How I Passed the CISSP Test: Lessons Learned in Certification

Presented by Kirk A. Burns, CISSP

Admin Data
  Emergency exits, breaks, phones, other admin data

Introduction

Instructor
  What is this class going to provide me?
  What should I expect to get out of this class?

Class Structure
  Broken up into 12 parts
  Part 1: introduction
  Parts 2-11: the domains
  Part 12: examples of the types of questions you might see. THESE ARE NOT copies of the questions from the exam

What is (ISC)²?

  (ISC)²: International Information Systems Security Certification Consortium
  Non-profit organization which specializes in information security education and certifications
  Often described as the world's largest IT security organization
  Based in Palm Harbor, Florida, USA
  Offices in London, Tokyo, Hong Kong and Vienna, Virginia (USA)
  Over 85,000 certified professionals in 135 countries
  http://www.isc2.org

(ISC)² Code of Ethics
  Preamble: The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  Code of Ethics Canons:
    Protect society, the common good, necessary public trust and confidence, and the infrastructure
    Act honorably, honestly, justly, responsibly, and legally
    Provide diligent and competent service to principals
    Advance and protect the profession

BENEFITS OF (ISC)² MEMBERSHIP
  Member benefits
  Continuing education
  Security Leadership Series events
  Discounts: worldwide receptions, conferences, RSA, InfoSec, SecureAmerica
  Face-to-face networking
  Virtual networking
  Career tools, InterSeC
  Industry awards
  Resources: InfoSecurity Professional magazine, Information Security Perspective journal, member-submitted security awareness materials
  Volunteer opportunities
  http://staysafeonline.org

What is CISSP?
  Certified Information Systems Security Professional
  Governed by (ISC)²
  Worldwide recognition of competence
  Practical understanding of information security issues and solutions
  ANSI accreditation based on the ISO/IEC 17024:2003 standard (obtained in June 2004)
  Awareness of security challenges
  As of November 2013, reported to have 90,198 members worldwide in 149 countries

ROLE OF THE CISSP
  CISSPs often hold job functions such as:

    Security Consultant
    Security Manager
    IT Director/Manager
    Security Auditor
    Security Architect
    Security Analyst
    Security Systems Engineer
    Chief Information Security Officer
    Director of Security
    Network Architect

ROLE OF THE CISSP
  Develops and oversees the implementation of the organization's information security policies and procedures
  Provides advice on the implementation of information security solutions and technologies
  Monitors compliance with regulatory bodies and by employees, contractors, alliances and other 3rd parties

COMMON BODY OF KNOWLEDGE (CBK)
  The (ISC)² CBK is a compendium of topics relevant to information security professionals around the world.
  The (ISC)² CBK is the accepted standard in the industry, the subject of many books written on information security, and the core of university information assurance programs around the globe.
  The CBK continues to be updated annually by (ISC)² CBK Committees, comprised of members from many industries and regions around the world, to reflect the most current and relevant topics required to practice in the field.
  (ISC)² uses the CBK domains to assess a candidate's level of mastery of information security.

How to Get Your CISSP Certification

  1) Obtain the required experience
     a) Must have a minimum of five (5) years cumulative paid full-time work experience in two (2) or more of the ten (10) domains.
     b) May receive a one-year experience waiver with a four-year college degree, or regional equivalent, OR an additional credential from the (ISC)² approved list (leaving four (4) years of direct full-time professional security work experience in two or more of the ten domains required)
  2) Study for the exam
  3) Schedule the exam
  4) Pass the exam
  5) Complete the endorsement process
  6) Maintain the CISSP certification

CISSP EXAM
  250 questions
  6 hours
  To pass you must score 700 points out of 1000
  BE ON TIME!!!!!!
  Bring the admission letter
  Must have government-issued photo ID
  Bring pencil and eraser
  ~$500

ENDORSEMENT PROCESS
  What is needed for the endorsement process:
    Provide a recent resume
    Complete the Examination Registration Form
    Submit a completed and executed Endorsement Form

MAINTENANCE REQUIREMENTS
  To maintain the CISSP certification and remain in good standing with (ISC)², you are required to:
    Pay the Annual Maintenance Fee (AMF) of $85 USD at the end of each certification year
    Earn and submit 120 CPE credits over three years. A minimum of 20 CPEs must be posted during each year of the three-year certification cycle

THE DOMAINS

  Access Control
  Business Continuity and Disaster Recovery Planning
  Cryptography
  Information Security Governance and Risk Management
  Legal, Regulations, Investigations, and Compliance
  Operations Security
  Physical (Environmental) Security
  Security Architecture and Design
  Software Development Security
  Telecommunications and Network Security

Golden Rules
  1. People safety first
  2. Management buy-in is critical
  3. Everyone is responsible for security
  4. Training is essential
  5. Policy is the key to (nearly) everything

What If I Don't Have The Experience?
  For those who don't have the experience, there is the Systems Security Certified Practitioner (SSCP)
  Only need 1 year of experience
  Domains covered:
    Access Controls
    Cryptography
    Malicious Code and Activity
    Monitoring and Analysis
    Networks and Communications
    Risk, Response and Recovery
    Security Operations and Administration

Access Control Domain Objectives

  Provide definitions and key concepts
  Identify access control categories and types
  Discuss access control threats
  Review system access control measures
  Understand Intrusion Detection and Intrusion Prevention systems
  Understand access control assurance methods

Access Control
  Is the basic foundation of information security
  Implemented differently depending on whether the area of implementation is physical, technical or administrative.
  Categories include: Preventive, Detective, Corrective, Deterrent, Recovery, Directive, Compensating
  Often used in combination

Access Control
  A comprehensive threat analysis will identify the areas that will provide the greatest cost-benefit impact.
  The field of access control is constantly evolving. Organizations need to know what is available and what methods will best address their issues.
  Data and system access control are NOT the same. A user might have access to a system but not to the data. Think need-to-know.
  Access control assurance addresses the due diligence aspect of security. Implementing a control is part of due care, but due diligence involves regularly checking to ensure that the control is working as expected.

Information Security TRIAD

Basic Requirements
  Security: ensure only authorized users and processes are able to access or modify
  Reliability: ensure control mechanisms work as expected, every time
  Transparency: have minimal impact on the ability of authorized users to interface with the system and do their job
  Scalability: should be able to handle a wide range of changing systems and user load without compromising system performance
  Maintainability: if too time-consuming or complicated, admins may not keep them up to date
  Auditability: should provide audit trails
  Integrity: must be designed to protect from unauthorized changes
  Authenticity: help ensure that data input is authentic

Key Concepts
  Separation of duties

    No one person should have control over the whole process. Allowing this could let a person manipulate the system for personal gain.
    The process should be broken down into individual steps executed by different people.
    Separation of duties is a core element of the Clark-Wilson integrity model
  Rotation of duties
    Makes collusion between two or more people harder to sustain; this minimizes the chance of fraud or exposes it.
    Forced vacation can provide the same effect.
  Least privilege: only allow access to the resources that are absolutely needed for work
  Need-to-know: just because you have the clearance doesn't mean you really need to know the data or process

Information Classification
  Is the PROPER assessment of the sensitivity and criticality of information
  Ensures that info is neither improperly disclosed nor overprotected
  Objectives:
    Identify info that needs to be protected
    Standardize labeling
    Alert authorized holders of protection requirements
    Comply with laws, regulation, etc.
  Benefits: keeps cost down
  Example of classification levels: Public, Internal Use Only and Company Confidential
  Compartmentalized information: information that requires special privilege to access

Information Classification Procedures
  Scope: risk analysis will evaluate data for classification. Things to consider:
    Exclusive possession (trade secrets, etc.)
    Usefulness
    Cost to recreate
    Legal or regulatory liability
    Operational impact
    Etc.
  Process: the goal is to achieve a consistent approach to handling classified information
  Marking and labeling for all types of media, including video
    Human readable
    Machine readable
  Assurance: regular internal and possibly external audits should be done

Access Control Types
  Administrative: policies and procedures
  Technical/logical: use of hardware and software controls
  Physical: manual, structural or environmental controls to protect facilities and resources

Access Control Categories
  Preventive: block unwanted actions. However, only effective if employees see these as necessary
  Detective: identify, log and alert management of unwanted actions (during or after the event)
  Corrective: remedy the circumstances that enabled the event
  Directive: controls dictated by organizational and legal authorities
  Deterrent: prescribe some sort of punishment
  Recovery: restore lost resources or capabilities
  Compensating: backup controls that come into effect when normal controls are unavailable

Access Control Threats
  Denial of service
  Password crackers: dictionary, brute force, rainbow tables (precomputed hash-to-password tables; per-password salts defeat them)
  Keystroke loggers
  Spoofing/masquerading
  Machine impersonation
  Sniffers
  Shoulder surfing/swiping
  Dumpster diving
  Emanations
  Time of Check (TOC)/Time of Use (TOU)

System Access Control
  Identification: process of recognizing users or resources as valid accounts
  Authentication: verification of the identity of the person or node
  Authorization: determines what a user or node is allowed to do once identified and authenticated
  Accountability: ability to track user activity

Identification Methods
  Most common is UserID, account number, email or PIN
  Biometrics can also be used
  Guidelines: unique UserID unless anonymity is required
  RFID can be used in place of the above methods to identify a user
  MAC and IP address are used primarily to identify a node on the network (both are easily spoofed, so neither is a strong identifier on its own)
  Secure user registration: the user interacts with a registration authority to become an authorized member of the domain
    1. UserID, encryption keys, job title, email, etc.
    2. User validation

Authentication Methods
  Knowledge (something you know)
  Ownership (something you have)
  Characteristics (something you are)

Identity and Access Management
  Need for identity management: needed to manage, authenticate, authorize, provision, de-provision and protect identities
  Challenges: the more complex a network and data protection system, the more challenging it is to manage
  Identity management technologies: designed to centralize and streamline the management of user IDs, authentication and authorization

Identity Management Challenges
  Consistency: user data entered across different systems MUST be consistent
  Reliability: user profile data should be reliable, especially if used to control access to data or resources
  Usability: multiple logins over multiple systems might not be the best idea
  Efficiency: using an identity management system can decrease costs and improve productivity for both users and administrators
  Scalability: the management system used must be able to scale to support the data, systems and peak transaction rates

Identity Management Challenges
  Principals
    Insiders: employees and contractors
    Outsiders: customers, partners, vendors, etc.
  Data: different types of data about principals must be managed
    Personal, legal and access control
    Some of this data might have regulatory requirements
  Life cycle
    Initial setup when the user joins
    Change and maintenance: routine password change, name changes, etc.
    Tear-down when the user leaves

Identity Management Technologies
  Web Access Management (WAM)
  Password management
  Account management
  Profile update

Access Control Technologies
  Single sign-on (SSO)
    Kerberos
    SESAME (Secure European System for Applications in a Multi-vendor Environment): a European SSO project that builds on Kerberos-style authentication, adding privilege attribute certificates and public-key support
  Web portal access
  Directory services
  Security domains

Access to Data
  Implementations
    Mandatory
    Temporal
    Discretionary
    Role
    Rule
    Content
    Privacy
  Descriptions
    List
    Matrix
    Capabilities
  Non-discretionary
  Constraints
  Centralized
  Decentralized

Access Control Lists (ACL)
  Most common implementation of Discretionary Access Control (DAC)
  Provide an easy method to specify which users are allowed access to which objects
  Objects/subjects, e.g., files/users
  O.S. dependent: each OS has its own way of representing ACLs
    UNIX: 3 subject classes (owner, group and world) with 3 permissions (read, write, execute); only the first class that matches the subject is consulted, so an owner is judged by the owner bits even if the group or world bits are more permissive
    ACL support in Linux is available for ext2, ext3, IBM JFS, ReiserFS and SGI XFS
    Microsoft: unlimited number of subjects and 26 permissions

Centralized/Decentralized Access Control
  Centralized access control: one entity makes network access decisions. Owners decide which users can access specific objects and the administration supports these directives.
    RADIUS
    TACACS+
    Diameter (RADIUS-based but enhanced to overcome RADIUS's inherent limitations)
  Decentralized access control: decisions and administration are implemented locally, putting control in the hands of people closer to the resource. Often causes confusion because it can lead to non-standardization, overlapping rights, etc.
    P2P
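The UNIX owner/group/world model from the ACL slide above, as an added worked example (this is not code from the original class materials). It is a small DAC evaluator in Python: the subjects, file objects and modes are constructed for the demo, and the rule it implements is the classic one, where only the first matching class (owner, then group, then world) is consulted and uid 0 bypasses the read/write bits.

```python
"""Classic UNIX mode-bit (owner/group/world x rwx) access check: a DAC ACL evaluator.

Added example, not code from the original slides. Subjects and files below are
constructed for the demo. Implements the standard rule: only the first class that
matches the subject (owner, then group, then world) is consulted, so an owner is
judged by the owner bits even when group/world bits are more permissive.
"""
from dataclasses import dataclass
from typing import FrozenSet

READ, WRITE, EXEC = 4, 2, 1  # bit values inside one rwx triplet


@dataclass(frozen=True)
class Subject:
    uid: int
    gid: int
    supplementary_gids: FrozenSet[int] = frozenset()


@dataclass(frozen=True)
class FileObject:
    owner_uid: int
    owner_gid: int
    mode: int  # permission bits, e.g. 0o640


def parse_symbolic(mode_str: str) -> int:
    """Convert 'rw-r-----' (as shown by ls -l) into the numeric mode 0o640."""
    if len(mode_str) != 9:
        raise ValueError("expected a 9-character rwxrwxrwx string")
    mode = 0
    for i, ch in enumerate(mode_str):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"bad character {ch!r} at position {i}")
    return mode


def permission_class(subject: Subject, obj: FileObject) -> str:
    """Pick the single class whose bits apply: owner, else group, else world."""
    if subject.uid == obj.owner_uid:
        return "owner"
    if obj.owner_gid == subject.gid or obj.owner_gid in subject.supplementary_gids:
        return "group"
    return "world"


def allowed(subject: Subject, obj: FileObject, want: int) -> bool:
    """True if every bit in `want` (READ|WRITE|EXEC) is granted to the subject."""
    if subject.uid == 0:
        # Root bypasses DAC read/write checks, but may only execute a file
        # that has at least one execute bit set somewhere in its mode.
        return not (want & EXEC) or bool(obj.mode & 0o111)
    shift = {"owner": 6, "group": 3, "world": 0}[permission_class(subject, obj)]
    bits = (obj.mode >> shift) & 0o7
    return (bits & want) == want


def rwx(subject: Subject, obj: FileObject) -> str:
    """Effective permissions as an rwx string, handy for audit output."""
    return "".join(
        ch if allowed(subject, obj, bit) else "-"
        for ch, bit in (("r", READ), ("w", WRITE), ("x", EXEC))
    )


if __name__ == "__main__":
    # Constructed demo: a config file owned by uid 1000 / gid 100, mode rw-r-----
    conf = FileObject(owner_uid=1000, owner_gid=100, mode=parse_symbolic("rw-r-----"))
    for who in (Subject(1000, 100), Subject(2000, 100), Subject(3000, 300), Subject(0, 0)):
        print(f"uid={who.uid:<5} -> {rwx(who, conf)}")
    # The first-match rule: the owner gets nothing here even though group/world get rwx.
    odd = FileObject(1000, 100, parse_symbolic("---rwxrwx"))
    print("owner on ---rwxrwx ->", rwx(Subject(1000, 100), odd))
```

The `---rwxrwx` case is the one worth remembering when auditing: a permissive group or world triplet does not rescue an owner whose own triplet is empty, and the same first-match logic is why a user's supplementary groups matter only when they are not the file's owner.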

Intrusion Detection Systems
  Network-based (NIDS): inspects packets on the wire
  Host-based (HIDS): monitors activity on a single host (processes, permission changes)
  Application-based (AIDS/APIDS): monitors a specific application or protocol

Intrusion Prevention Systems
  Host-based
  Network-based
  Content-based
  Rate-based
  KPI (Key Performance Indicator): measure effectiveness

Analysis Engine Methods
  Pattern or signature-based
    Pattern matching
    Stateful matching
  Anomaly-based
    Statistical
    Traffic
    Protocol
  Heuristic scanning

IDS/IPS Examples
  Anomaly
    Multiple failed logins
    User logged in at unusual times
    Unexplained changes to system clocks
    Unusual number of error messages
    Unexplained system shutdowns/restarts
  Response
    Dropping suspicious packets
    Denying access to suspicious users
    Reporting suspicions to other system hosts/firewalls
    Changing IDS configurations
  Alert
    IM
    Email
    Pager
    Audible alarm
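The analysis engine methods and anomaly examples from the IDS/IPS slides above, as an added worked example (not code from the original class materials). It is a toy host-based engine in Python that runs a signature rule, a stateful rule and two anomaly rules over SSH authentication log lines. The log lines are constructed for the demo (RFC 5737 documentation addresses), and the rule names, thresholds, windows and "business hours" are assumptions chosen to make each method visible.

```python
"""Toy IDS analysis engine over SSH auth log lines: signature, stateful and anomaly rules.

Added example, not from the original slides. The log lines, rule names,
thresholds and 'business hours' are constructed/assumed for the demo to show
each analysis method the slide names (pattern matching, stateful matching,
statistical anomaly).
"""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")

# Signature rules: a known-bad pattern inside a single event (stateless).
SIGNATURES = {"ROOT-PASSWORD-ATTEMPT": re.compile(r"Failed password for root from (?P<ip>\S+)")}
BURST_THRESHOLD, BURST_WINDOW = 5, timedelta(seconds=60)  # statistical anomaly: failures per source
STATEFUL_WINDOW = timedelta(minutes=10)                    # how long failures are remembered per IP
BUSINESS_HOURS = (time(7, 0), time(19, 0))                 # assumed normal login hours


def parse(line):
    """Return (timestamp, message) for an sshd line, or None for anything else."""
    m = LINE_RE.match(line)
    return (datetime.fromisoformat(m["ts"]), m["msg"]) if m else None


def analyze(lines):
    """Run all rules over the lines in order; return (method, rule, subject) alerts, each at most once."""
    alerts, seen = [], set()
    failures = defaultdict(list)  # ip -> recent failed-login timestamps (the engine's state)

    def raise_alert(method, rule, subject):
        if (method, rule, subject) not in seen:
            seen.add((method, rule, subject))
            alerts.append((method, rule, subject))

    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # foreign line (cron, kernel, ...): skip, never crash the sensor
        ts, msg = parsed

        # 1. Pattern matching: signature hit on the raw event text.
        for rule, pattern in SIGNATURES.items():
            m = pattern.search(msg)
            if m:
                raise_alert("SIGNATURE", rule, m["ip"])

        failed = FAILED_RE.search(msg)
        accepted = ACCEPTED_RE.search(msg)
        if failed:
            ip = failed["ip"]
            failures[ip] = [t for t in failures[ip] if ts - t <= STATEFUL_WINDOW] + [ts]
            # 2. Statistical anomaly: too many failures from one source inside a short window.
            if sum(ts - t <= BURST_WINDOW for t in failures[ip]) >= BURST_THRESHOLD:
                raise_alert("ANOMALY", "FAILED-LOGIN-BURST", ip)
        elif accepted:
            ip, user = accepted["ip"], accepted["user"]
            # 3. Stateful matching: a success that follows a run of failures from the same source.
            if sum(ts - t <= STATEFUL_WINDOW for t in failures[ip]) >= 3:
                raise_alert("STATEFUL", "BRUTE-FORCE-THEN-SUCCESS", ip)
            # 4. Behavioral anomaly: the slide's "user logged in at unusual times".
            if not BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]:
                raise_alert("ANOMALY", "OFF-HOURS-LOGIN", user)
    return alerts


# Constructed sample log (not real data); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2024-03-04T02:13:01 bastion sshd[4100]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2",
    "2024-03-04T02:13:05 bastion sshd[4101]: Failed password for invalid user test from 203.0.113.7 port 51001 ssh2",
    "2024-03-04T02:13:09 bastion sshd[4102]: Failed password for alice from 203.0.113.7 port 51002 ssh2",
    "2024-03-04T02:13:13 bastion sshd[4103]: Failed password for alice from 203.0.113.7 port 51003 ssh2",
    "2024-03-04T02:13:17 bastion sshd[4104]: Failed password for alice from 203.0.113.7 port 51004 ssh2",
    "2024-03-04T02:14:30 bastion sshd[4107]: Accepted password for alice from 203.0.113.7 port 51012 ssh2",
    "2024-03-04T10:00:00 bastion sshd[4200]: Accepted publickey for bob from 198.51.100.5 port 40000 ssh2",
    "2024-03-04T10:05:00 bastion sshd[4201]: Failed password for root from 198.51.100.9 port 40100 ssh2",
    "Mar  4 10:06:00 bastion CRON[4300]: pam_unix(cron:session): session opened for user root",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Note what each rule needs: the signature fires on one line with no memory; the burst and the "failures then success" rules only work because the engine keeps per-source state (and prunes it, so memory stays bounded); the off-hours rule is a behavioral baseline, which is why a legitimate 02:14 login by alice still produces an alert that an analyst has to triage.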

Access Control Assurance
  Audit trail monitoring
  Vulnerability assessment tools
  Penetration testing

Penetration Testing Overview
  Definition
  Areas to test
  Methods of testing
  Testing procedures
  Testing hazards

Areas to Test
  Application security
  Denial of Service (DoS)
  War dialing
  Wireless penetration
  Social engineering
  PBX and IP telephony

Penetration Testing Methods
  Attack perspectives: external, internal
  Attack strategies: zero-knowledge, partial-knowledge, full-knowledge, targeted, double-blind

Testing Steps
  Discovery
  Enumeration
  Vulnerability mapping
  Exploitation

Testing Hazards and Reporting
  Hazards: production interruption, application abort, system crash
  Documentation: identified vulnerabilities, countermeasure effectiveness, recommendations, KPI (Key Performance Indicators)

Access Control Domain Summary
  Definitions of key concepts
  Access control categories and types
  Access control threats
  Access to system
  Access to data
  Intrusion prevention and detection systems
  Access control assurance

Business Continuity and Disaster Recovery Planning Domain Objectives
  Business Continuity Management (BCM) project planning
  Understanding the organization
  Recovery strategy selection
  Creating the plan(s)
  Developing and implementing response
  Testing, update, and maintenance of the plan

Planning Should Occur BEFORE You Need It

BS 25999: Business Continuity Management (the British standard this deck follows; it has since been superseded by ISO 22301)
  Related disciplines: risk management, health & safety, disaster recovery, knowledge management, facilities management, emergency management, supply chain management, security, quality management, crisis communications and PR, information security

Priorities
  Keeping CRITICAL products and services going: availability, integrity, confidentiality
  Otherwise: out of business!!!

What should be done in a crisis when most controls are missing?

The Business Continuity Life Cycle Overview
  Analyze the business
  Assess the risks
  Develop the BC strategy
  Develop the BC plan
  Rehearse the plan

BCM Project Management
  Senior management support
  Policy
  Access to key personnel
  Budget: immediate and ongoing

BCM Project Management
  Project management: scope, timelines, deliverables, team members, tools
  Initiating BCP: awareness, data and implementation; staff and budget
  Result must be a long-term, sustainable program
  Review progress monthly (suggestion)

Documentation
  Review current BCP, if available
  Documentation may not equal capability
  Staff must be trained to use any necessary software
  Types of BCM document:
    Policy, including scope and principles
    Business impact analysis
    Risk and threat assessment
    Strategies, including (if able) papers supporting the choice of strategies adopted
    Response plans
    Test schedule and reports
    Awareness and training program
    Service level agreements with customers and suppliers
    Contracts for 3rd-party recovery services such as workspace and salvage
  Review/update as directed by policy

Understanding BCM Priorities
  Business priorities

  Policy/culture
  Critical services and products
  Legal and regulatory requirements

Risk Assessment and Management
  Management is often NOT an IT person and might have different priorities
  Risk management versus business continuity planning
    Risk management: tactical
    Business continuity: strategic
  Coordination between risk assessment and business impact analysis
  Purpose of risk management?

Threat Identification
  Natural/environmental
  Human/man-made
  Utility
  Supply chain
  Equipment
  Facility
  Loss of key personnel

Understanding the Organization: Business Impact Analysis (BIA)
  Benefits
  Objectives
  Indicators of critical business functions
  Time sensitivity
  Data integrity
  Classification

Business Impact Analysis
  Identifies, quantifies, and qualifies loss over time
  Business impact analysis process: workshops, questionnaires, interviews, observation
  Business justification for budget
  Maximum Tolerable Downtime (MTD) / Maximum Tolerable Period of Disruption (MTPD)
  Recovery Point Objective (RPO): how much data, measured in time, the business can afford to lose
  Document dependencies: third-party dependencies and liabilities, service level agreements

Incident Readiness & Response
  Planners become leaders
  Be prepared
  Triage
  Incident management
  Success = return to operations
  Application of lessons learned

Continuity Requirement Analysis
  Identify supporting activities and resources
  Outcomes feed BCP strategy selection
  Reviewed with the BIA

Determining Recovery Strategy
  Determining BC strategies
  Strategy options
  Data
  Activity continuity options
  Resource-level consolidation

Determining Recovery Strategy
  High-level strategies: the purpose is to ensure the overall continuity strategy appropriately supports the delivery of the org's products/services
  Recovery Time Objective (RTO) must be less than the Maximum Tolerable Downtime/Period of Disruption (MTPD)
  Separation distance: how far away is the recovery site
  Cost/benefit analysis: the best strategy is often determined by cost
  Address specific business types: different business functions have different recovery solutions

Recovery Alternatives

  Alternative: Multiple processing/mirrored site
    Description: Fully redundant identical equipment & data
    Readiness: Highest level of availability & readiness
    Cost: Highest

  Alternative: Mobile site/trailer
    Description: Designed, self-contained IT & communications
    Readiness: Variable drive time; load data & test systems
    Cost: High

  Alternative: Hot site
    Description: Fully provisioned IT & office, HVAC, infrastructure & communications
    Readiness: Short time to load data and test systems. May be staffed by your people or vendor staff
    Cost: High

  Alternative: Warm site
    Description: Partially IT equipped; some office, data & voice equipment, infrastructure, communications
    Readiness: Days or weeks
    Cost: Moderate

  Alternative: Cold site
    Description: Minimal HVAC and infrastructure. Need data, all IT, office equipment & communications
    Readiness: Weeks or more
    Cost: Lowest

Processing Agreements

  Agreement: Reciprocal or Mutual Aid
    Description: Two or more organizations agree to recover critical operations for each other
    Considerations: Technology upgrades/obsolescence or business growth. Security and other access by partner users

  Agreement: Contingency
    Description: Alternate arrangements if the primary provider is interrupted, i.e., voice or data communications
    Considerations: Providers may share paths or lease from each other. Question them

  Agreement: Service Bureau
    Description: Agreement with an application service provider to process critical business functions
    Considerations: Evaluate their loading and geography, and ask about backup mode

  Agreement: Remote Working Arrangements
    Description: Ability to telecommute or work from home
    Considerations: Sensitive data controls, unauthorized equipment

Business Continuity Plan
  Master plan
  Modular in design
  Executive endorsement
  Review quarterly

BCP Contents
  When will the team be activated?
  How will the team be activated?
  Where will everyone meet?
  Is there an action plan/task list?
  Is there any reporting? If so, to whom?

BCP Contents
  Responsibilities of the team or specific individuals
    Liaising with emergency services (fire, police, ambulance)
    Receiving or seeking information from response teams
    Reporting information to the incident management team
    Mobilizing third-party suppliers of salvage and recovery services
    Allocating available resources to recovery teams
  Location/mobilization instructions

Developing Response Plans
  Incident response structure: plans that answer "What do we do now?" (emergency response procedures, personnel notification, backup and offsite storage, etc.)
  Emergency response procedures
  Personnel: executive succession plan, executive crisis management roles, BC coordinator and teams, notification lists, PR
  Communications: emergency systems, business systems communications and networks
  Alternate site considerations: utilities, communications, environmental protection, workspace protection
  Logistics and supplies: personnel and materials transport, personnel support and welfare, remote worker activation, emergency funds, protection against fraud and looting, safety and legal issues, escalated management authority

Creating Recovery Plans
  Recovery procedures
  Recovery priorities
  Activation of alternate site or processes
  Data recovery
  Business resumption plan

Creating Disaster Recovery Plans
  Disaster recovery
    Recover out to the alternate site: MOST critical first
    Recover back to the primary site: LEAST critical first
  Responsibilities and authority
    Outlines what needs to be done
    Outlines who will do the work
    Since this may be happening at the same time as the incident, recovery should be done (if possible) by a different team comprised of technical experts and system engineers who can rebuild the failed systems

Creating Restoration Plans
  Rebuilding of the primary site
  Facility restoration
  System restoration
  Priorities
  Data synchronization
  Salvage
  Closure of the alternate site

Topics to Address in Plans
  Equipment: procurement (vendor agreement)
  Facilities: environmental controls, fire and water protection
  Personnel
  Data: offsite storage requirements
  Utilities
  Communications
  Logistics and supplies

Resource-Level Consolidation
  Consolidation plan
  Availability of solutions
  Consolidate, approve and implement
  Outcomes and deliverables

Incident Response Management
  Strategic level: Incident Management Plan (IMP) defines how the strategic issues of a crisis will be managed by the chief executive/senior managers. May include crises that do not result in interruptions (hostile takeover, media exposure, etc.).
  Tactical level: Business Continuity Plan (BCP) addresses business disruption, interruption, or loss from the initial response until normal business resumes.
  Operational level: Activity Resumption Plans provide plans for resuming normal business functions. Might provide logical and technical structure for restoring services or use of alternate facilities.

Implementing Incident Management
  Crisis management: rapid response is critical
  Triage (alerts)
  Notification
  Health and safety of personnel (people first)
  Escalation
  Executive succession
  Initial assessment
  Damage assessment
  Declaring a disaster
  Mobilization of response teams: permanent and virtual teams

Documentation and Communication
  Documentation of the incident
  Feedback and analysis
  Communications
  Public relations

Testing the Program
  Find the flaws
  Outsourcing
  Timetable for tests
  Designing a test: define success/failure BEFORE the test begins

Testing Types

  Type: Desk check
    Process: Check the contents of the plan; aid in maintenance
    Participants: Author
    Frequency: Often
    Complexity: Low

  Type: Walk through
    Process: Check interaction and roles of participants
    Participants: Author and main people

  Type: Simulation
    Process: Includes business plans, buildings and communication
    Participants: Main people and auditors

  Type: Parallel testing
    Process: Moves work to another site; recreates the existing work from the displaced site
    Participants: Everyone at the test location

  Type: Full interruption
    Process: Shuts down and relocates all work
    Participants: Everyone at both locations
    Frequency: Seldom
    Complexity: High

  (Frequency decreases and complexity increases from desk check down to full interruption.)

Testing BCP Arrangements
  Test, rehearsal and exercise
  Combining individual tests to ensure complete coverage
  Stringency, realism, and minimal exposure
  Risks of testing
  Scope and documentation of a test
  Outcomes

Embedding BCP into the Organization
  Assessing level of awareness and training

  Develop levels of training for individuals
  Developing BCP within the culture: educate employees not only on what they are supposed to do but WHY they are doing it that way
  Monitoring cultural change: get feedback. Sometimes the best solution to a problem will come from the most unexpected person

Specialized Training Needs
  EOC (Emergency Operations Center)
  Specialized skills: forensic, interviewing, technical, crisis management, PR, etc.

Maintaining BCP Arrangements
  Ready and embedded
  Aligned with change-management procedures
  Owners keep information current
  Documented
  Review as needed

BCP Maintenance
  Updating
    Annual review at a minimum
    Subsequent to tests, to immediately identify fail points and needed changes
    In response to audits, to address issues found
  Version control to ensure everyone is working off the most current plan
  Distribution of the plan to ensure everyone is working off the most current plan

Reviewing BCP
  Audit
  Independent BCP audit opinion
  As directed by audit policy

Factors for BCM Success
  Supported by senior management
  Everyone is aware
  Everyone is invested
  Consensus

Business Continuity and Disaster Recovery Planning Domain Summary
  Business Continuity Management (BCM) project planning
  Understanding the organization
  Recovery strategy selection
  Creating the plan(s)
  Developing and implementing response
  Testing, update, and maintenance of the plan

Cryptography Domain Objectives
  Definitions

History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations Concepts and Definitions Cryptology the study of cryptography and cryptanalysis

Cryptanalysis practice of defeating the protective properties of cryptography. Reading protected info, altering messages or integrity values and violating authentication. The practice of testing cryptographic algorithms to determine their strength or resistance to compromise. Cryptography from Greek words kryptos (hidden) and graphia (writing). Mathematical manipulation of information to prevent the information from being disclosed or altered. Basic Goals of Cryptography

Confidentiality prevent unauthorized people from being able to detect or understand a message Integrity detect if a message has been tampered with or corrupted Authenticity ensure that message has been sent to correct person and in correct order, including prevention of replay attacks Non-repudiation sender cannot deny sending Access control encrypted passwords, token-based access control devices provide protection for systems and applications Make compromise difficult make the attack either too expensive or

too time-consuming to be worth the effort Concepts & Definitions Cryptosystem device or process used to perform encryption and decryption operations Plaintext/Cleartext human readable message

Ciphertext/Cryptogram enciphered, encrypted, or scrambled message Cryptographic Algorithm mathematical function that determines the cryptographic operations Cryptovariable (key) often secret value used to transform the message in the encrypted message Key Space total number of keys available to the user of a cryptosystem Concepts & Definitions Encrypt/Encipher scrambling a plaintext message by using an

algorithm, usually in conjunction with a key Encode similar to enciphering or encrypting except that it does not use a key Decipher/Decrypt/Decode descrambling an encrypted message and converting it to plaintext Basic Transformation Techniques

Substitution change value, not position. Transposition/Permutation change the relative position of values without replacing them (bit-shuffling) Compression change position, not value. Decrease redundancy before plaintext is encrypted. Used to save on bandwidth and storage. Entropy maximum amount of compression that can be applied Expansion typically used to increase the size of plaintext to match the

size of keys or subkeys Padding adding additional material to plaintext before encrypting. Addresses weaknesses in an algorithm and foils traffic analysis XOR Exclusive Or Fast arithmetic function used in many computer operations Binary math

Add two values If both input values are the same the output is a Zero (i.e., 1+1=0; 0+0=0) If the input values are different the output is a One (i.e., 1+0=1; 0+1=1) Keys and Cryptovariables

Key management refers to the principles and practices of protecting the keys throughout the lifecycle Key expiry/cryptoperiod keys should be changed on a regular basis. Length of time should be based on algorithm and level of protection required Key mixing/Key schedule DES nominal length 56 bits (actual length 64 but 8 used for parity), does 16 rounds of substitution and transposition and uses 48 bits of the key. Generates new 48 bit key from original 56 bit. AES uses key schedulers to generate completely new keys from the original key for each round. Keystreams pseudo-random sequence that is generated from the input key and mixed with the input message. Synchronous keystream is generated based on original key, bit-by-bit, in sync with plaintext

Non or self-synchronous keystream is generated based upon previously generated ciphertext and cryptovariable Key storage key must be protected in transit and storage Key clustering term used to represent a weakness that exists in a cryptosystem if two different keys generate the same ciphertext from the same plaintext Initialization Vector (IV) Encrypting similar messages will create patterns of ciphertext even when using different keys. Predictability is an enemy of cryptography. An IV is a random value added to the plaintext message before encrypting so that each ciphertext will be substantially different.

The recipient will also need the IV to decrypt the message Work Factor An estimate of the effort/time needed to overcome a protective measure by an attacker with specified expertise and resources. Commonly used as a way to measure the amount of resources that would be required to brute-force an algorithm or cryptosystem. A system is said to be broken when there is a way to decrease the work factor to a reasonable level. All cryptosystems will be crackable eventually. The objective is to use a system that is computationally infeasible to crack. Work factor has nothing to do with normal encryption/decryption

Kerckhoffs Principle States that the strength of a cryptosystem is based on the secrecy of the key and not on the secrecy of the algorithm. Work factor for the cryptanalyst is the effort required to determine the correct key. Key length is the primary method used to determine the strength of the cryptosystems.

Brittleness measure of how badly a system fails. A resilient system is dynamic and designed to fail only partially or degrade gracefully. In general, automated systems which only do one thing are by definition brittle. Security by Obscurity concept that a system is secure as long as no one outside the group is allowed to find out anything about its internal mechanisms. Key Algorithms Symmetric key same key used for both the encryption and decryption operation Asymmetric key pair of mathematically related keys (A and B) used separately for encryption and decryption

Certificates Certificate proves who owns a public key Digitally signed, special block of data that contains the public key and identifying information for the entity that owns the private key Issued by a Certification Authority (CA) trusted entity or 3rd party that issues and signs public key certificates, attesting to the validity of the public key. Registration Authority is the primary organization that verifies a Certificate Applicant's information and identity. Works with the CA to verify the applicant's information before issuing a certificate Hash Functions

Message integrity Computed value for a message, program, data, etc to be transmitted or stored One way function Cannot decrypt/reverse a hash Digital Signatures Message Integrity and Proof of Origin

Proves message has not been altered Proves who sent the message Created by encrypting a hash of the message with the private asymmetric key of the sender. Creates a signed hash that can only be unlocked using the public asymmetric key of the sender. Reason for signing the hash of the message instead of the message is that asymmetric algorithms tend to be very slow and computationally intensive to use. So signing the hash saves time and money. Domain Objectives Definitions

History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks

Implementations Historical Development Cryptographic techniques Manual cryptographic methods performed by hand using a variety of tools (still used on some one-time pads) Mechanical use of mechanical tools to perform encryption and

decryption (cipherdisk) Electro-mechanical use of electro-mechanical devices (Enigma machine) Electronic computer based tech used to perform complex and secure cryptographic operations (software and hardware based algorithms AES, RSA, etc.) Quantum cryptography using single photon light emissions to provide secure key negotiation Domain Objectives Definitions History

Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

Uses of Cryptography Protecting information Transit Email, VPNs, e-commerce, VOIP, etc. Storage Disk encryption System access Passwords, remote login Domain Objectives Definitions History Uses

Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations Making Secure Algorithms

Problems simple systems are not very secure Discernible if you know the language of the original message, frequency analysis can be performed Redundancies make the cryptanalyst's job easier Statistical patterns can be revealed in ciphertext if the algorithm doesn't obscure them Solutions Confusion principle of hiding patterns in the plaintext by substitution

Diffusion act of transposing the input plaintext throughout the ciphertext so that a character in the ciphertext would not line up directly in the same position in the plaintext Avalanche effect: every plaintext bit affects the entire ciphertext, so that changing one bit in the plaintext changes about half of the entire ciphertext Stream Ciphers Keystream Statistically unpredictable and unbiased Not linearly related to the key Operates on individual bits or bytes Uses of Stream Cipher and Stream-Mode

Block Ciphers Wireless Audio/video streaming SRTP (Secure Real-time Transport Protocol) Block Cipher Blocks of plaintext are encrypted into ciphertext blocks Multiple modes of operation Variable key size, block size, rounds Block Cipher Uses Data transport SSL, TLS. Both protocols can use AES and Triple

DES. IPSec based VPNs also use block ciphers to encrypt communication between endpoints Data storage even though block ciphers take more time, used because of their greater ability to frustrate cryptanalysis. TrueCrypt is an example of block cipher used to encrypt data Domain Objectives Definitions

History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations
Simple Substitution Ciphers
Substitution of one value for another
Caesar Cipher: shift the alphabet (by 3)
    A B C D E F ...    FACE
    D E F G H I ...    IDFH
Scrambled alphabet
    A B C D E F ...    FACE
    Q E Y R T M ...    MQYT
Vulnerable to frequency analysis
Simple Transposition/Permutation
Columnar: rearranging the message in a table
Plaintext: This is an example of transposition
Cipher:    tsaoni hamfst inptpi selroo ixeasn
Key: grid shape & reading direction (here five columns, read down each column)
Example: the Spartan Scytale
    T H I S I
    S A N E X
    A M P L E
    O F T R A
    N S P O S
    I T I O N

Polyalphabetic Ciphers
      A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  1   Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
  2   Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
  3   X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
  4   W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
Encrypt the plaintext FEEDBACK using a key of 3241
Try encrypting your name
Running Key Ciphers
Done by using the numerical value of letters in the plaintext and is

coded and decoded by using a copy of the text in a book as the key. Sender and recipient determine the key by agreeing on a point in the book (i.e. page number) from which to start the encryption. The key runs as long as the plaintext, and the value of each letter of the key is added to the value of each letter of the plaintext. If the total of the two letters is greater than 25, then 26 is subtracted from the result. The combined value of the letters is the value of the ciphertext letter.
One-Time Pads (OTP)
Truly random key values
Both sides have the same pad of key values
Keys are only used once
Unbreakable algorithm
Mathematically proven that it can never be broken
Steganography
The art of hiding information
Plaintext hidden/disguised
Prevents a third party from knowing that a secret message exists
Traditionally accomplished in a number of ways:
Physical techniques
Null ciphers
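The Caesar, scrambled-alphabet, columnar, polyalphabetic-table and running-key ciphers from the slides above, as an added Python example that is not part of the original deck. It reproduces the slide's own values (FACE to IDFH and MQYT, the scytale ciphertext) and treats alphabet row r of the four-row table as the plain alphabet shifted back by r positions; that reading of the table is mine, the slide does not state it.

```python
# Added example: classical ciphers from the CISSP cryptography slides.
# Not from the original deck; sample inputs are the slide's own values.
import string

ALPHA = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift every letter by a fixed amount (the slide shifts by 3: FACE -> IDFH)."""
    return "".join(ALPHA[(ALPHA.index(c) + shift) % 26] for c in text.upper())


def substitute(text: str, scrambled: str) -> str:
    """Monoalphabetic substitution: letter i of the plain alphabet maps to
    letter i of `scrambled`. The slide shows only the fragment A..F -> QEYRTM,
    which is enough to encrypt FACE."""
    table = str.maketrans(ALPHA[:len(scrambled)], scrambled)
    return text.upper().translate(table)


def columnar(text: str, width: int) -> str:
    """Columnar transposition: write the letters row by row into `width`
    columns, then read them off column by column. The key is the grid shape
    plus the reading direction, as the slide says."""
    letters = [c for c in text.upper() if c.isalpha()]
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    return "".join(row[col] for col in range(width) for row in rows if col < len(row))


def poly_table_encrypt(text: str, key: str) -> str:
    """Polyalphabetic cipher as read from the slide's table: row r (1-4) is the
    alphabet shifted back by r (row 1 starts Z A B ...). Each key digit picks
    the row for one plaintext letter; the key repeats as needed."""
    out = []
    for i, c in enumerate(text.upper()):
        row = int(key[i % len(key)])  # assumed reading of the table: row r = shift back r
        out.append(ALPHA[(ALPHA.index(c) - row) % 26])
    return "".join(out)


def _book_key(book_text: str) -> list:
    # Key letters taken from an agreed starting point in the book text.
    return [c for c in book_text.upper() if c.isalpha()]


def running_key_encrypt(text: str, book_text: str) -> str:
    """Running key: add each key letter's value to the plaintext letter's value;
    the mod 26 is the slide's 'subtract 26 if the total exceeds 25'."""
    return "".join(ALPHA[(ALPHA.index(p) + ALPHA.index(k)) % 26]
                   for p, k in zip(text.upper(), _book_key(book_text)))


def running_key_decrypt(cipher: str, book_text: str) -> str:
    return "".join(ALPHA[(ALPHA.index(c) - ALPHA.index(k)) % 26]
                   for c, k in zip(cipher.upper(), _book_key(book_text)))


if __name__ == "__main__":
    print(caesar("FACE", 3))                                       # IDFH
    print(substitute("FACE", "QEYRTM"))                            # MQYT
    print(columnar("This is an example of transposition", 5))      # TSAONIHAMFST...
    print(poly_table_encrypt("FEEDBACK", "3241"))
```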

Image-Based Steganography Original image Stegged image File size is identical (260 kb) If hashed, values would be different Watermarking/Rights Management Digital watermarking similar to physical watermarking. Either visible or invisible markings embedded within a digital

file to indicate copyright or other handling instructions, or to embed a fingerprint to detect unauthorized copying and distribution of images. Digital Rights Management/Digital Restriction Management (DRM) extends digital watermarking in order to place strict usage conditions on the display and reproduction of digital media. Domain Objectives

Definitions History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations Modes of Symmetric Block Ciphers

Block Modes Electronic Code Book (ECB) Cipher Block Chaining (CBC) Stream Modes Cipher Feed Back (CFB) Output Feed Back (OFB) Counter (CTR) Counter with CBC-MAC (CCMP) Electronic Code Book (ECB) Each block of plaintext is encrypted independently using the same key

Cipher Block Chaining (CBC) The first plaintext block is XORed with an Initialization Vector (IV). The resulting ciphertext is chained into the next plaintext block Cipher Feed Back (CFB) Similar to CBC. The IV is encrypted and then XORed with the first plaintext block Output Feed Back (OFB) Operates very much like CFB. Only the RESULT of encrypting the IV is fed back to the next operation

Counter (CTR) Similar to OFB Counter value is used instead of an IV Counter With CBC-MAC (CCMP) Provides confidentiality and authenticity Works with 128 bit block size

Mandatory in 802.11i Adds one more block for confidentiality Counter mode lacks integrity. CCMP solves that problem. DES Data Encryption Standard DES 56 bit key

16 rounds of transposition and substitution Fixed 64 bit block size Double DES (DDES) Uses two 56 bit keys Message is encrypted by one key and re-encrypted by the second Was thought to provide 112 bit cipher but was successfully attacked by the meet-in-the-middle analytic attack Triple DES (TDES) Input data is encrypted three times Strength depends on the mode of the operation picked and the number of keys being used Effective key size is 168 bit
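The ECB, CBC and CTR modes listed above, as an added Python example that is not from the deck. It runs the modes over a small Feistel block cipher that I constructed from SHA-256 so the mode behaviour can be observed without a crypto library; the toy cipher, key and IV are constructed for illustration only and are not fit for real use.

```python
# Added example: block cipher modes over a constructed toy block cipher.
# Not from the original deck. Toy cipher only; use AES from a vetted library in practice.
import hashlib

BLOCK = 8  # toy block size in bytes (AES uses 16)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, r: int) -> bytes:
    # Toy round function: 4 bytes of SHA-256 over key, round number and right half.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel network on one 8-byte block (constructed toy cipher)."""
    left, right = block[:4], block[4:]
    for r in range(4):
        left, right = right, _xor(left, _round_fn(key, right, r))
    return right + left  # final swap lets decryption reuse the same round structure


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for r in reversed(range(4)):  # same rounds in reverse order undo the encryption
        left, right = right, _xor(left, _round_fn(key, right, r))
    return right + left


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7-style: always add 1..BLOCK bytes
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted independently with the same key, so equal
    plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: the first block is XORed with the IV; each ciphertext block is
    chained (XORed) into the next plaintext block before encryption."""
    prev, out = iv, []
    for b in _blocks(_pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for b in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return _unpad(b"".join(out))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: encrypt nonce||counter to get a keystream block and XOR it with the
    data. The same call encrypts and decrypts, and no padding is needed."""
    out = []
    for i, b in enumerate(_blocks(data)):
        keystream = block_encrypt(key, nonce[:4] + i.to_bytes(4, "big"))
        out.append(_xor(b, keystream))  # zip() trims the keystream for a short last block
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks identical to an earlier one: the pattern ECB leaks."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = b"constructed-key!"                      # constructed sample key
    iv = bytes(range(8))                           # constructed IV; random in practice
    msg = b"ATTACK AT DAWN! " * 4                  # repetitive plaintext (8 data blocks)
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))      # 6
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv, msg)))  # 0
```

For the repetitive message ECB reports six duplicated ciphertext blocks while CBC reports none, which is the pattern leakage the IV discussion earlier in the domain warns about.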

AES Advanced Encryption Standard Based on Rijndael algorithm Developed by Daemen and Rijmen in 1998 Block sizes: 128, 192, and 256 Variable number of rounds Variable key size Other Block Ciphers RC5 and RC6 Blowfish Twofish CAST SAFER

Serpent RC-4 Symmetric stream cipher Arbitrary key size Many applications Strengths & Weaknesses Symmetric Ciphers Strengths Fast Difficult to crack

Algorithms and tools freely available Stream ciphers ensure highly efficient serial communications Block ciphers offer multiple modes Weaknesses A different form of key negotiation/ exchange/ distribution must be used Poor scalability

Limited security On noisy channels, error correcting is a must Asymmetric Key Cryptography Diffie-Hellman, 1976 Public key cryptography Uses a pair of mathematically related keys Private key Public key Public Key Algorithms Ensures confidentiality

Encrypting a message with the receiver's public key provides confidential transmission of the message because the only key that can open the message is the corresponding private key of the recipient Ensure proof of origin When a message is encrypted (signed) with the sender's private key, the recipient can verify the source of the message because the message can only be opened with the sender's public key Confidentiality and proof of origin Double encrypting a message with the private key of the sender and then with the public key of the receiver will provide both confidentiality and proof of origin

RSA Algorithm Rivest-Shamir-Adleman, 1977 Encryption Digital signatures Key distribution Adjustable key size PKCS#1 is the implementation of the algorithm. Currently in V2.1 How does it work?

Find 2 prime numbers and call them p and q. Multiply them and call the result n. Choose a public value less than n, relatively prime with (p-1) and (q-1), and call it e. Find d such that e*d = 1 mod (p-1)*(q-1). Make n and e PUBLIC, and keep d, p and q SECRET. To encrypt message m, ciphertext c = m^e mod n. To decrypt, m = c^d mod n. Other Algorithms

Diffie-Hellman Key Exchange Protocol Perfect Forward Secrecy (PFS) principle used in D-H that even if 2 private keys are used in negotiating a secret value (shared secret), and one of those private keys is later compromised, it will not be possible to determine either the secret key or the other private key from the compromised private key Diffie-Hellman Groups determine the length of the base prime numbers that will be used in calculating the key pairs. STS/Unified Diffie-Hellman one weakness of D-H was the man-in-the-middle attack. This led to development of the Station to Station (STS) key agreement protocol by Diffie, van Oorschot and Wiener in 1992. Menezes-Qu-Vanstone Elgamal retired

Elliptic Curve Cryptography (ECC) fewer bits. Extremely slow Knapsack Algorithms Merkle-Hellman knapsack Developed in 1978 Chor-Rivest knapsack Developed in 1984 and revised in 1988 Both schemes have been broken Asymmetric Key Cryptography Strengths

Confidentiality/privacy Access control Authentication Integrity Non-repudiation Weaknesses Computationally intensive Very slow
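The RSA steps listed on the slide above and the "sign the hash, not the message" construction from the Digital Signatures slide, as an added Python example that is not from the deck. It uses the small textbook primes 61 and 53 (constructed), and reduces the SHA-256 digest modulo n so that it fits the toy modulus; that reduction is my simplification, not part of PKCS#1, which uses padding and real key sizes instead.

```python
# Added example: textbook RSA following the slide's steps, plus signing a hash.
# Not from the original deck. Toy sizes only; real RSA uses PKCS#1 padding
# and 2048-bit or larger moduli.
import hashlib
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Slide steps: n = p*q; e relatively prime to (p-1)(q-1); d = e^-1 mod (p-1)(q-1).
    Returns the PUBLIC pair (n, e) and the SECRET exponent d."""
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be relatively prime to (p-1)(q-1)"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (p * q, e), d


def encrypt(pub, m: int) -> int:
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)  # c = m^e mod n


def decrypt(pub, d: int, c: int) -> int:
    n, _ = pub
    return pow(c, d, n)  # m = c^d mod n


def message_hash(msg: bytes, n: int) -> int:
    # Hash the whole message, then reduce modulo n so the toy modulus can
    # carry it (my simplification; real schemes pad the digest instead).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(pub, d: int, msg: bytes) -> int:
    """Signing applies the private exponent to the HASH of the message, which is
    why it is cheap compared with encrypting the whole message asymmetrically."""
    n, _ = pub
    return pow(message_hash(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    """Anyone holding the public key recovers the hash from the signature and
    compares it with a fresh hash of the received message."""
    n, e = pub
    return pow(sig, e, n) == message_hash(msg, n)


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)        # constructed textbook primes; n = 3233
    c = encrypt(pub, 65)
    print(c, decrypt(pub, d, c))           # 2790 65
    sig = sign(pub, d, b"pay 100 to Alice")
    print(verify(pub, b"pay 100 to Alice", sig), verify(pub, b"pay 900 to Alice", sig))
```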

Common Hash Functions Message Digest MD2, MD4, MD5 Secure Hash Algorithm (SHA) SHA-1 (160 bit), SHA-256, SHA-384 SHA-512 (best practice) SHA-3 HAVAL RIPEMD Tiger WHIRLPOOL

Hash Function Characteristics Condensed representation of the message One-way function Non-linear relationship Hash calculated from whole, original message Keyed Hashes (SALT) Basic hash can be intercepted and changed To solve that problem, mix a HASH algorithm with a pre-shared key Adversary would need to know the key to create a collision Implemented in IPSec for integrity checking of both ESP

(Encapsulating Security Payload) & AH (Authentication Header) Digital Signatures (Asymmetric cryptography) + (Hash of message) Only authenticity and non-repudiation (not confidentiality) Legality if the encryption is intact and the private key is held by the rightful owner, it must be accepted by all parties in the transaction. American Bar Association has developed guidelines for accepting digital signatures that have been adopted in some US states and other countries Not accepted globally for transactions and specifically not for high-dollar/high-risk situations Examples

DSA, RSA, Elgamal, Schnorr, ECC Digital Signatures Uses E-commerce Non-repudiation of origin (with private key) Integrity of message (with private key encrypted hash) Software distribution (integrity and non-repudiation) Email and secure document distribution Key Management Challenges The greatest challenge with a secure cryptographic implementation is the management of the keys. Keys must be kept secret. Yet, they

must be available when needed. Even OLD keys have to be kept to decrypt old backup files or data. Key distribution Key storage Key change Expire how long to use a key Functions of Key Management Operations Dual control require the active participation of 2 or more. No one person can misuse. Threshold schemes require more than one person to successfully complete the task

Key recovery Split knowledge 2 or more people have info about the key. Must be combined to work. Multi-party key recovery break the key into 3 or more parts and each part goes to a different person. Escrow Key held Functions of Key Management Creation Automated key generation prevents user bias and provides quick key production Truly random only true random generators are things like radioactive decay, noisy diodes, etc. Computers produce pseudo-random.
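Split knowledge and threshold schemes from the key-recovery bullets above, as an added Python example that is not from the deck. The XOR split (all parts needed) and Shamir's secret sharing (any k of n parts) are standard constructions I chose to illustrate the two ideas; the field prime and the sample key are constructed.

```python
# Added example: two ways to divide a key among custodians.
# xor_split needs ALL parts back (split knowledge); shamir_split needs any k of n
# (threshold scheme). Not from the original deck; toy code, not a vetted library.
import secrets
from functools import reduce

PRIME = 2**127 - 1  # Mersenne prime used as the field modulus; secrets must be smaller


def xor_split(secret: bytes, parts: int) -> list:
    """Split knowledge: parts-1 random shares plus one share chosen so that
    XORing ALL of them gives the secret back. Any missing share leaves nothing."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(parts - 1)]
    last = bytes(reduce(lambda a, b: a ^ b, col) for col in zip(secret, *shares))
    return shares + [last]


def xor_combine(shares: list) -> bytes:
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*shares))


def shamir_split(secret: int, k: int, n: int) -> list:
    """Threshold scheme (Shamir): pick a random polynomial of degree k-1 with
    f(0) = secret; share i is the point (i, f(i)). Any k shares recover f(0)."""
    assert 0 <= secret < PRIME and 1 < k <= n
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]


def shamir_combine(shares: list) -> int:
    """Lagrange interpolation at x = 0 over the prime field. With fewer than k
    shares the result is unrelated to the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    key = 0x0123456789ABCDEF0123456789ABCDEF     # constructed 128-bit key as an integer
    shares = shamir_split(key, 3, 5)             # 3-of-5 escrow among five custodians
    print(shamir_combine(shares[:3]) == key)     # True: any three recover it
    print(shamir_combine(shares[:2]) == key)     # False: two learn nothing useful
```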

Suitable length generators must generate enough bits for a complete key. Generating 64 bits and concatenating them does not make them 128. Key encrypting keys (KEK) keys used to encrypt other keys. Care must be taken to ensure that the data used to generate the KEK is NOT related to the keys being produced. Functions of Key Management Distribution Out of band does not guarantee secure delivery, but it increases its likelihood Public key encryption most common solution Secret key construction using D-H (or similar), exchange values online that generate a new secret key

Secret key delivery using RSA (or similar), a party encrypts the secret key with the receiving party's public key. Key distribution center think Kerberos Certificates used to distribute public keys Storage Trusted hardware hardware evaluated (typically) by FIPS 140-2 or Common Criteria Smartcard non-volatile storage Public Key Infrastructure (PKI) Binds people/entities to their public keys

Prevent Man-in-the-Middle attack Public keys are published and are certified by digital signatures Strong Cryptographic PKI Solutions Use evaluated solutions High work factor Publicly-evaluated cryptographic algorithms Training Import and export of cryptography Wassenaar Agreement is an agreement between several countries that governs the movement of cryptographic algorithms between those countries. The restrictions are usually based on key length and whether the product is commercially available

Law enforcement issues Certificates and CAs Certificates link a public key to its owner Classes of certificates Certification Authorities (CAs) Registration Authority (RA) Cross-certification Certificate Revocation Lists (CRLs) Online Certificate Status Protocol (OCSP)

X.509 Domain Objectives Definitions History Uses

Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations Cryptanalysis Art and science of breaking codes Attack vectors Key Algorithm Implementation

Data (ciphertext or plaintext) People social engineering Assumptions Brute Force Attack Trying all possible key combinations Two factors: cost and time Moore's Law Processing speed doubles every 18 months for the same price Advances in technology and computing performance will always make brute force an increasingly practical attack on keys of a fixed length

Measured in MIPS-years: 1 computer running 1,000,000 calculations per second for a year
Brute Force Attack
Bits    Number of keys    Brute Force Attack Time
56      7.2 x 10^16       20 hours
80      1.2 x 10^24       54,800 years
128     3.4 x 10^38       1.5 x 10^19 years
256     1.15 x 10^77      5.2 x 10^57 years
Data shown is as of 1998, when Deep Crack was used in the RSA DES challenge. It cost $250,000 to build. Today the same thing can be done for under $10,000. With today's tech, DES can be broken in 8.7 days or less for under $10,000.
Plaintext Attacks Known plaintext attack attacker has both the plaintext and ciphertext. Uses analysis to try to determine the key.

Chosen plaintext attack attacker has access to the crypto machine. Runs plaintext through machine to get encrypted data. Uses statistical information to try to determine key. Adaptive chosen plaintext attack attacker has encryption device for more than one message. Patterns may emerge if the attacker puts similar texts into the device Ciphertext Attacks Ciphertext only assume attacker has samples of encrypted text but not the algorithm, key or system. Most difficult attack because the attacker has the least to work with. Chosen ciphertext attack attacker has access to ciphertext and system used to generate. Attacker can run pieces of ciphertext through to obtain the

plaintext. Leads to Known Plaintext Attack or Differential or Linear Cryptanalysis attack. Adaptive chosen ciphertext attack attacker has access to the cryptosystem and can now modify and run ciphertext through the system to see what the effect of the modification is on the plaintext. Attack Against Ciphers Stream Frequency analysis knows characteristics of plaintext language IV or keystream analysis examines large numbers of generated IVs for weaknesses, statistical biases, etc. Block

Linear cryptanalysis large amounts of plaintext and associated ciphertext to find info about the key Differential cryptanalysis 2 or more similar plaintexts are encrypted using same key and compared Linear-differential cryptanalysis combo of linear and differential Algebraic attacks examines the algorithm Frequency analysis uses the statistics of the language to break a ciphertext Attacks Against Hash Functions Dictionary Attacks Based on known lists of common words Birthday attacks group of 23 people, 50% chance 2 will have same birthday. 60 people,

99% chance. Relevant because it describes the amount of effort that must be made to determine when 2 randomly-chosen values will be the same (collisions). Weak hash causes many collisions Attack the hash value Attack the initialization vector Rainbow table attacks Hash reductions Salts Social Engineering Persuasion Coercion (rubber-hose cryptanalysis)

Bribery (purchase-key attack) Other Common Attacks Meet-in-the-Middle Mathematical analysis that attacks a problem from both ends and attempts to find the solution by working toward the center of the operation from both sides. Man-in-the-Middle Attacker intercepts and modifies the data before transmitting to intended person. Poor Random Number Generation

Domain Objectives Definitions History Uses

Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations Common Secure Email Protocols

Privacy Enhanced Mail (PEM) Uses DES in Cipher-Block-Chaining (CBC) mode for confidentiality Can also use Electronic Code Book (ECB) or 3DES for key management For message integrity it uses either MD2 or MD5 hash Not compatible with Multipurpose Internet Mail Extensions (MIME) so not often used Pretty Good Privacy (PGP) Uses symmetric and asymmetric key cryptography Can use RSA, D-H, and Elgamal for asymmetric key Secure Multipurpose Internet Mail Extensions (S/MIME) De facto standard for email privacy

Internet Security Uses Remote Access VPNs E-commerce Tools IPSec SSL/TLS

Secure HTTP TLS Cryptography Domain Summary

Definitions History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations Information Security Governance and Risk Management Domain Objectives

Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics Information Security Environment Organizations must contend with complex laws, regulations, requirements, technology,

competitors and partners while pursuing their business objectives. Management must take many things into account including morale, labor relations, productivity, cost, etc. Must develop an effective security program Overarching Organizational Policy Management's Security Statement Regulations Competition

Organizational Objectives Organizational Goals Laws Shareholders' Interests Information Security Triad Security planning Budget Business requirements Security metrics Domain Objectives

Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics Roles and Responsibilities

Specific Delegate certain responsibilities for security to individuals Define acceptable and unacceptable behavior General Rules that let everyone know they are responsible for security Communicated at hiring Tell new hires the rules and consider annual review

Verified capabilities and limitations Access to resources defined by job Third-party considerations Brief vendors, temps, contract staff on security requirements Good practices Keep it simple, relevant, understandable and communicate Reinforced via training Annual security training Internal Roles Executive management set policy, allocate budget Board level

C level Information systems security professionals advise management Developers create secure code Custodians and Operations staff Custodians care of data Ops run the computers Internal Roles Security staff Data and system owners Classify

Access permissions Users Task as assigned Legal, compliance, and privacy officer Inform/implement laws/regs Internal auditors Check on procedures Physical security Is IT or traditional security responsible External Roles Vendors/suppliers Contractors/consultants

Service level agreements Temporary employees Customers External Roles Business partners Outsourced relationships Outsourced security External audit Human Resources Employee development and training Employee management

Hiring and termination of employment Hiring New Staff Background checks/security clearances Verify references and education records Signed Employment Agreements Acceptable use Non-disclosure Non-compete Ethics

Personnel Good Practices Job descriptions/defined roles and responsibilities Least privilege Need to know Separation of duties Job rotation Mandatory vacations Security Awareness, Training, and Education Awareness Training Delivery methods Topics

Job training Task based Professional education Understanding General knowledge Good Training Practices Be relevant Scope properly Address the audience

Domain Objectives Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics Documented Security Program

Focus on the mission of the organization
Organizations are different
Cost effective/risk based
Security posture scale from 1 to 10: Promiscuous (1), Permissive, Prudent, Paranoid (10)
Documented Security Program
Strategic: long term planning; decide on the job to do
Tactical:

Medium term planning Manage jobs being done Operational Day to day operations Job being done Security Program Management

Staffing Not just workers but look at management Evaluate numbers needed Reporting Make sure everyone knows who they are to report to. Understand chain of command/reporting

Security Blueprints Identify and design security requirements Infrastructure security blueprints Holistic By Scott Berinato and Sarah Scalet: Holistic security means making security part of everything and not making it its own thing. It means security isn't added to the enterprise; it's woven into the fabric of the application. Here's an example. The non-holistic thinker sees a virus threat and immediately starts spending money on virus-blocking software. The holistic security guru will set a policy around e-mail usage; subscribe to news services that warn of new threats; re-evaluate the network architecture; host best practices seminars for users; and use virus blocking software and, probably, firewalls. (www.cio.com) ISO/IEC 27000 Series = ISMS Blueprints

27000:2009 Overview and vocabulary 27001:2005 Attainable certification 27002:2005/Cor 1:2007 Code of practice 27003:2010 ISMS implementation guidance 27004:2009 Information security measurement 27005:2008 Information security risk management 27006:2007 Certification vendor process 27799:2008 Information security for health care organizations

ISO 27000 = IT Risk Management IT Security Requirements Complete Security Solutions Define security behavior of the control measure What is the problem you are trying to solve?

Provide confidence that security function is performing as expected Does it solve the problem? Does your solution Solve the problem (best) Move the problem (good)

Make it worse (bad) Single Point of Failure Identify the processes Identify risks to the plan Who has too much control Be prepared Domain Objectives

Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics Security Policy

Managements goals and objective IN WRITING Documents compliance Creates security culture Examples of Functional Policies Data classification Certification and accreditation Access control Outsourcing Remote access Internet acceptable use Privacy

Acquisition Change control Employment agreements, ethics IMPORTANT Say what to do NOT how to do it Procedures Step by step actions Required Be detailed Policy

Standard Risk Assessment Baseline Procedures Incident Management

Guideline Identity Management Software Installation Standards Common hardware and software products Policy

Standard Desktop Antivirus Baseline Firewall Be decisive. Will say something like: We [verb] We drug test We use Norton AV software

Procedures Guideline Baselines Establish consistent implementation of mechanisms Platform unique Know minimum and understand what is normal Policy Standard VPN Setup

Baseline IDS Configuration Procedures Password Rules Guideline Guidelines Recommendations for implementations, procurement

and planning Policy Standard Baseline Procedures Recommendations Guideline Best

Practices ISO Good Policy? Area IV Buddy System Policy THE AREA IV COMMANDER HAS DICTATED THAT ALL MILITARY SERVICE MEMBERS WILL USE THE BUDDY SYSTEM AT ALL TIMES, WITH THE EXCEPTION BELOW WHEN OFF A MILITARY INSTALLATION. THE BUDDY SYSTEM IS NOT REQUIRED, BUT HIGHLY RECOMMENDED FOR PERSONNEL TRAVELING DIRECTLY TO AND FROM THEIR DOMICILE. ALL PERSONNEL WILL CARRY A S.O.F.A AND AN EMERGENCY TELEPHONE NUMBER CARD AT ALL TIMES. LOCAL COMMANDERS MAY ENACT MORE STRINGENT MEASURES. BY ORDER OF THE AREA IV COMMANDER Domain Objectives Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management

Ethics Risk Management Overview Identifying and reducing total risks Choosing mitigation strategies Setting residual risk at an acceptable level Integrating risk management processes into the organization (Total risk) - (countermeasures) = (residual risk) Risk Management Purpose The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission.

Including, but not limited to its IT assets. Risk is a function of the likelihood of a given threat exercising a particular vulnerability and the resulting impact of that adverse event on the organization. Risk Management Benefits Focuses policy and resources Identifies areas with specific risk requirements Directs budget Supports Business continuity process Insurance and liability decisions Legitimizes security awareness programs

Risk Management Definitions Asset something that is of value to the organization Threat-source/agent any circumstance or event with the potential to cause harm to an IT system. Threat any potential danger to information or an information system Exposure an opportunity for a threat to cause loss, or the amount of loss suffered as a result of an attack Vulnerability flaw or weakness in system security procedure, design, implementation, etc. Likelihood probability that a potential vulnerability happens

Risk Management Definitions Attack/Exploitation action intending to cause harm Controls admin, technical or physical measures and actions taken to try to protect the system Countermeasures controls applied after the fact; reactive in nature Safeguards controls applied before the fact; proactive in nature Total Risk includes the factors of threats, vulnerabilities, and current value of the asset Residual Risk amount of risk remaining after countermeasures and safeguards are applied

Risk Assessment Steps: SP 800-30
1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation

Risk Assessment: Asset Valuation
Tangible assets (can buy/sell): hardware, software, facilities, documentation, customer lists, and intellectual property
Intangible assets: personnel, reputation/brand, and morale

Information Valuation Considerations
Exclusive possession
Utility
Cost to acquire or create
Liability
Convertibility
Operational impact
Timing

Information/Risk Valuation Methods

Modified Delphi
Facilitated sessions
Survey
Interview
Checklist

Quantitative Risk Analysis
Assign monetary values
Labor and time intensive
Difficult to achieve: a 100% quantitative analysis is impossible. Why? There are always QUALITATIVE issues.
RISK = MONEY

Quantitative Analysis Steps - Overview
1. Estimate potential losses: single loss expectancy (SLE)
2. Conduct a threat likelihood analysis: annualized rate of occurrence (ARO)
3. Calculate annual loss expectancy (ALE)

Step One: Estimate Potential Losses
Single Loss Expectancy (SLE)
SLE = AV ($) × EF (%)
AV (Asset Value): the value of the asset in dollars
EF (Exposure Factor): the percentage of the asset's value lost in a single incident

Step Two: Threat Likelihood Analysis
Annual Rate of Occurrence (ARO)
Number of exposures or incidents that can be expected in a given year
Likelihood of an unwanted event occurring

Step Three: Calculate ALE
Annual Loss Expectancy (ALE)
ALE = SLE × ARO
Magnitude of risk = ALE
Purpose: justify security countermeasures

Qualitative Risk Analysis
Scenario oriented
No $ values

Rank seriousness of threats and sensitivity of assets Perform a carefully reasoned risk assessment Hybrid Risk Analysis Quantitative Qualitative FMEA (failure modes and effects analysis) Risk assessment originally concerned with manufacturing defects

Focuses on the upstream and downstream impact of a failure Defines risk in immediate, near-term and long-term impact FTA (fault tree analysis) Analytical technique for system safety Used to consider all possible threats and then trim down to the most relevant risks Risk Management Options

Acceptance = absorb the effect of an incident
Mitigation = implement controls
Transference = insurance
Avoidance = stop the activity that creates the risk

Security Control Selection Principles
Cost/benefit analysis: don't spend more to protect an asset than it is worth
Accountability: at least one person responsible for every control; include accountability in performance reviews
Absence of design secrecy: the ability to change out the controls at some time in the future without extraordinary cost to rework, interoperability with other controls, and confidence in the design
Audit capability: controls must be testable; include auditors in design and implementation

Security Control Selection Principles
Vendor trustworthiness
Independence of control and subject
Universal application
Compartmentalization
Defense in depth
Isolation, economy, and least common mechanism

Security Control Selection Principles
Acceptance and tolerance of personnel (pushback)
Minimum human intervention
Sustainability
Reaction and recovery
Override and fail-safe defaults
Residuals and reset
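Worked example of the SLE/ARO/ALE arithmetic from the quantitative analysis steps above, carried through to the cost/benefit principle for control selection (a safeguard is worth its annual cost only if it removes more ALE than it costs). This is an added example, not code from the original presentation; the asset value, exposure factor, rate of occurrence and control costs are constructed figures, and the control names are hypothetical.

```python
"""SLE / ARO / ALE arithmetic and control cost/benefit selection.

Added example (not from the original slides). The asset values, exposure
factors, rates of occurrence and control costs are constructed figures.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair with the inputs the quantitative steps need."""
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one incident (0..1)
    aro: float              # ARO, expected incidents per year

    def sle(self) -> float:
        """Step one. Single loss expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Step three. Annual loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A safeguard, its yearly cost, and the EF/ARO left after applying it."""
    name: str
    annual_cost: float      # amortised purchase plus operating cost per year
    new_ef: float           # exposure factor after the control is in place
    new_aro: float          # annual rate of occurrence after the control


def residual(risk: Risk, control: Control) -> Risk:
    """The same asset/threat pair with the control's reduced EF and ARO."""
    return Risk(risk.name, risk.asset_value, control.new_ef, control.new_aro)


def control_value(risk: Risk, control: Control) -> float:
    """Yearly value of a safeguard:
    (ALE before control) - (ALE after control) - (annual cost of control).
    Positive means the control saves more than it costs; negative means
    you would be spending more to protect the asset than its exposure is
    worth, which the cost/benefit principle rules out."""
    return risk.ale() - residual(risk, control).ale() - control.annual_cost


def choose_control(risk: Risk, controls: Iterable[Control]) -> Optional[Control]:
    """Pick the control with the highest positive value, or None when every
    candidate costs more than it saves (accept the risk instead)."""
    best = max(controls, key=lambda c: control_value(risk, c), default=None)
    if best is None or control_value(risk, best) <= 0:
        return None
    return best


# Constructed scenario: a file server worth 250,000 facing ransomware that
# destroys 40% of its value per incident, expected once every two years.
FILE_SERVER = Risk("file server / ransomware", asset_value=250_000,
                   exposure_factor=0.40, aro=0.5)

CONTROLS = [
    # Offline backups: the incident still happens, but only 10% of value is lost.
    Control("offline backups", annual_cost=8_000, new_ef=0.10, new_aro=0.5),
    # Endpoint detection: loss per incident unchanged, incidents five times rarer.
    Control("endpoint detection", annual_cost=15_000, new_ef=0.40, new_aro=0.1),
    # Gold-plated rebuild: removes the risk entirely but costs more than the ALE.
    Control("air-gapped rebuild", annual_cost=60_000, new_ef=0.0, new_aro=0.0),
]


def summary(risk: Risk = FILE_SERVER, controls=CONTROLS) -> dict:
    """ALE before any control, the value of each control, and the choice."""
    chosen = choose_control(risk, controls)
    return {
        "sle": risk.sle(),
        "ale": risk.ale(),
        "values": {c.name: control_value(risk, c) for c in controls},
        "recommended": chosen.name if chosen else "accept the risk",
    }


if __name__ == "__main__":
    for key, val in summary().items():
        print(f"{key}: {val}")
```

For the constructed figures the SLE is 100,000 and the ALE 50,000 per year; offline backups are worth 29,500 a year net of cost, endpoint detection 25,000, and the air-gapped rebuild costs 10,000 more than it saves, so the last option fails the cost/benefit test even though it eliminates the risk.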

Risk Evaluation and Assurance
Cyclical nature of risk
U.S. and EU regulatory bodies have mandated risk management as a business process.
Frequency for reevaluation is based upon the speed of change in each industry or organization: ongoing review and periodic review.
Liability: management has the responsibility to remain informed about risk management activities and to make the final decisions. If they fail to do so, they are potentially in violation of regulatory or industry standards. This is one of the reasons why internal auditors should report directly to senior executives rather than through the normal chain of command.

Domain Objectives Business Drivers Governance Roles and Responsibilities Security Planning Security Administration

Risk Management Ethics Ethical Environments Ethics are difficult to define Do No Harm Begins with senior management Guidelines for Establishment of Ethics

Corporate ethics to include ethical use of computers In functional policies (privacy, email, acceptable use, etc) Active monitoring of network activities combined with responsible investigation of incidents and enforcement Handbooks and guides Training Reviews Ethical Responsibility Global responsibility

National Organizational Personal Ethical Responsibility of all CISSPs Set the example Encourage adoption of ethical guidelines and standards Inform users about ethical responsibilities through security awareness training Basis and Origin of Ethics

Religion Law National interest Individual rights Common good/interest

Enlightened self-interest Professional ethics/practices Standards of good practice Tradition/culture Formal Ethical Theories Teleology (Star Trek needs of the many) Ethics in terms of goals, purposes, or ends Deontology (duty of most powerful to protect least powerful) Ethical behavior is a duty Informed consent notified and agree Relevant Professional Codes of Ethics

(ISC)²
RFC 1087 (Internet Architecture Board)

(ISC)² Code of Ethics Preamble
Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this code is a condition of certification.

(ISC)² Code of Ethics Canons
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
In that order.

Internet Architecture Board (IAB)
Any activity is unethical and unacceptable that purposely:
Seeks to gain unauthorized access to Internet resources
Disrupts the intended use of the Internet
Wastes resources (people, capacity, computer) through such actions
Destroys the integrity of computer-based information
Compromises the privacy of users
Involves negligence in the conduct of Internet-wide experiments

RFC 1087
Access and use of the Internet is a PRIVILEGE and should be treated as such by all users.
RFC 1087 refers to negligence in the conduct of Internet-wide experiments as "irresponsible and unacceptable", but does not specifically label such conduct unethical.
Internet Engineering Task Force (IETF): http://www.ietf.org/

Information Security Governance and Risk Management Domain Summary

Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics Legal, Regulations, Investigations, and Compliance Domain Objectives

Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance International Legal Systems

Common law Criminal law Civil law Administrative law Religious law

Customary law
Mixed law
Maritime law

Jurisdiction
Law, economics, beliefs and politics
Law enforcement agencies will work together, even across borders, but sometimes countries don't agree.
Sovereignty of nations
Laws aren't always the same from country to country. Nations are making an effort to harmonize their laws in order to promote uniform enforcement and cooperation where possible.

Computer Crimes vs. Traditional Crimes
Traditional crime: violent, property, public order
Computer crime

Real property Virtual property Computer Crime Crime against a computer Crimes using a computer Electronic equipment as source of evidence Reasons for Criminal Behavior Ego Financial gain

Revenge Advanced Persistent Threat (APT) Source group with capabilities and intent to persistently and effectively target a specific entity Attack vector infected media, supply chain compromise, social engineering, etc. Advanced have full spectrum of intelligence gathering techniques at their disposal Persistent priority to a specific task. Implies that they are guided

by external entities. Threat capability and intent. Coordinated human action instead of automation, specific objective. Skilled, motivated, organized and well funded International Cooperation Initiatives related to international cooperation in dealing with computer crime The Council of Europe (CoE) Cybercrime Convention Example of multilateral attempt to draft an international response to

criminal behaviors targeted at technology and the Internet. Intellectual Property Protection Organizations must protect intellectual property Theft Loss Corporate espionage

Improper duplication Intellectual property must have value Organization must demonstrate actions to protect IP Intellectual Property: Trademark Purpose of a trademark Characteristics of a trademark

Word Name Symbol Color Sound Product shape Intellectual Property: Copyright Covers the expression of ideas

Writings Recordings Computer programs Etc. Weaker than patent protection Intellectual Property: Trade Secrets

Must be confidential Protection of trade secret Intellectual Property: Software Licensing Categories of software licensing: Freeware

Shareware
Commercial
Academic
Master agreements and end user licensing agreements (EULAs)

Encryption Import and Export Law
Strong encryption restrictions
Previously anything over 40 bits was considered strong encryption
U.S. companies can now export any encryption software to individuals, commercial firms or other non-government end users in any country, with no exports to enemy states (Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria)
Many countries require the importer of equipment containing strong cryptography to provide the government or law enforcement with a copy of their private keys.
Controls on dual-use goods
Cryptography has long been considered a munition or weapon of war. It can be used for commercial or military purposes, and is therefore considered dual-use and controlled as a military weapon.
Wassenaar Arrangement
39 countries are parties to the agreement, which specifies all controlled dual-use goods, including encryption products and products that use encryption

Domain Objectives Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance Liability Legal responsibility Know responsibilities to employees, customers, etc.

Penalties: can range from compensation to criminal penalties for violation of law
Negligence and liability: an important factor in determining liability; determined by courts or other quasi-legal bodies

Protection of Assets
Legal obligation
Prudent person rule: must demonstrate practice of due care
Negligence: acting without care
Due care
Due Diligence = Action
Due Care = Policy, Regulation or Best Practice
Negligence = Gap

Privacy Laws and Regulations
Rights and obligations of:
Individuals: identity theft
Organizations: collection, sharing, storage, processing of personal information

Actual laws depend on jurisdiction

International Privacy
Organization for Economic Co-operation and Development (OECD)
Group of 30 member countries
Eight core principles:
1. Limits to collection of personal data, which should be obtained legally
2. Personal data should be relevant to its use
3. The purpose for gathering personal data should be specified no later than the time the data is collected
4. Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified above
5. Personal data should be protected by reasonable security
6. General policy of openness about developments, practices and policies with respect to personal data
7. Individuals should have the right to find out if a data controller has data about them, to communicate with the data controller about data relating to them, and to be able to challenge the data and, if successful, have it erased, rectified, completed or amended
8. The data controller should be accountable for complying with these measures

Personally Identifiable Information (PII)
Identify or locate an individual
Controls on collection and use

Many countries have laws governing this Global effect Laws are different in each country. What laws govern? Employee Privacy Employee monitoring

Authorized usage policies Training Transborder Data Flow Political boundaries Privacy

Investigations Jurisdiction Privacy Law Examples Health Insurance Portability and Accountability Act (HIPAA) Personal Information Protection and Electronic Documents Act (PIPEDA)

European Union Data Protection Directive Domain Objectives Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance Incident Management Incident event that causes harm

Incident management cycle (figure): Prepare, Protect (the infrastructure), Detect, Respond, Sustain, Improve

Incident Response: Overview
Response capability

Policy and guidelines Response Incident response phases

Triage Containment Investigation Analysis and treatment Recovery Debriefing Metrics Public disclosure

Incident Response: Objectives Incident response in its simplest form is the practice of: Detecting a problem Determining its cause Minimizing the damage it causes Resolving the problem

Documenting each step of the response for future reference Effectively and appropriately communicating issues Response Capability The foundation for incident response (IR) is comprised of: Policy

Authority Procedures Approved Management of evidence Incident Response External Parties Escalation process Employees should be trained and have approved procedures that include when an incident or crime must be reported to higher management, outside agencies or law enforcement

Interaction with third-party entities Complex issues involving: Jurisdiction (who has control) Status of crime (already committed, in progress, or planned) Nature of the evidence (circumstantial, conclusive) Nature of the crime (in many jurisdictions, some crimes MUST be reported) Incident Response and Handling Phases Triage

Investigation Containment Analysis and tracking Triage Detection False positives Classification

Internal versus external One system or many What is the root cause versus the symptoms Notification Priorities and escalation

Senior management or other departments Business partners Law enforcement Note: Prioritization is one of the most important aspects Investigation Phase Objectives Desired outcomes of this phase are:

Reduce the impact Identify the cause Get back up and running in the shortest possible time Prevent the incident from re-occurring Investigation Considerations The investigative phase must consider: Adherence to company policy

Confidentiality Applicable laws and regulations Proper evidence management and handling Investigation Process Identify suspects Identify witnesses Identify system Identify team Search warrants Investigation Techniques Ownership and possession analysis

Means, opportunity, and motive (MOM) Behavior of Computer Criminals Computer criminals have specific MOs Hacking software/tools Types of systems or networks attacked, etc. Signature behaviors Profiling Interviewing vs Interrogation Open-ended Questioning General gathering Cooperation

Seek truth Closed-ended Questioning Specific aim Hostile Dangerous Should only be done by TRAINED professionals Investigation Phase Components Components of this phase:

Analysis Interpretation Reaction recovery Containment Reduce the potential impact of the incident Systems, devices, or networks that can become infected The containment strategy depends on:

Category of the attack Asset(s) affected Criticality of the data or system Analysis and Tracking Goals Obtain sufficient information to stop the current incident Prevent future like incidents from occurring Identify what or who is responsible Analysis and Tracking Logs Dynamic nature of the logs Feeds into the tracking process Working relationship with other entities

Reporting and Documentation Law Court proceedings Policy Regulations Recovery Phase Goal To get back up and running The business (worst case) Affected systems (best case) Protect evidence

Recovery and Repair Recovery into production of affected systems Ensure system can withstand another attack Test for vulnerabilities and weaknesses Closure of the Incident and Feedback Incident response is an iterative process Improve processes and controls Closure of the incident Feedback from all participants Communication about the Incident

Public disclosure Authorized personnel only Domain Objectives Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance Computer Forensics: Evidence

Potential evidence Digital Forensic Science Research Workshop (DFRWS) defines digital forensic science as The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized action shown to be disruptive to planned operations. Evidence and legal systems

Computer forensics is generally applied according to the standards of evidence admissible in a court of law Computer Forensics: Evidence Identification of evidence Collecting of evidence Use appropriate collection techniques Reduce contamination Protect the scene Maintain the chain of custody and authentication Collection of Digital Evidence

Volatile and fragile Short lifespan Collect quickly By order of volatility Document, document, document Chain of Custody for Evidence Who What When Where How
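Added example (not from the original presentation) of the acquisition procedure described here and on the next slide: image the media bit for bit through a write blocker, record cryptographic checksums, verify the image against them, and keep a who/what/when/where/how chain-of-custody log. The source media is a constructed byte string; the WriteBlocked wrapper is a software stand-in for the hardware write blocker (assumed for the example, not a substitute for one); the examiner name and location are invented.

```python
"""Bit-for-bit imaging with checksum verification and a chain-of-custody log.

Added example, not from the original slides. The "source drive" is a
constructed byte string behind a read-only wrapper that stands in for the
hardware write blocker; a real acquisition reads the block device through
an actual write blocker, and this wrapper is no substitute for one.
"""
import hashlib
import io
from datetime import datetime, timezone


class WriteBlocked:
    """Read-only view of the source media (software analogue of a write
    blocker, assumed for the example): any write attempt is refused."""

    def __init__(self, data: bytes):
        self._buf = io.BytesIO(data)

    def read(self, size: int = -1) -> bytes:
        return self._buf.read(size)

    def write(self, *_):
        raise PermissionError("source media is write-blocked")


def image_media(source, block_size: int = 4096):
    """Copy every byte of `source` into an image, hashing the stream as it is
    read so the checksum covers exactly the bytes that were copied, in order,
    with the source touched only once. Returns (image_bytes, digests)."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()  # two algorithms, as many labs record
    image = io.BytesIO()
    while True:
        block = source.read(block_size)
        if not block:
            break
        sha256.update(block)
        md5.update(block)
        image.write(block)
    return image.getvalue(), {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def verify_image(image: bytes, digests: dict) -> bool:
    """Re-hash the image and compare with the digests recorded at acquisition.
    A mismatch means the copy, its storage, or the recorded hash is suspect."""
    return (hashlib.sha256(image).hexdigest() == digests["sha256"]
            and hashlib.md5(image).hexdigest() == digests["md5"])


class ChainOfCustody:
    """Append-only record of who / what / when / where / how for each handling
    of an item. Each entry carries the hash of the previous entry, so a later
    edit to, or removal of, any entry shows up in intact()."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(repr(sorted(body.items())).encode()).hexdigest()

    def record(self, who, what, where, how, item_sha256, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"who": who, "what": what, "when": when, "where": where,
                 "how": how, "item_sha256": item_sha256, "prev": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def intact(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


# Constructed "drive": a fake boot-sector header plus filler, about 10 KiB.
SOURCE_MEDIA = b"\xeb\x3c\x90MSDOS5.0" + bytes(range(256)) * 40 + b"\x55\xaa"


def acquire(media: bytes = SOURCE_MEDIA, examiner="K. Burns", where="evidence lab"):
    """Receive media, image it through the write blocker, verify, and log the
    acquisition and the sealing of the source drive. Returns (image, digests, log)."""
    log = ChainOfCustody()
    log.record(examiner, "received source drive", where, "hand delivery, sealed bag",
               item_sha256="n/a (not yet hashed)")
    image, digests = image_media(WriteBlocked(media))
    if not verify_image(image, digests):
        raise RuntimeError("image does not match acquisition hashes")
    log.record(examiner, "bit-for-bit image + SHA-256/MD5", where,
               "write-blocked read, hashed in stream", item_sha256=digests["sha256"])
    log.record(examiner, "source drive sealed and stored", where + " safe",
               "tamper-evident bag", item_sha256=digests["sha256"])
    return image, digests, log


if __name__ == "__main__":
    img, dg, coc = acquire()
    print(len(img), "bytes imaged; sha256", dg["sha256"])
    print("chain of custody intact:", coc.intact())
```

Hashing in the same pass that produces the image is what lets you later say the checksum describes the image as acquired; flipping a single byte of the image makes verify_image() fail, and altering any field of an earlier custody entry makes intact() fail because the following entry's stored previous-hash no longer matches.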

Forensic Evidence Procedure
Receive media
Disk write blocker
Bit-for-bit image
Cryptographic checksum
Store the source drive

Evidence: Hearsay
Hearsay: second-hand evidence

Normally not admissible Business records exception Computer-generated information Process of creation description Can you cross examine it? Evidence Analysis and Reporting Scientific methods for analysis

Characteristics of the evidence Comparison of evidence Event reconstruction Presentation of findings Interpretation and analysis

Format appropriate for the intended audience Computer Forensics Key components Computer forensics is not a piece of software or hardware. It is a set of procedures and protocols. Methodical, Repeatable, Defensible, Auditable Crime scenes Digital evidence Non-criminal cases

Divorce, breach of contract, dissolution of corporation or partnership, embezzlement, personal injury, etc. Forensic Evidence Analysis Procedure Recent activity Keyword search Slack space Documented Media Analysis

Recognizing operating system artifacts Types of files created as the system runs Where they should be What their contents are likely to be File system Timeline analysis

Modified, Accessed, Created (MAC times)
Searching data

Software Analysis
What it does
What files it creates
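Added example, not from the original presentation, of the timeline analysis step above: flatten each file's modified/accessed/created times into one sorted body, window it around the time of interest, group bursts of activity, and flag files whose modified time precedes their created time. The file records, paths and timestamps are constructed for the example.

```python
"""MAC-time timeline analysis over file system metadata.

Added example, not from the original slides. The records below are
constructed to resemble metadata listed out of a disk image; paths and
timestamps are invented.
"""
from datetime import datetime, timezone


def ts(s: str) -> datetime:
    """Parse the constructed ISO timestamps as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed records: a user's documents plus a dropped executable.
RECORDS = [
    {"path": "/Users/kb/Documents/q3-forecast.xlsx",
     "modified": "2012-03-01T09:12:00", "accessed": "2012-03-08T14:02:11",
     "created": "2011-11-20T10:00:00"},
    {"path": "/Users/kb/AppData/Local/Temp/svchost.exe",
     "modified": "2008-04-14T12:00:00", "accessed": "2012-03-08T13:58:40",
     "created": "2012-03-08T13:58:40"},
    {"path": "/Users/kb/AppData/Local/Temp/~setup.log",
     "modified": "2012-03-08T13:58:45", "accessed": "2012-03-08T13:58:45",
     "created": "2012-03-08T13:58:41"},
    {"path": "/Users/kb/Documents/notes.txt",
     "modified": "2012-03-08T13:59:10", "accessed": "2012-03-08T13:59:10",
     "created": "2012-03-08T13:59:10"},
]

KINDS = (("M", "modified"), ("A", "accessed"), ("C", "created"))


def build_timeline(records):
    """One event per timestamp per file, sorted by time: the body an examiner
    reads top to bottom. Returns (datetime, 'M'|'A'|'C', path) tuples."""
    return sorted((ts(r[key]), kind, r["path"]) for r in records for kind, key in KINDS)


def window(timeline, start: str, end: str):
    """Events inside an interval of interest (e.g. around the alert time)."""
    lo, hi = ts(start), ts(end)
    return [ev for ev in timeline if lo <= ev[0] <= hi]


def flag_backdated(records):
    """Files whose modified time precedes their created time. On NTFS a file
    copied onto the volume looks like this (the modified time travels with the
    file, created is set on arrival), and so does a timestomped file; either
    way the examiner wants to know where it came from."""
    return [r["path"] for r in records if ts(r["modified"]) < ts(r["created"])]


def burst(timeline, seconds: int = 60):
    """Paths touched within `seconds` of one another, grouped. A cluster of
    creations in a temp directory is the typical footprint of a dropper."""
    groups, current = [], []
    for ev in timeline:
        if current and (ev[0] - current[-1][0]).total_seconds() > seconds:
            groups.append(current)
            current = []
        current.append(ev)
    if current:
        groups.append(current)
    return [sorted({ev[2] for ev in g}) for g in groups if len(g) > 1]


if __name__ == "__main__":
    for when, kind, path in build_timeline(RECORDS):
        print(when.isoformat(), kind, path)
    print("backdated:", flag_backdated(RECORDS))
    print("bursts:", burst(build_timeline(RECORDS)))
```

In the constructed data the executable in Temp carries a 2008 modified time but was created on the volume seconds before a setup log and a document edit, so it shows up both as backdated and as the start of the one burst of activity; the spreadsheet accessed three minutes later falls outside the window.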

Network Analysis Data on the wire Ports Traffic hiding Domain Objectives

Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance Compliance Knowing legislation Following legislation Regulatory Environment Examples Sarbanes-Oxley (SOX)

Meant to enhance corporate governance through measures that will strengthen internal checks and balances and, ultimately, strengthen corporate accountability. Gramm-Leach-Bliley (GLB) Protects the privacy of consumer information held by financial institutions Basel II

Regulatory harmony in the international banking community Compliance Roles and Responsibilities Information owner Local manager Auditor Individual Audit Report Format Introduction

Background Audit perspective

Scope & objectives What was done Executive summary Internal audit opinion Detailed report including auditee responses Appendix Exhibits Legal, Regulations, Investigations, and Compliance Domain Summary

Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance Operations Security Domain Objectives

Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety Control Over Privileged Entities Review of access rights Supervision

Monitoring/audit Operator Privileges Initial program load (IPL) Monitor system execution Control job flow Mount I/O volumes Bypass label processing (BLP) Renaming/relabeling resources Reassigning ports/lines Administrators Systems administrators

Network administrators Database administrators Administrator Privileges Summary Control network operations Server startup and shutdown Reset system configurations

Backups System maintenance Customer service Network administrator duties Backup Types File image System image Data mirroring Electronic vaulting Remote journaling Database shadowing

Redundant servers Standby services Software and Data Backup Operations controls must ensure adequate backups of: Data

Operating systems
Applications
Transactions
Configurations
Reports

Backup Integrity
Backup storage locations
Backups must be tested
Alternate site recovery plan
Site specific software

RAID: Redundant Array of Independent Disks
Hardware based
Software based
Hot spare
Global hot spare (available to all disks in the array)
Dedicated hot spare (assigned to an individual disk in the array)

RAID Level 0
Striping
Two or more disks
No redundancy
Performance only
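Added example, not from the original presentation, of the striping and parity arithmetic behind the RAID levels on these slides: RAID 0 striping as above, and the XOR parity of RAID 3/4/5 described next, including rebuilding a lost disk from the survivors. The 4-byte block size and the payload string are chosen for the example; a controller does the same XOR over much larger stripes on block devices.

```python
"""Striping (RAID 0) and rotating parity with rebuild (RAID 5).

Added example, not from the original slides. It works on a short byte string
cut into 4-byte blocks so the arithmetic can be followed by hand.
"""

BLOCK = 4  # bytes per block (chosen for the example; real stripes are larger)


def xor_blocks(*blocks: bytes) -> bytes:
    """Bitwise XOR of equal-length blocks: the parity of RAID 3/4/5."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def stripes(data: bytes, n_data: int, block: int = BLOCK):
    """Pad to whole stripes and return a list of stripes, each n_data blocks."""
    stripe_len = n_data * block
    data += b"\x00" * ((-len(data)) % stripe_len)
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    return [blocks[i:i + n_data] for i in range(0, len(blocks), n_data)]


def raid0_write(data: bytes, n_disks: int):
    """RAID 0: blocks dealt round-robin across the disks, no parity, so any
    single disk failure loses a share of every stripe."""
    disks = [[] for _ in range(n_disks)]
    for stripe in stripes(data, n_disks):
        for d, blk in enumerate(stripe):
            disks[d].append(blk)
    return disks


def parity_disk(stripe_no: int, n_disks: int) -> int:
    """Which disk holds parity for a stripe. Rotates like the RAID 5 diagram
    on the slide: stripe 1 on the last disk, stripe 2 on the first, and so on.
    (RAID 3/4 would return the same dedicated disk every time.)"""
    return (n_disks - 1 + stripe_no) % n_disks


def raid5_write(data: bytes, n_disks: int):
    """RAID 5: n-1 data blocks and one parity block per stripe, with the
    parity position rotating so no single disk becomes the parity bottleneck."""
    disks = [[] for _ in range(n_disks)]
    for s, stripe in enumerate(stripes(data, n_disks - 1)):
        parity = xor_blocks(*stripe)
        data_iter = iter(stripe)
        p = parity_disk(s, n_disks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(data_iter))
    return disks


def raid5_read(disks) -> bytes:
    """Concatenate the data blocks, skipping each stripe's parity block."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk(s, n)
        for d in range(n):
            if d != p:
                out += disks[d][s]
    return bytes(out)


def raid5_rebuild(disks, failed: int):
    """Recreate the failed disk from the survivors: in every stripe the
    missing block, data or parity alike, is the XOR of the other blocks.
    A second failure before this completes is unrecoverable (RAID 6 adds an
    independent second parity for that case)."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    if any(d is None for d in survivors):
        raise ValueError("RAID 5 cannot rebuild with two disks missing")
    return [xor_blocks(*[d[s] for d in survivors]) for s in range(len(survivors[0]))]


# Constructed payload for the demonstration.
DATA = b"CISSP Operations Security domain: RAID"


def demo(n_disks: int = 3):
    """Write, lose disk 1, rebuild it, and read back. Returns the recovered data."""
    disks = raid5_write(DATA, n_disks)
    lost = disks[1]
    disks[1] = None                    # simulate the failure
    disks[1] = raid5_rebuild(disks, 1)
    assert disks[1] == lost
    return raid5_read(disks).rstrip(b"\x00")


if __name__ == "__main__":
    print(demo())
```

Because XOR is its own inverse, the same one-line rebuild works whichever disk fails and whether the lost block in a given stripe was data or parity; that symmetry, not a dedicated parity disk, is what makes RAID 5 survive a single failure with only one disk of overhead.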

RAID Level 1
Exact copy (mirror)
Two or more disks
Fault tolerant
200% cost

RAID Level 2
Striping of data with error correcting codes (ECC)
Requires more disks than RAID 3/4/5
Not used

RAID Level 3/4
Byte-level (RAID 3) / block-level (RAID 4) stripes
One drive for parity; all other drives are for data

    Disk A      Disk B      Parity
    Stripe 1A   Stripe 1B   P(1A, 1B)
    Stripe 2A   Stripe 2B   P(2A, 2B)
    Stripe 3A   Stripe 3B   P(3A, 3B)
    Stripe 4A   Stripe 4B   P(4A, 4B)

RAID Level 5
Block-level stripes

Data and parity interleaved amongst all drives
The most popular RAID implementation

    Disk A      Disk B      Disk C
    Stripe 1A   Stripe 1B   P(1A, 1B)
    P(2B, 2C)   Stripe 2B   Stripe 2C
    Stripe 3A   P(3A, 3C)   Stripe 3C
    Stripe 4A   Stripe 4B   P(4A, 4B)

RAID Level 6
Block-level stripes

All drives used for data AND parity
Two parity types
Higher costs
More fault tolerant than RAID implementations 2 - 5

RAID Level 0+1
Mirroring and striping
Higher cost
Higher speed
Layout: a RAID 1 mirror of two RAID 0 stripe sets

    RAID 0+1 = RAID 1 (mirror) of:
      RAID 0 set 1:  disk 1: A1 A3 A5 A7   disk 2: A2 A4 A6 A8
      RAID 0 set 2:  disk 3: A1 A3 A5 A7   disk 4: A2 A4 A6 A8

RAID Level 10
Mirroring and striping
Higher cost
Higher speed
Layout: a RAID 0 stripe across two RAID 1 mirrors

    RAID 10 = RAID 0 (stripe) across:
      RAID 1 mirror 1:  disk 1: A1 A3 A5 A7   disk 2: A1 A3 A5 A7
      RAID 1 mirror 2:  disk 3: A2 A4 A6 A8   disk 4: A2 A4 A6 A8

Configuration Management Elements
Hardware inventory

Hardware configuration chart Software licensing management Firmware Documentation requirements Testing Hardware Inventory Up-to-date listing of all equipment Location Owner Serial and model numbers Change Control Management

Policy Business and technology balance Defines a process for authorized change Process of changes Ownership of changes Changes are reviewed for impact on security Patch Management Knowledge of patches Know when patches for all software you own are released by the vendor

Testing: test all patches, and new software, in a test environment prior to going live. Deployment: can be challenging; should be automated to ensure no machine is missed. Zero-day challenges: the window of vulnerability between the time a patch is released and the time you are able to apply it. Software Issues Pirating software

Version control Job Documentation Scheduling Dependencies Error codes Inputs and outputs Backout procedures Security Administrator Roles Policy Development

Implementation Maintenance and compliance Vulnerability assessments Incident response Security Administrator Responsibilities User-oriented activity management Information classification implementation Audit log monitoring and review Security tool oversight and management Domain Objectives

Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety Misuse Prevention

Threats Countermeasures Personal Use Acceptable use policy, workstation controls, web content filtering, and email filtering Theft of Media Appropriate media controls

Fraud Balancing of input/output reports, separation of duties, and verification of information Sniffers Encryption and policy Domain Objectives Operator and Administrator Security Monitoring of Special Privileges

Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety System Recovery Trusted Recovery Correct implementation according to Policy Failures dont compromise a systems secure operation Trusted path

Types of Trusted Recovery System Reboot shutting down computer in a normal fashion after a failure Emergency System Restart done when a system fails in an uncontrolled manner. Media may be in an inconsistent state. System enters maintenance mode, automatically performs recovery, and system restarts with no user processes in progress. System Cold Start system fails and cannot restart without human intervention

Control Failure Modes Fail secure (fail closed) Fail soft (fail open) Fail safe (fails in a way that will cause no or minimal harm) Fault Tolerance Hardware failure is planned for System recognizes a failure Automatic corrective action Standby systems Cold configured, not on, lost connections Warm on, some lost data or transactions (TRX)

Hot ready, failover Domain Objectives Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

Facility Support Systems Fire protection HVAC Electrical power goals UPS Water Communications Alarm system Domain Objectives

Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety Media Management Practices Sensitive Media Controls

Marking Labeling Handling Storing Declassifying Media Management

Tapes Storage Encryption Retrieval Disposal Object Reuse Securely reassigned Disclosure Contamination Recoverability Clearing of Magnetic Media

Overwriting Degaussing Data remanence Physical destruction Records Management Considerations for records management program development Business need Guidelines for developing a records management program Records retention Declassification

Legal requirements Privacy Absent law or regulation to the contrary, a business can set any retention policy it wishes Protection of Operational Files Library maintenance protect production programs and applications as well as data Backups Source code Object code Configuration files

Librarian - sole person with write access to the main system files, backups and application libraries. Should never be filled by a developer or person initiating the change request Domain Objectives Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery

Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety Personnel Privacy and Safety Mobile Computing Components Devices Limitations (e.g. privacy, safety, etc.) Mobile device management

Personnel Privacy and Safety Social Networks Social networks Connection services Social dynamics Storage of data Potential dangers Operations Security Domain Summary Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources

System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety Physical (Environmental) Security Domain Objectives Physical Security Threats and Controls Perimeter Security Building and Inside Security Secure Operational Areas

Goals of Physical Security Deter would be intruders Delay long enough to detect and respond before damage occurs Detect in a timely manner Assess method of attack Respond appropriately without overreacting Recovery to normal operating status The Primary Goal Remember that life, health, and

safety are always the first priorities in physical security! Threats to Physical Security Natural/environmental History of natural disasters in the area Utilities Communications outages, power outages, etc. Circumstantial Fire or break-in at a neighboring building, strike at a critical point in supply chain, etc.

Human-made/political events Explosions, vandalism, theft, terrorist attacks, strikes, activism, riots, etc. Threat Sources External activists Staff Intelligence agents/foreign governments Petty criminals Threat Sources and Controls Threat Theft

Espionage Dumpster diving Social engineering Shoulder surfing HVAC access Controls Locks Background checks Disposal procedures Awareness Screen filters Motion sensors in ventilation

ducts Facility Vulnerabilities Location Layout and design Age and condition Location Security Considerations Emergency services Fire Security Visibility

Controlled access public transit Countermeasures and Controls Environmental controls may be: Physical Administrative/managerial Technical Layered defense/defense in depth Crime Prevention Through Environmental Design (CPTED)

Principle of deterring crime through managing the potential crime scene Territoriality Restricted access Surveillance Monitoring Access control Entrances Maintenance

Domain Objectives Physical Security Threats and Controls Perimeter Security Building and Inside Security Secure Operational Areas Perimeter and Building Boundary Protection First line of defense Protective barriers Natural structural

Fences
May be restricted by local regulations
Inspections
Parking should not be allowed near fences
1 meter / 3-4 feet: will deter casual trespassers
2 meters / 6-7 feet: too high to climb easily
2.5 meters / 8 feet: will delay the determined intruder
A top guard adds 2-3 feet; it can be defeated by a blanket, mattress, towel, etc.

Controlled Access Points
Gates are the minimum necessary layer

Bollards Permanent or retractable post used to deter vehicle-based attacks Perimeter Intrusion Detection Systems Detect unauthorized access into an area Electronic eyes Note that some perimeter IDS can function inside the perimeter as well Physical IDS

Photoelectric Ultrasonic Microwave Passive IR Pressure sensitive Sounds/vibration

Electrical circuits Motion sensors Closed Circuit Television (CCTV) CCTV capability requirements Detection Recognition Identification Mixing capabilities Adding IR/thermal Virtual CCTV systems

Fake systems CCTV Concerns Total surveillance requirements Operating parameters (correct lens, angle?) Size depth, height, and width Pan, tilt, and zoom Lighting Contrast CCTV Protection and Image Retention Storage of images

Maintenance Privacy Guards and Guard Stations Guards Deterrent Possible liability Contractors Guard stations Domain Objectives Physical Security Threats and Controls

Perimeter Security Building and Inside Security Secure Operational Areas Building Entry Points Doors Windows Loading ramps Elevator shafts Ventilation ducts Crawlspaces Sewage or steam lines

Doors Isolation of critical areas Lighting of doorways Contact devices Guidelines

Solid core Hinges fixed to frame with minimum of 3 hinges per door Lighting Should not open out except as required by building codes Locks should be daytime (push button) and 24 hour (deadbolt) Door frame should be permanently fixed to the adjoining wall studs Have same fire-resistance rating as adjacent walls Etc. Access and Visitor Logs Identification/sign in and out

Temporary badges Vehicles Escort Turnstiles and Mantraps Tailgating/piggybacking Types of Locks Something you have keyed Something you know combinations Something you are biometric Keyed Locks

Lock components Body Strike Strike plate Key Cylinder

Lock Controls Lock and key control system Key control procedures Who has access to keys Keys issued Key inventory Default settings changed

Change combinations Fail Soft (unlocked) Secure (locked) Safe (allow exit but not entry) Electronic Physical Controls Card access Biometric access methods Windows and Glass Standard plate glass Tempered glass

5-7 times more break-resistant than plate glass and breaks into small, less dangerous fragments Acrylic materials Stronger than plate glass, but burn and produce toxic fumes, scratch easily and yellow over time Polycarbonate windows Resistant to abrasion, chemicals and fire, and even anti-ballistic Very expensive Glass and Window Protection Laminate

Solar film Bomb blast film/curtains Wired glass Intrusion detection/glass breakage sensors Internal Intrusion Detection Systems Closed circuit television Sensors and monitors Types of Lighting Continuous lighting Trip lighting Standby/backup lighting

Emergency exit/egress lighting Infrared/night vision Domain Objectives Physical Security Threats and Controls Perimeter Security Building and Inside Security Secure Operational Areas Equipment Room Perimeter enclosure Controls

Policy Emergency power off (EPO) switch Data Processing Facility Small devices threat Digital camera Cell phone cameras USB drive

Etc. Server room Most important requirements are space, power, air conditioning, access control and security monitoring Mainframes Storage Communications Wireless access points Network access control Cabling

conduit Access to Utility Rooms Power rooms Breaker panels Water Ventilation Gas Work Area Keeping a work area safe is important for everyone

Operators Only allow access as needed/monitor System administrators Only allow access as needed/monitor Restricted work areas Only a select few people need access Equipment Protection Inventory Locks and tracing equipment Data encryption

Disabling I/O ports Environmental Controls System Electric power HVAC Water/plumbing Gas Refrigeration Threat Loss of power Overheating

Flood/dripping Explosion Leakage Fire Protection Prevention reduce causes Detection alert occupants Suppression contain or extinguish Wet-pipe sprinkler Most reliable Simple Water under pressure, when sprinkler head breaks water comes out

Dry-pipe sprinkler Pipes hold pressurized air; water is held back by a valve and released when a sensor or sprinkler head activates. The pipes then fill with water and the sprinkler discharges (used where wet pipes could freeze or leak)

Materials and Suppression Agents

Class   Type                    Suppression agents
A       Common combustibles     Water, foam, dry chemicals
B       Combustible liquids     Inert gas, CO2, foam, dry chemicals
C       Electrical              Inert gas, CO2, dry chemicals
D       Combustible metals      Dry powders
K       Cooking media (fats)    Wet chemicals

Suggested way to remember each: Ash, Boil, Current, Drive, Kitchen

Three Legs of a Common Fire (the fire triangle: oxygen, fuel, heat) and how each agent attacks it: Displace oxygen: CO2/foam. Bind (interrupt the combustion reaction): Halon and similar agents, Purple K. Reduce heat: water. Remove fuel: firefighters.

Flooding Area Coverage Water sprinkler systems Gas halon/CO2/argon systems Best practices for systems Portable extinguishers Loss of Electrical Power UPS Generators Goals of power clean and steady power Power controls Emergency power off (EPO) switch

Power line monitors Total load Heating, Ventilation, Air Conditioning Location Positive pressure Can indicate unauthorized physical breach Helps minimize dust Maintenance Other Infrastructure Threats Vermin

Electromagnetic fields Excess vibration Physical (Environmental) Security Domain Summary Physical Security Threats and Controls Perimeter Security Building and Inside Security

Secure Operational Areas Security Architecture and Design Domain Objectives System and Component Security Definitions and Key Concepts

Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks Definitions and Key Concepts Information security management system (ISMS) Set of standards for addressing security throughout the development, deployment and implementation schedule Enterprise security architecture (ESA) Includes all areas of security for an organization: leadership,

strategy, planning, etc. Information security architecture (ISA) Another term for ISO/IEC 27002 Best practice Well-recognized and accepted approach to designing, developing, managing/monitoring and enhancing processes Definitions and Key Concepts Architecture High-level perspective of how business requirements are to be structured and aligned with technology and processes

Framework Defined approach to the process used to achieve the goals of an architecture, based on policy Infrastructure Integrated building blocks that support the goals of the architecture Model Outlines how security is to be implemented within the organization

Definitions and Key Concepts Good security architecture Strategic Provides a long-range perspective that is less subject to tactical changes in technology Business requirements based Understand business and security and design a system that meets those requirements Holistic Understanding all the parts of the business and interconnecting them

Design Blueprint Integration and development of technology infrastructure into the business process Multiple implementations Flexibility due to location and business constraints Definitions and Key Concepts Benefits of a good security architecture

Consistently manage risk Reduce the costs of managing risk Accurate security-related decisions Promote interoperability, integration, and ease of access Provide a frame of reference (for other organizations interacting with the enterprise) Domain Objectives System and Component Security

Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

Architecture Components What are the security limitations and benefits of each component? Hardware Firmware

Central processing units Input/output devices Software Architectural structures Storage and memory Hardware: Computers Mainframe Minicomputers Microcomputers/desktops Servers Laptop/notebook Embedded

From a security perspective, each security risk must be addressed individually Hardware: Mobile Devices USB storage Portable hard drives PDAs and mobile phones Hardware: Printers Multifunctional Network aware More than output device

Full operating system Hardware: Communication Devices Modem Network Interface Card (NIC) Hardware: Wireless Wireless network interface card Wireless access point Wireless Ethernet bridge Wireless router Wireless range extender

Firmware: Pre-Programmed Chips ROM (read-only memory) PROMs (programmable read-only memory) EPROMs (erasable programmable read-only memory) EEPROMs (electrically erasable programmable read-only memory) Field programmable gate arrays (FPGAs) Flash chips Embedded system CPU Functionality Multitasking Multiprogramming Multiprocessing

Multiprocessor Multi core Multithreading Direct memory access (DMA) Real-Time Systems Time and mission critical systems systems that support mission critical services such as flight controls, alarms and monitoring sensors Immediate processing High levels of tolerance Failover

Virtual Machines Mimic the architecture of the actual system Resources provided by the host system CPU and Processor Privilege States Supervisor state Problem (user) state Running Ready Blocked Masked/interruptible

Input/Output (I/O) Devices I/O controller Managing memory Hardware Software: Operating System Hardware control Hardware abstraction Resource manager Design Kernel Software: Utilities and Drivers

System utilities Maintenance System drivers Application/hardware interface Plug and play Commercial Software Programs (Applications) Commercial off the shelf (COTS) Function first Unless the software is inherently a security-focused application (such as a firewall), attention will first be

devoted to functionality. Security is usually an afterthought. Evaluation Make sure to consider the information security aspects of the application such as authentication methods, audit capabilities, edit checks and error reporting, etc. Software: Custom Business application No two businesses do business the same way. Custom software is the solution used as a natural progression from manual processes to automation of tasks

System development life cycle Software: Convergent Technologies Customer relationship management (CRM) Workflow management systems SharePoint, Lotus Notes Unified messaging Allows different technologies to work together, e.g. fax to a PDA, internet access from a TV CPU and OS Support for

Applications Applications were originally self-contained OS capable of accommodating more than one application at a time Security Reinforced by the OS, since the OS has the ability to control the activity of the applications and ensure that one application's threads do not affect another's Applications - Today Today's applications are modular Execute multiple process threads Security

Problems lie in the fact that independent sections are frequently written by someone else and may be malicious. Module may also be used in a way not intended by the author. Modules and threads will often communicate directly and not involve the OS. This prevents the OS from being able to manage the activity of the process threads. Programs spawn processes. Processes spawn threads. Memory is allocated to processes. So, threads share memory. Systems Architecture Approaches Open standards based interfaces. Considered more vulnerable but often result in a more robust set of security

features Closed proprietary interfaces. Illusion that security through obscurity works Dedicated: a single level of processing is permitted Single level: permits users to execute any instruction available Multilevel: processing at two or more levels is permitted through some form of user authentication and authorization. Most common today; allows the system to be accessed by users holding different levels of privilege.

Embedded single purpose computer Architectural Structures Client server Centralized architecture Distributed architectures Thin client architecture Diskless computing Clusters Cloud Computing Provisioning of services Cost models

Supplement/consumption/delivery model Involves provisioning of dynamically scalable and often virtualized resources Characteristics Layers Cloud Computing Deployment models

Public cloud Community cloud Private cloud Hybrid cloud Architecture Intercloud Cloud Engineering Issues

Privacy Compliance Open source Open standards Security Issues surrounding cloud computing are due in large part to the private and public sectors' unease about the external

management of security-based services Service-Oriented Architecture Technology benefits More flexible architecture, integration of existing applications, improved data integration, supports business process management, facilitates enterprise portal initiatives, speeds custom application development Security issues A system that relies on distributed processing must have adequate bandwidth and high availability; every exposed service is an attack surface that needs authentication and input validation of its own.

Business benefits More effective integration with business partners, supports customer-service initiatives, enables employee self-service, streamlines the supply chain, more effective use of external service providers, facilitates global sourcing Virtualization Virtual copy of a physical system System virtual machine complete operating environment that can support user needs and multiple environments Hypervisor interface between the physical and virtual environments Process virtual machine systems that are dedicated to supporting

one process or program Types of Memory Addressing Logical Refers to a memory location that is independent of the current assignment of data to memory. Requires a translation to the physical address. Relative Address expressed as a location relative to a known point Physical Absolute address or actual location

Memory Management Requirements Relocation Programmer does not know where the program will be placed in memory when it is executed. It may be swapped to disk and returned to main memory at a different location. Protection Processes should not be able to reference memory locations in another process without permission. Sharing Allows several processes to access the same portion of

memory. OS allows each process access to the same copy of the program rather than having its own separate copy. Memory Protection Benefits Memory reference Different data classes Users can share access Users cannot generate addresses Primary Storage Registers Very high-speed storage structures built into the CPU chip set and are often used to store timing and state information for

the CPU to maintain control over processes. Cache Very fast memory directly on the CPU chip body. Not upgradeable. Three types (level 1-3). Random access memory (RAM) Main memory of the system Secondary Storage Internal External Virtual memory

SANs Clusters Virtual Memory = primary + secondary or RAM + Disk Extends apparent memory to accommodate a larger program execution space than is possible using only physical memory and involves paging and swapping operations. Pages are generally 4 or 8 KB in length Storage Systems Network Attached Storage (NAS)

Simple, cost effective solution. Box on network that extends storage area. Storage Area Network (SAN) Complex, expensive solution. Offers large capacity storage for servers over high-speed (usually fiber) links Blade Systems Server chassis Processing power Management simplification Is simply a series of motherboards housed in a box with

a high speed backbone Domain Objectives System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

Separation Temporal isolation Accomplished through time limits. Person cannot access an area of the building or an area of the network, or an application outside of certain authorized hours. Physical isolation Refers to separating out sensitive areas from common access, such as setting up compartmentalized areas or secure rooms. Virtual isolation Protects against malicious activity by not permitting a process to execute outside of a strict set of boundaries.

Ring Protection Based on the Honeywell Multics Operating System architecture. Set of segments in concentric numbered rings; the lower the ring number, the higher the privilege. Ring number determines the access level. A procedure assumes its appropriate ring number when executing. This prohibits a process from unregulated execution of commands at a more privileged level. A program may call services residing on the same or a more privileged ring (through a controlled gate). A program may only access data that resides on the same or a less privileged ring.

Privilege Levels Identifying, authenticating, and authorizing subjects Subjects of higher trust can access more system instructions and operate in privileged mode Subjects with lower trust can access a smaller portion of system instructions and operate only in user mode Process Isolation Preserves Objects integrity and subjects adherence to access controls Prevents interaction prevents objects from interacting with each other and their resources

Independent states actions of one object should not affect the state of other objects Process isolation method Encapsulation objects, data, and functions are packaged together Time multiplexing assignment specific time slots for processing information Naming distinctions to distinguish between processes Virtual mapping/domains mapping info objects to virtual locations to ensure

applications can find their data Trusted Computing Base (TCB) Trusted computer base includes all the components and their operating processes and procedures that ensure that the security policy of the organization is enforced. Hardware Firmware Software Processes Inter-process communications Simple and testable

Trusted Computing Base (TCB) Enforces security policy must be able to enforce security policy regardless of user input and be protected from interference or tampering Monitors four basic functions

Process activation Execution domain switching Memory protection Input/output operations Reference Monitor Concept Abstract machine concept abstract machine that is regulating all access on the system and enforcing security controls Must be tamperproof Always invoked Verifiable Security kernel

Components of an OS perform various protection tasks designed to control and monitor system events and prevent things from occurring that might disrupt normal execution or threaten the stability of the system or any of its resources. Subject Active entity Object Passive entity Attested Boot/TPM/Processing Ensures secure configuration and integrity of software/hardware

Uses cryptographic hash functions to ensure integrity Can also be used remotely Secure System Design Availability must be designed to meet needs Criticality design of system must ensure that the critical processes run effectively Redundancy Single points of failure must be designed to avoid Defense in depth ensures the security of the system cannot be circumvented through one vulnerability

Domain Objectives System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks Security Models Introduction Information-flow model tracks the movement of

information from one object to another Non-interference model based upon rules to prevent processes that are operating in different domains from affecting each other in violation of security policy State-machine model abstract mathematical model where state variables represent the system state Lattice-based model hierarchical model defining access control privilege levels; a subject's label dominates an object's label when its level is at least as high and its categories are a superset Bell-LaPadula Confidentiality Model Lattice-based model Described using rows and columns (access matrix)

State-machine model Hierarchical model with dominance relationships between higher and lower security levels Three fundamental modes Read only, write only, read and write Secure state: every transition preserves the security properties Defines access rules: simple security property (no read up), *-property (no write down), strong *-property (read and write only at the subject's own level), discretionary security property (access matrix) ***** very important to know ***** Biba Integrity Model Lattice-based model

Addresses the first goal of integrity (prevent unauthorized subjects from modifying data) Subject/object tuple State-machine model When you mix clean and dirty, dirty wins Read and write are the opposite of Bell-LaPadula: simple integrity property (no read down), integrity *-property (no write up), invocation property (a subject may not invoke a more trusted subject) ***** very important to know ***** Clark-Wilson Integrity Model Addresses all three integrity goals Defines well-formed transactions: constrained data items may be changed only through transformation procedures (the subject/program/object access triple) Separation of duties 1. Authorized users limited to authorized transactions 2. Unauthorized users do no tasks

3. Maintain internal and external consistency ***** very important to know ***** Brewer and Nash Model Chinese Wall security policy Designed to prevent conflicts of interest: once a subject has accessed one company's data in a conflict-of-interest class, it may not access a competitor's data in the same class ***** very important to know ***** Other Models Graham-Denning (eight rules for creating/deleting subjects and objects and granting/transferring rights) Harrison-Ruzzo-Ullman (HRU) result (whether a right can leak in a general access-matrix system is undecidable) Variations of Biba
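Worked example (added here for illustration; it is not part of the presentation): a small Python reference monitor that encodes the Bell-LaPadula and Biba rules on a lattice of levels plus categories, and the Brewer-Nash conflict-of-interest check. The level names, categories, subjects and company names are made up for the demo.

```python
"""Lattice-based access decisions: Bell-LaPadula, Biba and Brewer-Nash (demo)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Constructed classification hierarchy for the demo (not from the slides).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice dominance: level at least as high AND categories a superset.
        # Labels with disjoint categories are incomparable: neither dominates.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)      # simple security property
    if op == "write":
        return obj.dominates(subject)      # *-property
    if op == "readwrite":
        return subject == obj              # strong *-property
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): no read down, no write up; the mirror image of BLP."""
    if op == "read":
        return obj.dominates(subject)      # simple integrity property
    if op == "write":
        return subject.dominates(obj)      # integrity *-property
    raise ValueError(f"unknown operation {op!r}")


class BrewerNash:
    """Chinese Wall: after a subject touches one company in a conflict-of-interest
    class, every other company in that class becomes off limits to that subject."""

    def __init__(self, coi_classes: Dict[str, Set[str]]) -> None:
        # coi_classes example: {"banks": {"BankA", "BankB"}, "oil": {"OilX"}}
        self.class_of = {company: cls
                         for cls, members in coi_classes.items()
                         for company in members}
        self.history: Dict[str, Set[str]] = {}   # subject -> companies accessed

    def allows(self, subject: str, company: str) -> bool:
        seen = self.history.get(subject, set())
        cls = self.class_of[company]
        # Access is refused if a *different* company of the same class was already seen.
        return not any(self.class_of[c] == cls and c != company for c in seen)

    def access(self, subject: str, company: str) -> bool:
        """Decide and, on success, record the access so the wall builds up over time."""
        if not self.allows(subject, company):
            return False
        self.history.setdefault(subject, set()).add(company)
        return True


if __name__ == "__main__":
    s = Label("secret", frozenset({"crypto"}))
    ts = Label("top secret", frozenset({"crypto", "nuclear"}))
    print("BLP secret reads top secret:", blp_allows(s, ts, "read"))    # False
    print("Biba secret reads top secret:", biba_allows(s, ts, "read"))  # True
```

Note that the Biba check is exactly BLP with subject and object swapped, which is the point the slides make ("read and write are opposite from Bell-LaPadula"); keeping both functions explicit makes the properties easier to audit than a one-liner that swaps arguments.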

Security Models (overview diagram)
Integrity models: Clark-Wilson, Biba, G&M (Goguen-Meseguer), Sutherland
Access-rights models: Graham-Denning, HRU
Confidentiality / need-to-know models: Brewer-Nash, BLP
Implementations: Gong, Lipner, Karger, Jueneman, Lee & Shockley
Domain Objectives System and Component Security Definitions and Key Concepts

Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks Evaluation Standards TCSEC (U.S. DoD) ITSEC (European Union) Common Criteria (ISO Standard 15408) TCSEC or Orange Book

DoD-centric Security and functionality Product evaluation Rainbow Series TCSEC (the Orange Book) was one of the Rainbow Series of books dealing with security topics TNI Trusted Network Interpretation (the Red Book, another of the series) ITSEC European origin ITSEM (ITSEC evaluation methodology) Evaluates assurance separately from functionality

Common Criteria (ISO 15408) Origins (harmonizes TCSEC, ITSEC and the Canadian CTCPEC) Documents EAL 1-7 (evaluation assurance level): the requested level of testing/assurance Protection profile (PP): implementation-independent security requirements for a class of products Target of evaluation (TOE): the software, firmware, and/or hardware being evaluated Security target (ST): the vendor's statement of the TOE's security functionality and claimed EAL, against which the evaluation is performed Domain Objectives

System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks ISO 7498-2 Defined secure communications NOT an implementation Takes 7-layer OSI model and maps it to a 2-layer

functional model Zachman Framework Complete overview of IT business alignment Intent Scope Two-dimensional Principles SABSA What are the business requirements?

Follow-on to Zachman Operational security focus The Open Group Architecture Framework Governance Business Application Data Technology DoD Architecture Framework OMB A-130 requirement

View sets: All view Operational view Systems view Technical standards view ISO/IEC 42010 International standard for the architectural description of software-intensive systems (derived from IEEE 1471); it is not an ISMS standard

ISO 27001 - ISMS Information security management system Ensures best practices are met Sets standards for security areas Based on BS7799-2

Measurable and certifiable standard IT Infrastructure library (ITIL) Focuses on IT services Supporting products COSO Enterprise Risk Management Framework Emphasizes the importance of identifying and managing risks

Process People Reasonable assurance Objectives If moving money, probably want to use this Capability Maturity Model Developed by SEI (Software Engineering Institute) Based on TQM concepts (Total Quality Management) Framework for improving process

Benefits Top 3 are proactive, bottom 2 reactive PCI-DSS Payment card industry data security standard Standards for the protection of payment card data (e.g. credit cards, debit cards, etc.) Covered more in Domain 5 (Legal, Regulations, Investigations, and Compliance) Security Architecture and Design Domain Summary

System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks Software Development Security Domain Objectives Overview of Applications Security

System Life Cycle Security Applications Security Issues Malware and Other Attacks Database Security Need for Applications Security While this model is important to all domains, AIC is probably most important to this one Interface to critical and sensitive data Thousands of exploits

Secure Systems Development Policies Organizations require security development methodology Many corporations are beginning to require and provide guidelines for developing secure applications Security climate has changed Vendors are focused on functionality of their products and on increasing their return on investment instead of security Security as built-in instead of add-on Compliance many regulations and compliance requirements now demand that systems track and control access permissions of users and other entities

Organizational Standards Web Application Security Consortium (WASC) Build Security in (BSI) International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27034 These orgs provide information for software vendors and the public that is intended to create secure environments for software development, to aid in developing internal code standards, to incorporate security features in software products, and to deploy into secure environments. Software Configuration Management

(SCM) Versioning Technologist Protection of code Protection of project Scope creep vs Statement of Work Process Integrity System Development Controls Project Management Complexity of Systems and Projects

Security by Design Controls Built in to Software Secure by Default Secure Development Excuses You cannot build security around an application, you have to build it in We need security? Then we'll use SSL We need strong authentication? PKI will solve all our problems We use a secret/military-grade encryption We had a hacking contest and no one broke it

We have an excellent firewall We'll add it later; let's have the features first Secure Development Concerns Push to Market pressure to deliver a product quickly Protect Source Code From tampering Pirating

Accidental loss Protection against attacks Secure Development - Physical Controlled access areas Development vs Operations Project security Probably best to only develop and work on projects in a secure area. Personnel Security Hiring controls background checks for everyone involved

Trust several attacks come from developers Skills don't post to blogs asking for assistance on programming problems (it leaks design details and source) Changes in employment If internal, adjust permissions on things no longer needed If leaving company, remind to keep company secrets Protection of privacy from employees Privacy Impact Rating part of risk assessment. Looks at the data that would be accessible by programs and identifies sensitive data Separating Test Data From Production

Never test on a production system Never use real data Protection of sensitive data Test for failure test error routines and the resilience of system to failure Ranges test using both acceptable and unacceptable data values Stress Tests make sure system can handle the number of transactions or users that may be using the system at once Always try to test for what the bad guy and stupid user would do Certification and Accreditation

Certification of secure design and deployment Production environment Accreditation of acceptance of risk Management approval for implementation Ensure that systems meet, and continue to meet, their security requirements Domain Objectives Overview of Applications Security

System Life Cycle Security Applications Security Issues Malware and Other Attacks Database Security System and Project Management Project Management-Based Methodology Systems Security Engineering Capability Maturity Model (SSE-CMM; the same five levels as CMMI) 1-initial (chaotic, immature), 2-managed (disciplined, capable), 3-defined (documented, consistent), 4-quantitatively managed (predictable), 5-optimizing (constant improvement)

SLC vs SDLC Systems Life Cycle development, post-development, maintenance phases System Development Life Cycle development and ends shortly after implementation Software Development Methods Waterfall Spiral Method Clean-Room Structured Programming Development

Iterative Development Joint Analysis Development Prototyping Software Development Methods Modified Prototype Model Exploratory Model Rapid Application Development Agile Development

Computer Aided Software Engineering Component-Based Development Reuse Model Extreme Programming

Programming Language Examples (listed oldest to newest)
Interpreted: Basic, REXX, PostScript, Pascal, Perl, Ruby, Python
Compiled: Basic, Fortran, COBOL, Pascal, C, C++, C#, ADA, Python, Visual Basic
(Basic, Pascal and Python appear in both lists because they have both interpreted and compiled implementations.)

Program Utilities Assembler program that translates an assembly language program into machine language. Compiler translates a high-level (source) language into machine language Interpreter instead of compiling a program all at once, the interpreter translates it statement-by-statement

Drivers used to interface a program with the system Hybrid compilation and interpretation. Code is compiled into an intermediate stage. In Java, known as bytecode. Needed for compatibility between systems. Transaction Processing Separation of Duties Need to Know Logging Transaction: Integrity data not inappropriately altered Edit checks, balancing, data/input validation, error handling/information leakage, logging/auditing, cryptography, secure code environment, session

management Availability large queries that affect performance should be limited. Critical systems should be designed with redundancy and failover Confidentiality provide necessary security measures for data Object-Oriented Programming OOP Concepts Classes templates for objects Objects instances of the classes Message objects request services by sending messages to other objects Inheritance a class (subclass) derives its data and functionality

from the class it extends (its parent or superclass) Polymorphism different objects may respond to the same message in different ways Polyinstantiation creating a new version of the object by changing its attributes. Prevents inference violations by allowing different versions of the same information to exist at different classification levels (e.g. two rows with the same key but different classification labels) Distributed Programming Distributed Component Object Model (DCOM) Simple Object Access Protocol (SOAP) Common Object-Request Broker Architecture (CORBA) Enterprise Java Beans (EJB) Distributed programming requires abstract

communication between hosts. Entails programs located on different computers be able to use the same program at the same time. Software Security Effectiveness Senior management participation Software security group Many organizations implement this. Charged with directly executing or facilitating the software security activities. Understand, measure and plan Result of many activities Software security is the result of many activities. People,

process and automation are all key components. 15 core activities Software Security Effectiveness BSIMM (Build Security In Maturity Model) Organization observed Business objectives Roles Framework Domain Objectives

Overview of Applications Security System Life Cycle Security Applications Security Issues Malware and Other Attacks Database Security Applications Security Issues Building security in Adding defense-in-depth Cryptographic protection of data Secure architecture

Applications Security Principles Validate all input and output Fail secure (closed) Make it simple Defense in Depth Only as secure as your weakest link Secure Coding Issues Buffer overflow SQL injection Cross-site-scripting (XSS) Dangling pointer Invalid hyperlink

Secure (encrypted) web application traffic risks JavaScript attacks vs sandbox Secure Coding Issues Application programming interface (API) Open source Vendor proprietary software Escrow iFrames Race condition Secure Coding Issues

Risks of push technology Information disclosure error handling Infrastructure flaws Misconfiguration Secure Coding Issues Incomplete parameter check and enforcement Covert channels Inadequate granularity of controls Privileged programs/privilege escalation Social engineering Multiple paths to information

Secure Coding Issues Object reuse Garbage collection Trap door/maintenance hooks Domain Objectives Overview of Applications Security System Life Cycle Security Applications Security Issues Malware and Other Attacks
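Worked example (added for illustration; not from the presentation): the two most common issues on the Secure Coding Issues list, SQL injection and cross-site scripting, shown as a vulnerable Python function next to its hardened form. The user table, credentials and injection payload are constructed for the demo; passwords are stored in plaintext only to keep the demo short, never do that in real code.

```python
"""SQL injection and XSS: vulnerable pattern beside the fix (demo, sqlite3)."""
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demo (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )  # plaintext passwords for demo brevity only
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """VULNERABLE: attacker-controlled input is concatenated into SQL syntax.
    The payload ' OR '1'='1 turns the WHERE clause into (...) OR '1'='1' and
    returns every row, i.e. an authentication bypass."""
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """HARDENED: parameterised query. The driver binds the values as data, so
    quotes and keywords in the input can never change the query structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """VULNERABLE: untrusted input reflected into HTML unchanged (reflected XSS)."""
    return f"<p>Welcome, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """HARDENED: output encoding for the HTML context; quotes are escaped too so
    the value is also safe inside an attribute."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable rows:", login_vulnerable(db, "x", payload))   # both users
    print("safe rows:", login_safe(db, "x", payload))               # []
    print(render_greeting_safe("<script>alert(1)</script>"))
```

The fix is the same in every language and driver: never build the query string from input, always bind parameters; and encode output for the context it lands in (HTML body, attribute, JavaScript, URL) rather than trying to filter "bad" characters on input.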

Database Security Malware and Attack Types Malformed input Injection (SQL injection) Input manipulation/malicious file execution URL manipulation Unicode attack

Malware and Attack Types Cryptographic storage Hijacking Insecure communications Malware and Attack Types Denial of Service (DoS) Distributed Denial of Service (DDoS) Botnets Fast flux botnets

Data hiding Alternate data streams (ADS) Non-technical Malware and Attack Types Executable content/mobile code Web applets Dynamic email Cookie poisoning (manipulation) Malware and Attack Types Keystroke logging

Adware and spyware SPAM Phishing Spear phishing Whaling Pharming Malware and Attack Types Remote Access Trojans (RAT) Rootkits and RATs HTTP Response Splitting Cross Site Request Forgeries (CSRF)

Malware Structure Infection/reproduction Target search Infection Trigger Payload Malware Anti-Detection Stealth Tunneling Polymorphism

Self-decrypting Antivirus (anti-malware) disabling Virus Central characteristic is reproduction Generally requires some action by user May or may not carry payloads Virus Types File infector Boot Sector Infector System infector

Email virus Multipartite Used to mean a virus that was able to infect both boot sectors and programs; now means a virus that can infect more than one type of object, or infect or reproduce in more than one way Macro Virus Script Virus Visual Basic Script file that looks like a data file but is executable (.vbs) The Hoax, Chain Letters and Pranks Social engineering Hoax

Chain Letters Pranks Forms of spam. More annoying than anything else, but can eat up bandwidth Worm Reproduces No user action required Loopholes Often probes the computer looking to exploit specific weaknesses and/or compromise other computers

Attacks server software Trojan Horse Purported to be a positive utility Hidden negative payload Social engineering Logic Bomb Generally implanted by an insider Waits for condition or time Triggers negative payload Diddlers, Backdoors and RATs

Data diddler Salami technique Office Space fractions of a cent moved to bank account Payload in a Trojan or virus that deliberately corrupts data, generally by small increments over time. Protection From Malware Code Policies Tools Monitoring Operation Egress scanning

Integrity checkers Emerging Threats and Chained Exploits New application services Cell phones/mobile phones Telephony Chained exploits Domain Objectives

Overview of Applications Security System Life Cycle Security Applications Security Issues Malware and Other Attacks Database Security Database Security Database (day to day) and data warehousing (strategic) environment Eliminate duplication of data Consistency of data Network access

Databases provide consistency of data. Data can be saved in one place, allowing anyone with access to see it without the need for duplicates. Greater consistency or accuracy of data Data warehousing is a new concept where large volumes of information from many databases are stored. May lead to privacy concerns. Database Management Systems (DBMS) Models Hierarchical DBMS

Stores records in a single table Parent/child relationships Limited to a single tree Difficult to link branches
[Diagram: hierarchical tree. Car at the root; Toyota, Honda and Mazda as children; models (CRV, Accord, Civic) below them; 2-door and 4-door as leaves]

Network DBMS Model
Extended form of the hierarchical database structure Does not refer to the database being stored on a network but rather to the method by which data is linked to other data.
[Diagram: network model. Makes (Mazda, Ford, BMW) link to classes (Regular, Truck, 4x4) and models (Mazda 3, Mazda 6, E Series, Freestar, X3, X5), which in turn share feature nodes such as 5-speed transmission, leather interior, and front and rear climate controls]

Relational DBMS Model Most frequently used model

Data are structured in tables Columns are variables (attributes) Rows contain the specific instances (records) of data Primary key Must exist and uniquely identify each row Not null Used to index/optimize the table Foreign key An attribute in one table that references the primary key of another table; enforces referential integrity and is used to optimize joins RDBMS Tables, Joins and Unions

Author Table (primary key: Author No)

Author No   Last Name   First Name   State
123456      Smithson    Mary         CA
234567      Rogers      Mike         NY
345678      Tucker      Sally        CT
456789      Gleason     Sarah        IL

Book Table (foreign key: Author No, referencing the Author Table)

Book No   Book Title                 Book Type   Book Price   Author No
PC1234    Learning Database Models   Computer    39.99        123456
PC4321    Data Modeling Techniques               69.99        234567
PC6789    Designing a Database       Computer    39.99        345678
PC9876    Secrets of Databases       Computer    19.99        456789

Data Warehouse Consolidated view of enterprise data Data mart Designed to support decision making through Data Mining Metadata Knowledge discovery in Databases (KDD) Methods of identifying patterns in data

KDD and AI techniques Probabilistic models Statistical models Classification approach Deviation and trend analysis

Neural networks Expert system approach Hybrid approach Database Security Issues Inference (guess) Aggregation (conclusion) Unauthorized access Improper modification of data Unauthorized data mining Query attacks Bypass attacks Interception of data

Web security Database Controls Access controls Grants: a user is given access to specific data using various privilege types Cascading permissions: an individual grants access to others; when that individual loses access, so does everyone they granted it to Lock controls Backup and recovery Data contamination control Polyinstantiation

View-Based Access Controls Constrained views What portion of the data in the database is the user authorized to see Sensitive data is hidden from unauthorized users Controls located in the front-end application (user interface) Transaction Controls Content-based access control Commit statement

Writes any and all changes that have occurred to the data during the current transaction Two-phase commit The client requests permission to make a change; the database approves (prepares) the change but does not make it permanent until the client replies that the transaction completed correctly Database rollback Journals/logs Error controls The ACID Test

Atomicity all or none. All transactions execute or rollback Consistency changes maintain consistency. Transformed from one valid state to another valid state, remaining compliant with the rules of the database Isolation transactions in progress are invisible to others. Guarantees that the results of a transaction are invisible to other transactions until the transaction is complete. Durability say it is done, stays done. Ensures that the results of the completed transaction can survive future system and media failures. Database Interface Languages/Methods

Structured Query Language (SQL) Open Database Connectivity (ODBC) Extensible Markup Language (XML) Object Linking and Embedding (OLE) ActiveX Data Objects (ADO) Dynamic data Application and Database Languages: Security Issues Poorly designed More privileges than necessary DBA account use Lack of audit
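The following Python, using the standard library's sqlite3 module, is an added example (not code from the slides) that ties the preceding database material together: it loads the Author and Book tables from the RDBMS slides, runs a join across the foreign key, demonstrates atomicity by rolling back a multi-row price update when one row breaks a rule, and then contrasts a query built by string concatenation (the injection and input-validation problems listed here) with its parameterized form. The table and column names and the price rule are assumptions made for the example.

```python
import sqlite3

# Rows copied from the Author and Book slides (PC4321's book type is not given there)
AUTHORS = [
    (123456, "Smithson", "Mary", "CA"),
    (234567, "Rogers", "Mike", "NY"),
    (345678, "Tucker", "Sally", "CT"),
    (456789, "Gleason", "Sarah", "IL"),
]
BOOKS = [
    ("PC1234", "Learning Database Models", "Computer", 39.99, 123456),
    ("PC4321", "Data Modeling Techniques", None, 69.99, 234567),
    ("PC6789", "Designing a Database", "Computer", 39.99, 345678),
    ("PC9876", "Secrets of Databases", "Computer", 19.99, 456789),
]


def open_db():
    """In-memory database with a primary key on author and a foreign key from book."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("""CREATE TABLE author (
        author_no INTEGER PRIMARY KEY, last_name TEXT NOT NULL,
        first_name TEXT NOT NULL, state TEXT)""")
    conn.execute("""CREATE TABLE book (
        book_no TEXT PRIMARY KEY, title TEXT NOT NULL, book_type TEXT, price REAL,
        author_no INTEGER NOT NULL REFERENCES author(author_no))""")
    conn.executemany("INSERT INTO author VALUES (?,?,?,?)", AUTHORS)
    conn.executemany("INSERT INTO book VALUES (?,?,?,?,?)", BOOKS)
    conn.commit()
    return conn


def books_by_state(conn, state):
    """Join on the foreign key: titles written by authors in the given state."""
    rows = conn.execute(
        "SELECT b.title FROM book b JOIN author a ON a.author_no = b.author_no "
        "WHERE a.state = ? ORDER BY b.title", (state,)).fetchall()
    return [r[0] for r in rows]


def atomic_price_update(conn, updates):
    """Atomicity: every (book_no, price) change is applied, or none is.
    The rule 'price must be positive' (assumed) is checked in code; a violation
    raises inside the transaction and the context manager rolls everything back."""
    try:
        with conn:                       # commit on success, rollback on exception
            for book_no, price in updates:
                if price <= 0:
                    raise ValueError("price must be positive")
                conn.execute("UPDATE book SET price = ? WHERE book_no = ?", (price, book_no))
        return True
    except ValueError:
        return False


def price_of(conn, book_no):
    return conn.execute("SELECT price FROM book WHERE book_no = ?", (book_no,)).fetchone()[0]


def vulnerable_lookup(conn, title):
    """DELIBERATELY VULNERABLE: untrusted input is concatenated into the SQL text."""
    sql = "SELECT title, price FROM book WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, title):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    return conn.execute("SELECT title, price FROM book WHERE title = ?", (title,)).fetchall()
```

With the input `x' OR '1'='1`, the concatenated query returns every book while the parameterized one returns nothing, which is the whole difference between validating input and letting it rewrite the statement.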

Input validation Software Development Security Domain Summary Overview of Applications Security System Life Cycle Security Applications Security Issues Malware and Other Attacks Database Security Telecommunications and Network Security

Domain Objectives Network Security Overview Physical

Data Link Network Transport Session Presentation Application Telephony Services Network Security Overview What is network security? Encompasses the STRUCTURES, TRANSMISSION METHODS, TRANSPORT FORMATS AND SECURITY

MEASURES used to provide INTEGRITY, AVAILABILITY, AUTHENTICATION, and CONFIDENTIALITY for transmissions over PRIVATE and PUBLIC communications networks and media. Information Security TRIAD Security Issues and Concerns Message protection Confidentiality Integrity Non-repudiation

Availability Redundancy Single point of failure Defense in Depth Series of hurdles Collection of controls Any form of protection can be defeated, but when layered it becomes much harder to defeat. OSI Reference Model People Don't Need To Smoke Pot Anymore

TCP/IP Model Network-Based Attacks Network as a channel for attacks Most frequent network security threat today. Example, viruses exploit networks in order to spread without actually breaching the security of the network itself Inbound and outbound attacks Network as a target of attack DoS DDoS

Network Attacks Network attack phases Intelligence gathering and target selection Target analysis Gaining access Escalation of privileges

Sustaining control Domain Objectives Network Security Overview Physical

Data Link Network Transport Session Presentation Application Telephony Services Concepts & Architecture

Technology & Implementation Standards Threats & Countermeasures Layer 1: Physical Layer Bits are converted into signals All signal processing is handled here Physical topologies Physical layer describes the networking

hardware, the format of the communications (bits, bytes, or optical pulses), as well as cable, wireless connections, etc. Communication Technology Analog and digital communications Digital communication brings quantitative and qualitative enhancements: higher throughput, better signal-to-noise ratio, fault-tolerant error correction, and the ability to process digital signals directly in a computer Network Topology Even small networks are complex Network topology and layout affect scalability and security Wireless networks also have a topology Mesh Ring

Star Network Topology Tree Bus Bus Topology LAN with a central cable to which all nodes connect Advantages Scalable

Permits node failure Disadvantages Bus failure Ring Topology Closed-loop topology Advantages Deterministic Disadvantages Single point of failure

Star Topology All of the nodes connect to a central device Advantages Permits node/cable failure Scalable Disadvantages Single point of failure Tree Topology Devices connect to a branch on the network Advantages Scalable

Permits node failure Disadvantages Failures split the network Mesh Topology In a full mesh network, every node in the network is connected to every other node in the network Advantages Redundancy Disadvantages Expensive

Complex Scalability Domain Objectives Network Security Overview Physical Concepts & Architecture

Technology & Implementation Data Link Network Transport Session

Presentation Application Telephony Services Standards Threats & Countermeasures Media Selection Considerations Throughput

Distance between devices Data sensitivity/confidentiality Environment Cost Twisted Pair Coax Fiber Wireless Twisted Pair One of the simplest and cheapest cabling technologies Unshielded (UTP) or shielded (STP)

Coaxial Cable (Coax) Conducting wire is thicker than twisted pair Higher bandwidth and longer runs than twisted pair Expensive and physically stiff Fiber Optics Three components Light source Optical fiber cable (two types: single-mode and multimode) Light detector Advantages High bandwidth Immune to EMI and RFI Difficult to tap Disadvantages Expensive Difficult to install Wireless Transmission Technologies

802.11 WLAN From wired network to station, wireless LAN 802.16 WMAN, WiMAX From neighborhood to station, wireless metropolitan area networks, or WiMAX Satellite From orbit to station Microwave High bandwidth, line of sight, point-to-point communications that require licensing (ground to ground OR ground to orbit to ground)

Optical High bandwidth, line of sight, point-to-point communications that do not require licensing Patch Panels Provide a physical cross-connect point for devices Alternative to directly connecting devices Centralized management Modems Convert a digital signal to analog Provide little security

War dialing Unauthorized modems Hubs and Repeaters Hubs Used to implement a physical star/logical bus topology All devices can read and potentially modify the traffic of other devices Repeaters Allow greater distances between devices

Wireless Access Points (WAPs) Access Point (AP) Point where wireless signals are converted to wired Go from radio waves to typically copper Multiple input/multiple output (MIMO) Uses multiple antennas at both the sending and receiving ends and transmits different signals on each antenna Avoids some of the interference experienced by single antenna units and increases performance and message quality Cloud Computing

Access to IT services over the Internet Data storage Software Security Communications Etc.

Security issues (3rd party trust) VPN connections use when accessing secure data or services Sharing of data 3rd party trust Cross-border data transfer is your data in the U.S.? Domain Objectives Network Security Overview Physical

Data Link Network Transport Session Presentation Application Telephony Services

Concepts & Architecture Technology & Implementation Standards Threats & Countermeasures Standard Connections Types of connectors

RJ-11 RJ-45 BNC (Bayonet Neill-Concelman; commonly but incorrectly expanded as British Naval Connector) RS-232 (serial ports) Cabling Standards TIA/EIA-568 (Telecommunications Industry Association/Electronic Industries Alliance) Domain Objectives

Network Security Overview Physical Data Link

Network Transport Session Presentation Application Telephony Services

Concepts & Architecture Technology & Implementation Standards Threats & Countermeasures Physical Layer Threats Attack vectors Wire Tapping Wireless Sniffing

Equipment Modems Authorized and unauthorized modems Emanations and TEMPEST EMI and RFI Physical Controls Wire Shielding Conduit Faraday cage

Penetration index Wireless Encryption Authentication Equipment Locked doors & cabinets Domain Objectives Network Security Overview Physical

Data Link Network Transport Session Presentation

Application Telephony Services Concepts and Architecture Technology & Implementation Protocols Threats & Countermeasures Layer 2: Data Link Layer Connects Layers 1 and 3 Converts data from a signal into a frame

Transmits frames to devices Link-layer encryption Determines network transmission format Local Architecture Security Perimeter-based security The egg concept of security Hardened outside defenses Lack of internal defenses? Security domains Internal layers of defense Isolating networks within the organization

Network Partitioning Bastion host Dual-homed host Screened host and subnet Demilitarized zone (DMZ) Network Partitioning Three-legged firewall Disadvantages Single point of failure No defense in depth Managing firewall rules can be complex

Token Ring and Token Passing A token is a special frame that circulates through the ring Device must possess the token to transmit Token passing is used in token ring (IEEE 802.5) and FDDI Synchronous/Asynchronous Synchronous Timing mechanism synchronized data transmission Robust error checking Practical for high-speed, high-volume data

Asynchronous Clocking mechanism is not used Surrounds each byte with bits that mark the beginning and end of transmission Unicast, Multicast, and Broadcast Unicast Sending of message from one host to another Multicasts Message (video, teleconference, etc) sent to a defined set of recipients IGMP (Internet Group Management Protocol) used to manage

multicasting groups (hosts on a network that are interested in a particular multicast) Broadcasts Sends to an unlimited number of recipients. Can send to everyone on the network and sub-networks Often used to launch DoS Circuit-Switched vs Packet-Switched Circuit-switched network Dedicated circuit between endpoints Endpoints have exclusive use of the circuit and its bandwidth Cost based on duration of the connection. Makes it cost-effective only for steady communication streams

Packet-switched network Data is divided into packets and transmitted on a shared network Each packet can be independently routed on the network Cost based on amount of data transmitted. Appropriate for transmissions with significant idle time Switched/Permanent Virtual Circuits Virtual circuits provide connection between endpoints over high-bandwidth multiuser cable or fiber networks, which cause them to behave with similar performance characteristics as if the circuit were a dedicated physical circuit

Permanent virtual circuits (PVC) The carrier configures the route through the packet-switched network; unless changed, the route stays the same Switched virtual circuits (SVC) Traffic routing is configured dynamically by the routers each time the circuit is used Unicast Point-to-Point ISDN (Integrated Services Digital Network) The high-speed option before DSL and cable Ts (T carriers)

Time division multiplexing 1.544 Mbit/s over 24 channels (8000 frames/sec x 193 bits/frame) Es (E carriers) Time division multiplexing 2.048 Mbps, 32 timeslots of which 30 carry user channels OCs (optical carriers) T3, E3, SONET (3.45% of any speed) X.25 Suite of protocols for unreliable networks Has a strong focus on error correction

Users and hosts connect through a packet switched network Most organizations now opt for frame relay and ATM instead of X.25 for packet switching Frame Relay Network cloud of switches Customers share resources in the cloud The cloud is assumed to be reliable Customers are charged only for bandwidth used Asynchronous Transfer Mode (ATM) Connection-oriented

Uses virtual circuits Guarantees quality of service but not the delivery of cells Types of virtual circuits Constant Bit Rate (CBR) Variable Bit Rate (VBR) Unspecified Bit Rate (UBR) Available Bit Rate (ABR)

Multi-Protocol Label Switching (MPLS) Bandwidth management and scalability Permits traffic engineering Provides quality of service and defense against network attacks Operates at Layers 2 and 3 Operates over most other packet switching technologies such as frame relay and ATM Created for performance but has the effect of being a tunnel

Digital Subscriber Lines (DSL) Uses CAT-3 cables and the local telecom loop Asymmetric digital subscriber line (ADSL) Downstream speeds greater than upstream Rate-adaptive DSL (RADSL) Upstream transmission rate is auto tuned depending on the quality of the line Symmetric digital subscriber line (SDSL) Same transmission rate up and down Very high bit-rate DSL (VDSL)

Higher transmission rate. 13Mbps down and 2Mbps up Cable Modem PC Ethernet NIC connects to a cable modem Speeds from 256Kbps to 50Mbps Bridging device between computers and ISP Modem and head-end exchange cryptographic key Cable modems increase the need to observe good security practices Domain Objectives Network Security Overview

Physical Data Link Network Transport

Session Presentation Application Telephony Services Concepts and Architecture Technology & Implementation Protocols Threats & Countermeasures

Concentrators, Multiplex/Demultiplex Combining or splicing signals Division multiplexing technologies TDM time FDM frequency WDM wave Concentrator combines channels together. Often used to permit several remote access connections to terminate on the network at the same time. Multi/Demultiplex combines several signals into a single data stream or breaks them apart.

Switches and Bridges Multiport devices to connect LAN hosts Forward frames only to the specified MAC address Increasingly sophisticated Also forward broadcasts Wireless Local Area Networks Allow mobile users to remain connected Extend LANs beyond physical boundaries Wireless Standards: IEEE 802.11 802.11b 11 Mbit/s 802.11a 54 Mbit/s + error correcting code

802.11g max 54 Mbit/s w/ avg 22 Mbit/s 802.11n (multiple input/output) 54 to 600 Mbit/s 802.11i (security) 802.16 (WiMAX) 802.15 (Bluetooth) Wireless multiplexing OFDM/DSSS/FHSS (AFH) Authentication Paramount to the security of wireless LANs SSID SSID broadcast

Open systems authentication Shared key authentication MAC address filtering Extensible authentication protocol Wireless Encryption WEP Shared secret with a 24-bit IV; reported cracked in as little as 3 to 30 seconds once enough packets are captured WPA Uses RC4 with 128-bit keys and a 48-bit IV; Temporal Key Integrity Protocol (TKIP) provides a different key per packet WPA2 AES instead of RC4; TKIP replaced with Counter-Mode/CBC-MAC Protocol (CCMP)

Extensible authentication protocol EAP-TLS client and server mutually authenticate & use certs EAP-TTLS less secure than EAP-TLS EAP-PEAP encrypted tunnel but less secure than EAP-TLS Domain Objectives Network Security Overview Physical Data Link
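Why the WEP entry above is weak comes down to keystream reuse, which the following Python, added here as an illustration and not part of the slides, shows with a pure-Python RC4: encrypt two frames under the same 24-bit IV and shared key, XOR the ciphertexts, and the keystream cancels out; one known plaintext then decrypts every other frame sent under that IV. The 5-byte key, the IVs and the frame contents are constructed for the example; the CRC-32 ICV that real WEP frames carry inside the encrypted part is omitted.

```python
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation). Encrypt and decrypt are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 3-byte IV travels in the clear, then RC4(IV || shared key) over the data."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + rc4(iv + shared_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(shared_key, iv, p1, p2):
    """Two frames under the same IV share one keystream, so C1 xor C2 == P1 xor P2."""
    c1 = wep_encrypt(shared_key, iv, p1)[3:]
    c2 = wep_encrypt(shared_key, iv, p2)[3:]
    return xor_bytes(c1, c2)


def recover_with_known_plaintext(c_known, p_known, c_target):
    """Known plaintext for one frame gives the keystream, which decrypts any other frame with that IV."""
    keystream = xor_bytes(c_known, p_known)
    return xor_bytes(keystream, c_target)


def expected_frames_until_iv_repeat(iv_bits=24):
    """Birthday bound: about sqrt(pi/2 * 2^n) randomly chosen IVs before the first repeat."""
    return int(math.sqrt(math.pi / 2 * 2 ** iv_bits))
```

With only 2^24 IVs, a busy access point repeats one after roughly 5,000 frames even if it picks them at random, and many cards simply counted up from zero, which is why the 48-bit IV and per-packet keys of TKIP, and then CCMP, replaced this design.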

Network Transport Session Presentation Application Telephony Services

Concepts and Architecture Technology & Implementation Protocols Threats & Countermeasures Point-to-Point Protocol (PPP) RFC 1331 (superseded by RFC 1661) Encapsulation Link control protocol (LCP) Network control protocols PPP provides a standard method of encapsulating

Network Layer protocol information over point-to-point links Address Resolution Protocol (ARP) ARP (RFC 826) Generic address-resolution protocol, designed to convert any network-protocol address to any data-link address. Its use today is normally to resolve IP addresses to 802.x (MAC) addresses RARP (RFC 903) Used to map a device's MAC address to its IP address

ARP cache poisoning A valid request is answered by an invalid authority (the attacker), so the victim caches the attacker's MAC address for the target IP Password Authentication Protocol (PAP) Identification and authentication of remote entity Uses a cleartext, reusable (static) password Supported by most network devices Advantages Standards-based solution that provides interoperability in a multivendor network Inexpensive to install and operate Server-side password DB can be stored encrypted

Disadvantages Password is transmitted in the clear Reply is either an ACK or NAK No replay protection Challenge Handshake Authentication Protocol (CHAP)

Periodically revalidates users Standard password database is unencrypted (the server needs the cleartext secret to compute the expected response) The password itself is never sent; the peer returns a one-way hash of the challenge combined with the password MS-CHAP Server stores a hash of the user's password rather than the cleartext Domain Objectives Network Security Overview Physical Data Link
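The following Python is an added example, not from the slides, that runs both exchanges described above: a PAP login whose sniffed credentials replay verbatim, and an RFC 1994 CHAP round (response = MD5 of identifier, secret and challenge) in which the sniffed response is useless against a fresh challenge. It also shows the caveat the CHAP slide implies: the server must hold the cleartext secret, and a sniffed challenge/response pair can be attacked offline with a wordlist, so CHAP still needs strong secrets. The user database and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user database (assumed). CHAP needs the cleartext secret on the server.
USERS = {"alice": "s3cret"}


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Authenticator:
    """Server (authenticator) side of PAP and CHAP."""

    def __init__(self, users):
        self.users = dict(users)
        self.ident = 0
        self.challenge = b""

    def pap_verify(self, name, password):
        # PAP: the peer sends name and password in the clear; the server just compares.
        return self.users.get(name) == password

    def chap_challenge(self):
        # A fresh random challenge and a new identifier for every round.
        self.ident = (self.ident + 1) & 0xFF
        self.challenge = os.urandom(16)
        return self.ident, self.challenge

    def chap_verify(self, name, ident, response):
        secret = self.users.get(name)
        if secret is None or ident != self.ident:
            return False
        expected = chap_response(ident, secret, self.challenge)
        return hmac.compare_digest(expected, response)


def crack_chap(captured_ident, captured_challenge, captured_response, wordlist):
    """Offline dictionary attack on a sniffed CHAP exchange: no further contact with the server."""
    for guess in wordlist:
        if chap_response(captured_ident, guess, captured_challenge) == captured_response:
            return guess
    return None


def run_exchanges():
    srv = Authenticator(USERS)
    sniffed = []  # everything an eavesdropper on the link would see

    # PAP: credentials cross the link in cleartext and can be replayed verbatim
    sniffed.append(("PAP", "alice", "s3cret"))
    pap_ok = srv.pap_verify("alice", "s3cret")
    pap_replay = srv.pap_verify(sniffed[-1][1], sniffed[-1][2])

    # CHAP: server challenges, peer answers with a hash, the secret never crosses the link
    ident, challenge = srv.chap_challenge()
    response = chap_response(ident, USERS["alice"], challenge)   # computed on the peer
    sniffed.append(("CHAP", "alice", ident, challenge, response))
    chap_ok = srv.chap_verify("alice", ident, response)

    # Replaying the captured response against a fresh challenge fails
    new_ident, _ = srv.chap_challenge()
    chap_replay = srv.chap_verify("alice", new_ident, response)

    # But the sniffed (ident, challenge, response) triple can be guessed against offline
    _, _, c_ident, c_chal, c_resp = sniffed[-1]
    cracked = crack_chap(c_ident, c_chal, c_resp, ["password", "letmein", "s3cret"])

    return {"pap_ok": pap_ok, "pap_replay": pap_replay,
            "chap_ok": chap_ok, "chap_replay": chap_replay, "cracked": cracked}
```

The replay check also fails on the identifier alone; the cryptographic reason it must fail is that the expected value is recomputed over the new challenge, so a captured response never matches twice.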

Network Transport Session Presentation Application Telephony Services

Concepts and Architecture Technology & Implementation Protocols Threats & Controls Link Layer Threats Confidentiality

Eavesdropping Sniffing for reconnaissance Offline brute force Unapproved wireless Integrity Modification/injection/hijacking Man-in-the-middle Force weaker authentication Availability DoS/jamming

Others Rogue access points/ad hoc networks War driving Open wireless networks Controls for Wireless Threats Encryption Authentication RF management Domain Objectives

Network Security Overview Physical Data Link Network Transport

Session Presentation Application Telephony Services Concepts & Architecture Technology & Implementation Protocols Threats & Controls Layer 3: Network Layer Moves information between two hosts that are not

physically connected Uses logical addressing Local Area Network (LAN) LANs service a relatively small area Most LANs have connectivity to other networks VLANs are software-based LAN segments implemented by switching technology Metropolitan Area Network (MAN) Optimization for city Uses wireless infrastructure, fiber optics, or Ethernet to connect sites together

Still needs security Switched multi-megabit data service (SMDS) SONET/SDH Storage Area Network (SAN) Hard drive space problem Server of servers Fiber backbone Switched Wide Area Network (WAN) A WAN is a network connecting local networks or access points

Connections are often shared and tunneled through other connections Internet/Intranet/Extranet Internet Collection of all interconnected IP networks Intranet Companys internal Internet Extranet Company will grant other controlled access to an isolated segment of its own network to allow exchange of information

Granting access to external organizations - risky Domain Objectives Network Security Overview Physical Data Link Network

Transport Session Presentation Application Telephony Services Concepts & Architecture Technology & Implementation

Protocols Threats & Controls IPSEC Authentication header (AH) Encapsulating security payload (ESP) Security parameter index (SPI) Security associations Transport mode/tunnel mode Internet key exchange (IKE) Tunneling Protocols Point-to-point tunneling protocol (PPTP) Microsoft

Layer 2 forwarding (L2F) Cisco Layer 2 tunneling protocol (L2TP) from Cisco & Microsoft Add IPSEC, becomes VPN Routers Network routing Layer 3 Find best path to destination Firewalls Filtering Filtering by address

Filtering by service Static packet filtering Stateful inspection or dynamic packet filtering Personal firewalls Filter on any field in header Firewalls Enforce administrative security policies Separate trusted networks from untrusted networks Firewalls should be placed between security domains Proxy Firewalls

Circuit-Level proxy Application-level proxy Firewalls Firewall Type OSI Model Layer Characteristics Packet filtering

Network Layer Routers using ACLs dictate acceptable access to a network Looks at destination and source addresses, ports, and services requested Application-level proxy Application Layer

Deconstructs packets and makes granular access control decisions Requires one proxy per service Firewalls Firewall Type OSI Model Layer Characteristics

Circuit-level proxy Session Layer Deconstructs packet Protects a wider range of protocols and services than application-level proxies, but does not provide as detailed a level of control Stateful

Network Layer Keeps track of each conversation using a state table Looks at state and context of packets End Systems Servers and mainframes Operating systems Notebooks/laptops/tablet PCs

Workstations Smartphones Personal digital assistants Network Attached Storage (NAS) End System Protection Antivirus Personal Firewalls Host-based IDS/IPS Patch management Domain Objectives Network Security Overview

Physical Data Link Network Transport Session

Presentation Application Telephony Services Concepts & Architecture Technology & Implementation Protocols Threats & Controls Routing Protocols Routing information protocol (RIP)

Routing table compromise Virtual router redundancy protocol (VRRP) Open shortest path first (OSPF) Exterior gateway protocol (EGP) obsolete Border gateway protocol (BGP) Intermediate system-to-intermediate system (IS-IS) Interior gateway routing protocol (IGRP) Enhanced IGRP (EIGRP) Connectivity Protocols ICMP Redirect attacks

Traceroute Ping scanning Internet Protocol (IP) Internet Protocol (IP) is responsible for routing packets over a network Unreliable, best-effort protocol: only a header checksum, no error recovery or delivery guarantee IP will subdivide (fragment) packets IPv4 address structure IPv6 A larger IP address field Improved security

A more concise IP packet header Improved quality of service (QoS) Internetwork Packet Exchange (IPX) Vendor specific Retired Domain Objectives Network Security Overview Physical Data Link Network

Transport Session Presentation Application Telephony Services

Concepts & Architecture Technology & Implementation Protocols Threats & Controls IP Attacks Fragmentation attacks Teardrop attack Overlapping fragment attacks Traceroute exploitation

Sniffing Smurf and Fraggle Attacks Smurf attack misuses the ICMP echo request Fraggle attack uses UDP instead of ICMP Ping through UDP Ping of death Encryption as a Threat Can be used for inappropriate purposes External attackers Can plant encrypted backdoors that will allow them to access

system Internal attackers Utilize commonly available tools (SSL, TLS, SSH) to encrypt traffic to subvert controls Encrypted backdoors Tunnels to home computer

Tunnels setup to use company resources for personal pursuits Tunnels setup to protect criminal/improper behavior Etc. IP Addressing Spoofing Packets are sent with a bogus source address Takes advantage of a protocol flaw Controls Policy Inbound and outbound traffic controls Network partitioning
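The fragmentation, smurf and spoofing attacks listed above can all be recognized from the IPv4 header alone. The Python below is an added example, not from the slides, that builds packets with struct and then applies three checks: an ingress filter that rejects packets arriving from the Internet side with an internal or bogon source (the inbound traffic control and network partitioning mentioned above), a detector for ICMP echo requests aimed at the directed-broadcast address, and an overlap check on reassembly offsets for teardrop-style fragments. The site prefix 192.0.2.0/24 and every packet are constructed for the example.

```python
import ipaddress
import struct

# Assumed site prefix (an IANA documentation range, so the example never touches real hosts)
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
# Sources that must never arrive from the Internet side: our own prefix plus common bogons
BOGONS = [INTERNAL] + [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
IPV4_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+frag, ttl, proto, csum, src, dst


def build_ipv4(src, dst, proto, ident=0, offset=0, mf=False, payload=b""):
    """Construct a minimal IPv4 packet (20-byte header, checksum left 0). offset is in 8-byte units."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    vihl, _tos, total, ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "id": ident, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "len": total - ihl, "payload": pkt[ihl:total]}


def is_spoofed_ingress(pkt):
    """Ingress filter on the Internet-facing interface: a packet claiming an internal or
    bogon source cannot be legitimate there (the BCP 38 anti-spoofing rule)."""
    src = parse_ipv4(pkt)["src"]
    return any(src in net for net in BOGONS)


def is_smurf_trigger(pkt):
    """Smurf: ICMP echo request (type 8) aimed at the directed broadcast address, so every
    host answers the (spoofed) source."""
    p = parse_ipv4(pkt)
    return p["proto"] == 1 and p["payload"][:1] == b"\x08" and p["dst"] == INTERNAL.broadcast_address


def find_overlapping_fragments(pkts):
    """Group fragments by (src, dst, id, proto) and report IDs whose pieces overlap
    (teardrop-style); a sane fragment starts exactly where the previous one ended or later."""
    groups = {}
    for p in map(parse_ipv4, pkts):
        if p["mf"] or p["offset"] > 0:
            key = (p["src"], p["dst"], p["id"], p["proto"])
            groups.setdefault(key, []).append((p["offset"], p["len"]))
    suspicious = []
    for key, frags in groups.items():
        end = 0
        for off, length in sorted(frags):
            if off < end:
                suspicious.append(key[2])
                break
            end = off + length
    return suspicious
```

The same direction-aware rule applied outbound (egress filtering: nothing leaves the site claiming a source outside 192.0.2.0/24) stops the site from being used as a smurf amplifier or a spoofed-source flood origin.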

Domain Objectives Network Security Overview Physical Data Link Network Transport

Session Presentation Application Telephony Services Concepts & Architecture Protocols

Threats & Controls Layer 4: Transport Layer End-to-end transport between peer hosts Connection-oriented and connectionless protocols Domain Objectives Network Security Overview

Physical Data Link Network Concepts & Architecture Transport Protocols

Threats & Controls Session Presentation Application Telephony Services Transmission Control Protocol (TCP) Well-known ports 0 to 1023

Registered ports 1024 to 49151 Dynamic and/or private ports 49152 to 65,535 Total of 65,536 ports User Datagram Protocol (UDP) Fast Low overhead No error correction/replay protection Transport Layer Security (TLS) Mutual authentication Encryption Integrity

Domain Objectives Network Security Overview Physical Data Link Network Transport

Session Presentation Application Telephony Services Concepts & Architecture

Protocols Threats & Controls Attacks SYN Flood Denial of Service Threats Port scanning

FIN, NULL and XMAS scanning SYN scanning TCP sequence number attacks Session hijacking Controls SYN proxies Honeypots and honeynets Entice attackers by presenting legitimate-looking systems that they will spend time attempting to crack Tarpits Related to honeypots; deliberately accept connections and then respond as slowly as possible so that the attacker's tools waste time and resources

Particularly useful against spamming and network (port) scanning Continuous or periodic authentication Domain Objectives Network Security Overview
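To show how the scanning and SYN-flood threats above look in traffic, the following added Python (not part of the deck) classifies TCP flag combinations into NULL, FIN, XMAS and SYN probes, flags a source that touches many ports in a short window, and counts half-open connections to a service to detect a SYN flood. The flow records are constructed tuples of (timestamp, src, sport, dst, dport, flags), and the thresholds are illustrative.

```python
from collections import defaultdict

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Name the scan probe a flag combination represents, or None for ordinary traffic."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == SYN:
        return "SYN"
    return None


def detect_port_scans(records, min_ports=10, window=5.0):
    """Return {src: [probe kinds]} for sources probing >= min_ports distinct destination
    ports within `window` seconds. records: (ts, src, sport, dst, dport, flags)."""
    probes = defaultdict(list)
    for ts, src, _sport, _dst, dport, flags in records:
        kind = classify_probe(flags)
        if kind:
            probes[src].append((ts, dport, kind))
    hits = {}
    for src, plist in probes.items():
        plist.sort()
        for i, (t0, _, _) in enumerate(plist):
            in_window = [(p, k) for t, p, k in plist[i:] if t - t0 <= window]
            if len({p for p, _ in in_window}) >= min_ports:
                hits[src] = sorted({k for _, k in in_window})
                break
    return hits


def half_open_count(records, dst, dport, window=1.0, now=None):
    """Count SYNs to dst:dport in the last `window` seconds whose handshake never completed
    (no later ACK from the same source socket). Real clients ACK within milliseconds."""
    if now is None:
        now = max(r[0] for r in records)
    pending = {}
    for ts, src, sport, d, dp, flags in records:      # records assumed time-ordered
        if d != dst or dp != dport:
            continue
        if flags == SYN:
            if now - ts <= window:
                pending[(src, sport)] = ts
        elif flags & ACK:
            pending.pop((src, sport), None)
    return len(pending)


def detect_syn_flood(records, dst, dport, threshold=100):
    return half_open_count(records, dst, dport) >= threshold


def sample_records():
    """Constructed traffic: one real client, one scanner, one spoofed-source SYN flood."""
    recs = [(0.000, "203.0.113.5", 40000, "192.0.2.10", 80, SYN),
            (0.010, "203.0.113.5", 40000, "192.0.2.10", 80, ACK)]
    for i, port in enumerate(range(1, 21)):           # scanner cycles through probe types
        flags = (SYN, FIN, 0, FIN | PSH | URG)[i % 4]
        recs.append((1.0 + i * 0.01, "198.51.100.9", 55000 + i, "192.0.2.10", port, flags))
    for i in range(250):                              # 250 SYNs in 0.25 s, random sources, no ACKs
        recs.append((2.0 + i * 0.001, "10.0.%d.%d" % (i, (i * 7) % 256), 1024 + i, "192.0.2.10", 80, SYN))
    return recs
```

A SYN proxy or SYN cookies (the controls listed above) work by refusing to allocate state until the third packet of the handshake arrives, which is exactly the half-open condition this detector counts.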

Physical Data Link Network Transport Session Presentation Application

Telephony Services Concepts & Architecture Technology & Implementation Protocols Threats & Controls Layer 5: Session Layer Client-server model Middleware and three-tiered architecture Many implementations are designed to spread the workload of a complex process to specialized

computer in a network Mainframe Keeps sessions local, unless remote terminals are implemented Centralized systems RADIUS and TACACS+ enable remote connection Domain Objectives

Network Security Overview Physical Data Link Network Transport Session

Presentation Application Telephony Services Concepts & Architecture Technology & Implementation Protocols Threats & Controls

Technology and Implementation Java RMI (remote method invocation) Allows a program running on one Java VM to invoke methods running on another JVM Microsoft .NET Domain Objectives

Network Security Overview Physical Data Link Network Transport Session

Presentation Application Telephony Services Concepts & Architecture Technology & Implementation Protocols Threats & Controls Protocols

Real-time Transport Protocol (RTP) End-to-end delivery services for data such as interactive audio and video RTP Control Protocol (RTCP) Used to monitor the quality of service and to communicate information about the users during the session Remote procedure calls (RPC) Execute procedures on remote hosts Open Network Computing RPC (ONC RPC) Sun's version

Remote User Authentication RADIUS TACACS+ Domain Objectives Network Security Overview Physical

Data Link Network Transport Session Presentation Application Telephony

Services Concepts & Architecture Technology & Implementation Protocols Threats & Controls RPC Threats and Controls Threats Unauthorized sessions Invalid RPC exchanges

Controls Patch Block at firewall Disable unnecessary protocols Domain Objectives

Network Security Overview Physical Data Link Network Transport Session Presentation Application Telephony Services Concepts & Architecture

Protocols Layer 6: Presentation Layer Data conversion Ensures a common format for data Services for encryption and compression JPEG Mainframe to PC Translation Extended binary coded decimal interchange code (EBCDIC) American standard code for information interchange (ASCII)

Gateway Specialized equipment used to translate presentation-layer protocols NOT default gateway Domain Objectives

Network Security Overview Physical Data Link Network Transport Session Presentation Application Telephony Services Concepts & Architecture

Protocols Audio & Video Compression Codec Compression/decompression Conserves bandwidth and storage VoIP Protocols H.323 Session initiation protocol (SIP) Proprietary applications and services

Domain Objectives Network Security Overview Physical Data Link

Network Transport Session Presentation Application Telephony Services Concepts & Architecture Technology & Implementation Protocols Threats & Controls

Layer 7: Application Layer The application layer is not the graphical user interface (GUI) Performs communication between peer applications Domain Objectives

Network Security Overview Physical Data Link Network Transport Session Presentation Application Telephony

Services Concepts & Architecture Technology & Implementation Protocols Threats & Controls Implementations Client/Server IM XMPP (Jabber)

IRC Email WWW Peer to Peer File sharing Domain Objectives

Network Security Overview Physical Data Link Network Transport Session Presentation Application

Telephony Services Concepts & Architecture Technology & Implementation Protocols Threats & Controls Protocol Examples FTP File Transfer Protocol RSH Remote Shell IMAP Internet Message Access Protocol

IRC Internet Relay Chat MIME Multipurpose Internet Mail Extensions POP3 Post Office Protocol (v3) Rlogin Remote login in UNIX systems SOAP Simple Object Access Protocol SSH Secure Shell TELNET Terminal Emulation Protocol Communication Services Synchronous messaging Instant messaging (IM) Internet relay chat (IRC)

Asynchronous messaging Simple mail transfer protocol (SMTP) Post office protocol (POP) Internet message access protocol (IMAP) Network news transfer protocol (NNTP) Remote Communication Services TCP/IP terminal emulation protocol (TELNET)

Remote login (RLOGIN), remote shell (RSH), remote copy (RCP) X Window System (X11) Video and multimedia Storage Data Services File transfer protocol (FTP) Trivial file transfer protocol (TFTP) Hypertext transfer protocol (HTTP) HTTP over TLS (HTTPS) Secure hypertext transfer protocol (S-HTTP) Proxies

Domain Objectives Network Security Overview Physical Data Link Network

Transport Session Presentation Application Telephony Services Concepts & Architecture Technology & Implementation Protocols Threats & Controls

Threats and Controls Authenticity Eavesdropping Scripting Social engineering Spam over instant messaging (SPIM) Tunneling firewalls Email spoofing Spam Domain Objectives

Network Security Overview Physical Data Link Network Transport

Session Presentation Application Telephony Services Concepts & Architecture Technology & Implementation Threats & Controls Mobile Telephony Cellular Service Analog

Advanced Mobile Phone Service (AMPS) Digital Global System for Mobile Communications (GSM) EDGE (Enhanced Data rates for GSM Evolution) General Packet Radio Service (GPRS) Data Domain Objectives

Telephony Technology
PSTN, PBX, Facsimile, Voice firewalls, VOIP (SIP, H.323), TDMA, CDMA, FDMA

Voice over IP
Reduced cost, Converged technology, Security

Common Threats
War dialing, PBX administration, War driving, Fraudulent toll, Voice eavesdropping

Directory Services
Domain name service (DNS), Lightweight directory access protocol (LDAP), Network basic input output system (NetBIOS), Network information service (NIS/NIS+)

Configuration Services
Simple network management protocol (SNMP), Dynamic host configuration protocol (DHCP), Network time protocol (NTP), Finger user information protocol

Storage Server Services
Common internet file system (CIFS)/server message block (SMB), Network file system (NFS), Secure NFS (SNFS)

DNS Threats
Spoofing; Query manipulation: Hosts file manipulation, Social engineering; Information disclosure; Domain litigation; Cybersquatting

Email Threats
Spoofing, Open mail relay servers, Spam and filtering, Phishing

Server Message Block (SMB) Threats
Buffer overflows

Controls
DNS security extensions (DNSSEC), Mail filtering, IM policy, Turn off SMB

Telecommunications and Network Security Domain Summary

Network Security Overview: Physical, Data Link, Network, Transport, Session, Presentation, Application
Telephony Services

CISSP Summary
Domain 1: Access Control
Domain 2: Business Continuity and Disaster Recovery Planning
Domain 3: Cryptography
Domain 4: Information Security Governance and Risk Management
Domain 5: Legal, Regulations, Investigations, and Compliance
Domain 6: Operations Security
Domain 7: Physical (Environmental) Security
Domain 8: Security Architecture and Design
Domain 9: Software Development Security
Domain 10: Telecommunications and Network Security

Questions?
