Professional Documents
Culture Documents
Certified Information Systems Security Professional Official Isc2 Student Guide
Certified Information Systems Security Professional Official Isc2 Student Guide
Instructor Edition
An Official Publication
Dear Seminar Participant,
Congratulations! You are embarking on a journey to become part of the global (ISC)²
community. Not only are you taking a critical step in your career, you are also taking an
active role in inspiring a safe and secure cyber world.
Earning the CISSP certification demonstrates your ability to design and manage nearly all
aspects of an organization’s cybersecurity strategy.
The material in this course is based upon the knowledge found in the (ISC)² CISSP Common
Body of Knowledge. Successful completion of this course will help you achieve your career
goals, but passing the CISSP exam depends on your mastery of the domains covered within
the exam outline and your ability to apply those concepts in the real world.
I wish you the best of luck during the seminar and as you continue your journey to become a
certified member of (ISC)².
Sincerely,
Acknowledgments
The development of the CISSP Training Guide could not have been possible without the
participation and assistance of so many people. Their contributions are sincerely appreciated
and gratefully acknowledged.
Authors:
Mr. Ben Malisow, CCSP and CISSP
Mr. John Berti, CCSP, CISSP, and SSCP
Dr. Lyron Andrews, CCSP and CISSP
Mr. Kevin Stoffell, CAP, CCSP, CISSP, CISSP-ISSAP, CISSP-ISSEP, and CISSP-ISSMP
Editorial Service:
Six Red Marbles
Elsa Peterson Ltd.
Mr. Dennis Lee
Design Oversight:
Mr. Jon Harrison, (ISC)2
This book contains information obtained from authentic and highly regarded sources.
Reprinted material is quoted with permission, and sources are indicated. A wide variety of
references are listed. Reasonable efforts have been made to publish reliable data and
information, but the authors and the publisher cannot assume responsibility for the validity
of all materials or for the consequences of their use.
Please be advised that among the sources of quoted material in this document are United
States government publications, which by law belong to the public domain and therefore
require no copyright permission or acknowledgment. Further information about copyright is
available from the U.S. Copyright Office http://www.copyright.gov.
No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by
any electronic, mechanical, or other means, now known or hereafter invented, including
photocopying, microfilming, and recording, or in any information storage or retrieval system
without written permission from the publishers.
Acknowledgments i
Instructor Edition
Table of Contents
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .vii
iv Table of Contents
Instructor Edition
Table of Contents v
Official (ISC)2 CISSP Training Guide
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
vi Table of Contents
Instructor Edition
Notes
Welcome
Welcome
Welcome
The Official (ISC)2 Certified Information Systems Security PPT
Professional (CISSP) Training Seminar provides a comprehensive
Welcome
review of information systems security concepts and industry best
practices, covering the eight domains of the CISSP Common Body
of Knowledge (CBK):
PPT
1. Security and Risk Management How Do I Use the
2. Asset Security Course Materials?
Welcome vii
Official (ISC)2 CISSP Training Guide
Course Objectives
After completing this course, the participant will be able to:
1. Understand and apply fundamental concepts and methods
related to the fields of information technology and security.
2. Align overall organizational operational goals with security
functions and implementations.
3. Understand how to protect assets of the organization as
they go through their lifecycle.
4. Understand the concepts, principles, structures, and
standards used to design, implement, monitor, and secure
operating systems, equipment, networks, applications,
and those controls used to enforce various levels of
confidentiality, integrity, and availability.
5. Implement system security through the application of
security design principals and the application of appropriate
security control mitigations for vulnerabilities present in
common information system types and architectures.
6. Understand the importance of cryptography and the
security services it can provide in today’s digital and
information age.
7. Understand the impact of physical security elements
on information system security and apply secure design
principals to evaluate or recommend appropriate physical
security protections.
8. Understand the elements that comprise communication and
network security coupled with a thorough description of
how the communication and network systems function.
9. List the concepts and architecture that define the associated
technology and implementation systems and protocols at
Open Systems Interconnection (OSI) model layers 1–7.
viii Welcome
Instructor Edition
10. Identify standard terms for applying physical and logical Notes
access controls to environments related to their security
practice. Welcome
Welcome
security requirements. PPT
12. Name primary methods for designing and validating test Course Objectives
and audit strategies that support business requirements. (5 slides) (continued)
Welcome ix
Instructor Edition
Course Agenda
Domain 1: Security and Risk Management
Notes
Security and Risk
1
Management
Overview
Domain 1 of the (ISC)2® CBK lays the foundation for the entire course,
introducing concepts and principles that will be utilized throughout.
It is imperative that the candidate learn and understand these
thoroughly, if the candidate is not already familiar with the material
from professional practice.
NOTE: Throughout this domain and much of the rest of the course
material, the term “organization” will be used to describe operational
entities; an organization might be a private business operating in a
market dynamic, a government entity, or a nonprofit/charitable
agency of some kind. This term is used in generic fashion as a
consideration that candidates may work for any type of functional unit;
the material is designed to be agnostic to the type of industry or
nature of work a particular unit might be involved in. When material is
specific to a certain type of organization, it will be specified in context
(for instance, a bank as a financial organization has specific security
concerns not faced by other types of organizations).
4 Compliance Requirements
10 Professional Ethics
11 Domain Review
PPT
Module Objectives
Introduce the module
objectives.
PPT
Confidentiality: only authorized entities have access to the data.
CIA Triad Examples Integrity: there are no unauthorized modifications of the data.
Review the CIA triad
example.
Availability: authorized entities can access the data when and how they
are permitted to do so.
perform work within the environment may have security Introduce and describe
duties as well. These can include secure configuration of the common security
frameworks.
systems, applying secure networking, reporting potential
incidents, and so forth. Positions in this category include
but are not limited to: system administrators (often
Tech Support and Help Desk personnel) and network
administrators/engineers. This group typically reports to
the IT director or CIO.
l Users: Employees, contractors, and other personnel who
operate within the IT environment on a regular basis. While
this role does not have specific security duties per se, users
are required to operate the systems in a secure fashion,
and they are usually required to sign a formal agreement to
comply with security guidance. Users may also be co-opted
and trained to report potential security incidents, acting as
a rudimentary form of intrusion detection. Users typically
report to their functional managers.
Notes An example to clarify the concept: if a customer buys a car from the
vendor, the vendor should have designed and constructed the car in a
Organizational/Corporate way so that the car can be operated in a normal, expected manner
Governance
without some defect harming the customer. If the user is driving the car
normally on a road and a wheel falls off, the vendor may be culpable for
PPT any resulting injuries or damage if the loss of the wheel is found to be
Due Care/Due the result of insufficient care on the part of the vendor (if, say, the wheel
Diligence (continued) mount was poorly designed, or the bolts holding the wheel were made
Introduce and explain
from a material of insufficient strength, or the workers assembling the
the concepts of due care car did so in a careless or negligent way). This duty is only required for
and due diligence. reasonable situations; if, for instance, the customer purposefully drove
the car into a body of water, the vendor does not owe the customer any
assurance that the car would protect the customer, or even that the car
would function properly in that circumstance.
NOTE: There is a joke regarding the standard of reasonableness that
lawyers use—“Who is a reasonable person? The court. The court is a
reasonable person.” Meaning that the “standard” is actually quite
ambiguous and arbitrary: the outcome of a case hinging on a
determination of “reasonable” action is wholly dependent on a specific
judge on a specific day, and judges are only people with opinions.
Due diligence, then, is any activity used to demonstrate or provide due
care. Using the previous example, the car vendor might engage in due
diligence activities such as quality control testing (sampling cars that
come off the production line for construction/assembly defects),
subjecting itself to external safety audit, prototype and regular safety
testing of its vehicles to include crash testing, using only licensed and
trained engineers to design their products, and so forth. All of these
actions, and documentation of these actions, can be used to
demonstrate that the vendor provided due care by performing due
diligence.
In the IT and IT security arena, due diligence can also take the form of
reviewing vendors and suppliers for adequate provision of security
measures; for instance, before an organization uses an offsite storage
vendor, the organization should review the vendor’s security governance,
and perhaps even perform a security audit of the vendor to ensure that
the security provided by the vendor is at least equivalent to the security
the organization itself provides to its own customers. Another form of
due diligence for security purposes could be proper review of personnel
before granting them access to the organization’s data, or even before
hiring; this might include background checks and personnel assurance
activities. (Personnel security measures, which provide a measure of due
diligence, will be discussed in more detail later in this domain.)
Notes
Module 3: Risk Management Concepts
Risk Management
Concepts
Module Objectives
PPT 1. Describe common practices used for asset valuation and the
Risk Management challenges/benefits associated with each.
Concepts
2. Distinguish between threats and vulnerabilities.
Introduce the participants
to the “Risk Management 3. Identify common practices of risk assessment and analysis.
Concepts” module. 4. Know the four common methods of risk management.
5. Know how to choose from the four common methods of risk
management.
PPT
6. Recognize common practices for selecting security controls.
Module Objectives
(3 slides) 7. List the various types, classes, and categories of security controls.
Introduce the module 8. Describe the importance of monitoring and measuring the
objectives. security program and controls and why this is performed on a
continuous basis.
9. Recognize common risk frameworks.
10. Apply risk-based management concepts to the supply chain and
the use of third parties for risk assessment and monitoring.
11. Recognize standard threat modeling concepts.
12. Apply threat modeling methodologies.
13. Recognize common threats and risks.
14. Recognize the purpose of the service level agreement, how it
augments the contract, and which items should be contained
in each.
15. Determine and document minimum security requirements.
Asset Valuation
To effectively manage risk, the organization must determine what PPT
assets it has and assign a value to those assets. Assets can include Asset Valuation (2 slides)
property (both tangible and intangible), people, and processes.
Discuss the valuation of
NOTE: In modern organizations, data (an intangible asset) is often assets (slide 1); Introduce
the BIA and discuss its
the property with the most significant particular value.
importance in security
(slide 2).
An asset inventory is crucial for this task; it is impossible to protect
what you have if you don’t know what you have. There are many
tools to aid in an asset inventory, automated and otherwise. It is
important for the organization to mesh its acquisition and
development processes with the asset inventory method it uses so
that all new assets will be included in the inventory.
There are many ways to determine the value of an asset. An asset
might have a discrete market value (a monetary value). Conversely,
an asset might have a particular relative value for the organization;
a specific asset that might otherwise be of nominal value to
another organization might have great importance to your
organization. It is important for senior management to review and
oversee asset value determinations so that your organization is
properly assigning value to its assets.
However, while senior management will make the final
determination of value for the organization’s assets, the main effort
of valuation will fall to the functional managers. Usually, it is the line
managers who will have the best perspective of the assets under
their control, because they will be the people working with those
assets the most; they will have the greatest insight and
understanding of how those assets are used by the organization.
NOTE: It is important to remember when gathering asset valuation
information that while unit managers will have the best insight to
the value of the assets under their control, managers are also
inherently biased. When asked, “what assets are most important to
Notes the organization,” the response is almost invariably, “mine.” This is not a
result of malicious intent, it is simply human nature. Therefore, senior
Risk Management management must bear this phenomenon in mind while reviewing the
Concepts
valuation survey information and adjust for any possible overvaluation
that may have occurred.
PPT
One tool used widely in the industry is the business impact analysis
Asset Valuation (2 slides) (BIA). The BIA is a list of the organization’s assets, annotated to reflect
(continued)
the criticality of each asset to the organization. Because each
Discuss the valuation of organization operates differently, assets that are critical to one
assets (slide 1); Introduce
the BIA and discuss its
organization might have little relative importance to other organizations,
importance in security even within the same field or industry. The personnel involved in
(slide 2). creating the organization’s BIA will need to understand not only the
nominal value of each asset itself, but the business functions and
operations of the organization so as to properly determine that asset’s
PPT criticality. The use of the BIA will transcend asset valuation, and the BIA
can be used in other components of risk management as well as other
Identify Threats and
Vulnerabilities aspects of security.
Introduce and discuss
threats and vulnerabilities. Identify Threats and Vulnerabilities
The next step in the risk management process is to identify threats and
vulnerabilities associated with the organization’s assets. Threats are any
aspects that create a risk to the organization, its function, and its assets.
Vulnerabilities are any aspects of the organization’s operation that
could enhance a risk or the possibility of a risk being realized.
Threats can take many forms, anthropogenic and otherwise, and can be
the result of no motivation, malicious intent, or inadvertent action.
Consider the following list of common threats and the brief description
of each:
l Natural: Nature has no malicious intent; it does not have any
desire to interrupt business operations or to harm people. It
is, however, a threat to both operations and health and human
safety. Natural phenomena that fall into this category include
disasters (floods, hurricanes, earthquakes, and so on), fire (on a
disaster scale, or localized), and biologics. The latter category
includes such things as small animals affecting operations
by chewing through conduit/cables, which has caused both
widespread and localized outages, for both power and data
connectivity; that category can also include pandemic disease,
which can interrupt operations significantly.
l Criminal activity: People with specific intent to do harm by
performing illegal activity; the intended harm can be financial or
physical. Hackers, thieves, espionage agents, social activists, and
terrorists all fall into this category. This sort of activity can
come from external sources, or personnel internal to the
organization.
Notes
Risk Management
1
Concepts
l User error: Users can conduct a vast variety of inadvertent
Risk Assessment/Analysis
PPT After the organization has conducted a thorough asset inventory and
valuation and identified the threats and vulnerabilities the organization
Risk Assessment/
Analysis is subject to, it is possible for the organization to realistically assess risk.
Introduce the concept Because risk (as defined earlier in this domain) involves the likelihood a
and methods of risk risk will be realized, in addition to identifying possible types of damage/
assessment and analysis.
harm, it is important that professionals tasked with performing risk
analysis also be able to gather information from sources external to the
organization to accurately gauge the potential of occurrence.
Risk can generally be rated according to three factors: impact,
likelihood, and exposure.
Impact: The damage/harm caused if the risk is realized. This can be
measured monetarily as an effect to health and human safety, and/or
the criticality of the affected asset to the organization. The BIA,
mentioned earlier in this domain, is an excellent tool for use in this
aspect of risk assessment.
Likelihood: A measure of the possibility the risk will be realized. This
can be extremely difficult to determine as it is a form of prediction.
Often, this determination is aided by the use of historical data
from both within and external to the organization (answering the
questions: “how often does this happen to us? how often does it
happen, in general?”).
Exposure: Establishing the realistic potential for the organization to
face certain types of threats. Obviously, the organization will have a
greater exposure to those threats posed by the organization’s activities
(for instance, an organization involved in commercial fishing faces the
threat of losing personnel to drowning, whereas a metropolitan bicycle
messenger service does not). Location might be another factor that
affects exposure; some natural disasters are native to certain
geographic locations, while others are not.
Risk Response
Figure 1.1 shows the four general methods an organization can use
to address risk.
Avoidance Acceptance
Mitigation Transfer
Traditional Model
Notes
One traditional method for selecting the appropriate security controls
Risk Management
Concepts
has been the use of the “loss expectancy” model:
annual loss expectancy (ALE) = single loss expectancy (SLE) x annual
PPT rate of occurrence (ARO)
Security Control In detail, it works like this:
Selection: A Traditional
Model The SLE is the expected negative impact related to a particular risk (the
Introduce and explain the risk being assessed). Most often, this is expressed monetarily. It is
ALE concept/formula. calculated by determining the value of the asset that might be affected
(or lost) and multiplying it by an “exposure factor”—a percentage that
represents the amount of damage resulting from that type of loss.
So:
SLE = asset value (AV) x exposure factor (EF)
The ARO is the number of times per year a given impact is expected,
expressed as a number.
So, the ALE is the SLE multiplied by the ARO, which gives us the
estimated annual cost related to a particular risk.
The value of the ALE to the organization is that it allows the organization
to determine whether the cost of a particular kind of control for a
specific risk is worth the investment.
Let’s use an example to demonstrate:
You are the security manager of a retail store located in a shopping mall.
Senior management has tasked you with reviewing the options for
managing the risk associated with shoplifting.
To approach this decision, you first determine the SLE: what the loss
is to the company in a single event of shoplifting. Several factors go
into this determination. For instance, the size of the items you sell:
it is easier to shoplift small personal electronic devices than it is to
shoplift, say, major appliances such as washing machines; this is how
you determine the exposure factor. You also need to the know the
value of the assets that might be subject to shoplifting: what is the
value to your company, of any one item in the inventory you sell?
What is the wholesale value? What is the retail value? Which have
you lost if that item is stolen?
Let’s say you determine that based on the items you have for sale, a
single loss expectancy for shoplifting, on average, is $5. You then have
to determine the ARO.
How is this done; how do you predict how many shoplifting events
will occur at your store in a year? Well, this data is already available;
major insurers and retail trade groups have historical data about
Notes
Risk Management
1
Concepts
shoplifting gathered over many decades of retail sales, insurance
Notes Risk transference: The ALE is $5,000 and the cost of transferring is
$10,000; risk transference is not a rational option.
Risk Management
Concepts Risk avoidance: If the company did not offer merchandise for sale, it
would no longer be a retail sales operation; risk avoidance, in this case,
does not make much sense.
PPT
Security Control Risk acceptance: Because the other options do not make sense from a
Selection: A Traditional financial standpoint, and because the company wants to remain a retail
Model (continued) operation, the company could reasonably accept the risk due to
Introduce and explain the shoplifting.
ALE concept/formula.
NOTE: The ALE is a rudimentary and mature model, inherited from the
realm of physical security, and is well suited to examples of this kind. It is
PPT not particularly apt for IT security: in our field, there is no good way to
assess SLE; a loss event is rarely nominal, moreover, we are typically not
Applicable Types of
Controls allowed to have an ARO other than 1—whenever a vulnerability is
discovered because a loss has been realized, we are required to take steps
Introduce and explain the
three types of security
to remediate that vulnerability so that specific type of loss should not be
controls. repeated. An organization that has repeated, continuous losses related to
data/IT will soon be beleaguered by regulators, service providers, and
customers alike. So, this model doesn’t work well for IT security. However, it
is still used throughout the industry and is an aspect of security that the
candidate is required to understand as part of the CBK.
Risk Frameworks
Similar to (and, in some cases, overlapping with) the security
control frameworks mentioned earlier in this domain, the security
practitioner may also make use of risk frameworks to optimize the
did for its own internal operations. This may include the organization
performing the following for each entity within the supply chain:
Notes
Risk Management
1
l Governance review Concepts
l Fire: While fire can result from natural disasters, it can also be a
Notes
localized threat to the internal environment of a data center. The
Risk Management impact of combatting fire can be just as detrimental to physical
Concepts
IT components as the fire itself. This topic is addressed in more
detail in Domain 7.
PPT
Software
Risks Associated
with Hardware, l Defects: Bugs and improperly designed functions that can be
Software, and Services exploited by attackers. Defects that are discovered by attackers
(continued)
after a product has shipped and been put into production,
Discuss common threats/ without the knowledge of either the vendor or users, are known
risks associated with as “zero-day” exploits, as attackers can use these vulnerabilities
hardware, software, and
services.
indiscriminately for the time it takes until a patch or solution is
created to resolve the defect.
l Lack of security: Software that is not designed with proper
security controls is prolific and poses a significant risk to the
organization. Including security as an aspect of software
development and acquisition is crucial and discussed in depth
in Domain 8.
l Malicious software (malware): Software can be used as an
attack vector by people with malicious intent for a variety of
potential outcomes that affect every aspect of the CIA triad.
Malware includes worms, viruses, and Trojan horse programs.
Services
l Denial of service (DoS) and distributed denial of service
(DDoS): A DoS attack is launched by a malicious person trying
to affect the availability of systems or data. While this can take
almost any form (including physical), it often manifests as an
attack on (or using) native IT services, such as communication
protocols. A DDoS attack amplifies the attack source through
the attacker’s use of many disparate machines to focus on
the target. Modern DDoS attacks have used exponentially
more attack devices than were expected to a significant
deleterious effect.
l “Man in the middle”: Attacks on active communications are
referred to as “man in the middle,” where the attacker positions
themself (physically or logically) between parties engaged in a
communications session. This can be used to affect every aspect
of the CIA triad.
l Social engineering: If authorized use can be considered a form
of service, then undermining authorized users themselves can be
considered a service attack; this is called “social engineering.”
Instructions
As group, using the criteria described in this module, determine
whether each of the following elements should be included in an
Notes
Risk Management
1
Concepts
SLA, stated elsewhere in the managed service contract, or not
Notes
Module 4: Compliance Requirements
Compliance Requirements
Contractual Mandates
A contract is an agreement between parties requiring them to
perform in some way and the terms for performance. Contracts are
an instrumental tool in business where the contract obligates the
organization; contracts are either used or implicit in every business
transaction. Contracts could be as simple as the exchange of money
for a product, or a complicated, long-term arrangement requiring
hundreds of pages of contract documentation.
An organization enters into a contract voluntarily, and law and custom
dictate that every party to a contract will fulfill the requirements of the
Notes contract unless they are unable to do so. The importance of contracts has
been codified in most countries as law, to the extent that any party
Compliance Requirements not fulfilling their contractual obligations may be forced to do so (or pay
recompense) if the other party/parties to the contract seek relief from
PPT the courts.
Contractual Mandates In many cases, parties to a contract may have the right to review the
(continued) progress and activity of each other to ensure the terms of the contract are
Introduce and discuss being met (this is also stipulated in the contract). This may involve
PCI DSS. inspection of raw data, a measure of some performance, or audits; these
actions may be performed by the parties to the contract or by external
third parties on their behalf.
The candidate should be familiar with one widely used contract as it is
the basis for a great deal of work performed in the IT security industry:
the contract between entities that issue credit cards in the United
States and any entity that accepts those cards as a form of payment
(referred to as “merchants”). This contract is promulgated by the
Payment Card Industry (PCI) Security Standards Council; the Council
publishes and enforces the Payment Card Industry Data Security
Standard (PCI DSS).
The Data Security Standard (DSS) is generally view by those in the
industry as comprehensive and fairly well designed and administered. It
is also a mandate with significant consequences: any merchant that
doesn’t properly comply with the DSS can be assessed a fee by the
Council, and the Council reserves the right to revoke any merchant’s
ability to accept credit card payment for continued or exacerbated
noncompliance. For many merchants, losing the ability to receive credit
card payments would be fatal to their operations, so they are extremely
motivated to remain compliant.
Under PCI DSS, merchants are categorized into four Merchant Levels,
according to the number of credit card transactions the merchant is
party to annually. Merchants are required to subscribe to the security
control areas and processes described in the DSS. For the most part,
the DSS involves protecting privacy data related to the cardholder (the
cardholder’s name, card number, billing address, etc.), including
mandating some mechanisms for ensuring protection, such as encryption
or tokenization.
Other elements of the DSS exist to protect the financial institution that
has issued the card, especially in transactional activity. For instance,
merchants are not allowed to store the Card Verification Value (CVV)
number that appears on the card itself, for any length of time; the CVV
can only be used during the transaction.
Legal Standards
Legal standards are set by courts in decisions that set precedent;
that is, the judgments a court has made previously become the
Notes
Compliance Requirements
1
standard of acceptable practice for future behavior. This precedent
Industry Standards
As can be understood from the term, industry standards are set
for and by the organizations involved and associated with a given
field of endeavor. For instance, in the field of IT security, (ISC)2 is a
standard body that creates, maintains, and determines eligibility for
certifications of professional practitioners. Absent other mandates,
this standard has no inherent legal force but has weight and
credence lent it by recognition from industry participants.
Through time and use, industry standards may take on legal substance
when recognized by the court as credible and recognized. For
instance, when an organization is defending itself in court against
accusations of negligence in the due care for delivery of IT security,
the organization can present the experience and professional
Regulatory Standards
Regulations are mandates set by government bodies. Regulations can be
created by legislative or administrative action. Regulated organizations
are subject to oversight by representatives from the applicable regulatory
agencies (called “regulators”). Punishment for failure to comply can result
in fines, court orders for performance, and in some cases imprisonment
for principals of the organization.
A list of some regulations the candidate should be familiar with:
l General Data Protection Regulation (GDPR): From the
European Union, addresses personal privacy, deeming it an
individual human right. Currently perhaps the single most
powerful and influential regulations associated with IT and data
security in the world, influencing laws in many other countries
and regions. GDPR and some associated programs is discussed
in more depth in Module 5 of this domain.
l Health Insurance Portability and Accountability Act
(HIPAA): An American federal law that affects medical providers,
1. Recognize the role of digital rights management (DRM) Legal and Regulatory
Issues that Pertain to
solutions in protecting intellectual property. Information Security in
2. Recognize modern international legal restrictions on import/ a Global Context
export of data and IT tools. Introduce the participants
to the “Legal and
3. Explain how modern legal frameworks affect international Regulatory Issues that
data flow and how the information security industry is Pertain to Information
responsible for many compliance requirements. Security in a Global
Context” module.
PPT
Module Objectives
Introduce the module
objectives.
Module 5: Legal and Regulatory Issues that Pertain to Information Security in a Global Context 45
Official (ISC)2 CISSP Training Guide
PPT
Licensing and Intellectual Property Requirements Cyber Crimes and Data
Intangible assets are called intellectual property. This can include Breaches (continued)
proprietary material such as software owned by the organization. Introduce and discuss
Proprietary software is usually distributed under an agreement common computer-
between the owner of the software (the vendor) and customers related crimes, and data
breach notification laws.
through the use of a license; an agreement codifying the terms (price,
duration, number of copies) that govern the use of that software.
There are many modern forms of licensing. These include but are not PPT
limited to the following: Licensing and
Intellectual Property
l Site licensing: An organization purchases a right to use the
Requirements
software for all members of the organization’s staff, usually
Introduce and discuss the
for a stated duration and with a cap on the number of concept of intellectual
copies used. property, and common
l Per-seat licensing: An organization purchases the right forms of licensing.
to use a specific number of copies of the software for its
personnel, or to pay a certain price (usually less than the
common retail price) for every copy it uses. PPT
l Shareware: The owner of the software allows anyone to use Digital Rights
Management (DRM)
the software within given constraints. Often, this takes the
form of a Creative Commons license, where noncommercial Introduce and discuss
the concept and
use of the software is free, but any business use of the
implementation of DRM.
software requires payment.
l Public domain: Use of the software is free (as is
modification and customization of the application itself), but
technical support or extra features come at a premium.
In many organizations, the security office has become the de facto
software librarian; the organizational entity that is tasked with
maintaining the list of authorized copies of software used by the
organization and ensuring the organization is complying with the
terms of the license(s).
Module 5: Legal and Regulatory Issues that Pertain to Information Security in a Global Context 47
Official (ISC)2 CISSP Training Guide
Notes management (DRM) solution. DRM tools often create an additional layer of
access control within the organization for those files/data sets that contain
Legal and Regulatory Issues proprietary material.
that Pertain to Information
Security in a Global One DRM example many candidates may be familiar with is the
Context
encoding used on DVDs and DVD players. The customer buys the DVD
from the owner of the intellectual property (the movie). The customer
PPT can play the DVD on a DVD player; the customer can carry that DVD to
Digital Rights another DVD player and still play it. The customer owns the DVD and
Management (DRM) can view the movie whenever the customer wants. However, the
(continued) encryption built into the DVD (and the encryption-aware application in
Introduce and discuss the DVD players) will not allow the customer to copy the movie (without
the concept and the use of additional decryption measures). This enforces the intellectual
implementation of DRM. property owner’s rights over the movie; the owner is selling the right to
view the movie not to copy and redistribute it. The customer can even
sell the DVD to someone else—selling the customer’s right to watch the
movie. But the customer can’t sell the movie itself to someone else
because the customer doesn’t own the movie.
DRM sometimes offers additional capabilities as well. In the DVD example,
the DRM solution is also used to enforce laws in some jurisdictions,
pertaining to the content and nature of DVD content. This is a “region”
system where different countries are categorized by region, depending on
the laws of those countries regarding content. A DVD purchased in a
Region 1 country, for instance, will not play on a DVD player purchased in
(and encoded for) a Region 2 country, and vice versa.
DRM solutions should have the following traits:
l Persistency: The access controls follow the protected material
wherever the material goes. In the DVD example, the encryption
is carried on the DVD no matter where the customer carries
the DVD.
l Dynamic policy control: The DRM solution should be subject
to a centralized administrative function that allows the owner
of the intellectual property to update and modify permissions
as necessary. This characteristic has less to do with consumer
DRM and usually involves enterprise rights management (ERM,
which is also referred to as information rights management,
IRM) within an organization that creates intellectual or
proprietary material.
l Automatic expiration: The DRM solution should recognize a
time limit on permissions for specific data sets/files. When the
time limit has been reached, access may be revoked (in the case
of a software license expiring) or the material may become public
domain (when the private ownership rights expire).
DRM solutions often involve the use of system agents: elements of the Introduce and discuss
DRM solution application that are installed on all client devices within the concept and
implementation of DRM.
an organization. Each device used to access DRM-protected material
must be DRM-aware (that is, the device must recognize files protected
by the DRM solution and how to distinguish permissions for specific
PPT
files). In some organizations, this may be challenging; the DRM
solution agent will need to be added to the baseline configuration of Import/Export Controls
the organization’s environment, and in any organization where Discuss common
personnel are allowed to use personal devices, users will need to international restrictions
allow installation (and maintenance and often external audit) of the on IT and security-related
materials, particularly
DRM agent on their devices. cryptographic solutions.
Import/Export Controls
The security practitioner should be aware that IT hardware and
software is often subject to international trade restrictions, mainly for
national defense purposes. In particular, encryption tools are seen by
many governments as a threat to global stability and rule of law.
One such restriction scheme is the Wassenaar Agreement, a
multilateral export control restriction program involving 41
participating countries; these countries agree not to distribute
(export) certain technologies (including both weapons and, of more
concern to our field, cryptographic tools) to regions where an
accumulation of these materials might disturb the local balance of
power between nation-states. Security practitioners employed or
operating in either a Wassenaar signatory country or in a region
where import of these materials is controlled by the Agreement
need to be aware of these prohibitions and understand what
encryption tools may or may not be used.
Many countries have their own internal laws governing the import/
export of encryption technologies in addition to international treaties.
For instance, Russia and some Baltic states, Myanmar, Brunei, and
Mongolia have outright bans on the import of cryptographic
Module 5: Legal and Regulatory Issues that Pertain to Information Security in a Global Context 49
Official (ISC)2 CISSP Training Guide
l Argentina
l Uruguay
Notes
Legal and Regulatory Issues
1
l Canada that Pertain to Information
Security in a Global
Module 5: Legal and Regulatory Issues that Pertain to Information Security in a Global Context 51
Official (ISC)2 CISSP Training Guide
Notes language that makes a transaction conform to the GDPR. Simply put: if an
organization in a non-approved country outside the EU wants to engage in
Legal and Regulatory Issues business with parties in the EU and that business involves PII of EU citizens,
that Pertain to Information
Security in a Global
the organization must stipulate in the contract between the parties that the
Context business activity will comply with the GDPR. This contract wording is
referred to as “standard contractual clauses.” These clauses must be
included in every contract the organization creates with EU entities.
PPT
GDPR Compliance Standard contractual clauses must be approved by either the EU
(2 slides) (continued) Commission or by a government entity in an EU country (if the business
Explain which countries
activity is only occurring in that country). Once the language of a standard
have specific laws that contractual clause is approved, it may be used for many different contracts.
comply with the GDPR,
and which do not. Also,
explain how standard Privacy Terms
contractual clauses
Many data privacy laws use a common terminology; the candidate should
work, and how they can
fulfill GDPR compliance be familiar with the following terms and concepts.
requirements.
l Personally identifiable information (PII): PII, as it is referred to
in the industry, is any data about a human being that could be
used to identify that person. The specific elements of what data
PPT
constitutes PII differs from jurisdiction to jurisdiction and from law
Privacy Terms (2 slides) to law. These are some elements that are considered PII in some
Explain and give jurisdictions and laws:
examples of the
o Name
various terms related to
privacy regulation and o Tax identification number/Social Security number
compliance.
o Home address
o Mobile telephone number
o Specific computer data (MAC address, IP address of the user’s
machine)
o Credit card number
o Bank account number
o Facial photograph
Under some laws, PII is referred to by other terms as was mentioned earlier
in this domain: for instance, medical data in the United States is referred to
as electronic protected health information (ePHI) under HIPAA.
l Data subject: The individual human being that the PII refers to.
l Data owner/data controller: An entity that collects or
creates PII. The data owner/controller is legally responsible
for the protection of the PII in their control and liable for any
unauthorized release of PII. Ostensibly, the owner/controller is
an organization; the legal entity that legitimately owns the data.
l Data processor: Any entity, working on behalf or at the Privacy Terms (2 slides)
(continued)
behest of the data controller, that processes PII. Under
most PII-related laws, “processing” can include absolutely Explain and give
examples of the
anything that can be done with data: creating, storing, various terms related to
sending, computing, compiling, copying, destroying, and so privacy regulation and
forth. While the data processor does have to comply with compliance.
applicable PII law, it is the data owner/controller that remains
legally liable for any unauthorized disclosure of PII even if
the processor is proven to be negligent/malicious.
l Data custodian: The person/role within the organization
who usually manages the data on a day-to-day basis on
behalf of the data owner/controller. This is often a database
manager or administrator; other roles that might be
considered data custodians could be system administrators
or anyone with privileged access to the system or data set.
Module 5: Legal and Regulatory Issues that Pertain to Information Security in a Global Context 53
Official (ISC)2 CISSP Training Guide
Notes
Module 6: Security Policy, Standards,
Security Policy, Standards,
Procedures, and Guidelines Procedures, and Guidelines
PPT
Module Objectives
Security Policy,
Standards, Procedures,
1. Describe the hierarchy of written governance (policies, standards,
and Guidelines guidelines, and processes).
Introduce the participants
to the “Security Policy,
Standards, Procedures,
and Guidelines” module.
PPT
Module Objectives
Introduce the module
objectives.
Policy
The written aspect of governance (including security governance) is
Notes
Security Policy, Standards,
1
known as policy. Policies are documents published and promulgated Procedures, and Guidelines
by senior management dictating and describing the organization’s
Standards
Standards are specific mandates explicitly stating expectations of
performance or conformance. Standards can either come from within
the organization (internal) or from external sources such as statutory or
administrative law, case law (court decisions that set precedent),
professional organizations, and/or industry groups. Some standards
are detailed and specific; an example might be an industry standard
for configuring a certain IT component or device. Some standards are
general and describe a goal, outcome, or process; an example might
be a law that sets a standard declaring, “the data controller is required
to use physical access control measures to prevent unauthorized
removal of hardware containing PII.”
Organizations are required to comply with standards to which they
subscribe or which are applicable to the organization; failure to do
so can result in prosecution or fines assessed by law enforcement/
regulators or can increase and enhance the organization’s liability.
An example, for demonstration purposes: a retail company has some
PII related to its customers, including their contact information and
shopping habits. In the wake of a data breach, investigators
determine that the company was storing data in files that could be
accessed with default administrative usernames and passwords,
which is directly contrary to all current industry standards and
common security practice. Because not conforming to the standard
Guidelines
Guidelines are similar to standards in that they describe practices and
expectations of activity to best accomplish tasks and attain goals.
However, unlike standards, guidelines are not mandates but rather
recommendations and suggestions. Guidelines may be created internally,
for use by the organization, or come from external sources such as
industry participants, vendors, and interested parties.
There is a general hierarchy of importance typically associated with these
governance elements; while not applicable in all cases, usually:
l Policy is at the pinnacle of the hierarchy; the organization’s policy
is informed by applicable law(s) and specifies which standards
and guidelines the organization will follow. Senior management
dictates policy, so all activity within the organization should
conform with policy.
l Standards are next; the organization’s policies should
specify which standards the organization adheres to, and the
organization can be held accountable for not complying with
applicable standards.
Notes
Module 7: Personnel Security Policies
Personnel Security Policies
and Procedures and Procedures
PPT
Module Objectives
Personnel Security
Policies and Procedures
1. Identify the various means to support personnel security goals,
including common policies and procedures.
Introduce the participants
to the “Personnel Security
Policies and Procedures”
module.
PPT
Module Objectives
Introduce the module
objectives.
Notes about the former employee’s eligibility for rehire. Also, references
are often given by the candidate themselves, so are not wholly
Personnel Security Policies independent sources.
and Procedures
l Employment history: A review of previous employment can
assess the candidate’s progression of responsibility, appropriate
PPT experience, and gaps in employment.
Candidate Screening l Background check: The candidate can be screened against
and Hiring (continued)
trusted databases for suitability, such as verification of
Explain the methods certification/credentials, educational degrees, and criminal
for including security
and risk management
history.
practices in the l Financial profile: Positions of accentuated trust and
employment process. responsibility may also merit the organization’s review of a
candidate’s financial situation. This can reveal concerns about a
candidate’s trustworthiness: if the candidate has too little money,
PPT it might indicate personal problems such as an addictive behavior,
Employment gross poor judgment, or personal instability, all of which make
Agreements and the candidate susceptible to subversion should they get a
Policies position of responsibility; too much money may indicate that the
Explain the methods candidate is already participating in illicit activity, or has been
for including security paid by another entity already, or will not be responsive to the
and risk management
practices in the
organization’s requirements. A financial check usually requires the
employment process. candidate’s explicit written agreement and may be limited by law
in some jurisdictions.
The organization should have defined processes for granting access Employment
Agreements and
to personnel joining the organization, and those departing. Policies (continued)
Onboarding should include a review of the contract terms and job Explain the methods
description, formal initial training to familiarize the new employee for including security
and risk management
with the organization’s security policies and procedures, the signing
practices in the
of a nondisclosure agreement so that the employee declares employment process.
understanding of the organization’s ownership of its proprietary
systems and data, and a secure process for issuing the employee
any access information or tools necessary (such as user id/password, PPT
keys, tokens, etc.).
Onboarding and
Termination (whether the employee is leaving voluntarily or at the Termination Processes
behest of the organization) should be similarly codified. The Explain the methods
organization should lock the employee’s IT accounts so as to prohibit for including security
the employee from making any last-minute modifications to the and risk management
practices in the
system or data. The organization will also need to recover any of its employment process.
property from the employee, including devices, hardware, and
access control items such as identity/access badge, keys, and tokens.
There should be an exit interview to determine why the employee is
PPT
leaving (if the departure is amiable), a review of the terms of any
nondisclosure agreement, and the employee should be escorted Vendor, Consultant,
and Contractor
from the premises. Agreements and
Controls
Notes between parties can stipulate the form of protection necessary for
accomplishing this (often monetary). This protection can take the
Personnel Security Policies form of cash payments for failing to agree to terms, requirements for
and Procedures
the external party to maintain the appropriate insurance policies (in
professional services, this is often addressed by errors and omissions
PPT policies), or an express transfer of liability (where allowed by law).
Vendor, Consultant, l Distinct accounts: External parties might be granted
and Contractor differentiated accounts from other users; these accounts might
Agreements and
provide limited access or convey additional audit trail information.
Controls (continued)
l Escort requirements: External parties might require constant
Explain the methods
for including security monitoring, either via surveillance or continually in the presence
and risk management of an employee of the organization.
l Distinguishing identification: Identity/access badges for non-
practices in managing
external vendors.
employee personnel might be jarringly different than employee
badges, such as having a distinctly different color or shape.
PPT As with internal personnel, external personnel should be required to sign
Compliance Policy nondisclosure agreements to concede and recognize the organization’s
Requirements ownership of its own proprietary assets.
Explain the importance
and function of AUPs.
Compliance Policy Requirements
Organizations should also utilize acceptable use policies (AUPs) for all
personnel. The AUP should detail, from the user’s expected perspective,
the appropriate and approved usage of the organization’s assets, including
the IT environment, devices, and data. Each employee (or anyone having
access to the organization’s assets) should be required to sign an AUP,
preferably in the presence of an employee of the organization, and both
parties should keep a copy of the AUP for their records.
Policy aspects commonly included in AUPs:
l Data access
l System access
l Data disclosure
l Passwords
l Data retention
l Internet usage
Notes
Module 8: Security Awareness,
Security Awareness,
Education, and Training Education, and Training Programs
Programs
PPT
Module Objectives
Security Awareness,
1. Describe the importance of security training, education, and
Education, and Training awareness and how to differentiate between those elements.
Programs
Introduce the participants
to the “Security
Awareness, Education,
and Training Programs”
module.
PPT
Module Objectives
Introduce the module
objectives.
Notes
Module 9: Business Continuity
Business Continuity
Requirements Requirements
PPT
Module Objectives
Business Continuity
Requirements
1. Describe the necessity of business continuity and disaster
recovery (BCDR) functions, and recognize basic foundational
Introduce the participants
to the “Business
concepts.
Continuity Requirements”
module.
PPT
Module Objectives
Introduce the module
objectives.
Notes The recovery time objective (RTO) is the target time set for recovering
from any interruption—the RTO must necessarily be less than the MAD.
Business Continuity Senior management must set the RTO, based on their expert knowledge
Requirements
of the needs of the organization, and all BCDR strategy and plans must
support achieving the RTO.
PPT
NOTE: The term “recovery” in the context of the RTO is not a return to
Develop and Document normal operations, but it is instead a goal for recovering availability of
Scope and Plan
(continued) the critical path. This is a temporary state that the organization will
endure until it is feasible to return to regular status.
Introduce and explain
RTO, RPO, and MAD. The recovery point objective (RPO) is a measure of how much data the
organization can lose before the organization is no longer viable. The
RPO is usually measured not in storage amounts (gigabytes/terabytes/
PPT petabytes) but instead in units of time: minutes, hours, days, depending
Business Impact on the nature of the organization. Senior management will also set the
Analysis (BIA) (2 slides) RPO that will be used along with the RTO to inform BCDR plans.
Provide additional
explanation (expounding
on the concept from Business Impact Analysis (BIA)
earlier in the domain) for The BIA is the effort to determine the value of each asset belonging to
the BIA, and how it is
created.
the organization, as well as the potential risk of losing assets, the threats
likely to affect the organization, and the potential for common threats to
be realized.
This is a management process that may or may not involve the security
office. However, the BIA will also be an instrumental tool for the security
function as it is usually the security office that is required to craft and
execute the BCDR plan and tasks. Along with determining the value of
other assets, the BIA will also reveal the critical path of the organization;
without knowing the critical path, it is impossible to properly plan
BCDR efforts.
There are many ways to conduct a BIA and make asset value determinations.
The following is a partial list of methods that might be used, their benefits,
and potential challenges:
l Survey: Interview asset owners/data controllers to determine
their assessment of the value of the organization’s property they
oversee. This method allows for the people closest to the assets
to offer input but is also subject to inherent bias. See: the “Asset
Valuation” section of Module 3 of this domain.
l Financial audit: Review the acquisition/purchase documentation
to aggregate value data for all assets in the organization. This
offers a thorough review of assets but is prone to variance in actual
value because value changes over time (increasing or decreasing,
depending on the type of asset and its purpose/use).
Notes
Module 10: Professional Ethics
Professional Ethics
PPT
Module Objectives
Introduce the module
objectives.
Notes make comments and responses on the findings and recommendations for
the board to consider. The board will then make a ruling as to whether the
Professional Ethics member acted in a manner consistent with the Code and whether the
accused should have membership revoked.
PPT
(ISC)2 Code of Ethics Organizational Code of Ethics
(2 slides) (continued)
In addition to industry codes for guilds of professionals (such as (ISC)2,
Introduce and explain individual organizations can create their own codes of ethics and require
the (ISC)2 Code of Ethics,
including the preamble. their personnel to comply. This is done at the policy level with senior
management dictating modes of acceptable behavior and is often
combined with the overall organizational personnel policies.
PPT For instance, the organization may require that personnel not engage in
Organizational Code discriminatory and unproductive behavior, such as racial, religious, or
of Ethics sexual harassment. The organization may also disallow activity that
Explain how and why an constitutes unfair trade practices, such as nepotism, bribery, and
organization may want awarding contracts based on favors (cash or otherwise).
to create its own code
of ethics, and review the These practices that distort the market and create hostility in the
example in the guide. workplace are also often proscribed by law, as well, and the organization
is best served by enacting and enforcing codes and policies that ensure
compliance.
Conclusions
This largely depends
Consider a situation where questionable behavior has ethical implications:
on the jurisdiction of
the organization and
You are the organization’s security manager. A network administrator
where the activity took comes to you with a report about an employee; the administrator has
place. In the United noticed the employee using the organization’s resources, during work
States, for example, hours, to browse the internet. The employee’s activity is not illegal, but
organizations are legally it is against the organization’s policy.
allowed to surveil any
and all activity that takes When you ask the administrator how the administrator came to learn
place on their property
or with their assets
this information about the employee’s behavior, the administrator
(including IT); in Europe, will not reply. Your office conducts an initial investigation about the
workplace surveillance is situation, and you determine that the administrator and the employee
severely limited, and the in question have had a personal conflict that was recognized by other
administrator’s report
personnel in the organization.
itself could result in legal
action on the part of the
You are also able to determine that the administrator did have sufficient
employee (or could result
in prosecution). Even in permissions within the IT environment to monitor the employee’s
the United States, where behavior but was not given explicit authorization or tasking to do so.
monitoring is allowed,
that monitoring must Your conclusions:
be shown to be either
random, pervasive, or l Is the administrator’s report acceptable and valid?
(if targeting a specific l What should you recommend be done to the employee?
(continued)
l Would you recommend the administrator be rewarded or punished?
Notes
Module 11: Domain Review
Domain Review
PPT
Domain Summary
Domain Review Many of the concepts introduced in this domain will serve as the foundation
for discussion throughout the rest of this guide; be sure you have an
Engage participants in a
review of key information
understanding of the ideas so you can grasp the rest of the material.
from this domain by
discussing this scenario-
based set of questions
and answers. Question
slides are immediately
followed by the answer
slide.
PPT
Domain Summary
Participate in review of
key elements from the
domain on security and
risk management.
Notes 4. Bob is the security manager for an online retailer. To protect the
customer data they are entrusted with, Bob requires all personnel
Domain Review to attend security training sessions regularly. Bob documents and
tracks which personnel have attended training, and he suspends
PPT account access for those personnel who have missed training. Which
of the following answers does this best typify?
Domain Review
Questions (continued) A. Due care
Participate in review of
key elements from the B. Due diligence
domain on security and
risk management. C. Legal duty
D. Reasonable expectation
Recovery time the target time set for recovering from any
objective (RTO) interruption.
Notes
Notes
1
Notes
Course Agenda
Domain 1: Security and Risk Management
Notes
Asset Security
2
Overview
Asset Security within the context of the second domain of the
CISSP® examination deals with the protection of valuable assets
to an organization as those assets go through their lifecycle.
Therefore, it addresses the creation/collection, identification and
classification, protection, storage, usage, maintenance, disposition,
retention/archiving, and defensible destruction of assets.
To properly protect valuable assets, such as information, an
organization requires the careful and proper implementation of
ownership and classification processes, which can ensure that
assets receive the level of protection based on their value to
the organization.
The enormous increase in the collection of personal information
by organizations has resulted in a corresponding increase in the
importance of privacy considerations, and privacy protection
constitutes an important part of the asset security domain.
