Isc2 Acceleratedcissp 2018 3 1 12 Security Architecture and Engineering

Filename: isc2-acceleratedcissp-2018-3-1-12-security-architecture-and-engineering
Show Name: Accelerated CISSP (2018)

Topic Name: Security Architecture and Engineering
Episode Name: Security Architecture and Engineering Pt.12
Description: Adam and Ronnie help you to understand how to apply cryptography.
Security Architecture and Engineering
Domain: Security Architecture and Engineering
Topic 1: Implement and manage engineering processes using secure design principles
Systems engineering models and processes usually organize themselves around the
concept of a life cycle.
Security should be a focus at EVERY STAGE of a system's development.
ISO/IEC 15288:2015 is a systems engineering standard covering processes and life

cycle stages. It defines a set of processes divided into four categories:
1. Agreement
2. Organization Project-Enabling
3. Technical Management
4. Technical
The V-model - all system development lifecycles share the fundamental elements
in the V-model. The left side of the V represents concept development and the
decomposition of requirements into functions and physical entities that can be
architected, designed, and developed. The right side of the V represents
integration of these entities and their ultimate transition into the field, where
they are operated and maintained.
Defense in Depth - the use of overlapping layers of controls / countermeasures

to create a series of defensive layers of physical / technical / administrative
types to secure assets
Common Criteria (ISO 15408) - provides a structured methodology for documenting

security requirements, documenting and validating security capabilities, and
promoting international cooperation in the area of IT security. Use of the Common
Criteria “protection profiles” and “security targets” greatly aids in the
development of products and systems that have IT security functions.
https://www.commoncriteriaportal.org/index.cfm
ISO/IEC 21827:2008, The Systems Security Engineering – Capability Maturity

Model (SSE-CMM) - describes the essential characteristics of an organization’s
security engineering process that must exist to ensure good security engineering.
It does not prescribe a particular process or sequence, but captures practices
generally observed in industry. The model is a standard metric for security
engineering practices covering the following:
a. The entire life cycle, including development, operation, maintenance, and
decommissioning activities
b. The whole organization, including management, organizational, and
engineering activities
c. Concurrent interactions with other disciplines, such as system, software,
hardware, human factors, test engineering, system management, operation, and

maintenance
d. Interactions with other organizations, including acquisition, system
management, certification, accreditation, and evaluation
General Concepts to be aware of:

a. Subjects (users) & Objects (data)
b. Closed (vendor specific) & Open Systems (industry standard)
c. Confinement (sandboxing) - ability to control read / write activity as
software executes in a system and accesses memory
d. Bounds - limits set on the memory addresses and resources a process can
access in a system
e. Isolation - the ability to use bounds and confinement to control the impact
process behavior has on a system
f. Controls (in the context of access) - use of access rules to limit
subject / object interaction
g. Trusted System - one where all protection mechanisms work together to
process sensitive data for many types of users while maintaining a stable,
secure environment
h. Assurance - the degree of confidence or certainty in a system's ability to
satisfy the defined security requirements
================================================================================
Understand the fundamental concepts of security models (topic 2)
AND
Understand security capabilities of information systems (e.g., memory

protection, Trusted Platform Module (TPM), encryption/decryption) (topic 4)
================================================================================
Security Model - provides a way for the designer(s) of a system to correlate

abstract statements into a security policy that will define an explicit set of
rules allowing a computer to implement the fundamental concepts of the policy.
Security Token - an object, separate from the asset, that is used to describe
the security attributes of the asset
Capabilities List - maintains a row of security attributes for each controlled

object (asset) managed through the model
Security Label - a permanent part of the object it references
Abstraction - one of the fundamental principles of Object Oriented

Programming (OOP). Users do not need to know how something works, they just need
to know the proper syntax to make it work and have a proper expectation as to
what kind of output will be produced.
Data Hiding - important concept in multilevel security systems, ensuring that

data existing at one security level is not visible to a process running at a
different security level
Trusted Recovery - ensures that all security controls remain in place in the
event of a crash
Maintenance Hook (backdoor) - entry point into a system known only to the
developer of the system.
Incremental attacks - occur in slow, gradual fashion. Types:
a. Data Diddling - attacker makes small, random changes to data to hide their
activity
b. Salami attack - small transactions deducting tiny financial amounts from
lots of accounts
Trusted Computing Base (TCB) - the totality of the hardware, software and
firmware that contains all elements of the system responsible for supporting the
security policy and the isolation of objects. When activated it provides a
Trusted Path for communication and a Trusted Shell for activity.
Reference Monitor - considered to be an abstract machine that mediates, or

controls, all access that subjects (users) have to objects (data or resources).
The reference monitor acts in order to ensure that any subject attempting to access
any object has the appropriate rights to do so in order to protect the object
from unauthorized access attempts by bad actors.
Security Kernel - made up of all of the components of the TCB and is responsible
for implementing and enforcing the reference monitor. A security kernel is
responsible for enforcing a security policy. The kernel should be at the lowest
and most primitive level or layer in the architecture. It is a small portion of
the operating system through which all references to information and all changes
to authorizations must pass.
To be secure, the kernel must meet three basic conditions:
a. Completeness (complete mediation): All accesses to information must go
through the kernel
b. Isolation: The kernel itself must be protected from any type of
unauthorized access
c. Verifiability: The kernel must be proven to meet design
specifications
Common System Components: (Processor | Memory | Storage)
a. Processor - Perform four key tasks:
1. fetching
2. decoding
3. executing
4. storing
Processor Privilege States - protect the processor and the activities that it
performs. Many operating systems use two processor access modes:
1. User (or process, problem, or program) mode - processor limits the access
to system data and hardware granted to the running process
2. Kernel (or supervisor) mode - processor is operating at the highest
privilege level on the system, and this allows the process running in
supervisor state to access any system resource (data and hardware) and execute
both privileged and non-privileged instructions
Layering - One of the ways that privileged parts of the system are protected is
through the use of discrete layers that control interactions between more
privileged and less privileged processes on the system. One of the most common
ways this is done uses ring protection. It is frequently represented as a series
of concentric rings where the innermost ring is assigned the lowest number and
the outermost ring is assigned the highest number. The most privileged
ring (Ring 0) is associated with core system functions, such as the most sensitive
parts of the O/S kernel, while the lowest privileged ring (Ring 3) is associated
to end-user applications.
b. Memory & Storage - data waiting to be processed sits in a staging area

called primary storage. The location where data is stored is denoted by its
physical memory address. The main purpose of memory protection is to prevent a
process from accessing memory that has not been allocated to it. The three most
common methods used to achieve memory protection are:
1. Segmentation - dividing a computer’s memory into segments. A reference to a
memory location includes a value that identifies a segment and an offset within
that segment.
2. Paging - divides the memory address space into equal-sized blocks called
pages. A page table maps virtual memory to physical memory. Unallocated pages
and pages allocated to any other application do not have any addresses from
the application point of view.
3. Protection keying - divides physical memory up into blocks of a particular
size, each of which has an associated numerical value called a protection key.
Each process also has a protection key value associated with it. When memory
is accessed, the hardware checks that the current process’s protection key
matches the value associated with the memory block being accessed; if not, then
an exception occurs.
Process isolation & memory protection
Interrupts - allows the operating system to ensure that a process is given

enough time to access the CPU when necessary to carry out its required functions,
but it also ensures that the process does not lock up resources that are
necessary for other processes to execute.
methods / approaches:
1. Encapsulation of a process - no other process is able to understand or
interact with the internal programming code of the process
2. Time multiplexing - provide well-defined and structured access to processes
that need to use resources according to a controlled and tightly managed schedule
3. Naming distinctions - each process is assigned a unique identity within
the context of the operating system
4. Virtual address memory mapping - allows each process to have access to its
own memory space as it executes. Enforced through the operating system’s use of
the memory manager. The memory manager provides for the following:
a. Provide an abstraction level for programmers
b. Maximize performance with the limited amount of memory available to the
system (Physical RAM)
c. Protect the operating system and applications once they are loaded into
memory
The Memory Manager has the following 5 responsibilities:
1. Relocation: Move, or swap, content between RAM and the hard drive as needed
and provide pointers to applications if their information has been moved to a

different location in memory
2. Protection: Provide access control for memory segments and limit processes
to interacting only with the memory segments assigned to them
3. Sharing: Allow for multiple users with different access levels to interact
with an application or process while running and enforce integrity and
confidentiality controls between processes while using shared memory segments
4. Logical organization: Segmentation of all memory types, providing an
addressing scheme at an abstraction level and allowing for the sharing of

software modules such as DLL procedures
5. Physical organization: Segmentation of the physical memory space for allocation
Memory Manager Registers - allow the operating system to make sure that a
process is only able to interact with the defined memory segments assigned to it
by the memory manager. Two types of registers used by the CPU to identify memory
addresses:
1. A base register is used to identify the beginning address assigned to the
process
2. A limit register is used to identify the ending address assigned to the
process
Memory protection methods (4):
1. All system-wide data structures and memory pools used by kernel mode
system components can be accessed only while in kernel mode. (user mode
requests cannot access these pages) Any attempt to do so will generate a fault,
and then the memory manager will create an access violation
2. Each process has a separate, private address space protected from being
accessed by any request belonging to another process (for the most part). Each
time a request references an address, the virtual memory hardware, in conjunction
with the memory manager, intervenes and translates the virtual address into a
physical one. This control mechanism is referred to as Address Space Layout
Randomization (ASLR).
3. Hardware or software controlled memory protection, such as read or write
access. While this protection mechanism is implemented differently depending

on manufacturer, it is commonly referred to as Data Execution Prevention (DEP).
4. Access control lists to protect shared memory objects, forcing them to
undergo a security check when processes attempt to open them.
Secondary Storage - holds data not currently being used by the CPU and is used
when data must be stored for an extended period of time using high-capacity,
nonvolatile storage.
Virtual Memory - storing part of the data on secondary storage, such as a disk,
which is a virtual page. If the data requested by the system is not currently in
main memory, a page fault is taken. If the virtual address is a valid one, the
OS will locate the physical page, put the right information in that page, update
the translation table, and then try the request again. Some other page might be
swapped out to make room. Each process may have its own separate virtual address
space along with its own mappings and protections.
Firmware - storage of programs or instructions in ROM. Typically, this software

is embedded into hardware and is used to control that hardware. Because ROM is
nonvolatile, these programs and instructions will not change if power is shut off,
but instead become a permanent part of the system. Usually, firmware is upgradeable
and is stored in electrically erasable programmable read-only memory (EEPROM.)
Trusted Platform Module (TPM) - a specialized cryptoprocessor that provides for

the secure generation, use, and storage of cryptographic keys. Since each TPM is
unique, it may also be used to provide hardware authentication using its keys.
Hardware Security Module (HSM) - an external TPM

