Skip to content

Instantly share code, notes, and snippets.

@gary23w

gary23w/cissp_notes

Last active October 7, 2024 15:19
Show Gist options
  • Save gary23w/fa5d3f27475ca396dc96784c9a47ff05 to your computer and use it in GitHub Desktop.
Save gary23w/fa5d3f27475ca396dc96784c9a47ff05 to your computer and use it in GitHub Desktop.
Download ZIP
cissp notes
Raw
cissp_notes
Security and Risk Management
The CIA Triad:
- Confidentialility
- no unauthorized person can access (password protect)
- Integrity
- encryption of data
- cryptography
- Availability
- must always be available.
- backups provide Availability.
---------------------
Common Security Terms:
Asset - Anything of value that could be compromised, stolen or harmed, including information, physical resources and reputation
Threat - Any event or action that could potentially cause damage to an asset or an interruption of services.
Attack - The intentional act of attempting to bypass one or more security services or controls of an information system.
Vulnerability - A condition that leaves the system and its assets open to harm.
Exploit - A technique that takes advantage of a vulnerability to perform an attack.
Risk - the likelihood of a threat occuring, as well as its potential damage to assets.
Control - A countermeasure that you put in place to avoid, mitigate or counteract security risks due to threats or attacks.
Social engineering - the practice of using deception and trickery against human beings as a method of attack.
Defense in depth - the practice of providing security in multiple layers for more comprehensive protection against attack.
---------------------
Governence Requirements
- Strategic alignment of information security with business strategies to support organizational objectives.
- Risk management by risk mitigation and reducing potential impact on resources
- Resources management by use of information security knowledge and infrastructures.
- Performance measurement by evaluating, monitoring, and reporting information security governance metrics to achieve objectives.
- Value delivery by optomizing information security investments that support organizational objectives.
---------------------
Due Car and Due Diligence
- Due care: behavioural expectations that organizations must adhere to.
- Act responsibly and reasonably: "prudent person" or "reasonable person" rule.
- Ex: provide appropriate security training for all employees.
- Failing in due care is negligence, a legal offense.
- Liability: legal responsibility for damage caused by an individual or business entity.
- Organizations must protect themselves from liability
- Due diligence: research necessary to make good, informed decisions.
- Ex:
- Background checks on employees
- Risk assessment of physical security systems.
- Testing of backup services.
---------------------
Q/A
5. Which factor is the most important item when it comes to ensuring security is successful in an organization?
- Senior management support. **
---------------------
Compliance.
- Awareness of an adherence to relevant laws and regulations.
- Can be:
- Set forth by governments and other private organizations
- Internal and self imposed
- Consult with legal department to determine how laws and regulations impact security operations.
---------------------
Legislative and Regulatory Compliance.
- Security professionals must understand all laws that apply to their organization.
- Specific conditions must be met in certain cases.
- Identify any safe harbors that could help the organization avoid penalties.
- Safe harbors are practices or actions that are deemed not to be in violation of the law.
- Policies and other documentation should be consistent with applicable laws and regulations.
---------------------
Privacy Issues
- Personally identifiable information (PII) could be used to identify an individual.
- Only a few pieces of information can expose a person's identity.
- Criminals can use PII for extortion, fraud, or shaming
- Ex:
- Names
- Social Security numbers
- Addresses
- Personal Characteristics
- PII, once exposed, may not be " recoverable "
---------------------
The purpose of Ethics
- The organizations principles, proper conduct, and system of moral values.
- Code of ethics helps professionals cooperate and pursue common goals.
- Code can guard against competitive pressures to act unscrupulously.
- Provides a guide for what other professionals will do.
---------------------
Organizational Ethics
- Organizations often document ethical expectations.
- May also be bound by ethics outlined in laws and standards.
- Ethical codes can also minimize risk.
- Employees with a track record of ethical behavior can help the oragnization avoid harm.
- Organizations are also responsible for acting ethically to their employees, customers, and other stakeholders.
---------------------
Regulatory Requirements for Ethics Programs.
- Ethics enforced by organizations and governmental agencies may apply if you do business with them.
- Beware of ethical codes pertaining to your organization.
- SOX, HIPAA, and GLBA require adoption of ethical standards.
---------------------
Internet Architecture Board Ethics
- IAB actions to avoid include.
- Seeking to gain unauthorized access to internet resources.
- Disrupting intended internet use.
- wasting resources such as people, capacity, and computers through unprincipled actions.
- Destroying the integrity of computer-based information.
- Compromising user privacy.
---------------------
Ethical Minefields for Security Professionals
- Expendiency requires temporary suspension of proper security practice.
- Inability to find licensed software required for a one-time purpose.
- A direct order from a supervisor to shortcut ethics to accomplish a critical goal.
---------------------
(ISC)2 Code of Ethics
- Protect society, the common good, necessary public trust and confidence, and infrastructure.
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competitive service to principals.
- Advance and protect the profession.
---------------------
Q/A
The "Ethics and the Internet" RFC 1087 states which of the following?
*** internet is a privilege and should be treated that way. ***
internet components include the broadband media and the localuser components.
Software viruses and Internet viruses should be treated differently.
Internet professionals are subject to same ethical responsibilities as any other industry.
---------------------
The value of security Documentation
- Lack of documentation creates organizational chaos.
- Documentation provides a framework for people to work together in achieving organizational goals.
- Security documentation can also act as a road map governance.
- Everything must be documented***
---------------------
Security Document Types:
Policy - High-level statement of management intentions. Contains purpose, scope and compliance expected of every employee.
EX: Information security will ensure the protection of information by implementing security best practices.
Standard - Required implementation or use of tools.
EX: The corporation must implement 802.1x security for all wireless networks.
Guideline - Recommended or suggested action or best practice.
EX: When travelling with laptops, users should use safety precautions to prevent laptop theft, damage, or data loss.
Procedure - Step-by-step description of how to implement a system or process.
EX: To implement Secure Shell(SSH) on the router, enter the enable mode and then enterthe appropriate commands for the router.
Baseline - Minimum security required for a system or process.
EX: Trivial File Transfer Protocol(TFTP) must be disabled in all servers except for those specifically used for the TFTP service.
---------------------
See Policy Sample 1.
---------------------
The Relationship Between Security Document Types.
Laws and Requirements.
|||
Strategic \/
Policies TYPES: ADVISORY/INFORMATIVE/REGULATORY
statement of management
Intentions
Tactical \/
||| ||| |||
Standards Guidelines
Mandatory Recommended
implementation Actions
Operational \/
||| ||| |||
Procedures Baselines
Step-By-Step Consistent
Instructions Comparison Points
---------------------
What is Risk?
---
Risk = Threats X Vulnerabilities X Consequences
Fire (FLAME) (NO EXTINGUISHER) - Building damage.
- Data loss
- Loss of productivity
- Loss of life
Thief (THEFT) (NO POLICE) - Loss of equipment.
---
Risk will never be eliminated.
