Thor Lectures

Domain 1 Lecture notes
Welcome to the first CISM Domain.

 This chapter is VERY important because:
 Every other knowledge domain builds on top of this chapter
 This is the foundation.
 24% of the exam questions on the certification are from this domain.
 We will be covering our ethics, values, vision and our mission.
 We look at the policies, the procedures, the laws we need to adhere to.
 SWOT and GAP analysis.
 OpEx, CapEx, Fiscal years, KGIs, KPIs, and KRIs
 Secure software design.
Security governance principles.

 Governance vs. Management
 Governance – This is C-level Executives (Not you).
 Stakeholder needs, conditions and
options are evaluated to define:
 Balanced agreed-upon
enterprise objectives to be
achieved.
 Setting direction through
prioritization and decision
making.
 Monitoring performance
and compliance against
agreed-upon direction and
objectives.
 Risk appetite – Aggressive,
neutral, adverse.
 Management – How do we get to the destination (This is you).
 Plans, builds, runs and monitors activities in alignment with the
direction set by the governance to achieve the objectives.
 Risk tolerance – How are we going to practically work with our risk
appetite and our environment.
 Bottom-Up: IT Security is seen as a nuisance and not a helper, this often changes when
a security breach happens.
 Top-Down: IT leadership understands the
importance of IT Security, they lead and
set the direction. (The exam).
 C-Level Executives (Senior
Leadership) They are ultimately liable.
 CEO: Chief Executive Officer.
 CSO: Chief Security Officer.
 CIO: Chief Information Officer.
 CFO: Chief Financial Officer.
1|Page
https://thorteaches.com/
 Normal organizations obviously have more C-Level executives, the ones listed
here you need to know.
 Also know where you fit in the organization and on the exam.

 Governance standards and control frameworks.
 PCI-DSS - Payment Card Industry Data Security Standard (While a standard it is
required: more on this one later).
 OCTAVE® - Operationally Critical Threat, Asset, and Vulnerability Evaluation.
 Self Directed Risk Management.
 COBIT - Control Objectives for Information and related Technology.
 Goals for IT – Stakeholder needs are mapped down to IT related goals.
 COSO – Committee Of Sponsoring Organizations.
 Goals for the entire organization.
 ITIL - Information Technology Infrastructure Library.
 IT Service Management (ITSM).
 FRAP - Facilitated Risk Analysis Process.
 Analyses one business unit, application or system at a time in a
roundtable brainstorm with internal employees. Impact analyzed,
threats and risks prioritized.

 Governance standards and control frameworks.
 ISO 27000 series:
 ISO 27001: Establish, implement, control and improvement of the ISMS.
Uses PDCA (Plan, Do, Check, Act)
 ISO 27002: (From BS 7799, 1/2, ISO 17799) Provides practical advice on
how to implement security controls. It has 10 domains it uses for ISMS
(Information Security Management Systems).
 ISO 27004: Provides metrics for measuring the success of your ISMS.
 ISO 27005: Standards based approach to risk management.
 ISO 27799: Directives on how to protect PHI (Personal Health
Information).
Links on all these as well as ones from previous slides in the “Extras” lecture.

 Defense in Depth – Also called Layered Defense or Onion
Defense.
 We implement multiple overlapping security controls
to protect an asset.
 This applies both to physical and logical controls.
 To get to a server you may have to go
through multiple locked doors, security
guards, man traps.
2|Page
 To get to data you may need to get past firewalls, routers, switches, the
server, and the applications security.
 Each step may have multiple security controls.
 No single security control secures an asset.
 By implementing Defense in Depth you improve your organization’s
Confidentiality, Integrity and Availability.

 Values:
 What do are our values? Ethics,
Principles, Beliefs.
 Vision:
 What do we aspire to be? Hope and
Ambition.
 Mission:
 Who do we do it for? Motivation and
Purpose.
 Strategic Objectives:
 How are we going to progress? Plans,
goals, Sequencing.
 Action & KPI’s
 What do we need to do and how do we know when we achieved it? Actions,
Recourses, Outcomes, Owners, and Timeframes.
Information Security Governance:

 Policies – Mandatory.
 High level, non-specific.
 They can contain “Patches, updates, strong encryption”
 They will not be specific to “OS, encryption type,
vendor Technology”
 Standards – Mandatory.
 Describes a specific use of technology (All laptops are
W10, 64bit, 8gig memory … )
 Guidelines – non-Mandatory.
 Recommendations, discretionary – Suggestions on how
you would to do it.
 Procedures – Mandatory.
 Low level step-by-step guides, specific.
 They will contain “OS, encryption type, vendor
Technology”
 Baselines (Benchmarks) - Mandatory.
 Benchmarks for server hardening, apps, network. Minimum requirement, we
can implement stronger if needed.
Information Security Governance:

 Personnel Security – Users often pose the largest security risk:
3|Page
 Awareness – Change user behavior - this is what we want, we want them to
change their behavior.
 Training – Provides users with a skillset - this is nice, but if they ignore the
knowledge, it does nothing.
 Hiring Practices – We do background checks where we check: References,
degrees, employment, criminal, credit history (less common, more costly). We
have new staff sign a NDA (Non-Disclosure Agreement).
 Employee Termination Practices – We want to coach and train employees
before firing them. They get warnings.
 When terminating employees, we coordinate with HR to shut off access
at the right time.
 Vendors, Consultants and Contractor Security.
 When we use outside people in our environments, we need to ensure
they are trained on how to handle data. Their systems need to be
secure enough for our policies and standards.
 Outsourcing and Offshoring - Having someone else do part of your (IT in our
case) work.
 This can lower cost, but a thorough and accurate Risk Analysis must be
performed. Offshoring can also pose problems with them not having to
comply with the same data protection standards.
SWOT (Strengths, Weaknesses, Opportunities, and Threats):

 Internal factors:
 Strengths: What we do well,
skilled staff, assets, and
advantages over competitors.
 Weaknesses: Things we are
missing, resource limitations.
 Human resources,
physical resources,
4|Page
financials, activities and processes, and past experiences.
 External factors:
 Opportunities: Elements in the environment that the business or project could
exploit to its advantage.
 Threats: Elements in the environment that could cause trouble for the business
or project.
 Future trends, the economy, funding, our physical environment,
legislation, national, or international events
Gap analysis:
 Identify the existing process:
 What are we doing?
 Identify the existing outcome:
 How well do we do it?
 Identify the desired outcome:
 How well do we want to
do?
 Identify and document the gap:
 What is the difference
between now and desired
result?
 Identify the process to achieve the desired outcome:
 How can we possibly get to the desired result?
 Develop the means to fill the gap:
 Build the tool or processes to get the result.
 Develop and prioritize Requirements to bridge the gap.
Organizational finances.
 OPEX vs. CAPEX:
 OPEX (Operating Expense) is the ongoing cost for running a product, business,
or system. (Keeping the lights on).
 CAPEX (Capital Expenditure) is the money a company spends to buy, maintain,
or improve its fixed assets, such as buildings, vehicles, equipment, or land.
 Business plans, road-maps:
 We build our organizational business plans based on the organizations mission
statement and vision at the direction of senior leadership.
 We have 1-year, 3-year, and 5-year business plans and roadmaps.
 Fiscal years (budget year):
 We plan our budgets according to our organizations fiscal year.
KGI’s, KPI’s, and KRI’s:
 KGI (Key Goal Indicator):

 Define measures that tell management, after the fact—whether an IT process
has achieved its business requirements.
 KPI (Key Performance Indicators):
5|Page
 Define measures that determine how well the IT process is performing in
enabling the goal to be reached.
 KRI (Key Risk Indicators):
 Metrics that demonstrate the risks that an organization is facing or how risky an
activity is.
 They are the mainstay of measuring adherence to and establishing enterprise
risk appetite.
 Key risk indicators are metrics used by organizations to provide an early signal of
increasing risk exposures in various areas of the enterprise.
 KRI give an early warning to identify potential event that may harm continuity of
the activity/project.

 The CIA Triad (AIC)
 Confidentiality
 This is what most people think IT Security is.
 We keep our data and secrets
secret.
 We ensure no one unauthorized can
access the data.
 Integrity
 How we protect against
modifications of the data and the
systems.
 We ensure the data has not been altered.
 Availability
 We ensure authorized people can access the data they need, when they
need to.

 We use:
 Encryption for data at rest (for instance AES256), full disk encryption.
 Secure transport protocols for data in motion. (SSL, TLS or IPSEC).
 Best practices for data in use - clean desk, no
shoulder surfing, screen view angle protector,
PC locking (automatic and when leaving).
 Strong passwords, multi factor authentication,
masking, access control, need-to-know, least
privilege.
 Threats:
 Attacks on your encryption (cryptanalysis).
 Social engineering.
 Key loggers (software/hardware), cameras,
Steganography.
 IOT (Internet Of Things) – The growing number of connected devices we
have pose a new threat, they can be a backdoor to other systems.
6|Page
 System integrity and Data integrity
 We use:
 Cryptography (again).
 Check sums (This could be CRC).
 Message Digests also known as a
hash (This could be MD5, SHA1
or SHA2).
 Digital Signatures – non-
repudiation.
 Access control.
 Threats:
 Alterations of our data.
 Code injections.
 Attacks on your encryption (cryptanalysis).

 System integrity and Data availability.
 We use:
 IPS/IDS.
 Patch Management.
 Redundancy on hardware power
(Multiple power
supplies/UPS’/generators), Disks
(RAID), Traffic paths (Network
design), HVAC, staff, HA (high
availability) and much more.
 SLA’s – How high uptime to we
want (99.9%?) – (ROI)
 Threats:
 Malicious attacks (DDOS,
physical, system compromise, staff).
 Application failures (errors in the code).
 Component failure (Hardware).
Confidentiality, Integrity and Availability

 Finding the right mix of Confidentiality, Integrity and Availability
is a balancing act.
 This is really the cornerstone of IT Security – finding the RIGHT
mix for your organization.
 Too much Confidentiality and the Availability can suffer.
 Too much Integrity and the Availability can suffer.
7|Page
 Too much Availability and both the Confidentiality and Integrity can suffer.
 The opposites of the CIA Triad is DAD (Disclosure, Alteration and Destruction).
 Disclosure – Someone not authorized getting access to your information.
 Alteration – Your data has been changed.
 Destruction – Your data or systems have been destroyed or rendered
inaccessible.
Sensitive Information and Media Security:

 Sensitive information
 Any organization has data that is considered sensitive for a variety of reasons.
 We want to protect the data from Disclosure, Alteration
and Destruction (DAD).
 Data has 3 States: We want to protect it as well as

we can in each state.
 Data at Rest (Stored data): This is data on
disks, tapes, CDs/DVDs, USB sticks
 We use disk encryption
(full/partial), USB encryption, tape
encryption (avoid CDs/DVDs).
 Encryption can be hardware or software encryption.
 Data in Motion (Data being transferred on a network).
 We encrypt our network traffic, end to end encryption, this is
both on internal and external networks.
 Data in Use: (We are actively using the files/data, it can’t be encrypted).
 Use good practices: Clean desk policy, print policy, allow no
‘shoulder surfing’, may be the use of view angle privacy screen
for monitors, locking computer screen when leaving
workstation.
Sensitive information and Media Security:

 Sensitive Information
 Data handling:
 Only trusted individuals should handle our data; we should also have
policies on how, where, when, why the data was handled. Logs should
be in place to show these metrics.
 Data storage:
 Where do we keep our sensitive data? It should be kept in a secure,
climate-controlled facility, preferably geographically distant or at least
far enough away that potential incidents will not affect that facility too.
 Many older breaches were from bad policies around tape
backups.
 Tapes were kept at the homes of employees instead of at a
proper storage facility or in a storage room with no access logs
and no access restrictions (often unencrypted).
8|Page
Sensitive information and Media Security:
 Sensitive information
 Data retention:
 Data should not be kept beyond the period
of usefulness or beyond the legal
requirements (whichever is greater).
 Regulation (HIPAA or PCI-DSS) may require a
certain retention of the data (1, 3, 7 years or
infinity).
 Each industry has its own regulations and
company policies may differ from the
statutory requirements.
 Know your retention requirements!
Data Classification Policies:

 Labels: Objects have Labels assigned to them.
 The label is used to allow
Subjects with the right clearance
to access them.
 Labels are often more granular
than just “Top Secret” they can
be “Top Secret – Nuclear.”
 Clearance: Subjects have Clearance

assigned to them.
 A formal decision on a subject’s
current and future
trustworthiness.
 The higher the clearance, the more in-depth the background checks should be
(always in military, not always in business).
Data Classification Policies:

 Formal Access Approval:
 Document from the data owner approving access to the data for the subject.
 Subject must understand all requirements for accessing the data and the liability
involved if compromised, lost or destroyed.
 Appropriate Security Clearance is required as well as the Formal Access
Approval.
 Need to know:
 Just because you have access does not mean you are allowed the data.
 You need a valid reason for accessing the data. If you do not have one you can
be terminated/sued/jailed/fined.
 Leaked information about Octomom Natalie Suleman cost 15 Kaiser
employees fines or terminations because they had no valid reason for
accessing her file.
9|Page
 We may never know who actually leaked the information. It may not be
one of the 15, but they violated HIPAA by accessing the data.
 Least privilege: Users have the minimum necessary access to perform their job duties.
Data, system, mission ownership, custodians and users:

Each role has unique roles and responsibilities to keep the data safe.
 Mission/business owner: Senior executives make the policies that govern our data
security.
 Data/information owner: Management level, they assign sensitivity labels and backup
frequency.
 This could be you or a data owner from HR, payroll or other departments.
 System owner: Management level and the owner of the systems that house the data.
 Often a data center manager or an infrastructure manager.
 Data custodian: These are the technical hands-on employees who do the backups,
restores, patches, system configuration. They follow the directions of the data owner.
 Users: These are the users of the data. User awareness must be trained; they need to
know what is acceptable and what is not acceptable, and the consequences for not
following the policies, procedures and standards.
 Data controllers and data processors:
 Controllers create and manage sensitive data in the organization (HR/Payroll)
 Processors manage the data for controllers (Outsourced payroll)
Data Security Controls and Frameworks:

 We use standards, baselines, scoping and tailoring to decide which controls we use, and
how we deploy them.
 Different controls are deployed for data at rest and data in motion.
 Some of the standards and frameworks used could be PCI-DSS, ISO27000, OCTAVE,
COBIT or ITIL.
 Scoping is determining which portion of a standard we will deploy in our organization.
 We take the portions of the standard that we want or that apply to our industry,
and determine what is in scope and what is out of scope for us.
 Tailoring is customizing a standard to your organization.
 This could be: we will apply this standard, but we use a stronger encryption (AES
256bit).
 Classification: A system, and the security measures to protect it, meet the security
requirements set by the data owner or by regulations/laws.
 Accreditation: The data owner accepts the certification and the residual risk. This is
required before the system can be put into production.
Ethics:
 ISACA professional Code of Ethics: You sign this before the exam.
1. Support the implementation of, and encourage compliance with, appropriate
standards and procedures for the effective governance and management of
enterprise information systems and technology, including: audit, control,
security and risk management.
10 | P a g e
2. Perform their duties with objectivity, due diligence and professional care, in
accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high
standards of conduct and character, and not discrediting their profession or the
Association.
4. Maintain the privacy and confidentiality of information obtained in the course
of their activities unless disclosure is required by legal authority. Such
information shall not be used for personal benefit or released to inappropriate
parties.
5. Maintain competency in their respective fields and agree to undertake only
those activities they can reasonably expect to complete with the necessary
skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed including the
disclosure of all significant facts known to them that, if not disclosed, may
distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their
understanding of the governance and management of enterprise information
systems and technology, including: audit, control, security and risk
management.
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or
certification holder's conduct and, ultimately, in disciplinary measures.
Ethics:
 Computer Ethics Institute
 Ten Commandments of Computer Ethics:
 Thou shalt not use a computer to harm other people.
 Thou shalt not interfere with other people’s computer work.
 Thou shalt not snoop around in other people’s computer files.
 Thou shalt not use a computer to steal.
 Thou shalt not use a computer to bear false witness.
 Thou shalt not copy or use proprietary software for which you have not
paid.
 Thou shalt not use other people's’ computer resources without
authorization or proper compensation.
 Thou shalt not appropriate other people's’ intellectual output.
 Thou shalt think about the social consequences of the program you are
writing or the system you are designing.
 Thou shalt always use a computer in ways that ensure consideration
and respect for your fellow humans.
Ethics:
 IAB’s Ethics and the Internet
 Defined as a Request For Comment (RFC), #1087 - Published in 1987
 Considered unethical behavior:
11 | P a g e
 Seeks to gain unauthorized access to the resources of the Internet.
 Disrupts the intended use of the Internet.
 Wastes resources (people, capacity, computer) through such actions :
 Destroys the integrity of computer-based information.
 Compromises the privacy of users.
 Your Organization’s Ethics:

 You need to know the Internal Code of Ethics of your organization
 If you do not, how can you adhere to it?
Legal and regulatory issues.

As IT Security Professionals we need to understand that laws and regulations have a huge influence on
how we work.
We need to know some of them and understand how the rest work.
 There are 4 types of laws covered on the exam and important to your job as an
IT Security Professional.
 Criminal Law:
 “Society” is the victim and proof must be “Beyond a reasonable
doubt”.
 Incarceration, death and financial fines to “Punish and deter”.
 Civil Law (Tort Law):
 Individuals, groups or organizations are the victims and proof
must be “the majority of proof”.
 Financial fines to “Compensate the victim(s)”.
 Administrative Law (Regulatory Law):
 Laws enacted by government agencies (FDA Laws, HIPAA, FAA
Laws etc.) Proof “More likely than not”.
 Private Regulations:
 Compliance is required by contract (For instance PCI-DSS).

 Liability:
 If the question is who is ULTIMATELY liable, the answer is Senior Leadership.
This does not mean you are not liable; you may be, that depends on Due Care.
Who is held accountable, who is to blame, who should pay?
 Due Diligence and Due Care:
 Due Diligence – The research to build the IT Security architecture of your
organization. Best practices and common protection mechanisms. Research of
new systems before implementing.
 Due Care – Prudent person rule – What would a prudent person do in this
situation?
 Implementing the IT Security architecture, keep systems patched. If
compromised: fix the issue, notify affected users (Follow the Security
Policies to the letter).
12 | P a g e
 Negligence (and gross negligence) is the opposite of Due Care.
 If a system under your control is compromised and you can prove you did your
Due Care, you are most likely not liable.
 If a system under your control is compromised and you did NOT perform Due
Care, you are most likely liable.

 Evidence:
 How you obtain and handle evidence is VERY important.
 Types of evidence:
 Real Evidence: Tangible and physical objects in IT Security: Hard disks,
USB drives – NOT the data on them.
 Direct Evidence: Testimony from a first hand witness, what they
experienced with their 5 senses.
 Circumstantial Evidence: Evidence to support circumstances for a point
or other evidence.
 Collaborative Evidence: Supports facts or elements of the case: not a
fact on its own, but support other facts.
 Hearsay: Not first-hand knowledge – normally inadmissible in a case.
 Computer-generated records and with that log files were
considered hearsay, but case law and updates to the Federal
Rule of Evidence have changed that. Rule 803 provides for the
admissibility of a record or report that was “made at or near the
time by, or from information transmitted by, a person with
knowledge, if kept in the course of a regularly conducted
business activity, and if it was the regular practice of that
business activity to make the memorandum, report, record or
data compilation.”

 Evidence:
 Best Evidence Rule – The courts prefer the best evidence possible.
 Evidence should be accurate, complete, relevant, authentic, and
convincing.
 Secondary Evidence – This is common in cases involving IT.
 Logs and documents from the systems are considered secondary
evidence.
 Evidence Integrity – It is vital that the evidence’s integrity cannot be
questioned.
 We do this with hashes. Any forensics is done on copies and never the
originals.
 We check hash on both original and copy before and after the
forensics.
 Chain of Custody – This is done to prove the integrity of the data; that no
tampering was done.
 Who handled it?
13 | P a g e
 When did they handle it?
 What did they do with it?
 Where did they handle it?

 Reasonable Searches:
 The Fourth Amendment to the United States Constitution protects citizens from
unreasonable search and seizure by the government.
 In all cases, the court will determine if evidence was obtained legally. If not, it is
inadmissible in court.
 Exigent circumstances apply if there is an immediate threat to human life or of
evidence destruction.
 This will later be decided by a court if it was justified.
 Only applies to law enforcement and those operating under the “color
of law” – Title 18. U.S.C. Section 242 – Deprivation of Rights Under the
Color of Law.
 Your organization needs to be very careful when ensuring that employees are
made aware in advance that their actions are monitored, that their equipment,
and maybe even personal belongings, can be subjected to searches.
 Notifications like that should only be made if your organization has
security policies in place for it, and it must take into account the privacy
laws in your county/state/country.

 Entrapment and Enticement:
 Entrapment (Illegal and unethical): When someone is persuaded to commit a
crime they had no intention of committing and is then charged with it.
 Openly advertising sensitive data and then charging people when they
access them.
 Entrapment is a solid legal defense.
 Enticement (Legal and ethical): Making committing a crime more enticing, but
the person has already broken the law or at least has decided to do so.
Honeypots can be a good way to use Enticement.
 Have open ports or services on a server that can be attacked.
 Enticement is not a valid defense.
 If there is a gray area in some cases between Entrapment and Enticement, it is

ultimately up to the jury to decide which one it was.
 Check with your legal department before using honeypots. They pose both legal
and practical risks.
 GDPR (General Data Protection Regulation):

 GDPR is a regulation in EU law on data protection and privacy for all individuals within
the European Union (EU) and the European Economic Area (EEA).
 It does not matter where we are based, if we have customers in EU/EEA we have to
adhere to the GDPR.
14 | P a g e
 Violators of the GDPR may be fined up to €20 million or up to 4% of the annual
worldwide turnover of the preceding financial year in case of an enterprise, whichever is
greater.
 Unless a data subject has provided informed consent to data processing for one or more
purposes, personal data may not be processed unless there is at least one legal basis to
do so.
 Restrictions: Lawful interception, national security, military, police, justice.

 Personal data covers a variety of data types including: Names, Email Addresses,
Addresses, Unsubscribe confirmation URLs that contain email and/or names, IP
Addresses
 GDPR (General Data Protection Regulation):

 Restrictions: Lawful interception, national security, military, police, justice.
 Right to access: Data controllers must be able to provide
a free copy of an individual’s data if requested.
 Right to erasure: All users have a ‘right to be forgotten’.
 Data portability: All users will be able to request access
to their data ‘in an electronic format’.
 Data breach notification: Users and data controllers
must be notified of data breaches within 72 hours.
 Privacy by design: When designing data processes, care
must be taken to ensure personal data is secure. Companies must ensure that only data
is ‘absolutely necessary for the completion of duties’.
 Data protection officers: Companies whose activities involve data processing and
monitoring must appoint a data protection officer.

Intellectual Property:
 Copyright © - (Exceptions: first sale, fair use).
 Books, art, music, software.
 Automatically granted and lasts 70 years after creator’s death or 95 years after
creation by/for corporations.
 Trademarks ™ and ® (Registered Trademark).
 Brand names, logos, slogans – Must be registered, is valid for 10 years at a time,
can be renewed indefinitely.
 Patents: Protects inventions for 20 years (normally) – Cryptography algorithms can be
patented.
 Inventions must be:
 Novel (New idea no one has had before).
 Useful (It is actually possible to use and it is useful to
someone).
 Nonobvious (Inventive work involved).
 Trade Secrets.
15 | P a g e
 You tell no one about your formula, your secret sauce. If discovered anyone can
use it; you are not protected.

Attacks on Intellectual Property:
 Copyright.
 Piracy - Software piracy is by far the most common attack on Intellectual
Property.
 Copyright infringement – Use of someone else’s copyrighted material, often
songs and images.
 Trademarks.
 Counterfeiting – Fake Rolexes, Prada, Nike, Apple products – Either using the
real name or a very similar name.
 Patents.
 Patent infringement – Using someone else’s patent in your product without
permission.
 Trade Secrets.
 While a organization can do nothing if their Trade Secret is discovered, how it is
done can be illegal.
 Cyber Squatting – Buying an URL you know someone else will need (To sell at huge
profit – not illegal).
 Typo Squatting – Buying an URL that is VERY close to real website name (Can be illegal
in certain circumstances).
 BCP and DRP:

 Warfare, Terrorism and Sabotage (Human):
 We still see plenty of conventional conflicts and wars, but there is much more
happening behind the veil of the internet, hacking for causes, countries, religion
and many more reasons.
 It makes sense to cripple a country's or region's infrastructure if you want to
invade or just destabilize that area.
 This could be for war, trade, influence or many other reasons, everything is so
interconnected we can shut down water, electricity or power from across the
world.
 The targets are not always the obvious targets, hospitals, air travel, shipping,
production, ... are potential targets.
 State, cause or religious hacking (Human):
 Common, we often see the attacks happening 9-5 in that time zone, this
is a day job.
 Approximate 120 countries have been developing ways to use the
internet as a weapon to target financial markets, government computer
systems and utilities.
 Famous attacks: US elections (Russia), Sony websites (N. Korea), Stuxnet
(US/Israel), US Office of Personnel Management (China) …
16 | P a g e
 BCP and DRP:
 Financially Motivated Attackers (Human):
 We are seeing more and more financially motivated attacks, they can be both
highly skilled or not.
 The lower skilled ones could be normal phishing attacks,
social engineering or vishing, these are often a numbers
game, but only a very small percentage needs to pay to
make it worth the attack.
 The ones requiring more skills could be stealing
cardholder data, identity theft, fake anti-malware tools,
or corporate espionage, ...
 Ransomware is a subtype of financially motivated
attacks, it will encrypt a system until a ransom is paid,
if not paid the system is unusable, if paid the attacker
may send instructions on how to recover the system.
 Attackers just want the payday, they don’t really care from whom.
 Administrative Personnel Security Controls:

 Administrative Security:
 Provides the means to control people's operational access to data.
 Least Privilege:
 We give employees the minimum necessary access they need, no more,
no less.
 Need to know:
 Even if you have access, if you do not need to know, then you should
not access the data. (Kaiser employees).
 Separation of duties:
 More than one individual in one single task is an internal control
intended to prevent fraud and error.
 We do not allow the same person to enter the purchase order and issue
the check.
 For the exam assume the organization is large enough to use separation
of duties, in smaller organizations where that is not practical,
compensating controls should be in place.

 Job rotation:
 For the exam think of it to detect errors and frauds. It is easier to detect
fraud and there is less chance of collusion between individuals if they
rotate jobs.
 It also helps with employees burnout and it helps employees
understand the entire business.
 This can be to cost prohibitive for the exam/real life, make sure on the
exam the cost justifies the benefit.
 Mandatory vacations:
17 | P a g e
 Done to ensure one person is not always performing the same task,
someone else has to cover and it can keep fraud from happening or help
us detect it.
 Their accounts are locked and an audit is performed on the accounts.
 If the employee has been conducting fraud and covering it up, the audit
will discover it.
 The best way to do this is to not give too much advance notice of
vacations.
 With the combination of all 5 we minimize some of the insider threats we may have.

 NDA (non-disclosure agreement):
 We covered NDA's between our and other organizations, it is also normal to
have them for internal employees.
 Some employment agreements will include a clause restricting employees' use
and dissemination of company-owned confidential information.
 Background checks:
 References, Degrees, Employment, Criminal, Credit history (less common, more
costly).
 For sensitive positions the background check is an ongoing process.
 Privilege monitoring:
 The more access and privilege an employee has the more we keep an eye on
their activity.
 They are already screened more in depth and consistently, but they also have
access to many business critical systems, we need to audit their use of that
access.
 With more access comes more responsibility and scrutiny.
 Designing security into our software:

 The more breaches and compromises, the more we see the move towards security
being part of the scope of the software design project.
 We use software at our jobs, our personal lives, our homes, cars, power, water...
 It is everywhere. And it has been, and still is, common to write functional code. Security
is an afterthought, or not considered at all.
 A large part of our defense-in-depth is to protect our assets, but ultimately most of it is
to protect our data/software.
 Software with security built in is much securer than software where it is added on later.
 It is common for programmers to make 15-50 mistakes per 1,000 lines of code. If using a
programming maturity framework, we can lower that to 1 error per 1,000 lines of code.
 Most of the errors are not a vulnerability, or really a concern, but the more we use
software in everything, the more critical the vulnerabilities become.
 Hacks have accelerated and stopped cars on highways, had planes change course
(hacked through bad security on the in-flight entertainment), power grids, elections...
 Programming concepts:
 Machine Code:
18 | P a g e
 Software executed directly by the CPU, 0's and 1's understood by the CPU.
 Source Code:
 Computer programming language, written in text and is human understandable,
translated into machine code.
 Assembler Language:
 Short mnemonics like ADD/SUB/JMP, which are matched with the full length
binary machine code; assemblers convert assembly language into machine
language. A disassembler does the reverse.
 Compiler Languages:
 Translates the higher level language into machine code and saves, often as
executables, compiled once and run multiple times.
 Interpreted languages:
 Similar to compiler languages, but interprets the code each time it is run into
machine code.
 Bytecode:
 An interpreted code, in intermediary form, converted from source code to
interpreted, but still needs to be converted into machine code before it can run
on the CPU.
 Procedural languages (Procedure-oriented):
 Uses subroutines, procedures and functions.
 Object-oriented Programming (OOP):
 Based on the concept of objects, which may contain data, in the form of fields,
often known as attributes, and code, in the form of procedures, often known as
methods.
 An object's procedures can access and often modify the data fields of the
objects with which they are associated.
 In OOP, computer programs are designed by making them out of objects that
interact with one another.
 4th Generation languages (4GL):
 Fourth-generation languages are designed to reduce programming effort and
the time it takes to develop software, resulting in a reduction in the cost of
software development.
 Increases the efficiency by automating the creation of machine code.
 Often uses a GUI, drag and drop, and then generating the code, often used for
websites, databases and reports.
 Programming languages and generations:

 1st generation: Machine Code
 2nd Generation: Assembler
 3rd Generation: Cobol, basic, C, C++, C#, Java, JavaScript, …
 4th Generation: ColdFusion, Progress 4GL, SQL, PHP, Perl, …
19 | P a g e
 CASE (Computer-Aided Software Engineering):
 Similar to and were partly inspired by computer-aided design (CAD) tools used
for designing hardware products.
 Used for developing high-quality, defect-free, and maintainable software.
 Often associated with methods for the development of information systems
together with automated tools that can be used in the software development
process.
 CASE software is classified into 3 categories:
 Tools support specific tasks in the software life-cycle.
 Workbenches combine two or more tools focused on a specific part of
the software life-cycle.
 Environments combine two or more tools or workbenches and support
the complete software life-cycle.
 Top-Down Programming:
 Starts with the big picture, then breaks it down into smaller segments.
 An overview of the system is formulated, specifying, but not detailing, any first-
level subsystems.
 Each subsystem is then refined in yet greater detail, sometimes in many
additional subsystem levels, until the entire specification is reduced to base
elements.
 Procedural programming leans toward Top-Down, you start with one function
and add to it.
 Bottom-Up Programming:
 Piecing together of systems to build more complex systems, making the original
systems a sub-system of the overarching system.
 The individual base elements of the system are first specified in great detail,
they are then linked together to form larger subsystems, which then in turn are
linked, sometimes in many levels, until a complete top-level system is formed.
 OOP leans tends toward Bottom-Up, you start by developing your objects and
build up.
 Software release:
Open source:
 We release the code publicly, where it can be tested, improved and corrected,
but it also allows attackers to find the flaws in the code.
 Closed Source:
 We release the software, but keep the source code a secret, may be sound
business practice, but can also be security through obscurity.
 Proprietary software:
 Software protected by intellectual property and/or patents, often used
interchangeably with Closed Source software, but it really is not. It can be both
Open and Closed Source software.
20 | P a g e
 Any software not released into the public domain is protected by copyright.
 Software release:
 Free software:
 Freeware:
 Actually free software, it is free of charge to use.
 Shareware:
 Fully functional proprietary software that is initially free to use.
 Often for trials to test the software, after 30 days you have to
pay to continue to use.
 Crippleware:
 Partially functioning proprietary software, often with key
features disabled.
 The user is required to make a payment to unlock the full
functionality.
 EULAs (End-User License Agreements):
 Electronic form where the user clicks “I agree” to the software terms
and conditions while installing the software.
 Software licenses:
 Open source software can be protected by a variety of licensing agreement.
 GNU (General Public License): Also called GPL or GPL
 Guarantees end users the freedom to run, study, share and
modify the software.
 A copyleft license, which means that derivative work can only
be distributed under the same license terms.
 BSD (Berkeley Software Distribution):
 A family of permissive free software licenses, imposing minimal
restrictions on the use and redistribution of covered software.
 This is different than copyleft licenses, which have reciprocity
share-alike requirements.
 Apache:
 Software must be free, distribute, modify and distribute the modified
software.
 Requires preservation of the copyright notice and disclaimer.
 Software Development Methodologies:

 There is a wide range of software development
methodologies used today.
 In the past the Waterfall method was widely used, it is a very
linear process, and does not work very well with the iterative
nature of software development.
 To remedy that problem other methods were developed Spiral, Sashimi,
Agile and Scrum.
21 | P a g e
 The individual phases are different from organization to organization, understand how
each methodology works and the phases flow.
 Waterfall:
 Very linear, each phase leads directly into the next.
 The unmodified waterfall model does not allow us to go back to the previous
phase.

 Sashimi model (Waterfall with overlapping phases):
 Similar to waterfall, but we always have 2
overlapping phases, if we close one phase,
we add the next phase.
 The modified waterfall model allows us to
go back to the previous phase but no
further.
 Agile software development:
 Describes a set of values and principles for
software development under which
requirements and solutions evolve through
the collaborative effort of self-organizing
cross-functional teams.
 Uses adaptive planning, evolutionary development, early delivery, and
continuous improvement, and it encourages rapid and flexible response to
change.
 There are many types of agile, for the exam know the flow.

 Manifesto for Agile Software Development:
 What is valued in the manifesto:
 Individuals and Interactions more
than processes and tools.
 Working Software more than
comprehensive documentation.
 Customer Collaboration more than
contract negotiation.
 Responding to Change more than
following a plan.
 The twelve principles in the manifesto:
 Customer satisfaction by early and
continuous delivery of valuable
software.
 Welcome changing requirements, even in late development.
 Working software is delivered frequently (weeks rather than
months).
22 | P a g e
 Close, daily cooperation between business people and
developers.
 Projects are built around motivated individuals, who should be
trusted.

 Manifesto for Agile Software Development:
 The twelve principles in the manifesto:
 Face-to-face conversation is the best
form of communication (co-location).
 Working software is the primary
measure of progress.
 Sustainable development, able to
maintain a constant pace.
 Continuous attention to technical
excellence and good design.
 Simplicity—the art of maximizing the
amount of work not done—is essential.
 Best architectures, requirements, and
designs emerge from self-organizing
teams.
 Regularly, the team reflects on how to
become more effective, and adjusts accordingly.

 Scrum:
 Scrum is a framework for managing software development. Scrum is
designed for teams of approximately 10 individuals, and generally relies
on two-week development cycles, called "sprints", as well as short daily
stand-up meetings.
 The three core roles in the Scrum framework.
 The product owner:
 Representing the product's stakeholders, the voice of
the customer, and is accountable for ensuring that the
team delivers value to the business.
 Development team:
 Responsible for delivering the product at the end of
each sprint (sprint goal).
 The team is made up of 3–9 individuals who do the
actual work (analysis, design, develop, test, technical
communication, document, etc.).
23 | P a g e
 Scrum:
 The three core roles in the Scrum framework.
 Development team:
 Development teams are cross-functional, with all of the
skills as a team necessary to create a product
increment.
 Scrum master:
 Facilitates and accountable for removing impediments
to the ability of the team to deliver the product goals
and deliverables.
 Not a traditional team lead or project manager but acts
as a buffer between the team and any distracting
influences.
 The scrum master ensures that the Scrum framework is
followed.

 XP (Extreme programming):
 Intended to improve software quality and responsiveness to changing
customer requirements.
 Uses advocates frequent releases in short development
cycles, intended to improve productivity and introduce checkpoints at
which new customer requirements can be adopted.
 XP uses:
 Programming in pairs or doing extensive code review.
 Unit testing of all code.
 Avoiding programming of features until they are actually
needed.
 Flat management structure.
 Code simplicity and clarity.
 Expecting changes in the customer's requirements as time
passes and the problem is better understood.
 Frequent communication with the customer and among
programmers.

