Emergency Exits
Breaks
Phones
Instructor
• Part 1: introduction
(ISC)²
• International Information Systems Security Certification Consortium
• Non-profit organization which specializes in information security
education and certifications
• Often described as the “world’s largest IT security organization”
• Based in Palm Harbor, Florida, USA
• Offices in London, Tokyo, Hong Kong, Vienna, Virginia
• Over 85,000 certified professionals in 135 countries
• http://www.isc2.org
(ISC)² Code of Ethics
Preamble:
• The safety and welfare of society and the common good, duty to our
principals, and to each other, requires that we adhere, and be seen to
adhere, to the highest ethical standards of behavior.
BENEFITS OF (ISC)² MEMBERSHIP
• Member Benefits
• Continuing Education
• Security Leadership Series events
• Discounts
• Worldwide receptions, conferences, RSA, InfoSec, SecureAmerica
• Face-to-Face Networking
• Virtual Networking
• Career Tools, InterSeC
• Industry Awards
• Resources
• InfoSecurity Professional Magazine
• Information Security Perspective journal
• Volunteer Opportunities
• http://staysafeonline.org
What is CISSP?
ROLE OF THE CISSP
• Security Consultant
• Security Manager
• IT Director/Manager
• Security Auditor
• Security Architect
• Security Analyst
• Security Systems Engineer
• Chief Information Security Officer
• Director of Security
• Network Architect
• 250 questions
• 6 hours
• To pass must get 700 points out of 1000
• BE ON TIME!!!!!!
• Bring admission letter
• Must have government issued Photo ID
• Bring pencil and eraser
• ~$500
ENDORSEMENT PROCESS
• Pay the Annual Maintenance Fee (AMF) of $85 USD at the end of
each certification year
• Earn and submit 120 credits over three years. A minimum of 20 CPEs
must be posted during each year of the three year certification cycle
THE DOMAINS
• Access Control
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal, Regulations, Investigations, and Compliance
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Software Development Security
• Telecommunications and Network Security
Golden Rule
• For those who don’t have the experience, there is the Systems Security
Certified Practitioner (SSCP)
• Only need 1 year of experience
• Domains covered:
• Access Controls
• Cryptography
• Malicious Code and Activity
• Monitoring and Analysis
• Networks and Communications
• Risk, Response and Recovery
• Security Operations and Administration
Access Control
Domain Objectives
• A comprehensive threat analysis will identify the areas that will provide
the greatest cost-benefit impact.
• The field of access control is constantly evolving. Organizations need to
know what is available and what methods will best address their issues.
• Data and system access control are NOT the same. User might have
access to a system but not to the data. Think “need-to-know”
• Access control assurance addresses the due diligence aspect of
security.
• Implementing a control is part of due care, but due diligence involves
regularly checking to ensure that the control is working as expected.
Information Security TRIAD
Domain Objectives
• Security – ensure only authorized users and processes are able to access or
modify
• Reliability – ensure control mechanisms work as expected, every time
• Transparency – have minimal impact on the ability of authorized users to
interface with the system and do their job
• Scalability – should be able to handle a wide range of changing systems and
user load without compromising system performance
• Maintainability – if too time-consuming or complicated, admins may not keep
them up to date
• Auditability – should provide audit trails
• Integrity – must be designed to protect from unauthorized changes
• Authentic – help ensure that data input is authentic
Key Concepts
• Separation of duties
• No one person should have control over the process. Allowing this could
allow a person to manipulate the system for personal gain. Process should
be broken down into individual steps executed by different people.
• Rotation of duties prevents collusion between two or more people. This
minimizes the chance of or exposes fraud. Forced vacation can provide
the same effect.
• Core element of the Clark-Wilson Integrity model
• Least privilege – only allow access to resources that are absolutely needed
for work
• Need-to-know – just because you have the clearance doesn’t mean you
really need to know the data or process
Information Classification
• Scope – risk analysis will evaluate data for classification. Things to consider:
• Exclusive possession (trade secrets, etc.)
• Usefulness
• Cost to recreate
• Legal or regulatory liability
• Operational impact
• Etc.
• Process – goal is to achieve a consistent approach to handling classified
information
• Marking and labeling – for all types of media to include video
• Human readable
• Machine readable
• Assurance – regular internal and possibly external audits should be done
Domain Objectives
• Methods
• Most common is UserID, account number, email or PIN
• Biometrics can also be used
• Guidelines – unique UserID unless anonymity is required
• RFID – can be used in place of above methods to identify user
• MAC and IP address – used primarily to identify a node on the network
• Security user registration – user interacts with a registration authority to
become an authorized member of the domain
1. UserID, encryption keys, job title, email, etc.
2. User validation
Authentication Methods
• Principals
• Insiders – employees and contractors
• Outsiders – customers, partners, vendors, etc.
• Data – different types of data about principals must be managed
• Personal, legal and access control
• Some of this data might have regulatory requirements
• Life Cycle
• Initial setup – when user joins
• Change and maintenance – routine pw change, name changes, etc.
• Tear-down – when user leaves
Identity Management Technologies
• Password management
• Account management
• Profile update
Access Control Technologies
• Single sign-on
• Kerberos
• Directory services
• Security domains
Domain Objectives
• Host-Based (= Permission)
• HIDS
• Application-Based (= Process)
• AIDS
• APIDS
Intrusion Prevention Systems
• Host-based
• Network-based
• Content-based
• Rate-based
• Pattern or signature-based
• Pattern matching
• Stateful matching
• Anomaly-based
• Statistical
• Traffic
• Protocol
• Heuristic scanning
IDS/IPS Examples
• Anomaly
• Multiple failed logins
• User logged in at unusual times
• Unexplained changes to system clocks
• Unusual number of error messages
• Unexplained system shutdowns/restarts
• Response
• Dropping suspicious packets
• Denying access to suspicious users
• Reporting suspicions to other system hosts/firewalls
• Changing IDS configurations
• Alert
• IM
• Email
• Pager
• Audible alarm
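Two of the anomaly indicators listed above (multiple failed logins, a user logged in at unusual times) as detection logic over constructed log lines. This is an added example, not material from the course deck; the log format, the failure threshold, the time window and the "usual hours" range are assumptions chosen for illustration.

```python
"""Anomaly checks from the slide's IDS list, run over constructed auth log lines.

Added example, not from the course deck. The log format, the failure threshold,
the time window and the 'usual hours' range are all assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: a burst of failures from one source against 'bob',
# followed by a successful login for the same account late at night.
SAMPLE_LOG = """\
2024-03-04T09:12:01 auth OK user=alice src=10.0.0.5
2024-03-04T09:14:10 auth FAIL user=bob src=10.0.0.5
2024-03-04T23:40:02 auth FAIL user=bob src=203.0.113.9
2024-03-04T23:40:05 auth FAIL user=bob src=203.0.113.9
2024-03-04T23:40:09 auth FAIL user=bob src=203.0.113.9
2024-03-04T23:40:12 auth FAIL user=bob src=203.0.113.9
2024-03-04T23:40:15 auth FAIL user=bob src=203.0.113.9
2024-03-04T23:41:00 auth OK user=bob src=203.0.113.9
2024-03-05T10:00:00 auth OK user=carol src=10.0.0.7
this line is garbage and must not crash the detector
"""

FAIL_THRESHOLD = 5                  # failures per (user, src) pair ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this sliding window
USUAL_HOURS = range(8, 19)          # 08:00-18:59 counts as 'usual' here


def parse(log_text):
    """Parse well-formed lines into dicts; silently skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def failed_login_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Alert once when a (user, src) pair reaches `threshold` failures in `window`."""
    alerts, recent = [], defaultdict(list)
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        times = recent[(ev["user"], ev["src"])]
        times.append(ev["ts"])
        while ev["ts"] - times[0] > window:  # expire failures outside the window
            times.pop(0)
        if len(times) == threshold:
            alerts.append(("failed_login_burst", ev["user"], ev["src"], ev["ts"]))
    return alerts


def off_hours_logins(events, usual=USUAL_HOURS):
    """Flag successful logins at unusual times (the slide's 'unusual times' case)."""
    return [("off_hours_login", ev["user"], ev["src"], ev["ts"])
            for ev in events if ev["result"] == "OK" and ev["ts"].hour not in usual]


def analyse(log_text):
    events = parse(log_text)
    return failed_login_bursts(events) + off_hours_logins(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```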
Domain Objectives
• Definition
• Areas to test
• Methods of testing
• Testing procedures
• Testing hazards
Areas to Test
• Application security
• War dialing
• Wireless penetration
• Social engineering
• Attack perspectives
• External
• Internal
• Attack strategies
• Zero-knowledge
• Partial-knowledge
• Full-knowledge
• Targeted
• Double-blind
Testing Steps
• Discovery
• Enumeration
• Vulnerability mapping
• Exploitation
Testing Hazards and Reporting
• Production interruption
• Application abort
• System crash
• Documentation
• Identified vulnerabilities
• Countermeasure effectiveness
• Recommendations
• Availability
• Integrity
• Confidentiality
Out of Business!!!
• Policy
• Access to key personnel
• Budget
• Immediate and ongoing budget
BCM Project Management
• Project management
• Scope
• Timelines
• Deliverables
• Team members
• Tools
Initiating BCP
• Business priorities
• Policy/culture
• Human/man-made
• Utility
• Supply chain
• Equipment
• Facility
• Document dependencies
• Third party dependencies and liabilities
• Service level agreements
Incident Readiness & Response
• Planners become leaders
• Be prepared
• Triage
• Incident management
• Determining BC strategies
• Strategy options
• Data
• Resource-level consolidation
Determining Recovery Strategy
Service Bureau – agreement with an application service provider to process critical business functions. Evaluate their loading and geography, and ask about backup mode.
Remote Working Arrangements – ability to telecommute or work from home. Consider sensitive data controls and unauthorized equipment.
Domain Objectives
• Master Plan
• Modular in design
• Executive endorsement
• Review quarterly
BCP Contents
• Recovery procedures
• Recovery priorities
• Data recovery
• Disaster recovery
• Recover out to the alternate – MOST critical first
• Recover back to the primary – LEAST critical first
• Responsibilities and authority
• Outlines what needs to be done
• Outlines who will do the work
• Since this may be happening at the same time as
the incident, recovery should be done (if possible)
by a different team comprised of technical experts
and system engineers who can rebuild the failed
systems
Creating Restoration Plans
• System restoration
• Priorities
• Data synchronization
• Salvage
• Equipment
• Procurement (vendor agreement)
• Facilities
• Environmental controls
• Fire and water protection
• Personnel
Topics to Address in Plans
• Data
• Offsite storage requirements
• Utilities
• Communications
• Consolidation plan
• Availability of solutions
• Crisis management
• Damage assessment
• Declaring a disaster
• Communications
• Public relations
Domain Objectives
• Outsourcing
• Designing a test
Full Interruption – shuts down and relocates all work; everyone at both locations takes part; done seldom; rated HIGH
Testing BCP Arrangements
• Outcomes
Embedding BCP into the Organization
• Specialized skills
• Forensic
• Interviewing
• Technical
• Crisis management
• PR
• Etc.
Maintaining BCP Arrangements
• Documented
• Review as needed
BCP Maintenance
• Updating
• Audit
• Everyone is aware
• Everyone is invested
• Consensus
Business Continuity and Disaster
Recovery Planning
Domain Summary
• Definitions
• History
• Uses
• Cryptographic Methods
• Encryption Systems
• Algorithms
• Cryptanalysis and Attacks
• Implementations
Concepts and Definitions
• Binary math
• Key management – refers to the principles and practices of protecting the keys throughout the lifecycle
• Key expiry/cryptoperiod – keys should be changed on a regular basis. Length of time should be based on
algorithm and level of protection required
• Key mixing/Key schedule – DES nominal key length is 56 bits (actual length 64, but 8 bits are used for parity).
It performs 16 rounds of substitution and transposition, and each round uses a 48-bit subkey generated from the
original 56-bit key. AES uses key schedulers to generate completely new keys from the original key for each round.
• Keystreams – pseudo-random sequence that is generated from the input key and mixed with the input
message.
• Synchronous – keystream is generated based on original key, bit-by-bit, in sync with plaintext
• Non or self-synchronous – keystream is generated based upon previously generated ciphertext and
cryptovariable
• Key storage – key must be protected in transit and storage
• Key clustering – term used to represent a weakness that exists in a cryptosystem if two different keys
generate the same ciphertext from the same plaintext
Initialization Vector (IV)
• States that the strength of a cryptosystem is based on the secrecy of the key
and not on the secrecy of the algorithm.
• Work factor for the cryptanalyst is the effort required to determine the correct
key.
• Key length is the primary method used to determine the strength of the
cryptosystems.
• Brittleness – measure of how badly a system fails. A resilient system is
dynamic and designed to fail only partially or degrade gracefully. In general,
automated systems which only do one thing are by definition brittle.
• “Security by Obscurity” – concept that system is secure as long as no one
outside the “group” is allowed to find out anything about its internal
mechanisms.
Key Algorithms
• Symmetric key – same key used for both the encryption and
decryption operation
• Message integrity
Historical Development
• Cryptographic techniques
• Manual – cryptographic methods performed by hand using a variety of
tools (still used on some one-time pads)
• Mechanical – use of mechanical tools to perform encryption and
decryption (cipherdisk)
• Electro-mechanical – use of electro-mechanical devices (Enigma
machine)
• Electronic – computer based tech used to perform complex and secure
cryptographic operations (software and hardware based algorithms – AES,
RSA, etc.)
• Quantum cryptography – using single photon light emissions to provide
secure key negotiation
Uses of Cryptography
• Protecting information
• Transit
• Email, VPNs, e-commerce, VOIP, etc.
• Storage
• Disk encryption
• System access
• Passwords, remote login
Making Secure Algorithms
• Keystream
• Statistically unpredictable and unbiased
• Not linearly related to the key
• Operates on individual bits or bytes
Uses of Stream Cipher and Stream-Mode
Block Ciphers
• Wireless
• Audio/video streaming
• SRTP (Secure Real-time Transport Protocol)
Block Cipher
• Data transport – SSL, TLS. Both protocols can use AES and Triple
DES. IPSec based VPNs also use block ciphers to encrypt
communication between endpoints
• Data storage – even though block ciphers take more time, they are used
because of their greater ability to frustrate cryptanalysis. TrueCrypt
is an example of a tool that uses a block cipher to encrypt stored data
Simple Substitution Ciphers
• Substitution of one value for another
• Caesar Cipher
• Shift alphabet (by 3)
• Plain:  A B C D E F …  FACE
• Cipher: D E F G H I …  IDFH
• Scramble alphabet
• Plain:  A B C D E F …  FACE
• Cipher: Q E Y R T M …  MQYT
Tableau of shifted alphabets (each numbered row shifts the plain alphabet one more place):
  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
2 Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
3 X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
4 W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
…
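The slide's two substitution ciphers (Caesar shift and scrambled alphabet) in code, together with the frequency-analysis check the deck lists later under "Plaintext Attacks", which shows why a 25-key shift cipher gives no real protection. This is an added example, not from the course deck; the full scrambled alphabet (which starts with the slide's Q E Y R T M), the sample text and the English letter-frequency table are constructed here.

```python
"""Simple substitution ciphers from the slide plus frequency analysis.

Added example, not from the course deck. The scrambled alphabet, the sample
text and the English letter-frequency table are constructed for illustration.
"""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Scrambled alphabet beginning with the slide's "Q E Y R T M"; the remaining
# positions are filled with the unused letters in order (constructed).
SCRAMBLED = "QEYRTMABCDFGHIJKLNOPSUVWXZ"

# Approximate English letter frequencies in percent, A..Z.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

# Constructed sample text (a sentence taken from the Access Control slides).
SAMPLE = ("ACCESS CONTROL ASSURANCE ADDRESSES THE DUE DILIGENCE ASPECT OF SECURITY. "
          "IMPLEMENTING A CONTROL IS PART OF DUE CARE, BUT DUE DILIGENCE INVOLVES "
          "REGULARLY CHECKING TO ENSURE THAT THE CONTROL IS WORKING AS EXPECTED.")


def shift_alphabet(k):
    """Caesar cipher alphabet: shift by k (the slide uses 3, so A->D and FACE->IDFH)."""
    return ALPHABET[k:] + ALPHABET[:k]


def substitute(text, cipher_alphabet):
    """Replace each letter by its counterpart in cipher_alphabet; other characters pass through."""
    return text.upper().translate(str.maketrans(ALPHABET, cipher_alphabet))


def unsubstitute(text, cipher_alphabet):
    return text.upper().translate(str.maketrans(cipher_alphabet, ALPHABET))


def chi_squared(text):
    """Distance of the letter statistics of `text` from English (lower is closer)."""
    letters = [c for c in text.upper() if c in ALPHABET]
    counts, n = Counter(letters), len(letters)
    score = 0.0
    for i, c in enumerate(ALPHABET):
        expected = ENGLISH_FREQ[i] / 100 * n
        score += (counts[c] - expected) ** 2 / expected
    return score


def recover_shift(ciphertext):
    """Try all 26 shifts and keep the one whose decryption looks most like English.
    A substitution cipher preserves letter frequencies, so the statistics of the
    plaintext language survive in the ciphertext (the deck's 'frequency analysis')."""
    return min(range(26),
               key=lambda k: chi_squared(unsubstitute(ciphertext, shift_alphabet(k))))


if __name__ == "__main__":
    print("shift-3 FACE  :", substitute("FACE", shift_alphabet(3)))
    print("scrambled FACE:", substitute("FACE", SCRAMBLED))
    ct = substitute(SAMPLE, shift_alphabet(3))
    print("recovered shift:", recover_shift(ct))
```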
• Unbreakable algorithm
• Mathematically proven that it can never be broken
Steganography
Modes of Symmetric Block Ciphers
• Block Modes
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Stream Modes
• Cipher Feed Back (CFB)
• Output Feed Back (OFB)
• Counter (CTR)
• Counter with CBC-MAC (CCMP)
Electronic Code Book (ECB)
• Similar to CBC
• IV is encrypted and then XOR’d with the first plaintext block
Output Feed Back (OFB)
• Similar to OFB
• Counter value is used instead of an IV
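ECB, CBC and CTR side by side on a toy block cipher, to show the difference between the "block modes" and "stream modes" listed above and why ECB leaks plaintext patterns. This is an added example, not from the course deck; the block cipher is a constructed 4-round Feistel network with SHA-256 as its round function, present only so the modes can run without a crypto library, and is no substitute for AES.

```python
"""ECB, CBC and CTR on a toy 8-byte block cipher.

Added example, not from the course deck. The Feistel cipher below is a
constructed stand-in for a real block cipher such as AES.
"""
import hashlib
import os

BLOCK = 8  # block size in bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key, blk):
    """Toy Feistel cipher: (L, R) -> (R, L xor F(R)) for four rounds."""
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in range(4):
        left, right = right, xor(left, _round_fn(key, i, right))
    return left + right


def block_decrypt(key, blk):
    """Inverse: run the rounds backwards; this needs F but not its inverse."""
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = xor(right, _round_fn(key, i, left)), left
    return left + right


def pad(data):
    """PKCS#7-style padding so the block modes always see whole blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    """Electronic Code Book: blocks are encrypted independently, so equal
    plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in blocks(pad(data)))


def ecb_decrypt(key, ct):
    return unpad(b"".join(block_decrypt(key, b) for b in blocks(ct)))


def cbc_encrypt(key, iv, data):
    """Cipher Block Chaining: each block is XORed with the previous ciphertext
    block (the IV for the first one) before it is encrypted."""
    out, prev = [], iv
    for b in blocks(pad(data)):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for b in blocks(ct):
        out.append(xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def ctr_crypt(key, nonce, data):
    """Counter mode (a stream mode): keystream block i = E(nonce || i), XORed with
    the data; no padding, and the same call decrypts. Reusing a (key, nonce) pair
    for two messages exposes the XOR of the plaintexts, so nonces must be unique."""
    out = []
    for i, b in enumerate(blocks(data)):
        out.append(xor(b, block_encrypt(key, nonce + i.to_bytes(4, "big"))))
    return b"".join(out)


def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier one (pattern leakage)."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    key, iv, nonce = os.urandom(16), os.urandom(BLOCK), os.urandom(4)
    msg = b"ABCDEFGH" * 4  # constructed: four identical plaintext blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv, msg)))
    print("CTR repeated blocks:", repeated_blocks(ctr_crypt(key, nonce, msg)))
```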
Counter With CBC-MAC (CCMP)
• Blowfish
• Twofish
• CAST
• SAFER
• Serpent
RC-4
• Many applications
Strengths & Weaknesses – Symmetric
Ciphers
Strengths
• Fast
• Difficult to crack
• Algorithms and tools freely available
• Stream ciphers ensure highly efficient serial communications
• Block ciphers offer multiple modes
Weaknesses
• A different form of key negotiation/exchange/distribution must be used
• Poor scalability
• Limited security
• On noisy channels, error correcting is a must
Asymmetric Key Cryptography
• Diffie-Hellman, 1976
• Ensures confidentiality
• Encrypting message with the receiver’s public key provides confidential
transmission of the message because the only key that can open the
message is the corresponding private key of the recipient
• Merkle-Hellman knapsack
• Developed in 1978
• Chor-Rivest knapsack
• Developed in 1984 and revised in 1988
Strengths
• Confidentiality/privacy
• Access control
• Authentication
• Integrity
• Non-repudiation
Weaknesses
• Computationally intensive
• Very slow
Common Hash Functions
• Message Digest
• MD2, MD4, MD5
• Secure Hash Algorithm (SHA)
• SHA-1 (160 bit), SHA-256, SHA-384
• SHA-512 (best practice)
• SHA-3
• HAVAL
• RIPEMD
• Tiger
• WHIRLPOOL
Hash Function Characteristics
• One-way function
• Non-linear relationship
• E-commerce
• Non-repudiation of origin (with private key)
• Key distribution
• Key storage
• Key change
• Expire – how long to use a key
Functions of Key Management
• Operations
• Dual control – require the active participation of 2 or more. No
one person can misuse.
• Threshold schemes – require more than one person to
successfully complete the task
• Key recovery
• Split knowledge – 2 or more people have info about the key.
Must be combined to work.
• Multi-party key recovery – break the key into 3 or more parts and
each part go to a different person.
• Escrow – Key held
Functions of Key Management
• Creation
• Automated key generation – prevents user bias and provides quick
key production
• Truly random – only true random generators are things like radioactive
decay, noisy diodes, etc. Computers produce pseudo-random.
• Suitable length – generators must generate enough bits for a complete
key. Generating 64 bits and concatenating them does not make them
128.
• Key encrypting keys (KEK) – keys used to encrypt other keys. Care
must be taken to ensure that the data used to generate the KEK is
NOT related to the keys being produced.
Functions of Key Management
• Distribution
• Out of band – does not guarantee secure delivery, but it increases its
likelihood
• Public key encryption – most common solution
• Secret key construction – using D-H (or similar), exchange values online that
generate a new secret key
• Secret key delivery – using RSA (or similar), party encrypts secret key with receiving
party’s public key.
• Key distribution center – think Kerberos
• Certificates – used to distribute public keys
• Storage
• Trusted hardware – hardware evaluated (typically) by FIPS 140-2 or
Common Criteria
• Smartcard – non-volatile storage
Public Key Infrastructure (PKI)
Cryptanalysis
Bits | Number of keys | Brute force attack time
56 | 7.2 x 10^16 | 20 hours
80 | 1.2 x 10^24 | 54,800 years
128 | 3.4 x 10^38 | 1.5 x 10^19 years
256 | 1.15 x 10^77 | 5.2 x 10^57 years
• Data shown is as of 1998 when “Deep Crack” was used in RSA DES
challenge.
• Cost $250,000 to build. Today the same thing can be done for under
$10,000.
• With today’s tech, can break DES in 8.7 days or less for under $10,000.
Plaintext Attacks
• Stream
• Frequency analysis – knows characteristics of plaintext language
• IV or keystream analysis – examines large numbers of generated IVs for
weaknesses, statistical biases, etc.
• Block
• Linear cryptanalysis – large amounts of plaintext and associated ciphertext to
find info about the key
• Differential cryptanalysis – 2 or more similar plaintexts are encrypted using
same key and compared
• Linear-differential cryptanalysis – combo of linear and differential
• Algebraic attacks – examines the algorithm
• Frequency analysis – uses the statistics of the language to break a ciphertext
Attacks Against Hash Functions
• Dictionary Attacks
• Based on known lists of common words
• Birthday attacks – group of 23 people, 50% chance 2 will have same birthday.
60 people, 99% chance. Relevant because it describes the amount of effort that
must be made to determine when 2 randomly-chosen values will be the same
(collisions). Weak hash causes many collisions
• Persuasion
• Meet-in-the-Middle
• Mathematical analysis that attacks a problem from both ends and
attempts to find the solution by working toward the center of the
operation from both sides.
• Man-in-the-Middle
• Attacker intercepts and modifies the data before transmitting to
intended person.
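The birthday figures quoted above (23 people: 50%, 60 people: 99%) computed directly, the same bound applied to a hash output size, and an empirical check on a truncated SHA-256 that a collision shows up after roughly the square root of the output space. This is an added example, not from the course deck; the 20-bit truncation and the constructed message series m-0, m-1, ... are illustration choices.

```python
"""Birthday bound: people, hash output sizes, and an empirical collision.

Added example, not from the course deck. Truncation width and message
series are constructed for illustration.
"""
import hashlib
import math


def collision_probability(n, space=365):
    """P(at least two of n uniform samples over `space` values coincide)."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def samples_for_half_chance(bits):
    """Samples needed for a 50 % collision in a 2**bits output space, about
    1.177 * 2**(bits/2). For SHA-1's 160 bits that is ~2**80 hashes, which is
    one reason the deck marks SHA-512 rather than SHA-1 as best practice."""
    return math.sqrt(2 * math.log(2)) * 2 ** (bits / 2)


def truncated_hash(data, bits):
    """Top `bits` bits of SHA-256, standing in for a short or weak hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits, limit=1 << 20):
    """Hash m-0, m-1, ... until two messages share a truncated digest.
    Returns (attempts, msg_a, msg_b), or None if `limit` is reached first."""
    seen = {}
    for i in range(limit):
        msg = b"m-%d" % i
        digest = truncated_hash(msg, bits)
        if digest in seen:
            return i + 1, seen[digest], msg
        seen[digest] = msg
    return None


if __name__ == "__main__":
    print("23 people:", round(collision_probability(23), 3))
    print("60 people:", round(collision_probability(60), 3))
    print("20-bit hash, expected about", round(samples_for_half_chance(20)), "samples")
    print("20-bit hash, collision found after", find_collision(20)[0], "messages")
```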
Common Secure Email Protocols
• Uses
• Remote Access
• VPNs
• E-commerce
• Tools
• IPSec
• SSL/TLS
• Secure HTTP
• TLS
Cryptography Domain Summary
Information Security Governance
and Risk Management
Domain Objectives
• Business Drivers
• Governance
• Roles and Responsibilities
• Security Planning
• Security Administration
• Risk Management
• Ethics
Information Security Environment
• Security planning
• Budget
• Business requirements
• Security metrics
Roles and Responsibilities
• Specific
• Delegate certain responsibilities for security to individuals
• Define acceptable and unacceptable behavior
• General
• Rules that let everyone know they are responsible for security
• Communicated at hiring
• Tell new hires the rules and consider annual review
• Verified capabilities and limitations
• Access to resources defined by job
• Third-party considerations
• Brief vendors, temps, contract staff on security requirements
• Good practices
• Keep it simple, relevant, understandable and communicate
• Reinforced via training
• Annual security training
Internal Roles
• Executive management
• set policy, allocate budget
• Board level
• “C” level
• Information systems security professionals
• advise management
• Developers
• create secure code
• Custodians and Operations staff
• Custodians – care of data
• Ops – run the computers
Internal Roles
• Security staff
• Data and system owners
• Classify
• Access permissions
• Users
• Task as assigned
• Legal, compliance, and privacy officer
• Inform/implement laws/regs
• Internal auditors
• Check on procedures
• Physical security
• Is IT or traditional security responsible
External Roles
• Vendors/suppliers
• Contractors/consultants
• Service level agreements
• Temporary employees
• Customers
External Roles
• Business partners
• Outsourced relationships
• Outsourced security
• External audit
Human Resources
• Employee management
• Acceptable use
• Non-disclosure
• Non-compete
• Ethics
Personnel Good Practices
• Least privilege
• Need to know
• Separation of duties
• Job rotation
• Mandatory vacations
Security Awareness, Training, and Education
• Awareness training – general knowledge
• Delivery methods
• Topics
• Job training – task based
• Professional education – understanding
Good Training Practices
• Be relevant
• Scope properly
Documented Security Program
• Strategic
• Long term planning
• Decide on job to do
• Tactical
• Medium term planning
• Manage jobs being done
• Operational
• Day to day operations
• Job being done
Security Program Management
• Staffing
• Not just workers but look at management
• Evaluate numbers needed
• Reporting
• Make sure everyone knows who they are to report to.
Understand chain of command/reporting
Security Blueprints
• Identify and design security requirements
• Infrastructure security blueprints
• Holistic
• By Scott Berinato and Sarah Scalet:
• “Holistic security means making security part of everything
and not making it its own thing. It means security isn’t added
to the enterprise; it’s woven into the fabric of the application.
Here’s an example. The non-holistic thinker sees a virus
threat and immediately starts spending money on virus-
blocking software. The holistic security guru will set a policy
around e-mail usage; subscribe to news services that warn
of new threats; re-evaluate the network architecture; host
best practices seminars for users; and use virus blocking
software and, probably, firewalls.” (www.cio.com)
ISO/IEC 27000 Series = ISMS Blueprints
• Be prepared
Security Policy
• Documents compliance
• Required
(Diagram: layered policies, with ISO recommendations and best practices feeding them)
Good Policy?
Area IV Buddy System Policy
Risk Management Overview
• Directs budget
• Supports
• Business continuity process
• Insurance and liability decisions
• Legitimizes security awareness programs
Risk Management Definitions
1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation
Risk Assessment – Asset Valuation
• Tangible assets
• Can buy/sell
• Hardware, software, facilities, documentation,
customer lists, and intellectual property
• Intangible assets
• Personnel, reputation/brand, and morale
Information Valuation Considerations
• Exclusive possession
• Utility
• Liability
• Convertibility
• Operational impact
• Timing
Information/Risk Valuation Methods
• Modified Delphi
• Facilitated sessions
• Survey
• Interview
• Checklist
Quantitative Risk Analysis
RISK = MONEY
Quantitative Analysis Steps - Overview
AV (Asset Value)
EF (Exposure Factor)
Step Two: Threat Likelihood Analysis
• Scenario oriented
• No $ values
• Transference = Insurance
• Avoidance = Stop it
Security Control Selection Principles
• Cost/benefit analysis
• Don’t spend more to protect than it is worth
• Accountability
• At least one person for every control
• Include accountability in performance reviews
• Absence of design secrecy
• Ability to change out the controls at some time in
the future without having extraordinary cost to
rework, interoperability with other controls,
confidence in the design
• Audit capability
• Controls must be testable
• Include auditors in design and implementation
Security Control Selection Principles
• Vendor trustworthiness
• Universal application
• Compartmentalization
• Defense in depth
• Sustainability
Ethical Environments
• Global responsibility
• National
• Organizational
• Personal
Ethical Responsibility of all CISSPs
• Religion
• Law
• National interest
• Individual rights
• Common good/interest
• Enlightened self-interest
• Professional ethics/practices
• Standards of good practice
• Tradition/culture
Formal Ethical Theories
• (ISC)²
• RFC 1087
In that order
Internet Architecture Board (IAB)
Legal, Regulations,
Investigations, and Compliance
Domain Objectives
• Common law
• Criminal law
• Civil law
• Administrative law
• Religious law
• Customary law
• Mixed law
• Maritime law
Jurisdiction
• Sovereignty of nations
• Laws aren’t always the same country to country. Nations are making an
effort to harmonize their laws in order to promote uniform enforcement and
cooperation where possible.
Computer Crimes vs. Traditional Crimes
• Ego
• Financial gain
• Revenge
Advanced Persistent Threat (APT)
• Purpose of a trademark
• Characteristics of a trademark
• Word
• Name
• Symbol
• Color
• Sound
• Product shape
Intellectual Property: Copyright
• Must be confidential
• Legal responsibility
• Know responsibilities to employees, customers, etc.
• Penalties
• Can range from compensation to criminal penalties for violation
of law
• Legal obligation
• Due care
(Diagram: negligence = the gap between the regulation or best practice and what is actually done; due diligence = action)
Privacy Laws and Regulations
• Individuals
• Identity theft
• Organizations
• Collection, sharing, storage, processing of personal info
• Global effect
• Laws are different in each country. What laws govern?
Employee Privacy
• Employee monitoring
• Training
Transborder Data Flow
• Political boundaries
• Privacy
• Investigations
• Jurisdiction
Privacy Law Examples
(Diagram: incident readiness cycle – Prepare, Protect, Detect, Respond, Sustain, Improve infrastructure)
Incident Response: Overview
• Response capability
• Policy and guidelines
• Response
• Incident response phases
• Triage
• Containment
• Investigation
• Analysis and treatment
• Recovery
• Debriefing
• Metrics
• Public disclosure
Incident Response: Objectives
• Detecting a problem
• Determining its cause
• Minimizing the damage it causes
• Resolving the problem
• Documenting each step of the response for future reference
• Effectively and appropriately communicating issues
Response Capability
• Policy
• Authority
• Procedures
• Approved
• Management of evidence
Incident Response – External Parties
• Escalation process
• Employees should be trained and have approved procedures that
include when an incident or crime must be reported to higher
management, outside agencies or law enforcement
• Triage
• Investigation
• Containment
• Identify suspects
• Identify witnesses
• Identify system
• Identify team
• Search warrants
Investigation Techniques
• Profiling
Interviewing vs Interrogation
• Analysis
• Interpretation
• Reaction
• Recovery
Containment
• Law
• Court proceedings
• Policy
• Regulations
Recovery Phase Goal
• Protect evidence
Recovery and Repair
• Public disclosure
• Potential evidence
• Digital Forensic Science Research Workshop (DFRWS) defines digital
forensic science as – “The use of scientifically derived and proven methods
toward the preservation, collection, validation, identification, analysis,
interpretation, documentation and presentation of digital evidence derived
from digital sources for the purpose of facilitating or furthering the
reconstruction of events found to be criminal, or helping to anticipate
unauthorized action shown to be disruptive to planned operations.”
• Evidence and legal systems
• Computer forensics is generally applied according to the standards of
evidence admissible in a court of law
Computer Forensics: Evidence
• Identification of evidence
• Collecting of evidence
• Use appropriate collection techniques
• Reduce contamination
• Protect the scene
• Maintain the chain of custody and authentication
Collection of Digital Evidence
• Short lifespan
• Collect quickly
• By order of volatility
• Who
• What
• When
• Where
• How
Forensic Evidence Procedure
• Receive media
• Cryptographic checksum
• Hearsay
• Second-hand evidence
• Normally not admissible
• Presentation of findings
• Interpretation and analysis
• Format appropriate for the intended audience
Computer Forensics
• Key components
• Computer forensics is not a piece of software or hardware. It is a set of
procedures and protocols. Methodical, Repeatable, Defensible, Auditable
• Crime scenes
• Digital evidence
• Non-criminal cases
• Divorce, breach of contract, dissolution of corporation or partnership,
embezzlement, personal injury, etc.
Forensic Evidence Analysis Procedure
• Recent activity
• Keyword search
• Slack space
• Documented
Media Analysis
• What it does
• Ports
• Traffic hiding
Domain Objectives
• Knowing legislation
• Following legislation
Regulatory Environment Examples
• Sarbanes-Oxley (SOX)
• Meant to enhance corporate governance through measures that will
strengthen internal checks and balances and, ultimately, strengthen
corporate accountability.
• Gramm-Leach-Bliley (GLB)
• Protects the privacy of consumer information held by financial institutions
• Basel II
• Regulatory harmony in the international banking community
Compliance Roles and Responsibilities
• Information owner
• Local manager
• Auditor
• Individual
Audit Report Format
• Introduction
• Background
• Audit perspective
• Scope & objectives
• What was done
• Executive summary
• Internal audit opinion
• Detailed report including auditee responses
• Appendix
• Exhibits
Legal, Regulations, Investigations, and Compliance Domain Summary
• Supervision
• Monitoring/audit
Operator Privileges
• Systems administrators
• Network administrators
• Database administrators
Administrator Privileges Summary
• File image
• System image
• Data mirroring
• Electronic vaulting
• Remote journaling
• Database shadowing
• Redundant servers
• Standby services
Software and Data Backup
• Data
• Operating Systems
• Applications
• Transactions
• Configurations
• Reports
Backup Integrity
• Hardware based
• Software based
• Hot Spare
• Global Hot Spare (all disk in array)
• Dedicated Hot Spare (individual disk in array)
RAID Level 0
• Striping
• No redundancy
• Performance only
RAID Level 1
• Fault tolerant
• 200% cost
RAID Level 2
• Not used
RAID Level 3/4
RAID Level 5
• Block-level stripes
• Data and parity interleaved amongst all drives
• The most popular RAID implementation
RAID Level 6
• Block-level stripes
• All drives used for data AND parity
• Two parity types
• Higher costs
• More fault tolerant than RAID implementations 2 - 5
RAID Level 0+1
Block layout across four drives (one column per drive; two stripe sets, mirrored):
A1 A2 A1 A2
A3 A4 A3 A4
A5 A6 A5 A6
A7 A8 A7 A8
RAID Level 10
Block layout across four drives (one column per drive; two mirrored pairs, striped):
A1 A1 A2 A2
A3 A3 A4 A4
A5 A5 A6 A6
A7 A7 A8 A8
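The two block diagrams above look alike but fail differently, which is the exam point behind them. The following is an added example, not part of the deck: it models a four-drive array both ways (RAID 0+1 as a mirror of two stripe sets, RAID 10 as a stripe across two mirrored pairs), regenerates the block layouts shown above, and enumerates which two-drive failure combinations each layout survives. Drive numbering (0 to 3) and the "A1..A8" block names are the example's own conventions.

```python
from itertools import combinations


def layout(level, nblocks=8):
    """Reproduce the slide diagrams: rows of four drive columns."""
    rows = []
    for i in range(0, nblocks, 2):
        a, b = f"A{i + 1}", f"A{i + 2}"
        # 0+1: drives 0-1 hold stripe (a, b), drives 2-3 hold its mirror.
        # 10:  drives 0-1 mirror block a, drives 2-3 mirror block b.
        rows.append([a, b, a, b] if level == "0+1" else [a, a, b, b])
    return rows


def raid01_survives(failed, drives=4):
    """RAID 0+1 (mirror of stripe sets): data survives while at least one
    whole stripe set has no failed drive."""
    half = drives // 2
    set_a, set_b = set(range(half)), set(range(half, drives))
    failed = set(failed)
    return not (failed & set_a) or not (failed & set_b)


def raid10_survives(failed, drives=4):
    """RAID 10 (stripe of mirrors): data survives while every mirror pair
    still has at least one working drive."""
    failed = set(failed)
    pairs = [(i, i + 1) for i in range(0, drives, 2)]
    return all(not set(pair) <= failed for pair in pairs)


def survivable_pairs(survives, drives=4):
    """All two-drive failure combinations the given layout tolerates."""
    return sorted(c for c in combinations(range(drives), 2) if survives(c, drives))


if __name__ == "__main__":
    for name, fn in (("0+1", raid01_survives), ("10", raid10_survives)):
        print(f"RAID {name}: survives {len(survivable_pairs(fn))} of 6 two-drive failures")
```

With four drives both layouts lose half the capacity to mirroring, but RAID 10 tolerates four of the six possible two-drive failures while RAID 0+1 tolerates only two, because in 0+1 a single failure on each side of the mirror destroys both stripe sets.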
Configuration Management Elements
• Hardware inventory
• Firmware
• Documentation requirements
• Testing
Hardware Inventory
• Location
• Owner
• Serial and model numbers
Change Control Management
• Policy
• Knowledge of patches
• Know when patches for all software you own are released by
the vendor
• Testing
• Test all patches, and new software, in a test environment prior
to going live
• Deployment
• Can be challenging. Should be automated to ensure no
machine is missed.
• Zero-day challenges
• Vulnerable time between patch pushed out and able to apply
Software Issues
• Pirating software
• Version control
Job Documentation
• Scheduling
• Dependencies
• Error codes
• Backout procedures
Security Administrator Roles
• Policy
• Development
• Implementation
• Maintenance and compliance
• Vulnerability assessments
• Incident response
Security Administrator Responsibilities
Threat – Countermeasures
• Personal use – Acceptable use policy, workstation controls, web content filtering, and email filtering
• Theft of media – Appropriate media controls
• Fraud – Balancing of input/output reports, separation of duties, and verification of information
• Sniffers – Encryption and policy
Domain Objectives
• Trusted path
Types of Trusted Recovery
• Standby systems
• Cold – configured, not on, lost connections
• Warm – on, some lost data or transactions (TRX)
• Hot – ready, failover
Domain Objectives
• HVAC
• Water
• Communications
• Alarm system
Domain Objectives
• Marking
• Labeling
• Handling
• Storing
• Declassifying
Media Management
• Tapes
• Storage
• Encryption
• Retrieval
• Disposal
Object Reuse
• Securely reassigned
• Disclosure
• Contamination
• Recoverability
Clearing of Magnetic Media
• Overwriting
• Degaussing
• Data remanence
• Physical destruction
Records Management
• Records retention
• Declassification
• Legal requirements
• Privacy
• Devices
• Social networks
• Connection services
• Social dynamics
• Storage of data
• Potential dangers
Operations Security Domain Summary
• Natural/environmental
• History of natural disasters in the area
• Utilities
• Communications outages, power outages, etc.
• Circumstantial
• Fire or break-in at a neighboring building, strike at a critical
point in supply chain, etc.
• Human-made/political events
• Explosions, vandalism, theft, terrorist attacks, strikes, activism,
riots, etc.
Threat Sources
• External activists
• Staff
• Petty criminals
Threat Sources and Controls
Threat – Controls
• Theft – Locks
• Espionage – Background checks
• Dumpster diving – Disposal procedures
• Social engineering – Awareness
• Shoulder surfing – Screen filters
• HVAC access – Motion sensors in ventilation ducts
Facility Vulnerabilities
• Location
• Emergency services
• Fire
• Security
• Visibility
• Controlled access
• Public transit
Countermeasures and Controls
• Surveillance
• Monitoring
• Access control
• Entrances
• Maintenance
Domain Objectives
• Protective barriers
• Natural
• Structural
Fences
• Bollards
• Permanent or retractable post used to deter vehicle-based
attacks
Perimeter Intrusion Detection Systems
• Mixing capabilities
• Adding IR/thermal
• Lighting
• Contrast
CCTV Protection and Image Retention
• Storage of images
• Maintenance
• Privacy
Guards and Guard Stations
• Guards
• Deterrent
• Possible liability
• Contractors
• Guard stations
Domain Objectives
• Doors
• Windows
• Loading ramps
• Elevator shafts
• Ventilation ducts
• Crawlspaces
• Sewage or steam lines
Doors
• Temporary badges
• Vehicles
• Escort
Turnstiles and Mantraps
• Tailgating/piggybacking
Types of Locks
• Lock components
• Body
• Strike
• Strike plate
• Key
• Cylinder
Lock Controls
• Lock and key control system
• Key control procedures
• Who has access to keys
• Keys issued
• Key inventory
• Default settings changed
• Change combinations
• Fail
• Soft (unlocked)
• Secure (locked)
• Safe (allow exit but not entry)
Electronic Physical Controls
• Card access
• Laminate
• Solar film
• Bomb blast film/curtains
• Wired glass
• Intrusion detection/glass breakage sensors
Internal Intrusion Detection Systems
• Continuous lighting
• Trip lighting
• Standby/backup lighting
• Emergency exit/egress lighting
• Infrared/night vision
Domain Objectives
• Perimeter enclosure
• Controls
• Policy
• Emergency power off (EPO) switch
Data Processing Facility
• Cabling
• Conduit
Access to Utility Rooms
• Power rooms
• Breaker panels
• Water
• Ventilation
• Gas
Work Area
• Inventory
• Locks and tracing equipment
• Data encryption
• Disabling I/O ports
Environmental Controls
System – Threat
• Electric power – Loss of power
• HVAC – Overheating
• Water/plumbing – Flood/dripping
• Gas – Explosion
• Refrigeration – Leakage
Fire Protection
• Displace: CO2/foam
• Reduce: Water
• Bind: Halon and alike, Purple K
• Remove: Fireman
Flooding Area Coverage
• Portable extinguishers
Loss of Electrical Power
• UPS
• Generators
• Goals of power – clean and steady power
• Power controls
• Emergency power off (EPO) switch
• Power line monitors
• Total load
Heating, Ventilation, Air Conditioning
• Location
• Positive pressure
• Can indicate unauthorized physical breach
• Helps minimize dust
• Maintenance
Other Infrastructure Threats
• Vermin
• Electromagnetic fields
• Excess vibration
Physical (Environmental) Security Domain Summary
• Mainframe
• Minicomputers
• Microcomputers/desktops
• Servers
• Laptop/notebook
• Embedded
• USB storage
• Portable hard drives
• PDAs and mobile phones
Hardware: Printers
• Multifunctional
• Network aware
• Modem
• Multitasking
• Multiprogramming
• Multiprocessing
• Multiprocessor
• Multi core
• Multithreading
• Direct memory access (DMA)
Real-Time Systems
• Supervisor state
• Problem (user) state
• Running
• Ready
• Blocked
• Masked/interruptible
Input/Output (I/O) Devices
• I/O controller
• Managing memory
• Hardware
Software: Operating System
• Hardware control
• Hardware abstraction
• Resource manager
• Design
• Kernel
Software: Utilities and Drivers
• System utilities
• Maintenance
• System drivers
• Application/hardware interface
• Plug and play
Commercial Software Programs (Applications)
• Commercial off the shelf (COTS)
• Function first
• Unless the software is inherently a security-focused
application (such as a firewall), attention will first be
devoted to functionality. Security is usually an
afterthought.
• Evaluation
• Make sure to consider the information security aspects
of the application such as authentication methods, audit
capabilities, edit checks and error reporting, etc.
Software: Custom
• Business application
• No two businesses do business the same way. Custom
software is the solution used as a natural progression
from manual processes to automation of tasks
• Unified messaging
• Allows different technologies to work together. Fax to a PDA,
access internet from TV
CPU and OS Support for Applications
• Applications were originally self-contained
• Security
• Reinforced by the OS since the OS has the ability to control
the activity of the applications and ensure that one or more
application threads do not affect another
Applications - Today
• Client server
• Centralized architecture
• Distributed architectures
• Thin client architecture
• Diskless computing
• Clusters
Cloud Computing
• Provisioning of services
• Cost models
• Supplement/consumption/delivery model
• Involves provisioning of dynamically scalable and often
virtualized resources
• Characteristics
• Layers
Cloud Computing
• Technology benefits
• More flexible architecture, integration of existing applications,
improved data integration, supports business process
management, facilitates enterprise portal initiatives, speeds custom
application development
• Security issues
• A system that relies on distributed processing must have adequate
bandwidth and high availability.
• Business benefits
• More effective integration with business partners, supports
customer-service initiatives, enables employee self-service,
streamlines the supply chain, more effective use of external service
providers, facilitates global sourcing
Virtualization
• Logical
• Refers to a memory location that is independent of the current
assignment of data to memory. Requires a translation to the
physical address.
• Relative
• Address expressed as a location relative to a known point
• Physical
• Absolute address or actual location
Memory Management Requirements
• Relocation
• Programmer does not know where the program will be placed
in memory when it is executed. It may be swapped to disk
and returned to main memory at a different location.
• Protection
• Processes should not be able to reference memory locations
in another process without permission.
• Sharing
• Allows several processes to access the same portion of
memory. OS allows each process access to the same copy of
the program rather than having its own separate copy.
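The address types on the previous slide (logical, relative, physical) and the three requirements above (relocation, protection, sharing) are what a base-and-limit scheme delivers. The following is an added example, not part of the deck: a toy memory manager in which each process owns one contiguous window, logical addresses are translated to physical ones by adding a base register, references outside the limit raise a fault, a process can be moved to a different physical location without its logical addresses changing, and two processes can be mapped onto the same copy of a program. The process names and image bytes are constructed for the example.

```python
class ProtectionFault(Exception):
    """Raised when a process references memory outside its base/limit window."""


class Process:
    def __init__(self, name, base, limit):
        self.name, self.base, self.limit = name, base, limit


class MemoryManager:
    """Toy base-and-limit memory manager: one contiguous window per process."""

    def __init__(self, size):
        self.memory = bytearray(size)
        self.procs = {}

    def load(self, name, image, base):
        # Relocation: the program is written at whatever base is free; the
        # program itself only ever uses logical addresses starting at 0.
        self.memory[base:base + len(image)] = image
        self.procs[name] = Process(name, base, len(image))

    def translate(self, name, logical):
        # Logical -> physical translation with a bounds check (protection):
        # a process cannot form a physical address inside another's window.
        p = self.procs[name]
        if not 0 <= logical < p.limit:
            raise ProtectionFault(f"{name}: logical address {logical} outside limit {p.limit}")
        return p.base + logical

    def can_access(self, name, logical):
        try:
            self.translate(name, logical)
            return True
        except ProtectionFault:
            return False

    def read(self, name, logical):
        return self.memory[self.translate(name, logical)]

    def relocate(self, name, new_base):
        # Swap-out/swap-in at a different location: only the base register
        # changes, the program's logical addresses are unaffected.
        p = self.procs[name]
        image = bytes(self.memory[p.base:p.base + p.limit])
        self.memory[p.base:p.base + p.limit] = bytes(p.limit)   # zero the old window
        self.memory[new_base:new_base + p.limit] = image
        p.base = new_base

    def share(self, existing, new_name):
        # Sharing: a second process mapped onto the same copy of the program
        # rather than being given its own copy.
        p = self.procs[existing]
        self.procs[new_name] = Process(new_name, p.base, p.limit)
```

Real hardware does the same check in the MMU on every reference; the toy version makes visible that "users cannot generate addresses" on the next slide means the process never sees or chooses the physical address at all.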
Memory Protection Benefits
• Memory reference
• Different data classes
• Users can share access
• Users cannot generate addresses
Primary Storage
• Registers
• Very high-speed storage structures built into the CPU chip set
and are often used to store timing and state information for
the CPU to maintain control over processes.
• Cache
• Very fast memory directly on the CPU chip body. Not
upgradeable. Three types (level 1-3).
• Random access memory (RAM)
• Main memory of the system
Secondary Storage
• Internal
• External
• Virtual memory
• SANs
• Clusters
Virtual Memory
• Server chassis
• Processing power
• Management simplification
• Temporal isolation
• Accomplished through time limits. Person cannot access an
area of the building or an area of the network, or an
application outside of certain authorized hours.
• Physical isolation
• Refers to separating out sensitive areas from common access,
such as setting up compartmentalized areas or secure rooms.
• Virtual isolation
• Protects against malicious activity by not permitting a process
to execute outside of a strict set of boundaries.
Ring Protection
• Security kernel
• Components of an OS perform various protection tasks designed to control
and monitor system events and prevent things from occurring that might
disrupt normal execution or threaten the stability of the system or any of its
resources.
• Subject
• Active entity
• Object
• Passive entity
Attested Boot/TPM/Processing
• Redundancy
• Graham-Denning
• Harrison-Ruzzo-Ullman (HRU) result
• Variations of Biba
Security Models
• Integrity – Clark-Wilson, Biba, G&M, Sutherland, Graham-Denning, HRU,
Jueneman, Lee & Shockley
• Confidentiality – Brewer-Nash, BLP
• Implementations – Gong, Lipner, Karger
• Need to know
Domain Objectives
• DoD-centric
• Product evaluation
• International origin
• ITSEM
• Assurance
• Functionality
Common Criteria (ISO 15408)
• Origins
• Documents
• NOT an implementation
• Complete overview of IT
business alignment
• Intent
• Scope
• Two-dimensional
• Principles
SABSA
• View sets:
• All view
• Operational view
• Systems view
• Technical standards view
ISO/IEC 42010
• Focuses on IT services
• Supporting products
COSO Enterprise Risk Management Framework
• Emphasizes the importance of identifying and managing
risks
• Process
• People
• Reasonable assurance
• Objectives
• Project Management
• Complexity of Systems and Projects
• Security by Design
• Controls Built in to Software
• Secure by Default
Secure Development Excuses
• Project security
• Changes in employment
• If internal, adjust permissions on things no longer needed
• If leaving company, remind to keep company secrets
• Always try to test for what the bad guy and stupid user
would do
Certification and Accreditation
• SLC vs SDLC
• Systems Life Cycle – development, post-development,
maintenance phases
• System Development Life Cycle – development and ends
shortly after implementation
Software Development Methods
• Interpreted (oldest to newest) – Basic, REXX, PostScript, Pascal, Perl,
Ruby, Python
• Compiled (oldest to newest) – Basic, Fortran, COBOL, Pascal, C, C++, C#,
ADA, Python, Visual Basic
Program Utilities
• Separation of Duties
• Need to Know
• Logging
• Transaction:
• Integrity – data not inappropriately altered
• Edit checks, balancing, data/input validation, error handling/information
leakage, logging/auditing, cryptography, secure code environment,
session management
• Availability – large queries that affect performance should be limited.
Critical systems should be designed with redundancy and failover
• Confidentiality – provide necessary security measures for data
Object-Oriented Programming
• OOP Concepts
• Classes – templates for objects
• Objects – instances of the classes
• Message – objects request services by sending messages to other
objects
• Inheritance – an object that is called by another object or program
derives its data and functionality from the calling object
• Polymorphism – different objects may respond to the same
command in different ways
• Polyinstantiation – creating a new version of the object by
changing its attributes. Prevents Inference Violations by allowing
different versions of the same information to exist at different
classification levels
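Polyinstantiation is the one OOP term above that is really a database control (it reappears under Database Controls later in this domain), and the inference it prevents is easiest to see in code. The following is an added example, not part of the deck: a plain single-instance table that reports "duplicate key" to a low-cleared user, thereby revealing that a row they cannot read exists, beside a polyinstantiated table that keeps one instance per (key, classification) and returns to each subject the highest instance at or below their clearance. The classification names, the "flight-7" key and the attribute values are constructed for the example.

```python
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


class StandardTable:
    """Single-instance relation: one row per key, regardless of classification."""

    def __init__(self):
        self.rows = {}

    def try_insert(self, key, level, **attrs):
        # Returns False on duplicate key. A low-cleared user who sees that
        # failure has just inferred that a row they are not allowed to read
        # exists: the inference violation polyinstantiation is meant to stop.
        if key in self.rows:
            return False
        self.rows[key] = (level, attrs)
        return True


class PolyinstantiatedTable:
    """Rows are keyed by (key, classification); several instances may coexist."""

    def __init__(self):
        self.rows = {}

    def insert(self, key, level, **attrs):
        # Always succeeds: a second instance at a different level is created
        # rather than colliding with (and thus disclosing) the higher one.
        self.rows[(key, level)] = attrs
        return True

    def select(self, key, clearance):
        """Return the highest-classified instance at or below the subject's clearance."""
        visible = [
            (lvl, attrs)
            for (k, lvl), attrs in self.rows.items()
            if k == key and LEVELS[lvl] <= LEVELS[clearance]
        ]
        if not visible:
            return None
        return max(visible, key=lambda item: LEVELS[item[0]])[1]
```

The cost is that the database now deliberately holds contradictory facts about the same key, so integrity checks and reports must be written per classification level rather than over the whole relation.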
Distributed Programming
• Building security in
• Adding defense-in-depth
• Cryptographic protection of data
• Secure architecture
Applications Security Principles
• Buffer overflow
• SQL injection
• Cross-site-scripting (XSS)
• Dangling pointer
• Invalid hyperlink
• Secure (encrypted) web application traffic risks
• JavaScript attacks vs sandbox
Secure Coding Issues
• Object reuse
• Garbage collection
• Trap door/maintenance hooks
Domain Objectives
• Malformed input
• Injection (SQL injection)
• Input manipulation/malicious file execution
• URL manipulation
• Unicode attack
Malware and Attack Types
• Cryptographic storage
• Hijacking
• Insecure communications
Malware and Attack Types
• Keystroke logging
• Adware and spyware
• SPAM
• Phishing
• Spear phishing
• Whaling
• Pharming
Malware and Attack Types
• Infection/reproduction
• Target search
• Infection
• Trigger
• Payload
Malware Anti-Detection
• Stealth
• Tunneling
• Polymorphism
• Self-decrypting
• File infector
• Boot Sector Infector
• System infector
• Email virus
• Multipartite
• Used to mean a virus that was able to infect boot sectors and programs
• Now means a virus that can infect more than one type of object or infect or
reproduce in more than one way
• Macro Virus
• Script Virus
• Visual Basic file that can be seen as a data file but is executable (.vbs)
The Hoax, Chain Letters and Pranks
• Social engineering
• Hoax
• Chain Letters
• Pranks
• Reproduces
• No user action required
• Loopholes
• Often probe the computer looking to exploit specific
weaknesses and/or compromise other computers
• Attacks server software
Trojan Horse
• Social engineering
Logic Bomb
• Data diddler
• Salami technique
• Office Space – fractions of a cent moved to bank account
• Policies
• Tools
• Monitoring
• Operation
• Egress scanning
• Integrity checkers
Emerging Threats and Chained Exploits
• Chained exploits
Domain Objectives
Network DBMS Model
Book Table (Foreign Key: Author No)
Book No  Book Title                Book Type  Book Price  Author No
PC1234   Learning Database Models  Computer   39.99       123456
PC4321   Data Modeling Techniques             69.99       234567
PC6789   Designing a Database      Computer   39.99       345678
PC9876   Secrets of Databases      Computer   19.99       456789
Data Warehouse
• Inference (guess)
• Aggregation (conclusion)
• Unauthorized access
• Improper modification of data
• Unauthorized data mining
• Query attacks
• Bypass attacks
• Interception of data
• Web security
Database Controls
• Access controls
• Grants – user is given access to specific data using
various privilege types
• Cascading permissions – individual grants access to
others, loses access, so does everyone else
• Lock controls
• Backup and recovery
• Data contamination control
• Polyinstantiation
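The "cascading permissions" bullet above describes what happens when a grant chain is revoked at its root. The following is an added example, not part of the deck: a small model of one privilege on one object where every grant carries the grant option, access exists only while a chain of live grants leads back to the owner, and a revoke removes the grant together with every dependent grant further down the chain. A user who also holds the privilege through a second, independent chain keeps it. Owner and user names are constructed for the example.

```python
from collections import deque


class GrantGraph:
    """Privilege on one object: edges (grantor -> grantee) each carry grant option,
    so access holds only while a chain of live grants leads back to the owner."""

    def __init__(self, owner):
        self.owner = owner
        self.edges = set()

    def holders(self):
        # Everyone reachable from the owner through surviving grants.
        reached = {self.owner}
        queue = deque([self.owner])
        while queue:
            grantor = queue.popleft()
            for g, e in self.edges:
                if g == grantor and e not in reached:
                    reached.add(e)
                    queue.append(e)
        return reached

    def has_access(self, user):
        return user in self.holders()

    def grant(self, grantor, grantee):
        # Only a current holder may pass the privilege on.
        if not self.has_access(grantor):
            raise PermissionError(f"{grantor} cannot grant what they do not hold")
        self.edges.add((grantor, grantee))

    def revoke(self, grantor, grantee):
        """Cascading revoke: drop this grant, then every grant whose grantor no
        longer holds the privilege, until no dangling grants remain."""
        self.edges.discard((grantor, grantee))
        while True:
            live = self.holders()
            dead = {e for e in self.edges if e[0] not in live}
            if not dead:
                return
            self.edges -= dead
```

Real database engines implement the same rule with explicit REVOKE ... CASCADE (or refuse the revoke unless dependents are handled), which is why audits of grant chains matter: a single root revoke can silently remove access for users nobody remembered were downstream.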
View-Based Access Controls
• Constrained views
• What portion of the data in the database is the user authorized
to see
• Poorly designed
• More privileges than necessary
• DBA account use
• Lack of audit
• Input validation
Software Development Security Domain Summary
• Message protection
• Confidentiality
• Integrity
• Non-repudiation
• Availability
• Redundancy
• Single point of failure
Defense in Depth
• Series of hurdles
• Collection of controls
• Any form of protection can be defeated but when
layered it becomes much harder to defeat.
OSI Reference Model
Network Topology (diagram: Ring, Star, Tree, Bus)
Bus Topology
• Closed-loop topology
• Advantages
• Deterministic
• Disadvantages
• Single point of failure
Star Topology
• Throughput
• Distance between devices
• Data sensitivity/confidentiality
• Environment
• Cost
Media compared: Twisted Pair, Coax, Fiber, Wireless
Twisted Pair
• Three components
• Light source
• Optical fiber cable
• Two types
• Light detector
• Advantages
• High bandwidth
• Immune to EMI and RFI
• Difficult to tap
• Disadvantages
• Expensive
• Difficult to install
Wireless Transmission Technologies
• 802.11 – WLAN
• From wired network to station, wireless LAN
• 802.16 – WMAN, WiMAX
• From neighborhood to station, wireless metropolitan area networks,
or WiMAX®
• Satellite
• From orbit to station
• Microwave
• High bandwidth, line of sight, point-to-point communications that
require licensing (ground to ground OR ground to orbit to ground)
• Optical
• High bandwidth, line of sight, point-to-point communications that do
not require licensing
Patch Panels
• Hubs
• Used to implement a physical star/logical bus topology
• All devices can read and potentially modify the traffic of other
devices
• Repeaters
• Allow greater distances between devices
Wireless Access Points (WAPs)
• Types of connectors
• RJ-11
• RJ-45
• BNC (British Naval Connector)
• RS-232 (serial ports)
• Cabling Standards
• TIA/EIA-568 (Telecommunications Industry
Association/Electronic Industries Association)
Domain Objectives
• Attack vectors
• Wire
• Tapping
• Wireless
• Sniffing
• Equipment
• Modems
• Authorized and unauthorized modems
• Emanations and TEMPEST
• EMI and RFI
Physical Controls
• Wire
• Shielding
• Conduit
• Faraday cage
• Penetration index
• Wireless
• Encryption
• Authentication
• Equipment
• Locked doors & cabinets
Domain Objectives
• Perimeter-based security
• The “egg” concept of security
• Hardened outside defenses
• Lack of internal defenses?
• Security domains
• Internal layers of defense
• Isolating networks within the organization
Network Partitioning
• Bastion host
• Dual-homed host
• Screened host and subnet
• Demilitarized zone (DMZ)
Network Partitioning
• Three-legged firewall
• Disadvantages
• Single point of failure
• No defense in depth
• Managing firewall rules can be complex
Token Ring and Token Passing
• Synchronous
• Timing mechanism synchronized data transmission
• Robust error checking
• Practical for high-speed, high-volume data
• Asynchronous
• Clocking mechanism is not used
• Surrounds each byte with bits that mark the beginning and
end of transmission
Unicast, Multicast, and Broadcast
• Unicast
• Sending of message from one host to another
• Multicasts
• Message (video, teleconference, etc.) sent to a defined set of
recipients
• IGMP (Internet Group Management Protocol) – used to manage
multicasting groups (hosts on a network that are interested in a
particular multicast)
• Broadcasts
• Sends to an unlimited number of recipients. Can send to everyone
on network and sub-networks
• Often used to launch DoS
Circuit-Switched vs Packet-Switched
• Circuit-switched network
• Dedicated circuit between endpoints
• Endpoints have exclusive use of the circuit and its bandwidth
• Cost based on duration of the connection. Makes it cost-
effective only for steady communication streams
• Packet-switched network
• Data is divided into packets and transmitted on a shared
network
• Each packet can be independently routed on the network
• Cost based on amount of data transmitted. Appropriate for
transmissions with significant idle time
Switched/Permanent Virtual Circuits
• Connection-oriented
• Uses virtual circuits
• Guarantees quality of service but not the delivery of
cells
• Types of virtual circuits
• Constant Bit Rate (CBR)
• Variable Bit Rate (VBR)
• Unspecified Bit Rate (UBR)
• Available Bit Rate (ABR)
Multi-Protocol Label Switching (MPLS)
• Bandwidth management and scalability
• Permits traffic engineering
• Provides quality of service and defense against network
attacks
• Operates at Layers 2 and 3
• Operates over most other packet switching technologies
such as frame relay and ATM
• Created for performance but has the effect of being a
tunnel
Digital Subscriber Lines (DSL)
• 802.11b – 11 Mbit/s
• 802.11a – 54 Mbit/s + error correcting code
• 802.11g – max 54 Mbit/s w/ avg 22 Mbit/s
• 802.11n (multiple input/output) – 54 to 600 Mbit/s
• 802.11i (security)
• 802.16 (WiMAX)
• 802.15 (Bluetooth)
• Wireless multiplexing
• OFDM/DSSS/FHSS (AFH)
Authentication
• RFC 1331
• Encapsulation
• Link control protocol (LCP)
• Network control protocols
• Confidentiality – Eavesdropping, Sniffing from reconnaissance, Offline
brute force
• Integrity – Modification/injection/hijacking, Man-in-the-middle, Force
weaker authentication
• Availability – DoS/jamming
• Others – Rogue access points/ad hoc, Unapproved wireless networks, War
driving, Open wireless networks
Controls for Wireless Threats
• Encryption
• Authentication
• RF management
Domain Objectives
• Internet
• Collection of all interconnected IP networks
• Intranet
• Company’s internal Internet
• Extranet
• Company will grant other controlled access to an isolated
segment of its own network to allow exchange of information
• Granting access to external organizations - risky
Domain Objectives
• Network routing
• Layer 3
• Filtering
• Filtering by address
• Filtering by service
• Static packet filtering
• Stateful inspection or dynamic packet filtering
• Personal firewalls
• Circuit-Level proxy
• Application-level proxy
Firewalls
• Antivirus
• Personal Firewalls
• Host-based IDS/IPS
• Patch management
Domain Objectives
• ICMP
• Redirect attacks
• Traceroute
• Ping scanning
Internet Protocol (IP)
• Vendor specific
• Retired
Domain Objectives
• Fragmentation attacks
• Teardrop attack
• Overlapping fragment attacks
• Traceroute exploitation
• Sniffing
Smurf and Fraggle Attacks
• Ping of death
Encryption as a Threat
• Policy
• Network partitioning
Domain Objectives
• Fast
• Low overhead
• Mutual authentication
• Encryption
• Integrity
Domain Objectives
• SYN Flood
• Denial of Service
Threats
• Port scanning
• FIN, NULL and XMAS scanning
• SYN scanning
• TCP sequence number attacks
• Session hijacking
Controls
• SYN proxies
• Honeypots and honeynets
• Tarpits
• Similar to honeypots. Entice hackers by presenting legitimate
looking systems that they will spend time attempting to crack.
• Particularly useful against spamming and network (port)
scanning
• Continuous or periodic authentication
Domain Objectives
• Client-server model
• Middleware and three-tiered architecture
• Many implementations are designed to spread
the workload of a complex process to specialized
computers in a network
• Mainframe
• Keeps sessions local, unless remote terminals
are implemented
• Centralized systems
• RADIUS and TACACS+ enable remote
connection
Domain Objectives
• Microsoft .NET
Domain Objectives
• RADIUS
• TACACS+
Domain Objectives
• Threats
• Unauthorized sessions
• Invalid RPC exchanges
• Controls
• Patch
• Block at firewall
• Disable unnecessary protocols
Domain Objectives
• Data conversion
• Ensures a common format for data
• Services for encryption and compression
• JPEG
Mainframe to PC Translation
• Codec
• Compression/decompression
• H.323
• Client/Server
• IM
• XMPP (Jabber)
• IRC
• Email
• WWW
• Peer to Peer
• File sharing
Domain Objectives
• Synchronous messaging
• Instant messaging (IM)
• Internet relay chat (IRC)
• Asynchronous messaging
• Simple mail transfer protocol (SMTP)
• Post office protocol (POP)
• Internet message access protocol (IMAP)
• Network news transfer protocol (NNTP)
Remote Communication Services
• Authenticity
• Eavesdropping
• Scripting
• Social engineering
• Spam over instant messaging (SPIM)
• Tunneling firewalls
• Email spoofing
• Spam
Domain Objectives
• Analog
• Advanced mobile phone service (AMPS)
• Digital
• Global service for mobile communications (GSM)
• EDGE (enhanced data rate for GSM evolution)
• General packet radio service (GPRS)
• Data
Domain Objectives
• PSTN
• PBX
• Facsimile
• Voice firewalls
• VOIP
• SIP, H.323
• TDMA, CDMA, FDMA
Voice over IP
• Reduced cost
• Converged technology
• Security
Domain Objectives
• War dialing
• PBX administration
• War driving
• Fraudulent toll
• Voice eavesdropping
Domain Objectives
• Spoofing
• Query manipulation:
• Hosts file manipulation
• Social engineering
• Information disclosure
• Domain litigation
• Cybersquatting
Email Threats
• Spoofing
• Open mail relay servers
• Spam and filtering
• Phishing
Server Message Block (SMB)
Threats
• Buffer overflows
Controls