---------------------
The Risk Analysis Process
1. Asset identification
2. Vulnerability Identification
3. Threat Assessment
4. Probability Quantification
5. Probability Qualification
6. Financial Impact Evaluation
7. Countermeasures Determination
---------------------
Asset Valuation Methods
- Asset management system
- Accounting system
- Insurances valuation
- Delphi method
---
Formula:
ARO = Event number / Years
SLE = EF * AV
ALE = ARO * SLE
Example:
AV = 100.000
Exposure Factor = 30%
SLE(single loss expectancy) = AV * EF = 30.000
ARO(annual rate occurency) = 1/N(one over occurence) -- 1/3 = 0.3
ALE(annual loss expectancy) = SLE * ARO = 30.000 * 0.3 = 9000
--------------
Risk Types
- Natural disasters
- Earthquake
- Wildfire
- Flooding
- Man made disasters
- Intentional
- Arson
- Theft
- Unintentional
- Employee mistake.
--------------
Risk Probability and Prioritization
Phase 1 - perform risk analysis
Phase 2 - List risks identified
Phase 3 - Determine probability
Phase 4 - Prioritize
---
Quantitative vs. Qualitative Risk Analysis
Quantitative - A mathematical estimate based on the historical occurences of an incident
Qualitative - A best-guess estimate based on the judgement and experience of analysts.
---
Safeguard Selectiion Criteria
- Cost effectiveness
- Risk reduction
- Practicality
---
Q/A
Risk management can be very complex and overwhelming. It is virtually impossible to consider every possible scenario during a risk analysis, however, there are methods available that can produce better results.
Which of the following would provide the best results when carrying out a risk analysis?
- Do more qualitative analysis
- Use manual auditing
- Use existing automated tools ***
- Focus primarily on the critical assets
---
Automated tools that are used in risk analysis have a lot of necessary questions pre-programmed in, which allows the team to just enter the answers and helps to ensure nothing has been missed.
The tools also contain the necessary mathematical formulas and contain the necessary mathematical formulas and different scenario parameters. This means that the team can enter the information that
has been gathered one time and the tool can run it through several different scenarios. The tools can decrease the time involved in risk analysis and provide better quality results when compared to manual process.
--------------
Business continuity and disaster recovery planning
- Business continuity plan fundamentals
- Business Continuity plan implementation
- Disaster recovery plan fundamentals
- Disaster recovery plan implementation
BCP is a business document.
DRP is a technical document.
---
the NFPA Business planning framework
1. Business initiation
2. Risk evaluation
3. Business impact analysis
4. Developing business continuity strategies
5. Emergency response and operations.
6. Developing and implementing BCP's
7. Awareness and training programs
8. Maintaining and Exercising BCP's
9. Public relations and crisis communications.
10. Coordination with public authorities.
---
NIST SP 800-34
1. Develop the Policy statement
2. Conduct business impact analysis
3. Identify preventative controls
4. Develop recovery strategies
5. Develop an IT contigency plan
6. Plan for testing, training and exercises
7. Plan for maintenance
--------------
Business impact analysis
Prioritization of critical processes Estimates of tolerable downtime.
---------
Possibility of reduced efficiency operations | BIA | Impact of finacial loss
---------
Resources needed to restore Estimates of tolerable downtime.
--------------
BIA organizational goals
- Ensure human health and safety
- Ensure constinuous company operations
- maintain delivery to customers
- provide safe workplace incase of disaster
---
BIA Process
1. Project planning and development
2. Data collection
3. Criticality assessment
4. Vulnerability assessment
--------------
Maximum Tolerable Downtime
EVENT MTD
----------------->>> BUSINESS FAILS
time
- acceptable downtime by management.
---
Recovery Time Objectives
________________________________________
| Business recovers if RTO is before MTD |
|
RPO EVENT RTO MTD
------------------------------------>>>>>
- the maximum amount of time is 5 hour
- resources shows it cannot be back up in 5 hour. (RTO)
---
Recovery Point Objectives
RPO Event MTD
--------------------------------->>>>
--------------
MTTF( Mean time to failure )
- time between any failure
- ex: server fails every 6 month. MTTF = 6 months.
MTTR( Mean time to repair )
- ex: 3 hours to repair crashed server. MTTR = 3 hours.
--------------
BCP Team responsibilities.
- Determining threats and vu;nerabilities
- Providing probability estimates of threats and vulnerabilities
- Performing a BIA
- Prioritizing recovery efforts
- Evaluating alternate sites to use in an emergency
- Determining disaster action plans in the event of a disaster
- Writing policies, guidelines, standards, and procedures on BCP implementation
- Testing the BCP
- Ensuring legal requirements are fulfilled during the disaster.
---
BCP Contents
- Statement of policy from senior management
- Statement of authority
- Roles and responsibilities of the plan's team members
- Plan goals, objectives, anjd evaluation methods
- Applicable laws, regulations, authorities, and or industry codes of practice
- Budget and project schedule
- Records management practices
---
Business Plan Evaluations.
- Plan coverage adequecy in all areas of the business
- Threat and vulnerability identification
- Proper response prioritization
- Training and plan testing
- Communications methods
- BCP team staffing and time allocation
- Plan update frequency and methods.
---
Business Plan Testing
- REviewing contents
- Analyzing solution
- Using checklists
- Performing walkthroughs
- Parallel testing
- Conducting simulations
- Full iterruption testing.
--------------
Disaster Recovery Plans
---
Disaster Recovery Strategy
- Risks
- Cost vs benefits
- Prioritization
---
Disaster Recovery Priority Levels
- Short-Terms
- Mid-Terms
- Long-Terms
- Not required
---
Disaster recovery response approaches
- short term - Mirrored sites
- mid term - rebuilding
---
Backup strategies
- Tape/disk backup
- Mirrored backup
- Remote journaling(databases)
- Electronic vaulting
---
Alternate sites
- Hot site(mirror)
- Warm site
- Cold site
- Portable site
---
Multiple centers
Processing is spread over several computer centers. Can be managed by same corporation or with another organization. Advantage: costs, multiple sites will share resources and support. Disadvantage: a major disaster could affect both sites; multiple configurations have to be administered.
---
Recovery team
- implement procedures and control operations
- Provide immediate response and restore.
- meet RTO and MTD
---
Salvage team
- Restore primary site
- Clean, repair, salvage, assessment
- Create a plan and obtain budget approval
---
DRP evaluation and maintenance
- evaluate periodically
- maintain on onmgoing basis
- use BRP techniques.
---
Disaster Recovery Testing
- checklist and desktop
- Offsite restoration
- Mirrored site cutover
---
Reflective Questions
1. Have you ever experienced a business disruption based on any of the event categories in this lesson? Was it natural or human caused event?