 The spiral model:
 A risk-driven process model generator for software projects.
 The spiral model has four phases: Planning, Risk Analysis, Engineering and
Evaluation.
24 | P a g e
 A software project repeatedly passes
through these phases in iterations (called
Spirals in this model).
 The baseline spiral, starting in the
planning phase, requirements are
gathered and risk is assessed.
 Each subsequent spiral builds on the
baseline spiral.

 RAD (Rapid Application Development):
 Puts an emphasis on adaptability and the necessity of adjusting requirements in
response to knowledge gained as the project progresses.
 Prototypes are often used in addition to or sometimes even in place of design
specifications.
 Very suited for developing software that is driven by user interface
requirements.
 GUI builders are often called rapid application development tools.
 Prototyping:
 Breaks projects into smaller tasks, creating multiple prototypes of system design
features.
 A working model of software with some limited functionality, rather than
designing the full software up front.
 Has a high level of customer involvement, the customer inspects the prototypes
to ensure that the project is on track and meeting its objective.

 SDLC (Software Development Life Cycle):
 The SDLC is not really a methodology, but a
description of the phases in the life cycle of software
development.
 These phases are (in general), investigation, analysis,
design, build, test, implement, maintenance and
support (and disposal).
 Can have security built into each step of the process,
for the exam it always does.
 If an answer about SDLC does not list secure or
security, it would be wrong and can be eliminated.
 Has a number of clearly defined and distinct work
phases which are used by systems engineers and
systems developers to plan for, design, build, test,
and deliver information systems.
25 | P a g e
 SDLC:
 The aim is to produce high-quality systems that meet or exceed customer
expectations, based on customer requirements, by delivering systems which
move through each clearly defined phase, within scheduled time frames and
cost estimates.
 SDLC is used during the development of a project, it describes the different
stages involved in the project from the drawing board, through the completion
of the project.
 All software development methodologies follow the SDLC phases but the
method of doing that varies vastly between methodologies.
 Many different SDLC methodologies have been created, Waterfall, Spiral, Agile,
Rapid Prototyping, ...
 In Scrum project a single user story goes through all the phases of the SDLC
within a single two-week sprint, where Waterfall projects can take many
months or several years to get through the phases.
 While very different they both contain the SDLC phases in which a requirement
is defined, then pass through the life cycle phases ending in the final phase of
maintenance and support.

 Projects, programs and portfolios.
 A project is a temporary
endeavor, with a finite
start and end that is
focused on creating a
unique product, service,
or result.
 A program is a collection
of related projects.
Like a project, a program is temporary, when the collection of projects are
complete, the program is complete.
 A portfolio is a collection of projects and programs that are managed as a group
to achieve strategic objectives.

 IPT (Integrated Product Team):
 A multidisciplinary group of people who are collectively responsible for
delivering a defined product or process.
 IPTs are used in complex development programs/projects for review and
decision making.
 The emphasis of the IPT is on involvement of all stakeholders (users, customers,
management, developers, and contractors) in a collaborative forum.
 IPTs can be addressed at the program level, there may also be Oversight IPTs
(OIPTs), or Working-level IPTs (WIPTs).
26 | P a g e
 IPTs are created most often as part of structured systems engineering
methodologies, focusing attention on understanding the needs and desires of
each stakeholder.

 Source code escrow:
 The deposit of the source code of software with a third party escrow agent.
 Escrow is typically requested by a party licensing software (the licensee), to
ensure maintenance of the software instead of abandonment or orphaning.
 The software source code is released to the licensee if the licensor files for
bankruptcy or otherwise fails to maintain and update the software as promised
in the software license agreement.
 Source code repositories:
 Using public third party code repositories comes with some security concerns.
 Other than the provider security, one of the most important controls is using
multi-factor authentication.
 File archive and web hosting facility where a large amount of source code, for
software or for web pages, is kept, either publicly or privately.
 They are often used by open-source software projects and other multi-
developer projects to handle various versions. They help developers submit
patches of code in an organized fashion.

 API Security (Application Programming Interface):
 Allows an application to communicate with another application, operating
systems, databases, networks, ...
 Many applications use API's, this could be to add super sign-on, integrate 2
applications, or many other things, ...
 They are a good example of how we integrate for better usability, but often
security is overlooked.
 API's are the cause of a number of recent high-profile website security breaches
including SnapChat, Pinterest and Instagram.
 We will cover the OWASP top 10 web vulnerabilities in domain 2.
 OWASP also has an Enterprise Security API Toolkits project, which includes
these critical API controls:
 Authentication, Access control, Input validation, Output encoding/escaping,
Cryptography, Error handling and logging, Communication security, HTTP
security and Security configuration.

 Software Change and Configuration Management:
 Earlier in this domain we covered how software development has a lifecycle,
and in Domain 3 we will cover configuration and change management.
 Both change and configuration management are very applicable to our software
development process, all the way from investigation/initiation to disposal of the
software.
27 | P a g e
 As with many of the concepts we cover they are to some extend logical,
configuration management tracks changes to a specific piece of software where
change management is all changes in the entire software development process.

 Software Change and Configuration Management:
 NIST 80-128: Guide for Security-Focused Configuration Management of
Information Systems uses these terms:
 A Configuration Management Plan (CM Plan) is a comprehensive description of
the roles, responsibilities, policies, and procedures that apply when managing
the configuration of products and systems.
 The basic parts of a CM Plan include:
 Configuration Control Board (CCB) – Establishment of and charter for a group of
qualified people with responsibility for the process of controlling and approving
changes throughout the development and operational lifecycle of products and
systems, may also be referred to as a change control board.
 Configuration Item Identification – for selecting and naming configuration items
that need to be placed under CM.
 Configuration Change Control – Process for managing updates to the baseline
configurations for the configuration items.
 Configuration Monitoring – Process for assessing or testing the level of
compliance with the established baseline configuration and mechanisms for
reporting on the configuration status of items placed under CM

 DevOps:
 A software development and delivery process that emphasizes communication
and collaboration between product management, software development, and
operations professionals in the entire service lifecycle, from design through
 the development process to production support.
 It does this by automating and monitoring the process of software integration,
testing, deployment, and infrastructure changes by establishing a culture and
environment where building, testing, and releasing software can happen
rapidly, frequently, and more reliably.
 AI (Artificial intelligence):
 Intelligence exhibited by machines, rather than humans
or other animals.
 What true AI is, is a topic of discussion, what was
considered AI years ago we have achieved and when
once goal is reached the AI definition is tweaked a little.
 From what we are seeing published we do in my mind
not currently have true AI, but very highly simulated
intelligence, that being said IBM and Google do seem to
be getting a lot closer.
28 | P a g e
 It is also used when a machine mimics cognitive functions that humans associate with
other human minds, such as learning and problem solving.
 AI currently defined as advice that perceives its environment and takes actions that
maximize its chance of success at some goal, not through experience/programming, but
through reasoning.
 Expert systems:
 A computer system that emulates the decision-making ability of a human
expert.
 Designed to solve complex problems by reasoning about knowledge,
represented mainly as if–then rules rather than through conventional
procedural code.
 An expert system is divided into two subsystems:
 The knowledge base represents facts and rules.
 The inference engine applies the rules to the known facts to deduce new facts,
and can also include explanation and debugging abilities.
 ANN's (Artificial neural networks):
 Computing systems inspired by the biological neural networks that constitute
animal brains, we make decisions based on 1000’s of memories, stories, the
situation and many other factors, the ANN tries to emulate that.
 The systems learn and progressively improve their performance, to do tasks,
generally without task-specific programming.
 They can learn to identify images that contain geckos by analyzing example
images that have been manually labeled as "gecko" or "no gecko" and using the
analytic results to identify geckos in other images.
 They are mostly used in areas that are difficult to express in a traditional
computer algorithm using rule-based programming.
 An ANN is based on a collection of connected units called artificial neurons.
 Each connection (synapse) between neurons can transmit a signal to another
neuron.
 Typically, neurons are organized in layers, different layers may perform different
transformations on their inputs.
 Signals travel from the first input, to the last output layer, at times after
traversing the layers multiple times.
 GP (Genetic Programming):
 A technique where computer programs are encoded as a set of genes that are
then modified (evolved) using an evolutionary algorithm often a GA (Genetic
Algorithm).
 The results are computer programs able to perform well in a predefined task.
29 | P a g e
 The methods used to encode a computer program in an artificial chromosome
and to evaluate its fitness with respect to the predefined task are central in the
GP technique and still the subject of active research.
 GP evolves computer programs, traditionally represented in memory as tree
structures.
 Trees can be easily evaluated in a recursive manner.
 Every tree node has an operator function and every terminal node has an
operand, making mathematical expressions easy to evolve and evaluate.
 Traditionally GP favors the use of programming languages that naturally
embody tree structures for example, Lisp or other functional programming
languages.
 GP (Genetic Programming):
 The process is in its simple form like this:
 Generate an initial population of random computer programs.
 Execute each program in the population and assign it a fitness value
according to how well it solves the problem.
 Create a new population of computer programs.
 Copy the best existing programs
 Create new computer programs by mutation.
 Create new computer programs by crossover.
 Genetic Algorithms and Genetic Programming have been used to program a
Pac-Man playing program, robotic soccer teams, networked intrusion detection
systems, and many others.
What we covered in Domain 1.

 This chapter is VERY important because:
 Every other knowledge domain builds on top of this chapter
 This is the foundation.
 We covered our ethics, values, vision and our mission.
 We looked at the policies, the procedures, and the laws we need to adhere to.
 SWOT and GAP analysis.
 OpEx, CapEx, Fiscal years, KGIs, KPIs, and KRIs
 Secure software design.
30 | P a g e
Welcome to the second CISM Domain.
 As the name indicates, how do we manage our risk?
 What can we do to reduce the risk to an acceptable level?
 We identify all of our assets, and do qualitative and quantitative risk analysis.
 We cover the COBIT5, ISO27001/2, NIST 800-37, and NIST 800-53.
 System and software vulnerabilities.
 Networking, networking devices, IP, NAT, PAT, …
 Physical security.
 Redundancy, RAID, backups.
Risk Management - Identification:

 Risk = Threat * Vulnerability
 The Risk Management lifecycle is iterative.
 Identify our Risk Management team.
 What is in and what is out of scope?
 Which methods are we using?
 Which tools are we using?
 What are the acceptable risk levels, which
type of risk appetite do we have in our
enterprise?
 Identify our assets.
 Tangible: Physical hardware,
buildings, anything you can touch.
 Intangible: Data, trade secrets,
reputation, …
Risk Management - Assessment:

 Risk Assessment.
 Quantitative and Qualitative Risk
Analysis.
 Uncertainty analysis.
 Everything is done on a cost-benefit
analysis.
 Risk Mitigation/Risk Transference/Risk
Acceptance/Risk Avoidance.
 Risk Rejection is NEVER acceptable.
 We assess the current
countermeasures.
 Are they good enough?
 Do we need to improve on
them?
 Do we need to implement entirely new countermeasures?
1|Page
 Qualitative vs. Quantitative Risk Analysis.
 For any Risk analysis we need to identify our assets. What are we protecting?
 Qualitative Risk Analysis – How likely is it to happen and how bad is it if it
happens? This is a vague guess or a feeling, and relatively quick to do. Most
often done to know where to focus the Quantitative Risk Analysis.
 Quantitative Risk Analysis – What will it actually cost us in $? This is fact based
analysis, Total $ value of asset, math is involved.
 Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, ... )
 Vulnerability – A weakness that can allow the Threat to do harm. Having a data
center in the tsunami flood area, not earthquake resistant, not applying patches
and anti-virus, …
 Risk = Threat x Vulnerability.
 Impact - Can at times be added to give a fuller picture. Risk = Threat x
Vulnerability x Impact (How bad is it?).
 Total Risk = Threat x Vulnerability x Asset Value.
 Residual Risk = Total Risk – Countermeasures.

 Qualitative Risk Analysis with the Risk Analysis Matrix.
 Pick an asset: A laptop.
 How likely is one to get stolen or left
somewhere?
I would think possible or likely.
 How bad is it if it happens?
That really depends on a couple of
things:
 Is it encrypted?
 Does it contain classified or
PII/PHI content?
 Let’s say it is likely and a minor
issue, that puts the loss the high risk
category.
 It is normal to move high and extreme on to quantitative risk analysis. If mitigation is
implemented, we can maybe move the risk level to “Low” or “Medium”.
Risk registers:
 A risk category to group similar risks.
 The risk breakdown structure identification
number
 A brief description or name of the risk to
make the risk easy to discuss.
 The impact (or consequence) if event
actually occurs rated on an integer scale.
 The probability or likelihood of its
occurrence rated on an integer scale.
2|Page
 The Risk Score (or Risk Rating) is the multiplication of Probability and Impact and is often
used to rank the risks.
 Common mitigation steps (e.g. within IT projects) are Identify, Analyze, Plan Response,
Monitor and Control.

 Quantitative Risk Analysis – We want exactly enough security for our needs.
 This is where we put a number on that.
 We find the asset’s value: How much of it is compromised, how much one
incident will cost, how often the incident occurs and how much that is per year.
 Asset Value (AV) – How much is the asset worth?
 Exposure factor (EF) – Percentage of Asset Value lost?
 Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens
once?
 Annual Rate of Occurrence (ARO) – How often will this happen each
year?
 Annualized Loss Expectancy (ALE) – This is what it cost per year if we do
nothing.
 Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing cost
(Normally Operational)
Let’s look at a few examples.

Quantitative Risk Analysis
Laptop – Theft/Loss (unencrypted) Data Center – Flooding
The Laptop ($1,000) + PII ($9,000) per loss (AV) The Data Center is valued at $10,000,000 (AV)
It is a 100% loss, it is gone (EF) If a flooding happens 15% of the DC is
compromised (EF)
Loss per laptop is $10,000 (AV) x 100% EF) = (SLE) Loss per Flooding is $10,000,000 (AV) x
15% EF) = (SLE)
The organization loses 25 Laptops Per Year (ARO) The flooding happens every 4 years =
0.25 (ARO)
The annualized loss is $250,000 (ALE) The annualized loss is $375,000 (ALE)
3|Page
Quantitative Risk Analysis
For the example let’s use a 4-year tech refresh cycle.
 Full disk encryption software and support = $75,000 initial and $5,000 per year.
 Remote wipe capabilities for the laptop = $20,000 initial and $4,000 per year.
 Staff for encryption and help desk = $25,000 per year
Doing nothing costs us $1,000,000 per tech refresh cycle ($250,000 per year).
Implementing full disk encryption and remote wipe will cost $231,000 per tech refresh cycle ($57,750
per year)
The laptop hardware is a 100% loss, regardless. What we are mitigating is the 25 x $9,000 = $225,000 by
spending $57,750.
This is our ROI (Return on Investment): TCO ($57,750) < ALE ($250,000). This makes fiscal sense, we
should implement.

 Types of risk responses:
 Accept the Risk – We know the risk is there, but the mitigation is more costly than the
cost of the risk (Low risks). We ensure we have a paper trail and this was a calculated
decision.
 Mitigate the Risk (Reduction) – The laptop encryption/wipe is an example – acceptable
level (Leftover risk = Residual).
 Transfer the Risk – The insurance risk approach – We could get flooding insurance for
the data center, the flooding will still happen, we will still lose 15% of the infrastructure,
but we are insured for cost.
 Risk Avoidance – We don’t issue employees laptops (if possible) or we build the data
center in an area that doesn’t flood. (Most often done before launching new projects –
this could be the data center build).
 Risk Rejection – You know the risk is there, but you are ignoring it. This is never
acceptable. (You are liable).
 Secondary Risk – Mitigating one risk may open up another risk.
 This is area very testable, learn the formula, the risk responses to differentiate Qualitative and
Quantitative Risk.
 Qualitative = Think “quality.” This concept is semi-vague, e.g., “pretty good
quality. “
 Quantitative = Think “quantity.” How many; a specific number.

NIST 800-30 - United States National Institute of Standards and Technology Special Publication
A 9-step process for Risk Management.
1. System Characterization (Risk Management scope, boundaries, system
and data sensitivity).
2. Threat Identification (What are the threats to our systems?).
3. Vulnerability Identification (What are the vulnerabilities of our systems
?).
4|Page
4. Control Analysis (Analysis of the current and planned safeguards,
controls and mitigations).
5. Likelihood Determination (Qualitative – How likely is it to happen)?
6. Impact Analysis (Qualitative – How bad is it if it happens? Loss of CIA).
7. Risk Determination (Look at 5-6 and determine Risk and Associate Risk
Levels).
8. Control Recommendations (What can we do to Mitigate, Transfer, … the
risk).
9. Results Documentation (Documentation with all the facts and
recommendations).
Risk Management:
 Risk response and mitigation.
 Risk mitigation, transference, acceptance or
avoidance.
 We act on senior managements choices,
which they made based on our
recommendations from the assessment
phase.
 Do we stop issuing laptops, or do we add
full-disk encryption and remote wipe
capabilities?
 We update the risk register, with the
mitigations, the risk responses we chose
and see if the new risk level is acceptable.
Risk Management:
 Risk and Control Monitoring and Reporting.
 The process is ongoing, we have to keep
monitoring both the risk and the controls we
implemented.
 This is where we would use the KRIs (Key Risk
Indicators).
 We would also use KPIs (Key Performance
Indicators).
 You are the translating link, you have to be able
to explain IT and IT Security to Senior
Management in terms they can understand.
 It is normal to do the Risk Management lifecycle
on an annual basis, and do out-of-cycle Risk Management on critical items.
 COBIT 5:
 Principle 1: Meeting Stakeholder Needs
 Enterprises have many stakeholders, and ‘creating value’ means different—and
sometimes conflicting—things to each of them.
5|Page
 Governance is about negotiating and deciding
amongst different stakeholders’ value interests.
 The governance system should consider all
stakeholders when making benefit, resource and
risk assessment decisions.
 For each decision, the following can and should
be asked:
 Who receives the benefits?
 Who bears the risk?
 What resources are required?
 Stakeholder needs have to be transformed into
an enterprise’s practical strategy.
 COBIT 5:
 Principle 2: Covering the enterprise end-to-end.
 COBIT 5 addresses the governance and management of information and related
technology from an enterprise wide, end-to-end perspective.
 This means that COBIT 5:
 Integrates governance of enterprise IT into
enterprise governance, i.e., the governance
system for enterprise IT proposed by COBIT 5
integrates seamlessly in any governance
system because COBIT 5 aligns with the latest
views on governance.
 Covers all functions and processes within the
enterprise; COBIT 5 does not focus only on
the ‘IT function’, but treats information and
related technologies as assets that need to be
dealt with just like any other asset by everyone in the enterprise.
 COBIT 5:
 Principle 3: Applying a Single, Integrated Framework
 COBIT 5 aligns with the latest relevant other
standards and frameworks used by enterprises:
 Enterprise: COSO, COSO ERM, ISO/IEC 9000,
ISO/IEC 31000
 IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000
series, TOGAF, PMBOK/PRINCE2, CMMI
 This allows the enterprise to use COBIT 5 as the
overarching governance and management framework
integrator.
 ISACA plans a capability to facilitate COBIT user
mapping of practices and activities to third-party
references.
6|Page
 COBIT 5:
 Principle 4: Enabling a Holistic Approach
 COBIT 5 enablers are:
 Factors that, individually and collectively,
influence whether something will work—in the
case of COBIT, governance and management
over enterprise IT
 Driven by the goals cascade, i.e., higher-level IT-
related goals define what the different enablers
should achieve
 Described by the COBIT 5 framework in seven
categories.
 COBIT 5:
1. Principles, policies and frameworks: Are the vehicles to translate the desired
behavior into practical guidance for day-to-
day management
2. Processes: Describe an organized set of
practices and activities to achieve certain
objectives and produce a set of outputs in
support of achieving overall IT-related goals
3. Organizational structures: Are the key
decision-making entities in an organization
4. Culture, ethics and behavior: Of individuals
and of the organization; very often underestimated as a success factor in
governance and management activities
 COBIT 5:
5. Information: Is pervasive throughout any organization, it deals with all
information produced and used by the enterprise. Information is required for
keeping the organization running and well governed, but at the operational
level, information is very often the key
product of the enterprise itself.
6. Services, infrastructure and
applications: Include the
infrastructure, technology and
applications that provide the enterprise
with information technology processing
and services
7. People, skills and competencies: Are
linked to people and are required for successful completion of all activities and
for making correct decisions and taking corrective actions
 COBIT 5:
7|Page
 Principle 5: Separating Governance from Management
 The COBIT 5 framework makes a clear
distinction between governance and
management.
 These two disciplines:
 Encompass different types of
activities.
 Require different organizational
structures
 Serve different purposes
 Governance: In most enterprises, governance
is the responsibility of the board of directors
under the leadership of the chairperson.
 Management: In most enterprises, management is the responsibility of the
executive management under the leadership of the CEO.
 COBIT 5:
 Principle 5: Separating Governance from Management
 Governance ensures that stakeholders
needs, conditions and options are
evaluated to determine balanced,
agreed-on enterprise objectives to be
achieved; setting direction through
prioritization and decision making; and
monitoring performance and
compliance against agreed-on
direction and objectives.
 Management plans, builds, runs and monitors activities in alignment with the
direction set by the governance body to achieve the enterprise objectives.
COBIT 5:
8|Page
Risk Analysis:
 Types of attackers:
 Hackers:
 Now: Anyone trying to get access to or disrupt any leg of the CIA Triad
(Confidentiality, Integrity, Availability).
 Original use: Someone using something in a way not intended.
 White Hat hackers: Professional pen testers trying to find flaws so we can fix it
(Ethical hackers).
 Black Hat hackers: Malicious hackers, trying to find flaws to exploit them
(Crackers – they crack the code).
 Gray/Grey Hat hackers: They are somewhere between the white and black
hats, they go looking for vulnerable code, systems or products. They often just
publicize the vulnerability (which can lead to black hats using it before a patch is
developed). Gray hats sometimes also approach the company with the
vulnerability and ask them to fix it and if nothing happens they publish.
 Script Kiddies:
 They have little or no coding knowledge, but many sophisticated hacking tools
are available and easy to use. They pose a very real threat. They are just as
dangerous as skilled hackers; they often have no clue what they are doing.
Risk Analysis:
Types of attackers:
 Outsiders:
 Unauthorized individuals - Trying to gain access; they launch the majority of
attacks, but are often mitigated if the organization has good Defense in Depth.
 Interception, malicious code (e.g. virus, logic bomb, trojan horse), sale of
personal information, system bugs, system intrusion, system sabotage or
unauthorized system access.
 48-62% of risks are from outsiders.
 Insiders:
 Authorized individuals - Not necessarily to the compromised system, who
intentionally or unintentionally compromise the system or data.
 This could be: Assault on an employee, blackmail, browsing of proprietary
information, computer abuse, fraud and theft, information bribery, input of
falsified or corrupted data.
 38-52% of risks are from insiders, another reason good Authentication and
Authorization controls are needed.
Risk Analysis:
Types of attackers:
 Hacktivism/Hacktivist (hacker activist): Hacking for political or socially motivated
purposes.
 Often aimed at ensuring free speech, human rights, freedom of information
movement.
9|Page
 Famous attacks: Anonymous – DDOS attack on Visa, Mastercard, PayPal to
protest the arrest of Julian Assange (WikiLeaks). Google/Twitter/SayNow
worked together to provide communication for the Egyptian people when the
government orchestrated an internet blackout during the 2011 protests.
 Governments:
 State sponsored hacking is common; often you see the attacks happening
between the hours of 9 and 5 in that time zone; this is a day job.
 Approximately 120 countries have been developing ways to use the internet as
a weapon to target financial markets, government computer systems and
utilities.
 Famous attacks: US elections (Russia), Sony websites (N. Korea), Stuxnet
(US/Israel), US Office of Personnel Management (China), …
Risk Analysis:
Types of attackers:
 Bots and botnets (short for robot):
 Bots are a system with malware controlled by a
botnet.
 The system is compromised by an attack
or the user installing a remote access
Trojan (game or application with a
hidden payload).
 They often use IRC, HTTP or HTTPS.
 Some are dormant until activated.
 Others are actively sending data from
the system (Credit card/bank
information for instance).
 Active bots can also can be used to send
spam emails.
 Botnets is a C&C (Command and Control)
network, controlled by people (bot-herders).
 There can often be 1,000’s or even 100,000’s of bots in a botnet.
Risk Analysis:
Types of attackers:
 Phishing, spear phishing and whale phishing (Fisher spelled in hacker speak with Ph not
F).
 Phishing (Social engineering email attack):
 Click to win, Send information to get your inheritance …
 Sent to hundreds of thousands of people; if just 0.02% follow the
instructions they have 200 victims.
 A public treasurer in Michigan sent $1.2m to Nigeria ($1.1m of
taxpayer funds and $72,000 of his own).
 Spear Phishing: Targeted phishing, not just random spam, but targeted at
specific individuals.
10 | P a g e
 Sent with knowledge about the target (person or company); familiarity
increases success.
 Whale Phishing (Whaling): Spear phishing targeted at senior leadership of an
organization.
 This could be: “Your company is being sued if you don’t fill out the
attached documents (with trojan in them) and return them to us within
2 weeks”.
 Vishing (Voice Phishing): Attacks over automated VOIP (Voice over IP) systems,
bulk spam similar to phishing.
 These are: “Your taxes are due”, “Your account is locked” or “Enter your
PII to prevent this” types of calls.
 Incident management:
 Involves the monitoring and detection of security events on our systems, and
how we react in those events.
 It is an administrative function of managing and protecting computer assets,
networks and information systems.
 The primary purpose is to have a well understood and predictable response to
events and computer intrusions.
 We have very clear processes and responses, and our teams are trained in them
and know what to when an event occurs.
 Incidents are very stressful situations, it is important staff knows exactly what to
do, that they have received ongoing training and understand the procedures.
 Incidences and events can generally be categorized in 3 classes:
 Natural: Hurricanes, floods, earthquakes, blizzards, anything that is
caused by nature.
 Human: Done intentionally or unintentionally by humans, these are by
far the most common.
 Environmental: This is not nature, but the environments we work in,
the power grid, the internet connections, hardware failures, software
flaws, …
 Event:
 An observable change in state, this is neither negative nor positive, it is
just something has changed.
 A system powered on, traffic from one segment to another, an
application started.
 Alert:
 Triggers warnings if certain event happens.
 This can be traffic utilization above 75% or memory usage at 90% or
more for more than 2 minutes.
11 | P a g e
 Incident:
 Multiple adverse events happening on our systems or network, often
caused by people.
 Problem:
 Incidence with an unknown cause, we would follow similar steps to
incidence response.
 More time would be spent on root cause analysis, we need to know
what happened so we can prevent it from happening again, this could
be a total internet outage or server crash.
 Inconvenience (non-disasters):
 Non-disruptive failures, hard disk failure, 1 server in a cluster is down, ..
 Emergency (Crisis):
 Urgent, event with the potential for loss of life or property.
 Disaster:
 Our entire facility is unusable for 24 hours or longer.
 If we are geographically diverse and redundant we can mitigate this a
lot.
 Yes, a snowstorm can be a disaster.
 Catastrophe:
 Our facility is destroyed.
 The current exam lists a 7-step lifecycle, but
does not include the first step in most incident
handling methodologies preparation.
1. Preparation.
2. Detection (Identification).
3. Response (Containment).
4. Mitigation (Eradication).
5. Reporting.
6. Recovery.
7. Remediation.
8. Lessons Learned (Post-incident Activity,
Post Mortem, or Reporting).
 Preparation:
 This is all the steps we take to prepare for incidences.
 We write the policies, procedures, we train our staff, we procure the
detection soft/hardware, we give our incident response team the tools
they need to respond to an incident.
12 | P a g e
 The more we train our team, the better they will handle the response,
the faster we recover, the better we preserve the crime scene (if there
is one), the less impactful an incident will be.
 Detection
 Events are analyzed to determine if they might be a security incident.
 If we do not have strong detective capabilities in and around our
systems, we will most likely not realize we have a problem until long
after it has happened.
 The earlier we detect the events, the earlier we can respond, IDS's can
help us detect, where IPS's can help us detect and prevent further
compromise.
 Detection
 The IDS’s and IPS's can help us detect and prevent on a single network
segment, we also need something that can correlate all the information
from the entire network.
 Response
 The response phase is when the incident response team begins
interacting with affected systems and attempts to keep further damage
from occurring as a result of the incident.
 This can be taking a system off the network, isolating traffic, powering
off the system, or however our plan dictates to isolate the system to
minimize both the scope and severity of the incident.
 Knowing how to respond, when to follow the policies and procedures to
the letter and when not to, is why we have senior staff handle the
responses.
 We make bit level copies of the systems, as close as possible to the time
of incidence to ensure they are a true representation of the incident.
 Response:
 IT Security is there to help the business, it may not be the choice of
senior management to disrupt business to contain or analyze, it is
ultimately a decision that is made by them.
 We stop it from spreading, but that is it, we contain the event.
 Mitigation:
 We understand the cause of the incident so that the system can be
reliably cleaned and restored to operational status later in the recovery
phase.
 Organizations often remove the most obvious sign of intrusion on a
system or systems, but miss backdoors and other malware installed in
the attack.
13 | P a g e
 The obvious sign is often left to be found, where the actual payload is
hidden. If that is detected or assumed, we often just rebuild the system
from scratch and restore application files from a known good backup,
but not system files.
 Mitigation (continued):
 To ensure the backup is good, we need to do root cause analysis, we
need a timeline for the intrusion, when did it start?
 If it is from a known vulnerability we patch. If it's a newly discovered
vulnerability we mitigate it before exposing the newly built system to
the outside again.
 If anything else can be learned about the attack, we can add that to our
posture.
 Once eradication is complete, we start the recovery phase.
 Reporting:
 We report throughout the process beginning with the detection, and we
start reporting immediately when we detect malicious activity.
 The reporting has 2 focus areas: technical and non-technical.
 Reporting (continued):
 The incident handling teams report the technical details of the incident
as they start the incident handling process, but they also notify
management of serious incidents.
 The procedures and policies will outline when which level of
management needs to be informed and involved, it is commonly
forgotten until later and can be a RPE (Resume Producing Event).
 Management will also involve other departments if needed, this could
be legal, PR or whomever has been identified in the policies or
procedures.
 Recovery:
 We carefully restore the system or systems to operational status.
 When the system is ready for reinsertion is determined by the business
unit responsible for the system.
 We closely monitor the rebuilt or cleaned system carefully, it is possible
the attackers left backdoors or we did not remove all the infected
sectors.
 Recovery:
14 | P a g e
 Often the system(s) are reinserted off peak hours to minimize the effect
of the system(s) still being infected, or they can be introduced in a
controlled sandbox environment to see if the infection persists.
 Remediation:
 The remediation happens during the mitigation phase, where
vulnerabilities on the impacted system or systems are mitigated.
 Remediation continues after mitigation and becomes broader, this can
be patching all systems with the same vulnerability or change how the
organization authenticates.
 Lessons Learned:
 This phase is often overlooked, we removed the problem, we have
implemented new controls and safeguards.
 We can learn a lot from lessons learned, not just about the specific
incidence, but how well we handle them, what worked, what didn't.
 How can we as an organization grow and become better next time we
have another incidence? While we may have fixed this one vulnerability
there are potentially 100's of new ones we know nothing about yet.
 At the end of lessons learned we produce a report to senior
management, with our findings, we can only make suggestions, they are
ultimately in charge (and liable).
 Often after major incidents organizations shift to a top-down approach
and will listen more to IT Security.
 The outcome and changes of the Lessons Learned will then feed into
our preparation.
 Root-cause analysis:
 We attempt to determine the underlying weakness or vulnerability that
allowed the incident to happen.
 If we do not do the root-cause analysis we will most likely face the same
problem again.
 We need to fix the vulnerability on the system(s) that were affected, but
also on any system in the organization that has that particular
vulnerability or set of vulnerabilities.
 We could have a weak password policy and weak encryption that could
be the root cause of a system compromise, we then would implement
countermeasures to remove the vulnerability.
 If we do nothing and just fix the problem, the root of the issue still
persists, that is what we need to fix.
15 | P a g e
 NIST 800-53 Rev. 4:
 Security and Privacy Controls for Federal
Information Systems and Organizations.
 Tier 1: Organization.
 Tier 2: Mission / Business Processes.
 Tier 3: Information Systems.
 NIST 800-53 Rev. 4:

 Security and Privacy Controls for Federal
Information Systems and Organizations.
 Tier 1: Organization.
 Tier 2: Mission / Business Processes.
 Tier 3: Information Systems.
 Step 2: Select Security Controls.
 NIST 800-37 Rev. 1 and 2:

 Revision 1: Date Published: February 2010
(Updated 6/5/2014).
 Revision 2: Date Published: December 2018.
 The last exam revision was done prior to 800-
37 R2 being published.
 NIST 800-37 Rev. 1 and 2:

There are seven major objectives for this update:
1. To provide closer linkage and communication between the risk management processes
and activities at the C-suite or governance level of the organization and the individuals,
processes, and activities at the system and
operational level of the organization;
2. To institutionalize critical risk management
preparatory activities at all risk management
levels to facilitate a more effective, efficient, and
cost-effective execution of the RMF;
3. To demonstrate how the NIST Cybersecurity
Framework [NIST CSF] can be aligned with the
RMF and implemented using established NIST
risk management processes;
4. To integrate privacy risk management processes
into the RMF to better support the privacy
protection needs for which privacy programs are responsible;
5. To promote the development of trustworthy secure software and systems by aligning
life cycle-based systems engineering processes in NIST Special Publication 800-160,
Volume 1 [SP 800-160 v1], with the relevant tasks in the RMF;
16 | P a g e
6. To integrate security-related, supply chain risk management (SCRM) concepts into the
RMF to address untrustworthy suppliers, insertion of counterfeits, tampering,
unauthorized production, theft, insertion of malicious code, and poor manufacturing
and development practices throughout the SDLC; and
7. To allow for an organization-generated control selection approach to complement the
traditional baseline control selection approach and support the use of the consolidated
control catalog in NIST Special Publication 800-53, Revision 5.
NIST Cyber Security Framework Rev. 1.1
 ISO/IEC 27001 and 27002

 Most organizations have many different of information security controls, if we do not
have an information security management system (ISMS), our controls are often
disorganized and only cover some of our organization.
 ISO/IEC 27001 is a management system that is used to bring information security under
management control and gives specific requirements. It is the framework, and we can
get certified against ISO27001.
 ISO/IEC 27002 provides best practice recommendations on information security

controls for use by those responsible for initiating, implementing or maintaining ISMS.
Much more in detail, how we implement our ISMS.
 Software vulnerabilities and Attacks

 OWASP (Open Web Application Security Project):
 Top 10 of the most common web security issues, from the 2017 candidate list.
 A1 Injection.
 A2 Broken Authentication and Session Management.
 A3 Cross-Site Scripting (XSS).
 A4 Broken Access Control.
 A5 Security Misconfiguration.
 A6 Sensitive Data Exposure.
 A7 Insufficient Detection and Response (NEW still being worked on).
 A8 Cross-Site Request Forgery (CSRF).
 A9 Using Components with Known Vulnerabilities.
17 | P a g e
 A10 Underprotected APIs (Application Programming Interfaces) (NEW
still being worked on).

 OWASP:
 A1 Injection.
 Can be any code injected into user forms, often seen is SQL/LDAP.
 Attackers can do this because our software does not use:
 Strong enough input validation and data type limitations input
fields.
 Input length limitations.
 The fix is to do just that, we only allow users to input appropriate data
into the fields, only letters in names, numbers in phone number, have
dropdowns for country and state (if applicable), we limit how many
characters people can use per cell, ...
 CGI (Common Gateway Interface):
 Standard protocol for web servers to execute programs running
on a server that generates web pages dynamically. We use the
interface to ensure only proper input makes it to the database.
 The CGI separates the untrusted (user) from the trusted
(database).

 OWASP:
 A2 Broken Authentication and Session
Management.
 Sessions do not expire or take too long
to expire.
 Session ID’s are predictable. 001, 002,
003, 004, …
 Tokens, Session ID's, Passwords, ... are
kept in plaintext.

 OWASP:
 A3 Cross-Site Scripting (XSS).
 Attackers inject client-side scripts into web
pages viewed by other users.
 Vulnerability may be used by attackers to
bypass access controls such as the same-
origin policy.
 To prevent XSS we can use proper input
validation and data typing.
18 | P a g e
 Set our server to, redirect invalid requests, detect a simultaneous login
from two different IP addresses and invalidate the sessions, require
users to enter their passwords again before changing their registration
information and set cookie with HttpOnly flag to prevent access from
JavaScript.

 OWASP:
 A4 Broken Access Control.
 Not implemented consistently across an entire application.
 It might be done correctly in one location, but incorrectly in another.
 We need a centralized access control mechanism, and we write the
tricky logic once and reuse it everywhere.
 This is important both for writing code correctly and for making it easy
to audit later.
 Many access control schemes were not deliberately designed, but have
simply evolved along with the web site.
 Inconsistent access control rules are often inserted in various locations
all over the code, making it near impossible to manage.
 One particularly dangerous type of access control vulnerability arises
from Web-accessible administrative interfaces, frequently used to allow
site administrators to efficiently manage users, data, and content on
their site.