Types of Security Models - security models focus on defining allowed interactions
between subjects (users) and objects (assets/data) at a particular moment in time.
State Machine Model - based on the computer science definition of a Finite State
Machine (FSM), which describes the behavior of a system as it moves between one
state and another. Purpose is to define which actions will be permitted at any
point in time to ensure that a secure state (a point in time when things are
secure) is preserved. The role of time in a state machine model is very important.
According to its rule set, which is determined by a security policy, a model
system’s secure state can only change at distinct points in time, such as when
an event occurs or a clock triggers it. Thus, upon its initial startup, the
system checks to determine if it is in a secure state. Once the system is
determined to be in a secure state, the state machine model will ensure that
every time the system is accessed, it will be accessed only in accordance with
the security policy rules. This process will guarantee that the system will
transition only from one secure state to another secure state.
Information Flow Models - focus on how information is allowed or not allowed

between individual objects. Information flow models are used to determine if
information is being properly protected throughout a given process. They may be
used to identify potential covert channels.
Matrix-based Models - An access control matrix is a two-dimensional table that

indicates the actions that subjects can perform on objects. Columns are Access
Control Lists (ACLs) tied to objects. Rows are Capability Lists tied to subjects.
Subjects File Scanner
Mike Read No Access
Wes Read, Write Scan
Take-Grant Model - uses a set of rules to enforce how rights can be passed from
one subject to another or from a subject to an object.
Take rule --> allows a subject to take rights
Grant rule --> allows a subject to grant rights
Create rule --> allows a subject to create new rights
Remove rule --> allows a subject to remove rights
Multilevel Lattice Models - describes strict layers of subjects and objects and
defines clear rules that allow or disallow interactions between them based on
the layers they are in. Subjects are assigned security clearances that define
what layer they are assigned to and objects are classified into similar layers.
Related security labels are attached to all subjects and objects. According to
this type of model, the clearance of the subject is compared with the
classification of the data to determine access. They will also look at what the
subject is trying to do to determine whether access should be allowed.
Noninterference Models - a type of multilevel model with a high degree of

strictness. These models not only address obvious and intentional interactions
between subjects and objects, but they also deal with the effects of covert
channels that may leak information inappropriately. The goal of a noninterference
model is to help ensure that high-level actions (inputs) do not determine what
low-level users can see (outputs).
Specific Models:
1. Bell-LaPadula - CONFIDENTAILITY OF DATA !!! (only). Also, the first
mathematical model of a multilevel security policy. Built on a state machine

concept & the information flow model as well as employing Mandatory Access
Controls & a lattice. The lattice tiers form the classification levels. Three
properties of the state machine:
a. Simple Security Property - subject may not read information at a higher

sensitivity level ... NO READ UP
b. * (star) Security Property (confinement property) - subject may not write
information to an object at a lower sensitivity level ... NO WRITE DOWN
c. Discretionary Security Property - system uses an access matrix to enforce
discretionary access control
There is an exception in Bell-LaPadula that a "trusted subject" will be

constrained by the * Security Property. A trusted subject is one that WILL NOT
cause or allow a security breaching transfer, even if it is possible. This allows
the trusted subject to violate the * property, performing a write down operation,
which they must do in order to declassify or reclassify an object.
2. Biba - INTEGRITY !!! (only). Like Bell LaPadula, requires that all
subjects & objects have a classification label. Designed to address three
integrity issues:
Prevent modifications of objects by unauthorized subjects
Prevent unauthorized modifications of objects by authorized subjects
Protect internal and external object consistency
Properties:
a. Simple Integrity Property - subject cannot read an object at a lower
integrity level ... NO READ DOWN
b. * (star) Integrity Property - subject cannot modify an object at a higher
integrity level ... NO WRITE UP
Limitations of the model:
Focuses on protecting objects from external threats
Does not address access control
Does not provide a way to classification level of a subject or object
Does not prevent covert channels
3. Clark-Wilson - INTEGRITY !!! (only). Takes a different approach than Biba,
ditching the formal state machine in favor of defining each data item and
allowing modification ONLY through a small set of programs. Uses a three part
relationship (subject | program | object) called a triple or an access control
triple. NO DIRECT ACCESS BY SUBJECTS TO OBJECTS !!! (access only allowed
through authorized programs). Principles:
a. well-formed transactions
b. separation of duties
Items & Procedures:
a. constrained data item (CDI) - any data item protected by the model
b. unconstrained data item (UDI) - any data item not protected by the model
c. integrity verification procedure (IVP) - scanning items to ensure integrity
d. transformation procedures (TPs) - ONLY procedures allowed to modify a CDI

Improves on Biba by focusing on integrity at the transaction level and addressing
three major goals of integrity in a commercial environment:
1. Preventing unauthorized users from making modifications to data or programs.
2. Preventing authorized users from making improper or unauthorized modifications.
3. Maintaining internal and external consistency of data and programs.
4. Brewer-Nash (Chinese Wall) - focuses on conflict of interest
5. Goguen-Meseguer - INTEGRITY !!! (just not as well known as Biba). Credited
with defining the concepts of noninterference. Based on predetermining a list

of objects that a subject can access.
6. Sutherland - INTEGRITY !!! focuses on preventing interference to support
integrity. Based on state machine and information flow. Only allows for the
use of a set of predetermined secure states to maintain integrity and prevent
interference. Is often used to prevent covert channels from influencing outcomes.
7. Graham-Denning - secure creation & deletion of subjects & objects specified
via a collection of rules & detailed in an Access Control Matrix. 8 primary

rules:
a. securely create an object

b. securely create a subject
c. securely delete an object
d. securely delete a subject
e. securely provide the read access right
f. securely provide the grant access right
g. securely provide the delete access right
h. securely provide the transfer access right
8. Harrison-Ruzzo-Ullman - very similar to Graham-Denning. Composed of a set
of generic rights and a finite set of commands. It is also concerned with

situations in which a subject should be restricted from gaining particular
privileges.
================================================================================
Topic 3: Select controls based upon systems security requirements
Capturing and Analyzing Requirements - Principles are defined as fundamental

statements of belief, mandatory elements that will restrict the overall design
and establish the key priorities for protection.
Types of Requirements - two types:
a. Functional requirements - address what the design must do or accomplish.
This includes what types of controls need to be included, what assets must be
protected, what common threats must be addressed, and what vulnerabilities
have been found.
b. Nonfunctional requirements - focus on the qualities of the services,
including any requirements for reliability and performance.
Capturing Requirements - Vulnerability assessments, risk assessments, and threat

modeling may be used to capture detailed requirements.
Information Systems Security Evaluation Models:

a. security policy documents the security requirements of an organization; can
be thought of as the “what” (what are the requirements for security).
b. a security model is a specification that describes the rules to be
implemented to support and enforce the security policy; can be thought of as

the “how” (how are those requirements translated into implementable and
auditable technical specifications).
c. a formal security model describes and verifies the ability to enforce
security policy in mathematical or measurable terms.
Evaluation Criteria - The aim of system assurance is to verify that a system

enforces a desired set of security goals. To accomplish this, they need a common
way to describe security requirements, evaluate products against them in a
consistent and repeatable manner, and report on the results.
Certification and Accreditation - objective is to determine how well a system

measures up to a preferred level of security in the real world, and then make a
decision whether to proceed with its use in the enterprise.
a. Certification - product or system is tested to see whether it meets the
documented requirements (including any security requirements). It considers

the system in context, including the other systems around it, the network it
is running on, and its intended use.
b. Accreditation - management evaluates the capacity of a system to meet the
needs of the organization. If management determines that the needs of the

system satisfy the needs of the organization, they will formally accept the
evaluated system, usually for a defined period of time or set of conditions.
If the configuration is changed or the accreditation expires, the new
configuration must be certified. Recertification must normally be performed
either when the time period elapses or when significant configuration changes
are made.
C&A process is governed by two sets of standards in the U.S. Government and
military:
1. NIST Risk Management Framework (RMF) | RMF is the most current, it replaced
the DoD Information Assurance Certification & Accreditation Process (DIACAP),

which had replaced the Defense Information Technology Security
Certification & Accreditation Process (DITSCAP)
2. Committee on National Security Systems (CNSS) Policy | replaces the
National Information Assurance Certification & Accreditation Process (NIACAP)
Both use a four phase flow:
Phase 1 - Definition
Phase 2 - Verification
Phase 3 - Validation
Phase 4 - Post Accreditation
Product Evaluation Models - Three main models:
a. Trusted Computer System Evaluation Criteria (TCSEC) - frequently referred
to as the Orange Book, was a United States Government Department of Defense

standard that set basic standards for the implementation of security
protections in computing systems. Strongly focused on enforcing confidentiality
with no focus on other aspects of security such as integrity or availability.
Although it has since been superseded by the common criteria, it influenced
the development of other product evaluation criteria, and some of its basic
approach and terminology continues to be used. Introduced the idea of the
Trusted Computing Base (TCB) into product evaluation.
TCSEC combines functionality & assurance rating of the confidentiality protection

of a system into four categories. These are then subdivided into numbered
subcategories:
Level Label Requirements
D Minimal Protection
C1 Discretionary Protection
C2 Controlled Access Protection
B1 Labeled Security
B2 Structured Protection
B3 Security Domains
A1 Verified Protection
Evaluation of a target system is used to assign the appropriate category ranking.

"A" is the highest level.
Rainbow Series is where Orange Book comes from. Approx. 30 titles with different
color designations make up the series. Red Book
(Trusted Network Interpretation | TNI), discussed how to implement the Orange
Book concept into a trusted network.
b. Information Technology Security Evaluation Criteria (ITSEC) - consumer or
vendor has the ability to define a set of requirements from a menu of possible
requirements into a Security Target (ST) and vendors develop products (the
Target of Evaluation or ToE) and have them evaluated against that target.
Provides two sets of levels: functional levels and assurance levels. Unlike
TCSEC, it also addressed a wider range of security needs, including integrity
and availability requirements. Where ITSEC was significantly different from
TCSEC is in the assignment of assurance levels (or E levels). Assurance can be
defined as the level of confidence that the evaluator has that the product not
only meets the functional requirements, but that it will continue to meet those
requirements. ITSEC defined six different levels of assurance, each more
difficult to achieve than the last.
The functionality of a system is rated from F-D through F-B3. (There is no F-A1)
The assurance of a system is rated from E0 to E6.
c. Common Criteria (ISO 15408) - focused on standardizing the general approach
to product evaluation and providing mutual recognition of such evaluations

globally. Introduced protection profiles (PP), which are a common set of
functional and assurance requirements for a category of vendor products
deployed in a particular type of environment. The vendor product (referred to
as a ToE) is then examined against this specific profile by a third-party
evaluation lab using a common evaluation methodology (CEM).
Structure of the CC - Three areas:
1. Part 1 - Introduction & General Model
2. Part 2 - Security Functional Requirements
3. Part 3 - Security Assurance
CC Evaluation Assurance Levels (EALs) - EAL1 - EAL7:

Level Assurance Level
EAL1 Functionally tested
EAL2 Structurally tested
EAL3 Methodically tested & checked
EAL4 Methodically designed, tested, & reviewed
EAL5 Semi-formally designed & tested
EAL6 Semi-formally verified, designed, & tested
EAL7 Formally verified, designed, & tested
Comparing Evaluation Standards:
TCSEC ITSEC CC Protection
D F-D + E0 EAL0/EAL1 Minimal protection
C1 F-C1 + E1 EAL2 Discretionary Security
C2 F-C2 + E2 EAL3 Controlled Access
B1 F-B1 + E3 EAL4 Labeled Security
B2 F-B2 + E4 EAL5 Structured Security
B3 F-B3 + E5 EAL6 Security Domains
A1 F-B3 + E6 EAL7 Verified Design
================================================================================
Topic 5: Assess and mitigate the vulnerabilities of security architectures,

designs, and solution elements
1. Client-based systems
2. Server-based systems
3. Database systems
4. Cryptographic systems - will be dealt with in Apply Cryptography
5. Industrial Control Systems (ICS)

6. Cloud-based systems
7. Distributed systems
8. Internet of Things (IoT)
Computer architecture - the design and construction of computing systems at a

logical level
IN ORDER TO KNOW THE SYSTEM, YOU MUST KNOW THE SYSTEM COMPONENTS !!!
Hardware - the physical stuff that makes up the system
Processor (CPU) - the Central Processing Unit that governs all operations
Execution Types:
a. Multitasking - handling two or more tasks simultaneously
b. Multicore - CPU containing two or more cores operating simultaneously, but
independently
c. Multiprocessing - a multiprocessor computer executing tasks on behalf of a
multithreaded application. Two types:

1. Symmetric multiprocessing (SMP) - processors share a common O/S, a data
bus, & memory. Limited to a single computer system that shares these components.
2. Massively Parallel Processing (MPP) - Very large collections of CPUs, each

having its own O/S, a data bus, & memory.
d. Multiprogramming - very similar to multitasking. Key difference is size of
system.
e. Multithreading - allows multiple concurrent tasks to be performed within a
single process
Processing Types:
a. Single State Systems - use policy mechanisms to manage information at
different levels, but only handling one security level at a time
b. Multistate Systems - handle multiple security levels simultaneously,
providing higher levels of security
Protection Mechanisms - the ways in which computers implement & handle security
at runtime
a. Protection Rings - Ring Levels 3 - 0
b. Process States (operating states) - forms of execution in which a process
may run
1. Ready
2. Waiting
3. Running (problem)
4. Supervisory
5. Stopped
Security Modes - used by the U.S. Government to designate four approved modes for
systems that process classified information. The following three elements must
exist BEFORE a security mode can be deployed:
a. hierarchical mandatory access control (MAC) environment
b. total physical control over which subjects can access the computer console
c. total physical control over which subjects can enter into the same room as
the computer console
Four Security Modes:
1. Dedicated
2. System High
3. Compartmented
4. Multilevel (controlled)
Operating Modes for the CPU - two:
1. User (or process, problem, or program) mode - processor limits the access
to system data and hardware granted to the running process
2. Kernel (or supervisor) mode - processor is operating at the highest
privilege level on the system, and this allows the process running in
supervisor state to access any system resource (data and hardware) and execute
both privileged and non-privileged instructions
Memory - Storage for information that the system needs to be able to access
1. Read-Only Memory (ROM) - no writing allowed
a. Programmable Read-Only Memory (PROM) - ROM with the ability to be

"programmed", or written to ONCE to allow for customer specified data to be
placed. Once written to, they behave like standard ROM.
b. Erasable Programmable Read-Only Memory (EPROM) - Reusable/rewritable ROM

that uses Ultraviolet light to erase
c. Electronically Erasable Programmable Read-Only Memory (EEPROM) -

Reusable/rewritable ROM that uses electricity to erase
d. Flash Memory - similar to EEPROM. Difference is that EEPROM must be FULLY

erased to be rewritten, while Flash can be erased and rewritten in blocks or
pages
2. Random Access Memory (RAM) - Read & write allowed
3. Registers - onboard memory available to the CPU
Memory Addressing - how the CPU refers to locations in memory. Five common
addressing schemes:
a. Register Addressing - address of the registers in the CPU
b. Immediate Addressing - a way of referring to data supplied to the CPU as
part of an instruction
c. Direct Addressing - the actual location of the memory to access
d. Indirect Addressing - memory address provided contains another memory
address instead of the actual location of the memory to be addressed
e. Base + Offset Addressing - uses a value stored in one of the CPU registers
as the base value, then adds the offset value provided to it and retrieves the
information from the computed location
Secondary Memory - magnetic, optical or flash based media. Virtual Memory is

considered a special type of Secondary Memory.
Firmware (microcode) - software stored in ROM
Basic Input/Output System (BIOS) & Unified Extensible Firmware Interface (UEFI):
BIOS - O/S independent instructions necessary to start the computer
UEFI - more advanced interface between hardware & software that replaces the BIOS
Client-Based System Vulnerabilities:
1. Applets / Java Applets
2. Local Caches (ARP | DNS)
3. ActiveX Controls
Server-Based System Vulnerabilities:
1. data flow control (load balancers | DDoS)
Database System Vulnerabilities:
a. Aggregation - The ability to combine non-sensitive data from separate
sources to create sensitive information.

b. Bypass Attacks - Users attempt to bypass controls at the front end of the
database application to access information.
c. Concurrency (TOC/TOU) - When actions or processes run at the same time, they
are said to be concurrent. Problems with concurrency include running processes

that use old data, updates that are inconsistent, or having a deadlock occur.
d. Data Contamination - The corruption of data integrity by input data errors
or erroneous processing. This can occur in a file, report, or database.
e. Deadlocking - Occurs when two users try to access the information at the
same time and both are denied.
g. Inference - The ability to deduce (infer) sensitive or restricted
information from observing available information.
Distributed System Vulnerabilities - ALL of the vulnerabilities that we discuss

and envision for client/server based models.
Grid Computing - the sharing of CPU and other resources across a network in
such a manner that all machines function as one large computer. Grid computers
are often used for processor intensive tasks that are suitable to be processed
by parallel tasks.
Cloud-Based System Vulnerabilities - cloud computing has been formally defined by

U.S. NIST as: “… a model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction. This
cloud model is composed of five essential characteristics, three service models,
and four deployment models.”
Five Essential Characteristics of Cloud Computing - NIST defines them as:
1. On-Demand Self-Service - A consumer can unilaterally provision computing
capabilities, such as server time and network storage, as needed automatically

without requiring human interaction with each service provider.
2. Broad Network Access - Capabilities are available over the network and
accessed through standard mechanisms that promote use by heterogeneous thin or

thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
3. Resource Pooling - The provider’s computing resources are pooled to serve
multiple consumers using a multi-tenant model, with different physical and

virtual resources dynamically assigned and reassigned according to consumer
demand. Examples of resources include storage, processing, memory, and network
bandwidth.
4. Rapid Elasticity - Capabilities can be elastically provisioned and released,
in some cases automatically, to scale rapidly outward and inward commensurate

with demand.
5. Measured Service - Cloud systems automatically control and optimize resource
use by leveraging a metering capability at some level of abstraction appropriate

to the type of service (e.g., storage, processing, bandwidth, and active user
accounts).
Cloud Service Models - three service models:
1. Software as a Service (SaaS) - The capability provided to the consumer is

to use the provider’s applications running on a cloud infrastructure. The
applications are accessible from various client devices through either a thin
client interface, such as a web browser (e.g., web-based e-mail), or a program
interface. The consumer does not manage or control the underlying cloud
infrastructure, including network, servers, operating systems, storage, or even
individual application capabilities, with the possible exception of limited
user-specific application configuration settings.
2. Platform as a Service (PaaS) - The capability provided to the consumer is
to deploy onto the cloud infrastructure consumer-created or acquired applications

created using programming languages, libraries, services, and tools supported
by the provider. The consumer does not manage or control the underlying cloud
infrastructure, including network, servers, operating systems, or storage, but
has control over the deployed applications and possibly configuration settings
for the application-hosting environment.
3. Infrastructure as a Service (IaaS) - The capability provided to the consumer
is to provision processing, storage, networks, and other fundamental computing

resources where the consumer is able to deploy and run arbitrary software, which
can include operating systems and applications. The consumer does not manage or
control the underlying cloud infrastructure but has control over operating
systems, storage, and deployed applications; and possibly limited control of
select networking components (e.g., host firewalls).
Cloud Deployment Models - four:
1. Private Cloud - the cloud infrastructure is provisioned for exclusive use
by a single organization comprising multiple consumers (e.g., business units).

It may be owned, managed, and operated by the organization, a third party, or
some combination of them, and it may exist on or off premises.
2. Community Cloud - provisioned for exclusive use by a specific community of
consumers from organizations that have shared concerns (e.g., mission, security
requirements, policy, and compliance considerations). It may be owned, managed,
and operated by one or more of the organizations in the community, a third
party, or some combination of them, and it may exist on or off premises.
3. Public Cloud - provisioned for open use by the general public. It may be
owned, managed, and operated by a business, academic, or government

organization, or some combination of them. It exists on the premises of the
cloud provider.
4. Hybrid Cloud - a composition of two or more distinct cloud infrastructures
(private, community, or public) that remain unique entities but are bound
together by standardized or proprietary technology that enables data and
application portability (e.g., cloud bursting for load balancing between clouds).
NOTE: As cloud computing moves from infrastructure to platform to software, the

responsibility to implement effective security controls shifts away from the
organization and toward the cloud service provider. Called the Cloud shared
responsibility model.
Cloud computing is based on the use of virtualization technology.
The key component that makes virtualization possible is the use of a Hypervisor
(Virtual Machine Monitor). Types:
a. Type I - Native or Bare-Metal. Used for Server virtualization
b. Type II - Hosted on a client O/S
Cloud Access Security Broker (CASB) - security policy enforcement solution

between a cloud provider and a customer. Can be on-premise or cloud based.
Security as a Service (SECaaS) - security services provided by a third party
cloud provider
Internet of Things (IoT) System Vulnerabilities - IP enabled endpoints in the

hands of consumers, often connected to networks where corporate owned assets may
also be, with little to no security built in or available... What could possibly
go wrong !!??
Industrial Control Systems (ICS) Vulnerabilities - computer management devices

that control industrial processes and / or systems. Types:
1. Distributed Control System (DCS)

2. Programmable Logic Controller (PLC)
3. Supervisory Control and Data Acquisition (SCADA)
Biggest issues are the IP enabling of these systems to allow for non-closed loop
remote monitoring and control along with a lack of security capabilities built-in
to the protocol stacks (no encryption or tunneling support)
================================================================================
Topic 6: Assess and mitigate vulnerabilities in web-based systems
Web based systems face a wide variety of vulnerabilities. The OWASP top 10 list
is VERY, VERY IMPORTANT !!
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
A1 - Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur
when untrusted data is sent to an interpreter as part of a command or query. The
attacker’s hostile data can trick the interpreter into executing unintended
commands or accessing data without proper authorization.
a. Input Validation
b. Limit Account Privileges
A2 - Broken Authentication: Application functions related to authentication and

session management are often implemented incorrectly, allowing attackers to
compromise passwords, keys, or session tokens, or to exploit other implementation
flaws to assume other users’ identities temporarily or permanently.
A3 - Sensitive Data Exposure: Attackers may steal or modify weakly protected

data to conduct credit card fraud, identity theft, or other crimes. Sensitive
data may be compromised without extra protection, such as encryption at rest or
in transit, and requires special precautions when exchanged with the browser.
A4 - XML External Entities (XXE): Many older or poorly configured XML processors
evaluate external entity references within XML documents. External entities can
be used to disclose internal files using the file URI handler, internal file
shares, internal port scanning, remote code execution, and denial of service
attacks.
Applications and in particular XML-based web services or downstream integrations

might be vulnerable to attack if:
• The application accepts XML directly or XML uploads, especially from
untrusted sources, or inserts untrusted data into XML documents, which is then
parsed by an XML processor.
• Any of the XML processors in the application or SOAP based web services has
document type definitions (DTDs) enabled. As the exact mechanism for disabling
DTD processing varies by processor, it is good practice to consult a reference
such as the OWASP Cheat Sheet 'XXE Prevention’.
• If your application uses SAML for identity processing within federated
security or single sign on (SSO) purposes. SAML uses XML for identity
assertions, and may be vulnerable.
• If the application uses SOAP prior to version 1.2, it is likely susceptible
to XXE attacks if XML entities are being passed to the SOAP framework.
NOTE: Being vulnerable to XXE attacks likely means that the application is
vulnerable to denial of service attacks including the Billion Laughs attack.
A5 - Broken Access Control: Restrictions on what authenticated users are allowed

to do are often not properly enforced. Attackers can exploit these flaws to
access unauthorized functionality and/or data, such as access other users'
accounts, view sensitive files, modify other users’ data, change access rights, etc...
A6 - Security Misconfiguration: The most commonly seen issue. The result of

insecure default configurations, incomplete or ad hoc configurations, open cloud
storage, misconfigured HTTP headers, and verbose error messages containing
sensitive information. Not only must all operating systems, frameworks, libraries,
and applications be securely configured, but they must be patched and upgraded
in a timely fashion.
A7 - Cross-Site Scripting (XSS) - XSS flaws occur whenever an application

includes untrusted data in a new web page without proper validation or escaping,
or updates an existing web page with user-supplied data using a browser API that
can create HTML or JavaScript. XSS allows attackers to execute scripts in the
victim’s browser which can hijack user sessions, deface web sites, or redirect
the user to malicious sites.
There are three forms of XSS, usually targeting users' browsers:
1. Reflected XSS - The application or API includes unvalidated and unescaped

user input as part of HTML output. A successful attack can allow the attacker
to execute arbitrary HTML and JavaScript in the victim’s browser. Typically
the user will need to interact with some malicious link that points to an
attacker controlled page, such as malicious watering hole websites,
advertisements, or similar.
2. Stored XSS - The application or API stores unsanitized user input that is
viewed at a later time by another user or an administrator. Stored XSS is often
considered a high or critical risk.
3. DOM XSS - JavaScript frameworks, single-page applications, and APIs that

dynamically include attacker-controllable data to a page are vulnerable to
DOM XSS. Ideally, the application would not send attacker-controllable data to
unsafe JavaScript APIs.
Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM
node replacement or defacement (such as trojan login panels), attacks against
the user's browser such as malicious software downloads, key logging, and other
client-side attacks.
A8 - Insecure Deserialization: Often leads to remote code execution. Even if

deserialization flaws do not result in remote code execution, they can be used
to perform attacks, including replay attacks, injection attacks, and privilege
escalation attacks.
Serialization is the process of translating data structures or object state into

a format that can be stored or transmitted and reconstructed later. When the
resulting series of bits is reread according to the serialization format, it can
be used to create a semantically identical clone of the original object.
A9 - Using Components with Known Vulnerabilities: Components, such as libraries,

frameworks, and other software modules, run with the same privileges as the
application. If a vulnerable component is exploited, such an attack can facilitate
serious data loss or server takeover. Applications and APIs using components with
known vulnerabilities may undermine application defenses and enable various
attacks and impacts.
A10 - Insufficient Logging & Monitoring: Insufficient logging and monitoring,

coupled with missing or ineffective integration with incident response, allows
attackers to further attack systems, maintain persistence, pivot to more systems,
and tamper, extract, or destroy data.
Additional Attacks to be concerned about:
1. Directory Traversal (../) - moving from one directory to others without the
knowledge of the system owner
2. Cross-Site Request Forgery (CSRF) - forces a logged-on victim’s browser to
send a forged HTTP request, including the victim’s session cookie and any other
automatically included authentication information, to a vulnerable web
application. This allows the attacker to force the victim’s browser to generate
requests the vulnerable application thinks are legitimate requests from the
victim.
================================================================================
Topic 7: Assess and mitigate vulnerabilities in mobile systems
Device security is often a difficult issue for mobile devices, but not because
options are unavailable. Instead the need to secure personal devices that are
used to access corporate assets is the problem that has to be addressed.
Potential Approaches:
1. Full device encryption

2. Remote Wiping
3. Lockout
4. Screen Locks
5. GPS
6. Application controls
7. Storage Segmentation
8. Asset Tracking / Inventory Control
9. Mobile Device Management (MDM)
10. Device based Access Control
11. Removable Storage
12. Disable Unused Features / Device Hardening
The applications that run on the device are also a potential source of
vulnerabilities. The same kind of concerns we would address on a laptop or a
desktop are what must be addressed in mobile devices:
Potential Approaches:
1. Key Management
2. Credential Management
3. Authentication
4. Geotagging
5. Encryption
6. Application Whitelisting
General areas of concern due to Bring Your Own Device (BYOD):
1. Data Ownership
2. Patch Management
3. A/V
4. Device Forensics / Incident Response
5. Privacy
6. Cameras & Microphones
Alternatives to BYOD:
1. Company Owned Personally Enabled (COPE)
2. Choose Your Own Device (CYOD)
3. Corporate Owned
4. Virtual Desktop Infrastructure (VDI)
5. Virtual Mobile Infrastructure (VMI)
================================================================================
Topic 8: Assess and mitigate vulnerabilities in Embedded Devices &

Cyber-Physical Systems
Embedded Device - a computer implanted as part of a larger system
Static System (static environment) - a set of conditions, events and environment

that do not change
Cyber-Physical System (CPS) - smart networked systems with embedded sensors,

processors, and actuators that are designed to sense and interact with the
physical world (including the human users) and can support real-time, guaranteed
performance in safety-critical applications. In CPS systems, the joint behavior
of the “cyber” and “physical” elements of the system is critical — computing,
control, sensing, and networking are deeply integrated into every component, and
the actions of components and systems must be carefully orchestrated.
Security Approaches:
1. Network Segmentation
2. Security Layering
3. Application Firewalls
4. Patch Management
5. Firmware Versioning
6. Wrapping / Encapsulation of updates or configuration information to allow
for secure communication / acceptance

7. Monitoring
8. Redundancy
================================================================================
Topic 9: Apply Cryptography
1. Cryptographic life cycle (e.g., key management, algorithm selection)

2. Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
3. Public Key Infrastructure (PKI)
4. Key management practices
5. Digital signatures
6. Non-repudiation
7. Integrity (e.g., hashing)
8. Understand methods of cryptanalytic attacks
9. Digital Rights Management (DRM)
First things first - What are the goals of Cryptography?
1. Confidentiality
2. Integrity
3. Authentication
4. Nonrepudiation
Cryptographic Systems - Key Encryption Concepts and Definitions:
MAKE SURE THAT YOU DOWNLOAD THE CRYPTO DEFINITIONS WORD DOCUMENT !!!
Some additional things that are important, but are not in the document:
Kerckhoffs's principle - stated by Netherlands born cryptographer Auguste
Kerckhoffs in the 19th century: "A cryptosystem should be secure even if
everything about the system, except the key, is public knowledge."
Kerckhoffs's principle was reformulated by American mathematician Claude

Shannon as "the enemy knows the system", i.e., "one ought to design systems
under the assumption that the enemy will immediately gain full familiarity with
them".
The Mathematics of Cryptography - The rules that govern us all
1. Boolean Mathematics - defines the rules used for the bytes & bits that make
up information
2. Logical Operators:
a. AND - represented by the ^ symbol checks to see whether two values are
both true - (x^y)
b. OR - represented by the ∨ symbol checks to see whether at least one of

the values are true - (x∨y)
c. NOT - represented by the - or ! symbol reverses the value of an input
d. Exclusive OR (XOR) - represented by the ⊕ symbol and returns a true

value when only one of the inputs is true
Modulo Function - the remainder left over AFTER a division operation has been
performed
Example: 8 MOD 6 = 2
One-Way Function - easily produces output, but makes it impossible to retrieve

the input values
Nonce - a random number that acts as a placeholder variable in a mathematical

function
Zero-Knowledge Proof - ability to prove your knowledge of a fact to a

third-party WITHOUT revealing that fact to the third-party. "Show but don't tell"
Split Knowledge - when the knowledge or privilege required to complete a task is

split among two or more parties
Codes vs Ciphers - Know the difference !!
a. Codes - cryptographic systems of symbols that represent words or phrases,
but are not always secret & DO NOT provide confidentiality
b. Ciphers - ALWAYS meant to hide the meaning of a transmitted message using a
variety of techniques to achieve some measure of confidentiality
One-Time Pad (Vernam Ciphers) - Only TRULY UNBREAKABLE Cryptosystem, but only if
implemented correctly
Caesar Cipher - one of the earliest documented cipher systems, used substitution
Vigenère Cipher - a method of encrypting alphabetic text by using a series of

different Caesar ciphers based on the letters of a keyword. It is a simple form
of polyalphabetic substitution
Null Cipher - used in cases where the use of encryption is not necessary but yet
the fact that no encryption is needed must be configured in order for the system
to work. In such cryptographic systems, various encryption options are configurable,
including the option to not use encryption. A Null Cipher is used when
testing/debugging, low security is needed, or when using authentication-only
based communications.
NOTE: also a reference to an ancient form of ciphering where the plaintext is
mixed together with non-cipher material. Today this is regarded as a type of
steganography.
Playfair Cipher - sender and receiver agree on a key word, for example, Pizza. A
table is then constructed using that word and then the rest of the
alphabet — skipping over the letters already appearing in the key, and using
I and J as the same letter. If the sender wanted to encrypt the message
“Do not eat my slice,” it would be encrypted by first grouping the plaintext in
two letter blocks and spacing the repeated letters in the plaintext with a
filler letter, e.g., H.
http://rumkin.com/tools/cipher/playfair.php
Transposition Ciphers - rely on concealing the message through the transposing

of or interchanging the order of the letters
Running Key Cipher - the key is repeated (or runs) for the same length as the
plaintext input
Message Integrity Controls (MICs) - allow for a degree of confidence in the

integrity of the message
Cryptographic Keys - Symmetric algorithms & Asymmetric algorithms
Symmetric Key Algorithms - are SINGLE KEY !!! - We call that key the
PRIVATE KEY | SECRET KEY | SHARED KEY (all or any will do, but make sure that you
know we only use one key, shared by all participants in the system)
Weaknesses:
1. key distribution is a challenge / not scalable
2. NO Non-Repudiation possible because everyone has a copy of the key
3. key must be regenerated whenever anyone leaves the group of keyholders
Strength:
1. FAST !!! (in comparison to asymmetric)
Asymmetric Key Algorithms - are DUAL KEY !!! - We call the keys a
PUBLIC / PRIVATE key pair.
Each user has a distinct key pair issued to them upon entry / registration into
the system. The PUBLIC key is meant to be shared with anyone who may need it to
facilitate communication. The PRIVATE key is kept secret and NOT SHARED.
But, Wait for it .... Wait for it ... Here it comes .. THE UGLY TRUTH:
We use OPPOSITE & RELATED keys in tandem to encrypt & decrypt TA DA!!
So, if your public key is used to encrypt a message, then ONLY your private key
can be used to decrypt that message.
That is THE ABSOLUTE HARDEST CONCEPT that you have to master about cryptography.
If you can wrap your head around that, and understand whose key is used to do
what, you can solve ANY problem or question that you will see.
Strengths:
1. adding users requires ONLY the generation of the key pair for them
2. users can be removed easily, without having to regenerate keys
3. ONLY time you typically regenerate a key is if the PRIVATE KEY of a user has
been compromised, or is suspect for some reason
4. provides confidentiality, integrity, authentication and non-repudiation
Weakness:
1. SLOW !!! (in comparison to Symmetric)

How many keys do I need ?? - n(n-1)/2 keys
participants symmetric keys
4 4(4-1)/2 = 6
Symmetric Algorithms to know - (DES | 3-DES | IDEA | Blowfish | Skipjack | AES)
Data Encryption Standard (DES) - used to be "the standard" for symmetric

encryption for many governments and militaries, but no longer because it is
considered compromisable using current computer power.
64-bit block cipher that has five modes of operation. This means that DES takes
64 bits of data and sets them into a block to encipher them into a 64-bit block
of ciphertext. DES uses 16 Exclusive ORs (XORs) in a series to generate the
ciphertext. We calls these ROUNDS, which is why people say that DES performs 16
rounds of encryption.
NOTE: DES uses a 56-bit key, because 8 bits are supposed to be reserved for
parity operations. This means:
1. DES = 56 bit key

2. 2-DES (Double DES) = 112 bit key
3. 3-DES (Triple DES) = 168 bit key
DES Modes:
MAKE SURE THAT YOU DOWNLOAD THE CRYPTO DEFINITIONS WORD DOCUMENT !!!
International Data Encryption Algorithm (IDEA) - Block Cipher like DES. Uses
64-bit blocks to encrypt, like DES. Starts with a 128 bit key, NOT LIKE DES !!
Blowfish - Block Cipher. Uses 64-bit blocks to encrypt, like DES. Variable key
from 32 bits to 448 bits.
Skipjack - Block Cipher. Uses 64-bit blocks to encrypt, like DES. 80 bit key. Has
an additional capability to use key escrow for the encryption keys. The basis for
the U.S. Gov'ts attempts at the Clipper Chip.
Advanced Encryption Standard (AES) - Variable key strengths (128 | 192 | 256 bits)
with a 128-bit block. Number of rounds:
128-bit key requires 10 rounds

NOTE: The original name for AES is the Rijndael Algorithm. Rijndael consists of
four major operations:
1. Substitute bytes - Use of an S-box to do a byte-by-byte substitution of the
entire block
2. Shift rows - Transposition or permutation through offsetting each row in
the table
3. Mix columns - A substitution of each value in a column based on a function
of the values of the data in the column
4. Add round key - XOR each byte with the key for that round; the key is
modified for each round of operation
NOTE: The Rijndael S-box is a square matrix (square array of numbers) used in
the Rijndael cipher. The S-box (substitution box) serves as a lookup table.
CAST - CAST-128 can use keys between 40 and 128 bits in length and will do
between 12 and 16 rounds of operation, depending on key length. CAST-128 is a
Feistal-type block cipher with 64-bit blocks.
CAST-256 operates on 128-bit blocks and with keys of 128, 192, 160, 224, and
256 bits. It performs 48 rounds and is described in RFC 2612.
Secure and Fast Encryption Routine (SAFER) - either 64-bit input blocks
(SAFER-SK64) or 128bit blocks (SAFER-SK128). A variation of SAFER is used as a
block cipher in Bluetooth.
Twofish - 128-bit block with keys up to 256 bit length
Rivest Cipher (RC) 5 - Variable block size (32, 64 or 128 bits) with variable
key length of 0 bits to 2048 bits.
RC4 - It's a Stream Cipher .... NOT BLOCK !!!
The most widely used stream cipher, being deployed, for example, in WEP and
SSL/TLS. RC4 uses a variable length key ranging from 8 to 2,048 bits (1 to 256 bytes).
If RC4 is used with a key length of at least 128 bits, there are currently no
practical ways to attack it; the published successful attacks against the use of
RC4 in WEP applications are related to problems with the implementation of the
algorithm, not the algorithm itself.
NOTE: RC2 is no longer considered to be safe for use, but when active was
64-bit block with a 128 bit key.
Algorithm Block Size (bits) Key Size (bits)
AES 128 128, 192, 256
Rijndael Variable 128, 192, 256
Blowfish 64 32 - 448
DES 64 56
2-DES 64 112
3-DES 64 168
IDEA 64 128
RC2 64 128
RC5 32, 64, 128 0 - 2048
Skipjack 64 80
Twofish 128 1 - 256
Symmetric Key Management - the steps necessary to safeguard keys, including:

1. Creation & Distribution - three methods:
a. Offline Distribution - physical method(s) used to securely deliver the

key to someone
b. Public Key Encryption - use of Asymmetric encryption to exchange the

symmetric key securely
c. Diffie-Hellman algorithm - a key exchange algorithm used to enable two

users to exchange or negotiate a secret symmetric key that will be used
subsequently for message encryption. Does not provide for message
confidentiality but is extremely useful for applications such as Public Key
Infrastructure (PKI).
2. Storage & Destruction - Best Practices:
a. never store the key in the same system as the encrypted data
b. consider the use of split-knowledge approach for keys
3. Key Escrow & Recovery - Key escrow is a data security measure in which a
cryptographic key is entrusted to a third party.
a. Fair Cryptosystem - split knowledge approach with key shards being held
by different trusted third parties
Cryptographic Lifecycle - ALL cryptosystems have a limited lifespan based on

their ability to withstand attacks. The problem is that technological power
keeps advancing, and as a result, what is secure today may be breakable tomorrow.
Moore's law is at the heart of this issue and has to be kept in mind when
choosing a system, but also as you evaluate the protective ability of the system
over the retention period.
Asymmetric Cryptography - uses DUAL KEYS !!! - We call the keys a

PUBLIC / PRIVATE key pair.
Each user has a distinct key pair issued to them upon entry / registration into
the system. The PUBLIC key is meant to be shared with anyone who may need it to
facilitate communication. The PRIVATE key is kept secret and NOT SHARED.
We use OPPOSITE & RELATED keys in tandem to encrypt & decrypt (already said that,
but so important, I am saying it again!!)
RSA - most famous asymmetric cryptosystem. Named for its creators:
Ron Rivest
Adi Shamir
Leonard Adleman
Depends on the computational difficulty of factoring large prime numbers.
Merkle-Hellman Knapsack - developed at approx. same time as RSA, and also based
on difficulty of factoring, but took a different approach. Broken in 1984.
El Gamal - based on an extension of the Diffie-Hellman algorithm. Published

without a patent, so it is freely available. Doubles the size of any message
that it encrypts, which can be an issue.
Elliptic Curve Cryptography (ECC) - based on the elliptic curve discrete

logarithm problem. Harder to solve than the factoring problems for RSA or the
standard discrete logarithm problem that Diffie-Hellman uses.
Hash Functions - take a message and mix it with a hash to derive a unique output
value, the Message Digest. Generated by the sender and sent along with the
message to the recipient for two reasons:
1. verify the Integrity of the message
2. verify the authenticity of the message (proof of origin & non-repudiation)
Note: Message Digests are also called:
a. hashes
b. hash values
c. hash total
d. CRC
e. fingerprint
f. checksum
g. digital ID
RSA says that a hash function has five basic requirements it must meet:
1. input can be of any length
2. output has a fixed length
3. hash function is easy to compute for given input
4. hash function is "one-way"; almost impossible to figure out the input based
on the output
5. hash function is collision free; almost impossible to find two messages
that will produce the same hash value
Hashing Algorithms - Know Them !!!
1. Secure Hashing Algorithm (SHA) - variable length input (up to 2,097,152
terabytes) gives fixed output as noted:
a. SHA-160 = 160 bits (using a 512 bit block size for processing message data)
b. SHA-224 = 224 bits (using a 512 bit block size for processing message data)
c. SHA-256 = 256 bits (using a 512 bit block size for processing message data)
d. SHA-384 = 384 bits (using a 1024 bit block size for processing message data)
e. SHA-512 = 512 bits (using a 1024 bit block size for processing message data)
NOTE: SHA1 is considered to be weak, and has been replaced by the SHA2 series
(SHA-224 | SHA-256 | SHA-384 | SHA-512). SHA2 is considered secure, but
potentially has same weaknesses as SHA1, so SHA3 has been produced, called the
Keccak algorithm.
2. Message Digest (2 | 4 | 5) - all produce a 128 bit output
3. Hash of Variable Length (HAVAL) - 128 | 160 | 192 | 224 & 256 bits
4. Hash Message Authentication Code (HMAC) - Variable
5. RIPEMD-160 - output is 160 bits, operates similarly to MD5 on 512-bit blocks
Digital Signatures - provide assurance that a message does indeed come from the
person who claims to have sent it, it has not been altered, both parties have a
copy of the same document, and the person sending the document cannot claim that
he/she did not send it.
A digital signature is a block of data (usually a hash) that is generated based
on the contents of the message sent and encrypted with the sender’s private key.
It must contain some unique value that links it with the sender of the message
that can be verified easily by the receiver and by a third party, and it must be
difficult to forge the digital signature or create a new message with the same
signature.
Hence, the reason we use the sender's private key !!!
Digital Signature Steps:
1. Cherokee generates a message digest of the original plaintext message
using SHA-160
2. Cherokee then encrypts ONLY the message digest using her private key - this
becomes the digital signature
3. Cherokee appends (adds) the digital signature to the plaintext message
4. Cherokee sends the message to Adam (that's me !!)
5. When Adam receives the message, he reverses the process:
6. Adam decrypts the digital signature using Cherokee's public key
7. Adam then uses the same hashing function to create a message digest of the
message
8. Adam then compares the decrypted message digest to the new one he has just
created; if the two match, then the message was sent by Cherokee; if they do
not match, then it was not sent by Cherokee
HMAC implements a partial digital signature, guaranteeing the integrity of the

message, but does not provide for nonrepudiation
What key to use?
1. encrypt a message = recipient's public key
2. decrypt a message = recipient's private key
3. digitally sign a message = sender's private key
4. verify a digitally signed message = sender's public key
Digital Signature Standard (DSS) - document that NIST puts out to specify the
digital signature algorithms & the encryption algorithms approved for use by the
U.S. Federal Government:
1. ALL Digital Signatures must use SHA-3 hashing
2. Digital Signature Algorithm for encryption
3. RSA algorithm for encryption
4. Elliptic Curve DSA for encryption
5. Schnorr's Signature Algorithm for encryption
6. Nyberg-Rueppel Signature Algorithm for encryption
Public Key Infrastructure (PKI) - comprehensive system required to provide

public-key encryption and digital signature services. It has three primary
purposes:
1. publish public keys/certificates
2. certify that a key is tied to an individual or entity
3. provide verification of the validity of a public key
NOTE: PKI functions, or not, based on the TRUST of all of the participants in
the system; remove the trust and the system crashes
Digital Certificates - assurance mechanism that allows communicating parties to

establish their identity
X.509 v3 is current format most widely used. Part of the X.500 family of standards
Specific information contained in a Digital Certificate:
a. Version of conformity (v3)
b. Serial number (unique tracking mechanism from creator)
c. Signature algorithm used to sign the certificate by the Certificate
Authority (CA)
d. Issuer Name
e. Validity Period
f. Subject's Name (the Distinguished Name, DN, of the owner of the public key
in the certificate)
g. Subject's Public Key
Certificate Authorities (CA) - Perform the activities that make the PKI function,
include issuance of certificates and oversight of the certificate lifecycle. The
CA “signs” an entities digital certificate to certify that the certificate
content accurately represents the certificate owner.
Types of Certificate Authorities:
1. Enterprise vs. Stand Alone
2. Root vs. Subordinate
Registration Authorities (RA) - assists the CA by verifying the user's identity

PRIOR to the issuance of a certificate. DOES NOT ISSUE certificate, but facilitate
the CAs ability to do so
Certificate Lifecycle (generation through destruction):
1. Enrollment - process of obtaining a certificate from a CA by validating your
identity. Will need to provide the CA with a copy of your PUBLIC KEY once
identity is validated to allow CA to issue the digital certificate on your
behalf. Certificate issued is signed by the CA using it's PRIVATE KEY, certifying
that they "TRUST" you and includes a copy of your PUBLIC KEY.
2. Verification - the process of checking the validity of an issued certificate
by using the issuing CA's PUBLIC KEY. You must also check to ensure that the
certificate has not been revoked by consulting the CA's Certificate Revocation
List (CRL), or the Online Certificate Status Protocol (OCSP).
3. Revocation - the occasional process that a CA engages in to let the world
know that the certificate is no longer valid. The revocation request grace
period is the maximum response time within which a CA will perform a revocation.
Defined by the Certificate Practice Statement (CPS).
Asymmetric Key Management - Control over the issuance, revocation, recovery,

distribution, and history of cryptographic keys.
Kerckhoff’s principle states: “A cryptosystem should be secure even if everything
about the system, except the key, is public knowledge.”
The key is the true strength of the cryptosystem. The size of the key and the
secrecy of the key are perhaps the two most important elements in a crypto
implementation.
XML Key Management Specification 2.0 (XKMS) - defines protocols for distributing
and registering public keys, suitable for use in conjunction with XML Digital
Signatures and XML Encryption.
ANSI X9.17 - developed to address the need of financial institutions to transmit

securities and funds securely using an electronic medium. Specifically, it
describes the means to ensure the secrecy of keys.
Segregation of Duties | Split Knowledge | Dual Control
Key Wrapping and Key Encrypting Keys (KEK) - KEKs are used as part of key
distribution or key exchange. The process of using a KEK to protect session keys
is called key wrapping. Key wrapping uses symmetric ciphers to securely encrypt
(thus encapsulating) a plaintext key along with any associated integrity
information and data.
Key wrapping can be used when protecting session keys in untrusted storage or
when sending over an untrusted transport medium. Key wrapping or encapsulation
using a KEK can be accomplished using either symmetric or asymmetric ciphers.
1. If the cipher is a symmetric KEK, both the sender and the receiver will
need a copy of the same key.
2. If using an asymmetric cipher, with public/private key properties, to
encapsulate a session key, both the sender and the receiver will need the
other’s public key.
Protocols such as SSL, PGP, and S/MIME use the services of KEKs to provide
session key confidentiality, integrity, and sometimes to authenticate the
binding of the session key originator and the session key itself to make sure
the session key came from the real sender and not an attacker.
Pretty Good Privacy (PGP) - Phil Zimmerman created this secure e-mail solution
E-mail security:
1. Secure Multipurpose Internet Mail Extension (S/MIME) - authentication and
confidentiality protection through use of public key cryptography and digital

signatures. X.509 digital certificates are used for authentication. Two
message types:
a. signed messages - integrity | sender authentication & non-repudiation
b. enveloped messages - integrity | sender authentication & confidentiality
2. MIME Object Security Services (MOSS) - authentication, confidentiality,
integrity & non-repudiation. Uses Message Digest 2 (MD2) and Message Digest 5
(MD5), RSA public key & Data Encryption Standard (DES) for authentication &
encryption.
3. Privacy Enhanced Mail (PEM) - authentication, confidentiality, integrity &
non-repudiation. Uses RSA, DES & X.509
4. DomainKeys Identified Mail (DKIM) - assertion that an e-mail was sent by an
organization via means of domain name verification. http://www.dkim.org
5. Pretty Good Privacy (PGP) - Asymmetric key system using a variety of

algorithms including RSA and IDEA
6. Opportunistic TLS for SMTP Gateways (RFC 3207) - attempts to setup an
encrypted connection with every other mail server that supports it.
Steganography - the ability to use cryptographic techniques to hide information

inside of a "cover medium"
Watermarking - the use of steganography to protect documents or Intellectual Property
Digital Rights Management (DRM) - using software to encrypt data and then apply
stringent protections to only allow authorized users to interact with the data in
specifically defined ways. Types:
a. Music
b. E-Book
c. Video Games
d. Document
e. Movies - two technologies:
1. High-Bandwidth Digital Content Protection (HDCP) - content sent over
digital connections such as HDMI, DVI and DisplayPort
2. Advanced Access Content System (AACS) - Blu-Ray & HD DVD
Networking Encryption Applications - Circuit Encryption:
1. Link Encryption - protects the entire communication circuit by creating an
encrypted tunnel between two end points, encrypting ALL OF THE DATA, including
the header, trailer, address and routing information.
2. End-to-End Encryption - protects communications between two parties and is
performed independently of link encryption. Just encrypts the data payload

itself, not any of the routing information, so it is quicker.
Higher up in the OSI model = end-to-end (SSH)
Lower down in the OSI model = link (SSL/TLS)
IP Security Protocol (IPSec) - Most commonly used VPN protocol !!! IP traffic
only. Public key cryptography for encryption, access control, non-repudiation &
authentication. Two primary components:
1. Authentication Header (AH) - authentication, integrity & non-repudiation
2. Encapsulating Security Payload (ESP) - confidentiality with limited
authentication. Operates at Layer 3, and can be deployed in either;
Transport Mode - IP packet data is encrypted, header is not
Tunnel Mode - Entire IP packet is encrypted & new header is added to manage
transmission through the tunnel
Internet Security Association and Key Management Protocol (ISAKMP) - provides

security support in IPSec by negotiating, establishing, modifying, and deleting
Security Associations (SAs). RFC 2048 lays out four requirements for ISAKMP:
1. Authenticate communicating peers

2. Create & Manage security associations
3. Provide key generation mechanisms
4. Protect against threats
Security Associations (SAs) - negotiated by ISAKMP during the initialization of

an IPSec session. It represents a simplex connection, or a "one-way" transmission
agreement. You must have two SAs established to securely communicate, one for
each direction of the transmission. If you want to use both AH & ESP
bidirectionally with IPSec, then you actually need four SAs !!
Using secure encryption protocols on wireless networks:
Wired Equivalent Privacy (WEP) - uses a predefined and shared symmetric key that
is STATIC. Uses RC4 stream cipher. Bad implementation is at the heart of the
issues with WEP, not the use of RC4 itself.
a. static symmetric key
b. small IV's
Wi-Fi Protected Access (WPA) - meant to be a bridge between WEP and newer
802.11i standard that would replace it. Based on Lightweight Extensible
Authentication Protocol (LEAP) and Temporal Key Integrity Protocol (TKIP). Also
uses a single static passphrase. TKIP sought to improve on WEP by implementing a
key mixing function combining the IV with the secret root-key BEFORE using the
key with RC4 to encrypt along with a sequence counter to prevent replay attacks
and a strong integrity check named Michael.
NOTE: WPA only encrypts traffic between the mobile device & the wireless access
point. Once traffic moves to the wired network, it is no longer encrypted by WPA.
Wi-Fi Protected Access 2 (WPA2 or 802.11i) - uses Counter Mode Cipher Block
Chaining Message Authentication Protocol (CCMP), based on AES 128 bit key. Can be
attacked potentially using a Key Reinstallation Attack (KRACK), which is capable
of corrupting the initial 4 way handshake between the client and the Wireless
Access Point (WAP), forcing the reuse of keys and/or a key comprised of all zeros.
802.1x / Extensible Authentication Protocol (EAP) - Port based network access

control supported by WPA and WPA2. 802.1x actually allows for a "handoff" or
integration with additional infrastructure based authentication mechanisms such
as RADIUS / TACACS(+), certificates, smartcards, tokens & biometrics. EAP is an
extensible and flexible authentication framework used to integrate new
authentication technologies.
Protected Extensible Authentication Protocol (PEAP) - EAP encapsulated inside a

TLS tunnel
Lightweight Extensible Authentication Protocol (LEAP) - Cisco proprietary

alternative for TKIP
Cryptographic Attacks - approaches that seek to exploit one or more

vulnerabilities in a cryptosystem to break it
REMEMBER ---> PATTERNS KILL !!!
REMEMBER ---> IT'S ALL ABOUT THE KEY !!!
1. Analytic Attack - algebraic manipulation attempting to reduce the
complexity of the algorithm by focusing on the logic of the algorithm
2. Implementation Attack - exploiting weaknesses in the way in which the
cryptosystem has been architected & implemented
3. Statistical Attack - exploits weaknesses such as floating point errors & an
inability to produce truly random numbers
4. Brute Force Attack - attempting EVERY POSSIBLE combination until the right
one is found
Ways to enhance effectiveness of attack:
a. Rainbow Tables - attempt to shortcut using tables of pre-computed hash

values
b. Use of specialized hardware
Way to defeat attack:
a. Salt the passwords - add random values to end of password and then hash.
The salt is stored along with the password hash in the password file
maintained in the O/S. By using the salt value when the password hash is
submitted for verification, we can determine if the password is accurate or
not without exposing it.
b. pepper - a large constant number stored separately from the hashed password
c. key stretching - technique making it more computationally difficult to

guess a password by converting a password to a longer and more random key for
cryptographic purposes such as encryption
5. Frequency Analysis & the Ciphertext Only Attack - what we do when we only
have access to the ciphertext of the message. We examine the frequency of

letters appearing in the ciphertext attempting to figure out what letters they
correspond to in the plaintext version by having knowledge of frequency in the
language.
6. Known Plaintext - attacker has a copy of the plaintext & ciphertext versions
of the same message
7. Chosen Ciphertext - attacker can choose which portions of the ciphertext
message they decrypt
8. Chosen Plaintext - attacker has he ability to encrypt plaintext messages to
see what the resulting ciphertext is
9. Meet in the Middle - used against algorithms that use 2 rounds of encryption.
(reason that 2-DES was defeated) Attacker uses a known plaintext message and
encrypts it using every possible key, and then the ciphertext is decrypted
using every possible key. When a match is found, the corresponding key pair
represents both the encrypt and decrypt capabilities
10. Man in the Middle - attacker sits between the two communicating parties,
allowing for interception of all communication, including the setup of the

communication session. Attacker responds to the sender's initialization request,
setting up a secure communication exchange with the sender. The attacker also
sets up a secure communication session with the intended recipient, posing as
the sender. This allows the attacker to be in the middle and have control of
all communications between the two parties
11. Birthday Attack (collision attack | reverse hash matching) - find flaws in
the one-to-one association of the hash function. Attacker attempts to substitute

a digitally signed message that produces the same message digest as the original.
12. Replay Attacks - used against cryptosystems that do not use temporal
protections.
Do Not Forget about Social Engineering !!!
================================================================================
Apply security principles to site and facility design (topic 10)
AND
Implement site and facility security controls (topic 11)
1. Wiring closets/intermediate distribution facilities

2. Server rooms/data centers
3. Media storage facilities
4. Evidence storage
5. Restricted and work area security
6. Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
7. Environmental issues
8. Fire prevention, detection, and suppression
================================================================================
The single most important goal in planning a site is the protection of life,
property, and operations
A secure facility plan should be based on a security assessment, which is a

comprehensive overview of the facility including physical security controls,
policy, procedures, and employee safety. A good assessment requires the
determination of the following objectives:
1. Threat Definition
2. Target Identification
3. Facility Characteristics
Critical Path Analysis - identifies relationships between mission-critical

applications, processes and operations, as well as all the necessary supporting
elements they require
Crime Prevention Through Environmental Design (CPTED) - idea of structuring the

physical environment and surroundings to minimize the opportunities for people to
act in inappropriate ways
Controls implemented to manage physical security in a facility can be divided into

three groups:
1. Administrative - facility construction & selection, site management,
personnel controls, awareness training and emergency response procedures
2. Technical - access controls, intrusion detection, alarms,
Closed Circuit TV (CCTV), monitoring, Heating Ventilation Air Conditioning

(HVAC), power supplies, fire detection
3. Physical - fencing, lighting, locks, mantraps, dogs, guards
Functional order that controls should be used:
a. Deter
b. Deny
c. Detect
d. Delay
Equipment Failure can cause a Single Point of Failure if not anticipated and
monitored for. Things to consider:
a. Service Level Agreements (SLA)

b. Mean Time to Failure (MTTF)
c. Mean Time to Repair (MTTR)
d. Mean Time Between Failure (MTBF)
Wiring Closets (premises wire distribution rooms | intermediate distribution

facilities | telecommunications room) - should be included in the facility
security plan AND should be physically secured. If you are in a building that is
managed by a third party, notify the management of the security plan for the
wiring closet to ensure that they do not accidentally violate it. Access must be
controlled into this area, and only authorized personnel should be allowed to
work on this equipment. No matter what transmission mode or media is selected, it
is important that a method for securing communications be included.
Cable Plant - the collection of interconnected cables and devices that establish
the network. Made up of:
a. Entrance Facility (demarcation point) - cables from the provider enter the
building here
b. Equipment Room - main wiring closet for the building
c. Backbone Distribution System - provides wired connections between equipment
room and telecommunications room, including cross-floor connections
d. Telecommunications Room (wiring closet) - interconnect point for the backbone
and horizontal distribution system
e. Horizontal Distribution System - connection to the work areas of a floor.
Consists of:
1. Cables
2. Cross-connecting blocks
3. Patch panels
4. Jumpers
5. Connecting hardware
6. Pathways (supporting structures such as cable trays, conduits, and hangers
that support the cables from the telecommunication room to the work areas)
Cable Plant Management - the design, documentation, and management of the lowest
layer of the OSI network model – the physical layer
Server Rooms | Data Centers - protected areas that should be optimized for
operations, not humans
a. should be located in or near center of building

b. should not be on ground floor if possible
c. should not be on top floor if possible
d. should not be in basement if possible
e. should be away from water, gas, sewer runs if possible
f. walls of space should have a MINIMUM fire rating of 1 hour
Smartcards & Proximity Readers - often used to control access to a secure area
such as a datacenter
Common Access Concerns:
a. Masquerading
b. Piggybacking
NOTE: remember the importance of Audit Trails & Access Logs as physical access
controls
Emanation Security - focused on the minimization and mitigation of electrical

signals that could breach confidentiality if discovered coming from one or more
devices. TEMPEST Countermeasure types:
a. Faraday Cage
b. White Noise
c. Control Zone
Media Storage / Evidence Storage - need to plan for these areas as well
Protection from Lightning - lightning strikes to a grounding system produce an

elevated ground or ground potential rise (GPR). Any equipment bonded to this
grounding system and also connected to wire-line communications will most likely
be damaged from outgoing current seeking remote ground. Personnel working at this
equipment are susceptible to harm because they will be in the current path of
this outgoing current.
Windows - Nice to have in a house, NOT IN A SECURE LOCATION !!!
Types of Glass:
1. Tempered glass is similar to the glass installed in car windshields. Should
be used in entrance doors and adjacent panels.
2. Wired glass provides resistance to impact from blunt objects. The wire mesh
is imbedded into the glass thereby providing limited protection.
3. Laminated glass is recommended for installation in street-level windows,
doorways, and other access areas. It is made from two sheets of ordinary glass
bonded to a middle layer of resilient plastic. When it is struck, it may crack
but the pieces of glass tend to stick to the plastic inner material.
4. Bullet resistant (BR) glass is typically installed in banks and high-risk
areas.
Glass Break Sensors - a good intrusion detection device for buildings with a lot
of glass windows and doors with glass panes. The basic types of glass break
sensors include:
a. Acoustic sensors - listen for an acoustic sound wave that matches the
frequency of broken glass
b. Shock sensors - feel the shock wave when glass is broken
NOTE: use of dual-technology glass break sensors — both acoustic and shock
wave — is most effective
Garages -
1. use CCTV cameras to monitor events and place emergency call boxes throughout
the garage
2. installing bright lights is one of the most effective deterrents to both
accidents and attacks
3. lighting levels of at least 10- to 12-ft. candles over parked cars and
15- to 20-ft. candles in walking and driving aisles is recommended
4. exterior lights should be placed approximately 12 ft. above ground, and
they should point downward to illuminate wide areas along the ground
5. increase visibility by painting the walls of the structure white to reflect
light
6. place lighting fixtures to bounce light off the walls and reduce dark
corners where criminals or attackers could hide
7. if the garage is under the facility, elevators or walk-ups should all
empty into the lobby, NOT into the controlled space
Utilities & Heating, Ventilation, & Air Conditioning (HVAC):
Power Supplies - Redundant (or dual) power supplies are common in systems where
failures cannot be tolerated.
Alternatively, failures that occur outside of an individual system can be dealt
with using appropriate uninterruptible power supply (UPS) systems and alternative
sources of power from the main grid (such as diesel-based generators common to
many data center facilities).
Power Concerns:
a. Spike - a quick instance of an increase in voltage
b. Sag - a quick instance of a decrease in voltage
c. Surge - an increase in power that is prolonged
d. Brownout - a decrease in power that is prolonged
e. Transients - short duration noise on the power lines
f. Noise - steady interference on power lines
g. Fault - momentary loss of power
h. Blackout - complete loss of power
i. Inrush - initial surge of power
j. Clean - nonfluctuating power
k. Ground - wire in the electrical circuit that is the reference point from
which voltages are measured, a common return path for electric current, or a
direct physical connection to the earth
Noise - Two types:
1. Electromagnetic Interference (EMI) - two types:
a. Common Mode - difference in power between the hot & ground wires
b. Traverse Mode - difference in power between the hot & neutral wires
NOTE: The neutral wire is the wire in which electricity returns from the hot
wire. It is also connected to the ground wire.
2. Radio-frequency Interference (RFI)
Temperature & Humidity & Static - all bad if not managed and controlled
Temperature Range -
60 - 75 degrees Fahrenheit
15 - 23 degrees Celsius
Humidity Range -
40 - 60 %
a. Too much humidity = corrosion
b. Too little humidity = static electricity
Two types of cooling:
1. Latent cooling - the ability of the air-conditioning system to remove moisture
2. Sensible cooling - the ability of the air-conditioning system to remove

heat that can be measured by a thermometer
FIRE !!!! (yup, got know about it too)
Stages of a fire (four):
Stage 1 - The Incipient Stage - air ionization but no smoke
Stage 2 - The Smoke Stage - smoke is visible at point of ignition
Stage 3 - The Flame Stage - flame(s) can be seen
Stage 4 - The Heat Stage - burn, baby burn
Fire Extinguishers - Know the table:
Class Type Suppression Material
A Common Combustibles Water, soda acid
B Liquids CO2, Halon equivalent, soda acid
C Electrical CO2, Halon equivalent
D Metal Dry Powder
Fire Detection System Types: (5)
1. Fixed temperature detection - trigger when a specific temperature is
reached; these are the systems that most of us are familiar with
2. Rate-of-rise detection - speed of temperature change is critical factor
3. Flame actuated - based on the infrared energy produced by the flames
4. Smoke actuated - use ionization monitoring
5. Incipient smoke detection (aspirating sensors) - detect chemicals
associated with early stages of combustion BEFORE other monitors would

normally be able to detect
Water Suppression System Types (sprinklers): (4)
1. Wet Pipe Systems (closed head) - have a constant supply of water in them at
all times; discharge occurs immediately once activated
2. Dry Pipe Systems - do not have water in them, they are filled with
compressed air. Discharge occurs only after all air has escaped.
3. Pre-Action System - incorporate a detection system, which can eliminate
concerns of water damage due to false activations. Water is held back until
detectors in the area are activated.
4. Deluge Systems - another type of dry-pipe system, except all sprinkler
heads are in the open position and larger pipes are used to provide greater
water flow.
Gas Systems - operate to starve the fire of oxygen. Halon used to be used in
most systems, as it is a very effective suppression agent. However, it is
problematic for several reasons, and has been banned by International Treaty
(Montreal Protocol). A variety of alternates are now used, including:
a. FM-200
b. CEA-410 or CEA-308
c. Argon
d. Aero-K

Isc2 Acceleratedcissp 2018 3 1 12 Security Architecture and Engineering

Uploaded by

Copyright:

Available Formats

You might also like

Isc2 Acceleratedcissp 2018 3 1 12 Security Architecture and Engineering

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Isc2 Acceleratedcissp 2018 3 1 12 Security Architecture and Engineering

Uploaded by

Copyright:

Available Formats

Filename: isc2-acceleratedcissp-2018-3-1-12-security-architecture-and-engineering

Show Name: Accelerated CISSP (2018)

Security Architecture and Engineering

Domain: Security Architecture and Engineering

Security should be a focus at EVERY STAGE of a system's development.

ISO/IEC 15288:2015 is a systems engineering standard covering processes and life

Defense in Depth - the use of overlapping layers of controls / countermeasures

Common Criteria (ISO 15408) - provides a structured methodology for documenting

ISO/IEC 21827:2008, The Systems Security Engineering – Capability Maturity

a. The entire life cycle, including development, operation, maintenance, and

b. The whole organization, including management, organizational, and

c. Concurrent interactions with other disciplines, such as system, software,

hardware, human factors, test engineering, system management, operation, and

d. Interactions with other organizations, including acquisition, system

management, certification, accreditation, and evaluation

General Concepts to be aware of:

b. Closed (vendor specific) & Open Systems (industry standard)

c. Confinement (sandboxing) - ability to control read / write activity as

software executes in a system and accesses memory

process behavior has on a system

f. Controls (in the context of access) - use of access rules to limit

subject / object interaction

g. Trusted System - one where all protection mechanisms work together to

h. Assurance - the degree of confidence or certainty in a system's ability to

satisfy the defined security requirements

Understand the fundamental concepts of security models (topic 2)

Understand security capabilities of information systems (e.g., memory

Security Model - provides a way for the designer(s) of a system to correlate

Capabilities List - maintains a row of security attributes for each controlled

Security Label - a permanent part of the object it references

Abstraction - one of the fundamental principles of Object Oriented

Data Hiding - important concept in multilevel security systems, ensuring that

Incremental attacks - occur in slow, gradual fashion. Types:

Reference Monitor - considered to be an abstract machine that mediates, or

To be secure, the kernel must meet three basic conditions:

a. Completeness (complete mediation): All accesses to information must go

through the kernel

b. Isolation: The kernel itself must be protected from any type of

c. Verifiability: The kernel must be proven to meet design

Common System Components: (Processor | Memory | Storage)

a. Processor - Perform four key tasks:

to system data and hardware granted to the running process

2. Kernel (or supervisor) mode - processor is operating at the highest

b. Memory & Storage - data waiting to be processed sits in a staging area

1. Segmentation - dividing a computer’s memory into segments. A reference to a

3. Protection keying - divides physical memory up into blocks of a particular

Process isolation & memory protection

Interrupts - allows the operating system to ensure that a process is given

1. Encapsulation of a process - no other process is able to understand or

interact with the internal programming code of the process

2. Time multiplexing - provide well-defined and structured access to processes

3. Naming distinctions - each process is assigned a unique identity within

the context of the operating system

a. Provide an abstraction level for programmers

b. Maximize performance with the limited amount of memory available to the

system (Physical RAM)

The Memory Manager has the following 5 responsibilities:

and provide pointers to applications if their information has been moved to a