Individual privacy protection in the context of asset security
includes the concepts of asset owners and custodians, processors,
4 Protect Privacy
5 Asset Retention
8 Data Remanence
9 Domain Review
l Intellectual property
l Corporate reputation
Notes
Information and Assets
2
l Brand
PPT
Identification/Discovery and Classification Identification/Discovery
and Classification of
of Assets Based on Value Assets Based on Value
The value of assets will vary significantly, but to properly secure Identification and an
these assets, organizations need to identify and locate assets that inventory of assets is the
may have value and then classify the assets based on value while first step in protecting
defining how to properly protect each classification type. Assets, valuable assets.
such as information, have become challenging to protect based on
value. Organizations today are creating/collecting massive amounts
of data, which makes discovery of this data for inventory purposes
very difficult. To properly protect assets, including information,
organizations need to implement a formal asset classification system
supported by proper management support, commitment, and
conviction to ensure accountability. Proper policies need to be
created and communicated to the entire organization to create the
culture and set the tone for the effectiveness of the classification
initiative. Organizations then need to understand fully where assets
are created/used to establish an effective inventory system that will
drive the classification process. At this point, once assets have been
located and identified, they can be classified by owners based on
value and then protected based on classification. Classification of
assets is essential to have proper controls be implemented to allow
organizations to address compliance with relevant laws, regulations,
standards, and policies.
The first step in asset protection is to know what assets the
organization has. In other words, an asset inventory is required
before the organization can actually understand what assets they
have that may have value. Once we have an inventory of assets,
understanding the value of those assets becomes the next step as it
will drive asset classification, which, in turn, will drive the protection
l Software
o Applications
o Source code
o Object code
o Operating systems
l Physical assets
o Hardware
o Media
o Network equipment
o Servers
o Buildings
l Processes and services
o Communications
o Data facilities
o Voice systems
o Computing
Notes etc. Regardless, the owner is always in the best position to truly
understand the value of what they own to the organization. The process
Information and Assets of understanding the value of an asset is very appropriately called asset
valuation. The value of the asset will drive its classification level.
PPT
Process of Protection Protection Based on Classification
of Valuable Assets
Based on Classification The next step in the classification process is to protect the assets based
(continued) on their classification levels. A good way to achieve this would be to
Explain the classification
establish minimum security requirements for each of the classification
process. levels that are being used. We refer to these as baselines. In other
words, we can establish the minimum security baselines for each
classification level that exists. Asset classification drives the security
requirements that need to be implemented to protect the assets based
on their value. Once the baselines have been determined, they can be
applied to assets as they move through their lifecycle phases, including
phases such as retention and destruction.
PPT
Module Objectives
Introduce the module
objectives.
Identify
&
Classify Secure
Monitor
The Data Lifecycle
USE
Archive
Recover
Defensible
Disposition
Destruction
Notes fully from their PCs after they erase files containing sensitive data to
address any possible data remanence issues or concerns.
Asset Lifecycle
l Whether the data needs to be encrypted: Data owners will
have to decide whether their data needs to be encrypted. They
PPT typically set this requirement when they must comply with a law
Data Classification or regulation such as the Payment Card Industry Data Security
Policy (continued) Standard (PCI DSS).
State that classification l The appropriate use of the data: This aspect of the policy
should be driven defines whether data is for use within the company, is restricted
by well-written and
communicated policy.
for use by only selected roles, or can be made public to anyone
outside the organization. In addition, some data have associated
legal usage definitions. The organization’s policy should spell out
any such restrictions or refer to the legal definitions as required.
PPT
Proper data classification also helps the organization comply with
Activity: Applying pertinent laws and regulations. For example, classifying credit
Policy Considerations
in Your Organization
card data as private can help ensure compliance with the PCIDSS.
One of the requirements of this standard is to encrypt credit card
Introduce activity information. Data owners who correctly defined the encryption
related to policy
considerations. Give aspect of their organization’s data classification policy will require
students time to prepare that the data be encrypted according to the specifications
with a partner and defined in this standard.
discuss once completed.
Classification Benefits
Other than the obvious benefit of protecting assets based on value,
there are other potential benefits that can be realized by an
organization in using asset classification systems. Here are some
examples of these benefits:
l Awareness among employees and customers of the organization’s
commitment to protect information.
l Identification of critical information.
l Identification of vulnerability to modification.
Information Owner
When information is collected or created, someone in the
organization needs to be clearly made accountable for it. We refer
to this entity as the “owner.” Often, this is the individual or group
that created, purchased, or acquired the information to allow the
organization to achieve its mission and goals. This individual or
group is considered and referred to as the “information owner.”
Documentation
It is very important for data owners to establish and document certain
expectations that need to be passed on to others, such as custodians,
as they relate to the data that is owned by the owners. For instance,
these may be examples of documentation:
l The ownership, intellectual property rights, and copyright of
their data.
l The obligations relevant to ensure the data is compliant with
compliance requirements.
l The policies for protection of the data, including baselines and
access controls.
l The expectations for protection and responsibilities delegated to
custodians and others accessing the data.
Data Custodianship
Data custodians, as the word implies, have custody of assets that
Notes
Information and Asset
2
don’t belong to them, usually for a certain period of time. Those Ownership
assets belong to owners somewhere else, but the custodians have
INSTRUCTIONS
Fill in each of the spaces with either the word “accountable” or
“responsible” in relation to the protection of data and the various roles:
1. Data Steward
2. Data Owner
3. Data Custodian
4. Data Processor
5. Data Controller
European Union
The data protection and privacy laws in the European Union (EU)
member states are constrained by the EU directives, regulations,
Notes
Protect Privacy
2
and decisions enacted by the EU. The main piece of legislation
Notes One such example is the Data Protection Act (DPA) in the UK.
According to the Information Commissioner’s Office (ICO) of the UK,
Protect Privacy which is an independent organization devoted to uphold information
rights in the public interest, promoting openness by public bodies and
committed to data privacy for individuals, the Data Protection Act sets
out rights for individuals regarding their personal information. Personal
data is defined as information pertaining to an identifiable living
individual. The DPA mandates that whenever personal data is processed,
collected, recorded, stored or disposed of it must be done within the
terms of the Data Protection Act (DPA).
The Information Commissioner’s Office (ICO) helps organizations
understand their compliance requirements and find out about their
obligations and how to comply, including protecting personal
information. As such they advise on how to comply with the DPA by
providing any organization that handles personal information about
individuals, a framework that guides how to meet the obligations under
the DPA.
The framework guides those who have day-to-day responsibility for data
protection. It is split into eight data protection principles, and the guide
explains the purpose and effect of each principle, gives practical
examples, and answers frequently asked questions. The data protection
principles are as follows, taken directly from the ICO website:
1. Personal data shall be processed fairly and lawfully and, in
particular, shall not be processed unless – (a) at least one of the
conditions in Schedule 2 is met, and (b) in the case of sensitive
personal data, at least one of the conditions in Schedule 3 is
also met.
2. Personal data shall be obtained only for one or more specified
and lawful purposes, and shall not be further processed in any
manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in
relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up
to date.
5. Personal data processed for any purpose or purposes shall
not be kept for longer than is necessary for that purpose or
those purposes.
6. Personal data shall be processed in accordance with the rights of
data subjects under this Act.
Notes value and a condition for the free flow of personal data across borders.
A perfect example of this is what the OECD has published as the ‘OECD
Protect Privacy Privacy Guidelines.’ These guidelines can act as a framework that
organizations can use in order to understand and address the
PPT requirements of privacy protection. They can provide comprehensive
guidance on what organizations need to implement as far as security
OECD Privacy Guidelines
controls to address the requirements of the privacy principles.
Describe the OECD
privacy principles and
how they can be used as OECD Privacy Guidelines
a framework for privacy
protection. The OECD has broadly classified these principles into the collection
limitation, data quality, purpose specification, use limitation, security
safeguards, openness, individual participation, and accountability.
The guidelines are as follows:
1. Collection Limitation Principle: There should be limits to
the collection of personal data, and any such data should be
obtained by lawful and fair means and, where appropriate, with
the knowledge or consent of the data subject.
2. Data Quality Principle: Personal data should be relevant to
the purposes for which they are to be used, and, to the extent
necessary for those purposes, should be accurate, complete, and
kept up-to-date.
3. Purpose Specification Principle: The purposes for which
personal data are collected should be specified not later than
at the time of data collection and the subsequent use limited
to the fulfilment of those purposes or such others as are not
incompatible with those purposes and as are specified on each
occasion of change of purpose.
4. Use Limitation Principle: Personal data should not be disclosed,
made available or otherwise used for purposes other than those
specified except with the consent of the data subject; or by the
authority of law.
5. Security Safeguards Principle: Personal data should be
protected by reasonable security safeguards against such risks
as loss or unauthorized access, destruction, use, modification or
disclosure of data.
6. Openness Principle: There should be a general policy of
openness about developments, practices and policies with
respect to personal data. Means should be readily available
of establishing the existence and nature of personal data, and
the main purposes of their use, as well as the identity and usual
residence of the data controller.
Notes
Module 5: Asset Retention
Asset Retention
Retention – Introduction
Data retention, which is sometimes also referred to as records retention,
Notes
Asset Retention
2
is defined as the continued and long-term storage of valuable assets
driven by compliance requirements or corporate requirements.
Notes asset retention policies. This obviously needs to include the legal
function, compliance, privacy, technology, security, and possibly
Asset Retention others. Once the meaningful policies are developed, based on
requirements, the supporting technology infrastructure needs
PPT to be implemented to address the policies. Define clear lines of
accountability and responsibility in guiding all stakeholders in
Building Effective
Archiving and Data maximizing how they work together.
Retention Policies 2. Establish common objectives for supporting archiving and data
(continued)
retention best practices within the organization. Understand the
Explain the importance of best practices that exist out there, especially in the same industry
building good archiving or in companies having similar goals and objectives. Make sure
and retention policies by
involving stakeholders. stakeholders are educated and provided with the right skills to
manage the requirements for access to assets.
3. On a regular basis, monitor, review, and update the asset
PPT retention policies and archiving procedures. Continue to improve
Creating a Sound
the entire process to support your ongoing business objectives
Record Retention for providing appropriate service levels while supporting
Policy (2 slides) retention compliance and policy requirements.
Describe the steps
involved in understanding
retention requirements
and addressing those in Creating a Sound Record Retention Policy
policy. Fundamentally, there are some basic steps that can be useful in guiding
an organization in developing an effective asset retention policy:
1. Evaluate legal and regulatory requirements, litigation obligations,
and business needs.
2. Classify assets and records.
3. Determine retention periods and defensible destruction
procedures and methods.
4. Draft asset retention policy.
5. Provide training, awareness, and education to support policy.
6. Audit retention and destruction policy and procedures.
7. Periodically review policy and procedures.
8. Document policy, implementation, procedures, training,
awareness, and education and audit results.
For every type of asset, the organization should determine the proper
retention period through involvement with appropriate stakeholders by
taking into consideration laws, regulations, and corporate requirements.
As a result, certain assets may have very long retention periods. Other
assets may have short retention requirements, or possibly no retention
requirement at all, such as junk mail. Regardless, the retention periods
INSTRUCTIONS
Working with a partner, review the following sample policy. For your
assigned section, note your ideas about why each aspect of the policy is
in place or the risks to the organization if the policy is not implemented.
Be prepared to share your thoughts with the group.
Key Principles
These are the key principles of this policy:
1. Data must be stored securely and appropriately having regard to
the sensitivity and confidentiality of the data.
2. Appropriate measures are put in place to prevent unauthorized
access and processing of the data, or accidental loss or damage
to the data.
3. Data is retained for only as long as necessary.
Retention
Notes
The DPA requires that personal data processed for any purpose “shall
Asset Retention
not be kept for longer than necessary for that purpose.” In terms of the
data stored, we regard the following aspects to be personal:
1. A mobile phone number
2. First and last name
3. Customer identification number
4. Content of the communications sent and received
The maximum period of retention is regarded as five years. If there is no
communication sent to or received from a user in five years, then all
personal data in regard to that user will be deleted. No data file or
record will be retained for more than five years after it is closed unless a
good reason can be demonstrated.
Important Considerations
Questions to consider
Notes
Asset Retention
2
1. Who needs access to archived data and why? How fast do
HIGH:
l Access
o Strong passwords
o Asset owner approved request, review, termination process
o Non-disclosure agreement
l Encryption
o 128 bit symmetric encryption for creation, storage,
and transmission
l Labelling
o Watermark
l Monitoring
o Real-time
MEDIUM:
l Access
Notes
Data Security Controls
2
o passwords
PPT
Objective of Baseline Objective of Baseline Protection
Protection
The objective of baseline protection is to establish a minimum set of
Describe the objectives safeguards to protect the classified assets of the organization. Using
of baseline protection. this approach, it is possible to apply baseline protection enterprise-
wide and, additionally, use detailed risk analysis reviews to protect
valuable assets that may be at high risk or systems critical to
PPT the business.
Baseline Catalogs
Explain the benefits of
baseline catalogs.
Baseline Catalogs
Many catalogs of baseline protection examples exist that can be used in
helping organizations use guidance in coming up with their baseline
requirements. Baseline catalogs may specify safeguards to be used in
detail, or they may suggest a set of security requirements to be
addressed with whatever safeguards appropriate to the system under
consideration. Both approaches have advantages.
One of the objectives of the baseline approach is consistency of security
safeguards throughout the enterprise, which can be achieved by both
approaches mentioned above. Several documents are already available
that provide sets of baseline safeguards. Also, sometimes a similarity of
environments can be observed among companies within the same
industries. After the examination of the basic needs, it may be possible
for baseline safeguard catalogs to be used by a number of different
International Resources
13. 10 Steps to Cybersecurity: Published by CESG, the guidance
provided by the 10 Steps to Cybersecurity offers practical steps
that organizational leaders can direct to be taken to improve the
protection of networks and the information carried upon them.
10 Steps to Cybersecurity also directs readers to The 20 Critical
Controls developed by CSIS, also referenced in this guide, for
further guidance.
Document URL:
https://www.ncsc.gov.uk/guidance/10-steps-cyber-
security#quicktabs-guidances_tabs2
14. Cybersecurity Strategy of the European Union: Published
by the European Commission, the cybersecurity strategy
An Open, Safe, and Secure Cyberspace represents the EU’s
PPT
1. Languages: The SCAP languages provide standard vocabularies
and conventions for expressing security policy, technical check
SCAP Version 1.2
mechanisms, and assessment results. The SCAP language
Categories
specifications are Extensible Configuration Checklist Description
Describe SCAP Ver 1 Format (XCCDF), Open Vulnerability and Assessment Language
categories.
(OVAL®), and Open Checklist Interactive Language (OCIL™).
2. Reporting Formats: The SCAP reporting formats provide
the necessary constructs to express collected information in
standardized formats. The SCAP reporting format specifications
are Asset Reporting Format (ARF) and Asset Identification.
Although Asset Identification is not explicitly a reporting format,
SCAP uses it as a key component in identifying the assets that
reports relate to.
3. Enumerations: Each SCAP enumeration defines a standard
nomenclature (naming format) and an official dictionary or list of
items expressed using that nomenclature. The SCAP enumeration
specifications are Common Platform Enumeration (CPE™),
Common Configuration Enumeration (CCE™), and Common
Vulnerabilities and Exposures (CVE®).
4. Measurement and Scoring Systems: In SCAP, this refers to
evaluating specific characteristics of a security weakness (for
example, software vulnerabilities and security configuration issues)
and, based on those characteristics, generating a score that
reflects their relative severity. The SCAP measurement and scoring
system specifications are Common Vulnerability Scoring System
(CVSS) and Common Configuration Scoring System (CCSS).
5. Integrity: An SCAP integrity specification helps to preserve
the integrity of SCAP content and results. Trust Model for
Security Automation Data (TMSAD) is the SCAP integrity
specification.
SCAP utilizes software flaw and security configuration standard reference
data. This reference data are provided by the National Vulnerability
Database (NVD), which is managed by NIST and sponsored by the
Department of Homeland Security (DHS). The U.S. federal government,
in cooperation with academia and private industry, is adopting SCAP
and encourages its use in support of security automation activities and
initiatives. SCAP has achieved widespread adoption by major software
manufacturers and has become a significant component of large
information security management and governance programs. The
Infrastructure Cybersecurity
Recognizing that the national and economic security of the United PPT
States depends on the reliable functioning of critical infrastructure,
Framework for
President Obama issued Executive Order 13636, Improving Critical Improving Critical
Infrastructure Cybersecurity, in February 2013. It directed NIST to Infrastructure
work with stakeholders to develop a voluntary framework—based Cybersecurity
on existing standards, guidelines, and practices—for reducing Describe the Framework
cyber risks to critical infrastructure. for Improving Critical
Infrastructure Security.
NIST released the first version of the Framework for Improving
Critical Infrastructure Cybersecurity on February 12, 2014. The
Framework, created through collaboration between industry and
government, consists of standards, guidelines, and practices to
promote the protection of critical infrastructure. The prioritized,
flexible, repeatable, and cost-effective approach of the Framework
helps owners and operators of critical infrastructure to manage
cybersecurity-related risk.
Building from standards, guidelines, and practices, the Framework
provides a common taxonomy and mechanism for organizations to
do the following:
l Describe their current cybersecurity posture.
l Describe their target state for cybersecurity.
l Identify and prioritize opportunities for improvement within
the context of a continuous and repeatable process.
l Assess progress toward the target state.
l Communicate among internal and external stakeholders
about cybersecurity risk.
The Framework is a risk-based approach to managing cybersecurity
risk and is composed of three parts: the Framework Core, the
Framework Implementation Tiers, and the Framework Profiles.
Framework Components
Notes
Each framework component reinforces the connection between
Data Security Controls
business drivers and cybersecurity activities.
PPT
1. The Framework Core is a set of cybersecurity activities, desired
outcomes, and applicable references that are common across
Framework
critical infrastructure sectors. The Core presents industry standards,
Components (2 slides)
guidelines, and practices in a manner that allows for communication
Describe Framework of cybersecurity activities and outcomes across the organization
components.
from the executive level to the implementation/operations level. The
Framework Core consists of five concurrent and continuous functions:
identify, protect, detect, respond, and recover. When considered
together, these functions provide a high-level, strategic view of the
lifecycle of an organization’s management of cybersecurity risk.
The Framework Core then identifies underlying key categories and
subcategories for each function and matches them with example
informative references such as existing standards, guidelines, and
practices for each subcategory.
2. Framework Implementation Tiers (“Tiers”) provide context on
how an organization views cybersecurity risk and the processes
in place to manage that risk. Tiers describe the degree to which
an organization’s cybersecurity risk management practices
exhibit the characteristics defined in the Framework (e.g., risk and
threat aware, repeatable, and adaptive). The Tiers characterize
an organization’s practices over a range, from Partial (Tier 1)
to Adaptive (Tier 4). These Tiers reflect a progression from
informal, reactive responses to approaches that are agile and
risk-informed. During the Tier selection process, an organization
should consider its current risk management practices, threat
environment, legal and regulatory requirements, business/
mission objectives, and organizational constraints.
3. A Framework Profile (“Profile”) represents the outcomes based
on business needs that an organization has selected from the
Framework categories and subcategories. The Profile can be
characterized as the alignment of standards, guidelines, and
practices to the Framework Core in a particular implementation
scenario. Profiles can be used to identify opportunities for improving
cybersecurity posture by comparing a “Current” Profile (the “as
is” state) with a “Target” Profile (the “to be” state). To develop
a Profile, an organization can review all of the categories and
subcategories and, based on business drivers and a risk assessment,
determine which are most important; they can add categories
and subcategories as needed to address the organization’s risks.
The Current Profile can then be used to support prioritization and
measurement of progress toward the Target Profile, while factoring
158 Domain 2: Asset Security
Instructor Edition
1. Data at Rest: data stored on media in any type of form. It Data at Rest
is at rest because it is not being transmitted or processed in Define data at rest.
any way.
2. Data in Motion: data that is currently traveling, typically
across a network. It is in motion because it is moving.
3. Data in Use: data that is being processed by applications
or processes. It is in use because it is data that is currently
in the process of being generated, updated, appended, or
erased. It might also be in the process of being viewed by
users accessing it through various endpoints or applications.
Data at Rest
The protection of stored data is often a key requirement for a
company’s sensitive information. Databases, backup information,
off-site storage, password files, and many other types of sensitive
information need to be protected from disclosure or undetected
alteration and availability. Much of this can be done through the
use of cryptographic algorithms that limit access to the data to
those that hold the proper encryption (and decryption) keys. Some
modern cryptographic tools also permit the condensing, or
compressing, of messages, saving both transmission and storage
space, making them very efficient.
Module 6: Data Security Controls 159
Official (ISC)2 CISSP Training Guide
Link Encryption
Data are encrypted on a network using either link or end-to-end
encryption. In general, link encryption is performed by service providers,
such as a data communications provider on a Frame Relay network. Link
encryption encrypts all of the data along a communications path (e.g., a
satellite link, telephone circuit, or T-1 line).
Because link encryption also encrypts routing data, communications
nodes need to decrypt the data to continue routing. The data packet is
decrypted and re-encrypted at each point in the communications
channel. It is theoretically possible that an attacker compromising a
node in the network may see the message in the clear. Because link
encryption also encrypts the routing information, it provides traffic
confidentiality better than end-to-end encryption. Traffic confidentiality
hides the addressing information from an observer, preventing an
inference attack based on the existence of traffic between two parties.
End-to-End Encryption
End-to-end encryption is generally performed by the end user
within an organization. The data are encrypted at the start of the
Notes
Data Security Controls
2
communications channel or before and remain encrypted until
PPT
PSN Data in Transit –
Description of Risk
Explain data in transit
risks.
PSN PSN
PSN
End to End
Encryption Device
Data in Use
A particularly troublesome problem to protect is data in use. Data being
processed is a perfect example of data in use. Typically, most architectures
The industry has identified a potential solution to protecting data in Describe data in use.
use. This requires the implementation of secure enclaves where the
processing would occur. Data would still be processed in clear text,
but the concept of an enclave is that it would be isolated, or PPT
sectioned off, from the rest of the architecture so that it can Data in Use –
protect anything in the enclave. This really means that we are Recommendations
isolating the enclave and its contents from the rest of the Explain data in use
architecture and its components so that it cannot be affected by protection methods.
any vulnerabilities or malware that might exist in the architecture.
The definition of the word enclave does a really good job of
explaining or at least visualizing how this might work. The definition PPT
of an enclave is a territory that is isolated or distinct from another
Activity: Data at
territory. This implies we protect it from the other components of Rest/Data in Transit
an architecture so that it cannot be viewed or accessed while Comparison
processing data in use. But, as security professionals should always Introduce activity and ask
understand, nothing is perfectly secure, and there may be other students to fill in table.
vulnerabilities that would render this concept insecure as well,
especially related to implementation issues.
INSTRUCTIONS
Working with a partner, complete Table 2.1.
Definition
Risk Profile
Recommendations
(list at least two)
Wireless Connections
When connecting to wireless networks to access a system handling
sensitive data, only connect to wireless networks employing
cryptographically strong wireless encryption standards such as WPA2.
Encryption mechanisms described in the section above must also be
applied in addition to strong wireless network encryption to ensure end-
to-end protection.
Notes Introduction
Information and Asset Media
Handling Requirements
Media storing sensitive information requires physical and logical
controls. Media lacks the means for digital accountability when the data
PPT is not encrypted. For this reason, extensive security must be taken when
Media
handling sensitive media. Logical and physical controls, such as marking,
handling, storing, and declassification, provide methods for the secure
Explain how different
handling of sensitive media containing sensitive information.
media requires different
protection, but always
based on value.
Marking
Organizations should have policies in place regarding the marking and
PPT labeling of media based on its classification. For example:
Marking l Storage media should have a physical label identifying the
Explain the challenges in sensitivity of the information contained.
marking different media l The label should clearly indicate if the media is encrypted.
types.
l The label may also contain information regarding a point of
contact and a retention period.
PPT l When media is found or discovered without a label, it should be
Handling immediately labeled at the highest level of sensitivity until the
appropriate analysis reveals otherwise.
Describe how handling
procedures need to be in
The need for media marking typically is strongest in organizations where
place for classified media
and their content. sensitive intellectual property and confidential data must be stored and
shared among multiple people. If the security architect can design
centrally managed and controlled enterprise content management
(ECM) systems paired with Data Loss (Leakage) Protection technology
(DLP), then the entire threat vector that media marking is designed to
address may be able to be handled in a totally different way as well.
Handling
Only designated personnel should have access to sensitive media.
Policies and procedures describing the proper handling of sensitive
media should be promulgated. Individuals responsible for managing
sensitive media should be trained on the policies and procedures
regarding the proper handling and marking of sensitive media. Never
assume that all members of the organization are fully aware of or
understand security policies. It is also important that logs and other
records be used to track the activities of individuals handling backup
media. Manual processes, such as access logs, are necessary to
compensate for the lack of automated controls regarding access to
sensitive media.
Storing
Sensitive media should not be left lying about where a passerby
could access it. Whenever possible, backup media should be
Notes
Information and Asset
2
Handling Requirements
encrypted and stored in a security container, such as a safe or
PPT
Destruction
Destruction
Media that is no longer needed or is defective should be destroyed
Explain how destruction
rather than simply disposed of. A record of the destruction should procedures need to be in
be used that corresponds to any logs used for handling media. place for classified media
Implement object reuse controls for any media in question when and its content.
the sensitivity is unknown rather than simply recycling it.
PPT
Record Retention
Record Retention
Information and data should be kept only as long as it is required.
Organizations may have to keep certain records for a period as Explain how retention
procedures and
specified by industry standards or in accordance with laws and requirements need to
regulations. Hard- and soft-copy records should not be kept be in place for classified
beyond their required or useful life. Security practitioners should media and its content.
ensure that accurate records are maintained by the organization
regarding the location and types of records stored. A periodic
review of retained records is necessary to reduce the volume of
information stored and ensure that only relevant information
is preserved.
Record retention policies are used to indicate how long an organization
must maintain information and assets. Ensure the following:
l The organization understands the retention requirements for
different types of data throughout the organization.
l The organization documents in a record’s schedule the
retention requirements for each type of information.
l The systems, processes, and individuals of the organization
retain information in accordance with the schedule but
not longer.
Clearing
Clearing is defined as the removal of sensitive data from storage
devices, using methods that provide some assurance that the data may
not be reconstructed using most known data recovery techniques. The
original data may still be recoverable but typically not without special
recovery techniques and skills.
Purging
Purging, sometimes referred to as sanitizing, is the removal of sensitive
data from media with the intent that the sensitive data cannot be
reconstructed by any known technique.
Destruction
This is exactly as it sounds. The media is made unusable by using
some sort of destruction method. This could include shredding, or
Notes
Data Remanence
2
melting the media into liquid by using very high temperatures. We
the map so that the system finds the new, updated data rather than
the old data. Because of this, an SSD can contain multiple iterations
of the same data, even if those iterations are not accessible by
Notes
Data Remanence
2
conventional means. This is what causes data remanence on SSDs.
Notes operates the system and the enterprise is effectively renting storage
space, there is little to no visibility into the management and security of
Data Remanence the data in many cases.
While the challenge is a big one for the enterprise, the use of Platform as a
PPT
Service-based (PaaS) architectures can actually provide a solution for the
Cloud-Based Data issues raised by data remanence in the cloud. The security practitioner and
Remanence (continued) the cloud vendor have to be willing to work together to architect a PaaS
Define data remanence solution that addresses the daunting issues of media and application-level
in the cloud and encryption via a platform offering. There are many parts that have to
the challenges and
methods associated
be properly set up and synchronized for this solution to work, such as
with defensible data messaging, data transactions, data storage and caching, and framework
destruction. APIs. In addition, the platform has to be set up in such a way, with
appropriate safeguards available, to ensure that no unencrypted data
is ever written to physical media at any time during the data lifecycle,
including data in transit.
Standards
There are several standards pertaining to data lifecycle management in
general and data remanence in particular from different industries
and governments:
l The NIST Guidelines for Media Sanitization, Draft Special
Publication 800-88 Revision 1 is the most recent version of
the guidance provided by NIST in this area. It was updated in
September of 2012, replacing the original guidance published in
September of 2006.
l The United States Air Force Systems Security Instruction 8580,
dated 17 November, 2008, on Remanence Security. This replaced
Air Force System Security Instruction 5020, dated 20 August,
1996, on Remanence Security.
l The United States Department of Defense, Defense Security
Service National Industrial Security Program (DSS NISPOM).
l The Communications Security Establishment Canada, Clearing
and Declassifying Electronic Data Storage Devices – ITSG-06,
published July 2006.
l The United States National Security Agency (NSA) Central
Security Service (CSS) Media Destruction Guidance.
l The New Zealand Information Security Manual, 2010.
l The Australian Government Department of Defense Intelligence
and Security, Information Security Manual 2014.
Notes
Notes
2
Notes
Course Agenda
Domain 1: Security and Risk Management
Notes
Security Architecture and
3
Engineering
Overview
The goal of the Security Architecture and Engineering domain is to
provide you with concepts, principles, structures, and standards
used to design, implement, monitor, and secure operating systems,
equipment, networks, applications, and those controls used to
enforce various levels of confidentiality, integrity, and availability.
Domain Objectives
After completing this domain, the participant will be able to:
1. Implement engineering processes using secure design
principles.
2. Manage engineering processes using secure design
principles.
3. Identify the purpose of security models.
4. Identify common security models.
6 Cryptography
7 Physical Security
8 Domain Review
PPT
Module Objectives
Introduce the module
objectives.
Technical Processes
The following processes are defined in the NIST SP800-160 dated
Notes
Processes Using Secure
3
November 2016. The processes and process definitions are Design Principles
consistent with the INCOSE Systems Engineering Handbook and
Enabling Processes
The following processes are defined in the NIST SP800-160 dated
November 2016. The processes and process definitions are
consistent with the INCOSE Systems Engineering Handbook and
easily related to ISO-based standards with some minor differences.
l Lifecycle model management process: Identifies and
assesses the security needs and considerations for lifecycle
policies, procedures, processes, and models that are capable
of being applied using effective proven methods and tools to
achieve assurance and trustworthiness objectives.
l Infrastructure management process: Provides the basis
to ensure that the infrastructure and services supporting
the organizational and project objectives are adequate to
address protection needs, considerations, and concerns.
rity Av
teg ai
In
lab
ility
Notes
Module 2: Fundamental Concepts
Fundamental Concepts of
Security Models of Security Models
PPT
Module Objectives
Fundamental Concepts
of Security Models
1. Identify the purpose of security models.
Introduce the participants 2. Identify common security models.
to the “Fundamental
Concepts of Security
Models” module.
PPT
Module Objectives
Introduce the module
objectives.
Security Models
Security models define rules of behavior for an information
Notes
Fundamental Concepts of
3
system to enforce policies related to system security but typically Security Models
involving confidentiality and/or integrity policies of the system.
Biba
The Biba model is designed to address data integrity and does
not address data confidentiality. Like Bell–LaPadula, Biba is also a
lattice-based model with multiple levels. It defines similar but
slightly different modes of access (e.g., observe, modify) and also
Clark–Wilson
Biba only addresses one of three key integrity goals. The Clark–Wilson
model improves on Biba by focusing on integrity at the transaction level
and addressing three major goals of integrity in a commercial environment.
To address the second goal of integrity, Clark and Wilson realized that they
needed a way to prevent authorized subjects from making undesirable
202 Domain 3: Security Architecture and Engineering
Instructor Edition
Graham–Denning
Graham–Denning is primarily concerned with how subjects and
objects are created, how subjects are assigned rights or privileges,
and how ownership of objects is managed. In other words, it is
primarily concerned with how a model system controls subjects
and objects at a very basic level where other models simply
assumed such control.
The Graham–Denning access control model has three parts: a set
of objects, a set of subjects, and a set of rights. The subjects are
composed of two things: a process and a domain. The domain is
the set of constraints controlling how subjects may access
objects. Subjects may also be objects at specific times. The set of
rights govern how subjects may manipulate the passive objects.
This model describes eight primitive protection rights called
commands that subjects can execute to have an effect on other
subjects or objects.
The eight basic rules under Graham–Denning govern the following:
1. Secure object creation
2. Secure object deletion
3. Secure subject creation
4. Secure subject deletion
5. Secure provisioning of read access right
Modern Implementation
Most modern operating systems implement elements of the security
models. They are not perfect implementations of the academic models
and focus on practical implementations that provide functionality
consistent with one or more of the security models.
The access control models discussed in Domain 5 (discretionary access
control (DAC), mandatory access control (MAC), etc.) have operating
system vendor specific implementations of elements contained within
the security model. Precise implementation of the security models has
practical limitations and is rarely employed except in very specialized
systems with intentionally limited functionality.
Control Selection
Controls are selected to support the confidentiality, integrity, and
availability needs of the system. Control frameworks are often utilized to
206 Domain 3: Security Architecture and Engineering
Instructor Edition
Tailoring Controls
Notes
Control frameworks and standards are intended to be tailored to
Select Controls Based
upon System Security
specific use-cases. By nature, the control frameworks are general cases
Requirements that are intended to be widely applied. For that reason, they may lack
specifics on implementation details or require the control user to input
specific values for their organization or environment (e.g., control says
PPT you have to have a screen lock but allows the adopter to select a lock
Tailoring Controls timeout that makes sense for their use).
Discuss tailoring controls
to meet situational needs.
It is critical to adjust control specifications or parameters to meet the
needs of a specific system or environment to provide the optimal
security value. The tailoring process is well documented in most control
frameworks and fully supported by the frameworks themselves. Some
PPT
organizations choose to treat controls and control frameworks as
Evaluatuion Criteria checklists and forego intelligent tailoring, thus, reducing the overall
Discuss evaluation criteria security value of the controls.
for controls.
Evaluation Criteria
Each control should include specific evaluation methods and expected
results. To be effective as a security control, the control must be valuable
and have one or more measures of effectiveness associated with it.
The NIST framework defines three primary methods of control evaluation:
l Test: Conduct a direct test of the control (usually used for
technical type controls)
l Interview: Interview or question staff (usually used for
management or operational controls)
l Examine: Examine documentation or artifacts for evidence that a
control is properly employed (used for all control types)
In many cases, a control may (and should) be evaluated using multiple
evaluation methods to ensure control effectiveness. For instance, to
evaluate a particular control, the assessor may perform a technical test
to validate a function, examine documentation to ensure the function
was correctly configured, and interview a system administrator
regarding operation of the function. Taken together, the results may
show that the control is effectively applied or that there is some
deficiency that limits the control effectiveness.
PPT
Module Objectives
Introduce the module
objectives.
Trusted Platform
Hardware
Module (TPM)
System Kernel
The system kernel is the core of an OS, and one of its main functions
is to provide access to system resources, which includes the system’s
hardware and processes. The kernel:
l Loads and runs binary programs
l Schedules the task swapping that allows computer systems
to do more than one thing at a time
l Allocates memory
l Tracks the physical location of files on the computer’s hard disks
Memory Manager
Allocates and manages physical and/or virtual memory within a
system.
PPT
Input/Output (I/O) Manager
Manages and controls input and output from the operating system.
Generic Operating
System (OS)/Computer
Model (continued)
Application Programming Interface (API)
Provide a general
description of computer Provides a generalized or common set of commands for applications or
security releveant processes executing on a system to perform standard operations and
functions within the communications. It removes the need for applications to directly
generic OS model. interface with some OS components and hardware.
Access Control
PPT
Modern systems include some form of access control. Even kiosk or
Processor States
general user type systems internally implement a system of permissions
Describe this security and rules for accessing processes, memory, applications, and operating
capability (technical system functions even if those controls are transparent to the end user.
explanation-how it
works, value).
Access controls are typically enforced by a kernel level module known as
the security monitor or reference monitor. Specific access control types
will be discussed in Domain 5, but they are often based on one or more
security models discussed in Module 3.
Access control mechanisms are typically supported by the file system
that often stores security attributes with files and enables fine-grained
access control in storage objects.
Processor States
Processors and their supporting chipsets provide one of the first layers
of defense in any computing system. In addition to providing specialized
processors for security functions (such as cryptographic coprocessors),
processors also have states that can be used to distinguish between
more or less privileged instructions.
Process Isolation
Process isolation can also be used to prevent individual processes
from interacting with each other. This can be done by providing
distinct address spaces for each process, and preventing other
Notes processes from accessing that area of memory, and assigning access
permissions to files or other resources to each process.
Security Capabilities of
Information Systems Naming distinctions are also used to distinguish between different
processes. Virtual mapping is also used to assign randomly chosen
areas of actual memory to a process to prevent other processes from
PPT
finding those locations easily. Encapsulation of processes as objects
Process Isolation can also be used to isolate them, since an object includes the
(continued)
functions for operating on it, the details of how it is implemented can
Describe this security be hidden. The system can also ensure that shared resources are
capability (technical
explanation-how it
managed to ensure that processes are not allowed to access shared
works, value). resources in the same time slots.
Process Isolation
PPT
Data Hiding
Describe this security Process 1 Process 2
capability (technical
explanation-how it
works, value).
PPT
Operating System (OS) Managers
Abstraction Layers
Describe this security
Figure 3.3: Process Isolation
capability (technical
explanation-how it
works, value).
Data Hiding
Data hiding maintains activities at different security levels to separate
these levels from each other. This assists in preventing data at one
security level from being seen by processes operating at other security
levels. This is similar to the Bell–LaPadula security model.
Data hiding may also be associated with coding practices (typically in
object-oriented programming) where actual data is “hidden” from direct
access or manipulation and can only be read or modified by using a
standard interface mechanism.
Abstraction Layers
Abstraction involves the removal of characteristics from an entity to
easily represent its essential properties. Abstraction negates the
need for users to know the particulars of how an object functions.
They only need to be familiar with the correct syntax for using an
PPT
Operating System (OS) Security Kernel
Kernel
Describe this security
capability (technical
explanation-how it
Hardware Abstraction Layer works, value).
(HAL)
Hardware
Security Kernel
The security kernel or “reference monitor” within an operating
system or hardware device, acts as a security oversight mechanism
that enforces a predefined set of rules when a subject accesses an
object. The rules may include validating permissions from a table
(e.g., DAC) but are mandatorily applied and designed to prevent
being bypassed.
However, when user subjects are executing with administrative
rights on a system (e.g., Windows Administrator, Linux/Unix root),
the subject often has full control of most system objects. The
security kernel will still operate, but it will lose effectiveness when
the subject has full security rights to all objects. To maximize the
effectiveness of the security kernel, user subjects must be
executed with the least privilege necessary to perform their
intended function.
Notes Encryption
Encryption can be applied to data at rest (e.g., files on hard drive) or data in
Security Capabilities of
Information Systems transit (e.g., communication channel). Encryption may be used to protect
confidentiality, integrity, or both concurrently.
PPT The most direct value of encryption is the protection of data while the
Encryption
operating system protections are not active or available. For example,
encrypted data may be stored on a hard drive. If the computer system
Describe this security
is turned off and the hard drive removed, the data cannot be read or
capability (technical
explanation-how it modified since it is encrypted. Also, once data has been transmitted
works, value). from the system, if encrypted, it is protected from access or
modification if intercepted in transit.
Encryption mechanisms will be addressed in greater detail in following
PPT
modules. The specific protections (confidentiality, integrity) and level of
Code Signing and protection provided by encryption varies depending on the specific
Validation
cryptographic mechanism utilized.
Describe this security
capability (technical
explanation-how it
works, value). Code Signing and Validation
Code signing and validation is a cryptographic function. Executable code
is digitally signed using mechanisms presented in this module. This allows
PPT an operating system, firmware, or even hardware components to validate
Audit and Monitoring the digital signature on the executable code prior to it being loaded for
Describe this security execution. This ensures that only known, approved code is able to execute
capability (technical on a system or device.
explanation-how it
works, value). In some operating systems, the system checks the OS components before
they are loaded. This helps to prevent unauthorized code replacing
legitimate system components and being executed at a higher privilege
level than would normally be granted to user code.
Code signing may also be used during system or component updates
or when loading new software to ensure that the copy being loaded
is an approved copy from a recognized source. The protects the
system from loading malicious or unapproved code presented as
legitimate code.
PPT
Virtualization/Sandbox Virtualization/Sandbox
Virtualization offers numerous advantages from a security Describe this security
perspective. Virtual machines are typically isolated in a sandbox capability (technical
environment and if infected can be removed quickly or shut explanation-how it
works, value).
down and replaced by another virtual machine. The sandbox
environment is intentionally designed to keep executing code
within the controlled sandbox space and limit communications
into or out of the sandbox.
Virtual machines:
l Have limited access to hardware resources and, therefore,
help protect the host system and other virtual machines
l Do require strong configuration management control and
versioning to ensure known good copies are available for
restoration if needed
l Are also subject to all the typical requirements of hardware-
based systems, including anti-malware software, encryption,
host intrusion detection system (HIDS), firewalls, and
patching
Some operating systems automatically, or can be configured to,
sandbox certain types of code. Mobile code (e.g., Java, ActiveX,
etc.) may be allowed only to execute in a controlled sandbox where
the system configuration controls how much or little access to the
rest of the system is possible for code executing within the
sandbox.
Modern malware may be sandbox or virtualization aware and
contain routines that intentionally detect and attempt to break out
of a sandboxed environment.
Notes
Module 5: Vulnerabilities of Security
Vulnerabilities of Security
Architectures, Designs, and Architectures, Designs, and Solution
Solution Elements
Elements
PPT
Vulnerabilities of Module Objectives
Security Architectures, 1. Identify vulnerabilities and mitigations in client-based systems.
Designs, and Solution
Elements 2. Identify vulnerabilities and mitigations in server-based systems.
Introduce the 3. Identify vulnerabilities and mitigations in database systems.
participants to the
“Vulnerabilities of 4. Identify vulnerabilities and mitigations in Industrial Control
Security Architectures, Systems (ICS).
Designs, and Solution
Elements” module.
5. Identify vulnerabilities and mitigations in cloud-based systems.
6. Identify vulnerabilities and mitigations in distributed systems.
7. Identify vulnerabilities and mitigations in Internet of Things (IoT).
PPT
8. Assess and mitigate vulnerabilities in web-based systems.
Module Objectives
(2 slides) 9. Assess and mitigate vulnerabilities in mobile systems.
Introduce the module 10. Assess and mitigate vulnerabilities in embedded systems.
objectives.
In particular consider how common vulnerabilities might exist in the Provide context for the
module and following
following: slides.
l System hardware
l System code
PPT
l System misuse opportunities
Top Threat Actions/
l System communications Mitigations
Generic overview of
threat action types and
Top Threats and Mitigations mitigations, provide
examples where relevant.
The following threat action categories are common to most system
types but may exist in various forms.
Top Threat Actions
l Hacking: Human action attempting various permutations of
actions to defeat or bypass system protections or system
security.
l Social engineering: Attempting to gain information or
access by impacting human behavior or process. Generally
implemented through human interaction but may be
message or communication based.
l Malware distribution: Manual or automated distribution of
malware. May be targeted, untargeted, or the result of self-
replicating malware moving autonomously.
l Phishing: Attempting to gain information or access by
sending messages (e.g., email) that seem to be legitimate
but are not. May be combined with types of social
engineering or malware distribution.
The following top mitigations are general approaches applied on the
enterprise level. They should be considered the basics of mitigations
and must always be combined with other, more specific, mitigations
at the system level.
Module 5: Vulnerabilities of Security Architectures, Designs, and Solution Elements 221
Official (ISC)2 CISSP Training Guide
Vulnerabilities of Security l Know what you have: Maintain a good inventory of all IT
Architectures, Designs, and operating in the environment and understand the operational
Solution Elements status. While this sounds simple, it is one of the most difficult
things to accomplish for most large organizations.
PPT l Patch and manage what you have: Keep hardware, firmware,
Top Threat Actions/ and software up to date and manage system configurations to
Mitigations (continued) ensure they are kept in a secure and well-maintained state. This is
Generic overview of a basic security function but is also commonly neglected and not
threat action types and well implemented in many organizations.
mitigations, provide
l Assess/monitor/log: Assess system security status, monitor the
examples where relevant.
status continuously, and log system, user, and process actions
to the greatest extent possible. At the enterprise level, this
includes collecting and aggregating individual system logs with
PPT
automated and manual reviews.
Common System
Vulnerabilities (5 slides)
l Educate users: At the enterprise level, this is critical to address
human-based attacks (social engineering, phishing, etc.) that
Describe each
vulnearbility, what can
technology alone cannot defend against.
cause it, with real world
examples where practical.
Common System Vulnerabilities
The following are common system vulnerability types that exist to some
degree in most systems. For each of the specific system types in this
module, the common system vulnerabilities should be considered
applicable to some degree. The impact of the common vulnerabilities
may be different based on system type.
Hardware vulnerabilities are most typically associated with loss of
availability when components fail. However, supply chain concerns over
inappropriate modification or counterfeit hardware components are
valid concerns. Improperly configured or illicitly modified hardware can
impact system confidentiality and integrity.
Hardware:
l Hardware components may fail at any time
o Mean time between failures (MTBF) used to calculate
expected life
o Failure rates higher during initial system operation
l Supply chain issues may introduce technical flaws/vulnerabilities
or malicious modification
l Old hardware may be difficult to repair/replace
PPT
Client- based Systyems Client-based Systems
Define system type and Client-based systems are systems in which the end user directly
charateristics. interfaces with the computing hardware in the form of desktops,
laptops, thin client terminals, and so on. They are typically present
in large quantities in most organizations. Most organizations are
PPT continually adding new and decommissioning old client systems.
They are typically general-purpose computers that are used for a
Client-based System
Vulnerabilities variety of purposes across an organization.
Describe unique
vulnerabilities and ask Vulnerabilities
class to consider how
common vulnerabilities End users in most cases physically control these devices. This allows for
might also apply. end user modification or removal from enterprise control of the system.
They may be more susceptible to loss or theft for this reason. Since the
devices are typically under user control, monitoring and updating the
PPT systems may be difficult as the location and power status (e.g., on/off)
Client-based System may be indeterminate.
Mitigations
l Physically under user control
Describe unique
mitigation and value of l Susceptible to user misuse (intentional or accidental)
general mitigations to l May be lost/stolen
system type.
l Monitoring may be difficult
l 100 percent update may be difficult
Mitigations
The following mitigations are the basic mitigations to apply to a general-
purpose computer. While these mitigations seem basic in nature, they
Vulnerabilities PPT
Server based vulnerabilities include the following: Server-based System
Mitigations
l May be exposed to external communication/services
Describe unique
l Updates may be delayed due to operational need mitigation and value of
general mitigations to
l May exist for long periods (risk of being outdated)
system type.
l High-traffic volume makes monitoring more difficult
Mitigations
In addition to selective application of the mitigations identified for
client-based systems, servers can be additionally protected by
targeting network protections to reduce accessibility to only the
design functions.
Vulnerabilities
Vulnerabilities specific to the database system itself include the following:
PPT
Database System l Inference: Attacker guesses information from observing available
Vulnerabilities information. Essentially, users may be able to determine unauthorized
Describe unique information from what information they can access and may never
vulnerabilities and ask need to directly access unauthorized data.
class to consider how
common vulnerabilities
l Aggregation: Aggregation is combining nonsensitive or lower
might also apply. sensitivity data from separate sources to create higher sensitivity
information. For example, a user takes two or more publicly
available pieces of data and combines them to form a classified
piece of data that then becomes unauthorized for that user. Thus,
the combined data sensitivity can be greater than the sensitivity
of individual parts.
l Data mining: Data mining is a process of discovering information
in data warehouses by running queries on the data. A large
repository of data is required to perform data mining. Data
mining is used to reveal hidden relationships, patterns, and
trends in the data warehouse. Data mining is based on a series
of analytical techniques taken from the fields of mathematics,
statistics, cybernetics, and genetics. The techniques are used
independently and in cooperation with one another to uncover
information from data warehouses.
l High value target: Databases are considered a high-value target
and may be sought out by attackers and have attackers willing
Mitigations
l Isolated network infrastructure: The most effective
mitigation is to ensure limited functionality components are
Notes
Vulnerabilities of Security
3
Architectures, Designs, and
not connected or exposed to general purpose networks and
Vulnerabilities
Notes
l Inherently exposed to external communication/access: By
Vulnerabilities of Security
Architectures, Designs, and
their nature, cloud systems tend to be more exposed to external
Solution Elements communications.
l Misconfiguration a major risk: Cloud providers typically
PPT
have well managed infrastructure, but unfamiliarity with the
interface and management functions often results in users
Cloud-based System
misconfiguring the cloud service or hosted components in a
Vulnerabilities
way that exposes data.