 OWASP:
 A5 Security Misconfiguration.
 Databases configured wrong.
 Not removing out of the box default access and settings.
 Keeping default usernames and passwords.
 OS, Webserver, DBMS, applications, … not patched and up to date.
 Unnecessary features are enabled or installed, this could be open ports,
services, pages, accounts, privileges, ...

 OWASP:
 A6 Sensitive Data Exposure.
 Sites being http, not https.
 Data at rest, backups and in transit are not encrypted
(stored/transmitted in plain text).
 Phishing.
 Using older weak deprecated encryption.
 Not monitoring if data is being exfiltrated.
19 | P a g e
 OWASP:
 A7 Insufficient Detection and Response (NEW).
 Not detecting we have been compromised, due to lack of controls,
detection applications
 Not performing our due diligence and due care on our applications,
systems, and our response to compromise.
 Not responding in a proper way to compromise, not informing anyone,
informing too late or just ignoring the incident (at best plugging the
leak).
 We need to not just protect against this attack, but future similar
attacks, patch software and applications, close ports.

 OWASP:
 A8 Cross-Site Request Forgery (CSRF).
 Stolen session IDs or
tokens.
 Often phishing.
 Passwords/Username
saved in cookies.
 Saved site passwords, not
logging off when done,
using the same browser
for sensitive and non-
sensitive information.
 Current browsers do
mitigate some of this, they
should use unique session
specific tokens (random or pseudo random), and validate session tokens
are not replayed.

 OWASP:
 A9 Using Components with Known Vulnerabilities.
 Developers using deprecated code or objects that are known to be
unsecure, but they use them because they are used to it or the library
they use has the objects in it.
 A10 Underprotected APIs (NEW).
 Badly coded APIs.
 Not using in depth API code reviews and auditing.
 Not using SSL/TLS.
 Forgotten and abandoned APIs, that still have access to backend
systems.
20 | P a g e
 OWASP:
 2013 OWASP top 10 vulnerabilities, no longer on the 2017 list, but still
something you should know for the exam and you future security job.
 2013 A4 Insecure direct object reference.
 Users can access resources they should not, by guessing the URL or
path, often if it is logical.
 If you have access to a report name ending in financials_may2017.pdf
on your organization's network, you can try guessing other file names
you should not have access to financials_August.pdf or
financials_2017.pdf
 Mitigated by proper access control, using non-sequential names or
monitoring file usage.
 2013 A10 Unvalidated Redirects and forwarding.
 Not confirming URLs forward and redirect us to the right page.
 Mitigated with user awareness and spider our site to see if it generates
any redirects (HTTP response codes 300-307, typically 302).
 Assessment and test strategies.

 Vulnerability scanning/testing:
 A vulnerability scanner tool is used to scan a network or system for a list
of predefined vulnerabilities such as system misconfiguration, outdated
software, or a lack of patching.
 It is very important to
understand the output from a
vulnerability scan, they can be
100s of pages for some systems,
and how do the vulnerabilities
map to Threats and Risks (Risk =
Threat x Vulnerability).
 When we understand the true
Risk, we can then plan our
mitigation.
 Common vulnerability scanners could be Nessus or OpenVAS, both list
vulnerabilities in Critical, High, Medium, Low, and Informational.
 Network basics and definitions:

 We use defense-in-depth on our internal network and when our data traverses the
internet.
 We do this by ensuring all our network devices, protocols and traffic are as
secure as possible.
 Simplex is a one-way communication (One system transmits, the other listen).
 Half-duplex communication sends or receives at one time only (Only one
system can transmit at a time).
21 | P a g e
 Full-duplex communication sends and receives simultaneously. (Both systems
can transmit/receive simultaneously).
 Baseband networks have one channel, and can only send one signal at a time.
 Ethernet is baseband: “1000baseT” STP cable is a 1000 megabit,
baseband, Shielded Twisted Pair cable.
 Broadband networks have multiple channels and can send and receive multiple
signals at a time.
 The Internet is a global collection of peered WAN networks, it really is a
patchwork of ISP’s.
 An Intranet is an organization's privately owned network, most larger
organizations have them.
 An Extranet is a connection between private Intranets, often connecting
business partners' Intranets.

 Circuit switching - Expensive, but always available, used less often.
 A dedicated communications channel through
the network.
 The circuit guarantees the full bandwidth.
 The circuit functions as if the nodes were
physically connected by a cable.
 Packet switching - Cheap, but no capacity guarantee,
very widely used today.
 Data is sent in packets, but take multiple
different paths to the destination.
 The packets are reassembled at the
destination.
 QoS (Quality of Service) gives specific traffic
priority over other traffic.
 Most commonly VOIP (Voice over IP), or other UDP traffic needing close
to real time communication.
 Other non-real time traffic is down prioritized, the 0.25 second delay
won’t be noticed.

 PAN (Personal Area Network) - A personal area network is a computer network used for
communication among computer and other information technological devices close to
one person (PCs, printers, scanners, consoles …).
 Can include wired (USB and FireWire) and wireless devices (Bluetooth and
infrared).
 LAN (Local Area Network) - A network that connects computers and devices in a limited
geographical area such as a home, school, office building, or campus.
 Each computer or device on the network is a node, wired LANs are most likely based on
Ethernet technology.
 MAN (Metropolitan Area Network) – A large computer network that usually spans a city
or a large campus.
22 | P a g e
 WAN (Wide area network) - A computer network that covers a large geographic area
such as a city, country, or spans even intercontinental distances. Combines many types
of media such as telephone lines, cables, and air waves.
 VPN (Virtual private network) - A VPN network sends private data over an insecure
network, most often the Internet.
 Your data is sent across a public network, but looks and feels private.
 GAN (Global area network) - A global area network, is a network used for supporting
mobile users across a number of wireless LANs, satellite coverage areas, … the transition
from one to the next can be seamless.
 Preventive and Detective Controls:

 Intrusion events and masking:
 SIEM (Security information and event
management), often pronounced SEM or
SIM.
 Provides a holistic view of our
organization’s events and
incidents.
 Gathers from all our systems and
looks at everything
 Centralizes the storage and
interpretation of logs, traffic and
allows near real-time automated identification, analysis and recovery of
security events.
 Definitions:
 The OSI model (Open Systems Interconnect):
 A layered network model that standardizes the communication functions of a
telecommunication or computing
system regardless of their
underlying internal structure and
technology.
 The model partitions a
communication system into
abstraction layers, the model has 7
layers.
 1. Physical, 2. Data Link, 3.
Network, 4. Transport, 5.
Session, 6. Presentation, 7.
Application.
 7-1 All people seem to need data processing.
 1-7 Please do not throw sausage pizza away.
 Know the PDUs (Data, Segments, Packets, Frames, Bits).
 The model is less used now and used as a reference point.
 Know it for the exam, it is testable.
23 | P a g e
 Definitions:
 The OSI model:
 Layer 1: Physical Layer:
 Wires, Fiber, Radio waves, hub, part of NIC,
connectors (wireless).
 Cable types:
 Copper TP (Twisted Pair) Least
secure, eavesdropping, interference,
easy tap into, but also cheap.
 Fiber is more secure, not susceptible
to eavesdropping, harder to use, can
break, higher cost.
 Topologies:
 Bus, Star, Ring, Mesh partial/full.
 Threats:
 Data emanation, theft, eavesdropping, sniffing, interference.
 Definitions:
 The OSI model:
 Layer 2: Data Link Layer:
 Transports data between 2 nodes connected to same network.
 LLC – Logical Link Control – error detection.
 MAC address (BIA) – a unique identifier on the network card.
 Can be spoofed very easily, both for good and not so good
reasons.
 48bit hexadecimal first 24
manufacturer identifier, last 24
unique.
 64bit hexadecimal first 24
manufacturer identifier, last 40 unique.
 Threats - MAC Spoofing, MAC Flooding.
 ARP (Address Resolution Protocol) Layer 2/3.
 CSMA/CD – Ethernet – minimized with switches vs. hubs.
 CSMA/CA – Wireless.
 Token passing – Similar to the talking stick, not really used anymore.
 Definitions:
 The OSI model:
 Layer 3: Network Layer:
 Expands to many different nodes (IP) – The Internet is IP based.
 Isolates traffic into broadcast domains.
 Protocols:
 IP, ICMP, IPSEC, IGMP, IGRP, IKE, ISAKMP, IPX.
 Threats:
 Ping of Death, Ping Floods, Smurf – spoof source and directed
broadcast, IP modifications, DHCP attacks …
24 | P a g e
 If the exam asks which layer a protocol with “I” is and you do not
remember answer layer 3.
 IP, IGMP, IGRP, IPSEC, IKE, ISAKMP, … are all layer 3, all except
IMAP which is layer 7.
 Definitions:
 The OSI model:
 Layer 4: Transport Layer:
 SSL/TLS Layer 4 to 7.
 UDP (User Datagram Protocol):
 Connectionless protocol,
unreliable, VOIP, Live video, gaming, “real time’’.
 Timing is more important than delivery confirmation.
 Sends message, doesn’t care if it arrives or in which order.
 Attack: Fraggle attack – works the same way as smurf, but may
be more successful since it uses UDP and not ICMP.
 TCP (Transmission Control Protocol):
 Reliable, Connection orientated, Guaranteed delivery, 3 way
handshake, slower/more overhead, data reassembled.
 Attacks: SYN floods – half open TCP sessions, client sends
1,000’s of SYN requests, but never the ACK.
 Definitions:
 The OSI model:
 Layer 4: Transport Layer:
 TCP Flags (9 bits 1-bit flags) (Control bits).
 NS: ECN-nonce concealment protection.
 CWR (Congestion Window Reduced) flag is set by the sending host to
indicate that it received a TCP segment with the ECE flag set and had
responded in congestion control mechanism.
 ECE: ECN-Echo has a dual role, depending on the value of the SYN flag.
 URG (1 bit): indicates that the Urgent pointer field is significant.
 ACK (1 bit): indicates that the Acknowledgment field is significant.
 PSH (1 bit): Push function. Asks to push the buffered data to the
receiving application.
 RST (1 bit): Reset the connection.
 SYN (1 bit): Synchronize sequence numbers. Only the first packet sent
from each end have this flag set.
 FIN (1 bit): Last package from sender.
 Definitions:
 The OSI model:
 Layer 5: Session Layer:
 Establishes connection between 2 applications: Setup > Maintenance >
Tear Down.
25 | P a g e
 Layer 6: Presentation Layer:
 Only layer with no protocols.
 Formatting, compressing, encryption (file level).
 Layer 7: Application Layer:
 Presents data to user (applications/websites).
 HTTP, HTTPS, FTP, SNMP, IMAP, POP and many more.
 Non-Repudiation, certificates, application proxies, deep packet
inspection, content inspection, AD integration.
 The higher you go up the layers the slower it is, speed is traded for intelligence.
 Threats to level 5-7: Virus, worms, trojans, buffer overflow, application or OS
vulnerabilities.
 Definitions:
 The OSI model:
 Definitions:
 The TCP/IP Model (Internet protocol suite):
 A conceptual model that provides end-to-end data communication.
 Specifying how data should be packetized, addressed, transmitted, routed and
received.
 It has four layers which are used to sort all related protocols according to the
scope of networking involved.
 From lowest to highest:
 The link layer, containing communication methods for data that
remains within a single network segment.
 The internet layer, connecting independent networks, thus providing
internetworking.
 The transport layer, handling host-to-host communication.
 The application layer, which provides process-to-process data exchange
for applications.
26 | P a g e
 Definitions:
 The TCP/IP Model:
 The link and physical layer has the networking scope of the local network
connection to which a host is attached.
 Used to move packets between the Internet layer interfaces of two
different hosts on the same network.
 The process of transmitting and receiving packets on a given link can be
controlled both in the software device driver for the network card, as
well as on firmware or specialized chipsets.
 These perform functions such as adding a packet header to prepare it
for transmission, then transmit the frame over a physical medium.
 The TCP/IP model includes specifications of translating the network
addressing methods used in the Internet Protocol to link layer
addresses, such as Media Access Control (MAC) addresses.
 The link and physical layer = OSI layer 1-2.
 Definitions:
 Internet/Internetwork layer is responsible for sending packets across
potentially multiple networks.
 Requires sending data from the source network to the destination
network (routing)
 The Internet Protocol performs two basic functions:
 Host addressing and identification: This is done with a hierarchical IP
addresses.
 Packet routing: Sending the packets of data (datagrams) from the
source to the destination by forwarding them to the next network
router closer to the final destination.
 Internet/Internetwork layer = OSI layer 3.
 Definitions:
 The transport layer establishes basic data channels that applications use for
task-specific data exchange.
 Its responsibility includes end-to-end message transfer independent of
the underlying network, along with error control, segmentation, flow
control, congestion control, and application addressing (port numbers).
 Data is sent connection-oriented (TCP) or connectionless (UDP).
 The transport layer = OSI layer 4.
27 | P a g e
 Definitions:
 The application layer includes the protocols used by applications for providing
user services or exchanging application data over the network (HTTP, FTP,
SMTP, DHCP, IMAP).
 Data coded according to application layer protocols are encapsulated into
transport layer protocol units, which then use lower layer protocols for data
transfer.
 The transport layer and the lower-level layers are unconcerned with the
specifics of application layer protocols.
 Routers and switches do not typically examine the encapsulated traffic, rather
they just provide a conduit for it. However, some firewall and bandwidth
throttling applications must interpret application data.
 The TCP/IP reference model distinguishes between user protocols and support
protocols.
 The application layer = OSI layer 5, 6 and 7.
 Definitions:
 Each layer of the
model adds or
removes
encapsulation
(encapsulation / de-
capsulation).
 The higher we go the
slower and smarter
the stack is, just like
the OSI model.
 MAC address (BIA):

 A unique identifier on the network card.
 Can be spoofed pretty easily, both for good and less good reasons.
 EUI/MAC-48 are 48bits (original design).
 The first 24 are the manufacturer identifier.
 The last 24 are unique and identify the
host.
 EUI-64 Mac Addresses use 24bit for manufacturer,
but 40 for unique ID.
 The first 24 are the manufacturer identifier.
 The last 40 are unique and identify the
host.
28 | P a g e
 Both are widely used today and used by both IPv4 and IPv6.
 For 48bit MAC’s IPv6 modified it into 64bit MAC’s by adding FF:FE to the device
identifier.
 Protocols:
 IPv4:
 First deployed for production in the ARPANet in 1983, ARPANet later became
the internet.
 IP was developed in the 1970’s for secure closed networks (DARPA - Defense
Advanced Research Projects Agency). Security was not built in, but was bolted
on later.
 IPv4 is a connectionless protocol for use on packet-switched networks.
 It operates on a best effort delivery model, it does not guarantee delivery, it
also does not assure proper sequencing or avoidance of duplicate delivery. We
have added protocols on top of IP to ensure those.
 IPv4 is the IT route's most Internet traffic today, but we are slowly moving
towards IPv6.
 The move towards IPv6 is mainly dictated by IPv4 Addresses being
depleted years ago.
 IPv4 has around 4.2 billion IP addresses and of those ~4 billion are usable
internet addresses.
 There is currently over 8 billion mobile devices on the internet.
 All major cellphone carriers in the US use IPv6 for all cell phones.
 IPv4 has 4,294,967,296 addresses where IPv6 has
340,282,366,920,938,463,463,374,607,431,768,211,456.
 Protocols:
 IP addresses and ports:
 When we send traffic we use both the Source IP and Port as well as Destination
IP and Port. This ensures we know where
we are going, and when the traffic returns
it knows where to return to.
 The IP addresses can be seen as the
number of an apartment building.
 The Port number is your apartment
number.
 If you have 50 browser tabs open,
each tab has its own port
number(s).
 Well-known Ports:
 0-1023 - Mostly used for protocols.
 Registered Ports:
 1024 to 49151 - Mostly used for vendor specific applications.
 Dynamic, Private or Ephemeral Ports:
 49152–65535 - Can be used by anyone for anything.
29 | P a g e
 Protocols:
 Common ports:
 20 TCP FTP data transfer.
 21 TCP FTP control.
 22 TCP/UDP Secure Shell (SSH).
 23 TCP Telnet unencrypted text communications.
 25 TCP Simple Mail Transfer Protocol (SMTP), can also use port 2525.
 80 TCP/UDP Hypertext Transfer Protocol (HTTP), can also use port
8008 and 8080 .
 110 TCP Post Office Protocol, version 3 (POP3).
 137 UDP NetBIOS Name Service, used for name registration and
resolution.
 138 TCP/UDP NetBIOS Datagram Service.
 143 TCP Internet Message Access Protocol (IMAP).
 443 TCP Hypertext Transfer Protocol over TLS/SSL (HTTPS).
 3389 TCP/UDP Microsoft Terminal Server (RDP).
 Protocols:
 IP addresses and ports:
 A Socket:
 1 set of IP and Port.
 UDP only uses 1 socket
(connectionless), TCP uses 2
in a pair, 2 individual sockets
making the pair.
 Socket Pairs (TCP):
 2 sets of IP and Port (Source
and Destination).
 My Pair for the top one is:
 Source
pair:192.168.0.6:49691
 Destination pair: 195.122.177.218:https
 Well-known ports are often translated, port 443 is https.
 Protocols:
 IPv4/IPv6 Address Space Management:
 IANA (Internet Assigned Numbers Authority) governs the
IP's address allocation.
 IANA is a department of ICANN (Internet Corporation for
Assigned Names and Numbers).
 The world is divided into RIR (Regional Internet Registry)
regions and organizations
in those areas delegate the address space they have control over.
 AFRINIC (African Network Information Center): Africa.
 ARIN (American Registry for Internet Numbers): United States, Canada,
several parts of the Caribbean region, and Antarctica.
30 | P a g e
 APNIC (Asia-Pacific Network Information Centre): Asia, Australia, New
Zealand, and neighboring countries.
 LACNIC (Latin America and Caribbean Network Information Centre):
Latin America and parts of the Caribbean region.
 RIPE NCC (Réseaux IP Européens Network Coordination Centre) Europe,
Russia, Middle East, and Central Asia.
 Protocols:
 IP Address and Traffic Types:
 Unicast, Multicast, and Broadcast Traffic:
 Unicast - one-to-one traffic (Client to Server): The traffic is from a client
to a host or reversed.
 To capture all unicast traffic on a network, we use promiscuous
mode on specific clients' network cards (Network IDS'/IPS'), and
the switch port they are attached to has to be configured as a
Span-port.
 Multicast -one-to-many (predefined): The traffic is sent to everyone in a
predefined list.
 Broadcast - one-to-all (on a LAN network): The traffic is sent to
everyone.
 Limited L3 Broadcast: Use the 255.255.255.255 broadcast IP
address, routers do not pass (they drop it).
 Limited L2 broadcast: Uses FF:FF:FF:FF:FF:FF broadcast MAC
address, routers do not pass.
 Directed broadcast: Sent to anyone logically connected to the
same network.
 A 192.168.19.12/24 will send to all hosts on that
network, regardless if it is physically behind the same
router or not. Accounting could have a VLAN spanning 3
separate remote buildings, the broadcast would be sent
to them all.
 Protocols:
 IPv4 (Internet Protocol version 4) addresses:
 IPv4 addresses are made up of 4 octets (dotted-
decimal notation) and broken further down in a
32bit integer binary.
 We use IP addresses to make it readable to
normal people, it is easier to read 4 sets of
numbers than a 32 bits string of 0’s and 1’s.
 Similarly websites are really just IP addresses
translated with DNS, which is then translated into
binary.
 It is easier to remember google.com, than it is to
remember 66.102.12.231 or
2607:f8b0:4007:80b::200e.
31 | P a g e
 Protocols:
 IPv4:
 Public IP Addresses (Internet routable addresses):
 Used to communicate over the internet between hosts.
 Private Addresses (RFC 1918 – Not routable on the internet): Other notable
IP spaces:
 10.0.0.0 10.255.255.255 16777216 127.0.0.0/8 Loopback IP’s
 172.16.0.0 172.31.255.255 1048576 169.254.0.0/16 Link-Local
 192.168.0.0 192.168.255.255 65536 255.255.255.255 Broadcast
 Protocols:
 IPv4:
 As a Band-Aid solution to extend the depletion
of IPv4 Addresses NAT and PAT were added:
 NAT (Network Address Translation)
 Static NAT Translates 1-1, we need 1
Public IP per Private IP we use, not
practical and not sustainable.
 Pool NAT: Also still 1-1, but a pool was
available to all clients not assigned to
specific clients.
 PAT (Port Address Translation):
 PAT was introduced to solve that issue, it uses IP AND Port number.
 Also called One-to-Many or NAT Overload since it translates one public
IP to many private IPs.
 Protocols:
 IPv4:
 Classful IP Networks were used early on the internet for public address.
Networks were VERY large, some with 16 million+ IP’s. Very inefficient use of IP
addresses.
 CIDR (Classless Inter-Domain Routing) (also called slash notation):
 We used CIDR to break our addresses into smaller logical
segment, this saves addresses, we can make suitable
sized IP ranges for our subnets and it is easier to add
security to our subnets if they are logically segmented.
 This would be the CIDR notation for our earlier IP
address: 172.16.254.1/24.
 This was done to The /24 indicates how many IPs are in
that subnet, from that we know the broadcast and the
range of host addresses.
 Our /24 address would have 256 addresses, 255 are
usable for hosts.
32 | P a g e
 Earlier the first (0)and last (255) in a /24 could not be used, but now
with newer technology and protocol use only 255 is not usable, since it
is the broadcast address.
 Protocols:
 IPv4:
 IP Headers contain:
 Version: IP version 4.
 IHL: Length of the IP
header.
 QoS (Quality of Service).
 Identification, Flags, Offset: used for IP fragmentation.
 TTL (Time To Live): to prevent routing loops.
 Protocol: Protocol number for TCP, UDP, ...
 Source and Destination IP addresses.
 Optional: Options and padding.
 MTU (Maximum Transmission Unit) - normally 1500 bytes in Ethernet

usage.
 If a packet exceeds that size a router along the path may
fragment into smaller packets.
 Protocols:
 IPv6:
 IPv6 is 128bit in hexadecimal numbers (uses 0-9 and a-f).
 8 groups of 4 hexadecimals, making addresses look like
this:
 fd01:fe91:aa32:342d:74bb:234c:ce19:123b
 The IPv6 address space is huge compared to IPv4.
340,282,366,920,938,463,463,374,607,431,768,211,456
addresses.
 34 with 37 0’s total or 79 with 27 0’s as many addresses as IPv4.
 Every square foot on the planet can have 65000 IP addresses.
 IPSec is built in, not bolted on like with IPv4.
 Mostly switched behind the scenes today, many organizations do not have Dual
Stack equipment in place.
 Used by major US ISPs for cell phones (and to some extend the connection to
your modem).
 To make the address more manageable 1 set of 0’s can be shortened with ::
above you see the last 16 0’s being shortened to 2001:0DB8:AC10:FE01::
33 | P a g e
 Protocols:
 IPv6:
 Our MAC address is 00:fa:22:52:88:8a
 It is a EUI-48 address we add “fffe” (for EUI-
64) 00:fa:22:ff:fe:52:88:8a
 Set the U/L bit 20:fa:22:ff:fe:52:88:8a
 (The use of the universal/local bit in
the Modified EUI-64 format identifier
is to allow development of future
technology that can take advantage of interface identifiers with
universal scope).
 Add our network prefix (2001:0000:0000:00b8)
2001:0000:0000:00b8:20fa:22ff:fe52:888a
 Remove largest group of 0’s 2001::b8:20fa:22ff:fe52:888a
 Link Local address (only for local) fe80::b8:20fa:22ff:fe52:888a
 Protocols:
 IPv6:
 IP Headers contain:
 Version: IP version 6 (4 bits)
 Traffic Class/Priority (8bits).
 Flow Label/QoS management (20
bits).
 Payload length in bytes (16 bits).
 Next Header (8 bits).
 Time To Live (TTL)/Hop Limit (8 bits).
 Source IP address (128 bits).
 Destination IP address (128 bits).
 MTU (Maximum Transmission Unit) - normally 1500 bytes in Ethernet

usage.
 If a packet exceeds that size a router along the path may
fragment into smaller packets.
 Protocols:
 ARP (Address Resolution Protocol):
 Translates MAC Addresses into IP Addresses.
 OSI Data/Network Layer or Network/Internet
Layer.
 ARP is a simple and trusting protocol, anyone can
respond to an ARP request.
 ARP (cache) Poisoning: An attacker sends fake
responses to ARP requests, often done repeatedly for
critical ARP entries (Default Gateway).
 A countermeasure can be hardcoding ARP
entries.
34 | P a g e
 RARP (Reverse ARP) is used by diskless workstations to get IPs.
 Protocols:
 ICMP (Internet Control Message Protocol):
 Used to help IP, for Ping (Echo
request/reply) and TTL Exceeds in
Traceroute.
 Often used for troubleshooting.
 An ICMP Echo Request is sent to the
IP, which then sends an ICMP reply
back (or not).
 Originally used (and still) to see if a
host is up or down.
 Today if we get an Echo reply we
know the host is up, but no reply does
not mean it is down.
 Firewalls and routers can block ICMP
replies.
 Protocols:
 Traceroute:
 Uses ICMP to trace a network route.
 Traceroute uses the TTL value in
somewhat reverse.
 We send a message with TTL 1.
 The first router decrements
the TTL to 0 and sends an
ICMP Time Exceed message
back, First Hop is now
identified.
 We send message 2 with TTL 2, 2nd
router does the same, it is identified.
 We do that over and over till the
destination is reached (maximum 30
hops).
 Protocols:
 Telnet:
 Remote access over a network.
 Uses TCP port 23, all data is plaintext including usernames and passwords,
should not be used.
 Attackers with network access can easily sniff credentials and alter data and
take control of telnet sessions.
 SSH (Secure Shell):
 Designed to replace or add security to unsecure protocols Telnet, FTP, HTTP...
35 | P a g e
 V1 had vulnerabilities long ago, and v2 has as well recently.
 Provides a 'secure' connection over an unsecured network (the internet).
 The Snowden leak in 2013 showed the NSA can 'sometimes' decrypt SSL and get
access to the data.
 On July 6th 2017 WikiLeaks confirmed the CIA (ONLY this one time it is the
Central Intelligence Agency) has developed a tool to crack the SSH protocol.
 BothanSpy is an implant that targets the SSH client program Xshell on
the Microsoft Windows platform.
 Gyrfalcon is an implant that targets the OpenSSH client on Linux
platforms centos, debian, rhel, suse, ubuntu.
 Protocols:
 FTP (File Transfer Protocol): Transfers files to and from servers.
 No confidentiality or Integrity checks.
 Should also not be used, since the vast majority of what we transport is over
unsecure networks.
 Uses TCP Port 21 for the control collection - commands are sent here.
 Uses TCP Port 20 for the data collection - the actual data is sent here.
 SFTP (SSH /Secure File Transfer Protocol) - Uses SSH to add security to FTP.
 FTPS (FTP Secure) - Uses TLS and SSL to add security to FTP.
 TFTP (Trivial FTP):
 Uses UDP Port 69.
 No authentication or directory structure, files are written and read from one
directory /tftpboot.
 Used for "Bootstrapping" - Downloading an OS over the network for diskless
workstations.
 Used for saving router configuration.
 Protocols:
 Email Protocols:
1. The MUA (Mail User Agent) formats the message
and using SMTP sends the message to the MSA
(Mail Submission Agent).
2. The MSA determines the destination address
provided in the SMTP protocol, in this case
jane@b.org. The MSA resolves the fully qualified
domain name of the mail server in the DNS.
3. The DNS server for the domain b.org (ns.b.org)
responds with any MX (Mail eXchange) records listing for that domain, in this case
mx.b.org, a MTA (Message Transfer Agent) server run by the recipient's ISP.
4. smtp.a.org sends the message to mx.b.org using SMTP. This server may need to forward
the message to other MTAs before the message reaches the final MDA.
5. The MDA delivers it to the mailbox of user Jane.
6. Jane's MUA picks up the message using either the Post Office Protocol (POP3) or the
Internet Message Access Protocol (IMAP).
36 | P a g e
 Protocols:
 DNS (Domain Name System):
 Translates server names into IP Addresses, uses TCP and UDP Port 53
 Google.com can get translated into 66.102.12.231 or 2607:f8b0:4007:80b::200e
depending on requester's IP.
 Uses gethostbyname() and gethostbyaddress()
 Authoritative name servers - The authority for a given name space.
 Recursive name server - Tries to resolve names it does not already know.
 Cache name server - Keeps previously resolved names in a temporary cache.
 DNS uses UDP for most requests and natively has no authentication. .
 DNS Poisoning is similar to ARP poisoning, an attacker sends a fake
address/name combo to another DNS server when asked and the server keeps it
in its DNS records until it expires.
 DNSSEC (DNS Security Extensions):
 Provides Authentication and Integrity using PKI Encryption.
 Does not provide Confidentiality - Think of it a digital signature for DNS.
 Protocols:
 SNMP (Simple Network Management Protocol):
 Mostly used to monitor devices on our network (routers, switches, servers,
HVAC, UPS ...).
 An SNMP client agent is enabled or installed on the client.
 The device can report port up/down, traffic utilization, temperature, memory
use, HDD allocation, ...
 SNMPv1 and SNMPv2 sends data in cleartext.
 SNMPv2 is still widely used, but should be avoided.
 An attacker on the network can sniff the traffic, often the default
community strings are used "public and "private".
 If an attacker gains access to the private (write) string they can re-
configure the device, shut it or interfaces down ...
 SNMPv3 uses encryption to provide CIA (Confidentiality, Integrity and
Availability).
 This should be the standard across any organization.
 Protocols:
 HTTP and HTTPS - Transport HTML data.
 HTTP (Hypertext Transfer
Protocol):
 Uses TCP port 80 (8008 and
8080), unencrypted website
data sent across the
internet.
 HTTPS (HTTP Secure):
 Uses TCP Port 443 (8443),
encrypted data sent over
the internet.
37 | P a g e
 HTML (Hypertext Markup Language):
 The actual language webpages are written in.
 Not to be confused with HTTP/HTTPS.
 Protocols:
 BOOTP (Bootstrap Protocol):
 Used for diskless workstations, used to determines
OS (Downloaded with tftp) and IP Address.
 Most system BIOS' support BOOTP, they can then
load the OS without a disk.
 DHCP (Dynamic Host Configuration Protocol):
 The common protocol we use to assign IP’s.
Controlled by a DHCP Server for your environment.
 You most likely already use it on your home
network, this is how when you connect a cable or
connect wireless you are online right away.
 Both BOOTP and DHCP uses UDP Port 67 for the
BOOTP/DHCP Server and UDP Port 68 for the Client.
 Cables:
 Networking Cables:
 When it comes to networking cables, most
people think RJ45 Copper Ethernet cables, many
more types are used though.
 Networking cables all come with pro's and con's,
some are cheap, some more secure, some faster,
...
 They can also pose different security
vulnerabilities depending on the cable type and
the environment.
 EMI (Electromagnetic Interference):
 Magnetism that can disrupt data availability and integrity.
 Crosstalk is the signal crossing from one cable to another, this can be a
confidentiality issue.
 Attenuation is the signal getting weaker the farther it travels.
 Copper lines have attenuation, with DSL the farther you are from the
DSLAM (Digital Subscriber Line Access Multiplexer) the lower speed you
get.
 Cables:
 Twisted Pair Cables:
 UTP (Unshielded Twisted Pair):
 Pairs of twisted pairs of cable.
 Twisting them makes them less
susceptible of EMI.
 1 cable sends and 1 receives data.
38 | P a g e
 The tighter the cables are twisted the less susceptible to EMI. For
example, CAT3 pairs (less tight) are more susceptible to EMI than CAT6
(tighter).
 STP (Shielded Twisted Pair):
 Has extra metal mesh shielding around each pair of cables, making them
less susceptible to EMI, but also making the cables thicker, stiffer and
more expensive.
 Cables:
 Coax (Coaxial) Cables:
 Most commonly used for cable TV and Internet
services.
 Coax Cables have built in layers:
 Copper core in the middle.
 A plastic insulator around the middle
core.
 A copper braid/shield around the
insulator.
 A plastic outer layer.
 The braid/shield, makes it less susceptible to
EMI, and the thicker core can provide higher
speeds.
 Cables:
 Fiber Optic Cables Use light to carry data (vs. electricity for copper
cables):
 Pros: Speed 1 Petabit per second, 35miles/50 km over a
single fiber.
 Distance it has no attenuation like copper, a single
uninterrupted cable can be 150 miles+ (240km+)
long.
 Not susceptible to EMI.
 More secure than copper, since it can't be sniffed
as easily as copper.
 Cons: Price, more difficult to use, you can break the glass
in the cable if you are not careful.
 Single-Mode fiber - A Single strand of fiber carries a single mode of light (down
the center), used for long distance cables (Often used in IP-Backbones).
 Multi-Mode fiber - Uses multiple modes (light colors) to carry multiple data
streams simultaneously, this is done with WDM (Wavelength Division
Multiplexing).
 Cables:
 All cable measurements are in metric (m/km).
 Only 3 countries in the world do not use metric (Burma, Liberia, and the United States).
39 | P a g e
 1Kbps - Kilobits per second
 1,000 bps (103)
 1Mbps - Megabit per second
 1,000,000 bps (106)
 1Gbps - Gigabit per second
 1,000,000,000 bps (109)
 1Tbps - Terabit per second
 1,000,000,000,000 bps (1012)
 1Pbps - Petabit per second
 1,000,000,000,000,000 bps (1015)
 LAN Technologies and Protocols:

 Network topology describes the layout and topologies of interconnections between
devices and network segments.
 Ethernet and Wi-Fi are the two most common transmission technologies in use for local
area networks.
 At the data link layer and physical layer, a wide variety of LAN topologies have been
used, including ring, bus, mesh and star.
 At the higher layers, NetBEUI, IPX/SPX, AppleTalk used to be common, but TCP/IP is now
the de facto standard.
 Fiber-optic is commonly used between switches, to servers, and for backbone data
transfers, rarely used for desktops.
 Ethernet is baseband and uses copper TP, coax and fiber cables.
 Ethernet was also not built for how we use networks today, so we bolt on
functionality we want.
 Wireless technologies are often built into Smartphones, tablet and laptops.
 In a wireless LAN, users can move unrestricted in the coverage area, the transfer
from one wireless access point to another is often completely seamless.

 CSMA (Carrier Sense Multiple Access):
 Clients on a network check to see if the shared line is in use, if not they will send
their data.
 Clients listen to see if the line is idle, if idle they send, if in use they wait a
random amount of time (milliseconds).
 CSMA/CD (CSMA/Collision Detection):
 Used for systems that can send and receive at the same time like Ethernet.
 If 2 clients listen at the same time and see the line is clear they can both
transmit at the same time causing collisions, CD is added to help with that
scenario.
 Clients listen to see if the line is idle, if idle they send, if in use they wait a
random amount of time (milliseconds).
 While transmitting they monitor the network.
 If more input is received than sent, another work station is also
transmitting.
40 | P a g e
 They send a Jam signal to tell the other nodes to stop sending.
 Wait for a random amount of time before starting to
retransmit.

 CSMA CA (CSMA/Collision Avoidance):
 Used for systems that can either send or receive like wireless.
 They check if the line is idle, if idle they send, if in use they wait a random
amount of time (milliseconds).
 Slightly different than CD, on Ethernet networks clients are normally
aware of other clients, on wireless that is not always the case.
 If a lot of congestion the client can send a RTS (Request To Send), and if
the host (the wireless access point) replies with a CTS (Clear To Send),
similar to a token, the client will transmit.
 This goes some way to alleviating the problem of hidden nodes, in a
wireless network, the Access Point only issues a Clear to Send to one
node at a time.
 Legacy Lan Systems:

 ARCNET (Attached Resource Computer Network):
 Used network tokens for traffic, no collisions.
 Used a Star topology.
 2.5Mbps.
 Token Ring:
 Used network tokens for traffic, no collisions.
 Used a Ring topology.
 16Mbps.
 FDDI (Fiber Distributed Data Interface):
 Used token-bus for traffic, no collisions.
 Used a Ring topology.
 Used fiber, and not copper so not susceptible to EMI.
 100Mbps.
 Physical LAN Topologies:

 Bus:
 All nodes are connected in a line, each node
inspects traffic and passes it along.
 Not very stable, a single break in the cable will
break the signal to all nodes past that point,
including communication between nodes way
past the break.
 Faulty NIC's (Network Interface Card) can also
break the chain.
 Tree (Hierarchical):
 The base of the Tree topology controls the
traffic, this was often the mainframe.
41 | P a g e
 Ring:
 All nodes are connected in a ring.
 Star:
 All nodes are connected to a central device.
 This is what we normally use for ethernet, our
nodes are connected to a switch.
 Provides better fault tolerance, a break in a
cable or a faulty NIC will only effect that one
node.
 If we use a switch no token passing or collision
detection is needed since each node is on its
own segment.
 If we use hubs collisions will still occur, but I
hope none are around anymore, not just how slow they are, but more how
unsecure they are now.