2. How did you and your organization handle the business disruption.
--
practice quiz website.
https://www.mhprofessionalresources.com//sites/CISSPExams/exam.php?id=AccessControl
--------------
The need for personnel security
- Employees can be a bigger threat than outside individuals
- Close to your data
- Know the weaknesses of your processes and controls
- Weakest link - potential targets for social engineering attacks
---
Job position sensitivity profiling
- Data owners determine need-to-know information for each job Roles
- Create a job sensitivity profile that includes what kind of security is required
- Based on job tasks, not individuals performing the tasks
- Administrators use the profile to assign authorization permissions.
---
Baseline hiring procedures
- Personal interview
- Work history verification
- Criminal history checklist
- Drug use check
- Reference checks
Position sensitivity screening
- Financial and or credit history REviewing
- Personality screening
- Lie detector testing
- Extended background investigation
- Security clearance
---
Employment Agreements
- Non disclosure agreements to protect sensitive information
- A code of conduct
- Ethics agreements
- Conflict of interest agreements.
---
Employment policies
- Seperation of duties (SoD)
- Need to know
- Least privilege
- Job rotation
- Mandatory vacations
- Regular password and access control updates
- Frequent reviews of user privileges
---
Clipping level
- identify the level of error where you expect something malicious
- EX: minimum login attempts
Repeated login attempts
Full log
Set clipping level
Reduced log size
---
Security Audit Events
- Identification of the event
- Time of the event
- Identification of the individual.
---
Security threat list
- Disclosure
- Destruction
- Interruption of service
- Theft
- Espionage
- Hackers and Crackers(not white people)
- Malicious code
---
Incident Responsiveness
- Detection
- Containment
- System cleaning
- Reporting and documentation
- ASsessing training and awareness
- Evaluating protection
- Vulnerability testing.
--------------
Termination
Type Level
Friendly - Complete an exit interview
- Collect access tools
- Collect company property
- Disable access
Unfriendly - Disable access immediately(or even before notification)
- Have security escort individual from the building
- Disable individual access codes
- Change passwords on all systems
--------------
Security Awareness
- Employees are the weakest link in security
- Help employees understand
- Risks
- Impact for company and themselves
- Security policies and procedures
- Focus on attitude, motivation, and attention
--------------
Asset Security
- Asset classification
- Privacy protection
- Asset retention
- Data security controls
- Secure data handling
---
Asset management
- Assets include hardware, software, data, physical systems, and documentation.
- ITAM is managing the lifecycle of these assets.
- In secure ITAM:
- Strike balance between cost and need
- Distinguish between data ownership/data custodianship.
- implement controls to secure private data.
- implement asset security to protect against liability.
- Apply classification to senstive data.
- Be very clear about regulatory policy requirements.
- In your policy, have a process in place to respond to legal requests for your data.
--------------
classification policies
- Classification policy includes:
- Organizations data classifications.
- Criteria for determining classification.
- Protection requirements of each classification.
- Roles and responsibilities: data owners, data custodians, data users.
- users may drive classification types based on how they handle assets.
- Regular reviews determine if appropriate classification is maintained
---
Classification principles
- Use labeling to minimize risk of loss or modification.
- Labeling schemes are known as classficications.
- management must determine:
- the assets sensitivity level.
- the purpose of the asset
- the value of the asset
- the criticality of the asset
- the owner of the asset.
--------------
Classification schemes
Military
- Employed by US governmental
- Strictly defined, rigid
Commercial
- Employed by non governmental organizations.
---
Military Classification Risk if information is Disclosed
Scheme level
Top secret Grave damage
Secret Serious damage
Confidential Damage to national security
Unclassified No damage
---
Corporate Classification Description
Scheme level
Confidential Information that should not be provided to individuals outside of the enterprise
Personal and Confidential Information of a personal nature that should be protected
Private Correspondence of a private nature between two or more people that should be safeguarded
Trade secret Corporate intellectual property that, if released, will present serious damage to the companys ability to p[rotect patents and processes.
Client confidential personal information that if released will result in identity theft.
--------------
See asset inventory examples.
--------------
Privacy
- Privacy requirements present legal challenges.
- Should define:
- What will be collected
- How collected data should and will be protected
- How long private information will be kept
- How collected data will be shared
- How private information will be disposed of.
---
Privacy laws
- Most governments have privacy laws in place
- Laws provide citizens with more control over how PII is gathered, used, store, disseminated
- Some laws may reduce privacy protections in interests of national and public security/safety.
- You must assist your organization in complying with these laws.
---
Privacy Data ownership
- Private data is owned by a person the data is about.
- Makes compliance challenging - organizations handle data.
- Organizations must balance protection requirements against business value of using data.
- Consider both ethics and legal restrictions when protecting private data.
---
Collect limitations
- can only collect data if useful and relevant to specific purpose
- if not, do not collect, even if beneficial to the business!!!!
---
Databases
- Databases with PII often are high-profile for major attacks.
- Attackers may sell PII on online black markets.
- Database protection is paramount due to both business value and legal requirements.
---
Retention
- the act of storing a business asset
- asset that you may retain:
- data
- media
- hardware
- software
- personnel
- consider compliance requirements when retaining assets.
"" KEEP SURVELLIENCE FOR 90 DAYS ""
---
Retention Policies
- Retention policies need to be comprehensive, not just for data.
- Write clear policies and train users.
- Older systems need special care for disposal.
- Develop a retention policy:
- Evaluate statutory requirements, litigation, obligations, and business needs.
- Classify types of records.
- Determine retention periods and destruction practices.
- Draft and justify record retention policies.
- Train staffing
- Audit retention and destruction practices.
- periodically review policy
- document policy, implementation, training, and audits.
---
Retention policy considerations.
- Every organization needs and information retention policy.
- Avoid compliance issues and lawsuits regarding retrieving and retaining information.
- demonstrate that you have a secure storage environment.
- information storage mechanism should allow for timely data search/retrieval.
- emails, instant messages, policies, procedures, and audit reports are business records.
- you may need certain records to protect against litigation or audits.
- verify the mazimum retention time for all assets you handle.
- IT department should not be the sole managerof business records retention.
- Do not expect users to help the company comply with retention requirements.
- In investigations, dont deviate from normal backup and retention procedures.
- Expect that after data is destroyed someone will still have a copy.
- Expect that archived information may take time to retrieve.
- Find a balance between deleting everything and saving everything.
- Dont rely on attorney for IT retention compliance.
---
Data retention
- Data is the organizations most critical non-human asset.
- Different data will require different retention times.
- other types of data may need to be disposed of quickly, even if only after a few months.
- Even if data isnt privacy related, still consider it in the context of retention.
---
Media retention.
Media ex:
- Tape
- CD/DVD/BluRay
- Hard Disks
- Flash drives
- Cloud storage
- Paper printout
- Best practices for taking care of media:
- protect from sunlight, heat and other natural resources.
- When locked in safes, include silica gel packets to prevent moisture/mildew.
- stand tapes/floppy disks on edge
- Keep magnetic media away from magnetic fields.
- know the lifecycle of the backup tape you are using.
- create authorized user list
- use automated system with bar code scanning that tracks movement.
- repeatedly test you back and restore procedures.
- Have a backup of any cloud data.
