CISSP

How I Passed the CISSP Test:
Lessons Learned in Certification

Presented by Kirk A. Burns, CISSP
Admin Data
Emergency Exits
Breaks
Phones
Other Admin Data

Introduction
Instructor
What is this class going to provide me?
What should I expect to get out of this class?

Class Structure
• Broken up into 12 parts
• Part 1: introduction
• Parts 2 – 11: will be the domains
• Part 12: will be examples of types of questions you might see.

• THESE ARE NOT copies of the questions from the exam
What is (ISC)²?
(ISC)²
• International Information Systems Security Certification Consortium
• Non-profit organization which specializes in information security
education and certifications
• Often described as the “world’s largest IT security organization”
• Based in Palm Harbor, Florida, USA
• Offices in London, Tokyo, Hong Kong, Vienna, Virginia
• Over 85,000 certified professionals in 135 countries
• http://www.isc2.org
(ISC)² Code of Ethics
Preamble:
• The safety and welfare of society and the common good, duty to our
principals, and to each other, requires that we adhere, and be seen to
adhere, to the highest ethical standards of behavior.
Code of Ethics Canons:

• Protect society, the common good, necessary public trust and
confidence, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent service to principals
• Advance and protect the profession
BENEFITS OF (ISC)² MEMBERSHIP
• Member Benefits
• Continuing Education
• Security Leadership Series events
• Discounts
• Worldwide receptions, conferences, RSA, InfoSec, SecureAmerica
• Face-to-Face Networking
• Virtual Networking
• Career Tools, InterSeC
BENEFITS OF (ISC)² MEMBERSHIP
• Industry Awards
• Resources
• InfoSecurity Professional Magazine
• Information Security Perspective journal
• Member submitted security awareness materials
• Volunteer Opportunities
• http://staysafeonline.org
What is CISSP?
• Certified Information Systems Security Professional

• Governed by (ISC)²
• Worldwide recognition of competence
• Practical understanding of information security issues and solutions
• ANSI accreditation based on the ISO/IEC 17024:2003 standard
(obtained in June 2004)
• Awareness of security challenges
• As of November 2013, reported to have 90,198 members worldwide in
149 countries
ROLE OF THE CISSP
• CISSPs often hold job functions such as:
• Security Consultant
• Security Manger
• IT Director/Manager
• Security Auditor
• Security Architect
• Security Analyst
• Security Systems Engineer
• Chief Information Security Officer
• Director of Security
• Network Architect
ROLE OF THE CISSP
• Develops and oversees the implementation of the organization’s

information security policies and procedures
• Provide advice on implementation of information security solutions and

technologies
• Monitoring compliance with regulatory bodies and employees,

contractors, alliances and other 3rd parties
COMMON BODY OF KNOWLEDGE
CBK
• The (ISC)² CBK is a compendium of topics relevant to information
security professionals around the world. The (ISC)² CBK is the accepted
standard in the industry, the subject of many books written on information
security, and the core of the university information assurance programs
around the globe. The CBK continues to be updated annually by (ISC)²
CBK Committees comprised of members from many industries and
regions around the world, to reflect the most current and relevant topics
required to practice in the field. (ISC)² uses the CBK domains to assess a
candidate’s level of mastery of information security.
How to Get Your CISSP Certification
1) Obtain the Required Experience

a) must have a minimum of five (5) years cumulative paid full-time work
experience in two (2) or more of the ten (10) domains.
b) May receive a one year experience waiver with a four-year college degree,
or regional equivalent OR additional credential from the (ISC) approved list
(requiring four (4) years of direct full-time professional security work
experience in two or more of the ten domains)
2) Study for the Exam
3) Schedule the Exam
4) Pass the Exam
5) Complete the Endorsement Process
6) Maintain the CISSP Certification
CISSP EXAM
The CISSP exam
• 250 questions
• 6 hours
• To pass must get 700 points out of 1000
• BE ON TIME!!!!!!
• Bring admission letter
• Must have government issued Photo ID
• Bring pencil and eraser
• ~$500
ENDORSEMENT PROCESS
What is needed for the Endorsement Process
• Provide a recent resume

• Complete the Examination Registration Form
• Submit a completed and executed Endorsement Form
MAINTENANCE REQUIREMENTS
• To maintain the CISSP certification and remain in “good standing” with

(ISC)², you are required to:
• Pay the Annual Maintenance Fee (AMF) of $85 USD at the end of
each certification year
• Earn and submit 120 credits over three years. A minimum of 20 CPEs
must be posted during each year of the three year certification cycle
THE DOMAINS
• Access Control
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal, Regulations, Investigations, and Compliance
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Software Development Security
• Telecommunications and Network Security
Golden Rule
1. People Safety First

2. Management buy-is is Critical
3. Everyone is responsible for Security
4. Training is Essential
5. Policy is the Key to (nearly) everything
What If I Don’t Have The Experience?
• For those who don’t have the experience, there is the Systems Security
Certified Practitioner (SSCP)
• Only need 1 year of experience
• Domains covered:
• Access Controls
• Cryptography
• Malicious Code and Activity
• Monitoring and Analysis
• Networks and Communications
• Risk, Response and Recovery
• Security Operations and Administration
Access Control
Domain Objectives
• Provide definitions and key concepts

• Identify access control categories and types
• Discuss access control threats
• Review system access control measures
• Understand Intrusion Detection and Intrusion Prevention
systems
• Understand Access Control assurance methods
Access Control
• Is the basic foundation of information security

• Implemented differently depending on whether the are of
implementation is physical, technical or administrative.
• Categories include:
• Preventive
• Detective
• Corrective
• Deterrent
• Recovery
• Directive
• Compensating
• Often used in combination
Access Control
• A comprehensive threat analysis will identify the areas that will provide
the greatest cost-benefit impact.
• The field of access control is constantly evolving. Organizations need to
know what is available and what methods will best address their issues.
• Data and system access control are NOT the same. User might have
access to a system but not to the data. Think “need-to-know”
• Access control assurance addresses the due diligence aspect of
security.
• Implementing a control is part of due care, but due diligence involves
regularly checking to ensure that the control is working as expected.
Information Security TRIAD
Domain Objectives
• Definitions of Key Concepts

• Access Control Categories and Types
• Access Control Threats
• Access to System
• Access to Data
• Intrusion Prevention and Detection Systems
• Access Control Assurance
Basic Requirements
• Security – ensure only authorized users and processes are able to access or
modify
• Reliability – ensure control mechanisms work as expected, every time
• Transparency – have minimal impact on the ability of authorized users to
interface with the system and do their job
• Scalability – should be able to handle a wide range of changing systems and
user load without compromising system performance
• Maintainability – if too time-consuming or complicated, admins may not keep
them up to date
• Auditability – should provide audit trails
• Integrity – must be designed to protect from unauthorized changes
• Authentic – help ensure that data input is authentic
Key Concepts
• Separation of duties
• No one person should have control over the process. Allowing this could
allow a person to manipulate the system for personal gain. Process should
be broken down into individual steps executed by different people.
• Rotation of duties prevents collusion between two or more people. This
minimizes the chance of or exposes fraud. Forced vacation can provide
the same effect.
• Core element of the Clark-Wilson Integrity model
• Least privilege – only allow access to resources that are absolutely needed
for work
• Need-to-know – just because you have the clearance doesn’t mean you
really need to know the data or process
Information Classification
• Is the PROPER assessment of the sensitivity and criticality of information

• Ensures that info is neither improperly disclosed nor overprotected
• Objectives:
• Identify info that needs to be protected
• Standardize labeling
• Alert authorized holders of protection requirements
• Comply with laws, regulation, etc.
• Benefits – keeps cost down
• Example of classification:
• Public, internal use only and company confidential
• Compartmentalized information – information that requires special
privilege to access
Information Classification Procedures
• Scope – risk analysis will evaluate data for classification. Things to consider:
• Exclusive possession (trade secrets, etc.)
• Usefulness
• Cost to recreate
• Legal or regulatory liability
• Operational impact
• Etc.
• Process – goal is to achieve a consistent approach to handling classified
information
• Marking and labeling – for all types of media to include video
• Human readable
• Machine readable
• Assurance – regular internal and possibly external audits should be done
Domain Objectives

• Access to Data
Access Control Types
• Administrative – policies and procedures.
• Technical/logical – use of hardware and software controls
• Physical – manual, structural or environmental controls to protect

facilities and resources
Access Control Categories
• Preventive – block unwanted actions. However, only effective if

employees see these as necessary
• Detective – identify, log and alert management of unwanted
actions (during or after event)
• Corrective – remedy the circumstances that enabled event
• Directive – controls dictated by organizational and legal authorities
• Deterrent – Prescribe some sort of punishment
• Recovery – restore lost resources or capabilities
• Compensating – backup controls that come into effect when
normal controls are unavailable
Domain Objectives

• Access to Data
Access Control Threats
• Denial of service • Sniffers

• Password crackers • Shoulder surfing/swiping
• Dictionary • Dumpster diving
• Brute force • Emanations
• Rainbow tables
• Time of Check (TOC)/Time
• Keystroke loggers of Use (TOU)
• Spoofing/masquerading
• Machine
• Impersonation
Domain Agenda

• Access to Data
System Access Control
• Identification – process of recognizing users or resources as valid

accounts
• Authentication – verification of the identity of the person or node
• Authorization – determines what a user or node is allowed to do

once identified and authenticated
• Accountability – ability to track user activity

Identification
• Methods
• Most common is UserID, account number, email or PIN
• Biometrics can also be used
• Guidelines – unique UserID unless anonymity is required
• RFID – can be used in place of above methods to identify user
• MAC and IP address – used primarily to identify a node on the network
• Security user registration – user interacts with a registration authority to
become an authorized member of the domain
1. UserID, encryption keys, job title, email, etc.
2. User validation
Authentication Methods
• Knowledge (something you know)
• Ownership (something you have)
• Characteristics (something you are)

Identity and Access Management
• Need for identity management – needed to manage,

authenticate, authorize, provision, de-provision and protect
identities
• Challenges – the more complex a network and data protection

system, the more challenging to manage
• Identity management technologies – designed to centralize and

streamline the management of user ids, authentication and
authorization
Identity Management Challenges
• Consistency – user data entered across different systems MUST

be consistent
• Reliability – user profile data should be reliable. Especially if used
to control access to data or resources
• Usability – multiple logins over multiply systems might not be the
best idea
• Efficiency – using an identity management system can decrease
costs and improve productivity for both users and administrators
• Scalability – the management system used must be able to scale
to support the data, systems and peak transaction rates
Identity Management Challenges
• Principals
• Insiders – employees and contractors
• Outsiders – customers, partners, vendors, etc.
• Data – different types of data about principals must be managed
• Personal, legal and access control
• Some of this data might have regulatory requirements
• Life Cycle
• Initial setup – when user joins
• Change and maintenance – routine pw change, name changes, etc.
• Tear-down – when user leaves
Identity Management Technologies
• Web Access Management (WAM)
• Password management
• Account management
• Profile update
Access Control Technologies
• Single sign-on
• Kerberos
• SESAME - protocol developed by the European Union. Also known as

SSO
• Web Portal Access
• Directory services
• Security domains
Domain Objectives

• Access to Data
Access to Data
Implementations Descriptions
• Mandatory • List
• Temporal • Matrix
• Discretionary • Capabilities
• Role • Non-discretionary
• Rule • Constraints
• Content • Centralized
• Privacy • Decentralized
Access Control Lists (ACL)
• Most common implementation of Discretionary Access Control (DAC)

• Provide easy method to specify which users are allowed access to which
objects
• Objects/subjects
• Files/users
• O.S. dependent
• Each OS has its own way of representing ACLs.
• UNIX – 3 subjects: owner, group and world w/ 3 permissions: Read ,Write,
Execute
• ACL support in Linux is available for Ext2, Ext3, IBJ JFS, ReiserFS and
SGI XFS
• Microsoft has unlimited # of subjects and 26 permissions
Centralized/Decentralized Access Control
• Centralized access control – one entity makes network access decisions.

Owners decide which users can access specific objects and the administration
supports these directives.
• RADIUS
• TACACS+
• Diameter (RADIUS base but enhanced to overcome inherent limitations)
• Decentralized access control – decisions and admin are implemented

locally, allowing people closer to the resource security controls.
• Often causes confusion because it can lead to non-standardization,
overlapping rights, etc.
• P2P
Domain Objectives

• Access to Data
Intrusion Detection Systems
• Network Based • = Packet

• NIDS
• Host-Based • = Permission
• HIDS
• Application-Based • =Process
• AIDS
• APIDS
Intrusion Prevention Systems
• Host-based
• Network-based
• Content-based
• Rate-based
• KPI (Key Performance Indicator) - measure effectiveness

Analysis Engine Methods
• Pattern or signature-based
• Pattern matching
• Stateful matching
• Anomaly-based
• Statistical
• Traffic
• Protocol
• Heuristic scanning
IDS/IPS Examples
• Anomaly
• Multiple failed logins
• User logged in at unusual times
• Unexplained changes to system clocks
• Unusual number of error messages
• Unexplained system shutdowns/restarts
• Response
• Dropping suspicious packets
• Denying access to suspicious users
• Reporting suspicions to other system hosts/firewalls
• Changing IDS configurations
• Alert
• IM
• Email
• Pager
• Audible alarm
Domain Objectives

• Access to Data
Access Control Assurance
• Audit trail monitoring
• Vulnerability assessment tools

Penetration Testing Overview
• Definition
• Areas to test
• Methods of testing
• Testing procedures
• Testing hazards
Areas to Test
• Application security
• Denial of Service (DoS)
• War dialing
• Wireless penetration
• Social engineering
• PBX and IP telephony

Penetration Testing Methods
• Attack perspectives
• External
• Internal
• Attack strategies
• Zero-knowledge
• Partial-knowledge
• Full-knowledge
• Targeted
• Double-blind
Testing Steps
• Discovery
• Enumeration
• Vulnerability mapping
• Exploitation
Testing Hazards and Reporting
• Production interruption
• Application abort
• System crash
• Documentation
• Idetified vulnerabilities
• Countermeasure effectiveness
• Recommendations
• KPI – Key Performance Indicators

Access Control Domain Summary

• Access to Data
Business Continuity and
Disaster Recovery Planning
Domain Objectives
• Business Continuity Management (BCM) Project

Planning
• Understanding the Organization
• Recovery Strategy Selection
• Creating the Plan(s)
• Developing and Implementing Response
• Testing, Update, and Maintenance of the Plan
Planning Should Occur BEFORE You Need It
BS 25999: Business Continuity Management
• Risk Management • Health & Safety
• Disaster Recovery • Knowledge Management
• Facilities Management • Emergency Management
• Supply Chain Management • Security
• Quality Management • Crisis Communications and PR

Information Security Priorities
• Keeping CRITICAL products and services going
• Availability
• Integrity Out of Business!!!
• Confidentiality
• What should be done in a crisis when most controls are missing?

The Business Continuity Life Cycle Overview
• Analyze the business
• Assess the risks
• Develop the BC strategy
• Develop the BC plan
• Rehearse the plan

BCM Project Management
• Senior management support
• Policy
• Access to key personnel
• Budget
• Immediate and ongoing budget
BCM Project Management
• Project management
• Scope
• Timelines
• Deliverables
• Team members
• Tools
Initiating BCP
• Awareness, data and implementation
• Staff and budget
• Result must be a long-term, sustainable program
• Review progress monthly (suggestion)

Documentation
• Review current BCP, if available
• Documentation may not equal capability
• Staff must be trained to use any necessary software
• Types of BCM document
• Policy, including scope and principles
• Business impact analysis
• Risk and threat assessment
• Strategies, including (if able) papers supporting the choice of strategies
adopted
• Response plans
• Test schedule and reports
• Awareness and training program
• Service level agreements with customers and suppliers
• Contracts for 3rd party recovery services such as workspace and salvage
• Review/update as directed by policy
Domain Objectives
• Business Continuity Management (BCM) Project Planning

Understanding BCM Priorities
• Business priorities
• Policy/culture
• Critical services and products
• Legal and regulatory requirements

Risk Assessment and Management
• Management is often NOT an IT person. Might have different

priorities
• Risk management versus business continuity planning

• Risk management – tactical
• Business continuity – strategic
• Coordination between risk assessment and business impact
analysis
• Purpose of risk management?

Threat Identification
• Natural/environmental
• Human/man-made
• Utility
• Supply chain
• Equipment
• Facility
• Loss of key personnel

Understanding the Organization
• Business Impact Analysis (BIA)

• Benefits
• Objectives
• Indicators of critical business functions

• Time sensitivity
• Data integrity
• Classification
Business Impact Analysis
• Identifies, quantifies, and qualifies loss over time
• Business impact analysis process

• Workshops
• Questionnaires
• Interviews
• Observation
Business Impact Analysis
• Business justifications for budget
• Maximum Tolerable Downtime (MTD)/ Maximum Tolerable Period

of Downtime/Disruption (MTPD)
• Recovery Point objective (RPO)
• Document dependencies
• Third party dependencies and liabilities
• Service level agreements
Incident Readiness & Response
• Planners become leaders
• Be prepared
• Triage
• Incident management
• Success = return to operations
• Application of lessons learned

Continuity Requirement Analysis
• Identify supporting activities and resources
• Outcomes feed BCP strategy selection
• Reviewed with BIA

Domain Objectives

Determining Recovery Strategy
• Determining BC strategies
• Strategy options
• Data
• Activity continuity options
• Resource-level consolidation
Determining Recovery Strategy
• High-level strategies – purpose is to ensure overall continuity

strategy appropriately supports the delivery of orgs
products/services
• Recovery Time Objective (RTO) < Maximum Tolerable
Downtime/Disruption (MTPD)
• Separation distance – how far away is recovery site
• Cost/benefit analysis – best strategy is often determined by cost
• Address specific business types
• Different business functions have different recovery solutions
Recovery Alternatives
Alternative Description Readiness Cost

Multiple Fully redundant identical Highest level of availability Highest
processing/mirrored site equipment & data & readiness
Mobile site/trailer Designed, self-contained IT Variable drive time; load High
& communications data, & test systems
Hot site Fully provisioned IT & Short time to load data, High
office, HVAC, infrastructure, test systems. May be yours
& communications or vendor staff
Warm site Partially IT equipped, some Days or weeks. Need Moderate
office, data & voice equipment, data,
infrastructure communications
Cold site Minimal infrastructure, Weeks or more. Need all IT, Lowest
HVAC office equipment, &
communications
Processing Agreements
Agreement Description Considerations

Reciprocal or Mutual Aid Two or more organizations agree to Technology upgrades/obsolescence
recover critical operations for each or business growth. Security and
other access by partner users.
Contingency Alternate arrangements if primary Providers may share paths or lease

provider is interrupted, i.e., voice or from each other. Question them
data communications
Service Bureau Agreement with application service Evaluate their loading, geography
provider to process critical business and ask about backup mode.
functions
Remote Working Arrangements Ability to telecommute or work from Sensitive data controls, unauthorized
home equipment
Domain Objectives

Business Continuity Plan
• Master Plan
• Modular in design
• Executive endorsement
• Review quarterly
BCP Contents
• When will team be activated?
• How will the team be activated?
• Where will everyone meet?
• Is there an Action Plan/Task List?
• Is there any reporting? If so, to whom?