 Mesh:
 Nodes are connected to each other in either a
partial mesh or a full mesh.
 Partial Mesh:
 Nodes are directly connected to some
other nodes.
 Full Mesh:
 All nodes are directly connected to all
other nodes.
 More redundant, but requires a lot more cables
and NIC’s.
 Often used in HA (High Availability) environments, with cluster servers for
keepalives.
 Secure Network Devices and Protocols:

 We have different network devices through the OSI and TCP/IP
models and many have protocols specific to that device.
 Layer 1 devices:
 Repeaters receive a signal and retransmit it.
 They are used to extend transmissions so that the
signal can cover longer distances.
 Hubs are repeaters with more than 2 ports.
 All traffic is sent out all ports, no Confidentiality or
Integrity, half-duplex and not secure at all.
42 | P a g e
 Bridges are 2 port switches used to separate collision domains, sends traffic
across the 2 domains, but traffic from one domain is not seen on the other
unless sent there.

 Switches are bridges with more than 2 ports.
 Each port is its own collision domain, fixing some of the
issues with collisions.
 Can range from 4 to 500+ ports.
 Use MAC addresses to direct traffic.
 Good switch security includes:
 Shutting unused ports down.
 Put ports in specific VLANs.
 Using the MAC Sticky command to only
allow that MAC to use the port, either with a
warning or shut command if another MAC
accesses the port.
 Use VLAN pruning for Trunk ports.

 Layer 2 Protocols:
 VLAN (Virtual LAN) is a broadcast domain that is partitioned and
isolated at layer 2.
 Specific ports on a switch are assigned to a certain
VLAN.
 The Payroll VLAN is in 2 different buildings and spans
multiple switches.
 VLANs uses tags within network packets and tag handling
in networking systems, replicating the appearance and
functionality of network traffic that is physically on a
single network but acts as if it is split between separate
networks.
 It allows networks and devices that must be kept
separate to share the same physical devices without
interacting, for simplicity, security, traffic management,
and/or cost reduction.
 VLAN Trunks - Ports connecting two switches to span VLAN's across them.
 VLAN's share bandwidth, a VLAN trunk can use link aggregation, quality-of-
service prioritization, or both to route data efficiently.

 Routers:
 Normally have a few ports vs. a lot on switches.
43 | P a g e
 For our organizations they are in the data centers.
 In your home they are often combined with a switch, and wireless in
one box.
 Forwards traffic based on source and destination
IPs and ports.
 Connecting our LANs to the WAN.
 Routers send traffic to the most specific route in
their routing table.
 Static route a preconfigured route, always sends
traffic there for a certain subnet.
 Default gateway sends all non-local traffic to an ISP for instance.
 Dynamic route is learned from another routing via a routing protocol
(OSPF, EIGRP, BGP, IS-IS).
 Metric is used to determine the best route to a destination.

 Routers have two operation planes:
 Control plane:
 A router maintains a routing table that lists which route should
be used to forward a data packet, and through which physical
interface connection.
 It uses internal pre-configured static routes, or by learning
routes using a dynamic routing protocol.
 Static and dynamic routes are stored in the RIB (Routing
Information Base).
 The control-plane logic then strips non-essential directives from
the RIB and builds a FIB (Forwarding Information Base) to be
used by the forwarding-plane.
 Forwarding plane:
 The router forwards data packets between incoming and
outgoing interface connections.
 It routes them to the correct network type using information
that the packet header contains.
 It uses data recorded in the routing table control plane.

 Firewalls: A firewall typically establishes a barrier between a
trusted, secure internal network and another outside network,
like the Internet.
 First generation: Packet filtering firewalls, OSI Layer 1-3.
 Packet filters act by inspecting the "packets"
which are transferred between clients.
 If a packet does not match the packet filters set of
filtering rules, the packet filter will drop the
44 | P a g e
packet or reject it and send error responses to the source.
 Any packet that matches one of the Permits, is allowed to pass.
 Rules are checked in order, the attacker's traffic is dropped on the 3rd
filter rule. Drop anything trying to access 100.1.1.100.
 The internal machines can access the server since their IPs are
whitelisted in the first rule.

 Firewalls:
 Second generation: Stateful filtering firewalls, OSI
Layer 1-4.
 Records all connections passing through
and determines whether a packet is the
start of a new connection, a part of an
existing connection, or not part of any
connection.
 Static rules are still used, these rules can
now contain connection state as one of
their criteria.
 Some DOS attacks bombard the firewall with thousands of fake
connection packets trying to overwhelm the firewall by filling its
connection state memory.

 Firewalls:
 A proxy server can act as a firewall by
responding to input packets in the manner of an
application, while blocking other packets.
 A proxy server is a gateway from one network to
another for a specific network application, in the
sense that it functions as a proxy on behalf of the network user.

 Firewalls:
 Third generation: Application layer firewalls, OSI Layer 7.
 The key benefit of application layer firewalls is that they can understand
certain applications and protocols.
 They see the entire packet, the packet isn't decrypted until layer 6, any
other firewall can only inspect the packet, but not the payload.
 They can detect if an unwanted application or service is attempting to
bypass the firewall using a protocol on an allowed port, or detect if a
protocol is being used any malicious way.
 Network firewalls filter traffic between two or more networks, either software
appliances running on general purpose hardware, or hardware-based firewall.
 Host-based firewalls provide a layer of software security on one host that
controls network traffic in and out of that single machine.
45 | P a g e
 Firewalls design:
 A bastion host is a special purpose host designed and configured to withstand
attacks.
 Normally hosts a single application, all other services
are removed or limited to reduce the threat to the
host.
 It is hardened in this manner because of its location
and purpose, which is either on the outside of a
firewall or in a DMZ (demilitarized zone) and usually
involves access from untrusted networks or computers.
 A dual-homed host has two network interfaces, one connected
to a trusted network, and the other connected to an untrusted
network (Internet).
 The dual-homed host doesn't route.
 Any user wanting to access the trusted network from the outside, needs
to log into the dual-homed host and then access the trusted network
from there.
 No longer really used, mostly used pre modern firewalls.

 Screened host architecture:
 An older flat network design using one router to filter external traffic to
and from a bastion host via ACLs.
 The bastion host can reach other internal resources, but the router's
ACL denies direct internal/external connectivity.
 The difference between dual-homed host and screened
host design is screened host uses a screening router,
which filters Internet traffic to other internal systems.
 Screened host network design does not use defense-in-
depth: a failure of the bastion host puts the entire
trusted network at risk.
 Screened subnet architecture evolved as a result, using
network defense in depth by using DMZs.

 Screened Subnet Architecture:
 A screened subnet firewall is a variation of
the dual-homed and screened host firewall.
 It can be used to separate components of the
firewall onto separate systems, achieving
greater throughput and flexibility, although
at some cost to simplicity.
46 | P a g e
 As each component system of the screened subnet firewall needs to
implement only a specific task, each system is less complex to configure.
 A screened subnet firewall is often used to establish a DMZ
(demilitarized zone).
 Good design uses 2 different brands of firewalls, to avoid both having
the same vulnerabilities.

 DMZs:
 Normal DMZs use 2 firewalls in a screened
subnet, but they can also be three-legged
DMZs which only use 1 firewall.
 Physical or logical subnetwork that contains
and exposes an organization's external-facing
services to an untrusted network, like the
Internet.
 It adds an additional layer of security to our
organization's LAN, an external network node
can access only what is exposed in the DMZ,
while the rest of the organization's network is
firewalled.
 Firewalls are designed to fail closed, if they crash, get
flooded with traffic or are shut down, they block all
traffic.
 To get some redundancy we often use firewall pairs, and have the firewall in a
mesh topology, this way one firewall failure will just shift the traffic paths.

 IDSs and IPSs.
 We use both IDSs (Intrusion Detection Systems) and IPSs (Intrusion Prevention
Systems) on our network to capture and alert or block traffic seen as malicious.
 They can be categorized into 2 types and with 2 different approaches toward
identifying malicious traffic.
 Network based, placed on a network segment (a switch port in
promiscuous mode).
 Host based, on a client, normally a server or workstation.
 Signature (Pattern) matching, similar to anti virus, it matches traffic
against a long list of known malicious traffic patterns.
 Heuristic (Behavioral) based, uses a normal traffic pattern baseline to
monitor for abnormal traffic.
 Just like firewalls, routers, servers, switches and everything else in our
environment they just see part of the larger picture, for full picture views and
data correlation we use a SIEM (Security Information and Event Management)
system.
47 | P a g e
 IDS (Intrusion Detection System):
 They are passive, they monitor, but they take no action other than sending out
alerts.
 Events trigger alerts: Emails/text message to administrators or an alert on a
monitoring tool, but if not monitored right this can take hours before noticed.
 IPS (Intrusion Prevention System):
 Similar to IDS, but they also take action to malicious traffic, what they do with
the traffic is determined by configuration.
 Events trigger an action, drop/redirect traffic, often combined with the trigger
monitoring/administrator warnings, emails or text messages.
 IDS/IPS:
 Part of our layered defense.
 Basically they are packet sniffers with analysis engines.

 Network based, placed on a network segment (a switch port in promiscuous mode).
 Looks at a segment of our network, normally a switch, but can aggregate
multiple switches.
 Inspects Host/destination ports, IPs, protocols, content of traffic, but can
obviously not look in encrypted traffic.
 Can protect against DDOS, Port scans, brute force attacks, policy violations …
 Deployed on one switch, port and NIC must be promiscuous and port must be a
span port.
 Host based, on a client, normally a server or workstation.
 We only look at a single system.
 Who is using the system, the resource usage, traffic, ...
 It can be application specific, it does not have to be the entire system we
monitor.
 If we do chose to do traffic analysis it will impact the host by slowing it down.
 Certain attacks can turn off HIDS/HIPS
 Can look at the actual data (it is decrypted at the end device), NIDS/NIPS can't
look at encrypted packets.

 Signature based:
 Looks for known malware signatures.
 Faster since they just check traffic against malicious signatures.
 Easier to set up and manage, someone else does the signatures for us.
 They are completely vulnerable to 0 day attacks, and have to be updated
constantly to keep up with new vulnerability patterns.
 Heuristic (Behavioral) based:
 Looks for abnormal behavior - can produce a lot of false positives.
 We build a baseline of what normal network traffic looks like and all traffic is
matched to that baseline.
48 | P a g e
 Traffic not matching the baseline is handled depending on settings, they can
take a lot of tweaking.
 Can detect 'out of the ordinary' activity, not just attacks.
 Takes much more work and skills.
 Hybrid based systems combining both are more used now and check for both signatures
and abnormalities.

 IDS/IPS obviously then prompt attackers to develop attacks that try to avoid
detection.
 Fragmentation: Sending fragmented packets, the attack can avoid the
detection system's ability to detect the attack signature.
 Avoiding defaults: The TCP port utilized by a protocol does not always
provide an indication to the protocol which is being transported.
Attackers can send malware over an unexpected port.
 Low-bandwidth coordinated attacks: A number of attackers (or agents)
allocate different ports or hosts to different attackers making it difficult
for the IDS to correlate the captured packets and deduce that a network
scan is in progress.
 Address spoofing/proxying: attackers can use poorly secured or
incorrectly configured proxy servers to bounce an attack. If the source is
spoofed and bounced by a server then it makes it very difficult for IDS to
detect the origin of the attack.
 Pattern change evasion: The attacker changes the data used slightly,
which may avoid detection.

 Alerts on IDSs/IPSs can, like biometrics, be one of 4 categories:
 True Positive: An attack is happening and the system detects it and acts.
 True Negative: Normal traffic on the network and the system detects it
and does nothing.
 False Positive: Normal traffic and the system detects it and acts.
 False Negative: An attack is happening the system does not detect it
and does nothing.
 We rarely talk about the “true” states since things are happening like
they are supposed to, we are interested in when it does not and we
prevent authorized traffic or allow malicious traffic.
 Asset Management:
 0-day vulnerabilities:
49 | P a g e
 Vulnerabilities not generally known or discovered, the first time an attack is
seen is considered day 0, hence the name.
 From when a vulnerability is discovered it is now only a short timespan before
patches or signatures are released on major software.
 With millions of lines of code in a lot of software and the 1% errors we talked
about there will always be new attack surfaces and vulnerabilities to discover.
The only real defense against the 0 day exploits is defense in depth and when
discovered immediate patching as soon as it is available and we have tested it in
our test environments. Most signatures in IDS/IPS and antivirus auto update as
soon as new signatures are available.
 0-day vulnerability: The vulnerability that has not been widely discovered and
published.
 0-day exploit: Code that uses the 0-day vulnerability.
 0-day vulnerabilities:
 The Stuxnet worm that targeted Iran's nuclear centrifuges used 4 unique 0 day
exploits (previously unheard of).
 It was developed over 5+ years and estimated to have cost 100's of millions of
dollars.
 Stuxnet has three modules:
 A worm that executes all routines related to the main payload of the
attack;
 A link file that automatically executes the propagated copies of the
worm.
 A rootkit responsible for hiding all malicious files and processes,
preventing detection of Stuxnet.
 It is introduced to the target environment by an infected USB flash drive.
 The worm then propagates across the network, scanning for Siemens Step7
software on computers controlling a PLC, if both are not present, Stuxnet
becomes dormant inside the computer, it will still replicate the worm.
 If both are present, Stuxnet introduces the infected rootkit onto the PLC and
Step7 software, modifying the codes and giving unexpected commands to the
PLC while returning a loop of normal operations system values feedback to the
users.
 Secure Communications:
 Securing our data-in-motion is one of the most difficult tasks we have.
 The internet and IPv4 was never built to be secure and just like anywhere else we need
to find the right balance of Confidentiality, Integrity, and Availability.
 Authentication protocols:
 Communications or cryptographic protocols designed to transfer authentication
data between two entities.
 They authenticate to the connecting entity (often a server) as well as
authenticate themselves (often a server or desktop) by declaring the type of
information needed for authentication as well as syntax.
50 | P a g e
 It is the most important layer of protection needed for secure communication
between networks.
 PAP (Password Authentication Protocol):
 Authentication is initialized by client/user by sending packet with credentials
(username and password) at the beginning of the connection.
 One of the oldest authentication protocols, no longer secure. The credentials
are being transmitted over the network in plain text making it vulnerable to
simple attacks like Eavesdropping and man-in-the-middle attacks.
 CHAP (Challenge-Handshake Authentication Protocol):
 Provides protection against replay attacks by the peer through the use of an
incrementally changing identifier and of a variable challenge-value.
 Requires that both the client and server know the plaintext of a shared secret
like a password, it is never sent over the network.
 Providing better security compared to PAP which
is vulnerable for both these reasons.
 Used by PPP (Point to Point Protocol) servers to
validate the remote clients.
 CHAP periodically verifies the identity of the client by using a three-way
handshake.
 The CHAP server stores plaintext passwords of each client, an attacker gaining
access to the server can steal all the client passwords stored on it.
 802.1X defines the encapsulation of the EAP (Extensible Authentication
Protocol).
 802.1X authentication involves three parties: a supplicant, an
authenticator, and an AS (authentication server).
 The supplicant is a client device (normally a workstation) that wants to
attach to the LAN/WLAN, normally software running on the client that
provides credentials to the authenticator.
 The authenticator is a network device, a
switch or wireless AP.
 The AS (Authentication sever) is typically a
host running software supporting the
RADIUS and EAP protocols.
 In some cases, the authentication server software may be running on
the authenticator hardware.
 EAP is widely used, in 802.11 (Wi-Fi) the WPA and WPA2 standards it
was adopted with 100+ EAP Types as the official authentication
mechanism.
51 | P a g e
 PEAP (Protected EAP):
 A protocol that encapsulates EAP within an encrypted and
authenticated TLS (Transport Layer Security) tunnel.
 Developed by Cisco Systems, Microsoft, and RSA Security.
 EAP-MD5:
 Very weak forms of EAP. It offers client to server authentication only,
where most others provide mutual authentication.
 Vulnerable to man in the middle attacks and password attacks.
 LEAP (Lightweight Extensible Authentication Protocol):
 Cisco distributed the protocol through the CCX (Cisco Certified
Extensions) as part of getting 802.1X and dynamic WEP adoption into
the industry in the absence of a standard.
 No native support of LEAP in the Windows OS.
 EAP-TLS (EAP-Transport Layer Security):
 Uses PKI, requiring both server and client side certificates.
 Establishes a secure TLS tunnel used for authentication.
 This makes it very secure, but also complex and expensive.
 EAP-TTLS (EAP Tunneled Transport Layer Security):
 Simpler than EAP-TLS by dropping the client-side certificate
requirement, allowing other authentication methods for client-side
authentication.
 This makes it easier to deploy, but also less secure.
 PANA (Protocol for Carrying Authentication for Network Access):
 Allows a device to authenticate itself with a network to be granted
access.
 EAP will be used for authentication protocol, key distribution, key
agreement and key derivation protocols.
 SLIP (Serial Line Internet Protocol):
 An encapsulation of IP designed to work over serial ports and modem
connections.
 On PCs it has been replaced by PPP, which is better engineered, has
more features and does not require its IP address configuration to be
set before it is established.
 On microcontrollers, SLIP is still the preferred way of encapsulating IP
packets because of the very small overhead.
 PPP (Point-to-Point Protocol):
 Used over many types of physical networks including serial cable, phone
line, trunk line, cellular telephone, ...
 PPP is also used over Internet access connections.
52 | P a g e
 ISPs (Internet Service Providers) have used PPP for customer dial-up
access to the Internet, since IP packets cannot be transmitted over a
modem line on their own, without some data link protocol.
 VPN (Virtual Private Network):
 Extends a private network across a public network,
and users can send and receive data across shared
or public networks as if they were on the private
network.
 VPNs may allow employees and satellite offices to
securely access the organization's intranet.
 They are used to securely connect.
 Can also be used to get around geo-restrictions and
censorship, or to connect to proxy servers for the
purpose of protecting personal identity and
location.
 Created by establishing a virtual point-to-point connection using
dedicated connections, virtual tunneling protocols, or traffic
encryption.
 WLAN (Wireless LAN) Technologies and Protocols:

 A wireless computer network that links two or more devices
using a wireless distribution method within a limited area (a
home, a school, a coffee shop, or an office building).
 Gives users the ability to move around within a locally covered
area and be connected to the network.
 Often multiple APs (Access Points) are set up throughout an
office building to give seamless roaming coverage for the
employees.
 WLAN normally also provides an Internet connection, but not
always.
 Most modern WLANs are based on IEEE 802.11 standards and
are marketed under the Wi-Fi brand name.
 Wi-Fi makes us more mobile and our connection more seamless, but it is easier to
compromise than cabled internet connection.

 Wi-Fi attacks:
 Rogue access points:
 An unauthorized access point that has been
added to our network without our knowledge.
 This can be malicious by an attacker or just an
employee wanting Wi-Fi somewhere with bad
coverage.
53 | P a g e
 Without our security posture they are a very big concern.
 Can be somewhat mitigated with Port security on the switches, and by
scanning for Rogue access points.
 Can compromise confidentiality and integrity.

 Wi-Fi attacks:
 Jamming/Interference:
 This can be a lot of traffic on the Wi-Fi
frequencies or done by attackers to disrupt our
network (DOS).
 If interference is an issue we can change to other
channels, if any less crowded channels are
available, or to different frequencies if our
equipment supports it.
 The 2.4 GHz band is used by Bluetooth,
microwaves, cordless phones, baby monitors, Wi-
Fi, …
 Can compromise integrity and availability.

 Wi-Fi attacks:
 Evil twin:
 An evil twin is used when attackers are trying
to create rogue access points so as to gain
access to the network or access to
information that is being put through a
network.
 Can be done on your network or not, the
attacker simply names their access point the
same as ours, but with no security and user
devices automatically connect to them.
 Can compromise confidentiality and
integrity.

 802.11 standards:
 The 802.11 is a set of

media access control
(MAC) and physical layer
(PHY) specifications for
implementing WLAN
computer
communication in the
54 | P a g e
2.4, 3.7 and 5 GHz frequency bands.
 There are more 802.11 protocols but for the exam know these.

 802.11 standards:
 The 2.4 GHz frequency can be very crowded, wireless,
Bluetooth, microwaves, cordless phones and baby monitors,
... use that frequency.
 The 5 GHz frequency is normally less crowded, and has less
interference than 2.4 GHz.
 5 GHz is a higher frequency with shorter waves, it does not
penetrate walls, floors and other obstructions as well as the
longer 2.4 GHz waves.
 It is easy to change the channel your Wi-Fi to a less crowded
one.
 Some access points management software can dynamically
change the channels on individual access points, to find better channels and
provide less overlap.

 802.11 wireless NICs:
 Operate in four different modes:
 Managed/Client mode:
 Clients connect to an access point in
managed mode, once connected, clients
communicate with the access point only,
they cannot directly communicate with other
clients.
 Master/infrastructure mode:
 The mode used by wireless access points.
 A wireless card in master mode can only
communicate with connected clients in
managed mode.
 Access point must have the same SSID (service set identifier) as
the access point, and if encryption is enabled, they must share
the same keys or other authentication parameters.

 802.11 wireless NICs:
 Operate in four different modes (continued):
 Ad-hoc mode network:
 The WNIC does not require an access point, but can interface
with all other wireless nodes directly.
 All the nodes in an ad hoc network must have the same channel
and SSID.
55 | P a g e
 A computer connected to the Internet via a wired NIC may
advertise an ad-hoc WLAN to allow internet sharing.
 Monitor mode or RFMON (Radio Frequency Monitor) mode:
 Enables a computer with a WNIC to monitor all traffic received
from the wireless network.
 Unlike promiscuous mode, which is also used for packet sniffing,
monitor mode allows packets to be captured without having to
associate with an access point or ad hoc network first.

 SS (Service Set) is a set consisting of all the devices associated with an organization's
WLAN (Wireless Local Area Network).
 SSID (Service Set Identifier) is the name of the
wireless access point you see when you connect.
 Clients must know the SSID before joining
that WLAN.
 The SSID is a configuration parameter.
 SSIDs are normally broadcasted, but we can
disable the broadcast in the access point
configuration.
 It is a security measure we want to use, but
it is easy to bypass.
 We can also use MAC address filtering on our wireless access points, this is
another limited security feature.
 MAC addresses are sent in plaintext on 802.11 WLANs, it is easy to sniff and
spoof.

 WEP (Wired Equivalent Privacy) protocol, early 802.11 wireless security (1997).
 No longer secure, should not be used.
 Attackers can break any WEP key in a few minutes.
 It was designed to not conflict with the Wassenaar Arrangement’s 40 bit
limit on encryption and because of that, it was designed weaker than it
should have been.
 Many access points still have the WEP option today, but most are
preconfigured with WPA2/PSK.
 WEP uses 10 or 26 hexadecimal digits (40 or 104 bits).
 It was years back used widely and was often the first security choice
presented to users by router configuration tools.
 WEP frames do not use timestamp and have no replay protection,
attackers can inject traffic by replaying previously sniffed WEP frames.

 WPA (Wi-Fi Protected Access): (2003)
56 | P a g e
 Interim standard to address WEP issues should not be used unless
WPA2 is not feasible.
 Uses RC4 and TKIP (Temporal Key Integrity Protocol).
 Neither are considered secure anymore.
 TKIP uses a per-packet key, meaning that it dynamically
generates a new 128-bit key for each packet and preventing the
types of attacks that compromised WEP.
 WPA has been designed specifically to work with wireless hardware
produced prior to the introduction of the WPA protocol.
 WPA2 (Wi-Fi Protected Access II) also called RSN (Robust Security Network)
(2004):
 Current standard, should be used, the most secure form of WPA2 is
WPA2-PSK (Pre-Shared Key) using AES.
 AES provides confidentiality, and CCMP (Counter Mode CBC MAC
Protocol) a Message Integrity Check (MIC), which provides integrity. It
can be configured to use older less secure protocols (TKIP).

 Bluetooth:
 A wireless technology standard for exchanging data over short distances
using 2.4 GHz from fixed and mobile devices, and building personal area
networks (PANs).
 Bluetooth has three classes of devices, while designed for short-
distance networking, Class 1 can reach up to 100 meters.
 Class 1: 100 meters, 2: 10 meters, 3: under 10 meters.
 Bluetooth implements confidentiality, authentication and key derivation
with custom algorithms based on the SAFER+ block cipher.
 The E0 stream cipher is used for encrypting packets, granting
confidentiality, and is based on a shared cryptographic secret, namely a
previously generated link key or master key.
 Cryptanalysis of E0 has proven it to be weak, attacks show the true
strength to be 38 bits or even less.
 Bluetooth key generation is generally based on a Bluetooth PIN, which
must be entered on one or both devices.

 Bluetooth
 Bluetooth security is to some extent security
through obscurity, it assumes the 48-bit MAC
address of the Bluetooth adapter is not known.
 Even when disabled, Bluetooth devices may be
discovered by guessing the MAC address.
 The first 24 bits are the OUI, which can be easily
guessed, the last 24 bits can be discovered with
brute-force attacks.
57 | P a g e
 Bluetooth
 Attacks:
 Bluejacking: Sending unsolicited messages over Bluetooth, most
often harmless but annoying.
 Bluesnarfing: Unauthorized access of information from a
Bluetooth device phones, desktops, laptops, ...
 Bluebugging: The attacker gains total access and control of your
device, it can happen when your device is left in the
discoverable state.
 Only possible on older phones with outdated
OSs, newer smartphones constantly update their OS.
 Countermeasures:
 Enable Bluetooth only when you needed it.
 Enable Bluetooth discovery only when necessary, and disable
discovery when your devices are paired.
 Do not enter link keys or PINs when unexpectedly prompted to
do so.
 Remove paired devices when you do not use them.
 Regularly update firmware on all Bluetooth enabled devices.

 Honey pots and Honey nets:
 Honeypots:
 System looking like a real system, but with the sole purpose of attracting
attackers.
 They are used to learn about our vulnerabilities and how attackers would
circumvent our security measures.
 Used both internally and externally, internal honeypots can alert us to attackers
and malware that made it past our security perimeter and external honeypots
teach us about the attack vectors attackers use.
 External honeypots will get compromised on a regular basis, we analyze the
attack and ensure our internal systems are protected against that type of attack.
 Honeypots are rarely hardened completely, our actual data servers are always
hardened completely.
 Always talk to your legal department before deploying honeypots.
 Remember the thin line between entrapment and enticement.
 What are the legal/liability ramifications if an attacker launches a 3rd
party attack from your honeypot/net.
 Get very clear legal guidelines issued before deploying, and get senior
management's approval in writing.

 Honey pots and Honey nets:
 Honeynets:
58 | P a g e
 A network (real or simulated) of honeypots, can be a
full server farm simulated with applications, OSs and
fake data.
 Best practice segments the honeynet from our actual
network by a DMZ/firewall.
 The SIEM collects the data from our internal systems as
well as the honeynet.
 IPSec:
 SA (Security Association): Simplex one-way communication, can be used to
negotiate ESP or AH parameters.
 If 2 systems use ESP to communicate they need 1 SA for each direction
(2 total), if SA and ESP 4 total.
 A unique 32bit SPI (Security Parameter Index) is used to identify each SA
connection.
 ISAKMP (Internet Security And Key Management Protocol):
 Manages the SA creation process.
 Tunnel mode encrypts and authenticates the entire package (including
headers).
 Transport mode only encrypts and authenticates the payload, used for systems
that speak ITSEC.
 IKE (Internet Key Exchange):
 IPsec can use different types of encryption (3DES or AES) and hashes
(MD5, SHA1, SHA2, …).
 IKE negotiates the algorithm selection process.
 The 2 sides of an IPsec tunnel will normally use IKE to negotiate to the
highest and fastest level of security, selecting AES over single DES for
confidentiality if both sides support AES, for example
 IPSec:
 IPSec can protect data flows between a pair of hosts (host-to-host), a pair of
security gateways (network-to-network), and a security gateway and a host
(network-to-host).
 IPsec is an end-to-end security scheme operating in the Internet Layer of the
TCP/IP model, only IPsec protects all application traffic over an IP network.
 IPsec can automatically secure applications at the IP layer.
 SSL and TLS – Confidentiality and Authentication for web traffic.
 Cryptographic protocols for web browsing, email, Internet faxing, instant
messaging, and VOIP.
 You download the servers’ digital certificate, which includes the sites public key.
 SSL (Secure Socket Layer) Currently on v3.0.
 Mostly used for web traffic.
 TLS (Transport Layer Security) More secure than SSL v3.0.
59 | P a g e
 Used for internet chat and email client access (common), used for
securing web traffic (less common).
 ISDN (Integrated Services Digital Network) - OSI layer 1-3.
 Used for digital transmission of voice, video, data, and other network services
over the traditional circuits of the public switched telephone network.
 A circuit-switched telephone network system, which also provides access to
packet switched networks.
 It offers circuit-switched connections (for either voice or data), and packet-
switched connections (for data), in increments of 64 kilobit/s, but could be
higher with channel bonding.
 DSL (Digital subscriber line) is a family of technologies that are used to transmit digital
data over telephone line.
 Often used to describe ADSL (Asymmetric DSL), the most commonly DSL
technology.
 DSL service can be delivered side by side with wired telephone service on the
same line, this is possible because DSL uses higher frequency bands for data.
 At the customer Demarc a DSL filter on each non-DSL outlet blocks any high-
frequency interference to enable simultaneous use of the voice and DSL
services.
 Callback is a modem-based authentication system.
 Was mostly used for securing dial-up connections.
 The client computer calls the server computer.
 After a greeting the client identifies itself, usually with a username.
 The server disconnects the call.
 Depending on the user name and a list of users' phone numbers, the server will
then establish a second call back to the client computer.
 The client computer, expecting this returned call, will then answer and
communications between the two computers will proceed normally.
 Caller ID does the same, but the user has to be calling from the right number.
 It can easily be faked, many phones or phone companies allow the end user pick
their caller ID.
 Remote administration is controlling a computer from a remote location, we do this
through software.
 A remote location may refer to a computer in the next room or to one across
the world.
 Any computer with an Internet connection can be remotely administered.
 RDP (Remote Desktop Protocol): A Microsoft proprietary protocol.
 The user uses RDP client software for this, and the other computer must run
RDP server software.
60 | P a g e
 Providing a user with a GUI (Graphical User Interface), by default, the server
listens on TCP and UDP 3389.
 VNC (Virtual Network Computing): Non-MS proprietary and can run on most OSs (Using
screen scraping).
 It was at first used for remote administration of computers, but is also being
used more and more now for Remote Desktop Protocol for multi-user
environments and helpdesk RDP access.
 Newer versions use HTTPS (TCP port 443) and has the GUI contained in a browser.
 You install the software on the system you want to access, and the one you
want to access from, set up username/password, and you can control that
system from anywhere.
 Commonly used include: Chrome Remote Desktop, LogMeIn, GoToMyPC or
support.me.
 VDI (Virtualized Desktop Infrastructure/Interface):
 Thin Clients:
 Diskless Workstation (Diskless node) has all the normal
hardware/firmware except the disk, it has the lower level OS (the BIOS),
which performs the POST and it then downloads the kernel and OS.
 Thin Client Applications - We use a Web Browser to connect to the
application on a server on port 80 (HTTP) or port 443 (HTTPS), the full
application is housed and executed on the server vs. on your PC.
 Often stripped of non-essentials like CD drives, most ports, ...
 Zero Clients:
 Getting more popular for VDI because they are even slimmer and more
cost-effective than thin clients.
 These are client devices that require no configuration and have nothing
stored on them.
 They are sold by Dell, Fujitsu, HP, Pano Logic, ...
 IM (Instant messaging):
 Short messages are typically sent between two parties (one-to-one) or many to
many (group IM’s).
 Some IM applications can use push technology to provide real-time text, which
transmits messages character by character, as they are typed, others send when
you hit enter.
 More advanced instant messaging can add file transfer, clickable hyperlinks,
Voice over IP, and video chat.
 Commonly used chat protocols today include IRC, Jabber, Lync, and still used
but very limited ICQ and AIM.
 Today most IM'ing is done embedded in other applications like Facebook,
Twitter, Google+, or WhatsApp.
 Many IM applications and protocols are not designed with security in mind, they
are designed for usability.
61 | P a g e
 A 2014 report on the level of safety offered by instant messengers only
7 out of 39 instant messengers received a perfect score, and the most
popular instant messengers scored 2 out of 7.
 IM connections are often sent in plain text, making them vulnerable to
eavesdropping.
 Software often requires the user to open UDP ports, increasing the
threat posed by potential security vulnerabilities.
 Web conferencing:
 An umbrella term for different types of online collaborative services including
webinars, webcasts, and peer-level web meetings.
 Commonly used ones are WebEx, GoToMeeting, Google Hangouts, TeamViewer,
...
 Done over TCP/IP connections, services often use real-time point-to-point
communications as well as multicast communications from one sender to many
receivers.
 It offers data streams of text-based messages, voice and video chat to be shared
simultaneously, across geographically dispersed locations.
 Applications where web conferencing is used: meetings, training events,
lectures, or presentations one-to-one or many-to-many like IMs.
 The use of web conferencing should align with your organizations policies, some
may if not implemented right be a security vulnerability.
 They can bypass some security by using SSL/TLS tunnels and acceptable
products should be hardened.
 WAP (Wireless Application Protocol):
 Used for accessing information over a mobile wireless network.
 A WAP browser is a web browser for mobile devices like mobile phones, it is a
micro browser, does not have full browser functionality, but also uses less
resources.
 The browser accesses sites written in WML (Wireless Markup Language), based
on XML.
 Widely used in the early 2000s, but has mostly been replaced with newer
standards and protocols.
 Most mobile devices now fully support HTML, and WAP is not really needed
anymore.
 CDN (Content Distribution Network):
 A geographically dispersed network of proxy servers and data centers.
 The client is sent to the server node with the lowest latency in MS.
 The client's webpages, software download, and video streaming is faster.
 The provider, saves on cost, sending traffic short distances vs. long distance and
it provides redundancy, and some DDOS protection.
62 | P a g e
 The idea is to distribute service spatially relative to
end-users to provide high availability and high
performance.
 Many different services can be provided over CDNs :
video streaming, software downloads, web and
mobile content acceleration, licensed/managed CDN,
transparent caching, and services to measure CDN
performance, load balancing, multi-CDN switching
and analytics and cloud intelligence.
Mobile Security:
 The more external devices we connect, the more complex policies, procedures and
standards we need.
 Mobile devices are really anything “mobile” – External hard disks, USB drives, CDs,
laptops, cell phones, ...
 Most internal threats are not malicious people. They just do not know any better, did
not think about it or figured they would not get found out.
 Good security policies should lock down USB ports, CD drives, network ports, wireless
networks, disable autorun on media, use full disk encryption, have remote wipe
capabilities, raise user awareness training on where (if anywhere) mobile devices are
allowed. (Defense in Depth)
 Cell phones are the mobile devices most often lost – Current Android and iOS phones all
have full disk encryption.
 We can add a lot more features to our company cell phones to make them more
secure.
 Remote wipe, find my device, lock after x minutes, number of failed passwords,
disable removable storage, …
 We can also use a centralized management system: MDM (Mobile Device
Management) controls a lot of settings.
 App Black/White list, Storage Segmentation, Remote Access Revocation,
Configuration Pushes, Backups.
 More controversial: Track the location of employees, monitor their data
traffic and calls.
Mobile Security:
 Laptops, Smartphones and Tablets are great productivity tools, but they (just like
anything else) have to be secured properly or they are a
liability.
 BYOD (Bring Your Own Device) - There should
be clear corporate
policies/procedures/guidelines.
 On/off boarding - How is the return of mobile
devices handled and enforced?
63 | P a g e
 It is much harder to standardize on BYOD. Is support staff ready for that many
devices, OSs, applications?
 Should we use MDM?
 How do we handle patch and virus management?