Describe unique
vulnerabilities and ask l May exist for long periods (risk of being outdated): Services
class to consider how ported to cloud environment may exist for long periods of
common vulnerabilities time. While the underlying components provisioned by the
might also apply. cloud service provider (CSP) may be periodically updated, it is
often the user’s responsibility to update some components, but
assumptions may exist that it is not necessary or that the CSP is
PPT providing that function when they are not.
Cloud-based Mitigations l Gap between CSP and data owner security controls: There
Describe unique is a high risk for misunderstanding on the cloud customer’s part
mitigation and value of where the responsibilities of the CSP end for security and the
general mitigations to
system type.
customer responsibilities begin.
Mitigations
PPT l Reputable cloud service provider that supplies security
Distributed Systems information/testing results
Define system type and l Well trained system administrators
charateristics. l Robust configuration control/change control
l File and communication encryption
l Well managed identity and access controls
Distributed Systems
In a distributed computing environment, nodes and processors
operate independently, and storage and processing may be spread
across multiple components. Nodes “pass messages” to coordinate
and communicate. Example: Traditional telephone switches operate
independently for local calls but coordinate to pass calls between
them.
In computing terms, distributed systems may be used by large organizations
to spread processing and storage across multiple low-cost systems, or it can
include user provided resources operating collectively (e.g., peer to peer
networks).
Vulnerabilities
l Lack of central control/monitoring may introduce failures or
allow entry of unauthorized nodes
Notes
Vulnerabilities of Security
3
Architectures, Designs, and
l Data elements may be lost if nodes fail
Mitigations
Notes
In effect, most IoT devices are small embedded system controllers and
Vulnerabilities of Security
Architectures, Designs, and
should be treated like an embedded system or industrial control systems
Solution Elements (ICSs) as appropriate.
l Isolated on private networks with controlled access
PPT l Products selected for security features and updatability:
Internet of Things (loT) inherently insecure products are not procured
Mitigations
l Product security/penetration testing
Describe unique
mitigation and value of l Disable unneeded functions
general mitigations to
system type.
Web-based Systems
Web-based systems or applications are mainly characterized by user
PPT interaction occurring through a web browser using http or https
Web-based Systems protocols. Applications or data are accessible and manipulated through
Define system type and a web browser or web service, and they often connect to a data source
charateristics. (database) that may be on or off platform. They use standard protocols,
and interfaces and connections are typically dynamic with potentially
thousands forming and closing within seconds of operation.
PPT
Web-based System Vulnerabilities
Vulnerabilities
Web servers or applications inherit the vulnerabilities of whatever platform or
Describe unique
vulnerabilities and ask
OS they execute upon. Common web vulnerabilities include the following:
class to consider how
l Accessibility to network communications/access: They tend to
common vulnerabilities
might also apply. be highly exposed and accessible to outside attackers.
l Use of obsolete protocols/encryption: Unless specifically
configured to prevent it, some web servers will allow obsolete
PPT or lower security protocols or encryption to support backwards
Web-based System compatibility with older browser types.
Mitigations l Code/configuration errors that expose components or data:
Describe unique The main vulnerability in most web servers is in server configuration
mitigation and value of errors or code flaws.
general mitigations to
system type.
Mitigations
Besides mitigations applied to the platform, common mitigation
strategies include the following:
l Protect system behind firewalls and access controls
l Limit and monitor communication protocols
l Scan, evaluate, and assess interfaces and code (HTML, Java,
scripts, etc.)
234 Domain 3: Security Architecture and Engineering
Instructor Edition
Vulnerabilities
For most mobile device types:
l Loss or theft
l Weak access controls configured
l Unencrypted data
l Communication interception or eavesdropping
l Limited onboard security services and monitoring
Mitigations
Notes
Mitigations for embedded type mobile devices without a full featured OS:
Vulnerabilities of Security
Architectures, Designs, and l Mobile device management (MDM) installed and managed
Solution Elements
centrally
l Device tracking, wiping, software control, policy enforcement
PPT
l Activate screen lock and high complexity passcodes or
Mobile System biometrics
Mitigations (2 slides)
l Ensure device is encrypted
Describe unique
mitigation and value of l Tunnel communications through virtual private network (VPN)
general mitigations to architecture
system type.
l Limit software/apps installed to trusted packages
l Prevent jailbreak or rooting devices as this bypasses most built-in
PPT security functions and leaves the device susceptible to both local
Embedded Systems access and network based attacks
Define system type and l Do not connect to public networks (e.g., coffee shop, hotel)
charateristics.
For laptops or hybrid systems with a full featured OS:
l Apply all traditional computer system protections (e.g., AV, FW,
Host IPS, etc.)
l Ensure encryption is activated
l Ensure strong passwords, biometrics, or two factor authentication
on all user accounts
l Activate anti-theft function or tracking functions if available
(available on many business class systems and some personal
class systems)
l Tunnel mobile communications through VPN
l Do not connect to public networks (e.g., coffee shop, hotel)
Embedded Systems
An embedded system is best characterized as a computing platform with a
dedicated function that usually has a limited function or specialized OS that
does not have the capabilities typical of a full featured OS (e.g., Windows,
MacOS, Standard Linux distro). Embedded systems typically have limited
processing power and a long service life in many applications. They may
include System on a Chip (SoC) architectures with very limited ability to
update. Embedded systems are common in IoT, ICS, and mobile devices
and tend to be highly diverse in nature with significant vendor specific
customizations. They perform specialized computing operations instead of
general purpose computing.
Vulnerabilities
Embedded systems have vulnerabilities associated with their particular
function or use case. In general they include the following:
Notes
Vulnerabilities of Security
3
Architectures, Designs, and
l Limited ability to update, vendor support often time limited Embedded System
Vulnerabilities
Describe unique
Mitigations vulnerabilities and ask
For all classes or types of embedded systems, the following class to consider how
common vulnerabilities
mitigations will typically improve security, but may impact
might also apply.
functionality and should be applied intelligently after appropriate
tailoring.
l Limit access to devices PPT
l Limit communications to devices Embedded System
Mitigations
l Disable unnecessary/unneeded components/features/
Describe unique
communications
mitigation and value of
l Isolate on dedicated networks if connected general mitigations to
system type.
l Monitor external communications with exterior sensors
(e.g., network taps, sensors)
l Apply vendor updates when available PPT
Activity: Designing
Security into an
Activity: Designing Security into an Architecture Architecture (4 slides)
The National Federal Amalgamated Corporation (NFAC) is Conduct activity.
developing a new customer facing application for amalgamated
data. The initial design includes the following elements:
l Database servers within the NFAC data center that store
customer private and sensitive data elements
l Application servers within the NFAC data center that access
the database servers and are accessed by NFAC employee
workstations
l Employee workstations (some desktop, some laptop) are
used by NFAC employees to access the application servers to
access, upload, modify, and delete sensitive customer data
l Web servers located with a cloud provider that access
NFAC databases and applications to deliver data to external
customers through a web browser
Application Servers
PPT
Activity: Designing
Security into an
Architecture (4 slides)
(continued)
Conduct activity.
Web Servers
Mobile Applications
Notes
Module 6: Cryptography
Cryptography
PPT
Module Objectives
Cryptography 1. Understand key terms associated with cryptography.
Introduce the participants 2. Understand how security services such as confidentiality,
to the “Cryptography” integrity, authenticity, non-repudiation, and access control are
module. addressed through cryptography.
3. Understand basic cryptography concepts of symmetric and
asymmetric.
PPT
4. Describe hashing algorithms and digital signatures.
Module Objectives
5. Understand the importance of key management.
Introduce the module
objectives. 6. Understand cryptanalysis methods.
Cryptography Services
The word cryptography has been derived from two Greek words.
Notes
Cryptography
3
The word cryptos translates into the word secret, and the word
graphy translates into the word writing. Cryptography, therefore,
Data Protection
Data at Rest
Notes
Cryptography
3
The protection of stored data is often a key requirement for an
End-to-end Encryption
End-to-end encryption is generally performed by the end user within
an organization. The data is encrypted at the start of the
communications channel or before and remains encrypted until it is
decrypted at the remote end. Although data remain encrypted
when passed through a network, routing information remains visible.
Link Encryption
Data that is moving across a network can be protected using
cryptography. There are two methods for protecting data in transit
across a network, link or end-to-end encryption.
In general, link encryption is performed by service providers, such as a
data communications provider on networks. Link encryption encrypts
all of the data along a communications path (e.g., a satellite link,
telephone circuit, or T-1 line). Because link encryption also encrypts
routing data, communications nodes need to decrypt the data to
Notes continue routing. The data packet is decrypted and re-encrypted at each
point in the communications channel. It is theoretically possible that an
Cryptography attacker compromising a node in the network may see the message in the
clear. Because link encryption also encrypts the routing information, it
PPT provides traffic confidentiality (not data confidentiality) better than end-to-
end encryption. In other words, it can be used to hide the routing
Link Encryption
(continued) information. Traffic confidentiality hides the addressing information from an
observer, preventing an inference attack based on the existence of traffic
Explain link encryption to
address data in transit.
between two parties.
Quantum Cryptography
A fundamental difference between traditional cryptography and quantum
cryptography is that in traditional cryptography, we primarily use difficult
mathematical techniques as the fundamental mechanism to provide
security for cryptography algorithms. Quantum cryptography, on the
other hand, uses physics to secure data. The basic difference is that in
traditional cryptography, strength is provided due to strong math, and in
quantum cryptography, the security is based on known physical laws
rather than on mathematical difficulties.
Quantum cryptography, also known as quantum key distribution, is built on
quantum physics. Many people understand the basic premise of quantum
physics as the uncertainty principle of Werner Heisenberg. His basic claim is
that a person cannot know both a particle’s position and momentum with
unlimited accuracy at the same time. Specifically, quantum cryptography is
a set of protocols, systems, and procedures by which it is possible to create
and distribute secret keys. Quantum cryptography can be used to generate
and distribute secret keys that can then be used together with traditional
crypto algorithms and protocols to encrypt and transfer data. It is important
to note that quantum cryptography is not used to encrypt data, transfer
encrypted data, or store encrypted data. The need for asymmetric key
systems arose from the issue of key distribution.
The biggest issue in symmetric key cryptography is that users need a
secure channel to set up a secure channel. Quantum cryptography
solves the key distribution problem by allowing the exchange of a
cryptographic key between two remote parties with complete security,
as dictated via the laws of physics. Once the key exchange takes place,
conventional cryptographic algorithms are used. For that reason, many
prefer the term quantum key distribution to quantum cryptography as it
is typically only used to distribute the symmetric keys required for
secure exchange of information.
246 Domain 3: Security Architecture and Engineering
Instructor Edition
Notes sender cannot deny having sent a particular message, and “non-
repudiation of delivery’” where the receiver cannot say that they
Cryptography have received a different message than the one that they actually
did receive.
PPT l Cryptanalysis: The study of techniques for attempting to defeat
Key Encryption cryptographic techniques and, more generally, information
Concepts and security services.
Definitions (3 slides)
l Cryptology: The science that deals with hidden, disguised, or
(continued)
encrypted communications. It embraces communications security
Explain key cryptography
concepts and definitions.
and communications intelligence.
l Collision: This occurs when a hash function generates the same
output for different inputs. In other words, two different messages
produce the same message digest.
l Key space: This represents the total number of possible values of
keys in a cryptographic algorithm or other security measure, such
as a password. For example, a 20-bit key would have a key space
of 1,048,576. A 2-bit key would have a key space of 4.
l Initialization vector (IV): A non-secret binary vector used as
the initializing input algorithm for the encryption of a plaintext
block sequence to increase security by introducing additional
cryptographic variance and to synchronize cryptographic
equipment. Typically referred to as a “random starting point,”
or random number that starts the process.
l Encoding: The action of changing a message into another
format through the use of a code. This is often done by taking
a plaintext message and converting it into a format that can be
transmitted via radio or some other medium, and it is usually
used for message integrity instead of secrecy. An example would
be to convert a message to Morse code.
l Decoding: The reverse process from encoding, converting the
encoded message back into its plaintext format.
l Substitution: The process of exchanging one letter or byte for
another. An example is the Caesar cipher, where each letter was
shifted by 3 characters. An “A” was represented by a “D,” a “B”
was represented by an “E,” a “C” was represented by an “F,”
and so on.
l Transposition or permutation: The process of reordering the
plaintext to hide the message, but keeping the same letters.
l Confusion: Provided by mixing or changing the key values used
during the repeated rounds of encryption. When the key is
modified for each round, it provides added complexity that the
attacker would encounter.
Methods of Cryptography
There are two primary methods of encrypting data: stream ciphering
and block ciphering.
Stream-based Ciphers
All cryptography fundamentally works with bits, zeros, and ones. Any
encryption algorithm will take the data that needs to be encrypted and turn
that data into bits and then apply the encryption methods. Once we have
the bits, we can work with them in two ways: one bit at a time, or a bunch
of bits at a time. When a cryptosystem performs its encryption on a bit-by-
bit basis, it is called a stream-based cipher, or a stream cipher. This is the
method most commonly associated with streaming applications, such as
voice or video transmission. Wherever we are working with one bit at a
time, it would make sense to use stream ciphers. The most well-known
stream cipher algorithm is Rivest Cipher 4 (RC4).
The cryptographic operation for a stream-based cipher is to mix the
plaintext with a keystream that is generated by the cryptosystem. The
Block Size
As we have seen above, symmetric key algorithms are either block or
stream ciphers. Block ciphers operate on a fixed length string of bits.
Usually, this fixed length is 64bits, or multiples of 64bits. The length of this
bit string is referred to as the block size. In all symmetric algorithms, the
plaintext and ciphertext are the same length. The block size of a block
cipher, like key length, may have a direct bearing on the security of the key.
252 Domain 3: Security Architecture and Engineering
Instructor Edition
Transposition Ciphers
Transposition (also called permutation) ciphers involve changing the
actual positions of plaintext letters. Instead of substituting for other
Notes analysis because, for example, the letter “e” would be represented by
some different character in each of the alphabets used. These types of
Cryptography ciphers, known as polyalphabetic, are very effective because they
disguise simple linguistic patterns.
PPT
Monoalphabetic and Running Key Cipher
Polyalphabetic Ciphers
(continued) The use of modular mathematics and the representation of each alphabet
letter by its numerical place in the alphabet are the basis of many modern
Define mono and poly
alphabetic ciphers and ciphers.
relevance.
Running Key Cipher
PPT A B C D E F G H I J K L M N O P Q ... Z
Running Key Cipher 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ... 25
Explain running key
cipher. Figure 3.5: Running Key Cipher
One-Time Pads
As we have seen above, in a running key cipher, the key is repeated, or
is as long as, for the same length as the plaintext input.
The only cipher system asserted as unbreakable, as long as it is
implemented properly, is referred to as a one-time pad. These are
often referred to as Vernam ciphers after the work of Gilbert Vernam,
who proposed the use of a key that could only be used once and that
must be as long as the plaintext and that never repeats.
The one-time pad uses the principles of the running key cipher,
using the numerical values of the letters and adding those to the
value of the key. However, the key is a string of random values and
Notes
Cryptography
3
exactly the same length as the plaintext and is never repeated.
Steganography
Steganography is defined as the science of hiding information.
Whereas the goal of cryptography is to make data unreadable by
turning it into a secret, the goal of steganography is to hide the data
from a third party. As cryptography is literally defined as turning
something into a secret, steganography, which hides something
within something else, is therefore a form of cryptography. The word
steganography is derived from the Greek words “steganos,” which
means covered or concealed, and “graphy,” which means writing.
The relationship between cryptography and steganography is as
follows: Cryptography can be defined as the practice of protecting
the contents of a message, steganography is concerned with
concealing the fact that a secret message is being sent as well as
concealing the contents of the message.
There are different ways that we can hide something within
something else, in other words, perform steganography. These
may include hiding messages by using physical concealment
techniques. This would be referred to as physical steganography.
Modern steganography can use technology to hide messages.
These may include but are not limited to the following:
l Covert channels
l Hidden text within web pages
l Hiding messages within picture files or sound files
l Null ciphers (hiding a message within another plain text
message)
Notes There are a number of uses for steganography. One of the most widely
used applications of steganography may be digital watermarking. A
Cryptography watermark, historically, is the replication of an image, logo, or text on
paper stock so that the source of the document can be at least partially
PPT authenticated. A digital watermark can accomplish the same function; a
graphic artist, for example, might post sample images on their website
Steganography
(continued)
complete with an embedded signature so that they can later prove their
ownership in case others attempt to portray the work as their own.
Define Steganography.
Null Cipher
PPT The term null cipher is defined as hiding a message within another
Null Cipher (2 slides) message that is in plaintext. In other words, you are hiding ciphertext
Explain null cipher as
within a plaintext message. A simple example:
part of steganography.
l Interesting Home Addition to Expand Behind Eastern Dairy
Transport Intersection Meanwhile Everything.
l If the first letter of each word is used, the message decodes into
the secret message I Hate Bed Time.
A very famous example of a null cipher is William Carrol’s poem titled
“Are You Deaf Father William?” We see that the first letter of each of
the lines of the poem spells out William Carrol’s lover at the time,
Adelaide Paine.
“Are you deaf, Father William!” the young man said,
“Did you hear what I told you just now?
“Excuse me for shouting! Don’t waggle your head
“Like a blundering, sleepy old cow!
“A little maid dwelling in Wallington Town,
“Is my friend, so I beg to remark:
“Do you think she’d be pleased if a book were sent down
“Entitled ‘The Hunt of the Snark?’” -
“Pack it up in brown paper!” the old man cried,
“And seal it with olive-and-dove.
“I command you to do it!” he added with pride,
“Nor forget, my good fellow, to send her beside
“Easter Greetings, and give her my love.”
PPT
Stream Modes Stream Modes (6 slides)
The following modes of block ciphers operate as a stream. Even
Explain stream modes
though we are describing block ciphers, these modes attempt to and relevance to
simulate stream cipher operations. A block-based cipher is subject cryptography.
to the problems of latency, or delay, in processing. This may make
them unsuitable for many applications where simultaneous
transmission of the data may be a requirement. These modes try to
simulate a stream to be more versatile and provide support for
stream-based applications.
l Cipher Feedback (CFB) Mode: In the CFB mode, the input is
separated into individual segments, the size of which can be
1 bit, 8 bit, 64 bit, or 128 bit (the four sub-modes of CFB)—
usually of 8 bits because that is the size of one character. When
the encryption process starts, the IV is chosen and loaded into
a shift register. It is then run through the encryption algorithm.
The first 8 bits that come from the algorithm are then XORed
with the first 8 bits of the plaintext (the first segment). Each
8-bit segment is then transmitted to the receiver and also fed
back into the shift register. The shift register contents are then
encrypted again to generate the keystream to be XORed with
the next plaintext segment. This process is repeated until the
end of the input.
l Output Feedback (OFB) Mode: The OFB mode is very
similar in operation to the CFB except that instead of using
the ciphertext result of the XOR operation to feed back
into the shift register for the ongoing keystream, it feeds
the encrypted keystream itself back into the shift register
to create the next portion of the keystream. Because the
keystream and message data are completely independent, it
is now possible to generate the entire keystream in advance
and store it for later use.
Module 6: Cryptography 261
Official (ISC)2 CISSP Training Guide
PPT
The Data Encryption
The Data Encryption Standard (DES)
Standard (DES) The 1960s was really the decade that modern computer cryptography
Define DES and some of began. It was during the 1960s that companies began needing secure
its characteristics. ways to transmit information. At the time, there was no standard;
financial institutions began to need a standard encryption method
they could have confidence in and use for secure data exchange. This
need really drove the National Institute of Standards and Technology
(NIST) in 1972 to assist in the development of a secure cryptographic
algorithm for sensitive, but not government classified, information. In
1974, it settled on DES, a method submitted by IBM. Despite some
controversy, DES was finally adopted as the federal standard for
unclassified documents in 1977 and is the most widely used
cryptographic method in history.
The DES was based on the work of Horst Feistel at IBM. Horst Feistel had
developed a family of algorithms that had a core principle of taking the
input block of plaintext and dividing it in half. Then, each half was used
several times through an XOR operation to alter the other half, providing
a type of algorithm that relied on substitution and permutation.
DES operates on 64-bit input blocks and outputs the corresponding
ciphertext into 64-bit blocks as well. There are 16 identical stages of
processing, termed rounds, or steps. Before the main rounds, the block
is divided into two 32-bit halves (because it is a Feistel cipher) and
processed alternately using an effective 56-bit key. When looking at an
actual DES key, it is 64 bits in length; however, every eighth bit of the
key is used for parity and, therefore, is ignored. Therefore, it is often
said that the effective length of the DES key is 56 bits.
Because every bit has a possible value of either 1 or 0, it can be stated
that the effective key space for the DES key is 2 raised to the power of
56. If you work this out, it gives a total number of keys for DES to be
almost 72,000,000,000,000,000. 15 zeros is referred to as a quadrillion.
Double-DES (2DES)
As we’ve seen, the main problem with DES is that the key is too
short to provide adequate protection against brute force attacks.
Increasing the key length is an effective defense against a brute
force attack. Ways to improve the DES algorithm’s resistance to a
brute force attack have been developed by the industry. These
efforts are referred to as Double DES and Triple DES.
Double-DES refers to the use of two DES encryptions with two
separate keys, effectively doubling the size of the DES key from
56 bits to 112 bits. This dramatic increase in key size much more than
doubles the strength of the cipher. Each increase of a single bit
effectively doubles the number of keys in the keyspace. This means
Notes that a 57-bit key space is twice as large as a 56-bit key space. A 58-bit key
is four times as big, etc. This would seem like a vast improvement in
Cryptography strength against brute force; however, there is an attack on Double-DES
that reduces its effective number of keys to about the same number in
PPT DES. This attack is known as the meet-in-the-middle attack, and it
reduces the strength of Double-DES to almost the same as DES.
Double-DES (2DES)
(continued)
Meet-in-the-Middle Attack on 2DES
Explain 2DES.
Two Concatenated
DES Keys
PPT
Meet-in-the-Middle
Key Material Key Material
Attack on 2DES
Describe meet-in-the- Encrypt with Ciphertext Encrypt with To
Plaintext Ciphertext 2
middle attack. First Key “m” Second Key Receiver
Operation within
PPT 2DES Cryptosystem
Decrypt Ciphertext
Triple DES (3DES) Encrypt Plaintext Store Results of
Until Match is
Using all Possible Encryption
Explain 3DES. Keys and Sort
Found with Stored
Results
either three or two different and separate keys that are used.
Managing three keys is more difficult, thus, many implementations
will use the two-key method that reduces the key management
Notes
Cryptography
3
requirement. The various ways of using Triple DES include the
Rijndael
Notes
As previously discussed, the industry realized that the DES algorithm
Cryptography
was becoming obsolete because of its short key length. To this end, the
National NIST held a competition to develop the AES as a replacement
PPT for DES. The winner of this competition was named as Rijndael, a block
Rijndael cipher designed by Joan Daemen and Vincent Rijmen from Belgium.
Describe Rijndael and its The design of the Rijndael algorithm was strongly influenced by the design
relevance as the AES. of the block cipher Square that was also created by Daemen and Rijmen.
The Rijndael algorithm can be implemented very efficiently on a wide
variety of processors and in hardware or software. It is considered very
PPT secure and to this point has no known weaknesses. Rijndael’s key length is
Other Symmetric variable, meaning that it can be set to any value of 128, 192, or 256 bits. It
Algorithms (2 slides) must be set specifically to one of these three lengths and not anything
Explain other symmetric arbitrary. It also has a variable block size of 128, 192, or 256 bits.
algorithms.
All nine combinations of key length and block size are possible, although
the official AES block size has been set to be 128. The number of rounds,
or iterations of the main algorithm, can vary from 10 to 14 and depends
PPT
on the block size and key length. The low number of rounds has been one
International Data of the main criticisms of Rijndael, but experts agree that if this ever
Encryption Algorithm
(IDEA)
becomes a problem, the number of rounds can be increased easily at
little extra cost and effort by increasing the block size and key length.
Describe IDEA.
Although Rijndael supports multiple block sizes, AES only supports one
block size (subset of Rijndael). AES is reviewed below in the 128-bit
block format. The AES operation works on the entire 128-bit block of
input data by first copying it into a square table (or array) that it calls
state. The inputs are placed into the array by column so that the first
four bytes of the input would fill the first column of the array.
The Rijndael operation consists of four major operations:
1. Substitute bytes: Use of an S-box to do a byte-by-byte substitution
of the entire block.
2. Shift rows: Transposition or permutation through offsetting each
row in the table.
3. Mix columns: A substitution of each value in a column based on
a function of the values of the data in the column.
4. Add round key: XOR each byte with the key for that round; the
key is modified for each round of operation.
something that could be used to replace DES, and indeed, the first
attempt to use a key size of longer than 56 bits. IDEA uses a 128-
bit key and operates on 64-bit blocks. IDEA performs eight rounds
Notes
Cryptography
3
of substitutions and transposition using modular addition and
PPT
CAST
CAST
CAST was developed in 1996 by Carlisle Adams and Stafford Tavares.
Describe CAST.
CAST-128 can use keys between 40 and 128 bits in length and will do
between 12 and 16 rounds of operations related to substitutions and
transpositions, depending on key length. CAST-128 is a Feistel-type
block cipher with 64-bit blocks. CAST-256 was submitted as an PPT
unsuccessful candidate for the AES competition. CAST-256 operates Secure and Fast
on 128-bit blocks and with keys of 128, 192, 160, 224, and 256 bits. It Encryption Routine
(SAFER)
performs 48 rounds and is described in RFC 2612.
Describe SAFER.
Blowfish PPT
Blowfish is another example of a symmetric algorithm developed Twofish
by Bruce Schneier. It is considered to be an extremely fast cipher, Describe Twofish.
and one of its extremely useful advantages is that it requires very
little system memory. It is also a Feistel-type cipher in that it
divides the input blocks into two halves and then uses them in
XORs against each other. However, it varies from the traditional
Feistel ciphers in that Blowfish does work against both halves, not
just one. The Blowfish algorithm operates with variable key sizes,
from 32 up to 448 bits on 64-bit input and output blocks.
Twofish
Twofish was one of the finalists for the AES competition mentioned
earlier. It is an adapted version of Blowfish developed by a team of
Notes cryptographers led by Bruce Schneier. It can operate with keys of 128,
192, or 256 bits on blocks of 128 bits. Just like DES, it performs 16
Cryptography rounds during the encryption and decryption process.
ensure that the keystream should not repeat for at least that
length. If RC4 is used with a key length of at least 128 bits, there
are currently no practical ways to attack it. Confusion exists in the
Notes
Cryptography
3
industry as to the weakness in WEP in regards to WEP using RC4
Notes The process to generate the public key (forward) is fairly simple, and
providing the public key to anyone who wants it does not compromise
Cryptography the private key because the process to go from the public key to the
private key is computationally infeasible.
PPT
As mentioned, all asymmetric key cryptography algorithms are based on
Asymmetric Algorithms these one-way functions, sometimes also referred to as “hard” math
(continued) problems. There are two hard math problems that are typically used to
Explain Asymmetric Key provide the security between the public key and the associated private key.
cryptography. These two hard math problems are referred to as the “factoring” problem
and the “discrete logarithm” problem. The RSA algorithm is the only one
that uses the factoring problem. All of the others, including Diffie-Hellman,
PPT ElGamal, elliptic curve cryptography (ECC), etc., use the discrete logarithm
Using Public Key problem. The discrete logarithm problem is similar to the factoring problem
Cryptography to Send in that it provides the mathematical concepts for the strength of the
a Confidential Message algorithm. Instead of factoring, the problem here is related to finding
Describe how to logarithms of large numbers that have been exponentiated.
address confidentiality
in Asymmetric Key
cryptography. Using Public Key Cryptography to Send a Confidential
Message
Because the keys are mutually exclusive but related to each other
mathematically using a one-way function, any message that is encrypted
with a public key can only be decrypted with the corresponding other
half of the key pair, the private key. Therefore, as long as the key holder
keeps the private key secure, there exists a method of transmitting a
message with confidentiality. The sender encrypts the message with the
public key of the receiver. This ensures that only the receiver with the
private key would be able to open or read the message, providing
confidentiality.
Open Message
Public key cryptography can be used to achieve other results.
Assume, for example, that message confidentiality is not our goal.
Notes
Cryptography
3
Disclosure of the message is not important, but rather it may be
PPT
Confidential Messages
with Proof of Origin
Key Material Key Material Describe how to
Encryption with Private Decrypt with Public address confidentiality
Key of Sender Key of Sender and authenticity in
Asymmetric Key
Figure 3.8: Using Public Key Cryptography to Send a Message with cryptography.
Proof of Origin
Notes sender’s public key. This series of steps achieves two services, it proves
the message came from the actual sender, and also it provides
Cryptography confidentiality of the message. Therefore, by encrypting a message
with the private key of the sender and the public key of the receiver,
PPT the ability exists to send a message that is confidential and also has
proof of origin.
Confidential Messages
with Proof of Origin
(continued) Confidential Messages with Proof of Origin
Describe how to Sender Transmitted Ciphertext Receiver
address confidentiality Plaintext
Encrypt
Intermediate
Encrypt Ciphertext Decrypt
Intermediate
Decrypt
Plaintext
Message Ciphertext Ciphertext Message
and authenticity in
Asymmetric Key
cryptography.
PPT
Confidentiality Operation
Rivest-Shamir-Adleman
Proof of Origin Operation
(RSA) Algorithm
Describe RSA. Figure 3.9: Confidential Messages with Proof of Origin
PPT
Rivest-Shamir-Adleman (RSA) Algorithm
Diffie-Hellman
RSA is an asymmetric key cryptosystem that offers both encryption and
Algorithm digital signatures that provides non-repudiation, integrity, and authentication
of source. Ron Rivest, Adi Shamir, and Leonard Adleman developed RSA in
Describe other
Asymmetric algorithms. 1977, and as you might have surmised, RSA stands for the first letter of its
inventors’ surnames.
The RSA public (asymmetric) key algorithm is one of the most popular
and secure (given long key lengths) encryption methods available in the
asymmetric cryptography area. The algorithm capitalizes on the fact that
there is no efficient way to factor very large prime numbers. Therefore,
the security of RSA is based on the assumption that factoring is difficult.
Factoring is defined as taking a number and finding the numbers that
can be multiplied together to calculate that number. As the speed of
processors have become faster, RSA allows for the increase of key sizes
that counter the possibility of factoring and therefore deducing the
private key.
Diffie–Hellman Algorithm
Diffie–Hellman is a key negotiation algorithm and does not provide for
message confidentiality. It is used to enable two entities to exchange or
negotiate a secret symmetric key that will be used subsequently for
message encryption using symmetric key cryptography. The Diffie–Hellman
4. Describe RSA.
Notes
Example of Hybrid Cryptography
Sender Receiver
Cryptography
Plaintext Encryption Decryption
Encrypted Plaintext
Large Using Using
PPT Message Message
Message Symmetric Symmetric
Hybrid Cryptography Key Key
and Cryptographic
Systems (continued)
Explain hybrid
cryptography as
combination of symmetric
and asymmetric.
Symmetric Key SK Symmetric Key SK
PPT
Message Integrity Encryption Encrypted
Decryption
Controls (MICs) of Symmetric
Symmetric
(3 slides) Symmetric SK
Key
Key
Introduce message
integrity controls.
Non-keyed message digests are made without a secret key and are
called Message Integrity Codes (MICs). Most asymmetric key
digital signature schemes use non-keyed message digests. Keyed
Notes
Cryptography
3
message digests, known as Message Authentication Codes
Message Digests
PPT
A message digest is a small representation of a larger message
produced by a hashing algorithm. A message digest is used to Message Digests
ensure the integrity of information and does not address Describe message
confidentiality of the message. digests.
Notes along with the source message. The HMAC operation provides
cryptographic strength similar to a hashing algorithm, except that it
Cryptography now has the additional protection of a secret key and still operates
nearly as rapidly as a standard hash operation.
PPT
Hash Message Hashing
Authentication Code
(HMAC) (continued) Hashing is defined as using a hashing algorithm to produce a message
digest that can be used to address integrity. The hash function accepts an
Describe HMAC.
input message of any length and generates, through a one-way operation,
a fixed-length output called a message digest. The difference between
what we discussed above is that a hashing algorithm generates the
PPT
message digest but does not use a secret key. There are several ways to
Hashing use message digests in communications, depending on the need for the
Explain hashing and confidentiality of the message, the authentication of the source, the speed
hashing algorithms. of processing, and the choice of encryption algorithms. The requirements
for a hash function are that they must provide some assurance that the
message has not changed without detection and that it would be
PPT impractical to find any two messages with the same message digest value.
Five Key Properties of Examples of very popular hashing algorithms are SHA-1 and MD5.
a Hash Function
Describe key properties Five Key Properties of a Hash Function
of hashing functions.
1. Uniformly distributed: The hash output value should not be
predictable.
PPT 2. Collision resistant: Difficult to find a second input value that
Message Digest 5
would hash to the same value as another input, and difficult to
(MD5) Message Digest find any two inputs that hash to the same value.
Algorithm 3. Difficult to invert: Should be one way, should not be able to
Explain MD5. derive the original message by reversing the hash.
4. Computed on the entire message: The hash algorithm should
use the entire message to produce the digest.
5. Deterministic: Given an input x, it must always generate the
same hash value, y.
SHA-3
SHA-3 is the latest member of the Secure Hash Algorithm (SHA)
family of standards, released by NIST in 2015. The source code has
been made public and even though it is the next iteration of the
SHA family, it is quite different from the MD5-like structure of its
predecessors SHA-1 and SHA-2. Experts have said that the
purpose of SHA-3 is that it can be directly substituted for SHA-2 in
current implementation if it becomes necessary to do so. It was
also developed to try and significantly improve the robustness of
NIST’s current overall hash algorithm toolkit.
Notes message digest may be 128, 160, 192, 224, or 256 bits, and the number of
rounds may vary from three to five. That gives 15 possible combinations
Cryptography of operations. HAVAL’s claim to fame is it can operate 60 percent faster
than MD5 when only three rounds are used and is just as fast as MD5
PPT when it does five rounds of operation.
Other Hash Algorithms
(continued) RIPEMD-160 (RACE Integrity Primitives Evaluation
Describe other hashing Message Digest)
algorithms.
The original algorithm (RIPEMD-128) has the same vulnerabilities as MD4
and MD5 and led to the improved RIPEMD-160 version. The output for
PPT
RIPEMD-160 is 160 bits, and it operates similarly to MD5 on 512-bit
blocks. It does twice the processing of SHA-1, performing five paired
The Birthday Paradox/
rounds of 16 steps each for 160 operations. As with any other hashing
Birthday Attack
algorithm, the benefit of increasing the size of the message digest
Conduct birthday output is to provide better protection against collisions, where two
paradox with the class.
different messages produce the same message digest value.
Over the past number of years, extensive research has been done on
attacks on various hashing algorithms, such as MD-5 and SHA-1. Both
algorithms are susceptible to cryptographic attacks. A brute force attack
relies on finding a weakness in the hashing algorithm that would allow
an attacker to reconstruct the original message from the hash value
(defeat the one-way property of a hash function), find another message
with the same hash value, or find any pair of messages with the same
hash value (called collision resistance).
But if you work it out mathematically, once there are more than
23 people together in a room, there is a greater than 50 percent
probability that two of them share the same birthday. The reason
Notes
Cryptography
3
that this is mathematically correct is that if you consider that in a
Notes that they’ve received a different message than the one that was actually
received. Non-repudiation is achieved through digital signatures and
Cryptography PKI. The process is this: the message is signed using the sender’s
private key. When the recipient receives the message, they may use the
PPT sender’s public key to validate the signature. While this proves the
integrity of the message, it does not explicitly define the ownership of
Digital Signatures –
Non-repudiation
the original private key used to sign the message. For non-repudiation
(continued) to be valid, a CA must have an association between the private key and
Describe digital signatures
the sender that proves the authenticity of the private key belonging to
and how they address the entity having signed the message.
non-repudiation.
Digital Signatures
PPT The purpose of a digital signature is to provide the same level of
accountability for electronic transactions where a handwritten signature is
Digital Signatures
not possible or feasible. A digital signature can provide several assurances.
Describe digital signatures It will provide assurance that the message does indeed come from the
and how they address
person who claims to have sent it, it has not been altered, both parties have
non-repudiation.
a copy of the exact same document, the person sending the document
cannot claim they did not send it, and the person receiving it cannot claim
they have received a different message.
A digital signature is a block of data produced by hashing the message
with a hashing algorithm that produces a message digest that is
generated based on the contents of the message. That message digest
is then encrypted with the sender’s private key. The act of encrypting
the message digest with the sender’s private key produces the digital
signature. That digital signature is then appended to the message and
sent to the receiver. The receiver must then verify the digital signature
by decrypting it with the sender’s public key and comparing the result
with the message digest of the received message.
So, the use of digital signatures to address non-repudiation involves two
processes, one performed by the signer and the other by the receiver of
the digital signature:
l Digital signature creation uses a hash result, called a message
digest, derived from and unique to both the signed message and
a given private key of the sender.
l Digital signature verification is the process of checking the digital
signature by reference to the original message and a given
public key of the sender, thereby determining whether the digital
signature was created for that same message using the private
key that corresponds to the referenced public key of the sender.
To sign a document or any other item of information, the signer first
hashes the message to produce a message digest. The signer’s software
Notes In many parts of the world, the government and courts of law recognize
digital signatures as a verifiable form of authentication and non-
Cryptography repudiation.
PPT
Uses of Digital Applying Cryptography and
Signatures (continued) Key Management
Explain uses of digital
signatures. Cryptographic Lifecycle
All cryptographic functions, systems and implementations have a useful life.
In cryptography, the word “broken” typically means different things,
PPT depending on the application. A cryptographic function or implementation
Cryptographic Lifecycle is considered broken or no longer effective when one of the following
conditions is met:
Describe the
cryptographic lifecycle. For a hashing function:
l Collisions or hashes can be reliably reproduced in an economically
PPT feasible fashion without the original source.
Algorithm/Protocol l When an implementation of a hashing function allows a side channel
Governance attack. A side channel attack in cryptography is defined as targeting
Describe algorithm the weakness of the “implementation” of the algorithm and not the
governance. algorithm itself.
For an encryption system:
l A cipher is decoded without access to the key in an economically
feasible fashion.
l When an implementation of an encryption system allows for the
unauthorized disclosure of information in an economically feasible
fashion.
l When a private key has been compromised in asymmetric key
cryptography.
Algorithm/Protocol Governance
Security and other professionals must ensure governance processes are
in place to support an organization’s use and reliance of cryptography.
This means the requirement of policies and implementation of those
policies through standards, procedures, and baselines. The policies,
standards, and procedures relating to cryptography should minimally
address the following:
l Approved cryptographic algorithms and key sizes
l Transition plans for weakened or compromised algorithms
and keys
X.509 Certificate
Since there are many CA that can issue certificates, a CA needs to
adhere to the X.509 certificate standards. This is part of the overall
X.500 family of standards applying to directories. X.509 is the widely
accepted international X.509 PKI standard used to verify that a public
key belongs to the certificate owner. X.509 version 3 of the standard is
the most commonly used today.
X.509 Certificate
Field Description of
Notes
Cryptography
3
Period of validity
PPT
Start date/end date Certificate Revocation
Describe certificate
Subject’s name Owner of the public key revocation and when it is
required.
Subject’s public key Public key and algorithm used to
information (algorithm, create it
parameters, key)
Extensions
Certificate Revocation
Once issued, a certificate may prove to be unreliable, such as in a
situation where the subscriber misrepresents their identity to the
certification authority. In other situations, a certificate may be
reliable enough when it was issued but come to be unreliable later.
If the subscriber loses control of the private key—may have been
compromised—the certificate has become unreliable, and the
certification authority would revoke (permanently invalidate) the
certificate. Immediately upon suspending or revoking a certificate,
the certification authority must publish notice of the revocation or
suspension of the unreliable and revoked certificate.
Key Recovery
Key recovery can be explained as a backup mechanism that ensures an
organization can have continued access to its own encrypted information
in the event keys are lost or somehow damaged. There are several
methods of key recovery that have been proposed by experts, such as
common trusted directories or a policy that requires all cryptographic
keys to be registered with the security department. Others use password
wallets or other tools to hold all of their passwords. Regardless of method,
key recovery options must be secure.
One method may be multiparty key recovery. This suggests that a key
would be split into multiple parts and then each part would be secured
and given to trusted entities. In cases where the actual original keys
would be lost, the parts stored with the parties could be retrieved,
allowing the organization to recover the original keys.
Key Escrow
Key escrow is the process of ensuring a third party maintains a
copy of a private key or key needed to decrypt information. The
word “escrow” means “storing with a trusted third party.” Key
escrow also should be considered mandatory for most
organization’s use of cryptography because encrypted information
belongs to the organization and not the individual; however, often
an individual’s key is used to encrypt the information.
There must be explicit trust between the key escrow provider and
the parties involved as the escrow provider now holds a copy of the
private key, and the possibility exists that it could be used to reveal
information. Conditions of key release must be explicitly defined and
agreed upon by all parties through contracts and agreements.
Creation of Keys
The creation of keys, and how secure that process is, becomes an
important key management issue. There are a number of issues
that pertain to scalability and cryptographic key integrity:
l Automated key generation: Mechanisms used to
automatically generate strong cryptographic keys can be
used to deploy keys as part of key lifecycle management.
Effective automated key generation systems are designed
for user transparency as well as complete cryptographic key
policy enforcement.
l Truly random: For a key to be truly effective, it must have
an appropriately high work factor. That is, the amount of
Notes time and effort by an attacker needed to break the key must be
sufficiently significant so that it at least delays its discovery for
Cryptography as long as the information being protected needs to be kept
confidential. One factor that may contribute to strong keys that
PPT have a high work factor is the level of randomness of the bits
that make up the key.
Creation of Keys
(continued) l Random: Cryptographic keys are essentially strings of bits. The
Describe creation of keys. numbers used in making up the key need to be unpredictable
so that an attacker cannot easily guess the key and then expose
the protected information. Therefore, the randomness of the
PPT
numbers that comprise a key plays an important role in the
lifecycle of a cryptographic key. In the context of cryptography,
Key Wrapping and Key
randomness is the required quality of lacking predictability.
Encrypting Keys (KEKs)
Computer circuits and software libraries can be used to perform
Describe key wrapping the actual generation of random key values. Computers and
and key encrypting keys.
software libraries are well known as weak sources of randomness
and, therefore, special well-designed hardware and software
called random number generators are needed for cryptography
applications to ensure secure key creation.
l Asymmetric key length: The effectiveness of asymmetric
cryptography systems depends on the hard-to-solve nature of
certain math problems such as the factoring and discrete log
problems. These problems are time consuming to solve but
usually faster than trying all possible keys by brute force. Given
this fact, asymmetric algorithm keys must be longer for equivalent
resistance to attack than symmetric algorithm keys. As examples,
RSA Security claims that 1,024-bit RSA keys are equivalent in
strength to 80-bit symmetric keys, 2,048-bit RSA keys to 112-bit
symmetric keys, and 3,072-bit RSA keys to 128-bit symmetric
keys. RSA also suggests that 2,048-bit keys probably will be
sufficient until 2030. An RSA key length of 3072 bits should be
used if security is required beyond 2030.
Key Distribution
Key distribution is one of the most important aspects of key
management. As we have discussed, secure key distribution is
the most important issue with symmetric key cryptography. Key
distribution is the process of getting a key from the point of its
generation to the point of its intended use. This problem is
more difficult in symmetric key algorithms, where it is necessary
to protect the key from disclosure in the process. This step must
be performed using a channel separate from the one in which
the traffic moves. Keys can be distributed in a number of ways.
For example, two people who wish to perform secure key
exchange can use a medium other than that through which
secure messages will be sent. This is called out-of-band key
exchange. Even though out of band is the secure way to
distribute symmetric keys, this concept is not very scalable
beyond a few people and becomes very difficult as the number
of people involved grows.
Asymmetric key encryption provides a means to allow members of
a group to conduct secure transactions spontaneously. The
receiver’s public key certificate, which contains the receiver’s public
key, is retrieved by the sender from the key server and is used as
part of a public key encryption scheme, such as S/MIME, PGP, or
even SSL to encrypt a message and send it. The digital certificate
Notes is the medium that contains the public key of each member of the group
and makes the key portable, scalable, and easier to manage than an
Cryptography out-of-band method of key exchange.
Known Plaintext
Chosen Plaintext
Chosen
Ciphertext
Differential
Cryptanalysis
Linear
Cryptanalysis
Implementation
Attacks
Replay Attack
Algebraic
Rainbow Table
Frequency
Analysis
Birthday Attack
Factoring Attack
Social
Engineering for
Key Discovery
Attacking the
PPT
Random Number
Brute Force Attacks Generators
Explain brute force
attacks. Temporary Files
(CPU) and graphics processing unit (GPU) technology and new attack
techniques. The security professional and cryptologist need to
consider this when defining encryption requirements.
Notes
Cryptography
3
Known Plaintext
PPT
As the name of this attack implies, the attacker has access to known
Known Plaintext
samples of plaintext. In fact, the attacker has access to both the
ciphertext and the plaintext versions of the same message. Since the Explain known plaintext
attack.
method or algorithm is always known, the goal of this type of attack
is to find the relationship between the two that of course will be the
cryptographic key that was used to encrypt the message. Once the
key has been found, the attacker would then be able to decrypt all PPT
other messages that had been encrypted using that key. Chosen Plaintext
Explain chosen plaintext
attack.
Chosen Plaintext
In this type of cryptanalysis, the cryptanalyst is able to choose a
quantity of plaintext and then obtain the corresponding encrypted PPT
text to try and recover the key. To execute the chosen attacks, the
Chosen Ciphertext
attacker knows the algorithm used for the encryption, or even
better, may have access to the cryptosystem used to do the Explain chosen ciphertext
attack.
encryption and is trying to determine the key. At this point, the
attacker can run chosen pieces of plaintext through the algorithm
and see what the result is. This may assist in a known plaintext
attack. An adaptive chosen plaintext attack is where the attacker
can modify the chosen input files repeatedly to see what effect
that would have on the resulting ciphertext.
Chosen Ciphertext
This is similar to the chosen plaintext attack in that the attacker has
access to the decryption device or software and is attempting to
Implementation Attacks
Implementation attacks are some of the most common and popular attacks
against cryptographic systems today due to their ease and reliance on
system elements outside of the algorithm. Often the implementation of
certain cryptography elements are where the weaknesses may exist. The
main types of implementation attacks include the following:
l Side channel attacks: These are passive attacks that rely
on a physical attribute of the implementation such as power
consumption and emanations. These attributes may be able to be
studied to determine the secret key and the algorithm function
of the cryptosystem. Some examples of popular side channels
include timing analysis and electromagnetic differential analysis.
l Fault analysis: This attempts to force the system into an error
state to gain erroneous results. By forcing an error, gaining the
results and comparing it with known good results, an attacker
may learn clues about the secret key and the algorithm.
l Probing attacks: These attempt to watch the circuitry surrounding
the cryptographic module in hope that the other components of
Rainbow Table
Hash functions will produce message digest from plaintext. Since the
hash function is a one-way process, it is not possible to determine
the plaintext from the hash itself. However, there are two ways to
determine a given plaintext from its hash:
l Hash each plaintext until matching hash is found
l Hash each plaintext, but store each generated hash in a
table that can be used as a lookup table so hashes do not
need to be generated again
A rainbow table is a look-up table of sorted hash outputs. The idea
here is that storing precomputed hash values in a rainbow table
that one can later refer to saves time and computer resources when
attempting to decipher the plaintext from its hash value.
These can be very helpful in attacks against password files and
other implementations where hashes, or hashed versions of
information, are stored.
Frequency Analysis
This attack works closely with several other types of attacks. It is
especially useful when attacking a substitution cipher where the
statistics of the plaintext language are known, for example in a
ciphertext-only attack. In the English language, for example, some
Notes letters will appear more often than others will, allowing an attacker to
assume that those letters may represent an E or S, as those two letters are
Cryptography the most commonly used letters in the English alphabet. Another example
is that the most commonly used three-letter word in the English language is
PPT the word “the.” Knowing language statistics may be very helpful in
conducting certain cryptanalysis attacks.
Birthday Attack
Explain birthday attack
and its relevance to Birthday Attack
hashing algorithms.
The birthday paradox says that the probability that two or more people
in a group of 23 share the same birthday is greater than 50 percent. This
paradox can be applied mathematically to attack types of hashing
PPT functions to find two messages that produce the same message digest,
Factoring Attack and this is referred to as the birthday attack against hashing algorithms.
Explain factoring attack The birthday paradox shows that the probability that two messages will
against RSA. end up with the same hash is high even if the number of messages is
considerably less than the number of hashes possible. The really strong
hashing algorithms will resist, as much as possible, the possibilities that
duplicate hashes will be produced. To most experts, the birthday attack
is considered a type of brute force attack because the attacker keeps
trying to hash messages until messages that yield the same hash are
obtained. The point of the birthday attack is that it is easier to find two
messages that hash to the same message digest than to match a
specific message and its specific message digest.
Factoring Attack
This attack is aimed at the RSA algorithm specifically. Because that
algorithm uses the product of large prime numbers to generate the
public and private keys, this attack attempts to find the private key
through solving the factoring of these public keys.
Dictionary Attack
The dictionary attack is used most commonly against password files if a
copy of the password file can be obtained by the attacker. Even though
password files are one-way encrypted (the password file contains
hashes, or digests of the actual passwords), it exploits the poor habits of
users who choose simple passwords based on natural words. The
dictionary attack merely encrypts all of the words and different
combinations of words in a dictionary and then checks whether the
resulting hash matches an encrypted password stored in the password
file. Rainbow tables that provide already hashed digests of known
passwords and combinations can aid and speed up dictionary attacks
significantly.
Notes
Module 7: Physical Security
Physical Security
PPT
Module Objectives
Physical Security 1. Apply security principals to site and facility design.
Introduce the participants 2. Implement and manage physical security controls.
to the “Physical Security” 3. Implement and manage physical controls in wiring closets and
module.
intermediate distribution facilities.
4. Implement and manage physical controls in server rooms and
PPT data centers.
Module Objectives 5. Implement and manage physical controls in media storage
(2 slides) facilities.
Introduce the module 6. Implement and manage physical controls for evidence storage.
objectives.
7. Implement and manage physical controls in restricted areas.
8. Implement and manage physical controls in work areas.
9. Implement and manage environmental controls for utilities and
power.
10. Implement and manage controls for heating, ventilation, and air
conditioning (HVAC).
11. Implement and manage environmental controls.
12. Implement and manage environmental controls for fire
prevention, detection, and suppression.
Physical Security
Physical security plans and infrastructure are often designed,
Notes
Physical Security
3
implemented, and operated by physical security specialists in larger
organizations. Physical security infrastructure is typically controlled
One important consideration is that physical risk controls will impact Describe high-level
implementation process.
information system design. For example, weak physical controls may
necessitate more complex information system protections to
compensate, while strong physical protections may lower the overall
risk of an information system and allow for less costly or complicated PPT
controls to be applied at the information system level. Perimeter Security
Controls (3 slides)
Just as information system controls must be monitored for Describe how the
effectiveness, physical controls must also be monitored and tested considerations apply to
for effectiveness. This is especially true for controls associated with the conditions at each
human safety, continuity of operations, disaster recovery, and perimeter zone.
emergency backups.
Facility Perimeters
Surrounding
Areas
Site Entry/Exit
Points
External
Facilities
Operational
Facilities
l Evidence storage
Notes
l Restricted area security
Physical Security
l Utilities
l Heating, ventilation, and air conditioning (HVAC)
PPT
Implement Site and l Fire prevention, detection, and suppression
Facility Security l Environmental issues
Controls (continued)
Introduce topic areas for
site and facility controls.
Wiring Closets/Intermediate Distribution Facilities
The facility wiring infrastructure or “cable plant” is integral to overall
information system security and reliability.
PPT
Entrance facility
Wiring Closets/
Intermediate l External communications enter facility
Distribution Facilities—
l Phone, network, special connections
Protections (2 slides)
For each internal control l May house internet service provider (ISP) or telecommunications
type, describe, provide provider equipment
examples, and describe
CIA impacts. Equipment room
l Primary communication hub for facility
l Houses wiring/switch components
l May be combined with entrance facility
l Backbone distribution
l Connects entrance facility, equipment room and telecommunication
room(s)
Telecommunications room (wiring closet)
l Serves a particular area of a facility
l Floor, section, wing, etc.
l Terminates local wiring into patch panels
Rooms in the facility where multiple computer assets are installed For each internal control
type, describe, provide
and operate. Server rooms have similar security and environmental examples, and describe
protections to wiring closets. However, they may have higher CIA impacts.
human traffic, and it is critical that access point security and access
monitoring is in place. When server room space is shared with
other organizational units or even other businesses, it can be
critical to employ rack or equipment level locking.
Power, surge protection, and uninterruptible power supplies (UPS)
must tailored to the operating equipment and of sufficient
capacity. As equipment is modified or replaced, power concerns
must be readdressed to ensure capacities are not exceeded.
Human safety becomes an issue with power levels in most server
rooms and emergency shutoffs, and non-conductive hooks/gloves
become important for human safety. Non-conductive personal
protective equipment or hooks can be used to disengage
equipment from a power source or safely disengage a human
from a live power source without endangering another human.
Appropriate training may also be necessary to ensure staff
respond appropriately to electrical emergencies by cutting power
and/or safely resolving the emergency.
For server rooms, appropriate fire detection/suppression must be
considered (e.g., sprinkler is inappropriate for electrical fires) based
on the size of the room, typical human occupation, egress routes,
and risk of damage to equipment.
PPT
Evidence Storage
Evidence Storage
For each internal control
Evidence storage facilities or rooms are special-access areas with
type, describe, provide strictly limited access and may be aggressively monitored. They will
examples, and describe typically contain individual lockers or secure containers for each
CIA impacts. investigation or investigator assigned to the facility. This is to ensure
evidence accountability and chain of custody is maintained at all
times to prove evidence has not been modified or tampering has not
PPT occurred. Evidence is protected against damage or theft, and
Restricted Area Security appropriate environmental protections should be commensurate with
evidence types stored (e.g., paper, digital, media).
For each internal control
type, describe, provide
examples, and describe
CIA impacts.
Restricted Area Security
Restricted area security applies to any spaces or rooms within the facility
where highly sensitive work occurs or information is stored. This includes
secure facilities and classified workspaces. These spaces typically have
extremely high access control protections and logging of all access, and
they may include audio protections against eavesdropping such as white
noise machines. They may also include enhanced visual screening from
exterior spaces or have no windows at all. In the most extreme cases,
they may include protection against the detection of electromagnetic
emissions from equipment.
Utilities
Power
Notes
Physical Security
3
l Redundant power input from utilities
Water/Sewer
l Cooling/Human habitation
l Risk of leaks/damage to equipment
l Supports most building-wide fire suppression plans
Notes enclosed spaces requires adequate cooling and airflow. Cooling must
be designed match the equipment and space to be cooled.
Physical Security
High-capacity rooms (e.g., operations center) must have sufficient airflow
for the number of human occupants (CO2 danger), and air for all uses
PPT
should be filtered for contaminants (natural or intentionally introduced).
Heating, Ventilation,
and Air Conditioning
(HVAC) (continued) Fire Prevention and Detection
For each internal control Human training and awareness is critical to fire prevention. Sensors
type, describe, provide (infrared temperature, smoke) can detect conditions leading up to a
examples, and describe
CIA impacts. fire as well as fire initiation and may assist with prevention, but they are
primarily valuable for detection. Smoke detectors include optical
(photoelectric) and physical process (ionization). Flame detectors
include infrared and ultraviolet detectors
PPT
Fire Prevention and
Detection Fire Suppression
Cover fire detection and Buildings should be equipped with one or more types of fire suppression
supression technologies. systems. There are two main types of suppression systems: water-based
and gas-based:
PPT Water-based
Fire Suppression l Effective for common material fires (e.g., wood, paper, building
(3 slides)
materials)
Cover fire detection and
l Safe for human spaces
supression technologies.
l Damages equipment
l Ineffective for electrical or petroleum fires
l Typically cheaper than gas-based
Gas-based
l Effective for any fire type
l Typically safe for equipment
l May be dangerous to humans in enclosed spaces (depending on
type)
l Costly to install and maintain compared to water-based
Gas-based systems may be safe for humans under certain conditions but
not others. System design must take into account the size and ventilation of
protected rooms and volume calculations for the gas. If well implemented,
most modern gas systems can be safe for human occupied spaces, but
some risk of suffocation may still exist if not implemented correctly of if
unusual conditions apply.
Environmental Issues
The following is a limited list of environmental hazards that may be
encountered that could affect the facility. These hazards should be
considered based on expected frequency and potential impact for
the geographic area in which the facility is located.
l Hurricane
l Tornado
l Forest/wildfire
Notes
l Earthquake
Physical Security
l Flooding
l Mudslide
PPT
Environmental Issues
(continued)
Case: WannaCry Ransomware
Describe and discuss
each issue area and In May of 2017, a ransomware attack known as WannaCry was initiated
potential impacts. and affected over 230,000 computers in 150 companies. The attack
encrypted user files and requested a ransom be paid to an anonymous
address using Bitcoins. Ransomware maliciously using encryption was
not new at this point, but this incident raised public awareness of these
types of attacks.
The attack used vulnerabilities largely existing in older computer
systems and had the greatest impact within industries that historically
use embedded or long lifespan systems.
Attack anatomy:
The exploit used vulnerabilities in a Microsoft Server Message Block v1
(SMBv1) protocol to transfer itself across the network. SMBv1 is an older
protocol, having been replaced in more modern systems with v2 and
later since 2006. However, it was maintained for backwards compatibility
through Windows Server 2012. The malware used flaws in SMBv1 to
execute arbitrary code on the affected systems and install itself. It then
encrypted user files and attempted to spread itself using the same SMB
vulnerability.
FAILURES THAT MADE IT POSSIBLE
Architecture:
The malware spread using an older network protocol (SMBv1). This
protocol is used by Microsoft systems for file and print sharing. There is
no reason for this protocol to be accessible from external sources, yet
some infections occurred via external computers exploiting a
vulnerability in an internal protocol. Had SMB port blocks been better
implemented on organizational external defenses (e.g., firewalls), OR
had internal blocks that limited traversal of internal networks been in
place, the impact and spread would have been significantly reduced.
Many affected systems were older type systems using outdated
operating systems. The medical community was hit particularly hard in
Great Britain with many pieces of medical equipment being impacted.
For older or embedded systems, tight network segmentation and
limitation of ports, protocols, and services allowed to access those
systems would have significantly reduced the impact.
System updates:
As noted on the architecture, many of the affected systems were
older type systems and embedded type systems. However,
Notes
Physical Security
3
patches for the cores vulnerabilities were available from Microsoft
Notes
Module 8: Domain Review
Domain Review
PPT
Domain Summary
Domain Review The Security Architecture and Engineering Domain introduces several
Engage participants in a concepts for applying security architecture and engineering principles.
review of key information We have covered basic security models and security control frameworks.
from this domain by This included applying control frameworks and developing assessable
discussing this scenario- evaluation criteria. The domain introduced several common security
based set of questions
and answers. Question capabilities inherent in modern information systems and introduced
slides are immediately common vulnerabilities and mitigations that exist in different types of
followed by the answer information systems. The history of cryptography is very long, but over
slide. the last 50 years or so, cryptography has become an integral and
necessary part of security implementations.
Notes
3
Notes
Course Agenda
Domain 1: Security and Risk Management
Notes
Communication and
4
Network Security
Overview
The communication and network systems that comprise the
connections inside and outside of an organization can be compared
to the central nervous system of a body. It is how the organization
communicates within its boundaries and without. If the communication
and network systems experiences interruption or degradation in
service, it can be debilitating or even impossible to survive. To
manage vulnerabilities, it is necessary to be familiar with threats and
countermeasures that meet business needs for security.
Domain Objectives
After completing this course, the participant will be able to:
1. Name the layers of the Open Systems Interconnection (OSI)
and Transport Control Protocol/Internet Protocol (TCP/IP)
network models.
9 Service Considerations
12 Domain Review
Notes
Module 1: Secure Design Principles
Secure Design Principles in
Network Architectures in Network Architectures
PPT
Module Objectives
Secure Design
Principles in Network
1. Name the layers of the Open Systems Interconnection (OSI) and
Architectures Transport Control Protocol/Internet Protocol (TCP/IP) network
Introduce the participants
models.
to the “Secure Design 2. Compare the differences and similarities between the Open
Principles in Network Systems Interconnection (OSI) and Transport Control Protocol/
Architectures” module.
Internet Protocol (TCP/IP) network models.
PPT
Module Objectives
Introduce the module
objectives.
Notes with the technology it was designed to describe. The OSI model was
ratified as the international standard to describe network systems, and
Secure Design Principles in TCP/IP became the model for implementing the de-facto protocols on the
Network Architectures
internet and private networks.
The TCP/IP doesn’t have an inherent specification for security but in the
PPT
series of documents that make up the ISO/IEC 7498 OSI model, it is Part 2
Architecture and that addresses the security architecture for network systems.
Design (continued)
Introduce Architecture ISO/IEC 7498 consist of the following parts:
and Design.
Part 1: The Basic Model
Part 2: Security Architecture
PPT
Open Systems
Part 3: Naming and Addressing
Interconnection (OSI)
Model
Part 4: Management Framework
Discuss the Open
Systems Interconnection Open Systems Interconnection (OSI) Model
(OSI) Model.
Application
Data Network Process to
Application
Presentation
Data Data Representation
and Encryption
Session
Data Interhost
Communication
Transport
Segments End-to-End Connections
and Reliability
Network
Packets Path Determination and
IP (Logical Addressing)
Data Link
Frames MAC and LLC
(Physical Addressing)
Physical
Bits Media, Signal and
Binary Transmission
Notes
TCP/IP Model Compared to OSI Model
Secure Design Principles in OSI Model TCP/IP
Network Architectures
Layers Protocol TCP/IP Protocol Suite
Architecture
layers
PPT
Application Application
TCP/IP Model Compared Layer
Layer
to OSI Model
Compare contrast the Presentation
TCP/IP Model Compared Layer Telnet FTP SMTP DNS RIP SNMP
to OSI Model.
Session
Layer
Transport Host-to-Host
Layer Transport TCP UDP
Layer
Network
Layer Internet IP IGMP ICMP
ARP
Layer
Data-Link
Layer Ethernet Token Frame ATM
Network Ring Relay
Physical Interface
Layer Layer
Disadvantages of buses:
l Because there is only one central bus, a bus failure will leave the
entire network inoperable.
Tree
A tree topology is like a bus. Instead of all the nodes connecting to a
central bus, the devices connect to a branching cable. Like a bus, every
node receives all the transmitted traffic and processes only the traffic
that is destined for it. Furthermore, the data-link layer must transmit a
frame only when there is not a frame on the wire.
Advantages of a tree:
l Adding a node to the tree is easy.
l A node failure will not likely affect the rest of the network but
any node failure that provides additional branching will cause all
dependent nodes to fail.
Disadvantages of a tree:
l A cable failure could leave the entire network inoperable.
Ring
A ring is a closed-loop topology. Data is transmitted in one
direction only, based on the direction that the ring was initialized to
Notes
OSI Layer 1: Physical Layer
4
transmit in, either clockwise, or counter-clockwise. Each device
Disadvantages of rings:
l Simple rings have a single point of failure. If one node fails,
the entire ring fails. Some rings, such as fiber distributed
data interface (FDDI), use dual rings for failover.
Mesh
In a mesh network, all nodes are connected to every other node on
the network. A full mesh network is usually too expensive because it
requires many connections. As an alternative, a partial mesh can be
employed in which only selected nodes (typically the most critical)
are connected in a full mesh and the remaining nodes are connected
to a few devices. As an example, core switches, firewalls, and routers
and their hot standbys are often all connected to ensure as much
availability as possible.
Advantages of a mesh:
l Mesh networks provide a high level of redundancy.
Disadvantages of a mesh:
l Mesh networks are very expensive because of the enormous
amount of cables that are required.
Star
All nodes in a star network are connected to a central device, such
as a hub, switch, or router. Modern LANs usually employ a star
topology.
OSI Layer 1: Physical Layer l Star networks require fewer cables than full or partial mesh.
l Star networks are easy to deploy, and nodes can be easily added
PPT or removed.
Concepts and Disadvantages of a star:
Architecture (3 slides)
(continued) l The central connection device is a single point of failure. If it is
not functional, all the connected nodes lose network connectivity.
Discuss the Physical
Layer Concepts and
Architecture. Carrier Sense Multiple Access (CSMA)
As the name implies, Carrier Sense Multiple Access (CSMA) is an access
protocol that uses the absence/presence of a signal on the medium that
it wants to transmit on as permission to transmit. Only one device may
transmit at a time; otherwise, the transmitted frames will be unreadable.
Because there is not an inherent mechanism that determines which
device may transmit, all the devices must compete for available
bandwidth. For this reason, CSMA is referred to as a contention-based
protocol. Also, because it is impossible to predict when a device may
transmit, CSMA is also nondeterministic.
l Carrier Sense Multiple Access with Collision Detection
(CSMA/CD): Devices on a LAN CSMA/CD listen for a carrier
before transmitting data. If another transmission is not
detected, the data will be transmitted. It is possible that a
station will transmit before another station’s transmission had
enough time to propagate. If this happens, two frames will be
transmitted simultaneously, and a collision will occur. Instead
of all stations simply retransmitting their data, which will
likely cause more collisions, each station will wait a randomly
generated interval before retransmitting. CSMA/CD is part
of the Institute of Electrical and Electronics Engineers (IEEE)
802.3 standard.
l Carrier Sense Multiple Access with Collision Avoidance
(CSMA/CA): Avoids collisions by sensing if the media is clear
for transmission. If the media is clear for transmission, then the
potential transmitter send out a special control frame called a
Request to Send (RTS). The RTS is sent to the common access
point along with all stations on that segment. If the RTS is
accepted by the access point, then a Clear to Send (CTS) is sent
back to the potential transmitter and all stations connected to
the access point. In this way collisions do not have an opportunity
to take place. CSMA/CA is used in the IEEE 802.11 wireless
standard.
Media
The wired media utilized within the physical layer of the Open Systems
Interconnection (OSI) model spans various strands and gauges of
copper along with plastics and glass.
l Twisted Pair: Pairs of copper wires are twisted together to
reduce electromagnetic interference and cross talk. Each wire is
insulated with a fire-resistant material, such as Teflon. The twisted
pairs are surrounded by an outer jacket that physically protects
the wires. The quality of cable, and therefore, its appropriate
application is determined by the number of twists per inch, the
type of insulation, and conductive material. The P802.3bt draft is
designed to be a standard for managing a supply of power over a
four-pair set of copper wire connecting data terminal equipment.
Notes medium where they travel down the cable. Think of a fiber cable in
terms of very long cardboard roll (from the inside roll of paper towel)
OSI Layer 1: Physical Layer that is coated with a mirror on the inside. If you shine a flashlight in
one end you can see light come out at the far end—even if it’s been
PPT bent around a corner. Light pulses move easily down the fiber-optic
line because of a principle known as total internal reflection. This
Technology and
Implementation
principle states that when the angle of incidence exceeds a critical
(7 slides) (continued) value, light cannot get out of the glass; instead, the light bounces
Discuss Physical Layer
back in. When this principle is applied to the construction of the
Technology and fiber-optic strand, it is possible to transmit information down fiber
Implementation. lines in the form of light pulses. The core must be made from a very
clear and pure material. The core can be plastic (used for very short
distances) but most are made from glass. Glass optical fibers are
almost always made from pure silica, but some other materials, such
as fluorozirconate, fluoroaluminate, and chalcogenide glasses, are
used for longer wavelength infrared applications.
There are three types of fiber optic cable commonly used:
l Single mode: This mode has a small diameter core that
decreases the number of light reflections within the cable. This
allows for great transmission distance, up to 80Km, 50 times
further than multimode.
l Multimode: This mode uses a larger diameter cable than single
mode. Light reflections subsequently increase. Typically used for
short distances. Transmission distances are up to 400m.
l Plastic optical fiber (POF): This uses a plastic core and allows
for larger diameter fiber cores. Distortion of the signal is greatly
increased using plastic, which limits its range significantly.
Transmission distances are around 100m.
l Patch panels: As an alternative to directly connecting devices,
devices are connected to the patch panel. Then, a network
administrator can connect two of these devices by attaching a small
cable, called a patch cord, to two jacks in the panel.
Internet Access
Digital Subscriber Lines (DSLs): There are several methods of
implementing DSL:
l Asymmetric Digital Subscriber line (ADSL): Downstream
transmission rates are much greater than upstream ones, typically
up to 8Mbps downstream and 384Kbps upstream.
l Rate-Adaptive DSL (RADSL): The upstream transmission rate
is automatically tuned based on the quality of the line and
adjustments made on the modem.
346 Domain 4: Communication and Network Security
Instructor Edition
Notes At the release of this publication, the minimum version for devices
released is DOCSIS 3.
OSI Layer 1: Physical Layer
Like DSL, cable modems make it practical for home users to remain
connected to the internet for an extended time, which exposes cable
PPT
modem users to the same risks as DSL users. Cable modem users must
Technology and take the same precautions as DSL users: ensure that PCs on the home
Implementation network have a personal firewall, install vendor security patches, and
(7 slides) (continued)
disable dangerous and unused protocols.
Discuss Physical Layer
Technology and At a high level, the cable model process is:
Implementation.
l When a cable modem is powered on, it is assigned upstream and
downstream channels
l Next, it establishes timing parameters by determining how far it is
from the head end (the core of the cable network)
l The cable modem makes a Dynamic Host Configuration Protocol
(DHCP) request to obtain an IP address
To help protect the cable provider from piracy and its users from their
data being intercepted by other cable users, the modem, and head end
exchange cryptography keys. From that point forward, all traffic
between the two ends is encrypted.
Wireless (LAN/WAN)
Wi-Fi (Wireless LAN IEEE 802.11x)
Primarily associated with computer networking, Wi-Fi uses the IEEE
802.11x specification to create a wireless local-area network either public
or private. A Wi-Fi network consists of a wireless connection to wireless
access point (WAP) that is normally connected to a wired network.
Wi-Fi range is generally wide enough for most homes or small offices, and
for larger campuses or homes, range extenders may be placed strategically
to extend the signal. Over time the Wi-Fi standard has evolved, with each
updated version faster than the last. Current devices usually use the
802.11n or 802.11ac versions of the spec, but backwards compatibility
ensures that an older laptop can still connect to a new Wi-Fi router.
Notes
OSI Layer 1: Physical Layer
4
However, to see the fastest speeds, both the computer and the router
Satellite
Notes
Just as satellites orbiting Earth provide necessary links for telephone
OSI Layer 1: Physical Layer
and television service, they can also provide links for broadband.
Satellite broadband is another form of wireless broadband and is also
PPT useful for serving remote or sparsely populated areas.
Technology and Downstream and upstream speeds for satellite broadband depend on
Implementation
(7 slides) (continued) several factors, including the provider and service package purchased,
the consumer’s line of sight to the orbiting satellite, and the weather.
Discuss Physical Layer
Technology and
Typically, a consumer can expect to receive (download) at a speed of
Implementation. about 500Kbps and send (upload) at a speed of about 80Kbps. These
speeds may be slower than DSL and cable modem, but they are about
10 times faster than the download speed with dial-up internet access.
Service can be disrupted in extreme weather conditions.
Cellular Network
A cellular network or mobile network is a radio network distributed
over land areas called cells, each served by at least one fixed-location
transceiver known as a cell site or base station. In a cellular network,
each cell characteristically uses a distinct set of radio frequencies from
all their immediate neighboring cells to avoid any interference. When
joined together, these cells provide radio coverage over a wide
geographic area. This enables many portable transceivers (e.g., mobile
phones, pagers, etc.) to communicate with each other and with fixed
transceivers and telephones anywhere in the network via base stations
even if some of the transceivers are moving through more than one
cell during transmission.
There are two primary transmission types for cell phones:
l Code-division multiple access (CDMA): Every call’s data is
encoded with a unique key, then the calls are all transmitted
at once. CDMA carriers use network-based white lists to
verify their subscribers. Phones can only be switched with the
carrier’s permission, and a carrier doesn’t have to accept any
phone onto its network.
l Global System for Mobiles (GSM): Each call is transformed into
digital data that is given a channel and a time slot. Customer
information, including telephone number, is kept on a Subscriber
Identity Module (SIM) that is a removable from one phone to
another in GSM provisioned phones. To be considered GSM, a
carrier must accept any GSM-compliant phone.
The transmission speeds and carrier capabilities of wireless networks
related to cellular services is expressed within a “Generation” with a
4G 2009 Maximum of Long Term Evolution (LTE) or HD mobile media and web
100Mbps WiMax conferencing
Unshielded Relative inexpensive Easiest to tap and disclose data. Utilize STP or fiber
Twisted Pair network cable. optic cable to reduce EMI/RFI.
(UTP) Disrupt with electromagnetic
interference (EMI) or radio frequency Use repeaters and fiber optic
interference (RFI). cable to reduce issues with
attenuation.
Attenuation of signal begins at 100
meters or 328 feet.
Shielded Provides greater protection Degradation or loss of Use repeaters and fiber optic
Twisted Pair against EMI/RFI. a signal (attenuation) begins at 100 cable to reduce issues with
(STP) meters or 328 feet. attenuation.
Coaxial Cable Heavier gauge and Cables can be difficult to manage. Use fiber optic cable as
shielding provides more alternative.
protection than STP against
EMI/RFI and greater
bandwidth.
Fiber Optic Provides most protection Fiber optic taps can disclose data. Use of end-to-end encryption
Cable against EMI/RFI and highest when required.
bandwidth.
Bus Topology Easily add new node with Bus failure leaves entire network Transition to star or mesh
negligible impact. inoperable. topology.
Star Topology Fewer cables than full or Star device failure will leave Restrict traffic data disclosure by
partial mesh. Nodes can be connected nodes without access. means of smart port
easily added. management.
All nodes connected to star device
can potentially listen to traffic on
the device.
Ring Topology Deterministic traffic Single point of failure. Use dual ring such as fiber
management. distributed data interface
(FDDI).
Mesh Topology All nodes have a backup Complex management of Use partially meshed.
connection to every other redundant cables and nodes may
node in the network. lead to loops of unintentional
Designed for high bypassing of access controls.
availability.
Bluetooth Remote access and data Deprecated versions allow Keep up with patching and
sharing between devices. unauthenticated access. Blueborne, security updates.
Bluejacking, and other attacks allow
unauthorized access to data. Do not use in insecure public
settings.
Cellular Cell phones and other Spoofed femtocells facilitate man- Require femtocell handset
devices communicate in-the-middle attack. registration.
globally.
Devices
Bridges
Bridges are layer 2 devices that filter traffic between segments based on
MAC addresses. In addition, they amplify signals to facilitate physically
larger networks. A basic bridge filters out frames that are destined for
another segment. Bridges can connect LANs with unlike media types,
such as connecting an Unshielded Twisted Pair (UTP) segment with a
segment that uses coaxial cable. Bridges do not reformat frames, such
as converting a Token Ring frame to Ethernet. This means that only
identical layer 2 architectures can relate to a simple bridge (e.g.,
Ethernet to Ethernet, etc.).
Network administrators can use translator bridges to connect dissimilar
layer 2 architectures, such as Ethernet to Token Ring. Other specialized
bridges filter outgoing traffic based on the destination MAC address.
Bridges do not prevent an intruder from intercepting traffic on the local
segment. A common type of bridge for many organizations is a wireless
bridge based upon one of the IEEE 802.11 standards. While wireless
bridges offer compelling efficiencies, they can pose devastating security
VLAN Segmentation of MAC Flooding Attack: Switch is Port Security, 802.1x, and
network traffic to fed many ethernet frames, each Dynamic VLANs are three
reduce congestion containing different source MAC features that can be used to
and contention addresses, by the attacker. The constrain the connectivity of a
while supporting intention is to consume the device based on its user’s login
prioritization and limited memory set aside in the ID and based on the device’s
security switch to store the MAC own MAC layer identification.
management. address table.
Address Resolves IP address ARP Attacks: By means of This type of attack can be
Resolution to MAC Address. “poisoning,” ARP tables and prevented either by blocking
Protocol attacker can pose as an the direct communication at
(ARP) intermediary system and layer 2 between the attacker
accomplish a Man-In-the-Middle and the attacked device or by
attack. embedding more intelligence
into the network so that it can
check the forwarded ARP
packets for identity correctness.
Multicast Supports one-to- Multicast Brute Force Attack: All traffic should be constrained
many communication Storm of layer 2 multicast frames to its own VLAN.
transmissions. creating denial of service.
Spanning Maintains a loop- Spanning-Tree Attack: Attacker Do not allow port mirroring or
Tree free switching sends out STP frames claiming monitoring of STP frames.
Protocol environment. to be root bridge.
PPT
Unicast, Multicast, and Broadcast Transmissions
Concepts and
Architecture In many cases, computer transmission methodology reflects some of the
Discuss Network
norms that happen in a verbal conversation. Typically, if you want to have a
Layer Concepts and private conversation with an individual, you will take that person aside and
Architecture. speak one-to-one. A unicast is a one-to-one communication between hosts.
If you need to let a group within a crowd of people know about a matter, you
can open your announcement with a relevant statement to capture that
groups attention within the crowd. A multicast is a one-to-many
communication between hosts. If there is something that everyone within a
crowd of people should know, such as the need to escape a fire, you
wouldn’t walk up to each individual and tell them one at a time, you would
shout it out for all to hear. A broadcast is a one-to-all communication
between hosts.
A host can send a broadcast to everyone on its network or sub-network.
Depending on the network topology, the broadcast could have
anywhere from one to tens of thousands of recipients. Like a person
standing on a soapbox, this is a noisy method of communication.
Typically, only one or two destination hosts are interested in the
broadcast; the other recipients waste resources to process the
transmission. However, there are productive uses for broadcasts.
Consider a router that knows a device’s IP address but must determine
the device’s media access control (MAC) address. The router will
broadcast an Address Resolution Protocol (ARP) request asking for the
device’s MAC address.
Multicasting was designed to deliver a stream to only interested hosts.
Radio broadcasting is a typical analogy for multicasting. To select a
specific radio show, you tune a radio to the broadcasting station.
Likewise, to receive a desired multicast, you join the corresponding
multicast group. Multicast agents are used to route multicast traffic over
networks and administer multicast groups.
Each network and sub-network that supports multicasting must have at
least one multicast agent. Hosts use Internet Group Management Protocol
(IGMP) to tell a local multicast agent that it wants to join a specific multicast
group. Multicast agents also route multicasts to local hosts that are
members of the multicast’s group and relay multicasts to neighboring
agents. When a host wants to leave a multicast group, it sends an IGMP
message to a local multicast agent. Multicasts do not use reliable sessions;
therefore, the multicasts are transmitted as best effort with no guarantee
that datagrams are received.
360 Domain 4: Communication and Network Security
Instructor Edition
Devices
Routers
Routers route packets to other networks and are commonly referred
to as the Gateway. They read the IP destination in received packets,
and based on the router’s view of the network, it determines the
next device on the network (the next hop) to send the packet. If the
destination address is not on a network that is directly connected to
the router, it will send the packet to the gateway of last resort,
another connected router, and rely on that router to establish a path.
Routers can be used to interconnect different technologies and
change the architecture. For example, connecting a Token Ring and
Ethernet networks to the same router would allow IP Ethernet
packets to be forwarded to a Token Ring network.
Routers are most commonly used today to connect LANs to
WANs. To build a network, you need switches for the LAN and a
router to connect the LAN to the WAN. The most basic security
that can be performed at layer 3 on a router is an access control
list (ACL) that can define permitted and denied source and
destination addresses and ports or services.
Firewalls
Routers and firewalls are devices that enforce administrative
security policies by filtering incoming traffic based on a set of rules.
While a firewall should always be placed at internet gateways, there
are also internal network considerations and conditions where a
firewall would be employed, such as network zoning. Additionally,
firewalls are also threat management appliances with a variety of
other security services embedded, such as proxy services and
intrusion prevention services (IPS) that seek to monitor and alert
proactively at the network perimeter. The types of firewall are
further addressed in Domain 4 Module 10.
Module 4: OSI Layer 3: Network Layer 363
Official (ISC)2 CISSP Training Guide
Firewall Prevent Skilled hackers, misconfigured devices, Schedule and install regular
unauthorized version/release/update level updates and patches.
access to network vulnerabilities. Provide proper training for
resources. configuration, maintenance,
and operation.
Router Transmits packets Undesired receipt or transmission of data Create ACL on router
between discreet between networks. interface to allow or deny IP
networks. addresses and services.
ICMP Verify that a system Smurf: ICMP Echo Request sent to the Disable ICMP Echo Request
is responsive network broadcast address of a spoofed on Network.
running IP. victim causing all nodes to respond to
the victim with an Echo Reply.
IP Designed to allow Tear Drop Attack: Exploits the Host OS and routers have
Fragmentation units of information reassembly of fragmented IP packets in patching that inspects
to be disassembled the fragment offset field that indicates discrepancy in fragment
or fragmented with the starting position, or offset, of the offset and drops malformed
the benefit of being data contained in a fragmented packet fragment packets.
delivered in smaller relative to the data of the original
units. unfragmented packet. System crashes
with accumulation of multiple malformed
packets.
UDP Broadcast Used to message Fraggle: ICMP Echo Do not allow router to
all systems on a Request sent to the forward request to
network with a network broadcast network directed
single broadcast. address of a spoofed broadcast address.
victim causing all nodes
to respond to the
victim with an Echo
Reply. (Same as Smurf
but utilizes UDP port 7.)
Notes
Module 6: OSI Layer 5: Session Layer
OSI Layer 5: Session Layer
PPT
Module Objectives
Introduce the module
objectives.
Notes
Module 7: OSI Layer 6: Presentation
OSI Layer 6: Presentation
Layer Layer
PPT
Module Objectives
OSI Layer 6:
Presentation Layer
1. List the concepts and architecture that define the associated
technology and implementation systems and protocols at Open
Introduce the participants
Systems Interconnection (OSI) model layers 1–7. (Presentation
to the “OSI Layer 6:
Presentation Layer” Layer)
module. 2. Define related threats and select appropriate countermeasures for
systems and protocols operating at Open Systems Interconnection
(OSI) model layers 1–7. (Presentation Layer)
PPT
Module Objectives
Introduce the module
objectives.
Encoding
Encryption services such as TLS/SSL are managed below,
above, and within the presentation layer. At times, the
Notes encoding capabilities that are resident at the presentation layer are
inappropriately conflated with a specific set of cryptographic
OSI Layer 6: Presentation services. Abstract Syntax Notation (ASN.1) is an ISO standard that
Layer
addresses the issue of representing, encoding, transmitting, and
decoding data structures. The transfer of data entities between two
PPT points of communication could appear as nonsensical or encoding if
Technology and
a nonparticipating (eavesdropping) third party wasn’t aware of the
Implementation standard being used in transmission.
(continued)
Discuss Presentation
Layer Technology and
Implementation.
PPT
Threats and
Countermeasures
Discuss Presentation
Layer Threats and
Countermeasures.
DNS Resolve web names Poisoning of DNS server Utilize DNSSEC and
to IP addresses. records. harden DNS servers and
related services to
Redirect resolvers to mitigate erroneous
erroneous DNS assignment of DNS
services. services.
HTTP Resolve web page URL Text traversing the Utilize SSL or TLS -
request from server to internet is in plaintext HTTPS.
client. and can be read and
manipulated.
Notes
Module 9: Service Considerations
Service Considerations
PPT
Module Objectives
Service Considerations 1. Identify technological implementations that provide services to
support mobility and collaboration.
Introduce the participants
to the “Service 2. Describe various network services that abstract and virtualize
Considerations” module. underlying components and infrastructure and associate service
benefits.
PPT
Module Objectives
Introduce the module
objectives.
Virtualized Networks
Within the realm of circuit switched networking arose two types of
virtualization, namely;
Circuit-Switched Networks
Circuit-switched networks establish a dedicated circuit between
endpoints. These circuits consist of dedicated switch connections.
PPT
l Micro-segmentation of traffic types (broadband, MPLS, customer/
corporate facing, etc.) for greater performance
Virtualized Networks
(3 slides) (continued) l Support for security integration
List Types of Virtualized
Networks.
Content Distribution Networks (CDNs)
A content delivery network or content distribution network (CDN) is a
large distributed system of servers deployed in multiple data centers
across the internet. The goal of a CDN is to serve content to end users
with high availability and high performance. A key capability of CDN is to
provide for capacity management in that original content will not be easily
exhausted by request from a wide geographic field.
These are the two primary components of a CDN:
l Origin servers: Housing original content in the form of web and
rich media composed of audio and video files
l Edge servers: Holds cached copies of the original content that
distributes media to regionally close clients to speed delivery
Notes Firewalls
Firewalls will not be effective right out of the box. Firewall rules must be
Secure Network
Components defined correctly not to inadvertently grant unauthorized access. Like all
hosts on a network, administrators must install patches to the firewall and
disable all unnecessary services. Also, firewalls offer limited protection
PPT against vulnerabilities caused by applications flaws in server software on
Firewalls other hosts. For example, a firewall will not prevent an attacker from
Discuss Firewalls. manipulating a database to disclose confidential information.
Firewalls filter traffic based on a rule set. Each rule instructs the firewall
to block or forward a packet based on one or more conditions. For each
incoming packet, the firewall will look through its rule set for a rule
whose conditions apply to that packet and block or forward the packet
as specified in that rule. Below are two important conditions used to
determine if a packet should be filtered.
l By address: Firewalls will often use the packet’s source or
destination address, or both, to determine if the packet should
be filtered.
l By service: Packets can also be filtered by service. The firewall
inspects the service the packet is using (if the packet is part
of the Transmission Control Protocol (TCP) or User Datagram
Protocol (UDP), the service is the destination port number) to
determine if the packet should be filtered. For example, firewalls
will often have a rule to filter the Finger service to prevent an
attacker from using it to gather information about a host. Filtering
by address and by service are often combined in rules. If the
engineering department wanted to grant anyone on the LAN
access to its web server, a rule could be defined to forward
packets whose destination address is the web server’s and the
service is HTTP (TCP port 80).
Firewalls can change the source address of each outgoing (from trusted
to untrusted network) packet to a different address. This has several
applications, most notably to allow hosts with RFC 1918 addresses
access to the internet by changing their private address to one that is
routable on the internet. A private address is one that will not be
forwarded by an internet router and, therefore, remote attacks using
private internal addresses cannot be launched over the open internet.
Anonymity is another reason to use network address translation (NAT).
Many organizations do not want to advertise their IP addresses to an
untrusted host and, thus, unnecessarily give information about the
network. They would rather hide the entire network behind translated
addresses. NAT also greatly extends the capabilities of organizations to
continue using IPv4 address spaces.
Proxy Firewall
A proxy firewall mediates communications between untrusted
endpoints (servers/hosts/clients) and trusted endpoints (servers/
hosts/clients). From an internal perspective, a proxy may forward
traffic from known, internal client machines to untrusted hosts on
the internet, creating the illusion for the untrusted host that the
traffic originated from the proxy firewall, thus, hiding the trusted
internal client from potential attackers. To the user, it appears that
they are communicating directly with the untrusted server. Proxy
servers are often placed at internet gateways to hide the internal
network behind one IP address and to prevent direct
communication between internal and external hosts.
Proxy Types
A circuit-level proxy creates a conduit through which a trusted host
can communicate with an untrusted one. This type of proxy does
Module 10: Secure Network Components 387
Official (ISC)2 CISSP Training Guide
Notes not inspect the data field that it forwards, which adds very little
overhead to the communication between the user and untrusted server.
Secure Network The lack of application awareness also allows circuit-level proxies to
Components
forward any traffic to any TCP and UDP port. The disadvantage is that
the data field will not be analyzed for malicious content.
PPT
An application-level proxy relays the traffic from a trusted end-point
Network Access running a specific application to an untrusted end-point. The most
Control (NAC) Devices
(continued) significant advantage of application-level proxies is that they analyze the
data field that they forward for various sorts of common attacks such as
Discuss Network Access
Control (NAC) Devices.
buffer overflows. Application-level proxies add processing overhead.
Endpoint Security
Workstations should be hardened, and users should be using limited
access accounts whenever possible in accordance with the concept of
“least privilege.”
Workstations should have the following:
l Up to date antivirus and anti-malware software
l A configured and operational host-based firewall
l A hardened configuration with unneeded services disabled
l A patched and maintained operating system
While workstations are clearly what most people will associate with
endpoint attacks, the landscape is changing. Mobile devices, such as
smart phones, tablets etc., are beginning to make up more and more of
the average organization’s endpoints. With this additional diversity of
devices, there becomes a requirement for the security architect to also
increase the diversity and agility of an organization’s endpoint defenses.
For mobile devices such as smart phones and tablets, consider the
following:
l Encryption for the whole device, or if not possible, then at least
encryption for sensitive information held on the device
l Device virtualization/sandboxing
l Remote management capabilities including the following:
o Remote wipe
o Remote geolocate
o Remote update
o Remote operation
l User policies and agreements that ensure an organization can
manage the device or seize it for legal hold
PPT
Module Objectives
Introduce the module
objectives.
Notes Voice
Secure Communications Voice over Internet Protocol (VoIP)
Channels According to
Voice over Internet Protocol (VoIP) is a technology that allows you to make
Design
voice calls using a broadband internet connection instead of a regular (or
analog) phone line. VoIP is simply the transmission of voice traffic over
PPT IP-based networks. VoIP is also the foundation for more advanced unified
Voice communications applications such as web and video conferencing.
Discuss Voice Technology. VoIP systems are based on the use of the Session Initiation Protocol (SIP),
which is the recognized standard. Any SIP compatible device can talk to any
other. In all VoIP systems, your voice is converted into packets of data and
then transmitted to the recipient over the internet and decoded back into
your voice at the other end. To make it quicker, these packets are
compressed before transmission with certain codecs, almost like zipping a
file on the fly. There are many codecs with diverse ways of achieving
compression and managing bitrates, thus, each codec has its own
bandwidth requirements and provides different voice quality for VoIP calls.
VoIP systems employ session control and signaling protocols to control
the signaling, set-up, and tear-down of calls. A codec is software that
encodes audio signals into digital frames and vice versa. Codecs are
characterized by different sampling rates and resolutions. Different
codecs employ different compression methods and algorithms, using
different bandwidth and computational requirements.
VoIP Problems
Packet loss: A technique called packet loss concealment (PLC) is used
in VoIP communications to mask the effect of dropped packets.
There are several techniques that may be used by different
implementations:
Zero substitution is the simplest PLC technique that requires the least
computational resources. These simple algorithms generally provide the
Instant Messaging
Instant messaging systems can generally be categorized in three
classes:
l P2P networks
l Brokered communication
l Server-oriented networks
All these classes will support basic “chat” services on a one-to-one basis
and frequently on a many-to-many basis. Most instant messaging
applications do offer additional services beyond their text messaging
capability, for instance, screen sharing, remote control, exchange of files,
and voice and video conversation. Some applications even allow command
scripting. Instant messaging and chat is increasingly considered a significant
business application used for office communications, customer support,
and “presence” applications. Instant message capabilities will frequently be
deployed with a bundle of other IP-based services such as VoIP and video
conferencing support.
Conceptually, because they are built on mutual trust, they can be misused
to obtain access and to horizontally and vertically escalate privileges in an
attack. Their authentication and transmission capabilities are insecure by
design; therefore, they have to be retrofitted (as X11) or replaced
altogether (TELNET and rlogin by SSH).
TELNET is a command line protocol designed to give command line
access to another host. Although implementations for Windows exist,
TELNET’s original domain was the UNIX server world, and in fact, a
TELNET server is standard equipment for any UNIX server. (Whether it
should be enabled is another question entirely, but in small LAN
environments, TELNET is still widely used.)
TELNET:
l Offers little security, and indeed, its use poses serious
Notes
Secure Communications
4
security risks in untrusted environments. Channels According to
Design
By the latter, a user may grant access that was not permitted by
the system administrator. The same mechanism applies to rsh
and rcp although they are relying on a different daemon (rshd).
Authentication can be considered host/IP address based.
Although rlogin grants access based on user ID, it is not verified;
i.e., the ID a remote client claims to possess is taken for granted
if the request comes from a trusted host. The rlogin protocol
transmits data without encryption and is hence subject to
eavesdropping and interception.
The rlogin protocol is of limited value—its main benefit can be
considered its main drawback: remote access without supplying a
password. It should only be used in trusted networks, if at all. A
more secure replacement is available in the form of SSHv2 for
rlogin, rsh, and rcp.
Screen Scraper
Notes
A screen scraper is a program that can extract data from output on a
Secure Communications
Channels According to
display intended for a human. Screen scrapers are used in a legitimate
Design fashion when older technologies are unable to interface with modern
ones. In a nefarious sense, this technology can also be used to capture
images from a user’s computer such as PIN pad sequences at a banking
PPT website when implemented by a virus or malware.
Remote Access
Tunneling/ VPNs
(continued) Virtual Applications and Desktops
Discuss Remote Access Virtual Network Terminal Services
Tunneling/ VPNs. Virtual terminal service is a tool frequently used for remote access to
server resources. Virtual terminal services allow the desktop environment
for a server to be exported to a remote workstation. This allows users at
the remote workstation to execute desktop commands as though they
were sitting at the server terminal interface in person.
The advantage of terminal services such as those provided by Citrix,
Microsoft, or public domain virtual network computing (VNC) services is
that they allow for complex administrative commands to be executed
using the native interface of the server, rather than a command-line
interface, which might be available through SSHv2 or telnet. Terminal
services also allow for the authentication and authorization services
integrated into the server to be leveraged for remote users, in addition
to all the logging and auditing features of the server as well.
Remote Access
Virtual Private Network (VPN)
A virtual private network (VPN) is point-to-point connection that extends a
private network across a public network. The most common security
definition is an encrypted tunnel between two hosts, but doesn’t have to
be. A tunnel is the encapsulation of one protocol inside another. Remote
users employ VPNs to access their organization’s network securely.
Depending on the VPN’s implementation, they may have most of the
same resources available to them as if they were physically at the office.
As an alternative to expensive dedicated point-to-point connections,
organizations use gateway-to-gateway VPNs to securely transmit
information over the internet between sites or even with business partners.
Telecommuting
Common issues such as visitor control, physical security, and network
control are almost impossible to address with teleworkers. Strong VPN
Tunneling
Point-to-Point Tunneling Protocol (PPTP)
Point-to-Point Tunneling Protocol (PPTP) is a tunnel protocol that runs
over other protocols. PPTP relies on Generic Routing Encapsulation
(GRE) to build the tunnel between the endpoints.