---
Hardware retention
- use hardware as long as possible, as cost can add up.
- consider hardwares role in protecting data.
- maintain hardware so you can retrieve old data.
- include non media hardware components in retention plans.
- create a retention plan that focuses on entire lifecycle
- create disposal plans for hardware if deprecated/obsolete.
- scrub hardware of all data before disposal.
- consider proper disposal procedures for electronic waste.
---
Software retention
- Purchased or in-house software has a lifecycle and requires a retention plan
- might need to do mor than one uninstall.
- consider other system dependencies; can they function without this software?
- keep track of software dependencies in retention policies.
- Software may require special scrubbing of data.
- Failing to completely wipe software may leave sensitive data unsecured.
---
Personnel retention
- Knowledge often trapped in departmental "silos"
- Knowledge may not be documented.
- Avoid depending on a single person for critical business needs and processes
- Include provisions for transferring operational kowledge in personnell retention policy.
- Include rotation of duties and multidisciplinary teams to help break up the "silo" of information.
--------------
Data security control implementation
Highlights of SANS.org checklist for implementing data security controls:
- Use approved drive encryption software on mobile devices.
- Assess data to identify what is sensitive enough to require encryption and integrity controls.
- Review cloud storage providers security practices for protecting your data.
- Implement automated tool on network borders to ensure sensitive information does not leave the network.
- Periodically scan servers to see if any sensitive data exists in clear text.
- Limit the use of USB flash drives to those that use encryption.
- Implement network-based data loss prevention (DLP) mechanisms to:
- Automatically backup critical data
- Control the movement of data across networks.
---
Data at rest
- Data is stored on media for long term retention
- Physical and logical loss of data are risks.
- Data at rest controls:
- Data recovery plan.
- Strong encryption
- Access control
- Password management tool
- Control of removable media
- Labeling practices
- Data safe storage for removable media
- Documentation of location of removable data.
---
Data in transit.
- Data being transferred from one host to another,
- Exposure of data is a primary risk.
- Exposures differ depending on the transmission media.
- Data in transit controls:
- Protect web traffic with SSL
- Encrypt sensitive email data with PGP or S/MIME.
- Non web covered data traffic encrypted with application level encryption
- Encrypted connections between application servers and database servers.
- Tunneling protocols if no application level encryption.
- Encryption for high sensitivity data even in protected subnets.
---
Encryption
- The process of scrambling data so that only authorized persons can read it.
- The best control to implement, whether on data at rest or in transit.
- Can be done through hardware or software.
- Data at rest will be protected, even if the data is stolen.
- With data in transit, encryption can happen at any point in the network:
- the link itself could be encrypted.
- the link might not be encrypted, but the data itself could be.
--------------
Security architecture and engineering
- Security in the Engineering lifecycle
- System componenet security
- Security models
- Controls and countermeasures in Enterprise Security
- Information System security capabilities
- Design and architecture vulnerability mitigation
- Vulnerability mitigation in embedded, Mobile, and web based systems,
- Cryptography concepts
- Cryptography techniques
- Site and facility design for Physical Security
- Physical Security implementation in Sites and Facilities
---
Security and engineering lifecycle
- Always assume you are under attack.
- Create a framework for consistency
- Securing communications
- Protecting data sources and storage.
- Hardening all systems
- Ensuring data integrity and confidentiality through business processes
- Entire information system must incorporate security intentionally
- Consider security when implementing upgrading or reviewing any system
- Integrate security across entire lifecycle
- Place for longevity - current system and potential future systems.
---
5 phases of security engineering
1 initiation
2 development
3 implementation
4 operations/maintenance
5 disposal
---
common security frameworks
- SP 800-14
- Organizational level of perspective on creating new systems, policies, or practices.
- Eight principles in 14 practices for IT security
- NIST SP 800-27 (special publication for system security)
- comprehensive set of engineering principles for system security.
- Structures approach to designing, developing and implementing IT security.
- Thirty three principles in six categories.
---
NIST SP 800-27 Principles.
Help security professionals appreacite the depth/scope of challenge in including security design into system lifecycle
Security foundations
- establish security policy as design foundation.
- treat security as integral
- delineate physical and logical security boundaries
- ensure developers are trained in secure design practices.
Risk based (reduce)
- reduce risk to acceptable level
- assume external systems are insecure
- identify trade offs between reducing risks and costs/decreased operational effectiveness
- tailor measures to meet organizational security goals
- protect information during processing, in transite and in storage
- consider custom security products
- protect against all likely classes of attacks
Ease of used
- base security on open standards for portability and interoperability
- use common language for security requirements
- account for upgrades and adoption of new technology
- strive for operational ease of use.
Increase resilience
- use layers to prevent single points of vulnerability
- design to limit damage and be resilient in response
- provide assurance system if resilient in face of expected threats
- limit or contain vulnerabilities
- isolate public access systems from mission critical resources
- use boundary mechanisms
- design audit mechanisms to detect unauthorized use and support incident investigations
- develop and use contigency plans and disaster recovery procedures
Reduce vulnerabilities
- strive for simplicity
- minimize system elements to be trusted
- implement least privilege
- avoid unnecessary security mechanisms
- ensure proper security in shutdown/system disposal
- prevent common errors and vulnerabilities.
Design with network in mind
- Use combination of measures distributed physically and logically.
- address overlapping information domains
- use authentication to provide access control within and across domains
- use unique identities to ensure accountability
--------------
Trusted Computing Base
outer: OS
inner: FIRMWARE
center: HARDWARE
---
Hardware architecture components
- CPU
- Primary Storage
- Secondary storage
- Virtual memory
- I/O devices
- Computer bus
- Drivers
--
ALU - arithmetic logic unit
MU - memory unit
CU - control unit
--
Memory
L1 Cache
L2 Cache
RAM Nanoseconds
VM virtual memory milleseconds
--
--------------
TCB Vulnerabilities
Trusted computer base
- Backdoors and trapdoors
- Maintenance hooks
- TOC/TOU
- Race condition
- Buffer overflow
- Covert channels
--------------
Security model list ideas or concepts
- Lattice
- BLP
- confidentiality
- no read up
- no write down
- Biba
- no write up
- no read down
- Clark-Wilson
- user uses information to program
- Access to objects only through programs.
- integrity
- no interference
- Harrison-Ruzzo-Ullman
- Brewer-Nash
- conflict of interest
- " lawyer with two clients against each other. need to select one. if I select client A I should be prevented from seeing client B's information. "
--------------
TCSEC - Orange Book
Evaluation criteria
Trusted Computer System Evaluation Criteria.
TCSEC:(orange book) from the US DoD, it evaluates operating systems, application and systems. It doesn't touch the network part. It only addresses confidentiality.
D - minimal
C1 - Discrentionary protection
C2 - And controlled access protection(object reuse, protect audit trail)
B1 - Mandatory protection
B2 - and structured protection
B3 - AND saecurity domain
A1 - verified design
A - verified protection
---
Security Modes
Dedicated security mode:
- All users can access all data.