 Application whitelisting:
 We can whitelist the applications we want to allow to run on our environments,
but it can also be compromised.
 We would whitelist against a trusted digital certificate, a known hash or path
and name, the latter is the least secure, an attacker can replace the file at the
path with a malicious copy.
 Building the trusted application whitelist takes a good deal of time, but is far
superior to blacklisting, there are 10,000s of application and we can never keep
up with them.
 Removable Media Controls:
 Good security policies would also have us lock down USB ports, CD drives,
memory card ports and anything else where you can load malicious code onto
our systems from external devices.
 For servers we may rarely have to enable USB ports for firmware or other
updates, we would enable the ports while we use them and lock them right
away after, it is safer to be done centrally via group policies or similar.
Virtualization and Distributed Computing:

 Virtualization poses a whole new set of standards, best practices and security concerns.
 With Virtualization we have many servers (clients) on the same hardware platform
(host).
 Virtualization is software running under the OS and above the Hardware (Ring -1).
 Traffic between the clients on the host doesn't have to traverse our network.
 Common Virtualization software could be VMWare, Hyper-V or Xen.
 With Distributed Computing we use either multiple local or remote clients for our
needs, most commonly cloud computing. How do we ensure the cloud Data Center
meets our security posture, how do they segment their network?
 Virtualization holds a ton of benefits:
 Virtualized environments cost a lot less than all physical servers.
 It is much easier to stand up new servers (don't need to buy hardware, wait 2
weeks, rack it, run power/internet).
 You can easily backup servers with snapshots; server builds can be done with
images.
 You can instantly reallocate resources.
 They have lower power and cooling costs, a much smaller rack footprint (50-100
servers in the space of 5-8).

 Virtualization:
64 | P a g e
 Hypervisor - Controls the access
between the virtual guest/clients
and the host hardware.
 Type 1 hypervisor (Bare

Metal) is a part of a
Virtualization OS that runs
on top of the host
hardware (Think Data
Center).
 Type 2 hypervisor runs on top of a regular OS like Windows 10 - (Think your PC).

 Virtualization:
 Virtualization also poses new vulnerabilities,
because the technology is new-ish and very
complex.
 Clients on the same host should be on the same
network segment (Internal/DMZ). A host should
never house both zones.
 Clients should be logically separated on the
network like physical servers would be (HR,
Accounting, IT VLANs).
 VM Escape (Virtualization escape) is when an
attacker can jump from the host or a client to another client, this can be even more of a
concern if you have different Trust Level Clients on the same host. They should ideally
be on separate hosts.

 Cloud Computing - (There is no 'Cloud' it is just another computer somewhere else).
 When we use cloud computing we build or outsources some part of our IT
Infrastructure, storage, applications.
 This can be done for many good reasons, but most are cost related. It is cheaper to have
someone larger or more specialized in that one area doing it for us.
 Cloud Computing can be divided into 3 main types:
 Private Cloud Computing - Organizations build and run their own cloud
infrastructure (or they pay someone to do it for them).
 Public Cloud Computing - Shared tenancy – A company builds massive
infrastructures and rents it out to anyone who wants it. (Amazon AWS,
Microsoft, Google, IBM).
 Hybrid Cloud Computing – A mix of Private and Public Cloud Computing. An
organization can choose to use Private Cloud for sensitive information and
Public Cloud for non-sensitive data.
65 | P a g e
 As with any other outsourcing make sure you have the right to audit, pen test (clearly
agreed upon criteria), conduct vulnerability assessment, and check that the vendor is
compliant with your industry and the standards you adhere to.

 Cloud Computing Public Cloud Computing
 Platforms are normally offered as:
 IaaS - (Infrastructure as a Service) The
vendor provides infrastructure up to the
OS, the customer adds the OS and up.
 SaaS - (Software as a Service) The vendor
provides the OS and
applications/programs. Either the
customer interacts with the software
manually by entering data on the SaaS
page, or data is automatically pushed from your other applications to the SaaS
application (Gmail, Office 365, Dropbox, Payroll).

 Grid Computing – can make use of resources not currently in use from 100 or 100,000's of
computers to perform very complex tasks.
 Each node has a smaller subtask, but leveraging the entire Grid can make it be very
powerful and fast.
 Often used in problems so complex that they need that many nodes to be solved.
 BOINC (Berkeley Open Infrastructure for Network Computing) has over 4,000,000
machines enrolled, used for a wide variety of scientific research.
 Peer to Peer (P2P) - Any system can be a client and/or a server.
 Most commonly used on torrent networks to share music, movies, programs, pictures
and more (The majority without the copyright holder’s consent).
 Older versions had centralized index servers making it easier to disrupt a sharing
network, but the current versions uses no centralized infrastructure.
 Each client is often also a server and has the index. Taking down 10,000 in a network of
100,000 will just result in a network of 90,000, with no other discernible impact.

 Thin Clients (Boot sequence - BIOS > POST > TCP/IP > BOOTP or DHCP)
 Diskless Workstation (Diskless node) has all the normal hardware/firmware except the
disk, and the low level OS (BIOS), which performs the POST. It then downloads the
kernel and higher level OS.
 Thin Client Applications - We use a Web Browser to connect to the application on a
server on port 80 (HTTP) or port 443 (HTTPS). The full application is housed and
executed on the server vs. on your PC.
Database Security
 Polyinstantiation (Alternative Facts) – Two (or more) instances of the same file
depending on who accesses it.
66 | P a g e
 The real information may be available to subjects with Top Secret clearance, but
different information will be available to staff with Secret or lower clearance.
 Aggregation is a collection or gathering of data together for the purpose of statistical
analysis. (You see the bigger picture rather than the individual pieces of data).
 Inference requires deducing from evidence and reasoning rather than from explicit
statements.
 Data mining is the computing process of discovering patterns in large data sets.
 It uses methods combining machine learning, statistics, and database systems.
 Data Analytics is looking at what normal operations look like, then allowing us to more
proactively identify abuse from insider threats or compromised accounts.
We mitigate the attacks with Defense in Depth (again) – We secure the building, the entrances, the
doors, the network, the servers, the OS, the DB, screen the employees, … We have solid policies,
procedures, standards and guidelines.

 Buffer overflow (buffer overrun):
 An anomaly where a program, while writing data to a buffer, overruns the
buffer's boundary and overwrites adjacent memory locations, happen from
improper coding when a programmer fails to perform bounds checking.
 Buffers are areas of memory set aside to hold data, often while moving it from
one section of a program to another, or between programs.
 Buffer overflows can often be triggered by malformed inputs, if one assumes all
inputs will be smaller than a certain size and the buffer is created to be that size,
if an anomalous transaction produces more data it could cause it to write past
the end of the buffer.
 If this overwrites adjacent data or executable code, this may result in erratic
program behavior, including memory access errors, incorrect results, and
crashes.
 By sending in data designed to cause a buffer overflow, it is possible to write
into areas known to hold executable code, and replace it with malicious code.

 Race condition (race hazard):
 Two or more programs may collide in their attempts to modify or access a file.
 This can be an attacker with access, altering files which can then result in data
corruption or privilege escalation.
 TOCTOU (time of check to time of use):
 A software bug caused by changes in a system between the checking of
a condition (such as a security credential) and the use of the results of
that check.
 Privilege escalation:
 Exploiting a bug, design flaw or configuration oversight in an OS or application
to gain access to resources that are normally protected from an application or
user.
 Attacker often use this to elevate the user account they have gained access to,
in order to get administrator access.
67 | P a g e
 The result is that an application with more privileges than intended by the
application developer or system administrator can perform unauthorized
actions.

 Backdoors:
 Often installed by attackers during an attack to allow them access to the
systems after the initial attack is over, to exfiltrating data over time or to come
back and compromise other systems.
 Bypassing normal authentication or encryption in a computer system, a product,
or an embedded device, ...
 Backdoors are often used for securing remote access to a computer, or
obtaining access to plaintext in cryptographic systems.
 Disclosure:
 What do you do when you discover a vulnerability? we covered some of this in
the white, gray, black hat hacker section.
 Full disclosure: Tell everyone, make it public, assuming attackers already know
and are using it.
 Responsible/Partial disclosure: Telling the vendor, they have time to develop a
patch and then disclose it.
 If they do nothing we can revert to the full disclosure forcing them to
act.
 No disclosure: Attackers finding a vulnerability would try to exploit it and keep it
secret as long as possible.
System Vulnerabilities, Threats and Countermeasures.

 Emanations - Often Electromagnetic Emanations.
 Information that can be disseminated from the electrical changes from a system or a
wire.
 It is possible to log a user’s keystrokes on a smartphone using the motion sensor.
 It is unintentional information-bearing signals, which - if intercepted and analyzed - can
lead to a compromise.
 We can protect against Electromagnetic Emanations with heavy metals, but we would
have 80 lbs. (40 kg.) laptops.
 Covert Channels – Creates the capability to transfer information using channels not intended to
do so.
 Covert Timing Channels: Operations that affect the "real response time observed" by
the receiver.
 Most common is username/password - wrong username takes 100ms to
confirm, wrong password takes 600ms to confirm, you get the "Wrong
username or password" error, but an attacker can tell when they use a correct
username because of the delay difference.
 Covert Storage Channels: Hidden information through the modification of a stored
object.
 Certain file sizes have a certain meaning.
68 | P a g e
 Attackers can add data in payload if outbound ICMP packets (Unless we need it,
block outbound ICMP packets).

 Covert Channels
 Steganography - Hiding a message within another media
(invisible ink and the hidden clues in da Vinci's paintings).
 The messages can be hidden in anything really; most
common are images and soundtracks.
 On images like this one, the program changes the
shading of some of the pixels of the image. To the naked
eye, it is not noticeable, but a lot of information can be
hidden in the images this way.
 Hidden in the bottom image is the first chapter of Great
Expectations (Charles Dickens, 1867 Edition - 4 pages at
font size 11 , 1827 words, 7731 characters).
 Digital Watermarks encode data into a file.
 The watermark may be hidden, using steganography, or
visible watermarks.
 Often used to fingerprint files (the file is identified as yours).

 Malware (Malicious Code) - This is the catch-all name for any malicious software used to
compromise systems or data.
 Viruses - require some sort of human interaction and are often transmitted by USB
sticks or other portable devices.
 When the program is executed it replicates itself by inserting its own code into other
programs.
 Macro (document) viruses: Written in Macro Languages, embedded in other
documents (Word, Outlook).
 Boot Sector viruses: Infect the PC's boot sector or the Master Boot Record,
ensuring they run every time the PC boots.
 Stealth Viruses: Try to hide themselves from the OS and antivirus software.
 Polymorphic Viruses: Change their signature to avoid the antivirus signature
definitions. Well-written polymorphic viruses have no parts which remain
identical between infections, making it very difficult to detect directly using
antivirus signatures.
 Multipart (Multipartite) Viruses: Spread across multiple vectors. They are often
hard to get rid of because even if you clean the file infections, the virus may still
be in the boot sector and vice-versa.

 Malware (Malicious Code)
 Worms - spread through self-propagation - they need no human interaction, they do
both the payload damage and replicate through aggressive network use (also makes
them easier to spot).
69 | P a g e
 Trojans - malicious code embedded in a program that is normal. This can be games,
attachments, website clicks, etc. …
 Rootkits - Replace some of the OS/Kernel with a malicious payload. User rootkits work
on Ring 3 and Kernel rootkits on Ring 0.
 Logic Bombs - Malicious code that executes at a certain time or event - they are
dormant until the event (IF/THEN).
 IF Bob is not getting an annual bonus over $10,000, THEN execute malicious
code.
 IF date and time 5/15/18 00:02:12, THEN execute malicious code.
 Packers – Programs to compress *.exe files, which can be used to hide malware in an
executable, neutral technology.
 Antivirus Software - tries to protect us against malware.
 Signature based - looks for known malware signatures - MUST be updated
constantly.
 Heuristic (Behavioral) based - looks for abnormal behavior - can result in a lot of
false positives.

 Malware (Malicious Code)
 Server (Service) Side Attacks:
 Attack directly from an attacker to a target.
 Defense in Depth can mitigate some of these.
 The term "Server" does not mean only servers, just that the attack is directly
aimed at the end target. (They come to you).
 Client Side Attacks:

 The client initiates, then gets infected with malicious content usually from web
browsers or instant messaging applications. (You go to them).
 Since most firewalls protect inbound mostly client side attacks are often more
successful.
Physical Security
 As part of physical security we also design "Design-in-Depth" into our plan.
 Preventative Controls:
 Prevents action from happening – Tall fences, locked doors, bollards.
 Detective Controls:
 Controls that detect an attack (before, during or after) – CCTV, alarms.
 Deterrent Controls:
 Controls that deter an attack – fences, security guards, dogs, lights,
Beware of the Dog signs.
 Compensating Controls:
 Controls that compensate for other controls that are impossible or too
costly to implement. We may not be able to move our datacenter or
change the foundation, but we can add absorbers under the sub-floor,
in the racks, …
 Administrative Controls:
70 | P a g e
 Controls that give us administrative framework – compliance, policies,
procedures.
Physical Security
 Perimeter defense:
 Fences (Deterrence, Preventative):
 Smaller fences such as 3ft. (1m) can be a deterrence, while taller ones,
such as 8ft. (2.4m) can be a prevention mechanism.
 The idea of the fences is to ensure entrance/exits from the facility
happen through only a few entry points (doors, gates, turnstiles).
 Gates (Deterrence, Preventative):
 Placed at control points at the perimeter.
 Used with the fences to ensure access only happens through a few entry
points.
 ASTM Standard:
 Class I Residential (your house) - Class II Commercial/General
Access (parking garage).
 Class III Industrial/Limited Access (loading dock for 18-wheeler
trucks).
 Class IV Restricted Access (airport or prison).
Physical Security
 Bollards (Preventative):
 Used to prevent cars or trucks from entering an area while allowing foot
traffic to pass.
 Often shops use planters or similar; it looks prettier, but achieves the
same goal.
 Most are static heavy duty objects, but some cylindrical versions can
also be electronically raised or lowered to allow authorized traffic past a
"no traffic" point. Some are permanent fixtures and can be removed
with a key or other unlock function.
 Lights (Detective and Deterrence):
 Lights should be used to fully illuminate the entire area.
 Lights can be static, motion activated (static) or automatic/manual
Fresnel lights (search lights).
 Measured in lumen - 1 lumen per square foot or lux - 1 lumen per
square meter more commonly used.
Physical Security
 CCTV (Closed Circuit Television) (Detective, Deterrence) - used to monitor the
facility’s perimeter and inside it.
 Normal cameras use normal light spectrum; proper lighting is essential.
 Infrared cameras pick up heat signatures and work similar in light and
dark.
71 | P a g e
 Older cameras are analog and use video tapes for storage (often VHS);
quality is often bad, unclear.
 Modern cameras are digital and use CCD (Charged Couple Discharge);
also use a DVR (Digital Video Recorder) which stores on a local server or
device, or an NVR (Network Video Recorder), which stores the video on
a remote network location. This last option is preferable, as it is
centralized and more secure.
 Organizations may have retention requirements either from policies or
legislation that requires a certain retention of their video (this could be
bank ATM, data center or entry point footage).
 Cameras can be either static or non-static (automatic or manual).
 We have all seen the spy or heist movies where they avoid them
by knowing the patterns and timers.
 This risk can be mitigated with a randomizer or pseudo
randomizer, we want to ensure full coverage.
Physical Security
 Locks (Preventative):
 Key locks:
 Requires a physical key to unlock;
keys can be shared/copied.
 Key Bitting Code (How far the key is
bitten down for that section.) – Can
be copied and replicated without
the key from either the numbers or
a photo of it.
 Pin Tumbler Lock (or Yale lock) – A
lock mechanism that uses pins of
varying lengths to prevent the lock from opening without the
correct key.
Physical Security
 Key Locks (continued):
 Lock Picking - with a lock pick sets or bumping,
opening a lock without the key.
 Any key lock can be picked or bumped;
how long it takes depends on the quality
of the lock.
 Lock pick sets lift the pins in the
tumbler, opening the lock.
 Lock Bumping - Using a shaved-down key that
matches the lock, the attacker "bumps" the key
72 | P a g e
handle with a hammer or screwdriver which makes the pins
jump, then the attacker quickly turns the key.
Physical Security
 Key Locks (continued):
 Master Keys open any lock in a given area or security zone.
 Should be very closely guarded,
both who has them and where
they are kept at all times.
 Core Key is used to remove a lock core in
"interchangeable core locks."
 An interchangeable core, or IC, is
a compact keying mechanism in a
specific figure-eight shape.
 Relies upon a specialized
"control" key for insertion and
extraction of the core.
 Should be kept secure and access should be very
restricted.
Physical Security
 Combination Locks:
 Not very secure and have limited accountability even with
unique codes.
 Should be used for low security areas.
 Can be Dial type (think safe), Button or
Keypad.
 Very susceptible to brute force, shoulder
surfing and are often configured with weak
security (I know of a good deal of places
where the code is the street number).
 Over time the buttons used for the code will have more wear
and tear
 A 4-number PIN where 4 keys are used, the possible
combinations are no longer 10,000, but 256; if 3 keys, then 81
options.
Physical Security
 Perimeter Defense:
 Smart Cards (contact or contactless):
 They contain a computer circuit, using ICC (Integrated Circuit Card).
73 | P a g e
 Contact Cards - Inserted into a machine to be
read.
 This can be credit cards you insert into
the chip reader or the DOD CAC
(Common Access Card).
 Contactless Cards - can be read by proximity.
 Key fobs or credit cards where you just
hold it close to a reader.
 They use an RFID (Radio Frequency Identification) tag
(transponder) which is then read by an RFID Transceiver.
 Magnetic Stripe Cards:
 Swiped through a reader, no circuit.
 Very easy to duplicate.
Physical Security
 Perimeter Defense (continued):
 Tailgating/Piggybacking:
 Following someone authorized into an area you are not authorized to
be in.
 Often combined with Social Engineering.
 It is easy to do if your reason for being there seems plausible.
 Bring a lot of food, a cake and some balloons, have on clothes, ID badge
and tools that a repairman would, the options are endless.
 Mantrap:
 A Mantrap is a room with 2 doors; door 1 must close completely before
Door 2 can be opened.
 Each door has a different authentication method (something you know,
something you have, and something you are).
 They can at times use weight sensors - Bob weighs 220 lbs. (100kg), the
weight measured by the pressure plate is 390 lbs. (177kg), someone is
probably in the room with Bob. Door 2 won’t open until Bob is
confirmed alone in the Mantrap with a cart of old servers, normally
done by the cameras in the trap.
Physical Security
 Turnstiles (Preventative, Deterrence):
 Also prevents tailgating, by only allowing 1 person to
enter per Authentication (think like in US subway
systems or amusement park entries, but for secure
areas they are often floor to ceiling turnstiles with
interlocking blades.
Both Mantraps and Turnstiles should be designed to allow safe evacuation in case of
an emergency. (Remember that people are more important to protect than stuff.)
74 | P a g e
Physical Security
 Contraband Checks (Preventative, Detective, Deterrent):
 Often seen in airports, courthouses, intelligence offices or other higher
security facilities.
 Checking what you are bringing in or out of the building to ensure
nothing dangerous gets in or anything confidential gets out.
 With technology becoming much smaller, these are less effective when
it comes to data theft; it is easy to hide a micro SD memory card, which
can contain up to 256GB of data per card.
Physical Security
 Motion Detectors (Detective, Deterrence):
 Used to alert staff by triggering an alarm (silent or not).
 Someone is here, did an authorized person pass the checkpoint?
 IF yes, then log the event and do nothing else - IF no,
then alert/alarm.
 Basic ones are light-based - They require light, making them
not very reliable.
 Ultrasound, Microwave, Infrared or Laser (pew-pew!!)
 Active sensors, they send energy (sound, wave or
light).
 If the sound takes less time to return or the pattern it receives
back is altered, it means someone is somewhere they should
not be.
 Photoelectric motion sensors send a beam of light to a sensor; if
broken the alarm sounds. These are the pew-pew lasers and
sorry, no, they are not green or red and they are rarely visible.
Physical Security
 Perimeter Alarms:
 Door/window sensors – these are the thin strips around the edges of
either, and also contact sensors.
 If opened an alarm sounds; if broken, same effect.
 Can be circumvented, but they are part of a layered defense.
 Walls, windows, doors and any other openings should be considered
equally strong.
 Walls are inherently stronger; the rest need compensating measures
implemented (locks, alarms, sensors).
 Glass is normally easy to break, but can be bullet and/or explosion
proof, or have a wire mesh in the middle.
 Plexiglass can also be used, as it is stronger and does not shatter, but
can be melted.
 Door hinges should always be on the inside (or hidden in the door).
75 | P a g e
 Just like the turnstiles and mantraps, doors (and in some cases
windows) should be designed to allow safe exit from the building in case
of an emergency. Often there is a "Panic Bar" that opens the door, but
they are also connected to alarms that sound when opened (clearly
labeled Emergency Only - Alarm WILL Sound).
Physical Security
 Walls, Floors, and Ceilings:
 In line with our layered defense strategy, the strong security
encountered in getting to a data center does nothing if there is a crawl
space that an attacker can use.
 We need to secure all possible ways into our Data Center or other
secure location.
 Walls should be "slab to slab" (from the REAL floor to the REAL ceiling);
if sub-flooring or sub-ceilings are used, then they should be contained
within the slab to slab walls.
 Walls, floors and ceilings should be made of materials (where it makes
sense) that are secure enough for that location, e.g. don't have
sheetrock around your Data Center because I can cut that with a knife.
 Walls, floors and ceilings should have an appropriate fire rating.
 So should your doors, but walls, floors and ceilings are more
often overlooked.
 This is to protect the Data Center from outside fire, but just as
well the rest of the building from a Data Center fire.
Physical Security
 Guards – (Deterrent, Detective, Preventative, Compensating)
 Guards can serve many diverse purposes for an organization.
 They can check credentials/ID Cards, monitor
CCTV cameras, monitor environmental controls
(HVAC), react to incidents, act as a deterrent and
so much more.
 Professional Guards - Professional training and/or
schooling; armed.
 Amateur Guards - No professional training or
schooling; armed.
 Pseudo Guard - Unarmed guard.
 Guards should have a very clear set of rules and
regulations.
 Social engineering attacks are common and should
be prevented with training to raise awareness.
76 | P a g e
 Dogs (Deterrent, Detective, Compensating):
 Most often used in controlled, enclosed areas.
 Liability can be an issue.
 Dogs are trained to corner suspects and attack
someone who’s fleeing. People often panic when
they encounter a dog and run.
 Even if they’re in a secure area the organization may still be liable for
injuries.
 Can also be internal authorized employees walking out the wrong door
or trying to take a shortcut.
 They panic and the dog attacks.
Physical Security
 Restricted Work Areas and Escorts.
 To track and funnel authorized visitors we can use visitor badges, visitor
logs and escorts.
 Non-electronic visitor badges are easy to make copies of and easy to
fake.
 Electronic can be just a cheap re-programmable magnetic strip (like for
hotel rooms, easy to copy). Make sure they have a short window of use,
or more secure individually printed ones for each visit, and only used
once.
 The return of all badges and physical sign-out should be enforced when
the visitor leaves.
 When a vendor is coming to repair, install or remove something in your
facility, they need to be checked in and escorted from the entry point to
where they are going to work by an employee, and the employee
should stay with the vendor until the work is completed.
 The vendor’s employees should already have passed a security check
when they were hired; the vendor is liable.
 This sounds and is boring, but it is more likely to prevent the vendor
from compromising your security than if they were free to roam the
facility and the data center unsupervised.
Physical Security
 Site Selection, Design and Configuration:
 Before building a new facility, it is very important to
do proper research and planning.
 Multiple factors need to be considered, but for the
exam you need to think about the security ones.
 Site Selection:
 Greenfield - Not built on yet; undeveloped
land.
77 | P a g e
 Topography - the physical shape of the landscape - hills, valleys, trees,
streams. Most often used at military sites where they can leverage
(sometimes by altering) the topology for better security.
 Utilities - How reliable is the power, the internet in the area?
 Crime - How high are the crime rates in the area? How close are the
police?
Physical Security
 Site Design:
 Site Marking:
 Do not advertise your data
center’s (or other critical)
locations.
 The more nondescript and boring
the building is, the less attention it
gets (security through obscurity).
 A determined attacker can
obviously find the information,
but the harder you make it, the less your chances of being
compromised.
 Example: Don't name your credit card processing server
creditcard001.
Physical Security
 Shared Tenancy and Neighbors
 Sharing your building with someone else poses other security risks; the
people working at or visiting those organizations are already past the
perimeter.
 Their bad security posture can be a risk to yours.
 Attackers can set up base right next door, they can eavesdrop and
attack on your wireless without causing much suspicion.
 Think of the many movies with bank robberies or great heists where
they go through a neighbor’s wall, ceiling or floor.
 These all have a basis in reality from real robbers who did just that.
Physical Security
 Wiring Closets
 If shared, the other tenants have access to your network. You can lock it
down, but it is still a big security concern. I have seen a place where
one tenant had all their equipment bolted to the wall, but the wires
were exposed; it would be easy to attach a sniffer to that.
 Demarc - Point of Demarcation (POD) :
78 | P a g e
 Where the ISP (Internet Service Provider) terminates their
phone/internet lines and your network begins; most buildings only have
one.
 When shared, it is a security concern that other tenants have access.
Can they access your equipment?
 IPv4 is not inherently secure and ISP connections are not either. You
must add the security on your end.
 It is desired to have strong Access Control for the Demarc. If not
possible, find another location. (IAAA)
 For secure sites or sites that need high uptime it is common to have
multiple Demarcs from multiple ISPs. How segmented and secure each
Demarc is depends on your information security posture.
Physical Security
 Server Rooms and Data Centers:
 Many Data Centers were designed for our past requirements and not
how much data we move today.
 Pop-up server rooms are built when we outgrow our current Data
Center and we bolt-on somewhere in the building that was NOT built for
that purpose.
 They often lack proper walls, floors, ceilings, flood prevention; bolted-
on and not designed-in is less secure.
 I have seen a bolt-on server room where there were showers and
bathrooms just above it. What a fun day they would have if the
floor/ceiling started leaking.
 Data Center Build or Expansion:
 How much HVAC (Heating, Ventilation and Air Conditioning) do
we need for now/future use?
 Which natural events do we need to factor in for where we are
(e.g. hurricanes, floods, tornadoes)?
 Do we have enough Power for current/future use; is the grid
stable? Are blackouts or brownouts common? Brownout = drop
in voltage (lights flicker). Blackout = power is interrupted
completely.
Physical Security
 Server Rooms and Data Centers:
 Data Center Build or Expansion (continued):
 Power:
 What size generators do we need?
 How large of a UPS (Uninterruptible
Power Supply)? Huge battery bank also
ensures consistent voltage.
 Fire Suppression:
79 | P a g e
 Dry pipe vs. wet pipe.
 Halon/Chemical/FM200.
 Fire extinguishers.
Environmental Controls
 HCAC
 Heat:
 Many data centers are kept too cold;
the last decade’s research has shown
it is not needed.
 Common temperature levels range
from 68–77 °F (20–25 °C) - with an
allowable range of 59–90 °F (15–
32 °C).
 Keeping a data center too cold wastes
money and raises humidity.
 Pressure:
 Keeping positive pressure keeps
outside contaminants out.
 Humidity:
 Humidity should be kept between 40 and 60% rH (Relative Humidity).
 Low humidity will cause static electricity and high humidity will corrode metals
(electronics).
 HCAC (continued):
 Drains:
 Many data centers use subflooring where
water and contaminants (mostly dust) can
gather. If an HVAC unit malfunctions, it can
leak water.
 It is important to have sensors in the subfloor
for both water and dust, and to regularly
vacuum the space.
 Static Electricity:
 Can be mitigated by proper humidity control, grounding all
circuits, using antistatic wrist straps and work surfaces.
 All personnel working with internal computer equipment
(motherboards, insert cards, memory sticks, hard disks) should
ground themselves before working with the hardware.
80 | P a g e
 Heat, Flame, and Particle/Smoke Detectors:
 All used for detecting fires or potential fires, they are connected to warning lights, sirens
and suppression systems.
 Heat Detectors:
 Configured to trigger when a certain threshold is exceeded (Rise of 10° F in < 5
minutes or rising above 90° F).
 Smoke Detectors: (Ionization or Photoelectric):
 Ionization detectors have a small radioactive source which creates a small
electric charge.
 Photoelectric uses LED (Light Emitting Diode) and a photoelectric sensor that
produces a small charge while receiving light.
 Both trigger when smoke or any higher particle density interrupts the
radioactivity or light.
 Flame Detectors:
 Flame detectors detect infrared or ultraviolet light emitted by fire.
 They require line of sight to detect the flame.
 Electricity - It is important to have clean, reliable power for our servers, disk arrays, network
equipment.
 Loss of power can affect our availability and the Integrity of our data.
 Nothing can be accessed and power fluctuations can damage hardware and
corrupt data.
 Power Fluctuation Terms:
 Blackout - Long loss of power.
 Fault - Short loss of
power.
 Brownout - Long low
voltage.
 Sag - Short low
voltage.
 Surge - Long high
voltage.
 Spike - Short high voltage.
 Electricity:
 Surge Protectors, UPSs and Generators are used to get clean
power.
 Surge Protectors - Protect equipment from high
voltage.
 UPSs (Uninterruptible Power Supplies):
 Ensure constant clean power to the systems.
81 | P a g e
 Have large battery banks that take over in the event of a power outage;
they also act as surge protectors.
 Generator:
 Fueled generators are programmed to manually or automatically
(preferred) kick in during a power outage event.
 Will run as long as they have fuel, must be maintained.
 PDU (Power Distribution Unit) can be in rack or not.
 Electricity:
 EMI (Electromagnetic Interference)
 Disturbance generated by an external source that affects an electrical circuit by
electromagnetic induction, electrostatic coupling, or conduction.
 In our world this includes circuits, power cables, network cables, ...
 Often this is an issue with network cables that are not shielded properly or run
too closely to power cables. Magnetism from one cable “crosses” over to a
neighbor cable (crosstalk).
 This can impact the Integrity (data corruption), Confidentiality (data sniffed),
and Availability (data unavailable).
 Crosstalk is avoided with proper cable management, and by using STP (Shielded
Twisted Pair) cables, not UTP (Unshielded Twisted Pair) cables.
 Power cables should never be run close to copper data cables.
 Fiber optic cables are used when it makes sense (not susceptible to EMI or
sniffing, since they are glass).
 On the exam, if asked for the cheapest secure cables, fiber > copper; while not
as cheap they are way more secure.
 Continuity of Operations:
 Fault tolerance:
 To ensure our internal SLAs and provide as high availability as possible we use as
high degree of redundancy and resiliency as makes sense to that particular
system and data set.
 Backups:
 One of the first things that comes to mind when talking about fault
tolerance is backups of our data, while it is very important it is often like
log reviews an afterthought and treated with "Set it and forget it"
mentality.
 For backups we use Full, Incremental, Differential and Copy backups,
and how we use them is determined on what we need from our
backups.
 How much data we can stand to lose and how fast we want the backup
and restore process to be.
 In our backup solution we make backup policies of what to back up,
what to exclude, how long to keep the data of the Full, Incremental and
Differential backups.
82 | P a g e
 All these values are assigned dependent on what we back up, and
normal organizations would have different backup policies and apply
those to the appropriate data.
 Backups:
 This could be Full 3, 6, 12, 36, 84 months and infinity, the retention is
often mandated by our policies and the regulations in our field of
business.
 It is preferable to run backups outside of business hours, but if the
backup solution is a little older it can be required to run around the
clock, in that case we put the smaller and less important backups in the
daytime and the important larger ones after hours.
 We often want to exclude parts of the system we are backing up, this
could be the OS, the trashcan, certain program folders,... we just backup
what is important and rarely everything.
 If a system is compromised and the issue is a rootkit, the rootkit would
persist on the backup if we did a full mirror restore, by eliminating some
of the system data we not only backup a lot less data, we also may
avoid the infection we are trying to remedy.
 For very important data we may do hourly incrementals or use another
form of data loss prevention (covered later in this chapter).
 Backups:
 Full back up:
 This backs everything up, the
entire database (most often), or
the system.
 A full backup clears all archive
bits.
 Dependent on the size of the
data we may do infrequent full
backups, with large datasets it
can take many hours for a full
backup.
 Backups:
 Incremental backups:
 Backs up everything that has changed
since the last backup.
 Clears the archive bits.
 Incrementals are often fast to do, they
only backup what has changed since
the last incremental or full.
83 | P a g e
 The downside to them is if we do a monthly full backup and
daily incrementals, we have to get a full restore and could have
to use up to 30 tapes, this would take a lot longer than with 1
Full and 1 Differential.
 Backups:
 Differential backup:
 Backs up everything since the last Full backup.
 Does not clear the archive bit.
 Faster to restore since we just
need 2 tapes for a full restore, the
full and the differential.
 Backups take longer than the
incremental, we are backing
everything since the last full.
 Never use both incremental and
differential on the same data, it is
fine on the same backup solution, different data has different
needs.
 Backups:
 Copy backup:
 This is a full backup with one important difference, it does not
clear the archive bit.
 Often used before we do system updates, patches and similar
upgrades.
 We do not want to mess up the backup cycle, but we want to be
able to revert to a previous good copy if something goes wrong.
 Archive bit:
 For Windows the NTFS has an archive bit on file, it is a flag that
indicates if the file was changed since the last Full or
Incremental backup.
 On our systems we build in fault tolerance to give them as high as possible uptime, we
do this with redundant hardware and systems, one of the practices we
use is RAID.
 RAID (Redundant Array of Independent/Inexpensive Disks):
 Comes in 2 basic forms, disk mirroring and disk striping.
 Disk mirroring:
 Writing the same data across multiple hard disks, this is
slower, the RAID controller has to write all data twice.
 Uses at least 2 times as many disks for the same data
storage, needs at least 2 disks.
84 | P a g e
 Disk striping:
 Writing the data simultaneously across multiple disks providing higher
write speed.
 Uses at least 2 disks, and in itself does not provide redundancy.
 We use parity with striping for the redundancy, often by XOR, if we use
parity for redundancy we need at least 3 disks.
 There are many different types of RAID, for the exam I would know
the above terms and how RAID 0, 1 and 5 works.
 RAID 0:
 Striping with no mirroring or parity, no fault tolerance, only
provides faster read write speed, requires at least 2 disks
 RAID 1:
 Mirror set, 2 disks with identical data, and write function is written
to both disks simultaneously.
 RAID 5:
 Block level striping with distributed parity, requires at least 3 disks.
 Combined speed with redundancy.
 RAID will help with data loss when we have a single disk failure if we use
a fault tolerant RAID type, if more than one disk fails before the first is
replaced and rebuilt, we would need to restore from our tapes.
 Most servers have the same disks with the same manufacturer date,
they will hit their MTBF (Mean time between failures) around the same
time.
 Larger data centers often have SLAs with the hard disk/server vendor, which also
includes MTTR (Mean time to repair).
 This could be within 4 or 8 hours the vendor has to be onsite with a replacement disk.
 System redundancy:
 On top of the RAID and the backups we also try to provide system redundancy
as well as redundant parts on the systems.
 The most common system failures are from
pieces with moving parts, this could be
disks, fans or PSU (power supplies).
 Most servers have redundant power
supplies, extra fans, redundant NICs.
 The NIC and PSU serve a dual purpose, both for internal redundancy and
external. If a UPS fails, the server is still operational with just the 1 PSU getting
power.
85 | P a g e
 Redundant disk controllers are also reasonably common, we design and buy the
system to match the redundancy we need for that application.
 Often we have spare hardware on hand in the event of a failure, this could
include hard disks, PSUs, fans, memory, NICs.
 Many systems are built for some hardware to be hot-swappable, most
commonly HDDs, PSUs and fans.
 If the application or system is important we often also have multiple systems in
a cluster.
 Multiple servers often with a virtual IP, seen as a single server to users.
 Clustering is designed for fault tolerance, often combined with load balancing,
but not innately.
 Clustering can be active/active, this is load balancing, with 2 servers both
servers would actively process traffic.
 Active/passive: There is a designated primary active server and a secondary
passive server, they are connected and the passive sends a keep-alive or
heartbeat every 1-3 seconds, are you alive, are you alive ...
 AS long as the active server responds the passive does nothing, if the active
does not respond for (normally) 3 keepalives the passive assumes the primary is
dead and assumes the primary role.
 In well-designed environments the servers are geographically dispersed.
 We can also use other complementary backup strategies to give ourselves more
real time resilience, and faster recovery.
 Database shadowing:
 Exact real time copy of the database or files to another location.
 It can be another disk in the same server, but best practice dictates
another geographical location, often on a different media.
 Electronic vaulting (e-vaulting):
 Using a remote backup service, backups are sent off-site electronically
at a certain interval or when files change.
 Remote journaling:
 Sends transaction log files to a remote location, not the files
themselves. The transactions can be rebuilt from the logs if we lose the
original files.
Physical Security
 Media Storage and Locations:
 Where and how you store your offline data/media and (preferably) offsite is
dictated by internal policies, procedures and compliance requirements.
 All storage media should be encrypted (Data at Rest).
 Media (often tape) should be stored at an offsite facility designed for just that.
86 | P a g e
 The facility should be climate controlled (temperature, humidity) less strict than
a data center, standards still apply.
 Tape will deteriorate at a certain temperature just like disks will corrode
at a certain humidity.
 The storage facility should be secure, licensed and bonded (both for
transport and storage).
 Lost data is just as lost, but they are liable.
 Under an employee’s bed is NOT an OK place to store backups.
 Multiple incidents have happened when this was done, and break-ins relieved
the employees of the tapes, which in many cases were NOT encrypted.
Welcome to $10,000, $100,000 or $1,000,000 fines/lawsuits or loss of revenue
from the bad publicity hit. (Data at Rest should always be encrypted).
Physical Security
 Asset Tracking:
 Keeping an accurate inventory of all our assets is important; we cannot protect
what we do not know we have.
 We covered this a little in our risk analysis section, but other than identifying
the assets, we also should have it as part of our technology refresh cycle to
record the Asset Serial Number, Model Number and often an internal Asset ID.
 Hardware Hardening:
 On our servers - we harden the server.
 Apply all patches, block ports not needed, delete default users, … most
places are good about this.
 Workstations are often overlooked.
 Disabling the USB Ports, CD drives and any other port that can introduce malware to
our network.
 Physically: Disabled on motherboard or port itself blocked, easy to bypass - not
very secure.
 Logically: Locked in Windows services or through AD (Active Directory) is not
easy to bypass (if done right) - more secure.

