas from common access, such as setting up compartmentalized areas or secure rooms.

Virtual isolation

Protects against malicious activity by not permitting a process to execute outside of a strict set of boundaries.

Ring Protection

Based on the Honeywell Multics Operating System architecture.

Set of segments in concentric numbered rings. Ring number determines the access level.

Procedure assumes its appropriate ring number when executing. This prohibits a process from unregulated execution of
commands at a higher level.

Program may call services residing on the same or more privileged ring.

Program may only access data that resides on the same ring.

Privilege Levels

Identifying, authenticating, and authorizing subjects

Subjects of higher trust can access more system instructions and operate in privileged mode

Subjects with lower trust can access a smaller portion of system instructions and operate only in user mode

Process Isolation

Preserves objects' integrity and subjects' adherence to access controls

Prevents interaction: prevents objects from interacting with each other and their resources

Independent states: actions of one object should not affect the state of other objects

Process isolation methods

Encapsulation: objects, data, and functions are packaged together

Time multiplexing: assignment of specific time slots for processing information

Naming distinctions: to distinguish between processes

Virtual mapping/domains: mapping information objects to virtual locations to ensure applications can find their data

Trusted Computing Base (TCB)

Includes all the components and their operating processes and procedures that ensure that the security policy of the organization is enforced.
Hardware
Firmware
Software
Processes
Inter-process communications

Trusted computer base

Simple and testable

Trusted Computing Base (TCB)

Must be able to enforce security policy regardless of user input and be protected from interference or tampering

Enforces security policy

Monitors four basic functions

Process activation
Execution domain switching
Memory protection
Input/output operations

Reference Monitor Concept

Abstract machine that regulates all access on the system and enforces security controls
Must be tamperproof
Always invoked
Verifiable

Abstract machine concept

Security kernel

Components of an OS that perform various protection tasks designed to control and monitor system events and prevent things from occurring that might disrupt normal execution or threaten the stability of the system or any of its resources.

Subject

Active entity

Object

Passive entity

Attested Boot/TPM/Processing

Ensures secure configuration and integrity of software/hardware

Uses cryptographic hash functions to ensure integrity

Can also be used remotely
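The attested boot bullet points say only that hash functions guarantee integrity and that the check can be done remotely. The following is an added example, not from the slides, of the mechanism behind that: each boot component is hashed and extended into a PCR-style register the way a TPM does, so the final value depends on every component and on their order, and a verifier compares it against a golden value recorded at provisioning time. The component images, names and the use of SHA-256 are assumptions for the demo.

```python
import hashlib

# Added example (not from the slides): simplified measured boot with a
# TPM-style extend chain and a verifier that checks the final register value.

PCR_INITIAL = bytes(32)  # PCRs start at all zeros; SHA-256 (32 bytes) assumed


def measure(image: bytes) -> bytes:
    """Hash of one component's image (its 'measurement')."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """Return the final PCR value and an event log of (name, hex hash)."""
    pcr = PCR_INITIAL
    event_log = []
    for name, image in components:
        m = measure(image)
        pcr = extend(pcr, m)
        event_log.append((name, m.hex()))
    return pcr, event_log


def verify(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    """The verifier's decision (local or remote): only an exact match is trusted."""
    return reported_pcr == golden_pcr


def first_mismatch(event_log, golden_log):
    """Use the event log to name the first component whose hash differs."""
    for (name, h), (_, golden_h) in zip(event_log, golden_log):
        if h != golden_h:
            return name
    return None


# Constructed sample images; a real chain measures the actual bootloader,
# kernel, initrd, etc. read from firmware and disk.
GOLDEN_CHAIN = [
    ("bootloader", b"bootloader v1.0 (constructed image)"),
    ("kernel", b"kernel 5.15 (constructed image)"),
    ("initrd", b"initrd (constructed image)"),
]
# Golden value recorded once at provisioning time.
GOLDEN_PCR, GOLDEN_LOG = measure_boot(GOLDEN_CHAIN)


def attest(components):
    """Simulate one boot plus the verifier's check; returns (ok, culprit)."""
    pcr, log = measure_boot(components)
    if verify(pcr, GOLDEN_PCR):
        return True, None
    return False, first_mismatch(log, GOLDEN_LOG)


if __name__ == "__main__":
    tampered = list(GOLDEN_CHAIN)
    tampered[1] = ("kernel", b"kernel 5.15 with a modified module (constructed)")
    print(attest(GOLDEN_CHAIN))  # (True, None)
    print(attest(tampered))      # (False, 'kernel')
```

Because extend chains the previous register value into each hash, a verifier holding only the final PCR can detect a changed, added, removed or reordered component; the event log is what lets it say which one.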

Secure System Design

Availability: must be designed to meet needs

Criticality: design of system must ensure that the critical processes run effectively

Redundancy: design must avoid single points of failure
Defense in depth: ensures the security of the system cannot be circumvented through one vulnerability

Domain Objectives

System and Component Security


Definitions and Key Concepts
Architecture Components
System Design Principles

Security Models
Information Systems Evaluation Models
Security Frameworks

Security Models Introduction

Information-flow model: tracks the movement of information from one object to another

Non-interference model: based upon rules to prevent processes that are operating in different domains from affecting each other in violation of security policy

State-machine model: abstract mathematical model where state variables represent the system state

Lattice-based model: hierarchical model defining access control privilege levels

Bell-LaPadula Confidentiality Model

Lattice-based model

Described using rows and columns

State-machine model

Hierarchical based model with dominance relationships


between higher and lower security levels

Three fundamental modes

Read only, write only, read and write

Secure state

Defines access rules

***** very important to know *****

Biba Integrity Model

Lattice-based model

Addressed first goal of integrity

Subject/object tuple

State machine model

When you mix clean & dirty, dirty wins

Read & write are opposite from Bell-LaPadula

***** very important to know *****
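Both Bell-LaPadula and Biba are flagged above as very important to know, and the key fact is that their read and write rules are mirror images. The following added example (not from the slides) encodes both rule sets over one small ordered set of levels so the two can be compared on the same subject/object pair; the level names and the `effective_integrity` helper illustrating "dirty wins" are constructed for this example.

```python
# Added example (not from the slides): Bell-LaPadula (confidentiality) and
# Biba (integrity) read/write rules side by side. The level names are
# constructed; for Biba read them as integrity levels ("high" = trusted data).

LEVELS = {"low": 0, "medium": 1, "high": 2}


def dominates(a: str, b: str) -> bool:
    """True when level a is at least as high as level b in the lattice."""
    return LEVELS[a] >= LEVELS[b]


def bell_lapadula(subject_level, object_level, op):
    """No read up (simple security property), no write down (*-property)."""
    if op == "read":
        return dominates(subject_level, object_level)
    if op == "write":
        return dominates(object_level, subject_level)
    raise ValueError(f"unknown operation {op!r}")


def biba(subject_level, object_level, op):
    """No read down (simple integrity), no write up (integrity *-property)."""
    if op == "read":
        return dominates(object_level, subject_level)
    if op == "write":
        return dominates(subject_level, object_level)
    raise ValueError(f"unknown operation {op!r}")


def compare(subject_level, object_level):
    """Decision table for one subject/object pair: op -> (BLP allows, Biba allows)."""
    return {
        op: (bell_lapadula(subject_level, object_level, op),
             biba(subject_level, object_level, op))
        for op in ("read", "write")
    }


def effective_integrity(levels):
    """'When you mix clean and dirty, dirty wins': data combined from several
    integrity levels can only be trusted at the lowest of them."""
    return min(levels, key=LEVELS.__getitem__)


if __name__ == "__main__":
    # A high-level subject touching a low-level object: BLP lets it read but
    # not write; Biba lets it write but not read. Exactly opposite.
    print(compare("high", "low"))   # {'read': (True, False), 'write': (False, True)}
    print(compare("low", "high"))   # {'read': (False, True), 'write': (True, False)}
    print(effective_integrity(["high", "low", "medium"]))  # low
```

Running `compare` for every pair of levels reproduces the two models' access matrices; the only case where both models agree on everything is when subject and object sit at the same level.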

Clark-Wilson Integrity Model

Addresses all three integrity goals

Defines well-formed transactions

Separation of duties

1. Authorized users limited to authorized transactions
2. Unauthorized users do no tasks
3. Maintain internal and external consistency

***** very important to know *****
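The three Clark-Wilson rules listed above (authorized users limited to authorized transactions, unauthorized users do no tasks, internal and external consistency) plus well-formed transactions and separation of duties can be shown as a small access-triple enforcer. The code below is an added example, not from the slides; the account, the `withdraw` and `audit` transformation procedures, the user names and the "balance must not go negative" integrity check are all constructed.

```python
# Added example (not from the slides): toy Clark-Wilson enforcement.
# Users reach constrained data items (CDIs) only through certified
# transformation procedures (TPs); access is granted as (user, TP, CDI)
# triples; an integrity verification procedure (IVP) checks every result;
# and a separation-of-duties rule keeps one user from holding two
# conflicting TPs on the same CDI.


class IntegrityViolation(Exception):
    pass


class ClarkWilsonSystem:
    def __init__(self, conflicting_tps):
        self.cdis = {}          # CDI name -> current value
        self.certified = {}     # TP name -> function(old_value, *args) -> new_value
        self.triples = set()    # authorized (user, tp, cdi) access triples
        self.conflicts = {frozenset(pair) for pair in conflicting_tps}
        self.audit_log = []     # every well-formed transaction is logged

    @staticmethod
    def ivp(value):
        """Integrity verification procedure: a balance is a non-negative integer."""
        return isinstance(value, int) and value >= 0

    def add_cdi(self, name, value):
        if not self.ivp(value):
            raise IntegrityViolation(f"initial state of {name} is invalid")
        self.cdis[name] = value

    def certify_tp(self, name, func):
        self.certified[name] = func

    def authorize(self, user, tp, cdi):
        """Add an access triple, refusing combinations that break separation of duties."""
        if tp not in self.certified:
            raise ValueError(f"{tp} is not a certified TP")
        for held_user, held_tp, held_cdi in self.triples:
            if (held_user == user and held_cdi == cdi
                    and frozenset({held_tp, tp}) in self.conflicts):
                raise IntegrityViolation(f"{user} may not hold both {held_tp} and {tp} on {cdi}")
        self.triples.add((user, tp, cdi))

    def run(self, user, tp, cdi, *args):
        """Execute a well-formed transaction: authorized, certified, IVP-checked, logged."""
        if (user, tp, cdi) not in self.triples:
            raise PermissionError(f"{user} is not authorized to run {tp} on {cdi}")
        new_value = self.certified[tp](self.cdis[cdi], *args)
        if not self.ivp(new_value):
            raise IntegrityViolation(f"{tp} would leave {cdi} in an invalid state")
        self.cdis[cdi] = new_value
        self.audit_log.append((user, tp, cdi, new_value))
        return new_value


def build_demo():
    """A payments account where the person moving money may not also audit it."""
    system = ClarkWilsonSystem(conflicting_tps=[("withdraw", "audit")])
    system.add_cdi("account", 100)
    system.certify_tp("withdraw", lambda balance, amount: balance - amount)
    system.certify_tp("audit", lambda balance: balance)  # read-only check
    system.authorize("alice", "withdraw", "account")
    system.authorize("bob", "audit", "account")
    return system


if __name__ == "__main__":
    s = build_demo()
    print(s.run("alice", "withdraw", "account", 30))  # 70
    print(s.run("bob", "audit", "account"))           # 70
    print(s.audit_log)
```

Note that the IVP runs after every TP and rejects the result before it is committed, which is what turns an arbitrary state change into a well-formed transaction; the access-triple check in `run` is rule 1 and 2, and `authorize` is where separation of duties is decided.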

Brewer and Nash Model

Chinese Wall security policy

Designed to prevent conflicts of interest

***** very important to know *****
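The Brewer and Nash model is one line on the slide, so here is an added example (not from the original) of its defining rule: datasets belong to conflict-of-interest classes, and once a subject has read one dataset in a class, every other dataset in that class is walled off for that subject. The company datasets, class names and the `analyst` subject are constructed.

```python
# Added example (not from the slides): the Brewer-Nash (Chinese Wall) read rule.
# Access history, not just clearance, decides what a subject may see next.


class ChineseWall:
    def __init__(self, conflict_classes):
        # dataset -> conflict-of-interest class it belongs to
        self.coi_class = {ds: cls
                          for cls, datasets in conflict_classes.items()
                          for ds in datasets}
        self.history = {}  # subject -> set of datasets already accessed

    def can_read(self, subject, dataset):
        if dataset not in self.coi_class:
            raise KeyError(f"unknown dataset {dataset!r}")
        seen = self.history.get(subject, set())
        if dataset in seen:
            return True  # re-reading something already accessed is always fine
        # Any previously read dataset from the same class raises the wall.
        return not any(self.coi_class[prior] == self.coi_class[dataset]
                       for prior in seen)

    def read(self, subject, dataset):
        if not self.can_read(subject, dataset):
            raise PermissionError(f"{subject} is walled off from {dataset}")
        self.history.setdefault(subject, set()).add(dataset)
        return dataset


def demo():
    """Two conflict classes: competing banks and competing oil companies."""
    wall = ChineseWall({"banks": {"bank_a", "bank_b"},
                        "oil": {"oil_x", "oil_y"}})
    wall.read("analyst", "bank_a")  # first choice inside the 'banks' class
    return wall


if __name__ == "__main__":
    w = demo()
    print(w.can_read("analyst", "bank_b"))  # False: conflict with bank_a
    print(w.can_read("analyst", "oil_x"))   # True: different class
```

The wall is per subject and is built by the subject's own first access, which is why the same dataset can be readable for one analyst and forbidden for another.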

Other Models

Graham-Denning

Harrison-Ruzzo-Ullman (HRU) result

Variations of Biba

Security Models
Integrity

Clark-Wilson
Biba
G&M
Sutherland
Graham-Denning
HRU

Need to know

Confidentiality

Brewer-Nash
BLP

Implementations

Gong
Lipner
Karger
Jueneman
Lee & Shockley

Domain Objectives

System and Component Security


Definitions and Key Concepts
Architecture Components
System Design Principles
Security Models

Information Systems Evaluation Models


Security Frameworks

Evaluation Standards

TCSEC (U.S. DoD)

ITSEC (European Union)

Common Criteria (ISO Standard 15408)

TCSEC or Orange Book

DoD-centric

Security and functionality

Product evaluation

Rainbow series

TCSEC was a part of the Rainbow Series of books dealing with security topics
TNI: Trusted Network Interpretation (another of the series)

ITSEC

International origin

ITSEM

Assurance

Functionality

Common Criteria (ISO 15408)

Origins

Documents

EAL 1-7 (evaluation assurance level)

Protection profile (PP)

Target of evaluation (TOE)

Software, firmware, and/or hardware

Security target (ST)

Requested level of testing

Domain Objectives

System and Component Security


Definitions and Key Concepts
Architecture Components
System Design Principles
Security Models
Information Systems Evaluation Models

Security Frameworks

ISO 7498-2

Defined secure communications

NOT an implementation

Takes 7-layer OSI model and maps it to a 2-layer functional model

Zachman Framework

Complete overview of IT business alignment

Intent

Scope

Two-dimensional

Principles

SABSA
What are the business requirements?
Follow-on to Zachman
Operational security focus

The Open Group Architecture Framework
Governance
Business
Application
Data
Technology

DoD Architecture Framework

OMB A-130 requirement
View sets:

All view
Operational view
Systems view
Technical standards view

ISO/IEC 42010
International standard for information security
management systems (ISMS)
Practice for architectural description of software-intensive systems

ISO 27001 - ISMS


Information security management system

Ensures best practices are met


Sets standards for security areas
Based on BS7799-2
Measurable and certifiable standard

IT Infrastructure library (ITIL)


Focuses on IT services
Supporting products

COSO Enterprise Risk Management Framework
Emphasizes the importance of identifying and managing
risks

Process
People
Reasonable assurance
Objectives

If moving money, probably want to use this

Capability Maturity Model


Developed by SEI (Software Engineering Institute)
Based on TQM concepts (Total Quality Management)
Framework for improving process
Benefits

Top 3 are proactive, bottom 2 reactive

PCI-DSS
Payment card industry data security standard
Standards for the protection of payment card data (e.g.
credit cards, debit cards, etc.)
Covered more in Domain 5 (Legal, Regulations,
Investigations, and Compliance)

Security Architecture and Design


Domain Summary
System and Component Security
Definitions and Key Concepts
Architecture Components
System Design Principles
Security Models
Information Systems Evaluation Models
Security Frameworks

Software Development Security

Domain Objectives

Overview of Applications Security


System Life Cycle Security
Applications Security Issues
Malware and Other Attacks
Database Security

Need for Applications Security


While this model is important to all domains, AIC is probably most important to this one
Interface to critical and sensitive data
Thousands of exploits

Secure Systems Development Policies

Organizations require security development methodology
Many corporations are beginning to require and provide guidelines for developing secure applications

Security climate has changed
Vendors are focused on functionality of their products and on increasing their return on investment instead of security
Security as built-in instead of add-on
Compliance: many regulations and compliance requirements now demand that systems track and control access permissions of users and other entities

Organizational Standards
Web Application Security Consortium (WASC)
Build Security in (BSI)
International Organization for Standardization
(ISO)/International Electrotechnical Commission (IEC)
27034
These orgs provide information for software vendors and
the public that is intended to create secure environments for
software development, to aid in developing internal code
standards, to incorporate security features in software
products, and to deploy into secure environments.

Software Configuration Management (SCM)
Versioning
Technologist
Protection of code
Protection of project
Scope creep vs Statement of Work

Process Integrity

System Development Controls


Project Management
Complexity of Systems and Projects

Security by Design
Controls Built in to Software

Secure by Default

Secure Development Excuses


You cannot build security around an application, you have to build it in
"We need security? Then we'll use SSL"
"We need strong authentication? PKI will solve all our problems"
"We use a secret/military-grade encryption"
"We had a hacking contest and no one broke it"
"We have an excellent firewall"
"We'll add it later; let's have the features first"

Secure Development Concerns


Push to Market: pressure to deliver a product quickly
Protect Source Code

From tampering
Pirating
Accidental loss
Protection against attacks

Secure Development - Physical


Controlled access areas
Development vs Operations

Project security
Probably best to only develop and work on projects in a
secure area.

Personnel Security
Hiring controls: background checks for everyone involved
Trust: several attacks come from developers
Skills: don't post to blogs asking for assistance on programming problems

Changes in employment
If internal, adjust permissions on things no longer needed
If leaving company, remind to keep company secrets

Protection of privacy from employees


Privacy Impact Rating: part of risk assessment. Looks at the data that would be accessible by programs and identifies sensitive data

Separating Test Data From Production


Never test on a production system
Never use real data
Protection of sensitive data
Test for failure: test error routines and the resilience of system to failure
Ranges: test using both acceptable and unacceptable data values
Stress tests: make sure system can handle the number of transactions or users that may be using the system at once

Always try to test for what the bad guy and the stupid user would do

Certification and Accreditation


Certification of secure design and deployment
Production environment

Accreditation of acceptance of risk
Management approval for implementation

Ensure that systems meet, and continue to meet, their security requirements

Domain Objectives

Overview of Applications Security

System Life Cycle Security


Applications Security Issues
Malware and Other Attacks
Database Security

System and Project Management


Project Management-Based Methodology
Systems Security Engineering-Compatibility Maturity Model Integration (SSE-CMMI)
1-initial (chaotic, immature), 2-managed (disciplined, capable), 3-defined (documented, consistent), 4-quantitatively managed (predictable), 5-optimizing (constant improvement)

SLC vs SDLC
Systems Life Cycle: development, post-development, maintenance phases
System Development Life Cycle: development and ends shortly after implementation

Software Development Methods

Waterfall
Spiral Method
Clean-Room
Structured Programming Development
Iterative Development
Joint Analysis Development
Prototyping

Software Development Methods

Modified Prototype Model
Exploratory Model
Rapid Application Development
Agile Development
Computer Aided Software Engineering
Component-Based Development
Reuse Model
Extreme Programming

Programming Language Examples

Interpreted
Basic
REXX
PostScript
Pascal
Perl
Ruby
Python

Compiled (listed oldest to newest)
Basic
Fortran
COBOL
Pascal
C, C++, C#
ADA
Python
Visual Basic

Program Utilities

Assembler: program that translates an assembly language program into machine language.

Compiler: translates a high-level (source) language into machine language

Interpreter: instead of compiling a program all at once, the interpreter translates it statement-by-statement

Drivers: used to interface a program with the system

Hybrid: compilation and interpretation. Code is compiled into an intermediate stage. In Java, known as bytecode. Needed for compatibility between systems.

Transaction Processing

Separation of Duties

Need to Know

Logging

Transaction:

Integrity: data not inappropriately altered

Edit checks, balancing, data/input validation, error handling/information leakage, logging/auditing, cryptography, secure code environment, session management

Availability: large queries that affect performance should be limited. Critical systems should be designed with redundancy and failover

Confidentiality: provide necessary security measures for data

Object-Oriented Programming

OOP Concepts

Classes: templates for objects

Objects: instances of the classes
Message: objects request services by sending messages to other objects
Inheritance: an object that is called by another object or program derives its data and functionality from the calling object
Polymorphism: different objects may respond to the same command in different ways
Polyinstantiation: creating a new version of the object by changing its attributes. Prevents inference violations by allowing different versions of the same information to exist at different classification levels
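Polyinstantiation is the one OOP concept above with a direct security rationale (preventing inference), so here is an added example, not from the slides, of a polyinstantiated table: the same key may exist once per classification level, a query returns the highest instance the caller is cleared to see, and a low-level insert of an existing key succeeds instead of failing with a duplicate-key error that would reveal the hidden row. The level names, the vessel record and its field values are constructed.

```python
# Added example (not from the slides): a polyinstantiated table. Rows are keyed
# by (primary key, classification level), so "the same" record can exist at
# several levels without a low-cleared user learning that a higher one exists.

LEVELS = {"unclassified": 0, "secret": 1, "top_secret": 2}


class PolyinstantiatedTable:
    def __init__(self):
        self.rows = {}  # (key, level) -> dict of fields

    def insert(self, key, level, **fields):
        """Insert at the caller's level. Returns False only if a row already
        exists at this exact level, so nothing about other levels leaks."""
        if (key, level) in self.rows:
            return False
        self.rows[(key, level)] = dict(fields)
        return True

    def select(self, key, clearance):
        """The most highly classified instance of `key` the clearance dominates."""
        visible = [(LEVELS[level], fields)
                   for (k, level), fields in self.rows.items()
                   if k == key and LEVELS[level] <= LEVELS[clearance]]
        if not visible:
            return None
        return max(visible, key=lambda item: item[0])[1]


def demo():
    """A top-secret row exists; an unclassified user then inserts the same key."""
    table = PolyinstantiatedTable()
    table.insert("vessel_17", "top_secret", cargo="missiles", destination="port_b")
    # Without polyinstantiation a duplicate-key error here would tell the
    # unclassified user that a hidden row for vessel_17 exists.
    low_insert_ok = table.insert("vessel_17", "unclassified",
                                 cargo="grain", destination="port_a")
    return table, low_insert_ok


if __name__ == "__main__":
    t, ok = demo()
    print(ok)                                   # True
    print(t.select("vessel_17", "unclassified"))  # grain row
    print(t.select("vessel_17", "top_secret"))    # missiles row
```

A user cleared to `secret` sees the unclassified instance, because that is the highest one their clearance dominates; only a `top_secret` query returns the real cargo.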

Distributed Programming

Distributed Component Object Model (DCOM)

Simple Object Access Protocol (SOAP)

Common Object-Request Broker Architecture (CORBA)

Enterprise Java Beans (EJB)

Distributed programming requires abstract communication between hosts. Entails that programs located on different computers be able to use the same program at the same time.

Software Security Effectiveness

Senior management participation

Software security group

Many organizations implement this. Charged with directly executing or facilitating the software security activities.

Understand, measure and plan

Result of many activities

Software security is the result of many activities. People, process and automation are all key components.

15 core activities

Software Security Effectiveness

BSIMM (Build Security In Maturity Model)

Organization observed

Business objectives

Roles

Framework

Domain Objectives

Overview of Applications Security


System Life Cycle Security

Applications Security Issues


Malware and Other Attacks
Database Security

Applications Security Issues


Building security in
Adding defense-in-depth
Cryptographic protection of data
Secure architecture

Applications Security Principles


Validate all input and output
Fail secure (closed)
Make it simple
Defense in Depth
Only as secure as your weakest link

Secure Coding Issues


Buffer overflow
SQL injection
Cross-site-scripting (XSS)
Dangling pointer
Invalid hyperlink
Secure (encrypted) web application traffic risks
JavaScript attacks vs sandbox
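SQL injection is listed above under secure coding issues and "validate all input" and "fail secure (closed)" under the application security principles. The following added example, not from the slides, shows the same lookup written by string concatenation and by parameter binding so the difference is visible, with an allow-list input check in front as the defense-in-depth layer. The `users` table, its two rows and the username pattern are constructed; `sqlite3` runs in memory so the example needs no server.

```python
import re
import sqlite3

# Added example (not from the slides): the injectable query, the parameterized
# fix, and an allow-list validator that fails closed (returns nothing) on
# anything it does not recognise.

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")  # constructed allow-list


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by concatenation: the caller's input is parsed as
    SQL grammar, so a value containing quotes changes the query's logic."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Placeholder binding: the input reaches the engine as data only."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def validated_lookup(conn, name):
    """Defense in depth: reject input outside the allow-list before querying,
    and fail closed (empty result) rather than guess what was meant."""
    if not USERNAME_RE.match(name):
        return []
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print(lookup_vulnerable(db, crafted))     # every row: the WHERE clause was rewritten
    print(lookup_parameterized(db, crafted))  # []: no user has that literal name
    print(validated_lookup(db, crafted))      # []: rejected before the query
```

The parameterized query alone already closes the injection; the validator in front of it is there because the page's principle is to validate all input regardless, and a syntactically impossible username is worth rejecting early and logging.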

Secure Coding Issues


Application programming interface (API)
Open source
Vendor proprietary software
Escrow

iFrames
Race condition

Secure Coding Issues


Risks of push technology
Information disclosure error handling
Infrastructure flaws
Misconfiguration

Secure Coding Issues


Incomplete parameter check and enforcement
Covert channels
Inadequate granularity of controls
Privileged programs/privilege escalation

Social engineering
Multiple paths to information

Secure Coding Issues


Object reuse
Garbage collection
Trap door/maintenance hooks

Domain Objectives: Malware and Other Attacks

Malware and Attack Types


Malformed input

Injection (SQL injection)


Input manipulation/malicious file execution
URL manipulation
Unicode attack

Malware and Attack Types


Cryptographic storage
Hijacking
Insecure communications

Malware and Attack Types


Denial of Service (DoS)
Distributed Denial of Service (DDoS)

Botnets
Fast flux botnets

Data hiding
Alternate data streams (ADS)
Non-technical

Malware and Attack Types


Executable content/mobile code
Web applets
Dynamic email

Cookie poisoning (manipulation)

Malware and Attack Types


Keystroke logging
Adware and spyware
SPAM
Phishing
Spear phishing
Whaling

Pharming

Malware and Attack Types


Remote Access Trojans (RAT)
Rootkits and RATs
HTTP Response Splitting
Cross Site Request Forgeries (CSRF)

Malware Structure
Infection/reproduction
Target search
Infection

Trigger
Payload

Malware Anti-Detection
Stealth
Tunneling
Polymorphism
Self-decrypting

Antivirus (anti-malware) disabling

Virus
Central characteristic is reproduction
Generally requires some action by user
May or may not carry payloads

Virus Types
File infector
Boot Sector Infector
System infector
Email virus
Multipartite
Used to mean a virus that was able to infect both boot sectors and programs
Now means a virus that can infect more than one type of object, or infect or
reproduce in more than one way

Macro Virus
Script Virus
e.g. a Visual Basic Script (.vbs) file that looks like a data file but is executable

The Hoax, Chain Letters and Pranks


Social engineering
Hoax
Chain Letters
Pranks

Forms of spam. More annoying than anything else, but they can eat up bandwidth.

Worm
Reproduces
No user action required
Loopholes
Often probe the computer looking to exploit specific
weaknesses and/or compromise other computers

Attacks server software

Trojan Horse
Purported to be a positive utility
Hidden negative payload
Social engineering

Logic Bomb
Generally implanted by an insider
Waits for condition or time
Triggers negative payload

Diddlers, Backdoors and RATs

Data diddler
Salami technique
As in the film Office Space: fractions of a cent moved to a bank account

Payload in a Trojan or virus that deliberately corrupts data, generally by small increments over time.

Protection From Malware Code


Policies
Tools
Monitoring
Operation
Egress scanning

Integrity checkers

Emerging Threats and Chained Exploits

New application services


Cell phones/mobile phones
Telephony

Chained exploits

Domain Objectives: Database Security

Database Security
Database (day to day) and data warehousing (strategic) environment
Eliminate duplication of data
Consistency of data
Network access

Databases provide consistency of data. Data can be saved in one place, allowing anyone with access to see it without the need for duplicates, which gives greater consistency and accuracy of data.
Data warehousing is a newer concept in which large volumes of information from many databases are stored together. It may lead to privacy concerns.

Database Management Systems (DBMS) Models

Hierarchical DBMS
Stores records in a single table
Parent/child relationships
Limited to a single tree
Difficult to link branches

[Diagram: hierarchical model example. Root "Car" with children Toyota, Honda and Mazda; Honda has children CRV, Accord and Civic; Civic has children 2door and 4door.]

Network DBMS Model

Extended form of the hierarchical database structure
Does not refer to the database being stored on a network, but rather to the method by which data is linked to other data.

[Diagram: network model example. Manufacturer records Mazda, Ford and BMW; model records Mazda3 and Mazda6 (regular), E-Series and Freestar (truck), X3 and X5 (4x4); option records "5 speed transmission", "Leather Interior" and "Front and Rear Climate Controls". Unlike a tree, a record such as an option can be linked to more than one parent record.]

Relational DBMS Model

Most frequently used model
Data are structured in tables
Columns are variables (attributes)
Rows contain the specific instances (records) of data
Primary key
Must exist
Not null
Indexes/optimizes the table

Foreign key
An attribute in one table that refers to the primary key of another table
Used to join tables and optimize queries

RDBMS Tables, Joins and Unions

Author Table (primary key: Author No)

Author No | Last Name | First Name | State
123456    | Smithson  | Mary       | CA
234567    | Rogers    | Mike       | NY
345678    | Tucker    | Sally      | CT
456789    | Gleason   | Sarah      | IL

Book Table (foreign key: Author No, referencing the Author table)

Book No | Book Title               | Book Type | Book Price | Author No
PC1234  | Learning Database Models | Computer  | 39.99      | 123456
PC4321  | Data Modeling Techniques |           | 69.99      | 234567
PC6789  | Designing a Database     | Computer  | 39.99      | 345678

Data Warehouse

Consolidated view of enterprise data
Data mart
Designed to support decision making through data mining
Metadata

Knowledge Discovery in Databases (KDD)

Methods of identifying patterns in data

KDD and AI techniques
Probabilistic models
Statistical models
Classification approach
Deviation and trend analysis
Neural networks
Expert system approach
Hybrid approach

Database Security Issues

Inference (guess): deducing sensitive information from data the user is authorized to see
Aggregation (conclusion): combining individually non-sensitive facts into a sensitive whole
Unauthorized access
Improper modification of data
Unauthorized data mining
Query attacks
Bypass attacks
Interception of data
Web security

Database Controls

Access controls
Grants: a user is given access to specific data using various privilege types
Cascading permissions: when an individual who has granted access to others loses that access, so does everyone they granted it to
Lock controls
Backup and recovery
Data contamination control
Polyinstantiation
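The cascading-permissions rule above is the SQL-standard behaviour of REVOKE ... CASCADE. The following is an added example, not code from the slides: a small Python model (hypothetical names `GrantTable`, `Grant`, user names `dba`, `alice`, `bob`, `carol`) in which a privilege is only held while an unbroken chain of grants leads back to the object owner, so revoking the first grant in the chain silently strips everyone downstream.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    privilege: str
    with_grant_option: bool


class GrantTable:
    """Hypothetical model of SQL GRANT / REVOKE ... CASCADE for one object.

    The object owner is the root of all authority; a privilege is held only
    while there is an unbroken chain of grants from the owner to the holder.
    """

    def __init__(self, owner):
        self.owner = owner
        self.grants = set()

    def _grantors(self, privilege):
        # Users allowed to pass `privilege` on: the owner plus everyone reachable
        # from the owner through grants made WITH GRANT OPTION.
        allowed = {self.owner}
        changed = True
        while changed:
            changed = False
            for g in self.grants:
                if (g.privilege == privilege and g.with_grant_option
                        and g.grantor in allowed and g.grantee not in allowed):
                    allowed.add(g.grantee)
                    changed = True
        return allowed

    def holders(self, privilege):
        valid = self._grantors(privilege)
        return {self.owner} | {g.grantee for g in self.grants
                               if g.privilege == privilege and g.grantor in valid}

    def grant(self, grantor, grantee, privilege, with_grant_option=False):
        if grantor not in self._grantors(privilege):
            raise PermissionError(f"{grantor} cannot grant {privilege}")
        self.grants.add(Grant(grantor, grantee, privilege, with_grant_option))

    def revoke(self, grantor, grantee, privilege):
        # Remove the one grant, then cascade: any grant whose grantor can no
        # longer pass the privilege on is abandoned, and so on down the chain.
        self.grants = {g for g in self.grants
                       if (g.grantor, g.grantee, g.privilege) != (grantor, grantee, privilege)}
        valid = self._grantors(privilege)
        self.grants = {g for g in self.grants
                       if g.privilege != privilege or g.grantor in valid}


def demo():
    """Constructed scenario: dba -> alice -> bob -> carol, then dba revokes alice."""
    t = GrantTable(owner="dba")
    t.grant("dba", "alice", "SELECT", with_grant_option=True)
    t.grant("alice", "bob", "SELECT", with_grant_option=True)
    t.grant("bob", "carol", "SELECT")
    before = t.holders("SELECT")
    try:
        t.grant("carol", "dave", "SELECT")   # carol holds SELECT but no grant option
        denied = False
    except PermissionError:
        denied = True
    t.revoke("dba", "alice", "SELECT")       # cuts the chain at its root
    after = t.holders("SELECT")
    return before, denied, after


if __name__ == "__main__":
    print(demo())   # ({'dba', 'alice', 'bob', 'carol'}, True, {'dba'})
```

The practical check this suggests: before revoking a grant from a user who has grant option, list the grants that user (and their grantees) made, because those will disappear too; auditing the grant table for long chains is the way to find accounts whose loss would take an application's service account with them.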

View-Based Access Controls

Constrained views
What portion of the data in the database the user is authorized to see
Sensitive data is hidden from unauthorized users
Controls located in the front-end application (user interface)
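A constrained view hides sensitive rows and columns, but it does not by itself close the inference and aggregation issues listed above. The following added example (not from the slides) builds a hypothetical `employee` table with constructed data, exposes an aggregate-only view, adds the textbook query-set-size control (refuse statistics over fewer than K rows), and then shows the classic tracker attack: two permitted aggregates whose difference is one person's salary. The threshold `K` and the names are assumptions.

```python
import sqlite3

# Constructed sample data (hypothetical employees; not from the slides).
EMPLOYEES = [
    ("alice", "ops", 70000), ("bob", "ops", 80000), ("carol", "ops", 75000),
    ("dana", "ops", 90000), ("erin", "eng", 120000), ("frank", "eng", 110000),
]
K = 2  # query-set-size threshold: refuse any statistic over fewer than K rows


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    # Constrained view: the analyst role is granted this view, never the table,
    # so no query it writes can name a salary row directly.
    conn.execute("CREATE VIEW dept_totals AS "
                 "SELECT dept, COUNT(*) AS n, SUM(salary) AS total "
                 "FROM employee GROUP BY dept")
    return conn


def stats(conn, dept=None, exclude=None, only=None):
    """Statistical interface over the base table with a query-set-size control.

    Returns (n, total), or None when the result would cover fewer than K rows
    or all but fewer than K rows (both would single out individuals).
    """
    clauses, params = [], []
    if dept is not None:
        clauses.append("dept = ?")
        params.append(dept)
    if exclude is not None:
        clauses.append("name <> ?")
        params.append(exclude)
    if only is not None:
        clauses.append("name = ?")
        params.append(only)
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    n, total = conn.execute(
        "SELECT COUNT(*), SUM(salary) FROM employee" + where, params).fetchone()
    population = conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]
    if n < K or n > population - K:
        return None
    return n, total


def infer_salary(conn, name, dept):
    """Tracker attack: two permitted aggregates whose difference is one salary."""
    whole = stats(conn, dept=dept)
    without = stats(conn, dept=dept, exclude=name)
    if whole is None or without is None:
        return None
    return whole[1] - without[1]


if __name__ == "__main__":
    conn = make_db()
    print(conn.execute("SELECT * FROM dept_totals").fetchall())
    print(stats(conn, only="dana"))            # None: single-row statistic refused
    print(infer_salary(conn, "dana", "ops"))   # 90000: the control alone does not stop it
```

The point for the exam and for practice is the same: a size threshold blocks the naive "WHERE name = 'dana'" query but not the aggregation of two legitimate-looking queries, which is why query auditing, overlap controls and limiting analysts to pre-built views all appear on the controls list.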

Transaction Controls

Content-based access control
Commit statement
Writes any and all changes that have occurred to the data during the current transaction
Two-phase commit
The client requests permission to make a change to the database; the database approves the change but does not apply it until the client returns a reply indicating the transaction completed correctly.
Database rollback
Journals/logs
Error controls

The ACID Test

Atomicity: all or none. All of a transaction executes or it is rolled back.
Consistency: changes maintain consistency. The database is transformed from one valid state to another valid state, remaining compliant with the rules of the database.
Isolation: transactions in progress are invisible to others. Guarantees that the results of a transaction are invisible to other transactions until the transaction is complete.
Durability: once it says it is done, it stays done. Ensures that the results of a completed transaction survive future system and media failures.
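The commit-or-rollback protocol described under Transaction Controls, and the atomicity and consistency properties above, can be exercised end to end with two SQLite databases standing in for two banks. This is an added example, not code from the slides or from any real transaction manager: the `Participant` class, the `two_phase_commit` coordinator and the account data are hypothetical. Phase 1 does the work inside an open transaction and votes; phase 2 commits everywhere only if every vote was YES, otherwise rolls back everywhere, so a consistency rule (the CHECK constraint) failing in one database undoes the already-applied change in the other.

```python
import sqlite3


class Participant:
    """One resource manager in a toy two-phase commit (hypothetical; not an XA driver)."""

    def __init__(self, name, opening_balance=100):
        self.name = name
        # isolation_level=None: the sqlite3 module issues no implicit BEGIN, so the
        # transaction boundaries below are exactly the ones this code sends.
        self.conn = sqlite3.connect(":memory:", isolation_level=None)
        self.conn.execute(
            "CREATE TABLE account (id TEXT PRIMARY KEY, balance INTEGER CHECK (balance >= 0))")
        self.conn.execute("INSERT INTO account VALUES ('acct', ?)", (opening_balance,))

    def prepare(self, delta):
        # Phase 1: apply the change inside an open transaction but do NOT commit;
        # vote YES only if the database accepted it.
        self.conn.execute("BEGIN")
        try:
            self.conn.execute(
                "UPDATE account SET balance = balance + ? WHERE id = 'acct'", (delta,))
            return True
        except sqlite3.IntegrityError:   # the CHECK constraint is the consistency rule
            return False

    def commit(self):
        self.conn.execute("COMMIT")      # phase 2: every participant voted YES

    def rollback(self):
        self.conn.execute("ROLLBACK")    # phase 2: at least one participant voted NO

    def balance(self):
        return self.conn.execute(
            "SELECT balance FROM account WHERE id = 'acct'").fetchone()[0]


def two_phase_commit(participants, deltas):
    """Coordinator: all commit or all roll back (atomicity across databases)."""
    votes = [p.prepare(d) for p, d in zip(participants, deltas)]
    if all(votes):
        for p in participants:
            p.commit()
        return True
    for p in participants:
        p.rollback()
    return False


def transfer(amount):
    """Move `amount` from bank A to bank B; returns (committed, balance_a, balance_b)."""
    a, b = Participant("bank-a"), Participant("bank-b")
    ok = two_phase_commit([a, b], [-amount, amount])
    return ok, a.balance(), b.balance()


if __name__ == "__main__":
    print(transfer(30))    # (True, 70, 130)
    print(transfer(150))   # (False, 100, 100): A's CHECK fails, so B's credit is rolled back too
```

Durability is the one property this toy cannot show: in-memory databases vanish with the process, which is exactly why real coordinators write the prepare and commit decisions to a journal before acting on them.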

Database Interface Languages/Methods

Structured Query Language (SQL)
Open Database Connectivity (ODBC)
Extensible Markup Language (XML)
Object Linking and Embedding (OLE)
ActiveX Data Objects (ADO)
Dynamic data

Application and Database Languages: Security Issues

Poorly designed
More privileges than necessary
DBA account use
Lack of audit
Input validation
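"Input validation" here and "validate all input and output" under Applications Security Principles (with SQL injection and cross-site scripting in the Secure Coding Issues lists) come down to one rule: never let untrusted text reach an interpreter as code. The following added example, not from the slides, shows both failure modes and their fixes side by side using a constructed SQLite table (hypothetical `users` table and payloads): string-built SQL versus a bound parameter, and raw HTML output versus context-encoded output.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data (hypothetical; not from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-token"), ("bob", "bob-token")])
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input is spliced into the SQL text, so the input can rewrite the
    # WHERE clause: name = "' OR '1'='1" turns the statement into
    #   ... WHERE name = '' OR '1'='1'   and every row comes back.
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    # A bound parameter is always data: the quotes and OR are just characters
    # compared against the column, so the same payload matches nothing.
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_vulnerable(name):
    # Untrusted text written straight into an HTML context: a <script> element
    # in the name runs in the viewer's browser (cross-site scripting).
    return "<p>Hello, " + name + "</p>"


def render_hardened(name):
    # Output validation: encode for the HTML context, so the browser shows the
    # text instead of parsing it as markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


PAYLOAD_SQL = "' OR '1'='1"
PAYLOAD_XSS = "<script>alert(1)</script>"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, PAYLOAD_SQL))   # both users leak
    print("hardened:  ", lookup_hardened(conn, PAYLOAD_SQL))     # []
    print(render_vulnerable(PAYLOAD_XSS))
    print(render_hardened(PAYLOAD_XSS))
```

Note that the hardened lookup does not reject the strange input; it simply stops treating it as SQL. Allow-list validation is still worth adding for fields with a known format, but parameterisation and output encoding are the controls that hold even when validation is forgotten.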

Software Development Security


Domain Summary
Overview of Applications Security
System Life Cycle Security
Applications Security Issues
Malware and Other Attacks
Database Security

Telecommunications and
Network Security

Domain Objectives
Network Security Overview
Physical
Data Link
Network
Transport
Session
Presentation
Application
Telephony Services

Network Security Overview

What is network security?

Encompasses the STRUCTURES, TRANSMISSION METHODS, TRANSPORT FORMATS AND SECURITY MEASURES used to
provide INTEGRITY, AVAILABILITY, AUTHENTICATION, and CONFIDENTIALITY for transmissions over PRIVATE and PUBLIC
communications networks and media.

Information Security TRIAD

Security Issues and Concerns

Message protection

Confidentiality
Integrity

Non-repudiation

Availability

Redundancy
Single point of failure

Defense in Depth

Series of hurdles

Collection of controls

Any form of protection can be defeated, but when layered it becomes much harder to defeat.

OSI Reference Model

People Don't Need To Smoke Pot Anymore (Physical, Data Link, Network, Transport, Session, Presentation, Application)

TCP/IP Model

Network-Based Attacks

Network as a channel for attacks

Most frequent network security threat today. For example, viruses exploit networks in order to spread without actually breaching the security of the network itself

Inbound and outbound attacks

Network as a target of attack

DoS
DDoS

Network Attacks

Network attack phases
Intelligence gathering and target selection
Target analysis
Gaining access
Escalation of privileges
Sustaining control

Domain Objectives: Physical (Concepts & Architecture)

Layer 1: Physical Layer

Bits are converted into signals

All signal processing is handled here

Physical topologies

Physical layer describes the networking hardware, the format of the communications (bits, bytes, or optical pulses),
as well as cable, wireless connections, etc.

Communication Technology

Analog and digital communications

Digital communication brings quantitative and qualitative enhancements:
Higher throughput
Better signal-to-noise ratio
Fault-tolerant error correction
Ability to immediately process digital signals in a computer

Network Topology

Even small networks are complex

Network topology and layout affect scalability and security

Wireless networks also have a topology

[Diagram: network topologies: bus, ring, star, tree, mesh]

Bus Topology

LAN with a central cable to which all nodes connect

Advantages

Scalable
Permits node failure

Disadvantages

Bus failure

Ring Topology

Closed-loop topology

Advantages

Deterministic

Disadvantages

Single point of failure

Star Topology

All of the nodes connect to a central device

Advantages

Permits node/cable failure


Scalable

Disadvantages

Single point of failure

Tree Topology

Devices connect to a branch on the network

Advantages

Scalable
Permits node failure

Disadvantages

Failures split the network

Mesh Topology

In a full mesh network, every node in the network is connected to every other node in the network

Advantages

Redundancy

Disadvantages

Expensive
Complex
Scalability

Domain Objectives: Physical (Technology & Implementation)

Media Selection Considerations

Throughput

Distance between devices

Data sensitivity/confidentiality

Environment

Cost

[Diagram: media types: twisted pair, coax, fiber, wireless]

Twisted Pair

One of the simplest and cheapest cabling technologies

Unshielded (UTP) or shielded (STP)

Coaxial Cable (Coax)

Conducting wire is thicker than twisted pair
Greater bandwidth and longer cable runs than twisted pair
Expensive and physically stiff

Fiber Optics

Three components
Light source
Optical fiber cable (two types: single-mode and multimode)
Light detector

Advantages

High bandwidth
Immune to EMI and RFI
Difficult to tap

Disadvantages

Expensive
Difficult to install

Wireless Transmission Technologies

802.11 WLAN
From wired network to station, wireless LAN
802.16 WMAN, WiMAX
From neighborhood to station, wireless metropolitan area networks, or WiMAX
Satellite
From orbit to station
Microwave
High bandwidth, line-of-sight, point-to-point communications that require licensing (ground to ground OR ground to orbit to ground)
Optical
High bandwidth, line-of-sight, point-to-point communications that do not require licensing

Patch Panels

Provide a physical cross-connect point for devices

Alternative to directly connecting devices

Centralized management

Modems

Convert a digital signal to analog (and back)
Provide little security
War dialing
Unauthorized modems

Hubs and Repeaters

Hubs
Used to implement a physical star/logical bus topology
All devices can read and potentially modify the traffic of other devices
Repeaters
Allow greater distances between devices

Wireless Access Points (WAPs)

Access Point (AP)
Point where wireless signals are converted to wired: from radio waves to, typically, copper
Multiple input/multiple output (MIMO)
Uses multiple antennas at both the sending and receiving ends and transmits different signals on each antenna
Avoids some of the interference experienced by single-antenna units and increases performance and message quality

Cloud Computing

Access to IT services over the Internet
Data storage
Software
Security
Communications
Etc.

Security issues (3rd party trust)
Use VPN connections when accessing sensitive data or services
Sharing of data: 3rd party trust
Cross-border data transfer: is your data in the U.S.?

Domain Objectives: Physical (Standards)

Standard Connections

Types of connectors
RJ-11
RJ-45
BNC (Bayonet Neill-Concelman; often mis-expanded as "British Naval Connector")
RS-232 (serial ports)

Cabling Standards

TIA/EIA-568 (Telecommunications Industry Association/Electronic Industries Association)

Domain Objectives: Physical (Threats & Countermeasures)

Physical Layer Threats

Attack vectors
Wire
Tapping
Wireless
Sniffing
Equipment
Modems
Authorized and unauthorized modems
Emanations and TEMPEST
EMI and RFI

Physical Controls

Wire

Shielding
Conduit
Faraday cage
Penetration index

Wireless
Encryption
Authentication

Equipment
Locked doors & cabinets

Domain Objectives: Data Link (Concepts and Architecture)

Layer 2: Data Link Layer

Connects Layers 1 and 3

Converts data from a signal into a frame

Transmits frames to devices

Link-layer encryption

Determines network transmission format

Local Architecture Security

Perimeter-based security
The egg concept of security
Hardened outside defenses
Lack of internal defenses?
Security domains
Internal layers of defense
Isolating networks within the organization

Network Partitioning

Bastion host

Dual-homed host

Screened host and subnet

Demilitarized zone (DMZ)

Network Partitioning

Three-legged firewall
Disadvantages
Single point of failure
No defense in depth
Managing firewall rules can be complex

Token Ring and Token Passing

A token is a special frame that circulates through the ring

Device must possess the token to transmit

Token passing is used in token ring (IEEE 802.5) and FDDI

Synchronous/Asynchronous

Synchronous
Timing mechanism synchronizes data transmission
Robust error checking
Practical for high-speed, high-volume data
Asynchronous
Clocking mechanism is not used
Surrounds each byte with bits that mark the beginning and end of transmission

Unicast, Multicast, and Broadcast

Unicast
Sending of a message from one host to another
Multicast
Message (video, teleconference, etc.) sent to a defined set of recipients
IGMP (Internet Group Management Protocol) is used to manage multicast groups (hosts on a network that are interested in a particular multicast)
Broadcast
Sends to an unlimited number of recipients. Can send to everyone on the network and sub-networks
Often used to launch DoS

Circuit-Switched vs Packet-Switched

Circuit-switched network
Dedicated circuit between endpoints
Endpoints have exclusive use of the circuit and its bandwidth
Cost based on duration of the connection. Makes it cost-effective only for steady communication streams
Packet-switched network
Data is divided into packets and transmitted on a shared network
Each packet can be independently routed on the network
Cost based on amount of data transmitted. Appropriate for transmissions with significant idle time

Switched/Permanent Virtual Circuits

Virtual circuits provide a connection between endpoints over high-bandwidth multiuser cable or fiber networks, which causes them to behave with performance characteristics similar to a dedicated physical circuit
Permanent virtual circuits (PVC)
The carrier configures the route through the packet-switched network. Unless changed, the route stays the same
Switched virtual circuits (SVC)
Traffic routing is configured dynamically by the routers each time the circuit is used

Unicast Point-to-Point

ISDN (Integrated Services Digital Network)
High speed before DSL and cable
Ts (T carriers)
Time division multiplexing
T1: 1.544 Mbit/s over 24 channels (8000 frames/sec x 193 bits/frame)
Es (E carriers)
Time division multiplexing
E1: 2.048 Mbit/s over 30 channels
OCs (optical carriers)
SONET carries T3 and E3; OC-n rates are multiples of the OC-1 rate (51.84 Mbit/s), and the framing overhead is the same fixed fraction at every speed

X.25

Suite of protocols for unreliable networks

Has a strong focus on error correction

Users and hosts connect through a packet switched network

Most organizations now opt for frame relay and ATM instead of X.25 for packet switching

Frame Relay

Network cloud of switches

Customers share resources in the cloud

The cloud is assumed to be reliable

Customers are charged only for bandwidth used

Asynchronous Transfer Mode (ATM)

Connection-oriented

Uses virtual circuits

Guarantees quality of service but not the delivery of cells

Types of virtual circuits
Constant Bit Rate (CBR)
Variable Bit Rate (VBR)
Unspecified Bit Rate (UBR)
Available Bit Rate (ABR)

Multi-Protocol Label Switching (MPLS)

Bandwidth management and scalability

Permits traffic engineering

Provides quality of service and defense against network attacks

Operates at Layers 2 and 3

Operates over most other packet switching technologies such as frame relay and ATM

Created for performance but has the effect of being a tunnel

Digital Subscriber Lines (DSL)

Uses CAT-3 cables and the local telecom loop
Asymmetric digital subscriber line (ADSL)
Downstream speeds greater than upstream
Rate-adaptive DSL (RADSL)
Upstream transmission rate is auto-tuned depending on the quality of the line
Symmetric digital subscriber line (SDSL)
Same transmission rate up and down
Very high bit-rate DSL (VDSL)
Higher transmission rate: 13 Mbit/s down and 2 Mbit/s up

Cable Modem

PC Ethernet NIC connects to a cable modem
Speeds from 256 kbit/s to 50 Mbit/s
Bridging device between computers and ISP
Modem and head-end exchange a cryptographic key
Cable modems increase the need to observe good security practices

Domain Objectives: Data Link (Technology & Implementation)

Concentrators, Multiplex/Demultiplex

Combining or splitting signals
Division multiplexing technologies
TDM: time
FDM: frequency
WDM: wavelength

Concentrator: combines channels together. Often used to permit several remote access connections to terminate on the network at the same time.

Multiplexer/demultiplexer: combines several signals into a single data stream, or breaks them apart.

Switches and Bridges

Multiport devices to connect LAN hosts

Forward frames only to the specified MAC address

Increasingly sophisticated

Also forward broadcasts

Wireless Local Area Networks

Allow mobile users to remain connected

Extend LANs beyond physical boundaries

Wireless Standards: IEEE 802.11

802.11b: 11 Mbit/s
802.11a: 54 Mbit/s, with error-correcting code
802.11g: max 54 Mbit/s with average 22 Mbit/s
802.11n (multiple input/multiple output): 54 to 600 Mbit/s
802.11i (security)
802.16 (WiMAX)
802.15 (Bluetooth)

Wireless multiplexing
OFDM/DSSS/FHSS (AFH)

Authentication

Paramount to the security of wireless LANs

SSID

SSID broadcast

Open systems authentication

Shared key authentication

MAC address filtering

Extensible authentication protocol

Wireless Encryption

WEP: shared secret. Can be cracked in 3 to 30 seconds
WPA: uses RC4 with 128-bit keys and a 48-bit IV; Temporal Key Integrity Protocol (TKIP) provides a different key per packet
WPA2: AES instead of RC4; TKIP replaced with Counter-Mode/CBC-MAC Protocol (CCMP)
Extensible authentication protocol
EAP-TLS: client and server mutually authenticate and use certificates
EAP-TTLS: less secure than EAP-TLS
EAP-PEAP: encrypted tunnel, but less secure than EAP-TLS

Domain Objectives: Data Link (Protocols)

Point-to-Point Protocol (PPP)

RFC 1331 (obsoleted by RFC 1661)
Encapsulation
Link control protocol (LCP)
Network control protocols

PPP provides a standard method of encapsulating Network Layer protocol information over point-to-point links

Address Resolution Protocol (ARP)

ARP (RFC 826)
Generic address-resolution protocol. Was designed to be able to convert any network protocol address to any data-link address. Use today is normally to resolve IP addresses to 802.x (MAC) addresses
RARP (RFC 903)
Used to map a device's MAC address to its IP address
ARP cache poisoning
A valid request is answered by an invalid authority: a forged reply binds the victim's IP address to the attacker's MAC address
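ARP has no authentication, so the only defence against cache poisoning on a switched LAN is to notice when a binding changes. The following is an added example, not from the slides or any product: it packs and parses ARP messages in their RFC 826 wire layout and runs a small arpwatch-style monitor (hypothetical `ArpWatcher`, constructed MAC and IP addresses) that raises an alert when a second reply claims the gateway's IP address with a different hardware address.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"          # Ethernet/IPv4 ARP body, RFC 826 layout
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an ARP message (constructed test traffic, not captured data)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(raw):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


class ArpWatcher:
    """Tracks IP-to-MAC bindings seen in ARP replies and flags changes.

    A host that blindly accepts replies would overwrite its cache with the
    second binding; a monitor instead raises an alert, which is the detection
    control for cache poisoning (hypothetical class, not a real tool).
    """

    def __init__(self):
        self.cache = {}

    def feed(self, raw):
        msg = parse_arp(raw)
        if msg["op"] != ARP_REPLY:
            return None
        ip, mac = msg["sender_ip"], msg["sender_mac"]
        known = self.cache.get(ip)
        if known is not None and known != mac:
            return f"ALERT: {ip} changed from {known} to {mac} (possible ARP cache poisoning)"
        self.cache[ip] = mac
        return None


def demo():
    # Constructed addresses: a gateway, a host, and an attacker on the same LAN.
    gateway, host, attacker = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"
    frames = [
        build_arp(ARP_REQUEST, host, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp(ARP_REPLY, gateway, "192.168.1.1", host, "192.168.1.10"),   # legitimate
        build_arp(ARP_REPLY, attacker, "192.168.1.1", host, "192.168.1.10"),  # forged reply
    ]
    w = ArpWatcher()
    return [alert for alert in (w.feed(f) for f in frames) if alert]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Preventive controls (static ARP entries for the gateway, switch-side dynamic ARP inspection tied to DHCP snooping) remove the need to detect after the fact, but a monitor like this is still the cheapest way to learn that an attacker is on the segment.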

Password Authentication Protocol (PAP)

Identification and authentication of a remote entity
Uses a cleartext, reusable (static) password
Supported by most network devices
Advantages
Standards-based solution that provides interoperability in a multivendor network
Inexpensive to install and operate
The server-side password database can be stored encrypted (the server never needs the cleartext to compare)
Disadvantages
Password is transmitted in the clear
Reply is either an ACK or NAK. No replay protection.

Challenge Handshake Authentication Protocol (CHAP)

Periodically revalidates users
Standard password database is unencrypted (the server must know the shared secret to compute the expected response)
The password itself is never sent; the client returns a one-way hash of the identifier, secret and challenge
MS-CHAP
Server stores an encrypted hash of the user's password
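The PAP and CHAP trade-offs above are easiest to see by putting both on the wire. The following added example (not from the slides) implements the RFC 1994 CHAP response, MD5 over identifier, secret and challenge, with a hypothetical `ChapServer` that issues a fresh random challenge each time. It shows an honest exchange succeeding, a captured response failing when replayed against the next challenge, and that the PAP message carries the password itself while the CHAP message does not. The secret and user name are constructed test values.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side (hypothetical). It must hold the cleartext secret, which
    is the 'standard password database is unencrypted' trade-off on the slide."""

    def __init__(self, secrets):
        self.secrets = secrets           # name -> shared secret (constructed store)
        self.identifier = 0
        self.challenge = None

    def new_challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = os.urandom(16)  # fresh per exchange: this is what defeats replay
        return self.identifier, self.challenge

    def verify(self, name, identifier, response):
        if name not in self.secrets or identifier != self.identifier or self.challenge is None:
            return False
        expected = chap_response(identifier, self.secrets[name], self.challenge)
        return hmac.compare_digest(expected, response)


def pap_on_the_wire(name, password):
    # PAP: the reusable password crosses the link in the clear.
    return name.encode() + b"\x00" + password


def chap_on_the_wire(name, identifier, response):
    # CHAP: only the identifier and the hash cross the link.
    return name.encode() + b"\x00" + bytes([identifier]) + response


def demo():
    secret = b"correct horse battery staple"     # constructed shared secret
    server = ChapServer({"alice": secret})

    # 1. Honest exchange: server challenges, client answers, server verifies.
    ident, chal = server.new_challenge()
    resp = chap_response(ident, secret, chal)
    honest = server.verify("alice", ident, resp)
    captured = chap_on_the_wire("alice", ident, resp)   # what a sniffer sees

    # 2. Attacker replays the captured response against the next challenge.
    ident2, _ = server.new_challenge()
    replay = server.verify("alice", ident2, resp)

    return {
        "chap_ok": honest,
        "replay_ok": replay,
        "pap_leaks_password": secret in pap_on_the_wire("alice", secret),
        "chap_leaks_password": secret in captured,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: MD5 here is the protocol's construction, not a recommendation, and an attacker who captures the challenge and response can still brute-force a weak secret offline, which is the "offline brute force" threat listed under Link Layer Threats.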

Domain Objectives: Data Link (Threats & Controls)

Link Layer Threats

Confidentiality
Eavesdropping
Sniffing for reconnaissance
Off-line brute force
Unapproved wireless
Integrity
Modification/injection/hijacking
Man-in-the-middle
Forcing weaker authentication
Availability
DoS/jamming
Others
Rogue access points/ad hoc networks
War driving
Open wireless networks

Controls for Wireless Threats


Encryption
Authentication
RF management

Domain Objectives: Network (Concepts & Architecture)

Layer 3: Network Layer

Moves information between two hosts that are not physically connected

Uses logical addressing

Local Area Network (LAN)

LANs service a relatively small area

Most LANs have connectivity to other networks

VLANs are software-based LAN segments implemented by switching technology

Metropolitan Area Network (MAN)

Optimization for city

Uses wireless infrastructure, fiber optics, or Ethernet to connect sites together

Still needs security

Switched multi-megabit data service (SMDS)

SONET/SDH

Storage Area Network (SAN)

Hard drive space problem

Server of servers

Fiber backbone

Switched

Wide Area Network (WAN)

A WAN is a network connecting local networks or access points

Connections are often shared and tunneled through other connections

Internet/Intranet/Extranet

Internet
Collection of all interconnected IP networks
Intranet
Company's internal Internet
Extranet
Company grants others controlled access to an isolated segment of its own network to allow exchange of information
Granting access to external organizations is risky

Domain Objectives: Network (Technology & Implementation)

IPSEC

Authentication header (AH)

Encapsulating security payload (ESP)

Security parameter index (SPI)

Security associations

Transport mode/tunnel mode

Internet key exchange (IKE)

Tunneling Protocols

Point-to-point tunneling protocol (PPTP) Microsoft

Layer 2 forwarding (L2F) Cisco

Layer 2 tunneling protocol (L2TP) from Cisco & Microsoft

Add IPSEC, becomes VPN

Routers

Network routing

Layer 3

Find best path to destination

Firewalls

Filtering

Filtering by address
Filtering by service

Static packet filtering

Stateful inspection or dynamic packet filtering

Personal firewalls

Filter on any field in header

Firewalls

Enforce administrative security policies

Separate trusted networks from untrusted networks

Firewalls should be placed between security domains

Proxy Firewalls

Circuit-Level proxy

Application-level proxy

Firewalls

Firewall Type | OSI Model Layer | Characteristics
Packet filtering | Network Layer | Routers using ACLs dictate acceptable access to a network. Looks at destination and source addresses, ports, and services requested
Application-level proxy | Application Layer | Deconstructs packets and makes granular access control decisions. Requires one proxy per service
Circuit-level proxy | Session Layer | Deconstructs packet. Protects a wider range of protocols and services than application-level proxies, but does not provide as detailed a level of control
Stateful | Network Layer | Keeps track of each conversation using a state table. Looks at state and context of packets
End Systems

Servers and mainframes

Operating systems

Notebooks/laptops/tablet PCs

Workstations

Smartphones

Personal digital assistants

Network Attached Storage (NAS)

End System Protection

Antivirus

Personal Firewalls

Host-based IDS/IPS

Patch management

Domain Objectives: Network (Protocols)

Routing Protocols

Routing information protocol (RIP)

Routing table compromise

Virtual router redundancy protocol (VRRP)

Open shortest path first (OSPF)

Exterior gateway protocol (EGP) obsolete

Border gateway protocol (BGP)

Intermediate system-to-intermediate system (ISIS)

Interior gateway routing protocol (IGRP)

Enhanced IGRP (EIGRP)

Connectivity Protocols

ICMP
Redirect attacks
Traceroute
Ping scanning

Internet Protocol (IP)

Internet Protocol (IP) is responsible for routing packets over a network
Unreliable (best-effort) protocol: no delivery guarantee or retransmission
IP fragments packets that exceed a link's MTU
IPv4 address structure

IPv6
A larger IP address field
Improved security
A more concise IP packet header
Improved quality of service (QoS)

Internetwork Packet Exchange (IPX)

Vendor specific

Retired

Domain Objectives: Network (Threats & Controls)

IP Attacks

Fragmentation attacks

Teardrop attack
Overlapping fragment attacks

Traceroute exploitation

Sniffing

Smurf and Fraggle Attacks

Smurf attack misuses the ICMP echo request: it is sent to a broadcast address with the victim's spoofed source address, so every host on the subnet replies to the victim
Fraggle attack uses UDP (echo/chargen) instead of ICMP
Ping of death

Encryption as a Threat

Can be used for inappropriate purposes
External attackers
Can plant encrypted backdoors that will allow them to access the system
Internal attackers
Utilize commonly available tools (SSL, TLS, SSH) to encrypt traffic to subvert controls
Encrypted backdoors
Tunnels to home computer
Tunnels set up to use company resources for personal pursuits
Tunnels set up to protect criminal/improper behavior
Etc.

IP Addressing Spoofing

Packets are sent with a bogus source address

Takes advantage of a protocol flaw

Controls

Policy

Inbound and outbound traffic controls

Network partitioning
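The "inbound and outbound traffic controls" above are the anti-spoofing filters of BCP 38, and the same border rule set is where Smurf and Fraggle amplification is stopped. The following added example, not from the slides or any router vendor, implements those checks as a function over constructed packets: drop inbound packets whose source claims to be inside, drop inbound packets from bogon ranges, drop outbound packets whose source is not one of our own prefixes, and drop inbound ICMP or UDP aimed at a subnet's directed-broadcast address. The internal prefixes and addresses are assumptions.

```python
import ipaddress

# Hypothetical perimeter: the prefixes this organisation uses internally.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("10.20.0.0/16")]
# Addresses that must never appear as a source on the Internet-facing interface.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in(ip, nets):
    return any(ip in n for n in nets)


def _is_directed_broadcast(ip):
    return any(ip == n.broadcast_address for n in INTERNAL_NETS)


def filter_packet(direction, src, dst, proto="tcp"):
    """Anti-spoofing (BCP 38) and anti-amplification checks at the border router.

    direction: "in" (from the Internet) or "out" (toward the Internet).
    Returns (verdict, reason) where verdict is "accept" or "drop".
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if _in(src, INTERNAL_NETS):
            return "drop", "ingress filter: internal source address arriving from outside (spoofed)"
        if _in(src, BOGON_NETS):
            return "drop", "ingress filter: bogon source"
        if proto in ("icmp", "udp") and _is_directed_broadcast(dst):
            return "drop", "directed broadcast: subnet would act as a Smurf/Fraggle amplifier"
        return "accept", "inbound from external source"
    if direction == "out":
        if not _in(src, INTERNAL_NETS):
            return "drop", "egress filter: source is not one of our prefixes (spoofed)"
        return "accept", "outbound from our prefix"
    raise ValueError("direction must be 'in' or 'out'")


def demo():
    # Constructed traffic, not captured data.
    packets = [
        ("in",  "192.168.1.5",  "192.168.1.10",  "tcp"),   # spoofed internal source
        ("in",  "198.51.100.1", "192.168.1.255", "icmp"),  # Smurf trigger: echo to broadcast
        ("in",  "198.51.100.1", "192.168.1.10",  "tcp"),   # ordinary inbound
        ("out", "203.0.113.7",  "198.51.100.1",  "tcp"),   # our host spoofing someone else
        ("out", "10.20.3.4",    "198.51.100.1",  "udp"),   # ordinary outbound
    ]
    return [filter_packet(*p)[0] for p in packets]


if __name__ == "__main__":
    print(demo())   # ['drop', 'drop', 'accept', 'drop', 'accept']
```

The egress rule is the one organisations most often skip, because it protects other people rather than themselves; it is also the one that keeps your address space from being the amplifier or the spoofed source in someone else's incident.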

Domain Objectives: Transport (Concepts & Architecture)

Layer 4: Transport Layer

End-to-end transport between peer hosts

Connection-oriented and connectionless protocols

Domain Objectives: Transport (Protocols)

Transmission Control Protocol (TCP)

Well-known ports 0 to 1023

Registered ports 1024 to 49151

Dynamic and/or private ports 49152 to 65,535

Total of 65,536 ports

User Datagram Protocol (UDP)

Fast

Low overhead

No error correction/replay protection

Transport Layer Security (TLS)

Mutual authentication

Encryption

Integrity

Domain Objectives: Transport (Threats & Controls)

Attacks

SYN Flood

Denial of Service

Threats

Port scanning
FIN, NULL and XMAS scanning
SYN scanning
TCP sequence number attacks
Session hijacking

Controls

SYN proxies
Honeypots and honeynets
Entice attackers by presenting legitimate-looking systems that they will spend time attempting to crack
Tarpits
Similar to honeypots, but they deliberately answer slowly and hold the attacker's connections open to waste their time. Particularly useful against spamming and network (port) scanning
Continuous or periodic authentication
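The transport-layer threats and controls above can be recognised from the TCP header alone. The following added example (not from the slides or any IDS) packs and parses minimal TCP headers, names the FIN, NULL, XMAS and SYN probes by their flag patterns, and runs a hypothetical `SynFloodDetector` that counts half-open connections per destination port, which is the signature a SYN proxy or SYN-cookie control is responding to. The threshold, ports and addresses are constructed test values.

```python
import struct
from collections import defaultdict

TCP_FMT = "!HHIIBBHHH"   # sport, dport, seq, ack, offset/reserved, flags, window, checksum, urgent
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp(sport, dport, flags, seq=0, ack=0):
    """Minimal TCP header (constructed test segments; checksum left zero)."""
    return struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def parse_tcp(raw):
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack(TCP_FMT, raw[:20])
    return {"sport": sport, "dport": dport, "flags": flags}


def classify_scan(flags):
    """Name the stealth-scan probes by flag pattern (None for normal traffic)."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == SYN:
        return "SYN"
    return None


class SynFloodDetector:
    """Counts half-open connections per destination port (hypothetical detector).

    A SYN opens an entry; the client's completing ACK (or a RST) closes it.
    Many more opens than completions is the SYN-flood signature.
    SYN_THRESHOLD is an assumed tuning value.
    """

    SYN_THRESHOLD = 50

    def __init__(self):
        self.half_open = defaultdict(set)   # dport -> {(src_ip, sport)}

    def feed(self, src_ip, raw):
        seg = parse_tcp(raw)
        key = (src_ip, seg["sport"])
        if seg["flags"] == SYN:
            self.half_open[seg["dport"]].add(key)
        elif seg["flags"] & (ACK | RST):
            self.half_open[seg["dport"]].discard(key)
        return len(self.half_open[seg["dport"]]) > self.SYN_THRESHOLD


def demo():
    # Constructed traffic, not captured data.
    scans = [classify_scan(parse_tcp(build_tcp(40000, 22, f))["flags"])
             for f in (0, FIN, FIN | PSH | URG, SYN, SYN | ACK)]
    det = SynFloodDetector()
    # A legitimate handshake: the client's SYN, then its ACK, closes the entry.
    det.feed("198.51.100.1", build_tcp(5000, 80, SYN))
    det.feed("198.51.100.1", build_tcp(5000, 80, ACK))
    half_open_after_handshake = len(det.half_open[80])
    # Sixty SYNs from sixty spoofed sources that never complete the handshake.
    flood = [det.feed(f"203.0.113.{i}", build_tcp(6000 + i, 80, SYN)) for i in range(1, 61)]
    return {"scans": scans,
            "half_open_after_handshake": half_open_after_handshake,
            "flood_alert": flood[-1],
            "first_alert_at": flood.index(True) + 1}


if __name__ == "__main__":
    print(demo())
```

Because the flood sources are spoofed, blocking by source address does nothing; the control has to be at the server (SYN cookies, a SYN proxy in front of it) or at the border (the anti-spoofing filters from the Network layer section), which is why the slide lists SYN proxies first.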

Domain Objectives: Session (Concepts & Architecture)

Layer 5: Session Layer

Client-server model
Middleware and three-tiered architecture
Many implementations are designed to spread the workload of a complex process across specialized computers in a network
Mainframe
Keeps sessions local, unless remote terminals are implemented
Centralized systems
RADIUS and TACACS+ enable remote connection

Domain Objectives: Session (Technology & Implementation)

Technology and Implementation

Java RMI (remote method invocation)
Allows a program running on one Java VM to invoke methods running on another JVM
Microsoft .NET

Domain Objectives: Session (Protocols)

Protocols

Real-time Transport Protocol (RTP)
End-to-end delivery services for data such as interactive audio and video
RTP Control Protocol (RTCP)
Used to monitor the quality of service and to communicate information about the users during the session
Remote Procedure Call (RPC)
Execute procedures on remote hosts
Open Network Computing RPC (ONC RPC): Sun's version

Remote User Authentication

RADIUS

TACACS+

Domain Objectives: Session (Threats & Controls)

RPC Threats and Controls

Threats

Unauthorized sessions
Invalid RPC exchanges

Controls

Patch
Block at firewall
Disable unnecessary protocols

Domain Objectives: Presentation (Concepts & Architecture)

Layer 6: Presentation Layer

Data conversion
Ensures a common format for data
Services for encryption and compression
JPEG

Mainframe to PC Translation

Extended Binary Coded Decimal Interchange Code (EBCDIC)
American Standard Code for Information Interchange (ASCII)

Gateway
Specialized equipment used to translate presentation-layer protocols
NOT the default gateway

Domain Objectives: Presentation (Protocols)

Audio & Video Compression

Codec

Compression/decompression

Conserves bandwidth and storage

VoIP Protocols

H.323

Session initiation protocol (SIP)

Proprietary applications and services

Layer 7: Application Layer

The application layer is not the graphical user interface (GUI)

Performs communication between peer applications

Implementations

Client/Server

IM
XMPP (Jabber)
IRC

Email
WWW

Peer to Peer

File sharing

Protocol Examples

FTP: File Transfer Protocol

RSH: Remote Shell

IMAP: Internet Message Access Protocol

IRC: Internet Relay Chat

MIME: Multipurpose Internet Mail Extensions

POP3: Post Office Protocol (v3)

Rlogin: Remote login in UNIX systems

SOAP: Simple Object Access Protocol

SSH: Secure Shell

TELNET: Terminal Emulation Protocol

Communication Services

Synchronous messaging

Instant messaging (IM)
Internet relay chat (IRC)

Asynchronous messaging

Simple mail transfer protocol (SMTP)
Post office protocol (POP)
Internet message access protocol (IMAP)
Network news transfer protocol (NNTP)

Remote Communication Services

TCP/IP terminal emulation protocol (TELNET)

Remote login (RLOGIN), remote shell (RSH), remote copy (RCP)

X Window system (X11)

Video and multimedia

Storage Data Services

File transfer protocol (FTP)

Trivial file transfer protocol (TFTP)

Hypertext transfer protocol (HTTP)

HTTP over TLS (HTTPS)

Secure hypertext transfer protocol (S-HTTP)

Proxies

Threats and Controls

Authenticity

Eavesdropping

Scripting

Social engineering

Spam over instant messaging (SPIM)

Tunneling firewalls

Email spoofing

Spam

Mobile Telephony: Cellular Service

Analog

Advanced mobile phone service (AMPS)

Digital

Global system for mobile communications (GSM)
EDGE (enhanced data rates for GSM evolution)
General packet radio service (GPRS)

Data

Telephony Technology

PSTN

PBX
Facsimile
Voice firewalls

VOIP

SIP, H.323

TDMA, CDMA, FDMA

Voice over IP

Reduced cost

Converged technology

Security

Common Threats

War dialing

PBX administration

War driving

Fraudulent toll

Voice eavesdropping

Directory Services

Domain name service (DNS)

Lightweight directory access protocol (LDAP)

Network basic input output system (NetBIOS)

Network information service (NIS/NIS+)

Configuration Services

Simple network management protocol (SNMP)

Dynamic host configuration protocol (DHCP)

Network time protocol (NTP)

Finger user information protocol

Storage Server Services

Common internet file system (CIFS)/server message block (SMB)

Network file system (NFS)

Secure NFS (SNFS)

DNS Threats

Spoofing

Query manipulation: hosts file manipulation

Social engineering

Information disclosure

Domain litigation

Cybersquatting

Email Threats

Spoofing

Open mail relay servers

Spam and filtering

Phishing

Server Message Block (SMB)

Threats

Buffer overflows

Controls

DNS security extensions (DNSSEC)

Mail filtering

IM policy

Turn off SMB
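The hosts file manipulation listed under DNS threats is one of the few query-manipulation techniques that leaves evidence on the endpoint itself, so a defender can audit for it. The following is an added example, not from the slides or from (ISC)²: a small audit that parses a hosts file and flags any watch-listed name that has been pinned to an outside address or sinkholed to loopback. The sample file contents, the hostnames and the addresses are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample hosts file (not from any real system): two normal
# entries followed by the two kinds of manipulation the slides list.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# public name redirected to an address outside the organisation
203.0.113.45  online.examplebank.test www.online.examplebank.test
# vendor update host sinkholed so updates silently fail
127.0.0.1   updates.example-av.test   # added by "installer"
"""

# Assumed watch list: names a workstation should never resolve locally.
WATCHLIST = ("online.examplebank.test", "updates.example-av.test")
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Return (address, [hostnames]) pairs; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # trailing comments are legal
        if line:
            addr, *names = re.split(r"\s+", line)
            entries.append((addr, names))
    return entries


def audit_hosts(text, watchlist=WATCHLIST):
    """Flag watch-listed names (or subdomains of them) that the file overrides."""
    findings = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"unparseable address {addr!r} for {names}")
            continue
        for name in names:
            lname = name.lower()
            if lname in LOCAL_NAMES:
                continue
            if any(lname == w or lname.endswith("." + w) for w in watchlist):
                how = "sinkholed to loopback" if ip.is_loopback else f"pinned to {ip}"
                findings.append(f"{name} {how}")
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("ALERT:", finding)
```

Run against a real host, the same function can read /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts and be fed the organisation's own list of names that must always resolve through DNS.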

Telecommunications and Network Security Domain Summary

Network Security Overview


Physical
Data Link
Network
Transport
Session
Presentation
Application
Telephony
Services

CISSP Summary

Domain 1: Access Control

Domain 2: Business Continuity and Disaster Recovery Planning

Domain 3: Cryptography

Domain 4: Information Security Governance and Risk Management

Domain 5: Legal, Regulations, Investigations, and Compliance

Domain 6: Operations Security

Domain 7: Physical (Environmental) Security

Domain 8: Security Architecture and Design

Domain 9: Software Development Security

Domain 10: Telecommunications and Network Security

Questions?