- Clearance for all information
- Need to know ALL data
System high security mode:
- All users can access some data, based on need to know
- Clearance for all information
- Need to know for SOME data.
Compartmented security mode:
- All users can access some data, based oin need to know
- Clearance for all information
- Need to know SOME data
Multi Level:
- All users can access some data, based on their need to know. approval and clearance
--------------
Information Systems Security Standards
- ITSEC
- Common Criteria
- CMMI
- ISO 27002
--
ITSEC: it is used in Europe only, not USA. Addresses CIA. Unlike TCSEC it evaluates functionality and assurance seperately. Assurance from E0 to E6(highest) and F1 to F10(highest).
Therefore a system can provide low assurance and high functionaility or vice versa.
Common criteria ISO 15408
Defines a protection profile that specifies the security requirements and protections of a product that is to be evaluated. Organized around TCB entities. Evaluation Assurance Levels(EAL)
- EAL0 - Inadequate assurance
- EAL1 - functionality tested.
- EAL2 - structurally tested.
- EAL3 - methodically tested and checked
- EAL4 - methodically designed, tested and reviewed
- EAL5 - Semi formally designed and tested
- EAL6 - semi formally verified design and tested
- EAL7 - formally verified design and tested
- Protection profile(PP): security requirements for a class of security devices
- Security target (ST): identifies the security properties of TOE
- Security Functional Requirements (SFRs): specific individual security functions.
---
Enterprise security architecture building blocks
- Boundary control services
- determine how/when information moves from one system to another.
- Access control services.
- Limit access to data/system to only authorized users, systems, or processes.
- Integrity services
- focus on keeping your data and your systems correct and free of corruption.
- Cryptographic services
- provide for confidentiality
- Auditing and monitoring services
- view what attempts are made against the systems and data you're trying to protect.
-------------
Virtualization
VM is "sandboxed" - isolated from host and other VMs.
- Tool is consolidated systems onto a single computer.
- Increases CPU and memory utilization.
- More efficient use of floor/rack space.
- saves power consumption
- Security benefits
- convenient isolation of malfunctioning system.
- Easy replacement of compromised system with known good copy.
- Easy to backup and restore whole system.
- Risk - guest processes might break out of sandbox.
---
Fault tolerance
- Allows for quick recovery if fault occurs.
- Uses redundant hardware, software, communication links or entire systems.
- Multiple levels:
- extra power supply
- spare hard drives
- redundant network links
- redundant peripherals, computers, servers
- design for automatic failover - unnoticed by users.
- hot spares (duplicate devices)
- cold spares in storage until failure.
- service down until spare can be manually failover implemented
- cold spares might not be configured to current state of system.
- best practice - keep data seperate from device to no single dependency.
---
Server fault tolerance techniques.
Clustering - Multiple servers run same service with shared data storage. One active node, while others remain passive until needed.
Network load balancing - All nodes actively servicing client requests with seperate copies of the data.
Virutalization - VMs can provide backup/redundancy at reduced cost
Redundancy and Replication - Replication of databases to another server.
---
New technology?
New technologies bring connectiveness, social enjoyment, and productivity:
- remote users
- mobile devices
- embedded systems
- web apps
- iot
and never before seen security challenges
- not all vulnerabilities have been discovered
- mitigation is often less clear than in the past.
---
Risks from remote computing and mobile workers
** HARDEN THE PROCESS **
- remote users identity is not guaranteed
- laptops are sometimes lost or stolen
- allowing laptop to connect to LAN vs DMZ
- if remote device becomes compromised, connection is already past the firewall
- No network access control remediation.
- insufficient controls that are easily bypassed by hackers/malware
- multiple device synchronization including password management in the cloud.
- presents the risk of data leakage
---
mobile device vulnerabilities
- physical access
- social engineering
- rooted or jailbroken devices
- bluetooth, wifi or infrared or other short range wireless connectivity.
- email
- bluetooth
- SMS
- third party apps
- USB or memory cards
- Operating system vulnerabilities
- MySQL database vulnerabilities
- GPS/location information
- camera/microphone
- cached credentials
- downloads.
---
Cryptography
- ciphers and cryptography
- symmetric key cryptography
- asymmetric key cryptography
- hashing and message digests
- email internet and wireless security
- cryptographic weaknesses
Unprotected Data -> Encryption -> Protected data -> decryption -> unprotected data
---
Cryptography and the CIA triad
Confidentiality - Encryption hides contents except from intended recipient
Integrity - Identifying encrypted data changes
Availability - Encrypted credentials support identity and authorization.
-
The enigma cryptosystem.
Used by germans in World War 2 to encrypt and decrypt messages.
-
Cipher evolution
- Early or manual era
- Mechanical era
- Software or modern era
- The future.
---
The ideal cipher
- Usability - simple keys and algorithms
---
Alternative Ciphers
- Steganography
- Watermark
- Code book
- One-time pad
---
Symmetric Encryption Key Cipher Types
Stream Cipher
KEY -> Keystream
Generator
||
Plaintext->XOR->Ciphertext
Block cipher
KEY
||
||
||
Plaintext->Cipher->Ciphertext
Block Block
---
DES(data encryption Standard) comes from IBM
- DEA data encryption algorithm x3.92, using 64 block size and 56bit key with 8bits parity
- 16 rounds of substitution and transposition
- Adds confusion and Diffusion
- Triple des = threa times encrypted DES, preferably with 3 different keys = DES-EE3. Actual key length = 168
bits. Uses 48 rounds of computations(3x16)
- replaced by AES advanced encryption standard.
---
XOR """
It is symbolized by the prefix operator J[2] and by the infix operators XOR (/ˌɛks ˈɔːr/ or /ˈzɔːr/), EOR, EXOR, ⊻, ⩒, ⩛, ⊕, ↮ {\displaystyle \nleftrightarrow } \nleftrightarrow, and ≢. The negation of XOR is the logical biconditional, which yields true if and only if the two inputs are the same.
It gains the name "exclusive or" because the meaning of "or" is ambiguous when both operands are true; the exclusive or operator excludes that case. This is sometimes thought of as "one or the other but not both". This could be written as "A or B, but not, A and B".
Since it is associative, it may be considered to be an n-ary operator which is true if and only if an odd number of arguments are true. That is, a XOR b XOR ... may be treated as XOR(a,b,...).
""" - wikipedia
---
Initialization Vectors
With key: abcdefghisjklmnopqrstuvwxyz
Plaintext message: "attack at dawn"
encrypted as: i8xfe zieam 5e3xy
IV: i8j3k0x12axejq9drfwxyqkdszzy
NOW: aqn7e zy8n2 qplm5
---
Symmetric Encryption Algorithms
- DES - US gov standard protocol.