 The Internet of Things (IoT) – This is one of the new things added to the 2015 CISSP update.
 It is really anything “Smart“: Smart TVs, Thermostats, Lightbulbs, Cars, and anything
that connects to the internet in some way (that did not before).
 They can be an easy way into your smart device, as most are never patched (many do
not even have the option).
 Most devices have very basic security (if any). They use the default login/password and
they often use well-known ports, making them easy to target. We harden here, we
patch, segment the network, lock ports and change defaults.
 They are not only simple to hack, but can also provide attackers an easy way onto your
network. If you use it in your organization or at home, segment that part of the network
off from everything else and lock it down.
87 | P a g e
What we covered in Domain 2
 As the name indicates, how do we manage our risk?
 What can we do to reduce the risk to an acceptable level?
 We identify all of our assets, and do qualitative and quantitative risk analysis.
 We cover the COBIT5, ISO27001/2, NIST 800-37, and NIST 800-53.
 System and software vulnerabilities.
 Networking, networking devices, IP, NAT, PAT, …
 Physical security.
 Redundancy, RAID, backups.
88 | P a g e
Welcome to the third CISM Domain.
 Access control. - MAC, DAC, RBAC, ABAC
 Objects and subjects.
 IAAA - Identification and Authentication, Authorization and Accountability
 Type 1, 2, and 3 authentication - Something you know, something you have, and
something you are
 The history of cryptography, symmetric/asymmetric encryption, hashing, and digital
signatures
 Patch management, configuration management, and change management
 Security assessment and security audits.
 Software testing.
 Buying software from other companies.
 Data remanence and destruction.
Access Control Defensive Categories and Types:

 Access Control Categories:
 Administrative (Directive) Controls:
 Organizational policies and procedures.
 Regulation.
 Training and awareness.
 Technical Controls:
 Hardware/software/firmware – Firewalls, routers, encryption.
 Physical Controls:
 Locks, fences, guards, dogs, gates, bollards.
Access Control Defensive Categories and Types:

 Access Control Types (Many can be multiple types – On the exam look at question
content to see which type it is).
 Preventative:
 Prevents action from happening – Least privilege, drug tests, IPS,
firewalls, encryption.
 Detective:
 Controls that Detect during or after an attack – IDS, CCTV, alarms, anti-
virus.
 Corrective:
 Controls that correct an attack – Anti-virus, patches, IPS.
 Recovery:
 Controls that help us recover after an attack – DR Environment,
backups, HA Environments.
 Deterrent:
 Controls that Deter an attack – Fences, security guards, dogs, lights,
Beware of the dog signs.
 Compensating:
1|Page
 Controls that Compensate – other controls that are impossible or too
costly to implement.
 Access Control:
 Our Access Control is determined by our policies,
procedures, and standards.
 This outlines how we grant access whom to what:
 We use least privilege, need to know, and we give
our staff and systems exactly the access they need
and no more.
 Access control spans all the layers of our defense in depth
model, different permissions are granted to different
subjects depending on their need to access the systems or
data and that adheres to the procedures for that area.
 We covered some of the physical parts of access control in
Domain 3’s Physical Security, how we use fences, locks,
turnstiles, bollards, ...
 On the logical side we do this by implementing the access security models we talked
about in Domain 1, how we Identify, Authenticate, Authorize our subjects and how we
keep them Accountable (IAAA).
 We never use group logins or accounts, they have no accountability.
IAAA (Identification and Authentication, Authorization and Accountability):

 Identification
 Your name, username, ID number, employee number, SSN
etc.
 “I am Thor”.
 Authentication
 “Prove you are Thor”. – Should always be done with multi-
factor authentication!
 Something you know - Type 1 Authentication
(passwords, pass phrase, PIN etc.).
 Something you have - Type 2 Authentication (ID,
passport, smart card, token, cookie on PC etc.).
 Something you are - Type 3 Authentication (and
Biometrics) (Fingerprint, iris scan, facial geometry
etc.).
 Somewhere you are - Type 4 Authentication (IP/MAC Address).
 Something you do - Type 5 Authentication (Signature, pattern unlock).
IAAA:
 Authorization
 What are you allowed to access – We use Access
Control models, what and how we implement
depends on the organization and what our security
2|Page
goals are. More on this in Domain 5 - Identity and Access Management (DAC, MAC,
RBAC, RUBAC)
 Accountability (also often referred to as Auditing)
 Trace an Action to a Subject’s Identity:
 Prove who/what a given action was performed by (non-repudiation).
IT Security is there to Support the organization.
 We are there to enable the organization to fulfil its mission statement and the business’
goals.
 We are not the most important part of the organization, but we span the entire
organization.
 We are Security leaders and Business leaders – Answer exam questions wearing BOTH
hats.

 Least Privilege and Need to Know.
 Least Privilege – (Minimum necessary access) Give users/systems exactly the
access they need, no more, no less.
 Need to Know – Even if you have access, if you do not need to know, then you
should not access the data.
 Non-repudiation.
 A user can not deny having performed a certain action. This uses both
Authentication and Integrity.
 Subject and Object.

 Subject – (Active) Most often users, but can also be programs – Subject
manipulates Object.
 Object – (Passive) Any passive data (both physical paper and data) – Object is
manipulated by Subject.
 Some can be both at different times, an active program is a subject; when
closed, the data in program can be object.
 IAAA Access Management:

 Something you know - Type 1 Authentication:
 Passwords, pass phrase, PIN etc., also called Knowledge factors.
 The subject uses these to authenticate their identity, if they know the secret,
they must be who they say they are
 This is the most commonly used form of authentication, and a password is the
most common knowledge factor.
 The user is required to prove knowledge of a secret in order to authenticate.
3|Page
 Variations include both longer ones formed from multiple words (a passphrase)
and the shorter purely numeric PINs (personal identification number)
commonly used for cash machines (ATM’s).
 It is the weakest form of authentication, and can easily be compromised.
 Secret questions like "Where were you born?" are poor examples of a
knowledge factor, it is known by a lot of people and can often be researched
easily.
 Sarah Palin had her email account hacked during the 2008 US
Presidential campaign using her secret questions. Since she used basic
ones (high school and birthday, …) the hackers could easily find that
information online, he reset her password with the information and
gained full control of her email account.

 Passwords:
 It is always easier to guess or steal passwords than it is to break the
encryption.
 We have password policies to ensure they are as secure as possible.
 They should contain minimum length, upper/lower case letters,
numbers and symbols, they should not contain full words or
other easy to guess phrases.
 They have an expiration date, password reuse policy and
minimum use before users can change it again.
 Common and less secure passwords often contain:
 The name of a pet, child, family member, significant
other, anniversary dates, birthdays, birthplace, favorite
holiday, something related to a favorite sports team, or
the word "password".
 Winter2017 is not a good password, even if it does fulfil
the password requirements.
 Key stretching – Adding 1-2 seconds to password verification.
 If an attacker is brute forcing a password and needs millions of
tries it will become an unfeasible attack.

 Passwords:
 Brute Force attacks (Limit number of wrong logins):
 Uses the entire key space (every possible key), with enough
time any plaintext can be decrypted.
 Effective against all key based ciphers except the one-time pad,
it would eventually decrypt it, but it would also generate so
many false positives the data would be useless.
 Dictionary attacks (Limit number of wrong logins, do not allow
dictionary words in passwords):
4|Page
 Based on a pre-arranged listing, often dictionary words
 Often succeed because people choose short passwords that are
ordinary words and numbers at the end.
 Rainbow tables attacks (Limit number of wrong logins, Salts):
 Pre-made list of plaintext and matching ciphertext.
 Often Passwords and matching Hashes a table can have
1,000,000's of pairs.

 Passwords:
 Keylogging (Keystroke logging):
 A keylogger is added to the user's computer
and it records every keystroke the user
enters.
 Hardware, attached to the USB port where
the keyboard is plugged in.
 Can either call home or needs to be
removed to retrieve the
information
 Software, a program installed on the computer.
 The computer is often compromised by a trojan, where
the payload is the keylogger or a backdoor.
 The keylogger calls home or uploads the keystrokes to a
server at regular intervals.

 Passwords:
 Salt (salting):
 Random data that is used as an additional input to a one-way
function that hashes a password or passphrase.
 Salts are very similar to nonce.
 The primary function of salts is to defend against dictionary
attacks or a pre-compiled rainbow table attack.
 Nonce: (arbitrary number that may only be used once).
 It is often a random or pseudo-random number issued in an
authentication protocol to ensure that old communications
cannot be reused in replay attacks.
 They can also be useful as initialization vectors and in
cryptographic hash function.

IAAA Access Management:
 Passwords:
5|Page
 Clipping levels: Clipping levels are in place to prevent
administrative overhead.
 It allows authorized users who forget or mistype their
password to still have a couple of extra tries.
 It prevents password guessing by locking the user
account for a certain timeframe (an hour), or until
unlocked by an administrator.
 Many systems store a cryptographic hash of passwords.
 If an attacker can get access to the file of hashed passwords
guessing can be done off-line, rapidly testing candidate
passwords against the true password's hash value.
 This will circumvent the clipping levels, stealing is always easier
than decrypting it.
 Some access systems store user passwords in plaintext, they are used to
compare user log on attempts.
 We need to secure every link in the chain, attackers will go for
the weakest one, it is often people, but can just as well be our
systems.

 Password Management:
 We covered some password requirements, here are the official
recommendations by the U.S. Department of Defense and
Microsoft.
 Password history = set to remember 24 passwords.
 Maximum password age = 90 days.
 Minimum password age = 2 days (to prevent users from
cycling through 24 passwords to return to their favorite
password again).
 Minimum password length = 8 characters.
 Passwords must meet complexity requirements = true.
 Store password using reversible encryption = false.

 Something you have - Type 2 Authentication:
 ID, passport, smart card, token, cookie on PC, these are called
Possession factors.
 The subject uses these to authenticate their identity, if
they have the item, they must be who they say they
are.
 Simple forms can be credit cards, you have the card
and you know the pin, that is multifactor
authentication.
6|Page
 Most also assume a shared trust, you have your passport, it looks like
you on the picture, we trust the issuer so we assume the passport is
real.

 Single-use passwords:
 Having passwords which are only valid once makes many
potential attacks ineffective, just like one-time pads.
 While they are passwords, it is something you have in your
possession, not something you know.
 Some are one-time-pads with a challenge-response or just a pin
or phase sent to your phone or email you need to enter to
confirm the transaction or the login.
 Most users find single use passwords extremely inconvenient.
 They are widely implemented in online banking, where they are
known as TANs (Transaction Authentication Numbers).
 Most private users only do a few transactions each week, the
single-use passwords has not led to customers refusing to use
it.
 It is their money, they actually care about keeping those
safe.

 Smart Cards and tokens (contact or contactless):
 They contain a computer circuit using an
ICC (Integrated Circuit Chip).
 Contact Cards - Inserted into a machine to
be read.
 This can be credit cards you insert
into the chip reader or the DOD
CAC (Common Access Card).
 Contactless Cards - can be read by
proximity.
 Key fobs or credit cards where you
just hold it close to a reader.
 They use a RFID (Radio Frequency
Identification) tag (transponder)
which is then read by a RFID
Transceiver.
 Magnetic Stripe Cards:
 Swiped through a reader, no circuit.
 Very easy to duplicate.
7|Page
 Tokens:
 HOTP and TOTP can be either hardware or
software based.
 Cellphone software applications are more
common now.
 HOTP (HMAC-based one-time
password):
 Shared secret and incremental
counter, generate code when
asked, valid till used.
 TOTP (Time-based One-Time
Password):
 Time based with shared secret,
often generated every 30 or 60
seconds, synchronized clocks
are critical.

 A Wisconsin company Three Square Market (32M) is offering to implant tiny
radio-frequency chips in its employees.
 They says the employees are lining up for the technology.
 Employees who have the rice-grain-sized RFID chip
implanted between their thumb and forefinger can then
use it "to make purchases in their break room micro
market, open doors, login to computers, use the copy
machine,"
 "The chip is not trackable and only contains information
you choose to associate with it," the company said "This
chip does not have GPS capabilities."
 I would never do this, I understand they save 5 seconds at the copier.
 I just have an innate skepticism when companies says, “We can’t or we
won’t use this for anything else than intended”.
 History proves they rarely do just that.

 Something you are - Type 3 Authentication (Biometrics):
 Fingerprint, iris scan, facial geometry etc., these are also called
realistic authentication.
 The subject uses these to authenticate their identity, if
they are that, they must be who they say they are.
 Something that is unique to you, this one comes with
more issues than the two other common
authentication factors.
8|Page
 We can allow unauthorized people into our facilities or systems if we
accept someone by mistake. (False Accept)
 We can prevent our authorized people from entering our facilities if we
refuse them by mistake. (False Reject).

 Errors for Biometric Authentication:
 FRR (False rejection rate) Type 1 error:
 Authorized users are
rejected.
 This can be too high
settings - 99% accuracy
on biometrics.
 FAR (False accept rate) Type 2
error:
 Unauthorized user is
granted access.
 This is a very serious
error.
 We want a good mix of FRR and FAR where they meet on the graph is
the CER (Crossover Error Rate), this is where we want to be.

 Biometric identifiers are often categorized as physiological and behavioral
characteristics.
 Physiological characteristics uses the shape of the body, these do not
change unless a drastic event occurs.
 Fingerprint, palm veins, facial recognition, DNA, palm print,
hand geometry, iris recognition, retina and odor.
 Behavioral characteristics uses the pattern of behavior of a person,
these can change, but most often revert back to the baseline.
 Typing rhythm, how you walk, signature and voice.
 We also need to respect and protect our employees privacy:
 Some fingerprint patterns are related to chromosomal diseases.
 Iris patterns could reveal genetic sex, retina scans can show if a person
is pregnant or diabetic.
 Hand vein patterns could reveal vascular diseases.
 Most behavioral biometrics could reveal neurological diseases, etc.

 Issues with Biometric Authentication:
9|Page
 While passwords and smart cards should be safe, because
you keep them a secret and secure, biometrics is
inherently not and something others can easily find out.
 Attackers can take pictures of your face, your finger prints,
your hands, your ears and print good enough copies to get
past a biometric scan.
 It is possible to copy fingerprints from your high resolution
social media posts if you do a peace sign like the one on
the right here.
 How you type, sign your name and your voice pattern can
be recorded, also not too difficult to cheat biometrics if it
is worth the effort.
 Some types are still inherently more secure, but they are
often also more invasive.

 Lost passwords and ID cards can be replaced with new different ones,
biometrics can’t.
 Which should make us question even more the mass collection of
biometric data.
 When Home Depot loses 10 million credit card numbers it is
bad, but they can be reissued.
 The US Office of Personnel Management got hacked and lost 5.6
million federal employees’ fingerprints.
 The FBI has a database with 52 million facial images and
Homeland Security and U.S. Customs and Border Patrol is
working on adding the iris scans and 170 million foreigner
fingerprints to the FBI’s database.
 The compromises of the future will have much more wide
reaching ramifications than the ones we have seen until now.

 Lost passwords and ID cards can be replaced with new different ones,
biometrics can’t.
 Which should make us question even more the mass collection of
biometric data.
 When Home Depot loses 10 million credit card numbers it is
bad, but they can be reissued.
 The US Office of Personnel Management got hacked and lost 5.6
million federal employees’ fingerprints.
 The FBI has a database with 52 million facial images and
Homeland Security and U.S. Customs and Border Patrol is
10 | P a g e
working on adding the iris scans and 170 million foreigner
fingerprints to the FBI’s database.
 The compromises of the future will have much more wide
reaching ramifications than the ones we have seen until now.

 Authorization
 We use Access Control models to determine what a subject is allowed to access
 What and how we implement depends on the organization and what our
security goals are, type can often be chosen dependent
on which leg of the CIA Triad is the most important one
to us.
 If it is Confidentiality we would most likely go with
Mandatory Access Control.
 If it is Availability we would most likely go with
Discretionary Access Control.
 If it is Integrity we would most likely go with Role Based
Access Control or Attribute Based Access Control.
 There technically is also RUBAC (Rule Based Access
Control), it is mostly used on firewalls with IF/THEN statements, but can be used
in conjunction with the other models to provide defense in depth.

 DAC (Discretionary Access Control): Often used when Availability is most important.
 Access to an object is assigned at the discretion of the object owner.
 The owner can add, remove rights, commonly used by most OS's’.
 Uses DACL’s (Discretionary ACL), based on user identity.
 MAC (Mandatory Access Control): Often used when Confidentiality is most important.
 Access to an object is determined by labels and clearance, this is often used in
the military or in organizations where confidentiality is very important.
 Labels: Objects have Labels assigned to them, the subject's clearance must
dominate the object's label.
 The label is used to allow Subjects with the right clearance access them.
 Labels are often more granular than just “Top Secret”, they can be “Top
Secret – Nuclear”.
 Clearance: Subjects have Clearance assigned to them.
 Based on a formal decision on a subject's current and future
trustworthiness.
 The higher the clearance the more in depth the background checks
should be.

 RBAC (Role Based Access Control): Often used when Integrity is most important.
 Policy neutral access control mechanism defined around roles and privileges.
11 | P a g e
 A role is assigned permissions, and
subjects in that role are added to the
group, if they move to another position
they are moved to the permissions group
for that position.
 It makes administration of 1,000's of users
and 10,000's of permissions much easier
to manage.
 The most commonly used form of access
control.
 If implemented right it can also enforce
separation of duties and prevent
authorization/privilege creep.
 We move employees transferring within the organization from one role
to another and we do not just add the new role to the old one.

 ABAC - (Attribute Based Access Control)
 Access to objects is granted based on subjects, objects
AND environmental conditions.
 Attributes could be:
 Subject (user) – Name, role, ID,
clearance, etc.
 Object (resource) – Name, owner, and
date of creation.
 Environment – Location and/or time of
access, and threat levels.
 Expected to be used by 70% of large enterprises

within the next 5 years, versus around 10% today.
 Can also be referred to as policy-based access control (PBAC) or claims-based

access control (CBAC).

 Context-based access control:
 Access to an object is controlled based on certain contextual parameters, such
as location, time, sequence of responses, access history.
 Providing the username and password combination followed by a challenge and
response mechanism such as CAPTCHA, filtering the access based on MAC
addresses on wireless, or a firewall filtering the data based on packet analysis
are all examples of context-dependent access control mechanisms.
 Content-based access control:
 Access is provided based on the attributes or content of an object, then it is
known as a content-dependent access control.
12 | P a g e
 In this type of control, the value and attributes of the content that is being
accessed determine the control requirements.
 Hiding or showing menus in an application, views in databases, and access to
confidential information are all content-dependent.

 Accountability (often referred to as Auditing):
 Traces an Action to a Subject's Identity:
 Proves who performed given action, it provides
non-repudiation.
 Group or shared accounts are never OK, they
have zero accountability.
 Uses audit trails and logs, to associate a subject
with its actions.
 Access control:
 Access control systems:
 We can use centralized and/or decentralized (distributed) access control
systems, depending on which type makes the most sense. Both options provide
different benefits.
 Access control decisions are made by comparing the
credential to an access control list.
 This look-up can be done by a host or server, by an
access control panel, or by a reader.
 Most common is hub and spoke with a control panel as
the hub, and the readers as the spokes.
 Today most private organizations use Role Based Access
Control (RBAC).
 You are in Payroll you get the payroll staff access
and permissions, if you move to HR, you lose
your payroll access and get HR access assigned.
 Access control:
 Normal systems are much larger, but you get the idea from this drawing how
they would connect.
 In a perfect world,
access control systems
should be physically
and logically
segmented from the
rest of our IP Network,
in reality it is most
often segmented logically with VLANs, but in many cases not even that.
 Access control:
13 | P a g e
 Centralized Pro’s: (Decentralized Con’s):
 All systems and locations have the same security posture.
 Easier to manage: All records, configurations and policies are centralized
and only configured once per policy.
 Attackers look for the weakest link in our chain, if a small
satellite office is not following our security posture, they can be
an easy way onto our network.
 It is more secure, only a few people have access and can make changes
to the system.
 It can also provide separation of duties, the local admin can’t
edit/delete logs from their facility.
 SSO can be used for user access to multiple systems with one login.
 Centralized Con’s: (Decentralized Pro’s):
 Traffic overhead and response time, how long does it take for a door
lock to authenticate the user against the database at the head office?
 Is connectivity to the head office stable, is important equipment on
redundant power and internet?
 Access control:
 Hybrid:
 Controlled centralized, but the access lists for that location are pushed
daily/hourly to a local server, local admins have no access.
 We still need to ensure the local site uses the organization security
posture on everything else.
 Access control:
 Identity and access provisioning:
 We can have multiple identities per entity
and each identity can have multiple
attributes.
 I can be staff, alumni and enrolled
student at a college.
 As staff I could have access to
different areas and data than I
would as alumni and student.
 Companies can have the same,
they can be the parent company,
then smaller companies under the
parent umbrella, all with different
attributes.
 Access control:
 Identity and access provisioning lifecycle:
14 | P a g e
 This is a suggested lifecycle example from “Identity Management Design Guide
with IBM Tivoli Identity Manager”.
 You obviously don’t have to implement it verbatim, but find a clear policy that
works for your organization.
 Life cycle rules provide administrators with the ability to define life cycle
operations to be executed as the result of an event. Life cycle rules are
especially useful in automating recurring administrative tasks.
 Password policy compliance checking.
 Notifying users to change their passwords before they expire.
 Identifying life cycle changes such as accounts that are inactive
for more than 30 consecutive days.
 Identifying new accounts that have not been used for more
than 10 days following their creation.
 Identifying accounts that are candidates for deletion because
they have been suspended for more than 30 days.
 When a contract expires, identifying all accounts belonging to a
business partner or contractor’s employees and revoking their
access rights.
 Access control:
 Federated identity:
 How we link a person's electronic identity and attributes across multiple distinct
identity management systems.
 FIDM (Federated Identity Management):
 Having a common set of policies, practices and protocols in place to
manage the identity and trust into IT users and devices across
organizations.
 SSO is a subset of federated identity management, it only uses
authentication and technical interoperability.
 Technologies used for federated identity include SAML, OAuth, OpenID, Security
Tokens, Microsoft Azure Cloud Services, Windows Identity Foundation...
 SAML (Security Assertion Markup Language):
 An XML-based, open-standard data format for exchanging
authentication and authorization data between parties.
 The single most important requirement that SAML addresses is
web browser SSO.
 Access control:
 Federated identity:
 SSO (Single sign-on):
 Users use a single sign-on for multiple
systems.
 Often deployed in organizations where users
have to access 10+ systems, and they think it
is too burdensome to remember all those
passwords.
15 | P a g e
 SSO have the same strong password requirements as normal single
system passwords.
 If an attacker compromises a single password they have access to
everything that user can access.
 Super sign-on.
 One login can allow you to access many systems and sites.
 Social media logins are common super sign-
ons, if an account is compromised an
attacker can often access multiple other
sites or systems, the social media account is
linked all the other systems.
 Access control:
 IDaaS (Identity as a Service):
 Identity and access management that is built, hosted and managed by a third-
party service provider.
 Native cloud-based IDaaS solutions can provide SSO functionality through the
cloud, Federated Identity Management for Access Governance, Password
Management, ...
 Hybrid IAM solutions from vendors like Microsoft and Amazon provide cloud-
based directories that link with on-premises IAM systems.
 Access control - Authentication protocols:

 Communications or cryptographic protocols designed to transfer authentication data
between two entities.
 They authenticate to the connecting entity (often a server) as well as authenticate itself
(often a server or desktop) by declaring the type of information needed for
authentication as well as syntax.
 It is the most important layer of protection needed for secure communication between
networks.
 Kerberos:
 Authentication protocol that works on the basis of tickets to allow nodes
communicating over a non-secure network to prove their identity to each other
in a secure manner.
 The protocol was named after the character Kerberos (or Cerberus) from Greek
mythology, the three-headed guard dog of Hades.
 It is based on a client–server model and it provides mutual authentication both
the user and the server verify each other's identity.
 Messages are protected against eavesdropping and replay attacks.
Cryptography – the science of secure communication.

 For the exam, what you need to know is that cryptography helps us:
 Keep our secrets secret (Confidentiality) ← This is what most people think all
cryptography does.
 Keep our data unaltered (Integrity).
16 | P a g e
 Provide a way to verify (Authentication) our Subjects; it can also provide non-
repudiation.
 Cryptography has been used for 1000’s of years to keep secrets secret.
 Encryption should be strong enough to be unbreakable or at least take a very long time
to break; there obviously needs to be a balance between Confidentiality and
Availability.
 Modular Math:
 Cryptography uses a lot of modular math.
 For the exam you need to know what it is but you don't need to know how to do
it.
 Numbers "wrap around" after they reach a certain value (modulus), which is
also why it is called clock math.
 Adding "X" (24) to "E" (5) = "C" (3) - The English alphabet wraps around after the
26th letter (modulus).

 Definitions:
 Cryptology is the science of securing communications.
 Cryptography creates messages where the meaning is hidden.
 Cryptanalysis is the science of breaking encrypted communication.
 Cryptanalysis is used to breach cryptographic security systems and gain
access to the contents of encrypted messages, even if the cryptographic
key is unknown.
 It uses mathematical analysis of the cryptographic algorithm, as well as
side-channel attacks that do not target weaknesses in the cryptographic
algorithms themselves, but instead exploit weaknesses in their
implementation and the devices that run them.
 Cipher is a cryptographic algorithm.

 Definitions:
 Plaintext (Cleartext) is an unencrypted message.
 Ciphertext is an encrypted message.
 Encryption converts the plaintext to a ciphertext.
 Decryption turns a ciphertext back into a plaintext.
 Book Cipher - Use of a well-known text (Often a book) as the key.
 Messages would then look like 244.2.13, 12.3.7, 41.42.1. ...
 The person reviewing the message would look at page 244, sentence 2, word
13, then page 12, sentence 3, word 7, page 41, sentence 42 word 1, ...
 Running-Key Cipher – uses a well-known test as a key as well, but uses a previously
agreed upon phrase.
 If we use the CISSP Code of Ethics preamble "The safety and welfare of society
and the common good..."
 The sender would add the plaintext message to the letters from the key, and the
receiver would subtract the letters from the key.
17 | P a g e
Cryptography
 Mono and Polyalphabetic Ciphers:
 Monoalphabetic Ciphers -
Substitutes one letter for
another - "T" would be "W"
for instance - very easy to
break with frequency
analysis (or even without).
 Polyalphabetic Ciphers -
Similar but uses different
starting point each round,
"T" may be "W" on first
round, but "D" on second round, more secure, but still not very secure.
 Frequency Analysis (analyzing the frequency of a certain character) – In English “E” is
used 12.7% of the time. Given enough encrypted substitution text, you can break it just
with that.
Cryptography
 Exclusive Or (XOR)
 XOR is very useful in basic cryptography; we add a key to
the plaintext to make the ciphertext.
 If we have the Key we can decipher the Cipher text.
 Used in most symmetric encryption (or at least used in the
algorithm behind it).
 Confusion is the relationship between the plaintext and
ciphertext; it should be as random (confusing) as possible.
 Diffusion is how the order of the plaintext should be “diffused”
(dispersed) in the ciphertext.
 Substitution replaces one character for another, this provides
diffusion.
 Permutation (transposition) provides confusion by rearranging
the characters of the plaintext.
Cryptography
 The history of Cryptography (yes, this is testable).
 Spartan Scytale - Message written

lengthwise on a long thin piece of
parchment wrapped around a
certain size round stick. By itself it
would make no sense, but if
rewrapped around a stick of the
same diameter it would be
decipherable.
18 | P a g e
 Caesar Cipher (Substitution) - Done by switching letters a certain numbers of
spots in the alphabet. “Pass the exam" moved 3 back would be “Mxpp qeb
buxj.”
Cryptography
 The history of Cryptography
 The Vigenère cipher is a polyalphabetic cipher named
after Blaise de Vigenère, a French cryptographer who
lived in the 16th century.
 The alphabet is repeated 26 times to form a matrix
(Vigenère Square).
 It uses the plaintext (x axis) and a key (y axis).
 If the plaintext is CISSP and the key is THOR,
the ciphertext would be VPGJI.
 The key wraps if the plaintext is longer than
the key (it normally is).
Cryptography
 Cipher Disk - 2 concentric disks with alphabets on them, either just as agreed
upon "T" is "D" (monoalphabetic) or "T" is "D"
again, but the inner disk is turned in an pre-
agreed upon direction and turns every X number
of letters (decoder rings).
 Enigma - Rotary based. Was 3 rotors early on,
which was broken, so the Germans added 1
rotor, making it much harder. Breaking the
Enigma was responsible for ending the war early
and saving millions of lives.
 Purple (US name) - Japanese rotary based, very
similar to the Enigma.
 Broken by the US, England and Russia (3
rotors).
 When the Russians learned Japan was
not attacking them, they moved the
majority of their eastern troops to Moscow to fight the Germans. They
had decoded that Japan was going for Southeast Asia.
Cryptography
 The history of Cryptography:
 One-Time Pad:
 Cryptographic algorithm where plaintext is combined with a random
key.
 It is the only existing mathematically unbreakable encryption.
 While it is unbreakable it is also very impractical.
19 | P a g e
 It has ONE use per pad; they should never be reused.
 Characters on the pad have to be truly
random.
 The pads are kept secure.
 Vernam Cipher (The first known use of a one-time
pad).
 It used bits, and the bits were XORed to the
plaintext bits.
 Project VENONA was a project by the US and the UK to
break the KGB’s encryption from 1943 to 1980.
 The KGB used one-time pads (unbreakable if
not reused) for sensitive transmissions.
 The KGB reused pads, many messages were decoded, leading to the
arrest of many high-profile US residents.
Cryptography
 The Jefferson Disk (Bazeries Cylinder) - is a cipher system using a set of wheels
or disks, each with the 26 letters of the alphabet arranged around the edge.
Jefferson (US president) invented it, and Bazeries improved it.
 The order of the letters is different for each disk and is usually
scrambled in some random way.
 Each disk is marked with a unique
number.
 A hole in the center of the disks allows
them to be stacked on an axle.
 The disks are removable and can be
mounted on the axle in any order
desired.
 The order of the disks is the cipher key,
and both sender and receiver must
arrange the disks in the same predefined
order.
 Jefferson's device had 36 disks.
Cryptography
 SIGABA:
20 | P a g e
 A rotor machine used by the United States throughout World War II and
into the 1950s, similar to the Enigma.
 It was more complex, and was built
after examining the weaknesses of
the Enigma.
 No successful cryptanalysis of the
machine during its service lifetime is
publicly known.
 It used 3x 5 sets of rotors.
 The SIGABA was very large, heavy,
expensive, difficult to operate,
mechanically complex, and fragile.
Cryptography
With the common use of Cryptography, many governments realized how important it was that
cryptographic algorithms were added to export restrictions in the same category as munitions.
 COCOM (Coordinating Committee of Multilateral Export Controls) 1947 – 1994.
 Was used to prevent the export of "Critical Technologies" from “Western”
countries to the "Iron Curtain" countries during the cold war.
 Encryption is considered "Critical Technologies"
 Wassenaar Arrangement - 1996 – present.
 Similar to COCOM, but with former "Iron Curtain" countries being members
 Limits exports on military and "dual-use” technologies. Cryptography is part of
that.
 Some nations also use it to prevent their citizens from having strong encryption
(easier to spy on your own people if they can't use strong cryptography).
Cryptography
 Asymmetric vs Symmetric Encryption and Hybrid:
 Asymmetric
 Pros: It does not need a pre-shared key, only 2x users = total keys.
 Cons: It is much slower, it is weaker per bit.
 Symmetric:
 Pros: Much faster, stronger per bit.
 Cons: Needs a pre-shared key, n(n-1)/2 users,
becomes unmanageable with many users.
 Hybrid Encryption:
 Uses Asymmetric encryption to share a Symmetric Key (session key).
 We use the security over an unsecure media from Asymmetric for the initial
exchange and we use the speed and higher security of the Symmetric for the
actual data transfer.
 The Asymmetric Encryption may send a new session key every so often to
ensure security.
Cryptography
21 | P a g e
Symmetric Encryption:
 DES - Data Encryption Standard (Single DES).
 For the exam it may be called DEA (algorithm) or DES (standard)
 No longer secure and it has multiple attack vectors published.
 Symmetric - 64 bit block cipher - 56 bit key, 16 rounds of encryption, uses Fistel.
 DES has 5 different modes it can encrypt data with, they include: Block, Stream,
Initialization Vector and if encryption errors propagate to the next block.
 ECB (Electronic Code Book), CBC (Cipher Block Chaining), CFB (Cipher
Feedback), OFB (Output Feedback) and CTR (Counter).
Cryptography
 3 DES (Triple DES):
 Was developed to extend life of DES systems while getting ready for AES.
 Symmetric - 64 bit block cipher - 56 bit key, 16 rounds of encryption, uses Fistel.
 3 rounds of DES vs 1.
 K1 (keymode1) - 3 different keys with 112 bit key strength.
 K2 (keymode2) - 2 different keys with 80 bits and 1/3 same key.
 K3 (keymode3) – Same key 3 times, just as insecure as DES
(encrypt/decrypt/encrypt).
 Considered secure until 2030 and still commonly used (K1).
 IDEA (International Data Encryption Algorithm):
 Designed to replace DES.
 Symmetric, 128bit key, 64bit block size, considered safe.
 Not widely used now, since it is patented and slower than AES.
Cryptography
 AES - Advanced Encryption Standard (Rijndael).
 Symmetric.
 Considered secure.
 Open source.
 Uses both transposition and substitution.
 Widely used today.
 AES operates on a 4 × 4 column-major order matrix of
bytes.
 Initial Round:
 AddRoundKey — each byte is combined with
a block of the round key using bitwise XOR.
Cryptography
 AES
 Rounds:
22 | P a g e
 SubBytes — a non-linear substitution step
where each byte is replaced with another
according to a lookup table.
 ShiftRows — a transposition step where the
last three rows of the state are shifted a
certain number of steps.
 MixColumns — a mixing operation which
operates on the columns, combining the
four bytes in each column.
 Final Round (no MixColumns):
 SubBytes
 ShiftRows
 AddRoundKey
Cryptography
 AES
 The key size used for an AES cipher specifies
the number of repetitions of transformation
rounds that convert the plaintext, into the
ciphertext.
 The number of cycles depends on the key
length:
 10 cycles for 128-bit keys.
Cryptography
 Blowfish - publish domain.
 Uses Fistel.
 Symmetric, block cipher, 64 bit blocks, 32-448 bit key lengths.
 No longer considered secure.
 Developer recommends using Twofish.
 Twofish.
 Uses Fistel.
 Symmetric, block cipher 128bit blocks, key length 128, 192, 256 bits.
Cryptography
 Fistel cipher (Fistel network):
 The Cipher splits a plaintext block into two halves (L and R).
23 | P a g e
 The process goes through several rounds, the right half of the block does not
change.
 The right half (Rn) is XOR'ed with a subkey (Kn)for
each round (F).
 The XOR'ed value (F) is XOR'ed with the left block
(Ln).
 The recipient reverses the subkey order and XOR’s
to get the plaintext.
 Feistel or modified Feistel Algorithms:
 Blowfish, Camellia, CAST-128, DES, FEAL,
ICE, KASUMI, LOKI97, Lucifer, MARS,
MAGENTA, MISTY1, RC5, TEA, Triple DES,
Twofish, XTEA, …
 Generalized Feistel Algorithms:
 CAST-256, MacGuffin, RC2, RC6, Skipjack.
Cryptography
Symmetric Encryption
 RC4:
 Used by WEP/WPA/SSL/TLS.
 Pseudorandom keystream.
 No longer considered secure.
 Symmetric, Stream cipher, 40-2048 bit key length.
 RC5:
 Symmetric, Block Cipher, 32, 64, 128bit blocks, Key length 0-2040bits, uses
Fistel.
 Considered Secure (if high enough blocks/key).
 RC6 – AES3 Finalist:
 Based on RC5, but changed to meet AES requirements, uses Fistel.
 Symmetric, Block Cipher, 128bit blocks, 128, 192, 256bit key length.
 Considered Secure.
Cryptography
Asymmetric Encryption (Public Key Encryption)
 We have used symmetric encryption for 1000's of years. Asymmetric is, however, a new
player.
 In the 1970s, multiple Asymmetric keys were developed, including Diffie-
Hellman (DH - 1976) and RSA (Rivest, Shamir and Adleman - 1977).
 Asymmetric Encryption uses 2 keys: a Public Key and a Private Key (Key Pair).
 Your Public Key is publicly available.
 Used by others to encrypt messages sent to you. Since the key is
asymmetric, the cipher text can't be decrypted with your public
Key.
 Your Private Key - You keep this safe.
 You use it to decrypt messages sent with your public key.
24 | P a g e
 Also used for digital signatures, slightly reversed.
 You encrypt with your private key and the recipient decrypts with your
public key.
Cryptography
Asymmetric Encryption
 Prime Number Factorization:
 Factoring large Prime numbers using a one-way factorization - It is easy to
multiply 2 numbers, but hard to discern the 2 numbers multiplied from the
result.
 1373 x 8081 = 11095213 - It will be hard to tell which numbers were multiplied
to get 11095213.
 Between 1 and 10,000 there are 1229 prime numbers, and strong encryption
uses much higher prime numbers.
 Discrete Logarithms:
 Another one-way function - this one uses Logarithms, which is the opposite of
exponentiation.
 5 to the 12th power = 244140625, but asking 244140625 is 5 to the what power
is much harder.
 Discrete Logarithms apply the concept to groups, making them much harder so
solve.
Cryptography
Asymmetric Encryption
 RSA cryptography
 New keypair from very large prime numbers - creates public/private key pair.
 Used to exchange symmetric keys, it is slow, and the algorithm was patent
protected (1977-1997 - 20 years).
 Asymmetric, 1094-4096bit key, Considered secure.
 RSA-704 uses these 2 prime numbers, remember I said LARGE prime numbers
were factorized:
 8143859259110045265727809126284429335877899002167627883200
914172429324360133004116702003240828777970252499
 9091213529597818878440658302600437485892608310328358720428
512168960411528640933367824950788367956756806141
 They then produce this result, and while this number is known, figuring out the
2 prime numbers is very difficult:
 7403756347956171282804679609742957314259318888923128908493
6232638972765034028266276891996419625117843995894330502127
5853701189680982867331732731089309005525051168770632990723
96380786710086096962537934650563796359
Cryptography
Asymmetric Encryption:
25 | P a g e
 Diffie–Hellman (DH) key exchange is a method of securely exchanging cryptographic
keys over a public channel and was one of the first public-key protocols.
 It is one of the earliest practical examples of public key exchange implemented
within the field of cryptography.
 The Diffie–Hellman key exchange method allows two parties that have no prior
knowledge of each other to jointly establish a shared secret key over an
insecure channel.
 This key can then be used to encrypt subsequent communications using
a symmetric key cipher.
 Elliptic Curve Cryptography (ECC) is a one-way function that uses discrete Logarithms
applied to elliptical curves. Much stronger per bit than normal discrete Logarithms.
 Often found on low-power devices since they can use shorter key lengths and
be as secure.
 Patented, so less used since it is patented and costs money to use, 256-bit ECC
key is just as strong as a 3,072-bit RSA key.
Cryptography
Asymmetric Encryption:
 ElGamal is an asymmetric key encryption algorithm for public-key cryptography which is
based on the Diffie–Hellman key exchange. ElGamal encryption is used in the free GNU
Privacy Guard software, recent versions of PGP, and other cryptosystems.
 DSA (Digital Signature Algorithm) uses a different algorithm for signing and encryption
than RSA, yet provides the same level of security. Key generation has two phases.
 The first phase is a choice of algorithm parameters which may be shared
between different users of the system, while the second phase computes public
and private keys for a single user.
 DSA is a variant of the ElGamal signature scheme, which should not be confused
with ElGamal encryption.
 Knapsack (Merkle–Hellman knapsack cryptosystem) is one-way.
 The public key is used only for encryption, and the private key is used only for
decryption, making it unusable for authentication by cryptographic signing.
 No longer secure.
Cryptography
 Hash Functions (One-Way Hash Functions) are used for Integrity:
 A variable-length plaintext is hashed into a fixed-length value hash or MD
(Message Digest).
 It is used to prove the Integrity of the data has not changed. Even changing a
comma in a 1000 page document will produce an entirely new hash.
 Collisions: When 2 hashes of different data provide the same hash. It is possible,
but very unlikely.
 MD5 (Message Digest 5):
 128bit Fixed-Length hash, used very widely until a flaw was found
making it possible to produce collisions in a reasonable amount of time.
 While not a chosen-text collision, it is still a collision.
 Still widely used.
26 | P a g e
 MD6 (Message Digest 6):
 Was not used for very long; was supposed to replace MD5, but SHA2/3
were better.
 It was in the running for the SHA3 race, but withdrawn due to flaws.
Cryptography
 Hash Functions:
 Just 1 bit change completely changes the hash.
 Using Great Expectations (Charles Dickens
- 1867 Edition again, 4 pages at font size
11, 1827 words, 7731 characters).
 Hash#1 is the original
2b72b2c18554112e36bd0db4f27f1d89
 Hash#2 is with 1 comma removed
21b78d32ed57a684e7702b4a30363161
 Just a single “.” added will change the
hash value to
5058f1af8388633f609cadb75a75dc9d
Remember: variable-length input, fixed-length output.
Cryptography
 Hash Functions:
 SHA1 (Secure Hash Algorithm 1):
 160bit Hash Value.
 Found to have weak collision avoidance, but still commonly used.
 Considered collision resistant.
 Somewhat used now, relatively new.
 Finalized in August 2015.
 HAVAL (Hash of Variable Length):
 The Message Digest (MD) length is variable (128, 169, 192, 224,
256bits).
 Uses the MD design principles, but is faster.
 Not widely used.
Cryptography
 Hash Functions:
 RIPEMD:
 Developed outside of defense to ensure no government backdoors.
 128, 256, 320bit hashes.
 No longer secure.
 RIPEMD160:
 Redesigned, fixing flaws of RIPEMD.
 160bit hashes.
27 | P a g e
Cryptography
 Hash Functions:
 Salt (Salting):
 Random data that is used as an additional input to a one-way function
that "hashes" a password or passphrase.
 Salts are very similar to nonces.
 The primary function of salts is to defend
against dictionary attacks or a pre-
compiled rainbow table attack.
 Nonce: (arbitrary number that may only be used
once).
 It is often a random or pseudo-random
number issued in an authentication
protocol to ensure that old communications cannot be reused in replay
attacks.
 They can also be useful as initialization vectors and in cryptographic
hash function.
Cryptography
 Cryptographic Attacks:
 Steal the Key - Modern encryption being so difficult to break, it is easier to
recover the private key.
 Law enforcement does this when they get search warrants, to recover
the private key from the PC or phone of someone charged with a crime.
 Attackers do this by gaining access to your system or key repository;
they can then decrypt your data.
 Brute Force:
 Uses the entire key space (every possible key); with enough time, any
plaintext can be decrypted.
 Effective against all key-based ciphers except the one-time pad; it would
eventually decrypt it, but it would also generate so many false positives
that the data would be useless.
 Key stretching: Adding 1-2 seconds to password verification.
 If an attacker is brute forcing password and needs millions of
attempts, it will become an unfeasible attack vector.
 Digraph attack: Similar to frequency analysis/attacks, but looks at common
pairs of letters (TH, HE, IN, ER).
Cryptography
 Man-in-the-Middle Attack (MITM):
 The attacker secretly relays and may alter communication between two
parties, who believe they are directly communicating with each other.
28 | P a g e
 The attacker must be able to intercept all relevant messages passing
between the two victims.
 They can alter the information,
just steal it or inject new
messages.
 Session Hijacking (TCP Session Hijacking):

 An attacker takes over a web
user’s session ID and
masquerades as the authorized
user.
 Once the session ID has been
accessed, through session
prediction the attacker pretends to be the user, and as that user, can do
anything the user is authorized to do on the network.
Cryptography
 Social Engineering
 Much easier than breaking the key is convincing the key holder to hand
it over to the "help desk“.
FREE ICECREAM!
A very successful social engineering attack was a
Pen-Test company driving up in front of a
company office with "Free Ice Cream” and
company logo signs on an ice cream van.
The employees had to enter their username and
password to ‘prove’ they were real employees.
They were rewarded with an “approved"
message and got their free ice cream.
The Pen-Testers got 90%+ of the employees’ usernames and passwords from those who
were there that day.
Cryptography
 Rainbow Tables:
 Pre-made list of plaintext and matching ciphertext.
 Often Passwords and matching Hashes, a table can contain have
1,000,000's of pairs.
 Known Plaintext:
 You know the plaintext and the ciphertext, and using those you try to
figure out the key.
 Chosen Plaintext:
 Similar to Known Plaintext, but the attacker choses the plaintext, then
tries to figure out the key.
 Adaptive Chosen Plaintext:
29 | P a g e
 Same as Chosen Plaintext, the attacker “adapts" the following rounds
dependent on the previous rounds.
 Meet-in-the-Middle:
 A known plaintext attack, the intruder has to know some parts of
plaintext and their ciphertexts, used to break ciphers, which have two or
more secret keys for multiple encryption using the same algorithm.
Cryptography
 Cryptographic Attacks
 Known Key - (Not really known, because if it was, the attacker would have the
key).
 The attacker knows 'something' about the key, making easier to break
it.
 The password could be exactly 8 characters, first character has to be
upper case and last has to be a number.
 Differential Cryptanalysis:
 Tries to find the “difference" between the related plaintexts; if the
plaintexts are only a few bits different, can we discern anything? Can we
see non-randomness?
 The same bit should have a 50/50 chance of flipping; areas where this is
not so can be a clue to the key.
 Linear Cryptanalysis:
 A type of known plaintext attack where the attacker has a lot of
plaintext/ciphertext pairs created with the same key.
 The attacker studies the pairs to learn information about the key used
to create the ciphertext.
 Differential Linear Cryptanalysis is Differential and Linear Cryptanalysis
combined.
Cryptography
 Side Channel Attacks:
 Attackers use physical data to break a crypto system. This can be CPU
cycles, power consumption while encrypting/decrypting, ...
 Implementation Attacks:
 Some vulnerability is left from the implementation of the application,
system or service.
 It is almost always easier to find a flaw in the system than to break the
cryptography.
 Is the key stored somewhere in plaintext? Is the key stored somewhere
not very secure? Is anything stored in memory?
 Key Clustering:
 When 2 different Symmetric Keys used on the same plaintext produce
the same ciphertext, both can decrypt ciphertext from the other key.
Cryptography
30 | P a g e
 Implementing Cryptography:
 PKI (Public Key Infrastructure):
 Uses Asymmetric and Symmetric Encryption as well as Hashing to
provide and manage digital certificates.
 To ensure PKI works well, we keep the private key secret.
 We also store a copy of the key pair somewhere central and secure (key
repository).
 We have policies in place that require 2 Security Administrators to
retrieve the key pair (if only 1 person did it, chances of key compromise
would be higher).
 If users lose their private key and if no key repository is kept, anything
encrypted with the public key is inaccessible).
 Key Escrow:
 Keys are kept by a 3rd party organization (often law
enforcement).
Cryptography
 Digital Signatures:
 Digital certificates are public keys signed with a digital signature.
 Server based - SSL for instance – is assigned to the server
(stored on the server).
 Client based - Digital Signature – is assigned to a person (stored
on your PC).
 CA (Certification Authority):
 Issues and revokes certificates.
 Can be run internally in your organization or in public
(Verisign or GoDaddy, for instance).
 ORA (Organizational Registration Authorities):
 Done within an organization.
 Authenticates the certificate holder prior to certificate
issuance.
Cryptography
 Digital certificates (continued):
 CRL (Certification Revocation List):
 Maintained by the CA.
 Certificates are revoked if a private key is compromised,
if an employee leaves the organization, etc.
 Server side, starting to be replaced by OCSP
(client/server side hybrid).
 OCSP (Online Certification Status Protocol):
31 | P a g e
 Client/server hybrid, better balance, faster, keeps lists
of revoked certificates.
 The Clipper chip was a chipset that was developed and promoted by the United
States National Security Agency (NSA) as an encryption device that “secured”
voice and data messages. with a built-in backdoor.
 It was intended to be adopted by telecommunications companies for
voice/data transmission but was abandoned after public outcry, and
was later found to have many security flaws (it used Skipjack).
Cryptography
 Provides Integrity and Non-Repudiation.
 I want to send an email to
Bob.
 My email is Hashed,
the hash is encrypted
with my private key
(the encrypted Hash is
my Digital Signature), I
attach the signature to
the email and send it.
 Bob receives it, he
generates a hash, and
decrypts my signature
with my public key. If
the hash he generated
and the hash he unencrypted match, the email is not altered.
Cryptography
 MAC (Message Authentication Code) – The exam uses MAC for several
concepts; it will be spelled out which one it is.
 Hash function using a key.
 CBC-MAC, for instance, uses Cipher Block Chaining from a symmetric
encryption (like DES).
 Provides integrity and authenticity.
 HMAC (Hashed Message Authentication Code) combines a shared key with
hashing.
 A pre-shared key is exchanged.
 The sender uses XOR to combine the plaintext with a shared key, then
hashes the output using a hashing algorithm (Could be HMAC-MD5 or
HMAC-SHA-1).
 That hash is then combined with the key again, creating an HMAC.
 The receiver does the same and compares their HMAC with the sender’s
HMAC.
32 | P a g e
 If the two HMACs are identical, the sender is authenticated.
Cryptography
 SSL and TLS – Confidentiality and Authentication for web traffic.
 Cryptographic protocols for web
browsing, email, internet faxing,
instant messaging, and VOIP.
 You download the server’s digital
certificate, which
includes the site’s public key.
 SSL (Secure Socket Layer) -
Currently on v3.0.
 Mostly used for
web traffic.
 TLS (Transport Layer
Security) - More secure
than SSL v3.0.
 Used for securing web traffic (less common).
 Used for internet chat and email client access.

 Configuration Management:
 When we receive or build new systems they often are completely open, before
we introduce them to our environment we
harden them.
 We develop a long list of ports to close,
services to disable, accounts to delete, missing
patches and many other things.
 Often it is easier to have OS images that are
completely hardened and use the image for
the new system, we then update the image
when new vulnerabilities are found or patches
need to be applied, often though we use a
standard image and just apply the missing patches.
 We do this for any device on our network, servers, workstations, phones,
routers, switches ...

 Configuration Management:
 Pre introduction into our production environment we run vulnerability scans
against the system to ensure we didn't miss anything (Rarely done on
workstations, should be done on servers/network equipment).
33 | P a g e
 Having a standard hardening baseline for each OS ensures all servers are
similarly hardened and there should be no weak links, we also have the
standardized hardening making troubleshooting much easier.
 Once a system is introduced to our production environment we monitor
changes away from our security baseline, most changes are administrators
troubleshooting or making workarounds, which may or may not be allowed, but
it could also be an attacker punching a path out of our network.
 Patch Management:
 In order to keep our network secure we need to apply patches on a regular
basis.
 Whenever a vulnerability is discovered the software producer should release a
patch to fix it.
 Microsoft for instance have “Patch Tuesday” (2nd Tuesday of the month).
 They release all their patches for that month.
 If critical vulnerabilities are discovered they push those patches outside
of Patch Tuesday.
 Most organizations give the patches a few weeks to be reviewed and
then implement them in their environment.
 We normally remember the OS patches, but can often forget about network
equipment updates, array updates, IoT updates and so on, if they are not
patched we are not fully using defense in depth and we can expose ourselves to
risk.
 Patch Management:
 I have seen places where full rack disk arrays were not encrypted and had not
been patched since installation over 10 years prior, the reasoning was poorly
designed data storage and updating would take the disks offline for up to an
hour, which for the organization was unacceptable.
 We use software to push our patches to all appropriate systems, this is easier,
we ensure all systems gets patched and they all get the same parts of the patch,
we may exclude some parts that have an adverse effect on our network.
 Common tools could be SCCM or WSUS, they do not only push patches, but any
software we want to distribute to our organization.
 We do the pushes after hours to not impact the availability during working
hours, normally done Friday or Saturday night somewhere between 01:00 am
and 04:00 am.
 Most places avoid midnight as a lot of backups and jobs run at that time, and
end no later than 04:00 am or 05:00 am to ensure systems are online by the
start of business the following day.
 Change Management:
 Our formalized process on how we handle changes to our environments.
34 | P a g e
 If done right we will have full documentation, understanding and we
communicate changes to appropriate parties.
 The change review board should be comprised of both IT and other operational
units from the organization, we may consider impacts on IT, but we are there to
serve the organization, they need to understand how it will impact them and
raise concerns if they have any.
 A change is proposed to the change board, they research in order to understand
the full impact of the change.
 The person or group submitting the change should clearly explain the reasons
for the change, the pros and cons of implementing and not implementing, any
changes to systems and processes they know about and in general aide and
support the board with as much information as needed.
 The board can have senior leadership on it or they can have a predefined range
of changes they can approve and anything above that threshold they would
make recommendations but changes require senior leadership approval.
 There are many different models and process flows for change management,
some are dependent on organization structure, maturity, field of business and
many other factors.
 A generalized flow would look like this:
 Identifying the change.
 Propose the change.
 Assessing risks, impacts and benefits of implementing and not
implementing.
 Provisional change approval, if testing is what we expect this is
the final approval.
 Testing the change, if what we expected we proceed, if not we
go back.
 Scheduling the change.
 Change notification for impacted parties.
 Implementing the change.
 Post implementation reporting of the actual change impact.
 We closely monitor and audit changes,
remember changes can hold residual risk
which we would then have to mitigate.
 Everything in the change control process
should be documented and kept, often
auditors want to see that we have
implemented proper change controls, and
that we actually follow the paper process
we have presented them with.
35 | P a g e
Evaluation Methods, Certification and Accreditation:
 Choosing the security systems and products we implement in our organization can be a
daunting task.
 How do we know the vendor is trustworthy, how do we know
the systems and products were tested well and what the tests
revealed?
 There are many evaluation models in use today.
 The earliest one, which most security models are based
on today is "The Orange Book" - The Trusted Computer
System Evaluation Criteria – (TCSEC).
 It was developed by the U.S. Department of Defense in
the 1980s. The Orange book was part of a Rainbow
Series (or Rainbow Books).
 The series also had a “The Red Book” Trusted Network
Interpretation - (TNI).
It addresses Network systems, whereas “The Orange
Book” does not address Network Systems.

 ITSEC (The European Information Technology Security Evaluation Criteria):
 Was the first successful international model. Contains a lot of references from
The Orange Book, but both are retired now.
 The International Common Criteria (ISO/IEC 15408):
 Common Criteria evaluations are performed on computer security products and
systems.
 To be of practical use, the evaluation must verify the target's security features.
This is done through the following:
 Target Of Evaluation (TOE) – The product or system that is the subject
of the evaluation.
 Protection Profile (PP) – A document which identifies security
requirements for a class of security devices. Products can comply with
more than one PP. Customers looking for particular types of products
can focus on those products certified against the PP that meet their
requirements.
 Security Target (ST) – The document that identifies the security
properties of the target of evaluation. The ST may have one or more
PPs.

 The International Common Criteria (ISO/IEC 15408):
 Evaluation Assurance Level (EAL) – How did the system or product
score on the testing?
 EAL Level 1-7:
 EAL1: Functionally Tested.
36 | P a g e
 EAL2: Structurally Tested.
 EAL3: Methodically Tested and Checked.
 EAL4: Methodically Designed, Tested and Reviewed
 EAL5: Semi-formally Designed and Tested.
 EAL6: Semi-formally Verified Design and Tested.
 EAL7: Formally Verified Design and Tested.

 Security Assessments:
 A full picture approach to assessing how effective our access controls are, they
have a very broad scope.
 Security assessments often span multiple areas, and can use some or all of these
components:
 Policies, procedures, and other administrative controls.
 Assessing the real world-effectiveness of administrative controls.
 Change management.
 Architectural review.
 Penetration tests.
 Vulnerability assessments.
 Security audits.

 Security audit: A test against a published standard.
 SOC 2 Type 1 or 2, PCI-DSS, …
 SOC 2 Type 1 report on management’s description of a service
organization’s system and the suitability of the design of controls.
 SOC 2 Type 2 report on management’s description of a service
organization’s system and the suitability of the design and operating
effectiveness of controls.
 Purpose is to validate/verify that an organization meets the requirements as
stated in the published standard.
 Internal and 3rd-Party Audits:
 Structured audits (3rd party):
 External auditors who validate our compliance, they are experts and the
audit adds credibility.
 Can also be a knowledge transfer for the organization, required annually
in many organizations.
 Unstructured audits:
 Internal auditors to improve our security and find flaws, often done
before an external audit.

 Security Audit Logs:
 Reviewing security audit logs in an IT system is one of the easiest ways to verify
that access control mechanisms are working as intended.
 Reviewing audit logs is primarily a detective control.
37 | P a g e
 NIST Special Publication 800-92 suggests the following log types should be
collected and audited:
 Network Security Software/Hardware:
 Antivirus logs, IDS/IPS logs, remote access software (such as
VPN logs), web proxy, vulnerability management,
authentication servers, routers and firewalls.
 Operating System:
 System events, audit records, applications, client requests and
server responses, usage information, significant operational
actions.

 Security Audit Logs:
 Centralized Logging:
 Should be automated, secure and even administrators should have
limited access.
 Often a central repository is hashed and never touched, and a
secondary copy is analyzed to ensure integrity.
 Logs should have a retention policy to ensure we are compliant and we
keep the logs as long as we need them.
 Checking logs is often an afterthought and rarely done, where do we
start?
 Since they are often keeping everything, there can be 10's of millions of
lines of log info, we need to implement systems to automate this as
much as makes sense.

 Security Audit Logs (Audit trail):
 Audit record management typically faces five distinct problems:
 Logs are not reviewed on a regular and timely basis.
 Audit logs and audit trails are not stored for a long enough time period.
 Logs are not standardized or viewable by correlation toolsets - they are
only viewable from the system being audited.
 Log entries and alerts are not prioritized.
 Audit records are only reviewed for the bad stuff.

 Vulnerability scanning/testing:
38 | P a g e
 A vulnerability scanner tool is used to scan a network or system for a list
of predefined vulnerabilities such as system misconfiguration, outdated
software, or a lack of patching.
 It is very important to
understand the output from a
vulnerability scan, they can be
100's of pages for some
systems, and how do the
vulnerabilities map to Threats
and Risks (Risk = Threat x
Vulnerability).
 When we understand the true Risk, we can then plan our mitigation.
 Common vulnerability scanners could be Nessus or OpenVAS, both list
vulnerabilities in Critical, High, Medium, Low, and Informational.

 Penetration Testing (Pen Testing), often called Ethical Hacking.
 Test if the vulnerabilities are exploitable.
 An authorized simulated attack on our organization that looks for security
weaknesses, potentially gaining access to the systems, buildings and data.
 It is very important to have very clear rules of engagement defined in a SOW
(Statement Of Work)
 Which IP ranges, time frame, tools, POC, how to test, what to test, …
 We confirm with our legal team before hiring Pen Testers, even if you
allow it what they do may still be illegal.
 Senior management set the goals for the Pen testing.
 Why are we doing it? What are we trying to achieve? They have to sign
off on it.
 If we are the pen testers, we are there to test and document the vulnerabilities,
not to fix them.
 We provide the report to senior management and they decide which
vulnerabilities they want to address.
 Use multiple attack vectors and Pen testing uses an iterative process that is
similar to Agile project planning.

 Penetration Testing:
 Discovery (planning): Finding the vulnerabilities, design the attacks.
 Gaining Access: Access the network.
 Escalate Privileges: Get higher level access,
ultimately we want admin access.
 System Browsing: Gain additional access, often
back to discovery again with our new
knowledge level and access.
39 | P a g e
 Install Additional tools: With our elevated access we can install more tools and
exploit new attack surfaces, can go back to Gaining Access.
 Finally when done, they report the findings.

 Planning > Reconnaissance > Scanning (enumeration) > Vulnerability assessment
> Exploitation > Reporting.
 Very similar to a black hat methodology.
 Black hats often spend less time planning, and instead of reporting they cover
their tracks.
 They delete/modify logs and any other tracks they left and if possible
install backdoors, so they can keep exploiting our environments.
 A Pen tester has a very clear SOW and they do not compromise system and data
integrity.
 The Pen tester may also not be allowed to access certain files (PII/PHI), but a
dummy file is created in the same location, if the Pen tester can get to the
target file, they could get to the actual data file.
 The Pen testing is done in clearly defined time windows, often in maintenance
windows after hours, the point is to prove we are vulnerable, not disrupt our
business.
 Some low impact Pen tests can also be done on DR environments, to not effect
our live environments, but they are often less useful since most DR
environments are not a mirror copy of the production environment.

 Black box Pen testing (Zero Knowledge):
 The attacker had no knowledge about the organization other than
publicly available information.
 They start from the point an external attacker would.
 White box (Crystal/Clear) Pen testing: (Full Knowledge):
 The attacker has knowledge of the internal network and access to it like
a privileged employee would.
 Normally Administrator access employee with full knowledge of our
environment.
 Gray (Grey) box (Partial Knowledge) Pen testing:
 The attacker has limited knowledge, a normal user, vendor or someone
with limited environment knowledge.
 Do not confuse these with Black, Gray, or White Hat Hackers.
 White Hat hackers: Professional Pen Testers trying to find flaws so we
can fix it (Ethical Hackers).
 Black Hat hackers: Malicious hackers, trying to find flaws to exploit
them (Crackers - they crack the code).
 Gray/Grey Hat hackers: They are somewhere between the white and
black hats.
40 | P a g e
 Think like an attacker would, start with the easiest attack first, the users.
 Low technical tools can be just as effective as sophisticated tools,
 Many organizations have strong perimeter defense, but no defense in depth,
once you get past 1 or 2 barriers you can access most things.
 Social engineering uses people skills to bypass security controls.
 Can be used in a combination with many other attacks, especially client-
side attacks or physical tests.
 Attacks are often more successful if they use one or more of these
approaches:
 Authority (someone you trust or are afraid of) - Look and sound
like an authority figure, be in charge, this can be in a uniform or
a suit. Most effective with impersonation, whaling, and vishing
attacks.
 Intimidation (If you don't bad thing happens) - Virus on the
network, credit card compromised, lawsuit against your
company, intimidation is most effective with impersonation and
vishing attacks.

 Social engineering attacks:
 Consensus (Following the crowd, everyone else was doing it) -
Fake reviews on a website, using consensus/social proof is most
effective with Trojans and hoaxes.
 Scarcity (If you don't act now, it is too late) - New iPhone out,
only 200 available, often effective with phishing and Trojan
attacks.
 Urgency (It has to happen now or else) - The company will be
sued for $1,000,000 if these papers are not filled out before
Friday, often used with Phishing.
 Familiarity (Have a common ground, or build it) - Knowing
something about the victim ahead of time and then reference it
can raises chances of a successful attack drastically. People
want to be helpful, if they feel like they know you they want to
even more. Often successful with vishing and in-person social
engineering.

 War dialing:
 Uses modem to dial a series of phone numbers, looking for an
answering modem carrier tone, the penetration tester then attempts to
access the answering system.
41 | P a g e
 Not really done anymore, but know it for the exam.
 War driving (access point mapping):
 Driving or walking around, mapping access points and trying to gain
access to them.
 Network attacks
 Client-side attacks, server-side attacks, or Web application attacks.
 Wireless tests:
 Evaluate the risk related to potential access to your wireless network.
 Uses the password combination & sniffing technique for cracking
unsecured wireless network, so a proper set up is required for making
the whole process semi-automated and automated.

 Penetration Testing Tools and Methodology:
 Just like hackers, Pen testers use many different tools to test, both
published tools and own creations.
 Be VERY careful if testing these out, do not use them outside your own
network, and only on internal networks with written permission.
 Penetration testing tools:
 Open source Metasploit - http://www.metasploit.org/
 Closed source Core Impact - http://www.coresecurity.com/
 Immunity Canvas - http://www.immunitysec.com/
 Top 125 Network Security Tools - http://sectools.org/
 Kali Linux - https://www.kali.org/

 Real-time map of detected hacks.
 http://map.norsecorp.com/#/

 Software testing:
 Historically we have built functional software and tested it for just that stability
and functionality, security has been an afterthought if considered at all.
Software needs to be designed securely, built in not bolted on.
 Normal software can have millions of line of code and about 1% of that contains
vulnerabilities.
 Many security breaches happen because our software is easy to compromise.
 Static testing - Passively testing the code, it is not running.
 This is walkthroughs, syntax checking, and code reviews.
 Looks at the raw source code itself looking for evidence of known
insecure practices, functions, libraries, or other characteristics having
been used in the source code.
42 | P a g e
 There are 100's of static code analysis tools available depending on
programming language.
 Dynamic testing – Actively testing the code while executing it.
 Can uncover flaws that exist in the particular implementation and
interaction of code that static analysis missed. Software can run and
code execute with flaws.

 Code testing uses white and black box terms just like in Pen testing.
 White box software testing:
 The tester has full access to program source code, data
structures, variables, ...
 Black box software testing:
 The tester has no details, just the software, they then test for
functionality and security flaws.

 TM/RTM (Requirements Traceability Matrix):
 Normally a table, used to map
customer requirements to the
testing plan using a many-to-many
relationship comparison.
 A requirements traceability matrix
may be used to check if the current
project requirements are being met,
and to help in the creation of a
request for proposal, software requirements specification, various
deliverable documents, and project plan tasks.

 Software Testing levels:
 Unit testing:
 Tests that verify the functionality of a specific section of code.
 In an object-oriented environment, this is usually at the class
level, and the minimal unit tests include the constructors and
destructors.
 Usually written by developers as they work on code (white-box),
to ensure that the specific function is working as expected.
 Integration testing:
 Seeks to verify the interfaces between components against a
software design.
 Integration testing works to expose defects in the interfaces and
interaction between integrated components/modules.
43 | P a g e
 Progressively larger groups of software components are tested
until the software works as a system.

 Software Testing levels:
 Component interface testing:
 Testing can be used to check the handling of data passed
between various units, or subsystem components, beyond full
integration testing between those units.
 Tests a completely integrated system to verify that the system
meets its requirements.
 Operational acceptance:
 Used to conduct operational readiness (pre-release) of a
product, service or system as part of a quality management
system.

 Software Testing types:
 Installation testing:
 Assures that the system is installed correctly and working at
actual customer's hardware.
 Regression testing:
 Finding defects after a major code change has occurred.
 Looks for software regressions, as degraded or lost features,
including old bugs that have come back.

 Fuzzing (Fuzz testing):
 Testing that provides a lot of different inputs in order to try to
cause unauthorized access or for the application to enter
unpredictable state or crash.
 If the program crashes or hangs the fuzz test failed.
 The Fuzz tester can enter values into the script or use pre-
compiled random or specific values.
 Mutating fuzzing – The tester analyses real info and modifies it
iteratively.

 All-pairs testing (Pairwise testing):
44 | P a g e
 All-Pairs Testing is defined as a black-box test design technique
in which test cases are designed to execute all possible discrete
combinations of each pair of input parameters.
 The most common bugs in a program are generally triggered by
either a single input parameter or an interaction between pairs
of parameters.
 It uses carefully chosen test vectors, this can be done much
faster than an exhaustive search of all combinations of all
parameters, by parallelizing the tests of parameter pairs.
 If we have a very simple piece of software with 3 input
parameters:
 Server type A: Physical B: VM Vendor: A: Dell B: HP Serial
number: A Valid (5000) B Invalid
 If we test all possible combinations we would test
2x2x5000 = 20000 combinations.
 If we test all-pairs we would test 2x2x2 = 8
combinations – we only look at valid or invalid input.

 Misuse Case Testing:
 Executing a malicious act against a system, attackers won't do
what normal users would, we need to test misuse to ensure our
application or software is safe.
 Test Coverage Analysis:
 Identifies how much of the code was tested in relation to the
entire application.
 To ensure there are no significant gaps where a lack of testing
could allow for bugs or security issues to be present that
otherwise should have been discovered.
 With 50+ millions line of code in a Windows OS, often spot
checks on critical areas are only enforced.

 Now that we have completed our tests, just like on our log reviews, we need to
use it and analyze the data we got from the testing.
 It can be huge amounts of data, and we need to prioritize what we act on first,
what is acceptable and what is not.
 Think of the qualitative risk analysis, if it is low likelihood and low impact we
may leave it alone and focus on higher priority items.

 CMM (Capability Maturity Model):
45 | P a g e
 The maturity relates to the degree of formality and optimization of processes,
from ad hoc practices, to formally defined repeatable steps, to managed result
metrics, to active optimization of the processes.
 There are five levels defined in the model and, which describes where an
organization is, it also has practical steps to how to mature the organization to
get to the next level.
 Level 1: Initial
 Processes at this level are normally undocumented and in a state of
dynamic change, tending to be driven in an ad hoc, uncontrolled and
reactive manner by users or events.
 This provides a chaotic or unstable environment for the processes.
 Level 2: Repeatable
 This level of maturity that some processes are repeatable, possibly with
consistent results.
 Process discipline is unlikely to be rigorous, but where it exists it may
help to ensure that existing processes are maintained during times of
stress.

 CMM:
 Level 3: Defined
 This level that there are sets of defined and documented standard
processes established and subject to some degree of improvement over
time.
 These standard processes are in place.
 The processes may not have been systematically or repeatedly utilized
enough for the users to become competent or the process to be
validated in a range of situations.
 Level 4: Managed (Capable)
 Processes at this level uses process metrics, effective achievement of
the process objectives can be evidenced across a range of operational
conditions.
 The suitability of the process in multiple environments has been tested
and the process refined and adapted.
 Process users have experienced the process in multiple and varied
conditions, and are able to demonstrate competence.

 CMM:
 Level 5: Optimizing
 Processes at this level focus on
continually improving process
performance through both
incremental and innovative
technological
changes/improvements.
46 | P a g e
 Addressing statistical common causes of process variation and changing
the process to improve process performance.

 CMM:
 Acceptance testing:
 There are many different testing types we use throughout the
development lifecycle.
 At the end of development we also use acceptance testing, we need to
test it to ensure it does what it is supposed to and it is robust and
secure.
 The User Acceptance test:
 Is the software functional for the users who will be using it? It is
tested by the users and application managers.
 Operational acceptance testing:
 Does the software and all of the components it interacts with
ready requirements for operation.
 Tested by system administrators are the backups in place, do
we have a DR plan, how do we handle patching, is it checked for
vulnerabilities, ...?

 CMM:
 Acceptance testing:
 Contract Acceptance testing:
 Does the software fulfil the contract specifications? The
what/where/how of the acceptance is defined in the contract.
 Compliance acceptance testing:
 Is the software compliant with the rules, regulations and laws of
our industry?
 Compatibility/production testing:
 Does the software interface as expected with other applications
or systems?
 Does the software perform as expected in our production
environment vs. the development environment?

 Buying software from other companies:
 When we buy software from vendors either COTS (Commercial Off The Shelf) or
custom built software we need to ensure it is as secure as we need it to be.
 Vendors claims of security posture should until proven be seen as marketing
claims.
 We need to do our due care and due diligence, as well as use outside council if
needed.
 Many organizations deal with C-level executives going to conferences and
buying software that the organization may not want or need.
47 | P a g e
 Software development and procurement as well as any other project should be
carefully scoped, planned be based on a clear analysis of what the business
needs and wants.

 COTS (Commercial Off-the-Shelf) Software:
 When buying COTS software we can, depending on how widely the
software is used, look at reviews, talk to current customers and users to
get a clearer understanding of the software capabilities and security.
 Software roadmaps are nice, but only buy the software for what it can
actually do now, not what it can maybe do in the future.
 We can use a clear RTM (requirements traceability matrix),
requirements are divided into "Must have, nice to have and maybe
should have".
 We would then score the software candidates on the "Have's" and from
that we should be able to see feasible candidates, other factors such as
cost, maintenance also play a big part in the decision.
 For large/expensive implementations it may also be possible for the
vendor to provide references to talk to.
 We would also look at how financially sound the vendor looks to be, if
we spend $2,000,000 on software and the vendor goes out bankrupt in
3 months, we may have to spend another $2,000,000 all over again.

 Custom-Developed Third Party Products:
 Having someone else develop the software we need is also an option.
 This is higher cost than COTS software, but also far more customizable.
 The same questions and then some should be asked:
 How good are they? Have they done this before? How secure are
they?...
 Do we own the code or do we rent it when it is done?
 What happens if they go out of business?
 Who will support it?
 Do you have capable staff that can support and tweak the software?
 Is it secure or is it security through obscurity?
 Many code shops are just that, only code shops, once the software is
accepted it is your problem to do the day to day maintenance, they may
contract for updates, but that is it.

 Access control. - MAC, DAC, RBAC, ABAC
 Objects and subjects.
 IAAA - Identification and Authentication, Authorization and Accountability
48 | P a g e
 Type 1, 2, and 3 authentication - Something you know, something you have, and
something you are
 The history of cryptography, symmetric/asymmetric encryption, hashing, and digital
signatures
 Patch management, configuration management, and change management
 Security assessment and security audits.
 Software testing.
 Buying software from other companies.
 Thank you for staying here with me!
49 | P a g e
Welcome to the fourth CISM Domain.
 How we plan for incidences and disasters.
 Business Continuity Planning and Disaster Recovery Planning.
 BIA (Business Impact Analysis).
 Supply, personnel and infrastructure redundancy.
 Disaster Recovery sites.
 Other BCP sub plans:
 COOP (Continuity of Operations Plan), Cyber Incident Response Plan, OEP
(Occupant Emergency Plan).
 After a disruption.
 Digital, spinning disk, network and software forensics.
 Memory and data remanence.
 Domain 4 Key terms:

 BCP (Business Continuity Plan): Long-term plan to ensure the continuity of business
operations in a disaster event.
 DR (Disaster Recovery): Policies, procedures and tools to recover from a natural,
environmental or man made disaster.
 Collusion: An agreement between two or more individuals to subvert the security of a
system.
 COOP (Continuity of Operations Plan): A plan to maintain operations during a disaster.
 Disaster: Any disruptive event that interrupts normal system operations.
 DRP (Disaster Recovery Plan): Short-term plan to recover from a disruptive event, part
of our BCP.
 MTBF (Mean Time Between Failures): How long a new or repaired system or component
will function on average before failing.
 MTTR (Mean Time to Repair): How long it will take to recover a failed system.
 RAID (Redundant Array of Independent/Inexpensive Disks): Using multiple disk drives to
achieve greater data reliability, speed, and fault tolerance.
 Mirroring: Complete duplication of data to another disk, used by some levels of RAID.
 Striping: Spreading data writes across multiple disks to achieve performance gains, used
by some levels of RAID.
 BCP and DRP:

 Any organization will encounter disasters every so often, how
we try to avoid them, how we mitigate them and how we
recover when they happen is very important.
 If we do a poor job the organization may be severely impacted
or have to close.
 Companies that had a major loss of data, 43% never reopen and
29% close within two years.
 BCP (Business Continuity Plan):
 This is the process of creating the long-term strategic business plans, policies
and procedures for continued operation after a disruptive event.
1|Page
 It is for the entire organization, everything that could be impacted, not just IT.
 Lists a range of disaster scenarios and the steps the organization must take in
any particular scenario to return to regular operations.
 BCP’s often contain COOP (Continuity of Operations Plan), Crisis
Communications Plan, Critical Infrastructure Protection Plan, Cyber Incident
Response Plan, DRP (Disaster Recovery Plan), ISCP (Information System
Contingency Plan), Occupant Emergency Plan.
 BCP and DRP:

 BCP (Business Continuity Plan):
 We look at what we would do if a critical supplier closed, the facility was hit by
an earthquake, what if we were snowed in and staff couldn't get to work, ...
 They are written ahead of time, and continually improved upon, it is an iterative
process.
 We write the BCP with input from key staff and at times outside BCP
consultants.
 DRP (Disaster Recovery Plan):
 This is the process of creating the short-term plans, policies, procedures and
tools to enable the recovery or continuation of vital IT systems in a disaster.
 It focuses on the IT systems supporting critical business functions, and how we
get those back up after a disaster.
 DRP is a subset of our BCP.
 We look at what we would do if we get hit with a DDOS attack (can be in the
DRP or in our Cyber Incident Response Plan), a server gets compromised, we
experience a power outage, ...
 Often the how and system specific, where the BCP is more what and non-system
specific.
 BCP and DRP:

 We categorize disasters in 3 categories, natural, human, or environmental.
 Natural:
 Anything caused by nature, this could be earthquakes, floods, snow,
tornados, ...
 They can be very devastating, but are less common than the other types
of threats.
 The natural disaster threats are different in different areas, we do the
risk analysis on our area.
 For one site we could build our buildings and data center earthquake
resilient and another flood resilient.
 Human:
 Anything caused by humans, they can be intentional or unintentional
disasters.
 Unintentional could be an employee uses a personal USB stick on a PC
at work and spreads malware, just as bad as if an attacker had done it,
but the employee were just ignorant, lazy or didn't think it would
matter.
2|Page
 Intentional could be malware, terrorism, DOS attacks, hacktivism,
phishing, ...
 Environmental: (Not to be confused with natural disasters).
 Anything in our environment, could be power outage/spikes, hardware
failures, provider issues, ...
 BCP and DRP:

 Errors and Omissions (human):
 The most common reason for disruptive events are internal employees, often
called errors and omissions.
 They are not intending to harm our organization, but they can inadvertently do
so by making mistakes or not following proper security protocols.
 This could be a mistype, leaving a door unlocked to go outside to smoke or
leaving a box of backup tapes somewhere not secure.
 They often have a minor impact, but if we have issues where they are deemed
very common or potentially damaging we can build in controls to mitigate
them.
 We could put a double check in place for the mistype, an alarm on the unlocked
door that sounds after being open for 10 seconds, or very clear procedures and
controls for the transport of backup tapes.
 BCP and DRP:

 Electrical or Power Problems (environmental):
 Are power outages common in our area?
 Do we have proper battery and generator backup to sustain our sites for an
extended period of time?
 We want the redundancy of UPS's and generators, they both supply constant
and clean power.
 These should always be in place in data centers, but what about our other
buildings?
 Power fluctuations can damage hardware.
 Heat (environmental):
 Many data centers are kept too cold, the last decades research has shown it is
not needed.
 Common temperature levels range from 68–77 °F (20–25 °C) - with an allowable
range 59–90 °F (15–32 °C).
 Keeping a Data Center too cold wastes money and raises humidity.
 Pressure (environmental): Keeping positive pressure keeps outside contaminants out.
 Humidity (environmental): Humidity should be kept between 40 and 60% rH (Relative
Humidity).
 Low humidity will cause static electricity and high humidity will corrode metals
(electronics).
 BCP and DRP:

 Personnel Shortages (Human/Nature/Environmental):
3|Page
 In our BCP we also have to ensure that we have redundancy for our personnel
and how we handle cases where we have staff shortages.
 If we have 10% staff how impacted is our organization?
 This can be caused by natural events (snow, hurricane), but is more commonly
caused by the flu or other viruses.
 Pandemics:
 Organizations should identify critical staff by position not name, and
have it on hand for potential epidemics.
 When the H1N1 flu was declared a pandemic the ISP I worked for at the
time, had identified critical staff and they were offered some of the very
limited vaccines for the H1N1.
 Strikes:
 A work stoppage caused by the mass refusal of employees to work.
 Usually takes place in response to employee grievances.
 How diminished of a workforce can we have to continue to function?
 BCP and DRP:

 Our DRP (Disaster Recovery Plan) should answer at least three basic questions:
 What is the objective and purpose?
 Who will be the people or teams who will be responsible in case any disruptions
happen?
 What will these people do (our procedures) when the disaster hits?
 Normal plans are a lot more in depth and outline many different scenarios, they have a
clear definition of what a disaster is, who can declare it, who should be informed, how
often we send updates to whom, who does what, …
 It is easy to just focus on getting back up and running when we are in the middle of a
disaster, staff often forget about communication, preserving the crime scene (if any)
and in general our written procedures.
 BCP and DRP:

 DRP has a lifecycle of Mitigation,
Preparation, Response and Recovery.
 Mitigation: Reduce the impact,
and likeliness of a disaster.
 Preparation: Build programs,
procedures and tools for our
response.
 Response: How we react in a
disaster, following the procedures.
 Recovery: Reestablish basic
functionality and get back to full
production.
 BCP and DRP:

 We have looked at the first 2 before, for now we will focus on Response and Recovery.
 Response: How we react in a disaster, following the procedures.
4|Page
 How we respond and how quickly we respond is essential in Disaster
Recovery.
 We assess if the incident we were alerted to or discovered is serious and
could be a disaster, the assessment is an iterative process.
 The more we learn and as the team gets involved we can assess
the disaster better.
 We notify appropriate staff to help with the incident (often a call tree or
automated calls), inform the senior management identified in our plans
and if indicated by the plan communicate with any other appropriate
staff.
 Recovery: Reestablish basic functionality and get back to full production.
 We act on our assessment using the plan.
 At this point all key stakeholders should be involved, we have a clearer
picture of the disaster and take the appropriate steps to recover. This
could be DR site, system rebuilds, traffic redirects, …
 Developing our BCP and DRP:

 Older versions of NIST 800-34 had these steps as a framework for building our BCP/DRP,
they are still very applicable
 Project Initiation: We start the project, identify stakeholders, get C-level approval and
formalize the project structure.
 Scope the Project: We identify exactly what we are trying to do and what we are not.
 Business Impact Analysis: We identify and prioritize critical systems and components.
 Identify Preventive Controls: We identify the current and possible preventative controls
we can deploy.
 Recovery Strategy: How do we recover efficiently? What are our options? DR site,
system restore, cloud, ...
 Plan Design and Development: We build a specific plan for recovery from a disaster,
procedures, guidelines and tools.
 Implementation, Training, and Testing: We test the plan to find gaps and we train staff
to be able to act on the plan.
 BCP/DRP Maintenance: It is an iterative process. Our organization develops, adds
systems, facilities or technologies and the threat landscape constantly changes, we have
to keep improving and tweaking our BCP and DRP.

 Senior management needs to be involved and committed to the BCP/DRP process,
without that it is just lip service.
 They need to be part of at least the initiation and the final approval of the
plans.
 They are responsible for the plan, they own the plan and since they are
ultimately liable, they must show due-care and due-diligence.
 We need top-down IT security in our organization (the exam assumed we have
that).
5|Page
 In serious disasters, it will be Senior Management or someone from our legal
department that will talk to the press.
 Most business areas often feel they are the most important area and because of
that their systems and facilities should receive the priority, senior management
being ultimately liable and the leaders of our organization, obviously have the
final say in priorities, implementations and the plans themselves.
 BCP/DRP’s are often built using the waterfall project management methodology.

 The BCP team has sub-teams responsible for rescue, recovery and salvage in the event
of a disaster or disruption.
 Rescue team (activation/notification):
 Responsible for dealing with the disaster as it happens. Evacuates
employees, notifies the appropriate personnel (call trees) pulls the
network from the infected server or shuts down systems, and initial
damage assessment.
 Recovery team (failover):
 Responsible for getting the alternate site up and running as fast as
possible or for getting the systems rebuilt.
 We get the most critical systems up first.
 Salvage team (failback):
 Responsible for returning our full infrastructure, staff and operations to
our primary site or a new facility if the old site was destroyed.
 We get the least critical systems up first, we want to ensure the new
sites is ready and stable before moving the critical systems back.

 BIA (Business impact analysis):
 Identifies critical and non-critical organization systems, functions and activities.
 Critical is where disruption is considered unacceptable, the acceptability is also
based on the cost of recovery.
 A function may also be considered critical if dictated by law.
 For each critical (in scope) system, function or activity, two values are then
assigned:
 RPO (Recovery Point Objective): The acceptable amount of data that cannot be
recovered.
 The recovery point objective must ensure that the maximum tolerable
data loss for each system, function or activity is not exceeded.
 If we only back up once a week, we accept up to a week of data loss.

 BIA (continued):
 MTD (Maximum Tolerable Downtime): MTD ≥ RTO + WRT:
 The time to rebuild the system and configure it for reinsertion into
production must be less than or equal to our MTD.
6|Page
 The total time a system can be inoperable before our organization is
severely impacted.
 Remember companies that had a major loss of data, 43% never reopen
and 29% close within two years.
 Other frameworks may use other terms for MTD, but for the exam know
and use MTD.
 MAD (Maximum Allowable Downtime), MTO (Maximum Tolerable
Outage), MAO (Maximum Acceptable
 Outage), MTPoD (Maximum Tolerable Period of Disruption).
 RTO (Recovery Time Objective): The amount of time to restore the system
(hardware).
 The recovery time objective must ensure that the MTD for each system,
function or activity is not exceeded.
 WRT (Work Recovery Time): (software)
 How much time is required to configure a recovered system.

 BIA (continued):
 MTBF (Mean Time Between Failures):
 How long a new or repaired system or component will function on
average before failing, this can help us plan for spares and give us an
idea of how often we can expect hardware to fail.
 MTTR (Mean Time to Repair):
 How long it will take to recover a failed system.
 MOR (Minimum Operating Requirements):
 The minimum environmental and connectivity requirements for our
critical systems to function, can also at times have minimum system
requirements for DR sites.
 We may not need a fully spec'd system to resume the business
functionality.
 Recovery Strategies:
 In our recovery process we have to consider the many factors that can impact us, we
need look at our options if our suppliers, contractors or the infrastructure are impacted
as well.
 We may be able to get our data center up and running in 12 hours, but if we have no
outside connectivity that may not matter.
 Supply chain:
 If an earthquake hits, do our local suppliers function, can we get supplies from
farther away, is the infrastructure intact?
 Infrastructure: How long can we be without water, sewage, power, … ?
 We can use generators for power, but how long do we have fuel for?
 In prolonged power outages, we have pre-determined critical systems we leave
up and everything else is shut down to preserve power (fuel) and lessen HVAC
requirements.
7|Page
 From our MTD we can determine our approach to how we handle disasters and the
safeguards we put in place to mitigate or recover from them.
 Redundant site:
 Complete identical site to our production, receives a real time copy of our data.
 Power, HVAC, Raised floors, generators, …
 If our main site is down the redundant site will automatically have all traffic fail
over to the redundant site.
 The redundant site should be geographically distant, and have staff at it.
 By far the most expensive recovery option, end users will never notice the fail
over.
 Hot site:
 Similar to the redundant site, but only houses critical applications and systems,
often on lower spec’d systems.
 Still often a smaller but a full data center, with redundant UPS’s, HVAC’s, ISP’s,
generators, …
 We may have to manually fail traffic over, but a full switch can take an hour or
less.
 Near or real-time copies of data.
 Warm site:
 Similar to the hot site, but not with real or near-real time data, often restored
with backups.
 A smaller but full data center, with redundant UPSs, HVACs, ISPs, generators,…
 We manually fail traffic over, a full switch and restore can take 4-24 hours +.
 Cold site:
 A smaller but full data center, with redundant UPSs, HVACs, ISPs, generators, …
 No hardware or backups are at the cold site, they require systems to be
acquired, configured and applications loaded and configured.
 This is by far the cheapest, but also longest recovery option, can be weeks+.
 Reciprocal Agreement site:
 Your organization has a contract with another organization that they will give
you space in their data center in a disaster event and vice versa.
 This can be promised space or some racks with hardware completely segmented
off the network there.
 Mobile site:
 Basically a data center on
wheels, often a container
or trailer that can be
moved wherever by a
truck.
 Has HVAC, fire suppression, physical security, (generator),… everything you
need in a full data center.
8|Page
 Some are independent with generator and satellite internet, others need power
and internet hookups.
 Subscription/cloud site:
 We pay someone else to have a minimal or full replica of our production
environment up and running within a certain number of hours (SLA).
 They have fully built systems with our applications and receive backups of our
data, if we are completely down we
contact them and they spin the systems up and apply the latest backups.
 How fast and how much is determined by our plans and how much we want to
pay for this type of insurance.
 Other BCP plans:

 Related plans:
 Our BCP being the overarching plan also contains our other plans, including but
not limited to:
 COOP (Continuity of Operations Plan):
 How we keep operating in a disaster, how we get staff to alternate sites,
what are all the operational things we need to ensure we function even
if at reduced capacity for up to 30 days.
 Cyber Incident Response Plan:
 How we respond in cyber events, can be part of the DRP or not. This
could be DDOS, worms, viruses, ...
 OEP (Occupant Emergency Plan):
 How do we protect our facilities, our staff and the environment in a
disaster event.
 This could be fires, hurricanes, floods, criminal attacks, terrorism, ...
 Focuses on safety and evacuation, details how we evacuate, how often
we do the drills and the training staff should get.

 Related plans:
 BRP (Business Recovery Plan):
 Lists the steps we need to take to restore normal business operations
after recovering from a disruptive event.
 This could be switching operations from an alternate site back to a
(repaired) primary site.
 Continuity of Support Plan:
 Focuses narrowly on support of specific IT systems and applications.
 Also called the IT Contingency Plan, emphasizing IT over general
business support.
 CMP (The Crisis Management Plan):
 Gives us effective coordination among the management of the
organization in the event of an emergency or disruptive event.
9|Page
 Details what steps management must take to ensure that life and safety
of personnel and property are immediately protected in case of a
disaster.

 Related plans:
 Crisis Communications Plan:
 A subplan of the CMP.
 How we communicate internally and externally during a disaster.
 Who is permitted to talk to the press? Who is allowed to communicate
what to whom internally?
 Call Trees:
 Each user in the tree calls a small number of people.
 The calling tree is detailed in the communications plan and
should be printed out and at the home of staff, assume we have
no network or system access.
 Starts from the bottom up and then top down.
 The staff that discovers the incident calls their manager or
director, they then contact someone at a senior level (often the
CEO).

 Related plans:
 Call Trees:
 The CEO calls the rest of the C-level leadership,
they call their directors and managers and the
managers call their staff.
 Obviously only where it is appropriate and
needed for the recovery effort or if staff is
directly impacted by the disaster.
 Should be done with 2 way confirmation,
managers/directors should confirm to their C-
level executive that they did get a hold of the
identified staff.
 Automated call trees are often a better idea
than manual ones, notifying people of the
disaster is one of those things that tends to get
forgotten.
 They are hosted at a remote location, often on SaaS, and key personnel
that are allowed to declare a disaster can activate them.

 Off site copies and plans:
 We keep both digital and physical copies of all our plans at offsite locations,
assume we can’t access our data or our facilities. Relying on memory is a bad
idea.
10 | P a g e
 We also keep critical business records in the same manner.
 EOC (Emergency Operations Center):
 A central temporary command and control facility responsible for our
emergency management, or disaster management functions at a strategic level
during an emergency.
 It ensures the continuity of operation of our organization.
 We place the EOC in a secure location if the disaster is impacting a larger area.
 MOU/MOA (Memorandum of Understanding/Agreement)
 Staff signs a legal document acknowledging they are responsible for a certain
activity.
 If the test asks "A critical staff member didn't show, and they were supposed to
be there. What could have fixed that problem?" it would be the MOU/MOA.
While slightly different they are used interchangeably on the test.

 Executive Succession Planning:
 Senior leadership often are the only ones who can declare a disaster.
 We need to plan for if they are not available to do so.
 Their unavailability may be from the disaster or they may just be somewhere
without phone coverage.
 Organizations must ensure that there is always an executive available to make
decisions
 Our plans should clearly outline who should declare a disaster, if they are not
available, who is next in line and the list should be relatively long.
 Organizations often have the entire executive team at remote sessions or
conferences (it is not very smart).
 Employee redundancy:
 We should have a high degree of skilled employee redundancy, just like we have
on our critical hardware.
 It is natural for key employees to move on, find a new job, retire or win the
lottery.
 If we do not prepare for it we can cripple our organization.
 Can be mitigated with training and job rotation.
 Testing the plans:

 We have built our plans, now we need to see how complete and accurate they are, they
are living documents we continually improve them.
 Simulated tests:
 DRP review:
 Team members who are part of the DRP team review the plan quickly
looking for glaring omissions, gaps or missing sections in the plan.
 Read-Through (checklist):
 Managers and functional areas go through the plan and check a list of
components needed for in the recovery process.
 Walk/Talk-through (tabletop or structured walkthrough):
11 | P a g e
 A group of managers and critical personnel sit down and talk through
the recovery process.
 Can often expose gaps, omissions or just technical inaccuracies that
would prevent the recovery.

 Simulated tests:
 Simulation Test (Walkthrough Drill):
 Similar to the walkthrough (but different, do not confuse them).
 The team simulates a disaster and the teams respond with their pieces
from the DRP.
 Physical tests:
 Parallel processing:
 We bring critical components up at a secondary site using backups,
while the same systems are up at the primary site, after the last daily
backup is loaded we compare the two systems.
 Partial Interruption:
 We interrupt a single application and fail it over to our secondary
facilities, often done off hours.
 Full Interruption:
 We interrupt all applications and fail it over to our secondary facilities,
always done off hours.
 Both partial and full are mostly done by fully redundant organizations, build
your plans for your environment.

 Testing:
 To ensure the plan is accurate, complete and effective, happens before we
implement the plan.
 Drills (exercises):
 Walkthroughs of the plan, main focus is to train staff, and improve employee
response (think fire drills).
 Auditing:
 A 3rd party ensures that the plan is being followed, understood and the
measures in the plan are effective.
 Training for the plans:

 For most of our plans we need to provide training for our staff on how they react and
handle their piece of the plan.
 We train evacuations, fire safety, CPR, first aid, and for the DRP the teams with
responsibilities needs to feel comfortable performing their tasks.
 If an employee is expected to restore a system from tape and they have never
done it is time to train them.
 Do they know how to get the restore tapes (they are of course not kept
on premises)?
12 | P a g e
 Does the UPS fail over automatically or does someone have to flip the switch,
does every data center employee know how to do that?
 It is each functional unit's responsibility they are ready for a disaster, they need
to provide the training (they are taught it), in the end what we need is
awareness (they actively use it).
 This is also where we would do as much as possible for the people redundancy.
 New staff is trained on our systems as well as the emergency protocols
and how to perform their tasks.
 If we only have one server administrator we better hope he is not on
vacation when our incident happens.
 Improving the plans:

 The plans needs to be continually updated, it is an iterative process.
 Plans should be reviewed and updated at least every 12 months.
 If our organization has had a major change we also update the plans.
 This could be:
 We acquired another company or we split off into several
companies.
 We changed major components of our systems (new backup
solution, new IP scheme, …).
 We had a disaster and we had a lot of gaps in our plans.
 A significant part of senior leadership has changed.
 When we update the plans older copies are retrieved and destroyed, and
current versions are distributed.
 After a disruption or test:

 Once we have had and recovered from a disruption or we have done our failover test
we do a lessons learned.
 Lessons Learned:
 This phase is often overlooked, we removed the problem, we have
implemented new controls and safeguards.
 We can learn a lot from lessons learned, not just about the specific incidence,
but how well we handle them, what worked, what didn't.
 What happened and didn’t happen is less important than how we improve for
next time.
 We do not place blame, the purpose is improving.
 How can we as an organization grow and become better next time we have
another incidence? While we may have fixed this one vulnerability there are
potentially 100's of new ones we know nothing about yet.
 The outcome and changes of the Lessons Learned will then feed into our
preparation and improvement of our BCP and DRP.
 BCP/DRP frameworks:
 When building or updating our BCP/DRP plans, we can get a lot of guidance from these
frameworks, and just like the other standards and frameworks we use we often tailor
and tweak them to fit the needs of our organization.
13 | P a g e
 NIST 800-34:
 Provides instructions, recommendations, and considerations for federal
information system contingency planning. Contingency planning refers to
interim measures to recover information system services after a disruption.
 ISO 22301:
 Societal security, Business continuity management systems, specifies a
management system to manage an organization's business continuity plans,
supported by ISO 27031.
 ISO/IEC-27031:
 Societal security, Business continuity management systems – Guidance, which
provides more pragmatic advice concerning business continuity management
 BCI (Business Continuity Institute):
 6 step process of "Good Practice Guidelines (GPG)” the independent body of
knowledge for Business Continuity.
 After a disruption:
 We only use our BCP/DRP's when our other countermeasures have failed.
 This makes the plans even more important. (Remember 2/3 of business with major data
loss close).
 When we make and maintain the plans there are some common pitfalls we want to
avoid:
 Lack of senior leadership support.
 Lack of involvement from the business units.
 Lack of critical staff prioritization.
 Too narrow scope.
 Inadequate telecommunications and supply chain management.
 Lack of testing
 Lack of training and awareness
 Not keeping the BCP/DRP plans up to date, or no proper versioning controls.
 Digital (computer) forensics:
 Focuses on the recovery and investigation of
material found in digital devices, often in
relation to computer crime.
 Closely related to incident response, forensics is
based on gathering and protecting the
evidence, where incidents responses are how
we react in an event breach.
 We preserve the crime scene and the evidence,
we can prove the integrity of it at a later
needed time, often court.
 Digital (computer) forensics:
 The forensic process:
14 | P a g e
 Identify the potential evidence, acquire the
evidence, analyze the evidence, make a report.
 We need to be more aware of how we gather
our forensic evidence, attackers are covering
their tracks, deleting the evidence and logs.
 This can be through malware that is only in
volatile memory, if power is shut off (to preserve
the crime scene), the malware is gone and the
evidence is lost.
 Rather than shutting the system down, we can if
considered safe disconnect it from the network
and take bit by bit copies of the memory, drives,
running processes and network connection data.
 Digital forensics:
 The evidence we collect must be accurate, complete, authentic, convincing,
admissible.
 Identification: Identify the evidence, what is left behind,
 Preservation:
 Everything is documented, chain of custody: Who had it when? What
was done? When did they do it?
 Pull the original, put it in write protected machine, we make a hash.
 We only do examinations and analysis on bit level copies, we confirm
they have the same hash as the original before and after examination
 Collection:
 We examine and analyze the data, again document everything.
 We handle the evidence as little as possible.
 Work from most volatile to least volatile, starting with the RAM and
ending with the hard disks.
 We use our incidence response plan:
 This can include getting our HR and Legal departments involved.
 We ensure our evidence is acquired in a legal manner. Remember the US
Constitution 4th amendment.
 The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be
violated.
 Anything subpoenaed, search warranted, turned over voluntarily and in exigent
circumstances (immediate danger of being destroyed), can allow law
enforcement to bypass the 4th amendment.
 Examination: Find the facts and document them, collecting the data.
 Analysis: Look at the data and look for meaning or reason.
 Presentation in court: We present our findings and any other evidence.
15 | P a g e
 Decision: The court rules on the case.
 Forensic data is normally obtained from binary images of secondary storage and
portable storage devices like hard drives, flash drives, CDs, DVDs, and cell
phones and mp3 players.
 We use a binary or bit stream image copy to ensure we get an exact copy of the
device, and not just a copy of certain sectors.
 Real Evidence: Tangible and Physical objects, in IT Security: Hard Disks, USB
Drives – NOT the data on them.
 Evidence Integrity – It is vital the evidence's integrity cannot be questioned, we
do this with hashes. Any forensics is done on copies and never the originals, we
check hash on both original and copy before and after the forensics.
 Chain of Custody – Chain of custody form, this is done to prove the integrity of
the data. No tampering was done.
 Who handled it?
 When did they handle it?
 What did they do with it?
 Where did they handle it?
 Here are the four basic types of disk-based forensic data:
 Allocated space:
 The portions of the disk that are
marked as actively containing
data.
 Unallocated space:
 The portions of the disk that
does not contain active data.
 This is parts that have never
been allocated and previously
allocated parts that have been
marked unallocated.
 When a file is deleted, the parts
of the disk that held the deleted
file are marked as unallocated
and made available for use. (This is also why deleting a file does
nothing, the data is still there until overwritten).
16 | P a g e
 Slack space:
 Data is stored in specific size chunks known as clusters
(clusters = sectors or blocks).
 A cluster is the minimum size that can be allocated by a file
system.
 If a particular file, or final portion of a file, does not require the
use of the entire cluster then some extra space will exist within
the cluster.
 This leftover space is known as slack space: it may contain old
data, or can be used intentionally by attackers to hide
information.
 Bad blocks/clusters/sectors:
 Hard disks end up with sectors that cannot be read due to some
physical defect.
 The sectors marked as bad will be ignored by the operating
system since no data could be read in those defective portions.
 Attackers can mark sectors or clusters as being bad in order to
hide data within this portion of the disk.
Memory and Data Remanence:

 Data Remanence: Data left over after normal removal and deletion of data.
 Memory: Is just 0’s (off) and 1’s (on); switches representing bits.
 ROM:
 ROM (Read Only Memory) is nonvolatile (retains memory after power
loss); most common use is the BIOS.
 PROM (Programmable read only memory) – Can only be written
once, normally at the factory.
 EPROM (Erasable programmable read only memory) – Can be
erased (flashed) and written many times, by shining an
ultraviolet light (flash) on a small window on the chip (normally
covered by foil).
 EEPROM (Electrically erasable programmable read only
memory) – These are electrically erasable, you can use a
flashing program. This is still called read only.
 The ability to write to the BIOS makes it vulnerable to
attackers.
 PLD (Programmable logic devices) are programmable after they leave
the factory (EPROM, EEPROM and flash memory). Not PROM.
17 | P a g e
 Cache Memory: L1 cache is on the CPU (fastest), L2 cache is connected
to the CPU, but is outside it.
 RAM (Random Access Memory) is volatile memory. It loses the memory
content after a power loss(or within a few minutes). This can be
memory sticks or embedded memory.
 SRAM and DRAM:
 SRAM (Static RAM): Fast and expensive. Uses latches to
store bits (Flip-Flops).
 Does not need refreshing to keep data, keeps
data until power is lost. This can be embedded
on the CPU.
 DRAM (Dynamic RAM) Slower and cheaper. Uses small
capacitors.
 Must be refreshed to keep data integrity (100-
1000ms).
 This can be embedded on graphics cards.
 SDRAM: (Synchronous DRAM):
 What we normally put in the
motherboard slots for the memory
sticks.
 DDR (Double Data Rate) 1, 2, 3, 4
SDRAM.

 Firmware and SSD’s (Solid State Drives).
 Firmware:
 This is the BIOS on a computer, router or switch; the low-level operating
system and configuration.
 The firmware is stored on an embedded device.
 PROM, EPROM, EEPROM are common firmware chips.
 Flash memory: Small portable drives (USB sticks are an example); they are a
type of EEPROM.
 SSD drives are a combination of EEPROM and DRAM, can’t be degaussed.

 To ensure no data is readable we must use must ATA Secure Erase
or/and destruction of SSD drives.
18 | P a g e
Data Destruction:
When we no longer need a certain media, we must dispose of it in a manner that ensures the data
cannot be retrieved. This pertains to both electronic media and paper copies of data.
 Paper disposal – It is highly encouraged to dispose of ANY paper with
any data on it in a secure manner. This also has standards and cross
shredding is recommended. It is easy to scan and have a program re-
assemble documents from normal shreds like this one.
 Digital disposal – The digital disposal procedures are determined by
the type of media.
 Deleting, formatting and overwriting (Soft destruction):
 Deleting a file just removes it from the table;
everything is still recoverable.
 Formatting does the same but it also puts a new file
structure over the old one. Still recoverable in most cases.
 Overwriting is done by writing 0’s or random characters over the data.
 As far as we know there is no tool available that can recover
even single pass overwriting (not possible on damaged media).
Data Destruction:
 Degaussing destroys magnetic media by exposing it to a very strong magnetic field. This
will also most likely destroy the media integrity.
 Full physical destruction is safer than soft destruction:
 Disk crushers do exactly what their name implies: they
crush disks (often used on spinning disks).
 Shredders do the same thing as paper shredders do, they
just work on metal. These are rare to have at normal
organizations, but you can buy the service.
 Incineration, pulverizing, melting and acid are also (very
rarely) used to ensure full data destruction.
 It is common to do multiple types of data destruction on sensitive
data (both degaussing and disk crushing/shredding).
 While it may not be necessary, it is a lot cheaper than a potential
$1,000,000 fine or loss of proprietary technology or state secrets.
 Network forensics:
 A sub-branch of digital forensics where we look at the monitoring and
analysis of computer network traffic for the purposes of information
gathering, legal evidence, or intrusion detection.
 Network investigations deal with volatile and dynamic information.
 Network traffic is transmitted and then lost, so network forensics is
often a pro-active investigation.
19 | P a g e
 Network forensics generally has two uses.
 The first type is monitoring a network for anomalous traffic and
identifying intrusions (IDS/IPS).
 An attacker might be able to erase all log files on a
compromised host, a network-based evidence might be
the only evidence available for forensic analysis.
 The second type relates to law enforcement.
 In this case analysis of captured network traffic can
include tasks such as reassembling transferred files,
searching for keywords and parsing human
communication such as emails or chat sessions.
 Network forensics:
 Systems used to collect network data for forensics use usually come in
two forms:
 Catch-it-as-you-can:
 All packets passing through a certain traffic point are
captured and written to storage with analysis being
done subsequently in batch mode.
 This approach requires large amounts of storage.
 Stop, look and listen:
 Each packet is analyzed in a basic way in memory and
only certain information is saved for future analysis.
 This approach requires a faster processor to keep up
with incoming traffic.
 Forensic software analysis:
 Comparing and/or reverse engineering software.
 Reverse engineering malware is one of the most common examples.
 Investigators often have a binary copy of a malware program, and try to
deduce what it does.
 Common tools are disassemblers and debuggers.
 Software forensics can also refer to intellectual property infringement, for the
exam this is not the type we talk about.
 Embedded Device Forensics:
 We have for decades analyzed and investigated standard systems,
traffic and hardware, but embedded devices is a new player.
20 | P a g e
 They include SSDs, GPSs, cell phones, PDA, and much more.
 They can contain a lot of information, but how do we safely retrieve it
while keeping the integrity of the data?
 We talked about how the IoT (Internet of Things) can be a security
concern, but all the devices can also hold a wealth of information.
 Where does the GPS say the car, phone or person was at a
certain time?
 When did the AC turn on? Can we assume someone was home
at that time?
 Forensic examiners may have to be able to access, interpret and analyze
embedded devices in their investigation.

 How we plan for incidences and disasters.
 Business Continuity Planning and Disaster Recovery Planning.
 BIA (Business Impact Analysis).
 Supply, personnel and infrastructure redundancy.
 Disaster Recovery sites.
 Other BCP sub plans:
 COOP (Continuity of Operations Plan), Cyber Incident Response Plan, OEP
(Occupant Emergency Plan).
 After a disruption.
 Digital, spinning disk, network and software forensics.
 Memory and data remanence.
 Thank you for staying here with me!
21 | P a g e

Thor Lectures

Uploaded by

Copyright:

Available Formats

You might also like

Thor Lectures

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Thor Lectures

Uploaded by

Copyright:

Available Formats

Domain 1 Lecture notes

Welcome to the first CISM Domain.

Security governance principles.

Security governance principles.

Security governance principles.

Security governance principles.

Security governance principles.

Information Security Governance:

Information Security Governance:

SWOT (Strengths, Weaknesses, Opportunities, and Threats):

KGI’s, KPI’s, and KRI’s:

 KGI (Key Goal Indicator):

Confidentiality, Integrity and Availability.

Confidentiality, Integrity and Availability.

Confidentiality, Integrity and Availability.

Confidentiality, Integrity and Availability

Sensitive Information and Media Security:

 Data has 3 States: We want to protect it as well as

Sensitive information and Media Security:

Data Classification Policies:

 Clearance: Subjects have Clearance

Data Classification Policies:

Data, system, mission ownership, custodians and users:

Data Security Controls and Frameworks:

 Your Organization’s Ethics:

Legal and regulatory issues.

Legal and regulatory issues.

Legal and regulatory issues.

Legal and regulatory issues.

Legal and regulatory issues.

Legal and regulatory issues.

 If there is a gray area in some cases between Entrapment and Enticement, it is

 GDPR (General Data Protection Regulation):

 Restrictions: Lawful interception, national security, military, police, justice.

 GDPR (General Data Protection Regulation):

Legal and regulatory issues.

Legal and regulatory issues.

 BCP and DRP:

 Administrative Personnel Security Controls:

 Administrative Personnel Security Controls:

 Administrative Personnel Security Controls:

 Designing security into our software:

 Programming languages and generations:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies:

 Software Development Methodologies: