Sunflower CISSP - Crash Cram
CIA
DAD – the negative of CIA: disclosure, alteration and destruction
Confidentiality – prevent unauthorized disclosure; need to know and least privilege. Assurance that information is not disclosed to unauthorized programs, users or processes; encryption, logical and physical access control.
Integrity – no unauthorized modifications, consistent data; protecting data or a resource from being altered in an unauthorized fashion.
Availability – reliable and timely, accessible; fault tolerance and recovery procedures. WHEN NEEDED.

IAAA – requirements for accountability
Identification – user claims identity, used for user access control
Authentication – testing of evidence of the user's identity
Accountability – determine actions to an individual person
Authorization – rights and permissions granted
Privacy – level of confidentiality and privacy protections

Risk (12)
Not possible to get rid of all risk. Get risk to an acceptable/tolerable level.
Baselines – minimum standards
ISO 27005 – risk management framework
Budget – if not constrained, go for the $$$ security.

Responsibilities of the ISO (15)
Written Products – ensure they are done
CIRT – implement and operate
Security Awareness – provide leadership
Communicate – risk to higher management
Report to as high a level as possible
Security is everyone's responsibility

Control Frameworks (17)
Consistent – approach & application
Measurable – way to determine progress
Standardized – all the same
Comprehension – examine everything
Modular – to help in review and adaptive. Layered, abstraction.

Due Care – means the company did all that it could reasonably have done to try to prevent a security breach / compromise / disaster, and took the necessary steps required as countermeasures / controls (safeguards). The benefit of "due care" can be seen as the difference between the damage with or without "due care" safeguards in place. AKA doing something about the threats. Failing to perform periodic security audits can result in the perception that due care is not being maintained.
Due Diligence – means that the company properly investigated all of its possible weaknesses and vulnerabilities. AKA understanding the threats.

Patent – grants ownership of an invention and provides enforcement for the owner to exclude others from practicing the invention. After 20 years of application the idea is open source.
Copyright – protects the expression of ideas but not necessarily the idea itself, e.g. a poem or song; 70 years after the author dies.
Trade Secret – something that is proprietary to a company and important for its survival and profitability (like the formula of Coke or Pepsi). DON'T REGISTER – no application.
Trademarks – words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald's M); 10 years.
Wassenaar Arrangement (WA) – dual-use goods & trade, international cryptographic agreement, prevent destabilizing.
Computer Crimes – loss, image, penalties
Fourth Amendment – the basis for privacy rights is the Fourth Amendment to the Constitution.

Regulations
SOX, Sarbanes-Oxley, 2002 – after the ENRON and World Online debacle. Independent review by external accountants.
Section 302: CEOs and CFOs can be sent to jail when information they sign is incorrect. CEO SIGN.
Section 404 is about internal controls assessment: describing logical controls over accounting files; good auditing and information.
Corporate Officer Liability (SOX) – Executives are now held liable if the organization they represent is not compliant with the law.
Negligence occurs if there is a failure to implement recommended precautions, if there is no contingency/disaster recovery plan, failure to conduct appropriate background checks, failure to institute appropriate information security measures, failure to follow policy or local laws and regulations.
COSO – framework to work with Sarbanes-Oxley 404 compliance (TREADWAY COMMISSION).
European laws: Need for information security to protect the individual. Privacy is the keyword here! Only use information of individuals for what it was gathered for. (Remember ITSEC, the European version of TCSEC that came from the USA/Orange Book; they come together in Common Criteria, but there still is some overlap.)
• strong in anti-spam and legitimate marketing
• Directs public directories to be subjected to tight controls
• Takes an OPT-IN approach to unsolicited commercial electronic communications
• User may refuse cookies to be stored and user must be provided with information
• Member states in the EU can make own laws e.g. retention of data
COBIT – examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of high level control objectives. Having controls, GRC, heavy auditing, metrics, regulated industry.

Incident – an event that has potential to do harm
Breach – incident that results in disclosure or potential disclosure of data
Data Disclosure – unauthorized acquisition of personal information
Event – Threat events are accidental and intentional exploitations of vulnerabilities.

Laws (28)
ITAR, 1976 – Defense goods, arms export control act
FERPA – Education
GLBA, Graham, Leach, Bliley – credit related PII (21)
ECS, Electronic Communication Service (Europe) – notice of breaches
1974 US Privacy Act – Protection of PII on federal databases
1980 Organization for Economic Cooperation and Development (OECD) – Provides for data collection, specifications, safeguards
1986 (amended in 1996) US Computer Fraud and Abuse Act – Trafficking in computer passwords or information that causes a loss of $1,000 or more or could impair medical treatment.
1986 Electronic Communications Privacy Act – Prohibits eavesdropping or interception w/o distinguishing private/public
Communications Assistance for Law Enforcement Act (CALEA) of 1994 – amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
1987 US Computer Security Act – Security training, develop a security plan, and identify sensitive systems in govt. agencies.
1991 US Federal Sentencing Guidelines – Responsibility on senior management with fines up to $290 million. Invoke prudent man rule. Address both individuals and organizations.
1996 US Economic and Protection of Proprietary Information Act – industrial and corporate espionage
1996 Health Insurance Portability and Accountability Act (HIPAA) – amended
1996 US National Information Infrastructure Protection Act – Encourage other countries to adopt similar framework.
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) – Congress amended HIPAA by passing this Act. This law updated many of HIPAA's privacy and security requirements. One of the changes is a change in the way the law treats business associates (BAs), organizations who handle PHI on behalf of a HIPAA covered entity. Any relationship between a covered entity and a BA must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements.
Ethics (33)
Just because something is legal doesn't make it right. Within the ISC context: protecting information through CIA.
ISC2 Code of Ethics Canons
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Internet Advisory Board (IAB), Ethics and Internet (RFC 1087): Don't compromise the privacy of users. Access to and use of the Internet is a privilege and should be treated as such. It is defined as unacceptable and unethical if you, for example, gain unauthorized access to resources on the internet, destroy integrity, waste resources or compromise privacy.

Business Continuity plans development (38)
- Defining the continuity strategy
- Computing strategy to preserve the elements of HW/SW/communication lines/data/application
- Facilities: use of main buildings or any remote facilities
- People: operators, management, technical support persons
- Supplies and equipment: paper, forms, HVAC
- Documenting the continuity strategy

BIA (39)
Goal: to create a document to be used to help understand what impact a disruptive event would have on the business.
Gathering assessment material
- Org charts to determine functional relationships
- Examine business success factors
Vulnerability assessment
- Identify critical IT resources out of critical processes; identify disruption impacts and Maximum Tolerable Downtime (MTD)
- Loss: quantitative (revenue, expenses for repair) or qualitative (competitive edge, public embarrassment). Presented as low, medium, high.
- Develop recovery procedures
Analyze the compiled information
- Document the process; identify inter-dependability
- Determine acceptable interruption periods
Documentation and Recommendation
RTO < MTD

ITIL (55)
ITIL – best practices for IT core operational processes, not for audit
- Service
- Change
- Release
- Configuration
Strong end to end customer focus/expertise. About services and service strategy.

Administrative Management Controls (47)
Separation of duties – assigns parts of tasks to different individuals, thus no single person has total control of the system's security mechanisms; prevent collusion.
M of N Control – requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. So, implementing three of eight controls would require three people out of the eight with the assigned work task of key escrow recovery agent to work together to pull a single key out of the key escrow database.
Least privilege – a system's user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest time. Three types: Read only, Read/write and Access/change.
Two-man control – two persons review and approve the work of each other, for very sensitive operations.
Dual control – two persons are needed to complete a task.
Rotation of duties – limiting the amount of time a person is assigned to perform a security related task before being moved to a different task, to prevent fraud; reduce collusion.
Mandatory vacations – prevent fraud and allow investigations; one week minimum; kill processes.
Need to know – the subject is given only the amount of information required to perform an assigned task; business justification.
Agreements – NDA, no compete, acceptable use

Employment (48)
- Staff members pose more threat than external actors: loss of money, stolen equipment, loss of time/work hours, loss of reputation, declining trust and loss of resources, bandwidth theft; due diligence
- Voluntary & involuntary ------------------ Exit interview!!!

Third Party Controls (49)
- Vendors
- Consultants
- Contractors
Properly supervised, rights based on policy

Risk Management (52)
GOAL – Determine impact of the threat and risk of the threat occurring. The primary goal of risk management is to reduce risk to an acceptable level.
Step 1 – Prepare for Assessment (purpose, scope, etc.)
Step 2 – Conduct Assessment
- ID threat sources and events
- ID vulnerabilities and predisposing conditions
- Determine likelihood of occurrence
- Determine magnitude of impact
- Determine risk
Step 3 – Communicate Risk/results
Step 4 – Maintain Assessment/regularly
Types of Risk
Inherent – chance of making an error with no controls in place
Control – chance that controls in place will prevent, detect or control errors
Detection – chance that auditors won't find an error
Residual – risk remaining after control in place
Business – concerns about effects of unforeseen circumstances
Overall – combination of all risks, aka Audit risk
Preliminary Security Examination (PSE): Helps to gather the elements that you will need when the actual Risk Analysis takes place.
ANALYSIS Steps: Identify assets, identify threats, and calculate risk.
ISO 27005 – deals with risk

Risk Assessment Steps (60)
Four major steps in Risk assessment? Prepare, Perform, Communicate, Maintain

Qualitative (57)
Approval –
Form Team –
Analyze Data –
Calculate Risk –
Countermeasure Recommendations –
REMEMBER HYBRID!

Risk Management Concepts (52)
Threat – damage
Vulnerability – weakness to threat vector (never does anything)
Likelihood – chance it will happen
Impact – overall effects
Residual Risk – amount left over
Organizations own the risk
Risk is determined as a byproduct of likelihood and impact
Quantitative Risk Analysis (58)
- Quantitative VALUES!!
- SLE (Single Loss Expectancy) = Asset Value * Exposure Factor (% loss of asset)
- ALE (Annual Loss Expectancy) = SLE * ARO (Annualized Rate of Occurrence)
Accept; Mitigate (reduce by implementing controls, calculate costs); Assign (insure the risk to transfer it); Avoid (stop business activity).
Loss = probability * cost
Residual risk – where the cost of applying extra countermeasures is more than the estimated loss resulting from a threat or vulnerability (C > L). Legally the remaining residual risk is not counted when deciding whether a company is liable.
Controls gap – is the amount of risk that is reduced by implementing safeguards. A formula for residual risk is as follows: total risk – controls gap = residual risk
RTO – how quickly you need to have that application's information available after downtime has occurred
RPO – Recovery Point Objective: point in time that application data must be recovered to resume business functions; AMOUNT OF DATA YOU'RE WILLING TO LOSE
MTD – Maximum Tolerable Downtime: maximum delay a business can be down and still remain viable
MTD minutes to hours: critical
MTD 24 hours: urgent
MTD 72 hours: important
MTD 7 days: normal
MTD 30 days: non-essential
PLAN: Accept, Build Risk Team, Review
Once in 100 years = ARO of 0.01
SLE is the dollar value lost when an asset is successfully attacked
Exposure Factor ranges from 0 to 1
NO – ALE is NOT the annual % of the asset lost when attacked

Determination of Impact (61)
Life, dollars, prestige, market share

Risk Response (61)
Risk Avoidance – discontinue the activity because you don't want to accept the risk
Risk Transfer – passing on the risk to another entity
Risk Mitigation – elimination or decrease in level of risk
Risk Acceptance – live with it and pay the cost
Background checks – mitigation, acceptance, avoidance
Functional order in which controls should be used: Deterrence, Denial, Detection, Delay

Risk Framework Countermeasures (63)
- Accountability
- Auditability
- Source trusted and known
- Cost-effectiveness
- Security
- Protection for CIA of assets
- Other issues created? If it leaves residual data from its function

Controls (68)
Primary Controls (Types) – (control cost should be less than the value of the asset being protected)
Administrative/Managerial Policy (also called soft measures!)
- Preventive: hiring policies, screening, security awareness
- Detective: screening behavior, job rotation, review of audit records
Technical (aka Logical)
- Preventive: protocols, encryption, biometrics, smartcards, routers, firewalls
- Detective: IDS and automatically generated violation reports, audit logs, CCTV (never preventative)
Physical (Domain 5) – see and touch
- Fences, door, lock, windows etc.
- Preventive: fences, guards, locks
- Detective: motion detectors, thermal detectors, video cameras
Prime objective – is to reduce the effects of security threats and vulnerabilities to a tolerable level
Risk analysis – process that analyses threat scenarios and produces a representation of the estimated potential loss

Main Categories of Access Control (67)
- Directive: specify rules of behavior
- Deterrent: discourage people, change my mind
- Preventative: prevent incident or breach
- Compensating: sub for loss of primary controls
- Detective: signal warning, investigate
- Corrective: mitigate damage, restore control
- Recovery: restore to normal after incident

Control Assessment (76)
Control | Accuracy | Security | Consistency
Preventive | Data checks, validity checks | Labels, traffic padding, encryption | DBMS, data dictionary
Detective | Cyclic Redundancy | IDS, audit trails | Comparison tools
Corrective | Checkpoint, backups | Emergency response | Database controls

Penetration Testing (77)
Testing a network's defenses by using the same techniques as external intruders.
Scanning and Probing – port scanners
• Demon Dialing – war dialing for modems
• Sniffing – capture data packets
• Dumpster Diving – searching paper disposal areas
• Social Engineering – most common, get information by asking
Penetration testing
Blue team – has knowledge of the organization; can be done frequently and is least expensive
Red team – is external and stealthy
White box – ethical hacker knows what to look for, sees code as a developer
Grey box – partial knowledge of the system, sees code, acts as a user
Black box – ethical hacker not knowing what to find
4 stages: planning, discovery, attack, reporting
Vulnerabilities exploited: kernel flaws, buffer overflows, symbolic links, file descriptor attacks
Other model: footprint network (information gathering), port scans, vulnerability mapping, exploitation, report. Scanning tools are used in penetration tests.
Flaw hypothesis methodology = operating system penetration testing
Egregious hole – tell them now!
Strategies – external, internal, blind, double-blind
Categories – zero, partial, full knowledge tests

Pen Test Methodology (79)
Recon/discover –
Enumeration –
Vulnerability analysis –
Execution/exploitation –
Document findings/reporting – SPELL OUT AND DEFINE!!!!
Look at your posture

Deming Cycle (83)
Plan – ID opportunity & plan for change
Do – implement change on small scale
Check – use data to analyze results of change
Act – if change successful, implement on wider scale; if it fails, begin cycle again
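The SLE/ALE formulas and the cost-versus-loss rule for residual risk from the Quantitative Risk Analysis notes, carried through in code. This is an added worked example, not part of the Sunflower sheet: the data-centre figures (asset value, exposure factors, ARO, safeguard cost) are constructed, and the function names are this example's own.

```python
"""Quantitative risk analysis worked example (added illustration, not from the
Sunflower CISSP sheet). Implements the sheet's formulas:
    SLE = Asset Value * Exposure Factor
    ALE = SLE * ARO
and the sheet's cost/benefit rule: apply a countermeasure only while its cost
stays below the loss it prevents; what is left is residual risk."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF: fraction of the asset lost per incident (0..1)
    aro: float              # Annualized Rate of Occurrence (once in 100 years = 0.01)


def sle(s: Scenario) -> float:
    """Single Loss Expectancy: dollars lost when the asset is attacked once."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annual Loss Expectancy: SLE times how often it happens per year."""
    return sle(s) * s.aro


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Cost/benefit value of a safeguard: ALE(before) - ALE(after) - annual cost.
    Positive means the safeguard prevents more loss than it costs."""
    return ale(before) - ale(after) - annual_cost


def recommend(before: Scenario, after: Scenario, annual_cost: float) -> str:
    """'mitigate' when the safeguard pays for itself; otherwise 'accept' the
    remaining (residual) risk, since the cost C exceeds the loss L it removes."""
    return "mitigate" if safeguard_value(before, after, annual_cost) > 0 else "accept"


if __name__ == "__main__":
    # Constructed scenario: a $1M data centre, a fire destroys 25% of it,
    # expected once every 100 years (ARO 0.01).
    fire = Scenario(asset_value=1_000_000, exposure_factor=0.25, aro=0.01)
    # A suppression system (constructed figure) cuts the damage to 5% per fire.
    with_suppression = Scenario(asset_value=1_000_000, exposure_factor=0.05, aro=0.01)
    print(f"SLE = ${sle(fire):,.0f}  ALE = ${ale(fire):,.0f}")
    for cost in (1_500, 2_500):
        print(f"safeguard at ${cost}/yr: value ${safeguard_value(fire, with_suppression, cost):,.0f}"
              f" -> {recommend(fire, with_suppression, cost)}")
```

The same functions apply to any threat scenario; the decision rule is the sheet's point that a control whose annual cost exceeds the ALE it removes is not worth buying, and the risk it would have covered stays as residual risk.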
Identification of Threat (86)
Individuals must be qualified with the appropriate level of training.
- Develop job descriptions
- Contact references
- Screen/investigate background
- Develop confidentiality agreements
- Determine policy on vendor, contractor, consultant, and temporary staff access
DUE DILIGENCE

Software Licenses (91)
Public domain – available for anyone to use
Open source – source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone
Freeware – proprietary software that is available for use at no monetary cost. May be used without payment but may usually not be modified, re-distributed or reverse-engineered without the author's permission

Assurance (92)
Degree of confidence in satisfaction of security requirements. Assurance = other word for security. THINK OUTSIDE AUDIT.

Successful Requirements Gathering (92)
Don't assume what the client wants
Involve users early
Define and agree on scope
MORE

Terms
Wire Tapping – eavesdropping on communication; only legal with prior consent or warrant
Data Diddling – act of modifying information, programs, or documents to commit fraud; tampers with INPUT data
Privacy Laws – data collected must be collected fairly and lawfully and used only for the purpose it was collected.
Water holing – create a bunch of websites with similar names
Work Function (factor) – the difficulty of obtaining the clear text from the cipher text as measured by cost/time
Fair Cryptosystems – In this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.
SLA – agreement between IT service provider and customer; document service levels; divorce: how to dissolve the relationship
SLR (requirements) – requirements for a service from the client's viewpoint
Service level report – insight into a service provider's ability to deliver the agreed upon service quality
Legislative drivers? FISMA (federal agencies). Phase 1: categorizing, selecting minimum controls, assessment. Phase 2: create a national network of secure services to assess.
Firewalls
A method of guarding a private network by analyzing the data leaving and entering. Firewalls can also provide network address translation, so the IP addresses of computers inside the firewall stay hidden from view.
Packet-filtering firewalls (layer 3/4) – use rules based on a packet's source, destination, port or other basic information to determine whether or not to allow it into the network.
Stateful packet filtering firewalls (layer 7) – have access to information such as the conversation; they look at the state table and the context of packets to make their decisions.
Application Proxy firewalls (layer 7) (3-7 actually) – look at content and can involve authentication and encryption; can be more flexible and secure but also tend to be far slower.
Circuit level proxy (layer 5) – looks at the header of the packet only; protects a wider range of protocols and services than an app-level proxy, but not with as detailed a level of control. Basically once the circuit is allowed, all info is tunneled between the parties. Although firewalls are difficult to configure correctly, they are a critical component of network security.
SPF, Static Packet Firewall (layer 3) -
Network IPv4 (354)
TCP/IP Classes
Class A network number values begin at 1 and end at 127
Class B network number values begin at 128 and end at 191
Class C network number values begin at 192 and end at 223
ISDN
BRI – B-channel 64Kbps, D-channel 16Kbps
PRI – B- and D-channels are 64Kbps
802.11 has CSMA/CA as protocol. Can use DSSS and FHSS (ss stands for spread spectrum). 802.11b uses only DSSS.
Before a computer can communicate with the internet, it needs an IP address, a default gateway and a subnet mask.
To connect multiple LAN segments you can use Bridges, Switches and Routers.
Fast Ethernet 100Base-TX has as characteristics: 100Mbps data transmission, 1 pairs Cat5 UTP and max segment of 100 meters (328 feet).
Unsubnetted netmask is shown as /24
Other word for DMZ is screened subnet
FTP, RLOGIN and TELNET never use UDP but TCP
Attenuation – is a decrease in amplitude as a signal propagates along a transmission medium
SSL session key length is from 40 bit to 256 bit
The bridge connects multiple networks at the data link layer, while the router connects multiple networks at the network layer.
Data backups address availability, integrity and recovery but not confidentiality.
IP headers contain 32-bit addresses (in IPv4) and 128 in IPv6. In an Ethernet LAN, however, addresses for attached devices are 48 bits long.
Subnet Masks
Class A 255.0.0.0
Class B 255.255.0.0
Class C 255.255.255.0
Leased lines use multiple lines and/or multiple vendors. Fault tolerance by relaying fault segments to working.
Speeds: T-1 – 1.544 Mbps, T-3 – 44,736 Mbps (45); ATM – 155 Mbps; ISDN – 64 or 128 Mbps
CAT 3 UTP: 10 Mbps; CAT 5: 100 Mbps; CAT 5e/6 – 1,000 Mb

Types of Wireless Networks (364)
Uses the 802.11x specification to create a wireless LAN
Ad hoc Mode – directly connect two+ clients, no access point
Infrastructure Mode – connects endpoints to a central network, not directly to each other; need access point and wireless clients for IM mode wireless
Stand-alone Mode – isolated system
WEP – don't use, can be cracked in seconds; predecessor to WPA and WPA2; confidentiality; uses RC4 for encryption; weakened by use of RC4, use of a common key and a limited number of initialization vectors
WPA – uses TKIP for data encryption
WPA2 – based on 802.11i, uses AES, key management, replay attack protection, and data integrity; most secure; CCMP included
WPA2 ENTERPRISE Mode – uses RADIUS; account lockout if a password-cracker is used
TKIP – Temporal Key Integrity Protocol, uses RC4
LEAP – Lightweight Extensible Authentication Protocol, Cisco proprietary protocol to handle problems with TKIP; security issues, don't use. Provides reauthentication but was designed for WEP.

TCP Ports
- TCP 20 & 21; TCP
- UDP 21; not used for any common file transfer protocol
- TCP 21 & UDP 21;
- TCP 22; SSH (SFTP operates over SSH)
- TCP 23; telnet
- TCP 515; LPD – print
- TCP 25; SMTP (Simple Mail Transfer Protocol)
- TCP 53; DNS
- TCP 110; POP3
- TCP 80; HTTP – no confidentiality
- TCP 143; IMAP (Internet Message Access Protocol)
- TCP 389; unsecure LDAP
- TCP 636; LDAP-S over SSL or TLS
- TCP 9100; network printers
- UDP 69; TFTP (Trivial FTP)
- 6000-6063; X Windows, Linux
- TCP 443; HTTPS – Nikto to scan
- TCP 445; Active Directory
- TCP 1433; Microsoft SQL, Db
- TCP 1521; Oracle
- TCP 3389; RDP
- TCP 3268/3269; global catalog (unsecure/secure)
- TCP/UDP 137-139; NetBIOS services

Switched Networks (378)
Coaxial – many workstations, length. 1000Base-T – 100 M
Twisted pair – too long. Cat 5 better than cat3 for interference
Fiber optics – immune to EMI, can be broken, and high cost/expertise
Topology failures
Ethernet twisted pair – more resistant than coaxial
Token Ring – because a token is passed by every station, a NIC that is set to the wrong speed or in error can take the whole network down
Fiber Distributed Data Interface – form of token ring that has a second ring that activates on error
Frame Relay WAN – over a public switched network. High

Email Security Solutions & Certs (368)
LDAP – Lightweight Directory Access Protocol, client/server based directory query protocol loosely based upon X.500; commonly manages user information, for accessing directory services and managing certificates. Ex. Active Directory, cn=ben+ou=sales. Zero or more, comma separated, no semi-colon, + to join.
SASL – provides secure LDAP authentication
OpenLDAP – default, stores user PW in the clear
Client SSL Certificates – used to identify clients to servers via SSL (client authentication)
S/MIME Certificates – used for signed and encrypted emails; can form sign, and use as part of an SSO solution
MOSS – MIME Object Security Services, provides authentication, confidentiality, integrity, and nonrepudiation
PEM – provides authentication, confidentiality, integrity, and nonrepudiation
DKIM – DomainKeys Identified Mail, domain validation tool
OAuth – ability to access resources from another service
OpenID – paired with OAuth; is a RESTful, JSON-based authentication protocol; can provide identity verification and basic profile information; phishing attack possible by sending fake data

Security Perimeter (370)
The first line of protection between trusted and untrusted networks. Generally includes a firewall and router that help filter traffic. May also include proxies, IDSs, and IPSs.
Zero Day – application white list

Operations of Hardware (374)
Multiplexors – device that enables more than one signal to be sent out of one physical circuit
WAN switches – multi-port networking devices that are used in carrier networks. Connect private data over public data by using digital signals. Data link layer.
Access servers – server that provides dial-in and dial-out connections to the network
Modems – transmit data over telephone lines
Channel Service Unit (CSU)/Data Service Unit (DSU) – digital interface device used to terminate the physical interface on a DTE device. They connect to the closest telephone company switch in a central office (CO).

LAN Devices (374)
Repeaters – amplify data signals to extend range (physical)
HUBS – connect multiple LAN devices into a concentrator. Is actually a multi-port repeater (physical)
Bridges – Forward data to all other network segments if it's not on the local segment. Operates at level 2 (thus no IP addressing)
Switches – Will only send data to the specific destination address. It's actually a multi-port bridge. (Data link)
Routers – open up the data packet, read the hardware or network address and then forward it to the correct network
Gateway – software that acts as an access point to another network, or a device that translates between different protocols
LAN extenders – remote access, multi-layer switch that connects LANs over a WAN
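The classful ranges, default subnet masks and the "IP address, default gateway and subnet mask" requirement from the IPv4 notes above, turned into checks a practitioner would actually run. This is an added example, not part of the Sunflower sheet; it uses only Python's standard ipaddress module, and the function names and the sample addresses are this example's own (constructed).

```python
"""Added example (not from the Sunflower CISSP sheet): classful IPv4 helpers.
Implements the sheet's Class A/B/C first-octet ranges and default masks, the
mask-to-prefix mapping (255.255.255.0 is /24), and the same-subnet test that
decides whether a host can reach its configured default gateway directly."""
import ipaddress

# Default (classful) masks exactly as the sheet lists them.
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def classful_class(ip: str) -> str:
    """Return 'A', 'B' or 'C' from the first octet (sheet's ranges);
    anything above 223 (multicast/reserved) is reported as 'D/E'."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if 1 <= first_octet <= 127:
        return "A"
    if 128 <= first_octet <= 191:
        return "B"
    if 192 <= first_octet <= 223:
        return "C"
    return "D/E"


def default_mask(ip: str) -> str:
    """Classful default subnet mask for an address, e.g. 172.16.5.9 -> 255.255.0.0."""
    cls = classful_class(ip)
    if cls not in DEFAULT_MASK:
        raise ValueError(f"{ip} is not a class A/B/C unicast address")
    return DEFAULT_MASK[cls]


def prefix_length(mask: str) -> int:
    """Dotted mask to CIDR prefix; IPv4Network rejects non-contiguous masks."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def network_address(ip: str, mask: str) -> str:
    """Bitwise AND of address and mask gives the network portion."""
    net = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(net))


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts share a subnet when their network portions match."""
    return network_address(a, mask) == network_address(b, mask)


def gateway_reachable(ip: str, mask: str, gateway: str) -> bool:
    """A default gateway must sit on the host's own subnet, otherwise the host
    has no way to send it traffic; a common misconfiguration to check for."""
    return same_subnet(ip, gateway, mask)


if __name__ == "__main__":
    for host in ("10.1.2.3", "172.16.5.9", "192.168.1.10"):  # constructed samples
        print(host, classful_class(host), default_mask(host),
              f"/{prefix_length(default_mask(host))}")
    print("gateway ok:", gateway_reachable("192.168.1.10", "255.255.255.0", "192.168.1.1"))
    print("gateway ok:", gateway_reachable("192.168.1.10", "255.255.255.0", "192.168.2.1"))
```

The same-subnet test is the bitwise rule behind the sheet's classful table, so it also works for classless masks such as 255.255.255.128 (/25), which the classful helpers above do not cover.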
Terms
Broadband Technologies – ISDN, cable modems, DSL, and T1/T3 lines that can support multiple simultaneous signals. They are analog and not broadcast technologies.
Broadcast Domain – set of systems that can receive a broadcast from each other
CHAP – Challenge-Handshake Authentication Protocol, used by PPP servers to authenticate remote clients. Encrypts username and PW and performs periodic re-authentication while connected, using techniques to prevent replay attacks.
CIR – (Committed Information Rate) minimum bandwidth guarantee provided by a service provider to customers
Collision Domain – set of systems that could cause a collision if they transmitted at the same time; more systems in the domain increases the likelihood of network congestion due to more collisions
Data Streams – occur at the Application, Presentation, and Session layers
EAP, Extensible Authentication Protocol – an authentication framework. Effectively, EAP allows new authentication technologies to be compatible with existing wireless or point-to-point connection technologies; extensible was used for PPP connections
FCoE – Fibre Channel over Ethernet, allows existing high-speed networks to be used to carry storage traffic
FDDI – Fiber Distributed Data Interface, token-passing network; uses a pair of rings with traffic flowing in opposite directions; uses tokens
FTP – File Transfer Protocol
Gateway – translates between protocols
ICMP – Internet Control Message Protocol, means to send error messages for non-transient error conditions and provides a way to probe the network in order to determine general characteristics about the network; ping
iSCSI – Internet Small Computer Systems Interface, converged protocol that allows location-independent file services over traditional network technologies. Costs less than Fibre. Standard for linking data storage sites.
ISDN – PRI (Primary Rate Interface) bandwidth of 1.544 Mbps, faster than BRI's 144 Kbps
MAC – Machine Access Control, hardware address of machine; can tell manufacturer

Terms (Cont)
PPP – Point-to-Point Protocol, most common, used for dial-up connections; replaced SLIP
Proxy – form of gateway that provides clients with a filtering, caching, or other service that protects their information from remote systems
PVCs – Private Virtual Circuits
RST flag – used to reset or disconnect a session; resumed by restarting the connection via a new three-way handshake
Converged Network – carries multiple types of traffic like voice, video, and data
SDN – Software-defined networking; defined and configured as code or software; quickly change the network based on organizational requirements
Hypervisor-based Network – may be software defined, but could also use traditional network devices running as virtual machines
SSID – normally disabled for secure networks
Site Survey – identify areas where the wireless network may be accessible
SONET – protocol for sending multiple optical streams over fiber
SUBNET – logical division of a network
Supernet – made up of two or more networks
UDP – User Datagram Protocol, lightweight service for connectionless data transfer without error detection and correction
WAF – Web Application Firewall
Wired Extension Mode – uses a WAP to link wireless clients to a wired network
AMP – Asymmetric multiprocessing, used in applications that are dedicated, such as embedded systems, when individual processors can be dedicated to specific tasks at design time
SMP – Symmetric Multiprocessing, hardware and software architecture where two or more identical processors are connected to a single, shared main memory, have full access to all I/O devices, and are controlled by a single operating system instance that treats all processors equally, reserving none for special purposes

Attacks, Malware, and Bad Stuff
ARP Spoofing –
Bluejacking – when attackers send unsolicited messages via Bluetooth

Network Attacks – Denial of Service
Used to overwhelm a target's resources
- Filling up the hard drive by using huge email attachments or file transfers
- Sending messages to reset the target host's subnet masks
- Using up all system resources
DOS – performed by sending malformed packets to a system; can interrupt service or completely deny legitimate users of system resources. An attack that attempts to prevent authorized use of a resource. This can be done through flaw exploitation, connection overloading, or traffic flooding.
DDOS – botnet, zombie; massive DoS attack using multiple computers
SMURF – ICMP; requires three players (attacker, victim and amplifying network); the attacker spoofs the packet header to make it appear that it originated on the victim system, with the amplifying network broadcasting the message.
Countermeasures – disable broadcast at border routers; border routers should not accept packets that originate within the network; restrict ICMP traffic (Hint: IC = Its Smurf, though spelled wrong)
FRAGGLE – similar to Smurf but uses UDP
Countermeasures – disable broadcast at border routers; border routers should not accept packets that originate within the network; restrict UDP traffic; employ IDS; apply appropriate patches; block UDP ports 7 & 9 from entering the network
Land Attack – The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination. The reason a LAND attack works is because it causes the machine to reply to itself continuously.
SYN FLOOD – TCP packets requesting a connection (SYN bit set) are sent to the target network with a spoofed source address. The target responds with a SYN-ACK packet, but the spoofed source never replies. This can quickly overwhelm a system's resources while waiting for the half-open connections to time out. This causes the system to crash or otherwise become unusable. Counter: SYN cookies/proxies, where connections are created
Multilayer Protocols – allow encryption at various layers, support later
Bluesnarfing – targets the data or information on Bluetooth- Teardrop - The length and fragmentation offset fields of sequential
a range of protocols at higher levels. Bad – conceal covert enabled devices
channels, filters can be bypassed, sometimes logical boundaries IP packets are modified, causing the target system to become
CAIN Attack - confused and crash. Uses fragmented packets to target a TCP
can be bypassed DNS Spoofing – when an attacker sends false replies to a
MPLS – Multiprotocol Label Switching, high performance flaw in how the TCP stack reassembles them. DOS
requesting system, beating valid replies from the real DNS server
networking, uses path labels instead of network addresses, wide Common Session Hijacking Attacks:
DNS Poisoning – when an attacker changes the domain name to
area networking protocol, label switching, finds final destination Session hijacking (Spoofing) - IP spoofing involves altering a
IP address mappings of a system to redirect traffic to alternative
and then labels route for others to follow systems TCP packet so that it appears to be coming from a known, trusted
PAP – Password Authentication Protocol, sends PW unencrypted RDP – provides terminal sessions w/out source, thus giving the attacker access to the network. Intercept
PEAP – provides encryption for EAP methods and can provide Screenscraper – copy actual screen, subset of remote control cookies from a request header
authentication, does not implement CCMP, encapsulates EAS in a SPIT attacks – Spam over Internet Telephony and targets VoIP TCP sequence number attack – intruder tricks target to believe it
TLS tunnel systems is connected to a trusted host and then hijacks the session by
Port Based Authentication – 802.1x, can be used with EAP
predicting the targets choice of an initial TCP sequence number
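The Smurf and Fraggle countermeasures listed above (drop packets arriving from outside that carry an internal source, disable broadcast at the border, block UDP 7 and 9, restrict ICMP), as an added Go example that is not part of the cram sheet and not a real router or firewall API; the Packet type, the TEST-NET prefixes and the sample packet are constructed for the demo, and "restrict ICMP" is narrowed to inbound echo requests so that ICMP error messages still pass.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is a constructed, minimal view of what a border router's ACL sees;
// it is a demo type, not a real router or firewall API.
type Packet struct {
	Inbound  bool   // true when the packet arrives on the external (untrusted) interface
	Src, Dst net.IP
	Proto    string // "icmp", "udp" or "tcp"
	ICMPType int    // 8 = echo request; ignored unless Proto == "icmp"
	DstPort  int    // ignored for ICMP
}

// BorderFilter knows the internal IPv4 prefixes it protects and their
// directed-broadcast addresses (the Smurf/Fraggle amplifier targets).
type BorderFilter struct {
	internal  []*net.IPNet
	broadcast []net.IP
}

// NewBorderFilter parses the internal CIDR prefixes and precomputes the
// directed-broadcast address of each (network address with all host bits set).
func NewBorderFilter(cidrs ...string) (*BorderFilter, error) {
	f := &BorderFilter{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		ip4 := n.IP.To4()
		if ip4 == nil || len(n.Mask) != net.IPv4len {
			return nil, fmt.Errorf("IPv4 prefix expected, got %s", c)
		}
		bcast := make(net.IP, net.IPv4len)
		for i := range bcast {
			bcast[i] = ip4[i] | ^n.Mask[i]
		}
		f.internal = append(f.internal, n)
		f.broadcast = append(f.broadcast, bcast)
	}
	return f, nil
}
func (f *BorderFilter) isInternal(ip net.IP) bool {
	for _, n := range f.internal {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
func (f *BorderFilter) isDirectedBroadcast(ip net.IP) bool {
	for _, b := range f.broadcast {
		if b.Equal(ip) {
			return true
		}
	}
	return false
}

// Verdict applies the sheet's countermeasures to one packet and returns
// "drop" or "accept" together with the rule that decided it.
func (f *BorderFilter) Verdict(p Packet) (verdict, rule string) {
	if !p.Inbound {
		return "accept", "outbound traffic is not covered by these rules"
	}
	// Anti-spoofing: nothing arriving from outside may claim an internal source.
	if f.isInternal(p.Src) {
		return "drop", "spoofed internal source address on external interface"
	}
	// Disable broadcast at the border: no directed or limited broadcast from outside.
	if f.isDirectedBroadcast(p.Dst) || p.Dst.Equal(net.IPv4bcast) {
		return "drop", "broadcast destination from outside (amplifier)"
	}
	// Fraggle: block UDP echo (7) and discard (9) from entering the network.
	if p.Proto == "udp" && (p.DstPort == 7 || p.DstPort == 9) {
		return "drop", "UDP port 7/9 blocked at the border"
	}
	// Smurf: "restrict ICMP", narrowed here to inbound echo requests so that
	// error messages such as destination-unreachable still pass.
	if p.Proto == "icmp" && p.ICMPType == 8 {
		return "drop", "inbound ICMP echo request restricted"
	}
	return "accept", "no countermeasure matched"
}
func main() {
	f, err := NewBorderFilter("192.0.2.0/24") // constructed internal prefix (TEST-NET-1)
	if err != nil {
		panic(err)
	}
	// Constructed Smurf trigger: spoofed victim source, directed-broadcast destination.
	v, why := f.Verdict(Packet{Inbound: true, Src: net.ParseIP("192.0.2.10"),
		Dst: net.ParseIP("192.0.2.255"), Proto: "icmp", ICMPType: 8})
	fmt.Println(v, "-", why)
}
```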
Things to Know
Nikto, Burp Suite, Wapiti – web application vulnerability scanners
Packet switching technologies
X.25 defines point-to-point communication between Data Terminal Equipment (DTE) and Data Circuit Terminating Equipment (DCE)
Link Access Procedure-Balanced (LAPB) created for use with X.25; LAPB defines frame types and is capable of retransmitting, exchanging and acknowledging frames as well as detecting out-of-sequence or missing frames
Frame Relay – high performance WAN protocol designed for use across ISDN interfaces. Is fast but has no error correction, supports multiple PVCs, unlike X.25; packet switched technology that provides CIR, requires DTE/DCE at each connection point
Switched Multimegabit Data Service (SMDS) – high speed communication over public switched networks for exchanging "bursts of data" between enterprises
Asynchronous Transfer Mode (ATM) – very high bandwidth. It uses 53-byte fixed size cells instead of frames like Ethernet. It can allocate bandwidth on demand, making it a solution for bursty applications. Requires fiber optics.
Voice over IP (VOIP) combines many types of data into a single IP packet. Cost, interoperability and performance wise it's a major benefit.

Other important WLAN protocols
Synchronous Data Link Control (SDLC) – created by IBM for mainframes to connect to their remote offices. Uses a polling media access method. Works with dedicated leased lines, permanently up. Data link layer of OSI model
High-level Data Link Control (HDLC) – extension to SDLC, also for mainframes. Uses data encapsulation on synchronous serial links using frame characters and checksums. Also data link layer
High Speed Serial Interface (HSSI) – defines electrical and physical interfaces to use for DTE/DCE communications. Physical layer of OSI

LAN Cables (378)
Twisted pair – Shielded (STP) or unshielded (UTP). Cat 3 = 10BaseT, Cat 5 = 100BaseT
Coaxial – more EMI resistant. Baseband: only one single channel; Broadband: multiple signal types like data, video, audio
Fiber Optic – most expensive, but hard to tap and resistant to EMI

Firewalls (376)
TYPES
First generation – (static) Packet filtering firewall AKA screening router. Examines source/destination address, protocol and ports of the incoming package. Based on ACLs access can be denied or accepted. Is considered a firewall and operates at Network or Transport layer of OSI
Second generation – Application level firewall AKA proxy server. While transferring a data stream to another network, it masks the data origin. Operates at Application layer of OSI
Third generation – Stateful inspection firewall (also known as Dynamic). All packages are inspected at the Networking layer so it's faster. By examining the state and context of the data packages it helps to track connectionless protocols like UDP and RPC. Analyzed at all OSI layers.
Fourth generation – Dynamic Packet Filtering firewall. Enables modification of the firewall rule. It provides limited support for UDP by remembering UDP packages across the network.
Fifth generation – Kernel Proxy Firewall / Application level Firewall. Runs in Windows NT, modular, kernel based, multilayer session evaluation. Uses dynamic TCP/IP stacks to inspect network packages and enforce security policies.

Firewall architecture (377)
Packet filtering routers – sits between trusted and un-trusted network, sometimes used as boundary router. Uses ACLs. Protects against standard generic external attacks. Has no user authentication, has minimal auditing.
Screened-Host firewall system – has both a packet-filter router and a bastion host. Provides both network layer (package filtering) and application layer (proxy) server.
Dual homed host firewall – consists of a host with 2 NICs. One connected to trusted, one to un-trusted. Can thus be used as translator between 2 network types like Ethernet/token ring. Internal routing capabilities must not be enabled, to make it impossible to circumvent inspection of data.
Screened-subnet firewalls – has also defined a De-Militarized Zone (DMZ): a small network between trusted and untrusted.
Socks firewall – every workstation gets some Socks software to reduce overhead
Tiers – design separates distinct protected zones and can be protected by a single firewall that has multiple interfaces

Access Control Methodologies
Remote Access Authentication Systems (390)
Centralized access control
CALLBACK; system calls back to specific location (danger in user forwarding number); somewhere you are
CHAP (part of PPP) supports encryption
XTACACS separates authentication, authorization and accounting processes
TACACS+: stronger through use of tokens
Terminal Access Controller Access Control System TACACS – user passwords are administered in a central database instead of individual routers. A network device prompts the user for a username and static password, then the device queries a TACACS server to verify the password. TACACS does not support prompting for password change or use of dynamic password tokens. Port 49
TACACS: user-id and static password for network access via TCP
TACACS+ – enhanced version with use of two factor authentication, ability to change user password, ability of security tokens to be resynchronized, and better audit trails and session accounting
Remote Authentication Dial-In User Service RADIUS – client/server protocol, often leads to TACACS+. Clients send their authentication request to a central RADIUS server that contains all of the user authentication and network ACLs. RADIUS does not provide two way authentication, therefore it's not used for router-to-router authentication. Port 1812. Contains dynamic password and network service access information (Network ACLs). NOT a SSO solution. TLS over TCP – to encrypt; default UDP; PW encrypted; supports TCP and TLS if set. Remote connectivity via dial in (user dials in to access server, access server prompts for credentials, user enters credentials and forwards to RADIUS server, RADIUS server accepts or rejects). USES UDP. Incorporates an AS and dynamic/static password; the user can connect to any network access server, which then passes on the user's credentials to the RADIUS server to verify authentication and authorization and to track accounting. In this context, the network access server is the RADIUS client and a RADIUS server acts as an authentication server. The RADIUS server also provides AAA services for multiple remote access servers.
DIAMETER – remote connectivity using phone, wireless etc., more secure than RADIUS; cordless phone signal is rarely encrypted and easily monitored

Remote Access Technologies (390)
Asynchronous Dial-Up Access – this is how everyone connects to the internet. Using a public switched telephone network to access an ISP
Integrated Services Digital Network (ISDN) – communication protocol that permits a telephone line to carry data, voice and other source traffic. Two types: BRI Basic Rate Interface and Primary Rate Interface (PRI)
xDSL uses regular telephone lines for high speed digital access
Cable Modems – via single shared coaxial cable, insecure because of not being filtered or firewalled
Remote Access Security Technologies
Restricted Address – incoming calls are only allowed from specific addresses on an approval list. This authenticates the node, not the user!
Callback – user initiates a connection, supplies identifying code, and then the system will call back a predetermined telephone number. Also less useful for travelling users
Caller ID – checks incoming telephone number against an approval list and then uses Callback. Less useful for travelling users.

Remote Node Security Protocols
Password Authentication Protocol (PAP) – provides identification and authentication of the user using static replayable passwords. No encryption of user-id or password during communication
Challenge Handshake Authentication Protocol (CHAP) – non-replayable challenge/response dialog

LAN Topologies (394)
BUS – all transmissions have to travel the full length of the cable
RING – workstations are connected to form a closed loop
STAR – nodes are connected to a central LAN device
TREE – bus type with multiple branches
MESH – all nodes interconnected

LAN Transmission Methods (396)
Unicast – packet is sent from single source to single destination
Multicast – source packet is copied and sent to multiple destinations
Broadcast – source packet is copied and sent to all nodes

DATA NETWORK SIGNALS
Analog signal – infinite wave form, continuous signal, varied by amplification
Digital signal – saw-tooth form, pulses, on-off only; digital signals are a means of transmission that involves the use of a discontinuous electrical signal and a state change or on-off pulses.
Asynchronous – sends bits of data sequentially. Same speed on both sides. Modems and dial-up remote access systems
Synchronous – very high speed, governed by electronic clock timing signals
Asynchronous communications, broadband connections, and half-duplex links can be digital or analog.

Virtual Private Networks VPN (388)
A VPN is created by dynamically building a secure communications link between two nodes, using a secret encapsulation method via network address translation (NAT) where internal IP addresses are translated to external IP addresses. Cannot double NAT with the same IP range; the same IP address cannot appear inside and outside of a NAT router.

LAN Media Access (398)
Ethernet IEEE 802.3 – using CSMA with a bus topology
Thinnet: 10Base2 with coax cables up to 185 meters
Thicknet: 10Base5, coax up to 500 meters
UTP: 10BaseT = 10 MBps
100BaseT = Fast Ethernet = 100 MBps
1000BaseT = Gigabit Ethernet = 1 GBps
Ethernet networks were originally designed to work with more sporadic traffic than token ring networks
ARCnet – uses token passing in a star topology on coax
Token Ring IEEE 802.5 – IBM created. All end stations are connected to a MAU (Multi Access Unit). CAU: Controlled Access Units – for filtering allowed MAC (Extended Unique Identifier) addresses.
FDDI, Fiber Distributed Data Interface – token-passing dual token ring with fiber optic. Long distances, minimal EMI interference, permits several tokens to be active at the same time

LAN Transmission Protocols (398)
Carrier Sense Multiple Access CSMA – for Ethernet. Workstations send out a packet. If it doesn't get an acknowledgement, it resends
CSMA with Collision Avoidance – workstations are attached by 2 coax cables. In one direction only. Wireless 802.11
CSMA with Collision Detection – only one host can send at a time, using jamming signals for the rest.
Polling – host can only transmit when it polls a secondary to see if it's free
Token-passing – used in token rings; hosts can only transmit when they receive a clear-to-send token.

DATA NETWORK TYPES
Local Area Network LAN – limited geographically to e.g. a building. Devices are sharing resources like printers, email and files. Connected through copper wire or fiber optics.
CAN: campus area network, multiple buildings connected to a fast backbone on a campus
MAN: metropolitan network, extends over cities
Wide Area Network WAN – connects LANs over a large geographical area
Internet, intranet and extranet – Internet is global, intranet local for use within companies, and extranet can be used e.g. by your customers and clients but is not public.
PVC – Permanent virtual circuit, is like a dedicated leased line; the logical circuit always exists and is waiting for the customer to send data. Like a walkie-talkie
SVC – Switched virtual circuit, is more like a shortwave or ham radio. You must tune the transmitter and receiver to a new frequency every time you want to communicate with someone.

VPN Protocols
Hint: TP at end for Tunneling Protocols
PPTP, Point to Point Tunneling Protocol
- Works at data link layer of OSI
- Only one single point-to-point connection per session
- Point To Point Protocol (PPP) for authentication and tunneling
- Dial-up network use
- Does not support EAP
- Sends initial packets in plaintext
L2F, Layer 2 Forwarding
- Cisco developed its own VPN protocol called which is a mutual authentication tunneling mechanism.
- L2F does not offer encryption. L2F was not widely deployed and was soon replaced by L2TP.
- Both operate at layer 2. Both can encapsulate any LAN protocol.
L2TP, Layer 2 Tunneling Protocol
- Also in data-link layer of OSI
- Single point-to-point connection per session
- Dial-up network use
- Port 115
- Uses IPsec
IPSEC
- Operates at Network Layer of OSI
- Enables multiple and simultaneous tunnels
- Encrypt and authenticate
- Built into IPv6
- Network-to-network use
- Creates a private, encrypted network via a public network
- Encryption for confidentiality and integrity
- 2 protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload)
- Works with Security Associations (SAs)
- Works with IKE protocols; IKE IS FOR MANAGING SECURITY ASSOCIATIONS
- 2 modes: transport – data is encrypted, header is not; tunnel – a new IP header is added, old IP header and data are encrypted (uses rc6)
- Cipher types: block (padding to blocks of fixed size) like DES, 3DES, AES; or stream (bit/byte one by one, no padding) like RC4, Sober
TLS – Transport Layer Security
- Encrypt and protect transactions to prevent sniffing while data is in transit, along with VPN and IPsec
- Most effective control against session hijacking
- Ephemeral session key is used to encrypt the actual content of communications between a web server and client
- TLS – MOST CURRENT, not SSL!!!
VPN Devices
Is hardware or software to create secure tunnels
IP-sec compatible
- Encryption via Tunnel mode (entire data package encrypted) or Transport mode (only datagram encrypted)
- Only works with IP at Network layer of OSI
NON IP-sec compatible
Socks-based proxy servers – used to reach the internal network from the outside. Also contains strong encryption and authentication methods
PTP – used in Windows machines. Multiprotocol, uses PAP or CHAP
Dial-up VPNs – remote access servers using PPTP, commonly used by ISPs
Secure Shell SSH2 – not strictly a VPN product but opens a secure encrypted shell session from the internet through a firewall to a SSH server

Encapsulating Security Payload (389)
Encrypts IP packets and ensures integrity.
ESP Header – contains information showing which security association to use and the packet sequence number. Like the AH, the ESP sequences every packet to thwart replay attacks.
ESP Payload

Spread Spectrum
FHSS – Frequency Hopping Spread Spectrum. The entire range of available frequencies is employed, but only one frequency at a time is used.
DSSS – Direct Sequence Spread Spectrum, employs all the available frequencies simultaneously in parallel. This provides a higher rate of data throughput than FHSS. DSSS also uses a special encoding mechanism known as a chipping code to allow a receiver to reconstruct data even if parts of the signal were distorted because of interference.
OFDM – Orthogonal Frequency-Division Multiplexing, employs a digital multicarrier modulation scheme that allows for a more tightly compacted transmission. The modulated signals are perpendicular and thus do not cause interference with each other.
All use spread spectrum techniques to transmit on more than one frequency at the same time. Neither FHSS nor DSSS uses orthogonal modulation, while multiplexing describes combining multiple signals over a shared medium of any sort. Wi-Fi may receive interference from FHSS systems but doesn't use it.

WAN Protocols (404)
Private Circuit technologies
Dedicated line – reserved communication, always available. Leased line can be reserved for communications. Type of dedicated line.
- T1 1,5 Mbps through telephone line
- T3 44,7 Mbps through telephone line
- E1 European 2048 Mbps digital transmission
- Serial Line IP (SLIP) – TCP/IP over slow interfaces to communicate with external hosts (Berkeley UNIX, Windows NT RAS); no authentication, supports only half-duplex communications, no error detection, manual link establishment and teardown
Point to Point Protocol (PPP) – improvement on SLIP, adds login and password (by CHAP and PAP) and error correction. Data link.
Integrated Services Digital Network (ISDN) – combination of digital telephony and data transports. Overtaken by xDSL; not all usable due to the "D Channel" used for call management, not data
xDSL – Digital Subscriber Line, uses telephone to transport high bandwidth data to remote subscribers
- ADSL – Asymmetric. More downstream bandwidth, up to 18,000 feet over single copper cable pair
- SDSL – Symmetric, up to 10,000 feet over single copper cable pair
- HDSL – High Rate, T1 speed over two copper cable pairs, up to 12,000 feet
- VDSL – Very High speed, 13-52 MBps down, 1,5-2,3 Mbps upstream over a single copper pair over 1,00 to 4500 feet
Circuit-switched networks – a dedicated physical circuit path must exist during transmission. The right choice for networks that have to communicate constantly. Typically for a telephone company network. Voice oriented. Sensitive to loss of connection
Message switching networks – involves the transmission of messages from node to node. Messages are stored on the network until a forwarding path is available.
Packet-switched networks (PSN or PSDN) – nodes share bandwidth with each other by sending small data units called packets. Packets will be sent to the other network and reassembled. Data oriented. Sensitive to loss of data. More cost effective than circuit switching because it creates virtual circuits only when they are needed.

Converged Protocols (406)
Converged Protocols – are the merging of specialty or proprietary protocols with standard protocols, such as those from the TCP/IP suite. The primary benefit of converged protocols is the ability to use existing TCP/IP supporting network infrastructure to host special or proprietary services without the need for unique deployments of alternate networking hardware.
Fibre Channel over Ethernet (FCoE) – a form of network data-storage solution (SAN or NAS) that allows for high-speed file transfers at upward of 16 GBps. It was designed to be operated over fiber-optic cables; support for copper cables was added later to offer less-expensive options. Fibre Channel over Ethernet (FCoE) can be used to support it over the existing network infrastructure. FCoE is used to encapsulate Fibre Channel communications over Ethernet networks. Fibre Channel operates as a Network layer or OSI layer 3 protocol, replacing IP as the payload of a standard Ethernet network.
MPLS – (Multiprotocol Label Switching) is a high-throughput, high-performance network technology that directs data across a network based on short path labels rather than longer network addresses. MPLS is designed to handle a wide range of protocols through encapsulation.
iSCSI – Internet Small Computer System Interface (iSCSI) is a networking storage standard based on IP. This technology can be used to enable location-independent file storage, transmission, and retrieval over LAN, WAN, or public Internet connections. It is often viewed as a low-cost alternative to Fibre Channel.
VoIP – Voice over IP – a tunneling mechanism used to transport voice and/or data over a TCP/IP network. VoIP has the potential to replace or supplant PSTN because it's often less expensive and offers a wider variety of options and features.
SDN – a unique approach to network operation, design, and management. SDN aims at separating the infrastructure layer (i.e., hardware and hardware-based settings) from the control layer (i.e., network services of data transmission management). Furthermore, this also removes the traditional networking concepts of IP addressing, subnets, routing, and so on from needing to be programmed into or be deciphered by hosted applications. SDN offers a new network design that is directly programmable from a central location, is flexible, is vendor neutral, and is open-standards based.
Access Control (440)
ACCESS – is the flow of information between a subject and an object
CONTROL – security features that control how users and systems communicate and interact with other systems and resources
Subject – active entity that requests access to an object or data within the object (user, program)
Object – is a passive entity that contains information (computer, database, file, program); access control techniques support the access control models

Approaches to Administration (441)
Centralized administration – one element responsible for configuring access controls. Only modified through central administration, very strict control
Decentralized administration – access to information is controlled by owners or creators of information, may not be consistent with regards to procedures, difficult to form a system wide view of all user access at any given time
Hybrid – centralized control is exercised for some information and decentralized for other information

Identity Management (448)
IAAA – four key principles upon which access control relies
- Identification/Assertion –
  - Registration – verify an individual's identity and add a unique identifier to an identity system
  - ensuring that a subject is who he says he is
  - bind a user to the appropriate controls based on the unique user instance
  - Unique user name, account number etc. OR an issuance (keycard)
- Authentication –
  - Process of verifying the user
  - User provides private data
  - Establish trust between the user and the system for the allocation of privileges
- Authorization –
  - resources the user is allowed to access must be defined and monitored
  - First piece of credentials: Authorization
- Accountability – who was responsible for an action?
  - Logging – best way to provide accountability, change log for approved changes and change management process
Relationship between Identity, Authentication, and Authorization
- Identification provides uniqueness
- Authentication provides validity
- Authorization provides control
Logical Access Controls: tools used for IAAA
MAC Address – 48 bit number, supposed to be globally unique, but now can be changed by software; not a strong ID or authentication tool

Single Sign On (SSO) (462)
SSO referred to as reduced sign-on or federated ID management
Advantage – ability to use stronger passwords, easier administration, less time to access resources.
Disadvantage – once a key is compromised all resources can be accessed; if the DB is compromised all PWs are compromised
Thin client is also a single sign on approach

KERBEROS (463)
Guards a network with three elements: authentication, authorization, & auditing. SYMMETRIC KEYS
Kerberos addresses confidentiality and integrity and authentication, not availability; can be combined with other SSO solutions
Kerberos is based on symmetric key cryptology (and is not a proprietary control)
Time synchronization is critical, 5 minutes is bad
MIT project Athena
AES from user to KDC, encrypted key, time stamped TGT and hash of PW, install TGT and decrypt key
Kerberos is included in Windows now (replaced NTLM = NT LAN Manager)
Passwords are never exchanged, only hashes of passwords
Benefits: inexpensive, loads of OS's, mature protocol
Disadvantage: takes time to administer, can be bottleneck or single point of failure
Realm – indicates an authentication administrative domain. Its intention is to establish the boundaries within which an authentication server has the authority to authenticate a user, host or service.
Uses symmetric key cryptography
- KDC – Key Distribution Center, grants tickets to client for specific servers. Knows all secret keys of all clients and servers from the network, TGS and AS, single point of failure
- AS (Authentication Server)
- TGS – Ticket Granting Server
The Kerberos logon process works as follows:
- The user types a username and password into the client.
- The client encrypts the username with AES for transmission to the KDC.
- The KDC verifies the username against a database of known credentials.
- The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user's password. The KDC also generates an encrypted time-stamped TGT. The KDC then transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client.
- The client installs the TGT for use until it expires. The client also decrypts the symmetric key using a hash of the user's password.
- Then the user can use this ticket to service to use the service as an application service
SESAME
- Public Key Cryptology
- European
- Needham-Schroeder protocol
- Weakness: only authenticates the first block and not the complete message
- Two tickets:
  - One authentication, like Kerberos
  - Other defines the access privileges a user has
- Works with PACS (Privileged Attribute Certificates)
- SESAME uses both symmetric and asymmetric encryption (thus improvement upon Kerberos)
KRYPTOKNIGHT – IBM – thus RACF
- Peer-to-peer relationship between KDC and parties
SCRIPTING – scripts contain logon information that authenticates users
DIRECTORY SERVICE – a centralized database that includes information about subjects and objects. Hierarchical naming schema; Active Directory has sophisticated security resources (group policy, user rights, accounts, DNS services)

Single/Multiple Factor Authentication (467)
Type 1 – authentication factor is something you know. Examples include a password, PIN, or passphrase.
Type 2 – authentication factor is something you have. Physical devices that a user possesses can help them provide authentication. Examples include a smartcard (CAC), hardware token, smartcard, memory card, or USB drive.
Type 3 – authentication factor is something you are or something you do. It is a physical characteristic of a person identified with different types of biometrics.

Something a user knows TYPE 1
PASSWORDS
- cheap and commonly used
- password generators
- user chooses own (do triviality and policy checking)
- Longer PW more effective than all else
- PWs never stored for web applications in a well-designed environment. Salted hashes are stored and compared
- 62 choices (upper, lower, 10 numbers); add a single character to the PW and complexity goes up 62X
One-time password aka dynamic password – used only once
Static password – same for each logon
Passphrase – easiest to remember. Converted to a virtual password by the system.
Cognitive password – easy to remember, like your mother's maiden name
Hacking – access password file
- brute force attack – (try many different characters) aka exhaustive
- dictionary attack – (try many different words)
- Social engineering – convince an individual to give access
- Rainbow Tables – (tables with passwords that are already in hash format, pre-hashed PW paired with high-speed look up functions)
- Implementation Attack – this is a type of attack that exploits weaknesses in the implementation of a cryptography system. It focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system
- Statistical Attack – exploits statistical weaknesses in a cryptosystem, such as floating-point errors and inability to produce truly random numbers. Statistical attacks attempt to find a vulnerability in the hardware or operating system hosting the cryptography application.
- password checker and password hacker – both programs that can find passwords (checker to see if it's compliant, hacker to use it by the hacker)
hashing and encryption
- On Windows systems with utility SYSKEY. The hashed passwords will be encrypted in their store: LM hash and NT hash
- some OS's use a seed, SALT or NONCE, random values added to the encryption process to add more complexity
- HAVAL – Hash of Variable Length (HAVAL) is a modification of MD5. HAVAL uses 1,024-bit blocks and produces hash values of 128, 160, 192, 224, and 256 bits. Not an encryption algorithm
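The Kerberos logon process described above (session key sealed under a hash of the user's password, a time-stamped TGT only the KDC/TGS key can open, the 5-minute clock-skew limit), as an added Go simulation that is not part of the cram sheet and not the code of any real Kerberos implementation; AES-256-GCM, the SHA-256 password derivation, the 8-hour ticket lifetime and the principal names are assumptions for the demo, and the username is sent unencrypted here for brevity.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

func mustRandom(n int) []byte { // n cryptographically random bytes (nonces and keys)
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func gcmFor(key []byte) cipher.AEAD { // AES-256-GCM; every key in this demo is 32 bytes
	block, err := aes.NewCipher(key) // only fails on a bad key length
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
func seal(key, plaintext []byte) []byte { // encrypt + authenticate; nonce is prepended
	gcm := gcmFor(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) { // fails on a wrong key or any tampering
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// passwordKey is the "hash of the user's password": both sides derive it locally, so the password never crosses the wire.
func passwordKey(password string) []byte {
	h := sha256.Sum256([]byte("kerberos-demo-v1:" + password)) // constructed domain label
	return h[:]
}

type TGT struct { // time-stamped ticket-granting ticket; only the KDC/TGS key opens it
	User       string
	SessionKey []byte
	Issued     time.Time
	Expires    time.Time
}
type KDC struct { // AS database of long-term (password-derived) keys plus the TGS key
	userKeys map[string][]byte
	tgsKey   []byte
}

func NewKDC(passwords map[string]string) *KDC { // derive each principal's key; draw a TGS key
	k := &KDC{userKeys: map[string][]byte{}, tgsKey: mustRandom(32)}
	for user, pw := range passwords {
		k.userKeys[user] = passwordKey(pw)
	}
	return k
}

// ASRequest is the KDC side: check the principal, then return the session key sealed under the user's key and the TGT sealed for the TGS.
func (k *KDC) ASRequest(user string, now time.Time) ([]byte, []byte, error) {
	userKey, ok := k.userKeys[user]
	if !ok {
		return nil, nil, errors.New("unknown principal")
	}
	sessionKey := mustRandom(32)
	raw, _ := json.Marshal(TGT{User: user, SessionKey: sessionKey,
		Issued: now, Expires: now.Add(8 * time.Hour)}) // 8 h lifetime is a demo choice
	return seal(userKey, sessionKey), seal(k.tgsKey, raw), nil
}

// ClientLogon is the client side: keep the TGT as received, unwrap the session key with the local password hash; a wrong password fails here.
func ClientLogon(k *KDC, user, password string, now time.Time) ([]byte, []byte, error) {
	sealedKey, sealedTGT, err := k.ASRequest(user, now)
	if err != nil {
		return nil, nil, err
	}
	sessionKey, err := open(passwordKey(password), sealedKey)
	if err != nil {
		return nil, nil, errors.New("wrong password: session key cannot be decrypted")
	}
	return sessionKey, sealedTGT, nil
}

// ValidateTGT is the TGS check when the client later presents the ticket: it must open under the TGS key, be unexpired, and not come from a clock more than 5 minutes ahead.
func (k *KDC) ValidateTGT(sealedTGT []byte, now time.Time) (*TGT, error) {
	raw, err := open(k.tgsKey, sealedTGT)
	if err != nil {
		return nil, errors.New("TGT forged or tampered")
	}
	var t TGT
	_ = json.Unmarshal(raw, &t) // authenticated above, so this is our own encoding
	if now.After(t.Expires) {
		return nil, errors.New("TGT expired")
	}
	if t.Issued.After(now.Add(5 * time.Minute)) { // the sheet's "5 minutes is bad"
		return nil, errors.New("clock skew exceeds 5 minutes")
	}
	return &t, nil
}
```

A principal's password is only ever used locally, on each side, to derive the key that unwraps the session key, which is the sheet's point that passwords are never exchanged.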
Something a user has TYPE 2
Key, swipe card, access card, badge, tokens
Static password token – owner authenticates to token, token authenticates to the information system
Synchronous (TIME BASED) dynamic – uses time or a counter between the token and the authentication server; SecurID is an example
Asynchronous (NOT TIME BASED) – server sends a nonce (random value). This goes into the token device, which encrypts it and delivers a one-time password; with an added PIN it's strong authentication
Challenge/response token – generates a response on a system/workstation provided challenge; synchronous – timing, asynchronous – challenge

Something a user is TYPE 3
What you do: behavioral. What you are: physical
BIOMETRICS
- Most expensive & acceptable 2 minutes per person for enrollment time

SAML (478) (SOAP/XML)
To exchange authentication and authorization data between security domains.
SAML 2.0 enables web-based to include SSO
Roles
- Principal (user)
- Identity provider (IdP)
- Service provider (SP)
Most used federated SSO
XML Signature – use digital signatures for authentication and message integrity based on the XML signature standard.
Relies on XML Schema

Identity as a Service (IDaaS) (486)
IDaaS – Identity as a Service, or Identity and Access as a Service, is a third-party service that provides identity and access management. Effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based Software as a Service (SaaS) applications.
Ability to provision identities held by the service to target

Authorization Mechanisms (496)
Role-BAC (RBAC) – task-based access controls define a subject's ability to access an object based on the subject's role or assigned tasks; is often implemented using groups; form of nondiscretionary. OFF BUSINESS DESIGN
Hybrid RBAC
Limited RBAC
CAN MODEL ALL GROUPS OFF ORGANIZATION #! USED
Rule-BAC – based on rules within an ACL, uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system. It includes granting a subject access to an object, or granting the subject the ability to perform an action. A distinctive characteristic about rule-BAC models is that they have global rules that apply to all subjects. One common example of a rule-BAC model is a firewall. Firewalls include a set of rules or filters within an ACL, defined by an administrator. The firewall examines all the traffic going through it and only allows traffic that meets one of the rules. Government #1
Mandatory Access Control – BELL Model!
Lattice based, Label – all objects and subjects have a label
- Acceptable 10 people per minute throughput time applications Authorization depended on security labels which indicate
clearance and classification of objects (Military). Restriction:
- IRIS is the same as long as you live Access includes user authentication, SSO, authorization
- TYPE 1 error: False rejection rate FRR need to know can apply. Lattice based is part of it! (A as in
enforcement
mAndatory!). Rule based access control. Objects are: files,
- TYPE 2 error: False Acceptance rate FAR Log events , auditing
- CER Crossover Error Rate or EER Equal Error rate, where FRR = directories and devices;
Federation - sharing identity and authentication behind the Non-discretionary access control / Mandatory
FAR. The lower CER/ERR the more accurate the system. No scenes (like booking flight --> booking hotel without re
sunlight in iris scanner zephyr chart = iris scans A central authority determines what subjects have access based
authenticating) by using a federate identity so used across on policies. Role based/task based. Also lattice based can be
- Finger print: stores full fingerprint (one- to-many identification), business boundaries
finger scan only the features (one to one identification). applied (greatest lower, least upper bounds apply)
SSO Discretionary Access Control – Graham Denning
- Finger scan most widely used today
Access Management enforces RULES! Access through ACL's. Discretionary can also mean: Controlled
Acceptability Issues: privacy, physical, psychological
TYPES OF BIOMETRICS access protection (object reuse, protect audit trail). User directed
- Fingerprints: Are made up of ridge endings and bifurcations Manage User Accounts within a Cloud (492) Performs all of IAAA, identity based access control model
exhibited by the friction ridges and other detailed characteristics Cloud Identity – users are created and managed in Office 365 - hierarchical x500 standard protocol like LDAP for allowing
that are called minutiae. Directory Synchronization – users are created and managed in an subjects to interact with the directory
on premises identity provider - Organized through name spaces (Through Distinguished
- Retina Scans: Scans the blood-vessel pattern of the retina on the
Federated Identity – on-premises identity provider handles login names )
backside of the eyeball. Can show medical conditions MOST
request. Usually used to implement SSO - Needs client software to interact
ACCURATE - MS AD using MS AD Federation Services - META directory gathers information from multiple sources
- Iris Scans: Scan the colored portion of the eye that surrounds the - Third Party based identity and stores them into once central directory and
pupil. - Shibboleth SAML 2.0 synchronizes
- Facial Scans: Takes attributes and characteristics like bone - VIRTUAL directory only points where the data resides
structures, nose ridges, eye widths, forehead sizes and chin Authorization Mechanisms (496) DACs allows the owner, creator, or data custodian of an object to
shapes into account. The method of authorizing subjects to access objects varies control and define access to that object. All objects have owners,
- Palm Scans: The palm has creases, ridges and grooves depending on the access control method used by the IT system. and access control is based on the discretion or decision of the
throughout it that are unique to a specific person. Appropriate by A subject is an active entity that accesses a passive object and an owner. As the owner, the user can modify the permissions of the
itself as a Type 3 authenticator object is a passive entity that provides information to active subjects. file to grant or deny access to other users. Identity-based access
- Hand Geometry: The shape of a person’s hand (the length and There are several categories for access control techniques and the control is a subset of DAC because systems identify users based
CISSP CIB specifically mentions four: discretionary access control on their identity and assign resource ownership to identities. A
width of the hand and fingers) measures hand geometry.
(DAC), mandatory access control (MAC), role-based access control DAC model is implemented using access control lists (ACLs) on
- Voice Print: Distinguishing differences in people’s speech sounds objects. Each ACL defines the types of access granted or denied
(role-BAC), and rule-based access control (rule-BAC).
and patterns. to subjects. It does not offer a centrally controlled management
- Signature Dynamics: Electrical signals of speed and time that system because owners can alter the ACLs on their objects at
can be captured when a person writes a signature. Windows uses Kerberos for authentication. RADIUS is will. Access to objects is easy to change, especially when
- Keyboard Dynamics: Captures the electrical signals when a typically used for wireless networks, modems, and compared to the static nature of mandatory access controls.
-
person types a certain phrase.
Hand Topology: Looks at the size and width of an individual’s
network devices, while OAuth is primarily used for
hand and fingers. web applications. TACACS+ is used for network
devices.
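The FRR/FAR/CER relationship in the biometrics notes above, worked through as an added example (it is not part of the cram sheet). Two hypothetical systems "A" and "B" have their False Rejection Rate and False Acceptance Rate sampled at a set of matching-score thresholds; the crossover is found by interpolating where FRR = FAR, the systems are ranked by CER (lower is more accurate), and a second function shows the trade-off that choosing a stricter operating point forces. All thresholds and rates are constructed values.

```python
"""Crossover Error Rate (CER, also called EER) from sampled FRR and FAR curves.

Added worked example; not from the cram sheet. Systems, thresholds and
error rates below are constructed.
"""
from typing import Dict, List, Tuple

# Constructed sample data: matching-score thresholds and the error rate
# (as a fraction) measured at each one. Raising the threshold makes the
# system stricter, so FRR (Type 1, false rejection) rises while FAR
# (Type 2, false acceptance) falls.
THRESHOLDS: List[float] = [0.50, 0.55, 0.60, 0.65, 0.70, 0.75, 0.80]
SYSTEMS: Dict[str, Tuple[List[float], List[float]]] = {
    # name: (FRR per threshold, FAR per threshold)
    "A": ([0.005, 0.010, 0.020, 0.040, 0.070, 0.110, 0.160],
          [0.120, 0.080, 0.050, 0.030, 0.015, 0.008, 0.004]),
    "B": ([0.010, 0.020, 0.035, 0.060, 0.090, 0.130, 0.180],
          [0.150, 0.110, 0.080, 0.055, 0.035, 0.020, 0.010]),
}


def crossover_error_rate(thresholds: List[float], frr: List[float],
                         far: List[float]) -> Tuple[float, float]:
    """Return (threshold, error_rate) at the point where FRR == FAR.

    The curves are only sampled, so the crossing normally falls between two
    samples; it is located by linear interpolation on d(t) = FRR(t) - FAR(t),
    which changes sign exactly once for well-behaved curves.
    """
    if not (len(thresholds) == len(frr) == len(far)):
        raise ValueError("threshold, FRR and FAR lists must have equal length")
    diff = [r - a for r, a in zip(frr, far)]
    for i in range(len(diff)):
        if diff[i] == 0.0:                      # exact crossing on a sample
            return thresholds[i], frr[i]
        if i + 1 < len(diff) and diff[i] < 0.0 <= diff[i + 1]:
            # fraction of the way from sample i to i+1 at which d(t) reaches 0
            f = diff[i] / (diff[i] - diff[i + 1])
            t = thresholds[i] + f * (thresholds[i + 1] - thresholds[i])
            rate = frr[i] + f * (frr[i + 1] - frr[i])
            return t, rate
    raise ValueError("FRR and FAR never cross within the sampled range")


def rank_by_cer(systems: Dict[str, Tuple[List[float], List[float]]]) -> List[str]:
    """Most accurate system first: the lower the CER, the better."""
    return sorted(systems,
                  key=lambda n: crossover_error_rate(THRESHOLDS, *systems[n])[1])


def strictest_operating_point(thresholds: List[float], frr: List[float],
                              far: List[float], max_far: float) -> Tuple[float, float, float]:
    """Lowest threshold whose FAR is within max_far, and the FRR paid for it.

    Shows the trade-off the single CER number hides: capping Type 2 errors
    for a high-security door raises Type 1 errors (more legitimate users
    rejected), so throughput and acceptability suffer.
    """
    for t, r, a in zip(thresholds, frr, far):
        if a <= max_far:
            return t, r, a
    raise ValueError("no sampled threshold meets the FAR requirement")


if __name__ == "__main__":
    for name, (frr, far) in SYSTEMS.items():
        t, cer = crossover_error_rate(THRESHOLDS, frr, far)
        print(f"system {name}: CER {cer:.4f} at threshold {t:.4f}")
    print("ranking (most accurate first):", rank_by_cer(SYSTEMS))
    print("system A capped at FAR <= 1%:",
          strictest_operating_point(THRESHOLDS, *SYSTEMS["A"], 0.01))
```

Ranking by CER compares systems as a whole; the operating point a deployment actually runs at is chosen from the FAR/FRR curve according to whether false acceptance or false rejection is the costlier error for that door or application.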
Access Control Models () ?
Access control models use many different types of authorization mechanisms, or methods, to control who can access specific objects.
Implicit Deny - basic principle that most authorization mechanisms use. The implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to a subject.
Access Control Matrix - An access control matrix is a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine if the subject has the appropriate privileges to perform the action
Capability Tables - They are different from ACLs in that a capability table is focused on subjects (such as users, groups, or roles). For example, a capability table created for the accounting role will include a list of all objects that the accounting role can access and will include the specific privileges assigned to the accounting role for these objects.
The difference between an ACL and a capability table is the focus. ACLs are object focused and identify access granted to subjects for any specific object. Capability tables are subject focused and identify the objects that subjects can access.
Comparing Permissions, Rights, and Privileges
When studying access control topics, you'll often come across the terms permissions, rights, and privileges. Some people use these terms interchangeably, but they don't always mean the same thing.
Permissions - refer to the access granted for an object and determine what you can do with it. If you have read permission for a file, you'll be able to open it and read it. You can grant user permissions to create, read, edit, or delete a file on a file server. Similarly, you can grant user access rights to a file, so in this context, access rights and permissions are synonymous
Rights - refers to the ability to take an action on an object. For example, a user might have the right to modify the system time on a computer or the right to restore backed-up data. This is a subtle distinction and not always stressed. You'll rarely see the right to take action on a system referred to as a permission.
Privileges - are the combination of rights and permissions. For example, an administrator for a computer will have full privileges, granting the administrator full rights and permissions on the computer. The administrator will be able to perform any actions and access any data on the computer.

Understanding Authorization Mechanisms
Constrained Interface Applications – (restricted interfaces) restrict what users can do or see based on their privileges. Applications constrain the interface using different methods. A common method is to hide the capability if the user doesn't have permissions to use it. Other times, the application displays the menu item but shows it dimmed or disabled.
Content-Dependent – internal data of each field, data stored by a field; restrict access to data based on the content within an object. A database view is a content-dependent control. A view retrieves specific columns from one or more tables, creating a virtual table.
Context-Dependent - require specific activity before granting users access. For example, it's possible to restrict access to computers and applications based on the current day and/or time. If users attempt to access the resource outside of the allowed time, the system denies them access.
Work Hours – context-dependent control
Need to Know - ensures that subjects are granted access only to what they need to know for their work tasks and job functions. Subjects may have clearance to access classified or restricted data but are not granted authorization to the data unless they actually need it to perform a job.
Least Privilege - ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. This is sometimes lumped together with need to know. The only difference is that least privilege will also include rights to take action on a system.
Separation of Duties and Responsibilities - ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances.
Service Provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to exchange authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging, but is not a markup language itself.

Reconnaissance Attacks (506)
While malicious code often relies on tricking users into opening or accessing malware, other attacks directly target machines. Performing reconnaissance can allow an attacker to find weak points to target directly with their attack code. To assist with this targeting, attacker-tool developers have created a number of automated tools that perform network reconnaissance.
IP Probes - (also called IP sweeps or ping sweeps) are often the first type of network reconnaissance carried out against a targeted network. With this technique, automated tools simply attempt to ping each address in a range. Systems that respond to the ping request are logged for further analysis. Addresses that do not produce a response are assumed to be unused and are ignored.
Nmap tool - one of the most common tools used to perform both IP probes and port scans. IP probes are extremely prevalent on the Internet today. Indeed, if you configure a system with a public IP address and connect it to the Internet, you'll probably receive at least one IP probe within hours of booting up. The widespread use of this technique makes a strong case for disabling ping functionality, at least for users external to a network. Default settings miss @64 K ports
When nmap scans a system, it identifies the current state of each network port on the system. For ports where nmap detects a result, it provides the current status of that port:
Open - The port is open on the remote system and there is an application that is actively accepting connections on that port.
Closed - The port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port.
Filtered - Nmap is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt
Port Scans - After an attacker performs an IP probe, they are left with a list of active systems on a given network. The next task is to select one or more systems to target with additional attacks. Often, attackers have a type of target in mind; web servers, file servers, and other servers supporting critical operations are prime targets. To narrow down their search, attackers use port scan software to probe all the active systems on a network and determine what public services are running on each machine. For example, if the attacker wants to target a web server, they might run a port scan to locate any systems with a service running on port 80, the default port for HTTP services.
Vulnerability Scans - The third technique is the vulnerability scan. Once the attacker determines a specific system to target, they need to discover a specific vulnerability in that system that can be exploited to gain the desired access permissions. A variety of tools available on the Internet assist with this task. Some of the more popular tools for this purpose include Nessus, OpenVAS, Qualys, Core Impact, and Nexpose. These packages contain a database of known vulnerabilities and probe targeted systems to locate security flaws. They then produce very attractive reports that detail every vulnerability detected. From that point, it's simply a matter of locating a script that exploits a specific vulnerability and launching an attack against the victim.
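The access control matrix, its two views (the object-focused ACL and the subject-focused capability table) and implicit deny from the Access Control Models notes above, as an added example that is not from the cram sheet. The subjects, objects, the "accounting" role and every grant are constructed; role membership is included to show role-BAC "implemented using groups", where a user inherits the privileges of the roles it belongs to.

```python
"""Access control matrix with ACL and capability-table views and implicit deny.

Added example; not from the cram sheet. Subjects, objects, roles and
grants in build_sample_matrix() are constructed.
"""
from typing import Dict, FrozenSet, Set, Tuple


class AccessControlMatrix:
    """Sparse subject x object matrix; each cell holds the granted privileges."""

    def __init__(self) -> None:
        self._cells: Dict[Tuple[str, str], Set[str]] = {}
        # role -> members; a user inherits the privileges of every role it
        # belongs to (role-BAC implemented with groups)
        self._members: Dict[str, Set[str]] = {}

    def grant(self, subject: str, obj: str, *privileges: str) -> None:
        """Explicit grant: only these calls ever make is_permitted() true."""
        self._cells.setdefault((subject, obj), set()).update(privileges)

    def revoke(self, subject: str, obj: str, *privileges: str) -> None:
        cell = self._cells.get((subject, obj))
        if cell:
            cell.difference_update(privileges)
            if not cell:                      # drop empty cells to stay sparse
                del self._cells[(subject, obj)]

    def add_member(self, role: str, user: str) -> None:
        self._members.setdefault(role, set()).add(user)

    def _roles_of(self, user: str) -> Set[str]:
        return {role for role, users in self._members.items() if user in users}

    def is_permitted(self, subject: str, obj: str, privilege: str) -> bool:
        """Implicit deny: no matching cell for the user or its roles -> False."""
        for s in {subject, *self._roles_of(subject)}:
            if privilege in self._cells.get((s, obj), ()):
                return True
        return False

    def acl(self, obj: str) -> Dict[str, FrozenSet[str]]:
        """Object-focused view: which subjects may do what to this object."""
        return {s: frozenset(p) for (s, o), p in self._cells.items() if o == obj}

    def capability_table(self, subject: str) -> Dict[str, FrozenSet[str]]:
        """Subject-focused view: which objects this subject may act on, and how."""
        return {o: frozenset(p) for (s, o), p in self._cells.items() if s == subject}

    def effective_capabilities(self, user: str) -> Dict[str, FrozenSet[str]]:
        """The user's own capability table merged with those of its roles."""
        merged: Dict[str, Set[str]] = {}
        for s in {user, *self._roles_of(user)}:
            for o, p in self.capability_table(s).items():
                merged.setdefault(o, set()).update(p)
        return {o: frozenset(p) for o, p in merged.items()}


def build_sample_matrix() -> AccessControlMatrix:
    """Constructed example: one role, two users, three objects."""
    acm = AccessControlMatrix()
    acm.grant("accounting", "ledger.xlsx", "read", "write")   # role grant
    acm.grant("bob", "payroll.db", "read")                     # direct grant
    acm.grant("alice", "notes.txt", "read", "write", "delete")
    acm.add_member("accounting", "alice")                      # alice inherits
    return acm


if __name__ == "__main__":
    acm = build_sample_matrix()
    print("ACL for ledger.xlsx:", acm.acl("ledger.xlsx"))
    print("capability table for accounting:", acm.capability_table("accounting"))
    print("alice effective:", acm.effective_capabilities("alice"))
    print("alice write ledger?", acm.is_permitted("alice", "ledger.xlsx", "write"))
    print("alice read payroll?", acm.is_permitted("alice", "payroll.db", "read"))
```

The same matrix answers both questions the sheet contrasts: acl() answers "who can touch this object" and capability_table() answers "what can this subject touch"; neither view grants anything on its own, and a (subject, object) pair with no cell is denied without any explicit deny entry.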
Security Testing (522)
Security Testing - verifies that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests and manual attempts to undermine security. When scheduling security controls for review, information security managers should consider the following factors:
- Availability of security testing resources
- Criticality of the systems and applications protected by the tested controls
- Sensitivity of information contained on tested systems and applications
- Likelihood of a technical failure of the mechanism implementing the control
- Likelihood of a misconfiguration of the control that would jeopardize security
- Risk that the system will come under attack
- Rate of change of the control configuration
- Other changes in the technical environment that may affect the control performance
- Difficulty and time required to perform a control test
- Impact of the test on normal business operations
After assessing each of these factors, security teams design and validate a comprehensive assessment and testing strategy.
Verification & Validation (523)
Verification – objective evidence that the design outputs of a phase of the SDLC meet requirements. 3rd party sometimes
Validation – develop "level of confidence" that the software meets all requirements and expectations, software improves over time
Find back doors thru structured walk through
Logs (530)
Network Flow – captured to provide insight into network traffic for security, troubleshooting, and performance management
Audit logging – provides information about events on the routers
Companies can set predefined thresholds for the number of certain types of errors that will be allowed before the activity is considered suspicious. This baseline is referred to as clipping level
Audit trails -
- Transaction date/time
- Who processed the transaction
- At which terminal
Syslog – message logging standard commonly used by network devices, Linux and Unix systems and other devices (firewalls)
Reboot – generates an information log entry
- Errors – significant problem
- Warnings – future problem
- Information – successful operations
- Success Audits – successful security accesses
- Failure Audits – failed security access attempts
Inconsistent Time Stamps – often caused by improperly set time zones or due to differences in how system clocks are set
Modified logs – often a sign of intrusion or malicious intent
NetFlow is a feature that was introduced on Cisco routers that provides the ability to collect IP network traffic as it enters or exits an interface. A network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion.

Security Software (534)
Antimalware and Antivirus – records instances of detected malware
IDS/IPS = security testing, NIST 800-4
War driving - driving a car with notebook to find open access points
IDS intrusion detection system
NETWORK BASED
- Detects intrusions on the LAN behind a firewall.
- Is passive while it acquires data.
- Reviews packets and headers
- Problem with network based is that it will not detect attacks by users logged into hosts
HOST BASED
- monitoring servers through EVENT LOGS AND SYSTEM LOGS
- as good as the completeness of the host logging
- easier to discover and disable
Signature based method (AKA Knowledge based) - compared with signature attack database (aka misuse detector)
Statistical anomaly based - defines a 'normal' behavior and detects abnormal behaviors.
Response box - is a part of an IDS that initiates alarm or activity
Components: Information source/sensor, centralized monitor software, data and even report analysis, database components and response to an event or intrusion
IPS Intrusion prevention system - detect attack and PREVENT that attack being successful
Remote Access Software – granted and secured through VPNs
Web Proxies – intermediate hosts, restrict access
Vulnerability Management Software – patching
Authentication Servers – SSO servers
Routers – permit or block traffic based on policy
Firewalls – more sophisticated than routers to examine traffic
Monitoring and auditing (537)
NTP - Network Time Protocol. One important consideration is ensuring that logs have accurate time stamps and that these time stamps remain consistent throughout the environment. A common method is to set up an internal NTP server that is synchronized to a trusted time source such as a public NTP server. Other systems can then synchronize with this internal NTP server.
Protecting Logs (538)
Breaches – protect from breaches of confidentiality and integrity.
Availability – archival process to prevent loss by overwritten logs
Log Analysis – study logs for events of interest
Set maximum size. If too small, attacker can make little changes and push them out of window
Synthetic Transactions (540)
Real User Monitoring – aims to capture and analyze every transaction of a user
Synthetic Performance Monitoring – uses scripted or recorded data. Traffic capture, Db performance monitoring, website performance monitoring can be used. NOT User Session Monitoring
Types
- Proactive monitoring involves having external agents run scripted transactions against a web application
- Db monitoring; availability of Db
- TCP port monitoring; availability of website, service, or application

Code Review and Testing (542)
Code review is the foundation of software assessment programs. During a code review, also known as a "peer review," developers other than the one who wrote the code review it for defects. The most formal code review processes, known as Fagan inspections, follow a rigorous review and testing process with six steps:
- Planning
- Overview
- Preparation
- Inspection
- Rework
- Follow-up
Code Coverage Report – information on the functions, statements, branches, and conditions covered in testing.
Use cases – used as part of test coverage calculation that divides the tested use cases by total use cases
Code Review Report – generated if the organization was manually reviewing the application's source code
- Black-box testing observes the system external behavior, no internal details known
- Dynamic Testing – does not require access to source code, evaluates code in a runtime environment
- White-box testing (crystal) is a detailed exam of a logical path, checking the possible conditions. Requires access to source code
- Static Testing – requires access to source code, performs code analysis
- CSV – Comma Separated Values
- CVE - Common Vulnerabilities and Exposures dictionary. The CVE dictionary provides a standard convention used to identify vulnerabilities, list by MITRE
- CVSS – Common Vulnerability Scoring System, metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated, also to score vulnerabilities against unique requirements.
NVD – National Vulnerability Db
- Compiled code poses more risk than interpreted code because malicious code can be embedded in the compiled code and can be difficult to detect.
- Regression testing is the verification that what is being installed does not affect any portion of the application system already installed. It generally requires the support of automated process to repeat tests previously undertaken. Known inputs against an application then compares results to earlier version results
- nonRegression testing – code works as planned
- Code comparison is normally used to identify the parts of the source code that have changed.
- Integration testing is aimed at finding bugs in the relationship and interfaces between pairs of components. It does not normally test all functions.
- Attack surface - exposure
Threat Assessment Modeling (544)?
STRIDE - is often used in relation to assessing threats against applications or operating systems, threat categorization scheme: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
Spoofing - An attack with the goal of gaining access to a target system through the use of a falsified identity. Spoofing can be used against IP addresses, MAC addresses, usernames, system names, wireless network SSIDs, and other types of logical identification.
Tampering - Any action resulting in the unauthorized changes or manipulation of data, whether in transit or in storage. Tampering is used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability.
Repudiation - The ability for a user or attacker to deny having performed an action or activity.
Information disclosure - The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities.
Elevation of privilege - An attack where a limited user account is transformed into an account with greater privileges/powers/access
Key Performance and Risk Indicators (562)
Security managers should also monitor key performance and risk indicators on an ongoing basis. The exact metrics they monitor will vary by organization but may include the following:
- Number of open vulnerabilities
- Time to resolve vulnerabilities
- Number of compromised accounts
- Number of software flaws detected in preproduction scanning & Repeat audit findings
- User attempts to visit known malicious sites
Performing Vulnerability Assessments
Vulnerability scans - automatically probe systems, applications, and networks, looking for weaknesses that may be exploited
Network discovery scanning - uses a variety of techniques to scan a range of IP addresses, searching for systems with open ports.
TCP SYN Scanning - Sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open. TCP SYN scanning is also known as "half-open" scanning.
TCP Connect Scanning - Opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.
TCP ACK Scanning - Sends a packet with the ACK flag set, indicating that it is part of an open connection.
Xmas Scanning - Sends a packet with the FIN, PSH, and URG flags set. A packet with so many flags set is said to be "lit up like a Christmas tree," leading to the scan's name.
Passive Scanning – user scans wireless to look for rogue devices in addition to IDS
Bluetooth Scans – time consuming, many personal devices
- Active; strength of PIN, security mode
- Passive; only active connections, multiple visits
Authenticated scans – read-only account to access config files

Testing Software (549)
Static Testing - evaluates the security of software without running it by analyzing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows.
Dynamic Testing - evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code. One common example of dynamic software testing is the use of web application scanning tools to detect the presence of cross-site scripting, SQL injection, or other flaws in web applications. Testing may include the use of synthetic transactions to verify system performance.
Fuzz Testing - is a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities. Often limited to simple errors, does find important, exploitable issues, doesn't fully cover code in detail
Mutation (Dumb) Fuzzing - Takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.
Generational (Intelligent) Fuzzing - develops inputs based on models of expected inputs to perform the same task. The zzuf tool automates the process of mutation fuzzing by manipulating input according to user specifications.
Misuse Case testing - Software testers use this process, or abuse case testing, to evaluate the vulnerability of their software to known risks.
Misuse Case diagrams – threats and mitigate
Test Coverage Analysis - method used to assess how well software testing covered the potential use of an application
Interface testing - is an important part of the development of complex software systems. In many cases, multiple teams of developers work on different parts of a complex application that must function together to meet business objectives. The handoffs between these separately developed modules use well-defined interfaces so that the teams may work independently. Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete.
- Application Programming Interfaces (APIs) - Offer a standardized way for code modules to interact and may be exposed to the outside world through web services. Developers must test APIs to ensure that they enforce all security requirements.
- User Interfaces (UIs) - Examples include graphic user interfaces (GUIs) and command-line interfaces. UIs provide end users with the ability to interact with the software. Interface tests should include reviews of all user interfaces to verify that they function properly.
- Physical Interfaces - Exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world. Software testers should pay careful attention to physical interfaces because of the potential consequences if they fail.

Levels of Development Testing (550)
Unit testing - testing small pieces of software during a development stage by developers and quality assurance, ensures quality units are furnished for integration into final product
Integration level testing – focus on transfer of data and control across a program's interfaces
System level testing – demonstrates that all specified functionality exists and that the software product is trustworthy

Things to Know
SAS 70 – outdated 2011, based on ISAE 3402
SOC Reports - service organization control report. (569)
- SOC-1 report, covers only internal controls over financial reporting. SSAE 16 is the same, most common synonym. SOC 1 - Finances
- SOC-2 (design and operational effectiveness) If you want to verify the security, integrity, privacy, and availability controls, for business partners, auditors @security
- SOC-3 report; shared with broad community, website seal, supports organization's claims about their ability to provide CIA
Type 1 – point in time covering design
Type 2 – period of time covering design and operating effectiveness
Passive monitoring only works after issues have occurred because it requires actual traffic
Log Management System – volume of log data, network bandwidth, security of data, and amount of effort to analyze. NOT enough log sources
OPSEC process - Understanding your day-to-day operations from the viewpoint of a competitor, enemy, or hacker and then developing and applying countermeasures.
Pen-test – testing of network security as a hacker would do to find vulnerabilities. Always get management approval first
Port scanner - program that attempts to determine whether any of a range of ports is open on a particular computer or device
Ring zero - inner code of the operating system. Reserved for privileged instructions by the OS itself
War dialer - dials a range of phone numbers as in the movie WarGames
Superzapping - system utility or application that bypasses all access controls and audit/logging functions to make updates to code or data
Operational assurance – Verification that a system is operating according to its security requirements
• Design & development reviews
• Formal modeling
• Security architecture
• ISO 9000 quality techniques
• Assurance – degree of confidence that the implemented security measures work as intended
Piggybacking - when an unauthorized person goes through a door behind an authorized person.
Tailgating – authorized person circumventing controls
Supervisor mode - processes running in inner protected ring
Incident Scene (581)
- ID the Scene
- Protect the environment
- ID evidence and potential sources of evidence
- Collect evidence – hash
- Minimize the degree of contamination
Locard’s Exchange Principle – perps leave something behind

Evidence (581)
Sufficient – persuasive enough to convince one of its validity
Reliable – consistent with fact, evidence has not been tampered with or modified
Relevant – relationship to the findings must be reasonable and sensible. Proof of crime, documentation of events, proof of acts and methods used, motive proof, identification of acts
Permissible – lawful obtaining of evidence; avoid: unlawful search and seizure, secret recording, privacy violations, forced confessions, unlawful obtaining of evidence
Preserved and identifiable – collection, reconstruction, identification labeling, recording serial number etc.
Evidence must be preserved and identifiable
•Collection, documentation, classification, comparison, reconstruction
EVIDENCE LIFECYCLE
1. Discovery
2. Protection
3. Recording
4. Collection and identification
5. Analysis
6. Storage, preservation, transportation
7. Present in court
8. Return to owner
Witnesses that evidence is trustworthy, description of procedures, normal business methods collections, error precaution and correction

Live evidence (582)
Best Evidence:
–Primary Evidence – is used at the trial because it is the most reliable.
–Original documents – are used to document things such as contracts – NOTE: no copies!
–Note: Oral is not best evidence though it may provide interpretation of documents, etc.
Secondary Evidence
–Not as strong as best evidence.
–A copy, Secondary Evidence, is not permitted if the original, Best Evidence, is available – Copies of documents.
–Oral evidence like Witness testimony
Direct Evidence:
–Can prove fact by itself and does not need any type of backup.
–Testimony from a witness – one of their 5 senses:
•Oral Evidence is a type of Secondary Evidence so the case can’t simply stand on it alone, but it is Direct Evidence and does not need other evidence to substantiate

Live evidence (582) (cont)
Conclusive evidence
–Irrefutable and cannot be contradicted
–Requires no other corroboration
Circumstantial evidence
–Used to help assume another fact
–Cannot stand on its own to directly prove a fact
Corroborative Evidence:
–Supports or substantiates other evidence presented in a case
Hearsay Evidence – something a witness hears another one say. Also business records are hearsay and all that’s printed or displayed. One exception to business records: audit trails and business records are not considered hearsay when the documents are created in the normal course of business.

Interviewing and Interrogation (584)
Interviewing – gather facts and determine the substance of the case.
Interrogation – evidence retrieval method, ultimately obtain a confession
The Process - Due Process
–Prepare questions and topics, put witness at ease, summarize information – interview/interrogation plan
–Have one person as lead and 1-2 others involved as well – never interrogate or interview alone
Witnesses
Opinion Rule
–Requires witnesses to testify only about the facts of the case, cannot be used as evidence in the case.
Expert Witnesses
–Used to educate the jury, can be used as evidence.

Digital Evidence (584)
Six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of forensically recovered evidence:
- When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
- Upon seizing digital evidence, actions taken should not change that evidence.
- When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
- An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
- Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
Media analysis - a branch of computer forensic analysis, involves the identification and extraction of information from storage media. This may include the following: Magnetic media (e.g., hard disks, tapes); Optical media (e.g., CDs, DVDs, Blu-ray discs); Memory (e.g., RAM, solid state storage). Techniques used for media analysis may include the recovery of deleted files from unallocated sectors of the physical disk, the live analysis of storage media connected to a computer system (especially useful when examining encrypted media), and the static analysis of forensic images of storage media.
Network Analysis - Forensic investigators are also often interested in the activity that took place over the network during a security incident. Network forensic analysis, therefore, often depends on either prior knowledge that an incident is underway or the use of preexisting security controls that log network activity. These include: Intrusion detection and prevention system logs; Network flow data captured by a flow monitoring system; Packet captures deliberately collected during an incident; Logs from firewalls and other network security devices. The task of the network forensic analyst is to collect and correlate information from these disparate sources and produce as comprehensive a picture of network activity as possible.
Software Analysis - Forensic analysts may also be called on to conduct forensic reviews of applications or the activity that takes place within a running application. In some cases, when malicious insiders are suspected, the forensic analyst may be asked to conduct a review of software code, looking for back doors, logic bombs, or other security vulnerabilities. In other cases, forensic analysts may be asked to review and interpret the log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.
Hardware/Embedded Device Analysis - Forensic analysts often must review the contents of hardware and embedded devices. This may include a review of personal computers & smartphones
Evidence (584)
Admissible Evidence
- The evidence must be relevant to determining a fact.
- The fact that the evidence seeks to determine must be material (that is, related) to the case.
- The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

Digital Forensics (585)
Five rules of evidence:
- Be authentic; evidence tied back to scene
- Be accurate; maintain authenticity and veracity
- Be complete; all evidence collected, for & against view
- Be convincing; clear & easy to understand for jury
- Be admissible; be able to be used in court
Forensic Disk Controller – intercepting and modifying or discarding commands sent to the storage device
- Write Blocking, intercepts write commands sent to the device and prevents them from modifying data on the device
- Return data requested by a read operation
- Returning access-significant information from device
- Reporting errors from device to forensic host

LOGS TAKEN IN THE NORMAL COURSE OF BUSINESS

Investigation (590)
MOM: means, opportunity and motive
Determine suspects
Victimology – why certain people are victims of crime and how lifestyle affects the chances that a certain person will fall victim to a crime
Investigation Types
- Operational
- Criminal
- Civil
- eDiscovery
When investigating a hard drive, don’t use message digest because it will change the timestamps of the files when the file-system is not set to Read-Only
Slack space on a disk should be inspected for hidden data and should be included in a disk image

Law
Common law - USA, UK, Australia, Canada (judges)
Civil law - Europe, South America
Islamic and other religious laws – ME, Africa, Indonesia
USA: 3 branches for laws:
- Legislative: writing laws (statutory laws).
- Executive: enforces laws (administrative laws)
- Judicial: interprets laws (makes common laws out of court decisions)
3 categories
Criminal law – individuals that violate government laws. Punishment mostly imprisonment
Civil law – wrongs against individual or organization that result in a damage or loss. Punishment can include financial penalties. AKA tort law (I’ll Sue You!) Jury decides liability
Administrative/Regulatory law – how the industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties
Uniform Computer Information Transactions Act (UCITA) - is a federal law that provides a common framework for the conduct of computer-related business transactions. UCITA contains provisions that address software licensing. The terms of UCITA give legal backing to the previously questionable practices of shrink-wrap licensing and click-wrap licensing by giving them status as legally binding contracts.
Computer Crime Laws - 3 types of harm
- unauthorized intrusion,
- unauthorized alteration or destruction
- malicious code
Admissible evidence: relevant, sufficient, reliable, does not have to be tangible
Hearsay: second-hand data, not admissible in court
Enticement is the legal action of luring an intruder, like in a honeypot
Entrapment is the illegal act of inducing a crime, the individual had no intent of committing the crime at first
Federal Sentencing Guidelines provides judges and courts procedures on the prevention, detection and reporting

Security incident and event management (SIEM) (595)
- Automating much of the routine work of log review.
Provide real-time analysis of events occurring on systems throughout an organization but don’t necessarily scan outgoing traffic.
Can look for sensitive information stored on hard drives

Intrusion Detection and Prevention (594)
An intrusion occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization’s resources. Intrusion detection is a specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.
IDS - intrusion detection system automates the inspection of logs and real-time system events to detect intrusion attempts and system failures. IDSs are an effective method of detecting many DoS and DDoS attacks. They can recognize attacks that come from external connections, such as an attack from the Internet, and attacks that spread internally such as a malicious worm. Once they detect a suspicious event, they respond by sending alerts or raising alarms. In some cases, they can modify the environment to stop an attack. A primary goal of an IDS is to provide a means for a timely and accurate response to intrusions. An IDS is intended as part of a defense-in-depth security plan. It will work with, and complement, other security mechanisms such as firewalls, but it does not replace them.
IPS - intrusion prevention system includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions. If desired, administrators can disable these extra features of an IPS, essentially causing it to function as an IDS.

DLP (597) Data Loss Prevention
PROTECT SENSITIVE INFORMATION
Data loss prevention systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns.
Network-based DLP - scans all outgoing data looking for specific data. Administrators would place it on the edge of the network to scan all data leaving the organization. If a user sends out a file containing restricted data, the DLP system will detect it and prevent it from leaving the organization. The DLP system will send an alert, such as an email to an administrator.
Endpoint-based DLP - can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization’s endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.
3 states of information
- data at rest (storage)
- data in transit (the network)
- data being processed (must be decrypted) / in use / end-point
Configuration Management (603)
Configuration item (CI) - component whose state is recorded
Version: recorded state of the CI
Configuration - collection of component CI’s that make another CI
Building - assembling a version of a CI using component CI’s
Build list - set of versions of component CI’s used to build a CI
Software Library - controlled area only accessible for approved users
ARTIFACTS – CONFIGURATION MANAGEMENT

Recovery procedures (606)
Recovery procedures: system should restart in secure mode
Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals
Fault-tolerant continues to function despite failure
Fail safe system, program execution is terminated and system protected from compromise when hardware or software failure occurs. DOORS usually
Fail Closed/secure – most conservative from a security perspective
Fail Open
Fail Hard – BSOD, human to see why it failed
Fail soft or resilient system, reboot, selected, non-critical processing is terminated when failure occurs
Failover, switches to hot backup.
FAIL SAFE: doors UNLOCK
FAIL SECURE: doors LOCK

Trusted Path (606)
Protect data between users and a security component. Channel established with strict standards to allow necessary communication to occur without exposing the TCB to security vulnerabilities. A trusted path also protects system users (sometimes known as subjects) from compromise as a result of a TCB interchange.
ONLY WAY TO CROSS SECURITY BOUNDARY RIGHT WAY

Incident Response (624)
Events: anything that happens. Can be documented, verified and analyzed
Security Incident - event or series of events that adversely impact the ability of an organization to do business
Security incident – suspected attack
Security intrusion – evidence attacker attempted or gained access
Lifecycle - Response Capability (policy, procedures, a team), Incident response and handling (Triage, investigation, containment, and analysis & tracking), Recovery (Recovery / Repair), Debriefing / Feedback (External Communications)
Mitigation – limit the effect or scope of an incident

RCA, Root Cause Analysis (632)
Tree / Boolean - FAULT TREE ANALYSIS
- 5 Whys
- Failure Mode and Effects analysis
- Pareto Analysis
- Fault Tree Analysis
- Cause Mapping

Firewalls (636)
HIDS - Host-based IDS, monitors activity on a single computer, including process calls and information recorded in firewall logs. It can often examine events in more detail than an NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker. A benefit of HIDSs over NIDSs is that HIDSs can detect anomalies on the host system that NIDSs cannot detect.
NIDS - Network-based IDS, monitors and evaluates network activity to detect attacks or event anomalies. It cannot monitor the content of encrypted traffic but can monitor other packet details. A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.

Backup types (658)
Full - All files, archive bit and modify bit are cleared. Advantage: only previous day needed for full restore, disadvantage: time consuming
Incremental - only modified files, archive bit cleared. Advantage: least time and space. Disadvantage: first restore full then all incremental backups, thus less reliable because it depends on more components
Differential - only modified files, doesn’t clear archive bit. Advantage: full and only last diff needed. Intermediate time between full and diff.
Redundant servers – applies RAID 1 mirroring concept to servers. On error servers can do a fail-over. This is AKA server fault tolerance
Server clustering – group of independent servers which are managed as a single system. All servers are online and take part in processing service requests.
Individual computing devices on a cluster vs. a grid system – cluster devices all share the same OS and application software but grid devices can have different OSs while still working on same problem
Tape Rotation Schemes – GF/Father/Son, Tower of Hanoi, Six Cartridge Weekly
RAIT – robotic mechanisms to transfer tapes between storage and drive mechanisms

Disaster Processing Continuity plan (659)
Mutual aid agreements (aka reciprocal agreement) - Arrangement with another similar corporation to take over processes. Advantage: cheap. Disadvantage: must be exactly the same, is there enough capability, only for short term and what if disaster affects both corporations. Is not enforceable.
Subscription services - Third party, commercial services provide alternate backups and processing facilities. Most common of implementations!
- Redundant – Mirrored site, potential 0 down time
- HOT SITE – Internal/External, fully configured computer facility. All applications are installed, up-to-date mirror of the production system. For extremely urgent critical transaction processing. Advantage: 24/7 availability and exclusive use are assured. Short and long term. Disadvantage: extra administrative overhead, costly, security controls need to be installed at the remote facility too. Exclusive to one company, hours to be up
- WARM SITE - Cross between hot and cold site. The computer facility is available but the applications may not be installed or need to be configured. External connections and other data elements that take long time to order are present. Workstations have to be delivered and data has to be restored. Advantage: Less costly, more choices of location, less administrative resources. Disadvantage: it will take some time to start production processing. Nonexclusive. 12 hours to be up
- COLD SITE - Least ready but most commonly used. Has no hardware installed, only power and HVAC. Disadvantage: Very lengthy time of restoration, false sense of security but better than nothing. Advantage: Cost, ease of location choice. Nonexclusive. week
- SERVICE BUREAU - Contract with a service bureau to fully provide alternate backup processing services. Advantage: quick response and availability, testing is possible. Disadvantage: expense and it is more of a short time option.
Multiple centers (aka dual sites) - Processing is spread over several computer centers. Can be managed by same corporation (in-house) or with another organization (reciprocal agreement). Advantage: costs, multiple sites will share resources and support. Disadvantage: a major disaster could affect both sites; multiple configurations have to be administered.
Other data center backup alternatives
- Rolling/mobile sites - Mobile homes or HVAC trucks. Could be considered a cold site
- In-house or external - supply of hardware replacements. Stock of hardware either onsite or with a vendor. May be acceptable for warm site but not for hot site.
- Prefabricated buildings - A very cold site.
RTO: recovery time objectives. Refers to business processes not hardware.
RTO 5 minutes or hours: Hot site; RTO 1-2 days: warm site
RTO 3-5 days: mobile site; RTO 1-2 weeks: cold site
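A small simulation of the archive-bit rules behind the full, incremental and differential backup types above, added here as an example (it is not from the Sunflower sheet): it derives which backups a restore needs from those rules and checks the rebuilt state against the live host. The file names and the three-day history are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class File:
    """A file on the protected host; the archive bit is set on every write."""
    content: str
    archive: bool = True


@dataclass
class Backup:
    kind: str                                   # "full", "incremental" or "differential"
    day: int
    files: dict = field(default_factory=dict)   # name -> content captured on that day


class Host:
    def __init__(self):
        self.files = {}

    def write(self, name, content):
        self.files[name] = File(content, archive=True)

    def backup(self, kind, day):
        """Copy files according to the archive-bit rules stated on the sheet."""
        snap = Backup(kind, day)
        for name, f in self.files.items():
            if kind == "full" or f.archive:
                snap.files[name] = f.content
            if kind in ("full", "incremental"):
                f.archive = False        # full and incremental clear the bit
            # differential copies changed files but leaves the bit set
        return snap

    def state(self):
        return {name: f.content for name, f in self.files.items()}


def restore_chain(backups, target_day):
    """Return the backups, in apply order, needed to rebuild the state at target_day."""
    history = [b for b in backups if b.day <= target_day]
    fulls = [i for i, b in enumerate(history) if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target day")
    base, rest = history[fulls[-1]], history[fulls[-1] + 1:]
    kinds = {b.kind for b in rest}
    if not kinds:
        return [base]
    if kinds == {"incremental"}:
        return [base] + rest              # full, then every incremental since it
    if kinds == {"differential"}:
        return [base, rest[-1]]           # full, then only the latest differential
    raise ValueError("mixed incremental/differential chains are not modelled")


def restore(chain):
    """Apply a chain oldest-first; later copies overwrite earlier ones."""
    result = {}
    for b in chain:
        result.update(b.files)
    return result


def run_scenario(kind):
    """Constructed history: full on day 0, then one backup of `kind` per day."""
    host, backups = Host(), []
    host.write("a.txt", "a0")
    host.write("b.txt", "b0")
    host.write("c.txt", "c0")
    backups.append(host.backup("full", 0))
    host.write("a.txt", "a1")                   # day 1: a.txt changes
    backups.append(host.backup(kind, 1))
    host.write("b.txt", "b2")                   # day 2: b.txt changes
    backups.append(host.backup(kind, 2))
    return host.state(), backups, restore_chain(backups, 2)


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        state, backups, chain = run_scenario(kind)
        print(kind, "restore needs", [f"{b.kind}@day{b.day}" for b in chain],
              "; day-2 copy holds", sorted(backups[2].files))
        assert restore(chain) == state
```

The differential copy on day 2 still contains a.txt because its archive bit was never cleared, which is why only the last differential is needed, while the incremental chain needs every copy since the full.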
Raid Levels (665)
RAID 0 Striped, one large disk out of several – Improved performance but no fault tolerance
RAID 1 Mirrored drives – fault tolerance from disk errors and single disk failure, expensive; redundancy only, not speed
RAID 2 not used commercially. Hamming Code Parity/error
RAID 3 Striped on byte level with extra parity drive – Improved performance and fault tolerance, but parity drive is a single point of failure and write intensive. 3 or more drives
RAID 4 Same as RAID 3 but striped on block level; 3 or more drives
RAID 5 Striped on block level, parity distributed over all drives – requires all drives but one to be present to operate, hot-swappable. Interleave parity, recovery control; 3 or more drives
RAID 6 Dual Parity, parity distributed over all drives – requires all drives but two to be present to operate, hot-swappable
RAID 7 is same as RAID 5 but all drives act as one single virtual disk
Backup storage media
Tape: sequential, slow read, fast write 200GB an hour, historically cheaper than disk (now changing), robotic libraries
Disk: fast read/write, less robust than tape
Optical drive: CD/DVD. Inexpensive
Solid state: USB drive, security issues, protected by AES
MTTF (mean time to failure)
MTTR (mean time to repair)
MTBF Mean time between failures (Useful Life) = MTTF + MTTR
JBOD – MOST BASIC TYPE OF STORAGE

Transaction Redundancy Implementations (667)
Electronic vaulting - transfer of backup data to an offsite storage location via communication lines
Remote Journaling - parallel processing of transactions to an alternative site via communication lines
Database shadowing - live processing of remote journaling and creating duplicates of the database sets to multiple servers

Data destruction and reuse (143)
Object reuse - use after initial use
Data remanence - remaining data after erasure
Format magnetic media 7 times (orange book)
Clearing - overwriting media to be reused
Purging - degaussing or overwriting to be removed
Destruction - complete destroy preferably by burning

Disaster Recovery Planning (672)
End Goal - Restore normal business operations.
Statement of actions that have to be taken before, during and after a disruptive event that causes a significant loss of information. Goal: provide organized way for decision making, reduce confusion and deal with the crisis. Planning and development must occur before the disaster
BIA has already been done, now we’re going to protect!
Disaster – any event, natural or manmade, that can disrupt normal IT operations
The disaster is not over until all operations have been returned to their normal location and function
It will be officially over when the data has been verified at the primary site, as accurate

Disaster recovery process (673)
TEAMS
Recovery team mandated to implement recovery after the declaration of the disaster
Salvage team goes back to the primary site to normal processing environmental conditions. Clean, repair, Salvage. Can declare when primary site is available again
Normal Operations Resume plan has all procedures on how the company will return processing from the alternate site
Other recovery issues
Interfacing with other groups: everyone outside the corporation
Employee relations: responsibility towards employees and families
Fraud and Crime: like vandalism, looting and people grabbing the opportunity
Financial disbursement, Media relations
1. Find someone to run it
Documenting the Plan
Activation and recovery procedures
Plan management
HR involvement
Costs
Required documentation
Internal/external communications
Detailed plans by team members
GET COMMUNICATIONS UP FIRST THEN MOST CRITICAL BUSINESS FUNCTIONS

Disaster Recovery Test (679)
Desk Check – review plan contents
Table-top exercise - members of the disaster recovery team gather in a large conference room and role-play a disaster scenario.
Simulation tests - are more comprehensive and may impact one or more noncritical business units of the organization, all support personnel meet in a practice room
Parallel tests - involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at an alternate site, main site open also
Full-interruption tests - involve relocating personnel to the alternate site and shutting down operations at the primary site.

BCP (685)
Plan for emergency response, backup operations and post disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation
BCP (proactive) & DRP (reactive) Goals
Business continuity - Ensuring the business can continue in an emergency, 1st business organization analysis
Focus on business processes
1. Scope and plan initiation - Consider amount of work required, resources required, management practice
2. BIA – helps to understand impact of disruptive processes
3. Business Continuity Plan development
 a. Use BIA to develop BCP (strategy development phase bridges the gap between the business impact assessment and the continuity planning phases of BCP development)
 b. Testing
4. Plan approval and implementation
 - Management approval
 - Create awareness
 Update plan as needed, At least once a year testing
Disaster Recovery – Recover as quickly as possible
- Heavy IT focus
- Allows the execution of the BCP
- Needs Planning
- Needs Testing
CRITICAL, URGENT, IMPORTANT
Business Continuity plans development
- Defining the continuity strategy
- Computing: strategy to preserve the elements of hardware/software/communication lines/applications/data
- Facilities: use of main buildings or any remote facilities
- People: operators, management, technical support persons
- Supplies and equipment: paper, forms, HVAC
Documenting the continuity strategy
Roles and responsibilities
BCP committee
- Senior staff (ultimate responsibility, due care/diligence)
- Various business units (identify and prioritize time critical systems)
- Information Systems
- Security Administrator
- People who will carry out the plan (execute): representatives from all departments

CCTV (692)
Multiplexer allows multiple camera screens shown over one cable on a monitor
Via coax cables (hence closed)
Attacks: replayed (video images)
Fixed mounting versus PTZ Pan Tilt Zoom
Annunciator system (detects movements on screen and alerts guards)
Recording (for later review) = detective control
CCTV enables you to compare the audit trails and access logs with a visual recording

Lighting (694)
Glare protection - against blinding by lights
Continuous lighting - evenly distributed lighting
Controlled lighting - no bleeding over, no blinding
Standby lighting - timers
Responsive areas illumination - IDS detects activities and turns on lighting
NIST: for critical areas the area should be illuminated 8 feet in height with 2-foot candle power

Fences
Small mesh and high gauge is most secure
3-4 feet deters casual trespasser
6-7 feet too hard to climb easily
8 feet + wires deters intruders, difficult to climb
no one STOPS a determined intruder

ALARMS (697)
Local alarms - audible alarm for at least 4000 feet far
Central stations - less than 10 mins travel time for e.g. a security firm
Proprietary systems - owned and operated by the customer. System provides many of the features in-house
Auxiliary Station systems - on alarm ring out to local fire or police
Line supervision check - if no tampering is done with the alarm wires
Power supplies - alarm systems need separate circuitry and backup power

Intrusion detection (698)
PHYSICAL PERIMETER DETECTION
Electromechanical - detect a break or change in a circuit: magnets pulled loose, wired door, pressure pads
Photoelectric - light beams interrupted (as in a store entrance)
Passive infrared - detects changes in temperature
Acoustical detection - microphones, vibration sensors
MOTION
Wave pattern motion detectors - detect motion
Proximity or capacitance detector - magnetic field detects presence around an object

Locks (702)
Warded lock - hanging lock with a key
Tumbler lock - cylinder slot
Combination lock - 3 digits with wheels
Cipher Lock - Electrical
Device lock - bolt down hardware
Preset - ordinary door lock
Programmable - combination or electrical lock
Raking - circumvent a pin tumbler lock

Audit trails
Date and time stamps
Successful or not attempt
Where the access was granted
Who attempted access
Who modified access privileges at supervisor level

Security access cards
Photo id card: dumb cards
Digital-coded private cards:
• Swipe cards
• Smartcards
Wireless proximity cards
• User activated
• System sensing
 o Passive device, no battery, uses power of the field
 o Field Powered device: active electronics, transmitter but gets power from the surrounding field from the reader
Transponders: both card and receiver hold power, transmitter and electronics

Trusted recovery ()
Ensures that the security is not breached when a system crash or failure occurs. Only required for B3 and A1 level systems.
Failure preparation: backup critical information thus enabling data recovery
System recovery after a system crash
1. Rebooting system in single user mode or recovery console, so no user access is enabled
2. Recovering all file systems that were active during failure
3. Restoring missing or damaged files
4. Recovering the required security characteristic, such as file security labels
5. Checking security-critical files such as system password file
Common criteria hierarchical recovery types
1. Manual: System administrator intervention is required to return the system to a secure state
2. Automatic: Recovery to a secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures)
3. Automatic without Undue Loss: Higher level of recovery defining prevention against the undue loss of protected objects
4. Function: system can restore functional processes automatically
Types of system failure
System reboot: System shuts itself down in a controlled manner after detecting inconsistent data structures or running out of resources
Emergency restart: when a system restarts after a failure happens in an uncontrolled manner. E.g. when a low privileged user tries to access restricted memory segments
System cold start: when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system in a more consistent state.
Things to know
Hackers and crackers - want to verify their skills as intruders
Entitlement - refers to the amount of privileges granted to users, typically when first provisioning an account. A user entitlement audit can detect when employees have excessive privileges
Aggregation - Privilege Creep, accumulate privileges
Hypervisor - software component that manages the virtual components. The hypervisor adds an additional attack surface, so it’s important to ensure it is deployed in a secure state and kept up-to-date with patches; controls access to physical resources
Notebook - most preferred in the legal investigation is a bound notebook, pages are attached to a binding.
Exigent circumstances allows officials to seize evidence before it’s destroyed (police team fall in)
Data haven is a country or location that has no laws or poorly enforced laws
Chain of custody = collection, analysis and preservation of data
Forensics uses bit-level copy of the disk
Darknet – unused network space that may detect unauthorized activity
Pseudo flaw – false vulnerability in a system that may attract an attacker
FAIR INFORMATION PRACTICES
• Openness
• Collection Limitation
• Purpose Specification
• Use Limitation
• Data Quality
• Individual Participation
• Security Safeguards
• Accountability
Noise and perturbation: inserting bogus information in the hope of misleading an attacker
First step by change process = management approval.
NB: when a question is about processes, there must always be management’s approval as First step.

Location
CPTED Crime Prevention Through Environmental Design
- Natural Access control: guidance of people by doors, fences, bollards, lighting. Security zones defined
- Natural surveillance: cameras and guards
- Territorial Reinforcements: walls, fences, flags
Target Hardening: focus on locks, cameras, guards
Facility site: CORE OF BUILDING (thus with 6 stories, on 3rd floor)

Attacks ()
Hacktivists - (combination of hacker and activist), often combine political motivations with the thrill of hacking.
Thrill attacks - are the attacks launched only for the fun of it. Pride, bragging rights
Script kiddies - Attackers who lack the ability to devise their own attacks will often download programs that do their work for them. The main motivation behind these attacks is the “high” of successfully breaking into a system. Service interruption: an attacker may destroy data; the main motivation is to compromise a system and perhaps use it to launch an attack against another victim. Common to do website defacements.
Business Attacks - focus on illegally obtaining an organization’s confidential information. The use of the information gathered during the attack usually causes more damage than the attack itself.
Financial Attacks - carried out to unlawfully obtain money or services.
Terrorist Attacks - purpose of a terrorist attack is to disrupt normal life and instill fear
Military or intelligence attack - designed to extract secret information.
Grudge Attacks - are attacks that are carried out to damage an organization or a person. The damage could be in the loss of information or information processing capabilities or harm to the organization or a person’s reputation.
Sabotage - is a criminal act of destruction or disruption committed against an organization by an employee. It can become a risk if an employee is knowledgeable enough about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.
Espionage - is the malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization. Attackers often commit espionage with the intent of disclosing or selling the information to a competitor or other interested organization (such as a foreign government). Attackers can be dissatisfied employees, and in some cases, employees who are being blackmailed by someone outside the organization. Countermeasures against espionage are to strictly control access to all nonpublic data, thoroughly screen new employee candidates,
PROTOTYPING: customer view taken into account and efficiently track all employee activities.
SQL –SUDIGR, 6 basic SQL commands Integrity breaches - unauthorized modification of information,
Select, Update, Delete, Insert, Grant, Revoke violations are not limited to intentional attacks. Human error,
Bind variables are placeholders for literal values in SQL query being oversight, or ineptitude accounts for many instances
sent to the database on a server Confidentiality breaches – theft of sensitive information
Bind variables in SQL used to enhance performance of a database
Monitor progress and planning of projects through
GANTT and PERT charts
Piggybacking: looking over someone’s shoulder to see how someone
gets access.
Data center should have:
• Walls from floor to ceiling
• Floor: Concrete slab: 150 pounds square foot
• No windows in a datacenter
• Air-conditioning should have own Emergency Power Off
(EPO)
Electronic Access Control (EAC): proximity readers, programmable
locks or biometric systems
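The entitlement audit and privilege creep (aggregation) entries above are easiest to see as a comparison of what a user actually holds against what their current role is supposed to grant. The following is an added example, not from the Sunflower sheet or any product: the role baseline, user names and privilege strings are all constructed, and the audit reports every privilege a user holds beyond their role's baseline.

```python
"""User entitlement audit: detect privilege creep against a role baseline.

Added illustration; roles, users and privilege names are constructed.
"""
from typing import Dict, List, Set

# What each role is supposed to grant at provisioning time (the entitlement).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "helpdesk": {"ticket.read", "ticket.write", "user.reset_password"},
    "developer": {"repo.read", "repo.write", "ci.run"},
    "dba": {"db.read", "db.write", "db.admin"},
}

# Each user's current role and the privileges actually granted today.
USERS: Dict[str, dict] = {
    "alice": {"role": "helpdesk",
              "granted": {"ticket.read", "ticket.write", "user.reset_password"}},
    # bob moved from dba to developer but kept db.admin: privilege creep.
    "bob": {"role": "developer",
            "granted": {"repo.read", "repo.write", "ci.run", "db.admin"}},
    # carol holds less than her role allows; that is not creep, so not reported.
    "carol": {"role": "dba", "granted": {"db.read", "db.write"}},
}


def audit_entitlements(users: Dict[str, dict],
                       baseline: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {user: sorted excess privileges} for users holding more than their role grants.

    A role missing from the baseline grants nothing, so everything such a user
    holds is flagged; that surfaces orphaned or misspelled role assignments too.
    """
    findings: Dict[str, List[str]] = {}
    for name, record in users.items():
        allowed = baseline.get(record["role"], set())
        excess = record["granted"] - allowed
        if excess:
            findings[name] = sorted(excess)
    return findings


if __name__ == "__main__":
    for user, extra in audit_entitlements(USERS, ROLE_BASELINE).items():
        print(f"{user}: privileges beyond role baseline -> {extra}")
```

Run periodically and diff the findings against the last run: a privilege that appears in the report without a matching access request is the signal that provisioning and de-provisioning have drifted apart.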
System Development Life Cycle (SDLC) (720)
Project initiation - Feasibility, cost, risk analysis, Management approval, basic security objectives
Functional analysis and planning - Define need, requirements, review proposed security controls
System design specifications - Develop detailed design specs, review support documentation, examine security controls
Software development - Programmers develop code. Unit testing checks modules. Prototyping, Verification, Validation
Acceptance testing and implementation - Separation of duties, security testing, data validation, bounds checking, certification, accreditation, part of release control
System Life Cycle (SLC) (extends beyond SDLC)
Operations and maintenance - release into production. Certification/accreditation
Revisions/Disposal - remove. Sanitation and destruction of unneeded data
SDLC phases (alternative listing): Conceptual definition, Functional requirements definition, Control specifications development, Design review, Code review, System test review, Maintenance and change management

Change Management Process
Together, change and configuration management techniques form an important part of the software engineer's arsenal and protect the organization from development-related security issues.
The change management process has three basic components:
Request Control - provides an organized framework within which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize tasks.
Change Control - provides an organized framework within which multiple developers can create and test a solution prior to rolling it out into a production environment. Change control includes conforming to quality control restrictions, developing tools for update or change deployment, properly documenting any coded changes, and restricting the effects of new code to minimize diminishment of security.
Release Control - Once the changes are finalized, they must be approved for release through the release control procedure.
Configuration Management Process
This process is used to control the version(s) of software used throughout an organization and formally track and control changes
Configuration Identification - administrators document the configuration of covered software products throughout the organization.
Configuration Control - ensures that changes to software versions are made in accordance with the change control and configuration management policies. Updates can be made only from authorized distributions in accordance with those policies.
Configuration Status Accounting - Formalized procedures are used to keep track of all authorized changes that take place.
Configuration Audit - a periodic configuration audit should be conducted to ensure that the actual production environment is consistent with the accounting records and that no unauthorized configuration changes have taken place.

Software Capability Maturity Model (CMM) (725)
Quality of software is a direct function of the quality of development and maintenance
Defined by Carnegie Mellon University SEI (Software Engineering Institute)
Describes procedures, principles, and practices that underlie software development process maturity
1-2 REACTIVE, 3-5 PROACTIVE
5 levels
1. initiating – competent people, informal processes, ad-hoc, absence of formal process
2. repeatable – project management processes, basic life-cycle management processes
3. defined – engineering processes, presence of basic life-cycle management processes and reuse of code, use of requirements management, software project planning, quality assurance, configuration management practices
4. managed – product and process improvement, quantitatively controlled
5. Optimizing – continuous process improvement
Works with an IDEAL model: Initiate (begin effort), Diagnose (perform assessment), Establish (an action plan), Action (implement improvements), Leverage (reassess and continuously improve)

Project Management Tools
Gantt Chart - a type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan, coordinate, and track specific tasks in a project. WBS is a subpart
PERT - Program Evaluation Review Technique is a project-scheduling tool used to judge the size of a software product in development and calculate the standard deviation (SD) for risk assessment. PERT relates the estimated lowest possible size, the most likely size, and the highest possible size of each component. PERT is used to direct improvements to project management and software coding in order to produce more efficient software.

DevOps (728)
The DevOps approach seeks to resolve issues by bringing the three functions together in a single operational model. The word DevOps is a combination of Development and Operations, symbolizing that these functions must merge and cooperate to meet business requirements.
Integrates:
- Software Development
- Quality Assurance
- IT Operations
NOT SECURITY

Software Development Methods (732)
MODELS
Simplistic model - This model was simplistic in that it assumed that each step could be completed and finalized without any effect from the later stages that may require rework.
Waterfall model - Can be managed if developers are limited to going back only one step. If rework may be done at any stage it's not manageable. Problem: it assumes that a phase or stage ends at a specific time.
System Requirements -> Software Requirements -> Analysis -> Program Design -> Coding -> Testing -> Operations & Maintenance
Waterfall including Validation and Verification (V&V) - Reinterpretation of the waterfall model where verification evaluates the product during development against the specification and validation refers to the work product satisfying the real-world requirements and concepts.
Verification = doing the job right; Validation = doing the right job
Spiral model
Angular = progress made
Radial = cost
Lower left = development plans
Upper left = objectives of the plans, alternatives checked
Upper right = assessing alternatives, risk analysis
Lower right = final development
Left horizontal axis = includes the major review required to complete each full cycle
Cleanroom – write code correctly the first time, quality through design. Cleanroom design – prove the original design
Agile Software Development (733)
Developers increasingly embraced approaches that placed an emphasis on the needs of the customer and on quickly developing new functionality that meets those needs in an iterative fashion.
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
WORKING SOFTWARE PRIMARY MEASURE OF SUCCESS
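The configuration audit step above (compare the actual production environment with the status-accounting records and detect unauthorized changes) reduces to fingerprinting every covered configuration item and diffing. The following is an added example, not from the Sunflower sheet or any configuration management product; the file paths and contents are constructed and held in memory where a real audit would read them from the production host.

```python
"""Configuration audit: check production against the status-accounting baseline.

Added illustration; paths and file contents are constructed.
"""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Fingerprint stored in the accounting record for each configuration item."""
    return hashlib.sha256(data).hexdigest()


# Configuration as recorded under configuration status accounting (authorized state).
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/app/app.conf": b"debug=false\nlisten=127.0.0.1:8080\n",
    "/etc/app/auth.conf": b"mfa=required\n",
}

# What the periodic audit actually finds on the production host.
PRODUCTION_FILES: Dict[str, bytes] = {
    "/etc/app/app.conf": b"debug=true\nlisten=0.0.0.0:8080\n",  # changed, no change record
    "/etc/app/auth.conf": b"mfa=required\n",                     # unchanged
    "/etc/app/extra.conf": b"allow_anonymous=true\n",           # never recorded
}


def build_accounting_record(files: Dict[str, bytes]) -> Dict[str, str]:
    """Status accounting: path -> hash of the authorized content."""
    return {path: sha256_hex(content) for path, content in files.items()}


def configuration_audit(accounting: Dict[str, str],
                        production: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the live configuration with the accounting record.

    modified   - recorded items whose content no longer matches the record
    unrecorded - items present in production that accounting knows nothing about
    missing    - recorded items that have disappeared from production
    Empty lists in all three mean no unauthorized configuration change was found.
    """
    current = build_accounting_record(production)
    return {
        "modified": sorted(p for p in accounting
                           if p in current and current[p] != accounting[p]),
        "unrecorded": sorted(p for p in current if p not in accounting),
        "missing": sorted(p for p in accounting if p not in current),
    }


if __name__ == "__main__":
    record = build_accounting_record(BASELINE_FILES)
    for kind, paths in configuration_audit(record, PRODUCTION_FILES).items():
        print(f"{kind}: {paths}")
```

Every approved change under change control should update the accounting record at release time; anything the audit then reports is by definition a change that bypassed the process, which is exactly the condition the sheet says the audit exists to catch.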
Database Systems (736)
Database - general mechanism for defining, storing and manipulating data without writing specific programs
DBMS - refers to a suite of software programs that maintains and provides controlled access to data components stored in rows and columns of a table
Types
- Hierarchical = tree (child nodes with only one parent), one-to-many relationship
- Network = tree (all interconnected)
- Mesh
- Object-orientated
- Relational – one-to-one relationships, has DDL and DML, has TUPLES and ATTRIBUTES (rows and columns)
- Key-Value Store - key-value database, is a data storage paradigm designed for storing, retrieving, and managing associative arrays, a data structure more commonly known today as a dictionary or hash.
DDL – Data definition language defines structure and schema
DML – Data manipulation language: view, manipulate and use the database via VIEW, ADD, MODIFY, SORT and DELETE commands.
Degree of Db – number of attributes (columns) in a table
Tuple – row or record
DDE – Dynamic data exchange enables applications to work in a client/server model by providing the inter-process communications mechanism (IPC)
DCL – Data control language, subset of SQL used to control access to data in a database, using GRANT and REVOKE statements
Semantic integrity - make sure that the structural and semantic rules are enforced on all data types, logical values that could adversely affect the structure of the database
Referential integrity - all foreign keys reference existing primary keys
Candidate Key – an attribute that is a unique identifier within a given table; one of the candidate keys is chosen to be the primary key and the others are alternate keys. A candidate key is a subset of attributes that can be used to uniquely identify any record in a table. No two records in the same table will ever contain the same values for all attributes composing a candidate key. Each table may have one or more candidate keys, which are chosen from column headings.
Primary Key – provides the sole tuple-level addressing mechanism within the relational model. Cannot contain a null value and cannot change or become null during the life of each entity. When the primary key of one relation is used as an attribute in another relation, it is the foreign key in that relation. Uniquely identifies a record in a database
Foreign Key – represents a reference to an entry in some other table that is a primary key there. The link between the foreign and primary keys represents the relationship between the tuples. Enforces referential integrity
Main Components of a Db
- Schemas; blueprints
- tables
- views

Database Systems (736) (cont.)
Incorrect Summaries – when one transaction is using an aggregate function to summarize data stored in a Db while a second transaction is making modifications to the Db, causing the summary to include incorrect information
Dirty Reads – when one transaction reads a value from a Db that was written by another transaction that did not commit, Db concurrency issue
Lost Updates – when one transaction writes a value to the Db that overwrites a value needed by transactions that have earlier precedence
Dynamic Lifetime Objects - Objects created on the fly by software in an Object Oriented Programming environment. An object is preassembled code that is a self-contained module
ODBC - Open Database Connectivity is a database feature that allows applications to communicate with different types of databases without having to be directly programmed for interaction with each type. ODBC acts as a proxy.
Multilevel security - it's essential that admins and developers strive to keep data with different security requirements separate.
Database contamination - Mixing data with different classification levels and/or need-to-know requirements; a significant security challenge. Often, administrators will deploy a trusted front end to add multilevel security to a legacy or insecure DBMS.
Database partitioning - is the process of splitting a single database into multiple parts, each with a unique and distinct security level or type of content.
Polyinstantiation - occurs when two or more rows in the same relational database table appear to have identical primary key elements but contain different data for use at differing classification levels. It is often used as a defense against inference attacks
Database transactions
Four required characteristics: atomicity, consistency, isolation, and durability. Together, these attributes are known as the ACID model, which is a critical concept in the development of database management systems.
Atomicity - Database transactions must be atomic, that is, they must be an "all-or-nothing" affair. If any part of the transaction fails, the entire transaction must be rolled back as if it never occurred.
Consistency - All transactions must begin operating in an environment that is consistent with all of the database's rules (for example, all records have a unique primary key). When the transaction is complete, the database must again be consistent with the rules, regardless of whether those rules were violated during the processing of the transaction itself. No other transaction should ever be able to use any inconsistent data that might be generated during the execution of another transaction.
Isolation - the principle requires that transactions operate separately from each other. If a database receives two SQL transactions that modify the same data, one transaction must be completed in its entirety before the other transaction is allowed to modify the same data. This prevents one transaction from working with invalid data generated as an intermediate step by another transaction.
Durability - Database transactions must be durable. That is, once they are committed to the database, they must be preserved. Databases ensure durability through the use of backup mechanisms, such as transaction logs.

Knowledge Management (755)
Expert Systems
Expert systems seek to embody the accumulated knowledge of experts on a particular subject and apply it in a consistent fashion to future decisions. Every expert system has two main components: the knowledge base and the inference engine.
- Based on human reasoning
- Knowledge base of the domain in the form of rules
- If-then statements = called forward chaining
- Priority in rules is called salience
- Inference system = decision program
- Expert system = inference engine + knowledge base
- Degree of uncertainty handled by approaches such as Bayesian networks (probability of events), certainty factors (probability an event is true) or fuzzy logic (to develop conclusions)
- Two modes:
  o Forward chaining: acquires info and comes to a conclusion
  o Backward chaining: backtracks to determine IF a hypothesis is correct
Neural Networks
- Use complex computations to replace partial functions of the human mind
- Based on the function of biological neurons
- Work with weighted inputs
- If a threshold is exceeded there will be output
- Single-layer: only one level of summing nodes
- Multi-level: more levels of summing nodes
- Training period needed to determine input vectors - adaptability (learning process)

Programming Language Generations (762)
First-generation languages (1GL) include all machine languages.
Second-generation languages (2GL) include all assembly languages.
Third-generation languages (3GL) include all compiled languages.
Fourth-generation languages (4GL) attempt to approximate natural languages and include SQL, which is used by databases.
Fifth-generation languages (5GL) allow programmers to create code using visual interfaces.

Programs
Compiler - Translates a higher level program into an executable file
Interpreter - reads higher level code, one line at a time, to produce machine instructions
Assembler - converts assembly code into binary machine instructions. Translates assembly language into machine language.
Object Orientated Technology (769)
Objects behave as a black box; they are encapsulated to perform an action. Can be substituted if they have compatible operations. It can store objects like video and pictures
Encapsulation (Data Hiding) – only the data it needs, no accidental access to data
Message - communication to an object to perform an action
Method - code that defines an action an object performs in response to a message
Behavior - results exhibited by an object in response to a msg.
Class - collection of methods that defines the behavior of objects
Instance - objects are instances of classes that contain their methods
Inheritance - allows a subclass to access methods belonging to a superclass
Multiple Inheritance - class inherits characteristics from more than one parent class
Delegation - forwarding a request to another object
Polymorphism: objects of many different classes that are related by some common super class. When different subclasses may have different methods using the same interfaces that respond differently
Poly-instantiation - occurs when two or more rows in the same relational database table appear to have identical primary key elements but contain different data for use at differing classification levels. It is often used as a defense against some types of inference attacks
5 phases of object orientation
OORA, Requirements Analysis - defines classes of objects and their interactions
OOA, Analysis - understanding and modeling a particular problem
Domain Analysis (DA) - seeks to identify classes and objects that are common to all applications in a domain
OOD, Design - Objects are the basic units, and instances of classes
OOP, Programming - employment of objects and methods
If class = airplane, objects like fighter plane, cargo plane, passenger plane can be created. Method would be what a plane would do with a message like: climb, dive, and roll.
ORBs, Object Request Brokers - middleware that acts as locators and distributors of the objects across networks.
Standards
CORBA, Common Object Request Broker Architecture - enables programs written in different languages and using different platforms and OS's to interoperate through IDL (Interface Definition Language)
COM, Common Object Model - supports exchange of objects amongst programs. This used to be called OLE. DCOM is the network variant (distributed)
Conclusion - Object orientation (e.g. with C++ and Smalltalk) supports reuse of objects and reduces development risk, natural in its representation of real world entities.
Cohesion: ability to perform without use of other programs, strength of the relationship between the purposes of methods within the same class
High cohesion - without use of other modules
Low cohesion - must interact with other modules
Coupling - effect on other modules. Level of interaction between objects
High coupling - module largely affects many more modules
Low coupling - it doesn't affect many other modules

Technical Security Protection Mechanisms
Abstraction - one of the fundamental principles behind object-oriented programming. It is the "black-box" doctrine that says that users of an object (or operating system component) don't necessarily need to know the details of how the object works; they need to know just the proper syntax for using the object and the type of data that will be returned as a result
Separation of privilege - builds on the principle of least privilege. It requires the use of granular access permissions; that is, different permissions for each type of privileged operation. This allows designers to assign some processes rights to perform certain supervisory functions without granting them unrestricted access to the system.
Process isolation - requires that the operating system provide separate memory spaces for each process's instructions and data. It also requires that the operating system enforce those boundaries, preventing one process from reading or writing data that belongs to another process.
- It prevents unauthorized data access. Process isolation is one of the fundamental requirements in a multilevel security mode system.
- It protects the integrity of processes.
Layering processes - you implement a structure similar to the ring model used for operating modes and apply it to each operating system process.
Hardware segmentation - is similar to process isolation in purpose. The difference is that hardware segmentation enforces these requirements through the use of physical hardware controls rather than the logical process isolation controls imposed by an operating system.
Covert channels (778)
A way to receive information in an unauthorized manner; an information flow that is not protected by a security mechanism
2 types
Storage covert channel - processes communicate via storage space on the system
Covert timing channel - one process relays to another by modulating its use of system resources. Typing rhythm of Morse Code is an example
Countermeasures: EAL6 systems have fewer than EAL3 systems because covert channels are normally a flaw in design.
Mobile code
Java – sandboxes, no warnings, programs are compiled to bytecode
ActiveX – Authenticode, relies on digital signatures, annoying dialogs people click away

Malicious code threats (787)
Virus - reproduces using a host application. It inserts or attaches itself to the file, spread through infected media
Worm - reproduces on its own without a host application
Logic Bomb/Code Bomb - executes when a certain event happens (like accessing a bank account or an employee being fired) or a date/time occurs
Trojan Horse - program disguised as a useful program/tool
HOAXES – False warnings like: DON'T OPEN X, SEND TO ALL YOUR COLLEAGUES
RAT, Remote Access Trojan - remote control programs that have the malicious code and allow for unauthorized remote access (Back Orifice, SubSeven, NetBus)
Buffer Overflow - Excessive information provided to a memory buffer without appropriate bounds checking, which can result in an elevation of privilege. If executable code is loaded into the overflow, it will be run as if it were the program. Buffer overflows can be detected by disassembling programs and looking at their operations. Buffer overflows must be corrected by the programmer or by directly patching system memory.
Trap Door - An undocumented access path through a system. This typically bypasses the normal security mechanisms and is used to plant any of the malicious code forms.
Backdoor - program installed by an attacker to enable him to come back at a later date without going through the proper authorization channels; sometimes a maintenance hook for developers
Covert Channel - a way to receive information in an unauthorized manner. An information flow that is not protected by a security mechanism.
Covert Storage Channel - Writing to storage by one process and reading by another of lower security level.
Covert Timing Channel - One process relays to another by modulating its use of system resources.
Countermeasures - EAL6 systems have fewer than EAL3 systems because covert channels are normally a flaw in design.
LOKI - is a tool used for a covert channel that writes data directly after the ICMP header
Botnet - compromise thousands of systems with zombie code; can be used in DDOS attacks or by spammers, send spam messages, conduct brute force attacks, scan for vulnerable systems
Directory Traversal Attack – attacker attempts to force the web application to navigate up the file hierarchy and retrieve a file that should not normally be provided to a web user.
Macro Virus – Most common in office productivity documents .doc/.docx
Trojans – pretend to do one thing while performing another
Worms – reproduce and spread, capacity to propagate independent of user action
MDM, Mobile device management - a software solution to manage the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting.
Collisions – two different files produce the same result from a hashing operation
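Polyinstantiation, listed above under object orientation and earlier under database systems, is clearer with an actual table. The following is an added example, not from the Sunflower sheet or any multilevel DBMS: the manifest data, ship identifiers and classification levels are constructed. The apparent key is `ship_id`, but the real primary key includes the classification level, so the same ship can carry a cover story at UNCLASSIFIED and the true record at TOP_SECRET. A subject's view returns, per ship, only the most sensitive row at or below their clearance, and a low-clearance insert is not rejected in a way that would reveal the existence of the higher row.

```python
"""Polyinstantiation with sqlite3: one apparent key, one row per classification level.

Added illustration; table, ships and cargo are constructed.
"""
import sqlite3
from typing import List, Tuple

LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE cargo (
        ship_id     TEXT    NOT NULL,
        level       INTEGER NOT NULL,
        destination TEXT    NOT NULL,
        cargo       TEXT    NOT NULL,
        PRIMARY KEY (ship_id, level)   -- ship_id alone is the *apparent* key
    )""")
    conn.executemany("INSERT INTO cargo VALUES (?, ?, ?, ?)", [
        ("SS-101", 0, "Lisbon", "grain"),         # cover story everyone may see
        ("SS-101", 2, "Port Alpha", "munitions"), # true record, TOP_SECRET only
        ("SS-202", 0, "Rotterdam", "textiles"),
    ])
    conn.commit()
    return conn


def view_for_clearance(conn: sqlite3.Connection, clearance: str) -> List[Tuple[str, str, str]]:
    """One row per ship: the most sensitive version the subject is cleared to see."""
    return conn.execute("""
        SELECT c.ship_id, c.destination, c.cargo
        FROM cargo c
        WHERE c.level = (SELECT MAX(level) FROM cargo
                         WHERE ship_id = c.ship_id AND level <= ?)
        ORDER BY c.ship_id""", (LEVELS[clearance],)).fetchall()


def insert_row(conn: sqlite3.Connection, ship_id: str, clearance: str,
               destination: str, cargo: str) -> bool:
    """Insert at the subject's level. Returns False only if a row already exists at
    that same level; a row at a higher level is neither touched nor revealed."""
    try:
        with conn:
            conn.execute("INSERT INTO cargo VALUES (?, ?, ?, ?)",
                         (ship_id, LEVELS[clearance], destination, cargo))
        return True
    except sqlite3.IntegrityError:
        return False


def demo():
    conn = setup_db()
    low = view_for_clearance(conn, "UNCLASSIFIED")
    high = view_for_clearance(conn, "TOP_SECRET")
    # A SECRET user adds their own version of SS-202 without colliding with either level.
    added = insert_row(conn, "SS-202", "SECRET", "Antwerp", "machine parts")
    duplicate = insert_row(conn, "SS-202", "SECRET", "Antwerp", "machine parts")
    mid = view_for_clearance(conn, "SECRET")
    return low, high, added, duplicate, mid


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The inference attack this defends against is the low-cleared user who tries to insert a record for SS-101 and learns from a "duplicate key" error that a classified row must exist; with the level in the key, their insert succeeds and nothing is leaked.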
Virus (784)
Boot sector – moves or overwrites the boot sector with the virus code.
System infector – infects BIOS command or other system files. It is often a memory resident virus.
Phlashing - a malicious variation of official BIOS or firmware is installed that introduces remote control or other malicious features into a device. UEFI – replacement for BIOS
Compression – appended to executables
Companion virus - A specific type of virus where the infected code is stored not in the host program, but in a separate 'companion' file. For example, the virus might rename the standard NOTEPAD.EXE file to NOTEPAD.EXD and create a new NOTEPAD.EXE containing the virus code. When the user subsequently runs the Notepad application, the virus will run first and then pass control to the original program, so the user doesn't see anything suspicious. Takes advantage of the search order of an OS
Stealth virus – hides modifications to files or boot records and itself
Multipart virus - infects both the boot sector and executable files; becomes resident first in memory and then infects the boot sector and finally the entire system, uses two or more propagation mechanisms
Self-garbling virus – attempts to hide by garbling its code; as it spreads, it changes the way its code is encoded
Polymorphic virus – this is also a self-garbling virus where the virus changes the "garble" pattern each time it spreads. As a result, it is also difficult to detect.
Macro virus – usually written in Word Basic, Visual Basic or VBScript and used with MS Office
Resident virus – Virus that loads when a program loads in memory
Master boot record/boot sector (MBR) virus - attacks the MBR, the portion of bootable media (such as a hard disk, USB drive, or CD/DVD) that the computer uses to load the operating system during the boot process. Because the MBR is extremely small (usually 512 bytes), it can't contain all the code required to implement the virus's propagation and destructive functions. To bypass this space limitation, MBR viruses store the majority of their code on another portion of the storage media. When the system reads the infected MBR, the virus instructs it to read and execute the code stored in this alternate location, thereby loading the entire virus into memory and potentially triggering the delivery of the virus's payload.
Non-resident virus - attached to .exe
ANTI-Virus
Signature based cannot detect new malware
Heuristic/behavioral can detect new malware
Threats
Natural (Fires, explosions, water, storm)
Man-made (bombing, strikes, toxin spills)
User Mode – processor mode used to run the system tools used by admins to make configuration changes to a machine
Kernel Mode – used by the processor to execute instructions from the OS

Protection mechanisms (795)
Protection domain - Execution and memory space assigned to each process
TRUSTED COMPUTER BASE - Combination of protection systems within a computer system, which include the hardware, software and firmware that are trusted to enforce the security policy.
Security Kernel - hardware, software, firmware elements of the TCB that implement the reference monitor concept; must be isolated (reference monitor: isolation, completeness and verifiability; it compares the security labels of subjects and objects)
Multistate systems - capable of implementing a much higher level of security. These systems are certified to handle multiple security levels simultaneously by using specialized mechanisms
Protection rings - (MIT's MULTICS design)
Ring 0 - Operating system kernel. The OS' core. The kernel manages the HW (for example, processor cycles and memory) and supplies fundamental services that the HW does not provide.
Ring 1 - Remaining parts of the operating system
Ring 2 - I/O drivers and utilities
Ring 3 - Applications and programs
Layers 1 and 2 contain device drivers but are not normally implemented in practice. Layer 3 contains user applications. Layer 4 does not exist.
Terms
CSRF (XSRF) – Cross site request forgery; attacks exploit the trust that sites have in a user's browser by attempting to force the submission of authenticated requests to third-party sites.
Cross-site Scripting – uses reflected input to trick a user's browser into executing untrusted code from a trusted site
Session Hijacking – attempt to steal previously authenticated sessions but does not force the browser to submit requests.
SQL Injection – directly attacks a database through a web app, CARROT'1=1;-- quotation mark to escape out of the input field
Blue Screen of Death – when a Windows system experiences a dangerous failure and enters a full secure state (reboot)
Hotfix, update, Security fix – single patch; patches provide updates to operating systems and applications.
Service Pack – collection of unrelated patches released in a large collection
Patch management system - prevents outages from known attacks by ensuring systems are patched. Patches aren't available for new attacks. However, the patch management system doesn't provide the updates. Ensuring systems are patched reduces vulnerabilities but it does not eliminate them

Nice to Know
Code Review - peer-driven process that includes multiple developers, may be automated, may review several hundred lines of code an hour, done after code is developed
Strong Passwords – social engineering is the best attack method to beat them
Threat Modeling – reduce the number of security-related design and coding flaws, reduce the severity of non-security-related flaws, reduce the number of threat vectors
Aggregate – summarize large amounts of data and provide only summary information as a result
Port Scan – attacking system sends connection attempts to the target system against a series of commonly used ports
Account [name of class]
Balance: currency = 0 [attribute of class]
Owner: string [attribute of class]
AddFunds(deposit: currency) [method of class]
RemoveFunds(withdrawal: currency) [method of class]
JavaScript – is an interpreted language that does not make use of a compiler to transform code into an executable state. Java, C, and C++ are all compiled languages.
Directory Traversal Attack - %252E%252Fetc/passwd, %252E = . & %252F = /
Open system - is one with published APIs that allow third parties to develop products to interact with it.
Closed system - is one that is proprietary with no third-party product support; does not define whether its code can be viewed
Open source - is a coding stance that allows others to view the source code of a program, distributed free or for a fee
Closed source - is an opposing coding stance that keeps source code confidential; can be reverse engineered or decompiled
API Keys - like passwords and should be treated as very sensitive information. They should always be stored in secure locations and transmitted only over encrypted communications channels. If someone gains access to your API key, they can interact with a web service as if they were you! Limit access to the API
Nessus - is a popular vulnerability scanner managed by Tenable Network Security, and it combines multiple techniques to detect a wide range of vulnerabilities. It uses port scans to detect open ports and identify the services and protocols that are likely running on these systems. Once Nessus discovers basic details about systems, it can then follow up with queries to test the systems for known vulnerabilities, such as whether the system is up-to-date with current patches. An attacker can use it to best identify vulnerabilities in a targeted system
CASE - tool for development, if concerned about security
OWASP – Open Web Application Security Project, most authoritative source on web application security issues
Shadow Password File - /etc/shadow. This file contains the true encrypted PWs of each user, but it is not accessible to anyone but the administrator. The publicly accessible /etc/passwd file then simply contains a list of usernames (with an "x" in the password field) without the data necessary to mount a dictionary attack.
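The SQL Injection entry above and the bind variables entries at the start of this section describe the same boundary from two sides: a quote in user input escapes the literal when the query text is built by string concatenation, and a bind variable removes that possibility because the value is sent separately from the statement. The following is an added example, not from the Sunflower sheet; it uses Python's sqlite3 module with a constructed product table, and runs the tautology that the sheet's CARROT'1=1;-- example stands for against both the concatenated query and the parameterized one.

```python
"""SQL injection versus bind variables, side by side on sqlite3.

Added illustration; table and rows are constructed.
"""
import sqlite3
from typing import List, Tuple

# The sheet's CARROT'1=1 idea: a quote closes the literal, then a tautology follows.
TAUTOLOGY_INPUT = "carrot' OR '1'='1"


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("carrot", 0.5), ("potato", 0.3), ("leek", 0.9)])
    conn.commit()
    return conn


def search_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, float]]:
    """VULNERABLE: the input becomes part of the SQL text, so it can change the query."""
    sql = f"SELECT name, price FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, float]]:
    """Bind variable: the statement is fixed; the value is matched literally, quotes and all."""
    return conn.execute("SELECT name, price FROM products WHERE name = ?", (name,)).fetchall()


def demo():
    conn = setup_db()
    return {
        "unsafe_normal": search_unsafe(conn, "carrot"),
        "safe_normal": search_safe(conn, "carrot"),
        # The tautology widens the WHERE clause to every row in the concatenated version ...
        "unsafe_injected": search_unsafe(conn, TAUTOLOGY_INPUT),
        # ... while the bound version looks for a product literally named "carrot' OR '1'='1".
        "safe_injected": search_safe(conn, TAUTOLOGY_INPUT),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Bind variables are also why the sheet lists them under database performance: the statement text is identical for every call, so the server can parse and plan it once and only substitute values, which is the same property that keeps the values from being interpreted as SQL.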
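The Directory Traversal entry above gives the double-encoded form (%252E decodes to %2E, which decodes to a dot), which is exactly the case a single-pass filter misses. The following is an added example, not from the Sunflower sheet or any web framework: it shows a naive one-decode check accepting a doubly encoded path, and a defensive resolver that decodes until the string is stable, normalizes the path and confirms it is still under the document root. The root directory and request paths are constructed.

```python
"""Defending against directory traversal, including %252E double encoding.

Added illustration; the document root and request paths are constructed.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until the string stops changing.

    One round turns %252E into %2E; the second turns %2E into '.'.
    A bounded loop keeps a pathological input from spinning forever.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of percent-encoding")


def naive_single_decode_check(user_path: str) -> bool:
    """The filter that fails: decodes once, then looks for '..'. Returns True if allowed."""
    return ".." not in unquote(user_path)


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Return the normalized absolute path if it stays under root, else None.

    Order matters: decode completely, join, normalize (collapses '..'), then
    compare against the root with a trailing separator so that a sibling such
    as /var/www/files2 cannot pass as /var/www/files.
    """
    decoded = fully_decode(user_path)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


if __name__ == "__main__":
    root = "/var/www/files"
    for req in ["reports/q1.pdf", "%2e%2e/%2e%2e/etc/passwd",
                "%252E%252E%252F%252E%252E%252Fetc/passwd"]:
        print(f"{req!r}: naive allows={naive_single_decode_check(req)}, "
              f"resolved={resolve_under_root(root, req)}")
```

The lesson the sheet's example carries is that filtering the encoded request string is the wrong layer: the check has to run on the path the file system will actually see, after every decoding step the application (or a front-end proxy) would perform.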