The security architect and practitioner both need to consider known
weaknesses, such as the issues identified with PPTP, when planning
for the deployment and use of remote access technologies.
PPTP is based on Point-to-Point Protocol (PPP), so it does offer
authentication by way of password authentication protocol (PAP),
Challenge-Handshake Authentication Protocol (CHAP), or
Extensible Authentication Protocol (EAP).
IPSec
IP security (IPSec) is a suite of protocols for communicating
securely with IP by providing mechanisms for authentication and
encryption. Standard IPSec only authenticates hosts with each
Notes Remote users employ a web browser to access applications that are
in the organization’s network. Even though users employ a web
Secure Communications browser, SSL VPNs are not restricted to applications that use HTTP.
Channels According to
Design
With the aid of plug-ins, such as Java, users can have access to
back-end databases, and other non-web- based applications. SSL
VPNs have several advantages over IPSec. They are easier to deploy
PPT on client workstations than IPSec because they require a web
Remote Access browser only, and almost all networks permit outgoing HTTP. SSL
Tunneling/ VPNs VPNs can be operated through a proxy server. In addition,
(continued) applications can restrict users’ access based on criteria, such as the
Discuss Remote Access network the user is on, which is useful for building extranets with
Tunneling/ VPNs. several organizations.
PPT
Tunneling Firewalls and Other Restrictions
Case: Network Security
Control of HTTP tunneling can happen on the firewall or the proxy server.
Incident Mitigation It should, however, be noted that in the case of peer-to-peer protocols,
this would require a “deny by default” policy. Blocking instant messaging
Introduce and Frame
Case Network Security without providing a legitimate alternative is not likely to foster user
Incident Mitigation. acceptance and might give users incentive to utilize even more dangerous
workarounds. It should also be noted that inbound file transfers can also
result in circumvention of policy, etc. or restrictions in place, for the
spreading of malware.
An effective countermeasure can be found in active antivirus scanning
on the client, which should be enabled anyway.
Notes
Module 12: Domain Review
Domain Review
PPT
Domain Summary
Participate in review
of key elements
from the domain on
communication and
network security.
Notes 10. At what plane can you locate routers and switches in a software-
defined network (SDN)?
Domain Review
A. Data-link and network plane
PPT B. Data plane
Domain Review
Questions (continued)
C. Control plane
Participate in review D. Application plane
of key elements
from the domain on
communication and
network security.
Notes 10. At what plane can you locate routers and switches in a software-
defined network (SDN)?
Domain Review
A. Data-link and network plane
B. Data plane
C. Control plane
D. Application plane
The correct answer is B. Routers and switches are in the data plane.
Notes
4
Notes
Course Agenda
Domain 1: Security and Risk Management
Notes
Identity and Access
5
Management (IAM)
Overview
Identity and access management (IAM) are core to maintaining
confidentiality, integrity, and availability of assets and resources that
are critical to business survival and function. Central to maintaining
protection of business-critical assets is the ability to name, associate,
and apply suitable identity and access control methodologies and
technologies that meet specific business needs.
Domain Objectives
After completing this domain, the participant will be able to:
1. Identify standard terms for applying physical and logical
access controls to environments related to their security
practice.
2. Apply physical and logical access controls to environments
with relation to the (environment’s or access controls’)
security practice.
6 Accountability
7 Domain Review
Notes
Module 1: Control Physical and
Control Physical and
Logical Access to Assets Logical Access to Assets
PPT
Module Objectives
Control Physical and
Logical Access to
1. Identify standard terms for applying physical and logical access
Assets controls to environments related to their security practice.
Introduce the participants 2. Apply physical and logical access controls to environments
to the “Control Physical with relation to the (environment’s or access controls’) security
and Logical Access to practice.
Assets” module.
PPT
Module Objectives
Introduce the module
objectives.
Information
Information and the administration of information is key to the
Notes
Control Physical and
5
management of individual and systemic access control systems. Logical Access to Assets
Information can be associated with both logical and physical access
Notes files control the types of access or users’ abilities for the files under their
control. For example, when a new employee is hired into a department, a
Control Physical and central administrator might provide the employee with a set of access
Logical Access to Assets
perhaps based on the functional element they are assigned to, job
classification, and the specific task the employee was hired to work on.
PPT The employee might have read-only access to an organization-wide
Systems
SharePoint document library and to project status report files, but read
and write privileges to his department’s weekly activities report. Also, if
Explain key systems that
define identity and access
the employee left a project, the project manager can easily close that
management (IAM). employee’s access to that file.
PPT
Systems
Logical and Physical
Access Control Systems
Access controls can be classified by either logical or physical systems.
The simplest example of a physical access control system is a door that
Note examples of
physical and logical
can be locked, limiting people to one side of the door or the other. A
access control systems. logical access control system is normally operational in an office
network where users are allowed or not allowed to login to a system to
access data labeled with a classification by users granted a clearance.
Devices
There are a range of devices (systems or components if logical)
associated with logical and physical access control. Logical and
physical access control devices include but are not limited to
access tokens (hardware and software), keys, and cards.
Notes for the point where it is read based on time, date, day, holiday, or other
condition used for controlling validation.
Control Physical and
Logical Access to Assets When biometric readers are used, the token or key is the user’s retina,
fingerprint, hand geometry, voice, or whatever biological attribute is
enrolled into the system. Most biometric readers also require a PIN to
PPT
index the stored data on the sample readings of the biological attribute.
Devices (continued) Biometric systems can also be used to determine whether a person is
Review types of devices already in a database, such as for social service or national ID applications.
related to identity and
access management
(IAM).
Facilities
Below is an example of how a physical access control system can be
PPT
applied to a specific entity or facility.
Case [5 Min.]:
Department of
Homeland Security
Define roles and systems
Case: Department of Homeland Security
related to the facilities 1. What distinct roles can you locate within the physical access
case study. control system (PACS) application’s four areas as described below?
What are general security roles that can be used as placeholders
for the PACS application roles?
2. Name the logical or physical systems that are described in the
PACS application described below?
3. What assumptions could you make about the nature of the
information related to identification in the PACS application cited
below?
Notes
Module 2: Identity and Access
Identity and Access
Provisioning Lifecycle Provisioning Lifecycle
PPT
Identity and Access
Module Objectives
Provisioning Lifecycle 1. Define the process of user and systems access review.
Introduce the participants 2. Apply the appropriate control types/categories for provisioning
to the “Identity and and deprovisioning of identities.
Access Provisioning
Lifecycle” module.
PPT
Module Objectives
Introduce the module
objectives.
Notes Here are examples of built-in user accounts that are associated with a
Microsoft Windows system:
Identity and Access
Provisioning Lifecycle l SID: S-1-5-21domain-500
Name: Administrator
PPT Description: A user account for the system administrator. By
System Account Access
default, it is the only user account that is given full control over
Review (continued) the system.
Relate primary challenges l SID: S-1-5-21domain-501
of system account access
review. Name: Guest
Description: A user account for people who do not have
individual accounts and does not require a password. By default,
the Guest account is disabled.
l SID: S-1-5-21domain-512
Name: Domain Admins
Description: A global group whose members are authorized to
administer the domain. By default, the Domain Admins group is a
member of the Administrators group on all computers that have
joined a domain, including the domain controllers. Domain
Admins is the default owner of any object that is created by any
member of the group.
Current systems associate administrator privileges with individual users for
the duration that the privileges are required for a specific function and then
return the level escalated privileges when the specific task is completed.
Some system accounts are predefined to be used as service accounts
and are not always recognized by the security subsystem so may,
therefore, not be reviewable with the typical views or calls as a
traditional “administrator” or “root” account. Service accounts may
possess extensive privileges within a computing system and behave as
the computing system within a network. Service accounts will often have
unbated access and control of most system objects. In addition to the
wide-ranging access maintained by system accounts, the account itself
will often be active without any method of authentication and will not be
associated with any logged-on user account.
A compromised system account may yield access and information that
could make a system vulnerable to attack. Many service accounts do not
need as high a privilege level as is granted in the default configuration,
and if that is true of a system, then demoting the privileges to the least
level would be an appropriate application of the principle of least-
privilege.
Process Flow
The as-is process flow for this use case is broken into three parts.
Part 1: Provision a user account and apply user permissions
1. An Individual completes a request for access to an
application and provides it to the individual responsible
for access approvals (hereafter referred to as the Privilege
Manager).
2. The Privilege Manager validates the Individual’s need for
access and provides the access request to the Application
Administrator.
3. The Application Administrator creates a user account for
the Individual in the application with the appropriate user
permissions.
4. The Application Administrator notifies the User of the
account creation.
Identity and Access 1. The User completes a request for a change in privileges.
Provisioning Lifecycle
2. The Privilege Manager validates the User’s need for access and
provides the access request to the Application Administrator.
PPT 3. The Application Administrator updates the User’s access
Provisioning and permissions in the application.
Deprovisioning
(continued)
4. The Application Administrator notifies the User of the permission
change, often via phone, email, or another manual process.
Define the key steps
in provisioning and Part 3: Deprovision a user account
deprovisioning users
accounts. 1. The Privilege Manager notifies the Application Administrator that
the User no longer requires access to the application.
2. The Application Administrator removes the access permissions
PPT
and the User account from the application.
Activity [5 Min.]: Identify
the Roles and Control
Types and Categories
of Provisioning and Activity: Identify the Roles and Control Types and
Deprovisioning Categories of Provisioning and Deprovisioning
Select the appropriate Working together in small teams answer the questions below.
control types/
categories and roles 1. What additional controls (choose from the confidentiality,
for provisioning and
deprovisioning of user
integrity, and availability (CIA) triad) could be added to the three
accounts. phases of the process flow?
a. Add control types
b. Add control categories
2. What roles can you identify in the process flow (i.e., Custodian,
Data Owner, etc.)?
PPT
Module Objectives
Introduce the module
objectives.
Notes Identification
The objective of identification is to bind a user to the appropriate controls
Identification and
Authentication of People, based on the unique user instance. For example, once the unique user is
Devices, and Services identified and validated through authentication, his or her identity within the
infrastructure is used to allocate resources based on predefined privileges.
PPT
Identity Management
Implementation
Identity Management Implementation
Note the four elements
An identity represents the initial attribute in a linear succession of
of identity management attributes to protect access and use of a system. Providing an identity to
implementation. access a system is simply an assertion or claim of an entity. An assertion
or claim made by an entity should be followed by rigorous proof that
the entity’s claim is legitimate. The attributes that follow an identity to
prove out a legitimate claim are authentication, authorization, and
usually some form of accountability.
The downstream effect of proper identification includes accountability
with a protected audit trail and the ability to trace activities to individuals.
It also includes the provisioning of rights and privileges, system profiles,
and availability of system information, applications, and services.
Single/Multi-Factor Authentication
Authentication within a system involves presenting evidence that an identified
entity should be allowed access through a control point. Standard evidence
for being allowed to log into a system includes three primary factors:
l Something you know, such as a password or PIN
l Something you have, such as a token or smart card
l Something you are or do, such as biometrics or a fingerprint
Biometrics
Biometric devices rely on measurements of biological characteristics
of an individual, such as a fingerprint, hand geometry, voice, or iris
patterns. Biometric technology involves data that is unique to the
individual and is difficult to counterfeit. Selected individual
characteristics are stored in a device’s memory, or on a card, which
stores reference data that can be analyzed and compared with the
presented template. A one-to-many or a one-to-one comparison of
the presented template with the stored template can be made and
access granted if a match is found.
However, on the negative side, some biometric systems may
periodically fail to perform, or have a high rejection rate. The
sensitivity of readers makes system readers susceptible to
inadvertent reader damage or intentional sabotage. Some systems
may be perceived by the user as a safety or health risk. Also, some
of the systems may require a degree of skill on the part of the user
for proper operation. Other systems may be perceived as
unacceptable by management for a combination of reasons.
Biometric Readers
Biometric readers verify personal biological metrics of an individual. Biometric
readers may be used in addition to credential devices or a PIN code.
l Fingerprint: Fingerprint reader technology scans the loops, whorls,
and other characteristics of a fingerprint and compares it with
stored templates. When a match is found, access is granted. The
advantage of fingerprint technology is that it is easily understood.
The disadvantages are that the system can be disrupted if cuts or
sores appear on fingers, or if grease or other medium contaminates
the fingers and the scanning plates.
l Facial image: This technology measures the geometric
properties of the subject’s face relative to an archived image.
Specifically, the center of the subject’s eyes must be located and
placed at precise locations.
l Hand geometry: This technology assesses the hand’s geometry:
height, width, and distance between knuckle joints and finger
length. Advantages of hand geometry are that the systems are
durable and easily understood. The speed of hand recognition
tends to be more rapid than fingerprint recognition. Hand
recognition is reasonably accurate because the shape of a hand
is unique. A disadvantage is that hand recognition tends to give
higher false acceptance rates than fingerprint recognition.
l Voice recognition: Voice recognition compares the voice
characteristics of a given phrase to one held in a template. Voice
recognition is generally not performed as one function and is
typically part of a system where a valid PIN must be entered
before the voice analyzer is activated. Advantages of voice
recognition are that the technology is less expensive than other
biometric technologies, and it has hands-free operation. A
disadvantage is that the voice synthesizer must be placed in an
area where the voice is not disturbed by background sounds;
often a booth or security portal must be installed to house the
sensor to provide the system with a quiet background.
l Iris patterns: Iris recognition technology scans the surface of the
eye and compares the iris pattern with stored iris templates. An
advantage of iris recognition is that it is not susceptible to theft,
loss, or compromise, and irises are less susceptible to wear and
injury than many other parts of the body. Newer iris scanners
PPT Authorization
Session Management Authorization defines what resources users may have access to.
Explain the session
management process.
Session Management
PPT
Session management is related to when a user is authenticated, authorized,
and held accountable for using system resources. The system must
Registration and maintain an uninterrupted path of protection of resources by means of
Proofing of Identity
system management. Open Web Application Security Project (OWASP)
Relate the three levels Top 10 number 2 threat is broken authentication and session management.
of assurance for digital
identities.
RFC 2965 provides an example of how to maintain session managements
with cookies. When a user accesses a website, the user’s actions and
identity are tracked across various requests from that website. A state of
these interactions is maintained in a session cookie. Evidence of this state is
maintained by linking all new connections across the entirety of a session to
the cookie. Cookie handling achieves non-repudiation; effectively
leveraging an audit trail of session activity.
Notes
Module 4: Identity Management
Identity Management
Implementation Implementation
PPT
Module Objectives
Identity Management
Implementation
1. Differentiate the languages and protocols that are related to roles
and systems that support federation.
Introduce the
participants to the 2. Select the appropriate components for a federated environment
“Identity Management relevant to business requirements.
Implementation” module.
PPT
Module Objectives
Introduce the module
objectives.
On-Premise
On-premise organizations can use existing infrastructure that
manages identities through LDAP services like Windows Active
Directory to connect and login to a service provider that extends
their internal identities to authenticate to consume services that are
in the cloud. An example of extending internal services related to
ID management to integrate with cloud services would be an
enterprise Windows Active Directory connecting to Windows
Azure (public cloud) AD to consume services related to Office 365.
Office 365 represents a service that the enterprise is seeking to
consume as software as a service (SaaS) that would be facilitated
through linking an enterprise directory to a provider directory.
While the service is provided externally, the passwords and IDs
would be managed internal, thus on-premise.
Cloud
If the previous scenario is managed by creating and storing the
identities within an instance of Office 365 and Windows Active
Directory in Windows Azure, then the third-party service is
completely managed in the cloud.
Notes
Activity: Select the Appropriate Components for a
Identity Management
Implementation Federated Environment Linking Two or More Companies’
Discrete Resources
PPT As a team, reflect upon and discuss actual business needs within your
corporation. Each team should allow every participant to relate business
Activity [13 Min.]:
Select the Appropriate needs within each company. Instead of contributing to or jumping to a
Components for a conclusion on what solution there might be, each participant should ask
Federated Environment deeper questions of the presenter to uncover additional insights into the
Linking Two or More environment. Expose assumptions by asking “why” a thing is so or to give
Companies’ Discrete
Resources
an example of a statement shared. Create a business case for utilizing
either OAuth or SAML or both. What are actual business drivers? Also
Participate in group
select if it should be solved on-premise or in the cloud and why? Create
activity to support
separate companies in analogous connections between the roles in SAML and OAuth.
sharing resources by
selecting appropriate
tools.
PPT
Module Objectives
Introduce the module
objectives.
Notes
Module 6: Accountability
Accountability
PPT
Module Objectives
Introduce the module
objectives.
Accountability
Ultimately one of the drivers behind strong identification,
Notes
Accountability
5
authentication, auditing, and session management is accountability.
Fundamentally, accountability is being able to determine whom or
Notes
Module 7: Domain Review
Domain Review
PPT
Domain Summary
Participate in review of
key elements from the
domain on identity and
access management
(IAM).
7. How does system account review differ from user account review?
A. User account review is connected to systems, and system account
review is connected to users
B. User account and system account review are the same
C. User account review targets user IDs, and system account review
targets built-in administrative and other non-user ID accounts
D. None of the above
2. What actions specify enrolling and the opposite of enrolling user IDs
within an organization?
A. Identity creation and disposition
B. Disposition only
C. Creation only
D. Provisioning and deprovisioning
The correct answer is D. Identity creation is an activity that would be
included in provisioning, but the only correct answer is provisioning and
deprovisioning.
7. How does system account review differ from user account review?
A. User account review is connected to systems, and system account
review is connected to users
B. User account and system account review are the same
C. User account review targets user IDs, and system account
review targets built-in administrative and other non-user ID
accounts
D. None of the above
The correct answer is C. User account reviews are related to regular IDs,
and system account reviews are connected to administrator IDs and
non-user IDs. Answer A is the inverse of the correct answer. Answers B
and D are not true.
Notes 10. Your organization shares a customer base with another organization
that you partner with to provide a more complete solution. You
Domain Review will not be sharing the customer user IDs or passwords with your
partner, so how will your partner allow your customers to access their
resources in a secure fashion?
A. They will not allow it because it is not ethical
B. Your organizations will use OAuth
C. XML will solve the needs related to the requirements
D. Set up two servers and exchange information in a sanitized
fashion
The correct answer is B. Answers A and D are illogical, incorrect, and
don’t solve the requirements. XML is the underlying language used by
SAML and while SAML answers to the needs for federated security,
SAML wasn’t mentioned.
Notes
Notes
5
Notes
Course Agenda
Domain 1: Security and Risk Management
Notes
Security Assessment and
6
Testing
Overview
Security testing and assessment are activities that assist an
organization in managing risk, developing applications, managing
systems, and utilizing services. To be successful in mitigating risks,
organizations must develop competencies that align with business
needs related to assessing, validating, testing, and auditing systems
and applications that support business objectives and goals.
Domain Objectives
After completing this domain, the participant will be able to:
1. Name primary methods for designing and validating test
and audit strategies.
2. Choose appropriate strategy to design and validate test and
audit functions that support business requirements.
6 Domain Review
Notes
Module 1: Design and Validate Assessment,
Design and Validate
Assessment, Test, and Test, and Audit Strategies
Audit Strategies
PPT
Module Objectives
1. Name primary methods for designing and validating test and
Design and Validate
Assessment, Test, and audit strategies.
Audit Strategies 2. Choose appropriate strategy to design and validate test and
Introduce the participants audit functions that support business requirements.
to the “Design and
Validate Assessment, Test,
and Audit Strategies”
module.
PPT
Module Objectives
Introduce the module
objectives.
Introduction
The design, validation, testing, and auditing of security assessment
Notes
Design and Validate
6
contribute to determining the extent to which security controls are Assessment, Test, and
implemented correctly as defined by the organizational security policy.
Internal
In 2012, Carnegie Mellon University- Software Engineering (CMU-SEI)
published a seminal research paper on insider threats entitled, “Threat
Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Sector.”
Module 1: Design and Validate Assessment, Test, and Audit Strategies 469
Official (ISC)2 CISSP Training Guide
Notes The research was funded by the Department of Homeland Security (DHS),
Science and Technology Directorate (S&T) in collaboration with the U.S.
Design and Validate Secret Service (USSS). The empirical research done during 2005–2012
Assessment, Test, and
Audit Strategies
established that in 80 major cases of financial fraud, 67 were internal actors
(employees) and 13 were external (non-employees).
External
External testing is described by NIST SP 800-115 as “offering the ability to
view the environment’s security posture as it appears outside the security
perimeter—usually as seen from the Internet—with the goal of revealing
vulnerabilities that could be exploited by an external attacker.” External
tests are often done in a blind format where the assessors only have
information that is available to the public. The internal team or security staff
may be forewarned of the test, or the test could be rendered without notice
and therefore, be double-blind where the internal team doesn’t know about
the impending test.
If an organization’s security assessment and testing plans include both
internal and external testing (and a single entity will be performing both),
then the external test should be performed first to prevent information
leakage from the insider testing environment into the outsider testing
environment.
Development of external testing strategies can be driven by regulatory,
legal, or jurisdictional regimes. These strategies for the assessment may be
informed by or based upon any number of security frameworks.
Third-Party
Justification for utilizing third party assessment services may include
Notes
Design and Validate
6
meeting regulatory requirements, providing assurance to consumers Assessment, Test, and
of operational integrity, or supplementing organizational assessment
Module 1: Design and Validate Assessment, Test, and Audit Strategies 471
Official (ISC)2 CISSP Training Guide
Notes
Module 2: Security Control Testing
Security Control Testing
PPT
Module Objectives
Security Control 1. Describe how to maintain logs related to security control testing
Testing and prepare logging systems for relevant review and protection.
Introduce the participants 2. Classify the various security control testing techniques related to
to the “Security Control application development and delivery.
Testing” module.
3. Apply the appropriate security control testing techniques for use
internally and externally for an organizational system.
PPT
Module Objectives
Introduce the module
objectives.
Vulnerability Testing
ISO 27001:2013:2013 note that, “Penetration testing and vulnerability
Notes
Security Control Testing
6
assessments provide a snapshot of a system in a specific state at a
specific time. The snapshot is limited to those portions of the system
In the planning phase, the scope and objectives are defined, rules are
devised or identified, and management signs off on the finalized
documentation.
474 Domain 6: Security Assessment and Testing
Instructor Edition
Notes Covert security testing and black hat testing are synonymous terms.
Covert testing is performed to simulate the threats that are associated
Security Control Testing with external adversaries. While the security staff has no knowledge
of the covert test, the organization management is fully aware and
PPT consents to the test. A third-party organization may participate in
the test as a mitigation point for the security staff’s reaction and a
Penetration Testing
(continued) communication focal point between the assessors, management,
and the security staff. Covert testing will illuminate security staff
Define penetration
testing.
responsiveness. Typically, the most basic and fundamental exploits are
executed within predetermined boundaries and scope to reduce the
potential impact of system degradation or damage. Covert tests are
often carried out in a stealth fashion, “under the radar,” or “slow and
PPT
low” to simulate an adversary that is seeking to avoid detection. Covert
Log Reviews testing provides a comprehensive view of the behavior, posture, and
Describe how to maintain responsiveness of the security staff.
logs related to security
control testing and log
reviews.
Log Reviews
ISO 27001:2013 control 12.4.1 addresses event logging and states,
“Event logs recording user activities, exceptions, faults and information
security events should be produced, kept and regularly reviewed.”
Information that may be relevant to being recorded and reviewed
include (and is not limited to) user IDs, system activities, dates/times
of key events (e.g. log-on and log-off), device and location identity,
successful and rejected system and resource access attempts, system
configuration changes, and system protection activation and
deactivation events.
NIST SP 800-92 identifies log reviews as being a component of log
management. Log reviews are an imperative function not only related to
security assessment and testing but to identifying security incidents, policy
violations, fraudulent activities, and operational problems near to the time
of occurrence. Log reviews support audits, forensic analysis related to
internal and external investigations and provide support for organizational
security baselines. Review of historic audit logs can determine if a
vulnerability identified in a system has been previously exploited.
Listed below are some prominent regulations that drive the need for
diligent log reviews.
Gramm–Leach–Bliley Act (GLBA). Because a primary tenant of GLBA is
the requirement for financial institutions to protect customer information,
log review can be utilized to identify and rectify security violations.
Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA maintains specific security practices to protect health information
Log Security
ISO 27001:2013 control item 12.4.2 specifies that, “logging facilities
Notes
Security Control Testing
6
and log information should be protected against tampering and
unauthorized access.” Controls are implemented to protect against
Synthetic Transactions
Real User Monitoring (RUM)
Real user monitoring (RUM) is an approach to web monitoring
that aims to capture and analyze every transaction of every user of
a website or application. Also known as real-user measurement,
Types of Monitoring
l Website Monitoring: Website monitoring uses synthetic
transactions to perform HTTP requests to check availability
and to measure performance of a web page, website, or web
application.
Notes phases where code review and testing are considered, namely during
planning/design and development; and testing techniques and methods
Security Control Testing that are utilized for successful code review and testing.
Most successful attacks against IT applications do not attack core Relate the relevance of
code review and testing
security primitives such as cryptographic algorithms. Attackers listing the various types
much more often exploit bad programming, interface problems, and utility for each.
uncontrolled interconnections, or misconfigurations. From a high-
level perspective, (security) testing techniques are often classified
as follows:
l Black-box testing vs. white-box testing: In black-box
testing, the tested system is used as a black box, i.e., no
internal details of the system implementation are used. In
contrast, white-box testing takes the internal system details
(e.g., the source code) into account.
l Dynamic testing vs. static testing: Traditionally, testing is
understood as a dynamic testing, i.e., the system under test
is executed and its behavior is observed. In contrast, static
testing techniques analyze a system without executing the
system under test.
l Manual testing vs. automated testing: In manual testing,
the test scenario is guided by a human, while in automated
testing, the test scenario is executed by a specialized
application.
After code has been prepared and made ready for execution, the
following methods may be utilized for additional testing:
l Manual or automated penetration testing: Simulates an
attacker sending data to the application and observes its
behavior:
o Benefits: Identification of a wide range of vulnerabilities
in a deployed application
l Automated vulnerability scanners: Test an application for
the use of system components or configurations that are
known to be insecure. For this, predefined attack patterns
are executed as well as system fingerprints are analyzed:
o Benefits: Detection of well-known vulnerabilities, i.e.,
detection of outdated frameworks and misconfigurations
PPT
Code Review and
Testing (continued)
Test Coverage Analysis
The level of structural testing can be evaluated using metrics that are
Relate the relevance of
code review and testing designed to show what percentage of the software structure has
listing the various types been evaluated during structural testing. These metrics are typically
and utility for each. referred to as “coverage” and are a measure of completeness with
respect to test selection criteria. The amount of structural coverage
should be commensurate with the level of risk posed by the software.
Use of the term “coverage” usually means 100 percent coverage. For
example, if a testing program has achieved “statement coverage,” it
means that 100 percent of the statements in the software have been
executed at least once. What follows are examples of structural
coverage types:
l Statement coverage: This criterion requires sufficient test
cases for each program statement to be executed at least once;
however, its achievement is insufficient to provide confidence in a
software product’s behavior.
l Decision (branch) coverage: This criterion requires sufficient test
cases for each program decision or branch to be executed so that
each possible outcome occurs at least once. It is a minimum level
of coverage for most software products, but decision coverage
alone is insufficient for high-integrity applications.
l Condition coverage: This criterion requires sufficient test cases
for each condition in a program decision to take on all possible
outcomes at least once. It differs from multi-condition branch
coverage only when multiple conditions must be evaluated to
reach a decision.
l Multi-condition coverage: This criterion requires sufficient test
cases to exercise all possible combinations of conditions in a
program decision.
l Loop coverage: This criterion requires sufficient test cases for
all program loops to be executed for zero, one, two, and many
iterations covering initialization, typical running, and termination
(boundary) conditions.
l Path coverage: This criterion requires sufficient test cases for
each feasible path, basis path, etc., from start to exit of a defined
program segment, to be executed at least once. Because of the
Interface Testing
Interface testing involves the testing of the different components
of an application, e.g., software and hardware, in combination.
This kind of combination testing is done to ensure they are
working correctly and conforming to the requirements based on
which they were designed and developed. Interface testing is
different from integration testing in that interface testing is done
to check whether the different components of the application or
system being developed are in sync with each other. In technical
terms, interface testing helps determine that distinct functions,
such as data transfer between the different elements in
the system, are happening according to the way they were
designed to happen.
Interface testing is one of the most important software tests in
assuring the quality of software products. Interface testing is
External Interface
Regarding the external interface, testing can establish the following:
l Have all supported browsers been tested?
l Have all error conditions related to external interfaces been
tested when the external application is unavailable, or the server
is inaccessible?
Internal Interface
Regarding the internal interface, testing can answer the following:
l If the site uses plug-ins, can the site still be used without them?
l Can all linked documents be supported/opened on all platforms
(e.g., can Microsoft Word be opened on Solaris)?
l Are failures handled if there are errors during download?
Notes
Module 3: Security Process Data
Security Process Data
Account Management
Account management supports organizational and mission/
Notes
Security Process Data
6
business functions by:
Notes
Module 4: Test Output and
Test Output and Generate
Report Generate Report
PPT
Module Objectives
Test Output and
Generate Report
1. Recognize relevant procedures to protect sensitive information
when utilizing test data.
Introduce the participants
to the “Test Output
and Generate Report”
module.
PPT
Module Objectives
Introduce the module
objectives.
l Verifying that the access control procedures utilized in Review the guidelines for
protecting test data.
production procedures are used in testing procedures.
l Every time there is a need to use production data in testing
environments, there is an individual and separate request for
each use instance.
l Whenever the testing is completed, the sensitive information
should be completely erased.
l Logs should trace the copying of production data to testing
environments, and such logging should be used to form an
audit trail.
All test outputs from systems that house sensitive data should also
carry appropriate classification labels. Labels that are used to
classify test data should conform to the standard labeling
procedures that accompany production environments. Any
contractors that are working to support the testing efforts should
have proper awareness of the labeling procedures to apply to test
data. Due diligence should be maintained to limit the amount of
information contained in outputs.
Periodic reports should be generated from the test output data.
Reports that are generated from the test output process should be
reviewed with consistent frequency that is used in production
environments. Reviews should be done to illuminate errors,
process violations, and the leakage of sensitive information.
Notes
Module 5: Conduct or Facilitate
Conduct or Facilitate
Security Audits Security Audits
PPT
Module Objectives
Conduct or Facilitate
Security Audits
1. Define the process of a service provider audit.
Introduce the participants 2. Associate the appropriate use of an audit type based upon the
to the “Conduct or business support requirements.
Facilitate Security Audits”
module.
PPT
Module Objectives
Introduce the module
objectives.
Availability
l Availability policy
Notes
Conduct or Facilitate
6
l Backup and restoration Security Audits
Processing Integrity
l The processing integrity criteria can be used to provide
assurance regarding a wide range of system processing
beyond processing that would be relevant to users from
purely an ICOFR perspective, and where users cannot gain
such assurance through other means, such as monitoring
processes.
l System processing integrity policies.
l Completeness, accuracy, timeliness, and authorization of
inputs, system processing, and outputs.
l Information tracing from source to disposition
Privacy
The privacy criteria can be used to provide assurance regarding the
effectiveness of a privacy program’s controls. This can be a
complex area for organizations with multiple service offerings and
Notes geographically diverse users. Even more so than with the other criteria
areas, significant preparation is typically required before completing an
Conduct or Facilitate SOC 2 report, including the privacy principle:
Security Audits
l Management
l Notice
l Choice and consent
l Collection
l Use and retention
l Access
l Disclosure to third parties
l Quality
l Monitoring and enforcement
A cloud-based enterprise resource planning (ERP) service historically
would have provided an SAS 70 report because it provided a core
financial reporting service to users. It is likely that it would continue to
provide an SOC 1 report for that same reason. However, it may also
have a need to provide an SOC 2 or SOC 3 Security and Availability
report to address user assurance needs specific to cloud services.
Many data center colocation providers have historically completed SAS 70
examinations limited to physical and environmental security controls.
However, most data center providers host much more than just customers’
financial systems. As a result, leading providers are moving toward SOC 2
security reporting. Some service providers incorporate supporting
environmental security controls within their SOC 2 security report,
whereas others also address the availability criteria, depending on the
nature of their services.
For IT systems management, which can include general IT services
provided to a portfolio of users as well as customized services provided
to specific users, SOC 1 or SOC 2 reporting could be applicable,
depending on whether users’ assurance needs are more focused on
ICOFR or security/availability.
At the other end of the spectrum, there are services that are operational and
technology focused with very little, if any, direct connection to users’ ICOFR.
For example, these types of outsourced services are unlikely to be included
within a public company’s Sarbanes–Oxley (SOX) 404 scope. Users of these
services are typically most concerned about security of their data and
availability of these systems, which can be addressed by an SOC 2 or SOC 3
report covering security and availability. Where applicable, SOC 2/SOC 3
reports can cover confidentiality, processing integrity, and/or privacy as well.
Notes
Module 6: Domain Review
Domain Review
PPT
Domain Summary
Participate in review
of key elements from
the domain on security
assessment and testing.
Notes 3. What report would be most appropriate to answer the needs of the
potential client?
Domain Review
A. SOC 2 Type II
PPT B. SOC 2 Type I
Domain Review
Questions (continued)
C. SOC 1 Type II
Participate in review D. SOC 1 Type I
of key elements from
the domain on security
assessment and testing.
4. What report would be good for attracting additional clients yet
unknown to your business?
A. SOC 5 Type II
B. SOC 3
C. SOC 5 Type II New Client
D. SOC 5 Type I Existing Client
Notes 5. What is the difference between a Type I and a Type II SOC report?
Notes 10. What is the key difference between training and awareness?
Notes
Notes
6
Notes
Course Agenda
Domain 1: Security and Risk Management
Notes
Security Operations
7
Overview
Domain 7 deals with aspects of security the practitioner encounters
while servicing the organization’s operational environment. The
course material addresses foundational concepts, asset protection,
incident management and response, business continuity and disaster
recovery (BCDR), and personnel security.
Domain Objectives
After completing this domain, the participant will be able to:
1. Describe the characteristics of fundamental information
security practices, such as need-to-know, job rotation,
separation of duties, and least privilege.
2. Differentiate between methods used to secure privileged
accounts and regular user accounts.
3. Describe the facets of each phase of the information
lifecycle, in order.
5 Incident Management
7 Investigations
9 Recovery Strategies
14 Domain Review
Separation of Duties
Separation of duties: As a means to attenuate possibilities for
corruption and theft, the organization can craft an environment where
no individual person can complete an entire trusted action. The classic
example is bifurcated purchasing: the purchasing manager must sign
the purchase order but cannot issue a check; the accountant can issue
the check but only with a purchase order signed by a manager. As with
l More advanced access control than regular user Explain how privileged
account holders pose
accounts. Password complexity requirements should be a greater risk to the
higher for privileged accounts than regular accounts, and environment, and the
refresh rates should be more frequent (if regular users are ways we try to attenuate
required, for instance, to change passwords every 90 days, this risk.
privileged account holders might have to change them
every 30). Privileged account access might also entail
multifactor authentication, or other measures more stringent
than regular log-on tasks.
l Temporary access. Privileged accounts should necessarily be
limited in duration; privileged users should only have access
to systems/data for which they have clear need-to-know and
only for the duration of the project/task for which that access
is necessary.
l Deeper trust verification than regular users. Privileged
account holders should be subject to more detailed
background checks, stricter nondisclosure agreements,
and acceptable use policies and be willing to be subject to
financial investigation.
l Greater audit of privileged accounts. Privileged account
activity should be monitored and audited at a greater rate
and extent than regular usage.
Information Lifecycle
Data enters the organization, is utilized, and eventually (should be)
destroyed. Conceptually, this progression is known as the “data
lifecycle.” There are many ways to portray this evolution, but the
version in Figure 7.1 is preferred by (ISC)2.
CR E A T E
Y
ST
O
TR
OR
DE S
E
E IV
US
CH
E
AR
SHAR E
l Network management
Notes
l Data management
Foundational Security
Operations Concepts l Data center management
l Physical security
PPT l Hardware maintenance
Service-Level l Help desk
Agreements (SLAs)
(continued) The SLA details specific performance metrics for the given service. For
Explain what an SLA is, instance, the SLA for a managed help desk service might include the
how it differs from the following stipulations:
rest of the contract, how
it is enforced, and review l Every basic user request receives a response within 1 hour and
an example.
is resolved to the user’s satisfaction within 24 hours (“basic user
request” to be defined as any of the following tasks: password
reset, hardware replacement, installation of approved software, or
account lockout reset)
l Help desk available via email and/or telephone, 24/7 during the
workweek; between the hours of 7:00 a.m. and 9:00 p.m. on
weekends
and so forth.
The enforcement mechanism of the SLA is usually a financial penalty/reward
mandated by the contract. Typically, if the provider successfully meets the
requirements of the SLA during a certain period (a week, a month, three
months, whatever), the customer must pay the agreed amount for that
period. However, if during a given period the provider does not successfully
meet the terms of the SLA, the customer is not required to pay the full
amount of the service price, as stipulated in the contract. This incentivizes
the provider to meet the SLA terms and offsets costs incurred by the
customer if the task is not performed satisfactorily.
For more discussion of the SLA, refer to Domain 1 of this course.
Configuration Management
To properly enact an asset management process, many organizations
Notes
Securely Provisioning
7
enact a configuration management/change management program, Resources
especially for IT assets. (Under some schema, such as ISO certified
Notes The CMB should be responsible for annotating and updating the asset
inventory to reflect the current environment accurately.
Securely Provisioning
Resources All organizational stakeholders should be represented in the CMB
so that sufficient information exists regarding potential ripple
effects that could result from a suggested change, including new
PPT
or enhanced risk(s). Typical composition of the CMB includes
Configuration representatives from various departments/groups/offices in the
Management and
Change Management organization, such as:
(3 slides) (continued)
l IT department (which may have several representatives, reflecting
Explain the purpose, the many functions of IT in modifying the environment, such as
process, and composition
of the CMB. Review some
network and system administrators and Help Desk)
best practices for security l Senior management
practitioners involved in
the CMB. l Security office
l User community
l General counsel
l Accounting/finance
l Human resources (in some cases)
PPT
Module Objectives
Introduce the module
objectives.
l Administrative:
o In conjunction with one or both of the other types of
Notes
Resource Protection
7
controls (physical, technical), policy and procedures can Techniques
be crafted to restrict access to and control of media.
PPT
Module Objectives
Introduce the module
objectives.
Notes There are many ways to implement a security program that includes
proactive security measures; the candidate should be familiar with the
Detective and Preventative following common methods and tools.
Measures
PPT
Third-Party Provided
Third-Party Provided Security Services
Security Services As mentioned throughout the course, organizations can avail themselves
(2 slides) of services offered by external entities to enhance security. This is
Review common security especially true for organizations for which security is not a core
services offered by third- competency. For instance, an agricultural retail business might not
party providers. have the expertise and tools to create a comprehensive and thorough
security program; the core competency of that business is to sell
agricultural goods, not to secure data.
There are a variety of security services currently offered by professional
providers, including the following:
l Threat intelligence: The provider may perform open-source
monitoring or conduct their own investigative efforts to
determine what threats pose a risk to their clientele. This can
include general threats to clients in a certain region or industry,
or using certain products, or it can include threats against specific
clients based on their operations or personnel.
l Network monitoring: Because detecting network attacks can
require a significant degree of analysis and expertise, not all
organizations are in the position to monitor their own environment.
Network monitoring as a managed service can be performed
remotely from the provider’s location, or on-site at the client’s facility.
l Physical security: Many organizations hire guard services
from an external provider as opposed to bringing on guards
as employees. This obviates the additional personnel burden
(benefits, administrative costs, etc.), costs associated with training
and managing those personnel, and with creating and running a
program that might not be a core competency of the organization.
l Network management: While not strictly a security service,
managed network providers are often tasked with many of the
security functions associated with IT administration such as
enforcing network usage policy, monitoring, patch management,
asset inventory, and so forth. Modern managed network services
include cloud computing hosting, discussed in-depth in Domain 3.
l Audit: Again, not strictly a security service, external audits
can address security needs such as verification and validation,
vulnerability scanning, certification of compliance, configuration
maintenance, and the like.
Notes Sandboxing
To determine whether a particular component (hardware or software)
Detective and Preventative
Measures will operate safely and securely in a particular environment, it is
preferable to test it under conditions that simulate that environment but
will not affect other components. We often refer to this type of isolated
PPT test environment as a sandbox (or use the verb form to describe the
Sandboxing activity: sandboxing).
Explain the concepts of
hardware and software
Two general approaches for sandboxing depend on the respective
sandboxing. component, hardware or software:
l Hardware sandboxing: A test environment is created that mimics
the production environment such that the test environment
PPT contains representative samples of all the devices (and appropriate
Honeypots/Honeynets installed software) that the production environment contains.
Discuss the purpose, Obviously, this does not need to a be one-to-one ratio (else the
placement, and size of the test environment would be the size of the production
challenges involved with environment, which would be ridiculously cumbersome and
honeypots/honeynets. expensive), but every box on the production network should
at least be represented in the test bed. The test environment
should have no physical connection to the production environment
(known as air gapping), and preferably no logical/wireless
connection, as well, so that defects or malware infections that
affect the test environment do not contaminate the production
environment.
l Software sandboxing: Processes are run in such a way so as not
to affect the underlying components (the operating system (OS)
or hardware), or other applications running on the same system/
environment. This can be accomplished through a variety of
methods and mechanisms. Some programming environments, such
as Java, only allow content/applets to run in necessarily limited
conditions, with severe restrictions, and have security tools built
into the environment that ensure these conditions are met. Another
form of software sandboxing involves the use of virtualization; a fully
functional device (hardware with installed software) is simulated in
software fully contained on a host machine—programs run in the
virtualized (simulated) machine cannot leave that constricted space
and affect the underlying host, other applications on the host, or
other virtualized machines on the host.
Honeypots/Honeynets
Another method for protecting the environment involves the use of
honeypots: machines that exist on the network but do not contain sensitive
or valuable data (a number of machines of this kind, linked together as a
Anti-Malware
The threat of malware is pervasive and persistent, and the means
of introducing malware into the environment remain as long as the
environment has any contact with the outside world. Therefore,
a realistic defense in depth strategy should also involve the use
of anti-malware solutions. These can take the form of either
hardware and software implementations and combinations of both.
PPT
Module Objectives
Introduce the module
objectives.
Perhaps one of the most prolific and useful sources of incident detection
is the user community; users often realize when their device/application
has been modified in some way, even if that change is subtle. Sometimes,
this includes Help Desk involvement; the user reports a problem to Help
Response
After the possible incident has been discovered and the proper
entities notified, the initial response commences. This step involves
determining whether the reported activity is truly an incident, is
underway, or has occurred. This portion of the management
process can also serve as a form of triage, where the incident (if it
is decided one exists) can be categorized so as to guide the
subsequent phases of the process.
This step should involve security practitioners trained and
knowledgeable in incident identification and management;
someone with experience in incident handling needs to review the
situation and, if necessary, formally declare an incident and activate
the incident response team. This does not mean, however, that
only one person should be involved in making this determination;
the security practitioner tasked with this portion of the process
should make use of any assets required to make an accurate
determination. Sources that can aid in this determination might
include other security team members (such as log or forensics
analysts), additional personnel from other departments (such as
networking and systems administrators/architects), devices (such as
the detection equipment/tools listed in the discussion of the
Notes previous phase), and data (including possibly event logs or video feeds,
depending on the nature of the supposed incident).
Incident Management
Mitigation
PPT
The initial mitigation effort depends on many factors, including the nature
Response (continued)
and breadth of the incident, the organization’s risk appetite and critical
Discuss the particular business needs, and any policy or regulatory drivers. This phase includes
elements and issues the immediate action taken upon determining an incident has occurred/is
associated with this
phase of the incident
occurring, but it will not be the final effort in addressing the incident.
management process.
The main variables affecting how an incident is initially addressed are
the following:
PPT l Time
Mitigation l Risk
Discuss the particular l Impact
elements and issues
associated with this For every organization, these factors will have different priorities. For
phase of the incident example, one organization might prioritize risk reduction; when an
management process.
incident is discovered, the immediate response may be to disconnect
the affected machines (and machines suspected of being affected) from
the environment so as to minimize risk, even though this may cause
additional impact (the loss of the machines from the environment affects
the availability aspect of the confidentiality/integrity/availability (CIA)
Triad). However, another organization might consider uptime paramount;
when an incident is discovered, that organization’s immediate reaction is
to track and document the incident impact without taking any action
that might reduce functionality—this incurs a greater risk (the incident
continues, and might spread) and potential increase in future impact,
but it allows the organization to maintain the greatest level of availability
at the risk of more impact to confidentiality and integrity.
The desired end state will also have some bearing on how activity is
conducted at this phase. In some organizations, eventual legal action
(prosecution or litigation) is the desired end state; in those cases, the
organization wants to gather as much information about the cause of
the incident, and anyone responsible for the incident, as possible,
which may mean leaving the environment at risk while information is
gathered. In other organizations, the desired end state might be
maximal containment, so the initial action at this phase might include
incurring significant impact to the operational environment, losing the
opportunity to gather incident data, but minimizing the potential for
additional losses from the incident.
Depending on the organization and the type of incident, this phase might
take place concurrently with the previous (response) phase. Typically, any
Notes especially important; when reviewed later, the options the team
presented to senior management need to be explained clearly, as does
Incident Management the senior manager’s decision and the rationale for that decision.
PPT Recovery
Reporting (continued)
Once the senior manager has decided how the incident will be
Discuss the particular addressed, the incident management team can proceed to return the
elements and issues environment to normal operations, taking into account any special activity
associated with this
phase of the incident
that must be performed to contain/obviate the effects of the incident.
management process.
This phase often entails appreciable expense because the various incident
management team members expend time and resources to perform the
required actions, and other personnel in the organization may have to take
PPT part in this activity as well (or, instead, may be affected by the recovery
Recovery activity, such that it interrupts normal productivity). All efforts made by
Discuss the particular personnel in this phase, and any interruption to personnel productivity,
elements and issues need to be documented and assessed financially as this will be included in
associated with this the overall impact cost of the incident (which may be reportable to
phase of the incident
stakeholders, or used in attempts to recover damages in legal efforts later).
management process.
In this phase, the team will take part in addressing the incident itself. For
instance, this might include patching systems to remove the vulnerability
PPT that allowed an incident to occur, or removing malware from infected
Remediation systems, or involving law enforcement to deal with criminal activity.
Discuss the particular
elements and issues Remediation
associated with this
phase of the incident After a return to normal operations, the root cause of the incident
management process. should be addressed: what was it that allowed the incident to take
place, as an underlying problem.
For instance, if the incident was caused by malware infection, and
recovery actions removed the malware, the remediation/root cause
assessment may try to determine how the malware was introduced into
the environment in the first place: did the organization’s anti-malware
solution not detect the infection? If so, why not? Was there a failure to
update the signature base of the malware solution? If so, why? Was
there no signature definition available? If not, why not? Was this a zero-
day exploit unknown by any other malware vendors, or researchers, or
government advisory entities? Was the malware introduced by an
authorized user? Accidentally or maliciously? Was the malware not
scanned at the time it was introduced to the environment?
And so on. Typically, the practice of root cause remediation entails
asking “why?” until there are no more valid questions to ask, and the
root cause has been determined.
Notes
Module 6: Requirements for
Requirements for
Investigation Types Investigation Types
PPT
Module Objectives
Requirements for
Investigation Types 1. Describe the characteristics commonly associated with
various types of investigations (administrative, civil, criminal,
Introduce the participants
to the “Requirements
and regulatory), and demonstrate familiarity with popular
for Investigation Types” investigatory standards.
module.
PPT
Module Objectives
Introduce the module
objectives.
PPT
Criminal
Requirements for
When a crime is committed (as in the preceding example), the organization
Investigation Types is usually required to notify the applicable law enforcement entity and allow
(continued) that entity to conduct the investigation. This may not be true in all cases:
Introduce and explain some crimes, particularly where the only victim is the organization itself,
the different possible may not require law enforcement involvement if the victimized party
types of incident chooses to handle the matter in a nonjudicial manner. However, making this
investigations, and the determination can be difficult and risky, and the organization should consult
requirements associated
with each.
with legal counsel before making this decision.
When law enforcement conducts the investigation, the organization may
or may not be involved in the process; this is the option of the law
enforcement body. In many jurisdictions, law enforcement may request
the organization to voluntarily collect or disclose information about the
situation to further the investigation and build a case. Typically, the
organization may opt to participate or not participate in an investigation
when informally requested to do so. However, if the law enforcement
entity acquires a warrant or subpoena, which are governmental/judicial
orders to disclose information, then the organization must comply with
the request to the fullest extent required. Any interference or negligence
on the part of the organization in fulfilling mandated requests may
actually constitute additional crimes: obstruction of justice, contempt of
court, interfering with an investigation, and so forth.
Conversely, a law enforcement entity conducting a criminal investigation
may be severely limited as to which information can be collected and
considered and the methods for acquiring that information. Many
jurisdictions have laws constraining law enforcement methodology and
reach. The organization’s cooperation can often reveal more information
than the law enforcement entity would be able to acquire without that
cooperation.
Once a criminal investigation has begun, the organization’s own policies
and procedures are superseded, and the organization’s investigative efforts
must comply and not interfere with the law enforcement investigation.
Civil
Unlike criminal proceedings, a civil dispute involves a court but not a
prosecutor. An investigation with the intended purpose of a lawsuit
should involve the same degree of documentation and adherence to
detail as a criminal investigation, because the organization will not be
Regulatory
Some investigations will be done by or on the behalf of regulatory
bodies. When an organization is involved in regulated activity, that
activity necessarily is subject to investigation by the pertinent
regulator(s).
Regulators may conduct their own investigations, require the target
organization to acquire and present information to the regulator, or
engage a third party to perform the investigation.
Notes In many jurisdictions, regulatory investigation has the force of law, so it will
have similar processes to criminal investigations but require a much lower
Requirements for threshold of access (regulators typically do not need warrants, court
Investigation Types
orders, or subpoenas to gather evidence) and a much lower burden of
evidence to make findings (in some jurisdictions, such as the United
PPT States, many regulators make their own laws, perform their own
Requirements for investigations, have their own prosecutors, and hearings are held by the
Investigation Types regulators’ own courts and judges).
(continued)
Introduce and explain
the different possible
Industry Standards
types of incident There are many industry standards for investigations of all sorts, including
investigations, and the IT security and data investigations; applicable standards for a given
requirements associated
with each.
organization depend on a host of variables, such as geographic region/
jurisdiction, the nature of the data in question, the business of the
organization, and so forth. The following is a sample list of standards from
around the world; this list is in no way comprehensive or definitive, and
the candidate will not be required to memorize these standards for
certification purposes. However, many of these standards include
common principles and methods of execution, so the candidate is
encouraged to review them for insight into professional investigation
approaches and expectations.
ASIS/ANSI Investigations Standard INV.1-2015 (executive summary):
https://www.asisonline.org/Standards-Guidelines/Standards/published/
Documents/INV_ExecSummary.pdf
Council of the Inspectors General on Integrity and Efficiency,
“Quality Standards for Investigations”:
https://www.ignet.gov/sites/default/files/files/invstds2011.pdf
American Bar Association, “Standards on Prosecutorial Investigations”:
https://www.americanbar.org/publications/criminal_justice_section_
archive/crimjust_standards_pinvestigate.html
Australian Government Investigations Standards 2011:
https://www.ag.gov.au/RightsAndProtections/FOI/Documents/AGIS%20
2011.pdf
ISO 27043, Information technology—Security techniques—
Incident investigation principles and processes [requires payment]:
https://www.iso.org/standard/44407.html
PPT
l Data that may have been compromised.
Evidence Collection l Systems (hardware, software, and media) that may have been
and Handling (2 slides) compromised.
Explain possible sources l Data about the incident (all monitoring data from assets
of evidence that may be reviewing the data/systems that may have been compromised).
gathered for investigatory
purposes. Discuss the l Information from people with knowledge of the incident.
crucial elements of l Information about the incident scene. With an IT-based incident,
evidence management
the practitioner should the incident scene can actually involve many geophysical
understand; this may take locations and jurisdictions, including the site where the
a significant amount of compromised systems/data resides, the location of the intruder
time and detail to explain. (if unauthorized intrusion was an element of the incident), and any
locations between the compromised systems and the intruder
where resources were used to aid the intruder.
l There are many sources and forms of evidence, and it all needs to
be collected, tracked, and maintained carefully. These are some
common practices for handling evidence the security professional
should be aware of:
l Maintain a chain of custody. Evidence needs to be handled and
maintained in a secure fashion, from the time it is collected until
it is presented (usually, to a court). The chain of custody entails
maintaining a record of where and when the evidence was
collected, what form it is (physical, data, etc.), where and how it
is stored between time of collection and presentation, and who
had access to it at all times during that interval. It is imperative
that the chain of custody be strictly maintained because any
violation of the chain of custody introduces doubt into the
sanctity of evidence that can harm the legal case the evidence
is meant to support.
l Make copies of all original data/system states. Backups are vital
and should be made at the bit level and without changing the
data/state of the original whenever possible.
l Analysis should be performed on copies, not original systems/
data, whenever possible.
l A named individual should be appointed as evidence
custodian; this person will maintain the chain of custody and
oversee the disposition of all relevant evidence until the
matter is resolved.
Notes and come to the conclusions you are presenting to the court. This does
not detract from your case and indeed supports it.
Investigations
The security professional should bear in mind that the audience (judge
or jury or both) will not be IT security experts, and the presentation of
PPT
the material should avoid technical jargon and complex concepts;
Reporting and everything should be explained without any assumptions about the
Documentation (2 slides) audience’s understanding of basics.
(continued)
Explain how evidence will In all matters involving presentation of evidence, the security
be used/presented, to practitioner should defer to legal counsel; attorneys have much more
whom, and what qualities expertise and familiarity with testimony and the courts.
that evidence should
have.
Investigative Techniques
PPT
There are many ways to conduct an investigation and gather evidence.
Investigative Techniques
The following is a basic, noncomprehensive list of common evidence-
Discuss some of the gathering techniques and some of the benefits and challenges
methods and tools associated with them.
currently used to gather
evidence, and the issues l Automated capture: The organization’s monitoring activity can
associated with each.
be used for collecting and analyzing incident data in addition
to the goals of detection and performance optimization; this is
especially true if the organization has a continuous monitoring
program in place. Normal logging can be copied and harvested
for evidentiary purposes.
l Interviews: You can solicit information from the people involved
with or who have insight into an incident. However, for all
organizations other than law enforcement entities, this can pose
some legal challenges in many jurisdictions. Some aspects that
should be considered when conducting interviews of personnel:
o Record when possible. In some jurisdictions, recording
interviews can be problematic; check your local applicable
laws. Be sure to notify the interview subject that the
conversation is being recorded (record the notification).
o Conduct multiparty interviews. Never have a sole interviewer
talk to the subject.
o Ensure preservation of the subject’s rights. Comply with all
applicable laws regarding interviews. Make sure the subject
is aware that they do not have to partake in the interview
(even when the choice to refuse an interview will result in
termination of employment). If required by law or contract,
allow the subject to bring an attorney or union representative
to the interview.
PPT
Case
Review the case study.
Notes have also been trained for on the scene collection to know whether they
need to properly shut down, to not shut down, or to contact a member of
Investigations the team on all located devices, which will ensure the analyst will be able
to recover all volatile data.
Analysis/Reporting
Once the forensic evidence files have been created, they are
immediately backed up to a centralized data server for preservation.
From the analyst’s local forensic workstation, they will utilize the
information from the investigator, to determine the best course of action
for the examination. The DFU has a wide variety of software suites
and resources available to them. It is important to have multiple
pieces of software and hardware platforms available to avoid
Notes
Investigations
7
focusing on one vendor. This also provides one of the most critical
Notes
Module 8: Logging and Monitoring
Logging and Monitoring
Activities Activities
PPT
Module Objectives
Logging and Monitoring
Activities 1. Name the characteristics and purpose of intrusion detection
systems/intrusion prevention systems (IDS/IPS).
Introduce the participants
to the “Logging and 2. Describe the purpose and challenges associated with the
Monitoring Activities” employment of a security information and event management
module. (SIEM) system.
3. Describe, in detail, the purpose of continuous monitoring
practices and the tools currently in common use for achieving
PPT
that purpose, specifically data loss protection (DLP).
Module Objectives
Introduce the module
objectives.
Logging and Monitoring l Deviation: The IDS/IPS can learn a standard activity baseline
Activities normal to the organization; deviations from this baseline of
expected behavior are deemed suspect.
PPT l Signature: The IDS/IPS can recognize known attack patterns in
Intrusion Detection and
traffic and activity.
Prevention (continued) l Heuristic: Machine-learning algorithms in the IDS/IPS can acquire
Review IDS/IPS more information about the environment as the tools operates,
placement, function, and beyond a simple baseline. This is an advanced form of deviation
cost/benefit tradeoff. analysis.
It is important to note the tradeoffs associated with IDS/IPS systems,
as well:
l Maintenance: Regardless of how the IDS/IPS solution detects
attacks, the system will need regular maintenance. Signature-
based systems will need routine updates to ensure the latest
signatures are installed; systems that work from a baseline will
need to be updated as necessary to reflect any modifications to
the baseline.
l Overhead: As with all security measures, IDS/IPS deployment
will have an impact on productivity/capacity/performance.
The organization may decide to limit installation/deployment
of IDS/IPS solutions on those systems/networks that contain
high-value assets.
l False positives: Every detection/response made by an IDS/
IPS will also entail an impact to productivity/performance,
either in terms of loss of functionality (in the cases where the
security solution prevents an authorized transaction from taking
place) or in time and effort undertaken by the response team
to address a detected/suspected attack. In some instances,
the security tool will be responding to a legitimate transaction
instead of an actual attack; a “false positive” response. The cost
associated with each response (including false positives) must
be weighed against the potential benefit (reduced risk/impact
of actual attacks).
NOTE: IDS/IPS solutions, like all tools that need to “learn” the typical
activity/behavior in your environment, will not work perfectly right out of
the box; there will be a time period during which the tool will have to
become familiar with the expected norms. During that time, you can
expect a significantly greater number of false positive alerts.
NOTE: While intrusion detection and prevention are typically intended
to obviate attacks on the confidentiality aspect of the CIA Triad, many
Ingress Monitoring
Ingress monitoring refers to surveillance and assessment of all inbound
communications traffic and access attempts. Devices and tools that
offer logging and alerting opportunities for ingress monitoring include
the following:
l Firewalls
l Gateways
l Remote authentication servers
l IDS/IPS tools
l SIEM solutions
l Anti-malware solutions
As with all security tools, solutions used for ingress monitoring must
be maintained, patched, and updated as necessary for signature
libraries and configuration changes. Also, the overhead cost in terms
of both maintenance of these tools and impact to productivity must
be considered.
Egress Monitoring
Egress monitoring is used to regulate data leaving the organization’s IT
environment. The term currently used in conjunction with this effort is
Notes
Logging and Monitoring
7
Activities
“DLP”; a marketing descriptor without standard definition, it is often
Notes The overall data protection effort needed to support DLP includes
the following:
Logging and Monitoring
Activities l Data discovery/classification/categorization: To know what
to protect, the organization needs to know what it owns; the
candidate should recall this point from the earlier discussion of
PPT
asset inventories. DLP tools are often equipped with discovery
Continuous Monitoring tools to aid in initial data recognition, and they can be also used
(continued)
to categorize/classify the organization’s data assets.
Discuss the purpose and
tools used in continuous l Monitoring: The DLP solution should be deployed such that it
monitoring; give can inspect all forms of data leaving the organization, including
particular attention to
o Email (content and attachments)
DLP solutions, how they
function, and challenges o Copy to portable media
associated with their use.
o File Transfer Protocol (FTP)
o Posting to web pages/sites
o Application/application programming interface (API)
l Enforcement: The DLP enforcement settings should reflect the
ideal response suited to the organization’s risk/benefit appetite
and level of scrutiny. Examples of different organizational intent
for DLP might include the following:
o Training. The DLP tool might identify a user’s attempt to
distribute sensitive information and merely remind the user of
the organization’s policy and the sensitivity of the material the
user is distributing.
o Attribution/assigning responsibility. The DLP tool might
ask for the user to confirm intent to distribute sensitive
information; the confirmation acts as the user’s indication of
accepting responsibility for distributing that information.
o Stringency/prevention. The DLP tool might halt the transaction
upon identifying sensitive information, lock the user’s account,
and inform management/security of the attempt.
DLP tools can serve many functions, depending on how they are deployed
and what settings the organization applies. These functions can include
the following:
l Compliance
l Security
l Training/awareness
l Due diligence
l Asset management
PPT
Backup Storage Strategies
Backup Storage
Strategies Accurate and comprehensive backups are instrumental to facilitating
BCDR efforts; this is an essential aspect of the availability facet of the
Review the various
backup storage strategies CIA Triad. Some backup concepts the candidate should be familiar with:
and methods.
l Onsite/offsite: There is a risk/benefit tradeoff to deciding the
location of the organization’s backups.
o Onsite: The organization has full control (and responsibility)
of the stored data. Cost may be proportionally higher for
the organization, depending on the organization’s core
competencies and type of business. (Example: a small or
midsize organization might not have the data center capacity
and skillset internally to support thorough secure backups.)
o Offsite: The data is exposed to additional risk while it is
moved from the organization’s environment to the external
environment (in transit). The organization loses some control
of the security governance and controls used to store the
data. Cost may be lower or higher than the onsite option,
depending on the nature of the organization and the options
offered by the provider. A provider with the sole focus on
secure data storage may be able to scale services such that
secure storage is much more affordable for its clientele,
where the same service would be cost-prohibitive for each
individual client.
l Full/differential/incremental: The amount of data backed up at
any given time can vary between organizations because of one
factor: time. It takes time to back up large volumes of data, and
this time can have an impact on operations/productivity (and
a related cost). Organizations try to limit the negative impact
by scheduling backups in an optimum way to capture the best
representation of the current state of the environment with the
most acceptable amount of interruption. There are three general
approaches to making a backup:
o Full: All data in the environment is copied. The most expensive
and time-consuming option, and the one that provides the
most thorough depiction of the environment.
o Differential: All data in the environment that has changed
since the last full backup is copied. Not as time-consuming as a
full backup.
Instructions
Notes
As a group, work through the following thought problems. You have
Recovery Strategies
10 minutes.
a. If Alice opts to do differential backups during the week, which
PPT
data would be captured on Wednesday night?
Activity: How Many
Versions? (3 slides) b. If Alice opts to do incremental backups during the week, which
(continued) data would be captured on Thursday night?
Introduce and moderate c. If Alice opts to do differential backups during the week, and the
the Activity. backup copy made Tuesday night is corrupt, which data would
be lost?
PPT Answers:
Recovery Site Strategies a. All data created/modified during the workdays of Monday,
Review the various Tuesday, and Wednesday.
alternatives for recovery
sites.
b. All data created/modified during the workday Thursday.
c. All data created/modified during the workdays Monday and
Tuesday.
Notes if a single drive fails. This can be costly but also serves as a
backup for the production data.
Recovery Strategies
o RAID 2: A legacy technique not currently in wide use.
o RAID 3 and 4: Data is striped across multiple drives, and
PPT
a distinct drive is used to store parity information. RAID 3
System Resilience, High stripes data at the byte level; RAID 4 at the block level. These
Availability, Quality of RAID configurations may not be optimum for organizations
Service (QoS), and Fault
Tolerance (continued) seeking high availability environments, as the parity drive in
each represents a potential single point of failure.
Discuss the various
topics related to ensuring o RAID 5: Both the data and the parity bits are striped across
availability of the multiple disks; provides high availability.
environment; include
full discussion of UPS/ o RAID 6: Uses data striping and two sets of parity bits striped
generators and RAID across multiple disks; two drives can fail and the data can still
options. be recovered.
o RAID 0+1: Combines techniques of RAID 0 and RAID 1; data
is striped across multiple disks (RAID 0), then mirrored to a
duplicate set of disks (RAID 1).
o RAID 1+0: (often referred to as “RAID 10”). Again,
combines techniques of RAID 0 and RAID 1; however, with
RAID 10, data is striped across two sets of duplicate disks
simultaneously. RAID 10 is considered preferable to RAID 0+1.
o RAID 15 and 51: Uses techniques from RAID 1 and RAID 5
to utilize both striping of parity bits and mirroring of all the
drives (including both the data and parity information). These
techniques are not in wide use outside of highly sensitive
environments because the impact to productivity and cost
are significant.
l Centralized data storage: If operational data is stored on
various user devices (production endpoints), it is susceptible
to loss (and harder to archive) if a particular user device fails.
Organizations often obviate this risk by using a centralized
data storage system where user data is consolidated, making
it easier to archive and protect. The tradeoff, of course, is that
centralization may cause a single point of failure (and a single
target for attackers) if not protected properly. Data storage
centralization requires planning for redundancy and secure
backup practices. Two common methods for data storage
centralization are storage area networks (SANs) and network-
attached storage (NAS).
o Storage area networks (SANs): A network of storage
devices/arrays provide volume storage to servers that present
the data to users. Usually, SANs rely on protocols designed
Notes
Module 10: Disaster Recovery
Disaster Recovery Processes
Processes
PPT
Disaster Recovery Module Objectives
Processes
1. Describe, in detail, the essential elements of the business continuity
Introduce the participants and disaster recovery (BCDR) process, including response actions,
to the “Disaster Recovery
the personnel involved, communications strategies, the practice and
Processes” module.
risks associated with assessment and recovery, and proper training
and awareness for BCDR purposes.
PPT
Module Objectives
Introduce the module
objectives.
Every organization will tailor its BCDR methods to best suit its own
needs. This module includes discussion of fundamental principles
that might be used to craft a typical BCDR process.
Notes
Disaster Recovery Processes
7
Personnel
In addition to the member(s) of senior management authorized to
initiate the BCDR response action, the response plan should
specifically task personnel who will be involved in the process. This
includes the following:
l Critical path personnel: This group includes the essential
personnel necessary to continue the organization’s operational
Module 10: Disaster Recovery Processes 587
Official (ISC)2 CISSP Training Guide
Notes functions during the contingency event. While these people may not
be involved in handling the response action (instead, they will have
Disaster Recovery Processes production tasks to perform), they should receive proper training
for their roles during the response activity, such as how to reach the
PPT alternate operating site (if appropriate), how to access archived data,
how to log transactions during the contingency, etc.
Personnel (continued)
l Responders: Those personnel involved in managing the
Discuss the specification
of personnel to perform response process. This typically includes representatives from the
DR tasks. following groups:
o IT: Administrators, architects, and technicians are usually
essential in handling contingency situations.
o Security: Security practitioners often have specific insight and
experience that is crucial to dealing with contingencies.
o Legal: General counsel provides proper guidance to ensure
the organization’s regulatory and due diligence requirements
are met, and in collecting and preserving evidence for criminal
and civil cases that might arise from the contingency.
o Human resources (HR): The HR representative often has
access to privacy data related to all employees, for purposes
of contacting either the employees themselves or family
members, if necessary.
o Finance/accounting: Someone with insight into tracking costs
and expenditures will need to account for establishing the
overall cost of the response action after it has been completed;
also, an accountant may have to participate in making the
appropriate financial transactions during the event.
o Public relations/communications: A team member
with experience and knowledge of handling external
communications will be necessary, in order to ensure the
organization has a uniform voice in describing the situation
as it unfolds. See the “Communications” topic in this
Module, immediately following this one.
l Management: A member of senior leadership should be
monitoring the response activity at all times; this person should
have the authority to approve all expenditures necessary to fulfill
the response process, and to decide when the contingency event
has ended and resumption of normal operations can begin (see
the “Restoration” topic in this Module).
NOTE: Naming specific individuals for contingency tasks has some benefit
(those individuals can be trained and practice their emergency functions),
but relying on specific people for emergency response can create points
of failure; during an emergency, the organization cannot expect all
individuals to report to their workplace (such is the nature of a disaster).
588 Domain 7: Security Operations
Instructor Edition
Assessment
As mentioned in earlier topics within this module, there is a fundamental
need to calculate the entire, overall impact of the contingency; this
includes both the damaging effects of the event itself, as well as the cost
Restoration
The ultimate goal of the response action is to resume full normal
operations. The process to achieve this goal might include the
following:
l Returning to the primary operating site; creating a new
primary operating site. When the cause of the contingency
has passed or been resolved, personnel will need to be
returned to a primary operating situation (both a physical
and logical location). This might take the form of returning
the organization’s original production location/environment
or by creating a new one (many organizations that have
suffered disaster-level events and used an alternate site/
system for maintaining critical operations have ended up
making the alternate site into the new primary site, and
abandoned the original primary).
PPT
Module Objectives
Introduce the module
objectives.
PPT
Module Objectives
Introduce the module
objectives.
Notes There are a number of ways to test DR plans and train personnel
tasked with enacting them. This module will discuss several; the
Test Disaster Recovery Plans candidate should recognize and understand the benefits and risks
associated with each.
PPT
Test Disaster Recovery
Plans
Read Through/Tabletop
Review the various
methods for testing BC This method is a controlled, isolated roleplaying activity, only involving
plans. those personnel tasked with DR responsibilities and activities (see the
Personnel topic, in Module 10 of this domain) and a moderator.
The participants should gather at a centralized location (such as a
conference room) and bring all DR guidance materials, such as the
organization’s DR plan and any documents that will be included at any
alternate operating site. The moderator presents a situation that would
constitute an event significant enough to trigger a DR response; the
participants pretend they are in the situation and verbally describe their
actions. Participants can refer to any materials for information and
guidance and can cooperate.
The moderator should manage the discussion and take notes on the
progress, recording both problem areas and elements that seemed
successful. It is best to have an experienced moderator present to
address interpersonal conflicts and handle problems as they arise. The
moderator can also introduce new situational information as the pretend
situation “unfolds.”
A tabletop exercise is excellent for training response personnel unfamiliar
with their tasks and/or new to the organization; it is also an extremely
useful tool for reviewing the BCDR plan to determine gaps in response
capabilities so that the plan can be revised later.
The tabletop exercise is the least intrusive and cheapest type of BCDR
test.
Walk-Through
This is similar to the tabletop exercise where the only participants are
those personnel who have a role in BCDR activities, and they respond
to a scripted situation. However, in a walk-through, instead of staying
around a conference table, the participants will actually walk to each of
the locations they will need to visit for response activities (hence the
name). They can still refer to written guidance and should be monitored
by someone who can record any problems/successes.
Parallel
Parallel exercises are for those organizations that utilize alternate
operating sites as part of their BCDR plan. The exercise entails
mobilizing personnel and resources for the alternate site and
actually conducting operations from the alternate location.
Obviously, this is much more expensive and has a greater impact
than any of the exercise options discussed previously (not the least
of which is taking those personnel involved in the exercise away
from their normal duties). However, it also offers great benefit in
that the organization has greater assurance the alternate solution
will work effectively during an actual contingency, and the
personnel involved gain experience and knowledge (and can
identify problems) in enacting the response procedures.
Full Interruption
A full interruption involves the entire organization in a scripted
situation that mimics an actual contingency event. All BCDR
resources, personnel, and activities are involved and perform the
actions they would take during an unscheduled situation.
Notes This is, by far, the most expensive option with the greatest impact to
the organization and its stakeholders. Great care must be taken to
Test Disaster Recovery Plans ensure the exercise does not turn into an actual disaster because of
the interruption to normal operating conditions. Only organizations
PPT with the wherewithal to properly plan and execute an action with the
amount of resources required to successfully complete a full
Test Disaster Recovery
Plans (continued) interruption should attempt it because of the associated risk.
Review the various
methods for testing BC
plans.
PPT
Module Objectives
Introduce the module
objectives.
Notes Travel
Security concerns and risks differ depending on location; the organization
Personnel Safety and
Security Concerns should take this into account when personnel are required to work
outside the organization’s control (that is, everywhere but inside the
organization’s facilities/campus).
PPT
Travel Some security aspects to consider when personnel are traveling/
working remotely:
Discuss travel-related
security concerns, l Encryption: Devices and data that are physically moved to any
concentrating on threats
to personnel.
location outside the organization’s control can benefit from
the additional protection of encryption; this can protect the
organization from loss of data due to interception in transit
or physical theft/loss of a device. However, if personnel are
PPT
traveling internationally, encryption options may be limited
Security Training and by law in some jurisdictions (refer to the discussion of import/
Awareness
export controls and trans-border data flow in Modules 5 and 6
Review personnel of Domain 1).
participation in security
efforts, particularly l Secure remote access: If personnel are going to connect to the
emergency/safety organization’s environment from off-site facilities, the organization
procedures and incident needs to create a secure mechanism for doing so (for detailed
detection and reporting.
discussion, see Module 11, Domain 4).
l Additional jurisdictional concerns: Data moved across borders
may be subject to different statutory/contractual regulation (see
Module 5 Domain 1).
l Personnel protection: Personnel need to be protected according
to the specific security conditions of geographical areas where
they may be traveling. The organization should provide location-
specific orientation material for travelers, additional personal
training, medical/life insurance, and physical protection elements
as needed.
l Condition monitoring: When personnel are traveling, someone
remaining at the organization’s primary operating site should
be monitoring their location/condition on a regular basis and
ensuring daily check-in.
Notes Duress
Personnel should have a means to report to the organization if they are
Personnel Safety and
Security Concerns ever put under duress (threatened or hindered in movement). This is
especially true for travelers, senior management, and critical personnel,
all who may be subject to crimes that target those roles (kidnapping,
PPT terror attacks, etc.).
Duress
Personnel should be able to convey duress situations in a subtle manner
Explain duress procedures
(that is, with code words other than, “I’m under duress”) that can be
and guidance.
worked into normal communications and can be remember while the
subject is under extreme stress. Duress codes should be able to be
conveyed by several methods of communication (verbal and otherwise).
Personnel receiving duress codes should have training and practice in
the actions to undertake in those circumstances.
Duress codes should change on a regular basis, but if personnel convey
expired codes, a response process should still be initiated.
PPT
Domain Summary
Participate in review
of key elements from
the domain on security
operations.
Notes
7
Notes
Course Agenda
Domain 1: Security and Risk Management
Notes
Software Development
8
Security
Overview
Software Development Security within the context of the eighth
domain of the CISSP® examination deals with the important
requirement of protecting applications and the environments that
they exist in, from inception to decommissioning. In other words,
this domain focuses on involving and designing security into the
application from the beginning, at inception and throughout what is
referred to as the “software development lifecycle” or SDLC. But
security does not end there, it needs to also be involved in what is
referred to as the System Lifecycle (SLC) that includes when the
application and systems are being used, maintained, and tested
while in production, but also during the decommissioning (disposal)
phase when the application or system has a need to be retired.
It is important to focus on the security of the application itself
and also the environment it exists in. For example, in today’s
environments the majority of attacks are happening at the
application layer, specifically, the web application environment.
Notes Protection of applications and the valuable data they process requires a
layered approach and also the protection of all components that make up
Software Development the architectures the applications are running in.
Security
To address security properly requires appropriate security controls that
focus on a number of things, from the development environment, to the
PPT
tools and methodologies being used, to operations and maintenance,
Software Development to enforcing the latest security capable tools, to addressing the latest
Security (continued)
exploits and vulnerabilities, to providing assurance mechanisms related
Introduce the participants to logging and monitoring and testing. In other words, security of
to the “Software
Development Security”
applications and systems involves many components that the security
domain. professional has to enforce and support throughout the organization.
5 Domain Review
The System Lifecycle (SLC) covers the life of the system, beyond
putting the system into production. Placing the system into
production is where the SDLC ends, but the SLC continues to
Notes
Security in the Software
8
Development Lifecycle
include two additional phases:
Determine Define
Security Conduct Security
Requirements Risk Analysis Strategy
Notes
Activity: Reviewing Potential Security Checklist in the
Security in the Software
Development Lifecycle Project Initiation Phase
(SDLC)
Instructions
Review the checklist below and identify the most important
considerations that would be helpful to your organization in addressing
security requirements in the project initiation phase. Also, see if you can
come up with some additional questions. The list is only a sampling,
there may be other important considerations that an organization may
need to evaluate.
l Is there any information that has exceptional value or sensitivity
and therefore requires special protection?
l Does the application or software being used to access the data
itself have proprietary functionality or intellectual property that
will need to be safeguarded as part of understanding the value
of the system and possibly separate from the data the system is
processing?
l If the data being processed is of low value, does the resulting
output information have higher value?
l Has the organization identified an owner, and has the owner
determined the information’s value?
l Are there any special legal, regulatory, or compliance requirements
that need to be addressed?
l What are the assigned classifications or categorizations according
to the asset classification system?
l Will application operation risk exposure of very sensitive
information?
l Will control of output displays or reports require special security
controls?
l Will data be processed, stored, or transmitted through public or
untrusted networks?
l Are physically controlled areas required for operation of the
system?
l What systems and data sources interconnect with this system and
are they considered to be secure?
l What will this system do to the operations and culture of the
organization?
l Does the system require special support in terms of the business
continuity requirements of the organization?
Identify Develop
Develop Set Test Define
Functional Functional
Project Plan Criteria Strategy
Requirements Baseline
Include
Security Include
Identify Establish Functional
Security Security Security Requirements Security
Areas Requirements Tests in RFPs, Requirements
Contracts
l Before and after images of components where integrity is Describe the security
activities in the
important Development and
l Counts that are useful for process integrity checks, examples Documentation phase.
may include total transactions, batch totals, hash totals, and
balances
l Internal checks such as checks for data integrity within the
program while being processed
l Parameter ranges and data types
l Valid and legal address references
l Completion codes
l Peer code review
l Program or data library when developing software applications:
o Automated control system
o Current versions of both programs and documentation
o Record of changes made by whom, when authorized, what
changed
o Test data and verification of changes
o Owner and stakeholder sign-offs indicating correct testing
l A librarian ensures program or data library is controlled in
accordance with policy and procedures:
o Controls all copies of data dictionaries, programs, load
modules, and documentation and can provide version
controls
o Change control/management that ensures no programs
are added or changed unless properly tested and
authorized and gone through the proper steps of making
those changes
o Invalid transactions detected are written to a report and
reviewed by developers and management
Notes
Development and Documentation
Security Activities
Security in the Software
Development Lifecycle
(SDLC)
Develop Unit Testing Document
System & Evaluation System
PPT
Development and
Documentation
Security Activities Develop Security Code Document
(continued) Security Code Evaluation Security Code
Describe the security
activities in the Figure 8.4: Development and Documentation Security Activities
Development and
Documentation phase.
Acceptance
The acceptance phase is one of the most important as this is where we
PPT ensure the system does what it is supposed to. But this also includes the
Testing and Evaluation security capabilities. Once all of this has been confirmed, acceptance can
Controls happen. As part of the acceptance phase, an independent group develops
Identify the controls that test data and tests the code to ensure it will function within the organization’s
apply to testing and environment and that it meets all the functional, and most importantly, from
evaluation. our perspective, security requirements. It is therefore, very important that the
group members performing the testing are independent, but also includes
the most important stakeholders that will be involved in accepting the system.
The very important goal of security testing is to ensure the application meets
its security requirements and specifications that were outlined in previous
phases. The security testing strives to uncover all design and implementation
flaws that would allow someone, including authorized or unauthorized
individuals, to bypass the software security policy and access requirements.
To ensure proper and valuable testing, the application should be tested
in an environment that simulates as much as possible, the actual
production environment. This should include testing the security
capabilities and simulating other security related problems that may
occur. This is the first phase of what is commonly referred to as the
certification and accreditation process.
Security in
Security Integrated Security Security Secure Secure
Components System Code Controls Operations System
Figure 8.5: Testing, Acceptance, and Transition into Production Security Activities
PPT
Operation and Maintenance
Operation and
During this phase, the system is being used throughout the Maintenance
organization. The activities that need to be done here are
Describe security
monitoring the performance of the system on a regular basis but
activities during
also ensuring the continuity of operations. This may require making operation of system and
certain components redundant and also detecting defects or maintenance of system.
weaknesses and addressing them. During operations and
maintenance, the organization also needs to manage and prevent
system problems, recovering from system problems, and
implementing system changes.
The specific security activities that need to be done during this
phase include testing backup and recovery procedures, ensuring
proper controls for data, reports, and generally ensuring the
effectiveness of security controls and processes. During the
maintenance phase, periodic risk analysis and recertification of
sensitive applications may be required, especially when significant
changes occur. Significant changes may include examples such as
change in data classification or sensitivity, relocation or major
changes to the physical environment, the purchasing and
implementation of new equipment, new internal or external
interfaces, new or upgrading of operating system software, and
new application software.
Throughout the operation and maintenance phase, it becomes very
important to verify that any changes to anything related to the
system, including procedures or functionality, do not disable or
affect the required security that already exists. Also, verifying
compliance with applicable service-level agreements (SLAs) and
contracts according to the initial operational and security baselines
need to be constantly assured.
Spiral Method
A nested version of the original waterfall method, the development of
each phase is carefully designed using the waterfall model, but the
distinguishing feature of the spiral model is that in each phase we add
Iterative Development
The waterfall model is highly structured and does not allow for
changes once the project is started and moved onto subsequent
phases. Revisions are not allowed in later phases. This is indeed
why it is called “waterfall.” Just like water falling in a waterfall,
water cannot go backwards, therefore, waterfall methodology
does not allow us to go back in phases to redesign new
requirements that we find as we move through the phases.
This is where the iterative development methodologies become
desirable. Iterative models allow for successive refinements
of requirements, design, and development of code. Allowing
refinements during the process requires that a change control
mechanism be implemented as part of this to allow the refinement
of requirements. Also, the scope of the project may be exceeded
if owners and stakeholders change the requirements after each
point of development. Iterative models also make it very difficult
to ensure that security provisions are still valid in a changing
Component-Based Development
Notes
This model is based on a process of using standardized and building
Security in the Software
Development Lifecycle
blocks to assemble, rather than develop the application. The components
(SDLC) are made up of sets of standardized data and standardized methods of
processing that data. These sets, when used together, offer scheduling
and cost-effective benefits to the development process and the team
PPT members involved. From a security perspective, the advantage might be
Other Methods and that components have previously been tested for security functionality
Models (continued) and assurance effectiveness. This is very similar to object-oriented
Explain other models programming (OOP) where objects and classes may be designed with
and how security fits in security methods initially and then reused as required.
to each.
Reuse Model
PPT In this model, an application is built from already existing and tested
Model Choice components. The reuse model is best suited for projects using object-
Considerations and oriented development because objects can be created, exported,
Combinations reused, or modified as required. From a security perspective, the
Summarize how components would then be chosen based on the known effectiveness
organizations of the security characteristics.
are combining
methodologies, but
regardless, security is Extreme Programming
included in each phase.
This discipline of software development is based on having several values
and characteristics of software development. The values are simplicity,
communication, and feedback all combined into the process. Despite the
name, extreme programming is an attempt to use a structured approach to
software development, relying on subprojects of limited and defined scope
and developers always working in pairs. The team produces the software in
a series of small, fully integrated releases that are supposed to fulfill the
owner-defined needs. This implies that the owners need to be involved in
defining the needs in the first place. It makes sense, as well, to involve
security in defining those needs ahead of the developers programming the
requirements. As we have mentioned earlier, this model relies on simplicity
of the process, communication between all involved stakeholders, including
security, and feedback to ensure requirements are addressed properly.
Notes then, this model is very useful in allowing an organization to measure their
current capability in software development and also to formulate a plan
Security in the Software by which they can get better. The CMM focuses on quality management
Development Lifecycle
(SDLC)
processes and contains five maturity levels that contain required
measurement parameters within each maturity level. The five levels
describe an evolutionary path from chaotic and unstructured processes to
PPT mature, disciplined, and optimized software processes. The whole
Capability Maturity purpose of using CMM is to allow organizations to mature to a higher
Model (CMM) for level of quality in software development. So, to summarize, the CMM
Software or Software framework as shown in Figure 8.6 establishes a basis for evaluation of the
Capability Maturity
Model (SW-CMM)
reliability and improvement of the software development environment.
(continued)
Explain CMM for
Software Capability Maturity Model
software and how it (SW-CMM) Levels
allows organizations to
mature in development OPTIMIZING
methodologies. Processes are
MANAGED continually
DEFINED Controlled using improved,
Processes are quantitative optimized
PPT REPEATABLE well-characterized, techniques
INITIAL Processes are understood,
Software Capability more organized, proactive
Process is
Maturity Model unpredictable, often reactive
(SW-CMM) Levels poorly controlled,
Describe the five maturity and reactive
levels and the objective of
this model. Figure 8.6: Software Capability Maturity Model (SW-CMM) Levels
Initial: At the initial level, it typically means that good practices can be
repeated, but they may be unorganized and chaotic. If an activity is not
repeated, there is no reason to improve it. Therefore, organizations would
be able to show that they have policies, procedures, and practices and
commit to using them so that the organization can perform software
development in a consistent manner.
Repeatable: In this level, best practices for software development are
repeatable and can be rapidly transferred across various groups in the
organization without problems. Practices need to be defined in such way
so that the organizations allows for transfer of processes across project
boundaries. This can provide for standardization and repeatable
processes across the entire organization.
Defined: At the defined level, standard processes are formalized and all
new developments happen with new, stricter, and standardized processes.
The processes are well-understood and are very proactive.
Managed: At this level, quantitative and measurable objectives are
established for tasks. Quantitative measures are established, calculated,
Notes from different perspectives and disciplines. This includes allowing team
decisions to be made based on input from the entire team that would
Security in the Software include for example, engineering, manufacturing, management, financial
Development Lifecycle
(SDLC)
management, procurement, legal, and of course, security. The teams may
also include customers and contractors in some instances, in other words,
these teams may involve members from both the enterprise and the
PPT contactors or consultants.
Integrated Product and
Process Development
(IPPD) (continued) DevOps
Define IPPD and how As the two words combined imply, DevOps is a combining of
security fits in. development and operations. DevOps typically also involves the quality
assurance processes of the organization. DevOps can be summarized as
an approach based on lean and agile principles in which business owners
PPT and the development, operations, and quality assurance departments
DevOps (2 slides)
collaborate and work together to deliver software in a continuous manner
that enables the business to more quickly react to market opportunities
Emphasize the benefits
and reduce the time to include customer feedback into products that
of DevOps and how
security fits in. need to be developed.
When implemented holistically, DevOps can become a business-driven
software delivery approach that takes a new or enhanced business
capability from an idea or concept, through the production phase and
implementation, while providing business value to customers in an
efficient manner and capturing feedback as customers engage with
the capability. To do this, you need participation from stakeholders
beyond just the development and operations teams. A true DevOps
approach includes lines of business, practitioners, management,
partners, suppliers, and other stakeholders. There are many variants
on the DevOps concept that exist today based on the needs of the
organization implementing this model. Companies such as Google,
IBM, Amazon, and Microsoft all have DevOps implementations that
they use to drive core elements of their business. Regardless of the
various implementations, the core common principles that DevOps is
usually made up of some of the following:
l Develop and test against production-like systems. The goal is to
allow development, operations, and quality assurance teams to
develop and test against systems that behave just like the actual
production system, so that realistic behaviors and performance
parameters can be captured before the system is ready to be put
into production.
l Deploy with repeatable, reliable processes. We often refer to
this as a form of automation, specifically repeatable automation.
This principle allows development and operations to support
development process all the way through to production.
Notes
Module 2: Secure Coding Guidelines
Secure Coding Guidelines
and Standards and Standards
Notes Another such example might be inadequate data validation that can
lead to all kinds of escalation of privileges and other exploits.
Secure Coding Guidelines
and Standards Today’s software environments are also distributed, meaning they are
connected to many other environments, architectures, networks, etc.
Distributed applications provide a particular challenge in terms of
PPT
adequate security due to the complexity of the information being
The Software passed by components in the distributed architectures.
Environment (continued)
Define the software The architectures that software is part of today are complex and ever
environment. changing. The functionality that software provides today is much
more complex as well, and so protecting from a security perspective
is also very challenging. Protecting the application itself and the
PPT environment that it run in begins with designing security into the
Programming
functionality of the application that is written in some sort of
Languages programming language.
Define programming
language.
Programming Languages
During development phases, developers need to write code in some
sort of programming language. There are many programming
languages that have been developed over the years. A programming
language is a set of instructions that tell the computer what operations
to perform. Programming languages have evolved in generations, and
each language is characterized into one of the typical generations
characterized below. Those in the earlier classification level are closer
in form to the binary language of the computer. Both machine and
assembly languages are considered low-level languages.
As programming languages have evolved, they have become easier and
more similar to the language people use to communicate. In other
words, they have become higher level languages. High-level languages
are easier to use by developers than low-level languages and in some
cases, can be used to produce programs more quickly and more
efficiently. In addition, high-level languages are considered to be more
beneficial because they enforce coding standards and development
methods that can enforce a better level of more security. On the other
hand, higher-level languages can also work against proper security as
they can automate certain functions and provide complicated
functionality for the application, implemented by the programming
environment or tool, the internal details of which may be poorly
understood by the designers and developers. As a result, it may be
possible that high-level languages may introduce possibilities of security
vulnerabilities in ways that may not be apparent to the designers,
developer, and security professionals.
Notes limited. The operating instructions, or code instructions for the computer
and any necessary arguments or data were presented to the machine
Secure Coding Guidelines in the form that was needed to get it to process properly. Assembly
and Standards
language was created to allow this process to become easier, although
there is a fairly direct correspondence between the assembly mnemonics
PPT and specific operational codes, at least the assembly files are formatted in
The Programming a way that is relatively easy for humans to read, rather than being strings
Procedure (continued) of hexadecimal or binary numbers.
Describe differences In summary, assembly language improved certain mnemonics so that
between assemblers,
compilers and
they could be easier to read by the human element. These included
interpreters. mnemonics such as: MOV (move), CMP (compare), DEC (decrement),
and ADD, all basic functions in programming. As a summary, assembly
language made it easier to equate binary instructions to readable
mnemonics.
With the advent of third generation, or what most people refer to as
high-level languages, programming languages evolved into two types,
high-level languages and compiled languages.
l High-level languages are those where the source code is
somewhat more comprehensible to people. Those who work
with C may dispute this assertion, of course: These languages, in
the hands of skilled programmers, can produce highly functional
programs from very little source code but at the expense of
legibility. COBOL is a perfect example.
l Compiled languages involve two separate step processes before
a program is ready to be executed. The application must first
be programmed in the source code, which is the text or human-
readable code, and then the source code has to be compiled
into object code that the computer can understand, the strings
of opcodes or machine language. This may be a simplified
description of the “compiled” process, as it may also require
more involved processes such as linkers and other utilities.
The point, however, is that the source code for languages like
FORTRAN and Modula cannot be run directly, they must be
compiled first.
Interpreted languages may shorten the process. Once the source code
for the application has been developed, it can be run with the help of
the interpreter. The interpreter, therefore, translates the source code
into machine language on the fly, rendering it into a form that the
computer can understand and use. The drawback to interpreted
architectures is that there may be a cost in performance and speed for
this as the interpretation needs to be done each time the application
runs. Compiled programs, on the other hand, are native, or natural, for
the CPU to use directly because they can run directly from the
object code, and so run considerably faster. In addition, some
compilers can perform optimization on the application, choosing
Notes
Secure Coding Guidelines
8
and Standards
the best set of functions for a given situation.
Notes access other data, which is a great security capability, and as we’ve
mentioned, referred to as data hiding or encapsulation.
Secure Coding Guidelines
and Standards
l Inheritance: The concept of a data class makes it possible to define
subclasses of data objects that share some or all of the main (or
super) class characteristics. If security is properly implemented in
PPT the high-level class, then subclasses should inherit that security. The
Object-Oriented same is true of objects derived not from a class but from another
Technology and object. The keys are to properly implement security in the high-
Programming
level class objects so that the subclasses can inherit them properly.
(continued)
It is very important to create objects that have good security
Define object oriented characteristics because these can be inherited by further objects.
technologies and
programming. l Polymorphism: Objects of differing data types can be processed
differently, depending on that data type. Instantiating an object
from a prior object ensures that the new object inherits attributes
PPT and methods from the original. The changing characteristics
of an object created in such a way may change the operation
Polyinstantiation
of the modified object. From a security perspective, this may
Define polyinstantiation have negative implications that must be carefully assessed,
and relate to an example.
because secure methods may be lost through polymorphism
and changing characteristics.
Polyinstantiation
One of the key features in object oriented technology, useful for security, is
polyinstantiation. Polyinstantiation may prevent inference possibilities by
creating a new version of an object by replacing variable with other values.
Essentially, it allows different versions of the same information to exist at
different classification levels. Therefore, users at a lower classification level
don’t know of the existence of a higher classification level. Inference is
defined as the ability of authorized or unauthorized users to deduce (infer)
more sensitive information from observing authorized information.
Specific objects, instantiated from a higher class, may vary their
behavior depending upon the data they contain. Therefore, it may be
difficult to verify that inherited security properties are valid for all
objects. However, this is why polyinstantiation can also be used to
prevent inference attacks against databases, because it allows different
versions of the same information to exist at different classification levels.
Within an OOP environment, any things created are referred to as objects.
A data type in a programming language is a set of data with values having
predefined characteristics. Those characteristics can be a number value, a
character, a string, or anything else. In most programming languages, a
limited number of such data types are built into the language. The
Object-Oriented Security
As we have described above, in object-oriented systems, objects are
encapsulated. Encapsulation protects the object by denying direct
access to view or interact with what is located inside the object, this is
referred to as data hiding. It is not possible to see what is contained in
the object because it is encapsulated. Encapsulation can be used to
protect the object, since it does not allow any other object to see data
from outside. This makes sense from a security perspective because
no object should be able to access or see another object’s data.
CORBA Implementations
As a best practice from the perspective of security, CORBA PPT
implementations need to consider the following as examples: CORBA Implementations
l The specific CORBA security features that are supported Explain CORBA
implementations.
l The implementation of CORBA security building blocks, such
as cryptography blocks or support for Kerberos systems
l The ease by which system administrators can use the CORBA PPT
interfaces to set up the organization’s security policies
Libraries and Toolsets
l Types of access control mechanisms that are supported
Define libraries and
l Types, granularity, and tools for capturing and reviewing toolsets and benefits.
audit logs
l Any technical evaluations, such as those related to the
Common Criteria
There are other methods for securing distributed application
environments. These include JRMI and EJB. EJB is a Sun
Microsystems model providing similar environments to CORBA by
using API specifications for building distributed and component-
based applications. EJB uses Java’s RMI implementations for
communications in a similar architecture. The EJB server can provide
a set of services for transactions, security, and resource sharing.
All of these architectures can support the enforcement of policies
and rules that can be applied between interactions of components
or objects.
A standard library is a library made available across implementations Explain the benefits of
of a programming language. Standard libraries typically include libraries.
definitions for commonly used algorithms, data structures, and
mechanisms that can be reused. Typically, a standard library may
include these: PPT
Standard Libraries
l Subroutines
Give examples of
l Macro definitions libraries.
l Global variables
l Class definitions
PPT
l Templates
Common Programming
In addition, most standard libraries include definitions for at least Language Libraries
the following commonly used facilities: Give examples of
libraries.
l Algorithms (such as sorting algorithms)
l Data structures (such as lists, trees, and hash tables)
l Interaction with the host platform, including input/output
and operating system calls
Runtime
A runtime system is the collection of all the hardware and software
components that allows an application to actually run on a
computer system. In other words, a runtime system is all of the
mechanisms, regardless of either hardware or software, that allow
the application to run on a computer system, regardless of the
programming language used to program the application.
Because every program needs components to actually run, every
programming language has some form of a runtime system,
whether the language is a compiled language, interpreted
language, or is invoked via an API. Services that can be provided
by the runtime system include type checking, debugging, or code
generation and optimization. As an example, the Java Runtime
Environment (JRE) is what you get when you download Java
software. The JRE consists of the Java virtual machine (JVM), Java
platform core classes, and supporting Java platform libraries that
ultimately allow that Java program to run on your system. In other
words, the JRE is the runtime portion of Java software, which is all
you need to run it in your web browser.
The runtime system can also be the gateway by which a running
program interacts with the runtime environment itself, which
contains state values accessible during program execution that
are needed by the environment. Again, as we are focusing on
security, the runtime environment needs to include the
components required for security to be handled properly.
Social Engineering
PPT
A very simple definition of social engineering is where an attacker uses
Social Engineering deception and intimidation to get someone to provide information they
Define social engineering shouldn’t. This can be a vulnerability and something that needs to be
and how it applies to the addressed in software development and management environments.
software environment. Proper awareness, education, and training needs to be provided to the
development environment to mitigate this threat. The security
professional needs to support these initiatives.
PPT
In addition, there are several weaknesses and threats listed below that
Activity: Security
Weaknesses and possibly need to be addressed as well in software development
Vulnerabilities at the environments and also environments where applications exist. These may
Source Code Level and include and are not limited to the following.
Secure Coding Practices
Introduce the activity and
explain the importance
of understanding Activity: Security Weaknesses and Vulnerabilities at the
the weaknesses and Source Code Level and Secure Coding Practices
threats in the software
environment. Review the following and be able to explain it to someone else in the
class. Understand how security needs to be part of the process to
ensure the following risks are mitigated through proper secure coding
practices.
Buffer Overflow
Buffer overflows can be created or exploited in a wide variety of ways and
over the years, we have seen many examples. Generally, the following
description is an example of how a buffer overflow works.
A program that is the target of an attack is provided with more data
than the application’s buffer was intended to handle. Applications need
to use buffers to store information while that data is being processed.
When the application is designed, the buffer size has to be determined.
Citizen Programmers
As we have explained above, today, technology environments are
equipped with scripting and programming tools as part of their
functional environments. The ability to provide more functionality
in application environments is so that these functions can be
performed by the users themselves, instead of having them be
programmed into the application by developers. These tools may
allow all computer users to create their own utilities and reusable
elements. This can be negative from a security perspective as users
now have access to very powerful capabilities that may be misused
by the users as they are not focused on security or have security
training. They may not be aware of the increased risk as a result of
their increased functionality. If this type of unsupervised
functionality is allowed, then a single user may have complete
control over an application or process. This may violate separation
of duties requirements.
Putting powerful tool and capabilities at the user level requires
mitigation of the increased risks that this may pose.
Covert Channel
Notes
A covert channel may be defined as a communication channel that
Secure Coding Guidelines
and Standards
allows processes to transfer information in such a way to violate some
security policy or requirement. This is an information flow issue. Even
though there are protection mechanisms in place, if unauthorized
PPT information can be transferred using a signaling mechanism or a
Activity: Security storage mechanism, using some way that is not normally considered to
Weaknesses and be able to communicate, then a covert channel may exist. In simplified
Vulnerabilities at the terms, it is any flow of information, unintentional or inadvertent, that
Source Code Level and
enables an unauthorized observer to have access to the sensitive
Secure Coding Practices
(continued) information. This may allow the observer to infer more sensitive
information than is allowed.
Introduce the activity and
explain the importance There are two defined types of covert channels, storage and timing.
of understanding
the weaknesses and A storage covert channel involves the direct or indirect reading of
threats in the software
environment. storage locations by one process and a direct or indirect reading of the
same storage location by another process. Typically, a covert storage
channel involves memory locations or sectors on a disk that may be
shared by two subjects at different security levels. This could include
hard drive space, cache, or other typically used memory types in
computer architectures.
A timing covert channel depends upon being able to influence the rate
or timing issue that some other process is able to acquire resource.
Examples of this may be the CPU, memory, or I/O devices. The variation
in rate may be used to pass signals that may be used to infer more
sensitive information. Essentially, the process signals information to
another process by modulating its own use of system resources in such
a way that this manipulation affects the real response time observed by
the second process and therefore, may signal sensitive information.
Timing channels may be very difficult to detect as a result.
Notes executed on that local system. The code is transferred by user actions
and, in some cases, without the explicit action or consent of that user. The
Secure Coding Guidelines code can arrive to the local system as attachments to email messages, or
and Standards
through web pages. This can be particularly dangerous because the
software that is transmitted as a result may be malicious in intent.
PPT
Mobile code might be called by many names such as mobile agents,
Activity: Security mobile code, downloadable code, executable content, active capsules,
Weaknesses and
Vulnerabilities at the
remote code, dynamic email, and so on.
Source Code Level and
Secure Coding Practices
Even though the terms are very similar, there are slight differences
(continued) in each of them. For example, mobile agents are programs that can
migrate from host to host in a network at times and to places of their
Introduce the activity and
explain the importance own choosing. They have a high degree of autonomy rather than
of understanding being directly controlled from a central point and therefore, are very
the weaknesses and difficult to protect against if malicious. Mobile agents differ from
threats in the software applets that are programs downloaded as the result of a user action,
environment.
then executed from beginning to end on the user’s machine. Examples
may include ActiveX controls, Java applets, and scripts run within the
browser of the user. All of these deal with the local execution of
remotely sourced code.
Between-the-Lines Attack
A similar attack to the above is called a between-the-lines entry. This
occurs when the telecommunication lines used by an authorized user
Notes allow the components to talk to each other, REST uses simple HTTP,
which is the language of the web.
Secure Coding Guidelines
and Standards REST is not an architecture, but it is an architectural style to build
services on top of the web. REST allows interaction with a web-based
system via simplified URLs rather than complex request body to
PPT
request specific items from the system.
Representational
State Transfer (REST) The widespread use of REST APIs is really at the heart of the key
(continued) challenge to the security professional with regards to API security.
Define REST. Because REST uses simple HTTP, protecting web services relying on
REST APIs becomes challenging. REST-based APIs can be secured,
but the security professional needs to work at it to get the security
PPT implemented correctly and consistently across the enterprise, as well
REST-based API Security as within all of the architecture components that systems use.
Recommendations
Explain REST- REST-based API Security Recommendations
based API security
recommendations. The following recommendations are for developers to use to ensure
REST-based API security:
l Employ the same security mechanisms for APIs as any other web
application your organization deploys. For example, if you are
filtering for Cross Site Scripting on the web front-end, you must
do it for your APIs, preferably with the same tools.
l Do not create and implement your own security solutions. Use
a framework or existing library that has been peer-reviewed and
tested. Developers not familiar with designing secure systems
may often produce flawed security implementations if they try
on their own, and they may leave their APIs vulnerable to attack
as a result.
l Unless your API is a free, read-only public API, do not use single
key-based authentication. It is not enough. You should add a
strong password requirement.
l Do not pass unencrypted static encryption keys. If you are using
HTTP and sending it across the wire, then make sure you always
encrypt it.
l Ideally, use hash-based message authentication code (HMAC)
because it is the most secure. Use SHA-2 and above. Avoid
SHA-1 and MD5 because of their known vulnerabilities and
weaknesses.
Security professionals may also need to provide guidance on the use of
authentication protocols with regard to REST APIs in the enterprise.
These options are listed here.
Authentication Options
There are three typical options available when addressing
authentication protocols with regards to REST APIs.
Notes
Secure Coding Guidelines
8
and Standards
Security Kernels
The security kernel, as mentioned above, is the implementation of
the reference monitor concept. It is made up of all of the
components of the TCB (the software, hardware, and firmware),
and it is responsible for implementing and enforcing the reference
monitor idea. A security kernel is responsible for enforcing the
memory, data, and system resources all at the same time. In other
words, they may be contending for system resources all at the same
time, while trying to complete their tasks.
Notes
Secure Coding Guidelines
8
and Standards
Interrupts
PPT
The use of interrupts allows the operating system to ensure that a
process is given enough time to access the CPU when necessary to Process Encapsulation
carry out its required functions, but it also ensures that the process Define process
does not lock up resources that are necessary for other processes encapsulation.
to execute as well.
To enforce the concept of process isolation, the following methods
are typically used by the operating system and architecture:
l Encapsulation of a process
l Time multiplexing of shared resources
l Naming distinctions
l Virtual memory mapping
Process Encapsulation
Encapsulating a process means that you isolate that process so that no
other process is able to see, understand, or interact with the internal
functions of the process itself. This act of encapsulating forces
processes to interact with each other through well-defined interfaces
that can be overseen and managed by the operating system properly.
Encapsulation effectively hides the process and its functions from
other processes, thereby allowing it to engage in data hiding. Data
hiding is what it sounds like, hiding data from other processes so
that each of the processes running at the same time do not
interfere with each other.
Time Multiplexing
Notes
Time multiplexing allows the operating system to provide structured
Secure Coding Guidelines
and Standards
access by processes to resources according to a controlled and tightly
managed time schedule. This schedule is defined as a short period of
time, or a time slice, which will grant access to the system resources
PPT required by the process and then terminate that access once the time
Time Multiplexing period has expired. That resource then becomes available to another
Define time multiplexing.
process, again based on a time slice.
Multitasking and multi-processor architectures that are common today
create an additional layer of performance but also complexity with regard
PPT to time slicing or multiplexing. Due to the fact that each CPU in a computer
Naming Distinctions can have more than one core, or more than one processor, the ability for
Define naming
the computer to process multiple requests for access to resources from
distinctions. processes simultaneously continues to increase, and therefore, needs to be
managed properly. This is referred to as multitasking.
Memory Management
Memory management is used by the operating system to achieve the
following goals:
l Provide an abstraction level for programmers
l Maximize performance with the limited amount of memory
available to the system (Physical RAM)
Notes This might be an example, let’s say there is a situation where a process
can be started and stopped by one program, and the existence of that
Secure Coding Guidelines process can be detected by another application. Thus, the existence of
and Standards
the process can be used, over time, to signal sensitive information.
There is one commonality that exists in all covert channels, the
PPT
transmitting and receiving of objects over the covert channel must have
Covert Channel access to a shared resource. The following are protection mechanisms
Controls (2 slides)
(continued) for covert channels:
Define covert channels, l The first step is to identify any potential covert channels.
two types, and controls.
l The second step is to analyze these channels to determine
whether a channel actually exists.
PPT
l The next steps are based on manual inspection and appropriate
testing techniques to verify if the channel creates security
Cryptography
concerns.
Define cryptography
and its relevance to
l These need to be addressed properly through security control
controls in the software implementation.
environment.
Cryptography
PPT Cryptography techniques can be implemented to protect information
Password Protection
by transforming the data through encryption schemes and methods.
Techniques Typically, they can be used to protect the confidentiality and integrity of
information. Cryptography can also be used to address authenticity of
Explain password
protection techniques. communications and nonrepudiation. Cryptography today can be used
in many architectures and to protect information while in motion (transit)
or at rest. Encryption algorithms can be used to encrypt specific
information located anywhere in the architecture.
Backup Controls
Backing up critical and sensitive components and data is a very effective
method of ensuring we can deal with potential interruptions or disasters.
Anything deemed to be critical and sensitive and of value needs to be
backed up in the event of problems occurring. Examples of good
Software Forensics
Software forensics is the science of analyzing source code or
machine language code to try and determine whether intellectual
property infringement may have occurred. Software forensics may
have other uses, such as examining the output, consequences, and
other traces produced by software, especially for investigative
purposes. Software forensics may be used by companies to try and
settle legal issues related to copyright, patent, or trade secret
infringements. Even though it is typically used to try and prove
authorship related to infringement possibilities, it may have a
number of possible uses. In analyzing software suspected of being
malicious, it can be used to determine whether a problem is a
result of carelessness or a deliberate attempt related to malicious
software. Information can be obtained about authorship and the
sequence in which related programs were written. This can be used
to provide evidence about a suspected author of a program or to
determine intellectual property issues.
The techniques behind software forensics can sometimes also be
used to recover source code that has been lost. Software forensics
generally deals with two different types of code:
l Source code, which can be easily analyzed, is referred to as
code analysis and is closely related to literary analysis.
l Analysis of object, or machine, code is generally referred to
as forensic programming.
Sandbox
One of the control mechanisms for mobile code is called a sandbox
environment. As its name implies, a sandbox can be a “play” area
where we can test certain pieces of code to see if they are
malicious. The sandbox provides a protective area for program
execution. Limits are placed on the amount of memory and
processor resources the program can consume in that sandbox
environment. If the program exceeds these limits, the web browser
terminates the process and logs an error code and ultimately does
not allow the code to run.
This can ensure the safety of the browser’s activities. As an
example, in the Java sandbox security model, there is an option to
provide an area for the Java code to do what it needs to do,
including restricting the bounds of this area. This is exactly the idea
of a sandbox.
A sandbox cannot confine code and its behavior without some type
of enforcement mechanism. The Java security manager makes sure
all restricted code stays in the sandbox and cannot ultimately
do anything outside of it. Trusted code resides outside the sandbox,
and untrusted code is confined within the sandbox. By default, Java
applications live outside the sandbox and Java applets are confined
within the sandbox.
PPT
Module Objectives
Introduce the module
objectives.
PPT
Other developers disagree. The question is will other programmers be
able to find all of the security vulnerabilities even given enough time.
Database Management
Some may ultimately always remain no matter how many eyes have
System (DBMS)
Architecture looked at the source code. Releasing the source code does not ensure
that all security bugs and vulnerabilities will be found, and the automatic
Define a DBMS.
assumption of reliability can lead to a false sense of security in many
cases. Advocates of proprietary systems note that dishonest
programmers may find security vulnerabilities but not disclose the
problem to the general community, or at least not until they have
exploited it. There have been instances where those in the black hat
community tried to blackmail software vendors when they have
found problems.
A final determination on this issue has not yet been made, and there are
advocates for both, having advantages and disadvantages. However, in
general, it is known that “security by obscurity,” which is the idea that if a
technology is little known, there is less likelihood that someone will discover
how to break into it, and find vulnerabilities, does not generally work.
Whether programs are available in source or only as executable versions, it
is known that observation, reverse engineering, disassembly, trial and error,
and random chance may be able to find security vulnerabilities.
Elements of a DBMS
Typically, and at minimum, a DBMS architecture has four major
elements:
l The database engine itself
l The hardware platform
l Application software
l Users
Notes the entire database architecture, and all of the components that make
up that architecture, becomes very important. Indeed, this is how
Security Controls in security of any architecture is approached, by securing each of the
Development Environments
components that make up the entire architecture itself.
The data consists of individual entities, and these entities may have
PPT
relationships that link them to other entities within the database. The
Elements of a DBMS mapping or organization of the data entities is based on a particular
(continued)
database model.
Describe the elements of
a DBMS and how security
needs to protect each
element.
Database Models
A database model describes the relationship between the data entities
PPT within the database and provides a framework for organizing the data.
Database Models The data model is fundamental to the design because it provides a
mechanism for representing the data in a specific format and provides
Define how database
models require, at correlations between the data. At minimum, any database model needs
minimum, certain to provide the following requirements:
security controls related
to functions performed l Transaction persistence: The state of the database is the same
by the DBMS. after a transaction against the database has occurred as it was
prior to the transaction, and the transaction should be durable,
meaning it lasts.
l Fault tolerance and recovery: In the event of a hardware or
software failure, the data should remain in its original state
without impacting the security of that data. Two types of
recovery systems are typically available to address this. They
are referred to as rollback and shadowing. Rollback recovery is
when incomplete or invalid transactions are able to be backed
out properly. Shadow recovery occurs when transactions are
reapplied to a previous version of the database. Shadow recovery
requires the use of transaction logging to identify the last good
transactions that can be reapplied.
l Sharing by multiple users: The data should be available to
multiple users at the same time without endangering the integrity
of the data or the integrity of the database environment itself.
l Security controls: Including confidentiality, integrity, availability
and others that address requirements of access controls, integrity
checking, and view definitions.
When an organization is designing a database architecture, the first step
is to understand the requirements for the database and then design
a system that meets those requirements, including those related to
security. This includes what information will be stored, who is allowed to
This model stores data in a series of records that have field values Hierarchical Database
Management Model
attached to each record. It collects all the instances of a specific
record together as a record type. These record types are the Explain evolution of
DBMS environments
equivalent of tables in the relational model that we will describe
starting with Hierarchical.
later. To create links between the record types, the hierarchical
model needs to use parent and child relationships through the use
of tree structures.
PPT
An obvious weakness in this model is that the hierarchical model is Network Database
only able to cope with a single tree and is not able to link between Management Model
branches or over multiple layers. For example, an organization Define network DBMS
could have several divisions and several subtrees that represent models.
employees, facilities, and products. If an employee worked for
several divisions, the hierarchical model would not be able to
provide a link between the two divisions for one employee. In
other words, this model is very restricted in the relationships that
can exist between elements of the database architecture.
Notes format for these attributes. For example, an employee record type
could contain the last name, first name, address, and other types of
Security Controls in information related to the employee. Record types are sets of records
Development Environments
of the same type. These are the equivalent of tables in the relational
model. Set types are the relationships between two record types, such
PPT as an organization’s department and the employees that work in it. The
Network Database set types allow the network model to run some queries faster, and it is
Management Model definitely an improvement over the hierarchical database model;
(continued) however, it does not offer the flexibility of a relational model. As a result,
Define network DBMS the network model is not commonly used today to design database
models. systems; however, as we’ve said earlier, there are still some legacy
systems remaining.
PPT
Relational Database Management Model
Relational Database
Management Model
In today’s environments where the need for many databases exist, the
majority of organizations are using the relational database management
Define relational DBMS
model. Relational environments allow organizations to represent data in
models.
very simple two-dimensional structures called tables. As it offers many
advantages, the relational database has become very dominant in
database management systems used in organizations.
PPT
Elements of the The relational model allows data to be structured in a series of tables
Relational Model that have columns representing the variables and rows that contain
Explain elements of a specific instances of data. These tables are organized using normal
relational DBMS. forms. And because they are organized using normal forms, they can be
used throughout the organization and can be linked to other relational
tables to join the information together.
PPT
Attributes of a Table Elements of the Relational Model
Define attributes in From a very simplistic view, the relational model consists of three
relational DBMS.
elements:
l Data structures that are called either tables or relations
l Integrity rules on allowable values and combinations of values in
tables
l Data manipulation agents that provide the relational
mathematical basis and an assignment operator
Attributes of a Table
Each table or database in the relational model is made up of a set of
attributes and a set of tuples, which are really rows or entries in the
table. Attributes are really columns in a table. Attributes are unordered
left to right, and thus, are referenced by name and not by position. All
A row in the table is referred to as a tuple. Tuples are unordered Attributes of a Table
(continued)
top to bottom because a relation is a mathematical set and not a
list. Also, because tuples are based on tables that are mathematical Define attributes in
relational DBMS.
sets, there cannot be duplicate tuples in a table. So, there needs
to be something that can set all of the tuples apart, and this is
referred to as the primary key. The primary key is an attribute or set
of attributes that uniquely identifies a specific instance of an entity.
Each table in a database must have a primary key that is unique to
that table. It is a subset of the candidate key. Any key that could be
a primary key is called a candidate key. The candidate key is an
attribute that is a unique identifier within a given relational table.
One of the candidate keys is chosen to be the primary key and
then the others can be referred to as alternate keys.
Primary keys provide the addressing mechanism within the relational
model. They are the only guaranteed method of referring to an
individual tuple, therefore, they are fundamental to the operation of
the overall relational model. There are some really important rules that
need to be enforced for relational table to work properly. For instance,
because primary keys are so critical to the relational model, they
cannot contain null values and cannot change or become null during
the life of each entity. When the primary key of one relation, or table,
is used as an attribute in another table, it is referred to as the foreign
key in the other table.
The foreign key in a relational model is different from the primary
key. The foreign key value represents a reference to an entry in
some other table. In other words, the foreign key is a primary key
in another table that is used to provide a relationship in another
table. So, if a value in one table matches those of the primary key
of some other table or relation, it is considered the foreign key.
The link between the foreign and primary keys represents the
relationships between tuples. Thus, the matches represent
references and allow one table to be referenced to another table
to link them together for analysis purposes. It can be said that the
primary key and foreign key links are the binding factors that hold
the database together.
Foreign keys also provide a method for maintaining referential
integrity in the data and for navigating between different instances of
PPT
Integrity Constraints in Relational Databases
In relational database technology, the database needs to be able to
Attributes of a Table
(continued) provide integrity. The user’s applications may carry out many operations
on the data retrieved from the database, but the DBMS is only concerned
Define attributes in
relational DBMS. about the data that is read and written from or to the database itself.
This is called the transaction. Users can submit transactions against the
database and view each transaction as occurring by itself. Concurrency is
said to occur when the DBMS coordinates actions and reads and writes of
PPT
database objects of various transactions properly. For integrity and
Integrity Constraints in concurrency to be secure, each transaction that is applied against the
Relational Databases
database must leave the database in a consistent state.
Explain entity and
referential integrity The DBMS simply stores the data after a transaction, that is, it does not
requirements in a understand how an operation on data occurs. A transaction might
relational DBMS.
commit after completing all its actions or it could abort or be aborted
by the DBMS after executing some actions. A very important property
guaranteed by the DBMS for all transactions is that they are atomic.
Atomicity simply means that if a transaction requires a number of steps to
execute properly, all of the steps need to be executed properly or none of
them will execute. In other words, some people say, “either all or none.”
To help with concurrency, the DBMS logs all actions so that if needed, it
can undo the actions of aborted transactions. Problems related to this
may occur if several users who are attempting to query data from the
database interfere with each other’s requests.
As we mentioned earlier, there are two integrity rules of the relational
model that are very important to always address and ensure. These are
entity integrity and referential integrity. The two rules apply to every
relational model and focus on the primary and foreign keys as
described earlier.
Entity integrity means that the tuple must have a unique and non-null
value in the primary key. This guarantees that the tuple is uniquely
identified by the primary key value.
Referential integrity states that for any foreign key value, the referenced
relation must have a tuple with the same value for its primary key. In
other words, for every foreign key value, there must be a valid relation
back as a primary key somewhere else in another table. Essentially,
every table relation, or join, must be accomplished by having a proper
relationship in another table.
SQL Sublanguages
Notes
SQL actually consists of these three sublanguages:
Security Controls in
Development Environments l The Data Definition Language (DDL) is used to create databases,
tables, views, and keys specifying the links between tables. Because
PPT it is administrative in nature, users of SQL rarely use DDL commands
as they should be restricted to database administrators.
SQL Sublanguages
l DDL also has nothing to do with the population of the database,
Define SQL sublanguages.
which is accomplished by Data Manipulation Language (DML),
used to query and extract data, insert new records, delete old
records, and update existing records.
PPT
l System and database administrators utilize Data Control
Object-Oriented (OO)
Database Model
Language (DCL) to control access to data. It provides the security
control aspects of SQL and should be the security professional’s
Define object-oriented
(OO) DBMS models.
area of concern.
These are some of the DCL commands:
l COMMIT: Saves work that has been done
l SAVEPOINT: Identifies a location in a transaction to which you
can later roll back, if required
l ROLLBACK: Restores the database to its state at the last
COMMIT _
l SET TRANSACTION: Changes transaction options such as what
rollback segment to use
There are other scripting and query languages for organizations to use
that are similar to the above, to allow the creation of database interface
applications that rely on an underlying database engine for function.
Notes making data calls. The Component Object Model (COM) is the
protocol that allows OLE to work properly. OLE allows users to
Security Controls in share a single source of data for a particular object. The document
Development Environments
contains the name of the file containing the data, along with a
picture of the data. The way OLE works is that when the source is
PPT updated, all the documents using the data are also updated.
Activity: Database As part of the OLE technology, there is something called OLE DB,
Interface Languages
Review which is an interface language designed by Microsoft to link data
across various DBMSs. It is an open specification that is designed to
Introduce activity for
interface languages.
build on the success of ODBC by providing an open standard for
accessing all kinds of data across different environments. It enables
organizations to easily take advantage of information contained not
only in data within a database environment, but also when accessing
PPT
data from other types of data sources.
Activity: Database
Interface Languages The OLE DB interfaces are based on the COM, and as such, they
Review – Answers provide applications with uniform access to data regardless of the
Explain the answers to information source. The OLE DB separates the data into components
the activity. that can run as middleware on a client or server across a wide variety of
applications. The OLE DB architecture provides for components such as
direct data access interfaces, query engines, cursor engines, optimizers,
business rules, and transaction managers.
As with any powerful interface language, when organizations are
developing databases and determining how data may be linked
through the applications accessing those databases, security must be
addressed during the development stage. If OLE DB is considered,
there are optional OLE DB interfaces that can be implemented to
support the administration of security information. OLE DB interfaces
allow for authentication and authorization for access to data among
components and applications. The OLE DB can also provide a clear
view of the security mechanisms that are supported by the operating
system and the database components.
Answers:
1. A system of symbols and rules to identify structures (format)
Notes
Security Controls in
8
in a document. Development Environments
Many database developers today will support the use of the Tiered Application
Approach
internet and corporate intranets to allow users, through
interface technologies, to access centralized back-end servers Explain tiered application
that contain data. approach.
Notes needs attention. The tier approach can add to security because the users
do not connect directly to the data. Instead, they connect to a middle
Security Controls in layer, the business logic layer, which connects directly to the database on
Development Environments
behalf of the users. In this model, the middle tier can provide relevant
security. There is a bad side of this as well; if the database provides
PPT security features, they may be lost in the translation through the middle
Tiered Application
layer. So, when looking at providing security, it is important to analyze not
Approach (continued) only how the security features are implemented, but also where they are
Explain tiered application
implemented and how the configuration of the application with the back-
approach. end database affects the overall security features. As always, additional
security considerations should always focus on user authentication, user
access control, auditing of user actions, protecting data as it travels
PPT
between the tiers, managing identities across the tiers, scalability of the
system, and setting the proper privileges for the different tiers.
ActiveX Data Objects
(ADO)
Define ADO. ActiveX Data Objects (ADO)
ADO is a Microsoft high-level interface for all kinds of data. It can be
used to create a front-end database client or a middle-tier business
PPT object using an application, tool, or internet browser. This tool is very
Metadata valuable to developers because they can simplify the development of
Define metadata.
OLE DB by using ADO. Objects can be the building blocks of Java,
JavaScript, Visual Basic, and other object-oriented languages. By using
common and reusable data access components (COM), different
applications can access all data regardless of data location or data
format. ADO is very flexible as it can support typical client/server
applications, HTML tables, spreadsheets, and mail engine information.
Many security professionals are concerned about the use of ADO because
there are no configurable restrictions on its access to the underlying system.
But, as a mitigation to this, newer browsers implement sandboxing and
stronger ActiveX controls to address this vulnerability.
Metadata
Metadata is defined as information that describes other information.
Literally, people will define metadata as “data about the data.” As such,
metadata can provide a systematic method for describing resources and
improving the retrieval of information. The objective is to help users search
through a wide range of sources with better precision so that those data
objects can be accessed more efficiently. It includes the data associated
with either an information system or an information object for the purposes
of description, administration, legal requirements, technical functionality,
usage, and preservation. Metadata is considered the key component for
using and capitalizing on a data warehouse.
Notes patterns, correlations, and trends in the data warehouse, which is a large
repository purposely set up for data mining.
Security Controls in
Development Environments There can be many advantages to using data-mining techniques in driving
business intelligence. However, there may be some disadvantages,
especially related to security. The ability to mine data about individuals
PPT
may possibly lead to privacy issues. The danger increases when private
Online Analytical information may be stored on the web or an unprotected area of the
Processing (OLAP)
(continued) network and thus becomes available to unauthorized users. In addition,
the integrity of the data may be at risk as well. Because a large amount
Define OLAP.
of data must be collected, transformed, and loaded, the chance of errors
through human data entry and processing may result in inaccurate
relationships or patterns. These errors are sometimes referred to as data
PPT contamination.
Activity: Database
Vulnerabilities and One possibly positive security element of data mining is to use the same
Threats mining tools to review audit logs to determine intelligence related to events
Introduce activity related and incidents. Because audit logs may contain many entries, data-mining
to database vulnerabilities tools can help to discover abnormal events by drilling down into the data
and threats. for specific trends or unusual behaviors. Security professionals and
stakeholders may be able to use data-mining tools to mine security
intelligence to drive better controls and address vulnerabilities in a more
efficient and cost-effective way.
INSTRUCTIONS
Working with a partner, review your assigned threats and prepare to
explain them to the rest of the class.
l Aggregation and inference: The ability to combine non-sensitive
data from separate sources to create sensitive information is
referred to as aggregation. For example, a user takes two or more
unclassified pieces of data and combines them to form a classified
piece of data that then becomes unauthorized for that user. The
combined data sensitivity can be greater than the classification
of individual parts. Being able to aggregate information may lead
to inference possibilities. Inference is the ability to deduce more
sensitive information than you should be allowed.
l TOCTOU: TOCTOU can also occur in database environments. Introduce activity related
to database vulnerabilities
An example is when some type of malicious code or privileged and threats.
access could change data between the time that a user’s query
was approved and the actual time the data is displayed to
the user. PPT
l Web security: Many database environments allow access to
DBMS Controls
data through web technologies. Static web pages (HTML or
Explain the need for
XML files) are methods of displaying data stored on a server DBMS security controls.
to the user’s browser. One method is when an application
queries information from the database and the HTML page
displays the data. Another is through dynamic web pages
that are stored on the web server with a template for the
query and HTML display code, but no actual data is stored.
When the web page is accessed, the query is dynamically
created and executed and the information is displayed
within the HTML display. If the source for the page is viewed,
all information, including sensitive data, may be visible at
this point. Providing security control includes measures for
protecting against unauthorized access during the log-in
process, protecting the information while it is transferred from
the server to the web server, and protecting the information
from being stored on or downloaded to the user’s browser.
l Unauthorized access: Allowing the release of information
either intentionally or accidentally to unauthorized users.
Examples may include error messages or system prompts
that provide the unauthorized user with information about
the nature or function of the system.
DBMS Controls
Database security is a very important issue to address. The
challenge for both the security professionals, database
administrators and owners, and other stakeholders is to retain
control over the organization’s data and ensure business rules are
Notes set up a view for each type of user and then each user can only
access the view assigned to them. Some database views will allow
Security Controls in the restrictions to be very granular, for example, of both rows and
Development Environments
columns, while others allow for views that can write and update data
as well as the capability to only read.
PPT l Grant and revoke access controls: Grant and revoke controls allow
Other DBMS Access users who have “grant authority” permission to grant permissions
Controls (continued) to other users. In a grant and revoke system, if a user is granted
Define other DBMS permission without the grant option, the user will not be able to pass
security controls. that grant authority to anyone else. This is, in a sense, a modification
of discretionary access control. However, there is a weakness where
the possibility exists of a user being granted access but not grant
authority could make a complete copy of the relation and subvert
the system. Because the user, who is not the owner, created a copy,
the user is now considered by the system to be the owner of the
copy and therefore, could provide grant authority over the copy to
other users. And because the copy is not updated with the original
relation, the user making the copy could continue making similar
copies of the relation and continue to provide the same data to
other users. The revoke statement functions like the grant statement.
One of the possible security characteristics of the revoke statement
is its cascading effect. When the rights previously granted to a user
are subsequently revoked, all similar rights are revoked for all users
who may have been granted access by the newly revoked user.
l Security for object-oriented (OO) databases: Most of the
models for securing databases have been designed for relational
databases since it has been a very popular architecture. Because
of the complexity of object-oriented databases, the security
models for object-oriented databases are also more complex.
Adding to this complexity, the views of the object-oriented
model may differ as they are more granular. Therefore, each
security model has to make some assumptions about the object-
oriented model used for its particular database.
l Metadata controls: In addition to facilitating the effective retrieving
of business intelligence information, metadata can also be used
to manage restricted access to sensitive information. Metadata
can serve as sort of a gatekeeper to enforce access rules and as a
result provide security controls. One example of metadata is called
the data dictionary, which is a central repository of information
regarding the various databases that may be in use within the entire
enterprise. The data dictionary does not provide direct control of
databases, or access control restrictions, but it can give the database
administrator a full understanding and view of the various bodies
of information throughout the enterprise, potentially including the
sensitivity and classification of material held in different objects that
Knowledge Management
Knowledge management is the efficient and effective management of
information and associated resources in an enterprise to drive business
intelligence and decision-making. It involves several existing research
areas tied together by their common application environment, that is,
the enterprise itself. Some areas that organizations get into as part of
knowledge management include workflow management, business
process modeling, document management, databases and information
systems, knowledge-based systems, and possibly several other
methodologies to drive decision-making to allow the organization to
meet its goals and objectives efficiently and effectively.
Many organizations are also getting into trending areas of knowledge
management such as application of artificial intelligence technologies to
drive and support decision-making and business intelligence. Knowledge
management systems frequently make use of data warehousing and
associated technologies. The data warehouse serves to store the
accumulated enterprise knowledge that has to be managed and is used to
mine business intelligence out of it.
Notes system uses pattern discovery and removes redundant data found. By
eliminating redundant and non-important data, the discovery of patterns in
Security Controls in the data becomes much more simplified.
Development Environments
Deviation and trend analysis uses filtering techniques to detect patterns
in the data. An example of this might be where an intrusion detection
PPT
system (IDS) filters large volumes of data so that only the pertinent data
Knowledge Discovery is reviewed and analyzed.
in Databases (KDD)
(continued)
Define KDD and relate to Security Controls in KDD
security issues.
Because KDD drives useful business intelligence and decisions, it is
important to secure the process. Security controls may include the
following:
PPT
Security Controls in l Protecting the knowledge base as you would any database
KDD l Routinely verifying the decisions based on what outcomes are
Explain security expected from specific inputs
requirements in KDD.
l If using a rule-based approach, changes to the rules must go
through a change control process
l If the data output seems suspicious or out of the ordinary,
PPT
perform additional and possibly different queries to verify the
Web Application
Environment
information as being accurate
l Making risk management decisions because decisions that are
Define the web
application environment based on data warehouse analysis techniques may be incorrect
and explain it is the l Developing a baseline of expected performance from the
largest attack vector
and why. analytical tool being used
l The standard security tools of firewalls and intrusion Mention the reasons
that make websites
detection systems can be applied but are not particularly vulnerable.
well suited to protecting such public websites:
o In the case of firewalls, a website must have standard
ports open for specific traffic. PPT
o Intrusion detection systems (IDSs) must be tuned Web Application
properly and maintained adequately to provide any Threats and Protection
(2 slides)
useful information from the flood of data. Websites
will see all kinds of traffic, from different locations, Explain web application
requesting connections, web pages, submitting form threats and protection
methods.
information, or even updating search engine facts.
Viruses
A computer virus is a software program written with functions and
intent to copy and disperse itself without the knowledge and
cooperation of the owner or user of the particular system. Researchers
of malicious software disagree on a perfect definition of a virus;
however, a common definition may be a program that modifies other
programs to contain a possibly altered version of itself. This definition
is generally attributed to Fred Cohen from his seminal research in the
mid-1980s, although Dr. Cohen’s actual definition is in a mathematical
form. The term “computer virus” was first defined by Dr. Cohen in his
graduate thesis in 1984. Cohen credits a suggestion from his advisor,
Leonard Adleman (of RSA fame), for the use of the term. Cohen’s
definition is specific to programs that attach themselves to other
executable programs as their intent of infection. However, common
usage now holds viruses to consist of a set of coded program
instructions that are designed to attach to an object capable of
containing the material without knowledgeable user intervention.
Types of Viruses
There are a number of various types of viruses, such as file infectors,
boot sector infectors, system infectors, email viruses, multipartite,
macro viruses, and script viruses. These terms do not necessarily
indicate differing characteristics as, for example, a file infector may
also be a system infector. A script virus that infects other script files
may be considered a file infector, although this type of activity,
while theoretically possible, is unusual in practice. Researchers tell
Notes us that there are also difficulties in drawing a hard distinction between
macro and script viruses. The following are characteristics of the various
Security Controls in types of viruses:
Development Environments
l File infectors: A file infector infects program or object files.
System infectors that infect operating system program files are
PPT
also considered to be file infectors. File infectors can attach to
Types of Viruses the front of the object file (prependers), attach to the back of the
(continued)
file, and create a jump at the front of the file to the virus code
Define different types of (appenders), or overwrite the file or portions of it (overwriters).
viruses.
l Boot sector infectors: Boot sector infectors attach to or replace
the master boot record, system boot record, or other boot
records and blocks on physical disks. The importance of boot
sectors is that in most operating systems, the boot sector needs
to be read and executed during the boot process to function
properly. Boot sector infectors usually copy the existing boot
sector to another unused sector of the hard drive and then copy
themselves into the first physical sector, ending with a call to
the original programming. Many examples exist such as Brain,
Stoned, and Michelangelo viruses.
l System infectors: System infector is a somewhat a vague and
overused term. The phrase is often used to indicate viruses that
infect operating system files, or boot sectors, in such a way that
the virus is called at boot time and may have control over some
functions of the operating system. Recent viruses in the Windows
environment sometimes preferentially infect utility files in the
system directory. In other examples, a system infector modifies
other system structures, such as the linking pointers in directory
tables or the MS Windows system registry, in order to be called
first when programs are invoked on the host computer. An
example of directory table linking is the DIR virus family. Many
email viruses will target the Windows registry, examples are MTX
and Magistr, and these can be very difficult to get rid of.
l Companion virus: Some virus programs have been specifically
designed to not physically touch the target file at all. For example,
one method is quite simple and may take advantage of precedence
in the system. In MS-DOS, for example, when a command is given,
the system checks first for internal commands, then .COM, .EXE,
and .BAT files, in that order. .EXE files can be infected by writing a
.COM file in the same directory with the same filename. This type of
virus is most commonly known as a companion virus, although the
term spawning virus is sometimes also used.
l Email virus: An email virus specifically, rather than accidentally,
uses the email system to spread. Although virus-infected files may
Malware Types
In addition to viruses, there are many other flavors of malware. They
include worms, hoaxes, Trojan horses, logic bombs, botnets, pranks and
spyware and adware, as well as others. Each of these has its own
characteristics. Some forms of malware combine characteristics of more
than one type, and it can be difficult to draw hard and fast distinctions in
regards to individual examples of malware, but it may be important to
keep the specific attributes in mind.
For example, viruses and Trojans are being used to spread and plant
remote access Trojans (RATs), and in some cases, RATs are being used to
install zombies. In some cases, hoax virus warnings are being used to
spread viruses. In some other cases, virus and Trojan horse payloads may
contain logic bombs and data diddlers. So, drawing a specific distinction
between malware has become clouded.
l Worms: A worm reproduces and spreads, just like viruses; however,
worms are distinct and different from viruses although they may
have similar results. The difference is that a worm can propagate
without user action. In other words, they do not rely on human
involvement, instead they spread across networks of their own
accord, primarily by exploiting known vulnerabilities in common
software. The lack of requirement for user involvement means that
Notes intrusive and frequently now have functions that will install without
the user’s knowledge and can possibly have privacy implications.
Security Controls in Companies involved with spyware and adware have been quite
Development Environments
active in promoting the confusion of definitions and terms.
Vendors and developers of anti-spyware programs have frequently
found themselves targets of lawsuits alleging that the identification
of programs as spyware is defamation.
l Pranks: Pranks are very much a part of the computer culture, so
much so that anyone can now buy commercially produced joke
packages that allow you to perform tricks on other users. There
are numerous pranks available as shareware. Some make the
computer appear to insult the user and yet others will use sound
effects or voices and even use special visual effects. An example
might be PARASCAN, the paranoid scanner. It pretends to find
large numbers of infected files, although it does not actually check
for any infections at all. Generally speaking, pranks that create
some kind of announcement are not considered to be malware
and in fact, viruses that can generate a screen or audio display
are actually quite rare. The distinction between jokes and Trojans
is harder to make, but pranks are intended for amusement and
not malicious intent. The malicious part may be the consuming of
computing resources and network resources. One specific type
of joke is the Easter egg, a function hidden in a program and
generally accessible only by some arcane sequence of commands.
These may be seen as harmless, but note that they do consume
resources, even if only disk space, and also make the task of
ensuring program integrity much more difficult. Repeated pranks
may also serve to dissuade the end user from seeking help from
the help desk when legitimately needed for a security reason.
l Botnets: A botnet is a network of automated systems or processes
(robots or for short, bots) performing a specific function together,
usually malicious. Botnets have greatly magnified the power and
speed of malicious operations because they all work together
toward achieving a malicious goal, and they have allowed for tuning
and directing of operations in a way that was not possible with
malicious programs in the past. The distributed nature of botnets
and related technologies such as fast-flux domain and Internet
Protocol (IP) address reassignment (rapidly rotating domain names
and IP addresses) have made it much more difficult to detect,
analyze, and remove botnets and botnet activity from networks and
architectures. Bot agent software can be installed on user machines
in any number of ways, but usually Trojan horse programs may be
used. In some cases, users are socially engineered to infect their
own machines. This may or may not be viruses, or indeed worms.
Drive-by downloads, peer-to-peer file sharing software, and instant
Notes other. There are three approaches to how antivirus software technology
is able to work:
Security Controls in
Development Environments l Known signature scanning
l Activity monitoring
PPT l Change detection
Malware Protection:
Tools (continued) Some people compare these basic types of malware detection systems to
common intrusion detection system (IDS) types, although the comparison
Explain importance of
malware protection and is not exact, it is made by some regardless. A scanner is like a signature-
methods. based IDS. An activity monitor is like a rule-based IDS or an anomaly-
based IDS. And a change detection system is like a statistical-based IDS.
l Scanners: These are also known as signature scanners or known
virus scanners, and they look for search strings whose presence
is characteristic of a known virus. In other words, they look for
known signatures of known viruses and malware. As they are
able to recognize specific types of viruses, they frequently have
capabilities to remove the virus from an infected object; however,
some objects cannot be repaired. Even where an object can be
repaired, it is often preferable and probably safer to replace the
object altogether rather than repair it, and some scanners are
very selective about which they may be able to repair.
l Heuristic scanners: One of the latest technologies used for
scanning is what is referred to as intelligent analysis of unknown
code, currently referred to as heuristic scanning. More closely
associated with activity monitoring functions than traditional
signature scanning, this looks for suspicious sections of code that
are generally found in virus and malicious programs. Activities,
such as modifying code and unauthorized change, can be
associated and flagged by heuristic scanning as suspicious.
One disadvantage of heuristics, however, may be that they can
generate a lot of false positives, or false alarms.
l Activity monitors: An activity monitor performs a task very similar
to an automated form of traditional auditing: it watches for and
flags what may be suspicious activity. It may, for example, check
for any calls to format a disk or attempts to alter or delete program
files while a program other than the operating system is in control.
These are just examples of some activities that activity monitors
may flag as suspicious. Activity monitors may be even more
sophisticated and check for any program that performs direct
activities with hardware without using the standard system calls.
l Change detection: Change detection software examines system
or program files and configurations, stores the information, and
compares it against the same program files and configurations on
Answers:
1. Heuristic PPT
2. Scanner Activity: Malware
Protection Tools –
3. Zero-day/Zero-hour Answers
4. An activity monitor Explain the answers to
the activity.
Notes availability, and usage of the correct version of all system components
such as the software code, design documents, documentation, and
Security Controls in control files.
Development Environments
CM, therefore, involves reviewing every change made to a system.
This includes identifying, controlling, accounting for, and auditing all
PPT
changes. The process would include the following:
Configuration
Management (CM) l The first step is to identify any changes that are made.
(continued)
l Controlling occurs when every change is subject to some type
Define configuration
of documentation that must be reviewed and approved by an
management.
authorized individual.
l Accounting is recording and reporting on the configuration of the
PPT software or hardware throughout any change procedures.
Configuration l Auditing allows the completed change to be verified, especially
Management Plans ensuring that any changes did not affect the security policy or
Define configuration protection mechanisms that are implemented.
management plans.
Configuration Management Plans
The best method of controlling changes is to have a CM plan that
ensures changes are performed in a step-by-step, rigorous, and agreed-
upon manner. Any deviations from the plan may change the
configuration of the entire system architecture and could essentially
void any certification that it is a secure, trusted system. In a project, CM
often refers to the controlling of changes and limiting them to the scope
or requirements of the project. Not controlling properly can often lead
to what is called scope creep, and a lack of configuration management
can lead to a project never being completed or structured because its
requirements are continuously changing.
At its heart, CM is intended to eliminate the confusion and error brought
about by the existence of different versions of artifacts. An artifact is
defined as a piece of hardware, software, or documentation. Changes are
made to correct errors, provide enhancements, or simply reflect the
evolutionary refinement of product definition. Without a well-enforced CM
process, involved team members can use different versions of artifacts
unintentionally and erroneously. Individuals can also create versions without
the proper authority, and possibly the wrong version of an artifact can be
used inadvertently. Successful CM requires a well-defined and understood
set of policies and standards that clearly define the following:
l The set of artifacts (configuration items) under the jurisdiction
of CM
l How artifacts are named
Notes
Module 4: The Effectiveness of
The Effectiveness of
Software Security Software Security
PPT
Module Objectives
Introduce the module
objectives.
NIST SP 800-37 R1
Notes
The U.S. National Institute of Standards and Technology (NIST) has
The Effectiveness of
Software Security
developed and published a document, SP 800-37 Revision 1: Guide
for Applying the Risk Management Framework to Information Systems
that recommends a security authorization process and procedures to
PPT ensure the risk management process is applied into application
NIST SP 800-37 R1 development and how security is involved to ensure the effectiveness
Mention NIST SP800-37
of software and its security capabilities. As we’ve seen above, the
as an example of what process of certification and accreditation can be very useful, but the
to emphasize in secure NIST SP 800-37 Revision 1 guidance has provided a way to create a
software development. change in the traditional thought process surrounding certification
and accreditation and extends it. The revised process emphasizes
the following:
PPT
l Building information security capabilities into information systems
Risk Management
through the application of state-of-the-practice management,
Framework (RMF)
operational, and technical security controls
Mention the RMF as
a framework to allow l Maintaining awareness of the security state of information
organizations to manage systems on an ongoing basis though enhanced monitoring
information security processes
related risks.
l Providing essential information to senior leaders to facilitate
decisions regarding the acceptance of risk to organizational
operations and assets, individuals, and other organizations,
PPT
arising from the operation and use of information systems
RMF Characteristics
Mention characteristics
of RMF. Risk Management Framework (RMF)
Using the NIST SP 800-37, the traditional certification and accreditation
process has been transformed into a six step Risk Management
Framework (RMF). The risk management process changes the traditional
focus of certification and accreditation as a static, procedural activity to
a more dynamic approach that provides the capability to the
organization to more effectively manage information system-related
security risks in highly distributed and diverse environments of complex
and sophisticated cyber threats, ever-increasing system vulnerabilities,
and rapidly changing organizational needs.
RMF Characteristics
The RMF has the following characteristics:
l Promotes the concept of near real-time risk management and
ongoing information system authorization by stakeholders through
the implementation of robust continuous monitoring processes
There are some really good reasons why a private organization may
implement the certification and accreditation process with the NIST
PPT
extension, as above. Reasons may include the following:
Auditing and Logging
l A certification and accreditation process ensures a control of Changes
framework has been selected and is consistently being Explain the importance
applied across the organization. of logging and auditing
of changes to systems.
l If implemented as part of a change management program,
the system authorization process can have a relatively low
overhead.
l Security authorization standards can mandate the use of
standards, and standardization across an organization can
lead to gains in efficiency and less unexpected changes.
l If implemented properly, a security authorization program
includes all aspects of a system’s security, including physical,
training, environment, and interconnections that could be
missed by purely technical approaches.
Logs
Notes
A log is a record of security relevant actions and events that have taken
The Effectiveness of
Software Security
place on a computer architecture. Logs:
l Provide a clear view of who owns a process, what action was
PPT initiated, when it was initiated, where the action occurred, and
why the process ran
Logs
l Are the primary record keepers of system and network activity
Explain the importance
of logs. l Are particularly helpful in capturing the pertinent information
to explain what happened and why in the event that security
controls experience failures
PPT
Auditing Auditing
Explain the importance As part of due care and due diligence, it is in the best interest of the
of auditing.
enterprise to have appropriate auditing policies in place. One such
requirement is to effectively and efficiently collect information regarding
critical and security related events occurring in valuable network and
PPT systems in the form of logs for the purpose of being able to manage
Change Management them appropriately.
Explain the importance
of change management. This information regarding security relevant events is typically available
in the form of logs and would enable all interested parties, such as
management, executives, and stakeholders, as well as network and
system administrators, to understand and assess the following:
l The need for establishing baselines
l The performance of various servers and systems
l An application‘s functional and operational problems
l Effective detection of intrusion attempts
l Forensic analysis
l Compliance with various regulatory laws
Change Management
Organizations need to understand change and change management as
integral elements in any successful enterprise security architecture. They
need to make sure that changes to applications and other systems
already in production are made in a rigorous and controlled way to
ensure quality assurance of the change. As part of this, organizations
need to be able to plan for change, manage it through a well-defined
lifecycle, approve changes, document it, and roll it back if required. There
are many practices and guides available that organizations can use as
frameworks to guide change management and change control.
Code Signing
Code signing is a technique that can be used to address
applications software integrity. As a summary, code signing can be
Notes
The Effectiveness of
8
Software Security
used to determine the following:
Acceptance Testing
Acceptance testing is a formal test conducted to determine
whether the system satisfies its acceptance criteria and to enable
Notes
The Effectiveness of
8
Software Security
the owner/customer to determine whether to accept the system.
Software vulnerabilities, malicious code, and software that does not Explain how security is
involved in all phases of
function as required is a substantial risk to any organization’s software- software acquisition.
intensive critical infrastructure. Minimizing risks associated with the
software environment is the goal of software assurance. In other
words, software assurance can be defined as having a high level of
confidence that software is free from vulnerabilities, either intentionally
designed into the software or accidentally inserted at any time during
its lifecycle, and that it functions in the intended manner.
Planning Phase
Notes
This phase begins with:
The Effectiveness of
Software Security l Needs determination for acquiring software services or products,
identifying potential alternative software approaches, and
PPT identifying risks associated with those alternatives. This includes
the following:
Planning Phase
o Developing software requirements to be included in work
Explain security’s role in
the planning phase. statements
o Creating an acquisition strategy and/or plan that includes
identifying risks associated with various software acquisition
PPT strategies
Contracting Phase o Developing evaluation criteria and an evaluation plan
Explain security’s role in
the contracting phase. Contracting Phase
This phase includes three major activities:
PPT l Creating and issuing the solicitation or request for proposal (RFP)
Monitoring and with a work statement, instructions to potential respondents of
Acceptance Phase RFP, terms and conditions, including conditions for acceptance,
Explain security’s role prequalification considerations, and certifications.
in the monitoring and l Evaluating supplier proposals submitted in response to the
acceptance phase.
solicitation or RFP.
l Finalizing contract negotiation to include changes in terms and
conditions and awarding the contract.
Software risks should be addressed and mitigated through terms and
conditions, certifications, evaluation factors for award, and risk
mitigation requirements in the work statement.
Follow-on
This phase involves maintaining the software. This process is
sometimes called sustainment. This phase includes two major
Notes
The Effectiveness of
8
Software Security
activities:
Acquisition Process
The acquisition process can be leveraged to promote good software
development practices and facilitate the delivery of trustworthy
software to the organization. All final software security requirements
Notes 4. Buffer overflow and boundary condition errors are subsets of:
Notes 6. A property that ensures only valid or legal transactions that do not
violate any user-defined integrity constraints in DBMS technologies
Domain Review is known as:
A. Durability
B. Isolation
C. Consistency
D. Atomicity
The correct answer is C. Consistency as part of the ACID (Atomicity,
Consistency, Isolation, Durability) test ensures that transactions that are
applied do not affect the integrity of the database and its contents. The
integrity of the database needs to be the same as it was before the
transaction was applied.
Notes
8
Notes
Glossary
Term Definition
Glossary
Acceptable risk A suitable level of risk commensurate with the potential benefits
of the organization’s operations as determined by senior
management.
Address Resolution Is used at the Media Access Control (MAC) Layer to provide for
Protocol (ARP) direct communication between two devices within the same LAN
segment.
Asset lifecycle The phases that an asset goes through from creation (collection)
to destruction.
Asymmetric Not identical on both sides. In cryptography, key pairs are used,
one to encrypt, the other to decrypt.
Attack surface Different security testing methods find different vulnerability types.
Glossary 763
Official (ISC)2 CISSP Training Guide
Term Definition
Audit/auditing The tools, processes, and activities used to perform compliance reviews.
Authorization The process of defining the specific resources a user needs and
determining the type of access to those resources the user may have.
Black-box testing Testing where no internal details of the system implementation are used.
Bridges Layer 2 devices that filter traffic between segments based on Media
Access Control (MAC) addresses.
Business continuity A term used to jointly describe business continuity and disaster
and disaster recovery efforts.
recovery (BCDR)
Business impact A list of the organization’s assets, annotated to reflect the criticality of
analysis (BIA) each asset to the organization.
Capability Maturity Maturity model focused on quality management processes and has
Model for Software five maturity levels that contain several key practices within each
or Software maturity level.
Capability Maturity
Model (CMM
or SW-CMM)
Cellular Network A radio network distributed over land areas called cells, each served
by at least one fixed-location transceiver, known as a cell site or base
station.
764 Glossary
Instructor Edition
Term Definition
Glossary
individuals and entities to their public keys.
CIA/AIC Triad Security model with the three security concepts of confidentiality,
integrity, and availability make up the CIA Triad. It is also
sometimes referred to as the AIC Triad.
Clearing The removal of sensitive data from storage devices in such a way
that there is assurance that the data may not be reconstructed
using normal system functions or software recovery utilities.
Code-division Every call’s data is encoded with a unique key, then the calls are
multiple access all transmitted at once.
(CDMA)
Common Object A set of standards that addresses the need for interoperability
Request Broker between hardware and software products.
Architecture
(CORBA)
Computer virus A program written with functions and intent to copy and disperse
itself without the knowledge and cooperation of the owner or
user of the computer.
Glossary 765
Official (ISC)2 CISSP Training Guide
Term Definition
Condition coverage This criterion requires sufficient test cases for each condition in a
program decision to take on all possible outcomes at least once. It
differs from branch coverage only when multiple conditions must be
evaluated to reach a decision.
Confusion Provided by mixing (changing) the key values used during the
repeated rounds of encryption. When the key is modified for each
round, it provides added complexity that the attacker would
encounter.
Covert channel An information flow that is not controlled by a security control and has
the opportunity of disclosing confidential information.
Covert security Performed to simulate the threats that are associated with external
testing adversaries. While the security staff has no knowledge of the covert test,
the organization management is fully aware and consents to the test.
Crossover Error This is achieved when the type I and type II are equal.
Rate (CER)
Curie Temperature The critical point where a material’s intrinsic magnetic alignment
changes direction.
766 Glossary
Instructor Edition
Term Definition
Custodian Responsible for protecting an asset that has value, while in the
custodian’s possession.
Glossary
Data classification Entails analyzing the data that the organization retains,
determining its importance and value, and then assigning it to a
category.
Data custodian The person/role within the organization who usually manages the
data on a day-to-day basis on behalf of the data owner/controller.
Data flow coverage This criteria requires sufficient test cases for each feasible data
flow to be executed at least once.
Database model Describes the relationship between the data elements and
provides a framework for organizing the data.
Glossary 767
Official (ISC)2 CISSP Training Guide
Term Definition
Digital rights A broad range of technologies that grant control and protection to
management (DRM) content providers over their own digital media. May use cryptography
techniques.
Disaster Those tasks and activities required to bring an organization back from
recovery (DR) contingency operations and reinstate regular operations.
Dynamic testing When the system under test is executed and its behavior is observed.
Encoding The action of changing a message into another format through the
use of a code.
False Acceptance This is erroneous recognition either by confusing one user with
Rate (Type II) another, or by accepting an imposter as a legitimate user.
768 Glossary
Instructor Edition
Term Definition
Glossary
Fibre Channel over A lightweight encapsulation protocol, and it lacks the reliable
Ethernet (FCoE) data transport of the TCP layer.
Global System for Each call is transformed into digital data that is given a channel
Mobiles (GSM) and a time slot.
Hash function Accepts an input message of any length and generates, through
a one-way operation, a fixed-length output called a message
digest or hash.
Honeypots/ Machines that exist on the network, but do not contain sensitive
honeynets or valuable data, and are meant to distract and occupy malicious
or unauthorized intruders, as a means of delaying their attempts
to access production data/assets. A number of machines of this
kind, linked together as a network or subnet, are referred to as a
“honeynet.”
Glossary 769
Official (ISC)2 CISSP Training Guide
Term Definition
Identity proofing The process of collecting and verifying information about a person for
the purpose of proving that a person who has requested an account, a
credential, or other special privilege is indeed who he or she claims to be
and establishing a reliable relationship that can be trusted electronically
between the individual and said credential for purposes of electronic
authentication.
Internet Control Provides a means to send error messages and a way to probe the
Message Protocol network to determine network availability.
(ICMP)
Internet Group Used to manage multicasting groups that are a set of hosts anywhere
Management on a network that are listening for a transmission.
Protocol (IGMP)
Internet Protocol Is the dominant protocol that operates at the Open Systems
(IPv4) Interconnection (OSI) Network Layer 3. IP is responsible for addressing
packets so that they can be transmitted from the source to the
destination hosts.
Internet Protocol Is a modernization of IPv4 that includes a much larger address field:
(IPv6) IPv6 addresses are 128 bits that support 2128 hosts.
Intrusion detection A solution that monitors the environment and automatically recognizes
system (IDS) malicious attempts to gain unauthorized access.
Intrusion prevention A solution that monitors the environment and automatically takes
system (IPS) action when it recognizes malicious attempts to gain unauthorized
access.
770 Glossary
Instructor Edition
Term Definition
Glossary
Job rotation The practice of having personnel become familiar with multiple
positions within the organization as a means to reduce single
points of failure and to better detect insider threats.
Key Clustering When different encryption keys generate the same ciphertext
from the same plaintext message.
Key Length The size of a key, usually measured in bits, that a cryptographic
algorithm uses in ciphering or deciphering protected
information.
Least privilege The practice of only granting a user the minimal permissions
necessary to perform their explicit job function.
Logical access Non-physical system that allows access based upon pre-
control system determined policies.
Loop coverage This criterion requires sufficient test cases for all program loops
to be executed for zero, one, two, and many iterations covering
initialization, typical running, and termination (boundary)
conditions.
Mandatory access Access control that requires the system itself to manage access
controls (MAC) controls in accordance with the organization’s security policies.
Glossary 771
Official (ISC)2 CISSP Training Guide
Term Definition
Message A small block of data that is generated using a secret key and then
authentication appended to the message, used to address integrity.
code (MAC)
Message digest A small representation of a larger message. Message digests are used
to ensure the authentication and integrity of information, not the
confidentiality.
Misuse case A use case from the point of view of an actor hostile to the system
under design.
Multi-condition These criteria require sufficient test cases to exercise all possible
coverage combinations of conditions in a program decision.
Multi-factor Ensures that a user is who he or she claims to be. The more factors
authentication used to determine a person’s identity, the greater the trust of
authenticity.
Multiprotocol Label Is a wide area networking protocol that operates at both Layer 2 and
Switching (MPLS) 3 and does label switching.
Need-to-know Primarily associated with organizations that assign clearance levels to all
users and classification levels to all assets; restricts users with the same
clearance level from sharing information unless they are working on the
same effort. Entails compartmentalization.
Negative testing This ensures the application can gracefully handle invalid input or
unexpected user behavior.
772 Glossary
Instructor Edition
Term Definition
Glossary
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
Overt security Overt testing can be used with both internal and external
testing testing. When used from an internal perspective, the bad actor
simulated is an employee of the organization. The organization’s
IT staff is made aware of the testing and can assist the assessor
in limiting the impact of the test by providing specific guidelines
for the test scope and parameters.
Parity bits RAID technique; logical mechanism used to mark striped data;
allows recovery of missing drive(s) by pulling data from adjacent
drives.
Glossary 773
Official (ISC)2 CISSP Training Guide
Term Definition
Path coverage This criteria require sufficient test cases for each feasible path, basis
path, etc., from start to exit of a defined program segment, to be
executed at least once.
Personally Any data about a human being that could be used to identify that
identifiable person.
information (PII)
Physical access An automated system that manages the passage of people or assets
control system through an opening(s) in a secure perimeter(s) based on a set of
authorization rules.
Ping of Death Exceeds maximum packet size and causes receiving system to fail.
Ping Scanning Network mapping technique to detect if host replies to a ping, then
the attacker knows that a host exists at that address.
Plaintext The message in its natural format has not been turned into a secret.
Purging The removal of sensitive data from a system or storage device with the
intent that the data cannot be reconstructed by any known technique.
774 Glossary
Instructor Edition
Term Definition
Glossary
Real user An approach to web monitoring that aims to capture and analyze
monitoring (RUM) every transaction of every user of a website or application.
Recovery point A measure of how much data the organization can lose before
objective (RPO) the organization is no longer viable.
Recovery time The target time set for recovering from any interruption.
objective (RTO)
Residual risk The risk remaining after security controls have been put in place
as a means of risk mitigation.
Risk avoidance Determining that the impact and/or likelihood of a specific risk is too
great to be offset by the potential benefits and not performing a
certain business function because of that determination.
Risk transference Paying an external party to accept the financial impact of a given
risk.
Glossary 775
Official (ISC)2 CISSP Training Guide
Term Definition
Role-based access An access control model that bases the access control authorizations
control (RBAC) on the roles (or functions) that the user is assigned within an
organization.
Rule-based access An access control model that is based on a list of predefined rules
control (RBAC) that determine what accesses should be granted.
Security Assertion A version of the SAML standard for exchanging authentication and
Markup Language authorization data between security domains.
2.0 (SAML 2.0)
Security governance The entirety of the policies, roles, and processes the organization uses
to make security decisions in an organization.
Single factor Involves the use of simply one of the three available factors solely to
authentication carry out the authentication process being requested.
Smurf ICMP Echo Request sent to the network broadcast address of a spoofed
victim causing all nodes to respond to the victim with an Echo Reply.
Software assurance The level of confidence that software is free from vulnerabilities either
intentionally designed into the software or accidentally inserted at any
time during its lifecycle and that it functions in the intended manner.
Software-defined Separates network systems into three components: raw data, how the
networks (SDNs) data is sent, and what purpose the data serves. This involves a focus
on data, control, and application (management) functions or “planes”.
776 Glossary
Instructor Edition
Term Definition
Glossary
(SD-WAN) especially related to cloud migration.
Statement coverage This criterion requires sufficient test cases for each program
statement to be executed at least once; however, its achievement
is insufficient to provide confidence in a software product’s
behavior.
Static source code Analysis of the application source code for finding vulnerabilities
analysis (SAST) without executing the application.
Symmetric algorithm Operate with a single cryptographic key that is used for both
encryption and decryption of the message.
Glossary 777
Official (ISC)2 CISSP Training Guide
Term Definition
Time multiplexing Allows the operating system to provide well-defined and structured
access to processes that need to use resources according to a
controlled and tightly managed schedule.
Time of check time Takes advantage of the dependency on the timing of events that takes
of use (TOCTOU) place in a multitasking operating system.
Attacks
Transport Control Layering model structured into four layers (network interface layer,
Protocol/Internet internet layer, transport layer, host-to-host transport layer, application
Protocol (TCP/ IP) layer).
Model
Transposition The process of reordering the plaintext to hide the message by using
the same letters or bits.
Trusted computing The collection of all of the hardware, software, and firmware within a
base (TCB) computer system that contains all elements of the system responsible
for supporting the security policy and the isolation of objects.
User Datagram The User Datagram Protocol provides connectionless data transfer
Protocol (UDP) without error detection and correction.
Virtual Local Area Allow network administrators to use switches to create software-
Networks (VLANs) based LAN segments that can be defined based on factors other than
physical location.
Voice over Internet Is a technology that allows you to make voice calls using a broadband
Protocol (VoIP) internet connection instead of a regular (or analog) phone line.
778 Glossary
Instructor Edition
Term Definition
Glossary
Methodology next phase begins.
Well-Known Ports Ports 0–1023 ports are related to the common protocols that are
utilized in the underlying management of Transport Control
Protocol/Internet Protocol (TCP/IP) system, Domain Name
Service (DNS), Simple Mail Transfer Protocol (SMTP), etc.
White-box testing A design that allows one to peek inside the “box” and focuses
specifically on using internal knowledge of the software to guide
the selection of test data.
Wi-Fi (Wireless Primarily associated with computer networking, Wi-Fi uses the
LAN IEEE 802.11x) IEEE 802.11x specification to create a wireless local-area network
either public or private.
Work factor This represents the time and effort required to break a
cryptography system.
Glossary 779
Official (ISC)2 CISSP Training Guide
Copyright Acknowledgments
Acknowledgments appear on page i, which constitutes an extension of this copyright page.
Excerpts from the following material are hereby acknowledged.
“The Importance of Data Classification and Ownership.” © SkyView Partners, Inc. 2007. All
Rights Reserved.
Data Retention Policy. Courtesy of Mediaburst.co.uk
Guide to Data Protection Principle 1: Fair and Lawful. This material is covered by ICO’s Open
Government Licence (OGL) v3.0 http://www.nationalarchives.gov.uk/doc/open-
government-licence/version/3/
From Speech 1.2: “Weaving the Web” in Proceedings from the ISO-CERN conference on
Standardization and Innovation held in November 2014. With permission from Ben
Segal.
OAuth (Open Authorization) Standard. Copyright © 2011 IETF Trust and the persons
identified as the document authors: Eran Hammer-Lahav (editor), David Recordon, Dick
Hardt.. All rights reserved.
Excerpt from KPMG Business Matters 2016 Q3: Overview of SOC1, SOC2 and SOC3
reports. By Bing Lin, Manager, IT Advisory. © 2016 KPMG, a group of Bermuda limited
liability companies which are member firms of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a
Swiss entity. All rights reserved.
“Negative Testing” © 2017 SmartBear Software. All Rights Reserved.
“Misuse Cases: Use Cases with Hostile Intent”; first appeared in IEEE Software, Vol. 20, No.1,
Jan-Feb 2003, 58–66. Used by permission of Ian Alexander. Retrieved from http://www.
scenarioplus.org.uk/papers/misuse_cases_hostile_intent/misuse_cases_hostile_intent.htm.
Figure reproduced with permission of Jefferson Parish Sheriff’s Office.
“What you need to know about the WannaCry Ransomware,” blog post by Symantec
Security Response Team. Copyright © 2017 Symantec Corporation. All rights reserved.
Reprinted with permission from Symantec Corporation.
Instructor Notes
Instructor Notes
Module 1
The concepts of the CIA triad are fundamental, and it is crucial that you communicate that
importance to the participants. A quick review of pertinent situations/controls/examples
would be very helpful here.
While they are included as a brief mention in the guide, the terms nonrepudiation and
authentication do not need to be discussed in class at this point; they will be addressed in
a later domain. Bringing them up at this point might only confuse the participants.
Module 2
The discussion that explains that security is not typically a strategic business goal can be
tricky; class participants, as security practitioners, can be reluctant to accept this concept, or
even be resistant to it. Two good examples to explain the idea:
Example 1: A private-sector company. The company is in business to make money not to
provide security. A lack of security can inhibit this goal: for instance, fees assessed by
regulators in the wake of a data breach are unnecessary and unplanned expenses, and the
loss of confidential business information (such as proprietary sales or marketing data) might
cost the company its competitive edge and lead to less market share. But if the company
were to decide not to budget anything for security, the company could still exist, with
perhaps reduced profits.
Example 2: The military. The job of the military is to deliver orchestrated force not to provide
security. A lack of security can inhibit this goal: for instance, if the enemy learns how to
defeat a particular weapon system, then the delivery of force is attenuated, or if the enemy
learns of particular battle plans, then the military loses the element of surprise. But the
military could function without any security whatsoever and still deliver force, albeit with
greater complication, cost, and reduced effectiveness.
Module 3
In the discussion of risk analysis, when talking about the concept of likelihood, it is crucial to
stress that there is never “zero risk.” One example that might be useful is meteorites: there is
always the possibility a meteorite will strike the organization, even though that likelihood is
very, very small.
Module 8
When discussing RTO and RPO, it is useful to stress the following:
l RTO is a measure of time, using units of time.
l RPO is a measure of data, using units of time.
l The RTO and RPO will be different for every organization, based on that
organization’s needs and functions.
Instructor Notes
l Any item that has value to the organization can be referred to as an asset.
l As asset is anything that has value to the organization.
l Assets are sometimes referred to as resources.
Classification Process
Describe the classification process. Highlight the fact that discovery of assets to create an
inventory starts the process, butit is an ongoing requirement.
Summary—Process of Protection of Valuable Assets Based on Classification
To better achieve goals and objectives, organizations today are generating massive amounts
of information that obviously will represent organizational value. It is important for
organizations to understand exactly the value that this information represents. Identifying
and classifying assets and information will allow organizations to determine and achieve the
protection requirements for the information.
Module 2
Asset Lifecycle
There are many methodologies that describe the data lifecycle, this is just one example.
However, the point is that protection throughout the lifecycle needs to be done based on
value at that particular lifecycle moment. Classification and categorization allows protection
of that data throughout its lifecycle. These phases focus on the security requirements as
data goes through its lifecycle.
Asset Lifecycle
Assets should be classified based on value upon discovery or creation. Custodianship begins
after the classification process. Archiving requirements are dictated by laws, regulations,
best practices, corporate policies, and authorizations.
Classification
Explain that classification systems are used to protect the assets based on their value, which
is expressed through the classification process.
Categorization
Explain the purpose of categorization.
Instructor Notes
Who Decides Data Classification?
Owners should always classify their assets, they are in the best position to understand value,
which drives classification.
Classification Benefits
Discuss some of the benefits that organizations can realize by having a good classification
system in place with the proper supporting elements, such as education, proper
technologies, etc. There may be other benefits listed here, other than the obvious benefit
of classification providing the proper protection based on value of the asset.
Module 3
Module Objectives
In many cases, we will use “data” as an example asset.
Module Topics
Introduce the module topics. But also point out that accountability and responsibility for
each is important to establish.
Accountability/Responsibility Activity
Instruct participants to fill in either the word “accountable” or “responsible” in relation to
protection of data and the different roles listed. The last role “subject” is a trick question,
they are neither accountable or responsible but rather should have “control” over their data
no matter who has collected it, processed it, and stored it, etc. This is according to most
privacy laws and regulations.
Module 4
Privacy – Introduction
These are the data protection principles as required by the Information Commissioner’s
Office (ICO) of the UK. It is an independent authority to uphold information rights, including
data privacy for individuals. These are from the Guide for Data Protection that basically say
that if you are handling personal information about individuals, you have obligations under
the DPA to protect that information.
Module 5
Establishing Information Governance and Retention Policies
Explain that retention and archiving is driven by policy. These policies need to reflect on not
only the value of the data being retained, but bylaws, regulations, and other drivers that are
important for organization to understand.
Instructor Notes
Example Review Activity
Introduce activity.
Best Practices
Explain best practices in data and records retention.
Module 6
Baselines
Baselines, minimum levels of security, can provide the basis for how to protect assets that
have been classified. There should be baselines for each of the classification levels that exist.
Baselines – Summary
As a summary:
A baseline is a consistent reference point.
Baselines provide a definition of the minimum level of protection that is required to protect
valuable assets.
Baselines can be defined as configurations for various architectures that will indicate the
necessary settings and the level of protection that is required to protect that architecture.
Example Baselines and How They Can be Used to Enforce Security Controls
Explain how baselines can be used to enforce security controls for each classification. Other
“columns” would exist for other requirements such as retention, audit, destruction, and
disaster recovery, etc. We only show four categories of controls on this slide but the list
could go on.
Baseline Catalogs
Many catalogs exists around the world that can be useful for organizations to follow. These
end up being frameworks that can provide comprehensive guidance to organizations.
Data States
Data at Rest: data stored on media in any type of form. It is at rest because it is not being
transmitted or processed in any way.
Data in Motion: data that is currently traveling, typically across a network. It is in motion
because it is moving.
Data in Use: data that is being processed by applications or processes. It is in use because it
is data that is currently in the process of being generated, updated, appended, or erased. It
might also be in the process of being viewed by users accessing it through various
endpoints or applications.
Protection of Data
Explain that whatever state the data is in, it needs to be protected based on value. Its
classification level will dictate the value, and the baselines will dictate the protection.
Data in Use
Explain the challenges in protecting data in use, as data being processed usually requires
that data to be in clear text.
Instructor Notes
Module 7
Module Objectives
Discuss the asset handling requirements based on policies, procedures based on
classification levels.
Module 8
Data Remanence
Explain data remanence and the issues associated with data remaining on an object.
Data Remanence
Destruction is always preferred. Explain difference between media destruction and data
destruction. Purging is better than clearing, but destruction is always best, provided the
destruction method is a good one.
Clearing
Definition of clearing.
Purging
Definition of purging. Note the definition using the words “cannot be reconstructed” by any
known means. This is better than clearing.
The final slide reintroduces the CIA/AIC Triad in the context that all Security Architecture
and Engineering activities should support one or more of these key security principals
Module 2
This module is programmed as a short introduction to common security models
The models in this module are formal or academic security models and are not necessarily
implemented perfectly in practical systems. This should not detract from the value of the
models but only identify that the models are very high-level concepts, and practical
implementation requires significantly more detail than that provided in the models
themselves.
For each of the security models listed, the instructor should provide an overview of the
model with the primary purpose and use of the model. The student guide has the major
points of purpose of each model listed.
The final slide introduces the concept that the modern operating systems and applications
do implement some of the fundamental concepts from the formal security models, but they
are rarely based on one particular model.
Module 3
This module is programmed as a short introduction to security controls, what they are,
where they come from, and how to implement them. Domain 1 should have covered some
of this material, and this will partially be a review of that material in the context of how to
identify the correct controls for the operating environment and tailoring those controls
appropriately.
Module 4
This module is an introduction to system security capabilities. The focus is on controls or
technical capabilities for protecting data or systems that are typically built into system
architectures.
There is an introduction to the 13 system security capabilities that will be discussed in the
module. For initial context, the instructor should identify how the capabilities work together
using some examples from personal experience.
The generic OS/Computer model slide is intended to introduce extremely rudimentary
computer architecture for students that have not been exposed to it before. The main point for
this slide is the separation between user mode components, kernel mode components, and
system hardware. This slide can also be used as a reference when discussing the capabilities.
For each of the capability slides, introduce the capability and describe the value of the
capability per the student guide descriptions.
Module 5
This module introduces common vulnerabilities and potential mitigations that exist in most
systems to some degree as well as some architecture specific vulnerabilities and mitigations.
The listed vulnerabilities and mitigations are necessarily generic in this format, and it should
Instructor Notes
be stressed to the students that these represent common issues and are not intended to be
comprehensive when applied to a particular real-world system.
The first several slides introduce common system vulnerabilities. These exist in most systems
in some form. During the architecture specific slides, a graphic will appear on the slide to
remind the students that they must also consider the common vulnerabilities in
communications, hardware, code, and user misuse and how those common vulnerabilities
might apply to any specific architecture.
For each of the architectures described, there is a standard three-slide format. The first slide
characterizes the architecture element (e.g., client-based systems), the next slide lists
common vulnerabilities associated to that architecture element, and the third slide lists
common mitigations that might be applied.
Cloud and mobile architectures contain extra slides to provide additional detail.
For each three (or more) slide set, the instructor should introduce and characterize the
architecture element on the first slide. Describe the architecture specific vulnerabilities on the
second slide. Time permitting, the instructor should ask the class to consider common (e.g.,
communications, hardware, code, misuse) vulnerabilities that might be unique to the particular
architecture. This can be used as an interactive discussion on each architecture type as timer
permits. The final slide should be used to introduce the architecture specific mitigations.
Module 6 Cryptography
Block Ciphers
Our example of a block cipher here uses earlier resultants from the algorithm and combines
them with later keys. This is in effect DES in CBC (Cipher Block Chaining). We will talk about
the 4 modes of DES later on. Here is the explanation:
l The data you wish to encrypt is broken up into data blocks (DB1, DB2, etc.). An
Initialization Vector (IV), 64 randomly chosen bits, is added to the beginning of the
data to ensure that all blocks can be properly ciphered. The IV is simply a random
character string to ensure that two identical messages will not create the same
ciphertext. To create your first block of ciphertext (CT1), you mathematically combine
the crypto key, the first block of data (DB1), and the initialization vector (IV). When you
create the second block of ciphertext (CT2), you mathematically combine the crypto
key, the first block of ciphertext (CT1), and the second block of data (DB2). Because
the variables in your algorithm have changed, DB1 and DB2 could be identical,
but the resulting ciphertext (CT1 and CT2) will contain different values. This helps
to ensure that the resulting ciphertext is sufficiently scrambled so that it appears
completely random.
Null Cipher – “Are You Deaf, Father William,” William Carroll - 1876
Famous poem by William Carrol written in 1876. First letter of each line spells out the name
of his lover at the time, Adelaide Paine.
Rijndael
The winner of the AES competition hosted by NIST. This winner is eventually planned to
replace DES as the standard for symmetric key cryptography. Rijndael is the winner, as
announced on Oct. 2, 2000, out of approx. 30 competitors and later, 5 finalists.
In many respects, Rijndael is a relatively simple cipher.
Rijndael has a variable number of rounds. Other than an extra round performed at the end
of encipherment with one step omitted, the number of rounds in Rijndael is:
l 9 if both the block and the key are 128 bits long
l 11 if either the block or the key is 192 bits long, and neither of them is longer
than that
l 13 if either the block or the key is 256 bits long
The process for enciphering a block of data in Rijndael is to first perform an Add Round Key
step (XORing a sub key with the block) by itself, the regular rounds noted above, the final
round with the Mix Column step, as described below, omitted.
The Rounds
There are four steps in each round. First is the Byte Sub step, where each byte of the block
is replaced by its substitute in an S-box.
Next is the Shift Row step. Considering the block to be made up of bytes 1 to 16, these
bytes are arranged in a rectangle and shifted according to the algorithm. Next comes the
Mix Column step. Matrix multiplication is performed: each column, in the arrangement we
have seen above, is multiplied by the matrix:
l 2311
l 1231
l 1123
l 3112
The final step is Add Round Key. This simply XORs in the sub key for the current round.
Symmetric Algorithms
Some of the common block cipher symmetric algorithms are listed here in a comparison
type chart. Note that RC5 is a “parameterized” algorithm—the first parameter refers to
the block size in bits, the second parameter refers to the number of iterations during the
scrambling, and the last refers to the key length in bytes (i.e., 7 = 56 bits). This allows it to
be used at various strengths. The larger the parameters, the stronger (but slower) the
encryption. Obviously, the sender and the receiver must agree upon a given set of
parameters.
Instructor Notes
Asymmetric Algorithms
Factoring is splitting an integer into a set of integers that when multiplied together, form the
original integer. For example, 35 factors into 5 and 7. Using large prime numbers and
multiplying them together is easy, but as far as we know, factoring that product is much
more difficult.
The discrete logarithm problem is a mathematical problem using entities called groups. A
group is a collection of elements, together with an operation defined on them that is
commonly referred to as multiplication or composition and follows certain rules. Assuming
the group has a finite number of elements, each element in the group has an order, the
minimum number of times it must be multiplied by itself to get back to the identity, which is
usually one. The discrete logarithm problem is as follows: given an element g in a finite
group G and another element h Î G, find an integer x such that gx = h. For example, the
solution to the problem 3x º 13 (mod 17) is 4, because 34 = 81 º 13 (mod 17).
Knapsack algorithms were also used in the past as a third hard math problem for algorithms
such as Chor Rivest, Merkle Helman, but mention that KnapSack algorithms are no longer
used, as they have been broken.
support the interchangeable use of different standard hash functions as necessary, so they
are increasingly replacing MAC functions for integrity controls (e.g., HMAC is used in SSL
and IPSEC).
Remember that a digital signature has a side benefit of providing non-repudiation as well as
integrity checking, while a keyed hash does not provide non-repudiation, but it runs much
faster and doesn’t require a PKI to be implemented.
Key Management
Elements of key management. As the key is the only thing that provides security in
cryptography, key management becomes critical in the success of any cryptosystem.
Brute Force
Assumptions: Faster supercomputer: 10.51 Pentaflops = 10.51 x 1015 Flops [Flops = Floating
point operations per second]
No. of Flops required per combination check: 1000 (very optimistic but just assume for now)
No. of combination checks per second = (10.51 x 1015)/1000 = 10.51 x 1012
No. of seconds in one year = 365 x 24 x 60 x 60 = 31536000
No. of years to crack AES with 128-bit key = (3.4 x 1038)/[(10.51 x 1012) x 31536000]
= (0.323 x 1026)/31536000
= 1.02 x 1018
= 1 billion years
Module 7
This module introduces physical security concepts for the CISSP. As context, it should be
stressed that the CISSP must understand physical security concepts, even in organizations
that have separated physical and IT security into different organizational responsibilities.
The CISSP must understand how the presence or absence of physical security may impact
the computer system security controls or design elements that must be employed.
Additionally, the CISSP may be in a position at smaller organizations where they have direct
responsibility over physical security controls or assessment responsibilities over physical
Instructor Notes
security controls.
In addition to supporting confidentiality, integrity, and availability protections, physical
security elements must also consider human safety as a primary goal. Examples of each goal
are provided on the introductory slides.
The site and facility design considerations slide should be used to introduce some top level
design considerations. A few minutes should be spent on this slide identifying the
importance of each and some relationship to either computer security or human safety. In
some cases it may include both. For instance, mail screening can be used to prevent
malicious physical attacks (e.g., anthrax in the mail protected by mail screening) or examples
of cyber attacks (e.g., mailing a cellular device with active wireless access point to someone
on vacation to attack internal wireless protected by mail screening). These items are “good
to know” general physical security controls but are not explicitly identified in the course
outline, and descriptions can be minimized to shorten overall time.
The next several slides walk through common physical security concerns from the surrounding
area to the operational facilities. Each slide provides some examples of vulnerabilities or
concerns at each layer with a list of controls that should be considered for employment.
The perimeter Security Controls Typical Control Types slides and Internal Security Control
slide introduce types of security controls that exist in the physical world that should be
considered as well as some basic employment considerations.
The topics listed on the Implement Site and Facility Security Controls slide are an
introduction, and each item has a follow on slide(s). These items are explicitly identified in
the course outline. Each of the following slides describes the particular topic.
The Fire Suppression slides introduce two main types of installed fire suppression: water-
based and gas-based. Aerosol-based systems are listed under gas systems and may be
considered a third main type but are not consistently listed as a main type. Chemical agent
suppression using handheld extinguishers is also listed.
A list of potential environmental issues is on the last module slide. The instructor should
introduce each and how they may affect computer system operations, usually through loss
of availability (power, communication, etc.) or direct damage/destruction of facilities.
Module 2
Physical Layer bits are encoded and decoded through transmitting and receiving devices
and media. Media and device types may potentially utilize signals that include light, radio,
or electrical.
Understanding system origins can assist in understanding current technology. Use the charts
concerning threats and countermeasures to discuss real-world relevant issues.
Module 3
The data-link layer prepares the packet that it receives from the Network Layer to be
transmitted as frames on the network. This layer ensures that the information it exchanges
with its peers is error-free.
Switches remain the dominant technology consumed at Layer 2. Review the significance of
threats and countermeasures related to Layer 2 technology listed in the chart.
Module 4
The network layer moves data between networks as packets by means of logical addressing
schemes. There was a time when this layer was crowded with other logical network
addressing protocols but now IP is dominant.
Routers and firewalls remain the technology that is consumed most heavily at Layer 3. Focus
on the prevalent threats that are related to the design of fragmentation in the threats and
countermeasure chart.
Module 5
The transport layer delivers end-to-end services through segments transmitted in a stream of
data and controls streams of data to relieve congestion through elements that include QoS.
Focus on the three types of ports that are associated with TCP/UDP. Discuss the threats and
countermeasure chart that is related to TCP/UDP.
Module 6
The session layer provides a logical persistent connection between peer hosts. The session
layer is responsible for creating, maintaining, and tearing down the session.
No specific technology services are specified for the session layer in ISO 7498–2.
Module 7
The presentation layer maintains that communications delivered to a recipient are in a
common and discernable system format. To provide a reliable syntax, systems processing at
the presentation layer will use ASCII or EBCDIC to translate from Unicode.
There are obscure yet effective attacks at the presentation layer. Review the threats and
countermeasures for more details.
Module 8
Instructor Notes
The application layer supports or hosts the function of applications that run on a system. All
manner of human supported interfaces, messaging, systems control, and processing occur
at the application level. While the Application Layer itself is not the application, it is where
applications run.
Map out and understand the sequence of DNS, DHCP, LDAP, and SNMP resolutions. Be
aware of the threats and countermeasures for the application layer.
Module 11
When meeting as a small group (3 to 4 max) keep the participants brief with sharing incidents.
Each participant should listen carefully while the other participants are sharing. If there is time left
in the day after part II is completed have each group give a brief recounting of their findings.
Module 2
Participants should be thinking about control types: administrative, logical, and physical.
Control categories: detective, directive, compensating, deterrence, preventive, recovery, and
corrective. For roles: Custodian matches Application Administrator, and Data Owner
matches the privilege manager.
Module 3
Lead a discussion on the credential management process and have the participants share
their challenges with selection methodology.
Module 4
Highly regulated environments and stringent PII protection requirements may skew decisions
towards retaining on-premise management versus cloud.
Participants should be thinking Resource Owner, Server (OAuth) match the Service Provider
(SAML); Client App (OAuth) match User/Principal (SAML); etc.
Module 5
Encourage participants to integrate knowledge from previous domains to engage the
activity for this domain.
Module 3
Delineate differences between training and awareness with participants by having them
reflect for a few minutes on their work environments and consider what focus they can bring
to aid in cultural change and business success. Have the participants share responses with
the classroom.
Module 5
Prompt participants to connect the appropriate SOC report with a concern that an
organization may have with a service provider. An example, what report and type might an
organization order that is concerned about is engaging a service provider that is new to
market versus one that needs to provide high assurance data privacy controls?
Module 2
In the discussion of patches, please state that the concept and terms of “routine patches”
and “reactive patches” are not common industry standard, nor are they testable, but they
are used here for academic purposes only to explain the different types and uses of patches.
Instructor Notes
Module 8
In the DLP discussion, it’s worth mentioning that DLP tools can aid in limiting both malicious and
inadvertent disclosures; users with hostile intent (insider threats) and those who may accidentally
attempt to send sensitive data can both be identified and prevented from doing so.
Module 9
When discussing the JOA/MOU/multiple processing site options, it’s useful to point out that
the various locations involved don’t need floorspace/workspaces sufficient to replicate the
entire affected site, but they only need enough room for those personnel essential to
maintain the critical path.
Module 12
You can add that, overall, exercises are a great opportunity for cross-training personnel and
allowing deputies and assistants a chance to practice managerial roles while primary
personnel are participating in the exercise.
Decommissioning/Disposal
Important accountabilities that the owner needs to address. Decommissioning and disposal
also requires security to be involved in some example activities mentioned on the slide.
allowing refinements during the process is that a change control mechanism must
be implemented. Also, the scope of the project may be exceeded if clients change
requirements after each release.
l Joint Analysis Development (JAD) It was originally invented to enhance the
Instructor Notes
development of large mainframe systems; however, JAD facilitation techniques
have now become an integral part of Rapid Application Development (RAD), web
development, and other methods. It is a management process that helps developers
work effectively with users to develop an application that works. Its success is based
on having key players communicate at critical phases of the project. The focus
is on having the people who actually perform the job (those who have the best
understanding of the job) work together with those who have the best understanding
of the technologies available to design a solution. JAD facilitation techniques
bring together a team of users, expert systems developers, and technical experts
throughout the development lifecycle.
l Prototyping: The prototyping method was formally introduced in the early 1980s to
combat the weaknesses of the waterfall model. The objective is to build a simplified
version (prototype) of the application, release it for review, and use the feedback from
the users to build a second, better version. This is repeated until the users (client)
is satisfied with the product. It is a four-step process: initial concept, design and
implement initial prototype, refine prototype until acceptable, complete and release
final version. List, TCL, and Smalltalk are often used for prototyping.
l Rapid Application Development (RAD): RAD is a form of rapid prototyping
that requires strict time limits on each phase and relies on tools that enable quick
development. This may be a disadvantage if decisions are made so rapidly that it
leads to poor design.
l Modified Prototype Model (MPM): It is a form of prototyping that is ideal for web
application development. It allows for the basic functionality of a desired system or
component to be formally deployed in a quick time frame. The maintenance phase is
set to begin after the deployment. The goal is to have the process be flexible enough
so that the application is not based on the state of the organization at any given time.
As the organization grows and the environment changes, the application changes
with it rather than being frozen in time.
l Exploratory Model: A set of requirements is built with what is currently available.
Assumptions are made as to how the system might work and further insights and
suggestions are combined to create a usable system.
l Spiral Method: The spiral model is a combination of both the waterfall and
prototyping methods. Similar to prototyping, an initial version of the application is
developed; however, the development of each version is carefully designed using
the waterfall model. A distinguishing feature of the spiral model is that in each phase
a risk assessment review is added. Estimated costs to complete and schedules are
revised each time the risk assessment is performed. Based on the results of the risk
assessment, a decision is made to continue or cancel the project.
l Reuse Model: An application is built from existing components. This model is best
suited for projects that can use object-oriented development because objects can be
exported, reused, or modified.
l Cleanroom: This was developed in the 1990s as an engineering process for the
development of high-quality software. It is named after the process of cleaning
electronic wafers in a wafer fabrication plant. Instead of cleaning the crud from the
wafer after it has been made, the objective is to prevent the crud from getting into
the fabrication environment. In software application development, it is a method
of controlling defects (bugs) in the software. The goal is to write code correctly the
first time rather than trying to find the problems once they are there. Essentially,
cleanroom software development focuses on “defect prevention” rather than “defect
removal.” Cleanroom software engineering produces applications that are correct by
mathematically sound design and are certified by statistically valid testing. Reduced
development time is achieved from incremental development strategy and the
avoidance of reworking the code. To achieve this, more time is spent in the design
phase; however, the time spent in other phases, such as testing, is reduced (i.e.,
quality is achieved through design and not testing). Since testing often consumes the
majority of a project time line, the time saved during the testing phase can result in
substantial savings.
l Computer Aided Software Engineering (CASE): It is the technique of using
computers to help with the systematic analysis, design, development, implementation,
and maintenance of software. It was designed in the 1970s, but has evolved to include
visual programming tools and object-oriented programming. It is most often used on
large, complex projects that involve multiple software components and many people.
It provides a mechanism for planners, designers, code writers, testers, and managers
to share a common view of where a software project is at each phase of the lifecycle
process. By having an organized approach, code and design can be reused, which
can reduce costs and improve quality. The CASE approach requires building and
maintaining software tools and training for the developers who will use them.
l Component-Based Development: It is the process of using components that are
standardized building blocks that can be used to assemble rather than develop
an application. The components are encapsulated sets of standardized data
and standardized methods of processing data that together offer economic and
scheduling benefits to the development process.
l Structured Programming Development: It is a method that programmers use to
write programs that allows a considerable influence on the quality of the finished
products in terms of coherence, comprehensibility, freedom from faults, and
security. It is one of the most widely known programming development models.
The methodology promotes discipline, allows introspection, and provides controlled
flexibility. It requires that processes are defined, development is modular, and each
phase is subject to reviews and approvals. It also allows for security to be added in a
formalized, structured approach.
Instructor Notes
rapidly-changing requirements. XP teams design software for specific functionalities
without adding any functionalities not specifically requested that may slow down the
process, keeping the development course simple through systematic and regular
testing and design improvements.
Dev/Ops
Process that emphasizes communication and collaboration between the three entities.
DevOps addresses the disconnect that usually exists in traditional software development. It
creates a culture of shared accountability by bridging gaps between all involved including
Development, Quality Assurance, and Operations teams. The idea is to facilitate
cooperation that should allow faster and better deployments.
Module 2
Polyinstantiation
Object-oriented systems provide security by applying controls based on policy. For
example, in a CORBA system, a policy applies to a domain. System administrators can apply
policy to an object by putting the object into a domain and setting up policy for the domain.
Encapsulation protects objects. It is not possible to see what is contained in the object
because it is encapsulated.
Polyinstantiation is also the technique used to prevent inference violations. Essentially, it
allows different versions of the same information to exist at different classification levels;
therefore, users at a lower classification level don’t know of the existence of a higher
classification level.
CORBA
CORBA is a set of standards that address the need for interoperability between hardware
and software products. CORBA allows applications to communicate with one another
regardless of where they are stored. The ORB is the middleware that establishes a client/
server relationship between objects. Using an ORB, a client can transparently locate and
activate a method on a server object either on the same machine or across a network. The
ORB operates regardless of processor type or programming language.
The process works as follows:
1. The client application (through an object) sends a request (message) to the target
object.
2. The message is sent through the ORB Security System. Inside the ORB Security
System is the Policy Enforcement Code that contains the organization’s policy
regarding objects.
3. If the policy allows the requester to access the targeted object, the request is then
forwarded to the target object for processing.
Runtime
Components, hardware and software, that allows applications to run on a system. Includes
the security features of that architecture.
Security Weaknesses and Vulnerabilities at the Source Code Level
Explain that the following slides explain weaknesses and vulnerabilities at the source code
level and need to be addressed properly through properly implemented security controls
and secure coding practices.
Social Engineering
Many definitions, but this one applies nicely to security and the software environment.
Instructor Notes
Activity: Security Weaknesses at the Source Code Level and Secure Coding Practices
Introduce the activity. Make the point that students need to understand these vulnerabilities
but also how security needs to be part of the process to ensure that secure coding practices
are followed to ensure mitigation of the same vulnerabilities.
Software Forensics
Analysis of source code or machine language to address issues related to legal
infringements related to patent, trade secret, or copyright infringement. Software forensics
may have other uses such as examining the output, consequences, and other traces
produced by software, especially for investigative purposes.
Module 3
Activity: Database Model Review
Introduce the activity. Basically match the correct definition to its DBMS model.
Knowledge Management
Knowledge management techniques to drive business intelligence. Automated process of
analyzing data to come up with meaning.
Module 4
NIST SP 800-37 R1
This NIST guideline is an extension of certification and accreditation and emphasizes some
key points to really ensure the secure development of applications and the security
capabilities within the application itself.
Change Management
Change management as a way to ensure effectiveness of software security.