- Ex: EEE3 / encrypted three times
EDE2 / encrypted using 2 keys
- 2DES
- 3DES
- IDEA
- AES
- Rc2, 4, 5, and 6
- Blowfish
- CAST-128
--
Symmetric Algorithm issues
* Transportation
* number of keys
****n(n-1)/2
-------------
Asymmetric Encryption Algorithms
- RSA
- Elgamel
- ECC
smartphone/tablet
- SET
- credit cards
-------------
hashing
- one-way encryption
--
Physical Security
- Physical Access Control
- Physical Access Monitoring
- Physical Security Methods
- Facilities Security.
--
- Power problems
- Fire/ Firefighting tools
- Data center/location/specification(most suitable place)/ No windows!
---
What is physical security
- The implementation and practice of various control mechanisms that are intended to restrict physical access to Facilities.
Communications
__
Devices / LOCK \ Buildings and grounds
--------
---
Layered protection
Physical protection works at four levels:
1. DETER - "a fence"
2. DETECT
3. DELAY
4. RESPOND
---
Layered protection areas
Physical security from facility boundaries to interior
- PERIMETER access
- FACILITY access
- SECURED AREA access
---
Physical Access Barriers
- Fencing
- small mesh and high gauge is most secure
- 3 4 feet deters casual trespasser
- 6 to 7 feet hard to clib easily
- 8 feet + wires deters intruders
no one STOPS a determined intruder!!!!!!
- Walls
- Doors
- Windows
- Lighting
- Bollards
---
Lock types
- Key lock
- Deadbolt lock
- Keyless lock or cipher lock
- Combination lock
- Intelligent lock
---
Facility control devices
- Automatic access control
- Card entry systems
- Biometric entry systems
- Guards
- most expensive
- can make judgement calls.
- Man traps
- jail
- IDS
- Alarms and responses
---
Facility control system components
- Entry restrictions
- Exit restrictions
- Intrusion detection
- Activity logging
---
Physical Access Logs
1. the name of the individual attempting access
2. the date and time of access
3. the access portal used
4. the ID used
5. the location of access to internal spaces, if required
6. unsuccessful or off-hours access atempts.
---
Alarm systems
- lights
- bells and sirens
- local activation/local response
- local activation/remote response
- remote activation/local response
- remote activation/remote response
---
Personnel Safety
- Personnel ALWAYS come first
- establish policies and procedures
- enforce personnel safety priorities
---
Power Issues
- affect security devices
- affect availability of data and resources.
--
Electrical Power
Interference
- clean = no interference
- line noise: can be EMI or RFI
- transient: short duration or noise
- counter: voltage regulators, grounding/shielding and line conditioners
EMI
- COMMON mode noise: difference between hot and ground
- Traverse mode noise: difference between hot and neutral
HINT: common--grounds
Excesses
- SPIKE: short high voltage
- SURGE: long high voltage
- COUNTER: surge protector
Losses
- FAULT: short outage
- BLACKOUT: long outage.
- COUNTER: Backup power
- Long term: Generator
- Short term: UPS
Degradation
- SAG/DIP: short low voltage
- BROWNOUT: long low voltage
- COUNTER: constant voltage transformers
Other
- Inrush Surge: surge of current required to power on devices
- Common mode noise: radiation from hot and ground wires
- Traverse-mode noise: radiation from hot and neutral wires
Static charge
40 sensitive circuits
1000 scramble monitor display
1500 disk drive dataloss
2000 system shutdown
4000 printer jam
17000 permanent chip damage
Use antistatic spray and flooring.(ground areas effectively)
---
Fire
- Fire drills
- Maintenanceof stairwells.
--
Classes
A Common WATER, SODA ACID
B Liquids -- GAS/Co2, SODA ACID
C Electrical -- GAS/Co2
D Metals -- DRY POWDER
WATER suppress temperature
SODA ACID reduces fuel supply
CO2 reduces oxygen
HALON chemical reaction / replacedwith FM200
--
- Fire distinguishers should be 50 feet from equipment and toward door.
---
Sprinklers
- Wet pipe
always contains water, fues nozzle melts at 165F
- Dry pipe
water in tank until clapper valve releases it
- Deluge
Douches, large amounts of water/foam
---
Network and telecommunications Security
- Data network design
- Remote data access
- Data network security
- Data network management
---
OSI model - *"All People Seem To Need Data Processing"* - OSI mnemonic
- application
- presentation
- session
- Transportation
- network
- data link
- physical
ES:
Physical Layer
The lowest layer of the OSI Model is concerned with electrically or optically transmitting raw unstructured data bits across the network from the physical layer of the sending device to the physical layer of the receiving device. It can include specifications such as voltages, pin layout, cabling, and radio frequencies. At the physical layer, one might find “physical” resources such as network hubs, cabling, repeaters, network adapters or modems.
Data Link Layer
At the data link layer, directly connected nodes are used to perform node-to-node data transfer where data is packaged into frames. The data link layer also corrects errors that may have occurred at the physical layer.
The data link layer encompasses two sub-layers of its own. The first, media access control (MAC), provides flow control and multiplexing for device transmissions over a network. The second, the logical link control (LLC), provides flow and error control over the physical medium as well as identifies line protocols.
Protect Your Network Layers with Forcepoint NGFW
Network Layer
The network layer is responsible for receiving frames from the data link layer, and delivering them to their intended destinations among based on the addresses contained inside the frame. The network layer finds the destination by using logical addresses, such as IP (internet protocol). At this layer, routers are a crucial component used to quite literally route information where it needs to go between networks.
Transport Layer
The transport layer manages the delivery and error checking of data packets. It regulates the size, sequencing, and ultimately the transfer of data between systems and hosts. One of the most common examples of the transport layer is TCP or the Transmission Control Protocol.
Session Layer
The session layer controls the conversations between different computers. A session or connection between machines is set up, managed, and termined at layer 5. Session layer services also include authentication and reconnections.
Presentation Layer
The presentation layer formats or translates data for the application layer based on the syntax or semantics that the application accepts. Because of this, it at times also called the syntax layer. This layer can also handle the encryption and decryption required by the application layer.
Application Layer
At this layer, both the end user and the application layer interact directly with the software application. This layer sees network services provided to end-user applications such as a web browser or Office 365. The application layer identifies communication partners, resource availability, and synchronizes communication.
---
TCP/UDP
Header
1/4 2/4 3/4
Address
IP Destination RI-MEIGRP OSPF protocols
MAC address
---
Application - layer 7 - C, AU, I, NR
FTP, SMB, TELNET, TFTP, SMTP, HTTP, NNTP, CDP, GOPHER, SNMP, NDS, AFP, SAP, NCP, SET. Technology Gateways. User data***
Presentation - layer 6 - C, AU, Encryption
Translations like EBCDIC/ANSI; compression/decompression and encryption/decryption. Standard like jpeg, tiff, MID. Technology: Gateway. MESSAGES
Session - layer 5 -- None
Inter-host communication, simplex, half duplex, full duplex.
Protocols as NSF, SQL, RADIUS, and RPC. Technology: Gateway
Transport - layer 4 - C, AU, I
End to end data transfer services and reliability. Technology: Gateways. Datagrams
Protocols: TCP, UDP, SSL, SSH-2, SPX, NetBios, ATP
Network - layer 3 - C, AU, I
Path selection and logical addressing. Technology: Virtual circuits(ATM), routers. Packets
Message routing, error detection and control of node data are managed.
IP, IPSEC, ICMP, BGP, OSPF, RIP, BOOTP, DHCP, ZIP, DDP, X.25 and IGMP
Data link - layer 2 - C
layer deals with addressing physical hardware.
Translates data into bits and formats them into data frames with destination header and source address. Error detection via checksums.
LLC: the Logical Link control sub layer. Flow control and error identification.
---
TCP/IP Model/Protocols
- DNS, DHCP, SMTP, POP, IMAP
- TCP/UDP
- IP, ARP, RARP, IGMP, ICMP
- Ethernet
---
Network architecture components
----------------------------------
ROUTER
SWITCH FIREWALL
GATEWAY APPLIANCE
----------------------------------
---
Switch
A network switch (also called switching hub, bridging hub, and, by the IEEE, MAC bridge) is networking hardware that connects devices on a computer network by using packet switching to receive and forward data to the destination device .
sends via mac address table.
A switch builds its MAC address table by recording the MAC address of each device connected to each of its ports. The switch uses the information in the MAC address table to send frames destined for a specific device out the port, which has been assigned to that device.
prevents data broadcasting.
ARP request to everyone. collects mac address table
ARP has no validation
spoof arp response
---
Router
Static routing
Dynamic routing
- let router decide
- assign network protocol
1 - Distance Vector Protocol ex RIP/RIPv2
- chooses according to less hook count
2 - LINK STATE - OSPF - Open Shortest Path First
- calculates all factors
- most effective
- hard to configure
3 - Hybrid Protocol - EIGRP - Enhanced Interior Gateway Routing Protocol
---
Firewall
Stateless firewall - Stateless firewalls are designed to protect networks based on static information such as source and destination. ... For example, stateless firewalls can't consider the overall pattern of incoming packets, which could be useful when it comes to blocking larger attacks happening beyond the individual packet
- EX
- allow port 80 - request -> response via random port
Statefull firewall - A stateful firewall is a kind of firewall that keeps track and monitors the state of active network connections while analyzing incoming traffic and looking for potential traffic and data risks. This firewall is situated at Layers 3 and 4 of the Open Systems Interconnection (OSI) model.
- EX
-allow port 80 - request -> response is being traced for dynamic port forwarding
--
Packet filtering routers - Packet filtering routers operate at the network and transport layers and in addition to performing the basic function of routing, they use screening rules to filter packets. These rules use IP addresses, IP options, TCP/UDP ports, and ICMP message types in making filtering decisions.
Screened-Host firewall system - A screened host firewall architecture uses a host (called a bastion host) to which all outside hosts connect, rather than allowing direct connection to other, less secure, internal hosts. To achieve this, a filtering router is configured so that all connections to the internal network from the outside network are directed toward the bastion host.
Screened-subnet firewalls - """ In network security a screened subnet refers to the use of one or more logical screening routers as a firewall to define three separate subnets: an external router (sometimes called an access router), that separates the external network from a perimeter network, and an internal router (sometimes called a choke router) that separates the perimeter network from the internal network. The perimeter network, also called a border network or demilitarized zone (DMZ), is intended for hosting servers (sometimes called bastion hosts) that are accessible from or have access to both the internal and external networks.[1][2][3] The purpose of a screened subnet or DMZ is to establish a network with heightened security that is situated between an external and presumed hostile network, such as the Internet or an extranet, and an internal network. """ - wikipedia
- two routers. one forwards DMZ another hosts network. *harden*
Dual homed host firewall - """ Dual-homed or dual-homing can refer to either an Ethernet device that has more than one network interface, for redundancy purposes, or in firewall technology, one of the firewall architectures for implementing preventive security. """ - wikipedia
--
Data Network Types
- LAN
- CAN
- MAN
- WAN
- PAN
- Switched networks
- Routed networks
---
Data network topology types
--
Start Topology
MACHINE MACHINE
\ /
HUB
/ \
MACHINE MACHINE
--
Bus topology
MACHINE MACHINE
T T
TERMINATOR---------------------------------------------------TERMINATOR
--
Ring Topology
MACHINE
/ \
MACHINE MACHINE
\ MACHINE /
--
Mesh Topology
MACHINE---------MACHINE
| \ / |
| X |
| / \ |
MACHINE---------MACHINE
--
Remote access technologies
- two different sides. side a, side b.
- requested to connect sides. options:
1 - Lease line - dedicated connection
- T1 line 1.44 mbps
- T3 Line 44.7 mbps
- E1 Line 2048 mbps European
2 - Serial Line IP(SLIP) TCP/IP over slow interfaces to communicate with external hosts
3 - Point to point protocol(PPP) improvement on slip, adds login, password and error(by CHAP and PAP) and error correction.
4 - Integrated Services Digital Network(ISDN) combinations of digital telephony and data transports. overtaken by xDSL.
5 - xDSL digital subscriber line uses telephone to transport high bandwidth data to remote subscribers.
- ADSL - Asymmetric. More downstream bandwidth up to 18000 feet over single copper cable pair
- SDSL - Symmetric up to 10000 feet over single copper cable pair
- HDSL High Rate T1 speed over two copper cable pairs up to 12 000 ft
- VDSL Very high speed 13 - 52 mbps down, 1.5-2.3 mbps upstream over a single copper pair over 1.00 to 4500 ft
6 - Internet - VPN connection
- PPTP
- works at data link layer of OSI
- Point to point PPP for authentication and tunneling
- Dial up network use.
- L2TP
- also in data link layer of OSI
- single point to point connection per session
- dial up network used
- port 115
- IPSEC
- operates at network layer os OSI
- enables multiple and simultaneous tunnels
- encrypts and authenticate
- build into IPv6
- network to network used
7 - Frame relay, ATM, MPLS
- bandwidth all the time.
- Frame relay is a protocol that defines how frames are routed through a fast-packet network based on the address field in the frame . Frame relay takes advantage of the reliability of data communications networks to minimize the error checking done by the network nodes.
8 - dial up
9 - X25 defines point to point communications between data terminal equipment and data circuit terminating equipment
10 - Link access Procedure Balanced LAPB created for use with X25, LAPB defines frame types and is capable of retransmitting, exchanging and acknowledging frames as detecting out of sequence or missing frames
11 - Switched multimegabit DATA service SMDS high speed communication over public switches networks for exchanging bursts of data between enterprises
12 - Voice over IP VOIP
--
Wireless
Wireless Security Protocols
- WEP - Level of security equivalent to wired network
- WPA - Provides additional encryption capabilities for wireless transmissions
- 802.11i or WPA2 - latest in wireless protection protocols
--
Network Attacks
- DoS
icmp Flooding SMURF
syn Flooding
three way handshake
- DDoS
botnet
zombie
massive dos attack using multiple machines
- Main in the middle
- Spam
- viruses
- Worm
- Trojan
- Malicious code
--
Network security mechanisms
- ACL
- FIREWALL
- IDS - intrusion detection system
- IPS - intrusion prevention system
- SEM
--
RAID
- no downtime
- Redundant array of independent disk
- combine physical hdd with same size
__ DISK
|
|
MACHINE ----|- DISK
|
|
__ DISK FAILS <-- Data can be restored if one disk fails
^
|
Data written to multiple disks
-
RAID levels
level 0 - Striping on multiple drives
level 1 - Mirroring or duplexing
level 2 - Striping with ECC
level 3 - Striping with parity on a single drive
level 4 - Striping by block with parity on a single drive
level 5 - Striping with parity information spread across drives
level 6 - Striping with two levels of parity calculation and parity information spread across drives
level 10 - Combination of level 1 and level 0
--
Information Systems Access Control
- Data Access Principles
- System Access and Authentication
- Penetration Test
--
Reference Monitors
Subject-->Reference Monitor-->Object
|
|
Deny Access by Default
--
Service Type
Identification & Authentication
Authorization
Audit
Accountability
--
Access Control Services Implementation
1. Indentify individual or entity attempting access
2. Verify identity of individual or entity
3. Evaluate rules and/or roles to determine permissions
4. Log each access attempt and function performed
5. Review logs.
Access Control Categories
Suffiecient to maintain the CIA triad:
- Preventative
- Detective
- Corrective
- Directive
Additional tools:
- Deterrent
- Recovery
- Compensating
--
DAC - discretionary access control
MAC - mandatory access control
--
Non discretionary Access Control Techniques
- Role based RBAC
- Rule based
- Content dependent
- Time-based
--
Identification Types
- Identities must be unique
- Two common types
ID CARDS // USER IDs
- password
- passphrase
- PIN
--
Biometric Errors
FRR - False rejection error
FAR - False acceptance rate
CER - Closeover Error rate
|
|
FAR FRR
| | |
| | |
\ /
| \ /
| \ /
CER
|
| / \
/ \
| / \
| | |
Type 1 Type 2
|
|__________________________________
---
Single Sign-On
|-- DATABASE
|
|
|
LOGIN---------MACHINE-------|-- PRINTER
|
|
|
|
|-- MEDIA
--
Kerberos
1------------------> | Authentication Server |
<-----------------2 | |
| |> Key distribution server
| |
USER 6------------------> | Ticket Granting Server |
<-----------------4 |
|
|
5------------------> |
<-----------------6 | File Server
Key:
1. I need to authenticate and I need a ticket
2. Here is a TGT
3. Here is my TGT; now I need a ST
4. Here is your ST
5. Here is my ST secure connection to the file server
6. User now has a secure connection to the file server.
---
Other SSO methods
- SESAME
- Addresses limitations of kerberos
- Servers do not require replication
- Uses symmetric and asymmetric keys
- Federations
- Trust between resource and account domains
- Typically uses certificate and PKI
--
Access Control Attack Methods
- Attacking the software
- DOS/ DDoS
- Buffer overflow
- Malicious software
- Mobile code
- Brute Force
- Dictionary Attack
- Sniffing
- Emanation
- Object reuse
- Trapdoor, backdoor, and maintenance hook
- Spoofing
- rainbow table attack
- A rainbow table attack is a password cracking method that uses a special table (a “rainbow table”) to crack the password hashes in a database. ... After the user enters their password to login, it is converted to hashes, and the result is compared with the stored hashes on the server to look for a match.
- encrypt to LM hash and compare
- Attacking the human element
- Guessing
- Shoulder surfing
- Dumpster diving
- Theft
- Social engineering
- Spoofing
--
Intrusion detection systems
IDS
- signature based
- works as anti virus
- behaviour based
- network based IDS
- host based (event viewer log) IDS
--
Security Assessment
- test both adminstrative and technical controls
- examine entire security posture
- policies
- organizations security culture.
- management attitude towards security
- risk of conducting a security assessment
- testers might focus only on technical controls ignoring administrative controls policy and culture.
- the testing process may disrupt normal operations
- the resulting data will not be properly interpreted
- recommendations will be ignored or improperly insufficiently implemented
-
Security Test Strategies
1. Create a security assessment policy
2. Create a security assessment methodology
3. Assign testing roles and responsibilities
4. Determine which systems you will test
5. Determine how you will approach the testing, addressing:
- logistical issues.
- legal regulations
- policy considerations
6. carry out test, addressing any incidents that arise during/because of the test.
7. Maintain the CIA prociples while handling the data through all phases:
- collection
- storage
- transmission
- destruction
8. Analyze data and create a report that will turn technical findings into risk mitigations actions to improve the organizations security posture.
--
Administrative ASsessment Test Output
- Responses by management and users to security related questions
- A list of existing or non existing procedures or documentation.
- recorded observation of user/management activities
- recorded observation of adherence to existing procedures/policies.
--
Technical Assessment Test Output
- Current firewall configuration of each system.
- Antivirus patch level of each system
- List of known or potential vulnerabilities found on each system
- List of default configurations found on each system
- List of unused user accounts found on each system
- List of user privilege levels on each resource or system
--
Vulnerability Assessment
COLLECT --> STORE --> ORGANIZE --> ANALYZE --> REPORT
Perform when:
- First deploy new/updated systems
- New vulnerabilities have been identified.
- A security breach occurs
- Need to document security state of systems.
-
- Port scanner
- Protocol analyzer
- Packet analyzer
- Network enumerator
- Intelligence gathering
-
Penetration Testing
RECONNAISSANCE-->SCANNING-->EXPLOITATION-->MAINTAINING ACCESS-->REPORTING
- Evaluate security by simulating and attack on a system.
- verify a threat exists
- actively test and bypass security controls
- exploit system vulnerabilities
- When compared to vulnerability assessment, it is:
- less common
- More intrusive
- An objective measurement
- A combination of multiple vulnerabilities
- Follow real attackers methodology, including target preparation/reasearch stages.
- difference between pen test and real attack is intent.
- need explicit permission of target organization.
-make sure organization knows test will not stop until attack is fully carried out.
- Report should include
- Steps undertaken
- Weaknesses identified.
- Recommendations.
---
Pen Test preparation
- Who will commision the test?
- Who will conduct the test?
- How will the test be confucted?
- What are the tests limitations?
- What tools will be used in the test?
--
Pen Test approaches
- Black box
- Most effective at real-world evaluation
- Most time and efforts
- Need to carefully consider who should know about the test.
- White box
- More comprehensive evaluation because of broad perspective of organizational systems.
- Most be too simulated - not able to account for attackers out of the box thinking
- Grey box
- Complex parameters needed to strike the perfect balance
FULL AMOUNT NONE
<------------------------------------------------------------>
| | |
| | |
| BLACK BOX | GREY BOX | WHITE BOX
| | |
| | |
| | |
| | |
| | |
-------------------------------------------------------------
---
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment