
Official (ISC)² Student Guide

Instructor Edition

The CISSP student guide provides a comprehensive review of the knowledge required to effectively design, engineer, and manage the overall security posture of an organization.

An Official Publication

Dear Seminar Participant,

Congratulations! You are embarking on a journey to become part of the global (ISC)²
community. Not only are you taking a critical step in your career, you are also taking an
active role in inspiring a safe and secure cyber world.

Earning the CISSP certification demonstrates your ability to design and manage nearly all
aspects of an organization’s cybersecurity strategy.

The material in this course is based upon the knowledge found in the (ISC)² CISSP Common
Body of Knowledge. Successful completion of this course will help you achieve your career
goals, but passing the CISSP exam depends on your mastery of the domains covered within
the exam outline and your ability to apply those concepts in the real world.

I wish you the best of luck during the seminar and as you continue your journey to become a
certified member of (ISC)².

Sincerely,

David Shearer, CISSP
Chief Executive Officer
(ISC)²

Acknowledgments

The development of the CISSP Training Guide could not have been possible without the
participation and assistance of so many people. Their contributions are sincerely appreciated
and gratefully acknowledged.

Authors:
Mr. Ben Malisow, CCSP and CISSP
Mr. John Berti, CCSP, CISSP, and SSCP
Dr. Lyron Andrews, CCSP and CISSP
Mr. Kevin Stoffell, CAP, CCSP, CISSP, CISSP-ISSAP, CISSP-ISSEP, and CISSP-ISSMP

Editorial Service:
Six Red Marbles
Elsa Peterson Ltd.
Mr. Dennis Lee

Instructional and Graphic Design:
Six Red Marbles

Design Oversight:
Mr. Jon Harrison, (ISC)²

This book contains information obtained from authentic and highly regarded sources.
Reprinted material is quoted with permission, and sources are indicated. A wide variety of
references are listed. Reasonable efforts have been made to publish reliable data and
information, but the authors and the publisher cannot assume responsibility for the validity
of all materials or for the consequences of their use.

Please be advised that among the sources of quoted material in this document are United
States government publications, which by law belong to the public domain and therefore
require no copyright permission or acknowledgment. Further information about copyright is
available from the U.S. Copyright Office http://www.copyright.gov.

No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by
any electronic, mechanical, or other means, now known or hereafter invented, including
photocopying, microfilming, and recording, or in any information storage or retrieval system
without written permission from the publishers.


Table of Contents

Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .vii

Domain 1: Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . 1


Module 1: Concepts of Confidentiality, Integrity, and Availability . . . . . . . . . . . . . . . . . . . . 5
Module 2: Organizational/Corporate Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Module 3: Risk Management Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Module 4: Compliance Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Module 5: Legal and Regulatory Issues that Pertain to Information Security in a Global Context . . . . . . . . 45
Module 6: Security Policy, Standards, Procedures, and Guidelines . . . . . . . . . . . . . . . . . . . 54
Module 7: Personnel Security Policies and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Module 8: Security Awareness, Education, and Training Programs . . . . . . . . . . . . . . . . . . 64
Module 9: Business Continuity Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Module 10: Professional Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Module 11: Domain Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Domain 2: Asset Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93


Module 1: Information and Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Module 2: Asset Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Module 3: Information and Asset Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Module 4: Protect Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Module 5: Asset Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Module 6: Data Security Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Module 7: Information and Asset Handling Requirements . . . . . . . . . . . . . . . . . . . . . . . . 165
Module 8: Data Remanence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Module 9: Domain Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Official (ISC)2 CISSP Training Guide

Domain 3: Security Architecture and Engineering . . . . . . . . . . . . . . . . 189


Module 1: Processes Using Secure Design Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Module 2: Fundamental Concepts of Security Models . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Module 3: Select Controls Based upon System Security Requirements. . . . . . . . . . . . . . 205
Module 4: Security Capabilities of Information Systems . . . . . . . . . . . . . . . . . . . . . . . . . 209
Module 5: Vulnerabilities of Security Architectures, Designs, and Solution Elements . . . 220
Module 6: Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Module 7: Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Module 8: Domain Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

Domain 4: Communication and Network Security . . . . . . . . . . . . . . . . 331


Module 1: Secure Design Principles in Network Architectures. . . . . . . . . . . . . . . . . . . . . 334
Module 2: OSI Layer 1: Physical Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Module 3: OSI Layer 2: Data-Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Module 4: OSI Layer 3: Network Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Module 5: OSI Layer 4: Transport Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Module 6: OSI Layer 5: Session Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Module 7: OSI Layer 6: Presentation Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Module 8: OSI Layer 7: Application Layer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Module 9: Service Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Module 10: Secure Network Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Module 11: Secure Communications Channels According to Design . . . . . . . . . . . . . . . . 389
Module 12: Domain Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

Domain 5: Identity and Access Management (IAM) . . . . . . . . . . . . . . . .419


Module 1: Control Physical and Logical Access to Assets . . . . . . . . . . . . . . . . . . . . . . . . 422
Module 2: Identity and Access Provisioning Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Module 3: Identification and Authentication of People, Devices, and Services . . . . . . . . 433

Module 4: Identity Management Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Module 5: Implement and Manage Authorization Mechanisms . . . . . . . . . . . . . . . . . . . . 445
Module 6: Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Module 7: Domain Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450

Domain 6: Security Assessment and Testing . . . . . . . . . . . . . . . . . . . . . 465


Module 1: Design and Validate Assessment, Test, and Audit Strategies . . . . . . . . . . . . . 468
Module 2: Security Control Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Module 3: Security Process Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Module 4: Test Output and Generate Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Module 5: Conduct or Facilitate Security Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Module 6: Domain Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506

Domain 7: Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521


Module 1: Foundational Security Operations Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . 525
Module 2: Securely Provisioning Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Module 3: Resource Protection Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Module 4: Detective and Preventative Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Module 5: Incident Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Module 6: Requirements for Investigation Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Module 7: Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Module 8: Logging and Monitoring Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Module 9: Recovery Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Module 10: Disaster Recovery Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Module 11: Business Continuity Planning and Exercises . . . . . . . . . . . . . . . . . . . . . . . . . 593
Module 12: Test Disaster Recovery Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Module 13: Personnel Safety and Security Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Module 14: Domain Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603


Domain 8: Software Development Security . . . . . . . . . . . . . . . . . . . . . .615


Module 1: Security in the Software Development Lifecycle (SDLC) . . . . . . . . . . . . . . . . . 619
Module 2: Secure Coding Guidelines and Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
Module 3: Security Controls in Development Environments . . . . . . . . . . . . . . . . . . . . . . 685
Module 4: The Effectiveness of Software Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Module 5: Domain Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763

Copyright Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780

Instructor Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781


Welcome

PPT: Welcome

The Official (ISC)² Certified Information Systems Security Professional (CISSP) Training Seminar provides a comprehensive review of information systems security concepts and industry best practices, covering the eight domains of the CISSP Common Body of Knowledge (CBK):

1. Security and Risk Management
2. Asset Security
3. Security Architecture and Engineering
4. Communication and Network Security
5. Identity and Access Management (IAM)
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

This training course will help candidates review and refresh their information security knowledge as they pursue the CISSP certification.

How Do I Use the Course Materials?

PPT: How Do I Use the Course Materials?

The CISSP Training Seminar course material is built using the topics from the Exam Outline and additional topics approved by the (ISC)² CISSP Education Committee. The seminar is broken into progressively smaller sections in support of the course objectives. Each domain header identifies the objectives and what a student can expect to learn after completing the domain. These objectives are divided into smaller modules and sections. Modules contain activities that reinforce covered topics with a goal to increase knowledge retention.

The student guide is designed to be a self/group study tool that includes activities, references to external reading resources, study questions, and a glossary of terms. The columns on the outside of the pages are intended to be a place to make notes. There are three icons in use throughout the book. The icons and their meaning are outlined below.

This icon identifies a related PowerPoint slide: PPT
This icon identifies a case that will be presented and discussed during class time.
This icon identifies an activity that will be performed during class time.

Course Objectives

PPT: Course Objectives (5 slides)

After completing this course, the participant will be able to:
1. Understand and apply fundamental concepts and methods related to the fields of information technology and security.
2. Align overall organizational operational goals with security functions and implementations.
3. Understand how to protect assets of the organization as they go through their lifecycle.
4. Understand the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability.
5. Implement system security through the application of security design principles and the application of appropriate security control mitigations for vulnerabilities present in common information system types and architectures.
6. Understand the importance of cryptography and the security services it can provide in today’s digital and information age.
7. Understand the impact of physical security elements on information system security and apply secure design principles to evaluate or recommend appropriate physical security protections.
8. Understand the elements that comprise communication and network security coupled with a thorough description of how the communication and network systems function.
9. List the concepts and architecture that define the associated technology and implementation systems and protocols at Open Systems Interconnection (OSI) model layers 1–7.
10. Identify standard terms for applying physical and logical access controls to environments related to their security practice.
11. Appraise various access control models to meet business security requirements.
12. Name primary methods for designing and validating test and audit strategies that support business requirements.
13. Enhance and optimize an organization’s operational function and capacity by applying and utilizing appropriate security controls and countermeasures.
14. Recognize risks to an organization’s operational endeavors, and assess specific threats, vulnerabilities, and controls.
15. Understand the System Lifecycle (SLC) and the Software Development Lifecycle (SDLC) and how to apply security to it, and identify which security control(s) are appropriate for the development environment, and assess the effectiveness of software security.

Course Agenda

PPT: Course Agenda (2 slides)

Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security

Domain 1: Security and Risk Management

PPT: Security and Risk Management. Introduce the participants to the “Security and Risk Management” domain.

Overview
Domain 1 of the (ISC)2® CBK lays the foundation for the entire course,
introducing concepts and principles that will be utilized throughout.
It is imperative that the candidate learn and understand these
thoroughly, if the candidate is not already familiar with the material
from professional practice.
NOTE: Throughout this domain and much of the rest of the course
material, the term “organization” will be used to describe operational
entities; an organization might be a private business operating in a
market dynamic, a government entity, or a nonprofit/charitable
agency of some kind. This term is used in generic fashion as a
consideration that candidates may work for any type of functional unit;
the material is designed to be agnostic to the type of industry or
nature of work a particular unit might be involved in. When material is
specific to a certain type of organization, it will be specified in context
(for instance, a bank as a financial organization has specific security
concerns not faced by other types of organizations).

Domain Objectives

PPT: Domain Objectives (7 slides). Objectives for “Security and Risk Management” domain.

After completing this domain, the participant will be able to:
1. Explain the concepts of confidentiality, integrity, and availability.
2. Differentiate between confidentiality, integrity, and availability.
3. Recognize security governance principles.
4. Describe how the security function of an organization aligns to that organization’s business strategy, goals, mission, and objectives.
5. Describe various typical roles and responsibilities related to security within organizations.
security within organizations.
6. Identify governance processes within organizations, and explain
how those may affect security.
7. Identify specific security control frameworks based on a brief
description or list of framework attributes.
8. Discern between the concepts and meaning of “due care” and
“due diligence.”
9. Describe common practices used for asset valuation and the
challenges/benefits associated with each.
10. Distinguish between threats and vulnerabilities.
11. Identify common practices of risk assessment and analysis.
12. Know the four common methods of risk management.
13. Know how to choose from the four common methods of risk
management.
14. Recognize common practices for selecting security controls.
15. List the various types, classes, and categories of security controls.
16. Describe the importance of monitoring and measuring the
security program and controls and why this is performed on a
continuous basis.
17. Recognize common risk frameworks.
18. Apply risk-based management concepts to the supply chain and
the use of third parties for risk assessment and monitoring.
19. Recognize standard threat modeling concepts.
20. Apply threat modeling methodologies.
21. Recognize common threats and risks.
22. Recognize the purpose of the service level agreement, how it
augments the contract, and which items should be contained
in each.

23. Determine and document minimum security requirements.
24. Recognize the various forms of compliance requirements (laws/regulations, standards, and contracts).
25. Understand the concept of regulatory compliance, especially in the context of modern privacy requirements, and identify typical regulations encountered in practice.
26. Recognize the role of digital rights management (DRM) solutions in protecting intellectual property.
27. Recognize modern international legal restrictions on import/export of data and IT tools.
28. Identify common privacy terms used in current personal data protection laws worldwide.
29. Describe the hierarchy of written governance (policies,
standards, guidelines, and processes).
30. Identify the various means to support personnel security
goals, including common policies and procedures.
31. Explain how modern legal frameworks affect international
data flow and how the information security industry is
responsible for many compliance requirements.
32. Describe the importance of security training, education, and
awareness and how to differentiate between those elements.
33. Describe the necessity of business continuity and disaster
recovery (BCDR) functions, and recognize basic foundational
concepts.
34. Explain the ethical standards that a professional security practitioner will be expected to uphold, as well as the standards of behavior and performance expected of (ISC)² members.

Domain Agenda

PPT: Domain Agenda (2 slides). Review the domain agenda.

Module  Name
1       Concepts of Confidentiality, Integrity, and Availability
2       Organizational/Corporate Governance
3       Risk Management Concepts
4       Compliance Requirements
5       Legal and Regulatory Issues that Pertain to Information Security in a Global Context
6       Security Policy, Standards, Procedures, and Guidelines
7       Personnel Security Policies and Procedures
8       Security Awareness, Education, and Training Program
9       Business Continuity Requirements
10      Professional Ethics
11      Domain Review

Module 1: Concepts of Confidentiality, Integrity, and Availability

PPT: Concepts of Confidentiality, Integrity, and Availability. Introduce the participants to the “Concepts of Confidentiality, Integrity, and Availability” module.

Module Objectives

PPT: Module Objectives. Introduce the module objectives.

1. Explain the concepts of confidentiality, integrity, and availability.
2. Differentiate between confidentiality, integrity, and availability.

Confidentiality, Integrity, and Availability (CIA) Triad

PPT: Confidentiality, Integrity, and Availability (CIA) Triad. Introduce the concept of the CIA Triad.

When practitioners discuss the field of security, we concentrate on three goals: ensuring the confidentiality, integrity, and availability (CIA) of assets. This is referred to as the CIA triad. In information security, the assets are data—information that requires security. This is true for data in any form, whether it is stored electronically or in printed hardcopy, and it also applies to any systems/mechanisms/techniques used to process/manipulate/store that data.

Explaining the CIA triad in more detail, in the context of information security:

Confidentiality: only authorized entities have access to the data.
Integrity: there are no unauthorized modifications of the data.
Availability: authorized entities can access the data when and how they are permitted to do so.

CIA Triad Examples:

PPT: CIA Triad Examples. Review the CIA triad example.

A lock on a file cabinet can provide confidentiality; only authorized personnel will be given a key to access the information inside the cabinet.

Using a template for version control of a document: comparing copies of the document against the template ensures the integrity of the data in the copies.

A backup of data stored electronically ensures availability of the data; if the primary version of the data is rendered useless, a copy of the backup can be restored and used as the new primary.

Some security controls provide other functions that are not aspects of the triad but are also desirable. These include nonrepudiation and authentication, which will be discussed in a subsequent domain.

The CIA triad is a fundamental concept of our field and is absolutely essential to understand. A lot of the material discussed throughout the course will be couched in its relation to the triad.

Module 2: Organizational/Corporate Governance

PPT: Organizational/Corporate Governance. Introduce the participants to the “Organizational/Corporate Governance” module.

Module Objectives

PPT: Module Objectives. Introduce the module objectives.

1. Recognize security governance principles.
2. Describe how the security function of an organization aligns to that organization’s business strategy, goals, mission, and objectives.
3. Describe various typical roles and responsibilities related to security within organizations.
4. Identify governance processes within organizations and how those may affect security.
5. Identify specific security control frameworks based on a brief description or list of framework attributes.
6. Discern between the concepts and meaning of “due care” and “due diligence.”

Security Governance Principles

PPT: Security Governance Principles. Describe governance, and the subset of security governance.

Governance is the process of how an organization is managed. This includes all aspects of how decisions are made for that organization, and can (and usually does) include the policy, roles, and procedures the organization uses to make those decisions.

Security governance, then, is the entirety of the policies, roles, and processes the organization uses to make security decisions. Just as each organization has its own unique governance structure, it will also have security governance specific to its purposes and objectives.

Aligning the Security Function to the Organization’s Business Strategy, Goals, Mission, and Objectives

PPT: Aligning the Security Function to the Organization’s Business Strategy, Goals, Mission, and Objectives. Explain how security supports business functions; discuss alignment.

It is absolutely imperative that security not operate in a way that is exclusive to and ignorant of the overall purpose and objective of the organization. In most cases, security is a support function; that is to say, the business could exist without the security department, but the security department could not exist without the business.

Note: The exception to this, of course, is organizations that provide security products/services; in those organizations, security is a core component of operations, and the organization could not exist without security.

Therefore, the security practitioner must understand how the organization functions and what its goals are, then determine how security can best enhance those functions and the attainment of those goals. Security governance that does not align properly with organizational goals can lead to implementation of security policies and decisions that unnecessarily inhibit productivity, impose undue costs, and hinder strategic intent.

Organizational Processes

PPT: Organizational Processes. Discuss the function of a governance committee, and briefly mention how mergers/acquisitions/divestitures can affect security.

As mentioned earlier, one significant aspect of governance is the process of how a decision is made within an organization. This can be accomplished in a number of ways, according to a variety of factors. For instance, a small private business might have a very simplistic process for making decisions: the small business owner makes every decision based on their own judgment and the information they have available. A corporation, on the other hand, might have a decision-making process that is dictated by several sources: the government body where the company is chartered might have legislation regarding how corporations must make strategic decisions and which policies are required of all corporations; the board of directors might impose a corporate mandate for particular types of decisions (which might require including the board, as one step in the process); local and federal regulators might dictate who within the corporation participates and finalizes particular decisions, and so on.

Each organization will have its own process for making decisions, based on its structure, goals, nature, and industry. Some companies make use of a governance committee: a formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance. Governance committees are required for most nonprofit organizations; the governance committee recruits and selects board members and determines whether the board as a whole (and individual members) are performing optimally.

Just as security decisions can affect the overall business goals of the organization, organizational decisions can affect security. Following are some business decisions that might affect the organization’s security:

• Acquisition: If the organization decides to purchase another business unit to have as a subsidiary, the security implications are extensive. If there is a significant difference in security policies and practices between the entities, the security professionals in both groups will have to decide how best to align the two, with guidance and final decision from senior management.
• Merger: Much like an acquisition, a merger of two organizations entails aligning the security governance of the resulting entity.
• Divestiture: If an organization decides to sell off or cede control of a subsidiary, a considerable amount of effort will have to go into determining which of the resulting entities controls proprietary property, to include data, which may entail a great deal of effort on the part of the security personnel.

In each of these examples, external entities, such as regulators and investors, may have additional input and control in determining the outcome. These examples are not exhaustive; many organizational decisions will have vast security ramifications.

Organizational Roles and Responsibilities

An organization's hierarchy is often determined by the goals of the organization or the industry in which it operates. This structure can have a bearing on how security governance is created and implemented, or even on how security functions are performed.

PPT: Organizational Roles and Responsibilities (continued). Review common security roles and responsibilities.

The following are a sampling of the various roles pertaining to security encountered in many organizations. This list is in no way inclusive of all types of organizational structures and is not presented as a definitive guide to these roles; it is simply a way to demonstrate the form of some organizations and the bearing of some roles on organizational security.

• Senior management: The upper strata of the organization, comprising those officers and executives who have the authority to obligate the organization and to dictate policy. These can include such roles as president, vice president, chief executive officer (CEO), chief operating officer (COO), chief information officer (CIO), chief security officer (CSO), chief financial officer (CFO), and the like. Usually, these roles include personnel with some direct legal or financial responsibilities according to statute or regulation. Senior management is typically responsible for mandating policy, determining the strategic goals for the organization, and making final determinations according to the organizational governance for both security and non-security topics.
• Security manager/security officer/security director: Often, this is the senior security person within an organization. In some cases, the organization has a CSO (mentioned in the preceding entry of this list), in which case the security officer is a member of senior management. When the senior security role is not a member of senior management, the reporting hierarchy is an essential element in determining the importance and influence security has within the organization. For instance, an organization wherein the security manager reports directly to the CEO places a great deal of importance on security; an organization that has the security manager reporting to an administrative director, who in turn reports to a vice president, who reports to senior management, obviously does not. The security manager is typically responsible for advising senior management on security matters, may assist in drafting security policy, manages day-to-day security operations, represents the organization's security needs in groups and meetings such as the Configuration Management Board and similar committees, contracts for and selects security products and solutions, and may manage the organization's response to incidents and disasters.

Note: According to industry best practices, the security manager should not report to the same role/department that is in charge of information technology (IT), because the functions are somewhat adversarial (the security team will be reporting on/reviewing the operations and productivity of the IT team). Having the same department responsible for both functions would constitute a form of conflict of interest. The exception to this is when both the security office and the IT department report to the chief information officer (CIO); this is usually an acceptable form of hierarchy.

PPT: Organizational Roles and Responsibilities (continued). Review common security roles and responsibilities.

• Security personnel: The security practitioners within the organization. These can include administrators, analysts, incident responders, and so forth. This group may also include personnel from disciplines other than IT security, such as physical security and personnel security. Security personnel are tasked with performing the security processes and activities within the organization. Security personnel usually report to the security manager/director/officer.
• Administrators/technicians: IT personnel who regularly perform work within the environment may have security duties as well. These can include secure configuration of systems, applying secure networking, reporting potential incidents, and so forth. Positions in this category include, but are not limited to, system administrators (often Tech Support and Help Desk personnel) and network administrators/engineers. This group typically reports to the IT director or CIO.
• Users: Employees, contractors, and other personnel who operate within the IT environment on a regular basis. While this role does not have specific security duties per se, users are required to operate the systems in a secure fashion, and they are usually required to sign a formal agreement to comply with security guidance. Users may also be co-opted and trained to report potential security incidents, acting as a rudimentary form of intrusion detection. Users typically report to their functional managers.

PPT: Security Control Frameworks. Introduce and describe the common security frameworks.

Security Control Frameworks

In formalizing its security governance, an organization might implement a security control framework; this is a notional construct outlining the organization's approach to security, including a list of specific security processes, procedures, and solutions used by the organization. The framework is often used by the organization to describe its security efforts, both for internal tracking purposes and for demonstration to external entities such as regulators and auditors.

PPT: Security Control Frameworks (continued). Introduce and describe the common security frameworks.

There are a variety of security frameworks currently popular in the industry, each offering benefits and capabilities, usually designed for a certain industry, type of organization, or approach to security. The following list of framework examples is by no means exhaustive or intended to be exclusive; the security practitioner should have a working familiarity with the frameworks on this list, as well as whatever framework is used by their own organization (if any). Some of these frameworks will be discussed in more detail later in the course.

• ISO 27001/27002: The International Standards Organization (ISO) is recognized globally, and it is probably the most pervasive and widely used source of security standards outside the United States (American organizations often use standards from other sources). ISO 27001 is known as the information security management system (ISMS) and is a comprehensive, holistic view of security governance within an organization, mostly focused on policy. ISO 27002 is a comprehensive list of security controls that can be applied to an organization; the organization uses ISO 27002 to select the controls appropriate to its own ISMS, which the organization designs according to ISO 27001. ISO standards are notably thorough, well recognized in the industry, and expensive relative to other standards. Use of ISO standards can allow an organization to seek and acquire specific standards-based certification from authorized auditors.
• COBIT: Created and maintained by ISACA, the COBIT framework (currently COBIT 5) is designed as a way to manage and document enterprise IT and IT security functions for an organization. COBIT widely uses a governance and process perspective for resource management and is intended to address IT performance, security operations, risk management, and regulatory compliance.
• ITIL: An IT service delivery set of best practices managed by Axelos, a joint venture between the British government and a private firm. ITIL (formerly the Information Technology Infrastructure Library, now simply the proper name of the framework) concentrates on how an organization's IT environment should enhance and benefit its business goals. ITIL is also mapped to the ISO 20000 standard, perhaps the only non-ISO standard to have this distinction. This framework also offers the possibility of certification, for organizations that find certification useful.
• RMF: NIST, the U.S. National Institute of Standards and Technology, publishes two methods that work in concert (similar to how ISO 27001 and 27002 function): the Risk Management Framework (RMF), and the applicable list of security and privacy controls that goes along with it (respectively, these documents are Special Publications (SPs) 800-37 and 800-53). While the NIST SP series is only required to be followed by federal agencies in the United States, it can easily be applied to any kind of organization, as the methods and concepts are universal. Also, like all American government documents, it is in the public domain; private organizations do not have to pay to adopt and use this framework. However, there is no private certification for the NIST framework.

PPT: Security Control Frameworks (continued). Introduce and describe the common security frameworks.

• CSA STAR: The Cloud Security Alliance (CSA) is a volunteer organization with participant members from both public and private sectors, concentrating—as the name suggests—on security aspects of cloud computing. The CSA publishes standards and tools for industry and practitioners, at no charge. The CSA also hosts the Security, Trust, and Assurance Registry (STAR), which is a voluntary list of all cloud service providers who comply with the STAR program framework and agree to publish documentation on the STAR website attesting to compliance. Customers and potential customers can review and consider cloud vendors at no cost by accessing the STAR website. The STAR framework is a composite of various standards, regulations, and statutory requirements from around the world, covering a variety of subjects related to IT and data security; entities that choose to subscribe to the STAR program are required to complete and publish a questionnaire (the Consensus Assessments Initiative Questionnaire (CAIQ), colloquially pronounced "cake") published by CSA. The STAR program has three tiers, 1–3, in ascending order of complexity. Tier 1 only requires the vendor self-assessment, using the CAIQ. Tier 2 is an assessment of the organization by an external auditor certified by CSA to perform CAIQ audits. Tier 3 is in draft form as of the time of publication of this CBK; it will require continuous monitoring of the target organization by independent, certified entities.

PPT: Due Care/Due Diligence. Introduce and explain the concepts of due care and due diligence.

Due Care/Due Diligence

Due care is a legal concept pertaining to the duty owed by a provider to a customer. In essence, a vendor has to engage in a reasonable manner so as not to endanger the customer: the vendor's products/services should deliver what the customer expects, without putting the customer at risk of undue harm.

PPT: Due Care/Due Diligence (continued). Introduce and explain the concepts of due care and due diligence.

An example to clarify the concept: if a customer buys a car from the vendor, the vendor should have designed and constructed the car in such a way that the car can be operated in a normal, expected manner without some defect harming the customer. If the user is driving the car normally on a road and a wheel falls off, the vendor may be culpable for any resulting injuries or damage if the loss of the wheel is found to be the result of insufficient care on the part of the vendor (if, say, the wheel mount was poorly designed, or the bolts holding the wheel were made from a material of insufficient strength, or the workers assembling the car did so in a careless or negligent way). This duty is only required for reasonable situations; if, for instance, the customer purposefully drove the car into a body of water, the vendor does not owe the customer any assurance that the car would protect the customer, or even that the car would function properly in that circumstance.

NOTE: There is a joke regarding the standard of reasonableness that lawyers use—"Who is a reasonable person? The court. The court is a reasonable person." Meaning that the "standard" is actually quite ambiguous and arbitrary: the outcome of a case hinging on a determination of "reasonable" action is wholly dependent on a specific judge on a specific day, and judges are only people with opinions.

Due diligence, then, is any activity used to demonstrate or provide due care. Using the previous example, the car vendor might engage in due diligence activities such as quality control testing (sampling cars that come off the production line for construction/assembly defects), subjecting itself to external safety audit, prototype and regular safety testing of its vehicles, including crash testing, using only licensed and trained engineers to design its products, and so forth. All of these actions, and documentation of these actions, can be used to demonstrate that the vendor provided due care by performing due diligence.

In the IT and IT security arena, due diligence can also take the form of reviewing vendors and suppliers for adequate provision of security measures; for instance, before an organization uses an offsite storage vendor, the organization should review the vendor's security governance, and perhaps even perform a security audit of the vendor to ensure that the security provided by the vendor is at least equivalent to the security the organization itself provides to its own customers. Another form of due diligence for security purposes could be proper review of personnel before granting them access to the organization's data, or even before hiring; this might include background checks and personnel assurance activities. (Personnel security measures, which provide a measure of due diligence, will be discussed in more detail later in this domain.)

PPT: Due Care/Due Diligence (continued). Introduce and explain the concepts of due care and due diligence.

NOTE: In recent years, regulators and courts (both of which are often tasked with determining sufficient provision of due care) have found certain activities to be insufficient for the purpose of ensuring due diligence, even though those activities were previously sufficient. Specifically, publishing a policy is an insufficient form of due diligence; to meet the legal duty, an organization must also have a documented monitoring and enforcement capability in place and active to ensure the organization is adhering to the policy.

Module 3: Risk Management Concepts

PPT: Risk Management Concepts. Introduce the participants to the "Risk Management Concepts" module.

Module Objectives

PPT: Module Objectives (3 slides). Introduce the module objectives.

1. Describe common practices used for asset valuation and the challenges/benefits associated with each.
2. Distinguish between threats and vulnerabilities.
3. Identify common practices of risk assessment and analysis.
4. Know the four common methods of risk management.
5. Know how to choose from the four common methods of risk management.
6. Recognize common practices for selecting security controls.
7. List the various types, classes, and categories of security controls.
8. Describe the importance of monitoring and measuring the security program and controls and why this is performed on a continuous basis.
9. Recognize common risk frameworks.
10. Apply risk-based management concepts to the supply chain and the use of third parties for risk assessment and monitoring.
11. Recognize standard threat modeling concepts.
12. Apply threat modeling methodologies.
13. Recognize common threats and risks.
14. Recognize the purpose of the service level agreement, how it augments the contract, and which items should be contained in each.
15. Determine and document minimum security requirements.

Risk Management Concepts

PPT: Risk Management Concepts. Explain the concepts of risk and acceptable risk.

Risk is the possibility of damage or harm and the likelihood that the damage or harm will be realized. The security practitioner's job is to manage risk for the organization, according to the organization's strategy and needs. The senior management of the organization will determine what level of risk (and whether a particular risk) is suitable relative to the rewards offered by conducting operations; this is known as acceptable risk. Every organization makes its own determination of what constitutes acceptable risk and how to manage risk.

Asset Valuation

PPT: Asset Valuation (2 slides). Discuss the valuation of assets (slide 1); introduce the BIA and discuss its importance in security (slide 2).

To effectively manage risk, the organization must determine what assets it has and assign a value to those assets. Assets can include property (both tangible and intangible), people, and processes.

NOTE: In modern organizations, data (an intangible asset) is often the property with the most significant particular value.

An asset inventory is crucial for this task; it is impossible to protect what you have if you don't know what you have. There are many tools to aid in an asset inventory, automated and otherwise. It is important for the organization to mesh its acquisition and development processes with the asset inventory method it uses so that all new assets will be included in the inventory.

There are many ways to determine the value of an asset. An asset might have a discrete market value (a monetary value). Conversely, an asset might have a particular relative value for the organization; a specific asset that might otherwise be of nominal value to another organization might have great importance to your organization. It is important for senior management to review and oversee asset value determinations so that your organization is properly assigning value to its assets.

However, while senior management will make the final determination of value for the organization's assets, the main effort of valuation will fall to the functional managers. Usually, it is the line managers who will have the best perspective of the assets under their control, because they will be the people working with those assets the most; they will have the greatest insight into and understanding of how those assets are used by the organization.

NOTE: It is important to remember when gathering asset valuation information that while unit managers will have the best insight into the value of the assets under their control, managers are also inherently biased. When asked, "what assets are most important to the organization," the response is almost invariably, "mine." This is not a result of malicious intent; it is simply human nature. Therefore, senior management must bear this phenomenon in mind while reviewing the valuation survey information and adjust for any possible overvaluation that may have occurred.

PPT: Asset Valuation (2 slides) (continued). Discuss the valuation of assets (slide 1); introduce the BIA and discuss its importance in security (slide 2).

One tool used widely in the industry is the business impact analysis (BIA). The BIA is a list of the organization's assets, annotated to reflect the criticality of each asset to the organization. Because each organization operates differently, assets that are critical to one organization might have little relative importance to other organizations, even within the same field or industry. The personnel involved in creating the organization's BIA will need to understand not only the nominal value of each asset itself, but also the business functions and operations of the organization, so as to properly determine that asset's criticality. The use of the BIA will transcend asset valuation, and the BIA can be used in other components of risk management as well as other aspects of security.
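The two mechanics described above, reconciling the asset inventory against what is actually present so that unknown assets surface, and merging the managers' BIA ratings with senior management's adjustments, can be seen together in the following added example. It is not code from the (ISC)2 guide; the inventory records, the discovery results, the criticality ratings and the field names are all constructed for illustration.

```python
"""Reconcile an asset inventory against discovery results, and build a
BIA-annotated register ordered by criticality.

Added example, not from the (ISC)2 guide. Every record below is constructed;
the field names are assumptions, not any inventory product's schema.
"""
from dataclasses import dataclass

# Constructed inventory, as the acquisition process would have registered assets.
INVENTORY = {
    "srv-db-01": {"owner": "finance", "market_value": 12000},
    "srv-web-01": {"owner": "marketing", "market_value": 4000},
    "nas-01": {"owner": "engineering", "market_value": 9000},
    "laptop-117": {"owner": "sales", "market_value": 1500},
}

# Constructed BIA ratings: functional managers rate criticality 1-5, and
# senior management adjusts where a manager has overvalued "their" assets.
BIA_MANAGER = {"srv-db-01": 5, "srv-web-01": 5, "nas-01": 4, "laptop-117": 5}
BIA_REVIEWED = {"srv-web-01": 3, "laptop-117": 2}   # overrides after review

# Constructed discovery output: hostnames seen on the network today.
DISCOVERED = {"srv-db-01", "srv-web-01", "nas-01", "srv-dev-09", "printer-3"}


@dataclass
class AssetRecord:
    name: str
    owner: str
    market_value: int
    criticality: int   # BIA criticality after senior-management review


def reconcile(inventory, discovered):
    """Return (unknown, missing): assets discovered but never inventoried, and
    inventoried assets that discovery did not see. The first group is the one
    the organization cannot be protecting, because it does not know it has them."""
    inv = set(inventory)
    return sorted(discovered - inv), sorted(inv - discovered)


def build_register(inventory, manager_ratings, reviewed_ratings):
    """Merge inventory and BIA ratings; a reviewed rating overrides the manager's,
    and an unrated asset defaults to the lowest criticality."""
    register = []
    for name, rec in inventory.items():
        crit = reviewed_ratings.get(name, manager_ratings.get(name, 1))
        register.append(AssetRecord(name, rec["owner"], rec["market_value"], crit))
    # Criticality first, market value second: protection effort goes to the
    # assets with the greatest relative value to this organization.
    register.sort(key=lambda a: (a.criticality, a.market_value), reverse=True)
    return register


if __name__ == "__main__":
    unknown, missing = reconcile(INVENTORY, DISCOVERED)
    print("discovered but not in inventory:", unknown)
    print("inventoried but not seen:", missing)
    for a in build_register(INVENTORY, BIA_MANAGER, BIA_REVIEWED):
        print(f"{a.name:12} owner={a.owner:12} value={a.market_value:6} crit={a.criticality}")
```

The unknown list is the one to act on first: every entry is an asset that will be absent from the BIA, the risk assessment and every control decision that follows until the acquisition or development process that produced it is hooked into the inventory.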
PPT: Identify Threats and Vulnerabilities. Introduce and discuss threats and vulnerabilities.

Identify Threats and Vulnerabilities
The next step in the risk management process is to identify threats and vulnerabilities associated with the organization's assets. Threats are any aspects that create a risk to the organization, its function, and its assets. Vulnerabilities are any aspects of the organization's operation that could enhance a risk or the possibility of a risk being realized.

Threats can take many forms, anthropogenic and otherwise, and can be the result of no motivation, malicious intent, or inadvertent action. Consider the following list of common threats and the brief description of each:

• Natural: Nature has no malicious intent; it does not have any desire to interrupt business operations or to harm people. It is, however, a threat to both operations and health and human safety. Natural phenomena that fall into this category include disasters (floods, hurricanes, earthquakes, and so on), fire (on a disaster scale, or localized), and biologics. The latter category includes such things as small animals affecting operations by chewing through conduit/cables, which has caused both widespread and localized outages, for both power and data connectivity; that category can also include pandemic disease, which can interrupt operations significantly.
• Criminal activity: People with specific intent to do harm by performing illegal activity; the intended harm can be financial or physical. Hackers, thieves, espionage agents, social activists, and terrorists all fall into this category. This sort of activity can come from external sources or from personnel internal to the organization.
• User error: Users can conduct a vast variety of inadvertent activity that can affect all aspects of the CIA triad. These include actions as simple as spilling coffee, tripping over a cable, deleting a certain file unintentionally, or releasing confidential information accidentally.

PPT: Identify Threats and Vulnerabilities (continued). Introduce and discuss threats and vulnerabilities.

NOTE: This is a far from comprehensive list of threats and is only meant as an introduction to the concept.

There are many ways to categorize and tabulate threats; there is no one way that is correct for every organization. More importantly, every organization will face threats particular to its own industry, market, location, and type of operation. Threats also fluctuate continually; there is no static threat landscape, because both the organization and the world it operates in continue to evolve.

The security practitioner, on behalf of the organization, must constantly assess this evolving threat picture. It is important to stay current with evolving threats by monitoring global, national, and local news, organizational operations, and the activity of those entities that might pose threats to the organization. In addition to organizational efforts, there are vendors that supply threat intelligence information on a contract basis, predicting potential new (and increased existing) threats and notifying their customers.

The organization must also assess and inventory existing and potential vulnerabilities. In any situation where a threat could exploit a means to cause harm to the organization and/or its assets, a vulnerability exists.

There are many tools and methods for discovering and tabulating vulnerabilities, both manually and with automation.

A small sampling of types of vulnerabilities:

• Software: There are many examples of software functions that allow an attacker to affect some aspect of the CIA triad; these software functions might be defects in the original programming, or intentional programmatic elements that can be utilized maliciously for outcomes unintended by the vendor/owner of that software.
• Physical: Any aspect of the physical facilities or operations of an organization that may pose danger to the organization or its personnel could be considered a vulnerability. Vulnerabilities might include the entrances to the facility, flammable locations/items, easily portable assets, and sometimes even line of sight.
• Personnel: The organization's own personnel might be vulnerable to attack, either physically or by means of subversion/persuasion. The personnel might also pose a vulnerability themselves, as internal threats with access to the organization and its operations.

PPT: Identify Threats and Vulnerabilities (continued). Introduce and discuss threats and vulnerabilities.

NOTE: This is a far from comprehensive list of vulnerabilities and is only meant as an introduction to the concept.

Risk Assessment/Analysis

PPT: Risk Assessment/Analysis. Introduce the concept and methods of risk assessment and analysis.

After the organization has conducted a thorough asset inventory and valuation and identified the threats and vulnerabilities the organization is subject to, it is possible for the organization to realistically assess risk. Because risk (as defined earlier in this domain) involves the likelihood that a risk will be realized, in addition to identifying possible types of damage/harm, it is important that professionals tasked with performing risk analysis also be able to gather information from sources external to the organization to accurately gauge the potential of occurrence.

Risk can generally be rated according to three factors: impact, likelihood, and exposure.

Impact: The damage/harm caused if the risk is realized. This can be measured monetarily, as an effect on health and human safety, and/or by the criticality of the affected asset to the organization. The BIA, mentioned earlier in this domain, is an excellent tool for use in this aspect of risk assessment.

Likelihood: A measure of the possibility that the risk will be realized. This can be extremely difficult to determine, as it is a form of prediction. Often, this determination is aided by the use of historical data from both within and external to the organization (answering the questions: "how often does this happen to us? how often does it happen, in general?").

Exposure: Establishing the realistic potential for the organization to face certain types of threats. Obviously, the organization will have a greater exposure to those threats posed by the organization's activities (for instance, an organization involved in commercial fishing faces the threat of losing personnel to drowning, whereas a metropolitan bicycle messenger service does not). Location might be another factor that affects exposure; some natural disasters are native to certain geographic locations, while others are not.

It is essential to remember that there is no such thing as "zero risk"—all activities entail some element of risk, and all threats have a potential, even if minuscule or highly unlikely, for occurrence.

PPT: Risk Assessment/Analysis (continued). Introduce the concept and methods of risk assessment and analysis.

Risk analysis is typically split into two categories: qualitative and quantitative. These are somewhat academic distinctions, but the candidate should understand them for purposes of adhering to the CBK.

• Qualitative: A subjective approach to risk analysis. The organization should opt for this method when the organization does not have sufficient time, budget, or personnel trained in risk analysis to put toward the effort.
• Quantitative: An objective approach to risk analysis; the quantitative method should produce objective, discrete numeric values. The organization should opt for this method when it has sufficient time, budget, and personnel trained in risk analysis to put toward the effort.

Both methods require personnel who are familiar with the organization's operation, relevant threats, assets, and vulnerabilities.

PPT: Risk Response (2 slides). Introduce and describe the four methods of managing risk (slide 1); explain residual risk (slide 2).

Risk Response

Figure 1.1 shows the four general methods an organization can use to address risk.

[Figure 1.1: General Risk Management Options (go-by). A two-by-two grid of the four options: Avoidance, Acceptance, Mitigation, Transfer.]

PPT: Risk Response (2 slides) (continued). Introduce and describe the four methods of managing risk (slide 1); explain residual risk (slide 2).

Risk avoidance is a business decision, not a security practice. Senior management may choose risk avoidance when the potential impact of a given risk is too high to be reasonably offset by the potential rewards of the business function, or if the likelihood of the risk being realized is simply too great.

Risk acceptance is the converse of avoidance; management may opt for conducting the business function that is associated with the risk without any further action on the part of the organization, either because the impact or likelihood of occurrence is negligible, or because the benefit is more than enough to offset that risk.

Risk mitigation is the realm of the security practitioner; in risk mitigation, security controls are applied to the operational element that is susceptible to (or causing) the risk, to reduce either the impact or the likelihood (or both) of the risk being realized.

Risk transference is the practice of paying another party to accept the full financial impact of the harm resulting from a risk being realized, in exchange for payment of a fractional amount of the full impact cost. Typically, this is an insurance policy with premiums adjusted for a number of factors (the potential likelihood and impact, the use of security controls, frequency of payments, etc.).

PPT: Activity: Swimming with Sharks. Describe the four approaches to risk management in the context of the example.

Activity: Swimming with Sharks


The organization must determine how to address risks associated with
each new operational function. This activity allows the candidate to
demonstrate understanding of the common approaches to risk
management.
You are the security manager for a commercial fishing operation. Your
company is considering adding a new line of business to the
organization in the form of ecotourism, where paying customers join
your crews at work sites and are lowered into the water in steel cages to
observe and photograph sharks.
Senior management is considering the different risk management
approaches for handling the risks inherent to this new line of business.
Instructions
Working as a group and using this scenario, describe each of the four
approaches to risk management in the context of the example. For the
mitigation portion, brainstorm a brief list of security controls that might
be included. You have 10 minutes.

22 Domain 1: Security and Risk Management

Whenever risk mitigation is performed, there will always be some degree of risk that remains after the security controls are put into place: there is no such thing as either zero risk or 100 percent security. We call this remaining risk “residual risk.”

The goal of risk mitigation is to reduce the residual risk down to a level of acceptable risk and then to accept that remaining risk. Therefore, whenever an organization engages in risk mitigation, it must also perform risk acceptance at some point.

Security Controls

PPT: Security Controls. Introduce the concept of security controls, and discuss the tradeoff made in selecting controls.

Security controls are methods, tools, mechanisms, and processes used in risk mitigation. Security controls can function in two general ways: as safeguards, which reduce risk impact/likelihood before the realization of the risk has occurred, and countermeasures, which reduce the impact/likelihood afterwards.

For example, a wall could be a safeguard, preventing hostile people from entering the facility, while a motion sensor could be considered a countermeasure, as it sends an alert when someone has entered the area in an unauthorized fashion.
Security controls should be chosen according to a cost/benefit
analysis, comparing the expense of acquiring, deploying, and
maintaining the control against the control’s ability to reduce the
impact/likelihood of a specific risk (or set of risks). It is also crucial
to weigh the operational impact that will be caused by the control
itself against the benefit of continuing that business function with
the risk reduction offered by that control.
NOTE: It is essential to remember that every security control
has an attendant negative impact on operations, whether
that is a monetary cost or a reduction in user capability or
convenience; there is always a tradeoff between security and
productivity that makes the security team and the operations
group somewhat adversarial in many organizations. The
security practitioner is tasked with aiding the organization to
find the right balance. As Dr. Eugene “Spaf” Spafford of Purdue
University once put it: “The only truly secure system is one that is
powered off, cast in a block of concrete and sealed in a lead-lined
room with armed guards—and even then, I have my doubts.”
http://spaf.cerias.purdue.edu/quotes.html

Module 3: Risk Management Concepts 23

Traditional Model

PPT: Security Control Selection: A Traditional Model. Introduce and explain the ALE concept/formula.

One traditional method for selecting the appropriate security controls has been the use of the “loss expectancy” model:

annual loss expectancy (ALE) = single loss expectancy (SLE) x annual rate of occurrence (ARO)

In detail, it works like this:

The SLE is the expected negative impact related to a particular risk (the risk being assessed). Most often, this is expressed monetarily. It is calculated by determining the value of the asset that might be affected (or lost) and multiplying it by an “exposure factor”—a percentage that represents the amount of damage resulting from that type of loss. So:

SLE = asset value (AV) x exposure factor (EF)

The ARO is the number of times per year a given impact is expected, expressed as a number.

So, the ALE is the SLE multiplied by the ARO, which gives us the estimated annual cost related to a particular risk.
The value of the ALE to the organization is that it allows the organization
to determine whether the cost of a particular kind of control for a
specific risk is worth the investment.
Let’s use an example to demonstrate:
You are the security manager of a retail store located in a shopping mall.
Senior management has tasked you with reviewing the options for
managing the risk associated with shoplifting.
To approach this decision, you first determine the SLE: what the loss
is to the company in a single event of shoplifting. Several factors go
into this determination. For instance, the size of the items you sell:
it is easier to shoplift small personal electronic devices than it is to
shoplift, say, major appliances such as washing machines; this is how
you determine the exposure factor. You also need to know the value of the assets that might be subject to shoplifting: what is the value to your company of any one item in the inventory you sell?
What is the wholesale value? What is the retail value? Which have
you lost if that item is stolen?
Let’s say you determine that based on the items you have for sale, a
single loss expectancy for shoplifting, on average, is $5. You then have
to determine the ARO.

How is this done; how do you predict how many shoplifting events will occur at your store in a year? Well, this data is already available; major insurers and retail trade groups have historical data about shoplifting gathered over many decades of retail sales, insurance claims, and police reports of theft. In fact, there are historical retail data sets that are so specific, the data can predict the ARO of shoplifting based on your retail location, the physical footprint (size) of your store, and the inventory you carry. While historical data used to predict future activity are not perfect (financial markets crash on a fairly regular basis, and vast, detailed financial data exists and does not seem to obviate this activity), they can, on average, be useful for making this kind of assessment.

So, for purposes of this example, let’s say you determine that your store can expect 1,000 shoplifting events in the course of a year. This is your ARO for shoplifting.

With the ARO and SLE, you can easily determine the ALE: $5 x 1,000 = $5,000
You know that shoplifting will, on average, cost your company $5,000
per year. Using this figure, you can assess various risk management
options for addressing shoplifting. For instance, hiring a security guard
might cost the company $50,000 per year. Compared to the risk (the
ALE), this seems extremely disproportionate: even if the guard
prevents all shoplifting attempts, your company would be losing
$45,000 more than if you did nothing at all. You might also look at
other options: hardware tethers/locks for display merchandise, video
surveillance, radio-frequency identification (RFID) alarm chips, and so
forth. For each type of security control to address shoplifting, you can
compare the cost to the ALE. Remember that the cost of the control
includes more than the acquisition price: it also includes the costs of
annual maintenance and operation of that control. Let’s say, in this
demonstration case, the most cost-effective control you can find to
attenuate the possibility and effects of shoplifting will cost the
company $15,000 per year.
For our example, security controls (a form of risk mitigation) are not
the only option: you might consider risk transference, as well. This
would entail getting a quote from an insurance company for a
shoplifting policy. For example purposes, let’s say you receive a
number of quotes, and the lowest price of an annual policy is $10,000.
So, let’s review the risk management options using this example
data from the ALE:
Risk mitigation: The ALE is $5,000 and the most reasonable
control is $15,000; risk mitigation is not a rational option.

Risk transference: The ALE is $5,000 and the cost of transferring is $10,000; risk transference is not a rational option.

Risk avoidance: If the company did not offer merchandise for sale, it would no longer be a retail sales operation; risk avoidance, in this case, does not make much sense.

Risk acceptance: Because the other options do not make sense from a financial standpoint, and because the company wants to remain a retail operation, the company could reasonably accept the risk due to shoplifting.

NOTE: The ALE is a rudimentary and mature model, inherited from the realm of physical security, and is well suited to examples of this kind. It is not particularly apt for IT security: in our field, there is no good way to assess SLE; a loss event is rarely nominal; moreover, we are typically not allowed to have an ARO other than 1—whenever a vulnerability is discovered because a loss has been realized, we are required to take steps to remediate that vulnerability so that specific type of loss should not be repeated. An organization that has repeated, continuous losses related to data/IT will soon be beleaguered by regulators, service providers, and customers alike. So, this model doesn’t work well for IT security. However, it is still used throughout the industry and is an aspect of security that the candidate is required to understand as part of the CBK.

PPT: Applicable Types of Controls. Introduce and explain the three types of security controls.
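The loss-expectancy arithmetic above, carried through as an added example (not code from the guide): it computes SLE and ALE, scores a control by the ALE it removes against its annual cost, and reviews the four responses in the order the guide does. The shoplifting figures are the guide's; the residual ARO assigned to the $15,000 control is a constructed assumption.

```python
"""Loss-expectancy (SLE/ALE) calculator with a cost/benefit review of the four
risk responses. Added example, not from the (ISC)2 guide. The shoplifting
numbers are the guide's; each Safeguard's residual ARO/SLE is a constructed
assumption standing in for the control's estimated effectiveness."""
from dataclasses import dataclass
from typing import Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF; EF is the fraction (0..1) of the asset's value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected annual cost of the risk."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float    # acquisition (annualised) plus maintenance and operation
    residual_aro: float   # events per year still expected once the control is in place
    residual_sle: float   # loss per event still expected once the control is in place


def safeguard_value(ale_before: float, s: Safeguard) -> float:
    """Net annual value of a control: the ALE it removes minus what it costs to run.
    Negative means the control costs more than the risk it takes away."""
    ale_after = annual_loss_expectancy(s.residual_sle, s.residual_aro)
    return (ale_before - ale_after) - s.annual_cost


def choose_response(ale: float, safeguards: list, insurance_premium: float,
                    can_avoid: bool) -> tuple:
    """Review the four responses in the order the guide does and return the
    first that is rational: mitigate if any safeguard has positive net value,
    transfer if the premium is below the ALE, avoid if the business function
    can be dropped, otherwise accept the ALE as the cost of doing business."""
    best: Optional[Safeguard] = max(safeguards, key=lambda s: safeguard_value(ale, s),
                                    default=None)
    if best is not None and safeguard_value(ale, best) > 0:
        return ("mitigate", best.name)
    if insurance_premium < ale:
        return ("transfer", insurance_premium)
    if can_avoid:
        return ("avoid", None)
    return ("accept", ale)


def shoplifting_example() -> dict:
    """The guide's worked case: SLE $5, ARO 1,000, guard $50,000/yr,
    best control $15,000/yr, cheapest policy $10,000/yr, avoidance impossible."""
    sle = 5.0
    ale = annual_loss_expectancy(sle, 1_000)                       # $5,000
    guard = Safeguard("security guard", 50_000, residual_aro=0, residual_sle=sle)
    # Residual ARO of 200 is a constructed assumption: the $15,000 control is
    # assumed to stop 80% of attempts rather than all of them.
    tags = Safeguard("RFID tags and tethers", 15_000, residual_aro=200, residual_sle=sle)
    return {
        "ale": ale,
        "guard_value": safeguard_value(ale, guard),                # -$45,000
        "decision": choose_response(ale, [guard, tags], 10_000, can_avoid=False),
    }


if __name__ == "__main__":
    for key, value in shoplifting_example().items():
        print(f"{key}: {value}")
```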

Applicable Types of Controls


Security controls can be arranged according to many criteria. One way
to consider controls is by the way the controls are implemented.
Technical/logical controls: Controls implemented with or by automated
or electronic systems. Examples include firewalls, electronic badge
readers, access control lists, and so on. Many IT systems include some
kind of technical control capacity or functionality; for instance, routers
can be set to reject traffic that may be indicative of possible attacks.
Physical controls: Controls implemented through a tangible mechanism.
Examples include walls, fences, guards, locks, and so forth. In modern
organizations, many physical control systems are linked to technical/
logical systems, such as badge readers connected to door locks.
Administrative controls: Controls implemented through policy and
procedure. Examples include access control processes and requiring
multiple personnel to conduct a specific operation. Administrative controls
in modern environments are often enforced in conjunction with physical
and/or technical controls, such as an access-granting policy for new users
that requires login and approval by the hiring manager.

Security Control Categories

Another way to group security controls is by how they take effect. In the security industry, controls are typically arranged into these categories:
PPT: Security Control Categories (2 slides). Introduce and explain the security control categories (slide 1); introduce and stress the importance of the defense-in-depth concept (slide 2).

Directive: Controls that impose mandates or requirements. These can include policies, standards, signage, or notification, and are often combined with training.

Deterrent: Controls that reduce the likelihood someone will choose to perform a certain activity. These can include notification, signage, cameras, and the noticeable presence of other controls.

Preventative: Controls that prohibit a certain activity. These can include walls and fences; they prohibit people from entering an area in an unauthorized manner.

Compensating: Controls that mitigate the effects or risks of the loss of primary controls. Examples include physical locks that still function if an electronic access control system loses power, or personnel trained to use fire extinguishers/hoses in the event a sprinkler system does not activate.

Detective: Controls that recognize hostile or anomalous activity. These can include motion sensors, guards, dogs, and intrusion detection systems.

Corrective: Controls that react to a situation in order to perform remediation or restoration. Examples include fire suppression systems, intrusion prevention systems, and incident response teams.

Recovery: Controls designed to restore operations to a known good condition following a security incident. These can include backups and disaster recovery plans.
This form of categorization is not absolute or distinct; many controls can fall into several categories, depending on their implementation and operation. For instance, surveillance cameras can be controls that are deterrent (just the presence of cameras discourages someone from entering a surveilled area, for fear of being observed), detective (when combined with live monitoring by guards or a motion-sensing capability), and compensating (when providing additional detection capability that augments gate guards or other controls). Controls of the various types (administrative, technical, and physical) can be used in each of the categories.

When selecting and implementing security controls, it is always preferable to use multiple types and implement them among the various categories than to rely on one type or category; this is called defense in depth (also known as layered defense), where controls of various types and kinds overlap each other in coverage. There are two reasons to implement defense in depth:

• Relying on a single control type or category increases the possibility that a single control failure could lead to enhanced risk. For instance, if the organization were to rely solely on technical controls and power was interrupted, those controls would not function properly. Moreover, a new vulnerability might be discovered in a specific control; if that was the sole control your organization relied on, your organization would become completely exposed.

• Using multiple types and categories of controls forces the aggressor to prepare multiple means of attack instead of just one. By making the task of the attacker more complicated, we reduce the number of possible attackers (many people know one thing well, but few people know many things well). For instance, combining strong technical and physical controls could require the aggressor to have both hacking and physical intrusion toolkits, which increases the price of the attack for the attacker, thereby reducing the number of potential attackers.

Monitoring and Measurement

PPT: Monitoring and Measurement (2 slides). Introduce the concept of monitoring and measuring security controls, and stress the importance of continuous monitoring (slide 1); introduce and explain vulnerability assessments and penetration testing (slide 2).

Implementation of security controls is not the final action necessary for risk mitigation; the security professional must monitor the function and operation of security controls for the organization to determine if they are performing correctly and that they continue to provide the risk coverage as intended.
A plan and process for determining the proper function and management of controls, often referred to as a security control assessment (SCA), is necessary and should be customized to the needs of the organization. This is very similar to an audit, with a specific focus on security controls, including the performance of those controls.
The security team is often tasked with assembling SCA data and
presenting a report to senior management, detailing which controls are
not performing as expected and which risks are not being addressed by
the current control set. This information might be gathered by the security
team itself through the use of automated monitoring tools, or it might be
delivered by internal sources (such as the IT department) as part of a
self-reporting mechanism, or from external sources (such as a third-party

security monitoring vendor). The security practitioner must collect all relevant data and distill it into a form that is understandable and useful to management.

This security control monitoring effort should not be a singular event or even a recurring task; the industry standard for security control maintenance and improvement is a continual, ongoing, enduring activity. Threats continue to evolve, the organization’s IT environment is continually being updated and modified, and security tools continue to improve; these situations require constant action on the part of security practitioners.

Other control assessment techniques include vulnerability assessments and penetration tests:

• Vulnerability assessment: Often performed with automated tools, the vulnerability assessment reviews the organization’s IT environment for known vulnerabilities, cataloging and often sending alerts for any detections. NOTE: vulnerability assessments are often limited in the respect that they only detect known vulnerabilities; relying wholly on vulnerability assessments to determine the organization’s risk profile is inadequate, because there may exist vulnerabilities that have not yet been discovered and are not in the signature database of the assessment tool.

• Penetration test: A trusted party (internal or external to the organization) tries to gain access to the organization’s protected environment to simulate an external attack and test the organization’s security defenses. There are many ways to structure a penetration test, including requiring that the adversarial parties (the organization’s security team and the penetration testers) have no knowledge beyond what an attacker would have: the security team is not given forewarning that the test is taking place, and the testers are not given details about the organization’s environment or security. Ethical penetration testing requires that any test not create a risk to health and human safety or destroy property. It is essential to properly coordinate any penetration test before the engagement to stipulate any limitations on the scope or nature of the test.

PPT: Risk Frameworks. Introduce and explain the common risk frameworks.

Risk Frameworks
Similar to (and, in some cases, overlapping with) the security
control frameworks mentioned earlier in this domain, the security
practitioner may also make use of risk frameworks to optimize the

organization’s response to risk. In many mature organizations, this effort defines the organization’s strategy in terms of business risks and opportunities and is often referred to as enterprise risk management (ERM).

Many different standards bodies and industry-specific entities publish ERM guidance and documentation. These include (but are not limited to):

• ISO: Standards 31000 (Risk Management—Principles and Guidelines) and 27005 (Information technology—Security techniques—Information security risk management) both discuss risk, from a holistic organizational perspective (the former) and as specifically related to IT security (the latter). Standard 27001 is also endorsed by ENISA (the European Union Agency for Network and Information Security) as a means of managing risk.

• COSO: The Committee of Sponsoring Organizations (COSO) of the Treadway Commission was formed in the wake of dramatic and severe financial industry scandals in the United States in the 1980s, as a body to suggest guidelines and practices to address financial reporting irregularities and fraud. Since that time, its publications have been widely accepted and adopted by many large companies. In 2004, COSO published the first version of its Enterprise Risk Management - Integrated Framework; this document was updated in 2017 and is seen as a definitive guide to the topic.

• ISACA: Publishes the RISK IT framework, which is described by ISACA as connecting risk management from a strategic perspective with risk-related IT management.

• NIST: Special Publication (SP) 800-37, mentioned earlier in this domain, is the Risk Management Framework (RMF), which is extremely influential and important for how U.S. federal government agencies address risk.

The candidate is advised to research the topic of risk frameworks; however, of the ones listed here, only the NIST RMF is available without payment.

PPT: Apply Risk-Based Management Concepts to the Supply Chain (2 slides). Discuss security and risk-based management of the supply chain and external providers.

Apply Risk-Based Management Concepts to the Supply Chain


An organization rarely operates wholly alone; there are many dependencies
and interconnections organizations have with their entire supply chain: the
organization’s suppliers, vendors, contractors, and customers.
It is imperative that the organization applies the same risk-management
methodologies and perspective to this supply chain as the organization

did for its own internal operations. This may include the organization performing the following for each entity within the supply chain:

• Governance review
• Site security survey
• Formal security audit
• Penetration testing

However, in many cases, this is untenable, and sometimes it can create additional liability issues for both parties. Instead, organizations often rely on audit reports prepared by certified third parties to properly evaluate the entities within the organization’s supply chain. This has notably been the case with managed cloud services, where the cloud customer often does not even know the physical location of the cloud data center and must rely on external validation of the provider’s security.

There are a variety of standards and audit methodologies for assessing the security of external organizations. These include, but are not limited to, the following:

• ISO-certified audits: Each ISO standard can be assessed by an accredited auditor, and the target organization can earn certification by successfully passing this audit.

• CSA STAR evaluation: As mentioned previously in this domain, the CSA offers a registration program for cloud providers called STAR. STAR can be self-administered by the target organization or conducted by a certified external auditor, depending on the STAR Level the target organization seeks.

• AICPA SSAE 16 SOC reports: The American Institute of Certified Public Accountants (AICPA) created the Statement on Standards of Attestation Engagements (SSAE) 16 standard as a response to prevailing federal legislation in the United States (specifically, the Sarbanes–Oxley Act, referred to as SOX). The SSAE 16 standard details three types of reports intended for different uses; these are the SOC reports. While the SSAE 16 standard is designed for publicly traded corporations, it has come into wide use by organizations of all types.

PPT: Understand and Apply Threat Modeling Concepts and Methodologies. Introduce and discuss threat modeling, and explain the STRIDE model.

Understand and Apply Threat Modeling Concepts and Methodologies

As explained in this domain, a threat is something that might cause a risk to be realized. To anticipate and counter threats from human adversaries, the security industry uses a technique called threat modeling, which entails looking at an environment, system, or application from an attacker’s viewpoint and trying to determine the vulnerabilities the attacker would exploit. The end state of this process is addressing each of the vulnerabilities discovered during threat modeling to ensure an actual attacker cannot use them.

In many threat modeling techniques, an abstract, nontechnical representation of the target (whether it is an organization or an IT system/application) is necessary before reviewing the details of the target itself. Workflow diagrams (also referred to as dataflow diagrams or flowcharts) are frequently used for the purpose; the threat modeling team creates a conceptual view of how the target actually functions—how data and processes operate in the target from start to finish. This allows the threat modeling team to understand where an attacker might affect the target, by understanding potential locations (in time, space, and the process) of vulnerabilities.
In some threat models used for specific targets (systems/applications,
instead of the overall organization), another element is used (mostly in
addition to, not in lieu of, the abstract); incorporating those same threat
modeling techniques into the detailed specifics of the target. With this
technique, designers can identify and troubleshoot potential
vulnerabilities during the development and acquisition of the target
instead of waiting until the target reaches the production environment.
This practice (securing a system/application) during development is less
expensive and time-consuming than addressing issues after the item
has entered production.
The candidate should certainly be familiar with one particular threat
modeling tool: STRIDE. STRIDE, created by Microsoft, is actually a threat
classification system used to inform software developers during the
development process. These are the elements of STRIDE:
• Spoofing identity: the type of threat wherein an attacker poses as an entity other than the attacker, often as an authorized user.

• Tampering with data: when the attacker attempts to modify the target data in an unauthorized way.

• Repudiation: when the attacker, as a participant of a transaction, can deny (or conceal) the attacker’s participation in that transaction.

• Information disclosure: just like it sounds, this category can include both inadvertent release of data (where an authorized user discloses protected data accidentally to unauthorized users, or gains access to material that their authorization should not allow) and malicious access to data (an attacker getting unauthorized access).

• Denial of service (DoS): an attack on the availability aspect of the CIA triad; creating a situation in the target where authorized users cannot get access to the system/application/data.

• Elevation of privilege: when an attacker not only gains access to the target but can attain a level of control with which to completely disable/destroy the entire target system.

NOTE: The candidate should know each of the elements of the STRIDE model; as the term is an acronym, it is not exceptionally difficult. However, some of the concepts seem to have been worded in such a way as to force them into an acronym, which makes their wording vary slightly from other industry usage (for instance, the term “nonrepudiation” is commonly used; the STRIDE variant, “repudiation,” is specific to STRIDE).
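An added example (not code from the guide or from Microsoft) that applies STRIDE to the kind of dataflow diagram the text describes: each diagram element gets only the STRIDE categories that apply to its type, following the STRIDE-per-element mapping used in Microsoft's SDL practice, and flows that cross a trust boundary are flagged for review first. The diagram (a browser, a web application, an orders database) is constructed.

```python
"""STRIDE enumeration over a dataflow diagram (DFD). Added example, not the
guide's or Microsoft's code. The per-element applicability table follows the
STRIDE-per-element mapping used in Microsoft's SDL; the diagram returned by
example_diagram() is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

STRIDE: Dict[str, str] = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE categories that apply to each DFD element type. Processes are exposed
# to all six; a data flow cannot itself be spoofed or have privilege elevated.
APPLICABLE: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                          # one of APPLICABLE's keys
    trust_zone: str = ""               # for entities, processes and stores
    endpoints: Tuple[str, ...] = ()    # for data flows: (source, destination) names


# (element name, STRIDE letter, description, crosses a trust boundary)
Finding = Tuple[str, str, str, bool]


def crosses_boundary(flow: Element, by_name: Dict[str, Element]) -> bool:
    """A flow crosses a trust boundary when its two ends sit in different zones."""
    src, dst = (by_name[n] for n in flow.endpoints)
    return src.trust_zone != dst.trust_zone


def enumerate_threats(elements: List[Element]) -> List[Finding]:
    """One candidate threat per applicable STRIDE category per element. Flows that
    cross a trust boundary are flagged: that is where an attacker most readily
    reaches the target, so those findings are reviewed first."""
    by_name = {e.name: e for e in elements}
    findings: List[Finding] = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element kind: {e.kind}")
        if e.kind == "data_flow":
            missing = [n for n in e.endpoints if n not in by_name]
            if len(e.endpoints) != 2 or missing:
                raise ValueError(f"flow {e.name} has bad endpoints {e.endpoints}")
        flagged = e.kind == "data_flow" and crosses_boundary(e, by_name)
        for letter in APPLICABLE[e.kind]:
            findings.append((e.name, letter, STRIDE[letter], flagged))
    return findings


def boundary_crossing(findings: List[Finding]) -> List[Finding]:
    """Only the findings on flows that cross a trust boundary."""
    return [f for f in findings if f[3]]


def example_diagram() -> List[Element]:
    """Constructed DFD: a customer's browser on the internet talks to a web
    application in a DMZ, which queries an orders database on the internal LAN."""
    return [
        Element("browser", "external_entity", trust_zone="internet"),
        Element("web_app", "process", trust_zone="dmz"),
        Element("orders_db", "data_store", trust_zone="internal"),
        Element("login_request", "data_flow", endpoints=("browser", "web_app")),
        Element("order_query", "data_flow", endpoints=("web_app", "orders_db")),
    ]


if __name__ == "__main__":
    for name, letter, desc, flagged in enumerate_threats(example_diagram()):
        print(f"{'!' if flagged else ' '} {name:14} {letter} {desc}")
```

Each flagged line is a candidate threat to be addressed in the design, which is the "end state" the text describes; in practice the team records a mitigation or an accepted-risk decision against every row.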
Other threat models include:

• OCTAVE: Created by Carnegie-Mellon University, the OCTAVE model is designed for viewing the overall risk of IT systems across an organization. Published with two variants: OCTAVE for large organizations, OCTAVE-S for smaller operations. http://www.cert.org/resilience/products-services/octave/

• Trike: An open-source methodology and toolset from the Massachusetts Institute of Technology (MIT). Has not been updated/revised for some time. http://octotrike.org/home.shtml

PPT: Risks Associated with Hardware, Software, and Services. Discuss common threats/risks associated with hardware, software, and services.

Risks Associated with Hardware, Software, and Services


The following is a non-comprehensive list of common risks:
Hardware
• Theft: A box that can be touched can be owned; almost no technical controls can withstand physical access to a device, so physical security of all components is crucial, as is ensuring that your personnel are screened and monitored.

• Natural disasters: Physical devices are subject to physical impact, and natural disasters pose a continual risk to operations. Of particular concern is flooding, as water is so hostile to IT components, but a great many disasters can affect hardware, such as hurricanes, tornadoes, earthquakes, blizzards, and so on.

• Fire: While fire can result from natural disasters, it can also be a localized threat to the internal environment of a data center. The impact of combatting fire can be just as detrimental to physical IT components as the fire itself. This topic is addressed in more detail in Domain 7.

Software

• Defects: Bugs and improperly designed functions that can be exploited by attackers. Defects that are discovered by attackers after a product has shipped and been put into production, without the knowledge of either the vendor or users, are known as “zero-day” exploits, as attackers can use these vulnerabilities indiscriminately for the time it takes until a patch or solution is created to resolve the defect.
• Lack of security: Software that is not designed with proper security controls is prolific and poses a significant risk to the organization. Including security as an aspect of software development and acquisition is crucial and discussed in depth in Domain 8.

• Malicious software (malware): Software can be used as an attack vector by people with malicious intent for a variety of potential outcomes that affect every aspect of the CIA triad. Malware includes worms, viruses, and Trojan horse programs.

Services

• Denial of service (DoS) and distributed denial of service (DDoS): A DoS attack is launched by a malicious person trying to affect the availability of systems or data. While this can take almost any form (including physical), it often manifests as an attack on (or using) native IT services, such as communication protocols. A DDoS attack amplifies the attack source through the attacker’s use of many disparate machines to focus on the target. Modern DDoS attacks have used exponentially more attack devices than were expected, to a significant deleterious effect.

• “Man in the middle”: Attacks on active communications are referred to as “man in the middle,” where the attacker positions themself (physically or logically) between parties engaged in a communications session. This can be used to affect every aspect of the CIA triad.

• Social engineering: If authorized use can be considered a form of service, then undermining authorized users themselves can be considered a service attack; this is called “social engineering.”

34 Domain 1: Security and Risk Management


Instructor Edition

Subverting the user can be done in many ways and often


exploits common human behaviors and emotions. Techniques
include blackmail, bluster, browbeating, bribery, and an
Notes
Risk Management
1
Concepts
appeal to aid.

This list is in no way comprehensive and is only offered as a cursory overview.

Minimum Security Requirements

Instructor notes (PPT: Minimum Security Requirements): Discuss the process of establishing minimum security requirements.

To provide appropriate levels of security, a fundamental understanding of the desired outcomes is necessary. Security professionals achieve this by gathering a set of minimum security requirements to use as a goal. This minimum set of requirements should be created for every level of granularity in an operation: the organization as a whole (where the minimum security requirements become the level of acceptable risk), the overall IT environment, each network that is included in the environment, each system in each network, and even each component. Moreover, this practice (gathering minimum security requirements) should not be limited only to IT and data activity; it should also be included in project management and process functions.

Some hints for effectively gathering minimum security requirements:

• Involve stakeholders in the development/acquisition/planning process as soon as possible (close to the start of the endeavor).
• Ensure that requirements are specific, realistic, and measurable.
• Record and document all elements of the discussion and outcome.
• When soliciting input from the customer, restate your understanding of their requests back to them to confirm what they intended to say and what you comprehend.
• Don’t choose tools or solutions until the requirements are understood; too often in our field, we already have a preferred technology in mind when starting a project, when we should instead only select a specific product once we fully comprehend the objectives. Otherwise, we tend to allow the technology to drive business functions, instead of the other way around.
• If possible, create diagrams, models, and prototypes to solidify mutual understanding of the requirements before commencing full-scale development and production.

Service Level Requirements

Instructor notes (PPT: Service Level Requirements): Introduce, explain, and stress the importance of the SLA. Explain how the SLA is a specific subset of the contract, and how it differs from the rest of the contract.

When an organization uses an external provider for managed services (for example, a cloud service, or a contractor that maintains the organization’s data center), the parties must establish a mutual understanding of exactly what will be provided, under which terms, and at what times. This should include a detailed description of both performance and security functions. As with other projects, the organization has to establish a set of minimum requirements for this effort to be successful; in this type of case, however, the organization is not usually able to dictate requirements unilaterally and must instead cooperate with the provider.

Together, the parties will construct a business contract explicitly stating the terms of the arrangement. One part of this contract should be the service-level agreement (SLA), which defines the minimum requirements and codifies their provision. Every element of the SLA should include a discrete, objective, numeric metric with which to judge success or failure; otherwise, the SLA implementation will not be fair or reasonable for either party.

For example, an SLA element that states, “There will be excellent uptime for the duration of the service,” is not adequate; attorneys could spend months debating the meaning of “excellent” in the event the parties don’t agree on the sufficiency of service during a given period. Instead, an element stating, “The customer will have continual access to the service during the period of delivery; interruption lasting more than five (5) seconds per period will result in failure,” would be preferable.

The strength of the SLA is its use as a payment discriminator; usually, SLAs are created with contractual stipulations such that a failed SLA element will result in a credit applied to the customer’s account. This incentivizes the provider to meet the terms of the SLA and mollifies the customer if any particular aspect of the service does not fully meet the customer’s needs.

NOTE: SLAs best serve recurring, continual requirements, not singular or infrequent events. For instance, a weekly performance report might be included in the SLA, but a disaster response/recovery metric probably is not suited for the SLA. However, specific terms for addressing uncommon events like disaster response/recovery can and should be included in the contract, even if they are not in the SLA.
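The SLA element quoted above, made mechanical: an added example, not from the (ISC)2 guide, that scores a constructed availability probe log period by period and computes the credit the failed periods earn the customer. The log format, the 60-second period, the credit amount, and the reading of the clause as total interrupted seconds per period are assumptions.

```python
"""Evaluate the SLA element quoted in the text against an availability log.

The element reads: "The customer will have continual access to the service
during the period of delivery; interruption lasting more than five (5)
seconds per period will result in failure." This added example makes that
clause mechanical and applies the payment-discriminator idea from the text:
each failed period earns the customer a credit. The probe-log format, the
60-second reporting period, the credit amount, and the reading of the
clause as total interrupted seconds per period are all assumptions.
"""
from dataclasses import dataclass

# Constructed probe log: (timestamp in seconds, service reachable?). One
# entry per monitoring probe; a run of failed probes is one interruption
# lasting until the next successful probe.
PROBE_LOG = [
    (0, True), (10, True), (20, False), (23, True),    # 3 s interruption
    (30, True), (40, False), (43, False), (47, True),  # 7 s interruption
    (60, True), (70, True), (80, False), (82, True),   # 2 s interruption
    (120, True), (130, True), (140, True),             # no interruption
]

PERIOD_SECONDS = 60             # assumed reporting period
MAX_INTERRUPTION_SECONDS = 5    # the "five (5) seconds" in the SLA element
CREDIT_PER_FAILED_PERIOD = 100  # assumed credit, in currency units


@dataclass
class PeriodResult:
    period: int              # 0 = first PERIOD_SECONDS of the log, 1 = next, ...
    interrupted_seconds: int
    passed: bool


def interruptions(log):
    """Yield (start, length) for each run of failed probes in the log."""
    start = None
    for ts, ok in log:
        if not ok and start is None:
            start = ts                       # interruption begins
        elif ok and start is not None:
            yield start, ts - start          # service back: close it out
            start = None
    if start is not None:                    # log ends while still down
        yield start, log[-1][0] - start


def evaluate(log, period=PERIOD_SECONDS, limit=MAX_INTERRUPTION_SECONDS):
    """Score each period covered by the log.

    Interrupted seconds are charged to the period in which the interruption
    began; a period fails once its total exceeds the limit.
    """
    if not log:
        return []
    n_periods = log[-1][0] // period + 1
    totals = [0] * n_periods
    for start, length in interruptions(log):
        totals[start // period] += length
    return [PeriodResult(i, t, t <= limit) for i, t in enumerate(totals)]


def credit_due(results, credit=CREDIT_PER_FAILED_PERIOD):
    """Credit the provider owes: one unit of credit per failed period."""
    return credit * sum(1 for r in results if not r.passed)


if __name__ == "__main__":
    results = evaluate(PROBE_LOG)
    for r in results:
        status = "PASS" if r.passed else "FAIL"
        print(f"period {r.period}: {r.interrupted_seconds} s interrupted -> {status}")
    print("credit due:", credit_due(results))
```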

Activity: SLA or Not?


You are the security manager for a chain of retail stores. Your company
recently entered into negotiation with an external provider of data
archiving services, which will securely store your nonproduction data for
long-term purposes. You are asked by senior management to review the
contract terms and SLA.

Instructor notes (PPT: Activity: SLA or Not?, 3 slides): Review the contract terms and determine whether the given elements should or should not be included in an SLA.

Instructions

As a group, using the criteria described in this module, determine whether each of the following elements should be included in an SLA, stated elsewhere in the managed service contract, or not included at all. You have 10 minutes.

a. The amount of data the customer can move to the archive daily
b. The format in which the data will be stored
c. The media which will be used to store the data
d. Security methods used to routinely protect the data in storage
e. Volume of storage made available to the customer
f. Results of routine data integrity checks

Answers:

a. SLA—a discrete, objective, numeric metric can be applied, and this is a regularly-occurring activity
b. Contract—this is not a recurring activity and can be stated just once elsewhere in the contract
c. Contract—this is not a recurring activity and can be stated just once elsewhere in the contract
d. Neither—disclosing this information makes the service less secure and should not be shared outside the provider’s organization
e. Contract—this is not a recurring activity and can be stated just once elsewhere in the contract
f. SLA—a discrete, objective, numeric metric can be applied, and this is a regularly-occurring activity

Module 4: Compliance Requirements

Instructor notes (PPT: Compliance Requirements): Introduce the participants to the “Compliance Requirements” module. (PPT: Module Objectives): Introduce the module objectives.

Module Objectives

1. Recognize the various forms of compliance requirements (laws/regulations, standards, and contracts).
2. Understand the concept of regulatory compliance, especially in the context of modern privacy requirements, and identify typical regulations encountered in practice.
3. Identify common privacy terms used in current personal data protection laws worldwide.

Contractual, Legal, Industry Standards, and Regulatory Requirements

Instructor notes (PPT: Contractual, Legal, Industry Standards, and Regulatory Requirements): Introduce and discuss the concepts of compliance, privacy, and audits. (PPT: Contractual Mandates): Introduce and discuss PCI DSS.

Every organization operates under some type of external mandate. This mandate can come in the form of simple contracts, as part of the organization’s interactions with suppliers and customers; the organization is compelled to fulfill its contractual obligations. Mandates can also come in the form of governmental imposition; governments create regulations, either through legislative or administrative means, and organizations must adhere to the regulations relevant to the industry and manner in which the organization operates. There are also traditional and cultural mandates, arising in every society; some of these take the form of standards, which each organization is held to by custom and, in some jurisdictions, by legal precedent and liability.

Compliance is adherence to a mandate, regardless of the source. Almost every modern organization is required to demonstrate compliance with the various mandates the organization is subject to. Compliance is used in our industry as a term that means both the action on the part of the organization to fulfill the mandate and the tools, processes, and documentation that demonstrate adherence.

Many modern mandates address a specific need: personal privacy. Privacy is the right of a human being to control the manner and extent to which information about him or her is distributed. Privacy mandates take all forms: contractual, regulatory, and customary.

Organizations are often reviewed to determine compliance with applicable mandates. Often, the tools, processes, and activities used to perform compliance reviews are referred to as audits (or auditing).

Contractual Mandates

A contract is an agreement between parties requiring them to perform in some way and setting the terms for performance. Contracts are an instrumental tool in business, where the contract obligates the organization; contracts are either used explicitly or implicit in every business transaction. Contracts could be as simple as the exchange of money for a product, or a complicated, long-term arrangement requiring hundreds of pages of contract documentation.

An organization enters into a contract voluntarily, and law and custom dictate that every party to a contract will fulfill the requirements of the contract unless they are unable to do so. The importance of contracts has been codified in most countries as law, to the extent that any party not fulfilling their contractual obligations may be forced to do so (or pay recompense) if the other party/parties to the contract seek relief from the courts.

In many cases, parties to a contract may have the right to review the progress and activity of each other to ensure the terms of the contract are being met (this is also stipulated in the contract). This may involve inspection of raw data, a measure of some performance, or audits; these actions may be performed by the parties to the contract or by external third parties on their behalf.

The candidate should be familiar with one widely used contract, as it is the basis for a great deal of work performed in the IT security industry: the contract between entities that issue credit cards in the United States and any entity that accepts those cards as a form of payment (referred to as “merchants”). This contract is promulgated by the Payment Card Industry (PCI) Security Standards Council; the Council publishes and enforces the Payment Card Industry Data Security Standard (PCI DSS).

The Data Security Standard (DSS) is generally viewed by those in the industry as comprehensive and fairly well designed and administered. It is also a mandate with significant consequences: any merchant that doesn’t properly comply with the DSS can be assessed a fee by the Council, and the Council reserves the right to revoke any merchant’s ability to accept credit card payment for continued or exacerbated noncompliance. For many merchants, losing the ability to receive credit card payments would be fatal to their operations, so they are extremely motivated to remain compliant.

Under PCI DSS, merchants are categorized into four Merchant Levels, according to the number of credit card transactions the merchant is party to annually. Merchants are required to subscribe to the security control areas and processes described in the DSS. For the most part, the DSS involves protecting privacy data related to the cardholder (the cardholder’s name, card number, billing address, etc.), including mandating some mechanisms for ensuring protection, such as encryption or tokenization.

Other elements of the DSS exist to protect the financial institution that has issued the card, especially in transactional activity. For instance, merchants are not allowed to store the Card Verification Value (CVV) number that appears on the card itself, for any length of time; the CVV can only be used during the transaction.
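An added example, not from the (ISC)2 guide or the PCI Security Standards Council, of the storage rule just described: a record sanitizer that tokenizes the card number, keeps only a masked form, and drops the CVV before anything is persisted, with an audit helper that flags stored records still carrying raw card data. The field names, the HMAC-based token scheme, and the sample card number are assumptions.

```python
"""Sanitize a card transaction before it is written to storage.

Added illustration of two rules from the text: cardholder data is protected
by tokenization (a keyed HMAC stands in for a vault-issued token here), and
the CVV is used only during the transaction and never stored. Field names,
the token scheme and the sample card number are assumptions for this
example; they are not quoted from PCI DSS.
"""
import hashlib
import hmac
import re

# Assumed token-derivation key. In production this would live in an HSM or
# key-management service; a constructed placeholder keeps the example offline.
TOKEN_KEY = b"example-only-token-key"

PAN_RE = re.compile(r"^\d{13,19}$")
# Assumed field names under which raw card data might leak into a record.
FORBIDDEN_KEYS = {"pan", "card_number", "cvv", "cvv2", "cvc"}


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, used to reject obviously malformed PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str) -> str:
    """Replace the PAN with a keyed, one-way token.

    The same PAN always yields the same token, so the merchant can still link
    a customer's transactions, but the token reveals nothing without the key.
    """
    mac = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return "tok_" + mac[:32]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, enough for receipts and support."""
    return "*" * (len(pan) - 4) + pan[-4:]


def sanitize_for_storage(txn: dict) -> dict:
    """Return a copy of the transaction that is safe to persist.

    The CVV, if present, is dropped outright: it has already served its
    purpose in authorization. Raises ValueError on a malformed PAN.
    """
    pan = txn["pan"].replace(" ", "")
    if not PAN_RE.match(pan) or not luhn_valid(pan):
        raise ValueError("malformed PAN")
    stored = {k: v for k, v in txn.items() if k.lower() not in FORBIDDEN_KEYS}
    stored["pan_token"] = tokenize_pan(pan)
    stored["pan_masked"] = mask_pan(pan)
    return stored


def storage_record_is_compliant(record: dict) -> bool:
    """Audit helper: False if a persisted record still carries raw card data,
    either under a forbidden field name or as a Luhn-valid PAN in any value."""
    if FORBIDDEN_KEYS & {k.lower() for k in record}:
        return False
    for value in record.values():
        digits = value.replace(" ", "") if isinstance(value, str) else ""
        if PAN_RE.match(digits) and luhn_valid(digits):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample; 4111 1111 1111 1111 is a well-known test number.
    txn = {"pan": "4111 1111 1111 1111", "cvv": "123",
           "amount_cents": 1999, "merchant_id": "M-EXAMPLE-001"}
    safe = sanitize_for_storage(txn)
    print(safe)
    print("compliant:", storage_record_is_compliant(safe))
```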

Legal Standards

Instructor notes (PPT: Legal Standards): Explain the concept of legal precedent. (PPT: Industry Standards): Introduce and discuss the concept of industry standards, and discuss common industry standards.

Legal standards are set by courts in decisions that set precedent; that is, the judgments a court has made previously become the standard of acceptable practice for future behavior. This precedent informs other courts in making determinations, for instance, of reasonable expectations for parties to a contract—the due care mentioned earlier in this domain.

Organizations use these standards in the formulation of their own strategy and governance as a means of setting acceptable risk. When a court makes a decision about due care, organizations that will be subject to similar circumstances make plans according to that standard out of recognition of the liability they might face for noncompliance.

For example, an organization perceives and understands judgments for and against other organizations in the same industry or line of work and acts accordingly. If an organization is involved in manufacturing and is performing a cost-benefit analysis regarding how to dispose of industrial waste, senior management might consider using a non-certified disposal method to cut costs. However, management would be wise to consider, in addition to other externalities and mandates, how other manufacturing operations have been treated by the courts when those manufacturers engaged in similar activity.

NOTE: In this particular example, there are, of course, other external mandates as mentioned, notably legislative and statutory mandates related to manufacturing waste disposal, that require the attention of senior management, as well as the pertinent legal standards.

Industry Standards

As can be understood from the term, industry standards are set for and by the organizations involved and associated with a given field of endeavor. For instance, in the field of IT security, (ISC)2 is a standards body that creates, maintains, and determines eligibility for certifications of professional practitioners. Absent other mandates, this standard has no inherent legal force but has weight and credence lent to it by recognition from industry participants.

Through time and use, industry standards may take on legal substance when the courts recognize them as credible. For instance, when an organization is defending itself in court against accusations of negligence in the due care for delivery of IT security, the organization can present the experience and professional certifications of the organization’s IT security personnel as demonstration of the organization’s due diligence: the organization hired certified personnel, thus displaying due diligence in provision of security services.

Regulators (described in detail in a later section of this module) may also recognize industry standards as sufficient for meeting regulatory compliance requirements, especially in the absence of clear statutory or administrative law guidance for a particular topic.

Some industry standards (including mention of those that were introduced earlier in this domain) that the candidate may find useful:

• ISO: The International Standards Organization, which publishes industry standards for almost every type of endeavor and operation, is recognized globally for the comprehensiveness and credibility of its standards. They are, however, expensive.
• CSA STAR: The Cloud Security Alliance (CSA) program for certifying managed cloud service providers.
• Uptime Institute: Certification program for data centers, usually involving managed services, describing the center’s capability to support the availability aspect of the CIA triad.
• SSAE 16: Audit standard, designed for publicly-traded corporations but widely used by many organizations, including managed cloud providers, devised by the American Institute of Certified Public Accountants (AICPA).

Regulatory Standards

Instructor notes (PPT: Regulatory Standards): Introduce and discuss regulatory standards, and discuss the variety of international privacy regulations.

Regulations are mandates set by government bodies. Regulations can be created by legislative or administrative action. Regulated organizations are subject to oversight by representatives from the applicable regulatory agencies (called “regulators”). Punishment for failure to comply can result in fines, court orders for performance, and in some cases imprisonment for principals of the organization.

A list of some regulations the candidate should be familiar with:

• General Data Protection Regulation (GDPR): From the European Union, addresses personal privacy, deeming it an individual human right. Currently perhaps the single most powerful and influential regulation associated with IT and data security in the world, influencing laws in many other countries and regions. GDPR and some associated programs are discussed in more depth in Module 5 of this domain.
• Health Insurance Portability and Accountability Act (HIPAA): An American federal law that affects medical providers, and includes stipulations regarding the collection and dissemination of health-related personal information, referred to in the Act and the industry as “electronic protected health information (ePHI).”
• Gramm–Leach–Bliley Act (GLBA): A federal U.S. law that allowed banks to merge with insurance providers and includes protection, collection, and dissemination requirements for the personal information of individual account holders.
• Sarbanes–Oxley Act (SOX): Created by the U.S. Congress as a response to a series of dramatic frauds committed by publicly traded corporations in the 1990s. Contains security, privacy, and availability requirements of great interest to IT security practitioners, as resulting industry standards (specifically, SSAE 16) created as a mechanism for SOX audits have been accepted by many organizations beyond publicly traded corporations.
• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA): Is severely restrictive of privacy data collection and dissemination and requires intense security for such data.
• Federal Information Systems Management Act (FISMA): A U.S. national law applicable only to federal government agencies; requires all covered entities to comply with NIST guidance and standards for securing IT environments under those agencies’ control. FedRAMP, the Federal Risk and Authorization Management Program, is a wide-reaching mandate that is a corollary to this law and stipulates security requirements for managed service providers that want to sell to federal government customers.
• Personal Data Protection Law (Argentina): Argentina’s statute that creates a legal environment in that country that directly adheres to and supports the GDPR.
• Personal Data Protection Law (Singapore): Singapore’s national law addressing all privacy data collected, processed, and disseminated in or through that country.
• The Privacy Act: Sometimes confused with the American law of the same name, this is Australia’s law that dictates how personal information in Australia may be collected and disseminated.
• Act on Protection of Personal Information (APPI): A Japanese national law that covers business organizations that hold personal data on 5,000 or more individuals.

Common Privacy Law Tenets

Instructor notes (PPT: Common Privacy Law Tenets): Introduce and discuss common privacy policy tenets (and perhaps explain how they are derived from the OECD guidelines).

Many privacy laws address similar concepts associated with individual personal data that have become common globally. The candidate should be familiar with these general concepts:

• Notification: The data subject (the individual human related to the personal data in question) should be notified before any of their personal data is collected or created.
• Participation: The subject should have the option not to take part in the transaction, if the subject chooses not to share their personal data.
• Scope: Any personal data collected or created should be for a specific purpose; this purpose should be legal and ethical and be included in the notification aspect of the transaction, as well as inform the limitation aspect.
• Limitation: Any personal data should only be used for the purpose identified in the scope aspect of the transaction; any additional use would require repeating the notification and participation aspects.
• Accuracy: Any personal data should be factual and current; data subjects should have a means to correct/edit any information about the subject in a simple, timely manner.
• Retention: Personal data should not be kept any longer than is necessary for the purpose, or as required by applicable law.
• Security: Any entity that has possession of personal data is responsible for protecting it.
• Dissemination: Any entity that has possession of personal data should not share it with any other entity, nor release it, without the express permission of the data subject and in accordance with applicable law.

Module 5: Legal and Regulatory Issues that Pertain to Information Security in a Global Context

Instructor notes (PPT: Legal and Regulatory Issues that Pertain to Information Security in a Global Context): Introduce the participants to the “Legal and Regulatory Issues that Pertain to Information Security in a Global Context” module. (PPT: Module Objectives): Introduce the module objectives.

Module Objectives

1. Recognize the role of digital rights management (DRM) solutions in protecting intellectual property.
2. Recognize modern international legal restrictions on import/export of data and IT tools.
3. Explain how modern legal frameworks affect international data flow and how the information security industry is responsible for many compliance requirements.

Cyber Crimes and Data Breaches

Instructor notes (PPT: Cyber Crimes and Data Breaches): Introduce and discuss common computer-related crimes, and data breach notification laws.

The modern IT landscape affords criminals a host of options for engaging in nefarious activity, including updated versions of traditional crimes. Criminals may, for instance, conduct age-old activities such as fraud, theft, blackmail, and extortion but use modern appliances to extend their reach, speed, and efficiency. There are also new criminal statutes that have created new classes of crimes the security practitioner should be aware of.

A brief description of some (but certainly not all) possible computer-related crimes:

• Malware: In many jurisdictions, governments have made the creation and dissemination of malicious software a crime.
• Unauthorized access: The modern version of trespassing; the simple act of accessing a system/network in an unauthorized manner is against the law in many countries.
• Ransomware: A new version of the old crime of extortion; the attacker gains access (often illegally) to the victim’s data, encrypts it, and offers to sell the victim the encryption keys to recover the data. Ransomware tools have become so pervasive and effective that, in many cases, even federal law enforcement entities have advised victims to pay the ransom: https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/.
• Theft: Stealing data—or hardware on which data resides—can be a lucrative criminal enterprise.
• Illegal use of resources: In many situations, attackers conduct unauthorized access not to get anything directly from the victim but to use the victim’s IT assets for the attacker’s benefit. This can take the form of storage (where the attacker is using the victim’s memory to stash files and data the attacker has acquired elsewhere), or processing (where the attacker is using the victim’s CPU to conduct malicious activity such as staging DDoS attacks).
• Fraud: By engaging the victim in some way (often through an appeal to the victim’s greed or sympathy), the attacker is able to illegally acquire the victim’s money. Common tactics include: the attacker posing as someone else (often as someone related to the victim, through social media); the attacker gaining access to the victim’s bank account; the attacker preying on those who are not media-savvy, such as the elderly.

Data breach notification is another area of law that has become ubiquitous; many countries (and jurisdictions within countries, such as U.S. states) have created legislation requiring any entity that has personal data within its possession to notify the subjects of that data if the data is disclosed in any unauthorized fashion. Any organization that is not in compliance with these laws (that is, any organization that loses personal data and does not make sufficient notification in a timely manner) faces severe financial penalties in many jurisdictions. The security practitioner should be aware of all such applicable laws for every jurisdiction in which their organization operates.

Licensing and Intellectual Property Requirements

Instructor notes (PPT: Licensing and Intellectual Property Requirements): Introduce and discuss the concept of intellectual property, and common forms of licensing.

Intangible assets are called intellectual property. This can include proprietary material such as software owned by the organization. Proprietary software is usually distributed under an agreement between the owner of the software (the vendor) and customers through the use of a license, an agreement codifying the terms (price, duration, number of copies) that govern the use of that software.

There are many modern forms of licensing. These include but are not limited to the following:

• Site licensing: An organization purchases a right to use the software for all members of the organization’s staff, usually for a stated duration and with a cap on the number of copies used.
• Per-seat licensing: An organization purchases the right to use a specific number of copies of the software for its personnel, or to pay a certain price (usually less than the common retail price) for every copy it uses.
• Shareware: The owner of the software allows anyone to use the software within given constraints. Often, this takes the form of a Creative Commons license, where noncommercial use of the software is free, but any business use of the software requires payment.
• Public domain: Use of the software is free (as is modification and customization of the application itself), but technical support or extra features come at a premium.

In many organizations, the security office has become the de facto software librarian: the organizational entity that is tasked with maintaining the list of authorized copies of software used by the organization and ensuring the organization is complying with the terms of the license(s).

Digital Rights Management (DRM)

Instructor notes (PPT: Digital Rights Management (DRM)): Introduce and discuss the concept and implementation of DRM.

Organizations that seek to enforce and maintain their intellectual property rights commonly implement some sort of digital rights management (DRM) solution. DRM tools often create an additional layer of access control within the organization for those files/data sets that contain proprietary material.

One DRM example many candidates may be familiar with is the encoding used on DVDs and DVD players. The customer buys the DVD from the owner of the intellectual property (the movie). The customer can play the DVD on a DVD player; the customer can carry that DVD to another DVD player and still play it. The customer owns the DVD and can view the movie whenever the customer wants. However, the encryption built into the DVD (and the encryption-aware application in the DVD players) will not allow the customer to copy the movie (without the use of additional decryption measures). This enforces the intellectual property owner’s rights over the movie; the owner is selling the right to view the movie, not to copy and redistribute it. The customer can even sell the DVD to someone else—selling the customer’s right to watch the movie. But the customer can’t sell the movie itself to someone else because the customer doesn’t own the movie.

DRM sometimes offers additional capabilities as well. In the DVD example, the DRM solution is also used to enforce laws in some jurisdictions pertaining to the content and nature of DVD content. This is a “region” system where different countries are categorized by region, depending on the laws of those countries regarding content. A DVD purchased in a Region 1 country, for instance, will not play on a DVD player purchased in (and encoded for) a Region 2 country, and vice versa.

DRM solutions should have the following traits:

• Persistency: The access controls follow the protected material wherever the material goes. In the DVD example, the encryption is carried on the DVD no matter where the customer carries the DVD.
• Dynamic policy control: The DRM solution should be subject to a centralized administrative function that allows the owner of the intellectual property to update and modify permissions as necessary. This characteristic has less to do with consumer DRM and usually involves enterprise rights management (ERM, which is also referred to as information rights management, IRM) within an organization that creates intellectual or proprietary material.
• Automatic expiration: The DRM solution should recognize a time limit on permissions for specific data sets/files. When the time limit has been reached, access may be revoked (in the case of a software license expiring) or the material may become public domain (when the private ownership rights expire).

• Continuous audit trail: The DRM solution should ensure
that every protected element (each file or data set) is able
to recognize and annotate access events (opening/viewing/
running/copying/etc.) on itself and maintain that record.
• Interoperability: The DRM solution should function
properly within the environment of whoever is running the
DRM and work in concert with that organization’s existing
access control methodologies and tools. This means the
DRM solution can integrate with the organization’s file
structure, email, etc.

48 Domain 1: Security and Risk Management
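The traits above describe an access-control mechanism, and the first four of them can be made concrete in a few dozen lines. The following is an added example written for the reader of this section; it is not code from (ISC)2 or from any DRM product, and the class names (Policy, ProtectedFile, PolicyServer, DrmAgent), the action vocabulary, and the sample grants are all assumptions. It shows persistency (the policy reference and the audit record travel with the protected object), dynamic policy control (the rights owner changes permissions centrally and the agent honors the change on the next access), automatic expiration, and a continuous audit trail. Interoperability with a real file system or mail system is not modeled.

```python
"""Toy DRM policy engine illustrating the DRM traits in the text.

Added example; not code from the (ISC)2 guide or from any DRM product.
All names below (Policy, ProtectedFile, PolicyServer, DrmAgent) are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Action vocabulary is an assumption; real products define their own.
ACTIONS = {"view", "copy", "print"}


@dataclass
class Policy:
    """Rights granted to one principal, with an optional time limit."""
    allowed: set[str]
    expires: datetime | None = None  # None means no time limit

    def permits(self, action: str, now: datetime) -> bool:
        # Automatic expiration: once the time limit is reached, access is revoked.
        if self.expires is not None and now >= self.expires:
            return False
        return action in self.allowed


@dataclass
class ProtectedFile:
    """A DRM-wrapped element. Its policy reference and its audit record travel
    with the object wherever it is copied (persistency)."""
    name: str
    policy_id: str
    audit: list[tuple[str, str, str, str]] = field(default_factory=list)


class PolicyServer:
    """Centralized administrative function: the rights owner grants, changes
    and revokes permissions here (dynamic policy control)."""

    def __init__(self) -> None:
        self._policies: dict[str, dict[str, Policy]] = {}

    def grant(self, policy_id: str, principal: str, allowed: set[str],
              expires: datetime | None = None) -> None:
        self._policies.setdefault(policy_id, {})[principal] = Policy(set(allowed), expires)

    def revoke(self, policy_id: str, principal: str) -> None:
        self._policies.get(policy_id, {}).pop(principal, None)

    def lookup(self, policy_id: str, principal: str) -> Policy | None:
        return self._policies.get(policy_id, {}).get(principal)


class DrmAgent:
    """The DRM-aware client component: every access to a protected element is
    mediated here and annotated on the element (continuous audit trail)."""

    def __init__(self, server: PolicyServer) -> None:
        self.server = server

    def access(self, element: ProtectedFile, principal: str, action: str,
               now: datetime) -> bool:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        policy = self.server.lookup(element.policy_id, principal)
        allowed = policy is not None and policy.permits(action, now)
        # Allowed or denied, the attempt is recorded on the element itself.
        element.audit.append((now.isoformat(), principal, action,
                              "ALLOW" if allowed else "DENY"))
        return allowed


def demo() -> tuple[list[bool], list[tuple[str, str, str, str]]]:
    """Run the DVD-style scenario; returns the access decisions and the audit trail."""
    server = PolicyServer()
    agent = DrmAgent(server)
    utc = timezone.utc
    t0 = datetime(2024, 1, 1, tzinfo=utc)
    end = datetime(2025, 1, 1, tzinfo=utc)
    # Constructed sample grant: the customer may view the movie for one year, never copy it.
    server.grant("movie-42", "customer", {"view"}, expires=end)
    movie = ProtectedFile("movie-42.bin", "movie-42")

    decisions = [
        agent.access(movie, "customer", "view", t0),   # licensed action
        agent.access(movie, "customer", "copy", t0),   # never granted
        agent.access(movie, "stranger", "view", t0),   # no policy for this principal
    ]
    # Dynamic policy control: the owner adds a right centrally; the agent honors it at once.
    server.grant("movie-42", "customer", {"view", "print"}, expires=end)
    decisions.append(agent.access(movie, "customer", "print", t0))
    # Automatic expiration: same principal and element, after the time limit.
    decisions.append(agent.access(movie, "customer", "view",
                                  datetime(2025, 6, 1, tzinfo=utc)))
    return decisions, movie.audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The clock is passed in explicitly rather than read from the system so that the expiration behavior is reproducible; a deployed agent would use the current time, and would have to defend that time source, since an attacker who can set the client clock back defeats the expiration check.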

DRM solutions often involve the use of system agents: elements of the
DRM solution application that are installed on all client devices within
an organization. Each device used to access DRM-protected material
must be DRM-aware (that is, the device must recognize files protected
by the DRM solution and how to distinguish permissions for specific
files). In some organizations, this may be challenging; the DRM
solution agent will need to be added to the baseline configuration of
the organization’s environment, and in any organization where
personnel are allowed to use personal devices, users will need to
allow installation (and maintenance and often external audit) of the
DRM agent on their devices.

Import/Export Controls
PPT: Import/Export Controls
Discuss common international restrictions on IT and security-related
materials, particularly cryptographic solutions.

The security practitioner should be aware that IT hardware and
software is often subject to international trade restrictions, mainly for
national defense purposes. In particular, encryption tools are seen by
many governments as a threat to global stability and rule of law.
One such restriction scheme is the Wassenaar Agreement, a
multilateral export control restriction program involving 41
participating countries; these countries agree not to distribute
(export) certain technologies (including both weapons and, of more
concern to our field, cryptographic tools) to regions where an
accumulation of these materials might disturb the local balance of
power between nation-states. Security practitioners employed or
operating in either a Wassenaar signatory country or in a region
where import of these materials is controlled by the Agreement
need to be aware of these prohibitions and understand what
encryption tools may or may not be used.
Many countries have their own internal laws governing the import/
export of encryption technologies in addition to international treaties.
For instance, Russia and some Baltic states, Myanmar, Brunei, and
Mongolia have outright bans on the import of cryptographic
technologies. Government rationale for these prohibitions is usually twofold:
the government is concerned that some citizens may use this technology to
prevent the government from intercepting their communications (ostensibly,
the government is worried about unmonitored criminal activity, but this
prohibition often includes some aspect of government intent to reduce
private political action, such as subversion and revolution), and the
government is also concerned that imported cryptographic tools may
contain purposeful flaws and defects (specifically, backdoors) allowing the
host nation of the vendor to intercept encrypted traffic.
Some countries (notably, the United States) also have their own laws
preventing export of some encryption technologies because encryption
can be used for both criminal and military purposes.

Trans-Border Data Flow
PPT: Trans-Border Data Flow
Introduce and stress the primacy of the GDPR in the international privacy
realm.

In the modern data security field, the movement of data across
international boundaries is technologically easy and ubiquitous, but legally
it is risky and challenging.
The largest such challenge is currently posed by the European Union and its
privacy law mandates—specifically, the GDPR. The GDPR (and its statutory
predecessors) is expressly intended to prevent the personal data of EU
citizens from going to any country (that is, any hardware device located in
any country) that does not have a national personal privacy law that is in
accordance with EU law in terms of breadth and individual protection.

PPT: GDPR Compliance (2 slides)
Explain which countries have specific laws that comply with the GDPR,
and which do not. Also, explain how standard contractual clauses
work, and how they can fulfill GDPR compliance requirements.

It’s important for practitioners operating in a global environment to know
which countries have laws that comply with the GDPR (and are allowed to
receive/process data sets that contain personal information of EU citizens)
and which do not. The following is a partial list, current as of the date
of publication—the candidate is strongly advised to review current
laws/policies before taking the exam (the EU publishes a list on the Web:
http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm).
Countries with national laws that adhere to the GDPR:
• All EU countries
• Andorra
• Singapore
• Switzerland
• Japan
• Israel
• Australia
• Argentina
• Uruguay
• Canada

Countries without national laws that adhere to the GDPR:
• The United States (unless the entity receiving/processing
the data subscribes to the Privacy Shield program or
creates standard contractual language/policy compliant
with the GDPR)
• Everywhere else

Privacy Shield
Because of the overarching influence of both the GDPR and American
business interests, it is strongly recommended that the candidate
understand some basic elements of the Privacy Shield program.
Privacy Shield is a voluntary United States program for American
companies that want to do business that involves processing privacy
data of EU citizens. U.S. companies that want to take part in the
program must apply through the U.S. Department of Commerce
website (https://www.privacyshield.gov/welcome), using the form
specified for the company’s particular industry.
• For airlines and shipping companies, the Department of
Transportation is the relevant regulator.
• For all other companies, the Federal Trade Commission
(FTC) is the relevant regulator.
Companies applying to take part in the Privacy Shield program agree
to the following:
• Create internal policy/policies that position the company to
adhere to and comply with the GDPR.
• Submit to regulation by the relevant regulator.
• Self-certify via the Privacy Shield website, and recertify
annually.
For the sake of simplicity, the Privacy Shield program can be thought
of as a voluntary mechanism for U.S. companies to agree to follow EU
data protection law.

Standard Contractual Clauses
If a multinational organization headquartered in a non-approved
country wants to process/receive EU citizen personal data, that
organization can apply for specific approval by creating contract
language that makes a transaction conform to the GDPR. Simply put: if an
organization in a non-approved country outside the EU wants to engage in
business with parties in the EU and that business involves PII of EU citizens,
the organization must stipulate in the contract between the parties that the
business activity will comply with the GDPR. This contract wording is
referred to as “standard contractual clauses.” These clauses must be
included in every contract the organization creates with EU entities.
Standard contractual clauses must be approved by either the EU
Commission or by a government entity in an EU country (if the business
activity is only occurring in that country). Once the language of a standard
contractual clause is approved, it may be used for many different contracts.

Privacy Terms
PPT: Privacy Terms (2 slides)
Explain and give examples of the various terms related to privacy
regulation and compliance.

Many data privacy laws use a common terminology; the candidate should
be familiar with the following terms and concepts.
• Personally identifiable information (PII): PII, as it is referred to
in the industry, is any data about a human being that could be
used to identify that person. The specific elements of what data
constitute PII differ from jurisdiction to jurisdiction and from law
to law. These are some elements that are considered PII in some
jurisdictions and laws:
  ◦ Name
  ◦ Tax identification number/Social Security number
  ◦ Home address
  ◦ Mobile telephone number
  ◦ Specific computer data (MAC address, IP address of the user’s
  machine)
  ◦ Credit card number
  ◦ Bank account number
  ◦ Facial photograph
Under some laws, PII is referred to by other terms, as was mentioned earlier
in this domain: for instance, medical data in the United States is referred to
as electronic protected health information (ePHI) under HIPAA.
• Data subject: The individual human being that the PII refers to.
• Data owner/data controller: An entity that collects or
creates PII. The data owner/controller is legally responsible
for the protection of the PII in their control and liable for any
unauthorized release of PII. Ostensibly, the owner/controller is
an organization; the legal entity that legitimately owns the data.
In some cases (in certain jurisdictions, under certain laws),
the data owner is a named individual, such as an officer
of the company, who is the nominal data owner. In actual
practice, however, we usually think of the data owner as
the managerial person or office that has the most day-to-day
use and control of the data; that is, the department or
branch that created/collected the data and which puts the
data into use for the organization.
• Data processor: Any entity, working on behalf or at the
behest of the data controller, that processes PII. Under
most PII-related laws, “processing” can include absolutely
anything that can be done with data: creating, storing,
sending, computing, compiling, copying, destroying, and so
forth. While the data processor does have to comply with
applicable PII law, it is the data owner/controller that remains
legally liable for any unauthorized disclosure of PII even if
the processor is proven to be negligent/malicious.
• Data custodian: The person/role within the organization
who usually manages the data on a day-to-day basis on
behalf of the data owner/controller. This is often a database
manager or administrator; other roles that might be
considered data custodians could be system administrators
or anyone with privileged access to the system or data set.
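A data custodian or auditor who needs to know whether a data store holds any of the PII elements listed above often starts with a pattern scan. The following is an added example, not from the (ISC)2 guide: the Social Security number and telephone patterns are U.S.-format assumptions, the credit card check uses the Luhn checksum to drop digit strings that merely look like card numbers, IP addresses are range-checked so that a malformed dotted quad is not reported, and the three ticket records are constructed sample input. Names, home addresses, bank account numbers and photographs are deliberately not attempted, since a simple pattern cannot recognize them reliably.

```python
"""Scan free-text records for PII elements of the kinds listed in the text.

Added example; not from the (ISC)2 guide. SSN and telephone patterns are
U.S.-format assumptions; the sample tickets are constructed input.
"""
from __future__ import annotations

import re

# Pattern choices are assumptions for common formats, not legal definitions of PII.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    # 16-digit card candidates only; confirmed by the Luhn check below.
    "card_candidate": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
}

# Constructed sample records (no real persons or accounts).
SAMPLE_RECORDS = [
    "Ticket 1001: customer called from 555-867-5309 about card 4111 1111 1111 1111",
    "Ticket 1002: SSN on file 123-45-6789; laptop MAC 00:1A:2B:3C:4D:5E seen at 192.168.10.25",
    "Ticket 1003: reference 4111 1111 1111 1112 is an order id; host 10.0.0.300 is not an address",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell real card numbers from other 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def valid_ipv4(dotted: str) -> bool:
    """Reject dotted quads with an octet outside 0..255."""
    return all(0 <= int(octet) <= 255 for octet in dotted.split("."))


def find_pii(text: str) -> dict[str, list[str]]:
    """Return {category: [matched strings]} for every PII element found in text."""
    found: dict[str, list[str]] = {}
    for category, rx in PATTERNS.items():
        for match in rx.finditer(text):
            value = match.group(0)
            if category == "card_candidate":
                if not luhn_ok(re.sub(r"[ -]", "", value)):
                    continue  # looks like a card number but fails the checksum
                category_out = "credit_card"
            elif category == "ip_address" and not valid_ipv4(value):
                continue  # dotted quad with an octet out of range
            else:
                category_out = category
            found.setdefault(category_out, []).append(value)
    return found


def scan_records(records: list[str]) -> dict[int, list[str]]:
    """Map each record index to the sorted list of PII categories detected in it."""
    return {i: sorted(find_pii(r)) for i, r in enumerate(records)}


if __name__ == "__main__":
    for idx, categories in scan_records(SAMPLE_RECORDS).items():
        print(idx, categories)
```

A scan like this is a triage tool, not a classification decision: which of the matched elements count as PII, and what handling they require, still depends on the jurisdiction and law that apply to the organization, as the list above notes.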

Module 6: Security Policy, Standards, Procedures, and Guidelines

PPT: Security Policy, Standards, Procedures, and Guidelines
Introduce the participants to the “Security Policy, Standards, Procedures,
and Guidelines” module.

Module Objectives
1. Describe the hierarchy of written governance (policies, standards,
guidelines, and processes).

PPT: Module Objectives
Introduce the module objectives.



Instructor Edition

Policy
The written aspect of governance (including security governance) is
Notes
Security Policy, Standards,
1
known as policy. Policies are documents published and promulgated Procedures, and Guidelines
by senior management dictating and describing the organization’s

Security and Risk Management Domain


strategic goals (“strategic” entails long-term, overarching planning
that addresses the whole of the organization; it is possible to have PPT
goals that are not strategic to the organization, such as goals for a Policy/Standards/
specific department, project, or duration). Security policies are those Procedures/Guidelines
policies that address the organization’s security goals and might Define and explain the
include such areas as data classification, access management, and differences between
so on. policies, standards,
guidelines, and
Typically, policies are drafted by subject matter experts, shared procedures.
among stakeholders for review and comment, revised, then
presented to senior management for final approval and publication.
This is especially true for security policy, which is often a topic of
which senior management has little understanding and insight, and
it relies greatly on security practitioners for advice and guidance.

Standards
Standards are specific mandates explicitly stating expectations of
performance or conformance. Standards can either come from within
the organization (internal) or from external sources such as statutory or
administrative law, case law (court decisions that set precedent),
professional organizations, and/or industry groups. Some standards
are detailed and specific; an example might be an industry standard
for configuring a certain IT component or device. Some standards are
general and describe a goal, outcome, or process; an example might
be a law that sets a standard declaring, “the data controller is required
to use physical access control measures to prevent unauthorized
removal of hardware containing PII.”
Organizations are required to comply with standards to which they
subscribe or which are applicable to the organization; failure to do
so can result in prosecution or fines assessed by law enforcement/
regulators or can increase and enhance the organization’s liability.
An example, for demonstration purposes: a retail company has some
PII related to its customers, including their contact information and
shopping habits. In the wake of a data breach, investigators
determine that the company was storing data in files that could be
accessed with default administrative usernames and passwords,
which is directly contrary to all current industry standards and
common security practice. Because not conforming to the standard

demonstrates a form of negligence, in addition to the costs of resolving
the breach, the company may face additional expenses in the form of
lawsuits from customers whose data was exposed and fines from
regulators who oversee the protection of personal information. If the
company had taken good faith steps to protect the data in a professional
manner (including adherence to best practices and industry standards),
the company would still incur expenses related to resolving the loss but
would have attenuated the liability from the additional costs.

Module 6: Security Policy, Standards, Procedures, and Guidelines 55

Procedures
Procedures are explicit, repeatable activities to accomplish a specific
task. Procedures can address one-time or infrequent actions (such as a
disaster recovery checklist) or common, regular occurrences (for instance,
daily review of intrusion detection logs). Like standards, procedures aid
the organization by demonstrating due diligence and avoiding liability.
Proper documentation of procedures (in both creating the procedures
and in executing them) and training personnel how to locate and perform
procedures is necessary for the organization to derive benefit from
procedures.

Guidelines
Guidelines are similar to standards in that they describe practices and
expectations of activity to best accomplish tasks and attain goals.
However, unlike standards, guidelines are not mandates but rather
recommendations and suggestions. Guidelines may be created internally,
for use by the organization, or come from external sources such as
industry participants, vendors, and interested parties.
There is a general hierarchy of importance typically associated with these
governance elements; while not applicable in all cases, usually:
• Policy is at the pinnacle of the hierarchy; the organization’s policy
is informed by applicable law(s) and specifies which standards
and guidelines the organization will follow. Senior management
dictates policy, so all activity within the organization should
conform with policy.
• Standards are next; the organization’s policies should
specify which standards the organization adheres to, and the
organization can be held accountable for not complying with
applicable standards.

• Guidelines inform the organization how to conduct activities;
while not mandatory, they can be used to shape and inform
policies and procedures, and how to accomplish compliance
with standards.
• Procedures are the least powerful of the hierarchy, but they
are the most detailed; processes describe the actual actions
personnel in the organization will take to accomplish their
tasks. Even though they may be considered the bottom
of the hierarchy, they are still crucial and can be used for
obviating liability and demonstrating due diligence.

Module 7: Personnel Security Policies and Procedures

PPT: Personnel Security Policies and Procedures
Introduce the participants to the “Personnel Security Policies and
Procedures” module.

Module Objectives
1. Identify the various means to support personnel security goals,
including common policies and procedures.



Personnel Security Policies and Procedures
The area of personnel security involves efforts to ensure that
personnel within the organization are dependable and trustworthy.
Personnel that can be subverted or influenced to contravene policy
and law and bring harm to the organization are called “insider
threats.” The purpose of personnel security is to minimize the risk
and damage potential of insider threats.

Candidate Screening and Hiring
PPT: Candidate Screening and Hiring
Explain the methods for including security and risk management
practices in the employment process.

Like many risks, the insider threat can often best be addressed
before malicious activity can occur. For personnel, this is done
before they are hired and given access to the organization’s IT
environment and data. There are several measures and tools that
can be implemented to accomplish this. They include the following:
• Crafting detailed and reliable job descriptions. The
job description is an outline of desired and expected
performance on the part of the employee; it will be used
to determine if the employee is performing adequately,
successfully, and in accordance with the organization’s
governance. The job description is also the mechanism that
will be used to demonstrate whether the employee violated,
in some manner, the expectations and performance set
out in the description. Therefore, it is important for the
job description to have clear, precise annotation of these
elements; if, for instance, the employee is terminated for
acting (or not acting) in a certain way, the employee might
engage in litigation to recover damages by claiming that
the organization did not make the transgressive behavior
known to the employee before the termination—the
job description is one tool to support the organization’s
allegation that the employee acted improperly. Creation of
the job description should be the task of the hiring manager
(who understands best the needs of the position) and the
Human Resources department (which understands best the
applicable laws and procedures for creating job descriptions
that protect all parties involved).
• Checking candidate references. Another way the
organization can obviate the risk of hiring a person not
suitable for the position is to determine the candidate’s past
performance. However, in most modern business settings,
this may not lead to any particularly useful information;
many organizations will not report on the performance of
former employees and will only offer simplified information
about the former employee’s eligibility for rehire. Also, references
are often given by the candidate themselves, so are not wholly
independent sources.
• Employment history: A review of previous employment can
assess the candidate’s progression of responsibility, appropriate
experience, and gaps in employment.
• Background check: The candidate can be screened against
trusted databases for suitability, such as verification of
certification/credentials, educational degrees, and criminal
history.
• Financial profile: Positions of accentuated trust and
responsibility may also merit the organization’s review of a
candidate’s financial situation. This can reveal concerns about a
candidate’s trustworthiness: if the candidate has too little money,
it might indicate personal problems such as an addictive behavior,
gross poor judgment, or personal instability, all of which make
the candidate susceptible to subversion should they get a
position of responsibility; too much money may indicate that the
candidate is already participating in illicit activity, or has been
paid by another entity already, or will not be responsive to the
organization’s requirements. A financial check usually requires the
candidate’s explicit written agreement and may be limited by law
in some jurisdictions.

Module 7: Personnel Security Policies and Procedures 59

Employment Agreements and Policies
PPT: Employment Agreements and Policies
Explain the methods for including security and risk management
practices in the employment process.


Once the organization has decided which candidate should fill a position,
additional tools are available to enhance or support the trustworthiness
and security of employees and staff.
• Employee handbook: This is the written set of policies and
standards all personnel within the organization are required to
follow. It may contain proprietary information and remains the
property of the organization, but employees will need access to it
and should confirm receipt and understanding of the instructions
it contains. This document should be constructed with input from
senior management, legal counsel, and human resources subject
matter experts.
• Employment contract: Every employee should enter the
organization under a contractual agreement; each employment
contract should explicitly codify the terms of employment,
including payment and the performance expectations. The
contract should also be created with input from the legal
department.

• Nondisclosure agreement (NDA): The employee should
sign a formal agreement not to make any unauthorized
disclosure of any of the organization’s proprietary/sensitive
information, both during and after the term of employment.

Onboarding and Termination Processes
PPT: Onboarding and Termination Processes
Explain the methods for including security and risk management
practices in the employment process.

The organization should have defined processes for granting access
to personnel joining the organization, and those departing.
Onboarding should include a review of the contract terms and job
description, formal initial training to familiarize the new employee
with the organization’s security policies and procedures, the signing
of a nondisclosure agreement so that the employee declares
understanding of the organization’s ownership of its proprietary
systems and data, and a secure process for issuing the employee
any access information or tools necessary (such as user id/password,
keys, tokens, etc.).
Termination (whether the employee is leaving voluntarily or at the
behest of the organization) should be similarly codified. The
organization should lock the employee’s IT accounts so as to prohibit
the employee from making any last-minute modifications to the
system or data. The organization will also need to recover any of its
property from the employee, including devices, hardware, and
access control items such as identity/access badge, keys, and tokens.
There should be an exit interview to determine why the employee is
leaving (if the departure is amicable), a review of the terms of any
nondisclosure agreement, and the employee should be escorted
from the premises.

Vendor, Consultant, and Contractor Agreements and Controls
PPT: Vendor, Consultant, and Contractor Agreements and Controls
Explain the methods for including security and risk management
practices in managing external vendors.

Employees and staff are not the only personnel who might have
access to the organization’s IT environment. Vendors, consultants,
and contractors from outside the organization might also have
access. It is important for the organization to create procedures and
processes that properly constrain and distinguish access by
nonemployees.
Some tools the organization may consider for these purposes:
• Additional contractual protections: The organization should
protect itself from harm done by external parties that the
organization has granted (even limited) access to; the contract
between parties can stipulate the form of protection necessary for
accomplishing this (often monetary). This protection can take the
form of cash payments for failing to agree to terms, requirements for
the external party to maintain the appropriate insurance policies (in
professional services, this is often addressed by errors and omissions
policies), or an express transfer of liability (where allowed by law).
• Distinct accounts: External parties might be granted
differentiated accounts from other users; these accounts might
provide limited access or convey additional audit trail information.
• Escort requirements: External parties might require constant
monitoring, either via surveillance or continually in the presence
of an employee of the organization.
• Distinguishing identification: Identity/access badges for
non-employee personnel might be jarringly different than employee
badges, such as having a distinctly different color or shape.
As with internal personnel, external personnel should be required to sign
nondisclosure agreements to concede and recognize the organization’s
ownership of its own proprietary assets.

Compliance Policy Requirements
PPT: Compliance Policy Requirements
Explain the importance and function of AUPs.

Organizations should also utilize acceptable use policies (AUPs) for all
personnel. The AUP should detail, from the user’s expected perspective,
the appropriate and approved usage of the organization’s assets, including
the IT environment, devices, and data. Each employee (or anyone having
access to the organization’s assets) should be required to sign an AUP,
preferably in the presence of an employee of the organization, and both
parties should keep a copy of the AUP for their records.
Policy aspects commonly included in AUPs:
• Data access
• System access
• Data disclosure
• Passwords
• Data retention
• Internet usage

It is also possible to determine and enforce personnel compliance with
the organization’s security policy by conducting surveillance of their
activity. If the organization uses this option, it is extremely important that
surveillance programs and functions are conducted in strict accordance
with applicable laws; many countries have severe legal restrictions on how
and when organizations can observe the activity of their personnel.

Privacy Policy Requirements
PPT: Privacy Policy Requirements
Explain the need for every organization to have a privacy policy.

When personnel have access to PII, it is imperative that the
organization documents that the personnel understand and
acknowledge the organization’s policies and procedures for handling
that type of material. This type of documentation is similar to the
AUP but is specific to privacy data.
The organization’s privacy policy should stipulate which information
is considered PII, the appropriate handling procedures and
mechanisms used by the organization, how the user is expected to
perform in accordance with the stated policy and procedures, any
enforcement mechanisms and punitive measures for failure to
comply, and references to applicable regulations to which the
organization is subject (this can include national laws for certain
jurisdictions, such as the GDPR and PIPEDA, laws for specific
industries in certain countries such as HIPAA and GLBA, or local laws
set by the state/municipality in which the organization operates).
The organization should also have a document that is a version of the
privacy policy as it affects customers and other external parties. For
instance, a medical provider should be able to present patients with
a description of how the provider will protect their information (or a
reference to where they can find this description, such as the
provider’s website).

Module 7: Personnel Security Policies and Procedures 63


Official (ISC)2 CISSP Training Guide

Module 8: Security Awareness, Education, and Training Programs
Module Objectives
1. Describe the importance of security training, education, and awareness and how to
differentiate between those elements.

Security Awareness, Education, and Training Program Overview
To reduce both the internal threat and the effectiveness of certain types of attacks (such
as social engineering), it is crucial that the organization informs its employees and
staff how to recognize security problems and how to operate in a secure manner. While the
specifics of secure operation differ in each organization, there are some general concepts
that are applicable to all such programs.
First, an explanation of the common areas of security learning:
• Education: Formal classes, usually in an accredited academic institution outside the
organization of employment, often leading to a degree or professional certification. The
typical audience is practitioners and experts.
• Training: Semi-formal, usually offered by the organization itself (or by vendors) and
presented by subject matter experts (typically security practitioners). Although less
formal than education, training is usually still documented and tracked and is useful for
demonstrating due diligence. The typical audience is employees tasked with specific duties.
• Awareness: Informal, often unscheduled, and not mandatory; awareness elements are used
to remind and encourage employees to operate in a secure manner. The typical audience is
everyone within the organization.
An example to clarify:
An organization wants to promote fire safety.
• The organization sends the security manager to college courses on secure design of the
data facility, including the selection and implementation of fire control systems. This is
education.
• The organization provides a class for the person on each floor designated as the fire
marshal, instructing them on how to take charge during a fire and how to ensure everyone
has safely left the facility. This is training.
• The organization conducts regular fire drills and sends out monthly reminders via email
to all personnel, reminding them of the appropriate evacuation paths and relocation points
in the event of emergencies. This is awareness.

Methods and Techniques to Present Awareness and Training
There are a variety of ways to deliver instruction in a meaningful, effective way. These
are a few methods that can be used (the following is by no means exhaustive).
• Computer-based training: The advantages of allowing personnel to complete training
online include self-paced instruction and less intrusion on the employee’s schedule. It is
also highly efficient, allows for standardization of content and delivery, and usually
includes automatic assessment and tracking capabilities. One major downside of
computer-based training, however, is the common employee habit of clicking through
material without absorbing or retaining it, simply to complete a task they consider a
nuisance.
• Live instruction: Unlike computer-based training, live instruction requires scheduling a
specific meeting time, which can reduce enthusiasm and affect attendance. Live instruction
also requires a subject matter expert who is also a skilled trainer (the two talents do
not always coincide). However, live instruction counters the possibility of click-through,
can elicit and address subject matter questions in real time, and can present an
opportunity for the security department to build rapport with the user community as a
whole. Live instruction can be particularly effective when combined with some sort of
team-building exercise or other fun aspect of learning, a competition, and/or food.
• Reward mechanisms: Traditionally, the security office was a mechanism for enforcement
of policy, which usually resulted in negative consequences for employees. If, instead, the
organization rewards demonstrations of good (secure) behavior, this can increase the
security of the organization by reinforcing correct behavior and creating goodwill between
users and the security department. Rewards can be as basic as written congratulations
(which can be given added weight by including the letterhead and signature of a senior
manager) or as significant as cash bonuses or paid vacation.
• Regular communications: Many organizations already have some form of monthly newsletter
(often via the internal website or email blast); including security information in this
communication can serve to stress the importance the organization places on security and
promote awareness. Highly visible reminders, such as signage and posters, are similar
awareness communication tools.

Periodic Content Reviews
Dated material in security training programs can not only attenuate the effectiveness of
the instruction but can actually decrease the organization’s security. If personnel are
not informed of current threats and how to counter them, those employees are subject to
subversion and are a vulnerability.
It is imperative that subject matter experts regularly review instructional material for
currency and accuracy. It is also useful to have external experts review the material to
acquire as wide a perspective as possible.
Methods for performing security functions are constantly changing because threats and
countermeasures are continually evolving, and it is important to include the most current
information possible for security instruction to be relevant and effective. Pertinent
security aspects that should be included in the material and checked for currency include
the following:
• Applicable laws (particularly those involving data breach notification, intellectual
property, and PII)
• Security tools
• Organizational security policy
• Recent widespread attack styles and methodology

Program Effectiveness Evaluation
The organization’s instructional program should also be continually evaluated for utility
and effectiveness to ensure it is accomplishing its intent and goals.
There are several approaches that might be used (and can be used in concert); this is not
a comprehensive list:
• Participant testing: This can take the form of creating a list of desired training
outcomes, then formally testing participants against those outcomes after the training is
complete. It can also be done through the use of audits, random spot-checks of personnel
who have participated, to determine whether the personnel have understood the concepts
the training was meant to convey.
• Penetration testing: The organization can use social engineering techniques in mock
attack attempts (for example, a simulated phishing campaign) and determine if personnel
who have been trained respond accordingly.
• Log reviews: The behavior of personnel can be assessed by surveying the event logs of
users and determining whether their activity is in accordance with policy as conveyed by
the training.
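As an added example (not material from the (ISC)2 guide), the following Python script scores a mock-phishing exercise of the kind described under penetration testing and log reviews above, joining the simulation tool’s event log with the training roster so the organization can see whether trained personnel actually behave differently from untrained ones. The log format, the roster, and every event record are constructed for illustration; real tooling exports different field names.

```python
"""Score a simulated-phishing exercise against awareness-training records.

Added example, not taken from the (ISC)2 guide.  The log format, the roster
and every event record below are constructed for illustration.
"""
from collections import defaultdict

# Constructed roster: user -> True if the user completed the current
# awareness module before the lure was sent.
TRAINING_ROSTER = {
    "alice": True, "bob": True, "carol": True, "dave": True,
    "erin": False, "frank": False, "grace": False, "heidi": False,
}

# Constructed event log, one record per line: <timestamp> <user> <event>.
# "ivan" is deliberately absent from the roster to show how unmatched
# users are handled.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z alice delivered
2024-05-01T09:00:00Z bob delivered
2024-05-01T09:00:00Z carol delivered
2024-05-01T09:00:00Z dave delivered
2024-05-01T09:00:00Z erin delivered
2024-05-01T09:00:00Z frank delivered
2024-05-01T09:00:00Z grace delivered
2024-05-01T09:00:00Z heidi delivered
2024-05-01T09:00:00Z ivan delivered
2024-05-01T09:04:12Z alice reported
2024-05-01T09:06:30Z bob clicked
2024-05-01T09:07:02Z bob reported
2024-05-01T09:09:45Z carol reported
2024-05-01T09:11:20Z erin clicked
2024-05-01T09:12:05Z erin submitted_credentials
2024-05-01T09:15:40Z frank clicked
2024-05-01T09:20:00Z grace reported
2024-05-01T09:22:18Z heidi clicked
2024-05-01T09:23:01Z heidi submitted_credentials
2024-05-01T09:30:00Z ivan clicked
"""

VALID_EVENTS = {"delivered", "clicked", "submitted_credentials", "reported"}


def parse_log(text):
    """Fold raw records into the set of events seen per user.  Malformed
    records raise rather than being skipped, because a truncated export
    would otherwise silently understate the click rate."""
    events = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3 or parts[2] not in VALID_EVENTS:
            raise ValueError(f"line {lineno}: unrecognised record {line!r}")
        _timestamp, user, event = parts
        events[user].add(event)
    return dict(events)


def cohort_metrics(events, roster):
    """Click, credential-submission and report rates per cohort.  Only users
    who actually received the lure count; users missing from the roster go
    into an "unrostered" cohort so they surface as a data-quality problem
    instead of skewing the trained/untrained comparison."""
    groups = defaultdict(list)
    for user, seen in events.items():
        if "delivered" not in seen:
            continue
        if user not in roster:
            cohort = "unrostered"
        else:
            cohort = "trained" if roster[user] else "untrained"
        groups[cohort].append(seen)
    metrics = {}
    for cohort, members in groups.items():
        n = len(members)
        metrics[cohort] = {
            "users": n,
            "click_rate": sum("clicked" in s for s in members) / n,
            "submit_rate": sum("submitted_credentials" in s for s in members) / n,
            "report_rate": sum("reported" in s for s in members) / n,
        }
    return metrics


def needs_followup(events, roster):
    """Trained users who still clicked or entered credentials: the training
    did not take for them, so they are candidates for targeted re-training."""
    return sorted(user for user, seen in events.items()
                  if "delivered" in seen and roster.get(user)
                  and seen & {"clicked", "submitted_credentials"})


if __name__ == "__main__":
    results = parse_log(SAMPLE_LOG)
    print(cohort_metrics(results, TRAINING_ROSTER))
    print("follow-up:", needs_followup(results, TRAINING_ROSTER))
```

Comparing the trained and untrained cohorts is what turns the exercise into an effectiveness measurement rather than a mere head count of clickers; the report rate matters as much as the click rate, since a user who clicks and then reports has still given the security team something to act on.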

Module 9: Business Continuity Requirements
Module Objectives
1. Describe the necessity of business continuity and disaster recovery (BCDR) functions,
and recognize basic foundational concepts.

Business Continuity Requirements
There is always a risk that the organization will experience a drastic and dramatic event
that threatens the existence of the organization itself; these events can take the form
of natural disaster, civil unrest, international war, and other major situations. The
security practitioner is often called on to address this type of risk and to plan
accordingly.
The actions, processes, and tools for ensuring an organization can continue critical
operations during a contingency are referred to as business continuity (BC). “Critical
operations” (sometimes referred to as the “critical path” or “mission critical
functions”) are those activities and functions that the organization needs to perform to
stay operational; they are a subset of the overall operation of the organization. For
instance, during contingency operations, an organization might suspend janitorial
functions or hiring procedures but might continue sales and financial activity (depending
on the essential needs of the organization).
Disaster recovery (DR) efforts are those tasks and activities required to bring an
organization back from contingency operations and reinstate regular operations.
Typically, these functions act in concert; the same personnel, assets, and (generally)
activities will be used to conduct business continuity and disaster recovery efforts, and
they are often referred to together by the term “business continuity and disaster
recovery” (BCDR).

Develop and Document Scope and Plan
To properly provide the correct assets for dealing with contingency situations, the
organization must determine several essential elements first:
• What is the critical path?
• How long can the organization survive an interruption of that critical path?
• How much data can the organization lose and still remain viable?
We will discuss the critical path determinations in the next section of this module.
Here, we’ll address the other two elements.
The maximum allowable downtime (MAD) (also referred to as the maximum tolerable downtime
(MTD)) is the measure of how long an organization can survive an interruption of critical
functions; if the MAD is exceeded, the organization will no longer be a viable unit.
The recovery time objective (RTO) is the target time set for recovering from any
interruption; the RTO must necessarily be less than the MAD. Senior management must set
the RTO, based on their expert knowledge of the needs of the organization, and all BCDR
strategy and plans must support achieving the RTO.
NOTE: The term “recovery” in the context of the RTO is not a return to normal operations;
it is instead a goal for recovering availability of the critical path. This is a
temporary state that the organization will endure until it is feasible to return to
regular status.
The recovery point objective (RPO) is a measure of how much data the organization can
lose before the organization is no longer viable. The RPO is usually measured not in
storage amounts (gigabytes/terabytes/petabytes) but in units of time (minutes, hours, or
days, depending on the nature of the organization): in effect, how old the most recent
usable copy of the data may be when operations resume. Senior management will also set
the RPO, which is used along with the RTO to inform BCDR plans.
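The relationships above (RTO strictly less than MAD, RPO expressed as time) lend themselves to a mechanical consistency check against what the backup and restore tooling can actually deliver. The following Python script is an added example and not material from the guide; the critical functions, their MAD/RTO/RPO targets, backup cadence, and tested restore times are constructed assumptions. It also applies a caveat the text does not spell out: with periodic backups, the worst-case data loss is not the backup interval alone but the interval plus the time a backup run takes to complete, since a failure can strike just before the next run finishes.

```python
"""Consistency check of BCDR targets for a set of critical functions.

Added example, not from the (ISC)2 guide.  The functions, their MAD/RTO/RPO
values, backup cadence and tested restore times below are constructed
assumptions chosen to exercise each failure mode once.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    mad: timedelta              # maximum allowable (tolerable) downtime, set by management
    rto: timedelta              # recovery time objective, set by management
    rpo: timedelta              # recovery point objective, expressed as time
    backup_interval: timedelta  # how often a restorable copy is taken
    backup_duration: timedelta  # how long a backup run takes to complete
    tested_restore: timedelta   # restore time measured in the last DR test


def worst_case_data_loss(fn):
    """Age of the newest restorable copy when failure hits at the worst moment:
    one full interval plus the time the previous run needed to complete, since
    data written while that run was in progress may not be in the copy."""
    return fn.backup_interval + fn.backup_duration


def check_function(fn):
    """Return a list of findings; an empty list means the targets are consistent."""
    findings = []
    if fn.rto >= fn.mad:
        findings.append(f"RTO {fn.rto} is not less than MAD {fn.mad}")
    loss = worst_case_data_loss(fn)
    if loss > fn.rpo:
        findings.append(f"worst-case data loss {loss} exceeds RPO {fn.rpo}")
    if fn.tested_restore > fn.rto:
        findings.append(f"tested restore time {fn.tested_restore} exceeds RTO {fn.rto}")
    return findings


def evaluate_plan(functions):
    """Map each function name to its findings so the plan is reviewed as a whole."""
    return {fn.name: check_function(fn) for fn in functions}


H, M = timedelta(hours=1), timedelta(minutes=1)

# Constructed sample plan: three functions each violate one rule, one is clean.
SAMPLE_PLAN = [
    CriticalFunction("order processing", mad=24 * H, rto=4 * H, rpo=15 * M,
                     backup_interval=1 * H, backup_duration=5 * M, tested_restore=2 * H),
    CriticalFunction("payroll", mad=72 * H, rto=8 * H, rpo=24 * H,
                     backup_interval=24 * H, backup_duration=30 * M, tested_restore=6 * H),
    CriticalFunction("public website", mad=8 * H, rto=12 * H, rpo=4 * H,
                     backup_interval=1 * H, backup_duration=5 * M, tested_restore=1 * H),
    CriticalFunction("email", mad=48 * H, rto=12 * H, rpo=6 * H,
                     backup_interval=4 * H, backup_duration=20 * M, tested_restore=3 * H),
]

if __name__ == "__main__":
    for name, findings in evaluate_plan(SAMPLE_PLAN).items():
        print(name + ":", "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

The payroll entry is the instructive one: a daily backup looks like it satisfies a 24-hour RPO until the half-hour the run takes is counted, at which point the target is missed. The tested restore time, rather than a vendor estimate, is what should be compared against the RTO.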

Business Impact Analysis (BIA)
The BIA is the effort to determine the value of each asset belonging to the organization,
as well as the potential risk of losing assets, the threats likely to affect the
organization, and the potential for common threats to be realized.
This is a management process that may or may not involve the security office. However,
the BIA will also be an instrumental tool for the security function, as it is usually the
security office that is required to craft and execute the BCDR plan and tasks. Along with
determining the value of other assets, the BIA will also reveal the critical path of the
organization; without knowing the critical path, it is impossible to properly plan BCDR
efforts.
There are many ways to conduct a BIA and make asset value determinations. The following
is a partial list of methods that might be used, their benefits, and potential
challenges:
• Survey: Interview asset owners/data controllers to determine their assessment of the
value of the organization’s property they oversee. This method allows the people closest
to the assets to offer input but is also subject to inherent bias. See the “Asset
Valuation” section of Module 3 of this domain.
• Financial audit: Review the acquisition/purchase documentation to aggregate value data
for all assets in the organization. This offers a thorough review of assets but is prone
to variance from actual value, because value changes over time (increasing or decreasing,
depending on the type of asset and its purpose/use).
• Customer response: Surveys of customers can aid the organization in determining which
aspects of the operation are most valuable to creating goodwill and long-term revenue.
However, customers only see a limited portion of the overall operations and can’t know
the source of the value chain.
There are accounting and auditing firms that perform holistic organizational valuation as
their business, often as preparation for the sale/acquisition of the organization by
another entity. These consultants have expertise and knowledge of this process that may
offer an advantage over performing the tasks internally.
The BIA should also consider externalities, such as likely threats and the potential for
those threats to manifest. Depending on the nature of the organization’s work, senior
management may want to consider investing in threat intelligence services; these are
external providers that constantly glean information from threat sources (hacktivist and
terror organizations, open source news reporting, government and industry information
feeds, malware management firms, and so on) and customize reports for their clients. The
organization may also want to consider creating its own threat intelligence unit,
depending on the size and scope of both the organization and its potential attackers.

Module 10: Professional Ethics
Module Objectives
1. Explain the ethical standards that a professional security practitioner will be
expected to uphold, as well as the standards of behavior and performance expected of
(ISC)2 members.

The (ISC)2 Code of Ethics
After you pass the exam and are certified, you will be expected to behave professionally
and personally in accordance with the high standards set by (ISC)2. These are set in the
Code of Ethics, which can be found on the (ISC)2 Ethics website:
https://www.isc2.org/ethics. They are included here because the material they contain is
testable and may be included in exam questions.
First, the Preamble:
• The safety and welfare of society and the common good, duty to our principals, and to
each other, requires that we adhere, and be seen to adhere, to the highest ethical
standards of behavior.
• Therefore, strict adherence to this Code is a condition of certification.
For our clientele, and the public at large, to see the value in (ISC)2 certifications,
they must be able to trust our members; this trust must come from a belief that (ISC)2
members act in a manner that is correct and professional and offer benefit.
Then, the Code:
The (ISC)2 member is expected to do the following:
• Protect society, the common good, necessary public trust and confidence, and the
infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
The canons are customarily applied in that order of priority: when they conflict, duty to
society and the public comes before duty to principals, which in turn comes before duty
to the profession.
We provide security; to offer security services, we need to be perceived as worthy of
trust. A person tending to unethical behavior denotes the possibility that this person
will not secure the client and the client’s assets but will instead act out of short-term
self-interest and add risk instead of benefit to the client.
There is a formal process (ISC)2 uses to determine whether a member is failing to act in
accordance with the Code. This process can begin with a complaint made to (ISC)2 (the
complaint process and form are included on the same web page as the Code) and includes a
finding of facts, the opportunity for the accused member to offer rebuttal, and a review
by the (ISC)2 Ethics Committee. The Ethics Committee will also allow the accused member to
review any findings and recommendations before the Ethics Committee presents them to the
(ISC)2 board for final disposition; the accused member can also make comments and
responses on the findings and recommendations for the board to consider. The board will
then make a ruling as to whether the member acted in a manner consistent with the Code
and whether the accused should have membership revoked.

Organizational Code of Ethics
In addition to industry codes for guilds of professionals (such as (ISC)2), individual
organizations can create their own codes of ethics and require their personnel to comply.
This is done at the policy level, with senior management dictating modes of acceptable
behavior, and is often combined with the overall organizational personnel policies.
For instance, the organization may require that personnel not engage in discriminatory
and unproductive behavior, such as racial, religious, or sexual harassment. The
organization may also disallow activity that constitutes unfair trade practices, such as
nepotism, bribery, and awarding contracts based on favors (cash or otherwise).
These practices, which distort the market and create hostility in the workplace, are
often proscribed by law as well, and the organization is best served by enacting and
enforcing codes and policies that ensure compliance.
Consider a situation where questionable behavior has ethical implications:
You are the organization’s security manager. A network administrator comes to you with a
report about an employee; the administrator has noticed the employee using the
organization’s resources, during work hours, to browse the internet. The employee’s
activity is not illegal, but it is against the organization’s policy.
When you ask the administrator how the administrator came to learn this information about
the employee’s behavior, the administrator will not reply. Your office conducts an initial
investigation about the situation, and you determine that the administrator and the
employee in question have had a personal conflict that was recognized by other personnel
in the organization.
You are also able to determine that the administrator did have sufficient permissions
within the IT environment to monitor the employee’s behavior but was not given explicit
authorization or tasking to do so.
Your conclusions:
• Is the administrator’s report acceptable and valid?
• What should you recommend be done to the employee?
• Would you recommend the administrator be rewarded or punished?
Conclusions
Is the report acceptable and valid? This largely depends on the jurisdiction of the
organization and where the activity took place. In the United States, for example,
organizations are legally allowed to surveil any and all activity that takes place on
their property or with their assets (including IT); in Europe, workplace surveillance is
severely limited, and the administrator’s report itself could result in legal action on
the part of the employee (or could result in prosecution). Even in the United States,
where monitoring is allowed, that monitoring must be shown to be either random,
pervasive, or (if targeting a specific individual) the result of a management request
after the employee has given cause for management to expect wrongdoing. Otherwise, any
labor action taken against the employee (firing, demotion, etc.) could result in a
lawsuit by the employee, accusing the organization of creating a hostile work
environment. Short answer: even if the employee is doing something wrong, the response
the organization can take based on the administrator’s report is now quite limited.
What should be done to the employee? Because of the way the employee’s actions were
reported, there is not much that can be done to the employee. You may recommend that the
employee’s manager counsel the employee on appropriate workplace behavior, perhaps
re-emphasize the terms of the AUP or employment contract, and maybe warn the employee
about the organization’s ability and right to monitor the workplace.
Should the administrator be rewarded or punished? Punished, for sure. The administrator
has acted in an unethical manner (or, at least, has no support for an argument that they
were not acting unethically) by refusing to specify the source of the information about
the employee’s activity. Furthermore, the findings support allegations that the
administrator is acting out of emotional motivation, not professionally. This, in turn,
may have created a hostile work environment that puts the organization at risk (mainly,
in the form of employee lawsuits); whatever risk the employee posed because of the
unauthorized online activity is probably far less than the new risk the administrator has
created. Moreover, the administrator has a trusted position of privilege within the
organization and a significant level of access to the IT environment. Unprofessional
behavior on the part of the administrator is cause for great concern to management. In
all likelihood, this abuse of the position should result in termination of employment for
the administrator.

Case: The End of Enron and the Development of SOX
In the late 1990s and early 2000s, a series of accounting scandals involving large,
publicly traded corporations including WorldCom, Adelphia, and Enron led to their
bankruptcies and to investigations into business practices in use throughout the audit
and consulting industries.
The Enron debacle, in particular, garnered a lot of attention from regulators and the
public due to its scope and scale and the egregious nature of some of the activities that
transpired. Enron’s external auditor at the time was a firm called Arthur Andersen, one
of the largest auditing companies then in existence. In the investigation that followed
Enron’s demise, several practices were uncovered that were cause for questioning Arthur
Andersen’s commitment to ethical behavior and industry standards in general:
• Arthur Andersen was providing Enron with both business consulting and audit services.
This is usually perceived as an inherent conflict of interest because the roles are
adversarial (business consulting looks to maximize profit for the customer, while
auditors ensure compliance and proper reporting). Arthur Andersen avowed that the two
lines of operation (consulting and audit) were compartmentalized by policy and
management, so the two services could not share information or influence each other.
• When Enron officially ended its contract with Arthur Andersen, in the midst of an
investigation by regulators, Arthur Andersen executives ordered Arthur Andersen employees
to shred thousands of pages of documents and delete volumes of electronic data detailing
its audit services to Enron. When questioned by regulators, Arthur Andersen executives
explained that Arthur Andersen internal policy was to destroy all customer data at the
end of an engagement to protect the customer’s privacy.
• The hubris of Enron’s executives in their financial conspiracies was rampant and
readily apparent: they named subsidiary companies such things as “JEDI” and “CHEWCO,”
using those other companies to hide investment losses of the parent corporation; Arthur
Andersen dutifully performed audits on those entities as well.
Arthur Andersen, as a company, was prosecuted on federal charges of obstruction of
justice and convicted. This conviction was eventually overturned on appeal to the Supreme
Court on the grounds that the jury instructions in the initial trial were inappropriate.
However, negative public attention and the company’s surrender of its certified public
accounting (CPA) licenses ended Arthur Andersen’s viability as a business, and it ceased
auditing operations. (Its former consulting arm, Andersen Consulting, had already
separated from Arthur Andersen in 2000 and was renamed Accenture in 2001; it is still
functioning.)
Eventually, it was determined that what Arthur Andersen did in the wake of the Enron
scandal (namely, the destruction of information) was not illegal at the time; there was
no legal requirement for Arthur Andersen to retain the data in its care, and Arthur
Andersen’s data destruction policy did, in fact, require the firm to conduct sanitization
procedures.
In response to this and other similar activity, Congress passed the Sarbanes–Oxley Act
(SOX). SOX requires a greater level of transparency in financial reporting by publicly
traded corporations, and Section 802 of the act (18 U.S.C. § 1519) makes it a federal
crime to destroy, alter, or falsify records with the intent to obstruct a federal
investigation. The rules governing what evidence may be presented to a court, and how it
must be preserved, were amended as well, and the practical result is just as important
and influential: it is now settled in the United States that a data owner cannot delete
or destroy any information (physical or electronic) once the data owner receives notice
of a pending legal action or investigation (a “legal hold”). This obligation takes
precedence over internal policy and over the retention and destruction requirements found
in other laws (many privacy laws and policies involve retention durations and
requirements for destruction); a retention schedule that would otherwise require deletion
must be suspended for the affected records.
SOX requires a great deal of transparency in financial reporting and codifies accounting
practices for publicly traded corporations. In response to SOX, the AICPA replaced its
old audit standard, SAS 70, with SSAE 16 (itself superseded by SSAE 18 in 2017). While
the majority of SOX and the SSAE standards do not relate to security, SOX does include a
requirement for corporations to report on how they manage internal controls and control
structures that are usually under the purview of the security department/officer. The
SSAE standards also spawned the SOC (System and Organization Controls) reporting method
used ubiquitously throughout the United States audit industry.
Links:
SOX, the law:
https://www.gpo.gov/fdsys/pkg/PLAW-107publ204/html/PLAW-107publ204.htm
The Federal Rules of Evidence (U.S.):
https://www.law.cornell.edu/rules/fre
The AICPA’s description of SOC reports:
http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx
A summation of the Enron/Arthur Andersen scandal:
https://www.hg.org/article.asp?id=31277
A magazine article about the Enron/Arthur Andersen scandal that came out while it was
unfolding, prior to Congress enacting SOX:
https://www.forbes.com/2002/01/18/0118topnews.html
A journal article about the eventual outcome of the situation:
http://www.aabri.com/manuscripts/11899.pdf
Kurt Eichenwald’s comprehensive book on the Enron debacle:
https://www.amazon.com/Conspiracy-Fools-Story-Kurt-Eichenwald-ebook/dp/B000FCK1SO

Module 11: Domain Review
Domain Summary
Many of the concepts introduced in this domain will serve as the foundation for discussion
throughout the rest of this guide; be sure you have an understanding of the ideas so you
can grasp the rest of the material.

Domain Review Questions

[Instructor: PPT "Domain Review Questions". Participate in review of key elements from the domain on security and risk management.]

1. Alice has some data that is extremely valuable. She backs it up from her computer to a flash stick, and she puts the flash stick in a safe deposit box. Which two principles of the CIA triad does this address?
A. Confidentiality and integrity
B. Confidentiality and availability
C. Integrity and availability
D. Availability and nonrepudiation

2. An organization’s recovery time objective (RTO) must always be less than:
A. 12 hours
B. The time it takes to alert the public
C. The maximum allowable downtime (MAD)
D. The duration allowed by regulators

3. A security practitioner holding an (ISC)2 certification is expected to first serve:
A. The client
B. The industry
C. (ISC)2
D. Humanity

4. Bob is the security manager for an online retailer. To protect the customer data they are entrusted with, Bob requires all personnel to attend security training sessions regularly. Bob documents and tracks which personnel have attended training, and he suspends account access for those personnel who have missed training. Which of the following answers does this best typify?
A. Due care
B. Due diligence
C. Legal duty
D. Reasonable expectation

5. Whenever an organization chooses to perform risk mitigation to address a particular risk, what other form of risk management will also be included?
A. Risk transference
B. Risk avoidance
C. Risk capture
D. Risk acceptance

6. To comply with the Payment Card Industry Data Security Standard (PCI DSS), what data element must not be stored for any length of time beyond the transaction?
A. Cardholder’s name
B. Social Security number
C. IP address
D. Card verification value (CVV)

7. Which of the following security tools would probably best help an organization protect its proprietary software?
A. Intrusion prevention system (IPS)
B. Anti-malware suite
C. Digital rights management solution (DRM)
D. Web application firewall (WAF)

8. Which of the following is usually perceived as having the highest level of precedence for an organization?
A. Policy
B. Guidelines
C. Procedures
D. Standards

9. Which of the following describes a personnel security tool that should not require the employee’s signature?
A. Nondisclosure agreement (NDA)
B. Personnel security policy
C. Acceptable use policy (AUP)
D. Contract

10. Which of the following is not a recommended method for delivering security instruction?
A. Computer-based training
B. Rote memorization
C. Live training
D. Reward mechanisms

Domain Review Answers

1. Alice has some data that is extremely valuable. She backs it up from her computer to a flash stick, and she puts the flash stick in a safe deposit box. Which two principles of the CIA triad does this address?
A. Confidentiality and integrity
B. Confidentiality and availability
C. Integrity and availability
D. Availability and nonrepudiation
The correct answer is B. Alice is ensuring a form of availability by having a backup; if her laptop is lost, stolen, or malfunctions, she does not also lose the data—she can restore the saved data to another machine. She is also providing a form of confidentiality by locking up the flash stick; this practice deters the ability of others to access the flash stick. (Note: this ONLY provides confidentiality for the flash stick; we have no idea if she is also providing confidentiality to the data while it is live on her laptop.) The question does not describe any practice that could constitute integrity protection, and the CIA triad does not deal with nonrepudiation.

2. An organization’s recovery time objective (RTO) must always be less than:
A. 12 hours
B. The time it takes to alert the public
C. The maximum allowable downtime (MAD)
D. The duration allowed by regulators
The correct answer is C. The organization will cease to be viable once the MAD is reached (this is the definition of MAD); therefore, the critical path must be recovered in less time than that (which is the definition of the RTO). No arbitrary time duration (such as answer A) is suitable for all organizations; every organization will determine its own MAD and RTO. Likewise, regulators do not typically dictate RTO/MAD (exception: critical infrastructure industries, such as power generation, may be subject to downtime stipulations). Public notification has no bearing on RTO.

3. A security practitioner holding an (ISC)2 certification is expected to first serve:
A. The client
B. The industry
C. (ISC)2
D. Humanity
The correct answer is D. Human beings as individuals and, on a larger scale, as a species are the paramount concern of security practitioners. All the other answers should receive lesser importance.

4. Bob is the security manager for an online retailer. To protect the customer data they are entrusted with, Bob requires all personnel to attend security training sessions regularly. Bob documents and tracks which personnel have attended training, and he suspends account access for those personnel who have missed training. Which of the following answers does this best typify?
A. Due care
B. Due diligence
C. Legal duty
D. Reasonable expectation
The correct answer is B. The evidence of providing due care is due diligence; the documentation of who attends training is evidentiary support. Due care is the legal duty owed to the customers; in this scenario that would be “don’t allow unauthorized disclosures of customer privacy data.” Due diligence is any action that supports this duty, so answer B is preferable to answers A and C. Reasonable expectation is what the customer should have when they take part in the transaction; in this situation that would be, “my personal information will be protected,” so answer D is not optimum.

5. Whenever an organization chooses to perform risk mitigation to address a particular risk, what other form of risk management will also be included?
A. Risk transference
B. Risk avoidance
C. Risk capture
D. Risk acceptance
The correct answer is D. Risk mitigation always leaves some residual risk; the purpose of risk mitigation is to get risk down to an acceptable level.

6. To comply with the Payment Card Industry Data Security Standard (PCI DSS), what data element must not be stored for any length of time beyond the transaction?
A. Cardholder’s name
B. Social Security number
C. IP address
D. Card verification value (CVV)
The correct answer is D. PCI DSS prohibits storage of the CVV for any time beyond the transaction.

7. Which of the following security tools would probably best help an organization protect its proprietary software?
A. Intrusion prevention system (IPS)
B. Anti-malware suite
C. Digital rights management solution (DRM)
D. Web application firewall (WAF)
The correct answer is C. DRM solutions are designed to protect intellectual property.

8. Which of the following is usually perceived as having the highest level of precedence for an organization?
A. Policy
B. Guidelines
C. Procedures
D. Standards
The correct answer is A. Policy is the written form of governance and is promulgated by senior management of the organization as a way of describing the organization’s strategic vision and goals.

9. Which of the following describes a personnel security tool that should not require the employee’s signature?
A. Nondisclosure agreement (NDA)
B. Personnel security policy
C. Acceptable use policy (AUP)
D. Contract
The correct answer is B. The organization’s security policy is promulgated by senior management, and all personnel must comply with it; the employee does not need to sign it. All the other answers are tools that should include the employee’s signature.

10. Which of the following is not a recommended method for delivering security instruction?
A. Computer-based training
B. Rote memorization
C. Live training
D. Reward mechanisms
The correct answer is B. Rote memorization of security material is not a common method for delivering instruction. All the other answers are recommended methods for delivering security instruction.

Terms and Definitions

Acceptable risk: A suitable level of risk commensurate with the potential benefits of the organization’s operations as determined by senior management.

Audit/auditing: The tools, processes, and activities used to perform compliance reviews.

Availability: Ensuring timely and reliable access to and use of information by authorized users.

Business continuity (BC): Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.

Business continuity and disaster recovery (BCDR): A term used to jointly describe business continuity and disaster recovery efforts.

Business impact analysis (BIA): A list of the organization’s assets, annotated to reflect the criticality of each asset to the organization.

Compliance: Adherence to a mandate; both the actions demonstrating adherence and the tools, processes, and documentation that are used in adherence.

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Data custodian: The person/role within the organization who usually manages the data on a day-to-day basis on behalf of the data owner/controller.

Data owner/controller: An entity that collects or creates PII.

Data subject: The individual human related to a set of personal data.

Disaster recovery (DR): Those tasks and activities required to bring an organization back from contingency operations and reinstate regular operations.

Due care: A legal concept pertaining to the duty owed by a provider to a customer.

Due diligence: Actions taken by a vendor to demonstrate/provide due care.

Governance: The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.

Governance committee: A formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance.

Guidelines: Suggested practices and expectations of activity to best accomplish tasks and attain goals.

Integrity: Guarding against improper information modification or destruction; includes ensuring information nonrepudiation and authenticity.

Intellectual property: Intangible assets (notably includes software and data).

Maximum allowable downtime (MAD) [also known as maximum tolerable downtime (MTD)]: The measure of how long an organization can survive an interruption of critical functions.

Personally identifiable information (PII): Any data about a human being that could be used to identify that person.

Policy: Documents published and promulgated by senior management dictating and describing the organization’s strategic goals.

Privacy: The right of a human individual to control the distribution of information about him- or herself.

Procedures: Explicit, repeatable activities to accomplish a specific task. Procedures can address one-time or infrequent actions or common, regular occurrences.

Recovery point objective (RPO): A measure of how much data the organization can lose before the organization is no longer viable.

Recovery time objective (RTO): The target time set for recovering from any interruption.

Residual risk: The risk remaining after security controls have been put in place as a means of risk mitigation.

Risk: The possibility of damage or harm and the likelihood that damage or harm will be realized.

Risk acceptance: Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

Risk avoidance: Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

Risk mitigation: Putting security controls in place to attenuate the possible impact and/or likelihood of a specific risk.

Risk transference: Paying an external party to accept the financial impact of a given risk.

Security control framework: A notional construct outlining the organization’s approach to security, including a list of specific security processes, procedures, and solutions used by the organization.

Security governance: The entirety of the policies, roles, and processes the organization uses to make security decisions in an organization.

Standards: Specific mandates explicitly stating expectations of performance or conformance.

Course Agenda
Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security

[Instructor: PPT "Course Agenda" (2 slides). PPT "Asset Security". Introduce the participants to the “Asset Security” domain.]

Domain 2: Asset Security

Overview

Asset Security within the context of the second domain of the CISSP® examination deals with the protection of valuable assets to an organization as those assets go through their lifecycle. Therefore, it addresses the creation/collection, identification and classification, protection, storage, usage, maintenance, disposition, retention/archiving, and defensible destruction of assets.

To properly protect valuable assets, such as information, an organization requires the careful and proper implementation of ownership and classification processes, which can ensure that assets receive the level of protection based on their value to the organization.

The enormous increase in the collection of personal information by organizations has resulted in a corresponding increase in the importance of privacy considerations, and privacy protection constitutes an important part of the asset security domain. Individual privacy protection in the context of asset security includes the concepts of asset owners and custodians, processors, remanence, and limitations on collection and storage of valuable assets such as information. This also includes the important issue of retention as it relates to legal and regulatory requirements to the organization.

Appropriate security controls must be chosen to protect the asset as it goes through its lifecycle, keeping in mind the requirements of each of the lifecycle phases and the handling requirements throughout. Therefore, the security professional needs to understand and apply proper baselines, scoping and tailoring, standards selection, and proper controls.

The asset security domain also addresses asset handling requirements and includes asset storage, labeling, and defensible destruction.

[Instructor: PPT "Domain Objectives" (6 slides). Objectives for “Asset Security” domain.]

Domain Objectives
After completing this Domain, the participant will be able to:
1. Understand key asset terms such as assets, information, data,
resources, etc.
2. Explain how security controls are dictated by the value of assets,
including information.
3. Understand that information/data is only one example of valuable
assets that organizations need to protect based on the value of
those assets to the organization.
4. Explain how asset classification drives the protection of assets
based on value.
5. Describe the asset lifecycle.
6. Understand how data classification and categorization applies to
the asset lifecycle.
7. Understand the importance of establishing accountability
and responsibilities for asset and information ownership and
custodianship.
8. Explain accountabilities and responsibilities for protection
of assets by owners, custodians, stewards, controllers, and
processors.
9. Explain key terms associated with asset protection.
10. Understand how privacy of personal information is affected by
today’s technologies.
11. Explain the expectations of subjects according to privacy laws
and regulations.

12. Explain the importance of the Organization for Economic Cooperation and Development (OECD) Guidelines on Privacy Protection.
13. Express the eight principles for privacy protection, according to the OECD guidelines.
14. Understand the concept of collection limitation as it applies to privacy.
15. Understand asset retention and how retention policies are driven by organizational requirements.
16. Explain the reasons that drive data and records retention,
including compliance or organizational requirements.
17. Understand the issues associated with long-term storage of
assets.
18. Define baseline protection.
19. Explain how baselines can help an organization achieve
minimum levels of security associated with valuable assets.
20. Understand how baselines include security controls and how
to implement them.
21. Describe baseline protection and scoping and tailoring in
reference to asset protection.
22. Understand the different data states and explain how to
secure each.
23. Explain the difference between end-to-end and link
encryption as it relates to data in motion.
24. Understand how media requires controls to protect its
content.
25. Understand labeling and marking requirements of assets
that have been classified.
26. Understand how the handling of media and assets that have
been classified should be allowed only to those that are
authorized.
27. Understand how storing, retention, and destruction of
assets is dictated by classification.
28. Understand data remanence and its impact to the value of
assets.
29. Explain the various options in addressing data remanence,
including clearing, purging, and destruction.
30. Explain methods used to clear, purge, and destroy data.

Domain Agenda

Module  Name
1  Information and Assets
2  Asset Lifecycle
3  Information and Asset Ownership
4  Protect Privacy
5  Asset Retention
6  Data Security Controls
7  Information and Asset Handling Requirements
8  Data Remanence
9  Domain Review

[Instructor: PPT "Domain Agenda" (2 slides). Review the domain agenda.]

Module 1: Information and Assets

Module Objectives
1. Understand key asset terms such as assets, information, data, resources, etc.
2. Explain how security controls are dictated by the value of assets, including information.
3. Understand that information/data is only one example of valuable assets that organizations need to protect based on the value of those assets to the organization.
4. Explain how asset classification drives the protection of assets based on value.

[Instructor: PPT "Information and Assets". Introduce the participants to the “Information and Assets” module. PPT "Module Objectives". Introduce the module objectives.]

Assets, Information and Other Valuable Resources

Any item deemed by a company to be valuable can be referred to as an asset. In other words, an asset is anything that has value to an organization. In many cases, assets are also referred to as resources. Both words, assets and resources, imply value to an organization and, therefore, must be protected based on the value they represent to the organization.

Value can be expressed in terms of quantitative and qualitative methodologies, and both of these valuation methods are used to determine the level of protection that the assets require. Quantitative asset valuation implies that value is expressed in terms of numbers, usually monetary value. It is often understood that expressing the value of intangible assets, such as information, is very difficult and, in many cases, impossible to do in quantitative ways; therefore, the value of intangible assets is usually expressed in terms of qualitative methodologies, usually using grades such as “high,” “medium,” “low,” or other classifications that can express the value of assets without using numbers.

Understanding the actual value of assets becomes very important in understanding how to protect those assets because the value will always dictate the level of security required. It is important for us to understand that security is not always driven by risk but rather driven by value. In fact, if you think about it, what is risk anyway? Risk is something that can impact value, and therefore, to fully understand risk requires the full understanding of the value of the asset first.

[Instructor: PPT "Assets, Information and Other Valuable Resources". Explain how resources, information, and assets represent value to organizations.]

As we have just covered, an asset is an item of value to the organization. Value can be expressed in quantitative terms (numbers/monetary) or qualitative terms (grades such as high/medium/low, or top secret/secret/confidential, etc.). Examples of valuable assets include, but are not limited to, and in no particular order:
• People
• Information
• Data
• Hardware
• Software
• Systems
• Processes
• Devices
• Functions
• Ideas
• Intellectual property
• Corporate reputation
• Brand
• Identity
• Facilities

The list could include other assets, but the point has been made that any asset is really something that has value to an organization and requires careful protection based on that value. Therefore, protection will be dictated by the value. This domain, called Asset Security, deals with the methods to protect assets based on value.

[Instructor: PPT "Examples of Valuable Assets" (2 slides). Give some examples of assets (anything that has value to the organization).]

Identification/Discovery and Classification of Assets Based on Value

The value of assets will vary significantly, but to properly secure these assets, organizations need to identify and locate assets that may have value and then classify the assets based on value while defining how to properly protect each classification type. Assets, such as information, have become challenging to protect based on value. Organizations today are creating/collecting massive amounts of data, which makes discovery of this data for inventory purposes very difficult. To properly protect assets, including information, organizations need to implement a formal asset classification system supported by proper management support, commitment, and conviction to ensure accountability. Proper policies need to be created and communicated to the entire organization to create the culture and set the tone for the effectiveness of the classification initiative. Organizations then need to understand fully where assets are created/used to establish an effective inventory system that will drive the classification process. At this point, once assets have been located and identified, they can be classified by owners based on value and then protected based on classification. Classification of assets is essential so that proper controls can be implemented, allowing organizations to address compliance with relevant laws, regulations, standards, and policies.

The first step in asset protection is to know what assets the organization has. In other words, an asset inventory is required before the organization can actually understand what assets they have that may have value. Once we have an inventory of assets, understanding the value of those assets becomes the next step as it will drive asset classification, which, in turn, will drive the protection of those assets throughout their lifecycle. Having a complete inventory that is updated and reflective of creation/disposition/destruction of assets becomes very important. An updated and meaningful inventory of assets can then be used by the owners of those assets to determine value and classify assets based on that value. The classification system will then determine the protection requirements.

[Instructor: PPT "Identification/Discovery and Classification of Assets Based on Value" (continued on a second slide). Identification and an inventory of assets is the first step in protecting valuable assets.]

Classification Process

The asset classification process can be summarized as follows:

Figure 2.1: Classification Process (a repeating cycle of four stages)
  Determine Asset Inventory and Assign Ownership
  Classify Based on Value
  Protect and Handle Based on Classification
  Assess and Review

[Instructor: PPT "Classification Process". Explain the classification process. PPT "Process of Protection of Valuable Assets Based on Classification". Explain the classification process.]

Protection of the Value of Assets and Information

To better achieve goals and objectives, organizations today are generating massive amounts of information that obviously will represent organizational value. It is important for organizations to understand exactly the value that this information represents. Identifying and classifying assets and information will allow organizations to determine and achieve the protection requirements for the information.

These are the steps involved to do this properly:
1. Identify and locate assets, including information.
2. Classify based on value.
3. Protect based on classification.

Identify and Locate Assets, Including Information

The process of identifying assets that have value in the organization can be very challenging but nevertheless is a requirement to protect them accordingly. Assets can take many forms; here are a few examples:

• Information assets
  - Databases
  - Files
  - Spreadsheets
  - Business continuity plans (BCPs)
  - Procedures
• Software
  - Applications
  - Source code
  - Object code
  - Operating systems
• Physical assets
  - Hardware
  - Media
  - Network equipment
  - Servers
  - Buildings
• Processes and services
  - Communications
  - Data facilities
  - Voice systems
  - Computing

Classify Based on Value

The next step in this process is to determine ownership to establish accountability. This may be easier for physical and tangible assets, but the same needs to be done for intangible assets such as data. The owners are always in the best position to understand the value of what they own; therefore, it is up to the owners to classify assets. Determining value may not be easy. There are many factors and elements that need to be looked at to determine the true value of assets. For instance, we need to think about implications related to impact of disclosure, impact on corporate reputation, intellectual property, and trade secrets, etc. Regardless, the owner is always in the best position to truly understand the value of what they own to the organization. The process of understanding the value of an asset is very appropriately called asset valuation. The value of the asset will drive its classification level.

Protection Based on Classification

The next step in the classification process is to protect the assets based on their classification levels. A good way to achieve this would be to establish minimum security requirements for each of the classification levels that are being used. We refer to these as baselines. In other words, we can establish the minimum security baselines for each classification level that exists. Asset classification drives the security requirements that need to be implemented to protect the assets based on their value. Once the baselines have been determined, they can be applied to assets as they move through their lifecycle phases, including phases such as retention and destruction.
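As an added example (not code from the (ISC)2 guide), the following Python turns the sequence the classification process describes, inventory, then ownership, then owner-assigned classification, then a minimum security baseline per level, into a checkable gap review over an asset inventory. The three qualitative levels, the control names in each baseline, and the sample inventory are constructed for illustration; the guide says only that each classification level gets a baseline, not which controls belong in it.

```python
"""Inventory -> ownership -> classification -> baseline gap review.

Added example, not from the (ISC)2 guide. Levels, control names and the
sample inventory below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed minimum security baselines, one per classification level.
# Higher value => stricter baseline (more required controls).
BASELINES: Dict[str, Set[str]] = {
    "high":   {"encryption_at_rest", "mfa", "access_review", "backup", "dlp"},
    "medium": {"encryption_at_rest", "access_review", "backup"},
    "low":    {"backup"},
}


@dataclass
class Asset:
    name: str
    owner: Optional[str]             # accountable owner; None = not yet assigned
    classification: Optional[str]    # set by the owner from the asset's value
    controls: Set[str] = field(default_factory=set)  # controls actually applied
    phase: str = "use"               # lifecycle phase (create, store, use, archive, ...)


def find_gaps(asset: Asset) -> List[str]:
    """Return the protection gaps for one asset; [] means it meets its baseline.

    The order of checks follows the guide: without an owner nobody is
    accountable for classifying the asset; without a (known) classification
    no baseline can be selected; otherwise compare applied controls against
    the baseline for the assigned level.
    """
    if not asset.owner:
        return ["no owner assigned; asset cannot be classified"]
    if asset.classification not in BASELINES:
        return [f"unclassified or unknown level: {asset.classification!r}"]
    missing = BASELINES[asset.classification] - asset.controls
    return [f"missing baseline control: {c}" for c in sorted(missing)]


def review_inventory(assets: List[Asset]) -> Dict[str, List[str]]:
    """Map each asset name to its gap list. Baselines apply in every lifecycle
    phase, so an archived asset is held to the same baseline as one in use."""
    return {a.name: find_gaps(a) for a in assets}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY: List[Asset] = [
    Asset("customer-db", "dba-team", "high",
          {"encryption_at_rest", "mfa", "access_review", "backup", "dlp"}),
    Asset("hr-archive", "hr-director", "high",
          {"encryption_at_rest", "backup"}, phase="archive"),
    Asset("marketing-wiki", "marketing", "low", set()),
    Asset("legacy-share", None, None, {"backup"}),        # never assigned an owner
    Asset("build-server", "devops", "critical", {"mfa"}),  # level outside the scheme
]

if __name__ == "__main__":
    for name, gaps in review_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```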


Module 2: Asset Lifecycle

Module Objectives
1. Describe the asset lifecycle.
2. Understand how data classification and categorization applies to the asset lifecycle.

[Instructor: PPT "Asset Lifecycle". Introduce the participants to the “Asset Lifecycle” module. PPT "Module Objectives". Introduce the module objectives.]

The Asset Lifecycle

PPT
Asset Lifecycle (2 slides)
Describe the asset lifecycle.

To protect assets properly, one must understand the asset lifecycle and apply protection mechanisms throughout its phases. The protection will always be based on the value of those assets at particular points in the lifecycle. This implies that the parties accountable and responsible for the protection of assets must understand and monitor the value of assets as they go through their lifecycle. Those in the best position to do this are the owners of those assets, or designates of the owners.

Understanding the data security lifecycle enables the organization to map the different phases in the data lifecycle against the controls that are relevant for each phase. The data lifecycle guidance provides a framework to map relevant use cases for data access, while assisting in the development and application of appropriate security controls within each lifecycle stage.

Figure 2.2: Asset Lifecycle (data). The diagram shows the data lifecycle as a cycle of phases around “Use”: Identify & Classify, Secure, Monitor, Recover, Disposition, Archive, and Defensible Destruction.

Figure 2.2 illustrates one example of the lifecycle phases. There are many other methodologies with more or fewer phases, or with phases named differently. Regardless, the point is that protection is required throughout the phases, and it is always based on the value of the assets at those particular moments in the lifecycle.

For example, the Securosis Blog depicts the lifecycle of data as having six phases: create, store, use, share, archive, and destroy. The Securosis Blog describes these phases as follows:

Create: Creation is the generation or acquisition of new content, or the iteration or updating of existing content. The creation phase is the preferred time to classify content according to its sensitivity and value to the organization. Careful classification is important because the security controls will be based on that classification; content that is classified incorrectly will end up with the wrong controls. This is why the owners need to classify their assets: the owners are in the best position to understand the value of those assets to the organization, which is what the classification should be based on.

Store: Storing is the process of committing the data to some sort of storage media, and in most cases it happens at the same time as creation. When storing data, it should be protected in accordance with its classification level, and baseline controls, such as encryption, access controls, logging and monitoring, and redundancy, should be implemented to address the risks.

Use: Data is accessed, viewed, processed, or otherwise used. Data in use is usually the most vulnerable because it is probably in clear text at that point and may be moved into less secure locations such as servers and workstations. To be processed, data generally must be decrypted. Controls such as data loss prevention (DLP), digital rights management (DRM), and access controls should be in place to protect the data in use and prevent unauthorized access.
Share: Information is shared with others, such as between users, with customers, and with partners, vendors, and other third parties. Not all data should be shared, and not all sharing presents a threat, but since shared data is no longer under the organization’s control, maintaining its security can be the most difficult. Data should only be shared based on its classification and only with those who are authorized for that classification. Technologies such as DLP can be used to detect unauthorized sharing, and DRM technologies can be used to maintain control over the information.

Archive: Data leaving active use may need to be stored long-term. Archiving data for a long period of time can be challenging, especially from a security perspective. Security considerations through the archive period may affect data access procedures. The technology used may present challenges as well: imagine data stored on some media that needs to be retrieved a number of years later. Will the technology still exist to read the media? Data placed in archive must still be protected according to its classification level. Legal and regulatory requirements must also be addressed, and different tools and providers might be part of this phase and, therefore, may share responsibility for the protection of archived information.

Destroy: The destruction phase can have different technical meanings according to usage, data content, and applications used. Data destruction can take many forms, from a simple delete or erase to permanent data destruction using physical or digital means. As usual, the method should be chosen according to value, that is, the classification of the data.
Even though the phases described above are those depicted in the Securosis Blog, the phases depicted in our diagram focus on the security requirements as data moves through the different phases of its lifecycle. The phases depicted in our diagram are: identify and classify, secure, monitor, recover, disposition, archive, and defensible destruction. Each phase implies its own security requirements.

l Identify and classify: As information is created or collected, it needs to be classified based on its value. This is done by the owner, who is always in the best position to understand the value.

l Secure: Once information is discovered or created and classified based on its value, it needs to be secured based on that value. Each of the classification levels specified in the organization’s classification system dictates protection requirements expressed as baselines. Baselines are the minimum levels of security required for each of the classification levels used in the organization’s classification scheme.

l Monitor: Once information is secured based on its classification level, the security controls and the value of the asset need to be monitored on a regular basis. Any change in the value, or in the effectiveness of the security controls, will need attention to either increase or decrease the security controls. Security controls will always need to be cost-effective, based on the value being protected.

l Recover: Any impact to the value of the asset will require the ability to recover from that impact. An impact could be a failure in a security control or an event that affects the value of the asset; regardless, it will require the ability to recover from that negative eventuality. This could be as simple as having the ability to back up and restore, or to activate redundant controls. The value of the asset and the risks to that value will always dictate the recovery capability required.

l Disposition: Once the useful life of the asset has been reached, the asset will need to be disposed of. Disposition usually takes one of two forms, either archiving (retention) or destruction. The choice of disposition method can be dictated by several factors, such as laws, regulations, policy, and value.

l Archive: Archiving typically means long-term storage. Requirements may be dictated by several factors, all of which need to be carefully identified and understood to properly meet the retention requirements. Again, the owners are in the best position to understand these requirements and must be consulted to meet the requirements of retention and archiving. Technology must also be addressed, as there are requirements to have the information available far in the future, as well as possibly having to access the information at any time during its archiving period.

l Defensible destruction: Knowing when and how to destroy assets can be very problematic, and many companies avoid this problem by keeping everything for a very long time. This is not a good option; it is neither efficient nor wise, because protection of the information and the assets will still be required. Defensible destruction means eliminating and destroying assets, including information, in a quality-controlled, regulatory-compliant, and legally defensible way. Every organization should have policies that address not only records retention and archiving, but also verifiable ways of destroying assets at the end of their lifecycle.

Classification and Categorization

PPT
Differences between Classification and Categorization
Discuss the differences between classification and categorization.

PPT
Classification
Explain classification.

PPT
Categorization
Explain categorization.

Most dictionaries define the words classification and categorization as follows. Classification is the act of forming into a class or classes; this can be rephrased as a distribution into groups, as classes, according to common attributes. Categorization is the process of sorting or arranging things into classes. This can be simplified by saying that classification is the system, and categorization is the act of sorting into the classification system.

Classification

The purpose of a classification system is to ensure protection of the assets based on value in such a way that only those with an appropriate level of clearance can have access to the assets. Many organizations use terms such as “confidential,” “proprietary,” or “sensitive” to mark assets. These markings may limit access to specific individuals, such as board members, or to certain sections of an organization, such as the human resources (HR) area or other key areas.

Categorization

Categorization is the process of determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization. For example, public information on a web page may be low impact to an organization: it requires only minimal uptime, it does not matter greatly if the information is changed, and it is already viewable by the public. However, a startup company may have a design for a new clean power plant which, if it were lost or altered, could cause the company to go bankrupt, as a competitor might be able to manufacture and implement the design faster. This type of information would be categorized as “high” impact.

Classification and categorization are used to help standardize the protection baselines for information systems and the level of suitability and trust an employee needs in order to access information. By consolidating data of similar categorization and classification, organizations can realize economies of scale in implementing appropriate security controls. Security controls are then tailored for specific threats and vulnerabilities.

Data Classification and Policy

Data classification is all about analyzing the data that the organization has, in whatever form, determining its importance and value, and then assigning it to a category or classification level. That category, or classification level, will determine the security requirements for protection of that valuable asset. For example, any data that is classified at the highest level, whether contained in a printed report or stored electronically, needs to be marked as such so that it can be handled and secured properly based on its classification. The requirements for classification should be outlined in a classification policy.

Data Classification Policy

PPT
Data Classification Policy
State that classification should be driven by well-written and communicated policy.

When classifying data, determine the following aspects of the policy:

l Who will have access to the data: Define the roles of people who can access the data. Examples include accounting clerks who are allowed to see all accounts payable and receivable but cannot add new accounts, and all employees who are allowed to see the names of other employees (along with managers’ names and departments, and the names of vendors and contractors working for the company). However, only HR employees and managers can see the related pay grades, home addresses, and phone numbers of the entire staff. And only HR managers can see and update employee information classified as private, including Social Security numbers (SSNs) and insurance information.

l How the data is secured: Determine whether the data is generally available or, by default, off limits. In other words, when defining the roles that are allowed to have access, you also need to define the type of access, view only or update capabilities, along with the general access policy for the data. As an example, many companies set access controls to deny database access to everyone except those who are specifically granted permission to view or update the data.

l How long the data is to be retained: Many industries require that data be retained for a certain length of time. For example, financial regulators in many countries mandate specific retention periods. Data owners need to know the regulatory requirements for their data, and if requirements do not exist, they should base the retention period on the needs of the business.

l What method(s) should be used to dispose of the data: For some data classifications, the method of disposal will not matter. But some data is so sensitive that data owners will want to dispose of printed reports through cross-cut shredding or another secure method. In addition, they may require employees to use a utility to verify that data has been fully removed from their PCs after they erase files containing sensitive data, to address any possible data remanence concerns.

l Whether the data needs to be encrypted: Data owners will have to decide whether their data needs to be encrypted. They typically set this requirement when they must comply with a law or regulation such as the Payment Card Industry Data Security Standard (PCI DSS).

l The appropriate use of the data: This aspect of the policy defines whether data is for use within the company, is restricted for use by only selected roles, or can be made public to anyone outside the organization. In addition, some data have associated legal usage definitions. The organization’s policy should spell out any such restrictions or refer to the legal definitions as required.
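The policy aspects listed above, together with the earlier categorization discussion, can be expressed as a small policy-as-code module. The following is an added example written for this edition, not code from the guide or from (ISC)²: it uses the guide’s example roles (accounting clerk, HR employee, HR manager) and its example level names (Public, Company Confidential, Company Restricted, Top Secret). The assignment of record fields to levels, the “HR” need-to-know compartments, the retention periods and disposal methods, and the low/moderate/high impact scale used by the categorization function are assumptions chosen for illustration.

```python
"""Classification policy as data, with a default-deny access decision.

Added example (not from the (ISC)2 guide). Level names and roles follow the
guide's examples; field-to-level assignments, compartments, retention periods,
disposal methods and the low/moderate/high impact scale are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Confidentiality levels, lowest to highest. A clearance "dominates" a label
# when its rank is at least the label's rank.
LEVELS = ["Public", "Company Confidential", "Company Restricted", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Handling baseline per level (assumed values): encryption at rest, retention
# period, and the disposal method the owners have chosen for that level.
HANDLING = {
    "Public":               {"encrypt": False, "retain_days": 365,     "disposal": "delete"},
    "Company Confidential": {"encrypt": False, "retain_days": 3 * 365, "disposal": "delete"},
    "Company Restricted":   {"encrypt": True,  "retain_days": 7 * 365, "disposal": "overwrite / cross-cut shred"},
    "Top Secret":           {"encrypt": True,  "retain_days": 7 * 365, "disposal": "destroy media"},
}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know groups, e.g. {"HR"}

@dataclass(frozen=True)
class Clearance:
    level: str
    compartments: frozenset = frozenset()   # groups this role belongs to
    may_update: frozenset = frozenset()     # fields this role may change

# Employee-record fields and their labels (assumed mapping, following the
# "who will have access" example above).
FIELD_LABELS = {
    "name":         Label("Company Confidential"),
    "department":   Label("Company Confidential"),
    "pay_grade":    Label("Company Restricted", frozenset({"HR"})),
    "home_address": Label("Company Restricted", frozenset({"HR"})),
    "ssn":          Label("Top Secret", frozenset({"HR", "HR-private"})),
    "insurance":    Label("Top Secret", frozenset({"HR", "HR-private"})),
}

ROLES = {
    "accounting_clerk": Clearance("Company Confidential"),
    "employee":         Clearance("Company Confidential"),
    "hr_employee":      Clearance("Company Restricted", frozenset({"HR"})),
    "hr_manager":       Clearance("Top Secret", frozenset({"HR", "HR-private"}),
                                  may_update=frozenset({"ssn", "insurance", "home_address"})),
}

def decide(role: str, field_name: str, action: str) -> bool:
    """Default deny. Grant only when the role is known, the field is labelled,
    the clearance dominates the label, the role holds every compartment on the
    label, and (for updates) the field is in the role's explicit update list."""
    clearance, label = ROLES.get(role), FIELD_LABELS.get(field_name)
    if clearance is None or label is None or action not in ("view", "update"):
        return False
    if RANK[clearance.level] < RANK[label.level]:
        return False
    if not label.compartments <= clearance.compartments:
        return False
    if action == "update" and field_name not in clearance.may_update:
        return False
    return True

def record_level(field_names) -> str:
    """A record containing several fields takes the highest label among them
    (high-water mark): one sensitive column makes the whole export sensitive."""
    return max((FIELD_LABELS[f].level for f in field_names),
               key=RANK.__getitem__, default="Public")

IMPACT = {"low": 0, "moderate": 1, "high": 2}

def categorize(confidentiality: str, integrity: str, availability: str) -> str:
    """Categorization: the impact of losing C, I or A, combined as the highest of
    the three (the guide's public web page is low/low/low; the power-plant
    design is high for confidentiality and integrity)."""
    return max((confidentiality, integrity, availability), key=IMPACT.__getitem__)

def disposition(level: str, created: date, today: date) -> str:
    """Retention rule for the level: keep the data, or dispose of it using the
    method the owner set for that level."""
    rule = HANDLING[level]
    if today - created < timedelta(days=rule["retain_days"]):
        return "retain"
    return "dispose: " + rule["disposal"]
```

Because `decide` refuses anything it cannot positively match, a misspelled role or an unlabelled field fails closed rather than open, which is the “off limits by default” posture the second policy aspect describes. `record_level` shows why labels must be checked per field before an export is approved: a report that joins names with SSNs inherits the Top Secret handling baseline, including the encryption requirement.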
Proper data classification also helps the organization comply with pertinent laws and regulations. For example, classifying credit card data as private can help ensure compliance with PCI DSS. One of the requirements of this standard is to protect stored cardholder data, for example by encrypting it. Data owners who correctly defined the encryption aspect of their organization’s data classification policy will require that the data be encrypted according to the specifications defined in this standard.

PPT
Activity: Applying Policy Considerations in Your Organization
Introduce the activity related to policy considerations. Give students time to prepare with a partner and discuss once completed.

Activity: Applying Policy Considerations in Your Organization

INSTRUCTIONS

Working with a partner, discuss how you would apply each of the policy considerations in your organization.

1. Who has access to the data.
2. How the data is secured.
3. How long the data is to be retained.
4. What methods should be used to dispose of the data.
5. Whether the data needs to be encrypted.
6. The appropriate use of the data.

PPT
Examples of Classification Levels
Give examples of classifications used; stress that these are only examples related to “confidentiality”.

Examples of Classification Levels

The definition of the classification levels should be clear enough that owners can easily determine how to classify their data, and anyone else can easily understand how to protect the assets based on their classification levels. It also makes sense to use classification levels that truly reflect the value of the particular category.

Here are some examples of classification:

l Top Secret: Data that is defined as being very sensitive, possibly related to privacy, bank accounts, or credit card information.

l Company Restricted: Data that is restricted to properly authorized employees.

l Company Confidential: Data that can be viewed by many employees but is not for general use.

l Public: Data that can be viewed or used by employees or the general public.

What is important, however, is that whatever classifications are used, everyone in the organization must understand the value that each classification represents, especially the owners, who start the classification process and pass on the requirements to custodians and others.

PPT
Classification – Done by Owners
Stress that classification should always be done by owners, as they are in the best position to understand value.

Classification – Done by Owners


The individual who owns the data should decide the classification
under which the data falls. We call that person the “owner.” The
data owner is best qualified to make this decision because he or
she has the most knowledge about the use of the data and its
value to the organization.
Data owners should review their data’s classification on a regular basis
to ensure that the data remains correctly classified and protected based
on that classification. As data moves through the data lifecycle, the
owner is still in the best position to monitor value and ensure that the
classification level reflects the data’s true value. If any discrepancies are
uncovered during the review, they need to be documented by the data
owner and then reviewed with the proper individuals responsible for the
data in question to establish the following:
l What caused the change in value, was it warranted and
under what circumstances, and for what reason?
l Under whose authority was the change in classification
carried out?
l What documentation, if any, exists to substantiate the
change in value and, therefore, classification?

Purpose of Asset Classification

PPT
Purpose of Asset Classification (2 slides)
Discuss the purposes of asset classification.

PPT
Classification Benefits
Discuss the benefits of asset classification.

To summarize, the reason we classify assets, for example through a data classification system, is to afford the assets the level of protection they require based on their value. The purpose of data classification is not only to express value but to protect based on the classification level. So the value of data classification lies not only in the classification levels that are used but in the underlying mechanisms and architectures that provide the levels of protection required by each classification level. Careful implementation of technologies and support elements for data classification becomes very important. Support elements, such as education and training, are critical in allowing classification systems to work properly. In other words, classification is not just having three or four classification categories, but the careful implementation of effective supporting elements and security controls for each of the classification levels used.
As we have seen, data classification provides a way to protect assets
based on value. This allows the organization to take care of some
important and critical needs that can only be addressed through
classification systems. Some of these may include the following:
l Ensure that assets receive the appropriate level of protection
based on the value of the asset.
l Provide security classifications that will indicate the need and
priorities for security protection.
l Minimize risks of unauthorized information alteration.
l Avoid unauthorized disclosure.
l Maintain competitive edge.
l Protect legal tactics.
l Comply with privacy laws, regulations, and industry standards.

Classification Benefits
Other than the obvious benefit of protecting assets based on value,
there are other potential benefits that can be realized by an
organization in using asset classification systems. Here are some
examples of these benefits:
l Awareness among employees and customers of the organization’s
commitment to protect information.
l Identification of critical information.
l Identification of vulnerability to modification.

l Enable focus on integrity controls.
l Sensitivity to the need to protect valuable information.
l Understanding the value of information.
l Meeting legal requirements.

Issues Related to Classification

PPT
Issues Related to Classification
Describe some issues related to classification.

As we have seen, classification needs to be driven by the owners of the assets because they are in the best position to understand the value of the asset. For this to work properly, and for the classification system to truly address the protection of the asset, there are numerous issues that may impede the goal of asset classification and must be dealt with. In some instances, the owner may delegate the responsibility for classification of the asset to someone else. However, even though the owner has “delegated” the responsibility, the owner always remains accountable for protecting the value of what they own. In security, it is always important to distinguish between “accountability” and “responsibility.” Accountability cannot be delegated to someone else; the owner is always accountable for protecting what they own. They may delegate the responsibility for protecting an asset, but they remain accountable.

Asset classification may have other issues that the organization needs to address. These may include, but are not limited to:
l Human error.
l Proper classification is dependent on ability and knowledge
of the classifier.
l Requires awareness of regulations and customer and
business expectations.
l Requires consistent classification method—often the
decisions can be somewhat arbitrary.
l Needs clear labeling of all classified items.
l Must include manner for declassifying and destroying
material in classification process.

Human Error

In security, the human element is often viewed as the weakest link. This can be true of asset classification as well. Ultimately, security controls may rely on the human element for effectiveness and, therefore, any failure related to the human element may impact the effectiveness of the security control, including asset classification. Problems may arise because all assets need to be classified and all staff who handle those assets need to understand and apply the same classification schemes. Another problem may be the subjective judgment of the value of assets and the consistency of the classifications. This might be due to overly complex policies, procedures, and supporting elements that are not fully understood by the people applying them, or to a general lack of skills.

Proper Classification Is Dependent on Ability and Knowledge of the Classifier
The owner needs to have the proper knowledge and ability to classify
properly. This may require the security function to be able to provide the
capability and the education that the owners require. One example may
be that owners typically may have a tendency to over classify as they may
have a selfish view that the assets that they own are the most valuable
and critical in the entire organization. That may or may not be true, but
it needs to be addressed in all cases. The establishment of an asset
classification board, or committee, with proper membership from key
areas of the organization that will have the overall corporate perspective
of the value of assets can alleviate and address this problem. Regardless,
proper education, awareness, and training in relation to the asset
classification system and proper understanding of the classification levels
used is necessary.

Requires Awareness of Regulations and Customer and Business Expectations
Classification should always be done based on the value of the asset,
but there are elements that owners need to take into consideration
to determine the true, correct value of the asset. Awareness and
understanding of the laws and regulations that the assets are subjected
to, and may have an impact on, would contribute to the value of the
asset. This is highlighting the concept that the owner is always in the
best position to understand the value of the asset as they should be
very aware of regulations and other customer and business expectations
that would obviously add and contribute to the value of the asset.

Requires Consistent Classification Method

The value of asset classification is dictated by its ability to protect assets based on classification levels that reflect value. Making sure that classification begins with the actual classification of the asset, done correctly, is of paramount importance. This requires everyone involved, especially the owners, to fully understand the value that each of the classifications actually represents. This may require the security function to educate the owners as a collective, to ensure consistent classification processes that are uniform in their understanding of value. It may also require the organization to establish a “value” system that can be used consistently throughout the organization and that is understood consistently by all owners and others involved in supporting the classification system. Unless this is done properly, the decisions related to classification, especially in classifying in the first place, may become arbitrary, with owners choosing classification levels that do not truly represent the real value of the assets.

Needs Clear Labeling of All Classified Items

One of the issues related to classification is the actual act of showing the classification level of the asset. It is very easy to address this for a physical asset, such as a document: we can simply “stamp” the classification level on the document itself so it is visible. Another example is classifying emails by adding a classification level to the subject line to identify the importance of the content. However, other forms of assets may be very challenging to label. For example, how would you label a file that was just created on a laptop, or the output of an application being stored on a server? These are just examples, but they highlight the problem of labeling the classification level of assets that are not in a physical form. Regardless, the asset classification system needs to be able to support labeling of assets in whatever form they may be in.
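One way to label a file that cannot be stamped, written as an added example for this edition (not code from the guide or from (ISC)²): the label is stored as a sidecar JSON record next to the asset and bound to the file’s contents with an HMAC, so an edited label or a changed file is detected when the label is read. The signing key, the file name, the label fields and the file contents are all assumptions; in practice the key would come from a key management service rather than the source file.

```python
"""Tamper-evident classification label for a file that cannot be "stamped".

Added example, not from the (ISC)2 guide. The label is a sidecar JSON record
bound to the file's content hash and keyed with an HMAC, so editing the label
or replacing the file invalidates it. Key, names and contents are assumptions.
"""
import hashlib
import hmac
import json
import os
import tempfile

LABEL_KEY = b"assumed-label-signing-key"   # assumption: fetched from a KMS/HSM in practice

def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _mac(fields: dict) -> str:
    # Canonical JSON so the same fields always produce the same MAC input.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LABEL_KEY, canonical, hashlib.sha256).hexdigest()

def apply_label(path: str, level: str, owner: str) -> dict:
    """Write <path>.label.json carrying the level, the owner who classified the
    asset, and the content hash, all covered by the MAC."""
    fields = {"asset": os.path.basename(path), "sha256": _sha256_file(path),
              "level": level, "owner": owner}
    record = dict(fields, mac=_mac(fields))
    with open(path + ".label.json", "w") as f:
        json.dump(record, f, indent=2)
    return record

def read_label(path: str):
    """Return the verified level, or None when the label is missing, has been
    altered, or no longer matches the content it was assigned to."""
    try:
        with open(path + ".label.json") as f:
            record = json.load(f)
    except (OSError, ValueError):
        return None
    if not isinstance(record, dict):
        return None
    mac = record.pop("mac", None)
    if not isinstance(mac, str) or not hmac.compare_digest(mac, _mac(record)):
        return None
    if record.get("sha256") != _sha256_file(path):
        return None
    return record["level"]

def demo() -> tuple:
    """Constructed scenario: label a file, then (1) downgrade the label by editing
    the sidecar and (2) change the file after labelling. Returns the three reads."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "q3-forecast.xlsx")          # constructed asset
    with open(path, "wb") as f:
        f.write(b"constructed spreadsheet bytes")
    apply_label(path, "Company Restricted", "finance-owner")
    intact = read_label(path)

    with open(path + ".label.json") as f:                      # (1) unsigned edit
        record = json.load(f)
    record["level"] = "Public"
    with open(path + ".label.json", "w") as f:
        json.dump(record, f)
    downgraded = read_label(path)

    apply_label(path, "Company Restricted", "finance-owner")   # re-label, then (2)
    with open(path, "ab") as f:
        f.write(b" plus rows added after classification")
    changed = read_label(path)
    return intact, downgraded, changed
```

A sidecar can still be separated from its file, so a production system would carry the label in the file’s own metadata (document properties, extended attributes) or in an inventory keyed by the content hash. The point the check makes is that an unsigned label is just a string anyone can edit, whereas this one fails closed: a downgraded label or content that changed after classification both come back as “no valid label”, which sends the asset back to its owner for re-classification.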

Support for Declassification and Destruction of Assets

Organizations need to remember that assets go through a lifecycle. As the asset moves through the asset lifecycle, it may need to be moved to a higher level of classification or, in some cases, declassified to a lower level. This will always be driven by the value of the asset, and the classification system should be able to handle an increase or decrease in classification easily. Monitoring the value of the asset as it moves through its lifecycle is a necessity for this to work properly. As the value changes, the asset may need to be re-classified and, therefore, protected according to the new value. Once the asset has completed its lifecycle, the asset should be destroyed. The destruction procedure, the methods used, and how effective those methods are need to reflect the classification levels. For example, anything that was classified at the highest levels of classification may need to be securely destroyed, without presenting the opportunity for any of the data to be recovered. Examples are the shredding of hard drives, degaussing, purging, overwriting, and other sanitization methods. The method must suit the medium: degaussing, for instance, removes data from magnetic media but has no effect on solid-state (flash) storage, which needs the device’s own sanitize command, cryptographic erase, or physical destruction.
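The overwrite method named above, and the utility for verifying that erased files are really gone that the data classification policy section mentioned, as an added example written for this edition (not code from the guide or from (ISC)²): a single file is overwritten, each pass is flushed and read back to confirm it landed, and the file is then unlinked. The file name and contents are constructed. It works at the filesystem layer only, and the code and the note after it state what that does not cover.

```python
"""Overwrite a file and verify the overwrite, then delete it.

Added example, not from the (ISC)2 guide. This is the "overwriting" method applied
at the file level. It clears the logical file but cannot guarantee that old blocks
on flash media, journaling or copy-on-write filesystems, snapshots or cloud storage
are gone; those need device sanitize, cryptographic erase or physical destruction.
"""
import os
import secrets
import tempfile

def overwrite_and_verify(path: str, passes: int = 2, remove: bool = True) -> dict:
    """Overwrite the file in place: random bytes on every pass but the last, zeros
    on the last. Each pass is flushed to the device and read back; the file is
    removed only if every pass verified (and remove=True)."""
    size = os.path.getsize(path)
    result = {"size": size, "passes_verified": 0, "verified": True, "removed": False}
    for i in range(passes):
        pattern = secrets.token_bytes(size) if i < passes - 1 else b"\x00" * size
        with open(path, "r+b") as f:
            f.seek(0)
            f.write(pattern)
            f.flush()
            os.fsync(f.fileno())      # push the write through the OS cache
        with open(path, "rb") as f:
            if f.read() != pattern:
                result["verified"] = False
                return result        # stop: do not delete a file we failed to clear
        result["passes_verified"] += 1
    if remove:
        os.remove(path)
        result["removed"] = not os.path.exists(path)
    return result

def marker_present(path: str, marker: bytes) -> bool:
    """Remanence check at the logical layer: is the sensitive marker still readable
    through the filesystem? (False says nothing about the physical medium.)"""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as f:
        return marker in f.read()

def demo() -> dict:
    """Constructed run: a file holding a fake SSN is written, checked, overwritten
    (kept on disk for inspection), checked again, then removed."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "payroll-export.csv")
    marker = b"SSN,123-45-6789"                      # constructed sensitive content
    with open(path, "wb") as f:
        f.write(b"name,field\nJ. Doe," + marker + b"\n")
    before = marker_present(path, marker)
    result = overwrite_and_verify(path, remove=False)
    after = marker_present(path, marker)              # file still exists, now zeros
    os.remove(path)
    result["removed"] = not os.path.exists(path)
    return {"before": before, "after": after, **result}
```

Two passes are used only so that the verification step has a distinct pattern to compare on each pass; NIST SP 800-88 treats a single verified overwrite as sufficient for clearing magnetic disks. On an SSD the overwrite may never reach the physical cells that held the data, because the controller remaps blocks, so for media holding data at the highest classification levels the defensible choice is the drive’s sanitize or secure-erase command, cryptographic erase, or destruction of the device, with a record kept of what was done and when.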

Module 3: Information and Asset Ownership

Module Objectives
1. Understand the importance of establishing accountability and responsibilities for asset and information ownership and custodianship.
2. Explain accountabilities and responsibilities for protection of assets by owners, custodians, stewards, controllers, and processors.
3. Explain key terms associated with asset protection.

PPT
Information and Asset Ownership
Introduce the participants to the “Information and Asset Ownership” module.

PPT
Module Objectives
Introduce the module objectives.

Module 3: Information and Asset Ownership 117


Official (ISC)2 CISSP Training Guide

Asset Protection and Classification Terminology
PPT (Asset Protection and Classification Terminology): Explain terminology related to classification, always stress the connection to security.
In organizations, responsibilities for asset management, including data, have become increasingly divided among several roles. Asset management and data management need to include accountabilities and responsibilities for protection of assets based on classification. There are key roles that are identified in many laws and regulations that dictate certain accountabilities and responsibilities that organizations need to assign. This is especially true of the privacy laws that exist around the world, particularly in very privacy-aware areas such as Europe.
Laws for the protection of privacy have been enacted worldwide. Regardless of the jurisdiction, privacy laws tend to converge around the principle of allowing the individual to have control over their personal information, including how it is protected while it is being collected, processed, and stored by organizations. For organizations to protect the individual’s personal information according to compliance requirements, they must assign accountability and responsibility properly. Compliance requirements will treat personal information as data that requires protection at every step of its lifecycle, from collection, to processing, to storage, to archiving, and to destruction.
Protection of data requires that roles, accountabilities, and responsibilities be clearly distinguished and defined:
• Data subject: The individual who is the subject of personal data.
• Data owner: Accountable for determining the value of the data that they own and, therefore, also accountable for the protection of the data. Data owners also are accountable for defining policies for access of the data and clearly defining and communicating the responsibilities for such protection to other entities including stewards, custodians, and processors.
• Data controller: In the absence of a “true” owner, especially for personal information belonging to clients and customers that has been collected by organizations, the data controller is assigned the accountability for protecting the value of the information based on proper implementation of controls. The controller, either alone or jointly with others, determines the purposes for which and the manner in which any personal data is to be processed and, therefore, protected.
• Data steward: Data stewards are commonly responsible for data content, context, and associated business rules within the organization.

118 Domain 2: Asset Security


Instructor Edition

PPT (Asset Protection and Classification Terminology, continued): Explain terminology related to classification, always stress the connection to security.
• Data processor: Data processors are the entities that process the data on behalf of the data controller; therefore, they may be given the responsibility to protect the data, although the accountability would always remain with the controller.
• Data custodian: Data custodians are responsible for the protection of the data while in their custody. That would mean safe custody, transport, storage, and processing of the data and the understanding of and compliance with policies regarding the protection of the data.

Data Ownership
PPT (Data Ownership): Discuss the accountability of asset owners.
Data management and protection involves many aspects of technology, but it also requires involved parties to clearly understand their roles and responsibilities.
The objectives of delineating data management roles and responsibilities are to:
• Clearly define roles associated with functions.
• Establish data ownership throughout all phases of a project.
• Instill data accountability.
• Ensure that adequate, agreed-upon data quality and metadata metrics are maintained on a continuous basis.
As we have seen, information goes through a lifecycle that consists of phases that include creation, use, archiving, and destruction. Information security controls and activities need to be embedded into the lifecycle phases to protect the information. Protection, as we know, includes not only confidentiality, but also integrity and availability. But security activities should also be involved in the last phase of the lifecycle, which is destruction. Defensible destruction is what should happen when the information is no longer needed.

Information Owner
PPT (Information Owner): Discuss the accountability of information owners.
When information is collected or created, someone in the organization needs to be clearly made accountable for it. We refer to this entity as the “owner.” Often, this is the individual or group that created, purchased, or acquired the information to allow the organization to achieve its mission and goals. This individual or group is considered and referred to as the “information owner.”

PPT (Information Owner, continued): Discuss the accountability of information owners.
The information owner, therefore, is in the best position to clearly understand the value, either quantitative or qualitative, of the information. The owner is also accountable for protecting the information based on that value. To determine the correct value, the owner, therefore, has the following accountabilities:
• Determine the impact the information has on the mission of the organization.
• Understand the replacement cost of the information (if it can be replaced).
• Determine which laws and regulations, including privacy laws, may dictate liabilities and accountabilities related to the information.
• Determine who in the organization or outside of it has a need for the information and under what circumstances the information should be released.
• Know when the information is inaccurate or no longer needed and should be destroyed.
The organization, as part of good data management, needs to be able
to identify the owners of the data. Those data owners then need to
be made accountable for the protection of the value of that data.
Data owners generally may have legal rights over the data, along with
copyright and intellectual property rights. Data ownership includes the
right to use the data to drive corporate decisions, and in situations
where the continued maintenance becomes unnecessary or
uneconomical, the right to destroy it.

Documentation
It is very important for data owners to establish and document certain
expectations that need to be passed on to others, such as custodians,
as they relate to the data that is owned by the owners. For instance,
these may be examples of documentation:
• The ownership, intellectual property rights, and copyright of their data.
• The obligations that ensure the data meets compliance requirements.
• The policies for protection of the data, including baselines and access controls.
• The expectations for protection and responsibilities delegated to custodians and others accessing the data.


Data Custodianship
PPT (Data Custodianship): Discuss the responsibility of custodians.
Data custodians, as the word implies, have custody of assets that don’t belong to them, usually for a certain period of time. Those assets belong to owners somewhere else, but the custodians have “custody” of those assets as they may be required for access, decisions, supporting goals and objectives, etc.
Custodians have the very important responsibility to protect the information while it’s in their custody, according to expectations by the owners as set out in policies, standards, procedures, baselines, and guidelines. It will be up to the security function to ensure that the custodians are supported and advised and have the proper skills, tools, architectures, etc. to be able to properly protect assets, such as information, while in their custody.
How these aspects are addressed and managed should be in accordance with the defined data policies applicable to the data, as well as any other applicable data stewardship specifications. Typical responsibilities of a data custodian may include the following:
• Adherence to appropriate and relevant data policies, standards, procedures, baselines, and guidelines as set out by owners and supported by the security function.
• Ensuring accessibility to appropriate users, maintaining appropriate levels of data security.
• Fundamental data maintenance, including but not limited to data storage and archiving.
• Data documentation, including updates to documentation.
• Assurance of quality and validation of any additions to data, including supporting periodic audits to assure ongoing data integrity.

PPT (Difference Between Data Owner/Controller and Data Custodian/Processor, 2 slides): Discuss the differences between the different roles related to protection of data.

Difference Between Data Owner/Controller and Data Custodian/Processor
Based on the definitions that we have seen above, the difference
between the data owner and the data custodian is that the owner
is accountable for the protection of what they own based on the
value of that asset to the organization. In an environment where a
controller is required as part of compliance needs, the controller
will act as the owner and, therefore, becomes accountable for the
protection based on expectations related to legislation and regulations
and enforced through policy and the implementation of those policies
as standards, procedures, baselines, and guidelines.


In a similar fashion, we have learned that the custodian of data is responsible for the protection of the data while in their custody. The “processor,” therefore, acts as the custodian and is required to adhere to policies, standards, procedures, baselines, and guidelines as described above.
PPT (Difference Between Data Owner/Controller and Data Custodian/Processor, continued): Discuss the differences between the different roles related to protection of data.
So, we can summarize as follows:
Owners/Controllers:
• Accountable for the protection of data based on relevant national or community laws or regulations. The controller is the natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or community law.
Custodians/Processors:
• The processor processes data on behalf of the owners (for example, a cloud provider). The processor is therefore responsible for adhering to policies, standards, procedures, baselines, and guidelines to ensure protection of the data while it is in their custody.

PPT (Activity: Understanding Accountability and Responsibility, 2 slides): Introduce the activity related to accountability vs. responsibility.

Activity: Understanding Accountability and Responsibility

INSTRUCTIONS
Fill in each of the spaces with either the word “accountable” or
“responsible” in relation to the protection of data and the various roles:
1. Data Steward
2. Data Owner
3. Data Custodian
4. Data Processor
5. Data Controller


Module 4: Protect Privacy
PPT (Protect Privacy): Introduce the participants to the “Protect Privacy” module.
Module Objectives
PPT (Module Objectives): Introduce the module objectives.
1. Understand how privacy of personal information is affected by today’s technologies.
2. Explain the expectations of subjects according to privacy laws and regulations.
3. Explain the importance of the Organization for Economic Cooperation and Development (OECD) Guidelines on Privacy Protection.
4. Express the eight principles for privacy protection according to the OECD guidelines.
5. Understand the concept of collection limitation as it applies to privacy.

Module 4: Protect Privacy 123


Privacy – Introduction
PPT (Privacy – Introduction): Define privacy and the rights of individuals.
The global economy has been, and still is, undergoing an information explosion. There has been massive growth in the complexity and volume of global information exchange and, in general, in information collection, processing, and storing. There is much more information and data available to everyone. Personal data is now very sensitive, and its protection and privacy have become important factors that organizations face as part of compliance requirements. The organization needs to protect the privacy of information as it is being collected, used, processed, stored, and archived by authorized individuals in the workplace.
The following is an overview of some of the ways in which different countries and regions around the world are addressing the various legal and regulatory issues they face.

The United States
The United States has many sector-specific privacy and data security laws, both at the federal and state levels. There is no official national privacy data protection law or authority that governs privacy protection. In fact, privacy in the United States is said to be a “sectorial” concern.
For example, the Federal Trade Commission (FTC) has jurisdiction over
most commercial entities and, therefore, has the authority to issue and
enforce privacy regulations in specific areas. In addition to the FTC,
there are other industry specific regulators, particularly those in the
healthcare and financial services sectors, that have authority to issue
and enforce privacy regulations.
Generally, the processing of personal data is subject to “opt out”
consent from the data subject, while the “opt in” rule applies in special
cases such as the processing of sensitive and valuable health information.
With regard to the accessibility of data stored within organizations, it is
important to underline that the Fourth Amendment to the U.S. Constitution
applies; it protects people from unreasonable searches and seizures by the
government. The Fourth Amendment, however, is not a guarantee against
all searches and seizures but only those that are deemed unreasonable
under the law. Whether a particular type of search is considered reasonable
in the eyes of the law is determined by balancing two important interests,
the intrusion on an individual’s Fourth Amendment rights and the
legitimate government interests such as public safety.
In 2012, the US government unveiled a “Consumer Privacy Bill of Rights”
as part of a comprehensive blueprint to protect individual privacy rights
and give users more control over how their information is handled by
organizations that are collecting such information.


European Union
The data protection and privacy laws in the European Union (EU) member states are constrained by the EU directives, regulations, and decisions enacted by the EU. The main piece of legislation is the EU Directive 95/46/EC “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” These provisions apply to all businesses and, therefore, cover the processing of personal data in organizations. There is also the EU Directive 2002/58/EC (the ePrivacy Directive) “concerning the processing of personal data and the protection of privacy in the electronic communications sector.” This directive contains provisions that deal with data breaches and the use of cookies.
Latin American, North African, and medium-size Asian countries have privacy and data protection legislation largely influenced by the EU privacy laws and, in fact, those EU privacy laws may have been used as models for specific legislation.

Asia–Pacific Economic Cooperation (APEC) Council
The Asia–Pacific Economic Cooperation (APEC) council has become
the point of reference for the data protection and privacy regulations.
The APEC countries have endorsed the APEC privacy framework,
recognizing the importance of the development of effective privacy
protections that avoid barriers to information flows and ensure
continued trade and economic growth in the APEC region. The APEC
privacy framework promotes a flexible approach to information
privacy protection across APEC member economies, while avoiding
the creation of unnecessary barriers to information flows.

Essential Requirements in Privacy and Data Protection Laws
The ultimate goal of privacy and data protection laws is to provide
protection to individuals that are referred to as data subjects for
the collection, storage, usage, and destruction of their personal
data with respect to their privacy. This is achieved with the
definitions of requirements to be fulfilled by the operators involved
in the data processing. These operators can process the data,
playing the role of data controllers or data processors; in other
words, controllers end up having accountability for protection,
and processors end up having responsibility for protection.


One such example is the Data Protection Act (DPA) in the UK. According to the Information Commissioner’s Office (ICO) of the UK, which is an independent organization devoted to upholding information rights in the public interest, promoting openness by public bodies and committed to data privacy for individuals, the Data Protection Act sets out rights for individuals regarding their personal information. Personal data is defined as information pertaining to an identifiable living individual. The DPA mandates that whenever personal data is processed, collected, recorded, stored, or disposed of, it must be done within the terms of the Data Protection Act (DPA).
The Information Commissioner’s Office (ICO) helps organizations understand their compliance requirements and find out about their obligations and how to comply, including protecting personal information. As such, they advise on how to comply with the DPA by providing any organization that handles personal information about individuals with a framework that guides how to meet the obligations under the DPA.
The framework guides those who have day-to-day responsibility for data protection. It is split into eight data protection principles, and the guide explains the purpose and effect of each principle, gives practical examples, and answers frequently asked questions. The data protection principles are as follows, taken directly from the ICO website:
1. Personal data shall be processed fairly and lawfully and, in
particular, shall not be processed unless – (a) at least one of the
conditions in Schedule 2 is met, and (b) in the case of sensitive
personal data, at least one of the conditions in Schedule 3 is
also met.
2. Personal data shall be obtained only for one or more specified
and lawful purposes, and shall not be further processed in any
manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in
relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up
to date.
5. Personal data processed for any purpose or purposes shall
not be kept for longer than is necessary for that purpose or
those purposes.
6. Personal data shall be processed in accordance with the rights of
data subjects under this Act.

7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Organization for Economic Cooperation and Development (OECD) Guidelines on Privacy Protection
With the proliferation of technology and the increasing awareness that most of our personally identifiable information (PII) is stored online or electronically in some way and is being collected, stored, and used by organizations, there is a need to protect personal information. That expectation today is in most cases dictated by privacy laws and regulations.
There is an organization that has been devoted to helping governments and organizations around the world in dealing with issues that focus on improving the economic and social well-being of people around the world. That organization is the OECD.
The following is taken directly from the OECD website (www.oecd.org); it describes what the focus and initiatives of the OECD are.
The OECD provides a forum in which governments can work together
to share experiences and seek solutions to common problems. We
work with governments to understand what drives economic, social,
and environmental change. We measure productivity and global flows
of trade and investment. We analyze and compare data to predict
future trends. We set international standards on a wide range of
things, from agriculture and tax to the safety of chemicals.
We also look at issues that directly affect everyone’s daily life, like
how much people pay in taxes and social security and how much
leisure time they can take. We compare how different countries’
school systems are readying their young people for modern life
and how different countries’ pension systems will look after their
citizens in old age.
In the many decades that the OECD has existed, it has played an important role in promoting respect for privacy as a fundamental value and a condition for the free flow of personal data across borders. A perfect example of this is what the OECD has published as the ‘OECD Privacy Guidelines.’ These guidelines can act as a framework that organizations can use in order to understand and address the requirements of privacy protection. They can provide comprehensive guidance on what organizations need to implement as far as security controls to address the requirements of the privacy principles.

OECD Privacy Guidelines
PPT (OECD Privacy Guidelines): Describe the OECD privacy principles and how they can be used as a framework for privacy protection.
The OECD has broadly classified these principles as collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.
The guidelines are as follows:
1. Collection Limitation Principle: There should be limits to
the collection of personal data, and any such data should be
obtained by lawful and fair means and, where appropriate, with
the knowledge or consent of the data subject.
2. Data Quality Principle: Personal data should be relevant to
the purposes for which they are to be used, and, to the extent
necessary for those purposes, should be accurate, complete, and
kept up-to-date.
3. Purpose Specification Principle: The purposes for which
personal data are collected should be specified not later than
at the time of data collection and the subsequent use limited
to the fulfilment of those purposes or such others as are not
incompatible with those purposes and as are specified on each
occasion of change of purpose.
4. Use Limitation Principle: Personal data should not be disclosed,
made available or otherwise used for purposes other than those
specified except with the consent of the data subject; or by the
authority of law.
5. Security Safeguards Principle: Personal data should be
protected by reasonable security safeguards against such risks
as loss or unauthorized access, destruction, use, modification or
disclosure of data.
6. Openness Principle: There should be a general policy of
openness about developments, practices and policies with
respect to personal data. Means should be readily available
of establishing the existence and nature of personal data, and
the main purposes of their use, as well as the identity and usual
residence of the data controller.

PPT (OECD Privacy Guidelines, continued): Describe the OECD privacy principles and how they can be used as a framework for privacy protection.
7. Individual Participation Principle: An individual should have the right to a) obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; c) at a charge, if any, that is not excessive; d) in a reasonable manner; and in a form that is readily intelligible to him; e) to be given reasons if a request is denied, and to be able to challenge such denial; and f) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
8. Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.


Module 5: Asset Retention
PPT (Asset Retention): Introduce the participants to the “Asset Retention” module.
Module Objectives
PPT (Module Objectives): Introduce the module objectives.
1. Understand asset retention and how retention policies are driven by organizational requirements.
2. Explain the reasons that drive data and records retention, including compliance or organizational requirements.
3. Understand the issues associated with long-term storage of assets.

Retention – Introduction
Data retention, which is sometimes also referred to as records retention, is defined as the continued and long-term storage of valuable assets driven by compliance requirements or corporate requirements.
Companies are required to comply with legal and regulatory requirements in retaining assets, especially information and records. Each company should have those requirements clearly addressed and expressed in a retention policy that usually is accompanied by a retention schedule. This will then provide the basis for how long to keep data and assets around and also when they should be securely destroyed.

Establishing Information Governance and Retention Policies
PPT (Establishing Information Governance and Retention Policies): Explain how archiving and retention is driven by policy.
To understand retention requirements, we need to understand the various types of assets, such as data and records, that may have retention needs. As part of proper asset governance, effective asset archiving and retention policies need to be established. These are the issues and factors to consider:
• Understand where the data exists: The enterprise cannot properly retain and archive data unless knowledge of where data resides and how different pieces of information relate to one another across the enterprise is available and known.
• Classify and define data: Define what data needs to be archived and for how long, based on business and retention needs that are driven by laws, regulations, and corporate requirements related to goals and objectives.
• Archive and manage data: Once data is defined and classified, the archiving of that data needs to be done appropriately, based on business access needs. Manage that archival data in a way that supports the defined data retention policies but at the same time allows authorized and timely access.

Building Effective Archiving and Data Retention Policies
PPT (Building Effective Archiving and Data Retention Policies): Explain the importance of building good archiving and retention policies by involving stakeholders.
To build an effective overall archiving and data retention strategy,
consider the following guidelines:
1. Organizations need to involve the most important stakeholders in the process of aligning the organizational goals and objectives with the legal requirements for the asset retention policies. This obviously needs to include the legal function, compliance, privacy, technology, security, and possibly others. Once the meaningful policies are developed, based on requirements, the supporting technology infrastructure needs to be implemented to address the policies. Define clear lines of accountability and responsibility in guiding all stakeholders in maximizing how they work together.
2. Establish common objectives for supporting archiving and data retention best practices within the organization. Understand the best practices that exist out there, especially in the same industry or in companies having similar goals and objectives. Make sure stakeholders are educated and provided with the right skills to manage the requirements for access to assets.
3. On a regular basis, monitor, review, and update the asset retention policies and archiving procedures. Continue to improve the entire process to support your ongoing business objectives for providing appropriate service levels while supporting retention compliance and policy requirements.

Creating a Sound Record Retention Policy
PPT (Creating a Sound Record Retention Policy, 2 slides): Describe the steps involved in understanding retention requirements and addressing those in policy.
Fundamentally, there are some basic steps that can be useful in guiding an organization in developing an effective asset retention policy:
1. Evaluate legal and regulatory requirements, litigation obligations,
and business needs.
2. Classify assets and records.
3. Determine retention periods and defensible destruction
procedures and methods.
4. Draft asset retention policy.
5. Provide training, awareness, and education to support policy.
6. Audit retention and destruction policy and procedures.
7. Periodically review policy and procedures.
8. Document policy, implementation, procedures, training,
awareness, and education and audit results.
For every type of asset, the organization should determine the proper
retention period through involvement with appropriate stakeholders by
taking into consideration laws, regulations, and corporate requirements.
As a result, certain assets may have very long retention periods. Other
assets may have short retention requirements, or possibly no retention
requirement at all, such as junk mail. Regardless, the retention periods should be understood by all stakeholders so that the requirements can be addressed properly.
PPT (Creating a Sound Record Retention Policy, continued): Describe the steps involved in understanding retention requirements and addressing those in policy.
The organization should then draft its record retention policy based on the requirements that are fully understood. The policy should outline the classification of records, retention and destruction schedules, parties responsible for retention and destruction, and the correct procedures to be used for important tasks such as defensible destruction. The justification needs to discuss the business reasons for retention periods of records and destruction of others.
Training, awareness, and education must be part of any retention policy implementation. Every employee must be aware of the
importance of retaining records in accordance with the policy but
also have the skills and knowledge to be able to do it properly. The
policy needs to be clear that any piece of information, regardless of
origin or format is covered by the policy. As the security function
operates in a support role, the security professional has responsibility
for supporting the organization in accurately assessing and measuring
the training being delivered to support the retention policy. This
provides assurance that the policy and how it is implemented is
actually effective.
Equally important is the notion that individual employees should
not destroy assets and records, unless they are records for which
the policy specifically permits. A record retention policy provides
guidance to the organization so that it understands the importance
of training employees as soon as the record retention policy has
been put into effect. That includes new employees as part of
new-hire training, but it should also include a process for
continuing education for existing employees as required.
A record retention policy should require periodic audits to ensure
that records are being retained and destroyed appropriately,
according to the policies and procedures. Paper files and electronic
storage media should be checked to ensure that records are
not retained past their scheduled destruction dates. Other
requirements for assurance may include addressing records on
other types of media.
In addition, the issue of data being shared outside of the
organization with partners, consultants, and other third parties
must also be considered by the security professional as this
data needs to be subjected to similar controls as inside the
organization.

Module 5: Asset Retention 133


Official (ISC)2 CISSP Training Guide

A record retention policy may need to be updated on a regular basis.
This might be because the organization’s business need to capture and
process new information and records may evolve over time. New laws or
regulations governing record retention may apply to the organization.
Laws or regulations that already exist may be changed or in some cases
repealed. Constant monitoring of the retention systems may show that
records need to be categorized differently or that other alterations
would be beneficial. Any changes in the policy should be accompanied
by appropriate training and awareness.

It is crucial that an organization documents all aspects of record
retention policy implementation. The policy itself must be effective
in how it is written, communicated, and understood by all those that
are subject to it. As well, the policy should be accompanied by
assurance mechanisms to show training, awareness, and education
efforts, auditing processes and results, and record destruction
schedules and actions.

PPT: Activity: Review an Organization’s Sample Policy. Introduce sample policy review and facilitate discussion activity.

Example
The data retention policy below outlines how Company “X” operates
with regard to data storage, retention, and destruction. It pays particular
attention to the requirements laid down in the UK DPA. We will use it as
an example.

Activity: Review an Organization’s Sample Policy

INSTRUCTIONS
Working with a partner, review the following sample policy. For your
assigned section, note your ideas about why each aspect of the policy is
in place or the risks to the organization if the policy is not implemented.
Be prepared to share your thoughts with the group.

Key Principles
These are the key principles of this policy:
1. Data must be stored securely and appropriately having regard to
the sensitivity and confidentiality of the data.
2. Appropriate measures are put in place to prevent unauthorized
access and processing of the data, or accidental loss or damage
to the data.
3. Data is retained for only as long as necessary.

4. Data is disposed of appropriately and securely to ensure the
data does not fall into the hands of unauthorized personnel.

Storage
1. Data and records are stored securely to avoid misuse or loss.
2. Any data file or record that contains personal data or
personal sensitive data is considered as confidential.

Examples of How We Approach Storage
1. We only use secure data centers that prevent unauthorized
physical access to our hardware.
2. We only use our own hardware; we do not rent or
share servers.
3. Access to the hardware and maintenance is restricted to
appropriately trained and authorized Company “X” employees.
4. Only employees who are required to assist in meeting
our obligations in providing services have access to the
data. These employees have a full understanding of the
obligations and their duty of confidentiality and the care
required in the handling of the data.
5. We password protect all databases.
6. We encrypt data transferred between our web servers
and a client’s browser, using reputable SSL certificates to a
maximum of 256 bits with initial key exchange at 2048 bits.
The actual level on transfer depends on the capability of the
user’s browser.
7. We do not keep the Personal Data or Sensitive Personal
Data on any laptop or other removable drive. In the event
Personal Data or Personal Sensitive Data had to be stored
on a laptop or removable drive, then the data would be
encrypted to a level in line with industry best practice and
standards available at that time.
8. Our secure data centers are located in X and Y. We do not
disclose the exact location on this public document because
by doing so in part may compromise security.
9. We do not and will not transfer Personal Data or Personal
Sensitive Data to a country or territory outside the European
Economic Area unless that country or territory ensures an
adequate level of protection for the rights and freedoms of
data subjects.

Retention
The DPA requires that personal data processed for any purpose “shall
not be kept for longer than necessary for that purpose.” In terms of the
data stored, we regard the following aspects to be personal:
1. A mobile phone number
2. First and last name
3. Customer identification number
4. Content of the communications sent and received
The maximum period of retention is regarded as five years. If there is no
communication sent to or received from a user in five years, then all
personal data in regard to that user will be deleted. No data file or
record will be retained for more than five years after it is closed unless a
good reason can be demonstrated.

Destruction and Disposal


All information of a confidential or sensitive nature must be securely
destroyed when no longer required. The procedure for the destruction
of confidential or sensitive records is as follows:
1. Electronic files are deleted in such a way that they cannot be
retrieved by simply undoing the last action or restoring the item
from the Recycle Bin.
2. Destruction of backup copies is also dealt with in the same
manner.
3. Prior to disposal, data storage devices are wiped to the standards
defined by the NIST SP 800-88 Revision 1, Guidelines for Media
Sanitization.
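The sample policy’s five-year rules, turned into a retention audit that flags records past their scheduled destruction date and customers whose personal data is due for deletion. This is an added example, not part of the training guide or of Company “X”’s policy; the record fields, the legal_hold field standing in for the policy’s “good reason”, and the sample records are constructed.

```python
"""Retention audit for the sample Company "X" policy: five-year clocks on
user communication and file closure, with a documented "good reason" as
the only exception. Added example, not part of the training guide or the
sample policy; the record fields, the legal_hold field and the sample
records are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 5   # "The maximum period of retention is regarded as five years."
AUDIT_DATE = date(2024, 1, 1)   # constructed "today" for the sample run


@dataclass
class Record:
    record_id: str
    customer_id: str                   # the customer identification number is personal data
    last_contact: date                 # last communication sent to or received from the user
    closed_on: Optional[date] = None   # None while the file is still open
    legal_hold: Optional[str] = None   # documented "good reason" to keep it longer


def add_years(d: date, years: int) -> date:
    """Same calendar day `years` on; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destruction_date(rec: Record) -> date:
    """Scheduled destruction date: five years after the last communication,
    or five years after closure, whichever comes first."""
    due = add_years(rec.last_contact, RETENTION_YEARS)
    if rec.closed_on is not None:
        due = min(due, add_years(rec.closed_on, RETENTION_YEARS))
    return due


def audit(records, today: date):
    """Split records past their destruction date into those to destroy now
    and those held under a documented reason (to be re-justified, not ignored)."""
    overdue, held = [], []
    for rec in records:
        due = destruction_date(rec)
        if due > today:
            continue
        (held if rec.legal_hold else overdue).append((rec.record_id, due))
    return overdue, held


def dormant_customers(records, today: date):
    """Customers with no communication in five years on any record: all their
    personal data is to be deleted, unless one of their records is on hold."""
    latest, on_hold = {}, set()
    for rec in records:
        latest[rec.customer_id] = max(latest.get(rec.customer_id, rec.last_contact),
                                      rec.last_contact)
        if rec.legal_hold:
            on_hold.add(rec.customer_id)
    return sorted(c for c, d in latest.items()
                  if add_years(d, RETENTION_YEARS) <= today and c not in on_hold)


SAMPLE_RECORDS = [  # constructed sample data
    Record("R-1", "C-1001", last_contact=date(2016, 12, 5), closed_on=date(2017, 3, 1)),
    Record("R-2", "C-1002", last_contact=date(2023, 6, 30)),
    Record("R-3", "C-1003", last_contact=date(2018, 1, 15)),
    Record("R-4", "C-1004", last_contact=date(2018, 8, 20), closed_on=date(2018, 8, 20),
           legal_hold="Litigation hold LH-0042 (constructed reference)"),
]

if __name__ == "__main__":
    overdue, held = audit(SAMPLE_RECORDS, AUDIT_DATE)
    print("destroy now:", overdue)
    print("past schedule, on hold:", held)
    print("dormant customers to erase:", dormant_customers(SAMPLE_RECORDS, AUDIT_DATE))
```

The same audit run against paper and backup inventories covers the periodic check the text asks for; records on hold are reported separately so the justification is reviewed rather than silently extending retention.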

Framing the Conversation


The sample data retention policy provided above helps frame the
conversation with regard to retention in the enterprise. Without a
clearly written policy that can be communicated to all employees,
implemented, monitored for effectiveness, managed for compliance,
and audited for assurance, an organization is not able to safeguard the
enterprise and ensure that proper processes are being followed with
regard to asset management, including retention requirements.
By classifying these objects, you are able to partner with the enterprise
and can begin to define the rules for managing them at different stages
in the information lifecycle.

PPT: Important Considerations. Discuss considerations of archiving and retention.

Important Considerations
Questions to consider:
1. Who needs access to archived data and why? How fast do
they need it?
2. Do access requirements change as the archives age?
3. How long do we need to keep the archived data? When
should it be disposed of or deleted?
PPT: Best Practices. Describe best practices in record and data retention.

Best Practices
To effectively define and classify business information for retention
and disposal, consider the following best practices.
1. Promote cross-functional ownership. Typically, business
units own their data and set the data retention policies, while
information technology (IT) owns the infrastructure and
controls data management processes. Accordingly, business
managers are responsible for defining who can touch the
data and what they can do with it. IT must implement a
technology infrastructure that supports these policies.
2. Promote cross-functional ownership for archiving,
retention, and disposal policies. This provides a great
indicator of project success because then all groups have a
vested interest in a positive outcome. These retention policy
definitions can then be saved to a glossary to be leveraged
throughout the data lifecycle, providing the proper context and
metadata to define, manage, and validate retention policies.
3. Plan and practice data retention and orderly disposal.
After all stakeholders have signed off on the archiving and
data retention policies, IT can develop a plan to implement
those policies. Consider solutions that manage enterprise-
wide retention policies for both structured and unstructured
data, supporting the defensible disposal of unneeded
information in addition to the retention of information based
on business value, regulatory, or legal obligations. Also,
think about solutions that generate notification reports and
identify which archives are nearing expiration.

Key Areas of Focus


By focusing in three distinct areas, media, hardware, and personnel,
you can ensure that retention is being addressed in a formal
manner, aligned with the policies of the enterprise, and meant to
ensure confidentiality, integrity, and availability of data as required.

PPT: Examples of Data Retention Policies (2 slides). Explain good examples of data retention policies that can be used as examples.

Examples of Data Retention Policies
Some examples of retention policies are as follows:
1. European Document Retention Guide 2013: A Comparative
View Across 15 Countries To Help You Better Understand Legal
Requirements And Records Management Best Practices (Iron
Mountain, January 2013)
2. State of Florida Electronic Records and Records Management
Practices, November 2010
3. The Employment Practices Code, Information Commissioner’s
Office, UK, November 2011
4. Wesleyan University, Information Technology Services
Policy Regarding Data Retention for ITS-Owned Systems,
September 2013
5. Visteon Corporation, International Data Protection Policy,
April 2013
6. Texas State Records Retention Schedule (Revised 4th edition),
effective July 4, 2012

Module 6: Data Security Controls

PPT: Data Security Controls. Introduce the participants to the “Data Security Controls” module.

PPT: Module Objectives. Introduce the module objectives.

Module Objectives
1. Define baseline protection.
2. Explain how baselines can help an organization achieve
minimum levels of security associated with valuable assets.
3. Understand how baselines include security controls and how
to implement them.
4. Describe baseline protection and scoping and tailoring in
reference to asset protection.
5. Understand the different data states and explain how to
secure each.
6. Explain the difference between end-to-end and link
encryption as it relates to data in motion.

PPT: Baselines (3 slides). Define and summarize key points about baselines.

Data Protection Methods
Baselines
A baseline is a minimum level of protection that can be used as a
reference point. As a reference point, baselines can therefore be used
as a comparison for assessments and requirements to ensure that
those minimum levels of security controls are always being achieved.
Baselines can also provide a way to ensure updates to technology and
architectures are subjected to the minimum understood levels of
security requirements.
As part of what security does, once controls are in place to mitigate risks,
the baselines can be referenced, after which all further comparisons and
development are measured against it.
Specifically when protecting assets, baselines can be particularly
helpful in achieving protection of those assets based on value.
Remember, if we have classified assets based on value, as long as we
come up with meaningful baselines for each of the classification levels,
we can conform to the minimum levels required. In other words, let’s
say that we are using classifications such as HIGH, MEDIUM, and LOW.
Baselines could be developed for each of our classifications and
provide that minimum level of security required for each. For example,
we could establish baselines as follows, keeping in mind that these
examples may not be complete, they are just meant to show the
concepts of how baselines can provide that reference point for
minimum levels of security:

HIGH:
- Access
  - Strong passwords
  - Asset owner approved request, review, termination process
  - Non-disclosure agreement
- Encryption
  - 128 bit symmetric encryption for creation, storage,
    and transmission
- Labeling
  - Watermark
- Monitoring
  - Real-time

MEDIUM:
- Access
  - Passwords
  - Asset owner approved request, review, termination process
- Encryption
  - 128 bit symmetric encryption for transmission
- Labeling
  - None
- Monitoring
  - Timely
LOW:
- Access
  - Asset owner approved request, review, termination
    process
- Encryption
  - None
- Labeling
  - None
- Monitoring
  - None
Baselines can be technology and architecture related and specific
to certain types of systems. For example, an organization may
dictate what the minimum levels of security requirements need to
be for a Windows machine before it can be connected to the
corporate network. Baselines can also be non-technology related,
such as an organization requiring all employees to display their
identification badges while in certain areas of the organization, or
requiring that any visitors must be escorted in valuable areas of the
organizations. While these types of controls can be mandated and,
therefore, be considered to be policies, they can also establish the
minimum levels of security required as part of the security program
and, therefore, create a baseline of protection.
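A check of asset configurations against the HIGH, MEDIUM, and LOW baselines above, added here as an example rather than taken from the training guide; the control names, the asset-record format, and the sample assets are assumptions made for illustration.

```python
"""Compare asset configurations against the HIGH/MEDIUM/LOW baselines.
Added example, not from the training guide; control names, the
asset-record format and the sample assets are constructed."""

MIN_SYMMETRIC_BITS = 128                      # "128 bit symmetric encryption"
MONITORING_RANK = {None: 0, "timely": 1, "real-time": 2}

# Minimum controls per classification, transcribed from the baselines above.
BASELINES = {
    "HIGH": {
        "access": {"strong_passwords", "owner_approved_lifecycle", "nda"},
        "encryption": {"creation", "storage", "transmission"},
        "labeling": "watermark",
        "monitoring": "real-time",
    },
    "MEDIUM": {
        "access": {"passwords", "owner_approved_lifecycle"},
        "encryption": {"transmission"},
        "labeling": None,
        "monitoring": "timely",
    },
    "LOW": {
        "access": {"owner_approved_lifecycle"},
        "encryption": set(),
        "labeling": None,
        "monitoring": None,
    },
}

# A stronger control satisfies the weaker requirement it subsumes.
IMPLIES = {"strong_passwords": {"passwords"}}


def effective_controls(controls):
    """Expand the access controls an asset has with those they imply."""
    effective = set(controls)
    for control in controls:
        effective |= IMPLIES.get(control, set())
    return effective


def check_asset(asset):
    """Return the list of gaps between an asset and the baseline for its
    classification; an empty list means the baseline is met."""
    base = BASELINES[asset["classification"]]
    gaps = []

    for control in sorted(base["access"] - effective_controls(asset["access"])):
        gaps.append(f"access: missing {control}")

    # Each stage the baseline names needs at least 128-bit symmetric encryption;
    # a stage absent from the asset record counts as unencrypted (0 bits).
    for stage in sorted(base["encryption"]):
        bits = asset["encryption"].get(stage, 0)
        if bits < MIN_SYMMETRIC_BITS:
            gaps.append(f"encryption: {stage} is {bits}-bit, baseline requires "
                        f"{MIN_SYMMETRIC_BITS}-bit symmetric")

    if base["labeling"] and asset.get("labeling") != base["labeling"]:
        gaps.append(f"labeling: requires {base['labeling']}, found {asset.get('labeling')}")

    # Monitoring is ordered: real-time satisfies timely, timely satisfies none.
    if MONITORING_RANK[asset.get("monitoring")] < MONITORING_RANK[base["monitoring"]]:
        gaps.append(f"monitoring: requires {base['monitoring']}, found {asset.get('monitoring')}")
    return gaps


def assess(assets):
    """Map each asset name to its baseline gaps."""
    return {asset["name"]: check_asset(asset) for asset in assets}


SAMPLE_ASSETS = [  # constructed asset records
    {"name": "hr-db", "classification": "HIGH",
     "access": {"strong_passwords", "owner_approved_lifecycle", "nda"},
     "encryption": {"creation": 256, "storage": 256, "transmission": 128},
     "labeling": "watermark", "monitoring": "real-time"},
    {"name": "partner-portal", "classification": "HIGH",
     "access": {"passwords", "owner_approved_lifecycle"},
     "encryption": {"transmission": 128},
     "labeling": None, "monitoring": "timely"},
    {"name": "intranet-wiki", "classification": "MEDIUM",
     "access": {"strong_passwords", "owner_approved_lifecycle"},
     "encryption": {"transmission": 128}, "monitoring": "timely"},
    {"name": "public-brochures", "classification": "LOW",
     "access": set(), "encryption": {}},
]

if __name__ == "__main__":
    for name, gaps in assess(SAMPLE_ASSETS).items():
        print(name, "meets baseline" if not gaps else "GAPS:")
        for gap in gaps:
            print("   -", gap)
```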
As a summary:
- A baseline is a consistent reference point.
- Baselines provide a definition of the minimum level of protection
  that is required to protect valuable assets.
- Baselines can be defined as configurations for various
  architectures, which will indicate the necessary settings and
  the level of protection that is required to protect that
  architecture.

PPT: Considerations. Explain some of the considerations in baseline selection.

Considerations
Certain questions need to be considered when applying baseline
security:
- Which parts of the enterprise or systems can be protected by the
  same baseline?
- Should the same baseline be applied throughout the whole
  enterprise?
- At what security level should the baseline aim?
- How will the controls forming the baselines be determined?

PPT: Objective of Baseline Protection. Describe the objectives of baseline protection.

Objective of Baseline Protection
The objective of baseline protection is to establish a minimum set of
safeguards to protect the classified assets of the organization. Using
this approach, it is possible to apply baseline protection enterprise-
wide and, additionally, use detailed risk analysis reviews to protect
valuable assets that may be at high risk or systems critical to
the business.

PPT: Baseline Catalogs. Explain the benefits of baseline catalogs.

Baseline Catalogs
Many catalogs of baseline protection examples exist that organizations
can use as guidance in coming up with their baseline requirements.
Baseline catalogs may specify safeguards to be used in detail, or they
may suggest a set of security requirements to be addressed with
whatever safeguards are appropriate to the system under consideration.
Both approaches have advantages.

One of the objectives of the baseline approach is consistency of security
safeguards throughout the enterprise, which can be achieved by both
approaches mentioned above. Several documents are already available
that provide sets of baseline safeguards. Also, sometimes a similarity of
environments can be observed among companies within the same
industries. After the examination of the basic needs, it may be possible
for baseline safeguard catalogs to be used by a number of different
organizations. For example, catalogues of baseline safeguards
could be obtained from these examples:
1. International and national standards organizations.
2. Industry sector standards or recommendations.
3. Some other company, preferably with similar business
objectives and of comparable size.
An enterprise may also generate its own baseline, established
solely on the requirements of the organization’s goals and
objectives. There are several advantages with this approach, such
as the following:
1. Only a minimum amount of resources is needed for
risk analysis and management for each safeguard
implementation, and thus less time and effort is spent on
selecting security safeguards.
2. Baseline safeguards may offer a cost-effective solution
because the same or similar baseline safeguards can be
adopted for many systems without great effort if a large
number of the enterprise’s systems operate in a common
environment and if the security needs are comparable.

Example: United States Government Configuration Baseline (USGCB)
One such example of this approach can be found by examining the
United States Government Configuration Baseline (USGCB). The
purpose of the USGCB initiative is to create security configuration
baselines for IT products widely deployed across the federal
agencies. The USGCB baseline evolved from the Federal Desktop
Core Configuration mandate. The USGCB is a federal government-
wide initiative that provides guidance to agencies on what should
be done to improve and maintain effective configuration
settings, focusing primarily on security.

Example: Estonian Information System’s Authority IT Baseline Security System ISKE
Another example can be found in the Estonian Information System’s
Authority IT baseline security system ISKE. ISKE is an information
security standard developed for the Estonian public sector, which is
mandatory for state and local government organizations that handle
databases. ISKE is based on a German information security
standard—IT Baseline Protection Manual (IT-Grundschutz in
German)—that has been adapted to suit the Estonian situation.

ISKE is implemented as a three-level baseline system, meaning that three
different sets of security measures for three different security
requirements have been developed and are available for implementation
based on the needs of the entity managing the databases in question
and the type(s) of data that the database contains.

PPT: Generally Accepted Principles (2 slides). Describe some of the best practices in baseline catalogs.

Generally Accepted Principles
This section introduces some generally accepted principles that address
information security from a very high-level viewpoint that again can
provide comprehensive guidance to organizations. These principles are
fundamental in nature and rarely change over time, regardless of
technology focus. They are NOT stated here as security requirements
but are provided as useful guiding references for developing,
implementing, and understanding security policies and baselines for use
in any organization, regardless of industry or focus. The principles listed
below are by no means exhaustive and are only meant to be examples:
- Information System Security Objectives: Information system
  security objectives or goals are described in terms of three
  overall objectives: confidentiality, integrity, and availability.
  Security policies, baselines, and measures are developed and
  implemented according to these objectives.
- Prevent, Detect, Respond, and Recover: Information security
  is a combination of preventive, detective, response, and recovery
  measures. Preventive measures are for avoiding or deterring the
  occurrence of an undesirable event. Detective measures are for
  identifying the occurrence of an undesirable event. Response
  measures refer to coordinated response to contain damage when
  an undesirable event (or incident) occurs. Recovery measures
  are for restoring the confidentiality, integrity, and availability of
  information systems to their expected state.
- Protection of Information While Being Processed, in Transit,
  and in Storage: Security measures should be considered and
  implemented as appropriate to preserve the confidentiality,
  integrity, and availability of information while it is being
  processed, in transit, and in storage.
- External Systems Are Assumed to Be Insecure: In general,
  an external system or entity that is not under your direct control
  should be considered insecure. Additional security measures are
  required when your information assets or information systems
  are located in, or interfacing with, external systems. Information
  systems infrastructure could be partitioned using either physical
  or logical means to segregate environments with different
  risk levels.

- Resilience for Critical Information Systems: All critical
  information systems need to be resilient to withstand
  major disruptive events, with measures in place to detect
  disruption, minimize damage, and rapidly respond
  and recover.
- Auditability and Accountability: Security requires
  auditability and accountability. Auditability refers to the
  ability to verify the activities in an information system.
  Evidence used for verification can take the form of
  audit trails, system logs, alarms, or other notifications.
  Accountability refers to the ability to audit the actions of
  all parties and processes that interact with information
  systems. Roles and responsibilities should be clearly defined,
  identified, and authorized at a level commensurate with the
  sensitivity of information.

PPT: Scoping and Tailoring. Define scoping and tailoring and how they relate to baselines.

Scoping and Tailoring
Scoping can be defined as limiting the general baseline
recommendations by removing those that do not apply. We
“scope” to ensure the baseline control applies to the environment
as best as it can. Tailoring is defined as altering baseline control
recommendations to apply more specifically. This means we “tailor”
to make sure controls apply as required, specifically to the
technology or environment. To scope and tailor, a thorough
understanding of the environment and risks is necessary.
Scoping guidance provides an enterprise with specific terms and
conditions on the applicability and implementation of individual
security controls. Several considerations can potentially impact
how baseline security controls are applied by the enterprise.
System security plans should clearly identify which security controls
employed scoping guidance and include a description of the type
of considerations that were made. The application of scoping
guidance must be reviewed and approved by the authorizing
official for the information system in question.
Tailoring involves scoping the assessment procedures to more
closely match the characteristics of the information system and its
environment of operation. The tailoring process gives enterprises
the flexibility needed to avoid assessment approaches that are
unnecessarily complex or costly while simultaneously meeting the
assessment requirements established by applying the fundamental
concepts of a risk management framework. Supplementation

involves adding assessment procedures or assessment details to
adequately meet the risk management needs of the organization (e.g.,
adding organization-specific details such as system/platform-specific
information for selected security controls). Supplementation decisions
are left to the discretion of the organization to maximize flexibility in
developing security assessment plans when applying the results of risk
assessments in determining the extent, rigor, and level of intensity of
the assessments.
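Scoping, tailoring, and supplementation applied to a baseline control set, together with the decision record that the text says a system security plan should carry (including the authorizing official’s approval of scoping). This is an added example, not drawn from the training guide or from any NIST catalog; the control identifiers, parameters, and approver name are constructed.

```python
"""Scoping, tailoring and supplementation applied to a baseline, with the
decision record a system security plan needs. Added example, not from the
training guide or any NIST catalog; control ids, parameters and the
approver are constructed."""
from copy import deepcopy

# Constructed baseline: control id -> attributes. Parameters whose name starts
# with "min_" are floors the baseline sets; tailoring may raise but never lower them.
MEDIUM_BASELINE = {
    "AC-PWD": {"title": "Password-based authentication", "min_length": 12},
    "AC-WIFI": {"title": "Wireless access restrictions"},
    "SC-TRANSIT": {"title": "Encrypt data in transmission", "min_key_bits": 128},
    "AU-REVIEW": {"title": "Audit log review", "interval_days": 7},
}


class TailoredBaseline:
    def __init__(self, baseline):
        self.baseline = baseline
        self.controls = deepcopy(baseline)
        self.decisions = []       # the record that goes into the system security plan

    def _record(self, action, control_id, rationale, approved_by=None, **detail):
        self.decisions.append({"action": action, "control": control_id,
                               "rationale": rationale, "approved_by": approved_by, **detail})

    def scope(self, control_id, rationale, approved_by):
        """Scoping: drop a baseline control that does not apply to this environment.
        The text requires the authorizing official's review and approval."""
        if control_id not in self.controls:
            raise KeyError(f"{control_id} is not in the baseline")
        if not approved_by:
            raise ValueError(f"{control_id}: scoping needs authorizing-official approval")
        del self.controls[control_id]
        self._record("scope", control_id, rationale, approved_by)

    def tailor(self, control_id, parameter, value, rationale):
        """Tailoring: adjust a control's parameter to the technology or environment.
        A 'min_' parameter may not be set below the baseline floor."""
        control = self.controls[control_id]
        old = self.baseline[control_id].get(parameter)
        if parameter.startswith("min_") and old is not None and value < old:
            raise ValueError(f"{control_id}.{parameter}={value} weakens the baseline floor {old}")
        control[parameter] = value
        self._record("tailor", control_id, rationale, parameter=parameter, old=old, new=value)

    def supplement(self, control_id, spec, rationale):
        """Supplementation: add an organization-specific control the baseline lacks."""
        if control_id in self.controls:
            raise ValueError(f"{control_id} already exists; tailor it instead")
        self.controls[control_id] = dict(spec)
        self._record("supplement", control_id, rationale)

    def ssp_entries(self):
        """Lines for the system security plan, one per decision."""
        return [f"{d['action'].upper():10} {d['control']}: {d['rationale']}"
                + (f" [approved by {d['approved_by']}]" if d["approved_by"] else "")
                for d in self.decisions]


def build_example():
    """Apply the baseline to a constructed wired-only back-office system."""
    tb = TailoredBaseline(MEDIUM_BASELINE)
    tb.scope("AC-WIFI", "System has no wireless interfaces.",
             approved_by="Authorizing Official (constructed name)")
    tb.tailor("AC-PWD", "min_length", 14,
              "Platform supports a 14-character minimum; aligns with corporate standard.")
    tb.supplement("ORG-BADGE", {"title": "Identification badges displayed in server rooms"},
                  "Non-technical baseline control required by site policy.")
    return tb


if __name__ == "__main__":
    for line in build_example().ssp_entries():
        print(line)
```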
Be aware of the value that scoping, tailoring, and supplementation can
bring to the security architectures being planned and assessed for the
enterprise. The use of scoping and tailoring to properly narrow the focus
of the architecture will ensure that the appropriate risks are identified
and addressed based on requirements. The use of supplementation will
allow the architecture to stay flexible over time and grow to address the
needs of the enterprise that arise during operation of the architecture
once it is implemented fully and as time goes on.

PPT: Case: Standards Selection Review. Introduce case, describe standards that can be used as frameworks for organizations.

Standards (Frameworks) Selection
Standards, sometimes referred to as frameworks, that are focused on
security can be very helpful to organizations in not only understanding
baseline security controls, but can also be used in assessing the current
state of security programs for organizations. There are many frameworks
that have been created by governments and industry groups to guide and
assist organizations in the daunting task of protecting assets. Examples
include Payment Card Industry Data Security Standard (PCI DSS),
International Organization for Standardization (ISO), General Data
Protection Regulation (GDPR), and many others.
The security professional needs to be familiar with a wide range of
standards and frameworks and the organizations and entities that are
responsible for each of them. These range from United States-based
entities, such as National Institute of Standards and Technology (NIST),
to transnational entities, such as the European Network and Information
Security Agency (ENISA), the International Telecommunications Union
(ITU), and the ISO.

Case: Standards Selection Review


The following extensive list includes many of the leading standards
bodies and each respective standard/framework for which they are
responsible. Being assigned one or more of these standards/
frameworks to review will gain you an understanding of how some

of these real-world frameworks can help organizations in having
comprehensive guidance on how to structure security controls
properly and how these can also be used to gauge the current
state of an organization’s security program.

The following is a list of many of the leading standards bodies and
the standards for which they are responsible.

INSTRUCTIONS
Working on your own, review your assigned standards and prepare
to introduce them to the rest of the class.

United States Resources


U.S. Department of Defense Policies
1. Department of Defense Instruction 8510.01 (DoDI
8510.01): DoD Instruction 8510.01 establishes the Defense
Information Assurance Certification & Accreditation Process
(DIACAP) for authorizing the operation of DoD Information
Systems, for managing the implementation of information
assurance (IA) capabilities and services, and for providing
visibility of accreditation decisions regarding the operation
of DoD Information Systems, including core enterprise
services- and web services-based software systems and
applications.
DoDI 8510.01 URL:
http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
2. United States National Security Agency (NSA) IA
Mitigation Guidance: The NSA provides guidance on IA
security solutions so that customers can benefit from NSA’s
unique and deep understanding of risks, vulnerabilities,
mitigations, and threats. Available mitigation guidance
includes security configuration, trusted computing, and
system-level IA guidance.
NSA IA Mitigation Guidance web site:
http://www.nsa.gov/ia/mitigation_guidance/index.shtml
3. NIST Computer Security Division (CSD): NIST is the
U.S. federal technology agency that works with industry
to develop and apply technology, measurements,
and standards. The NIST CSD focuses on providing
measurements and standards to protect information systems
against threats to the confidentiality of information, integrity

of information and processes, and availability of information and
services in order to build trust and confidence in IT systems.
The NIST CSD maintains an online Computer Security Resource
Center that can be accessed at:
http://csrc.nist.gov/index.html

NIST Publications Series
4. Federal Information Processing Standards (FIPS): FIPS is the
official series of publications relating to standards and guidelines
adopted under the Federal Information Security Management Act
(FISMA) of 2002. FIPS’ publications provide standards guidance
on topics such as minimum security requirements, standards for
security categorization for federal information and information
systems, personal identity verification, and digital signature
standards, among others.
The complete library of FIPS publications can be found at:
http://csrc.nist.gov/publications/PubsFIPS.html
5. FIPS Publication 199: FIPS Publication 199, Standards for
Security Categorization of Federal Information and Information
Systems provides standards for categorizing information and
information systems. Security categorization standards provide
a common framework and understanding for expressing
security that promotes effective management and oversight
of information security programs and consistent reporting
to oversight offices on the adequacy and effectiveness of
information security policies, procedures, and practices.
Document URL:
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
6. FIPS Publication 200: FIPS Publication 200, Minimum Security
Requirements for Federal Information and Information Systems,
was created in response to the need for each U.S. federal agency
to develop, document, and implement an enterprise-wide
program to provide information security for the information and
information systems that support the operations and assets of
the agency, and it outlines minimum security requirements for
U.S. federal information and information systems.
Document URL:
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
7. Special Publications (SP) 800 Series: The SP 800 series
presents documents of general interest to the computer security
community and reports on research, guidelines, and outreach

efforts in computer security and its collaborative activities
with industry, government, and academic organizations.
SPs 800-37, 800-53, and 800-60 are highlighted here for
reference.
The complete text of all SP 800 documents can be
downloaded at:
http://csrc.nist.gov/publications/PubsSPs.html
8. SP 800-37, Guide for Applying Risk Management
Framework to Federal Information Systems: NIST
Special Publication 800-37, Guide for Applying the Risk
Management Framework to Federal Information Systems,
establishes a common framework to improve information
security, strengthen risk management processes, and
encourage reciprocity among federal agencies. This
publication introduces guidelines for a six-step Risk
Management Framework. See Risk Management Framework
for additional information.
Document URL:
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
9. SP 800-53, Security and Privacy Controls for Federal
Information Systems and Organizations: NIST Special
Publication 800-53, Security and Privacy Controls for
Federal Information Systems and Organizations provides
guidelines for selecting and specifying security controls
for organizations and information systems supporting
the executive agencies of the federal government. The
guidelines apply to all components of an information system
that process, store, or transmit federal information.
Document URL:
http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
10. SP 800-60, Guide to Mapping Types of Information
and Information Systems to Security Categories: NIST
Special Publication 800-60, Guide for Mapping Types of
Information and Information Systems to Security Categories
provides guidelines recommending the types of information
and information systems to be included in each category
of potential security impact. These guidelines are intended
to help agencies consistently map security impact levels
to types of information (e.g., privacy, medical, proprietary,
financial, contractor sensitive, trade secret, investigation)

and information systems (e.g., mission critical, mission support,
administrative).
Document URL:
http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf

Additional NIST Resources
11. Risk Management Framework: The management of organizational
risk is a key element in an organization’s information security
program and provides an effective framework for selecting the
appropriate security controls for an information system. The NIST Risk
Management Framework is a risk-based approach to security control
selection and specification and is comprised of activities related to
managing organizational risk. These activities are paramount to an
effective information security program and can be applied to both
new and legacy information systems. See Special Publication 800-37
for additional information.
Risk Management Framework web site:
http://csrc.nist.gov/groups/SMA/fisma/framework.html
12. National Checklist Program (NCP): The NCP is the U.S.
government repository of publicly available security checklists (or
benchmarks) that provide detailed low-level guidance on setting
the security configuration of operating systems and applications.
The checklist repository can be found at:
http://web.nvd.nist.gov/view/ncp/repository

International Resources
13. 10 Steps to Cybersecurity: Published by CESG, the guidance
provided by the 10 Steps to Cybersecurity offers practical steps
that organizational leaders can direct to be taken to improve the
protection of networks and the information carried upon them.
10 Steps to Cybersecurity also directs readers to The 20 Critical
Controls developed by CSIS, also referenced in this guide, for
further guidance.
Document URL:
https://www.ncsc.gov.uk/guidance/10-steps-cyber-security#quicktabs-guidances_tabs2
14. Cybersecurity Strategy of the European Union: Published
by the European Commission, the cybersecurity strategy
An Open, Safe, and Secure Cyberspace represents the EU’s

comprehensive vision on how best to prevent and respond
to cyber disruptions and incidents. Specific actions
are aimed at enhancing cyber resilience of information
systems, reducing cybercrime, and strengthening EU
international cybersecurity policy and cyber defense. The
EU international cyberspace policy promotes the respect
of EU core values, defines norms for responsible behavior,
advocates the application of existing international laws in
cyberspace, while assisting countries outside the EU with
cybersecurity capacity-building, and promoting international
cooperation in cyber issues.
Document URL:
http://eeas.europa.eu/policies/eu-cyber-security/cybsec_comm_en.pdf
15. European Network and Information Security Agency
(ENISA): ENISA is a center of network and information
security expertise for the EU, its Member States, the private
sector, and Europe’s citizens. ENISA works with these groups
to develop advice and recommendations on good practice
in information security. It assists EU Member States in
implementing relevant EU legislation and works to improve
the resilience of Europe’s critical information infrastructure
and networks. ENISA seeks to enhance existing expertise in
EU Member States by supporting the development of cross-
border communities committed to improving network and
information security throughout the EU.
More information about ENISA and its work can be found at:
http://www.enisa.europa.eu
16. National Cyber Security Strategies: An Implementation
Guide: The National Cyber Security Strategies
implementation guide developed by ENISA introduces a
set of concrete actions, which if implemented will lead to
a coherent and holistic national cyber-security strategy. It
also proposes a national cyber-security strategy life cycle,
with a special emphasis on the development and execution
phase. Policy makers will find practical recommendations on
how to control the overall development and improvement
processes and how to follow up on the status of national
cybersecurity affairs within their country.
Document URL:
https://www.enisa.europa.eu/publications/national-cyber-security-strategies-an-implementation-guide

17. International Organization for Standardization (ISO): ISO is
a developer of voluntary International Standards in collaboration
with its partners in international standardization, the International
Electrotechnical Commission (IEC) and the International
Telecommunication Union (ITU), particularly in the field of
information and communication technologies.
ISO web site:
http://www.iso.org/iso/home.html
18. ISO/IEC 27001: ISO/IEC 27001 covers all types of organizations,
including government agencies, and specifies the requirements
for establishing, implementing, operating, monitoring, reviewing,
maintaining, and improving a documented Information Security
Management System within the context of the organization’s
overall business risks. It specifies requirements for the
implementation of security controls customized to the needs of
individual organizations and is designed to ensure the selection
of adequate and proportionate security controls that protect
information assets and give confidence to interested parties. ISO/
IEC Standards are under copyright and cannot be redistributed
without purchase.
ISO/IEC 27001 is available for purchase at:
http://www.iso.org/iso/catalogue_detail?csnumber=42103
19. ISO/IEC 27002: In conjunction with ISO/IEC 27001, ISO/IEC
27002 establishes guidelines and general principles for initiating,
implementing, maintaining, and improving information security
management in an organization. The objectives outlined
provide general guidance on the commonly accepted goals of
information security management. The control objectives and
controls in ISO/IEC 27002 are intended to be implemented to
meet the requirements identified by a risk assessment. ISO/
IEC Standards are under copyright and cannot be redistributed
without purchase.
ISO/IEC 27002 is available for purchase at:
http://www.iso.org/iso/catalogue_detail?csnumber=50297
20. International Telecommunication Union-Telecommunication
(ITU-T) Standardization: The International Telecommunication
Union is a specialized agency of the United Nations responsible
for issues that concern information and communication
technologies. The study groups of ITU-T’s Standardization Sector
assemble global experts to produce international standards
known as ITU-T Recommendations, which act as defining

elements in the global infrastructure of information and
communication technologies (ICTs).
ITU-T Standardization Sector web page:
http://www.itu.int/en/ITU-T/Pages/default.aspx
21. Recommendations X.800 – X.849: The X.800 series of
ITU-T Recommendations defines a security baseline against
which network operators can assess their network and
information security status in terms of readiness and ability
to collaborate with other entities to counteract information
security threats.
The complete text of all X.800 series recommendations can be
downloaded at:
http://www.itu.int/rec/T-REC-X/e
22. Recommendation X.1205: Recommendation ITU-T X.1205
provides a definition for cybersecurity and taxonomy
of security threats from an organization point of view.
Cybersecurity threats and vulnerabilities, including the
most common hacker’s tools, are presented and threats are
discussed at various network layers. Available cybersecurity
technologies are discussed as well as network protection
principles, such as defense in depth and access management,
with application to cybersecurity. Risk management strategies
and techniques are presented, including the value of training
and education in protecting the network.
Document URL:
http://www.itu.int/rec/T-REC-X.1205-200804-I/en
23. National Cyber Security Framework Manual: The
National Cyber Security Framework Manual provides
detailed background information and in-depth theoretical
frameworks to help the reader understand the various facets
of National Cyber Security, according to different levels of
public policy formulation. The four levels of government—
political, strategic, operational, and tactical/technical—
have their own perspectives on National Cyber Security,
and each is addressed in individual sections within the
manual. Additionally, the manual gives examples of relevant
institutions in National Cyber Security, from top-level policy
coordination bodies down to cyber crisis management
structures and similar institutions.
Document URL:
http://www.ccdcoe.org/publications/books/NationalCyberSecurityFrameworkManual.pdf


The Center for Strategic & International Studies (CSIS) 20 Critical Security Controls Initiative
PPT: The Center for Strategic & International Studies (CSIS) 20 Critical Security Controls Initiative. Describe CSIS 20 critical security controls initiative and how it can be useful.
Understanding the scope of the security needs to be
addressed, as well as the business requirements to be supported and
the resources available to accomplish the tasks at hand, is part of
the formula for success that you must learn to master.
The Center for Strategic & International Studies (CSIS) 20 Critical
Security Controls initiative provides a unified list of 20 critical controls
that have been identified through a consensus of federal and private
industry security professionals as the most critical security issues seen
in the industry. The CSIS team includes officials from the NSA, US-CERT,
DoD JTF-GNO, the Department of Energy Nuclear Laboratories,
Department of State, DoD Cyber Crime Center, and the commercial
sector. The CSIS controls do not introduce any new security
requirements, but they organize the requirements into a simplified list
to aid in determining compliance and ensure that the most important
areas of concern are addressed.
In 2013, the stewardship and sustainment of the Controls was transferred
to the Council on CyberSecurity (the Council), an independent, global,
non-profit entity committed to a secure and open internet. The CSIS
initiative is designed to help the federal government prioritize resources
and consolidate efforts to reduce costs and ensure that the critical
security issues are addressed. The five “critical tenets” of the CSIS
initiative, as listed on the SANS website, are as follows:
• Offense Informs Defense: Use knowledge of actual attacks that
have compromised systems to provide the foundation to build
effective, practical defenses. Include only those controls that can
be shown to stop known real-world attacks.
• Prioritization: Invest first in controls that will provide the greatest
risk reduction and protection against the most dangerous threat
actors and that can be feasibly implemented in your computing
environment.
• Metrics: Establish common metrics to provide a shared language
for executives, IT specialists, auditors, and security officials
to measure the effectiveness of security measures within an
organization so that required adjustments can be identified and
implemented quickly.
• Continuous Monitoring: Carry out continuous monitoring to test
and validate the effectiveness of current security measures.
• Automation: Automate defenses so that organizations can
achieve reliable, scalable, and continuous measurements of their
adherence to the controls and related metrics.


Current List of Critical Security Controls – Version 5.1
PPT: Current List of Critical Security Controls – Version 5.1. Describe the Council on CyberSecurity Critical Security Controls.
The current list of Critical Security Controls, Version 5.1, is as follows:
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software on Mobile
Devices, Laptops, Workstations, and Servers
• Continuous Vulnerability Assessment and Remediation
• Malware Defenses
• Application Software Security
• Wireless Access Control
• Data Recovery Capability
• Security Skills Assessment and Appropriate Training to Fill Gaps
• Secure Configurations for Network Devices such as Firewalls,
Routers, and Switches
• Limitation and Control of Network Ports, Protocols, and
Services
• Controlled Use of Administrative Privileges
• Boundary Defense
• Maintenance, Monitoring, and Analysis of Audit Logs
• Controlled Access Based on the Need to Know
• Account Monitoring and Control
• Data Protection
• Incident Response and Management
• Secure Network Engineering
• Penetration Tests and Red Team Exercises

NIST Security Content Automation Protocol (SCAP)
PPT: NIST Security Content Automation Protocol (SCAP). Describe SCAP.
Paired with the Critical Security Controls, NIST has also created the
Security Content Automation Protocol (SCAP). SCAP is a suite of
specifications that standardize the format and nomenclature by
which software flaw and security configuration information is
communicated, both to machines and humans.
SCAP is a multi-purpose framework of specifications that supports
automated configuration, vulnerability and patch checking, technical
control compliance activities, and security measurement. Goals for
the development of SCAP include standardizing system security
management, promoting interoperability of security products, and
fostering the use of standard expressions of security content.

SCAP Version 1.2 Categories
PPT: SCAP Version 1.2 Categories. Describe SCAP Ver 1 categories.
SCAP version 1.2 comprises 11 component specifications in
five categories:
1. Languages: The SCAP languages provide standard vocabularies
and conventions for expressing security policy, technical check
mechanisms, and assessment results. The SCAP language
specifications are Extensible Configuration Checklist Description
Format (XCCDF), Open Vulnerability and Assessment Language
(OVAL®), and Open Checklist Interactive Language (OCIL™).
2. Reporting Formats: The SCAP reporting formats provide
the necessary constructs to express collected information in
standardized formats. The SCAP reporting format specifications
are Asset Reporting Format (ARF) and Asset Identification.
Although Asset Identification is not explicitly a reporting format,
SCAP uses it as a key component in identifying the assets that
reports relate to.
3. Enumerations: Each SCAP enumeration defines a standard
nomenclature (naming format) and an official dictionary or list of
items expressed using that nomenclature. The SCAP enumeration
specifications are Common Platform Enumeration (CPE™),
Common Configuration Enumeration (CCE™), and Common
Vulnerabilities and Exposures (CVE®).
4. Measurement and Scoring Systems: In SCAP, this refers to
evaluating specific characteristics of a security weakness (for
example, software vulnerabilities and security configuration issues)
and, based on those characteristics, generating a score that
reflects their relative severity. The SCAP measurement and scoring
system specifications are Common Vulnerability Scoring System
(CVSS) and Common Configuration Scoring System (CCSS).
5. Integrity: An SCAP integrity specification helps to preserve
the integrity of SCAP content and results. Trust Model for
Security Automation Data (TMSAD) is the SCAP integrity
specification.
SCAP utilizes software flaw and security configuration standard reference
data. This reference data is provided by the National Vulnerability
Database (NVD), which is managed by NIST and sponsored by the
Department of Homeland Security (DHS). The U.S. federal government,
in cooperation with academia and private industry, is adopting SCAP
and encourages its use in support of security automation activities and
initiatives. SCAP has achieved widespread adoption by major software
manufacturers and has become a significant component of large
information security management and governance programs. The

protocol is expected to evolve and expand in support of the
growing needs to define and measure effective security controls,
assess and monitor ongoing aspects of that information security,
and successfully manage systems in accordance with risk
management frameworks such as NIST Special Publication 800-534,
Department of Defense (DoD) Instruction 8500.2, and the Payment
Card Industry (PCI) framework.

Framework for Improving Critical Infrastructure Cybersecurity
PPT: Framework for Improving Critical Infrastructure Cybersecurity. Describe the Framework for Improving Critical Infrastructure Security.
Recognizing that the national and economic security of the United
States depends on the reliable functioning of critical infrastructure,
President Obama issued Executive Order 13636, Improving Critical
Infrastructure Cybersecurity, in February 2013. It directed NIST to
work with stakeholders to develop a voluntary framework—based
on existing standards, guidelines, and practices—for reducing
cyber risks to critical infrastructure.
NIST released the first version of the Framework for Improving
Critical Infrastructure Cybersecurity on February 12, 2014. The
Framework, created through collaboration between industry and
government, consists of standards, guidelines, and practices to
promote the protection of critical infrastructure. The prioritized,
flexible, repeatable, and cost-effective approach of the Framework
helps owners and operators of critical infrastructure to manage
cybersecurity-related risk.
Building from standards, guidelines, and practices, the Framework
provides a common taxonomy and mechanism for organizations to
do the following:
• Describe their current cybersecurity posture.
• Describe their target state for cybersecurity.
• Identify and prioritize opportunities for improvement within
the context of a continuous and repeatable process.
• Assess progress toward the target state.
• Communicate among internal and external stakeholders
about cybersecurity risk.
The Framework is a risk-based approach to managing cybersecurity
risk and is composed of three parts: the Framework Core, the
Framework Implementation Tiers, and the Framework Profiles.


Framework Components
PPT: Framework Components (2 slides). Describe Framework components.
Each framework component reinforces the connection between
business drivers and cybersecurity activities.
1. The Framework Core is a set of cybersecurity activities, desired
outcomes, and applicable references that are common across
critical infrastructure sectors. The Core presents industry standards,
guidelines, and practices in a manner that allows for communication
of cybersecurity activities and outcomes across the organization
from the executive level to the implementation/operations level. The
Framework Core consists of five concurrent and continuous functions:
identify, protect, detect, respond, and recover. When considered
together, these functions provide a high-level, strategic view of the
lifecycle of an organization’s management of cybersecurity risk.
The Framework Core then identifies underlying key categories and
subcategories for each function and matches them with example
informative references such as existing standards, guidelines, and
practices for each subcategory.
2. Framework Implementation Tiers (“Tiers”) provide context on
how an organization views cybersecurity risk and the processes
in place to manage that risk. Tiers describe the degree to which
an organization’s cybersecurity risk management practices
exhibit the characteristics defined in the Framework (e.g., risk and
threat aware, repeatable, and adaptive). The Tiers characterize
an organization’s practices over a range, from Partial (Tier 1)
to Adaptive (Tier 4). These Tiers reflect a progression from
informal, reactive responses to approaches that are agile and
risk-informed. During the Tier selection process, an organization
should consider its current risk management practices, threat
environment, legal and regulatory requirements, business/
mission objectives, and organizational constraints.
3. A Framework Profile (“Profile”) represents the outcomes based
on business needs that an organization has selected from the
Framework categories and subcategories. The Profile can be
characterized as the alignment of standards, guidelines, and
practices to the Framework Core in a particular implementation
scenario. Profiles can be used to identify opportunities for improving
cybersecurity posture by comparing a “Current” Profile (the “as
is” state) with a “Target” Profile (the “to be” state). To develop
a Profile, an organization can review all of the categories and
subcategories and, based on business drivers and a risk assessment,
determine which are most important; they can add categories
and subcategories as needed to address the organization’s risks.
The Current Profile can then be used to support prioritization and
measurement of progress toward the Target Profile, while factoring
in other business needs, including cost-effectiveness and
innovation. Profiles can be used to conduct self-assessments
and communicate within an organization or between
organizations.

Homeland Security’s Critical Infrastructure Cyber Community C³ Voluntary Program
The United States Department of Homeland Security’s Critical
Infrastructure Cyber Community C³ Voluntary Program helps align
critical infrastructure owners and operators with existing resources
that will assist their efforts to adopt the Cybersecurity Framework
and manage their cyber risks.

Data States
PPT: Data States. Explain the different data states and differences between each.
It is generally agreed that data and information can be in three
basic states: data at rest, data in motion (transit), and data in use.
Understanding these three states and how information and data can
be represented in each of the states allows an organization to
apply the security measures that are appropriate for its protection.
1. Data at Rest: data stored on media in any type of form. It
is at rest because it is not being transmitted or processed in
any way.
2. Data in Motion: data that is currently traveling, typically
across a network. It is in motion because it is moving.
3. Data in Use: data that is being processed by applications
or processes. It is in use because it is data that is currently
in the process of being generated, updated, appended, or
erased. It might also be in the process of being viewed by
users accessing it through various endpoints or applications.

Data at Rest
PPT: Data at Rest. Define data at rest.
The protection of stored data is often a key requirement for a
company’s sensitive information. Databases, backup information,
off-site storage, password files, and many other types of sensitive
information need to be protected from disclosure, undetected
alteration, and loss of availability. Much of this can be done through the
use of cryptographic algorithms that limit access to the data to
those that hold the proper encryption (and decryption) keys. Some
modern cryptographic tools also permit the condensing, or
compressing, of messages, saving both transmission and storage
space, making them very efficient.

Data at Rest – Description of Risk
PPT: Data at Rest – Description of Risk. Explain data at rest risks.
Malicious users may gain unauthorized physical or logical access to a
device, transfer information from the device to an attacker’s system, and
perform other actions that jeopardize the confidentiality of the
information on a device.

Data at Rest – Recommendations
PPT: Data at Rest – Recommendations (3 slides). Explain data at rest protection methods.
Removable media and mobile devices must be properly encrypted,
following the guidelines below when used to store valuable data.
Mobile devices include laptops, tablets, wearable tech, and
smartphones. Proper access controls and redundancy controls also
need to be applied to protect data at rest.

Data in Transit
PPT: Data in Transit. Define data in transit.
Data that moves, usually across networks, is said to be data in motion,
or in transit. One of the primary needs of organizations today is to move
data and information across various types of media, while preventing
the contents of the message from being revealed even if the
message itself is intercepted in transit.
Whether the message is sent manually, over a voice network, via the
internet, or over any other network, including wireless networks, modern
cryptography can provide secure and confidential methods to transmit
data and allows the verification of the integrity of the message so that
any changes to the message itself can be detected. Recent advances in
quantum cryptography have shown that the “viewing” of a message can
be detected while in transit.

Link Encryption
PPT: Link Encryption. Describe link encryption.
Data are encrypted on a network using either link or end-to-end
encryption. In general, link encryption is performed by service providers,
such as a data communications provider on a Frame Relay network. Link
encryption encrypts all of the data along a communications path (e.g., a
satellite link, telephone circuit, or T-1 line).
Because link encryption also encrypts routing data, communications
nodes need to decrypt the data to continue routing. The data packet is
decrypted and re-encrypted at each point in the communications
channel. It is theoretically possible that an attacker compromising a
node in the network may see the message in the clear. Because link
encryption also encrypts the routing information, it provides traffic
confidentiality better than end-to-end encryption. Traffic confidentiality
hides the addressing information from an observer, preventing an
inference attack based on the existence of traffic between two parties.


End-to-End Encryption
PPT: End-to-End Encryption. Describe end-to-end encryption.
End-to-end encryption is generally performed by the end user
within an organization. The data are encrypted at the start of the
communications channel or before and remain encrypted until
decrypted at the remote end. Although data remain encrypted
when passed through a network, routing information remains
visible. An example of end-to-end encryption would be a virtual
private network (VPN) connection.

Comparison of End-to-End and Link Encryption
PPT: Comparison of End-to-End and Link Encryption. Compare end-to-end and link encryption.
[Figure: a path of PSN nodes, with an End to End Encryption Device at the endpoints and a Link Encryption Device on the links between nodes.]
Figure 2.3: Comparison of End-to-End and Link Encryption.
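As an added illustration of Figure 2.3 (not code from the guide), the following Python simulation sends one message across two intermediate nodes under each scheme and reports what a passive tap on each wire segment and a compromised intermediate node would be able to read. The node names, keys and message are constructed, and the keystream cipher is a stand-in for a real authenticated cipher.

```python
"""Link vs. end-to-end encryption over a simulated multi-hop path.

Added example, not code from the guide. The cipher is a stand-in keystream
(HMAC-SHA256 in counter mode) so the script runs on the standard library
alone; a real deployment would use an authenticated cipher such as AES-GCM.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream of the requested length (illustrative cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Prefix a fresh nonce and XOR the plaintext with the keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def header(src: str, dst: str) -> bytes:
    """Routing information: who is talking to whom."""
    return f"{src}->{dst}|".encode()


def send_link_encrypted(path, link_keys, message):
    """Link encryption: the whole frame, header included, is encrypted on
    each link; every node decrypts it to read the routing data and
    re-encrypts it under the next link's key."""
    frame = header(path[0], path[-1]) + message
    wire, nodes = [], {}
    for hop_from, hop_to in zip(path, path[1:]):
        on_wire = encrypt(link_keys[(hop_from, hop_to)], frame)
        wire.append(on_wire)
        frame = decrypt(link_keys[(hop_from, hop_to)], on_wire)
        nodes[hop_to] = frame  # the node now holds header and payload in the clear
    return wire, nodes


def send_end_to_end(path, e2e_key, message):
    """End-to-end encryption: only the payload is encrypted, once, by the
    sender; the frame is forwarded unchanged and the header stays readable."""
    frame = header(path[0], path[-1]) + encrypt(e2e_key, message)
    wire, nodes = [], {}
    for _, hop_to in zip(path, path[1:]):
        wire.append(frame)
        nodes[hop_to] = frame
    return wire, nodes


def _summarise(wire, nodes, hdr, message, intermediates, recipient_reads):
    return {
        "wire_shows_addressing": any(hdr in seg for seg in wire),
        "wire_shows_payload": any(message in seg for seg in wire),
        "node_shows_payload": any(message in nodes[n] for n in intermediates),
        "recipient_reads_message": recipient_reads,
    }


def exposure(path, message: bytes) -> dict:
    """Compare what each scheme exposes; keys are generated fresh per run."""
    link_keys = {hop: secrets.token_bytes(32) for hop in zip(path, path[1:])}
    e2e_key = secrets.token_bytes(32)
    hdr = header(path[0], path[-1])
    intermediates = path[1:-1]
    l_wire, l_nodes = send_link_encrypted(path, link_keys, message)
    e_wire, e_nodes = send_end_to_end(path, e2e_key, message)
    return {
        "link": _summarise(l_wire, l_nodes, hdr, message, intermediates,
                           l_nodes[path[-1]] == hdr + message),
        "end_to_end": _summarise(e_wire, e_nodes, hdr, message, intermediates,
                                 decrypt(e2e_key, e_nodes[path[-1]][len(hdr):]) == message),
    }


if __name__ == "__main__":
    # Constructed path and message for illustration.
    report = exposure(["alice", "psn1", "psn2", "bob"], b"draft quarterly forecast")
    for scheme, facts in report.items():
        print(scheme, facts)
```

The output shows the trade-off the text describes: link encryption hides addressing from a wire observer but leaves the clear frame on every intermediate node, while end-to-end encryption keeps the payload from the nodes at the cost of visible routing information.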

Data in Transit – Description of Risk
PPT: Data in Transit – Description of Risk. Explain data in transit risks.
The risks associated with data in motion are the same as those
associated with data at rest. These include unauthorized disclosure,
modification, and unavailability. Malicious actors may intercept or
monitor plaintext data transmitted across a network and gain
unauthorized access that jeopardizes the confidentiality, integrity,
and availability of the data.

Module 6: Data Security Controls 161


Official (ISC)2 CISSP Training Guide

Data in Transit – Recommendations

PPT slide: Data in Transit – Recommendations (4 slides). Explain data in transit protection methods.
PPT slide: Data in Use. Describe data in use.

• Valuable data must be encrypted when transmitted across any network to protect against eavesdropping on network traffic by unauthorized users.
• Where the source and target endpoint devices are within the same protected subnet, valuable data transmission must still be encrypted as recommended below, because a breach of valuable data has a high negative impact and an attacker who has gained a foothold on the subnet can capture the traffic. The types of transmission include client-to-server and server-to-server communication, as well as any data transfer between core systems and third-party systems.
• Email is not considered secure and must not be used to transmit sensitive data unless additional email encryption tools are used.

When securing data in transit, consider the following recommendations when designing secure transmission of data:
  ◦ Where a sensitive system is reachable through a web interface, web traffic must be protected with Transport Layer Security (TLS) 1.2 or 1.3. All versions of SSL, and TLS 1.0 and 1.1, are broken or formally deprecated (RFC 8996) and must be disabled on both servers and clients; older guidance that accepted SSLv3 or TLS 1.1 no longer applies. Certificate validation must be left enabled, otherwise the encryption protects the session only against passive eavesdropping and not against an active man-in-the-middle.
  ◦ Sensitive data transmitted over email must be secured using cryptographically strong email encryption tools such as PGP or S/MIME.
  ◦ Alternatively, prior to sending the email, the user should encrypt the sensitive data using compliant file encryption tools and attach the encrypted file to the email for transmission.
• Non-web valuable data traffic should be encrypted via application-level encryption.
• Where an application database resides outside of the application server, all connections between the database and the application should also be encrypted using FIPS-compliant cryptographic algorithms.
• Where application-level encryption is not available for non-web sensitive data traffic, implement network-level encryption such as IPsec or SSH tunneling.
• Encryption should be applied when transmitting valuable data between devices even in protected subnets with strong firewall controls; a firewall decides which hosts may talk to each other, not who can read the traffic between them.
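The TLS bullet above is the one most often got wrong in practice, so here is a worked example added by the editor; it is not code from the (ISC)² guide. The Go program places the kind of configuration the older advice tolerated next to a hardened one and audits both with a small checker. The function names (legacyTLSConfig, hardenedTLSConfig, AuditTLSConfig) and the finding texts are the editor's own; the version constants, suite IDs, tls.CipherSuiteName and tls.InsecureCipherSuites come from Go's standard library.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// legacyTLSConfig reproduces the kind of setting the older guidance tolerated:
// TLS 1.1 accepted as the floor, certificate validation switched off, and
// static-RSA key exchange suites (no forward secrecy, one of them 3DES).
func legacyTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS11,
		InsecureSkipVerify: true, // the peer certificate is never checked
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		},
	}
}

// hardenedTLSConfig is the corrected setting: TLS 1.2 as the floor (TLS 1.3 is
// negotiated when both sides support it; its suites are fixed by Go and are
// all AEAD), and for TLS 1.2 only ECDHE (forward-secret) AEAD suites.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// AuditTLSConfig returns one finding per problem a reviewer would raise.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion not pinned: relies on the library default, which has changed between releases")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, "MinVersion below TLS 1.2: SSLv3, TLS 1.0 and TLS 1.1 are deprecated by RFC 8996")
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify set: an active attacker can impersonate the peer")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			findings = append(findings, name+": listed as insecure by the TLS library (RC4, 3DES or CBC-SHA256)")
		case !strings.Contains(name, "ECDHE"):
			findings = append(findings, name+": static RSA key exchange, no forward secrecy")
		}
	}
	return findings
}

func main() {
	for _, c := range []struct {
		name string
		cfg  *tls.Config
	}{{"legacy", legacyTLSConfig()}, {"hardened", hardenedTLSConfig()}} {
		findings := AuditTLSConfig(c.cfg)
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The audit deliberately treats a MinVersion of zero as a finding: it means "whatever this Go release defaults to", and that default has moved over the years, so a compliance claim should rest on an explicit value. The same check applies, with different field names, to any TLS stack (OpenSSL's MinProtocol, Java's jdk.tls.disabledAlgorithms, a load balancer's policy).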

Data in Use
Data in use, that is, data that is actively being processed, is the hardest of the three states to protect. Nearly every architecture must process data in cleartext in memory and in CPU registers, so the encryption and access controls that protect data at rest and data in transit do not help while the data is being computed on. Anything that can read the memory of the process (a privileged user, malware on the host, the hypervisor or cloud operator, or a memory-disclosure bug in the application itself) can read the data.

PPT slide: Data in Use (continued). Describe data in use.
PPT slide: Data in Use – Recommendations. Explain data in use protection methods.
PPT slide: Activity: Data at Rest/Data in Transit Comparison. Introduce activity and ask students to fill in table.

Data in Use – Recommendations
The industry's answer to protecting data in use is the secure enclave (also called a trusted execution environment): a hardware-isolated region in which the processing takes place. The data is still processed in cleartext inside the enclave, but the enclave is sectioned off from the rest of the architecture so that its memory and execution state cannot be read or altered by the operating system, the hypervisor, or other processes, even when those components have been compromised by vulnerabilities or malware. The ordinary meaning of the word helps to visualize the idea: an enclave is a territory that is isolated and distinct from the territory around it. As security professionals should always understand, however, nothing is perfectly secure. Enclaves have been undermined by implementation flaws and by side channels (shared caches, speculative execution, timing and power behaviour) that leak information out of the isolated region, and the code running inside the enclave can still have ordinary bugs of its own.

Activity: Data at Rest/Data in Transit Comparison

INSTRUCTIONS
Working with a partner, complete Table 2.1.

Data at Rest Data in Transit

Definition

Risk Profile

Recommendations
(list at least two)

Table 2.1: Activity: Data at Rest/Data in Transit Comparison


PPT slide: Examples of Insecure Network Protocols and Their Secure Alternatives. Describe some of the network protocols and their insecurities and secure alternatives.

Examples of Insecure Network Protocols and Their Secure Alternatives

Action            Instead of this …    Use these …
Web Access        HTTP                 HTTPS
File Transfer     FTP, RCP             FTPS, SFTP, SCP
Remote Shell      telnet               SSH (protocol version 2)
Remote Desktop    VNC                  radmin, RDP

Table 2.2: Examples of Insecure Network Protocols and Their Secure Alternatives

Every protocol in the middle column sends credentials and session content in cleartext. The alternatives only help when their encryption is actually switched on: SSH protocol version 1 is obsolete and must be disabled in favour of version 2, RDP should be run with TLS and Network Level Authentication, and VNC can also be made acceptable by tunneling it through SSH or a VPN rather than exposing it directly.
PPT slide: Picking Encryption Algorithms. Describe factors in picking the correct encryption algorithms.
PPT slide: Wireless Connections. Explain how cryptography is required to secure wireless connections.

Picking Encryption Algorithms
When selecting algorithms to encrypt valuable data, keep these considerations in mind:
• Choose an algorithm that is current, publicly reviewed, and unbroken, and then prefer the longer key lengths it supports: within one algorithm family a longer key generally provides stronger protection against brute force. Key length does not rescue a weak algorithm, and the mode of operation matters as much as the key; an authenticated mode such as GCM protects integrity as well as confidentiality.
• Since passwords are often used to control the keys within the cryptosystem, long, complex passphrases are stronger than short ones. Derive the key from the passphrase with a purpose-built, salted key derivation function (PBKDF2, scrypt, or Argon2), not with a single hash, so that every guess costs the attacker real work.

Wireless Connections
When connecting to wireless networks to access a system handling sensitive data, only connect to wireless networks employing cryptographically strong wireless encryption standards such as WPA2 or WPA3; WEP and the original WPA (TKIP) are broken and provide no real protection. The encryption mechanisms described in the sections above must also be applied in addition to strong wireless network encryption, because wireless encryption ends at the access point and does not provide end-to-end protection.


Module 7: Information and Asset Handling Requirements

PPT slide: Information and Asset Handling Requirements. Introduce the participants to the “Information and Asset Handling Requirements” module.

Module Objectives
1. Understand how media requires controls to protect its content.
2. Understand labeling and marking requirements of assets that have been classified.
3. Understand how the handling of media and assets that have been classified should be allowed only to those that are authorized.
4. Understand how storing, retention, and destruction of assets is dictated by classification.

PPT slide: Module Objectives. Introduce the module objectives.


Introduction

PPT slide: Media. Explain how different media requires different protection, but always based on value.
PPT slide: Marking. Explain the challenges in marking different media types.
PPT slide: Handling. Describe how handling procedures need to be in place for classified media and their content.

Media
Media storing sensitive information requires physical and logical controls. Unencrypted media carries no access control or audit trail of its own: whoever holds it can read it, and nothing records that they did. For this reason, extensive care must be taken when handling sensitive media. Logical and physical controls, such as marking, handling, storing, and declassification, provide methods for the secure handling of media containing sensitive information.

Marking
Organizations should have policies in place regarding the marking and labeling of media based on its classification. For example:
• Storage media should have a physical label identifying the sensitivity of the information contained.
• The label should clearly indicate if the media is encrypted.
• The label may also contain information regarding a point of contact and a retention period.
• When media is found or discovered without a label, it should be immediately labeled at the highest level of sensitivity until the appropriate analysis reveals otherwise.

The need for media marking is typically strongest in organizations where sensitive intellectual property and confidential data must be stored and shared among multiple people. If the security architect can design centrally managed and controlled enterprise content management (ECM) systems paired with data loss (leakage) prevention (DLP) technology, the threat that media marking is designed to address may be handled in an entirely different way, because the content itself is tracked rather than the container it happens to sit in.

Handling
Only designated personnel should have access to sensitive media.
Policies and procedures describing the proper handling of sensitive
media should be promulgated. Individuals responsible for managing
sensitive media should be trained on the policies and procedures
regarding the proper handling and marking of sensitive media. Never
assume that all members of the organization are fully aware of or
understand security policies. It is also important that logs and other
records be used to track the activities of individuals handling backup
media. Manual processes, such as access logs, are necessary to
compensate for the lack of automated controls regarding access to
sensitive media.


PPT slide: Storing. Describe how storing procedures need to be in place for classified media and its content.

Storing
Sensitive media should not be left lying about where a passerby could access it. Whenever possible, backup media should be encrypted and stored in a security container, such as a safe or strong box with limited access. Storing encrypted backup media at an off-site location should be considered for disaster recovery purposes. Sensitive backup media stored at the same site as the system should be kept in a fire-resistant box whenever possible. In every case, the number of individuals with access to media should be strictly limited, and the separation of duties and job rotation concepts should be implemented where it is cost-effective to do so.

PPT slide: Destruction. Explain how destruction procedures need to be in place for classified media and its content.

Destruction
Media that is no longer needed or is defective should be destroyed rather than simply disposed of. A record of the destruction should be kept that corresponds to any logs used for handling media. Implement object reuse controls for any media in question when the sensitivity is unknown rather than simply recycling it.

PPT slide: Record Retention. Explain how retention procedures and requirements need to be in place for classified media and its content.

Record Retention
Information and data should be kept only as long as it is required. Organizations may have to keep certain records for a period specified by industry standards or in accordance with laws and regulations. Hard- and soft-copy records should not be kept beyond their required or useful life. Security practitioners should ensure that accurate records are maintained by the organization regarding the location and types of records stored. A periodic review of retained records is necessary to reduce the volume of information stored and ensure that only relevant information is preserved.

Record retention policies are used to indicate how long an organization must maintain information and assets. Ensure the following:
• The organization understands the retention requirements for different types of data throughout the organization.
• The organization documents in a records schedule the retention requirements for each type of information.
• The systems, processes, and individuals of the organization retain information in accordance with the schedule but not longer.


PPT slide: Record Retention (continued). Explain how retention procedures and requirements need to be in place for classified media and its content.

A common mistake in records retention is finding the longest retention period and applying it without analysis to all types of information in an organization. This not only wastes storage but also adds considerable “noise” when searching or processing information in search of relevant records, and it keeps data that could have been destroyed available to be breached or to be demanded in legal discovery. Records and information no longer mandated to be retained should be destroyed in accordance with the policies of the enterprise and any appropriate legal requirements that may need to be taken into account.


Module 8: Data Remanence

PPT slide: Data Remanence. Introduce the participants to the “Data Remanence” module.

Module Objectives
1. Understand data remanence and its impact to the value of assets.
2. Explain the various options in addressing data remanence, including clearing, purging, and destruction.
3. Explain methods used to clear, purge, and destroy data.

PPT slide: Module Objectives. Introduce the module objectives.


Data Remanence

PPT slide: Data Remanence (2 slides). Define data remanence and its importance.
PPT slide: Clearing. Define clearing.
PPT slide: Purging. Define purging and compare it to clearing.

Data remanence is the residual data that remains on a storage object after the data has been deleted or erased. The problem is that physical traces of the data may remain on the media even after an attempt to erase it securely: a file-system delete only removes the directory entry and marks the blocks free, and even a logical overwrite may not reach every place the bits were stored. Depending on the value of the data, it may be very important to erase it in such a way that no residual characteristics remain that would allow anyone to recover the information.

On a traditional hard disk drive (HDD), the zeroes and ones are recorded as magnetic domains on the platter surface. Because the magnetic field of each domain can be altered, the same area can be re-recorded with new data, which overwrites, and thereby erases, whatever was represented there previously.

Solid-state drive (SSD) technology is newer and does not use magnetic fields to represent information; it stores data in flash memory. Flash memory holds each bit as electrical charge trapped in a memory cell (a transistor with a floating gate or charge trap). Flash is written a page at a time but can only be erased a whole block at a time, in one operation, which is the “flash” the name refers to. Flash memory is non-volatile (it retains its contents without power) and has no moving parts, so stored data is accessible without waiting for a platter to spin or a head to seek.

Data remaining on media that use magnetic technologies, such as HDDs, becomes an issue if the value of the data that was stored on that media is high. Since there may be methods to recover the original data, the information must be sanitized effectively using secure methods. Secure methods to address data remanence (data remaining on the media after erasure) can be summarized as three options: clearing, purging, and destruction.

Clearing
Clearing is the removal of sensitive data from storage devices using methods that provide assurance that the data cannot be reconstructed using ordinary data recovery techniques; overwriting through the device's normal read/write interface, or a factory reset, is typical. Cleared data is protected against simple, non-invasive recovery (undelete tools, file carving) but may still be recoverable with laboratory techniques and specialist skills. In NIST SP 800-88 terminology, Clear is the weakest of the three sanitization levels.

Purging
Purging is the removal of sensitive data from media by physical or logical techniques with the intent that the data cannot be reconstructed by any known technique, including state-of-the-art laboratory recovery; degaussing of magnetic media and a drive's own cryptographic-erase or sanitize commands are examples. Purging is sometimes loosely called sanitizing, but NIST SP 800-88 uses “sanitization” as the umbrella term for all three options (clear, purge, and destroy), so be precise about which level is meant.


PPT slide: Destruction. Define destruction and point out difference between media and data destruction.
PPT slide: Data Destruction Methods. Define destruction and different destruction methods.

Destruction
This is exactly as it sounds: the media is made unusable by some destruction method, such as shredding or melting the media into liquid at very high temperature. The effectiveness of destroying the media varies, however. Simply drilling a hole through a hard drive leaves most of the platter surface, and therefore most of the data, recoverable, whereas melting the drive into liquid would not. The destruction method should be driven by the value of the sensitive data residing on the media.

To summarize, destruction using appropriate techniques is the most secure method of preventing retrieval, because it destroys the media and also the data that is on it. The destruction method must be a thorough one, however, to prevent the recovery of the data. When we ensure that the data cannot be reconstructed, we refer to that as defensible destruction of the data; in other words, we ensure that the data is not recoverable.

Data Destruction Methods

PPT slide: Data Destruction Methods (continued). Define destruction and different destruction methods.

As we have discussed, the three options available to address data remanence are clearing, purging, and destruction. Destruction is thought of as the best option, as long as the destruction method is a good one. The following methods fit into the three categories described above:
• Overwriting: One common method used to address data remanence is to overwrite the storage media with new data, a pattern of zeroes, ones, or random bytes; this is sometimes called wiping. The simplest overwrite technique is to write zeroes over the existing data. Multi-pass overwrites (the 3-, 7- and 35-pass schemes) date from older, lower-density drives; NIST SP 800-88 Rev. 1 considers a single verified pass sufficient to clear a modern magnetic disk. Overwriting through the host interface only reaches the sectors the drive chooses to expose, not reallocated (remapped) sectors or a host-protected area, so for a purge use the drive's own ATA Secure Erase or NVMe sanitize command, and in every case verify by reading the media back afterwards.
• Degaussing: During the mainframe days, a technology called degaussing was created. A degausser erases the information on magnetic media by applying a strong, varying magnetic field that saturates the media and randomizes the magnetic domains holding the data. Since it acts on the magnetic field itself, it is useful for any media that represents data magnetically, including mainframe tapes and HDDs. While many types of older magnetic storage media, such as tapes, can be safely degaussed and reused, degaussing usually renders a modern HDD completely unusable, because it also erases the servo tracks the drive needs to position its heads, which may be ultimately desirable to address remanence properly. Degaussing has no effect on flash memory (SSDs, USB sticks, memory cards), which stores data as electrical charge rather than magnetism.
• Encryption: Encrypting data before it is stored on the media can address data remanence very effectively, but only if the encryption key used to encrypt the information is itself destroyed securely, and every copy of it: backups, escrow, key management systems, and the memory of the systems that used it. This makes it very difficult, if not impossible, for an untrusted party to recover any data from the media. The industry refers to this process as crypto-erase or, in some cases, crypto-shredding. This method of addressing data remanence is especially useful in cloud environments, where the tenant never has physical access to the media and cannot overwrite or destroy it.
PPT slide: Media Destruction – Defensible Destruction. Define defensible destruction and its importance.
PPT slide: Solid-State Drives (SSDs). Define Solid State Drives and the challenges related to data destruction.

Media Destruction – Defensible Destruction

As we have discussed, destruction of the media and the data on it is the most desirable way to address data remanence, but it is only effective if the method used for destruction is adequate. Defensible destruction implies that the method used will not allow the reconstruction and recovery of the data contained on the media device through any known means. The following are examples of effective defensible destruction methods:
• Physically breaking the media apart, such as hard drive shredding, disintegration, or pulverizing, to a particle size small enough that no platter fragment or flash chip fragment still holds usable data.
• Chemically altering the media into a non-readable state, for example with corrosive chemicals.
• Phase transition, which means using temperature and pressure to change the state of the material into something else, such as melting or incinerating it.
• For media using magnetic technology, raising its temperature above the Curie temperature, the point above which the material loses its permanent magnetism and with it the recorded data.

Solid-State Drives (SSDs)

Solid-state drives (SSDs) use flash memory for data storage and retrieval. Flash memory differs from magnetic media in one key way: a flash page cannot be overwritten in place. When existing data on an HDD is changed, the drive writes the new data over the old data in the same physical location, which is what makes overwriting an effective way of erasing data on an HDD. On an SSD, a page must be erased (and erasure happens only a whole block at a time) before it can be written again, so when existing data is changed the drive writes the updated data to a different, already-erased location instead of overwriting the original. The flash translation layer (FTL) then updates its map so that the host finds the new data at the same logical address rather than the old data, and the old page is merely marked stale until the controller's garbage collection eventually erases its block. Because of this, an SSD can contain multiple iterations of the same data, even though those iterations are not accessible by conventional means. This is what causes data remanence on SSDs.

PPT slide: Solid-State Drive (SSD) Data Destruction. Explain SSD data destruction methods.
PPT slide: Cloud-Based Data Remanence. Define data remanence in the cloud and the challenges and methods associated with defensible data destruction.

Solid-State Drive (SSD) Data Destruction
SSDs have a unique set of challenges that require a specialized set of data destruction techniques. Unlike HDDs, overwriting through the host interface is not effective for SSDs. Because the flash translation layer controls which physical pages the host can reach, stale copies of the data stay on pages the host cannot address, effectively hidden from data destruction software, and the drive's over-provisioned spare area is never exposed to the host at all. Instead, SSD manufacturers provide built-in sanitization commands (ATA Secure Erase and Sanitize, NVMe Format and Sanitize) that instruct the controller itself to erase every block, including stale and spare pages, so the flash translation layer does not interfere with the erasure. However, if the manufacturer implemented these commands incorrectly, the erasure will not be effective, which is why the result should be verified by reading the raw flash back where the value of the data justifies it.

Another technique, called cryptographic erasure or crypto-erase, takes advantage of the encryption built into self-encrypting drives (SEDs), which encrypt everything written to the flash under an internal media key. Erasing that key makes the stored data unreadable. This approach relies on the drive having really encrypted all of the data under that key and on the old key being genuinely unrecoverable; firmware flaws in some self-encrypting drives have left the data recoverable despite the “encryption”, and a drive that kept the key itself in an unprotected page would be no better.
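To make concrete what crypto-erase does and does not depend on (the Encryption bullet under Data Destruction Methods above, and the SSD crypto-erase discussion just above), here is a worked example added by the editor; it is not code from the (ISC)² guide or from any drive vendor. It models a per-object key store in front of AES-256-GCM from Go's standard library: Put encrypts a record under a fresh key, Shred zeroizes and drops that key, and afterwards the ciphertext is still sitting on the “media” but is useless to anyone who reads it. The KeyStore type, the function names, and the sample record are the editor's assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDestroyed is returned once an object's key has been shredded.
var ErrKeyDestroyed = errors.New("data-encryption key has been destroyed")

// KeyStore maps object IDs to their data-encryption keys. In production this
// is an HSM or a key management service; here it is an in-memory map.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext under a fresh 256-bit key, keeps the key, and returns
// nonce||ciphertext, which is what gets written to the disk or bucket. The
// object ID is bound as associated data so a blob cannot be moved between
// objects without failing authentication.
func (ks *KeyStore) Put(id string, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ks.keys[id] = key
	return aead.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// DecryptWithKey is what any holder of the stored blob can attempt; it only
// succeeds with the exact key the blob was sealed under.
func DecryptWithKey(key []byte, id string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than nonce")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

// Get decrypts through the key store; it fails once the key is gone.
func (ks *KeyStore) Get(id string, blob []byte) ([]byte, error) {
	key, ok := ks.keys[id]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	return DecryptWithKey(key, id, blob)
}

// Shred is the crypto-erase: the key bytes are zeroized in place before the
// reference is dropped, so neither the map nor a later memory dump yields the
// key. The ciphertext is untouched and now indistinguishable from random.
// Every other copy of the key (backups, escrow, replicas) must get the same
// treatment for the erase to be defensible.
func (ks *KeyStore) Shred(id string) {
	if key, ok := ks.keys[id]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(ks.keys, id)
	}
}

func main() {
	ks := NewKeyStore()
	record := []byte("patient=0001;dx=constructed sample") // constructed, not real data
	blob, err := ks.Put("record-0001", record)
	if err != nil {
		panic(err)
	}
	pt, _ := ks.Get("record-0001", blob)
	fmt.Println("before shred, round trip ok:", bytes.Equal(pt, record))
	ks.Shred("record-0001")
	_, err = ks.Get("record-0001", blob)
	fmt.Println("after shred, Get error:", err)
	_, err = DecryptWithKey(make([]byte, 32), "record-0001", blob)
	fmt.Println("after shred, attempt with a guessed key fails:", err != nil)
}
```

The design choice worth noticing is one key per object: destroying a single record's key erases that record alone, which is what makes crypto-erase usable for selective retention as well as for decommissioning a whole device. The weakness is equally visible: the erase is only as good as the key store's own zeroization and the absence of stray copies, which is exactly what the firmware flaws mentioned above violated.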
Due to the unique complexities of SSDs, the best data destruction method is, in fact, a combination of techniques: crypto-erase, the drive's sanitize command, and an overwrite, followed by verification. SSDs require these careful data destruction techniques to effectively prevent data remanence.
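The difference between the Overwriting bullet under Data Destruction Methods (overwriting works on an HDD) and the SSD discussion above (a logical overwrite leaves stale pages behind) is easiest to see in a model. The following Go program is an added example by the editor, not code from the (ISC)² guide: it simulates a magnetic disk and a flash device with a minimal flash translation layer, runs the same host-level “write zeros over the block” wipe against both, scans the raw media the way a chip-off read or platter read would, and finally issues the modelled drive sanitize command. The page size, the sample record, and all type and function names are the editor's constructions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

const pageSize = 16 // bytes per sector/page, small enough to read by eye

// Device is the host's view of a drive plus, for the forensic check, a dump of
// everything physically present on the media.
type Device interface {
	Write(lba int, data []byte) error
	Raw() []byte
}

// pad returns data in a fresh page-sized buffer, zero-filled to the end.
func pad(data []byte) []byte {
	page := make([]byte, pageSize)
	copy(page, data)
	return page
}

// HDD models magnetic media: a logical block always maps to the same physical
// sector, so a write really replaces the previous bits.
type HDD struct{ sectors [][]byte }

func NewHDD(n int) *HDD {
	d := &HDD{sectors: make([][]byte, n)}
	for i := range d.sectors {
		d.sectors[i] = make([]byte, pageSize)
	}
	return d
}

func (d *HDD) Write(lba int, data []byte) error {
	d.sectors[lba] = pad(data) // in place: the old contents of this sector are gone
	return nil
}

func (d *HDD) Raw() []byte { return bytes.Join(d.sectors, nil) }

// SSD models flash behind a flash translation layer (FTL). A page cannot be
// rewritten in place, so each logical write lands on a fresh erased page and
// the old page is only marked stale; its contents survive until erased.
type SSD struct {
	pages    [][]byte
	stale    []bool
	l2p      map[int]int // logical block address -> physical page
	nextFree int
}

func NewSSD(n int) *SSD {
	s := &SSD{pages: make([][]byte, n), stale: make([]bool, n)}
	s.Sanitize() // every page starts in the erased state (all ones)
	return s
}

func (s *SSD) Write(lba int, data []byte) error {
	if s.nextFree >= len(s.pages) {
		return errors.New("no erased pages left: controller must garbage-collect first")
	}
	if old, ok := s.l2p[lba]; ok {
		s.stale[old] = true // unreachable from the host, but not erased
	}
	s.pages[s.nextFree] = pad(data)
	s.l2p[lba] = s.nextFree
	s.nextFree++
	return nil
}

// Raw returns every physical page, stale ones included: what a chip-off read
// sees, as opposed to what the FTL shows the host.
func (s *SSD) Raw() []byte { return bytes.Join(s.pages, nil) }

func (s *SSD) StalePages() (n int) {
	for _, st := range s.stale {
		if st {
			n++
		}
	}
	return n
}

// Sanitize models the drive's built-in block-erase sanitize command: every
// page, mapped, stale or spare, returns to the erased state and the map is
// discarded. The controller does this below the FTL, so nothing stays hidden.
func (s *SSD) Sanitize() {
	for i := range s.pages {
		s.pages[i] = bytes.Repeat([]byte{0xFF}, pageSize)
		s.stale[i] = false
	}
	s.l2p = map[int]int{}
	s.nextFree = 0
}

// OverwriteLeavesSecret stores the secret at logical block 0, runs the host-
// level wipe a typical tool performs (write zeros to the same block), and
// reports whether the secret is still physically present on the media.
func OverwriteLeavesSecret(dev Device, secret []byte) bool {
	if err := dev.Write(0, secret); err != nil {
		panic(err)
	}
	if err := dev.Write(0, make([]byte, pageSize)); err != nil {
		panic(err)
	}
	return bytes.Contains(dev.Raw(), secret)
}

func main() {
	secret := []byte("SSN=123-45-6789") // constructed sample, not a real identifier
	fmt.Println("HDD: secret survives host overwrite?", OverwriteLeavesSecret(NewHDD(4), secret))
	ssd := NewSSD(4)
	fmt.Println("SSD: secret survives host overwrite?", OverwriteLeavesSecret(ssd, secret), "stale pages:", ssd.StalePages())
	ssd.Sanitize()
	fmt.Println("SSD after sanitize: secret present?", bytes.Contains(ssd.Raw(), secret))
}
```

The model is generous to the real HDD: physical drives also keep reallocated sectors and a host-protected area outside the logical address space, which is why even for magnetic media the purge-level answer is the drive's own secure-erase command rather than a host overwrite, with a raw read-back as the verification step in both cases.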
The use of cloud-based storage today also presents a data
remanence challenge for the organizations moving to the cloud.
As more and more data is being moved to the cloud, the ability
to address data security issues in general can become much more
difficult for the enterprise.

Cloud-Based Data Remanence

PPT slide: Cloud-Based Data Remanence (continued). Define data remanence in the cloud and the challenges and methods associated with defensible data destruction.

Among the many challenges facing the security practitioner in this area is the ability to authoritatively certify that data has been successfully destroyed when cloud-based storage is decommissioned. Because a third party owns and operates the system and the enterprise is effectively renting storage space, there is in many cases little to no visibility into the management and security of the data: the tenant cannot see which physical devices held its data, cannot overwrite or destroy them, and has to rely on the provider's contractual commitments and audit reports for sanitization.

While the challenge is a big one for the enterprise, Platform as a Service (PaaS) architectures can provide a solution to the data remanence issues raised by the cloud. The security practitioner and the cloud vendor have to be willing to work together to architect a PaaS solution that addresses the difficult issues of media- and application-level encryption through the platform offering. Many parts have to be properly set up and synchronized for this to work, such as messaging, data transactions, data storage and caching, and framework APIs. In addition, the platform has to be set up, with appropriate safeguards, so that no unencrypted data is ever written to physical media at any point in the data lifecycle, including data in transit. When everything that reaches the provider's media is ciphertext under keys the tenant controls, decommissioning reduces to crypto-erase: destroying the keys, which the tenant can carry out and verify for itself.

Standards
There are several standards pertaining to data lifecycle management in general and data remanence in particular from different industries and governments:
• NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, is the most recent version of the guidance provided by NIST in this area. It was released in draft in September 2012 and in final form in December 2014, replacing the original guidance published in September 2006.
• The United States Air Force Systems Security Instruction 8580, dated 17 November 2008, on Remanence Security. This replaced Air Force System Security Instruction 5020, dated 20 August 1996, on Remanence Security.
• The United States Department of Defense, Defense Security Service National Industrial Security Program Operating Manual (DSS NISPOM).
• The Communications Security Establishment Canada, Clearing and Declassifying Electronic Data Storage Devices – ITSG-06, published July 2006.
• The United States National Security Agency (NSA) Central Security Service (CSS) Media Destruction Guidance, including the NSA/CSS Evaluated Products Lists for degaussers and destruction equipment.
• The New Zealand Information Security Manual, 2010.
• The Australian Government Department of Defence Intelligence and Security, Information Security Manual 2014.


Module 9: Domain Review

PPT slide: Domain Review. Engage participants in a review of key information from this domain by discussing this scenario-based set of questions and answers. Question slides are immediately followed by the answer slide.
PPT slide: Domain Summary (4 slides). Participate in review of key elements from the domain on asset security.

Domain Summary
Asset Security is all about the protection of an organization's valuable assets as those assets go through their lifecycle. Protection will always be done based on value.

The value of the asset is expressed by its classification level, which is set by the owner. The value must be monitored as the asset goes through its lifecycle.

Classification, therefore, protects the asset based on its value. To protect the asset based on its classification, we need to implement baselines of minimum levels of security for each of the classification levels.

To properly protect valuable assets, such as information, an organization requires the careful and proper implementation of ownership and classification processes that can ensure that assets receive the level of protection based on their value to the organization.

The enormous increase in the collection of personal information by organizations has resulted in a corresponding increase in the importance of privacy considerations, and privacy protection constitutes an important part of the asset security domain. Individual privacy protection in the context of asset security includes the concepts of asset owners and custodians, processors, remanence, and limitations on collection and storage of valuable assets such as information. This also includes the important issue of retention as it relates to legal and regulatory requirements on the organization.

Appropriate security controls must be chosen to protect the asset as it goes through its lifecycle, keeping in mind the requirements of each of the lifecycle phases and the handling requirements throughout. Therefore, the security professional needs to understand and apply proper baselines, scoping and tailoring, standards selection, and proper controls. This also requires the protection of data in its different states: data at rest, data in motion, and data in use. Encryption can be an effective tool in protecting all three states.

The asset lifecycle should end with the asset and its data being destroyed securely; this is referred to as defensible destruction.


Domain Review Questions

PPT slide: Domain Review Questions. Participate in sample review questions addressing key elements of the Asset Security Domain.

1. How can an asset classification program improve the organization’s ability to achieve its goals and objectives?
A. By meeting the requirements imposed by the audit function
B. By controlling changes to production environments
C. By enhancing ownership principles
D. By specifying controls to protect valuable assets

2. What is the correct order of the asset lifecycle phases?
A. Create, use, share, store, archive, and destroy
B. Create, share, use, archive, store, and destroy
C. Create, store, use, share, archive, and destroy
D. Create, share, archive, use, store, and destroy

3. Which of the following is the BEST definition of defensible destruction?
A. The destruction of assets using defense approved methods
B. The destruction of assets using a controlled, legally defensible, and compliant way
C. The destruction of assets without the opportunity of the recovery of those assets
D. The destruction of assets using a method that may not allow attackers to recover data


PPT slide: Domain Review Questions (continued). Participate in sample review questions addressing key elements of the Asset Security Domain.

4. In an environment where asset classification has been implemented to address the requirements of privacy protection, who in the following list is considered to be the “owner” and, therefore, has the accountability to ensure that the requirements for protection and compliance are addressed properly?
A. Data processor
B. Data subject
C. Data controller
D. Data steward

5. Which of the following is NOT an Organization for Economic Cooperation and Development (OECD) principle of privacy protection?
A. Collection Limitation Principle
B. Right to be Forgotten Principle
C. Use Limitation Principle
D. Accountability Principle

6. Effective retention requirements for organizations require all of the following EXCEPT?
A. Policy
B. Awareness, education, training
C. Understanding of requirements related to compliance
D. Data steward


PPT slide: Domain Review Questions (continued). Participate in sample review questions addressing key elements of the Asset Security Domain.

7. Which of the following is NOT an objective of baseline security controls used in protecting assets?
A. Specific steps that must be executed
B. Minimum level of security controls
C. May be associated with specific architectures and systems
D. A consistent reference point

8. Which of the following is the BEST definition of “scoping”?
A. Altering baselines to apply more specifically
B. Modifying assumptions based on previous learned behavior
C. Limiting general baseline recommendations by removing those that do not apply
D. Responsible protection of assets based on goals and objectives

9. Which of the following is the BEST definition of an asset?
A. A hardware system in a data center
B. People in specific valuable environments
C. Software running in a categorized environment
D. Any item perceived as having value

10. Which of the following is NOT an example of a data state?
A. Data in motion
B. Data in use
C. Data in storage
D. Data at rest


Domain Review Answers

1. How can an asset classification program improve the organization’s ability to achieve its goals and objectives?
A. By meeting the requirements imposed by the audit function
B. By controlling changes to production environments
C. By enhancing ownership principles
D. By specifying controls to protect valuable assets
The correct answer is D. Asset classification is implemented to allow the organization to protect assets based on their value, which is expressed by the classification level. Protection of assets, including information, is always done based on value; asset classification therefore not only portrays the value of an asset but also defines its protection requirements.

2. What is the correct order of the asset lifecycle phases?
A. Create, use, share, store, archive, and destroy
B. Create, share, use, archive, store, and destroy
C. Create, store, use, share, archive, and destroy
D. Create, share, archive, use, store, and destroy
The correct answer is C. This is the correct order of the lifecycle phases of assets: create, store, use, share, archive, and destroy, as described in the Securosis data security lifecycle. Asset classification, therefore, needs to be able to protect assets in whatever phase they are in.

3. Which of the following is the BEST definition of defensible destruction?
A. The destruction of assets using defense approved methods
B. The destruction of assets using a controlled, legally defensible, and compliant way
C. The destruction of assets without the opportunity of the recovery of those assets
D. The destruction of assets using a method that may not allow attackers to recover data
The correct answer is B. The perfect definition of legally defensible
destruction of assets, which should end the asset lifecycle, is
eliminating data using a controlled, legally defensible, and regulatory
compliant way.

4. In an environment where asset classification has been implemented to address the requirements of privacy protection, who in the following list is considered to be the “owner” and, therefore, has the accountability to ensure that the requirements for protection and compliance are addressed properly?
A. Data processor
B. Data subject
C. Data controller
D. Data steward
The correct answer is C. In specific privacy legislation, accountability for the protection of a subject’s personal privacy information is assigned to the data controller. The data controller acts as the “owner” and, therefore, has the accountability to protect based on legislative and legal requirements.

5. Which of the following is NOT an Organization for Economic Cooperation and Development (OECD) principle of privacy protection?
A. Collection Limitation Principle
B. Right to be Forgotten Principle
C. Use Limitation Principle
D. Accountability Principle
The correct answer is B. The right to be forgotten principle is not
a principle addressed in the OECD guidelines for privacy
protection. It has been introduced and is part of privacy legislation
in Europe and Argentina since 2006 and is part of the new General
Data Protection Regulation (GDPR) to take effect in Europe.

6. Effective retention requirements for organizations require all of the following EXCEPT?
A. Policy
B. Awareness, education, training
C. Understanding of requirements related to compliance
D. Data steward
The correct answer is D. A data steward may be required to
address the proper protection of assets but is NOT a requirement
to implement effective data retention methods in the organization.
The other three answers are absolutely critical in addressing any
important requirement, including retention.

7. Which of the following is not an objective of baseline security controls used in protecting assets?
A. Specific steps that must be executed
B. Minimum level of security controls
C. May be associated with specific architectures and systems
D. A consistent reference point
The correct answer is A. Specific steps required to be executed are
actually examples of procedures, not baselines. A baseline is a minimum
level of security that must be achieved so that they can be consistently
referenced and may be specific to certain architectures and systems.

8. Which of the following is the BEST definition of “scoping”?
A. Altering baselines to apply more specifically
B. Modifying assumptions based on previous learned behavior
C. Limiting general baseline recommendations by removing those that do not apply
D. Responsible protection of assets based on goals and objectives
The correct answer is C. Limiting recommendations by removing those that do not apply is “scoping.” You are scoping to make sure things apply in the environments that you are trying to understand fully, from the perspective of protecting assets.

9. Which of the following is the BEST definition of an asset?
A. A hardware system in a data center
B. People in specific valuable environments
C. Software running in a categorized environment
D. Any item perceived as having value
The correct answer is D. Even though A, B, and C may be considered to be assets, the question is asking for the best definition, not examples. An asset is anything that has value to the organization.

10. Which of the following is NOT an example of a data state?
A. Data in motion
B. Data in use
C. Data in storage
D. Data at rest
The correct answer is C. Data in storage may be an example of
data at rest, which is the correct terminology related to a data
state. The three valid data states are data in motion, data at rest,
and data in use. It is important to protect data in all three states
and of course always based on value.


Terms and Definitions

Accountability: Accountability ensures that account management has assurance that only authorized users are accessing the system and using it properly.
Asset: An item perceived as having value.
Asset lifecycle: The phases that an asset goes through from creation (collection) to destruction.
Baselines: A minimum level of security.
Classification: Arrangement of assets into categories.
Clearing: The removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software recovery utilities.
Curie Temperature: The critical point where a material’s intrinsic magnetic alignment changes direction.
Custodian: Responsible for protecting an asset that has value, while in the custodian’s possession.
Data classification: Entails analyzing the data that the organization retains, determining its importance and value, and then assigning it to a category.
Defensible destruction: Eliminating data using a controlled, legally defensible, and regulatory compliant way.
Inventory: Complete list of items.
Lifecycle: Phases that an asset goes through from creation to destruction.
Ownership: Possessing something, usually of value.
Purging: The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique.
Qualitative: Measuring something without using numbers, using adjectives, scales, and grades, etc.
Quantitative: Using numbers to measure something, usually monetary values.
Remanence: Residual magnetism left behind.
Resources: Assets of an organization that can be used effectively.
Responsibility: Obligation for doing something. Can be delegated.



Course Agenda

PPT: Course Agenda (2 slides).

Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security

PPT: Security Architecture and Engineering. Introduce the participants to the “Security Architecture and Engineering” domain.
PPT: Domain Objectives (6 slides). Objectives for “Security Architecture and Engineering” domain.

Domain 3: Security Architecture and Engineering

Overview
The goal of the Security Architecture and Engineering domain is to
provide you with concepts, principles, structures, and standards
used to design, implement, monitor, and secure operating systems,
equipment, networks, applications, and those controls used to
enforce various levels of confidentiality, integrity, and availability.

Domain Objectives
After completing this domain, the participant will be able to:
1. Implement engineering processes using secure design
principles.
2. Manage engineering processes using secure design
principles.
3. Identify the purpose of security models.
4. Identify common security models.

5. Differentiate between security requirements and security controls.
6. Identify types of controls.
7. Identify common or inheritable controls.
8. Select appropriate security controls.
9. Identify major control frameworks.
10. Tailor security controls.
11. Identify security control evaluation criteria.
12. Identify types of system security capabilities.
13. Employ integrated security elements.
14. Identify vulnerabilities and mitigations in client-based systems.
15. Identify vulnerabilities and mitigations in server-based systems.
16. Identify vulnerabilities and mitigations in database systems.
17. Identify vulnerabilities and mitigations in industrial control
systems (ICSs).
18. Identify vulnerabilities and mitigations in cloud-based systems.
19. Identify vulnerabilities and mitigations in distributed systems.
20. Identify vulnerabilities and mitigations in Internet of Things (IoT).
21. Assess and mitigate vulnerabilities in web-based systems.
22. Assess and mitigate vulnerabilities in mobile systems.
23. Assess and mitigate vulnerabilities in embedded systems.
24. Understand key terms associated with cryptography.
25. Understand how security services such as confidentiality,
integrity, authenticity, non-repudiation, and access control are
addressed through cryptography.
26. Understand basic cryptography concepts of symmetric and
asymmetric.
27. Describe hashing algorithms and digital signatures.
28. Understand the importance of key management.
29. Understand cryptanalysis methods.
30. Apply security principles to site and facility design.
31. Implement and manage physical security controls.
32. Implement and manage physical controls in wiring closets and
intermediate distribution facilities.
33. Implement and manage physical controls in server rooms and
data centers.

34. Implement and manage physical controls in media storage facilities.
35. Implement and manage physical controls for evidence storage.
36. Implement and manage physical controls in restricted areas.
37. Implement and manage physical controls in work areas.
38. Implement and manage environmental controls for utilities and power.
39. Implement and manage controls for heating, ventilation, and air conditioning (HVAC).
40. Implement and manage environmental controls.
41. Implement and manage environmental controls for fire prevention, detection, and suppression.

Domain Agenda

PPT: Domain Agenda (2 slides). Review the domain agenda.

Module  Name
1  Processes Using Security Design Principles
2  Fundamental Concepts of Security Models
3  Select Controls Based upon Systems Security Requirements
4  Security Capabilities of Information Systems
5  Vulnerabilities of Security Architectures, Designs, and Solution Elements
6  Cryptography
7  Physical Security
8  Domain Review

Module 1: Processes Using Secure Design Principles

PPT: Processes Using Secure Design Principles. Introduce the participants to the “Processes Using Secure Design Principles” module.
PPT: Module Objectives. Introduce the module objectives.

Module Objectives
1. Implement engineering processes using secure design principles.
2. Manage engineering processes using secure design principles.

System and Security Engineering Processes

PPT: System and Security Engineering Processes. Summarize the resources for the processes.

Older sources such as the System Security Engineering Capability Maturity Model (SSE-CMM) provided systems security specific processes that did not directly map to systems engineering processes. While valuable resources, earlier system security engineering models were difficult to relate to standard engineering and software design processes, which limited their adoption in many industries.

The current direction with major standards has been to converge systems security engineering as a specialty engineering discipline under traditional systems engineering processes. This allows for closer alignment between traditional engineering and security engineering.

Both the International Council on Systems Engineering (INCOSE) and the National Institute of Standards and Technology (NIST) recognize Systems Security Engineering as a specialty engineering discipline of systems engineering. All systems engineering processes are applicable to systems security engineering and are applied with a systems security perspective.

Commonly accepted sources for engineering and security engineering include the following:
• INCOSE Systems Engineering Handbook
  - INCOSE is a not-for-profit membership organization founded to develop and disseminate the interdisciplinary principles and practices that enable the realization of successful systems.
• NIST SP800-160 System Security Engineering
  - This publication addresses the engineering-driven actions necessary to develop more defensible and survivable systems—including the components that compose and the services that depend on those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering techniques, methods, and practices into those systems and software engineering activities.
• ISO/IEC 15026 Series: Systems and Software Engineering
  - A series of standards focused on Systems and Software Engineering.
• ISO/IEC/IEEE 15288 Systems and Software Engineering
  - A systems engineering standard defining processes.

Technical Processes

PPT: Technical Processes. Overview of Technical Processes.

The following processes are defined in the NIST SP800-160 dated November 2016. The processes and process definitions are consistent with the INCOSE Systems Engineering Handbook and easily related to ISO-based standards with some minor differences.
• Business and mission analysis process: Helps the engineering team to understand the scope, basis, and drivers of the business or mission problems or opportunities and ascertain the asset loss consequences that present security and protection issues associated with those problems or opportunities.
• Stakeholder needs and requirements definition process: Defines the stakeholder security requirements that include the protection capability, security characteristics, and security-driven constraints for the system to securely provide the capabilities needed by users and other stakeholders.
• System requirements definition process: Transforms the stakeholder security requirements into the system requirements that reflect a technical security view of the system.
• Architecture definition process: Generates a set of representative security views of the system architecture alternatives to inform the selection of one or more alternatives.
• Design definition process: Provides security-related data and information about the system and its elements to enable implementation consistent with security architectural entities and constraints as defined in the models and views of the system architecture.
• System analysis process: Provides a security view to system analyses and contributes specific system security analyses to provide essential data and information for the technical understanding of the security aspects of decision-making.
• Implementation process: Realizes (implements, builds) the security aspects of all system elements.
• Integration process: Addresses the security aspects in the assembly of a set of system elements such that the realized system achieves the protection capability in a trustworthy manner as specified by the system security requirements and in accordance with the system architecture and system design.
• Verification process: Produces evidence sufficient to demonstrate that the system satisfies its security requirements and security characteristics with the level of assurance that applies to the system.

• Validation process: Provides evidence sufficient to demonstrate that the system, while in use, fulfills its business or mission objectives while being able to provide adequate protection of stakeholder and business or mission assets; minimize or contain asset loss and associated consequences; and achieve its intended use in its intended operational environment with the desired level of trustworthiness.
• Transition process: Establishes a capability to preserve the system security characteristics during all aspects of an orderly and planned transition of the system into operational status.
• Operation process: Establishes the requirements and constraints to enable the secure operation of the system in a manner consistent with its intended uses, in its intended operational environment, and for all system modes of operation.
• Maintenance process: Establishes the requirements and constraints to enable maintenance elements to sustain delivery of the specified system security services and provides engineering support to maintenance elements.
• Disposal process: Provides for the security aspects of ending the existence of a system element or system for a specified intended use. It accounts for the methods and techniques used to securely handle, transport, package, store, or destroy retired elements to include the data and information associated with the system or contained in system elements.

Technical Management Processes

PPT: Technical Management Processes. Overview of Technical Management Processes.

The following processes are defined in the NIST SP800-160 dated November 2016. The processes and process definitions are consistent with the INCOSE Systems Engineering Handbook and easily related to ISO-based standards with some minor differences.
• Project planning process: Produces and coordinates the security aspects of project plans; develops the security scope of the technical and management activities; and identifies security planning outputs, tasks, deliverables, achievement criteria, and the resources needed to accomplish security tasks.
• Project assessment and control process: Evaluates the progress and achievements of the security aspects of project plans, and communicates the need for specific management action to resolve any identified variances that could affect the overall ability of the project to satisfy security technical objectives.

• Decision management process: Identifies, analyzes, characterizes, and evaluates a set of security-based and security-informed alternatives for a decision, and recommends the most beneficial course of security-based or security-informed action.
• Risk management process: Identifies, analyzes, treats, and monitors security risks for all identified contexts within the risk profile.
• Configuration management process: Ensures that security considerations are addressed in the management and the control of system elements, configurations, and associated data and information over the system lifecycle.
• Information management process: Ensures that all stakeholder protection needs and all associated security considerations, constraints, and concerns are adequately addressed by the information management process.
• Measurement process: Collects, analyzes, and reports security-relevant data and information to support effective management and to demonstrate the quality of the products, services, and processes.
• Quality assurance process: Conducts proactive security quality assurance analyses throughout the project to ensure the effective application of the security aspects of the Quality Management process and to provide a level of confidence that the product or service delivered will be of the desired security quality.

Enabling Processes

PPT: Enabling Processes. Overview of Enabling Processes.

The following processes are defined in the NIST SP800-160 dated November 2016. The processes and process definitions are consistent with the INCOSE Systems Engineering Handbook and easily related to ISO-based standards with some minor differences.
• Lifecycle model management process: Identifies and assesses the security needs and considerations for lifecycle policies, procedures, processes, and models that are capable of being applied using effective proven methods and tools to achieve assurance and trustworthiness objectives.
• Infrastructure management process: Provides the basis to ensure that the infrastructure and services supporting the organizational and project objectives are adequate to address protection needs, considerations, and concerns.

• Portfolio management process: Ensures that security considerations are a factor in the management of the portfolio of organizational projects, and security considerations are used in the assessment of projects to confirm that the projects justify continued investment.
• Human resources management process: Defines the security criteria for the qualification, assessment, selection, and ongoing training of skilled and experienced personnel qualified to perform the security aspects of lifecycle processes to achieve organization, project, and stakeholder security objectives.
• Quality management process: Defines security quality objectives and the criteria used to determine that those objectives are met by products, services, and implementations of the quality management process.
• Knowledge management process: Identifies, obtains, maintains, and manages the security knowledge and skills needed to enable the organization to exploit opportunities and to reapply existing security knowledge.

Agreement Processes

PPT: Agreement Processes. Overview of Agreement Processes.

The following processes are defined in the NIST SP800-160 dated November 2016. The processes and process definitions are consistent with the INCOSE Systems Engineering Handbook and easily related to ISO-based standards with some minor differences.
• Acquisition process: Ensures that the acquirer’s protection needs and security concerns are addressed by the acquirer’s requirements used to obtain a product or service.
• Supply process: Ensures that a product or service provided to an acquirer provides the security functions and services while meeting all security concerns and constraints expressed by the acquirer’s requirements.

Key Principles of System Security

PPT: Key Principles of System Security. Describe CIA triad and interaction with processes.

A key principle of Systems Security Engineering and a differentiator from traditional Systems Engineering is that Systems Security Engineering is focused on supporting the confidentiality, integrity, and availability (CIA) needs of the system and not on the system functional requirements. This is known as the CIA triad and is a prime governing factor for all system security engineering activities.

CIA Triad

Figure 3.1: CIA Triad (Confidentiality, Integrity, Availability)

Module 2: Fundamental Concepts of Security Models

PPT: Fundamental Concepts of Security Models. Introduce the participants to the “Fundamental Concepts of Security Models” module.
PPT: Module Objectives. Introduce the module objectives.

Module Objectives
1. Identify the purpose of security models.
2. Identify common security models.

Security Models

PPT: Security Models (8 slides). Describe and explain each security model.

Security models define rules of behavior for an information system to enforce policies related to system security, typically involving the confidentiality and/or integrity policies of the system. Models define allowable behavior for one or more aspects of system operation. When implemented in a system, technology enforces the rules of behavior to ensure security goals (e.g., confidentiality, integrity) are met.

Bell–LaPadula (BLP)
The Bell–LaPadula (BLP) model is intended to address confidentiality
in a multilevel security (MLS) system. It defines two primary security
constructs, subjects and objects. Subjects are the active parties, while
objects are the passive parties. To help determine what subjects will
be allowed to do, they are assigned clearances that outline what
modes of access (e.g., read, write) they will be allowed to use when
they interact with objects.
The model system uses labels to keep track of clearances and
classifications and implements a set of rules to limit interactions
between different types of subjects and objects. It was an early
security model and does not provide a mechanism for a one-to-
one mapping of individual subjects and objects. This also needs
to be addressed by other models or features within a practical
operating system.
The model defines two properties, the ss-property (simple security property) and the *-property (star property).
• Simple Security property: A subject cannot read/access an object of a higher classification (no read up)
• Star property: A subject can only save an object at the same or higher classification (no write down)
The model does not attempt to define technical constructs or
solutions. It merely identifies a high level set of rules that if
implemented correctly, prevent the exposure or unauthorized
disclosure of information in a system processing different
classification levels of data.

Biba

The Biba model is designed to address data integrity and does not address data confidentiality. Like Bell–LaPadula, Biba is also a lattice-based model with multiple levels. It defines similar but slightly different modes of access (e.g., observe, modify) and also describes interactions between subjects and objects. Where Biba differs most obviously is that it is an integrity model; it focuses on ensuring that the integrity of information is being maintained by preventing corruption.

At the core of the model is a multilevel approach to integrity designed to prevent unauthorized subjects from modifying objects. Access is controlled to ensure that objects maintain their current state of integrity as subjects interact with them. Instead of the confidentiality levels used by Bell–LaPadula, Biba assigns integrity levels to subjects and objects depending on how trustworthy they are considered to be. Like Bell–LaPadula, Biba considers the same modes of access but with different results.

The model defines three properties, the ss-property and the *-property as in BLP, but also includes a new property, the invocation property.
• Simple Integrity property: A subject cannot observe an object of lower integrity (no read down)
• Star property: A subject cannot modify an object of higher integrity (no write up)
• Invocation property: A subject cannot send logical service requests to an object of higher integrity
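
The BLP and Biba rules above, as an added Python example that is not from the guide: a reference monitor over one constructed four-level lattice that evaluates the simple security and star properties of both models (the Level, Subject and Object names and the scenario below are assumptions). Enforcing both models on the same lattice also shows why they pull against each other: where an entity's confidentiality and integrity labels coincide, combined_allows passes only same-level reads and writes.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Constructed four-level lattice, used for both confidentiality and integrity labels."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    TOP = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level   # BLP confidentiality clearance
    integrity: Level   # Biba integrity level


@dataclass(frozen=True)
class Object:
    name: str
    classification: Level  # BLP confidentiality classification
    integrity: Level       # Biba integrity level


def blp_allows(subject: Subject, obj: Object, mode: str) -> bool:
    """Bell-LaPadula: 'read' is the simple security property (no read up);
    'write' is the *-property (no write down)."""
    if mode == "read":
        return subject.clearance >= obj.classification
    if mode == "write":
        return obj.classification >= subject.clearance
    raise ValueError(f"unknown BLP access mode: {mode}")


def biba_allows(subject: Subject, obj: Object, mode: str) -> bool:
    """Biba: 'observe' is the simple integrity property (no read down);
    'modify' is the *-property (no write up); 'invoke' is the invocation
    property (no service requests to an object of higher integrity)."""
    if mode == "observe":
        return obj.integrity >= subject.integrity
    if mode in ("modify", "invoke"):
        return subject.integrity >= obj.integrity
    raise ValueError(f"unknown Biba access mode: {mode}")


def combined_allows(subject: Subject, obj: Object, op: str) -> bool:
    """A system enforcing both models at once: a read must pass BLP 'read'
    and Biba 'observe'; a write must pass BLP 'write' and Biba 'modify'."""
    if op == "read":
        return blp_allows(subject, obj, "read") and biba_allows(subject, obj, "observe")
    if op == "write":
        return blp_allows(subject, obj, "write") and biba_allows(subject, obj, "modify")
    raise ValueError(f"unknown operation: {op}")


def access_table(subjects, objects, policy):
    """Evaluate every subject/object/mode triple under one policy function
    and return {(subject_name, object_name, mode): decision}."""
    modes = {blp_allows: ("read", "write"),
             biba_allows: ("observe", "modify", "invoke"),
             combined_allows: ("read", "write")}[policy]
    return {(s.name, o.name, m): policy(s, o, m)
            for s in subjects for o in objects for m in modes}


# Constructed scenario (not from the guide): two subjects, two objects.
ANALYST = Subject("analyst", clearance=Level.HIGH, integrity=Level.MEDIUM)
CLERK = Subject("clerk", clearance=Level.LOW, integrity=Level.LOW)
PLAN = Object("plan.doc", classification=Level.TOP, integrity=Level.HIGH)
MEMO = Object("memo.txt", classification=Level.LOW, integrity=Level.LOW)


if __name__ == "__main__":
    for policy in (blp_allows, biba_allows, combined_allows):
        print(policy.__name__)
        for key, ok in sorted(access_table([ANALYST, CLERK], [PLAN, MEMO], policy).items()):
            print("  ", key, "ALLOW" if ok else "DENY")
```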

Brewer and Nash

This model focuses on preventing conflict of interest when a given subject has access to objects with sensitive information associated with two competing parties. The principle is that users should not access the confidential information of both a client organization and one or more of its competitors. At the beginning, subjects may access either set of objects. Once, however, a subject accesses an object associated with one competitor, they are instantly prevented from accessing any objects on the opposite side. This is intended to prevent the subject from sharing information inappropriately between the two competitors, even unintentionally. It is called the Chinese Wall Model because, like the Great Wall of China, once on one side of the wall, a person cannot get to the other side. It is an unusual model in comparison with many of the others because the access control rules change based on subject behavior.
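
The history-dependent rule described above, as an added Python example that is not from the guide: a Chinese Wall monitor whose decision for a subject depends on which competitor that subject has already touched. The conflict-class names, company names and request log are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple


class ChineseWall:
    """Brewer and Nash access decisions.

    conflict_classes maps a conflict-of-interest class to the companies that
    compete within it. Once a subject has accessed one company in a class, the
    other companies in that class are denied to that subject; companies in
    other classes stay accessible. The wall is per subject."""

    def __init__(self, conflict_classes: Dict[str, Iterable[str]]) -> None:
        self.class_of: Dict[str, str] = {}
        for cls, companies in conflict_classes.items():
            for company in companies:
                if company in self.class_of:
                    raise ValueError(f"{company} listed in two conflict classes")
                self.class_of[company] = cls
        # Access history per subject: unlike a static lattice, the decision
        # depends on this state, so the rules change with behaviour.
        self.history: Dict[str, Set[str]] = defaultdict(set)

    def can_access(self, subject: str, company: str) -> bool:
        cls = self.class_of[company]
        for seen in self.history[subject]:
            if seen != company and self.class_of[seen] == cls:
                return False   # the wall is up: a competitor was already accessed
        return True

    def access(self, subject: str, company: str) -> bool:
        """Attempt an access and record it only when it is allowed."""
        if not self.can_access(subject, company):
            return False
        self.history[subject].add(company)
        return True


def replay(wall: ChineseWall,
           requests: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Replay (subject, company) requests in order and return each decision."""
    return [(subject, company, wall.access(subject, company))
            for subject, company in requests]


# Constructed data (not from the guide): two conflict-of-interest classes.
CONFLICT_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilCo", "PetroInc"},
}

# Constructed request log: the analyst touches BankA first.
REQUESTS = [
    ("analyst", "BankA"),     # allowed: nothing accessed yet
    ("analyst", "BankB"),     # denied: competitor of BankA
    ("analyst", "OilCo"),     # allowed: different conflict class
    ("analyst", "BankA"),     # allowed: same company as before
    ("analyst", "PetroInc"),  # denied: competitor of OilCo
    ("auditor", "BankB"),     # allowed: the wall is per subject
]


def run_demo() -> List[Tuple[str, str, bool]]:
    return replay(ChineseWall(CONFLICT_CLASSES), REQUESTS)


if __name__ == "__main__":
    for subject, company, ok in run_demo():
        print(f"{subject:8} -> {company:9} {'ALLOW' if ok else 'DENY'}")
```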

Clark–Wilson
Biba only addresses one of three key integrity goals. The Clark–Wilson
model improves on Biba by focusing on integrity at the transaction level
and addressing three major goals of integrity in a commercial environment.
To address the second goal of integrity, Clark and Wilson realized that they
needed a way to prevent authorized subjects from making undesirable
changes. This required that transactions by authorized subjects be
evaluated by another party before they were committed on the
model system. This provided separation of duties, where the powers
of the authorized subject were limited by another subject given the
power to evaluate and complete the transaction. To address internal
consistency (or consistency within the model system itself), Clark and
Wilson recommended a strict definition of well-formed transactions.
In other words, the set of steps within any transaction would need to
be carefully designed and enforced. Any deviation from that
expected path would result in a failure of the transaction, to ensure
that the model system’s integrity was not compromised. To control all
subject and object interactions, Clark–Wilson establishes a system of
subject–program–object bindings such that the subject no longer has
direct access to the object. Instead, this is done through a program
with access to the object. This program arbitrates all access and
ensures that every interaction between subject and object follows a
defined set of rules. The program provides for subject authentication
and identification and limits all access to objects under its control.

202 Domain 3: Security Architecture and Engineering

PPT: Security Models (8 slides) (continued). Describe and explain each security model.
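The bindings, well-formed transactions and second-party evaluation described above, as an added Python example that is not code from the guide: a toy ledger whose constrained data items (account balances) can only be changed through a registered transformation procedure, only by users bound to that procedure and those items, and only after a different bound user approves; an integrity verification procedure checks the result before it is committed. Account names, balances and user names are constructed for illustration.

```python
# Added example (not from the CISSP guide): a toy Clark–Wilson style ledger.
# Account names, balances and user names are constructed for illustration.
import copy


class IntegrityError(Exception):
    """Raised when a request violates a binding, separation of duties, or the IVP."""


def transfer(cdis, src, dst, amount):
    """A transformation procedure (TP): the only code that edits the CDIs."""
    cdis[src] -= amount
    cdis[dst] += amount


class ClarkWilsonLedger:
    def __init__(self, balances):
        self.cdis = dict(balances)             # constrained data items (account balances)
        self.total = sum(balances.values())    # invariant the IVP checks: money is conserved
        self.tps = {}                          # registered transformation procedures
        self.triples = set()                   # (user, tp, cdi) subject-program-object bindings
        self.pending = {}                      # proposals awaiting a second party
        self.log = []                          # append-only record of every decision
        self._next_id = 1

    def ivp(self, cdis=None):
        """Integrity verification procedure: every CDI is in a valid state."""
        cdis = self.cdis if cdis is None else cdis
        return all(v >= 0 for v in cdis.values()) and sum(cdis.values()) == self.total

    def register_tp(self, name, fn):
        self.tps[name] = fn

    def allow(self, user, tp, cdi):
        self.triples.add((user, tp, cdi))

    def _authorized(self, user, tp, cdis):
        return tp in self.tps and all((user, tp, c) in self.triples for c in cdis)

    def propose(self, user, tp, cdis, *args):
        """Step 1: a bound user asks for a TP to be run on named CDIs."""
        cdis = tuple(cdis)
        if not self._authorized(user, tp, cdis):
            self.log.append(("denied", user, tp, cdis))
            raise IntegrityError(f"{user} is not bound to {tp} on {cdis}")
        txn_id = self._next_id
        self._next_id += 1
        self.pending[txn_id] = (user, tp, cdis, args)
        self.log.append(("proposed", txn_id, user, tp, cdis))
        return txn_id

    def approve(self, approver, txn_id):
        """Step 2: a different bound user evaluates and commits the transaction."""
        user, tp, cdis, args = self.pending[txn_id]
        if approver == user or not self._authorized(approver, tp, cdis):
            self.log.append(("rejected", txn_id, approver))
            raise IntegrityError("approver must be a different user bound to the same TP")
        trial = copy.deepcopy(self.cdis)       # run the TP on a scratch copy first
        self.tps[tp](trial, *cdis, *args)
        del self.pending[txn_id]
        if not self.ivp(trial):                # not well formed: discard the result
            self.log.append(("rolled_back", txn_id))
            raise IntegrityError("IVP failed; transaction rolled back")
        self.cdis = trial                      # commit
        self.log.append(("committed", txn_id, approver))
        return dict(self.cdis)


if __name__ == "__main__":
    ledger = ClarkWilsonLedger({"operations": 100, "payroll": 50})
    ledger.register_tp("transfer", transfer)
    for user in ("alice", "bob"):
        for account in ("operations", "payroll"):
            ledger.allow(user, "transfer", account)
    txn = ledger.propose("alice", "transfer", ["operations", "payroll"], 30)
    print(ledger.approve("bob", txn))          # {'operations': 70, 'payroll': 80}
```

Python cannot stop a caller from editing `ledger.cdis` directly; the model's point is that in a real system the CDIs are reachable only through the TPs, and the ledger's `log` is the audit trail the model requires for every attempt, successful or not.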

Graham–Denning
Graham–Denning is primarily concerned with how subjects and
objects are created, how subjects are assigned rights or privileges,
and how ownership of objects is managed. In other words, it is
primarily concerned with how a model system controls subjects
and objects at a very basic level where other models simply
assumed such control.
The Graham–Denning access control model has three parts: a set
of objects, a set of subjects, and a set of rights. The subjects are
composed of two things: a process and a domain. The domain is
the set of constraints controlling how subjects may access
objects. Subjects may also be objects at specific times. The set of
rights governs how subjects may manipulate the passive objects.
This model describes eight primitive protection rights called
commands that subjects can execute to have an effect on other
subjects or objects.
The eight basic rules under Graham–Denning govern the following:
1. Secure object creation
2. Secure object deletion
3. Secure subject creation
4. Secure subject deletion
5. Secure provisioning of read access right
6. Secure provisioning of grant access right
7. Secure provisioning of delete access right
8. Secure provisioning of transfer access right

Module 2: Fundamental Concepts of Security Models 203
Official (ISC)2 CISSP Training Guide

Harrison, Ruzzo, Ullman (HRU)
This model is very similar to the Graham–Denning model, and it is
composed of a set of generic rights and a finite set of commands. It is
also concerned with situations in which a subject should be restricted
from gaining particular privileges. To do so, subjects are prevented
from accessing programs, or subroutines, that can execute a particular
command (to grant read access, for example) where necessary.
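The eight Graham–Denning rules and the HRU view of them, as one added Python example that is not code from the guide: an access matrix whose eight methods are the eight commands, each guarded by the owner or control check that rule requires (a creator owns the objects and controls the subjects it creates; a transferable right carries a copy flag, written here as `read*`). The same matrix is the protection state that HRU commands manipulate, and each method is a conditional sequence of primitive operations, which is the form an HRU command takes. Subject and object names are constructed.

```python
# Added example (not from the CISSP guide): an access matrix implementing the
# eight Graham–Denning commands with the owner/control checks each one requires.
# Subject and object names are constructed for illustration.


class AccessMatrix:
    def __init__(self, root):
        self.subjects = {root}            # subjects can also appear as objects
        self.objects = set()
        self.matrix = {}                  # (subject, object) -> set of rights

    def rights(self, subject, obj):
        return self.matrix.get((subject, obj), set())

    def _add(self, subject, obj, right):
        self.matrix.setdefault((subject, obj), set()).add(right)

    def _require(self, cond, msg):
        if not cond:
            raise PermissionError(msg)

    # Rule 1: create object -> the creator becomes its owner
    def create_object(self, s, o):
        self._require(s in self.subjects and o not in self.objects, "bad create")
        self.objects.add(o)
        self._add(s, o, "owner")

    # Rule 3: create subject -> the creator gains control over it
    def create_subject(self, s, new):
        self._require(s in self.subjects and new not in self.subjects, "bad create")
        self.subjects.add(new)
        self._add(s, new, "control")

    # Rule 2: delete object -> requires ownership
    def delete_object(self, s, o):
        self._require("owner" in self.rights(s, o), f"{s} does not own {o}")
        self.objects.discard(o)
        self.matrix = {k: v for k, v in self.matrix.items() if k[1] != o}

    # Rule 4: delete subject -> requires control
    def delete_subject(self, s, x):
        self._require("control" in self.rights(s, x), f"{s} does not control {x}")
        self.subjects.discard(x)
        self.matrix = {k: v for k, v in self.matrix.items() if x not in k}

    # Rule 5: read access right -> s controls x or owns o
    def read_rights(self, s, x, o):
        self._require("control" in self.rights(s, x) or "owner" in self.rights(s, o),
                      f"{s} may not inspect {x}'s rights on {o}")
        return set(self.rights(x, o))

    # Rule 6: grant access right -> only the owner of o may grant
    def grant(self, s, right, x, o):
        self._require("owner" in self.rights(s, o), f"{s} does not own {o}")
        self._add(x, o, right)

    # Rule 7: delete access right -> s controls x or owns o
    def delete_right(self, s, right, x, o):
        self._require("control" in self.rights(s, x) or "owner" in self.rights(s, o),
                      f"{s} may not revoke {x}'s rights on {o}")
        self.rights(x, o).discard(right)

    # Rule 8: transfer access right -> s must hold the copyable form "right*"
    def transfer(self, s, right, x, o, with_copy=False):
        self._require(right + "*" in self.rights(s, o), f"{s} cannot transfer {right}")
        self._add(x, o, right + "*" if with_copy else right)


if __name__ == "__main__":
    am = AccessMatrix("root")
    am.create_subject("root", "alice")
    am.create_subject("root", "bob")
    am.create_object("alice", "report")
    am.grant("alice", "read*", "bob", "report")   # bob may read and pass it on
    print(am.read_rights("root", "bob", "report"))  # {'read*'}
```

The copy flag is the detail that matters for the HRU question of whether a right can leak: `transfer` without `with_copy` hands over a plain `read`, so the recipient cannot pass it further, while `read*` can propagate until the owner revokes it.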

Modern Implementation
Most modern operating systems implement elements of the security
models. They are not perfect implementations of the academic models
and focus on practical implementations that provide functionality
consistent with one or more of the security models.
The access control models discussed in Domain 5 (discretionary access
control (DAC), mandatory access control (MAC), etc.) have operating-
system-vendor-specific implementations of elements contained within
the security model. Precise implementation of the security models has
practical limitations and is rarely employed except in very specialized
systems with intentionally limited functionality.

Module 3: Select Controls Based upon System Security Requirements

Module Objectives
1. Differentiate between security requirements and security controls.
2. Identify types of controls.
3. Identify common or inheritable controls.
4. Select appropriate security controls.
5. Identify major control frameworks.
6. Tailor security controls.
7. Identify security control evaluation criteria.

PPT: Select Controls Based upon System Security Requirements. Introduce the participants to the “Select Controls Based upon System Security Requirements” module.
PPT: Module Objectives. Introduce the module objectives.

Security Controls
Security controls are safeguards or countermeasures that mitigate risks to
confidentiality, integrity, or availability in a system or operating environment.
Controls may impact or modify the behavior of people, process, or
technology. They may be directly applied or inherited from another system
or organization.

PPT: Security Controls. General definition of security controls.

Types of Controls
Security controls primarily perform one of three major actions:
l Preventive controls: Reduce likelihood or impact of an
undesirable event occurring
l Detective controls: Identify an undesirable event or collect
information about it
l Corrective controls: Reduce or eliminate the impact of an
undesirable event that has occurred
Controls can be classified by how they are applied:
l Management: Policy- or human-driven controls
l Operational: Process-driven controls
l Technical: Controls applied to technology

PPT: Types of Controls. General overview of control types; reference the Domain 1 explanations also.

Common/Inheritable Controls
Common or inheritable controls exist outside of a particular system but
provide some confidentiality, integrity, or availability protection to the system.
For instance, an enterprise firewall likely provides some level of protection to
all systems located behind the firewall. Systems that reside behind the firewall
can be said to “inherit” protections provided by the firewall as part of the
overall protection applied to the inheriting system. However, the level of
protection applied by the firewall will depend on specifics of configuration
and may not be equal for all systems. The firewall may provide more
protection to some network segments than others or have specific rules
configured that expose some systems behind it to a greater or lesser extent.
Part of the consideration for any inheritable control is the effectiveness or
amount of protection actually inherited by a particular system.
Inheritable controls may also be referred to as common controls in some
control frameworks.

PPT: Common/Inheritable Controls. Definition of common controls.

Control Selection
Controls are selected to support the confidentiality, integrity, and
availability needs of the system. Control frameworks are often utilized to
select appropriate controls and define controls. If existing controls
from the operating environment, adjacent systems, or network
environment can be leveraged by the target system, those controls
can be considered “inherited” by the target system. For example, a
workstation typically inherits controls from the organization firewall
and any application gateways.

PPT: Control Selection. Discuss purpose of controls and how they are selected.

Control Frameworks
Control frameworks define controls and control elements. In some
cases, they may provide explicit or recommended control
specifications, and in other cases, they may provide guidance on
the intended objective or outcome of the control.
Frameworks allow for standardization of control implementation
and may often include evaluation criteria or mechanisms to verify
that controls are effective. Significant research and refinement has
gone into the development of control frameworks, and adoption of
an existing framework is typically a more effective approach than
developing a unique set of controls.
Example control frameworks:
l ISO/IEC 27001: International Standard
l NIST (SP 800-53): Required for US government use
l COBIT: Focused on business values
l ISA/IEC 62443 (ISA 99): Industrial Automation and Control
Systems
Control frameworks or control catalogs should be selected based on
the industry or specific security goals of the organization. Each
framework has advantages and disadvantages, and business needs,
regulatory requirements, or operational needs may drive selection of
a control framework as much as direct security concerns.
Control frameworks have significant overlaps and often have well-
researched mappings between controls from different frameworks.
This supports adopting controls from multiple frameworks when
necessary to support business, regulatory, or security needs. For
example, a multinational corporation with significant business
dealings with the US federal government may choose to adopt the
internationally recognized ISO standard and map those controls to
the NIST controls. This allows them to report NIST compliance to
the US federal government and ISO control status to any
international oversight organization. Conversely, the same
organization could standardize on the NIST controls internally but
map them to ISO for external reporting.

PPT: Control Frameworks. Discuss/define control frameworks.
PPT: Example Control Frameworks and Standards. Brief discussion of commonly used control frameworks.

Tailoring Controls
Control frameworks and standards are intended to be tailored to
specific use-cases. By nature, the control frameworks are general cases
that are intended to be widely applied. For that reason, they may lack
specifics on implementation details or require the control user to input
specific values for their organization or environment (e.g., the control says
you have to have a screen lock but allows the adopter to select a lock
timeout that makes sense for their use).
It is critical to adjust control specifications or parameters to meet the
needs of a specific system or environment to provide the optimal
security value. The tailoring process is well documented in most control
frameworks and fully supported by the frameworks themselves. Some
organizations choose to treat controls and control frameworks as
checklists and forego intelligent tailoring, thus reducing the overall
security value of the controls.

PPT: Tailoring Controls. Discuss tailoring controls to meet situational needs.
PPT: Evaluation Criteria. Discuss evaluation criteria for controls.

Evaluation Criteria
Each control should include specific evaluation methods and expected
results. To be effective as a security control, the control must be valuable
and have one or more measures of effectiveness associated with it.
The NIST framework defines three primary methods of control evaluation:
l Test: Conduct a direct test of the control (usually used for
technical type controls)
l Interview: Interview or question staff (usually used for
management or operational controls)
l Examine: Examine documentation or artifacts for evidence that a
control is properly employed (used for all control types)
In many cases, a control may (and should) be evaluated using multiple
evaluation methods to ensure control effectiveness. For instance, to
evaluate a particular control, the assessor may perform a technical test
to validate a function, examine documentation to ensure the function
was correctly configured, and interview a system administrator
regarding operation of the function. Taken together, the results may
show that the control is effectively applied or that there is some
deficiency that limits the control effectiveness.

Module 4: Security Capabilities of Information Systems

Module Objectives
1. Identify types of system security capabilities.
2. Employ integrated security elements.

PPT: Security Capabilities of Information Systems. Introduce the participants to the “Security Capabilities of Information Systems” module.
PPT: Module Objectives. Introduce the module objectives.

System Security Capabilities
The following sections detail common system security capabilities.
Variations of these common capabilities are integrated into most modern
operating systems and hardware platforms. The specific methods and
types of implementation will vary from platform to platform, but all typically
share some of the common security value obtained from these capabilities.
System security capabilities generally interact with one or more other security
capabilities or have some level of integration with other security components.
This provides an integrated defense-in-depth model within the system
architecture itself to limit the overall attack surface of the system and harden
it against different forms of attack. However, security capabilities may be
disabled or not fully integrated based on particular vendor products chosen
as system components, or technical implementation by the system
manufacturer or operator. For maximum functionality, integrated system
security capabilities must typically be enabled and properly configured to
provide desired protective capabilities.

PPT: System Security Capabilities. General description of common system security capabilities that exist in most systems.

Generic Operating System (OS)/Computer Model
Figure 3.2 is a generic representation of an operating system. It does
not represent a particular operating system, but it contains elements
common to most modern operating systems. This diagram can be used
for reference when considering the system security capabilities
described in the following sections.

PPT: Generic Operating System (OS)/Computer Model. Provide a general description of computer security relevant functions within the generic OS model.

Figure 3.2: Generic Information System Model
(Diagram: User Mode holds the Applications, the User Interface, the Application Programming Interface (API), and Services. Kernel Mode holds the Security Monitor, Memory Manager, Process Manager, Input/Output (I/O) Manager, Device Drivers, and the Hardware Abstraction Layer (HAL). Below both sits the Hardware, including the Trusted Platform Module (TPM).)
Instructor Edition

In a modern operating system, there are two primary processor states:
a user mode and a kernel mode. The kernel mode is reserved for core
operating system management while the user mode is exposed to user
applications and services. Functions allowed to execute on the
hardware are limited in user mode and managed by processes that
exist in kernel mode. This provides a level of abstraction that restricts
actions that can be taken at the user level. There is an additional layer
of separation in many operating systems called the Hardware Abstraction
Layer (HAL) that acts as an interface between some user and kernel
mode operations and the actual system hardware. This allows for
standardized commands directed at hardware to be generalized and
translated to device-specific commands but also limits the binary
command set that can be sent directly to hardware components.
Device drivers function in a similar fashion but may allow more direct
control over specific hardware devices based on manufacturer
specifications. The hardware layer may include specialized security
hardware such as a Trusted Platform Module (TPM).

PPT: Generic Operating System (OS)/Computer Model (continued). Provide a general description of computer security relevant functions within the generic OS model.
Some key operating system components include the following:

System Kernel
The system kernel is the core of an OS, and one of its main functions
is to provide access to system resources, which includes the system’s
hardware and processes. The kernel:
l Loads and runs binary programs
l Schedules the task swapping that allows computer systems
to do more than one thing at a time
l Allocates memory
l Tracks the physical location of files on the computer’s hard disks

The kernel provides these services by acting as an interface
between other programs operating under its control and the
physical hardware of the computer; this insulates programs running
on the system from the complexities of the computer.

Memory Manager
Allocates and manages physical and/or virtual memory within a
system.

Security Monitor/Reference Monitor
Enforces access control policy and rules over subjects interacting
with objects and performing operations. It is typically intended to
be always on and impossible to bypass for any function. It operates in
kernel mode and provides oversight to the operation of internal OS
functions.

Input/Output (I/O) Manager
Manages and controls input and output from the operating system.

Application Programming Interface (API)
Provides a generalized or common set of commands for applications or
processes executing on a system to perform standard operations and
communications. It removes the need for applications to directly
interface with some OS components and hardware.

User Interface (UI)
The UI presents control and input methods to system users in an
understandable and controlled fashion. It often includes common user
interaction functions that can be easily implemented by applications or
code executing on the system.

PPT: Generic Operating System (OS)/Computer Model (continued). Provide a general description of computer security relevant functions within the generic OS model.

Access Control
Modern systems include some form of access control. Even kiosk or
general user type systems internally implement a system of permissions
and rules for accessing processes, memory, applications, and operating
system functions even if those controls are transparent to the end user.
Access controls are typically enforced by a kernel level module known as
the security monitor or reference monitor. Specific access control types
will be discussed in Domain 5, but they are often based on one or more
security models discussed in Module 3.
Access control mechanisms are typically supported by the file system,
which often stores security attributes with files and enables fine-grained
access control in storage objects.

PPT: Access Control. Describe this security capability (technical explanation: how it works, value).

Processor States
Processors and their supporting chipsets provide one of the first layers
of defense in any computing system. In addition to providing specialized
processors for security functions (such as cryptographic coprocessors),
processors also have states that can be used to distinguish between
more or less privileged instructions.
Most processors support at least two states:
l A supervisor state
l A problem state
In supervisor state (also known as kernel mode), the processor is
operating at the highest privilege level on the system, and this
allows the process running in supervisor state to access any system
resource (data and hardware) and execute both privileged and
non-privileged instructions.
In problem state (also known as user mode), the processor limits
the access to system data and hardware granted to the running
process. A malicious process running in supervisor state has very
few restrictions placed upon it and can be used to cause a lot of
damage. Ideally, access to supervisor state is limited only to core
OS functions that are abstracted from end-user interaction through
other controls, but this is not always the case.

PPT: Processor States (continued). Describe this security capability (technical explanation: how it works, value).

Memory Management
From a security perspective, memory and storage are the most
important resources in any computing system. Ideally, it would be
possible to easily separate memory used by subjects (such as
running processes and threads) from objects (such as data in
storage). Buffer overflows are a common type of attack that
attempts to write executable code into memory locations where it
may be inadvertently executed.
Modern operating systems utilize a variety of techniques to limit the
exposure of the memory space to a potential attacker. User-space
programs are limited in their direct access to system memory, or are
allocated randomized blocks of memory space, to limit the utility of a
crafted memory attack running within a program or piece of code.
Additionally, memory space for user programs may be monitored by the
operating system to ensure it is utilizing memory properly and that
executable code is only located in authorized memory blocks. An example
is Data Execution Prevention (DEP) technology in Windows that will close a
program or code that is mismanaging memory or attempting to
execute code from unauthorized locations.

PPT: Memory Management. Describe this security capability (technical explanation: how it works, value).
PPT: Process Isolation. Describe this security capability (technical explanation: how it works, value).

Process Isolation
Process isolation can also be used to prevent individual processes
from interacting with each other. This can be done by providing
distinct address spaces for each process, preventing other
processes from accessing that area of memory, and assigning access
permissions to files or other resources to each process.
Naming distinctions are also used to distinguish between different
processes. Virtual mapping is also used to assign randomly chosen
areas of actual memory to a process to prevent other processes from
finding those locations easily. Encapsulation of processes as objects
can also be used to isolate them: since an object includes the
functions for operating on it, the details of how it is implemented can
be hidden. The system can also ensure that shared resources are
managed so that processes are not allowed to access shared
resources in the same time slots.

Figure 3.3: Process Isolation
(Diagram: Process 1 and Process 2 are kept apart, each reaching the system only through the Operating System (OS) Managers.)

PPT: Process Isolation (continued). Describe this security capability (technical explanation: how it works, value).
PPT: Data Hiding. Describe this security capability (technical explanation: how it works, value).
PPT: Abstraction Layers. Describe this security capability (technical explanation: how it works, value).

Data Hiding
Data hiding maintains activities at different security levels to separate
these levels from each other. This assists in preventing data at one
security level from being seen by processes operating at other security
levels. This is similar to the Bell–LaPadula security model.
Data hiding may also be associated with coding practices (typically in
object-oriented programming) where actual data is “hidden” from direct
access or manipulation and can only be read or modified by using a
standard interface mechanism.

Abstraction Layers
Abstraction involves the removal of characteristics from an entity to
easily represent its essential properties. Abstraction negates the
need for users to know the particulars of how an object functions.
They only need to be familiar with the correct syntax for using an
object and the nature of the information that will be presented
as a result. Since a separate subject controls the access to the
object, the ability to manipulate the object outside of the
defined rules is limited.

Figure 3.4: Abstraction
(Diagram: layers stacked from top to bottom: Application; Application Programming Interface (API); Operating System (OS) Kernel; Hardware Abstraction Layer (HAL); Hardware.)

PPT: Abstraction Layers (continued). Describe this security capability (technical explanation: how it works, value).
PPT: Security Kernel. Describe this security capability (technical explanation: how it works, value).

Security Kernel
The security kernel, or “reference monitor”, within an operating
system or hardware device acts as a security oversight mechanism
that enforces a predefined set of rules when a subject accesses an
object. The rules may include validating permissions from a table
(e.g., DAC) but are mandatorily applied and designed to prevent
being bypassed.
However, when user subjects are executing with administrative
rights on a system (e.g., Windows Administrator, Linux/Unix root),
the subject often has full control of most system objects. The
security kernel will still operate, but it will lose effectiveness when
the subject has full security rights to all objects. To maximize the
effectiveness of the security kernel, user subjects must be
executed with the least privilege necessary to perform their
intended function.

Encryption
Encryption can be applied to data at rest (e.g., files on a hard drive) or data in
transit (e.g., a communication channel). Encryption may be used to protect
confidentiality, integrity, or both concurrently.
The most direct value of encryption is the protection of data while the
operating system protections are not active or available. For example,
encrypted data may be stored on a hard drive. If the computer system
is turned off and the hard drive removed, the data cannot be read or
modified since it is encrypted. Also, once data has been transmitted
from the system, if encrypted, it is protected from access or
modification if intercepted in transit.
Encryption mechanisms will be addressed in greater detail in following
modules. The specific protections (confidentiality, integrity) and level of
protection provided by encryption vary depending on the specific
cryptographic mechanism utilized.

PPT: Encryption. Describe this security capability (technical explanation: how it works, value).

Code Signing and Validation
Code signing and validation is a cryptographic function. Executable code
is digitally signed using mechanisms presented in this module. This allows
an operating system, firmware, or even hardware components to validate
the digital signature on the executable code prior to it being loaded for
execution. This ensures that only known, approved code is able to execute
on a system or device.
In some operating systems, the system checks the OS components before
they are loaded. This helps to prevent unauthorized code replacing
legitimate system components and being executed at a higher privilege
level than would normally be granted to user code.
Code signing may also be used during system or component updates
or when loading new software to ensure that the copy being loaded
is an approved copy from a recognized source. This protects the
system from loading malicious or unapproved code presented as
legitimate code.

PPT: Code Signing and Validation. Describe this security capability (technical explanation: how it works, value).
PPT: Audit and Monitoring. Describe this security capability (technical explanation: how it works, value).

Audit and Monitoring
Secure systems must also have the ability to provide administrators
with evidence of their correct operation. This is performed using
logging subsystems that allow for important system, security, and
application messages to be recorded for analysis. More secure
systems will provide considerable protection to ensure these logs
cannot be tampered with, including secure export of such logs to
external systems.
As part of an organizational security architecture, logs and monitoring
data must be collected from individual systems and reviewed by
automated or manual means. This is typically done centrally where
data from multiple systems can be used to build an overall protection
picture of the entire information environment. Logs that are not
reviewed or managed, either by automated or manual means, provide
some value to correct issues after they have occurred. By monitoring
logs and information systems, the audit data can provide some
preventative and detective control value as well.

PPT: Audit and Monitoring (continued). Describe this security capability (technical explanation: how it works, value).

Virtualization/Sandbox
Virtualization offers numerous advantages from a security
perspective. Virtual machines are typically isolated in a sandbox
environment and, if infected, can be removed quickly or shut
down and replaced by another virtual machine. The sandbox
environment is intentionally designed to keep executing code
within the controlled sandbox space and limit communications
into or out of the sandbox.
Virtual machines:
l Have limited access to hardware resources and, therefore,
help protect the host system and other virtual machines
l Do require strong configuration management control and
versioning to ensure known good copies are available for
restoration if needed
l Are also subject to all the typical requirements of hardware-based
systems, including anti-malware software, encryption,
host intrusion detection system (HIDS), firewalls, and
patching
Some operating systems automatically, or can be configured to,
sandbox certain types of code. Mobile code (e.g., Java, ActiveX,
etc.) may be allowed only to execute in a controlled sandbox where
the system configuration controls how much or how little access to the
rest of the system is possible for code executing within the
sandbox.
Modern malware may be sandbox or virtualization aware and
contain routines that intentionally detect and attempt to break out
of a sandboxed environment.

PPT: Virtualization/Sandbox. Describe this security capability (technical explanation: how it works, value).

Module 4: Security Capabilities of Information Systems 217


Official (ISC)2 CISSP Training Guide

Notes: Security Capabilities of Information Systems

PPT: Hardware Security Modules
Describe this security capability (technical explanation: how it works, value).

Hardware Security Modules

Hardware components may be used to provide security services to the
system. A common example is the Trusted Platform Module (TPM), which is
provided by, or available as an option from, most major device manufacturers.
The TPM is a hardware module that includes a secure storage container
and a cryptographic processor with some cryptographic functions. It is
typically used to securely generate and store cryptographic keys or to provide
secure storage of small data sets.

The most common use for a TPM is to generate and store cryptographic keys
associated with file system or drive encryption mechanisms. Since the keys
are stored within the dedicated hardware module, they are extremely difficult
to extract when the system is powered down. They are only exposed at
certain points during the boot process that are difficult to monitor prior to
the OS being functional and taking over the role of protecting the keys.

Other hardware security modules exist for specialty functions and may
be added to systems or used as peripheral devices for special security
functions.

PPT: File System Attributes
Describe this security capability (technical explanation: how it works, value).

File System Attributes

Modern file systems store security attributes, or permissions, associated
with files as an integral part of the file system. This enables advanced
security models to be employed in practical systems and ensures easy
association of security attributes with individual files.

Some file systems include journaling that protects file integrity by ensuring
that incomplete disk operations are identified and completed.

PPT: Host Protection Software
Describe this security capability (technical explanation: how it works, value).

Host Protection Software

The following are examples of host protection software that may be
installed at the system level to provide additional protections beyond
those built into the OS and system architecture. Some may be available
as OS components but must typically be enabled and configured for full
function. In other cases, third-party software suites may be used to
provide these functions.
l Antivirus: Protects against viruses and malicious code by
checking files against a list of known malware. Many products
also include a heuristics function that allows them to identify
malware that is not in their database based on software behavior.
l Host-based intrusion prevention system (HIPS): HIPS provides
monitoring of system communications and performs a similar
function to a network-based intrusion prevention system
(NIPS) within a specific host.

218 Domain 3: Security Architecture and Engineering


Instructor Edition

PPT: Host Protection Software (continued)
Describe this security capability (technical explanation: how it works, value).

l Host firewall: Blocks inbound or outbound communications
from the host based on a defined rule set. Some host firewalls
allow applications to dynamically configure the firewall to
allow on-demand communications when necessary.
l File integrity monitoring (FIM): Creates a known baseline of
all files on a system, typically using a cryptographic hashing
mechanism to create unique signatures for each file. It can
then compare files against the known baseline periodically or
when the files are loaded into memory for use.
l Configuration and policy monitor: A configuration or
policy monitor provides oversight to ensure defined system
configurations or policies are correctly configured and not
improperly modified. It may also report system status or
compliance to an enterprise tool.
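The FIM item above describes a baseline-and-compare cycle. The following Python script is an added example, not code from the guide or from any product it names: it hashes every file under a directory with SHA-256, keeps the digests as the baseline, and classifies a later scan's differences as added, removed, or modified. The directory layout, file names, and the tampering performed in demo() are constructed for the illustration.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large
    binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Walk `root` and map each file's path (relative to root) to its digest.
    This dictionary is the 'known baseline' the FIM tool stores."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed, or modified (digest changed)."""
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /usr/bin/real-login \"$@\"\n")
        with open(os.path.join(root, "hosts"), "wb") as fh:
            fh.write(b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated tampering: one file modified, one deleted, one added.
        with open(os.path.join(root, "bin", "login"), "ab") as fh:
            fh.write(b"# appended line\n")
        os.remove(os.path.join(root, "hosts"))
        with open(os.path.join(root, "cron.sh"), "wb") as fh:
            fh.write(b"echo hi\n")

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

A real deployment stores the baseline somewhere the monitored host cannot silently rewrite it (a signed file or a central server), and a change report is only useful if someone compares it against approved change records; otherwise every patch cycle produces alerts that get ignored.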

Module 5: Vulnerabilities of Security Architectures, Designs, and Solution Elements

Notes: Vulnerabilities of Security Architectures, Designs, and Solution Elements

PPT: Vulnerabilities of Security Architectures, Designs, and Solution Elements
Introduce the participants to the “Vulnerabilities of Security Architectures, Designs, and Solution Elements” module.

PPT: Module Objectives (2 slides)
Introduce the module objectives.

Module Objectives
1. Identify vulnerabilities and mitigations in client-based systems.
2. Identify vulnerabilities and mitigations in server-based systems.
3. Identify vulnerabilities and mitigations in database systems.
4. Identify vulnerabilities and mitigations in Industrial Control
Systems (ICS).
5. Identify vulnerabilities and mitigations in cloud-based systems.
6. Identify vulnerabilities and mitigations in distributed systems.
7. Identify vulnerabilities and mitigations in Internet of Things (IoT).
8. Assess and mitigate vulnerabilities in web-based systems.
9. Assess and mitigate vulnerabilities in mobile systems.
10. Assess and mitigate vulnerabilities in embedded systems.

Vulnerabilities of Security Architectures, Designs, and Solution Elements

PPT: Vulnerabilities of Security Architectures, Designs, and Solution Elements
Provide context for the module and following slides.

This module introduces some common vulnerabilities and mitigation
approaches that are common among most system types. It then
presents typical vulnerabilities and mitigation approaches for various
system types. The vulnerabilities and mitigations are not intended to be
comprehensive for each system type; they represent the most common
issues and solutions associated with the system type. For each system
type, consider which common vulnerabilities might exist in the various
system components in addition to the system-specific vulnerabilities.

In particular, consider how common vulnerabilities might exist in the
following:
l System hardware
l System code
l System misuse opportunities
l System communications

PPT: Top Threat Actions/Mitigations
Generic overview of threat action types and mitigations; provide examples where relevant.

Top Threats and Mitigations
The following threat action categories are common to most system
types but may exist in various forms.
Top Threat Actions
l Hacking: Human action attempting various permutations of
actions to defeat or bypass system protections or system
security.
l Social engineering: Attempting to gain information or
access by impacting human behavior or process. Generally
implemented through human interaction but may be
message or communication based.
l Malware distribution: Manual or automated distribution of
malware. May be targeted, untargeted, or the result of self-
replicating malware moving autonomously.
l Phishing: Attempting to gain information or access by
sending messages (e.g., email) that seem to be legitimate
but are not. May be combined with types of social
engineering or malware distribution.
The following top mitigations are general approaches applied at the
enterprise level. They should be considered the basics of mitigation
and must always be combined with other, more specific mitigations
at the system level.

Module 5: Vulnerabilities of Security Architectures, Designs, and Solution Elements 221

PPT: Top Threat Actions/Mitigations (continued)
Generic overview of threat action types and mitigations; provide examples where relevant.

Top Mitigations
l Know what you have: Maintain a good inventory of all IT
operating in the environment and understand the operational
status. While this sounds simple, it is one of the most difficult
things to accomplish for most large organizations.
l Patch and manage what you have: Keep hardware, firmware,
and software up to date and manage system configurations to
ensure they are kept in a secure and well-maintained state. This is
a basic security function but is also commonly neglected and not
well implemented in many organizations.
l Assess/monitor/log: Assess system security status, monitor the
status continuously, and log system, user, and process actions
to the greatest extent possible. At the enterprise level, this
includes collecting and aggregating individual system logs with
automated and manual reviews.
l Educate users: At the enterprise level, this is critical to address
human-based attacks (social engineering, phishing, etc.) that
technology alone cannot defend against.

PPT: Common System Vulnerabilities (5 slides)
Describe each vulnerability, what can cause it, with real-world examples where practical.

Common System Vulnerabilities
The following are common system vulnerability types that exist to some
degree in most systems. For each of the specific system types in this
module, the common system vulnerabilities should be considered
applicable to some degree. The impact of the common vulnerabilities
may be different based on system type.

Hardware vulnerabilities are most typically associated with loss of
availability when components fail. However, supply chain concerns over
inappropriate modification or counterfeit hardware components are
valid concerns. Improperly configured or illicitly modified hardware can
impact system confidentiality and integrity.
Hardware:
l Hardware components may fail at any time
o Mean time between failures (MTBF) is used to calculate
expected life
o Failure rates are higher during initial system operation
l Supply chain issues may introduce technical flaws/vulnerabilities
or malicious modification
l Old hardware may be difficult to repair/replace

PPT: Common System Vulnerabilities (5 slides) (continued)
Describe each vulnerability, what can cause it, with real-world examples where practical.

Communication vulnerabilities can directly impact confidentiality,
integrity, or availability depending on system functions. Typically,
the communication sub-systems of an information system are the
most exposed components of the system and the most susceptible
to technical attacks.
Communications:
l Can fail
l Can be blocked (denial of service (DoS))
l Can be intercepted
l Can be counterfeited (replayed)
l Can be modified
l Characteristics can expose information about the sender/
receiver (e.g., address, location, etc.)

Misuse by a system user can significantly impact confidentiality,
integrity, or availability. Misuse can include actions resulting from
social engineering attacks, phishing attacks, or intentional bypass
of security functions to “get the job done.” This is one area that
may increase in risk if technical or procedural protections
negatively impact user functionality.
Misuse by user:
l Can be intentional or accidental
l Can degrade or bypass security controls
l Increases in likelihood as difficulty to operate increases
l For example, difficult security requirements increase the
likelihood of intentional misuse to “get the job done”

Code flaws exist in all software products with more than a very low
level of complexity. Flaws may not be obvious, and they may not
be easily accessible to an attacker.
Code flaws:
l Exist in all software products with more than trivial complexity
l May be introduced accidentally or intentionally
l Typical risk conditions:
o Known flaws, patch available, systems not patched,
exploit available
o Known flaws, patch not available, exploit available
o Unknown flaws, exploit available (zero-day attack possible)

Emanation vulnerabilities are primarily a concern to very high security
systems (e.g., classified government systems) but can have impacts
on other systems. Exploiting emanations is a highly complex problem,
but an external observer may be able to obtain useful information
about an environment by doing a basic analysis of detectable
emissions.

PPT: Common System Vulnerabilities (5 slides) (continued)
Describe each vulnerability, what can cause it, with real-world examples where practical.

Emanations:
l Hardware/physical elements may radiate information
l Radio frequency
l Visible and non-visible spectrum
l Can be used to discern system functions
l Can be used to locate systems/components

PPT: Client-based Systems
Define system type and characteristics.

Client-based Systems
Client-based systems are systems in which the end user directly
interfaces with the computing hardware in the form of desktops,
laptops, thin client terminals, and so on. They are typically present
in large quantities in most organizations. Most organizations are
continually adding new and decommissioning old client systems.
They are typically general-purpose computers that are used for a
variety of purposes across an organization.

PPT: Client-based System Vulnerabilities
Describe unique vulnerabilities and ask class to consider how common vulnerabilities might also apply.

Vulnerabilities
End users in most cases physically control these devices. This allows for
end user modification or removal of the system from enterprise control.
They may be more susceptible to loss or theft for this reason. Since the
devices are typically under user control, monitoring and updating the
systems may be difficult as the location and power status (e.g., on/off)
may be indeterminate.
l Physically under user control
l Susceptible to user misuse (intentional or accidental)
l May be lost/stolen
l Monitoring may be difficult
l 100 percent update may be difficult

PPT: Client-based System Mitigations
Describe unique mitigation and value of general mitigations to system type.

Mitigations
The following mitigations are the basic mitigations to apply to a general-
purpose computer. While these mitigations seem basic in nature, they
are difficult to do well across a large installation base of client
devices.
l Patch/update*: Continuous action
l General network protections: e.g., network segmentation,
firewall devices, network intrusion prevention or detection
l Host protections*: Antivirus, host intrusion prevention
system (IPS), host firewall, disk encryption
l Monitor*: Logs, alerts, track location
l Educate users: Anti-phishing campaign, detecting attacks

PPT: Client-based System Mitigations (continued)
Describe unique mitigation and value of general mitigations to system type.

*Applied to all general purpose computing systems: servers,
database, distributed, cloud-based, and web-based. These
mitigations should be applied to all general purpose computing
platforms to support software (e.g., database/application) or
functional roles.

PPT: Server-based Systems
Define system type and characteristics.
Server-based Systems
Server-based systems generally provide a specific purpose and
may be specially configured or have special software loaded to
provide a specific function. Typical types include application
servers, file servers, domain controllers, print servers, and network
service servers (e.g., Domain Name Service). They are often
centrally managed and controlled in most organizations and have
limited access or functionality beyond their specific intended
purpose. They are also often maintained in a controlled, limited
access environment.

PPT: Server-based System Vulnerabilities
Describe unique vulnerabilities and ask class to consider how common vulnerabilities might also apply.

Vulnerabilities
Server-based vulnerabilities include the following:
l May be exposed to external communication/services
l Updates may be delayed due to operational need
l May exist for long periods (risk of being outdated)
l High traffic volume makes monitoring more difficult

PPT: Server-based System Mitigations
Describe unique mitigation and value of general mitigations to system type.

Mitigations
In addition to selective application of the mitigations identified for
client-based systems, servers can be additionally protected by
targeting network protections to reduce accessibility to only the
designed functions.
Other mitigations include the following:
l Targeted network protections (server-specific rules, restricted
ports/protocols)
l Strong remote access mechanisms
l Configuration and change management
l Monitor: Logs, alerts targeted to server functions

PPT: Server-based System Mitigations (continued)
Describe unique mitigation and value of general mitigations to system type.
PPT: Database Systems
Define system type and characteristics.

Database Systems
Database systems are hosted on various platforms, including stand-alone
servers, cloud hosting environments, distributed computing environments,
and so on. Database systems inherit any platform vulnerabilities and add
database-specific vulnerabilities. They typically contain large quantities of
valuable information and require high-speed operation with a large number
of transactions. This tends to make database systems high-value targets
for any attacker.

PPT: Database System Vulnerabilities
Describe unique vulnerabilities and ask class to consider how common vulnerabilities might also apply.

Vulnerabilities
Vulnerabilities specific to the database system itself include the following:
l Inference: The attacker guesses information from observing available
information. Essentially, users may be able to determine unauthorized
information from the information they can access and may never
need to directly access unauthorized data.
l Aggregation: Aggregation is combining nonsensitive or lower
sensitivity data from separate sources to create higher sensitivity
information. For example, a user takes two or more publicly
available pieces of data and combines them to form a classified
piece of data that then becomes unauthorized for that user. Thus,
the combined data sensitivity can be greater than the sensitivity
of the individual parts.
l Data mining: Data mining is a process of discovering information
in data warehouses by running queries on the data. A large
repository of data is required to perform data mining. Data
mining is used to reveal hidden relationships, patterns, and
trends in the data warehouse. Data mining is based on a series
of analytical techniques taken from the fields of mathematics,
statistics, cybernetics, and genetics. The techniques are used
independently and in cooperation with one another to uncover
information from data warehouses.
l High-value target: Databases are considered a high-value target
and may be sought out by attackers, who may be willing
to spend greater effort to find technical vulnerabilities to
exploit than with other system types.

PPT: Database System Vulnerabilities (continued)
Describe unique vulnerabilities and ask class to consider how common vulnerabilities might also apply.

PPT: Database System Mitigations
Describe unique mitigation and value of general mitigations to system type.

Mitigations
Database-specific mitigation techniques:
l Input validation: User input or query input is carefully
validated to ensure only allowable information is sent from
the user interface to the database server. This limits the
utility of Structured Query Language (SQL) injection type
attacks and potentially protects database information
integrity from invalid entries.
l Robust authentication/access control: Database access
is strictly controlled and the user interface is limited to
preconfigured or controlled interface methods.
l Output throttling: To reduce an attacker’s ability to siphon
off database data one record at a time, throttling can be
employed to limit the number of records provided over
a specific time period. This limits an attacker’s ability to
perform data mining and some inference and aggregation
attacks.
l Anonymization: This approach permanently removes
identifying data features from a database, typically to
protect personal information.
l Tokenization: Similar to anonymization except that
information is replaced with an identifier that can be used
to reconstruct the original data if necessary. The identifiers
(tokens) are then kept in a more secure system or offline.
This approach also allows data to be shared or made
available with less risk of inference and aggregation attacks.

PPT: Industrial Control Systems (ICS)
Define system type and characteristics.
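Input validation and output throttling from the database mitigation list above, as an added Python example that is not part of the guide. It uses an in-memory SQLite table with constructed sample rows: lookup_unsafe concatenates user input into the SQL text (the defect the "input validation" item is meant to prevent), lookup_safe passes the same input as a bound parameter, and OutputThrottle caps how many records a caller receives within a time window. The table name, the 5-record quota and the 60-second window are assumed values chosen for the illustration.

```python
import sqlite3
import time
from typing import Callable, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (illustrative, not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, ssn) VALUES (?, ?)",
        [("alice", "123-45-6789"), ("bob", "987-65-4321"), ("carol", "555-55-5555")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Vulnerable form: user input is spliced into the SQL text, so a quote
    character inside `name` changes what the query means (SQL injection)."""
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)
    ).fetchall()


def injection_demo() -> Tuple[int, int]:
    """Send the same quote-bearing input through both forms; returns row counts."""
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed test input
    return len(lookup_unsafe(conn, payload)), len(lookup_safe(conn, payload))


class OutputThrottle:
    """Caps the number of records served to a caller within a fixed time window."""

    def __init__(self, max_records: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_records = max_records
        self.window_seconds = window_seconds
        self.clock = clock  # injectable so the window can be simulated in tests
        self.window_start = clock()
        self.served = 0

    def take(self, rows: list) -> list:
        """Return as many of `rows` as the remaining quota allows; drop the rest."""
        now = self.clock()
        if now - self.window_start >= self.window_seconds:
            self.window_start, self.served = now, 0  # new window, quota resets
        remaining = max(0, self.max_records - self.served)
        granted = rows[:remaining]
        self.served += len(granted)
        return granted


def throttle_demo() -> List[int]:
    """Three 4-row requests against a 5-record quota, then one after the window rolls."""
    fake_now = [0.0]
    throttle = OutputThrottle(max_records=5, window_seconds=60.0,
                              clock=lambda: fake_now[0])
    rows = list(range(4))
    sizes = [len(throttle.take(rows)) for _ in range(3)]  # 4, then 1, then 0
    fake_now[0] = 61.0  # simulated clock advances past the 60-second window
    sizes.append(len(throttle.take(rows)))  # quota restored: 4 again
    return sizes


if __name__ == "__main__":
    print("rows returned (unsafe, safe):", injection_demo())
    print("records granted per request:", throttle_demo())
```

The unsafe lookup returns every row for the quote-bearing input while the parameterized one returns none, which is the whole argument for binding parameters rather than filtering characters. The throttle silently truncates; a production version would also log the over-quota request, since repeated quota exhaustion by one principal is itself a signal worth alerting on.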
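Anonymization versus tokenization from the same list, as another added Python example that is not from the guide: anonymize_record permanently strips the identifying fields, while TokenVault replaces them with random tokens and keeps the token-to-value mapping in a separate object (standing in for the "more secure system or offline" store the text describes) so the original can be reconstructed on demand. The record fields, values and the tok_ prefix are constructed for the illustration.

```python
import secrets
from typing import Dict, List, Optional


class TokenVault:
    """Holds the token-to-value mapping. In practice this lives on a separate,
    more tightly controlled system (or offline) than the shared data set."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Return a random token for `value`, reusing one already issued so that
        records carrying the same value still match each other after sharing."""
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)  # random; derives nothing from value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Reconstruct the original value; None if the token was never issued."""
        return self._by_token.get(token)


def anonymize_record(record: Dict[str, str], identifying: List[str]) -> Dict[str, str]:
    """Permanently drop identifying fields; nothing is retained for reconstruction."""
    return {k: v for k, v in record.items() if k not in identifying}


def tokenize_record(record: Dict[str, str], identifying: List[str],
                    vault: TokenVault) -> Dict[str, str]:
    """Replace identifying fields with vault tokens; other fields are untouched."""
    shared = dict(record)
    for field in identifying:
        if field in shared:
            shared[field] = vault.tokenize(shared[field])
    return shared


def demo() -> Dict[str, object]:
    """Constructed record: tokenize it for sharing, then reconstruct from the vault."""
    record = {"name": "alice", "ssn": "123-45-6789", "zip": "02101"}
    identifying = ["name", "ssn"]
    vault = TokenVault()
    shared = tokenize_record(record, identifying, vault)
    return {
        "anonymized": anonymize_record(record, identifying),
        "plaintext_leaked": any(record[f] in shared.values() for f in identifying),
        "restored_ssn": vault.detokenize(shared["ssn"]),
        "unknown_token": vault.detokenize("tok_doesnotexist"),
        "zip_unchanged": shared["zip"] == record["zip"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The shared record is only as safe as the vault: if the token store sits on the same host with the same access controls as the shared data, tokenization degrades to a lookup table and offers no advantage over the original data.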

Industrial Control Systems (ICSs)

Industrial systems and critical infrastructures are often monitored
and controlled by simple computers called industrial control
systems (ICS). ICSs are based on standard embedded systems
platforms, and they often use commercial off-the-shelf software.
ICSs are used to control industrial processes such as
manufacturing, product handling, production, and distribution.
They typically have components that execute on embedded,
limited function hardware. They also typically contain interfaces
between logical (computer) space and the physical world. These
may include sensors, motors, actuators, valves, gauges, and so on.

PPT: Industrial Control System Types
Describe different ICS types and how they are differentiated.

Following are three well-known types of ICS systems:
l Supervisory control and data acquisition (SCADA): A SCADA
system can typically be viewed as an assembly of interconnected
equipment used to monitor and control physical equipment
in industrial environments. They are widely used to automate
geographically distributed processes such as electricity power
generation, transmission and distribution, oil and gas refining and
pipeline management, water treatment and distribution, chemical
production and processing, rail systems, and other mass transit.
l Distributed control systems (DCSs): Typically confined to a
geographic area or specific plant (e.g., manufacturing facility). They
are characterized by large numbers of semi-autonomous controllers.
They share many similarities with SCADA systems, but they are
typically confined to a defined area with a local control center.
l Programmable logic controllers (PLCs): Ruggedized industrial
controllers. They typically use specialized code that reacts in real
time to inputs. They may be stand-alone systems or included as
components in SCADA or DCS infrastructure.

PPT: Industrial Control System Vulnerabilities
Describe unique vulnerabilities and ask class to consider how common vulnerabilities might also apply.

Vulnerabilities
ICSs are typically composed of embedded system components and
some general purpose servers or clients running control software. The
general purpose components share vulnerability and mitigation types
with client- and server-based systems. The list of vulnerabilities below is
targeted at the embedded system components.
l Limited functionality: Standard OS functions and protections
may not be available.
l Limited protections: General purpose host protections are not
feasible.
l Long lifespan (become outdated): Typically in operation for
10+ years.
l Susceptible to misuse/error: Complicated, specialty systems;
difficult to validate correct code and configuration.
l Highly susceptible to denial of service (DoS) attacks: Typically
contain minimal communication protections and are very sensitive
to improper input.
l Attacks can produce physical effects: Unlike most computing
systems, attacks can cause impacts to the physical world.
l Often unattended in remote locations: Physical security
may be limited or unmonitored, allowing attackers to gain and
maintain physical access with limited effort.

PPT: Industrial Control System Mitigations
Describe unique mitigation and value of general mitigations to system type.

Mitigations
l Isolated network infrastructure: The most effective
mitigation is to ensure limited functionality components are
not connected or exposed to general purpose networks and
are only connected to highly controlled networks.
l Robust network connection restrictions and monitoring:
Any connections allowed on or off control system networks
must be carefully monitored.
l Highly segmented network: Networks segmented by
process or by devices that must directly communicate to
function. This generates some very small network segments,
but is highly desirable.
l Protect communication channels: All communication
channels must be heavily protected from outside access.
l Robust configuration control: Configuration and code on
devices must be robustly managed.

PPT: Cloud-based Systems
Define system type and characteristics.

Cloud-based Systems
For the sake of discussion, cloud computing has been formally
defined by NIST as:

“… a model for enabling ubiquitous, convenient, on-demand
network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and
services) that can be rapidly provisioned and released with minimal
management effort or service provider interaction.”

The definition from the comparable ISO/IEC standard 17888 for cloud
computing is similar: “Paradigm for enabling network access to a
scalable and elastic pool of shareable physical or virtual resources with
self-service provisioning and administration on-demand.”

PPT: Cloud-based System Characteristics
Describe unique cloud characteristics.

Five Essential Characteristics of Cloud Computing
NIST defines the five essential characteristics of cloud computing
as the following:
1. On-Demand Self-Service: A consumer can unilaterally
provision computing capabilities, such as server time and
network storage, as needed automatically without requiring
human interaction with each service provider.
2. Broad Network Access: Capabilities are available over the
network and accessed through standard mechanisms that
promote use by heterogeneous thin or thick client platforms
(e.g., mobile phones, tablets, laptops, and workstations).
3. Resource Pooling: The provider’s computing resources are
pooled to serve multiple consumers using a multi-tenant model,
with different physical and virtual resources dynamically assigned
and reassigned according to consumer demand. Examples of
resources include storage, processing, memory, and network
bandwidth.
4. Rapid Elasticity: Capabilities can be elastically provisioned and
released, in some cases automatically, to scale rapidly outward
and inward commensurate with demand.
5. Measured Service: Cloud systems automatically control and
optimize resource use by leveraging a metering capability at
some level of abstraction appropriate to the type of service (e.g.,
storage, processing, bandwidth, and active user accounts).

PPT: Cloud-based System Characteristics (continued)
Describe unique cloud characteristics.

The ISO/IEC 17888 standard includes the NIST characteristics and adds
a sixth:
6. Multi-Tenancy: A feature where physical or virtual resources are
allocated in such a way that multiple tenants and their computations
and data are isolated from and inaccessible to one another.

PPT: Cloud-based System Types
Describe different cloud types and how they are differentiated.

NIST and ISO/IEC 17889 identify three service models (NIST) and four
service categories (ISO/IEC 17889) that represent different types of cloud
services available. The first three are the same in both standards:

Software as a service (SaaS): The capability provided to the consumer is
to use the provider’s applications running on a cloud infrastructure. The
applications are accessible from various client devices through either a thin
client interface, such as a web browser (e.g., web-based email), or a program
interface. The consumer does not manage or control the underlying cloud
infrastructure, including network, servers, operating systems, storage, or
even individual application capabilities, with the possible exception of
limited user-specific application configuration settings.

Platform as a service (PaaS): The capability provided to the consumer
is to deploy onto the cloud infrastructure consumer-created or acquired
applications created using programming languages, libraries, services,
and tools supported by the provider. The consumer does not manage or
control the underlying cloud infrastructure, including network, servers,
operating systems, or storage but has control over the deployed
applications and possibly configuration settings for the application-
hosting environment.

Infrastructure as a service (IaaS): The capability provided to the
consumer is to provision processing, storage, networks, and other
fundamental computing resources where the consumer is able to deploy
and run arbitrary software, which can include operating systems and
applications. The consumer does not manage or control the
underlying cloud infrastructure but has control over operating
systems, storage, and deployed applications; and possibly limited
control of select networking components (e.g., host firewalls).

ISO/IEC 17789 adds an additional service category:

Network as a service (NaaS): A cloud service category in which
the capability provided to the cloud service customer is transport
connectivity and related network capabilities.

PPT: Cloud-based System Types (continued)
Describe different cloud types and how they are differentiated.

ISO/IEC 17888 defines the four categories above and adds some
additional service categories:
l Communication as a service (CaaS)
l Compute as a service (CompaaS)
l Data storage as a service (DSaaS)

PPT: Cloud-based System Deployment
Describe cloud deployment models.

NIST, ISO/IEC 17888, and ISO/IEC 17889 all describe four
different deployment models:

Private cloud: In this model, the cloud infrastructure is provisioned
for exclusive use by a single organization comprising multiple
consumers (e.g., business units). It may be owned, managed, and
operated by the organization, a third party, or some combination
of them, and it may exist on or off premises.

Community cloud: Community cloud infrastructure is provisioned
for exclusive use by a specific community of consumers from
organizations that have shared concerns (e.g., mission, security
requirements, policy, and compliance considerations). It may be
owned, managed, and operated by one or more of the organizations
in the community, a third party, or some combination of them, and it
may exist on or off premises.

Public cloud: The public cloud infrastructure is provisioned for open
use by the general public. It may be owned, managed, and operated
by a business, academic, or government organization, or some
combination of them. It exists on the premises of the cloud provider.

Hybrid cloud: The hybrid cloud infrastructure is a composition of
two or more distinct cloud infrastructures (private, community, or
public) that remain unique entities but are bound together by
standardized or proprietary technology that enables data and
application portability (e.g., cloud bursting for load balancing
between clouds). As more organizations are leveraging SaaS, PaaS,
and IaaS, it is important to be aware of the limited ability they have
to define specific security controls and functions.

Official (ISC)2 CISSP Training Guide

Vulnerabilities
Notes
l Inherently exposed to external communication/access: By
Vulnerabilities of Security
Architectures, Designs, and
their nature, cloud systems tend to be more exposed to external
Solution Elements communications.
l Misconfiguration a major risk: Cloud providers typically
PPT
have well managed infrastructure, but unfamiliarity with the
interface and management functions often results in users
Cloud-based System
misconfiguring the cloud service or hosted components in a
Vulnerabilities
way that exposes data.
Describe unique
vulnerabilities and ask l May exist for long periods (risk of being outdated): Services
class to consider how ported to cloud environment may exist for long periods of
common vulnerabilities time. While the underlying components provisioned by the
might also apply. cloud service provider (CSP) may be periodically updated, it is
often the user’s responsibility to update some components, but
assumptions may exist that it is not necessary or that the CSP is
PPT providing that function when they are not.
Cloud-based Mitigations l Gap between CSP and data owner security controls: There
Describe unique is a high risk for misunderstanding on the cloud customer’s part
mitigation and value of where the responsibilities of the CSP end for security and the
general mitigations to
system type.
customer responsibilities begin.

Mitigations
PPT l Reputable cloud service provider that supplies security
Distributed Systems information/testing results
Define system type and l Well trained system administrators
charateristics. l Robust configuration control/change control
l File and communication encryption
l Well managed identity and access controls
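The misconfiguration risk and the "robust configuration control" mitigation above can be made concrete with a small policy check. The example below is added here and is not part of the (ISC)2 guide: it inspects a storage-bucket policy written in the IAM-style JSON that several cloud providers use (Effect, Principal, Action, Resource) and flags any Allow statement that grants read access to the wildcard principal without a Condition. The bucket name, account id, role name and both policy documents are constructed placeholders.

```python
"""Flag storage-bucket policy statements that expose data to anyone.

Added example, not from the (ISC)2 guide. The two policies are constructed;
the bucket name, account id and role name are placeholders.
"""
import json

# Actions that grant read access to object contents or bucket listings.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _principals(statement):
    """Normalise the Principal field ("*", or {"AWS": "..."} / lists) to a flat list."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    found = []
    for value in principal.values():
        found.extend(value if isinstance(value, list) else [value])
    return found


def _actions(statement):
    action = statement.get("Action", [])
    return action if isinstance(action, list) else [action]


def find_public_read_statements(policy_json):
    """Return the Sids of Allow statements that let anyone read the data.

    A statement counts as public when its Principal is the wildcard "*",
    at least one Action grants read (or is a wildcard), and no Condition
    narrows who the wildcard applies to.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        wildcard_principal = "*" in _principals(stmt)
        grants_read = any(a in READ_ACTIONS for a in _actions(stmt))
        unconditional = "Condition" not in stmt
        if wildcard_principal and grants_read and unconditional:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed policy with the classic exposure: the whole world may read.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-customer-data/*",
    }],
})

# Corrected policy: only a named application role in the account may read.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-customer-data/*",
    }],
})

if __name__ == "__main__":
    print("weak :", find_public_read_statements(WEAK_POLICY))   # ['PublicRead']
    print("fixed:", find_public_read_statements(FIXED_POLICY))  # []
```

A check like this belongs in the change-control pipeline so that a policy is evaluated before it is applied, which is where the guide’s "configuration control" mitigation has its effect.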

PPT: Distributed Systems. Define system type and characteristics.

Distributed Systems
In a distributed computing environment, nodes and processors
operate independently, and storage and processing may be spread
across multiple components. Nodes “pass messages” to coordinate
and communicate. Example: Traditional telephone switches operate
independently for local calls but coordinate to pass calls between
them.
In computing terms, distributed systems may be used by large organizations
to spread processing and storage across multiple low-cost systems, or it can
include user provided resources operating collectively (e.g., peer to peer
networks).


PPT: Distributed System Vulnerabilities. Describe unique vulnerabilities and ask class to consider how common vulnerabilities might also apply.

Vulnerabilities
• Lack of central control/monitoring may introduce failures or allow entry of unauthorized nodes
• Data elements may be lost if nodes fail
• Inconsistent security levels between nodes are possible in large-scale organizational deployments and highly likely in peer to peer deployments
• Susceptible to communication failures, compromise, or denial of service (DoS) from either external attackers or internal components misbehaving (intentional or accidental)

PPT: Distributed System Mitigations. Describe unique mitigation and value of general mitigations to system type.

Mitigations
• Standard security rules for nodes to enter the distributed network
• Communication control, encryption, and redundancy
• Node backup and data sharing between nodes

PPT: Internet of Things (IoT) Systems. Define system type and characteristics.

Internet of Things (IoT) Systems
The Internet of Things (IoT) is made up of small, dedicated use devices that are typically designed as small form factor, embedded hardware with a limited functionality OS. They may interface with the physical world and tend to be pervasively deployed where they exist. They are often connected to general purpose networks with the protections applied to general purpose computing systems, and their full range of functions and external accessibility may be unclear to the owner or user.

PPT: Internet of Things (IoT) Vulnerabilities. Describe unique vulnerabilities and ask class to consider how common vulnerabilities might also apply.

Vulnerabilities
• Limited vendor support for updates: Vendors may provide a limited support lifecycle for individual devices and give little attention to security updates.
• Little to no onboard security capability: The devices have limited integrated security capabilities and rarely have any mechanism to allow external monitoring of their security functions (if any exist).
• Poor code management due to rapid development cycles: Vendor code may be suspect and “hacked together” from various sources to meet aggressive product release schedules.
• May contain limited or weak security implementations of standard protocols (e.g., Bluetooth, WiFi): While the devices are often capable of using standard protocols, the security features may be disabled or degraded in favor of interoperability and ease of use.

PPT: Internet of Things (IoT) Mitigations. Describe unique mitigation and value of general mitigations to system type.

Mitigations
In effect, most IoT devices are small embedded system controllers and should be treated like embedded systems or industrial control systems (ICSs), as appropriate.
• Isolated on private networks with controlled access
• Products selected for security features and updatability: inherently insecure products are not procured
• Product security/penetration testing
• Disable unneeded functions

PPT: Web-based Systems. Define system type and characteristics.

Web-based Systems
Web-based systems or applications are mainly characterized by user interaction occurring through a web browser using the HTTP or HTTPS protocols. Applications or data are accessible and manipulated through a web browser or web service, and they often connect to a data source (database) that may be on or off platform. They use standard protocols and interfaces, and connections are typically dynamic, with potentially thousands forming and closing within seconds of operation.

PPT: Web-based System Vulnerabilities. Describe unique vulnerabilities and ask class to consider how common vulnerabilities might also apply.

Vulnerabilities
Web servers or applications inherit the vulnerabilities of whatever platform or OS they execute upon. Common web vulnerabilities include the following:
• Accessibility to network communications/access: They tend to be highly exposed and accessible to outside attackers.
• Use of obsolete protocols/encryption: Unless specifically configured to prevent it, some web servers will allow obsolete or lower security protocols or encryption to support backwards compatibility with older browser types.
• Code/configuration errors that expose components or data: The main vulnerability in most web servers is in server configuration errors or code flaws.

PPT: Web-based System Mitigations. Describe unique mitigation and value of general mitigations to system type.

Mitigations
Besides mitigations applied to the platform, common mitigation strategies include the following:
• Protect system behind firewalls and access controls
• Limit and monitor communication protocols
• Scan, evaluate, and assess interfaces and code (HTML, Java, scripts, etc.)
• Tightly control configuration and change management
• Ensure platform is securely configured
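The “obsolete protocols/encryption” vulnerability and the “limit and monitor communication protocols” mitigation can be checked mechanically against a web server’s TLS configuration. The example below is added here and is not from the (ISC)2 guide: it audits an nginx-style configuration fragment (the directive names ssl_protocols and ssl_ciphers are nginx’s) and reports protocol versions and cipher suites that a current deployment should not accept. The two configuration fragments are constructed, and the list of obsolete protocols and weak cipher markers is this example’s own assumption, not a policy from the guide.

```python
"""Audit an nginx-style TLS configuration for obsolete protocols and ciphers.

Added example, not from the (ISC)2 guide. The configuration fragments are
constructed; the weak/obsolete classification is this example's assumption.
"""

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher-suite name fragments that indicate broken or weak primitives.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "aNULL")


def audit_tls_config(config_text):
    """Return a list of human-readable findings for the given config text."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("ssl_protocols"):
            # e.g. "ssl_protocols SSLv3 TLSv1 TLSv1.2;"
            for proto in line.rstrip(";").split()[1:]:
                if proto in OBSOLETE_PROTOCOLS:
                    findings.append(f"obsolete protocol enabled: {proto}")
        elif line.startswith("ssl_ciphers"):
            # e.g. "ssl_ciphers 'ECDHE-...:!aNULL:!MD5';" (OpenSSL cipher string)
            cipher_string = line.rstrip(";").split(None, 1)[1].strip("'\"")
            for suite in cipher_string.split(":"):
                if suite.startswith("!"):
                    continue  # explicitly excluded, so not a finding
                if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                    findings.append(f"weak cipher allowed: {suite}")
    return findings


# Constructed: backwards-compatible settings that keep obsolete options alive.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ALL:RC4-SHA:DES-CBC3-SHA';
}
"""

# Constructed: the corrected settings, limited to current protocols and suites.
STRONG_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5';
}
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(name, audit_tls_config(cfg) or "no findings")
```

Running the audit on every configuration change (rather than only at deployment) is what turns the one-off check into the continuous “limit and monitor” control the list asks for.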

PPT: Mobile Systems (3 slides). Define system type and characteristics.

Mobile Systems
Mobile systems include a large and diverse set of products. It is commonly agreed to include phones, tablets, and wearable devices. Many have a portable, small form factor and a limited functionality embedded OS. They typically contain limited amounts of data but are highly connected (cellular, WiFi, Bluetooth, tethering) devices designed for a single user.
Laptop and convertible computers are essentially general purpose computing platforms in a small form factor hardware configuration. These include laptops, convertibles, and full function computing platforms in tablet-like form factors. The main differentiator of this type of mobile platform is the inclusion of a full featured operating system with capabilities similar to a desktop computer. They typically contain large amounts of data and are multi-user capable. However, they may share connectivity characteristics with smaller form factor mobile systems and be highly connected (WiFi, Bluetooth, tethering, possibly cellular).
Are laptops mobile systems? Opinions may vary. They are certainly portable systems and share many of the physical security concerns of other mobile devices, but they may have significantly different security concerns associated with the OS. They are capable of more onboard controls (e.g., traditional computer host protections, logging, monitoring, access controls) and have different mitigation mechanisms available to them than other mobile device types. Some tablets cross the line between laptop characteristics and embedded mobile device characteristics.

PPT: Mobile System Vulnerabilities. Describe unique vulnerabilities and ask class to consider how common vulnerabilities might also apply.

Vulnerabilities
For most mobile device types:
• Loss or theft
• Weak access controls configured
• Unencrypted data
• Communication interception or eavesdropping
• Limited onboard security services and monitoring


PPT: Mobile System Mitigations (2 slides). Describe unique mitigation and value of general mitigations to system type.

Mitigations
Mitigations for embedded type mobile devices without a full featured OS:
• Mobile device management (MDM) installed and managed centrally
• Device tracking, wiping, software control, policy enforcement
• Activate screen lock and high complexity passcodes or biometrics
• Ensure device is encrypted
• Tunnel communications through a virtual private network (VPN) architecture
• Limit software/apps installed to trusted packages
• Prevent jailbreaking or rooting of devices, as this bypasses most built-in security functions and leaves the device susceptible to both local access and network based attacks
• Do not connect to public networks (e.g., coffee shop, hotel)
For laptops or hybrid systems with a full featured OS:
• Apply all traditional computer system protections (e.g., AV, FW, Host IPS, etc.)
• Ensure encryption is activated
• Ensure strong passwords, biometrics, or two factor authentication on all user accounts
• Activate anti-theft or tracking functions if available (available on many business class systems and some personal class systems)
• Tunnel mobile communications through VPN
• Do not connect to public networks (e.g., coffee shop, hotel)

PPT: Embedded Systems. Define system type and characteristics.

Embedded Systems
An embedded system is best characterized as a computing platform with a
dedicated function that usually has a limited function or specialized OS that
does not have the capabilities typical of a full featured OS (e.g., Windows,
MacOS, Standard Linux distro). Embedded systems typically have limited
processing power and a long service life in many applications. They may
include System on a Chip (SoC) architectures with very limited ability to
update. Embedded systems are common in IoT, ICS, and mobile devices
and tend to be highly diverse in nature with significant vendor specific
customizations. They perform specialized computing operations instead of
general purpose computing.


PPT: Embedded System Vulnerabilities. Describe unique vulnerabilities and ask class to consider how common vulnerabilities might also apply.

Vulnerabilities
Embedded systems have vulnerabilities associated with their particular function or use case. In general they include the following:
• Limited function design does not include full monitoring and security control implementation
• Limited access controls
• Limited ability to update; vendor support is often time limited

PPT: Embedded System Mitigations. Describe unique mitigation and value of general mitigations to system type.

Mitigations
For all classes or types of embedded systems, the following mitigations will typically improve security, but they may impact functionality and should be applied intelligently after appropriate tailoring.
• Limit access to devices
• Limit communications to devices
• Disable unnecessary/unneeded components/features/communications
• Isolate on dedicated networks if connected
• Monitor external communications with exterior sensors (e.g., network taps, sensors)
• Apply vendor updates when available

PPT: Activity: Designing Security into an Architecture (4 slides). Conduct activity.

Activity: Designing Security into an Architecture
The National Federal Amalgamated Corporation (NFAC) is developing a new customer facing application for amalgamated data. The initial design includes the following elements:
• Database servers within the NFAC data center that store customer private and sensitive data elements
• Application servers within the NFAC data center that access the database servers and are accessed by NFAC employee workstations
• Employee workstations (some desktop, some laptop) are used by NFAC employees to access the application servers to access, upload, modify, and delete sensitive customer data
• Web servers located with a cloud provider that access NFAC databases and applications to deliver data to external customers through a web browser

• Mobile applications distributed to customers for installation on Android and Apple devices that provide customer access via a Mobile Application Service hosted by the same cloud provider hosting the web servers

INSTRUCTIONS:
Consider the scenario and the vulnerabilities, mitigations, and controls discussed in the preceding modules. Each of the system types listed in the scenario has inherent strengths and weaknesses. For each item, identify potential risks or weaknesses and one or more controls or mitigations consistent with the access requirements listed in the scenario.

EXAMPLE:
Database Servers
• Risk: Database servers contain bulk sensitive data and may be targeted by adversaries.
• Control: Database servers will be placed on a protected network segment, and network access controls will prevent access to the database server for any connection except from authorized application servers.
Complete for:
Database Servers

Application Servers

Employee workstations

Web Servers

Mobile Applications

Module 6: Cryptography

PPT: Cryptography. Introduce the participants to the “Cryptography” module.

Module Objectives
1. Understand key terms associated with cryptography.
2. Understand how security services such as confidentiality, integrity, authenticity, non-repudiation, and access control are addressed through cryptography.
3. Understand the basic concepts of symmetric and asymmetric cryptography.
4. Describe hashing algorithms and digital signatures.
5. Understand the importance of key management.
6. Understand cryptanalysis methods.

PPT: Module Objectives. Introduce the module objectives.

PPT: Cryptography Services. Describe services provided by cryptography.

Cryptography Services
The word cryptography has been derived from two Greek words. The word cryptos translates into the word secret, and the word graphy translates into the word writing. Cryptography, therefore, literally means secret writing. Any form that takes something and turns it into a secret is defined as a form of cryptography. Historians have told us that cryptography is thousands of years old, and in fact, it was the ancient Egyptians who were the first (at least in recorded example) to use cryptography-like services to turn knowledge and words into secrets.
The question is: why turn something into a secret? The obvious
answer to that is to keep it confidential from certain people.
Throughout history knowledge has provided power over others. If
you can keep certain knowledge from others, you may have
significant advantage over them. Throughout history, cryptography
has been used mainly to secure communications belonging to the
powerful and the influential, usually governments, the military, and
royalty. The powerful people of this world have always used
ciphers. We have seen examples of the exchange of coded
messages among one another and decoded the messages of
others for their own advantage.
As we have seen, cryptography is about writing secrets. The first
secret messages were exchanged as long as thousands of years
ago. Cryptography involves scrambling some kind of useful
information in its original form, called plaintext, into a garbled or
secret form, called ciphertext. The usual intent is to allow two or
more parties to communicate the information while preventing
other parties from being privy to it.
Cryptography today can be said to provide some important
security services. The five key services that cryptography can
provide are the following:
1. Confidentiality: Cryptography provides confidentiality
through altering or hiding a message so that ideally it cannot
be understood by anyone except the intended recipient.
Confidentiality is a service that ensures keeping information
secret from those who are not authorized to have it. Secrecy
is a term sometimes used to mean confidentiality.
2. Integrity: Cryptographic tools can provide integrity services
that allow a recipient to verify that a message has not been
altered. Cryptography tools cannot prevent a message
from being altered, but they can be effective to detect
either intentional or accidental modification of the message.
Cryptographic functions use several methods to ensure that a message has not been changed or altered. These may include hash functions, digital signatures, and simpler message integrity controls such as message authentication codes (MACs), cyclic redundancy checks (CRCs), or even checksums. The concept behind this is that the recipient is able to detect any change that has been made to a message, whether accidentally or intentionally.
3. Authenticity: Sometimes referred to as “proof of origin,” this is
a service that allows entities wanting to communicate with each
other to positively identify each other. Information delivered
over a channel should be authenticated as to the origin of that
transmission. Authenticity can allow a recipient to know positively
that a transmission of information actually came from the entity
that we expect it from.
4. Non-repudiation: This is a service that prevents an entity from
denying having participated in a previous action. Typically, non-
repudiation can only be achieved properly through the use of
digital signatures. The word repudiation means the ability to
deny. So, non-repudiation means the inability to deny. There are
two flavors of non-repudiation:
o Non-repudiation of origin means that the sender cannot deny
they sent a particular message.
o Non-repudiation of delivery means that the receiver cannot
say that they received a different message than the one they
actually did receive.
5. Access Control: Through the use of cryptographic tools,
many forms of access control are supported—from log-ins
via passwords and passphrases to the prevention of access to
confidential files or messages. In all cases, access would only
be possible for those individuals who had access to the correct
cryptographic keys.
The fundamental goal of cryptography is to adequately address these
five security services in both theory and practice. Confidentiality is
normally achieved by encrypting the message content, data integrity is
achieved through cryptographic hashing functions, authenticity is
achieved through the use of asymmetric cryptography, non-repudiation
is normally achieved through the use of cryptographic digital signatures,
and access control can be achieved through both symmetric and
asymmetric key cryptography but encrypting with keys that allows the
recipient to decrypt with the proper keys.
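The integrity service above makes a point that is easy to state and easy to get wrong in practice: encryption alone does not detect alteration, a message authentication code does. The example below is added here and is not from the (ISC)2 guide. It uses a deliberately simple stream cipher (a SHA-256 keystream XORed with the message, built from the standard library only so the example runs offline) to show that a single changed ciphertext byte decrypts to a changed plaintext byte without any error, while an HMAC-SHA256 tag computed over the ciphertext rejects the altered message. The keys and the message are constructed.

```python
"""Confidentiality without integrity, and how a MAC restores detection.

Added example, not from the (ISC)2 guide. The stream cipher is a toy
construction (SHA-256 keystream XOR) chosen so the demo runs with only the
standard library; the keys and message are constructed.
"""
import hashlib
import hmac


def keystream(key, length):
    """Derive a keystream from the key: SHA-256 over key || counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """XOR the plaintext with the keystream (confidentiality only)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR is its own inverse


def mac_tag(mac_key, ciphertext):
    """Integrity tag over the ciphertext (encrypt-then-MAC) with HMAC-SHA256."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify_and_decrypt(enc_key, mac_key, ciphertext, tag):
    """Return the plaintext only if the tag verifies; None signals tampering."""
    if not hmac.compare_digest(mac_tag(mac_key, ciphertext), tag):
        return None
    return decrypt(enc_key, ciphertext)


def tamper_demo(enc_key=b"k" * 32, mac_key=b"m" * 32):
    """Change one ciphertext byte and report what each check observes.

    Returns (plaintext_from_decrypt_only, accepted_by_mac_check).
    """
    message = b"TRANSFER 100 TO ACCOUNT 42"
    ct = encrypt(enc_key, message)
    tag = mac_tag(mac_key, ct)

    # XOR ciphers are malleable: flipping the bits that distinguish "1" from
    # "9" in one ciphertext byte flips the same bits in the decrypted byte.
    pos = message.index(b"100")
    forged = bytearray(ct)
    forged[pos] ^= ord("1") ^ ord("9")
    forged = bytes(forged)

    altered = decrypt(enc_key, forged)                 # decrypts "cleanly" to 900
    accepted = verify_and_decrypt(enc_key, mac_key, forged, tag) is not None
    return altered, accepted


if __name__ == "__main__":
    altered, accepted = tamper_demo()
    print("decrypt only sees :", altered)      # b'TRANSFER 900 TO ACCOUNT 42'
    print("MAC check accepts :", accepted)     # False
```

The same lesson applies to the stronger ciphers used in production: an unauthenticated mode gives confidentiality but leaves modification undetected, so integrity comes from a MAC or a digital signature, or from an authenticated mode that builds one in.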

PPT: Data Protection. Explain data at rest and data in transit.

Data Protection
Data at Rest
The protection of stored data is often a key requirement for an organization’s sensitive information. Backups, off-site storage, password files, sensitive databases, valuable files, and other types of sensitive information need to be protected from disclosure or undetected alteration. This can usually be done through the use of cryptographic algorithms that limit access to the data to those that hold the proper encryption (and decryption) keys. Protecting these valuable assets of the organization can usually be done through cryptography, and it is referred to as protecting data at rest. Data at rest means the data is resting, stored on some storage media, without moving at any point.

PPT: End-to-End Encryption. Explain end-to-end encryption to address data in transit.

PPT: Link Encryption. Explain link encryption to address data in transit.

Data in Transit
Data in transit, sometimes referred to as data in motion, is data that is moving, usually across networks. Whether the message is sent manually, over a voice network, or via the internet, modern cryptography can provide secure and confidential methods to transmit data and allows the verification of the integrity of the message so that any changes to the message itself can be detected.

End-to-end Encryption
End-to-end encryption is generally performed by the end user within
an organization. The data is encrypted at the start of the
communications channel or before and remains encrypted until it is
decrypted at the remote end. Although data remain encrypted
when passed through a network, routing information remains visible.

Link Encryption
Data that is moving across a network can be protected using
cryptography. There are two methods for protecting data in transit
across a network, link or end-to-end encryption.
In general, link encryption is performed by service providers, such as a
data communications provider on networks. Link encryption encrypts
all of the data along a communications path (e.g., a satellite link,
telephone circuit, or T-1 line). Because link encryption also encrypts
routing data, communications nodes need to decrypt the data to continue routing. The data packet is decrypted and re-encrypted at each point in the communications channel. It is theoretically possible that an attacker compromising a node in the network may see the message in the clear. Because link encryption also encrypts the routing information, it provides traffic confidentiality (not data confidentiality) better than end-to-end encryption. In other words, it can be used to hide the routing information. Traffic confidentiality hides the addressing information from an observer, preventing an inference attack based on the existence of traffic between two parties.
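The trade-off just described (link encryption hides routing information on the wire but exposes the message at every node; end-to-end encryption keeps the message sealed but leaves the header visible) can be traced hop by hop. The example below is added here and is not from the (ISC)2 guide: it simulates a frame travelling sender → nodeA → nodeB → receiver under both schemes and records what each party, and a tap on the wire, can read in the clear. The path, keys, header and payload are constructed, and the cipher is a toy repeating-key XOR used only so the simulation runs offline.

```python
"""Who can read what under link encryption versus end-to-end encryption.

Added example, not from the (ISC)2 guide. The cipher is a toy repeating-key
XOR; path, keys, header and payload are constructed.
"""
from itertools import cycle


def xor(data, key):
    """Toy symmetric cipher: XOR with a repeating key (encrypt == decrypt)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


PATH = ["sender", "nodeA", "nodeB", "receiver"]
LINK_KEYS = {("sender", "nodeA"): b"k1", ("nodeA", "nodeB"): b"k2",
             ("nodeB", "receiver"): b"k3"}
E2E_KEY = b"end-to-end-key"
HEADER = b"dst=receiver"          # routing information
PAYLOAD = b"secret report"        # the message itself


def link_encryption_view():
    """Each link has its own key; every node decrypts the whole frame to read
    the header, then re-encrypts it for the next link.

    Returns {party: (header_in_clear, payload_in_clear)}, None = ciphertext only.
    """
    views = {}
    frame = HEADER + b"|" + PAYLOAD
    for src, dst in zip(PATH, PATH[1:]):
        views[src] = tuple(frame.split(b"|", 1))     # src holds the clear frame
        wire = xor(frame, LINK_KEYS[(src, dst)])      # header and payload opaque on the wire
        frame = xor(wire, LINK_KEYS[(src, dst)])      # dst must decrypt everything to route
    views["wire"] = (None, None)                      # traffic confidentiality
    views[PATH[-1]] = tuple(frame.split(b"|", 1))
    return views


def end_to_end_encryption_view():
    """The sender seals the payload once; nodes forward the frame unchanged,
    reading only the header. Same return shape as link_encryption_view()."""
    views = {}
    frame = HEADER + b"|" + xor(PAYLOAD, E2E_KEY)
    for node in PATH[:-1]:
        header, _ciphertext = frame.split(b"|", 1)   # node routes on the header
        views[node] = (header, PAYLOAD if node == "sender" else None)
    views["wire"] = (HEADER, None)                    # routing visible in transit
    header, ciphertext = frame.split(b"|", 1)
    views["receiver"] = (header, xor(ciphertext, E2E_KEY))
    return views


if __name__ == "__main__":
    for name, view in (("link", link_encryption_view()),
                       ("end-to-end", end_to_end_encryption_view())):
        print(name)
        for party, (hdr, payload) in view.items():
            print(f"  {party:9s} header={hdr!r:16} payload={payload!r}")
```

Reading the two tables side by side shows why the guide pairs the schemes rather than ranking them: link encryption is the one that hides who is talking to whom, end-to-end encryption is the one that keeps intermediate nodes from reading the message, and a design that needs both protections layers them.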

PPT: Cryptographic Evolution. Describe the eras of cryptography and give examples.

Cryptographic Evolution
Oddly enough, some of the earliest cryptographers were not really trying to hide anything. Rather, they were trying to draw attention to their subject and show off their language skills by playing with words. When knowledge of the written language was not widespread, for example during Julius Caesar’s time, ciphers did not need to be very complex. Because few people knew how to speak or read, Caesar’s cipher, simple as it was, was very effective. As history unfolded and more people were able to read and write, cryptographers had to find a better way to deal with the growing number of potential adversaries.
Throughout history, cryptography has been used mainly to secure
communications belonging to the powerful and the influential, usually
governments, the military, and also royalty. The powerful people of this
world have always used ciphers. They have exchanged coded messages
among one another and decoded the messages of others for their own
advantage. Throughout history, knowledge is power.
But with the advent of the computer, the widespread use of computer
technology has expanded the need for secure communications around
the world and the need for secure storage of sensitive information. The
advent of computers has changed many things but not the fundamentals
of cryptography. The fundamentals of cryptography are the same today
as they were hundreds and even thousands of years ago. They have just
been applied to today’s technology to provide some very good methods
of ensuring the confidentiality, integrity, authenticity, non-repudiation, and
access of information.
Computers have made adding complexity to cryptography very easy.
They have also made solving complexity more of a snap. Because of
rapidly advancing technology, secure systems must constantly be
assessed for the possibility of new attacks if security is to be maintained.
Secret sharing, a necessity in today’s world, is still a tug-of-war between
clever cryptographers and ingenious cryptanalysts with new tools in
their belts.

The Early (Manual) Era
Cryptographers have found evidence of cryptographic-type operations going back thousands of years. A perfect example of this is in early Egypt, where sets of nonstandard hieroglyphics were used in inscriptions to prevent certain people from being able to understand what was written on those inscriptions.
Another example, from later in history: the Spartans were known for something very appropriately called the Spartan scytale, a method of transmitting a message by wrapping a leather belt around a tapered dowel. Written across the dowel, the message would be unreadable once it was unwrapped from the dowel. The belt could then be carried to the recipient, who would be able to read the message as long as he had a dowel of the same diameter and taper.
There are further examples of the use and development of
cryptographic methods throughout the past two millennia. Julius
Caesar used the Caesar cipher, a very simple substitution cipher
that shifted the alphabet by three positions. Developments in
cryptographic science continued throughout the middle ages with
the work of Leon Battista Alberti, who invented the idea of a
cryptographic key in 1466, and the enhanced use of polyalphabetic
ciphers by Blaise de Vigenère.

The Mechanical Era
The major advancement developed in this era was the performance of
the algorithm on the numerical value of a letter, rather than the letter
itself. Up until this point, most cryptography was based on substitution
ciphers, such as the Caesar cipher. This was a natural transition into
the electronic era, where cryptographic operations are normally
performed on binary values of letters, rather than on the written letter
itself. For example, the alphabet could be written as follows: A = 0,
B = 1, C = 2 . . . Z = 25. This was especially integral to the one-time
pad and other cipher methods that were developed during this era.
This represented a major evolution of cryptography that really set the
stage for further developments in later time periods.
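Working on the numerical value of a letter, as this era introduced, turns the ciphers named above into arithmetic modulo 26 on A = 0 … Z = 25. The example below is added here and is not from the (ISC)2 guide: with one shift routine it implements the Caesar cipher (a fixed shift of three), the Vigenère cipher (the shift follows a keyword letter by letter) and the one-time pad (a random key as long as the message), and it also lists all 26 Caesar candidates to show why a cipher whose whole key space can be written on one page gives no security once the method is known. The messages, keyword and pad are constructed; the Vigenère keyword LEMON is the usual textbook example.

```python
"""Caesar, Vigenère and one-time pad as arithmetic on letter values A=0 ... Z=25.

Added example, not from the (ISC)2 guide; messages, keyword and pad are
constructed.
"""
import secrets
import string

ALPHABET = string.ascii_uppercase


def to_numbers(text):
    """Map letters to 0..25, dropping spaces and anything that is not a letter."""
    return [ALPHABET.index(c) for c in text.upper() if c in ALPHABET]


def to_letters(numbers):
    return "".join(ALPHABET[n % 26] for n in numbers)


def shift_encrypt(plaintext, key_numbers):
    """Add the key to the message position by position, modulo 26, cycling the key."""
    return to_letters(p + key_numbers[i % len(key_numbers)]
                      for i, p in enumerate(to_numbers(plaintext)))


def shift_decrypt(ciphertext, key_numbers):
    """Subtract the key modulo 26: the exact inverse of shift_encrypt."""
    return to_letters(c - key_numbers[i % len(key_numbers)]
                      for i, c in enumerate(to_numbers(ciphertext)))


def caesar(plaintext, shift=3):
    """Caesar cipher: one shift (Caesar used 3) applied to every letter."""
    return shift_encrypt(plaintext, [shift])


def vigenere(plaintext, keyword):
    """Vigenère cipher: the shift changes letter by letter, following the keyword."""
    return shift_encrypt(plaintext, to_numbers(keyword))


def random_pad(length):
    """A uniformly random pad of the given length from a CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def one_time_pad(plaintext, pad):
    """One-time pad: the pad must be at least as long as the message and used once."""
    key = to_numbers(pad)
    if len(key) < len(to_numbers(plaintext)):
        raise ValueError("pad must be at least as long as the message")
    return shift_encrypt(plaintext, key)


def caesar_candidates(ciphertext):
    """All 26 possible Caesar decryptions: the entire key space, listed."""
    return {s: shift_decrypt(ciphertext, [s]) for s in range(26)}


if __name__ == "__main__":
    print(caesar("ATTACK AT DAWN"))              # DWWDFNDWGDZQ
    print(vigenere("ATTACK AT DAWN", "LEMON"))   # LXFOPVEFRNHR
    pad = random_pad(12)
    ct = one_time_pad("ATTACK AT DAWN", pad)
    print(ct, "->", shift_decrypt(ct, to_numbers(pad)))
    for shift, text in caesar_candidates("DWWDFNDWGDZQ").items():
        print(f"shift {shift:2d}: {text}")
```

Seen as arithmetic, the three ciphers differ only in how the key stream is produced, which is exactly the point the text makes about the transition to the electronic era: once letters are numbers, the strength of the system lives in the key, not in the mechanics of the substitution.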

The Electro-Mechanical Era
In the early 20th century, the world saw the invention of complex
mechanical and electromechanical machines. In cryptography,
these machines, such as the Enigma machine used by the Germans
during World War II, provided more sophisticated and efficient
means of encryption and decryption.

The Modern Era
After World War II, we saw the subsequent introduction of electronics and computing. In cryptography, this has allowed elaborate schemes that offer greater complexity in encryption. Today’s cryptosystems operate in a manner that allows anyone with a computer to be able to use cryptography without even understanding cryptographic operations, algorithms, and advanced mathematics. This is because most cryptosystems are driven by software applications that have become easy to use and offer greater services. However, from our perspective, it is still important to implement a cryptosystem in a secure manner. In fact, the majority of attacks against cryptosystems are not the result of weaknesses in cryptographic algorithms or key lengths, but rather of poor or mismanaged implementations, usually related to key management.

Quantum Cryptography
A fundamental difference between traditional cryptography and quantum cryptography is the source of the security guarantee. In traditional cryptography, we primarily rely on mathematical problems that are believed to be hard (factoring, discrete logarithms, searching a large key space) as the mechanism that secures the algorithms. Quantum cryptography, on the other hand, uses physics to secure data. Put simply, in traditional cryptography strength comes from strong math, and in quantum cryptography the security rests on known physical laws rather than on mathematical difficulty.
Quantum cryptography, in practice quantum key distribution (QKD), is built on quantum physics. The relevant premise is the uncertainty principle of Werner Heisenberg: a particle's position and momentum cannot both be known with unlimited accuracy at the same time, and more generally, measuring a quantum state disturbs it. An eavesdropper who intercepts and measures the photons carrying the key therefore introduces errors that the legitimate parties can detect. Specifically, quantum cryptography is a set of protocols, systems, and procedures by which it is possible to create and distribute secret keys. Those keys are then used together with traditional cryptographic algorithms and protocols to encrypt and transfer data. It is important to note that quantum cryptography is not itself used to encrypt data, transfer encrypted data, or store encrypted data.
The need for asymmetric key systems arose from the issue of key distribution: the biggest issue in symmetric key cryptography is that users need a secure channel in order to set up a secure channel. Quantum cryptography addresses the key distribution problem by allowing two remote parties to agree on a cryptographic key with security that follows from the laws of physics rather than from computational assumptions. Two caveats matter in practice: the guarantee holds only if the physical devices behave as the protocol assumes, and QKD still requires an authenticated classical channel between the parties to compare measurement settings and estimate the error rate, so it does not remove the need for authentication. Once the key exchange takes place, conventional cryptographic algorithms are used. For that reason, many prefer the term quantum key distribution to quantum cryptography, as it is typically used only to distribute the symmetric keys required for secure exchange of information.
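As an added example that is not part of the (ISC)² guide, the following Python simulation walks through BB84, the original QKD protocol published by Bennett and Brassard in 1984, which the section above describes only in general terms. Photon transmission and measurement are modelled classically: a measurement in the basis the photon was prepared in returns the encoded bit, a measurement in the other basis disturbs the state and returns a random bit. The intercept-and-resend eavesdropper, the photon count and the random seed are assumptions for illustration.

```python
import random


def measure(bit: int, prep_basis: int, meas_basis: int, rng: random.Random) -> int:
    """Classical stand-in for measuring a photon. Measuring in the basis the
    photon was prepared in returns the encoded bit; measuring in the other
    basis disturbs the state and returns a uniformly random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84(n_photons: int, eavesdrop: bool, seed: int = 1):
    """Simulate one BB84 session and return (alice_key, bob_key, error_rate).

    eavesdrop=True models an intercept-and-resend attacker (Eve) who measures
    every photon in a random basis and re-sends what she measured. Basis 0 and
    1 stand for the rectilinear and diagonal bases.
    """
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            e_basis = rng.randrange(2)
            bit = measure(bit, a_basis, e_basis, rng)  # Eve collapses the state
            a_basis = e_basis                          # and re-sends in her basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))

    # Sifting over the authenticated classical channel: Alice and Bob compare
    # bases (not bits) and keep only the positions where they agree.
    kept = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    if not kept:
        return [], [], 0.0

    # Error estimation: a quarter of the sifted bits are revealed, compared and
    # discarded. Eve's wrong-basis measurements show up here as errors (about
    # 25% of the sampled bits under intercept-and-resend).
    cut = max(1, len(kept) // 4)
    sample, remaining = kept[:cut], kept[cut:]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    error_rate = errors / len(sample)

    alice_key = [alice_bits[i] for i in remaining]
    bob_key = [bob_bits[i] for i in remaining]
    return alice_key, bob_key, error_rate


if __name__ == "__main__":
    for eve in (False, True):
        a, b, err = bb84(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: key bits={len(a)}, sampled error rate={err:.3f}")
```

Without an eavesdropper the sampled error rate is exactly zero and both keys agree; with intercept-and-resend it jumps to roughly one quarter, which is what lets the parties abort before using the key. Note that the bases are exchanged over a classical channel that must be authenticated, or an active attacker could simply impersonate Bob.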
246 Domain 3: Security Architecture and Engineering

Key Encryption Concepts and Definitions

PPT: Key Encryption Concepts and Definitions (3 slides). Explain key cryptography concepts and definitions.

• Plaintext or cleartext: This is the message or data in its natural format and in readable form. Plaintext is human readable and is extremely vulnerable from a confidentiality perspective. Plaintext is the message or data that has not been turned into a secret.
• Ciphertext or cryptogram: This is the altered form of a plaintext message, made unreadable for anyone except the intended recipients. In other words, it has been turned into a secret. An attacker seeing ciphertext should be unable to read the message or determine its content without the key.
• Cryptosystem: This represents the entire cryptographic operation and system. It typically includes the algorithm, key, and key management functions, together with the services that can be provided through cryptography. The cryptosystem is the complete set of applications that allows sender and receiver to communicate using cryptography.
• Algorithm: A mathematical function used in the encryption and decryption processes. It may be quite simple or extremely complex. Also defined as the set of instructions by which encryption and decryption are done.
• Encryption: The process and act of converting a message from plaintext to ciphertext, also referred to as enciphering. The two terms are used interchangeably in the literature.
• Decryption: The reverse of encryption: converting a ciphertext message back into plaintext using the cryptographic algorithm and the key (cryptovariable) that was used to do the original encryption. Also used interchangeably with the term deciphering.
• Key or cryptovariable: The input that controls the operation of the cryptographic algorithm. It determines the behavior of the algorithm and permits the reliable encryption and decryption of the message. Both secret keys and public keys are used in cryptographic algorithms.
• Non-repudiation: The inability to deny. In cryptography, it is a security service by which evidence is maintained so that the sender and the recipient of data cannot deny having participated in the communication. There are two flavors of non-repudiation: "non-repudiation of origin" means the
Module 6: Cryptography 247


Official (ISC)2 CISSP Training Guide

sender cannot deny having sent a particular message, and "non-repudiation of delivery" means the receiver cannot claim to have received a different message than the one actually received.
• Cryptanalysis: The study of techniques for attempting to defeat cryptographic techniques and, more generally, information security services.
• Cryptology: The science that deals with hidden, disguised, or encrypted communications. It embraces communications security and communications intelligence.
• Collision: This occurs when a hash function generates the same output for different inputs. In other words, two different messages produce the same message digest.
• Key space: The total number of possible values of keys in a cryptographic algorithm or other security measure, such as a password. For example, a 20-bit key has a key space of 2^20 = 1,048,576 values, and a 2-bit key has a key space of 4.
• Initialization vector (IV): A non-secret binary value used as the initializing input to the encryption of a sequence of plaintext blocks. It increases security by introducing additional cryptographic variance (the same plaintext encrypted under the same key yields different ciphertext) and is also used to synchronize cryptographic equipment. Typically described as a "random starting point" or random number that starts the process; an IV must not be reused with the same key.
• Encoding: Changing a message into another format through the use of a code. This is often done by taking a plaintext message and converting it into a format that can be transmitted via radio or some other medium. Encoding provides no secrecy, since the code is public; it is used for representation and transmission (and sometimes error detection), not for confidentiality. An example would be converting a message to Morse code.
• Decoding: The reverse of encoding, converting the encoded message back into its plaintext format.
• Substitution: Exchanging one letter or byte for another. An example is the Caesar cipher, where each letter was shifted by 3 characters: an "A" was represented by a "D," a "B" by an "E," a "C" by an "F," and so on.
• Transposition or permutation: Reordering the plaintext to hide the message while keeping the same letters.
• Confusion: Making the relationship between the key and the ciphertext as complex as possible, so that ciphertext statistics reveal nothing simple about the key. In practice this is provided by substitution steps and by mixing a different round key into each of the repeated rounds of encryption, which adds complexity that the attacker must confront.
• Diffusion: Spreading the influence of each plaintext bit over many ciphertext bits, so that changing one plaintext character changes a large part of the ciphertext. Transposition contributes to this: the location of the first character of the plaintext may change several times during the encryption process, which makes cryptanalysis much more difficult.
• Avalanche effect: An important design consideration in all cryptography: a minor change in either the key or the plaintext should produce a significant, large change in the resulting ciphertext. This is also a feature of a strong hashing algorithm.
• Key clustering: When different encryption keys generate the same ciphertext from the same plaintext message.
• Synchronous: Each encryption or decryption request is performed immediately.
• Asynchronous: Encrypt/decrypt requests are processed in queues. A key benefit of asynchronous cryptography is utilization of hardware devices and multiprocessor systems for cryptographic acceleration.
• Hash function: A one-way mathematical operation that reduces a message or data file into a smaller, fixed-length output, the hash value (message digest). By comparing the hash value computed by the sender with the hash value computed by the receiver over the received file, unauthorized changes to the file can be detected, assuming both used the same hash function. Ideally, a hash function is deterministic (a given input always produces the same hash) and collision resistant (it is infeasible to find two different inputs that produce the same hash).
• Digital signatures: These provide authentication of a sender and integrity of the sender's message. The message is input into a hash function, then the hash value is signed with the private key of the sender (in RSA this step is often described as encrypting the hash with the private key). The result of these two steps is the digital signature. The receiver verifies the signature by recovering the hash value with the signer's public key, performing the same hash computation over the received message, and comparing the two hash values for an exact match. If the hash values are the same, the signature is valid.
• Symmetric: A term used in cryptography to indicate that the same key is required to encrypt and decrypt. The word "symmetric" means "the same," referring to the key that is required at both ends to encrypt and decrypt. Symmetric key cryptography has the fundamental problem of secure key distribution.
• Asymmetric: This word means "not the same." In cryptography it describes systems in which two different but mathematically related keys are used: one key is used to encrypt and the other is used to decrypt.
• Digital certificate: An electronic document that contains the name of an organization or individual, the business address, the digital signature of the certificate authority issuing the certificate, the certificate holder's public key, a serial number, and the expiration date. The certificate is used to identify the certificate holder and bind the holder to the associated public key when conducting electronic transactions.
• Certificate authority (CA): An entity trusted by one or more users as an authority in a network that issues, revokes, and manages digital certificates that prove the authenticity of public keys belonging to certain individuals or entities.
• Registration authority (RA): Performs certificate registration services on behalf of a CA. The RA, often implemented as a dedicated single-purpose server, is responsible for the accuracy of the information contained in a certificate request and is expected to validate the requesting user before the certificate request is passed to the CA.
• Work factor: The time and effort required to break a protective measure, or in cryptography, the time and effort required to break a cryptographic algorithm.
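The hash function, collision and avalanche effect definitions above can be observed directly. The following Python example is added here and is not part of the (ISC)² guide; it uses SHA-256 from the standard library to check the integrity of a constructed sample file, measures the avalanche effect of a one-bit change, and finds a collision by brute force on a deliberately truncated digest to show why digest length matters. The sample messages and the truncation length are assumptions for illustration.

```python
import hashlib
import itertools

# Constructed sample "file" contents for illustration (not from the guide).
ORIGINAL = b"Transfer 100.00 to account 12345\n"
TAMPERED = b"Transfer 900.00 to account 12345\n"


def sha256_hex(data: bytes) -> str:
    """Fixed-length 256-bit digest, rendered as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()


def integrity_check(received: bytes, sender_digest: str) -> bool:
    """Receiver recomputes the digest and compares it with the sender's value.
    Both sides must use the same hash function for this to be meaningful."""
    return sha256_hex(received) == sender_digest


def hamming_distance_bits(a_hex: str, b_hex: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def avalanche_distance(data: bytes) -> int:
    """Flip the lowest bit of the first byte and count how many of the 256
    output bits change. A good hash changes about half of them."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    return hamming_distance_bits(sha256_hex(data), sha256_hex(flipped))


def find_collision(output_bits: int):
    """Brute-force a collision on a digest truncated to output_bits bits.
    Returns (m1, m2, digest). By the birthday bound roughly 2**(bits/2)
    trials suffice, which is why real digests are 256 bits or longer."""
    mask = (1 << output_bits) - 1
    seen = {}
    for i in itertools.count():
        msg = f"message-{i}".encode()
        digest = int.from_bytes(hashlib.sha256(msg).digest(), "big") & mask
        if digest in seen:
            return seen[digest], msg, digest
        seen[digest] = msg


if __name__ == "__main__":
    d = sha256_hex(ORIGINAL)
    print("original verifies:", integrity_check(ORIGINAL, d))
    print("tampered verifies:", integrity_check(TAMPERED, d))
    print("bits changed by a one-bit flip:", avalanche_distance(ORIGINAL))
    m1, m2, c = find_collision(16)
    print(f"16-bit collision: {m1!r} and {m2!r} both truncate to {c:#06x}")
```

The 16-bit collision appears after a few hundred trials; doubling the truncated length to 32 bits already pushes the search to tens of thousands of trials, and at 256 bits it is infeasible, which is the whole point of the collision definition above.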

Methods of Cryptography
There are two primary methods of encrypting data: stream ciphering
and block ciphering.

Stream-based Ciphers

PPT: Stream-based Ciphers. Explain stream ciphering.

All cryptography fundamentally works with bits, zeros and ones. Any encryption algorithm takes the data that needs to be encrypted, turns that data into bits, and then applies the encryption method. Once we have the bits, we can work with them in two ways: one bit at a time, or a group of bits at a time. When a cryptosystem performs its encryption on a bit-by-bit basis, it is called a stream-based cipher, or a stream cipher. This is the method most commonly associated with streaming applications, such as voice or video transmission; wherever we are working with one bit at a time, it makes sense to use a stream cipher. The most well-known stream cipher algorithm is Rivest Cipher 4 (RC4). RC4 is now considered broken because of statistical biases in its keystream and has been prohibited in TLS (RFC 7465); it remains a useful teaching example but should not be deployed.
The cryptographic operation for a stream-based cipher is to mix the plaintext with a keystream that is generated by the cryptosystem. The
mixing operation is usually an exclusive-or (XOR) operation, which is a very fast mathematical operation.

Cryptographic Operation for a Stream-based Cipher

PPT: Cryptographic Operation for a Stream-based Cipher. Explain stream ciphering.

In stream ciphers, the plaintext is XORed with a seemingly random keystream to generate ciphertext. It is only seemingly random because the generation of the keystream is controlled by the key: if the key could not reproduce the same keystream for decryption, it would be impossible to ever decrypt the message. For the same reason, a keystream must never be used twice. XORing two ciphertexts produced with the same keystream cancels the keystream and leaves the XOR of the two plaintexts, from which either message can usually be recovered.
The XOR process is a key part of many cryptographic algorithms. It is a simple binary operation, addition modulo 2 without carry: if the two input bits are the same, 0 + 0 or 1 + 1, the output is 0; if they are different, 1 + 0 or 0 + 1, the output is 1. Because XOR is its own inverse, applying the same keystream a second time turns the ciphertext back into plaintext.

Operation of the Cipher

A stream-based cipher relies primarily on substitution, the substitution of one character or bit for another in a manner governed by the cryptosystem and controlled by the cipher key. For a stream-based cipher to operate securely, certain rules for the operation and implementation of the cipher must be followed. These are basic requirements for the keystream of any stream cipher:
• Statistically unpredictable: Given any number of successive bits from the keystream, it must not be possible to predict any of the following bits.
• Not linearly related to the cryptovariable: Knowledge of keystream output values must not disclose the cryptovariable (the encryption/decryption key). A keystream that is a linear function of the key can be solved for the key with a small amount of known plaintext.
• Statistically unbiased: There should be as many 0s as 1s, and as many 00s as 01s, 10s, 11s, and so on.
• Functional complexity: Each keystream bit should depend on most or all of the cryptovariable bits.
• Long period: The keystream should run for a very long time without repeating.

The keystream must be strong enough not to be easily guessed or predictable. In time, the keystream will repeat, and that period (the length of the repeating segment of the keystream) must be long enough that the repetition cannot be exploited. If the period is too short, the cipher degenerates into a repeating-key cipher and becomes susceptible to frequency analysis and other language-specific attacks.
The implementation of the stream-based cipher is probably the most important factor in the strength of the cipher. This applies to nearly every crypto product and, in fact, to security overall. Important factors in the implementation are ensuring that the key management processes are secure and cannot be readily compromised or intercepted by an attacker, and that a given key (or key and nonce pair) is never used to generate the same keystream twice.
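As an added example that is not part of the (ISC)² guide, the following Python code implements RC4 (named above as the best-known stream cipher) from its published key-scheduling and keystream-generation steps, shows that decryption is the same XOR operation, and then demonstrates the keystream-reuse failure described above: two messages encrypted under the same key XOR together to the XOR of the plaintexts, and a known plaintext then recovers the other message without the key. The key and messages are constructed for illustration; RC4 is deprecated and is used here only as a teaching cipher.

```python
def rc4_keystream(key: bytes):
    """Generator yielding the RC4 keystream for `key` (KSA followed by PRGA).
    RC4 is deprecated (RFC 7465); it is used here only as a teaching example."""
    # Key-scheduling algorithm: permute 0..255 under control of the key bytes.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XORing the data with the keystream. XOR is its
    own inverse, so one function serves both directions."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_reused_keystream(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two-time pad attack: c1 ^ c2 == p1 ^ p2 because the shared keystream
    cancels, so knowing p1 reveals p2 without ever learning the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


# Constructed key and messages for illustration only (equal lengths).
KEY = b"Key"
P1 = b"attack at eleven pm"
P2 = b"hold position here!"


def demo() -> bytes:
    """Encrypt two messages under the same key (the mistake) and recover the
    second from the first. Returns the recovered second plaintext."""
    c1 = rc4_crypt(KEY, P1)
    assert rc4_crypt(KEY, c1) == P1  # round trip: same operation decrypts
    c2 = rc4_crypt(KEY, P2)          # same key, hence the same keystream
    return recover_with_reused_keystream(c1, c2, P1)


if __name__ == "__main__":
    print("RC4('Key', 'Plaintext') =", rc4_crypt(KEY, b"Plaintext").hex())
    print("recovered second message:", demo())
```

The first line printed matches the published RC4 test vector for key "Key" and plaintext "Plaintext" (bbf316e8d940af0ad3), which is a quick way to check any stream cipher implementation before relying on it. The recovery step is exactly why the text insists the keystream be used only once.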
Block Ciphers

PPT: Block Ciphers (2 slides). Define and explain block ciphers.

A block cipher operates on blocks or chunks of bits. As plaintext is fed into the cryptosystem, it is divided into blocks of a preset size, often a multiple of the American Standard Code for Information Interchange (ASCII) character size: 64, 128, or 192 bits, for example.
Most block ciphers use a combination of substitution and transposition to perform their operations. Historically this made a block cipher relatively stronger than most stream-based ciphers, but more computationally intensive and possibly more expensive to implement; it is also why many stream-based ciphers were implemented in hardware, whereas a block-based cipher was most likely implemented in software. This is a historical generalization rather than a rule: a well-designed modern stream cipher is not inherently weaker than a block cipher, and block ciphers such as AES are now widely implemented in hardware as well.
Key Length

PPT: Key Length. Explain importance of key length.

As we have seen, key management is the most important issue surrounding cryptography. As part of key management, key length is a very important aspect to consider when generating cryptographic keys and choosing which algorithms to use. Key length is the size of a key, usually measured in bits, that a cryptographic algorithm uses in ciphering or deciphering protected information. The longer the key, the more possible key values exist (the key space); every additional bit doubles the key space. If the key is large enough, a brute-force attack against the key space becomes infeasible because it would take too long.
The goal of cryptography, as in security generally, is to make breaking the key (finding the correct key) cost more, in terms of effort, time, and resources, than the value of the information being protected.

Block Size

PPT: Block Size. Define block size.

As we have seen above, symmetric key algorithms are either block or stream ciphers. Block ciphers operate on a fixed-length string of bits. Usually this fixed length is 64 bits or a multiple of 64 bits (AES uses 128-bit blocks). The length of this bit string is referred to as the block size. For a single block, the plaintext and ciphertext are the same length; padding and an initialization vector add some overhead to a complete message. The block size of a block cipher, like key length, has a direct bearing on security: with a 64-bit block, the birthday bound means that after roughly 2^32 blocks (about 32 GB) encrypted under one key in a standard mode, repeated ciphertext blocks become likely and leak information about the plaintext, which is one reason 128-bit block ciphers are preferred today.
Block ciphers produce a fixed-length block of ciphertext. However, since the data being encrypted are an arbitrary number of bytes, the last piece of plaintext may not fill a full block. This is solved by padding the plaintext up to a multiple of the block size before encryption and removing the padding after decryption; the padding scheme must be unambiguous so that the receiver can tell padding from data.
Initialization Vectors (IVs): Why They Are Needed

PPT: Initialization Vectors (IV): Why They Are Needed. Explain the importance of initialization vectors and their application in cryptography.

Because messages may be of any length, and because encrypting the same plaintext block with the same key always produces the same ciphertext block, several modes of operation have been invented that allow block ciphers to provide confidentiality for messages of arbitrary length. These modes introduce the unpredictability that a single block-cipher operation lacks, so that even if the same key is used to encrypt the exact same message, the ciphertext produced is different each time. The IV is the random starting point, or random number, that begins the process and feeds this variability into the encryption. The IV need not be secret, but it must be unique for every message encrypted under a given key (and, for modes such as CBC, unpredictable); a reused or predictable IV lets an attacker recognize repeated plaintexts and, in some modes, recover them. Randomness and the prevention of patterns are essential in cryptography, and initialization vectors are a simple way to add that randomness to an encryption operation.
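To make the block size, padding and IV discussion above concrete, here is an added Python example that is not from the (ISC)² guide. Because the standard library has no block cipher, it builds a small 8-byte Feistel block cipher from SHA-256 (an assumption for illustration, not a cipher anyone should deploy) and uses it to compare ECB mode, which has no IV and therefore exposes repeated plaintext blocks, with CBC mode under a fresh random IV. PKCS#7-style padding handles a message that does not fill its last block. The key and message are constructed.

```python
import hashlib
import os

BLOCK = 8  # toy 64-bit block; real ciphers such as AES use 128-bit blocks


def _round(half: bytes, key: bytes, r: int) -> bytes:
    """Keyed round function built from SHA-256. A Feistel network never
    inverts this function, so it only needs to be a good keyed mixer."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[: BLOCK // 2]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Encrypt one 8-byte block. The algorithm is public and only the key is
    secret, as Kerckhoffs's principle requires."""
    L, R = block[: BLOCK // 2], block[BLOCK // 2 :]
    for r in range(rounds):
        L, R = R, xor(L, _round(R, key, r))
    return R + L


def decrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """The same structure with the round order reversed undoes encrypt_block."""
    L, R = block[: BLOCK // 2], block[BLOCK // 2 :]
    for r in reversed(range(rounds)):
        L, R = R, xor(L, _round(R, key, r))
    return R + L


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding: append n bytes of value n (1 <= n <= BLOCK). When
    the data already fills the last block a whole block of padding is added,
    so the receiver can always tell padding from data."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")  # corrupted or wrong-key ciphertext
    return data[:-n]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """ECB: every block is encrypted independently; there is no IV, so equal
    plaintext blocks give equal ciphertext blocks and the data's pattern leaks."""
    return b"".join(encrypt_block(key, b) for b in blocks(pad(pt)))


def cbc_encrypt(key: bytes, pt: bytes, iv=None) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first) before encryption. The IV is not secret and is sent
    as the first block, but it must be fresh for every message."""
    iv = os.urandom(BLOCK) if iv is None else iv
    out, prev = [iv], iv
    for b in blocks(pad(pt)):
        prev = encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    cb = blocks(ct)  # cb[0] is the IV
    pt = b"".join(xor(decrypt_block(key, c), p) for p, c in zip(cb, cb[1:]))
    return unpad(pt)


def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that repeat an earlier block."""
    cb = blocks(ct)
    return len(cb) - len(set(cb))


KEY = b"sixteen byte key"                           # constructed for illustration
MSG = b"ATTACK AT DAWN. " * 4 + b"signed, Caesar"   # repetitive 78-byte message


if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, MSG)))
    c1, c2 = cbc_encrypt(KEY, MSG), cbc_encrypt(KEY, MSG)
    print("CBC repeated blocks:", repeated_blocks(c1), "same ciphertext twice:", c1 == c2)
    print("CBC round trip ok:", cbc_decrypt(KEY, c1) == MSG)
```

With the repetitive message, ECB shows six repeated ciphertext blocks, exactly mirroring the repeats in the plaintext; CBC with a random IV shows none and produces a different ciphertext every time. Passing the same fixed IV twice makes CBC deterministic again, which is the IV-reuse failure the text warns about.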
Kerckhoffs's Principle

PPT: Kerckhoffs's Principle. Define Kerckhoffs's principle and its importance in cryptography.

Named after Dutch cryptographer Auguste Kerckhoffs, the principle states that "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." Most people summarize this as "the enemy knows the system," and therefore the only thing that provides security in cryptography is the secrecy of the key. We have to assume that the enemy will know the methods and the algorithms, so protecting the key becomes the most important aspect of cryptography. The corollary for practitioners is that a product whose security depends on keeping its algorithm secret should be treated with suspicion: a secret algorithm cannot be publicly reviewed, and its secrecy is lost the first time a device or binary is captured.

High Work Factor

PPT: High Work Factor. Explain work factor.

The average amount of effort or work required to break an encryption system is referred to as the work factor. The effort needed to decrypt a message without having the entire encryption key, or to find a secret key given all or part of a ciphertext, is likewise referred to as the work factor of the cryptographic system. Typically, the work factor is measured in units such as hours of computing time on one or more given computer systems, or the cost in dollars of breaking the encryption. If the work factor is sufficiently high, the encryption system is considered practically or economically unbreakable, sometimes described as "economically infeasible" to break. Communication systems using encryption schemes that are economically infeasible to break are generally considered secure. The work factor required to break a given cryptographic system decreases over time due to advances in technology, such as improvements in the speed and capacity of computers and their processors, and due to new cryptanalytic results, so key lengths and algorithm choices need to be reassessed periodically.
Encryption Systems
Various systems exist to encrypt and decrypt information and therefore provide cryptographic services. Many share common characteristics, such as the use of substitution and transposition.
Substitution Ciphers

PPT: Substitution Ciphers. Explain substitution.

Substitution ciphers involve the simple process of substituting letters for other letters or, more appropriately, substituting bits for other bits, based upon a cryptovariable. In the simplest form, the substitution is a shift of each letter by a defined number of positions in the alphabet. Some cryptosystems used early in the history of cryptography were based on substitution, including the Caesar cipher and ROT-13.
Substitution ciphers replace each letter of the plaintext with another that may be further down the alphabet. Encryption cryptosystems combine a method, called the algorithm, and a cryptovariable (key). With shift-based substitution ciphers, the method is "substitute by adding," and the key is how many positions to add. In Caesar's case, the key was shift 3. If Caesar's secret message to his generals was "attack at eleven pm," his encrypted message would read: dwwdfn dw hohyhq sp. An attacker trying to decrypt Caesar's cipher would repeatedly shift each letter one alphabetic position until the plaintext became readable, assuming that they could read and understand the language.
As we can see, Caesar's cipher has only 25 possible keys, as each letter can be shifted to one of 25 other positions. The objective of Caesar's cipher, and indeed of cryptography in general, is to make your adversary work a long time by having them try many keys. If the key space is large enough, the attacker would not even try, as the attack would not be feasible. Hopefully, by the time the attacker finds the correct key, the encrypted message has little or no value. In our example above, at 11:01 p.m. the value of "attack at eleven pm" has been greatly reduced.

Transposition Ciphers

PPT: Transposition Ciphers. Explain transposition.

Transposition (also called permutation) ciphers involve changing the actual positions of plaintext letters. Instead of substituting other letters, we move the letters around to create the ciphertext. As a simple example, a transposition of "eleven pm" could move each letter one position to the left, with the first letter wrapping around to the end. The ciphertext would then become "leven pme." Although the letters have been moved around, none of the ciphertext letters has changed; they have only moved. There is no replacement or substitution of letters, only rearrangement. Obviously, the transposition can be made more complex to offer more security, and throughout history we have seen some very good examples of transposition ciphers.

Monoalphabetic and Polyalphabetic Ciphers

PPT: Monoalphabetic and Polyalphabetic Ciphers. Define mono- and polyalphabetic ciphers and their relevance.

The Caesar cipher is a simple substitution algorithm that merely shifts the plaintext three places to create the ciphertext. We can describe this as a monoalphabetic system: a single cipher alphabet is used for the whole message, one letter standing for another throughout. The problem with monoalphabetic ciphers is that they can be broken by a technique called "frequency analysis." Frequency analysis uses known statistics about the language used in the message. For example, in the English language the letter "e" is the most commonly used letter, and the most commonly used three-letter word is "the." Knowing these statistics allows attackers to break monoalphabetic ciphers: simple substitution and transposition ciphers do not disguise the linguistic patterns of letter and word frequency in the encrypted message, so they are easily cracked using frequency analysis. To prevent frequency analysis, we can use multiple alphabets as part of the enciphering process.
The use of several alphabets for substituting the plaintext is called a "polyalphabetic" cipher. It is designed to make breaking the cipher by frequency analysis more difficult, or impossible for short messages. Instead of substituting from a single alphabet, the ciphertext is generated from several substitution alphabets, so the letter frequencies of the ciphertext no longer match those of the language. A well-known example of a polyalphabetic cipher is the Vigenère cipher. Blaise de Vigenère, a Frenchman, described a polyalphabetic cipher in the 16th century using a key word and 26 alphabets, each offset by one place. This is a very effective way of preventing frequency analysis from helping to break the cipher, although a polyalphabetic cipher with a short repeating key word can still be broken once the key length is found (the Kasiski examination), because each key position then reduces to a separate monoalphabetic cipher.
To summarize, adding complexity to a substitution cipher can make the disguise more effective. Ciphers can use several alphabets to provide more security and complexity. The idea is simple: instead of one alphabet, we create many, so that the attacker cannot apply language statistics directly. Using several alphabets with letters randomly rearranged, and then substituting letters from each alphabet for letters in the plaintext, provides a system that can defeat frequency analysis because, for example, the letter "e" would be represented by a different character in each of the alphabets used. These ciphers, known as polyalphabetic, are very effective because they disguise simple linguistic patterns.
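Both the substitution and the monoalphabetic sections above can be exercised with a short program. As an added example that is not from the (ISC)² guide, the Python below encrypts the page's own message with Caesar's shift of 3, brute-forces all 25 keys, and ranks the candidates by frequency analysis against the known frequencies of English letters, which is how the attack described in the text works in practice. The letter-frequency table and the chi-squared scoring rule are assumptions for illustration.

```python
import string

ALPHABET = string.ascii_lowercase

# Approximate relative frequencies (percent) of letters in English text, the
# language statistics that frequency analysis relies on (values are assumed
# typical figures, not from the guide).
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def shift_cipher(text: str, key: int) -> str:
    """Monoalphabetic shift (Caesar when key == 3). Letters are substituted,
    everything else is left untouched; decrypt by passing -key."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """How far the letter counts of `text` are from English; lower is closer.
    Rare letters (j, q, x, z) in a candidate are penalized heavily."""
    letters = [c for c in text if c in ALPHABET]
    n = len(letters)
    score = 0.0
    for ch in ALPHABET:
        expected = ENGLISH_FREQ[ch] / 100 * n
        observed = letters.count(ch)
        score += (observed - expected) ** 2 / expected
    return score


def brute_force(ciphertext: str):
    """Try all 25 non-trivial keys and return (key, plaintext) candidates,
    best-scoring first. With a key space this small the search is instant;
    frequency analysis only tells us which candidate to read first."""
    candidates = [(k, shift_cipher(ciphertext, -k)) for k in range(1, 26)]
    return sorted(candidates, key=lambda kp: chi_squared(kp[1]))


if __name__ == "__main__":
    ct = shift_cipher("attack at eleven pm", 3)
    print("ciphertext:", ct)
    for key, pt in brute_force(ct)[:3]:
        print(f"key={key:2d}  {pt}")
```

Even for a message this short the correct key ranks first, because every wrong shift turns at least one common plaintext letter into a rare English letter. A polyalphabetic cipher defeats this particular scoring because the ciphertext letter frequencies are flattened across several alphabets.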
Running Key Cipher

PPT: Running Key Cipher. Explain running key cipher.

The use of modular mathematics, and the representation of each alphabet letter by its numerical place in the alphabet, are the basis of many modern ciphers.

A  B  C  D  E  F  G  H  I  J  K   L   M   N   O   P   Q   ...  Z
0  1  2  3  4  5  6  7  8  9  10  11  12  13  14  15  16  ...  25

Figure 3.5: Running Key Cipher

The English alphabet is worked modulo 26 because there are 26 letters in the English alphabet. Working modulo 26 means that whenever the result of a mathematical operation is equal to or greater than 26, 26 is subtracted from the total as often as needed until the result is less than 26. Using the values above, the cryptographic operation is:
Ciphertext = plaintext + key (mod 26)
This is written as C = P + K (mod 26), and decryption is the reverse, P = C - K (mod 26).
Ciphertext is the value of the plaintext plus the value of the key, modulo 26. For example, the plaintext letter N has the value 13 in the table above (the table starts at A = 0). If the key letter used to encrypt it is a Q, with the value 16, the ciphertext value is 13 + 16 = 29. Because 29 exceeds the 26 letters of the English alphabet, 26 is subtracted and the ciphertext becomes the letter with the value 3, a D.

One-Time Pads

PPT: One-Time Pads. Define a one-time pad.

In a running key cipher, as described above, the key is a stream of letters (for example, text taken from a book) that is as long as the plaintext; when a short key word is repeated to cover the plaintext instead, as in the Vigenère cipher, the repetition is what cryptanalysis exploits.
The only cipher system asserted as unbreakable, as long as it is implemented properly, is the one-time pad. These are often referred to as Vernam ciphers after the work of Gilbert Vernam, who proposed the use of a key that is used only once, is as long as the plaintext, and never repeats.
The one-time pad uses the principles of the running key cipher, taking the numerical values of the letters and adding the value of the key. However, the key is a string of truly random values, exactly the same length as the plaintext, and it is never reused.
Earlier we discussed stream and block ciphers. Stream ciphers can be thought of as an attempt to approximate a one-time pad. A one-time pad uses a keystream of bits that is generated completely at random; the keystream is the same length as the plaintext message, and the two are combined, typically with the XOR operation. Because the entire keystream is truly random and used only once, a one-time pad has perfect secrecy: the ciphertext carries no information about the plaintext, so a brute-force attack is pointless, since every possible plaintext of the same length corresponds to some key and the attacker has no way to tell which one is correct. Stream ciphers were developed to obtain this behavior from a short key; they give up perfect secrecy in exchange for practicality, because their keystream is pseudorandom rather than truly random. In practical terms, a one-time pad is not breakable by frequency analysis or most other cryptanalytic attacks; its weaknesses are operational, since the pad must be truly random, kept secret, distributed securely, and never used twice.
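As an added example that is not from the (ISC)² guide, the following Python code carries the mod-26 arithmetic of the running key cipher through in code, reproduces the N + Q = D example, applies the same operation with a repeating key word (the Vigenère cipher) and with a random key as long as the message (a one-time pad), and then shows the perfect-secrecy property: for any target plaintext of the same length there is a key that decrypts the one-time-pad ciphertext to it, so the ciphertext alone cannot single out the true message. The key word and messages are constructed for illustration.

```python
import secrets

A = ord("A")


def val(letter: str) -> int:
    """Numerical place of an uppercase letter, A = 0 ... Z = 25 (Figure 3.5)."""
    return ord(letter) - A


def letter(value: int) -> str:
    """Inverse of val, reducing modulo 26 so 29 becomes D as in the text."""
    return chr(value % 26 + A)


def encrypt(plaintext: str, key: str) -> str:
    """C = P + K (mod 26), letter by letter. The key must cover the plaintext:
    pass a repeated key word for Vigenère or a random pad for a one-time pad."""
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the plaintext")
    return "".join(letter(val(p) + val(k)) for p, k in zip(plaintext, key))


def decrypt(ciphertext: str, key: str) -> str:
    """P = C - K (mod 26); Python's % keeps negative results in range."""
    return "".join(letter(val(c) - val(k)) for c, k in zip(ciphertext, key))


def vigenere_key(keyword: str, length: int) -> str:
    """Repeat a short key word to the message length. The repetition is the
    weakness that the Kasiski examination exploits once the period is known."""
    return (keyword * (length // len(keyword) + 1))[:length]


def one_time_pad(length: int) -> str:
    """Truly random key, as long as the message, to be used exactly once."""
    return "".join(letter(secrets.randbelow(26)) for _ in range(length))


def key_that_decrypts_to(ciphertext: str, wanted_plaintext: str) -> str:
    """Perfect secrecy in one line: K = C - P (mod 26). For a one-time pad every
    plaintext of the right length is explained by some equally likely key."""
    return "".join(letter(val(c) - val(p)) for c, p in zip(ciphertext, wanted_plaintext))


if __name__ == "__main__":
    print("N + Q =", encrypt("N", "Q"))                      # D, as in the text
    msg = "ATTACKATELEVENPM"                                  # constructed message
    vk = vigenere_key("LEMON", len(msg))
    print("Vigenere:", encrypt(msg, vk), "->", decrypt(encrypt(msg, vk), vk))
    pad = one_time_pad(len(msg))
    ct = encrypt(msg, pad)
    fake = key_that_decrypts_to(ct, "HOLDPOSITIONHERE")
    print("OTP ciphertext:", ct, "also decrypts to", decrypt(ct, fake))
```

The same encrypt function serves all three ciphers; only the key differs. What makes the one-time pad unbreakable is that the attacker cannot distinguish the real pad from the fabricated one produced by key_that_decrypts_to, whereas a repeating Vigenère key word is constrained and can be recovered.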

Steganography

PPT: Steganography. Define steganography.

Steganography is defined as the science of hiding information. Whereas the goal of cryptography is to make data unreadable by turning it into a secret, the goal of steganography is to hide the very existence of the data from a third party. Because cryptography is literally "secret writing" and steganography hides one thing within another, steganography is usually studied alongside cryptography and is often treated as a branch of the same field. The word steganography is derived from the Greek words "steganos," meaning covered or concealed, and "graphy," meaning writing. The relationship between the two can be summarized as follows: cryptography protects the contents of a message, whereas steganography conceals the fact that a secret message is being sent at all; the two are often combined, so that the hidden message is also encrypted in case the hiding is discovered.
There are different ways to hide something within something else, in other words, to perform steganography. These include hiding messages by using physical concealment techniques, referred to as physical steganography. Modern steganography uses technology to hide messages, including but not limited to the following:
• Covert channels
• Hidden text within web pages
• Hiding messages within picture files or sound files
• Null ciphers (hiding a message within another plaintext message)

There are a number of uses for steganography. One of the most widely used applications of steganography may be digital watermarking. A watermark, historically, is the replication of an image, logo, or text on paper stock so that the source of the document can be at least partially authenticated. A digital watermark can accomplish the same function; a graphic artist, for example, might post sample images on their website complete with an embedded signature so that they can later prove their ownership in case others attempt to portray the work as their own.

Null Cipher

PPT: Null Cipher (2 slides). Explain null cipher as part of steganography.

The term null cipher refers to hiding a message within another message that is in plaintext; in other words, the secret message is carried by an innocent-looking plaintext message. A simple example:
• Interesting Home Addition to Expand Behind Eastern Dairy Transport Intersection Meanwhile Everything.
• If the first letter of each word is used, the message decodes into the secret message I Hate Bed Time.
A very famous example of a null cipher is Lewis Carroll's acrostic poem "Are You Deaf, Father William?" The first letter of each line of the poem spells out the name of Adelaide Paine, the child friend to whom Carroll sent it:
“Are you deaf, Father William!” the young man said,
“Did you hear what I told you just now?
“Excuse me for shouting! Don’t waggle your head
“Like a blundering, sleepy old cow!
“A little maid dwelling in Wallington Town,
“Is my friend, so I beg to remark:
“Do you think she’d be pleased if a book were sent down
“Entitled ‘The Hunt of the Snark?’” -
“Pack it up in brown paper!” the old man cried,
“And seal it with olive-and-dove.
“I command you to do it!” he added with pride,
“Nor forget, my good fellow, to send her beside
“Easter Greetings, and give her my love.”

Advantages and Disadvantages of Symmetric Algorithms

PPT: Advantages and Disadvantages of Symmetric Algorithms. Emphasize advantages and disadvantages of symmetric key cryptography.

Symmetric algorithms are very fast and provide very secure methods of confidentiality. Many algorithms can be implemented in either hardware or software and are typically available at little or no cost to the user. However, there are serious disadvantages to symmetric algorithms: key distribution and management may be very difficult, especially in large organizations. The biggest problem of symmetric key cryptography is key distribution. The sender and receiver must have the same symmetric key to allow the encryption and decryption of the message, and distributing that key without anyone in between learning it is not easy. Secure distribution of keys has always been a fundamental problem of symmetric key cryptography.
Another problem related to symmetric key cryptography is scalability. The number of keys required for secure pairwise communication grows rapidly with every new user, according to the formula n(n - 1)/2, where n is the number of users. An organization with only 10 users, all wanting to communicate securely with one another, would require 45 keys (10 × 9 / 2). If the organization grows to 1,000 employees, the number of keys to manage expands to 499,500, nearly half a million.
Symmetric algorithms also cannot provide extended security services such as digital signatures, non-repudiation of origin, and non-repudiation of delivery. A symmetric key can provide integrity and authentication of origin between the two parties through a message authentication code (MAC), but because both parties hold the same key, a MAC cannot prove to a third party which of them created or altered a file protected with that key.
There are important requirements for key management needing to be
addressed in symmetric key cryptography. Selecting keys is an
important part of key management. There needs to be a process in
place that ensures a key is selected randomly from the entire keyspace
and that there is some way to recover a lost or forgotten key.

Out-of-Band Key Distribution

As we have referenced above, symmetric algorithms require both sender and receiver to share the same key. Therefore, as we have highlighted, there are challenges with secure key distribution. Often, the users must use what is referred to as an out-of-band channel, such as in person, mail, fax, telephone, or courier, to exchange secret keys. Out-of-band channel means using some channel other than the one that is being used to communicate the encrypted message. It implies that the out-of-band channel is more secure than the one being used for communication of the encrypted message. The use of an out-of-band channel should make it difficult for an attacker to seize both the encrypted data and the key.

Module 6: Cryptography 259
Official (ISC)2 CISSP Training Guide

PPT: Out-of-Band Key Distribution (continued). Explain out-of-band key distribution and its relevance to symmetric algorithms.

Key distribution is the most difficult challenge of symmetric key ciphers. Because the encryption and decryption processes both require the same key, the secure distribution of the key to both the sender and receiver is a key factor in the secure implementation of a symmetric key system. Out-of-band implies and requires that the cryptographic key cannot be sent in the same channel as the data.

Examples of Symmetric Algorithms

PPT: Examples of Symmetric Algorithms. Explain examples of symmetric algorithms.

Algorithms and systems such as the Caesar cipher, the Spartan scytale, and the Enigma machine are all examples of symmetric algorithms. As we have learned in regard to symmetric cryptography, sender and receiver require the same key at both ends, making key distribution the biggest problem in a symmetric system.
Basic Block Cipher Modes

PPT: Basic Block Cipher Modes (2 slides). Explain block cipher modes and relevance to cryptography.

Data Encryption Standard (DES) and some other block ciphers can be used in different modes. The following describe the basic block cipher modes that operate in a block structure.
• Electronic Code Book (ECB) Mode: ECB is the most basic block cipher mode. It is called codebook because it is similar to having a large codebook containing every possible 64-bit plaintext input and its corresponding 64-bit ciphertext output. When a plaintext block is received by ECB, it operates on that block independently and produces the ciphertext output. The problem with ECB is that repeated plaintext, when encrypted using the same key, will always produce the same ciphertext. This is because ECB does not use an IV to randomize the process; in fact, ECB is the only one of these modes that does not use an IV. The resulting patterns in the ciphertext reveal the structure of the plaintext and make cryptanalysis easier. For that reason, ECB is typically only used for very short messages, such as the transmission of a single key.
• Cipher Block Chaining (CBC) Mode: CBC is stronger than ECB in that each input block will produce a different output ciphertext block, even if the input blocks are identical. This is accomplished by introducing two factors that are lacking in ECB mode: an IV and a chaining function that XORs each plaintext block with the previous ciphertext block. If this mode did not have an IV, the chaining process applied to the same message would still create the same ciphertext every time. The IV is an unpredictable value that is mixed with the first block of plaintext; it acts much like the seed in a stream-based cipher. The sender and the receiver must both know the IV so that the message can be decrypted later.

PPT: Basic Block Cipher Modes (2 slides) (continued). Explain block cipher modes and relevance to cryptography.

The initial input block is XORed with the IV, and the result of that process is encrypted to produce the first block of ciphertext. This first ciphertext block is then XORed with the next plaintext block before it is encrypted, and the process is repeated for each successive block. This chaining process ensures that even if the input blocks are the same, the resulting outputs will be different. In other words, you can encrypt the exact same message twice, with the same key, and it will not produce the same ciphertext, because the IV is different in each of those encryptions. The IV does not have to be secret, but for CBC it must be unpredictable to an attacker who can choose plaintext; a predictable IV lets identical first blocks be detected across messages.

Stream Modes

PPT: Stream Modes (6 slides). Explain stream modes and relevance to cryptography.

The following modes of block ciphers operate as a stream. Even though we are describing block ciphers, these modes simulate stream cipher operation. A block-based cipher is subject to latency, or delay, in processing, because a whole block must be collected before it can be encrypted. This may make the block modes unsuitable for applications where data must be transmitted as it is produced. The stream modes make a block cipher more versatile and provide support for stream-based applications.
• Cipher Feedback (CFB) Mode: In CFB mode, the input is separated into individual segments, the size of which can be 1 bit, 8 bits, 64 bits, or 128 bits (the four sub-modes of CFB), usually 8 bits because that is the size of one character. When the encryption process starts, the IV is chosen and loaded into a shift register, which is then run through the encryption algorithm. The first 8 bits that come from the algorithm are XORed with the first 8 bits of the plaintext (the first segment). Each 8-bit ciphertext segment is then transmitted to the receiver and also fed back into the shift register. The shift register contents are encrypted again to generate the keystream to be XORed with the next plaintext segment. This process is repeated until the end of the input.
• Output Feedback (OFB) Mode: OFB is very similar in operation to CFB, except that instead of feeding the ciphertext result of the XOR operation back into the shift register for the ongoing keystream, it feeds the encrypted output itself back into the shift register to create the next portion of the keystream. Because the keystream and message data are completely independent, it is possible to generate the entire keystream in advance and store it for later use. A transmission error in OFB therefore affects only the corresponding plaintext bits, whereas in CFB it also corrupts the following segment.
• Counter (CTR) Mode: CTR mode is typically used in high-speed applications. In this mode, a counter block, which starts from a random or otherwise unique value, is a 64-bit block (for a 64-bit block cipher) that takes the place of the IV. A requirement of CTR is that the counter value must be different for every block of plaintext, so for each subsequent block the counter is incremented by 1, hence the name "counter." Each counter value is encrypted, just as in OFB, and the result is used as keystream and XORed with the plaintext. Because the keystream is independent of the message, several blocks can be processed at the same time, speeding up the entire process and increasing the throughput of the algorithm. The corresponding requirement is that a counter value must never be reused under the same key: reuse produces identical keystream, and XORing the two ciphertexts then reveals the XOR of the two plaintexts.

The Data Encryption Standard (DES)

PPT: The Data Encryption Standard (DES). Define DES and some of its characteristics.

The 1960s was really the decade in which modern computer cryptography began. It was during the 1960s that companies began needing secure ways to transmit information. At the time there was no standard; financial institutions began to need a standard encryption method they could have confidence in and use for secure data exchange. This need drove the National Bureau of Standards (NBS, the predecessor of today's National Institute of Standards and Technology, NIST) in 1972 to assist in the development of a secure cryptographic algorithm for sensitive, but not government classified, information. In 1974, it settled on the method submitted by IBM that became DES. Despite some controversy, DES was finally adopted as the federal standard for unclassified documents in 1977 and was for decades the most widely used cryptographic method in history.

DES was based on the work of Horst Feistel at IBM. Feistel had developed a family of algorithms whose core principle is to take the input block of plaintext and divide it in half. In each round, a keyed function of one half is XORed into the other half and the two halves are swapped, giving an algorithm that relies on substitution and permutation and whose decryption is the same sequence of operations with the round keys applied in reverse order.

DES operates on 64-bit input blocks and outputs 64-bit ciphertext blocks. There are 16 identical stages of processing, termed rounds. Before the main rounds, the block is divided into two 32-bit halves (because it is a Feistel cipher), and the halves are processed alternately using an effective 56-bit key. An actual DES key is 64 bits in length; however, every eighth bit of the key is used for parity and is therefore ignored by the cipher. This is why the effective length of the DES key is said to be 56 bits.
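The Feistel structure just described, together with the ECB, CBC, CFB, OFB and CTR modes covered above, as an added worked example that is not part of the original guide: a constructed toy 64-bit Feistel cipher whose round function is SHA-256 (standing in for the DES round function, which is not implemented here), with each mode built over it. Key, IV and plaintext values are illustrative, and the `ecb_leaks_repetition` check shows the codebook problem the ECB description warns about.

```python
"""Toy Feistel block cipher (64-bit block, 16 rounds) and the ECB, CBC, CFB, OFB, CTR modes.

Constructed teaching example: the round function is SHA-256, not the DES round function,
so only the structure (Feistel halves, chaining, feedback, counter) is being demonstrated.
"""
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES
HALF = BLOCK // 2

def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input, which is what the stream modes need for a final partial block
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(half: bytes, key: bytes, rnd: int) -> bytes:
    # Keyed, non-invertible F(R, K_rnd); the Feistel network supplies the invertibility
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def encrypt_block(block: bytes, key: bytes, rounds: int = 16) -> bytes:
    if len(block) != BLOCK:
        raise ValueError("block cipher input must be exactly one block")
    left, right = block[:HALF], block[HALF:]
    for rnd in range(rounds):
        # Feistel step: new L = old R, new R = old L XOR F(old R, K_rnd)
        left, right = right, xor_bytes(left, round_function(right, key, rnd))
    return right + left  # undo the last swap so decryption is the same network

def decrypt_block(block: bytes, key: bytes, rounds: int = 16) -> bytes:
    # Same network, round keys applied in reverse order
    if len(block) != BLOCK:
        raise ValueError("block cipher input must be exactly one block")
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(rounds)):
        left, right = right, xor_bytes(left, round_function(right, key, rnd))
    return right + left

def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def check_aligned(data: bytes) -> None:
    if len(data) % BLOCK:
        raise ValueError("ECB and CBC need input padded to a multiple of the block size")

def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    check_aligned(pt)
    return b"".join(encrypt_block(b, key) for b in split_blocks(pt))  # no IV, no chaining

def ecb_leaks_repetition(pt: bytes, key: bytes) -> bool:
    # True when equal plaintext blocks give equal ciphertext blocks: the ECB pattern leak
    blocks = split_blocks(ecb_encrypt(pt, key))
    return len(blocks) != len(set(blocks))

def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    check_aligned(pt)
    out, prev = [], iv
    for b in split_blocks(pt):
        prev = encrypt_block(xor_bytes(b, prev), key)  # C_i = E(P_i XOR C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    check_aligned(ct)
    out, prev = [], iv
    for b in split_blocks(ct):
        out.append(xor_bytes(decrypt_block(b, key), prev))  # P_i = D(C_i) XOR C_{i-1}
        prev = b
    return b"".join(out)

def cfb_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    out, feedback = [], iv
    for b in split_blocks(pt):
        c = xor_bytes(b, encrypt_block(feedback, key))  # keystream = E(previous ciphertext)
        out.append(c)
        feedback = c
    return b"".join(out)

def cfb_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, feedback = [], iv
    for b in split_blocks(ct):
        out.append(xor_bytes(b, encrypt_block(feedback, key)))  # forward cipher on both sides
        feedback = b
    return b"".join(out)

def ofb_crypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    # Keystream depends only on key and IV, so one function both encrypts and decrypts
    out, feedback = [], iv
    for b in split_blocks(data):
        feedback = encrypt_block(feedback, key)
        out.append(xor_bytes(b, feedback))
    return b"".join(out)

def ctr_crypt(data: bytes, key: bytes, counter_block: bytes) -> bytes:
    # Counter block i = initial value + i (mod 2^64); no value may repeat under the same key
    out, ctr = [], int.from_bytes(counter_block, "big")
    for i, b in enumerate(split_blocks(data)):
        keystream = encrypt_block(((ctr + i) % 2**64).to_bytes(BLOCK, "big"), key)
        out.append(xor_bytes(b, keystream))
    return b"".join(out)
```

With any 16-byte key and 8-byte IV, a plaintext of three identical 8-byte blocks encrypts to three identical ciphertext blocks under ECB and three different ones under CBC; encrypting the same plaintext under a different IV gives a different ciphertext; and reusing a CTR counter value for two messages makes the XOR of the two ciphertexts equal the XOR of the two plaintexts.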
Because every bit has a possible value of either 1 or 0, the effective key space for DES is 2 raised to the power of 56. Worked out, this gives a total of 72,057,594,037,927,936 possible keys, or about 72 quadrillion (a quadrillion is a 1 followed by 15 zeros).

DES has probably been subjected to more cryptanalysis than any other encryption method in history, and yet no practical holes have been found in the algorithm itself. In other words, the 16 rounds of substitution and transposition have held up; the weakness is the short key. Arguably, the best attack on DES is brute force: try each possible key, one at a time, until you find the correct one. In 1977, a 56-bit key was considered an excellent defense. A cryptanalyst without the key would have to try up to all 2^56 combinations of 0s and 1s (72 quadrillion possibilities) to find the correct key. Working at one million keys per second, trying them all would take an attacker more than 2,000 years, and finding the key would on average take about half that.

PPT: The Data Encryption Standard (DES) (continued). Define DES and some of its characteristics.

With the arrival of faster computer chips and processors, this requirement has been greatly reduced. A 1975 computer could try half of the possible DES keys in about 100,000 days, which is almost 300 years. Back in those days, that provided very good security. But over the past quarter century or so, computers have become roughly 100,000 times more powerful. This pattern of computers becoming stronger is described by what is referred to as Moore's Law, named after the observation made in 1965 by Gordon Moore, co-founder of Intel. His observation was that the number of transistors that could economically be placed on an integrated circuit had doubled every year since the integrated circuit was invented. Moore then predicted that this trend would continue for the foreseeable future. Since then, the pace has slowed a bit, but transistor density has doubled approximately every 18 months to two years, and this is arguably the current definition of Moore's Law.

In reference to DES, the pattern is clear. If you need a strong cryptographic method, DES no longer provides it, as it offers only 56 bits of strength; in 1998 the Electronic Frontier Foundation's purpose-built Deep Crack machine recovered a DES key by brute force in 56 hours. Other algorithms have been developed that support longer keys and, therefore, a larger key space.

PPT: Double-DES (2DES). Explain 2DES.

Double-DES (2DES)

As we've seen, the main problem with DES is that the key is too short to provide adequate protection against brute force attacks. Increasing the key length is an effective defense against a brute force attack, and the industry developed ways to improve the DES algorithm's resistance to brute force without changing the algorithm itself. These efforts are referred to as Double DES and Triple DES.

Double-DES refers to the use of two DES encryptions with two separate keys, nominally doubling the size of the DES key from 56 bits to 112 bits. Such an increase in key size would seem to do much more than double the strength of the cipher, since each additional bit doubles the number of keys in the keyspace: a 57-bit key space is twice as large as a 56-bit key space, a 58-bit key space is four times as large, and so on. However, there is an attack on Double-DES that reduces its effective number of keys to about the same number as in DES. This attack is known as the meet-in-the-middle attack, and it reduces the strength of Double-DES to almost the same as DES.

PPT: Double-DES (2DES) (continued). Explain 2DES.

Meet-in-the-Middle Attack on 2DES

PPT: Meet-in-the-Middle Attack on 2DES. Describe meet-in-the-middle attack.

Figure 3.6: Meet-in-the-Middle Attack on 2DES. Operation within the 2DES cryptosystem (two concatenated DES keys): plaintext is encrypted with the first key to produce the intermediate ciphertext "m", which is encrypted with the second key to produce ciphertext 2, sent to the receiver. The attack: encrypt the known plaintext using all possible keys, store and sort the results; then decrypt the ciphertext using all possible keys until a match is found with a stored result.

A very effective attack against double DES is based on doing a brute force attack against known plaintext. This attack is known as the meet-in-the-middle attack. The attacker encrypts the known plaintext using all possible keys and creates a table containing all possible results. This intermediate ciphertext is referred to as "m" for this discussion. This means encrypting under all 2^56 possible keys and sorting the table according to the values of "m". The attacker then decrypts the ciphertext using all possible keys until a match with a stored value of "m" is found; each match yields a candidate key pair, which is confirmed against a second known plaintext/ciphertext pair. The total work is about 2^57 DES operations (plus 2^56 table entries of storage), so the true strength of double DES is approximately 2^57, twice the strength of DES but not strong enough to be considered effective, instead of the 2^112 originally hoped for.

PPT: Triple DES (3DES). Explain 3DES.
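The attack itself as an added worked example that is not from the original guide: a constructed 16-bit toy cipher replaces DES so that every single key can be enumerated in a fraction of a second, and the `meet_in_the_middle` routine follows the steps of Figure 3.6 (forward table of intermediate values, backward decryption, match, then confirmation against further known pairs). The key values and plaintexts are made up for the demonstration.

```python
"""Meet-in-the-middle attack on double encryption, run against a constructed toy cipher.

The toy cipher is a keyed permutation of 16-bit blocks under a 16-bit key (it is NOT DES
and has no security of its own); it exists so that all 2^16 keys can be enumerated quickly
and the attack can be seen end to end.
"""
from __future__ import annotations

MASK = 0xFFFF
MULT = 0x6B8F                       # odd, so invertible modulo 2^16
MULT_INV = pow(MULT, -1, 1 << 16)   # Python 3.8+


def rotl16(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK


def toy_encrypt(block: int, key: int) -> int:
    # XOR key, multiply, rotate, add key: enough mixing for a teaching permutation
    t = ((block ^ key) * MULT) & MASK
    return (rotl16(t, 5) + key) & MASK


def toy_decrypt(block: int, key: int) -> int:
    t = rotl16((block - key) & MASK, 11)  # rotate left 11 undoes rotate left 5
    return ((t * MULT_INV) & MASK) ^ key


def double_encrypt(block: int, k1: int, k2: int) -> int:
    # The 2DES analogue: two encryptions, nominal 32-bit key made of two 16-bit halves
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs: list[tuple[int, int]]) -> tuple[int, int] | None:
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Work is about 2 * 2^16 cipher calls plus a 2^16-entry table instead of the 2^32 calls
    a brute force of the combined key would need: the same gap as 2^57 versus 2^112 for 2DES.
    """
    p0, c0 = pairs[0]
    # Forward pass: m = E_k1(p0) for every k1, stored so that m can be looked up
    table: dict[int, list[int]] = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
    # Backward pass: D_k2(c0) must equal some stored m. With a 16-bit block one pair leaves
    # roughly 2^16 false candidates, so the remaining known pairs are used to reject them.
    for k2 in range(1 << 16):
        for k1 in table.get(toy_decrypt(c0, k2), ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                return k1, k2
    return None
```

Four known plaintext/ciphertext pairs are enough here because each pair rejects a false candidate with probability about 1 in 2^16; with DES's 64-bit block, one or two pairs suffice.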

Triple DES (3DES)

The defeat of double DES resulted in the adoption of another improvement in how the DES algorithm could be used to stand up better against brute force attacks. This improvement is known as Triple DES. Triple DES is much more secure, so much so that although attacks on it have been proposed, the data requirements of these have made them impractical. With Triple DES, there are three DES operations with either three or two different and separate keys. Managing three keys is more difficult, thus many implementations use the two-key method, which reduces the key management requirement. The various ways of using Triple DES include the following:

PPT: Triple DES (3DES) (continued). Explain 3DES.

• DES-EEE3: three DES encryptions with three different keys
• DES-EDE3: three DES operations in the sequence encrypt-decrypt-encrypt with three different keys
• DES-EEE2 and DES-EDE2: same as the previous formats except that the first and third operations use the same key
The EDE sequence was chosen so that setting all three keys equal reduces Triple DES to single DES, giving backward compatibility. The meet-in-the-middle attack still applies, so three-key Triple DES offers about 112 bits of effective strength rather than 168, and NIST rates two-key Triple DES at about 80 bits. Its 64-bit block size is now the larger concern: NIST (SP 800-131A) deprecated Triple DES and disallowed it for encryption after 2023, and new designs should use AES.
PPT
Advanced Encryption Standard (AES)

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

PPT: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). Describe CCMP.

CCMP is defined as an encryption protocol that is part of the Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard for wireless local area networks. In other words, it is an encryption method used in Wi-Fi (WPA2). The CCMP protocol is based on Advanced Encryption Standard (AES) encryption using the Counter with CBC-MAC (CCM) mode of operation. It is designed for data confidentiality and integrity and is based upon the CCM mode of the AES standard. It was created to address the vulnerabilities identified in the dated Wired Equivalent Privacy (WEP).

How CCMP Works

PPT: How CCMP Works. Describe how CCMP works.

CCMP uses AES processing, specifically with a 128-bit key and a 128-bit block size. The AES algorithm (a block cipher) uses blocks of 128 bits; can use keys with lengths of 128, 192, or 256 bits; and correspondingly performs 10, 12, or 14 rounds. Many refer to AES as a variable algorithm because of the choices that it allows. CCMP's use of a 128-bit key together with a 48-bit packet number, carried in every frame, never reused under the same key and fed into the nonce, minimizes the vulnerability to replay attacks. The CTR mode encryption component provides data confidentiality. The Cipher Block Chaining Message Authentication Code component produces a message integrity code (MIC) that provides data origin authentication and data integrity for the packet payload and selected header fields. As we've noted, the 802.11i standard includes CCMP. AES is often referred to as the encryption protocol used by 802.11i; however, AES itself is simply a block cipher. The actual encryption protocol is CCMP.

Rijndael

PPT: Rijndael. Describe Rijndael and its relevance as the AES.

As previously discussed, the industry realized that the DES algorithm was becoming obsolete because of its short key length. To this end, NIST held a competition to develop the AES as a replacement for DES. The winner of this competition was Rijndael, a block cipher designed by Joan Daemen and Vincent Rijmen from Belgium. The design of the Rijndael algorithm was strongly influenced by the design of the block cipher Square, also created by Daemen and Rijmen.

The Rijndael algorithm can be implemented very efficiently on a wide variety of processors and in hardware or software. It is considered very secure and to this point has no known practical weaknesses. Rijndael's key length is variable, meaning that it can be set to 128, 192, or 256 bits. It must be set to one of these three lengths and not anything arbitrary. It also has a variable block size of 128, 192, or 256 bits.

All nine combinations of key length and block size are possible, although the official AES block size has been set to 128 bits. The number of rounds, or iterations of the main algorithm, varies from 10 to 14 and depends on the block size and key length (for AES: 10 rounds with a 128-bit key, 12 with a 192-bit key, 14 with a 256-bit key). The low number of rounds has been one of the main criticisms of Rijndael, but experts agree that if this ever becomes a problem, the number of rounds can be increased at little extra cost and effort.

Although Rijndael supports multiple block sizes, AES supports only one block size and is therefore a subset of Rijndael. AES is reviewed below in the 128-bit block format. The AES operation works on the entire 128-bit block of input data by first copying it into a 4 × 4 table (or array) of bytes that it calls the state. The inputs are placed into the array by column, so that the first four bytes of the input fill the first column of the array.

Each round of the Rijndael operation consists of four major operations:
1. Substitute bytes (SubBytes): use of an S-box to do a byte-by-byte substitution of the entire block.
2. Shift rows (ShiftRows): transposition or permutation by rotating each row of the table by a different offset.
3. Mix columns (MixColumns): a substitution of each value in a column based on a function of all the values in that column.
4. Add round key (AddRoundKey): XOR each byte with the key for that round; the round keys are derived from the cipher key by the key schedule and differ for each round.
An initial AddRoundKey precedes the first round, and the final round omits MixColumns.

PPT: Other Symmetric Algorithms (2 slides). Explain other symmetric algorithms.

PPT: International Data Encryption Algorithm (IDEA). Describe IDEA.

International Data Encryption Algorithm (IDEA)

IDEA was developed as a replacement for DES by Xuejia Lai and James Massey in 1991. It is considered one of the first serious attempts to come up with something that could replace DES, and one of the first widely deployed ciphers to use a key longer than 56 bits. IDEA uses a 128-bit key and operates on 64-bit blocks. IDEA performs eight rounds of substitution and transposition using modular addition, modular multiplication, and bitwise XOR, followed by a final output transformation.

PPT: International Data Encryption Algorithm (IDEA) (continued). Describe IDEA.

Because IDEA was developed as a possible replacement for DES, many in the industry compare IDEA to DES, as it has many of the same capabilities. As far as speed is concerned, software implementations of IDEA are comparable to those of DES, and hardware implementations are just slightly faster.

CAST

PPT: CAST. Describe CAST.

CAST-128 was published in 1996 by Carlisle Adams and Stafford Tavares. CAST-128 can use keys between 40 and 128 bits in length and performs 12 rounds for keys up to 80 bits and 16 rounds for longer keys; each round combines S-box substitutions, modular addition and subtraction, XOR, and rotations. CAST-128 is a Feistel-type block cipher with 64-bit blocks and is described in RFC 2144. CAST-256 was submitted as an unsuccessful candidate for the AES competition. CAST-256 operates on 128-bit blocks with keys of 128, 160, 192, 224, or 256 bits. It performs 48 rounds and is described in RFC 2612.

PPT: Secure and Fast Encryption Routine (SAFER). Describe SAFER.

Secure and Fast Encryption Routine (SAFER)

All of the algorithms in the SAFER family are patent-free. The algorithms were developed by James Massey and work on 64-bit input blocks with either 64-bit keys (SAFER SK-64) or 128-bit keys (SAFER SK-128). A later variant, SAFER+, uses 128-bit blocks and is used as a block cipher in Bluetooth authentication and key generation.

Blowfish

PPT: Blowfish. Describe Blowfish.

Blowfish is another example of a symmetric algorithm developed by Bruce Schneier. It is considered to be an extremely fast cipher, and one of its useful advantages is that it requires very little system memory (about 4 KB for its key-dependent S-boxes and subkeys). It is also a Feistel-type cipher in that it divides the input block into two halves and, in each of its 16 rounds, XORs a keyed function of one half into the other. What distinguishes Blowfish from earlier Feistel ciphers is that its S-boxes are generated from the key, which makes key setup comparatively slow and the cipher a poor fit where keys change often. The Blowfish algorithm operates with variable key sizes, from 32 up to 448 bits, on 64-bit input and output blocks.

Twofish

PPT: Twofish. Describe Twofish.

Twofish was one of the finalists for the AES competition mentioned earlier. It is a successor to Blowfish developed by a team of cryptographers led by Bruce Schneier. It can operate with keys of 128, 192, or 256 bits on blocks of 128 bits. Just like DES, it performs 16 rounds during the encryption and decryption process.

PPT: Twofish (continued). Describe Twofish.

Rivest Cipher 5 (RC5)

PPT: Rivest Cipher 5 (RC5). Describe RC5.

RC5 is a fast block cipher designed by Ron Rivest. The algorithm was designed to be used in existing security products and in a number of internet protocols. It was explicitly designed to be simple to implement in software; therefore, the algorithm uses no S-boxes or fixed bit permutations, relying instead on data-dependent rotations. Rivest designed a lengthy sub-key generation phase into the algorithm to make brute force key searching substantially more difficult without slowing down conventional one-key uses of RC5.

Today's RC5 is a parameterized algorithm with a variable block size, a variable key size, and a variable number of rounds. Allowable choices for the block size are 32, 64, and 128 bits. The number of rounds can range anywhere from 0 to 255, while the key can range from 0 bits to 2040 bits in size. There are three routines in RC5: key expansion, encryption, and decryption. In the key expansion routine, the user-provided secret key is expanded to fill a key table whose size depends on the number of rounds. The key table is then used in both encryption and decryption. The encryption routine consists of three primitive operations: integer addition, bitwise XOR, and variable (data-dependent) rotation.

Rivest Cipher 6 (RC6)

RC6 is a block cipher based on RC5 and, just like its predecessor, it is a parameterized algorithm where the block size, the key size, and the number of rounds are variable; the version submitted to the AES competition used 128-bit blocks, keys of 128, 192, or 256 bits, and 20 rounds. The upper limit on the key size is 2040 bits, which experts agree should make it strong for quite a few years. When RC6 was designed, two new features were built in compared to RC5. The first is the inclusion of integer multiplication, and the second is the use of four w-bit working registers (32-bit words in the AES submission) instead of RC5's two. Integer multiplication is used to increase the diffusion achieved per round so that fewer rounds are needed and the speed of the cipher can be increased.

PPT: Rivest Cipher 4 (RC4). Describe RC4 as a stream cipher.

Rivest Cipher 4 (RC4)

RC4, a stream-based cipher, was developed in 1987 by Ron Rivest for RSA Data Security and became the most widely used stream cipher, being deployed, for example, in WEP and Secure Sockets Layer/Transport Layer Security (SSL/TLS). RC4 can use a variable length key ranging from 8 to 2,048 bits (1 to 256 bytes) and has a period of greater than 10^100, which means that in practice the keystream will not repeat within any message of realistic length.

PPT: Rivest Cipher 4 (RC4) (continued). Describe RC4 as a stream cipher.

Confusion exists in the industry as to the weakness in WEP in regard to its use of RC4. The published attacks against RC4 in WEP exploit the way WEP constructs the per-packet key, by concatenating a 24-bit IV, sent in the clear, with the shared secret; that construction exposes weaknesses in RC4's key scheduling and reuses keystream once IVs repeat, so the attacks are primarily a consequence of how the algorithm was used rather than of the keystream generator alone. RC4 itself has since been shown to have statistical biases in its keystream that are exploitable in protocols such as TLS; RFC 7465 (2015) prohibits RC4 in TLS, and it should be considered obsolete for new designs regardless of key length.
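RC4 and the keystream-reuse failure behind the WEP attacks, as an added example that is not the guide's own code: the key scheduling and keystream generation as published, checked against the widely reproduced test vector (key "Key", plaintext "Plaintext"), plus a `wep_style_packet_key` helper that mimics only WEP's IV || key construction, not the rest of the protocol. The shared secret, IV and packet contents are constructed for the demonstration.

```python
"""RC4 key scheduling (KSA) and keystream generation (PRGA), and the keystream-reuse failure.

Constructed example: implements the published RC4 algorithm; the two "WEP-style" messages
used with it are made up, and wep_style_packet_key is a simplification of WEP's key handling.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    # KSA: permute S using the key. WEP fed this step IV || key with the IV known to the attacker.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # PRGA: walk the permutation and emit one keystream byte per step
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def wep_style_packet_key(iv: bytes, shared_key: bytes) -> bytes:
    # WEP built the per-packet RC4 key as IV || shared key, with a 24-bit IV sent in the clear
    return iv + shared_key


def recover_second_plaintext(ct1: bytes, known_pt1: bytes, ct2: bytes) -> bytes:
    # Two ciphertexts under the same keystream: ct1 XOR ct2 = pt1 XOR pt2, so knowing pt1 gives pt2
    n = min(len(ct1), len(ct2), len(known_pt1))
    return bytes(a ^ b ^ c for a, b, c in zip(ct1[:n], known_pt1[:n], ct2[:n]))
```

Once two packets share an IV (and WEP's 24-bit IV space wraps quickly on a busy network) their keystreams are identical, and an attacker who can guess one packet's contents, such as a well-known protocol header, reads the other without touching the key.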
Asymmetric Cryptography

Asymmetric Algorithms

PPT: Asymmetric Algorithms (2 slides). Explain asymmetric key cryptography.

When someone wishes to communicate using an asymmetric algorithm, they first require the generation of two keys, referred to as a key pair. Usually this is done by the cryptosystem itself, often implemented as part of a public key infrastructure (PKI), without user involvement, to ensure the strength of the key generation process. One half of the key pair is kept very secure and secret and is known only to the key holder; for this reason, it is referred to as the private key. The other half of the key pair can be given freely to anyone who may want to communicate with the private key holder. Because this key is made available to the general public, it may be published on corporate websites or on public key servers available through the web, or sent as an attachment to email. This is why this half of the key pair is referred to as the public key.

Asymmetric algorithms are built on one-way functions: a process that is much simpler to carry out in one direction, the forward direction, than to reverse. In other words, it is computationally infeasible to work backwards from the public key to the private key. A one-way function is one in which there is an enormous difference between the time required to perform the function itself, referred to as the forward or fast direction, and the time required to perform its inverse, the reverse or slow direction. As an example, the Rivest-Shamir-Adleman (RSA) encryption algorithm is based on the fact that you can easily and quickly multiply two large prime numbers together, but it takes a very long time to factor the product back into its two prime factors. If the product is large enough, the difference in the time required is many orders of magnitude.

As an illustration of this concept, think of an information diode. A diode is an electronic component that allows current to flow easily in one direction but poorly, if at all, in the opposite direction.

The process to generate the public key (forward) is fairly simple, and providing the public key to anyone who wants it does not compromise the private key, because the process to go from the public key to the private key is computationally infeasible.

PPT: Asymmetric Algorithms (continued). Explain asymmetric key cryptography.

As mentioned, all asymmetric key cryptography algorithms are based on these one-way functions, sometimes also referred to as "hard" math problems. Two hard math problems are typically used to provide the security between the public key and the associated private key: the "factoring" problem and the "discrete logarithm" problem. RSA is the best-known algorithm that relies on the factoring problem. Most of the others, including Diffie-Hellman, ElGamal, and elliptic curve cryptography (ECC), rely on the discrete logarithm problem (for ECC, the discrete logarithm problem over the points of an elliptic curve). The discrete logarithm problem is similar to the factoring problem in that it provides the mathematical basis for the strength of the algorithm. Instead of factoring, the problem here is finding the logarithm of a large number that has been produced by exponentiation in a finite group.

PPT: Using Public Key Cryptography to Send a Confidential Message. Describe how to address confidentiality in asymmetric key cryptography.

Using Public Key Cryptography to Send a Confidential Message

Because the keys are mutually exclusive but mathematically related to each other through a one-way function, any message that is encrypted with a public key can only be decrypted with the corresponding other half of the key pair, the private key. Therefore, as long as the key holder keeps the private key secure, there exists a method of transmitting a message with confidentiality. The sender encrypts the message with the public key of the receiver. This ensures that only the receiver, who holds the private key, will be able to open or read the message, providing confidentiality.

Figure 3.7: Using Public Key Cryptography to Send a Confidential Message. Plaintext → Encryption (key material: encrypt with public key of receiver) → Ciphertext → Decryption (key material: decrypt with private key of receiver) → Plaintext.

Open Message

PPT: Open Message. Describe how to address authenticity in asymmetric key cryptography.

Public key cryptography can be used to achieve other results. Assume, for example, that message confidentiality is not our goal. Disclosure of the message is not important, but it may be very important to verify the identity of the sender. This goal can also be achieved using asymmetric key cryptography.

In this case, the sender of the message would encrypt the message with their own private key. This would ensure that the only key able to decrypt the information is the sender's public key. Because the public key is not kept secret, this method does not provide message confidentiality. However, because the message was encrypted using the sender's private key, it offers a way to prove that it was actually produced by the sender, because only they hold that private key. The sender, at this point, cannot deny having sent the message. This is the principle behind digital signatures; in practice a hash of the message is signed rather than the whole message, and the verifier recomputes the hash and compares it with the value recovered using the public key.

PPT: Using Public Key Cryptography to Send a Message with Proof of Origin. Describe how to address authenticity in asymmetric key cryptography.

Using Public Key Cryptography to Send a Message with Proof of Origin

Figure 3.8: Using Public Key Cryptography to Send a Message with Proof of Origin. Plaintext → Encryption (key material: encrypt with private key of sender) → Ciphertext → Decryption (key material: decrypt with public key of sender) → Plaintext.

PPT: Confidential Messages with Proof of Origin. Describe how to address confidentiality and authenticity in asymmetric key cryptography.

Confidential Messages with Proof of Origin
What if the goal is to provide confidentiality of the message and to prove the source of it? Asymmetric key cryptography can address this as well; however, it requires two encrypting steps and two decrypting steps. In this scenario, encryption is done first using the sender’s private key. A second encrypting step is now necessary: the message is encrypted again using the receiver’s public key. This will ensure that only the recipient will be able to decrypt the message because, as we have said before, we have to assume that their private key is kept confidential. At the other end, the following is necessary. First, the receiver will need to decrypt using their own private key and then decrypt again using the sender’s public key. This series of steps achieves two services: it proves the message came from the actual sender, and it also provides confidentiality of the message. Therefore, by encrypting a message with the private key of the sender and the public key of the receiver, the ability exists to send a message that is confidential and also has proof of origin.

Module 6: Cryptography 271

Official (ISC)2 CISSP Training Guide

PPT: Confidential Messages with Proof of Origin (continued). Describe how to address confidentiality and authenticity in Asymmetric Key cryptography.

Figure 3.9: Confidential Messages with Proof of Origin. Sender: Plaintext Message → Encrypt (key material: private key of sender; proof of origin operation) → Intermediate Ciphertext → Encrypt (key material: public key of receiver; confidentiality operation) → Transmitted Ciphertext. Receiver: Transmitted Ciphertext → Decrypt (key material: private key of receiver; confidentiality operation) → Intermediate Ciphertext → Decrypt (key material: public key of sender; proof of origin operation) → Plaintext Message.

PPT: Rivest-Shamir-Adleman (RSA) Algorithm. Describe RSA.

PPT: Diffie-Hellman Algorithm. Describe other Asymmetric algorithms.

Rivest-Shamir-Adleman (RSA) Algorithm
RSA is an asymmetric key cryptosystem that offers both encryption and digital signatures, providing non-repudiation, integrity, and authentication of source. Ron Rivest, Adi Shamir, and Leonard Adleman developed RSA in 1977, and as you might have surmised, RSA stands for the first letters of its inventors’ surnames.
The RSA public (asymmetric) key algorithm is one of the most popular and secure (given long key lengths) encryption methods available in the asymmetric cryptography area. The algorithm capitalizes on the fact that there is no efficient way to factor very large numbers that are the product of two primes. Therefore, the security of RSA is based on the assumption that factoring is difficult. Factoring is defined as taking a number and finding the numbers that can be multiplied together to calculate that number. As processors have become faster, RSA allows for the increase of key sizes to counter the possibility of factoring and therefore deducing the private key.
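The three message flows of Figures 3.7, 3.8 and 3.9, and the RSA operation they rest on, worked out in runnable form. This is an added example, not code from the guide: it uses textbook RSA on the constructed toy primes (61, 53) for the sender and (89, 97) for the receiver, with no padding, so it is for following the arithmetic only. The function names (`rsa_keypair`, `send_confidential`, `send_with_proof_of_origin`, `send_confidential_with_proof` and their counterparts) are this example's own.

```python
"""Textbook RSA on toy primes, showing the three message flows of Figures 3.7,
3.8 and 3.9. Added example, not the guide's own code. The primes (61, 53) and
(89, 97) are constructed teaching values; real keys use primes of 1024+ bits
and padding (OAEP for encryption, PSS for signatures), and the raw
"encrypt with the private key" step is only ever applied to a message
digest in practice, never to the message itself.
"""
from math import gcd
from typing import NamedTuple


class RsaKeyPair(NamedTuple):
    n: int   # modulus, public
    e: int   # public exponent
    d: int   # private exponent, must stay secret


def rsa_keypair(p: int, q: int, e: int) -> RsaKeyPair:
    """Derive (n, e, d) from two primes and a public exponent."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p - 1)(q - 1)")
    return RsaKeyPair(n=p * q, e=e, d=pow(e, -1, phi))   # modular inverse, Python 3.8+


def apply_public(key: RsaKeyPair, x: int) -> int:
    """Raw RSA with the public exponent: x^e mod n."""
    if not 0 <= x < key.n:
        raise ValueError("value must be smaller than the modulus")
    return pow(x, key.e, key.n)


def apply_private(key: RsaKeyPair, x: int) -> int:
    """Raw RSA with the private exponent: x^d mod n."""
    if not 0 <= x < key.n:
        raise ValueError("value must be smaller than the modulus")
    return pow(x, key.d, key.n)


# Figure 3.7: confidentiality. Only the holder of the receiver's private key can open it.
def send_confidential(receiver: RsaKeyPair, m: int) -> int:
    return apply_public(receiver, m)


def open_confidential(receiver: RsaKeyPair, c: int) -> int:
    return apply_private(receiver, c)


# Figure 3.8: proof of origin. Anyone with the sender's public key can open it,
# but only the holder of the sender's private key could have produced it.
def send_with_proof_of_origin(sender: RsaKeyPair, m: int) -> int:
    return apply_private(sender, m)


def check_origin(sender: RsaKeyPair, c: int) -> int:
    return apply_public(sender, c)


# Figure 3.9: both. Sender's private key first, then receiver's public key; the
# receiver undoes the two steps in reverse order. The intermediate value must be
# smaller than the receiver's modulus, so the sender's modulus must not be larger.
def send_confidential_with_proof(sender: RsaKeyPair, receiver: RsaKeyPair, m: int) -> int:
    if sender.n > receiver.n:
        raise ValueError("sender modulus must not exceed receiver modulus for this ordering")
    intermediate = apply_private(sender, m)        # proof of origin operation
    return apply_public(receiver, intermediate)    # confidentiality operation


def open_confidential_with_proof(sender: RsaKeyPair, receiver: RsaKeyPair, c: int) -> int:
    intermediate = apply_private(receiver, c)      # receiver's private key
    return apply_public(sender, intermediate)      # sender's public key


if __name__ == "__main__":
    alice = rsa_keypair(61, 53, 17)   # sender,   n = 3233
    bob = rsa_keypair(89, 97, 5)      # receiver, n = 8633
    m = 65
    print("Fig 3.7:", open_confidential(bob, send_confidential(bob, m)) == m)
    print("Fig 3.8:", check_origin(alice, send_with_proof_of_origin(alice, m)) == m)
    c = send_confidential_with_proof(alice, bob, m)
    print("Fig 3.9:", open_confidential_with_proof(alice, bob, c) == m)
```

Two things the figures do not show become visible in the code. The "encrypt with the private key" step of Figure 3.8 is the same modular exponentiation as decryption, only with the sender's exponent, and anyone holding the public key can undo it, which is why it proves origin but hides nothing. In Figure 3.9 the intermediate ciphertext has to be smaller than the receiver's modulus, so the relative key sizes matter; real protocols sidestep this by signing a digest rather than the whole message, as the digital signature section later in this module describes.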

Diffie–Hellman Algorithm
Diffie–Hellman is a key negotiation algorithm and does not provide for message confidentiality. It is used to enable two entities to exchange or negotiate a secret symmetric key that will be used subsequently for message encryption using symmetric key cryptography. The Diffie–Hellman algorithm can be extremely useful for applications such as PKI and others where the generation of symmetric session keys is required. It is often referred to as a session key negotiation algorithm. Diffie–Hellman is based on the discrete logarithm hard math problem.

PPT: Diffie-Hellman Algorithm (continued). Describe other Asymmetric algorithms.

Diffie–Hellman can be summarized as follows: it is a key agreement protocol whereby two parties, without any prior arrangements, can agree upon a secret symmetric key that is known only to them. This secret key can then be used, for example, to encrypt further communications between the parties from that point on using symmetric key cryptography.

PPT: ElGamal. Describe other asymmetric algorithms.

The Diffie–Hellman key agreement requires that both the sender and recipient of a message have their private and public key pairs. By combining one’s own private key and the other party’s public key, both parties can compute the same shared secret number, which ends up being the symmetric session key. A “session key” is a symmetric key that is used only for that particular session.
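The exchange summarized above, run end to end with both parties' messages. Added example, not the guide's code: the group p = 23, g = 5 and the private exponents 6 and 15 are constructed teaching values (a real group is thousands of bits), and the names `dh_public_value`, `dh_shared_secret`, `session_key`, `dh_exchange` and `random_exponent` are this example's own.

```python
"""Diffie-Hellman key agreement with both parties' messages shown.
Added example, not the guide's own code. The group (p = 23, g = 5) and the
private exponents are constructed teaching values; real deployments use a
standardised group of 2048+ bits (or an elliptic curve) and fresh random
exponents.
"""
import hashlib
import secrets
from typing import Tuple


def dh_public_value(p: int, g: int, private_exponent: int) -> int:
    """What each party sends: g^x mod p. Recovering x from this is the discrete log problem."""
    return pow(g, private_exponent, p)


def dh_shared_secret(p: int, peer_public: int, private_exponent: int) -> int:
    """Combine our private exponent with the peer's public value: (g^y)^x mod p."""
    if not 1 < peer_public < p - 1:
        # 1 and p-1 would force a trivial shared secret; reject them on receipt.
        raise ValueError("peer public value outside the valid range")
    return pow(peer_public, private_exponent, p)


def session_key(shared_secret: int, p: int) -> bytes:
    """Derive a fixed-size symmetric session key from the shared secret.
    A real KDF (HKDF) would also bind in transcript/context data."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()


def dh_exchange(p: int, g: int, a: int, b: int) -> Tuple[int, int, bytes, bytes]:
    """Run the whole exchange: Alice holds a, Bob holds b.
    Returns (A sent by Alice, B sent by Bob, Alice's key, Bob's key)."""
    A = dh_public_value(p, g, a)                  # Alice -> Bob (in the clear)
    B = dh_public_value(p, g, b)                  # Bob -> Alice (in the clear)
    alice_key = session_key(dh_shared_secret(p, B, a), p)
    bob_key = session_key(dh_shared_secret(p, A, b), p)
    return A, B, alice_key, bob_key


def random_exponent(p: int) -> int:
    """A fresh private exponent in [2, p - 2], as real use requires."""
    return 2 + secrets.randbelow(p - 3)


if __name__ == "__main__":
    A, B, ka, kb = dh_exchange(23, 5, 6, 15)
    print(f"A = {A}, B = {B}, keys match: {ka == kb}")
```

The only messages on the wire are A and B. A passive observer who sees both still faces the discrete logarithm problem to recover a or b, but nothing here tells Alice that B really came from Bob, which is why production protocols authenticate the public values with the digital signatures and certificates discussed later in this module. The range check in `dh_shared_secret` rejects the degenerate values 1 and p - 1 that would force a predictable shared secret.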
PPT: Elliptic Curve Cryptography (ECC). Describe ECC.

ElGamal
The ElGamal cryptographic algorithm is based on the work of Diffie–Hellman, but it also includes the ability to provide message confidentiality and digital signature services, not just session key negotiation. Although not technically correct, some people refer to ElGamal as a combination of the Diffie–Hellman and RSA algorithms.The ElGamal algorithm is based on the same mathematical functions of discrete logs.

Elliptic Curve Cryptography (ECC)
The elliptic curve algorithm has the highest strength per bit of key length of any of the asymmetric algorithms. The ability to use much shorter keys for elliptic curve cryptography (ECC) implementations provides savings on computational power, bandwidth, and storage. This makes ECC especially beneficial for implementations in smart cards, wireless, and other similar application areas where those resources may be lacking. Elliptic curve algorithms provide confidentiality, digital signatures, and message authentication services. The appeal of ECC is that elliptic curve group discrete log techniques have not seen significant improvement over the past number of years. This is obviously good news for elliptic methods because it allows us to use reduced key sizes to provide the same level of security as traditional public key cryptography methods.


Advantages and Disadvantages of Asymmetric Key Algorithms

PPT: Advantages and Disadvantages of Asymmetric Key Algorithms. Emphasize advantages and disadvantages of Asymmetric key cryptography.

The development of asymmetric key cryptography revolutionized the cryptographic community. Not only did it solve the problem of key distribution, by allowing a message to be sent across an untrusted medium in a secure manner without the overhead of prior key exchange or key material distribution, but it also allowed several other features not readily available in symmetric cryptography, such as non-repudiation of origin and delivery, access control, and data integrity. Asymmetric key cryptography has also solved the problem of scalability. It scales well with an increase in the number of people required to communicate, as each party only requires one key pair, the private and public keys.

PPT: Activity: Asymmetric Cryptography (3 slides). Conduct activity.

The problem, however, has been that asymmetric cryptography is extremely slow compared with its symmetric counterpart. Asymmetric cryptography is extremely problematic in terms of speed and performance and is impractical for everyday use in encrypting large amounts of data and frequent transactions where speed is required. This is because asymmetric key cryptography handles much larger keys and is mathematically intensive, thereby reducing the speed significantly. This means that for large messages, asymmetric key cryptography is not effective for confidentiality; however, it can be very effective for message integrity, authentication, and non-repudiation of both origin and delivery.

Activity: Asymmetric Cryptography

INSTRUCTIONS
Answer the following questions.
1. What must the key holder do to allow for the transmission of a confidential message?
2. Identify one or more advantages of asymmetric cryptography.
3. Identify one or more disadvantages of asymmetric cryptography.
4. Describe RSA.

PPT: Activity: Asymmetric Cryptography (3 slides) (continued). Conduct activity.

PPT: Hybrid Cryptography and Cryptographic Systems. Explain hybrid cryptography as a combination of symmetric and asymmetric.

Hybrid Cryptography and Cryptographic Systems
Hybrid cryptography uses the advantages of both symmetric and asymmetric key cryptography. As you remember, symmetric cryptography is very fast but problematic in the way of key distribution. Asymmetric, on the other hand, is very slow but solves the problem of key distribution. Why not use both for what they are each good at? This is referred to as a hybrid cryptography system. A hybrid system operates as shown in Figure 3.10. The message itself is encrypted with a symmetric key, SK, and is sent to the recipient. To allow the recipient to have the symmetric key required for decryption, the symmetric key is encrypted with the public key of the recipient and sent to the recipient. The recipient then decrypts the symmetric key with their private key, which no one else has. This provides the symmetric key to the recipient only. The symmetric key can then be used to decrypt the message.
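Figure 3.10 in runnable form: the bulk message under a symmetric session key SK, and SK wrapped with the receiver's public key. Added example, not the guide's code. To stay within the Python standard library it uses a constructed stream cipher (a SHA-256 counter keystream) in place of AES, and raw RSA on the Mersenne primes 2^521 - 1 and 2^607 - 1 as a constructed receiver key; `hybrid_encrypt`, `hybrid_decrypt`, `symmetric_crypt`, `keystream` and the `RECEIVER_*` constants are this example's names.

```python
"""Hybrid encryption as in Figure 3.10: the bulk message is encrypted under a
symmetric session key SK, and SK itself is encrypted with the receiver's
public key. Added example, not the guide's own code.

Constructed choices, for a standard-library-only demo:
  * the symmetric cipher is a SHA-256 counter-mode keystream (demo only);
  * the receiver's RSA key is built from the Mersenne primes 2^521-1 and
    2^607-1, which is obviously not how real keys are chosen.
"""
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed receiver key pair. (n, e) is public, d is the receiver's private key.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
RECEIVER_N, RECEIVER_E = _P * _Q, 65537
RECEIVER_D = pow(RECEIVER_E, -1, (_P - 1) * (_Q - 1))   # modular inverse, Python 3.8+

SK_BYTES = 32   # 256-bit session key


def keystream(key: bytes, length: int) -> bytes:
    """Constructed stream cipher keystream: SHA-256(key || counter), block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def hybrid_encrypt(receiver_n: int, receiver_e: int, message: bytes,
                   sk: Optional[bytes] = None) -> Tuple[bytes, int]:
    """Sender side (Figure 3.10, left): returns (encrypted message, encrypted SK)."""
    sk = secrets.token_bytes(SK_BYTES) if sk is None else sk   # fresh SK per message
    if len(sk) != SK_BYTES:
        raise ValueError("session key must be exactly %d bytes" % SK_BYTES)
    sk_int = int.from_bytes(sk, "big")
    if sk_int >= receiver_n:
        raise ValueError("session key does not fit under the RSA modulus")
    encrypted_sk = pow(sk_int, receiver_e, receiver_n)          # public key of receiver
    return symmetric_crypt(sk, message), encrypted_sk


def hybrid_decrypt(receiver_n: int, receiver_d: int,
                   encrypted_message: bytes, encrypted_sk: int) -> bytes:
    """Receiver side (Figure 3.10, right): recover SK with the private key, then the message."""
    sk_int = pow(encrypted_sk, receiver_d, receiver_n)          # private key of receiver
    sk = sk_int.to_bytes(SK_BYTES, "big")
    return symmetric_crypt(sk, encrypted_message)


if __name__ == "__main__":
    large_message = b"constructed large message " * 200
    enc_msg, enc_sk = hybrid_encrypt(RECEIVER_N, RECEIVER_E, large_message)
    print("round trip ok:", hybrid_decrypt(RECEIVER_N, RECEIVER_D, enc_msg, enc_sk) == large_message)
```

The split is the point: the expensive public key operation runs once, on 32 bytes, however large the message, and a fresh SK is generated per message so that the compromise of one session key exposes one message. Production code would use AES-GCM or ChaCha20-Poly1305 for the message and RSA-OAEP or an ECDH agreement for the key transport through a vetted library, and would authenticate both the ciphertext and the wrapped key, which the raw construction here does not.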

PPT: Hybrid Cryptography and Cryptographic Systems (continued). Explain hybrid cryptography as a combination of symmetric and asymmetric.

Figure 3.10: Example of Hybrid Cryptography. Sender: Large Message → Encryption Using Symmetric Key (key material: Symmetric Key SK) → Encrypted Message; Symmetric Key SK → Encryption of Symmetric Key (key material: Public Key of Receiver) → Encrypted Symmetric Key SK. Receiver: Encrypted Symmetric Key SK → Decryption of Symmetric Key (key material: Private Key of Receiver) → Symmetric Key SK; Encrypted Message → Decryption Using Symmetric Key (key material: Symmetric Key SK) → Plaintext Message.

PPT: Message Integrity Controls (MICs) (3 slides). Introduce message integrity controls.

Message Integrity Controls (MICs)
An important part of electronic commerce and computerized transactions today is the assurance that a transmitted message or data has not been modified, is indeed from the person that the sender claims to be, and that the message was received by the correct party. This is accomplished through cryptographic functions that perform in several manners, depending on the business needs and level of trust between the parties and systems.
The point is this: when receiving messages over untrusted networks such as the internet, it is very important to ensure the integrity of the message. Integrity means receiving exactly what was sent, without modification. The principle of integrity assures that nothing changed without detection. In cryptography, this principle can be referred to as message authentication. Message authentication can be achieved using Message Digest security features. Message digests come in two flavors: keyed and non-keyed.


Non-keyed message digests are made without a secret key and are called Message Integrity Codes (MICs). Most asymmetric key digital signature schemes use non-keyed message digests. Keyed message digests, known as Message Authentication Codes (MACs), combine a message digest and a secret key. MACs require the sender and the receiver to share a secret key ahead of time to be able to address integrity properly. It is important to realize that the word “keyed” does not mean that the message digest is signed (private key encrypted); instead, it means that the digest is encrypted with a secret symmetric key.

PPT: Message Integrity Controls (MICs) (3 slides) (continued). Explain message integrity controls and hashing.

PPT: Message Digests. Describe message digests.

Message Digests
A message digest is a small representation of a larger message produced by a hashing algorithm. A message digest is used to ensure the integrity of information and does not address confidentiality of the message.

PPT: Message Authentication Code (MAC). Describe MAC.

Message Authentication Code (MAC)
A MAC (also known as a cryptographic checksum) is a small block of data that is generated using a secret key and then appended to the message. When the message is received, the recipient can generate their own MAC using the secret key and compare it, and thereby know that the message has not changed either accidentally or intentionally in transit. It is important to remember that this assurance is only as strong as the trust the two parties have that no one else has access to the secret symmetric key. A MAC is a small representation of a message and needs to have the following characteristics:
• A MAC is much smaller than the message generating it.
• Given a MAC, it is impractical to compute the message that generated it.
• Given a MAC and the message that generated it, it is impractical to find another message generating the same MAC.

PPT: Hash Message Authentication Code (HMAC). Describe HMAC.

Hash Message Authentication Code (HMAC)
HMAC uses a freely available hash algorithm (such as SHA-1 or MD5) as a component within the HMAC implementation. This allows ease of replacement of the hashing module if a new hash function ever becomes necessary. The use of proven cryptographic hash algorithms also provides assurance of the security of HMAC implementations. HMACs work by adding a secret key value to the hash input function along with the source message. The HMAC operation provides cryptographic strength similar to a hashing algorithm, except that it now has the additional protection of a secret key and still operates nearly as rapidly as a standard hash operation.
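The difference between a non-keyed digest (MIC) and a keyed digest (MAC/HMAC) from the three sections above, demonstrated with the standard library's `hashlib` and `hmac`. Added example, not the guide's code; the key, the messages and the helper names (`digest`, `mac`, `verify_digest`, `verify_mac`, `modify_unkeyed`, `modify_keyed_without_key`, `demo`) are constructed for this example.

```python
"""Non-keyed digest (MIC) versus keyed digest (MAC/HMAC), using the standard
library's hashlib and hmac. Added example, not the guide's own code; the key
and messages are constructed sample values.
"""
import hashlib
import hmac
from typing import Tuple


def digest(message: bytes) -> bytes:
    """Non-keyed message digest (MIC): anyone who sees the message can compute it."""
    return hashlib.sha256(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed message digest (HMAC-SHA256): needs the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_digest(message: bytes, received_digest: bytes) -> bool:
    return hmac.compare_digest(digest(message), received_digest)


def verify_mac(key: bytes, message: bytes, received_mac: bytes) -> bool:
    # compare_digest runs in constant time, so the mismatch position is not leaked by timing.
    return hmac.compare_digest(mac(key, message), received_mac)


def modify_unkeyed(new_message: bytes) -> Tuple[bytes, bytes]:
    """An in-path party replacing a (message, digest) pair: the digest is simply recomputed."""
    return new_message, digest(new_message)


def modify_keyed_without_key(new_message: bytes, old_tag: bytes) -> Tuple[bytes, bytes]:
    """The same party facing a MAC without the key can only reuse the old tag."""
    return new_message, old_tag


def demo() -> dict:
    key = b"constructed-shared-secret-key"
    original = b"transfer 100 to account 42"
    altered = b"transfer 900 to account 42"

    # Unkeyed: the altered message still verifies, because the digest travelled with it
    # and was recomputed. Integrity against accidents, not against a deliberate change.
    msg, d = modify_unkeyed(altered)
    unkeyed_accepts_change = verify_digest(msg, d)

    # Keyed: the altered message is rejected, because the old tag no longer matches
    # and a new one cannot be computed without the key.
    msg, t = modify_keyed_without_key(altered, mac(key, original))
    keyed_accepts_change = verify_mac(key, msg, t)

    return {
        "unkeyed_accepts_change": unkeyed_accepts_change,                                  # True
        "keyed_accepts_change": keyed_accepts_change,                                      # False
        "genuine_mac_verifies": verify_mac(key, original, mac(key, original)),            # True
        "wrong_key_verifies": verify_mac(b"constructed-other-key", original, mac(key, original)),  # False
    }


if __name__ == "__main__":
    print(demo())
```

`verify_mac` uses `hmac.compare_digest` rather than `==` so that the comparison takes the same time whether the first byte or the last byte differs; a byte-by-byte early exit leaks how much of a guessed tag was right. The keyed check rejects the altered message only because the key is unknown to whoever altered it, which is exactly the trust assumption the MAC section calls out.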
PPT: Hash Message Authentication Code (HMAC) (continued). Describe HMAC.

PPT: Hashing. Explain hashing and hashing algorithms.

Hashing
Hashing is defined as using a hashing algorithm to produce a message digest that can be used to address integrity. The hash function accepts an input message of any length and generates, through a one-way operation, a fixed-length output called a message digest. The difference from what we discussed above is that a hashing algorithm generates the message digest but does not use a secret key. There are several ways to use message digests in communications, depending on the need for the confidentiality of the message, the authentication of the source, the speed of processing, and the choice of encryption algorithms. The requirements for a hash function are that it must provide some assurance that the message has not changed without detection and that it would be impractical to find any two messages with the same message digest value. Examples of very popular hashing algorithms are SHA-1 and MD5.

PPT: Five Key Properties of a Hash Function. Describe key properties of hashing functions.

Five Key Properties of a Hash Function
1. Uniformly distributed: The hash output value should not be predictable.
2. Collision resistant: Difficult to find a second input value that would hash to the same value as another input, and difficult to find any two inputs that hash to the same value.
3. Difficult to invert: Should be one way; it should not be possible to derive the original message by reversing the hash.
4. Computed on the entire message: The hash algorithm should use the entire message to produce the digest.
5. Deterministic: Given an input x, it must always generate the same hash value, y.

PPT: Message Digest 5 (MD5) Message Digest Algorithm. Explain MD5.

MD5 (Message Digest 5) Message Digest Algorithm
MD5 was developed by Ron Rivest at MIT in 1992. It is considered to be the most widely used hashing algorithm and is described in RFC 1321. MD5 generates a 128-bit digest from an arbitrary message of any length. It processes the message in 512-bit blocks and does four rounds of processing to generate the message digest. Each round contains 16 steps. MD5 is an example of a series of hashing algorithms developed by Ron Rivest.

One interesting use of MD5 is to verify the integrity of digital evidence used in forensic investigations and to ensure that the original media has not been altered once the evidence has been captured. In the past number of years, there have been several attacks developed against MD5 where it is now possible to find collisions through analysis. This has led many industry experts to recommend that MD5 not be used for secure communications or for non-repudiation services such as digital signatures.

PPT: Message Digest 5 (MD5) Message Digest Algorithm (continued). Explain MD5.

Secure Hash Algorithm (SHA) and SHA-1
The original SHA was developed by NIST in the United States in 1993 and was issued as Federal Information Processing Standard (FIPS) 180. A revised version (FIPS 180-1) was issued in 1995 as SHA-1 (RFC 3174) with some improvements. SHA was based on the previous MD4 algorithm, whereas SHA-1 follows the logic of the MD5 hashing algorithm described above. SHA-1 operates on 512-bit blocks. The output hash, or message digest, is 160 bits in length. The processing includes four rounds of operations of 20 steps each.

PPT: Secure Hash Algorithm (SHA) and SHA-1. Explain SHA and SHA-1.

As with MD5, several attacks have recently been described against the SHA-1 algorithm to try to find collisions, despite its being considered considerably stronger than MD5. NIST has issued FIPS 180-4, which recognizes SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256 as part of the Secure Hash Standard. The output lengths of the digests of these vary from 160 to 512 bits, typically identified by the number written after the SHA letters.

PPT: SHA-3. Explain SHA-3.

SHA-3
SHA-3 is the latest member of the Secure Hash Algorithm (SHA) family of standards, released by NIST in 2015. The source code has been made public and, even though it is the next iteration of the SHA family, it is quite different from the MD5-like structure of its predecessors SHA-1 and SHA-2. Experts have said that the purpose of SHA-3 is that it can be directly substituted for SHA-2 in current implementations if it becomes necessary to do so. It was also developed to try to significantly improve the robustness of NIST’s current overall hash algorithm toolkit.

PPT: Other Hash Algorithms. Describe other hashing algorithms.
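The five properties listed earlier, checked against the algorithms discussed in this and the preceding sections (MD5, SHA-1, SHA-256 and SHA3-256). Added example, not the guide's code; the input string is constructed and the helper names (`digest_bits`, `hamming_distance`, `flip_one_bit`, `avalanche_fraction`, `is_deterministic`, `report`) are this example's own.

```python
"""Checking the five hash-function properties above against the algorithms
discussed in this module: MD5, SHA-1, SHA-256 and SHA3-256. Added example,
not the guide's own code; the sample input is constructed.
"""
import hashlib
from typing import Dict

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_256")


def digest_bits(algorithm: str, data: bytes) -> int:
    """Length of the fixed-size output, in bits."""
    return hashlib.new(algorithm, data).digest_size * 8


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def avalanche_fraction(algorithm: str, data: bytes, bit_index: int = 0) -> float:
    """Fraction of digest bits that change when a single input bit is flipped
    (properties 1 and 4: every input bit influences an unpredictable output)."""
    h1 = hashlib.new(algorithm, data).digest()
    h2 = hashlib.new(algorithm, flip_one_bit(data, bit_index)).digest()
    return hamming_distance(h1, h2) / (len(h1) * 8)


def is_deterministic(algorithm: str, data: bytes) -> bool:
    """Property 5: the same input always yields the same digest."""
    return hashlib.new(algorithm, data).digest() == hashlib.new(algorithm, data).digest()


def report(data: bytes = b"constructed sample input for the hash demo") -> Dict[str, dict]:
    return {
        alg: {
            "digest_bits": digest_bits(alg, data),
            "deterministic": is_deterministic(alg, data),
            "avalanche": round(avalanche_fraction(alg, data), 3),
        }
        for alg in ALGORITHMS
    }


if __name__ == "__main__":
    for alg, props in report().items():
        print(f"{alg:9} {props}")
```

Digest length and determinism are read straight off the output. The avalanche measurement is the testable face of properties 1 and 4: flipping one input bit changes roughly half the output bits for every algorithm, including MD5 and SHA-1. That is the point of the MD5 and SHA-1 warnings above: both pass every check here and are still unfit for signatures, because collision resistance (property 2) is broken by cryptanalysis, not detected by inspection.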

HAsh of VAriable Length (HAVAL)
HAVAL is a hashing algorithm with a variable length output message digest. It combines a variable length output with a variable number of rounds of operations on 1,024-bit input blocks. The output message digest may be 128, 160, 192, 224, or 256 bits, and the number of rounds may vary from three to five. That gives 15 possible combinations of operations. HAVAL’s claim to fame is that it can operate 60 percent faster than MD5 when only three rounds are used and is just as fast as MD5 when it does five rounds of operation.

PPT: Other Hash Algorithms (continued). Describe other hashing algorithms.

RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest)
The original algorithm (RIPEMD-128) has the same vulnerabilities as MD4 and MD5, which led to the improved RIPEMD-160 version. The output for RIPEMD-160 is 160 bits, and it operates similarly to MD5 on 512-bit blocks. It does twice the processing of SHA-1, performing five paired rounds of 16 steps each for 160 operations. As with any other hashing algorithm, the benefit of increasing the size of the message digest output is to provide better protection against collisions, where two different messages produce the same message digest value.

PPT: The Birthday Paradox/Birthday Attack. Conduct birthday paradox with the class.

Attacks on Hashing Algorithms and Message Authentication Codes
Typically, attacks against hashing functions take the form of finding collisions. There are two primary ways to attack hash functions:
• Brute force
• Cryptanalysis

Over the past number of years, extensive research has been done on attacks on various hashing algorithms, such as MD5 and SHA-1. Both algorithms are susceptible to cryptographic attacks. A brute force attack relies on finding a weakness in the hashing algorithm that would allow an attacker to reconstruct the original message from the hash value (defeat the one-way property of a hash function), find another message with the same hash value, or find any pair of messages with the same hash value (called collision resistance).

The Birthday Paradox/Birthday Attack
The birthday paradox is an interesting and surprising mathematical condition that describes the ease of finding two people with the same birthday (month and day) from a group of people. If one considers that there are 365 possible birthdays (not including leap years and assuming that birthdays are spread evenly across all possible dates), then one would expect to need to have roughly 183 people together to have a 50 percent probability that two of those people share the same birthday.
But if you work it out mathematically, once there are more than 23 people together in a room, there is a greater than 50 percent probability that two of them share the same birthday. The reason that this is mathematically correct is that in a group of 23 people there are 253 different pairings, described by the formula n(n − 1)/2. The probability increases to the point where, once 100 people are together, the chance of two of them having the same birthday is actually greater than 99.99 percent. This is referred to as the birthday paradox.

PPT: The Birthday Paradox/Birthday Attack (continued). Conduct birthday paradox with the class and explain its relevance to hashing algorithms.

So why is this discussion about birthdays and the birthday paradox important while discussing attacks against hashing algorithms? The answer is that finding a collision for two messages and their hash values may be a lot easier than may have been believed, in just the same way as the birthday paradox. The mathematics behind this would be very similar to the statistics of finding two people with the same birthday. As we have seen, a most important consideration for evaluating the strength of a hashing algorithm must be its resistance to collisions.

PPT: Digital Signatures – Non-repudiation. Describe digital signatures and how they address non-repudiation.

The probability of finding a collision for a 160-bit hash can be estimated at either 2 raised to the power of 160 or 2 raised to the power of 160/2, depending on the level of collision resistance needed. This approach is relevant because a hash is a representation of the message and not the message itself. As part of an attack, the attacker does not want to find an identical message; the attacker wants to find out how to:
• Change the message contents to what the attacker wants it to read and still have the same digest value
• Cast some doubt on the authenticity of the original message by demonstrating that another message has the same value as the original
The hashing algorithm must be resistant to a birthday-type attack that would allow the attacker to feasibly accomplish these goals.
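The birthday arithmetic from the passage above, worked through exactly, and then applied to a hash. Added example, not the guide's code: `birthday_probability` computes the exact probability for n people and 365 days, `pairs` is the n(n − 1)/2 count from the text, `expected_trials_for_collision` is the sqrt(π/2 · 2^bits) estimate, and `find_collision` runs the same search against a constructed toy digest (SHA-256 truncated to 16 bits) whose space is small enough to collide instantly; all of these names are this example's own.

```python
"""The birthday paradox worked out, and the same arithmetic applied to hash
collisions. Added example, not the guide's own code; the toy digest and the
inputs are constructed.
"""
import hashlib
from math import pi, sqrt
from typing import Dict, Optional, Tuple

DAYS = 365


def pairs(n: int) -> int:
    """Number of distinct pairs in a group of n people: n(n - 1)/2."""
    return n * (n - 1) // 2


def birthday_probability(n: int, days: int = DAYS) -> float:
    """Exact P(at least two of n share a birthday) = 1 - prod_{i<n} (days - i)/days."""
    p_no_match = 1.0
    for i in range(n):
        p_no_match *= (days - i) / days
    return 1.0 - p_no_match


def expected_trials_for_collision(bits: int) -> float:
    """Inputs needed, on average, before two share a b-bit digest: about sqrt(pi/2 * 2^b)."""
    return sqrt(pi / 2 * 2 ** bits)


def toy_hash(data: bytes, bits: int = 16) -> int:
    """Constructed weak digest: the first `bits` bits of SHA-256."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int = 16, limit: int = 1 << 14) -> Optional[Tuple[bytes, bytes, int]]:
    """Birthday search: hash distinct inputs until two share a digest.
    Returns (input_a, input_b, trials), or None if `limit` is reached first."""
    seen: Dict[int, bytes] = {}
    for i in range(limit):
        msg = f"constructed-input-{i}".encode()
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    for n in (22, 23, 100):
        print(f"{n:3} people: {pairs(n):5} pairs, P(shared birthday) = {birthday_probability(n):.4f}")
    print("expected inputs for a 16-bit collision:", round(expected_trials_for_collision(16)))
    print("collision found:", find_collision())
```

Running it gives 253 pairs and P ≈ 0.507 at 23 people, P ≈ 0.476 at 22, and P > 0.9999 at 100, matching the figures in the text. For the 16-bit digest the search finds two different inputs with the same digest after a few hundred attempts, on the order of 2^(16/2), which is the 2^(bits/2) scaling the text gives for a 160-bit hash: collision resistance is worth only half the digest length in bits, and the defence is a digest long enough (256 bits or more today) that 2^(bits/2) is still infeasible.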

Digital Signatures – Non-repudiation

Non-repudiation
Non-repudiation is the inability to deny. The word “repudiation” is defined as the ability to deny, so “non-repudiation” means the inability to deny. In cryptography, non-repudiation is a service that ensures the sender cannot deny a message was actually sent and that the integrity of the message is intact, and the receiver cannot say that they’ve received a different message than the one that was actually received. Non-repudiation is achieved through digital signatures and PKI. The process is this: the message is signed using the sender’s private key. When the recipient receives the message, they may use the sender’s public key to validate the signature. While this proves the integrity of the message, it does not explicitly define the ownership of the original private key used to sign the message. For non-repudiation to be valid, a CA must have an association between the private key and the sender that proves the authenticity of the private key belonging to the entity having signed the message.

PPT: Digital Signatures – Non-repudiation (continued). Describe digital signatures and how they address non-repudiation.

PPT: Digital Signatures. Describe digital signatures and how they address non-repudiation.

Digital Signatures
The purpose of a digital signature is to provide the same level of accountability for electronic transactions where a handwritten signature is not possible or feasible. A digital signature can provide several assurances. It will provide assurance that the message does indeed come from the person who claims to have sent it, that it has not been altered, that both parties have a copy of the exact same document, that the person sending the document cannot claim they did not send it, and that the person receiving it cannot claim they have received a different message.
A digital signature is a block of data produced by hashing the message with a hashing algorithm, which produces a message digest generated from the contents of the message. That message digest is then encrypted with the sender’s private key. The act of encrypting the message digest with the sender’s private key produces the digital signature. That digital signature is then appended to the message and sent to the receiver. The receiver must then verify the digital signature by decrypting it with the sender’s public key and comparing the result with the message digest of the received message.
So, the use of digital signatures to address non-repudiation involves two processes, one performed by the signer and the other by the receiver of the digital signature:
• Digital signature creation uses a hash result, called a message digest, derived from and unique to both the signed message and a given private key of the sender.
• Digital signature verification is the process of checking the digital signature by reference to the original message and a given public key of the sender, thereby determining whether the digital signature was created for that same message using the private key that corresponds to the referenced public key of the sender.
To sign a document or any other item of information, the signer first hashes the message to produce a message digest. The signer’s software then transforms the message digest into a digital signature using the signer’s private key. The resulting digital signature is thus unique to both the message and the private key used to create it.

PPT: Digital Signatures (continued). Describe digital signatures and how they address non-repudiation.

Typically, the digital signature is attached to its message and stored or transmitted along with the message. In some cases, the digital signature may also be sent or stored as a separate element as long as it maintains a reliable association with its message. Because a digital signature is unique to its message, it would be useless if somehow disassociated from its message.
Verification of the digital signature is accomplished by computing a new hash result (message digest) of the original message by means of the same hashing function used to create the digital signature in the first place. Then, using the public key of the signer and the new hash result, the verifier (receiver) can check the following:
• Whether the digital signature was created using the corresponding private key of the sender
• Whether the newly computed hash result matches the original hash result that was transformed into the digital signature during the signing process

PPT: Uses of Digital Signatures. Explain uses of digital signatures.
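The sign-and-verify procedure just described, in runnable form. Added example, not the guide's code: SHA-256 is the hashing function, the signer's key is raw RSA on the Mersenne primes 2^521 - 1 and 2^607 - 1 (a constructed teaching key chosen only so that the modulus exceeds the 256-bit digest), and `sign`, `verify`, `message_digest`, `demo` and the `SIGNER_*` constants are this example's own names.

```python
"""Digital signature creation and verification as described above.
Added example, not the guide's own code.

The signer's key is raw RSA on the Mersenne primes 2^521-1 and 2^607-1, a
constructed teaching choice made only so that the modulus is larger than a
256-bit digest. Real implementations use random 1024-bit or larger primes
and a padding scheme (RSASSA-PSS), or ECDSA/EdDSA, via a vetted library.
"""
import hashlib

# Constructed signer key pair: (n, e) is published, d stays with the signer.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
SIGNER_N, SIGNER_E = _P * _Q, 65537
SIGNER_D = pow(SIGNER_E, -1, (_P - 1) * (_Q - 1))   # modular inverse, Python 3.8+


def message_digest(message: bytes) -> int:
    """Hash the message (SHA-256) and read the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(n: int, d: int, message: bytes) -> int:
    """Signature creation: transform the digest with the signer's private key."""
    return pow(message_digest(message), d, n)


def verify(n: int, e: int, message: bytes, signature: int) -> bool:
    """Signature verification: recover the digest with the public key and
    compare it with a freshly computed digest of the received message."""
    if not 0 <= signature < n:          # malformed signature
        return False
    recovered = pow(signature, e, n)
    return recovered == message_digest(message)


def demo() -> dict:
    contract = b"Constructed agreement: party A pays party B 500 on delivery."
    signature = sign(SIGNER_N, SIGNER_D, contract)
    other_n = ((1 << 127) - 1) * ((1 << 521) - 1)   # some other party's (constructed) modulus
    return {
        "genuine": verify(SIGNER_N, SIGNER_E, contract, signature),                          # True
        "altered_message": verify(SIGNER_N, SIGNER_E, contract.replace(b"500", b"900"), signature),  # False
        "altered_signature": verify(SIGNER_N, SIGNER_E, contract, signature ^ 1),            # False
        "other_key": verify(other_n, SIGNER_E, contract, signature),                         # False
    }


if __name__ == "__main__":
    print(demo())
```

The verifier needs only n and e; the private exponent never leaves the signer. Three failure cases are exercised, an altered message, an altered signature and a different key, and all three are rejected because the recovered digest no longer matches. What the code cannot show is the last sentence of the non-repudiation section: nothing here ties n and e to a person, which is what a certificate issued by a CA adds.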

Uses of Digital Signatures
There are many practical uses for digital signatures simply because they address non-repudiation of origin (the signer cannot deny signing a particular message or document) and non-repudiation of delivery (the recipient cannot say they’ve received a different message or document than the original). The following are some practical uses of digital signatures. They are used to sign digital certificates. A digital certificate is an electronic document that asserts authenticity and data integrity tied to a sender. A hash computation is performed over the certificate content, then the hash value is encrypted using the private key of the certification authority and embedded into the certificate. The recipient decrypts the embedded hash value using the certification authority’s public key. The receiver then uses the public key of the certification authority to verify the sender’s authenticity by performing the same hash computation over the certificate content as was done by the certification authority. If the hash results are the same, then sender authentication and data integrity of the certificate have been established.
Digital signatures can also be used to sign emails, ecommerce transactions, software and software patches, digital certificates, contracts, agreements, and service-level agreements (SLAs).


In many parts of the world, the government and courts of law recognize digital signatures as a verifiable form of authentication and non-repudiation.

PPT: Uses of Digital Signatures (continued). Explain uses of digital signatures.

Applying Cryptography and Key Management

PPT: Cryptographic Lifecycle. Describe the cryptographic lifecycle.

Cryptographic Lifecycle
All cryptographic functions, systems, and implementations have a useful life. In cryptography, the word “broken” typically means different things, depending on the application. A cryptographic function or implementation is considered broken or no longer effective when one of the following conditions is met:
For a hashing function:
• Collisions or hashes can be reliably reproduced in an economically feasible fashion without the original source.
• An implementation of a hashing function allows a side channel attack. A side channel attack in cryptography is defined as targeting a weakness of the “implementation” of the algorithm and not the algorithm itself.
For an encryption system:
• A cipher is decoded without access to the key in an economically feasible fashion.
• An implementation of an encryption system allows for the unauthorized disclosure of information in an economically feasible fashion.
• A private key has been compromised in asymmetric key cryptography.

PPT: Algorithm/Protocol Governance. Describe algorithm governance.

Algorithm/Protocol Governance
Security and other professionals must ensure governance processes are
in place to support an organization’s use of and reliance on cryptography.
This means requiring policies and implementing those policies through
standards, procedures, and baselines. The policies, standards, and
procedures relating to cryptography should minimally address the
following:
• Approved cryptographic algorithms and key sizes
• Transition plans for weakened or compromised algorithms and keys
• Procedures for the use of cryptographic systems in the organization
and standards indicating what information and processes are subject
to cryptographic requirements
• Key generation, escrow, and secure destruction
• Incident reporting surrounding the loss of keys or the compromise of
cryptographic systems

284 Domain 3: Security Architecture and Engineering

Instructor Edition

Issues Surrounding Cryptography
The power of cryptography has been and is increasingly misused by those
with criminal intentions and is subject to export and law enforcement
requirements by countries and governments. As part of risk analysis, it
is important to understand how cryptography can be misused so that
appropriate security and risk mitigation can be applied. Another
important issue with the potential misuse of cryptography is in the
protection of intellectual property. Cryptographic protection is
implemented for preventing software and media piracy. Digital rights
management (DRM) systems require a design and governance that can be
used to both protect intellectual property and individual privacy while
ensuring an individual’s fair use of the intellectual property. Some
governments impose restrictions on the use, export, or import of
cryptographic hardware and software having high work factors.

International Export Controls
Cryptography is considered in most countries to be on par with
munitions, a military tool, and may be managed through laws written
to control the distribution of military equipment. Some countries do
not allow any cryptographic tools to be used by their citizens, and
others have laws that control the use of cryptography, usually based
on key length and strength of algorithms. This is because in
cryptography, the key length is one of the most understandable
methods of gauging the strength of a cryptosystem.
International export controls may be employed by governments to
limit the shipment of products containing strong cryptography to
countries that the government feels are trustworthy enough to use it
in a friendly way. Most countries frame their national security concern
about cryptography by identifying specific technologies that would be
detrimental to their national defense and, therefore, need to be
controlled through export regulations. As a result of these export
controls, many vendors market two versions of their products, one
version that may have strong encryption and the other version that
may have weaker encryption that is sold in other countries.

Public Key Infrastructure (PKI)
A PKI is a set of system, software, communication, and cryptography
protocols required to use, manage, and control public key cryptography.
It has four primary purposes:
• Publish public keys/certificates
• Certify that a key is tied to an individual or entity
• Provide verification of the validity of a public key
• Provide security services such as confidentiality, integrity,
authenticity, non-repudiation and access control

Certification/Certificate Authority (CA)
In cryptography, there needs to be assurance that a public key actually
corresponds and belongs to the signer’s private key. If you think about
it, a public and private key pair has no intrinsic association with any
person; they are simply a pair of numbers. Some convincing strategy is
necessary to reliably associate a particular person or entity with the
asymmetric key pair.
The solution to these problems is the use of one or more trusted third
parties to associate an identified certificate owner with a specific public
key. That trusted third party is referred to as a certificate authority (CA).
The certificate authority “signs” an entity’s digital certificate to certify
that the certificate content accurately represents the certificate owner,
including their public key.
To ensure both message and identity authenticity of the certificate itself,
the CA digitally signs it. The issuing CA’s digital signature on the certificate
can be verified using the public key of the certification authority listed in
another certificate by another CA that may or may not need to be on a
higher level in a hierarchy.
There can be different levels of assurance implied by the CA signing the
certificate, just as different forms of physical identification of an
individual can imply differing levels of trust.

X.509 Certificate
Since there are many CAs that can issue certificates, a CA needs to
adhere to the X.509 certificate standard. This is part of the overall
X.500 family of standards applying to directories. X.509 is the widely
accepted international PKI standard used to verify that a public key
belongs to the certificate owner. X.509 version 3 of the standard is
the most commonly used today.

Field                              | Description
-----------------------------------|---------------------------------------------------
Algorithm used for the signature   | Algorithm used to sign the certificate
Issuer name                        | X.500 name of CA
Period of validity                 | Start date/end date
Subject’s name                     | Owner of the public key
Subject’s public key information   | Public key and algorithm used to create it
(algorithm, parameters, key)       |
Issuer unique identifier           | Optional field in case the CA used more than one
                                   | X.500 name
Subject’s unique identifier        | Optional field in case the public key owner has
                                   | more than one X.500 name
Extensions                         |
Digital signature of CA            | Hash of the certificate encrypted with the private
                                   | key of the CA

Table 3.1: X.509 Certificate

Certificate Revocation
Once issued, a certificate may prove to be unreliable, such as in a
situation where the subscriber misrepresents their identity to the
certification authority. In other situations, a certificate may be
reliable enough when it was issued but come to be unreliable later.
If the subscriber loses control of the private key (for example, because
it may have been compromised), the certificate has become unreliable,
and the certification authority would revoke (permanently invalidate)
the certificate. Immediately upon suspending or revoking a certificate,
the certification authority must publish notice of the revocation or
suspension of the unreliable certificate.

Key Management and Key Management Practices
The most important part of any cryptographic implementation is key
management. Control over the issuance, revocation, recovery,
distribution, and other aspects of key management is of the utmost
importance to any organization relying on cryptography for any of the
security services that it can provide.
Earlier, we learned about Kerckhoffs’s principle. It states that a cryptosystem
should be secure even if everything about the system, except the key, is
public knowledge. That simply means that the key, therefore, is the true
strength of the cryptosystem. How the key is handled and managed
throughout its lifecycle becomes the most important thing in cryptography.
This is what is referred to as key management.
Key management can be defined as the generation, recording,
transcription, distribution, installation, storage, change, disposition, and
control of cryptographic keys. History teaches us that key management
is very important. It shows that each of these steps in key management
is an opportunity to compromise the cryptographic system. Further, it
also teaches us that attacks against keys and key management are far
more likely and efficient than attacks against cryptography algorithms.
As a consequence, key management must be rigorous and disciplined.
The most productive cryptanalytic attacks in history have exploited poor
key management. How keys are generated, distributed, how often they
are changed and used, how securely they are disposed of, how they are
recovered if they are lost, and how securely they are stored are all
examples of important aspects of key management that must be
addressed properly. There are many issues surrounding key
management. Here are a few to think about.

Key Recovery
Key recovery can be explained as a backup mechanism that ensures an
organization can have continued access to its own encrypted information
in the event keys are lost or somehow damaged. There are several
methods of key recovery that have been proposed by experts, such as
common trusted directories or a policy that requires all cryptographic
keys to be registered with the security department. Others use password
wallets or other tools to hold all of their passwords. Regardless of method,
key recovery options must be secure.
One method may be multiparty key recovery. This suggests that a key
would be split into multiple parts and then each part would be secured
and given to trusted entities. In cases where the actual original keys
would be lost, the parts stored with the parties could be retrieved,
allowing the organization to recover the original keys.

Dual Control and Split Knowledge
Dual control is usually implemented as a security procedure that
requires two or more persons to come together and work together
to complete a process. In a cryptography system, the two (or more)
people would each supply a unique key, or parts of keys, that when
taken together will allow a cryptographic process to be completed.
To illustrate, here is a perfect example. Let’s assume that a box
containing money is secured by a combination lock and a keyed lock.
One employee is given the combination to the lock, and a different
employee has possession of the correct key to the keyed lock. To
open the box, both employees must be present at the cashbox at the
same time. One cannot open the box without the other. This is the
aspect of dual control and split knowledge as both knowledge and
actions are required to perform and complete a task.

Key Escrow
Key escrow is the process of ensuring a third party maintains a
copy of a private key or key needed to decrypt information. The
word “escrow” means “storing with a trusted third party.” Key
escrow also should be considered mandatory for most
organizations’ use of cryptography because encrypted information
belongs to the organization and not the individual; however, often
an individual’s key is used to encrypt the information.
There must be explicit trust between the key escrow provider and
the parties involved as the escrow provider now holds a copy of the
private key, and the possibility exists that it could be used to reveal
information. Conditions of key release must be explicitly defined and
agreed upon by all parties through contracts and agreements.

Creation of Keys
The creation of keys, and how secure that process is, becomes an
important key management issue. There are a number of issues
that pertain to scalability and cryptographic key integrity:
• Automated key generation: Mechanisms used to
automatically generate strong cryptographic keys can be
used to deploy keys as part of key lifecycle management.
Effective automated key generation systems are designed
for user transparency as well as complete cryptographic key
policy enforcement.
• Truly random: For a key to be truly effective, it must have
an appropriately high work factor. That is, the amount of
time and effort by an attacker needed to break the key must be
sufficiently significant so that it at least delays its discovery for
as long as the information being protected needs to be kept
confidential. One factor that may contribute to strong keys that
have a high work factor is the level of randomness of the bits
that make up the key.
• Random: Cryptographic keys are essentially strings of bits. The
numbers used in making up the key need to be unpredictable
so that an attacker cannot easily guess the key and then expose
the protected information. Therefore, the randomness of the
numbers that comprise a key plays an important role in the
lifecycle of a cryptographic key. In the context of cryptography,
randomness is the required quality of lacking predictability.
Computer circuits and software libraries can be used to perform
the actual generation of random key values. Computers and
software libraries are well known as weak sources of randomness
and, therefore, special well-designed hardware and software
called random number generators are needed for cryptography
applications to ensure secure key creation.
• Asymmetric key length: The effectiveness of asymmetric
cryptography systems depends on the hard-to-solve nature of
certain math problems such as the factoring and discrete log
problems. These problems are time consuming to solve but
usually faster than trying all possible keys by brute force. Given
this fact, asymmetric algorithm keys must be longer for equivalent
resistance to attack than symmetric algorithm keys. As examples,
RSA Security claims that 1,024-bit RSA keys are equivalent in
strength to 80-bit symmetric keys, 2,048-bit RSA keys to 112-bit
symmetric keys, and 3,072-bit RSA keys to 128-bit symmetric
keys. RSA also suggests that 2,048-bit keys probably will be
sufficient until 2030. An RSA key length of 3072 bits should be
used if security is required beyond 2030.

Key Wrapping and Key Encrypting Keys (KEKs)


One important aspect of key management is to ensure that the same
key used in encrypting a given message by a sender is the same key
used to decrypt the message by the intended receiver. The problem is
how to exchange the proper keys or other needed information so that
no one else can obtain, or deduce a copy. This is referred to as the key
distribution problem. One solution is to protect the symmetric session
key with a special purpose long-term use key called a key encrypting
key (KEK); therefore, KEKs can be used as part of key distribution or key
exchange processes.

In cryptography, the process of using a KEK to protect session keys
is appropriately called key wrapping. Key wrapping uses symmetric
ciphers to securely encrypt (thus encapsulating) a plaintext key along
with any associated integrity information and data. Key wrapping
can be used when protecting session keys in untrusted storage or
when sending over an untrusted transport mechanism. Key wrapping
or encapsulation using a KEK can be accomplished using either
symmetric or asymmetric ciphers. If the cipher is a symmetric KEK,
both the sender and the receiver will need a copy of the same key. If
using an asymmetric cipher with public and private key properties to
encapsulate a session key, both the sender and the receiver will
need each other’s public keys.
In today’s applications, protocols such as SSL, PGP, and S/MIME
use the services of KEKs to provide session key confidentiality,
integrity, and sometimes to authenticate the binding of the session
key originator and the session key itself to make sure the session
key came from the real sender and not someone pretending to be
authorized individuals.
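An added example, not from the guide: the symmetric key wrapping the paragraphs above describe, implemented in Go as the AES Key Wrap algorithm of RFC 3394 over the standard library's AES and checked against that RFC's published test vector. The wrapped blob carries a 64-bit check value, which is the "associated integrity information" the text mentions, so unwrapping with the wrong KEK or after tampering fails instead of silently returning a garbage session key.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// kwIV is the fixed 64-bit check value of RFC 3394. It is wrapped together with
// the key, so unwrapping can detect a wrong KEK or a modified wrapped blob.
var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// wrapKey encrypts a session key under the KEK with AES Key Wrap (RFC 3394):
// six passes of AES over the key's 64-bit blocks, chained through register A.
func wrapKey(kek, key []byte) ([]byte, error) {
	if len(key) < 16 || len(key)%8 != 0 {
		return nil, errors.New("key must be at least 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek) // KEK must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	n := len(key) / 8
	a := append([]byte(nil), kwIV...)
	r := append([]byte(nil), key...) // R[1..n], 8 bytes each
	b := make([]byte, 16)
	for j := 0; j <= 5; j++ {
		for i := 1; i <= n; i++ {
			ri := r[(i-1)*8 : i*8]
			copy(b[:8], a)
			copy(b[8:], ri)
			block.Encrypt(b, b) // B = AES(K, A | R[i])
			t := uint64(n*j + i)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(b[:8])^t) // A = MSB(B) ^ t
			copy(ri, b[8:])                                                 // R[i] = LSB(B)
		}
	}
	return append(a, r...), nil
}

// unwrapKey reverses wrapKey and rejects the result unless the check value
// comes back intact, which is how a wrong KEK or tampering is detected.
func unwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key has an invalid length")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...)
	r := append([]byte(nil), wrapped[8:]...)
	b := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			ri := r[(i-1)*8 : i*8]
			t := uint64(n*j + i)
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(a)^t) // (A ^ t) | R[i]
			copy(b[8:], ri)
			block.Decrypt(b, b)
			copy(a, b[:8])
			copy(ri, b[8:])
		}
	}
	if subtle.ConstantTimeCompare(a, kwIV) != 1 {
		return nil, errors.New("integrity check failed: wrong KEK or corrupted wrapped key")
	}
	return r, nil
}

func main() {
	// Test vector from RFC 3394 section 4.1: a 128-bit KEK wrapping a 128-bit key.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	key, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, err := wrapKey(kek, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped:   %X\n", wrapped) // 1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5
	unwrapped, err := unwrapKey(kek, wrapped)
	fmt.Printf("unwrapped: %X %v\n", unwrapped, err)
	wrapped[12] ^= 0x01 // one flipped bit in storage or transit
	_, err = unwrapKey(kek, wrapped)
	fmt.Println("tampered:  ", err)
}
```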

Key Distribution
Key distribution is one of the most important aspects of key
management. As we have discussed, secure key distribution is
the most important issue with symmetric key cryptography. Key
distribution is the process of getting a key from the point of its
generation to the point of its intended use. This problem is
more difficult in symmetric key algorithms, where it is necessary
to protect the key from disclosure in the process. This step must
be performed using a channel separate from the one in which
the traffic moves. Keys can be distributed in a number of ways.
For example, two people who wish to perform secure key
exchange can use a medium other than that through which
secure messages will be sent. This is called out-of-band key
exchange. Even though out of band is the secure way to
distribute symmetric keys, this concept is not very scalable
beyond a few people and becomes very difficult as the number
of people involved grows.
Asymmetric key encryption provides a means to allow members of
a group to conduct secure transactions spontaneously. The
receiver’s public key certificate, which contains the receiver’s public
key, is retrieved by the sender from the key server and is used as
part of a public key encryption scheme, such as S/MIME, PGP, or
even SSL to encrypt a message and send it. The digital certificate
is the medium that contains the public key of each member of the group
and makes the key portable, scalable, and easier to manage than an
out-of-band method of key exchange.

Key Storage and Destruction
All keys need to be protected against modification, and secret and
private keys need to be protected against unauthorized disclosure.
Methods for protecting stored keys include trusted, tamperproof
hardware security modules, passphrase protected smart cards, key
wrapping the session keys using long-term storage KEKs, splitting
cipher keys and storing them in physically separate storage locations,
and protecting keys using strong passwords and passphrases, key
expiry, and the like.
Keys may be protected by the integrity of the storage mechanism itself.
For example, the mechanism can be designed so that once the key is
installed, it cannot be observed from outside the encryption mechanism
itself. Indeed, some key storage devices are designed to self-destruct
when subjected to forces that might disclose the key. Alternatively, the
key can be stored in an encrypted form so that knowledge of the stored
form does not disclose information about the behavior of the device
under the key.
To guard against a long-term cryptanalytic attack, every key must
have an expiration date after which it is no longer valid. The key
length must be long enough to make the chances of cryptanalysis
before key expiration extremely small. The validity period for a key
pair may also depend on the circumstances in which the key needs
to be used.
Keys must be disposed of and destroyed in such a way as to resist
disclosure. At the end of a key lifecycle, it must be properly destroyed
so as to avoid the reconstruction of that key; the purpose must be to
make it impossible to regenerate or reconstruct the key.
Cryptanalysis – Methods of Cryptanalytic Attacks


Cryptanalysis is defined as the study of techniques for attempting to
defeat cryptographic methods and techniques and, more generally,
information security services protected or achieved by cryptography.
Since in cryptography, the key is the only element that provides
security, cryptanalysis is generally all about finding or deducing what
the key is.

Activity: Cryptanalytic Attacks

INSTRUCTIONS
As we discuss each of the attacks, complete the following table.

Attacks                                | Description
---------------------------------------|------------
Ciphertext-only Attack                 |
Known Plaintext                        |
Chosen Plaintext                       |
Chosen Ciphertext                      |
Differential Cryptanalysis             |
Linear Cryptanalysis                   |
Implementation Attacks                 |
Replay Attack                          |
Algebraic                              |
Rainbow Table                          |
Frequency Analysis                     |
Birthday Attack                        |
Factoring Attack                       |
Social Engineering for Key Discovery   |
Dictionary Attack                      |
Brute Force                            |
Reverse Engineering                    |
Attacking the Random Number Generators |
Temporary Files                        |

Brute Force Attacks


Brute force attacks are also referred to as exhaustive search attacks.
This technique simply involves trying every possible combination,
specifically the key, until the correct one is identified. Brute force
attacks can be mounted on any type of cipher and cryptography
system. Advances in technology and computing performance have
made brute force attacks increasingly practical against cryptography
keys of a fixed length. For example, when DES was designed, it was
considered secure against brute force attacks. But as we have seen,
over the years, this type of attack has become increasingly attractive
to attackers because the cost and time involved in finding a DES key
has been reduced dramatically. With today’s technology, DES only
offers a few hours of protection from brute force attacks mainly
because its key space is no longer large enough. An exhaustive search
of DES’s 56-bit key space is very feasible today, as the growth of the
internet and networking has made it possible to utilize thousands of
machines in a distributed search by splitting the key space and
allocating those key spaces to each computer. However, key spaces
offered by algorithms that support larger key lengths are still very
effective against brute force attacks.
Adequate encryption is defined as encryption that is strong enough to
make brute force attacks impractical because there is a higher work factor
than the attacker wants, or is able, to invest into the attack. Moore’s Law
states that available computing power doubles every 18 months. Experts
suggest this advance may be slowing. However, as history has taught us,
encryption strength considered adequate today will probably not be
sufficient a few years from now due to advances in central processing unit
(CPU) and graphics processing unit (GPU) technology and new attack
techniques. The security professional and cryptologist need to
consider this when defining encryption requirements.

Ciphertext-only Attack
The ciphertext-only attack is one of the most difficult because the
attacker has so little information with which to start. All the attacker
starts with is some unintelligible data—ciphertext—that the
attacker suspects may be an important encrypted message. The
attack becomes simpler when the attacker is able to gather several
pieces of ciphertext and thereby look for patterns or trends or
statistical data that would help in the attack. In many cases,
frequency analysis can be helpful in ciphertext-only attacks.
Frequency analysis is defined as knowing linguistic patterns of
letters and word frequency in certain alphabets and languages.

Known Plaintext
As the name of this attack implies, the attacker has access to known
samples of plaintext. In fact, the attacker has access to both the
ciphertext and the plaintext versions of the same message. Since the
method or algorithm is always known, the goal of this type of attack
is to find the relationship between the two, which of course will be the
cryptographic key that was used to encrypt the message. Once the
key has been found, the attacker would then be able to decrypt all
other messages that had been encrypted using that key.

Chosen Plaintext
In this type of cryptanalysis, the cryptanalyst is able to choose a
quantity of plaintext and then obtain the corresponding encrypted
text to try and recover the key. To execute the chosen attacks, the
attacker knows the algorithm used for the encryption, or even
better, may have access to the cryptosystem used to do the
encryption and is trying to determine the key. At this point, the
attacker can run chosen pieces of plaintext through the algorithm
and see what the result is. This may assist in a known plaintext
attack. An adaptive chosen plaintext attack is where the attacker
can modify the chosen input files repeatedly to see what effect
that would have on the resulting ciphertext.

Chosen Ciphertext
This is similar to the chosen plaintext attack in that the attacker has
access to the decryption device or software and is attempting to
defeat the cryptographic protection by decrypting chosen pieces of
ciphertext to see what the corresponding plaintext is to discover the key.
An adaptive chosen ciphertext attack would be the same, except that
the attacker can repeatedly modify the ciphertext prior to putting it
through the algorithm.

Linear Cryptanalysis
Linear cryptanalysis is a known plaintext attack and uses a linear
approximation to try and describe the behavior of the block cipher.
Given sufficient pairs of plaintext and corresponding ciphertext, bits of
information about the key can be obtained, and increased amounts of
data will usually give a higher probability of success in possibly
figuring out the correct key.

Differential Cryptanalysis
Differential cryptanalysis begins with a chosen plaintext approach. The
attacker makes minor changes in the chosen plaintext to see if there are
corresponding minor changes in the resulting ciphertext. The idea is to
obtain bits of clues regarding the key itself.
Combining the two attacks above, linear and differential cryptanalysis,
has provided a variety of enhancements and improvements to each
basic attack to improve the success of each.

Implementation Attacks
Implementation attacks are some of the most common and popular attacks
against cryptographic systems today due to their ease and reliance on
system elements outside of the algorithm. Often the implementation of
certain cryptography elements is where the weaknesses may exist. The
main types of implementation attacks include the following:
• Side channel attacks: These are passive attacks that rely
on a physical attribute of the implementation such as power
consumption and emanations. These attributes may be able to be
studied to determine the secret key and the algorithm function
of the cryptosystem. Some examples of popular side channels
include timing analysis and electromagnetic differential analysis.
• Fault analysis: This attempts to force the system into an error
state to gain erroneous results. By forcing an error, gaining the
results and comparing them with known good results, an attacker
may learn clues about the secret key and the algorithm.
• Probing attacks: These attempt to watch the circuitry surrounding
the cryptographic module in hope that the other components of
the architecture will disclose information about the key or the
algorithm. Sometimes, new hardware may be added to the
cryptographic module to observe and inject information to
again possibly gain valuable information.

Replay Attack
This attack is meant to disrupt and damage processing by the attacker
through the resending of repeated files or input to the host. If there are
no checks such as timestamping, use of one-time tokens, or sequence
verification codes in the receiving software or architecture, the system
might process duplicate files or input, allowing access.

Algebraic Attacks
Algebraic attacks are a class of attacks that rely on the math structure
of certain block ciphers. Basically, the attack tries to find correlations
between certain elements to find weaknesses in multiple encryption
cycles within the cryptosystem itself to try and yield the correct key.

Rainbow Table
Hash functions will produce a message digest from plaintext. Since the
hash function is a one-way process, it is not possible to determine
the plaintext from the hash itself. However, there are two ways to
determine a given plaintext from its hash:
• Hash each plaintext until a matching hash is found
• Hash each plaintext, but store each generated hash in a
table that can be used as a lookup table so hashes do not
need to be generated again
A rainbow table is a look-up table of sorted hash outputs. The idea
here is that storing precomputed hash values in a rainbow table
that one can later refer to saves time and computer resources when
attempting to decipher the plaintext from its hash value.
These can be very helpful in attacks against password files and
other implementations where hashes, or hashed versions of
information, are stored.

Frequency Analysis
This attack works closely with several other types of attacks. It is
especially useful when attacking a substitution cipher where the
statistics of the plaintext language are known, for example in a
ciphertext-only attack. In the English language, for example, some
letters appear far more often than others, allowing an attacker to
assume that the most frequent ciphertext symbols may represent an E or a T,
the two most commonly used letters in English text. Another example
is that the most commonly used three-letter word in the English language is
the word "the." Knowing language statistics may be very helpful in
conducting certain cryptanalysis attacks.
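An added example (not from the original guide) of the technique: a ciphertext-only attack on a shift cipher that scores each of the 26 candidate keys by how closely the letter counts match published English letter frequencies. The frequency table and the sample plaintext are constructed for the demonstration; the same scoring extends to a general monoalphabetic substitution, where the analyst matches the most common ciphertext symbols to E and T and the most common trigram to "the".

```python
import string
from collections import Counter
from typing import List, Tuple

# Relative letter frequencies of English text in percent. These are widely
# published reference values, not taken from the page.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def letter_counts(text: str) -> Counter:
    """Count only a-z, ignoring case, spaces and punctuation."""
    return Counter(c for c in text.lower() if c in string.ascii_lowercase)


def top_letters(text: str, n: int = 3) -> List[str]:
    """Most frequent letters in the text: the raw signal an analyst looks at."""
    return [letter for letter, _ in letter_counts(text).most_common(n)]


def chi_squared(text: str) -> float:
    """Distance between the text's letter distribution and English.
    Lower means more English-like."""
    counts = letter_counts(text)
    total = sum(counts.values()) or 1
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = total * pct / 100.0
        score += (counts[letter] - expected) ** 2 / expected
    return score


def shift(text: str, k: int) -> str:
    """Shift (Caesar) cipher; k may be negative to decrypt."""
    out = []
    for c in text:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base + k) % 26 + base))
        else:
            out.append(c)
    return "".join(out)


def break_shift_cipher(ciphertext: str) -> Tuple[int, str]:
    """Ciphertext-only attack: try all 26 keys and keep the candidate whose
    letter statistics best match English."""
    key = min(range(26), key=lambda k: chi_squared(shift(ciphertext, -k)))
    return key, shift(ciphertext, -key)


# Constructed sample plaintext for the demonstration.
SAMPLE_PLAINTEXT = (
    "Frequency analysis works because the letters of the plaintext language "
    "are not used equally often, so the attacker compares the observed counts "
    "with the expected ones and keeps the shift that fits best."
)

if __name__ == "__main__":
    ct = shift(SAMPLE_PLAINTEXT, 7)
    print("top ciphertext letters:", top_letters(ct))
    key, pt = break_shift_cipher(ct)
    print("recovered key:", key)
    print(pt)
```

The chi-squared score punishes any key that maps a common plaintext letter onto a rare English letter, so with a few hundred letters of ciphertext the correct key stands out clearly; very short messages are where the method becomes unreliable.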
Birthday Attack
[PPT: Birthday Attack. Explain birthday attack and its relevance to hashing algorithms.]
The birthday paradox says that the probability that two or more people
in a group of 23 share the same birthday is greater than 50 percent. This
paradox can be applied mathematically to attack hashing
functions by finding two messages that produce the same message digest,
and this is referred to as the birthday attack against hashing algorithms.
The birthday paradox shows that the probability that two messages will
end up with the same hash is high even if the number of messages is
considerably less than the number of possible hashes: for a digest of n
bits, a collision is expected after roughly 2^(n/2) messages rather than
2^n. Strong hashing algorithms resist, as much as possible, the
production of duplicate hashes. To most experts, the birthday attack
is considered a type of brute force attack because the attacker keeps
hashing messages until two messages that yield the same hash are
obtained. The point of the birthday attack is that it is easier to find any
two messages that hash to the same message digest than to find a message
that matches one specific, given message digest.
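An added example (not code from the original guide) that makes the collision-versus-preimage cost difference concrete. SHA-256 truncated to a short digest is an assumption so the searches finish in seconds; the birthday search accepts any two colliding messages, while the comparison search has to hit one fixed target.

```python
import hashlib
import math
from typing import Dict, Tuple


def truncated_hash(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits, standing in for a short digest so the
    search finishes quickly. Truncating SHA-256 is an assumption for the demo."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-") -> Tuple[bytes, bytes, int]:
    """Birthday attack: hash distinct messages, remember every digest seen, and
    stop at the first repeat. Returns both colliding messages and the number
    of hashes computed. No particular pair is chosen in advance."""
    seen: Dict[int, bytes] = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        d = truncated_hash(m, bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m
        i += 1


def find_preimage(target: int, bits: int, prefix: bytes = b"pre-") -> Tuple[bytes, int]:
    """For comparison: search for a message hashing to one specific digest.
    Expected work is about 2^bits hashes instead of about 2^(bits/2)."""
    i = 0
    while True:
        m = prefix + str(i).encode()
        if truncated_hash(m, bits) == target:
            return m, i + 1
        i += 1


def expected_collision_hashes(bits: int) -> float:
    """Mean number of hashes before the first collision: about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    bits = 32
    m1, m2, work = find_collision(bits)
    print(f"{bits}-bit collision after {work} hashes "
          f"(expected about {expected_collision_hashes(bits):.0f}, not 2^{bits})")
    print(m1, m2, hex(truncated_hash(m1, bits)))
    # A fixed-target search on a much smaller digest still costs far more per bit.
    target = truncated_hash(b"target document", 16)
    m, work = find_preimage(target, 16)
    print(f"16-bit preimage found after {work} hashes (expected about {2 ** 16})")
```

The 32-bit collision typically appears after under a hundred thousand hashes, which is why a 128-bit digest offers only about 64 bits of collision resistance and why signature schemes require digests of at least 256 bits today.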

Factoring Attack
[PPT: Factoring Attack. Explain factoring attack against RSA.]
This attack is aimed at the RSA algorithm specifically. Because that
algorithm uses the product of two large prime numbers, n = p * q, as the
public modulus, an attacker who can factor n can compute
phi(n) = (p - 1)(q - 1) and from it derive the private exponent d from the
public exponent e. The security of RSA therefore rests on the practical
difficulty of factoring the public modulus, and key sizes are chosen so that
this remains infeasible.
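An added example, not part of the original guide, of the attack on a constructed toy key: the modulus is the product of two Mersenne primes small enough that Pollard's rho factors it in well under a second, after which the private exponent follows directly from phi(n). The primes, public exponent and sample message are assumptions for the demonstration.

```python
from math import gcd
from typing import Tuple

# Constructed toy key: two Mersenne primes small enough to factor quickly.
# Real RSA moduli are 2048 bits or more precisely so that this step is infeasible.
P = 2 ** 31 - 1
Q = 2 ** 61 - 1
E = 65537


def rsa_keygen(p: int, q: int, e: int = E) -> Tuple[Tuple[int, int], int]:
    """Legitimate key generation: public (n, e), private d with e*d = 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), pow(e, -1, phi)


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Pollard's rho with Floyd
    cycle detection). Deterministic: fixed start point and polynomial constants."""
    if n % 2 == 0:
        return 2
    for c in range(1, 100):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def recover_private_key(n: int, e: int) -> int:
    """The factoring attack: factor the public modulus, rebuild phi(n), derive d."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    (n, e), d = rsa_keygen(P, Q)
    message = 123456789
    ciphertext = pow(message, e, n)
    d_recovered = recover_private_key(n, e)
    print("private exponent recovered:", d_recovered == d)
    print("decrypted with recovered key:", pow(ciphertext, d_recovered, n) == message)
```

Pollard's rho finds a factor in roughly the square root of the smaller prime's size, so the 92-bit modulus here falls in tens of thousands of iterations; the same method is hopeless against a properly sized modulus, which is the whole point of the key-length recommendation.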

Dictionary Attack
The dictionary attack is used most commonly against password files if a
copy of the password file can be obtained by the attacker. Even though
password files are one-way protected (the password file contains
hashes, or digests, of the actual passwords rather than the passwords
themselves), the attack exploits the poor habits of users who choose simple
passwords based on natural words. The dictionary attack hashes all of
the words, and common variations and combinations of words, in a
dictionary, then checks whether each resulting hash matches a hashed
password stored in the file. Rainbow tables that provide already hashed
digests of known passwords and combinations can speed up dictionary
attacks significantly; a per-user salt prevents that reuse, because every
candidate must then be re-hashed for each salt, and a deliberately slow
password hash multiplies the attacker's cost further.

Attacking the Random Number Generators
[PPT: Attacking the Random Number Generators. Explain attacking the random number generators.]
This attack has been successful against certain cryptography
implementations. If the random number generator used by a
cryptosystem is too predictable, it may give attackers the ability to
guess or predict the random numbers that are critical for
generating keys, nonces, and initialization vectors in cryptographic
systems. With this information in hand, the attacker is much more likely
to run a successful attack. Cryptographic code must therefore draw from a
cryptographically secure random number generator seeded with enough
entropy, never from a general-purpose PRNG or a low-entropy seed such as
the current time.
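An added example (not from the original guide) of the weakness. The constructed victim seeds Python's general-purpose Mersenne Twister generator from a value with only 2^16 possibilities, standing in for a seed derived from the clock, and uses it to produce 128-bit IVs. The attacker replays every candidate seed until one reproduces an IV seen on the wire, then predicts the victim's next IV. The seed size, the seed value 4242 and the IV length are assumptions for the demonstration; strong_iv shows the fix.

```python
import random
import secrets
from typing import Optional, Tuple

SEED_BITS = 16  # constructed: the victim's seed has only 2^16 possible values


def victim_session(seed: int) -> Tuple[int, int]:
    """The flawed implementation: a general-purpose PRNG (Mersenne Twister)
    seeded from a low-entropy value, producing two 128-bit IVs in turn."""
    rng = random.Random(seed)
    return rng.getrandbits(128), rng.getrandbits(128)


def recover_seed(observed_iv: int) -> Optional[int]:
    """Attacker: having seen one IV on the wire, replay every candidate seed
    until the generator reproduces it."""
    for candidate in range(1 << SEED_BITS):
        if random.Random(candidate).getrandbits(128) == observed_iv:
            return candidate
    return None


def predict_next_iv(seed: int) -> int:
    """With the seed known, the victim's next IV is known before it is used."""
    rng = random.Random(seed)
    rng.getrandbits(128)          # the IV already observed
    return rng.getrandbits(128)   # the one the victim will use next


def strong_iv() -> int:
    """The fix: an OS-backed CSPRNG, which has no small seed to recover."""
    return secrets.randbits(128)


if __name__ == "__main__":
    first_iv, second_iv = victim_session(seed=4242)  # 4242 stands in for a clock-derived seed
    seed = recover_seed(first_iv)
    print("seed recovered:", seed)
    print("next IV predicted correctly:", predict_next_iv(seed) == second_iv)
    print("CSPRNG IV not recoverable:", recover_seed(strong_iv()) is None)
```

The 128-bit IV looks random to an observer, but its entropy is only the 16 bits of the seed, so the search space is the seed space, not the output space; a predictable IV under CBC or a repeated nonce under a stream cipher or GCM is a direct break of the encryption.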
Temporary Files
[PPT: Accessing Temporary Files. Explain importance of protecting against accessing temporary files.]
Most cryptosystems need to use temporary files in storage to
perform their calculations. If these files and storage locations used
in architectures are not deleted and overwritten securely, they may
be accessed and compromised and lead an attacker to
conduct successful cryptanalysis. Making sure any temporary file,
storage location, and volatile memory used by cryptosystems is
securely overwritten is a very important part of what the
cryptosystem needs to be able to achieve.

Social Engineering for Key Discovery
[PPT: Social Engineering for Key Discovery. Explain importance of protecting against social engineering in cryptography.]
Social engineering is defined as using deception or intimidation to
get people to provide information they shouldn't. Other examples
may include coercion or bribery used by attackers to gain access to
systems without having any technical expertise. These techniques may be
used in cryptanalysis as well, as this is generally the most common type of
attack and usually the most successful as well. All cryptography systems,
just like security controls, will ultimately rely to some extent on humans
to implement and operate properly. Unfortunately, this is one of
the greatest vulnerabilities and has led to some of the greatest
compromises of a nation's or organization's secrets or intellectual
property. Defending against social engineering requires a constant
focus on awareness, education, and training.

Module 7: Physical Security
[PPT: Physical Security. Introduce the participants to the "Physical Security" module.]

Module Objectives
[PPT: Module Objectives (2 slides). Introduce the module objectives.]
1. Apply security principles to site and facility design.
2. Implement and manage physical security controls.
3. Implement and manage physical controls in wiring closets and intermediate distribution facilities.
4. Implement and manage physical controls in server rooms and data centers.
5. Implement and manage physical controls in media storage facilities.
6. Implement and manage physical controls for evidence storage.
7. Implement and manage physical controls in restricted areas.
8. Implement and manage physical controls in work areas.
9. Implement and manage environmental controls for utilities and power.
10. Implement and manage controls for heating, ventilation, and air conditioning (HVAC).
11. Implement and manage environmental controls.
12. Implement and manage environmental controls for fire prevention, detection, and suppression.


Physical Security
[PPT: Physical Security. Define physical security and the context for the CISSP.]
Physical security plans and infrastructure are often designed,
implemented, and operated by physical security specialists in larger
organizations. Physical security infrastructure is typically controlled
outside of IT or IT security control in larger organizations. However,
the CISSP MUST understand physical security fundamentals in order
to do the following:
• Assess the risk reduction value of physical security controls
• Communicate physical security needs to physical security managers
• Identify risks to information security due to physical security weaknesses
While the CISSP may never actually design or implement physical
security in a larger organization, they may very well be required to
implement physical security elements in smaller organizations. It is
also vital for the CISSP to understand the impact of either good or
bad physical security on information system security,
regardless of organization size.
A role of the CISSP in some cases may be to translate information
security needs or requirements in such a way that the physical security
or facilities operators can understand those needs in their terms.

Apply Security Principles to Site and Facility Design
[PPT: Apply Security Principles to Site and Facility Design. Describe physical security design principles.]
[PPT: Physical Design that Supports Confidentiality, Integrity, and Availability (CIA). Describe how physical security supports CIA, provide examples.]
Physical design should support confidentiality, integrity, and
availability of information systems and must consider human safety
and external factors as well. Physical security at the facility level
does support confidentiality, integrity, and availability at the
information system level. Facility design directly supports
system availability and can have a particularly high impact on
continuity of operations and disaster recovery.

Physical Design that Supports Confidentiality, Integrity, and Availability (CIA)
Physical design elements can protect information systems from
unauthorized access. They can enable auditing or observation of sensitive
physical access areas, such as server rooms or wiring infrastructure,
and either complement or simplify the information system controls
that must be applied to achieve adequate overall security. Facilities
management ensures robust services (e.g., power, cooling) to
information systems and provides backup or redundant capabilities.

Physical Design that Supports Human Safety
[PPT: Physical Design that Supports Human Safety. Provide examples of how physical security supports human safety.]
Some physical design elements directly support human safety. It is
important to ensure those controls remain in place as security controls are
applied. In some cases, physical security restrictions could imperil
human safety, and that must be avoided. For example, physical access
restrictions could impede building evacuation during an emergency and
must be designed to allow rapid exit while still protecting against
improper entry. In other cases, facility modifications done to support
information systems could necessitate additional human safety controls
to be installed. This might include additional emergency alarms (audible,
visible), new or updated egress routes, or additional safety equipment.
Information systems and their support elements (e.g., UPS, HVAC) consume
large amounts of power, and the power terminals are often located with
the equipment. This may necessitate emergency power shutoff switches (the
big red button on the wall) or equipment shutoffs to ensure electrical
accidents are minimized. Additionally, equipment lockouts for power may be
advisable. These are manual or physical lock latches that physically lock
circuit breakers or switches in the off position while staff are exposed to
power cabling.

Site and Facility Design Considerations
[PPT: Site and Facility Design Considerations. Present the design considerations and discuss the value of each.]
The following list includes top-level design considerations for physical
security and facilities:
• Personnel policy and procedure
• Personnel screening
• Workplace violence prevention
• Response protocols and training
• Mail screening
• Shipping and receiving
• Property ID and tracking
• Parking and site security
• Site and building access control
• Video surveillance
• Internal access control
• Infrastructure protection
• Onsite redundancy
• Structural protections

Implement and Manage Physical Security
[PPT: Implement and Manage Physical Security (2 slides). Describe high-level implementation process.]
To implement effective physical security, a physical risk assessment consistent
with the Risk Assessment described in Domain 1 should be conducted. It
should consider potential human action, natural disaster, industrial
accident, equipment failure, and so forth. As in information security, a
set of layered physical protections and countermeasures for identified
physical risks must be developed so that the protections are
commensurate with the risk assessment. For example, the physical and
facility controls associated with a foreign embassy level of protection
would be very different from those needed to mitigate the physical risks
associated with a small remote office of a commercial business.
One important consideration is that physical risk controls will impact
information system design. For example, weak physical controls may
necessitate more complex information system protections to
compensate, while strong physical protections may lower the overall
risk of an information system and allow for less costly or complicated
controls to be applied at the information system level.
Just as information system controls must be monitored for
effectiveness, physical controls must also be monitored and tested
for effectiveness. This is especially true for controls associated with
human safety, continuity of operations, disaster recovery, and
emergency backups.
[PPT: Perimeter Security Controls (several slides). Describe how the considerations apply to the conditions at each perimeter zone.]

Perimeter Security Controls
Figure 3.11 shows the layers of perimeter controls that may exist. This
model is based on a campus or multi-structure type site, but it can be
applied to a single building or facility. In cases where an organization is
located on a single floor or office space within a larger facility, there may
be limited control over the perimeter security controls, but they should
still be evaluated for effectiveness and any positive or negative impacts.

Figure 3.11: Facility Perimeters. Concentric layers, from outermost to innermost: Surrounding Areas, Site Entry/Exit Points, External Facilities, Operational Facilities.
Surrounding areas concerns include the following:
• Roadways: Roads close to or adjacent to the site.
• Waterways: Adjacent to or crossing the site. This may include
  navigable waterways or small drainage features if they impact the
  site security.
• Geography: Terrain of the site in terms of potential visibility
  limits, concealment opportunities, or natural barriers to entry.
• Lines of sight: Areas where visibility is limited by features or
  structures are a concern.
Associated considerations include the following:
• Is the facility visible from roads?
• Is there a potential for vehicle-borne threats?
• Where are the vehicular and pedestrian access points?
• Is there adequate fencing, or impassable perimeter landscaping
  (natural fence)?
Areas to assess for site entry and exit points include the following:
• Vehicular: Are vehicular access points protected against credible
  vehicular threats?
• Public/customer/visitor: Are there separate entry controls for
  public, customer, or visitor access?
• Staff/employee: Do staff or employees have dedicated
  controlled access points?
• Delivery/truck: Is there a delivery or truck entrance, and how is it
  controlled?
• Pedestrian: Are there controlled pedestrian entry points to the site?
Considerations for site entry and exit:
• Access controls: What are the access controls to enter or leave
  the site: badge, proximity card, guard monitored?
• Surveillance: Is there sufficient surveillance capability to cover
  site entry and exit points?
• Lighting: Is lighting sufficient to allow humans or video systems
  to adequately make subject identification in all light conditions?
• Intrusion detection: Are sensors or intrusion detection devices
  installed on unattended or unmonitored access points?
• Barriers/traffic control: Are barriers in place or available for
  traffic control at any or all of the vehicular access points?


At larger sites, there may be external facilities that include the
following:
• Parking structures/lots
• Utilities components
• Electric transformers/lines
• Telecommunications
• Landscaping
For these consider the following:
• Lighting: Does the lighting provide sufficient illumination under
  all conditions for human and/or video identification of
  subjects? Does the lighting limit shadow areas or areas of no
  visibility during darkness?
• Surveillance: Does surveillance cover areas where security
  or human safety is a concern?
• Intrusion detection: Are alarms or sensors installed in
  unattended external buildings or facilities?
• Lines of sight: Are lines of sight sufficient and dead space
  eliminated?
Operational facilities are the following:
• Where employees work
• Where IT operates
For these consider the following:
• Exterior lighting and surveillance: Appropriate to
  expected threats. Lighting is of sufficient brightness and
  coverage to limit shadows and make human or video
  identification of subjects possible.
• Building materials: Appropriate for the level of security
  required.
• Doors, windows, walls: Are of the appropriate type and
  security level to mitigate expected risks.
• Entry/exit points and access controls: Unattended access
  conditions, guard monitoring, video monitoring.
• Staff/employee entrance: Is there a staff-only entrance,
  and how is it controlled? Attended, unattended?
• Public/customer entrance: Is there a public or customer
  entrance with different security needs from the staff
  entrance?


• Delivery entrance: Is there a loading dock or delivery facility?
• Sensors/intrusion detection: Have sensors or alarms been
  installed on doors and windows?
Typical perimeter control types:
• Lighting
  ◦ Bright enough to cover target areas
  ◦ Limits shadow areas
  ◦ Sufficient for operation of cameras; must be coordinated with
    the camera plan
• Surveillance/camera
  ◦ Narrow focus for critical areas
  ◦ Wide focus for large areas
  ◦ IR/low light in unlit areas
  ◦ Monitored and/or recorded
  ◦ Dummy cameras
• Intrusion detection
  ◦ Cut/break sensors
  ◦ Sound/audio sensors
  ◦ Motion sensors
• Barriers
  ◦ Fixed barriers to prevent ramming
  ◦ Fixed barriers to slow speeds
  ◦ Deployable barriers to block access ways
  ◦ Fencing/security landscaping
    - Slows and deters
    - Should not impede monitoring
• Building material security examples:
  ◦ High-security glass
  ◦ Steel/composite doors
  ◦ Steel telecommunications conduit
  ◦ Secure walls
    - True floor-to-ceiling walls (wall continues above the drop ceiling)
    - Anchored framing material
    - Solid walls/in-wall barriers


• Lock security examples (available in varying grades):
  ◦ Physical key locks
  ◦ Mechanical combination locks
  ◦ Electronic combination locks
  ◦ Biometric locks
  ◦ Magnetic locks
  ◦ Magnetic stripe card locks
  ◦ Proximity card locks
  ◦ Multi-factor locks (e.g., card + PIN)

Internal Security Controls
[PPT: Internal Security Controls. High-level description of internal controls with examples.]
• Controls for human safety
  ◦ Visible and audible alarms, fire suppression, response
    plans/training, emergency shutoffs
• Controls to manage access
  ◦ Door locks (e.g., magnetic, card key, mechanical key,
    combination lock)
  ◦ Access point security (e.g., mantraps, limited ingress,
    alarmed emergency egress)
  ◦ Multifactor access (e.g., key card + PIN for room entry)
• Internal monitoring
  ◦ Physical access control system/monitor (e.g., records key
    card use)
  ◦ Video surveillance/cameras
  ◦ Radio frequency (RF) monitoring

Implement Site and Facility Security Controls
[PPT: Implement Site and Facility Security Controls (2 slides). Introduce topic areas for site and facility controls.]
The following sections will provide recommended controls or
considerations for special areas of the facility. These areas may
require special or enhanced physical controls both from the
security perspective as well as for maintaining information systems
and protection of human life.
The special areas considered are the following:
• Wiring closets/intermediate distribution facilities
• Server rooms/data centers
• Media storage facilities
• Evidence storage
• Restricted area security
• Utilities
• Heating, ventilation, and air conditioning (HVAC)
• Fire prevention, detection, and suppression
• Environmental issues
Wiring Closets/Intermediate Distribution Facilities
[PPT: Wiring Closets/Intermediate Distribution Facilities, Protections (2 slides). For each internal control type, describe, provide examples, and describe CIA impacts.]
The facility wiring infrastructure or "cable plant" is integral to overall
information system security and reliability.
Entrance facility
• External communications enter the facility
• Phone, network, special connections
• May house internet service provider (ISP) or telecommunications
  provider equipment
Equipment room
• Primary communication hub for the facility
• Houses wiring/switch components
• May be combined with entrance facility
Backbone distribution
• Connects entrance facility, equipment room, and telecommunications
  room(s)
Telecommunications room (wiring closet)
• Serves a particular area of a facility (floor, section, wing, etc.)
• Terminates local wiring into patch panels
• Backbone distribution is broken out to individual connections (e.g.,
  switch)
Horizontal distribution system
• Cables, patch panels, jumpers, cable
Security protections for the overall cable plant:
• Rooms must be secured against unauthorized access
• Access to rooms should be monitored/recorded
• Secondary locks on equipment/racks
  ◦ Rooms may share space with non-IT equipment and
    require access by non-IT staff
• Conduit or tamper protections for wiring
Environmental protections for the cable plant:
• Protection from lightning/surge
• Backup power/uninterruptible power supply (UPS)
• Heating/cooling/air flow
  ◦ Critical in enclosed spaces
• Appropriate fire detection/suppression
• Emergency shutoffs for high-power connections
  ◦ May not be necessary in all closets
Server Rooms/Data Centers
[PPT: Server Rooms/Data Centers (2 slides). For each internal control type, describe, provide examples, and describe CIA impacts.]
Server rooms and data centers are rooms in the facility where multiple
computer assets are install and operate. Server rooms have similar security
and environmental protections to wiring closets. However, they may have
higher human traffic, and it is critical that access point security and
access monitoring are in place. When server room space is shared with
other organizational units or even other businesses, it can be
critical to employ rack- or equipment-level locking.
Power, surge protection, and uninterruptible power supplies (UPS)
must be tailored to the operating equipment and of sufficient
capacity. As equipment is modified or replaced, power concerns
must be readdressed to ensure capacities are not exceeded.
Human safety becomes an issue with the power levels in most server
rooms, and emergency shutoffs and non-conductive hooks/gloves
become important for human safety. Non-conductive personal
protective equipment or hooks can be used to disengage
equipment from a power source or safely disengage a human
from a live power source without endangering another human.
Appropriate training may also be necessary to ensure staff
respond appropriately to electrical emergencies by cutting power
and/or safely resolving the emergency.
For server rooms, appropriate fire detection/suppression must be
considered (e.g., a water sprinkler is inappropriate for electrical fires)
based on the size of the room, typical human occupation, egress routes,
and risk of damage to equipment.


Server rooms are typically maintained at a higher level of physical
security than the rest of the facility.

Media Storage Facilities
[PPT: Media Storage Facilities. For each internal control type, describe, provide examples, and describe CIA impacts.]
Media storage facilities may be onsite or offsite from the main
facility. If onsite with the main facility, backup copies should ideally
be stored offsite, and fireproof/waterproof containers should be
employed. Offsite storage should duplicate critical media stored
onsite and retain the ability to recover critical information. Media
typically contains sensitive historical data that likely still requires
protection. Some media types may support encryption while others
do not. If sensitive data is stored on unencrypted media, access
control must be strictly limited and monitored. Some organizations
may limit access to dedicated archivists.
Temperature and humidity should be consistent with the media storage
requirements of the particular media in the facility. As media types
evolve, this must be continually reassessed but must be maintained
consistently with the needs of all stored media. Fire protection should
be in place at both room and container levels.

Evidence Storage
[PPT: Evidence Storage. For each internal control type, describe, provide examples, and describe CIA impacts.]
Evidence storage facilities or rooms are special-access areas with
strictly limited access and may be aggressively monitored. They will
typically contain individual lockers or secure containers for each
investigation or investigator assigned to the facility. This is to ensure
evidence accountability and chain of custody are maintained at all
times to prove evidence has not been modified or tampered with.
Evidence is protected against damage or theft, and
appropriate environmental protections should be commensurate with
the evidence types stored (e.g., paper, digital, media).

Restricted Area Security
[PPT: Restricted Area Security. For each internal control type, describe, provide examples, and describe CIA impacts.]
Restricted area security applies to any spaces or rooms within the facility
where highly sensitive work occurs or information is stored. This includes
secure facilities and classified workspaces. These spaces typically have
extremely high access control protections and logging of all access, and
they may include audio protections against eavesdropping such as white
noise machines. They may also include enhanced visual screening from
exterior spaces or have no windows at all. In the most extreme cases,
they may include protection against the detection of electromagnetic
emissions from equipment.


Utilities
[PPT: Utilities (2 slides). For each internal control type, describe, provide examples, and describe CIA impacts.]
Power
• Redundant power input from utilities
• Redundant transformers/power delivery
• Backup generators
• Battery backups
• Dual power infrastructure within data centers
• Backup sources must be tested/exercised
• Backup sources must be sized appropriately and upgraded
  when load increases
Telecommunications
• Multiple service provider inputs
• Redundant communication channels/mechanisms
• Redundancy on key equipment (eliminate single points of
  failure)
Water/Sewer
• Cooling/human habitation
• Risk of leaks/damage to equipment
• Supports most building-wide fire suppression plans
Safety concerns with utilities are critical, as generators, battery
backups, and data center power feeds may carry very high
electrical loads that are inherently dangerous.
Emergency power shutoffs in high-load areas:
• Safeguard human life in case of electrocution (big red
  button)
• Safeguard equipment in case of overload (automated
  shutoff)
• Safeguard humans and equipment in emergencies
High-load areas should provide access to non-conductive gloves/
equipment and push/pull rods in case of emergency.

Heating, Ventilation, and Air Conditioning (HVAC)
[PPT: Heating, Ventilation, and Air Conditioning (HVAC) (2 slides). For each internal control type, describe, provide examples, and describe CIA impacts.]
All computer equipment has a range of acceptable operating
temperatures. High-density equipment and equipment within
enclosed spaces require adequate cooling and airflow. Cooling must
be designed to match the equipment and the space to be cooled.
High-capacity rooms (e.g., operations center) must have sufficient airflow
for the number of human occupants (CO2 danger), and air for all uses
should be filtered for contaminants (natural or intentionally introduced).

Fire Prevention and Detection
[PPT: Fire Prevention and Detection. Cover fire detection and suppression technologies.]
Human training and awareness is critical to fire prevention. Sensors
(infrared temperature, smoke) can detect conditions leading up to a
fire as well as fire initiation and may assist with prevention, but they are
primarily valuable for detection. Smoke detectors include optical
(photoelectric) and physical process (ionization) types. Flame detectors
include infrared and ultraviolet detectors.

Fire Suppression
[PPT: Fire Suppression (3 slides). Cover fire detection and suppression technologies.]
Buildings should be equipped with one or more types of fire suppression
systems. There are two main types of suppression systems: water-based
and gas-based.
Water-based
• Effective for common material fires (e.g., wood, paper, building
  materials)
• Safe for human spaces
• Damages equipment
• Ineffective for electrical or petroleum fires
• Typically cheaper than gas-based
Gas-based
• Effective for any fire type
• Typically safe for equipment
• May be dangerous to humans in enclosed spaces (depending on
  type)
• Costly to install and maintain compared to water-based
Gas-based systems may be safe for humans under certain conditions but
not others. System design must take into account the size and ventilation of
protected rooms and volume calculations for the gas. If well implemented,
most modern gas systems can be safe for human-occupied spaces, but
some risk of suffocation may still exist if not implemented correctly or if
unusual conditions apply.


Water-based system types:
• Wet pipe: Most common; water in pipes, heat-activated
  sprinkler heads that typically operate independently.
• Dry pipe: Pressurized gas in pipes, water released after the
  first sprinkler head is activated, slight delay in operation.
  Sprinkler heads operate independently. Beneficial due to
  less danger of pipe leaks or freezing, often used in open
  facilities (e.g., parking garage).
• Pre-action: Combines elements of wet and dry pipe
  actions. Fire sensors initiate pre-action charging of the water
  pipes, after which sprinkler heads can activate independently as in
  a wet pipe system. In other instances, the system may require both
  an independent fire sensor and one or more sprinklers to
  activate prior to water entering the system.
• Deluge: Similar to pre-action operation but with open
  sprinkler heads. Once the overall system is activated by
  a heat or fire sensor, all sprinkler heads will be active
  simultaneously when the central valve is opened.
Gas system examples:
• Halocarbon agents
  ◦ Halon (older type, mostly gone)
  ◦ FM-200
• Inert gas (e.g., argon/nitrogen)
  ◦ Argonite
  ◦ Inergen
• Aerosol
  ◦ Aero-K
Note: Aerosol-based systems typically inject an inert gas with some
type of aerosol liquid into the protected area. They are typically
safe for human-occupied areas.

Environmental Issues
[PPT: Environmental Issues (2 slides). Describe and discuss each issue area and potential impacts.]
The following is a limited list of environmental hazards that may be
encountered that could affect the facility. These hazards should be
considered based on expected frequency and potential impact for
the geographic area in which the facility is located.
• Hurricane
• Tornado


Official (ISC)2 CISSP Training Guide

l Forest/wildfire
Notes
l Earthquake
Physical Security
l Flooding
l Mudslide
PPT
Environmental Issues
(continued)
Case: WannaCry Ransomware
In May of 2017, a ransomware attack known as WannaCry was initiated and affected over 230,000 computers in 150 companies. The attack encrypted user files and requested that a ransom be paid to an anonymous address using Bitcoins. Ransomware maliciously using encryption was not new at this point, but this incident raised public awareness of these types of attacks.
The attack used vulnerabilities largely existing in older computer systems and had the greatest impact within industries that historically use embedded or long-lifespan systems.
Attack anatomy:
The exploit used vulnerabilities in the Microsoft Server Message Block v1 (SMBv1) protocol to transfer itself across the network. SMBv1 is an older protocol, having been replaced in more modern systems with v2 and later since 2006. However, it was maintained for backwards compatibility through Windows Server 2012. The malware used flaws in SMBv1 to execute arbitrary code on the affected systems and install itself. It then encrypted user files and attempted to spread itself using the same SMB vulnerability.
FAILURES THAT MADE IT POSSIBLE
Architecture:
The malware spread using an older network protocol (SMBv1). This protocol is used by Microsoft systems for file and print sharing. There is no reason for this protocol to be accessible from external sources, yet some infections occurred via external computers exploiting a vulnerability in an internal protocol. Had SMB port blocks been better implemented on organizational external defenses (e.g., firewalls), or had internal blocks that limited traversal of internal networks been in place, the impact and spread would have been significantly reduced.
Many affected systems were older systems using outdated operating systems. The medical community was hit particularly hard in Great Britain, with many pieces of medical equipment being impacted. For older or embedded systems, tight network segmentation and limitation of the ports, protocols, and services allowed to access those systems would have significantly reduced the impact.

System updates:
As noted under Architecture, many of the affected systems were older systems and embedded systems. However, patches for the core vulnerabilities were available from Microsoft prior to the initial malware release. Had older systems been fully updated, the impact would have been significantly reduced.
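The two architectural gaps named above (SMB reachable from outside the organization, and no internal blocks between general user networks and segments holding legacy equipment) can be checked mechanically against a firewall rule base. The following Python script is an added example for this case, not part of the (ISC)2 material or of any firewall product; its rule format, the network ranges, and the sample rules are constructed for illustration, and its evaluation deliberately ignores first-match ordering so that every allow rule that could carry SMB is reported for review.

```python
"""Audit firewall rules for SMB reachability from outside and across internal segments.

Added illustration, not part of the (ISC)2 guide. The rule format, network
names and sample rules are all constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# TCP ports used by Microsoft file and print sharing:
# NetBIOS session service (139) and direct-hosted SMB (445).
SMB_TCP_PORTS = {139, 445}


@dataclass(frozen=True)
class Rule:
    """One stateless allow/deny rule (hypothetical simplified format)."""
    name: str
    action: str        # "allow" or "deny"
    proto: str         # "tcp" or "udp"
    src: str           # source CIDR
    dst: str           # destination CIDR
    dports: tuple      # destination ports; an empty tuple means any port


def _inside(net, nets):
    """True when net lies entirely within one of nets."""
    return any(net.subnet_of(n) for n in nets)


def _touches(net, nets):
    """True when net overlaps any of nets."""
    return any(net.overlaps(n) for n in nets)


def smb_findings(rules, internal_nets, equipment_nets):
    """Return (rule name, finding) pairs for allow rules that could carry SMB
    (a) from outside the organization into any internal network, or
    (b) from general internal space into a segment of legacy/embedded equipment.
    Rule order is ignored: any allow rule that could match is reported."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    equipment = [ipaddress.ip_network(n) for n in equipment_nets]
    findings = []
    for r in rules:
        if r.action != "allow" or r.proto != "tcp":
            continue
        if r.dports and not (set(r.dports) & SMB_TCP_PORTS):
            continue                         # allow rule, but no SMB port in it
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        if not _inside(src, internal) and _touches(dst, internal):
            findings.append((r.name, "smb-reachable-from-external"))
        elif _inside(src, internal) and _touches(dst, equipment) and not _inside(src, equipment):
            findings.append((r.name, "smb-traversal-into-equipment-segment"))
    return findings


# Constructed sample: 10.0.0.0/8 is the organization, 10.9.0.0/16 holds legacy equipment.
INTERNAL_NETS = ["10.0.0.0/8"]
EQUIPMENT_NETS = ["10.9.0.0/16"]
SAMPLE_RULES = [
    Rule("allow-https-in", "allow", "tcp", "0.0.0.0/0", "10.1.2.0/24", (443,)),
    Rule("allow-any-in", "allow", "tcp", "0.0.0.0/0", "10.0.0.0/8", ()),          # perimeter gap
    Rule("deny-smb-in", "deny", "tcp", "0.0.0.0/0", "10.0.0.0/8", (139, 445)),
    Rule("allow-smb-lan", "allow", "tcp", "10.1.0.0/16", "10.9.0.0/16", (445,)),  # user LAN to equipment
    Rule("allow-smb-equipment-mgmt", "allow", "tcp", "10.9.0.0/24", "10.9.0.0/16", (445,)),
]


def audit_sample():
    """Run the audit over the constructed rule base."""
    return smb_findings(SAMPLE_RULES, INTERNAL_NETS, EQUIPMENT_NETS)


if __name__ == "__main__":
    for name, finding in audit_sample():
        print(f"{name}: {finding}")
```

On the constructed rules the audit reports `allow-any-in` (SMB reachable from the outside because no port restriction was applied) and `allow-smb-lan` (user LAN traversal into the equipment segment); the management rule that originates inside the equipment segment is not flagged, which is the segmentation shape the case recommends.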
FAILURES THAT CONTRIBUTED TO THE MALWARE'S DEMISE:
Malware authors make mistakes as well. In the case of WannaCry, the developer made some interesting implementation mistakes that allowed counteractions against the malware to reduce its effects. In particular, two malware flaws included the following:
1. Kill switch: Security researchers determined that the malware attempted to contact a specific URL prior to encrypting data. This was easily determined by observing the malware operating in a sandbox, and there was no secure verification process. It simply attempted to locate the URL and, if successful, shut down. By registering the domain name, the impact of the malware was significantly reduced. (https://www.csoonline.com/article/3227906/ransomware/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html)
2. Ransomware/Cryptolocker-type malware has some practical limitations for use. In some cases, it is feasible to recover the cryptographic keys from the system memory. Since the encryption key has to be onboard the system to encrypt and decrypt files, it can be recovered. Boston University, MITRE, and University College London researchers had previously developed a mechanism that can recover some malicious crypto keys. (http://cs-people.bu.edu/wfkoch/my-data/pubs/paybreak.pdf)

Module 8: Domain Review

PPT
Domain Review
Engage participants in a review of key information from this domain by discussing this scenario-based set of questions and answers. Question slides are immediately followed by the answer slide.

PPT
Domain Summary (4 slides)
Participate in review of key elements from the domain on security architecture and engineering.

Domain Summary
The Security Architecture and Engineering Domain introduces several concepts for applying security architecture and engineering principles. We have covered basic security models and security control frameworks. This included applying control frameworks and developing assessable evaluation criteria. The domain introduced several common security capabilities inherent in modern information systems and introduced common vulnerabilities and mitigations that exist in different types of information systems. The history of cryptography is very long, but over the last 50 years or so, cryptography has become an integral and necessary part of security implementations.

Cryptography can be very effective in providing some key security services such as confidentiality, integrity, authenticity (proof of origin), non-repudiation, and access control. There are two basic ways to do cryptography: stream and block ciphers. Symmetric key cryptography is very fast but has problems related to key distribution and scalability. Asymmetric key cryptography is very slow but solves the problems related to key distribution and scalability. Hashing, which is defined as one-way encryption, can be very useful in addressing the integrity of stored and transmitted information. Digital signatures can achieve non-repudiation of origin and non-repudiation of delivery. Key management and key management techniques are the most important aspects of secure cryptography implementations. There are many cryptanalysis attacks that try to break cryptography systems. Finally, we applied security concepts to the physical environment and facilities.
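To make the summary's distinctions concrete, the following Python example, added here and not part of the (ISC)2 guide, uses only the standard library to show a hash providing integrity, a keyed MAC providing authenticity (an attacker who can rewrite a message can also recompute a bare hash, but cannot produce a valid MAC without the key), and the key-count formulas behind the scalability point: N(N-1)/2 shared keys for N symmetric users versus 2N keys for N asymmetric key pairs. The message values and the random key are constructed for the example.

```python
"""Integrity with a hash, authenticity with a MAC, and key-count scaling.

Added example for the domain summary; not from the (ISC)2 guide.
Uses only the Python standard library.
"""
import hashlib
import hmac
import secrets


def message_digest(data: bytes) -> str:
    """Fixed-length one-way digest of any-length input (the glossary's hash function)."""
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, stored_digest: str) -> bool:
    """A bare digest detects accidental or unauthenticated change to the data."""
    return hmac.compare_digest(message_digest(data), stored_digest)


def make_mac(key: bytes, data: bytes) -> str:
    """Keyed digest: only a holder of the shared secret can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_valid(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(make_mac(key, data), tag)


def symmetric_keys_needed(n: int) -> int:
    """One shared key per pair of users: N(N-1)/2 keys to manage."""
    return n * (n - 1) // 2


def asymmetric_keys_needed(n: int) -> int:
    """One public/private pair per user: 2N keys to manage."""
    return 2 * n


def tamper_demo() -> dict:
    """Show why a hash alone is not authenticity: an attacker who can replace the
    message can replace the digest too, but cannot forge the keyed MAC."""
    key = secrets.token_bytes(32)          # shared secret held by sender and receiver (constructed)
    original = b"transfer 100 to account 42"   # constructed sample message
    forged = b"transfer 900 to account 99"     # constructed substituted message
    digest = message_digest(original)
    tag = make_mac(key, original)
    return {
        # the stored digest no longer matches the altered message
        "hash_detects_edit": not integrity_intact(forged, digest),
        # but an attacker who can also replace the digest passes the hash check
        "hash_fooled_by_recomputed_digest": integrity_intact(forged, message_digest(forged)),
        # without the key there is no valid tag for the forged message
        "mac_rejects_forgery": not mac_valid(key, forged, tag),
        "mac_accepts_original": mac_valid(key, original, tag),
    }


if __name__ == "__main__":
    print(tamper_demo())
    print("symmetric keys for 500 users:", symmetric_keys_needed(500))
    print("asymmetric keys for 500 users:", asymmetric_keys_needed(500))
```

The MAC gives integrity plus proof that a key holder produced the message; it does not give non-repudiation, because either party holding the shared key could have produced the tag, which is the gap a digital signature with a private key closes.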


Domain Review Questions

PPT
Domain Review Questions
Participate in review of key elements from the domain on security architecture and engineering.

1. Requirements definition, design, implementation, and operation are examples of what type of System and Security Engineering processes?
A. Technology processes
B. Acquisition processes
C. Design processes
D. Technical processes

2. One security model includes a set of rules that can dynamically restrict access to information based upon information that a subject has already accessed in order to prevent any potential conflict of interest. This model is known as the:
A. Biba model
B. Brewer/Nash model
C. Graham–Denning model
D. Harrison, Ruzzo, Ullman model

3. Select the best answer. Inheritable or “common” security controls are characterized as:
A. Controls that are passed down from older systems to new systems through code sharing
B. Introduces unacceptable risk in most systems
C. Controls that are never assessed in an operational environment
D. Controls that are provided from one system to another in an operational environment

4. Three common types of industrial control systems include:
A. Supervisory control and data acquisition, distributed control systems, programmable logic controllers
B. Supervisory control and data anonymization, distributed control systems, programmable logic capability
C. Supervisory control and data anonymization, distributed chip systems, programmable logic controllers
D. Supervisory control and data acquisition, distributed chip systems, programmable logic capability

5. The four most common types of sprinkler systems are:
A. Soaking, wet pipe, dry pipe, and pre-action
B. Wet pipe, dry pipe, deluge, and pre-action
C. Wet pipe, dry pipe, soaking, and hybrid
D. Dry pipe, soaking, deluge, and hybrid

6. The key used in a cryptographic operation is also called:
A. Cryptovariable
B. Cryptosequence
C. Cryptoform
D. Cryptolock

7. Most cryptographic algorithms operate in either block mode or:
A. Cipher mode
B. Logical mode
C. Stream mode
D. Decryption mode

8. Which of the following is NOT one of the five primary objectives of cryptography?
A. Non-repudiation
B. Authenticity
C. Data integrity
D. Authorization

9. Another name for symmetric key cryptography is?
A. Shared
B. Public
C. Key clustering
D. Elliptic curve

10. How many keys would need to be managed for an asymmetric key system such as RSA with 500 users (N)?
A. Nx2
B. N (N–1)/2
C. 2 to the power of N
D. N to the power of 2

Domain Review Answers

1. Requirements definition, design, implementation, and operation are examples of what type of System and Security Engineering processes?
A. Technology processes
B. Acquisition processes
C. Design processes
D. Technical processes
The correct answer is D. A is incorrect terminology. B and C are specific
processes, not types of processes.

2. One security model includes a set of rules that can dynamically restrict access to information based upon information that a subject has already accessed in order to prevent any potential conflict of interest. This model is known as the:
A. Biba model
B. Brewer/Nash model
C. Graham–Denning model
D. Harrison, Ruzzo, Ullman model
The correct answer is B. A, C, and D are models that describe an information system’s rules for operation, but those rules are applied universally. The Brewer/Nash model is the only model that explicitly addresses conflicts of interest.

3. Select the best answer. Inheritable or “common” security controls are characterized as:
A. Controls that are passed down from older systems to new systems through code sharing
B. Introduces unacceptable risk in most systems
C. Controls that are never assessed in an operational environment
D. Controls that are provided from one system to another in an operational environment
The correct answer is D. D is the correct definition of the term. A, B, and C are not types of controls. All controls must be assessed whether inherited or not, and while inheritable controls may introduce risk if not operating properly, they do not generally introduce unacceptable risk, which makes D a better answer.

4. Three common types of industrial control systems include:
A. Supervisory control and data acquisition, distributed control systems, programmable logic controllers
B. Supervisory control and data anonymization, distributed control systems, programmable logic capability
C. Supervisory control and data anonymization, distributed chip systems, programmable logic controllers
D. Supervisory control and data acquisition, distributed chip systems, programmable logic capability
The correct answer is A. Items B, C, and D include incorrect terminology.

5. The four most common types of sprinkler systems are:
A. Soaking, wet pipe, dry pipe, and pre-action
B. Wet pipe, dry pipe, deluge, and pre-action
C. Wet pipe, dry pipe, soaking, and hybrid
D. Dry pipe, soaking, deluge, and hybrid
The correct answer is B. Items A, C, and D each contain at least one incorrect element.

6. The key used in a cryptographic operation is also called:
A. Cryptovariable
B. Cryptosequence
C. Cryptoform
D. Cryptolock
The correct answer is A. The cryptovariable is the correct definition used by cryptologists to describe the key in a cryptography system.

7. Most cryptographic algorithms operate in either block mode or:
A. Cipher mode
B. Logical mode
C. Stream mode
D. Decryption mode
The correct answer is C. All ciphers operate either in stream mode, one bit at a time, or in block mode, several bits at a time.

8. Which of the following is NOT one of the five primary objectives of cryptography?
A. Non-repudiation
B. Authenticity
C. Data integrity
D. Authorization
The correct answer is D. The five services that cryptography can provide are confidentiality, integrity, authenticity, non-repudiation, and access control. Authorization, therefore, is not a service that cryptography can achieve.

9. Another name for symmetric key cryptography is?
A. Shared
B. Public
C. Key clustering
D. Elliptic curve
The correct answer is A. Symmetric, which means “the same,” implies that a shared key is required by the sender and receiver in order to be able to encrypt and decrypt a message or data.

10. How many keys would need to be managed for an asymmetric key system such as RSA with 500 users (N)?
A. Nx2
B. N (N–1)/2
C. 2 to the power of N
D. N to the power of 2
The correct answer is A. Asymmetric key cryptography algorithms require users to have their private and public key pairs, two keys each. For 500 users, each having a key pair, the answer is 1,000, or Nx2.

Terms and Definitions

Algorithm: A mathematical function that is used in the encryption and decryption processes.

Asymmetric: Not identical on both sides. In cryptography, key pairs are used, one to encrypt, the other to decrypt.

Availability: Ensuring timely and reliable access to and use of information by authorized users.

Certificate authority (CA): An entity trusted by one or more users as an authority that issues, revokes, and manages digital certificates to bind individuals and entities to their public keys.

CIA/AIC Triad: Security model in which the three security concepts of confidentiality, integrity, and availability make up the CIA Triad. It is also sometimes referred to as the AIC Triad.

Ciphertext: The altered form of a plaintext message, so as to be unreadable for anyone except the intended recipients. Something that has been turned into a secret.

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Confusion: Provided by mixing (changing) the key values used during the repeated rounds of encryption. When the key is modified for each round, it provides added complexity that the attacker would encounter.

Cryptanalysis: The study of techniques for attempting to defeat cryptographic techniques and, more generally, information security services provided through cryptography.

Cryptology: The science that deals with hidden, disguised, or encrypted information and communications.

Cryptography: Secret writing. Today it provides the ability to achieve confidentiality, integrity, authenticity, non-repudiation, and access control.

Decryption: The reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and the appropriate key that was used to do the original encryption.

Diffusion: Provided by mixing up the location of the plaintext throughout the ciphertext. The strongest algorithms exhibit a high degree of confusion and diffusion.

Digital certificate: An electronic document that contains the name of an organization or individual, the business address, the digital signature of the certificate authority issuing the certificate, the certificate holder’s public key, a serial number, and the expiration date. Used to bind individuals and entities to their public keys. Issued by a trusted third party referred to as a Certificate Authority (CA).

Digital rights management (DRM): A broad range of technologies that grant control and protection to content providers over their own digital media. May use cryptography techniques.

Digital signatures: Provide authentication of a sender and integrity of a sender’s message and non-repudiation services.

Encoding: The action of changing a message into another format through the use of a code.

Encryption: The process of converting the message from its plaintext to ciphertext.

Hash function: Accepts an input message of any length and generates, through a one-way operation, a fixed-length output called a message digest or hash.

Initialization vector (IV): A non-secret binary vector used as the initializing input to the algorithm, or a random starting point, for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment.

Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Key or Cryptovariable: The input that controls the operation of the cryptographic algorithm. It determines the behavior of the algorithm and permits the reliable encryption and decryption of the message.

Key Clustering: When different encryption keys generate the same ciphertext from the same plaintext message.

Key Length: The size of a key, usually measured in bits, that a cryptographic algorithm uses in ciphering or deciphering protected information.

Message authentication code (MAC): A small block of data that is generated using a secret key and then appended to the message, used to address integrity.

Message digest: A small representation of a larger message. Message digests are used to ensure the authentication and integrity of information, not the confidentiality.

Non-repudiation: Inability to deny. In cryptography, a service that ensures the sender cannot deny a message was sent and the integrity of the message is intact, and the receiver cannot claim receiving a different message.

Null cipher: Hiding plaintext within other plaintext. A form of steganography.

Plaintext: The message in its natural format, which has not been turned into a secret.

Registration authority (RA): Performs certificate registration services on behalf of a Certificate Authority (CA).

Steganography: Hiding something within something else, or data hidden within other data.

Stream cipher: When a cryptosystem performs its encryption on a bit-by-bit basis.

Substitution: The process of exchanging one letter or bit for another.

Symmetric algorithm: Operates with a single cryptographic key that is used for both encryption and decryption of the message.

Transposition: The process of reordering the plaintext to hide the message by using the same letters or bits.

Trusted Platform Module (TPM): A secure crypto processor and storage module.

Work factor: This represents the time and effort required to break a cryptography system.
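The glossary's substitution, transposition and null cipher entries are easiest to see in code. The following Python example is added here and is not from the (ISC)2 guide; the shift substitution, the columnar transposition, the cover text and the 18-letter sample plaintext are constructed toy illustrations with no protective value. It shows why a cipher needs both ingredients: substitution alone hides which letter is which but preserves the letter-frequency profile, and transposition alone reorders letters but leaves their identities visible, which is why the glossary notes that the strongest algorithms exhibit a high degree of both confusion and diffusion.

```python
"""Classical building blocks from the glossary: substitution, transposition, null cipher.

Added illustration, not from the (ISC)2 guide. Toy ciphers on uppercase A-Z only;
they demonstrate the definitions and offer no real protection.
"""
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def substitute(plaintext: str, shift: int) -> str:
    """Substitution: exchange each letter for another. Here the key is a fixed shift."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in plaintext)


def unsubstitute(ciphertext: str, shift: int) -> str:
    """Decryption reverses the substitution with the same key."""
    return substitute(ciphertext, -shift)


def transpose(plaintext: str, width: int) -> str:
    """Columnar transposition: the same letters, reordered. The key is the row width;
    the plaintext length must be a multiple of it (no padding in this toy)."""
    if len(plaintext) % width:
        raise ValueError("plaintext length must be a multiple of width")
    rows = [plaintext[i:i + width] for i in range(0, len(plaintext), width)]
    return "".join(row[col] for col in range(width) for row in rows)


def untranspose(ciphertext: str, width: int) -> str:
    """Read the columns back into rows."""
    rows = len(ciphertext) // width
    return "".join(ciphertext[col * rows + row] for row in range(rows) for col in range(width))


def letter_frequencies(text: str) -> dict:
    """Letter counts, the raw material of frequency analysis."""
    return dict(Counter(text))


def null_cipher_extract(cover_text: str) -> str:
    """Null cipher (steganography): the hidden message is the first letter of each word."""
    return "".join(word[0] for word in cover_text.split()).upper()


PLAINTEXT = "ATTACKATDAWNPLEASE"   # constructed sample: 18 letters, 3 rows of 6


def substitution_keeps_frequency_profile() -> bool:
    """Substitution changes the letters but the multiset of counts survives unchanged,
    so the profile of the ciphertext still matches the language's profile."""
    pt = letter_frequencies(PLAINTEXT)
    ct = letter_frequencies(substitute(PLAINTEXT, 3))
    return sorted(pt.values()) == sorted(ct.values()) and pt != ct


def transposition_keeps_letter_counts() -> bool:
    """Transposition moves letters around but every letter is still present as itself."""
    return letter_frequencies(transpose(PLAINTEXT, 6)) == letter_frequencies(PLAINTEXT)


if __name__ == "__main__":
    print("substitution :", substitute(PLAINTEXT, 3))
    print("transposition:", transpose(PLAINTEXT, 6))
    print("null cipher  :", null_cipher_extract("send every nurse down"))
```

A modern block cipher applies substitution and transposition-like steps repeatedly under round keys, which is how it achieves both confusion (the key's influence is spread through every round) and diffusion (each plaintext bit influences many ciphertext bits).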


Course Agenda
Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security

PPT
Course Agenda (2 slides)

PPT
Communication and Network Security
Introduce the participants to the “Communication and Network Security” domain.

Domain 4: Communication and Network Security

Overview
The communication and network systems that comprise the connections inside and outside of an organization can be compared to the central nervous system of a body. It is how the organization communicates within its boundaries and without. If the communication and network systems experience interruption or degradation in service, the effect can be debilitating, or the organization may not survive at all. To manage vulnerabilities, it is necessary to be familiar with threats and with countermeasures that meet business needs for security.

PPT
Domain Objectives (3 slides)
Objectives for the “Communication and Network Security” domain.

Domain Objectives
After completing this course, the participant will be able to:
1. Name the layers of the Open Systems Interconnection (OSI) and Transport Control Protocol/Internet Protocol (TCP/IP) network models.
2. Compare the differences and similarities between the Open Systems Interconnection (OSI) and Transport Control Protocol/Internet Protocol (TCP/IP) network models.
3. List the concepts and architecture that define the associated technology and implementation systems and protocols at Open Systems Interconnection (OSI) model layers 1–7.
4. Define related threats and select appropriate countermeasures for systems and protocols operating at Open Systems Interconnection (OSI) model layers 1–7.
5. Identify technological implementations that provide services to support mobility and collaboration.
6. Describe various network services that abstract and virtualize underlying components and infrastructure and associate service benefits.
7. Recognize relevant network components used to secure communications and differentiate use based upon requirements.
8. Demonstrate use of secure network components as countermeasures in response to specific threats associated with the Open Systems Interconnection (OSI) model layers 1–7.
9. Define secure communications channels that support remote access services and collaboration.

Domain Agenda

PPT
Domain Agenda (2 slides)
Review the domain agenda.

Module  Name
1  Secure Design Principles in Network Architectures
2  OSI Layer 1: Physical Layer
3  OSI Layer 2: Data-Link Layer
4  OSI Layer 3: Network Layer
5  OSI Layer 4: Transport Layer
6  OSI Layer 5: Session Layer
7  OSI Layer 6: Presentation Layer
8  OSI Layer 7: Application Layer
9  Service Considerations
10  Secure Network Components
11  Secure Communication Channels According to Design
12  Domain Review


Module 1: Secure Design Principles in Network Architectures

PPT
Secure Design Principles in Network Architectures
Introduce the participants to the “Secure Design Principles in Network Architectures” module.

Module Objectives
1. Name the layers of the Open Systems Interconnection (OSI) and Transport Control Protocol/Internet Protocol (TCP/IP) network models.
2. Compare the differences and similarities between the Open Systems Interconnection (OSI) and Transport Control Protocol/Internet Protocol (TCP/IP) network models.

PPT
Module Objectives
Introduce the module objectives.


Architecture and Design

PPT
Architecture and Design
Introduce Architecture and Design.

Architecture and design are not the same. Design produces a specific implementation that is informed by an architecture. When reviewing various frameworks such as Zachman, Sherwood Applied Business Security Architecture (SABSA), ISO/IEC 21827:2008 Systems Security Engineering-Capability Maturity Model, and a host of others, it can be readily discerned that a well-thought-out architecture is a direct reflection of actual business requirements that precedes a design. Architecture done in the spirit of the frameworks listed is technology agnostic, independent of the choice of specific tools and vendors. Yet often, technologists will respond with a specific technical design and solution before reflecting on an architectural path that can answer not only the problem before them but also strategically envision solutions to problems and requirements that haven’t yet surfaced. Architecture is strategic and conceptual; design is related to implementing the concepts into specific technological building blocks. A primary reason that organizations have problems integrating technology is that they are in a constant call-and-response that moves from requirements to design without first reflecting on architectural statements that should be known and utilized throughout the enterprise. The architectural statements provide consistency in the design so that every design element agrees with the architecture and will then have interoperable capabilities between design elements.

In 1985 Ben Segal was working at the European Council for Nuclear Research (CERN) and as a mentor to Tim Berners-Lee, who led the development of the World Wide Web. At that time Mr. Segal thought about the problems that stem from a lack of architectural harmony in global technology when he noted, “Each company had its own operating system; each company had its own networking system; each company had its own computer architecture and there was no consensus even in the way that the bits and the bytes were ordered, or the bytes and the words were ordered.” In 1985 Mr. Segal was assisting CERN in implementation of the Transport Control Protocol/Internet Protocol (TCP/IP). He notes that there was “considerable controversy” over whether CERN would accept the TCP/IP model or the Open Systems Interconnection (OSI) model. The TCP/IP model was developed from research sponsored by the U.S. Department of Defense. In the early days, it continued growing in acceptance by means of bottom-up standards adoption and consensus building. Conversely, development of the OSI model was a top-down committee-driven process and struggled to keep up with the technology it was designed to describe. The OSI model was ratified as the international standard to describe network systems, and TCP/IP became the model for implementing the de facto protocols on the internet and private networks.

TCP/IP doesn’t have an inherent specification for security, but in the series of documents that make up the ISO/IEC 7498 OSI model, it is Part 2 that addresses the security architecture for network systems.

ISO/IEC 7498 consists of the following parts:
Part 1: The Basic Model
Part 2: Security Architecture
Part 3: Naming and Addressing
Part 4: Management Framework

PPT
Open Systems Interconnection (OSI) Model
Discuss the Open Systems Interconnection (OSI) Model.

Open Systems Interconnection (OSI) Model

Layer (data unit): Function
Application (Data): Network Process to Application
Presentation (Data): Data Representation and Encryption
Session (Data): Interhost Communication
Transport (Segments): End-to-End Connections and Reliability
Network (Packets): Path Determination and IP (Logical Addressing)
Data Link (Frames): MAC and LLC (Physical Addressing)
Physical (Bits): Media, Signal and Binary Transmission

Figure 4.1: Open Systems Interconnection (OSI) Model



The process of someone at one location sending a gift to another person at a different location serves as an analogy for how data is processed through the Open Systems Interconnection (OSI) model layers. Everything from each step is layered and carried forward and included in the next step.
l The application layer is comparable to the gift.
l The presentation layer is like the gift wrapping paper. It is a common and acceptable form for receiving a gift.
l The session layer represents the choice that the sender can make to select a service with the ability to track the package along the route from sender to recipient.
l The transport layer transmits segments and affects the prioritization of the delivery schedule of the gift.
l The network layer transmits packets or datagrams via logical addressing and is the same as the street address that will be attached to the package to be used in routing the package to the recipient.
l The data-link layer transmits frames and translates logical addresses to physical addresses, as a shipping company would have tools that manage translations from street addresses to GPS locations.
l The physical layer transmits bits of data and is akin to making the choice of whether you want to ship your package via ground or air. At the physical layer, transmission media is a choice of wired and wireless.

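The gift analogy describes encapsulation: each layer wraps its own header around the unit it receives from the layer above, and the receiving side strips them off in reverse order. The following Python example is added here and is not from the (ISC)2 guide; it uses hypothetical, simplified header layouts (not the real Ethernet, IP or TCP formats) and constructed sample addresses to build a frame from application data down to the bit string the physical layer would transmit, then decapsulates it, refusing a frame whose check sequence no longer matches.

```python
"""Encapsulation down the OSI stack and decapsulation back up (toy formats).

Added example for the gift analogy; not from the (ISC)2 guide. The header
layouts are hypothetical simplifications, not real Ethernet, IP or TCP headers.
"""
import ipaddress
import struct
import zlib

SEG_HDR = struct.Struct("!HHH")     # layer 4: src port, dst port, payload length
PKT_HDR = struct.Struct("!4s4sB")   # layer 3: src address, dst address, protocol number
FRM_HDR = struct.Struct("!6s6sH")   # layer 2: src MAC, dst MAC, ethertype
FCS = struct.Struct("!I")           # layer 2 trailer: frame check sequence (CRC-32)
PROTO_TRANSPORT = 6                 # hypothetical protocol number for the toy segment
ETHERTYPE_PACKET = 0x0800           # hypothetical ethertype for the toy packet


def build_segment(src_port, dst_port, data):
    """Transport layer: a segment is a header plus the application data."""
    return SEG_HDR.pack(src_port, dst_port, len(data)) + data


def build_packet(src_ip, dst_ip, segment):
    """Network layer: logical addresses wrap the whole segment."""
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    return PKT_HDR.pack(src, dst, PROTO_TRANSPORT) + segment


def build_frame(src_mac, dst_mac, packet):
    """Data-link layer: physical addresses wrap the packet; a CRC trailer guards the frame."""
    body = FRM_HDR.pack(src_mac, dst_mac, ETHERTYPE_PACKET) + packet
    return body + FCS.pack(zlib.crc32(body) & 0xFFFFFFFF)


def encapsulate(data, src_port, dst_port, src_ip, dst_ip, src_mac, dst_mac):
    """Each layer wraps the unit handed down from the layer above."""
    segment = build_segment(src_port, dst_port, data)  # transport: segments
    packet = build_packet(src_ip, dst_ip, segment)     # network: packets
    return build_frame(src_mac, dst_mac, packet)       # data link: frames


def to_bits(frame):
    """Physical layer view: the frame as the string of bits put on the media."""
    return "".join(f"{b:08b}" for b in frame)


def decapsulate(frame):
    """Unwrap layer by layer; refuse a frame whose check sequence does not match."""
    body, fcs = frame[:-FCS.size], frame[-FCS.size:]
    if FCS.unpack(fcs)[0] != zlib.crc32(body) & 0xFFFFFFFF:
        raise ValueError("frame check sequence mismatch: frame corrupted or altered")
    src_mac, dst_mac, ethertype = FRM_HDR.unpack_from(body)
    packet = body[FRM_HDR.size:]
    src_ip, dst_ip, proto = PKT_HDR.unpack_from(packet)
    segment = packet[PKT_HDR.size:]
    src_port, dst_port, length = SEG_HDR.unpack_from(segment)
    data = segment[SEG_HDR.size:SEG_HDR.size + length]
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype,
        "src_ip": str(ipaddress.IPv4Address(src_ip)), "dst_ip": str(ipaddress.IPv4Address(dst_ip)),
        "proto": proto, "src_port": src_port, "dst_port": dst_port, "data": data,
    }


# Constructed sample addresses and payload.
SAMPLE = dict(data=b"GET /gift", src_port=40000, dst_port=80,
              src_ip="10.0.0.1", dst_ip="10.0.0.2",
              src_mac=bytes.fromhex("02aabbccdd01"), dst_mac=bytes.fromhex("02aabbccdd02"))


def sample_frame():
    return encapsulate(**SAMPLE)


def sample_roundtrip():
    return decapsulate(sample_frame())


def tampered_frame_is_detected():
    """Flip one payload bit in transit; the receiver's FCS check must reject the frame."""
    altered = bytearray(sample_frame())
    altered[-6] ^= 0x01                  # byte inside the application data
    try:
        decapsulate(bytes(altered))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(to_bits(sample_frame())[:64], "...")
    print(sample_roundtrip())
```

Note that the CRC only catches accidental corruption: anyone who alters the frame can recompute it, which is why integrity against a deliberate attacker has to come from a keyed mechanism at a higher layer rather than from the frame check sequence.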
TCP/IP Model Compared to OSI Model
Secure Design Principles in OSI Model TCP/IP
Network Architectures
Layers Protocol TCP/IP Protocol Suite
Architecture
layers
PPT
Application Application
TCP/IP Model Compared Layer
Layer
to OSI Model
Compare contrast the Presentation
TCP/IP Model Compared Layer Telnet FTP SMTP DNS RIP SNMP
to OSI Model.
Session
Layer
Transport Host-to-Host
Layer Transport TCP UDP
Layer
Network
Layer Internet IP IGMP ICMP
ARP
Layer
Data-Link
Layer Ethernet Token Frame ATM
Network Ring Relay
Physical Interface
Layer Layer

Figure 4.2: TCP/IP Model Compared to OSI Model

Although Domain 4 will describe specific protocols that originate from


TCP/IP, the protocols will be categorized in each of the seven layers of
the Open Systems Interconnection (OSI) model.
Modules 2–9 will consider a repeating theme for each layer of the OSI
model, namely; Concepts and Architecture, Technology and
Implementation, and Threats and Countermeasures. The threats and
countermeasures are not meant to be exhaustive, but an example of
what threats were exploited at the time of publishing. Contemporary
threats and countermeasures can be addressed in the Case: Network
Security Incident Mitigation in Module 11.

338 Domain 4: Communication and Network Security


Instructor Edition

Module 2: OSI Layer 1: Physical Layer
Domain 4: Communication and Network Security

Module Objectives
1. List the concepts and architecture that define the associated technology and implementation systems and protocols at Open Systems Interconnection (OSI) model layers 1–7. (Physical Layer)
2. Define related threats and select appropriate countermeasures for systems and protocols operating at Open Systems Interconnection (OSI) model layers 1–7. (Physical Layer)

PPT: OSI Layer 1: Physical Layer. Introduce the participants to the “OSI Layer 1: Physical Layer” module.
PPT: Module Objectives. Introduce the module objectives.

Module 2: OSI Layer 1: Physical Layer 339


Concepts and Architecture

At the physical layer, bits are encoded and decoded through transmitting and receiving devices and media. Media and device types may utilize signals that include light, radio, or electrical. Transmission techniques determine whether the bits are transmitted via baseband or broadband. The physical layer receives and processes data from and going to the data-link layer.

PPT: Concepts and Architecture (3 slides). Discuss the Physical Layer Concepts and Architecture.

Network Topologies

Bus
A bus topology is a LAN with a central cable (bus) to which all nodes (devices) connect. All nodes transmit directly on the central bus. Each node listens to all the traffic on the bus and processes only the traffic that is destined for it. This topology relies on the data-link layer to determine when a node can transmit a frame on the bus without colliding with another frame on the bus.
Advantages of buses:
• Adding a node to the bus is easy.
• A node failure will not likely affect the rest of the network.
Disadvantages of buses:
• Because there is only one central bus, a bus failure will leave the entire network inoperable.

Tree
A tree topology is like a bus. Instead of all the nodes connecting to a central bus, the devices connect to a branching cable. Like a bus, every node receives all the transmitted traffic and processes only the traffic that is destined for it. Furthermore, the data-link layer must transmit a frame only when there is not already a frame on the wire.
Advantages of a tree:
• Adding a node to the tree is easy.
• A node failure will not likely affect the rest of the network, but the failure of any node that provides additional branching will cause all dependent nodes to fail.
Disadvantages of a tree:
• A cable failure could leave the entire network inoperable.


Ring
A ring is a closed-loop topology. Data is transmitted in one direction only, based on the direction that the ring was initialized to transmit in, either clockwise or counter-clockwise. Each device receives data from its upstream neighbor only and transmits data to its downstream neighbor only. Typically, rings use coaxial cables or fiber optics.
Advantages of rings:
• Because rings use tokens, one can predict the maximum time that a node must wait before it can transmit (i.e., the network is deterministic).
• Rings can be used as a LAN or network backbone.
Disadvantages of rings:
• Simple rings have a single point of failure. If one node fails, the entire ring fails. Some rings, such as fiber distributed data interface (FDDI), use dual rings for failover.

Mesh
In a mesh network, all nodes are connected to every other node on the network. A full mesh network is usually too expensive because it requires many connections. As an alternative, a partial mesh can be employed in which only selected nodes (typically the most critical) are connected in a full mesh and the remaining nodes are connected to a few devices. As an example, core switches, firewalls, and routers and their hot standbys are often all connected to ensure as much availability as possible.
Advantages of a mesh:
• Mesh networks provide a high level of redundancy.
Disadvantages of a mesh:
• Mesh networks are very expensive because of the enormous amount of cabling that is required.

Star
All nodes in a star network are connected to a central device, such as a hub, switch, or router. Modern LANs usually employ a star topology.
Advantages of a star:
• Star networks require fewer cables than a full or partial mesh.
• Star networks are easy to deploy, and nodes can be easily added or removed.
Disadvantages of a star:
• The central connection device is a single point of failure. If it is not functional, all the connected nodes lose network connectivity.
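The single-point-of-failure claims made for the bus, ring, mesh and star topologies above can be checked mechanically. The following Python is an added example, not code from the training guide; the node names and the small networks it builds are constructed for illustration. Each topology is modelled as an undirected graph (the shared bus cable is itself a node so that a cable cut can be tested), and the analysis lists every node whose loss partitions the surviving nodes, together with the cable count that drives the cost of a mesh.

```python
"""Single-point-of-failure analysis for the physical topologies discussed above.

Added example, not code from the training guide. Node names and network sizes
are constructed for illustration.
"""
from itertools import combinations


def build(links):
    """Undirected adjacency sets from an iterable of (a, b) cable links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def bus(n):
    """n hosts on one shared cable; the cable is a node so a cable cut can be tested."""
    return build(("bus", f"h{i}") for i in range(n))


def star(n):
    """n hosts each cabled to one central switch."""
    return build(("switch", f"h{i}") for i in range(n))


def ring(n):
    """Closed loop: each host linked to its upstream and downstream neighbour."""
    return build((f"h{i}", f"h{(i + 1) % n}") for i in range(n))


def full_mesh(n):
    """Every host linked directly to every other host."""
    return build(combinations([f"h{i}" for i in range(n)], 2))


def partial_mesh(core, edge):
    """Core devices fully meshed; each edge host dual-homed to two core devices."""
    cores = [f"core{i}" for i in range(core)]
    links = list(combinations(cores, 2))
    for j in range(edge):
        links.append((f"h{j}", cores[j % core]))
        links.append((f"h{j}", cores[(j + 1) % core]))
    return build(links)


def connected_without(adj, failed):
    """True if every surviving node can still reach every other surviving node."""
    alive = [v for v in adj if v != failed]
    if len(alive) <= 1:
        return True
    seen, stack = {alive[0]}, [alive[0]]
    while stack:                       # depth-first search over surviving nodes
        for w in adj[stack.pop()]:
            if w != failed and w not in seen:
                seen.add(w)
                stack.append(w)
    return len(seen) == len(alive)


def single_points_of_failure(adj):
    """Sorted list of nodes whose loss partitions the remaining network."""
    return sorted(v for v in adj if not connected_without(adj, v))


def link_count(adj):
    """Number of distinct cables, the cost driver the guide cites for a full mesh."""
    return sum(len(nbrs) for nbrs in adj.values()) // 2


if __name__ == "__main__":
    for name, net in [("bus", bus(4)), ("star", star(5)), ("ring", ring(5)),
                      ("full mesh", full_mesh(5)), ("partial mesh", partial_mesh(3, 4))]:
        print(f"{name:13s} cables={link_count(net):2d} SPOF={single_points_of_failure(net)}")
```

The results mirror the text: the bus cable and the star's central device are the only single points of failure, a ring of five survives any one node loss, and a partial mesh of three fully meshed core devices with four dual-homed hosts has no single point of failure with 11 cables, compared with 21 for a full mesh of the same seven nodes.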
Carrier Sense Multiple Access (CSMA)
As the name implies, Carrier Sense Multiple Access (CSMA) is an access protocol that uses the absence or presence of a signal on the medium on which it wants to transmit as permission to transmit. Only one device may transmit at a time; otherwise, the transmitted frames will be unreadable. Because there is no inherent mechanism that determines which device may transmit, all the devices must compete for available bandwidth. For this reason, CSMA is referred to as a contention-based protocol. Also, because it is impossible to predict when a device may transmit, CSMA is nondeterministic.
• Carrier Sense Multiple Access with Collision Detection (CSMA/CD): Devices on a CSMA/CD LAN listen for a carrier before transmitting data. If another transmission is not detected, the data will be transmitted. It is possible that a station will transmit before another station’s transmission has had enough time to propagate. If this happens, two frames will be transmitted simultaneously, and a collision will occur. Instead of all stations simply retransmitting their data, which would likely cause more collisions, each station waits a randomly generated interval before retransmitting. CSMA/CD is part of the Institute of Electrical and Electronics Engineers (IEEE) 802.3 standard.
• Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA): Avoids collisions by sensing whether the medium is clear for transmission. If the medium is clear, the potential transmitter sends out a special control frame called a Request to Send (RTS). The RTS is sent to the common access point and to all stations on that segment. If the RTS is accepted by the access point, a Clear to Send (CTS) is sent back to the potential transmitter and to all stations connected to the access point. In this way, collisions do not have an opportunity to take place. CSMA/CA is used in the IEEE 802.11 wireless standard.
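The contention and random backoff described for CSMA/CD can be observed in a small slotted-time simulation. The Python below is an added example, not code from the training guide. It adds one IEEE 802.3 detail the text leaves implicit: after the k-th collision a station waits a random number of slot times drawn from 0 to 2^min(k, 10) − 1 (truncated binary exponential backoff) and abandons the frame after 16 collisions. The station names and the one-slot-per-frame timing model are constructed simplifications.

```python
"""Slotted CSMA/CD contention with truncated binary exponential backoff.

Added example, not code from the training guide. Every station has one frame
ready at slot 0; a slot with exactly one transmitter succeeds, a slot with more
than one is a collision, and each colliding station draws a new random wait.
"""
import random

MAX_ATTEMPTS = 16      # 802.3 abandons a frame after 16 collisions
BACKOFF_LIMIT = 10     # the backoff exponent stops growing after the 10th collision


def backoff_slots(collisions, rng):
    """Random wait in slot times after the given number of collisions."""
    return rng.randrange(2 ** min(collisions, BACKOFF_LIMIT))


def simulate(station_names, seed=1, max_slots=10_000):
    """Run the contention until every frame is delivered or dropped.

    Returns the delivery order as (slot, station) pairs, the collision count
    per station, the total number of collision slots and any dropped stations.
    """
    rng = random.Random(seed)                   # seeded so a run is reproducible
    next_tx = {s: 0 for s in station_names}     # earliest slot a station may transmit
    collisions = {s: 0 for s in station_names}
    pending = set(station_names)
    order, dropped, total = [], [], 0
    slot = 0
    while pending and slot < max_slots:
        ready = sorted(s for s in pending if next_tx[s] <= slot)
        if len(ready) == 1:
            # Carrier sensed clear and nobody else transmitting: frame delivered
            order.append((slot, ready[0]))
            pending.remove(ready[0])
        elif len(ready) > 1:
            # Two or more stations transmitted in the same slot: collision
            total += 1
            for s in ready:
                collisions[s] += 1
                if collisions[s] >= MAX_ATTEMPTS:
                    dropped.append(s)
                    pending.remove(s)
                else:
                    next_tx[s] = slot + 1 + backoff_slots(collisions[s], rng)
        slot += 1
    return {"order": order, "collisions": collisions,
            "total_collisions": total, "dropped": dropped}


if __name__ == "__main__":
    result = simulate(["A", "B", "C", "D"], seed=7)
    print("delivery order:", result["order"])
    print("collision slots:", result["total_collisions"], "dropped:", result["dropped"])
```

A single station never collides, while several stations that become ready together always collide at least once before the first frame gets through; the random draws also mean two runs with different seeds can deliver the frames in a different order, which is the nondeterminism the text describes and the reason heavy contention degrades Ethernet throughput.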

Technology and Implementation

Wired Local Area Network (LAN)/Wide Area Network (WAN)

PPT: Technology and Implementation (7 slides). Discuss Physical Layer Technology and Implementation.

Concentrators, Multiplexers, Hubs, and Repeaters
• Concentrators multiplex connected devices into one signal to be transmitted on a network. For instance, a Fiber Distributed Data Interface (FDDI) concentrator multiplexes transmissions from connected devices onto an FDDI ring.
• A multiplexer combines multiple signals into one signal for transmission. Using a multiplexer is much more efficient than transmitting the same signals separately. Multiplexers are used in devices from simple hubs to very sophisticated dense wavelength division multiplexers (DWDMs) that combine multiple optical signals on one strand of optical fiber.
• Hubs retransmit signals from each port to all other ports. Hubs are used to implement a physical star topology. All the devices in the star connect to the hub.

Ethernet (IEEE 802.3 – uses CSMA/CD)
The physical topologies that are supported by Ethernet are bus, star, and point to point, but the logical topology is the bus. With the exception of full-duplex Ethernet, which does not have the issue of collisions, the architecture uses CSMA/CD. This protocol allows devices to transmit data with a minimum of overhead (compared to Token Ring), resulting in an efficient use of bandwidth. However, because devices must retransmit when more than one device attempts to send data on the medium, too many retransmissions due to collisions can cause serious throughput degradation. The Ethernet standard supports coaxial cable, unshielded twisted pair, and fiber optics as transmission media. Ethernet was originally rated at 10Mbps, but like 10-megabyte disk drives, users quickly figured out how to use and exceed its capacity and needed faster LANs. To meet the growing demand for more bandwidth, 100 Base-TX (100Mbps over twisted pair) and 100 Base-FX (100Mbps over multimode fiber optics) were defined. When the demand grew for even more bandwidth over unshielded twisted pair, 1000 Base-T was defined, and 1000 Base-SX and 1000 Base-LX were defined for fiber optics. These standards support 1,000Mbps. The IEEE has also specified standards for 10, 40, and 100 Gigabit Ethernet.


Token Ring (IEEE 802.5)
Originally designed by IBM, Token Ring was adapted with some modification by the IEEE as IEEE 802.5. Despite the architecture’s name, Token Ring uses a physical star topology. The logical topology, however, is a ring. Each device receives data from its upstream neighbor and transmits to its downstream neighbor. Token Ring uses token passing to mediate which device may transmit. As mentioned in the section on token passing, a special frame, called a token, is passed on the LAN. To transmit, a device must possess the token. To transmit on the LAN, the device appends data to the token and sends it to its next downstream neighbor. Devices retransmit frames for which they are not the intended recipient. When the destination device receives the frame, it copies the data, marks the frame as read, and sends it to its downstream neighbor. When the packet returns to the source device, it confirms that the packet has been read. The source device resets the data bit to zero, thus relinquishing the token for the next device in the ring to utilize. Token Ring is now considered a “legacy” technology that is rarely seen, and only then because there has been no reason to upgrade away from it. Token Ring has almost entirely been replaced with Ethernet technology.

Fiber Distributed Data Interface (FDDI)
FDDI is a token-passing architecture that uses two rings. Because FDDI employs fiber optics, FDDI was designed to be a 100-Mbps network backbone. Only one ring (the primary) is used; the other one (secondary) is used as a backup. Information in the two rings flows in opposite directions. Hence, the rings are referred to as counter-rotating. FDDI is also considered a legacy technology and has been supplanted by more modern transport technologies, initially Asynchronous Transfer Mode (ATM) but more recently Multiprotocol Label Switching (MPLS).

Media
The wired media utilized within the physical layer of the Open Systems Interconnection (OSI) model spans various strands and gauges of copper along with plastics and glass.
• Twisted Pair: Pairs of copper wires are twisted together to reduce electromagnetic interference and crosstalk. Each wire is insulated with a fire-resistant material, such as Teflon. The twisted pairs are surrounded by an outer jacket that physically protects the wires. The quality of the cable, and therefore its appropriate application, is determined by the number of twists per inch, the type of insulation, and the conductive material. The P802.3bt draft is designed to be a standard for managing the supply of power over a four-pair set of copper wire connecting data terminal equipment.


• Unshielded Twisted Pair (UTP): UTP has several drawbacks. Because it does not have shielding like shielded twisted-pair cables, UTP is more susceptible to interference from external electrical sources, such as crosstalk or noise. Protection against surveillance is more difficult when using UTP than with shielded wire. Thus, UTP may not be a desirable choice when transmitting very sensitive data or when installed in an environment with much electromagnetic interference (EMI) or radio frequency interference (RFI). Despite its drawbacks, UTP is the most common cable type. UTP is inexpensive, can be easily bent during installation, and, in most cases, the risk from the above drawbacks is not enough to justify more expensive cables.
• Shielded Twisted Pair (STP): Shielded twisted pair is like UTP. Pairs of insulated twisted copper are enclosed in a protective (metal foil) jacket or shield. However, STP uses an electrically grounded shield to protect the signal. The shield surrounds each of the twisted pairs in the cable, surrounds the bundle of twisted pairs, or both. The shield protects the electronic signals from outside interference. Although the shielding protects the signal, STP has disadvantages compared with UTP. STP is more expensive and is bulkier and harder to bend during installation.
• Coaxial Cable: Instead of a pair of wires twisted together, coaxial cable (or simply, coax) uses one thick conductor that is surrounded by a grounding braid of wire. A non-conducting layer is placed between the two layers to insulate them. The entire cable is placed within a protective sheath. The conducting wire is much thicker than the twisted pair and, therefore, can support greater bandwidth and longer cable lengths. The superior insulation protects coaxial cable from electronic interference, such as EMI and RFI. Likewise, the shielding makes it more difficult for an intruder to monitor the signal with antennae or install a tap. Coaxial cable has some disadvantages. The cable is expensive and difficult to bend during installation. For this reason, coaxial cable is used in specialized applications, such as cable TV.
• Fiber Optic: Fiber optics use light pulses to transmit information within fiber lines instead of using electronic pulses to transmit information down copper lines. At one end of the system is a transmitter. This is the place of origin for information coming onto fiber-optic lines. The transmitter accepts coded electronic pulse information coming from copper wire. It then processes and translates that information into equivalently coded light pulses. A light-emitting diode (LED) or an injection-laser diode (ILD) can be used for generating the light pulses. Using a lens, the light pulses are funneled into the fiber-optic medium where they travel down the cable. Think of a fiber cable in terms of a very long cardboard roll (from the inside of a roll of paper towel) that is coated with a mirror on the inside. If you shine a flashlight in one end you can see light come out at the far end, even if it has been bent around a corner. Light pulses move easily down the fiber-optic line because of a principle known as total internal reflection. This principle states that when the angle of incidence exceeds a critical value, light cannot get out of the glass; instead, the light bounces back in. When this principle is applied to the construction of the fiber-optic strand, it is possible to transmit information down fiber lines in the form of light pulses. The core must be made from a very clear and pure material. The core can be plastic (used for very short distances) but most are made from glass. Glass optical fibers are almost always made from pure silica, but some other materials, such as fluorozirconate, fluoroaluminate, and chalcogenide glasses, are used for longer wavelength infrared applications.
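The critical angle that the paragraph refers to follows from Snell’s law. The derivation below is an added worked example and not part of the training guide; the refractive indices n1 = 1.48 (core) and n2 = 1.46 (cladding) are assumed illustrative values for a silica fiber, not figures from the text.

```latex
% Snell's law at the core/cladding boundary (n_1 = core, n_2 = cladding, n_1 > n_2)
n_1 \sin\theta_1 = n_2 \sin\theta_2

% Total internal reflection begins when the refracted ray would run along the boundary (\theta_2 = 90^\circ)
\sin\theta_c = \frac{n_2}{n_1}, \qquad \theta_c = \arcsin\frac{n_2}{n_1}

% Assumed illustrative silica values: n_1 = 1.48, n_2 = 1.46
\theta_c = \arcsin\frac{1.46}{1.48} \approx \arcsin(0.9865) \approx 80.6^\circ

% Rays striking the wall at incidence \theta_1 \ge \theta_c stay inside the core.
% The same indices fix the acceptance cone at the end face (numerical aperture):
\mathrm{NA} = \sqrt{n_1^2 - n_2^2} = \sqrt{1.48^2 - 1.46^2} \approx 0.24, \qquad
\theta_{\max} = \arcsin(\mathrm{NA}) \approx 14^\circ
```

So only light entering within roughly 14° of the fiber axis is guided; a ray that strikes the core wall at less than the critical angle leaks into the cladding, which is why a bend that is too tight loses signal even though the flashlight-in-a-tube picture suggests otherwise.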
There are three types of fiber optic cable commonly used:
• Single mode: This mode has a small diameter core that decreases the number of light reflections within the cable. This allows for great transmission distance, up to 80Km, 50 times further than multimode.
• Multimode: This mode uses a larger diameter cable than single mode. Light reflections subsequently increase. Typically used for short distances. Transmission distances are up to 400m.
• Plastic optical fiber (POF): This uses a plastic core and allows for larger diameter fiber cores. Distortion of the signal is greatly increased using plastic, which limits its range significantly. Transmission distances are around 100m.
• Patch panels: As an alternative to directly connecting devices, devices are connected to the patch panel. Then, a network administrator can connect two of these devices by attaching a small cable, called a patch cord, to two jacks in the panel.

Internet Access
Digital Subscriber Lines (DSLs): There are several methods of implementing DSL:
• Asymmetric Digital Subscriber Line (ADSL): Downstream transmission rates are much greater than upstream ones, typically up to 8Mbps downstream and 384Kbps upstream.
• Rate-Adaptive DSL (RADSL): The upstream transmission rate is automatically tuned based on the quality of the line and adjustments made on the modem.
• Symmetric Digital Subscriber Line (SDSL): Uses the same rates for upstream and downstream transmissions.
• Very High Bit Rate DSL (VDSL): Supports much higher transmission rates than other DSL technologies, such as 52Mbps downstream and 2Mbps upstream.
There are two significant issues with all variations of DSL:
• There is a limit to the length of the phone line between the central office (CO) and the customer. The precise limit depends on several factors, including the quality of the cable and the transmission rates. In other words, the customer cannot be too far from the CO.
• DSL allows users to be connected to the internet for much longer time intervals. Certainly, this is very convenient for the user, but extended time exposed to the internet greatly increases the risk of being attacked. To mitigate this serious risk, it is imperative that the host has a firewall, that vendor security patches are installed, and that dangerous and unused protocols are disabled.
Cable Modem: The user connects their PC Ethernet network interface card (NIC) to a cable modem that is connected to the cable provider’s network. Most major cable providers supply cable modems that comply with Data-Over-Cable Service Interface Specifications (DOCSIS), which helps ensure compatibility. The different versions of DOCSIS over the years are equated with the following speeds:

DOCSIS Version           Maximum Download   Maximum Upload
DOCSIS 1                 40Mbps             10Mbps
DOCSIS 1.1               40Mbps             10Mbps
DOCSIS 2                 40Mbps             30Mbps
DOCSIS 3                 1.2Gbps            200Mbps
DOCSIS 3.1               10Gbps             1Gbps
DOCSIS 3.1 Full Duplex   10Gbps             10Gbps


At the release of this publication, the minimum version for devices released is DOCSIS 3.
Like DSL, cable modems make it practical for home users to remain connected to the internet for an extended time, which exposes cable modem users to the same risks as DSL users. Cable modem users must take the same precautions as DSL users: ensure that PCs on the home network have a personal firewall, install vendor security patches, and disable dangerous and unused protocols.
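Both the DSL passage and the cable modem passage above give the same advice for an always-on host: run a firewall, install vendor patches, and disable dangerous or unused protocols. The Python below is an added example of the last check and is not code from the training guide. It parses a socket listing in the column layout printed by the Linux `ss -tuln` command (the sample output is constructed, not captured from a real host), ignores sockets bound only to a loopback address, and reports every other listener that is not on an operator-maintained allowlist; the allowlist and the table of cleartext services (Telnet and FTP, both of which appear in the TCP/IP protocol figure earlier in this module) are assumptions for the example.

```python
"""Audit listening sockets on an always-on broadband host.

Added example for the DSL and cable-modem advice above (not code from the
training guide). It parses output in the layout printed by Linux `ss -tuln`,
skips sockets bound to loopback, and reports every remaining listener that
is not on an explicit allowlist. The sample output, the allowlist and the
legacy-service table are constructed assumptions.
"""
import ipaddress

# Constructed sample in the layout of `ss -tuln`; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      128    [::]:8080           [::]:*
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*
udp   UNCONN 0      0      [::1]:323           [::]:*
"""

# (protocol, port) pairs the operator deliberately exposes: SSH and the DHCP client.
ALLOWED_EXPOSED = {("tcp", 22), ("udp", 68)}

# Cleartext services that should be disabled unless there is a documented need.
LEGACY_SERVICES = {("tcp", 21): "FTP (cleartext)", ("tcp", 23): "Telnet (cleartext)"}


def split_endpoint(endpoint):
    """Split 'addr:port', handling IPv6 '[::]:8080' and wildcard '*:80' forms."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True for 127.0.0.0/8 and ::1; wildcard or unparsable hosts count as exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_ss(output):
    """Return (proto, host, port) for each socket line, skipping the header."""
    sockets = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue                      # blank or malformed line
        host, port = split_endpoint(fields[4])
        sockets.append((fields[0], host, port))
    return sockets


def audit(output, allowed=ALLOWED_EXPOSED):
    """Findings for sockets reachable from the network that are not allowlisted."""
    findings = []
    for proto, host, port in parse_ss(output):
        if is_loopback(host) or (proto, port) in allowed:
            continue
        reason = LEGACY_SERVICES.get((proto, port), "not on allowlist")
        findings.append({"proto": proto, "bind": host, "port": port, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        print(f"{f['proto']} {f['bind']}:{f['port']} -> {f['reason']}")
```

On the constructed sample the audit flags the Telnet listener on all IPv4 addresses and an unexplained service on TCP 8080 bound to all IPv6 addresses, while the print spooler on 127.0.0.1 and the time daemon on ::1 are left alone because they are not reachable from the broadband side. Feeding the script real `ss -tuln` output and keeping the allowlist under change control turns the guide’s advice into a repeatable check.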
At a high level, the cable modem process is:
• When a cable modem is powered on, it is assigned upstream and downstream channels.
• Next, it establishes timing parameters by determining how far it is from the head end (the core of the cable network).
• The cable modem makes a Dynamic Host Configuration Protocol (DHCP) request to obtain an IP address.
To help protect the cable provider from piracy and its users from having their data intercepted by other cable users, the modem and head end exchange cryptographic keys. From that point forward, all traffic between the two ends is encrypted.

Broadband over Powerline (BPL)
BPL is the delivery of broadband over the existing low- and medium-voltage electric power distribution network. BPL speeds are comparable to DSL and cable modem speeds. BPL can be provided to homes using existing electrical connections and outlets. BPL is an emerging technology that is available in very limited areas. It has significant potential because power lines are installed virtually everywhere, alleviating the need to build new broadband facilities for every customer.

Wireless (LAN/WAN)
Wi-Fi (Wireless LAN IEEE 802.11x)
Primarily associated with computer networking, Wi-Fi uses the IEEE 802.11x specification to create a wireless local-area network, either public or private. A Wi-Fi network consists of a wireless connection to a wireless access point (WAP) that is normally connected to a wired network. Wi-Fi range is generally wide enough for most homes or small offices, and for larger campuses or homes, range extenders may be placed strategically to extend the signal. Over time the Wi-Fi standard has evolved, with each updated version faster than the last. Current devices usually use the 802.11n or 802.11ac versions of the spec, but backwards compatibility ensures that an older laptop can still connect to a new Wi-Fi router. However, to see the fastest speeds, both the computer and the router must use the latest 802.11 version.
Bluetooth (Wireless Personal Area Network IEEE 802.15)
Bluetooth was originally conceived by Ericsson in 1994. Ericsson, IBM, Intel, Nokia, and Toshiba formed the Bluetooth Special Interest Group (SIG), a not-for-profit trade association developed to drive development of Bluetooth products and serve as the governing body for Bluetooth specifications. Bluetooth is standardized within the IEEE 802.15 Working Group for Wireless Personal Area Networks (WPANs), which formed in 1999, as IEEE 802.15.1-2002. Bluetooth wireless technology is an open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs), and has been integrated into many types of business and consumer devices.
While both Wi-Fi and cellular networks enable connections to anywhere in the world, Bluetooth is much more local, with the stated purpose of “replacing the cables connecting devices,” according to the official Bluetooth website. Bluetooth uses a low-power signal with a maximum range of 100 meters (330 feet), primarily used in industrial environments. The range depends on the power class of the devices being used. In Bluetooth networks this is typically Class 2, which has a range of 10 meters (33 feet) but with sufficient speed to enable transmission of high-fidelity music and streaming video.
As with other wireless technologies, Bluetooth speed increases with each revision of its standard, but it requires up-to-date equipment at both ends to deliver the highest possible speed. Also, the latest Bluetooth revisions can use maximum power only when it is required, preserving battery life.

WiMAX (Broadband Wireless Access IEEE 802.16)
One well-known example of wireless broadband is WiMAX. Although WiMAX can potentially deliver data rates of more than 30Mbps, providers offer average data rates of 6Mbps and often deliver less, making the service significantly slower than hard-wired broadband. The advent of other wireless technology that includes 4G specifications and Long Term Evolution (LTE) replaced much of the effort put into developing WiMAX solutions.


Satellite
Just as satellites orbiting Earth provide necessary links for telephone and television service, they can also provide links for broadband. Satellite broadband is another form of wireless broadband and is also useful for serving remote or sparsely populated areas.
Downstream and upstream speeds for satellite broadband depend on several factors, including the provider and service package purchased, the consumer’s line of sight to the orbiting satellite, and the weather. Typically, a consumer can expect to receive (download) at a speed of about 500Kbps and send (upload) at a speed of about 80Kbps. These speeds may be slower than DSL and cable modem, but they are about 10 times faster than the download speed with dial-up internet access. Service can be disrupted in extreme weather conditions.

Cellular Network
A cellular network or mobile network is a radio network distributed over land areas called cells, each served by at least one fixed-location transceiver known as a cell site or base station. In a cellular network, each cell characteristically uses a distinct set of radio frequencies from all its immediate neighboring cells to avoid interference. When joined together, these cells provide radio coverage over a wide geographic area. This enables many portable transceivers (e.g., mobile phones, pagers, etc.) to communicate with each other and with fixed transceivers and telephones anywhere in the network via base stations, even if some of the transceivers are moving through more than one cell during transmission.
There are two primary transmission types for cell phones:
• Code-division multiple access (CDMA): Every call’s data is encoded with a unique key, then the calls are all transmitted at once. CDMA carriers use network-based white lists to verify their subscribers. Phones can only be switched with the carrier’s permission, and a carrier does not have to accept any phone onto its network.
• Global System for Mobiles (GSM): Each call is transformed into digital data that is given a channel and a time slot. Customer information, including telephone number, is kept on a Subscriber Identity Module (SIM) that is removable from one phone to another in GSM-provisioned phones. To be considered GSM, a carrier must accept any GSM-compliant phone.
The transmission speeds and carrier capabilities of wireless networks related to cellular services are expressed within a “Generation” with a format of 1G-5G. The chart below describes the characteristics of each generation:

Generation: 1G
  Advent: 1980s
  Transmission Speed: 2.4Kbps
  Technology Type: Analog
  Purpose (each generation includes previous service): Phone calls
Generation: 2G
  Advent: 1991
  Transmission Speed: 50Kbps to 1Mbps
  Technology Type: General Packet Radio Service (GPRS) with Enhanced Data Rates for GSM Evolution (EDGE)
  Purpose: Data services such as Short Message Service (SMS), pictures, and Multimedia Messaging Service (MMS)
Generation: 3G
  Advent: 2001
  Transmission Speed: Maximum of 52Mbps
  Technology Type: HSDPA (High-Speed Downlink Packet Access)
  Purpose: Video calls and mobile internet
Generation: 4G
  Advent: 2009
  Transmission Speed: Maximum of 100Mbps
  Technology Type: Long Term Evolution (LTE) or WiMax
  Purpose: HD mobile media and web conferencing
Generation: 5G
  Advent: Still in draft as of 2017
  Transmission Speed: Maximum of 35Gbps
  Technology Type: Software-defined networks (SDNs)
  Purpose: Internet of Things (IoT), self-driving cars, robot-aided surgeries

Table 4.1: Characteristics of Cellular Generations

Threats and Countermeasures

Following is a list of threats and countermeasures associated with the physical layer in the OSI model.

Technology: Unshielded Twisted Pair (UTP)
  Utilization: Relatively inexpensive network cable.
  Threats: Easiest to tap and disclose data. Disruption by electromagnetic interference (EMI) or radio frequency interference (RFI). Attenuation of signal begins at 100 meters or 328 feet.
  Countermeasures: Utilize STP or fiber optic cable to reduce EMI/RFI. Use repeaters and fiber optic cable to reduce issues with attenuation.
Technology: Shielded Twisted Pair (STP)
  Utilization: Provides greater protection against EMI/RFI.
  Threats: Degradation or loss of signal (attenuation) begins at 100 meters or 328 feet.
  Countermeasures: Use repeaters and fiber optic cable to reduce issues with attenuation.
Technology: Coaxial Cable
  Utilization: Heavier gauge and shielding provide more protection than STP against EMI/RFI and greater bandwidth.
  Threats: Cables can be difficult to manage.
  Countermeasures: Use fiber optic cable as an alternative.
Technology: Fiber Optic Cable
  Utilization: Provides the most protection against EMI/RFI and the highest bandwidth.
  Threats: Fiber optic taps can disclose data.
  Countermeasures: Use end-to-end encryption when required.
Technology: Bus Topology
  Utilization: Easily add a new node with negligible impact.
  Threats: Bus failure leaves the entire network inoperable. All nodes ‘listen’ to traffic along the bus.
  Countermeasures: Transition to star or mesh topology.
Technology: Star Topology
  Utilization: Fewer cables than full or partial mesh. Nodes can be easily added.
  Threats: Star device failure will leave connected nodes without access. All nodes connected to the star device can potentially listen to traffic on the device.
  Countermeasures: Restrict traffic data disclosure by means of smart port management.
Technology: Ring Topology
  Utilization: Deterministic traffic management.
  Threats: Single point of failure.
  Countermeasures: Use a dual ring such as fiber distributed data interface (FDDI).
Technology: Mesh Topology
  Utilization: All nodes have a backup connection to every other node in the network. Designed for high availability.
  Threats: Complex management of redundant cables and nodes may lead to loops of unintentional bypassing of access controls.
  Countermeasures: Use a partial mesh.
Technology: Bluetooth
  Utilization: Remote access and data sharing between devices.
  Threats: Deprecated versions allow unauthenticated access. Blueborne, Bluejacking, and other attacks allow unauthorized access to data.
  Countermeasures: Keep up with patching and security updates. Do not use in insecure public settings. Use Bluetooth 4.x and above devices with Security Mode 4 Level 4 FIPS-approved Advanced Encryption Standard (AES).
Technology: Cellular
  Utilization: Cell phones and other devices communicate globally.
  Threats: Spoofed femtocells facilitate a man-in-the-middle attack.
  Countermeasures: Require femtocell handset registration.

Table 4.2: OSI Layer 1: Physical Layer – Threats and Countermeasures

Module 3: OSI Layer 2: Data-Link Layer

Module Objectives
1. List the concepts and architecture that define the associated technology and implementation systems and protocols at Open Systems Interconnection (OSI) model layers 1–7. (Data-Link Layer)
2. Define related threats and select appropriate countermeasures for systems and protocols operating at Open Systems Interconnection (OSI) model layers 1–7. (Data-Link Layer)

Instructor note (PPT: OSI Layer 2: Data-Link Layer): Introduce the participants to the “OSI Layer 2: Data-Link Layer” module.
Instructor note (PPT: Module Objectives): Introduce the module objectives.



Official (ISC)2 CISSP Training Guide

Concepts and Architecture

OSI Layer 2: Data-Link Layer
The data-link layer prepares the packet that it receives from the network layer to be transmitted as frames on the network. This layer ensures that the information that it exchanges with its peers is error-free. If the data-link layer detects an error in a frame, it will request that its peer resend that frame. The data-link layer converts information from the higher layers into bits in the format that is expected for each networking technology, such as Ethernet, Token Ring, etc. Using hardware addresses, this layer transmits frames only to devices that are physically connected.

Instructor note (PPT: Concepts and Architecture): Discuss Data-Link Layer Concepts and Architecture.

There are two sublayers within the data-link layer:
• Media Access Control (MAC) Layer: At this layer, a 48-bit (12-digit hexadecimal) address is defined that represents the physical address “burned-in” or chemically etched into each Network Interface Card (NIC). The first three octets (MM:MM:MM or MM-MM-MM) are the ID number of the hardware manufacturer. Manufacturer ID numbers are assigned by the Institute of Electrical and Electronics Engineers (IEEE). The last three octets (SS:SS:SS or SS-SS-SS) make up the serial number for the device that is assigned by the manufacturer. The Ethernet and ATM technologies supported on devices use the MAC-48 address space. IPv6 uses the EUI-64 address space.
• Logical Link Control (LLC) Layer: This layer is concerned with sending frames to the next link on a local area network.

Instructor note (PPT: Technology and Implementation, 2 slides): Discuss Data-Link Layer Technology and Implementation.
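The MAC-48 split described above (manufacturer ID in the first three octets, vendor serial in the last three) and the MAC-48 to EUI-64 relationship, worked in code. This is an added Python example, not code from the guide; it assumes the two flag bits that the IEEE defines in the first octet (individual/group and universal/local) and the modified EUI-64 construction from RFC 4291, and the sample address is constructed.

```python
import re


def parse_mac(mac: str) -> bytes:
    """Accept MM:MM:MM:SS:SS:SS or MM-MM-MM-SS-SS-SS and return the six raw octets."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC-48 address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def describe_mac(mac: str) -> dict:
    """Split a MAC-48 into the IEEE-assigned manufacturer ID and the vendor serial,
    and report the two flag bits carried in the first octet."""
    raw = parse_mac(mac)
    first = raw[0]
    return {
        "oui": ":".join(f"{b:02X}" for b in raw[:3]),      # manufacturer ID (MM:MM:MM)
        "serial": ":".join(f"{b:02X}" for b in raw[3:]),   # device serial (SS:SS:SS)
        # I/G bit: 1 means a group (multicast or broadcast) address, never a single NIC
        "multicast": bool(first & 0x01),
        # U/L bit: 1 means the address was set in software rather than burned in,
        # so the OUI cannot be trusted to identify the manufacturer
        "locally_administered": bool(first & 0x02),
    }


def mac_to_modified_eui64(mac: str) -> str:
    """Derive the IPv6 modified EUI-64 interface identifier from a MAC-48:
    insert FF:FE between OUI and serial, then invert the U/L bit (RFC 4291)."""
    raw = parse_mac(mac)
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ":".join(f"{eui[i]:02x}{eui[i + 1]:02x}" for i in range(0, 8, 2))


if __name__ == "__main__":
    sample = "00:25:96:12:34:56"   # constructed sample address
    print(describe_mac(sample))
    print(mac_to_modified_eui64(sample))
```

The locally administered flag is the one to watch from a defensive standpoint: a burned-in address always has it clear, so a frame whose source MAC has it set was assigned by software on the sending host.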

Technology and Implementation


Protocols
Address Resolution Protocol (ARP)
Address Resolution Protocol (ARP) is used at the MAC layer to provide for
direct communication between two devices within the same LAN segment.
Sending devices will resolve IP addresses to MAC addresses of target
devices to communicate.

Fibre Channel over Ethernet (FCoE)

Fibre Channel is a high-speed serial interface using either optical or electrical connections (i.e., the physical layer) at data rates currently up to 2Gbits/s with a growth path to 10Gbits/s. FCoE is a lightweight encapsulation protocol and lacks the reliable data transport of the TCP layer. Therefore, FCoE must operate on DCB-enabled (Data Center Bridging) Ethernet and use lossless traffic classes to prevent Ethernet frame loss under congested network conditions. FCoE on a DCB network mimics the lightweight nature of native FC protocols and media. It does not incorporate TCP or even IP protocols. This means that FCoE is a layer 2 (non-routable) protocol just like FC. FCoE is only for short-haul communication within a data center.

Instructor note (PPT: Technology and Implementation, 2 slides, continued): Discuss Data-Link Layer Technology and Implementation.

Multiprotocol Label Switching (MPLS)
Multiprotocol Label Switching (MPLS) is a wide area networking protocol that operates at both layer 2 and layer 3 and does “label switching.” The first device does a routing lookup, just as in conventional IP forwarding, but instead of finding a next hop, it finds the final destination router, and it finds a predetermined path from “here” to that final router. The router applies a “label” based on this information. Subsequent routers use the label to forward the traffic without needing to perform any additional IP lookups. At the final destination router, the label is removed, and the packet is delivered via normal IP routing.
RFC 3031 defines the MPLS label switching architecture. These are the primary components of an MPLS network:
• MPLS Edge Node: an MPLS node that connects an MPLS domain with a node that is outside of the domain, either because it does not use MPLS and/or because it is in a different domain
• Label Switching Router (LSR): an MPLS node capable of forwarding native layer 3 packets
• Label Switch Path: the path through one or more LSRs at one level of the hierarchy followed by packets in a Forward Equivalence Path (FEC)
The 32-bit MPLS header is mapped as follows:
• 20-bit Label
• 3-bit Class of Service
• 1-bit Stack
• 8-bit TTL
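The 32-bit header layout listed above, packed and unpacked bit by bit. This is an added Python example, not code from the guide; it assumes the field order of RFC 3032 (label in the high 20 bits, then class of service, then the stack bit, which RFC 3032 defines as the bottom-of-stack indicator, then TTL), and it treats label values 0 through 15 as the special-purpose range that RFC 3032 reserves rather than as ordinary forwarding labels.

```python
SPECIAL_PURPOSE_LABEL_MAX = 15   # labels 0-15 are reserved/special-purpose (RFC 3032)


def pack_mpls_entry(label: int, cos: int, bottom_of_stack: bool, ttl: int) -> bytes:
    """Encode one 32-bit label stack entry: 20-bit label, 3-bit CoS, 1-bit S, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= cos < 8:
        raise ValueError("class of service must fit in 3 bits")
    if not 0 <= ttl < 256:
        raise ValueError("TTL must fit in 8 bits")
    word = (label << 12) | (cos << 9) | (int(bottom_of_stack) << 8) | ttl
    return word.to_bytes(4, "big")


def unpack_mpls_entry(data: bytes) -> dict:
    """Decode the four header bytes back into their fields."""
    if len(data) < 4:
        raise ValueError("a label stack entry is 4 bytes")
    word = int.from_bytes(data[:4], "big")
    return {
        "label": word >> 12,
        "cos": (word >> 9) & 0x7,
        "bottom_of_stack": bool((word >> 8) & 0x1),
        "ttl": word & 0xFF,
    }


def parse_label_stack(data: bytes) -> list:
    """Walk entries until the S bit marks the bottom; a stack with no bottom is malformed."""
    entries, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("label stack ends without a bottom-of-stack entry")
        entry = unpack_mpls_entry(data[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry["bottom_of_stack"]:
            return entries


def suspicious_entries(entries: list) -> list:
    """Defender check: special-purpose labels and a zero TTL deserve a second look."""
    findings = []
    for i, e in enumerate(entries):
        if e["label"] <= SPECIAL_PURPOSE_LABEL_MAX:
            findings.append(f"entry {i}: special-purpose label {e['label']}")
        if e["ttl"] == 0:
            findings.append(f"entry {i}: TTL 0")
    return findings


if __name__ == "__main__":
    stack = pack_mpls_entry(100, 0, False, 255) + pack_mpls_entry(200, 1, True, 255)
    for entry in parse_label_stack(stack):
        print(entry)
```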

Why Use MPLS?

• Implementing Traffic-Engineering: The ability to control where and how traffic is routed on your network, to manage capacity, prioritize different services, and prevent congestion.
• Implementing Multi-Service Networks: The ability to deliver data transport services, as well as IP routing services, across the same packet-switched network infrastructure.
• Improving Network Resiliency with MPLS Fast Reroute: Some organizations are choosing software-defined wide area networks (SD-WAN) as an alternative to MPLS. SD-WAN will be further developed in Domain 4 Module 9 in the Software Defined Networks section.

Instructor note (PPT: Technology and Implementation, 2 slides, continued): Discuss Data-Link Layer Technology and Implementation.

Point-to-Point Protocol (PPP)


The Point-to-Point Protocol (PPP) provides a standard method for transporting multiprotocol datagrams over point-to-point links. PPP consists of three main components:
1. A method for encapsulating multiprotocol datagrams
2. A Link Control Protocol (LCP) for establishing, configuring, and
testing the data-link connection
3. A family of Network Control Protocols (NCPs) for establishing and
configuring different network-layer protocols

Devices
Bridges
Bridges are layer 2 devices that filter traffic between segments based on
MAC addresses. In addition, they amplify signals to facilitate physically
larger networks. A basic bridge filters out frames that are destined for
another segment. Bridges can connect LANs with unlike media types,
such as connecting an Unshielded Twisted Pair (UTP) segment with a
segment that uses coaxial cable. Bridges do not reformat frames, such
as converting a Token Ring frame to Ethernet. This means that only
identical layer 2 architectures can relate to a simple bridge (e.g.,
Ethernet to Ethernet, etc.).
Network administrators can use translator bridges to connect dissimilar
layer 2 architectures, such as Ethernet to Token Ring. Other specialized
bridges filter outgoing traffic based on the destination MAC address.
Bridges do not prevent an intruder from intercepting traffic on the local segment. A common type of bridge for many organizations is a wireless bridge based upon one of the IEEE 802.11 standards. While wireless bridges offer compelling efficiencies, they can pose devastating security issues to organizations by effectively making all traffic crossing the bridge visible to anyone connected to the LAN.

Switches

The most common type of switches used today in the LAN operate at layer 2. A switch establishes a collision domain per port, enabling more efficient transmissions with CSMA/CD logic within Ethernet. Switches are the core device used today to build LANs. There are many security features offered within switches today, such as port blocking, port authentication, MAC filtering, and virtual local area networks (VLAN), to name a few. Layer 3 switches are switch/router combinations and are capable of making “switching decisions” based on either the MAC or IP address.

Instructor note (PPT: Technology and Implementation, 2 slides, continued): Discuss Data-Link Layer Technology and Implementation.

Virtual Local Area Networks (VLANs)


Virtual local area networks (VLANs) allow network administrators
to use switches to create software-based LAN segments that can
be defined based on factors other than physical location. Devices
that share a VLAN communicate through switches, without being
routed to other sub-networks, which reduces overhead due to
router latency (as routers become faster, this is less of an
advantage).
Furthermore, broadcasts are not forwarded outside of a VLAN,
which reduces congestion due to broadcasts. Because VLANs
are not restricted to the physical location of devices, they help
make networks easier to manage. When a user or group of
users changes their physical location, network administrators
can simply change the membership of ports within a VLAN.
Likewise, when additional devices must communicate with
members of a VLAN, it is easy to add new ports to a VLAN.
VLANs can be configured based on switch port, IP subnet,
MAC address, and protocols.
It is important to remember that VLANs do not guarantee a
network’s security. At first glance, it may seem that traffic
cannot be intercepted because communication within a VLAN
is restricted to member devices. However, there are attacks
that allow a malicious user to see traffic from other VLANs
(so-called VLAN hopping). Therefore, a VLAN can be created
so that engineers can efficiently share confidential documents,
but the VLAN does not significantly protect the documents
from unauthorized access.


Threats and Countermeasures

VLAN
  Utilization: Segmentation of network traffic to reduce congestion and contention while supporting prioritization and security management.
  Threat: MAC Flooding Attack: Switch is fed many Ethernet frames, each containing a different source MAC address, by the attacker. The intention is to consume the limited memory set aside in the switch to store the MAC address table.
  Countermeasure: Port Security, 802.1x, and Dynamic VLANs are three features that can be used to constrain the connectivity of a device based on its user’s login ID and based on the device’s own MAC layer identification.
  Threat: 802.1Q and Inter-Switch Link Protocol (ISL) Tagging Attack: User on one VLAN connects to another unauthorized VLAN via a Dynamic Trunking Protocol (DTP) link.
  Countermeasure: Follow simple configuration guidelines and commit to patching updates.
  Threat: Double-Encapsulated 802.1Q/Nested VLAN Attack: The 802.1Q extended format that allows the forwarding path to maintain VLAN isolation can also be used to launch an attack.
  Countermeasure: Clear native VLAN from all 802.1Q trunks. Make sure that the commands “switchport mode access” and “switchport no negotiate” are applied to all user-facing switch interfaces.

Address Resolution Protocol (ARP)
  Utilization: Resolves IP address to MAC address.
  Threat: ARP Attacks: By means of “poisoning” ARP tables, an attacker can pose as an intermediary system and accomplish a Man-In-the-Middle attack.
  Countermeasure: This type of attack can be prevented either by blocking the direct communication at layer 2 between the attacker and the attacked device or by embedding more intelligence into the network so that it can check the forwarded ARP packets for identity correctness.

Multicast
  Utilization: Supports one-to-many communication transmissions.
  Threat: Multicast Brute Force Attack: Storm of layer 2 multicast frames creating denial of service.
  Countermeasure: All traffic should be constrained to its own VLAN.

Spanning Tree Protocol
  Utilization: Maintains a loop-free switching environment.
  Threat: Spanning-Tree Attack: Attacker sends out STP frames claiming to be root bridge.
  Countermeasure: Do not allow port mirroring or monitoring of STP frames.

Table 4.3: OSI Layer 2: Data-Link Layer – Threats and Countermeasures
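The two checks the table recommends for the VLAN and ARP rows, “checking forwarded ARP packets for identity correctness” and refusing doubly tagged frames on user-facing (access) ports, implemented on raw frame bytes. This is an added Python example, not code from the guide; it assumes a table of known IP-to-MAC bindings of the kind a switch would learn or be configured with, the standard 802.1Q tag layout (TPID 0x8100 or 0x88A8 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), and the 28-byte Ethernet/IPv4 ARP format; all frames in the test are constructed.

```python
import struct

ETH_P_8021Q = 0x8100    # customer VLAN tag
ETH_P_8021AD = 0x88A8   # service-provider tag used when tags are stacked
ETH_P_ARP = 0x0806
ARP_REPLY = 2


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet (28-byte RFC 826 layout)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", payload[:8])
    return {
        "op": op,
        "sender_mac": fmt_mac(payload[8:14]),
        "sender_ip": ".".join(map(str, payload[14:18])),
        "target_mac": fmt_mac(payload[18:24]),
        "target_ip": ".".join(map(str, payload[24:28])),
    }


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header, peel every stacked VLAN tag, decode ARP if present."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = fmt_mac(frame[:6]), fmt_mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlans = 14, []
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)      # low 12 bits of the TCI carry the VLAN ID
        offset += 4
    arp = parse_arp(frame[offset:]) if ethertype == ETH_P_ARP else None
    return {"dst": dst, "src": src, "vlans": vlans, "ethertype": ethertype, "arp": arp}


def inspect_frame(frame: bytes, access_port: bool, bindings: dict) -> list:
    """Policy findings a switch-side inspector would raise for one received frame."""
    p = parse_frame(frame)
    findings = []
    if access_port and len(p["vlans"]) > 1:
        findings.append(f"double-tagged frame on access port (tags {p['vlans']})")
    arp = p["arp"]
    if arp and arp["op"] == ARP_REPLY:
        if arp["sender_mac"] != p["src"]:
            findings.append("ARP sender MAC differs from Ethernet source MAC")
        expected = bindings.get(arp["sender_ip"])
        if expected is not None and expected != arp["sender_mac"]:
            findings.append(f"ARP reply binds {arp['sender_ip']} to {arp['sender_mac']}, expected {expected}")
    return findings


def build_arp_reply(src_mac, dst_mac, sender_ip, target_mac, target_ip, vlans=()):
    """Constructed test frame: Ethernet header, zero or more 802.1Q tags, then an ARP
    reply whose sender hardware address equals the Ethernet source (the normal case)."""
    header = mac_bytes(dst_mac) + mac_bytes(src_mac)
    for vid in vlans:
        header += struct.pack("!HH", ETH_P_8021Q, vid)   # TPID, then TCI with priority 0
    header += struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(src_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return header + arp
```

On a trunk port a second tag is legitimate, so the double-tag finding is keyed to the port role; the binding check is the same comparison a dynamic ARP inspection feature makes against its trusted binding table.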


Module 4: OSI Layer 3: Network Layer

Module Objectives
1. List the concepts and architecture that define the associated technology and implementation systems and protocols at Open Systems Interconnection (OSI) model layers 1–7. (Network Layer)
2. Define related threats and select appropriate countermeasures for systems and protocols operating at Open Systems Interconnection (OSI) model layers 1–7. (Network Layer)

Instructor note (PPT: OSI Layer 3: Network Layer): Introduce the participants to the “OSI Layer 3: Network Layer” module.
Instructor note (PPT: Module Objectives): Introduce the module objectives.


Concepts and Architecture

The network layer moves data between networks as packets by means of logical addressing schemes.

Instructor note (PPT: Concepts and Architecture): Discuss Network Layer Concepts and Architecture.

Unicast, Multicast, and Broadcast Transmissions
In many cases, computer transmission methodology reflects some of the norms that happen in a verbal conversation. Typically, if you want to have a private conversation with an individual, you will take that person aside and speak one-to-one. A unicast is a one-to-one communication between hosts. If you need to let a group within a crowd of people know about a matter, you can open your announcement with a relevant statement to capture that group’s attention within the crowd. A multicast is a one-to-many communication between hosts. If there is something that everyone within a crowd of people should know, such as the need to escape a fire, you wouldn’t walk up to each individual and tell them one at a time; you would shout it out for all to hear. A broadcast is a one-to-all communication between hosts.
A host can send a broadcast to everyone on its network or sub-network. Depending on the network topology, the broadcast could have anywhere from one to tens of thousands of recipients. Like a person standing on a soapbox, this is a noisy method of communication. Typically, only one or two destination hosts are interested in the broadcast; the other recipients waste resources to process the transmission. However, there are productive uses for broadcasts. Consider a router that knows a device’s IP address but must determine the device’s media access control (MAC) address. The router will broadcast an Address Resolution Protocol (ARP) request asking for the device’s MAC address.
Multicasting was designed to deliver a stream to only interested hosts. Radio broadcasting is a typical analogy for multicasting. To select a specific radio show, you tune a radio to the broadcasting station. Likewise, to receive a desired multicast, you join the corresponding multicast group. Multicast agents are used to route multicast traffic over networks and administer multicast groups.
Each network and sub-network that supports multicasting must have at least one multicast agent. Hosts use Internet Group Management Protocol (IGMP) to tell a local multicast agent that they want to join a specific multicast group. Multicast agents also route multicasts to local hosts that are members of the multicast’s group and relay multicasts to neighboring agents. When a host wants to leave a multicast group, it sends an IGMP message to a local multicast agent. Multicasts do not use reliable sessions; therefore, the multicasts are transmitted as best effort with no guarantee that datagrams are received.

Technology and Implementation

Protocols

Internet Protocol (IPv4) Networking

The Internet Protocol (IP) is the dominant protocol that operates at the OSI Network Layer 3. IP is responsible for addressing packets so that they can be transmitted from the source to the destination hosts. Because it is an unreliable protocol, it does not guarantee delivery. IP will subdivide the message into fragments when they are too large for a packet. Hosts are distinguished by their IP addresses. The address is expressed as four octets separated by a dot (.), for example, 216.12.146.140. Each octet may have a value between 0 and 255. However, 0 and 255 are not used for hosts. 255 is used for broadcast addresses, and the meaning of 0 depends on the context in which it is used. Each address is subdivided into two parts: the network number and the host. The network number, assigned by an external organization such as the Internet Corporation for Assigned Names and Numbers (ICANN), represents the organization’s network. The host represents the network interface within the network. The part of the address that represents the network number defines the network’s class. A Class A network uses the leftmost octet as the network number, Class B uses the leftmost two octets, etc.
The part of the address that is not used as the network number is used to specify the host. For example, the address 216.12.146.140 represents a Class C network. Therefore, the network portion of the address is represented by 216.12.146, and the unique host address within the network block is represented by 140. The Class A network address block 127 is reserved for a computer’s loopback address. Usually, the address 127.0.0.1 is used. The loopback address is used to provide a mechanism for self-diagnosis and troubleshooting at the machine level. This mechanism allows a network administrator to treat a local machine as if it were a remote machine, and ping the network interface to establish whether it is operational.
To ease network administration, networks are typically subdivided into subnets. Because subnets cannot be distinguished with the addressing scheme discussed so far, a separate mechanism, the subnet mask, is used to define the part of the address that is used for the subnet. Bits in the subnet mask are 1 when the corresponding bits in the address are used for the subnet. The remaining bits in the mask are 0. For example, if the leftmost three octets (24 bits) are used to distinguish subnets, the subnet mask is 11111111 11111111 11111111 00000000. A string of 32 1s and 0s is very unwieldy, so the mask is usually converted to decimal notation: 255.255.255.0. Alternatively, the mask is expressed with a slash (/) followed by the number of 1s in the mask. The above mask would be written as /24.

Instructor note (PPT: Technology and Implementation, 2 slides): Discuss Network Layer Technology and Implementation.
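The classful split, the subnet mask and the slash notation from the passage above, carried out on the guide’s own example address 216.12.146.140. This is an added Python example, not code from the guide; it does the bit arithmetic by hand rather than using a library so each step matches the text (class from the leading octet, mask from the prefix length, network and host parts from the mask). The classful prefix lengths for A, B and C (8, 16, 24) and the loopback block 127 follow the passage; everything else is generic.

```python
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def parse_ipv4(text: str) -> int:
    """Dotted-quad string to a 32-bit integer, rejecting anything that is not four octets 0-255."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for o in octets:
        if not o.isdigit() or not 0 <= int(o) <= 255:
            raise ValueError(f"octet out of range: {o!r}")
        value = (value << 8) | int(o)
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(addr: int) -> str:
    """Classful category from the leading bits of the first octet."""
    first = addr >> 24
    if first < 128:
        return "A"      # leading bit 0
    if first < 192:
        return "B"      # leading bits 10
    if first < 224:
        return "C"      # leading bits 110
    if first < 240:
        return "D"      # leading bits 1110 (multicast)
    return "E"          # reserved


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: `prefix` ones from the left, zeros for the host part."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: int) -> int:
    """255.255.255.0 -> 24; a mask whose ones are not contiguous is rejected."""
    prefix = bin(mask).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError(f"non-contiguous subnet mask {to_dotted(mask)}")
    return prefix


def describe_ipv4(text: str, prefix: int = None) -> dict:
    """Network, broadcast and host portion for an address, classful unless a prefix is given."""
    addr = parse_ipv4(text)
    cls = address_class(addr)
    if prefix is None:
        if cls not in CLASSFUL_PREFIX:
            raise ValueError(f"class {cls} addresses have no classful host part")
        prefix = CLASSFUL_PREFIX[cls]
    mask = prefix_to_mask(prefix)
    network = addr & mask
    return {
        "class": cls,
        "prefix": prefix,
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(network | (~mask & 0xFFFFFFFF)),
        "host_part": addr & (~mask & 0xFFFFFFFF),
        "usable_hosts": max(2 ** (32 - prefix) - 2, 0),   # network and broadcast excluded
        "loopback": (addr >> 24) == 127,
    }


if __name__ == "__main__":
    print(describe_ipv4("216.12.146.140"))
    print(describe_ipv4("216.12.146.140", prefix=26))
```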

Internet Protocol (IPv6) Networking

IPv6 is a modernization of IPv4 that includes the following:
• A much larger address field: IPv6 addresses are 128 bits, which supports 2^128 hosts. Suffice it to say that we will not run out of addresses.
• Improved security: IPSec can be implemented in IPv6. This will help ensure the integrity and confidentiality of IP packets and allow communicating partners to authenticate with each other.
• Improved quality of service (QoS): This will help services obtain an appropriate share of a network’s bandwidth.

Instructor note (PPT: Technology and Implementation, 2 slides, continued): Discuss Network Layer Technology and Implementation.

Internet Control Message Protocol (ICMP)


The ICMP is used for the exchange of control messages between hosts
and gateways and is used for diagnostic tools such as ping and
traceroute. ICMP can be leveraged for malicious behavior, including
man-in-the-middle and denial-of-service attacks.

Internet Group Management Protocol (IGMP)


IGMP is used to manage multicasting groups that are a set of
hosts anywhere on a network that are listening for a transmission.
Multicast agents administer multicast groups, and hosts send IGMP
messages to local agents to join and leave groups.

Open Shortest Path First (OSPF) versions 1, 2, and 3


Open Shortest Path First (OSPF) is an interior gateway routing protocol
developed for IP networks based on the shortest path first or link-state
algorithm. A link-state algorithm can keep track of a total “cost” to calculate
the most efficient way of moving information from a source to destination.
While a distance vector protocol, such as Routing Information Protocol (RIP),
will basically use the number of hops or count of links between networks to
determine the best path, a link-state algorithm can surmise the most
efficient path by knowing the connecting speed, congestion of the link,
availability of the link, and the total hops to determine what might be the
best path. A longer hop count could be the shortest path if all other
measurements are superior to a path with a shorter hop count.
Routers use link-state algorithms to send routing information to all nodes in an internetwork by calculating the shortest path to each node based on a topography of the internet constructed by each node. Each router sends that portion of the routing table (which keeps track of routes to network destinations) that describes the state of its own links, and it also sends the complete routing structure (topography). The advantage of shortest path first algorithms is that their use results in smaller, more frequent updates everywhere. They converge quickly, thus preventing such problems as routing loops and Count-to-Infinity (when routers continuously increment the hop count to a network). The disadvantage of shortest path first algorithms is that they require substantial amounts of CPU power and memory.

Instructor note (PPT: Technology and Implementation, 2 slides, continued): Discuss Network Layer Technology and Implementation.
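The point made in the OSPF passage, that a link-state computation can prefer a path with more hops when its total cost is lower, shown side by side with a pure hop-count choice. This is an added Python example, not code from the guide; it assumes a small constructed topology in which two serial links of cost 100 compete with three links of cost 1, and it uses Dijkstra’s algorithm for the link-state case and breadth-first search for the hop-count case.

```python
import heapq
from collections import deque
from math import inf


def shortest_path_first(graph: dict, src: str, dst: str):
    """Dijkstra over link costs: the computation a link-state protocol such as OSPF runs."""
    dist, prev = {src: 0}, {}
    heap, done = [(0, src)], set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, cost in graph[node].items():
            if d + cost < dist.get(nbr, inf):
                dist[nbr], prev[nbr] = d + cost, node
                heapq.heappush(heap, (d + cost, nbr))
    if dst not in dist:
        return None, inf
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


def fewest_hops(graph: dict, src: str, dst: str):
    """Breadth-first search: the path a pure hop-count metric (RIP-style) selects."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nbr in graph[node]:
            if nbr not in prev:
                prev[nbr] = node
                queue.append(nbr)
    if dst not in prev:
        return None, inf
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], len(path) - 1


# Constructed topology: the cost stands in for OSPF's bandwidth-derived metric, so the
# two-hop route over slow links (100 each) is worse than three fast links (1 each).
TOPOLOGY = {
    "A": {"B": 100, "C": 1},
    "B": {"A": 100, "D": 100},
    "C": {"A": 1, "E": 1},
    "D": {"B": 100, "E": 1},
    "E": {"C": 1, "D": 1},
}

if __name__ == "__main__":
    print("link-state:", shortest_path_first(TOPOLOGY, "A", "D"))
    print("hop-count: ", fewest_hops(TOPOLOGY, "A", "D"))
```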

Devices
Routers
Routers route packets to other networks and are commonly referred to as the Gateway. They read the IP destination in received packets and, based on the router’s view of the network, determine the next device on the network (the next hop) to which to send the packet. If the destination address is not on a network that is directly connected to the router, it will send the packet to the gateway of last resort, another connected router, and rely on that router to establish a path. Routers can be used to interconnect different technologies and change the architecture. For example, connecting Token Ring and Ethernet networks to the same router would allow IP Ethernet packets to be forwarded to a Token Ring network.
Routers are most commonly used today to connect LANs to
WANs. To build a network, you need switches for the LAN and a
router to connect the LAN to the WAN. The most basic security
that can be performed at layer 3 on a router is an access control
list (ACL) that can define permitted and denied source and
destination addresses and ports or services.

Firewalls
Routers and firewalls are devices that enforce administrative
security policies by filtering incoming traffic based on a set of rules.
While a firewall should always be placed at internet gateways, there
are also internal network considerations and conditions where a
firewall would be employed, such as network zoning. Additionally,
firewalls are also threat management appliances with a variety of
other security services embedded, such as proxy services and
intrusion prevention services (IPS) that seek to monitor and alert
proactively at the network perimeter. The types of firewall are
further addressed in Domain 4 Module 10.

Threats and Countermeasures

Firewall
  Utilization: Prevent unauthorized access to network resources.
  Threats: Skilled hackers, misconfigured devices, version/release/update level vulnerabilities.
  Countermeasures: Schedule and install regular updates and patches. Provide proper training for configuration, maintenance, and operation.

Router
  Utilization: Transmits packets between discrete networks.
  Threats: Undesired receipt or transmission of data between networks.
  Countermeasures: Create ACL on router interface to allow or deny IP addresses and services. Augment protection with firewalls, Intrusion Detection and Intrusion Prevention Devices.

ICMP
  Utilization: Verify that a system running IP is responsive.
  Threat: Smurf: ICMP Echo Request sent to the network broadcast address of a spoofed victim causing all nodes to respond to the victim with an Echo Reply.
  Countermeasure: Disable ICMP Echo Request on Network.
  Threat: Traceroute Exploitation: Traceroute is a diagnostic tool that displays the path a packet traverses between a source and destination host. Traceroute can be used maliciously to map a victim network and learn about its routing.
  Countermeasure: Disable node enabled deterministic route path; “no ip source-route.”
  Threat: Ping of Death: Exceeds maximum packet size and causes receiving system to fail.
  Countermeasure: Redundant and diverse network paths to provide for availability during attack. Disable ICMP Echo Request on Network.
  Threat: Ping Scanning: Network mapping technique to detect if a host replies to a ping; if it does, the attacker knows that a host exists at that address.
  Countermeasure: Disable ICMP Echo Request on Network.

IP Fragmentation
  Utilization: Designed to allow units of information to be disassembled or fragmented with the benefit of being delivered in smaller units.
  Threat: Tear Drop Attack: Exploits the reassembly of fragmented IP packets in the fragment offset field that indicates the starting position, or offset, of the data contained in a fragmented packet relative to the data of the original unfragmented packet. System crashes with accumulation of multiple malformed packets.
  Countermeasure: Host OS and routers have patching that inspects discrepancy in fragment offset and drops malformed fragment packets.

Table 4.4: OSI Layer 3: Network Layer – Threats and Countermeasures
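Detection logic for the ICMP and IP Fragmentation rows of the table, run over a constructed packet capture: Echo Requests aimed at a directed-broadcast address (the Smurf pattern), one source pinging many distinct hosts (ping scanning), fragments whose offsets overlap (the Tear Drop discrepancy the countermeasure column describes), and a reassembled datagram larger than the 65535-byte IPv4 maximum (Ping of Death). This is an added Python example, not code from the guide; packets are plain dictionaries, fragment offsets are given in bytes (the IP header stores them in 8-byte units), and the sweep threshold of eight distinct targets is an assumed tuning value.

```python
from collections import defaultdict

ECHO_REQUEST = 8
MAX_IP_DATAGRAM = 65535


def find_broadcast_echo(packets: list, broadcast_addrs: set) -> list:
    """Echo Requests aimed at a directed-broadcast address: the Smurf amplification pattern."""
    return [p for p in packets
            if p.get("icmp_type") == ECHO_REQUEST and p["dst"] in broadcast_addrs]


def find_ping_sweeps(packets: list, min_targets: int = 8) -> dict:
    """Sources whose Echo Requests reach at least `min_targets` distinct hosts (ping scanning)."""
    targets = defaultdict(set)
    for p in packets:
        if p.get("icmp_type") == ECHO_REQUEST:
            targets[p["src"]].add(p["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def check_fragments(packets: list) -> dict:
    """Reassembly sanity check per (src, dst, ip_id): 'overlap' when a fragment starts
    inside data already covered (Tear Drop), 'oversized' when the reassembled datagram
    would exceed 65535 bytes (Ping of Death). Offsets are byte offsets."""
    groups = defaultdict(list)
    for p in packets:
        if "frag_offset" in p:
            groups[(p["src"], p["dst"], p["ip_id"])].append((p["frag_offset"], p["length"]))
    verdicts = {}
    for key, frags in groups.items():
        frags.sort()
        problems, end = set(), 0
        for offset, length in frags:
            if offset < end:
                problems.add("overlap")
            end = max(end, offset + length)
        if end > MAX_IP_DATAGRAM:
            problems.add("oversized")
        verdicts[key] = sorted(problems)
    return verdicts


def constructed_capture() -> list:
    """Constructed sample packets, not real traffic."""
    pkts = [{"src": "10.0.0.7", "dst": "10.0.0.255", "icmp_type": 8}]          # echo to broadcast
    pkts += [{"src": "10.0.0.9", "dst": f"10.0.1.{i}", "icmp_type": 8} for i in range(1, 21)]
    pkts += [{"src": "10.0.0.3", "dst": "10.0.0.1", "icmp_type": 8}]           # ordinary ping
    # datagram 1: second fragment starts inside the first
    pkts += [{"src": "10.0.0.4", "dst": "10.0.0.1", "ip_id": 1, "frag_offset": 0, "length": 1480},
             {"src": "10.0.0.4", "dst": "10.0.0.1", "ip_id": 1, "frag_offset": 1000, "length": 480}]
    # datagram 2: final fragment pushes the reassembled size past 65535
    pkts += [{"src": "10.0.0.5", "dst": "10.0.0.1", "ip_id": 2, "frag_offset": 0, "length": 1480},
             {"src": "10.0.0.5", "dst": "10.0.0.1", "ip_id": 2, "frag_offset": 65120, "length": 1480}]
    # datagram 3: well-formed pair of fragments
    pkts += [{"src": "10.0.0.6", "dst": "10.0.0.1", "ip_id": 3, "frag_offset": 0, "length": 1480},
             {"src": "10.0.0.6", "dst": "10.0.0.1", "ip_id": 3, "frag_offset": 1480, "length": 100}]
    return pkts


if __name__ == "__main__":
    capture = constructed_capture()
    print(find_broadcast_echo(capture, {"10.0.0.255"}))
    print(find_ping_sweeps(capture))
    print(check_fragments(capture))
```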


Module 5: OSI Layer 4: Transport Layer

Module Objectives
1. List the concepts and architecture that define the associated technology and implementation systems and protocols at Open Systems Interconnection (OSI) model layers 1–7. (Transport Layer)
2. Define related threats and select appropriate countermeasures for systems and protocols operating at Open Systems Interconnection (OSI) model layers 1–7. (Transport Layer)

Instructor note (PPT: OSI Layer 4: Transport Layer): Introduce the participants to the “OSI Layer 4: Transport Layer” module.
Instructor note (PPT: Module Objectives): Introduce the module objectives.


Concepts and Architecture

The transport layer delivers end-to-end services through segments transmitted in a stream of data and controls streams of data to relieve congestion through elements that include quality of service (QoS).

Instructor note (PPT: Concepts and Architecture): Discuss Transport Layer Concepts and Architecture.

Technology and Implementation

The Transport Layer

Transmission Control Protocol (TCP)
The Transmission Control Protocol (TCP) provides connection-oriented data management and reliable data transfer.

User Datagram Protocol (UDP)
UDP provides connectionless data transfer without error detection and correction. UDP uses port numbers in a similar fashion to TCP. As a connectionless protocol, UDP is useful for attacks because there is no state for routers or firewalls to observe and monitor.

Instructor note (PPT: Concepts and Architecture, 2 slides): Discuss Transport Layer.

TCP and User Datagram Protocol (UDP) Ports

TCP and User Datagram Protocol (UDP) map data types using port numbers associated with services. For example, web traffic (HTTP) is port 80, and secure web traffic (HTTPS) is port 443. UDP uses port numbers in a similar fashion to TCP.
Well-Known Ports: Ports 0–1023
• These ports are related to the common protocols that are utilized in the underlying management of the Transport Control Protocol/Internet Protocol (TCP/IP) system (Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), etc.).
Registered Ports: Ports 1024–49151
• These ports typically accompany non-system applications associated with vendors and developers.
Dynamic or Private Ports: Ports 49152–65535
• Whenever a service is requested that is associated with Well-Known or Registered Ports, those services will respond with a dynamic port.


Threats and Countermeasures

Attacks on the transport layer of the Open Systems Interconnection (OSI) model (layer 4) seek to manipulate, disclose, or prevent delivery of the payload. This can, for instance, happen by reading the payload (as would happen in a sniffer attack) or changing it (which could happen in a man-in-the-middle attack). While disruptions of service can be executed at other layers as well, the transport layer has become a common attack ground via ICMP.

Instructor note (PPT: Threats and Countermeasures): Discuss Transport Layer Threats and Countermeasures.

Transport Control Protocol (TCP)
  Utilization: Connection-oriented reliable connection transmission.
  Threat: SYN Flood: Send request to synchronize with a remote host with a bogus source address. Create half-open TCP connections exhausting resources on the victim to make legitimate connections.
  Countermeasures: Protocol anomaly IPS will detect half-open connections that do not comply with RFC behavior. Deep packet inspection will detect the attack.

UDP Broadcast
  Utilization: Used to message all systems on a network with a single broadcast.
  Threat: Fraggle: ICMP Echo Request sent to the network broadcast address of a spoofed victim causing all nodes to respond to the victim with an Echo Reply. (Same as Smurf but utilizes UDP port 7.)
  Countermeasures: Do not allow router to forward request to network directed broadcast address.

Table 4.5: OSI Layer 4: Transport Layer – Threats and Countermeasures
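The half-open connection tracking that the SYN Flood countermeasure relies on, replayed over a constructed TCP segment list: the tracker follows each four-tuple through SYN, SYN-ACK and the final ACK, and reports connections that stay in SYN_RECEIVED past a timeout, grouped by server socket. This is an added Python example, not code from the guide; segments are plain dictionaries carrying the TCP flag bits, the 10-second timeout is an assumed tuning value, and the spoofed sources in the sample come from the 198.51.100.0/24 documentation range.

```python
from collections import Counter

SYN, ACK, RST, FIN = 0x02, 0x10, 0x04, 0x01


def track_connections(packets: list) -> dict:
    """Replay TCP segments and return the state of every client->server 4-tuple seen.
    Each packet is a dict with t, src, dst, sport, dport and flags (TCP flag bits)."""
    state = {}   # (client, server, client_port, server_port) -> (state, last_time)
    for p in packets:
        f = p["flags"]
        fwd = (p["src"], p["dst"], p["sport"], p["dport"])   # client -> server direction
        rev = (p["dst"], p["src"], p["dport"], p["sport"])   # server -> client direction
        if f & SYN and not f & ACK:
            state[fwd] = ("SYN_SENT", p["t"])
        elif f & SYN and f & ACK and rev in state:
            state[rev] = ("SYN_RECEIVED", p["t"])      # server has allocated a half-open slot
        elif f & (RST | FIN):
            state.pop(fwd, None)                        # either side tearing down
            state.pop(rev, None)
        elif f & ACK and state.get(fwd, ("",))[0] == "SYN_RECEIVED":
            state[fwd] = ("ESTABLISHED", p["t"])        # third step of the handshake
    return state


def half_open_report(packets: list, now: float, timeout: float = 10.0) -> dict:
    """Half-open connections older than `timeout`, counted per server socket, plus the
    number of distinct clients behind them. Many stale half-opens on one server socket
    from many clients is the SYN-flood signature; a few from one client is not."""
    state = track_connections(packets)
    stale = [k for k, (s, t) in state.items() if s == "SYN_RECEIVED" and now - t > timeout]
    per_server = Counter((dst, dport) for (_, dst, _, dport) in stale)
    distinct_clients = len({src for (src, _, _, _) in stale})
    return {"per_server": dict(per_server), "distinct_clients": distinct_clients}


def constructed_capture() -> list:
    """Constructed sample: 50 spoofed SYNs that never complete, plus two real handshakes."""
    pkts = []
    for i in range(50):
        c, sp = f"198.51.100.{i + 1}", 40000 + i
        pkts.append({"t": 1.0 + i * 0.01, "src": c, "dst": "10.0.0.5", "sport": sp, "dport": 443, "flags": SYN})
        pkts.append({"t": 1.0 + i * 0.01 + 0.001, "src": "10.0.0.5", "dst": c, "sport": 443, "dport": sp, "flags": SYN | ACK})
    for i, c in enumerate(["10.0.0.20", "10.0.0.21"]):
        sp = 50000 + i
        pkts.append({"t": 2.0, "src": c, "dst": "10.0.0.5", "sport": sp, "dport": 443, "flags": SYN})
        pkts.append({"t": 2.01, "src": "10.0.0.5", "dst": c, "sport": 443, "dport": sp, "flags": SYN | ACK})
        pkts.append({"t": 2.02, "src": c, "dst": "10.0.0.5", "sport": sp, "dport": 443, "flags": ACK})
    return pkts


if __name__ == "__main__":
    print(half_open_report(constructed_capture(), now=30.0))
```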


Module 6: OSI Layer 5: Session Layer

Module Objectives
1. List the concepts and architecture that define the associated technology and implementation systems and protocols at Open Systems Interconnection (OSI) model layers 1–7. (Session Layer)
2. Define related threats and select appropriate countermeasures for systems and protocols operating at Open Systems Interconnection (OSI) model layers 1–7. (Session Layer)

Instructor note (PPT: OSI Layer 5: Session Layer): Introduce the participants to the “OSI Layer 5: Session Layer” module.
Instructor note (PPT: Module Objectives): Introduce the module objectives.


Concepts and Architecture

The session layer provides a logical persistent connection between peer hosts. The session layer is responsible for creating, maintaining, and tearing down the session.

Instructor note (PPT: Concepts and Architecture): Discuss Session Layer Concepts and Architecture.

Technology and Implementation

Session layer protocols include the following:
• PAP – Password Authentication Protocol
• PPTP – Point-to-Point Tunneling Protocol
• RPC – Remote Procedure Call protocol

RPCs represent the ability to allow for the executing of objects across hosts, with a client sending a set of instructions to an application residing on a different host on the network. It is important to note that RPC does not in fact provide any services on its own; instead, it provides a brokering service by providing (basic) authentication and a way to address the actual service.

Instructor note (PPT: Technology and Implementation): Discuss Session Layer Technology and Implementation.

Threats and Countermeasures
ISO 7498-2 specifies that no security services are provided in the session layer; therefore, it is imperative to address vulnerabilities revealed in the session layer by applying security services either above or below the session layer. A common methodology is to secure risky protocols that are still needed by means of encryption.

Instructor note (PPT: Threats and Countermeasures): Discuss Session Layer Threats and Countermeasures.

Module 6: OSI Layer 5: Session Layer 369


Official (ISC)2 CISSP Training Guide

Notes
Module 7: OSI Layer 6: Presentation Layer

PPT: OSI Layer 6: Presentation Layer. Introduce the participants to the “OSI Layer 6: Presentation Layer” module.

Module Objectives
1. List the concepts and architecture that define the associated technology and implementation systems and protocols at Open Systems Interconnection (OSI) model layers 1–7. (Presentation Layer)
2. Define related threats and select appropriate countermeasures for systems and protocols operating at Open Systems Interconnection (OSI) model layers 1–7. (Presentation Layer)

PPT: Module Objectives. Introduce the module objectives.


Concepts and Architecture

The presentation layer ensures that communications delivered between sending and receiving computer systems are in a common and discernible system format.

PPT: Concepts and Architecture. Discuss Presentation Layer Concepts and Architecture.

Technology and Implementation

Translation Services
To provide a reliable syntax, systems processing at the presentation layer will use American Standard Code for Information Interchange (ASCII) or Extended Binary Coded Decimal Interchange Code (EBCDIC) to translate from Unicode. In 2016 the W3C Internationalization Working Group estimated that 86 percent of all web pages sampled showed that they are using UTF-8 Unicode character encoding. It further states, “Not only are people using UTF-8 for their pages, but Unicode encodings are the basis of the Web itself. All browsers use Unicode internally, and convert all other encodings to Unicode for processing. As do all search engines. All modern operating systems also use Unicode internally. It has become part of the fabric of the Web.”
Translation services are also necessary when considering that different computer platforms (Macintosh and Windows personal computers) may exist within the same network and could be sharing data. The presentation layer is needed to translate the output from unlike systems to similar formats.

Conversion and Compression Services
Data conversion or bit order reversal and compression are other functions of the presentation layer. As an example, MPEG-1 Audio Layer-3 (MP3) is a standard audio encoding and compression algorithm that creates a file with a bitrate of 128 kbit/s. The Waveform Audio File Format (WAVE) with a Linear PCM bitstream is another standard audio encoding and compression format that creates a file with a bitrate of 44.1 kHz. The compression for both formats is accomplished at the presentation layer. If a tool is used to convert one format into another, this is also accomplished at the presentation layer.

Encoding
Encryption services such as TLS/SSL are managed below, above, and within the presentation layer. At times, the encoding capabilities that are resident at the presentation layer are inappropriately conflated with a specific set of cryptographic services. Abstract Syntax Notation (ASN.1) is an ISO standard that addresses the issue of representing, encoding, transmitting, and decoding data structures. The transfer of data entities between two points of communication could appear nonsensical, or even encrypted, to a nonparticipating (eavesdropping) third party that was not aware of the standard being used in transmission.

PPT: Technology and Implementation (continued). Discuss Presentation Layer Technology and Implementation.

PPT: Threats and Countermeasures. Discuss Presentation Layer Threats and Countermeasures.
Threats and Countermeasures

Technology: Unicode
Utilization: Common presentation of data.
Threats: A web application that has restricted directories or files (e.g., a file containing application usernames: appusers.txt). An attacker can encode the character sequence “../” (Path Traversal Attack) using Unicode format and attempt to access the protected resource (OWASP).
Countermeasures: Input security filter mechanism to refuse any request containing the “../” sequence, thus blocking the attack (OWASP). The W3C strongly recommends that content authors should only use the UTF-8 encoding for their documents. This is partly to avoid the security risks associated with some encodings but also to ensure world-wide usability of web pages.

Table 4.6: OSI Layer 6: Presentation Layer – Threats and Countermeasures
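The countermeasure in Table 4.6 only works if the filter sees the request after decoding: a check for the literal “../” on the raw string is defeated by percent-encoded, double-encoded, overlong-UTF-8 or fullwidth spellings of the same characters. The following is an added example (not from the guide or OWASP) of an input filter that canonicalizes first and then confines the result to the web root; the web root path and the decode-round limit are assumptions.

```python
import os
import unicodedata
from urllib.parse import unquote_to_bytes

# Assumed web root for the example; the application may serve only files beneath it.
WEB_ROOT = os.path.realpath("/srv/app/public")
MAX_DECODE_ROUNDS = 3  # double/triple percent-encoding is a common evasion


def canonicalize(raw):
    """Percent-decode repeatedly, decode as strict UTF-8 and apply NFKC.

    Returns None when the bytes are not valid UTF-8. That is how overlong forms
    such as %c0%ae (an illegal spelling of '.') are rejected: Python's strict
    decoder refuses them instead of quietly mapping them to the ASCII character.
    """
    current = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded_bytes = unquote_to_bytes(current)
        try:
            decoded = decoded_bytes.decode("utf-8")   # strict: overlong/invalid -> error
        except UnicodeDecodeError:
            return None
        if decoded == current:                        # nothing left to decode
            break
        current = decoded
    # NFKC folds compatibility characters (e.g. fullwidth '.' and '/') to ASCII,
    # so a look-alike traversal sequence becomes a literal "../" before the check.
    return unicodedata.normalize("NFKC", current)


def is_safe_path(requested, web_root=WEB_ROOT):
    """True only if the canonicalized request resolves inside web_root."""
    canonical = canonicalize(requested)
    if canonical is None or "\x00" in canonical:
        return False
    # Apply the "../" rule to the canonical form, not the raw request.
    if ".." in canonical.replace("\\", "/").split("/"):
        return False
    # Defence in depth: resolve the path and confirm it did not escape the root.
    target = os.path.realpath(os.path.join(web_root, canonical.lstrip("/\\")))
    return target == web_root or target.startswith(web_root + os.sep)
```

The same function rejects `../appusers.txt`, its percent-encoded and double-encoded forms, the overlong `%c0%ae` spelling and the fullwidth `．．` spelling, while still allowing ordinary paths under the root.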

Module 8: OSI Layer 7: Application Layer

PPT: OSI Layer 7: Application Layer. Introduce the participants to the “OSI Layer 7: Application Layer” module.

Module Objectives
1. List the concepts and architecture that define the associated technology and implementation systems and protocols at Open Systems Interconnection (OSI) model layers 1–7. (Application Layer)
2. Define related threats and select appropriate countermeasures for systems and protocols operating at Open Systems Interconnection (OSI) model layers 1–7. (Application Layer)

PPT: Module Objectives. Introduce the module objectives.


Concepts and Architecture

The application layer supports or hosts the function of applications that run on a system. All manner of human-supported interfaces, messaging, systems control, and processing occur at the application level. While the application layer itself is not the application, it is where applications run.

PPT: Concepts and Architecture. Discuss Application Layer Concepts and Architecture.

Technology and Implementation

Dynamic Host Configuration Protocol (DHCP/DHCPv6)
DHCP is a client/server application that is designed to assign IP addresses from a pool of pre-allotted addresses on a DHCP server. Based upon the specifications in RFC 2131, the client transmits on port 67 and the server responds on port 68. The client sends out a broadcast with a DHCPDISCOVER packet. The server responds with a DHCPOFFER giving the client an available address to use. The client responds back with DHCPREQUEST to use the offered address, and the server sends back a DHCPACK allowing the client to bind the requested address to the network interface card (NIC). If a DHCP server doesn’t respond in a predetermined time, then the DHCP client self-assigns an IP address in the 169.254.x.x range, following the IPv4 Link-Local Addresses specification in RFC 3927.

PPT: Technology and Implementation. Discuss Application Layer Technology and Implementation.
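The four-message exchange above (DISCOVER, OFFER, REQUEST, ACK) can be built and inspected from the RFC 2131 fixed header plus the option 53 message type and option 54 server identifier. The following is an added example (not from the guide) that serializes a constructed exchange, parses it back, and flags any OFFER or ACK whose server identifier is not an authorized DHCP server, which is one passive way to spot a rogue DHCP service; all addresses are documentation ranges and the MAC is constructed.

```python
import struct
from ipaddress import IPv4Address

# DHCP message types carried in option 53 (RFC 2131 / RFC 2132)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
BOOTREQUEST, BOOTREPLY = 1, 2           # 'op' field: client -> 1, server -> 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the options field


def build_dhcp(op, xid, msg_type, chaddr, yiaddr="0.0.0.0",
               server_id=None, requested_ip=None):
    """Serialize a minimal DHCP message: 236-byte fixed header + cookie + options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000,        # htype=Ethernet, hlen=6, hops=0, broadcast flag
        b"\0" * 4,                          # ciaddr
        IPv4Address(yiaddr).packed,         # yiaddr: address offered/assigned to the client
        b"\0" * 4, b"\0" * 4,               # siaddr, giaddr
        chaddr.ljust(16, b"\0"),            # client hardware address, padded to 16 bytes
        b"\0" * 64, b"\0" * 128,            # sname, file (unused here)
    )
    options = bytes([53, 1, msg_type])                          # option 53: message type
    if requested_ip:
        options += bytes([50, 4]) + IPv4Address(requested_ip).packed   # option 50
    if server_id:
        options += bytes([54, 4]) + IPv4Address(server_id).packed      # option 54
    return header + MAGIC_COOKIE + options + b"\xff"            # 255 = end option


def parse_dhcp(data):
    """Extract the fields an audit needs; returns None for non-DHCP input."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        return None
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", data[:8])
    msg = {"op": op, "xid": xid, "yiaddr": str(IPv4Address(data[16:20])),
           "chaddr": data[28:28 + hlen], "msg_type": None, "server_id": None}
    i = 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                    # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            return None                     # truncated option
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg["msg_type"] = value[0]
        elif code == 54 and length == 4:
            msg["server_id"] = str(IPv4Address(value))
        i += 2 + length
    return msg


def rogue_dhcp_replies(packets, authorized_servers):
    """Return (xid, server_id) for every OFFER/ACK not sent by an authorized server."""
    rogue = []
    for raw in packets:
        msg = parse_dhcp(raw)
        if msg and msg["op"] == BOOTREPLY and msg["msg_type"] in (OFFER, ACK):
            if msg["server_id"] not in authorized_servers:
                rogue.append((msg["xid"], msg["server_id"]))
    return rogue


# Constructed DORA exchange with one extra OFFER from an unauthorized server.
CLIENT_MAC = bytes.fromhex("001122334455")
XID = 0x3903F326
SAMPLE_EXCHANGE = [
    build_dhcp(BOOTREQUEST, XID, DISCOVER, CLIENT_MAC),
    build_dhcp(BOOTREPLY, XID, OFFER, CLIENT_MAC, "192.0.2.50", server_id="192.0.2.1"),
    build_dhcp(BOOTREPLY, XID, OFFER, CLIENT_MAC, "192.0.2.200", server_id="192.0.2.99"),
    build_dhcp(BOOTREQUEST, XID, REQUEST, CLIENT_MAC,
               server_id="192.0.2.1", requested_ip="192.0.2.50"),
    build_dhcp(BOOTREPLY, XID, ACK, CLIENT_MAC, "192.0.2.50", server_id="192.0.2.1"),
]
```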

Domain Name System (DNS)

DNS resolves Fully Qualified Domain Names (FQDNs) to IP addresses and transmits data on port 53. According to RFC 1035, the local user, or client, queries an agent known as a Resolver that is part of the client operating system. Network nodes automatically register their name-to-address resolution in the DNS server’s database. To resolve any external domain name, each DNS server in the world must hold a list of the root servers. Various extensions to DNS have been proposed to enhance its functionality and security, for instance, by introducing authentication using DNS Security Extensions (DNSSEC), multicasting, or service discovery.
DNS maintains a directory of zones that have a hierarchical superior known as the root, represented by an administrative dot (“.”) that is appended to the end of a FQDN. The root servers (at the initial printing of this publication there are 13) carry references to what is known as Top Level Domains (TLDs). A few examples of TLDs are .com, .edu, .gov, etc. The TLDs contain references to subzones known as second-level domains. A few examples of second-level domains include amazon.com, microsoft.com, ibm.com, etc. The subzones can continue with third- or fourth-level domains that are typically tied to a specific service.
When a resolver connects to a DNS server, the default specifications state that it will do so with an iterative lookup. This means that the DNS server will hand the lookup back to the resolver after making the first query. In a recursive lookup, the DNS server will return the response for the FQDN to the original resolver after managing the lookup from the root servers until the last answer.
The following records are necessary for the DNS server to be operational:
• Host (A)
• Start of Authority (SOA)
• Name Server (NS)
• Pointer (PTR)
• Mail Exchange (MX)

RFC 5011 specifies a DNSSEC mechanism that automates the trust anchor process of validating the thousands of possible DNS systems that may exist in a resolver’s DNS hierarchy. The purpose of DNSSEC is to validate zone transfers with a digital signature. On September 27, 2017, the Internet Corporation for Assigned Names and Numbers (ICANN) announced that in the first quarter of 2018, it planned to roll out a new Key Signing Key (KSK) to support global DNSSEC.

PPT: Technology and Implementation (continued). Discuss Application Layer Technology and Implementation.
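The root → TLD → second-level walk and the difference between an iterative and a recursive lookup can be traced with a toy hierarchy. The following is an added example (not from the guide): three constructed authoritative servers, one per zone, each either answering from its own data or referring the asker to the child zone; the server addresses and zone contents are made up for the illustration.

```python
# Constructed zone data (not real servers). Each authoritative server holds one zone and
# either answers from it or refers the asker to the name server of the child zone.
ROOT_HINT = "192.0.2.1"      # the resolver's built-in root server address
SERVER_ZONE = {"192.0.2.1": ".", "192.0.2.10": "com.", "192.0.2.20": "example.com."}
ZONES = {
    ".":            {"NS": {"com.": "192.0.2.10"}},             # root refers to the TLD
    "com.":         {"NS": {"example.com.": "192.0.2.20"}},     # TLD refers to second level
    "example.com.": {"A": {"www.example.com.": "192.0.2.80"}},  # authoritative answer
}


def query(server_ip, name):
    """One non-recursive question to an authoritative server.

    Returns ("answer", ip), ("referral", ns_ip) or ("nxdomain", None).
    """
    zone = ZONES[SERVER_ZONE[server_ip]]
    if name in zone.get("A", {}):
        return ("answer", zone["A"][name])
    for child, ns_ip in zone.get("NS", {}).items():       # delegate toward the child zone
        if name == child or name.endswith("." + child):
            return ("referral", ns_ip)
    return ("nxdomain", None)


def resolve_iterative(name, max_hops=8):
    """Iterative lookup: the resolver itself follows each referral from the root down.

    Returns (ip_or_None, path) where path lists (server_asked, reply_kind).
    """
    server, path = ROOT_HINT, []
    for _ in range(max_hops):                 # bound the walk against referral loops
        kind, value = query(server, name)
        path.append((server, kind))
        if kind == "answer":
            return value, path
        if kind == "nxdomain":
            return None, path
        server = value                        # follow the referral
    return None, path


def resolve_recursive(name, recursive_server="192.0.2.53"):
    """Recursive lookup: the client asks one server, which performs the whole walk.

    The client sees a single exchange; the server's internal path is returned
    alongside it for comparison with the iterative case.
    """
    ip, internal_path = resolve_iterative(name)
    client_view = [(recursive_server, "answer" if ip else "nxdomain")]
    return ip, client_view, internal_path
```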

Simple Network Management Protocol (SNMP)

SNMP is designed to manage network infrastructure. SNMP architecture consists of a management server (called the manager in SNMP terminology) and a client usually installed on network devices, such as routers and switches, called an agent. SNMP allows the manager to retrieve (“get”) values of variables from the agent, as well as “set” variables. Such variables could be routing tables or performance-monitoring information.
Probably the most easily exploited SNMP vulnerability is a brute-force attack on default or easily guessable SNMP passwords known as “community strings,” often used to manage a remote device. Given the scale of SNMP v1 and v2 deployment, combined with a lack of clear direction from the security professional with regard to the risks associated with using SNMP without additional security enhancements to protect the community string, it is certainly a realistic scenario and a potentially severe but easily mitigated risk.
Until version 2, SNMP did not provide any degree of authentication or transmission security. Authentication consists of an identifier, called a community string, by which a manager will identify itself against an agent (this string is configured into the agent) and a password sent with a command. As a result, passwords can be easily intercepted, which could then result in commands being sniffed and potentially faked. Like the previous problem, SNMP version 2 did not support any form of encryption, so passwords (community strings) were passed as cleartext. SNMP version 3 addresses this weakness with encryption for passwords.
These are the primary components of SNMP:
• Network management systems
• Management information base
• Managed devices
• Agents

PPT: Technology and Implementation (continued). Discuss Application Layer Technology and Implementation.
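In SNMPv1 and v2c the community string is a plain BER OCTET STRING that follows the version INTEGER at the start of every datagram, which is why anyone capturing the traffic can read it. The following is an added example (not from the guide) that builds constructed GetRequest datagrams, decodes just enough BER to read the version and community, and reports pre-v3 use and default community strings the way a passive audit would; the addresses, community values and the header-only v3 stub are constructed.

```python
# OID 1.3.6.1.2.1.1.1.0 (sysDescr.0) in BER: first two arcs 1.3 pack into 0x2B.
SYSDESCR_0 = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])
DEFAULT_COMMUNITIES = {"public", "private"}


def ber_tlv(tag, payload):
    """Encode one BER TLV; short-form length is enough for these small packets."""
    if len(payload) >= 128:
        raise ValueError("long-form lengths are not needed in this example")
    return bytes([tag, len(payload)]) + payload


def build_get_request(version, community, oid):
    """version 0 = SNMPv1, 1 = SNMPv2c; request-id, error-status, error-index all 0."""
    varbind = ber_tlv(0x30, ber_tlv(0x06, oid) + ber_tlv(0x05, b""))   # OID + NULL
    pdu = ber_tlv(0xA0, ber_tlv(0x02, b"\x00") * 3 + ber_tlv(0x30, varbind))  # GetRequest
    return ber_tlv(0x30, ber_tlv(0x02, bytes([version])) + ber_tlv(0x04, community) + pdu)


def read_tlv(data, i):
    """Decode the TLV header at offset i -> (tag, value_start, value_end)."""
    tag, length = data[i], data[i + 1]
    i += 2
    if length & 0x80:                       # long form: next N bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(data[i:i + n], "big")
        i += n
    return tag, i, i + length


def snmp_header(packet):
    """(version, community) for v1/v2c, (3, None) for v3, None if not SNMP-shaped."""
    try:
        tag, start, end = read_tlv(packet, 0)
        if tag != 0x30 or end != len(packet):
            return None
        tag, vs, ve = read_tlv(packet, start)
        if tag != 0x02:
            return None
        version = int.from_bytes(packet[vs:ve], "big")
        if version == 3:
            return (3, None)                # v3 continues with a SEQUENCE, no community
        tag, cs, ce = read_tlv(packet, ve)
        if tag != 0x04:
            return None
        return (version, packet[cs:ce].decode("latin-1"))
    except IndexError:
        return None


def audit_snmp(datagrams):
    """Flag every pre-v3 datagram: community readable on the wire, worse if default."""
    findings = []
    for src, pkt in datagrams:
        hdr = snmp_header(pkt)
        if hdr is None:
            continue
        version, community = hdr
        if version == 3:
            findings.append((src, "v3", None, "ok"))
            continue
        label = "v1" if version == 0 else "v2c"
        risk = "default-community" if community in DEFAULT_COMMUNITIES else "cleartext-community"
        findings.append((src, label, community, risk))
    return findings


# Constructed capture: two legacy managers and one v3 message (header only).
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", build_get_request(1, b"public", SYSDESCR_0)),
    ("192.0.2.11", build_get_request(0, b"n3tm0n-ro", SYSDESCR_0)),
    ("192.0.2.12", ber_tlv(0x30, ber_tlv(0x02, b"\x03") + ber_tlv(0x30, b""))),
]
```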

Lightweight Directory Access Protocol (LDAP)

LDAP uses a hierarchical tree structure for directory entries. Like X.500, LDAP entries support the DN and RDN concepts. DN attributes are typically based on an entity’s DNS name. Each entry in the database has a series of name/value pairs to denote the various attributes associated with each entry.
Common attributes for an LDAP entry include the following:
• Distinguished Name (DN)
• Relative Distinguished Name (RDN)
• Common Name (CN)
• Domain Component (DC)
• Organizational Unit (OU)

LDAP operates in a client/server architecture. Clients make requests for access to LDAP servers, and the server responds back to the client with the results of that request. LDAP typically runs over unsecured network connections using TCP port 389 for communications. If advanced security is required, version 3 of the LDAP protocol supports using TLS to encrypt communications.
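The LDAP injection threat and its "input validation for queries" countermeasure from the threats table below come down to how user input reaches a search filter. The following is an added example (not from the guide) that shows a vulnerable login filter beside one that escapes the value per RFC 4515, and evaluates both against a constructed directory with a minimal filter parser so the difference in results is visible; the directory entries and the filter-evaluator are assumptions for the illustration.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape untrusted input for use as an LDAP search-filter assertion value."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def login_filter_unsafe(username):
    """Vulnerable (shown for contrast): raw input concatenated into the filter."""
    return "(&(objectClass=person)(uid=%s))" % username


def login_filter_safe(username):
    """Hardened: metacharacters are escaped, so the filter structure cannot change."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)


def _parse(s, i=0):
    """Tiny recursive-descent parser for &, |, ! and attr=value filter items."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, items, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
        return (op, items), i + 1               # skip the closing ')'
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", node), i + 1
    eq = s.index("=", i)
    end = s.index(")", eq)                      # an escaped ')' is "\29", never a raw ')'
    return ("=", s[i:eq].lower(), s[eq + 1:end]), end + 1


def _value_regex(assertion):
    """Assertion value -> regex: raw '*' is a wildcard, \\XX is a literal byte."""
    out, i = "", 0
    while i < len(assertion):
        if assertion[i] == "\\" and i + 2 < len(assertion):
            out += re.escape(chr(int(assertion[i + 1:i + 3], 16)))
            i += 3
        elif assertion[i] == "*":
            out += ".*"
            i += 1
        else:
            out += re.escape(assertion[i])
            i += 1
    return out


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(n, entry) for n in node[1])
    if kind == "|":
        return any(_matches(n, entry) for n in node[1])
    if kind == "!":
        return not _matches(node[1], entry)
    _, attr, value = node
    rx = _value_regex(value)
    return any(re.fullmatch(rx, v, re.I) for v in entry.get(attr, []))


def search(directory, flt):
    """Return the DNs of entries matching flt (attribute names are case-insensitive)."""
    tree, _ = _parse(flt)
    return [e["dn"] for e in directory if _matches(tree, e)]


# Constructed directory: two person entries and one device entry.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "objectclass": ["person"], "uid": ["alice"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "objectclass": ["person"], "uid": ["bob"]},
    {"dn": "cn=print01,ou=devices,dc=example,dc=com", "objectclass": ["device"], "cn": ["print01"]},
]
```

With the unsafe builder a single `*` as the username matches every person; with the escaped builder the same input matches nothing, because `\2a` is compared as a literal asterisk.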

Threats and Countermeasures

Technology: DHCP
Utilization: Dynamic assignment of IP addresses on a network.
Threats: Rogue DHCP service.
Countermeasures: Port authentication of MAC addresses for all workstations.

Technology: DNS
Utilization: Resolve web names to IP addresses.
Threats: Poisoning of DNS server records. Redirect resolvers to erroneous DNS services.
Countermeasures: Utilize DNSSEC and harden DNS servers and related services to mitigate erroneous assignment of DNS services.

Technology: DNS
Utilization: Resolve web names to IP addresses.
Threats: Amplification: Turn small queries into oversized payloads to exhaust victim DNS servers. Reflection: Use spoofed victim addresses to receive query responses.
Countermeasures: Manage black/whitelists (untrusted/trusted) of DNS servers, establish rate limiting of responses. Deep packet inspection to detect malicious traffic.

Technology: HTTP
Utilization: Resolve web page URL request from server to client.
Threats: Text traversing the internet is in plaintext and can be read and manipulated.
Countermeasures: Utilize SSL or TLS (HTTPS).

Technology: LDAP
Utilization: Directory service protocol for managing and organizing systems and services.
Threats: Injection for unauthorized query or content modification.
Countermeasures: Utilize input validation for queries and strong authentication and encryption.

Technology: SNMP
Utilization: Monitor enterprise system performance and health.
Threats: Sensitive system and information disclosure.
Countermeasures: Utilize SNMP v3 only with strong encryption.

Table 4.7: OSI Layer 7: Application Layer – Threats and Countermeasures


Module 9: Service Considerations

PPT: Service Considerations. Introduce the participants to the “Service Considerations” module.

Module Objectives
1. Identify technological implementations that provide services to support mobility and collaboration.
2. Describe various network services that abstract and virtualize underlying components and infrastructure and associate service benefits.

PPT: Module Objectives. Introduce the module objectives.


Mobility and Collaboration

Remote Meeting Technology
Several technologies and services exist that allow organizations and individuals to meet “virtually.” These applications are typically web-based and either install extensions in the browser or client software on the host system. These technologies also typically allow “desktop sharing” as a feature. This feature may allow the viewing of a user’s desktop.
Some organizations use dedicated equipment such as cameras, monitors and meeting rooms to host and participate in remote meetings. These devices are often integrated with Voice over Internet Protocol (VoIP).
Remote meeting technology risks include the following:
• Some software may allow control of another system when the desktop is shared
• Vulnerabilities in the underlying operating system or firmware

PPT: Mobility and Collaboration. Review Mobility and Collaboration Tools.

Virtualized Networks
Within the realm of circuit-switched networking arose two types of virtualization, namely Permanent Virtual Circuits (PVCs) and Switched Virtual Circuits (SVCs).
Virtual circuits provide a connection between endpoints over high-bandwidth, multiuser cable or fiber that behaves as if the circuit were a dedicated physical circuit. There are two types of virtual circuits based on when the routes in the circuit are established.
In a permanent virtual circuit (PVC), the carrier configures the circuit’s routes when the circuit is purchased. Unless the carrier changes the routes to tune the network, respond to an outage, etc., the routes do not change.
On the other hand, the routes of a switched virtual circuit (SVC) are configured dynamically by the routers each time the circuit is used.

Circuit-Switched Networks
Circuit-switched networks establish a dedicated circuit between endpoints. These circuits consist of dedicated switch connections. Neither endpoint starts communicating until the circuit is completely established. The endpoints have exclusive use of the circuit and its bandwidth. Carriers base the cost of using a circuit-switched network on the duration of the connection, which makes this type of network cost-effective only for a steady communication stream between the endpoints. Examples of circuit-switched networks are the plain old telephone service (POTS), Integrated Services Digital Network (ISDN), and Point-to-Point Protocol (PPP).

Packet-Switched Networks
Packet-switched networks do not use a dedicated connection between endpoints. Instead, data is divided into packets and transmitted on a shared network. Each packet contains meta-information so that it can be independently routed on the network.
Networking devices will attempt to find the best path for each packet to its destination. Because network conditions could change while the partners are communicating, packets could take different paths as they traverse the network and arrive in any order. It is the responsibility of the destination endpoint to ensure that the received packets are in the correct order before sending them up the stack.
The modern virtualization of networks and the associated technology is called Network Function Virtualization (NFV), alternately referred to as virtual network function. The objective of NFV is to decouple functions, such as firewall management, intrusion detection, network address translation, or name service resolution, from specific hardware implementations into software solutions. The focus of NFV is to optimize distinct network services. With the focus on network service management and not hardware deployment, NFV readily supports capacity management since there is a more thorough utilization of resources.
As service providers struggled to keep up with the quick deployment needs and faster growth models, the slowness of hardware-based solutions was exposed. A number of these service providers came together and founded the European Telecommunications Standards Institute (ETSI) and worked to formalize NFV standards. The following benefits are sought from utilizing NFV:
• Support transition from capital expenditure to operational expenditure (CapEx to OpEx).
• Reduce wait time in time-to-market ventures.
• Increase service consumption agility.

PPT: Virtualized Networks (3 slides). List Types of Virtualized Networks.


Software-Defined Networking (SDN)

Citing research from the International Data Corporation, Network World stated on July 19, 2017: “IDC estimates the SDN market has grown from a $406 million industry in 2013 to more than a $6.6 billion market in 2017. IDC predicts the SDN market will continue to grow at a 25.4% compound annual growth rate to $13.8 billion by 2021. IDC estimates that SDN is emerging out of the early adopter and into the early mainstream stage of its development.”
Research that came out of Stanford University in California influenced a perspective that traditional network infrastructure comprising routers and switches is technology laden and too rigid and slow for the agile needs of the modern business world. To respond to these needs, software-defined networking (SDN) is repurposing existing infrastructure from being device and hardware centric to being virtual and data centric. The aim is to deliver services rather than to deliver technology.
By abstracting the equipment that is reflected in an SDN, a business requirement for resiliency is met readily in that technology serves the requirement of data flow and consumption rather than populating an infrastructure. The architecture in an SDN is data centric rather than infrastructure centric. Proactive awareness of data not meeting optimal needs informs better strategies related to resiliency than do reactive responses to outages.
SDN is defined by three separate planes or layers:
• Application plane: At this plane all the business applications that manage the underlying Control Plane are exposed with North Bound Interfaces.
• Control plane: Control of network functionality and programmability is directly made to devices at this layer. OpenFlow was the original framework/protocol specified to interface with devices through South Bound Interfaces.
• Data plane: The network switches and routers are located at this plane associated with the infrastructure. The process of forwarding data is accomplished at this plane and, therefore, it can be referred to as a Forwarding Plane as well.
Software-defined wide area network (SD-WAN) is an extension of SDN practices to connect entities spread across the internet to support WAN architecture, especially related to cloud migration. The benefits sought from SD-WAN implementations include the following:
• Minimizing on-premise hardware procurement and management
• Micro-segmentation of traffic types (broadband, MPLS, customer/corporate facing, etc.) for greater performance
• Support for security integration

PPT: Virtualized Networks (3 slides) (continued). List Types of Virtualized Networks.

Content Distribution Networks (CDNs)
A content delivery network or content distribution network (CDN) is a large distributed system of servers deployed in multiple data centers across the internet. The goal of a CDN is to serve content to end users with high availability and high performance. A key capability of a CDN is to provide for capacity management in that original content will not be easily exhausted by requests from a wide geographic field.
These are the two primary components of a CDN:
• Origin servers: House original content in the form of web and rich media composed of audio and video files
• Edge servers: Hold cached copies of the original content and distribute media to regionally close clients to speed delivery


Module 10: Secure Network Components

PPT: Secure Network Components. Introduce the participants to the “Secure Network Components” module.

Module Objectives
1. Recognize relevant network components used to secure communications and differentiate use based upon requirements.
2. Demonstrate use of secure network components as countermeasures in response to specific threats associated with the Open Systems Interconnection (OSI) model layers 1–7.

PPT: Module Objectives. Introduce the module objectives.


Firewalls
Firewalls will not be effective right out of the box. Firewall rules must be defined correctly so as not to inadvertently grant unauthorized access. Like all hosts on a network, administrators must install patches to the firewall and disable all unnecessary services. Also, firewalls offer limited protection against vulnerabilities caused by application flaws in server software on other hosts. For example, a firewall will not prevent an attacker from manipulating a database to disclose confidential information.
Firewalls filter traffic based on a rule set. Each rule instructs the firewall to block or forward a packet based on one or more conditions. For each incoming packet, the firewall will look through its rule set for a rule whose conditions apply to that packet and block or forward the packet as specified in that rule. Below are two important conditions used to determine if a packet should be filtered.
• By address: Firewalls will often use the packet’s source or destination address, or both, to determine if the packet should be filtered.
• By service: Packets can also be filtered by service. The firewall inspects the service the packet is using (if the packet is part of the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), the service is the destination port number) to determine if the packet should be filtered. For example, firewalls will often have a rule to filter the Finger service to prevent an attacker from using it to gather information about a host. Filtering by address and by service are often combined in rules. If the engineering department wanted to grant anyone on the LAN access to its web server, a rule could be defined to forward packets whose destination address is the web server’s and the service is HTTP (TCP port 80).
Firewalls can change the source address of each outgoing (from trusted to untrusted network) packet to a different address. This has several applications, most notably to allow hosts with RFC 1918 addresses access to the internet by changing their private address to one that is routable on the internet. A private address is one that will not be forwarded by an internet router and, therefore, remote attacks using private internal addresses cannot be launched over the open internet.
Anonymity is another reason to use network address translation (NAT). Many organizations do not want to advertise their IP addresses to an untrusted host and, thus, unnecessarily give information about the network. They would rather hide the entire network behind translated addresses. NAT also greatly extends the capabilities of organizations to continue using IPv4 address spaces.

PPT: Firewalls. Discuss Firewalls.


Static Packet Filtering

When a firewall uses static packet filtering, it examines each packet without regard to the packet’s context in a session. Packets are examined against static criteria, for example, blocking all packets with a port number of 79 (finger).
Because of its simplicity, static packet filtering requires very little overhead, but it has a significant disadvantage. Static rules cannot be temporarily changed by the firewall to accommodate legitimate traffic. If a protocol requires a port to be temporarily opened, administrators must choose between permanently opening the port and disallowing the protocol.

PPT: Firewalls (continued). Discuss Firewalls.

Stateful Inspection or Dynamic Packet Filtering
Stateful inspection examines each packet in the context of a session, which allows it to make dynamic adjustments to the rules to accommodate legitimate traffic and block malicious traffic that would appear benign to a static filter. For example, if a user sends a SYN request to a server and receives a SYN-ACK back from the server, the next appropriate frame to send is an ACK. If the user sends another SYN request, the stateful inspection device will see and reject this next “inappropriate” packet.

PPT: Intrusion Detection and Prevention Systems (IDS/IPS). List Types of Intrusion Detection and Prevention Systems (IDS/IPS) Engines.
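Both filtering styles described above can be combined in one small model: static rules by source address and service decide whether a session may start, and a per-flow handshake state then decides whether each later packet is the one the session should see next. The following is an added example (not from the guide) with constructed packets; the LAN prefix, the web server address and the rule list are assumptions, and the finger rule is listed explicitly even though the default-deny already covers it.

```python
from collections import namedtuple

# Constructed packets: addresses, ports and TCP flags only.
Packet = namedtuple("Packet", "src sport dst dport flags")
LAN, WEB = "10.0.0.", "192.0.2.80"

# Static rules as the text describes them: match by source address prefix, destination
# address and service (destination port); None matches anything. First match wins.
RULES = [
    (LAN, WEB, 80, "forward"),   # anyone on the LAN may reach the engineering web server
    (LAN, None, 79, "block"),    # finger is filtered (redundant under the default deny)
]


def flow_key(pkt, direction):
    """Map both directions of one TCP flow onto the same (client, server) key."""
    if direction == "out":
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport)


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = {}                  # flow key -> handshake state

    def static_decision(self, pkt):
        """The static packet filter: no session context, default deny."""
        for src_prefix, dst, dport, action in self.rules:
            if (pkt.src.startswith(src_prefix) and dst in (None, pkt.dst)
                    and dport in (None, pkt.dport)):
                return action
        return "block"

    def inspect(self, pkt, direction):
        """direction 'out' = trusted to untrusted, 'in' = reply traffic."""
        flags = set(pkt.flags)
        key = flow_key(pkt, direction)
        state = self.sessions.get(key)
        if direction == "out":
            if state is None:
                # a new session may only begin with a SYN that a static rule allows
                if flags == {"SYN"} and self.static_decision(pkt) == "forward":
                    self.sessions[key] = "SYN_SENT"
                    return "forward"
                return "block"
            if state == "SYN_RECEIVED" and flags == {"ACK"}:
                self.sessions[key] = "ESTABLISHED"
                return "forward"
            if state == "ESTABLISHED" and "SYN" not in flags:
                return "forward"
            return "block"                  # e.g. a second SYN after the SYN-ACK arrived
        # inbound: only replies that fit the state of a session the inside host opened
        if state == "SYN_SENT" and flags == {"SYN", "ACK"}:
            self.sessions[key] = "SYN_RECEIVED"
            return "forward"
        if state == "ESTABLISHED" and "SYN" not in flags:
            return "forward"
        return "block"                      # unsolicited inbound packet, no session


def run_trace(fw, trace):
    """Feed (direction, packet) pairs through the firewall and collect decisions."""
    return [fw.inspect(pkt, direction) for direction, pkt in trace]


CLIENT = "10.0.0.5"
HANDSHAKE_TRACE = [
    ("out", Packet(CLIENT, 40000, WEB, 80, ("SYN",))),
    ("in",  Packet(WEB, 80, CLIENT, 40000, ("SYN", "ACK"))),
    ("out", Packet(CLIENT, 40000, WEB, 80, ("ACK",))),
    ("out", Packet(CLIENT, 40000, WEB, 80, ("ACK", "PSH"))),   # request data
    ("out", Packet(CLIENT, 40000, WEB, 80, ("SYN",))),         # the "inappropriate" repeat SYN
]
```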
Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection and intrusion prevention, along with malware awareness and prevention. NGFWs are not the same as intrusion prevention system (IPS) stand-alone devices or even firewalls that are simply integrating IPS capabilities. Included in what is called the third generation of firewall technology is in-line deep inspection of traffic, application programming interface (API) gateways, and Database Activity Monitoring.

Intrusion Detection and Prevention Systems (IDS/IPS)
Intrusion detection systems (IDSs) monitor activity and send alerts when they detect suspicious traffic. There are two broad classifications of IDS/IPS:
• Host-based IDS/IPS: Monitor activity on servers and workstations.
• Network-based IDS/IPS: Monitor network activity. Network IDS services are typically stand-alone devices or at least independent blades within network chassis. Network IDS logs would be accessed through a separate management console that will also generate alarms and alerts.
Currently, there are two approaches to the deployment and use of IDSs. An appliance on the network can monitor traffic for attacks based on a set of signatures (analogous to antivirus software), or the appliance can watch the network’s traffic for a while, learn what traffic patterns are normal, and send an alert when it detects an anomaly. Of course, the IDS can be deployed using a hybrid of the two approaches as well.
Independent of the approach, how an organization uses an IDS determines whether the tool is effective. Despite its name, the IDS should not be used to detect intrusions because IDS solutions are not designed to be able to take preventative actions as part of their response. Instead, it should send an alert when it detects interesting, abnormal traffic that could be a prelude to an attack.
For example, someone in the engineering department trying to access payroll information over the network at 3 a.m. is probably very interesting and not normal. Or, perhaps a sudden rise in network utilization should be noted.
Intrusion systems use several techniques to determine whether an attack is underway:
• Signature or pattern-matching systems examine the available information (logs or network traffic) to determine if it matches a known attack.
• Protocol-anomaly-based systems examine network traffic to determine if what they see conforms to the defined standard for that protocol; for example, as it is defined in a Request for Comments (RFC).
• Statistical-anomaly-based systems establish a baseline of normal traffic patterns over time and detect any deviations from that baseline. Some also use heuristics to evaluate the intended behavior of network traffic to determine whether it is intended to be malicious or not. Most modern systems combine two or more of these techniques to provide a more accurate analysis before deciding whether they see an attack or not.
In most cases, there will continue to be problems associated with false positives as well as false negatives. False positives occur when the IDS or IPS identifies something as an attack, but it is in fact normal traffic. False negatives occur when the IPS or IDS fails to interpret something as an attack when it should have. In these cases, intrusion systems must be carefully “tuned” to ensure that these are kept to a minimum.

PPT: Intrusion Detection and Prevention Systems (IDS/IPS) (continued). List Types of Intrusion Detection and Prevention Systems (IDS/IPS) Engines.


An IDS requires frequent attention. An IDS requires the response of a human who is knowledgeable enough about the system and types of normal activity to make an educated judgment about the relevance and significance of the event. Alerts need to be investigated to determine if they represent an actual event, or if they are simply background noise.
PPT
Intrusion Detection
Whitelisting/Blacklisting and Prevention
Systems (IDS/IPS)
Whitelisting/blacklisting: A whitelist is a list of email addresses (continued)
and/or internet addresses that someone knows as “good” senders.
List Types of Intrusion
A blacklist is a corresponding list of known “bad” senders. So, an Detection and Prevention
email from an unrecognized sender is neither on the whitelist or the Systems (IDS/IPS) Engines.
blacklist and, therefore, is treated differently. Greylisting works by
telling the sending email server to resend the message sometime
soon. Many spammers set their software to blindly transmit their PPT
spam email, and the software does not understand the “resend
Whitelisting/blacklisting
soon” message. Thus, the spam would never actually be delivered.
Explain Whitelisting/
blacklisting.
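The following added example (not code from the (ISC)2 guide) shows the three decisions in one inbound mail filter: whitelist hit, blacklist hit, and greylisting of an unknown sender by temporarily failing the first delivery attempt. The addresses, the example domains and the five-minute retry window are assumptions made for the example; the clock is injectable so the retry behaviour can be simulated without waiting.

```python
"""Whitelist, blacklist and greylisting decisions for an inbound SMTP connection.

Added example, not code from the (ISC)2 guide. The lists, the addresses and the
five-minute retry window are constructed for illustration.
"""
import time


class InboundMailFilter:
    def __init__(self, whitelist, blacklist, retry_after_s=300, clock=time.time):
        self.whitelist = set(whitelist)      # known-good senders or domains
        self.blacklist = set(blacklist)      # known-bad senders, domains or client IPs
        self.retry_after_s = retry_after_s   # how long an unknown sender must wait
        self.clock = clock                   # injectable for testing
        # greylist "triplets": (client_ip, sender, recipient) -> time first seen
        self.pending = {}

    @staticmethod
    def _domain(address):
        return address.rsplit("@", 1)[-1].lower()

    def decide(self, client_ip, sender, recipient):
        """Return the SMTP-level verdict: ACCEPT, REJECT or TEMPFAIL (451, retry later)."""
        sender = sender.lower()
        if sender in self.whitelist or self._domain(sender) in self.whitelist:
            return "ACCEPT"
        if (sender in self.blacklist or self._domain(sender) in self.blacklist
                or client_ip in self.blacklist):
            return "REJECT"
        # Unknown sender: greylist it. A real MTA retries later; bulk spam software often does not.
        triplet = (client_ip, sender, recipient)
        now = self.clock()
        first_seen = self.pending.get(triplet)
        if first_seen is None:
            self.pending[triplet] = now
            return "TEMPFAIL"
        if now - first_seen < self.retry_after_s:
            return "TEMPFAIL"          # retried too soon; keep waiting
        return "ACCEPT"                # sender behaved like a real mail server


def simulate():
    """Constructed scenario: one legitimate MTA that retries, one bulk mailer that never does."""
    fake_time = [1_000.0]
    mf = InboundMailFilter(whitelist={"partner.example"},
                           blacklist={"spam.example"},
                           clock=lambda: fake_time[0])
    log = []
    log.append(mf.decide("203.0.113.5", "alice@partner.example", "bob@corp.example"))
    log.append(mf.decide("203.0.113.6", "deals@spam.example", "bob@corp.example"))
    log.append(mf.decide("198.51.100.9", "new@unknown.example", "bob@corp.example"))
    log.append(mf.decide("198.51.100.10", "blast@bulk.example", "bob@corp.example"))
    fake_time[0] += 60      # unknown sender retries after 1 minute: too early
    log.append(mf.decide("198.51.100.9", "new@unknown.example", "bob@corp.example"))
    fake_time[0] += 600     # retries again 10 minutes later: accepted
    log.append(mf.decide("198.51.100.9", "new@unknown.example", "bob@corp.example"))
    # the bulk mailer never retried, so its message was never delivered
    return log


if __name__ == "__main__":
    print(simulate())
```

The greylist key is the (client IP, sender, recipient) triplet rather than the sender alone, so a forged sender address on a different connecting host does not inherit an earlier sender's accepted state.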

Network Access Control (NAC) Devices

Port Address Translation (PAT)
An extension to network address translation (NAT), which translates all addresses to one externally routable IP address, is to use port address translation (PAT) to translate the source port number for an external service. The port translation keeps track of multiple sessions that are accessing the internet.
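As an added example (not code from the (ISC)2 guide), this Python models the PAT session table: every inside (address, port) pair that opens a session is given a unique source port on the single public address, replies are mapped back through that table, and an inbound packet with no matching session has nowhere to go and is dropped. The public address 198.51.100.1 and the port range are constructed for the example.

```python
"""Port address translation (PAT) table: many inside hosts behind one public IP.

Added example, not from the (ISC)2 guide. The addresses and port range are
constructed; 198.51.100.1 stands in for the one externally routable address.
"""


class PortAddressTranslator:
    def __init__(self, public_ip, first_port=40000, last_port=65535):
        self.public_ip = public_ip
        self._free_ports = iter(range(first_port, last_port + 1))
        # session state: who owns which translated source port
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # (public_port, remote_ip, remote_port) -> (src_ip, src_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet's source to public_ip:<unique port>."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            try:
                public_port = next(self._free_ports)
            except StopIteration:
                raise RuntimeError("PAT port pool exhausted") from None
            self.outbound[key] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, remote_ip, remote_port, public_port):
        """Map a reply back to the inside host, or None if no session asked for it.

        Unsolicited inbound packets have no table entry and are dropped, which is
        the incidental filtering effect PAT gives an internal network."""
        inside = self.inbound.get((public_port, remote_ip, remote_port))
        if inside is None:
            return None
        src_ip, src_port = inside
        return (remote_ip, remote_port, src_ip, src_port)

    def active_sessions(self):
        return len(self.outbound)


def demo():
    """Two inside hosts that happen to pick the same ephemeral source port."""
    pat = PortAddressTranslator("198.51.100.1")
    a = pat.translate_out("10.0.0.5", 50000, "93.184.216.34", 443)
    b = pat.translate_out("10.0.0.6", 50000, "93.184.216.34", 443)
    a_again = pat.translate_out("10.0.0.5", 50000, "93.184.216.34", 443)  # same session
    reply_b = pat.translate_in("93.184.216.34", 443, b[1])
    unsolicited = pat.translate_in("203.0.113.99", 3389, 40002)
    return a, b, a_again, reply_b, unsolicited, pat.active_sessions()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that the table is keyed on the remote endpoint as well as the public port, so a reply is accepted only from the host the session was opened to; the exhaustion error is the practical limit of hiding a large network behind one address.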

Proxy Firewall
A proxy firewall mediates communications between untrusted
endpoints (servers/hosts/clients) and trusted endpoints (servers/
hosts/clients). From an internal perspective, a proxy may forward
traffic from known, internal client machines to untrusted hosts on
the internet, creating the illusion for the untrusted host that the
traffic originated from the proxy firewall, thus, hiding the trusted
internal client from potential attackers. To the user, it appears that
they are communicating directly with the untrusted server. Proxy
servers are often placed at internet gateways to hide the internal
network behind one IP address and to prevent direct
communication between internal and external hosts.

Proxy Types
A circuit-level proxy creates a conduit through which a trusted host can communicate with an untrusted one. This type of proxy does not inspect the data field that it forwards, which adds very little overhead to the communication between the user and untrusted server. The lack of application awareness also allows circuit-level proxies to forward any traffic to any TCP and UDP port. The disadvantage is that the data field will not be analyzed for malicious content.
An application-level proxy relays the traffic from a trusted end-point running a specific application to an untrusted end-point. The most significant advantage of application-level proxies is that they analyze the data field that they forward for various sorts of common attacks such as buffer overflows. Application-level proxies add processing overhead.

Endpoint Security
Workstations should be hardened, and users should be using limited
access accounts whenever possible in accordance with the concept of
“least privilege.”
Workstations should have the following:
l Up to date antivirus and anti-malware software
l A configured and operational host-based firewall
l A hardened configuration with unneeded services disabled
l A patched and maintained operating system

While workstations are clearly what most people will associate with endpoint attacks, the landscape is changing. Mobile devices, such as smartphones and tablets, are beginning to make up more and more of the average organization’s endpoints. With this additional diversity of devices, the security architect must also increase the diversity and agility of an organization’s endpoint defenses.
For mobile devices such as smart phones and tablets, consider the
following:
l Encryption for the whole device, or if not possible, then at least
encryption for sensitive information held on the device
l Device virtualization/sandboxing
l Remote management capabilities including the following:
o Remote wipe
o Remote geolocate
o Remote update
o Remote operation
l User policies and agreements that ensure an organization can
manage the device or seize it for legal hold

Module 11: Secure Communications Channels According to Design

Module Objectives
1. Define secure communications channels that support remote access services and collaboration.

Voice
Voice over Internet Protocol (VoIP)
Voice over Internet Protocol (VoIP) is a technology that allows you to make voice calls using a broadband internet connection instead of a regular (or analog) phone line. VoIP is simply the transmission of voice traffic over IP-based networks. VoIP is also the foundation for more advanced unified communications applications such as web and video conferencing.
VoIP systems are based on the use of the Session Initiation Protocol (SIP), which is the recognized standard. Any SIP compatible device can talk to any other. In all VoIP systems, your voice is converted into packets of data and then transmitted to the recipient over the internet and decoded back into your voice at the other end. To make it quicker, these packets are compressed before transmission with certain codecs, almost like zipping a file on the fly. There are many codecs with diverse ways of achieving compression and managing bitrates, thus, each codec has its own bandwidth requirements and provides different voice quality for VoIP calls.
VoIP systems employ session control and signaling protocols to control
the signaling, set-up, and tear-down of calls. A codec is software that
encodes audio signals into digital frames and vice versa. Codecs are
characterized by different sampling rates and resolutions. Different
codecs employ different compression methods and algorithms, using
different bandwidth and computational requirements.

Session Initiation Protocol (SIP)


As its name implies, SIP is designed to manage multimedia connections.
SIP is designed to support digest authentication structured by realms,
like HTTP (basic username/password authentication has been removed
from the protocol as of RFC 3261). In addition, SIP provides integrity
protection through MD5 hash functions. SIP supports a variety of
encryption mechanisms, such as TLS. Privacy extensions to SIP, including
encryption and caller ID suppression, have been defined in extensions
to the original Session Initiation Protocol (RFC 3325).

VoIP Problems
l Packet loss: A technique called packet loss concealment (PLC) is used in VoIP communications to mask the effect of dropped packets. There are several techniques that may be used by different implementations:
o Zero substitution is the simplest PLC technique that requires the least computational resources. These simple algorithms generally provide the lowest quality sound when a considerable number of packets are discarded.
o Filling empty spaces with artificially generated, substitute sound.
o The more advanced algorithms interpolate the gaps, producing the best sound quality at the cost of using extra computational resources. The best implementation can tolerate up to 20 percent of packets lost without significant degradation of voice quality.
While some PLC techniques work better than others, no masking technique can compensate for a significant loss of packets. When bursts of packets are lost due to network congestion, noticeable degradation of call quality occurs.
In VoIP, packets can be discarded for many reasons, including network congestion, line errors, and late arrival. The network architect and security practitioner need to work together to select the right PLC technique that best matches the characteristics of an environment, as well as to ensure that they implement measures to reduce packet loss on the network.
l Jitter: Unlike network delay, jitter does not occur because of the packet delay but because of a variation of packet timing. As VoIP endpoints try to compensate for jitter by increasing the size of the packet buffer, jitter causes delays in the conversation. If the variation becomes too high and exceeds 150ms, callers notice the delay and often revert to a walkie-talkie style of conversation.
Reducing the delays on the network helps keep the buffer under 150ms even if a significant variation is present. While the reduced delay does not necessarily remove the variation, it still effectively reduces the degree to which the effect is pronounced and brings it to the point where it’s unnoticeable by the callers. Prioritizing VoIP traffic and implementing bandwidth shaping also helps reduce the variation of packet delay.
At the endpoint, it is essential to optimize jitter buffering. While greater buffers reduce and remove the jitter, anything over 150ms noticeably affects the perceived quality of the conversation. Adaptive algorithms to control buffer size depending on the current network conditions are often quite effective. Fiddling with packet size (payload) or using a different codec often helps control jitter as well.
l Sequence errors: Routed networks will send packets along the best possible path at this moment. That means packets will, on occasion, arrive in a different order than transmitted. This will cause a degradation in the call quality.
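The three problems above (loss, jitter and sequence errors) are handled at the receiving endpoint, and the following added example (not code from the (ISC)2 guide) walks through that pipeline on a constructed arrival log: reorder by sequence number, find the lost packet, conceal it by zero substitution and by interpolation so the two can be compared, measure the transit-delay variation, and size an adaptive jitter buffer that never exceeds the 150 ms threshold. The packets, timestamps and four-sample "audio frames" are constructed for the example; a real endpoint works on RTP packets carrying codec frames of 10 to 30 ms.

```python
"""Receiver-side handling of the three VoIP problems above: loss, jitter, reordering.

Added example, not from the (ISC)2 guide. Packets, timestamps and the tiny
4-sample audio frames are constructed; a real endpoint works on RTP packets
carrying codec frames of 10-30 ms.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class VoicePacket:
    seq: int                   # sequence number assigned by the sender
    send_ms: float             # sender timestamp (ms)
    recv_ms: float             # arrival time at the receiver (ms)
    samples: List[int] = field(default_factory=list)   # decoded audio frame


# Constructed arrival log: seq 4 was lost and seq 3 arrived after seq 5.
ARRIVALS = [
    VoicePacket(1, 0, 50, [10, 12, 14, 16]),
    VoicePacket(2, 20, 72, [18, 20, 22, 24]),
    VoicePacket(5, 80, 130, [42, 44, 46, 48]),
    VoicePacket(3, 40, 112, [26, 28, 30, 32]),
    VoicePacket(6, 100, 155, [50, 52, 54, 56]),
]


def reorder(packets):
    """Sequence errors: put packets back into transmission order."""
    return sorted(packets, key=lambda p: p.seq)


def missing_sequences(packets):
    """Packet loss detection from gaps in the sequence numbers."""
    seqs = {p.seq for p in packets}
    return [s for s in range(min(seqs), max(seqs) + 1) if s not in seqs]


def conceal(packets, method="zero"):
    """Packet loss concealment: rebuild a gap-free list of frames.

    method="zero"        -> zero substitution (cheapest, worst quality)
    method="interpolate" -> linear interpolation between neighbouring frames
    """
    by_seq = {p.seq: p.samples for p in packets}
    frame_len = len(next(iter(by_seq.values())))
    frames = []
    for seq in range(min(by_seq), max(by_seq) + 1):
        if seq in by_seq:
            frames.append(list(by_seq[seq]))
            continue
        prev_seq = max((s for s in by_seq if s < seq), default=None)
        next_seq = min((s for s in by_seq if s > seq), default=None)
        if method == "interpolate" and prev_seq is not None and next_seq is not None:
            before, after = by_seq[prev_seq], by_seq[next_seq]
            t = (seq - prev_seq) / (next_seq - prev_seq)
            frames.append([round(a + (b - a) * t) for a, b in zip(before, after)])
        else:
            frames.append([0] * frame_len)   # zero substitution
    return frames


def jitter_ms(packets):
    """Jitter = variation of transit delay between consecutive packets (mean |delta|)."""
    transit = [p.recv_ms - p.send_ms for p in reorder(packets)]
    deltas = [abs(transit[i] - transit[i - 1]) for i in range(1, len(transit))]
    return sum(deltas) / len(deltas) if deltas else 0.0


def choose_buffer_ms(jitter, floor_ms=20.0, ceiling_ms=150.0):
    """Adaptive jitter buffer: about twice the measured jitter, never above 150 ms
    (the point at which callers notice the delay)."""
    return max(floor_ms, min(ceiling_ms, 2 * jitter))


if __name__ == "__main__":
    print("lost:", missing_sequences(ARRIVALS))
    print("zero PLC:", conceal(ARRIVALS, "zero")[3])
    print("interp PLC:", conceal(ARRIVALS, "interpolate")[3])
    j = jitter_ms(ARRIVALS)
    print(f"jitter {j:.2f} ms -> buffer {choose_buffer_ms(j):.1f} ms")
```

On the constructed log the interpolated frame for the lost packet sits halfway between its neighbours while zero substitution inserts silence, and the measured 12.25 ms of jitter yields a 24.5 ms buffer, well under the 150 ms threshold.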


Multimedia Collaboration

Peer-to-Peer (P2P) Applications and Protocols
Peer-to-peer (P2P) applications are often designed to open an uncontrolled channel through network boundaries (normally through tunneling). Therefore, they provide a way for dangerous content, such as botnets, spyware applications, and viruses, to enter an otherwise protected network.
Because P2P networks can be established and managed using a series of multiple, overlapping master and slave nodes, they can be very difficult to fully detect and shut down. If one master node is detected and shut down, the “bot herder” who controls the P2P botnet can make one of the slave nodes a master and use that as a redundant staging point, allowing for botnet operations to continue unimpeded.

Instant Messaging
Instant messaging systems can generally be categorized in three
classes:
l P2P networks
l Brokered communication
l Server-oriented networks

All these classes will support basic “chat” services on a one-to-one basis
and frequently on a many-to-many basis. Most instant messaging
applications do offer additional services beyond their text messaging
capability, for instance, screen sharing, remote control, exchange of files,
and voice and video conversation. Some applications even allow command
scripting. Instant messaging and chat is increasingly considered a significant
business application used for office communications, customer support,
and “presence” applications. Instant message capabilities will frequently be
deployed with a bundle of other IP-based services such as VoIP and video
conferencing support.

Open Protocols, Applications, and Services


Internet Relay Chat (IRC)
Internet Relay Chat (IRC) is a client/server-based network. This is a common method of communicating today. IRC is unencrypted and, therefore, an easy target for sniffing attacks. The basic architecture of IRC, founded on trust among servers, enables special forms of denial-of-service attacks. For instance, a malicious user can hijack a channel while a server or group of servers has been disconnected from the rest (net split). IRC is also a common platform for social engineering attacks aimed at inexperienced or technically unskilled users. While there are many business and personal benefits and efficiencies to be gained from adopting instant messaging/chat/IRC technologies, there are also many risks.
Authenticity: User identification can be easily faked in instant messaging and chat applications by the following:
l Choosing a misleading identity upon registration or changing one’s nickname while online.
l Manipulating the directory service if the application requires one.
l Manipulating either the attacker’s or the target’s client to send or display a wrong identity.
l The continued growth of social-networking services and sites like Facebook, Vine, KiK, Twitter, LinkedIn and others presents ample opportunity to create a false identity and to try and dupe others for criminal purposes.
Additional risks related to the use of internet relay chat (IRC) include:
l Confidentiality: Many chat systems transmit their
information in cleartext. Similar to unencrypted email,
information can be disclosed by sniffing on the network.
A different form of confidentiality breach may occur based
on the fact that chat applications can generate an illusion
and expectation of privacy, e.g., by establishing “closed
rooms.” Depending on the kind of infrastructure used, all
messages can, however, be read in cleartext by privileged
users such as the chat system’s operators. File transfer
mechanisms embedded in instant messaging clients can
be considered an uncontrolled channel for information,
especially file leakage.
l Scripting: Certain chat clients, such as IRC clients, can
execute scripts that are intended to simplify administration
tasks, such as joining a chat channel. Because these scripts
are executed with the user’s privileges with relatively
unsophisticated (no sandbox) or nonexistent protection,
they are an attractive target for social engineering or other
attacks. Once the victim has been tricked into executing
commands, they can leave their computer wide open for
other attacks.
l Social Engineering: Related to spam and phishing, in social engineering attackers can exploit human nature and good will to claim false legitimacy, for instance, by claiming to belong to a certain company or social group. Again, social networking applications and services provide many opportunities to masquerade as a legitimate member of a group for criminal and fraudulent purposes.
l Spam over instant messaging (SPIM): With the proliferation of instant messaging clients and social networking sites, a form of SPIM is delivered through pop-up windows that can overrun processes that are part of an intended course of action. An effective countermeasure is to disable the service or only allow internal or corporate instant message services.

Remote Access Tunneling/ Virtual Private Networks (VPNs)

Remote-Access Services
The services described under this section are present in many UNIX operations and, when combined with Network File System (NFS) and Network Information Service (NIS), provide the user with seamless remote working capabilities. However, they also form a risky combination if not configured and managed properly.
These services include the following:
l TELNET
l rlogin
l X Window System (X11)
l Remote copy (RCP)
l Remote shell (RSH)
l Secure shell (SSH)

Conceptually, because they are built on mutual trust, they can be misused
to obtain access and to horizontally and vertically escalate privileges in an
attack. Their authentication and transmission capabilities are insecure by
design; therefore, they have to be retrofitted (as X11) or replaced
altogether (TELNET and rlogin by SSH).
TELNET is a command line protocol designed to give command line
access to another host. Although implementations for Windows exist,
TELNET’s original domain was the UNIX server world, and in fact, a
TELNET server is standard equipment for any UNIX server. (Whether it
should be enabled is another question entirely, but in small LAN
environments, TELNET is still widely used.)

TELNET:
l Offers little security, and indeed, its use poses serious security risks in untrusted environments.
l Is limited to username/password authentication.
l Does not offer encryption.
Once an attacker has obtained even a low-level user’s credentials, they have a trivial path toward privilege escalation because they can transfer data to and from a machine, as well as execute commands. As the TELNET server is running under system privileges, it is an attractive target of attack in itself; exploits in TELNET servers pave the way to system privileges for an attacker. Therefore, it is recommended that security practitioners discontinue the use of TELNET over the internet and on internet facing machines. In fact, the standard hardening procedure for any internet facing server should include disabling its TELNET service, which under UNIX systems would normally run under the name of telnetd, and using SSHv2 for remote administration and management where required.

Remote Log-in (rlogin), Remote Shell (rsh), Remote Copy (rcp)
In its most generic form, rlogin is a protocol used for granting
remote access to a machine, normally a UNIX server. Similarly, rsh
grants direct remote command execution while rcp copies data
from or to a remote machine. If an rlogin daemon (rlogind) is running on a machine, rlogin access can be granted in two ways:
l Using a central configuration file
l Through a user configuration

By the latter, a user may grant access that was not permitted by
the system administrator. The same mechanism applies to rsh
and rcp although they are relying on a different daemon (rshd).
Authentication can be considered host/IP address based.
Although rlogin grants access based on user ID, it is not verified;
i.e., the ID a remote client claims to possess is taken for granted
if the request comes from a trusted host. The rlogin protocol
transmits data without encryption and is hence subject to
eavesdropping and interception.
The rlogin protocol is of limited value—its main benefit can be
considered its main drawback: remote access without supplying a
password. It should only be used in trusted networks, if at all. A
more secure replacement is available in the form of SSHv2 for
rlogin, rsh, and rcp.
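The hardening advice in the TELNET and rlogin sections above (disable the legacy daemons, watch for trust granted outside the administrator's control) can be turned into a check. The following added example (not code from the (ISC)2 guide) audits constructed samples in the classic inetd.conf and hosts.equiv/.rhosts formats: it reports which legacy services are still uncommented and flags any "+" wildcard that grants password-less rlogin/rsh trust to every host or user. The file contents are constructed samples, not files from a real system.

```python
"""Audit of legacy remote-access services on a UNIX host: which insecure
daemons does inetd still offer, and does any trust file grant passwordless
rlogin/rsh to the world?

Added example, not from the (ISC)2 guide. The two configuration texts are
constructed samples in the classic inetd.conf and hosts.equiv/.rhosts
formats, not files taken from a real system.
"""

# service name in inetd.conf -> why it is a finding (per the text above)
LEGACY_SERVICES = {
    "telnet": "cleartext username/password and session; replace with SSHv2",
    "login":  "rlogind: host/IP-based trust, unverified user ID, no encryption",
    "shell":  "rshd: remote command execution on the same trust model as rlogin",
    "exec":   "rexecd: cleartext password for remote command execution",
}

SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <wait> <user> <server> <args>
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
"""

SAMPLE_HOSTS_EQUIV = """\
# hosts trusted for rlogin/rsh without a password
build01.corp.example
+
"""

SAMPLE_RHOSTS = """\
admin-ws.corp.example  alice
+ +
"""


def enabled_inetd_services(text):
    """Return the service names of every uncommented inetd.conf line."""
    services = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        services.append(line.split()[0])
    return services


def audit_inetd(text):
    """(service, reason) for each enabled service the text above warns about."""
    return [(svc, LEGACY_SERVICES[svc]) for svc in enabled_inetd_services(text)
            if svc in LEGACY_SERVICES]


def audit_trust_file(text, name):
    """Flag any '+' field: '+' as a host trusts every host, '+ +' every user too."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if "+" in fields:
            findings.append((name, lineno, line.strip()))
    return findings


def audit_host(inetd_conf, hosts_equiv, rhosts_by_user):
    """Combine the checks; an empty list means nothing the text above warns about."""
    findings = [("inetd.conf", svc, why) for svc, why in audit_inetd(inetd_conf)]
    findings += audit_trust_file(hosts_equiv, "/etc/hosts.equiv")
    for user, text in rhosts_by_user.items():
        findings += audit_trust_file(text, f"~{user}/.rhosts")
    return findings


if __name__ == "__main__":
    for finding in audit_host(SAMPLE_INETD_CONF, SAMPLE_HOSTS_EQUIV, {"bob": SAMPLE_RHOSTS}):
        print(*finding)
```

The per-user .rhosts check matters because, as the text notes, a user can grant access the administrator never permitted; the commented-out shell line shows that disabling a service in inetd.conf is enough to clear that finding.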


Screen Scraper
A screen scraper is a program that can extract data from output on a display intended for a human. Screen scrapers are used in a legitimate fashion when older technologies are unable to interface with modern ones. In a nefarious sense, this technology can also be used to capture images from a user’s computer such as PIN pad sequences at a banking website when implemented by a virus or malware.

Virtual Applications and Desktops
Virtual Network Terminal Services
Virtual terminal service is a tool frequently used for remote access to server resources. Virtual terminal services allow the desktop environment
server resources. Virtual terminal services allow the desktop environment
for a server to be exported to a remote workstation. This allows users at
the remote workstation to execute desktop commands as though they
were sitting at the server terminal interface in person.
The advantage of terminal services such as those provided by Citrix,
Microsoft, or public domain virtual network computing (VNC) services is
that they allow for complex administrative commands to be executed
using the native interface of the server, rather than a command-line
interface, which might be available through SSHv2 or telnet. Terminal
services also allow for the authentication and authorization services
integrated into the server to be leveraged for remote users, in addition
to all the logging and auditing features of the server as well.

Remote Access
Virtual Private Network (VPN)
A virtual private network (VPN) is a point-to-point connection that extends a private network across a public network. The most common security definition is an encrypted tunnel between two hosts, but a VPN does not have to be encrypted. A tunnel is the encapsulation of one protocol inside another. Remote
users employ VPNs to access their organization’s network securely.
Depending on the VPN’s implementation, they may have most of the
same resources available to them as if they were physically at the office.
As an alternative to expensive dedicated point-to-point connections,
organizations use gateway-to-gateway VPNs to securely transmit
information over the internet between sites or even with business partners.

Telecommuting
Common issues such as visitor control, physical security, and network control are almost impossible to address with teleworkers. Strong VPN connections between the teleworker and the organization need to be established, and full device encryption should be the norm for protecting sensitive information.
If the user works in public places or a home office the following should also be considered:
l Is the user trained to use secure connectivity software and methods such as a VPN?
l Does the user know which information is sensitive or valuable and why someone might wish to steal or modify it?
l Is the user’s physical location appropriately secure for the type of work and type of information they are using?
l Who else has access to the area? While a child may seem trusted, the child’s friends may not be.

Tunneling
Point-to-Point Tunneling Protocol (PPTP)
Point-to-Point Tunneling Protocol (PPTP) is a tunnel protocol that runs
over other protocols. PPTP relies on Generic Routing Encapsulation
(GRE) to build the tunnel between the endpoints.
The security architect and practitioner both need to consider known
weaknesses, such as the issues identified with PPTP, when planning
for the deployment and use of remote access technologies.
PPTP is based on Point-to-Point Protocol (PPP), so it does offer
authentication by way of password authentication protocol (PAP),
Challenge-Handshake Authentication Protocol (CHAP), or
Extensible Authentication Protocol (EAP).

Layer 2 Tunneling Protocol (L2TP)


Layer 2 Tunneling Protocol (L2TP) is a hybrid of Layer 2 Forwarding
(L2F) and PPTP. It allows callers over a serial line using PPP to
connect over the internet to a remote network. L2TP does not
provide encryption, but it relies upon IPSec to provide encryption.
L2TP is based on PPP so it does offer authentication by way of PAP,
CHAP, and EAP. Again IPSec can provide authentication.

IPSec
IP security (IPSec) is a suite of protocols for communicating
securely with IP by providing mechanisms for authentication and
encryption. Standard IPSec only authenticates hosts with each other. If an organization requires users to authenticate, they must employ a nonstandard proprietary IPSec implementation, or use IPSec over Layer 2 Tunneling Protocol (L2TP).
The latter approach uses L2TP to authenticate the users and encapsulate IPSec packets within an L2TP tunnel. Because IPSec interprets the change of IP address within packet headers as an attack, NAT does not work well with IPSec. To resolve the incompatibility of the two protocols, NAT-Traversal (NAT-T) encapsulates IPSec within UDP port 4500 (see RFC 3948 for details).
Authentication Header (AH)
The Authentication Header (AH) is used to prove the identity of the origin
node and ensure that the transmitted data has not been tampered with.
Before each packet (headers + data) is transmitted, a hash value of the
packet’s contents (except for the fields that are expected to change when
the packet is routed) based on a shared secret is inserted in the last field
of the AH. The endpoints negotiate which hashing algorithm to use and
the shared secret when they establish their security association. To help
thwart replay attacks (when a legitimate session is retransmitted to gain
unauthorized access), each packet that is transmitted during a security
association has a sequence number that is stored in the AH. In transport
mode, the AH is inserted between the packet’s IP and TCP header. The
AH helps ensure authenticity and integrity, not confidentiality. Encryption
is implemented through the use of encapsulating security payload (ESP).
Encapsulating Security Payload (ESP)
The ESP encrypts IP packets and ensures their integrity. ESP contains
four sections:
l ESP header: Contains information showing which security
association to use and the packet sequence number. Like the AH,
the ESP sequences every packet to thwart replay attacks.
l ESP payload: The payload contains the encrypted part of the
packet. If the encryption algorithm requires an initialization
vector (IV), it is included with the payload. The endpoints
negotiate which encryption to use when the security association
is established. Because packets must be encrypted with as little
overhead as possible, ESP typically uses a symmetric encryption
algorithm.
l ESP trailer: May include padding (filler bytes) if required by the
encryption algorithm or to align fields.
l Authentication: If authentication is used, this field contains the
integrity check value (hash) of the ESP packet. As with the AH,
the authentication algorithm is negotiated when the endpoints
establish their security association.
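To show the AH and ESP mechanics described above working end to end, here is an added example (not code from the (ISC)2 guide or from any IPSec stack). One SecurityAssociation object holds the negotiated keys, the sender's sequence counter and the receiver's anti-replay window; the AH functions compute an integrity check over the immutable header fields, the sequence number and the payload (the TTL is excluded because routers rewrite it); the ESP functions build header | IV | encrypted payload+trailer | ICV and verify integrity, then replay, before decrypting. Keys, SPI values and addresses are constructed. The integrity check is HMAC-SHA-256 truncated to 128 bits (the RFC 4868 HMAC-SHA-256-128 transform); the "encryption" is a toy HMAC-based keystream standing in for AES, so the packet structure is realistic but the cipher is an assumption of the example, not one a real SA would negotiate.

```python
"""AH-style and ESP-style packet protection over one security association.

Added example, not from the (ISC)2 guide or any IPSec stack. Keys and addresses
are constructed. ICV = HMAC-SHA-256 truncated to 128 bits (RFC 4868 style); the
cipher is a toy HMAC keystream standing in for AES, so only the structure is real.
"""
import hashlib
import hmac
import os
import struct

ICV_LEN = 16          # 128-bit truncated HMAC
BLOCK = 16            # cipher block size used for ESP padding
NEXT_HEADER_TCP = 6


class SecurityAssociation:
    """One direction of traffic; each endpoint keeps its own copy of the state."""

    def __init__(self, spi, auth_key, enc_key, window=64):
        self.spi = spi
        self.auth_key = auth_key
        self.enc_key = enc_key
        self.window = window
        self.send_seq = 0          # sender: last sequence number used
        self.highest_seen = 0      # receiver: top of the anti-replay window
        self.seen = set()

    def next_seq(self):
        self.send_seq += 1
        return self.send_seq

    def accept_seq(self, seq):
        """Anti-replay: reject duplicates and anything older than the window."""
        if seq in self.seen or seq + self.window <= self.highest_seen:
            return False
        self.seen.add(seq)
        self.highest_seen = max(self.highest_seen, seq)
        self.seen = {s for s in self.seen if s + self.window > self.highest_seen}
        return True


def _icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


# ---- Authentication Header: origin + integrity, no confidentiality ----------
def _ah_covered(src_ip, dst_ip, seq, payload):
    # TTL is mutable in transit, so it is treated as zero; src/dst/seq/payload are covered
    return src_ip + dst_ip + struct.pack("!B", 0) + struct.pack("!I", seq) + payload


def ah_protect(sa, src_ip, dst_ip, ttl, payload):
    seq = sa.next_seq()
    return {"src": src_ip, "dst": dst_ip, "ttl": ttl, "seq": seq,
            "icv": _icv(sa.auth_key, _ah_covered(src_ip, dst_ip, seq, payload)),
            "payload": payload}


def ah_verify(sa, pkt):
    expected = _icv(sa.auth_key, _ah_covered(pkt["src"], pkt["dst"], pkt["seq"], pkt["payload"]))
    if not hmac.compare_digest(expected, pkt["icv"]):
        return False
    return sa.accept_seq(pkt["seq"])


# ---- Encapsulating Security Payload: header | IV | ciphertext(payload+trailer) | ICV ----
def _keystream(key, iv, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_protect(sa, payload):
    seq = sa.next_seq()
    header = struct.pack("!II", sa.spi, seq)            # SPI selects the SA at the receiver
    iv = os.urandom(BLOCK)
    pad_len = (-(len(payload) + 2)) % BLOCK              # trailer = padding, pad_len, next_hdr
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_TCP])
    plaintext = payload + trailer
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(sa.enc_key, iv, len(plaintext))))
    return header + iv + ciphertext + _icv(sa.auth_key, header + iv + ciphertext)


def esp_unprotect(sa, packet):
    """Check the ICV first, then replay, then decrypt; None means 'drop'."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(_icv(sa.auth_key, body), icv):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi or not sa.accept_seq(seq):
        return None
    iv, ciphertext = body[8:8 + BLOCK], body[8 + BLOCK:]
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(sa.enc_key, iv, len(ciphertext))))
    pad_len = plaintext[-2]
    return plaintext[:len(plaintext) - 2 - pad_len]
```

Two design points carry over to real implementations: the receiver verifies the ICV before touching the sequence number or the ciphertext, so a forged packet cannot disturb the replay window, and the AH check still passes after a router has decremented the TTL because that field is deliberately left out of the covered data.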

Security Associations (SAs)
A security association (SA) defines the mechanisms that an endpoint will use to communicate with its partner. All SAs cover transmissions in one direction only. A second SA must be defined for two-way communication. Mechanisms that are defined in the SA include the encryption and authentication algorithms and whether to use the AH or ESP protocol. Deferring the mechanisms to the SA, as opposed to specifying them in the protocol, allows the communicating partners to use the appropriate mechanisms based on situational risk.

Transport Mode and Tunnel Mode
Endpoints communicate with IPSec using either transport or
tunnel mode.
In transport mode, the IP payload is protected. This mode is
mostly used for end-to-end protection, for example, between
client and server.
In tunnel mode, the IP payload and its IP header are protected. The entire protected IP packet becomes the payload of a new IP packet and header. Tunnel mode is often used between networks, such as with firewall-to-firewall VPNs.

Internet Key Exchange (IKE)


Internet key exchange (IKE) allows two devices to “exchange” symmetric keys for use in encrypting with AH or ESP. There are two ways to “exchange” keys:
1. Use a Diffie-Hellman (DH) style negotiation
2. Use public key certificates
DH would be used between devices like routers. Public key
certificates would be used in an end user VPN connection.
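The Diffie-Hellman style negotiation named above, as an added example (not code from the (ISC)2 guide or from an IKE implementation): each peer keeps a private exponent, publishes g^x mod p, and both arrive at the same g^xy mod p, from which the seed for the AH/ESP keys is derived with a pseudo-random function. The modulus here is a toy 127-bit Mersenne prime chosen so the block runs instantly and is an assumption of the example; real IKE uses the RFC 3526 MODP groups (2048 bits and up) or elliptic-curve groups. The seed formula prf(Ni | Nr, g^ir) is the one IKEv2 (RFC 7296) defines; the per-direction key expansion below is a simplified stand-in for its prf+ construction.

```python
"""Diffie-Hellman style key agreement of the kind IKE performs, plus derivation
of the seed from which the AH/ESP keys are drawn.

Added example, not from the (ISC)2 guide or an IKE implementation. The prime
is a toy 127-bit Mersenne prime (NOT an IKE group); real IKE uses the MODP
groups of RFC 3526 or elliptic-curve groups.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1      # toy modulus, constructed for the example
G = 5               # toy generator


class IkePeer:
    def __init__(self):
        self.private = secrets.randbelow(P - 3) + 2     # 2 .. P-2, never leaves this host
        self.public = pow(G, self.private, P)           # g^x mod p, sent in the clear
        self.nonce = secrets.token_bytes(16)            # Ni or Nr, also sent in the clear

    def shared_secret(self, peer_public):
        """g^xy mod p. Reject 0, 1 and p-1: they would force a trivial shared secret."""
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid DH public value")
        return pow(peer_public, self.private, P)


def skeyseed(ni, nr, g_ir):
    """SKEYSEED = prf(Ni | Nr, g^ir), with HMAC-SHA-256 as the prf (RFC 7296 formula)."""
    secret_bytes = g_ir.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(ni + nr, secret_bytes, hashlib.sha256).digest()


def derive_keys(seed, n_keys, key_len=32):
    """Expand the seed into separate keys (e.g. SK_ai, SK_ar, SK_ei, SK_er), one per
    purpose and direction; simplified stand-in for IKEv2's prf+ expansion."""
    return [hmac.new(seed, bytes([i]), hashlib.sha256).digest()[:key_len]
            for i in range(1, n_keys + 1)]


def run_exchange(initiator, responder):
    """Both sides compute the seed from what they sent and what they received."""
    seed_i = skeyseed(initiator.nonce, responder.nonce,
                      initiator.shared_secret(responder.public))
    seed_r = skeyseed(initiator.nonce, responder.nonce,
                      responder.shared_secret(initiator.public))
    return seed_i, seed_r


if __name__ == "__main__":
    i, r = IkePeer(), IkePeer()
    seed_i, seed_r = run_exchange(i, r)
    print("seeds match:", seed_i == seed_r)
    print("AH/ESP keys:", [k.hex()[:16] for k in derive_keys(seed_i, 4)])
```

The exchange by itself only guarantees that the two parties who ran it share a secret; it is the certificate (or pre-shared key) authentication the text mentions that binds the public values to the intended peers, which is why IKE never runs the DH step alone.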

Secure Socket Layer (SSL) Virtual Private Network (VPN)

SSL VPNs are another approach to remote access. Instead of building a VPN around IPSec and the network layer, SSL VPNs leverage SSL/TLS to create a tunnel back to the home office. SSL 3.0 (Secure Socket Layer) and TLS 1.2 (Transport Layer Security) are essentially fully compatible, with SSL being a session encryption tool originally developed by Netscape and TLS 1.2 being the open standard IETF version of SSL 3.0. SSL and TLS use public key certificates to authenticate each other through mutual authentication.

Remote users employ a web browser to access applications that are in the organization’s network. Even though users employ a web browser, SSL VPNs are not restricted to applications that use HTTP. With the aid of plug-ins, such as Java, users can have access to back-end databases, and other non-web-based applications. SSL VPNs have several advantages over IPSec. They are easier to deploy on client workstations than IPSec because they require a web browser only, and almost all networks permit outgoing HTTP. SSL VPNs can be operated through a proxy server. In addition, applications can restrict users’ access based on criteria, such as the network the user is on, which is useful for building extranets with several organizations.

Tunneling Firewalls and Other Restrictions
Control of HTTP tunneling can happen on the firewall or the proxy server. It should, however, be noted that in the case of peer-to-peer protocols, this would require a “deny by default” policy. Blocking instant messaging without providing a legitimate alternative is not likely to foster user acceptance and might give users an incentive to use even more dangerous workarounds. It should also be noted that inbound file transfers can also result in circumvention of policy or other restrictions in place, allowing malware to spread.
An effective countermeasure can be found in active antivirus scanning on the client, which should be enabled anyway.

Case: Network Security Incident Mitigation

To accomplish the next exercise, we will work in small groups.

Part I (5 min)
Each person will briefly (1 min or less) relate a current event/incident connected to communication and network security of a system they are familiar with. The team should choose a single critical incident from the events related to use for Part II.

Part II (10 min)
The group will take the critical event and produce two or three threats executed on a vulnerability from the case and the appropriate countermeasure that would have prevented it. Reference Modules 2–9.

400 Domain 4: Communication and Network Security

Case worksheet (complete during Part II):
Technology | Utilization | Threats | Countermeasures

Instructor note (PPT, Case: Network Security Incident Mitigation, continued): Introduce and frame the case Network Security Incident Mitigation.


Module 12: Domain Review

Domain Summary

Solid understanding of the elements that comprise communication and network security, coupled with an accurate measure of business needs, leads to a meaningful approach to protection. Keeping abreast of ever-changing attack surfaces and continuous monitoring of emerging threats will enhance the approach to communication and network security.

Instructor note (PPT, Domain Review): Engage participants in a review of key information from this domain by discussing this scenario-based set of questions and answers. Question slides are immediately followed by the answer slide.

Instructor note (PPT, Domain Summary): Participate in review of key elements from the domain on communication and network security.


Domain Review Questions

Instructor note (PPT, Domain Review Questions): Participate in review of key elements from the domain on communication and network security.

1. A system user is sending an instruction from their source node to a destination node. The instruction tells the receiving station to create space for incoming fragments that are not equivalent to the actual fragment size. What is happening?
A. A normal process of fragmentation
B. Anvil attack
C. Teardrop attack
D. Level attack

2. At what layer of the Open Systems Interconnection (OSI) model does the Address Resolution Protocol (ARP) resolve?
A. Layer 2 Data-Link Layer
B. Layer 3 Network Layer
C. Layer 4 Transport Layer
D. Layer 5 Presentation Layer

3. A remote workstation is attempting to probe your workstation by means of port 79 (finger). What is the minimum technology that can be used to block this incursion?
A. Access control list (ACL)
B. Dynamic packet filtering
C. Next generation firewall
D. Web application firewall

4. Which Lightweight Directory Access Protocol (LDAP) attribute defines a portion of a directory access protocol name that can be resolved by Domain Name Service (DNS)?
A. Relative domain
B. Domain component
C. Organizational systems
D. Distinguished unit

5. You have inherited a version 1 Simple Network Management Protocol (SNMP) system. What is the primary risk associated with utilizing this version?
A. Unencrypted traffic
B. Routers rejecting “gets”
C. Switches rejecting “not”
D. Connecting to systems without authentication

6. A Smurf attack exploits the spoofed address of ________.
A. an attacker and an ICMP echo request
B. a victim and a UDP port 7 message
C. a victim and an ICMP echo request
D. a victim and an IGMP echo request

7. A malicious insider has accessed a workstation’s hosts file and, after pinging the website www.124.com, takes the IP address that is resolved and maps it to www.abz.com. What will happen when the user of the workstation attempts to resolve www.abz.com in their browser?
A. No website will resolve
B. www.124.com will resolve
C. www.abz.com will resolve
D. None of the above

8. How is distance-vector different from link-state routing protocols?
A. Distance-vector uses a more complex algorithm than link-state.
B. Link-state has a cost of zero only; distance-vector has a cost of one.
C. Distance-vector calculates cost based upon hop count; link-state can use bandwidth.
D. Distance-vector can use bandwidth to calculate cost; link-state uses hop count only.

9. Internet Group Management Protocol (IGMP) is used to ________.
A. send unicast messages
B. send multicast messages
C. send broadcast messages
D. send one to all messages

10. At what plane can you locate routers and switches in a software-defined network (SDN)?
A. Data-link and network plane
B. Data plane
C. Control plane
D. Application plane


Domain Review Answers

1. A system user is sending an instruction from their source node to a destination node. The instruction tells the receiving station to create space for incoming fragments that are not equivalent to the actual fragment size. What is happening?
A. A normal process of fragmentation
B. Anvil attack
C. Teardrop attack
D. Level attack
The correct answer is C. The teardrop attack exploits the fragmentation process at the destination station to place corrupt data into the fragmentation space.

2. At what layer of the Open Systems Interconnection (OSI) model does the Address Resolution Protocol (ARP) resolve?
A. Layer 2 Data-Link Layer
B. Layer 3 Network Layer
C. Layer 4 Transport Layer
D. Layer 5 Presentation Layer
The correct answer is A. ARP resolves IP addresses to MAC addresses at Layer 2.

3. A remote workstation is attempting to probe your workstation by means of port 79 (finger). What is the minimum technology that can be used to block this incursion?
A. Access control list (ACL)
B. Dynamic packet filtering
C. Next generation firewall
D. Web application firewall
The correct answer is A. Access control lists define whether an IP address or port is allowed or denied into a network. Dynamic packet filtering and next generation firewalls are beyond the minimum technology necessary to prevent the attack.

4. Which Lightweight Directory Access Protocol (LDAP) attribute defines a portion of a directory access protocol name that can be resolved by Domain Name Service (DNS)?
A. Relative domain
B. Domain component
C. Organizational systems
D. Distinguished unit
The correct answer is B. A domain component is the only item that is an attribute of LDAP and that can be resolved by DNS.

5. You have inherited a version 1 Simple Network Management Protocol (SNMP) system. What is the primary risk associated with utilizing this version?
A. Unencrypted traffic
B. Routers rejecting “gets”
C. Switches rejecting “not”
D. Connecting to systems without authentication
The correct answer is D. A rogue user can simply connect to an SNMP v1 system by means of a public or private community string without need for authentication.

6. A Smurf attack exploits the spoofed address of ________.
A. an attacker and an ICMP echo request
B. a victim and a UDP port 7 message
C. a victim and an ICMP echo request
D. a victim and an IGMP echo request
The correct answer is C. A Smurf attack is an Internet Control Message Protocol (ICMP) echo request sent to the network broadcast address with the spoofed source address of the victim, causing all nodes to respond to the victim with an echo reply.

7. A malicious insider has accessed a workstation’s hosts file and, after pinging the website www.124.com, takes the IP address that is resolved and maps it to www.abz.com. What will happen when the user of the workstation attempts to resolve www.abz.com in their browser?
A. No website will resolve
B. www.124.com will resolve
C. www.abz.com will resolve
D. None of the above
The correct answer is B. Mapping an IP address to a domain name in the hosts file will cause the workstation’s browser to resolve that name to that IP address.

8. How is distance-vector different from link-state routing protocols?
A. Distance-vector uses a more complex algorithm than link-state.
B. Link-state has a cost of zero only; distance-vector has a cost of one.
C. Distance-vector calculates cost based upon hop count; link-state can use bandwidth.
D. Distance-vector can use bandwidth to calculate cost; link-state uses hop count only.
The correct answer is C. Distance-vector calculates cost based upon hop count; link-state can use bandwidth, availability, congestion, and hop count.

9. Internet Group Management Protocol (IGMP) is used to ________.
A. send unicast messages
B. send multicast messages
C. send broadcast messages
D. send one to all messages
The correct answer is B. IGMP is a multicast protocol.

10. At what plane can you locate routers and switches in a software-defined network (SDN)?
A. Data-link and network plane
B. Data plane
C. Control plane
D. Application plane
The correct answer is B. Routers and switches are in the data plane.

410 Domain 4: Communication and Network Security
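The fragment-offset abuse behind the teardrop answer (question 1) is something a hardened IP stack or an IDS can reject before reassembly. The following is an added illustration, not (ISC)2 code or any vendor’s implementation: it models each fragment as an (offset, length, more-fragments) record, as the glossary’s Teardrop entry describes the offset field, and reports overlaps, gaps, misaligned offsets and oversize datagrams. The fragment sets at the bottom are constructed for the example.

```python
"""Fragment-offset sanity check of the kind an IDS or a hardened IP
stack applies before reassembly. Added illustration, not (ISC)2 code;
the fragment records below are constructed for the example."""
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # largest IPv4 datagram, header included


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's data in the original datagram
    length: int   # bytes of data carried by this fragment
    more: bool    # "more fragments" flag (False on the last fragment)

    @property
    def end(self) -> int:
        return self.offset + self.length


def check_fragments(frags: list[Fragment]) -> list[str]:
    """Return a list of problems; an empty list means the set reassembles cleanly.

    Checks applied, in order:
      * offsets must be multiples of 8 (the IPv4 offset field counts 8-byte units)
      * no fragment may extend past the maximum datagram size
      * fragments must neither overlap nor leave gaps
      * only the final fragment may clear the more-fragments flag
    """
    problems = []
    for f in frags:
        if f.offset % 8:
            problems.append(f"offset {f.offset} is not a multiple of 8")
        if f.end > MAX_DATAGRAM:
            problems.append(f"fragment at {f.offset} extends past {MAX_DATAGRAM} bytes")
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for f in ordered:
        if f.offset < expected:
            # The teardrop condition: this fragment claims bytes that an
            # earlier fragment already supplied, so the reassembly buffer
            # receives a size that does not match the real fragment.
            problems.append(f"overlap: fragment at {f.offset} overlaps data up to {expected}")
        elif f.offset > expected:
            problems.append(f"gap: bytes {expected}-{f.offset} missing")
        expected = max(expected, f.end)
    if ordered and ordered[-1].more:
        problems.append("last fragment still has more-fragments set")
    if any(f.more is False for f in ordered[:-1]):
        problems.append("more-fragments cleared before the last fragment")
    return problems


# Constructed sets: a normal split of a 3460-byte payload, and an
# overlapping (teardrop-style) pair.
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 500, False)]
OVERLAPPING = [Fragment(0, 1480, True), Fragment(1000, 1480, False)]

if __name__ == "__main__":
    print("normal:", check_fragments(NORMAL) or "ok")
    print("overlapping:", check_fragments(OVERLAPPING) or "ok")
```

A real stack would apply the same checks per (source, destination, identification, protocol) tuple and drop the whole reassembly on the first overlap; logging the reason string gives the SOC a teardrop indicator without keeping any malformed data.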


Terms and Definitions

Address Resolution Protocol (ARP): Used at the Media Access Control (MAC) Layer to provide for direct communication between two devices within the same LAN segment.

Bit: Most essential representation of data (zero or one) at Layer 1 of the Open Systems Interconnection (OSI) model.

Bluetooth (Wireless Personal Area Network, IEEE 802.15): Bluetooth wireless technology is an open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs), and it has been integrated into many types of business and consumer devices.

Bridges: Layer 2 devices that filter traffic between segments based on Media Access Control (MAC) addresses.

Cellular Network: A radio network distributed over land areas called cells, each served by at least one fixed-location transceiver, known as a cell site or base station.

Code-division multiple access (CDMA): Every call’s data is encoded with a unique key, then the calls are all transmitted at once.

Concentrators: Multiplex connected devices into one signal to be transmitted on a network.

Content Distribution Network (CDN): A large distributed system of servers deployed in multiple data centers across the internet.

Dynamic or Private Ports: Ports 49152–65535. Whenever a service is requested that is associated with Well-Known or Registered Ports, those services will respond with a dynamic port.

Fibre Channel over Ethernet (FCoE): A lightweight encapsulation protocol that lacks the reliable data transport of the TCP layer.

Firewalls: Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.

Frame: Data represented at Layer 2 of the Open Systems Interconnection (OSI) model.

Global System for Mobiles (GSM): Each call is transformed into digital data that is given a channel and a time slot.

Internet Control Message Protocol (ICMP): Provides a means to send error messages and a way to probe the network to determine network availability.

Internet Group Management Protocol (IGMP): Used to manage multicasting groups, which are a set of hosts anywhere on a network that are listening for a transmission.

Multiprotocol Label Switching (MPLS): A wide area networking protocol that operates at both Layer 2 and 3 and does label switching.

OSI Layer 1: Physical layer.
OSI Layer 2: Data-link layer.
OSI Layer 3: Network layer.
OSI Layer 4: Transport layer.
OSI Layer 5: Session layer.
OSI Layer 6: Presentation layer.
OSI Layer 7: Application layer.

Network Function Virtualization (NFV): The objective of NFV is to decouple functions such as firewall management, intrusion detection, network address translation, or name service resolution away from specific hardware implementation into software solutions.

Internet Protocol (IPv4): The dominant protocol that operates at the Open Systems Interconnection (OSI) Network Layer 3. IP is responsible for addressing packets so that they can be transmitted from the source to the destination hosts.

Internet Protocol (IPv6): A modernization of IPv4 that includes a much larger address field: IPv6 addresses are 128 bits, which support 2^128 hosts.

Open Shortest Path First (OSPF): An interior gateway routing protocol developed for IP networks based on the shortest path first or link-state algorithm.

Packet: Representation of data at Layer 3 of the Open Systems Interconnection (OSI) model.

Packet Loss Concealment (PLC): A technique used in VoIP communications to mask the effect of dropped packets.

Point-to-Point Protocol (PPP): Provides a standard method for transporting multiprotocol datagrams over point-to-point links.

Port Address Translation (PAT): An extension to NAT to translate all addresses to one routable IP address and translate the source port number in the packet to a unique value.

Ping of Death: Exceeds maximum packet size and causes the receiving system to fail.

Ping Scanning: Network mapping technique in which, if a host replies to a ping, the attacker knows that a host exists at that address.

Registered Ports: Ports 1024–49151. These ports typically accompany non-system applications associated with vendors and developers.

Segment: Data representation at Layer 4 of the Open Systems Interconnection (OSI) model.

Session Initiation Protocol (SIP): Designed to manage multimedia connections.

Smurf: ICMP Echo Request sent to the network broadcast address with the spoofed address of a victim, causing all nodes to respond to the victim with an Echo Reply.

Software-defined networks (SDNs): Separate network systems into three components: raw data, how the data is sent, and what purpose the data serves. This involves a focus on data, control, and application (management) functions or “planes”.

Software Defined Wide Area Network (SD-WAN): An extension of the SDN practices to connect to entities spread across the internet to support WAN architecture, especially related to cloud migration.

Switches: Operate at Layer 2. A switch establishes a collision domain per port.

Transmission Control Protocol (TCP): Provides connection-oriented data management and reliable data transfer.

Teardrop Attack: Exploits the reassembly of fragmented IP packets through the fragment offset field, which indicates the starting position, or offset, of the data contained in a fragmented packet relative to the data of the original unfragmented packet.

Transport Control Protocol/Internet Protocol (TCP/IP) Model: Layering model structured into four layers (network interface layer, internet layer, transport or host-to-host layer, application layer).

User Datagram Protocol (UDP): The User Datagram Protocol provides connectionless data transfer without error detection and correction.

Virtual Local Area Networks (VLANs): Allow network administrators to use switches to create software-based LAN segments that can be defined based on factors other than physical location.

Voice over Internet Protocol (VoIP): A technology that allows you to make voice calls using a broadband internet connection instead of a regular (or analog) phone line.

Well-Known Ports: Ports 0–1023 are related to the common protocols that are utilized in the underlying management of the Transport Control Protocol/Internet Protocol (TCP/IP) system, Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), etc.

Whitelisting/blacklisting: A whitelist is a list of email addresses and/or internet addresses that someone knows as “good” senders. A blacklist is a corresponding list of known “bad” senders.

Wi-Fi (Wireless LAN, IEEE 802.11x): Primarily associated with computer networking, Wi-Fi uses the IEEE 802.11x specification to create a wireless local-area network, either public or private.

WiMAX (Broadband Wireless Access, IEEE 802.16): One well-known example of wireless broadband is WiMAX. WiMAX can potentially deliver data rates of more than 30 megabits per second.


Course Agenda
Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security

Instructor note (PPT, Course Agenda, 2 slides).

Instructor note (PPT, Identity and Access Management (IAM)): Introduce the participants to the “Identity and Access Management (IAM)” domain.

Instructor note (PPT, Domain Objectives, 2 slides): Objectives for the “Identity and Access Management (IAM)” domain.

Domain 5: Identity and Access Management (IAM)

Overview
Identity and access management (IAM) is core to maintaining confidentiality, integrity, and availability of assets and resources that are critical to business survival and function. Central to maintaining protection of business-critical assets is the ability to name, associate, and apply suitable identity and access control methodologies and technologies that meet specific business needs.

Domain Objectives
After completing this domain, the participant will be able to:
1. Identify standard terms for applying physical and logical access controls to environments related to their security practice.
2. Apply physical and logical access controls to environments with relation to the (environment’s or access controls’) security practice.


3. Define the process of user and systems access review.
4. Apply the appropriate control types/categories for provisioning and deprovisioning of identities.
5. Classify various identification, authentication, and authorization technologies for use in managing people, devices, and services.
6. Differentiate the languages and protocols that are related to roles and systems that support federation.
7. Select the appropriate technologies and protocols for establishing a federated environment that satisfies business requirements.
8. Appraise various access control models to meet business security requirements.
9. Name the significance of accountability in relationship to identification, authentication, and auditing.

Instructor note (PPT, Domain Objectives, 2 slides, continued): Objectives for the “Identity and Access Management (IAM)” domain.


Domain Agenda

Module | Name
1 | Control Physical and Logical Access to Assets
2 | Identity and Access Provisioning Lifecycle
3 | Identification and Authentication of People, Devices, and Services
4 | Identity Management Implementation
5 | Implement and Manage Authorization Mechanisms
6 | Accountability
7 | Domain Review

Instructor note (PPT, Domain Agenda, 2 slides): Review the domain agenda.


Module 1: Control Physical and Logical Access to Assets

Module Objectives
1. Identify standard terms for applying physical and logical access controls to environments related to their security practice.
2. Apply physical and logical access controls to environments with relation to the (environment’s or access controls’) security practice.

Instructor note (PPT, Control Physical and Logical Access to Assets): Introduce the participants to the “Control Physical and Logical Access to Assets” module.

Instructor note (PPT, Module Objectives): Introduce the module objectives.


Information

Information and the administration of information is key to the management of individual and systemic access control systems. Information can be associated with both logical and physical access control systems. Whether it is a logical or physical access system, the control of that system is maintained somewhere as discrete data and/or information. The management of information related to physical and logical access is accomplished in three primary ways, namely: centralized, decentralized, and hybrid.

Centralized: Centralized administration means that one element is responsible for configuring access controls so that users can access data and perform the activities they need to. As users’ information processing needs change, their access can be modified only through central administration, usually after requests have been approved through an established procedure and by the appropriate authority. The main advantage of centralized administration is that very strict control over information can be maintained because the ability to make changes resides with very few persons. Each user’s account can be centrally monitored, and closing all access for any user can be easily accomplished if that individual leaves the organization. Consistent and uniform procedures and criteria are usually not difficult to enforce, since relatively few individuals oversee the process.

Decentralized: In contrast to centralized administration, decentralized administration means that access to information is controlled by the owners or creators of the files, whoever or wherever those individuals may be. An advantage of decentralized administration is that control is in the hands of the individuals most accountable for the information, most familiar with it, and best able to judge who should be able to do what in relation to it. One disadvantage, however, is that there may not be consistency among creators/owners as to procedures and criteria for granting user access and capabilities. Another disadvantage is that when requests are not processed centrally, it may be more difficult to form a system-wide view of all user access on the system at any given time. Different data owners may inadvertently implement combinations of access that introduce conflicts of interest or that are in some way not in the organization’s best interest. It may also be difficult to ensure that access is properly terminated when an employee transfers within, or leaves, an organization.

Hybrid: In a hybrid approach, centralized control is exercised for some information and decentralized control is allowed for other information. One typical arrangement is that central administration is responsible for the broadest and most basic access, and the creators/owners of files control the types of access or users’ abilities for the files under their control. For example, when a new employee is hired into a department, a central administrator might provide the employee with a set of access rights, perhaps based on the functional element they are assigned to, job classification, and the specific task the employee was hired to work on. The employee might have read-only access to an organization-wide SharePoint document library and to project status report files, but read and write privileges to his department’s weekly activities report. Also, if the employee left a project, the project manager can easily close that employee’s access to that file.

Instructor note (PPT, Systems): Explain key systems that define identity and access management (IAM).
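The hybrid arrangement just described can be made concrete in code: one central administrator provisions accounts and baseline rights by job classification and is the only party able to disable an account, while each file owner maintains the access list for their own file. The following is an added illustration, not (ISC)2 code or any product’s API; the users, classifications, resource names and the sequence of events are constructed to follow the new-hire example in the text.

```python
"""Hybrid access administration modelled in code: a central
administrator grants baseline access by job classification and is the
only party that can disable an account; file owners grant additional
per-file rights. Added illustration, not (ISC)2 code; users, roles and
file names are constructed for the example."""
from dataclasses import dataclass, field

# --- Centralized part: baseline rights by job classification (assumed)
BASELINE_RIGHTS = {
    # job classification -> {resource: set of permissions}
    "analyst": {"org-library": {"read"}, "project-status": {"read"}},
    "manager": {"org-library": {"read"}, "project-status": {"read", "write"}},
}


@dataclass
class Account:
    user: str
    classification: str
    enabled: bool = True  # only central administration flips this


@dataclass
class CentralAdmin:
    accounts: dict[str, Account] = field(default_factory=dict)

    def provision(self, user: str, classification: str) -> Account:
        if classification not in BASELINE_RIGHTS:
            raise ValueError(f"unknown classification {classification!r}")
        acct = Account(user, classification)
        self.accounts[user] = acct
        return acct

    def terminate(self, user: str) -> None:
        """Close all access in one place; owner-granted rights become moot."""
        self.accounts[user].enabled = False


# --- Decentralized part: each resource owner manages their own ACL
@dataclass
class OwnedResource:
    name: str
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, actor: str, user: str, perms: set[str]) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        self.acl.setdefault(user, set()).update(perms)

    def revoke(self, actor: str, user: str) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        self.acl.pop(user, None)


def effective_permissions(admin: CentralAdmin, resources: dict[str, OwnedResource],
                          user: str, resource: str) -> set[str]:
    """Union of baseline and owner-granted rights, gated by account state."""
    acct = admin.accounts.get(user)
    if acct is None or not acct.enabled:
        return set()  # terminated or unknown: nothing, whatever the owners granted
    perms = set(BASELINE_RIGHTS[acct.classification].get(resource, set()))
    res = resources.get(resource)
    if res is not None:
        perms |= res.acl.get(user, set())
    return perms


def demo() -> dict[str, set[str]]:
    """Walk through the hire / owner-grant / terminate sequence from the text."""
    admin = CentralAdmin()
    admin.provision("alice", "analyst")
    admin.provision("bob", "manager")
    weekly = OwnedResource("dept-weekly-report", owner="bob")
    resources = {weekly.name: weekly}
    weekly.grant("bob", "alice", {"read", "write"})  # owner-managed extra rights
    snapshot = {
        "library": effective_permissions(admin, resources, "alice", "org-library"),
        "weekly": effective_permissions(admin, resources, "alice", weekly.name),
    }
    admin.terminate("alice")  # one central action closes everything
    snapshot["weekly_after_termination"] = effective_permissions(admin, resources, "alice", weekly.name)
    return snapshot


if __name__ == "__main__":
    for label, perms in demo().items():
        print(label, sorted(perms))
```

The point to notice is in `effective_permissions`: the owner’s ACL is consulted only after the central account check passes, which is what makes termination reliable in the hybrid model even though dozens of owners may hold grants for the departing user.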

Logical and Physical Access Control Systems

Access controls can be classified by either logical or physical systems. The simplest example of a physical access control system is a door that can be locked, limiting people to one side of the door or the other. A logical access control system is normally operational in an office network where users are allowed or not allowed to log in to a system to access data labeled with a classification by users granted a clearance.

Instructor note (PPT, Logical and Physical Access Control Systems): Note examples of physical and logical access control systems.

Access Controls and Administration

ISO/IEC 27000:2016(E) defines access control as a “means to ensure that access to assets is authorized and restricted based on business and security requirements.” These requirements will be formalized in the organizational policy that is pertinent to individual organizations. Two primary system types that form access controls are physical and logical. Each type requires administration that can have various degrees of involvement: from senior management regarding risk-based decisions concerning the organizational risk appetite and profile; from the data owner concerning “need-to-know,” “least privilege,” and asset value determination; and from the custodian concerning tool implementation to provide appropriate protection of the assets against disclosure, destruction, or alteration.

Logical Access Control Systems

The Federal Identity, Credential, and Access Management (FICAM) defines logical access control as: “An automated system that controls an individual’s ability to access one or more computer system resources such as a workstation, network, application, or database. A logical access control system requires validation of an individual’s identity through some mechanism such as a Personal Identification Number (PIN), card, biometric, or other token. It has the capability to assign different access privileges to different persons depending on their roles and responsibilities in an organization.”

Logical access control requires more complex and nuanced administration than physical. Before selection and implementation of the logical access control type, the data owner has classified and categorized the data. Categorizing the data will reveal the impact that would occur if there is disclosure, alteration, or destruction. Classifying the data will define the value of discrete assets and who should have access and authorization.

Logical access controls are often built into the operating system, or may be part of the “logic” of application programs or major utilities, such as database management systems (DBMS). They may also be implemented in add-on security packages that are installed into an operating system; such packages are available for a variety of systems, including PCs and mainframes. Additionally, logical access controls may be present in specialized components that regulate communications between computers and networks.

Instructor note (PPT, Logical and Physical Access Control Systems, continued): Note examples of physical and logical access control systems.

Instructor note (PPT, Devices): Review types of devices related to identity and access management (IAM).

Physical Access Control Systems (PACS)

Special Publication 800-53r4 defines physical access control as “An automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based on a set of authorization rules.”

Devices

There is a range of devices (systems or components, if logical) associated with logical and physical access control. Logical and physical access control devices include but are not limited to access tokens (hardware and software), keys, and cards.

Access Control Tokens

Access control tokens are available in many different technologies and in many different shapes. The information that is stored on the token is presented to a reader that reads the information and sends it to the system for processing. The token may have to be swiped, inserted, or placed on or near a reader. When the reader sends information to the system, it verifies that the token belongs to the system and identifies the token itself. Then, the system decides if access is to be granted or denied based upon the validity of the token for the point where it is read, based on time, date, day, holiday, or other condition used for controlling validation.

When biometric readers are used, the token or key is the user’s retina, fingerprint, hand geometry, voice, or whatever biological attribute is enrolled into the system. Most biometric readers also require a PIN to index the stored data on the sample readings of the biological attribute. Biometric systems can also be used to determine whether a person is already in a database, such as for social service or national ID applications.

Instructor note (PPT, Devices, continued): Review types of devices related to identity and access management (IAM).
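The token decision described above (does the token belong to this system, and is it valid at this reader on this day, at this time, holidays considered) is a short piece of logic. The following is an added illustration, not (ISC)2 code or any PACS vendor’s implementation; the site code, reader names, schedules, holiday calendar and enrolled tokens are all constructed for the example.

```python
"""Token validation at a PACS reader: the system checks that the token
belongs to it, then that the token is valid for this reader at this
time, day and date (holidays included). Added illustration, not (ISC)2
code; the site code, readers, schedules and holiday list are constructed."""
from dataclasses import dataclass
from datetime import date, datetime, time

SITE_CODE = 0x2A7  # assumed facility code encoded in every issued token

# Assumed holiday calendar for the facility.
HOLIDAYS = {date(2024, 12, 25), date(2025, 1, 1)}


@dataclass(frozen=True)
class Schedule:
    weekdays: frozenset[int]   # 0=Monday ... 6=Sunday
    start: time
    end: time
    holidays_allowed: bool = False

    def permits(self, at: datetime) -> bool:
        if at.date() in HOLIDAYS and not self.holidays_allowed:
            return False
        return at.weekday() in self.weekdays and self.start <= at.time() <= self.end


@dataclass(frozen=True)
class TokenRecord:
    token_id: int
    site_code: int
    expires: date
    access: dict[str, Schedule]  # reader name -> schedule during which it may open


BUSINESS_HOURS = Schedule(frozenset(range(0, 5)), time(7, 0), time(19, 0))
ALWAYS = Schedule(frozenset(range(0, 7)), time(0, 0), time(23, 59, 59), holidays_allowed=True)

# Constructed enrolment database keyed by token id.
TOKENS = {
    1001: TokenRecord(1001, SITE_CODE, date(2025, 12, 31),
                      {"lobby": BUSINESS_HOURS, "server-room": BUSINESS_HOURS}),
    1002: TokenRecord(1002, SITE_CODE, date(2025, 12, 31), {"lobby": ALWAYS}),
    1003: TokenRecord(1003, 0x111, date(2025, 12, 31), {"lobby": ALWAYS}),  # foreign site code
}


def decide(token_id: int, presented_site_code: int, reader: str, at: datetime) -> tuple[bool, str]:
    """Return (granted, reason) for a token presented at a reader."""
    rec = TOKENS.get(token_id)
    if rec is None:
        return False, "unknown token"
    # "verifies that the token belongs to the system": the site code must
    # match both what the reader received and what was enrolled.
    if presented_site_code != SITE_CODE or rec.site_code != SITE_CODE:
        return False, "token does not belong to this system"
    if at.date() > rec.expires:
        return False, "token expired"
    sched = rec.access.get(reader)
    if sched is None:
        return False, f"no access assigned for reader {reader!r}"
    if not sched.permits(at):
        return False, "outside permitted time/day or holiday"
    return True, "granted"


# Constructed presentations: (token id, site code read, reader, timestamp).
PROBES = [
    (1001, SITE_CODE, "server-room", datetime(2024, 11, 12, 9, 30)),  # Tuesday, in hours
    (1001, SITE_CODE, "server-room", datetime(2024, 11, 16, 9, 30)),  # Saturday
    (1001, SITE_CODE, "lobby", datetime(2024, 12, 25, 9, 30)),        # holiday
    (1002, SITE_CODE, "lobby", datetime(2024, 12, 25, 2, 0)),         # 24x7 token
    (1003, 0x111, "lobby", datetime(2024, 11, 12, 9, 30)),            # wrong site code
    (9999, SITE_CODE, "lobby", datetime(2024, 11, 12, 9, 30)),        # never enrolled
    (1001, SITE_CODE, "lobby", datetime(2026, 1, 5, 9, 30)),          # past expiry
]


def run_probes() -> list[tuple[bool, str]]:
    """Evaluate every constructed presentation in order."""
    return [decide(*p) for p in PROBES]


if __name__ == "__main__":
    for probe, result in zip(PROBES, run_probes()):
        print(probe[0], probe[2], probe[3].isoformat(), result)
```

The order of checks mirrors the text: ownership of the token by the system first, then the token’s own validity, then the reader- and time-specific conditions; each denial carries a distinct reason so the PACS log can distinguish a foreign card from an after-hours attempt.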

Facilities
Below is an example of how a physical access control system can be
PPT
applied to a specific entity or facility.
Case [5 Min.]:
Department of
Homeland Security
Define roles and systems
Case: Department of Homeland Security
related to the facilities 1. What distinct roles can you locate within the physical access
case study. control system (PACS) application’s four areas as described below?
What are general security roles that can be used as placeholders
for the PACS application roles?
2. Name the logical or physical systems that are described in the
PACS application described below?
3. What assumptions could you make about the nature of the
information related to identification in the PACS application cited
below?

Physical Access Control Systems (PACS) Applications


PACS applications used are divided into four areas that operate
independently at the direction of the PACS administrator:
• Identification: PACS requires an individual’s personally
  identifiable information (PII) so it can authorize physical access
  to the Department of Homeland Security’s (DHS) facilities. PACS
  sensors read the information on an individual’s personal identity
  verification (PIV) card to verify if the individual is authorized access.
• Visitor Management: Visitors and construction and service
  contractors who have not been issued a PIV card must be
  identified before being granted access.
• Parking Permit Management: The Office of the Chief
  Administrative Officer (OCAO) uses PACS to issue and track
  parking permits. OCAO personnel access PACS to determine
  if an individual is eligible to receive a parking permit. Upon
  issuance of the parking permit, OCAO personnel enter into
  PACS the name and email address of the permit holder, the
  permit number and type, issue date, and expiration date.
• Alarm Monitoring and Intrusion Detection: The PACS alarm
  monitoring application allows OCAO personnel to monitor the
  intrusion detection system (IDS). A record is created in PACS of
  all IDS alarm activations or other issues, such as communication
  and power failures. The IDS in PACS consists of sensors, lights,
  and other mechanisms through which the Office of the Chief
  Security Officer (OCSO) can detect the unauthorized intrusion
  of persons or devices. The only PII collected by the PACS IDS
  suite is the first and last name of the individual authorized to
  turn the alarm system on and off and the corresponding PIN
  which the individual inputs into the alarm keypad to
  activate or deactivate the alarm.

PPT
Case [5 Min.]: Department of Homeland Security (continued)
Define roles and systems related to the facilities case study.

426 Domain 5: Identity and Access Management (IAM)

Module 1: Control Physical and Logical Access to Assets 427

Official (ISC)2 CISSP Training Guide

Module 2: Identity and Access Provisioning Lifecycle

Module Objectives
1. Define the process of user and systems access review.
2. Apply the appropriate control types/categories for provisioning
   and deprovisioning of identities.

PPT
Identity and Access Provisioning Lifecycle
Introduce the participants to the “Identity and Access Provisioning
Lifecycle” module.

PPT
Module Objectives
Introduce the module objectives.

428 Domain 5: Identity and Access Management (IAM)


User Access Review

At the development of the enterprise security architecture, the
security architect will map business requirements to
technology-agnostic views or statements that enforce the security
policy and answer business goals throughout the organization. These
architectural views or statements are what provide guidance for
implementation of cohesive technology solutions that come from
specific design elements that are informed by the architecture.

Within the lifecycle of identity and access provisioning, it is
imperative that user access reviews are conducted on an ongoing
basis once an account has been created and provisioned. The
review will be based upon the business requirements that are
expressed within the enterprise security architecture. Scheduled
and regular user access reviews could reveal vulnerabilities that
might require the revocation, disablement, or deletion of
an account.

These occurrences are causes for revocation, disablement, or
deletion of user access:
• If a user is voluntarily or involuntarily terminated from an
  organization.
• If an account has been inactive for a period that surpasses
  the organizational policy.
• If the user account is no longer appropriate for the job
  description or role.
• If user account privileges have experienced unnecessary
  access aggregation.

PPT
User Access Review
Identify key elements and benefits of user access review.

PPT
System Account Access Review
Relate primary challenges of system account access review.

System Account Access Review


System accounts such as “administrator,” “sudo,” or “root”
accounts present an often-exploited vulnerability for attackers.
Breaking the obvious link between a user ID name and its function
can represent the first layer of defense against attackers.
Disconnecting the account name from the function is as simple as
renaming the account to something that looks more like a
traditional user name or a randomly generated name. In addition
to identifying an account by its name, an attacker could also
identify the account by other attributes, such as a system-assigned
static numeric ID. Therefore, “security by obscurity,” or only
renaming the system account, is insufficient due diligence to
protect such accounts from anything more than trivial exploitation efforts.

Module 2: Identity and Access Provisioning Lifecycle 429


Here are examples of built-in user accounts that are associated with a
Microsoft Windows system:
• SID: S-1-5-21domain-500
  Name: Administrator
  Description: A user account for the system administrator. By
  default, it is the only user account that is given full control over
  the system.
• SID: S-1-5-21domain-501
  Name: Guest
  Description: A user account for people who do not have
  individual accounts and does not require a password. By default,
  the Guest account is disabled.
• SID: S-1-5-21domain-512
  Name: Domain Admins
  Description: A global group whose members are authorized to
  administer the domain. By default, the Domain Admins group is a
  member of the Administrators group on all computers that have
  joined a domain, including the domain controllers. Domain
  Admins is the default owner of any object that is created by any
  member of the group.

PPT
System Account Access Review (continued)
Relate primary challenges of system account access review.
Current systems associate administrator privileges with individual users for
the duration that the privileges are required for a specific function and then
return the escalated privileges when the specific task is completed.
Some system accounts are predefined to be used as service accounts
and are not always recognized by the security subsystem, so they may
not be reviewable with the same views or calls as a traditional
“administrator” or “root” account. Service accounts may possess
extensive privileges within a computing system and behave as the
computing system within a network. Service accounts will often have
unabated access to and control of most system objects. In addition to the
wide-ranging access maintained by system accounts, the account itself
will often be active without any method of authentication and will not be
associated with any logged-on user account.
A compromised system account may yield access and information that
could make a system vulnerable to attack. Many service accounts do not
need as high a privilege level as is granted in the default configuration,
and if that is true of a system, then demoting the privileges to the least
level required would be an appropriate application of the principle of
least privilege.
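The four revocation triggers from the user access review section and the point that a renamed built-in account is still identifiable by its RID can be combined into one scripted review. The following Python is an added example written for this discussion; it is not code from (ISC)² or from Microsoft. The sample directory, the role-to-privilege baseline, the 90-day inactivity limit and the "1111-2222-3333" domain identifier inside each SID are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Relative identifiers (RIDs) of the built-in accounts quoted in the text.
# The RID is fixed by the system, so it still identifies the account after a rename.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins"}

# Constructed sample policy: the privileges each job role legitimately needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "analyst": {"read_reports"},
    "developer": {"read_reports", "deploy_staging"},
    "dba": {"read_reports", "db_admin"},
}


@dataclass
class Account:
    name: str
    sid: str
    app_role: str                # role the account was provisioned with
    hr_role: str                 # role HR currently records for the person
    privileges: Set[str]
    last_logon: Optional[date]   # None: the account has never logged on
    employed: bool = True


def rid_of(sid: str) -> int:
    """Return the trailing relative identifier (RID) of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def review_account(acct: Account, today: date,
                   inactivity_limit: timedelta = timedelta(days=90)) -> List[str]:
    """Return the review findings for one account; an empty list means no action."""
    findings = []
    if not acct.employed:
        findings.append("terminated")                # trigger: user left the organization
    if acct.last_logon is None or today - acct.last_logon > inactivity_limit:
        findings.append("inactive")                  # trigger: idle beyond policy
    if acct.app_role != acct.hr_role:
        findings.append("role-mismatch")             # trigger: no longer fits the job role
    if not acct.privileges <= ROLE_BASELINE.get(acct.app_role, set()):
        findings.append("privilege-aggregation")     # trigger: more rights than the role needs
    rid = rid_of(acct.sid)
    if rid in WELL_KNOWN_RIDS:                       # built-in account, whatever its name
        label = "builtin" if acct.name == WELL_KNOWN_RIDS[rid] else "renamed-builtin"
        findings.append(f"{label}:{WELL_KNOWN_RIDS[rid]}")
    return findings


def review_all(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    return {a.name: review_account(a, today) for a in accounts}


# Constructed sample directory; "1111-2222-3333" stands in for a real domain identifier.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "S-1-5-21-1111-2222-3333-1105", "analyst", "analyst",
            {"read_reports"}, date(2024, 5, 20)),
    Account("asmith", "S-1-5-21-1111-2222-3333-1106", "developer", "dba",
            {"read_reports", "deploy_staging"}, date(2024, 5, 1)),
    Account("bjones", "S-1-5-21-1111-2222-3333-1107", "analyst", "analyst",
            {"read_reports", "db_admin"}, date(2024, 1, 3)),
    Account("tmiller", "S-1-5-21-1111-2222-3333-1108", "analyst", "analyst",
            {"read_reports"}, None, employed=False),
    Account("jsmith42", "S-1-5-21-1111-2222-3333-500", "dba", "dba",
            {"read_reports", "db_admin"}, date(2024, 5, 30)),
]


def run_sample(today: date = date(2024, 6, 1)) -> Dict[str, List[str]]:
    return review_all(SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(f"{name:10} {', '.join(findings) or 'ok'}")
```

Note that "jsmith42" looks like an ordinary user name but carries RID 500; the review reports it as the renamed Administrator account, which is exactly why renaming alone is not sufficient due diligence.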

430 Domain 5: Identity and Access Management (IAM)


Provisioning and Deprovisioning

Provisioning and deprovisioning of access and identities involves a list
of activities that are driven by business needs and requirements,
job function and role, asset classification and categorization, and
dynamic legal and regulatory issues. Users needing access to
system resources go through a process of provisioning that rightly
begins with the data/information owner expressing a business
need for the stated access.

Vulnerabilities that are readily ascribed to technology often have their
introduction by means of a lack of due care and due diligence related
to administrative controls. Identity and access management (IAM)
forms a lifecycle that begins with provisioning or enrollment, access
and consumption of resources, and finally deprovisioning or
revocation of access.

The Federal Identity, Credential, and Access Management (FICAM)
Roadmap and Implementation Guidance, section 4.7.1, As-is Analysis,
provides for three phases that manage the provisioning and
deprovisioning process:
• Provision a user account and apply user permissions
• Modify user permissions
• Deprovision user account and end user permissions

PPT
Provisioning and Deprovisioning
Define the key steps in provisioning and deprovisioning user accounts.

Process Flow
The as-is process flow for this use case is broken into three parts.
Part 1: Provision a user account and apply user permissions
1. An Individual completes a request for access to an
application and provides it to the individual responsible
for access approvals (hereafter referred to as the Privilege
Manager).
2. The Privilege Manager validates the Individual’s need for
access and provides the access request to the Application
Administrator.
3. The Application Administrator creates a user account for
the Individual in the application with the appropriate user
permissions.
4. The Application Administrator notifies the User of the
account creation.

Module 2: Identity and Access Provisioning Lifecycle 431


Official (ISC)2 CISSP Training Guide

Notes Part 2: Modify user permissions

Identity and Access 1. The User completes a request for a change in privileges.
Provisioning Lifecycle
2. The Privilege Manager validates the User’s need for access and
provides the access request to the Application Administrator.
PPT 3. The Application Administrator updates the User’s access
Provisioning and permissions in the application.
Deprovisioning
(continued)
4. The Application Administrator notifies the User of the permission
change, often via phone, email, or another manual process.
Define the key steps
in provisioning and Part 3: Deprovision a user account
deprovisioning users
accounts. 1. The Privilege Manager notifies the Application Administrator that
the User no longer requires access to the application.
2. The Application Administrator removes the access permissions
PPT
and the User account from the application.
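The three parts of the as-is process flow above can be expressed as a small workflow in which each role can only perform its own step, in order. The Python below is an added example for this discussion, not code from FICAM or (ISC)²; the application, the names "pm.lee", "admin.ng" and "alice", and the permission names are constructed. Beyond what the flow states, it enforces two controls a reviewer would look for: the administrator cannot act on a request the Privilege Manager has not approved, and a Privilege Manager cannot approve their own request.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


class WorkflowError(Exception):
    """Raised when a step is attempted out of order or by the wrong role."""


@dataclass
class AccessRequest:
    request_id: int
    subject: str            # the Individual/User who needs access
    requested_by: str
    permissions: Set[str]
    approved_by: str = ""   # filled in by the Privilege Manager


@dataclass
class Application:
    """Constructed stand-in for the target application and its account store."""
    privilege_managers: Set[str]
    administrators: Set[str]
    accounts: Dict[str, Set[str]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)
    next_id: int = 1

    # Step 1 of Parts 1 and 2: the request is recorded before anything else happens.
    def submit_request(self, requester: str, subject: str, permissions: Set[str]) -> AccessRequest:
        req = AccessRequest(self.next_id, subject, requester, set(permissions))
        self.next_id += 1
        self.audit_log.append(f"{requester} requested {sorted(permissions)} for {subject}")
        return req

    # Step 2: only a Privilege Manager validates the need, and never for their own request.
    def approve(self, manager: str, req: AccessRequest) -> None:
        if manager not in self.privilege_managers:
            raise WorkflowError(f"{manager} is not a Privilege Manager")
        if manager == req.requested_by:
            raise WorkflowError("a requester may not approve their own request")
        req.approved_by = manager
        self.audit_log.append(f"{manager} approved request {req.request_id}")

    # Step 3 of Part 1: the Application Administrator acts only on an approved request.
    def provision(self, admin: str, req: AccessRequest) -> str:
        self._require_approved(admin, req)
        if req.subject in self.accounts:
            raise WorkflowError("account already exists; use modify_permissions")
        self.accounts[req.subject] = set(req.permissions)
        self.audit_log.append(f"{admin} created account {req.subject}")
        return f"notify {req.subject}: account created"        # step 4

    # Step 3 of Part 2: same gate, but the account must already exist.
    def modify_permissions(self, admin: str, req: AccessRequest) -> str:
        self._require_approved(admin, req)
        if req.subject not in self.accounts:
            raise WorkflowError(f"no account for {req.subject}")
        self.accounts[req.subject] = set(req.permissions)
        self.audit_log.append(f"{admin} updated permissions for {req.subject}")
        return f"notify {req.subject}: permissions changed"     # step 4

    # Part 3: the Privilege Manager's notice comes first; the admin then removes
    # both the permissions and the account.
    def deprovision(self, manager: str, admin: str, subject: str) -> None:
        if manager not in self.privilege_managers:
            raise WorkflowError(f"{manager} is not a Privilege Manager")
        if admin not in self.administrators:
            raise WorkflowError(f"{admin} is not an Application Administrator")
        self.accounts.pop(subject, None)
        self.audit_log.append(f"{manager} notified removal of {subject}")
        self.audit_log.append(f"{admin} removed account {subject}")

    def _require_approved(self, admin: str, req: AccessRequest) -> None:
        if admin not in self.administrators:
            raise WorkflowError(f"{admin} is not an Application Administrator")
        if not req.approved_by:
            raise WorkflowError(f"request {req.request_id} has not been approved")


def run_example() -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]], List[str]]:
    """Drive Parts 1-3 for one user; return (accounts after Part 2, final accounts, audit log)."""
    app = Application(privilege_managers={"pm.lee"}, administrators={"admin.ng"})
    req = app.submit_request("alice", "alice", {"read"})                 # Part 1
    app.approve("pm.lee", req)
    app.provision("admin.ng", req)
    change = app.submit_request("alice", "alice", {"read", "write"})     # Part 2
    try:
        app.modify_permissions("admin.ng", change)     # attempted before approval
    except WorkflowError:
        app.audit_log.append("admin.ng blocked: request 2 not approved")
    app.approve("pm.lee", change)
    app.modify_permissions("admin.ng", change)
    after_modify = {k: set(v) for k, v in app.accounts.items()}
    app.deprovision("pm.lee", "admin.ng", "alice")                       # Part 3
    return after_modify, dict(app.accounts), app.audit_log


def self_approval_rejected() -> bool:
    """Separation of duties: a Privilege Manager cannot approve their own request."""
    app = Application(privilege_managers={"pm.lee"}, administrators={"admin.ng"})
    req = app.submit_request("pm.lee", "pm.lee", {"read"})
    try:
        app.approve("pm.lee", req)
        return False
    except WorkflowError:
        return True
```

The audit log is what makes the flow reviewable later: every step names the actor and the subject, so an access review can trace who requested, approved and implemented each permission.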
Activity: Identify the Roles and Control Types and
Categories of Provisioning and Deprovisioning
Working together in small teams, answer the questions below.
1. What additional controls (choose from the confidentiality,
   integrity, and availability (CIA) triad) could be added to the three
   phases of the process flow?
   a. Add control types
   b. Add control categories
2. What roles can you identify in the process flow (e.g., Custodian,
   Data Owner)?

PPT
Activity [5 Min.]: Identify the Roles and Control Types and
Categories of Provisioning and Deprovisioning
Select the appropriate control types/categories and roles for
provisioning and deprovisioning of user accounts.

432 Domain 5: Identity and Access Management (IAM)


Module 3: Identification and Authentication
of People, Devices, and Services

Module Objectives
1. Classify various identification, authentication, and
   authorization technologies for use in managing people,
   devices, and services.

PPT
Identification and Authentication of People, Devices, and Services
Introduce the participants to the “Identification and
Authentication of People, Devices, and Services” module.

PPT
Module Objectives
Introduce the module objectives.

Module 3: Identification and Authentication of People, Devices, and Services 433


Identification
The objective of identification is to bind a user to the appropriate controls
based on the unique user instance. For example, once the unique user is
identified and validated through authentication, his or her identity within the
infrastructure is used to allocate resources based on predefined privileges.

Identity Management Implementation
An identity represents the initial attribute in a linear succession of
attributes to protect access and use of a system. Providing an identity to
access a system is simply an assertion or claim of an entity. An assertion
or claim made by an entity should be followed by rigorous proof that
the entity’s claim is legitimate. The attributes that follow an identity to
prove out a legitimate claim are authentication, authorization, and
usually some form of accountability.
The downstream effect of proper identification includes accountability
with a protected audit trail and the ability to trace activities to individuals.
It also includes the provisioning of rights and privileges, system profiles,
and availability of system information, applications, and services.

PPT
Identity Management Implementation
Note the four elements of identity management implementation.

Single/Multi-Factor Authentication
Authentication within a system involves presenting evidence that an identified
entity should be allowed access through a control point. Standard evidence
for being allowed to log into a system includes three primary factors:
• Something you know, such as a password or PIN
• Something you have, such as a token or smart card
• Something you are or do, such as biometrics or a fingerprint

Single-factor authentication involves a user or entity providing one
type of evidence to support an assertion or claim for access to a system.
The factor could be related to something the entity knows, something
the entity has, something the entity is, or somewhere the entity is. One
factor or type of evidence can have multiple methodologies. As an
example, if an entity provided a password and a PIN that would be two
methodologies of the same factor (something you know); thus, these
two elements would be considered a single factor.
Multi-factor authentication involves an entity providing more than one
factor of proof of their identity. An example of this would be an entity
providing both a password and an iris scan to authenticate to a source.
Each factor of authentication may represent an additional hurdle that needs
to be overcome by the unauthorized. As the factors of authentication grow,
so do the layers of defense, that is, defense in depth. Multi-factor
systems may increase the complexity of systems management or
decrease or otherwise impact the productivity of the user attempting to
gain access to the system.

434 Domain 5: Identity and Access Management (IAM)
Burgeoning authentication methodologies include location and node.
Location authentication makes use of geo-location data that can allow
or disallow authentication from or to specific global locations. Service
providers such as Netflix and Amazon use location authentication to
protect against intellectual property content leakage or theft. Node
authentication allows for device-type recognition to be used as a
means of authentication. Examples of node authentication could
include a specific smartphone, laptop, desktop, etc.
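The single-factor versus multi-factor distinction above is easiest to see in code that verifies each piece of evidence and then counts the distinct factors it satisfied. The Python below is an added example, not code from (ISC)² or from any authenticator vendor. It goes beyond the text by implementing the "something you have" side as an RFC 4226/6238 one-time password (HOTP/TOTP) check, so the example can be run against the published RFC test vector; the user record, password, PIN and enrolment function are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional, Set

KNOW, HAVE = "something you know", "something you have"


def derive(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash for stored secrets (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class UserRecord:
    pw_salt: bytes
    pw_hash: bytes
    pin_salt: bytes
    pin_hash: bytes
    totp_secret: bytes   # shared with the user's authenticator device at enrolment


def enroll(password: str, pin: str, totp_secret: bytes) -> UserRecord:
    pw_salt, pin_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    return UserRecord(pw_salt, derive(password, pw_salt),
                      pin_salt, derive(pin, pin_salt), totp_secret)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (SHA-1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based variant: the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


def authenticate(rec: UserRecord, unix_time: int, password: Optional[str] = None,
                 pin: Optional[str] = None, code: Optional[str] = None) -> Set[str]:
    """Return the set of distinct factors the presented evidence satisfied."""
    factors = set()
    if password is not None and hmac.compare_digest(derive(password, rec.pw_salt), rec.pw_hash):
        factors.add(KNOW)
    if pin is not None and hmac.compare_digest(derive(pin, rec.pin_salt), rec.pin_hash):
        factors.add(KNOW)      # a PIN is a second method of the same factor, not a second factor
    if code is not None and verify_totp(rec.totp_secret, code, unix_time):
        factors.add(HAVE)
    return factors


def is_multifactor(factors: Set[str]) -> bool:
    return len(factors) >= 2


# Constructed demonstration; the TOTP secret is the RFC 6238 test-vector key.
DEMO_SECRET = b"12345678901234567890"


def demo(unix_time: int = 59) -> dict:
    rec = enroll("correct horse battery", "4321", DEMO_SECRET)
    current = totp(DEMO_SECRET, unix_time)
    return {
        "password+pin": is_multifactor(authenticate(rec, unix_time, "correct horse battery", pin="4321")),
        "password+totp": is_multifactor(authenticate(rec, unix_time, "correct horse battery", code=current)),
        "wrong password+totp": authenticate(rec, unix_time, "wrong", code=current),
    }
```

Because `authenticate` returns the factor categories rather than a bare yes/no, the caller can see that a correct password plus a correct PIN still yields only one factor, while a password plus a valid one-time code yields two.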

Biometrics
Biometric devices rely on measurements of biological characteristics
of an individual, such as a fingerprint, hand geometry, voice, or iris
patterns. Biometric technology involves data that is unique to the
individual and is difficult to counterfeit. Selected individual
characteristics are stored in a device’s memory, or on a card, which
stores reference data that can be analyzed and compared with the
presented template. A one-to-many or a one-to-one comparison of
the presented template with the stored template can be made and
access granted if a match is found.
However, on the negative side, some biometric systems may
periodically fail to perform, or have a high rejection rate. The
sensitivity of readers makes system readers susceptible to
inadvertent reader damage or intentional sabotage. Some systems
may be perceived by the user as a safety or health risk. Also, some
of the systems may require a degree of skill on the part of the user
for proper operation. Other systems may be perceived as
unacceptable by management for a combination of reasons.

Types of Failure in Biometric Identification
There are two types of failures in biometric identification:
False Rejection Rate (Type I): This is a failure to recognize a
legitimate user. While it could be argued that this effectively keeps
the protected area extra secure, it is an intolerable frustration to
legitimate users who are refused access because the scanner does
not recognize them.
False Acceptance Rate (Type II): This is erroneous recognition,
either by confusing one user with another, or by accepting an
imposter as a legitimate user. Failure rates can be adjusted by changing
the criteria for declaring an acceptance or rejection, but decreasing one
failure rate increases the other. The Crossover Error Rate (CER) is reached
when the Type I and Type II rates are equal.

Module 3: Identification and Authentication of People, Devices, and Services 435
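The trade-off between Type I and Type II errors, and the crossover point, can be computed from a matcher's scores for genuine and impostor attempts. The Python below is an added example for this section, not code from (ISC)² or from any biometric vendor; the two score lists are constructed sample data, and the threshold sweep in hundredths is an assumption of the example.

```python
from typing import List, Tuple

# Constructed matcher scores in [0, 1]: higher means the live sample looks more
# like the enrolled template. Genuine users should score high, impostors low.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.90, 0.78, 0.86, 0.60]
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.21, 0.66, 0.30, 0.58, 0.15, 0.74, 0.40]


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """Return (FRR, FAR) at a threshold where a sample is accepted when score >= threshold.
    FRR (Type I) = fraction of genuine attempts rejected;
    FAR (Type II) = fraction of impostor attempts accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine: List[float], impostor: List[float],
                         steps: int = 100) -> Tuple[float, float]:
    """Sweep thresholds from 0 to 1 and return (threshold, CER) where FRR and FAR are closest."""
    best_gap, best = None, (0.0, 1.0)
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_gap, best = gap, (t, (frr + far) / 2)
    return best


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float, steps: int = 100) -> Tuple[float, float]:
    """Lowest threshold whose FAR is at most `max_far`, together with the FRR paid for it.
    Tightening FAR this way is what pushes FRR up, as the text describes."""
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return 1.0, 1.0


if __name__ == "__main__":
    for t in (0.5, 0.67, 0.8):
        print(f"threshold {t}: (FRR, FAR) = {error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)}")
    print("crossover (threshold, CER):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR forced to 0 (threshold, FRR):",
          threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

With these sample scores a lenient threshold of 0.5 rejects no genuine user but accepts 30% of impostors, a strict threshold of 0.8 accepts no impostor but rejects 40% of genuine users, and the crossover sits at 0.67 with a CER of 10%.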

Biometric Readers
Biometric readers verify personal biological metrics of an individual. Biometric
readers may be used in addition to credential devices or a PIN code.
• Fingerprint: Fingerprint reader technology scans the loops, whorls,
  and other characteristics of a fingerprint and compares it with
  stored templates. When a match is found, access is granted. The
  advantage of fingerprint technology is that it is easily understood.
  The disadvantages are that the system can be disrupted if cuts or
  sores appear on fingers, or if grease or other medium contaminates
  the fingers and the scanning plates.
• Facial image: This technology measures the geometric
  properties of the subject’s face relative to an archived image.
  Specifically, the center of the subject’s eyes must be located and
  placed at precise locations.
• Hand geometry: This technology assesses the hand’s geometry:
  height, width, and distance between knuckle joints and finger
  length. Advantages of hand geometry are that the systems are
  durable and easily understood. The speed of hand recognition
  tends to be more rapid than fingerprint recognition. Hand
  recognition is reasonably accurate because the shape of a hand
  is unique. A disadvantage is that hand recognition tends to give
  higher false acceptance rates than fingerprint recognition.
• Voice recognition: Voice recognition compares the voice
  characteristics of a given phrase to one held in a template. Voice
  recognition is generally not performed as one function and is
  typically part of a system where a valid PIN must be entered
  before the voice analyzer is activated. Advantages of voice
  recognition are that the technology is less expensive than other
  biometric technologies, and it has hands-free operation. A
  disadvantage is that the voice synthesizer must be placed in an
  area where the voice is not disturbed by background sounds;
  often a booth or security portal must be installed to house the
  sensor to provide the system with a quiet background.
• Iris patterns: Iris recognition technology scans the surface of the
  eye and compares the iris pattern with stored iris templates. An
  advantage of iris recognition is that it is not susceptible to theft,
  loss, or compromise, and irises are less susceptible to wear and
  injury than many other parts of the body. Newer iris scanners
  allow scanning to occur from up to ten inches away. A
  disadvantage of iris scanning is that some people are timid
  about having their eye scanned. Throughput time for this
  technology also should be considered; typical throughput
  time is two seconds. If a number of people need to be
  processed through an entrance in a short period of time,
  this can be problematic.
• Retinal scanning: Retinal scanning analyzes the layer of
  blood vessels at the back of the eye, which are unique to
  each person. Scanning involves using a low-intensity LED light
  source and an optical coupler that can read the patterns with
  great accuracy. It does require the user to remove glasses,
  place the eye close to the device, and focus on a certain
  point. The user looks through a small opening in the device,
  and the head needs to be still and the eye focused for several
  seconds, during which time the device verifies identity. This
  process takes about ten seconds. The continuity of the retinal
  pattern throughout life and the difficulty in fooling such a
  device also makes it a great long-term, high-security option.
• Signature dynamics: First, the signer writes out a handwritten
  signature on a special electronic pad, such as the ePad by
  Interlink or a Palm Pilot. The shape of the signature is then
  electronically read and recorded, along with unique features,
  such as the pressure on the pen and the speed at which the
  signature was written, to identify the signer’s unique writing;
  for example, did the “t” get crossed from right to left and did
  the “i” get dotted at the very end. The advantage of signature
  dynamics is that it works like a traditional signature. Signers
  do not need special knowledge of computers nor any unusual
  tools to provide a signature. At the same time, the system
  allows the notary to record unique identifying features to help
  prevent and detect forged signatures.
• Vascular patterns: This is the ultimate palm reader; vascular
  patterns are best described as a picture of the veins in a
  person’s hand or finger. The thickness and location of these
  veins are believed to be unique enough to an individual to
  verify a person’s identity. The National Television Standards
  Committee (NTSC) Subcommittee on Biometrics reports that
  researchers determined that the vascular pattern of the human
  body is unique to each individual and does not change with age.
• Keystroke dynamics: Keystroke dynamics are also known as
  keyboard dynamics, which identify the way a person types at
  a keyboard; specifically, the keystroke rhythms of a user are
  measured to develop a unique template of the user’s typing
  pattern for future authentication. Raw measurements available
  from most keyboards can be recorded to determine dwell time, or
  the amount of time a particular key is held, and flight time, or the
  amount of time between the next key down and the next key up.

436 Domain 5: Identity and Access Management (IAM)

Module 3: Identification and Authentication of People, Devices, and Services 437

Authorization
Authorization defines what resources users may have access to.

Session Management
Session management is related to when a user is authenticated, authorized,
and held accountable for using system resources. The system must
maintain an uninterrupted path of protection of resources by means of
system management. The Open Web Application Security Project (OWASP)
Top 10 number 2 threat is broken authentication and session management.
RFC 2965 provides an example of how to maintain session management
with cookies. When a user accesses a website, the user’s actions and
identity are tracked across various requests from that website. The state of
these interactions is maintained in a session cookie. Evidence of this state is
maintained by linking all new connections across the entirety of a session to
the cookie. Cookie handling achieves non-repudiation, effectively
leveraging an audit trail of session activity.

PPT
Session Management
Explain the session management process.

PPT
Registration and Proofing of Identity
Relate the three levels of assurance for digital identities.
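The cookie described above should carry nothing more than an unguessable session identifier; the user's identity, privilege level and timestamps belong on the server. The Python below is an added example of such a server-side session store, not code from (ISC)², OWASP or RFC 2965; the cookie name, the 15-minute idle and 8-hour absolute timeouts, and the user names are assumptions of the example. It also shows two practices the paragraph implies but does not spell out: the session expires on inactivity or age, and the identifier is rotated when the session's privilege changes.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime, regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    privilege: str = "user"


class SessionStore:
    """Server-side session state keyed by an unguessable identifier.

    The cookie carries only the identifier; identity, privilege and timestamps
    stay on the server, so the client cannot alter them."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.audit: List[Tuple[float, str, str]] = []   # (time, user, event)

    @staticmethod
    def new_id() -> str:
        return secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG

    def create(self, user: str, now: float) -> str:
        """Called after the user has authenticated; returns the cookie value."""
        sid = self.new_id()
        self._sessions[sid] = Session(user, now, now)
        self.audit.append((now, user, "login"))
        return sid

    @staticmethod
    def cookie_header(sid: str) -> str:
        # Secure: HTTPS only; HttpOnly: unreadable from script; SameSite: not sent cross-site.
        return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def lookup(self, sid: str, now: float) -> Optional[Session]:
        """Resolve a cookie value to its session, expiring it if a timeout has passed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid, now, reason="expired")
            return None
        s.last_seen = now
        return s

    def elevate(self, sid: str, now: float) -> str:
        """Rotate the identifier when privilege changes, so an id captured earlier is useless."""
        s = self.lookup(sid, now)
        if s is None:
            raise PermissionError("no valid session")
        del self._sessions[sid]
        s.privilege = "admin"
        new_sid = self.new_id()
        self._sessions[new_sid] = s
        self.audit.append((now, s.user, "elevate"))
        return new_sid

    def destroy(self, sid: str, now: float, reason: str = "logout") -> None:
        s = self._sessions.pop(sid, None)
        if s is not None:
            self.audit.append((now, s.user, reason))

    def active_count(self) -> int:
        return len(self._sessions)


def absolute_timeout_enforced() -> bool:
    """An active user keeps the idle timer fresh; the absolute timer still ends the session."""
    store, t = SessionStore(), 0.0
    sid = store.create("bob", t)
    while t <= ABSOLUTE_TIMEOUT:
        t += 600                      # a request every 10 minutes, well inside IDLE_TIMEOUT
        if store.lookup(sid, t) is None:
            return t > ABSOLUTE_TIMEOUT
    return False
```

The audit list is the session-activity trail the text refers to: login, privilege change, logout and expiry are each recorded with the user and the time, which is what an investigator later needs.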

Registration and Proofing of Identity

Registration and proofing of an identity are processes that connect an
entity or user identity to an access control system that creates a
confirmed relationship of trust that an entity is who he or she claims to
be. The process of proving that a person is authentically the person that
is being claimed can be challenging and even serve as an opening for
impersonation. If a user is valid, there is also the threat that the user can
be a malicious or bad actor. Writing for the New Yorker, Peter Steiner
stated succinctly, “On the Internet no one knows that you are a dog.”
Herein lies the crux of the concern: balancing the needs of controlling
access to valued assets and the simplicity of registering and proofing
the credentials of the potential user of a system.
The Digital Identity Guidelines of NIST SP 800-63-3 contain
recommendations to support, among other items, requirements for
identity proofing and registration. These requirements are the following:
• Identity Assurance Level (IAL) refers to the identity proofing
  process. A category that conveys the degree of confidence that
  the applicant’s claimed identity is their real identity.

  Identity Assurance Levels
  IAL1: At IAL1, attributes, if any, are self-asserted or should be
  treated as self-asserted.
  IAL2: At IAL2, either remote or in-person identity proofing is required.
  IAL2 requires identifying attributes to have been verified in person or
  remotely, using, at a minimum, the procedures given in SP 800-63A.
  IAL3: At IAL3, in-person identity proofing is required. Identifying
  attributes must be verified by an authorized Credential Service
  Provider (CSP) representative through examination of physical
  documentation as described in SP 800-63A.
• Authenticator Assurance Level (AAL) refers to the
  authentication process.
• Federation Assurance Level (FAL) refers to the strength
  of an assertion in a federated environment, used to
  communicate authentication and attribute information (if
  applicable) to a relying party (RP).

438 Domain 5: Identity and Access Management (IAM)

PPT
Registration and Proofing of Identity (continued)
Relate the three levels of assurance for digital identities.

Credential Management Systems

NIST SP 800-63-3 describes a credential as a binding between an
authenticator and a subscriber by means of an identifier. The
credential may be collected and managed by the CSP, although it
is possessed by the claimant. Credential examples include but are
not limited to smart cards, private/public cryptographic keys, and
digital certificates. The FICAM Roadmap and Implementation
Guidance Version 2.0 within the U.S. federal government has the
following five-step enrollment process:
1. Sponsorship: An authorized entity sponsors a claimant for a
   credential with a CSP.
2. Enrollment: The sponsored claimant enrolls for the
   credentials from a CSP. This step would include identity
   proofing, which might include capture of biographic and
   biometric data.
3. Credential Production: Credentials are produced in the
   form of smart cards, private/public cryptographic keys, and
   digital certificates.
4. Issuance: The claimant is issued the credential.
5. Credential Lifecycle Management: Credentials are
   maintained through activities that include revocation,
   reissuance, re-enrollment, expiration, suspension, or
   reinstatement.

Module 3: Identification and Authentication of People, Devices, and Services 439


Module 4: Identity Management Implementation

Module Objectives
1. Differentiate the languages and protocols that are related to roles
   and systems that support federation.
2. Select the appropriate components for a federated environment
   relevant to business requirements.

PPT
Identity Management Implementation
Introduce the participants to the “Identity Management
Implementation” module.

PPT
Module Objectives
Introduce the module objectives.

440 Domain 5: Identity and Access Management (IAM)


Federated Identity Management (FIM)

When disparate organizations have a need to share common
information, federated identity management (FIM) solutions are
sought. Think of businesses that use social media platforms such as
Linkedin and Twitter but have different business models and
corporate goals and missions.

Twitter:
“Twitter is what’s happening in the world and what people are
talking about right now.”

Linkedin:
“Creating a digital map of the global economy to connect talent
with opportunity at massive scale.”

Although Linkedin and Twitter are markedly different in their
mission statements, they share a common customer base. The
common customers between Linkedin and Twitter may at times
want the information that is resident on one service provider
platform to appear automatically and synchronously on another
service provider platform.

PPT
Federated Identity Management (FIM)
Explain the justification for federated identity management and the
tools used.

Security Assertion Markup Language (SAML) and
Open Authorization (OAuth)
SAML and OAuth 2.0 are two protocols that support the access
and authorization that is required to link disparate organizations.
SAML defines an XML-based framework for describing and
exchanging security information between online business
relationships. This security information is maintained in SAML
assertions that work between trusted security domain boundaries.
The SAML standard follows a prescribed set of rules for requesting,
creating, communicating, and using SAML assertions.
SAML has three roles and four primary components.
SAML roles:
1. Identity provider (IdP)
2. Service provider / relying party
3. User/principal
SAML components:
1. Assumptions: defines how SAML attributes, authentication,
   and authorization request-response protocol messages
   can be exchanged between systems using common underlying
   communication protocols and frameworks.
2. Bindings: defines how SAML assertions and protocol message
   exchanges are conducted with response/request pairs.
3. Protocols: defines what protocols are used, which include SOAP
   and HTTP.
4. Profiles: defines specific sets of rules for a use case for attributes,
   bindings, and protocols for a SAML session.

PPT
Security Assertion Markup Language (SAML) Roles
Define the three roles connected to Security Assertion Markup
Language (SAML).

PPT
Security Assertion Markup Language (SAML) Components
Define the four components connected to Security Assertion
Markup Language (SAML).

Module 4: Identity Management Implementation 441

Internet Engineering Task Force (IETF) RFC 6749 states:
The Open Authorization (OAuth) 2.0 authorization framework enables
a third-party application to obtain limited access to an HTTP service,
either on behalf of a resource owner by orchestrating an approval
interaction between the resource owner and the HTTP service, or
by allowing the third-party application to obtain access on its
own behalf.
The OAuth standard has four roles:
1. Resource owner: An entity capable of granting access to a
   protected resource. When the resource owner is a person, the
   entity is referred to as an end-user.
2. Resource server: The server hosting the protected resources,
   capable of accepting and responding to protected resource
   requests using access tokens.
3. Client application: An application making protected resource
   requests on behalf of the resource owner and with its authorization.
   The term “client” does not imply any implementation characteristics
   (e.g., whether the application executes on a server, a desktop, or
   other devices).
4. Authorization server: The server issuing access tokens to the
   client after successfully authenticating the resource owner and
   obtaining authorization.

PPT
Open Authentication
Define the four roles associated with Open Authentication.

PPT
Integrate Identity Management as a Third-Party Service
Name the service options for third-party identity management.
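The four OAuth 2.0 roles above are easiest to keep apart when each is a separate component exchanging messages. The Python below is an added example that plays through the authorization-code grant with constructed names ("photo-printer", "alice", the redirect URI and the scope strings are all made up); it is not code from the IETF, from (ISC)² or from any OAuth library. The example also exercises three checks RFC 6749 expects of an implementation: the code is single use, the client must authenticate before a code is exchanged, and the resource server enforces both token expiry and scope.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Set, Tuple

ACCESS_TOKEN_TTL = 3600     # seconds; assumption of the example
AUTH_CODE_TTL = 60          # authorization codes are short-lived and single use


@dataclass
class AccessToken:
    owner: str
    client_id: str
    scope: Set[str]
    expires: float


class AuthorizationServer:
    """Role 4: authenticates the resource owner, records consent, issues tokens."""

    def __init__(self) -> None:
        self.clients: Dict[str, Tuple[str, str]] = {}   # client_id -> (secret, redirect_uri)
        self.codes: Dict[str, Tuple[str, str, Set[str], float]] = {}
        self.tokens: Dict[str, AccessToken] = {}

    def register_client(self, client_id: str, client_secret: str, redirect_uri: str) -> None:
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id: str, redirect_uri: str, owner: str,
                  consented_scope: Set[str], now: float) -> str:
        """Front channel: the owner (role 1) has logged in here and approved the scope;
        a code is released only to the redirect URI registered for the client."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise PermissionError("redirect_uri does not match the registration")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, owner, set(consented_scope), now + AUTH_CODE_TTL)
        return code

    def token(self, client_id: str, client_secret: str, code: str, now: float) -> str:
        """Back channel: the client (role 3) authenticates and trades the code for a token."""
        registered_secret, _ = self.clients[client_id]
        if not secrets.compare_digest(registered_secret, client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)          # pop: a code can be redeemed once
        if entry is None or entry[0] != client_id or now > entry[3]:
            raise PermissionError("invalid, expired or foreign authorization code")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = AccessToken(entry[1], client_id, entry[2], now + ACCESS_TOKEN_TTL)
        return access

    def introspect(self, access: str, now: float):
        t = self.tokens.get(access)
        return None if t is None or now > t.expires else t


class ResourceServer:
    """Role 2: serves protected resources only to a valid, sufficiently scoped bearer token."""

    def __init__(self, auth: AuthorizationServer, data: Dict[str, Dict[str, str]]) -> None:
        self.auth, self.data = auth, data             # data: owner -> {resource: value}

    def get(self, access: str, owner: str, resource: str, now: float) -> Tuple[int, str]:
        t = self.auth.introspect(access, now)
        if t is None or t.owner != owner:
            return 401, "invalid token"
        if f"{resource}:read" not in t.scope:
            return 403, "insufficient scope"
        return 200, self.data[owner][resource]


def run_flow() -> Dict[str, object]:
    """One authorization-code flow between the four roles, with constructed data."""
    auth = AuthorizationServer()
    auth.register_client("photo-printer", "s3cret", "https://printer.example/cb")
    rs = ResourceServer(auth, {"alice": {"photos": "3 holiday photos", "contacts": "2 entries"}})
    # Alice (resource owner) consents to photo access only.
    code = auth.authorize("photo-printer", "https://printer.example/cb", "alice",
                          {"photos:read"}, now=0)
    token = auth.token("photo-printer", "s3cret", code, now=5)
    results: Dict[str, object] = {
        "photos": rs.get(token, "alice", "photos", now=10),
        "contacts": rs.get(token, "alice", "contacts", now=10),     # outside consented scope
        "after_expiry": rs.get(token, "alice", "photos", now=ACCESS_TOKEN_TTL + 10),
    }
    try:
        auth.token("photo-printer", "s3cret", code, now=6)         # replaying the used code
        results["code_reuse"] = "accepted"
    except PermissionError:
        results["code_reuse"] = "rejected"
    return results
```

The resource owner never hands the client a password: the client only ever holds a scoped, expiring token that the authorization server can account for, which is the "limited access" the RFC quotation describes.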

Integrate Identity Management as a Third-Party Service
Gartner defines identity as a service (IDaaS) as, “a predominantly
cloud-based service in a multi-tenant or dedicated and hosted delivery
model that brokers core identity governance and administration (IGA),
access and intelligence functions to target systems on customers’
premises and in the cloud.”

442 Domain 5: Identity and Access Management (IAM)


Gartner states that the core aspects of IDaaS are:
• IGA: Provisioning of users to cloud applications and
password reset functionality.
• Access: User authentication, single sign-on (SSO), and
authorization, supporting federation standards such as SAML.
• Intelligence: Identity access log monitoring and reporting.

The modern convergence of various business needs (including
ubiquitous access to services, reduced sign-on effort, and broader
support for federation standards) has driven adoption of IDaaS.
These are some of the leading vendors in the IDaaS space that appear in
Gartner's Magic Quadrant:
• Centrify
• Okta
• Microsoft (Azure Active Directory, which can federate with an
on-premises Active Directory Federation Services (AD FS) deployment)

On-Premises
An organization can use its existing on-premises infrastructure, which
manages identities through an LDAP directory such as Windows Active
Directory, and connect it to a service provider so that its internal
identities are used to authenticate to services in the cloud. An example
of extending internal identity management to integrate with cloud
services is an enterprise Active Directory synchronized or federated
with Azure Active Directory (Microsoft's public cloud directory) in
order to consume Office 365. Office 365 is a service the enterprise
consumes as software as a service (SaaS); access is facilitated by
linking the enterprise directory to the provider's directory. While the
service is provided externally, the user IDs and passwords remain
managed internally, that is, on premises.

Cloud
If the previous scenario is instead handled by creating and storing the
identities within Office 365 and Azure Active Directory, then the
third-party identity service is managed completely in the cloud.

Activity (13 min.): Select the Appropriate Components for a Federated
Environment Linking Two or More Companies' Discrete Resources
As a team, reflect upon and discuss actual business needs within your
corporation. Each team should allow every participant to relate business
needs within each company. Instead of contributing to or jumping to a
conclusion on what the solution might be, each participant should ask
deeper questions of the presenter to uncover additional insights into the
environment. Expose assumptions by asking "why" a thing is so, or ask for
an example of a statement shared. Create a business case for utilizing
OAuth, SAML, or both. What are the actual business drivers? Also decide
whether the need should be met on premises or in the cloud, and why.
Create analogous connections between the roles in SAML and OAuth.


Module 5: Implement and Manage Authorization Mechanisms

Module Objectives
1. Appraise various access control models to meet business
security requirements.
Types of Access Control
NIST SP 800-192 describes access control models as "formal presentations
of the security policies enforced by AC systems, and are useful for proving
theoretical limitations of systems. AC models bridge the gap in abstraction
between policy and mechanism." The access control types addressed in
this module are discretionary access control (DAC), mandatory access
control (MAC), nondiscretionary access control (NDAC), role-based
access control (RBAC), rule-based access control (also abbreviated
RBAC; context distinguishes the two), and attribute-based access
control (ABAC). NIST SP 800-192 provides the definition for each of the
types of access control described below.

Discretionary Access Control (DAC)
DAC leaves a certain amount of access control to the discretion of the
object's owner or anyone else who is authorized to control the object's
access. The owner can determine who should have access rights to an
object and what those rights should be. DAC allows the greatest
flexibility in controls, and with it the greatest exposure: an owner can
grant rights to others, who may propagate them further, so control
weaknesses spread and contribute to access creep and privilege
aggregation. A Unix file mode or a Windows NTFS ACL set by the file's
owner is a typical DAC mechanism.

Mandatory Access Control (MAC)
MAC means that access control policy decisions are made by a central
authority and not by the individual owner of an object. Users cannot
change access rights. An example of MAC occurs in military security,
where an individual data owner does not decide who has a top-secret
clearance, nor can the owner change the classification of an object from
top-secret to secret.

Nondiscretionary Access Control (NDAC)
In general, all AC policies other than DAC are grouped under the
category of nondiscretionary AC (NDAC). As the name implies, policies
in this category have rules that are not established at the discretion of
the user. Nondiscretionary policies establish controls that cannot be
changed by users but only through administrative action.

Role-Based Access Control (RBAC)
RBAC is an access control policy that restricts information system access
to authorized users. Organizations can create specific roles based on
job functions and the authorizations (i.e., privileges) to perform needed
operations on organizational information systems associated with the
organization-defined roles. Permissions are attached to roles rather than
to individual users, and a user obtains permissions by being assigned to
a role. Depending on the implementation, role membership may be granted
by an owner, as with DAC, while the permissions bound to each role are
set centrally by policy, as with MAC.

Rule-Based Access Control (RBAC)
This is based upon a pre-defined list of rules that determine access
with additional granularity, such as when, where, and whether the
system will allow read, write, or execute based upon special conditions
(a firewall rule set or a time-of-day restriction on logins are typical
examples). Because the rules are defined and maintained by the system
owner or administrator rather than by the object's owner, rule-based
access control is generally treated as a nondiscretionary control, even
though it is often layered on top of a DAC system.

Attribute-Based Access Control (ABAC)
ABAC is an access control paradigm whereby access rights are
granted to users through policies that combine attributes. The
policies can use any type of attribute (subject attributes such as
department or clearance, resource attributes such as classification
or owner, action attributes, and environment attributes such as time
of day or network location), which makes ABAC the most fine-grained
of the models discussed here.
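To make the differences between the models concrete, the following Python is an added example (not code from the guide) that evaluates one access request under DAC, MAC, role-based, rule-based and attribute-based policies side by side. The users, objects, clearances, roles, the business-hours rule and the ABAC policy are constructed sample data chosen for this illustration.

```python
import datetime as dt

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

# Constructed sample subjects and objects (assumptions made for this example).
USERS = {
    "alice": {"clearance": "secret", "roles": {"analyst"}, "dept": "finance"},
    "bob": {"clearance": "confidential", "roles": {"auditor"}, "dept": "audit"},
}
OBJECTS = {
    "budget.xlsx": {"owner": "alice", "classification": "secret", "dept": "finance",
                    "acl": {"alice": {"read", "write"}, "bob": {"read"}}},
    "plans.doc": {"owner": "alice", "classification": "top-secret", "dept": "finance",
                  "acl": {"alice": {"read", "write"}}},
}
ROLE_PERMS = {"analyst": {"read", "write"}, "auditor": {"read"}}
OFFICE_HOURS = dt.datetime(2024, 3, 12, 10, 0)   # a Tuesday, 10:00
AFTER_HOURS = dt.datetime(2024, 3, 16, 23, 0)    # a Saturday, 23:00


def dac(user, obj, action):
    """Discretionary: the ACL maintained by the object's owner alone decides."""
    return action in OBJECTS[obj]["acl"].get(user, set())


def dac_grant(owner, obj, grantee, action):
    """Only the owner may extend the ACL; this is DAC's flexibility and its risk,
    because the owner can hand out rights the organisation never intended."""
    if OBJECTS[obj]["owner"] != owner:
        return False
    OBJECTS[obj]["acl"].setdefault(grantee, set()).add(action)
    return True


def mac(user, obj, action):
    """Mandatory: a central lattice of labels decides and owners cannot override.
    Read requires clearance >= classification; write requires clearance <=
    classification (no write-down), as in Bell-LaPadula."""
    c = LEVELS[USERS[user]["clearance"]]
    o = LEVELS[OBJECTS[obj]["classification"]]
    return c >= o if action == "read" else c <= o


def rbac(user, obj, action):
    """Role-based: permissions attach to roles, and users are assigned roles."""
    return any(action in ROLE_PERMS[r] for r in USERS[user]["roles"])


def rule_based(user, obj, action, now):
    """Rule-based: an administrator-defined condition (business hours,
    Mon-Fri 08:00-18:00) gates access regardless of owner or role."""
    return now.weekday() < 5 and 8 <= now.hour < 18


def abac(user, obj, action, now):
    """Attribute-based: a predicate over subject, object, action and environment
    attributes. Policy: same-department users may read during business hours;
    writes additionally require the 'analyst' role."""
    u, o = USERS[user], OBJECTS[obj]
    same_dept = u["dept"] == o["dept"]
    in_hours = rule_based(user, obj, action, now)
    if action == "read":
        return same_dept and in_hours
    return same_dept and in_hours and "analyst" in u["roles"]


def decide(user, obj, action, now):
    """Return every model's decision for one request so they can be compared."""
    return {
        "DAC": dac(user, obj, action),
        "MAC": mac(user, obj, action),
        "RBAC": rbac(user, obj, action),
        "Rule": rule_based(user, obj, action, now),
        "ABAC": abac(user, obj, action, now),
    }


if __name__ == "__main__":
    print(decide("bob", "budget.xlsx", "read", OFFICE_HOURS))
    dac_grant("alice", "plans.doc", "bob", "read")   # alice shares a top-secret file
    print(decide("bob", "plans.doc", "read", OFFICE_HOURS))  # MAC still says no
```

The second call in the main block is the point of the exercise: under DAC the owner can share plans.doc with Bob simply by editing the ACL, but under MAC Bob's confidential clearance does not dominate the top-secret label, so the central policy refuses regardless of what the owner did.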

Activity (13 min.): Select the Appropriate Access Control Type (Rule,
Role, Attribute, etc.) for Specific Business Needs
As a team, reflect upon and discuss actual business needs within
your corporation. Each team should allow every participant to relate
business needs within each company. Instead of contributing to or
jumping to a conclusion on what the solution might be, each
participant should ask deeper questions of the presenter to uncover
additional insights into the environment. Expose assumptions by
asking "why" a thing is so, or ask for an example of a statement
shared. Create a business case for utilizing the previously reviewed
access control methods. Use the best examples from each
participant for each method.
Module 6: Accountability

Module Objectives
1. Name the significance of accountability in relationship to
identification, authentication, and auditing.

Accountability
Ultimately, one of the drivers behind strong identification,
authentication, auditing, and session management is accountability.
Fundamentally, accountability is being able to determine who or
what is responsible for an action so that the responsible party can be
held to account. Accountability gives account management assurance that
only authorized users are accessing the system and that they are
using the system properly.

A closely related information assurance topic is non-repudiation.
Repudiation is the ability to deny an action, event, impact, or result.
Non-repudiation is the process of ensuring a user cannot credibly deny
an action. Accountability relies heavily on non-repudiation to ensure
users, processes, and actions may be held responsible. A primary
activity in establishing accountability is to log relevant accesses
and events within a system, to protect those logs from alteration, and
to have a process that includes log review and analysis.
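As an added example (not code from the guide), the Python below shows the two halves of that activity: it builds a hash-chained access log in which each entry commits to its predecessor, so a later edit to any entry is detectable, and it runs a simple review pass that flags access granted to users outside the authorized list and users with repeated denials. The event records and the authorized-user list are constructed sample data.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64   # hash "before" the first entry


def _entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash plus this record's canonical JSON."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()


def append(log, record):
    """Append a record; the stored hash chains it to the entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "hash": _entry_hash(prev, record)})


def verify(log):
    """Recompute the chain. Returns the index of the first broken entry, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["hash"] != _entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1


def review(log, authorized, max_denials=3):
    """Log-review step: who got in without being on the authorized list, and
    who is being denied repeatedly (a guessing or probing indicator)."""
    findings = {"unauthorized_success": set(), "repeated_denials": set()}
    denials = Counter()
    for entry in log:
        r = entry["record"]
        if r["result"] == "granted" and r["user"] not in authorized:
            findings["unauthorized_success"].add(r["user"])
        if r["result"] == "denied":
            denials[r["user"]] += 1
    findings["repeated_denials"] = {u for u, n in denials.items() if n >= max_denials}
    return findings


def build_sample_log():
    """Constructed sample events (not real data)."""
    log = []
    events = [
        ("09:01", "alice", "payroll.db", "read", "granted"),
        ("09:02", "mallory", "payroll.db", "read", "denied"),
        ("09:02", "mallory", "payroll.db", "read", "denied"),
        ("09:03", "mallory", "payroll.db", "read", "denied"),
        ("09:04", "svc_backup", "payroll.db", "read", "granted"),
        ("09:05", "alice", "payroll.db", "write", "granted"),
    ]
    for ts, user, obj, action, result in events:
        append(log, {"ts": ts, "user": user, "object": obj,
                     "action": action, "result": result})
    return log


def tamper(log, index, new_result):
    """Simulate an insider editing a past entry without recomputing the chain."""
    log[index]["record"]["result"] = new_result


if __name__ == "__main__":
    log = build_sample_log()
    print("first broken entry:", verify(log))              # -1 (chain intact)
    print(review(log, authorized={"alice", "svc_backup"}))
    tamper(log, 1, "granted")      # mallory tries to hide a denial
    print("first broken entry:", verify(log))              # 1
```

The chain only proves integrity relative to its latest hash, so that hash (or a periodic digest of it) must be kept somewhere the logging host's administrators cannot rewrite, such as a separate log collector or write-once storage; otherwise an attacker with write access to the log can simply recompute every hash after the edit, and non-repudiation is lost.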


Module 7: Domain Review

Domain Summary
Identity and access management (IAM) includes controls related to
physical and logical access to assets along with managing an identity
and access provisioning lifecycle. The essential elements of an access
provisioning lifecycle include a full range of items under system
management related to people, devices, and resources. Identification,
authentication, and authorization ensure that the right users are
accessing the system and that resources are being used correctly.


Domain Review Questions

1. What are the two primary types of access control systems, and
what is one way that access control systems are maintained?
A. Physical and network; due diligence
B. Deterrent and corrective; due care and due diligence
C. Integrity and availability; by as much security as can be
safely applied
D. Logical and physical; central administration of access control
systems

2. What actions specify enrolling and the opposite of enrolling
user IDs within an organization?
A. Identity creation and disposition
B. Disposition only
C. Creation only
D. Provisioning and deprovisioning

3. What are the three roles within Security Assertion Markup
Language (SAML)?
A. Identity provider, relying party, service provider
B. Identity provider, relying party, user
C. Identity provider, service provider, relative token
D. Attributes, principal, bindings

4. Name two roles related to Open Authorization (OAuth).
A. Resource provider, resource server
B. Resource provider, resource relying party
C. Authorization server, resource server
D. Authorization server, authorization owner

5. If an organization demanded that an enrolling party or claimant
present themselves in person to an enrolling agent to
authenticate their assertion of identity, what level of assurance
would they be providing according to NIST SP 800-63-3?
A. IAL1
B. IAL2
C. IAL3
D. None of the above

6. What provides assurance that a user of a system is consuming
resources as intended?
A. Accountability
B. Noninterference
C. Spoliation
D. Subsystem

7. How does system account review differ from user account review?
A. User account review is connected to systems, and system account
review is connected to users
B. User account and system account review are the same
C. User account review targets user IDs, and system account review
targets built-in administrative and other non-user ID accounts
D. None of the above

8. NIST Special Publication 800-53r4 defines a physical access control
system as an automated system that manages the passage of people or
assets through an opening(s) in a secure perimeter(s) based on a ______.
A. Audit and assurance
B. Scoping and tailoring
C. Guidelines and tailoring
D. Set of authorization rules

9. What is an appropriate reason to disable or revoke a user
account after a review?
A. A user is voluntarily terminated from an organization
B. An account has been inactive for a period that surpasses the
organizational policy
C. The user account is no longer appropriate for the job
description or role
D. All of the above

10. Your organization shares a customer base with another
organization that you partner with to provide a more complete
solution. You will not be sharing the customer user IDs or
passwords with your partner, so how will your partner allow your
customers to access their resources in a secure fashion?
A. They will not allow it because it is not ethical
B. Your organizations will use OAuth
C. XML will solve the needs related to the requirements
D. Set up two servers and exchange information in a sanitized
fashion


Official (ISC)2 CISSP Training Guide

Notes Domain Review Answers


Domain Review 1. What are the two primary types of access control systems, and what
is one way that access control systems are maintained?
A. Physical and network; due diligence
B. Deterrent and corrective; due care and due diligence
C. Integrity and availability; by as much security as can be safely
applied
D. Logical and physical; central administration of access control
systems
The correct answer is D. NIST SP 800-53 defines two primary access
control systems, logical and physical, and both are maintained by
administration and security policy. Due diligence and care are
overarching organizational postures and actions that aid in avoiding the
accusation of negligence and liability. Using as much security as can be
safely applied is not a prudent approach to security and doesn’t answer
the question. Integrity and availability are overarching tenants of
information security.

2. What actions specify enrolling and the opposite of enrolling user IDs
within an organization?
A. Identity creation and disposition
B. Disposition only
C. Creation only
D. Provisioning and deprovisioning
The correct answer is D. Identity creation is an activity that would be
included in provisioning, but the only correct answer is provisioning and
deprovisioning.

454 Domain 5: Identity and Access Management (IAM)


Instructor Edition

3. What are the three roles within Security Assertion Markup


Language (SAML)?
Notes
Domain Review
5
A. Identity provider, relying party, service provider

Identity and Access Management (IAM) Domain


B. Identity provider, relying party, user
C. Identity provider, service provider, relative token
D. Attributes, principal, bindings
The correct answer is B. Attributes and bindings are components of
SAML. Relative token is a distractor. Relying party is an alternate
term for a service provider.

4. Name two roles related to Open Authorization (OAuth).


A. Resource provider, resource server
B. Resource provider, resource relying party
C. Authorization server, resource server
D. Authorization server, authorization owner
The correct answer is C. There isn’t a resource provider owner in
OAuth, but there is a resource owner and server. There is also no
authorization owner.

5. If an organization demanded that an enrolling party or


claimant needed to present themselves in person at an
enrolling agent to authenticate their assertion to their identity,
what level of assurance would they be providing according to
NIST SP 800-63-3?
A. IAL1
B. IAL 2
C. IAL 3
D. None of the above
The correct answer is B. IAL2 is remote or in-person authentication
of an identity. IAL 1 is self-assertion. IAL 3 is assertion verified by a
credential service provider.

Module 7: Domain Review 455


Official (ISC)2 CISSP Training Guide

Notes 6. What provides assurance that a user of a system is consuming


resources as intended?
Domain Review
A. Accountability
B. Noninterference
C. Spoliation
D. Subsystem
The correct answer is A. Noninterference is a security model. Spoliation
is the destruction, concealment, or damaging of information.
Subsystems are low level systems that support operating systems.

7. How does system account review differ from user account review?
A. User account review is connected to systems, and system account
review is connected to users
B. User account and system account review are the same
C. User account review targets user IDs, and system account
review targets built-in administrative and other non-user ID
accounts
D. None of the above
The correct answer is C. User account reviews are related to regular IDs,
and system account reviews are connected to administrator IDs and
non-user IDs. Answer A is the inverse of the correct answer. Answers B
and D are not true.

456 Domain 5: Identity and Access Management (IAM)


Instructor Edition

8. Special Publications 800-53r4 defines physical access control


as an automated system that manages the passage of people
or assets through an opening(s) in a secure perimeter(s) based
Notes
Domain Review
5
on (a).

Identity and Access Management (IAM) Domain


A. Audit and assurance
B. Scoping and tailoring
C. Guidelines and tailoring
D. Set of authorization rules
The correct answer is D. Tailoring and scoping are used to apply a
set of controls within an environment that fit the internal
requirement utilizing specific controls. Auditing the controls would
provide assurance about the effectiveness of the controls.

9. What is an appropriate reason to disable or revoke a user


account after a review?
A. A user is voluntarily terminated from an organization
B. An account has been inactive for a period that surpasses the
organizational policy
C. The user account is no longer appropriate for the job
description or role
D. All of the above
The correct answer is D. Answers A through C are all correct
because these are appropriate reasons to disable or revoke a user
account, thus, the correct answer is D.

Module 7: Domain Review 457


Official (ISC)2 CISSP Training Guide

Notes 10. Your organization shares a customer base with another organization
that you partner with to provide a more complete solution. You
Domain Review will not be sharing the customer user IDs or passwords with your
partner, so how will your partner allow your customers to access their
resources in a secure fashion?
A. They will not allow it because it is not ethical
B. Your organizations will use OAuth
C. XML will solve the needs related to the requirements
D. Set up two servers and exchange information in a sanitized
fashion
The correct answer is B. Answers A and D are illogical, incorrect, and
don’t solve the requirements. XML is the underlying language used by
SAML and while SAML answers to the needs for federated security,
SAML wasn’t mentioned.

458 Domain 5: Identity and Access Management (IAM)


Instructor Edition

Terms and Definitions

Access control system: Means to ensure that access to assets is
authorized and restricted based on business and security requirements
related to logical and physical systems.

Access control tokens: The system decides whether access is to be
granted or denied based upon the validity of the token at the point
where it is read, taking into account time, date, day, holiday, or other
conditions used for controlling validation.

Accountability: Accountability ensures that account management has
assurance that only authorized users are accessing the system and
using it properly.

Attribute-based access control (ABAC): An access control paradigm
whereby access rights are granted to users through policies that
combine attributes.

Authorization: The process of defining the specific resources a user
needs and determining the type of access to those resources the user
may have.

Crossover Error Rate (CER): The point at which the false rejection
rate (type I) and the false acceptance rate (type II) are equal; used
to compare the accuracy of biometric systems.

Discretionary access control (DAC): The object's owner decides who
gets access.

False Acceptance Rate (type II error): Erroneous recognition, either by
confusing one user with another or by accepting an impostor as a
legitimate user.

False Rejection Rate (type I error): Failure to recognize a legitimate
user.

Identity proofing: The process of collecting and verifying information
about a person for the purpose of proving that a person who has
requested an account, a credential, or other special privilege is
indeed who he or she claims to be, and establishing a reliable
relationship that can be trusted electronically between the individual
and said credential for purposes of electronic authentication.

Identity as a service (IDaaS): Cloud-based services that broker identity
and access management (IAM) functions to target systems on customers'
premises and/or in the cloud.

Logical access control system: A non-physical system that allows access
based upon predetermined policies.

Mandatory access control (MAC): Access control that requires the system
itself to manage access controls in accordance with the organization's
security policies.

Multi-factor authentication: Ensures that a user is who he or she claims
to be. The more factors used to determine a person's identity, the
greater the trust in its authenticity.

Open Authorization (OAuth): The OAuth 2.0 authorization framework
enables a third-party application to obtain limited access to an HTTP
service, either on behalf of a resource owner by orchestrating an
approval interaction between the resource owner and the HTTP service,
or by allowing the third-party application to obtain access on its own
behalf.

Physical access control system: An automated system that manages the
passage of people or assets through an opening(s) in a secure
perimeter(s) based on a set of authorization rules.

Rule-based access control (RBAC): An access control model that is
based on a list of predefined rules that determine what accesses
should be granted.

Role-based access control (RBAC): An access control model that bases
access control authorizations on the roles (or functions) that the
user is assigned within an organization.

Security Assertion Markup Language 2.0 (SAML 2.0): The current version
of the XML-based SAML standard for exchanging authentication and
authorization data between security domains.

Single-factor authentication: Involves the use of only one of the three
available factors to carry out the requested authentication process.


Course Agenda
Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security

Domain 6: Security Assessment and Testing

Overview
Security testing and assessment are activities that assist an
organization in managing risk, developing applications, managing
systems, and utilizing services. To be successful in mitigating risks,
organizations must develop competencies that align with business
needs related to assessing, validating, testing, and auditing systems
and applications that support business objectives and goals.

Domain Objectives
After completing this domain, the participant will be able to:
1. Name primary methods for designing and validating test
and audit strategies.
2. Choose appropriate strategy to design and validate test and
audit functions that support business requirements.

3. Describe how to maintain logs related to security control testing
and prepare logging systems for relevant review and protection.
4. Classify the various security control testing techniques related to
application development and delivery.
5. Select the relevant security process data administration that
supports testing and assessment related to account management
and process approval.
6. Apply the appropriate security control testing techniques for use
internally and externally for an organizational system.
7. List the essential elements of, and differentiate between, training
and awareness aligned with organizational governance,
compliance, policy, and capabilities.
8. Recognize relevant procedures to protect sensitive information
when utilizing test data.
9. Define the process of a service provider audit.
10. Associate the appropriate use of an audit type based upon the
business support requirements.


Domain Agenda
1. Design and Validate Assessment, Test, and Audit Strategies
2. Security Control Testing
3. Security Process Data
4. Test Output and Generate Report
5. Conduct or Facilitate Security Audits
6. Domain Review

Module 1: Design and Validate Assessment, Test, and Audit Strategies

Module Objectives
1. Name primary methods for designing and validating test and
audit strategies.
2. Choose an appropriate strategy to design and validate test and
audit functions that support business requirements.

Introduction
The design, validation, testing, and auditing of security assessment
Notes
Design and Validate
6
contribute to determining the extent to which security controls are Assessment, Test, and
implemented correctly as defined by the organizational security policy.

Security Assessment and Testing Domain


Audit Strategies
NIST SP 800-53r4 delineates several steps that an assessor should
consider when developing an assessment plan for information security
PPT
testing. The steps are as follows:
Internal
1. Determine the type of security control assessment.
Define internal testing.
2. Determine the security controls and enhancements to
be included.
3. Select the appropriate assessment procedures to be used.
4. Tailor the selected assessment procedures to match the
organization’s operating environment.
5. Develop additional assessment procedures to address
enhancements.
6. Optimize assessment procedures to reduce duplication and
increase cost effectiveness.
7. Finalize assessment plan and obtain approvals necessary
for execution.
This module will consider three perspectives for organizational security
assessments, namely: internal, external, and third-party. Development
of internal and external testing strategies that formulate the validation,
design, and audit functions of an organization’s system security and
assessment should be driven by the organizational mission and security
policy. Internal and external testing may have distinctly different
business needs, requirements, and objectives. Internal assessments
and test generally concentrate on the controls that are associated with
authorized and trusted actors (employees and other users such as
contractors) and the threats that may stem from misuse of resources.
External assessments and test focus on threats posed by external
actors that seek unauthorized access to organization resources. Third-
party assessments are usually arranged to augment or provide auxiliary
support to internal/external testing methodologies retained within an
organization. Third-party assessments also provide the highest level of
assurance of assessment independence.

Internal
In 2012, Carnegie Mellon University- Software Engineering (CMU-SEI)
published a seminal research paper on insider threats entitled, “Threat
Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Sector.”

Module 1: Design and Validate Assessment, Test, and Audit Strategies 469
Official (ISC)2 CISSP Training Guide

Notes The research was funded by the Department of Homeland Security (DHS),
Science and Technology Directorate (S&T) in collaboration with the U.S.
Design and Validate Secret Service (USSS). The empirical research done during 2005–2012
Assessment, Test, and
Audit Strategies
established that in 80 major cases of financial fraud, 67 were internal actors
(employees) and 13 were external (non-employees).

According to NIST SP 800-115, internal testing and assessment design and validation are intended to “work from the internal network and assume the identity of a trusted insider or an attacker who has penetrated the perimeter defenses.” The trusted insider could be a disgruntled employee whose authorization level provides the potential for damaging results if they decide to exploit a vulnerability. An internal view of testing would reflect a system-level focus that is specified in NIST SP 800-115 to include “application and service configuration, authentication, access control, and system hardening.” An attacker who has “penetrated the perimeter defenses” may be masquerading as an internal user or may have otherwise attained access and is perceived as an insider. Depending on test goals and objectives, the test assessor may be given access rights to a system or network that span basic users to administrators. Internal testing may include the assessor attempting to gain access, through privilege escalation, beyond what is provisioned to network or system resources.

External
External testing is described by NIST SP 800-115 as “offering the ability to view the environment’s security posture as it appears outside the security perimeter—usually as seen from the Internet—with the goal of revealing vulnerabilities that could be exploited by an external attacker.” External tests are often done in a blind format where the assessors only have information that is available to the public. The internal team or security staff may be forewarned of the test, or the test could be rendered without notice and therefore be double-blind, where the internal team does not know about the impending test.
If an organization’s security assessment and testing plans include both internal and external testing (and a single entity will be performing both), then the external test should be performed first to prevent information leakage from the insider testing environment into the outsider testing environment.
Development of external testing strategies can be driven by regulatory, legal, or jurisdictional regimes. These strategies for the assessment may be informed by or based upon any number of security frameworks.

470 Domain 6: Security Assessment and Testing
Instructor Edition

Third-Party
Justification for utilizing third-party assessment services may include meeting regulatory requirements, providing assurance to consumers of operational integrity, or supplementing organizational assessment services. Organizational alignment of business needs and requirements should be considered before engaging third-party assessor services. Analysis of business needs, requirements, and risks leads to developing clear and concise operational boundaries for third-party assessment. New requirements that emerge due to changing business needs should be addressed as needed. Nondisclosure agreements should be executed before any work by a third-party assessor commences. External entities that work with an organization should abide by all the organizational policies, governance, and regulations, and all exceptions should be officially approved by management and documented.

Module 2: Security Control Testing
Module Objectives
1. Describe how to maintain logs related to security control testing and prepare logging systems for relevant review and protection.
2. Classify the various security control testing techniques related to application development and delivery.
3. Apply the appropriate security control testing techniques for use internally and externally for an organizational system.


Instructor Edition

Vulnerability Testing
ISO 27001:2013:2013 note that, “Penetration testing and vulnerability
Notes
Security Control Testing
6
assessments provide a snapshot of a system in a specific state at a
specific time. The snapshot is limited to those portions of the system

Security Assessment and Testing Domain


actually tested during the penetration attempt(s). Penetration testing PPT
and vulnerability assessments are not a substitute for risk Vulnerability Testing
assessment.” Define vulnerability
testing.
NIST SP 800-53 r4 describes vulnerability assessment as a
“Systematic examination of an information system or product to
determine the adequacy of security measures, identify security
deficiencies, provide data from which to predict the effectiveness
of proposed security measures, and confirm the adequacy of such
measures after implementation.”
Vulnerability testing targets known threats and can be
accomplished by tools that access known vulnerability databases
(such as the National Vulnerability Database) or by means of an
assessor’s knowledge. The vulnerability scanning that is done
to support vulnerability testing will determine (1) patch levels;
(2) services that should not be enabled; and (3) improperly
configured systems. What follows are some control areas that can
be considered for vulnerability testing.
l Update tool capability: The time between discovery of a
vulnerability and the corresponding publishing and update
of the vulnerability should be reduced to the smallest
window possible. The efficiency of the updating process
impacts remediation opportunities.
l Discoverable information: Sensitive information may be
available to adversaries without system breaches but due to
inadequate categorization, classification, and corresponding
controls of assets. Sensitive discoverable information
may be manifested on the web by a simple Boolean
search (www.domain.com + “for internal use only”) may
return information that is properly labeled but improperly
protected.
l Privileged access: While privileged access authorization
facilitates holistic reviews of systems, it also may reveal
highly sensitive information. Purposeful selection of systems
with a view to reducing sensitive information exposure will
reduce spillage or leakage threats.
Organizations managing vulnerability testing should use tools that conform to the Common Vulnerabilities and Exposures (CVE) naming convention and use the Open Vulnerability and Assessment Language (OVAL) to establish and test vulnerabilities. Examples of sources that can be utilized for ongoing vulnerability information include the Common Weakness Enumeration (CWE) and the National Vulnerability Database (NVD). Vulnerability impact can be quantified and measured by using the Common Vulnerability Scoring System (CVSS).
Penetration Testing
ISO/IEC 27004:2016 provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system as specified in ISO/IEC 27001:2013. One means of evaluating the information security performance and effectiveness of an information security management system is through penetration testing.
NIST SP 800-53 r4 denotes penetration testing as “a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries.” Such testing can be used either to validate vulnerabilities or to determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies.
Within the Payment Card Industry Data Security Standard (PCI DSS) are listed two primary goals related to penetration testing:
1. To determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs, and/or cardholder data.
2. To confirm that the applicable controls, such as scope, vulnerability management, methodology, and segmentation, required in PCI DSS are in place.
NIST SP 800-115 describes four phases related to penetration testing:
• Planning
• Discovery
• Attack
• Reporting

In the planning phase, the scope and objectives are defined, rules are devised or identified, and management signs off on the finalized documentation.
The discovery phase contains two sub-phases: (1) information gathering and scanning; and (2) vulnerability analysis. The first sub-phase, information gathering and scanning, includes collecting network port and service identification information. Information gathering and scanning might reveal host names and IP addresses, employee contact data, and system and application information. The second sub-phase, vulnerability analysis, seeks to compare systems and applications against known vulnerability databases or the assessor’s knowledge.
The attack phase includes gaining access, escalating privileges, browsing for additional systems, and installing additional tools. The attack phase exploits vulnerabilities to confirm their existence. Recurring vulnerability categories are misconfigurations, kernel flaws, buffer overflows, insufficient input validation, symbolic links, file descriptor attacks, race conditions, and incorrect file and directory permissions. The attack phase has a loopback to the discovery phase, as it may reveal additional information that can inform the attack steps.
The reporting phase occurs during the same timeline as the planning, discovery, and attack phases. During the planning phase, rules of engagement are documented and presented to management for final acceptance. The discovery and attack phases contain written logs and periodic reports that are made to management and administrators. After the penetration test is completed, a comprehensive report is made of vulnerabilities along with a risk rating and recommendations to mitigate the vulnerabilities.
Penetration testing can be performed in internal, external, and third-party testing contexts.

Overt (white hat) and Covert (black hat) Testing
Overt security testing and white hat testing are synonymous terms. Overt testing can be used with both internal and external testing. When used from an internal perspective, the bad actor simulated is an employee of the organization. The organization’s IT staff is made aware of the testing and can assist the assessor in limiting the impact of the test by providing specific guidelines for the test scope and parameters. Since overt testing is transparent to the IT staff, it can be an optimal way to train the IT staff. Overt testing carries less risk than covert testing, has lower cost than covert testing, and is utilized more often than covert testing.
Covert security testing and black hat testing are synonymous terms. Covert testing is performed to simulate the threats that are associated with external adversaries. While the security staff has no knowledge of the covert test, the organization’s management is fully aware of and consents to the test. A third-party organization may participate in the test as a mitigation point for the security staff’s reaction and a communication focal point between the assessors, management, and the security staff. Covert testing will illuminate security staff responsiveness. Typically, the most basic and fundamental exploits are executed within predetermined boundaries and scope to reduce the potential impact of system degradation or damage. Covert tests are often carried out in a stealth fashion, “under the radar,” or “slow and low,” to simulate an adversary that is seeking to avoid detection. Covert testing provides a comprehensive view of the behavior, posture, and responsiveness of the security staff.
Log Reviews
ISO 27001:2013 control 12.4.1 addresses event logging and states, “Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.” Information that may be relevant to record and review includes (but is not limited to) user IDs, system activities, dates/times of key events (e.g., log-on and log-off), device and location identity, successful and rejected system and resource access attempts, system configuration changes, and system protection activation and deactivation events.
NIST SP 800-92 identifies log reviews as a component of log management. Log reviews are an imperative function not only for security assessment and testing but for identifying security incidents, policy violations, fraudulent activities, and operational problems close to the time of occurrence. Log reviews support audits and forensic analysis related to internal and external investigations, and provide support for organizational security baselines. Review of historic audit logs can determine whether a vulnerability identified in a system has been previously exploited.
Listed below are some prominent regulations that drive the need for diligent log reviews.
Gramm–Leach–Bliley Act (GLBA). Because a primary tenet of GLBA is the requirement for financial institutions to protect customer information, log review can be utilized to identify and rectify security violations.
Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA maintains specific security practices to protect health information related to patients. Related to the protection of health information are specific activities that include regular reviews of audit logs and access reports; documentation of these activities needs to be retained for a minimum of six years.
Sarbanes–Oxley Act (SOX) of 2002. SOX regulates accurate financial and accounting practices. SOX regulatory requirements are supported by a regular review of logs with a view to locating security violations, and by appropriate retention of logs and records for future review.
Payment Card Industry Data Security Standard (PCI DSS). PCI DSS mandates security for organizations that store, process, or transmit credit card data. A primary responsibility for a processor of credit card data is to track all access to network resources and cardholder data.
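To make the review concrete, here is an added example (not from the training guide or from NIST SP 800-92) that parses a handful of constructed authentication and audit log lines and applies three review rules drawn from the ISO/IEC 27001 12.4.1 event types listed above: a successful log-on following repeated rejected attempts, a log-on outside business hours, and a system configuration change. The log format, field names, hours and threshold are assumptions.

```python
"""Log review over constructed sample lines (added example, not from the guide).

Each rule maps to an event type ISO/IEC 27001 12.4.1 says should be recorded:
rejected access attempts, dates/times of key events, and configuration changes.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines; the syslog-like format is an assumption.
SAMPLE_LOG = """\
2023-03-14T08:02:11 host1 auth: LOGIN_OK user=alice src=10.0.0.5
2023-03-14T08:03:40 host1 auth: LOGIN_FAIL user=bob src=203.0.113.7
2023-03-14T08:03:41 host1 auth: LOGIN_FAIL user=bob src=203.0.113.7
2023-03-14T08:03:42 host1 auth: LOGIN_FAIL user=bob src=203.0.113.7
2023-03-14T08:03:43 host1 auth: LOGIN_FAIL user=bob src=203.0.113.7
2023-03-14T08:03:44 host1 auth: LOGIN_FAIL user=bob src=203.0.113.7
2023-03-14T08:03:50 host1 auth: LOGIN_OK user=bob src=203.0.113.7
2023-03-14T12:15:00 host2 audit: CONFIG_CHANGE user=carol item=/etc/ssh/sshd_config
2023-03-14T23:47:09 host2 auth: LOGIN_OK user=dave src=10.0.0.9
2023-03-14T23:50:31 host2 auth: LOGOUT user=dave src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<event>\w+) (?P<kv>.*)$"
)

FAIL_THRESHOLD = 5                            # assumption: tune to local policy
BUSINESS_HOURS = (time(7, 0), time(19, 0))    # assumption: local working hours


def parse_line(line):
    """Return a dict for one log line (timestamp parsed, key=value fields flattened), or None."""
    match = LINE_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec.update(kv.split("=", 1) for kv in rec.pop("kv").split())
    return rec


def parse_log(text):
    """Parse all lines, silently skipping any that do not match the expected format."""
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def review(records):
    """Apply the review rules in event order; return (rule, user, detail) findings."""
    findings = []
    fails = defaultdict(int)   # (user, source) -> consecutive rejected attempts
    for rec in records:
        key = (rec.get("user"), rec.get("src"))
        event = rec["event"]
        if event == "LOGIN_FAIL":
            fails[key] += 1
        elif event == "LOGIN_OK":
            if fails[key] >= FAIL_THRESHOLD:
                findings.append(("success_after_repeated_failures", rec["user"],
                                 f"{fails[key]} failures from {rec['src']}"))
            fails[key] = 0
            if not BUSINESS_HOURS[0] <= rec["ts"].time() <= BUSINESS_HOURS[1]:
                findings.append(("off_hours_logon", rec["user"], rec["ts"].isoformat()))
        elif event == "CONFIG_CHANGE":
            findings.append(("config_change", rec["user"], rec.get("item", "")))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

Note that the failure counter is keyed by user and source together and reset on success, so a legitimate user who mistypes a password twice is not confused with a credential-guessing pattern from one source.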
Key Logging Practices
To establish and maintain successful log management activities, an organization should develop standard processes for performing log management. As part of the planning process, an organization should define its logging requirements and goals. Based on those, an organization should then develop policies that clearly define mandatory requirements and suggested recommendations for log management activities, including log generation, transmission, storage, analysis, and disposal.
An organization should also ensure that related policies and procedures incorporate and support the log management requirements and recommendations. The organization’s management should provide the necessary support for the efforts involving log management planning, policy, and procedures development.
Requirements and recommendations for logging should be created in conjunction with a detailed analysis of the technology and resources needed to implement and maintain them, their security implications and value, and the regulations and laws to which the organization is subject. Generally, organizations should require logging and analyzing of the data that is of greatest importance and have nonmandatory recommendations for which other types and sources of data should be logged and analyzed if time and resources permit. In some cases, organizations choose to have all or nearly all log data generated and stored for at least a brief period in case it is needed. This favors security considerations over usability and resource usage, and it also allows for better decision-making in some cases. When establishing requirements and recommendations, organizations should strive to be flexible, since each system is different and will log different amounts of data.
Prioritization of log entries is driven by organizational policies, regulatory standards, and key business requirements. What follows are four practices that should be considered key to logging.
• Prioritize log management appropriately throughout the organization. An organization should define its requirements and goals for performing logging and monitoring logs, to include applicable laws, regulations, and existing organizational policies. The organization can then prioritize its goals based on balancing the organization’s reduction of risk with the time and resources needed to perform log management functions.
• Establish policies and procedures for log management. Policies and procedures are beneficial because they ensure a consistent approach throughout the organization as well as ensuring that laws and regulatory requirements are being met. Periodic audits are one way to confirm that logging standards and guidelines are being followed throughout the organization. Testing and validation can further ensure that the policies and procedures in the log management process are being performed properly.
• Create and maintain a secure log management infrastructure. It is very helpful for an organization to create components of a log management infrastructure and determine how these components interact. This aids in preserving the integrity of log data from accidental or intentional modification or deletion and also in maintaining the confidentiality of log data. It is also critical to create an infrastructure robust enough to handle not only expected volumes of log data, but also peak volumes during extreme situations (e.g., widespread malware incident, penetration testing, vulnerability scans). Organizations should consider using security information and event management (SIEM) systems for storage and analysis.
• Provide adequate support for all staff with log management responsibilities. While defining the log management scheme, organizations should ensure that they provide the necessary training to relevant staff regarding their log management responsibilities as well as skill instruction for the needed resources to support log management. Support also includes providing log management tools and tool documentation, providing technical guidance on log management activities, and disseminating information to log management staff.

Log Security
ISO 27001:2013 control item 12.4.2 specifies that, “logging facilities and log information should be protected against tampering and unauthorized access.” Controls are implemented to protect against unauthorized changes to log information and against operational problems with the logging facility, such as alterations to the messages that are recorded, log files being edited or deleted, and the storage capacity of log file media being exceeded. Organizations must maintain adherence to the retention policy for logs as prescribed by law, regulations, and corporate governance.
The organization’s policies and procedures should also address the preservation of original logs. Many organizations send copies of network traffic logs to centralized devices, as well as use tools that analyze and interpret network traffic. In cases where logs may be needed as evidence, organizations may wish to acquire copies of the original log files, the centralized log files, and the interpreted log data in case there are any questions regarding the fidelity of the copying and interpretation processes. Retaining logs for evidence may involve the use of different forms of storage and different processes, such as additional restrictions on access to the records.
Logs need to be protected from breaches of their confidentiality and integrity. For example, logs might intentionally or inadvertently capture sensitive information such as users’ passwords and the content of emails. This raises security and privacy concerns involving both the individuals who review the logs and others who might be able to access the logs through authorized or unauthorized means.
Logs that are secured improperly in storage or in transit might also be susceptible to intentional and unintentional alteration and destruction. This could cause a variety of impacts, including allowing malicious activities to go unnoticed and manipulating evidence to conceal the identity of a malicious party. For example, many rootkits are specifically designed to alter logs to remove any evidence of the rootkits’ installation or execution.
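One way to make stored logs tamper-evident, in the spirit of control 12.4.2, is to chain each record to its predecessor with a keyed hash, so that an edited, deleted, inserted or reordered entry breaks the chain. The following is an added illustration, not the guide’s or any product’s implementation; the key and the records are constructed, and in practice the key would be held by the collector, not by the host whose logs it protects.

```python
"""Tamper-evident log chain with HMAC-SHA256 (added example, not from the guide).

Each record's tag covers its sequence number, the previous record's tag and the
message, so changing any earlier record invalidates every tag after it.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # stands in for the "previous tag" of the first record


def _tag(key, seq, prev, message):
    """HMAC-SHA256 over a canonical encoding of (seq, prev, message)."""
    data = json.dumps([seq, prev, message], separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_record(chain, message, key):
    """Append a message to the chain and return its tag (store the latest tag elsewhere)."""
    prev = chain[-1]["tag"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "msg": message, "prev": prev,
                  "tag": _tag(key, seq, prev, message)})
    return chain[-1]["tag"]


def verify_chain(chain, key, last_tag=None):
    """Return (True, None) if intact, else (False, index of the first bad record).

    Detects edited, deleted, inserted and reordered records. Truncation of the
    tail is only detectable when the most recent tag was kept elsewhere and is
    passed as last_tag.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _tag(key, i, prev, rec["msg"])
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(expected, rec["tag"])):
            return False, i
        prev = rec["tag"]
    if last_tag is not None and prev != last_tag:
        return False, len(chain)
    return True, None


if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed; never hardcode a real key
    log = []
    for msg in ("LOGIN_OK user=alice", "CONFIG_CHANGE user=carol", "LOGOUT user=alice"):
        latest = append_record(log, msg, key)
    print(verify_chain(log, key, latest))    # intact chain
    log[1]["msg"] = "LOGIN_OK user=carol"    # simulate a rootkit rewriting an entry
    print(verify_chain(log, key, latest))    # chain breaks at record 1
```

Because the tags are keyed, an attacker who can rewrite the log file but does not hold the key cannot recompute a consistent chain; a plain hash chain without a key would only catch accidental corruption.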

Synthetic Transactions
Real User Monitoring (RUM)
Real user monitoring (RUM) is an approach to web monitoring that aims to capture and analyze every transaction of every user of a website or application. Also known as real-user measurement, real-user metrics, or end-user experience monitoring (EUM), it is a form of passive monitoring, relying on web-monitoring services that continuously observe a system in action, tracking availability, functionality, and responsiveness. While some bottom-up forms of RUM rely on capturing server-side information to reconstruct the end-user experience, top-down client-side RUM can see directly how users interact with an application and what the experience is like for them. By using local agents or small bits of JavaScript to gauge site performance and reliability from the perspective of client apps and browsers, top-down RUM focuses on the direct relationship between site speed and user satisfaction, providing valuable insights into ways to optimize an application’s components and improve overall performance.

Synthetic Performance Monitoring
Synthetic performance monitoring, sometimes called proactive monitoring, involves having external agents run scripted transactions against a web application. These scripts are meant to follow the steps a typical user might take to search, view a product, log in, and check out, in order to assess the experience of a user. Traditionally, synthetic monitoring has been done with lightweight, low-level agents, but increasingly it is necessary for these agents to run full web browsers to process the JavaScript, CSS, and AJAX calls that occur on page load.

Synthetic Transactions for Monitoring: Example
A practical example of the use of synthetic transactions for monitoring can be found in Microsoft’s System Center Operations Manager software. With this, you can create a variety of synthetic transactions that can be used to monitor databases, websites, and Transmission Control Protocol (TCP) port usage. Before you create the monitoring settings for Operations Manager to use in a synthetic transaction, you should plan the actions that you want the synthetic transaction to perform. For example, if you want to create a synthetic transaction that measures the performance of a website, you can plan actions that are typical for a customer, such as logging on, browsing web pages, and completing a transaction, such as placing an item in a shopping cart and making a purchase.

Types of Monitoring
• Website Monitoring: Website monitoring uses synthetic transactions to perform HTTP requests to check availability and to measure performance of a web page, website, or web application.
• Database Monitoring: Database monitoring using synthetic transactions monitors the availability of a database.
• TCP Port Monitoring: A TCP port synthetic transaction measures the availability of your website, service, or application; you can specify the server and TCP port for Operations Manager to monitor.
Synthetic Monitoring Benefits
The security architect and security practitioner both need to be involved in the decisions surrounding the use and deployment of RUM and synthetic transaction monitoring systems within the organization.
Below is a list of the main reasons why using synthetic monitoring can add value:
• Monitor application availability 24 x 7
• Know if a remote site is reachable
• Understand the performance impact that third-party services have on business apps
• Monitor performance and availability of SaaS applications and supporting cloud infrastructure such as IaaS and PaaS
• Test business-to-business (B2B) web services that use Simple Object Access Protocol (SOAP), Representational State Transfer (REST), or other web service technologies
• Monitor critical databases’ queries for availability
• Objectively measure service-level agreements (SLAs)
• Baseline and analyze performance trends across geographies
• Complement real-user monitoring by synthetically monitoring availability during periods of low traffic
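The website and TCP port monitors described in this section can be scripted directly. The following is an added example, not code from the guide or from Operations Manager: it replays a constructed user journey (home page, login page, cart) against a throwaway local HTTP server, records HTTP status and latency for each step, and probes a TCP port the way a port synthetic transaction would. The demo server, its paths, and the latency budget are assumptions made so the example runs offline.

```python
"""Synthetic transaction monitor against a local stand-in web app (added example).

run_transaction() replays a scripted journey and reports per-step availability;
check_tcp_port() is the equivalent of a TCP port synthetic transaction.
"""
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen


class DemoApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the monitored web application."""
    PAGES = {"/": b"<h1>Shop</h1>", "/login": b"<form>login</form>", "/cart": b"cart ok"}

    def do_GET(self):
        body = self.PAGES.get(self.path) or b"not found"
        self.send_response(200 if self.path in self.PAGES else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo server quiet
        pass


def start_demo_server():
    """Serve DemoApp on an ephemeral localhost port from a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def unused_port():
    """Return a localhost port that nothing is listening on (for a negative check)."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def check_tcp_port(host, port, timeout=2.0):
    """TCP port synthetic transaction: succeeds only if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_transaction(base_url, steps, max_latency_ms=2000):
    """Replay a scripted journey; a step passes on HTTP 200 within the latency budget."""
    results = []
    for path in steps:
        started = time.perf_counter()
        try:
            with urlopen(Request(base_url + path), timeout=5) as resp:
                status = resp.status
                resp.read()          # a real check would also validate page content
        except HTTPError as err:
            status = err.code        # server answered, but not with success
        except URLError:
            status = None            # unreachable: no HTTP answer at all
        latency_ms = (time.perf_counter() - started) * 1000
        results.append({"step": path, "status": status,
                        "latency_ms": round(latency_ms, 1),
                        "ok": status == 200 and latency_ms <= max_latency_ms})
    return {"available": all(r["ok"] for r in results), "steps": results}


if __name__ == "__main__":
    server = start_demo_server()
    port = server.server_address[1]
    print("tcp port reachable:", check_tcp_port("127.0.0.1", port))
    print(run_transaction(f"http://127.0.0.1:{port}", ["/", "/login", "/cart"]))
    server.shutdown()
```

Treating a latency overrun as a failed step, not just a slow success, is what lets the same script feed an SLA measurement and an availability alert at once.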

Code Review and Testing
ISO 27002:2013 control item 14.2.1 prescribes that, “Rules for the development of software and systems should be established and applied to developments within the organization.” In this control item, guidance is given that developers should be trained in secure coding standards and best practices. Testing and code review should verify use of the standards and best practices as evidenced in what is developed. The following topics under this heading cover two phases where code review and testing are considered, namely during planning/design and during development, and the testing techniques and methods that are utilized for successful code review and testing.

During Planning and Design
While a security review of the architecture and threat modeling are not security testing methods, they are an important prerequisite for subsequent security testing efforts, and the security practitioner should be aware of the options available to them. The following is a consideration of the prerequisites and benefits of architecture security review and threat modeling:
• Architecture security review: A manual review of the product architecture to ensure that it fulfills the necessary security requirements:
  ◦ Prerequisites: Architectural model
  ◦ Benefit: Detecting architectural violations of the security standard
• Threat modeling: A structured manual analysis of an application-specific business case or usage scenario. This analysis is guided by a set of precompiled security threats:
  ◦ Prerequisites: Business case or usage scenario
  ◦ Benefits: Identification of threats, including their impact and potential countermeasures specific to the development of the software product
These methods help to identify the attack surface and, thus, the most critical components. This allows a focusing of the security testing activities to ensure they are as effective as possible.

During Application Development
In the development stages where an application is not yet sufficiently mature to be placed into a test environment, the following techniques are applicable:
Static Source Code Analysis (SAST) and manual code review: Analysis of the application source code for finding vulnerabilities without executing the application:
• Prerequisites: Application source code
• Benefits: Detection of insecure programming, outdated libraries, and misconfigurations
Static binary code analysis and manual binary review: Analysis of the compiled application (binary) for finding vulnerabilities without executing the application. In general, this is like the source code analysis but is not as precise, and fix recommendations typically cannot be provided.
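A minimal static analysis in the SAST sense, added here as an example (not the guide’s code and not any commercial tool’s): it walks the syntax tree of a constructed Python source file to flag dynamic code execution, `shell=True` subprocess calls and hardcoded secrets, and compares a constructed requirements list against a constructed advisory table to find outdated libraries. The rules, the advisory identifier, and the sample code and requirements are all assumptions.

```python
"""Toy SAST pass over a constructed source file (added example, not from the guide).

scan_source() finds insecure programming patterns without executing anything;
check_dependencies() finds outdated libraries from a constructed advisory table.
"""
import ast
import re

# Constructed sample source containing three patterns a reviewer would flag.
SAMPLE_SOURCE = '''
import subprocess
DB_PASSWORD = "hunter2"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def calc(expr):
    return eval(expr)
def safe(cmd):
    return subprocess.run(["ls", cmd])
'''

DANGEROUS_CALLS = {"eval", "exec"}
SECRET_NAME_RE = re.compile(r"pass(word)?|secret|api_?key|token", re.IGNORECASE)


def _call_name(call):
    """Name of the called function, for both plain names and attribute calls."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def scan_source(source):
    """Return sorted (line, rule, detail) findings for insecure programming patterns."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_CALLS:
                findings.append((node.lineno, "dynamic-code-execution", name))
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, "subprocess-shell-true", name))
        elif isinstance(node, ast.Assign):
            literal = isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)
            for target in node.targets:
                if literal and isinstance(target, ast.Name) and SECRET_NAME_RE.search(target.id):
                    findings.append((node.lineno, "hardcoded-secret", target.id))
    return sorted(findings)


# Constructed advisory table: package -> (first fixed version, advisory id placeholder).
ADVISORIES = {"examplelib": ("2.4.1", "ADVISORY-ID-PLACEHOLDER")}
SAMPLE_REQUIREMENTS = "examplelib==2.3.0   # pinned below the fixed version\nothertool==1.0.0\n"


def _version(text):
    return tuple(int(part) for part in text.strip().split("."))


def check_dependencies(requirements, advisories=ADVISORIES):
    """Flag pinned packages older than the fixed version listed in the advisory table."""
    hits = []
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        pkg, ver = (part.strip() for part in line.split("==", 1))
        entry = advisories.get(pkg.lower())
        if entry and _version(ver) < _version(entry[0]):
            hits.append((pkg.lower(), ver, entry[1]))
    return hits


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
    print(check_dependencies(SAMPLE_REQUIREMENTS))
```

The `safe()` function in the sample is deliberately not flagged: it passes an argument list without `shell=True`, which is the fix a SAST tool would recommend for `run()`, and illustrates why source-level analysis can offer fix recommendations where binary analysis usually cannot.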
Testing Techniques
Most successful attacks against IT applications do not attack core security primitives such as cryptographic algorithms. Attackers much more often exploit bad programming, interface problems, uncontrolled interconnections, or misconfigurations. From a high-level perspective, (security) testing techniques are often classified as follows:
• Black-box testing vs. white-box testing: In black-box testing, the tested system is used as a black box, i.e., no internal details of the system implementation are used. In contrast, white-box testing takes the internal system details (e.g., the source code) into account.
• Dynamic testing vs. static testing: Traditionally, testing is understood as dynamic testing, i.e., the system under test is executed and its behavior is observed. In contrast, static testing techniques analyze a system without executing the system under test.
• Manual testing vs. automated testing: In manual testing, the test scenario is guided by a human, while in automated testing, the test scenario is executed by a specialized application.
After code has been prepared and made ready for execution, the
following methods may be utilized for additional testing:
l Manual or automated penetration testing: Simulates an
attacker sending data to the application and observes its
behavior:
o Benefits: Identification of a wide range of vulnerabilities
in a deployed application
l Automated vulnerability scanners: Test an application for
the use of system components or configurations that are
known to be insecure. For this, predefined attack patterns
are executed as well as system fingerprints are analyzed:
o Benefits: Detection of well-known vulnerabilities, i.e.,
detection of outdated frameworks and misconfigurations

Module 2: Security Control Testing 483


• Fuzz testing tools: Send random data, usually in larger chunks than expected by the application, to the input channels of an application to provoke a crashing of the application:
  ◦ Benefits: Detection of application crashes (e.g., caused by buffer overflows) that might be security critical
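An added example, not from the guide, of the dynamic fuzz testing just described: a constructed length-prefixed record parser with a deliberate missing bounds check, a mutation-based fuzzer that feeds it truncated, bit-flipped and oversized inputs, and a hardened parser that the same fuzzer no longer crashes. The record format, the parser names and the rule that ValueError means graceful rejection while any other exception is a crash are assumptions made for this example.

```python
import random
from typing import Callable, Dict


def parse_record(data: bytes) -> bytes:
    """Toy length-prefixed record parser: [len][payload...][checksum].
    Constructed for this example; it has a deliberate robustness bug."""
    length = data[0]                     # IndexError on empty input
    payload = data[1:1 + length]
    if len(payload) != length:
        raise ValueError("truncated record")   # graceful rejection
    checksum = data[1 + length]          # IndexError when the checksum byte is missing
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload


def parse_record_hardened(data: bytes) -> bytes:
    """Same format, with every length assumption checked before indexing."""
    if len(data) < 2:
        raise ValueError("record too short")
    length = data[0]
    if len(data) < 2 + length:
        raise ValueError("truncated record")
    payload = data[1:1 + length]
    if sum(payload) % 256 != data[1 + length]:
        raise ValueError("bad checksum")
    return payload


def fuzz(parser: Callable[[bytes], bytes], seed_input: bytes,
         rounds: int = 200, seed: int = 1) -> Dict[str, bytes]:
    """Mutation-based fuzzer. Returns {exception type: first input that raised it}
    for exceptions the parser does not handle (ValueError is the expected rejection)."""
    rng = random.Random(seed)            # fixed seed so runs are reproducible
    cases = [seed_input[:i] for i in range(len(seed_input) + 1)]   # every truncation
    cases.append(seed_input + bytes(rng.getrandbits(8) for _ in range(4096)))  # oversized
    for _ in range(rounds):              # random bit flips in the valid record
        buf = bytearray(seed_input)
        for _ in range(rng.randint(1, 3)):
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        cases.append(bytes(buf))
    crashes: Dict[str, bytes] = {}
    for case in cases:
        try:
            parser(case)
        except ValueError:
            pass                          # rejected gracefully: the desired outcome
        except Exception as exc:          # anything else is a crash worth reporting
            crashes.setdefault(type(exc).__name__, case)
    return crashes


# Constructed valid record: payload "hello", checksum = sum of payload bytes mod 256
PAYLOAD = b"hello"
SEED_RECORD = bytes([len(PAYLOAD)]) + PAYLOAD + bytes([sum(PAYLOAD) % 256])

if __name__ == "__main__":
    print("original parser crashes:", fuzz(parse_record, SEED_RECORD))
    print("hardened parser crashes:", fuzz(parse_record_hardened, SEED_RECORD))
```

In a memory-unsafe language the equivalent missing check is the buffer overflow the text mentions; here the same defect surfaces as an unhandled IndexError, which is exactly the kind of crash a fuzzer is run to find before release.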
PPT Code Review and Testing (continued): Relate the relevance of code review and testing, listing the various types and utility for each.

Testing Method Considerations
When selecting a security testing method or tool, consider the following:
• Attack surface: Different security testing methods find different vulnerability types
• Application type: Different security testing methods behave differently when applied to different application types
• Quality of results and usability: Security testing techniques and tools differ in usability (e.g., fix recommendations) and quality (e.g., false positives rate)
• Supported technologies: Security testing tools usually only support a limited number of technologies (e.g., programming languages), and if a tool supports multiple technologies, it does not necessarily support all of them equally well
• Performance and resource utilization: Different tools and methods require different computing power or different manual efforts
Once the prerequisite tasks (e.g., code inspection) have been
successfully completed, software testing begins. It starts with unit
level testing and concludes with system level testing. There may be
a distinct integration level of testing. A software product should be
challenged with test cases based on its internal structure and with
test cases based on its external specification. These tests should
provide a thorough and rigorous examination of the software
product’s compliance with its functional, performance, and interface
definitions and requirements.
Code-based testing is also known as structural testing, or white-box
testing. It identifies test cases based on knowledge obtained from the
source code, detailed design specification, and other development
documents. These test cases challenge the control decisions made by
the program and the program’s data structures, including configuration
tables. Structural testing can identify “dead” code that is never
executed when the program is run. Structural testing is accomplished
primarily with unit (module) level testing but can be extended to other
levels of software testing.

484 Domain 6: Security Assessment and Testing



Misuse Case Testing


Use cases are abstract episodes of interaction between a system and its environment. A use case characterizes a way of using a system, or a dialog that a system and its environment may share as they interact. A scenario is a description of a specific interaction between individuals.
A misuse case is simply a use case from the point of view of an Actor hostile to the system under design. Misuse cases turn out to have many possible applications and to interact with use cases in interesting and helpful ways. Security requirements exist because people and the agents they create (such as computer viruses) pose real threats to systems. Security differs from all other specification areas in that someone is deliberately threatening to violate proper use of a system. Employing use and misuse cases to model and analyze scenarios in systems under design can improve security by helping to mitigate threats.
Some misuse cases occur in highly specific situations, whereas
others continually threaten systems. For instance, a car is most
likely to be stolen when parked and unattended; whereas a web
server might suffer a denial-of-service attack at any time. You can
develop misuse and use cases recursively, going from system to
subsystem levels or lower as necessary. Lower-level cases can
highlight aspects not considered at higher levels, possibly forcing
another analysis. The approach offers rich possibilities for
exploring, understanding, and validating the requirements in any
direction. Drawing the agents and misuse cases explicitly helps to
focus the attention of the security practitioner on the elements of
the scenario.

Explore Negative Testing


In contrast to a positive test (which determines that a system works as expected, and which any error fails), a negative test is designed to provide evidence of application behavior when unexpected or invalid data is received. Any provocation of application failure is designed to surface in the test rather than once the application is approved for production. An optimal response for an application to a negative test is to gracefully reject the unexpected or invalid data without crashing. While exceptions and error conditions are expected in negative tests, they are not expected in positive tests. It is optimal to combine a range of positive and negative tests to run on an application for a thorough examination of its behavior.

Negative testing is aimed at detecting possible application crashes in different situations. Several possible examples of such situations are listed below, following the coverage criteria.

Test Coverage Analysis
The level of structural testing can be evaluated using metrics that are designed to show what percentage of the software structure has been evaluated during structural testing. These metrics are typically referred to as “coverage” and are a measure of completeness with respect to test selection criteria. The amount of structural coverage should be commensurate with the level of risk posed by the software. Use of the term “coverage” usually means 100 percent coverage. For example, if a testing program has achieved “statement coverage,” it means that 100 percent of the statements in the software have been executed at least once. What follows are examples of structural coverage types:
• Statement coverage: This criterion requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product’s behavior.
• Decision (branch) coverage: This criterion requires sufficient test cases for each program decision or branch to be executed so that each possible outcome occurs at least once. It is a minimum level of coverage for most software products, but decision coverage alone is insufficient for high-integrity applications.
• Condition coverage: This criterion requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from multi-condition branch coverage only when multiple conditions must be evaluated to reach a decision.
• Multi-condition coverage: This criterion requires sufficient test cases to exercise all possible combinations of conditions in a program decision.
• Loop coverage: This criterion requires sufficient test cases for all program loops to be executed for zero, one, two, and many iterations covering initialization, typical running, and termination (boundary) conditions.
• Path coverage: This criterion requires sufficient test cases for each feasible path, basis path, etc., from start to exit of a defined program segment, to be executed at least once. Because of the very large number of possible paths through a software program, path coverage is generally not achievable. The amount of path coverage is normally established based on the risk or criticality of the software under test.
• Data flow coverage: This criterion requires sufficient test cases for each feasible data flow to be executed at least once. Many data flow testing strategies are available.
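The difference between decision, condition and multi-condition coverage is easiest to see on one concrete decision. The following is an added example, not from the guide: a constructed two-condition login decision and a helper that reports which of the three criteria a given set of test vectors satisfies. The decision, the condition names and the two test suites are assumptions made for this example.

```python
from itertools import product
from typing import Callable, Dict, Iterable, List

# Constructed decision under test: both conditions must hold for access.
CONDITIONS = ["valid_password", "account_enabled"]


def allow_login(valid_password: bool, account_enabled: bool) -> bool:
    return valid_password and account_enabled


def coverage_report(decision: Callable[..., bool],
                    conditions: List[str],
                    vectors: Iterable[Dict[str, bool]]) -> Dict[str, bool]:
    """Report which coverage criteria a set of test vectors achieves for one decision."""
    vectors = list(vectors)
    outcomes = {decision(**v) for v in vectors}
    # Decision (branch) coverage: the decision as a whole was both True and False.
    decision_cov = outcomes == {True, False}
    # Condition coverage: each individual condition took both values at least once.
    condition_cov = all({v[c] for v in vectors} == {True, False} for c in conditions)
    # Multi-condition coverage: every combination of condition values was exercised.
    seen = {tuple(v[c] for c in conditions) for v in vectors}
    multi_cov = len(seen) == 2 ** len(conditions)
    return {"decision": decision_cov, "condition": condition_cov,
            "multi_condition": multi_cov}


def all_combinations(conditions: List[str]) -> List[Dict[str, bool]]:
    """The 2**n test vectors needed for multi-condition coverage."""
    return [dict(zip(conditions, values))
            for values in product([True, False], repeat=len(conditions))]


# Constructed test suites
SUITE_A = [  # both outcomes seen and each condition flips, yet only 2 of 4 combinations
    {"valid_password": True, "account_enabled": True},
    {"valid_password": False, "account_enabled": False},
]
SUITE_B = [  # both outcomes seen, but valid_password is never False
    {"valid_password": True, "account_enabled": True},
    {"valid_password": True, "account_enabled": False},
]

if __name__ == "__main__":
    for name, suite in (("A", SUITE_A), ("B", SUITE_B),
                        ("full", all_combinations(CONDITIONS))):
        print(name, coverage_report(allow_login, CONDITIONS, suite))
```

Suite A shows why the text says condition coverage differs from multi-condition coverage only when several conditions feed one decision: it satisfies decision and condition coverage with two vectors but leaves the mixed cases untested, and suite B shows that decision coverage alone can be met without ever exercising a false password.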
Examples of the negative test situations referred to above include the following:
• Populating required fields: Some applications and web pages contain fields that are marked as required. Test the condition of leaving required fields unpopulated. Verify proper application response to missing data input.
• Correspondence between data and field types: Verify proper controls that limit the data or specific types of data that can be entered and accepted in a field type. For example, verify that a date field (MM/DD/YYYY) cannot accept 19/34/2018.
• Allowed number of characters: Verify that only a limited number of characters can be accepted in a field. For example, a field that allows only 25 characters should not accept 26.
• Allowed data bounds and limits: Applications can use input fields that accept data in a certain range. Verify that data below the lower bound or above the upper limit of the range is not accepted.
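As an added example (not from the guide) of the negative test situations listed above: a constructed form validator covering a required field, a MM/DD/YYYY date field, a 25-character limit and a numeric range, with a small harness that treats a rejected input as a passed negative test and any raised exception as a crash. The schema, field names and test cases are assumptions made for this example.

```python
import re
from datetime import date
from typing import Dict, List, Tuple

# Constructed form schema for the example (not from the guide).
SCHEMA = {
    "username":   {"required": True, "max_len": 25},
    "birth_date": {"required": True, "type": "date"},        # MM/DD/YYYY
    "quantity":   {"required": False, "type": "int", "min": 1, "max": 100},
}


def validate(form: Dict[str, str]) -> List[str]:
    """Return validation errors; an empty list means the input is accepted.
    Bad input must be reported by returning errors, never by raising."""
    errors = []
    for name, rule in SCHEMA.items():
        value = form.get(name, "")
        if value == "":
            if rule.get("required"):
                errors.append(f"{name}: required field missing")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: exceeds {rule['max_len']} characters")
        if rule.get("type") == "date":
            m = re.fullmatch(r"(\d{2})/(\d{2})/(\d{4})", value)
            try:
                if m is None:
                    raise ValueError("format")
                date(int(m.group(3)), int(m.group(1)), int(m.group(2)))  # month 19 fails here
            except ValueError:
                errors.append(f"{name}: not a valid MM/DD/YYYY date")
        if rule.get("type") == "int":
            try:
                n = int(value)
            except ValueError:
                errors.append(f"{name}: not an integer")
                continue
            if n < rule["min"] or n > rule["max"]:
                errors.append(f"{name}: out of range {rule['min']}..{rule['max']}")
    return errors


VALID_FORM = {"username": "jsmith", "birth_date": "07/04/1990", "quantity": "5"}

# (label, input, expect_accepted): one positive test, then the negative tests
TEST_CASES: List[Tuple[str, Dict[str, str], bool]] = [
    ("valid input",          VALID_FORM, True),
    ("required field empty", {**VALID_FORM, "username": ""}, False),
    ("impossible date",      {**VALID_FORM, "birth_date": "19/34/2018"}, False),
    ("26 chars in 25 field", {**VALID_FORM, "username": "a" * 26}, False),
    ("below lower bound",    {**VALID_FORM, "quantity": "0"}, False),
    ("above upper limit",    {**VALID_FORM, "quantity": "101"}, False),
    ("non-numeric quantity", {**VALID_FORM, "quantity": "ten"}, False),
]


def run_tests() -> Dict[str, str]:
    """Map each case to 'pass', 'fail' or 'crash'. A negative test passes when the
    input is rejected; an exception escaping the validator is a crash."""
    results = {}
    for label, form, expect_accepted in TEST_CASES:
        try:
            accepted = validate(form) == []
        except Exception as exc:
            results[label] = f"crash: {type(exc).__name__}"
            continue
        results[label] = "pass" if accepted == expect_accepted else "fail"
    return results


if __name__ == "__main__":
    for label, outcome in run_tests().items():
        print(f"{outcome:5} {label}")
```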

Interface Testing
Interface testing involves the testing of the different components
of an application, e.g., software and hardware, in combination.
This kind of combination testing is done to ensure they are
working correctly and conforming to the requirements based on
which they were designed and developed. Interface testing is
different from integration testing in that interface testing is done
to check whether the different components of the application or
system being developed are in sync with each other. In technical
terms, interface testing helps determine that distinct functions,
such as data transfer between the different elements in
the system, are happening according to the way they were
designed to happen.
Interface testing is one of the most important software tests in assuring the quality of software products. Interface testing is conducted to evaluate whether systems or components pass data and control correctly to one another. Interface testing is usually performed by both testing and development teams. Interface testing helps to determine which application areas are accessed as well as their user-friendliness.
Interface testing can be used to do the following:
• Check and verify if all the interactions between the application and a server are executed properly
• Check and verify if errors are being handled properly
• Check what happens if a user interrupts any transaction
• Check what happens if a connection to a web server is reset

Server Interface
Regarding the server interface, testing can establish the following:
• That communication is done correctly between web server and application server, between application server and database server, and vice versa
• Compatibility of server software, hardware, and network connections

External Interface
Regarding the external interface, testing can establish the following:
• Have all supported browsers been tested?
• Have all error conditions related to external interfaces been tested when the external application is unavailable, or the server is inaccessible?

Internal Interface
Regarding the internal interface, testing can answer the following:
• If the site uses plug-ins, can the site still be used without them?
• Can all linked documents be supported/opened on all platforms (e.g., can Microsoft Word be opened on Solaris)?
• Are failures handled if there are errors during download?

Case: Team Consultation for Critical Incident


PPT Case [15 Min.]: Team Consultation for Critical Incident: Assist room to gather in teams of 3–4 members. Interview process is questions not answers.

Working in small teams, select one team member to share a critical incident that caused a degradation or disruption in service. All other team members then do a post mortem of the incident by holding an interview. The interview should take no more than six minutes. Following the interview, each team member takes three minutes to reflect on what type of testing may have been prescribed to expose the vulnerability that led to the critical incident. Select a methodology from this module and write it down on a sheet of paper. Fold your answer and hand it to the member who shared the incident, then have that member read aloud the answers and provide feedback.


Module 3: Security Process Data

PPT Security Process Data: Introduce the participants to the “Security Process Data” module.

Module Objectives
1. Select the relevant security processing data administration that supports testing and assessment related to account management and process approval.
2. List essential elements of and differentiate between training and awareness that are aligned with organizational governance, compliance, policy, and capabilities.

PPT Module Objectives: Introduce the module objectives.


Account Management
PPT Account Management: List the business/mission functions supported by account management.

Account management supports organizational and mission/business functions by:
• Assigning account managers for information systems accounts.
• Establishing conditions for group or role membership.
• Specifying authorized users of information systems.
• Requiring approval for authorizations, creating, enabling, modifying, disabling, and removing access.
• Monitoring use of information systems accounts.
• Notifying the account manager when account access is no longer needed.
• Reviewing accounts for compliance with account management requirements.
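One way to turn the account management functions above into a review that can be repeated and evidenced, as an added example that is not from the guide: a check over a constructed account inventory for accounts with no manager, enabled accounts without a recorded approval, enabled accounts inactive beyond a threshold (the case in which the account manager should be notified), and disabled accounts that still hold privileged group memberships. The record layout, the 90-day threshold and the privileged group names are assumptions made for this example.

```python
from datetime import date, timedelta
from typing import Dict, List

# Constructed account inventory export (fictional accounts, not from the guide).
ACCOUNTS: List[Dict] = [
    {"user": "alice", "manager": "cto", "enabled": True, "approved_by": "cto",
     "last_login": date(2024, 1, 10), "groups": ["staff"]},
    {"user": "bob", "manager": "", "enabled": True, "approved_by": "ciso",
     "last_login": date(2024, 1, 3), "groups": ["staff", "db-admins"]},
    {"user": "svc-backup", "manager": "ops-lead", "enabled": True, "approved_by": "",
     "last_login": date(2023, 9, 1), "groups": ["staff"]},
    {"user": "carol", "manager": "ops-lead", "enabled": False, "approved_by": "ops-lead",
     "last_login": date(2023, 6, 30), "groups": ["domain-admins"]},
]

REVIEW_DATE = date(2024, 1, 15)            # fixed so the example is reproducible
INACTIVITY_LIMIT = timedelta(days=90)      # assumed policy threshold
PRIVILEGED_GROUPS = {"domain-admins", "db-admins"}   # assumed group names


def review_accounts(accounts: List[Dict], today: date = REVIEW_DATE) -> Dict[str, List[str]]:
    """Check each account against the account management requirements and
    return {user: [findings]} for the accounts that need action."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = []
        if not acct["manager"]:
            issues.append("no account manager assigned")
        if acct["enabled"] and not acct["approved_by"]:
            issues.append("enabled without recorded approval")
        if acct["enabled"] and today - acct["last_login"] > INACTIVITY_LIMIT:
            issues.append("inactive beyond 90 days; notify account manager")
        if not acct["enabled"] and PRIVILEGED_GROUPS & set(acct["groups"]):
            issues.append("disabled account still holds privileged group membership")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(ACCOUNTS).items():
        print(user, "->", "; ".join(issues))
```

Run on a fixed date against an exported inventory, the returned findings are the evidence a reviewer files for the compliance review in the last bullet; each check maps to one of the functions listed above.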

Management Review and Approval

PPT Management Review and Approval: Describe the elements needing management review and approval.


Periodic management reviews ensure that security process data is
being used as intended and that required controls are functioning
as intended.
ISO 27001:2013 outlines concerns for management reviews of an
information system by stating, “Top management shall review the
organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and
effectiveness.”
Management review should include but is not limited to the following:
• Exemptions from normal activities
• Information related to previous reviews
• Ongoing metrics related to outcomes
• Results of audits
• When security objectives have been met
• Feedback from interested parties
• Risk assessment reporting and plan management for handling risk
The objective of the activities related to management review and
approval should be to support continual process improvement.


Key Performance and Risk Indicators

PPT Key Performance and Risk Indicators: Differentiate characteristics of key performance and risk indicators and how each are used.

Key performance indicators (KPIs) are different from key risk indicators (KRIs). The Committee of Sponsoring Organizations (COSO) of the Treadway Commission December 2010 report on How Key Risk Indicators can Sharpen Focus on Emerging Risks states that KPIs typically “shed insights about risk events that have already affected the organization” and that KRIs “typically help to better monitor potential future shifts in risk conditions or new emerging risks so that management and boards are able to more proactively identify potential impacts on the organization’s portfolio of risks.” KPIs can be viewed as looking to the past while KRIs involve peering into the future.
KPIs are essential to the management of emerging risk because they involve scrutinizing past activities with a view to making corrections to future actions. Careful KPI management may reveal underperforming segments of a department, an organization, or a company. Underperformance in select KPIs may reveal underlying dysfunction, a greater need for training or awareness, organizational cultural issues, mismanagement of resources, or a need for an increase in resources. Meeting KPI performance measures is helpful for keeping abreast of success factors in organizational behavior, can support meritorious rewards for employees and groups, and can be a confidence builder for a client base.
KRIs are imperative to developing insights for recognizing risks that can impact achieving objectives. An organization needs to pay attention to the key or significant risks so that careful monitoring reveals leading indicators of what is to come. It is important that an organization develop capabilities to map KRIs to critical risk and core strategies to ensure there is adequate concentration of resources and activities that reduce the likelihood of risk interrupting the achievement of objectives. Management of KRIs begins with understanding root cause events, which may contain various activities and outcomes that give rise to intermediate events, which correspondingly lead to a risk event. Initial strategies to combat risk events may need to adjust as environmental conditions change. Finally, it is important for the designated owner of the risk to properly communicate the risk landscape and opportunities to executive management and, if necessary, the organizational board of directors.

Backup Verification Data


ISO 27002:2013 control item 12.3.1 specifies guidance for information backup. It states, “A backup policy should be established to define the organization’s requirements for backup of information, software and systems. The backup policy should define the retention and protection requirements. Adequate backup facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.”
The backup plan should be based upon the business needs and corresponding policy, and it should have supportive documentation that provides procedures for proper restoration of data. Backup frequency should be informed by business needs and description of restore point objectives. Care should be taken to adequately protect backup media and information from disclosure, alteration, or destruction by means of proper physical, logical, and administrative tools. A test plan should be written to frequently test restores to provide assurance that the backups are functioning as intended; remember, your backup is only as good as your last restore.
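The closing point, that a backup is only as good as the last restore, is best enforced by a restore test that runs automatically. The following is an added example, not from the guide: it builds a constructed sample tree, backs it up to a tar.gz, records a SHA-256 manifest at backup time, restores into a separate directory and compares every file against the manifest, with a flag that simulates a silently altered restore so the check can be seen to fail. The file contents, paths and archive format are assumptions made for this example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict

# Constructed sample data standing in for a system's files (not from the guide).
SAMPLE_FILES = {
    "config/app.yaml": b"db_host: db.internal\n",
    "data/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "data/empty.txt": b"",
}


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a tar.gz of source and return the manifest recorded at backup time."""
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return manifest(source)


def restore_backup(archive: Path, target: Path) -> None:
    """Extract into target, refusing any member that would land outside it."""
    base = target.resolve()
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target / member.name).resolve()
            if dest != base and base not in dest.parents:
                raise ValueError(f"refusing to extract outside target: {member.name}")
        tar.extractall(str(target))


def verify_restore(expected: Dict[str, str], restored: Path) -> Dict[str, str]:
    """Compare the restored tree with the backup-time manifest; {} means it matches."""
    actual = manifest(restored)
    problems = {}
    for rel, digest in expected.items():
        if rel not in actual:
            problems[rel] = "missing after restore"
        elif actual[rel] != digest:
            problems[rel] = "content differs after restore"
    for rel in actual.keys() - expected.keys():
        problems[rel] = "unexpected extra file"
    return problems


def run_restore_test(corrupt: bool = False) -> Dict[str, str]:
    """Full cycle: build sample tree, back up, restore elsewhere, verify.
    corrupt=True simulates a restore that silently altered one file."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        for rel, content in SAMPLE_FILES.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        archive = Path(tmp, "backup.tar.gz")
        expected = create_backup(source, archive)
        restore_backup(archive, restored)
        if corrupt:
            (restored / "data" / "customers.csv").write_bytes(b"id,name\n")
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean restore problems:", run_restore_test())
    print("corrupted restore problems:", run_restore_test(corrupt=True))
```

The manifest is the piece worth keeping alongside the archive: without a digest captured at backup time, a restore test can only show that files came back, not that they came back unchanged.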

Training and Awareness

PPT Training and Awareness: List the roles and responsibilities that should be addressed through training and awareness.


NIST SP 800-50 states, “The most significant difference between
training and awareness is that training seeks to teach skills, which
allow a person to perform a specific function, while awareness
seeks to focus an individual’s attention on an issue or set of issues.”
The structure, development, priorities, and efficacy of a training and awareness program are entirely dependent on the organization’s policy, strategy, and distribution. An initial and continuous needs assessment determines the strategy that is formulated for the training.
A needs assessment is a process that can be used to determine an
organization’s awareness and training needs. The results of a needs
assessment can provide justification to convince management to
allocate adequate resources to meet the identified awareness and
training needs. In conducting a needs assessment, it is important
that key personnel be involved. At a minimum, the following roles
should be addressed in terms of any special training needs:
• Executive management: Organizational leaders need to fully understand directives and laws that form the basis for the security program. They also need to comprehend their leadership roles in ensuring full compliance by users within their units.
• Security personnel (security program managers and security officers): These individuals act as expert consultants for their organization; therefore, they must be well educated on security policy and accepted best practices.
• System owners: Owners must have a broad understanding of security policy and a high degree of understanding regarding security controls and requirements applicable to the systems they manage.
• System administrators and IT support personnel: Entrusted with a high degree of authority over support operations critical to a successful security program, these individuals need a higher degree of technical knowledge in effective security practices and implementation.
• Operational managers and system users: These individuals need a high degree of security awareness and training on security controls and rules of behavior for systems they use to conduct business operations.
The question to be answered when beginning to develop material for a
specific training course is, “What skill or skills do we want the audience
to learn?” The awareness and training plan should identify an audience,
or several audiences, that should receive training tailored to address
their IT security responsibilities.
There are a variety of sources of material on security awareness that can
be incorporated into an awareness program. The material can address a
specific issue, or in some cases, can describe how to begin to develop
an entire awareness program, session, or campaign. Sources of timely
material may include the following:
• Email advisories issued by industry-hosted news groups, academic institutions, or the organization’s IT security office
• Professional organizations and vendors
• Online IT security daily news websites
• Periodicals
• Conferences, seminars, and courses

Awareness material can be developed using one theme at a time or created by combining a number of themes or messages into a presentation. For example, a poster or a slogan on an awareness tool should contain one theme, while an instructor-led session or web-based presentation can contain numerous themes. (Dissemination techniques are covered in greater depth in Section 5.) Regardless of the approach taken, the amount of information should not overwhelm the audience. Brief mention of requirements (policies), the problems the requirements were designed to remedy, and actions to take are the major topics to be covered in a typical awareness presentation. Continuous feedback loops are important to maintain training and awareness relevance, cultural change, compliance, and impact.


Disaster Recovery (DR) and Business Continuity (BC)

Disaster recovery (DR) is a component of business continuity (BC). DR is designed for the technical recovery of systems during a disaster. BC addresses all elements of business resiliency during a disaster, both technical and non-technical. Testing the effectiveness of the business continuity and disaster recovery (BCDR) planning is imperative to have assurance of the continuance of business. The suggested testing techniques, processes, and methodologies are addressed in Domain 7.


Module 4: Test Output and Generate Report

PPT Test Output and Generate Report: Introduce the participants to the “Test Output and Generate Report” module.

Module Objectives
1. Recognize relevant procedures to protect sensitive information when utilizing test data.

PPT Module Objectives: Introduce the module objectives.


Protection of Test Data


PPT Protection of Test Data: Review the guidelines for protecting test data.

ISO 27002:2013 control 14.3.1 specifies the protection of test data. Organizations are admonished that use of personally identifiable data or that which is confidential should be avoided. If an organization must use personally identifiable information (PII) for testing, then they should be careful to remove sensitive details. Additional guidelines include the following:
• Verifying that the access control procedures utilized in production procedures are used in testing procedures.
• Every time there is a need to use production data in testing environments, there is an individual and separate request for each use instance.
• Whenever the testing is completed, the sensitive information should be completely erased.
• Logs should trace the copying of production data to testing environments, and such logging should be used to form an audit trail.
All test outputs from systems that house sensitive data should also
carry appropriate classification labels. Labels that are used to
classify test data should conform to the standard labeling
procedures that accompany production environments. Any
contractors that are working to support the testing efforts should
have proper awareness of the labeling procedures to apply to test
data. Due diligence should be maintained to limit the amount of
information contained in outputs.
Periodic reports should be generated from the test output data. Reports that are generated from the test output process should be reviewed with the same consistent frequency that is used in production environments. Reviews should be done to illuminate errors, process violations, and the leakage of sensitive information.
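An added example, not from the guide, of the test data guidelines above applied in code: constructed, fictional production records are pseudonymised with a keyed one-way token before they are handed to a test environment, each copy request produces one JSON audit line carrying the request identifier, requester, purpose and classification label, and a release check confirms that no original PII value survives in the export. The record layout, field names, key handling and label text are assumptions made for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample of production records (fictional people, not real data).
PRODUCTION: List[Dict] = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "national_id": "123-45-6789", "plan": "gold", "balance": 120.50},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.net",
     "national_id": "987-65-4321", "plan": "basic", "balance": 0.0},
]
PII_FIELDS = ("name", "email", "national_id")
# Hypothetical per-environment key; in practice it lives in a secret store and is
# never checked into source.
PSEUDONYM_KEY = b"test-environment-key-placeholder"


def pseudonym(value: str, field: str) -> str:
    """Keyed one-way token: equal inputs map to equal tokens (joins still work),
    but the original value cannot be recovered from the token."""
    tag = hmac.new(PSEUDONYM_KEY, f"{field}:{value}".encode(),
                   hashlib.sha256).hexdigest()[:12]
    return f"{field}_{tag}"


def mask_record(record: Dict) -> Dict:
    """Copy a record with every PII field replaced by its pseudonym."""
    masked = dict(record)
    for field in PII_FIELDS:
        if field in masked:
            masked[field] = pseudonym(str(masked[field]), field)
    return masked


def export_for_testing(records: List[Dict], request_id: str, requester: str,
                       purpose: str, now: Optional[datetime] = None) -> Tuple[List[Dict], str]:
    """Mask all records for one approved copy request and return the masked
    records together with the audit-trail entry (one JSON line) for that copy."""
    masked = [mask_record(r) for r in records]
    entry = {
        "event": "production_data_copied_to_test",
        "request_id": request_id,
        "requester": requester,
        "purpose": purpose,
        "records": len(masked),
        "fields_masked": list(PII_FIELDS),
        "classification": "CONFIDENTIAL-TEST",   # label carried by the test data set
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
    }
    return masked, json.dumps(entry, sort_keys=True)


def leaks_pii(masked: List[Dict], originals: List[Dict]) -> bool:
    """Release check: True if any original PII value survives in the export."""
    secrets = {str(o[f]) for o in originals for f in PII_FIELDS if f in o}
    return any(str(v) in secrets for m in masked for v in m.values())


if __name__ == "__main__":
    exported, audit_line = export_for_testing(PRODUCTION, "REQ-0042", "qa-lead",
                                              "regression run")
    print(audit_line)
    print("PII leaked:", leaks_pii(exported, PRODUCTION))
```

Non-PII columns such as plan and balance are left intact so the test data still behaves like production data, while the audit line gives the per-request trace the last guideline asks for; erasing the export when testing ends remains a separate step.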


Module 5: Conduct or Facilitate Security Audits

PPT Conduct or Facilitate Security Audits: Introduce the participants to the “Conduct or Facilitate Security Audits” module.

Module Objectives
1. Define the process of a service provider audit.
2. Associate the appropriate use of an audit type based upon the business support requirements.

PPT Module Objectives: Introduce the module objectives.


Service Organization Control (SOC) 2 and SOC 3

PPT Service Organization Control (SOC) 2 and SOC 3: Note the five Trust Services Principles and Criteria for Service Organization Control (SOC) 2 and 3.

Service Organization Control (SOC) 2 and SOC 3 reports use the Trust Services Principles and Criteria, a set of specific requirements developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), to provide assurance beyond internal controls over financial reporting (ICOFR). The Trust Services Principles and Criteria are specifically defined for the following:
• Security
• Availability
• Confidentiality
• Processing integrity
• Privacy
This has been done in a modular way so that an SOC 2 or SOC 3 report could cover one or more of the principles depending on the needs of the service provider and its users.

PPT SOC 1: Define SOC 1 audit and purpose.
PPT SOC 1 and 2: Define SOC 1 and 2 audit and purpose. Contrast and compare differences.

In contrast, SOC 1 reports require that a service organization describe its system and define its control objectives and controls that are relevant to users’ internal control over financial reporting. An SOC 1 report generally should not cover services or control domains that are not relevant to users from an internal controls over financial reporting (ICOFR) perspective, and it specifically cannot cover topics such as disaster recovery and privacy.
SAS 70 consisted of Type I and Type II audits. This has been carried over to the SOC audit reports.
• Type I: report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
• Type II: report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.


SOC 2/SOC 3 Criteria

For first-time SOC 2 reports, starting with the security principle is often the most practical approach. Security is the most common area of user focus, and the security criteria in large part form the foundation for the other trust services principles.
In addition, the security criteria are relatively consistent with the requirements of other security frameworks such as ISO 27001. If the organization already has a security program based on a standard such as ISO 27001 or if it historically completed an SAS 70 examination that covered IT controls at a detailed level, many of the security criteria topics may already be addressed.
Security
• IT security policy
• Security awareness and communication
• Risk assessment
• Logical access
• Physical access
• Security monitoring
• User authentication
• Incident management
• Asset classification and management
• Systems development and maintenance
• Personnel security
• Configuration management
• Change management
• Monitoring and compliance

Security and Availability Principles and Criteria


Building upon security, availability is also a frequent area of enterprise
focus given increasing business dependencies on the availability of
outsourced systems and the desire for assurance regarding system
availability SLAs. The following are the topics covered by the security
and availability principles and criteria:
• Availability
• Confidentiality
• Processing integrity
• Privacy

Availability
• Availability policy
• Backup and restoration
• Environmental controls
• Disaster recovery
• Business continuity management

Confidentiality, Processing Integrity, and Privacy


Principles and criteria are also established for confidentiality, processing
integrity, and privacy with the covered topics summarized below.
Whereas the security criteria provide assurance regarding the service
provider’s security controls, the confidentiality criteria can be used to
provide additional detail regarding processes specifically for protecting
confidential information.
Confidentiality
• Confidentiality policy
• Confidentiality of inputs
• Confidentiality of data processing
• Confidentiality of outputs
• Information disclosures (including third parties)
• Confidentiality of information in systems development

Processing Integrity
• The processing integrity criteria can be used to provide assurance regarding a wide range of system processing beyond processing that would be relevant to users from purely an ICOFR perspective, and where users cannot gain such assurance through other means, such as monitoring processes.
• System processing integrity policies.
• Completeness, accuracy, timeliness, and authorization of inputs, system processing, and outputs.
• Information tracing from source to disposition

Privacy
The privacy criteria can be used to provide assurance regarding the
effectiveness of a privacy program's controls. This can be a complex area
for organizations with multiple service offerings and geographically
diverse users. Even more so than with the other criteria areas, significant
preparation is typically required before completing an SOC 2 report that
includes the privacy principle:
l Management
l Notice
l Choice and consent
l Collection
l Use and retention
l Access
l Disclosure to third parties
l Quality
l Monitoring and enforcement
A cloud-based enterprise resource planning (ERP) service historically
would have provided an SAS 70 report because it provided a core
financial reporting service to users. It is likely that it would continue to
provide an SOC 1 report for that same reason. However, it may also
have a need to provide an SOC 2 or SOC 3 Security and Availability
report to address user assurance needs specific to cloud services.
Many data center colocation providers have historically completed SAS 70
examinations limited to physical and environmental security controls.
However, most data center providers host much more than just customers’
financial systems. As a result, leading providers are moving toward SOC 2
security reporting. Some service providers incorporate supporting
environmental security controls within their SOC 2 security report,
whereas others also address the availability criteria, depending on the
nature of their services.
For IT systems management, which can include general IT services
provided to a portfolio of users as well as customized services provided
to specific users, SOC 1 or SOC 2 reporting could be applicable,
depending on whether users’ assurance needs are more focused on
ICOFR or security/availability.
At the other end of the spectrum, there are services that are operational and
technology focused with very little, if any, direct connection to users’ ICOFR.
For example, these types of outsourced services are unlikely to be included
within a public company’s Sarbanes–Oxley (SOX) 404 scope. Users of these
services are typically most concerned about security of their data and
availability of these systems, which can be addressed by an SOC 2 or SOC 3
report covering security and availability. Where applicable, SOC 2/SOC 3
reports can cover confidentiality, processing integrity, and/or privacy as well.

SOC 2 is also potentially applicable for any organization that is storing
and processing sensitive third-party data. Where there is a need to
demonstrate to third parties that effective security and confidentiality
controls are in place to protect that information, SOC 2 and SOC 3 provide
a mechanism for providing assurance. Through the system description in the
report, the organization clearly describes the boundary of the "system,"
and the examination is then performed based on the defined trust services
criteria.
Audit Preparation Phase
For service providers that have not previously completed an audit,
there is typically a two-phase process to prepare for and complete
the SOC 2/SOC 3 examination. The following listings summarize a
phased approach for first-time audits. The security professional
should start with an audit preparation phase where he or she
would collaborate with the service provider and provide guidance
to set the stage for a successful audit. The audit phase then builds
upon the understanding of the service provider’s architecture and
controls that are established in the audit preparation phase.
Audit Preparation Phase
l Define audit scope and overall project timeline
l Identify existing or required controls through discussions
with management and review of available documentation
l Perform readiness review to identify gaps requiring
management attention
l Communicate prioritized recommendations to address any
identified gaps
l Hold working sessions to discuss alternatives and
remediation plans
l Verify that gaps have been closed before beginning the
formal audit phase
l Determine the most effective audit and reporting approach
to address the service provider’s external requirements
Audit Phase
l Provide overall project plan
l Complete advanced data collection before on-site work to
accelerate the audit process
l Conduct on-site meetings and testing

l Complete off-site analysis of collected information
l Conduct weekly reporting of project status and any identified issues
l Provide a draft report for management review and electronic and hard
copies of the final report
l Provide an internal report for management containing any overall
observations and recommendations for consideration

Point of View on the Use of SOC Reports


Historically, many organizations that use outsourced services have asked
for SAS 70 reports. Few organizations understood or acknowledged that
the SAS 70 report was designed for a specific purpose: to help users
and their auditors to rely upon the controls over a service provider in
the context of the users’ financial statement and ICOFR audits. Many of
these users were concerned about areas such as security, availability,
and privacy with little or no regard for financial reporting implications.
Despite the existence of other IT/security-focused assurance tools (e.g.,
WebTrust, SysTrust, ISO 27001, etc.) that were arguably better suited for
the purpose, users continued to ask for SAS 70 reports and service
providers and their auditors accommodated.
With the replacement of the SAS 70 report with SOC reports, the
professional guidance is now clear. The AICPA has also provided
messaging to clearly explain the different types of SOC reports and
where they are applicable. In most cases, service providers that provide
core financial processing services (e.g., payroll, transaction processing,
asset management, etc.) moved to the SOC 1 report in 2011. IT service
providers that have no impact or an indirect impact on users’ financial
reporting systems have started to move to the SOC 2 report.
The SOC 3 report has been used where there is a need to communicate
a level of assurance to a broad base of users without having to disclose
detailed controls and test results. Some organizations may complete a
combined SOC 2/SOC 3 examination with two reports geared for
different constituencies.

Update and Replacements to SAS 70


Although the U.S.-based standard SAS 70 has been used extensively
outside of the United States, the International Auditing and Assurance
Standards Board (IAASB) saw fit to develop the International Standard
on Assurance Engagements 3402 (ISAE 3402) as a global standard.

The AICPA also updated the SAS 70 with a new Statement on Standards for
Attestation Engagements No. 16 (SSAE 16), which attempts to mirror ISAE
3402. (SSAE 16 has itself since been superseded by SSAE 18, effective for
service auditor reports dated on or after May 1, 2017; the report types and
section structure described here carry over.) The two types of reports that
can be issued for ISAE 3402/SSAE 16 are Type 1 and Type 2.

A Type 1 report covers a point in time: it reports on whether the controls
were suitably designed and implemented as of that date, and does not address
the operating effectiveness of the controls. Typically, a service
organization undertakes a Type 1 examination in the first year, as it may
lack the operating history and documentation to support a Type 2
examination. A Type 2 report, by contrast, tests the operating effectiveness
of the controls over a period of time (generally not less than six months
and not more than 12).
ISAE 3402/SSAE 16 share the following report structure:
l Section one: Service auditor’s independent report, also
known as the “opinion”
l Section two: Written attestation or assertion of the control
by the service organization
l Section three: Description of internal controls and control
objectives by service organization
l Section four: Service auditor’s information that includes test
of operating effectiveness
l Section five: Additional information included that the
service organization needs to supply

Module 6: Domain Review

Domain Summary
Security assessment and testing are integral to an organization managing a
portfolio of risks. Key to security assessment and testing are the ability
and competency to determine, select, tailor, optimize, and execute on
strategies that are related to exposing vulnerabilities before they are
exploited by adversaries or dysfunctional implementations. All relevant
security frameworks support developing a robust security assessment and
testing organizational plan and practice that is continually improved.

PPT: Domain Summary. Participate in review of key elements from the domain
on security assessment and testing. Engage participants in a review of key
information from this domain by discussing this scenario-based set of
questions and answers. Question slides are immediately followed by the
answer slide.


Domain Review Questions

1. If an organization's security assessment and testing plans include both
internal and external testing, in what order should the test be performed?
A. Always choose the order based upon cost/benefit analysis.
B. Internal testing should be performed first.
C. External testing should be performed first.
D. Internal and external testing should be performed simultaneously.

2. This type of testing would inform an organization of the


vulnerabilities that could be exposed by a bad actor with little or
no information about the organization’s systems.
A. Internal testing
B. Nocturnal testing
C. External testing
D. White-box testing

Scenario Questions 3–6:


Your organization develops security-as-a-service (SECaaS) software
that is consumed via your private cloud. You employ 50 developers
that practice agile discipline in releasing tools to market. A
potential client approaches your organization with the intent to
acquire your services. Before the potential client commits to a
contractual agreement, they have informed your organization that
they need to be provided with the highest degree of assurance
possible that risks to your operational effectiveness are well
contained or mitigated, and they will receive your services
delivered in the same operable form they were created in without
being changed.


3. What report would be most appropriate to answer the needs of the
potential client?
A. SOC 2 Type II
B. SOC 2 Type I
C. SOC 1 Type II
D. SOC 1 Type I

4. What report would be good for attracting additional clients yet
unknown to your business?
A. SOC 5 Type II
B. SOC 3
C. SOC 5 Type II New Client
D. SOC 5 Type I Existing Client

5. What is the difference between a Type I and a Type II SOC report?


A. Type I is developed over a time period; Type II is a snapshot.
B. There are no Type I or II reports.
C. Type I is longer than Type II.
D. Type I is concerned with control design; Type II is concerned with
control effectiveness.

6. For the potential client to understand the probability that your
department of 50 developers remains properly compensated and incentivized
to continue to support the security-as-a-service that they wish to
consume, what report might they consider?
A. SOC 2 Type II
B. SOC 2 Type I
C. SOC 1 Type II
D. SOC 1 Type I


7. To simulate a malicious agent trying to gain access to a system via a
vulnerability, which test best fits the description?
A. Misuse case
B. Penetration test
C. Use case
D. Vulnerability assessment

8. According to ISO 27002 a backup policy should define
A. How many times a tape has been used
B. Retention and protection requirements
C. All the information that can be used in business
requirements
D. Technical training for all backup administrators

9. What statement is true of key risk indicators (KRIs)?


A. Aid in monitoring emerging risks
B. Aid in understanding if goals have been met
C. Aid in shedding light on performance metrics
D. Aid in alerting when team metrics haven’t been met

10. What is the key difference between training and awareness?


A. Training is serious whereas awareness is lighthearted.
B. Training is concerned with skills, and awareness is concerned
with issue focus.
C. Training and awareness are not different at all.
D. Training is issue focus, and awareness is concerned with
skills.


Domain Review Answers

1. If an organization's security assessment and testing plans include both
internal and external testing, in what order should the test be performed?
A. Always choose the order based upon cost/benefit analysis.
B. Internal testing should be performed first.
C. External testing should be performed first.
D. Internal and external testing should be performed simultaneously.
The correct answer is C. External testing is performed first so that
knowledge gained from inside the organization does not leak into the
external test, which should reflect only what an outsider can discover.
Internal and external testing would not be done simultaneously, because the
source of an identified vulnerability could then be misattributed.
Cost/benefit analysis would not be the primary justification for choosing
which testing is performed first.

2. This type of testing would inform an organization of the


vulnerabilities that could be exposed by a bad actor with little or no
information about the organization’s systems.
A. Internal testing
B. Nocturnal testing
C. External testing
D. White-box testing
The correct answer is C. External testing is done to emulate an attacker
that is outside of the organization’s perimeter. Nocturnal testing doesn’t
exist. External testing by its definition doesn’t have insider information
that would be identified with white-box testing.


Scenario Questions 3–6:
Your organization develops security-as-a-service (SECaaS) software that is
consumed via your private cloud. You employ 50 developers that practice
agile discipline in releasing tools to market. A potential client
approaches your organization with the intent to acquire your services.
Before the potential client commits to a contractual agreement, they have
informed your organization that they need to be provided with the highest
degree of assurance possible that risks to your operational effectiveness
are well contained or mitigated, and they will receive your services
delivered in the same operable form they were created in without being
changed.

3. What report would be most appropriate to answer the needs of the
potential client?
A. SOC 2 Type II
B. SOC 2 Type I
C. SOC 1 Type II
D. SOC 1 Type I
The correct answer is A. SOC 2 reports on an organization's controls
against the trust services criteria (security, availability, processing
integrity, confidentiality, and privacy). A Type II report tests the
operating effectiveness of those controls over a period, which is the
highest degree of assurance among the options; an SOC 2 Type I would only
confirm the design of the controls at a point in time. SOC 1 is for
reviewing controls relevant to financial reporting.

4. What report would be good for attracting additional clients yet


unknown to your business?
A. SOC 5 Type II
B. SOC 3
C. SOC 5 Type II New Client
D. SOC 5 Type I Existing Client
The correct answer is B. SOC 3 is an executive summary that can
be used as a web seal to advertise a summary opinion of technical
controls. The summary can be posted to a website to advertise for
potential customers. There are no SOC 5 reports.


5. What is the difference between a Type I and a Type II SOC report?
A. Type I is developed over a time period; Type II is a snapshot.
B. There are no Type I or II reports.
C. Type I is longer than Type II.
D. Type I is concerned with control design; Type II is concerned with
control effectiveness.
The correct answer is D. Type I is concerned with control design; Type II
is concerned with control effectiveness.

6. For the potential client to understand the probability that your
department of 50 developers remains properly compensated and incentivized
to continue to support the security-as-a-service that they wish to consume,
what report might they consider?
A. SOC 2 Type II
B. SOC 2 Type I
C. SOC 1 Type II
D. SOC 1 Type I
The correct answer is C. An SOC 1 Type II report would be appropriate since
it reflects the operating effectiveness of the internal controls over
financial reporting, within which payroll and benefits management would
receive attention. SOC 1 is for reviewing financial controls; Type II
reports on the operating effectiveness of those controls over a period,
whereas an SOC 1 Type I reports on the design of the financial controls
alone. SOC 2 Type II and Type I are reports on technology security controls
within an organization.


7. To simulate a malicious agent trying to gain access to a system via a
vulnerability, which test best fits the description?
A. Misuse case
B. Penetration test
C. Use case
D. Vulnerability assessment
The correct answer is B. A penetration test is intended to test the
security state of a system as if an adversary were trying to gain
unauthorized access. A misuse case describes a misuse of a software
application from a hostile actor's point of view. A use case is proper or
expected use of a software application. A vulnerability assessment
identifies and rates weaknesses but does not attempt to exploit them.

8. According to ISO 27002 a backup policy should define


A. How many times a tape has been used
B. Retention and protection requirements
C. All the information that can be used in business
requirements
D. Technical training for all backup administrators
The correct answer is B. ISO 27002 states that a backup policy
should define retention and protection requirements. None of the
other statements are true concerning what is stated in ISO 27002.

9. What statement is true of key risk indicators (KRIs)?


A. Aid in monitoring emerging risks
B. Aid in understanding if goals have been met
C. Aid in shedding light on performance metrics
D. Aid in alerting when team metrics haven’t been met
The correct answer is A. KRIs are designed to monitor risk to take
proactive action. B, C, and D are all key performance indicator
(KPI) markers.


10. What is the key difference between training and awareness?
A. Training is serious whereas awareness is lighthearted.
B. Training is concerned with skills, and awareness is concerned with
issue focus.
C. Training and awareness are not different at all.
D. Training is issue focus, and awareness is concerned with skills.
The correct answer is B. Training is concerned with skills, and awareness
is concerned with issue focus. A, C, and D are all wrong.


Terms and Definitions

Attack surface: The set of points at which an attacker can interact with
or enter a system. Different security testing methods find different
vulnerability types across it.

Black-box testing: Testing where no internal details of the system
implementation are used.

Condition coverage: This criterion requires sufficient test cases for each
condition in a program decision to take on all possible outcomes at least
once. It differs from branch coverage only when multiple conditions must be
evaluated to reach a decision.

Covert security testing: Performed to simulate the threats that are
associated with external adversaries. While the security staff has no
knowledge of the covert test, the organization's management is fully aware
of and consents to the test.

Data flow coverage: This criterion requires sufficient test cases for each
feasible data flow to be executed at least once.

Decision (branch) coverage: Considered to be a minimum level of coverage
for most software products, but decision coverage alone is insufficient for
high-integrity applications.

Dynamic testing: When the system under test is executed and its behavior
is observed.

Loop coverage: This criterion requires sufficient test cases for all
program loops to be executed for zero, one, two, and many iterations,
covering initialization, typical running, and termination (boundary)
conditions.

Misuse case: A use case from the point of view of an actor hostile to the
system under design.

Multi-condition coverage: This criterion requires sufficient test cases to
exercise all possible combinations of conditions in a program decision.

Negative testing: This ensures the application can gracefully handle
invalid input or unexpected user behavior.

Overt security testing: Overt testing can be used with both internal and
external testing. When used from an internal perspective, the bad actor
simulated is an employee of the organization. The organization's IT staff
is made aware of the testing and can assist the assessor in limiting the
impact of the test by providing specific guidelines for the test scope and
parameters.

Path coverage: This criterion requires sufficient test cases for each
feasible path, basis path, etc., from start to exit of a defined program
segment, to be executed at least once.

Positive testing: This determines that your application works as expected.

Real user monitoring (RUM): An approach to web monitoring that aims to
capture and analyze every transaction of every user of a website or
application.

Statement coverage: This criterion requires sufficient test cases for each
program statement to be executed at least once; however, its achievement is
insufficient to provide confidence in a software product's behavior.

Static source code analysis (SAST): Analysis of the application source
code for finding vulnerabilities without executing the application.

Synthetic performance monitoring: Involves having external agents run
scripted transactions against a web application.

Threat modeling: A process by which developers can understand security
threats to a system, determine risks from those threats, and establish
appropriate mitigations.

Use cases: Abstract episodes of interaction between a system and its
environment.

White-box testing: A design that allows one to peek inside the "box" and
focuses specifically on using internal knowledge of the software to guide
the selection of test data.
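The white-box coverage criteria defined above (statement, decision/branch,
condition, multi-condition and loop coverage) are easiest to tell apart on
a concrete function. The following is an added example written for this
edition, not code from the (ISC)2 guide: a toy access decision is
instrumented with a hypothetical Probe class so that any set of test cases
can be scored against each criterion. The function, its permission names
and the three test sets are all constructed for illustration; the example
goes slightly beyond the table by showing a test set that achieves
condition coverage without achieving decision coverage.

```python
# Added example, not from the (ISC)2 guide. The Probe class, grant_access()
# and the test sets below are constructed for illustration only.
from itertools import product


class Probe:
    """Records what grant_access() exercised across one or more calls."""

    def __init__(self):
        self.statements = set()   # statement labels executed
        self.decisions = set()    # outcomes (True/False) of the compound decision
        self.conditions = {}      # condition name -> set of values it took
        self.combos = set()       # (is_admin, has_mfa) pairs seen at the decision
        self.loop_counts = set()  # iterations executed by the alert loop

    def cond(self, name, value):
        value = bool(value)
        self.conditions.setdefault(name, set()).add(value)
        return value


ALL_STATEMENTS = {"S1", "S2", "S3", "S4", "S5"}


def grant_access(probe, is_admin, has_mfa, pending_alerts):
    """Toy policy: admins with MFA get in unless a critical alert is pending."""
    probe.statements.add("S1")
    # Both conditions are evaluated explicitly (no short-circuit) so that
    # condition coverage can observe each of them independently.
    a = probe.cond("is_admin", is_admin)
    b = probe.cond("has_mfa", has_mfa)
    probe.combos.add((a, b))
    decision = a and b
    probe.decisions.add(decision)
    if decision:
        probe.statements.add("S2")
        iterations, blocked = 0, False
        for alert in pending_alerts:
            iterations += 1
            if alert == "critical":
                blocked = True
                break
        probe.loop_counts.add(iterations)
        if blocked:
            probe.statements.add("S3")
            return False
        probe.statements.add("S4")
        return True
    probe.statements.add("S5")
    return False


def loop_bucket(n):
    """Loop coverage wants zero, one, two and 'many' iterations observed."""
    return {0: "zero", 1: "one", 2: "two"}.get(n, "many")


def score(test_cases):
    """Run the test cases and report which coverage criteria they satisfy."""
    p = Probe()
    for is_admin, has_mfa, alerts in test_cases:
        grant_access(p, is_admin, has_mfa, alerts)
    return {
        "statement": p.statements == ALL_STATEMENTS,
        "decision": p.decisions == {True, False},
        "condition": len(p.conditions) == 2
        and all(v == {True, False} for v in p.conditions.values()),
        "multi_condition": p.combos == set(product([True, False], repeat=2)),
        "loop": {loop_bucket(n) for n in p.loop_counts}
        == {"zero", "one", "two", "many"},
    }


# Constructed test sets. Each row is (is_admin, has_mfa, pending_alerts).
BRANCH_AND_CONDITION = [(True, True, []), (False, False, [])]
# Each condition takes both values, yet the decision is always False:
CONDITION_NOT_DECISION = [(True, False, []), (False, True, [])]
FULL = [
    (True, True, []),                     # zero loop iterations, granted
    (True, True, ["low"]),                # one iteration, granted
    (True, True, ["low", "critical"]),    # two iterations, blocked
    (True, True, ["low", "low", "low"]),  # many iterations, granted
    (True, False, []), (False, True, []), (False, False, []),
]

if __name__ == "__main__":
    for name, cases in [("BRANCH_AND_CONDITION", BRANCH_AND_CONDITION),
                        ("CONDITION_NOT_DECISION", CONDITION_NOT_DECISION),
                        ("FULL", FULL)]:
        print(name, score(cases))
```

Running the block prints one score per test set. BRANCH_AND_CONDITION
satisfies decision and condition coverage but not statement, multi-condition
or loop coverage (the blocked branch and the loop are never reached).
CONDITION_NOT_DECISION drives both conditions through both values while the
decision itself is always False, which is the case the table's condition
coverage entry warns about: condition coverage alone does not imply branch
coverage. FULL satisfies all five criteria.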


Course Agenda
Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security

PPT: Course Agenda (2 slides). Security Operations: introduce the
participants to the "Security Operations" domain. Domain Objectives (6
slides): objectives for the "Security Operations" domain.

Domain 7: Security Operations

Overview
Domain 7 deals with aspects of security the practitioner encounters
while servicing the organization’s operational environment. The
course material addresses foundational concepts, asset protection,
incident management and response, business continuity and disaster
recovery (BCDR), and personnel security.

Domain Objectives
After completing this domain, the participant will be able to:
1. Describe the characteristics of fundamental information
security practices, such as need-to-know, job rotation,
separation of duties, and least privilege.
2. Differentiate between methods used to secure privileged
accounts and regular user accounts.
3. Describe the facets of each phase of the information
lifecycle, in order.


4. Describe the purpose and usage of a service-level agreement (SLA).
5. Describe the purpose and practice of asset inventory/asset
management.
6. Describe the reasons for and use of configuration management/change
management to include the composition of a Change Management Board (CMB).
7. List the benefits, challenges, and best ways to implement patch
management.
8. Describe techniques for securing media (and the data it contains),
including physical, logical, and administrative practices.
9. List typical threats/risks associated with protecting hardware
and software assets and common practices for countering those
threats/risks.
10. Discuss comprehensively the common aspects of organizational
security that can be tasked to third-party vendors and best
practices for securing those relationships.
11. Describe the benefits and challenges of common security
practices including the use of sandboxing, honeypots/honeynets,
and anti-malware solutions.
12. List phases of a common incident management model, and detail
the benefits/challenges associated with each phase.
13. Describe the characteristics commonly associated with
various types of investigations (administrative, civil, criminal,
and regulatory), and demonstrate familiarity with popular
investigatory standards.
14. Describe the challenges and common practices associated with
evidence collection and handling, including the chain of custody.
15. List the desired characteristics (for reporting purposes) of
evidence.
16. Describe common evidence handling techniques, including
digital forensics practices.
17. Name the characteristics and purpose of intrusion detection
systems/intrusion prevention systems (IDS/IPS).
18. Describe the purpose and challenges associated with the
employment of a security information and event management
(SIEM) system.
19. Describe, in detail, the purpose of continuous monitoring
practices and the tools currently in common use for achieving
that purpose, specifically data loss protection (DLP).


20. Describe the benefits and challenges associated with various common
backup strategies and techniques.
21. List the characteristics of common alternate operating site
strategies.
22. Describe the technologies and techniques associated with
high-availability environments, including differentiating between various
redundant array of independent disks (RAID) levels.
23. Describe, in detail, the essential elements of the business
continuity and disaster recovery (BCDR) process, including
response actions, the personnel involved, communications
strategies, the practice and risks associated with assessment
and recovery, and proper training and awareness for BCDR
purposes.
24. Describe the facets and challenges of business continuity
and disaster recovery (BCDR) planning and exercises.
25. Describe the characteristics of common types of business
continuity and disaster recovery (BCDR) tests.
26. List common security aspects of operational concerns
associated with personnel.


Domain Agenda

Module  Name
1   Foundational Security Operations Concepts
2   Securely Provisioning Resources
3   Resource Protection Techniques
4   Detective and Preventative Measures
5   Incident Management
6   Requirements for Investigation Types
7   Investigations
8   Logging and Monitoring Activities
9   Recovery Strategies
10  Disaster Recovery (DR) Processes
11  Business Continuity (BC) Planning and Exercises
12  Test Disaster Recovery Plans (DRPs)
13  Personnel Safety and Security Concerns
14  Domain Review

PPT: Domain Agenda (3 slides). Review the domain agenda.

Module 1: Foundational Security Operations Concepts

Module Objectives
1. Describe the characteristics of fundamental information security
practices, such as need-to-know, job rotation, separation of duties, and
least privilege.
2. Differentiate between methods used to secure privileged accounts and
regular user accounts.
3. Describe the facets of each phase of the information lifecycle, in
order.
4. Describe the purpose and usage of a service-level agreement (SLA).

PPT: Foundational Security Operations Concepts. Introduce the participants
to the "Foundational Security Operations Concepts" module. Module
Objectives: introduce the module objectives.


The CISSP® candidate is expected to understand some basic fundamentals of
information security practice.

Need-to-Know/Least Privilege
Need-to-know/compartmentalization: In organizations where classifications
of material and clearances of personnel are utilized to control access to
information, an additional safeguard is usually necessary: the concept of
"need-to-know," often referred to as compartmentalization. Strictly
speaking, someone should not have access to information unless their job
description requires it (need-to-know can be viewed as one aspect of least
privilege).

PPT: Need-to-Know/Least Privilege. Explain each of these crucial concepts.
Pay particular attention to the difference between least privilege and
need-to-know, because students often have a difficult time understanding
it.
Example: Alice and Bob, longtime friends and colleagues, both work
for an organization that has created clearance levels for its personnel
and classification levels for its assets. Alice and Bob both have Level 3
clearance, but they work in different offices on different projects.
When Bob and Alice meet for lunch, they are not allowed to discuss
the details of their respective projects, even though they are both
aware that they have comparable clearance levels, and the material
they each work with is classified at the same level. Because their
projects are separate, they each do not have a need-to-know about
the other’s project.
Least privilege: No employee should have access to or authority
over any system or data unless it is necessary for the employee to
perform their job function. For example, a database administrator
may have full control over the layout and structure of a database but
does not need to be able to view the data within the database; while
this is often upsetting for the administrator, it limits the potential for
the administrator to gain knowledge of multiple organizational
efforts and projects, and thus, disclose valuable information about
operations (maliciously or inadvertently). The aforementioned job
description is crucial for determining least privilege of each position
and role within the organization.

Separation of Duties
Separation of duties: As a means to attenuate possibilities for corruption and theft, the organization can craft an environment where no individual person can complete an entire trusted action. The classic example is bifurcated purchasing: the purchasing manager must sign the purchase order but cannot issue a check; the accountant can issue the check but only with a purchase order signed by a manager. As with all security measures, separation of duties necessarily degrades the efficiency of operations, but with the benefit of making the process more secure.
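
The need-to-know check from the Alice and Bob example and the bifurcated purchasing rule above, as an added Python example (not code from the (ISC)2 guide); the clearance levels, project names, role names and purchase-order ids are constructed for illustration.

```python
"""Need-to-know plus clearance, and separation of duties for purchasing.

Added example, not code from the (ISC)2 guide. The clearance levels, project
(compartment) names, role names and purchase-order ids are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: int                              # e.g. Level 3
    projects: frozenset[str] = frozenset()      # compartments the job requires
    roles: frozenset[str] = frozenset()         # e.g. {"purchasing_manager"}


@dataclass(frozen=True)
class Document:
    title: str
    classification: int                         # must not exceed reader's clearance
    projects: frozenset[str]                    # compartments it belongs to


def may_read(subject: Subject, doc: Document) -> tuple[bool, str]:
    """Clearance vs classification, then need-to-know: the reader must be
    assigned to every compartment the document carries. Equal clearance alone
    (Alice and Bob) does not grant access to the other project's material."""
    if subject.clearance < doc.classification:
        return False, "clearance below classification"
    missing = doc.projects - subject.projects
    if missing:
        return False, f"no need-to-know for {sorted(missing)}"
    return True, "allowed"


class PurchaseLedger:
    """Bifurcated purchasing: one person signs the order, a different person
    issues the check, and the check requires a signed order."""

    def __init__(self) -> None:
        self.signed_orders: dict[str, str] = {}   # order id -> signer
        self.issued_checks: dict[str, str] = {}   # order id -> check issuer

    def sign_order(self, who: Subject, order_id: str) -> None:
        if "purchasing_manager" not in who.roles:
            raise PermissionError(f"{who.name} may not sign purchase orders")
        self.signed_orders[order_id] = who.name

    def issue_check(self, who: Subject, order_id: str) -> None:
        if "accountant" not in who.roles:
            raise PermissionError(f"{who.name} may not issue checks")
        signer = self.signed_orders.get(order_id)
        if signer is None:
            raise PermissionError(f"{order_id} has no signed purchase order")
        if signer == who.name:
            raise PermissionError("separation of duties: signer cannot issue the check")
        self.issued_checks[order_id] = who.name


# Constructed scenario from the text: both hold Level 3 clearance, different projects.
alice = Subject("Alice", clearance=3, projects=frozenset({"Project A"}))
bob = Subject("Bob", clearance=3, projects=frozenset({"Project B"}))
bobs_report = Document("Project B status", classification=3,
                       projects=frozenset({"Project B"}))

# Constructed purchasing roles.
manager = Subject("Carol", clearance=2, roles=frozenset({"purchasing_manager"}))
accountant = Subject("Dan", clearance=2, roles=frozenset({"accountant"}))


def purchasing_demo() -> tuple[str, str]:
    """A well-formed flow, then a dual-role user trying to do both halves."""
    ledger = PurchaseLedger()
    ledger.sign_order(manager, "PO-1001")
    ledger.issue_check(accountant, "PO-1001")
    both = Subject("Erin", clearance=2,
                   roles=frozenset({"purchasing_manager", "accountant"}))
    ledger.sign_order(both, "PO-1002")
    try:
        ledger.issue_check(both, "PO-1002")
        outcome = "not blocked"
    except PermissionError as err:
        outcome = str(err)
    return ledger.issued_checks["PO-1001"], outcome


if __name__ == "__main__":
    print(may_read(bob, bobs_report), may_read(alice, bobs_report))
    print(purchasing_demo())
```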

Instructor note (PPT: Privileged Account Management): Explain how privileged account holders pose a greater risk to the environment, and the ways we try to attenuate this risk.

Privileged Account Management
Privileged accounts are those with permissions beyond those of normal users, such as managers and administrators. Because those permissions lend the privileged user more capability to cause potential harm to the organization, privileged accounts require additional protections.

Typical measures used for attenuating elevated risks from privileged accounts include the following:
• More extensive and detailed logging than regular user accounts. The record of privileged actions is vitally important, as both a deterrent (for privileged account holders that might be tempted to engage in untoward activity) and an administrative control (the logs can be audited and reviewed to detect and respond to malicious activity).
• More advanced access control than regular user accounts. Password complexity requirements should be higher for privileged accounts than for regular accounts, and refresh rates should be more frequent (if regular users are required, for instance, to change passwords every 90 days, privileged account holders might have to change them every 30). Privileged account access might also entail multifactor authentication or other measures more stringent than regular log-on tasks.
• Temporary access. Privileged accounts should necessarily be limited in duration; privileged users should only have access to systems/data for which they have a clear need-to-know, and only for the duration of the project/task for which that access is necessary.
• Deeper trust verification than regular users. Privileged account holders should be subject to more detailed background checks, stricter nondisclosure agreements and acceptable use policies, and be willing to be subject to financial investigation.
• Greater audit of privileged accounts. Privileged account activity should be monitored and audited at a greater rate and extent than regular usage.
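
The measures above as a small audit run over constructed account records and audit-log lines: an added example, not code from the guide. The account names, the log format, the “now” timestamp and the grant windows are assumptions; the 90-day and 30-day ages are the illustrative figures from the text.

```python
"""Auditing privileged accounts against the measures listed above.

Added example, not from the (ISC)2 guide. The account records, audit-log lines
and the 'now' timestamp are constructed; the 90-day/30-day password ages are
the illustrative figures from the text, not a standard.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    last_password_change: datetime
    access_start: Optional[datetime] = None   # temporary grant window (privileged)
    access_end: Optional[datetime] = None


# Refresh cadence: stricter for privileged accounts.
PASSWORD_MAX_AGE = {False: timedelta(days=90), True: timedelta(days=30)}


def parse_log_line(line: str) -> tuple[datetime, str, str]:
    """Parse the constructed format 'ISO-timestamp account action...'."""
    ts, account, action = line.split(maxsplit=2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), account, action


def audit(accounts: list[Account], log_lines: list[str], now: datetime) -> list[str]:
    """Findings: stale passwords, privileged use outside its grant, unknown accounts."""
    findings: list[str] = []
    by_name = {a.name: a for a in accounts}
    for a in accounts:
        age = now - a.last_password_change
        limit = PASSWORD_MAX_AGE[a.privileged]
        if age > limit:
            findings.append(f"{a.name}: password is {age.days} days old, limit {limit.days}")
    for line in log_lines:
        ts, name, action = parse_log_line(line)
        a = by_name.get(name)
        if a is None:
            findings.append(f"{name}: action '{action}' by account not in the inventory")
        elif a.privileged:
            # Temporary access: every privileged action must fall inside the grant window.
            if a.access_start is None or a.access_end is None:
                findings.append(f"{name}: privileged account without a bounded access window")
            elif not (a.access_start <= ts <= a.access_end):
                findings.append(f"{name}: '{action}' at {ts.isoformat()} outside access window")
    return findings


# Constructed sample data.
NOW = datetime(2024, 4, 1, tzinfo=UTC)

SAMPLE_ACCOUNTS = [
    Account("alice", False, NOW - timedelta(days=80)),
    Account("bob", False, NOW - timedelta(days=100)),
    Account("dbadmin", True, NOW - timedelta(days=45),
            datetime(2024, 3, 1, tzinfo=UTC), datetime(2024, 3, 31, tzinfo=UTC)),
    Account("netops", True, NOW - timedelta(days=10),
            datetime(2024, 3, 20, tzinfo=UTC), datetime(2024, 3, 25, tzinfo=UTC)),
    Account("rootsvc", True, NOW - timedelta(days=5)),   # standing privileged access
]

SAMPLE_LOG = [
    "2024-03-15T10:00:00Z dbadmin ALTER SCHEMA hr",
    "2024-03-28T02:00:00Z netops CHANGE FIREWALL POLICY",
    "2024-03-16T09:00:00Z alice READ quarterly-report.pdf",
    "2024-03-17T09:00:00Z ghost DELETE audit-logs",
    "2024-03-18T03:00:00Z rootsvc ADD USER temp",
]


def run_sample() -> list[str]:
    return audit(SAMPLE_ACCOUNTS, SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```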

Job Rotation
Job rotation: The organization can implement the practice of job rotation, where all employees change roles and tasks on a regular basis. This improves the overall security of the organization in a number of ways:
• An employee engaged in wrongdoing in a specific position may be found out when the replacement takes over that position after rotation.
• The organization will have a staff that has no single point of failure; every person on a team will know how to perform all the functions of that team (to a greater or lesser extent). This can be crucial for business continuity and disaster recovery actions.
• This often improves morale, which fosters trust among employees; employees like having an increased skillset and marketability even if they don’t plan to leave the organization, and different tasks are intriguing and interesting and stave off boredom.

Instructor note (PPT: Information Lifecycle): Review the Data Lifecycle, and explain the importance of knowing each of the phases, in order.

Information Lifecycle
Data enters the organization, is utilized, and eventually (should be) destroyed. Conceptually, this progression is known as the “data lifecycle.” There are many ways to portray this evolution, but the version in Figure 7.1 is preferred by (ISC)2.

Figure 7.1: The Data Lifecycle Phases. (Diagram: the six phases arranged in a circle, in order: Create, Store, Use, Share, Archive, Destroy.)

Strictly speaking, the diagram is not a perfect representation of the path data takes through the lifecycle, because the diagram is a circle, suggesting that data is (re)created after destruction; however, destruction of data, if performed properly, should be permanent, and there should be no progression beyond that stage.

The data lifecycle stages can be described as the following:
Create: The moment the data is created or acquired by the organization.
Store: Near-time storage for further utilization; this takes place almost simultaneously with creation of the data.
Use: Any processing of the data by the organization.
Share: Dissemination of the data, typically considered outside the organization (internal “sharing” would most often be considered “Use”); this can include sale of the data, publication, and so forth.
Archive: The data is moved from the operational environment to long-term storage; it is still available for irregular purposes (disaster recovery, for instance, or possibly to replace operational data that was accidentally deleted) but is no longer used on a regular basis.
Destroy: Data is permanently removed from the organization with no way to recover it.
The organization’s security program should be sufficient to protect the data throughout all phases of the lifecycle, with proper security controls for each phase.

Instructor note (PPT: Service-Level Agreements (SLAs)): Explain what an SLA is, how it differs from the rest of the contract, how it is enforced, and review an example.

Service-Level Agreements (SLAs)
For situations where the organization contracts with an external provider for a particular service (often referred to as a “managed service”), a service-level agreement (SLA) is a preferred mechanism for ensuring both parties are satisfied with the arrangement. The SLA codifies specific performance elements with discrete, objective metrics required for fulfillment, so that the customer knows what to expect and the provider knows what to deliver.
In the IT security realm, many common security tasks are available on the open market, including (but not limited to) the following:
• Security monitoring
• Threat intelligence and warning

• Network management
• Data management
• Data center management
• Physical security
• Hardware maintenance
• Help desk
The SLA details specific performance metrics for the given service. For instance, the SLA for a managed help desk service might include the following stipulations:
• Every basic user request receives a response within 1 hour and is resolved to the user’s satisfaction within 24 hours (“basic user request” to be defined as any of the following tasks: password reset, hardware replacement, installation of approved software, or account lockout reset)
• Help desk available via email and/or telephone, 24/7 during the workweek; between the hours of 7:00 a.m. and 9:00 p.m. on weekends
and so forth.
The enforcement mechanism of the SLA is usually a financial penalty/reward mandated by the contract. Typically, if the provider successfully meets the requirements of the SLA during a certain period (a week, a month, three months, whatever), the customer must pay the agreed amount for that period. However, if during a given period the provider does not successfully meet the terms of the SLA, the customer is not required to pay the full amount of the service price, as stipulated in the contract. This incentivizes the provider to meet the SLA terms and offsets costs incurred by the customer if the task is not performed satisfactorily.
For more discussion of the SLA, refer to Domain 1 of this course.
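
Measuring the help desk stipulations above over a billing period and deriving the payment due, as an added example (not code from the guide). The 1-hour response and 24-hour resolution targets and the list of basic requests follow the text; the tickets, the monthly fee and the payment-reduction schedule are constructed assumptions, since the text leaves the schedule to the contract.

```python
"""SLA compliance and payment computation for the managed help desk example.

Added example; not part of the (ISC)2 guide. The targets and the basic-request
list follow the text; the tickets, the period fee and the reduction schedule
are constructed (a real contract stipulates its own).
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

BASIC_REQUESTS = {"password reset", "hardware replacement",
                  "installation of approved software", "account lockout reset"}
RESPONSE_TARGET = timedelta(hours=1)
RESOLUTION_TARGET = timedelta(hours=24)


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    category: str
    opened: datetime
    first_response: Optional[datetime]   # None: never answered in the period
    resolved: Optional[datetime]         # None: still open at period end
    user_satisfied: bool = True


def sla_failures(t: Ticket) -> list[str]:
    """The SLA terms this basic request failed (empty list means it was met)."""
    failures: list[str] = []
    if t.first_response is None or t.first_response - t.opened > RESPONSE_TARGET:
        failures.append("response > 1 hour")
    if t.resolved is None or t.resolved - t.opened > RESOLUTION_TARGET:
        failures.append("resolution > 24 hours")
    if t.resolved is not None and not t.user_satisfied:
        failures.append("not resolved to user's satisfaction")
    return failures


def measure_period(tickets: list[Ticket]) -> tuple[int, int, dict[str, list[str]]]:
    """Count basic requests measured, how many met every term, and per-ticket failures."""
    measured = met = 0
    failures: dict[str, list[str]] = {}
    for t in tickets:
        if t.category not in BASIC_REQUESTS:
            continue                      # non-basic work is not covered by this term
        measured += 1
        f = sla_failures(t)
        if f:
            failures[t.ticket_id] = f
        else:
            met += 1
    return measured, met, failures


def payment_due(measured: int, met: int, period_fee: float) -> float:
    """Constructed reduction schedule: full fee at >= 95 % of basic requests met,
    90 % of the fee at >= 90 %, otherwise 75 %."""
    rate = 1.0 if measured == 0 else met / measured
    if rate >= 0.95:
        return period_fee
    if rate >= 0.90:
        return round(period_fee * 0.90, 2)
    return round(period_fee * 0.75, 2)


def _ticket(n: int, category: str, response_minutes: Optional[int],
            resolve_hours: Optional[float], satisfied: bool = True) -> Ticket:
    """Build a constructed ticket opened n hours after the start of the period."""
    opened = datetime(2024, 3, 4, 9, 0) + timedelta(hours=n)
    response = None if response_minutes is None else opened + timedelta(minutes=response_minutes)
    resolved = None if resolve_hours is None else opened + timedelta(hours=resolve_hours)
    return Ticket(f"T{n}", category, opened, response, resolved, satisfied)


SAMPLE_TICKETS = [
    _ticket(1, "password reset", 10, 0.5),
    _ticket(2, "account lockout reset", 25, 1),
    _ticket(3, "hardware replacement", 40, 20),
    _ticket(4, "installation of approved software", 5, 6),
    _ticket(5, "password reset", 15, 0.25),
    _ticket(6, "account lockout reset", 90, 2),                     # late response
    _ticket(7, "hardware replacement", 30, 30),                     # late resolution
    _ticket(8, "installation of approved software", 20, 4, False),  # user not satisfied
    _ticket(9, "password reset", 5, 0.5),
    _ticket(10, "password reset", 12, None),                        # still open
    _ticket(11, "new server build", 60, 72),                        # not a basic request
]
PERIOD_FEE = 20000.00   # constructed monthly fee


def run_sample() -> tuple[int, int, dict[str, list[str]], float]:
    measured, met, failures = measure_period(SAMPLE_TICKETS)
    return measured, met, failures, payment_due(measured, met, PERIOD_FEE)


if __name__ == "__main__":
    print(run_sample())
```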

Module 2: Securely Provisioning Resources

Instructor note (PPT: Securely Provisioning Resources): Introduce the participants to the “Securely Provisioning Resources” module.

Module Objectives
1. Describe the purpose and practice of asset inventory/asset management.
2. Describe the reasons for and use of configuration management/change management, to include the composition of a Change Management Board (CMB).
3. List the benefits, challenges, and best ways to implement patch management.

Instructor note (PPT: Module Objectives): Introduce the module objectives.

Asset Inventory/Asset Management

Instructor note (PPT: Asset Inventory/Asset Management): Review the importance of the inventory, what should be included, and how it is used in managing risk.

The organization must determine what assets the organization has in order to properly protect those assets. (It is also vital to assign value to the assets to know how much protection each asset requires; too much protection is wasted expense and undermines the value of the asset, and too little protection puts an asset at undue risk.) This effort is known as asset management, and the primary tool is the asset inventory.
Asset management entails a formalized process for selecting, acquiring/developing, maintaining, and disposing of all assets within the organization. If designed properly, the asset management process should also include security elements in each step. A typical implementation of this activity is explained in the discussion of configuration management, later in this module.
The asset inventory is a comprehensive, detailed log of all assets within the organization. This should include durable materials (such as IT hardware, production materials, finished goods, and even office furniture), intellectual property (including software, processes, data, brand identity materials, and so forth), and personnel. The asset inventory is often created during and in conjunction with the business impact analysis (BIA) effort (see Domain 1 for more discussion of that topic).
When possible, the asset inventory should reflect the following:
• Asset owner
• Asset location (logical location, physical location, and its location in the organizational hierarchy, as applicable)
• Asset value (either market value or acquisition price/cost; this is usually determined by the asset owner at the time of acquisition/development)
• Annual cost of maintenance
• Projected duration of the asset lifespan
• Asset security classification, if relevant
• Any other pertinent information about the asset; this could include dependencies on other assets, the office/entity responsible for maintaining the asset, etc.
Because the asset inventory can and should include all these characteristics and values, a database is often used to maintain the asset inventory.
The asset inventory also serves other security efforts, such as mapping controls to assets, providing audit artifacts, and serving as proper documentation for business continuity and BCDR plans and processes. Backup copies of the asset inventory should be maintained and stored in more than one place, including the data archive, and with any BCDR/relocation kits.

Configuration Management

Instructor note (PPT: Configuration Management and Change Management, 3 slides): Explain the purpose, process, and composition of the CMB. Review some best practices for security practitioners involved in the CMB.

To properly enact an asset management process, many organizations enact a configuration management/change management program, especially for IT assets. (Under some schemas, such as ISO certified environments, the use of proper configuration management is required, not optional.)
Simply put:
Configuration management is a formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment). This almost always also entails the pursuit of a secure baseline; that is, an asset template created before or during the acquisition of a new asset that includes the proper settings/security controls for that asset, such that the asset is secure when it is deployed in the production environment, and its normal use does not cause undue/unexpected risk.
Change management is a formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.
In many organizations, the efforts of configuration management and change management are combined; this is a reasonable measure because changes to the environment are just configuration modifications. It is also cost-effective because many of the same resources (specifically, particular personnel and time) used in one are also used in the other.
Typically, the process involves a Change/Configuration Management Board (CMB): a group of stakeholders who participate in regular meetings to review requests to modify the environment or make an exception to the baseline. Modification requests normally come from departments, managers, and users within the organization, and include desired changes such as adding components/systems to the environment, creating exceptions to security control mechanisms, granting access to a particular system/data set, and so forth.
A typical CMB process might be described as the following:
• Request
• Review
• Recommend
• Implement
• Monitor/administration
• Disposal

The CMB should be responsible for annotating and updating the asset inventory to reflect the current environment accurately.
All organizational stakeholders should be represented in the CMB so that sufficient information exists regarding potential ripple effects that could result from a suggested change, including new or enhanced risk(s). Typical composition of the CMB includes representatives from various departments/groups/offices in the organization, such as:
• IT department (which may have several representatives, reflecting the many functions of IT in modifying the environment, such as network and system administrators and Help Desk)
• Senior management
• Security office
• User community
• General counsel
• Accounting/finance
• Human resources (in some cases)

The role of the security practitioner in the CMB is extremely crucial; it involves guidance of the process and use of subject matter expertise to inform the other members regarding the state of the industry (current tools and techniques), pending and applicable legislation that might affect the organization as a whole and the requested modification in particular, and potential threats and vulnerabilities the board may not have considered.
From a pragmatic standpoint, it serves the organization (and the security practitioner’s role) best not to deny a request unilaterally and definitively; that is, “Don’t say ‘no.’” Security and operations are already adversarial, by their respective natures; it’s best not to introduce organizational politics into this formative conflict if at all possible (human nature has to be considered in security practice, as well: telling someone “no” does not create a cooperative situation). Instead, the security practitioner should take the request into consideration and define the various risks and costs associated with the requested change, if the change were to be implemented: saying “yes, but...” instead of “no.”
For example, if an operational office wants to put a new system into the organization’s IT environment, the security practitioner should not deny the request but instead explain that the implementation of the new system will incur new risks to the organization. Then the security

practitioner can offer suggestions of security mechanisms that might be used to offset these risks and present the continual costs of those mechanisms (continual costs because security is a process, and there is usually no single, up-front price to be paid to secure a system; the system must instead be part of the ongoing security effort, including long-term maintenance and enforcement). If the requesting office still wants to put the system in place, and is willing to absorb the security cost burden, and senior management approves of the new risks to the organization (offset by the benefits offered by the new system), then the security practitioner best serves the organization by working to implement the system in a secure manner.

Patch and Vulnerability Management

Instructor note (PPT: Patch and Vulnerability Management, 3 slides): Explain the issues and risks associated with patch management, review a typical patching process, and explain how vulnerability management is utilized to enhance the patching effort.

Patch management/vulnerability management is one form of configuration/change management that is initiated by entities outside the organization.
Patches are updates to the existing IT environment, usually for software, but sometimes hardware and firmware as well, typically issued by the original vendors but sometimes by third parties. Typically, patches are intended to fix security flaws or enhance performance.
Patches can be perceived as originating in one of two ways: routine and reactive. Routine patches are regularly scheduled events with a comparatively low threshold of criticality (which is not to say that some routine patches are not critical to the function and secure operation of the systems receiving the patch, but routine patches are often less time-sensitive than reactive patches). Vendors may publish patches on a regular basis for their products; for instance, Microsoft is well known for its practice of “Patch Tuesday,” the regularly scheduled day for routine patches.
Reactive patches, on the other hand, are usually created and published in response to a recently discovered threat or vulnerability to/in a given product. For instance, if a new attack occurs successfully and the analysis of that attack determines that it was only possible because of a given flaw in a certain product, the vendor of that product might quickly craft an update to the product and offer it to customers so that the product might remain viable for operational purposes without retaining the new risk due to that type of attack.

The practice of patching systems, while necessary to ensure a continually secure environment, entails its own set of challenges. These include the following:
• Interoperability: A patch to a given system might conflict with the proper function of another system or systems that have some interrelated dependency on or for the patched system. The organization might apply the patch and then discover that this causes an outage for another system/process within their environment. Vendors cannot possibly create patches that will work properly in all environments where their products are deployed, because the vendors do not know all the circumstances of every organization that uses their products.
• Poorly crafted patches: If a patch is not designed and created properly, the implementation of that patch might degrade system performance, cause the aforementioned interoperability problems, or even introduce new vulnerabilities and risks to the environment. This is particularly true for reactive patching, but it can also result from routine patches.
• Required downtime: Patches often require a reboot of the affected systems to properly take effect; this can interrupt the organization’s operations and incur additional costs.
• Added expense: In addition to the previous point, the very act of patching entails its own expense: the time of the administrator(s) performing the patch function and the resources necessary to do so properly (as will be explained later in this module, the formal patch process requires significant attention and effort if done properly). This cost should be factored into the consideration of the original system by the CMB, as described earlier in this module.
• Virtualization-specific concerns: Virtualization is the practice of running multiple software-based hosts on a single device; virtualization allows for resource optimization and pooling, rapid scalability, and ease of configuration/replication. Cloud computing, for instance, is a viable financial endeavor because the use of virtual machines allows a limited number of devices to service an almost unlimited number of customers. However, virtualized machines in storage are saved only as snapshotted files, and therefore cannot receive patches while stored. Therefore, any stored virtual machines must run configuration-verification checks upon reinstantiation to ensure security through version control.
• Timing: Because of the aforementioned outage problems/reboot requirements, organizations that operate across multiple time zones are at a particular risk of not applying patches uniformly throughout their environment(s).

The industry has responded to these challenges with a fairly standard patching process; each organization should create a patching policy/program/process that best suits its needs, taking the following concepts into consideration.
The following might be included in a formal patch process:
• Receiving notice of the patch: This might come in the form of an announcement from the vendor(s), a third party (such as an anti-malware or business threat intelligence provider), or via general news sources. The organization should have a regular (at least daily) process in place to observe and analyze these sources.
• Determining applicability: Because not every organization uses products in the same way (and with different dependencies/interrelated products), not every patch is applicable to every customer who owns the targeted system. The organization should have a patch analysis process with an office/role specifically assigned to perform this function for each proposed patch.
• Determining potential impacts: If a patch is determined necessary/applicable, the next step is to figure out what other systems might be affected if the patch is implemented and what additional risks this might entail.
• Testing the patch: The organization should have a sample test bed that mimics the production environment (on a smaller scale; while every interdependency should be reflected in the test environment, not every machine needs to be replicated on a one-to-one basis). The test environment should be kept both logically and physically isolated (“air-gapped”) from the production environment. The patch should be applied in that test environment to determine whether it will cause any interoperability problems in the production environment.
• Perform a full backup prior to application: Even after testing, the patch might cause unforeseen issues upon actual implementation; the organization should have the capability to roll back to a previous version of the environment (before the patch) so as not to lose any data/transactions/capabilities.
• Apply the patch: This should be done in accordance with vendor/issuer instructions, industry best practices, and the organization’s own formal process.
• Confirm installation of the patch for all target systems: This can be done with automated tools designed for the purpose.

• Solicit/receive user feedback: The patch team should be ready to take input from the user community about possible operational changes/problems/issues that arise from the patch.
• Be prepared for rollback: Significant negative impact to the operational environment might entail rollback to a previous (pre-patch) state. Because rollback would, of course, involve accepting the additional risk the patch was meant to obviate, this decision requires senior management involvement.
• Document: Everything must be annotated for later reference; patching records should be included in the asset inventory.
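
The applicability, test-first ordering and confirmation steps of the process above, run over a small asset inventory, as an added example (not code from the guide). The products, versions, asset ids and the advisory are constructed; the stored-snapshot asset reproduces the virtualization concern noted earlier, and the version comparison shows why version strings must be compared numerically.

```python
"""Patch applicability and post-deployment confirmation over an asset inventory.

Added example, not code from the (ISC)2 guide. The inventory, the advisory and
all product names and version numbers are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    asset_id: str
    product: str
    version: str
    environment: str               # "test" or "production"
    stored_snapshot: bool = False  # stored VM image: not patchable while stored


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    affected_below: str   # every version strictly below this one is affected
    fixed_version: str
    reactive: bool        # reactive (emergency) rather than routine


def version_key(version: str) -> tuple[int, ...]:
    """Numeric comparison; a string comparison would rank '2.4.9' above '2.4.11'."""
    return tuple(int(part) for part in version.split("."))


def applicable_systems(inventory: list[Asset], adv: Advisory) -> list[Asset]:
    """Determining applicability: assets running the product at an affected version."""
    return [a for a in inventory
            if a.product == adv.product
            and version_key(a.version) < version_key(adv.affected_below)]


def rollout_plan(targets: list[Asset]) -> list[Asset]:
    """Test-bed systems first, then production, per the test-then-apply steps."""
    return sorted(targets, key=lambda a: a.environment != "test")


def apply_patch(inventory: list[Asset], targets: list[Asset], adv: Advisory) -> list[Asset]:
    """Simulated deployment: running targets move to the fixed version; a stored
    snapshot keeps its old version, which is why it must be re-checked on reinstantiation."""
    target_ids = {t.asset_id for t in targets}
    return [replace(a, version=adv.fixed_version)
            if a.asset_id in target_ids and not a.stored_snapshot else a
            for a in inventory]


def unconfirmed(inventory_after: list[Asset], adv: Advisory, targets: list[Asset]) -> list[str]:
    """Confirm installation: target asset ids still below the fixed version."""
    current = {a.asset_id: a.version for a in inventory_after}
    return [t.asset_id for t in targets
            if version_key(current[t.asset_id]) < version_key(adv.fixed_version)]


# Constructed inventory and advisory.
INVENTORY = [
    Asset("web-01", "AcmeWeb", "2.4.9", "production"),
    Asset("web-02", "AcmeWeb", "2.4.10", "production"),
    Asset("web-03", "AcmeWeb", "2.5.0", "production"),
    Asset("web-tmpl", "AcmeWeb", "2.4.9", "production", stored_snapshot=True),
    Asset("web-test", "AcmeWeb", "2.4.9", "test"),
    Asset("db-01", "AcmeDB", "11.2", "production"),
]
ADVISORY = Advisory("ADV-EXAMPLE-1", "AcmeWeb", affected_below="2.4.11",
                    fixed_version="2.4.11", reactive=True)


def run_sample() -> tuple[list[str], list[str]]:
    """Return (rollout order of applicable assets, assets still unconfirmed after patching)."""
    targets = applicable_systems(INVENTORY, ADVISORY)
    plan = [a.asset_id for a in rollout_plan(targets)]
    after = apply_patch(INVENTORY, targets, ADVISORY)
    return plan, unconfirmed(after, ADVISORY, targets)


if __name__ == "__main__":
    print(run_sample())
```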

Again, patch management is a form of change management. Change management is not always about irregular, unexpected modifications to the environment. In some cases, changes/patches are fairly routine. While the organization should have a formal configuration/change management policy/process in place that reviews each change and approves those deemed viable, the CMB might grant blanket approval, without individual review, for routine changes that don’t exceed a certain threshold. In other words, the CMB might choose to give pre-approval to routine patches and only review those changes after the fact, instead of delaying the patch process.
Likewise, the CMB may grant contingency authority to the patch team for emergency patches—those non-routine/reactive patches that are time-critical because waiting for CMB approval might leave the organization exposed to significant, unacceptable risks.
Vulnerability management is a term to describe a very similar effort but from another perspective; instead of the organization responding to new information (risks/attacks/threats) based on patches published by vendors, the organization proactively searches for vulnerabilities within its own environment (most vulnerability management efforts focus on software in particular). This is an ongoing process, as new software exploits are discovered constantly by researchers and attackers.
Vulnerability management can use automated tools such as vulnerability scanners (see Domain 1 for a more detailed discussion of vulnerability scanners); however, scanners only detect vulnerabilities known at the time of the scan, and for which the scanner has programmed definitions. Scanners do not locate vulnerabilities which have not been identified by the entity which created and updated the scanner (often termed “zero-day” exploits).
Vulnerability management can also involve manual testing with users running the software and trying to discover problems (for more detailed discussion of software security testing, see Domains 6 and 8).

Module 3: Resource Protection Techniques

Instructor note (PPT: Identification and Authentication of People, Devices, and Services): Introduce the participants to the “Resource Protection Techniques” module.

Module Objectives
1. Describe techniques for securing media (and the data it contains), including physical, logical, and administrative practices.
2. List typical threats/risks associated with protecting hardware and software assets and common practices for countering those threats/risks.

Instructor note (PPT: Module Objectives): Introduce the module objectives.

Media Management

Instructor note (PPT: Media Management): Review some of the security practices associated with media management, by control type.

In our industry, media is any object that contains data; this can include hardware embedded in a networked environment (hard drives and drive arrays), items designed for data portability (flash drives and disks), and even nonelectronic substrates (paper or microfilm/fiche, often called “hardcopy”). Like the data itself, media needs to be protected.
Using the security control types defined in Domain 1, media protection can use the following techniques/mechanisms:
• Technical/logical:
  ◦ Media can be encrypted so that the resident data cannot easily be accessed even if someone with malicious intent has physical possession of the media.
  ◦ Strong access controls can be implemented on the media itself or on the software within the media, making it resistant to unauthorized access. (For a more detailed discussion of controlling access to assets, see Domain 5, Module 1.)
  ◦ Tracking mechanisms can be embedded in the media such that, in the event the media is stolen and reconnected to another system and then the internet, the media will notify the rightful owner.
  ◦ Digital watermarks/signatures can be embedded in the content of the media, so any unauthorized replication/use can later be determined and used as evidence in legal claims.
• Physical:
  ◦ Physical access to the media itself can be severely restricted through the use of common physical protective measures (walls, door locks, guards, cameras, alarms, etc.) in a program that utilizes defense-in-depth design, multifactor authentication, and/or two-person integrity.
  ◦ The organization can implement severe media control procedures, including searching personnel as they enter and leave the workplace, metal detectors, etc.
  ◦ The media can be physically locked/adhered to a device/container, such that any attempt at removal would cause the destruction of the media itself.
  ◦ Media disposal should be done in a secure manner to avoid data remanence. (See Domain 2 for a more detailed discussion of secure destruction.)

540 Domain 7: Security Operations



• Administrative:
  o In conjunction with one or both of the other types of controls
    (physical, technical), policy and procedures can be crafted to
    restrict access to and control of media.
  o Purchase/acquisition and deployment of media can be rigidly
    controlled by a defined, formalized process.
  o Continuous monitoring and audit procedures can be used to regularly
    survey the enterprise, to identify unauthorized media in the
    environment, or to determine if any are missing.
Hardware and Software Asset Management

PPT: Hardware and Software Asset Management
Discuss secure hardware management (and its similarity to media
management), and review the methods used to ensure secure and proper
software management.

Hardware devices can be protected in the same fashion, and with many of
the same controls, as physical media (see previous discussion). It is
imperative that the organization maintain a detailed asset inventory to
ensure hardware within the environment is secure (see Module 2 in this
domain). It is also crucial that the change/configuration management
process include updates to the inventory whenever hardware is added or
removed from the environment (again, refer to Module 2 in this domain).

Software asset management involves a similar but slightly different
approach than media or hardware; media and hardware involve tangible
objects as well as data, while software is strictly electronic
information applied to the environment. Moreover, software is a form of
intellectual property (see Domain 1 for a detailed discussion of
intellectual property); therefore, it is often used under license (and
can be thought of as “leased” or “rented”) as opposed to hardware and
media that are purchased and owned by the organization.

Organizations typically employ the following practices to properly
manage software assets:

• All software in the environment must be inventoried and tracked; this
  can be included in the overall asset inventory. However, additional
  information about each software program, beyond what would be
  included for tangible assets, is vital to the security effort.
  Specifically, records of secure software baselines and versioning
  must be maintained (see Module 2 of this domain). Moreover, the
  inventory needs to reflect which software is associated with each
  device in the environment (and which version of which software, if
  there are any deviations or exceptions).
• Software operated under license (that is, software not created and
  owned by the organization) needs to be catalogued in accordance with
  the terms of the respective license(s). Typically, this involves the
  use of a software “library” and a custodian assigned to maintain
  records of licenses. The software custodian must work in concert with
  the acquisitions/finance team to know what the terms of the licenses
  are (duration, number of instances, etc.) and with the operational
  offices to determine which personnel/machines should have access to
  the software. Often, the security office is tasked with the software
  library duties.
• There should be regular vulnerability assessments for each software
  package installed in the operational environment. This optimally
  includes the use of both automated tools and manual testing.
  Vulnerability scans should sample live instances in the production
  environment, as well as checking the baseline configuration in an
  isolated test bed. Typically, this task falls to the IT and/or
  security department.
• As noted in the previous module, software must be patched and updated
  as necessary to address evolving and newly-discovered
  vulnerabilities. This task often falls to the IT department.
NOTE: Timing of patch implementation always incurs a measure of risk,
as well. Being the first organization in an industry to apply a patch
means that your organization will also be the first to realize any defects
or negative impacts resulting from a faulty patch; however, waiting to
determine if a patch is faulty (by waiting to see how the patch impacts
other organizations that apply it first) may leave the organization at risk
for the threat/vulnerability that the patch was meant to address.
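As an added illustration (not code from the guide), the following Python script reconciles a constructed software inventory against recorded secure baselines and license terms, producing the three kinds of finding the practices above call for: unauthorized software, unapproved baseline deviations, and license instance counts exceeded. Product names, hosts, versions and limits are constructed sample values.

```python
"""Reconcile a software asset inventory against secure baselines and licenses.

Added example (not from the (ISC)2 guide): the inventory, baseline and license
records below are constructed sample data. The checks mirror the practices the
text lists: every install is recorded with its version, deviations from the
secure baseline must be covered by a recorded exception, and licensed software
must stay within the instance count the custodian recorded for the license.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    version: str


@dataclass
class Baseline:
    product: str
    version: str                                   # secure baseline version
    exceptions: set = field(default_factory=set)   # hosts approved to deviate


@dataclass
class License:
    product: str
    max_instances: int
    custodian: str


# Constructed sample data: what the asset inventory says is installed.
INVENTORY = [
    Install("ws-01", "OfficeSuite", "4.2.1"),
    Install("ws-02", "OfficeSuite", "4.2.1"),
    Install("ws-03", "OfficeSuite", "4.1.0"),   # behind baseline, no exception
    Install("srv-01", "DbEngine", "12.0"),
    Install("srv-02", "DbEngine", "12.0"),
    Install("srv-03", "DbEngine", "12.0"),      # one more than licensed
    Install("ws-02", "ScreenRecorder", "1.0"),  # not in baseline or license
]

BASELINES = {
    "OfficeSuite": Baseline("OfficeSuite", "4.2.1", exceptions={"ws-09"}),
    "DbEngine": Baseline("DbEngine", "12.0"),
}

LICENSES = {
    "OfficeSuite": License("OfficeSuite", max_instances=10, custodian="secops"),
    "DbEngine": License("DbEngine", max_instances=2, custodian="secops"),
}


def reconcile(inventory, baselines, licenses):
    """Return a list of (finding_type, product, detail) tuples."""
    findings = []
    # 1. Unauthorized software: installed but unknown to baseline and license records.
    for inst in inventory:
        if inst.product not in baselines and inst.product not in licenses:
            findings.append(("unauthorized", inst.product, inst.host))
    # 2. Baseline deviation: version differs and the host has no recorded exception.
    for inst in inventory:
        base = baselines.get(inst.product)
        if base and inst.version != base.version and inst.host not in base.exceptions:
            findings.append(("baseline_deviation", inst.product,
                             f"{inst.host} runs {inst.version}, baseline {base.version}"))
    # 3. License overuse: more live instances than the license terms allow.
    counts = Counter(inst.product for inst in inventory)
    for product, lic in licenses.items():
        if counts[product] > lic.max_instances:
            findings.append(("license_exceeded", product,
                             f"{counts[product]} installed, {lic.max_instances} licensed"))
    return findings


def finding_types(findings):
    """Distinct finding categories, sorted, for a summary report."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, BASELINES, LICENSES):
        print(finding)
```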


Module 4: Detective and Preventative Measures

PPT: Detective and Preventative Measures
Introduce the participants to the “Detective and Preventative Measures”
module.

Module Objectives
1. Discuss comprehensively the common aspects of organizational
   security that can be tasked to third-party vendors and best
   practices for securing those relationships.
2. Describe the benefits and challenges of common security practices
   including the use of sandboxing, honeypots/honeynets, and
   anti-malware solutions.

PPT: Module Objectives
Introduce the module objectives.

There are many ways to implement a security program that includes
proactive security measures; the candidate should be familiar with the
following common methods and tools.

Third-Party Provided Security Services

PPT: Third-Party Provided Security Services (2 slides)
Review common security services offered by third-party providers.

As mentioned throughout the course, organizations can avail themselves
of services offered by external entities to enhance security. This is
especially true for organizations for which security is not a core
competency. For instance, an agricultural retail business might not
have the expertise and tools to create a comprehensive and thorough
security program; the core competency of that business is to sell
agricultural goods, not to secure data.

There are a variety of security services currently offered by
professional providers, including the following:

• Threat intelligence: The provider may perform open-source monitoring
  or conduct their own investigative efforts to determine what threats
  pose a risk to their clientele. This can include general threats to
  clients in a certain region or industry, or using certain products,
  or it can include threats against specific clients based on their
  operations or personnel.
• Network monitoring: Because detecting network attacks can require a
  significant degree of analysis and expertise, not all organizations
  are in the position to monitor their own environment. Network
  monitoring as a managed service can be performed remotely from the
  provider’s location, or on-site at the client’s facility.
• Physical security: Many organizations hire guard services from an
  external provider as opposed to bringing on guards as employees. This
  obviates the additional personnel burden (benefits, administrative
  costs, etc.), costs associated with training and managing those
  personnel, and with creating and running a program that might not be
  a core competency of the organization.
• Network management: While not strictly a security service, managed
  network providers are often tasked with many of the security
  functions associated with IT administration such as enforcing network
  usage policy, monitoring, patch management, asset inventory, and so
  forth. Modern managed network services include cloud computing
  hosting, discussed in-depth in Domain 3.
• Audit: Again, not strictly a security service, external audits can
  address security needs such as verification and validation,
  vulnerability scanning, certification of compliance, configuration
  maintenance, and the like.


When contracting with third-party services of any kind, it is important
to perform due diligence in the form of research about the provider’s
ability to perform the requisite tasks and maintain the necessary level
of customer satisfaction and protection of assets. This is even more
essential when the services in question involve security that requires
the client to place a great deal of trust in the provider. This often
entails (but is not limited to) the following measures:

• Review of governance: The client should review the provider’s
  approach to service provision, including security policy and
  procedures.
• Service-level agreements (SLAs): The client and provider must agree,
  explicitly, what constitutes full and accurate satisfaction of the
  terms of service. For a more detailed discussion of SLAs, refer to
  Domain 1.
• Nondisclosure agreements (NDAs): Similar to the agreement between
  employer and employee discussed in Domain 1, the provider must agree
  to protect and limit dissemination of any of the customer’s data that
  the provider may access during provision of the service. This also
  includes the provider agreeing not to take any action beneficial to
  the provider based on the customer’s information (such as using that
  information for personal financial gain).
• Insurance/bonding: Professional service providers are necessarily in
  a position to cause significant negative impact to the customer and
  should obviate that risk to build trust in the relationship. One
  technique for accomplishing this is to provide financial assurance
  that the customer will receive restitution for any damages resulting
  from the provider’s negligence/failures. Common methods include a
  form of risk transference, such as a surety bond or errors and
  omissions insurance policies.
• Audit/testing: The provider should allow the customer to perform
  surveys/reviews of the provider’s operation and the service itself;
  these can take the form of on-site audits, performance monitoring,
  penetration testing, etc.
• Strong contract language: All terms of the managed service must be
  enforceable and legitimate for all jurisdictions and applicable laws
  where the service will be rendered. This should involve exhaustive
  review by legal counsel for both parties.
• Regulator approval: As in all matters involving compliance
  requirements, any regulators that oversee the organization need to be
  informed and grant acceptance of any managed service that might
  affect compliance.

Sandboxing

PPT: Sandboxing
Explain the concepts of hardware and software sandboxing.

To determine whether a particular component (hardware or software) will
operate safely and securely in a particular environment, it is
preferable to test it under conditions that simulate that environment
but will not affect other components. We often refer to this type of
isolated test environment as a sandbox (or use the verb form to
describe the activity: sandboxing).

Two general approaches for sandboxing depend on the respective
component, hardware or software:

• Hardware sandboxing: A test environment is created that mimics the
  production environment such that the test environment contains
  representative samples of all the devices (and appropriate installed
  software) that the production environment contains. Obviously, this
  does not need to be a one-to-one ratio (else the size of the test
  environment would be the size of the production environment, which
  would be ridiculously cumbersome and expensive), but every box on the
  production network should at least be represented in the test bed.
  The test environment should have no physical connection to the
  production environment (known as air gapping), and preferably no
  logical/wireless connection, as well, so that defects or malware
  infections that affect the test environment do not contaminate the
  production environment.
• Software sandboxing: Processes are run in such a way so as not to
  affect the underlying components (the operating system (OS) or
  hardware), or other applications running on the same
  system/environment. This can be accomplished through a variety of
  methods and mechanisms. Some programming environments, such as Java,
  only allow content/applets to run in necessarily limited conditions,
  with severe restrictions, and have security tools built into the
  environment that ensure these conditions are met. Another form of
  software sandboxing involves the use of virtualization; a fully
  functional device (hardware with installed software) is simulated in
  software fully contained on a host machine—programs run in the
  virtualized (simulated) machine cannot leave that constricted space
  and affect the underlying host, other applications on the host, or
  other virtualized machines on the host.

Honeypots/Honeynets

PPT: Honeypots/Honeynets
Discuss the purpose, placement, and challenges involved with
honeypots/honeynets.

Another method for protecting the environment involves the use of
honeypots: machines that exist on the network but do not contain
sensitive or valuable data (a number of machines of this kind, linked
together as a network or subnet, are referred to as a “honeynet”).
Honeypots are meant to distract and occupy malicious or unauthorized
intruders as a means of delaying their attempts to access production
data/assets.

Honeypots also provide the organization an opportunity to observe the
attack as it is happening (without appreciable risk to the
organization) so as to better determine the nature of the attack,
possibly identify the attacker, and assess the tools and skill of the
attacker, as well as gather evidence for use later in legal action or
law enforcement response.

Typically, honeypots are placed in the network demilitarized zone (DMZ)
and should mimic the architecture of an actual environment, as well as
contain simulated assets that mimic the content of a production
environment. The attacker should presume this is a live part of the
actual network. Some managed service providers offer entire simulated
networks as honeypots with significant breadth (hundreds of simulated
devices) and granularity (including fake user accounts and credit card
data).

NOTE: Honeypots/honeynets are NOT to be considered a means to lure or
attract the attention of malicious actors; even using that language can
degrade the organization’s ability to successfully prosecute/litigate:
if a device/application is connected to public-facing infrastructure
with the intent to draw someone to it, then, legally, anyone visiting
that device/application will have a strong defense against accusations
of illegal incursion. A simple analogy: you cannot invite someone onto
your property and then have them arrested for trespassing.

NOTE: In almost all jurisdictions, “hackback” (the practice of hacking
a malicious attacker who has hacked your organization) is illegal,
often with severe penalties (for instance, in the United States, it is
simply another form of hacking, which is a felony). There is often a
temptation to use information gleaned from a honeypot to assess the
attacker’s environment or make contact with the attacker; this is
unprofessional, unethical, and usually illegal.
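As an added example (not code from the guide or from any vendor's product), this Python listener shows the passive observation role described above: it accepts connections on a port that carries no real service, records the source address and the first bytes sent, and closes without replying. The loopback bind address, the byte limit, and the two simulated probes are constructed for the stand-alone demonstration.

```python
"""Minimal low-interaction honeypot listener.

Added example, not from the guide: the listener opens a TCP port on a host
that should hold no real service, records who connected and what they sent
first, and then closes the connection. It never responds to the source, which
keeps the device a passive observation point as the text describes.
HOST, FIRST_BYTES and READ_TIMEOUT are assumed values for the demo.
"""
import socket
import threading
import time

HOST = "127.0.0.1"         # bind to loopback for the stand-alone demo
FIRST_BYTES = 256          # capture at most this much of the first request
READ_TIMEOUT = 0.5         # seconds to wait for data before closing


def record_connection(peer, data, sink, when=None):
    """Append one observation (time, source, first bytes) to the sink list."""
    entry = {
        "time": when if when is not None else time.time(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "first_bytes": data[:FIRST_BYTES],
    }
    sink.append(entry)
    return entry


def serve_once(listener, sink):
    """Accept a single connection, log it, close it without replying."""
    conn, peer = listener.accept()
    with conn:
        conn.settimeout(READ_TIMEOUT)
        try:
            data = conn.recv(FIRST_BYTES)
        except socket.timeout:
            data = b""          # a bare connect with no payload is still logged
        record_connection(peer, data, sink)


def run_honeypot(port=0, connections=1):
    """Listen on `port` (0 = ephemeral), handle N connections in a thread.

    Returns (bound_port, observation_list, thread).
    """
    sink = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((HOST, port))
    listener.listen(5)
    bound_port = listener.getsockname()[1]

    def worker():
        for _ in range(connections):
            serve_once(listener, sink)
        listener.close()

    t = threading.Thread(target=worker, daemon=True)
    t.start()
    return bound_port, sink, t


def probe(port, payload):
    """Simulate a scanner touching the honeypot (constructed for the demo)."""
    with socket.create_connection((HOST, port), timeout=2) as s:
        s.sendall(payload)


def summarize(sink):
    """Count observations per source IP, the first thing an analyst looks at."""
    counts = {}
    for e in sink:
        counts[e["src_ip"]] = counts.get(e["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    port, log, thread = run_honeypot(connections=2)
    probe(port, b"GET / HTTP/1.0\r\n\r\n")   # looks like a web scan
    probe(port, b"\x16\x03\x01")             # looks like the start of a TLS hello
    thread.join(timeout=5)
    for entry in log:
        print(entry)
    print(summarize(log))
```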

Anti-Malware

PPT: Anti-Malware
Explain the purpose, placement, and common characteristics of
anti-malware solutions.

The threat of malware is pervasive and persistent, and the means of
introducing malware into the environment remain as long as the
environment has any contact with the outside world. Therefore, a
realistic defense in depth strategy should also involve the use of
anti-malware solutions. These can take the form of hardware
implementations, software implementations, or combinations of both.


Anti-malware solutions can be installed on network devices and
individual systems, as well as mobile endpoints (including user
devices, when they are allowed to be connected to the production
environment).

It is worth noting that the same characteristics that typify
malware—software that performs unmonitored, automatic functions that
adversely impact performance and privacy, often conflicting with other
software and communicating with external parties, and sometimes
involving payment to those parties—pretty much define most anti-malware
packages, as well. The organization should, therefore, consider the
risk/benefit tradeoff of wide implementation of anti-malware solutions
and which systems/devices require the additional protection (at the
relative performance overhead cost) they offer.


Module 5: Incident Management

PPT: Incident Management
Introduce the participants to the “Incident Management” module.

Module Objectives
1. List phases of a common incident management model, and detail the
   benefits/challenges associated with each phase.

Incident Management

Incident management involves a comprehensive, multiphase process. To
approach this topic, we’ll start with a description of a typical
incident management process, then discuss each phase in detail.

PPT: Incident Management
Review the typical incident management process described on the slide.

A standard approach to incident management involves these phases:

• Detection
• Response
• Mitigation
• Reporting
• Recovery
• Remediation
• Lessons learned

Detection

PPT: Detection
Discuss the particular elements and issues associated with this phase
of the incident management process.

Obviously, the first step in handling an incident is discovering that
an incident may have taken place. Not all activities that are detected
in this phase will be determined to be actual incidents; all detection
mechanisms have the potential for reporting false positive results.
However, this step of the process involves finding the possible
incident and notifying the proper entities.

As has been discussed throughout the course, there are a variety of
methods and mechanisms for detecting possible incidents, including both
automated solutions and human involvement. These can include (but are
in no way limited to) the following:

• Intrusion detection systems (IDSs)/intrusion prevention systems
  (IPSs)
• Anti-malware solutions
• Log analysis
• Firewalls
• Vulnerability scan results
• Database activity monitors (DAMs)
• Data leak protection/data loss prevention (DLP) tools
• Digital rights management (DRM) solutions

Perhaps one of the most prolific and useful sources of incident
detection is the user community; users often realize when their
device/application has been modified in some way, even if that change
is subtle. Sometimes, this includes Help Desk involvement; the user
reports a problem to Help Desk, and a Help Desk administrator then
troubleshoots the problem and discovers something that might be a
security incident. It is crucial that the organization thoroughly
trains both the general user community and Help Desk personnel on the
methods for reporting possible incidents to the appropriate entities
(usually the security office).

NOTE: In most cases, it is preferable for the organization that even
nonthreatening activity is mistakenly reported rather than missing the
opportunity for early detection of actual incidents (overreporting is
better than underreporting). There is a cost associated with making the
appropriate determination, so this may not be true for all
organizations, but the costs of delayed response to actual incidents
usually exceed the costs of responding to innocuous activities.

NOTE: Personnel should be able to report potential incidents through a
variety of media (not just, for instance, limiting incident reports to
a web-based form) because a particular incident might attenuate a
single form of communication (if the incident affects web connectivity,
there will be no way to fill out a web-based form to report it).

Response
After the possible incident has been discovered and the proper
entities notified, the initial response commences. This step involves
determining whether the reported activity is truly an incident, is
underway, or has occurred. This portion of the management
process can also serve as a form of triage, where the incident (if it
is decided one exists) can be categorized so as to guide the
subsequent phases of the process.
This step should involve security practitioners trained and
knowledgeable in incident identification and management;
someone with experience in incident handling needs to review the
situation and, if necessary, formally declare an incident and activate
the incident response team. This does not mean, however, that
only one person should be involved in making this determination;
the security practitioner tasked with this portion of the process
should make use of any assets required to make an accurate
determination. Sources that can aid in this determination might
include other security team members (such as log or forensics
analysts), additional personnel from other departments (such as
networking and systems administrators/architects), devices (such as
the detection equipment/tools listed in the discussion of the previous
phase), and data (including possibly event logs or video feeds,
depending on the nature of the supposed incident).

Mitigation
The initial mitigation effort depends on many factors, including the
nature and breadth of the incident, the organization’s risk appetite
and critical business needs, and any policy or regulatory drivers. This
phase includes the immediate action taken upon determining an incident
has occurred/is occurring, but it will not be the final effort in
addressing the incident.

The main variables affecting how an incident is initially addressed are
the following:

• Time
• Risk
• Impact

For every organization, these factors will have different priorities.
For example, one organization might prioritize risk reduction; when an
incident is discovered, the immediate response may be to disconnect
incident is discovered, the immediate response may be to disconnect
the affected machines (and machines suspected of being affected) from
the environment so as to minimize risk, even though this may cause
additional impact (the loss of the machines from the environment affects
the availability aspect of the confidentiality/integrity/availability (CIA)
Triad). However, another organization might consider uptime paramount;
when an incident is discovered, that organization’s immediate reaction is
to track and document the incident impact without taking any action
that might reduce functionality—this incurs a greater risk (the incident
continues, and might spread) and potential increase in future impact,
but it allows the organization to maintain the greatest level of availability
at the risk of more impact to confidentiality and integrity.
The desired end state will also have some bearing on how activity is
conducted at this phase. In some organizations, eventual legal action
(prosecution or litigation) is the desired end state; in those cases, the
organization wants to gather as much information about the cause of
the incident, and anyone responsible for the incident, as possible,
which may mean leaving the environment at risk while information is
gathered. In other organizations, the desired end state might be
maximal containment, so the initial action at this phase might include
incurring significant impact to the operational environment, losing the
opportunity to gather incident data, but minimizing the potential for
additional losses from the incident.
Depending on the organization and the type of incident, this phase might
take place concurrently with the previous (response) phase. Typically,
any action taken at this phase should be the decision of the incident
manager (usually a security practitioner), and it should be informed by
the organization’s incident response policy and procedures.

The incident should be handled by a team of subject matter experts that
have insight into the various aspects of security and IT. The team
composition should include representatives from several departments,
such as the following:

• Security practitioners
• IT administrators/architects
• General counsel
• Human resources (HR)
• Public relations
• Management

Reporting

After the initial mitigation/containment action has taken place, the
incident needs to be assessed, analyzed, and reported to any other
relevant stakeholders (including management). Depending on the nature
of the incident, stakeholders may include the following:

• Customers
• Vendors
• The public
• Regulators
• Users/employees
• Law enforcement

Senior management will decide on the appropriate course of action for
the rest of the incident management process. The
incident management team should apprise senior management on
actions taken up to this point and present various possible courses
of action. The senior manager will decide how the organization
(and, specifically, the incident management team) should proceed.
NOTE: It is perfectly acceptable when the incident management
team is presenting options to senior management for the team to
explain why one option is favorable over the others; this is part of
the duties of a security practitioner and the value the security
practitioner adds to the organization.
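As an added example (not from the guide), this Python snippet encodes the time/risk/impact tradeoff from the Mitigation discussion as a scoring of candidate immediate actions under an organization's priority profile, so the team can present ranked options with a rationale to senior management as described above. The options, their scores, and the three profiles (risk-averse, uptime-first, and prosecution as the desired end state) are constructed illustrative values, not a standard.

```python
"""Rank initial mitigation options against an organization's priorities.

Added example, not from the guide. It encodes the tradeoff the Mitigation
section describes (time, risk, impact, and the desired end state) so the
incident manager can present ranked options, with rationale, to senior
management. Option scores and profile weights are assumed illustrative values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    name: str
    risk_reduction: int   # 0-10: how much ongoing risk the action removes
    availability: int     # 0-10: how much availability/operations it preserves
    evidence: int         # 0-10: how much incident data it preserves
    minutes: int          # time needed to execute the action


# Candidate immediate actions, with constructed scores.
OPTIONS = [
    Option("Disconnect affected and suspect hosts",
           risk_reduction=9, availability=2, evidence=4, minutes=15),
    Option("Monitor and document, no containment",
           risk_reduction=1, availability=10, evidence=8, minutes=5),
    Option("Image/preserve affected hosts, then disconnect",
           risk_reduction=7, availability=3, evidence=10, minutes=90),
]


@dataclass(frozen=True)
class OrgProfile:
    """Relative weights for the variables the text names (constructed)."""
    name: str
    w_risk: float
    w_availability: float
    w_evidence: float       # high when legal action is the desired end state
    w_time: float           # penalty per hour of execution time


def score(option, profile):
    """Weighted sum of the option's effects minus a time penalty."""
    hours = option.minutes / 60
    return (profile.w_risk * option.risk_reduction
            + profile.w_availability * option.availability
            + profile.w_evidence * option.evidence
            - profile.w_time * hours)


def rank_options(options, profile):
    """Return (name, score, rationale) tuples, best option first."""
    ranked = sorted(options, key=lambda o: score(o, profile), reverse=True)
    out = []
    for o in ranked:
        rationale = (f"risk reduction {o.risk_reduction}/10, availability "
                     f"{o.availability}/10, evidence {o.evidence}/10, "
                     f"{o.minutes} min")
        out.append((o.name, round(score(o, profile), 2), rationale))
    return out


def recommended(options, profile):
    """The option the team would put forward first for this profile."""
    return rank_options(options, profile)[0][0]


# Three constructed organizational profiles matching the text's examples.
RISK_AVERSE = OrgProfile("risk-averse", w_risk=1.0, w_availability=0.3,
                         w_evidence=0.3, w_time=0.5)
UPTIME_FIRST = OrgProfile("uptime-first", w_risk=0.3, w_availability=1.0,
                          w_evidence=0.3, w_time=0.5)
LEGAL_END_STATE = OrgProfile("prosecution", w_risk=0.5, w_availability=0.3,
                             w_evidence=1.0, w_time=0.1)

if __name__ == "__main__":
    for profile in (RISK_AVERSE, UPTIME_FIRST, LEGAL_END_STATE):
        print(profile.name)
        for name, s, why in rank_options(OPTIONS, profile):
            print(f"  {s:6.2f}  {name}  ({why})")
```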
NOTE: All incident management actions should be thoroughly
documented, but documentation for this aspect of the process is
especially important; when reviewed later, the options the team
presented to senior management need to be explained clearly, as does
the senior manager’s decision and the rationale for that decision.

Recovery

Once the senior manager has decided how the incident will be addressed,
the incident management team can proceed to return the environment to
normal operations, taking into account any special activity that must
be performed to contain/obviate the effects of the incident.

This phase often entails appreciable expense because the various
incident management team members expend time and resources to perform
the required actions, and other personnel in the organization may have
to take part in this activity as well (or, instead, may be affected by
the recovery activity, such that it interrupts normal productivity).
All efforts made by personnel in this phase, and any interruption to
personnel productivity, need to be documented and assessed financially
as this will be included in the overall impact cost of the incident
(which may be reportable to stakeholders, or used in attempts to
recover damages in legal efforts later).

In this phase, the team will take part in addressing the incident
itself. For instance, this might include patching systems to remove the
vulnerability that allowed an incident to occur, or removing malware
from infected systems, or involving law enforcement to deal with
criminal activity.

Remediation

After a return to normal operations, the root cause of the incident
should be addressed: what was it that allowed the incident to take
place, as an underlying problem.
For instance, if the incident was caused by malware infection, and
recovery actions removed the malware, the remediation/root cause
assessment may try to determine how the malware was introduced into
the environment in the first place: did the organization’s anti-malware
solution not detect the infection? If so, why not? Was there a failure to
update the signature base of the malware solution? If so, why? Was
there no signature definition available? If not, why not? Was this a zero-
day exploit unknown by any other malware vendors, or researchers, or
government advisory entities? Was the malware introduced by an
authorized user? Accidentally or maliciously? Was the malware not
scanned at the time it was introduced to the environment?
And so on. Typically, the practice of root cause remediation entails
asking “why?” until there are no more valid questions to ask, and the
root cause has been determined.

Once the root cause has been determined, management again needs to be
apprised of this information, in order to make a decision on how to
address the root cause. For instance, using the same example of an
incident caused by malware infection, the courses of action to address
the root cause might include changing the anti-malware update process,
choosing a new anti-malware vendor, adopting another tool to create an
additional layer of defense in depth (catching malware that was not
detected by the anti-malware solution), or amending organizational
policy to create a new administrative process for deterring the
introduction of malware or obviating the risk of it happening.

NOTE: Depending on the form the remediation takes, the jurisdiction
where the organization operates, and the form of accounting used, the
costs of remediation might also be included in the assessment of total
damages resulting from the incident. Regardless, all activity taken
during this phase needs thorough documentation in the same manner as
the rest of the incident management process.

Lessons Learned
It is extremely useful to the organization that the details of each incident management action be assessed and documented for future use. This is helpful in two ways:
• It allows the organization to better deal with the same type of incident if it ever happens again.
• It allows the organization to improve the overall incident management process for use in all future incident management activity.
It is just as important to highlight the actions that functioned correctly or achieved successful outcomes as it is to note which aspects of the incident management effort were ineffective and unsuccessful.


Module 6: Requirements for Investigation Types

Module Objectives
1. Describe the characteristics commonly associated with various types of investigations (administrative, civil, criminal, and regulatory), and demonstrate familiarity with popular investigatory standards.

Instructor notes (PPT: Requirements for Investigation Types): Introduce the participants to the “Requirements for Investigation Types” module.
Instructor notes (PPT: Module Objectives): Introduce the module objectives.


The organization will conduct different types of investigations, depending on the nature of various incidents.

Instructor notes (PPT: Requirements for Investigation Types): Introduce and explain the different possible types of incident investigations, and the requirements associated with each.

Administrative
An administrative investigation is conducted when the entirety of the process will be contained within the organization; it exists solely as an internal function. When conducting administrative investigations, the organization can follow its own policies and procedures as long as they are in compliance with applicable law(s).

Administrative investigations are usually carried out when an incident is the result of some insider activity (an authorized user acting maliciously or inadvertently, causing damage or bringing risk to the organization) and when the intended end result is a labor action (some form of punishment issued by the organization itself, such as termination of employment, demotion, warning, etc.). In such cases, the organization is within its legal rights to review and investigate the situation within its own environment.
If, however, in the course of conducting what is originally intended as an administrative investigation, the investigators determine that a criminal action has taken place, the nature and course of the investigation may have to change to reflect this; depending on the nature of the crime, the organization may or may not have the option of deciding whether to keep the investigation internal or to notify law enforcement.

Example: The network monitoring unit within the organization notes that one particular user is exceeding normal data usage patterns to a dramatic extent; where most users use the organization’s data storage capacity to save, on average, a few hundred megabytes of work data, this user has saved two terabytes of data in violation of normal operating procedures and policy. The security team is informed and an internal (administrative) investigation begins. The investigators interview the user’s manager to determine if there is a unique usage requirement for this user’s tasks, or if the user has received special permission to exceed the maximum storage capacity; the manager tells the investigators that the user has no duties that would require this amount of stored data. Further investigation reveals that the material the user has stored is large amounts of movies and games, intellectual property that the user does not own and that is the property of other parties. This situation has now been revealed to be a crime—intellectual property theft—and under the applicable laws in the jurisdiction where the organization operates, it must be reported to law enforcement. The organization no longer has the option to address the matter internally, and must formally notify the relevant law enforcement entity.

Criminal
When a crime is committed (as in the preceding example), the organization is usually required to notify the applicable law enforcement entity and allow that entity to conduct the investigation. This may not be true in all cases: some crimes, particularly where the only victim is the organization itself, may not require law enforcement involvement if the victimized party chooses to handle the matter in a nonjudicial manner. However, making this determination can be difficult and risky, and the organization should consult with legal counsel before making this decision.

When law enforcement conducts the investigation, the organization may or may not be involved in the process; this is the option of the law enforcement body. In many jurisdictions, law enforcement may request the organization to voluntarily collect or disclose information about the situation to further the investigation and build a case. Typically, the organization may opt to participate or not participate in an investigation when informally requested to do so. However, if the law enforcement entity acquires a warrant or subpoena, which are governmental/judicial orders to disclose information, then the organization must comply with the request to the fullest extent required. Any interference or negligence on the part of the organization in fulfilling mandated requests may actually constitute additional crimes: obstruction of justice, contempt of court, interfering with an investigation, and so forth.

Conversely, a law enforcement entity conducting a criminal investigation may be severely limited as to which information can be collected and considered and the methods for acquiring that information. Many jurisdictions have laws constraining law enforcement methodology and reach. The organization’s cooperation can often reveal more information than the law enforcement entity would be able to acquire without that cooperation.

Once a criminal investigation has begun, the organization’s own policies and procedures are superseded, and the organization’s investigative efforts must comply and not interfere with the law enforcement investigation.

Instructor notes (PPT: Requirements for Investigation Types (continued)): Introduce and explain the different possible types of incident investigations, and the requirements associated with each.

Civil
Unlike criminal proceedings, a civil dispute involves a court but not a prosecutor. An investigation with the intended purpose of a lawsuit should involve the same degree of documentation and adherence to detail as a criminal investigation, because the organization will not be deciding the outcome but will be trusting the court to determine if either party owes restitution to the other.

Some incidents may involve components of both criminal and civil actions; for instance, if the organization is hacked by a malicious attacker, the hack itself might be a criminal act (violating the law), and it might also cause damages for which the victim organization can sue the attacker. In these situations, the parties to the civil suit can often use the evidence collected during the criminal proceedings to support their claims. However, civil courts usually also allow a greater breadth of evidence that may be presented in a more liberal fashion than in a criminal case—some of the restrictions placed on law enforcement when collecting evidence do not apply to victims in civil cases. (For instance, a law enforcement agency might need to get a court order to conduct network monitoring on a target environment, while the owner of that environment—the victim organization—is allowed to monitor activity within the environment and present resulting data without permission from the courts.)

If an organization decides to become involved in a civil suit, it must be understood that the organization will be bearing the financial burden: attorneys’ and court fees and so forth (sometimes, depending on the case and the jurisdiction, the winning side of a civil case may transfer this burden to the loser, but this is not always true and that cost is only recovered after the court’s decision; there is still a significant up-front cost in initiating the case). This differs from criminal actions, where the government expends those costs.

Finally, another aspect to be aware of is the threshold of proof required: in civil cases, the burden of proof is usually much lower than in criminal cases (typically, civil cases are decided based on the preponderance of evidence, which means even a 51 percent/49 percent split in the evidence presented would be decided in favor of the party with 51 percent, while criminal cases usually require a much higher standard for conviction, such as “beyond a reasonable doubt”).

Instructor notes (PPT: Requirements for Investigation Types (continued)): Introduce and explain the different possible types of incident investigations, and the requirements associated with each.

Regulatory
Some investigations will be done by or on behalf of regulatory bodies. When an organization is involved in regulated activity, that activity necessarily is subject to investigation by the pertinent regulator(s).

Regulators may conduct their own investigations, require the target organization to acquire and present information to the regulator, or engage a third party to perform the investigation.

In many jurisdictions, regulatory investigation has the force of law, so it will have similar processes to criminal investigations but require a much lower threshold of access (regulators typically do not need warrants, court orders, or subpoenas to gather evidence) and a much lower burden of evidence to make findings (in some jurisdictions, such as the United States, many regulators make their own laws, perform their own investigations, have their own prosecutors, and hearings are held by the regulators’ own courts and judges).

Instructor notes (PPT: Requirements for Investigation Types (continued)): Introduce and explain the different possible types of incident investigations, and the requirements associated with each.

Industry Standards
There are many industry standards for investigations of all sorts, including IT security and data investigations; applicable standards for a given organization depend on a host of variables, such as geographic region/jurisdiction, the nature of the data in question, the business of the organization, and so forth. The following is a sample list of standards from around the world; this list is in no way comprehensive or definitive, and the candidate will not be required to memorize these standards for certification purposes. However, many of these standards include common principles and methods of execution, so the candidate is encouraged to review them for insight into professional investigation approaches and expectations.
ASIS/ANSI Investigations Standard INV.1-2015 (executive summary): https://www.asisonline.org/Standards-Guidelines/Standards/published/Documents/INV_ExecSummary.pdf
Council of the Inspectors General on Integrity and Efficiency, “Quality Standards for Investigations”: https://www.ignet.gov/sites/default/files/files/invstds2011.pdf
American Bar Association, “Standards on Prosecutorial Investigations”: https://www.americanbar.org/publications/criminal_justice_section_archive/crimjust_standards_pinvestigate.html
Australian Government Investigations Standards 2011: https://www.ag.gov.au/RightsAndProtections/FOI/Documents/AGIS%202011.pdf
ISO 27043, Information technology—Security techniques—Incident investigation principles and processes [requires payment]: https://www.iso.org/standard/44407.html


Module 7: Investigations

Module Objectives
1. Describe the challenges and common practices associated with evidence collection and handling, including the chain of custody.
2. List the desired characteristics (for reporting purposes) of evidence.
3. Describe common evidence handling techniques, including digital forensics practices.

Instructor notes (PPT: Investigations): Introduce the participants to the “Investigations” module.
Instructor notes (PPT: Module Objectives): Introduce the module objectives.


Evidence Collection and Handling
All material associated with an incident could be pertinent to an investigation and used as evidence. This includes the following:
• Data that may have been compromised.
• Systems (hardware, software, and media) that may have been compromised.
• Data about the incident (all monitoring data from assets reviewing the data/systems that may have been compromised).
• Information from people with knowledge of the incident.
• Information about the incident scene. With an IT-based incident, the incident scene can actually involve many geophysical locations and jurisdictions, including the site where the compromised systems/data resides, the location of the intruder (if unauthorized intrusion was an element of the incident), and any locations between the compromised systems and the intruder where resources were used to aid the intruder.

There are many sources and forms of evidence, and it all needs to be collected, tracked, and maintained carefully. These are some common practices for handling evidence the security professional should be aware of:
• Maintain a chain of custody. Evidence needs to be handled and maintained in a secure fashion, from the time it is collected until it is presented (usually, to a court). The chain of custody entails maintaining a record of where and when the evidence was collected, what form it is (physical, data, etc.), where and how it is stored between time of collection and presentation, and who had access to it at all times during that interval. It is imperative that the chain of custody be strictly maintained because any violation of the chain of custody introduces doubt into the sanctity of evidence that can harm the legal case the evidence is meant to support.
• Make copies of all original data/system states. Backups are vital and should be made at the bit level and without changing the data/state of the original whenever possible.
• Analysis should be performed on copies, not original systems/data, whenever possible.
• A named individual should be appointed as evidence custodian; this person will maintain the chain of custody and oversee the disposition of all relevant evidence until the matter is resolved.

Instructor notes (PPT: Evidence Collection and Handling, 2 slides): Explain possible sources of evidence that may be gathered for investigatory purposes. Discuss the crucial elements of evidence management the practitioner should understand; this may take a significant amount of time and detail to explain.
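The handling practices listed above (bit-level copies, analysis on copies only, a named custodian, and a record of who had the evidence where and when) can be turned into a small, checkable workflow. The following is an added example written for this edition of the text, not code from the (ISC)² guide or from any organization it describes; it uses a constructed evidence file, hypothetical names and locations, and one assumption that is standard forensic practice but is not stated on the page: the original and every copy are fingerprinted with a cryptographic hash, so that any unrecorded change to a copy is detectable on re-verification.

```python
"""Chain-of-custody record with integrity verification for a forensic copy.

Added example (not from the (ISC)2 guide or from JPSO). It models the practices
the section lists: bit-level copy of the original, analysis on the copy only,
a named custodian, and a record of who handled what, when, and where.
Hashing the original and each copy is an assumption (standard practice, but
not a step the guide itself states).
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only list of custody events: who did what to which item, when, where."""

    def __init__(self, custodian: str):
        self.custodian = custodian  # the named evidence custodian (hypothetical name)
        self.entries = []

    def record(self, action: str, item: str, actor: str, location: str,
               digest: str, form: str = "disk image") -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "item": item, "actor": actor,
            "location": location, "form": form, "sha256": digest,
        })

    def to_json(self) -> str:
        return json.dumps({"custodian": self.custodian, "entries": self.entries}, indent=2)


def acquire_copy(original: str, copy_path: str, actor: str, location: str,
                 log: CustodyLog) -> str:
    """Make a byte-for-byte copy of the original and prove it matches before any
    analysis touches it. Returns the shared hash; raises if the copy differs."""
    original_hash = sha256_file(original)
    log.record("hash original", original, actor, location, original_hash)
    shutil.copyfile(original, copy_path)  # bit-level copy; the original is only read
    copy_hash = sha256_file(copy_path)
    if copy_hash != original_hash:
        raise RuntimeError("copy does not match original; do not proceed")
    log.record("create working copy", copy_path, actor, location, copy_hash)
    return copy_hash


def verify_copy(copy_path: str, expected_hash: str, actor: str, location: str,
                log: CustodyLog) -> bool:
    """Re-hash a copy before results are presented; an unrecorded change shows up here."""
    current = sha256_file(copy_path)
    log.record("verify copy", copy_path, actor, location, current)
    return current == expected_hash


def demo() -> dict:
    """Run the workflow on a constructed (fake) evidence image and report outcomes."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "evidence.img")
    copy_path = os.path.join(workdir, "evidence_working_copy.img")
    with open(original, "wb") as f:  # constructed sample "image", not real evidence
        f.write(b"\x00" * 4096 + b"constructed evidence content" + b"\xff" * 4096)

    log = CustodyLog(custodian="A. Custodian (hypothetical)")
    digest = acquire_copy(original, copy_path, "analyst-1", "lab bench 3", log)
    intact_before = verify_copy(copy_path, digest, "analyst-1", "lab bench 3", log)

    # Simulate an unrecorded change to the working copy (e.g. a tool writing to it).
    with open(copy_path, "r+b") as f:
        f.seek(4096)
        f.write(b"X")
    tamper_detected = not verify_copy(copy_path, digest, "analyst-1", "lab bench 3", log)
    original_untouched = sha256_file(original) == digest

    shutil.rmtree(workdir)
    return {"intact_before": intact_before, "tamper_detected": tamper_detected,
            "original_untouched": original_untouched, "entries": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the copy verifying cleanly before analysis, a later unrecorded one-byte change to the working copy being caught on re-verification, and the original never changing; the custody log carries one entry per handling step, which is the kind of record the section says must span collection through presentation.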


Reporting and Documentation
In addition to the chain of custody and the evidence itself, all other relevant information should be documented and catalogued for presentation later. The information should be in a form and with sufficient depth to be presented to a court (in either criminal or civil cases), regulators, insurance adjusters, investors/shareholders, or other stakeholders. It should be thorough, accurate, and believable.

Reports based on and supported by evidence should contain enough information to relate the entirety of the incident/situation without the need for subjective or convoluted interpretation.

In most jurisdictions, evidence will be presented to a court in an adversarial situation: there will be two (or more) sides of a story; in criminal court, there will be a prosecutor and a defendant; in civil court, there will be a claimant and a defendant. Basically, each side is telling a story using the same facts; each side is trying to convince the court (a judge or jury) that the narrative told by their side is correct—that the evidence supports their story and not the opponent’s story. Evidence is meant to make the story believable.

When presenting evidence (especially to a court), the security practitioner should adhere to these tenets:
• Admissibility: Only evidence that is acceptable to the court may be presented. The court will inform the practitioner if some evidence is unacceptable.
• Accuracy: The evidence should be true and clear.
• Comprehensibility: Even though the organization is trying to present one particular story, the organization (or the security practitioner) cannot withhold evidence that may be contrary to that story. Keeping contrary evidence out of consideration may be a crime in some cases.
• Objectivity: The evidence should stand for itself on a factual basis. Unless called upon by the court or counsel, the security practitioner should not introduce subjective opinion.

Instructor notes (PPT: Reporting and Documentation, 2 slides): Explain how evidence will be used/presented, to whom, and what qualities that evidence should have.
NOTE: There is nothing wrong with stating the existence of alternative explanations (stories that differ from the story your organization wants to present); in fact, this is a very persuasive technique. When presenting evidence/testimony, you can explain how the organization considered alternative explanations (including your opponent’s explanation), and how, using the evidence and expert opinion/analysis, you were able to rule out that explanation and come to the conclusions you are presenting to the court. This does not detract from your case and indeed supports it.

The security professional should bear in mind that the audience (judge or jury or both) will not be IT security experts, and the presentation of the material should avoid technical jargon and complex concepts; everything should be explained without any assumptions about the audience’s understanding of basics.

In all matters involving presentation of evidence, the security practitioner should defer to legal counsel; attorneys have much more expertise and familiarity with testimony and the courts.

Instructor notes (PPT: Reporting and Documentation (continued)): Explain how evidence will be used/presented, to whom, and what qualities that evidence should have.

Investigative Techniques
There are many ways to conduct an investigation and gather evidence. The following is a basic, noncomprehensive list of common evidence-gathering techniques and some of the benefits and challenges associated with them.
• Automated capture: The organization’s monitoring activity can be used for collecting and analyzing incident data in addition to the goals of detection and performance optimization; this is especially true if the organization has a continuous monitoring program in place. Normal logging can be copied and harvested for evidentiary purposes.
• Interviews: You can solicit information from the people involved with or who have insight into an incident. However, for all organizations other than law enforcement entities, this can pose some legal challenges in many jurisdictions. Some aspects that should be considered when conducting interviews of personnel:
  ◦ Record when possible. In some jurisdictions, recording interviews can be problematic; check your local applicable laws. Be sure to notify the interview subject that the conversation is being recorded (record the notification).
  ◦ Conduct multiparty interviews. Never have a sole interviewer talk to the subject.
  ◦ Ensure preservation of the subject’s rights. Comply with all applicable laws regarding interviews. Make sure the subject is aware that they do not have to partake in the interview (even when the choice to refuse an interview will result in termination of employment). If required by law or contract, allow the subject to bring an attorney or union representative to the interview.
  ◦ Enlist trained interviewers. Not all security practitioners are familiar with interview procedures and best practices. If necessary, use an experienced contractor for this purpose.
• Manual capture: The investigator can make copies of evidence where necessary, and record specific information (including audio interviews, photographic/video capture of the incident scene and response process, and so forth) for later usage.
• External requests: Investigators can request information from external sources to collect evidence relevant to the situation. External sources might include intermediary communications entities (ISPs), government agencies, interested parties, witnesses, and so on. Requests can be formal (in the form of subpoenas) or informal (that may or may not be fulfilled, on the decision of the party receiving the request).

Instructor notes (PPT: Investigative Techniques, continued on a second slide): Discuss some of the methods and tools currently used to gather evidence, and the issues associated with each.
Instructor notes (PPT: Digital Forensics Tools, Tactics, and Procedures): Explain the challenges and issues associated with modern forensic evidence collection tools.
Digital Forensics Tools, Tactics, and Procedures
In the context of investigations, “forensics” is applying science to law. The field of digital forensics has matured in pace with information technology (IT) as a whole. There are now a variety of vendors and academic entities that certify digital forensic specialists.

Some general digital forensics principles the candidate should be aware of:
• Document everything. All actions taken by the forensic analyst (and, indeed, by anyone who has/had access to the material taken as evidence) should be thoroughly recorded and annotated. This documentation should completely address the imperative questions (who, what, where, why, and when) related to any manipulation of the evidence, where possible. The documentation should be so thorough that anyone else starting with the same original material could follow the documented process and end up with the same material resulting from analysis. Documentation should include all steps of the chain of custody, including evidence collection/capture, analysis, and storage.
• Avoid unrecorded/unintended modification. When capturing and analyzing systems/media and related data, forensic practitioners should act to preserve the original version/state of the material. This includes the use of write-blocking technology, preventing additional access from external sources, and controlling exposure to and from electromagnetic emissions. This should be combined with the previous point: all preservation efforts should be documented thoroughly.
• Collection is a sensitive process. In the “Evidence Collection and Handling” section of this module, there was discussion of this topic. When considering forensic analysis of evidence, this discussion needs to be combined with the “Mitigation” topic of the previous module in this domain: there is a tradeoff between the speed of response to minimize damage/risk and the potential for capturing/collecting significant evidence. For example, data in random-access memory (RAM) is typically extremely volatile; when the power to the system is removed or the system is shut down, the data in RAM becomes unrecoverable by ordinary means. The organization can decide whether to minimize risk/damages from an incident by shutting down affected systems as soon as possible, or the organization can choose to try to recover RAM data from affected systems but accept the risk of longer/additional exposure.
• Not an amateur endeavor. Most organizations do not have trained forensic practitioners on staff because that is a very specific discipline, requiring extensive training and experience, for an activity that is not at all common in most business endeavors. Therefore, the organization may be tempted, when forensic analysis is required, to allow someone else (a member of the security team or someone from the IT department) to perform the task; this is not recommended. Because forensic analysis requires such specific knowledge and skills, it is best to use a certified (and if need be, licensed) external contractor when necessary.

Instructor notes (PPT: Digital Forensics Tools, Tactics, and Procedures (continued)): Explain the challenges and issues associated with modern forensic evidence collection tools.
NOTE: In some jurisdictions (such as the American states of Texas and Michigan), forensic analysis cannot be performed as a service (that is, professionally for pay or fees) unless the analyst is licensed by the government (in the examples mentioned, the required license is for the profession of “private investigator”). Be sure your organization takes into account all applicable laws when crafting its own policies regarding evidence collection, analysis, and presentation.

NOTE: Many security practitioners have heard the canard “If evidence is modified, it becomes inadmissible in court.” This is not true: almost anything pertinent to the case is admissible. However, unrecorded modification of evidence introduces doubt as to the accuracy/veracity of the evidence; material that changes between the time it is collected and when it is presented to the court is less believable than original material, unless additional efforts are made. This is why documentation is so vital: if the presenter can demonstrate how original material was affected by analysis, the audience (judge/jury) will have a greater degree of belief in that evidence, and the opposing side has less ability to attack the evidence and testimony.

CASE: Jefferson Parish Sheriff’s Office Crime Laboratory Digital Forensics Unit (JPSO DFU)

Figure 7.2: JPSO DFU Seal (used with permission)

The Jefferson Parish Sheriff’s Office Digital Forensics Unit, which is in the state of Louisiana in the United States, strives to stay ahead of the curve to better serve the people of Jefferson Parish. To do this, the Digital Forensics Unit (DFU) utilizes the latest in equipment, hardware, and software. They also consistently attend advanced level training, interact with top-level professionals, and participate in certification programs, all to keep them up to date with the latest advancements in the field of digital forensics.

Instructor notes (PPT: Digital Forensics Tools, Tactics, and Procedures (continued)): Explain the challenges and issues associated with modern forensic evidence collection tools.
Instructor notes (PPT: Case): Review the case study.

Identify/Collect/Preserve Digital Evidence

Patrol officers have been trained by the DFU to identify and collect digital evidence for a criminal case. The integrity of the digital evidence begins with that first encounter by the officer. An example of preservation when it comes to mobile phones would be placing that device in the proper mode (airplane mode) to prevent signals from being sent or received. An additional option would be to place the device in a metallic-lined bag (Faraday bag). These methods help to minimize the possibility of changes occurring in the device’s memory, as well as the ability of accomplices to remotely tamper with the phones after the arrest. Officers and detectives have also been trained for on-the-scene collection to know, for all located devices, whether they need to properly shut down, not shut down, or contact a member of the team, which will ensure the analyst will be able to recover all volatile data.

Evidence Intake/Initial Review

Once digital devices are seized, they are properly packaged and transported to the crime laboratory for cataloging and storage until the examination is conducted. A digital forensic analyst retrieves the digital evidence and brings it to their laboratory to begin the examination process. Here, the devices will be documented by capturing photographs before analysis is conducted and during needed disassembly. Preservation is again very important to the examination process. The analyst, utilizing their training and experience, will determine the best course of preservation for the device(s) at hand.

Although some changes to an analyzed device/data are almost inevitable, the DFU uses tools and techniques to minimize these changes during the preservation process. For example, consider a desktop tower with an internal SATA 3.5” hard drive. The drive can be removed and replaced without damaging the memory container or desktop tower. Then, with minimal or no changes to the memory contained on the hard drive, it can be connected to a write-blocker, and forensic evidence files can be created from this hard drive.

One example where changes cannot be minimized or prevented is a mobile phone’s physical memory. The memory is soldered onto the circuit board; therefore, it can’t be physically removed without possible damage to the memory container. In most cases, an extraction is created utilizing an external data connection (USB plug or Bluetooth). With mobile phones, unless a specific method can be utilized, write-blocking is not an option. In fact, changes will need to be made on the memory to create the extraction. When mobile phones are brought to the DFU, the aforementioned metallic-lined bag, containing the device, is placed into a transparent, similarly shielded Faraday box. The forensic investigator can then access the device (manipulating its keypad/screen, plugging in connectors, etc.) via protective gloves so that the evidence is not contaminated or exposed to signals/remote connections.

Analysis/Reporting
Once the forensic evidence files have been created, they are immediately backed up to a centralized data server for preservation. From the analyst’s local forensic workstation, they will utilize the information from the investigator to determine the best course of action for the examination. The DFU has a wide variety of software suites and resources available to them. It is important to have multiple pieces of software and hardware platforms available to avoid focusing on one vendor. This also provides one of the most critical aspects of digital forensics: providing accurate information that includes the ability to verify findings. During the examination, an analyst will keep a detailed worksheet of all actions. This is mainly utilized as a reference during the report writing process. Upon completion of the examination, the analyst will create a media disk (CD/DVD) of the items related to the request. These disks will be properly packaged and labeled for submission as additional evidence. The investigator is automatically notified via lab software when the case/evidence disk(s), report, etc., are ready.


Module 8: Logging and Monitoring Activities

Module Objectives
1. Name the characteristics and purpose of intrusion detection systems/intrusion prevention systems (IDS/IPS).
2. Describe the purpose and challenges associated with the employment of a security information and event management (SIEM) system.
3. Describe, in detail, the purpose of continuous monitoring practices and the tools currently in common use for achieving that purpose, specifically data loss protection (DLP).

Instructor notes (PPT: Logging and Monitoring Activities): Introduce the participants to the “Logging and Monitoring Activities” module.
Instructor notes (PPT: Module Objectives): Introduce the module objectives.

Intrusion Detection and Prevention

PPT (Intrusion Detection and Prevention): Review IDS/IPS placement, function, and cost/benefit tradeoff.

One major area of IT security concerns the confidentiality aspect of the CIA Triad: unauthorized intrusion into the organization’s environment. Usually, when referring to “intrusion,” we are discussing unauthorized access from attackers outside the organization (not internal threats).

Security practitioners often discuss two general conceptual classes of intrusion security mechanisms: intrusion detection systems (IDSs) and intrusion prevention systems (IPSs).

Intrusion detection system (IDS): A solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access. The IDS will alert someone within the organization (usually someone in the security office or the IT department) for analysis and follow-up action.

Intrusion prevention system (IPS): A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access. It will also typically notify someone within the organization that action has been taken.

NOTE: Most modern intrusion solutions can function as either IDS or IPS; the organization configures the tool to perform in the manner optimal for the organization. The practical difference is placement: an IPS must sit inline in the traffic path so that it can drop or reset connections, which means every false positive costs a legitimate transaction, whereas an IDS can work from a copy of the traffic (a tap or mirror port) and only alert.

IDS/IPS solutions can be deployed at various physical and logical locations in the IT environment. This includes the following:
• Perimeter placement: The IDS/IPS can be placed as or with the gateway for traffic entering and leaving the environment, within the DMZ, or on the boundary of the DMZ (external facing); in this respect, it is similar to firewall placement.
• Host-based: IDS/IPS agents can be installed on various endpoint systems to detect malicious or suspect traffic between hosts; this adds a layer of defense in case an attacker was able to make it through perimeter defenses (and, although not the primary goal of IDS/IPS, may detect internal threats attempting unauthorized activity, as well).
• Network-based: IDS/IPS elements can be placed at various points of the network as a means to monitor internal traffic and recognize malicious or suspect activity internally. Like the host-based option, this can aid in efforts to create defense in depth and possibly reveal internal threats.

NOTE: The organization is not limited to a single placement choice; combining multiple placements of IDS/IPS is recommended.

IDS/IPS can detect malicious activity in a number of ways:
• Deviation (anomaly-based): The IDS/IPS can learn a standard activity baseline normal to the organization; deviations from this baseline of expected behavior are deemed suspect.
• Signature: The IDS/IPS can recognize known attack patterns in traffic and activity. A signature can only match what has already been described to it; a novel attack, or a known one obfuscated enough to escape the pattern, passes unnoticed.
• Heuristic: Machine-learning algorithms in the IDS/IPS can acquire more information about the environment as the tool operates, beyond a simple baseline. This is an advanced form of deviation analysis.
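The three detection methods above, together with the IDS-versus-IPS distinction, can be demonstrated with a small detector run over constructed web access records. This is an added example, not code from the guide or from any vendor product: the two signatures, the per-source request-rate baseline, the learning period of eight events and the sample events are all assumptions made for the illustration. Note the search request containing “union select”: it is benign, the signature flags it anyway, and in IPS mode that false positive blocks the user.

```python
import re
from collections import defaultdict

# Constructed sample of web access events (not real traffic): (timestamp, source IP, request path).
SAMPLE_EVENTS = [
    (100, "10.0.0.5", "/index.html"), (101, "10.0.0.7", "/login"),
    (102, "10.0.0.5", "/products?id=7"), (103, "10.0.0.8", "/index.html"),
    (104, "10.0.0.7", "/account"), (105, "10.0.0.5", "/cart"),
    (106, "10.0.0.8", "/products?id=9"), (107, "10.0.0.7", "/logout"),
    # traffic arriving after the learning period
    (110, "10.0.0.9", "/products?id=7 UNION SELECT user,pass FROM users"),
    (111, "10.0.0.6", "/../../../etc/passwd"),
    (111, "10.0.0.7", "/search?q=union+select+tutorial"),  # benign search that the signature will flag
] + [(112 + i // 6, "10.0.0.4", f"/page{i}") for i in range(12)]  # one host hammering the server

# Signature rules: known attack patterns (hypothetical minimal set for the example).
SIGNATURES = [
    ("sqli-union", re.compile(r"(?i)\bunion\b.+\bselect\b")),
    ("path-traversal", re.compile(r"\.\./")),
]


def signature_hits(path):
    return [name for name, rx in SIGNATURES if rx.search(path)]


class Detector:
    """Signature plus baseline-deviation detector. mode="ids" only alerts; mode="ips" also blocks the source."""

    def __init__(self, mode="ids", learn_events=8, window=5, factor=3):
        self.mode = mode
        self.learn_events = learn_events  # events used to learn the baseline before alerting on deviations
        self.window = window              # seconds over which the per-source request rate is measured
        self.factor = factor              # a rate above factor * learned peak counts as a deviation
        self.seen = 0
        self.learn_peak = 0
        self.stamps = defaultdict(list)   # source IP -> timestamps inside the current window
        self.blocked = set()

    def _rate(self, src, ts):
        s = self.stamps[src]
        s.append(ts)
        while s and s[0] < ts - self.window:
            s.pop(0)
        return len(s)

    def process(self, ts, src, path):
        """Return the list of (kind, src, detail) alerts raised for one event."""
        if self.mode == "ips" and src in self.blocked:
            return [("dropped", src, "source previously blocked")]
        alerts = [("signature", src, name) for name in signature_hits(path)]
        rate = self._rate(src, ts)
        self.seen += 1
        if self.seen <= self.learn_events:
            self.learn_peak = max(self.learn_peak, rate)  # learning period: no deviation alerts yet
        elif rate > self.factor * self.learn_peak:
            alerts.append(("deviation", src, f"{rate} requests/{self.window}s vs learned peak {self.learn_peak}"))
        if alerts and self.mode == "ips":
            self.blocked.add(src)  # an IPS acts; a false positive here cuts off a legitimate user
        return alerts


def run(events, mode="ids"):
    """Feed every event through one detector and collect all alerts it raises."""
    det = Detector(mode)
    return [a for ev in events for a in det.process(*ev)]
```

Running `run(SAMPLE_EVENTS, "ids")` yields three signature alerts (two real, one false positive) and a deviation alert for each request past the learned threshold; `run(SAMPLE_EVENTS, "ips")` raises one deviation alert, blocks that host, and then drops its remaining requests. The learned peak is whatever the first eight events happened to contain, which is why the guide warns that the tool is noisy until the baseline reflects real norms.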
It is important to note the tradeoffs associated with IDS/IPS systems, as well:
• Maintenance: Regardless of how the IDS/IPS solution detects attacks, the system will need regular maintenance. Signature-based systems will need routine updates to ensure the latest signatures are installed; systems that work from a baseline will need to be updated as necessary to reflect any modifications to the baseline.
• Overhead: As with all security measures, IDS/IPS deployment will have an impact on productivity/capacity/performance. The organization may decide to limit installation/deployment of IDS/IPS solutions to only those systems/networks that contain high-value assets.
• False positives: Every detection/response made by an IDS/IPS will also entail an impact to productivity/performance, either in terms of loss of functionality (in the cases where the security solution prevents an authorized transaction from taking place) or in time and effort undertaken by the response team to address a detected/suspected attack. In some instances, the security tool will be responding to a legitimate transaction instead of an actual attack; a “false positive” response. The cost associated with each response (including false positives) must be weighed against the potential benefit (reduced risk/impact of actual attacks).

NOTE: IDS/IPS solutions, like all tools that need to “learn” the typical activity/behavior in your environment, will not work perfectly right out of the box; there will be a time period during which the tool will have to become familiar with the expected norms. During that time, you can expect a significantly greater number of false positive alerts.
NOTE: While intrusion detection and prevention are typically intended to obviate attacks on the confidentiality aspect of the CIA Triad, many of these attacks also affect availability; by putting some systems/applications into fail states, attackers attempt to gain control/access.

Security Information and Event Management (SIEM)

PPT (Security Information and Event Management (SIEM)): Explain the purpose and benefits of SIEM solutions.

The current trend in security management involves the use of tools that collect information about the IT environment from many disparate sources to better examine the overall security of the organization and streamline security efforts. These tools are generally known as SIEM solutions.

NOTE: There is no formal industry standard defining SIEM solutions, their function, and their implementation. “SIEM” is a marketing term used by vendors to describe tools that offer some common functions (described in this section of the module). Practitioners should be aware that similar tools offering the same functionality may be termed “SEIM,” and many tools that were previously called “SEM” or “SIM” may offer the same types of services.
The general idea of a SIEM solution is to gather log data from various sources across the enterprise to better understand potential security concerns and apportion resources accordingly. Some common functions of SIEM solutions include the following:
• Aggregation: The SIEM tool gathers information from across the environment. This offers a centralized repository of security data and allows analysts to have a single interface with which to perform their duties. The SIEM might gather log data from:
o Firewalls
o IDS/IPS systems
o IT performance monitoring tools
o Network devices (routers/switches/gateways)
o Individual hosts/endpoints
o Anti-malware solutions
• Normalization: SIEM tools can often collect different types of information from different types of sources and present the data in a meaningful, standardized way, such that the analysis task is simplified; analysts can use the SIEM tool instead of repeating various log review actions on multiple systems.

• Correlation: The SIEM may be able to mathematically assign weight and probability to various activities throughout the enterprise as a means of automatically calculating the probability that a given stream of log information is an actual attack, whether the attack affects more than one host/location/network, and the likelihood and significance of each input. Correlation depends on the sources agreeing about time: devices whose clocks are not synchronized (for example, via NTP) produce sequences the correlation rules cannot line up.
• Secure storage: Because log data is enormously valuable (both to the organization and to attackers) for many reasons and purposes, SIEM tools often offer the ability to archive the material they contain in a secure manner.
• Analysis: Some SIEM solutions perform automated analyses, using scripts and heuristics.
• Reporting: SIEM solutions often offer reporting tools for distilling current and historical depictions of the activity in your environment.
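Aggregation, normalization and correlation are easier to see in code than in prose. The block below is an added example, not the guide’s own material nor any SIEM vendor’s code: it takes constructed log lines in three formats (a firewall’s key=value text, an IDS sensor’s JSON, and syslog from an SSH daemon), normalizes them into one record shape, and scores events per source address over a five-minute window. The formats, the weights and the threshold are assumptions for the illustration; the syslog year and the UTC zone of the syslog lines are likewise assumed, which is exactly the kind of gap real normalization has to close.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in three different formats (not from real devices).
FIREWALL_LOG = [
    "2024-03-01T10:00:01Z fw01 DENY src=203.0.113.9 dst=10.0.1.20 dport=22",
    "2024-03-01T10:00:02Z fw01 DENY src=203.0.113.9 dst=10.0.1.20 dport=23",
    "2024-03-01T10:00:03Z fw01 ALLOW src=198.51.100.4 dst=10.0.1.20 dport=443",
]
IDS_LOG = [
    '{"time": "2024-03-01T10:00:05Z", "sensor": "ids02", "sig": "SSH brute force",'
    ' "source": "203.0.113.9", "target": "10.0.1.20"}',
]
HOST_LOG = [
    "Mar  1 10:00:20 web01 sshd[4112]: Failed password for root from 203.0.113.9 port 51822 ssh2",
    "Mar  1 10:01:45 web01 sshd[4115]: Accepted password for deploy from 203.0.113.9 port 51830 ssh2",
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+$")
SSH_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
                    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")


def _iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


# Normalization: every source becomes the same record shape {ts, src, dst, origin, type}.
def normalize_firewall(line):
    m = FW_RE.match(line)
    return {"ts": _iso(m["ts"]), "src": m["src"], "dst": m["dst"], "origin": m["host"],
            "type": "fw_deny" if m["action"] == "DENY" else "fw_allow"}


def normalize_ids(line):
    d = json.loads(line)
    return {"ts": _iso(d["time"]), "src": d["source"], "dst": d["target"], "origin": d["sensor"],
            "type": "ids_alert"}


def normalize_sshd(line, year=2024):
    # syslog lines carry neither a year nor a zone; the year is assumed and UTC is assumed here
    m = SSH_RE.match(line)
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc).timestamp(), "src": m["src"], "dst": m["host"],
            "origin": m["host"], "type": "auth_fail" if m["result"] == "Failed" else "auth_success"}


def ingest():
    """Aggregation: pull every source into one normalized event list."""
    return ([normalize_firewall(l) for l in FIREWALL_LOG] + [normalize_ids(l) for l in IDS_LOG]
            + [normalize_sshd(l) for l in HOST_LOG])


# Correlation: weight each event type, sum per source over a time window, escalate a telling sequence.
WEIGHTS = {"fw_deny": 1, "fw_allow": 0, "ids_alert": 3, "auth_fail": 2, "auth_success": 0}


def correlate(events, window=300, threshold=5):
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        chain = [e for e in evs if e["ts"] - evs[0]["ts"] <= window]
        score = sum(WEIGHTS[e["type"]] for e in chain)
        fails = [i for i, e in enumerate(chain) if e["type"] == "auth_fail"]
        succ = [i for i, e in enumerate(chain) if e["type"] == "auth_success"]
        failed_then_succeeded = bool(fails) and bool(succ) and succ[-1] > fails[0]
        if failed_then_succeeded:
            score += 5  # a login that succeeds after failures from the same source suggests a guessed credential
        if score >= threshold:
            incidents.append({"src": src, "score": score, "escalated": failed_then_succeeded,
                              "origins": sorted({e["origin"] for e in chain})})
    return incidents
```

On the sample data `correlate(ingest())` produces a single incident for 203.0.113.9 that draws on all three devices; the allowed HTTPS connection from the other address never reaches the threshold. No single source would have told the story: the firewall saw two denied ports, the sensor saw a brute-force signature, and only the host saw the login that finally succeeded.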
Continuous Monitoring

PPT (Continuous Monitoring): Discuss the purpose and tools used in continuous monitoring; give particular attention to DLP solutions, how they function, and challenges associated with their use.

This course has already included discussion of continuous monitoring and improvement of security controls (see the “Monitoring and Measurement” section of Module 3 in Domain 1); the same principles apply to monitoring and optimizing traffic and activity.

Ingress Monitoring
Ingress monitoring refers to surveillance and assessment of all inbound communications traffic and access attempts. Devices and tools that offer logging and alerting opportunities for ingress monitoring include the following:
• Firewalls
• Gateways
• Remote authentication servers
• IDS/IPS tools
• SIEM solutions
• Anti-malware solutions

As with all security tools, solutions used for ingress monitoring must be maintained, patched, and updated as necessary for signature libraries and configuration changes. Also, the overhead cost in terms of both maintenance of these tools and impact to productivity must be considered.

Egress Monitoring
Egress monitoring is used to regulate data leaving the organization’s IT environment. The term currently used in conjunction with this effort is “DLP”; a marketing descriptor without standard definition, it is often referred to as “data leak protection” or “data loss protection,” or some combination of those words. For purposes of addressing this topic, the term DLP will be used synonymously with egress monitoring.

DLP tools function by comparing data leaving the control of the organization against a rule set to determine whether that action is allowed. The DLP rule set can be defined by the following:
• Signature: Particular types of data might conform to certain strings that are readily identifiable and can, therefore, be recognized by the tool. For instance, a DLP set to prevent the egress of credit card information might be taught to search for and sequester any run of 13 to 19 digits (the length range of payment card numbers), usually confirmed with the Luhn checksum that card numbers satisfy, so that order numbers and phone numbers of similar length are not swept up with them.
• Pattern matching: The DLP might be conditioned to look for two-word strings where each word starts with one uppercase character and the rest are lowercase; in this way, the DLP might restrict the export of individual names. This might also be done for the frequency of a given word/words in the context of a page or throughout a document to prevent the egress of proprietary or confidential information. Such patterns are loose by nature (a place name such as “New York” matches the name pattern), so they produce more false positives than signatures do.
• Labeling: Sensitive assets within the environment might be tagged with specific labels that will be recognized by the DLP tool. For instance, an organization trying to protect proprietary information might embed labels such as “copyright,” “proprietary,” or “confidential” in data assets that should not be shared outside the organization. A label rule is only as good as the labeling: content copied out of a labeled document into an unlabeled message is invisible to it.
For DLP solutions to function properly, they usually need to be deployed in conjunction with and as part of an overall data protection effort within the organization. Deployment is often construed as having three facets:
• Data at rest: Placement of DLP agents in data storage locations (both physical and logical), such as databases and archives.
• Data in motion: DLP software that inspects outbound communications traffic.
• Data in use: DLP agents installed on endpoint devices. (This is especially important in bring your own device (BYOD) environments and cloud deployments, where users process the organization’s data on devices owned by the user.)

The overall data protection effort needed to support DLP includes the following:
• Data discovery/classification/categorization: To know what to protect, the organization needs to know what it owns; the candidate should recall this point from the earlier discussion of asset inventories. DLP tools are often equipped with discovery tools to aid in initial data recognition, and they can also be used to categorize/classify the organization’s data assets.
• Monitoring: The DLP solution should be deployed such that it can inspect all forms of data leaving the organization, including
o Email (content and attachments)
o Copy to portable media
o File Transfer Protocol (FTP)
o Posting to web pages/sites
o Application/application programming interface (API)
A network DLP component can only read what it can see; channels the organization cannot decrypt (TLS sessions without interception, end-to-end encrypted messaging) have to be covered by the endpoint agent instead.
• Enforcement: The DLP enforcement settings should reflect the ideal response suited to the organization’s risk/benefit appetite and level of scrutiny. Examples of different organizational intent for DLP might include the following:
o Training. The DLP tool might identify a user’s attempt to distribute sensitive information and merely remind the user of the organization’s policy and the sensitivity of the material the user is distributing.
o Attribution/assigning responsibility. The DLP tool might ask for the user to confirm intent to distribute sensitive information; the confirmation acts as the user’s indication of accepting responsibility for distributing that information.
o Stringency/prevention. The DLP tool might halt the transaction upon identifying sensitive information, lock the user’s account, and inform management/security of the attempt.
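The three rule types from the Egress Monitoring section (signature, pattern matching, labeling) and the three enforcement intents just listed (training, attribution, prevention) fit into one small evaluator. This is an added example, not the guide’s code and not any DLP product’s logic: the card-number signature, the capitalized-name pattern, the watchword list with its frequency threshold, the label strings and the four sample documents are all constructed for the illustration. The Luhn check is the standard checksum on payment card numbers and is what keeps the 16-digit order number in the fourth document from being mistaken for a card.

```python
import re
from collections import Counter

# Constructed sample documents (not real data) that an outbound e-mail gateway might inspect.
DOC_OK = "Lunch menu for Tuesday: soup, salad. Contact the front desk."
DOC_CARD = "Receipt: Alice Johnson paid with card 4111 1111 1111 1111, expiry 09/27."
DOC_PLAN = "CONFIDENTIAL draft: the product roadmap for Q3. This roadmap replaces the earlier roadmap."
DOC_NOISE = "Order 1234 5678 9012 3456 shipped to New York today."

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13 to 19 digits, optional spaces or dashes
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")        # two capitalised words, as in a person's name
LABELS = ("CONFIDENTIAL", "PROPRIETARY", "COPYRIGHT")        # markings embedded in sensitive assets
WATCHWORDS = {"roadmap", "formula"}                          # hypothetical project terms
WATCH_MIN = 3                                                # occurrences per document before flagging


def luhn_ok(digits):
    """Luhn checksum: true for every genuine card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Signature rule: digit runs of card-number length that also pass the Luhn check."""
    candidates = [re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text)]
    return [c for c in candidates if luhn_ok(c)]


def find_names(text):
    """Pattern rule: capitalised word pairs (place names match too, which is a false positive)."""
    return NAME_RE.findall(text)


def find_watchwords(text):
    """Pattern rule by frequency: project terms repeated at least WATCH_MIN times."""
    counts = Counter(re.findall(r"[a-z]+", text.lower()))
    return sorted(w for w in WATCHWORDS if counts[w] >= WATCH_MIN)


def find_labels(text):
    """Labeling rule: explicit sensitivity markings embedded in the content."""
    return [label for label in LABELS if label in text.upper()]


def evaluate(text, mode="block"):
    """Apply the rule set and return the enforcement decision for the chosen organisational intent."""
    findings = {"pans": find_pans(text), "names": find_names(text),
                "watchwords": find_watchwords(text), "labels": find_labels(text)}
    if not any(findings.values()):
        return {"action": "allow", "findings": findings}
    if mode == "train":        # remind the user of policy and let the transfer proceed
        return {"action": "allow", "notice": "policy reminder shown", "findings": findings}
    if mode == "attribute":    # make the user confirm and thereby own the decision
        return {"action": "confirm", "findings": findings}
    return {"action": "block", "escalate": "security notified, account locked", "findings": findings}
```

`evaluate(DOC_CARD)` blocks on a Luhn-valid card number and a name; `evaluate(DOC_NOISE)` passes the order number but still trips on “New York”, which is the pattern-rule false positive the text warns about, and in block mode that would lock the sender’s account. Tuning the enforcement mode per rule type (train for patterns, block for signatures and labels) is a common way to keep the cost of such misses acceptable.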
DLP tools can serve many functions, depending on how they are deployed and what settings the organization applies. These functions can include the following:
• Compliance
• Security
• Training/awareness
• Due diligence
• Asset management

Module 9: Recovery Strategies

PPT (Recovery Strategies): Introduce the participants to the “Recovery Strategies” module.

Module Objectives
1. Describe the benefits and challenges associated with various common backup strategies and techniques.
2. List the characteristics of common alternate operating site strategies.
3. Describe the technologies and techniques associated with high-availability environments, including differentiating between various redundant array of independent disks (RAID) levels.

PPT (Module Objectives): Introduce the module objectives.

It is important for the candidate to be familiar with common BCDR fundamentals.

Backup Storage Strategies

PPT (Backup Storage Strategies): Review the various backup storage strategies and methods.

Accurate and comprehensive backups are instrumental to facilitating BCDR efforts; this is an essential aspect of the availability facet of the CIA Triad. Some backup concepts the candidate should be familiar with:
• Onsite/offsite: There is a risk/benefit tradeoff to deciding the location of the organization’s backups.
o Onsite: The organization has full control (and responsibility) of the stored data. Cost may be proportionally higher for the organization, depending on the organization’s core competencies and type of business. (Example: a small or midsize organization might not have the data center capacity and skillset internally to support thorough secure backups.)
o Offsite: The data is exposed to additional risk while it is moved from the organization’s environment to the external environment (in transit). The organization loses some control of the security governance and controls used to store the data. Cost may be lower or higher than the onsite option, depending on the nature of the organization and the options offered by the provider. A provider with the sole focus on secure data storage may be able to scale services such that secure storage is much more affordable for its clientele, where the same service would be cost-prohibitive for each individual client.
• Full/differential/incremental: The amount of data backed up at any given time can vary between organizations because of one factor: time. It takes time to back up large volumes of data, and this time can have an impact on operations/productivity (and a related cost). Organizations try to limit the negative impact by scheduling backups in an optimum way to capture the best representation of the current state of the environment with the most acceptable amount of interruption. There are three general approaches to making a backup:
o Full: All data in the environment is copied. The most expensive and time-consuming option, and the one that provides the most thorough depiction of the environment (and the simplest to restore from, since the copy is self-contained).
o Differential: All data in the environment that has changed since the last full backup is copied. Not as time-consuming as a full backup, although each successive differential grows until the next full backup; a restore needs only the full backup plus the most recent differential.

o Incremental: All data in the environment that has changed since the last backup (full or incremental) is copied. Fastest backup method, but the slowest to restore from: the full backup and every subsequent increment must be applied in order, and a single unreadable increment leaves a gap the later ones do not fill.
• Versioning: Data storage is a lot less expensive than it was just a few decades ago when computers were becoming ubiquitous, because storage media are a lot less expensive. However, the amount of data each organization creates and maintains has increased dramatically in that same time. The organization must determine how many versions of backup data it will create and keep. For instance, the organization can copy over each previous backup made by the organization, using the same storage volume over and over to save space (and money); in this case, it will only have one version as a backup, but data changed between backups will not be recoverable; only the data in the last backup copy will be available. This practice is not advisable because a faulty backup process can lead to a situation where the backup is corrupted, and the production environment is the only accurate existing version (the backup is a single point of failure). The organization can also make many backups, creating a new version each time a backup is made. This can quickly consume vast amounts of storage and lead to confusion about the most recent version or difficulty finding particular versions among many. The organization needs to find a happy medium where there are sufficient versions to obviate the risk of losing all recovery capability, and the number of versions/amount of data is manageable.
• Validation: After each backup (regardless of backup method), the organization needs to validate that the backup copy is thorough and accurate; this is usually achieved through the use of some form of integrity check and, depending on the size of the data set, sampling. A periodic test restore onto separate hardware is the only validation that also proves the restore procedure itself works.

PPT (Activity: How Many Versions? (3 slides)): Introduce and moderate the Activity.

Activity: How Many Versions?


Alice is in charge of orchestrating backups for Ostrich, Inc., her
midsize retail company. Employees at Ostrich work between the
hours of 7:00 a.m. and 8:00 p.m. (individual employees each work
eight-hour days, but they are spread across several time zones),
Monday through Friday. Backups are made on Saturday night to
allow for integrity checks and repetition on Sunday if the process
was faulty or interrupted. Alice has decided to augment the weekly
full backups with partial backups Monday through Friday, at the
end of each workday, to capture data that has changed between
full backups.

Instructions
As a group, work through the following thought problems. You have 10 minutes.
a. If Alice opts to do differential backups during the week, which data would be captured on Wednesday night?
b. If Alice opts to do incremental backups during the week, which data would be captured on Thursday night?
c. If Alice opts to do differential backups during the week, and the backup copy made Tuesday night is corrupt, which data would be lost?

Answers:
a. All data created/modified during the workdays of Monday, Tuesday, and Wednesday (a differential always captures everything changed since Saturday night’s full backup).
b. All data created/modified during the workday Thursday (an incremental captures only what changed since Wednesday night’s backup).
c. All data created/modified during the workdays Monday and Tuesday, since that is what the Tuesday differential holds. Two qualifications a practitioner should add: if Monday night’s differential was retained rather than overwritten, Monday’s changes can still be restored from it and only Tuesday’s changes are lost; and the loss lasts only until Wednesday night’s differential completes successfully, because that copy again contains everything changed since the full backup. Had Alice chosen incremental backups instead, the corrupt Tuesday copy would leave Tuesday’s changes unrecoverable from the chain, because no later increment repeats them unless the same file changed again.
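The full/differential/incremental discussion above and the three activity questions can be checked mechanically. The block below is an added example, not part of the course material: it models Ostrich’s week with a constructed, hypothetical set of files changed each workday, computes what each partial backup would contain, and works out which file versions a restore could not deliver when one copy is corrupt. The `keep_previous` switch models the versioning choice discussed earlier (retaining every partial backup versus overwriting the same volume each night).

```python
# Constructed change log for Ostrich, Inc.'s week (not real data): the files modified on each workday.
CHANGES = {
    "Mon": {"orders.db", "staff.xlsx"},
    "Tue": {"orders.db", "prices.csv"},
    "Wed": {"orders.db", "memo.docx"},
    "Thu": {"orders.db", "staff.xlsx"},
    "Fri": {"orders.db", "audit.log"},
}
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]  # the full backup is taken Saturday night, before Monday


def backup_contents(scheme, day):
    """Files written to the partial backup taken on `day` night."""
    idx = DAYS.index(day)
    if scheme == "differential":   # everything changed since the last full backup
        return set().union(*(CHANGES[d] for d in DAYS[:idx + 1]))
    if scheme == "incremental":    # only what changed since the previous backup of any kind
        return set(CHANGES[day])
    raise ValueError(scheme)


def latest_versions(days):
    """Map file -> the last day (among `days`) on which it changed, i.e. the newest version held."""
    latest = {}
    for d in days:
        for f in CHANGES[d]:
            latest[f] = d
    return latest


def restore(scheme, restore_day, corrupt=(), keep_previous=True):
    """Versions recovered when rebuilding the state as of `restore_day` night from the full backup
    plus the partial backups made so far, skipping any copy listed in `corrupt`.
    keep_previous=False models overwriting the same media each night (only the newest partial exists)."""
    idx = DAYS.index(restore_day)
    made = DAYS[:idx + 1] if keep_previous else DAYS[idx:idx + 1]
    usable = [d for d in made if d not in corrupt]
    if scheme == "differential":
        # the newest readable differential is self-contained; older ones are not needed
        return latest_versions(DAYS[:DAYS.index(usable[-1]) + 1]) if usable else {}
    if scheme == "incremental":
        if not keep_previous:
            raise ValueError("incremental restore needs every earlier increment")
        return latest_versions(usable)  # replay every readable increment in order
    raise ValueError(scheme)


def lost_changes(scheme, restore_day, corrupt=(), keep_previous=True):
    """File versions wanted as of restore_day night that the restore cannot deliver."""
    wanted = latest_versions(DAYS[:DAYS.index(restore_day) + 1])
    got = restore(scheme, restore_day, corrupt, keep_previous)
    return {f: d for f, d in wanted.items() if got.get(f) != d}
```

With the Tuesday differential corrupt, `lost_changes("differential", "Tue", corrupt={"Tue"}, keep_previous=False)` loses every Monday and Tuesday change (the course’s answer), `keep_previous=True` loses only Tuesday’s, and a restore on Wednesday night loses nothing. The incremental case shows the permanent gap: `lost_changes("incremental", "Wed", corrupt={"Tue"})` still cannot recover `prices.csv`, while `orders.db` comes back only because it happened to change again on Wednesday.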

Recovery Site Strategies

PPT (Recovery Site Strategies): Review the various alternatives for recovery sites.

In the event the normal physical production environment (the building/campus/location where the organization’s personnel perform work) becomes inhospitable, the organization will require an alternative location to remain viable. The use of an alternate location might involve reconstituting only those personnel and assets necessary to perform critical functions until such time as the organization can resume full production, or it might involve relocating the entirety of the organization, or some blend of critical and noncritical functions (but not full production); the choice of approach will differ between organizations based on senior management decision.

Alternate location types include the following:
• Hot: A fully functional operations site that has all necessary hardware, software, and data for instantly handling critical functions of the organization. (Hot sites may not have the latest data, and restoration or synchronization of the latest data may be necessary. Mirror sites or multiple processing centers have the latest data, and data restoration is usually not necessary. However, this high availability comes at greater cost.) This is the most expensive option.
• Warm: Similar to a hot site but typically does not have the current version of the organization’s data and may not have certain functional aspects ready for instant failover (for example, utilities such as water and power may be connected to the warm site facility but are not currently live, and they must be activated to use the site).
• Cold: An empty facility containing no hardware/software/data; utilities may be hooked up but not active. The least expensive option, but it is the one that requires the longest delay between loss of functionality in the primary location and resumption of the critical path.
• Mobile: A portable facility often mounted on or carried by a vehicle. Can provide operational functionality for a very limited number of users in the critical path but is not limited in placement and location.
• Cloud: Backup data is stored with a cloud computing service provider; users can resume critical operations from any location with a broadband connection that can reach the cloud provider. The provider’s own availability, and the organization’s connectivity to it, thereby become part of the recovery dependency chain and belong in the BCDR plan.
• Joint operating agreement (JOA)/memorandum of understanding (MOU): The JOA and MOU are contractual techniques for creating alternate operating locations; they create a partnership between organizations under which Organization A can use Organization B’s site and assets if Organization A is affected by a significant interruption of production (and vice versa). This technique is usually most effective for localized impacts (those that affect one building/campus, such as fire), as opposed to those that affect an entire metropolitan area, because both organizations are often affected in the latter case.

NOTE: The organization must consider the placement of any alternate site when choosing a recovery strategy; the alternate site should be physically far enough away that it is not affected by any contingency that affects the primary production environment, but close enough that key personnel can reach the alternate site in times of crisis.

NOTE: The organization should consider maintaining relocation kits containing all material necessary for resuming critical operations at another location (current build of critical IT assets, current versions of the production data set, encryption key information, contact information for key personnel/entities, etc.). Updating the kit on a regular basis should be part of the duties of the BCDR team and part of the change management process.

Multiple Processing Sites

PPT (Multiple Processing Sites): Discuss the possible costs and benefits in having multiple processing sites.

Some organizations that seek to minimize downtime and enhance BCDR capabilities utilize multiple processing sites to obviate the effects of an impact to any single site. This can be perceived as a JOA/MOU between internal bodies within the organization; geographically separated branches can serve as alternate production sites for each other in the event of a contingency.

For this technique to function properly, both sites must copy their production data to each other (or at least a sufficient portion of production data to maintain the critical path) on a constant or frequent basis. This requires a communications connection with significant bandwidth and speed. It can also serve as each site’s backup archive instead of using a third-party external site.

System Resilience, High Availability, Quality of Service (QoS), and Fault Tolerance

PPT (System Resilience, High Availability, Quality of Service (QoS), and Fault Tolerance): Discuss the various topics related to ensuring availability of the environment; include full discussion of UPS/generators and RAID options.

Organizations with extreme sensitivity to downtime (medical providers, military/intelligence agencies, high-volume online retailers, utilities) have a greater need to ensure BCDR capabilities are comprehensive and effective. Here are some techniques for facilitating this practice:
• Sufficient spare components: An organization seeking high availability needs to have sufficient components in inventory to replace/repair any affected elements of the environment (or at least those components supporting the critical path). This is a security concern addressed by logistics and budgeting; having too many spares on hand is an expensive proposition and can negatively impact the organization financially just as much as an outage might.
• Clustering: Systems can be combined to provide constant full capacity to the organization when one system/element goes down; this is referred to as “clustering” (storage, processing, and network systems can all be clustered). This can be viewed as duplication/replication of the systems in the cluster, and the cluster can enhance normal production through load balancing or merely serve as additional capacity for contingency operations or when widespread temporary scaling is necessary. Common modes of clustering include “active-active” (where all systems in the cluster operate in normal production, each handling a portion of the operational load) and “active-passive” (where at least one of the systems in the cluster doesn’t function during normal operations and is only brought online when the normal production system(s) go into a fail state).

• Power: In addition to IT capacity within the environment, the organization must also consider the power requirements for that environment; interruption of sufficient power can lead to loss of availability just as much as a direct impact to the organization’s IT/data. Practical power availability considerations include the following:
o Uninterruptible power supplies (UPS): These are basically batteries that provide temporary, immediate power during times when utility service is interrupted. Typically, these units are extremely limited and not designed to sustain a production environment for any considerable length of time; UPS are only meant to allow users/administrators to conduct formal shutdown procedures on active systems, or to bridge the seconds a generator needs to start and take the load.
o Generators: A generator is a local power production unit not reliant on utility service. Generators typically run on combustible fuels (gasoline/diesel, natural gas, or propane), and therefore pose another risk that must be considered in security/BCDR planning (for both fire/explosions and toxic exhaust). Generators should also be paired with a transfer switch, which is a mechanism that detects loss of utility power and engages the generator automatically to compensate.
• RAID: An organization can use a RAID (sometimes repetitively referred to as a “RAID array,” or defined as a “redundant array of independent disks”) to enhance availability and diminish the risk of downtime due to failure of a single storage component. A RAID setup entails virtualizing a storage volume across several physical disks so that an entire data set is not lost if a single drive fails. The technique of writing a data set across multiple drives is known as striping, and some RAID configurations also use a mechanism known as parity bits to allow recovery of the full data set if one drive fails (the striped data from adjacent drives, combined with the parity bits, can fill in the missing data). RAID protects against drive failure, not against deletion, ransomware, or a corrupt write, all of which are faithfully mirrored or parity-protected across the array; it does not replace backups. There are many RAID configurations, and the candidate should be familiar with each:
o RAID 0: Not actually a redundancy configuration, as the array has striping only and no parity bits; losing any one drive loses the whole volume. This configuration is used for optimizing speed and performance.
o RAID 1: Another method that does not typically use parity bits (and RAID 1 does not even use striping); instead, the data is fully duplicated (mirrored) across multiple drives so that any part of the data set can be recovered if a single drive fails. This can be costly (only half the raw capacity of a two-drive mirror is usable) but also keeps a second live copy of the production data.
o RAID 2: A legacy technique not currently in wide use.
o RAID 3 and 4: Data is striped across multiple drives, and a distinct drive is used to store parity information. RAID 3 stripes data at the byte level; RAID 4 at the block level. These RAID configurations may not be optimum for organizations seeking high availability environments, as the parity drive in each represents a potential single point of failure and a write bottleneck.
o RAID 5: Both the data and the parity bits are striped across multiple disks (three at minimum); provides high availability and tolerates the loss of one drive. While a failed drive is being rebuilt, a second failure loses the array, so spare drives and rebuild time matter.
o RAID 6: Uses data striping and two sets of parity bits striped across multiple disks (four at minimum); two drives can fail and the data can still be recovered.
o RAID 0+1: Combines techniques of RAID 0 and RAID 1; data is striped across a set of disks (RAID 0), and that whole stripe set is then mirrored to a duplicate set of disks (RAID 1).
o RAID 1+0 (often referred to as “RAID 10”): Again combines techniques of RAID 0 and RAID 1, but in the opposite order: disks are first paired as mirrors (RAID 1) and data is then striped across the mirrored pairs (RAID 0). RAID 10 is considered preferable to RAID 0+1 because a single drive loss degrades only one mirrored pair, and the array survives further failures as long as no pair loses both of its drives.
o RAID 15 and 51: Use techniques from RAID 1 and RAID 5 to utilize both striping of parity bits and mirroring of all the drives (including both the data and parity information). These techniques are not in wide use outside of highly sensitive environments because the impact to productivity and cost are significant.
l Centralized data storage: If operational data is stored on
various user devices (production endpoints), it is susceptible
to loss (and harder to archive) if a particular user device fails.
Organizations often obviate this risk by using a centralized
data storage system where user data is consolidated, making
it easier to archive and protect. The tradeoff, of course, is that
centralization may cause a single point of failure (and a single
target for attackers) if not protected properly. Data storage
centralization requires planning for redundancy and secure
backup practices. Two common methods for data storage
centralization are storage area networks (SANs) and network-
attached storage (NAS).
o Storage area networks (SANs): A network of storage
devices/arrays provide volume storage to servers that present
the data to users. Usually, SANs rely on protocols designed

584 Domain 7: Security Operations


Instructor Edition

for the service, such as Fibre Channel and iSCSI. A SAN


architecture presents storage volumes to the operating
system of each user’s device as if the volume were
Notes
Recovery Strategies
7
directly attached to that device (such as a mounted

Security Operations Domain


drive). While SANs apportion storage as volumes (raw PPT
drive space), file systems can be created within SANs to
System Resilience, High
allow for data management at the SAN level as opposed Availability, Quality of
to presenting various storage spaces to individual Service (QoS), and Fault
servers/users. Tolerance (continued)
o Network-attached storage (NAS): A NAS is typically a Discuss the various
centralized file server (device) that is accessed by many topics related to ensuring
availability of the
users within the environment; the NAS server maintains environment; include
the file structure/hierarchy and presents the data as files full discussion of UPS/
to users/applications. generators and RAID
options.
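The parity mechanism described above for RAID 5 (data and parity chunks striped across the drives, with the parity chunk's position rotating so that no single drive is the parity drive, and one failed drive rebuilt from the surviving striped data plus the parity) shown in working code. This is an added illustration written for this section, not code from the guide or from any RAID implementation; the drive count, chunk size and data set are constructed, and the function names (stripe_with_parity, rebuild_drive, read_data, demo_single_failure) are this example's own.

```python
from typing import List, Optional

CHUNK = 4  # bytes per chunk; real arrays use kilobyte-sized blocks (constructed size)


def xor_bytes(blocks: List[bytes]) -> bytes:
    """XOR equal-length byte strings together: this is the parity operation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, value in enumerate(block):
            out[i] ^= value
    return bytes(out)


def stripe_with_parity(data: bytes, n_drives: int) -> List[List[bytes]]:
    """Stripe `data` across `n_drives`, one chunk per drive per stripe.

    Returns drives[d][s] == chunk held by drive d in stripe s. Each stripe
    carries n_drives-1 data chunks plus one parity chunk, and the drive
    holding parity rotates from stripe to stripe, so no single drive is a
    dedicated parity drive (the single point of failure noted for RAID 3/4).
    """
    if n_drives < 3:
        raise ValueError("rotating single parity needs at least 3 drives")
    data_per_stripe = (n_drives - 1) * CHUNK
    data += b"\0" * ((-len(data)) % data_per_stripe)  # pad to whole stripes
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s in range(len(data) // data_per_stripe):
        piece = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        chunks = [piece[i * CHUNK:(i + 1) * CHUNK] for i in range(n_drives - 1)]
        parity = xor_bytes(chunks)
        parity_drive = s % n_drives
        remaining = iter(chunks)
        for d in range(n_drives):
            drives[d].append(parity if d == parity_drive else next(remaining))
    return drives


def rebuild_drive(drives: List[Optional[List[bytes]]], failed: int) -> Optional[List[bytes]]:
    """Reconstruct drive `failed` from the survivors, or return None when more
    than one drive is missing (single parity tolerates exactly one failure).

    Any chunk in a stripe, data or parity, equals the XOR of the stripe's other
    chunks, because parity was defined as the XOR of the data chunks.
    """
    survivors = [d for i, d in enumerate(drives) if i != failed]
    if any(d is None for d in survivors):
        return None
    return [xor_bytes([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def read_data(drives: List[List[bytes]], length: int) -> bytes:
    """Reassemble the data set, skipping the parity chunk of each stripe."""
    n = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        for d in range(n):
            if d != s % n:
                out += drives[d][s]
    return bytes(out[:length])


def demo_single_failure(n_drives: int = 4, lost: int = 2) -> bool:
    """Stripe a constructed data set, drop one drive, rebuild it, and check that
    both the rebuilt drive and the reassembled data match the original."""
    data = b"constructed sample data set for the parity demonstration"  # constructed input
    drives = stripe_with_parity(data, n_drives)
    degraded: List[Optional[List[bytes]]] = list(drives)
    degraded[lost] = None  # simulate the drive failure
    rebuilt = rebuild_drive(degraded, lost)
    if rebuilt is None:
        return False
    degraded[lost] = rebuilt
    return rebuilt == drives[lost] and read_data(degraded, len(data)) == data


if __name__ == "__main__":
    print("single drive recovered:", demo_single_failure())
```

Losing a second drive before the rebuild finishes makes rebuild_drive return None, which is the exposure window that RAID 6 closes with its second set of parity bits; RAID 0 has no parity chunk at all, so the same loss is unrecoverable from the array alone.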

Module 10: Disaster Recovery Processes

PPT
Disaster Recovery Processes
Introduce the participants to the “Disaster Recovery Processes” module.

Module Objectives
1. Describe, in detail, the essential elements of the business continuity
and disaster recovery (BCDR) process, including response actions,
the personnel involved, communications strategies, the practice and
risks associated with assessment and recovery, and proper training
and awareness for BCDR purposes.

PPT
Module Objectives
Introduce the module objectives.
Every organization will tailor its BCDR methods to best suit its own
needs. This module includes discussion of fundamental principles
that might be used to craft a typical BCDR process.

Response

PPT
Response
Discuss the elements of initiating the DR response actions.

A BCDR action can be triggered by a number of possible circumstances
(natural disaster/severe weather, fire, physical damage to resources,
external attack, etc.); to best manage the activation of the response, the
organization must determine the following:
l Criteria for initiating the response action. Not all possible
contingency events can be predicted and described before
they occur, but a set of guidelines can be created to aid
those personnel who will ultimately make the decision when a
disaster occurs. Criteria might include dollar value of affected
assets, number of affected users, expected duration of system
downtime, threat to human health and safety, and so on.
l Personnel authorized to initiate the BCDR action.
Enacting the BCDR plan usually entails considerable cost
and results in a significant impact to the organization (both
financial and operational); often, these costs are not included
in the organization’s budget and therefore will have a
lasting impact. The person(s) allowed to make this decision
for the organization must be trusted and have a significant
degree of authority and insight—usually, a member of senior
management, if not the head of the organization.
l Information stream/chain to provide the decision-making
authority with sufficient data to make the correct
decision at the right time. This might include a formal
process, such as escalating incident-related information (see
discussion of incident response, in Module 5 of this domain),
external professional sources (such as government agencies
and paid threat intelligence providers), and informal means
(such as news services and social media).

Personnel

PPT
Personnel
Discuss the specification of personnel to perform DR tasks.

In addition to the member(s) of senior management authorized to
initiate the BCDR response action, the response plan should
specifically task personnel who will be involved in the process. This
includes the following:
l Critical path personnel: This group includes the essential
personnel necessary to continue the organization’s operational
functions during the contingency event. While these people may not
be involved in handling the response action (instead, they will have
production tasks to perform), they should receive proper training
for their roles during the response activity, such as how to reach the
alternate operating site (if appropriate), how to access archived data,
how to log transactions during the contingency, etc.
l Responders: Those personnel involved in managing the
response process. This typically includes representatives from the
following groups:
o IT: Administrators, architects, and technicians are usually
essential in handling contingency situations.
o Security: Security practitioners often have specific insight and
experience that is crucial to dealing with contingencies.
o Legal: General counsel provides proper guidance to ensure
the organization’s regulatory and due diligence requirements
are met, and in collecting and preserving evidence for criminal
and civil cases that might arise from the contingency.
o Human resources (HR): The HR representative often has
access to privacy data related to all employees, for purposes
of contacting either the employees themselves or family
members, if necessary.
o Finance/accounting: Someone with insight into tracking costs
and expenditures will need to account for establishing the
overall cost of the response action after it has been completed;
also, an accountant may have to participate in making the
appropriate financial transactions during the event.
o Public relations/communications: A team member
with experience and knowledge of handling external
communications will be necessary, in order to ensure the
organization has a uniform voice in describing the situation
as it unfolds. See the “Communications” topic in this
Module, immediately following this one.
l Management: A member of senior leadership should be
monitoring the response activity at all times; this person should
have the authority to approve all expenditures necessary to fulfill
the response process, and to decide when the contingency event
has ended and resumption of normal operations can begin (see
the “Restoration” topic in this Module).
NOTE: Naming specific individuals for contingency tasks has some benefit
(those individuals can be trained and practice their emergency functions),
but relying on specific people for emergency response can create points
of failure; during an emergency, the organization cannot expect all
individuals to report to their workplace (such is the nature of a disaster).
Instead, it is better to task offices/departments, and have personnel
within those offices cross-trained to handle contingency tasks as
needed. A proper BCDR plan will include procedures for each
tasked office, detailed to the point where any member of that office,
with no prior exposure to the material, could follow instructions and
complete the necessary tasks.

Communications
PPT
Communications
Explain the various issues and challenges associated with the various
communications needs during a disaster response action.

The organization will need to have the capacity and resources
for two types of essential contingency communications: internal
and external.
l Internal communications: In the event of a disaster-level
event, the organization will need to reach all its personnel to
inform them of the proper actions expected of them (such as:
evacuation if they are at the work site, staying home if they are
not yet at the work site, reporting to the alternate site if they
are responders or critical personnel, etc.). This might include
push capability (automatic messaging sent to all personnel)
or access capability (a central clearinghouse of data, such as
a website, that all organizational personnel can reach in order
to receive updates of the situation). Essential elements of an
internal contingency communications plan should include:
o The ability to rapidly contact all organizational personnel.
Planners should bear in mind:
– During a contingency event, normal communications
channels may be unavailable. This could include public
mobile phone/texting services, Internet connectivity,
and so forth. Alternate means of mass communication
should be a priority.
– Employees rarely update their emergency contact
information (typically this is only done when the
employee is changing insurance status), and
access to that information may be limited (by
jurisdictional regulation and by internal process/
compartmentalization). Regular updates and tests
of mass communication for employees should be a
facet of the organization’s policy and practices.
o There is a cost/benefit tradeoff between making information
widely available in a timely fashion and spreading critical
information about the organization’s operation outside
authorized channels; senior management needs to establish
strategic direction in this matter for the organization.
l External communications: During a contingency, the organization
may have to reach various external entities, such as:
o Law enforcement/first responders (police, fire, medical
assistance, etc.).
o Regulators.
o The public at large/news media.
o Business partners (vendors, clients, end customers, etc.).
In order to handle external communications properly, the organization
should consider these crucial elements:
l A single voice is optimum. When multiple people from
within the organization make statements (especially to the
public), there is a significant chance that the facts in the
disparate statements will conflict (unintentionally, due to the
nature of the pace of contingency responses, and differing
perspectives from people with different jobs); this can lead
to public mistrust of the organization, and loss of faith, which
can eventually lead to severe negative impacts (loss of market
share, funding, etc.). It is far preferable to have one single
authorized representative from the organization make all
external communications, especially to the public.
l Trained communications professionals are extremely valuable in
this effort; crafting external communications such that they inform,
have uniform voice, do not admit/incur liability, and reach the target
audience in a desirable manner is a great benefit to the organization.
l When information is not immediately verifiable or may be
somewhat tenuous (especially at the outset of a contingency
event), it is almost always preferable to say that (“the situation
is currently developing, and the information is unclear at this
time; we will have updates as we learn more”) rather than
publishing data that might be revised later (such as hypothetical
causes and theories about the origin of the event). This is
particularly true for predictions of resolution timing, which
can be affected by many factors unforeseen when a disaster
response is initiated. Making one statement of fact that is
repeatedly recanted can make the organization seem untrustworthy
or incompetent, neither of which is desirable.

Assessment

PPT
Assessment
Discuss the assessment of impact and damages, and the importance of
that assessment in DR functions.

As mentioned in earlier topics within this module, there is a fundamental
need to calculate the entire, overall impact of the contingency; this
includes both the damaging effects of the event itself, as well as the cost
of the response efforts. This assessment is best performed by
accounting and audit personnel, with input from subject matter
experts (who understand the value of the assets/resources) and
human resources (who have access to timesheets/production hours,
for calculating the time taken by all personnel involved in the
response, which is a factor in the overall damages).
This assessment can be crucial, depending on the nature of the
organization and the event, for reporting purposes after resolution.
Assessments could play an essential role in the following ways:
l Criminal prosecution: If the event was caused by a criminal
act, the state will need to know the extent/amount of
damages in order to charge the suspect accordingly.
l Civil action: If the event was caused by external actors,
the organization may want to try to recoup losses through
litigation (whether or not the state prosecutes those same
external actors). Being able to substantiate the amount of
damages with hard data is extremely important in this type
of effort.
l Investor reporting: The organization needs to be able to
inform investors about the extent and amount of damages;
this is particularly true when required by law (such as for
publicly traded corporations).
l Informing regulators: Depending on the industry and
nature of the organization, regulators may require full
disclosure of all contingency-related damages.

Restoration

PPT
Restoration
Review the ultimate goal of DR efforts.

The ultimate goal of the response action is to resume full normal
operations. The process to achieve this goal might include the
following:
l Returning to the primary operating site; creating a new
primary operating site. When the cause of the contingency
has passed or been resolved, personnel will need to be
returned to a primary operating situation (both a physical
and logical location). This might take the form of returning to
the organization’s original production location/environment
or of creating a new one (many organizations that have
suffered disaster-level events and used an alternate site/
system for maintaining critical operations have ended up
making the alternate site into the new primary site, and
abandoned the original primary).
l Restoring data to the production environment. This process involves
a high degree of risk: importing the original backup archive and
record of transactions created during the contingency can result in
damaging impact to all three: the archive, the contingency record,
and the operational environment. (See more discussion of this topic
in Module 11 of this domain.) Great care and planning should be
involved in this process.
NOTE: The timing of restoration can result in a massive impact to the
organization as well. Returning to primary operations too soon (if the
danger related to the contingency has not been resolved) can risk harm
to health and human safety or, of lesser concern, to the organization’s
operations. Staying in contingency operations too long can have a grave
financial/personnel impact to the organization (alternate operations are
expensive; also, keeping nonproductive people—all the nonessential
personnel—on the payroll for extended periods is not cost-effective,
and not paying nonessential personnel during the contingency risks
them leaving the organization to find new work and the organization not
having a full staff upon return to normal operating conditions). The
decision of when to return to normal operations must be made by
senior management—often the head of the organization.
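A worked illustration of the data restoration step above, added here as example code rather than anything from the guide: it verifies the backup archive against a digest manifest before loading it, replays the record of transactions logged during the contingency onto a staging copy so that neither the archive nor the contingency record is modified, and sets aside any record that cannot be applied (a re-sent duplicate, an account the archive does not know) for human review before anything is promoted to the production environment. The archive contents, the manifest digest and the transaction records are constructed, and the names load_archive, replay and restore_to_staging are this example's own.

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Tuple

# Constructed "last known good" backup archive and its integrity manifest.
# A real archive would be a database dump or snapshot; the principle is the same.
ARCHIVE_STATE: Dict[str, Any] = {"accounts": {"A-100": 500, "A-200": 120}}
ARCHIVE_BLOB = json.dumps(ARCHIVE_STATE, sort_keys=True).encode()
MANIFEST_SHA256 = hashlib.sha256(ARCHIVE_BLOB).hexdigest()

# Constructed record of transactions logged during the contingency. Each record
# carries a unique id, so a re-sent line (t2 appears twice) is applied only once.
CONTINGENCY_LOG: List[Dict[str, Any]] = [
    {"id": "t1", "op": "credit", "account": "A-100", "amount": 50},
    {"id": "t2", "op": "debit", "account": "A-200", "amount": 20},
    {"id": "t2", "op": "debit", "account": "A-200", "amount": 20},
    {"id": "t3", "op": "credit", "account": "A-300", "amount": 10},  # account unknown to the archive
]


def verify_archive(blob: bytes, expected_sha256: str) -> bool:
    """Compare the archive's digest with the manifest recorded when it was taken."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256


def load_archive(blob: bytes, expected_sha256: str) -> Dict[str, Any]:
    """Refuse to restore from an archive whose digest does not match the manifest."""
    if not verify_archive(blob, expected_sha256):
        raise ValueError("archive digest mismatch; do not restore from it")
    return json.loads(blob)


def replay(state: Dict[str, Any], log: List[Dict[str, Any]]
           ) -> Tuple[Dict[str, Any], List[str], List[Tuple[str, str]]]:
    """Apply contingency transactions to a deep copy of `state`.

    Returns (staging_state, applied_ids, rejected) where rejected holds
    (id, reason) pairs. Neither `state` nor `log` is modified, so a failed
    replay damages neither the archive nor the contingency record.
    """
    staging = copy.deepcopy(state)
    applied: List[str] = []
    rejected: List[Tuple[str, str]] = []
    seen = set()
    for rec in log:
        if rec["id"] in seen:
            rejected.append((rec["id"], "duplicate record"))
            continue
        balance = staging["accounts"].get(rec["account"])
        if balance is None:
            rejected.append((rec["id"], "account not in archive"))
            continue
        delta = rec["amount"] if rec["op"] == "credit" else -rec["amount"]
        if balance + delta < 0:
            rejected.append((rec["id"], "would overdraw"))
            continue
        staging["accounts"][rec["account"]] = balance + delta
        seen.add(rec["id"])
        applied.append(rec["id"])
    return staging, applied, rejected


def restore_to_staging(blob: bytes, expected_sha256: str, log: List[Dict[str, Any]]
                       ) -> Tuple[Dict[str, Any], List[str], List[Tuple[str, str]]]:
    """Full dry run: verify, load, replay onto a staging copy. The caller promotes
    the staging state to production only after reviewing the rejected records."""
    archive = load_archive(blob, expected_sha256)
    before = copy.deepcopy(archive)
    staging, applied, rejected = replay(archive, log)
    if archive != before:
        raise RuntimeError("replay modified the restored archive; abort")
    return staging, applied, rejected


if __name__ == "__main__":
    state, ok, bad = restore_to_staging(ARCHIVE_BLOB, MANIFEST_SHA256, CONTINGENCY_LOG)
    print("staging:", state["accounts"], "applied:", ok, "rejected:", bad)
```

The point of the staging copy is the one the text makes: the archive and the contingency record are the only evidence of the pre- and intra-event state, so the replay must never write to either, and the production environment receives the result only once the rejected records have been examined.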

Training and Awareness

PPT
Training and Awareness
Discuss the needs for differentiated training for all personnel in the
organization versus those tasked with DR functions.

Personnel assigned to BCDR tasks (responders and those who are part
of the critical path, as well as alternates) should receive formal training
for their roles; this should include involvement in all tests.
All personnel within the organization need to be exposed to awareness
activities that prepare them for disaster/emergency actions. This can
include both formal training (often presented during initial training for
new hires, and/or during annual tests) as well as recurring informal
information (newsletters, reminders, posters, etc.).
See Modules 11 and 12 for more detailed discussion of BCDR testing/
training.

Module 11: Business Continuity Planning and Exercises

PPT
Business Continuity Planning and Exercises
Introduce the participants to the “Business Continuity Planning and
Exercises” module.

Module Objectives
1. Describe the facets and challenges of business continuity and
disaster recovery (BCDR) planning and exercises.

PPT
Module Objectives
Introduce the module objectives.

Business Continuity Planning and Exercises

PPT
Business Continuity Planning and Exercises
Review the issues associated with testing BC plans.

When discussing BCDR, as mentioned earlier in the course, BC typically
involves those practices and resources the organization uses to maintain
critical operations during contingencies, and DR typically involves those
practices and resources used by the organization to resume full normal
operations after a contingency has been resolved.
When we parse the discussion in these terms, the means for handling
interruptions to normal processing differ slightly: BC is often addressed
by using redundancy and having a failover capability (either to an
alternate operating site, or to a mirrored/backup IT environment, both
concepts discussed in Module 9 of this Domain) and DR by restoring
from secure backups/archives to achieve a “last known good” state.
However, for purposes of simplicity in this topic (“Business Continuity
Planning and Exercises”), we’re going to cover both means of
addressing contingencies (failover to alternate systems/sites and
recovery from backups) under the term “continuity.”
Having a continuity methodology is standard practice and expected of
professional organizations. However, simply having a continuity policy,
resources, and process is insufficient for meeting due diligence
requirements. Continuity methods and resources must be tested. An
organization that has thorough and diligent continuity processes but has
never tested a backup recovery or failover to alternate systems/sites
should be considered as not having any continuity capability at all.
When testing both a failover process and a backup procedure, some
fundamental concepts should be considered:
l The test can result in an actual contingency. Whether failing over
to an alternate processing system/site or restoring from a backup,
the production environment and the contingency resources can
be affected, damaging both. Tests involve a significant amount of
risk and should be planned and handled accordingly.
l The test can be scaled down to minimize actual/potential impact.
Instead of using a failover for the entire environment or restoring
all operational data, the test might only involve a portion of each,
such as a particular office or branch of the organization or a
simulation built in a test bed environment.
l Tests involve cost. The organization must budget for tests in the
same manner it plans for operational expenses.
l Tests may be mandatory. Some regulatory schemes require
regular testing (typically, at a minimum, annually).

Module 12: Test Disaster Recovery Plans

PPT
Test Disaster Recovery Plans
Introduce the participants to the “Test Disaster Recovery Plans” module.

Module Objectives
1. Describe the characteristics of the common types of
business continuity and disaster recovery (BCDR) tests,
and describe the characteristics of each.

PPT
Module Objectives
Introduce the module objectives.

There are a number of ways to test DR plans and train personnel
tasked with enacting them. This module will discuss several; the
candidate should recognize and understand the benefits and risks
associated with each.

PPT
Test Disaster Recovery Plans
Review the various methods for testing BC plans.

Read Through/Tabletop
This method is a controlled, isolated roleplaying activity, only involving
those personnel tasked with DR responsibilities and activities (see the
Personnel topic, in Module 10 of this domain) and a moderator.
The participants should gather at a centralized location (such as a
conference room) and bring all DR guidance materials, such as the
organization’s DR plan and any documents that will be included at any
alternate operating site. The moderator presents a situation that would
constitute an event significant enough to trigger a DR response; the
participants pretend they are in the situation and verbally describe their
actions. Participants can refer to any materials for information and
guidance and can cooperate.
The moderator should manage the discussion and take notes on the
progress, recording both problem areas and elements that seemed
successful. It is best to have an experienced moderator present to
address interpersonal conflicts and handle problems as they arise. The
moderator can also introduce new situational information as the pretend
situation “unfolds.”
A tabletop exercise is excellent for training response personnel unfamiliar
with their tasks and/or new to the organization; it is also an extremely
useful tool for reviewing the BCDR plan to determine gaps in response
capabilities so that the plan can be revised later.
The tabletop exercise is the least intrusive and cheapest type of BCDR
test.

Walk-Through
This is similar to the tabletop exercise where the only participants are
those personnel who have a role in BCDR activities, and they respond
to a scripted situation. However, in a walk-through, instead of staying
around a conference table, the participants will actually walk to each of
the locations they will need to visit for response activities (hence the
name). They can still refer to written guidance and should be monitored
by someone who can record any problems/successes.
The walk-through is more beneficial than the tabletop exercise in
terms of being able to assess physical limitations for response
actions and establish timing for certain activities. It is only slightly
more expensive than the tabletop exercise.

Simulation
A simulation can be thought of as a walk-through exercise with
more complexity and involvement. A simulation might involve all
personnel in a given office/location participating in a scripted
emergency situation. A fire drill where personnel evacuate from the
work site is an example of a simulation.
Simulations can be much more expensive than tabletop or walk-
through exercises because they involve more people and activity;
simulations can also have a greater impact and risk of impact to
productivity because work is interrupted for the duration of the
test. However, simulations offer greater benefit than the
aforementioned tests because more people within the organization
receive experience and training from the simulation.

Parallel
Parallel exercises are for those organizations that utilize alternate
operating sites as part of their BCDR plan. The exercise entails
mobilizing personnel and resources for the alternate site and
actually conducting operations from the alternate location.
Obviously, this is much more expensive and has a greater impact
than any of the exercise options discussed previously (not the least
of which is taking those personnel involved in the exercise away
from their normal duties). However, it also offers great benefit in
that the organization has greater assurance the alternate solution
will work effectively during an actual contingency, and the
personnel involved gain experience and knowledge (and can
identify problems) in enacting the response procedures.

Full Interruption
A full interruption involves the entire organization in a scripted
situation that mimics an actual contingency event. All BCDR
resources, personnel, and activities are involved and perform the
actions they would take during an unscheduled situation.
This is, by far, the most expensive option with the greatest impact to
the organization and its stakeholders. Great care must be taken to
ensure the exercise does not turn into an actual disaster because of
the interruption to normal operating conditions. Only organizations
with the wherewithal to properly plan and execute an action with the
amount of resources required to successfully complete a full
interruption should attempt it because of the associated risk.

Module 13: Personnel Safety and Security Concerns

PPT
Personnel Safety and Security Concerns
Introduce the participants to the “Personnel Safety and Security Concerns”
module.

Module Objectives
1. List common security aspects of operational concerns
associated with personnel.

PPT
Module Objectives
Introduce the module objectives.

Travel

PPT
Travel
Discuss travel-related security concerns, concentrating on threats
to personnel.

Security concerns and risks differ depending on location; the organization
should take this into account when personnel are required to work
outside the organization’s control (that is, everywhere but inside the
organization’s facilities/campus).
Some security aspects to consider when personnel are traveling/
working remotely:
l Encryption: Devices and data that are physically moved to any
location outside the organization’s control can benefit from
the additional protection of encryption; this can protect the
organization from loss of data due to interception in transit
or physical theft/loss of a device. However, if personnel are
traveling internationally, encryption options may be limited
by law in some jurisdictions (refer to the discussion of import/
export controls and trans-border data flow in Modules 5 and 6
of Domain 1).
l Secure remote access: If personnel are going to connect to the
organization’s environment from off-site facilities, the organization
needs to create a secure mechanism for doing so (for detailed
discussion, see Module 11, Domain 4).
l Additional jurisdictional concerns: Data moved across borders
may be subject to different statutory/contractual regulation (see
Module 5 Domain 1).
l Personnel protection: Personnel need to be protected according
to the specific security conditions of geographical areas where
they may be traveling. The organization should provide location-
specific orientation material for travelers, additional personal
training, medical/life insurance, and physical protection elements
as needed.
l Condition monitoring: When personnel are traveling, someone
remaining at the organization’s primary operating site should
be monitoring their location/condition on a regular basis and
ensuring daily check-in.

Security Training and Awareness

PPT
Security Training and Awareness
Review personnel participation in security efforts, particularly
emergency/safety procedures and incident detection and reporting.

Health and human safety is the paramount concern of all security
efforts; ensuring personnel are properly trained and aware of safety and
security threats and risks is essential.
This effort should include the following:
l Location-specific orientation, training, and awareness for
travelers (see previous topic in this module).
l Emergency procedures (see next topic in this module).
l Incident reporting procedures (see Module 5 in this domain).
l Users’ role(s) in incident detection and response.
l How to recognize attack attempts that directly target
individual users (phishing, social engineering, etc.).
For a more detailed discussion of security training and awareness
programs, see Module 8 Domain 1.

Emergency Management

All emergency/BCDR planning should take into account personnel safety as the highest priority. Elements of the security program specific to personnel safety should include the following:

l Fire detection/suppression systems designed to protect human health and safety first and foremost (see Module 7, Domain 3). All egress paths from the facility should be equipped with deluge systems. Fire marshals (and alternates) should be assigned per workspace and fully trained and practiced.
l Evacuation of personnel should be practiced on a regular basis; all personnel should be aware of emergency exits and procedures (see Modules 10, 11, and 12 in this domain for discussion of training, awareness, and exercises for contingency events).
l Coordination with all applicable external entities (law enforcement, fire department, medical response, etc.) should be performed prior to any actual event so that ready communication and familiarity are established.
l The organization's BCDR team needs to consider all localized threats (natural disaster/weather applicable to the particular location, etc.) when making the response plan and in designing the thresholds for initiating the response.
l Asset protection activities must not put personnel in jeopardy.
l If the organization's BCDR response includes relocating critical personnel to a geographically removed alternate site, the organization should also consider budgeting to allow those personnel to relocate family members as well.

Duress

Personnel should have a means to report to the organization if they are ever put under duress (threatened or hindered in movement). This is especially true for travelers, senior management, and critical personnel, all of whom may be subject to crimes that target those roles (kidnapping, terror attacks, etc.).

Personnel should be able to convey duress situations in a subtle manner (that is, with code words other than "I'm under duress") that can be worked into normal communications and can be remembered while the subject is under extreme stress. Duress codes should be able to be conveyed by several methods of communication (verbal and otherwise). Personnel receiving duress codes should have training and practice in the actions to undertake in those circumstances.

Duress codes should change on a regular basis, but if personnel convey expired codes, a response process should still be initiated.


Module 14: Domain Review

Domain Summary

The organization's operations incur considerable security risks; it is important for the security practitioner to remember that the security effort supports operations and production and that every security decision comes with an associated tradeoff in productivity.

Domain Review Questions

1. All of the following are types of alternate operating sites except:
A. Joint operating agreement
B. Mobile site
C. Cloud
D. Full interruption

2. Which of the following is paramount in all emergency actions/responses?
A. Asset protection
B. Health and human safety
C. Regulatory compliance
D. Confidentiality

3. A duress code should be ______.
A. reusable
B. immediately recognizable
C. covert
D. complex

4. The organization should provide specific BCDR plan training to ______.
A. all members of the security team
B. critical personnel and response team members
C. all stakeholders
D. members of external first response teams (fire, police, medical, etc.)


5. Honeypots/honeynets are intended to ______ attackers.
A. deter
B. attract
C. distract
D. prevent

6. Which of the following backup methods requires the greatest number of data versions to conduct restoration?
A. Full
B. Incremental
C. Differential
D. Composite

7. Which of the following is not true about emergency response testing?
A. Tests involve cost
B. Tests might result in actual emergencies
C. Tests may be mandatory
D. Tests are performed by the security department

8. Which of the following is true about evidence?
A. Evidence is useless if the original version has been changed in any way
B. Evidence can expire
C. Electronic evidence is inadmissible
D. Evidence should be believable


9. Which of the following is true about incident detection?
A. It is better to have overreporting than underreporting
B. It is better to have underreporting than overreporting
C. Incidents must be ended within 24 hours of detection
D. Detection of incidents should be limited to the IT and security departments

10. Which of the following is true about vulnerability scans?
A. They prevent attacks
B. They deter attacks
C. They are all automated
D. They typically don't detect zero-day exploits


Domain Review Answers

1. All of the following are types of alternate operating sites except:
A. Joint operating agreement
B. Mobile site
C. Cloud
D. Full interruption
The correct answer is D. Full interruption is a type of BCDR exercise; all the other answers are types of alternate operating sites.

2. Which of the following is paramount in all emergency actions/responses?
A. Asset protection
B. Health and human safety
C. Regulatory compliance
D. Confidentiality
The correct answer is B. Health and human safety is always the most important aspect of security.

3. A duress code should be ______.
A. reusable
B. immediately recognizable
C. covert
D. complex
The correct answer is C. The duress code should be something subtle and unrecognizable to anyone outside the organization, simple enough to remember in times of stress, and of limited duration.


4. The organization should provide specific BCDR plan training to ______.
A. all members of the security team
B. critical personnel and response team members
C. all stakeholders
D. members of external first response teams (fire, police, medical, etc.)
The correct answer is B. Organizational personnel who will be involved in an actual BCDR response should receive specific training from the organization. External responders will be trained by their agencies. Not all members of the security team will be involved in BCDR actions.

5. Honeypots/honeynets are intended to ______ attackers.
A. deter
B. attract
C. distract
D. prevent
The correct answer is C. A honeypot/honeynet is meant to occupy the attacker's time, attention, and efforts while the organization collects information about the attack. Honeypots/honeynets will not deter or prevent attacks, and they should not be built to lure people who were not already attacking the organization (enticement); their job is to occupy those who are.

6. Which of the following backup methods requires the greatest number of data versions to conduct restoration?
A. Full
B. Incremental
C. Differential
D. Composite
The correct answer is B. An incremental backup copies only the data changed since the last backup of any kind (full or incremental), so a restore needs the last full backup plus every incremental taken since it. A full backup restores from one version, and a differential (which copies everything changed since the last full backup) restores from two: the full and the most recent differential. There is no such thing as a composite backup.
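The version counts in this answer can be checked by simulating the three rotation schemes. The following Python is an added example and is not part of the (ISC)² guide. It runs each scheme over a constructed five-day change history, computes which versions a restore to a given day must read, and also totals how many file copies each scheme wrote, which is the other side of the tradeoff (incremental is the cheapest to take and the most expensive to restore; differential sits in between). The file names and the change pattern are constructed for illustration.

```python
"""Full vs. incremental vs. differential: versions needed for a restore.

Added example (not from the (ISC)2 guide). It simulates a backup scheme
over a constructed change history and shows that restoring to day N needs
1 version (full), 2 (differential: last full + latest differential) or
1 + every incremental taken since the last full (incremental).
"""
from dataclasses import dataclass

# Constructed sample data: live file set at the end of each day (day 0 = baseline).
FILES_BY_DAY = [
    (0, {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0"}),
    (1, {"a.txt": "a1", "b.txt": "b0", "c.txt": "c0"}),
    (2, {"a.txt": "a1", "b.txt": "b2", "c.txt": "c0"}),
    (3, {"a.txt": "a3", "b.txt": "b2", "c.txt": "c0"}),
    (4, {"a.txt": "a3", "b.txt": "b2", "c.txt": "c4", "d.txt": "d4"}),
]


@dataclass
class Backup:
    day: int
    kind: str    # "full", "incremental" or "differential"
    files: dict  # file name -> content captured in this version


def take_backups(history, kind):
    """Run one scheme over the history. Day 0 is always a full backup; on later
    days a differential copies what changed since the last FULL backup and an
    incremental copies what changed since the last backup of ANY kind."""
    snapshots = dict(history)
    backups, last_full, last_any = [], None, None
    for day, state in history:
        if last_full is None or kind == "full":
            version = Backup(day, "full", dict(state))
            last_full = version
        else:
            base = last_full if kind == "differential" else last_any
            base_state = snapshots[base.day]
            changed = {f: c for f, c in state.items() if base_state.get(f) != c}
            version = Backup(day, kind, changed)
        backups.append(version)
        last_any = version
    return backups


def restore_plan(backups, target_day):
    """Return (days of the versions that must be read, reconstructed file set)."""
    usable = [b for b in backups if b.day <= target_day]
    last_full_idx = max(i for i, b in enumerate(usable) if b.kind == "full")
    chain = [usable[last_full_idx]]
    later = usable[last_full_idx + 1:]
    if later and later[-1].kind == "differential":
        chain.append(later[-1])   # one differential carries everything since the full
    else:
        chain.extend(later)       # every incremental must be replayed, in order
    state = {}
    for version in chain:         # later versions overwrite earlier copies of a file
        state.update(version.files)
    return [b.day for b in chain], state


def storage_written(backups):
    """Total number of file copies written over the whole schedule."""
    return sum(len(b.files) for b in backups)


def compare_schemes(history, target_day):
    """For each scheme: (versions needed to restore target_day, file copies written).
    Also verifies that every scheme reconstructs the live data exactly."""
    expected = dict(history)[target_day]
    result = {}
    for kind in ("full", "incremental", "differential"):
        backups = take_backups(history, kind)
        days, state = restore_plan(backups, target_day)
        assert state == expected, kind
        result[kind] = (len(days), storage_written(backups))
    return result


if __name__ == "__main__":
    for kind, (versions, copies) in compare_schemes(FILES_BY_DAY, 4).items():
        print(f"{kind:12s} restore needs {versions} version(s); wrote {copies} file copies")
```

Restoring day 4 of this history reads 1 version under the full scheme, 2 under differential and 5 under incremental, while the schemes wrote 16, 12 and 8 file copies respectively; the restore chain for the incremental scheme is also the one most exposed to a single corrupt or missing tape, since every link must be readable.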


7. Which of the following is not true about emergency response testing?
A. Tests involve cost
B. Tests might result in actual emergencies
C. Tests may be mandatory
D. Tests are performed by the security department
The correct answer is D. Emergency response testing should include all affected parties (which can include all personnel in the organization) and is not limited to the security department.

8. Which of the following is true about evidence?
A. Evidence is useless if the original version has been changed in any way
B. Evidence can expire
C. Electronic evidence is inadmissible
D. Evidence should be believable
The correct answer is D. Evidence is material supporting an argument; it must be believable to be effective.

9. Which of the following is true about incident detection?
A. It is better to have overreporting than underreporting
B. It is better to have underreporting than overreporting
C. Incidents must be ended within 24 hours of detection
D. Detection of incidents should be limited to the IT and security departments
The correct answer is A. In general, responding to possible incidents that turn out to be harmless is preferable to not knowing when an actual incident occurs (even though false responses still incur some cost).


10. Which of the following is true about vulnerability scans?
A. They prevent attacks
B. They deter attacks
C. They are all automated
D. They typically don't detect zero-day exploits
The correct answer is D. Vulnerability scanners work by comparing what they observe (software versions, configurations, responses to probes) against a database of known vulnerabilities, so they can only report what is already known. A zero-day is a vulnerability that is not yet publicly known or patched at that point in time, so no scanner check exists for it.


Terms and Definitions

Change management: A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.

Configuration management (CM): A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).

Honeypots/honeynets: Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy malicious or unauthorized intruders, as a means of delaying their attempts to access production data/assets. A number of machines of this kind, linked together as a network or subnet, are referred to as a "honeynet."

Intrusion detection system (IDS): A solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access.

Intrusion prevention system (IPS): A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access.

Job rotation: The practice of having personnel become familiar with multiple positions within the organization as a means to reduce single points of failure and to better detect insider threats.

Least privilege: The practice of only granting a user the minimal permissions necessary to perform their explicit job function.

Media: Any object that contains data.


Need-to-know: Primarily associated with organizations that assign clearance levels to all users and classification levels to all assets; restricts users with the same clearance level from sharing information unless they are working on the same effort. Entails compartmentalization.

Parity bits: RAID technique; redundant data computed across the blocks of a stripe (typically by XOR) and stored alongside them, allowing the contents of a missing drive to be reconstructed from the remaining drives.

Patch: An update/fix for an IT asset.

Sandbox: An isolated test environment that simulates the production environment but will not affect production components/data.

Separation of duties: The practice of ensuring that no organizational process can be completed by a single person; it forces would-be wrongdoers to collude, as a means to reduce insider threats.

Striping: RAID technique; writing a data set across multiple drives.

Uninterruptible power supplies (UPS): Batteries that provide temporary, immediate power during times when utility service is interrupted.
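To make the "parity bits" and "striping" entries concrete, the following Python is an added example (mine, not the guide's). It stripes a byte string across three data members plus a dedicated parity member, the RAID 4 layout, which is the simplest to follow (RAID 5 rotates the parity chunk across the members), and rebuilds any single lost member, data or parity, by XORing the survivors. The member count, chunk size and sample data are assumptions.

```python
"""Striping with XOR parity and rebuild of one lost member.

Added example, not from the (ISC)2 guide. Dedicated-parity (RAID 4 style)
layout: each stripe holds (members - 1) data chunks and one parity chunk
that is the XOR of the data chunks. Because XOR is its own inverse, any
single missing chunk equals the XOR of the other chunks in its stripe.
"""


def xor_blocks(blocks):
    """XOR a list of equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe(data: bytes, members: int, chunk: int = 4):
    """Lay `data` out across `members` drives. Returns a list where drives[i]
    is the ordered list of chunks stored on drive i; the last drive holds parity.
    Data is zero-padded to a whole number of stripes (assumed chunk size: 4 bytes)."""
    data_members = members - 1
    stripe_bytes = data_members * chunk
    padded = data + b"\0" * (-len(data) % stripe_bytes)
    drives = [[] for _ in range(members)]
    for start in range(0, len(padded), stripe_bytes):
        chunks = [padded[start + j * chunk: start + (j + 1) * chunk] for j in range(data_members)]
        for j, c in enumerate(chunks):
            drives[j].append(c)
        drives[members - 1].append(xor_blocks(chunks))   # parity chunk for this stripe
    return drives


def rebuild(drives, lost: int):
    """Reconstruct every chunk of drive `lost` from the surviving members."""
    survivors = [d for i, d in enumerate(drives) if i != lost]
    stripes = len(survivors[0])
    return [xor_blocks([d[k] for d in survivors]) for k in range(stripes)]


def read_back(drives, length: int) -> bytes:
    """Reassemble the original data (ignoring the parity drive) and strip padding."""
    data_members = len(drives) - 1
    out = b"".join(
        b"".join(drives[j][k] for j in range(data_members)) for k in range(len(drives[0]))
    )
    return out[:length]


def demo(data: bytes = b"the quick brown fox jumps", lost: int = 1) -> bool:
    """Stripe the data, lose one member, resync it from the survivors, and check
    that the rebuilt member and the readable data are both identical to the original."""
    drives = stripe(data, members=4)
    degraded = list(drives)
    degraded[lost] = None                       # the failed member is unreadable
    degraded[lost] = rebuild(degraded, lost)    # resync from the remaining members
    return degraded == drives and read_back(degraded, len(data)) == data


if __name__ == "__main__":
    print("rebuild of data member 1:", demo())
    print("rebuild of parity member:", demo(lost=3))
```

Note what the example does not give you: parity protects against the loss of one member per stripe, not against two concurrent failures, and not against corrupt data that was written with a matching parity, which is why parity is a redundancy control and not a substitute for backups.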


Course Agenda

Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security

Domain 8: Software Development Security

Overview

Software Development Security within the context of the eighth domain of the CISSP® examination deals with the important requirement of protecting applications and the environments they exist in, from inception to decommissioning. In other words, this domain focuses on involving and designing security into the application from the beginning, at inception and throughout what is referred to as the software development lifecycle (SDLC). But security does not end there; it also needs to be involved in what is referred to as the system lifecycle (SLC), which covers the application and systems while they are being used, maintained, and tested in production, and also the decommissioning (disposal) phase when the application or system needs to be retired.

It is important to focus on the security of the application itself and also the environment it exists in. For example, in today's environments the majority of attacks are happening at the application layer, specifically the web application environment.


Protection of applications and the valuable data they process requires a layered approach and also the protection of all components that make up the architectures the applications are running in.

Addressing security properly requires appropriate security controls that focus on a number of things: the development environment; the tools and methodologies being used; operations and maintenance; enforcing the latest security-capable tools; addressing the latest exploits and vulnerabilities; and providing assurance mechanisms related to logging, monitoring, and testing. In other words, security of applications and systems involves many components that the security professional has to enforce and support throughout the organization.

Domain Objectives

After completing this domain, the participant will be able to:

1. Understand development methodologies.
2. Explain how maturity models, such as the Capability Maturity Model (CMM), can help organizations address software development properly.
3. Understand operations and maintenance.
4. Understand change management and how it applies to software development.
5. Understand the value of integrated product teams (IPTs), including DevOps.
6. Understand secure coding standards and guidelines.
7. Explain the evolution of programming languages and how this relates to security.
8. Explain the benefits of libraries and toolsets.
9. Understand the value of integrated development environments and runtime systems.
10. Understand security weaknesses and vulnerabilities at the source-code level.
11. Explain how to secure application programming interfaces (APIs) and secure coding practices.
12. Understand security and how it is applied in software environments.
13. Explain the importance of protecting code repositories.


14. Understand the importance of configuration management as an aspect of secure coding.
15. Understand the importance of auditing and logging all changes to software.
16. Understand how risk analysis and mitigation is applied to software security.
17. Explain how to assess the security impact of acquired software.


Domain Agenda

Module 1: Security in the Software Development Lifecycle (SDLC)
Module 2: Secure Coding Guidelines and Standards
Module 3: Security Controls in Development Environments
Module 4: The Effectiveness of Software Security
Module 5: Domain Review


Module 1: Security in the Software Development Lifecycle (SDLC)

Module Objectives

1. Understand development methodologies.
2. Explain how maturity models such as the Capability Maturity Model (CMM) can help organizations address software development properly.
3. Understand operations and maintenance.
4. Understand change management and how it applies to software development.
5. Understand the value of integrated product teams (IPTs), including DevOps.


Development Lifecycle Methodologies

To ensure software development success, organizations should choose appropriate development lifecycle methodologies to guide them in properly completing the phases involved in software development. As software development projects have become more complex, a number of methodologies have been created to manage this complexity, such as waterfall, agile, spiral, and a number of others.

As a systems development effort goes through a lifecycle, the methodology can guide the engineers and developers in completing the phases properly. The theme of our presentation is that security needs to be involved in the phases, and therefore in the methodologies.

The software development lifecycle (SDLC) is a framework that can guide the phases of a software development project from inception, through defining the functional requirements, to implementation. As the word "development" implies, this lifecycle ends at the implementation phase. Regardless of the methodology used, the SDLC outlines the phases a software development project needs to go through. Organizations need to choose methodologies carefully, as the model chosen should be based on the requirements of the organization. As with any other project, understanding the requirements ahead of time is paramount for the success of the project itself. For example, some models work better with long-term, complex projects, while others are more suited for short-term projects. However, the key point being made here is that a formalized SDLC needs to be utilized, and the entire process needs to involve security. The best security is always what is designed into the system, not what is added later. The number of phases used in methodologies can vary, as we will see in some examples below.

Software Development Lifecycle (SDLC) Phases

Typically, these are considered to be the most basic phases of the SDLC:

l Project initiation and planning
l Functional requirements definition
l System design specifications
l Development and implementation
l Documentation and common program controls
l Testing and evaluation control (certification and accreditation)
l Transition to production (implementation)


The system lifecycle (SLC) covers the life of the system beyond putting the system into production. Placing the system into production is where the SDLC ends, but the SLC continues to include two additional phases:

l Operations and maintenance support (post installation)
l Decommissioning/disposal and system replacement

Project Initiation and Planning

Projects usually start out with an idea, a vision, or some conceptual objective. These may address particular business needs, or a better way of doing things. At this point, justification for undertaking the project needs to be formulated. This type of information is typically contained in a document that outlines the project's objectives, scope, strategies, and other very important factors, such as an estimate of cost or schedule. Management approval for the project is based on this project plan document, as all undertakings should be cost justified. Security must also be involved during this phase, as understanding the security requirements needs to begin here. Security activities need to be done in parallel with project initiation activities and with every single phase guided by the methodology used.

Figure 8.1 outlines some of the activities that are done in this phase of the project. Of note are the security activities that also need to be done to complete the very important overall project activities.

[Figure 8.1: Project Initiation and Planning Security Activities. Project activities: Establish User Requirements; Identify Alternatives; Select/Approve Approach. Parallel security activities: Determine Security Requirements; Conduct Risk Analysis; Define Security Strategy.]


Activity: Reviewing a Potential Security Checklist in the Project Initiation Phase

Instructions

Review the checklist below and identify the most important considerations that would be helpful to your organization in addressing security requirements in the project initiation phase. Also, see if you can come up with some additional questions. The list is only a sampling; there may be other important considerations that an organization may need to evaluate.

l Is there any information that has exceptional value or sensitivity and therefore requires special protection?
l Does the application or software being used to access the data itself have proprietary functionality or intellectual property that will need to be safeguarded as part of understanding the value of the system, possibly separately from the data the system is processing?
l If the data being processed is of low value, does the resulting output information have higher value?
l Has the organization identified an owner, and has the owner determined the information's value?
l Are there any special legal, regulatory, or compliance requirements that need to be addressed?
l What are the assigned classifications or categorizations according to the asset classification system?
l Will operation of the application risk exposure of very sensitive information?
l Will control of output displays or reports require special security controls?
l Will data be processed, stored, or transmitted through public or untrusted networks?
l Are physically controlled areas required for operation of the system?
l What systems and data sources interconnect with this system, and are they considered to be secure?
l What will this system do to the operations and culture of the organization?
l Does the system require special support in terms of the business continuity requirements of the organization?


l Has the system and the information been looked at through the organization's business impact analysis (BIA)?
l Any additional questions you may have come up with.

Functional Requirements Definition

At this part of the SDLC, the project management and systems development teams conduct a comprehensive analysis of current and possible future functional requirements to ensure that the system will meet the owner's and the organization's needs. This is also where security needs to address the requirements for controls and the compliance requirements. The teams, which include security, also review the documents from the project initiation phase and make any revisions or updates as needed. At this point, security requirements should be formalized as well by involving all parties, especially the owners, compliance, privacy, business-facing functions, and other stakeholders who are informed of the security requirements that the system needs to be able to address. Figure 8.2 shows some of the security activities that need to be completed in this phase.

[Figure 8.2: Functional Requirements Specifications Security Activities. Project activities: Identify Functional Requirements; Develop Project Plan; Set Test Criteria; Develop Functional Baseline; Define Strategy. Parallel security activities: Identify Security Areas; Establish Security Requirements; Security Tests; Include Security Requirements in RFPs, Contracts; Include Functional Security Requirements; Prepare Risk Analysis and Contingency Plan.]

System Design Specifications

This phase includes all activities related to designing the system and software, including the system architecture, system outputs, and system interfaces. Data input, data flow, and output requirements are established, and security features are designed into the design specifications, based on the requirements understood in the previous phases. Figure 8.3 depicts the security activities that need to be completed in this phase.

[Figure 8.3: Detailed Design Specifications Security Activities. Project activities: Prepare Detailed Designs; Update Testing Goals & Plans; Develop Formal Baseline. Parallel security activities: Establish Security Specifications; Update Security Test Plans; Document Security Baseline.]

Development and Implementation

During this phase, the source code is actually developed by the developers based on the design specifications from the previous phases. Test scenarios and test cases are also developed, unit and integration testing is performed, and the applications and system are documented for maintenance and for the process of moving them into production.

In this phase, particular care for software quality, reliability, and consistency of operation needs to be addressed. Particular care should also be taken to ensure the code is analyzed to eliminate common vulnerabilities that might lead to security exploits and other risks. There are many ways this can be done, but code review needs time to be done properly; adequate time needs to be allocated for proper code review before moving into further phases of the SDLC.

Other types of controls that would need to be coded into the system and applications relate to data validation, logging and monitoring, version control, etc. A large number of other controls may also be required, and may include testing and integrity controls for:
l Program and application
l Operating instructions and procedures
l Utilities
l Privileged functions


l Job and system documentation
l Components including hardware, software, files, databases, reports, and also users
l Restart and recovery procedures
l Common program controls such as data validation
l Edits such as syntax, reasonableness (sometimes referred to as a sanity check), range checks, and check digits
l Logging of security-relevant information
l Time stamps for certain time-sensitive applications
l Before and after images of components where integrity is important
l Counts that are useful for process integrity checks; examples may include total transactions, batch totals, hash totals, and balances
l Internal checks such as checks for data integrity within the program while being processed
l Parameter ranges and data types
l Valid and legal address references
l Completion codes
l Peer code review
l Program or data library when developing software applications:
o Automated control system
o Current versions of both programs and documentation
o Record of changes made: by whom, when authorized, what changed
o Test data and verification of changes
o Owner and stakeholder sign-offs indicating correct testing
l A librarian ensures the program or data library is controlled in accordance with policy and procedures:
o Controls all copies of data dictionaries, programs, load modules, and documentation and can provide version control
o Change control/management that ensures no programs are added or changed unless properly tested and authorized and taken through the proper steps of making those changes
o Invalid transactions detected are written to a report and reviewed by developers and management
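Several of the controls in the list above (syntax and range edits, reasonableness checks, check digits, batch totals, hash totals, and the exception report for invalid transactions) can be seen working together in the following Python, which is an added example and not code from the (ISC)² guide. It validates a constructed batch of payment-style records, uses the Luhn mod-10 scheme as one common check-digit algorithm, and reconciles the batch against the control record the sending system would have computed. The record layout, field limits, and sample data are all assumptions made for the illustration.

```python
"""Common program controls applied to a constructed batch of transactions.

Added example, not from the (ISC)2 guide. It implements several controls
from the list above: syntax edits, range and reasonableness checks, a check
digit (the Luhn mod-10 scheme is used as one common check-digit algorithm),
and batch/hash totals compared with the control record that accompanies the
batch. Invalid records go to an exception report for review rather than
being silently dropped. The record layout, field limits and sample data are
assumptions made for this illustration.
"""
import re
from datetime import date

ACCOUNT_RE = re.compile(r"^\d{8}$")      # assumed layout: 8 digits, last one is the check digit
MAX_AMOUNT_CENTS = 100_000_000           # assumed reasonableness ceiling: $1,000,000.00


def luhn_valid(number: str) -> bool:
    """Mod-10 check digit: catches any single wrong digit and most adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                   # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: dict, processing_date: date) -> list:
    """Per-record edits. Returns the list of failed controls (empty means accepted)."""
    errors = []
    account = rec.get("account", "")
    if not ACCOUNT_RE.match(account):
        errors.append("syntax: account must be exactly 8 digits")
    elif not luhn_valid(account):
        errors.append("check digit: account fails mod-10 check")
    amount = rec.get("amount_cents")
    if not isinstance(amount, int):
        errors.append("syntax: amount_cents must be an integer")
    elif not 0 < amount <= MAX_AMOUNT_CENTS:
        errors.append("range: amount must be between 1 and %d cents" % MAX_AMOUNT_CENTS)
    try:
        tx_date = date.fromisoformat(rec.get("date", ""))
    except ValueError:
        errors.append("syntax: date must be YYYY-MM-DD")
    else:
        if tx_date > processing_date:
            errors.append("reasonableness: transaction is dated after the processing date")
    return errors


def batch_totals(records: list) -> dict:
    """Control totals over the whole batch as received: record count, batch total
    (sum of amounts) and hash total (sum of account numbers, meaningless as a
    quantity but sensitive to dropped, duplicated or altered records)."""
    return {
        "count": len(records),
        "amount_total": sum(r["amount_cents"] for r in records if isinstance(r.get("amount_cents"), int)),
        "hash_total": sum(int(r["account"]) for r in records if str(r.get("account", "")).isdigit()),
    }


def process_batch(records: list, control: dict, processing_date: str):
    """Apply per-record edits, then reconcile the batch against its control record.
    Returns (accepted records, exception report, True if the totals reconcile)."""
    as_of = date.fromisoformat(processing_date)
    accepted, report = [], []
    for seq, rec in enumerate(records, start=1):
        errors = validate_record(rec, as_of)
        if errors:
            report.append({"record": seq, "errors": errors})
        else:
            accepted.append(rec)
    return accepted, report, batch_totals(records) == control


# Constructed sample batch; accounts 12345674, 98765431 and 55555551 carry valid Luhn digits.
SAMPLE_BATCH = [
    {"account": "12345674", "amount_cents": 1250, "date": "2023-03-01"},
    {"account": "98765431", "amount_cents": 50000, "date": "2023-03-01"},
    {"account": "12435674", "amount_cents": 4000, "date": "2023-03-01"},   # two digits transposed
    {"account": "55555551", "amount_cents": -500, "date": "2023-03-01"},   # negative amount
    {"account": "5555555", "amount_cents": 1000, "date": "2023-03-02"},    # too short, post-dated
]
# Control record the sending system would have computed over the same five records.
SAMPLE_CONTROL = {"count": 5, "amount_total": 55750, "hash_total": 184657885}

if __name__ == "__main__":
    ok_records, exceptions, reconciled = process_batch(SAMPLE_BATCH, SAMPLE_CONTROL, "2023-03-01")
    print("accepted:", [r["account"] for r in ok_records])
    print("reconciled with control record:", reconciled)
    for entry in exceptions:
        print("record %d rejected: %s" % (entry["record"], "; ".join(entry["errors"])))
```

Two design points worth noticing: the totals are computed over the batch as received, before any record is rejected, so a truncated or tampered file fails reconciliation even if every surviving record is individually valid; and the per-record edits accumulate every failed control instead of stopping at the first, which is what the reviewers of the exception report need.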


[Figure 8.4: Development and Documentation Security Activities. Project activities: Develop System; Unit Testing & Evaluation; Document System. Parallel security activities: Develop Security Code; Security Code Evaluation; Document Security Code.]

Acceptance

The acceptance phase is one of the most important, as this is where we ensure the system does what it is supposed to do, including its security capabilities. Once all of this has been confirmed, acceptance can happen. As part of the acceptance phase, an independent group develops test data and tests the code to ensure it will function within the organization's environment and that it meets all the functional and, most importantly from our perspective, security requirements. It is therefore very important that the group members performing the testing are independent, but the group should also include the most important stakeholders who will be involved in accepting the system.

The very important goal of security testing is to ensure the application meets the security requirements and specifications that were outlined in previous phases. Security testing strives to uncover all design and implementation flaws that would allow someone, whether an authorized or an unauthorized individual, to bypass the software security policy and access requirements.

To ensure proper and valuable testing, the application should be tested in an environment that simulates, as much as possible, the actual production environment. This should include testing the security capabilities and simulating other security-related problems that may occur. This is the first phase of what is commonly referred to as the certification and accreditation process.

Testing and Evaluation of Controls

PPT: Testing and Evaluation Controls. Identify the controls that apply to testing and evaluation.

The testing and evaluation phase is next, and this is where the following concepts related to testing can be applied:
- Good test data should be chosen to include all kinds of possibilities, including data that would challenge the acceptable data ranges, various points in between, and data beyond what may be expected by the application. Different testing strategies should be used to test as much as possible. This would include fuzz testing, which allows the test data to be very random and not “expected.”
- Testing with known good data is also required to ensure the application and system react as expected. A very important rule to always follow is that live production data should never be used, as it may impact privacy and need-to-know policies. If testing with live production data cannot be avoided, then the data owner needs to be consulted and will have to sign off on the usage of the data for testing and on allowing certain test members to possibly be exposed to very sensitive information. Further, usage controls strictly regulating what can be done with the data during testing will need to be negotiated between the data owner and the testing coordinator to ensure the exposure and risk to the data are managed properly; however, as a general rule, live production data should not be used.
  - Data validation: Before and after each test, review the data to ensure that it has not been modified inadvertently.
  - Bounds checking: Field size, time, date, etc. Proper bounds checking can be very effective in preventing buffer overflows.
- Sanitize test data to ensure that sensitive production data is not exposed to test members who should not be allowed to view sensitive data. Test data should not be production data until preparing for final user acceptance tests, at which point special precautions should be taken to avoid need-to-know noncompliance.
Clear and adequate segregation between testing and production environments must be maintained at all times. Copies of production data should be sanitized to ensure policy compliance. Management and stakeholders should be informed of the test results, and they also need to formally acknowledge the results of the test.
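The four test-data controls listed above (boundary test data, bounds checking, before/after data validation, and sanitizing copies of production data) worked through in Python as an added example; this is not code from the (ISC)2 guide, and the field limits, record layout, sensitive field names, salt and sample records are all constructed for illustration.

```python
"""Test-data controls for the testing and evaluation phase: boundary test data,
bounds checking, before/after data validation, and sanitizing production copies.

Added example, not code from the (ISC)2 guide. The field limits, the record
layout, the sensitive field names, the salt and the sample records are all
constructed.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldSpec:
    """Declared limits for one input field (constructed for this example)."""
    name: str
    max_len: int   # largest string the receiving buffer/column may hold
    lo: int        # inclusive lower bound for a numeric value
    hi: int        # inclusive upper bound for a numeric value


def bounds_check(spec: FieldSpec, value: object) -> bool:
    """Accept a value only if it sits inside the field's declared limits.

    Strings are limited by length, so an over-long value is refused before it
    can reach a fixed-size buffer; integers must lie in [lo, hi]; any other
    type (None, floats, bytes, bool) is refused outright."""
    if isinstance(value, bool):            # bool is an int subclass; reject it
        return False
    if isinstance(value, int):
        return spec.lo <= value <= spec.hi
    if isinstance(value, str):
        return len(value) <= spec.max_len
    return False


def boundary_values(spec: FieldSpec) -> list:
    """Test data that challenges the acceptable range: the limits themselves,
    one step inside, one step outside, values far beyond, and wrong types."""
    numeric = [spec.lo - 1, spec.lo, spec.lo + 1,
               spec.hi - 1, spec.hi, spec.hi + 1,
               -2 ** 31, 2 ** 31]
    strings = ["", "A" * (spec.max_len - 1), "A" * spec.max_len,
               "A" * (spec.max_len + 1), "A" * (spec.max_len * 64)]
    wrong_type = [None, 3.5, b"bytes"]
    return numeric + strings + wrong_type


def run_bounds_tests(spec: FieldSpec) -> dict:
    """Map each boundary value (as repr) to the validator's verdict, so the
    accept/reject pattern can be reviewed and recorded with the test results."""
    return {repr(v): bounds_check(spec, v) for v in boundary_values(spec)}


def fingerprint(dataset: list) -> str:
    """Hash of a test data set; compare before and after a test run to detect
    inadvertent modification of the test data (the data validation control)."""
    canonical = json.dumps(dataset, sort_keys=True, default=str)
    return hashlib.sha256(canonical.encode()).hexdigest()


def sanitize_record(record: dict, sensitive: set, salt: bytes) -> dict:
    """Copy of a production record with each sensitive field replaced by a
    salted-hash pseudonym: testers never see the real value, but equal inputs
    still map to equal pseudonyms so record relationships survive."""
    out = {}
    for key, value in record.items():
        if key in sensitive:
            digest = hashlib.sha256(salt + str(value).encode()).hexdigest()[:12]
            out[key] = f"{key}-{digest}"
        else:
            out[key] = value
    return out


# Constructed sample "production" records and a constructed field spec.
PRODUCTION_SAMPLE = [
    {"id": 1, "username": "jdoe", "ssn": "123-45-6789", "balance": 40},
    {"id": 2, "username": "asmith", "ssn": "987-65-4321", "balance": 100},
]
USERNAME = FieldSpec(name="username", max_len=8, lo=0, hi=100)

if __name__ == "__main__":
    for value, ok in run_bounds_tests(USERNAME).items():
        print(f"{'accept' if ok else 'reject':6} {value[:40]}")
    test_set = [sanitize_record(r, {"ssn"}, b"constructed-salt")
                for r in PRODUCTION_SAMPLE]
    before = fingerprint(test_set)
    # ... the test cycle would run against test_set here ...
    assert fingerprint(test_set) == before, "test data modified during the run"
    print(test_set)
```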

Certification and Accreditation

PPT: Certification and Accreditation. Define both certification and accreditation and how they apply to systems development.

Certification and accreditation is sometimes referred to as “Security Authorization.” Certification is defined as the formal process of evaluating the security capabilities of the software or system against a predetermined set of security standards or policies. Certification can also examine how well the system performs its intended functional requirements related to security. In other words, certification is the comprehensive technical analysis of the system to ensure that it meets the requirements. The result of this certification process should contain an analysis of the technical and nontechnical security capabilities and countermeasures and the extent to which the software or system meets the security requirements.
Once the software has been certified to meet the requirements, management needs to review the certification and authorize the system to be implemented in production for a specific period of time. This is the process referred to as accreditation. There are two types of accreditation, provisional and full. Provisional accreditation is for a specific period and therefore outlines the changes required to the application, system, or accreditation to meet full accreditation requirements and status. Full accreditation implies that no changes are required for making the accreditation decision. Note that management and owners may choose to accredit a system that has failed certification or may refuse to accredit a system even if it has been certified as meeting the requirements.

PPT: Testing, Acceptance, and Transition into Production Security Activities. Describe security activities in the testing, acceptance, and transition into production phase.

Transition to Production/Implementation
During this phase, the new system is transitioned from the acceptance phase into the live production environment. Activities during this phase may include obtaining security accreditation and providing training, awareness, and education to the new users according to the implementation and training requirements. Other activities include implementing the system, including components such as installation and data conversion, and, if necessary, conducting any parallel operations.
Figure 8.5 outlines the security activities that need to be included as part of testing, acceptance, and transition into production.

Figure 8.5: Testing, Acceptance, and Transition into Production Security Activities (paired activities, system track and security track: Test System Components / Security in Security Components; Validate System Performance / Security in Integrated System; Implement Integrated System / Security Code; Document Project Manuals / Security Controls; Certify Acceptance Test / Secure Operations; Accept System / Secure System)

Revisions and System Replacement

PPT: Revisions and System Replacement. Explain security’s role in revisions and system replacement.

While systems are in production mode, the hardware and software baselines should be subject to periodic evaluations and audits. In some instances, problems with the application may not be defects or flaws but possibly additional functions not currently developed in the application.
As the system is now in production, any changes that need to be made to the application must follow the same SDLC and be done within a change management system. Revision reviews and approvals should include security planning and procedures. Periodic application audits should be conducted and should include documenting security incidents when problems occur.

Operation and Maintenance

PPT: Operation and Maintenance. Describe security activities during operation of the system and maintenance of the system.

During this phase, the system is being used throughout the organization. The activities that need to be done here are monitoring the performance of the system on a regular basis and also ensuring the continuity of operations. This may require making certain components redundant and also detecting defects or weaknesses and addressing them. During operations and maintenance, the organization also needs to manage and prevent system problems, recover from system problems, and implement system changes.
The specific security activities that need to be done during this phase include testing backup and recovery procedures, ensuring proper controls for data and reports, and generally ensuring the effectiveness of security controls and processes. During the maintenance phase, periodic risk analysis and recertification of sensitive applications may be required, especially when significant changes occur. Significant changes may include a change in data classification or sensitivity, relocation or major changes to the physical environment, the purchase and implementation of new equipment, new internal or external interfaces, new or upgraded operating system software, and new application software.
Throughout the operation and maintenance phase, it becomes very important to verify that any changes to anything related to the system, including procedures or functionality, do not disable or affect the required security that already exists. Also, compliance with applicable service-level agreements (SLAs) and contracts according to the initial operational and security baselines needs to be constantly verified.

Software Development Methods – Primary Models

PPT: Software Development Methods – Primary Models. Explain the different methodologies for systems development and how security fits into all of them.

Waterfall
Waterfall is considered to be the traditional software development methodology. It represents a phased approach to software development where each phase is completed before the next one can be started. Each phase, from concept or idea, requirements definition, design, and so on, requires a set of activities that must be performed and documented before the next phase can begin. From the perspective of the organization, the disadvantage of the waterfall methodology is that it demands a heavy overhead in planning and administration and requires patience in the early stages of the project. For us in security, however, these same factors are considered an advantage, as they may force deliberate consideration and planning in relation to security.
Because each phase must be completed before the next can begin, waterfall methodologies can prevent development teams from doing activities and phases in concert with others. This limit slows initial development but may ensure that phases are done diligently and with the right focus.
The waterfall model is considered the basis for the following other methodologies, known as non-iterative models. From the perspective of security, non-iterative models may be preferred for systems development, as they again force a diligent and structured approach to software development, with security being involved at each phase.

Structured Programming Development

Structured programming development is a method that programmers use to write programs; it has considerable influence on the quality of the finished products in terms of coherence, comprehensibility, freedom from faults, and security. This methodology makes extensive use of subroutines and block structures that can be heavily reused. Structured programming also promotes discipline, allows introspection, and provides controlled flexibility. It requires defined processes and develops code into modules that are reused, and each phase is subject to reviews and approvals. It also provides a structured approach for security to be added as a formalized, involved approach.

Spiral Method
A nested version of the original waterfall method: the development of each phase is carefully designed using the waterfall model, but the distinguishing feature of the spiral model is that in each phase we add four sub-stages, based on what is known as the Deming plan, do, check, act (PDCA) model. Specifically, a risk assessment review (Check) is done at each phase. The estimated costs to complete and the schedules are revised each time the risk assessment is performed. We can consider this model to be an improvement on the waterfall methodology, based on being able to address, at each phase, the results of the risk assessment sub-phase. At this point, a decision is made to continue or cancel the project.

Cleanroom
This methodology is focused on controlling and, at best, avoiding defects and bugs in the software. The emphasis is to write the code correctly the first time rather than trying to find the problems once they are already there and trying to address them later. Essentially, cleanroom software development focuses on defect prevention rather than defect removal. To allow this to happen, more time is spent in the early phases, on the assumption that the time spent in other phases, such as testing, is theoretically reduced. The basic premise, therefore, is that quality is achieved through proper design rather than testing and remediation later. In terms of security, the same pattern applies: if risk considerations are addressed up front, security becomes an integral part of the system as a design rather than being added later. This is always preferred as far as security is concerned. Security should always be designed into the system based on requirements rather than being retrofitted later.

PPT: Iterative Development. Explain the iterative methodologies and how security fits into all of them.

Iterative Development
The waterfall model is highly structured and does not allow for changes once the project is started and has moved on to subsequent phases. Revisions are not allowed in later phases. This is indeed why it is called “waterfall.” Just as water in a waterfall cannot flow backwards, the waterfall methodology does not allow us to go back in phases to redesign for new requirements that we find as we move through the phases.
This is where the iterative development methodologies become desirable. Iterative models allow for successive refinements of requirements, design, and development of code. Allowing refinements during the process requires that a change control mechanism be implemented as part of this to allow the refinement of requirements. Also, the scope of the project may be exceeded if owners and stakeholders change the requirements after each point of development. Iterative models also make it very difficult to ensure that security provisions are still valid in a changing environment. If anything changes, the security requirements may need to change as well.

Prototyping
In prototyping, the objective is to build a simplified version of the entire application, release it for review, and use the feedback from the stakeholders’ review to build a second, much better version. This is repeated until the owner and stakeholders are satisfied with the final product. Prototyping is broken down into a step-by-step process that includes initial concept, design and implementation of the initial prototype, refining the prototype until acceptable to the owner, and completing and releasing the final version.

Modified Prototype Model (MPM)

A refined form of the above prototyping methodology that is ideal for web application development, MPM allows for the basic functionality of a desired system or component to be formally deployed in a quick time frame. The maintenance phase is set to begin after the deployment. The goal is to have the process be flexible enough so the application is not based on the state of the organization at any given time. As the organization grows and the environment changes, the application evolves with it rather than being frozen in time.

Rapid Application Development (RAD)

Also a refined form of prototyping, rapid application development (RAD) requires strict time limits on each phase and relies on efficient tools that enable quick development. The goal is to produce quality code quickly. While this sounds attractive, it must be handled properly, because the quick development process may be a disadvantage if decisions are made so rapidly that they lead to poor design.

Joint Analysis Development (JAD)

Originally invented to enhance the development of large mainframe systems, joint analysis development (JAD) has become very useful in today’s environments. The premise is to have facilitation techniques become an integral part of the management process, which helps developers to work directly with owners and stakeholders to develop a working application. This is a novel idea that involves all stakeholders in the entire process. The success of this methodology is based on having key players communicating at all critical phases of the project. The focus is on having the people who actually perform the job work together with those who have the best understanding of the technologies available to design the best solution. In other words, facilitation techniques bring together a team of stakeholders, including the owner, expert systems developers, technical experts, and security professionals, throughout the development lifecycle. As we have mentioned, this needs to involve security as well. While input from the owner may result in a more functional program, the involvement of large numbers of stakeholders may help in addressing the security requirements, or at least that is the goal.

Exploratory Model
The exploratory model uses a set of requirements built with what is currently available. A big part of this model requires assumptions to be made as to how the system might work, and further insights and suggestions by interested parties, including security, are combined to create a usable system. Because of the lack of structure at the basis of this model, security requirements need to take priority in order to address the requirements properly. The security professionals need to ensure the requirements are addressed appropriately.

PPT: Other Methods and Models. Explain other models and how security fits into each.
Other Methods and Models
There are other software development methods that rely on totally different approaches to software development. They include the following:
- Computer-Aided Software Engineering (CASE)
- Component-Based Development
- Reuse Model
- Extreme Programming

Computer-Aided Software Engineering (CASE)

As the words imply, this methodology relies on using computers and software utilities to aid in the analysis, design, development, implementation, and maintenance of software. This model is ideal for large, complex projects involving multiple software components and large teams of people and resources. The basis is to provide mechanisms for planners, designers, code writers, testers, owners, and other stakeholders, such as security, to share a common view of where a software project is at each phase of the SLC process. By having an organized approach, code and design can be reused, which can reduce costs and improve quality over time. The CASE approach requires building and maintaining software tools and training for the designers and developers who use them.

Component-Based Development
This model is based on a process of using standardized building blocks to assemble, rather than develop, the application. The components are made up of sets of standardized data and standardized methods of processing that data. These sets, when used together, offer scheduling and cost-effective benefits to the development process and the team members involved. From a security perspective, the advantage might be that components have previously been tested for security functionality and assurance effectiveness. This is very similar to object-oriented programming (OOP), where objects and classes may be designed with security methods initially and then reused as required.

Reuse Model
In this model, an application is built from already existing and tested components. The reuse model is best suited for projects using object-oriented development, because objects can be created, exported, reused, or modified as required. From a security perspective, the components would then be chosen based on the known effectiveness of their security characteristics.

Extreme Programming
This discipline of software development is based on having several values and characteristics of software development. The values are simplicity, communication, and feedback, all combined into the process. Despite the name, extreme programming is an attempt to use a structured approach to software development, relying on subprojects of limited and defined scope and developers always working in pairs. The team produces the software in a series of small, fully integrated releases that are supposed to fulfill the owner-defined needs. This implies that the owners need to be involved in defining the needs in the first place. It makes sense, as well, to involve security in defining those needs ahead of the developers programming the requirements. As we have mentioned earlier, this model relies on simplicity of the process, communication between all involved stakeholders, including security, and feedback to ensure requirements are addressed properly.

PPT: Model Choice Considerations and Combinations. Summarize how organizations are combining methodologies, but regardless, security is included in each phase.

Model Choice Considerations and Combinations
The trends in software development combined with specific organizational needs have shown that companies tend to combine different software development methodologies to fit the specific design and development requirements. For example, an application may need a certain set of activities to take place to achieve success, or the organization may require certain standards or processes to meet industry or government requirements. In these cases, it would make sense to combine several models to allow that organization to develop the proper requirements in the most cost-effective and efficient way. However, as we have seen in all models, security needs to be included as part of the process from the start to the end, not only of the software development process but also of the SLC. Security, therefore, must be included regardless of the methodologies used. As security professionals know, the best type of security is what is designed into the system, not what is added later. Regardless of the methodology used, security needs to be included right at the beginning, as the requirements for security functionality need to be understood at that point. All stakeholders, including owners, must also be involved in determining those requirements.
Historically, development has focused on functionality rather than security; therefore, it is critically important to educate the individuals responsible for the development, the managers who oversee the projects, and the owners who are accountable for the protection of valuable assets. Development today is much more focused on security, and it is important for an organization to streamline the process of development of systems and applications and involve security in the early phases and throughout the SDLC.

PPT: Capability Maturity Model (CMM) for Software or Software Capability Maturity Model (SW-CMM). Explain CMM for software and how it allows organizations to mature in development methodologies.

Maturity Models
The word “maturity” translates to an ability or measure of a particular discipline. The ability to measure an organization’s ability to do something can be important to an organization that wants to become better. There are maturity models in the industry that allow organizations to measure their particular capability in some discipline, including software development. It makes sense that an organization would want to measure its current capability in software development and formulate a path by which it can get better. One such model is called the Capability Maturity Model (CMM) for Software Development, issued by the Software Engineering Institute.

Capability Maturity Model (CMM) for Software or Software Capability Maturity Model (SW-CMM)
The Software Engineering Institute (SEI) released the Capability Maturity Model for Software (CMM or SW-CMM) back in 1991. Even though software development has evolved in many ways since then, this model is very useful in allowing an organization to measure its current capability in software development and also to formulate a plan by which it can get better. The CMM focuses on quality management processes and contains five maturity levels, each with its own required measurement parameters. The five levels describe an evolutionary path from chaotic and unstructured processes to mature, disciplined, and optimized software processes. The whole purpose of using CMM is to allow organizations to mature to a higher level of quality in software development. So, to summarize, the CMM framework as shown in Figure 8.6 establishes a basis for evaluation of the reliability and improvement of the software development environment.

PPT: Software Capability Maturity Model (SW-CMM) Levels. Describe the five maturity levels and the objective of this model.

Figure 8.6: Software Capability Maturity Model (SW-CMM) Levels (Initial: process is unpredictable, poorly controlled, and reactive; Repeatable: processes are more organized, often reactive; Defined: processes are well-characterized, understood, proactive; Managed: controlled using quantitative techniques; Optimizing: processes are continually improved, optimized)

Initial: At the initial level, it typically means that good practices can be repeated, but they may be unorganized and chaotic. If an activity is not repeated, there is no reason to improve it. Therefore, organizations would be able to show that they have policies, procedures, and practices and commit to using them so that the organization can perform software development in a consistent manner.
Repeatable: At this level, best practices for software development are repeatable and can be rapidly transferred across various groups in the organization without problems. Practices need to be defined in such a way that the organization allows for transfer of processes across project boundaries. This can provide for standardization and repeatable processes across the entire organization.
Defined: At the defined level, standard processes are formalized, and all new developments happen with new, stricter, and standardized processes. The processes are well understood and very proactive.
Managed: At this level, quantitative and measurable objectives are established for tasks. Quantitative measures are established, calculated, and maintained to form a baseline from which an assessment is possible. This can ensure that the best practices are followed and deviations from those measured objectives are reduced.
Optimizing: At the final level of the CMM, practices are continuously improved to enhance the organization’s capability, and they are also optimized. This level also focuses on continuous improvement, and feedback from one phase will reach and positively impact development in other phases, all ensuring positive future results.

PPT: Change Management. Describe security’s role in change management.

Change Management
To ensure the integrity of applications and systems, proper care must be taken to ensure that when applications need to be changed, the change is made in a consistent, structured, and rigorous manner that will ensure quality assurance of the change. The process by which organizations can do this is called change management, sometimes also referred to as change control. Change management can be summarized as the controlled identification, approval, and implementation of required changes within a system that is already in production.
Change management and the controls within the entire process must be sufficient to protect against accidental or deliberate introduction of variations in code that would allow system failures, security intrusions, corruption of data, or improper disclosure of information. In other words, the change management process must be very rigorous to prevent any adverse effect on the functionality of the system and also on the security of the system. Successful change management requires the following:
- Understanding the benefits beforehand and defining measurable metrics that can be incorporated into a business case. As part of the process, continuous monitoring of risks, dependencies, costs, return on investment, and other issues that may affect the entire process.
- Effective communication that keeps stakeholders informed of the progress and benefits of successful implementation. Very detailed documentation of the changes needs to be provided as well.
- The implementation of an effective education, training, and awareness program for the organization in regard to change management.
- Involvement of upper management to create a culture that will support the change management process and that is ultimately aligned with the overall strategic direction of the organization.
- Monitoring of the entire change management process and improvement of the process by fine-tuning as required.
The change management process should have a formal cycle, in the same manner as the SDLC discussed earlier. There should be a formal change request; an assessment of impact and resource requirements and an approval decision; implementation and testing; implementation into production; and a review and verification within the production environment.

PPT: Typical Change Management Process Phases. Describe the typical phases in change management.

These are the key points of change management:
- It needs to be a rigorous process that addresses quality assurance of the change.
- Changes must be submitted, approved, tested, implemented, and recorded.
- There should be a back-out plan in case the change is not successful at any point of the change management process.
Figure 8.7 summarizes the key phases in any change management process. Keep in mind that the change management process may look different in various organizations, but typically the steps indicated below are required to address the whole purpose of change management, which, as we’ve said, is to ensure quality assurance of the change itself.

[Figure 8.7: Typical Change Management Process Phases. The figure shows the phases in sequence: Formal Request for Change; Analyze Request (Feasibility, Impact, Timeline, Security); Develop Implementation Strategy; Approval of the Change; Develop and Implement the Change; Test the Change; Review Effectiveness; Report to Management.]

Figure 8.7: Typical Change Management Process Phases

Integrated Product Team (IPT)

An integrated product team (IPT) is a team of stakeholders and individuals who possess various different skills and work together to achieve a defined process or product. The purpose of an IPT is to force the members of the team to work together and be involved together in achieving the goal. If we make everyone accountable for achieving the goal of the product, the team members can be more motivated to work together efficiently to achieve the end result. The team members involved need to be all the stakeholders involved, such as owners, management, developers, designers, contractors, and yes, security professionals, collaborating together in achieving the requirements of the end result. Below are some examples of integrating and collaborating various groups to achieve better results in the development or acquisition of systems and applications.

PPT slide: Integrated Product and Process Development (IPPD). Define IPPD and how security fits in.

Integrated Product and Process Development (IPPD)

In Integrated Product and Process Development (IPPD), the goal is to combine the product design with process design. In other words, we involve both product and process design together right in the early phases to understand the requirements of the product that needs to be designed. At the same time that the product and its functionality are being understood, the design layout and other constraints are considered in understanding how to create the process properly to create the best product possible. This allows the clear definition of details that are then used to drive extensive modelling and testing to create the best product possible.

IPPD can also be used as a management technique that combines essential acquisition activities through the use of skilled teams to optimize the design, manufacturing, and supportability processes of the end result. The advantage of IPPD can be to facilitate meeting cost and performance objectives from product or system concept through development and production, including support after placing into production.

One of the key goals of IPPD is to facilitate multi-skilled team members working together through the concept of integrated product teams (IPTs). These teams are composed of skilled representatives from all involved functional disciplines working together with a team leader to build successful and efficient applications. The need to identify and resolve issues and make sound and timely decisions is facilitated as everyone is working together, from different perspectives and disciplines. This includes allowing team decisions to be made based on input from the entire team, which would include, for example, engineering, manufacturing, management, financial management, procurement, legal, and of course, security. The teams may also include customers and contractors in some instances; in other words, these teams may involve members from both the enterprise and the contractors or consultants.

PPT slide: Integrated Product and Process Development (IPPD) (continued). Define IPPD and how security fits in.

DevOps

As the two words combined imply, DevOps is a combining of development and operations. DevOps typically also involves the quality assurance processes of the organization. DevOps can be summarized as an approach based on lean and agile principles in which business owners and the development, operations, and quality assurance departments collaborate and work together to deliver software in a continuous manner that enables the business to more quickly react to market opportunities and reduce the time to include customer feedback into products that need to be developed.

PPT slide: DevOps (2 slides). Emphasize the benefits of DevOps and how security fits in.
When implemented holistically, DevOps can become a business-driven
software delivery approach that takes a new or enhanced business
capability from an idea or concept, through the production phase and
implementation, while providing business value to customers in an
efficient manner and capturing feedback as customers engage with
the capability. To do this, you need participation from stakeholders
beyond just the development and operations teams. A true DevOps
approach includes lines of business, practitioners, management,
partners, suppliers, and other stakeholders. There are many variants
on the DevOps concept that exist today based on the needs of the
organization implementing this model. Companies such as Google,
IBM, Amazon, and Microsoft all have DevOps implementations that
they use to drive core elements of their business. Regardless of the various implementations, the core common principles that DevOps is usually made up of include the following:
• Develop and test against production-like systems. The goal is to allow development, operations, and quality assurance teams to develop and test against systems that behave just like the actual production system, so that realistic behaviors and performance parameters can be captured before the system is ready to be put into production.
• Deploy with repeatable, reliable processes. We often refer to this as a form of automation, specifically repeatable automation. This principle allows development and operations to support the development process all the way through to production. Automation is essential to create processes that are iterative, frequent, repeatable, and reliable, so the organization must create a delivery system that allows for continuous, automated deployment and testing. Frequent deployments also allow teams to test the deployment processes themselves, thereby lowering the risk of deployment failures at release time.
• Monitor and validate operational quality. This principle moves the concept of monitoring earlier in the lifecycle by requiring that automated testing be done early and often to monitor important and valuable characteristics of the application. Whenever an application is deployed and tested, meaningful metrics should be captured and analyzed. Frequent monitoring provides early warning and ways to address operational and quality issues that may occur in production.
• Amplify feedback loops. This principle calls for organizations to create communication channels that allow all stakeholders to access and act on feedback in a very efficient manner.

PPT slide: DevOps (2 slides) (continued). Emphasize the benefits of DevOps and how security fits in.


Module 2: Secure Coding Guidelines and Standards

PPT slide: Secure Coding Guidelines and Standards. Introduce the participants to the "Secure Coding Guidelines and Standards" module.

Module Objectives

1. Understand secure coding standards and guidelines.
2. Explain the evolution of programming languages and how this relates to security.
3. Explain the benefits of libraries and toolsets.
4. Understand the value of integrated development environments and runtime systems.
5. Understand security weaknesses and vulnerabilities at the source-code level.
6. Explain how to secure application programming interfaces (API) and secure coding practices.

PPT slide: Module Objectives. Introduce the module objectives.


Secure Coding Guidelines and Standards

Coding guidelines and standards can be used by organizations to encourage developers to follow a standard set of rules and guidelines determined by the requirements of the organization. This should prevent traditional problems in development where development of code was driven by the developer's preference or familiarity. This can help in addressing security requirements in software development. Organizations can mandate through policy that software designers and developers apply these coding standards during software development to create systems and applications that address proper security requirements based on the organization's needs.

PPT slide: Secure Coding Guidelines and Standards. Define secure coding guidelines and how they should be used to ensure security in development.

There are a number of secure coding guidelines and standards that have been developed by groups and industries to address this requirement. Such groups and platforms include the CERT division of the SEI and the Open Web Application Security Project (OWASP). As a result, there are coding standards that have been developed for programming languages such as C, C++, Java, Perl, etc.

PPT slide: The Software Environment. Define the software environment.

The Software Environment


Today’s architectures rely heavily on software and applications. The
architecture itself includes hardware resources, including the typical
components such as the central processing unit (CPU), memory,
input/output processing, and storage. The operating system, which is fundamental to any technology architecture, is responsible for controlling not only the hardware resources but also for providing security mechanisms to protect them, as well as providing resource access permissions and safeguards against misuse.
Applications are used by the architecture to allow the interaction
and interface to the users. Applications today provide much more
functionality than ever, also making them very easy to exploit by
attackers through vulnerabilities that may exist in the functionality
provided. Security controls, therefore, need to be designed and
built into the software to allow the users more control over the
functionality, but at the same time, protect against exploits and
vulnerabilities, and ultimately to protect the value of the
information being processed through the application.
There are many vulnerabilities and exploits that can be introduced in the application, such as when a buffer overflow attack takes advantage of improper parameter checking within the application. Another such example might be inadequate data validation that can lead to all kinds of escalation of privileges and other exploits.
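The improper parameter checking just described, as an added example written for this edit (not code from the guide): the first routine copies a caller-supplied string into a fixed-size field without checking its length, while the hardened routine validates both the length and the characters before it writes anything. The 16-byte field and the allowed character set are assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <cctype>

// Assumed fixed-size record field: 15 characters plus the terminating NUL.
static const std::size_t USERNAME_FIELD = 16;

// VULNERABLE: improper parameter checking. strcpy copies until it finds the
// caller's NUL terminator, so any input of 16 or more characters writes past
// the end of 'field'. Kept only for contrast; nothing here calls it.
void store_username_unchecked(const char* input, char* field) {
    std::strcpy(field, input);
}

// Length of 'input' measured without looking further than 'limit' bytes, so
// an unterminated input cannot make the length check itself over-read.
static std::size_t bounded_length(const char* input, std::size_t limit) {
    std::size_t n = 0;
    while (n < limit && input[n] != '\0') ++n;
    return n;
}

// HARDENED: the parameter is checked before a single byte is written.
// 'field' is a reference to an array of exactly USERNAME_FIELD chars, so the
// size is part of the interface and passing a smaller buffer is a compile error.
bool store_username_checked(const char* input, char (&field)[USERNAME_FIELD]) {
    if (input == nullptr) return false;
    const std::size_t len = bounded_length(input, USERNAME_FIELD);
    // Reject empty input and anything that leaves no room for the NUL.
    if (len == 0 || len >= USERNAME_FIELD) return false;
    // Data validation: only the characters this field is allowed to carry.
    for (std::size_t i = 0; i < len; ++i) {
        const unsigned char c = static_cast<unsigned char>(input[i]);
        if (!std::isalnum(c) && c != '_' && c != '.') return false;
    }
    std::memcpy(field, input, len);
    field[len] = '\0';
    return true;
}

// Returns whether the hardened routine accepted 'input'.
bool username_accepted(const char* input) {
    char field[USERNAME_FIELD] = {0};
    return store_username_checked(input, field);
}

// A rejected write must leave the destination exactly as it was.
bool field_untouched_on_reject(const char* input) {
    char field[USERNAME_FIELD] = "previous";
    if (store_username_checked(input, field)) return false;  // not a rejection
    return std::strcmp(field, "previous") == 0;
}

int main() {
    // Constructed sample inputs: a valid name, one exactly at the limit,
    // one far over it, and one carrying characters a username never needs.
    const char* samples[] = {"alice_01", "sixteen_chars_xx",
                             "this_name_is_far_too_long_for_the_field",
                             "bob;rm -rf"};
    for (const char* s : samples)
        std::printf("%-42s -> %s\n", s,
                    username_accepted(s) ? "stored" : "rejected");
    return 0;
}
```

In modern C++ the fixed array would normally be a std::string, which removes the copy hazard but not the need to validate length and content against what the record format allows.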
PPT slide: The Software Environment (continued). Define the software environment.

Today's software environments are also distributed, meaning they are connected to many other environments, architectures, networks, etc. Distributed applications provide a particular challenge in terms of adequate security due to the complexity of the information being passed by components in the distributed architectures.

The architectures that software is part of today are complex and ever changing. The functionality that software provides today is much more complex as well, and so protecting it from a security perspective is also very challenging. Protecting the application itself and the environment that it runs in begins with designing security into the functionality of the application, which is written in some sort of programming language.

PPT slide: Programming Languages. Define programming language.

Programming Languages
During development phases, developers need to write code in some
sort of programming language. There are many programming
languages that have been developed over the years. A programming
language is a set of instructions that tell the computer what operations
to perform. Programming languages have evolved in generations, and each language falls into one of the typical generations described below. Those in the earlier generations are closer in form to the binary language of the computer. Both machine and assembly languages are considered low-level languages.
As programming languages have evolved, they have become easier and
more similar to the language people use to communicate. In other
words, they have become higher level languages. High-level languages
are easier to use by developers than low-level languages and in some
cases, can be used to produce programs more quickly and more
efficiently. In addition, high-level languages are considered to be more beneficial because they enforce coding standards and development methods that can provide a better level of security. On the other
hand, higher-level languages can also work against proper security as
they can automate certain functions and provide complicated
functionality for the application, implemented by the programming
environment or tool, the internal details of which may be poorly
understood by the designers and developers. As a result, it may be
possible that high-level languages may introduce possibilities of security
vulnerabilities in ways that may not be apparent to the designers,
developer, and security professionals.

Programming Language Generations

Programming languages are typically classified into generations. What is important here to understand is that as we have evolved into the higher generation languages, they have allowed us to program greater functionality into the application, which includes greater security functionality as well.

PPT slide: Programming Language Generations. Describe the evolution of programming languages.

• Generation 1: The first generation is referred to as machine language, opcodes (operation codes), and object code used by the computer itself. These are very simple instructions that can be executed directly by the CPU and coded in binary, or object code.
• Generation 2: Assembly language. As hexadecimal or binary code is difficult for people to understand, programming evolved into a second generation, assembly language. Assembly language uses symbols as abbreviations for major instructions.
• Generation 3: The third generation, usually known as high-level language, uses meaningful words (generally English) as part of the commands that make up the instructions. COBOL, FORTRAN, BASIC, Java, and C are examples of this type.
• Generation 4: The fourth generation languages are sometimes known as very high-level languages and may include report generators and application generators.
• Generation 5: Fifth generation languages, or natural language interfaces, require expert systems and artificial intelligence. The intent is to eliminate the need for programmers to learn a specific vocabulary, grammar, or syntax. The text of a natural language statement used by natural language programming very closely resembles human speech but requires format and structure.

PPT slide: The Programming Procedure. Describe differences between assemblers, compilers and interpreters.

The Programming Procedure

In the early days of programming, developers created object (machine or binary) programs directly by coding machine language commands. There are still some developers today who have retained this skill. It is possible to enter data directly from the keyboard of a common desktop computer, using only printable characters, and create a usable program. However, this activity now seems limited to a few skilled developers and has little relation to modern, commercial software development, as the functionality of these programs would be limited. The operating instructions, or code instructions for the computer, and any necessary arguments or data were presented to the machine in the form that was needed to get it to process properly. Assembly language was created to allow this process to become easier; although there is a fairly direct correspondence between the assembly mnemonics and specific operational codes, at least the assembly files are formatted in a way that is relatively easy for humans to read, rather than being strings of hexadecimal or binary numbers.

PPT slide: The Programming Procedure (continued). Describe differences between assemblers, compilers and interpreters.

In summary, assembly language introduced certain mnemonics so that instructions could be easier to read by the human element. These included mnemonics such as MOV (move), CMP (compare), DEC (decrement), and ADD, all basic functions in programming. As a summary, assembly language made it easier to equate binary instructions to readable mnemonics.

With the advent of the third generation, or what most people refer to as high-level languages, programming languages evolved into two types, high-level languages and compiled languages.
• High-level languages are those where the source code is somewhat more comprehensible to people. Those who work with C may dispute this assertion, of course: these languages, in the hands of skilled programmers, can produce highly functional programs from very little source code but at the expense of legibility. COBOL is a perfect example.
• Compiled languages involve a two-step process before a program is ready to be executed. The application must first be programmed in the source code, which is the text or human-readable code, and then the source code has to be compiled into object code that the computer can understand, the strings of opcodes or machine language. This may be a simplified description of the "compiled" process, as it may also require more involved processes such as linkers and other utilities. The point, however, is that the source code for languages like FORTRAN and Modula cannot be run directly; they must be compiled first.
Interpreted languages may shorten the process. Once the source code for the application has been developed, it can be run with the help of the interpreter. The interpreter, therefore, translates the source code into machine language on the fly, rendering it into a form that the computer can understand and use. The drawback to interpreted architectures is that there may be a cost in performance and speed, as the interpretation needs to be done each time the application runs. Compiled programs, on the other hand, are native, or natural, for the CPU to use directly because they can run directly from the object code, and so run considerably faster. In addition, some compilers can perform optimization on the application, choosing the best set of functions for a given situation.

On the other hand, an advantage of interpreted languages may be that because the language is translated on the machine where the program is run, an application can be run on a variety of different computers, as long as an interpreter for that language is available. Scripting languages are examples of this.

PPT slide: The Programming Procedure (continued). Describe differences between assemblers, compilers and interpreters.

Object-Oriented Technology and Programming

PPT slide: Object-Oriented Technology and Programming. Define object oriented technologies and programming.

As its name implies, object-oriented programming (OOP) is a fundamental change in how we have viewed programming. The concept here is that this methodology is centered on 'objects' as opposed to 'actions'. In traditional programming, we are interested in performing actions and procedures against input, processing, and output. In this model, the view is different: we take the approach that we are interested in the objects we want to manipulate rather than the logic required to manipulate them. An object can be anything, or rather any entity, which has state.

The first step in OOP is to identify objects that a developer wants to manipulate. This process is called "data modeling." The object is a block of preassembled programming code in a self-contained module, although it operates differently and more independently than a function or procedure in a procedural language. The module encapsulates both data and the processing instructions that may be called to process the data. Once a block of programming code, or an object, is written, it can be reused in any number of programs that require it.

Examples of object-oriented languages are Java, Python, C++, Ruby, Curl, Smalltalk, Delphi, and Eiffel. A recent trend has been for a number of newer object-oriented languages to be built on top of other, previous object-oriented languages, and therefore they may extend their capabilities in specialized ways.

Most object-oriented languages have the following key characteristics:
• Encapsulation: Encapsulation is also referred to as data hiding. A class defines only the data it needs to be concerned with. When an instance of that class, which is referred to as an object, is run, the code will not be able to accidentally access other data, which is a great security capability and, as we've mentioned, is referred to as data hiding or encapsulation.
• Inheritance: The concept of a data class makes it possible to define subclasses of data objects that share some or all of the main (or super) class characteristics. If security is properly implemented in the high-level class, then subclasses should inherit that security. The same is true of objects derived not from a class but from another object. The key is to properly implement security in the high-level class objects so that the subclasses can inherit it properly. It is very important to create objects that have good security characteristics because these can be inherited by further objects.
• Polymorphism: Objects of differing data types can be processed differently, depending on that data type. Instantiating an object from a prior object ensures that the new object inherits attributes and methods from the original. The changing characteristics of an object created in such a way may change the operation of the modified object. From a security perspective, this may have negative implications that must be carefully assessed, because secure methods may be lost through polymorphism and changing characteristics.

PPT slide: Object-Oriented Technology and Programming (continued). Define object oriented technologies and programming.

PPT slide: Polyinstantiation. Define polyinstantiation and relate to an example.
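The loss of a secure method through polymorphism that the last bullet warns about, as an added example that is not from the guide: a subclass override that silently drops the parent's clearance check, beside a design in which the check sits in a non-overridable method so that inheritance cannot remove it. The User type, record contents and names are assumptions made for the example.

```cpp
#include <string>
#include <utility>

// Assumed minimal subject: a user and whether they hold clearance for the record.
struct User {
    std::string name;
    bool cleared;
};

// Encapsulation: 'secret_' is private, so other objects reach it only through
// the methods this class chooses to expose.
class SecureRecord {
public:
    explicit SecureRecord(std::string s) : secret_(std::move(s)) {}
    virtual ~SecureRecord() = default;

    // The clearance check and the read live in ONE virtual method. Any
    // subclass that overrides read() replaces the check along with it.
    virtual std::string read(const User& u) const {
        if (!u.cleared) return "";   // the secure method: deny
        return secret_;
    }
protected:
    const std::string& raw() const { return secret_; }   // for subclasses
private:
    std::string secret_;
};

// Inheritance plus polymorphism gone wrong: the subclass overrides read() to
// add audit counting but never repeats the clearance check. A caller holding
// a SecureRecord& now dispatches to a method that denies nobody.
class AuditedRecord : public SecureRecord {
public:
    using SecureRecord::SecureRecord;
    mutable int reads = 0;

    std::string read(const User& u) const override {
        ++reads;                     // the added behaviour
        (void)u;                     // the inherited check was lost here
        return raw();
    }
};

// Hardened design (template method): the public entry point is NOT virtual,
// so it cannot be overridden; it performs the check and then calls a
// protected hook. Subclasses customise what a permitted read does, nothing else.
class GuardedRecord {
public:
    explicit GuardedRecord(std::string s) : secret_(std::move(s)) {}
    virtual ~GuardedRecord() = default;

    std::string read(const User& u) const {
        if (!u.cleared) return "";   // the check always runs
        return onRead(secret_);
    }
protected:
    virtual std::string onRead(const std::string& s) const { return s; }
private:
    std::string secret_;
};

class AuditedGuardedRecord : public GuardedRecord {
public:
    using GuardedRecord::GuardedRecord;
    mutable int reads = 0;
protected:
    std::string onRead(const std::string& s) const override {
        ++reads;
        return s;
    }
};

// Scenario functions over constructed data. Each returns what an uncleared
// (or cleared) user actually receives through a base-class reference.
std::string leaked_via_override() {
    const AuditedRecord rec("launch-code");
    const SecureRecord& base = rec;      // polymorphic call site
    return base.read(User{"mallory", false});
}

std::string denied_by_template_method() {
    const AuditedGuardedRecord rec("launch-code");
    const GuardedRecord& base = rec;
    return base.read(User{"mallory", false});
}

std::string allowed_when_cleared() {
    const AuditedGuardedRecord rec("launch-code");
    return rec.read(User{"alice", true});
}
```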

Polyinstantiation

One of the key features in object-oriented technology that is useful for security is polyinstantiation. Polyinstantiation may prevent inference possibilities by creating a new version of an object by replacing variables with other values. Essentially, it allows different versions of the same information to exist at different classification levels. Therefore, users at a lower classification level don't know of the existence of a higher classification level. Inference is defined as the ability of authorized or unauthorized users to deduce (infer) more sensitive information from observing authorized information.

Specific objects, instantiated from a higher class, may vary their behavior depending upon the data they contain. Therefore, it may be difficult to verify that inherited security properties are valid for all objects. However, this is also why polyinstantiation can be used to prevent inference attacks against databases, because it allows different versions of the same information to exist at different classification levels.
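The polyinstantiation just described, as an added example (not code from the guide): a table that keeps one instance of the same key per classification level, beside a conventional single-instance write whose refusal would itself reveal that a higher-level row exists. The two-level lattice, the key name and the cargo values are constructed for the example.

```cpp
#include <map>
#include <string>
#include <utility>

// Assumed two-level classification lattice; real systems may have more levels.
enum class Level { Low = 0, High = 1 };

// A polyinstantiated table: one key may hold a separate tuple per level.
class PolyTable {
public:
    // Write at the caller's level only. A Low write never touches, overwrites
    // or collides with a High instance of the same key.
    void write(const std::string& key, Level level, const std::string& value) {
        rows_[std::make_pair(key, static_cast<int>(level))] = value;
    }

    // Read with the caller's clearance: the most sensitive instance at or
    // below that clearance, or "" if none. A Low reader gets the same answer
    // whether or not a High instance exists, so nothing can be inferred.
    std::string read(const std::string& key, Level clearance) const {
        for (int lvl = static_cast<int>(clearance); lvl >= 0; --lvl) {
            auto it = rows_.find(std::make_pair(key, lvl));
            if (it != rows_.end()) return it->second;
        }
        return "";
    }

    // Contrast: a conventional single-instance row. A Low write over an
    // existing High row has to be refused, and the refusal itself tells the
    // Low user a High row exists (the inference channel polyinstantiation closes).
    bool write_single_instance(const std::string& key, Level level,
                               const std::string& value) {
        auto it = single_.find(key);
        if (it != single_.end() && it->second.first > level) return false;
        single_[key] = std::make_pair(level, value);
        return true;
    }

private:
    std::map<std::pair<std::string, int>, std::string> rows_;
    std::map<std::string, std::pair<Level, std::string>> single_;
};

// Constructed scenario: the manifest of one ship, recorded at two levels.
static const char* KEY = "manifest:ship-42";

static PolyTable build_table() {
    PolyTable t;
    t.write(KEY, Level::High, "weapons");   // the real cargo
    t.write(KEY, Level::Low,  "food");      // the cover story
    return t;
}

// What a user with the given clearance sees for the same key.
std::string read_as(Level clearance) {
    return build_table().read(KEY, clearance);
}

// A Low user updates the cover story; the High instance must survive.
std::string high_view_after_low_update() {
    PolyTable t = build_table();
    t.write(KEY, Level::Low, "grain");
    return t.read(KEY, Level::High);
}

std::string low_view_after_low_update() {
    PolyTable t = build_table();
    t.write(KEY, Level::Low, "grain");
    return t.read(KEY, Level::Low);
}

// Without polyinstantiation the same Low update is refused, which leaks.
bool single_instance_rejects_low_write() {
    PolyTable t;
    t.write_single_instance(KEY, Level::High, "weapons");
    return !t.write_single_instance(KEY, Level::Low, "food");
}
```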
Within an OOP environment, any things created are referred to as objects. A data type in a programming language is a set of data with values having predefined characteristics. Those characteristics can be a number value, a character, a string, or anything else. In most programming languages, a limited number of such data types are built into the language. The programming language usually specifies the possible range of values for a given data type and also how those values can be processed by the computer. The programming language may also specify how those data types can be stored. In OOP, all defined ranges and data values are also referred to as objects.

PPT slide: Polyinstantiation (continued). Define polyinstantiation and relate to an example.

The first step in OOP is to identify all the objects you want to manipulate and how they relate to each other. This is the process known as data modeling. Once the object has been identified, it is classified as a class of objects and then also defined by the kind of data it may contain. Then they are assigned logic sequences that can manipulate the object. Each distinct logic sequence is referred to as a method. A real instance of a class is called an object, or an instance of a class, and this is what is run in the computer. The object's methods provide computer instructions, and the class object characteristics provide relevant data. Communication between objects is done through what is referred to, very appropriately, as messages.

PPT slide: Distributed Object-Oriented Systems. Define object-oriented systems.

When building traditional programs, the programmers must write every line of code from the beginning. With OOP, programmers can use and reuse the blocks of code that are called objects. Consequently, an object can be used over and over again in various programs and by several developers. The advantage here is that this reduces programming time and therefore overall project costs. The real benefit from a security perspective is that well-defined security objects can also be reused repeatedly.

Object-Oriented Security
As we have described above, in object-oriented systems, objects are
encapsulated. Encapsulation protects the object by denying direct access to view or interact with what is located inside the object; this is referred to as data hiding. It is not possible to see what is contained in
the object because it is encapsulated. Encapsulation can be used to
protect the object, since it does not allow any other object to see data
from outside. This makes sense from a security perspective because
no object should be able to access or see another object’s data.

Distributed Object-Oriented Systems

The trend in computing over the last number of decades has been to move toward a new age of distributed computing. Distributed computing allows the sharing of resources. The same concept of distributed environments can be applied in software development. Distributed development architectures allow applications to be divided into logical objects that are called components, and each component can exist in different locations. The components can then communicate with each other, and programs can call the components as required. This development architecture allows applications to download code from remote machines onto a user's local host in a manner that is seamless to the user. Applications today can be built using this distributed architecture constructed with software systems that are based on distributed objects. Examples may include Common Object Request Broker Architecture (CORBA), Java Remote Method Invocation (JRMI), Enterprise JavaBean (EJB), and Distributed Component Object Model (DCOM).

PPT slide: Distributed Object-Oriented Systems (continued). Define object-oriented systems.

A distributed object-oriented system allows parts of the system to be located on separate computers within a network. The object system itself is a compilation of reusable self-contained objects of code designed to perform specific business functions.

Objects can communicate with each other, even though they may reside on different machines across the network. To standardize this process, the Object Management Group (OMG) created a standard for finding objects, initiating objects, and sending requests to the objects. The standard is called the Object Request Broker (ORB), which is part of the Common Object Request Broker Architecture (CORBA) mentioned above.

PPT slide: Common Object Request Broker Architecture (CORBA) (2 slides). Explain CORBA.

Common Object Request Broker Architecture (CORBA)

Common Object Request Broker Architecture (CORBA) is a set of standards that addresses the need for interoperability between hardware and software products residing on different machines across a network. CORBA allows applications to communicate with one another regardless of where they may be stored. The ORB is the component that sits in the middle that establishes relationships between client and server objects. Using the ORB, a client can locate and use an object on a server object either on the same machine or across a network. The ORB operates regardless of the processor type or programming language; therefore, it is independent of technology. From a security perspective, not only does the ORB handle all the requests on the system, but it can also enforce security policies and rules. The policies and rules would describe what the users and systems are allowed to perform and also what user and system actions they are not allowed to do.

The CORBA security service supports four specific types of policies:
1. Access control
2. Data protection
3. Nonrepudiation
4. Auditing

PPT slide: Common Object Request Broker Architecture (CORBA) (2 slides) (continued). Explain CORBA.

The client application can send requests through what are called messages to the target object, and because the message is sent through the ORB security system, rules and policies can be enforced.

CORBA Implementations

As a best practice from the perspective of security, CORBA implementations need to consider the following as examples:
• The specific CORBA security features that are supported
• The implementation of CORBA security building blocks, such as cryptography blocks or support for Kerberos systems
• The ease with which system administrators can use the CORBA interfaces to set up the organization’s security policies
• Types of access control mechanisms that are supported
• Types, granularity, and tools for capturing and reviewing audit logs
• Any technical evaluations, such as those related to the Common Criteria

There are other methods for securing distributed application environments. These include JRMI and EJB. EJB is a Sun Microsystems model providing similar environments to CORBA by using API specifications for building distributed and component-based applications. EJB uses Java’s RMI implementations for communications in a similar architecture. The EJB server can provide a set of services for transactions, security, and resource sharing. All of these architectures can support the enforcement of policies and rules that can be applied between interactions of components or objects.

Libraries and Toolsets

As the word implies, a library is a repository of something useful. A software library, therefore, can contain a repository of pre-written code, classes, procedures, scripts, and other programming elements. A developer might manually add a software library to a program to achieve more functionality or to automate a process without writing the code for it from scratch. This allows the developer to “create” the functionality they want to use, or call, within the application but to do so without having to write all of the code necessary to provide the functionality, as it is contained within the code library. This implies that benefits can be realized simply by reusing components stored within the library.

For example, when developing a mathematical program or application, a developer may add a mathematics software library to the program to eliminate the need for writing complex functions. All of the available functions within a software library can be called as required and used within the program calling it without defining them explicitly.

Module 2: Secure Coding Guidelines and Standards 651

Official (ISC)2 CISSP Training Guide

Library Benefits
The benefits of libraries are many. Software libraries can contain well-
coded objects that are implemented properly, well-secured, and kept
up to date with security patches and an iterative feedback mechanism
to address bugs and faults as they are identified. Software libraries can
also have the following advantages:
• Increased dependability: Reused software that has been developed and tested as such can be more dependable than new software. This is because the software can be tested to reveal any design and implementation faults and therefore, these can be fixed and then reused over and over again.
• Reduced process risk: If software exists, organizations know exactly the cost of creating that software. This is an important factor for project management as it reduces the margin of error in estimating project costs. This is particularly true in large-scale development projects.
• Effective use of specialists: Instead of developers doing the same work on different projects, specialists can develop reusable software on different projects. These specialists can develop reusable software that encapsulates their knowledge. This can include security specialists.
• Standards compliance: Some standards, such as user interface standards, can be implemented as a set of standard reusable components. For example, if menus in a user interface are implemented using reusable components, all applications present the same menu formats to users. The use of standard user interfaces improves dependability as users are less likely to make mistakes when presented with a familiar interface.
• Accelerated development: In many cases, bringing a system to market as early as possible is often more important than overall development costs. Reusing well-developed software can speed up system production because both development and validation time should be reduced.

Standard Libraries

A standard library is a library made available across implementations of a programming language. Standard libraries typically include definitions for commonly used algorithms, data structures, and mechanisms that can be reused. Typically, a standard library may include these:
• Subroutines
• Macro definitions
• Global variables
• Class definitions
• Templates

In addition, most standard libraries include definitions for at least the following commonly used facilities:
• Algorithms (such as sorting algorithms)
• Data structures (such as lists, trees, and hash tables)
• Interaction with the host platform, including input/output and operating system calls

Common Programming Language Libraries


As there are many popular programming languages, it makes sense
that there would be many Common Programming Language
Libraries for the most popular languages. These include, but are
not limited to the following:
• C and C++ standard libraries: applies to C and C++ programming languages
• Framework Class Library (FCL): applies to the .NET Framework
• Java Class Library (JCL): applies to Java programming language/Java Platform
• Ruby standard library: Ruby programming language


Programming Tools/Toolsets

A programming tool or software development tool is a program or application that software developers use to create, debug, maintain, and support development efforts and applications. Typical programming tools include the following:
• Binary compatibility analysis tools
• Bug databases
• Build tools
• Code coverage
• Compilation and linking tools
• Debuggers
• Documentation generators
• Library interface generators
• Integration tools
• Memory debuggers
• Revision control tools
• Scripting languages
• Search tools
• Source code editors
• Source code generation tools
• Static code analysis tools
• Unit testing tools

The focus of the security professional needs to be on awareness of the existence and availability of these toolsets and how they may pertain to the security of the systems that the security professional is being asked to manage and maintain. Reliance on experts in this area, as needed, to help better understand the impact of using one or more of these items in a production system is very important for the overall security to be addressed properly in the system.

Integrated Development Environments (IDEs)

Integrated development environments (IDEs) combine the features of many tools and capabilities into one environment for use by the developer and other stakeholders. Integrated development environments are designed to maximize developer productivity by providing re-usable components with similar user interfaces. Integrated development environments also present a single architecture in which all development may be done. The environment typically consists of a source code editor, build automation tools, and debuggers. They may also have a class browser, an object browser, and a class hierarchy diagram for use in object-oriented software development. Sometimes, version control is also included as part of the environment to help organizations manage the development of a graphical user interface (GUI).

An IDE for OOP usually features a class browser, tools to produce class hierarchy diagrams, and an object inspector. By using such a comprehensive toolset, developers can realize many benefits, including more efficient access and use of system resources. From a security perspective, more efficient use of security controls can also be a benefit.

Runtime
A runtime system is the collection of all the hardware and software
components that allows an application to actually run on a
computer system. In other words, a runtime system is all of the
mechanisms, regardless of either hardware or software, that allow
the application to run on a computer system, regardless of the
programming language used to program the application.
Because every program needs components to actually run, every
programming language has some form of a runtime system,
whether the language is a compiled language, interpreted
language, or is invoked via an API. Services that can be provided
by the runtime system include type checking, debugging, or code
generation and optimization. As an example, the Java Runtime
Environment (JRE) is what you get when you download Java
software. The JRE consists of the Java virtual machine (JVM), Java
platform core classes, and supporting Java platform libraries that
ultimately allow that Java program to run on your system. In other
words, the JRE is the runtime portion of Java software, which is all
you need to run it in your web browser.
The runtime system can also be the gateway by which a running
program interacts with the runtime environment itself, which
contains state values accessible during program execution that
are needed by the environment. Again, as we are focusing on
security, the runtime environment needs to include the
components required for security to be handled properly.


Security Weaknesses at Source Code Level and Secure Coding Practices

Since applications represent the largest attack vector, there are a number of weaknesses and threats that are important to be aware of and address. These include, but are not limited to, the items described below. Secure coding practices in development environments need to be addressed to limit the exposure to the same list. Proper awareness, education, training, and security skills need to become part of the culture of the development environment to address security properly. The security professional needs to be heavily involved in addressing and minimizing the risks associated with the following topics.

Social Engineering

A very simple definition of social engineering is where an attacker uses deception and intimidation to get someone to provide information they shouldn’t. This can be a vulnerability and something that needs to be addressed in software development and management environments. Proper awareness, education, and training need to be provided to the development environment to mitigate this threat. The security professional needs to support these initiatives.

In addition, there are several weaknesses and threats listed below that may need to be addressed as well in software development environments and also in environments where applications exist. These may include, but are not limited to, the following.

Activity: Security Weaknesses and Vulnerabilities at the Source Code Level and Secure Coding Practices

Review the following and be able to explain it to someone else in the class. Understand how security needs to be part of the process to ensure the following risks are mitigated through proper secure coding practices.

Buffer Overflow
Buffer overflows can be created or exploited in a wide variety of ways and
over the years, we have seen many examples. Generally, the following
description is an example of how a buffer overflow works.
A program that is the target of an attack is provided with more data
than the application’s buffer was intended to handle. Applications need
to use buffers to store information while that data is being processed.
When the application is designed, the buffer size has to be determined.

A buffer overflow condition exists when that buffer is somehow subjected to more data than it was designed to handle. This can be done by many clever means such as entering too much text into a dialog box, submitting a web address that is far too long, or creating a network packet much larger than is necessary.

As you can see, there are many ways to subject a system to more information than it can handle. As a result, the target application overflows the memory allocated for the buffer and, because of that, the application has no choice but to write the excess data into the system memory that may be allocated for instruction processing. If the attack has been done cleverly, the excess data can contain machine language instructions so that when the next step is executed, the attack code is run, thereby allowing the attacker to complete the attack.

The above is a simplification of what a buffer overflow attack may look like, but in reality, they may be far more detailed, and the attack itself may be highly dependent on the architecture that the application is run in, in other words, its runtime environment. The desired result of any buffer overflow attack is to put the attack instructions into memory and have them be executed. These instructions typically allow attackers to elevate their privilege levels or conduct other malicious activities.

Citizen Programmers
As we have explained above, today, technology environments are equipped with scripting and programming tools as part of their functional environments. The ability to provide more functionality in application environments is so that these functions can be performed by the users themselves, instead of having them be programmed into the application by developers. These tools may allow all computer users to create their own utilities and reusable elements. This can be negative from a security perspective, as users now have access to very powerful capabilities that may be misused because they are not focused on security or do not have security training. They may not be aware of the increased risk that results from their increased functionality. If this type of unsupervised functionality is allowed, then a single user may have complete control over an application or process. This may violate separation of duties requirements.

Putting powerful tools and capabilities at the user level requires mitigation of the increased risks that this may pose.


Covert Channel

A covert channel may be defined as a communication channel that allows processes to transfer information in such a way as to violate some security policy or requirement. This is an information flow issue. Even though there are protection mechanisms in place, if unauthorized information can be transferred using a signaling mechanism or a storage mechanism, by some means that is not normally considered able to communicate, then a covert channel may exist. In simplified terms, it is any flow of information, unintentional or inadvertent, that enables an unauthorized observer to have access to sensitive information. This may allow the observer to infer more sensitive information than is allowed.

There are two defined types of covert channels, storage and timing.

A storage covert channel involves the direct or indirect reading of storage locations by one process and a direct or indirect reading of the same storage location by another process. Typically, a covert storage channel involves memory locations or sectors on a disk that may be shared by two subjects at different security levels. This could include hard drive space, cache, or other typically used memory types in computer architectures.

A timing covert channel depends upon being able to influence the rate or timing at which some other process is able to acquire a resource, such as the CPU, memory, or I/O devices. The variation in rate may be used to pass signals that may be used to infer more sensitive information. Essentially, the process signals information to another process by modulating its own use of system resources in such a way that this manipulation affects the real response time observed by the second process and therefore may signal sensitive information. Timing channels may be very difficult to detect as a result.

Malformed Input Attacks


A number of attacks that use input from the user and somehow inject
or modify such input currently exist and are known. The known ones
may be able to be detected by various detection systems and can
be possibly protected against. However, new attacks relying on
configuring user input in unusual ways may not be detected. For
example, an attack that redirected a web browser to an alternate site
might be caught by a firewall through the detection of the uniform
resource locator (URL) of an inappropriate website. If, however, the
URL was expressed in a Unicode format rather than ASCII, the firewall
would likely fail to recognize the content, whereas the web browser
would convert the information without difficulty.

Here is another example. Many websites allow query access to databases but place filters on the requests to control access as part of access control. When requests using the Structured Query Language (SQL) are allowed, the use of certain syntactical structures in the query can fool the filters into seeing the query as a comment instead of an instruction, and as a result, the resulting query may be submitted to the database engine and retrieve more information than was intended. In another instance, a site that allows users to input information for later retrieval by other users, such as a blog, may fail to detect when such input comes in the form of active scripting. This is the basis of a very well-known type of attack known as cross-site scripting. As we’ve seen above, technically, buffer overflows are also a form of malformed input.
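The filter-bypass-by-encoding problem described above, as an added example in C that is not from the guide. It uses percent-encoding as a stand-in for the alternate-representation idea (the page's own example is Unicode versus ASCII), and BLOCKED_HOSTS, the host name evil.example and the function names are constructed for illustration. A filter that matches the raw bytes misses the encoded form; one that canonicalizes first and fails closed on undecodable input does not.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed deny-list standing in for the firewall's URL filter. */
static const char *BLOCKED_HOSTS[] = { "evil.example", NULL };

/* Decode %XX escapes from 'in' into 'out'. Returns false when the input is
 * malformed (truncated escape, non-hex digit) or will not fit, so that a
 * caller can treat undecodable input as suspicious instead of guessing. */
bool percent_decode(const char *in, char *out, size_t out_size)
{
    if (in == NULL || out == NULL || out_size == 0)
        return false;
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        char c = in[i];
        if (c == '%') {
            /* in[i+1] may be the NUL; isxdigit(0) is false, so this stops
             * the scan before reading past the end of the string. */
            if (!isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return false;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (char)strtol(hex, NULL, 16);
            i += 2;
        }
        if (o + 1 >= out_size)      /* keep room for the terminator */
            return false;
        out[o++] = c;
    }
    out[o] = '\0';
    return true;
}

/* Case-insensitive check of a URL against the deny-list. Oversized input
 * is treated as a match (fail closed). */
bool matches_blocklist(const char *url)
{
    char lower[512];
    size_t n = strlen(url);
    if (n >= sizeof lower)
        return true;
    for (size_t i = 0; i <= n; i++)
        lower[i] = (char)tolower((unsigned char)url[i]);
    for (const char **h = BLOCKED_HOSTS; *h != NULL; h++)
        if (strstr(lower, *h) != NULL)
            return true;
    return false;
}

/* The filter as described in the text: it looks at the bytes on the wire,
 * so "%65vil.example" does not contain "evil.example" as far as it can see. */
bool naive_filter_blocks(const char *url)
{
    return matches_blocklist(url);
}

/* Hardened filter: bring the input to the same form the browser will act
 * on, then apply the rule. Anything that cannot be decoded is blocked. */
bool canonical_filter_blocks(const char *url)
{
    char decoded[512];
    if (!percent_decode(url, decoded, sizeof decoded))
        return true;
    return matches_blocklist(decoded);
}

int main(void)
{
    /* Constructed URLs: the plain form and an equivalent encoded form. */
    const char *plain   = "http://evil.example/";
    const char *encoded = "http://%65vil.example/";
    printf("naive     plain=%d encoded=%d\n", naive_filter_blocks(plain), naive_filter_blocks(encoded));
    printf("canonical plain=%d encoded=%d\n", canonical_filter_blocks(plain), canonical_filter_blocks(encoded));
    return 0;
}
```

The design rule the example illustrates is that a filter must see the data in the form the consumer will interpret it; decoding once, then deciding, and refusing input the decoder cannot make sense of, removes the gap the text describes between what the firewall sees and what the browser converts.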
Memory Reuse (Object Reuse)

All architectures use memory to process information and data.
Memory management involves sections of memory allocated to
one process for a while, then de-allocated, then reallocated to
other processes. This can include random access memory (RAM),
cache, or simply hard drive space.
The problem from a security perspective is that because
residual information may remain when a section of memory is
reassigned to a new process after a previous process is finished
with it, that information remaining on that object may be very
sensitive. The architecture should ensure that memory is zeroed
out completely or overwritten completely before it should be
allocated to a new process. As a result, there should be no
sensitive information that remains residually in memory carrying
over from one process to another. While memory locations are
of primary concern in this regard, developers should also be
careful with the reuse of other resources that can contain
sensitive information such as buffers, disk space, and other
shared resources.
Another example of storage that may be very vulnerable to this type of problem is the paging or swap file on the disk. It is frequently left unprotected and may contain an enormous amount of sensitive information. Note that this is a perfect example of a storage covert channel, as discussed earlier.
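The object-reuse residue described above, as an added example in C that is not from the guide. secure_zero, residue_bytes, reuse_slot and the sample secret are constructed names and data; the example simulates one pool slot handed from one task to the next, with and without clearing it at release, and also shows why the clearing has to be written so the compiler cannot discard it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Clear a region in a way the compiler cannot remove as a dead store.
 * A plain memset() immediately before free() or reassignment is often
 * optimised away because the bytes are never read again through that
 * pointer; writing through a volatile pointer forces each store. (C11's
 * optional memset_s exists for this purpose but is not available on every
 * toolchain, so the loop is used here.) */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Count non-zero bytes in a region: 0 means nothing is left behind. */
size_t residue_bytes(const unsigned char *p, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            count++;
    return count;
}

/* Simulates one pool slot handed from task A to task B, as described in
 * the text. Task A stores a constructed secret; the slot is then
 * reassigned to task B without B writing to it first. With 'sanitize'
 * false, B sees A's data; with it true, the slot is cleared at release.
 * Returns how many non-zero bytes B can observe. */
size_t reuse_slot(bool sanitize)
{
    enum { SLOT = 32 };
    unsigned char *slot = malloc(SLOT);
    if (slot == NULL)
        return (size_t)-1;

    const char secret[] = "constructed-secret-token";  /* sample data, 24 chars */
    memcpy(slot, secret, sizeof secret);               /* task A in use */

    if (sanitize)
        secure_zero(slot, SLOT);                       /* release step */

    size_t observed = residue_bytes(slot, SLOT);       /* task B's view */

    secure_zero(slot, SLOT);                           /* tidy up before free */
    free(slot);
    return observed;
}

int main(void)
{
    printf("without clearing: %zu residual bytes\n", reuse_slot(false));
    printf("with clearing:    %zu residual bytes\n", reuse_slot(true));
    return 0;
}
```

The same discipline applies to the other shared resources the text names (buffers, disk space, swap): the owner clears the object when it is released, rather than trusting the next owner to overwrite it before reading.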

Executable Content/Mobile Code


Executable content, or mobile code, is software that is transmitted across a network from a remote source to a local system and is then executed on that local system. The code is transferred by user actions and, in some cases, without the explicit action or consent of that user. The code can arrive at the local system as an attachment to email messages or through web pages. This can be particularly dangerous because the software that is transmitted as a result may be malicious in intent.

Mobile code might be called by many names such as mobile agents, mobile code, downloadable code, executable content, active capsules, remote code, dynamic email, and so on.

Even though the terms are very similar, there are slight differences in each of them. For example, mobile agents are programs that can migrate from host to host in a network at times and to places of their own choosing. They have a high degree of autonomy rather than being directly controlled from a central point and therefore are very difficult to protect against if malicious. Mobile agents differ from applets, which are programs downloaded as the result of a user action, then executed from beginning to end on the user’s machine. Examples may include ActiveX controls, Java applets, and scripts run within the browser of the user. All of these deal with the local execution of remotely sourced code.

Time of Check vs. Time of Use (TOCTOU)


Time of Check vs. Time of Use (TOCTOU) is seemingly a very
common type of attack that occurs when control information changes
between the time the system security functions check the contents of
variables and the time the variables actually are used during operations.
Control information is information that is used to make security
decisions. This might be a very good example. A user logs onto a
system in the morning and later is dismissed. As a result of the
termination, the security administrator removes the user from the user
database and disables the account. However, because the user did not
log off, the account still has access to the system and, as far as the
system is concerned, still has privileges.
Here is another example. A connection between two machines may
drop. If an attacker manages to attach to one of the ports used for this
link before the failure is detected, the invader can hijack the session by
pretending to be one of the trusted hosts. A good way to deal with this
would be to force periodic reauthentication on a regular basis.
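A classic source-code instance of the check/use gap described above, added here as a C example that is not from the guide: a file is checked by name and then opened by name, versus opening first and checking the descriptor actually held. The function names and the /tmp template are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable check-then-use: a decision is made about the *name*, and
 * the name is then resolved a second time by open(). Whatever the name
 * refers to can change between the two calls, so the check proves
 * nothing about what is eventually opened. Kept for contrast only. */
int open_if_regular_toctou(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))   /* time of check */
        return -1;
    return open(path, O_RDONLY);                         /* time of use */
}

/* Hardened form: acquire the handle first, then check the object the
 * handle refers to. fstat() works on the descriptor, so no later change
 * to the path affects the result, and the same object that was checked is
 * the one that is used. O_NOFOLLOW refuses a symbolic link at the final
 * path component. Returns an open descriptor or -1. */
int open_if_regular(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demonstration helper: create a temporary regular file (constructed
 * for this example), open it the safe way, and report success (1) or
 * failure (0). The file is removed afterwards. */
int demo_open_regular_file(void)
{
    char tmpl[] = "/tmp/toctou-demo-XXXXXX";
    int tfd = mkstemp(tmpl);
    if (tfd < 0)
        return 0;
    close(tfd);
    int fd = open_if_regular(tmpl);
    int ok = (fd >= 0);
    if (fd >= 0)
        close(fd);
    unlink(tmpl);
    return ok;
}

/* A directory is openable but is not a regular file, so the post-open
 * check must reject it. Returns 1 when it is rejected. */
int demo_reject_directory(void)
{
    return open_if_regular("/tmp") == -1;
}

int main(void)
{
    printf("regular file accepted: %d\n", demo_open_regular_file());
    printf("directory rejected:    %d\n", demo_reject_directory());
    return 0;
}
```

The general rule matches the text's login example: the control information has to be checked against the thing actually being used (here the open descriptor, there the live session), and rechecked periodically, not checked once against a name or account record that can change underneath it.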

Between-the-Lines Attack

A similar attack to the above is called a between-the-lines entry. This occurs when the telecommunication lines used by an authorized user are tapped into and data falsely inserted or injected. To avoid this, the telecommunication lines should be physically secured so that they cannot be accessed by unauthorized individuals, and users should not leave telecommunication lines open when they have finished with them and those lines are no longer being used.

Trapdoor/Backdoor

A trapdoor or backdoor is a hidden mechanism that bypasses access control measures. It is an entry point into an architecture or system that is inserted in software, typically by developers, during the program’s development to provide a method of gaining access into the program for modification and support reasons. This may be useful if the access control mechanism fails or malfunctions and the developer needs access quickly. In many cases, this type of activity may also be called a maintenance hook.

The problem with trapdoors and backdoors is when they still exist once the application or system has been placed in production. Security needs to take great care in making sure trapdoors, backdoors, and maintenance hooks don’t exist in production.

Source Code Analysis Tools
Source code analysis tools are designed to analyze source
code and, in some cases, also compiled or machine language
code. The idea is to look for security flaws and weaknesses.
Ideally, such tools would help in automatically finding security
flaws with a high degree of confidence that what is found is
indeed a flaw. However, in reality, such tools end up serving as
helpful aids to analysts to help them zero in on security
relevant portions of code so they can find flaws more
efficiently. The software development phases are where these
tools can be helpful as they can provide immediate feedback
to the developers and analysts on issues that they might be
introducing into the code during code development itself. This
allows them to address the issues as part of the development
process and not later.
This is where security should work closely with the development
teams to address potential security problems before they are
actually implemented into the system and before release of the
software.


Strengths of Source Code Analysis Tools

• Scale well; can be run repeatedly on various software.
• Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL injection flaws, etc.
• Output is good for developers; highlights the precise source files and line numbers affected.

Weaknesses of Source Code Analysis Tools

• Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of these tools only allows the finding of a relatively small percentage of application security flaws. However, this is better than nothing, and tools of this type are getting better.
• High numbers of false positives. Many advocates, however, would argue that false positives are good because they allow us to fine-tune the tools so they are more meaningful. Going through false-positive experiences is good for the fine tuning.
• Frequently cannot find configuration issues, since they may not be represented in the code.
• Difficult to prove that an identified security issue is indeed an actual vulnerability.
• Many of these tools have difficulty analyzing code that cannot be compiled. Analysts frequently cannot compile code because they do not have the right libraries, all the compilation instructions, or all the code available.

Security of Application Programming Interfaces (APIs)

Application programming interfaces (APIs) are the connectors that allow many different things to communicate. Think of a messenger that carries messages between different components of an architecture, or a system, to allow the entire architecture to work seamlessly to achieve certain things. For many of the systems and architectures that are used today, messengers that allow different components to work together become integral parts of achieving useful things. For many of the architectures that we use today, there need to be interfaces, or messengers, that allow applications, or systems, to communicate with each other. APIs are the messengers that carry the important information between the components, or applications, that make up the entire system.

The Internet of Things (IoT) is a perfect example. We may ultimately use many devices, but then allowing those devices to speak to each other becomes a requirement. APIs provide that functionality. At the same time, however, they are considered to be the unknown force of the internet because, for the most part, end users are not aware that they are there and of the work they are providing. They work in between the systems. Yet APIs are everywhere: when a fitness wristband sends your jogging time to a website, that ultimately uses an API. When you remotely unlock a car with a mobile app, it also uses an API. When you remotely change the temperature in your home thermostat from your office, that uses an API. These APIs must be managed and secured; otherwise the wrong messages, influenced by attackers, may ultimately be passed to applications. So, the challenge for organizations is securely exposing functionality to be consumed by developers and partners, some of whom are unknown to the enterprise. At the same time, technology still needs to fulfill its primary mandate, which is to provide security and protection for a company’s systems and for company and user data. Comprehensive security has to protect the whole digital value chain, from applications to APIs to back-end services. API security and the security of the infrastructures the APIs are running on is critical to an enterprise that is exposing digital assets.

Security professionals, therefore, need to understand API security at many levels. The overarching framework that can link those various levels together is the concept of data governance, allowing for the structured and controlled development and deployment of APIs that will be used to manage and secure all data exchanges straight from the very beginning of the lifecycle of a system, ensuring that data is protected at every step of the process and throughout its lifecycle.

Representational State Transfer (REST)


As we have explained above, API allows different components to
communicate through a “messenger.” REST is an architectural style
for designing networked architectures where the components need
to talk to each other. And instead of using complex mechanisms to

Module 2: Secure Coding Guidelines and Standards 663


Official (ISC)2 CISSP Training Guide

Notes allow the components to talk to each other, REST uses simple HTTP,
which is the language of the web.
Secure Coding Guidelines
and Standards REST is not an architecture, but it is an architectural style to build
services on top of the web. REST allows interaction with a web-based
system via simplified URLs rather than complex request body to
PPT
request specific items from the system.
Representational
State Transfer (REST) The widespread use of REST APIs is really at the heart of the key
(continued) challenge to the security professional with regards to API security.
Define REST. Because REST uses simple HTTP, protecting web services relying on
REST APIs becomes challenging. REST-based APIs can be secured,
but the security professional needs to work at it to get the security
PPT implemented correctly and consistently across the enterprise, as well
REST-based API Security as within all of the architecture components that systems use.
Recommendations
Explain REST- REST-based API Security Recommendations
based API security
recommendations. The following recommendations are for developers to use to ensure
REST-based API security:
• Employ the same security mechanisms for APIs as for any other web application your organization deploys. For example, if you are filtering for cross-site scripting (XSS) on the web front end, you must do it for your APIs as well, preferably with the same tools.
• Do not create and implement your own security solutions. Use a framework or existing library that has been peer-reviewed and tested. Developers not familiar with designing secure systems often produce flawed security implementations when they try on their own, and they may leave their APIs vulnerable to attack as a result.
• Unless your API is a free, read-only public API, do not use single key-based authentication. It is not enough. You should add a strong password requirement.
• Do not pass unencrypted static encryption keys. If you are using HTTP and sending a key across the wire, make sure you always encrypt it.
• Ideally, use a hash-based message authentication code (HMAC), because it is the most secure option. Use SHA-2 and above. Avoid SHA-1 and MD5 because of their known vulnerabilities and weaknesses.

Security professionals may also need to provide guidance on the use of authentication protocols with regard to REST APIs in the enterprise. These options are listed here.

664 Domain 8: Software Development Security

Instructor Edition

Authentication Options

There are three typical options available when addressing authentication protocols with regard to REST APIs.
PPT: Authentication Options. Mention authentication options.

• Basic authentication with Transport Layer Security (TLS): Basic authentication is the easiest of the three to implement because, the majority of the time, it can be implemented without additional libraries. Everything that is needed to implement basic authentication is usually included in a standard framework or language library. The problem with basic authentication is that it is basic: it offers only the absolute lowest security options of the available common protocols, so depending on the requirement, it may not be enough, as there are no advanced options for using this protocol. Recommendations are that basic authentication should never be used without Transport Layer Security (TLS) (formerly known as SSL) encryption, because the username and password combination can easily be deduced otherwise.
• OAuth 1.0a: OAuth 1.0a is the most secure of the three common protocols. The protocol uses a cryptographic signature, usually an HMAC-SHA1 value, that combines the token secret, nonce, and other request-based security information. The great advantage of OAuth 1 is that the token secret is never sent across the wire, which completely eliminates the possibility of anyone seeing the password while in transit. This is the only one of the three protocols that can be safely used without TLS, although the recommendation is always that TLS should be used, based on the sensitivity of the information being transferred. However, as with any increase in security, it usually demands a price. The price is that generating and validating signatures can become a complex process: specific algorithms and a considerable set of procedures need to be followed. However, as higher levels of security have become much more necessary, this issue has largely disappeared, as every major programming language now has a library to handle this type of activity.
• OAuth 2: This is the next evolution of what was discussed above. OAuth 2’s current specification removes signatures, so there is no requirement to use cryptographic algorithms to create, generate, and validate signatures. All the encryption is now handled by TLS, which is a requirement. As a drawback, however, there may not be as many OAuth 2 libraries as there are OAuth 1.0a libraries, so integrating this protocol into your API may be more challenging. However, this is changing rapidly.
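The following is an added example (Python, not code from the training guide) of the signing approach behind the HMAC recommendation in the list above and the OAuth 1.0a description: the client signs the method, path, timestamp, nonce and body with a shared secret, the secret itself never travels across the wire, and the server recomputes the signature, compares it in constant time, and rejects stale or replayed requests. It uses HMAC-SHA256 (SHA-2, as the recommendation asks) rather than the HMAC-SHA1 that OAuth 1.0a historically used; the key id, header names, key store and clock-skew window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key store: key id -> shared secret. In practice this lives
# server-side; the secret is never transmitted, only the signature is.
KEYS = {"client-42": b"constructed-shared-secret"}

MAX_SKEW_SECONDS = 300  # assumed replay window


def canonical_string(method, path, timestamp, nonce, body):
    """Build the string both sides sign. Every field that matters
    (verb, resource, time, nonce, body hash) is bound into the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(key_id, method, path, body, timestamp=None, nonce=None):
    """Client side: returns the headers to attach. Only key_id, timestamp,
    nonce and the HMAC travel; the secret stays with the client."""
    secret = KEYS[key_id]
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Key-Id": key_id,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": sig,
    }


class Verifier:
    """Server side: recomputes the HMAC with the stored secret and rejects
    stale timestamps and reused nonces (replay protection)."""

    def __init__(self, now=None):
        self.seen_nonces = set()
        self.now = now  # injectable clock so the logic can be tested offline

    def verify(self, headers, method, path, body):
        key_id = headers.get("X-Key-Id")
        secret = KEYS.get(key_id)
        if secret is None:
            return False, "unknown key id"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        now = int(time.time()) if self.now is None else self.now
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "stale request"
        nonce = headers.get("X-Nonce", "")
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        msg = canonical_string(method, path, ts, nonce, body).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the signature through timing differences
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    body = b'{"thermostat": 21}'
    hdrs = sign_request("client-42", "POST", "/v1/devices/7/temp", body)
    print(Verifier().verify(hdrs, "POST", "/v1/devices/7/temp", body))
```

Binding the body hash into the signed string is what stops a captured request from being replayed with a modified payload; binding the nonce and timestamp is what stops it from being replayed unchanged.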
Also useful could be the use of a solution such as the Key Management Interoperability Protocol (KMIP) V1.1, or the use of client certificates.

PPT: Authentication Options (continued). Mention authentication options.

PPT: OWASP REST Security Cheat Sheet. Define OWASP and the OWASP REST security cheat sheet.

Open Web Application Security Project (OWASP) REST Security Cheat Sheet

Further resources to consider when examining REST API-based security requirements may include the Open Web Application Security Project (OWASP) REST Security Cheat Sheet. Examples of the guidance offered by the OWASP REST Security Cheat Sheet include the following, taken directly from the cheat sheet:

“RESTful web services should use session based authentication, either by establishing a session token via a POST or using an API key as a POST body argument or as a cookie. Usernames and passwords, session tokens, and API keys should not appear in the URL, as this can be captured in web server logs and makes them intrinsically valuable….”
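The cheat sheet’s point that credentials in a URL end up in web server logs can be turned into a check. The following added Python example (not code from the guide or from OWASP) parses constructed access-log lines in the common log format, flags query parameters whose names suggest a credential, and produces a redacted copy of the line, so a reviewer can detect API clients that pass keys in the URL and keep the stored logs from becoming intrinsically valuable. The parameter-name list and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names that should never appear in a URL (assumed list; extend as needed)
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "api_key", "apikey",
                    "access_token", "token", "session", "sessionid", "jsessionid"}

# Common Log Format: host ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
                    r'(?P<status>\d{3}) (?P<size>\S+)$')


def find_credentials_in_url(url):
    """Return the names of query parameters that look like credentials."""
    parts = urlsplit(url)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return sorted({n for n in names if n.lower() in SENSITIVE_PARAMS})


def redact_url(url):
    """Replace the value of each sensitive query parameter with [REDACTED]
    while keeping the rest of the URL intact."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def scan_log(lines):
    """Return (host, method, path, offending_params, redacted_line) for every
    request whose URL carried a credential-like parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        bad = find_credentials_in_url(m.group("url"))
        if bad:
            redacted = line.replace(m.group("url"), redact_url(m.group("url")))
            findings.append((m.group("host"), m.group("method"),
                             urlsplit(m.group("url")).path, bad, redacted))
    return findings


# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/runs?api_key=abc123&day=3 HTTP/1.1" 200 512',
    '10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "POST /api/v1/login HTTP/1.1" 200 88',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /api/v1/me?token=eyJhbGci.xyz HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same `redact_url` function can be applied before a line is written to disk, which is the better control; scanning stored logs after the fact tells you which clients need to move the credential into a header, cookie, or POST body as the cheat sheet recommends.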
PPT: Secure Coding Practices. Introduce secure coding practices at the source code level.

Secure Coding Practices

Secure coding practices can be described as developing software with a focus on securing against known and possible vulnerabilities that may exist in the environment the applications will be running in. Many vulnerabilities exist, and addressing them all would be impossible. However, if the development of code follows a culture of focusing on security, many of the vulnerabilities can be effectively mitigated. The requirement is for these secure coding practices to be integrated into the SDLC; coding mitigating controls as the applications are being written is an effective way of dealing with many vulnerabilities.

PPT: Trusted Computing Bases (TCBs). Define TCB and its relevance to security.

Trusted Computing Bases (TCBs)

The trusted computing base (TCB) is the collection of all the hardware, software, and firmware components within an architecture that are specifically responsible for security. The term TCB is usually associated with security kernels and the reference monitor. The TCB is the collection of all of the hardware, software, and firmware within a computer system that contains all elements of the system responsible for supporting the security policy and the isolation of objects.

PPT: Trusted Computing Bases (TCBs) (continued). Define TCB and its relevance to security.

When designed and coded properly, all of the security features within a system become the TCB and, therefore, can support adequate security requirements. Again, if designed and developed properly, the TCB can contain a very good trusted path (secure methods to gain access) and a trusted shell (the environment supporting the security is itself secure). The trusted path is a communication channel between the user or program and the TCB. The TCB is responsible for providing the protection mechanisms necessary to ensure that the trusted path cannot be compromised in any way. The trusted shell implies that any activity taking place within the shell, or communication channel, is isolated to that channel and cannot be interacted with, either from inside or outside, by an untrusted party or entity.
PPT: Reference Monitors. Define the Reference Monitor.

Reference Monitors

The reference monitor is the element that enforces security between subjects and objects. As an idea, or concept, it can enforce security rules and requirements as it sits between the two elements, subjects and objects. It can take the form of a reference validator, which usually runs inside the security kernel and is responsible for performing security access checks on objects, manipulating privileges, and generating any resulting security audit messages. In other words, the reference monitor is considered to be an abstract machine that mediates, or controls, all access that subjects (users) have to objects (data or resources). The reference monitor acts to ensure that any subject attempting to access any object has the appropriate rights to do so, in order to protect the object from unauthorized access attempts by bad actors.

The reference monitor is a conceptual idea, or an abstraction, as noted above. Because it is an idea, or concept, it must be implemented or enacted in some way. The implementation of this concept is referred to as the security kernel.

PPT: Security Kernels. Define the security kernel.

Security Kernels

The security kernel, as mentioned above, is the implementation of the reference monitor concept. It is made up of all of the components of the TCB (the software, hardware, and firmware), and it is responsible for implementing and enforcing the reference monitor idea. A security kernel is responsible for enforcing the security policy. It must be a strict implementation of a reference monitor mechanism. The architecture of a kernel operating system is typically layered, and the kernel should be at the lowest and most primitive level. It is a small portion of the operating system through which all references to information and all changes to authorizations must pass. The kernel implements access control and information flow control between implemented objects according to the security policy.

PPT: Security Kernels (continued). Define the Security Kernel.

To be implemented properly and securely, the security kernel must meet three basic fundamental requirements:
• Completeness: All accesses to information must go through the kernel.
• Isolation: The kernel itself must be protected from any type of unauthorized access.
• Verifiability: The kernel must be proven to meet design specifications.

To address confidence and assurance in the security capabilities of the components that make up the TCB, there are various measurement systems that can be used to verify the level of security capabilities. These measurement systems are called evaluation criteria. A number of them exist, such as the Trusted Computer System Evaluation Criteria (TCSEC) and the current Common Criteria standards.
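An added Python sketch (not from the guide) of the reference monitor concept from the previous section and the three security kernel requirements above. All object access goes through a single `access()` method (completeness); the policy, object store and audit trail are held in private attributes of the kernel object and subjects receive no reference to them (isolation); and the decision logic is a few lines that can be checked against the stated rules (verifiability). The subjects, labels, ACLs and the no-read-up / no-write-down label rule are constructed for the example.

```python
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "secret": 2}  # constructed label lattice


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass
class Object:
    name: str
    level: str
    acl: dict            # subject name -> set of allowed modes, e.g. {"read"}
    data: str = ""


class SecurityKernel:
    """Mediates every subject/object access (the reference monitor).

    Completeness: objects are only reachable through access().
    Isolation: policy and audit live in private attributes; subjects get no
    handle to them. Verifiability: _decide() is small enough to be checked
    line by line against the rules it is meant to enforce.
    """

    def __init__(self):
        self._objects = {}
        self._audit = []

    def register(self, obj):
        self._objects[obj.name] = obj

    def _decide(self, subject, obj, mode):
        # Discretionary check: the ACL must grant the mode.
        if mode not in obj.acl.get(subject.name, set()):
            return False, "not in ACL"
        # Mandatory check: no read up, no write down (constructed rule).
        s, o = LEVELS[subject.clearance], LEVELS[obj.level]
        if mode == "read" and s < o:
            return False, "read up denied"
        if mode == "write" and s > o:
            return False, "write down denied"
        return True, "granted"

    def access(self, subject, object_name, mode, payload=None):
        """The single entry point. Returns (allowed, detail) and audits every
        attempt, successful or not."""
        obj = self._objects.get(object_name)
        if obj is None:
            self._audit.append((subject.name, object_name, mode, "no such object"))
            return False, "no such object"
        allowed, reason = self._decide(subject, obj, mode)
        self._audit.append((subject.name, object_name, mode, reason))
        if not allowed:
            return False, reason
        if mode == "read":
            return True, obj.data
        obj.data = payload
        return True, "written"

    def audit_log(self):
        return tuple(self._audit)  # a copy; callers cannot alter the record


def demo_kernel():
    """Constructed system: two objects, two subjects with different clearances."""
    k = SecurityKernel()
    k.register(Object("payroll.db", "secret",
                      {"alice": {"read", "write"}, "bob": {"read"}}, "salaries"))
    k.register(Object("bulletin", "public",
                      {"alice": {"read"}, "bob": {"read", "write"}}, "welcome"))
    return k, Subject("alice", "secret"), Subject("bob", "public")
```

Note that bob is listed in the payroll ACL yet is still refused: the mandatory label check is applied after the discretionary one, and both must pass, which is the kind of layered rule the kernel exists to enforce uniformly.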

PPT: Processor Privilege States. Describe processor privilege states.

Processor Privilege States

Limiting processors so that they can only perform certain activities and capabilities can be a security control. This can be referred to as privilege states. The processor privilege states protect the processor and the activities it can perform.

The earliest method of doing this was to record the processor state in a register that could only be altered when the processor was operating in a privileged state. Instructions such as I/O requests were designed to include a reference to this register. If the register was not in a privileged state, the instructions were aborted and not performed.

The hardware itself typically controls entry into the privileged mode. For example, certain newer processors prevent system code and data from being overwritten. The idea is to have the privilege-level mechanism prevent memory access by programs or data from less privileged to more privileged levels, but only if the controls are invoked and properly managed in software. In other words, hardware and software can work together to allow privileged access through processor states. The privilege levels are typically referenced in a ring architecture.

As an example, many operating systems use two processor access modes:
• User state, sometimes referred to as problem state
• Supervisor state, sometimes referred to as kernel state

PPT: Processor Privilege States (continued). Describe processor privilege states.

Normal user applications should run in user mode, and operating system functions run in supervisor mode. The privileged processor mode is called kernel mode. Kernel mode allows the processor access to all system memory, resources, and CPU instructions, as appropriate.

Applications should run in a non-privileged mode, referred to as user, or problem, state, and have a limited set of capabilities, limited access to system data, and no direct access to hardware resources. An advantage of this architecture is that problematic application software cannot disrupt the system’s ability to function properly. One of the major challenges of modern processing is that operating systems and applications may be most effective if run in supervisor or kernel mode at all times. Here is an example: when a user mode program calls a system service, such as reading a document from storage, the processor intercepts the call and switches the calling request to supervisor mode. When the operation is complete, the operating system switches the mode back to user mode and allows the user mode program to continue.

Earlier, we mentioned that many of these architectures are set up in a ring architecture. Under the most secure operating policy, the operating system and device drivers operate at ring level 0, also known as kernel-level or system-level privilege. At this privilege level, there are no restrictions on what a program can do. Because programs at this level have unlimited access, security professionals should be concerned about the source of device drivers for machines that contain sensitive information. Applications and services should operate at ring level 3, also known as user-level or application-level privilege.

Because operating system code runs in kernel mode, it is critical that kernel mode components be carefully designed to ensure they do not violate security features. For example, if a system administrator installs a third-party device driver, it operates in kernel mode and then has access to all operating system data. Here is the importance of understanding the security ramifications of this type of architecture: if the device driver installation software also contains malicious code, that code will also be installed and could open the system to unauthorized access as a result.

PPT: Security Controls for Buffer Overflows. Define a buffer overflow and security controls for buffer overflows.

Security Controls for Buffer Overflows

As we described earlier, a common problem with technology architectures is referred to as buffer overflows. This is where an application has been subjected to much more information than its buffer can handle. The problem is inadequate bounds checking, or ineffective parameter checking, which may lead to buffer overflows. As we have said, a buffer overflow is caused by improper bounds checking on input to an application. Essentially, the program fails to check whether too much data is provided for an allocated space of memory, referred to as a buffer. In order to run, programs need to be loaded into memory, but if there is an overflow, the data has to go somewhere. If the attack has been done creatively, that data could be malicious code that is loaded and, as a result, may run as if it were the program itself, allowing exploits by an attacker.

Buffer overflows must be corrected by developers or by directly patching fixes. Sometimes they may be detected by reverse engineering the application’s code, also referred to as disassembling programs, and looking at the actual operations of the application itself. The fix for buffer overflows is to patch for known buffer overflow conditions and also to enforce proper bounds checking and enforcement and, in some cases, proper error checking.

PPT: Controls for Incomplete Parameter Check and Enforcement. Define incomplete parameter check and enforcement and security controls.

Controls for Incomplete Parameter Check and Enforcement

Another security risk exists when all parameters, such as input, have not been fully checked for accuracy and consistency by the system. This lack of parameter checking can lead to many attacks, including buffer overflow attacks. To counter this vulnerability, systems can include some type of buffer bounds controls. Complete and effective parameter checking is something that needs to be designed, coded, and implemented by the developers; it involves checking the input data to make sure the program does not allow unwanted characters, lengths, data types, and formats. This may be referred to as proper input data validation.
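An added Python example (not from the guide) that ties the two preceding sections together: a fixed-capacity buffer whose only write path checks the bounds before copying, so oversized input is refused rather than spilling past the allocation, and a parameter validator that enforces the length, character-set, type and format rules the text lists and also rejects parameters it was not told to expect, since partial checking is the weakness being described. The field names, limits and sample inputs are constructed.

```python
import re


class BoundedBuffer:
    """Fixed-size buffer. write() is the only way in and it checks the
    bounds first, so it never copies more than the allocation can hold."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._storage = bytearray(capacity)
        self.length = 0

    def write(self, data: bytes):
        if len(data) > self.capacity:  # the check an overflow-prone copy omits
            raise ValueError(
                f"input of {len(data)} bytes exceeds buffer capacity {self.capacity}")
        self._storage[:len(data)] = data
        self.length = len(data)
        return self.length

    def contents(self):
        return bytes(self._storage[:self.length])


# Constructed parameter specification: name -> (type, max_len, format regex or None)
PARAM_SPEC = {
    "username": (str, 32, re.compile(r"^[A-Za-z0-9_.-]+$")),
    "age": (int, None, None),
    "zip": (str, 10, re.compile(r"^\d{5}(-\d{4})?$")),
}


def validate_params(params):
    """Check every parameter for type, length and format. Returns a list of
    error strings; an empty list means the input passed. Unknown parameters
    and missing required ones are errors too (complete, not partial, checking)."""
    errors = []
    for name, value in params.items():
        spec = PARAM_SPEC.get(name)
        if spec is None:
            errors.append(f"{name}: unexpected parameter")
            continue
        expected_type, max_len, pattern = spec
        if expected_type is int:
            # bool is a subclass of int in Python, so exclude it explicitly
            if isinstance(value, bool) or not isinstance(value, int):
                errors.append(f"{name}: expected integer")
                continue
            if not 0 <= value <= 150:  # constructed range for an age
                errors.append(f"{name}: out of range")
            continue
        if not isinstance(value, str):
            errors.append(f"{name}: expected string")
            continue
        if max_len is not None and len(value) > max_len:
            errors.append(f"{name}: longer than {max_len} characters")
            continue
        if pattern is not None and not pattern.match(value):
            errors.append(f"{name}: contains unwanted characters or bad format")
    for required in PARAM_SPEC:
        if required not in params:
            errors.append(f"{required}: missing")
    return errors
```

The length check runs before the format check on purpose: a regular expression applied to an unbounded string is itself a resource-consumption risk, so the cheapest control is applied first.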

PPT: Process Isolation and Memory Protection. Define process isolation and memory protection.

Process Isolation and Memory Protection

Computer architectures today are multitasking. This means they can host multiple processes that are running at the same time. A process is defined as part of a computer program that is being executed in memory. Multitasking architectures today are capable of running multiple processes at the same time. For these different processes to run at the same time, they must be managed in such a way that they are able to access resources as needed, but at the same time do so without impacting any of the other processes that are running. This can become very complicated at times, as processes can share memory, data, and system resources all at the same time. In other words, they may be contending for system resources all at the same time while trying to complete their tasks.

PPT: Process Isolation and Memory Protection (continued). Define process isolation and memory protection.

To maintain the integrity of the operating system and of each of the processes and the data being accessed, it is important that access to resources is managed properly at all times. This requires the processes to be isolated from each other. This, very appropriately, is called process isolation. This need to isolate processes from one another within the computer architecture has to be managed to ensure that it is happening effectively and thoroughly, without exceptions and problems.

This is handled by the operating system. It is the operating system that takes care of process isolation, but it needs to partner with the CPU to enforce the process isolation through the use of interrupts and time slicing.

PPT: Interrupts. Define interrupts.

Interrupts

The use of interrupts allows the operating system to ensure that a process is given enough time to access the CPU when necessary to carry out its required functions, but it also ensures that the process does not lock up resources that are necessary for other processes to execute as well.

To enforce the concept of process isolation, the following methods are typically used by the operating system and architecture:
• Encapsulation of a process
• Time multiplexing of shared resources
• Naming distinctions
• Virtual memory mapping

PPT: Process Encapsulation. Define process encapsulation.

Process Encapsulation

Encapsulating a process means that you isolate that process so that no other process is able to see, understand, or interact with the internal functions of the process itself. This act of encapsulating forces processes to interact with each other through well-defined interfaces that can be overseen and managed by the operating system properly. Encapsulation effectively hides the process and its functions from other processes, thereby allowing it to engage in data hiding. Data hiding is what it sounds like: hiding data from other processes so that the processes running at the same time do not interfere with each other.

PPT: Time Multiplexing. Define time multiplexing.

Time Multiplexing

Time multiplexing allows the operating system to provide structured access by processes to resources according to a controlled and tightly managed time schedule. This schedule is defined as a short period of time, or a time slice, which will grant access to the system resources required by the process and then terminate that access once the time period has expired. That resource then becomes available to another process, again based on a time slice.

Multitasking and multiprocessor architectures that are common today create an additional layer of performance, but also complexity, with regard to time slicing or multiplexing. Because each CPU in a computer can have more than one core, or more than one processor, the ability of the computer to process multiple requests for access to resources from processes simultaneously continues to increase and, therefore, needs to be managed properly. This is referred to as multitasking.

PPT: Naming Distinctions. Define naming distinctions.

Naming Distinctions

Naming distinctions are used to ensure that each process is assigned a unique identity within the context of the operating system and its architecture. This means that each process will be given a unique name and process ID, or PID, ensuring that when it is referenced by the operating system, there is no confusion as to which process is being accessed by which resources. This allows all processes to be referenced properly as they execute their tasks.

PPT: Virtual Address Memory Mapping. Define virtual address memory mapping.

Virtual Address Memory Mapping

Virtual address memory mapping allows each process to have access to its own set of memory locations as it executes. In other words, each process is allocated certain memory locations where that process will be allowed to do its tasks. The memory manager part of the operating system enforces memory mapping. The memory manager is used to ensure that processes do not access each other’s memory areas in improper ways that can lead to loss of integrity or confidentiality, or corruption of information.

PPT: Memory Management. Define memory management.

Memory Management

Memory management is used by the operating system to achieve the following goals:
• Provide an abstraction level for programmers
• Maximize performance with the limited amount of memory available to the system (physical RAM)
• Protect the operating system and applications once they are loaded into memory

PPT: Memory Management (continued). Define memory management.

As its name implies, the memory manager is the function of the operating system that keeps track of and manages how different types of memory are used. It allocates and deallocates the different memory types as needed by running processes, enforces access control to ensure that processes are only able to interact with their own memory segments, and manages the swapping of memory contents from RAM to the hard drive when needed.

PPT: Memory Manager Responsibilities. Explain memory manager responsibilities.

Memory Manager Responsibilities

As well as the above responsibilities, the memory manager has five other distinct responsibilities:
• Relocation: Move and swap content between RAM and the hard drive as needed, and provide reference pointers to applications if their information has been moved to a different location in memory.
• Protection: Provide access control for memory segments and limit processes to interacting only with the memory segments assigned to them.
• Sharing: Allow multiple users with different access levels to interact with an application or process while running, and enforce integrity and confidentiality controls between processes while using shared memory segments.
• Logical organization: Segmentation of all system memory types, providing an addressing scheme at an abstraction level and allowing for the sharing of software modules.
• Physical organization: Segmentation of the physical memory space for allocation.
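An added Python model (not from the guide) of the naming distinctions, virtual address memory mapping and memory manager sections above: each process is known by a unique PID and owns a page table that maps its virtual pages to physical frames; an address is only valid if that process’s own table maps the page with the requested permission, so one process cannot reach another’s frame by guessing an address; and a frame can be deliberately shared into a second process at a lower access level, which is the sharing responsibility with integrity controls intact. Page size, frame count and the PIDs are constructed.

```python
PAGE_SIZE = 256  # constructed; real systems use 4 KiB or larger pages


class MemoryFault(Exception):
    """Raised when a process touches memory its page table does not permit."""


class MemoryManager:
    def __init__(self, num_frames):
        self._frames = [bytearray(PAGE_SIZE) for _ in range(num_frames)]
        self._free = list(range(num_frames))
        self._page_tables = {}   # pid -> {virtual page: (frame, perms)}
        self._next_pid = 1

    def create_process(self, pages):
        """Naming distinction: every process gets a unique PID and its own
        page table; 'pages' private frames are allocated read/write."""
        pid = self._next_pid
        self._next_pid += 1
        table = {}
        for vpage in range(pages):
            if not self._free:
                raise MemoryError("out of physical frames")
            table[vpage] = (self._free.pop(0), "rw")
        self._page_tables[pid] = table
        return pid

    def share(self, owner_pid, owner_vpage, other_pid, other_vpage, perms):
        """Sharing: map a frame one process owns into another process's
        address space at the given access level (e.g. 'r' only)."""
        frame, _ = self._page_tables[owner_pid][owner_vpage]
        self._page_tables[other_pid][other_vpage] = (frame, perms)

    def _translate(self, pid, vaddr, mode):
        """Protection: valid only if this PID's table maps the page and the
        mapping allows the requested access mode ('r' or 'w')."""
        vpage, offset = divmod(vaddr, PAGE_SIZE)
        entry = self._page_tables.get(pid, {}).get(vpage)
        if entry is None:
            raise MemoryFault(f"pid {pid}: page {vpage} not mapped")
        frame, perms = entry
        if mode not in perms:
            raise MemoryFault(f"pid {pid}: {mode} not permitted on page {vpage}")
        return frame, offset

    def write(self, pid, vaddr, data: bytes):
        frame, offset = self._translate(pid, vaddr, "w")
        if offset + len(data) > PAGE_SIZE:
            raise MemoryFault("write crosses page boundary")
        self._frames[frame][offset:offset + len(data)] = data

    def read(self, pid, vaddr, length):
        frame, offset = self._translate(pid, vaddr, "r")
        return bytes(self._frames[frame][offset:offset + length])

    def release(self, pid):
        """Deallocation: a frame returns to the free list only when no other
        process still maps it, so a shared frame is not reused prematurely."""
        table = self._page_tables.pop(pid)
        still_used = {f for t in self._page_tables.values() for f, _ in t.values()}
        for frame, _ in table.values():
            if frame not in still_used:
                self._free.append(frame)

    def free_frames(self):
        return len(self._free)


def demo_isolation():
    """Process b cannot see a's data until the manager maps it in read-only."""
    mm = MemoryManager(num_frames=4)
    a = mm.create_process(pages=1)
    b = mm.create_process(pages=1)
    mm.write(a, 0, b"secret")
    own = mm.read(b, 0, 6)          # b's virtual page 0 is a different frame
    mm.share(a, 0, b, 1, "r")        # a's page mapped into b at b's page 1
    shared = mm.read(b, PAGE_SIZE, 6)
    return a, b, own, shared
```

Because the same virtual address 0 refers to different physical frames for a and b, the isolation does not depend on processes behaving well; it is enforced by the translation step that every access must pass through.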

PPT: Covert Channel Controls (2 slides). Define covert channels, two types, and controls.

Covert Channel Controls

A covert channel is defined as a communication channel that has the opportunity of disclosing confidential information. As we saw earlier, there are two types of covert channels: storage and timing. A covert channel is sometimes referred to as a confinement problem, or an information flow that is not properly controlled by a security control. It is a communication channel allowing two cooperating processes to transfer information in a way that violates the security controls. Even though there are protection mechanisms in place, if unauthorized information can be transferred using a signaling mechanism or storage weaknesses, then a covert channel may exist.

PPT: Covert Channel Controls (2 slides) (continued). Define covert channels, two types, and controls.

Here is an example. Let’s say there is a situation where a process can be started and stopped by one program, and the existence of that process can be detected by another application. The existence of the process can then be used, over time, to signal sensitive information. There is one commonality that exists in all covert channels: the transmitting and receiving objects over the covert channel must have access to a shared resource. The following are protection mechanisms for covert channels:
• The first step is to identify any potential covert channels.
• The second step is to analyze these channels to determine whether a channel actually exists.
• The next steps are based on manual inspection and appropriate testing techniques to verify whether the channel creates security concerns.
• These need to be addressed properly through security controls in the software environment.
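The first two steps above (identify potential channels, then analyze them) can be partly automated with a shared-resource matrix. The following added Python example (not from the guide) records, for each resource, which processes can modify it and which can observe it, and reports every resource that a higher-classified process can modify and a lower-classified process can observe, since that pairing is exactly the shared resource the text says every covert channel needs. It also shows the corresponding control: removing the low-level observer’s view of the attribute. The process-existence example from the text is included as a constructed input; process names, levels and resources are assumptions.

```python
from itertools import product

LEVELS = {"low": 0, "high": 1}  # constructed clearance levels


def potential_covert_channels(processes, resources):
    """processes: name -> level.
    resources: name -> {"modify": set_of_process_names, "observe": set_of_process_names}.
    Returns a sorted list of (resource, sender, receiver) where a higher-level
    process can change a resource attribute that a lower-level process can
    observe. Each entry is a potential channel that still needs the manual
    inspection and testing steps to confirm it is real and exploitable."""
    findings = []
    for res, attrs in resources.items():
        for sender, receiver in product(attrs.get("modify", ()), attrs.get("observe", ())):
            if sender == receiver:
                continue
            if LEVELS[processes[sender]] > LEVELS[processes[receiver]]:
                findings.append((res, sender, receiver))
    return sorted(findings)


def close_channel(resources, resource, observer):
    """Control: remove the lower-level observer's ability to see the attribute
    (for the text's example, restrict process-list visibility). Returns a new
    description; the original is left untouched for comparison."""
    fixed = {r: {k: set(v) for k, v in a.items()} for r, a in resources.items()}
    fixed[resource]["observe"].discard(observer)
    return fixed


# Constructed system description
PROCESSES = {"payroll_svc": "high", "scheduler": "high", "dashboard": "low", "backup": "low"}
RESOURCES = {
    # the text's example: one program starts/stops a helper process,
    # another can see whether it exists
    "helper_process_exists": {"modify": {"payroll_svc"},
                              "observe": {"payroll_svc", "dashboard"}},
    # a disk-full condition is visible to every process that writes files
    "disk_free_space": {"modify": {"payroll_svc", "backup"},
                        "observe": {"backup", "dashboard"}},
    # a private file only its owner can see: no shared resource, no channel
    "payroll_private_file": {"modify": {"payroll_svc"}, "observe": {"payroll_svc"}},
    # low modifies, high observes: not a disclosure channel in that direction
    "dashboard_cache": {"modify": {"dashboard"}, "observe": {"scheduler"}},
}

if __name__ == "__main__":
    for finding in potential_covert_channels(PROCESSES, RESOURCES):
        print(finding)
```

The matrix approach is deliberately conservative: it lists every high-to-low pairing over a shared attribute, so its output is the list of channels to analyze, not a list of confirmed leaks. Timing channels fit the same model once the shared resource (CPU time, a cache, a lock) is recorded as an observable attribute.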

PPT: Cryptography. Define cryptography and its relevance to control implementation.

Cryptography

Cryptographic techniques can be implemented to protect information by transforming the data through encryption schemes and methods. Typically, they are used to protect the confidentiality and integrity of information. Cryptography can also be used to address the authenticity of communications and nonrepudiation. Cryptography today can be used in many architectures and to protect information while in motion (transit) or at rest. Encryption algorithms can be used to encrypt specific information located anywhere in the architecture.

PPT: Password Protection Techniques. Explain password protection techniques.

Password Protection Techniques

Operating systems and applications can use passwords as a convenient mechanism to provide authentication services. Typically, operating systems use passwords to authenticate the user and establish access controls for resources, including the system, files, or applications. Password protections offered by the operating system include controls on how the password is selected and how complex the password needs to be, password time limits, and password lengths as well.

Password files stored within a computer system must be secured by the protection mechanisms of the operating system so that no one, including system administrators, has access to passwords belonging to entities of the system. Because password files are prone to unauthorized access, the most common solution is to encrypt password files using one-way encryption algorithms (hashing). Hashing passwords ensures that no one has access to the actual passwords. However, there are attacks against hashed password files, such as what is referred to as a dictionary attack.

PPT: Password Protection Techniques (continued). Explain password protection techniques.

There are many other types of password controls that may be offered by the architecture, such as password masking. Careful implementation of these password protection measures needs to be done to ensure protection based on the value of the architecture.
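An added Python example (not from the guide) of the one-way storage described above and of why a properly built password file resists the dictionary attack the text mentions: each password is hashed with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an assumption), so two users with the same password get different stored values and a precomputed dictionary of hashes cannot be reused across accounts, and verification compares in constant time. A minimal policy check for the length and complexity controls mentioned above is included. The record format, policy numbers, usernames and passwords are constructed.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000  # assumed; tune so one check costs roughly 100 ms on your hardware
SALT_BYTES = 16
MIN_LENGTH = 12       # constructed policy


def check_policy(password):
    """Selection-time controls of the kind the OS can enforce: length and
    complexity. Returns a list of problems; empty means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("needs at least three character classes")
    return problems


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash (hex).
    A fresh random salt is drawn for every password unless one is supplied."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare
    so a wrong guess does not reveal how many bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password):
    """The weak scheme, for contrast only: identical passwords give identical
    hashes, which is what makes a precomputed dictionary of hashes reusable."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_password_file(users):
    """users: {username: password} -> {username: record}. Constructed store;
    note that the plaintext is never kept."""
    return {u: hash_password(p) for u, p in users.items()}
```

The salt does not need to be secret; it is stored in the record. Its job is to make every stored hash unique so an attacker who obtains the file must attack each entry separately, and the iteration count makes each of those attempts expensive.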
Inadequate Granularity of Controls
Granularity of controls means there are many levels of security that can be applied based on requirements. The more granular the system is, the more levels can be fine-tuned to provide the level of security required. Granularity can also mean the ability to restrict specific actions while allowing others. If there is not enough granularity of security, users may be able to gain more access permission than needed. Here is an example of how low granularity can affect security. Suppose a user is unable to access object X, but the user has access to a program that can access object X; the security mechanisms could then be bypassed by running that program. This would be an example of a system with low granularity. If the security controls are granular enough to address both the program and the user, then the above security problem may be prevented.
Inadequate granularity of controls can be addressed by properly implementing the concepts of least privilege and separation of duties, and by setting reasonable access control and permission limits on subjects. Separation of duties and functions should be enforced; for example, developers should never perform system administrator or user functions. Another example is granting users only those permissions necessary for them to perform their authorized job functions, which is referred to as need to know, and giving them the least amount of privilege needed to do so.
In addition, granularity should also address the issue of a finely tuned access control mechanism. In other words, granularity also refers to the level of detail at which an access control system can be adjusted. As far as the operating system is concerned, an object is a file, not a structure within that file. Therefore, users granted access to a file can read the whole file. To restrict access to certain parts of the file, such as records or fields within a database, additional controls must be built into the database management system application to ensure that the areas of concern are protected.
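As an added illustration (this code is not from the training guide; the policy tables, user names and payroll rows are constructed for the example), the Python below contrasts a low-granularity policy that decides per program only, which reproduces the object X bypass described above, with a fine-grained policy that names both the user and the program and also applies the record-level and field-level restrictions the text says must be enforced in the DBMS layer:

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample data: a payroll table. To the operating system this is one
# file, so an OS-level grant on the file exposes every row and every column.
PAYROLL_ROWS = [
    {"emp_id": 101, "name": "A. Lovelace", "dept": "ENG", "salary": 98000},
    {"emp_id": 102, "name": "G. Hopper", "dept": "ENG", "salary": 105000},
    {"emp_id": 201, "name": "R. Hamilton", "dept": "HR", "salary": 87000},
]

# Low-granularity policy (constructed): the decision is made per program only;
# the user who launched the program is never consulted.
COARSE_PROGRAM_ACL = {"payroll_report": {"payroll.db"}}


@dataclass(frozen=True)
class Grant:
    """Fine-grained permission for one (user, program, object) triple: the
    columns that may be returned and a predicate selecting the visible rows."""
    columns: frozenset
    row_filter: Callable[[dict], bool] = field(default=lambda row: True)


# Fine-grained policy (constructed): keyed on user AND program AND object,
# with column projection and row filtering enforced by the DBMS layer.
# Anything not listed is denied.
FINE_ACL = {
    ("alice", "payroll_report", "payroll.db"): Grant(
        columns=frozenset({"emp_id", "name", "dept"})),
    ("hr_admin", "payroll_report", "payroll.db"): Grant(
        columns=frozenset({"emp_id", "name", "dept", "salary"})),
    ("mgr_eng", "payroll_report", "payroll.db"): Grant(
        columns=frozenset({"emp_id", "name", "salary"}),
        row_filter=lambda row: row["dept"] == "ENG"),
}


def coarse_read(user, program, obj, rows):
    """Low granularity: if the program may open the file, the caller gets the
    whole file, whoever the user is. This is the bypass in the text: a user
    with no right to object X runs a program that does have that right."""
    if obj not in COARSE_PROGRAM_ACL.get(program, set()):
        raise PermissionError(f"{program} may not open {obj}")
    return [dict(row) for row in rows]  # whole file, every column, every row


def fine_read(user, program, obj, rows):
    """Fine granularity: the decision names both the user and the program,
    and the DBMS layer projects columns and filters rows before returning."""
    grant = FINE_ACL.get((user, program, obj))
    if grant is None:
        raise PermissionError(f"{user} via {program} may not read {obj}")
    return [
        {col: row[col] for col in row if col in grant.columns}
        for row in rows
        if grant.row_filter(row)
    ]


def compare(user, program="payroll_report", obj="payroll.db"):
    """Return what each policy hands to `user` for the same request."""
    out = {}
    for name, reader in (("coarse", coarse_read), ("fine", fine_read)):
        try:
            out[name] = reader(user, program, obj, PAYROLL_ROWS)
        except PermissionError as exc:
            out[name] = f"DENIED: {exc}"
    return out


if __name__ == "__main__":
    for who in ("alice", "mgr_eng", "mallory"):
        print(who, compare(who))
```

Under the coarse policy an unlisted user such as "mallory" receives every salary simply by running the reporting program; under the fine policy the same request is denied, and users who are listed see only the columns and rows granted to them.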

Control and Separation of Environments
In software development, there are usually various environments; these may include, for example:
• Development environment
• Quality assurance environment
• Production environment
There may be other environments, but the security issue is to control how each environment can access the application and the data that the application is processing, and then provide mechanisms to keep them separate. For example, systems analysts and programmers write, compile, and perform initial testing of the application’s implementation and functionality in the development environment. As the application reaches the point of being ready to be put into production, users and quality assurance people perform functional testing within the quality assurance environment. To be effective, the quality assurance configuration should simulate the production environment as closely as possible. Once the testing has been completed, including the security testing, and stakeholders have accepted the application, it is moved into the production environment.
What is important is to keep the environments separate and isolated.
Those working in any environment should be restricted to that
environment only. Blended environments combine one or more of
these individual environments and are generally the most difficult to
control. As an example, it is generally accepted that developers
working in development environments should never have access to the
production environment.
Control measures protecting the various environments are many, but they
should include physical isolation of environment, physical or temporal
separation of data for each environment, access control lists, content-
dependent access controls, role-based constraints, role definition stability,
accountability, and separation of duties.

Race Conditions vs. Time of Check vs. Time of Use (TOCTOU) Attacks
A race condition may exist when the output of a specific architecture is dependent on the timing of certain uncontrollable events, but somehow those events are not done in the proper sequence. In other words, in a system, there may be a need to do operations in a specific sequence, but the system somehow performs two operations at the same time. If there are multiple threads of execution occurring at the same time, but the proper sequence of those events needs to be done properly, a TOCTOU attack may become possible.
An example of a TOCTOU attack may be when there are changes between when security credential information is actually checked and when those credentials are actually used. The granting of privileges may be dependent on the timing of events that take place in a multitasking operating system.
Here is an example that illustrates this. Our example involves the use of two processes and two files. Process 1 is used to validate the credentials of a user to allow the user to open file A, and process 2 is used to call and access the file once process 1 authorizes the user access. If an attacker can manage to redirect process 2 to open a secure file, such as a payroll file, after process 1 authorizes the user access but before process 2 executes the handed-off request to retrieve and access the non-secure file called file A, then this would be an example of a possible TOCTOU attack.
Flaws in the programming code of the operating system are what
can allow this kind of attack to take place. To avoid TOCTOU
attacks, the operating system should use the concept of software
locking. Software locking applies a lock, or a blocking mechanism,
to the file or resource being accessed by the process. This enables
the operating system to ensure that the file cannot be substituted
out for another file through the process of access validation, thus
ensuring that only the file initially requested by the process will be
accessed by the user as the process completes.
A race condition occurs when two processes need to carry out
their tasks against one resource. The processes, however, need to
execute in the correct order, process 1 first, process 2 second. If
that order can be disrupted by an attacker, then the attacker can
manipulate the output of the results of the combined action of the
two processes and potentially create a different outcome than the
one intended. This would be a race condition. Here is a good
example. Let’s say the operating system were to allow the security
functions for authentication and authorization to be handled by
two different processes. The outcome may be perfectly normal
and acceptable almost all of the time, meaning that when a user
attempts to log into a system, the user is first authenticated and
then authorized to access system resources as required based on
the permissions that the user has. However, let’s say an attacker
was able to force the authorization process to execute before the
authentication process. The outcome may be that the user is granted access to resources in the system without authentication of their identity taking place.
To protect against a race condition attack from taking place within a system, the security professional needs to ensure that the architecture and design of the operating system and the programs that run on top of it do not allow critical tasks to be split up for execution. To ensure this does not happen, the use of atomic operations needs to be enforced within the system. The difference between race conditions and TOCTOU attacks is subtle but important for the security professional to understand. A race condition implies that two processes will be forced to execute out of sequence, allowing the attacker to control or manipulate the outcome, while a TOCTOU attack may happen as a result of the attacker inserting themselves between two processes as they are executing, causing a redirection of the second process in some way to control or manipulate the outcome.
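The two-process scenario above (process 1 checks, process 2 opens file A, and the object behind the name is substituted in between) and the atomic-operation remedy for the race, as an added example that is not from the training guide. It assumes a POSIX host and constructs its own temporary files; the "during_window" hook stands in for the time that passes between the check and the use. The hardened reader does not rely on file locking as the text suggests; instead it carries the identity of the approved object from the check to the use, refuses to follow a link at open time, and verifies the object it actually opened, so that the check and the use refer to the same object even if the name was changed:

```python
import errno
import os
import shutil
import stat
import tempfile


def make_playground():
    """Constructed sample: a non-secure file A the user may read and a payroll
    file the user may not. Returns (allowed_dir, file_a, payroll)."""
    root = tempfile.mkdtemp(prefix="toctou_demo_")
    allowed_dir = os.path.join(root, "public")
    secure_dir = os.path.join(root, "secure")
    os.mkdir(allowed_dir)
    os.mkdir(secure_dir)
    file_a = os.path.join(allowed_dir, "fileA.txt")
    payroll = os.path.join(secure_dir, "payroll.txt")
    with open(file_a, "w") as fh:
        fh.write("public data\n")
    with open(payroll, "w") as fh:
        fh.write("SALARIES\n")
    return allowed_dir, file_a, payroll


def check_access(path, allowed_dir):
    """Process 1: the access check. Only a regular file directly inside
    allowed_dir is approved. Returns the identity (device, inode) of the
    approved object so the 'use' step can verify it opened that same object."""
    st = os.lstat(path)  # lstat inspects the name itself; it does not follow links
    in_allowed_dir = os.path.dirname(os.path.abspath(path)) == os.path.abspath(allowed_dir)
    if not (in_allowed_dir and stat.S_ISREG(st.st_mode)):
        raise PermissionError("request denied by access check")
    return (st.st_dev, st.st_ino)


def read_check_then_use(path, allowed_dir, during_window=lambda: None):
    """Vulnerable pattern (process 2 trusts the name): check the NAME, then
    later open the NAME. Whatever the name points to at open time is read."""
    check_access(path, allowed_dir)
    during_window()  # time passes between the check and the use
    with open(path) as fh:
        return fh.read()


def read_open_then_verify(path, allowed_dir, during_window=lambda: None):
    """Hardened pattern: carry the approved identity to the 'use' step, refuse
    to follow a symlink at open time, and verify the OBJECT actually opened is
    the one that was approved before returning any data."""
    approved = check_access(path, allowed_dir)
    during_window()
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # the name became a symlink
            raise PermissionError("object substituted between check and use")
        raise
    try:
        st = os.fstat(fd)  # identity of what is really open, not of the name
        if (st.st_dev, st.st_ino) != approved:
            raise PermissionError("object substituted between check and use")
        return os.read(fd, 4096).decode()
    finally:
        os.close(fd)


def swap_with_symlink(path, target):
    """Simulated substitution inside the window: the name becomes a link."""
    os.remove(path)
    os.symlink(target, path)


def swap_by_rename(path, target):
    """Simulated substitution inside the window: another file is moved over the name."""
    os.replace(target, path)


def demo():
    """Run both substitution cases through both patterns. Returns what each
    pattern handed back, with 'DENIED' where the read was refused."""
    results = {}
    for swap_name, swap in (("symlink", swap_with_symlink), ("rename", swap_by_rename)):
        for pattern_name, reader in (("check_then_use", read_check_then_use),
                                     ("open_then_verify", read_open_then_verify)):
            allowed_dir, file_a, payroll = make_playground()
            try:
                results[(swap_name, pattern_name)] = reader(
                    file_a, allowed_dir, lambda: swap(file_a, payroll))
            except PermissionError:
                results[(swap_name, pattern_name)] = "DENIED"
            finally:
                shutil.rmtree(os.path.dirname(allowed_dir))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

The check-then-use reader returns the payroll contents in both substitution cases, because its check and its open each resolve the name independently. The open-then-verify reader denies both, because the approval is bound to the object's identity rather than to its name; a detection-minded reader can log the PermissionError it raises, since a mismatch between the approved and opened object is itself evidence of a substitution attempt.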

Social Engineering
Social engineering attacks typically use deception and intimidation to get someone to provide information they should not, which can then be used by attackers to circumvent security controls. Some of the ways in which attackers can try to use social influence over users to subvert normal processes and technical controls for their own gain may also include subtle intimidation, pulling rank, exploiting guilt, pleading for special treatment, or exploiting the victim’s natural desire to be helpful.
With regard to protection against social engineering attacks, awareness and training are very useful. People also need to understand the policies and be able to recognize when they may be experiencing a social engineering attack.
The best method of preventing social engineering attacks is always to
make people aware of the threat and give them the proper procedures
for handling unusual or what may seem usual requests for information.
Recognizing potential social engineering situations and dealing with
them appropriately is paramount in mitigating this threat. Proper
awareness, training, and education are very effective in providing
people with the skills and knowledge to be able to handle these
situations properly.

Backup Controls
Backing up critical and sensitive components and data is a very effective method of ensuring we can deal with potential interruptions or disasters. Anything deemed to be critical, sensitive, and of value needs to be backed up in the event of problems occurring. Examples of good practices include the following. Operational copies of software should be available in the event of a system crash. Also, storing copies of software in an off-site location can be useful if the building is no longer available. Anything sensitive and valuable, such as data, programs, documentation, computing, and communications equipment, must be backed up and be available to restore.
Other examples include the following. Redundancy can ensure that information is available in the event of an emergency. Requiring that the source code for custom-designed software is kept in escrow ensures that if the software vendor were to go out of business, the source code would be available to use or give to another vendor in the event upgrades or assistance is needed. Contingency planning documents help to provide a plan for returning operations to normal in the event of an emergency. Disk mirroring, redundant array of independent disks (RAID), etc., can provide protection for information in the event of a production server crashing.

Software Forensics
Software forensics is the science of analyzing source code or
machine language code to try and determine whether intellectual
property infringement may have occurred. Software forensics may
have other uses, such as examining the output, consequences, and
other traces produced by software, especially for investigative
purposes. Software forensics may be used by companies to try and
settle legal issues related to copyright, patent, or trade secret
infringements. Even though it is typically used to try and prove
authorship related to infringement possibilities, it may have a
number of possible uses. In analyzing software suspected of being
malicious, it can be used to determine whether a problem is a
result of carelessness or a deliberate attempt related to malicious
software. Information can be obtained about authorship and the
sequence in which related programs were written. This can be used
to provide evidence about a suspected author of a program or to
determine intellectual property issues.
The techniques behind software forensics can sometimes also be
used to recover source code that has been lost. Software forensics
generally deals with two different types of code:
• Source code, which can be easily analyzed, is referred to as code analysis and is closely related to literary analysis.
• Analysis of object, or machine, code is generally referred to as forensic programming.

Certain message formats may provide additional information. For example, a number of Microsoft email systems include a data block with every message sent. To most readers, this block contains meaningless information; however, it may include a variety of information, such as part of the structure of the file system on the sender’s machine, the sender’s registered identity, programs in use, and other possible forensic information.
Other programs may add information that can be used as well. A great example is Microsoft Word, as it is frequently used to create documents sent by email. Word documents include information about file system structure, the author’s name, possibly the author’s company, and a global user ID. This ID was analyzed as evidence in the case of the Melissa virus. Microsoft Word can also provide other data, such as comments and deleted sections of text, that may be retained in Word files and simply marked as hidden to prevent them from being displayed. Simple utility tools can recover this information from the file itself.

Mobile Code Controls
Mobile code can be defined as the ability of a program, code, or
object to be moved from one machine or application to another. In
typical client server architectures, it is the data that moves. In mobile
code environments, it is the actual code, or instructions, that move.
The concept of attaching code to web pages that move when a link has
been clicked on has very real security implications. The implication may
be that the code could be malicious, as it will ultimately run on the
user’s machine. However, through the use of appropriate technical
controls, this threat can be mitigated. With proper mitigation, the
security controls determine if the user can view the page. Secured
systems can limit mobile code, which can include applets, access to
system resources such as the file system, the CPU, the network, or any
other component of the architecture that may be prone to attack
or exploitation.
Fundamentally, the issue of safe execution of code on any architecture
comes down to a concern with access to system resources. Any running
program has to access system resources to perform its task. Traditionally,
that access has been given to all normal user resources. To safely allow
mobile code to run, we must restrict access to system resources and data.
However, it must be allowed in some form to allow it to perform its
required functions.
When creating a secure environment for an executable program, such as
mobile code, it is important to identify the resources the program needs and then provide limited access to these resources to protect against potential threats. Some of these threats may include the following:
• Disclosure of sensitive information
• Denial of service (DoS) attacks that make a resource unavailable for legitimate purposes
• Damaging or modifying data
Some resources are clearly more dangerous to give full access to than others, but regardless, the issue in mobile code is determining which resources a particular piece of code should have access to.
Two control mechanisms can be used to limit the risk to the user in relation to mobile code:
• Attempt to run the code in a restricted environment where it cannot do harm, such as a sandbox.
• Cryptographic authentication can be used in an attempt to authenticate where the code is coming from.

Sandbox
One of the control mechanisms for mobile code is called a sandbox
environment. As its name implies, a sandbox can be a “play” area
where we can test certain pieces of code to see if they are
malicious. The sandbox provides a protective area for program
execution. Limits are placed on the amount of memory and
processor resources the program can consume in that sandbox
environment. If the program exceeds these limits, the web browser
terminates the process and logs an error code and ultimately does
not allow the code to run.
This can ensure the safety of the browser’s activities. As an
example, in the Java sandbox security model, there is an option to
provide an area for the Java code to do what it needs to do,
including restricting the bounds of this area. This is exactly the idea
of a sandbox.
A sandbox cannot confine code and its behavior without some type
of enforcement mechanism. The Java security manager makes sure
all restricted code stays in the sandbox and cannot ultimately
do anything outside of it. Trusted code resides outside the sandbox,
and untrusted code is confined within the sandbox. By default, Java
applications live outside the sandbox and Java applets are confined
within the sandbox.

In Java, applets are either sandbox applets or privileged applets. Sandbox applets are run in a security sandbox that allows only a set of safe operations. Privileged applets can run outside the security sandbox and have extensive capabilities to access the client and its environment. Applets that are not signed are restricted to the security sandbox and run only if the user accepts the applet. Applets that are signed by a certificate from a recognized certificate authority can either run only in the sandbox or can request permission to run outside the sandbox. In either case, the user must accept the applet’s security certificate before anything can happen. If the user does not accept the certificate, the applet is blocked from running.
Sandbox applets are restricted to the security sandbox and can do the following:
• Make network connections to the host they came from
• Easily display HTML documents using the showDocument method of the java.applet.AppletContext class
• Invoke public methods of other applets on the same page
• Applets that are loaded from the local file system (from a directory in the user’s CLASSPATH) have none of the restrictions that applets loaded over the network do
• Read secure system properties
When launched by using the Java Network Launch Protocol (JNLP), sandbox applets can also:
• Open, read, and save files on the client
• Access the shared system-wide clipboard
• Access printing functions
• Store data on the client, decide how applets should be downloaded and cached, and much more
Sandbox applets cannot do the following:
• Access client resources such as the local file system, executable files, system clipboard, and printers
• Connect to or retrieve resources from any third-party server (any server other than the server it originated from)
• Load native libraries
• Change the Security Manager
• Create a Class Loader
• Read certain system properties

Privileged applets do not have the security restrictions that are imposed on sandbox applets and can run outside the security sandbox. The sandbox aims to ensure that an untrusted application cannot gain access to sensitive system resources. As a note, some newer examples of malicious software, or malware, are capable of detecting sandboxes and may be able to break out of the sandbox environment.
Activity: Sandbox Applet Operations
Instructions
Use the lists below to determine whether sandbox applets can perform each of the following operations, by noting “can” or “cannot” next to each one:
1. read secure properties
2. access printing functions
3. access client printer resources
4. save files on the client
5. load native libraries

Activity: Sandbox Applet Operations – Answers
1. Can read secure properties
2. Can access printing functions
3. Cannot access client printer resources
4. Can save files on the client
5. Cannot load native libraries

Programming Language Support
A method of providing safe execution of programs is to use a type-safe programming language (also known as strong typing), such as Java. A type-safe language, or safe language, is one in which a program is prevented from being able to go wrong in certain ways. These languages ensure that arrays stay in bounds, that pointers are always valid, and that code cannot violate variable typing, such as placing code in a string and then executing it, which may prevent injection types of problems.
From a security perspective, the absence of pointers is important. Memory access through pointers is one of the main causes of weaknesses, exploits, and security problems in C or C++. Java does an internal check, called static type checking, which examines whether the arguments an operand may get during execution are always of the correct type.
Verifying and enforcing constraints of types, which is often referred to as “type checking,” can usually be done at different times. These times may be during the compile process or during runtime. If a language specification requires its typing rules “strongly,” in other words allowing only those automatic type conversions that do not lose information, then the language can be referred to as being strongly typed. If this is not the case, we can refer to it as being weakly typed.

Module 3: Security Controls in Development Environments
Module Objectives
1. Understand security and how it is applied in software environments.
2. Explain the importance of protecting code repositories.
3. Understand the importance of configuration management as an aspect of secure coding.

Security of the Software Environment
Applications have become the cornerstone of organizations achieving their goals and objectives. They are the way that organizations do business and also process very valuable information that allows them to achieve goals and objectives and provide services to customers. Application software is therefore a very important component of any architecture to protect. Most attacks today are happening at the application software level.
The security of data and information is one of the most important elements for organizations today. This is of course supported by the security function. It is through software and applications that organizations process and access data on technology systems. In addition, almost all technical controls need to be implemented in software applications, and the interfaces to all technical countermeasures are managed through software applications.
The objective of information security is to make sure that the system and its resources are available when needed, that the integrity of the processing of the data and the data itself is ensured, and that the confidentiality, integrity, and availability of the information is protected at all times throughout its lifecycle. All of these requirements rely upon secure, consistent, reliable, and properly operating application software.
Application development procedures are absolutely vital to the integrity
and security of technology systems. If applications are not developed
properly and securely, data may be processed in such a way that the
integrity of either the original data or the processed results may end up
being corrupted. In addition, the integrity of both application and
operating system software itself must be maintained in terms of both
change control and attack from malicious software such as viruses.
If special protection requirements, such as confidentiality, for the data
controlled by a system are required based on the value of that data,
protective mechanisms and safeguards need to be designed and
implemented into the system. This may require encryption and possibly
other controls that should be designed at the beginning of the SDLC of
the application. Because operating system software is also responsible
for many of the controls on access to data and systems, it may also be
vital that these areas of programming be tightly protected.

Current Software Environment
Information systems are becoming more distributed, with a substantial increase in the use of open protocols, interfaces, and source code, as well as sharing of resources. All of these elements require that all resources be protected against unauthorized access, as well as issues related to confidentiality, integrity, and availability. Many of these safeguards are provided through software controls, especially operating system mechanisms and application software controls. The operating system must offer controls that protect the computer’s resources, and so must the application and system itself running on top of the operating system. In addition, the relationship between applications and the operating system, and how they communicate, is also very important. Controls must be included in operating systems so that applications cannot damage or circumvent the operating system controls. And controls need to be designed and built into the application software to protect the data that it ultimately processes. A lack of adequate software protection mechanisms can leave the operating system and critical computer resources open to corruption and attack, and the sensitive data open to potential disclosure, corruption, or unavailability.
The complexity of information systems today has also increased.
Older computing typically required the application running on a
specific machine, aside from the hardwired functions resident in the
CPU. Today, an application may be running on architectures that
involve the hardware platform, CPU microcode, virtual machine
server, operating system, network operating system, utilities, remote
procedure calls, object request broker, database and web servers,
engine application, multiple interface applications, interface utilities,
API libraries, and multiple entities involved in a remote client
interface. In other words, the architecture itself, and the components
that make it up, has become much more complex. This ultimately
requires adequate protection of all entities and components that
make up the architecture.
While many of these levels have been added in the name of
interoperability and standardization, the complexity introduced
does make addressing the security requirements more difficult.
Some of the main security requirements for applications and
databases are to ensure that only valid, authorized, and authenticated
users can access the sensitive information contained within the
database environments and the proper enforcement of the
permissions related to use of the data. It may also be required
that the system or software provides some type of granularity for
controlling such permissions and that possibly encryption or other
appropriate logical controls are available for protecting the value
of sensitive information. Other controls required may include
password protection and audit mechanisms that provide
assurance of the functional security controls.

Open Source
Open source application software is source code that is made generally available to anyone. It is usually developed by and for the user community. Advocates of open source software believe that security can be improved when the source code is available to the public. This is expressed in Linus’s law, which basically says that with enough eyeballs looking at the code, all bugs within that software will become apparent. The idea is to let other developers and programmers review the code to help find the security vulnerabilities that may exist. The idea is that this openness will lead to quick identification and repair of any issues, including those dealing with security.
Other developers disagree. The question is whether other programmers will be able to find all of the security vulnerabilities even given enough time. Some may ultimately always remain no matter how many eyes have looked at the source code. Releasing the source code does not ensure that all security bugs and vulnerabilities will be found, and the automatic assumption of reliability can lead to a false sense of security in many cases. Advocates of proprietary systems note that dishonest programmers may find security vulnerabilities but not disclose the problem to the general community, or at least not until they have exploited it. There have been instances where those in the black hat community tried to blackmail software vendors when they have found problems.
A final determination on this issue has not yet been made, and there are advocates for both, each having advantages and disadvantages. However, in general, it is known that “security by obscurity,” which is the idea that if a technology is little known, there is less likelihood that someone will discover how to break into it and find vulnerabilities, does not generally work. Whether programs are available in source or only as executable versions, it is known that observation, reverse engineering, disassembly, trial and error, and random chance may be able to find security vulnerabilities.

The Database and Data Warehousing Environment
Database Management System (DBMS) Architecture
When we look at the evolution of database architectures, companies originally created separate databases to store and update their data. Databases are a repository of organized, valuable information that organizations use to drive business decisions and provide services to clients and customers. Originally, organizations created separate databases for various reasons and requirements. However, as database technology improved, organizations started to see benefits in collecting data from many separate databases into one large database system, where it is available for viewing, updating, and processing by either programs or users. Organizations have seen advantages in keeping large amounts of data together in one large database environment.
One of the components of database architecture is the database management system (DBMS). A DBMS is a suite of application programs that typically manages databases and their environments. It performs and manages functions such as storing, maintaining, and providing access to the database and its contents. The DBMS provides the structure for the data and some type of language and architecture for accessing and manipulating the data. The primary objective is to store data and allow users to interact with the data, but of course in a secure way from a confidentiality, integrity, and availability perspective.

Elements of a DBMS
Typically, and at minimum, a DBMS architecture has four major
elements:
l The database engine itself
l The hardware platform
l Application software
l Users

The database itself is a large, structured sets or tables of persistent


and related data. Databases are usually associated with other
components of the database architecture, including the software
that allows queries and updates to be done against the data within
the database. The DBMS uses software application programs that
allow it to manage the large, structured sets of data and provide
access to the data for multiple, possibly concurrent users while at
the same time maintaining the integrity of the database itself and
the data within.
There may be other major components that make up the entire database environment. These may include virtual machine platforms and interfaces, middleware components that sit between the applications and the database engine itself, utilities in support of applications, and, increasingly, web access, or a web browser, as a front end. Increasing the number of components that make up an architecture always increases complexity and security requirements. Securing the entire database architecture, and all of the components that make up that architecture, becomes very important. Indeed, this is how the security of any architecture is approached: by securing each of the components that make up the entire architecture itself.
The data consists of individual entities, and these entities may have relationships that link them to other entities within the database. The mapping or organization of the data entities is based on a particular database model.

Module 3: Security Controls in Development Environments 689
Official (ISC)2 CISSP Training Guide
Database Models
PPT: Database Models. Define how database models require, at minimum, certain security controls related to functions performed by the DBMS.
A database model describes the relationship between the data entities within the database and provides a framework for organizing the data. The data model is fundamental to the design because it provides a mechanism for representing the data in a specific format and provides correlations between the data. At minimum, any database model needs to provide the following requirements:
• Transaction persistence: The state of the database is the same after a transaction against the database has occurred as it was prior to the transaction, and the transaction should be durable, meaning it lasts.
• Fault tolerance and recovery: In the event of a hardware or software failure, the data should remain in its original state without impacting the security of that data. Two types of recovery systems are typically available to address this; they are referred to as rollback and shadowing. Rollback recovery is when incomplete or invalid transactions are backed out properly. Shadow recovery occurs when transactions are reapplied to a previous version of the database. Shadow recovery requires the use of transaction logging to identify the last good transactions that can be reapplied.
• Sharing by multiple users: The data should be available to multiple users at the same time without endangering the integrity of the data or the integrity of the database environment itself.
• Security controls: Including confidentiality, integrity, availability, and others that address requirements of access controls, integrity checking, and view definitions.
When an organization is designing a database architecture, the first step is to understand the requirements for the database and then design a system that meets those requirements, including those related to security. This includes what information will be stored, who is allowed to access and update the information, and how many people will need to access the data at the same time. Other factors to consider include duplication of attributes and keys, maximizing flexibility, and balancing those demands against the need to reduce accesses to increase performance.
The following is a description of the evolution of database models and architectures.

Hierarchical Database Management Model
PPT: Hierarchical Database Management Model. Explain the evolution of DBMS environments, starting with hierarchical.
The hierarchical model is the oldest of the database models and dates back to the information management systems that existed during the 1950s and 1960s. Even though this technology seems old, there are still hierarchical legacy systems being operated today in many organizations, as their reliance on legacy applications and database models continues.
This model stores data in a series of records that have field values attached to each record. It collects all the instances of a specific record together as a record type. These record types are the equivalent of tables in the relational model that we will describe later. To create links between the record types, the hierarchical model uses parent and child relationships through the use of tree structures.
An obvious weakness in this model is that the hierarchical model is only able to cope with a single tree and is not able to link between branches or over multiple layers. For example, an organization could have several divisions and several subtrees that represent employees, facilities, and products. If an employee worked for several divisions, the hierarchical model would not be able to provide a link between the two divisions for one employee. In other words, this model is very restricted in the relationships that can exist between elements of the database architecture.

Network Database Management Model
PPT: Network Database Management Model. Define network DBMS models.
The network architecture model represents its data in the form of a network of records and sets that are related to each other, forming a network of linkages. So, the name “network” does not mean that this architecture resides on a network but rather that a “network” of linkages can be associated as part of the architecture. Records are sets of related data values and are the equivalent of rows in the relational model to be discussed later. They store the name of the record type, the attributes associated with it, and the format for these attributes. For example, an employee record type could contain the last name, first name, address, and other types of information related to the employee. Record types are sets of records of the same type. These are the equivalent of tables in the relational model. Set types are the relationships between two record types, such as an organization’s department and the employees that work in it. The set types allow the network model to run some queries faster, and it is definitely an improvement over the hierarchical database model; however, it does not offer the flexibility of a relational model. As a result, the network model is not commonly used today to design database systems; however, as we’ve said earlier, there are still some legacy systems remaining.

Relational Database Management Model
PPT: Relational Database Management Model. Define relational DBMS models.
In today’s environments, where the need for many databases exists, the majority of organizations are using the relational database management model. Relational environments allow organizations to represent data in very simple two-dimensional structures called tables. Because it offers many advantages, the relational database has become dominant among the database management systems used in organizations.
The relational model allows data to be structured in a series of tables that have columns representing the variables and rows that contain specific instances of data. These tables are organized using normal forms, and because they are organized using normal forms, they can be used throughout the organization and can be linked to other relational tables to join the information together.

Elements of the Relational Model
PPT: Elements of the Relational Model. Explain the elements of a relational DBMS.
From a very simplistic view, the relational model consists of three elements:
• Data structures that are called either tables or relations
• Integrity rules on allowable values and combinations of values in tables
• Data manipulation agents that provide the relational mathematical basis and an assignment operator

Attributes of a Table
PPT: Attributes of a Table. Define attributes in a relational DBMS.
Each table or database in the relational model is made up of a set of attributes and a set of tuples, which are really rows or entries in the table. Attributes are really columns in a table. Attributes are unordered left to right, and thus are referenced by name and not by position. All data values in the relational model are said to be atomic. Atomic values mean that at every row and column position in every table, there is always exactly one data value and never a set of values. In relational databases, there are no links or pointers connecting tables; therefore, the representation of relationships is contained as data in another table.
A row in the table is referred to as a tuple. Tuples are unordered top to bottom because a relation is a mathematical set and not a list. Also, because tuples are based on tables that are mathematical sets, there cannot be duplicate tuples in a table. So, there needs to be something that can set all of the tuples apart, and this is referred to as the primary key. The primary key is an attribute or set of attributes that uniquely identifies a specific instance of an entity. Each table in a database must have a primary key that is unique to that table. It is chosen from among the candidate keys: any key that could be a primary key is called a candidate key. A candidate key is an attribute that is a unique identifier within a given relational table. One of the candidate keys is chosen to be the primary key, and the others can then be referred to as alternate keys.
Primary keys provide the addressing mechanism within the relational model. They are the only guaranteed method of referring to an individual tuple; therefore, they are fundamental to the operation of the overall relational model. There are some really important rules that need to be enforced for a relational table to work properly. For instance, because primary keys are so critical to the relational model, they cannot contain null values and cannot change or become null during the life of each entity. When the primary key of one relation, or table, is used as an attribute in another table, it is referred to as the foreign key in the other table.
The foreign key in a relational model is different from the primary key. The foreign key value represents a reference to an entry in some other table. In other words, the foreign key is a primary key in another table that is used to provide a relationship in another table. So, if a value in one table matches that of the primary key of some other table or relation, it is considered the foreign key. The link between the foreign and primary keys represents the relationships between tuples. Thus, the matches represent references and allow one table to be referenced to another table to link them together for analysis purposes. It can be said that the primary key and foreign key links are the binding factors that hold the database together.
Foreign keys also provide a method for maintaining referential integrity in the data and for navigating between different instances of an entity. Entity integrity and referential integrity are important considerations in relational database environments. These integrity rules will be discussed next.

Integrity Constraints in Relational Databases
PPT: Integrity Constraints in Relational Databases. Explain entity and referential integrity requirements in a relational DBMS.
In relational database technology, the database needs to be able to provide integrity. The user’s applications may carry out many operations on the data retrieved from the database, but the DBMS is only concerned with the data that is read from or written to the database itself. This is called the transaction. Users can submit transactions against the database and view each transaction as occurring by itself. Concurrency is said to occur when the DBMS properly coordinates the actions, reads, and writes of database objects across the various transactions. For integrity and concurrency to be secure, each transaction that is applied against the database must leave the database in a consistent state.
The DBMS simply stores the data after a transaction; that is, it does not understand how an operation on data occurs. A transaction might commit after completing all its actions, or it could abort or be aborted by the DBMS after executing some actions. A very important property guaranteed by the DBMS for all transactions is that they are atomic. Atomicity simply means that if a transaction requires a number of steps to execute properly, all of the steps need to be executed properly or none of them will execute. In other words, as some people say, “either all or none.” To help with concurrency, the DBMS logs all actions so that, if needed, it can undo the actions of aborted transactions. Problems related to this may occur if several users who are attempting to query data from the database interfere with each other’s requests.
As we mentioned earlier, there are two integrity rules of the relational model that are very important to always address and ensure. These are entity integrity and referential integrity. The two rules apply to every relational model and focus on the primary and foreign keys as described earlier.
Entity integrity means that the tuple must have a unique and non-null value in the primary key. This guarantees that the tuple is uniquely identified by the primary key value.
Referential integrity states that for any foreign key value, the referenced relation must have a tuple with the same value for its primary key. In other words, for every foreign key value, there must be a valid relation back to a primary key somewhere else in another table. Essentially, every table relation, or join, must be accomplished by having a proper relationship in another table. Each table participating in a join with another table must demonstrate entity integrity, and the referenced relation must have a similar primary key and foreign key relationship. Another example of the loss of referential integrity is to assign a tuple to a nonexistent attribute. If this occurs, the tuple could not be referenced, and with no attribute, it would be impossible to know what it represented. This would mean there is no referential integrity.
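The two integrity rules described above are easiest to understand by watching a DBMS enforce them. The following is an example added for this discussion, not code from the (ISC)² guide or any product: it uses Python’s standard sqlite3 module with a constructed department/employee schema. The table and column names (department, employee, dept_code, emp_id) are assumptions for the example. Two SQLite specifics are made explicit in the schema: foreign-key checking must be switched on with a pragma, and a non-integer PRIMARY KEY must also be declared NOT NULL for the null-key rejection to occur.

```python
import sqlite3


def build_db():
    """Create an in-memory database whose schema enforces both integrity rules.

    Constructed for this example: 'department' keyed by a department code and
    'employee' whose dept_code column is a foreign key back to it. SQLite only
    checks FOREIGN KEY constraints when the pragma below is on, and it allows
    NULL in a non-integer PRIMARY KEY unless NOT NULL is spelled out.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(
        """
        CREATE TABLE department (
            dept_code TEXT NOT NULL PRIMARY KEY,   -- entity integrity: unique and non-null
            name      TEXT NOT NULL UNIQUE         -- an alternate (candidate) key
        );
        CREATE TABLE employee (
            emp_id    INTEGER PRIMARY KEY,
            surname   TEXT NOT NULL,
            dept_code TEXT NOT NULL REFERENCES department(dept_code)  -- foreign key
        );
        INSERT INTO department VALUES ('SEC', 'Security'), ('DEV', 'Development');
        INSERT INTO employee VALUES (1, 'Lovelace', 'SEC');
        """
    )
    return conn


def attempt(conn, sql, params):
    """Run one data change as its own transaction and report the DBMS verdict.

    A constraint violation raises sqlite3.IntegrityError; the 'with conn' block
    then rolls the statement back, so a rejected change leaves no trace.
    """
    try:
        with conn:
            conn.execute(sql, params)
        return "accepted"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def integrity_demo():
    """Exercise entity and referential integrity and return each outcome."""
    conn = build_db()
    results = {
        # entity integrity: a primary key may be neither NULL nor duplicated
        "null_pk": attempt(conn, "INSERT INTO department VALUES (?, ?)", (None, "HR")),
        "dup_pk": attempt(conn, "INSERT INTO department VALUES (?, ?)", ("SEC", "Dup")),
        # referential integrity: a foreign key must point at an existing primary key ...
        "dangling_fk": attempt(conn, "INSERT INTO employee VALUES (?, ?, ?)", (2, "Turing", "HR")),
        # ... and a referenced row cannot be removed while something still points at it
        "delete_parent": attempt(conn, "DELETE FROM department WHERE dept_code = ?", ("SEC",)),
        # a well-formed change is accepted
        "valid_fk": attempt(conn, "INSERT INTO employee VALUES (?, ?, ?)", (2, "Turing", "DEV")),
    }
    results["employee_count"] = conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]
    conn.close()
    return results


if __name__ == "__main__":
    for check, outcome in integrity_demo().items():
        print(f"{check:15} {outcome}")
```

Each rejected statement is reported with the DBMS’s own constraint message, which is the kind of error an application must handle without leaking it to end users. The last check shows that a well-formed insert is unaffected: after the run the employee table holds exactly two rows.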

Structured Query Language (SQL)
PPT: Structured Query Language (SQL). Define SQL.
The relational model also contains several standardized languages. These languages can be used as tools to interface with databases. One such language is the Structured Query Language (SQL), which provides a way for users to issue commands against the database. An advantage of having a standard language is that organizations can switch between different database engine vendors’ systems without having to rewrite all of the application software already produced. Yet another benefit is that even though technologies may change, retraining users is not required, since they can still use SQL to issue commands.
These are the main components of a database using SQL:
• Schemas: Describe the structure of the database, including any access controls limiting how the users will view the information contained in the tables.
• Tables: The columns and rows of the data are contained in tables.
• Views: Define what information a user can view in the tables. The view can be customized so that an entire table may be visible, or a user may be limited to seeing just a row or a column. Views are created dynamically by the system for each user and provide access control granularity.
A view is a feature that allows for virtual tables in a database, and these virtual tables are created from one or more real tables in the database. A view is indeed like a window to a database. A view can be set up for each user, or group of users, on the system so that the user can then only view those virtual tables, as a view. Using views, access can be restricted so that only certain rows or columns are visible in the view for specific users based on their clearances. The value of views is to have control over what users can see.
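The following is an added example (not from the guide or any product) of the row- and column-level control that views provide. It builds a constructed project table in Python’s sqlite3 module and three views, one per clearance level, whose definitions filter rows by classification and omit the budget column; the view names, clearance labels, and the clearance-to-view mapping are assumptions for the example. A production DBMS would additionally GRANT the reporting account access to its view only and not to the base table; SQLite has no per-user grants, so that step is described rather than enforced here.

```python
import sqlite3

# Clearance labels, ascending sensitivity (constructed for this example).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET"]

# Fixed allow-list from clearance to the view that implements it. Because only these
# names can ever reach the query text, no user-supplied string is spliced into SQL.
VIEW_FOR_CLEARANCE = {
    "UNCLASSIFIED": "v_projects_unclassified",
    "CONFIDENTIAL": "v_projects_confidential",
    "SECRET": "v_projects_secret",
}


def build_db():
    """Base table plus three views; the views are all a reporting user would be granted."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE project (
            project_id     INTEGER PRIMARY KEY,
            name           TEXT NOT NULL,
            classification TEXT NOT NULL
                CHECK (classification IN ('UNCLASSIFIED', 'CONFIDENTIAL', 'SECRET')),
            budget         INTEGER NOT NULL      -- never exposed through the views
        );
        INSERT INTO project VALUES
            (1, 'Website refresh',        'UNCLASSIFIED',  40000),
            (2, 'Vendor risk review',     'CONFIDENTIAL', 120000),
            (3, 'Incident response plan', 'SECRET',       250000);

        -- Row filter (classification) and column filter (no budget) in one definition.
        CREATE VIEW v_projects_unclassified AS
            SELECT project_id, name, classification FROM project
            WHERE classification IN ('UNCLASSIFIED');
        CREATE VIEW v_projects_confidential AS
            SELECT project_id, name, classification FROM project
            WHERE classification IN ('UNCLASSIFIED', 'CONFIDENTIAL');
        CREATE VIEW v_projects_secret AS
            SELECT project_id, name, classification FROM project
            WHERE classification IN ('UNCLASSIFIED', 'CONFIDENTIAL', 'SECRET');
        """
    )
    return conn


def visible_projects(conn, clearance):
    """Project names a user with the given clearance sees through their view."""
    view = VIEW_FOR_CLEARANCE[clearance]   # KeyError for an unknown clearance
    rows = conn.execute(f"SELECT name FROM {view} ORDER BY project_id")
    return [name for (name,) in rows]


def budget_hidden(conn, clearance):
    """True when the view rejects a request for the budget column: it does not exist there."""
    view = VIEW_FOR_CLEARANCE[clearance]
    try:
        conn.execute(f"SELECT budget FROM {view}")
        return False
    except sqlite3.OperationalError:
        return True


def view_is_live(conn):
    """Views are windows, not copies: a new base-table row appears in the view at once."""
    before = visible_projects(conn, "UNCLASSIFIED")
    conn.execute("INSERT INTO project VALUES (4, 'Security awareness', 'UNCLASSIFIED', 15000)")
    after = visible_projects(conn, "UNCLASSIFIED")
    return len(after) == len(before) + 1


if __name__ == "__main__":
    db = build_db()
    for level in LEVELS:
        print(level, visible_projects(db, level), "budget hidden:", budget_hidden(db, level))
```

The allow-list dictionary is the point worth copying: the view name is the only dynamic part of the query, and it can only take one of three values fixed in code, so the access decision is made by the view definition in the database rather than by string handling in the application.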

SQL Sublanguages
PPT: SQL Sublanguages. Define SQL sublanguages.
SQL actually consists of these three sublanguages:
• The Data Definition Language (DDL) is used to create databases, tables, views, and keys specifying the links between tables. Because it is administrative in nature, users of SQL rarely use DDL commands, as they should be restricted to database administrators.
• DDL also has nothing to do with the population of the database, which is accomplished by the Data Manipulation Language (DML), used to query and extract data, insert new records, delete old records, and update existing records.
• System and database administrators utilize the Data Control Language (DCL) to control access to data. It provides the security control aspects of SQL and should be the security professional’s area of concern.
These are some of the DCL commands:
• COMMIT: Saves work that has been done
• SAVEPOINT: Identifies a location in a transaction to which you can later roll back, if required
• ROLLBACK: Restores the database to its state at the last COMMIT
• SET TRANSACTION: Changes transaction options such as what rollback segment to use
There are other scripting and query languages for organizations to use that are similar to the above, to allow the creation of database interface applications that rely on an underlying database engine for function.
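The COMMIT, SAVEPOINT and ROLLBACK commands listed above, together with the atomicity and rollback-recovery behaviour described under Integrity Constraints and Database Models, can be exercised end to end on a small ledger. This is an added example written for this guide’s discussion and is not code from the (ISC)² guide or any vendor: it uses Python’s sqlite3 module with a constructed account table (names alice and bob are invented), and opens the connection with isolation_level=None so that the transaction statements are issued as literal SQL rather than managed by the driver.

```python
import sqlite3


def new_ledger():
    """In-memory ledger (constructed for this example).

    isolation_level=None disables the sqlite3 module's implicit transactions, so
    BEGIN / COMMIT / ROLLBACK / SAVEPOINT below are issued as SQL statements.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(
        """
        CREATE TABLE account (
            acct    TEXT NOT NULL PRIMARY KEY,
            balance INTEGER NOT NULL CHECK (balance >= 0)   -- integrity rule: no overdrafts
        );
        INSERT INTO account VALUES ('alice', 100), ('bob', 50);
        """
    )
    return conn


def balances(conn):
    """Current balances as a dict, for inspection after each step."""
    return dict(conn.execute("SELECT acct, balance FROM account ORDER BY acct"))


def transfer(conn, src, dst, amount):
    """Move 'amount' from src to dst as one atomic unit: both updates commit or neither does."""
    conn.execute("BEGIN")
    try:
        conn.execute("UPDATE account SET balance = balance + ? WHERE acct = ?", (amount, dst))
        # The debit is the step that can fail: the CHECK constraint rejects a negative balance.
        conn.execute("UPDATE account SET balance = balance - ? WHERE acct = ?", (amount, src))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")   # undo the credit already applied; state is as at last COMMIT
        return False


def apply_credits(conn, entries):
    """Apply a batch of (acct, amount) adjustments inside one transaction.

    A SAVEPOINT before each entry lets one bad entry be undone on its own with
    ROLLBACK TO, while the good entries before and after it are committed together.
    """
    applied = []
    conn.execute("BEGIN")
    for acct, amount in entries:
        conn.execute("SAVEPOINT entry")
        try:
            conn.execute("UPDATE account SET balance = balance + ? WHERE acct = ?", (amount, acct))
            applied.append(acct)
        except sqlite3.IntegrityError:
            conn.execute("ROLLBACK TO SAVEPOINT entry")   # discard only this entry's change
        conn.execute("RELEASE SAVEPOINT entry")          # savepoint no longer needed either way
    conn.execute("COMMIT")
    return applied


def ledger_demo():
    """Run the three scenarios and return what the database looked like after each."""
    conn = new_ledger()
    out = {}
    out["ok_transfer"] = transfer(conn, "alice", "bob", 30)        # alice 70, bob 80
    out["after_ok"] = balances(conn)
    out["overdraft"] = transfer(conn, "bob", "alice", 500)         # rejected; nothing changes
    out["after_overdraft"] = balances(conn)
    out["applied"] = apply_credits(conn, [("alice", 25), ("bob", -500), ("bob", 10)])
    out["after_batch"] = balances(conn)                            # alice 95, bob 90
    conn.close()
    return out


if __name__ == "__main__":
    for step, value in ledger_demo().items():
        print(f"{step:16} {value}")
```

The overdraft case is the “all or none” rule made visible: the credit to alice has already been written when the debit fails, and only the ROLLBACK returns the ledger to its last committed state. The batch case shows why SAVEPOINT exists: a single invalid entry is backed out without abandoning the rest of the work in the transaction.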

Object-Oriented (OO) Database Model
PPT: Object-Oriented (OO) Database Model. Define object-oriented (OO) DBMS models.
The object-oriented (OO) database model is one of the newest database models. It is very similar to OOP languages, and as such, the OO database model stores data as objects. The objects are a collection of public and private data elements and the set of operations that can be executed on those data elements. Because the data objects contain their own operations, any call to data potentially has the full range of database functions available and therefore must be secured properly. Because objects are the driver in this model, the OO model does not necessarily require a high-level language, such as SQL, because the functions are contained within the objects themselves. An advantage of not having a query language is that it allows the OO DBMS to interact with applications without the language overhead. There is no need for a language in between.
A natural evolution of the above DBMS models has seen relational models being used together with OO functions and interfaces to create what is called an object-relational model. This is basically a hybrid model, taking the advantages of each, relational and OO. The hybrid model allows organizations to maintain their current relational database software and, at the same time, provides an upgrade path for future technologies by supporting the OO capabilities.
Define object-oriented
Activity: Database Model Review
PPT: Activity: Database Model Review (2 slides). Introduce the activity for DBMS review.
INSTRUCTIONS: Match the database model with the correct description.
a. Hierarchical Database Model
b. Network Database Management Model
c. Relational Database Management Model
d. Object-Oriented Database Model

1. Stores data in a series of records that have field values attached. It collects all the instances of a specific record together as a record type.
2. Allows data to be structured in a series of tables that have columns representing the variables and rows that contain specific instances of data.
3. One of the most recent database models.
4. Represents data in the form of a network of records and sets that are related to each other, forming a network of links.

PPT: Activity: Database Model Review – Answers. Explain the answers to the activity.
Answers:
1. a
2. c
3. d
4. b

Database Interface Languages
PPT: Database Interface Languages. Define database interface languages.
The existence of legacy databases has proven a difficult challenge for managing new database access requirements. To provide an interface that combines newer systems and the legacy systems that are still being used by many organizations, several standardized access methods have evolved. These are referred to as database interface languages, and some of them include the following:
• Open Database Connectivity (ODBC)
• Java Database Connectivity (JDBC)
• Extensible Markup Language (XML)
• Object Linking and Embedding Database (OLE DB)
• ActiveX Data Objects (ADO)
The purpose of all of these languages is to provide a gateway to the data contained in the legacy systems as well as the newer database systems.

Open Database Connectivity (ODBC)
ODBC is considered to be the dominant means of standardized data access. It was developed and is maintained by Microsoft, and most database vendors use it as an interface method to allow an application to communicate with a database either locally or remotely over a network. It is really considered to be an API that is used to provide a connection between applications and databases. It was designed so that databases could connect without having to use specific database commands and features. It acts as the middle component that facilitates access between applications and databases.
ODBC commands are used in application programs and are then translated into the commands required by the specific database system. This allows programs to be linked to any DBMS with a minimum of code changes. It allows users to specify which database is being used and can be easily updated as new database technologies enter the market. ODBC is considered to be a very powerful tool. However, because it needs to operate as a system entity, it has vulnerabilities that can be exploited. The following is a discussion of some of the ODBC security issues.

ODBC Security Issues
• The username and password for the database are stored in plaintext. To prevent disclosure of this information, the files need to be protected. For example, if an HTML document were calling an ODBC data source, the HTML source must be protected to ensure that the username and password in plaintext cannot be read.
• The HTML should call a common gateway interface (CGI) that has the authentication details, because HTML can be viewed in a browser.
• The returned data is sent as clear text over the network.
• Verification of the access level of the user using the ODBC application may be inadequate in some cases.
• Calling applications must be checked to ensure they do not attempt to combine data from multiple data sources, thus allowing data aggregation that may lead to unauthorized inference.
• Every calling application or API must be checked properly to ensure it does not attempt to exploit the ODBC drivers and somehow gain elevated system access.
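The first two issues above (plaintext credentials in files that a browser can read, and the advice to keep the authentication details server-side) lend themselves to a review check. The following is an added example, not code from the (ISC)² guide or from Microsoft: a small parser for the ODBC key=value;key=value connection-string syntax (brace-quoted values honoured), a scanner that reports any such string in a page or script that carries a PWD or Password attribute, a redaction helper for safe reporting, and a server-side builder that takes the credentials from environment variables instead. The sample HTML is constructed for the example, and the environment variable names DB_USER and DB_PASSWORD are hypothetical.

```python
import os
import re

# Attribute keys that carry a secret in an ODBC connection string (compared case-insensitively).
SECRET_KEYS = {"pwd", "password"}

# Where a connection string is likely to begin inside arbitrary text (HTML, script, config).
CANDIDATE_RE = re.compile(r"(?:DSN|DRIVER|PROVIDER)\s*=[^\"'\n]*", re.IGNORECASE)

# A secret attribute and its value, whether or not the value is brace-quoted.
SECRET_VALUE_RE = re.compile(r"\b(pwd|password)\s*=\s*(\{[^}]*\}|[^;]*)", re.IGNORECASE)

# Constructed sample, not from any real system: a legacy page that wires its ODBC data
# source into client-visible script, plus a server-side string with a brace-quoted password.
SAMPLE_HTML = """\
<html><body>
<!-- constructed sample for this example -->
<script>
  var cs = "DSN=Payroll;UID=report_user;PWD=S3cr3t!;";
</script>
<p>Driver={SQL Server};Server=db01;Database=hr;Uid=app;Pwd={p;w=x};</p>
</body></html>
"""


def parse_connection_string(text):
    """Split 'key=value;key=value' into a dict with lower-cased keys.

    A value wrapped in braces may itself contain ';' or '=', so the closing brace
    is located before the next separator is looked for.
    """
    attrs = {}
    i, n = 0, len(text)
    while i < n:
        eq = text.find("=", i)
        if eq < 0:
            break
        key = text[i:eq].strip().lower()
        i = eq + 1
        if i < n and text[i] == "{":
            close = text.find("}", i)
            close = n if close < 0 else close
            value = text[i + 1:close]
            i = close + 1
        else:
            semi = text.find(";", i)
            semi = n if semi < 0 else semi
            value = text[i:semi].strip()
            i = semi
        semi = text.find(";", i)          # step past the terminating ';' if there is one
        i = n if semi < 0 else semi + 1
        if key:
            attrs[key] = value
    return attrs


def redact(conn_str):
    """Mask secret values so a connection string can be logged or reported safely."""
    return SECRET_VALUE_RE.sub(lambda m: f"{m.group(1)}=***", conn_str)


def find_plaintext_credentials(text):
    """Report connection strings in text that embed a password.

    Returns one (line_number, [secret keys present], redacted string) per finding.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE_RE.finditer(line):
            attrs = parse_connection_string(match.group(0))
            leaked = sorted(k for k in attrs if k in SECRET_KEYS and attrs[k])
            if leaked:
                findings.append((lineno, leaked, redact(match.group(0))))
    return findings


def connection_string_from_env(dsn, env=None):
    """Build the string server-side from environment variables (hypothetical names
    DB_USER / DB_PASSWORD) so no credential is written into a page or script.
    The password is brace-quoted so characters such as ';' survive parsing."""
    env = os.environ if env is None else env
    return f"DSN={dsn};UID={env['DB_USER']};PWD={{{env['DB_PASSWORD']}}};"


if __name__ == "__main__":
    for lineno, keys, shown in find_plaintext_credentials(SAMPLE_HTML):
        print(f"line {lineno}: embedded {keys} in {shown}")
```

Run over a web root or a source tree, the scanner points at every file that would have to be protected under the first bullet; the redacted output can go into a review ticket without copying the password into yet another place. The builder shows the alternative the second bullet recommends: the page never contains the credential, because the server-side component assembles the connection string at run time.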

Java Database Connectivity (JDBC)
As we have seen above, ODBC is Microsoft’s answer to providing an interface between applications and the database environment. JDBC is Sun Microsystems’ technology. It is an API used to connect Java programs to database environments. It is used to connect a Java program to a database either directly or by connecting through ODBC, depending on whether the database vendor has created the necessary drivers for Java.
Regardless of the interface used to connect the user to the database, there are some very important security controls to consider in this environment. These include how and where the user will be authenticated, controlling user access properly, and auditing user actions to provide accountability. As security is very important in these environments, Java has a number of capabilities oriented toward security, but these must be deliberately and properly implemented to secure the database calls and applications.

Extensible Markup Language (XML)


XML is referred to as a markup language that is used to store and
transport data across networks. Much like HTML, it is widely used
across the internet to represent data structures used in web
services. XML can also be used to make database calls as it is used
to store and transport data, and as such, XML applications must be
reviewed for how authentication of users is established, access
controls are implemented, auditing of user actions is implemented
and stored, and confidentiality of sensitive data is maintained.

Object Linking and Embedding Database (OLE DB)
Object Linking and Embedding (OLE) is a Microsoft technology that allows an object, such as an Excel spreadsheet, to be embedded in or linked to the inside of another object, such as a Word document. This capability makes OLE very flexible in making data calls. The Component Object Model (COM) is the protocol that allows OLE to work properly. OLE allows users to share a single source of data for a particular object. The document contains the name of the file containing the data, along with a picture of the data. The way OLE works is that when the source is updated, all the documents using the data are also updated.
As part of the OLE technology, there is something called OLE DB, which is an interface language designed by Microsoft to link data across various DBMSs. It is an open specification that is designed to build on the success of ODBC by providing an open standard for accessing all kinds of data across different environments. It enables organizations to easily take advantage of information contained not only in data within a database environment, but also when accessing data from other types of data sources.
The OLE DB interfaces are based on COM, and as such, they provide applications with uniform access to data regardless of the information source. OLE DB separates the data into components that can run as middleware on a client or server across a wide variety of applications. The OLE DB architecture provides for components such as direct data access interfaces, query engines, cursor engines, optimizers, business rules, and transaction managers.
As with any powerful interface language, when organizations are developing databases and determining how data may be linked through the applications accessing those databases, security must be addressed during the development stage. If OLE DB is considered, there are optional OLE DB interfaces that can be implemented to support the administration of security information. OLE DB interfaces allow for authentication and authorization for access to data among components and applications. OLE DB can also provide a clear view of the security mechanisms that are supported by the operating system and the database components.

Activity: Database Interface Languages Review
PPT: Activity: Database Interface Languages Review. Introduce the activity for interface languages.
INSTRUCTIONS
Answer the following questions.
1. What is a markup language?
2. What is Object Linking and Embedding (OLE)?
3. What is the protocol that allows OLE to work?
4. What is JDBC?

PPT: Activity: Database Interface Languages Review – Answers. Explain the answers to the activity.
Answers:
1. A system of symbols and rules to identify structures (format) in a document.
2. A Microsoft technology that allows an object, such as an Excel spreadsheet, to be embedded in or linked to the inside of another object, such as a Word document.
3. The Component Object Model (COM).
4. An API from Sun Microsystems used to connect Java programs to databases.

Accessing Databases through the Internet
Many database developers today will support the use of the internet and corporate intranets to allow users, through interface technologies, to access centralized back-end servers that contain data.

Application Programming Interfaces (APIs)
PPT: Application Programming Interfaces (APIs). Explain issues related to the security of APIs.
There are several types of APIs that can be used to connect end-user applications to the back-end databases stored on servers. There are several security issues related to API technologies and capabilities that the security professional must be aware of. These potential vulnerabilities need to be addressed through authentication of users, authorization of users, encryption and protection of the data from unauthorized entry, accountability and auditing, and availability and redundancy of current data.

Tiered Application Approach


One approach for internet access is to create a tiered application
approach that manages data in layers. This approach dictates that there
can be any number of layers; however, the most typical and most
commonly used architecture is to use a three-tier approach as follows:
• Presentation layer
• Business logic layer
• Data layer

This is sometimes referred to as the internet computing model because the browser is used to connect to an application server that then connects to a database and allows data to be accessed. From a security perspective, the implementation of this tiered approach needs attention. The tier approach can add to security because the users do not connect directly to the data. Instead, they connect to a middle layer, the business logic layer, which connects directly to the database on behalf of the users. In this model, the middle tier can provide relevant security. There is a bad side of this as well; if the database provides security features, they may be lost in the translation through the middle layer. So, when looking at providing security, it is important to analyze not only how the security features are implemented, but also where they are implemented and how the configuration of the application with the back-end database affects the overall security features. As always, additional security considerations should focus on user authentication, user access control, auditing of user actions, protecting data as it travels between the tiers, managing identities across the tiers, scalability of the system, and setting the proper privileges for the different tiers.

Module 3: Security Controls in Development Environments 701

Official (ISC)2 CISSP Training Guide

ActiveX Data Objects (ADO)

ADO is a Microsoft high-level interface for all kinds of data. It can be used to create a front-end database client or a middle-tier business object using an application, tool, or internet browser. This tool is very valuable to developers because they can simplify the development of OLE DB by using ADO. Objects can be the building blocks of Java, JavaScript, Visual Basic, and other object-oriented languages. By using common and reusable data access components (COM), different applications can access all data regardless of data location or data format. ADO is very flexible as it can support typical client/server applications, HTML tables, spreadsheets, and mail engine information. Many security professionals are concerned about the use of ADO because there are no configurable restrictions on its access to the underlying system. But, as a mitigation to this, newer browsers implement sandboxing and stronger ActiveX controls to address this vulnerability.

Metadata
Metadata is defined as information that describes other information.
Literally, people will define metadata as “data about the data.” As such,
metadata can provide a systematic method for describing resources and
improving the retrieval of information. The objective is to help users search
through a wide range of sources with better precision so that those data
objects can be accessed more efficiently. It includes the data associated
with either an information system or an information object for the purposes
of description, administration, legal requirements, technical functionality,
usage, and preservation. Metadata is considered the key component for
using and capitalizing on a data warehouse.

Metadata is useful because it provides the following:
• Valuable information about the unseen relationships between data
• The ability to correlate data that was previously considered unrelated
• The keys to unlocking critical or highly important data inside the data warehouse

Note that the data warehouse is usually at the highest classification or categorization level possible. However, users of the metadata are usually not at that level, and therefore, any data that should not be publicly available must be removed from the metadata. Generally, this involves abstracting the correlations but not the underlying data that the correlations came from.

Data contained in a data warehouse is typically accessed through front-end analysis tools such as online analytical processing (OLAP), data mining, or knowledge discovery in databases (KDD) methods.

Online Analytical Processing (OLAP)


OLAP technologies provide an analyst with the ability to formulate
queries and, based on the outcome of the queries, define further
queries. The analyst can then collect information by roaming
through the data. The collected information is then presented to
management. To support the best decision-making capability
possible in organizations, the data analyst should possess in-depth
knowledge of the organization. Here is an example. Suppose a retail
chain has several locations that locally capture product sales
information. If management decided to review data
on a specific promotional item without a data warehouse, there
would be no easy method of capturing sales for all stores on the
one item. However, a data warehouse could effectively combine
the data from each store into one central repository. That central
repository now can be analyzed to provide all kinds of meaningful
information that should drive business decisions.
In addition to OLAP, data mining is another tool for discovering
information in data warehouses by running queries against the data
contained within the database. Data mining is a decision-making
technique allowing the analysis of information that is based on a
series of analytical techniques taken from the fields of mathematics,
statistics, cybernetics, and even genetics. The techniques can be
used separately or in combination to uncover information from data
warehouses. Data mining is used to reveal hidden relationships,

patterns, correlations, and trends in the data warehouse, which is a large repository purposely set up for data mining.
There can be many advantages to using data-mining techniques in driving business intelligence. However, there may be some disadvantages, especially related to security. The ability to mine data about individuals may possibly lead to privacy issues. The danger increases when private information may be stored on the web or an unprotected area of the network and thus becomes available to unauthorized users. In addition, the integrity of the data may be at risk as well. Because a large amount of data must be collected, transformed, and loaded, the chance of errors through human data entry and processing may result in inaccurate relationships or patterns. These errors are sometimes referred to as data contamination.
One possibly positive security element of data mining is to use the same mining tools to review audit logs to determine intelligence related to events and incidents. Because audit logs may contain many entries, data-mining tools can help to discover abnormal events by drilling down into the data for specific trends or unusual behaviors. Security professionals and stakeholders may be able to use data-mining tools to mine security intelligence to drive better controls and address vulnerabilities in a more efficient and cost-effective way.
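As an added illustration of the audit-log use just described (example code, not from the training guide), the following Python drills into a small constructed audit log for two kinds of unusual behavior: bursts of failed log-ins by one user and activity outside business hours. The log format, user names and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not taken from any real system). One event per
# line: ISO timestamp, user, action, outcome.
SAMPLE_LOG = """\
2024-03-01T08:01:12 alice LOGIN SUCCESS
2024-03-01T08:03:40 bob LOGIN SUCCESS
2024-03-01T08:05:02 carol LOGIN FAILURE
2024-03-01T08:05:09 carol LOGIN SUCCESS
2024-03-01T08:10:55 dave LOGIN FAILURE
2024-03-01T08:11:03 dave LOGIN FAILURE
2024-03-01T08:11:10 dave LOGIN FAILURE
2024-03-01T08:11:18 dave LOGIN FAILURE
2024-03-01T08:11:25 dave LOGIN FAILURE
2024-03-01T08:11:33 dave LOGIN FAILURE
2024-03-01T09:00:00 alice QUERY SUCCESS
2024-03-01T09:02:14 bob LOGIN FAILURE
2024-03-01T23:45:10 erin LOGIN SUCCESS
2024-03-01T23:46:00 erin EXPORT SUCCESS
"""


def parse_log(text):
    """Turn raw log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, outcome = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "outcome": outcome})
    return events


def burst_failures(events, min_failures=5, window_seconds=60):
    """Drill down per user: flag anyone with at least `min_failures` failed
    actions inside any `window_seconds` window. Returns {user: burst size}."""
    by_user = defaultdict(list)
    for e in events:
        if e["outcome"] == "FAILURE":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until the span fits in the window.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            size = end - start + 1
            if size >= min_failures:
                flagged[user] = max(size, flagged.get(user, 0))
    return flagged


def off_hours_activity(events, business_start=7, business_end=19):
    """Trend check: successful actions outside the business-hours window."""
    return [(e["user"], e["action"], e["ts"].isoformat()) for e in events
            if e["outcome"] == "SUCCESS"
            and not business_start <= e["ts"].hour < business_end]


def review(text):
    """Run both checks over a log and return the findings in one place."""
    events = parse_log(text)
    return {"events": len(events),
            "bursts": burst_failures(events),
            "off_hours": off_hours_activity(events)}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```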

Activity: Database Vulnerabilities and Threats


One of the primary concerns related to any database environment is
the confidentiality of sensitive information. As with any other valuable
asset, we also need to be concerned with availability and integrity
controls. Especially with databases, integrity and accuracy of the
content is very important.

INSTRUCTIONS
Working with a partner, review your assigned threats and prepare to
explain them to the rest of the class.
• Aggregation and inference: The ability to combine non-sensitive
data from separate sources to create sensitive information is
referred to as aggregation. For example, a user takes two or more
unclassified pieces of data and combines them to form a classified
piece of data that then becomes unauthorized for that user. The
combined data sensitivity can be greater than the classification
of individual parts. Being able to aggregate information may lead
to inference possibilities. Inference is the ability to deduce more
sensitive information than you should be allowed.

• Bypass attacks: Users attempt to bypass controls at the front end of the database application to access information. If the query engine contains security controls, the engine may have complete access to the information, and as a result users may try to bypass the query engine and directly access and manipulate the data.
• Compromising database views used for access control: A database view restricts the data a user can see or request from a database. One of the threats is that users may try to access restricted views or modify an existing view with certain capabilities they may have. Another problem with view-based access control is the difficulty in verifying how the software performs the view processing. Because all objects must have a security label identifying the sensitivity of the information in the database, the software used to classify the information must also have a mechanism to verify the sensitivity of the information. Combining this with a query language adds even more complexity and possible security problems. Also, a database view typically just limits the data the user sees; it does not limit the operations that may be performed on the views. An additional problem is that the layered model frequently used in database interface design may provide multiple alternative routes to the same data, not all of which may be protected. A given user may be able to access information through the view provided, through a direct query to the database itself, or even via direct system access to the underlying data files. Also, any standard views set up for security controls must be carefully prepared in terms of the granularity of the control. Views can be very granular and able to restrict access to information down to a field and even to a specific content-based restriction level. Modifications to these regulations can significantly change the degree of possible access material provided through the view.
• Concurrency: When processes and actions run at the same time, they are said to be concurrent. Systems and architectures need to be able to provide a way to avoid concurrency problems such as a concurrent process using old data, updates that are inconsistent, or having what is called a deadlock occur (described below).
• Data contamination: The corruption of data integrity by input data errors or erroneous or inconsistent processing. This can occur in any environment including files, reports, or database environments.
• Deadlocking: Occurs when two processes try to access the information at the same exact time and both are denied. In a database environment, deadlocking occurs when two concurrent processes have locks on separate objects and each process is trying to gain a lock on the object that the other process has already locked. People often refer to this condition as a “deadly embrace.” A typical fix to this is that the database should end the deadlock by automatically choosing and aborting one of the concurrent processes, allowing the other process to continue. Recognizing the situation, however, may not be that easy. But if it is recognized, at this point, the aborted transaction needs to be rolled back and an error message is sent to the user of the aborted process. Typically, the transaction that requires the least amount of overhead to roll back is the transaction that should be chosen to be aborted. Deadlocking can be viewed as an issue related to concurrency.
• Denial of service (DoS): Any type of attack or actions that could prevent authorized users from gaining access to the information, or prevents a process or system from doing what it is supposed to. Often this can happen through a poorly designed application or query that locks up database tables and requires intensive processing, such as a table scan where every row in the table must be examined to return the requested data to the calling application. This can be partially prevented by limiting the number of rows of data returned from any one query.
• Improper modification of information: Authorized or unauthorized users may intentionally or accidentally modify information incorrectly. As this is an issue related to accuracy, it is associated with integrity. Proper integrity controls would need to be implemented correctly to prevent improper modification of database content.
• Inference: The ability to deduce or infer sensitive or restricted information from observing other available information. Essentially, users may be able to determine unauthorized information from what information they can access and see. For example, if a user is reviewing authorized information about patients, such as the medications they have been prescribed, the user may be able to determine the illness. Inference is very difficult to protect against.
• Interception of data: If remote access is allowed to access database environments, the threat of interception of the session and modification of the data in transit must be controlled. Depending on the security of the remote access being used and whether the channels are secure and encrypted, this threat may be mitigated.
• Query attacks: Users try to use query tools to access data not normally allowed by the trusted front end, including the views controlled by the query application. Malformed queries using SQL in such a way as to bypass security controls may be possible as well. There are many other examples of where improper or incomplete checks on queries can be used in a similar way to bypass access controls.
• Server access: The server where the database resides must be protected from unauthorized physical and logical access to prevent the disabling or changing of logical and technical controls.
• TOCTOU: TOCTOU (time-of-check to time-of-use) can also occur in database environments. An example is when some type of malicious code or privileged access could change data between the time that a user’s query was approved and the actual time the data is displayed to the user.
• Web security: Many database environments allow access to data through web technologies. Static web pages (HTML or XML files) are methods of displaying data stored on a server to the user’s browser. One method is when an application queries information from the database and the HTML page displays the data. Another is through dynamic web pages that are stored on the web server with a template for the query and HTML display code, but no actual data is stored. When the web page is accessed, the query is dynamically created and executed and the information is displayed within the HTML display. If the source for the page is viewed, all information, including sensitive data, may be visible at this point. Providing security control includes measures for protecting against unauthorized access during the log-in process, protecting the information while it is transferred from the server to the web server, and protecting the information from being stored on or downloaded to the user’s browser.
• Unauthorized access: Allowing the release of information either intentionally or accidentally to unauthorized users. Examples may include error messages or system prompts that provide the unauthorized user with information about the nature or function of the system.
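The bypass and view threats in the list above can be seen in a few lines of SQL. The following Python/SQLite block is an added example, not from the training guide: a constructed patients table, a view that hides the diagnosis column and limits rows to one ward, and SQLite's authorizer hook standing in for the trusted front end that refuses direct queries against the base table. The table, view name and data are constructed.

```python
import sqlite3

VIEW_NAME = "ward_a_view"  # constructed view name for this example


def build_db():
    """Constructed sample data: base table plus a row- and column-restricted view."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE patients (
            patient_id INTEGER PRIMARY KEY,
            name       TEXT NOT NULL,
            ward       TEXT NOT NULL,
            medication TEXT,
            diagnosis  TEXT
        );
        INSERT INTO patients VALUES (1, 'Patient One',   'A', 'med-x', 'diagnosis-1');
        INSERT INTO patients VALUES (2, 'Patient Two',   'A', 'med-y', 'diagnosis-2');
        INSERT INTO patients VALUES (3, 'Patient Three', 'B', 'med-z', 'diagnosis-3');
        -- Column restriction (no diagnosis) and row restriction (ward A only).
        CREATE VIEW {VIEW_NAME} AS
            SELECT patient_id, name, medication FROM patients WHERE ward = 'A';
    """)
    return conn


def install_trusted_front_end(conn, allowed_views):
    """Use the DBMS authorizer hook as the trusted front end: a read of the
    base table is allowed only when it originates inside an allowed view."""
    def authorizer(action, table, column, db_name, inner_view):
        if action == sqlite3.SQLITE_READ and table == "patients":
            if inner_view in allowed_views:
                return sqlite3.SQLITE_OK
            return sqlite3.SQLITE_DENY      # direct access to the base table
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def run_query(conn, sql):
    """Return the rows, or 'DENIED' if the authorizer rejected the statement."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return "DENIED"


def without_front_end():
    """The view alone only narrows what is seen; the base table is still open."""
    conn = build_db()
    return {"via_view": run_query(conn, f"SELECT * FROM {VIEW_NAME}"),
            "direct": run_query(conn, "SELECT name, diagnosis FROM patients")}


def with_front_end():
    """Same two queries once direct reads of the base table are refused."""
    conn = build_db()
    install_trusted_front_end(conn, {VIEW_NAME})
    return {"via_view": run_query(conn, f"SELECT * FROM {VIEW_NAME}"),
            "direct": run_query(conn, "SELECT name, diagnosis FROM patients")}


if __name__ == "__main__":
    print("no front end:", without_front_end())
    print("front end:   ", with_front_end())
```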

DBMS Controls

Database security is a very important issue to address. The challenge for security professionals, database administrators and owners, and other stakeholders is to retain control over the organization’s data and ensure business rules are consistently applied when information from databases is accessed or manipulated. The DBMS can provide security controls in a variety of ways to prevent unauthorized access and also to prevent authorized users from making improper modifications. To address these potential problems, including preventing unauthorized users from accessing the system, the DBMS should use identification, authentication, authorization, and accountability controls as part of well-implemented access controls. Most databases can have some type of log-on and password authentication mechanism that limits access to tables in the database based on the specific user’s account. This also requires specific permissions to be established, such as limiting the ability to read, write, update, query, and delete data in the database.
Lock Controls

The DBMS can control who is able to read and write data through the use of locks. Locks can be used for read and write access to specific rows of data in relational database systems or objects in object-oriented systems.
In database systems and environments, if two or more people wish to modify a piece of data at the same time, a deadlock may occur. As we’ve explained earlier, a deadlock may happen when two processes try to access the same resource. However, the resource cannot handle two requests simultaneously without causing integrity problems. As a result, the system may not be able to release the resource to either transaction, thereby refusing to process both of the transactions. To prevent a deadlock situation in which no one can access the data, the access controls lock part of the data so that only one user can access the data.
Lock controls can also be very granular so that locking can be accomplished by table, row, record, or even field. By using locks, only one user at a time can perform an action on the specific data element. Let’s use an example. Let’s say, in an airline reservation system, there are two requests to book the last remaining seat on a flight. If the database environment allowed more than one user or process to write information to a row at the same time, then both transactions could occur simultaneously and cause a problem. To prevent this, the DBMS takes both transactions and gives one transaction a write lock on the account. Once the first transaction has finished, it releases its lock and then the other transaction, which has been held in a queue, can acquire the lock and make its action or, in this example, be denied the action as a result of seats being no longer available.
These and some other related requirements in database environments are referred to as the ACID test, which represents the first letters of each

of these terms: atomicity, consistency, isolation, and durability. Let’s define these requirements:
• Atomicity: Is when all the steps in a transaction’s execution are either all committed or all rolled back. In other words, do it all or not at all. Essentially, either all changes take effect or none do. Atomicity ensures there are no incomplete or unfinished transactions in the system.
• Consistency: Occurs when the database is transformed from one valid state to another valid state. A transaction that is applied to a database is only allowed if it follows integrity constraints that will not affect the integrity of the database itself and its content. Illegal transactions are not allowed, and if an integrity constraint cannot be satisfied, the transaction is rolled back to its previously valid state, and the user is informed that the transaction has failed.
• Isolation: Is the process guaranteeing the results of a transaction are invisible to other transactions and users of the database environment until the transaction is completed successfully.
• Durability: Ensures the results of a completed transaction are permanent and can survive future system and media failures once it has been applied successfully. In other words, once they are done, they cannot be undone. This is similar to what is referred to as transaction persistence.
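The last-seat example from the lock controls discussion and the four ACID properties just defined can be exercised with SQLite from Python. This block is an added example, not from the training guide; the flight number, table layout and agent names are constructed. BEGIN IMMEDIATE takes the write lock up front, a CHECK constraint enforces consistency, a second agent observes isolation, and ROLLBACK shows atomicity.

```python
import os
import sqlite3
import tempfile

FLIGHT = "XY100"   # constructed flight number


def make_flight_db(path):
    """Constructed sample database: one flight with exactly one seat left."""
    conn = sqlite3.connect(path)
    conn.executescript(f"""
        CREATE TABLE flights (
            flight_no       TEXT PRIMARY KEY,
            seats_available INTEGER NOT NULL CHECK (seats_available >= 0)
        );
        CREATE TABLE bookings (
            booking_id INTEGER PRIMARY KEY,
            flight_no  TEXT NOT NULL,
            passenger  TEXT NOT NULL
        );
        INSERT INTO flights VALUES ('{FLIGHT}', 1);
    """)
    conn.close()


def connect(path):
    # isolation_level=None: transactions are managed explicitly below.
    # timeout=0: a locked database is reported at once instead of being retried.
    return sqlite3.connect(path, isolation_level=None, timeout=0)


def seats_left(conn, flight_no):
    return conn.execute("SELECT seats_available FROM flights WHERE flight_no = ?",
                        (flight_no,)).fetchone()[0]


def book_seat(conn, flight_no, passenger):
    """One booking transaction: returns 'BOOKED', 'SOLD_OUT' or 'LOCKED'."""
    try:
        # Take the write lock before reading, so two agents cannot both see
        # 'one seat left' and both decrement it (lock control).
        conn.execute("BEGIN IMMEDIATE")
    except sqlite3.OperationalError:
        return "LOCKED"        # another transaction holds the write lock
    try:
        conn.execute("INSERT INTO bookings (flight_no, passenger) VALUES (?, ?)",
                     (flight_no, passenger))
        # The CHECK constraint (consistency) refuses a negative seat count.
        conn.execute("UPDATE flights SET seats_available = seats_available - 1 "
                     "WHERE flight_no = ?", (flight_no,))
        conn.execute("COMMIT")  # durability: both changes are now permanent
        return "BOOKED"
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")  # atomicity: the INSERT is undone as well
        return "SOLD_OUT"


def demo():
    """Two agents race for the last seat; returns what each step observed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "airline.db")
        make_flight_db(path)
        agent_a, agent_b = connect(path), connect(path)
        out = {}
        # Agent A is mid-transaction and holds the write lock.
        agent_a.execute("BEGIN IMMEDIATE")
        agent_a.execute("UPDATE flights SET seats_available = seats_available - 1 "
                        "WHERE flight_no = ?", (FLIGHT,))
        # Isolation: B still sees the committed value, and cannot book yet.
        out["b_sees_while_a_uncommitted"] = seats_left(agent_b, FLIGHT)
        out["b_books_while_a_locked"] = book_seat(agent_b, FLIGHT, "passenger-b")
        # Atomicity: A abandons the transaction and its update disappears.
        agent_a.execute("ROLLBACK")
        out["seats_after_rollback"] = seats_left(agent_a, FLIGHT)
        # Serialized by the lock: the first booking wins, the second is denied.
        out["a_books"] = book_seat(agent_a, FLIGHT, "passenger-a")
        out["b_books"] = book_seat(agent_b, FLIGHT, "passenger-b")
        out["bookings_recorded"] = agent_a.execute(
            "SELECT COUNT(*) FROM bookings").fetchone()[0]
        agent_a.close()
        agent_b.close()
        return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```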

Other DBMS Access Controls


Security controls that apply to databases can be implemented at
different levels. These include the user level, by restricting the
user’s permissions by using methods such as views, or in an object-
oriented database, placing restrictions on the object itself. As we
have seen earlier, objects can be tables, views of tables, and even
more granular items such as the columns in those tables or views.
• View-based access controls: In some database environments, security can be addressed through the creation and management of views. A trusted front end is built to control assignment of views to users. View-based access control allows the database to be logically divided into pieces that allow certain sensitive data to be hidden from users that are not authorized users. It is important that proper security controls are put in place so that a user cannot bypass the trusted front end and directly access and manipulate the sensitive data within the database. The database administrator can set up a view for each type of user and then each user can only access the view assigned to them. Some database views will allow the restrictions to be very granular, for example, of both rows and columns, while others allow for views that can write and update data as well as the capability to only read.
• Grant and revoke access controls: Grant and revoke controls allow users who have “grant authority” permission to grant permissions to other users. In a grant and revoke system, if a user is granted permission without the grant option, the user will not be able to pass that grant authority to anyone else. This is, in a sense, a modification of discretionary access control. However, there is a weakness: a user who has been granted access but not grant authority could make a complete copy of the relation and subvert the system. Because the user, who is not the owner, created a copy, the user is now considered by the system to be the owner of the copy and therefore could provide grant authority over the copy to other users. And because the copy is not updated with the original relation, the user making the copy could continue making similar copies of the relation and continue to provide the same data to other users. The revoke statement functions like the grant statement. One of the possible security characteristics of the revoke statement is its cascading effect. When the rights previously granted to a user are subsequently revoked, all similar rights are revoked for all users who may have been granted access by the newly revoked user.
• Security for object-oriented (OO) databases: Most of the models for securing databases have been designed for relational databases since it has been a very popular architecture. Because of the complexity of object-oriented databases, the security models for object-oriented databases are also more complex. Adding to this complexity, the views of the object-oriented model may differ as they are more granular. Therefore, each security model has to make some assumptions about the object-oriented model used for its particular database.
• Metadata controls: In addition to facilitating the effective retrieving of business intelligence information, metadata can also be used to manage restricted access to sensitive information. Metadata can serve as sort of a gatekeeper to enforce access rules and as a result provide security controls. One example of metadata is called the data dictionary, which is a central repository of information regarding the various databases that may be in use within the entire enterprise. The data dictionary does not provide direct control of databases, or access control restrictions, but it can give the database administrator a full understanding and view of the various bodies of information throughout the enterprise, potentially including the sensitivity and classification of material held in different objects that are being accessed by users. Therefore, the data dictionary can be used in risk management and direct the understanding of protective resources.
• Data contamination controls: To ensure the integrity of data, there are two types of controls that can be used. These are input and output controls. Examples of input controls include transaction counts, hash totals, error detection, error correction, resubmission, self-check digits, and control totals. Examples of output controls may include the validation of transactions through reconciliation, physical-handling procedures, authorization controls, verification with expected results, and audit trails.
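The input and output controls listed under data contamination controls can be made concrete. The following Python is an added example, not from the training guide: a constructed batch-file layout whose header carries the record count, control total and hash total, a mod-10 (Luhn) self-check digit on account numbers as one common check-digit scheme, and a reconciliation against the audit trail after posting. The format, account numbers and amounts are constructed; the second batch reproduces a keying error that transposes two digits.

```python
# Constructed batch layout (not a real standard):
#   H,<record count>,<control total in cents>,<hash total of account numbers>
#   D,<account number ending in its check digit>,<amount in cents>
GOOD_BATCH = """\
H,3,13049,166611116
D,12345674,10000
D,98765431,2550
D,55500011,499
"""

# The same batch after a keying error: two digits of one account transposed.
CONTAMINATED_BATCH = GOOD_BATCH.replace("98765431", "98756431")


def mod10_check_digit(payload):
    """Luhn mod-10 check digit for a string of digits (one self-check scheme)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def account_is_valid(account):
    return (account.isdigit() and len(account) >= 2
            and mod10_check_digit(account[:-1]) == account[-1])


def validate_batch(text):
    """Input controls: per-record check digits, then record count, control
    total and hash total against the header. Returns (header, records, errors)."""
    header, records, errors = None, [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.strip().split(",")
        if fields[0] == "H":
            header = tuple(int(f) for f in fields[1:4])
        elif fields[0] == "D":
            account, amount = fields[1], int(fields[2])
            if not account_is_valid(account):
                errors.append(f"line {lineno}: account {account} fails its check digit")
            records.append((account, amount))
        else:
            errors.append(f"line {lineno}: unknown record type {fields[0]!r}")
    if header is None:
        errors.append("batch header missing")
        return header, records, errors
    count, control_total, hash_total = header
    if len(records) != count:
        errors.append(f"record count {len(records)} != header {count}")
    if sum(amount for _, amount in records) != control_total:
        errors.append(f"control total mismatch against header {control_total}")
    # The hash total is a sum over a non-monetary field; it exists only to
    # catch transcription errors such as the transposition above.
    if sum(int(account) for account, _ in records) != hash_total:
        errors.append(f"hash total mismatch against header {hash_total}")
    return header, records, errors


def post_batch(records):
    """Apply records to a ledger while keeping an audit trail of each posting."""
    ledger, audit_trail = {}, []
    for account, amount in records:
        ledger[account] = ledger.get(account, 0) + amount
        audit_trail.append(("POSTED", account, amount))
    return ledger, audit_trail


def reconcile(ledger, audit_trail, control_total):
    """Output control: ledger and audit trail must both agree with the header."""
    return (sum(ledger.values()) == control_total
            and sum(amount for _, _, amount in audit_trail) == control_total)


def process_batch(text):
    """Post only a batch that passed every input control; returns a report."""
    header, records, errors = validate_batch(text)
    if errors:
        return {"accepted": False, "errors": errors}   # held for resubmission
    ledger, trail = post_batch(records)
    return {"accepted": True, "errors": [],
            "reconciled": reconcile(ledger, trail, header[1])}


if __name__ == "__main__":
    print(process_batch(GOOD_BATCH))
    print(process_batch(CONTAMINATED_BATCH))
```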
Online Transaction Processing (OLTP)

OLTP is a processing system that can facilitate and manage high-volume, transaction-oriented applications. In other words, it can facilitate a high number of transactions to be applied against database environments, especially across the web. OLTP is designed to record all of the business transactions of an organization as they occur. These can be characterized as a system used by many concurrent users who are actively adding and modifying data against databases, all happening in real time. OLTP environments are frequently used in many industries such as the financial, telecommunications, insurance, retail, transportation, and travel industries. For example, airline reservation agents can enter data in the databases in real time by creating and modifying travel reservations, and these are increasingly joined by users directly making their own reservations through websites and purchasing tickets through airline company websites as well as discount travel website portals. All of these high-volume transactions can be hosted and handled by OLTP. Therefore, millions of people may be accessing the same flight database every day, and dozens of people may be looking at specific flights at the same time, and this can be handled properly and securely through OLTP.
There are two major security concerns for OLTP systems that need to be always addressed. These are concurrency and atomicity.
• Concurrency controls ensure that two users cannot simultaneously change the same data, or that one user cannot make changes before another user is finished with it. As an example, in an airline ticket system, it is critical for an agent processing a reservation to complete the transaction, especially if it is the last seat available on the plane.

• Atomicity ensures that all of the steps involved in the transaction complete successfully, or everything is backed out. If one step should fail, then the other steps should not be able to complete. In the same airline example, if the agent does not enter a name into the name data field correctly, the transaction should not be able to complete properly.
As we’ve mentioned earlier, OLTP systems can act as a monitoring system. As such, they should be able to detect when individual processes abort, automatically restart the aborted process, and back out a transaction if necessary. They also need to be able to allow distribution of multiple copies of application servers across machines and perform dynamic load balancing. These are all very important tasks indeed.
A security feature that can be useful is using transaction logs to record information on a transaction before it is processed, and then mark it as processed after it is done. If the system fails during the transaction, the transaction can be recovered and reapplied by reviewing the transaction logs.
Another feature is referred to as checkpoint restart, which is the process of using the transaction logs to restart the machine by running through the log to the last checkpoint or good known transaction. All transactions following the last checkpoint are applied before allowing users to access the data again after a failure.
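The transaction-log and checkpoint-restart features just described, as an added example that is not from the training guide: an append-only log that records each transaction before it is applied and marks it processed afterwards, and a restart routine that runs the log to the last checkpoint, restores that state, and reapplies everything logged after it. The record layout, transaction ids and account balances are constructed.

```python
import json


class TransactionLog:
    """Append-only log; each entry is one JSON line (constructed layout):
    CHECKPOINT {state} marks a known-good point, PENDING {id, ops} is written
    before a transaction is processed, PROCESSED {id} after it completed."""

    def __init__(self):
        self.lines = []

    def append(self, record):
        self.lines.append(json.dumps(record))

    def records(self):
        return [json.loads(line) for line in self.lines]


def apply_ops(state, ops):
    for op in ops:
        state[op["acct"]] = state.get(op["acct"], 0) + op["delta"]


def write_checkpoint(log, state):
    """Everything before this point is already reflected in the saved state."""
    log.append({"type": "CHECKPOINT", "state": dict(state)})


def process(log, state, txn_id, ops, crash_before_mark=False):
    """Record the transaction before processing it, mark it once it is done."""
    log.append({"type": "PENDING", "id": txn_id, "ops": ops})
    apply_ops(state, ops)
    if crash_before_mark:
        raise RuntimeError("simulated failure before the PROCESSED mark")
    log.append({"type": "PROCESSED", "id": txn_id})


def checkpoint_restart(log):
    """Run the log to the last checkpoint, restore that state, then reapply
    every transaction logged after it before users are let back in.
    Returns (state, reapplied ids, ids that never received a PROCESSED mark)."""
    records = log.records()
    cp_index = max((i for i, r in enumerate(records) if r["type"] == "CHECKPOINT"),
                   default=-1)
    state = dict(records[cp_index]["state"]) if cp_index >= 0 else {}
    tail = records[cp_index + 1:]
    processed = {r["id"] for r in tail if r["type"] == "PROCESSED"}
    reapplied, unmarked = [], []
    for r in tail:
        if r["type"] == "PENDING":
            apply_ops(state, r["ops"])
            reapplied.append(r["id"])
            if r["id"] not in processed:
                unmarked.append(r["id"])   # was in flight when the system failed
    return state, reapplied, unmarked


def demo():
    """Two transfers after a checkpoint; the second dies before its mark."""
    log = TransactionLog()
    live_state = {"A": 100, "B": 50}           # constructed balances
    write_checkpoint(log, live_state)
    process(log, live_state, "t1",
            [{"acct": "A", "delta": -30}, {"acct": "B", "delta": 30}])
    try:
        process(log, live_state, "t2",
                [{"acct": "A", "delta": -10}, {"acct": "C", "delta": 10}],
                crash_before_mark=True)
    except RuntimeError:
        pass
    # The in-memory state is lost on failure; recovery works from the log alone.
    return checkpoint_restart(log)


if __name__ == "__main__":
    state, reapplied, unmarked = demo()
    print("recovered state:", state)
    print("reapplied:", reapplied, "needing review:", unmarked)
```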

Knowledge Management
Knowledge management is the efficient and effective management of
information and associated resources in an enterprise to drive business
intelligence and decision-making. It involves several existing research
areas tied together by their common application environment, that is,
the enterprise itself. Some areas that organizations get into as part of
knowledge management include workflow management, business
process modeling, document management, databases and information
systems, knowledge-based systems, and possibly several other
methodologies to drive decision-making to allow the organization to
meet its goals and objectives efficiently and effectively.
Many organizations are also getting into trending areas of knowledge
management such as application of artificial intelligence technologies to
drive and support decision-making and business intelligence. Knowledge
management systems frequently make use of data warehousing and
associated technologies. The data warehouse serves to store the
accumulated enterprise knowledge that has to be managed and is used to
mine business intelligence out of it.

712 Domain 8: Software Development Security


Instructor Edition

To support business intelligence, databases need to contain several
kinds of information, including employee knowledge, customer
information, supplier information, and also product information.
Essentially, it is all of the information, data, and knowledge about
an organization that is usually obtained from several different
sources. However, for that information to be helpful and drive
business intelligence, it must have meaning. The interpretation
of the data into meaning requires knowledge and knowledge
management systems. This knowledge is an integral aspect
of interpreting the data into intelligence. Historically, the
understanding of raw data into meaning was done by the human
element. Automating this process is what knowledge management
systems try to do. These knowledge-based systems are used
along with problem-solving methods to allow the inference of
meaning and business intelligence.

PPT: Knowledge Discovery in Databases (KDD). Define KDD and relate to
security issues.
Knowledge Discovery in Databases (KDD)
Knowledge Discovery in Databases (KDD) is a mathematical,
statistical, and visualization method of identifying valid and useful
patterns in data to derive meaningful information. It is an evolving
field of study to provide automated analysis and inference solutions.
The knowledge discovery process takes the data from data mining
and tries to accurately transform it into useful and understandable
information that can be used to drive business decisions. This
information is usually not obtained through standard query
techniques but is retrieved through the use of artificial intelligence
(AI) techniques.
There are many approaches to KDD that science and industries
have come up with. The probabilistic method uses graphical
representation models to compare different knowledge
representations and come up with meaningful information. The
systems are based on probabilities and data independences.
The probabilistic models are useful for applications involving
uncertainty, such as those used in planning and control systems.

Module 3: Security Controls in Development Environments 713

Official (ISC)2 CISSP Training Guide

The statistical approach uses rule discovery and is based on data
relationships and known statistics. These will typically use learning
algorithms that can automatically select useful data relationship paths
and attributes. These paths and attributes are then used to build rules
for discovering meaningful information from those data relationships.
This approach comes up with patterns in the data and builds rules as
part of the process. An example of the statistical approach is OLAP
that was discussed earlier. Classification groups data according to
patterns and similarities. One example of this might be where the
system uses pattern discovery and removes redundant data found. By
eliminating redundant and non-important data, the discovery of patterns in
the data becomes much more simplified.
Deviation and trend analysis uses filtering techniques to detect patterns
in the data. An example of this might be where an intrusion detection
system (IDS) filters large volumes of data so that only the pertinent data
is reviewed and analyzed.

PPT: Security Controls in KDD. Explain security requirements in KDD.
Security Controls in KDD
Because KDD drives useful business intelligence and decisions, it is
important to secure the process. Security controls may include the
following:
l Protecting the knowledge base as you would any database
l Routinely verifying the decisions based on what outcomes are
expected from specific inputs
l If using a rule-based approach, changes to the rules must go
through a change control process
l If the data output seems suspicious or out of the ordinary,
perform additional and possibly different queries to verify the
information as being accurate
l Making risk management decisions because decisions that are
based on data warehouse analysis techniques may be incorrect
l Developing a baseline of expected performance from the
analytical tool being used
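The deviation analysis above and two of the listed controls (a baseline of expected performance, and routinely verifying decisions against known inputs) as an added Python example that is not code from the guide: a small filter that learns a per-source baseline from a known-good period of constructed IDS alert-count log lines, passes through only the records that deviate from it, and reruns known cases to confirm the tool still decides as expected. The log line format, thresholds and function names are assumptions.

```python
"""Baseline and deviation analysis over constructed IDS alert-count log
lines. Added example (not from the guide); the log line format, the
thresholds and all function names are assumptions made for illustration."""
import re
import statistics

# Constructed data: one line per minute, alerts raised per source host.
BASELINE_LOG = """\
2024-01-01T10:00 src=10.0.0.5 alerts=3
2024-01-01T10:01 src=10.0.0.5 alerts=4
2024-01-01T10:02 src=10.0.0.5 alerts=3
2024-01-01T10:03 src=10.0.0.5 alerts=5
2024-01-01T10:04 src=10.0.0.5 alerts=4
2024-01-01T10:00 src=10.0.0.7 alerts=0
2024-01-01T10:01 src=10.0.0.7 alerts=0
2024-01-01T10:02 src=10.0.0.7 alerts=1
2024-01-01T10:03 src=10.0.0.7 alerts=0
2024-01-01T10:04 src=10.0.0.7 alerts=1
"""

TODAY_LOG = """\
2024-01-02T10:00 src=10.0.0.5 alerts=4
2024-01-02T10:01 src=10.0.0.5 alerts=30
2024-01-02T10:02 src=10.0.0.9 alerts=2
2024-01-02T10:03 src=10.0.0.7 alerts=2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) alerts=(?P<n>\d+)$")


def parse(text):
    """Parse log text into (timestamp, source, count) tuples.
    A malformed line is an error, not something to skip silently."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        records.append((m["ts"], m["src"], int(m["n"])))
    return records


def build_baseline(records):
    """Baseline of expected behaviour per source: mean and population
    standard deviation of the alert count during a known-good period."""
    per_src = {}
    for _, src, n in records:
        per_src.setdefault(src, []).append(n)
    return {src: (statistics.fmean(v), statistics.pstdev(v))
            for src, v in per_src.items()}


def deviations(records, baseline, k=3.0, floor=1.0):
    """Filter: keep only records more than k standard deviations above
    their source's baseline, so only pertinent data is reviewed. A floor
    on the deviation stops a near-constant baseline flagging tiny changes;
    sources with no baseline at all are always passed through for review."""
    flagged = []
    for ts, src, n in records:
        if src not in baseline:
            flagged.append((ts, src, n, "no baseline"))
            continue
        mean, stdev = baseline[src]
        z = (n - mean) / max(stdev, floor)
        if z > k:
            flagged.append((ts, src, n, f"z={z:.1f}"))
    return flagged


def verify_expected_outcomes(baseline, known_cases, k=3.0):
    """Control check: rerun the analysis on inputs whose correct decision
    is already known and report any case the tool now decides differently.
    Returns a list of (src, count, expected, got) mismatches; empty is good."""
    mismatches = []
    for ts, src, n, should_flag in known_cases:
        got = bool(deviations([(ts, src, n)], baseline, k))
        if got != should_flag:
            mismatches.append((src, n, should_flag, got))
    return mismatches


KNOWN_CASES = [            # constructed regression cases with expected decisions
    ("t", "10.0.0.5", 4, False),
    ("t", "10.0.0.5", 30, True),
    ("t", "10.0.0.7", 2, False),
]


def run_analysis():
    """Build the baseline, filter today's records, and run the control check."""
    baseline = build_baseline(parse(BASELINE_LOG))
    flagged = deviations(parse(TODAY_LOG), baseline)
    return flagged, verify_expected_outcomes(baseline, KNOWN_CASES)


if __name__ == "__main__":
    for item in run_analysis()[0]:
        print(item)
```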

PPT: Web Application Environment. Define the web application environment
and explain that it is the largest attack vector and why.
Web Application Environment


The web application environment is where web applications run on a
server and hosts the interface that web users use to interact with
organizations. As the web application environment is accessible to
everyone out on the web, it becomes really important to protect the
entire web application architecture and its components. If the web
server can be compromised in some way, it may offer the attacker a
platform from which to mount probes or other nefarious activities. Also,
such unauthorized access may provide the attacker with intelligence
about the organization such as corporate sales and projects and can
also provide a way by which the attacker may be able to gain access to
the enterprise’s proprietary and sensitive intellectual property.
Current statistics indicate that most attacks are conducted at the
application level, either against the web server application itself,
in-house scripts, or the common front-end applications used for
e-commerce activities. There are many vulnerabilities and
exploits that exist in the application layer, especially the web
application environment. Therefore, attacks on the application
software are much more likely to succeed than attacks on the
underlying platforms. Once the application has been breached,
an attack on the operating system, and other components of
the architecture becomes generally possible.

PPT: Factors that Make Websites Vulnerable. Mention the reasons
that make websites vulnerable.
Factors that Make Websites Vulnerable
l Websites are designed to be widely accessible and are
usually heavily advertised as well; therefore, a very large
number of people will have information about the web site
and its architecture.
l Web server software does make provisions for logging
of traffic, but many administrators either turn off logging
altogether or reduce the logging to minimal levels.
l The standard security tools of firewalls and intrusion
detection systems can be applied but are not particularly
well suited to protecting such public websites:
o In the case of firewalls, a website must have standard
ports open for specific traffic.
o Intrusion detection systems (IDSs) must be tuned
properly and maintained adequately to provide any
useful information from the flood of data. Websites
will see all kinds of traffic, from different locations,
requesting connections, web pages, submitting form
information, or even updating search engine facts.

PPT: Web Application Threats and Protection (2 slides). Explain web
application threats and protection methods.
Web Application Threats and Protection


Specific protections that may be helpful include the following:
l Having a particular assurance sign-off process for web servers
l Hardening the operating system used on such servers, which
would include at the very least removing default configurations
and accounts, configuring permissions and privileges correctly,
and keeping up to date with vendor patches
l Extending web and network vulnerability scans prior to
deployment
l Deploying IDS and advanced intrusion prevention system
(IPS) technology
l Using application proxy firewalls
l Disabling any unnecessary documentation and libraries
l Ensuring administrative interfaces are removed or secured
appropriately
l Allowing access only from authorized hosts or networks, and then
using strong (multi-factor) user authentication
l Not hard coding the authentication credentials into the
application itself, and ensuring the security of the credentials using
certificates or similar high-trust authentication mechanisms
l Using account lockout and extended logging and audit, and
protecting all authentication traffic with encryption
l Ensuring the interface is at least as secure as the rest of the
application, and most often securing it at a higher level
Because of the accessibility of web systems and applications, and the
vulnerabilities and exploits available, input validation becomes essential
to address as part of securing this environment.
Application proxy firewalls are very effective, but they need to make
sure the proxies are able to deal with problems of known exploits such
as buffer overflows, authentication issues, scripting, the passing of
commands to the underlying platform (that includes issues related to
database engines, such as SQL commands), encoding issues (such
as Unicode), and URL encoding and translation. In particular, the
application proxy firewalls may need to address issues of the passing
of input data to in-house and custom-developed software, ensuring
validation of input to those systems. In other words, the biggest
challenge when data is being passed from anything to anything else
becomes adequate data validation.
In regard to session management, we need to remember that Hypertext
Transfer Protocol (HTTP) is a stateless technology, and therefore,
periods of apparent attachment to the server are controlled by other
technologies, such as cookies or URL data, that must be both protected
and validated. If cookies are needed, or allowed, they should always be
encrypted. Also, time validation needs to be included as part of session
management, which typically means to disallow sequential, calculable,
or predictable cookies, session numbers, or URL data. Instead, always
use random and unique indicators.
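The session management guidance above, as an added Python example that is not code from the guide: random, unique session identifiers instead of sequential ones, a cookie carrying only an opaque token plus an integrity tag (never user data), idle and absolute time validation, and fail-closed validation of everything the client sends. The SessionStore class, cookie layout and timeout values are assumptions; encryption in transit is assumed to come from TLS, which the Secure attribute enforces.

```python
"""Session management for a stateless HTTP application: unpredictable
session identifiers, integrity-protected cookies and time validation.
Added example (not from the guide); SessionStore and the cookie layout
are assumptions, and TLS is assumed for transport encryption."""
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


def predictable_session_id(counter):
    """The weak pattern the guide warns against: a sequential, calculable
    identifier that lets anyone guess neighbouring sessions."""
    return f"sess-{counter:08d}"


class SessionStore:
    """Server-side sessions keyed by a random, unique token. The cookie holds
    only the token and an HMAC tag, never user data, so there is nothing in
    it for a client to read or usefully tamper with."""

    def __init__(self, server_key):
        self.key = server_key                  # secret known only to the server
        self.sessions = {}                     # token -> session record

    def _tag(self, token):
        return hmac.new(self.key, token.encode(), hashlib.sha256).hexdigest()

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)      # 256 bits of randomness, unique
        self.sessions[token] = {"user": user, "created": now, "last_seen": now}
        return f"{token}.{self._tag(token)}"   # the cookie value

    def validate(self, cookie, now=None):
        """Return the user for a valid cookie, or None. Every failure path
        returns None (fail closed) rather than trusting client data."""
        now = time.time() if now is None else now
        token, sep, tag = cookie.rpartition(".")
        if not sep or not hmac.compare_digest(tag.encode(),
                                              self._tag(token).encode()):
            return None                        # forged or damaged cookie
        record = self.sessions.get(token)
        if record is None:
            return None                        # unknown or already revoked
        if (now - record["created"] > ABSOLUTE_TIMEOUT
                or now - record["last_seen"] > IDLE_TIMEOUT):
            del self.sessions[token]           # expired: revoke server-side
            return None
        record["last_seen"] = now
        return record["user"]

    def set_cookie_header(self, cookie):
        # Secure: only over TLS; HttpOnly: not readable by scripts;
        # SameSite=Strict: not sent on cross-site requests.
        return (f"Set-Cookie: sid={cookie}; Secure; HttpOnly; "
                "SameSite=Strict; Path=/")


if __name__ == "__main__":
    store = SessionStore(secrets.token_bytes(32))
    cookie = store.create("alice")
    print(store.set_cookie_header(cookie))
    print(store.validate(cookie))              # alice
    print(store.validate(cookie[:-1] + "0"))   # None: tag no longer matches
```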
As usual, with any application related environment, web application
environments should always validate all input and output, fail secure
(closed), and make your application or system as simple as possible.
Use secure network design and penetration testing to validate secure
designs and to identify potential vulnerabilities and threats to be
mitigated and use defense in depth. Some other specific security
controls to consider in a web system are not to cache secure pages,
confirm that all encryption used meets industry standards, monitor
your code vendors for security patches and alerts, log any and all
critical transactions and milestones, handle exceptions properly, do
not trust any data from the client, and do not automatically trust
data from other servers, partners, or any other part of the
application itself.

PPT: Open Web Application Security Project (OWASP) Framework. Explain
the relevance of OWASP in allowing organizations to protect their web
environments.
Open Web Application Security Project (OWASP) Framework
One very helpful resource for the secure development of web
environments, including web applications, is the Open Web
Application Security Project (OWASP). OWASP provides a
number of helpful frameworks focused on the secure deployment
of web applications. OWASP has several guides and resources
available for secure web application development:
l Development Guide
l Code Review Guide
l Testing Guide
l Top Ten Web Application Security Vulnerabilities
l OWASP Mobile
Given the prevalence of web-based and cloud-based solutions
that organizations can standardize on, OWASP provides an easily
accessible and complete framework with processes for web
application security that has become very valuable in current web
application environments. The security professional should be
familiar with the “top ten” web application vulnerabilities and also
how to mitigate them. This knowledge needs to be enforced in
web development and deployment areas of the organization,
together with other valuable resources from OWASP and possibly
other frameworks used by professionals and stakeholders
involved in web solution deployment.

PPT: Malicious Software (Malware). Introduce malicious software.
Malicious Software (Malware)


Malicious software consists of applications that have been written to do
something harmful to resources and assets that have value to
the organization. Malware can compromise programs and
applications, but also impact data and information, to affect its
integrity and availability. In addition, malware may use the
resources of the system or architecture for nefarious purposes and
in some cases exhaust CPU cycles, available processes, memory,
communications links and bandwidth, open ports, disk space, mail
queues, and so forth. The list of resources and assets that malware can
affect is possibly endless.
There are many flavors and forms of malware. They include viruses,
worms, Trojan horses, logic bombs, and many other examples. We will
examine some of them below.
Malware can attack and destroy system integrity in a number of ways.
Viruses are often defined in terms of their ability to attach to programs
or executable files and so must, in some way, compromise the integrity
of applications. Many viruses or other forms of malware will typically
contain what is referred to as payloads that may either erase data files
or interfere with application data over time in such a way that data
integrity is compromised and data may become completely useless.
The payload in malware is often referred to as “negative payload”
because it will do something malicious. Sometimes, this can be a
direct DoS attack, and sometimes, it is a side effect of the activity of
the malware itself. Malware such as backdoors and remote access
Trojans (RATs) are intended to make intrusion and penetration easier
for attackers. There have been viruses written to send data files from
your system to other systems. Malware can be written to do directed
searches and send confidential and sensitive data to specific parties,
and it can also be used to open covert channels to potentially disclose
confidential information.

PPT: Viruses. Define virus and its characteristics.
Viruses
A computer virus is a software program written with functions and
intent to copy and disperse itself without the knowledge and
cooperation of the owner or user of the particular system. Researchers
of malicious software disagree on a perfect definition of a virus;
however, a common definition may be a program that modifies other
programs to contain a possibly altered version of itself. This definition
is generally attributed to Fred Cohen from his seminal research in the
mid-1980s, although Dr. Cohen’s actual definition is in a mathematical
form. The term “computer virus” was first defined by Dr. Cohen in his
graduate thesis in 1984. Cohen credits a suggestion from his advisor,
Leonard Adleman (of RSA fame), for the use of the term. Cohen’s
definition is specific to programs that attach themselves to other
executable programs as their intent of infection. However, common
usage now holds viruses to consist of a set of coded program
instructions that are designed to attach to an object capable of
containing the material without knowledgeable user intervention.
However, it is typically agreed upon that viruses require user
action to be able to infect and do their malicious action.
The object that viruses typically attach themselves to may be an
email message, program file, document, CD-ROM, short message
system (SMS) message on mobile telephones, or any similar
information medium.
A really good way to think of a virus may be the following
statement: a virus is defined by its ability to reproduce and spread
but to do so with the aid of the user in some form. Just like how
the common cold or the flu spreads between people because one
person will get sick and, through interactions with others, such as
coughing or touching a surface leaving behind the virus, the sick
person helps the virus to spread to uninfected people.
A worm, which is sometimes referred to as a specialized type of virus,
is currently distinguished from a virus because a virus generally
requires an action on the part of the user to trigger or aid
reproduction and spread, whereas a worm spreads on its own by
taking advantage of vulnerabilities in software.
The action on the part of the user is generally a common function,
such as the starting of a program by double clicking on an
attachment, and the user generally does not realize the danger
of the action or the fact that he or she is assisting the virus in
reproducing and performing its malicious intent. The only
requirement that defines a program as a virus is that it reproduces
by some sort of user action. There is no necessity that the
virus carries a payload, although a malicious virus obviously would
have a negative payload.
A deliberately damaging payload, such as one that erases a disk or
system files, usually restricts the ability of the virus to spread because
the virus uses the resources of the host system. In some cases, a virus
may carry a logic bomb or time bomb that triggers a damaging
payload on a certain date or under a specific, often delayed, condition.

PPT: Types of Viruses. Define different types of viruses.
Types of Viruses
There are a number of various types of viruses, such as file infectors,
boot sector infectors, system infectors, email viruses, multipartite,
macro viruses, and script viruses. These terms do not necessarily
indicate differing characteristics as, for example, a file infector may
also be a system infector. A script virus that infects other script files
may be considered a file infector, although this type of activity,
while theoretically possible, is unusual in practice. Researchers tell
us that there are also difficulties in drawing a hard distinction between
macro and script viruses. The following are characteristics of the various
types of viruses:
l File infectors: A file infector infects program or object files.
System infectors that infect operating system program files are
also considered to be file infectors. File infectors can attach to
the front of the object file (prependers), attach to the back of the
file and create a jump at the front of the file to the virus code
(appenders), or overwrite the file or portions of it (overwriters).
l Boot sector infectors: Boot sector infectors attach to or replace
the master boot record, system boot record, or other boot
records and blocks on physical disks. The importance of boot
sectors is that in most operating systems, the boot sector needs
to be read and executed during the boot process to function
properly. Boot sector infectors usually copy the existing boot
sector to another unused sector of the hard drive and then copy
themselves into the first physical sector, ending with a call to
the original programming. Many examples exist such as Brain,
Stoned, and Michelangelo viruses.
l System infectors: System infector is a somewhat a vague and
overused term. The phrase is often used to indicate viruses that
infect operating system files, or boot sectors, in such a way that
the virus is called at boot time and may have control over some
functions of the operating system. Recent viruses in the Windows
environment sometimes preferentially infect utility files in the
system directory. In other examples, a system infector modifies
other system structures, such as the linking pointers in directory
tables or the MS Windows system registry, in order to be called
first when programs are invoked on the host computer. An
example of directory table linking is the DIR virus family. Many
email viruses will target the Windows registry, examples are MTX
and Magistr, and these can be very difficult to get rid of.
l Companion virus: Some virus programs have been specifically
designed to not physically touch the target file at all. For example,
one method is quite simple and may take advantage of precedence
in the system. In MS-DOS, for example, when a command is given,
the system checks first for internal commands, then .COM, .EXE,
and .BAT files, in that order. .EXE files can be infected by writing a
.COM file in the same directory with the same filename. This type of
virus is most commonly known as a companion virus, although the
term spawning virus is sometimes also used.
l Email virus: An email virus specifically, rather than accidentally,
uses the email system to spread. Although virus-infected files may
be accidentally sent as email attachments, email viruses are
aware of email system functions and can take advantage of
those. They generally target a specific type of email system,
may also use email addresses from various sources, and
may append copies of themselves to all email sent, or may
generate email messages containing copies of themselves
as attachments. Some email viruses may monitor network
traffic and follow up legitimate messages with messages
they generate instead. Some email viruses may be technically
considered worms because they often do not infect other
program files on the target computer, but again, this may not
be a hard and fast distinction. There are known examples
of email viruses that are file infectors, macro viruses, script
viruses, and worms. Examples of these include Melissa,
LoveLetter, Hybris, and SirCam. Historically, viruses took
many months to spread but may have stayed around for
many years in computing environments. Recently, many email
viruses can spread around the world, infecting hundreds of
thousands or even millions of machines within hours. However,
once the characteristics of these viruses become known and
understood, they may typically become ineffective as users
become knowledgeable and stop running the attachments,
or anti-virus program signature files are updated to recognize
these specific types of viruses.
l Multipartite: The term multipartite was originally used to
indicate a virus that was able to infect both boot sectors
and program files at the same time. The ability of a virus
to do this was also referred to as a dual infector. Current
understanding and usage tends to mean a virus that can
infect more than one type of object or that infects or
reproduces in more than one way. Examples of traditional
multipartite viruses are Telefonica, One Half, and Junkie,
but these programs have not been as successful as other
multipartite examples such as Nimda. Nimda was quite
successful, spreading as a classic worm, a file infector, using
network shares and other means.
l Macro virus: A macro virus uses macro programming of an
application and is usually said to infect office productivity
tools, such as word processors. Most known macro viruses
use Visual Basic for Applications in Microsoft Word, and
some are able to cross between applications and function
in, for example, a PowerPoint presentation and a Word
document, but this ability is rare. Macro viruses infect data
files and tend to remain resident in the application itself
by infecting a configuration template such as MS Word’s
NORMAL.DOT. Even though macro viruses infect data files,
they are not generally considered file infectors. The distinction
is made between program and data files. What makes them
effective is that macro viruses can operate across hardware or
operating system platforms as long as the required application
platform is present in those platforms. An example is that many
MS Word macro viruses can operate on both the Windows and
Macintosh versions of MS Word. Examples are Concept and CAP.
Melissa is also considered to be a macro virus, in addition to
being an email virus. This is because it mailed itself to potential
victims as an infected document.
l Script virus: Script viruses are generally differentiated from
macro viruses in that they are usually stand-alone files that can be
executed by an interpreter, such as Microsoft’s Windows
Script Host (.vbs files). A script virus file can be seen as a data
file in that it is generally a simple text file, but it usually does not
contain other data and often has some indicator, such as the .vbs
extension, that it is executable. LoveLetter is an example of a script
virus found on the Microsoft platform. Another example is
the ALS.Bursted.C virus, which is written in Autoclips, a scripting
language used by AutoCAD.

PPT: Malware Types. Define other malware types and their
characteristics.
Malware Types
In addition to viruses, there are many other flavors of malware. They
include worms, hoaxes, Trojan horses, logic bombs, botnets, pranks and
spyware and adware, as well as others. Each of these has its own
characteristics. Some forms of malware combine characteristics of more
than one type, and it can be difficult to draw hard and fast distinctions in
regards to individual examples of malware, but it may be important to
keep the specific attributes in mind.
For example, viruses and Trojans are being used to spread and plant
remote access Trojans (RATs), and in some cases, RATs are being used to
install zombies. In some cases, hoax virus warnings are being used to
spread viruses. In some other cases, virus and Trojan horse payloads may
contain logic bombs and data diddlers. So, drawing a specific distinction
between malware has become clouded.
l Worms: A worm reproduces and spreads, just like viruses; however,
worms are distinct and different from viruses although they may
have similar results. The difference is that a worm can propagate
without user action. In other words, they do not rely on human
involvement, instead they spread across networks of their own
accord, primarily by exploiting known vulnerabilities in common
software. The lack of requirement for user involvement means that
worms have a significant speed advantage and therefore
can spread very rapidly and much faster than viruses. Some
viruses have been able to spread to many hosts measured
in days, whereas worms can travel worldwide in hours or
even minutes. Originally, the distinction made by researchers
was that worms used networks and communications links to
spread and that a worm, unlike a virus, did not directly attach
to an executable file. In early research into computer viruses,
the terms worm and virus tended to be used synonymously,
and today, sometimes, they still are. The first worm to garner
significant attention was the Morris Internet Worm back
in 1988. Recently, many of the most prolific virus infections
have not been viruses but have used a combination of viral
and worm techniques to spread more rapidly and effectively.
LoveLetter is a really good example of this convergence of
both reproductive technologies. Although infected email
attachments were perhaps the most widely publicized
example of infection, LoveLetter also spread by actively
scanning attached network drives and infecting a variety
of common file types. Code Red and a number of Linux
programs (such as Lion) are modern examples of worms.
Nimda is an example of a worm, but it also spreads in a
number of other ways, so it could be considered an email
virus, multipartite, as well as a worm.

PPT: Case: WannaCry Ransomware – 2017 (3 slides). Introduce real world
case: WannaCry.
Case: WannaCry Ransomware – 2017


According to Symantec Threat Intelligence, WannaCry is the
most destructive ransomware variety of 2017. It has been
reported to have hit over 150 countries and over 100,000
organizations, including major corporations and various
government agencies. First discovered in May of 2017 and
categorized as ransomware, it was initially introduced to
systems via phishing emails and spread using a known
Windows vulnerability as a worm.
The attack was introduced to the world on Friday May 12, 2017
and within a day it was reported to have infected more than
240,000 computers in over 150 countries. Hardest hit areas of
the world included parts of the United Kingdom’s National
Health Service, where the infection caused the National
Health Service to run some services on an emergency-only
basis. As part of the attack many organizations were hit,
including Spanish Telefónica, FedEx, and Deutsche Bahn,
along with many other countries and companies worldwide.
WannaCry has turned out to be more dangerous than other
common ransomware types because of its ability to spread across
an organization’s network by exploiting critical vulnerabilities in
Windows computers that were actually patched by Microsoft in
March 2017.
The details of WannaCry are now known as follows. The WannaCry
attackers requested that the ransom be paid using Bitcoins.
WannaCry generates a unique Bitcoin wallet address for each
infected computer; however, due to a race condition bug, this
code did not execute correctly. WannaCry then defaulted to
three hardcoded Bitcoin addresses for payment.
What are best practices for protecting against ransomware?
• Always keep your security software up to date to protect against ransomware; patch often and as necessary.
• Keep your operating system and other software updated to the latest versions. Software updates issued by Microsoft and other operating system vendors frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
• Email is thought to be one of the main infection methods. Be wary and very careful of unexpected emails, especially if they contain links and attachments.
• Be extremely wary of any Microsoft Office email attachment that requires you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros; delete the email instead.
• Backing up your most important data regularly is the single most effective way of combating ransomware. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. Organizations should ensure that backups are appropriately protected or stored offline so that attackers cannot delete them.
• In today’s environments, using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to roll back to the unencrypted form.

Other types of malware and related threats include the following:
• Hoaxes: Hoaxes are usually warnings about new viruses that do not actually exist. Hoaxes generally carry an instruction to the user to forward the warning to all contacts available to the user. Some people consider these to be descendants of chain letters; if successful, they form a kind of self-perpetuating spam. Hoaxes typically rely on people’s desire to communicate with others and on a sense of urgency and importance to be the first to provide important new information of relevance to others. Hoaxes may also get users to delete certain important files on their machines.
• Trojans: Trojans, short for Trojan horse programs, are considered to be a very large class of malware. However, the use of the term Trojan or Trojan horse is subject to a lot of confusion, particularly in relation to computer viruses. A Trojan is a program that may seem useful but also contains something unknown that will do something malicious. In other words, it pretends to do one thing while performing another unwanted or malicious action. The extent of the pretense may vary greatly. Some Trojans may contain actual code that does what it is supposed to while performing additional acts that are not clearly documented or defined. Trojan programs have been distributed by mass emails, by posting on Usenet newsgroup discussion groups, through downloads on infected websites, or through automated distribution agents (bots) on Internet Relay Chat (IRC) channels. Because source identification in these communications channels can be easily forged and hidden, Trojan programs can be redistributed through a number of channels, and specific identification of a malicious program has become much more difficult as a result.
• Social engineering: A major component of malware success is social engineering. To recall, social engineering can be defined as using deception and intimidation to get people to do something that they shouldn’t. Social engineering can range from simple deception to bullying and intimidation to get employees to disclose sensitive information. It can also include methods to make social engineering easier, such as dumpster diving (to find potentially valuable information people have carelessly discarded) and shoulder surfing (to find out personal identification numbers and passwords). A recent entry to the list of malicious attacks aimed at computer users is the practice of phishing. Phishing attempts to get the user to provide information that will be useful for identity theft-type frauds by pretending to be an authorized source, such as the user’s bank. Although phishing messages frequently use websites and try to confuse the origin and ownership of those sites, very little programming, malicious or otherwise, is usually involved. Phishing is definitely a form of social engineering or deception. Some recent examples, however, have incorporated certain technical aspects, such as the creation of unframed browser windows to overlay areas in the browser frame and recreate browser characteristics such as the padlock symbol denoting a site certificate and authentication and encryption using the SSL/TLS protocol.
• Remote access Trojans (RATs): RATs are programs designed to be installed, usually remotely, after systems are in production, and so they are different from logic bombs and backdoors. The intent is to have easy access to the host remotely after the RAT has been installed on the remote host. Once an example such as 32.Shadesrat, FAKEM, Blackshades, Back Orifice, Netbus, Bionet, or SubSeven is installed on the target computer, the controlling computer is able to obtain information about the target computer. The master, or controlling, computer will be able to download files from and upload files to the target. The control computer will also be able to submit commands to the victim computer that basically allow the distant operator to do pretty much anything to the prey. The problem associated with RATs is that all of this activity may go on without any alert being given to the owner or operator of the targeted computer. When a RAT program has been run on a computer, it will install itself in such a way as to be active every time the computer is started subsequent to the installation, without the operator of the computer knowing anything about it. Information is sent back to the controlling computer over network channels noting that the RAT is now active. The user of the command computer is now able to explore the target, escalate access to other resources, and install other malicious software, such as DDoS zombies. RATs are not viral; in other words, they cannot spread by themselves. When the software is active, however, the master computer can submit commands to have the installation program sent on via network transfer or email to other machines. In addition, RATs can be installed as a payload from a virus or Trojan. Many RATs now operate in very specialized ways, making the affected computer part of a botnet (robot network). Botnets use large numbers of computers to perform functions such as distributing spam messages, increasing the number of messages that can be sent, and isolating the actual sender from the targets of the messages. Recently, we have seen that certain viruses have carried RAT programming payloads to set up spam botnets and that such spam botnets have then been used to seed the release of new viruses. Rootkits, containing software that can subvert or replace normal operating system software, have been around for some time. RATs differ from rootkits in that a working account must be either subverted or created on the target computer to use a rootkit. RATs, once installed by a virus or Trojan, do not require access to an account.

• DDoS zombies: Distributed denial of service (DDoS) is a category of DoS attacks. DoS attacks do not attempt to destroy or corrupt data, but rather they attempt to use up a computing resource to the point where normal operations cannot proceed. A DDoS attack differs in that it requires the compromise of a number of computers in the middle that are then used to attack specific other hosts or architectures. These computers in between the master and the target are sometimes called agents or clients, but most often are referred to as zombie programs, as they are not really aware they are contributing to a DoS attack.
• Logic bombs: Logic bombs are software programs set up to run in a dormant state until a specific condition or set of conditions exists, and then activate their negative payload. The condition that a logic bomb waits for can be related to a certain date or time, or to specific conditions related to system and architecture parameters. A logic bomb can also wait for conditions related to how data looks in specific databases or files. A logic bomb is generally implanted in, or coded as part of, an application under development or maintenance. Unlike a RAT or Trojan, it is difficult to implant a logic bomb after the fact, as it is related to logic that needs to execute in specific conditions. There are numerous examples of this type of activity, usually based upon actions taken by a developer or administrator to deprive a company of needed resources if employment was terminated. A Trojan or a virus may contain a logic bomb as part of the payload. A logic bomb involves no reproduction and no social engineering. An example of this concept of logic bombs involves what is known as the salami scam. The basic idea involves the siphoning off of small amounts of money, in some versions fractions of a cent, credited to a specific account, over a large number of transactions. The attack siphons off small amounts over a long period of time. In most discussions of this type of activity, it is explained as the action of an individual, or small group, defrauding an organization.
• Spyware and adware: It is extremely difficult to define which spyware and adware entities are malicious and which are legitimate marketing tools. Originally, many of the programs now known as spyware were intended to support the development of certain programs by providing advertising or marketing services. The idea was to try to figure out the browsing patterns of web users and then provide marketing materials they may have been interested in. Over time, a number of these programs became more and more intrusive, and many now have functions that will install without the user’s knowledge and can possibly have privacy implications. Companies involved with spyware and adware have been quite active in promoting the confusion of definitions and terms. Vendors and developers of anti-spyware programs have frequently found themselves targets of lawsuits alleging that the identification of programs as spyware is defamation.
• Pranks: Pranks are very much a part of the computer culture, so much so that anyone can now buy commercially produced joke packages that allow you to perform tricks on other users. There are numerous pranks available as shareware. Some make the computer appear to insult the user, and yet others will use sound effects or voices and even use special visual effects. An example might be PARASCAN, the paranoid scanner. It pretends to find large numbers of infected files, although it does not actually check for any infections at all. Generally speaking, pranks that create some kind of announcement are not considered to be malware, and in fact, viruses that can generate a screen or audio display are actually quite rare. The distinction between jokes and Trojans is harder to make, but pranks are intended for amusement and not malicious intent. The malicious part may be the consuming of computing resources and network resources. One specific type of joke is the Easter egg, a function hidden in a program and generally accessible only by some arcane sequence of commands. These may be seen as harmless, but note that they do consume resources, even if only disk space, and also make the task of ensuring program integrity much more difficult. Repeated pranks may also serve to dissuade the end user from seeking help from the help desk when legitimately needed for a security reason.
• Botnets: A botnet is a network of automated systems or processes (robots, or bots for short) performing a specific function together, usually malicious. Botnets have greatly magnified the power and speed of malicious operations because they all work together toward achieving a malicious goal, and they have allowed for tuning and directing of operations in a way that was not possible with malicious programs in the past. The distributed nature of botnets and related technologies such as fast-flux domain and Internet Protocol (IP) address reassignment (rapidly rotating domain names and IP addresses) has made it much more difficult to detect, analyze, and remove botnets and botnet activity from networks and architectures. Bot agent software can be installed on user machines in any number of ways, but usually Trojan horse programs are used. In some cases, users are socially engineered to infect their own machines. The agents may or may not be viruses, or indeed worms. Drive-by downloads, peer-to-peer file sharing software, and instant messaging platforms and clients all have functions that may allow remote submission and placing of files and invocation of commands or programs directly on remote machines. Generally speaking, once botnet software has been installed on the infected machine, it no longer requires personal intervention but will respond to automated communications through the command and control channel directed at a number of computers that are part of the botnet.

Malware Protection: Training and Policies

As we have seen, there are numerous examples of malware that can be introduced into organizations. Protecting against malware is a very important part of any organization’s security management program.

As with anything that relates to security, we have to start with properly written and communicated policies. Those are followed by training and awareness directed toward employees and users. Here are some important issues to address:
• Do not double-click on attachments
• When sending attachments, provide a clear and specific description of the content of the attachment
• Do not blindly use the most widely used products as a company standard
• Disable Windows Script Host, ActiveX, VBScript, and JavaScript
• Do not send HTML-formatted email
• Use more than one scanner, and scan everything

As always, guidelines such as these should be enforced based on the organization’s goals and objectives and on the level of acceptable risk. And as always, policies need to be developed based on an understanding of the requirements and the risks that exist in the specific environment.

Malware Protection: Tools

Experts and researchers agree that all antivirus software is essentially reactive; that is, it exists only because viruses and other programmed malware threats existed first. It is important to be able to distinguish between virus-specific scanning, or known virus scanning (KVS), on the one hand and generic measures on the other. There are three approaches to how antivirus software technology is able to work:
• Known signature scanning
• Activity monitoring
• Change detection

Some people compare these basic types of malware detection systems to common intrusion detection system (IDS) types; although the comparison is not exact, it is made by some regardless. A scanner is like a signature-based IDS. An activity monitor is like a rule-based IDS or an anomaly-based IDS. And a change detection system is like a statistical-based IDS.
• Scanners: These are also known as signature scanners or known virus scanners, and they look for search strings whose presence is characteristic of a known virus. In other words, they look for known signatures of known viruses and malware. As they are able to recognize specific types of viruses, they frequently have capabilities to remove the virus from an infected object; however, some objects cannot be repaired. Even where an object can be repaired, it is often preferable and probably safer to replace the object altogether rather than repair it, and some scanners are very selective about which objects they may be able to repair.
• Heuristic scanners: One of the latest technologies used for scanning is intelligent analysis of unknown code, currently referred to as heuristic scanning. More closely associated with activity monitoring functions than with traditional signature scanning, this looks for suspicious sections of code that are generally found in viruses and malicious programs. Activities such as modifying code and unauthorized change can be associated and flagged by heuristic scanning as suspicious. One disadvantage of heuristics, however, is that they can generate a lot of false positives, or false alarms.
• Activity monitors: An activity monitor performs a task very similar to an automated form of traditional auditing: it watches for and flags what may be suspicious activity. It may, for example, check for any calls to format a disk or attempts to alter or delete program files while a program other than the operating system is in control. These are just examples of some activities that activity monitors may flag as suspicious. Activity monitors may be even more sophisticated and check for any program that performs direct activities with hardware without using the standard system calls.
• Change detection: Change detection software examines system or program files and configurations, stores the information, and compares it against the same program files and configurations on a regular basis to look for changes. Most of these programs perform some sort of checksum or cyclic redundancy check (CRC) that will detect changes to a file even if the length is unchanged. Some programs will even use sophisticated cryptographic techniques to generate a signature, referred to as a hash or digest, to detect changes. Change detection software can also detect the addition of completely new entities to a system. Some improperly configured change detection techniques have failed to detect additions. Change detection software is also often referred to as integrity-checking software, but this term may be somewhat misleading. The integrity of a system may have been compromised before the establishment of the initial baseline of comparison, and that would make this technique totally ineffective. A sufficiently advanced and properly implemented change detection system that takes all factors, including system areas of the disk and the computer memory, into account has the best chance of detecting malicious activities. However, change detection also has the highest probability of false alarms because it will not know whether a change is due to malicious intent or was actually authorized. The addition of intelligent analysis of the changes detected may assist with this condition.
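The baseline-and-compare approach described above, as an added example that is not code from the guide: it digests every file under a directory, then reports additions, removals and modifications, including a same-length edit that a size-only check would miss. The function names and the sample tree are constructed here; only the Python standard library is assumed.

```python
"""Change detection (integrity checking) by digest comparison.

Added example: baseline a directory tree, then diff a later snapshot
against it. Because each file is hashed, an edit that keeps the file
length unchanged is still detected; new and deleted files are reported
too. The baseline itself is only trustworthy if it was taken on a
known-good system, which is the caveat the guide raises.
"""
import hashlib
import tempfile
from pathlib import Path


def digest_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record size and SHA-256 for every regular file under root.

    Keys are POSIX-style relative paths so that snapshots taken at
    different times (or after a restore) compare cleanly.
    """
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            result[rel] = {"size": p.stat().st_size, "sha256": digest_file(p)}
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into added, removed and modified files.

    A file is modified when its digest differs, whether or not its size
    changed; modified_same_size lists the subset whose length is
    unchanged, the case a plain length check cannot catch.
    """
    base_keys, cur_keys = set(baseline), set(current)
    added = sorted(cur_keys - base_keys)
    removed = sorted(base_keys - cur_keys)
    modified = sorted(
        k for k in base_keys & cur_keys
        if baseline[k]["sha256"] != current[k]["sha256"]
    )
    same_size = [k for k in modified if baseline[k]["size"] == current[k]["size"]]
    return {"added": added, "removed": removed,
            "modified": modified, "modified_same_size": same_size}


def demo() -> dict:
    """Build a constructed sample tree, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"MZ\x90\x00 original program body")
        (root / "etc" / "app.conf").write_text("debug=0\nlisten=127.0.0.1\n")
        (root / "etc" / "motd").write_text("welcome\n")

        baseline = snapshot(root)  # assumed taken while the tree is clean

        # Same-length edit: one byte flipped, file size identical to baseline.
        data = bytearray((root / "bin" / "app").read_bytes())
        data[4] ^= 0xFF
        (root / "bin" / "app").write_bytes(bytes(data))
        # A length-changing edit, an added file, and a removed file.
        (root / "etc" / "app.conf").write_text("debug=1\nlisten=0.0.0.0\n")
        (root / "bin" / "helper").write_bytes(b"new unexpected binary")
        (root / "etc" / "motd").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```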
• Reputation monitoring and zero-day/zero-hour: Zero-day/zero-hour is defined as the period of time from when a new malware hosting website is created until it is recognized as malicious. There are zero days between the time it is discovered and the first infection. During this period, activity on these sites is considered high risk. In the zero-hour period, no matter how many antivirus engines you may have deployed, anyone visiting a website hosting new malicious content is at risk, and their machine may become infected. This seems to be a big problem for organizations to address. A strong solution may be to apply “reputation monitoring.” The idea is to classify certain types of websites, including those that have not been seen before, as “suspicious.” This is referred to as assigning a reputation score to that website. Applying a reputation score to websites and classifying them as “suspicious” is a proactive approach to security: you are addressing a risk before it can become a serious threat. Web reputation is a method that can be used to boost protection against current and future malicious content on the web for those browsing it. Using web reputation, websites are assessed for immediate and potential threats, malicious content, and risky characteristics, and usually scores between zero and 100 are given. In a similar way that content categorization places websites into different categories and classifies them based on their content, web reputation scores are used to determine the risk factor of each website. Once the score for a website has been determined, this will help administrators to either block, proceed with caution, or allow access to those websites. Although good antivirus programs are also required, web reputation can help by giving that safety rating to websites and, where necessary, allowing proactive blocking of risky sites. They can complement anti-malware approaches. Typically, web reputation scores may fall into five risk bands, for example:
   - High Risk (1–20)
   - Suspicious (21–40)
   - Moderate Risk (41–60)
   - Low Risk (61–80)
   - Trustworthy (81–100)
• Anti-malware policies: Creating policies or educating users in safe and secure practices can reduce the risk of becoming infected, even when a virus enters the organization. There are many possible preemptive measures, such as avoiding the use of applications that are particularly vulnerable and denying entry to mail attachments that are likely to be vectors for inbound viruses. Such measures can be very effective at addressing aspects of virus damage that reactive antivirus software does not deal with very well. Having well-written and communicated policies should always be the foundation for defending against malicious software.

Activity: Malware Protection Tools

INSTRUCTIONS
Answer the following questions.
1. Which tool is known to generate a lot of false alarms?

2. Which tool looks for search strings whose presence is characteristic of a known virus?

3. What is the period of time from when a new malware hosting website is created until it is recognized as malicious?

4. What tool watches for suspicious activity?

Answers:
1. Heuristic
2. Scanner
3. Zero-day/Zero-hour
4. An activity monitor

Security of Code Repositories

As part of good security management, it’s very important to ensure the safety of application code while it is being developed, as well as during usage and while at rest in the enterprise. Code is typically stored in what are called code repositories. In today’s environments and trends, the security of code repositories can pose a challenge for several reasons. With the move to offshoring application development, the code being developed may not be available to the enterprise directly, and likewise, the development environment may be unavailable for management and inspection.

The protection of code repositories needs to be handled just like any other valuable asset, through a combination of logical and physical access controls and mechanisms, as well as by protecting the integrity and availability of the content of code repositories.

Configuration Management (CM) as an Aspect of Secure Coding

Configuration Management (CM)

For software and applications, configuration management (CM) refers to monitoring and managing changes to a program or documentation. The goal is to guarantee the integrity of the code, availability, and usage of the correct version of all system components, such as the software code, design documents, documentation, and control files.

CM, therefore, involves reviewing every change made to a system. This includes identifying, controlling, accounting for, and auditing all changes. The process includes the following:
• The first step is to identify any changes that are made.
• Controlling occurs when every change is subject to some type of documentation that must be reviewed and approved by an authorized individual.
• Accounting is recording and reporting on the configuration of the software or hardware throughout any change procedures.
• Auditing allows the completed change to be verified, especially ensuring that any changes did not affect the security policy or protection mechanisms that are implemented.
Configuration Management Plans

The best method of controlling changes is to have a CM plan that ensures changes are performed in a step-by-step, rigorous, and agreed-upon manner. Any deviations from the plan may change the configuration of the entire system architecture and could essentially void any certification that it is a secure, trusted system. In a project, CM often refers to the controlling of changes and limiting them to the scope or requirements of the project. Not controlling changes properly can often lead to what is called scope creep, and a lack of configuration management can lead to a project never being completed or structured because its requirements are continuously changing.

At its heart, CM is intended to eliminate the confusion and error brought about by the existence of different versions of artifacts. An artifact is defined as a piece of hardware, software, or documentation. Changes are made to correct errors, provide enhancements, or simply reflect the evolutionary refinement of product definition. Without a well-enforced CM process, involved team members can use different versions of artifacts unintentionally and erroneously. Individuals can also create versions without the proper authority, and possibly the wrong version of an artifact can be used inadvertently. Successful CM requires a well-defined and understood set of policies and standards that clearly define the following:
• The set of artifacts (configuration items) under the jurisdiction of CM
• How artifacts are named
• How artifacts enter and leave the controlled set
• How an artifact under CM is allowed to change
• How different versions of an artifact under CM are made available and under what conditions each one can be used
• How CM tools are used to enable and enforce CM

These policies and standards are documented in a CM plan that informs everyone in the organization just how CM is carried out.
Define configuration
Information Protection Management

If software is shared, it should be protected from unauthorized modification by ensuring that policies, developmental controls, and lifecycle controls are in place. In addition, users should be aware of and abide by security policies and procedures. Software controls and policies should require procedures for changing, accepting, and testing software prior to implementation. These controls and policies require management approval for any software changes and compliance with change control procedures.

Module 4: The Effectiveness of Software Security

Module Objectives
1. Understand the importance of auditing and logging all changes to software.
2. Understand how risk analysis and mitigation are applied to software security.
3. Explain how to assess the security impact of acquired software.

Effectiveness of Software Security

As we have seen, application software has become an integral component in every organization over the last number of decades, and building better applications that have the proper security controls built in based on requirements has become very important. As part of this, organizations need to evaluate the effectiveness of the application development process, including how security is involved, and ultimately whether the security designed into the application is indeed effective based on the organization’s requirements.

The best way to evaluate the effectiveness of application development and software security is through having an efficient and secure process itself and through testing and assurance mechanisms. Providing meaningful metrics that are evaluated and provided to stakeholders allows organizations to have assurance that the effectiveness of software security is indeed at the levels required based on goals and objectives.

Providing meaningful metrics that reflect on use cases can give organizations a more comprehensive view of how secure applications actually are. Use cases are tangible outcomes of a program and can definitely be useful in application security testing. They are essentially scores for how well the security functions in certain test situations. By measuring the quality of each use case, organizations can have a clear understanding of how well the applications provide security. There are other methods used to test the effectiveness of software security; they include some of the methods discussed below.

Certification and Accreditation

Certification is defined as the technical evaluation or assessment of security compliance of the information system, or application, within its operational environment. In other words, it could be the endorsement by the security professionals and others, such as developers and analysts, that the system, including the applications, meets its functional requirements, including the security requirements. To make this a more meaningful process, it can also include the independent verification of the endorsement. The certification process is always followed by the accreditation or management authorization process. The accreditation or authorization process is where the certification information is reviewed by stakeholders and management, who grant the official authorization to put the information system and solution into operational use. In other words, it is the formal approval by senior management.

Module 4: The Effectiveness of Software Security 737


Official (ISC)2 CISSP Training Guide

NIST SP 800-37 R1
The U.S. National Institute of Standards and Technology (NIST) has developed and published a document, SP 800-37 Revision 1: Guide for Applying the Risk Management Framework to Information Systems, that recommends a security authorization process and procedures to ensure the risk management process is applied to application development and how security is involved to ensure the effectiveness of software and its security capabilities. As we’ve seen above, the process of certification and accreditation can be very useful, but the NIST SP 800-37 Revision 1 guidance has provided a way to create a change in the traditional thought process surrounding certification and accreditation and extends it. The revised process emphasizes the following:
• Building information security capabilities into information systems through the application of state-of-the-practice management, operational, and technical security controls
• Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
• Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, and other organizations, arising from the operation and use of information systems

PPT: NIST SP 800-37 R1
Mention NIST SP 800-37 as an example of what to emphasize in secure software development.

Risk Management Framework (RMF)
Using NIST SP 800-37, the traditional certification and accreditation process has been transformed into a six-step Risk Management Framework (RMF). The risk management process changes the traditional focus of certification and accreditation as a static, procedural activity to a more dynamic approach that gives the organization the capability to more effectively manage information system-related security risks in highly distributed and diverse environments of complex and sophisticated cyber threats, ever-increasing system vulnerabilities, and rapidly changing organizational needs.

PPT: Risk Management Framework (RMF)
Mention the RMF as a framework to allow organizations to manage information security related risks.

RMF Characteristics
The RMF has the following characteristics:
• Promotes the concept of near real-time risk management and ongoing information system authorization by stakeholders through the implementation of robust continuous monitoring processes

738 Domain 8: Software Development Security


Instructor Edition

• Encourages the use of automation to provide senior management the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions
• Integrates information security into the enterprise architecture and system development lifecycle as part of the process and not an add-on later
• Provides emphasis on the selection, implementation, assessment, and monitoring of security controls and the authorization of information systems
• Links risk management processes at the information system and application level to the corporate risk management processes at the organization level through a risk executive function that needs to be established
• Establishes responsibility and accountability for security controls deployed within organizational information systems

PPT: RMF Characteristics
Mention characteristics of RMF.

There are some really good reasons why a private organization may implement the certification and accreditation process with the NIST extension, as above. Reasons may include the following:
• A certification and accreditation process ensures a control framework has been selected and is consistently being applied across the organization.
• If implemented as part of a change management program, the system authorization process can have a relatively low overhead.
• Security authorization standards can mandate the use of standards, and standardization across an organization can lead to gains in efficiency and fewer unexpected changes.
• If implemented properly, a security authorization program includes all aspects of a system’s security, including physical, training, environment, and interconnections, that could be missed by purely technical approaches.

PPT: Certification for Private Organizations
Explain the benefit of certification to organizations.

PPT: Auditing and Logging of Changes
Explain the importance of logging and auditing of changes to systems.

Auditing and Logging of Changes


Reporting from systems, applications, architectures, and network devices is important to the overall health and security of systems. Every network device, operating system, or application, and indeed every component of an architecture, should provide some form of logging capability.


Logs
A log is a record of security-relevant actions and events that have taken place on a computer architecture. Logs:
• Provide a clear view of who owns a process, what action was initiated, when it was initiated, where the action occurred, and why the process ran
• Are the primary record keepers of system and network activity
• Are particularly helpful in capturing the pertinent information to explain what happened and why in the event that security controls experience failures

PPT: Logs
Explain the importance of logs.

Auditing
As part of due care and due diligence, it is in the best interest of the enterprise to have appropriate auditing policies in place. One such requirement is to effectively and efficiently collect information regarding critical and security-related events occurring in valuable networks and systems, in the form of logs, for the purpose of being able to manage them appropriately.

This information regarding security-relevant events is typically available in the form of logs and would enable all interested parties, such as management, executives, and stakeholders, as well as network and system administrators, to understand and assess the following:
• The need for establishing baselines
• The performance of various servers and systems
• An application’s functional and operational problems
• Effective detection of intrusion attempts
• Forensic analysis
• Compliance with various regulatory laws

PPT: Auditing
Explain the importance of auditing.

PPT: Change Management
Explain the importance of change management.
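The following is an added example, not code from the (ISC)2 guide, that shows what the two preceding sections describe in working form: log records carrying the who, what, when, where and why fields, parsed and then audited for one of the listed uses (detection of intrusion attempts) and for changes made without a change ticket, as the "Auditing and Logging of Changes" section calls for. The log lines, the key=value layout, the function names and the thresholds are all constructed for the illustration.

```python
"""Parsing security-relevant log records and auditing them.

Added example, not code from the (ISC)2 guide: the log lines below are
constructed, and the key=value layout, the names parse_log, find_brute_force
and unapproved_changes, and the thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not a real system's output). Every line carries the
# who / what / when / where / why fields the guide says a log should provide.
SAMPLE_LOG = """\
ts=2024-03-01T09:00:05Z who=alice what=login result=success where=10.0.0.5 why=interactive
ts=2024-03-01T09:01:10Z who=bob what=login result=failure where=203.0.113.7 why=bad_password
ts=2024-03-01T09:01:12Z who=bob what=login result=failure where=203.0.113.7 why=bad_password
ts=2024-03-01T09:01:13Z who=bob what=login result=failure where=203.0.113.7 why=bad_password
ts=2024-03-01T09:01:14Z who=bob what=login result=failure where=203.0.113.7 why=bad_password
ts=2024-03-01T09:01:15Z who=bob what=login result=failure where=203.0.113.7 why=bad_password
ts=2024-03-01T09:01:20Z who=bob what=login result=success where=203.0.113.7 why=interactive
ts=2024-03-01T09:05:00Z who=carol what=config_change result=success where=10.0.0.9 why=change_ticket_1234
ts=2024-03-01T09:07:30Z who=dave what=config_change result=success where=10.0.0.9 why=unspecified
"""


@dataclass
class LogRecord:
    when: datetime
    who: str
    what: str
    result: str
    where: str
    why: str


def parse_log(text):
    """Turn key=value lines into LogRecord objects, ordered by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        records.append(LogRecord(
            when=datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            who=fields["who"], what=fields["what"], result=fields["result"],
            where=fields["where"], why=fields["why"]))
    return sorted(records, key=lambda r: r.when)


def find_brute_force(records, threshold=5, window=timedelta(minutes=2)):
    """Intrusion-attempt detection: a login success preceded by at least
    `threshold` failures for the same (who, where) pair inside `window`.
    Returns the (who, where) pairs that match."""
    recent_failures = {}   # (who, where) -> timestamps of failures seen so far
    hits = []
    for r in records:
        if r.what != "login":
            continue
        key = (r.who, r.where)
        if r.result == "failure":
            recent_failures.setdefault(key, []).append(r.when)
        elif r.result == "success":
            failures = [t for t in recent_failures.get(key, []) if r.when - t <= window]
            if len(failures) >= threshold and key not in hits:
                hits.append(key)
            recent_failures[key] = []   # a success closes the current failure run
    return hits


def unapproved_changes(records):
    """Change auditing: configuration changes whose 'why' does not cite a
    change ticket, which a change management process would require."""
    return [r for r in records
            if r.what == "config_change" and not r.why.startswith("change_ticket_")]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("brute-force candidates:", find_brute_force(recs))
    print("changes without a ticket:", [(r.who, r.why) for r in unapproved_changes(recs)])
```

The detector keys on the pair (who, where) rather than on the user alone, so that one user's failures from two sources are not merged; the threshold and window are deliberately parameters because they are exactly the baselines the text says an organization must establish for itself.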

Change Management
Organizations need to understand change and change management as integral elements in any successful enterprise security architecture. They need to make sure that changes to applications and other systems already in production are made in a rigorous and controlled way to ensure quality assurance of the change. As part of this, organizations need to be able to plan for change, manage it through a well-defined lifecycle, approve changes, document them, and roll them back if required. There are many practices and guides available that organizations can use as frameworks to guide change management and change control.


Information Integrity, Accuracy, and Auditing


Information integrity means that organizations need to have procedures in place that should be applied to compare or reconcile what was processed against what was supposed to be processed. For example, controls can compare totals or check sequence numbers to make sure the right operations were performed on the correct data elements.

Another element of integrity is information accuracy. Because decisions are made based on information, the accuracy of information becomes very important to ensure as information is processed by applications. To check input accuracy, data validation and verification checks should be incorporated into the appropriate applications. Other controls that may be required are character checks to compare input characters against the expected type of characters, such as numbers or letters. This is sometimes known as sanity checking by developers and others involved in applications. Range checks verify input data against predetermined upper and lower limits to make sure they fit within those ranges. Relationship checks compare input data with data on a master record file somewhere else to ensure the correct relationships. Reasonableness checks compare input data with an expected standard; this is also considered another form of sanity checking. Transaction limits check input data against set ceilings on specified transactions to make sure they don’t exceed the limits set as the specified ceiling or upper limit.

Information auditing is important because vulnerabilities may exist in the development and software lifecycles and, as a result, there is a likelihood that vulnerabilities may be exploited. Auditing procedures can assist in detecting any abnormal activities that may indicate vulnerabilities are being exploited. A secure information system must provide authorized personnel with the ability to audit any action that can potentially cause unauthorized access to, damage to, or in some way affect the release of sensitive and valuable information. The level and type of auditing depends on the auditing requirements of the installed software and the sensitivity of data that is processed or stored on the system. The key point is that the audit results provide information on what types of unauthorized activities have taken place and who or what processes took the action, so as to drive the corrective actions necessary at that point.

PPT: Information Integrity, Accuracy, and Auditing
Define information integrity, accuracy, and auditing.
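As an added example, not code from the (ISC)2 guide, the block below implements the integrity and accuracy controls named above: a batch reconciliation that compares record counts, control totals and sequence numbers, and a per-transaction validator that applies the character, range, relationship, reasonableness and transaction-limit checks. The master record file, the batch, the limits and the function names are constructed for the illustration; the validator also handles non-numeric and NaN amounts, which would otherwise make the later numeric checks misbehave.

```python
"""Integrity and accuracy controls for a batch of transactions.

Added example, not code from the (ISC)2 guide. The master record file, the
batch, the limits and the names reconcile_batch / validate_transaction are
constructed for the illustration.
"""
import re
from decimal import Decimal, InvalidOperation

# Constructed master record file used by the relationship check: account -> owner.
MASTER_RECORDS = {"ACC-1001": "alice", "ACC-1002": "bob"}
AMOUNT_RANGE = (Decimal("0.01"), Decimal("50000.00"))  # range check bounds (constructed)
TRANSACTION_LIMIT = Decimal("10000.00")                 # per-transaction ceiling (constructed)
ACCOUNT_PATTERN = re.compile(r"^ACC-\d{4}$")            # character check: letters, dash, four digits


def reconcile_batch(records, expected_count, expected_total):
    """Integrity control: compare what was processed against what was supposed
    to be processed (record count, control total, unbroken sequence numbers).
    Returns a list of discrepancies; an empty list means the batch reconciles."""
    problems = []
    if len(records) != expected_count:
        problems.append(f"count {len(records)} != expected {expected_count}")
    total = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    if total != Decimal(expected_total):
        problems.append(f"total {total} != expected {expected_total}")
    seqs = [r["seq"] for r in records]
    if seqs and seqs != list(range(seqs[0], seqs[0] + len(seqs))):
        problems.append(f"sequence gap or duplicate in {seqs}")
    return problems


def validate_transaction(tx):
    """Accuracy controls from the text, applied to one input transaction.
    Returns the names of the checks that failed (empty list = accepted)."""
    failures = []
    # Character check: does the account field contain the expected kind of characters?
    if not ACCOUNT_PATTERN.match(tx["account"]):
        failures.append("character")
    try:
        amount = Decimal(tx["amount"])
    except InvalidOperation:
        # Not numeric at all; no further numeric check is meaningful.
        return failures + ["character"]
    if amount.is_nan() or amount.is_infinite():
        # Decimal accepts "NaN"/"Infinity" as input, but comparing NaN raises,
        # so treat both as a character-level failure as well.
        return failures + ["character"]
    # Range check: predetermined lower and upper limits.
    lo, hi = AMOUNT_RANGE
    if not lo <= amount <= hi:
        failures.append("range")
    # Relationship check: the account must exist in the master file and belong to the stated owner.
    if MASTER_RECORDS.get(tx["account"]) != tx["owner"]:
        failures.append("relationship")
    # Reasonableness check: currency amounts are expected to carry at most two decimals.
    if amount != amount.quantize(Decimal("0.01")):
        failures.append("reasonableness")
    # Transaction limit: a set ceiling for this transaction type.
    if amount > TRANSACTION_LIMIT:
        failures.append("transaction_limit")
    return failures


# Constructed batch: sequence number 3 is missing, so the batch must not reconcile.
SAMPLE_BATCH = [
    {"seq": 1, "account": "ACC-1001", "owner": "alice", "amount": "100.00"},
    {"seq": 2, "account": "ACC-1002", "owner": "bob", "amount": "200.00"},
    {"seq": 4, "account": "ACC-1001", "owner": "alice", "amount": "300.00"},
]

if __name__ == "__main__":
    print(reconcile_batch(SAMPLE_BATCH, expected_count=3, expected_total="600.00"))
    print(validate_transaction({"account": "acc-1001x", "owner": "mallory", "amount": "12000.005"}))
```

Amounts are handled as Decimal rather than float so that control totals compare exactly; a float total of many two-decimal amounts can drift and produce a false reconciliation failure.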


Risk Analysis and Mitigation


Risk is defined as an event or occurrence that has a probability of having an impact on an application project should that risk occur. Being able to identify the risks and mitigate them as part of application security effectiveness is also very important.

PPT: Risk Analysis and Mitigation
Define the importance of identifying risks in the software environment and mitigating those risks.

Risk Management
Risk management is an ongoing process that continues through the life of a project. It includes processes for risk management planning, identification, analysis, monitoring, and control. Many of these processes are updated throughout the project lifecycle, as new risks can be identified at any time and need to be mitigated as they are identified and analyzed. It is the objective of risk management to mitigate or treat the risk, and therefore the probability and impact of events adverse to the project.

PPT: Risk Management
Explain the importance of risk management.

Testing and Verification
When mitigations are implemented, they must be tested. In mature and efficient SDLC environments, this is often done as part of the promotion between development environments by the quality assurance and testing teams.

PPT: Testing and Verification
Explain the importance of testing and verification of risk mitigation techniques.

Testing and Verification Roles
Security findings should be addressed by the development team the same as any other change request, with the condition that the security assessor or another independent entity verifies and validates that the flaw has indeed been remediated. These roles need to be distinct and separate. In large organizations, independent verification and validation teams work to determine if security findings and flaws are truly resolved. They do this by testing and using other assurance methods. This process should also involve the audit group to independently verify that the findings have been addressed. In other words, the developer or system owner does not authoritatively declare the risk mitigated without the concurrence of an independent party that includes security and audit and possibly other stakeholders. In addition to testing of mitigations, the developer should be encouraged to use code signing as another means of integrity checking for the code they are producing. Code signing is discussed next.

PPT: Testing and Verification Roles
Explain the importance of accountabilities of several roles related to risk mitigation in the software environment.


Code Signing
Code signing is a technique that can be used to address application software integrity. As a summary, code signing can be used to determine the following:
• Who is the author of a specific piece of code
• The purpose or function of the specific code that has been signed

PPT: Code Signing
Define code signing and its relevance to security.

For code signing to work, it requires signatures that will be used to perform policy checks. These policy checks can be done at different levels and, in some cases, when done by the operating system, the O/S can determine whether to allow the code to actually run. A very simplistic way to look at this is that the code would be allowed to run only if it was signed and met certain other policy requirements established by the organization.

Code signing has been shown to provide other benefits. Digital certificates attached to the code can protect users from downloading compromised files or applications that may contain malware. Here’s an example: let’s say an application or program has been signed by a particular developer, but it has been modified after publication. A browser may display a pop-up warning that the code may have been modified and, therefore, cannot be verified as being authentic. Code signing makes all this possible, and it is a tool to allow verification of code as being authentic and not having been modified.

If an application or program has been signed by the original author, it makes it possible to determine whether someone other than the signer has modified the code at some point after publication. Once signed, it may be possible to detect intentional or accidental alterations.

Code signing can be used to “sign” more than just applications and programs; in fact, the industry has used code signing to “sign” programming tools, applications, scripts, libraries, plug-ins, etc. To summarize, code signing can achieve three distinct purposes. It can be used to:
• Allow detection of code that may have been altered
• Identify the author of specific code or the signer of that code
• Allow determination of the specific purpose of code, and the reason it was written


Code Signature Components


To allow code signing to work properly and achieve its goals, code signatures consist of three parts:
• A seal that can be used to detect unauthorized alterations to the code
• A digital signature that signs the seal to guarantee its integrity and addresses nonrepudiation of the author
• A unique identifier used to identify the purpose of the code or to determine which classification the code belongs to

PPT: Code Signature Components
Mention the important components of code signing.

Code Signature Limitations

As with any other security control, code signing is not perfect, and it cannot achieve everything. The following is a summary of what code signing may not be able to do:
• Cannot guarantee that code is free of security vulnerabilities, exploits, or bugs
• Cannot guarantee that an application or program during execution will not load unsafe or altered code, such as untrusted plug-ins
• Cannot address Digital Rights Management (DRM) or provide copy protection capabilities

PPT: Code Signature Limitations
Emphasize the code signing limitations.

PPT: Regression and Acceptance Testing
Define regression testing and its importance.
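The added example below, which is not code from the (ISC)2 guide and not any vendor's signing format, ties together the "Code Signing" section and the three signature components listed above: a seal (SHA-256 digest of the code), a digital signature over the seal, and a unique purpose identifier, followed by the policy check that allows code to run only when the signature verifies and the signer and purpose are approved. To keep the block runnable with the standard library alone, the signing key is a constructed toy RSA key built from two well-known Mersenne primes and the signature uses no padding scheme; the record layout, the function names and the sample identifier are assumptions.

```python
"""Code signing with the three components the text lists: a seal over the code,
a digital signature over the seal, and a unique identifier for the code's purpose.

Added example, not code from the (ISC)2 guide. The key below is a constructed
toy RSA key (Mersenne primes 2^521-1 and 2^127-1, no padding scheme) chosen only
so the block runs with the standard library; real code signing uses a
CA-issued certificate and a padded signature scheme.
"""
import hashlib
import json

_P = 2**521 - 1
_Q = 2**127 - 1
RSA_N = _P * _Q
RSA_E = 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))  # private exponent (Python 3.8+)
PUBLIC_KEY = (RSA_N, RSA_E)
PRIVATE_KEY = (RSA_N, _RSA_D)


def make_seal(code):
    """Component 1: the seal, a SHA-256 digest that detects any alteration of the code."""
    return hashlib.sha256(code).hexdigest()


def signed_material(seal, identifier, signer):
    """Hash of seal + identifier + signer. Signing all three together means the
    identifier or signer cannot be swapped while keeping the signature valid."""
    blob = json.dumps({"seal": seal, "id": identifier, "signer": signer}, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")   # < 2^256 < RSA_N


def sign_code(code, identifier, signer, private_key=PRIVATE_KEY):
    """Produce the signature record: seal, identifier, signer and the digital signature."""
    n, d = private_key
    seal = make_seal(code)
    return {"seal": seal, "id": identifier, "signer": signer,
            "signature": pow(signed_material(seal, identifier, signer), d, n)}


def verify_code(code, record, public_key=PUBLIC_KEY):
    """Return (ok, reason). The seal is compared with the code first (alteration),
    then the signature is checked against seal, identifier and signer (authenticity)."""
    n, e = public_key
    if make_seal(code) != record["seal"]:
        return False, "seal mismatch: code altered after signing"
    expected = signed_material(record["seal"], record["id"], record["signer"])
    if pow(record["signature"], e, n) != expected:
        return False, "bad signature: record was not produced with the matching private key"
    return True, "verified: signed by %s for purpose %s" % (record["signer"], record["id"])


def policy_allows_run(code, record, allowed_signers, allowed_ids, public_key=PUBLIC_KEY):
    """The policy check the text describes: run only if the signature verifies and
    both the signer and the declared purpose are on the organization's allow lists."""
    ok, _ = verify_code(code, record, public_key)
    return ok and record["signer"] in allowed_signers and record["id"] in allowed_ids


# Constructed sample: a build script signed by a release team for one stated purpose.
SAMPLE_CODE = b"echo 'build step'\n"
SAMPLE_ID = "com.example.build-script"   # constructed purpose identifier
SAMPLE_RECORD = sign_code(SAMPLE_CODE, SAMPLE_ID, "release-team")

if __name__ == "__main__":
    print(verify_code(SAMPLE_CODE, SAMPLE_RECORD))
    print(verify_code(SAMPLE_CODE + b"# appended after signing\n", SAMPLE_RECORD))
    print(policy_allows_run(SAMPLE_CODE, SAMPLE_RECORD, {"release-team"}, {SAMPLE_ID}))
```

Note that the signature covers the identifier and signer together with the seal: if it covered the seal alone, a record could be re-labelled with a different purpose or author and still verify, which would defeat the second and third purposes of code signing listed in the text.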

Regression and Acceptance Testing


Whenever developers change or modify their software, even a small tweak can have unexpected consequences for the overall functionality of the system.

PPT: Regression Testing
Explain benefits of regression testing.

Regression Testing
Testing existing software applications to make sure that a change or addition to the application has not affected any existing functionality in a negative way is called regression testing. Its purpose is to catch any code or bugs that may have been accidentally introduced into a new build of software or release candidate and to ensure that previously eradicated bugs continue to stay eradicated.

By rerunning testing scenarios that were originally scripted when known problems were first fixed, the developer or security professional can make sure that any new changes to an application have not resulted in a regression or caused components that worked before to fail.
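The block below is an added example, not code from the (ISC)2 guide, of the practice just described: a set of cases scripted when earlier defects were fixed is rerun against a new build, and any case that fails again is reported as a regression. The function under test (a path normalizer), its two versions, and the ticket identifiers are constructed for the illustration; the second version is a refactor that accidentally reintroduces one of the fixed defects.

```python
"""Regression suite built from previously fixed defects.

Added example, not code from the (ISC)2 guide. The function under test, its
two versions and the ticket ids are constructed for the illustration.
"""
import re


def normalize_path_v1(path):
    """Current build: collapses duplicate slashes (fixed in BUG-101) and rejects
    any '..' segment anywhere in the path (fixed in BUG-117 and BUG-118)."""
    if ".." in path.split("/"):
        raise ValueError("parent-directory segment not allowed")
    return re.sub(r"/+", "/", path)


def normalize_path_v2(path):
    """Release candidate after a 'cleanup': the '..' check now only looks at the
    start of the path, which silently undoes the BUG-117 fix."""
    if path.startswith(".."):
        raise ValueError("parent-directory segment not allowed")
    return re.sub(r"/+", "/", path)


# Each case was scripted when the corresponding defect was fixed (ticket ids constructed).
# "expect" is either the expected return value or the exception type expected.
REGRESSION_CASES = [
    {"ticket": "BUG-101", "input": "a//b///c", "expect": "a/b/c"},
    {"ticket": "BUG-117", "input": "a/../b", "expect": ValueError},
    {"ticket": "BUG-118", "input": "../etc", "expect": ValueError},
]


def run_regression(func, cases=REGRESSION_CASES):
    """Rerun every recorded case against `func`; return the ticket ids whose
    defect has reappeared (an empty list means no regression)."""
    regressions = []
    for case in cases:
        expect = case["expect"]
        try:
            actual = func(case["input"])
        except Exception as exc:
            ok = isinstance(expect, type) and isinstance(exc, expect)
        else:
            ok = not isinstance(expect, type) and actual == expect
        if not ok:
            regressions.append(case["ticket"])
    return regressions


if __name__ == "__main__":
    print("current build regressions:", run_regression(normalize_path_v1))
    print("release candidate regressions:", run_regression(normalize_path_v2))
```

Each case records which ticket it protects, so a failure points straight at the defect that has returned rather than only at the input that broke; that is what makes a regression suite useful as a release gate.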


Acceptance Testing
Acceptance testing is a formal test conducted to determine whether the system satisfies its acceptance criteria and to enable the owner/customer to determine whether to accept the system. This was originally called “Functional Testing” because each acceptance test tries to test the functionality of the application to ensure it does what it is supposed to. Acceptance tests are different from unit tests in that unit tests are modeled and written by the developer of each class, while the acceptance test is modeled and written by the customers and owners.

Testing generally involves running a suite of tests on the completed system once it is ready, and the individual test, known as a case, exercises a particular operating condition of the environment or feature of the system and will result in a pass or fail outcome. There is generally no degree of success or failure; it’s either a yes or a no.

PPT: Acceptance Testing
Define acceptance testing.

Assess Security Impact of Acquired Software

Software Assurance

Software vulnerabilities, malicious code, and software that does not function as required are a substantial risk to any organization’s software-intensive critical infrastructure. Minimizing risks associated with the software environment is the goal of software assurance. In other words, software assurance can be defined as having a high level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that it functions in the intended manner.

PPT: Assess Security Impact of Acquired Software
Explain the importance of involving security in acquiring software.

PPT: Software Assurance in the Phases of Acquiring Software
Explain how security is involved in all phases of software acquisition.

Software Assurance in the Phases of Acquiring Software


To ensure the integrity of business operations and key assets within
critical infrastructure that rely on software, acquired software must
be reliable and secure just as if it was developed in-house. That
means that software assurance must be addressed around the major
phases of a generic acquisition process. These are the major phases:
1. Planning
2. Contracting
3. Monitoring and Acceptance
4. Follow-on


Planning Phase
This phase begins with:
• Needs determination for acquiring software services or products, identifying potential alternative software approaches, and identifying risks associated with those alternatives. This includes the following:
  o Developing software requirements to be included in work statements
  o Creating an acquisition strategy and/or plan that includes identifying risks associated with various software acquisition strategies
  o Developing evaluation criteria and an evaluation plan

PPT: Planning Phase
Explain security’s role in the planning phase.

Contracting Phase
This phase includes three major activities:
• Creating and issuing the solicitation or request for proposal (RFP) with a work statement, instructions to potential respondents to the RFP, terms and conditions, including conditions for acceptance, prequalification considerations, and certifications.
• Evaluating supplier proposals submitted in response to the solicitation or RFP.
• Finalizing contract negotiation to include changes in terms and conditions and awarding the contract.
Software risks should be addressed and mitigated through terms and conditions, certifications, evaluation factors for award, and risk mitigation requirements in the work statement.

PPT: Contracting Phase
Explain security’s role in the contracting phase.

PPT: Monitoring and Acceptance Phase
Explain security’s role in the monitoring and acceptance phase.

Monitoring and Acceptance Phase


This phase involves monitoring the supplier’s work and accepting the final service or product delivered under a contract. This phase also includes three major activities:
• Establishing and consenting to the contract work schedule
• Implementing change or configuration control procedures
• Reviewing and accepting software deliverables

During the monitoring and acceptance phase, software risk management and assurance case deliverables must be evaluated to determine compliance with the accepted risk mitigation strategies as stated in the requirements of the contract.


Follow-on
This phase involves maintaining the software. This process is sometimes called sustainment. This phase includes two major activities:
• Sustainment, which includes risk management, assurance case management, and change management
• Disposal or decommissioning

During the follow-on phase, software risks must be managed through continued analysis of the assurance case and should be adjusted to mitigate changing risks.

PPT: Follow-on
Explain security’s role in the follow-on phase.

Software Assurance Policy
As with any other important security initiative, the organization needs to ensure that a well-documented, well-written, well-communicated, and well-understood policy and process is in place for software assurance. Without the benefits of such a policy, the dangers and risks faced by the enterprise include potentially acquiring for use and deploying software that is full of errors and other vulnerabilities that may be exploitable, or that may contain malicious software.

PPT: Software Assurance Policy
Emphasize the importance of a software assurance policy.

Risks Associated with Software Vulnerabilities
Application software that is vulnerable may permit the following:
• Unintentional errors leading to faulty operations that result in destruction or corruption of information or major disruption of operations
• Intentional insertion of malicious code that may lead to destruction of information, major disruption of operations, or even destruction of critical infrastructure
• Theft of vital information that is sensitive, valuable, and classified
• Theft of personal information
• Changed product, inserted agents, or corrupted information

PPT: Risks Associated with Software Vulnerabilities
Mention certain risks associated with software and vulnerabilities in software.

Acquisition Process
The acquisition process can be leveraged to promote good software development practices and facilitate the delivery of trustworthy software to the organization. All final software security requirements decisions are made during the acquisition process, in addition to acceptance and implementation decisions. And as usual, security must be designed and engineered in from the beginning, because the best type of security is always what is designed into the application and system.

Many suppliers use CMMs to guide process improvement and assess capabilities, especially related to applications development, yet most of the CMMs may not explicitly address safety and security specifically. As such, suppliers claiming mature process capabilities can fail to exercise practices critical to software assurance. Therefore, the security professional should verify how software assurance has been factored into suppliers’ process capabilities.

PPT: Acquisition Process
Define the acquisition process.


Module 5: Domain Review

Domain Summary
To protect applications and the functions they provide, we need to involve security at the beginning of the SDLC.

Organizations can choose the correct methodologies for applications development, but the development methodology needs to involve security as part of the process.

There are maturity models and other methods that can be used by organizations to mature and get better in software development and get security involved.

Change management is useful in allowing changes to anything that is already running in production, including applications and systems. Security needs to be a part of the entire change control process.

Organizations need to understand the benefits of integrating traditionally separate environments in software. Integrating the development area together with the quality assurance function and the operations environment provides a better way to understand and address goals and objectives.

Organizations need to standardize on using secure coding guidelines and standards that exist in the industry. These can provide guidance on how to develop secure code in applications by using toolsets, programming languages, libraries, and other methods.

It is important to address weaknesses at the source code level. These include making sure we protect APIs and addressing known vulnerabilities that exist in application software environments such as buffer overflows, escalation of privileges, and data validation.

Applications are instrumental in providing access and control of database environments. Protecting against vulnerabilities, exploits, and risk in the database environment needs special attention. Using controls related to concurrency, integrity protection, and inference and aggregation becomes very important.

Protecting the web application environment is very challenging for organizations and needs to be done in a structured and layered defense model. Data validation is one of the most important focuses in web environments.

PPT: Domain Review
Engage participants in a review of key information from this domain by discussing this scenario-based set of questions and answers. Question slides are immediately followed by the answer slide.

PPT: Domain Summary (6 slides)
Participate in review of key elements from the domain on software development security.

Module 5: Domain Review 749



Malicious software consists of applications that are written to do something harmful. Protecting against all of the different flavors of malware requires a consistent and effective malware protection program within the organization.

On a regular basis, it is important to measure and provide assurance related to the effectiveness of software security. Having software assurance policies and procedures and assessment methods can address this need.

Risk management processes need to be applied in the software environment, and it becomes important to provide assurance for any software that is acquired and purchased through vendors and third parties.

PPT: Domain Summary (6 slides) (continued)
Participate in review of key elements from the domain on software development security.


Domain Review Questions


1. The Software Engineering Institute’s Capability Maturity Model (CMM) Integration focuses on:
A. Software development methodologies
B. Systems integration
C. Process management
D. Software testing and evaluation

2. Two cooperating processes that simultaneously compete for a shared resource, in such a way that they violate the system’s security policy, is commonly known as:
A. Denial of service (DoS)
B. Race condition
C. Object reuse
D. Overt channel

3. Programmed procedures which ensure that valid transactions are processed accurately are referred to as:
A. Data installation
B. Application controls
C. Operations controls
D. Physical controls

PPT: Domain Review Questions
Participate in sample review questions addressing key elements of the Software Development Security Domain.


4. Buffer overflow and boundary condition errors are subsets of:
A. Race condition errors
B. Access validation errors
C. Exceptional condition handling errors
D. Input validation errors

5. Copies of essential application programs, documentation, and electronic data should be:
A. Stored with the computer system
B. Licensed by the users
C. Maintained by the developers
D. Stored at a backup site

6. A property that ensures only valid or legal transactions that do not violate any user-defined integrity constraints in DBMS technologies is known as:
A. Durability
B. Isolation
C. Consistency
D. Atomicity

7. The ability to combine non-sensitive data from separate sources to create possibly more sensitive information is referred to as:
A. Concurrency
B. Inference
C. Polyinstantiation
D. Aggregation

PPT: Domain Review Questions (continued)
Participate in sample review questions addressing key elements of the Software Development Security Domain.


8. The purpose of polyinstantiation is to prevent:
A. Low-level users from inferring the existence of higher level data
B. Low-level users from inferring the existence of data in other databases
C. Low-level users from accessing low-level data
D. High-level users from inferring the existence of data at lower levels

9. Which virus type changes some of its characteristics as it spreads?
A. Boot sector infector
B. Macro
C. Stealth
D. Polymorphic

10. Which one of the following BEST describes a logic bomb?
A. Functions triggered by a specified condition
B. Cause the execution of unanticipated functions
C. Used to remove data or copies of data from the computer
D. Used to move assets from one system to another

PPT: Domain Review Questions (continued)
Participate in sample review questions addressing key elements of the Software Development Security Domain.


Domain Review Answers

1. The Software Engineering Institute’s Capability Maturity Model (CMM) Integration focuses on:
A. Software development methodologies
B. Systems integration
C. Process management
D. Software testing and evaluation
The correct answer is C. CMM is a process improvement methodology that allows organizations to mature to better levels in relation to process improvement.

2. Two cooperating processes that simultaneously compete for a shared resource, in such a way that they violate the system’s security policy, is commonly known as:
A. Denial of service (DoS)
B. Race condition
C. Object reuse
D. Overt channel
The correct answer is B. A race condition occurs when two processes need to carry out their tasks against one resource. The processes, however, need to execute in the correct order: process 1 first, process 2 second. If that order can be disrupted by an attacker, the attacker can manipulate the output of the combined action of the two processes and potentially create a different outcome than the one intended.
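As an added illustration of the ordering problem this answer describes (example code, not from the guide): two withdrawals against one shared account are modelled as separate "check" and "act" steps and run under a chosen interleaving, beside a hardened version that holds a lock across both steps so no interleaving can separate them. The account, amounts and step names are constructed for the example.

```python
import threading


def withdraw_steps(account, amount):
    """One withdrawal as a generator with two separable steps:
    step 1 checks the balance (time of check), step 2 debits it (time of use).
    Splitting them lets a scheduler interleave two withdrawals deterministically."""
    enough = account["balance"] >= amount      # time of check
    yield "checked"
    if enough:
        account["balance"] -= amount           # time of use
    yield "done"


def run_interleaved(start_balance, amount, order):
    """Run two withdrawals of `amount` against one shared account.
    `order` lists which process (0 or 1) advances one step at each tick:
    [0, 0, 1, 1] is fully serialized, [0, 1, 0, 1] interleaves the two.
    Returns the final balance (negative means the race was won by both)."""
    account = {"balance": start_balance}
    procs = [withdraw_steps(account, amount), withdraw_steps(account, amount)]
    for pid in order:
        next(procs[pid], None)                 # None: that process already finished
    return account["balance"]


class LockedAccount:
    """Hardened version: check and act happen under one lock, so the two steps
    are atomic with respect to every other withdrawal."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw(self, amount):
        with self._lock:
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False


def run_locked(start_balance, amount, workers=2):
    """Run `workers` threads that each attempt one withdrawal of `amount`.
    Returns (final_balance, number_of_successful_withdrawals); the result is
    the same whatever order the scheduler actually runs the threads in."""
    acct = LockedAccount(start_balance)
    results = []
    threads = [threading.Thread(target=lambda: results.append(acct.withdraw(amount)))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(results)
```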


3. Programmed procedures which ensure that valid transactions are processed accurately are referred to as:
A. Data installation
B. Application controls
C. Operations controls
D. Physical controls
The correct answer is B. The key word is “programmed,” which indicates that these are application controls; in addition, ensuring that valid transactions are processed accurately is part of the application controls.

4. Buffer overflow and boundary condition errors are subsets of:
A. Race condition errors
B. Access validation errors
C. Exceptional condition handling errors
D. Input validation errors
The correct answer is D. Inadequate input (data) validation is the problem underlying most attacks and application faults. Validating input properly is the best control to avoid many attacks, including buffer overflow conditions.

5. Copies of essential application programs, documentation, and electronic data should be:
A. Stored with the computer system
B. Licensed by the users
C. Maintained by the developers
D. Stored at a backup site
The correct answer is D. The key words in the question are “copies” and “essential,” which tell us that we need to provide redundancy. None of the other answers makes sense in relation to “essential” valuable assets.


6. A property that ensures only valid or legal transactions that do not violate any user-defined integrity constraints in DBMS technologies is known as:
A. Durability
B. Isolation
C. Consistency
D. Atomicity
The correct answer is C. Consistency, as part of the ACID (Atomicity, Consistency, Isolation, Durability) test, ensures that transactions that are applied do not affect the integrity of the database and its contents. The integrity of the database needs to be the same as it was before the transaction was applied.
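An added example (not from the guide) of the consistency property in a relational DBMS, using Python's built-in sqlite3: a CHECK constraint states the user-defined integrity rule, and a transfer that would violate it is rolled back as a whole, leaving the database in the state it had before the transaction. The account names and balances are constructed sample data.

```python
import sqlite3


def make_bank():
    """Constructed sample database: two accounts and one user-defined
    integrity constraint (no account may go negative)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "  id TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst inside one transaction.
    The credit is applied first on purpose: if the debit then violates the
    CHECK constraint, the DBMS must roll the already-applied credit back too,
    otherwise the total money in the bank would change (an inconsistent state)."""
    try:
        with conn:  # commits on success, rolls back on any exception
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                         (amount, dst))
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                         (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False          # transaction rejected; database unchanged


def balances(conn):
    """Snapshot of every account, e.g. {'alice': 100, 'bob': 50}."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def total(conn):
    """Invariant every committed state must satisfy: money is moved, never created."""
    return conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]
```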

7. The ability to combine non-sensitive data from separate sources to create possibly more sensitive information is referred to as:
A. Concurrency
B. Inference
C. Polyinstantiation
D. Aggregation
The correct answer is D. Combining smaller pieces of information so that more sensitive information may be inferred from them is referred to as aggregation; the word itself means “combining things together.” Inference is the ability to deduce more sensitive information.


8. The purpose of polyinstantiation is to prevent:
A. Low-level users from inferring the existence of higher level data
B. Low-level users from inferring the existence of data in other databases
C. Low-level users from accessing low-level data
D. High-level users from inferring the existence of data at lower levels
The correct answer is A. Polyinstantiation allows different versions of the same information to exist at different classification levels to prevent inference of more sensitive information that exists at higher levels.
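An added example (not from the guide) of what this answer describes: a small multilevel table in Python in which the same primary key may hold one row per classification level, so a low-clearance insert is stored as a second instance rather than refused, and a query returns the highest row the subject is cleared to see. It is shown beside an ordinary single-instance table whose refusal is exactly the inference channel. The ship, destinations and level names are constructed sample data.

```python
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class KeyExists(Exception):
    """Raised by the non-polyinstantiated table; the error itself is the leak."""


class SingleInstanceTable:
    """Ordinary table: one row per primary key regardless of level.
    A low-level insert that collides with a higher-level row is refused,
    which tells the low-level user that a classified row exists."""

    def __init__(self):
        self.rows = {}          # key -> (level, values)

    def insert(self, key, level, values):
        if key in self.rows:
            raise KeyExists(key)
        self.rows[key] = (LEVELS[level], dict(values))

    def select(self, key, clearance):
        row = self.rows.get(key)
        if row is None or row[0] > LEVELS[clearance]:
            return None     # invisible to this subject
        return row[1]


class PolyinstantiatedTable:
    """Multilevel table: the primary key is (key, level), so the same key can
    hold a different row at each classification level."""

    def __init__(self):
        self.rows = {}          # (key, level) -> values

    def insert(self, key, level, values):
        # Never refuse because a higher-level row exists: that refusal would
        # let the subject infer it. Store (or update) the instance at this level.
        self.rows[(key, LEVELS[level])] = dict(values)

    def select(self, key, clearance):
        # Return the most highly classified instance the subject may read.
        visible = [lvl for (k, lvl) in self.rows
                   if k == key and lvl <= LEVELS[clearance]]
        return self.rows[(key, max(visible))] if visible else None


def demo():
    """Constructed scenario: a SECRET row for a ship exists; an UNCLASSIFIED
    user inserts a cover story for the same ship. Returns what each model does."""
    secret_row = {"destination": "Saipan"}
    cover_row = {"destination": "Mediterranean"}

    single = SingleInstanceTable()
    single.insert("Vigilant", "SECRET", secret_row)
    try:
        single.insert("Vigilant", "UNCLASSIFIED", cover_row)
        single_leak = False
    except KeyExists:
        single_leak = True      # low-level user learned the key is taken

    poly = PolyinstantiatedTable()
    poly.insert("Vigilant", "SECRET", secret_row)
    poly.insert("Vigilant", "UNCLASSIFIED", cover_row)
    return {
        "single_instance_refuses_insert": single_leak,
        "unclassified_view": poly.select("Vigilant", "UNCLASSIFIED"),
        "secret_view": poly.select("Vigilant", "SECRET"),
    }
```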

9. Which virus type changes some of its characteristics as it spreads?
A. Boot sector infector
B. Macro
C. Stealth
D. Polymorphic
The correct answer is D. The word polymorphism means many changes. Polymorphic viruses change something about themselves as they infect to try and hide from detection programs.

10. Which one of the following BEST describes a logic bomb?
A. Functions triggered by a specified condition
B. Cause the execution of unanticipated functions
C. Used to remove data or copies of data from the computer
D. Used to move assets from one system to another
The correct answer is A. A logic bomb is defined as malware that waits for a specific condition to exist before its negative (damaging) payload is triggered. The condition can be related to time, or to specific parameters that exist in the system.


Terms and Definitions

Term Definition

ActiveX Data Objects (ADO): A Microsoft high-level interface for all kinds of data.

Capability Maturity Model for Software or Software Capability Maturity Model (CMM or SW-CMM): Maturity model focused on quality management processes and has five maturity levels that contain several key practices within each maturity level.

Common Object Request Broker Architecture (CORBA): A set of standards that addresses the need for interoperability between hardware and software products.

Computer virus: A program written with functions and intent to copy and disperse itself without the knowledge and cooperation of the owner or user of the computer.

Configuration management (CM): A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).

Covert channel: An information flow that is not controlled by a security control and has the opportunity of disclosing confidential information.

Data mining: A decision-making technique that is based on a series of analytical techniques taken from the fields of mathematics, statistics, cybernetics, and genetics.

Database Management System (DBMS): A suite of application programs that typically manages large, structured sets of persistent data.

Database model: Describes the relationship between the data elements and provides a framework for organizing the data.

DevOps: An approach based on lean and agile principles in which business owners and the development, operations, and quality assurance departments collaborate.

Integrated Process and Product Development (IPPD): A management technique that simultaneously integrates all essential acquisition activities through the use of multidisciplinary teams to optimize the design, manufacturing, and supportability processes.

Knowledge Discovery in Databases (KDD): A mathematical, statistical, and visualization method of identifying valid and useful patterns in data.

Log: A record of actions and events that have taken place on a computer system.

Metadata: Information about the data.

Software assurance: The level of confidence that software is free from vulnerabilities either intentionally designed into the software or accidentally inserted at any time during its lifecycle and that it functions in the intended manner.

Time multiplexing: Allows the operating system to provide well-defined and structured access to processes that need to use resources according to a controlled and tightly managed schedule.

Time of Check vs. Time of Use (TOCTOU) Attacks: Takes advantage of the dependency on the timing of events that takes place in a multitasking operating system.

Trusted computing base (TCB): The collection of all of the hardware, software, and firmware within a computer system that contains all elements of the system responsible for supporting the security policy and the isolation of objects.

Waterfall Development Methodology: A development model in which each phase contains a list of activities that must be performed and documented before the next phase begins.

Glossary

Term Definition

Acceptable risk: A suitable level of risk commensurate with the potential benefits of the organization’s operations as determined by senior management.

Access control system: Means to ensure that access to assets is authorized and restricted based on business and security requirements related to logical and physical systems.

Access control tokens: The system decides if access is to be granted or denied based upon the validity of the token for the point where it is read based on time, date, day, holiday, or other condition used for controlling validation.

Accountability: Accountability ensures that account management has assurance that only authorized users are accessing the system and using it properly.

ActiveX Data Objects (ADO): A Microsoft high-level interface for all kinds of data.

Address Resolution Protocol (ARP): Is used at the Media Access Control (MAC) Layer to provide for direct communication between two devices within the same LAN segment.

Algorithm: A mathematical function that is used in the encryption and decryption processes.

Asset: An item perceived as having value.

Asset lifecycle: The phases that an asset goes through from creation (collection) to destruction.

Asymmetric: Not identical on both sides. In cryptography, key pairs are used, one to encrypt, the other to decrypt.

Attack surface: Different security testing methods find different vulnerability types.

Attribute-based access control (ABAC): This is an access control paradigm whereby access rights are granted to users with policies that combine attributes together.


Audit/auditing: The tools, processes, and activities used to perform compliance reviews.

Authorization: The process of defining the specific resources a user needs and determining the type of access to those resources the user may have.

Availability: Ensuring timely and reliable access to and use of information by authorized users.

Baselines: A minimum level of security.

Bit: Most essential representation of data (zero or one) at Layer 1 of the Open Systems Interconnection (OSI) model.

Black-box testing: Testing where no internal details of the system implementation are used.

Bluetooth (Wireless Personal Area Network IEEE 802.15): Bluetooth wireless technology is an open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs), and it has been integrated into many types of business and consumer devices.

Bridges: Layer 2 devices that filter traffic between segments based on Media Access Control (MAC) addresses.

Business continuity (BC): Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency.

Business continuity and disaster recovery (BCDR): A term used to jointly describe business continuity and disaster recovery efforts.

Business impact analysis (BIA): A list of the organization’s assets, annotated to reflect the criticality of each asset to the organization.

Capability Maturity Model for Software or Software Capability Maturity Model (CMM or SW-CMM): Maturity model focused on quality management processes and has five maturity levels that contain several key practices within each maturity level.

Cellular Network: A radio network distributed over land areas called cells, each served by at least one fixed-location transceiver, known as a cell site or base station.


Certificate authority (CA): An entity trusted by one or more users as an authority that issues, revokes, and manages digital certificates to bind individuals and entities to their public keys.

Change management: A formal, methodical, comprehensive process for requesting, reviewing, and approving changes to the baseline of the IT environment.

CIA/AIC Triad: Security model in which the three security concepts of confidentiality, integrity, and availability make up the CIA Triad. It is also sometimes referred to as the AIC Triad.

Ciphertext: The altered form of a plaintext message, so as to be unreadable for anyone except the intended recipients. Something that has been turned into a secret.

Classification: Arrangement of assets into categories.

Clearing: The removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software recovery utilities.

Code-division multiple access (CDMA): Every call’s data is encoded with a unique key, then the calls are all transmitted at once.

Common Object Request Broker Architecture (CORBA): A set of standards that addresses the need for interoperability between hardware and software products.

Compliance: Adherence to a mandate; both the actions demonstrating adherence and the tools, processes, and documentation that are used in adherence.

Computer virus: A program written with functions and intent to copy and disperse itself without the knowledge and cooperation of the owner or user of the computer.

Concentrators: Multiplex connected devices into one signal to be transmitted on a network.


Condition coverage: This criterion requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from branch coverage only when multiple conditions must be evaluated to reach a decision.

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Configuration management (CM): A formal, methodical, comprehensive process for establishing a baseline of the IT environment (and each of the assets within that environment).

Confusion: Provided by mixing (changing) the key values used during the repeated rounds of encryption. When the key is modified for each round, it provides added complexity that the attacker would encounter.

Content Distribution Network (CDN): Is a large distributed system of servers deployed in multiple data centers across the internet.

Covert channel: An information flow that is not controlled by a security control and has the opportunity of disclosing confidential information.

Covert security testing: Performed to simulate the threats that are associated with external adversaries. While the security staff has no knowledge of the covert test, the organization management is fully aware and consents to the test.

Crossover Error Rate (CER): This is achieved when the Type I and Type II error rates are equal.

Cryptanalysis: The study of techniques for attempting to defeat cryptographic techniques and, more generally, information security services provided through cryptography.

Cryptography: Secret writing. Today provides the ability to achieve confidentiality, integrity, authenticity, non-repudiation, and access control.

Cryptology: The science that deals with hidden, disguised, or encrypted information and communications.

Curie Temperature: The critical point where a material’s intrinsic magnetic alignment changes direction.


Custodian: Responsible for protecting an asset that has value, while in the custodian’s possession.

Data classification: Entails analyzing the data that the organization retains, determining its importance and value, and then assigning it to a category.

Data custodian: The person/role within the organization who usually manages the data on a day-to-day basis on behalf of the data owner/controller.

Data flow coverage: This criterion requires sufficient test cases for each feasible data flow to be executed at least once.

Data mining: A decision-making technique that is based on a series of analytical techniques taken from the fields of mathematics, statistics, cybernetics, and genetics.

Data owner/controller: An entity that collects or creates PII.

Data subject: The individual human related to a set of personal data.

Database Management System (DBMS): A suite of application programs that typically manages large, structured sets of persistent data.

Database model: Describes the relationship between the data elements and provides a framework for organizing the data.

Decision (branch) coverage: Considered to be a minimum level of coverage for most software products, but decision coverage alone is insufficient for high-integrity applications.

Decryption: The reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and the appropriate key that was used to do the original encryption.

Defensible destruction: Eliminating data using a controlled, legally defensible, and regulatory compliant way.

DevOps: An approach based on lean and agile principles in which business owners and the development, operations, and quality assurance departments collaborate.


Diffusion: Provided by mixing up the location of the plaintext throughout the ciphertext. The strongest algorithms exhibit a high degree of confusion and diffusion.

Digital certificate: An electronic document that contains the name of an organization or individual, the business address, the digital signature of the certificate authority issuing the certificate, the certificate holder’s public key, a serial number, and the expiration date. Used to bind individuals and entities to their public keys. Issued by a trusted third party referred to as a Certificate Authority (CA).

Digital rights management (DRM): A broad range of technologies that grant control and protection to content providers over their own digital media. May use cryptography techniques.

Digital signatures: Provide authentication of a sender and integrity of a sender’s message and non-repudiation services.

Disaster recovery (DR): Those tasks and activities required to bring an organization back from contingency operations and reinstate regular operations.

Discretionary access control (DAC): The system owner decides who gets access.

Due care: A legal concept pertaining to the duty owed by a provider to a customer.

Due diligence: Actions taken by a vendor to demonstrate/provide due care.

Dynamic or Private Ports: Ports 49152–65535. Whenever a service is requested that is associated with Well-Known or Registered Ports, those services will respond with a dynamic port.

Dynamic testing: When the system under test is executed and its behavior is observed.

Encoding: The action of changing a message into another format through the use of a code.

Encryption: The process of converting the message from its plaintext to ciphertext.

False Acceptance Rate (Type II): This is erroneous recognition either by confusing one user with another, or by accepting an imposter as a legitimate user.


False Rejection Rate (Type I): This is failure to recognize a legitimate user.

Fibre Channel over Ethernet (FCoE): A lightweight encapsulation protocol, and it lacks the reliable data transport of the TCP layer.

Firewalls: Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.

Frame: Data represented at Layer 2 of the Open Systems Interconnection (OSI) model.

Global System for Mobiles (GSM): Each call is transformed into digital data that is given a channel and a time slot.

Governance: The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.

Governance committee: A formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance.

Guidelines: Suggested practices and expectations of activity to best accomplish tasks and attain goals.

Hash function: Accepts an input message of any length and generates, through a one-way operation, a fixed-length output called a message digest or hash.

Honeypots/honeynets: Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy malicious or unauthorized intruders, as a means of delaying their attempts to access production data/assets. A number of machines of this kind, linked together as a network or subnet, are referred to as a “honeynet.”

Identity as a service (IDaaS): Cloud-based services that broker identity and access management (IAM) functions to target systems on customers’ premises and/or in the cloud.


Identity proofing: The process of collecting and verifying information about a person for the purpose of proving that a person who has requested an account, a credential, or other special privilege is indeed who he or she claims to be and establishing a reliable relationship that can be trusted electronically between the individual and said credential for purposes of electronic authentication.

Initialization vector (IV): A non-secret binary vector used as the initializing input algorithm, or a random starting point, for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment.

Integrated Process and Product Development (IPPD): A management technique that simultaneously integrates all essential acquisition activities through the use of multidisciplinary teams to optimize the design, manufacturing, and supportability processes.

Integrity: Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

Intellectual property: Intangible assets (notably includes software and data).

Internet Control Message Protocol (ICMP): Provides a means to send error messages and a way to probe the network to determine network availability.

Internet Group Management Protocol (IGMP): Used to manage multicasting groups that are a set of hosts anywhere on a network that are listening for a transmission.

Internet Protocol (IPv4): Is the dominant protocol that operates at the Open Systems Interconnection (OSI) Network Layer 3. IP is responsible for addressing packets so that they can be transmitted from the source to the destination hosts.

Internet Protocol (IPv6): Is a modernization of IPv4 that includes a much larger address field: IPv6 addresses are 128 bits that support 2^128 hosts.

Intrusion detection system (IDS): A solution that monitors the environment and automatically recognizes malicious attempts to gain unauthorized access.

Intrusion prevention system (IPS): A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access.


Inventory: Complete list of items.

Job rotation: The practice of having personnel become familiar with multiple positions within the organization as a means to reduce single points of failure and to better detect insider threats.

Key Clustering: When different encryption keys generate the same ciphertext from the same plaintext message.

Key Length: The size of a key, usually measured in bits, that a cryptographic algorithm uses in ciphering or deciphering protected information.

Key or Cryptovariable: The input that controls the operation of the cryptographic algorithm. It determines the behavior of the algorithm and permits the reliable encryption and decryption of the message.

Knowledge Discovery in Databases (KDD): A mathematical, statistical, and visualization method of identifying valid and useful patterns in data.

Least privilege: The practice of only granting a user the minimal permissions necessary to perform their explicit job function.

Lifecycle: Phases that an asset goes through from creation to destruction.

Log: A record of actions and events that have taken place on a computer system.

Logical access control system: Non-physical system that allows access based upon pre-determined policies.

Loop coverage: This criterion requires sufficient test cases for all program loops to be executed for zero, one, two, and many iterations covering initialization, typical running, and termination (boundary) conditions.

Mandatory access controls (MAC): Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.

Maximum allowable downtime (MAD) [also known as maximum tolerable downtime (MTD)]: The measure of how long an organization can survive an interruption of critical functions.


Media: Any object that contains data.

Message authentication code (MAC): A small block of data that is generated using a secret key and then appended to the message, used to address integrity.

Message digest: A small representation of a larger message. Message digests are used to ensure the authentication and integrity of information, not the confidentiality.

Metadata: Information about the data.

Misuse case: A use case from the point of view of an actor hostile to the system under design.

Multi-condition coverage: These criteria require sufficient test cases to exercise all possible combinations of conditions in a program decision.

Multi-factor authentication: Ensures that a user is who he or she claims to be. The more factors used to determine a person’s identity, the greater the trust of authenticity.

Multiprotocol Label Switching (MPLS): Is a wide area networking protocol that operates at both Layer 2 and 3 and does label switching.

Need-to-know: Primarily associated with organizations that assign clearance levels to all users and classification levels to all assets; restricts users with the same clearance level from sharing information unless they are working on the same effort. Entails compartmentalization.

Negative testing: This ensures the application can gracefully handle invalid input or unexpected user behavior.

Network Function Virtualization (NFV): The objective of NFV is to decouple functions such as firewall management, intrusion detection, network address translation, or name service resolution away from specific hardware implementation into software solutions.

Non-repudiation: Inability to deny. In cryptography, a service that ensures the sender cannot deny a message was sent and the integrity of the message is intact, and the receiver cannot claim receiving a different message.

Null cipher: Hiding plaintext within other plaintext. A form of steganography.


Open Authorization (OAuth): The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

Open Shortest Path First (OSPF): An interior gateway routing protocol developed for IP networks based on the shortest path first or link-state algorithm.

OSI Layer 1: Physical layer.

OSI Layer 2: Data-link layer.

OSI Layer 3: Network layer.

OSI Layer 4: Transport layer.

OSI Layer 5: Session layer.

OSI Layer 6: Presentation layer.

OSI Layer 7: Application layer.

Overt security testing: Overt testing can be used with both internal and external testing. When used from an internal perspective, the bad actor simulated is an employee of the organization. The organization’s IT staff is made aware of the testing and can assist the assessor in limiting the impact of the test by providing specific guidelines for the test scope and parameters.

Ownership: Possessing something, usually of value.

Packet: Representation of data at Layer 3 of the Open Systems Interconnection (OSI) model.

Packet Loss: A technique called Packet Loss Concealment (PLC) is used in VoIP communications to mask the effect of dropped packets.

Parity bits: RAID technique; logical mechanism used to mark striped data; allows recovery of missing drive(s) by pulling data from adjacent drives.

Patch: An update/fix for an IT asset.


Path coverage: This criterion requires sufficient test cases for each feasible path, basis path, etc., from start to exit of a defined program segment, to be executed at least once.

Personally identifiable information (PII): Any data about a human being that could be used to identify that person.

Physical access control system: An automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based on a set of authorization rules.

Ping of Death: Exceeds maximum packet size and causes receiving system to fail.

Ping Scanning: Network mapping technique that detects whether a host replies to a ping; if it does, the attacker knows that a host exists at that address.

Plaintext: The message in its natural format; it has not been turned into a secret.

Point-to-Point Protocol (PPP): Provides a standard method for transporting multiprotocol datagrams over point-to-point links.

Policy: Documents published and promulgated by senior management dictating and describing the organization’s strategic goals.

Port Address Translation (PAT): An extension to NAT to translate all addresses to one routable IP address and translate the source port number in the packet to a unique value.

Positive testing: This determines that your application works as expected.

Privacy: The right of a human individual to control the distribution of information about him- or herself.

Procedures: Explicit, repeatable activities to accomplish a specific task. Procedures can address one-time or infrequent actions or common, regular occurrences.

Purging: The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique.

Qualitative: Measuring something without using numbers, using adjectives, scales, and grades, etc.


Quantitative: Using numbers to measure something, usually monetary values.

Real user monitoring (RUM): An approach to web monitoring that aims to capture and analyze every transaction of every user of a website or application.

Recovery point objective (RPO): A measure of how much data the organization can lose before the organization is no longer viable.

Recovery time objective (RTO): The target time set for recovering from any interruption.

Registered Ports: Ports 1024–49151. These ports typically accompany non-system applications associated with vendors and developers.

Registration authority (RA): This performs certificate registration services on behalf of a Certificate Authority (CA).

Remanence: Residual magnetism left behind.

Residual risk: The risk remaining after security controls have been put in place as a means of risk mitigation.

Resources: Assets of an organization that can be used effectively.

Responsibility: Obligation for doing something. Can be delegated.

Risk: The possibility of damage or harm and the likelihood that damage or harm will be realized.

Risk acceptance: Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

Risk avoidance: Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

Risk mitigation: Putting security controls in place to attenuate the possible impact and/or likelihood of a specific risk.

Risk transference: Paying an external party to accept the financial impact of a given risk.

Official (ISC)2 CISSP Training Guide


Role-based access control (RBAC) An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization.

Rule-based access control (RBAC) An access control model that is based on a list of predefined rules that determine what accesses should be granted.

Sandbox An isolated test environment that simulates the production environment but will not affect production components/data.

Security Assertion Markup Language 2.0 (SAML 2.0) A version of the SAML standard for exchanging authentication and authorization data between security domains.

Security control framework A notional construct outlining the organization’s approach to security, including a list of specific security processes, procedures, and solutions used by the organization.

Security governance The entirety of the policies, roles, and processes the organization uses to make security decisions in an organization.

Segment Data representation at Layer 4 of the Open Systems Interconnection (OSI) model.

Separation of duties The practice of ensuring that no organizational process can be completed by a single person; forces collusion as a means to reduce insider threats.

Session Initiation Protocol (SIP) Is designed to manage multimedia connections.

Single factor authentication Involves the use of simply one of the three available factors solely to carry out the authentication process being requested.

Smurf ICMP Echo Request sent to the network broadcast address of a spoofed victim causing all nodes to respond to the victim with an Echo Reply.

Software assurance The level of confidence that software is free from vulnerabilities either intentionally designed into the software or accidentally inserted at any time during its lifecycle and that it functions in the intended manner.

Software-defined networks (SDNs) Separates network systems into three components: raw data, how the data is sent, and what purpose the data serves. This involves a focus on data, control, and application (management) functions or “planes”.


Software Defined Wide Area Network (SD-WAN) Is an extension of the SDN practices to connect to entities spread across the internet to support WAN architecture, especially related to cloud migration.

Standards Specific mandates explicitly stating expectations of performance or conformance.

Statement coverage This criterion requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product’s behavior.

Static source code analysis (SAST) Analysis of the application source code for finding vulnerabilities without executing the application.

Steganography Hiding something within something else, or data hidden within other data.

Stream cipher When a cryptosystem performs its encryption on a bit-by-bit basis.

Striping RAID technique; writing a data set across multiple drives.

Substitution The process of exchanging one letter or bit for another.

Switches Operate at Layer 2. A switch establishes a collision domain per port.

Symmetric algorithm Operates with a single cryptographic key that is used for both encryption and decryption of the message.

Synthetic performance monitoring Involves having external agents run scripted transactions against a web application.

Teardrop Attack Exploits the reassembly of fragmented IP packets in the fragment offset field that indicates the starting position, or offset, of the data contained in a fragmented packet relative to the data of the original unfragmented packet.

Threat modeling A process by which developers can understand security threats to a system, determine risks from those threats, and establish appropriate mitigations.


Time multiplexing Allows the operating system to provide well-defined and structured access to processes that need to use resources according to a controlled and tightly managed schedule.

Time of check/time of use (TOCTOU) attacks Takes advantage of the dependency on the timing of events that takes place in a multitasking operating system.

Transmission Control Protocol (TCP) Provides connection-oriented data management and reliable data transfer.

Transport Control Protocol/Internet Protocol (TCP/IP) Model Layering model structured into four layers (network interface layer, internet layer, transport (host-to-host) layer, application layer).

Transposition The process of reordering the plaintext to hide the message by using the same letters or bits.

Trusted computing base (TCB) The collection of all of the hardware, software, and firmware within a computer system that contains all elements of the system responsible for supporting the security policy and the isolation of objects.

Trusted Platform Module (TPM) A secure crypto processor and storage module.

Uninterruptible power supplies (UPS) Batteries that provide temporary, immediate power during times when utility service is interrupted.

Use cases Abstract episodes of interaction between a system and its environment.

User Datagram Protocol (UDP) The User Datagram Protocol provides connectionless data transfer without error detection and correction.

Virtual Local Area Networks (VLANs) Allow network administrators to use switches to create software-based LAN segments that can be defined based on factors other than physical location.

Voice over Internet Protocol (VoIP) Is a technology that allows you to make voice calls using a broadband internet connection instead of a regular (or analog) phone line.


Waterfall Development Methodology A development model in which each phase contains a list of activities that must be performed and documented before the next phase begins.

Well-Known Ports Ports 0–1023. These ports are related to the common protocols that are utilized in the underlying management of the Transport Control Protocol/Internet Protocol (TCP/IP) system, Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), etc.

White-box testing A design that allows one to peek inside the “box” and focuses specifically on using internal knowledge of the software to guide the selection of test data.

Whitelisting/blacklisting A whitelist is a list of email addresses and/or internet addresses that someone knows as “good” senders. A blacklist is a corresponding list of known “bad” senders.

Wi-Fi (Wireless LAN IEEE 802.11x) Primarily associated with computer networking, Wi-Fi uses the IEEE 802.11x specification to create a wireless local-area network, either public or private.

WiMAX (Broadband Wireless Access IEEE 802.16) One well-known example of wireless broadband is WiMAX. WiMAX can potentially deliver data rates of more than 30 megabits per second.

Work factor This represents the time and effort required to break a cryptography system.


Copyright Acknowledgments
Acknowledgments appear on page i, which constitutes an extension of this copyright page.
Excerpts from the following material are hereby acknowledged.
“The Importance of Data Classification and Ownership.” © SkyView Partners, Inc. 2007. All
Rights Reserved.
Data Retention Policy. Courtesy of Mediaburst.co.uk
Guide to Data Protection Principle 1: Fair and Lawful. This material is covered by ICO’s Open
Government Licence (OGL) v3.0 http://www.nationalarchives.gov.uk/doc/open-
government-licence/version/3/
From Speech 1.2: “Weaving the Web” in Proceedings from the ISO-CERN conference on
Standardization and Innovation held in November 2014. With permission from Ben
Segal.
OAuth (Open Authorization) Standard. Copyright © 2011 IETF Trust and the persons
identified as the document authors: Eran Hammer-Lahav (editor), David Recordon, Dick
Hardt. All rights reserved.
Excerpt from KPMG Business Matters 2016 Q3: Overview of SOC1, SOC2 and SOC3
reports. By Bing Lin, Manager, IT Advisory. © 2016 KPMG, a group of Bermuda limited
liability companies which are member firms of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a
Swiss entity. All rights reserved.
“Negative Testing” © 2017 SmartBear Software. All Rights Reserved.
“Misuse Cases: Use Cases with Hostile Intent”; first appeared in IEEE Software, Vol. 20, No.1,
Jan-Feb 2003, 58–66. Used by permission of Ian Alexander. Retrieved from http://www.
scenarioplus.org.uk/papers/misuse_cases_hostile_intent/misuse_cases_hostile_intent.htm.
Figure reproduced with permission of Jefferson Parish Sheriff’s Office.
“What you need to know about the WannaCry Ransomware,” blog post by Symantec
Security Response Team. Copyright © 2017 Symantec Corporation. All rights reserved.
Reprinted with permission from Symantec Corporation.


Instructor Notes

Domain 1: Security and Risk Management

Module 1
The concepts of the CIA triad are fundamental, and it is crucial that you communicate that
importance to the participants. A quick review of pertinent situations/controls/examples
would be very helpful here.
While they are included as a brief mention in the guide, the terms nonrepudiation and
authentication do not need to be discussed in class at this point; they will be addressed in
a later domain. Bringing them up at this point might only confuse the participants.

Module 2
The discussion that explains that security is not typically a strategic business goal can be
tricky; class participants, as security practitioners, can be reluctant to accept this concept, or
even be resistant to it. Two good examples to explain the idea:
Example 1: A private-sector company. The company is in business to make money not to
provide security. A lack of security can inhibit this goal: for instance, fees assessed by
regulators in the wake of a data breach are unnecessary and unplanned expenses, and the
loss of confidential business information (such as proprietary sales or marketing data) might
cost the company its competitive edge and lead to less market share. But if the company
were to decide not to budget anything for security, the company could still exist, with
perhaps reduced profits.
Example 2: The military. The job of the military is to deliver orchestrated force not to provide
security. A lack of security can inhibit this goal: for instance, if the enemy learns how to
defeat a particular weapon system, then the delivery of force is attenuated, or if the enemy
learns of particular battle plans, then the military loses the element of surprise. But the
military could function without any security whatsoever and still deliver force, albeit with
greater complication, cost, and reduced effectiveness.

Module 3
In the discussion of risk analysis, when talking about the concept of likelihood, it is crucial to
stress that there is never “zero risk.” One example that might be useful is meteorites: there is
always the possibility a meteorite will strike the organization, even though that likelihood is
very, very small.


Activity answers for Swimming with Sharks:


If management were to opt for avoidance, they would not even start the ecotourism service
and would remain solely a fishing venture. This is the right choice when the possible risk
outcome (say, a tourist being eaten by a shark) would be more costly and frequent than the
profits realized by offering the service.
If management were to accept the risks associated with ecotourism, then no other action
needs to take place. This is the right choice when the risk associated with the service is
negligible. NOTE: Explain and stress that risks that endanger health and human safety
CANNOT be balanced against profit incentive and simply accepted because the financial
benefit is of sufficient magnitude; this is both unethical and illegal.
If management chooses to mitigate the risks associated with ecotourism, then security
controls to attenuate the risks will be adopted and implemented. These might include (for
purposes of the example) cages with welded joints instead of fasteners, tourists
accompanied by professional guides who are equipped with anti-shark tools to be used in
the case of attack including medical professionals on the tourism expeditions, coating
tourists with shark-repellent gel, etc.
If management chooses to transfer the risks associated with ecotourism, the company will
have to find an insurance underwriter who will offer a policy for that line of business. The
insurer will often also require the company to put security controls in place.
In the discussion of continuous monitoring and measurement of security controls, be sure to
mention that various standards (including NIST, ISACA, ISO, SANS, etc.) all have emphasis on
continuous monitoring programs for security controls. Candidates are encouraged to review
these sources for in-depth review and perspective of the topic.
When discussing threat modeling, it’s worth mentioning that the STRIDE model and a
subsequent toolset for software developers were both made open source for use by
developers outside Microsoft.

Module 8
When discussing RTO and RPO, it is useful to stress the following:
l RTO is a measure of time, using units of time.
l RPO is a measure of data, using units of time.
l The RTO and RPO will be different for every organization, based on that
organization’s needs and functions.


Domain 2: Asset Security


Module 1
Assets, Information and Resources

l Any item that has value to the organization can be referred to as an asset.
l An asset is anything that has value to the organization.
l Assets are sometimes referred to as resources.

Assets, Information, and Other Valuable Resources


l Value can be expressed using quantitative and qualitative methodologies.
l Quantitative uses numbers, usually monetary values.
l Qualitative uses grades such as high, medium, low, or top secret, secret, confidential,
or others.
l Protection of assets is always dictated by the value of the asset.

Examples of Valuable Assets


Many examples of anything that might have value to the organization and, therefore, can be
considered assets/resources that need to be protected based on value. There are many
others that could be added such as facilities, architectures, networks, and devices, etc.

Identification/Discovery and Classification Based on Value


l To properly secure assets, organizations need to identify and locate assets that may
have value and then classify the assets based on value while defining how to properly
protect each classification type.
l To properly protect assets, including information, organizations need to implement
a formal asset classification system supported by proper management support,
commitment and conviction to ensure accountability. Proper policies need to be
created and communicated to the entire organization to create the culture and set the
tone for the effectiveness of the classification initiative.

Classification Process
Describe the classification process. Highlight the fact that discovery of assets to create an
inventory starts the process, but it is an ongoing requirement.
Summary—Process of Protection of Valuable Assets Based on Classification
To better achieve goals and objectives, organizations today are generating massive amounts
of information that obviously will represent organizational value. It is important for
organizations to understand exactly the value that this information represents. Identifying
and classifying assets and information will allow organizations to determine and achieve the
protection requirements for the information.


To do this properly, these are the steps involved:


l Identify and locate assets including information
l Classify based on value
l Protect based on classification

Module 2
Asset Lifecycle
There are many methodologies that describe the data lifecycle, this is just one example.
However, the point is that protection throughout the lifecycle needs to be done based on
value at that particular lifecycle moment. Classification and categorization allows protection
of that data throughout its lifecycle. These phases focus on the security requirements as
data goes through its lifecycle.

Asset Lifecycle
Assets should be classified based on value upon discovery or creation. Custodianship begins
after the classification process. Archiving requirements are dictated by laws, regulations,
best practices, corporate policies, and authorizations.

Differences Between Classification and Categorization


Discuss the differences between classification and categorization. Relate to information/data.
Think of classification as the system and categorization as the act of sorting into the
classification system.

Classification
Explain that classification systems are used to protect the assets based on their value, which
is expressed through the classification process.

Categorization
Explain the purpose of categorization.

Data Classification Policy


Data classification should be driven by policy. The policy will communicate important
information such as accountability, responsibility, methods, and directives, etc.

Data Policy Activity


Instruct participants to pair up and discuss how they would apply each consideration in their
organization. After a few minutes, ask for volunteers to share their thoughts about each item.


What Classifications Should Be Used?


Examples only. Note that these only apply to confidentiality. There may be requirements to
classify based on integrity and availability as well.

Who Decides Data Classification?
Owners should always classify their assets; they are in the best position to understand value,
which drives classification.

Purpose of Asset Classification


Some of the benefits realized by classification of assets, note the most important reason,
which is listed first. Others are benefits that may be realized as well.

Classification Benefits
Discuss some of the benefits that organizations can realize by having a good classification
system in place with the proper supporting elements, such as education, proper
technologies, etc. There may be other benefits listed here, other than the obvious benefit
of classification providing the proper protection based on value of the asset.

Issues Related to Classification


Some of the issues that may need to be addressed for classification systems to work
properly. As the security function and the CISSP is in a support role, our responsibility is to
address these issues properly to ensure that asset classification works properly.

Module 3
Module Objectives
In many cases, we will use “data” as an example asset.

Module Topics
Introduce the module topics. But also point out that accountability and responsibility for
each is important to establish.

Asset Protection and Classification Terminology


Discuss the classification terminology.

Difference Between Data Owner/Controller and Data Custodian/Processor


Describe the difference between data owner/controller and data custodian/processor. Emphasize
“accountability” with the owner/ controller and responsibility with the custodian/processor.


Accountability/Responsibility Activity
Instruct participants to fill in either the word “accountable” or “responsible” in relation to
protection of data and the different roles listed. The last role, “subject,” is a trick question:
they are neither accountable nor responsible but rather should have “control” over their data
no matter who has collected it, processed it, and stored it, etc. This is according to most
privacy laws and regulations.

Accountability/Responsibility Activity – Answers


Accountability/Responsibility Activity.
Answers as per the slide. Note that the subject’s expectation is to have control over their
data that has been collected and being processed by an organization. Basically this is what
all privacy laws ensure.

Module 4
Privacy – Introduction
These are the data protection principles as required by the Information Commissioner’s
Office (ICO) of the UK. It is an independent authority to uphold information rights, including
data privacy for individuals. These are from the Guide for Data Protection that basically say
that if you are handling personal information about individuals, you have obligations under
the DPA to protect that information.

OECD Privacy Requirements, Privacy Foundations


Discuss the OECD privacy requirements, privacy foundations.

Example – Collection Limitation Principle


Explain that each of the eight privacy principles go into more detail as to what each principle
actually means. For example, here is the first principle, which is the Collection Limitation
principle. The OECD guidelines go on to describe how to meet this principle, you need to
address each of the three items listed here.

Module 5
Establishing Information Governance and Retention Policies
Explain that retention and archiving is driven by policy. These policies need to reflect on not
only the value of the data being retained, but bylaws, regulations, and other drivers that are
important for organization to understand.

Building Effective Archiving and Data Retention Policies


Policies need to be driven by the stakeholders, those that have a stake in the protection of
data while being retained.


Creating a Sound Records Retention Policy


Steps in understanding the retention requirements and addressing those in the policy.

Example Review Activity
Introduce activity.

Best Practices
Explain best practices in data and records retention.

Example Data Retention Policies


Good examples of retention policies that many organizations find useful in providing
guidance for their own. Only examples, and there is not an expectation of having to look at
these to understand what is on the exam.

Module 6
Baselines
Baselines, minimum levels of security, can provide the basis for how to protect assets that
have been classified. There should be baselines for each of the classification levels that exist.

Baselines – Summary
As a summary:
A baseline is a consistent reference point.
Baselines provide a definition of the minimum level of protection that is required to protect
valuable assets.
Baselines can be defined as configurations for various architectures that will indicate the
necessary settings and the level of protection that is required to protect that architecture.

Example Baselines and How They Can be Used to Enforce Security Controls
Explain how baselines can be used to enforce security controls for each classification. Other
“columns” would exist for other requirements such as retention, audit, destruction, and
disaster recovery, etc. We only show four categories of controls on this slide but the list
could go on.

Baseline Catalogs
Many catalogs exist around the world that can be useful for organizations to follow. These
end up being frameworks that can provide comprehensive guidance to organizations.


Generally Accepted Principles


Examples of catalogs that exist. The next few slides will provide some examples.

Scoping and Tailoring


Define scoping and tailoring. Explain that thorough knowledge of the environment is
required to do this properly.

Standards Selection Activity


Introduce activity and explain how selecting the right standards to follow as guidelines can
be a part of scoping and tailoring.

Data States
Data at Rest: data stored on media in any type of form. It is at rest because it is not being
transmitted or processed in any way.
Data in Motion: data that is currently traveling, typically across a network. It is in motion
because it is moving.
Data in Use: data that is being processed by applications or processes. It is in use because it
is data that is currently in the process of being generated, updated, appended, or erased. It
might also be in the process of being viewed by users accessing it through various
endpoints or applications.

Protection of Data
Explain that whatever state the data is in, it needs to be protected based on value. Its
classification level will dictate the value, and the baselines will dictate the protection.

Data in Use
Explain the challenges in protecting data in use, as data being processed usually requires
that data to be in clear text.

Data in Use Recommendations


Explain the concept of enclaves and how they can be used to protect data in use. An enclave
is a territory that is isolated from a larger territory. But also explain that nothing is perfectly
secure; enclaves may have weaknesses, especially related to implementation issues.

Data at Rest/Data in Transit Activity


Introduce the activity and ask students to fill in the table.


Picking Encryption Algorithms


We will learn all of this in domain 3, when discussing cryptography. Key management is the
most important thing in cryptography.

Module 7
Module Objectives
Discuss the asset handling requirements based on policies, procedures based on
classification levels.

Module 8
Data Remanence
Explain data remanence and the issues associated with data remaining on an object.

Data Remanence
Destruction is always preferred. Explain difference between media destruction and data
destruction. Purging is better than clearing, but destruction is always best, provided the
destruction method is a good one.

Clearing
Definition of clearing.

Purging
Definition of purging. Note the definition using the words “cannot be reconstructed” by any
known means. This is better than clearing.

Domain 3: Security Architecture and Engineering


Module 1
This is intended to be a short introductory module. The module introduces several
commonly accepted sources for engineering processes and lists of technical, technical
management, enabling, and agreement processes. The processes listed are fairly consistent
across the major references with only minor differences. The full process descriptions are
provided to the students in the student manual, however, due to the limited time allocated
for this module, it is NOT intended that the instructor fully describe each process.
The instructor may provide some context on how the engineering processes fit together
with other security processes.


The final slide reintroduces the CIA/AIC Triad in the context that all Security Architecture
and Engineering activities should support one or more of these key security principles.

Module 2
This module is programmed as a short introduction to common security models.
The models in this module are formal or academic security models and are not necessarily
implemented perfectly in practical systems. This should not detract from the value of the
models but only identify that the models are very high-level concepts, and practical
implementation requires significantly more detail than that provided in the models
themselves.
For each of the security models listed, the instructor should provide an overview of the
model with the primary purpose and use of the model. The student guide has the major
points of purpose of each model listed.
The final slide introduces the concept that the modern operating systems and applications
do implement some of the fundamental concepts from the formal security models, but they
are rarely based on one particular model.

Module 3
This module is programmed as a short introduction to security controls, what they are,
where they come from, and how to implement them. Domain 1 should have covered some
of this material, and this will partially be a review of that material in the context of how to
identify the correct controls for the operating environment and tailoring those controls
appropriately.

Module 4
This module is an introduction to system security capabilities. The focus is on controls or
technical capabilities for protecting data or systems that are typically built into system
architectures.
There is an introduction to the 13 system security capabilities that will be discussed in the
module. For initial context, the instructor should identify how the capabilities work together
using some examples from personal experience.
The generic OS/Computer model slide is intended to introduce extremely rudimentary
computer architecture for students that have not been exposed to it before. The main point for
this slide is the separation between user mode components, kernel mode components, and
system hardware. This slide can also be used as a reference when discussing the capabilities.
For each of the capability slides, introduce the capability and describe the value of the
capability per the student guide descriptions.


Module 5
This module introduces common vulnerabilities and potential mitigations that exist in most
systems to some degree as well as some architecture specific vulnerabilities and mitigations.
The listed vulnerabilities and mitigations are necessarily generic in this format, and it should

be stressed to the students that these represent common issues and are not intended to be
comprehensive when applied to a particular real-world system.
The first several slides introduce common system vulnerabilities. These exist in most systems
in some form. During the architecture specific slides, a graphic will appear on the slide to
remind the students that they must also consider the common vulnerabilities in
communications, hardware, code, and user misuse and how those common vulnerabilities
might apply to any specific architecture.
For each of the architectures described, there is a standard three-slide format. The first slide
characterizes the architecture element (e.g., client-based systems), the next slide lists
common vulnerabilities associated to that architecture element, and the third slide lists
common mitigations that might be applied.
Cloud and mobile architectures contain extra slides to provide additional detail.
For each three (or more) slide set, the instructor should introduce and characterize the
architecture element on the first slide. Describe the architecture specific vulnerabilities on the
second slide. Time permitting, the instructor should ask the class to consider common (e.g.,
communications, hardware, code, misuse) vulnerabilities that might be unique to the particular
architecture. This can be used as an interactive discussion on each architecture type as time
permits. The final slide should be used to introduce the architecture specific mitigations.

Module 6 Cryptography
Block Ciphers
Our example of a block cipher here uses earlier resultants from the algorithm and combines
them with later keys. This is in effect DES in CBC (Cipher Block Chaining). We will talk about
the four modes of DES later on. Here is the explanation:
• The data you wish to encrypt is broken up into data blocks (DB1, DB2, etc.). An
Initialization Vector (IV), 64 randomly chosen bits, is added to the beginning of the
data to ensure that all blocks can be properly ciphered. The IV is simply a random
character string to ensure that two identical messages will not create the same
ciphertext. To create your first block of ciphertext (CT1), you mathematically combine
the crypto key, the first block of data (DB1), and the initialization vector (IV). When you
create the second block of ciphertext (CT2), you mathematically combine the crypto
key, the first block of ciphertext (CT1), and the second block of data (DB2). Because
the variables in your algorithm have changed, DB1 and DB2 could be identical,
but the resulting ciphertext (CT1 and CT2) will contain different values. This helps
to ensure that the resulting ciphertext is sufficiently scrambled so that it appears
completely random.
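To make the chaining concrete for students, here is an added worked example (not code from the guide). It uses an assumed toy 64-bit block function in place of DES, so the only thing it demonstrates is the CBC chaining itself: two identical data blocks give identical ciphertext without chaining (ECB) and different ciphertext with it, a different IV changes the whole ciphertext of the same message, and decryption reverses the chain. The key and IV are constructed for the demo.

```python
"""CBC chaining demonstration with a toy block cipher.

Added example; the toy cipher below is NOT DES. It is only a deterministic,
invertible 64-bit block function so that the chaining itself can be observed.
"""

BLOCK = 8  # 64-bit blocks, as in DES


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _rotr8(x: int, n: int) -> int:
    return ((x >> n) | (x << (8 - n))) & 0xFF


class ToyBlockCipher:
    """Assumed toy construction: XOR with key, rotate each byte, reverse byte order.

    It has no cryptographic strength; it only needs to be a bijection on 8-byte blocks.
    """

    def __init__(self, key: bytes):
        if len(key) != BLOCK:
            raise ValueError("toy cipher uses an 8-byte key")
        self.key = key

    def encrypt_block(self, block: bytes) -> bytes:
        mixed = bytes(_rotl8(b ^ k, 3) for b, k in zip(block, self.key))
        return mixed[::-1]

    def decrypt_block(self, block: bytes) -> bytes:
        mixed = block[::-1]
        return bytes(_rotr8(b, 3) ^ k for b, k in zip(mixed, self.key))


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(cipher: ToyBlockCipher, plaintext: bytes) -> bytes:
    """No chaining: identical data blocks give identical ciphertext blocks."""
    data = pkcs7_pad(plaintext)
    return b"".join(cipher.encrypt_block(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(cipher: ToyBlockCipher, iv: bytes, plaintext: bytes) -> bytes:
    """CT1 = E(key, DB1 XOR IV); CTn = E(key, DBn XOR CTn-1)."""
    if len(iv) != BLOCK:
        raise ValueError("IV must be one block")
    data = pkcs7_pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = cipher.encrypt_block(_xor(data[i:i + BLOCK], prev))  # chain previous CT (or IV) in
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(cipher: ToyBlockCipher, iv: bytes, ciphertext: bytes) -> bytes:
    """DBn = D(key, CTn) XOR CTn-1, with CT0 = IV."""
    if not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be a whole number of blocks")
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        ct = ciphertext[i:i + BLOCK]
        out.append(_xor(cipher.decrypt_block(ct), prev))
        prev = ct
    return pkcs7_unpad(b"".join(out))


if __name__ == "__main__":
    cipher = ToyBlockCipher(b"\x5a" * BLOCK)   # constructed demo key
    message = b"SAMEBLOK" * 2                  # DB1 == DB2 on purpose
    iv = bytes(range(BLOCK))                   # constructed IV; use os.urandom(BLOCK) in practice
    ecb = ecb_encrypt(cipher, message)
    cbc = cbc_encrypt(cipher, iv, message)
    print("ECB: CT1 == CT2 ->", ecb[:BLOCK] == ecb[BLOCK:2 * BLOCK])
    print("CBC: CT1 == CT2 ->", cbc[:BLOCK] == cbc[BLOCK:2 * BLOCK])
    print("round trip ok   ->", cbc_decrypt(cipher, iv, cbc) == message)
```

Students can be asked to predict, before running it, why CT2 differs from CT1 even though DB1 and DB2 are identical: the second block's input is DB2 XOR CT1, not DB2 alone, and CT1 is different from the IV.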


Null Cipher – “Are You Deaf, Father William,” William Carroll - 1876
Famous poem by William Carroll, written in 1876. The first letter of each line spells out the name
of his lover at the time, Adelaide Paine.

Rijndael
The winner of the AES competition hosted by NIST. This winner is eventually planned to
replace DES as the standard for symmetric key cryptography. Rijndael is the winner, as
announced on Oct. 2, 2000, out of approx. 30 competitors and later, 5 finalists.
In many respects, Rijndael is a relatively simple cipher.
Rijndael has a variable number of rounds. Other than an extra round performed at the end
of encipherment with one step omitted, the number of rounds in Rijndael is:
• 9 if both the block and the key are 128 bits long
• 11 if either the block or the key is 192 bits long, and neither of them is longer
than that
• 13 if either the block or the key is 256 bits long
The process for enciphering a block of data in Rijndael is to first perform an Add Round Key
step (XORing a subkey with the block) by itself, then the regular rounds noted above, and
then the final round, in which the Mix Column step described below is omitted.

The Rounds
There are four steps in each round. First is the Byte Sub step, where each byte of the block
is replaced by its substitute in an S-box.
Next is the Shift Row step. Considering the block to be made up of bytes 1 to 16, these
bytes are arranged in a rectangle and shifted according to the algorithm. Next comes the
Mix Column step. Matrix multiplication is performed: each column, in the arrangement we
have seen above, is multiplied by the matrix:
    2 3 1 1
    1 2 3 1
    1 1 2 3
    3 1 1 2
The final step is Add Round Key. This simply XORs in the subkey for the current round.
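The matrix multiplication is not ordinary integer arithmetic: the bytes are elements of GF(2^8), addition is XOR, and multiplication reduces by the AES polynomial x^8 + x^4 + x^3 + x + 1. The following is an added example (not the guide's code) that carries the Mix Column step through for one column and for a whole 16-byte state, together with the inverse matrix that decryption uses. Constructed check values come from the FIPS-197 worked cipher example (the column d4 bf 5d 30 becomes 04 66 81 e5).

```python
"""Rijndael Mix Column step over GF(2^8).

Added example (not the guide's code): multiplies each 4-byte state column by the
matrix from the text, using the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
"""

MIX = (
    (2, 3, 1, 1),
    (1, 2, 3, 1),
    (1, 1, 2, 3),
    (3, 1, 1, 2),
)
# Inverse matrix used by the InvMixColumns step in decryption (from the AES standard).
INV_MIX = (
    (14, 11, 13, 9),
    (9, 14, 11, 13),
    (13, 9, 14, 11),
    (11, 13, 9, 14),
)


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reduced modulo 0x11b."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # subtract x^8 + x^4 + x^3 + x + 1 (the high bit is already dropped)
        b >>= 1
    return product


def mix_column(col, matrix=MIX):
    """Matrix-vector product where '+' is XOR and '*' is gf_mul; returns a list of 4 ints."""
    col = list(col)
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, col):
            acc ^= gf_mul(coeff, byte)
        out.append(acc)
    return out


def mix_columns(state: bytes, matrix=MIX) -> bytes:
    """Apply mix_column to each of the four columns of a 16-byte state (column-major order)."""
    if len(state) != 16:
        raise ValueError("state must be 16 bytes")
    out = bytearray()
    for c in range(4):
        out.extend(mix_column(state[4 * c:4 * c + 4], matrix))
    return bytes(out)


def inv_mix_columns(state: bytes) -> bytes:
    return mix_columns(state, INV_MIX)


if __name__ == "__main__":
    col = [0xD4, 0xBF, 0x5D, 0x30]  # FIPS-197 Appendix B, round 1, first column
    print("mix  :", [f"{b:02x}" for b in mix_column(col)])
    print("unmix:", [f"{b:02x}" for b in mix_column(mix_column(col), INV_MIX)])
```

A useful classroom check is the all-ones column: 2 + 3 + 1 + 1 in GF(2^8) is 2 XOR 3 XOR 1 XOR 1 = 1, so a column of 01 bytes maps to itself, which students can verify by hand before trusting the code on the FIPS vector.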

Symmetric Algorithms
Some of the common block cipher symmetric algorithms are listed here in a comparison-type
chart. Note that RC5 is a “parameterized” algorithm—the first parameter refers to
the block size in bits, the second parameter refers to the number of iterations during the
scrambling, and the last refers to the key length in bytes (e.g., 7 = 56 bits). This allows it to
be used at various strengths. The larger the parameters, the stronger (but slower) the
encryption. Obviously, the sender and the receiver must agree upon a given set of
parameters.

Asymmetric Algorithms
Factoring is splitting an integer into a set of integers that when multiplied together, form the
original integer. For example, 35 factors into 5 and 7. Using large prime numbers and
multiplying them together is easy, but as far as we know, factoring that product is much
more difficult.
The discrete logarithm problem is a mathematical problem using entities called groups. A
group is a collection of elements, together with an operation defined on them that is
commonly referred to as multiplication or composition and follows certain rules. Assuming
the group has a finite number of elements, each element in the group has an order, the
minimum number of times it must be multiplied by itself to get back to the identity, which is
usually one. The discrete logarithm problem is as follows: given an element g in a finite
group G and another element h ∈ G, find an integer x such that g^x = h. For example, the
solution to the problem 3^x ≡ 13 (mod 17) is x = 4, because 3^4 = 81 ≡ 13 (mod 17).
Knapsack algorithms were also used in the past as a third hard math problem, for algorithms
such as Chor-Rivest and Merkle-Hellman, but mention that knapsack algorithms are no longer
used, as they have been broken.
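The asymmetry between the easy and hard directions can be shown in a few lines. This added example (not from the guide) computes g^x mod p with Python's built-in modular exponentiation, solves the text's 3^x ≡ 13 (mod 17) instance, and recovers x in general with baby-step giant-step, a generic method that still needs about the square root of the group size in steps, which is why real parameters are thousands of bits long. The element_order function illustrates the order concept from the text. The primes and exponents used are constructed for illustration.

```python
"""Discrete logarithm: the easy direction versus the hard direction.

Added example (not the guide's code). Works for any prime modulus p and any
g that is invertible mod p; the sizes here are deliberately tiny.
"""
from math import isqrt


def element_order(g: int, p: int) -> int:
    """Smallest k >= 1 with g^k == 1 (mod p): the order of g in the multiplicative group."""
    k, x = 1, g % p
    while x != 1:
        x = x * g % p
        k += 1
    return k


def dlog_bsgs(g: int, h: int, p: int):
    """Return the smallest x with g^x == h (mod p), or None if no such x exists.

    Baby-step giant-step: about 2*sqrt(p) multiplications and sqrt(p) table entries,
    compared with the handful of squarings that pow(g, x, p) needs.
    """
    m = isqrt(p - 1) + 1
    # Baby steps: table of g^j for 0 <= j < m (keep the smallest j per value).
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    # Giant steps: multiply h by g^(-m) until it lands in the table; then x = i*m + j.
    step = pow(g, -m, p)  # modular inverse of g^m (Python 3.8+)
    gamma = h % p
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    return None


if __name__ == "__main__":
    print("3^4 mod 17 =", pow(3, 4, 17))           # easy direction
    print("log_3(13) mod 17 =", dlog_bsgs(3, 13, 17))  # hard direction, tiny instance
    print("order of 3 mod 17 =", element_order(3, 17))
```

For the 17-element example the table has five entries and the answer appears on the first giant step; students can rerun dlog_bsgs with a 20-digit prime to see the cost grow while pow stays instant.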

Message Integrity Controls


This is a diagram illustrating a variety of integrity functions to show where the cryptographic
functions fit in. Message Integrity Controls are sometimes called MICs.
In the next few slides, we will talk in detail about MIC, CBC-MAC, Hash Functions, HMAC,
and then Digital Signatures.
In the top row, we show the three basic examples of integrity controls (parity, checksum,
hash) that can protect against accidental errors (e.g., a bit flipped in a network transmission)
but not a determined attacker, who could alter the message, and also alter the integrity
control to match the change.
To protect against an intentional integrity attack, we need to use the three choices in the
bottom row. We need to protect the message by either encrypting a hash of the message
with the private key of an asymmetric key pair (which generates a digital signature), or
generating the hash with a secret key (which generates a keyed hash/HMAC), or we can use
a special function called a CBC-MAC that doesn’t use a standard hashing function (like
MD5 or SHA-1). An example of CBC-MAC is the ANSI X9.9 DES-MAC function (used by
the financial community and also documented in NIST FIPS-113), which computes a DES
CBC function over the entire message using a secret key, generating a 64-bit output value.
The HMAC (e.g., RFC 2104) uses a standard hash function (such as MD5 or SHA-1) and
hashes the message with a secret key but without a secret key algorithm such as DES.
HMACs run much faster than CBC-MAC functions, are believed to be as secure, and
support the interchangeable use of different standard hash functions as necessary, so they
are increasingly replacing MAC functions for integrity controls (e.g., HMAC is used in SSL
and IPsec).
Remember that a digital signature has a side benefit of providing non-repudiation as well as
integrity checking, while a keyed hash does not provide non-repudiation, but it runs much
faster and doesn’t require a PKI to be implemented.

Operation of Hash Functions


The purpose of a hash function is to produce a “fingerprint” of a file, message, or other
block of data. To be useful for message authentication, a hash function must have the
following properties:
• Can be applied to a block of data of any size
• Produce a fixed-length output
• Be relatively easy to compute, making both hardware and software implementations
practical
• For any given code, it is computationally infeasible to find the message that created it
• An alternative message hashing to the same value as a given message cannot be
found
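An added example (not the guide's code) illustrating the top-row versus bottom-row distinction from the Message Integrity Controls notes, together with the hash properties listed above, using only the Python standard library: an unkeyed hash can be recomputed by whoever changes the message, so it detects only accidental errors, whereas an HMAC computed with a secret key cannot be recomputed without that key, and the hash function under HMAC is interchangeable. The key and the messages are constructed for the demo.

```python
"""Unkeyed hash vs. HMAC as an integrity control (added example, not the guide's code).

Standard library only. The key and the messages are constructed for the demonstration.
"""
import hashlib
import hmac


def unkeyed_tag(message: bytes) -> str:
    """Top row of the diagram: a plain hash. Detects accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def verify_unkeyed(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(unkeyed_tag(message), tag)


def keyed_tag(key: bytes, message: bytes, algo: str = "sha256") -> str:
    """Bottom row: HMAC (RFC 2104) over the message with a secret key.

    The hash function is interchangeable; any constructor name in hashlib works
    (sha256, sha512, ...), which is one of the advantages the notes mention.
    """
    return hmac.new(key, message, getattr(hashlib, algo)).hexdigest()


def verify_keyed(key: bytes, message: bytes, tag: str, algo: str = "sha256") -> bool:
    # compare_digest is constant-time, so verification does not leak where the tags differ.
    return hmac.compare_digest(keyed_tag(key, message, algo), tag)


def demo() -> dict:
    key = b"constructed-demo-key-do-not-reuse"   # constructed secret shared by sender and receiver
    original = b"transfer 100 to account 42"
    modified = b"transfer 900 to account 42"

    mac = keyed_tag(key, original)

    # Whoever changes the message can also recompute a plain hash over the new text,
    # so the receiver's unkeyed check passes. The HMAC cannot be recomputed without the
    # key, so the tag that travelled with the message no longer matches the changed text.
    recomputed_plain = unkeyed_tag(modified)

    return {
        "plain_accepts_modified": verify_unkeyed(modified, recomputed_plain),
        "hmac_accepts_modified": verify_keyed(key, modified, mac),
        "hmac_accepts_original": verify_keyed(key, original, mac),
        "sha512_tag_differs": keyed_tag(key, original, "sha512") != mac,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first result is True and the second False, which is the whole point of the bottom row of the diagram. Note that the keyed tag still does not give non-repudiation: both sender and receiver hold the key, so either could have produced it, which is the gap a digital signature closes.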

Key Management
Elements of key management. As the key is the only thing that provides security in
cryptography, key management becomes critical in the success of any cryptosystem.

Brute Force
Assumptions: Fastest supercomputer: 10.51 petaflops = 10.51 × 10^15 flops
[flops = floating-point operations per second]
No. of flops required per combination check: 1000 (very optimistic, but assume it for now)
No. of combination checks per second = (10.51 × 10^15)/1000 = 10.51 × 10^12
No. of seconds in one year = 365 × 24 × 60 × 60 = 31536000
No. of years to crack AES with a 128-bit key = (3.4 × 10^38)/[(10.51 × 10^12) × 31536000]
= (0.323 × 10^26)/31536000
= 1.02 × 10^18
= 1 billion years

Module 7
This module introduces physical security concepts for the CISSP. As context, it should be
stressed that the CISSP must understand physical security concepts, even in organizations
that have separated physical and IT security into different organizational responsibilities.


The CISSP must understand how the presence or absence of physical security may impact
the computer system security controls or design elements that must be employed.
Additionally, the CISSP may be in a position at smaller organizations where they have direct
responsibility over physical security controls or assessment responsibilities over physical
security controls.
In addition to supporting confidentiality, integrity, and availability protections, physical
security elements must also consider human safety as a primary goal. Examples of each goal
are provided on the introductory slides.
The site and facility design considerations slide should be used to introduce some top-level
design considerations. A few minutes should be spent on this slide identifying the
importance of each and its relationship to either computer security or human safety. In
some cases, it may involve both. For instance, mail screening can be used to prevent
malicious physical attacks (e.g., anthrax in the mail, protected against by mail screening) or
cyber attacks (e.g., mailing a cellular device with an active wireless access point to someone
on vacation to attack internal wireless, protected against by mail screening). These items are
“good to know” general physical security controls but are not explicitly identified in the course
outline, and descriptions can be minimized to shorten overall time.
The next several slides walk through common physical security concerns from the surrounding
area to the operational facilities. Each slide provides some examples of vulnerabilities or
concerns at each layer with a list of controls that should be considered for employment.
The Perimeter Security Controls Typical Control Types slides and the Internal Security Control
slide introduce types of security controls that exist in the physical world that should be
considered, as well as some basic employment considerations.
The topics listed on the Implement Site and Facility Security Controls slide are an
introduction, and each item has a follow-on slide(s). These items are explicitly identified in
the course outline. Each of the following slides describes the particular topic.
The Fire Suppression slides introduce two main types of installed fire suppression: water-
based and gas-based. Aerosol-based systems are listed under gas systems and may be
considered a third main type but are not consistently listed as a main type. Chemical agent
suppression using handheld extinguishers is also listed.
A list of potential environmental issues is on the last module slide. The instructor should
introduce each and how they may affect computer system operations, usually through loss
of availability (power, communication, etc.) or direct damage/destruction of facilities.

Domain 4: Communication and Network Security


Module 1
Provide a background for the development and use of the OSI and TCP/IP network models.
Draw comparisons of the layers in similarities and differences.


Module 2
At the Physical Layer, bits are encoded and decoded by transmitting and receiving devices
and media. Media and device types may utilize light, radio, or electrical signals.
Understanding system origins can assist in understanding current technology. Use the charts
concerning threats and countermeasures to discuss real-world relevant issues.

Module 3
The data-link layer prepares the packet that it receives from the Network Layer to be
transmitted as frames on the network. This layer ensures that the information it exchanges
with its peers is error-free.
Switches remain the dominant technology consumed at Layer 2. Review the significance of
threats and countermeasures related to Layer 2 technology listed in the chart.

Module 4
The network layer moves data between networks as packets by means of logical addressing
schemes. There was a time when this layer was crowded with other logical network
addressing protocols but now IP is dominant.
Routers and firewalls remain the technology that is consumed most heavily at Layer 3. Focus
on the prevalent threats that are related to the design of fragmentation in the threats and
countermeasure chart.

Module 5
The transport layer delivers end-to-end services through segments transmitted in a stream of
data and controls streams of data to relieve congestion through elements that include QoS.
Focus on the three types of ports that are associated with TCP/UDP. Discuss the threats and
countermeasure chart that is related to TCP/UDP.

Module 6
The session layer provides a logical persistent connection between peer hosts. The session
layer is responsible for creating, maintaining, and tearing down the session.
No specific technology services are specified for the session layer in ISO 7498-2.

Module 7
The presentation layer ensures that communications delivered to a recipient are in a
common and discernible system format. To provide a reliable syntax, systems processing at
the presentation layer will use ASCII or EBCDIC to translate from Unicode.


There are obscure yet effective attacks at the presentation layer. Review the threats and
countermeasures for more details.

Module 8
The application layer supports or hosts the functions of applications that run on a system. All
manner of human-supported interfaces, messaging, systems control, and processing occur
at the application level. While the Application Layer itself is not the application, it is where
applications run.
Map out and understand the sequence of DNS, DHCP, LDAP, and SNMP resolutions. Be
aware of the threats and countermeasures for the application layer.

Module 11
When meeting as a small group (3 to 4 max), keep the participants brief when sharing incidents.
Each participant should listen carefully while the other participants are sharing. If there is time left
in the day after Part II is completed, have each group give a brief recounting of their findings.

Domain 5: Identity and Access Management


Module 1
Case Study: Instructor should think of
• System/Information Owner being the OCAO personnel, and the Data Subject being
the person for whom there is PII-related information in the system.
• Logical or physical systems described in the case study are PACS sensors, PIV card,
the PACS alarm monitoring application, and the IDS.
• An assumption to be made about the information in the PAC system is that it needs
to meet regulatory standards for data privacy.

Module 2
Participants should be thinking about control types: administrative, logical, and physical.
Control categories: detective, directive, compensating, deterrence, preventive, recovery, and
corrective. For roles: Custodian matches Application Administrator, and Data Owner
matches the privilege manager.

Module 3
Lead a discussion on the credential management process and have the participants share
their challenges with selection methodology.


Module 4
Highly regulated environments and stringent PII protection requirements may skew decisions
towards retaining on-premises management versus cloud.
Participants should be thinking: Resource Owner and Server (OAuth) match the Service Provider
(SAML); Client App (OAuth) matches the User/Principal (SAML); etc.

Module 5
Encourage participants to integrate knowledge from previous domains to engage the
activity for this domain.

Domain 6: Security Assessment and Testing


Module 2
Case [15 min.]: Team Consultation for Critical Incident
Encourage participants to take a minute or two to nominate a person to share their critical
incident by listening to two volunteers. Norms for the group should be respect for privacy
and confidentiality of any discussion that ensues. Encourage the listeners to practice active
listening and use methods like the “five whys” to uncover insights into the critical incident.
Listeners should not be drawn to solutions in framing questions but drawn to understanding.

Module 3
Delineate differences between training and awareness with participants by having them
reflect for a few minutes on their work environments and consider what focus they can bring
to aid in cultural change and business success. Have the participants share responses with
the classroom.

Module 5
Prompt participants to connect the appropriate SOC report with a concern that an
organization may have with a service provider. For example, what report and type might an
organization order if it is concerned about engaging a service provider that is new to
market, versus one that needs to provide high-assurance data privacy controls?

Domain 7: Security Operations


Module 1
Page 532 – The discussion of least privilege contains a reference back to Domain 1, where the
security aspects of job descriptions were discussed.


Module 2
In the discussion of patches, please state that the concept and terms of “routine patches”
and “reactive patches” are not common industry standard, nor are they testable, but they
are used here for academic purposes only to explain the different types and uses of patches.

Module 8
In the DLP discussion, it’s worth mentioning that DLP tools can aid in limiting both malicious and
inadvertent disclosures; users with hostile intent (insider threats) and those who may accidentally
attempt to send sensitive data can both be identified and prevented from doing so.

Module 9
When discussing the JOA/MOU/multiple processing site options, it’s useful to point out that
the various locations involved don’t need floorspace/workspaces sufficient to replicate the
entire affected site, but they only need enough room for those personnel essential to
maintain the critical path.

Module 12
You can add that, overall, exercises are a great opportunity for cross-training personnel and
allowing deputies and assistants a chance to practice managerial roles while primary
personnel are participating in the exercise.

Domain 8: Software Development Security


Module 1
Typical Phases of the SLC
Note the difference between an SLC, which includes disposal/decommissioning, and the
SDLC, which is discussed on the next slide.

Software Development Lifecycle (SDLC)


An SDLC shows the phases that a typical application development project would go
through. Normally, an SDLC does not include the decommissioning or disposal stage that
would be included in the SLC.
The SDLC simply provides a framework for the phases of a software development project
from defining the functional requirements to implementation. Regardless of the method
used, the SDLC will have several essential phases that can be shown together or as separate
elements. The model chosen should be based on the project.


Project Initiation and Planning


As the project gets under way, note that there are specific security requirements that need
to be addressed for the project to be done properly. For example, how can “identify user needs”
be completed until we have identified “security needs”? Also note that the word “user” is
really implying “owner.”

Functional Requirements Definition


This is when the “wish list” of what the application should do is planned into reality. Note
the specific security requirements that need to be addressed.

Detailed Design Specifications


Fine-tuning the security requirements, making them more detailed, and integrating them into the
design make the security elements more cohesive.

Develop and Document


These are the security elements that take place during the development of the program.

Testing, Acceptance, and Transition into Production


The critical element in this phase is testing the program and its security capabilities before it
is brought into full-line production.

Decommissioning/Disposal
Important accountabilities that the owner needs to address. Decommissioning and disposal
also require security to be involved; some example activities are mentioned on the slide.

Software Development Models


There are several software development methods that have evolved. The following list
provides a brief overview of some methods.
• Waterfall: The traditional waterfall lifecycle method is probably the oldest known
method for developing software systems. It was developed in the early 1970s and
provided a sense of order to the process. Each phase contains a list of activities that
must be performed before the next phase begins. An advantage is that each phase
is completely documented, which allows for easier updates and modifications. A
disadvantage is that it does not always scale well for large and complex projects, and
it inhibits the team from pursuing concurrent phases or activities. Usually, the method
is not good for projects that must be developed in quick turnaround time periods
(i.e., less than six months).
• Iterative Development: In this model, the project is fragmented into smaller
components, and each component is a regular waterfall model. This model allows
for successive refinements of requirements, design, and coding. The danger in
allowing refinements during the process is that a change control mechanism must
be implemented. Also, the scope of the project may be exceeded if clients change
requirements after each release.
• Joint Analysis Development (JAD): It was originally invented to enhance the
development of large mainframe systems; however, JAD facilitation techniques
have now become an integral part of Rapid Application Development (RAD), web
development, and other methods. It is a management process that helps developers
work effectively with users to develop an application that works. Its success is based
on having key players communicate at critical phases of the project. The focus
is on having the people who actually perform the job (those who have the best
understanding of the job) work together with those who have the best understanding
of the technologies available to design a solution. JAD facilitation techniques
bring together a team of users, expert systems developers, and technical experts
throughout the development lifecycle.
• Prototyping: The prototyping method was formally introduced in the early 1980s to
combat the weaknesses of the waterfall model. The objective is to build a simplified
version (prototype) of the application, release it for review, and use the feedback from
the users to build a second, better version. This is repeated until the users (clients)
are satisfied with the product. It is a four-step process: initial concept, design and
implement initial prototype, refine prototype until acceptable, complete and release
final version. Lisp, Tcl, and Smalltalk are often used for prototyping.
• Rapid Application Development (RAD): RAD is a form of rapid prototyping
that requires strict time limits on each phase and relies on tools that enable quick
development. This may be a disadvantage if decisions are made so rapidly that it
leads to poor design.
• Modified Prototype Model (MPM): It is a form of prototyping that is ideal for web
application development. It allows for the basic functionality of a desired system or
component to be formally deployed in a quick time frame. The maintenance phase is
set to begin after the deployment. The goal is to have the process be flexible enough
so that the application is not based on the state of the organization at any given time.
As the organization grows and the environment changes, the application changes
with it rather than being frozen in time.
• Exploratory Model: A set of requirements is built with what is currently available.
Assumptions are made as to how the system might work, and further insights and
suggestions are combined to create a usable system.
• Spiral Method: The spiral model is a combination of both the waterfall and
prototyping methods. Similar to prototyping, an initial version of the application is
developed; however, the development of each version is carefully designed using
the waterfall model. A distinguishing feature of the spiral model is that in each phase
a risk assessment review is added. Estimated costs to complete and schedules are
revised each time the risk assessment is performed. Based on the results of the risk
assessment, a decision is made to continue or cancel the project.


• Reuse Model: An application is built from existing components. This model is best
suited for projects that can use object-oriented development because objects can be
exported, reused, or modified.
• Cleanroom: This was developed in the 1990s as an engineering process for the
development of high-quality software. It is named after the process of cleaning
electronic wafers in a wafer fabrication plant. Instead of cleaning the crud from the
wafer after it has been made, the objective is to prevent the crud from getting into
the fabrication environment. In software application development, it is a method
of controlling defects (bugs) in the software. The goal is to write code correctly the
first time rather than trying to find the problems once they are there. Essentially,
cleanroom software development focuses on “defect prevention” rather than “defect
removal.” Cleanroom software engineering produces applications that are correct by
mathematically sound design and are certified by statistically valid testing. Reduced
development time is achieved from an incremental development strategy and the
avoidance of reworking the code. To achieve this, more time is spent in the design
phase; however, the time spent in other phases, such as testing, is reduced (i.e.,
quality is achieved through design and not testing). Since testing often consumes the
majority of a project’s timeline, the time saved during the testing phase can result in
substantial savings.
• Computer Aided Software Engineering (CASE): It is the technique of using
computers to help with the systematic analysis, design, development, implementation,
and maintenance of software. It was designed in the 1970s, but has evolved to include
visual programming tools and object-oriented programming. It is most often used on
large, complex projects that involve multiple software components and many people.
It provides a mechanism for planners, designers, code writers, testers, and managers
to share a common view of where a software project is at each phase of the lifecycle
process. By having an organized approach, code and design can be reused, which
can reduce costs and improve quality. The CASE approach requires building and
maintaining software tools and training for the developers who will use them.
• Component-Based Development: It is the process of using components that are
standardized building blocks that can be used to assemble rather than develop
an application. The components are encapsulated sets of standardized data
and standardized methods of processing data that together offer economic and
scheduling benefits to the development process.
• Structured Programming Development: It is a method that programmers use to
write programs that allows a considerable influence on the quality of the finished
products in terms of coherence, comprehensibility, freedom from faults, and
security. It is one of the most widely known programming development models.
The methodology promotes discipline, allows introspection, and provides controlled
flexibility. It requires that processes are defined, development is modular, and each
phase is subject to reviews and approvals. It also allows for security to be added in a
formalized, structured approach.


• Extreme Programming (XP): A discipline of software development that follows a
specific structure designed to simplify and expedite the process of developing new
software. Kent Beck developed extreme programming (XP) to be used with small
teams of developers who need to develop software quickly in an environment of
rapidly changing requirements. XP teams design software for specific functionalities
without adding any functionalities not specifically requested that may slow down the
process, keeping the development course simple through systematic and regular
testing and design improvements.

Model Choice Considerations and Combinations


The trend has been to combine many models for software development, for example,
waterfall, agile, and spiral. Whichever methodologies an organization uses,
security must be embedded in the process. As we have seen, there are specific security
requirements that need to be addressed.

Software Capability Maturity Model


A way to track an organization’s maturity in software development. Allows organizations to
improve the development process which should also improve the quality of the software
being produced. SW-CMM is based on the simple fact that the quality of the software is
dependent on the quality of the development process.

Typical Change Management Process Phases


Change Management Process – As the SDLC is one of the major software protection
controls, a proper change management process is vital to continued software assurance.
Note that SDLC and change management can be said to be part of each other, and partake
of many of the same practices.
• When analyzing the impact on operations, it is particularly important to note and
examine all changes that might negatively affect security functions, operations, or
assurance measures from previous versions.
• Ensure that internal documentation identifies why this change was made. If the
change is significant enough, there may be a requirement to perform a new
certification and accreditation process in conjunction with the change.

DevOps
A process that emphasizes communication and collaboration between the three entities
involved: development, quality assurance, and operations. DevOps addresses the
disconnect that usually exists in traditional software development. It creates a culture of
shared accountability by bridging gaps between all involved, including Development,
Quality Assurance, and Operations teams. The idea is to facilitate cooperation that should
allow faster and better deployments.


Module 2
Polyinstantiation
Object-oriented systems provide security by applying controls based on policy. For
example, in a CORBA system, a policy applies to a domain. System administrators can apply
policy to an object by putting the object into a domain and setting up policy for the domain.
Encapsulation protects objects. It is not possible to see what is contained in the object
because it is encapsulated.
Polyinstantiation is also the technique used to prevent inference violations. Essentially, it
allows different versions of the same information to exist at different classification levels;
therefore, users at a lower classification level don’t know of the existence of a higher
classification level.
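A small added model (not the guide's code) of what polyinstantiation buys, using an assumed four-level classification lattice and a table whose rows carry a label. Each subject reads only rows at or below its clearance and writes at its own level. With polyinstantiation switched off, a low-cleared user's insert collides with an existing SECRET row, and the rejection itself tells that user a row they cannot see exists (an inference channel). With it switched on, both rows coexist under the same key and each clearance sees its own version. The data values are constructed for the demo.

```python
"""Polyinstantiation in a multilevel-secure table (added example, not the guide's code).

Simplified model: every row carries a classification label; a subject reads only rows
dominated by its clearance and writes at its own level. Keeping rows with the same key
at different levels lets a low-cleared user insert a record without being told that a
higher-classified record with that key already exists.
"""

# Assumed four-level lattice for the example.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
_NAMES = {v: k for k, v in LEVELS.items()}


class MLSTable:
    def __init__(self, polyinstantiate: bool = True):
        self.polyinstantiate = polyinstantiate
        self._rows = {}  # (key, level) -> value

    def insert(self, key, value, subject_level):
        """Write at the subject's own level (no write-down, no write-up in this model)."""
        lvl = LEVELS[subject_level]
        if not self.polyinstantiate:
            # Key uniqueness across all levels: the rejection is an inference channel,
            # because a low user learns that a row they are not cleared to see exists.
            if any(k == key for (k, _) in self._rows):
                raise ValueError("key already exists")
        self._rows[(key, lvl)] = value

    def visible_rows(self, key, clearance):
        """All (level_name, value) pairs for key dominated by the clearance, lowest first."""
        c = LEVELS[clearance]
        rows = sorted((lvl, val) for (k, lvl), val in self._rows.items() if k == key and lvl <= c)
        return [(_NAMES[lvl], val) for lvl, val in rows]

    def read(self, key, clearance):
        """Return the value at the highest visible level for key, or None if nothing is visible."""
        visible = self.visible_rows(key, clearance)
        return visible[-1][1] if visible else None


if __name__ == "__main__":
    table = MLSTable()
    table.insert("flight-101", "cargo: munitions", "SECRET")
    table.insert("flight-101", "cargo: supplies", "UNCLASSIFIED")  # accepted, nothing leaked
    print("UNCLASSIFIED sees:", table.read("flight-101", "UNCLASSIFIED"))
    print("SECRET sees:      ", table.read("flight-101", "SECRET"))

    strict = MLSTable(polyinstantiate=False)
    strict.insert("flight-101", "cargo: munitions", "SECRET")
    try:
        strict.insert("flight-101", "cargo: supplies", "UNCLASSIFIED")
    except ValueError as err:
        print("without polyinstantiation the low user learns:", err)
```

The price of the technique is visible in visible_rows: a SECRET reader now sees two rows for the same key and must know which is the cover story, which is why polyinstantiated databases carry the classification label as part of the primary key.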

CORBA
CORBA is a set of standards that addresses the need for interoperability between hardware and software products. CORBA allows applications to communicate with one another regardless of where they reside. The ORB (Object Request Broker) is the middleware that establishes a client/server relationship between objects. Using an ORB, a client can transparently locate and invoke a method on a server object, whether it is on the same machine or across a network, and the ORB operates regardless of processor type or programming language.
The process works as follows:
1. The client application (through an object) sends a request (message) to the target object.
2. The message passes through the ORB Security System. Inside the ORB Security System is the Policy Enforcement Code, which contains the organization's policy regarding objects.
3. If the policy allows the requester to access the targeted object, the request is forwarded to the target object for processing; otherwise it is rejected before the target sees it.
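An added example of the three-step flow above, written as a small in-process broker rather than real CORBA code. It assumes that each object is registered into a named domain, that a domain's policy maps a caller's role to the methods it may invoke, and that every request is checked by the broker's policy enforcement code before dispatch; the domain names, roles and the Account object are invented for illustration.

```python
"""Domain-based policy enforcement in front of object invocations.

Added example (not CORBA or the training guide's code): the broker below
stands in for the ORB Security System; domains, roles and the Account
class are assumptions made for illustration.
"""


class PolicyDenied(Exception):
    """Raised by the policy enforcement code when a request is not permitted."""


class Domain:
    """A policy domain: policy is defined once here and applies to every
    object that is placed into the domain."""

    def __init__(self, name, policy):
        self.name = name
        self.policy = policy  # {caller role: set of method names allowed}


class Broker:
    """Stand-in for the ORB: locates the target object, runs the policy
    enforcement code, and only then dispatches the requested method."""

    def __init__(self):
        self._objects = {}  # object name -> (target object, domain)

    def register(self, name, target, domain):
        # Placing the object into a domain is how policy gets applied to it.
        self._objects[name] = (target, domain)

    def invoke(self, caller_role, name, method, *args):
        target, domain = self._objects[name]
        # Policy enforcement code: unknown roles and unlisted methods are
        # denied by default; nothing reaches the target unless allowed.
        allowed = domain.policy.get(caller_role, set())
        if method not in allowed:
            raise PolicyDenied(
                f"{caller_role} may not call {name}.{method} (domain {domain.name})"
            )
        return getattr(target, method)(*args)


class Account:
    """Target object; it does no access checks of its own."""

    def __init__(self, balance):
        self.balance = balance

    def read_balance(self):
        return self.balance

    def withdraw(self, amount):
        if amount > self.balance:
            raise ValueError("insufficient funds")
        self.balance -= amount
        return self.balance


def _try(broker, role, name, method, *args):
    try:
        return broker.invoke(role, name, method, *args)
    except PolicyDenied:
        return "denied"


def broker_demo():
    """Constructed scenario: the same Account object first lives in a
    'retail' domain, then is re-homed into a 'frozen' domain."""
    retail = Domain("retail", {"teller": {"read_balance", "withdraw"},
                               "auditor": {"read_balance"}})
    frozen = Domain("frozen", {"teller": {"read_balance"},
                               "auditor": {"read_balance"}})
    broker = Broker()
    acct = Account(100)
    broker.register("acct-1", acct, retail)
    results = {
        "teller_withdraw": _try(broker, "teller", "acct-1", "withdraw", 40),
        "auditor_withdraw": _try(broker, "auditor", "acct-1", "withdraw", 1),
        "guest_read": _try(broker, "guest", "acct-1", "read_balance"),
    }
    # Moving the object to another domain changes what is permitted
    # without modifying the object itself.
    broker.register("acct-1", acct, frozen)
    results["teller_withdraw_frozen"] = _try(broker, "teller", "acct-1", "withdraw", 1)
    results["balance"] = _try(broker, "auditor", "acct-1", "read_balance")
    return results


if __name__ == "__main__":
    print(broker_demo())
```

The teller's withdrawal succeeds in the retail domain, the auditor's and the unknown "guest" role's requests are refused before the Account object is touched, and once the object is placed in the frozen domain the teller can no longer withdraw either. The check sits in the broker, not in the target, which is the point of step 2 above.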

Runtime
The hardware and software components that allow applications to run on a system, including the security features of that architecture.
Security Weaknesses and Vulnerabilities at the Source Code Level
Explain that the following slides cover weaknesses and vulnerabilities at the source code level, which must be addressed through properly implemented security controls and secure coding practices.


Instructor Edition

Social Engineering
There are many definitions, but this one applies well to security and the software environment.

Instructor Notes
Activity: Security Weaknesses at the Source Code Level and Secure Coding Practices
Introduce the activity. Make the point that students need to understand these vulnerabilities, but also how security must be part of the development process so that secure coding practices are followed and these vulnerabilities are mitigated.

Secure Coding Practices


Explain that the following slides cover secure coding practices and the vulnerabilities they address. These are only examples; there are many more.

Covert Channel Controls


Techniques to identify and mitigate covert channels.

Software Forensics
Analysis of source code or machine code to address legal issues such as patent, trade secret, or copyright infringement. Software forensics may have other uses, such as examining the output, consequences, and other traces produced by software, especially for investigative purposes.

Mobile Code Controls


Examples of potential threats related to mobile code.

Module 3
Activity: Database Model Review
Introduce the activity. Students match each definition to the DBMS model it describes.

Activity: Database Vulnerabilities and Threats


Introduce the activity. Assign threats and vulnerabilities to the class and have students present them to the rest of the class.

Knowledge Management
Knowledge management techniques used to drive business intelligence: the automated process of analyzing data to extract meaning from it.




Web Application Threats and Protection


Protection mechanisms for web application environments.

Activity: Malware Protection Tools


Introduce the activity, ask the students to answer the questions.

Security of Code Repositories


Code repositories hold the organization's source and build history, so protecting them and their content against unauthorized access and modification is important.

Module 4
NIST SP 800-37 R1
This NIST guideline (Guide for Applying the Risk Management Framework to Federal Information Systems) extends the traditional certification and accreditation process and emphasizes key points for ensuring the secure development of applications and the security capabilities within the application itself.

Risk Management Framework


Using NIST SP 800-37, the traditional Certification and Accreditation process has been transformed into a six-step Risk Management Framework (categorize, select, implement, assess, authorize, monitor). The risk management process changes the traditional focus of certification and accreditation as a static, procedural activity to a more dynamic approach that gives the organization the capability to manage information system-related security risks more effectively.

Change Management
Change management as a way to ensure the continued effectiveness of software security as systems evolve.

Code Signature Limitations


What code signing cannot do: a valid signature shows who signed the code and that it has not been altered since, not that the code is free of vulnerabilities or that the signer's key has not been compromised.