BCP Contents
• Responsibilities of the team or specific individuals
• Liaising with emergency services (fire, police, ambulance)

• Receiving or seeking information from response teams
• Reporting information to the incident management team
• Mobilizing third-party suppliers of salvage and recovery
services
• Allocating available resources to recovery teams
• Location/mobilization instructions
Developing Response Plans
• Incident response structure - plans that answer “What do we do

now?” Emergency response procedures, Personnel notification,
Backup and offsite storage, Etc.
• Emergency response procedures
• Personnel – executive succession plan, executive crisis
management roles, BC coordinator and teams, notification lists, PR
• Communications – emergency systems, business systems
communications and networks
• Alternate site considerations – utilities, communications,
environmental protection, workspace protection
• Logistics and supplies – personnel and materials transport,
personnel support and welfare, remote worker activation, emergency
funds, protection against fraud and looting, safety and legal issues,
escalated management authority
Creating Recovery Plans
• Recovery procedures
• Recovery priorities
• Activation of alternate site or processes
• Data recovery
• Business resumption plan

Creating Disaster Recovery Plans
• Disaster recovery
• Recover out to the alternate – MOST critical first
• Recover back to the primary – LEAST critical first
• Responsibilities and authority
• Outlines what needs to be done
• Outlines who will do the work
• Since this may be happening at the same time as
the incident, recovery should be done (if possible)
by a different team comprised of technical experts
and system engineers who can rebuild the failed
systems
Creating Restoration Plans
• Rebuilding of primary site

• Facility restoration
• System restoration
• Priorities
• Data synchronization
• Salvage
• Closure of alternate site

Topics to Address in Plans
• Equipment
• Procurement (vendor agreement)
• Facilities
• Environmental controls
• Fire and water protection
• Personnel
Topics to Address in Plans
• Data
• Offsite storage requirements
• Utilities
• Communications
• Logistics and supplies

Resource-Level Consolidation
• Consolidation plan
• Availability of solutions
• Consolidate, approve and implement
• Outcomes and deliverables

Domain Objectives

Incident Response Management
• Strategic Level: Incident Management Plan (IMP) – defines how the

strategic issues of a crisis will be managed by chief executive/senior
managers. May include crises that do not result in interruptions (hostile
takeover, media exposure, etc.).
• Tactical Level: Business Continuity Plan (BCP) – addresses business
disruption, interruption, or loss from the initial response till normal business
resumes.
• Operational Level: Activity Resumption Plans – provide plans for
resuming normal business functions. Might provide logical and technical
structure for restoring services or use of alternate facilities.
Implementing Incident Management
• Crisis management
• Rapid response is critical

• Triage (alerts)
• Notification
• Health and safety of personnel (people first)
• Escalation
• Executive succession
Initial Assessment
• Damage assessment
• Declaring a disaster
• Mobilization of response teams
• Permanent and virtual teams

Documentation and Communication
• Documentation of the incident
• Feedback and analysis
• Communications
• Public relations
Domain Objectives

Testing the Program
• Find the flaws
• Outsourcing
• Timetable for tests
• Designing a test
• Define success/failure BEFORE test begins

Testing Types
Types Process Participants Frequency Complexity
• Check the contents of the plan Author Often LOW

Desk check • Aid in maintenance
• Check interaction and roles of participants Author and main

Walk through people
• Includes: business plans, buildings and Main people and

Simulation communication auditors
Parallel • Moves work to another site Everyone at test

testing • Recreates the existing work from the displaced site location
Full • Shuts down and relocates all work Everyone at both Seldom HIGH
Interruption locations
Testing BCP Arrangements
• Test, rehearsal and exercise
• Combining individual tests to ensure complete coverage
• Stringency, realism, and minimal exposure

• Risks of testing
• Scope and documentation of a test
• Outcomes
Embedding BCP into the Organization
• Assessing level of awareness and training

• Develop levels of training for individuals
• Developing BCP within the culture

• Educate employees not only of what they are supposed to do
but WHY they are doing it that way
• Monitoring cultural change

• Get feedback. Sometimes the best solution to a problem will
come from the most unexpected person
Specialized Training Needs
• EOC (Emergency Operations Center)
• Specialized skills
• Forensic
• Interviewing
• Technical
• Crisis management
• PR
• Etc.
Maintaining BCP Arrangements
• Ready and embedded
• Aligned with change-management procedures
• Owners keep information current
• Documented
• Review as needed
BCP Maintenance
• Updating
• Annual review – at a minimum

• Subsequent to tests – to immediately identify fail points and
needed changes
• Response to audits – to address issues found
• Version control – to insure everyone is working off the most
current plan
• Distribution of plan – to insure everyone is working off the most
current plan
Reviewing BCP
• Audit
• Independent BCP audit opinion
• As directed by audit policy

Factors for BCM Success
• Supported by senior management
• Everyone is aware
• Everyone is invested
• Consensus
Business Continuity and Disaster
Recovery Planning
Domain Summary

Cryptography
Domain Objectives
• Definitions
• History
• Uses
• Cryptographic Methods
• Encryption Systems
• Algorithms
• Cryptanalysis and Attacks
• Implementations
Concepts and Definitions
• Cryptology – the study of cryptography and cryptanalysis

• Cryptanalysis – practice of defeating the protective properties of
cryptography. Reading protected info, altering messages or
integrity values and violating authentication. The practice of testing
cryptographic algorithms to determine their strength or resistance
to compromise.
• Cryptography – from Greek words “kryptos” (hidden) and
“graphia” (writing). Mathematical manipulation of information to
prevent the information from being disclosed or altered.
Basic Goals of Cryptography
• Confidentiality – prevent unauthorized people from being able to detect

or understand a message
• Integrity – detect if a message has been tampered with or corrupted
• Authenticity – ensure that message has been sent to correct person
and in correct order, including prevention of replay attacks
• Non-repudiation – sender cannot deny sending
• Access control – encrypted passwords, token-based access control
devices provide protection for systems and applications
• Make compromise difficult – make the attack either too expensive or
too time-consuming to be worth the effort
Concepts & Definitions
• Cryptosystem – device or process used to perform encryption and

decryption operations
• Plaintext/Cleartext – human readable message
• Ciphertext/Cryptogram – enciphered, encrypted, or scrambled
message
• Cryptographic Algorithm – mathematical function that determines the
cryptographic operations
• Cryptovariable (key) – often secret value used to transform the
message in the encrypted message
• Key Space – total number of keys available to the user of a
cryptosystem
Concepts & Definitions
• Encrypt/Encipher – scrambling a plaintext message by using an

algorithm, usually in conjunction with a key
• Encode – similar to enciphering or encrypting except that it does not use

a key
• Decipher/Decrypt/Decode – descrambling an encrypted message and

converting it to plaintext
Basic Transformation Techniques
• Substitution – change value, not position.

• Transposition/Permutation – change the relative position of values
without replacing them (bit-shuffling)
• Compression – change position, not value. Decrease redundancy
before plaintext is encrypted. Used to save on bandwidth and storage.
• Entropy – maximum amount of compression that can be applied
• Expansion – typically used to increase the size of plaintext to match the
size of keys or subkeys
• Padding – adding additional material to plaintext before encrypting.
Addresses weaknesses in an algorithm and foils traffic analysis
XOR – Exclusive Or
• Fast arithmetic function used in many computer operations
• Binary math
• Add two values

• If both input values are the same the output is a Zero (i.e., 1+1=0;
0+0=0)
• If the input values are different the output is a One (i.e., 1+0=1;
0+1=1)
Keys and Cryptovariables
• Key management – refers to the principles and practices of protecting the keys throughout the lifecycle
• Key expiry/cryptoperiod – keys should be changed on a regular basis. Length of time should be based on
algorithm and level of protection required
• Key mixing/Key schedule – DES nominal length 56 bits (actual length 64 but 8 used for parity), does 16
rounds of substitution and transposition and uses 48 bits of the key. Generates new 48 bit key from original
56 bit. AES uses key schedulers to generate completely new keys from the original key for each round.
• Keystreams – pseudo-random sequence that is generated from the input key and mixed with the input
message.
• Synchronous – keystream is generated based on original key, bit-by-bit, in sync with plaintext
• Non or self-synchronous – keystream is generated based upon previously generated ciphertext and
cryptovariable
• Key storage – key must be protected in transit and storage
• Key clustering – term used to represent a weakness that exists in a cryptosystem if two different keys
generate the same ciphertext from the same plaintext
Initialization Vector (IV)
• Encrypting similar messages will create patterns of ciphertext even

when using different keys. Predictability is an enemy of
cryptography.
• An IV is a random value added to the plaintext message before

encrypting so that each ciphertext will be substantially different.
• The recipient will also need the IV to decrypt the message

Work Factor
• An estimate of the effort/time needed to overcome a protective

measure by an attacker with specified expertise and resources.
• Commonly used as a way to measure the amount of resources that
would be required to brute-force an algorithm or cryptosystem.
• System is said to be broken when there is a way to decrease the
work factor to a reasonable level.
• All cryptosystems will be crackable eventually. Objective is to use
a system that is computationally infeasible to crack.
• Work factor has nothing to do with normal encryption/decrytion
Kerckhoff’s Principle
• States that the strength of a cryptosystem is based on the secrecy of the key
and not on the secrecy of the algorithm.
• Work factor for the cryptanalyst is the effort required to determine the correct
key.
• Key length is the primary method used to determine the strength of the
cryptosystems.
• Brittleness – measure of how badly a system fails. A resilient system is
dynamic and designed to fail only partially or degrade gracefully. In general,
automated systems which only do one thing are be definition brittle.
• “Security by Obscurity” – concept that system is secure as long as no one
outside the “group” is allowed to find out anything about its internal
mechanisms.
Key Algorithms
• Symmetric key – same key used for both the encryption and
decryption operation
• Asymmetric key – pair of mathematically related keys (A and B)

used separately for encryption and decryption
Certificates
• Certificate proves who owns a public key

• Digitally signed, special block of data that contains public key
and identifying information for the entity that owns the private
key
• Issued by a Certification Authority (CA) – trusted entity or 3rd
party that issues and signs public key certificates, attesting to the
validity of the public key.
• Registration Authority – is the primary organization that verifies a
Certificate Applicant’s information and identity. Works with CA to
verify applicant’s information before issuing a certificate
Hash Functions
• Message integrity
• Computed value for a message, program, data, etc to be

transmitted or stored
• One way function
• Cannot decrypt/reverse a hash

Digital Signatures
• Message Integrity and Proof of Origin

• Proves message has not been altered
• Proves who sent the message
• Created by encrypting a hash of the message with the private
asymmetric key of the sender. Creates a signed hash that can only
be unlocked using the public asymmetric key of the sender.
• Reason for signing the hash of the message instead of the
message is that asymmetric algorithms tend to be very slow and
computationally intensive to use. So signing the hash saves time
and money.
Domain Objectives
• Definitions
• History
• Uses
• Algorithms
• Implementations
Historical Development
• Cryptographic techniques
• Manual – cryptographic methods performed by hand using a variety of
tools (still used on some one-time pads)
• Mechanical – use of mechanical tools to perform encryption and
decryption (cipherdisk)
• Electro-mechanical –use of electro-mechanical devices (Enigma
machine)
• Electronic – computer based tech used to perform complex and secure
cryptographic operations (software and hardware based algorithms – AES,
RSA, etc.)
• Quantum cryptography – using single photon light emissions to provide
secure key negotiation
Domain Objectives
• Definitions
• History
• Uses
• Algorithms
• Implementations
Uses of Cryptography
• Protecting information
• Transit
• Email, VPNs, e-commerce, VOIP, etc.
• Storage
• Disk encryption
• System access
• Passwords, remote login
Domain Objectives
• Definitions
• History
• Uses
• Algorithms
• Implementations
Making Secure Algorithms
• Problems – simple systems are not very secure

• Discernible – if you know the language of the original message, “frequency
analysis” can be performed
• Redundancies – make the cryptoanalyst’s job easier
• Statistical patterns – can be revealed in ciphertext if algorithm doesn’t obscure
them
• Solutions
• Confusion – principle of hiding patterns in the plaintext by substitution
• Diffusion – act of transposing the input plaintext throughout the ciphertext so that
a character in the ciphertext would not line up directly in the same position in the
plaintext
• Avalanche – achieved with plaintext bits affect the entire ciphertext so that
changing one bit in the plaintext would change half of the entire cipher text
Stream Ciphers
• Keystream
• Statistically unpredictable and unbiased
• Not linearly related to the key
• Operates on individual bits or bytes
Uses of Stream Cipher and Stream-Mode
Block Ciphers
• Wireless
• Audio/video streaming
• SRTP (Secure Real-time Transport Protocol)
Block Cipher
• Blocks of plaintext are encrypted into ciphertext blocks

• Multiple modes of operation
• Variable key size, block size, rounds
Block Cipher Uses
• Data transport – SSL, TLS. Both protocols can use AES and Triple
DES. IPSec based VPNs also use block ciphers to encrypt
communication between endpoints
• Data storage – even though block ciphers take more time, used
because of their greater ability to frustrate cryptanalysis. TrueCrypt
is an example of block cipher used to encrypt data
Domain Objectives
• Definitions
• History
• Uses
• Algorithms
• Implementations
Simple Substitution Ciphers
• Substitution of one value for another
• Caesar Cipher
• Shift alphabet (by 3)
• A B C D E F …. FACE
• D E F G H I …. IDFH
• Scramble alphabet
• A B C D E F …. FACE
• Q E Y R T M …. MQYT
• Vulnerable to frequency analysis

Simple Transposition/Permutation
• Columnar – rearranging the T H I S I

message in a table
• Plaintext “This is an example of S A N E X
transposition”
A M P L E
• Cipher “tsaoni hamfst inptpi selroo
ixeasn”
O F T R A
• Key: grid shape & reading
direction N S P O S
• Example: the Spartan Scytale I T I O N

Polyalphabetic Ciphers
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
2 Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
3 X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
4 W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
…
• Encrypt the plaintext FEEDBACK using a key of 3241

• Try encrypting your name
Running Key Ciphers
• Done by using the numerical value of letters in the plaintext and is

coded and decoded by using a copy of the text in a book as the
key.
• Sender and recipient determine the key by agreeing on a point in
the book (i.e. page number) from which to start the encryption.
• Key would “run” as long as the plaintext, and the value of each
letter of the key would be “added” to the value of each letter of the
plaintext.
• If total of the two letters is greater than 25, then 26 would be
subtracted from the result. The combined value of the letters
would be the value of the ciphertext letter.
One-Time Pads (OTP)
• Truly random key values
• Both sides have same pad of key values
• Keys are only used once
• Unbreakable algorithm
• Mathematically proven that it can never be broken
Steganography
• The art of hiding information

• Plaintext hidden/disguised
• Prevents a third party from knowing that a secret
message exists
• Traditionally accomplished in a number of ways:
• Physical techniques
• Null ciphers
Image-Based Steganography
Original image Stegged image
File size is identical (260 kb)

If hashed, values would be different
Watermarking/Rights Management
• Digital watermarking – similar to physical watermarking.

Either visible or invisible markings embedded within a digital
file to indicate copyright or other handling instructions, or to
embed a fingerprint to detect unauthorized copying and
distribution of images.
• Digital Rights Management/Digital Restriction Management

(DRM) – extends digital watermarking in order to place strict
usage conditions on the display and reproduction of digital
media.
Domain Objectives
• Definitions
• History
• Uses
• Algorithms
• Implementations
Modes of Symmetric Block Ciphers
• Block Modes
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Stream Modes
• Cipher Feed Back (CFB)
• Output Feed Back (OFB)
• Counter (CTR)
• Counter with CBC-MAC (CCMP)
Electronic Code Book (ECB)
• Each block of plaintext is encrypted independently using the same

key
Cipher Block Chaining (CBC)
• The first plaintext block is XOR’d with an Initialization Vector (IV)

• Result is ciphertext is chained into the next plaintext block
Cipher Feed Back (CFB)
• Similar to CBC
• IV is encrypted and then XOR’d with the first plaintext block
Output Feed Back (OFB)
• Operates very much like CFB

• Only the RESULT of encrypting the IV is feed back to the next
operation
Counter (CTR)
• Similar to OFB
• Counter value is used instead of an IV
Counter With CBC-MAC (CCMP)
• Provides confidentiality and authenticity

• Works with 128 bit block size
• Mandatory in 802.11i
• Adds one more block for confidentiality
• Counter mode lacks integrity. CCMP solves that problem.
DES – Data Encryption Standard
• DES
• 56 bit key
• 16 rounds of transposition and substitution
• Fixed 64 bit block size
• Double DES (DDES)
• Uses two 56 bit keys
• Message is encrypted by one key and re-encrypted by the second
• Was thought to provide 112 bit cipher but was successfully attacked by the
“meet-in-the-middle” analytic attack
• Triple DES (TDES)
• Input data is encrypted three times
• Strength depends on the mode of the operation picked and the number of
keys being used
• Effective key size is 168 bit
AES – Advanced Encryption Standard
• Based on Rijndael algorithm

• Developed by Daemen and Rijmen in 1998
• Block sizes: 128, 192, and 256
• Variable number of rounds
• Variable key size

Other Block Ciphers
• RC5 and RC6
• Blowfish
• Twofish
• CAST
• SAFER
• Serpent
RC-4
• Symmetric stream cipher
• Arbitrary key size
• Many applications
Strengths & Weaknesses – Symmetric
Ciphers
Strengths Weaknesses
• Fast • A different form of key
• Difficult to crack negotiation/ exchange/
• Algorithms and tools freely distribution must be used
available • Poor scalability
• Stream ciphers ensure highly • Limited security
efficient serial
communications • On noisy channels, error
• Block ciphers offer multiple correcting is a must
modes
Asymmetric Key Cryptography
• Diffie-Hellman, 1976
• Public key cryptography
• Uses a pair of mathematically related keys

• Private key
• Public key
Public Key Algorithms
• Ensures confidentiality
• Encrypting message with the receiver’s public key provides confidential
transmission of the message because the only key that can open the
message is the corresponding private key of the recipient
• Ensure proof of origin

• When a message is encrypted (signed) with the sender’s private key, the
recipient can verify the source of the message because the message can
only be opened with the sender’s public key
• Confidentiality and proof of origin

• Double encrypting a message with the private key of the sender and then
with the public key of the receiver will provide both confidentiality and proof
of origin
RSA Algorithm
• Rivest-Shamir-Adleman, 1977
• Encryption
• Digital signatures
• Key distribution
• Adjustable key size
• PKCS#1 is the implementation of the algorithm. Currently in V2.1
• How does it work?
• Find 2 prime numbers and call them p and q
• Multiply them and call the result n
• Choose a public value less than n relatively prime with (p-1) and (q-1) and
call it e
• Find d such that e*d=1 mod (p-1)*(q-1)
• Make n and e PUBLIC, and keep d, p and q SECRET
• To encrypt message m, ciphertext c = me mod n
• To decrypt, m = cd mod n
Other Algorithms
• Diffie-Hellman Key Exchange Protocol

• Perfect Forward Secrecy (PFS) – principle used in D-H that even if 2 private
keys are used in negotiating a secret value (shared secret), and one of
those private keys is later compromised, it will not be possible to determine
either the secret key or the other private key from the compromised private
key
• Diffie-Hellman Groups – determine the length of the base prime numbers
that will be used in calculating the key pairs.
• STS/Unified Diffie-Hellman – one weakness of D-H was the man-in-the-
middle attack. This led to development of the Station to Station (STS) key
agreement protocol by Diffie, Van Oorscht and Weiner in 1992.
• Menzies/Qu/Vanstone
• Elgamal – retired
• Elliptic Curve Cryptography (ECC) – fewer bits. Extremely slow
Knapsack Algorithms
• Merkle-Hellman knapsack
• Developed in 1978
• Chor-Rivest knapsack
• Developed in 1984 and revised in 1988
• Both schemes have been broken

Asymmetric Key Cryptography
Strengths Weaknesses
• Confidentiality/privacy • Computationally
• Access control intensive
• Authentication • Very slow
• Integrity
• Non-repudiation
Common Hash Functions
• Message Digest
• MD2, MD4, MD5
• Secure Hash Algorithm (SHA)
• SHA-1 (160 bit), SHA-256, SHA-384
• SHA-512 (best practice)
• SHA-3
• HAVAL
• RIPEMD
• Tiger
• WHIRLPOOL
Hash Function Characteristics
• Condensed representation of the message
• One-way function
• Non-linear relationship
• Hash calculated from whole, original message

Keyed Hashes (SALT)
• Basic hash can be intercepted and changed
• To solve that problem, mix a HASH algorithm with a pre-shared

key
• Adversary would need to know the key to create a collision
• Implemented in IPSec for integrity checking of both ESP

(Encapsulating Security Payload) & AH (Authentication
Header)
Digital Signatures
• (Asymmetric cryptography) + (Hash of message)

• Only authenticity and non-repudiation (not confidentiality)
• Legality – if the encryption is intact and the private key is held by the
rightful owner, it must be accepted by all parties in the transaction.
• American Bar Association has developed guidelines for accepting digital
signatures that have been adopted in some US states and other countries
• Not accepted globally for transactions and specifically not for high-
dollar/high-risk situations
• Examples
• DSA, RSA, Elgmal, Schnorr, ECC
Digital Signatures Uses
• E-commerce
• Non-repudiation of origin (with private key)
• Integrity of message (with private key encrypted hash)
• Software distribution (integrity and non-repudiation)
• Email and secure document distribution

Key Management Challenges
• Greatest challenge with secure cryptographic implementation is

the management of the keys. Keys must be kept secret. Yet,
they must be available when needed. Even OLD keys have to
be kept to decrypt old backup files or data.
• Key distribution
• Key storage
• Key change
• Expire – how long to use a key
Functions of Key Management
• Operations
• Dual control – require the active participation of 2 or more. No
one person can misuse.
• Threshold schemes – require more than one person to
successfully complete the task
• Key recovery
• Split knowledge – 2 or more people have info about the key.
Must be combined to work.
• Multi-party key recovery – break the key into 3 or more parts and
each part go to a different person.
• Escrow – Key held
• Creation
• Automated key generation – prevents user bias and provides quick
key production
• Truly random – only true random generators are things like radioactive
decay, noisy diodes, etc. Computers produce pseudo-random.
• Suitable length – generators must generate enough bits for a complete
key. Generating 64 bits and concatenating them does not make them
128.
• Key encrypting keys (KEK) – keys used to encrypt other keys. Care
must be taken to ensure that the data used to generate the KEK is
NOT related to the keys being produced.
• Distribution
• Out of band – does not guarantee security delivery, but it increases its
likelihood
• Public key encryption – most common solution
• Secret key construction – using D-H (or similar), exchange values online that
generate a new secret key
• Secret key delivery – using RSA (or similar), party encrypts secret key with receiving
party’s public key.
• Key distribution center – think Kerberos
• Certificates – used to distribute public keys
• Storage
• Trusted hardware – hardware evaluated (typically) by FIPS 140-2 or
Common Criteria
• Smartcard – non-volatile storage
Public Key Infrastructure (PKI)
• Binds people/entities to their public keys
• Prevent Man-in-the-Middle attack
• Public keys are published and are certified by digital signatures

Strong Cryptographic PKI Solutions
• Use evaluated solutions

• High work factor
• Publicly-evaluated cryptographic algorithms
• Training
• Import and export of cryptography
• Wassenaar Agreement – is an agreement between several countries
that governs the movement of cryptographic algorithms between those
countries. The restrictions are usually based on key length and
whether the product is commercially available
• Law enforcement issues
Certificates and CAs
• Certificates link a public key to its owner

• Classes of certificates
• Certification Authorities (CAs)
• Registration Authority (RA)
• Cross-certification
• Certificate Revocation Lists (CRLs)
• Online Certificate Status Protocol (OCSP)
• X.509
Domain Objectives
• Definitions
• History
• Uses
• Algorithms
• Implementations
Cryptanalysis
• Art and science of breaking codes

• Attack vectors
• Key
• Algorithm
• Implementation
• Data (ciphertext or plaintext)
• People – social engineering
• Assumptions
Brute Force Attack
• Trying all possible key combinations

• Two factors: cost and time
• Moore’s Law
• Processing speed doubles every 18 months for the same
price
• Advances in technology and computing performance will
always make brute force an increasingly practical attack on
keys of a fixed length
• Measured in MIPS per year – 1 computer running 1,000,000
calculations per second for a year
Brute Force Attack
Bits Number of keys Brute Force Attack Time Bits Number of keys Brute Force Attack Time
56 7.2 x 10^16 56 7.2 x 10^16 20 hours
80 1.2 x 10^24 80 1.2 x 10^24 54,800 years
128 3.4 x 10^38 128 3.4 x 10^38 1.5 x 10^19 years
256 1.15 x 10^77 256 1.15 x 10^77 5.2 x 10^57 years
• Data shown is as of 1998 when “Deep Crack” was used in RSA DES
challenge.
• Cost $250,000 to build. Today the same thing can be done for under
$10,000.
• With today’s tech, can break DES in 8.7 days or less for under $10,000.
Plaintext Attacks
• Known plaintext attack – attacker has both the plaintext and

ciphertext. Uses analysis to try to determine key.
• Chosen plaintext attack – attacker has access to the crypto

machine. Runs plaintext through machine to get encrypted
data. Uses statistical information to try to determine key.
• Adaptive chosen plaintext attack – attacker has encryption

device for more than one message. Patterns may emerge if
the attacker puts similar texts into the device
Ciphertext Attacks
• Ciphertext only – assume attacker has samples of encrypted text

but not the algorithm, key or system. Most difficult attack because
the attacker has the least to work with.
• Chosen ciphertext attack – attacker has access to ciphertext and

system used to generate. Attacker can run pieces of ciphertext
through to obtain the plaintext. Leads to Known Plaintext Attack or
Differential or Linear Cryptanalysis attack.
• Adaptive chosen ciphertext attack – attacker has access to the

cryptosystem and can now modify and run ciphertext through the
system to see what the effect of the modification is on the plaintext.
Attack Against Ciphers
• Stream
• Frequency analysis – knows characteristics of plaintext language
• IV or keystream analysis – examines large numbers of generated IVs for
weaknesses, statistical biases, etc.
• Block
• Linear cryptanalysis – large amounts of plaintext and associated ciphertext to
find info about the key
• Differential cryptanalysis – 2 or more similar plaintexts are encrypted using
same key and compared
• Linear-differential cryptanalysis – combo of linear and differential
• Algebraic attacks – examines the algorithm
• Frequency analysis – uses the statistics of the language to break a ciphertext
Attacks Against Hash Functions
• Dictionary Attacks
• Based on known lists of common words
• Birthday attacks – group of 23 people, 50% chance 2 will have same birthday.
60 people, 99% chance. Relevant because it describes the amount of effort that
must be made to determine when 2 randomly-chosen values will be the same
(collisions). Weak hash causes many collisions
• Attack the hash value

• Attack the initialization vector
• Rainbow table attacks

• Hash reductions
• Salts
Social Engineering
• Persuasion
• Coercion (rubber-hose cryptanalysis)
• Bribery (purchase-key attack)

Other Common Attacks
• Meet-in-the-Middle
• Mathematical analysis that attacks a problem from both ends and
attempts to find the solution by working toward the center of the
operation from both sides.
• Man-in-the-Middle
• Attacker intercepts and modifies the data before transmitting to
intended person.
• Poor Random Number Generation

Domain Objectives
• Definitions
• History
• Uses
• Algorithms
• Implementations
Common Secure Email Protocols
• Privacy Enhanced Mail (PEM)

• Uses DES in Cipher-Block-Chaining (CBC) mode for confidentiality
• Can also use Electronic Code Book (ECB) or 3DES for key
management
• For message integrity it uses either MD2 or MD5 hash
• Not compatible with Multipurpose Internet Mail Extensions (MIME) so
not often used
• Pretty Good Privacy (PGP)
• Uses symmetric and asymmetric key cryptography
• Can use RSA, D-H, and Elgamal for asymmetric key
• Secure Multipurpose Internet Mail Extensions (S/MIME)
• De facto standard for email privacy
Internet Security
• Uses
• Remote Access
• VPNs
• E-commerce
• Tools
• IPSec
• SSL/TLS
• Secure HTTP
• TLS
Cryptography Domain Summary
• Definitions
• History
• Uses
• Algorithms
• Implementations
Information Security Governance
and Risk Management
Domain Objectives
• Business Drivers
• Governance
• Roles and Responsibilities
• Security Planning
• Security Administration
• Risk Management
• Ethics
Information Security Environment
• Organizations must contend • Overarching Organizational

with complex laws, regulations, Policy
requirements, technology, • Management’s Security
competitors and partners while Statement
pursuing their business
objectives.
• Management must take many • Regulations
things into account including • Competition
moral, labor relations,
productivity, cost, etc. • Organizational Objectives
• Must develop an effective • Organizational Goals
security program • Laws
• Shareholders’ Interests
Information Security Triad
• Security planning
• Budget
• Business requirements
• Security metrics
Domain Objectives
• Governance
• Risk Management
• Ethics
Roles and Responsibilities
• Specific
• Delegate certain responsibilities for security to individuals
• Define acceptable and unacceptable behavior
• General
• Rules that let everyone know they are responsible for security
• Communicated at hiring
• Tell new hires the rules and consider annual review
• Verified capabilities and limitations
• Access to resources defined by job
• Third-party considerations
• Brief vendors, temps, contract staff on security requirements
• Good practices
• Keep it simple, relevant, understandable and communicate
• Reinforced via training
• Annual security training
Internal Roles
• Executive management
• set policy, allocate budget
• Board level
• “C” level
• Information systems security professionals
• advise management
• Developers
• create secure code
• Custodians and Operations staff
• Custodians – care of data
• Ops – run the computers
Internal Roles
• Security staff
• Data and system owners
• Classify
• Access permissions
• Users
• Task as assigned
• Legal, compliance, and privacy officer
• Inform/implement laws/regs
• Internal auditors
• Check on procedures
• Physical security
• Is IT or traditional security responsible
External Roles
• Vendors/suppliers
• Contractors/consultants
• Service level agreements
• Temporary employees
• Customers
External Roles
• Business partners
• Outsourced relationships
• Outsourced security
• External audit
Human Resources
• Employee development and training
• Employee management
• Hiring and termination of employment

Hiring New Staff
• Background checks/security clearances
• Verify references and education records

Signed Employment Agreements
• Acceptable use
• Non-disclosure
• Non-compete
• Ethics
Personnel Good Practices
• Job descriptions/defined roles and responsibilities
• Least privilege
• Need to know
• Job rotation
• Mandatory vacations
Security Awareness, Training, and Education
• Awareness Training
• Delivery methods General knowledge
• Topics
• Job training
• Task based
• Professional education
• Understanding
Good Training Practices
• Be relevant
• Scope properly
• Address the audience

Domain Objectives
• Governance
• Risk Management
• Ethics
Documented Security Program
• Focus on the mission of the Promiscuous 1

organization
• Organizations are different Permissive
• Cost effective/risk based

Prudent
Paranoid 10
Documented Security Program
• Strategic
• Long term planning
• Decide on job to do
• Tactical
• Medium term planning
• Manage jobs being done
• Operational
• Day to day operations
• Job being done
Security Program Management
• Staffing
• Not just workers but look at management
• Evaluate numbers needed
• Reporting
• Make sure everyone knows who they are to report to.
Understand chain of command/reporting
Security Blueprints
• Identify and design security requirements
• Infrastructure security blueprints
• Holistic
• By Scott Berinato and Sarah Scalet:
• “Holistic security means making security part of everything
and not making it its own thing. It means security isn’t added
to the enterprise; it’s woven into the fabric of the application.
Here’s an example. The non-holistic thinker sees a virus
threat and immediately starts spending money on virus-
blocking software. The holistic security guru will set a policy
around e-mail usage; subscribe to news services that warn
of new threats; re-evaluate the network architecture; host
best practices seminars for users; and use virus blocking
software and, probably, firewalls.” (www.cio.com)
ISO/IEC 27000 Series = ISMS Blueprints
• 27000:2009 – Overview and vocabulary

• 27001:2005 – Attainable certification
• 27002:2005/Cor 1:2007 – Code of practice
• 27003:2010 – ISMS implementation guidance
• 27004:2009 – Information security measurement
• 27005:2008 – Information security – risk management
• 27006:2007 – Certification vendor process
• 27799:2008 – Information security for health care
organizations
• ISO 27000 = IT Risk Management

IT Security Requirements
• Complete Security Solutions
• Define security behavior of the control measure
• What is the problem you are trying to solve?
• Provide confidence that security function is performing as
expected
• Does it solve the problem?
• Does your solution

• Solve the problem (best)
• Move the problem (good)
• Make it worse (bad)
Single Point of Failure
• Identify the processes
• Identify risks to the plan

• Who has too much control
• Be prepared
Domain Objectives
• Governance
• Risk Management
• Ethics
Security Policy
• Management’s goals and objective IN WRITING
• Documents compliance
• Creates security culture

Examples of Functional Policies
• Data classification • Privacy

• Certification and accreditation • Acquisition
• Access control • Change control
• Outsourcing • Employment agreements,
• Remote access ethics
• Internet acceptable use
• IMPORTANT
• Say what to do NOT how to do it
Procedures
• Step by step actions
• Required
Policy
• Be detailed Standard Baseline Procedures Guideline
Risk Incident Identity Software

Assessment Management Management Installation
Standards
• Common hardware and software products
Policy
Standard Baseline Procedures Guideline
Desktop Antivirus Firewall
Be decisive. Will say something like:

• We [verb]
• We drug test
• We use Norton AV software
Baselines
• Establish consistent implementation of mechanisms

• Platform unique
• Know minimum and understand what is normal
Policy
VPN IDS Password

Setup Configuration Rules
Guidelines
• Recommendations for implementations, procurement

and planning
Policy
Best
Recommendations ISO
Practices
Good Policy?
Area IV Buddy System Policy
THE AREA IV COMMANDER HAS DICTATED THAT ALL MILITARY

SERVICE MEMEBERS WILL USE THE “BUDDY SYSTEM” AT ALL
TIMES, WITH THE EXCEPTION BELOW WHEN OFF A MILITARY
INSTALLATION.
THE “BUDDY SYSTEM” IS NOT REQUIRED, BUT HIGHLY

RECOMMENDED FOR PERSONNEL TRAVELING DIRECTLY TO AND
FROM THEIR DOMICILE
ALL PERSONNEL WILL CARRY A S.O.F.A AND AN EMERGENCY

TELEPHONE NUMBER CARD AT ALL TIMES.
LOCAL COMMANDERS MAY ENACT MORE STRINGENT MEASURES.
BY ORDER OF THE AREA IV COMMANDER

Domain Objectives
• Governance
• Risk Management
• Ethics
Risk Management Overview
• Identifying and reducing total risks
• Choosing mitigation strategies
• Setting residual risk at an acceptable level
• Integrating risk management processes into the organization
(Total risk) – (countermeasures) = (residual risk)

Risk Management Purpose
• The principal goal of an organization’s risk

management process should be to protect the
organization and its ability to perform its mission.
Including, but not limited to its IT assets.
• Risk is a function of the likelihood of a given threat

exercising a particular vulnerability and the resulting
impact of that adverse event on the organization.
Risk Management Benefits
• Focuses policy and resources
• Identifies areas with specific risk requirements
• Directs budget
• Supports
• Business continuity process
• Insurance and liability decisions
• Legitimizes security awareness programs
Risk Management Definitions
• Asset – something that is of value to the organization

• Threat-source/agent – any circumstance or event with
the potential to cause harm to an IT system.
• Threat – any potential danger to information or an
information system
• Exposure – an opportunity for a threat to cause loss, or
the amount of loss suffered as a result of an attack
• Vulnerability – flaw or weakness in system security
procedure, design, implementation, etc.
• Likelihood – probability that a potential vulnerability
happens
Risk Management Definitions
• Attack/Exploitation – action intending to cause harm

• Controls – admin, technical or physical measures and
actions taken to try to protect system
• Countermeasures – controls applied after the fact;
reactive in nature
• Safeguards – controls applied before the fact;
proactive in nature
• Total Risk – included the factors of threats,
vulnerabilities, and current value of the asset
• Residual Risk – amount of risk remaining after
countermeasures and safeguards are applied
Risk Assessment Steps: SP 800-30
1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation
Risk Assessment – Asset Valuation
• Tangible assets
• Can buy/sell
• Hardware, software, facilities, documentation,
customer lists, and intellectual property
• Intangible assets
• Personnel, reputation/brand, and moral
Information Valuation Considerations
• Exclusive possession
• Utility
• Cost to acquire or create
• Liability
• Convertibility
• Operational impact
• Timing
Information/Risk Valuation Methods
• Modified Delphi
• Facilitated sessions
• Survey
• Interview
• Checklist
Quantitative Risk Analysis
• Assign Monetary values

• Labor and time intensive
• Difficult to achieve
• 100% quantitative is impossible. Why? There

are always QUALITATIVE issues.
RISK = MONEY
Quantitative Analysis Steps - Overview
1. Estimate potential losses – single loss expectancy

(SLE)
2. Conduct a threat likelihood analysis

• Annualized rate of occurrence (ARO)
3. Calculate annual loss expectancy (ALE)

Step One: Estimate Potential Losses
Single Loss Expectancy (SLE)
SLE = AV ($) x EF (%)
AV (Asset Value)
EF (Exposure Factor)
Step Two: Threat Likelihood Analysis
Annual Rate of Occurrence (ARO)
• Number of exposures or incidents that can be

expected in a given year
• Likelihood of an unwanted event occurring
Step Three: Calculate ALE
Annual Loss Expectancy (ALE)
ALE = SLE * ARO
• Magnitude of risk = ALE

• Purpose: Justify security countermeasures
Qualitative Risk Analysis
• Scenario oriented
• No $ values
• Rank seriousness of threats and sensitivity of assets
• Perform a carefully reasoned risk assessment

Hybrid Risk Analysis
• Quantitative
• Qualitative
• FMEA (failure modes and effects analysis)
• Risk assessment originally concerned with manufacturing
defects
• Focuses on the upstream and downstream impact of a
failure
• Defines risk in immediate, near-term and long-term impact
• FTA (fault tree analysis)
• Analytical technique for system safety
• Used to consider all possible threats and then “trim” down to
the most relevant risks
Risk Management Options
• Acceptance = Absorb the effect of an incident
• Mitigation = Implement controls
• Transference = Insurance
• Avoidance = Stop it
Security Control Selection Principles
• Cost/benefit analysis
• Don’t spend more to protect than it is worth
• Accountability
• At least one person for every control
• Include accountability in performance reviews
• Absence of design secrecy
• Ability to change out the controls at some time in
the future without having extraordinary cost to
rework, interoperability with other controls,
confidence in the design
• Audit capability
• Controls must be testable
• Include auditors in design and implementation
• Vendor trustworthiness
• Independence of control and subject
• Universal application
• Compartmentalization
• Defense in depth
• Isolation, economy, and least common mechanism

• Acceptance and tolerance of personnel (pushback)
• Minimum human intervention
• Sustainability
• Reaction and recovery
• Override and fail-safe defaults
• Residuals and reset

Risk Evaluation and Assurance
• Cyclical nature of risk – U.S. and EU regulatory bodies have

mandated risk management as a business process. Frequency for re-
evaluation is based upon the speed of change in each industry or
organization
• Ongoing review
• Periodic review
• Liability – management has the responsibility of remaining informed

about risk management activities and to make the final decisions. If they
fail to do so, they are potentially in violation of regulatory or industry
standards. This is one of the reasons why internal auditors should report
directly to senior executives rather than through the normal chain of
command.
Domain Objectives
• Governance
• Risk Management
• Ethics
Ethical Environments
• Ethics are difficult to define

• Do No Harm
• Begins with senior management
• Guidelines for Establishment of Ethics
• Corporate ethics to include ethical use of computers
• In functional policies (privacy, email, acceptable use, etc)
• Active monitoring of network activities combined with responsible investigation of incidents
and enforcement
• Handbooks and guides
• Training
• Reviews
Ethical Responsibility
• Global responsibility
• National
• Organizational
• Personal
Ethical Responsibility of all CISSPs
• “Set the Example” *********
• Encourage adoption of ethical guidelines and standards
• Inform users about ethical responsibilities through security

awareness training
Basis and Origin of Ethics
• Religion
• Law
• National interest
• Individual rights
• Common good/interest
• Enlightened self-interest
• Professional ethics/practices
• Standards of good practice
• Tradition/culture
Formal Ethical Theories
• Teleology (Star Trek – needs of the many)

• Ethics in terms of goals, purposes, or ends
• Deontology (duty of most powerful to protect least powerful)

• Ethical behavior is a duty
• Informed consent – notified and agree

Relevant Professional Codes of Ethics
• (ISC)²
• RFC 1087
• Internet Architecture Board

(ISC)² Code of Ethics Preamble
• “Safety of the commonwealth, duty to our principals, and to

each other requires that we adhere, and be seen to adhere, to
the highest ethical standards of behavior.”
• “Therefore, strict adherence to this code is a condition of

certification.”
(ISC)² Code of Ethics Canons
• “Protect society, the commonwealth, and the infrastructure.”
• “Act honorably, honestly, justly, responsibly, and legally.”
• “Provide diligent and competent service to principals.”
• “Advance and protect the profession.”
In that order
Internet Architecture Board (IAB)
Any activity is unethical and unacceptable that purposely:
• Seeks to gain unauthorized • Destroys the integrity of

access to Internet resources computer-based information
• Disrupts the intended use of • Compromises the privacy of
the Internet users
• Wastes resources (people, • Involves negligence in the
capacity, computer) through conduct of Internet-wide
such actions experiments
RFC 1087
• Access and use of the Internet is a PRIVILEGE and

should be treated as such by all users
• RFC 1087 refers to “Negligence in the conduct of Internet-

wide experiments” as “irresponsible and unacceptable,”
but does not specifically label such conduct “unethical”.
• Internet Engineering Task Force (IETF)

• http://www.ietf.org/
Information Security Governance and
Risk Management
Domain Summary
• Governance
• Risk Management
• Ethics
Legal, Regulations,
Investigations, and Compliance
Domain Objectives
• Computer Crime and International Legal Issues

• Liability and Privacy Issues
• Incident Management
• Forensic Investigation
• Compliance
International Legal Systems
• Common law
• Criminal law
• Civil law
• Administrative law
• Religious law
• Customary law
• Mixed law
• Maritime law
Jurisdiction
• Law, economics, beliefs and politics

• Law enforcement agencies will work together, even cross borders. But
sometimes countries don’t agree.
• Sovereignty of nations
• Laws aren’t always the same country to country. Nations are making an
effort to harmonize their laws in order to promote uniform enforcement and
cooperation where possible.
Computer Crimes vs. Traditional Crimes
Traditional Crime Computer Crime

• Violent • Real property
• Property • Virtual property
• Public order
Computer Crime
• Crime against a computer
• Crimes using a computer
• Electronic equipment as source of evidence

Reasons for Criminal Behavior
• Ego
• Financial gain
• Revenge
Advanced Persistent Threat (APT)
• Source – group with capabilities and intent to persistently and

effectively target a specific entity
• Attack vector – infected media, supply chain compromise,

social engineering, etc.
• Advanced – have full spectrum of intelligence gathering

techniques at their disposal
• Persistent – priority to a specific task. Implies that they are

guided by external entities.
• Threat – capability and intent. Coordinated human action

instead of automation, specific objective. Skilled, motivated,
organized and well funded
International Cooperation
• Initiatives related to international cooperation in dealing

with computer crime
• The Council of Europe (CoE) Cybercrime Convention

• Example of multilateral attempt to draft an international response to
criminal behaviors targeted at technology and the Internet.
Intellectual Property Protection
• Organizations must protect intellectual property

• Theft
• Loss
• Corporate espionage
• Improper duplication
• Intellectual property must have value

• Organization must demonstrate actions to protect IP
Intellectual Property: Trademark
• Purpose of a trademark
• Characteristics of a trademark
• Word
• Name
• Symbol
• Color
• Sound
• Product shape
Intellectual Property: Copyright
• Covers the expression of ideas

• Writings
• Recordings
• Computer programs
• Etc.
• Weaker than patent protection

Intellectual Property: Trade Secrets
• Must be confidential
• Protection of trade secret

Intellectual Property: Software Licensing
• Categories of software licensing:

• Freeware
• Shareware
• Commercial
• Academic
• Master agreements and end user licensing agreements

(EULAs)
Encryption Import and Export Law
• Strong encryption restrictions
• Previously anything over 40 bits was considered strong encryption
• U.S. companies can now export any encryption software to
individuals, commercial firms or other non-government end users in
any country
• No enemy states
• Many countries require the importer of equipment containing strong
cryptography to provide the government or law enforcement with a
copy of their private keys.
• Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
• Controls on dual-use goods
• Cryptography has long been considered a munition or weapon of
war. Can be used for commercial or military purposes, therefor
considered dual-use and protected as a military weapon
• Wassenaar Arrangement
• 39 countries are parties to the agreement which specifies all
controlled dual-use goods, including encryption products and
products that use encryption
Domain Objectives

• Compliance
Liability
• Legal responsibility
• Know responsibilities to employees, customers, etc.
• Penalties
• Can range from compensation to criminal penalties for violation
of law
• Negligence and liability

• Important factor in determining liability
• Determined by courts or other quasi-legal body
Protection of Assets
• Legal obligation
• Prudent person rule
• Must demonstrate practice of due care

Negligence
• Acting without care
• Due care
Negligence = Gap
Regulation or
Best Practice
Due Care = Policy
Negligence = Gap
Due Diligence =
Action
Privacy Laws and Regulations
• Rights and Obligations of:
• Individuals
• Identity theft
• Organizations
• Collection, sharing, storage, processing of personal info
• Actual laws depend on jurisdiction

International Privacy
• Organization for Economic Co-operation and Development
• Group of 30 member countries
• Eight core principles
1. Limits to collection of personal data and should be obtained legally
2. Personal data should be relevant to use
3. Purpose for gathering personal data should be specified no later than the time the
data is collected
4. Personal data should not be disclosed, made available, or otherwise used for
purposes other than specified above
5. Personal data should be protected by reasonable security
6. General policy of openness about developments, practices and policies with
respect to personal data
7. Individual should have the right to find out if data controller has data about
him/her. To have communication with data controller about data relating to
him/her. And to be able to challenge data and if successful have the data erased,
rectified, completed or amended.
8. Data controller should be accountable for complying with measures
Personally Identifiable Information (PII)
• Identify or locate an individual
• Controls on collection and use

• Many countries have laws governing this
• Global effect
• Laws are different in each country. What laws govern?
Employee Privacy
• Employee monitoring
• Authorized usage policies
• Training
Transborder Data Flow
• Political boundaries
• Privacy
• Investigations
• Jurisdiction
Privacy Law Examples
• Health Insurance Portability and Accountability Act

(HIPAA)
• Personal Information Protection and Electronic

Documents Act (PIPEDA)
• European Union Data Protection Directive

Domain Objectives

• Compliance
Incident Management
• Incident – event that causes harm
Protect
Prepare
Sustain Protect
Improve Infrastructure
Respond
Detect
Incident Response: Overview
• Response capability
• Policy and guidelines
• Response
• Incident response phases
• Triage
• Containment
• Investigation
• Analysis and treatment
• Recovery
• Debriefing
• Metrics
• Public disclosure
Incident Response: Objectives
• Incident response in its simplest form is the practice of:
• Detecting a problem
• Determining its cause
• Minimizing the damage it causes
• Resolving the problem
• Documenting each step of the response for future reference
• Effectively and appropriately communicating issues
Response Capability
• The foundation for incident response (IR) is comprised of:
• Policy
• Authority
• Procedures
• Approved
• Management of evidence
Incident Response – External Parties
• Escalation process
• Employees should be trained and have approved procedures that
include when an incident or crime must be reported to higher
management, outside agencies or law enforcement
• Interaction with third-party entities

• Complex issues involving:
• Jurisdiction (who has control)
• Status of crime (already committed, in progress, or planned)
• Nature of the evidence (circumstantial, conclusive)
• Nature of the crime (in many jurisdictions, some crimes MUST be
reported)
Incident Response and Handling Phases
• Triage
• Investigation
• Containment
• Analysis and tracking

Triage
• Detection
• False positives
• Classification
• Internal versus external
• One system or many
• What is the root cause versus the symptoms
• Notification
• Priorities and escalation
• Senior management or other departments
• Business partners
• Law enforcement
• Note: Prioritization is one of the most important aspects

Investigation Phase Objectives
• Desired outcomes of this phase are:
• Reduce the impact

• Identify the cause
• Get back up and running in the shortest possible time
• Prevent the incident from re-occurring
Investigation Considerations
• The investigative phase must consider:
• Adherence to company policy

• Confidentiality
• Applicable laws and regulations
• Proper evidence management and handling
Investigation Process
• Identify suspects
• Identify witnesses
• Identify system
• Identify team
• Search warrants
Investigation Techniques
• Ownership and possession analysis
• Means, opportunity, and motive (MOM)

Behavior of Computer Criminals
• Computer criminals have specific MOs

• Hacking software/tools
• Types of systems or networks attacked, etc.
• Signature behaviors
• Profiling
Interviewing vs Interrogation
Open-ended Questioning Closed-ended Questioning

• General gathering • Specific aim
• Cooperation • Hostile
• Seek truth • Dangerous
• Should only be done by

TRAINED professionals
Investigation Phase Components
• Components of this phase:
• Analysis
• Interpretation
• Reaction
• recovery
Containment
• Reduce the potential impact of the incident

• Systems, devices, or networks that can become “infected”
• The containment strategy depends on:

• Category of the attack
• Asset(s) affected
• Criticality of the data or system
Analysis and Tracking Goals
• Obtain sufficient information to stop the current incident
• Prevent future “like” incidents from occurring
• Identify what or who is responsible

Analysis and Tracking Logs
• Dynamic nature of the logs
• Feeds into the tracking process
• Working relationship with other entities

Reporting and Documentation
• Law
• Court proceedings
• Policy
• Regulations
Recovery Phase Goal
• To get back up and running

• The business (worst case)
• Affected systems (best case)
• Protect evidence
Recovery and Repair
• Recovery into production of affected systems
• Ensure system can withstand another attack

• Test for vulnerabilities and weaknesses
Closure of the Incident and Feedback
• Incident response is an iterative process
• Improve processes and controls
• Closure of the incident
• Feedback from all participants

Communication about the Incident
• Public disclosure
• Authorized personnel only

Domain Objectives

• Compliance
Computer Forensics: Evidence
• Potential evidence
• Digital Forensic Science Research Workshop (DFRWS) defines digital
forensic science as – “The use of scientifically derived and proven methods
toward the preservation, collection, validation, identification, analysis,
interpretation, documentation and presentation of digital evidence derived
from digital sources for the purpose of facilitating or furthering the
reconstruction of events found to be criminal, or helping to anticipate
unauthorized action shown to be disruptive to planned operations.”
• Evidence and legal systems
• Computer forensics is generally applied according to the standards of
evidence admissible in a court of law
Computer Forensics: Evidence
• Identification of evidence
• Collecting of evidence
• Use appropriate collection techniques
• Reduce contamination
• Protect the scene
• Maintain the chain of custody and authentication
Collection of Digital Evidence
• Volatile and fragile
• Short lifespan
• Collect quickly
• By order of volatility
• Document, document, document

Chain of Custody for Evidence
• Who
• What
• When
• Where
• How
Forensic Evidence Procedure
• Receive media
• Disk write blocker
• Bit for bit image
• Cryptographic checksum
• Store the source drive

Evidence: Hearsay
• Hearsay
• Second-hand evidence
• Normally not admissible
• Business records exception

• Computer-generated information
• Process of creation description
• Can you cross examine it?

Evidence Analysis and Reporting
• Scientific methods for analysis

• Characteristics of the evidence
• Comparison of evidence
• Event reconstruction
• Presentation of findings
• Interpretation and analysis
• Format appropriate for the intended audience
Computer Forensics
• Key components
• Computer forensics is not a piece of software or hardware. It is a set of
procedures and protocols. Methodical, Repeatable, Defensible, Auditable
• Crime scenes
• Digital evidence
• Non-criminal cases
• Divorce, breach of contract, dissolution of corporation or partnership,
embezzlement, personal injury, etc.
Forensic Evidence Analysis Procedure
• Recent activity
• Keyword search
• Slack space
• Documented
Media Analysis
• Recognizing operating system artifacts

• Types of files created as the system runs
• Where they should be
• What their contents are likely to be
• File system
• Timeline analysis
• Modified
• Accessed
• Created
• Searching data
Software Analysis
• What is does
• What files it creates

Network Analysis
• Data on the wire
• Ports
• Traffic hiding
Domain Objectives

• Compliance
Compliance
• Knowing legislation
• Following legislation
Regulatory Environment Examples
• Sarbanes-Oxley (SOX)
• Meant to enhance corporate governance through measures that will
strengthen internal checks and balances and, ultimately, strengthen
corporate accountability.
• Gramm-Leach-Bliley (GLB)
• Protects the privacy of consumer information held by financial institutions
• Basel II
• Regulatory harmony in the international banking community
Compliance Roles and Responsibilities
• Information owner
• Local manager
• Auditor
• Individual
Audit Report Format
• Introduction
• Background
• Audit perspective
• Scope & objectives
• What was done
• Executive summary
• Internal audit opinion
• Detailed report including auditee responses
• Appendix
• Exhibits
Legal, Regulations, Investigations, and
Compliance Domain Summary

• Compliance
Operations Security
Domain Objectives
• Operator and Administrator Security

• Monitoring of Special Privileges
• Misuse of Resources
• System Recovery
• Resource Protection
• Environmental Issues and Controls
• Media Management
• Personnel Privacy and Safety
Control Over Privileged Entities
• Review of access rights
• Supervision
• Monitoring/audit
Operator Privileges
• Initial program load (IPL)

• Monitor system execution
• Control job flow
• Mount I/O volumes
• Bypass label processing (BLP)
• Renaming/relabeling resources
• Reassigning ports/lines
Administrators
• Systems administrators
• Network administrators
• Database administrators
Administrator Privileges Summary
• Control network operations

• Server startup and shutdown
• Reset system configurations
• Backups
• System maintenance
• Customer service
• Network administrator duties

Backup Types
• File image
• System image
• Data mirroring
• Electronic vaulting
• Remote journaling
• Database shadowing
• Redundant servers
• Standby services
Software and Data Backup
• Operations controls must ensure adequate backups of:
• Data
• Operating Systems
• Applications
• Transactions
• Configurations
• Reports
Backup Integrity
• Backup storage locations
• Backups must be tested
• Alternate site recovery plan

• Site specific software
RAID – Redundant Array of Independent
Disks
• Hardware based
• Software based
• Hot Spare
• Global Hot Spare (all disk in array)
• Dedicated Hot Spare (individual disk in array)
RAID Level 0
• Striping
• Two or more disks
• No redundancy
• Performance only
RAID Level 1
• Exact copy (mirror)
• Two or more disks
• Fault tolerant
• 200% cost
RAID Level 2
• Striping of data with error correcting codes (ECC)
• Requires more disks than RAID 3/4/5
• Not used
RAID Level 3/4
• Byte/block level stripes

• 1 drive from parity
• All other drives are for data
Stripe 1A Stripe 1B P(1A, 1B)

Stripe 2A Stripe 2B P(2a, 2B)
Disk A Disk B Parity

RAID Level 5
• Block-level stripes
• Data and parity interleaved amongst all drives
• The most popular RAID implementation

P(2B, 2C) Stripe 2B Stripe 2C
Stripe 3A P(3A, 3C) Stripe 3C
Disk A Disk B Disk C

RAID Level 6
• Block-level stripes
• All drives used for data AND parity
• Two parity types
• Higher costs
• More fault tolerant than RAID implementations 2 - 5
RAID Level 0+1
• Mirroring and striping

• Higher cost RAID 0+1
RAID 1
• Higher speed
RAID 0 RAID 0
A1 A2 A1 A2
A3 A4 A3 A4
A5 A6 A5 A6
A7 A8 A7 A8
RAID Level 10
• Mirroring and striping

• Higher cost RAID 10
RAID 0
• Higher speed
RAID 1 RAID 1
A1 A1 A2 A2
A3 A3 A4 A4
A5 A5 A6 A6
A7 A7 A8 A8
Configuration Management Elements
• Hardware inventory
• Hardware configuration chart
• Software licensing management
• Firmware
• Documentation requirements
• Testing
Hardware Inventory
• Up-to-date listing of all equipment
• Location
• Owner
• Serial and model numbers
Change Control Management
• Policy
• Business and technology balance
• Defines a process for authorized change

• Process of changes
• Ownership of changes
• Changes are reviewed for impact on security

Patch Management
• Knowledge of patches
• Know when patches for all software you own are released by
the vendor
• Testing
• Test all patches, and new software, in a test environment prior
to going live
• Deployment
• Can be challenging. Should be automated to insure no
machine is missed.
• Zero-day challenges
• Vulnerable time between patch pushed out and able to apply
Software Issues
• Pirating software
• Version control
Job Documentation
• Scheduling
• Dependencies
• Error codes
• Inputs and outputs
• Backout procedures
Security Administrator Roles
• Policy
• Development
• Implementation
• Maintenance and compliance
• Vulnerability assessments
• Incident response
Security Administrator Responsibilities
• User-oriented activity management
• Information classification implementation
• Audit log monitoring and review
• Security tool oversight and management

Domain Objectives

• System Recovery
Misuse Prevention
Threats Countermeasures
Personal Use Acceptable use policy, workstation controls, web content
filtering, and email filtering
Theft of Media Appropriate media controls
Fraud Balancing of input/output reports, separation of duties, and
verification of information
Sniffers Encryption and policy
Domain Objectives

• System Recovery
System Recovery – Trusted Recovery
• Correct implementation according to Policy
• Failures don’t compromise a system’s secure operation
• Trusted path
Types of Trusted Recovery
• System Reboot – shutting down computer in a normal fashion

after a failure
• Emergency System Restart – done when a system fails in

an uncontrolled manner. Media may be in an inconsistent state.
System enters maintenance mode, automatically performs
recovery, and system restarts with no user processes in progress.
• System Cold Start – system fails and cannot restart without

human intervention
Control Failure Modes
• Fail secure (fail closed)
• Fail soft (fail open)
• Fail safe (fails in a way that will cause no or minimal

harm)
Fault Tolerance
• Hardware failure is planned for
• System recognizes a failure
• Automatic corrective action
• Standby systems
• Cold – configured, not on, lost connections
• Warm – on, some lost data or transactions (TRX)
• Hot – ready, failover
Domain Objectives

• System Recovery
Facility Support Systems
• Fire protection
• HVAC
• Electrical power goals

• UPS
• Water
• Communications
• Alarm system
Domain Objectives

• System Recovery
Media Management Practices
• Sensitive Media Controls
• Marking
• Labeling
• Handling
• Storing
• Declassifying
Media Management
• Tapes
• Storage
• Encryption
• Retrieval
• Disposal
Object Reuse
• Securely reassigned
• Disclosure
• Contamination
• Recoverability
Clearing of Magnetic Media
• Overwriting
• Degaussing
• Data remanence
• Physical destruction
Records Management
• Considerations for records management program

development
• Business need
• Guidelines for developing a records management program
• Records retention
• Declassification
• Legal requirements
• Privacy
• Absent law or regulation to the contrary, a business can set

any retention policy it wishes
Protection of Operational Files
• Library maintenance – protect production programs and

applications as well as data
• Backups
• Source code
• Object code
• Configuration files
• Librarian - sole person with write access to the main system

files, backups and application libraries. Should never be filled by
a developer or person initiating the change request
Domain Objectives

• System Recovery
Personnel Privacy and Safety – Mobile
Computing
• Components
• Devices
• Limitations (e.g. privacy, safety, etc.)
• Mobile device management

Personnel Privacy and Safety – Social
Networks
• Social networks
• Connection services
• Social dynamics
• Storage of data
• Potential dangers
Operations Security Domain Summary

• System Recovery
Physical (Environmental) Security
Domain Objectives
• Physical Security Threats and Controls

• Perimeter Security
• Building and Inside Security
• Secure Operational Areas
Goals of Physical Security
• Deter would be intruders

• Delay long enough to detect and respond before
damage occurs
• Detect in a timely manner
• Assess method of attack
• Respond appropriately without overreacting
• Recovery to normal operating status
The Primary Goal
Remember that life, health, and

safety are always the first
priorities in physical security!
Threats to Physical Security
• Natural/environmental
• History of natural disasters in the area
• Utilities
• Communications outages, power outages, etc.
• Circumstantial
• Fire or break-in at a neighboring building, strike at a critical
point in supply chain, etc.
• Human-made/political events
• Explosions, vandalism, theft, terrorist attacks, strikes, activism,
riots, etc.
Threat Sources
• External activists
• Staff
• Intelligence agents/foreign governments
• Petty criminals
Threat Sources and Controls
Threat Controls
• Theft • Locks
• Espionage • Background checks
• Dumpster diving • Disposal procedures
• Social engineering • Awareness
• Shoulder surfing • Screen filters
• HVAC access • Motion sensors in ventilation
ducts
Facility Vulnerabilities
• Location
• Layout and design
• Age and condition

Location Security Considerations
• Emergency services
• Fire
• Security
• Visibility
• Controlled access
• public transit
Countermeasures and Controls
• Environmental controls may be:

• Physical
• Administrative/managerial
• Technical
• Layered defense/defense in depth

Crime Prevention Through
Environmental Design (CPTED)
• Principle of deterring crime through managing the potential
crime scene
• Territoriality
• Restricted access
• Surveillance
• Monitoring
• Access control
• Entrances
• Maintenance
Domain Objectives

Perimeter and Building Boundary
Protection
• First line of defense
• Protective barriers
• Natural
• structural
Fences
• May be restricted by local regulations

• Inspections
• Parking should not be allowed near fences
• 1 meter/3-4 feet – will deter casual trespassers

• 2 meters/6-7 feet – too high to climb easily
• 2.5 meters/8 feet – will delay the determined intruder
• Top guard will add 2-3 feet. Can be defeated by blanket,
mattress, towel, etc.
Controlled Access Points
• Gates are the minimum necessary layer
• Bollards
• Permanent or retractable post used to deter vehicle-based
attacks
Perimeter Intrusion Detection Systems
• Detect unauthorized access into an area

• Electronic “eyes”
• Note that some perimeter IDS can function inside the
perimeter as well
• Physical IDS
• Photoelectric
• Ultrasonic
• Microwave
• Passive IR
• Pressure sensitive
• Sounds/vibration
• Electrical circuits
• Motion sensors
Closed Circuit Television (CCTV)
• CCTV capability requirements

• Detection
• Recognition
• Identification
• Mixing capabilities
• Adding IR/thermal
• Virtual CCTV systems

• Fake systems
CCTV Concerns
• Total surveillance requirements
• Operating parameters (correct lens, angle?)

• Size depth, height, and width
• Pan, tilt, and zoom
• Lighting
• Contrast
CCTV Protection and Image Retention
• Storage of images
• Maintenance
• Privacy
Guards and Guard Stations
• Guards
• Deterrent
• Possible liability
• Contractors
• Guard stations
Domain Objectives

Building Entry Points
• Doors
• Windows
• Loading ramps
• Elevator shafts
• Ventilation ducts
• Crawlspaces
• Sewage or steam lines
Doors
• Isolation of critical areas

• Lighting of doorways
• Contact devices
• Guidelines
• Solid core
• Hinges fixed to frame with minimum of 3 hinges per door
• Lighting
• Should not open out except as required by building codes
• Locks should be daytime (push button) and 24 hour (deadbolt)
• Door frame should be permanently fixed to the adjoining wall studs
• Have same fire-resistance rating as adjacent walls
• Etc.
Access and Visitor Logs
• Identification/sign in and out
• Temporary badges
• Vehicles
• Escort
Turnstiles and Mantraps
• Tailgating/piggybacking
Types of Locks
• Something you have – keyed
• Something you know – combinations
• Something you are – biometric

Keyed Locks
• Lock components
• Body
• Strike
• Strike plate
• Key
• Cylinder
Lock Controls
• Lock and key control system
• Key control procedures
• Who has access to keys
• Keys issued
• Key inventory
• Default settings changed
• Change combinations
• Fail
• Soft (unlocked)
• Secure (locked)
• Safe (allow exit but not entry)
Electronic Physical Controls
• Card access
• Biometric access methods

Windows and Glass
• Standard plate glass

• Tempered glass
• 5 – 7 times more break resistant than plate and breaks into small,
less dangerous fragments
• Acrylic materials
• Stronger than plate
• Burn and produce toxic fumes, scratch easy and yellow over time
• Polycarbonate windows
• Resistant to abrasion, chemicals, fires and are even anti-ballistic
• Very expensive
Glass and Window Protection
• Laminate
• Solar film
• Bomb blast film/curtains
• Wired glass
• Intrusion detection/glass breakage sensors
Internal Intrusion Detection Systems
• Closed circuit television
• Sensors and monitors

Types of Lighting
• Continuous lighting
• Trip lighting
• Standby/backup lighting
• Emergency exit/egress lighting
• Infrared/night vision
Domain Objectives

Equipment Room
• Perimeter enclosure
• Controls
• Policy
• Emergency power off (EPO) switch
Data Processing Facility
• Small devices threat

• Digital camera
• Cell phone cameras
• USB drive
• Etc.
• Server room
• Most important requirements are space, power, air
conditioning, access control and security monitoring
• Mainframes
• Storage
Communications
• Wireless access points
• Network access control
• Cabling
• conduit
Access to Utility Rooms
• Power rooms
• Breaker panels
• Water
• Ventilation
• Gas
Work Area
• Keeping a work area safe is important for

everyone
• Operators
• Only allow access as needed/monitor
• System administrators
• Only allow access as needed/monitor
• Restricted work areas
• Only a select few people need access
Equipment Protection
• Inventory
• Locks and tracing equipment
• Data encryption
• Disabling I/O ports
Environmental Controls
System Threat
• Electric power • Loss of power
• HVAC • Overheating
• Water/plumbing • Flood/dripping
• Gas • Explosion
• Refrigeration • Leakage
Fire Protection
• Prevention – reduce causes

• Detection – alert occupants
• Suppression – contain or extinguish
• Wet-pipe sprinkler
• Most reliable
• Simple
• Water under pressure, when sprinkler head breaks water comes out
• Dry-pipe sprinkler
• Water is held back by valve and is released when sensor activates
• Pipes then fill with water and sprinkler engages
Materials and Suppression Agents
Class Type Suppression Agents

A Common combustibles Water, foam, dry chemicals
B Combustible liquids Inert gas, CO2, foam, dry chemicals
C Electrical Inert gas, CO2, dry chemicals
D Combustible metals Dry powders
K Cooking media (fats) Wet chemicals
• Suggested way to remember each:

• Ash
• Boil
• Current
• Drive
• Kitchen
Three Legs of a Common Fire
Displace: CO2/foam
Reduce: Water
Bind: Halon & alike
Bind:
Purple K
Remove:
Fireman
Flooding Area Coverage
• Water – sprinkler systems
• Gas – halon/CO2/argon systems
• Best practices for systems
• Portable extinguishers
Loss of Electrical Power
• UPS
• Generators
• Goals of power – clean and steady power
• Power controls
• Emergency power off (EPO) switch
• Power line monitors
• Total load
Heating, Ventilation, Air Conditioning
• Location
• Positive pressure
• Can indicate unauthorized physical breach
• Helps minimize dust
• Maintenance
Other Infrastructure Threats
• Vermin
• Electromagnetic fields
• Excess vibration
Physical (Environmental) Security
Domain Summary

Security Architecture and Design
Domain Objectives
• System and Component Security

• Definitions and Key Concepts
• Architecture Components
• System Design Principles
• Security Models
• Information Systems Evaluation Models
• Security Frameworks
Definitions and Key Concepts
• Information security management system (ISMS)
• Set of standards for addressing security throughout the
development, deployment and implementation schedule
• Enterprise security architecture (ESA)
• Includes all areas of security for an organization: leadership,
strategy, planning, etc.
• Information security architecture (ISA)
• Another term for ISO/IEC 27002
• Best practice
• Well-recognized and accepted approach to designing,
developing, managing/monitoring and enhancing processes
• Architecture
• High-level perspective of how business requirements are to be
structured and aligned with technology and processes
• Framework
• Defined approach to the process used to achieve the goals of
an architecture, based on policy
• Infrastructure
• Integrated building blocks that support the goals of the
architecture
• Model
• Outlines how security is to be implemented within the
organization
• Good security architecture
• Strategic
• Provides a long-range perspective that is less subject to tactical
changes in technology
• Business requirements based
• Understand business and security and design a system that meets
those requirements
• Holistic
• Understanding all the parts of the business and interconnecting them
• Design
• Blueprint
• Integration and development of technology infrastructure into the business
process
• Multiple implementations
• Flexibility due to location and business constraints
• Benefits of a good security architecture
• Consistently manage risk

• Reduce the costs of managing risk
• Accurate security-related decisions
• Promote interoperability, integration, and ease of access
• Provide a frame of reference (for other organizations
interacting with the enterprise)
Domain Objectives

• Security Models
Architecture Components
• What are the security limitations and benefits of each

component?
• Hardware
• Firmware
• Central processing units
• Input/output devices
• Software
• Architectural structures
• Storage and memory
Hardware: Computers
• Mainframe
• Minicomputers
• Microcomputers/desktops
• Servers
• Laptop/notebook
• Embedded
• From a security perspective, each security risk must be

addressed individually
Hardware: Mobile Devices
• USB storage
• Portable hard drives
• PDAs and mobile phones
Hardware: Printers
• Multifunctional
• Network aware
• More than output device
• Full operating system

Hardware: Communication Devices
• Modem
• Network Interface Card (NIC)

Hardware: Wireless
• Wireless network interface card

• Wireless access point
• Wireless Ethernet bridge
• Wireless router
• Wireless range extender
Firmware: Pre-Programmed Chips
• ROM (read-only memory)

• PROMs (programmable read-only memory)
• EPROMs (erasable programmable read-only memory)
• EEPROMs (electrically erasable, programmable, read-
only memory)
• Field programmable gate arrays (FPGAs)
• Flash chips
• Embedded system
CPU Functionality
• Multitasking
• Multiprogramming
• Multiprocessing
• Multiprocessor
• Multi core
• Multithreading
• Direct memory access (DMA)
Real-Time Systems
• Time and mission critical systems – systems that

support mission critical services such as flight controls, alarms
and monitoring sensors
• Immediate processing
• High levels of tolerance
• Failover
Virtual Machines
• Mimic the architecture of the actual system
• Resources provided by the host system

CPU and Processor Privilege States
• Supervisor state
• Problem (user) state
• Running
• Ready
• Blocked
• Masked/interruptible
Input/Output (I/O) Devices
• I/O controller
• Managing memory
• Hardware
Software: Operating System
• Hardware control
• Hardware abstraction
• Resource manager
• Design
• Kernel
Software: Utilities and Drivers
• System utilities
• Maintenance
• System drivers
• Application/hardware interface
• Plug and play
Commercial Software Programs
(Applications)
• Commercial off the shelf (COTS)
• Function first
• Unless the software is inherently a security-focused
application (such as a firewall), attention will first be
devoted to functionality. Security is usually an
afterthought.
• Evaluation
• Make sure to consider the information security aspects
of the application such as authentication methods, audit
capabilities, edit checks and error reporting, etc.
Software: Custom
• Business application
• No two businesses do business the same way. Custom
software is the solution used as a natural progression
from manual processes to automation of tasks
• System development life cycle

Software: convergent Technologies
• Customer relationship management (CRM)
• Workflow management systems

• SharePoint, Lotus Notes
• Unified messaging
• Allows different technologies to work together. Fax to a PDA,
access internet from TV
CPU and OS Support for
Applications
• Applications were originally self-contained
• OS capable of accommodating more than one

application at a time
• Security
• Reinforced by the OS since the OS has the ability to control
the activity of the applications and ensure that one or more
application threads do not affect another
Applications - Today
• Today’s applications are modular

• Execute multiple process threads
• Security
• Problems lie in the fact that independent sections are frequently
written by someone else and may be malicious. Module may also
be used in a way not intended by the author. Modules and threads
will often communicate directly and not involve the OS. This
prevents the OS from being able to manage the activity of the
process threads.
• Programs spawn processes. Processes spawn threads.

Memory is allocated to processes. So, threads share
memory.
Systems Architecture Approaches
• Open – standards based interfaces. Considered more

vulnerable but often result in a more robust set of security
features
• Closed – proprietary interfaces. Illusion that security through
obscurity works
• Dedicated – single level of processing permitted
• Single level – permit users to execute any instruction available
• Mutilevel – processing at two levels is permitted through some
form of user authentication and authorization. Most common
today and allow system to be accessed by users holding different
levels of privilege.
• Embedded – single purpose computer
Architectural Structures
• Client server
• Centralized architecture
• Distributed architectures
• Thin client architecture
• Diskless computing
• Clusters
Cloud Computing
• Provisioning of services
• Cost models
• Supplement/consumption/delivery model
• Involves provisioning of dynamically scalable and often
virtualized resources
• Characteristics
• Layers
Cloud Computing
• Deployment models • Issues

• Public cloud • Privacy
• Community cloud • Compliance
• Private cloud • Open source
• Hybrid cloud • Open standards
• Architecture • Security
• Intercloud • Issues surrounding cloud
computing are due in large part
• Cloud Engineering to the private and public sectors
unease surrounding the
external management of
security based services
Service-Oriented Architecture
• Technology benefits
• More flexible architecture, integration of existing applications,
improved data integration, supports business process
management, facilitates enterprise portal initiatives, speeds custom
application development
• Security issues
• A system that relies on distributed processing must have adequate
bandwidth and high availability.
• Business benefits
• More effective integration with business partners, supports
customer-service initiatives, enables employee self-service,
streamlines the supply chain, more effective use of external service
providers, facilitates global sourcing
Virtualization
• Virtual copy of physical system
• System virtual machine – complete operating environment that can

support user needs and multiple environment
• Hypervisor – interface between the physical and virtual environments
• Process virtual machine – systems that are dedicated to supporting

one process or program
Types of Memory Addressing
• Logical
• Refers to a memory location that is independent of the current
assignment of data to memory. Requires a translation to the
physical address.
• Relative
• Address expressed as a location relative to a known point
• Physical
• Absolute address or actual location
Memory Management Requirements
• Relocation
• Programmer does not know where the program will be placed
in memory when it is executed. It may be swapped to disk
and returned to main memory at a different location.
• Protection
• Processes should not be able to reference memory locations
in another process without permission.
• Sharing
• Allows several processes to access the same portion of
memory. OS allows each process access to the same copy of
the program rather than having its own separate copy.
Memory Protection Benefits
• Memory reference
• Different data classes
• Users can share access
• Users cannot generate addresses
Primary Storage
• Registers
• Very high-speed storage structures built into the CPU chip set
and are often used to store timing and state information for
the CPU to maintain control over processes.
• Cache
• Very fast memory directly on the CPU chip body. Not
upgradeable. Three types (level 1-3).
• Random access memory (RAM)
• Main memory of the system
Secondary Storage
• Internal
• External
• Virtual memory
• SANs
• Clusters
Virtual Memory
• = primary + secondary or RAM + Disk

• Extends apparent memory to accommodate larger
program execution space than is possible using only
physical memory and involves paging and swapping
operations.
• Generally 4 or 8 kb in length
Storage Systems
• Network Attached Storage (NAS)

• Simple, cost effective solution. Box on network that extends
storage area.
• Storage Area Network (SAN)
• Complex, expensive solution. Offers large capacity storage
for servers over high-speed (usually fiber) links
Blade Systems
• Server chassis
• Processing power
• Management simplification
• Is simply a series of motherboards housed in a box with

a high speed backbone
Domain Objectives

• Security Models
Separation
• Temporal isolation
• Accomplished through time limits. Person cannot access an
area of the building or an area of the network, or an
application outside of certain authorized hours.
• Physical isolation
• Refers to separating out sensitive areas from common access,
such as setting up compartmentalized areas or secure rooms.
• Virtual isolation
• Protects against malicious activity by not permitting a process
to execute outside of a strict set of boundaries.
Ring Protection
• Based on the Honeywell Multics Operating System

architecture.
• Set of segments in concentric numbered rings. Ring number
determines the access level.
• Procedure assumes its appropriate ring number when
executing. This prohibits a process from unregulated
execution of commands at a higher level.
• Program may call services residing on the same or more
privileged ring.
• Program may only access data that resides on the same
ring.
Privilege Levels
• Identifying, authenticating, and authorizing subjects
• Subjects of higher trust can access more system

instructions and operate in privileged mode
• Subjects with lower trust can access a smaller portion of

system instructions and operate only in user mode
Process Isolation
• Preserves Object’s integrity and subjects adherence to

access controls
• Prevents interaction – prevents objects from interacting with each
other and their resources
• Independent states – actions of one object should not affect the
state of other objects
• Process isolation method
• Encapsulation – objects, data, and functions are packaged together
• Time multiplexing – assignment specific time slots for processing
information
• Naming distinctions – to distinguish between processes
• Virtual mapping/domains – mapping info objects to virtual locations to
ensure applications can find their data
Trusted Computing Base (TCB)
• Trusted computer base – includes all the components and

their operating processes and procedures that ensure that the
security policy of the organization is enforced.
• Hardware
• Firmware
• Software
• Processes
• Inter-process communications
• Simple and testable
Trusted Computing Base (TCB)
• Enforces security policy – must be able to enforce security

policy regardless of user input and be protected from interference
or tampering
• Monitors four basic functions

• Process activation
• Execution domain switching
• Memory protection
• Input/output operations
Reference Monitor Concept
• Abstract machine concept – abstract machine that is regulating all access
on the system and enforcing security controls
• Must be tamperproof
• Always invoked
• Verifiable
• Security kernel
• Components of an OS perform various protection tasks designed to control
and monitor system evens and prevent things from occurring that might
disrupt normal execution or threaten the stability of the system or any of its
resources.
• Subject
• Active entity
• Object
• Passive entity
Attested Boot/TPM/Processing
• Ensures secure configuration and integrity of

software/hardware
• Uses cryptographic hash functions to ensure integrity
• Can also be used remotely

Secure System Design
• Availability – must be designed to meet needs
• Criticality – design of system must ensure that the critical processes

run effectively
• Redundancy
• Single points of failure – must be designed to avoid

• Defense in depth – ensures the security of the system cannot
be circumvented through one vulnerability
Domain Objectives

• Security Models
Security Models Introduction
• Information-flow model – tracks the movement of

information from one object to another
• Non-interference model – based upon rules to prevent
processes that are operating in different domains from
affecting each other in violation of security policy
• State-machine model – abstract mathematical model
where state variables represent the system state
• Lattice-based model – hierarchical model defining
access control privilege levels
Bell-LaPadula Confidentiality Model
• Lattice-based model
• Described using rows and columns
• State-machine model
• Hierarchical based model with dominance relationships
between higher and lower security levels
• Three fundamental modes
• Read only, write only , read and write
• Secure state
• Defines access rules
• ***** very important to know *****

Biba Integrity Model
• Lattice-based model
• Addressed first goal of integrity
• Subject – object tuple
• State machine model
• When you mix clean & dirty, dirty wins

• Read & write are opposite from Bell-LaPadula

Clark-Wilson Integrity Model
• Addresses all three integrity goals
• Defines well-formed transactions
1. Authorized users limited to authorized transactions

2. Unauthorized users do no tasks
3. Maintain internal & external consistency

Brewer and Nash Model
• Chinese Wall security policy
• Designed to prevent conflicts of interest

Other Models
• Graham-Denning
• Harrison-Ruzzo-Ullman (HRU) result
• Variations of Biba
Security Models
• Integrity • Confidentiality
• Clark-Wilson • Brewer-Nash
• Biba • BLP
• G&M • Implementations
• Sutherland • Gong
• Graham-Denning • Lipner
• HRU • Karger
• Jueneman
• Lee & Shockley
• Need to know
Domain Objectives

• Security Models
Evaluation Standards
• TCSEC (U.S. DoD)
• ITSEC (European Union)
• Common Criteria (ISO Standard 15408)

TCSEC or Orange Book
• DoD-centric
• Security and functionality
• Product evaluation
• Rainbow series – was a part of the Rainbow Series of books

dealing with security topics
• TNI – Trusted Network Interpretation (another of the series)
ITSEC
• International origin
• ITSEM
• Assurance
• Fucntionality
Common Criteria (ISO 15408)
• Origins
• Documents
• EAL 1-7 (evaluation assurance level)
• Protection profile (PP)
• Target of evaluation (TOE)

• Software, firmware, and/or hardware
• Security target (ST)

• Requested level of testing
Domain Objectives

• Security Models
ISO 7498-2
• Defined secure communications
• NOT an implementation
• Takes 7-layer OSI model and maps it to a 2-layer

functional model
Zachman Framework
• Complete overview of IT
business alignment
• Intent
• Scope
• Two-dimensional
• Principles
SABSA
• What are the business

requirements?
• Follow-on to Zachman
• Operational security focus
The Open Group Architecture
Framework
• Governance
• Business
• Application
• Data
• Technology
DoD Architecture Framework
• OMB A-130 requirement
• View sets:
• All view
• Operational view
• Systems view
• Technical standards view
ISO/IEC 42010
• International standard for information security

management systems (ISMS)
• Practice for architectural description of software-

intensive systems
ISO 27001 - ISMS
• Information security management system
• Ensures best practices are met

• Sets standards for security areas
• Based on BS7799-2
• Measurable and certifiable standard
IT Infrastructure library (ITIL)
• Focuses on IT services
• Supporting products
COSO Enterprise Risk Management
Framework
• Emphasizes the importance of identifying and managing
risks
• Process
• People
• Reasonable assurance
• Objectives
• If moving money, probably want to use this

Capability Maturity Model
• Developed by SEI (Software Engineering Institute)

• Based on TQM concepts (Total Quality Management)
• Framework for improving process
• Benefits
• Top 3 are proactive, bottom 2 reactive

PCI-DSS
• Payment card industry – data security standard

• Standards for the protection of payment card data (e.g.
credit cards, debit cards, etc.)
• Covered more in Domain 5 (Legal, Regulations,
Investigations, and Compliance)
Security Architecture and Design
Domain Summary

• Security Models
Software Development Security
Domain Objectives
• Overview of Applications Security

• System Life Cycle Security
• Applications Security Issues
• Malware and Other Attacks
• Database Security
Need for Applications Security
• While this model is important

to all domains, AIC is
probably most important to
this one
• Interface to critical and
sensitive data
• Thousands of exploits
Secure Systems Development Policies
• Organizations require security development methodology

• Many corporations are beginning to require and provide guidelines
for developing secure applications
• Security climate has changed

• Vendors are focused on functionality of their products and on
increasing their return on investment instead of security
• Security as built-in instead of add-on
• Compliance – many regulations and compliance requirements now
demand that systems track and control access permissions of users
and other entities
Organizational Standards
• Web Application Security Consortium (WASC)

• Build Security in (BSI)
• International Organization for Standardization
(ISO)/International Electrotechnical Commission (IEC)
27034
• These orgs provide information for software vendors and
the public that is intended to create secure environments
for software development, to aid in developing internal
code standards, to incorporate security features in
software products, and to deploy into secure
environments.
Software Configuration Management
(SCM)
• Versioning
• Technologist
• Protection of code
• Protection of project
• Scope creep vs Statement of Work
• Process Integrity
System Development Controls
• Project Management
• Complexity of Systems and Projects
• Security by Design
• Controls Built in to Software
• Secure by Default
Secure Development Excuses
• You cannot build security around an application, you

have to build it in
• “We need security? Then we’ll use SSL”
• “We need strong authentication? PKI will solve all our
problems”
• “We use a secret/military-grade encryption”
• “We had a hacking contest and no one broke it”
• “We have an excellent firewall”
• “We’ll add it later; let’s have the features first”
Secure Development Concerns
• Push to Market – pressure to deliver a product quickly
• Protect Source Code

• From tampering
• Pirating
• Accidental loss
• Protection against attacks
Secure Development - Physical
• Controlled access areas

• Development vs Operations
• Project security
• Probably best to only develop and work on projects in a

secure area.
Personnel Security
• Hiring controls – background checks for everyone involved

• Trust – several attacks come from developers
• Skills – don’t post to blogs asking for assistance on programming
problems
• Changes in employment
• If internal, adjust permissions on things no longer needed
• If leaving company, remind to keep company secrets
• Protection of privacy from employees

• Privacy Impact Rating – part of risk assessment. Looks at the data
that would be accessible by programs and identifies sensitive data
Separating Test Data From Production
• Never test on a production system

• Never use real data
• Protection of sensitive data
• Test for failure – test error routines and the resilience of
system to failure
• Ranges – test using both acceptable and unacceptable data values
• Stress Tests – make sure system can handle the number of
transactions or users that may be using the system at once
• Always try to test for what the bad guy and stupid user
would do
Certification and Accreditation
• Certification of secure design and deployment

• Production environment
• Accreditation of acceptance of risk

• Management approval for implementation
• Ensure that systems meet, and continue to meet, their

security requirements
Domain Objectives

System and Project Management
• Project Management-Based Methodology

• Systems Security Engineering-Compatibility Maturity Model
Integration (SSE-CMMI)
• 1-initial (chaotic, immature), 2-managed (disciplined, capable), 3-defined
(documented, consistent), 4-quantitatively managed (predictable), 5-
optimizing (constant improvement)
• SLC vs SDLC
• Systems Life Cycle – development, post-development,
maintenance phases
• System Development Life Cycle – development and ends
shortly after implementation
Software Development Methods
• Waterfall • Iterative Development

• Spiral Method • Joint Analysis
• Clean-Room Development
• Structured • Prototyping
Programming
Development
Software Development Methods
• Modified Prototype • Computer Aided

Model Software Engineering
• Exploratory Model • Component-Based
• Rapid Application Development
Development • Reuse Model
• Agile Development • Extreme Programming
Programming Language Examples
Interpreted Compiled
Oldest
• Basic • Basic
• REXX • Fortran
• COBOL
• PostScript
• Pascal
• Pascal
• C, C++, C#
• Perl • ADA
Newest
• Ruby • Python
• Python • Visual Basic
Program Utilities
• Assembler – program that translates an assembly

language program into machine language.
• Compiler – translates a high-level (source) language
into machine language
• Interpreter – instead of compiling a program all at once,
the interpreter translates it statement-by-statement
• Drivers – used to interface a program with the system
• Hybrid – compilation and interpretation. Code is
compiled into an intermediate stage. In Java, known as
bytecode. Needed for compatibility between systems.
Transaction Processing
• Separation of Duties
• Need to Know
• Logging
• Transaction:
• Integrity – data not inappropriately altered
• Edit checks, balancing, data/input validation, error handling/information
leakage, logging/auditing, cryptography, secure code environment,
session management
• Availability – large queries that affect performance should be limited.
Critical systems should be designed with redundancy and failover
• Confidentiality – provide necessary security measures for data
Object-Oriented Programming
• OOP Concepts
• Classes – templates for objects
• Objects – instances of the classes
• Message – objects request services by sending messages to other
objects
• Inheritance – an object that is called by another object or program
derives its data and functionality from the calling object
• Polymorphism – different objects may respond to the same
command in different ways
• Polyinstantiation – creating a new version of the object by
changing its attributes. Prevents Inference Violations by allowing
different versions of the same information to exist at different
classification levels
Distributed Programming
• Distributed Component Object Model (DCOM)

• Simple Object Access Protocol (SOAP)
• Common Object-Request Broker Architecture (CORBA)
• Enterprise Java Beans (EJB)
• Distributed programming requires abstract

communication between hosts. Entails programs
located on different computers be able to use the same
program at the same time.
Software Security Effectiveness
• Senior management participation

• Software security group
• Many organizations implement this. Charged with directly
executing or facilitating the software security activities.
• Understand, measure and plan
• Result of many activities
• Software security is the result of many activities. People,
process and automation are all key components.
• 15 core activities
Software Security Effectiveness
• BSIMM (Build Security In Maturity Model)

• Organization observed
• Business objectives
• Roles
• Framework
Domain Objectives

Applications Security Issues
• Building security in
• Adding defense-in-depth
• Cryptographic protection of data
• Secure architecture
Applications Security Principles
• Validate all input and output

• Fail secure (closed)
• Make it simple
• Defense in Depth
• Only as secure as your weakest link
Secure Coding Issues
• Buffer overflow
• SQL injection
• Cross-site-scripting (XSS)
• Dangling pointer
• Invalid hyperlink
• Secure (encrypted) web application traffic risks
• JavaScript attacks vs sandbox
• Application programming interface (API)

• Open source
• Vendor proprietary software
• Escrow
• iFrames
• Race condition
• Risks of push technology

• Information disclosure – error handling
• Infrastructure flaws
• Misconfiguration
• Incomplete parameter check and enforcement

• Covert channels
• Inadequate granularity of controls
• Privileged programs/privilege escalation
• Multiple paths to information
• Object reuse
• Garbage collection
• Trap door/maintenance hooks
Domain Objectives

Malware and Attack Types
• Malformed input
• Injection (SQL injection)
• Input manipulation/malicious file execution
• URL manipulation
• Unicode attack
• Cryptographic storage
• Hijacking
• Insecure communications
• Denial of Service (DoS)

• Distributed Denial of Service (DDoS)
• Botnets
• Fast flux botnets
• Data hiding
• Alternate data streams (ADS)
• Non-technical
• Executable content/mobile code

• Web applets
• Dynamic email
• Cookie poisoning (manipulation)

• Keystroke logging
• Adware and spyware
• SPAM
• Phishing
• Spear phishing
• Whaling
• Pharming
• Remote Access Trojans (RAT)

• Rootkits and RATs
• HTTP Response Splitting
• Cross Site Request Forgeries (CSRF)
Malware Structure
• Infection/reproduction
• Target search
• Infection
• Trigger
• Payload
Malware Anti-Detection
• Stealth
• Tunneling
• Polymorphism
• Self-decrypting
• Antivirus (anti-malware) disabling

Virus
• Central characteristic is reproduction

• Generally requires some action by user
• May or may not carry payloads
Virus Types
• File infector
• Boot Sector Infector
• System infector
• Email virus
• Multipartit
• Use to mean a virus that was able to infect boot sectors and programs
• Now means virus that can infect more than one type of object or to infect or
reproduce in more than one way
• Macro Virus
• Script Virus
• visual basic file that can be seen as a data file but is executable (.vbs)
The Hoax, Chain Letters and Pranks
• Hoax
• Chain Letters
• Pranks
• Forms of spam. More annoying that anything else but

can eat up bandwidth
Worm
• Reproduces
• No user action required
• Loopholes
• Often probe the computer looking to exploit specific
weaknesses and/or compromise other computers
• Attacks server software
Trojan Horse
• Purported to be a positive utility
• Hidden negative payload
Logic Bomb
• Generally implanted by an insider
• Waits for condition or time
• Triggers negative payload

Diddlers, Backdoors and RATs
• Data diddler
• Salami technique
• Office Space – fractions of a cent moved to bank account
• Payload in a Trojan or virus that deliberately corrupts

data, generally by small increments over time.
Protection From Malware Code
• Policies
• Tools
• Monitoring
• Operation
• Egress scanning
• Integrity checkers
Emerging Threats and Chained Exploits
• New application services

• Cell phones/mobile phones
• Telephony
• Chained exploits
Domain Objectives

Database Security
• Database (day to day) and data warehousing (strategic)

environment
• Eliminate duplication of data
• Consistency of data
• Network access
• Databases provide consistency of data. Data can be saved

in one place allowing anyone with access to see data
without the need for duplicate. Greater consistency or
accuracy of data
• Data warehousing is a new concept where large volumes of
information from many databases are stored. May lead to
privacy concerns.
Database Management Systems
(DBMS) Models
• Hierarchical DBMS
• Stores records in a single table
• Parent/child relationships
• Limited to a single tree Car
• Difficult to link branches
Toyota Honda Mazda
CRV Accord Civic
2-door 4-door
Network DBMS Model
• Extended form of the hierarchical database structure

• Does not refer to database being sorted on a network
but rather to the method by which data is linked to other
data.
Ford Mazda BMW
Regular Truck E Regular 4x4 Truck 4x4

Mazda 3 Series Mazda 6 X3 Freestar X5
5 speed Leather Front and Rear

transmission Interior Climate Controls
Relational DBMS Model
• Most frequently used model

• Data are structured in table
• Columns are “variables” (attributes)
• Rows contain the specific instances (records) of data
• Primary key
• Must exist
• Not null
• Index/optimize the table
• Foreign key
• Optimize
• Attribute in table
RDBMS Tables, Joins and Unions
Author Table
Author No Last Name First Name State
Primary 123456 Smithson Mary CA
Key
234567 Rogers Mike NY
345678 Tucker Sally CT
456789 Gleason Sarah IL
Foreign
Key
Book Table
Book No Book Title Book Type Book Price Author No
PC1234 Learning Database Models Computer 39.99 123456
PC4321 Data modeling Techniques 69.99 234567
PC6789 Designing a Database Computer 39.99 345678
PC9876 Secrets of Databases Computer 19.99 456789
Data Warehouse
• Consolidated view of enterprise data

• Data mart
• Designed to support decision making through Data
Mining
• Metadata
Knowledge discovery in Databases
(KDD)
• Methods of identifying patters in data
• KDD and AI techniques
• Probabilistic models
• Statistical models
• Classification approach
• Deviation and trend analysis
• Neural networks
• Expert system approach
• Hybrid approach
Database Security Issues
• Inference (guess)
• Aggregation (conclusion)
• Unauthorized access
• Improper modification of data
• Unauthorized data mining
• Query attacks
• Bypass attacks
• Interception of data
• Web security
Database Controls
• Access controls
• Grants – user is given access to specific data using
various privilege types
• Cascading permissions – individual grants access to
others, loses access, so does everyone else
• Lock controls
• Backup and recovery
• Data contamination control
• Polyinstantiation
View-Based Access Controls
• Constrained views
• What portion of the data in the database is the user authorized
to see
• Sensitive data is hidden from unauthorized users
• Controls located in the front-end application (user

interface)
Transaction Controls
• Content-based access control

• Commit statement
• Writes any and all changes that have occurred to the data during
the current transaction
• Three-phase commit
• Client requests permission to make a change to a database, the
database approves the change but doesn’t make the change until
the client returns a reply indicating the transaction completed
correctly.
• Database rollback
• Journals/logs
• Error controls
The ACID Test
• Atomicity – all or none. All transactions execute or rollback

• Consistency – changes maintain consistency. Transformed
from one valid state to another valid state, remaining
compliant with the rules of the database
• Isolation – transactions in progress are invisible to others.
Guarantees that the results of a transaction are invisible to
other transactions until the transaction is complete.
• Durability – say it is done, stays done. Ensures that the
results of the completed transaction can survive future
system and media failures.
Database Interface Languages/Methods
• Structured Query Language (SQL)

• Open Database Connectivity (ODBC)
• Extensible markup Language (XML)
• Object Linking and Embedding (OLE)
• Active X Data Object (ADO)
• Dynamic data
Application and Database
Languages: Security Issues
• Poorly designed
• More privileges than necessary
• DBA account use
• Lack of audit
• Input validation
Software Development Security
Domain Summary

Telecommunications and
Network Security
Domain Objectives
• Network Security Overview

• Physical
• Data Link
• Network
• Transport
• Session
• Presentation
• Application
• Telephony
• Services
Network Security Overview
• What is network security?
• Encompasses the STRUCTURES, TRANSMISSION

METHODS, TRANSPORT FORMATS AND SECURITY
MEASURES used to provide INTEGRITY,
AVAILABILITY, AUTHENTICATION, and
CONFIENTIALITY for transmissions over PRIVATE and
PUBLIC communications networks and media.
Information Security TRIAD
Security Issues and Concerns
• Message protection
• Confidentiality
• Integrity
• Non-repudiation
• Availability
• Redundancy
• Single point of failure
Defense in Depth
• Series of hurdles
• Collection of controls
• Any form of protection can be defeated but when
layered it becomes much harder to defeat.
OSI Reference Model
People Don’t Need To Smoke Pot Anymore

TCP/IP Model
Network-Based Attacks
• Network as a channel for attacks

• Most frequent network security threat today. Example, viruses
exploit networks in order to spread without actually breaching the
security of the network itself
• Inbound and outbound attacks
• Network as a target of attack
• DoS
• DDoS
Network Attacks
• Network attack phases
• Intelligence gathering and target selection

• Target analysis
• Gaining access
• Escalation of privileges
• Sustaining control
Domain Objectives

• Physical • Concepts &
• Data Link Architecture
• Network • Technology & Implementation
• Transport • Standards
• Session • Threats & Countermeasures
• Presentation
• Application
• Telephony
• Services
Layer 1: Physical Layer
• Bits are converted into signals

• All signal processing is handled here
• Physical topologies
• Physical layer describes the networking
hardware, the format of the communications (bits,
bytes, or optical pulses), as well as cable,
wireless connections, etc.
Communication Technology
• Analog and digital communications

• Digital communication brings quantitative and
qualitative enhancements
• From higher throughput
• Better signal-to-noise ratio
• fault tolerant error correction
• Ability to immediately process digital signals in a computer
Network Topology
• Even small networks are complex

• Network topology and layout affect scalability and
security
• Wireless networks also have a topology
Mesh
Ring Star
Network
Topology
Tree Bus
Bus Topology
• LAN with a central cable to which all nodes connect

• Advantages
• Scalable
• Permits node failure
• Disadvantages
• Bus failure
Ring Topology
• Closed-loop topology
• Advantages
• Deterministic
• Disadvantages
Star Topology
• All of the nodes connect to a central device

• Advantages
• Permits node/cable failure
• Scalable
• Disadvantages
Tree Topology
• Devices connect to a branch on the network

• Advantages
• Scalable
• Permits node failure
• Disadvantages
• Failures split the network
Mesh Topology
• In a full mesh network, every node in the network is

connected to every other node in the network
• Advantages
• Redundancy
• Disadvantages
• Expensive
• Complex
• Scalability
Domain Objectives

• Physical • Concepts & Architecture
• Data Link • Technology &
• Network Implementation
• Transport • Standards
• Presentation
• Application
• Telephony
• Services
Media Selection Considerations
• Throughput
• Distance between devices
• Data sensitivity/confidentiality
• Environment Twisted Pair
• Cost
Coax
Fiber
Wireless
Twisted Pair
• One of the simplest and cheapest cabling technologies

• Unshielded (UTP) or shielded (STP)
Coaxial Cable (Coax)
• Conducting wire is thicker than twisted pair

• Bandwidth
• Length
• Expensive and physically stiff
Fiber Optics
• Three components
• Light source
• Optical fiber cable
• Two types
• Light detector
• Advantages
• High bandwidth
• Immune to EMI and RFI
• Difficult to tap
• Disadvantages
• Expensive
• Difficult to install
Wireless Transmission Technologies
• 802.11 – WLAN
• From wired network to station, wireless LAN
• 802.16 – WMAN, WiMAX
• From neighborhood to station, wireless metropolitan area networks,
or WiMAX®
• Satellite
• From orbit to station
• Microwave
• High bandwidth, line of sight, point-to-point communications that
require licensing (ground to ground OR ground to orbit to ground)
• Optical
• High bandwidth, line of sight, point-to-point communications that do
not require licensing
Patch Panels
• Provide a physical cross-connect point for devices

• Alternative to directly connecting devices
• Centralized management
Modems
• Convert a digital signal to analog

• Provide little security
• War dialing
• Unauthorized modems
Hubs and Repeaters
• Hubs
• Used to implement a physical star/logical bus topology
• All devices can read and potentially modify the traffic of other
devices
• Repeaters
• Allow greater distances between devices
Wireless Access Points (WAPs)
• Access Point (AP)

• Point where wireless signals are converted to wired
• Go from radio waves to typically copper
• Multiple input/multiple output (MIMO)

• Uses multiple antennas at both the sending and receiving
ends and transmits different signals on each antenna
• Avoids some of the interference experienced by single
antenna units and increases performance and message
quality
Cloud Computing
• Access to IT services over the Internet

• Data storage
• Software
• Security
• Communications
• Etc.
• Security issues (3rd party trust)
• VPN connections – use when accessing secure data or
services
• Sharing of data – 3rd party trust
• Cross-border data transfer – is your data in the U.S.?
Domain Objectives

• Data Link • Technology & Implementation
• Network • Standards
• Transport • Threats & Countermeasures
• Session
• Presentation
• Application
• Telephony
• Services
Standard Connections
• Types of connectors
• RJ-11
• RJ-45
• BNC (British Naval Connector)
• RS-232 (serial ports)
• Cabling Standards
• TIA/EIA-568 (Telecommunications Industry
Association/electronic Industries Association)
Domain Objectives

• Network • Standards
• Transport • Threats &
• Session Countermeasures
• Presentation
• Application
• Telephony
• Services
Physical Layer Threats
• Attack vectors
• Wire
• Tapping
• Wireless
• Sniffing
• Equipment
• Modems
• Authorized and unauthorized modems
• Emanations and TEMPEST
• EMI and RFI
Physical Controls
• Wire
• Shielding
• Conduit
• Faraday cage
• Penetration index
• Wireless
• Encryption
• Authentication
• Equipment
• Locked doors & cabinets
Domain Objectives

• Physical • Concepts and
• Data Link Architecture
• Transport
• Protocols
• Session
• Presentation • Threats & Countermeasures
• Application
• Telephony
• Services
Layer 2: Data Link Layer
• Connects Layers 1 and 3

• Converts data from a signal into a frame
• Transmits frames to devices
• Link-layer encryption
• Determines network transmission format
Local Architecture Security
• Perimeter-based security
• The “egg” concept of security
• Hardened outside defenses
• Lack of internal defenses?
• Security domains
• Internal layers of defense
• Isolating networks within the organization
Network Partitioning
• Bastion host
• Dual-homed host
• Screened host and subnet
• Demilitarized zone (DMZ)
Network Partitioning
• Three-legged firewall
• Disadvantages
• No defense in depth
• Managing firewall rules can be complex
Token Ring and Token Passing
• A token is a special frame that circulates through the

ring
• Device must possess the token to transmit
• Token passing is used in token ring (IEEE 802.5) and
FDDI
Synchronous/Asynchronous
• Synchronous
• Timing mechanism synchronized data transmission
• Robust error checking
• Practical for high-speed, high-volume data
• Asynchronous
• Clocking mechanism is not used
• Surrounds each byte with bits that mark the beginning and
end of transmission
Unicast, Multicast, and Broadcast
• Unicast
• Sending of message from one host to another
• Multicasts
• Message (video, teleconference, etc) sent to a defined set of
recipients
• IGMP (Internet Group Management Protocol) – used to manage
multicasting groups (hosts on a network that are interested in a
particular multicast)
• Broadcasts
• Sends to an unlimited number of recipients. Can send to everyone
on network and sub-networks
• Often used to launch DoS
Circuit-Switched vs Packet-Switched
• Circuit-switched network
• Dedicated circuit between endpoints
• Endpoints have exclusive use of the circuit and its bandwidth
• Cost based on duration of the connection. Makes it cost-
effective only for steady communication streams
• Packet-switched network
• Data is divided into packets and transmitted on a shared
network
• Each packet can be independently routed on the network
• Cost based on amount of data transmitted. Appropriate for
transmissions with significant idle time
Switched/Permanent Virtual Circuits
Virtual circuits provide connection between endpoints over

high-bandwidth multiuser cable or fiber networks, which cause
them to behave with similar performance characteristics as if
the circuit were a dedicated physical circuit
• Permanent virtual circuits (PVC)

• Carrier configs route through packet-switched network. Unless
changed, route stays the same
• Switched virtual circuits (SVC)
• Traffic routing is configured dynamically by the routers each time the
circuit is used
Unicast – Point-to-Point
• ISDN (integrated services digital network)

• High speed before DSL, cable.
• Ts (T carriers)
• Time division multiplexing
• 1.544 Mbit/s over 24 channels (8000 frames/sec X 193 bits/frame)
• Es (E carriers)
• Time division multiplexing
• 2.048 Mbps over 30 channels
• OCs (optical carriers)
• T3, E3, SONET (3.45% of any speed)
X.25
• Suite of protocols for unreliable networks

• Has a strong focus on error correction
• Users and hosts connect through a packet switched
network
• Most organizations now opt for frame relay and ATM
instead of X.25 for packet switching
Frame Relay
• Network cloud of switches

• Customers share resources in the cloud
• The cloud is assumed to be reliable
• Customers are charged only for bandwidth used
Asynchronous Transfer Mode (ATM)
• Connection-oriented
• Uses virtual circuits
• Guarantees quality of service but not the delivery of
cells
• Types of virtual circuits
• Constant Bit Rate (CBR)
• Variable Bit Rate (VBR)
• Unspecified Bit Rate (UBR)
• Available Bit Rate (ABR)
Multi-Protocol Label Switching
(MPLS)
• Bandwidth management and scalability
• Permits traffic engineering
• Provides quality of service and defense against network
attacks
• Operates at Layers 2 and 3
• Operates over most other packet switching technologies
such as frame relay and ATM
• Created for performance but has the effect of being a
tunnel
Digital Subscriber Lines (DSL)
• Uses CAT-3 cables and the local telecom loop

• Asymmetric digital subscriber line (ADSL)
• Downstream speeds greater than upstream
• Rate-adaptive DSL (RADSL)
• Upstream transmission rate is auto tuned depending on the
quality of the line
• Symmetric digital subscriber line (SDSL)
• Same transmission rate up and down
• Very high bit-rate DSL (VDSL)
• Higher transmission rate. 13Mbps down and 2Mbps up
Cable Modem
• PC Ethernet NIC connects to a cable modem

• Speeds from 256Kbps to 50Mbps
• Bridging device between computers and ISP
• Modem and head-end exchange cryptographic key
• Cable modems increase the need to observe good

security practices
Domain Objectives

• Physical • Concepts and Architecture
• Data Link • Technology &
• Network Implementation
• Transport
• Protocols
• Session
• Presentation • Threats & Countermeasures
• Application
• Telephony
• Services
Concentrators, Multiplex/Demultiplex
• Combining or splicing signals

• Division multiplexing technologies
• TDM – time
• FDM – frequency
• WDM – wave
• Concentrator combines channels together. Often used to

permit several remote access connections to terminate on
the network at the same time.
• Multi/Demultiplex combines several signals into a single data

stream or breaks them apart.
Switches and Bridges
• Multiport devices to connect LAN hosts

• Forward frames only to the specified MAC address
• Increasingly sophisticated
• Also forward broadcasts
Wireless Local Area Networks
• Allow mobile users to remain connected

• Extend LANs beyond physical boundaries
Wireless Standards: IEEE 802.11
• 802.11b – 11 Mbit/s
• 802.11a – 54 Mbit/s + error correcting code
• 802.11g – max 54 Mbit/s w/ avg 22 Mbit/s
• 802.11n (multiple input/output) – 54 to 600 Mbit/s
• 802.11i (security)
• 802.16 (WiMAX)
• 802.15 (Bluetooth)
• Wireless multiplexing
• OFDM/DSSS/FHSS (AFH)
Authentication
• Paramount to the security of wireless LANs

• SSID
• SSID broadcast
• Open systems authentication
• Shared key authentication
• MAC address filtering
• Extensible authentication protocol
Wireless Encryption
• WEP – shared secret. Can be cracked in 3 to 30 sec

• WPA – uses RC4 w/ 128 bit keys. IV of 48 bits. Temporal Key
Integrity Protocol (TKIP) providing different key per packet
• WPA2 – AES instead of RC4. TKIP replace w/ Counter-
Mode/CBC-MAC protocol (CCMP)
• Extensible authentication protocol

• EAP-TLS – client and server mutually authenticate & use certs
• EAP-TTLS – less secure than EAP-TLS
• EAP-PEAP – encrypted tunnel but less secure than EAP-TLS
Domain Objectives

• Network • Protocols
• Transport
• Presentation
• Application
• Telephony
• Services
Point-to-Point Protocols (PPP)
• RFC 1331
• Encapsulation
• Link control protocol (LCP)
• Network control protocols
• PPP provides a standard method of encapsulating

Network Layer protocol information over point-to-point
links
Address Resolution Protocol (ARP)
• ARP (RFC 826)

• Generic address-resolution protocol. Was designed to be able
to convert any network protocol address to any data-link
address. Use today is normally to resolve 802.x addresses to
IP addresses
• RARP (RFC903)
• Used to map a devices MAC address to its IP address
• ARP cache poisoning
• Valid request is answered by an invalid authority
Password Authentication Protocol
(PAP)
• Identification and authentication of remote entity
• Uses a cleartext, reusable (static) password
• Supported by most network devices
• Advantages
• Standards based solution that provides interoperability in a
multivendor network
• Inexpensive to install and operate
• DB is encrypted
• Disadvantages
• PW is transmitted in the clear
• Reply is either an ACK or NAK. No replay protection.
Challenge Handshake
Authentication Protocol
• CHAP
• Periodically revalidates users
• Standard password database is unencrypted
• Password is sent on a one-way hash
• MSCHAP
• Server stores an encrypted hash of user’s pw
Domain Objectives

• Network • Protocols
• Transport
• Session
• Threats & Controls
• Presentation
• Application
• Telephony
• Services
Link Layer Threats
• Confidentiality • Availability
• Eavesdropping • DoS/jamming
• Sniffing from reconnaissance • Others
• Offline brute force • Rogue access points/ad hoc
• Unapproved wireless networks
• Integrity • War driving
• Modification/injection/highjacking • Open wireless networks
• Man-in-the-middle
• Force weaker authentication
Controls for Wireless Threats
• Encryption
• Authentication
• RF management
Domain Objectives

• Physical
• Data Link • Concepts & Architecture
• Transport • Protocols
• Session
• Presentation
• Application
• Telephony
• Services
Layer 3: Network Layer
• Moves information between two hosts that are not

physically connected
• Uses logical addressing
Local Area Network (LAN)
• LANs service a relatively small area

• Most LANs have connectivity to other networks
• VLANs are software-based LAN segments implemented
by switching technology
Metropolitan Area Network (MAN)
• Optimization for city

• Uses wireless infrastructure, fiber optics, or Ethernet to
connect sites together
• Still needs security
• Switched multi-megabit data service (SMDS)
• SONET/SDH
Storage Area Network (SAN)
• Hard drive space problem

• Server of servers
• Fiber backbone
• Switched
Wide Area Network (WAN)
• A WAN is a network connecting local networks or

access points
• Connections are often shared and tunneled through
other connections
Internet/Intranet/Extranet
• Internet
• Collection of all interconnected IP networks
• Intranet
• Company’s internal Internet
• Extranet
• Company will grant other controlled access to an isolated
segment of its own network to allow exchange of information
• Granting access to external organizations - risky
Domain Objectives

• Physical
• Network • Technology &
• Transport Implementation
• Session • Protocols
• Presentation
• Application
• Telephony
• Services
IPSEC
• Authentication header (AH)

• Encapsulating security payload (ESP)
• Security parameter index (SPI)
• Security associations
• Transport mode/tunnel mode
• Internet key exchange (IKE)
Tunneling Protocols
• Point-to-point tunneling protocol (PPTP) – Microsoft

• Layer 2 forwarding (L2F) – Cisco
• Layer 2 tunneling protocol (L2TP) – from Cisco &
Microsoft
• Add IPSEC, becomes VPN

Routers
• Network routing
• Layer 3
• Find best path to destination

Firewalls
• Filtering
• Filtering by address
• Filtering by service
• Static packet filtering
• Stateful inspection or dynamic packet filtering
• Personal firewalls
• Filter on any field in header

Firewalls
• Enforce administrative security policies
• Separate trusted networks from untrusted networks
• Firewalls should be placed between security domains

Proxy Firewalls
• Circuit-Level proxy
• Application-level proxy
Firewalls
Firewall Type OSI Model Layer Characteristics

Packet filtering Network Layer • Routers using ACLs dictate
acceptable access to a
network
• Looks at destination and
source addresses, ports,
and services requested
Application-level proxy Application Layer • Deconstructs packets and
makes granular access
control decisions
• Requires one proxy per
service
Firewalls
Firewall Type OSI Model Layer Characteristics

Circuit-level proxy Session Layer • Deconstructs packet
• Protects wider range of
protocols and services than
app-level proxies, but is not
as detailed as a level of
control
Stateful Network Layer • Keeps track of each
conversation using a state
table
• Looks at state and context
of packets
End Systems
• Servers and mainframes

• Operating systems
• Notebooks/laptops/tablet PCs
• Workstations
• Smartphones
• Personal digital assistants
• Network Attached Storage (NAS)
End System Protection
• Antivirus
• Personal Firewalls
• Host-based IDS/IPS
• Patch management
Domain Objectives

• Physical
• Session
• Presentation
• Application
• Telephony
• Services
Routing Protocols
• Routing information protocol (RIP)

• Routing table compromise
• Virtual router redundancy protocol (VRRP)
• Open shortest path first (OSPF)
• Exterior gateway protocol (EGP) – obsolete
• Border gateway protocol (BGP)
• Intermediate system-to-intermediate system (ISIS)
• Interior gateway routing protocol (IGRP)
• Enhanced IGRP (EIGRP)
Connectivity Protocols
• ICMP
• Redirect attacks
• Traceroute
• Ping scanning
Internet Protocol (IP)
• Internet Protocol (IP) is responsible for routing packets

over a network
• Unreliable protocol – no error checking
• IP will subdivide packets
• IPv4 address structure
IPv6
• A larger IP address field

• Improved security
• A more concise IP packet header
• Improved quality of service (QoS)
Internetwork Packet Exchange (IPX)
• Vendor specific
• Retired
Domain Objectives

• Physical
• Session
• Presentation
• Application
• Telephony
• Services
IP Attacks
• Fragmentation attacks
• Teardrop attack
• Overlapping fragment attacks
• Traceroute exploitation
• Sniffing
Smurf and Fraggle Attacks
• Smurf attack misuses the ICMP echo request
• Fraggle attack uses UDP instead of ICMP

• Ping through UDP
• Ping of death
Encryption as a Threat
• Can be used for inappropriate purposes

• External attackers
• Can plant encrypted backdoors that will allow them to access
system
• Internal attackers
• Utilize commonly available tools (SSL, TLS, SSH) to encrypt
traffic to subvert controls
• Encrypted backdoors
• Tunnels to home computer
• Tunnels setup to use company resources for personal pursuits
• Tunnels setup to protect criminal/improper behavior
• Etc.
IP Addressing Spoofing
• Packets are sent with a bogus source address

• Takes advantage of a protocol flaw
Controls
• Policy
• Inbound and outbound traffic controls
• Network partitioning
Domain Objectives

• Physical
• Data Link
• Network • Concepts & Architecture
• Session • Threats & Controls
• Presentation
• Application
• Telephony
• Services
Layer 4: Transport Layer
• End-to-end transport between peer hosts

• Connection-oriented and connectionless protocols
Domain Objectives

• Physical
• Data Link
• Presentation
• Application
• Telephony
• Services
Transmission Control Protocol (TCP)
• Well-known ports – 0 to 1023

• Registered ports – 1024 to 49151
• Dynamic and/or private ports – 49152 to 65,535
• Total of 65,536 ports

User Datagram Protocol (UDP)
• Fast
• Low overhead
• No error correction/replay protection

Transport Layer Security (TLS)
• Mutual authentication
• Encryption
• Integrity
Domain Objectives

• Physical
• Data Link
• Presentation
• Application
• Telephony
• Services
Attacks
• SYN Flood
• Denial of Service
Threats
• Port scanning
• FIN, NULL and XMAS scanning
• SYN scanning
• TCP sequence number attacks
• Session hijacking
Controls
• SYN proxies
• Honeypots and honeynets
• Tarpits
• Similar to honeypots. Entice hackers by presenting legitimate
looking systems that they will spend time attempting to crack.
• Particularly useful against spamming and network (port)
scanning
• Continuous or periodic authentication
Domain Objectives

• Physical
• Network
• Transport • Technology & Implementation
• Presentation • Threats & Controls
• Application
• Telephony
• Services
Layer 5: Session Layer
• Client-server model
• Middleware and three-tiered architecture
• Many implementations are designed to spread
the workload of a complex process to specialized
computer in a network
• Mainframe
• Keeps sessions local, unless remote terminals
are implemented
• Centralized systems
• RADIUS and TACACS+ enable remote
connection
Domain Objectives

• Physical
• Network
• Transport
• Technology &
Implementation
• Session
• Presentation • Protocols
• Application • Threats & Controls
• Telephony
• Services
Technology and Implementation
• Java RMI (remote method invocation)

• Allows a program running on one Java VM to invoke methods
running on another JVM
• Microsoft .NET
Domain Objectives

• Physical
• Network
• Technology & Implementation
• Transport
• Application
• Telephony
• Services
Protocols
• Real-time protocol – RTP

• End-to-end delivery services for data such as interactive audio
and video
• RTP control protocol – RTCP
• Used to monitor the quality of service and to communicate
information about the users during the session
• Remote procedure calls – RPC
• Execute objects across hosts
• Open network computing remote procedure call (ONCRPC)
• Sun’s version
Remote User Authentication
• RADIUS
• TACACS+
Domain Objectives

• Physical
• Network
• Technology & Implementation
• Transport
• Protocols
• Session
• Application
• Telephony
• Services
RPC Threats and Controls
• Threats
• Unauthorized sessions
• Invalid RPC exchanges
• Controls
• Patch
• Block at firewall
• Disable unnecessary protocols
Domain Objectives

• Physical
• Data Link
• Transport
• Presentation
• Application
• Telephony
• Services
Layer 6: Presentation Layer
• Data conversion
• Ensures a common format for data
• Services for encryption and compression
• JPEG
Mainframe to PC Translation
• Extended binary coded decimal interchange code

(EBCDIC)
• American standard code for information interchange
(ASCII)
• Gateway
• Specialized equipment used to translate presentation-layer
protocols
• NOT “default gateway”
Domain Objectives

• Physical
• Data Link
• Transport
• Presentation
• Application
• Telephony
• Services
Audio & Video Compression
• Codec
• Compression/decompression
• Conserves bandwidth and storage

VoIP Protocols
• H.323
• Session initiation protocol (SIP)
• Proprietary applications and services

Domain Objectives

• Physical
• Data Link
• Network
• Transport • Concepts & Architecture
• Session • Technology & Implementation
• Presentation
• Protocols
• Application
• Telephony • Threats & Controls
• Services
Layer 7: Application Layer
• The application layer is not the graphical

user interface (GUI)
• Performs communication between peer

applications
Domain Objectives

• Physical
• Data Link
• Network
• Session • Technology &
• Presentation Implementation
• Application • Protocols
• Services
Implementations
• Client/Server
• IM
• XMPP (Jabber)
• IRC
• Email
• WWW
• Peer to Peer
• File sharing
Domain Objectives

• Physical
• Data Link
• Network
• Presentation
• Protocols
• Application
• Services
Protocol Examples
• FTP – File Transfer Protocol

• RSH – Remote Shell
• IMAP – Internet Message Access Protocol
• IRC – Internet Relay Chat
• MIME – Multipurpose Internet Mail Extensions
• POP3 – Post Office Protocol (v3)
• Rlogin – Remote login in UNIX systems
• SOAP – Simple Object Access Protocol
• SSH – Secure Shell
• TELNET – Terminal Emulation Protocol
Communication Services
• Synchronous messaging
• Instant messaging (IM)
• Internet relay chat (IRC)
• Asynchronous messaging
• Simple mail transfer protocol (SMTP)
• Post office protocol (POP)
• Internet message access protocol (IMAP)
• Network news transfer protocol (NNTP)
Remote Communication Services
• TCP/IP terminal emulation protocol (TELNET)

• Remote login (RLOGIN), remote shell (RSH), remote
copy (RCP)
• X Window system (XII)
• Video and multimedia
Storage Data Services
• File transfer protocol (FTP)

• Trivial file transfer protocol (TFTP)
• Hypertext transfer protocol (HTTP)
• HTTP over TLS (HTTPS)
• Secure hypertext transfer protocol (S-HTTP)
• Proxies
Domain Objectives

• Physical
• Data Link
• Network
• Presentation • Protocols
• Application
• Telephony
• Services
Threats and Controls
• Authenticity
• Eavesdropping
• Scripting
• Spam over instant messaging (SPIM)
• Tunneling firewalls
• Email spoofing
• Spam
Domain Objectives

• Physical
• Data Link
• Network
• Transport
• Session • Concepts & Architecture
• Presentation • Technology & Implementation
• Application
• Telephony
• Services
Mobile Telephony – Cellular Service
• Analog
• Advanced mobile phone service (AMPS)
• Digital
• Global service for mobile communications (GSM)
• EDGE (enhanced data rate for GSM evolution)
• General packet radio service (GPRS)
• Data
Domain Objectives

• Physical
• Data Link
• Network
• Transport
• Presentation • Technology &
• Application Implementation
• Services
Telephony Technology
• PSTN
• PBX
• Facsimile
• Voice firewalls
• VOIP
• SIP, H.323
• TDMA, CDMA, FDMA
Voice over IP
• Reduced cost
• Coverged technology
• Security
Domain Objectives

• Physical
• Data Link
• Network
• Transport
• Application
• Telephony
• Services
Common Threats
• War dialing
• PBX administration
• War driving
• Fraudulent toll
• Voice eavesdropping
Domain Objectives

• Physical
• Data Link
• Network
• Session
• Technology &
• Presentation Implementation
• Application
• Telephony
• Protocols
• Services
Directory Services
• Domain name service (DNS)

• Lightweight directory access protocol (LDAP)
• Network basic input output system (NetBIOS)
• Network information service (NIS/NIS+)
Configuration Services
• Simple network management protocol (SNMP)

• Dynamic host configuration protocol (DHCP)
• Network time protocol (NTP)
• Finger user information protocol
Storage Server Services
• Common internet file system (CIFS)/server message

block (SMB)
• Network file system (NFS)
• Secure NFS (SNFS)
Domain Objectives

• Physical
• Data Link
• Network
• Transport
• Concepts & Architecture
• Session
• Application • Protocols
• Services
DSN Threats
• Spoofing
• Query manipulation:
• Hosts file manipulation
• Information disclosure
• Domain litigation
• Cybersquatting
Email Threats
• Spoofing
• Open mail relay servers
• Spam and filtering
• Phishing
Server Message Block (SMB)
Threats
• Buffer overflows
Controls
• DNS security extensions (DNSSEC)

• Mail filtering
• IM policy
• Turn off SMB
Telecommunications and Network
Security Domain Summary
• Physical
• Data Link
• Network
• Transport
• Session
• Presentation
• Application
• Telephony
• Services
CISSP Summary
• Domain 1 – Access Control

• Domain 2 – Business continuity and Disaster Recovery Planning
• Domain 3 – Cryptography
• Domain 4 – Information Security Governance and Risk
Management
• Domain 5 – Legal, Regulations, Investigations, and Compliance
• Domain 6 – Operations Security
• Domain 7 – Physical (Environmental) Security
• Domain 8 – Security Architecture and Design
• Domain 9 – Software Development Security
• Domain 10 – Telecommunications and Network Security
Questions?

CISSP

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

CISSP

Загружено:

Авторское право:

Доступные форматы

How I Passed the CISSP Test:

Lessons Learned in Certification

Other Admin Data

What is this class going to provide me?

What should I expect to get out of this class?

• Broken up into 12 parts

• Parts 2 – 11: will be the domains

• Part 12: will be examples of types of questions you might see.

Code of Ethics Canons:

• Member submitted security awareness materials

• Certified Information Systems Security Professional

• CISSPs often hold job functions such as:

• Develops and oversees the implementation of the organization’s

• Provide advice on implementation of information security solutions and

• Monitoring compliance with regulatory bodies and employees,

1) Obtain the Required Experience

What is needed for the Endorsement Process

• Provide a recent resume

• To maintain the CISSP certification and remain in “good standing” with

1. People Safety First

• Provide definitions and key concepts

• Is the basic foundation of information security

• Definitions of Key Concepts

• Is the PROPER assessment of the sensitivity and criticality of information

• Definitions of Key Concepts

• Administrative – policies and procedures.

• Technical/logical – use of hardware and software controls

• Physical – manual, structural or environmental controls to protect

• Preventive – block unwanted actions. However, only effective if

• Definitions of Key Concepts

• Denial of service • Sniffers

• Definitions of Key Concepts

• Identification – process of recognizing users or resources as valid

• Authentication – verification of the identity of the person or node

• Authorization – determines what a user or node is allowed to do

• Accountability – ability to track user activity

• Knowledge (something you know)

• Ownership (something you have)

• Characteristics (something you are)

• Need for identity management – needed to manage,

• Challenges – the more complex a network and data protection

• Identity management technologies – designed to centralize and

• Consistency – user data entered across different systems MUST

• Web Access Management (WAM)

• SESAME - protocol developed by the European Union. Also known as

• Web Portal Access

• Definitions of Key Concepts

• Most common implementation of Discretionary Access Control (DAC)

• Centralized access control – one entity makes network access decisions.

• Decentralized access control – decisions and admin are implemented

• Definitions of Key Concepts

• Network Based • = Packet

• KPI (Key Performance Indicator) - measure effectiveness

• Definitions of Key Concepts

• Audit trail monitoring

• Vulnerability assessment tools

• Denial of Service (DoS)

• PBX and IP telephony

• KPI – Key Performance Indicators

• Definitions of Key Concepts

• Business Continuity Management (BCM) Project

• Risk Management • Health & Safety

• Disaster Recovery • Knowledge Management

• Facilities Management • Emergency Management