The Open Cissp Study Guide-Final


THE OPEN CISSP STUDY REFERENCE


BY ASHISH CHALKE
ASHISH_CHALKE

CBK 2018
Disclaimer: This reference contains passages, text and examples from the various references that the author was
using as study material. The intent of keeping the original text was due to it being an excellent explanation, and no
better explanation could be substituted for it. There is no intention of plagiarizing the original work. The author has
tried to substitute his own understanding and examples wherever possible to expound his grasp of the topic.

In case you feel some of the content violates your copyright, and would like it to be removed, please get in touch with
me on LinkedIn.
VERSION CONTROL

Sr. No. | Version No. | Author | Date / Time | Change Summary
1 | 1.0 | Ashish Chalke | 25/7/2018 | Sanitized for Public Release
NOTE

 My objective in creating this document was to have a summary of notes as a ready reference for my studies. The other objective
was to remember the topics by creating notes. Almost all of the data has been typed rather than copied, increasing my recollection
and greatly helping me recollect important information.
 In some areas, I may be expounding on the same concepts multiple times -> This is by design. In other times, the information
may seem scarce. This is because the notes were initially created for me by me. In areas where I have experience, I have not
covered some topics (they were obvious to me, thus reducing the document) and expounded in some where I needed to learn.
Domain 4 is an obvious example, where I have not gone into much detail. Similarly Web attacks, where I felt the OWASP
resources were the best resource for learning.
 As you read through the notes, you may find more resemblance to a specific source. That’s because I started out with one source
as primary (Kelly’s excellent Cybrary course) and ended with Eric Conrad’s CISSP Study Guide (with the Sybex coming in for a
domain or two). Each domain was written referencing the primary source of study, and then cross-referencing the other sources.
 This document has not been edited after the exam except for adding this Note, and other copyright notices on relevant content.
REFERENCES USED IN THE MAKING OF THIS REFERENCE

 Conrad, Eric; Misenar, Seth; Feldman, Joshua. Eleventh Hour CISSP®: Study Guide, Syngress - Recommended!
 Chapple, Mike. CISSP: Certified Information Systems Security Professional Official Study Guide, Wiley.
 Miller, Lawrence C.. CISSP For Dummies, Wiley.
 Kelly Handerhan. Cybrary – CISSP Course.
 Sunflower CISSP Exam Cram V2
 Lammle,Todd. Cisco Certified Network Associate Study Guide, Sybex.
 Studynotesandtheory.com - Recommended!
 CISSP Official Practice Tests, Sybex. - Recommended!
 Pocket Prep, CISSP. - Recommended!
 CISSP – Android App.
 Resources.infosecinstitute.com
 Adriancitu.com
 Owasp.org
HIGH LEVEL TABLE OF CONTENTS

Domain I: Security & Risk Management
Domain II: Asset Security
Domain III: Security Architecture & Engineering
Domain IV: Communications & Network Security
Domain V: Identity & Access Management
Domain VI: Security Assessment & Testing
Domain VII: Security Operations
Domain VIII: Software Development Security


DOMAIN I – SECURITY & RISK MANAGEMENT


CIA TRIAD

Confidentiality
• Information is not made available or
disclosed to unauthorized individuals,
entities, or processes.

Integrity
• Maintaining and assuring the accuracy
and completeness of data over its
entire life-cycle.

Availability
• Information must be available when it
is needed.
CONFIDENTIALITY

 Prevent the unauthorized disclosure of information.


 Prevent unauthorized read access to data.
 Restrict access to those authorized to view the data.
 Examples of confidentiality include:
 Encryption
 Authentication
 AirGap

 Attacks on Confidentiality:
 Theft of PII such as credit card information
 Packet Capturing
 Dumpster Diving – Scanning company dumpsters for discarded sensitive information.
 Wiretapping
 Keylogging
 Social Engineering.
 Phishing / Pharming – Hack sensitive information using fake emails / URLs. Pharming redirects legitimate traffic to another website.
INTEGRITY
 Prevent unauthorized modification of data.
 Prevent unauthorized write access to data.
 Maintain consistency, accuracy and trustworthiness of data over its entire life cycle.
 Data cannot be changed in transit or at rest and must prove non-repudiable.
 Data integrity protects information from unauthorized modification.
 System integrity protects systems from unauthorized modification.

 Examples of Integrity controls:


 File Permissions
 Write Access controls
 Audit logs
 Version controls
 Checksums

 Attacks on Integrity:
 Data Diddling – Changing data before or as it is being input into a PC or output.
 Session hijacking
 Man in the Middle
 Salami Attacks – series of minor attacks that become a large attack.
AVAILABILITY

 Systems and Information are available when and as needed.


 Systems need to be available and usable for normal business use.
 Types of Availability measures include:
 Providing adequate bandwidth for business traffic to applications / data center.
 Redundant application servers in case primary goes down.
 Backup of data in case primary is lost.

 Attacks on Availability:
 DoS – Denial of Service
 DDoS – Distributed Denial of Service
 SynFlood – Attacker sends TCP SYN packets but never sends a SYN-ACK back
 ICMP Flood – False ICMP Packets
 Electrical power – blackout, brownouts
 Half open scan – SYN Scanning with NMAP
IDENTITY AND AUTHENTICATION

 Identity is a claim – I am Ashish Chalke.


 Identity alone cannot guarantee truth as there is no proof. I can say I am Anil Chalke.
 Identity is typically = Username.
 Authentication supports Identity by providing proof.
 Authentication can be in the form of confidential information that only the authentic person possesses, such as a
Password, a fingerprint or a documentary proof like a Passport.
 Safeguards for Authentication:
 Multifactor Authentication – Something I know + Something I have or Something I do
 Tokens, Biometric, Password, Smartcards are all Authentication types.
 Biometric is the most secure as it cannot be easily duplicated.
AUTHORIZATION

 Authorization defines what actions you are allowed to perform once you are authenticated to a system.
 Authorization is defined based on the Access Control model implemented – MAC, DAC, RBAC, RuBAC
 Authorization examples:
 User - Ashish member of Active Directory Group – Administrators gets Full Access to File Server.
 User – Anil member of Active Directory Group – Managers gets Read Access to File Server.
 User – Swati member of Active Directory Group – Sales gets Read/Write Access to File server: Folder Sales

 Safeguards for Authorization:


 Access Control Models
 Active Directory Server
 Network Access Control
 RADIUS / TACACS+
ACCOUNTABILITY

 Accountability aims to hold users accountable for their actions once they are authenticated and authorized.
 Accountability is performed by logging and auditing user actions once access has been granted.
 Enforcing accountability keeps honest people honest.
 Accountability helps to prove who/what a given action was performed by.
 Examples of Accountability:
 At 3 AM in the night a firewall policy change resulted in downtime of 2 hours. With Accountability, administrators can view
who made the destructive policy change that resulted in the downtime.
 A theft in the company happened overnight. The security teams can validate the fingerprint access reader and the security
camera system to identify the thief.
 Accountability requires Non-Repudiation. For example if the audit logs can be modified by an administrator, they
can delete the offending logs of their changes and thus not be caught at all. Audit logs must be non-modifiable,
non-changeable thus making the offending changes Non-Repudiable.
NON-REPUDIATION

 Non-repudiation – ensure that a user or person cannot deny an action they performed:
 Modifying a security policy
 Changing a transaction
 Sending a message or email

 Non-repudiation relies on Authentication, Accountability and Integrity.


 For example: A firewall security administrator cannot make a change to policy without authentication. Once
authenticated, the firewall will automatically log actions to an Audit log (Accountability). The firewall mechanisms ensure
that even a security administrator cannot make changes to an Audit log (integrity)
 For example: An Exchange administrator deletes escalation emails from Senior Management’s email box. Without proper
non-repudiation systems in place, the administrator can deny having done any such actions!
 Non-repudiation must be a key component of Security Design. Are the systems put in place capable of Non-repudiation?
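An added example, not part of the original notes: one way to make an audit log tamper-evident is to chain every entry to the previous one with a keyed hash, so an edited or deleted entry is detected on verification. The key, field names and sample entries are constructed, and the sketch assumes the key is stored where the audited administrator cannot read it.

```python
import hashlib
import hmac
import json

# Assumption: in a real deployment this key lives on a separate log host or
# HSM that the administrators being audited cannot access.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor used before the first record


def _mac(prev_mac, record):
    """HMAC-SHA256 over the previous entry's MAC plus this record's canonical JSON."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, (prev_mac + body).encode(), hashlib.sha256).hexdigest()


def append(log, user, action, timestamp):
    """Append one audit record, chained to the entry before it."""
    record = {"seq": len(log), "ts": timestamp, "user": user, "action": action}
    prev = log[-1]["mac"] if log else GENESIS
    log.append({**record, "mac": _mac(prev, record)})


def verify(log, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, first bad index).

    expected_head is the MAC of the newest entry, recorded somewhere the
    administrator cannot change; without it, removal of the newest entries
    cannot be noticed because the remaining chain is still consistent.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "mac"}
        good = record.get("seq") == i and hmac.compare_digest(
            entry.get("mac", ""), _mac(prev, record)
        )
        if not good:
            return False, i
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def build_sample_log():
    """Constructed entries modelled on the 3 AM firewall change in the notes."""
    log = []
    append(log, "fwadmin1", "login", "2018-07-25T02:51:10Z")
    append(log, "fwadmin1", "firewall policy change: rule 12 set to deny-all",
           "2018-07-25T03:00:42Z")
    append(log, "fwadmin1", "logout", "2018-07-25T03:04:05Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["mac"]
    print("intact log:", verify(log, head))
    # The administrator removes the record of the offending change.
    print("entry deleted:", verify(log[:1] + log[2:], head))
    # The administrator drops the newest entries instead.
    print("tail truncated:", verify(log[:1], head))
```

A keyed hash chain only detects changes; attributing an entry to one specific person in a way they cannot deny additionally needs per-user authentication or signatures.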
DEFENCE IN DEPTH

 AKA Layering, is the “art” of deploying multiple controls or safeguards to protect an Asset.
 A single control may fail due to a vulnerability or capacity; multiple controls provide redundancy and improve the security
posture by improving confidentiality, integrity and availability of data.
 An example of Defence in depth is looking at medieval security:
 A Castle is protected by a strong Wall, however a wall can be breached by attackers with Rams.
 Adding a moat increases protection as it reduces approach areas to the castle – reducing the attack surface.
 Adding watch towers on strategic corners adds more defensive capabilities to handle attackers with projectiles
 Boiling oil stations on top of the Gate protects from Rams.

 Similarly Network Security:


 Our Firewall – protects access to the network from outsiders, reduce reconnaissance.
 NAT/Proxy – reduces visibility, reduces attack surface.
 Intrusion Prevention – Prevent attacks.
 Web Application Firewall – Reduce targeted attacks.
 Endpoint Security – Prevent endpoint attacks, Defence outside perimeter.
SUBJECTS AND OBJECTS

 Subjects – A Subject is an Active entity in a data system. A Subject manipulates objects in a data system. For a user
accessing files, the user is the subject. A Subject can also be an Application server modifying or updating a Database
entry.
 Object – An Object is a Passive entity in a data system. Objects are passive, they do not manipulate anything. A
Database or a physical document is an Object.
 Example: Rohan is in charge of Asset management into the corporate Asset management program. Rohan inputs
asset details such as Asset tags, User information, Date of entry etc. into the Asset management program which
stores the data in an Oracle database.
 Subjects: Rohan, Asset Management Program
 Object: Oracle Database
ADMINISTRATIVE MANAGEMENT CONTROLS

 Least Privilege – Users should be granted the minimum amount of access required to do their jobs and should only have them for the shortest amount
of time.
 Example: Vinod is a Data Entry operator and inputs physical form data into the company ERP, he should only be granted access rights – Read/Write to the Data Entry
interface of the Company ERP. He must be Authenticated and Authorized via a secure mechanism to ensure his authenticity. Accountability should be in place to
ensure all changes by Vinod are captured. Authorization ensures Vinod does not have the capability to view/ modify other aspects of the system such as transactional or
audit logs.
 Need to Know – User or subject is given only the information necessary to perform a specific task.
 Example: Bhavesh is working on a Top secret Military project and is assigned the task of making a drone radar. He will be given access to just the information he
needs to know to make the drone radar -> The specifics of the functions required and the fitting assembly and any inter-operability required with other system
functions. The Big Picture – what is it for etc - is typically hidden.
 Separation of Duties – Prevent information attacks by assigning parts of duties to different teams. No Single person has complete control of System’s
security mechanisms. Seeks to Prevent collusion between people trying to hijack information.
 Example: Network access is the job role of the Network administrator. Firewall policy is the job role of the Firewall administrator. Application installation on a server
is the job role of the Systems Administrator. This ensures that no one person is in charge of the overall security mechanism and helps to prevent unauthorized change
such as a malicious backdoor & C&C installed in a server for data exfiltration.
 Job Rotation / Mandatory Vacations – Rotate personnel across job profiles to ensure that they do not become too familiar with the system or process
and exploit flaws in the process.
 Example: Mitul has been working in Accounts Payables for 7 years and has an understanding with the Services provider for 10% of the increased bill amount to be
paid to him. Changing roles or enforcing a mandatory vacation and having another user perform Mitul’s duties can enable the organization to identify the fraud taking
place.
ADMINISTRATIVE MANAGEMENT CONTROLS
 Dual Control – Ensures two people are needed to complete a task so that no single person can circumvent and perform malicious actions.
Operations is split among two People.
 Example: Authorizing a purchase of a new Firewall system requires verification of the Purchase order and justification by the CIO and the CFO to ensure that
there is no fraudulent/unauthorized attempt during the purchase via collusion.
 Split Knowledge – M of N, requires a minimum number of agents (M) out of a total number of agents (N) to work together to perform high-security
tasks. Information is split among two people.
 Example: Rajesh and Samir are part of the ATM operations division. Rajesh is part of Cash management and Samir is part of ATM technology. To refill the
ATM machine, Samir has the knowledge to unlock the ATM Machine, Rajesh has the knowledge to open the Cashbox.
 Example: The ATM asks for a 16 bit Password to access the admin console, of which 8 characters are input by Rajesh and 8 characters are input
by Samir. Split Knowledge is the 16 bit Password. Rajesh knows 8 characters, Samir knows the other 8. Information is split. However the actual
act of Accessing the admin console is Dual Control as it requires both to open it, and can’t be accomplished without the other.
Note: Split-Knowledge and Dual control seem similar at first glance, but on close analysis you can identify that in the Dual
control example, the purchase OPERATION is split and hence it’s Dual control, and in the Split Knowledge example, the
access INFORMATION is split. Remember “Need to Know”.

 Agreements – No-compete clauses, Non-disclosure agreements, Acceptable use to prevent unauthorized information disclosure.
 Example: Kamlesh is working on a sensitive auto-driving project at Automotiveca and is defecting to Eventman Technologies to lead their auto-driving project.
Automotiveca can enforce the no-compete clause to ensure Kamlesh does not join a competitor and leak potential Trade Secrets.
GOVERNANCE VS. MANAGEMENT

 Governance
 Agreed upon enterprise Objectives
 Direction through prioritization and decision making.
 Monitoring performance and compliance against agreed upon direction and objectives.
 Plan – Decide the targets.
 Responsible for Risk Appetite

 Management:
 Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the
enterprise objective.
 Action – Do the actual operations to achieve targets.
 Responsible for Risk Tolerance
RISK MANAGEMENT FRAMEWORK
NIST SP800-37 Risk Management Framework

Step 1 CATEGORIZE Data & Information Systems (Data Owner)
• Based on Impact analysis

Step 2 SELECT Security Controls (System Owner)
• Initial baseline
• Tailor, scope and supplement on risk assessment

Step 3 IMPLEMENT Security Controls (Custodian/Administrator)
• Implement
• Describe how implemented

Step 4 ASSESS Security Controls (Data + System Owner)
• Controls implemented correctly
• Meeting security requirements

Step 5 AUTHORIZE Information System (Business Owner)
• Based on risk to operations and assets.
• And the decision that risk is acceptable

Step 6 MONITOR Security Controls
• Assess effectiveness
• Document changes
• Impact of changes
ISMS AND RISK FRAMEWORKS
 Standards to develop Infrastructure Security Management Systems (ISMS). ISMS consists of:
 Roles and Responsibilities
 Policies/Standards/Procedures/Guidelines
 SLA’s Service Level Agreements/Outsourcing
 Data Classification/Security
 Auditing

CoBIT – IT Management Controls
1. Meet Stake holder needs.
2. Cover enterprise end to end.
3. Apply single integrated framework.
4. Enable holistic approach.
5. Separate Governance from management.

OCTAVE – 3 Step Risk Assessment
1. ID Staff knowledge, assets & threats
2. ID vulnerabilities and evaluate safeguards
3. Conduct risk analysis, develop risk mitigation strategy

BS7799 / ISO 27002 – Code for ISMS. Guideline to implement ISO 27001

COSO – Fraudulent Financial Activities and Reporting.
1. Control environment
2. Risk Assessment
3. Control activities
4. Information
5. Communication
6. Monitoring

ITIL – IT Services Management Framework.

NIST SP-800-30 – Risk Management guide for Technology Systems

CMMI – Software Development Framework
ISO STANDARDS

 27001 – ISMS requirements - Plan, Do, Check, Act PDCA


 27002 – Code of practice for information security management
 27003 – Guideline for ISMS Implementation
 27004 – Measure the success of ISMS with metrics framework.
 27005 – Risk Management
 27006 – Guidelines for audit and certification bodies of ISMS
 27799 – Protect PHI
ISMS ROLES
 Senior Management: responsible for
 Ultimate Responsible
 Development and Support for Policies
 Allocations of Resources
 Decisions based on Risk: Acceptance, Mitigation, Avoidance
 Security Policy

 CISO
 Overall Security Responsibility
 Selects all applicable controls to mitigate risk.
 Ensures that security controls are in place and effective.
 Keep up with the Threats, derive Risk
 CSO – responsible for physical security.

 Business Manager (BU head or Mission owner)


 Decides which Controls to implement based on risk and business needs (qualitative) for a particular system.

 IT Systems Manager
 Identify Vulnerabilities, verify controls are implemented and maintained.

 IT Security Administrator
 Implement the actual controls.
SECURITY POLICY

 Organizational Security Policy


 Mandatory
 High level policy mandated by Management
 Designed to support organization Strategic Goals.
 Legislation or Industry specific drivers (example Financial institution = GLBA)
 Assigns High Level responsibility e.g. Departmental

 NIST 800-12 policy types


 Program specific – Establishes an organization’s Information Security Program
 System specific – aimed at protecting a system.
 Issue specific – focused on issues such as privacy or functions like email, acceptable use.
ISMS COMPONENTS

 Policy – Mandatory, High-level management directives. Contains – Purpose | Scope | Responsibilities | Compliance.
 Standards – Mandatory, Standardizes equipment or policy directives. Lowers TCO and supports DR. Specifics such as
“Laptops should be from XYZ with 8 GB RAM, 128 GB SSD”.
 Procedures – Mandatory, Step by Step documents on how to perform an activity. “Adding a new Administrator”
 Baselines – Discretionary, Minimum Acceptable Security Configuration, starting point for security configuration.
 Guidelines – Discretionary, Best Practices. Example: “Recommended to deploy a WAF vs Required to deploy a WAF.”
 Knowledge Transfer – modify Employee behavior
 Awareness – provide basic security information to all employees. Administrative control. Ex: Don’t browse porn in the workplace.
 Training – in-depth, focused on specific skill-set or task, to train employee on his role. Ex: How to access applications via the
VPN.
 Education – deepest level, underlying principles, methodologies or concepts. Ex: Why VPN?
PERSONNEL SECURITY

 Background Checks: Perform criminal records checks, education, certification checks before hiring.
 Termination: Immediate revocation of access. Termination should be fair or there is a possibility of repercussion.
Termination should follow a process:
 Coaching – Try to mentor and positively change employee behavior.
 Discussion – Have a verbal discussion, ideally along with HR.
 Warning – Written warning, along with HR.
 Termination
 All Access should be revoked on Termination.
 All ID Cards, Badges and equipment should be collected.
 Employee must be escorted outside the premises by security.
THIRD PARTY SECURITY
 Vendor or Third Party Personnel: Organizations may employ third parties or vendors to perform business functions such as Physical
Security or Marketing. As such, security controls must apply to these vendors:
 Background Checks – Standard: Ensures that the vendor also meets the standard criteria before hiring. Example: A Physical Security agency hires
a guard without a formal background check, who happens to have a criminal background, for lesser pay and more profit to the agency.
 Data Control/Use – Standard: Define how the organization’s data is to be used, stored and protected; and limits on subcontracting/disclosing data to
third parties, ideally with a penalty component. Ensures that the organization’s data is not leaked. Example: Eventman Technologies, Kentucky engages
a US-based agency for Hindi translation of its documents as part of its multilingual app project. This involves hundreds of customer data being
translated to Hindi. The agency subcontracts this to another Agency in India for a sub-fee. Confidential PII can be leaked by the sub-contracting
agency and the best part is Eventman is not even aware of it!
 Third Party Agreements and documents:
 MoU – Memorandum of Understanding: Broad understanding of goals and plans shared by two organizations. No monetary penalties.
 MoA – Memorandum of Agreement: Describes in detail the specific responsibilities of and actions taken by each party to accomplish the goals or
objectives. Legally binding.
 SLA – Vendors must adhere to service availability and response times defined as part of the SLA to meet business objectives.
 ISA – Interconnection Security Agreement: Agreed upon when two parties plan to transmit sensitive data. Provides details on how data is shared
and how it is encrypted for transmission.
 Outsourcing / Offshoring: Can raise privacy or regulatory issues. Ensure that contractors meet criteria for Data Protection and
Regulations. (E.g. Privacy Shield)
ISC2 CODE OF ETHICS
 Code of Ethics Preamble:
 The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere,
and be seen to adhere, to the highest ethical standards of behavior.
 Therefore, strict adherence to this Code is a condition of certification.

 Code of Ethics Canons:


 Protect society, the common good, necessary public trust and confidence, and the infrastructure.
 Act honorably, honestly, justly, responsibly, and legally.
 Provide diligent and competent service to principals.
 Advance and protect the profession.

Internet Advisory Board (IAB): Released RFC 1087 that lists:
• Unauthorized access to resources.
• Disrupt intended use of internet.
• Waste resources.
• Destroys integrity of computer based information
• Compromises privacy of users.
RISK MANAGEMENT DEFINITIONS

 Asset – Resources of value to the organization. The criticality or value of the asset determines the level of safeguards that are
put in place. Example: Office building, an eCommerce Member Database, Lab scientist.
 Threats – Potentially harmful occurrence that can cause damage, disclosure, destruction or loss. They can be accidental like
a Power outage, earthquake, malware. They can also be man-made – an act of terrorism or hacking from human threat
agents.
 Threat Agents – exploit vulnerabilities and are the root cause of Threats. Example: Terrorist attack is a Threat, the
Terrorists are the Threat Agents, Faulty Access controls are the Vulnerability.
 Vulnerabilities – Are flaws or weaknesses that can be exploited to cause harm, loss or destruction.
 Risk – Threat x Vulnerability = Risk. A Threat must connect with a vulnerability to form a risk.
 Example: A Web Application that has an input validation vulnerability that is not patched. A Hacker can exploit that vulnerability to
steal information. This is a Risk. If the input validation vulnerability did not exist, a hacker would not be able to exploit it, leading to no
Risk (at least from this specific aspect ;) )
Note: Threat Agents use Vulnerabilities to exploit a system to cause Threats. An example is a Hacker using an SQL
Injection vulnerability in the eCommerce Website to steal Credit Card data of its users. The Hacker is the Threat Agent,
The SQL Injection is the vulnerability, Stealing of Credit Card Data (Hacking) is the Threat. Loss of PII (Credit Card
Data) is the Risk.
RISK MANAGEMENT DEFINITIONS

 Secondary Risk – A direct result of implementing a risk response or safeguard mechanism. Response: Creation of
a Risk Response plan
 Example: A Web server is using a version of OpenSSL that has a Man-in-the-Middle Vulnerability. The administrator installs
the patch that mitigates this vulnerability. However the Anti-DDoS agent on the webserver is not compatible with the patch,
thus opening up the Web Server to DDoS attacks. The Risk response plan to mitigate the secondary risk is to install an updated
version of the Anti-DDoS agent that supports the OpenSSL package.
 Residual Risk – A result of the remaining risk after enabling a risk response or safeguard mechanism. Residual
Risks are expected to remain, and generally accepted. Total Risk – Control’s Gap = Residual Risk. Response:
Contingency Plan
 Example: Shyam’s organization has a 10 Mbps Internet connection, which users typically cite as slow and has frequent
outages. The typical usage is seen to be 18 Mbps. There are event logs which show that the traffic can spike to 24 Mbps once
every quarter during Sales updation week. Due to budget constraints of increasing link size, Shyam takes a decision to add
another 10 Mbps internet connection and use Loadbalancing to distribute bandwidth equally to users.
 Possible link outage (reducing effective bandwidth to 10 Mbps) and the Spike of 4 Mbps surplus of his bandwidth is
considered as Residual risk as the organization accepts the Risk. Shyam develops a contingency plan to use Bandwidth
throttling during link outage or high-bandwidth scenarios to mitigate the residual risk.
RISK MANAGEMENT DEFINITIONS – DEFENCE TERMINOLOGY

 Safeguard – Implementation of a control or countermeasure that removes or reduces the vulnerability or protects
from threats.
 Example: A Firewall is a safeguard to reduce the chances of hacking on the company’s servers. An SQL Patch is a
countermeasure that removes the specific Vulnerability from the server.
 Attack – Intentional Exploitation of vulnerability by a threat agent. But it can also mean violation of security
policy. (We’re under attack!!!)
 Breach – Bypass of a security mechanism. Breaches
 Example: The Wall’s been breached by the RAM’s!
 Example: Brute Force attacks against the firewall exploits a vulnerability to open all access causing a breach.
RISK MANAGEMENT DEFINITIONS - MISC

 Workarounds – An impromptu implementation, when no known responses work, to reduce downtime and
corresponding loss of business.
 Example: An unexpected Database server restart caused loss of connectivity to the ecommerce web application due to
unexpectedly listening on a different port. Tested responses of switching to the backup DB Server and restarting services do not
work. A Workaround is implemented to point the Web Application to the new port (and enable the firewall policy).
 Total Risk = Threat x Vulnerability x Asset Value
 Fallback or Contingency Plans – Response for accepted Risks that materialize.
 Example: Shyam’s company cannot afford two security personnel during the night hours. They have installed a police
hotline for the night security guard in-case assistance is needed in the event of a threat. This is a contingency plan.
 Impact - Impact can be equated with consequences, and is the severity of damages.
 Risk = Threat x Vulnerability x Impact
 Example: The Risk of being Hacked, can result in regulatory fines, disclosure related expenses, and loss of customer base.
This is Impact.
RISK MANAGEMENT PROCESS

1 System Characterization – Determine Scope, Choose Systems
2 Threat Identification – Identify Threats to Systems and Processes
3 Vulnerability Identification – Identify Vulnerabilities in Systems and Processes
4 Control Analysis – Analyze Safeguards already in place to mitigate risk.
5 Likelihood Determination – How likely is it that the threat will occur.
6 Impact Analysis – Impact if the Threat Occurs
7 Risk Determination – Determine Risk.
8 Controls Recommendation – Safeguards to mitigate risk
9 Results Documentation – Document the Results

NIST SP-800-30 – Risk Management Guide for Technology Systems
RISK ASSESSMENT TYPES

 Quantitative Analysis – is defined by deriving a monetary value of a risk through probability and loss expectancy
calculations. Quantitative analysis provides concrete percentage based risk items that can then be prioritized on monetary
value.
 Example: Shyam Technologies delivers backup tapes using Fedex. Their executives identified that DHL can provide a similar
service at lower cost with only a slight increase in risk of loss of backup tapes. Each tape costs $50, and DHL’s annual loss
expected is twice in a year resulting in a $100 loss.
 Qualitative Analysis – is based on judgement, intuition, experience and tangibility to the organization. Qualitative
analysis should be performed where the value of an asset far exceeds its dollar value to the organization. Qualitative
analysis involves taking feedback from various aspects of the organization to determine the value of an asset. Uses a
Probability Matrix (Likelihood/Impact) to determine risk.
 Example: The cost of a website for Shyam Technologies, an outsourced Security Operations Vendor, is $100. A Website defacement
hack is likely to cause a $100 loss to the organization to restore. However the business impact due to the loss of reputation (security
vendor being hacked) is too high to just rely on a Quantitative analysis.
DELPHI: The Delphi technique can be used to gather anonymous feedback for Qualitative Analysis. The idea is that
anonymous feedback enables the Risk Assessment team to get more honest feedback from participants.
For example: Asking Shyam upfront about the risk to the website, he would say definitely risky, but on anonymous
feedback he may say “Well nobody visits it anyway!”.
ASSESSING RISK

 Identify and Valuate Risk: Perform Risk assessments. Identify the associated Regulatory fines if a Risk is realized.
 Example: Exposure of Customer PII can lead to regulatory fines.

 Identify Threats and Vulnerabilities: Creating a list of threats that can affect an organization’s assets. Tools and
Processes can be used to perform this function. Additionally Third Party consultants can be used to identify Threats
and Vulnerabilities in processes or systems. Penetration Tests are a popular way to identify threats
and vulnerabilities.
 Black Box Test – The Attacker has no knowledge of the system and processes that he is asked to penetrate.
 Example: This is an accounting application, identify the vulnerabilities.

 White Box Test – The Attacker has complete knowledge of the system and process.
 Example: This is an accounting application with a three structured system of Apache Webserver 2.0, MariaDB 2.1, authenticated via AD on
a Windows Server 2008 R2 Platform.
 Grey Box Test – The Attacker has some knowledge of the system implemented and can direct blackbox testing accordingly.
 Example: This is an accounting system with a typical Web-DB architecture and AD authentication.
THREAT MODELING
 Key Performance Indicators (KPI): Resolve open items or backlog items identified in past audits.
 Key Risk Indication (KRI): provides predictive information for an organization risk exposure.
 Key Control Indicator (KCI): control an organization has over its environment and risk. Effectively a particular control is working.
KPIs : Using automated data gathering and tools that allow data to be digested and summarized can provide predictive information
about how organizational risks are changing.

STRIDE – Originated at Microsoft
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service (DoS)
• Elevation of Privilege

DREAD – Risk Assessment or Rating Threats
• Damage Potential
• Reproducibility
• Exploitability
• Affected Users
• Discoverability

PASTA
• Stage I: Definition of Objectives (DO)
• Stage II: Definition of Technical Scope (DTS)
• Stage III: Application Decomposition Analysis (ADA)
• Stage IV: Threat Analysis (TA)
• Stage V: Weakness and Vulnerability Analysis (WVA)
• Stage VI: Attack Modeling and Simulation (AMS)
• Stage VII: Risk Analysis and Management (RAM)
QUANTITATIVE RISK ASSESSMENT
Quantitative Risk Analysis - is determined on Single loss and Annual Loss expectations and is derived using a set of
formulas.

 Asset Value (AV)– A monetary figure for an Asset that includes not just the cost of the asset and its per year maintenance but
also the information residing on it.
 For example: A GWC NAS Storage unit may cost $100000 with a per year maintenance of $10000, but the data residing on that Asset is
Confidential IP and is valued at $1 million. The total value of the Asset is $1.1+ Million.
 Exposure Factor (EF) – a % Value, the exposure or percentage of loss expected from a threat.
 For example: Multiple Disk failures can cause data loss stored in the Storage unit. 5 disk failures can cause 20% data loss. 7 disk failures
can cause 30% data loss, and 10 disk failures can cause 50% data loss. The % figures are the Exposure factor.
 Single Loss Expectancy (SLE) – a monetary value from a one time loss. Calculated as SLE = AV * EF
 For example:
 5 Disk failures – SLE = 1110000 * 20% = $222,000
 7 Disk Failures – SLE = 1110000 * 30% = $333,000
 10 Disk Failures – SLE = 1110000 * 50% = $555,000
QUANTITATIVE RISK ASSESSMENT

 Annual Rate of Occurrence (ARO)– The chance a particular threat can be realized in a single year. This data
has to be supplemented by studies, fact-checks or third-party tests/certifications.
 For Example: GWC says there is a once in 3 years chance of a 5 disk failure, once in 5 years chance of a 7 disk failure and
once in 10 year chance of a 10 disk failure.
 Annual Loss Expectancy (ALE) – The Amount of loss expected annually due to a threat. ALE = SLE * ARO
 For Example:
 ALE from a 5 disk failure = 222000 * 0.34 = $75,480
 ALE from a 7 disk failure = 333000 * 0.2 = $66,600
 ALE from a 10 disk failure = 555000 * 0.1 = $55,500

ARO – is also the probability determination assessment: the likelihood that a threat may occur. For some threats and
risks, the ARO is derived by multiplying the annual likelihood by the number of users at a given location.
For example: GeekCorp has a remote location with 10 users. ARO for a malware infection is 1 x 10 = 10
QUANTITATIVE RISK ASSESSMENT

 Safeguard (SG)– Adding a safeguard can reduce the Exposure factor(EF) or reduce the Annualized Rate of Occurrence (ARO),
reducing the overall risk assessment.
 For example: GWC says replacing disks at 80% duty cycle reduces chance of disk failures. This requires installing proprietary monitoring
software and replacing disks, however GWC certifies that a 5 disk failure will only happen once in 8 years, a 7 disk failure once in 12 years and a
10 disk failure of once in 20 years. The Safeguard costs $2000 per year
 ALE with Safeguard – Safeguard assessment has to be calculated with the impact of its placement (the EF or the ALE) bringing
down the total cost of the risk.
 ALE = SLE * ARO
 In our example, the Safeguard directly impacts the ARO, thus the calculations are:
 ALE Safeguard 5 disk failure: AV = 1110000; SLE = AV 1110000 * EF 20% = 222000
 ALE = SLE 222000 * ARO 0.125 = 27,750

 ALE Safeguard 7 disk failure: AV = 1110000; SLE = AV 1110000 * EF 30% = 333000


 ALE = SLE 333000 * ARO 0.084 = 27,972

 ALE Safeguard 10 disk failure: AV = 1110000; SLE = AV 1110000 * EF 50% =550000


 ALE = SLE 550000 * ARO 0.05 = 27,500
QUANTITATIVE RISK ASSESSMENT

 Annual Cost Savings (ACS) - The benefits of a Safeguard can be calculated by subtracting the Post Safeguard-ALE from the Pre
Safeguard-ALE.
 Pre-ALE – Post-ALE = ACS

Type              Pre-ALE   Post-ALE   ACS
5-disk Failure    75480     27750      47730
7-disk Failure    66600     27972      38628
10-disk Failure   55500     27500      28000

If the cost of a Safeguard is greater than the value of the asset or the threat, then the risk should be accepted or
another countermeasure should be adopted.
QUANTITATIVE RISK ASSESSMENT

 Total Cost of Ownership (TCO) – The total cost of ownership is the total cost of a mitigating safeguard. The
TCO combines one time expense and Annual cost of maintenance, operational cost etc.
 For example: Our GWC Safeguard solution of monitoring software and disk replacement costs $2000 annually and a $500
operational cost. Considering a 5 year technology refresh cycle, this amounts to $12500 for 5 years, and $2500 annually.
 TCO for the Storage Safeguard is $2500 annually.

 Return on Investment (RoI) – Amount of money saved by implementing a safeguard. If Annual TCO is less than
the ACS then ROI is positive.
 ROI = ACS – TCO

Type              ACS     TCO    ROI
5-disk Failure    47730   2500   45230
7-disk Failure    38628   2500   36128
10-disk Failure   28000   2500   25500
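
The SLE, ALE, ACS, TCO and ROI steps above, carried through in one place as an added example (not part of the original study guide), using the GWC storage figures and the slides' rounded AROs. It takes the 10-disk SLE as $555,000 from the SLE slide, so the post-safeguard 10-disk ALE evaluates to $27,750; the `Threat` class, the function names and the combined-ROI calculation are assumptions of this example.

```python
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass(frozen=True)
class Threat:
    """One threat scenario, with and without the safeguard (sg) in place."""
    name: str
    ef: D        # exposure factor as a fraction: 0.20 means 20% of AV is lost
    aro: D       # annual rate of occurrence without the safeguard
    ef_sg: D     # exposure factor once the safeguard is deployed
    aro_sg: D    # annual rate of occurrence once the safeguard is deployed

    def __post_init__(self):
        if not all(D(0) <= ef <= D(1) for ef in (self.ef, self.ef_sg)):
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if min(self.aro, self.aro_sg) < 0:  # ARO may exceed 1, e.g. 10 infections a year
            raise ValueError(f"{self.name}: ARO cannot be negative")


def sle(av: D, ef: D) -> D:
    """Single Loss Expectancy: SLE = AV * EF."""
    return av * ef


def ale(av: D, ef: D, aro: D) -> D:
    """Annual Loss Expectancy: ALE = SLE * ARO."""
    return sle(av, ef) * aro


def assess(av: D, threat: Threat, annual_tco: D) -> dict:
    """Carry one scenario from SLE through to ROI and the resulting decision."""
    pre = ale(av, threat.ef, threat.aro)
    post = ale(av, threat.ef_sg, threat.aro_sg)
    acs = pre - post                 # ACS = Pre-ALE - Post-ALE
    roi = acs - annual_tco           # ROI = ACS - TCO
    return {
        "sle": sle(av, threat.ef), "pre_ale": pre, "post_ale": post,
        "acs": acs, "roi": roi,
        # A safeguard that costs more than it saves is not worth deploying.
        "decision": "implement safeguard" if roi > 0
                    else "accept risk or choose another countermeasure",
    }


def combined_roi(av: D, threats: list, annual_tco: D) -> D:
    """Assumption of this example: one safeguard covers all scenarios, TCO paid once."""
    return sum((assess(av, t, D(0))["acs"] for t in threats), D(0)) - annual_tco


# Figures from the slides' GWC storage example (AROs use the slides' rounding).
AV = D("1110000")          # $100,000 unit + $10,000 maintenance + $1,000,000 data
TCO = D("2500")            # $2,000 safeguard + $500 operations, per year
GWC = [                    # this safeguard changes ARO only, so ef_sg == ef
    Threat("5-disk failure", D("0.20"), D("0.34"), D("0.20"), D("0.125")),
    Threat("7-disk failure", D("0.30"), D("0.2"), D("0.30"), D("0.084")),
    Threat("10-disk failure", D("0.50"), D("0.1"), D("0.50"), D("0.05")),
]

if __name__ == "__main__":
    for t in GWC:
        r = assess(AV, t, TCO)
        print(f"{t.name:16} SLE={r['sle']:>9.0f} pre={r['pre_ale']:>6.0f} "
              f"post={r['post_ale']:>6.0f} ACS={r['acs']:>6.0f} ROI={r['roi']:>6.0f} "
              f"-> {r['decision']}")
    print("combined ROI:", f"{combined_roi(AV, GWC, TCO):.0f}")
```

A safeguard that lowers the Exposure Factor instead of the ARO is modelled by passing a smaller `ef_sg` and leaving `aro_sg` equal to `aro`.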
QUALITATIVE RISK ASSESSMENT
 Qualitative Risk Assessment focuses on Likelihood and Impact Assessment.
 Likelihood: How likely is it that a threat will be realized? Example: It floods every year in Mumbai during the rains. The likelihood
of Flooding is high. However, Earthquakes are unheard of. The likelihood is low.
 Impact: What will be the impact on the business? This can be monetary as well as having long term effects. Example: The impact
of flooding would be that operations could be down or slowed due to fewer employees being available. Impact is Moderate. However in an
Earthquake, the impact would be catastrophic.

LIKELIHOOD \ IMPACT   Insignificant (1)   Minor (2)   Moderate (3)   Major (4)   Catastrophic (5)
5. Almost Certain     High                High        Extreme        Extreme     Extreme
4. Likely             Medium              High        High           Extreme     Extreme
3. Possible           Low                 Medium      High           Extreme     Extreme
2. Unlikely           Low                 Low         Medium         High        Extreme

Based on this table:
• Flooding in Mumbai has a Risk of – 5+3=8
• Earthquake in Mumbai has a Risk of – 2+5=7
BUDGET & METRICS
 Metrics: Align the Security Budget to the mitigation of the right risks. Illustrate potentially costly risks, and
demonstrate effectiveness and savings of existing controls.
CIS Security Benchmarks – List metrics to help prioritize Security Budget. CIS Benchmarks are Baselines.
Application Security
• Number of Applications
• Percentage of Critical Apps.
• Risk Assessment Coverage
• Security Testing Coverage.
Configuration Change Management
• Mean time to complete changes.
• Percentage of Changes with Security Review
• Percentage of Changes with Security Exception
Patch Management
• Patch Policy Compliance
• Patch Management Coverage
• Mean-time to Patch
Incident Management
• Mean time to Incident Discovery.
• Incident Rate
• Percentage of Incidents detected by internal controls.
• Mean-time between security incidents.
Vulnerability Management
• Vuln scan Coverage
• % Systems without known severe vuln.
• Mean-time to mitigate
• Number of Known Vulnerability Instances
Financial
• Information Security Budget as % of IS Budget
• Information Security Budget Allocation
RISK CHOICES

 Risk Mitigation – Risk reduction or risk mitigation is implementation of safeguards and countermeasures to eliminate
vulnerabilities or block threats. Lowering the risk to an acceptable level. In some cases, a specific risk can be eliminated
completely.
 Risk Transfer – Transfer risk to another organization such as insurance or outsourcing.
 Risk Avoidance – Eliminating the Risk cause, to avoid a risk. E.g. System is open to HTTP attacks, if HTTP is not needed, the
protocol can simply be disabled to avoid the risk.
 Risk Deterrence – Deter violators from violating security and policies by putting in warning messages, auditing etc. but allow the
activity to continue. E.g. Users browsing to File share websites are prompted with a message saying they are being monitored.
 Risk Acceptance – Risk acceptance happens when the cost of the safeguard is higher than the risk or if the risk is deemed too low
by the management. The management chooses to accept the consequences if the risk is realized. Acceptance of risk is determined
by an organization's Risk tolerance. Risk acceptance involves proper documentation of risk and signoff that the risk is accepted.
 For example: An ecommerce organization won’t accept any downtime to its web applications as they are its primary source of business. A
Salon will accept their website being down for some time as their business is direct/walk-in.
 Risk Rejection – Reject or ignore a risk. Unacceptable response. Denying that a risk will be realized is not a prudent due-care
response to risk.
COUNTERMEASURE SELECTION CATEGORIES

 Administrative Controls – Following organization policy, procedure or regulation. Focus is on personnel and business
practices. Examples: Procedures, hiring practices, data classifications and labeling, Security awareness trainings,
reports and reviews.
 Technical Controls – Implementing hardware/software based controls to provide protection and manage access to systems
and resources. Examples: Authentication, Encryption, Firewalls, ACL, IPS, Clipping levels.
 Physical Controls – Implemented with physical devices to prevent physical access and provide protection from physical
damage to systems and resources. Examples: Locks, fences, mantraps, video cameras, dogs, motion detectors etc.

Security Control Assessment (SCA)
 Ensure Effectiveness of Security Measures.
 Evaluate the Quality and thoroughness of the risk management process in the Organization.
 Produce a report of Relative Strengths & weaknesses of the deployed Security infrastructure.
 Formal U.S. Government process for assessing security controls and is paired with a Security Test & Evaluation (ST & E) process.
7 ACCESS CONTROL TYPES

 Preventive Controls – Prevent unwanted actions from occurring. Restrict what a user can do with and without authorization.
Examples: Prevent users from changing the time, mantraps, separation of duties, encryption, Smartcard/biometric authentication,
antivirus, pentesting, IPS, Security awareness training.
 Detective Controls – Detect and alert without taking any action on the threat. Detective controls are designed to detect threat
activity after the threat action has taken place, or is currently taking place. Examples: CCTV, job rotation, IDS, Honeypots, audit
trails.
 Deterrent Controls – Implemented so that the user is discouraged from performing violations. Examples: You are being monitored
disclaimer, fire at sight policy in case of fraudulent violation, beware of dog.
 Corrective Controls – Correcting a damaged system or process. Works along with Detection controls. Detect & Respond.
Examples: Backup & restore, EDR, Anti-virus, System lockdown.
 Recovery Controls – More advanced, granular or complex in order to restore a functionality or a complete system for the
organization. Examples: Fault-tolerant systems, system reimaging, server or database clustering, high availability.
 Compensating Controls – Additional Security control put in place to address weaknesses in other controls. Example: An antivirus
software is unable to protect against cryptomining and phishing attacks. We add a secure web gateway control to protect from these attacks.
 Directive Control – Direct or control user actions. Examples: Notifications, Monitoring, Escape route signage.
IMPORTANT THINGS TO NOTE ON BCP

 BCP: Long Term Strategy Plan


 DRP: Short Term Tactical Plan
 The process of recovering an organization's critical business functions after a disaster is known as BCP
 Dealing with a more immediate or specific emergency is known as DRP. (Disaster Recovery Plan) 
 Difference between BCP and DRP
 BCP is more high-level than DRP.  DRP falls under the umbrella of BCP.  
 "What if our main data center was destroyed by an earthquake, what do we do?" - That's BCP.
 "What if our firewall failed at our main data center, what do we do?" - That's DRP.  

 The start of any organization's DRP/BCP program must have the approval of the senior management team 
 Management's approval is also a show of their support 

 BCP/DRP is all about documentation, documentation, documentation


 According to the CISSP, the first thing to look for in a disaster is the proper documentation that contains procedures and guidelines on
how to deal with a disaster 
FOUR PHASES OF BCP
 Phase 1: Project Scoping and Planning
 Business analysis from crisis point of view
 Creation of the BCP Team with Approval from senior management
 Assessment of resources available to participate in continuity processes
 Legal and Regulatory requirements analysis
 Business Organizational Analysis

 Phase 2: Business Impact Analysis 


 Phase 3: Continuity Planning - Recovery Strategies and Continuity Development
 Phase 4: Approval and Implementation
 Phase 5: Testing and Maintenance
 Exercise, Test, Drill and Maintain the BCP.
 Maintenance includes updating documentation as processes and controls change.

NIST SP800-34 provides guide-line on BCP - https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final


BCP PROCESS - NIST

Copyright: Harris, Shon; Maymi, Fernando: CISSP All-in-One Exam Guide, Seventh Edition; McGraw-Hill Education
BCP SUB-PLANS
NIST SP800-34 describes BCP sub-plans - https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final

BCP – Business Continuity Plan
• BRP – Business Recovery Plan: Recover business plans following a disaster.
• CIP – Cyber Incident Plan: Deal with cyber incidents
• DRP – Disaster Recovery Plan: Tactical, immediate restoration of business / systems functions
• OEP – Occupant Emergency Plan: Dealing with getting employees out of buildings during disasters e.g. fire.
• COOP – Continuity of Operations Plan: Sustain critical functions at alternate site for 30 days.
• IT Systems Contingency Plan: Recovering IT services/support/systems after disaster regardless of location
• CCP – Crisis Communication Plan: Communicate with employees in time of Disaster
DISASTER RECOVERY PROCESS

1 Respond – Initial responders will Assess whether it is a “disaster”.
2 Activate – Initial responders will activate the DR Team via Secondary response procedures.
3 Communicate – Disseminate recovery details with workers and the public.
4 Assess – DR Team will assess the extent of the damage to determine proper steps to recover.
5 Reconstitute / Recover – Recover critical Business operations at primary or secondary site.
DRP SITES

 Hot Site – Maintained in constant working condition with continuous/periodic Data Replication, IT equipment
and systems equivalent to the Primary site pre-configured and ready to take over in the event of a disaster. Fastest
to restore. Expensive. – Minutes to up to 6 hours recovery.
 Cold Site – Only contains communications, power systems. IT Systems / Data have to be installed, configured and
replicated to bring this site up. Slowest to Restore, Cheapest.
 Warm Site – Contains all systems and applications pre-configured and up, doesn’t have any Data. Median
between MTTR and cost. – 24 to 48 hours recovery.
 Mobile Site – Workgroup recovery strategy, ready to deploy via ground/rail/air/sea. Can be deployed as a Warm
or Cold Site.
 Redundant Site – Fully Active-Active Site with live data and equipment. Most expensive. – Seconds to
recovery. User does not see noticeable downtime.
BIA TERMS
 MTD – Maximum Tolerable Downtime – how long can a business function be down till business suffers significant damage. MTD = RTO + WRT
 RTO – Recovery Time Objective – period of time in which a system has to be restored.
 RPO – Recovery Point Objective – maximum acceptable time for data or work loss during a disruption.
 MTBF – Mean Time Between Failure – Identifies the average time between failures. Example: We can expect the syslog server to fail once every week due to load.
 SLO – Service Level Objectives – desired uptime of a system
 WRT – Work Recovery Time – Maximum Time till verification of Data integrity and systems to resume production.
 MTTR – Mean Time to Restore – Time required to restore, repair or recover a system after failure.
 MOR – Minimum operating requirements – Minimum requirements required for a system to function.

 Eventman GIC is an Insurance organization, providing Web based insurance advice and plans to their customers. Their BCP team is performing a BIA for their
infrastructure to prepare for business continuity in the event of a disaster. The team identified that full data backups take place every Sunday 9:00 AM, and incremental
backups every day. Incremental backups are stored locally, and transferred offsite DC every Day at 9:00AM. In the event the primary data center catches fire or systems are
unavailable, the organization needs to ensure that the website is online within 4 hours to prevent damage to the company reputation. For this to work, the website has to be
brought up online at the offsite facility. At a minimum a single server can be online for the website to function. Application and business owners require maximum of 2.5
hours to verify the data and application to certify it to come online. The IT Team, however states that they need 2 hours to restore the web application. Management also
wants that in such an event, transaction data at least 2 hours prior to the disaster be available to the website. Identify the metrics and what needs to be improved.
 MTD is 4 hours.
 WRT is 2.5 hours, thus we can deduce that the RTO is 1.5 hours as MTD = RTO + WRT.
 MOR is a Single server. MTTR is 2 hours, and needs to be improved to be equal or less than RTO.
 The current RPO of 24 hours is too high. This needs to be reduced to 2 hours, thus the backups need to take place every 2 hours and be transferred offsite.
BUSINESS IMPACT ANALYSIS
BUSINESS IMPACT ASSESSMENT
Identify Priorities -> Identify Risk -> Likelihood Assessment -> Impact Assessment -> Resource Prioritization

BUSINESS IMPACT ANALYSIS


 Perform Vulnerability Assessment – determine the impact of loss of a critical business function or system.
 Perform Criticality Assessment – Length of time a disaster could impact business operations.
 E.g. A firewall failure could impact 2 minutes of Operations as the recovery firewall would take over.
 E.g. Category 2 Storms and flooding could impact from 1 day to 3 days of operations.

 Determine the Maximum Tolerable Downtime of an IT Asset.


 Establish Recovery Targets via RPO and RTO – how much data / work can be lost; how much time can a
system/function be down.
 Determine Resource requirements – listing of resources needed for the Organization to function following a
disaster.
BCP ROLES
 Senior Management:
 Approves and Supports BCP Plans,
 Appoints the BCP Team,
 are the Mission owners.
 Prioritize
 Allocate Resources.
 Ensure maintenance of plan.

 BCP Steering Committee:


 Conducts BIA.
 Appointed by management, and from each department. Each member must know the goals of their department for BCP.

 Senior Managers:
 Develop and document testing strategies,
 Identify and prioritize systems, arbitrate disputes about priority.
 Monitor execution and development
 Ensure periodic Tests.

 BCP Teams:
 Continuity Planning Project Team: Identify who plays what role in an emergency.
 Rescue: immediately following the disaster
 Recovery: recover business via alternate operations
 Salvage: Return to primary operations.
BCP DOCUMENT COMPONENTS

 Continuity Planning Goals – Goals for continuity decided by the Senior management and BCP Team
 Statement of Importance – Reason why organization invested in BCP and request for cooperation.
 Statement of Priorities – lists functions critical to operations in prioritized order. Pulled from BIA.
 Statement of Organizational Responsibilities – Senior-level executive saying BCP is everybody’s responsibility.
 Statement of Urgency and Timing – criticality and timing of BCP implementation by the BCP Team
 Risk Assessment – recap BIA risk assessment of assets
 Risk Acceptance / Mitigation – risks accepted (the why), Risks mitigated (the how)
 Vital Records Program – define critical records, where they will be stored, procedures for backing up and storing copies.
 Emergency Response Guide-lines – emergency response procedures, individuals to be notified, secondary response
procedures.
 Maintenance – review, change BCP Plan based on organizational changes.
 Testing and Exercises – testing plan to ensure BCP plan remains current and people are trained.
BCP / DRP TESTING & MAINTENANCE
BCP Testing should be conducted at least once annually

Read-Through / Checklist Test
• All have copies of plans
• Make aware of responsibilities
• Knowledge refreshed
• Update the plan

Structured-Walkthrough / TableTop Exercise
• Members ROLE-PLAY disaster scenarios.
• Discuss Appropriate responses.

Simulation / Practical Test
• Given scenario and have to develop response.
• Interruption of NON-CRITICAL Business Activity.
• Some Operational Personnel involved

Parallel Test
• Activate DR (Alternate Site)
• No interruption to Primary site.

Full-Interruption Test
• Actual shutdown of primary site/operations.
• Activate DR (Alternate Site)

Train everyone for initial disaster response activities within the organization.
TYPES OF LAWS

 Criminal Law – The goal of Criminal laws is to deter malicious activities that are harmful
towards societies. The burden of proof should be beyond any reasonable doubt. Society
plays role of Victim.
 Civil Law – Harm caused due to a person or organization violating their responsibility to
perform Due care and due Diligence. The burden of proof should be Preponderance of
evidence. Preponderance means More likely than not. The more convincing evidence and
its probable truth or accuracy.
 Liability, Due Care, Due Diligence and Prudent Man Rule all come under Civil Law.
 Regulatory Law – Enacted by government agencies or trade regulators to induce fair play,
due care and due diligence and protection for the customers.

Law Reference
 Federal Code of Regulations – Federal Law or regulations specified by Federal Agencies.
 United States Code – Criminal Law or Civil Law
 Supreme Court Rulings – Interpretation of Laws
TYPES OF DAMAGES

 Statutory – Prescribed by law, and can be awarded to victim even if the victim incurred no actual loss or injury.
 Compensatory – provide victims with a financial award in an effort to compensate for loss or injury that is a direct
result of wrongdoing.
 Punitive – Punish an individual or organization to discourage a violation where statutory or compensatory
damages would not act as a deterrent.
TENETS OF LIABILITY
Liability – Is the organization or individual legally liable for specific actions or inactions, to determine negligence.
Liability is determined by the below:
 Due Care – Reasonable care to prevent a given situation. An Organization needs to show that it tried to prevent possible damage by
meeting security requirements. Action. Due Care is the practice of Due Diligence.
 For example: Eventman Technologies hosts an ecommerce website with Personally identifiable information of their customers such as Names,
Date of births, Phone numbers etc. In the event of a hack, Eventman Technologies needs to display Due care that they had the proper controls in
place such as implementing a Web Application firewall, penetration tests, salting databases.
 Due Diligence – Management of due care by following and implementing best practices. Includes Researching the requirement of
due care & Verification of the implementation of due care. Due Diligence is ongoing and follows a process.
 For example: Eventman Technologies needs to prove that they followed the best practices for configuring the WAF, performed patches and
recommendations from the Penetration tests, adhered to salting best practices and had the systems audited for regulatory requirements.
 Another example:
 Due Care: The CEO of Eventman Technologies thinks security is implementing security measures, and expecting his staff to perform regular maintenance and
patch the recommendations by Penetration testing teams.
 Due Diligence: The CEO of Eventman Technologies appoints an auditor to verify the following of best practices and compliance guidelines and reviews audit
reports.

Federal Sentencing Guidelines of 1991 formalized the Prudent Man rule, which requires Senior executives to ensure the
Due care that a prudent individual would take in the same situation. Interesting Case Study: Volkswagen Diesel
TENETS OF LIABILITY

 Gross Negligence – Opposite of Due care.


 For example: Despite the sensitivity of the data, the CEO of Eventman technologies refuses to implement any reasonable
security control to prevent data loss.

Liability – Despite a hack with loss of PII, if an organization demonstrates Due Care and Due Diligence, they are at a
better legal position. Negligence makes for a much worse legal position.
• Example: Volkswagen – the Management was aware of malpractices in Diesel emission cars yet decided to ignore
the threat resulting in Gross Negligence.
EVIDENCE

 Real Evidence – Tangible or Physical objects, e.g. murder weapon.


 Direct Evidence – Testimony provided by witnesses what they actually experienced. E.g. Stella the barmaid.
 Circumstantial evidence – Establish circumstances related to particular points. E.g. Train ticket of the accused.
 Corroborative evidence – Additional support for fact that may be in question. E.g. Video capture of accused at location.
 Hear-say evidence – Second-hand evidence, indirect information.
 Secondary evidence – Copies of original documents and oral descriptions. Computer generated logs and documents
might constitute secondary evidence.
 Best evidence Rule – Prefer the best evidence possible, original documents, tangible objects. E.g, actual footage of
murder.
 Parol Evidence Rule – Only written agreements acceptable.

Evidence must be Competent, Material and relevant


MORE LAW SPEAK

 Electronic Discovery – the process of gathering evidence for computer related crimes.
 Evidence Integrity – maintain the integrity of the data during its course of acquisition and analysis. Data must be
non-repudiable. Chain of custody is required to maintain full documentation of who, what, when evidence was
handled post acquisition.
 Examples: Checksums to ensure data integrity is maintained, audit logs to ensure chain of custody.

 Entrapment – when someone is persuaded to commit a crime, where the person originally had no intention to
commit a crime.
 Enticement – when conditions are made favorable to commit a crime, but the person was already determined to
break the law. Example – honeypot.
 Computer Crimes are difficult to judge due to there being less precedent in legal systems.
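
One way to combine the checksum and the audit log named under Evidence Integrity, as an added example (not part of the original study guide): every custody entry records who, what and when, carries the SHA-256 of the evidence, and is hash-chained to the entry before it. The field names, handlers, timestamps and evidence bytes are constructed, and chaining the entries is a design choice of this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash_of(entry: dict) -> str:
    """Hash every field except the stored hash itself, in a canonical order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


def record(log: list, evidence: bytes, when: str, handler: str, action: str) -> dict:
    """Append one custody event (who, what, when) bound to the evidence checksum."""
    entry = {
        "seq": len(log),
        "when": when,
        "handler": handler,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_hash_of(entry)
    log.append(entry)
    return entry


def verify(log: list, evidence: bytes) -> list:
    """Return a list of findings; an empty list means checksum and chain both hold."""
    if not log:
        return ["custody log is empty"]
    findings = []
    acquired = log[0]["evidence_sha256"]   # checksum taken at acquisition
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            findings.append(f"entry {i}: sequence number out of order")
        if entry["prev_hash"] != prev:
            findings.append(f"entry {i}: does not link to the previous entry")
        if entry_hash_of(entry) != entry["entry_hash"]:
            findings.append(f"entry {i}: contents altered after it was written")
        if entry["evidence_sha256"] != acquired:
            findings.append(f"entry {i}: evidence checksum differs from acquisition")
        prev = entry["entry_hash"]
    if sha256_hex(evidence) != acquired:
        findings.append("evidence: current checksum differs from acquisition")
    return findings


def demo():
    """Constructed sample: three hand-offs of one piece of evidence."""
    image = b"constructed sample: first bytes of a disk image"
    log = []
    record(log, image, "2018-07-25T09:00:00Z", "Analyst A", "acquired from workstation")
    record(log, image, "2018-07-25T11:30:00Z", "Evidence custodian", "received and sealed")
    record(log, image, "2018-07-26T10:00:00Z", "Analyst B", "checked out for analysis")
    return image, log


if __name__ == "__main__":
    image, log = demo()
    print(verify(log, image) or "chain of custody intact")
```

A hash chain only shows that earlier entries were not edited in place; the hash of the latest entry still has to be recorded somewhere the keeper of the log cannot rewrite, such as a signed evidence form.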
COMPUTER FRAUD AND ABUSE ACT

 Comprehensive Crime Control Act of 1984 covered:


 Covers computer crimes that cross State Boundaries.
 Access Classified information or financial information on a Federal System without authorization or in excess of privileges.
 Access a Computer System used exclusively by Federal Government without authorization.
 Use a Federal System to perpetrate a fraud. (unless the object of the fraud is the system itself)

 The Computer Fraud and Abuse Act of 1986 changes this to:
 Any computer used exclusively by the US Government
 Any computer used exclusively by a Financial Institution.
 Any computer used by the US Government or Financial Institute, where the offence impedes or prevents use of the system by
these organizations.
 Any combination of computers used to commit a crime/offense when they are not located in the same state.
 Threshold of damage $5000
COMPUTER FRAUD AND ABUSE ACT – FURTHER AMENDMENTS

 The Computer Fraud and Abuse Act 1994 Amendments changes this to:
 Outlawed creation of malware
 Any computer used in inter-state Commerce
 Allows for imprisonment of offenders regardless of whether they actually intended to cause damage. (Script kiddies)
 Legal authority of victims to pursue Civil action to claim compensatory damages or relief.

 National Information Infrastructure Protection Act of 1996 changes this to:


 Broadens scope to Computer Systems used in International Commerce.
 Similar protections to national infrastructure such as pipelines, railroads, power grids.
 Intentional or reckless act to National systems as a Felony.

 2015 – Barack Obama Modifications


 Bring computer crimes under the scope of RICO – Racketeer Influenced and Corrupt Organizations Act – e.g. Mafia.
COMPUTER SECURITY ACT OF 1987

Computer Security Act 1987


 Gives National Institute of Standards and Technology the responsibility to develop standards and guidelines
for Federal computer systems.
 NIST uses technical advice and assistance of National Security Agency (NSA) where appropriate.
 Provide enactment of such guidelines and standards.
 Require establishments of security plans by all operators of Federal computer systems that contain sensitive
information.
 Mandatory periodic training and review for all people involved in management, use and operation of such systems.
 This act replaced the NSA with NIST for the responsibility to develop the standards.
 NIST produces 800 series of Publications related to Computer Security for Federal Systems.
 http://csrc.nist.gov/publications/PubsSPs.html
GOVERNMENT AGENCY LAWS
 GISRA - 2000
 NIST holds oversight responsibility of Classified and Unclassified information processing systems.
 Places the responsibility for maintaining Security and Integrity of Government information and information systems on the Government Agency leaders.
 Introduced Mission Critical System – defined as a National Security System.

 FISMA – 2002
 Implement an Information Security program that covers the agency’s operations.
 Requires government agencies to include activities of their Contractors in their Security management programs.
 Periodic Risk Assessments, Policies and procedures based on these assessments, security awareness training and periodic
testing.
 FISMA – 2014
 Centralizes Federal Cybersecurity responsibility with the Department of Homeland Security.
 Defense-related Cybersecurity issues are responsibility of Secretary of Defence.
 Intelligence-related issues are responsibility of Director of National Intelligence.
COMMONLY USED NIST STANDARDS

 NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
 Federal computing systems and Agencies must comply with this standard.
 Commonly used as an Industry Cybersecurity benchmark.

 NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and
Organizations.
 Federal Contractors must comply with this standard.

 NIST CyberSecurity Framework (CSF):


 Voluntary risk-based framework for securing data and systems.
GRAMM-LEACH-BLILEY ACT - GLBA

 Banking Industry Regulation, applies to Financial institutions. – CIVIL LAW


 GLBA compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a
policy in place to protect the information from foreseeable threats in security and data integrity.
 Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the
consumer relationship is established and annually thereafter.
 The privacy notice must explain the information collected about the consumer, where that information is shared, how that
information is used, and how that information is protected.
 The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties
pursuant to the provisions of the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the
consumer must be notified again for acceptance.
 The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the
company is prepared for, and plans to continue to protect clients' nonpublic personal information.
INDUSTRY LAWS AND REGULATIONS

 Sarbanes-Oxley Act – SOX 2002


 Protects Shareholders and the General public from fraudulent practices in enterprises and improves the accuracy of corporate disclosures.
 SOX applies to PRIVATE Companies
 IT Departments are responsible for creating and maintaining corporate records (Data Retention)
 Mandates Segregation of Duties: duties should be separated and the person should be assigned the least privileges to
prevent fraud.
 BASEL-II
 International Banking Regulations with uniform rules and guidelines.
 Requires minimal capital requirements
 Regulatory Supervision – framework for national regulatory bodies to deal with systematic, liquidity and legal risk.
 Market Discipline – Banks have to disclose risk exposures, risk assessment processes and capital adequacy. (e.g. mutual funds are subject to market risk)
REGULATORY LAWS & STANDARDS
 PCI-DSS
 Payment Card Industry regulation – the Payment Card industry Self-regulates. Is not a Law, but a Data Security standard.
 All companies that accept, process, store or transmit credit-card information are subject to PCI-DSS Compliance.
 Requires disclosure by Merchants in case of Credit card data breach.
 Example: Eventman Technologies deliver a Solution Assessment Guideline service, where a consultant can be engaged to discuss and review a customer’s potential solution
investment vs. market trends. A customer can choose to buy the service via the Eventman Tech website using their credit-card. Eventman uses the Panauti-Pay platform to process
the credit-card transactions.
 In this case, both Eventman Technologies (Accept Credit Card) and Panauti-Pay (Process,Transmit) are thus required to conform to PCI-DSS at varying levels.

 HIPAA-HITECH
 Applies to any organization that processes or stores private medical information of individuals such as Health-care providers, health insurance
providers etc.
 HITECH 2013 also modifies this act so that Business Associates of the healthcare industry who work on PHI data are also covered under HIPAA via a Business Associate Agreement.
 HITECH also enforces Data Breach Notifications, requiring HIPAA covered entities to notify affected individuals in the event of a breach, and also to notify the Secretary of Health and the media in case the breach affects more than 500 individuals.
 Example: Eventman Technologies works with National Insurance – Kentucky, to process the scanned forms and input them into the CRM solution for National Insurance. In this case, National Insurance needs to have a BAA with Eventman Technologies. Eventman Technologies would also be regulated by HIPAA and must follow the compliance requirements.

Business Associates who work on PHI require a BAA – Business Associates Agreement.
SSAE18: REPORTS

 Based on ISAE 3402 International standard, supersedes SAS 70


 Auditing Standard
 SOC-1 – Financial control information Only.
 SOC-2 – Provide details on controls, procedures and issues. Released under NDA.
 Type-1 – Report of procedures or controls an organization has put in place as of a point in time. Organization’s attestation.
 Example: What security measures are in place to protect data center as on today’s date?

 Type-2 – Period based audit report: how the organization operated its controls over the period of 6 months, actual testing to determine effectiveness, and the auditor’s opinion based on description. More Reliable Report, preferred.
 Example: How was security for the data center operated and maintained?

 SOC-3 – Report by a 3rd Party auditor on whether a Service Provider organization (typically cloud vendor)
maintained effective controls over its systems – CIA. Typically used by Cloud vendors to assure customers of their
controls, and avoid individual audits from customers. (Less detailed than SOC-2 Type 2 Reports)
US PRIVACY LAWS
 4th Amendment
 Prohibits Government agents from searching private property without a warrant and probable cause.

 Privacy Act of 1974


 Mandates that agencies maintain only records that are necessary for conducting business and they destroy those records when they are no longer needed
for a legitimate Government function.
 Procedure for individuals to gain access to records that the Government maintains about them and a request to change incorrect records.

 Electronics Communications Privacy Act of 1986
 Prohibits interception or disclosure of electronic communication.
 Defines situations in which disclosure of such is legal.
 Protects against monitoring of email and voicemail communications and prevents those service providers (e.g. gmail) from making unauthorized disclosures of those contents.
 Makes it illegal to monitor telephone conversations.

 CALEA 1994
 All service providers to make wiretaps possible with court order, regardless of technology.

 USA PATRIOT 2001 - Terrorism Focused.
 Agencies can gain Wiretapping authorization – blanket authorization against a person to monitor all communications to and from that person.
 ISPs may voluntarily provide the government with information.
 Allows the government to obtain detailed info on user activity through a subpoena.

 Children’s Online Privacy Protection Act (COPPA) of 2000

 FERPA
 Applies to student records. Requires student consent for records disclosure.
DATA BREACH NOTIFICATION LAWS

 California SB 1386 - 2002


 Unencrypted Data Exposure or Breach of:
 Social Security Number
 Drivers License
 State Identification Number
 Credit or Debit Card Number
 Bank Account Number with Access password/PIN
 Medical Records
 Health Insurance Information
EUROPEAN UNION
 EU Data Protection Directive
 All processing of personal information must meet the following criteria
 Consent
 Contract
 Legal Obligation (e.g. collect passport number in case staying in hotel)

 Vital Interest of the data subject


 Balance between interests of the data holder and the data subject. (e.g. Bank and customer)

 Individuals about whom the data is held or processed have the right to:
 Access the data

 Know the source


 Correct inaccurate data

 Withhold consent to process data in some situations.


 Legal action in case these rights are violated.

 In case PII Data is being sent out of the EU, the organization must ensure that the data is protected.

 GDPR – is a REGULATION, needs no LAWS to be passed to be effective!


 Aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for
international business by unifying the regulation within the EU
EUROPEAN UNION - GDPR
 GDPR applies to all organizations that collect data from EU residents or process information on behalf of someone
who collects it, even if the organization itself is not based in the EU:
 Data Breach notification to inform authorities of SERIOUS DATA BREACHES within 24 hours.
 Creation of Centralized data protection authorities in each EU Member state.
 Provisions that individuals will have access to their own data.
 Data Portability provisions that facilitate the transfer of PII between service providers at the individual’s request.
 Right to be forgotten – allows people to require companies to delete their information if it is no longer needed.
 Organizations need to appoint a Data Protection Officer who is responsible to oversee the data protection strategy and implementation compliance to GDPR requirements.
GDPR has replaced the DPD and starts ENFORCEMENT from May 2018.
Data Controller: Determines the purposes and means for collecting and processing of personal Data. Shall use processors that will meet GDPR regulation requirements to safeguard PII. E.g: A bank collecting account
Data Processor: Processes data on behalf of the controller based on documented instruction of the controller. E.g: Organization that digitizes and archives data on behalf of the bank.
Both need to adhere to GDPR and implement controls to safeguard PII.
EUROPEAN UNION - SAFE HARBOR

 Safe Harbor:
 The EU requires EU Citizens PII traveling outside the EU to be protected by the EU Privacy law requirements.
 Since the US has lesser privacy laws compared to the European Union, Safe Harbor enables US companies working on
EU Citizens PII / conducting business in the EU to comply with EU Privacy laws.
 Department of Commerce certifies organizations as Safe Harbor compliant.
 To qualify for Safe Harbor, US Companies need to meet seven requirements:
 Notice – inform individuals what information is collected and how it will be used.
 Choice – opt-out choice if it’s shared with third parties. Opt-in in case it’s sensitive information.
 Onward Transfer – Organizations can only share data with other Organizations that comply to Safe Harbor.
 Access – Individuals must have access to any records containing their personal information.
 Security – Proper mechanisms to protect data loss, misuse and unauthorized disclosure.
 Data Integrity – mechanisms to have reliability of the data they maintain.
 Enforcement – individuals have a dispute resolution process, and provide certifications to regulatory bodies that they comply to Safe Harbor.
SAFE HARBOR was outlawed in 2015 and the PRIVACY SHIELD replaced it in 2016.
EUROPEAN UNION – PRIVACY SHIELD

 Notice – inform individuals about the purposes for which it collects and uses information about them. Also
inform about rights.
 Choice – offer the user the choice to opt-out.
 Accountability of Onward Transfer – Organizations can only transfer data with other Organizations that comply
to Notice and Choice principles.
 Security – Proper mechanisms to protect data loss, misuse and unauthorized disclosure to protect personal data.
 Data integrity and Purpose Limitation – Only collect data that is needed for processing purposes as identified in
Notice. Organization also responsible to take reasonable steps to ensure data is accurate, complete and current.
 Access – Individuals must have access to any records containing their personal information. Also have the ability
to correct, amend or delete information when it is inaccurate.
 Recourse, Enforcement and Liability– implement mechanisms to ensure compliance with principles and provide
mechanisms to handle individual complaints with a response to any complaints within 45 days, agree to an appeal
process including binding arbitration.
INTELLECTUAL PROPERTY - DEFINITIONS
 Copyright - U.S. Copyright Office
 Protects works from unauthorized duplication.
 Applies to: Literary, musical, movie, pictorial, sound, architectural works. Software source codes and look and feel can be copyrighted – not the idea.
 Works are protected until 70 years after death of the author. 75 years for organizations.
 Copyrights are protected by the DMCA – Digital Millennium Copyright Act.

 Trade Mark - US Patents and Trademarks Office.


 Trademarks protect words, slogans or logos that identify a Brand (a company and its services.)
 Trademarks are granted for 10 years but renewable indefinitely.
 Unregistered Trademarks have the TM symbol and the registered have ® symbol.
 Patents - US Patents and Trademarks Office.
 Protect intellectual property rights of inventors.
 Period of 20 years where the inventor has exclusive rights to his invention. Non-renewable, hence shortest duration.

 Trade Secret
 Trade secrets are absolutely critical to business and leakage could destroy the business (McDonald’s secret sauce)
 Is not registered with anyone as it could lead to disclosure which could lead to copy. Companies must enforce their own protection of data to ensure it doesn’t get exposed.
 Trade secrets are protected by the Economic Espionage Act.

 Licensing
 Protected by UCITA, which makes licensing terms legal contracts and provides opt-out capabilities.
INTELLECTUAL PROPERTY - LAWS

 Digital Millennium Copyright Act:


 Literary, Musical, Dramatic, Pantomimes/Choreographic, Pictorial/Sculptural/Graphical, Motion Pictures/AV, Sound
recordings and Architectural works.
 Computer software under literary works, protects actual source code. Not the idea or process.
 Exemption from DMCA:
 Transmission must be initiated by person other than the Service Provider.
 Transmission, routing, provision of connections or copying must be carried out by an automated technical process without selection of
material by the service provider.
 The Service provider must not determine the recipients of the material.
 Any intermediate copies (caching) must not ordinarily be accessible to any one other than the anticipated recipients and must not be
retained for longer than reasonably necessary by the service provider.
 The material must be transmitted with no modification of the content.
EXPORT CONTROLS

 Computer Export Controls


 Limits US companies from exporting and selling high-performance computing systems to countries that are suspected of terrorism, pose a nuclear threat etc. Today on the list: Cuba, Iran, Syria, North Korea, Sudan.
 Encryption Export Controls
 Limits US companies from exporting and selling high-security encryption technologies to countries that are suspected of terrorism, pose a nuclear threat or do not agree to the WASSENAAR agreement.
 International Traffic in Arms Regulations (ITAR)
 Controls export of military or Defence items, appearing on United States Munitions List (USML)

 Export Administration Regulations (EAR)


 Controls export of commercial items that have military applications, appearing on Commerce control List (CCL)
 Department of Commerce
INTELLECTUAL PROPERTY - LICENSING

 Contractual License Agreements: Written contract between Software vendor and Customer.
 Shrink-wrap License Agreements: Written outside the box/software packaging. Acknowledgement via breaking
the seal.
 Click-through License Agreements: Click a button for consent (I agree)
 Cloud-services License Agreements: Click to Read T&C, Click I agree.

DOMAIN II – ASSET SECURITY


DATA CLASSIFICATION
 Purpose: Drive what controls must be in place to PROTECT the data or Asset
 Sensitivity Labels are selected on:
 Value of the Data
 Loss if Compromised
 Legislative Drivers
 Liabilities
 Value to competitors
 Acquisition Cost

Rights – Actions a subject can take.
Permissions – Access to an Object.
Privileges – Rights + Permissions in a Subject Object Relationship

Sensitivity – Amount of Damage that may be caused if data leaks.
Criticality – Time when the release of sensitive data may cause harm. E.g. Financial results before public call.

Labels – All objects have labels. Marks sensitivity of the object.
Clearances – All subjects have clearances. Trustworthiness of a subject.
Compartments – Additional control over highly sensitive info. Clearance + Need to Know

Securing Data / Asset

Value – Determine Value of Data
Classify – Classify data based on the Value
Control – Implement controls based on the Classification Labels
Marking – Sensitive media needs to be marked to prevent mishandling.
CLASSIFICATION MODELS
Government / Military Model | Exposure Consequence | Corporate Model
Top Secret | Grave Damage – Class 3 | Confidential / Proprietary
Secret | Serious Damage – Class 2 | Private
Confidential | Damage – Class 1 | Sensitive
Unclassified | No Damage, available to anyone – Class 0 | Public
ASSET SECURITY TERMS

 PII – Personally Identifiable Information – specified by NIST SP-800-122


 information to identify or trace an individual such as name, social-security number, place and date of birth, mother’s maiden
name, biometric records.
 Information that can be linked to an individual such as financial, work, health and educational.

 PHI – Personal Health Information – specified by HIPAA


 Information created or received by a healthcare provider, health plan, public health authority, life insurer, healthcare clearing
house, employer, school or university.
 Relates to past, present or future physical or mental health conditions of individual, or past, present and future payment to
provision health care to an individual.
 Record Retention: Time to retain audit logs or data as specified by the organization’s policy or regulatory requirements.
DATA STATES
 Data at Rest:
 Data residing in PCs, backup tapes, drives, SAN.
 Encryption used to protect Data at Rest – AES 256

 Data in Use:
 Data being used by a data processor.
 Rights management and DLP protects Data in Use

 Data in Motion/Transit:
 Data transmitted over wired or wireless networks, internet.
 Encryption protecting the transit of data – TLS or IPSec; Encryption can protect the actual data

Example: Eventman Technologies deals with customer PII and wants to secure it on their Remote Sales users’ laptops, while it is being viewed, and while it is being sent to the Usage Application in the DC.
Eventman Technologies will choose to implement AES 256 encryption for Data at Rest on the endpoint, Digital Rights Management to prevent unauthorized actions (copy/print) for Data in Use, and enable dual controls of TLS encryption for the web application and per file AES256 encryption for Data in transit.
DEALING WITH DATA REMANENCE
Data Remanence is Data left after erasing
 Erasing: Performs delete operations on file, but does not delete actual data. Data can be recovered by recovery tools.
 Clearing: Overwrites deleted data with dummy bits (single character or patterns) to make data irrecoverable. However bad sectors and SSDs may retain data, making this technique less effective. (Same level reuse of media)
 Degaussing: Rewrites magnetic media with a heavy magnetic field. Works on backup tapes, hdd or floppy drives. Only Tapes can be reused, Destroys HDDs.
 Purging: Repeats the “clearing” process multiple times and may use another process (degaussing) to completely remove data. Degrading from Confidential to Unclassified requires Purging. (Lower level reuse of media)
 Declassifying: Efforts required to secure and declassify media costs more than new media for a lower classification level, so many organizations choose not to declassify. Declassification requires Purging.
 Sanitization: Ensures that Data cannot be recovered by using a combination of processes – verifying purging, verifying any media is not present in a system before it is scrapped, verifying destruction of hdds etc.
 Destruction: destroying media via incineration, crushing, shredding, disintegration, dissolving.
NSA requires the destruction of SSDs using an approved disintegrator as SSDs cannot be securely erased. (ATA Secure Erase can erase SSDs)
Top Secret lowering recommendation: Destruction
DEVICES AND REMANENCE
HardDisk Drives
 Same Level Reuse: Clearing
 Lower Level Reuse: Purging and Declassifying
 TopSecret to Unclassified: Destruction recommended
 Phase out: Sanitization and Destruction via Degaussing + Shredding

Backup Tape
 Same Level Reuse: Clearing, Degaussing (although not practical to reuse Tape)
 Lower Level Reuse: Purging and Declassifying
 TopSecret to Unclassified: Destruction recommended
 Phase out: Sanitization and Destruction

SSD
 Same Level Reuse: OPAL Commands
 Lower Level Reuse: Destruction recommended, ATA Secure Erase
 TopSecret to Unclassified: Destruction recommended
 Phase out: Sanitization and Destruction
 Use Encryption on SSDs for reuse to prevent wear leveling / overprovisioned blocks from data remanence, as these cannot be cleared / purged.

Flash Drives
 Same Level Reuse: Clearing
 Lower Level Reuse: Purging and Declassifying
 TopSecret to Unclassified: Destruction recommended
 Phase out: Sanitization and Destruction

CD/DVD-RW
 Same Level Reuse: Clearing
 Lower Level Reuse: Purging and Declassifying
 TopSecret to Unclassified: Destruction recommended
 Phase out: Sanitization and Destruction

CD/DVD-R
 Same Level Reuse: Destruction
 Lower Level Reuse: Destruction
 TopSecret to Unclassified: Destruction
 Phase out: Destruction
ASSET SECURITY ROLES

 Information Security Officer:


 Communication of risks to management
 Best practices to influence policies, standards, procedures, guidelines.
 Establish Security measures.
 Compliance to established government & industry regulations.
 Awareness of emerging threats.
DATA ROLES
 Data Owner
 Establishes rules for the appropriate use and protection of data.
 Provides information regarding security requirements and controls required to System Owners.
 Decides who has access to the information system with type of privileges and access rights.
 Assists in identification and assessment of common security controls.
 Typically the CEO, President or Department Head.

 Asset / System Owner


 Owns the IT systems on which Data resides and is processed. E.g. Systems Manager
 Develops and maintains system security plan to ensure system is secured, and operated according to the security requirements.
 Ensures system users and support personnel receive appropriate training.
 Assists in identification, selection and assessment of security controls.

 Mission / Business Owner


 Ensure that systems provide value to the organization.
 Owns the processes that use the systems. E.g. Sales teams using SAP.
 NIST 800-18 refers to this role as Program Owner or Information Systems Owner.
 Responsible to ensure that security controls are not misguided or impacting business.
DATA ROLES - CONTINUED
 Data Custodian
 Day to day management of the data as dictated by the Data owner.
 Implements the actual controls to protect the data.
 E.g. Data owner may state that data has to be backed-up daily. Data Custodian implements the actual backup mechanism and ensures that it is
operational.
 Data Processor
 An individual, system or organization that processes data on behalf of the Data Controller.
 E.g. Panauti Systems (Data Controller) outsources physical application form input to Eventman Technologies (Data Processor)

 Data Controller
 Controls the use of Data
 Required Role for GDPR.

 Administrator
 Responsible to grant appropriate access to personnel based on least privilege or need to know with a role-based access model.

 User
 Accesses data for work.
 Example: Payroll Accounts user who accesses employee data for payroll.
DATA PROTECTION CONTROLS - ENCRYPTION

 Symmetric Encryption – uses the same key for encrypting or decrypting data.
 AES – 128, 192 and 256 bits,
 selected as a standard to replace DES by NIST.
 Approved to protect Data up to Top Secret.

 3DES – 56, 112, 168 bits.


 Blowfish – 32 to 448 bits.
 bCrypt for linux is based on BlowFish. Adds another 128 bits as Salt to protect against Rainbow table attacks.

 Transport Encryption – Asymmetric, Public key encrypts, private key decrypts.


 SSL/TLS – PKI infrastructure based on Certificates.
 IPSEC –
 AH – Authenticating Header only protects Header information
 ESP – Encapsulating Security Payload protects Header and Payload of packets.
DATA PROTECTION CONTROLS - OTHERS
 Pseudonymization:
 Use pseudonyms to represent data.
 Prevents data from being identified directly.
 GDPR refers to pseudonymization as replacing data with artificial identifiers.
 Tokenization: Uses tokens to represent other data.

Name | Age | Occupation | Location
ORIGINAL DATA: Kamlesh Sumthingkar | 46 | Consultant | Mumbai
PSEUDONYMIZED: Eventman | 46 | Consultant | Mumbai

 Anonymization:
 If personal data is not needed, anonymization removes relevant data to make it impossible to identify the original subject or person.
 GDPR no longer relevant for anonymized data.
 Masking is an effective anonymization method:
 Swaps data in individual data columns, no longer representing the actual data.
 Example: A DLP detects Credit-card numbers for breach detection. However to protect the data, it masks the credit card number to prevent its misuse by security personnel.

Pseudonymization & Tokenization is reversible, meaning that with another set of data the original data can still be identified. Anonymization (Masking) is irreversible.
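The reversible / irreversible distinction above, as an added Python example (not from the original notes): the pseudonym link table and the token vault can each recover the original value, while a masked card number cannot be undone. The key, the sample alert text and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample data: the record from the table above and a DLP alert
# carrying a well-known test card number.
RECORD = {"name": "Kamlesh Sumthingkar", "age": 46,
          "occupation": "Consultant", "location": "Mumbai"}
ALERT = "DLP alert: outbound mail contains card 4111 1111 1111 1111 (user: ksum)"


def pseudonymize(record, key, link_table):
    """Replace the name with an artificial identifier (keyed HMAC).

    The pseudonym -> name mapping goes into link_table, which must be stored
    apart from the data set; whoever holds it can reverse the pseudonym.
    """
    digest = hmac.new(key, record["name"].encode(), hashlib.sha256).hexdigest()
    pseudonym = "P-" + digest[:12]
    link_table[pseudonym] = record["name"]
    return {**record, "name": pseudonym}


def reidentify(record, link_table):
    """Reverse pseudonymization using the separately held mapping."""
    return {**record, "name": link_table[record["name"]]}


class TokenVault:
    """Tokenization: a random token stands in for the value; only the vault maps back."""

    def __init__(self):
        self._by_token, self._by_value = {}, {}

    def tokenize(self, value):
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives when looking for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Masking: keep only the last four digits. Nothing is stored, so it cannot be undone."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_alert(text):
    """Mask every Luhn-valid card number in a DLP alert before analysts see it."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        return mask_pan(digits) if luhn_ok(digits) else match.group()
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    links = {}
    print(pseudonymize(RECORD, b"constructed-demo-key", links))
    print(redact_alert(ALERT))
```

Two different card numbers ending in the same four digits mask to the same string, which is why masking cannot be reversed even by the party that performed it.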
SECURITY CONTROLS
 Baselines – NIST SP800-53
 Ensure a minimum security standard and starting point for security controls.
 Example: Disabling insecure protocols such as Telnet and HTTP on routers provides a minimum access security configuration.

 Scoping –
 Reviewing baselines and selecting relevant controls to the system or organization.
 Rejected as not relevant.
 Example: A Router hardening baseline may require you to implement an access-list to deny access to the webserver on the router. However if your router does not have an embedded HTTP Server, you choose not to implement this control.
 Tailoring –
 Tailoring the baseline to fit the organization’s requirements.
 Baseline rejected as unable to implement and a compensating control implemented.
 Example: The organization uses low-cost routers at remote branches which only have HTTP management capability, and this cannot deny
access to the embedded HTTP Server. However the organization selects a compensating control such as allowing access to the HTTP server
only from the IT Subnet.
 Standards
 Comply with standards relevant to the industry the organization operates in such as PCI DSS, GLBA, SOX, HIPAA, DPD etc.
DOMAIN III – SECURITY ARCHITECTURE & ENGINEERING
ENCRYPTION TYPES

 Symmetric
 Uses a single shared key to encrypt or decrypt data.
 Faster than Asymmetric
 External sharing of key required.
 No Non-Repudiation
 One key required per group that wishes to share encrypted information.
 If one person leaves, all keys have to be changed.

 Asymmetric
 One public key for encryption and one private key for decryption.
 Slower than Symmetric.
 No need to share key. Diffie-Hellman helps automate key share.
 Two keys per user.
 No need to change keys if one person leaves, just revoke access.
 Provide Integrity, Authentication and Non-Repudiation
CRYPTOGRAPHY TO CIA

 Encryption provides Confidentiality


 Hashing provides Integrity
 Digital Signatures provide Authentication
 PKI with Digital Signatures provide Non-Repudiation

Symmetric Encryption: Confidentiality
Asymmetric Encryption: Confidentiality, Integrity, Authentication, Non-Repudiation
CRYPTOGRAPHIC TERMS

 Plaintext (p) – un-encrypted text.


 Ciphertext (c) – Encrypted text
 Key (k) – encrypts & decrypts plaintext
 Keyspace – size of the key, bit size used by the algorithm eg. AES-128 bit
 IV – Initialization vector, prevents repetition in encryption by starting at a random order and not 0 at the start to
make the resulting encryption unique.
 Example: “Ashish kills Ashish” encrypted is S!$SAp94S!$SA in normal encryption. IV, makes it “SAp94S!$SAS!$”
preventing dictionary attacks.
 Block – size/chunks of data that an encryption algorithm encrypts.
 Kerckhoffs’ Principle – Everything about the system is public (algorithm, deciphering etc). The encryption is secure because keys are unique. This enables a cryptographic system to be tested by the community to identify vulnerabilities.
 Security through Obscurity – Hide everything from the public to make it secure.
CRYPTOGRAPHIC FUNCTIONS
 AND [/\] – answer is 1 when both bits are 1.
 OR [\/] – answer is 1 when both bits, or a single bit, are 1. If both bits are 0, answer is 0.
 NOT [~ or !] – Reverses input of a variable. 1 becomes 0, 0 becomes 1.
 XOR [⊕] – answer is 1 if only one bit of either variable is 1; if both bits are 1, the answer becomes 0.

X | Y | AND (X /\ Y) | OR (X \/ Y) | XOR (X ⊕ Y)
0 | 0 | 0 | 0 | 0
0 | 1 | 0 | 1 | 1
1 | 0 | 0 | 1 | 1
1 | 1 | 1 | 1 | 0

X | NOT (~X)
0 | 1
1 | 0
CRYPTOGRAPHIC FUNCTIONS

 Modulo – Remainder value after a division is performed.
 Modulo Math: 6 mod 8 = 6, because 8 goes into 6 zero times, and 6 − 0 = 6.
 Nonce – random number that acts as a placeholder. IV is an example of a placeholder.
 One Way function – Output values where it’s (theoretically) impossible to retrieve the input values.
 Example: What combination of numbers could have formed 500,478,926? Too many!
 Zero Knowledge proof – showing that you know the answer, without actually revealing the answer.
 Example: Key combination lock – open the lock without revealing the combination to show that you know the key.
 Split Knowledge – split the knowledge to access a system among two people. M of N control.
 M of N Control = (m)inimum agents required out of (n) to perform high-security tasks.
 Example: Ashish and Samir each knows 8 bits of a 16 bit key to open the ATM machine.

 Work function – the time required to decrypt data without the actual key using attacks like brute forcing etc. Typically the Work function must be higher than the time of data retention that you need for protection. Consider that future computing power will reduce the work function time, compared to today’s computers.
 Example: Ashish needs to protect retention data for 10 years. He has a choice of two protocols – one which has a work-function of 10 years and another with 15 years. He should select the one with 15, since with technological advances the work-function will decrease over time.
TYPES OF CIPHERS
Codes vs Ciphers
• Codes are secret language. If you know it, you know the meaning. Example: The Eagle has landed.
• Ciphers always encrypt the message. The recipient needs a key to decrypt.
• Example: “Attack at Dawn” is “Zggzxp zg Wzdm” (Using the Atbash Cipher)

 Transposition Cipher – brings Diffusion in cryptography, making the communication more secure; rearranges letters/blocks of a plaintext message to get the ciphertext. Decryption is reversal of the operation.
 Vulnerable: to Frequency Analysis attacks, same block of text can produce the same output ciphertext.
 Example: Ashish becomes HsihsA
 Columnar Transposition uses a secret key and arranges the letters below it for more secure communication.
 Example: Message – “Eventman Rocks” can be encrypted with a key of KAMLESH.
 We encrypt this by assigning number based on the alphabet. eg. A comes first so 1, E comes 2. (If two are same, increment one number – A – 1, A – 2, E – 3 and so on)

1. Key, numbers and message:
KAMLESH
4165273
EVENTMA
NROCKS!
2. Now we align based on numbers and generate the message: VRTKA!ENNCEOMS
3. Share the Key and Message with the recipient.
4. Who uses the same theory on the key to regenerate the message.
5. Key is 7 no’s:
1234567
VTAENEM
RK!NCOS
6. Rearrange using key:
KAMLESH
4165273
EVENTMA
NROCKS!
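The columnar transposition steps above, worked in Python as an added example (not part of the original notes); the function names are illustrative. It also shows why transposition on its own is weak against frequency analysis: the ciphertext keeps exactly the same letter counts as the plaintext.

```python
from collections import Counter


def key_order(key):
    """Number the key letters alphabetically; equal letters are numbered left to right.

    KAMLESH -> [4, 1, 6, 5, 2, 7, 3]
    """
    ranked = sorted(range(len(key)), key=lambda i: (key[i], i))
    order = [0] * len(key)
    for rank, pos in enumerate(ranked, start=1):
        order[pos] = rank
    return order


def pad_message(plaintext, width, pad="!"):
    """Keep letters only, upper-case them, and pad the last row to the key width."""
    letters = [c for c in plaintext.upper() if c.isalpha()]
    while len(letters) % width:
        letters.append(pad)
    return "".join(letters)


def encrypt(plaintext, key, pad="!"):
    """Write the message in rows under the key, then read the columns in key-number order."""
    width = len(key)
    text = pad_message(plaintext, width, pad)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    order = key_order(key)
    out = []
    for rank in range(1, width + 1):
        col = order.index(rank)             # column that carries this key number
        out.append("".join(row[col] for row in rows))
    return "".join(out)


def decrypt(ciphertext, key):
    """Refill the columns in key-number order, then read the rows."""
    width = len(key)
    if len(ciphertext) % width:
        raise ValueError("ciphertext length must be a multiple of the key length")
    height = len(ciphertext) // width
    order = key_order(key)
    rows = [[""] * width for _ in range(height)]
    for rank in range(1, width + 1):
        col = order.index(rank)
        chunk = ciphertext[(rank - 1) * height:rank * height]
        for r, ch in enumerate(chunk):
            rows[r][col] = ch
    return "".join("".join(row) for row in rows)


def same_letter_counts(plaintext, ciphertext, key, pad="!"):
    """True when the ciphertext is only a reordering of the padded plaintext."""
    return Counter(pad_message(plaintext, len(key), pad)) == Counter(ciphertext)


if __name__ == "__main__":
    ct = encrypt("Eventman Rocks", "KAMLESH")
    print(key_order("KAMLESH"), ct, decrypt(ct, "KAMLESH"))
```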
TYPES OF CIPHERS
 Substitution Cipher – replaces each character with a different character.
 Example: Atbash Cipher reverses the Alphabet so that A = Z and Z = A.
 Example: ROT3 shifts the Alphabet 3 characters. A = D, Z = C, J = M.
 Ciphertext = (Plaintext + <substitution>) mod 26 (26 is letters of alphabet)
 Plaintext = (Ciphertext - <substitution>) mod 26
 Example: Substitution – EVENTMAN encrypted with ROT3 = HYHQWPDQ
 Vulnerable: to Frequency Analysis attacks – attackers try to identify frequently used words in the English language.
 One Time Pad – powerful substitution cipher.
 Ciphertext = (Plaintext + Key) mod 26
 Each bit of the Plaintext is XORed with the Key to produce the Cipher Text.
 Can be unbreakable when used correctly.
 One-time pad must be randomly generated, and then used on the Plaintext to generate a unique Ciphertext.
 The One-time pad must be physically protected from disclosure. If the enemy has the copy, they will easily decrypt the message.
 Key is as long as the message making this impractical for large messages.
 Vulnerable to Pattern Analysis: One time pad must be used only once, and ideally not from a book so that the enemy does not discover similarities.

Example: One Time Pad (A = 0, Z = 25)
Plaintext | E | V | E | N | T | M | A | N
Key | K | A | M | L | E | S | H | R
Num. P | 4 | 21 | 4 | 13 | 19 | 12 | 0 | 13
Num. K | 10 | 0 | 12 | 11 | 4 | 18 | 7 | 17
ADD | 14 | 21 | 16 | 24 | 23 | 30 | 7 | 30
mod26 Num. C | 14 | 21 | 16 | 24 | 23 | 4 | 7 | 4
Ciphertext | O | V | Q | Y | X | E | H | E

 Running Key Cipher – type of One-time pad encryption which uses a known book/phrase on both sides as the secret key, to avoid the sharing of the one time pad.
 Example: Using the 21st page of The Name of the wind as the secret key.
TYPES OF CIPHERS

 Block Cipher – Block ciphers operate on chunks of the message called blocks. Transposition ciphers are an
example of Block Ciphers. Modern encryption algorithms work on Blocks (block size)
 Stream Cipher – Operates on one bit or character of the message at a time. Can also be block ciphers by using
buffers. RC4 is a Stream Cipher.
 Example: Atbash or Onetime pads are examples of Stream cipher, as they work on each character at a time.

Goal: Make decrypting the ciphertext without the key much harder.
Confusion: Randomness, Change leads to change, a single change in plaintext can lead to
multiple changes in the cipher text. Substitution provides Confusion by substituting
one character for another. One wrong character selected can lead to an incorrect decryption.
Diffusion: Order of the plaintext should be diffused (dispersed) in the ciphertext,
making the key and ciphertext correlation as intricate as possible. Transposition provides
Diffusion by randomly rearranging characters/blocks of text.
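The substitution and transposition ciphers worked through in these notes, as an added Python example (not part of the original study guide; all function names are hypothetical). It reproduces the Atbash, ROT3, one-time pad and columnar transposition examples, and `profile()` shows why a fixed substitution or a transposition stays open to frequency analysis while a one-time pad does not.

```python
"""Classical ciphers from the notes (added illustration, not production crypto)."""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def shift(text, k):
    """ROT-k substitution: C = (P + k) mod 26. Pass -k to decrypt."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)          # leave spaces and punctuation untouched
    return "".join(out)


def atbash(text):
    """Atbash reverses the alphabet (A<->Z); applying it twice decrypts."""
    table = str.maketrans(ALPHABET + ALPHABET.lower(),
                          ALPHABET[::-1] + ALPHABET.lower()[::-1])
    return text.translate(table)


def pad_add(text, pad, sign=1):
    """Mod-26 one-time pad on A-Z text: C = (P + K) mod 26; sign=-1 decrypts."""
    if len(pad) < len(text):
        raise ValueError("the pad must be at least as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(p) + sign * ALPHABET.index(k)) % 26]
                   for p, k in zip(text, pad))


def column_order(key):
    """Column indexes in alphabetical key order; repeated letters go left to right."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(message, key):
    """Write the message in rows under the key, read the columns in key order."""
    if len(message) % len(key):
        raise ValueError("pad the message so the last row is full")
    return "".join(message[c::len(key)] for c in column_order(key))


def columnar_decrypt(ciphertext, key):
    """Put each ciphertext chunk back under its key letter and read row by row."""
    rows = len(ciphertext) // len(key)
    columns = [""] * len(key)
    for n, c in enumerate(column_order(key)):
        columns[c] = ciphertext[n * rows:(n + 1) * rows]
    return "".join(columns[c][r] for r in range(rows) for c in range(len(key)))


def profile(text):
    """Letter counts sorted high to low: the shape frequency analysis works from."""
    return sorted(Counter(ch for ch in text.upper() if ch.isalpha()).values(),
                  reverse=True)


if __name__ == "__main__":
    print(shift("EVENTMAN", 3), atbash("Attack at Dawn"))
    print(pad_add("EVENTMAN", "KAMLESHR"))
    print(columnar_encrypt("EVENTMANROCKS!", "KAMLESH"))
    # ROT3 and transposition keep the plaintext's frequency profile; the pad does not.
    print(profile("EVENTMAN"), profile(shift("EVENTMAN", 3)),
          profile(pad_add("EVENTMAN", "KAMLESHR")))
```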
HISTORICAL CIPHERS

 Caesar Cipher: Used substitution by Rotating 3 letters of the alphabet. ROT3.


 A becomes D, E becomes H, K becomes N and so on.
 Can be easily deduced by Pattern and Frequency Analysis.

 Vernam Cipher: Used a One Time Pad which was XORed to the plaintext message.
 Only mathematically unbreakable form of Cryptography

 Enigma/Purple Machine: Used a Rotor based mechanism to generate encrypted message (used as mixers).
Depending on the configuration of the rotors at the other end, the message could be decrypted.
[Images: German Enigma (the Polish reconstructed a similar version); Japanese Purple Machine]
SYMMETRIC ENCRYPTION BIT LENGTH SUMMARY

Sr.No.  Algorithm  Block Size   Key Size       Rounds of Encryption
01      AES        64           128, 192, 256  10, 12, 14
02      Rijndael   Variable     128, 192, 256  10, 12, 14
03      DES        64           56             16
04      3DES       64           112, 168       48
05      IDEA       64           128
06      Blowfish   64           32-448
07      Skipjack   64           80
08      RC2        64           128
09      RC5        32, 64, 128  0-2040
SYMMETRIC ENCRYPTION ALGORITHMS – DES
 DES – Data Encryption Standard, based on 64 bit block size and 56 bit key.
 DES performs 16 rounds of encryption.
 Electronic Code Book – Least Secure. Encrypts a block with the secret key. If same block is found, same ciphertext is
generated.
 Cipher Block Chaining Mode –
 Each block of Plaintext is XOR’ed with the preceding Ciphertext, and then encrypted by DES.
 The first block of text is XOR’ed with an IV and then encrypted, generating unique output every time. IV needs to be shared with the
recipient.
 Errors propagate – if one block is corrupted, entire transmission is corrupted.

 Cipher Feedback Mode – uses memory buffer instead of blocks to perform streaming CBC. Errors propagate.
 Output Feedback Mode – XOR’s plaintext with a seed value. No chaining functions, and transmission errors do not corrupt
future blocks.
 Counter Mode – uses a counter that increments at each operation. Errors do not propagate. (Suited for parallel computing as
it breaks encryption & decryption operations into multiple independent steps.)
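The modes listed above, run side by side as an added Python example (not from the original guide). DES itself is not in the Python standard library, so the block cipher is a stand-in: a toy 16-round Feistel network on 64-bit blocks with SHA-256 as the round function; the key, IV, nonce and plaintext are constructed sample values. `demo()` reports whether identical plaintext blocks repeat in the ciphertext and which blocks a single flipped bit damages.

```python
"""Toy 64-bit Feistel cipher in ECB, CBC and CTR mode (illustration only, not DES)."""
import hashlib

BLOCK = 8      # 64-bit block, the DES block size
ROUNDS = 16    # DES also performs 16 rounds


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(half, key, rnd):
    # Hypothetical round function: SHA-256 stands in for the DES S-boxes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def enc_block(block, key):
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, xor(left, round_fn(right, key, rnd))
    return left + right


def dec_block(block, key):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor(right, round_fn(left, key, rnd)), left
    return left + right


def split(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of 8-byte blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(pt, key):
    # Every block is encrypted on its own with the same key.
    return b"".join(enc_block(b, key) for b in split(pt))


def cbc_encrypt(pt, key, iv):
    out, prev = [], iv
    for b in split(pt):
        prev = enc_block(xor(b, prev), key)   # XOR with preceding ciphertext, then encrypt
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for b in split(ct):
        out.append(xor(dec_block(b, key), prev))
        prev = b
    return b"".join(out)


def ctr_crypt(data, key, nonce):
    # Encrypts nonce||counter to make keystream; the same call decrypts.
    return b"".join(xor(b, enc_block(nonce + i.to_bytes(4, "big"), key))
                    for i, b in enumerate(split(data)))


def changed_blocks(a, b):
    """Indexes of the 8-byte blocks that differ between a and b."""
    return [i for i, (x, y) in enumerate(zip(split(a), split(b))) if x != y]


def flip_bit(data, index):
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


# Constructed sample values: plaintext blocks 0 and 1 are identical.
KEY = b"demo-key"
IV = bytes(range(8))
NONCE = b"\x00\x00\x00\x07"
PLAINTEXT = b"PAY 100 " + b"PAY 100 " + b"TO ALICE" + b"THANKS!!"


def demo():
    ecb = split(ecb_encrypt(PLAINTEXT, KEY))
    cbc = cbc_encrypt(PLAINTEXT, KEY, IV)
    ctr = ctr_crypt(PLAINTEXT, KEY, NONCE)
    return {
        "ecb_repeats": ecb[0] == ecb[1],
        "cbc_repeats": split(cbc)[0] == split(cbc)[1],
        "cbc_new_iv_differs": cbc_encrypt(PLAINTEXT, KEY, b"another!") != cbc,
        # One bit of ciphertext block 1 is damaged in transit:
        "cbc_damage": changed_blocks(PLAINTEXT, cbc_decrypt(flip_bit(cbc, 8), KEY, IV)),
        "ctr_damage": changed_blocks(PLAINTEXT, ctr_crypt(flip_bit(ctr, 8), KEY, NONCE)),
        # One bit of plaintext block 1 is changed before encryption:
        "cbc_chain": changed_blocks(cbc, cbc_encrypt(flip_bit(PLAINTEXT, 8), KEY, IV)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```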
SYMMETRIC ENCRYPTION ALGORITHMS – 3DES

 3DES stands for Triple DES.


 Performs 48 rounds of encryption.
 3DES Modes
 EEE3 – Encrypts Plaintext using three different keys with a length of 168 bits : E(K1,E(K2,E(K3,P)))
 EDE3 – Encrypt Decrypt Encrypt operation with three keys: E(K1,D(K2,E(K3,P)))
 EEE2 – Encrypts using 2 Keys three times, with length of 112 bits: E(K1,E(K2,E(K1,P)))
 EDE2 – Encrypt Decrypt Encrypt operation with two keys: E(K1,D(K2,E(K1,P)))
SYMMETRIC ENCRYPTION ALGORITHMS – AES / RIJNDAEL
 NIST chose RIJNDAEL as replacement for DES in 2001.
 FIPS 197 mandates the use of AES/RIJNDAEL for encryption of all sensitive but unclassified data by the U.S.
Government.
 RIJNDAEL enables cryptographers to use a block size equal to the key length.
 128-bit keys require 10 rounds of encryption
 192-bit keys require 12 rounds of encryption
 256-bit keys require 14 rounds of encryption

 SubBytes – provides confusion by Substitution of the bytes of the State. The bytes are substituted according to a
substitution table (also called an S-Box).
 ShiftRows – provides diffusion by shifting rows of the State. (Transposition)
 MixColumns – provides diffusion by “mixing” the columns of the State via finite field mathematics. (Transposition)
 AddRoundKey – is the final function applied in each round. It XOR’s the State with the subkey. The subkey is derived
from the key, and is different for each round of.
SYMMETRIC ENCRYPTION ALGORITHMS - MISC

 IDEA – International Data Encryption Algorithm


 Operates on 64bit blocks of plaintext/ciphertext.
 Uses 128 bit key.
 Broken into 52 16-bit subkeys.
 Operates on same modes as DES – ECB, CBC, CFB, OFB, CTR

 BlowFish
 Allows variable length keys from 32 bits to 448 bits.
 Operates on 64bit blocks of plaintext/ciphertext.
 Faster than DES and IDEA

 Skipjack
 Uses 80-bit key on 64-bit blocks.
 Approved for use in FIPS-185 as Escrowed Encryption Standard.
 Supports the escrow of encryption keys, Uses Clipper and Capstone encryption chips.
 NIST and Department of Treasury hold part of info to reconstruct Skipjack key, for law enforcement agencies.
 Not widely adopted due to mistrust of the US Government.
ASYMMETRIC - PUBLIC KEY ENCRYPTION
 Uses a two Key system for encryption.
 The Public Key encrypts data, but can’t decrypt the same data.
 The Private Key decrypts data encrypted with the public key.
 Essentially, the key that locks the data cannot unlock it.
 Example
 The public keys are exchanged between Rohan and Karan who want to communicate securely.
 Rohan encrypts data with Karan’s public key, which Karan decrypts with his private key at his end. Vice-versa.
[Diagram: Key Exchange – Rohan and Karan each keep their own Private Key and exchange Public Keys. Data for Rohan is encrypted with Rohan’s public key; data for Karan is encrypted with Karan’s public key.]
ASYMMETRIC ENCRYPTION
 RSA – based on Prime Number factorization.
 Freely available in the public Domain since 2000.
 Each user of the cryptosystem generates a public and a private key.
 El Gamal – based on a Standard Discrete Logarithm problem.
 An extension of the Diffie-Hellman algorithm.
 Freely available to use.
 Doubles the length of any encrypted message, increases size.
 Elliptic Curve – Elliptic Curve discrete logarithm problem is the basis of this algorithm, where it is extremely
hard to find x even if P and Q are known.
 Because of this even a lower bit Elliptic Curve encrypted message is as strong as RSA/El-Gamal.

Sr.  Algorithm       Key Length
1    RSA             1024 bits
2    El Gamal        1024 bits
3    Elliptic Curve  160 bits

Diffie-Hellman – The Key Exchange Algorithm
• Used to exchange keys where there is no Public Key infrastructure or Offline Key distribution
mechanism.
• Used by SSL and SSH, where only the Server has both a Public and Private key, but not the user.

Sr.  DH Group    Key Length
1    DH Group 1  768 bits
2    DH Group 2  1024 bits
3    DH Group 5  1536 bits
PKI ON THE WEB – PKI WITH DIFFIE-HELLMAN
 PKI is slow, and requires the exchange of certificates from both ends of the
transmission.
 On the internet, it’s hard for every “user” to have a set of public and
private keys. It’s always the “server” which does.
 To effectively counter this for the Internet or WWW, a hybrid form of
cryptography is used, with PKI forming the initial trust relationship and key
exchange, and then using Symmetric encryption for the actual
communication of data.
 How is PKI Performed on the Web?
 User navigates to Google.com and gets the Public Certificate for google.com.
 User’s browser validates that Public Certificate is valid and issued by a Valid CA.
 User’s browser creates a “secret key” and encrypts it with Google’s Public
Certificate.
 Google.com decrypts the “secret key” with its Private Key to derive the same key
as the “User Secret key”
 Google.com then uses the Secret Key for Symmetric Encryption for further
communication.
[Diagram: User sends “GET www.google.com”; the server answers “I am www.google.com”; later requests such as “GET maps.google.com” go between User and www.google.com.]
HASHING
 Hashing provides Integrity to Cryptographic functions by
validating if a message has been modified.
 Integrity is derived by creating a Message digest of the
original message by the sender.
 The sender sends the Encrypted message and the
message digest to the recipient.
 The recipient creates a message digest of the message and
compares it with the message digest sent by the sender.
 If both match, Integrity is verified. If it doesn’t match, the
message was modified along the way.
 One modification, even a punctuation change, changes the message
digest.
5 Requirements of a Hashing function:
1. The Input can be of any length.
2. The Output must be of fixed length.
3. The Hash function must be relatively easy to compute.
4. Hash function has to be one-way. (Cannot be reversed to produce the original message)
5. Collision free / unique – No two messages can create an identical hash.
Collision attack:
When identical message digests can be derived from two
different source messages.
Example: Modifying an exe file with malware, and ensuring via
Collision that the message digest matches the original. You would
trust and execute the malware file assuming that it’s the original.
HASH FUNCTIONS
 SHA – Secure Hash Algorithm
 Government Standards promoted by NIST – part of FIPS 180 –
Secure Hashing Standard (SHS)
 SHA-1, SHA-2, SHA-3
 SHA-2 is the official recommended standard. However, in 2015 the Keccak
algorithm (SHA-3) was introduced as a drop-in replacement for SHA-2
with same variants and hash lengths but a more secure algorithm.
 MD5 – Message Digest 5
 Processes 512-bit blocks of messages with four different
computations to produce 128-bit message digest.
 Insecure – Subject to collision attacks.
 HAVAL – Hash of Variable Length
 Modification of MD5.
 Uses 1024-bit block size to produce 128, 160, 192, 224 and 256-bit
message digests.

Sr. No.  Hash Function  Message Digest                   Block Size
1        SHA-256        256-bit                          512-bit
2        SHA-224        224-bit                          512-bit
3        SHA-384        384-bit                          1024-bit
4        SHA-512        512-bit                          1024-bit
5        MD5            128-bit                          512-bit
6        HAVAL          128, 160, 192, 224 and 256-bit   1024-bit
7        SHA-1          160-bit                          512-bit
DIGITAL SIGNATURES
 Digital Signatures provide Integrity, Authentication and Non-repudiation.
 A Digitally Signed message provides non-repudiation – the sender cannot deny sending a message that was digitally signed.
 A Digitally Signed message provides Authentication – the digital signature verifies the identity of the sender.
 A Digitally Signed message provides Integrity – assuring the recipient that the message was not modified in transit.
 Digital Signature does not provide Confidentiality. – Adding encryption can provide confidentiality!

 Digital Signatures use PKI and Hashing.


 Ashish creates a Message digest of his plaintext message with SHA-256
 Ashish encrypts the Message digest with his Private key, and sends the Plaintext message and the Digital Signature to Vinod.
 Vinod decrypts the Message digest with the Public Key of Ashish.
 Vinod uses SHA-256 on the plaintext message and derives a Message Digest of his own.
 He compares his own Message Digest with the Message Digest sent by Ashish, if they match he is sure that:
 Ashish sent the message (Authentication), the message was not modified (Integrity), Ashish cannot deny that he sent the message (Non-
repudiation).

Ashish could have used Vinod’s Public key to encrypt the original message to provide Confidentiality.
DIGITAL SIGNATURE ALGORITHMS
 HMAC – Hashed Message Authentication Code
 Only guarantees Integrity of a message.
 Uses a Shared key – only communicators who know the shared key can create, or verify the digital signature.
 No Non-repudiation or authentication – as anybody with the key can generate the message.

 DSS – Digital Signature Standard


 Provides Non-Repudiation, Authentication and Integrity.
 NIST Specified standard under FIPS-186-4
 Specifies that Digital Signature algorithms MUST use SHA-3 for Hashing functions.
 Specifies the approved Encryption Algorithms:
 Digital Signature Algorithm (DSA) – FIPS 186-4
 Rivest-Shamir-Adleman (RSA) – ANSI X9.31

 Elliptic-Curve DSA (ECDSA) – ANSI X9.62

 Others:
 Schnorr’s and Nyberg-Rueppel.
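The Ashish/Vinod signing steps and the HMAC shared-key property described above, as an added Python example (not from the original guide). The RSA key is a toy built from two known Mersenne primes and used as textbook RSA without padding, purely to make the "encrypt the digest with the private key" step visible; function names and messages are constructed for the illustration.

```python
"""Digital signature vs HMAC (added illustration; toy key, textbook RSA, no padding)."""
import hashlib
import hmac

# Toy RSA key pair (constructed for this example, far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1              # two known Mersenne primes
N = P * Q                                # public modulus
E = 65537                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, known only to the signer


def digest_int(message):
    """SHA-256 message digest, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, d=D, n=N):
    """Sender: transform the message digest with the PRIVATE key."""
    return pow(digest_int(message), d, n)


def verify(message, signature, e=E, n=N):
    """Recipient: recover the digest with the PUBLIC key and compare with a fresh one."""
    return pow(signature, e, n) == digest_int(message)


def mac(message, shared_key):
    """HMAC-SHA-256 tag; anyone holding shared_key can compute it."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_ok(message, tag, shared_key):
    return hmac.compare_digest(mac(message, shared_key), tag)


if __name__ == "__main__":
    msg = b"Pay Vinod 100"                      # constructed sample message
    sig = sign(msg)                             # Ashish signs with D
    print(verify(msg, sig))                     # True: Vinod needs only (E, N)
    print(verify(b"Pay Vinod 900", sig))        # False: any modification breaks it

    shared = b"key known to Ashish and Vinod"   # constructed shared key
    forged = b"Pay Vinod 900"
    # Vinod can tag a message Ashish never wrote, so a valid tag proves
    # integrity between the two of them but not who wrote the message.
    print(mac_ok(forged, mac(forged, shared), shared))   # True
```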
PUBLIC KEY CERTIFICATES
COMPONENTS OF A CERTIFICATE
 Version of X.509
 Serial Number from the certificate creator / issuer
 Signature Algorithm Identifier.
 Issuer Name – the CA who issued the certificate.
 Validity Period – from x to y
 Subject’s Name – the DN to whom the certificate is issued.
 Can be a hostname/IP like maps.google.com
 Can also be a wildcard that maps to a whole domain - *.google.com
 Subject’s Public Key – aka use this to encrypt data when you send to me!
Subject - To whom the cert is issued.
CA - Who validates the subject and issues the cert.
Intermediate CA - Who can issue cert’s on behalf of the CA
X.509 – The standard that governs Certificates.
Phases of Certification
Enrollment
- CA verified identity of subject.
- CA generates Public and Private key for subject.
Verification
- User verifies identity and trust of CA.
- Subject DN matches the actual entity.
- Not on a CRL
Revocation
- Private key compromised
- Details changed
- Error in issuing.
Revoked using CRL or OCSP
CRL – Static list with Serial numbers of revoked certs.
OCSP – OCSP request to CA to verify validity.
HSM – Hardware Security Modules provide Key management. TPM is an example of HSM
CRYPTOGRAPHIC ATTACKS
 Frequency Analysis
 Analyze the frequency of common alphabets – e, t, a, o, i, n etc. and use that to decipher the message.
 Defeat: Randomize the message with IV.
 Dictionary Attacks
 Use commonly used words or phrases to decrypt the message, example: pass, pass123, dateofbirth
 Defeat: Do not use common words or phrases.
 Rainbow Tables
 Precomputed values for cryptographic hashes. Enhances Brute force.
 Brute-force
 Try every key combination to unlock the encrypted message.
 Defeat: Use an encryption algorithm with a higher work factor than the time needed to keep data secure. Use brute-force protection mechanisms such as 5 times wrong = block access.
 Meet in the middle:
 Encrypt on one side, decrypt from the other. Meet in the middle.
 Known Plain-text:
 Use a known plain text and an encrypted text to derive the key.
 Goal is to use that key to decrypt future communications.
 Chosen Plain-text:
 Choose Plain-text to be encrypted and compare with encrypted message to derive the key.
 Chosen Cipher-text:
 Choose Cipher-text to be decrypted and compare with known plain-text to derive the key. (Typically Asymmetric crypto)
 Adaptive Chosen:
 Uses either Chosen Plain or Cipher-text in round one and then adapts further rounds based on previous round.
 Differential Cryptanalysis:
 Difference between two encrypted messages.
 Birth Day Attack:
 Create Hash Collisions.
 Replay:
 Replay an encrypted message captured between two parties.
APPLIED CRYPTOGRAPHY
Web: SSL & TLS use Public Key Infrastructure and Symmetric Encryption.
S/MIME: Email encryption with PKI/Symmetric. RSA with AES/3DES
PGP: Email encryption with web of trust. RSA with IDEA and MD5
Hardware: TPM used to derive and store symmetric encryption keys for Full Disk Encryption.
Steganography: Hide a message in a digital image, music or movie.
Watermarking: Hide the Author’s signature in a work to identify the author/source
DRM: Digital Rights Management. Control rights such as copy/play/use on data.
Wireless: WPA2 encrypts communication between client and AP
Networking: IPSEC encrypts communication between two gateways or hosts.
IP-SEC: INTERNET PROTOCOL SECURITY
IPSEC can be Symmetric (Shared Secret) or Asymmetric (PKI) to setup a VPN Session.
Transport Mode:
Host to Host, Protects Payload, not header.
Tunnel Mode:
Gateway to Gateway, encrypts full packet. Adds a new header.
(AH) Authentication Header:
Encrypts the header information. Authentication, Message Integrity and Non-repudiation. Prevents Replay.
ESP – Encapsulating Security Payload:
Encrypts the payload.
Security Association:
One-way communication channel. Can provide confidentiality and authentication (ESP + AH). Use both for best security. Each
requires two SAs. So a single tunnel will require 4 SA’s if both used.
PFS: Perfect Forward Secrecy:
Long term key cannot be used to decrypt past messages.
ISAKMP/IKE:
• Authenticates Peers.
• Creates and Manages SA
• Key Generation Mechanism.
• Threat Protection i.e. Replay, MiTM.
SPI – Security Parameter Index:
• Unique per SA.
• IPSEC transforms (algorithms), security keys used.
• SPI must match for an inbound SA to bring up the SA
SECURITY MODELS
Subjects: Active Entities. Manipulate Objects.
Objects: Passive Entities. Manipulated by Subjects.
A Subject can also be an object.
[Diagram: User (Subject) writes to Web server (Object); Web server (Subject) writes to Database (Object).]
 State Machine Model
 System is always secure, no matter its state.
 Always boots into a secure state, maintains a secure state across
transitions, and allows subjects to access resources in a secure manner
compliant with security policy.
 Information Flow model
 Focused on Flow of information.
 Designed to prevent unauthorized, insecure or restricted information
flow, between different security tiers (clearances)
 Establishes relationships between two versions or states of an object at
different points in time.
 Take-Grant model
 Take – take control of an object
 Grant – grants rights to an object
 Create – allow subject to create new rights
 Remove – allow subject to remove rights it has
SECURITY MODELS – BELL-LAPADULA
 BELL-LAPADULA: Focused on Confidentiality.
 The idea behind is to ensure that Data is not leaked among clearance levels by restricting higher clearance subjects from writing
down (leaking) via lower clearance objects, and lower clearance subjects from reading (viewing) higher clearance objects.
 A Trusted Subject can violate the * Security Property (No Write Down) in the event of a Declassification.
 Is a Mandatory Access Control
 Information Flow Model
Protects only Confidentiality.
No Integrity or Availability

Sr.No  Property                  Function                   Explanation
1      Simple Security Property  No Read Up                 Subject cannot read higher than clearance but can read down.
2      * Security Property       No Write Down              Subject cannot write lower than clearance but can write up. (so as to not leak data writing to a lower level.) Can violate for Declassification
3      Strong * Property         No Read/Write Up or Down   Subject with read/write cannot read/write above or below clearance. Only same clearance allowed.
SECURITY MODELS – BIBA
 BIBA: Focused on Integrity.
 The idea behind is to ensure that Data is trustworthy. A Higher clearance subject cannot read a lower clearance (untrustworthy) object, a
lower clearance subject (untrustworthy) cannot modify/write to a higher clearance object.
 Prevent unauthorized modifications by authorized subjects
 Prevent modifications by unauthorized subjects.
 Protect internal and external object consistency.
Protects only Integrity.
No confidentiality or Availability

Sr.No  Property                   Function       Explanation
1      Simple Integrity Property  No Read Down   Subject cannot read lower than clearance. (so as not to read untrustworthy data)
2      * Integrity Property       No Write Up    Subject cannot write higher than clearance (so as to not input untrustworthy data.)
3      Invocation Property        No invoke      Processes cannot call upon/request subjects at a higher clearance.
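The Bell-LaPadula and Biba property tables expressed as access checks, as an added Python example (not from the original guide). The level names and function names are hypothetical, since the notes only speak of clearance levels. `access_table()` also shows what happens when both models are enforced on the same labels: only same-level access survives.

```python
"""Bell-LaPadula and Biba rules as access checks (added illustration)."""
from enum import IntEnum


class Level(IntEnum):
    # Hypothetical labels; higher value = higher clearance / classification.
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject, obj, op, strong_star=False, trusted=False):
    """Bell-LaPadula (confidentiality)."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation: {op}")
    if strong_star:
        return subject == obj            # Strong * Property: same level only
    if op == "read":
        return subject >= obj            # Simple Security Property: no read up
    # * Security Property: no write down, unless a Trusted Subject declassifies.
    return subject <= obj or trusted


def biba_allows(subject, obj, op):
    """Biba (integrity)."""
    if op == "read":
        return subject <= obj            # Simple Integrity Property: no read down
    if op == "write":
        return subject >= obj            # * Integrity Property: no write up
    if op == "invoke":
        return subject >= obj            # Invocation Property: no invoking higher
    raise ValueError(f"unknown operation: {op}")


def both_allow(subject, obj, op):
    """A system that enforces both models on the same set of labels."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def access_table(check, ops=("read", "write")):
    """Map (subject, object) level names to the operations the check permits."""
    return {(s.name, o.name): [op for op in ops if check(s, o, op)]
            for s in Level for o in Level}


if __name__ == "__main__":
    for name, check in (("BLP", blp_allows), ("Biba", biba_allows), ("Both", both_allow)):
        print(name)
        for pair, ops in access_table(check).items():
            print("  ", pair, ops)
```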
CLARK-WILSON
 Clark-Wilson – focused on Integrity
 Enforces security by using a three-part structure with Security Labels.
 Subject -> Interface -> Object (The Restricted Interface Model)
 Example: A Data entry user modifies the Database via the SAP Web Interface.
 Enforces Well formed transactions & Separation of Duties:
 Prevents Unauthorized subjects from making modifications.
 Prevents authorized subjects from making unauthorized modifications to objects.
 Separation of functions – different functions will be available to user based on class of user.
 Common model in Commercial Systems.
Example: Palo Alto Network’s Firewall Management access can be termed as a Clark-Wilson model.
[Diagram: User (Subject) -> Web server (Interface) -> Database (Object)]

Sr.No  Procedures & Items                       Explanation
1      CDI – Constrained Data Item              Any item whose integrity is protected by the model.
2      UDI – Unconstrained Data Item            Any data item whose integrity is not protected by the model.
3      IVP – Integrity Verification Procedure   Scans data items and confirms their integrity.
4      TP – Transformation Procedures           Only items that are allowed to modify CDI
OTHERS
 Brewer-Nash – Chinese Wall model.
 Designed to avoid conflicts of interest.
 Prohibits a subject (like a consultant) from accessing multiple conflict of interest
categories.
 Brewer Nash model requires
 Properly identified subjects
 One or more datasets
 Class definitions related to conflict of interest for all datasets.
 Access Control Matrix:
 Table that defines access permissions between subjects and objects.

Sr. No.  Subject  Firewall                                       Folder               Database
1        Ashish   Logs view                                      Read                 No Access
2        Kamlesh  Write rules, logs view                         Read/Write           No Access
3        Vinod    Write rules, modify rules, modify interfaces   Read, execute files  View

Remember:
 ACLs are Object focused and have a list of subjects who are granted access to the object.
 Capability table is Subject focused and has a list of actions that a subject can perform.
Composition theory: System Information Flow Modes:
 Feedback: One system provides information to another, and reverses roles to receive it back.
 Cascading: When input of one system receives information from output of another, cascading downwards.
 Hookup: One system sends input to another system but also sends input to external entities.
ACCESS CONTROL MODELS
DAC – Discretionary Access Control
• Security of object is at Data Owner’s Discretion.
• Access granted through ACL.
• Owner of Object decides permission.
• Identity based.
• Subject has no knowledge of the object’s sensitivity.
• Scalable and Flexible as each owner decides access.
MAC – Mandatory Access Control
• Data Owners cannot grant access.
• Security Labels of Subject and Object define decision.
• Access granted by Security Officer.
• Subject label must dominate Object Label.
• Subject has knowledge of the object’s sensitivity.
• Lattice-based Access control.
• Can be compartmented further for Label+Compartment access for Need to Know.
• Enforces Confidentiality.
RBAC – Role Based Access Control
• Group based Access Permissions.
• Non-discretionary.
• Each Role has a set of rights over objects as defined by the Data Owner.
• The Security Admin configures the rights.
• Subject focused.
RuBAC – Rule Based Access Control
• Rule based – Global focused rules that apply to all subjects.
• Called restrictions or filters.
Attribute Based Access Controls
• Policies that include multiple attributes for rules (memory=8gb, os=windows)
• SDNs use ABAC
All models, apart from DAC are Non-Discretionary Access Control Models.
REQUIREMENTS OF A SECURITY SYSTEM

 Information systems architecture must meet business & Security Requirements.


 Security should be built into information systems by design.
 Security must be balanced with Business requirements.
 Tradeoffs will be needed between security and business to achieve balance.
TCSEC / ITSEC
 TCSEC published in 1980, called the Orange Book, is made up of Divisions and Classes.
 Higher class number is better security. B3 is more secure than B1.
 Division D – Minimal Protection
 Division C – Discretionary Security
 C1 – Discretionary Security Protection
 C2 – Controlled Access Protection
 Division B – Mandatory Protection
 B1 – Labeled Security Protection
 B2 – Structured Protection
 B3 – Security Domains
 Division A – Verified Protection
 A1 – Verified Design.
 TNI – Trusted Network Interpretation, the Red Book, applies TCSEC concepts to the network.
 European ITSEC is the first international evaluation model.
 Separates
 Functionality – F: how well a system works
 Assurance – Ability to evaluate. Assurance is measured by Effectiveness (Q) and Correctness (E)
 Class ratings are compared in a followup section.
 Additional functionality ratings include:
 F-IN – High Integrity Requirements
 AV – High Availability Requirements
 DI – High Integrity Requirements for networks.
 DC – High Confidentiality Requirements for networks
 DX – High integrity and confidentiality for networks.
COMMON CRITERIA
 Target of Evaluation (ToE): System or product that is being evaluated.
 Protection Profile: Independent Set of objectives and requirements for a specific category of products or
systems, such as encryption software or firewalls. Protection Profile is the “I want” from a customer
perspective.
 Security Target: documentation describing the ToE, with the security requirements and operational
environment. Security Target is the “What I can do” from the vendor’s perspective.
 Evaluation Assurance Level (EAL): The evaluation score of the tested product.
 EAL1 – Functionally Tested
 EAL2 – Structurally Tested
 EAL3 – Methodically Tested and Checked
 EAL4 – Methodically Designed, tested and reviewed.
 EAL5 – Semi-formally designed and tested
 EAL6 – Semi-formally verified, designed and tested
 EAL7 – Formally verified, designed and tested.
TCSEC * ITSEC * COMMON CRITERIA COMPARISONS

Sr. No.  TCSEC  ITSEC     Common Criteria  Description
1        D      F-D+E0    EAL1             Minimal / No Protection
2        C1     F-C1+E1   EAL2             Discretionary Security mechanisms
3        C2     F-C2+E2   EAL3             Controlled Access Protection
4        B1     F-B1+E3   EAL4             Labeled Security Protection
5        B2     F-B2+E4   EAL5             Structured Security Protection
6        B3     F-B3+E5   EAL6             Security Domains
7        A1     F-B3+E6   EAL7             Verified Security Design
CERTIFICATION VS ACCREDITATION
CERTIFICATION
Certified to meet security requirements of the Data
Owner. Considers the system, security measures and the
residual risk. (Certified by the manufacturer to state
what the system does)
ASSURANCE
Systems have designs accepted, development stages
analyzed, reviewed, tested and evaluated. (Assurance is
the analysis of how a system is made)
ACCREDITATION
Data Owners acceptance of the certification and the
residual risk before the system is put in production.
 Phase I: Definition – Assign appropriate personnel, document mission goal, System
Security Authorization Agreement (SSAA) that guides Certification and Accreditation.
 Phase II: Verification – Refinement of SSAA, system dev activities, and certification analysis.
 Phase III: Validation – Certification evaluation of integrated system, development recommendation
to DAA, DAA’s accreditation decision.
 Phase IV: Post Accreditation – maintenance of SSAA, System operation, change mgmt.,
compliance validation
TCB
 Security Perimeter
 Delineates the Trusted and the Untrusted components within a
computer system.
 Isolates the TCB.
 Reference Monitor
 Abstract machine concept that mediates all access between
subjects and objects.
 Defines the rules (laws) like an ACL.
 Security Kernel
 Enforces the Reference monitor concept.
 Must facilitate isolation of process.
 Enforces the rules defined by the Reference monitor.
[Diagram: USER SPACE with a USER PROCESS outside the Security Perimeter; inside the perimeter, the TCB with the REFERENCE MONITOR and the SECURITY KERNEL.]
SYSTEM STATES
Dedicated Mode:
 Single State System.
 User must have clearance that permits access to all data processed by system.
 Access Approval for all data.
 User must have a valid Need to Know for all data.
System High Mode:
 User must have clearance that permits access to all information processed by system.
 Access Approval for all data.
 User must have a valid Need to Know for some data processed by the system.
Compartmented Mode:
 User must have clearance that permits access to all information processed by system.
 Access Approval for data they need access to.
 User must have a valid Need to Know for all data they need access to.
Multilevel Mode:
 Multi-state system.
 Subject does not have clearance to all data processed. Subject’s clearance dominates objects label.
 User needs to have Approval and Need to Know for only data they need to access.
CPU
 Multi-tasking: handles two or more tasks or processes simultaneously.
 Multi-threading: distributes multiple tasks inside a process over two or more cores in parallel.
 Multi-processing: uses multiple processors with multi-threading applications to achieve computing.
 SMP: Symmetric Multiprocessing – single OS, multiple CPUs on shared memory and databus.
 MPP: Massively Parallel Processing – One OS per CPU, with software that coordinates activities and
processing.
 Multi-Programming: emulates multi-tasking. When one process waits, another runs.
 Multi-core: Independent cores that operate and process simultaneously.
Ring 0: Kernel Mode – OS performs privileged instructions via system call
Ring 1: OS Components
Ring 2: Drivers, Protocols
Ring 3: User Mode – All apps execute in user mode.
CPU STATES
CPU Cycles
 Fetch: Gets the instructions from memory.
 Decode: Deciphers the instructions and sends to the ALU for execution.
 Execute: ALU performs logical operations on the data.
 Store: Result of the logic operation is stored in register.
CPU States
 Ready: Process is ready to begin processing, CPU is not available.
 Waiting: Process is waiting for device or access request (interrupt) to continue processing.
 Running: Process is executing, Problem state in which CPU is trying to solve problem until it’s
solved, blocked or time-slice expires.
 Supervisory: Process requires greater privileges, any function not executing in Ring 3.
 Stopped: Process finishes or terminates.
MEMORY
 ROM – Read-only, non-volatile memory. Content burned in at factory. Non-modifiable.
 PROM – Programmable Read-only memory: end user/oem burns in chips contents. Only
allowed once.
 EEPROM – Electronically Erasable PROM: Can be erased and re-written via electronic
voltages. Only full erase and write functions.
 Flash Memory – Uses NAND Flash. Can be written and erased in blocks. (single file
write/deletes etc.)
 CACHE – volatile, used to store frequently accessed data.
 CPU’s have L1 and L2 cache which are registers that store information which the ALU executes.
 Registers – Any data ALU manipulates must be inside a register.
 Static RAM – Uses Flip-Flops to store volatile data, refreshed at power outage. Expensive.
 Dynamic RAM – Uses Registers to store volatile data, CPU must constantly refresh via electric
voltages. Inexpensive.
MEMORY ADDRESSING
• Register Addressing: used by the CPU to access one of its registers to store/access data in the register.
• Immediate Addressing: Instructions supplied as part of a command that does not require the CPU to fetch anything.
• Direct Addressing: CPU is given the memory address to fetch instruction.
• Indirect Addressing: CPU is given a memory address to another memory address that has the instruction.
• Base+Offset Addressing: Use a value stored in a register as base, and begin counting using the offset.
Memory types:
• Primary Memory: Readily available information accessed by the CPU. Temporary. Ex. RAM
• Secondary Memory: Long-term storage. Ex. HDD, SSD, Tape
• Volatile: Temporary. Wiped after power loss. Ex. RAM
• Non-Volatile: Long-term. Retains data. Ex. HDD
• Random Access: Info can be randomly accessed based on addresses. Ex. RAM, HDD, Flash
• Sequential Access: Info has to be accessed in the written sequence. Ex. Tape
ESSENTIAL SECURITY PROTECTIONS
• Layering: Defence in Depth for Processes. The most privileged threads are processed in the inner layer, like the Ring Model.
• Abstraction: Subject doesn’t need to know all details (such as how it works) of an Object.
• Data Hiding: Prevent one class from accessing / viewing data of higher class.
• Process Isolation: Processes are executed in different memory spaces in an OS so that they do not interfere with each other.
  • In normal environments the OS provides Process Isolation. In VM environments it is the Hypervisor.
• Security Domains: Groups of subjects and objects with similar security requirements. Example: Kernel mode, user mode.
• Hardware Segmentation: Segment hardware based on function, segment VMs to hypervisors based on functions.
• Principle of Least Privilege: Lowest privilege needed.
• Separation of privilege: Different tasks – security admin and network admin with differing goals.
• Accountability: Audit logging, usage recording.
Data Execution Prevention: Prevent processes from executing instructions in memory locations that are not predefined in the code.
Address Space Layout Randomization: Randomize executing memory space of programs. Example: Attacker develops an exploit on his PC for a memory address; it won’t work on the client as the process address changes due to ASLR.
PROTECTING HARDWARE SYSTEMS
Storage Media:
1) Data remanence – Sanitization
2) Theft/Loss – Encryption
3) Unauthorized access – Identity Controls
Monitors:
1) TEMPEST – data can be read remotely via Van Eck electronic emanations. (Copper protects)
2) Shoulder Surfing
Mouse/Keyboard:
1) Keyloggers
2) Bluetooth/RF Interception
3) TEMPEST
Printers:
1) Unsecured prints on shared printer – Authentication to output tray
2) Sniffing on wire – encrypted transfer to printer
Modems:
1) Dial-in attacks: BAN unless required by business.
2) Isolate as security is bypassed.
BIOS/UEFI:
1) Phlashing: Malicious BIOS flashing to EEPROM.
• Forensics Disk Controller can be used to protect Data operations on Disks / Storage Devices. Functions:
  • Shall not transmit a command to a Protected Storage Device that modifies Data on the Storage device.
  • Shall return the Data requested by a Read operation.
  • Shall return, without modification, any access-significant information from the device.
  • Any error condition reported by the Storage device shall be reported to the Host.
PROTECTING CLIENT BASED SYSTEMS
APPLETS
Act like a program and execute code on user machine rather than on the server. Example: Cisco UCS Manager. Rules/templates config happens locally, only commands sent to server.
JAVA
• Executes on the JVM (Java Virtual Machine) environment which is cross-platform.
• Operates in a Sandbox environment preventing code from accessing unauthorized resources.
• Lots of other vulnerabilities.
ACTIVE-X
• Microsoft’s, runs in IE.
• Full access to system resources.
• Can perform privileged actions.
• Restrict Active-X in environment.
CACHE POISONING
Poison temporarily stored data to malicious vector. Example: Modify the dns entry to hdfcbank.com to phishing website.
ARP
• Modify the local ARP Cache to point an IP to a malicious mac address. (10 minutes till refresh)
• Create Static ARP Entry to point to malicious mac.
• Can be used to route to malicious gateway.
DNS
• Hosts File poisoning – modifying the hosts file.
• Authorized DNS Server – modify the record on the NS.
• Caching DNS – ISP DNS poisoning.
• DNS Server Poisoning – send malicious DNS server IP
• DNS Query spoofing – reply with false ip.
PROTECTING SERVER SIDE ATTACKS
Data Flow Control
• Movement of data between processes or systems.
• Ensures systems are not overloaded with traffic.
• Impacts Availability of the system:
  • Overload – drops connections.
  • Denial of Service
  • Distributed Denial of Service
Load Balancers / Application Delivery Controllers provide granular data flow control based on policies derived on systems capacity, cache for regularly used data, TLS offload.
IPS / DDOS Protector: protects against DoS/DDoS attacks.
Trusted Paths protect data between a user and a security control, such as a login window.
• Defined by Common Criteria.
• Protects from attacks such as Login spoofing.
Trusted Channels protect data on a link or between communicating peers.
• Protects from attacks like Man in the Middle.
PROTECTING DATABASES
Aggregation
Combine records from one or more tables to produce reports. Example: A table has Quarterly results with order values, another table has Per order margins. Aggregation can lead to a DB admin identifying that the company is in loss.
Inference
Deduce a result based on some data. Example: Payroll issues 945 cheques to employees. Thus, there are 945 employees.
Data Mining & Warehousing
Warehouse contains large amounts of vulnerable data. Data mining produces Meta Data that is more useful. Example: Security device logs are stored in a SIEM DB (Warehouse), the SIEM mines the DB and produces a Security Incident report (Metadata).
Data Analytics
BIG DATA – focused on extracting information interesting to business. Example: Age groups of all users accessing bank branches with hotspot timings, from their visitor in-times.
Review Permissions to prevent database attacks.
DAM: Database Access Management can prevent these attacks by giving granular access to the DB based on query type!
PROTECTING ENDPOINTS
Protect Data:
• Full Disk encryption and file encryption.
• Backup data on the endpoint.
• Secure Wipe capabilities.
• Multifactor Authentication for identity
Prevent Threats:
• Implement Anti-virus.
• Screen Email for Malware, Phishing, spam.
• Web Filtering for web screening.
Prevent Spread:
• Restrict interface controls to applications (user, not privileged)
• Restrict access domains (vlans)
Protect Asset:
• Temperature / Humidity Controls.
• Tracking, inventory of asset.
• DRP and BCP for Assets.
USER AWARENESS: Security awareness of potential threats, do’s & don’ts
PROTECTING CLOUD / VIRTUALIZED COMPUTING
Recovery of Virtual System: Snapshots – point in time VM image backup.
Shared Responsibility: Division of security responsibility between the provider and the customer.
Cloud-Security Access Broker: Proper security between Cloud provider and Organization. CASB can enforce who can share data in a cloud environment etc.
SaaS: Software as a Service: Application access to organization. Cloud provider responsible for application, server, compute & security. Organization for the security of the Data.
PaaS: Platform as a Service: Platform (such as IIS, Apache) access to organization. Cloud provider responsible for server, compute & security of the Platform. Organization for the security of the Application & Data.
IaaS: Infra as a Service: Compute access to organization. Cloud provider responsible for compute & security of the Compute. Organization for the security of the Application, platform & Data.
Security Monkey from Netflix (https://github.com/Netflix/security_monkey) monitors policy changes and alerts on insecure configuration for AWS and Google Cloud.
PROTECTING IOT & ICS / SCADA SECURITY
IOT Security:
• Deploy separate network for IOT.
• Implement Firewalls between IOT network and Data Network.
• Restrict Management interface access to IOT devices.
• Disable unsecured management such as uPnP.
• Restrict unsecured services on IOT devices – e.g. SNMP monitoring, ftp etc.
SCADA Security:
• Deploy separate network for SCADA.
• Deploy endpoint security on SCADA systems.
• Restrict Management interface access to SCADA / ICS devices.
• Implement AirGap design.
PROTECTING WEB-BASED SYSTEMS
Injection Attacks
• SQL Injection: SQL command inputs via web field.
• Command Injection: OS Command inputs via web field or URL.
• Directory Traversal: jump out of directory to restricted one.
• XML Injection: inject xml code.
Prevent Injections
• Input Validation: Block metacharacters or use Escaping \ - ‘ “ []\;&^$.|?*+{}()
• Limit Account Privileges: smallest set of privileges to the Web server.
Scripting Attacks
• Cross Site Scripting: Attacker inserts malicious code into website that is executed by other users via CGI scripts, SQL injection, web vulnerabilities.
Prevent XSS
• Input Validation: Block <script> tags.
• Patch Web servers.
• Implement WAFs
Scripting Attacks
• Cross Site Request Forgery: on the visiting user’s web browser, tricking them to perform actions such as logging out, uploading cookies, changing account details etc.
Prevent XSRF/CSRF
• Captcha
• Re-authentication / Confirmation / OTP
• Nonce to URL request
Buffer Overflow Attacks: Overloads the allotted program buffer to write into a memory area that is out of bounds, to corrupt or crash the program or execute malware.
PROTECTING MOBILE DEVICES
Typical Controls
• Full Device Encryption
• Remote Wiping
• Lock Out
• Screen Lock (PIN based)
• Disabling NFC / NFC Discovery
• Application Control/Whitelisting
• Device Segmentation (Personal/Work)
• Mobile Device Management/MAM
• Asset Tracking
• Disable unused functions.
Bluetooth:
• Keep Discovery off.
• Enter a personalized 4 digit PIN.
• Disable Bluetooth when not required.
Access Restrictions:
• Only certain applications allowed on mobile device.
Update:
• Update device with OS patches.
Secure Container:
• Corporate data cannot be copied/shared out of the secure container.
• Example: Vmware Boxer/Workspace One
BAN:
• Jailbroken / Rooted devices.
• Camera/Video
COMMON SECURITY ARCHITECTURE ISSUES AND FLAWS
• Covert Channels: Uses a path not normally used for communication.
  • Covert Timing Channel: modifying a process or system to intermittently transfer data. Timing of interruptions conveys messages. Requires active listening.
  • Covert Storage Channel: writing data to a memory space where another process can read the data. Leaves the evidence behind so another can read it.
• Side Channel: Side channels are unintended leakages. These look at timing differences to process information, power consumption etc. and typically targeted to the CPU.
• Code Flaws: Source code analysis.
• Trusted Recovery: System recovers with security intact.
• Input and Parameter checking: Prevent web based attacks with language codes like <>= etc.
• Maintenance Hooks – Put in by the developer to gain direct privileged access to the system. Can be exploited once method is known.
• Backdoor – unintentional privileged access by malicious vector.
• Privileged Programs – modify privileged programs to perform malicious actions. Psexec to harvest admin credentials or modify scripts to perform malicious actions.
• Data Diddling / Salami – small random, incremental changes to a system or data.
• Time of Check Time of Use (TOCTOU) – modify file with precise timing between when a file is checked for integrity and file is used. (Race conditions)
• Electromagnetic Radiation – TEMPEST : monitors/keyboard/mice
PHYSICAL SITE DESIGN
Primary concerns when selecting a Site
Utility Reliability
• How reliable is a local utility for Power?
• UPS can provide short reliability, Generators provide longer but need refueling.
Crime
• Primary issue is Employee Safety.
• Additional issues – theft of company assets.
Accessibility
• Travel time to location.
• Public services near location.
• Ease of access to employees.
After Site Selection
Site Marking
• Not externally marked as a Data Center to prevent unwarranted attention.
Shared tenancy / Adjacency
• Other tenants poor security may lead to intruders in building.
• Preventive controls for movement of visitors.
Shared Demarc
• ISPs have a single external circuits Telecom Demarcation point for shared tenants.
• Tenants wire from here to resp. floors.
• Intruder can mess with Shared Demarc to bring outage.
PHYSICAL SECURITY – PERIMETER DEFENSES
Fences
• 3 feet – Deterrent
• 6 feet – Deter most intruders.
• 8 feet with barbed wire – Preventive – deter most determined.
Gates
• Class I – Residential
• Class II – Commercial (parking)
• Class III – Industrial (loading dock)
• Class IV – Restricted Access (Airport / Prison)
Lighting
• Detective and deterrent control.
• Fresnel lights aim at a specific direction.
• Lumen (foot candles)
• Lux – metric system.
CCTV
Detective and Deterrent Controls. Aid security guards in detecting presence of intruders.
• Depth of field – area in focus
• Field of view – area view covered by camera.
Locks
• Key locks – physical key, can be shared or duplicated.
• Combination locks – button or keypad or dial based key combination. Sharing of keys.
SmartCards
• Contact based – Smart card reader.
• Contact-less – RFiD / Wireless.
• Magnetic stripe – Swipe cards.
Bollards
• Designed to stop cars and vehicles.
• Preventive control
Walls
• Should withstand upto 1 hour of fire damage.
PHYSICAL SECURITY – ACCESS DEFENSES
Tailgating / Piggybacking
When an unauthorized person follows an authorized person without authentication.
Mantrap
One door must close, before second opens. Two different authentication forms. Security guards may also verify authenticity for second door.
TurnStile
One person per access. Revolving door concept. Authenticated via Smartcard or Security Guard.
Contraband Checks
Detective and Deterrent. Detect weapons, explosives, banned items such as USB, Mass storage etc.
PHYSICAL SECURITY – BUILDING DEFENCE
Alarms
• Deterrent Alarms – engage mechanisms to make further intrusion difficult.
• Repellant Alarms – siren or sound based to deter attackers from advancing
• Notification – silent. Notify the security or law enforcement.
• Local Alarm system – broadcast 120db to be easily heard 400 feet away.
• Central Station – silent locally, broadcast at central monitoring.
• Auxiliary – notify emergency services. Added to local or Central.
Motion Detectors
• Wave Pattern (Ultrasonic) – Active sensor. Energy wave transmitted and listened for echo.
• Photoelectric – sends a beam of light to another sensor. Alerts when beam is broken.
• Infrared – changes in infrared lighting pattern.
• Heat based – heat level changes.
• Capacitance – electric or magnetic field changes.
• Passive audio – noise changes.
Guards
• Add dynamic control: can inspect credentials, respond to incidents, monitor CCTVs and act as Deterrents.
• Background verification needed.
• Can be affected by general illness, mental / health issues.
• Rotation recommended.
Dogs
• Perimeter Defence.
• Deterrent Controls.
• Legal liability.
ENVIRONMENTAL CONTROLS
Electricity
• Fault – temporary loss of power.
• Brownout – prolonged low voltage.
• Blackout – prolonged loss of power.
• Surge – prolonged high voltage
• Spike – temporary high voltage.
• Sag – temporary low voltage.
• Surge protectors – tripped during Surge or spike. Short or regulate level.
• UPS – clean backup power.
• Generators – longer backup power, needs refueling.
EMI
• Electromagnetic interference or Crosstalk – Poorly shielded cables or routes.
• Don’t route Network and Power cables together.
• Proper cable management.
• Shielded UTP or Coaxial less susceptible to crosstalk.
• Fiber Optics has no crosstalk.
Heat, Ventilation Cooling
• HVAC
• Humidity – 40-60%
• Temperature – 60-75F (15-23 C degrees)
• High Humidity – leads to corrosion
• Low Humidity – leads to Static Electricity.
• Prevent condensation with a positive drain system.
Static & Corrosion
• Proper grounding.
• Anti-static Straps.
• Proper humidity levels – 40-60%
FIRE DEFENCE
Sr.No  Class  Materials                 Suppression
1      A      Ordinary – wood, paper    Water or Soda Acid
2      B      Liquid – petrol etc.      Halon, FM200, Soda Acid, CO2
3      B      Flammable Gases – cng     Halon, FM200, Soda Acid, CO2
4      C      Electrical Equipment      Halon, FM200, CO2
5      D      Combustible Metals        Dry Powder
6      K      Kitchen Oil fires         Wet Chemicals
Sprinkler Systems:
• Wet Pipes – water right up to sprinkler head. Glass bulb melts / breaks at specific temperature. Each head independent.
• Dry Pipes – Water held back by valve, compressed air in pipe. As head opens, pressure drops and water released.
• Deluge – Sprinkler heads are always open and larger than dry pipes. Valve opens water flow via manual or fire alarm.
• Preaction – combination of two, opens via two separate triggers.
Detection Systems:
• Fixed temperature
• Rate of rise – speed of temp changes.
• Flame actuated – infrared energy of flames.
• Smoke Actuated – photoelectric or radioactive
Fire Hazards:
• Smoke
• Toxic Vapors and materials
• Water Damage
• Building collapse.
Fire Triangle: Oxygen, Fuel, Heat. Fight fire by removing one of the 3 elements to break up the chemical reaction.
Fire Drills / Evacuation Routes – training for a fire event.
DOMAIN IV: COMMUNICATION & NETWORK SECURITY
OSI MODEL / TCP-IP DOD MODEL
OSI Layer (data unit) – TCP/IP DoD Layer: Description
• Application (Payload) – Application: Protocols that interface with Apps: HTTP, SMTP, FTP etc.
• Presentation (Payload) – Application: Conversion between human & machine language
• Session (Payload) – Application: Session Setup and Maintenance, SSL
• Transport (Segments) – Host-to-Host: Actual Session setup, TCP/UDP, segmentation, ports, Error detection+correction
• Network (Packets) – Internet: Routing, Packets, ICMP, IP
• Data Link (Frames) – Network Access: Ethernet, MAC, Frames, Mac Addresses, RARP, ARP, CRC
• Physical (Bits) – Network Access: Bits, Media, Physical specs, LAN
Payload is Encapsulated as it travels down from the Transport layer into Segments, Packets, Frames and Bits.
TOPOLOGIES
Star
• A switch interconnects all hosts.
• Star is how Ethernet is implemented today.
Mesh
• All hosts interconnected to each other.
• Today used in DC switching to connect Leaf and Spine.
Bus
• Single cable interconnects all hosts.
• One failure affects all.
• Ethernet is essentially a Bus technology.
Ring
• Interconnects all hosts in a ring.
• Uses a token method that circles around all hosts. Host with token can transmit data.
MEDIA ACCESS PROTOCOLS
Ethernet
• Layer 2 Broadcast based technology, essentially a Bus technology, but typically implemented as a Star.
• Collision Domains: Two devices send packets at the same time on a shared segment.
• A Hub is one collision domain, only one device can transmit at a time!
• A switch breaks collision domains. Every port on a switch is one collision domain.
• Broadcast Domains: The entire Layer 2 network. Routers break broadcast domains, VLANs reduce broadcast domains.
Token Ring
• Developed by IBM, uses a Ring topology and a proprietary token passing technology for transmission.
• Whosoever has the token can transmit data.
• Other hosts have to wait until they receive the token to transmit. The token is passed along the ring.
• No collisions!
• 16 Mbps
FDDI
• Used for Fiber Optic data transmission.
• Uses a Dual Ring topology with rings in opposing directions to provide redundancy and dual bandwidth.
• Typically a Service Provider or MAN implementation.
ETHERNET – MEDIA AND MAC
• Simplex: Only one sided communication. Ex: A Letter, FM Radio
• Half Duplex: Only one side can transmit (speak) at a time. Ex: Walkie Talkie
• Full Duplex: Both sides can transmit at a time. Ex: Phone call
• Attenuation is the loss of signal strength and integrity over a distance.
• UTP: Unshielded Twisted Pair, susceptible to EMI.
• STP: Shielded Twisted Pair, less susceptible to EMI.
• Fiber Optic: Data via light, not susceptible to EMI.
ETHERNET Media Types:
• 10Base2 – Thinnet Coaxial, 2 Mbps
• 10Base5 – Thicknet Coaxial, 5 Mbps
• 10BaseT – UTP Cat 5, 10 Mbps, 100m
• 100BaseT – UTP Cat 5, 100 Mbps, 100m
• 100BaseFX – Fiber Optic
• 1000BaseT – UTP Cat 5e/6, 1Gbps, 100m
• 10GBaseT: Copper 10G on UTP, Cat 7
• 10GBase-SR/LR/ER: 10G fiber-optic. S = Short Range, L = Long range, E = Extended range.
• Electromagnetic Interference (EMI) can introduce crosstalk, transmitting data between wires next to each other. TEMPEST attacks can be used to harvest data via EMI.
MAC Addresses
• Mac Addresses are typically 48 bits and burned in from factory.
• First 24 bits are called OUI – Organizational Unique Identifier and identify the manufacturer of the NIC card – such as Cisco, Juniper, Palo Alto etc.
• The last 24 bits are the serial number, and unique to each NIC.
• EUI-64 was created to increase the pool. The OUI is still 24 bits, but the serial number is now 40 bits.
• IPv6 autoconfiguration is compatible to both MAC Types.
• Modern OSes allow Mac Addresses to be changed via tools, thus allowing mac addresses to be spoofed.
• You can quickly look up the OUI of a MAC address for IP Spoofing. (Example: A rogue Cisco router has the same IP as your Sonicwall Firewall). An arp –a on a windows PC will give you clues!
LAYER 2 SECURITY - VLANS
VLANs
• VLANs virtualize Local area networks and allow separation of a physical LAN into multiple smaller compartments, such as departments. A VLAN of the Sales department allows communication between only Sales PCs.
• This creates smaller Broadcast domains, lowering broadcast traffic and reducing bandwidth congestion.
• VLANs enforce separation, which is essential in security. Traffic between VLANs has to traverse through a Layer 3 device such as a router or an L3 Switch where Access Lists can enforce control for inter-vlan traffic.
• VLANs are Layer 2. A Layer 3 VLAN is a VLAN with an IP Address and interface, usually on a Layer 3 switch.
• VLAN hopping can allow attackers to traverse VLANs by adding double VLAN tags to a frame. Disable trunking and use a native vlan with unassigned ports.
PVLANs – Port Isolation
• Private VLANs enhance the concept of VLANs further by taking the compartment concept to individual port.
• Ports in a PVLAN only talk to the uplink port and/or community port and not between themselves.
• Promiscuous (P) Port – Uplink to a router, firewall etc.
• Community (C) Port – Port that communicates with the P Port and other Ports on the PVLAN. (Ex: An Authentication server)
• Isolated (I) Port – A Host on the PVLAN. Can only talk to the P or C ports.
• PVLANs can be implemented for Secure Zones and prevent Lateral movement via Layer 2 such as Secured Hosting, a block of Application servers, or VDI.
VXLANs provide virtual Layer 2 Overlay networks over Layer 3. A simple example is, extending the L2 subnet over two Data Centers on an underlying L3 infrastructure. VMs can then be moved within the DCs without changing addresses!
SPAN or Mirror Ports provide duplicate streams of traffic from a source port/s. SPAN ports are used for IPSes, WAFs, DLP, Monitoring to get a copy of the
WAN TYPES
• ISDN – Digital voice, video, data.
  • BRI – Two data and one control channels – 144kbps.
  • PRI: T1 – 23 Data and one control channels – 1.544 Mbps
  • E1 – 30 Data and one Control channel – 2.048 Mbps
  • T3 – 28 bundled T1s – 45 Mbps
• SONET: Optical network that connects continents.
• DSL: Digital subscriber Line, symmetric, same upload/download speed.
  • ADSL – Asynchronous DSL, varying Upload and Download speed.
  • VDSL – High bandwidth DSL
• ATM – Circuit switched network. Each site needs dedicated circuits for connection.
• Frame Relay – Packet switched network. Frame Relay supports Virtual Circuits – One single physical link can support multiple Private Virtual Circuits to connect to sites.
• MPLS – Fast, label-switching WAN, establishes pre-defined routes. Can route to multiple sites over single link without a PVC via routing protocols such as MP-BGP. Adds Label headers and can forward IP and Non-IP Packets.
• SD-WAN – The cost of dedicated WAN such as MPLS has driven SD-WAN. SDWAN enables an enterprise to create a WAN fabric across an underlying multi-wan network such as MPLS, Internet etc. SD-WAN enhances traffic delivery by adding auto-failover, congestion detection and application bandwidth optimization.
INTERNET PROTOCOL V4 AND SUBNETTING
• IPv4 uses 32-bits for addressing and is divided into the below classes:
  • Class A: 1-126.255.255.255 /8
  • Class B: 128-191.255.255.255 /16
  • Class C: 192-223.255.255.255 /24
  • Class D: 224-239.255.255.255 – used for Multicast.
• VLSM allows using variable subnet masks to reduce subnet size, for example breaking a Class B address into a Class C for Vlans.
• RFC 1918 Addresses: Private address, non routable:
  • Class A – 10.0.0.0-10.255.255.255
  • Class B – 172.16.0.0-172.31.255.255
  • Class C – 192.168.0.0-192.168.255.255
• Loopback Addresses: Test the local TCP/IP stack
  • 127.0.0.1 (although the whole 127.0.0.0/8 is reserved)
• APIPA Address: Used by Microsoft Windows, when DHCP IP is not received.
  • 169.254.x.x
KEY FIELDS OF IP HEADER
• Version: IP version (4 for IPv4)
• IHL: Length of Header
• ToS: Used to specify DiffServ for QoS
• Time to Live: End routing loops.
• Protocol: Encapsulated protocol – TCP, UDP, ICMP, etc.
• Source Destination IP Address
• Optional: Options & Padding.
• MTU: Maximum Packet size transmission allowed. Max: 1500 bytes
Key IP Protocol numbers
Protocol  IP Protocol No
TCP       6
UDP       17
ICMP      1
GRE       47
• ARP: Resolve IP to MAC
• RARP: Resolve MAC to IP
Both prone to spoofing / poisoning. Hardcode on sensitive networks.
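The header fields, protocol numbers and address ranges listed above, put to work in a small IPv4 header parser. This is an added example, not part of the original notes; the sample packets, the function names and the choice to verify the header checksum are assumptions made for illustration.

```python
import ipaddress
import struct

# Protocol numbers and address ranges exactly as listed in the notes above.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}
RANGES = [
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("APIPA", ipaddress.ip_network("169.254.0.0/16")),
    ("multicast (Class D)", ipaddress.ip_network("224.0.0.0/4")),
]


def classify(addr):
    """Label an IPv4 address string with the first matching range above."""
    ip = ipaddress.ip_address(addr)
    for label, net in RANGES:
        if ip in net:
            return label
    return "public/other"


def checksum(header):
    """Ones'-complement sum over 16-bit words (the IPv4 header checksum)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, proto, ttl=64, tos=0):
    """Constructed sample data: 20-byte header, no options, valid checksum."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0x1234, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]


def parse_ipv4_header(raw):
    """Decode the key fields and sanity-check them before trusting the packet."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4")
    if header_len < 20 or len(raw) < header_len or total_len < header_len:
        raise ValueError("inconsistent IHL / total length")
    src, dst = str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))
    return {
        "version": version,
        "header_len": header_len,            # IHL converted to bytes
        "dscp": tos >> 2,                    # DiffServ code point inside ToS
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, "other (%d)" % proto),
        "src": src, "dst": dst,
        "src_class": classify(src), "dst_class": classify(dst),
        "checksum_ok": checksum(raw[:header_len]) == 0,
    }


def parse_samples():
    """Parse three constructed headers: clean, tampered TTL, APIPA source."""
    good = build_ipv4_header("10.0.0.5", "192.0.2.10", 6)
    tampered = bytearray(good)
    tampered[8] = 1                          # TTL changed without fixing checksum
    apipa = build_ipv4_header("169.254.10.20", "224.0.0.5", 17, tos=0xB8)
    return [parse_ipv4_header(bytes(p)) for p in (good, tampered, apipa)]


if __name__ == "__main__":
    for parsed in parse_samples():
        print(parsed)
```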
IPV6 SECURITY
• IPv6 improves on v4 by increasing addresses from 32bits to 128bits.
• The massive size of the header increases the difficulty in Port scanning.
• Cryptographically Generated Addresses (CGA) allows user to provide “proof of ownership” for an IPv6 address in the IPv6 neighbor router discovery mechanism:
  • Spoofing and Stealing of IPv6 Addresses much harder.
  • Allows for messages signed with the owner's private key.
  • No need of an upgrade or modification to the network infrastructure.
• IPSec is mandatory in IPv6, providing authentication, integrity, confidentiality and access control with AH & ESP.
• Elimination of ARP and its related vulnerabilities – Interface ID of a L3 IPv6 address is derived from an L2 Address, and is used globally in an IPv6 network. Neighbor discovery Protocol replaces ARP.
• IPv6 adoption lags and can lead to security issues such as:
  • Unauthorized clients: By default IPv6 is enabled in most modern devices and OSes, unintentionally increasing the attack surface where the enterprise lacks the capabilities/defences from IPv6 attacks.
    • Disable IPv6 from devices
    • Detect and block IPv6 or IPv6 tunnel traffic at the perimeter.
  • Dual Operation: Organizations migrating from IPv4 to IPv6 may enable both protocols and security simultaneously. Security policies must be addressed and reviewed for both protocols.
  • Filter IPv6 transition technologies such as 6to4, SIT, Teredo and allow only needed. Teredo (IPv6 over UDP) may unknowingly flow if Firewall allows UDP, creating an easy vector for C&C Communications.
ICMP – INTERNET CONTROL MESSAGE PROTOCOL
• ICMP: Internet Control Message Protocol is used for IP Investigations of Reachability.
• ICMPv6 is used for IPv6
• ICMP has its own Transport layer protocol.
• IP Protocol number: 1
• Important ICMP messages:
  • ICMP Echo Request: Request a reply, check reachability. Type 8 message.
  • ICMP Echo Reply: Reply to an Echo req. Type 0 message.
  • ICMP Time Exceeded: Used in Traceroute to check distance.
  • Destination Unreachable: Router reports that the Destination is unreachable.
    • 0 – Network Unreachable
    • 1 – Host Unreachable
    • 2 – Protocol Unreachable
    • 3 – Port Unreachable
  • ICMP Redirect: Redirects Datagrams or Segments to the correct host.
• Ping: Checks for reachability, Sends an Echo request and waits for an Echo reply.
  • Checks for latency between hosts.
  • Usually Filtered at firewalls.
  • Can be used as a discovery mechanism on networks to discover online / unfiltered hosts.
  • Increasing the Packet size can investigate the MTU path size for hosts.
  • Ping of Death sends a large Packet causing system crashes.
• Traceroute: Uses Time Exceeded messages to trace network path and latency on the paths.
  • Traceroute sends ICMP messages with incremented TTL values to determine the full path.
  • Host to Server4.com – TTL1: Router1 sends Time Exceeded – 1st hop determined.
  • Host to Server4.com – TTL2: Router2 sends Time Exceeded – 2nd hop determined.
  • Host to Server4.com – TTL3: Server4.com sends Time Exceeded – 3rd hop determined.
NETWORK SECURITY: ROUTING PROTOCOLS
RIP
• RIP is a distance vector protocol that uses Hop count for selecting best path.
• Split-Horizon: Prevents incorrect routing updates from propagating by blocking route updates to the interface from which the original update was received.
• Poison Reverse: Optimizes convergence, if a router learns that neighbors are not reachable, it will send a poison reverse through the same interface saying the neighbors are unreachable.
• RIPv2 supports authentication in plain-text or MD5.
OSPF
• OSPF is a link-state routing protocol and broadcasts Hello messages to provide link-state updates.
• Updates are propagated only on link-state changes.
• Use Authentication for neighbor establishment to ensure that a malicious neighbor does not broadcast malicious or invalid Link-state updates.
• Use Non-Broadcast modes if possible such as Point-to-Point, specifically on provider uplinks.
BGP
• BGP is a path vector protocol that has distance vector properties. BGP can be used for intra-as routing (iBGP), inter-as (eBGP) and Multi-protocol routing such as MPLS (MPBGP)
• BGP neighborships are manually established (vs automatic in RIP/OSPF)
• Implement BGP with MD5 authentication for added security between neighbors.
• Use pre-fix lists to filter unwanted routes.
• Implement BGP Time-to-Live check to prevent DoS and route manipulation.
TCP – HEADER | UDP
• TCP is a connection oriented Protocol, that segments Payload/Data received from the higher layers, performs Error Detection and correction and performs the actual session setup. Reliability.
• TCP uses unique ports from 0-65535 for differentiating application data. Destination are well known ports (such as 80 for HTTP) and source ports are always random.
Header bits 0–15: Header Length | Reserved | NS | CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
• URG – Packet contains Urgent Data.
• ACK – Acknowledge received Data
• PSH – Clear Buffer, Push Data to Application Layer.
• RST – Reset (Tear down) TCP Connection
• SYN – Synchronise a connection
• FIN – Graceful Tear down.
• CWR – Congestion Window Reduced
• ECE – Explicit Congestion Notification Echo.
• NS – Nonce Sum
  (CWR, ECE, NS: Manage congestion on a network path, not seen in modern networks.)
• Packets with URG / PSH set could be possible attacks.
• RST can be a possible attack within context. RST is also used by Out of Band WAFs and IPSes to Reset Malicious connections.
• TCP Uses an IP Protocol number of 6
UDP on the other hand is a Connection-less protocol and relies on Application Layer protocols for Reliability. Uses IP Protocol number 17.
• QUIC is a google protocol that uses UDP for Web traffic, aimed at faster transmission.
• Block UDP and only allow Apps needed.
TCP THREE-WAY HANDSHAKE
[Figure: Session Establishment (3 Way Handshake): SYN, SYN-ACK, ACK. Session Established (Data Transfer): DATA, ACK. Session Close: FIN, ACK, FIN, ACK.]
 Numerous attacks try to exploit the 3-Way handshake.
 SYN attacks are half-open attacks where only a SYN is sent without an ACK.
 SYN Floods send TCP Connection requests faster than the host machine has resources to respond leading to a DoS.
 An Attacker could directly send ACK or SYN-ACK trying to subvert the 3-Way Handshake. A Firewall should enforce Stateful inspection and TCP Connection handshake to validate that the 3-Way handshake is in compliance.
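The header flags and the handshake check described above, as an added example that is not part of the original notes: it decodes the flag bits from raw TCP header bytes and models a stateful firewall that only allows segments fitting the SYN, SYN-ACK, ACK sequence. The class name, the half-open limit of 3 and the addresses are assumptions, and all packets are constructed samples.

```python
import struct
from collections import defaultdict

# Masks of the nine flags inside the 16-bit offset/reserved/flags word.
FLAG_BITS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008, "ACK": 0x010,
             "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}


def build_header(sport, dport, seq, ack, flags):
    """Pack a 20-byte TCP header without options (used for the constructed samples)."""
    word = (5 << 12) | sum(FLAG_BITS[f] for f in flags)  # header length = 5 x 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, word, 65535, 0, 0)


def parse_header(segment):
    """Decode ports, header length and flag names from raw TCP header bytes."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, word = struct.unpack("!HHIIH", segment[:14])
    header_len = (word >> 12) * 4
    if header_len < 20:
        raise ValueError("invalid header length")
    flags = frozenset(name for name, bit in FLAG_BITS.items() if word & bit)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags}


class HandshakeTracker:
    """Hypothetical stateful-inspection model: a segment must fit SYN -> SYN-ACK -> ACK."""

    def __init__(self, half_open_limit=3):
        self.conns = {}                    # (client, cport, server, sport) -> state
        self.half_open = defaultdict(int)  # client IP -> handshakes not yet completed
        self.half_open_limit = half_open_limit

    def inspect(self, src, dst, segment):
        hdr = parse_header(segment)
        ctl = hdr["flags"] & {"SYN", "ACK", "RST", "FIN"}
        fwd = (src, hdr["sport"], dst, hdr["dport"])  # key when src opened the session
        rev = (dst, hdr["dport"], src, hdr["sport"])  # key when src is the responder

        if ctl == {"SYN"}:
            if fwd not in self.conns:
                self.conns[fwd] = "SYN_SEEN"
                self.half_open[src] += 1
            if self.half_open[src] > self.half_open_limit:
                return "ALERT: half-open limit exceeded"
            return "ALLOW"
        if ctl == {"SYN", "ACK"}:
            if self.conns.get(rev) == "SYN_SEEN":
                self.conns[rev] = "SYNACK_SEEN"
                return "ALLOW"
            return "DROP: SYN-ACK without SYN"
        if "RST" in ctl:
            for key in (fwd, rev):
                state = self.conns.pop(key, None)
                if state is not None:
                    if state != "ESTABLISHED":
                        self.half_open[key[0]] -= 1
                    return "ALLOW"
            return "DROP: RST for unknown connection"
        if "ACK" in ctl:
            if self.conns.get(fwd) == "SYNACK_SEEN":  # third step of the handshake
                self.conns[fwd] = "ESTABLISHED"
                self.half_open[src] -= 1
                return "ALLOW"
            if "ESTABLISHED" in (self.conns.get(fwd), self.conns.get(rev)):
                return "ALLOW"
            return "DROP: ACK without handshake"
        return "DROP: unexpected flag combination"


def demo():
    """Run constructed traffic through the tracker and return the verdicts in order."""
    fw = HandshakeTracker(half_open_limit=3)
    client, server = "198.51.100.7", "203.0.113.10"
    verdicts = [
        # Compliant handshake followed by data
        fw.inspect(client, server, build_header(40000, 80, 100, 0, ["SYN"])),
        fw.inspect(server, client, build_header(80, 40000, 500, 101, ["SYN", "ACK"])),
        fw.inspect(client, server, build_header(40000, 80, 101, 501, ["ACK"])),
        fw.inspect(client, server, build_header(40000, 80, 101, 501, ["PSH", "ACK"])),
        # Segments that skip the handshake
        fw.inspect("198.51.100.9", server, build_header(41000, 80, 1, 1, ["ACK"])),
        fw.inspect("198.51.100.9", server, build_header(41001, 80, 1, 1, ["SYN", "ACK"])),
    ]
    # SYNs from one source that are never completed with an ACK
    for port in range(50000, 50004):
        verdicts.append(fw.inspect("198.51.100.66", server,
                                   build_header(port, 80, 7, 0, ["SYN"])))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```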
PROTOCOLS
 HTTP – TCP 80: Hyper Text Transfer Protocol – the protocol of the internet. Plain-text.
 HTTPS – TCP 443: HTTP over SSL(Now TLS) to secure communications. Replacing HTTP.
 SMTP – TCP 25: Secure Message Transfer Protocol, the protocol for sending email. Plain Text.
   SMTP over TLS – Port 587
 POP3 – TCP 110: Post Office Protocol – email download. Plain Text.
   POP over TLS – 995
 IMAP – TCP 143: Internet Message Access Protocol, Active mail fetching.
   IMAP over TLS – 993
 DHCP / BOOTP – UDP 67/68 – dynamic host control protocol for Auto IP assignment (among others), BootP securely boot an OS via PXE Boot.
 SNMP – UDP 161 – Simple Network Management Protocol. Plaintext. SNMP v2 via community strings, v3 authentication via credentials.
 LDAP – TCP 389: Lightweight Directory Access Protocol. Microsoft AD is an implementation of LDAP.
 SMB – TCP 445: Server Message Block, CIFS File shares.
 NetBios – UDP 137/139: Local Name resolution (WINS), Session Setup.
 Telnet – TCP 23: Plain-text terminal access. Telnet Application can be used to check for other ports open.
 SSH – TCP 22: Secure alternative to Telnet. Uses PKI.
 FTP – TCP 21/20: TCP 20 is used for control channel, 20 for data, although modern implementations use 1023 and above ports for data. Need an Application Layer Proxy to identify FTP Transformation.
 SFTP – TCP 22: Uses SSH for FTP to make it secure.
 SCP – TCP 22: Secure Copy Protocol.
 LPD – TCP 515: Line Printer Daemon, Printing Protocol.
 TFTP – UDP 69: Trivial FTP, used for small copy transmissions, such as Cisco router images or VOIP configurations.
DNS COMMUNICATION & SECURITY
 DNS is a hierarchical database with a tree structure. Root -> TLD -> Domain -> Sub-domain.
 DNS uses UDP Port 53 for lookups, and TCP Port 53 for Zone Transfers.
[Figure: DNS lookup between Endpoint, Local DNS Server, TLD (.com), Nameserver (ns1.ashishchalke.com) and Webserver (www.ashishchalke.com, 10.151.9.10). 1 Query: www.ashishchalke.com; 2 Query: ashishchalke.com; 3 Response: ns1.ashishchalke.com; 4 Query: www.ashishchalke.com; 5 Response: 10.151.9.10; 6 Response: 10.151.9.10; then HTTP GET /index.php to 10.151.9.10]
 Quad9 (9.9.9.9) offers a free DNS service with Threat intelligence and filters Phishing and malware domains.
 A Record – maps name to IPv4 address. www, maps
 AAAA Records – maps name to IPv6 addresses.
 NS Record – nameserver that can respond to A record queries for a domain.
 MX Record – mail exchange records for email.
 CName – Alias name for name.
 PTR – IP to name resolution.
 ZoneFile – contains all the A records for a Zone (domain)
 SoA – Start of Authority, establishes the authorized Name server for a domain.
 DNS attacks include hijacking and spoofing a valid DNS address, allowing attackers to redirect users to their own Deceptive Websites.
 DNSSEC seeks to address this by adding Digital Signatures to DNS Entries, thus validating the authenticity of the DNS lookups.
 At a minimum, signing the Root zone is a necessary step in the overall process, although DNSSEC must be deployed at each step in the lookup from the root zone to the final A record – domain name.
 DNSSEC only provides authenticity and not confidentiality.
 Split-DNS splits the external and internal DNS systems and records providing greater security.
 A Simple DNS attack is to modify the HOSTS file and statically point a domain to an IP of the attacker's choosing. Prevent these attacks by enforcing Privilege Escalation controls.
NETWORK SECURITY - FIREWALLS
 Packet Filter: Checks an ACL and only the message header to determine access. Is not Stateful. Layer 4.
 Stateful Inspection firewall: Verifies the state (connection originator) and allows access based on IP/Port combination in message header. Layer 4. (example: A telnet on Port 80 will be allowed if Port 80 (HTTP) is allowed)
[Figure: Packet Filter vs. Stateful Inspection, each with ICMP Outbound allowed, Inbound blocked: ICMP echo, Echo reply]
 Application Layer Proxy: Filters Layer 7 content, like a web-filter or a VOIP gateway. Proxies connections on behalf of the client, improving confidentiality and preventing exposure of internal users to the internet.
 Deep Inspection Firewalls: Filter connections at Layer 7 and add services such as Malware protection, IPS etc.
 Next Generation Firewalls: As apps shifted to HTTP/S, firewalls shift focus from Port based to Application based, sampling traffic to determine the actual application (example: A telnet on Port 80 is now categorized as Telnet app)
 Tiering: Tiers are secure zones of a firewall, ideally separated by interfaces, forcing traffic to be scanned while traversing zones. Tiers = Internal Zones (The Wan/Internet is not counted as a Tier).
 Firewall Sandwich: Use two layers of Firewalls, ideally to secure Internal and External Layers of the Enterprise. Also called Screened Subnet
[Figure: Two Tier Firewall, Three Tier Firewall, and Three Tier Firewall With Firewall Sandwich; zones shown: ISP, DMZ, DB, LAN]

NETWORK SECURITY – BASTION HOSTS /DMZ/NAT
 Bastion Host: is a hardened system exposed to the internet to securely expose services to the internet. A Reverse Proxy is also a Bastion Host. Also called Screened Host.
 Example: An Antivirus server has the same port for management and user updates. If directly exposed, it can lead to attacks on the mgmt. console. A Bastion Host securely exposes only user-updates service and restricts management access from the internet.
 DMZ: Internet exposed servers separated from the internal network. Separation ensures that any attacks do not allow lateral movement to the internal network.
[Figure: WAN, LAN, Bastion Host, DMZ]
 Dual Homed Host: Host with two interfaces, with a firewall to filter traffic between the interfaces.
 NAT: Static NAT is 1-to-1 Mapping. 1 Public IP to 1 Private IP. Inbound/outbound connections.
[Figure: NAT between WAN 1.1.1.1 and DMZ 192.168.10.50]
 PAT: Port Address Translation, overloads multiple private IPs such as a subnet to a single Public IP. Used primarily for outbound internet connections for the LAN.
[Figure: NAT between WAN 1.1.1.1 and DMZ 192.168.10.0/24]
NETWORK SECURITY – IPS/IDS
Types of IPS/IDS:
 Signature based: (Knowledge based) Relies on a known signature (preset pattern) database to detect and prevent against attacks. Attackers are increasingly aware of this technique and modify attacks to evade. Example: Adding multiple &nbsp; in an attack.
 Anomaly based: Identifies anomalies in traffic patterns and protocols. Can also perform traffic analysis to create a network baseline.
 Behavior based: Monitors for behaviors using Artificial Intelligence for Attacks. Can be termed as an Expert System.
Deployment modes:
 Inline-Inpath: Placed physically inline on the network. Traffic flows through the IPS, and the IPS can take corrective action on malicious detection.
 Out of Band: Deployed via a SPAN port of the Firewall that mirrors/duplicates traffic that enters/exits the network. IPS’s typically use an additional port on the internal network for TCP-RST of malicious traffic and are called Active Response.
 Host Based: IPS component is installed as a software package on a server/endpoint.
Classification:
 Network IDS: A network appliance that detects threats and alerts. No corrective action.
 Network IPS: A Network appliance that detects, prevents and alerts on threats. Can be deployed as IDS initially for learning and eliminating False Positives.
 Host IPS/IDS: Installed on the endpoint typically as part of the Endpoint security package. Prevent/Detect attacks on the endpoint (SMB/Netbios etc)
Event Classification:
 False Positive: IPS reports on genuine traffic.
 False Negative: IPS does not report on malicious traffic.
 True Positive: IPS Reports on malicious traffic.
 True Negative: IPS does not report on genuine traffic.
Breach Detection Systems are a modern complement to IPS that seek to prevent Zero-day and Persistent APT
attacks. A BDS engine typically includes Signature, Anomaly detection, behavior modeling, C&C detection, and
Correlation. The bigger difference is that a Traditional IPS/IDS typically monitored inbound traffic, but a BDS
monitors both inbound & outbound traffic to identify APTs already embedded in the network or escaped
WIRELESS SECURITY – AUTHENTICATION / ENCRYPTION
WPA2: Wi-Fi Protected Access 2
 Uses CCMP (based on AES) to encrypt communications from Client to AP.
 Used along with EAP to provide Enterprise grade security:
   EAP-TLS – Every client and Controller/AP has a unique certificate. Server-Client validation. Difficult to deploy and maintain, most secure.
   PEAP – Client Credentials (typically AD) and Controller certificate. Cert validated before client credentials are sent. Easy to deploy and maintain, good security.
 802.11i – RSN (Robust network security)
WPA: Wi-Fi Protected Access
 Uses TKIP with RC4 to improve security over WEP.
 Adds Key regeneration every 10000 packets, IV and key mixing.
 Limits of 30 users per SSID.
WEP
 Uses RC4, CRC32 for confidentiality and integrity with 24bit IV.
 Broken in 2001, not at all recommended.
WPS – WiFi Protected Setup
 Aimed at ease of use for home users. Enables easy connectivity to WiFi via 4 methods.
 PIN: Users enter a PIN (rather than shared key). Susceptible to BruteForce, recommended to turn off.
 Push Button: Press button on router and device for connectivity. Any malicious insider can onboard a device using this.
 NFC: Push button for the new millennium.
 USB: Transfer WiFi Profile via USB.
 As a best practice: Turn off WPS from corporate networks completely, and from any device which supports WPS.
Captive Portal
 Open network with a captive page ideally used to provide temporary access by hotspots (airport etc.)
 Open networks are prone to sniffing, always use a VPN on them.
 Can be enhanced further by offering Self registration, Sponsor confirmation, billing and advertisements.
Recommendation
• Use WPA2-Enterprise for WiFi ideally with RADIUS auth.
• Isolate Captive Portal (Guest Access) from the internal network via VLAN and firewall.
• Disable WPS.
• Use a NAC or Role Based Access for WiFi users. Modern systems from HPE-Aruba or Cisco allow roles with vlans or ACLS/Firewall
WIRELESS SECURITY: ATTACKS & DEFENCE
 Site Survey: Provides a detailed analysis of WiFi coverage and strength. Can be two types: Active – with an active AP / Passive – via a simulator or walk.
 Site Surveys are performed before deployment to design the placement of APs for coverage and strength, and after to validate.
 Site Surveys are preliminary Defence to ensure and validate that the WiFi signal propagates in the designated area only, and determine risk such as neighbor networks.
Rogue Access Points
 An unauthorized access point placed on the company network.
 Typically uses impersonation to emulate corporate WiFi so that users in proximity connect to the Rogue AP.
 Wireless Rogue APs are harder to mitigate than Wired.
 Perform MiTM / Session Hijacking
Client Side Attacks
 Session Redirection: Valid user redirects all sessions to a website/IP of the attacker's own choosing. Defence: Isolate Wireless clients.
 Bridging: Valid user bridges Corporate Wifi to an ad-hoc connection with Windows bridge. All users connecting to the ad-hoc network circumvent the corporate security. Defence: Deny Windows Bridging.
 Warwalking / Wardriving: Walk or drive trying to find open hotspots.
 Eavesdropping: Use ethereal or kismet to capture wireless traffic. Defence: Encrypt the WiFi with WPA2. In case of Captive Portal, clients should use VPN.
Defenses:
 Spectrum Analysis: Performs background scanning for interfering and rogue devices.
 Deauthentication: WiPS impersonates rogue AP and repeatedly deauthenticates users connecting to the rogue AP. Can also be used against client side attackers for valid users.
 Tarpitting: WiPS detects a Rogue AP/Client, is transmitted to a walled garden network with no access. Client thinks that WiFi is connected but no access to the network.
Wireless Interference Attacks
 Radio or wifi based devices that produce noise and hamper transmissions by causing a lot of dumb interference on the wireless network in an area. Hampers Availability.
NETWORK SECURITY: EMAIL
 SMTP over TLS: encapsulate SMTP traffic between server transmissions to prevent eavesdroppers. Does not protect from the compromise of the
server itself.
 Opportunistic: TLS connection forms if both servers are capable of TLS, or else reverts to Plain-Text.
 Mandatory: TLS Connection is required else connection is not established.

 DKIM: Valid mail is sent by verification of the Domain Identity.


 S/MIME: Provides confidentiality and authentication by encrypting email messages and using Digital signatures to provide authentication of sender
using the RSA asymmetric cryptosystem and PKCS (Public Key Cryptography)
 MOSS: MIME object security service, provides authentication, integrity, confidentiality and non-repudiation using MD5 and RSA asymmetric keys.
 PGP: Provides confidentiality and authentication by using IDEA for encryption and RSA for Digital signatures and key distribution. Uses a
decentralized Trust model.
 SPF: Sender Policy Framework protects against Spam and Spoofing. Checks inbound messages are originating from an authorized host of the sender
domain.
 RBL: Real Time Blacklists maintained by sources such as Trustedsource.org that provide a list of spam/malware originating domains.

Anti-Spam gateways are the modern solution for fighting spam. These typically include Bayesian filters that learn
of good vs. bad mail for an organization and use methods such as RBLs, Anti-malware filtering and DLP to provide
email security.
NETWORK SECURITY: CONTENT/WEB FILTERING
 Web Filtering provides protection against:
 Phishing Websites: Can use reputation or content detection lookups to prevent users from navigating to Phishing URLs.
 Malware: Secure Web Gateways can include reputation lookups for downloads or in-built malware scanning to prevent against
drive-by-downloads.
 Illegal Content: Prevent users from navigating and using malicious or illegal websites in the workplace such as Adult or
Gambling.
 Non-business: Prevent users from using Social-media or other non-business apps at the workplace to prevent productivity loss.
 Leakage: Prevent file-sharing websites or apps to prevent data leakage.
 Secure Web Gateways have additional controls that promote better browsing behavior such as:
 Quotas: Users are allotted fixed quotas for browsing either time or data based. Used typically in education or hotspots.
 Bandwidth Shaping: Prevent apps/users from exhausting bandwidth by enforcing upper level bandwidth restrictions. Can also be used to
provide guaranteed bandwidth for Business apps.
 TLS Inspection: SWGs act as Man-in-the-Middle proxies to decrypt and filter encrypted TLS/SSL traffic.
Internationalized domain name (IDN) Homograph attack uses non-ASCII characters that look like the Latin characters to spoof known trusted
URLs. Browsers or Web Filters can be configured to block IDNs and non-ASCII URLs or Suspicious Websites. Example: www.rolex.com vs
www.rὀlex.com
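An added example (not from the original notes) of how a web filter could flag the rolex look-alike above: it folds each label to a Latin skeleton, compares it with protected domains, and falls back to mixed-script and non-ASCII checks, accepting both Unicode and "xn--" forms as they appear in proxy logs. The protected list and the short confusables table are assumptions; a production filter would use the full Unicode confusables data and a public suffix list.

```python
import unicodedata

# Constructed list of domains the filter protects (assumption).
PROTECTED = {"rolex.com"}

# Small constructed table of look-alike letters -> Latin (assumption, not exhaustive).
CONFUSABLE = {"\u03bf": "o", "\u03b1": "a", "\u043e": "o", "\u0430": "a",
              "\u0435": "e", "\u0440": "p", "\u0441": "c", "\u0456": "i"}


def decode_label(label):
    """Turn an ACE ('xn--') label from a log back into Unicode; pass others through."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def to_ace(label):
    """ASCII-compatible form of a label (plain Punycode, no IDNA mapping step)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def scripts(label):
    """Scripts of the letters in a label, taken from the first word of the Unicode name."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(label):
    """Fold a label to its Latin look-alike: drop accents, then map confusable letters."""
    out = []
    for ch in unicodedata.normalize("NFKD", label.lower()):
        if unicodedata.combining(ch):
            continue  # accent or breathing mark left over from decomposition
        out.append(CONFUSABLE.get(ch, ch))
    return "".join(out)


def classify(hostname):
    """Return the filter verdict for one hostname."""
    labels = [decode_label(l) for l in hostname.lower().rstrip(".").split(".")]
    if all(l.isascii() for l in labels):
        return "ALLOW"
    # Simplification: treat the last two labels as the registered domain.
    registered = ".".join(skeleton(l) for l in labels[-2:])
    if registered in PROTECTED:
        return "BLOCK: look-alike of " + registered
    if any(len(scripts(l)) > 1 for l in labels):
        return "BLOCK: mixed scripts in one label"
    return "REVIEW: non-ASCII (IDN) hostname"


if __name__ == "__main__":
    # Constructed samples; \u1f40 is the Greek omicron with psili used in the spoofed name.
    for host in ("www.rolex.com", "www.r\u1f40lex.com", "ex\u0430mple.com"):
        ace = ".".join(to_ace(l) for l in host.split("."))
        print(ace, "->", classify(host))
```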
NETWORK SECURITY: PORT SECURITY, 802.1X EAP
Port Security
 Port Security provides security against unauthorized network access by requiring authentication on switches before user is allowed on the network.
 802.1X protocol enforces Wired Authentication (PEAP) and Authorization to the network as soon as a device connects to the network. Devices with Valid credentials are allowed access to the network.
 Devices incapable of 802.1x are allowed by using Mac-bypass mode by adding their macs to the allowed list on the port – Cameras, printers, projectors etc.
 Components:
   Supplicant – a 802.1x client
   Authentication Server AS – authenticates the client
   Authenticator – device that needs authentication like a switch or AP.
Network Access Control
 Port Security is further enhanced by Network Access Control which validates the health of the device before allowing it on to the network.
 NAC enforces a concept of health profiles such as Antivirus Protection on and updated, updates and hotfixes installed, Domain etc. Devices matching the profile are assigned a role and vlan.
 NAC can also have multiple profiles such as guest or external vendors that have some protection (AV) and get an isolated VLAN on authentication.
 User devices not matching a health profile are quarantined to a quarantine vlan and are pushed for remediation (for e.g. allowed access to update server, helpdesk and AV server to get the necessary updates).
Port Security should be part of every organization's strategy. While physical security can be rigorously implemented at Head offices, the same cannot be said for Remote or small locations.
A bank had an incident at a branch where a vendor technician installed a device on a network switch that housed all the PCs on the LAN and was able to sniff transaction entries, PII being transmitted in the clear to the applications. They used these details to figure out the volume of transactions the branch handled, days with avg. amount of cash deposited and using CCTV footage, the movement of guards. And successfully performed a heist that left the bank with a loss of 70 lacs!
ENDPOINT SECURITY
 Signature Based: Best protection from Known Threats. Maintains DB of known malware signatures. Needs constant updates to be effective.
 Heuristics / Behavior: Looks for malicious behavior patterns once code executes in memory.
 Whitelisting / Blacklisting: Whitelisting aims to allow only approved apps, blacklisting blocks known bad apps.
 Sandboxing: Emulates a research lab locally/cloud to protect from the rise of unknown/zero-day malware. Unknown files are sent to the sandbox which executes the code in VMs of popular OSes and performs Static and Dynamic Analysis. If malicious behavior is found, a signature is generated and sent to all the Endpoints to prevent further spread and contain the malware.
 AI / Machine Learning: Algorithm generated from known malware to prevent variants of malware at the endpoint without dependency on signatures or behavior patterns. Predictive approach to prevention. Best protection offline/ w/o updates.
 Firewalls: Endpoint firewall to prevent malicious applications accessing the internet or service. A firewall policy blocking TCP 445 SMB could have prevented the Wannacry Ransomware from spreading!
 HIPS/IDS: Prevents attacks on vulnerabilities in services on the endpoints.
 Device / Port Control: Locks down Ports such as USB, SD Card to prevent manual lateral movement of malware and Data exfiltration. Device control goes further and controls access to WiFi / Bluetooth networks.
 Encryption: Disk encryption protects data at rest in case of theft or loss. File Encryption protects data at rest and in transit additionally from insider threats. Removable Media encryption protects data at rest that is copied to media such as Pen drives.
 Web Filtering: A local web filtering component is essential to protect endpoints from malicious websites and downloads when off the corporate network.
 DLP: Protects Data Loss from the endpoint over Web, Email or Removable media.
Scanning for Malware forms an essential activity for Signature based AVs. Systems should ideally be scanned once a week, and updated daily. Ops teams must be vigilant for devices offline or not updated as they will be vulnerable to the latest malware.
DLP | ENCRYPTION
 Data Loss Prevention seeks to prevent PII, PHI and IP from traversing out of the network unauthorized.
 DLP employs controls such as Label matching, Pattern/Regex matching for words and patterns that could constitute PII, PHI and IP such as Credit card numbers, SSN, secret sauce etc.
 Organizations can use additional techniques such as embedding watermarks in all confidential documents and searching for that pattern at the DLP.
 DLP systems can also enforce Manager authorization and capture. A confidential flagged document automatically is sent to the Manager for approval before it is allowed. The contents of the message are captured for forensic analysis.
 Gateway DLP: Enforces Data Leakage Prevention at the perimeter or gateway and is typically deployed out-of-path via a Span Port.
 Endpoint DLP: Endpoint application that protects from leakage at the endpoint. Prevents Data Loss even if employee is out of the network.
 Mail/Web DLP: Integration with Web filtering (ICAP Proxy) or Email Gateway to enforce Data Loss Prevention.
 Disk Encryption: Encrypts the whole disk and enforces a Pre-boot Authentication. Successfully authenticating unlocks the drive and OS boots. Prevents Outsider threats of theft and loss.
 File Encryption: File level encryption on host or network. Additional layer that protects files and grants access to the author or group of users. Users need to successfully authenticate and have the key for data access. Protects from outsider and insider threats.
 Removable Media Encryption: Encrypts external media.
 Cloud Encryption: Encrypts data traversing to cloud shares such as dropbox or google drive.
 Rights Management: Go one step further by controlling data access after data has exited a network with controls such as print, copy, paste, expiry and screenshot controls. (Seclore)
 Hybrid: Solutions like Dell’s Data Guardian solution seek to combine DLP, RM and File level encryption together to Protect Data in transit, Granular controls and monitoring of data access & actions!
REMOTE MEETINGS | SCREEN SCRAPING
 Terminal Access: Text based console access. Rlogin, Telnet, Rsh, Powershell
 Remote Desktop: Graphical terminal access of a remote machine, Ms-RDP.
 Screen Scraping: Transmit only the information needed to draw a remote system's screen. Only actions such as mouse movements are transmitted. VNC is a screen-scraping approach. Similarly an attacker can use screenscraping to monitor administrator actions on a protected system.
 Screenscraping can also be used to port legacy C/S apps to Web apps where the new UI converts actions into input for the older legacy UI.
 Remote/Web Meetings: Reverse tunneling approach that has the Client creating an encrypted channel and the remote-sharing protocol initiated through this channel. Webex, GoToMeeting, LogMeIn.
 The Do’s and Don’ts of Remote Access Security:
   Do not expose the Remote system directly due to vulnerabilities in the inherent applications. Telnet/Rlogin are not encrypted and should not be used.
   Have users use a VPN to access remote systems.
   Disable File-copy and Drive mounting to prevent lateral movement of malware that may be present on the user’s machine, data leakage.
   Use strong authentication (multifactor) for authenticating to remote systems.
   If possible use VDI or Application Virtualization such as RD Web or Citrix or Vmware WorkspaceOne
   Filter RemoteMeeting Applications at Proxy or WebFiltering and allow only Organization approved Remote meeting apps.
Beware of Free Remote meeting apps. Two apps: Ammyy Admin and Anydesk have been used in malware attacks in the past. One in every 3 Ammyy downloads contained a malware RAT. The Blackrouter campaign bundled Anydesk for lateral movement and propagation. A simple Deny at the web-filter would have prevented both attacks!
Application Virtualization and VDI provide greater security and availability for remote-access. Application Virtualization exposes only the
application (vs the whole desktop) and provides mobility. VDI can provide persistent or temporary VMs for desktops. VDI should be used
for outsourced workers to perform data processing on a secure environment. VM Escape attacks seek to evade the guest and hypervisor
layer undetected, hence security components such as Micro-segmentation and virtual Firewalls / IPSes tailored for the Virtual
environment should be used.
VOIP SECURITY / POTS SECURITY
 Phone Hackers are known as Phreakers.
 Black box – manipulate line voltages to steal long-distance services.
 Red Box – Simulate noise of coins falling into a payphone.
 Blue box – simulate phone tones to interact directly with the backend.
 White box – Controls the phone system, is a DTMF – dual tone multi-frequency generator.
SIP (the registration protocol for VOIP) uses clear text, if a hacker can capture these messages, that hacker is able to read subscribers' sensitive information such as their public and private identities, and use it to spoof the subscriber.
VOIP systems are susceptible to:
 Sniffing
 Denial of Service
 Host OS Attacks
 VLAN hopping.
 Callback Authorization attempts to verify the authenticity of the caller by disconnecting the original call, and redialing to the number defined in the user's profile.
 Log all activities on the PBX. Deploy voice recording for processes such as Support or Call center for audit trails. Do note that End users must be notified that calls are being recorded.
 DISA – Direct Inward System Access – enables authorized corporate users outside office premises to make calls using the organization's Voice Systems. However Hijack of dialing codes can lead to hijack.
 Educate users on the Do’s and don’ts of voice calls, for ex: Do not share passwords with anyone, validate identity, be mindful of the background if
speaking on sensitive topics. Avoid sensitive topics on phone conversations as they can be tapped.
NETWORK SECURITY: STORAGE AREA NETWORKS
 FC: Fibre Channel is the standard used for Storage area Networks. SANs were typically separated, running on a
specialized network comprising of SAN Switches.
 HBAs are the equivalent of NICs and have a burned in address called the WWPN, and communicate with the SAN Storages by
addressing its controllers' WWPN numbers.
 Zoning creates compartments (like VLANs) to control SAN communications between parties. Routing over WAN requires
specialized equipment.
 FC provided availability by having two redundant HBAs, paths, and controllers for the SAN.

 FCoE: Fibre Channel over Ethernet is a convergence protocol that transmits FC traffic on Ethernet switches. Requires a
CNA (Converged Network Adapter) to listen to both FC and IP traffic.
 FCIP: Fibre Channel over IP, encapsulates FC Traffic over TCP/IP, thus removing need for a specialized switch or
adapter.
 iSCSI: SAN Protocol uses the higher layers such as Application layer to transmit over the network on traditional TCP/IP
networks. Can be routed over the WAN. Uses Logical Unit Numbers (LUNs) for addressing Storage on the network.

vSANs or Virtual SANs are a newer disruptive technology that brings virtualization to SAN. They use the disks on the hosts
(e.g. a server) and form a virtual SAN without needing a dedicated Storage Array.
VIRTUALIZATION SECURITY
 Virtualization: The hypervisor is responsible for isolation of Guest OSes.
 In a typical hypervisor, any inter-Guest traffic traverses between the vSwitch and does not hit the physical switch at all.
 Physical controls such as Firewalls, IPSes are useless as traffic never hits the physical network.
[Figure: two Hypervisors, each with VMs, a VSwitch, NIC and HBA; VM labels: SAP, WEB, SAP, HR]
 VMEscape: Enables the attacker to exploit the Guest OS to directly interact with the Hypervisor and other Virtual machines.
 Separation: Enforce VLANs between Guests to enforce security. However Inter-vlan communication will require traffic to hit the physical network causing latency.
 Virtual Appliances: Virtual Firewalls, Intrusion prevention solutions etc. provide security for the Guests at the hypervisor layer. Traffic does not have to hit the Physical network.
 Micro-segmentation: Enables finely grained policies to be applied per guest and secure East-West traffic. Think for example an Ecommerce app, it needs to only access the DB and nothing else. Guest-to-Guest Access control over L2 or L3. Solutions such as NSX or ACI provide microsegmentation.
Containers provide the next challenge for security professionals. Containers are “virtualized applications” that run on a Host. Rather than virtualizing the OS and the app, only the app is virtualized. Since any host can run a multitude of containers, each having their own vulnerabilities, each Container host needs to be secured along with access controls for the containers. Docker includes Seccomp which are security profiles for containers.
CONVERGED PROTOCOLS | ICS
 DNP3 – multi-layer TCP/IP Protocol that enables Industrial systems such as SCADA to intercommunicate. DNP3 is very good at communicating over low-bandwidth links, making it ideal for utilities, power grids and Oil and Gas management systems. DNP3 supports unsolicited messages that expose Industrial systems to large remote attack surfaces. The Maroochy-Shire Sewage System attack [https://www.tofinosecurity.com/why/Case-Profile-Maroochy-Shire] spilled one million liters of sewage due to a false message from a field station.
 DNP3 supports Secure authentication
   IEEE 1815-2010 – supported pre-shared keys (deprecated)
   IEEE 1815-2012 – supports PKI
 Use Industrial Firewalls or DPI that support the DNP3 protocol.
 Host based solutions (such as Endpoint Security) don’t work as PLC’s are Embedded OSes.
 A Lot of ICS systems are legacy (15-20 years old), and the cost of replacing them is prohibitive. Thus modern security protocols may not be a possibility. Alternative strategies such as Isolation and Airgap must be used.
AirGap
 Separation (ideally physical) of Protected systems and the internet. The idea is to prevent internet based attacks.
ICS Terms
 OT – Operational Technology: computing systems that manage industrial systems.
 ICS – Industrial Control Systems: systems that are used to monitor and control industrial processes like conveyor belts, power consumption on electric grids.
 PLC – Programmable Logic Controllers: ruggedized device that manages an ICS.
 SCADA – Supervisory Control and Data Acquisition: Control and monitor Industrial facilities locally and remotely.
 MES – Manufacturing Execution Systems: track and document transformation of Raw material to finished goods.
DOMAIN V: IDENTITY AND ACCESS MANAGEMENT
CIA IMPACT OF ACCESS CONTROLS
 Confidentiality – Only authenticated and authorized subjects can access objects. Else there will be a loss of confidentiality.
   Example: If anybody can read the payroll database, there is no confidentiality.
 Integrity – Data or system configurations are not modified without authorization. If unauthorized changes occur, they must be detected and logged. Else there will be a loss of integrity.
   Example: Changing routing tables to a router that has no authentication or authorization.
 Availability – Timely access to authorization requests. If authentication & authorization fails, there will be a loss of availability.
   Example: Fingerprint scanner times out while authenticating, door doesn’t open.
Subjects: Active Entities. Manipulate Objects.
Objects: Passive Entities. Manipulated by Subjects.
A Subject can also be an object.
[Figure: User, Web server, Database, with a Write between a Subject and an Object (two panels)]
TYPES OF ACCESS CONTROL
 Preventive: Prevent or stop unwanted activities from occurring. Ex: Encryption, mantrap, Firewall, security awareness
 Detective: Detect unwanted / unauthorized activities. Ex: CCTV, IDS, EDR, Job rotation, mandatory vacations.
 Corrective: Restore or resolve problems after security incident. (Short-term recovery – damage isn’t extensive) Ex: AV Scan, Data Restore, IPS TCP Reset
 Deterrent: Discourage people from making security violations. Ex: Fences, Guards, Warnings.
 Directive: Direct and control user actions. Ex: Acceptable use policy, Exit signs, warnings, procedures.
 Recovery: Long term recovery, if damage is extensive. Ex: Backup & restore (ransomware attack), RAID, Load-balancing, System re-imaging.
 Compensating: Backup access control in case primary fails or not available. Ex: Smartcard – primary, temporary id – secondary.
ACCESS CONTROLS IMPLEMENTATION

Administrative
• Policies and procedures defined by security policy or regulators.
• Focus on Personnel and Business Practices.
• Examples:
  • Security Awareness Trainings
  • Background checks
  • Classifying and labeling data
  • Policies and procedures.

Technical / Logical
• Hardware and software that provide protection and access.
• Focus on Resources and Systems.
• Examples:
  • Firewalls
  • Antivirus
  • Intrusion Prevention & Detection
  • Encryption
  • Biometric / smartcards / passwords
  • Access Roles

Physical
• Physical mechanisms that provide protection and access.
• Focus on Facilities and Systems.
• Examples:
  • Security Guards
  • Doors
  • CCTV
  • Fences & Walls
  • Alarms
  • Fire Fighting equipment
AUTHENTICATION FACTORS
• TYPE I – Something You Know: Something that the user knows such as a Password, Passphrase, PIN or Response.
• TYPE II – Something You Have: Something that the user has such as a Token, Smartcard.
• TYPE III – Something You Are: Biometric Authentication such as Fingerprint, Retina, Iris, Facial or Hand Geometry scans.
• TYPE IV – Some place you are: GPS, Geolocation, Device
TYPE I – SOMETHING YOU KNOW

Passwords
• Weakest form of authentication. Can be guessed.
• Brute force and dictionary attacks can quickly uncover weak passwords.
• Recommendations:
  • Enforce Maximum age – 30-45 days
  • Complexity – alphanumeric & numbers
  • Length – 8 for normal, 15 for privileged
  • Never store passwords in clear-text
  • Save as Hash with random salts of 32bits.
  • Prevent password reuse by enforcing history.
Cain & Abel is a Password cracker for

Passphrases
• Use a whole sentence as PassPhrase.
• “IamtheLordofDarkness”
• Add complexity: “!@m7#eL0rdofDarkn3$s”

Cognitive
• Challenge handshake process.
• User answers questions during signup, and is asked the answers of these questions at login.
• Recommended to have user create own questions for security.

• Passwords are stored as Hashes (one way functions) in most modern applications or OSes. When a user enters the password, the application/OS creates a hash and compares to the stored hash.
• Linux Stores hashes in /etc/shadow
• Windows stores hashes in the SAM file on the local machine and the Domain controller. If the domain controller is not reachable, the local hashes are checked.

NIST SP 800-63B Recommends
• Compare user passwords against known weak passwords like “password” etc.
• Don’t enforce complex passwords or users will write it down.
• Salt passwords with random value and store as hash.
TYPE II – SOMETHING YOU HAVE

Synchronous Dynamic Tokens
• Algorithm based dynamic tokens.
• Tokens are dynamically generated at a preset time (60 secs) on the token. Token expires after time expires.
• Server has a seed database and matches the token based by calculating the algorithm on the token’s seed.
• Requires time synchronization between Server and Authenticator. (Usually a calibration process to enter consecutive tokens so server can identify the exact code that will be processed next)
• Most Secure.
• Example: RSA Securid token generates a Tokencode every 60 seconds.

Asynchronous Dynamic Tokens
• Requires an event such as a OTP, Challenge, PIN or Button press to generate a token.
• Token once generated is valid till use.
• Server matches token code + Challenge with its Seed database.
• No time synchronization needed.
• Security Concern – Token valid till next use.
• Example: Seen above is Arrayshield, that requires you to place the shield on a challenge code generated by the server and type the words as the token code.

Two-Step Authentication
• Websites like google implement OTP based Two-step auth.
• HOTP – HMAC OTP standard to create one-time-password. Valid till used.
• TOTP – Time based OTP, valid till specific time such as 30 seconds.
• NIST SP800-63B recommends Push notifications over SMS.
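The two token styles above map onto HOTP (RFC 4226, event based) and TOTP (RFC 6238, time based). The following is an added example, not part of the original notes: it implements both and a server-side verifier for each, showing that an HOTP code stays valid until it is used while a TOTP code expires with its time step. The verifier classes, the look-ahead and drift settings, and the use of the public RFC test seed are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Shared seed taken from the RFC 4226 / RFC 6238 test vectors (a public test value).
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(seed, int(unix_time) // step, digits)


class HotpVerifier:
    """Event-based token: no clock needed, the code is valid until it is used."""

    def __init__(self, seed: bytes, counter: int = 0, look_ahead: int = 3):
        self.seed = seed
        self.counter = counter        # next counter value the server expects
        self.look_ahead = look_ahead  # tolerates button presses the server never saw

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1  # burn this code and every earlier one
                return True
        return False


class TotpVerifier:
    """Time-based token: needs synchronized clocks, the code expires with its step."""

    def __init__(self, seed: bytes, step: int = 30, drift: int = 1):
        self.seed = seed
        self.step = step
        self.drift = drift            # accepted clock skew, in time steps
        self.last_used_step = -1      # blocks replay inside the validity window

    def verify(self, code: str, now: int) -> bool:
        current = int(now) // self.step
        for s in range(current - self.drift, current + self.drift + 1):
            if s > self.last_used_step and hmac.compare_digest(hotp(self.seed, s), code):
                self.last_used_step = s
                return True
        return False


if __name__ == "__main__":
    event_server = HotpVerifier(RFC_TEST_SEED)
    print("HOTP first use :", event_server.verify(hotp(RFC_TEST_SEED, 0)))
    print("HOTP replay    :", event_server.verify(hotp(RFC_TEST_SEED, 0)))
    time_server = TotpVerifier(RFC_TEST_SEED)
    code = totp(RFC_TEST_SEED, 59)
    print("TOTP in window :", time_server.verify(code, now=59))
    print("TOTP expired   :", TotpVerifier(RFC_TEST_SEED).verify(code, now=119))
```

An unused HOTP code has no expiry, which is the "valid till next use" concern listed above; the TOTP verifier bounds that exposure to the drift window.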
TYPE III - BIOMETRICS
• Fingerprint: Widely used, scans minutiae.
• Retina: Scans capillaries at back of eye. Most accurate, but intrusive. Health Risk and privacy issues.
• Iris: Second most accurate, passive.
• Palm scan: Scans the veins, establish unique identity without another factor.
• Hand Geometry scan: Scans the length, width and thickness of hand. Not reliable.
• Voice Print: Voice sampling. Vulnerable to capture and replay of voice.
• Facial Scanning: Scans facial features against DB. Passive.
• Keyboard dynamics: typing style capture (how hard/fast). Change in behavior can cause FRRs.

Biometric Accuracy
• Type I Error - False Reject Rate (FRR): Valid authorized user is rejected.
• Type II Error - False Accept Rate (FAR): Invalid Unauthorized user is accepted.
• Crossover Error Rate (CER): When FRR and FAR are equal.
[Figure: FAR and FRR curves plotted as ERRORS against SENSITIVITY, with the CER marked.]

Enrollment:
• Process of registering biometric factor.
• Time should not exceed 2 mins.
• The enrolled biometric is called Enrollment Template which is referenced during the authentication.

Throughput:
• Time taken to authenticate a user with biometric factor.
• Typical time 6-10 seconds.

If the CER of a biometric system is not acceptable: Evaluate other biometric systems.
Zephyr Charts gauge effectiveness of different biometric devices.
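To make the FAR/FRR/CER relationship concrete, here is an added example (not from the original notes) that sweeps the match threshold, i.e. the sensitivity, over a small set of match scores and reports where the two error rates cross. The scores are constructed sample data on a 0-100 scale, and the function names are assumptions of this example.

```python
# Constructed match scores (0-100). Higher means a closer match to the enrollment template.
GENUINE_SCORES = [91, 85, 78, 88, 65, 95, 72, 81, 58, 90]   # enrolled users presenting themselves
IMPOSTOR_SCORES = [12, 35, 41, 22, 62, 30, 55, 18, 70, 27]  # other people presenting against those templates
THRESHOLDS = range(0, 101, 5)                               # sensitivity settings to evaluate


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when scores >= threshold are accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)      # Type I: valid user rejected
    far = sum(s >= threshold for s in impostor) / len(impostor)   # Type II: invalid user accepted
    return far, frr


def sweep(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for every candidate threshold, lowest threshold first."""
    return [(t, *error_rates(genuine, impostor, t)) for t in sorted(thresholds)]


def crossover_error_rate(genuine, impostor, thresholds):
    """Threshold where FAR and FRR are closest, and the error rate at that point."""
    t, far, frr = min(sweep(genuine, impostor, thresholds),
                      key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (far + frr) / 2


def lowest_threshold_meeting_far(genuine, impostor, thresholds, max_far):
    """For a high-security door: the least strict setting whose FAR is acceptable."""
    for t, far, frr in sweep(genuine, impostor, thresholds):
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"threshold={t:3d}  FAR={far:.1f}  FRR={frr:.1f}")
    print("CER:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
    print("FAR=0 setting:",
          lowest_threshold_meeting_far(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS, 0.0))
```

Raising the threshold past the crossover drives FAR down at the cost of more rejected valid users, which is the trade-off the CER summarizes when comparing devices.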
TYPES OF AUTHENTICATION

Device Authentication
• Devices cannot login interactively, and may not be part of the domain.
• Device Fingerprinting which identifies Device type, Mac, Manufacturer etc. may be used for authentication.
• 802.1x with NAC used for device authentication.
• NAC determines health such as Antivirus is installed and enabled, before allowing device on the network.
• Third party tools – SecureAuth Identity Provider IdP

User Authentication
• Typically known as “Interactive Logon”
• User accesses the login page and logs in with username and authentication factors.

Service Authentication
• Application services need privileged authentication.
• Service accounts enable privileged access for services.
• Recommendations:
  • Disable Interactive Logon to prevent misuse.
  • Disable password expiry.
  • Use Certificate authentication if possible.
  • Use API authentication if possible.
IDENTITY MANAGEMENT

Centralized Access Control
• Authorization verification performed centrally by a single entity.
• Access is provisioned on the central Access management control.
• Advantages: Centrally managed – uniform access control for the whole organization. Simple authentication to Resources.
• Disadvantages: Single point of failure.
• Example:
  • Centralized Active Directory server: all authentication / authorization through AD.
  • Organizations utilizing Aruba Clearpass or Cisco ISE for AAA & TACACS+

Decentralized Access Control
• Authorization verification performed locally by a local entity.
• Access is provisioned individually per system or location.
• Advantages: No dependency on connectivity to Central system. Management closer to the authenticating resource. Granularity.
• Disadvantages: Access Control not uniform, each location may manage differently, leading to excess privileges or lax reviews. Complex authentication to resources as they have to be integrated with all locations controls.
• Example:
  • Local AD per location.
  • Biometric authentication managed locally.
MISC - SINGLE SIGN ON | IDAAS | CREDENTIAL MANAGEMENT
• Single Sign On – authenticate once, access all.
  • Convenient for users – remember only one authentication, the system authenticates the application.
  • Easy to manage: reduces the number of accounts to manage on disparate systems.
• Disadvantage:
  • One account hijacked – all systems access!
  • Integration with legacy apps.
  • Single point of attack
• Securing Single-Sign On:
  • Implement Session Timeouts and Auto Lockout controls to prevent idle systems or sessions from being taken advantage of.
  • SSO should be paired with Multi-factor authentication to secure the account.

IDaaS
Identity As A Service offering cloud based Identity services and management. Example: PingID, OneIdentity, Okta

Credential Management System
Credential management systems offer features like password management, multifactor authentication to retrieve passwords, logging, audit, and password rotation capabilities. Can be used in lieu of Single-Sign-On if SSO cannot be deployed or impractical.
LDAP
• Lightweight Directory Access Protocol: Directory based on Subjects (users) and objects (resources)
• Enforces controls based on a subjects authorization (group). Subject must authenticate before queries/lookups. Access based on privileges assigned to the user.
• Subject resides in nested containers – Organization units, with the top level being a Domain.
• Expressed as:
  • Dn=ashish,ou=technology,dc=zerodegrees,dc=it

• Microsoft Active Directory: based on LDAP
• Multiple-AD’s authenticate a Domain.
• Trust Relationship = Domain to Domain authentication
• Forest = Made up of multiple domains.
• Directory Server = authenticates Domain
• Global Catalog = authenticates Forest.
• Ports:
  • 389 – Plain LDAP
  • 636 – LDAP-S over SSL
  • 3268 – Global Catalog
  • 3269 – Secure Global Catalog
KERBEROS - COMPONENTS

Kerberos:
• Uses Symmetric encryption.
• Port: UDP 88
• The Principal / client’s password is never transmitted on the network.
• Time Sensitive: All systems clocks need to be in sync.
• Single Point of Failure.

• Principal: The subject that raises access request to the KDC. Can be a client or application.
• Resource Server: The Target Service (TS) that the User/Principal needs access to.
• Realm: Domain. Each realm needs an AS and a TGS.
• Remote TGS: TGS in a remote Realm
• Kerberos Key Distribution Center: Kerberos Service that includes:
  • Authentication Server (AS) – Grants Ticket Granting Tickets (TGT) to access the TGS
  • Ticket Granting Service (TGS) – Grants tickets to target services.
• Session Key – Encrypts communication for a session between client and KDC or TS
• Ticket Granting Ticket (TGT) – access to TGS.
• Service Ticket – access to Target Service.
KERBEROS AUTHENTICATION PROCESS
1. AS_REQ (Principal / Client to KDC Authentication Service (AS)): Sends Username Encrypted with AES.
   Message: Encrypted Username
2. AS_REP (KDC AS to Principal / Client): KDC AS Verifies Username against Known Credentials. Generates a Symmetric Key and encrypts with Hash of Users password. Generates and sends a TGT encrypted with TGS secret key.
   Message: ({Symmetric_Key}UserPwHash), ({TGT}TGS_Secret_Key)
3. TGS_REQ (Principal / Client to KDC Ticket Granting Service (TGS)): Client decrypts the Symmetric Key by hashing the user password (thus authenticating the user) and installs the TGT. TGT can't be decrypted as he doesn't have the key. Client sends the authentication request encrypted with the Symmetric Key and the encrypted TGT to the KDC Ticket Granting Service (TGS).
   Message: ({Auth_REQ}Symmetric_Key), ({TGT}TGS_Secret_Key)
4. TGS_REP (KDC TGS to Principal / Client): Since the client sends a valid TGT, the client has validated identity to the TGS. TGS sends a Session_Key encrypted with the Symmetric_Key, and a Service_Ticket encrypted with the Target_Service (TS) secret Key.
   Message: ({Session_Key}Symmetric_Key), ({Service_Ticket}TS_Key)
5. AP_REQ (Principal / Client to Target Service (TS)): Client connects to the Target service (TS) and sends the Session Key and the Service Ticket. The TS knows the client is valid (since it has the Session Key). TS decrypts the "Service Ticket" and verifies with the KDC.
   Message: Auth: Print Service, ({Session_Key}Symmetric_Key), ({Service_Ticket}TS_Key)
6. AP_REP (Target Service to Principal / Client): Allow Access

Kerberos Weaknesses:
• The KDC stores all the keys of Principals (Users/Servers). A compromise of the KDC compromises all keys in the realm.
• KDC and the TGS are single points of failure. When down, new credentials are not issued, authentication and authorization will be stopped.
• Replay attacks possible by sniffing the Authenticator (Session and Service keys) and DoSing / Spoofing the client.
• Keys cached locally are not encrypted.
• Kerberos 4 did not validate the end user allowing another user to request a key on behalf of user. Kerberos 5 fixed this issue.

SESAME, a European followup protocol implements PKI, eliminating the plain-text storage of local keys.
FEDERATED IDENTITY MANAGEMENT

Security Association Markup Language (SAML)
• Log-In to Federated sites via SSO. Enterprise websites and apps.
• Uses XML
• Components:
  • Assertions: Authentication, Attribute, Authorization
  • Protocols: HTTP, SMTP, SOAP, FTP
  • Bindings: SAML over SOAP, SAML over HTTP
• Roles:
  • Identity Provider (IdP): Validate user identity.
  • Service Provider (SP): The Service
  • Principal: User
• Circle of Trust between all parties before

OAuth 2.0
• Provides Authorization to API’s such as GoogleID, LinkedIn, Facebook etc.
• Roles:
  • OAuth Provider: Hosts the resource to be accessed.
  • OAuth Consumer: Requesting the resource.
  • End User: Granting access
• Example: Facebook App (Consumer) asking for permission from (End User) to grant access to your Facebook Profile (Provider)
• No Encryption – Relies on TLS for Session encryption.

OpenID
• SAML based SSO, consumer websites and apps.
• Roles:
  • OpenID Provider: Verifies End user.
  • Resource Party: Wants to verify the user.
  • End User: who wants access
• Example: Facebook App (Consumer) asking for permission from (End User) to grant access to your Facebook Profile (Provider)
• OpenID Connect: Uses JSON Web Tokens (JWT) and REST to retrieve JWT. Can retrieve user profiles.
• Vulnerable to Phishing attacks.
AAA PROTOCOLS

RADIUS
• Authentication, Authorization, Accounting
• Ports: UDP 1812,1813 or 1645,1646 (unofficial)
• Uses Attribute Value Pairs (AVPs) that can be used to enhance authentication and Authorization. 256 Pairs possible.
• Logs privileged access once logged in.
• Only encrypts the Password exchange.
• RADSEC enables RADIUS over TCP/TLS

TACACS+
• Authentication, Authorization, Accounting
• Ports: TCP 49
• TACACS+ enhancement allows Two-factor authentication.
• Separates AAA into different processes that can be implemented on multiple servers.
• Encrypts all authentication information.
• Better accountability compared to Radius.

Diameter
• Supports wide range of protocols: IP, Mobile IP, VoIP.
• Better Reliability and Flexibility than RADIUS.
• Authentication, Authorization, Accounting
• Ports: TCP / SCTP 3868
• Supports IPSec & TLS Encryption.
• Not backwards compatible with RADIUS
• Uses AVP’s and increases to use 32 bits i.e. billions of Pairs.
IDENTITY MANAGEMENT – LIFECYCLE & BEST PRACTICES

Provisioning
• Provisioning must follow procedure defined by Security policy.
• Enrollment of user factors into system for authentication.
• Identity should be proved prior to enrollment via background checks or identity proof such as Aadhar Card, Social Security etc.
• Automated provisioning create consistent usernames based on org_schema.
• Least Privilege: Grant lowest privilege possible.

Account Review
• Review periodically to determine inactive accounts or excessive privileges.
• Users over time may accrue privileges called Privilege Creep. Review must track Vertical and Horizontal moves to identify privilege creep.
• Users may be allocated Excessive Privileges.
• Contract Expiry: Identify all business partner accounts and revoke rights.
• Identify Accounts that have not been used for more than 10 days post creation.
• Goal: Verify violation of Least Privilege Principle.

Account Revocation
• Disable accounts when no longer needed, like a termination or resignation of employee.
• Goal is to prevent misuse of credentials by the employee or others.
• Account should be disabled for 30 days and then deleted.
• Enables access to mails, encrypted data of the user if needed for business for a temp period (to migrate or extract)
• Identify suspended accounts for more than 30 days and delete.
COMPONENTS OF ACCESS CONTROL MODELS
• Permissions: Access granted to an object, determines what can be done to an object.
• Rights: Subject’s ability to take an action.
• Privileges: Combination of Permissions and Rights.
• Implicit Deny: Deny all by default, allow if required.

• Constrained Interfaces: Restricted interfaces. (block /admin for non-admin users)
• Content Dependant View: Restrict access based on the content. Retrieves specific columns or rows and not the full table.
• Context-Dependent Control: Requires specific activity or context before granting access. Example: Doesn’t show Download’s page until login/payment.

• Access Control Matrix: Object focused. Table of subject, object and privileges.
• Capability Table: Subject focused, details the capabilities of a subject or role.
• Layering: Defence in depth. Layer Administrative, Physical and Technical controls. Example: Server protected with encryption, locked inside rack, with keep out signs.

• Need to Know: grant access only to what the subject needs to perform job function.
• Least Privilege: grant access to lowest amounts of rights subject needs to perform job function.
• Separation of duties: Separate sensitive functions into two tasks for different employees, preventing security incidents.
ACCESS CONTROL MODELS

DAC – Discretionary Access Control
• Security of object is at Data Owner’s Discretion.
• Access granted through ACL.
• Owner of Object decides permission.
• Identity based.
• Subject has no knowledge of the object’s sensitivity.
• Scalable and Flexible as each owner decides access.

MAC – Mandatory Access Control
• Data Owners cannot grant access.
• Security Labels of Subject and Object define decision.
• Access granted by Security Officer.
• Subject label must dominate Object Label.
• Subject has knowledge of the object’s sensitivity.
• Lattice-based Access control.
• Can be compartmented further for Label+Compartment for enforcement of Need to Know.
• 3 Types: Compartmented, Hierarchical, Hybrid.

RBAC – Role Based Access Control
• Group based Access Permissions.
• Non-discretionary.
• Each Role has a set of rights over objects as defined by the Data Owner.
• The Security Admin configures the rights.
• Subject focused.

RuBAC – Rule Based Access Control
• Rule based – Global focused rules that apply to all subjects.
• Called restrictions or filters.
• If/then statements (group=admin allow social-networking)

Attributed Based Access Controls
• Policies that include multiple attributes for rules (memory=8gb, os=windows)
• SDNs use ABAC

All models, apart from DAC are Non-Discretionary Access Control Models.
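The DAC and MAC bullets above can be contrasted in a few lines of code. This is an added example, not part of the original notes: it models "subject label must dominate object label" with hierarchical levels plus compartments, and shows that an owner's ACL grant (DAC) does not override the label check (MAC). The level names, the compartment names and the `LabeledStore` class are assumptions of this example.

```python
from dataclasses import dataclass

# Hierarchical levels, lowest to highest (names are an assumption of this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()


def dominates(subject: Label, obj: Label) -> bool:
    """Lattice check: level at least as high AND every object compartment held."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and subject.compartments >= obj.compartments)


class LabeledStore:
    """Objects carry an owner-managed ACL (DAC) and an officer-assigned label (MAC)."""

    def __init__(self):
        self.objects = {}

    def create(self, name, owner, label):
        self.objects[name] = {"owner": owner, "label": label, "acl": {owner}}

    def grant(self, name, actor, user):
        # DAC: only the owner may extend the ACL, at the owner's discretion.
        if self.objects[name]["owner"] != actor:
            raise PermissionError(f"{actor} does not own {name}")
        self.objects[name]["acl"].add(user)

    def dac_allows(self, user, name):
        return user in self.objects[name]["acl"]

    def mac_allows(self, clearance, name):
        return dominates(clearance, self.objects[name]["label"])

    def can_read(self, user, clearance, name):
        # Both checks must pass; the owner cannot grant past the label.
        return self.dac_allows(user, name) and self.mac_allows(clearance, name)


if __name__ == "__main__":
    store = LabeledStore()
    store.create("design.doc", "owner1",
                 Label("SECRET", frozenset({"CRYPTO", "NUCLEAR"})))
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    store.grant("design.doc", "owner1", "analyst1")
    print("DAC allows:", store.dac_allows("analyst1", "design.doc"))
    print("MAC allows:", store.mac_allows(analyst, "design.doc"))
    print("Read      :", store.can_read("analyst1", analyst, "design.doc"))
```

The analyst holds the right level but lacks the NUCLEAR compartment, so need to know is enforced even after the owner adds the analyst to the ACL.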
THREAT MODELING – APPROACHES AND PROTECTION METHODS

Approaches
• Focus on Assets: Valuate Assets and identify threats to these assets to determine likelihood and impact.
• Focus on Attackers/Threats: Identify attackers and take potential measures to protect from them. E.g. Pakistan/North Korea block IP-Geo-resolution.
• Focus on Software: Potential threats against software. E.g. Web attacks like PHP injections.

Protection Methods
• Control Physical Access: Reduce attack surface by controlling physical access.
• Control File Access: Confidentiality and Integrity.
• Strong Password policy: Longer length, complexity, reuse and history – more time to crack a password!
• Hash and Salt Passwords: bcrypt and PBKDF2 to salt, hash and store passwords. Never store passwords in clear text.
• Password Masking: Don’t show passwords in cleartext, use masking ***.
• Account Lockout: Use Clipping levels, wrong credentials only allowed x times before locking out, prevents brute force.

Enable Last Logon Notifications – Users can detect and notify suspicious login activity.

EDUCATE USERS!
• Creating strong passwords.
• Detecting phishing mails.
• Social engineering.
ATTACKS ON PASSWORDS
• Password Guessing: Guesses passwords based on knowledge of the subject (user) or the object (default credentials). Change default credentials, implement account lockout.
• Dictionary: Matches against a known list of words and compares with stored hash. Offline attack. Reject commonly known passwords, implement salting and stronger hashing algorithm.
• Birthday: Find the same Hash value by collision.
• Password Cracking: Conducted offline against a Password Directory which stores passwords in hashes. Creates multiple passwords and hashes in an effort to achieve the same hash as stored in directory. Implement Salting, and stronger Hashing
• BruteForce: Try every combination for a password. Implement Account Lockout for Clipping levels, longer length & complexity.
• Rainbow Tables: Database of precomputed hashes of Passwords. Implement Salting.
• Hybrid Attack: Modify a dictionary with changes to crack complex passwords. Password becomes Passw0rd. Implement Salting, complexity, length.
• Salt: Add a random character/string to a password before hashing to make it difficult to crack. Even same password by different users will have different values.
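The storage advice in the Type I notes, the "Hash and Salt Passwords" protection method and the Salt entry above all come down to the same code path, shown here as an added example that is not part of the original notes. It rejects passwords on a deny-list, stores a per-user salted PBKDF2 hash, verifies in constant time, and shows why a precomputed table works against unsalted hashes but not against the salted records. The deny-list contents, the iteration count, the 16-byte salt and the record format are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed sample deny-list; a real deployment would load a large known-weak list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "passw0rd"}
PBKDF2_ITERATIONS = 200_000   # assumption for this example
SALT_BYTES = 16               # 128-bit salt, above the 32-bit figure mentioned in the notes


def is_denied(password: str) -> bool:
    """NIST SP 800-63B style check against known weak passwords."""
    return password.lower() in COMMON_PASSWORDS


def enroll(password: str) -> str:
    """Return the record to store: algorithm, cost, salt and hash. Never the clear text."""
    if is_denied(password):
        raise ValueError("password is on the known-weak list")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password: str) -> str:
    """The weak scheme, kept only to show what salting fixes."""
    return hashlib.sha256(password.encode()).hexdigest()


def exposed_by_precomputed_table(stored: dict, wordlist: list) -> dict:
    """Audit helper: which stored values match a table of precomputed unsalted hashes."""
    table = {unsalted_sha256(word): word for word in wordlist}
    return {user: table[value] for user, value in stored.items() if value in table}


if __name__ == "__main__":
    wordlist = ["Summer2018", "Winter2018"]            # constructed sample wordlist
    weak_store = {u: unsalted_sha256("Summer2018") for u in ("alice", "bob")}
    salted_store = {u: enroll("Summer2018") for u in ("alice", "bob")}
    print("unsalted, same value for both users:", weak_store["alice"] == weak_store["bob"])
    print("unsalted, exposed:", exposed_by_precomputed_table(weak_store, wordlist))
    print("salted, same value for both users:", salted_store["alice"] == salted_store["bob"])
    print("salted, exposed:", exposed_by_precomputed_table(salted_store, wordlist))
    print("login ok:", verify("Summer2018", salted_store["alice"]))
```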
ATTACKS ON THE ACCESS
• Sniffer: Use Wireshark, tcpdump like tools to sniff authentication and data packets on the network. Encrypt or select encrypted protocols, use OTP, physical security to prevent installation of sniffers.
• Email Spoofing: Change the reply-to field to impersonate an institution or individual. Implement Anti-spam, DKIM, SPF.
• SmartCard attacks:
  • Side Channel attacks – analyze information sent to reader.
  • Timing attack – monitor timing taken to process.
  • Fault Analysis – send too low power to create faults and gain information.
• Phishing: Social Engineering attack: Send a fake webpage to harvest credentials. Drive by downloads. Awareness, reputation filtering, Patching,
• Spear Phishing: Targeted Phishing – specific users of an organization (RnD, Marketing). Considerable research before launching this attack. Involves exploits crafted for target. Awareness, reputation filtering.
• Whaling: SpearPhishing for VPs, CXOs.
• Shouldersurfing: Look at monitor screen. Use Password masking, screen filters.
DOMAIN VI - SECURITY ASSESSMENT & TESTING


SECURITY ASSESSMENTS
• Broader in scope: include the other assessments as components.
• Comprehensive review of security for an application, system or environment.
• Includes Risk Assessment, Vulnerability and Threat identification, Recommendations for remediation.
• Work Product: Security Assessment Report.

NIST SP800-53A – Assessing Security & Privacy Controls:
• Specifications: documents of system being audited, policies, requirements.
• Mechanisms: Controls used to meet specifications.
• Activities: Actions carried out by individuals, procedures and processes.
• Individuals: People who access the system and perform the activities.

Assessment Methods:
• Examination – Mechanisms, Specifications, Activities
• Interviews - Individuals
• Testing/Assessment – Mechanisms or Activities.

[Figure: Security Assessment, shown with the components Policy/Procedure/Process Review, Vulnerability Assessment, Penetration Testing, Change Management Review, Security Audits, Real-world assessment of admin controls and Remediation Recommendations, leading to the Assessment Report.]

VULNERABILITY ASSESSMENT & TESTING
• Identify the presence of a vulnerability in a system via an automated or manual scan. Authenticated scans reduce chances of false positives.
Detect > Validate > Remediate > Document

Network Discovery Scans
Scan a range of IP addresses for open ports.
• TCP SYN Scanning: Half-open scan, sends SYN and gets ACK from server = port is open.
• TCP Connect: Opens full TCP Connection.
• TCP ACK: Sends TCP Ack to verify if firewall enforces TCP 3-Way handshake.
• XMAS: Sends FIN, PSH and URG packets set.
• Popular tool: nMAP – open, closed, filtered statuses

Network Vulnerability Scans
Uses a vulnerability database and signatures to check for known vulnerabilities on open ports (services).
• False Positive: Vulnerability does not exist, but reported.
• False Negative: Vulnerability not detected.
• Authenticated Scans: Enables authentication for scans providing better coverage.
• Vulnerability scanners are unable to detect zero-day vulnerabilities.
• Tools: Nessus, OpenVAS

Web Vulnerability Scans
Scans web applications for web vulnerabilities, which are not typically detected by Network Vulnerability scans.
• Scan all apps
• Scan apps before moving to production.
• Scan modified apps before moving code to production.
• Scan apps on a recurring basis.
• PCI-DSS compliance requires quarterly audits or WAF.
• Tools: Nikto, Acunetix, Burpsuite, Wapiti

Database Vulnerability Scans
• Scan for Database vulnerabilities and database access from web applications that may affect database security.
• Identify common attacks like SQLInjection.
• Tools: SQLmap
VULNERABILITY MANAGEMENT WORKFLOW
• Detection: Initial identification of vulnerability. Usually detected by the vulnerability scanner.
• Validation: Application owner or administrator validates that the vulnerability exists.
• Remediation: Vulnerabilities should be remediated. Patching, configuration change, deploying a WAF or a workaround.

NIST Security Content Automation Protocol (SCAP): interface with the NVD for vulnerability information exchange.
• Common Vulnerabilities and Exposures (CVE): naming system and describes vulnerabilities.
• Common Vulnerability Scoring System (CVSS): Scoring for Severity.
• Common Configuration Enumeration (CCE): Naming system for system config issues.
• Common Platform Enumeration (CPE): Naming for Platforms.
• Extensible Configuration Checklist Description Format (XCCDF): specifies Security Checklist.
• Open Vulnerability and Assessment Language (OVAL): security testing procedures.
PENETRATION TESTING
• Go beyond Vulnerability Scanning: Exploit the Vulnerability. Pen Tests should use dummy data (flags) protected with same controls as the actual protected data to simulate secure penetration of deployed controls and simulate exfiltration.

Phases
• Planning: Agreement on the scope and rules of engagement.
• Reconnaissance: Identify systems via discovery scans, gather information
• Vulnerability Scanning: Identify vulnerabilities
• Exploit: Exploit the vulnerability using manual/automated techniques.
• Report: Result of Pen-test and recommendations for remediation.

Hazards of Pen Testing
• Application Crashes
• Data Corruption
• Denial of Service
Vulnerabilities are exploited in Pen-test. Exploitation is not a hazard.

Whitebox Testing
• Complete knowledge of system.
• Bypasses Reconnaissance stage, reducing time.
• Increases likelihood of finding security flaws and reducing consultant time/fees.

Gray Box Testing
• Some knowledge of system.
• Trade-off between White-box and Black-box.
• Reduces time than Blackbox, but produces real world results nearer to blackbox.

BlackBox Testing
• No knowledge of system.
• Simulates an external attacker attacking a system.
• Real world results.
• Time consuming.

Methodologies
• OWASP Testing Guide
• NIST 800-115
• OSSTMM
• FedRAMP PenTest
• PCI-DSS Guidelines

If a Pen Test detects an active compromise, stop test silently and flag/escalate to security contact.

Tools: Metasploit, Core-Impact, Immunity Canvas | Platforms: Kali Linux, BackTrack


WARGAMES – BLUE TEAM & RED TEAM TESTING
• Wargaming is a new concept that proposes to take Vulnerability testing further by having two opposing teams – Red & Blue – simulating an actual Breach scenario with both teams actively testing the security infrastructure and operations.

Red Team
• Offensive team – seeks to circumvent and breach the controls.
• Uses amalgamation of techniques using Social-engineering, pen-testing etc. to simulate an actual attack scenario.
• Typically an External contractor.

Blue Team
• Defensive team – seeks to prevent breach by using security tools and operational processes.
• Tests the security teams awareness, readiness for scenarios.
• Focus on the response – how an attack is triaged, mitigated, crisis escalation.
• Typically the Security Operations team.

• Objective is to identify loopholes in the Security Infrastructure and Operations processes of an organization.
• Identify awareness, alertness, adherence to processes of Sec-Ops team.
• Identify Incident Handling capabilities – Triage, Response, Escalation, Recovery.
• Identify Failures and how they could be avoided in the future.

WarGames goes further than Penetration testing by testing an Organization’s awareness and response to a security
SECURITY AUDITS
• Impartial, unbiased evaluations to determine effectiveness of Controls to a Third Party. Validated against a Standard.

Internal Audits
Performed by organization appointed auditors. Continual review of controls. Separate line of reporting to CEO/Business owners.

External Audits
Performed by outside organizations. No conflict of interest. High validity. Big Four: E&Y, PwC, Deloitte, KPMG

Third Party Audits
Performed on behalf or conducted by another organization, like a regulatory body. Scope decided by the Third Party. Example: PCI-DSS, SOX

Audit process
1. Identify Audit Goals
2. Identify Business Needs
3. Determine What will be audited
4. Appoint an Audit committee
5. Outline a plan for audit
6. Perform the Audit
7. Document everything

Auditing Standards
• CoBIT – common security requirements for systems
• ISO 27002 – granular specifics information systems security control
• SSAE18 – SOC2
  • Type 1 – Point in time controls.
  • Type II – Period of time controls, testing. More reliable and preferred, auditor opinion
• rd
LOG MANAGEMENT & REVIEW
• Log Reviews verify that Security Controls, Access Controls are performing adequately.
• Log Reviews identify security incidents such as malware spread, privilege abuse etc.
• Detective Control.
• Syslog: Port UDP 514, Universal logging for network, security devices or application servers. Post-incident. Syslog is plain-text and can be spoofed.
• Events: Windows systems create Windows Events. Can be viewed in Eventviewer and lack native syslog functionality. Post-incident.
• Netflow: UDP 2055. Live logging of application flows on the network.

Security Tools
• Syslog Server: Stores Syslog centrally, that can be dynamically viewed via filters. Most software have mechanisms to feed logs via syslog, ftp and windows events. Typically RAW output, needs an expert on the system to review.
  • Popular Tools: Kiwi Syslog.
• Security Information & Event Management (SIEM): Aggregate logs from variety of sources. Parse logs into human readable output. Can be used for getting compliance reports.
  • Example: Reports on Windows Password resets.
  • Popular Tools: ArcSight, Splunk, OSSIM
• Netflow logger: Network utilization logging using Flows from multiple sources. Live detection.

Problems with Syslog
• Plain-text
• Uses UDP
• Can be easily spoofed.

Logging Best Practices
• Use Centralized logging to prevent deletion/modification of logs by attackers.
• Keep some logs on the endpoint, in the event centralized log server is unreachable due to network issues.
• Use a Bastion Host (Log Collector) in the DMZ for Cloud hosted, Screened (DMZ) devices

Correlated Alerts
• Log events could be false positives or low concern (another security control blocks incident) leading to information overload.
• SIEM’s solve this by using automated Correlation between two or more systems:
  1. Proxy reports UserA downloaded suspicious exe.
  2. Firewall reports excessive Netbios connections between hosts.
  3. External firewall reports Outbound connection to malicious domain.
• Correlated Event: Malware Infection.

All systems sending logs must be synced with NTP to ensure that incident time is accurately recorded across all devices.
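The three-source correlation described under Correlated Alerts can be written as a small rule. This is an added example, not part of the original notes and not any SIEM product's rule language: it parses key=value events from a proxy, an internal firewall and an external firewall, and raises one "Malware Infection" alert only when all three signals hit the same host inside a time window. The log format, field names, blocklist, window and threshold are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (UTC, as if every source were NTP-synced). Not real logs.
RAW_EVENTS = """
2018-07-25T10:06:40Z src=fw-external host=10.0.0.21 domain=malicious.example action=allow
2018-07-25T10:00:05Z src=proxy host=10.0.0.21 user=UserA file=invoice.exe verdict=suspicious
2018-07-25T10:02:10Z src=fw-internal host=10.0.0.21 dst=10.0.0.30 dport=139
2018-07-25T10:02:11Z src=fw-internal host=10.0.0.21 dst=10.0.0.31 dport=139
2018-07-25T10:02:13Z src=fw-internal host=10.0.0.21 dst=10.0.0.32 dport=137
2018-07-25T10:10:00Z src=proxy host=10.0.0.44 user=UserB file=setup.exe verdict=suspicious
2018-07-25T08:00:00Z src=proxy host=10.0.0.50 user=UserC file=tool.exe verdict=suspicious
2018-07-25T10:20:00Z src=fw-internal host=10.0.0.50 dst=10.0.0.30 dport=139
2018-07-25T10:20:01Z src=fw-internal host=10.0.0.50 dst=10.0.0.31 dport=139
2018-07-25T10:20:02Z src=fw-internal host=10.0.0.50 dst=10.0.0.32 dport=139
2018-07-25T10:21:00Z src=fw-external host=10.0.0.50 domain=malicious.example action=allow
""".strip().splitlines()

MALICIOUS_DOMAINS = {"malicious.example"}   # constructed blocklist entry
NETBIOS_PORTS = {"137", "138", "139"}


def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def signal_of(event):
    """Map a raw event to one of the three low-level signals, or None."""
    if (event["src"] == "proxy" and event.get("verdict") == "suspicious"
            and event.get("file", "").endswith(".exe")):
        return "suspicious_download"
    if event["src"] == "fw-internal" and event.get("dport") in NETBIOS_PORTS:
        return "netbios"
    if event["src"] == "fw-external" and event.get("domain") in MALICIOUS_DOMAINS:
        return "bad_domain"
    return None


def correlate(lines, window=timedelta(minutes=15), netbios_threshold=3):
    """Alert when download, NetBIOS fan-out and bad-domain contact share host and window."""
    per_host = defaultdict(list)
    for event in sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"]):
        signal = signal_of(event)
        if signal:
            per_host[event["host"]].append((event["ts"], signal, event))
    alerts = []
    for host, signals in per_host.items():
        for start, signal, event in signals:
            if signal != "suspicious_download":
                continue
            in_window = [s for s in signals if start <= s[0] <= start + window]
            peers = {e["dst"] for _, sig, e in in_window if sig == "netbios"}
            contacted = any(sig == "bad_domain" for _, sig, _ in in_window)
            if len(peers) >= netbios_threshold and contacted:
                alerts.append({"event": "Malware Infection", "host": host,
                               "user": event.get("user"), "netbios_peers": len(peers),
                               "first_seen": start.isoformat()})
                break  # one correlated alert per host
    return alerts


if __name__ == "__main__":
    for alert in correlate(RAW_EVENTS):
        print(alert)
```

Host 10.0.0.44 (download only) and host 10.0.0.50 (download two hours before the other signals) produce no alert, which is the noise reduction correlation is meant to give; the window only works if the sources' clocks agree.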
SECURITY MANAGEMENT PROCESS

Account Management
• Security Officers/Managers must periodically review Accounts to identify privilege creep, inactive accounts.
• Compare a list of Privileged users against a data owner/business owner list of users who need the privilege.
• Large organizations use sampling – pull random accounts and perform privilege verification.
• Verify terminated users do not retain privileges.
Automated tools such as Solarwinds Permissions Analyzer for Active Directory can simplify this process.

Backup Verification
• Verify backups periodically:
  • Backups jobs successful
  • Backup failures and reasons.
  • Time to backup
  • Backups meeting Recovery Point Objectives (RPO)
• Verify by restoring the actual backup.

Key Performance and Risk Indicators
• Number of Open Vulnerabilities
• Time to resolve vulnerabilities
• Vulnerability / defect occurrence
• Compromised Accounts
• Software flaws detected in pre-production
• Repeat audit findings
• Malware detections
• User behavior analysis – malicious websites, downloads, suspicious behavior
• Intrusion analysis (IPS logs)
SOFTWARE TESTING: STATIC & DYNAMIC
Static
• Static Testing reviews raw source code and looks for known insecure practices, functions, libraries or characteristics.
• Test code passively.
  • Walkthrough
  • Syntax Checking
  • Code Review
  • Lexical Analysis
  • Control flow graphs
  • Data Flow analysis
• Can use automated tools to perform Static Testing.

Manual
• Code Read line by line.
• Verifies business logic errors in code.

Dynamic
• Dynamic Testing tests code while executing i.e. functions it performs, actions it takes.
• Test code Actively.
• Organizations deploying third party software typically use this approach.

Whitebox Testing: Gives Tester access to source code, data structures, variables, tester performs review directly on backend.
Graybox Testing: Gives Tester access to source code, but tester performs review from end-user perspective and compares source code.
Blackbox Testing: No internal or software details. Testing from end-user perspective.
CODE REVIEW
Fagan Inspections
Planning -> Overview -> Preparation -> Inspection -> Rework -> Follow-up

Typically organizations follow less stringent Code Review processes:
• Walkthrough: Developers walk through the code with other team members.
• Manual: Senior dev manually reviews and signs-off on code.
• Pair Programming: AGILE method where one dev writes code and other reviews line-by-line, alternately.
• Formal Inspection: Fagan inspection.
• Automated Review tools to detect flaws: loadrunner etc.

Code Reviews help to identify software vulnerabilities and coding flaws such as memory leaks, buffer overflow, stack exploitation, race conditions, bounds.
SOFTWARE TESTING LEVELS – COVERAGE ANALYSIS
Software Testing Levels
• Unit Testing: low-level tests – functions, procedures or objects.
• Installation Testing: Test Software as it is installed and operated.
• Integration Testing: Testing multiple components as they are integrated into a single system.
• Regression Testing: Test software after updates, patches or modifications.
• Acceptance Testing: Software meets the customers / users requirements.
• User Acceptance Testing: When users or customers perform the Acceptance Testing.

Coverage Analysis
Percentage of code tested by a test / validation suite.
Structural
• Branch Coverage: every branch at a decision point is TRUE or FALSE.
• Condition Coverage: each Boolean expression is evaluated to both TRUE or FALSE.
• Function Coverage: every Function or Subroutine is called.
• Statement Coverage: every Statement is executed at least once.
• Loop Coverage: every loop in the code to verify loop initialization problems, repetition issues, capacity/performance bottlenecks.
Functional
• Normal Testing: Normal inputs (expected user behavior) are fed and results are tested with expected outcomes.
• Misuse Case Testing: Wrong or unexpected inputs sent to program for testing robustness.
SOFTWARE TESTING
• Fuzzing – Provides multiple invalid inputs to software to test its limits, in an attempt to produce crashes, vulnerabilities such as bounds, buffer overflows etc. Tools: zzuf
  • Mutation Fuzzing: Takes valid input, alters it and sends to the application.
  • Generational Fuzzing: Intelligent Fuzzing. Creates models based on the data types accepted by the program.
• Combinatorial Testing – identify and test all unique combinations of inputs.
• Mutation Testing – Modifies a program in small ways and then tests the mutant to determine if it behaves as it should or fails. This is used to design new software tests and ensures the quality of the tests.
• Misuse Case Testing – tests application abuse, by purposely performing inputs that do not follow the flow of valid user behavior.
• Interface Testing – Tests the interfaces exposed by the application such as API, GUI for security vulnerabilities and proper handoffs, data inputs.
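Mutation fuzzing as described above, run against a small parser in two forms: one that trusts a length field and one that bounds-checks it. This is an added example, not part of the original notes; the tag-length-value format, the parser names and the seed input are constructed for the illustration, and it covers mutation fuzzing only, not generational fuzzing.

```python
"""Mutation fuzzing of a toy tag-length-value (TLV) parser, buggy vs. hardened."""
import random

# Constructed valid input: two records, each tag (1 byte), length (1 byte), value.
VALID_INPUT = b"\x01\x05hello\x02\x03abc"


def parse_buggy(data):
    """Trusts the length byte: no bounds check before reading the value."""
    records, pos = [], 0
    while pos < len(data):
        tag, length = data[pos], data[pos + 1]
        value = bytes(data[pos + 2 + k] for k in range(length))  # can run past the end
        records.append((tag, value))
        pos += 2 + length
    return records


def parse_hardened(data):
    """Rejects truncated headers and over-long lengths with a controlled error."""
    records, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated record header")
        tag, length = data[pos], data[pos + 1]
        if pos + 2 + length > len(data):
            raise ValueError("length field exceeds remaining input")
        records.append((tag, data[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return records


def mutate(seed_input, rng):
    """One mutation step: truncate the valid input or overwrite a single byte."""
    data = bytearray(seed_input)
    if rng.random() < 0.2:
        return bytes(data[:rng.randrange(len(data))])
    data[rng.randrange(len(data))] = rng.randrange(256)
    return bytes(data)


def fuzz(parser, iterations=500, seed=2018):
    """Feed mutated inputs to parser; return one sample input per crash type."""
    rng = random.Random(seed)          # fixed seed so a finding can be reproduced
    crashes = {}
    for _ in range(iterations):
        sample = mutate(VALID_INPUT, rng)
        try:
            parser(sample)
        except ValueError:
            pass                       # controlled rejection is the desired outcome
        except Exception as exc:       # anything else is an unhandled failure
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


if __name__ == "__main__":
    print("buggy   :", fuzz(parse_buggy))
    print("hardened:", fuzz(parse_hardened))
```

The saved sample for each crash type is what goes into the regression test suite once the parser is fixed.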
SOFTWARE TESTING
• Traceability Matrix
  • Maps customer requirements to a Use-Case via a Software Testing Plan.
  • Traces the requirements to ensure they are being met.

              Use Case 1   Use Case 2   Use Case 3
  TestCase 1  Yes          No           Yes
  TestCase 2  Yes          Yes          Yes
  TestCase 3  Yes          No           No

• Passive Monitoring: Captures real data (network sniffer / transaction capture) to analyze performance issues and real-world data. Detective, happens after the fact.
  • Examples: Fluke Time Machine, RSA Netwitness Logs & Packets
• Synthetic Transactions: Creates automated transactions to applications via scripts/functions to test application availability or performance. Proactive. Cannot give real-world performance output i.e. user issues such as low client bandwidth etc.
  • Examples: Solarwinds Web Performance Monitor.

DOMAIN VII: SECURITY OPERATIONS


ADMINISTRATIVE SECURITY
• Rights: Take actions e.g. create, modify
• Permissions: Object focused. Allow access e.g. read/write/execute
• Entitlement: Amount of Privilege user gets when account is provisioned for the first time.
• Aggregation: Amount of Privilege user gets over time. Typically role changes but privileges remain.
• Need to Know: Grant access to only the data and knowledge needed to perform a task.
• Least Privilege: Grant the lowest possible privilege to a user to perform a task. (Needs well defined job description)
• Transitive Trust: Inter-domain trust relationship. Subjects can access inter-domain & child objects. Typically seen in company mergers.
• Separation of Privilege: No single person has control over a system.
• Segregation of Duties: No single person is completely responsible/assigned all functions of a process. Mandatory requirement of SOX compliance.
• Two Man Control: Two people required to complete a function or access a system.
• Split Knowledge: Split the know-how of accessing a system/ performing a function between two people.
• Privileged Accounts: Should be monitored and audited to prevent abuse of privileges by admins.
ASSET MANAGEMENT / PERSONNEL SAFETY
Information Lifecycle Management
Creation or Capture -> Classification -> Storage -> Usage -> Archive -> Destruction / Sanitization

• Hardware Asset Management: Manage Hardware inventory and asset management - hardware/model/SR/location.
  • BarCode system – read codes via a code reader.
  • RFID Tag system – RFID scanner via RF
• Software Asset Management: Manage software licenses and usage.
  • Collect software installed
  • Compare licenses.
• Virtual Asset Management: Manage VM and VDI and Cloud Assets.

Personnel Safety
• Travel: Ensure that personnel are safe during company travel. Advisories for travel to conflicted areas, secure travel arrangements etc.
• Duress: Duress systems for safety of personnel working alone or in remote area. (Signal to indicate hazard). Example: Code word for security guard if he is surrounded or in danger.
• Sensitive Data: Data should not be on the endpoint. Endpoint should be encrypted. (Some countries forbid encryption such as China. Use alternate devices when travelling)
• VPN: Prevent MITM or network capture and provide secure access to resources.
LOG MANAGEMENT & MONITORING
Types of Logs
• Application Logs: Related to application events.
• Security Logs: Related to security events such as logon, lockout.
• System Logs: Related to system events such as hardware errors.
• Proxy Logs: Related to web events.
• Audit Logs: Related to admin actions.
SIEMs offer logging, log analysis, threshold monitoring, sampling, clipping, trend analysis and compliance reports.

Types of Monitoring
• Log Analysis: Analyze logs from related systems to identify incident. Can be manual or automated.
• Sampling: Extracting specific elements randomly representing larger data. (100 users from 25-39 demographic)
• Clipping: Threshold trigger. When data reaches a level. (Failed logins 3 times)
• Keystroke: Monitor the keystrokes via keylogger.
• Traffic Analysis / Trend Analysis: Analyse the flow of packets to derive trends and patterns.
• Egress Monitoring: Monitoring traffic egressing out of the corporate network. (DLP)
• Watermarking: Enable original author to be tracked on data by watermarking.

Types of Audits
• Access Review Audit
• User Entitlement review
• Inspection audits (controls)
• Privileged Users / Groups audit

Types of Audit Reports
• Patch Management
• Change Management
• Vulnerability Management
• Configuration Management
CHANGE MANAGEMENT
Request Change -> Review Change (w/ Impact Analysis) -> Approve/Reject -> Test -> Implement -> Document

• Versioning: Labeling changes with version numbers differentiating configuration or software sets.
• Security Impact Analysis: Evaluate the security impact a proposed change can bring, and its related mitigation steps.
• Configuration Documentation: Documentation of the configuration with justification as to why a particular feature was configured.
• Rollback Plan: Action steps to take if a change fails.
• Change Review Board: Comprised of experts from different departments. Review and Approve/Reject a change.
• Change Management Tools: Manual form based process or a software tool like Manageengine with approval workflows.

Note: Management has to be notified of a change before it occurs.


PATCH MANAGEMENT | VULNERABILITY MANAGEMENT
Patch Management
Evaluate -> Test -> Approve/Reject -> Deploy -> Verify -> Document
Tools: SCCM, LanDesk, Manageengine, WSUS

• Exploit: Exploits take advantage of an unpatched vulnerability.
• Exploit Mitigation: Patch. If patching is not possible (loss of functionality/stability) use Virtual Patching.
• Virtual Patching: A control that protects against a vulnerability without altering the actual software code by denying access. Example: A WAF.

Vulnerability Management
Plan -> Vulnerability Scan -> Vulnerability Assessment -> Mitigation -> Document
Tools: Nessus, OpenVAS

• Common Vulnerabilities and Exposures (CVE): Standard convention to identify vulnerabilities among vendors. MITRE maintains the CVE database.


THE CYBER KILL-CHAIN
Recon -> Weaponize -> Deliver -> Exploit -> Install -> C&C -> Perform Objective (eg. Exfiltrate)
• Recon: Conduct reconnaissance, understand target.
• Weaponize: Create exploit based on recon.
• Deliver: Social Engineering, phishing etc. to deliver exploit.
• Exploit: Exploit local system -> move from a user process to system process.
• Install: Persistence. Download software (e.g. malware) to enable the attacker to persist.
• C&C: Phone Home. Receive further instructions!
• Lateral Movement: Spread!
• Perform Objective: Encrypt, Exfiltrate!
Proactive Detection & Mitigation | Containment & Incident Response
INCIDENT RESPONSE MANAGEMENT
1. Detection: First responders analyze to classify alarm as incident and Activate the CIRT. Reporting
2. Response: Investigate, Assess damage, collect evidence, determine the response (containment action)
3. Mitigation: Determine Cause that leads to RCA, take action to Contain incident and Eradicate to stop incident.
4. Reporting: Technical: Technical details of incident. Non-Technical: Seriousness of incident to management.
5. Recovery: Restore system to operational status (BU approves). Monitor for persistence. Recovery in off-peak hours.
6. Remediation: Long term mitigation. Prevent Recurrence. Root cause Analysis. Eg: Password was compromised, mitigation changes password. Remediation adds Multifactor authentication.
7. Lessons Learned: Final Incident Report. What could be done to prevent further incidents, response analysis, shortcomings, feedback.

Root Cause Analysis
Determine what caused an incident: very critical to Mitigation, Recovery and Remediation. If root cause is not properly identified, an incident can persist for a longer time.

CIRT – Computer Incident Response Team: Responsible for Investigation, Containment and Recovery.
NIST Computer Security Handling Guide: 800-61r2
TYPE OF ATTACKS
• SYN Flood Attack: Sends multiple SYN packets, but does not respond to the SYN-ACK with an ACK.
• TCP Reset Attack: Send TCP RST packets to terminate session.
• Smurf Attack: Sends ICMP echo packets spoofing the Victim’s IP as source to a broadcast network via directed broadcast in a router. RFC 2644 defaults to no directed broadcast.
• Fraggle Attack: Send UDP Port 7 and 19 traffic spoofing Victims IP as source. All hosts then send traffic to the victim.
• Ping of Death: Send ICMP Packets over 64KB in size.
• Teardrop: Fragments packets in a way that receiving machine is unable to recover original message, leading to crashes.
• Land Attacks: Spoofs SYN packets with the Src.IP and Dst.IP both as Victim’s IP, leading to crashes.
• Man-in-the-middle: Intercept. Obfuscate/Proxy. Reap.
• XMAS Attack: Has URG, FIN and RST Flags set, lit up like a Christmas tree.
• Sabotage: Criminal destruction or disruption against an organization by an employee.
• Espionage: Spy and steal secrets / intelligence.
CONTROLS
• Firewalls: Prevent unauthorized access.
• Intrusion Detection: Detect attacks.
• Intrusion Prevention: Prevent Attacks
  • Can be Context based.
  • Can be anomaly based.
  • Can be signature based (known attacks)
• Sandboxing: Detonate files in a VM to determine behavior.
• SIEM: Detect and correlate incidents from multiple log sources.
• Whitelisting-Blacklisting: Allow what's good, deny what’s bad.
• DLP: Prevent classified information from leaking.
• Classification: Classify information for DLP.
• Warning banners: Warn potential attackers of legal enforcement.
• Anti-Virus/Anti-malware

Honeypots
Offer enticement to attackers, so that the attacker may spend time attacking the honeypot without gaining any information leading to discouragement.
• Honeynet: Two or more networked honeypots to simulate a network.
• PseudoFlaws: False vulnerabilities or loopholes present in a system, enticing attacker to attack.
• Padded Cell: Detection of attack, attacker transmitted to virtual network with exact look and feel of real.
Tools: Smokescreen

Security As A Service: Managed Detection & Response, Vulnerability Assessment & Mitigation etc.
COMPUTER ATTACKERS AND MOTIVATION
• Troublemakers: Script kiddies, technical know-how
• Hacktivists: Hack for a cause
• Nation-state: Government funded.
• Insider: Disgruntled employee.
Motivations shown for these four groups: Skill, Thrill, Cause, Terrorism, Espionage, Grudge, Disruption
• Crime: Funded by organized crime. After $$$. Motivations: Money, Terrorism
INVESTIGATIONS
• Administrative Investigations: Operational investigations to internal IT system faults, functions & processes. No set guideline for evidence. Evidence is Voluntarily Surrendered to investigation personnel.
• Criminal Investigation: Evidence must meet Beyond a reasonable doubt, investigated by law enforcement.
• Civil Investigation: Evidence meets More likely than not, investigated by employees and consultants.
• Regulatory Investigation: Evidence meets Standard of proof, investigated by government or regulatory bodies if companies are suspected of violating compliance or administrative laws.
• Compliance Assessment: Evidence meets Proof of compliance, Periodic assessment to meet compliance standards, investigated by third-party auditors appointed by regulatory bodies.

Investigation Process
Evidence Gathering -> Notify Law Enforcement -> Conduct Investigation -> Interview -> Report & Document

Warrant
• Must be obtained prior searching private belongings.
• Must be based on probable cause.
• Must be specific in scope.

Data Integrity/Retention
Evidence gathered for Investigation must maintain their Integrity.
EVIDENCE
Recommended: Watch “My Cousin Vinny”.

Best Evidence Rule: Admissibility
• Relevant: Prove or disprove facts relevant to the case.
• Material: Related to the case.
• Reliable: Integrity of evidence.
• Competent / Legally Permissible: Obtained through legal means, and not via:
  • Illegal Search & Seizure: without warrant.
  • Illegal Wiretap & Phonetaps
  • Entrapment
  • Coercion: force to testify.
• Parol Evidence Rule – Only written agreements acceptable.
• Hearsay Rule – Hearsay evidence only admitted if maker of the statements is able to testify in court.

Types of Evidence
• Direct Evidence: Oral / Written Testimonial evidence witnessed by a person's 5 senses.
• Real Evidence: Physical, can be brought to court. (Hard disks etc)
• Documentary Evidence: Original / copies of business records, computer-generated/stored logs. Must comply with Hearsay rule
• Demonstrative Evidence: Aid understanding of case via Expert opinion or non-expert facts.
• Circumstantial Evidence: Doesn’t directly prove, but makes reasonable inference. (Tickets to the opera infers person was at opera)
• Secondary Evidence: A duplicate copy such as photocopy, tape backup, screenshot, logs

Legal & Ethical
• Enticement: Make a crime more enticing. Criminal already has mindset to commit crime. E.g. He has already hacked in, so Honeypot can be used to contain, gain knowledge.
Illegal & Unethical
• Entrapment: Encourage to commit crime when they had no intention.

• Best-evidence: Original, unaltered, requires integrity. Computer-generated records.
• Hearsay-evidence: Inaccurate, unreliable, unable to prove integrity. Computer-stored records.
Federal Rules of Evidence states if data stored on pc, or printout is demonstrated to be accurate and reliable, it is Best Evidence.
FORENSICS
Chain of Evidence Custody
• Persons Involved (Who): All people who handled evidence.
• Description of Evidence (What)
• Location of Evidence (Where)
• Date/Time (When)
• Methods Used (How): How was it handled?
Chain of Evidence does not require that Forensic investigators know the relation of the evidence to the crime.

Evidence Lifecycle
• Collection & Identification
  • Voluntary: Owner freely surrenders. (typically within an organization)
  • Subpoena
  • Search Warrant / Writ of Possession
  • Exigent Circumstances.
• Marked and Identified:
  • Mark evidence. Use an Evidence Tag.
  • Seal
  • Protect
• Analysis
• Storage, Preservation, Transportation
• Presentation in Court
• Return to Victim/Owner.

eDiscovery Reference Model
1. Information Governance: well organized for future eDiscovery.
2. Identification: locates info required for discovery request.
3. Preservation: maintains integrity.
4. Collection: gathers responsive information centrally for eDiscovery.
5. Processing: rough cut of irrelevant info.
6. Review: remove any info protected by attorney-client privilege.
7. Analysis: deep content & context inspection.
8. Production: format for display.
9. Presentation: display info to court, witnesses or third-parties.

Hardware Analysis: Device Forensics
Media Analysis: Storage media Forensics
Network Analysis: Network Forensics
Software Analysis: Code/log Forensics
DISASTER RECOVERY
Recovery Types
• Trusted Recovery: System is as secure as before failure or crash.
• Manual Recovery: If system does not fail in a secure state, an admin has to manually implement security before recovery.
• Automated Recovery: System performs trusted recovery activities against failure. Ex: RAID.
• Automated Recovery with Undue Loss: System performs trusted recovery activities against failure, but also protects specific objects against loss.
• Function Recovery: Systems that can automatically recover functions.

Quality of Service
Protects from Network congestion disasters.
• Bandwidth: Capacity to carry data connections
• Latency: Time taken to travel from source to destination.
• Jitter: Variation of latency between packets due to congestion or interference.
• Packet Loss: Loss of packets during transmission leading to retransmission.
• Interference: Corruption of packets as they travel due to congestion, faulty equipment or crosstalk EMI.

Tape Backup Recovery Strategies:
• Tower of Hanoi: archiving for an extended period of time in an economical manner. Recursive pattern of scheduling tapes. 1,2,4,8,16 days restore in 5 tapes.
• Grandfather-Father-Son: Grandfather – offsite full backup; Father – local fast full backup; Son – local differential/incremental backup.
• First in, First Out – First tape written is the first tape overwritten. Old data is overwritten by new data.
DISASTER RECOVERY - DATA
RAID – Redundant Array of Independent Disks

  RAID Type   Function
  RAID 0      Striping, 2+ disks
  RAID 1      Mirroring, 2 disks
  RAID 5      Striping + Parity, 3+ disks.
  RAID 6      Striping + Dual Parity
  RAID 10     Striping + Mirroring, 4 disks.

Database Backup
• Electronic Vaulting: Remote site database backup using bulk transfers. Smaller time to backup to remote site than sending tape.
  • Significant delay to recover as backup has to be obtained from vault and then restored.
• Remote Journaling: Transaction logs backed up remotely.
  • Some delay (ex. hourly), technicians retrieve transaction logs and apply to production DB.
• Remote Mirroring: Live Backup via copying any changes to the production database to the backup. (also called Shadowing)
  • No delay. Can be migrated as is.

Data Backup Types
• Full Backup: Full data backup. Exact replica. Turns Archive bit off after backup.
• Incremental Backup: changes since the last incremental or full backup. Turns Archive bit off.
• Differential Backup: changes since the last full backup. Archive bit kept on.

Eventman Technologies takes Full Backups every Monday, and incremental/differential backups every day at 3:00PM. If failure occurs on Thursday at 1:00PM. RPO is 3 hours. How many backups to restore in both scenarios and how much data is lost?
Answer:
• If incremental, need to restore Monday’s full backup, and Tuesday + Wednesday’s Incremental backup.
• If Differential, need to restore Monday’s full backup and Wednesday’s differential.
• Data will be lost from Wednesday 3:00PM to Thursday 1:00PM. Does not meet the RPO objective of 3 hours.
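The restore question above, generalized to any failure time, as an added example that is not part of the original notes. It assumes the Monday full backup also runs at 3:00PM, that a backup is complete the moment it starts, and uses constructed dates in July 2018; the function names are hypothetical.

```python
"""Work out the restore chain and data loss for incremental vs. differential backups."""
from datetime import datetime, timedelta

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")


def backup_chain(failure, backup_hour=15, full_weekday=0):
    """Return [(time, is_full), ...] from the last full backup up to the failure.

    Assumptions: one backup per day at backup_hour, the one on full_weekday
    (0 = Monday) is the full backup, and a backup is usable as soon as it runs.
    """
    last = failure.replace(hour=backup_hour, minute=0, second=0, microsecond=0)
    if last > failure:                   # today's job has not run yet
        last -= timedelta(days=1)
    chain, t = [], last
    while True:
        is_full = t.weekday() == full_weekday
        chain.append((t, is_full))
        if is_full:
            break
        t -= timedelta(days=1)
    chain.reverse()                      # oldest first: the full backup leads
    return chain


def restore_plan(failure, mode, rpo):
    """List the backups to restore, the data lost, and whether the RPO is met."""
    if mode not in ("incremental", "differential"):
        raise ValueError("mode must be 'incremental' or 'differential'")
    chain = backup_chain(failure)
    full, dailies = chain[0], chain[1:]
    if mode == "incremental":
        needed = [full] + dailies        # every incremental since the full, in order
    else:
        needed = [full] + dailies[-1:]   # only the newest differential
    data_loss = failure - chain[-1][0]   # everything after the last backup is gone
    return {
        "restore": [f"{DAYS[t.weekday()]} {'full' if is_full else mode}"
                    for t, is_full in needed],
        "data_loss": data_loss,
        "meets_rpo": data_loss <= rpo,
    }


if __name__ == "__main__":
    failure = datetime(2018, 7, 26, 13, 0)        # a Thursday, 1:00PM (constructed date)
    for mode in ("incremental", "differential"):
        print(mode, restore_plan(failure, mode, rpo=timedelta(hours=3)))
```

The data loss is the same for both schemes because it depends only on when the last backup ran; the scheme changes how many backup sets must be restored.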

DOMAIN VIII: SOFTWARE DEVELOPMENT SECURITY
PROGRAMMING CONCEPTS
• Machine Code: Software executed directly by the CPU. Binary or Hexadecimal.
• Assembly Language: Low-level Computer programming language that matches machine language instructions. ADD, SUB etc.
• Source Code: Software instructions written in text that need to be translated into Machine Code for execution. Compiled once.
• Shell Code: Software instructions executed on the fly. Need to be compiled every time.
• Compilers: Compile Source code into Machine Code.
• Interpreters: Interpret shell code into Machine Code.

• Open-source: Source code released to public, to be used, forked etc.
• Closed-source: Source code kept secret. Typically IP to the creator.
• Freeware: Free to use, free as in free beer.
• Shareware: Free to use for limited time or with bundled software.
• Crippleware: Key features require payment to unlock.
SECURE SOFTWARE DESIGN
• Input Validation: Validate user input for fields to ensure that users are not abusing fields to gain access to the backend systems. Example: using SQL or Script characters in the URL or Password fields to exploit the web application.
• Authentication and Session Management: Ensure that users are properly authenticated with the proper set of controls based on the sensitivity of the application and the sessions are managed.
  • Cookies used for a session should be securely transmitted (TLS) to the end-user to prevent session-hijacking attacks.
  • Identifiers should be long and random (not using Password for passwords, else it’s easy for the attacker to identify the password.)
  • Session Tokens should expire after a set time (idle/session time) and the user must re-authenticate.
• Error Handling: Debug error messages should be disabled for publicly exposed applications as this can expose the underlying middleware, process and technologies used. Attackers try to produce errors to get information about an application.
• Logging: Logging to file/disk or an external SIEM helps developers and security analysts figure out problems. Should be used in lieu of End-user Errors.
• Fail-Open: bypasses security at failure to allow operations to continue.
• Fail-Secure: puts system in high-security state at failure and does not allow operations until administrator diagnoses and resolves problems.
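The session-management points above (long random identifiers, cookies sent only over TLS, idle and session expiry) combined with fail-secure behaviour, as an added example that is not part of the original notes. The timeout values, the in-memory store and the class and function names are assumptions for the sketch.

```python
"""Session handling sketch: random IDs, idle/absolute expiry, fail-secure checks."""
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60            # assumed policy: 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 60 * 60    # assumed policy: re-authenticate after 8 hours


class SessionStore:
    """In-memory store (hypothetical); a real deployment would use a shared backend."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock           # injectable so expiry can be tested
        self._sessions = {}

    def create(self, user):
        # 32 random bytes (256 bits) from the OS CSPRNG, never derived from user data.
        session_id = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[session_id] = {"user": user, "created": now, "last_seen": now}
        return session_id

    def validate(self, session_id):
        """Return the user for a live session, else None (caller must re-authenticate)."""
        try:
            session = self._sessions.get(session_id)
            if session is None:
                return None
            now = self._clock()
            idle = now - session["last_seen"]
            age = now - session["created"]
            if idle > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
                del self._sessions[session_id]     # expired tokens cannot be revived
                return None
            session["last_seen"] = now             # activity resets the idle timer only
            return session["user"]
        except Exception:
            # Fail-secure: if the check itself breaks, deny rather than allow.
            return None


def session_cookie(session_id):
    """Build the Set-Cookie value: TLS only, hidden from scripts, same-site only."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie(sid))
    print(store.validate(sid), store.validate("guessed-id"))
```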
SOFTWARE DEVELOPMENT LIFECYCLE (SDLC)
1. Conceptual Definition: Basic Concept, Purpose and general system requirements. Agreement b/w all stakeholders.
2. Functional Req. Determination: Input, Behavior, Output. Concept translates to Function. Specific System requirements.
3. Control Specifications Dev: Security Controls for functions: Access Controls. CIA, IAAA
4. Design Review: Design System structure, functional interoperation. Timelines for milestones. Review with all stakeholders.
5. Code Review: Coding of the application. Code review with developers with walk-through of each module. Identify logical-flaw, security flaws.
6. Acceptance Testing:
   • User Acceptance: Users test application for functions / workflow.
   • Systems Acceptance: Systems Admins test software for availability, failure, backup before production.
7. Maintenance & Change Management: Operational maintenance of application, and structuring Change with review, logging.

• Work Breakdown Structure: Divides work done for a large project into smaller components.
• Project Plan: Timelines, Phases and Resources aligned to a project.
• Test Analyses: Report on Test Results.

NIST SP 800-14: Initiation -> Development/Acquisition -> Implementation -> Operation/Maintenance -> Disposal
WATERFALL / SASHIMI
Waterfall
• All Stages performed sequentially, one after the other.
• One Stage ends, the next begins.
• Does not allow developers to go back to previous steps.
• Modified Waterfall model allows return to previous stage for Verification and Validation.
• Development of documentation is prioritized.
Stages: Conceptual Development -> Requirement Analysis -> Architectural Design -> Detailed Design -> Code & Debug Review -> Acceptance Testing -> Release & Maintenance

Sashimi
• Overlapping Waterfall Model.
• Steps overlap, leading to faster-integrated development cycle.
SPIRAL
• Software developed and evolved as a loop.
• Project developed in Spirals: Modest goals and expanding outwards in spirals.
• Meta-Model: Each round contains a complete model such as Waterfall.
• Risk analysis after each round.
• Identifies risks earlier in the development process.
• Lowers overall risk of the project. Designed to control Risk.
• Shows cumulative project cost over several development iterations.
• 4 Phases:
  • Planning
  • Risk Analysis
  • Engineering
  • Evaluation
Focus on Iterative Development, when requirements are not well understood or developed, or iterative (prototype) development is required.
AGILE
Developed in response to rigid Development processes like Waterfall.
• Individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaboration over contract negotiation
• Responding to change over following a plan
Focus on Iterative Development, when requirements are not well understood or developed, or iterative (prototype) development is required.
SCRUM
Product Backlog
• Prioritized list of customer requirements (user stories) maintained by the Product Owner.
• Product Owner communicates on behalf of the stake holders with the Scrum Team.

User Stories
• Formal requirements written as brief descriptions of the functionality desired.
• User Story: As a manager, I need access to work hours tasks, so I can monitor my team’s work.

Sprint Planning
• Entire team meets during first 2 hours and decides on the Product Backlog items they believe they can deliver in the upcoming Sprint.
• Sprint: two-week timeboxed cycle.
• Dev team breaks down selected items into discrete tasks and plans the work required during the sprint.

Daily Standup
• Daily 15 minute team meeting during the Sprint.
  • What did I accomplish yesterday?
  • What will I accomplish today?
  • What prevents me meeting my sprint goals.
• Run by the Scrum master, responsible for tracking, reporting the sprint and resolving any issues that are identified in the Standup.

Sprint Review and Retrospective.
• 2 hour review after a Sprint with Product Owner and Stakeholders.
• Present / demo the work that was completed in the sprint.
• Review work that was planned but not completed in the sprint.
• Identify what went well and what could have been done better.

• Scrum Team: Developer team
• Scrum Master: Coach of the Scrum Team
• Product Owner: Business Unit/ Customer representative.
• Sprint: Two week Time-boxed cycle.
EXTREME PROGRAMMING (XP)
Values: Communication, Simplicity, Feedback, Respect, Courage

Planning
• Desired features in the form of User Stories.
• User stories determine timeline and detailed specs.

Paired Programming
• Programmers work in paired teams.
• One codes, other reviews alternately.

40-hour Work Week
• Forecasted iteration to be accurate to track completion.
• If additional time is required, then iteration is flawed.

Total Customer Involvement
• Customer must be always involved and provide feedback and monitor the project.

Detailed Test Procedures
• Unit Testing: Test every function.
• Code review.

Rapid Application Development (RAD)
• Another model that focuses on creation of prototypes and dummy GUIs.
• Meet the business requirements of the customer over technical concerns.
• High customer involvement.
CMMI
SEI SW-CMMI
• Measures Software Development Maturity.
• Required by US Agencies and Contractors
• Initial: Processes are chaotic, unpredictable, poorly controlled, reactive.
• Repeatable: Processes are characterized for projects but reactive. Basic lifecycle mgmt.
• Defined: Processes are defined (written) and proactive.
• Quantitatively Managed: Processes are defined and measured.
• Optimizing: Processes are measured and improved.
  • Defect Prevention, Technology Change Management, Process Change Management

SEI IDEAL
• IDEAL model for software development and Change management.
• Initiating: Business reasons behind change, approval/support, requirements in place.
• Diagnosing: Engineers analyze current state and make recommendations.
• Establishing: Recommendations are developed into plan of actions.
• Acting: Develop, test, refine and implement solution.
• Learning: Continuous analysis of desired goals, new plans for achieving goals.
GANTT/PERT
GANTT
• Gantt breaks projects into smaller tasks and highlights scheduling.
• Typically used during a Project to show progress.
• Components:
  • Scheduled Tasks
  • Timeline
  • Progress

PERT
• Use to Plan and Determine the timeline of a project. Used before a project starts.
• Shows interdependency
• Direct improvements to Software coding and project management to produce more efficient software.
CHANGE AND CONFIGURATION MANAGEMENT
Change Management Process
• Request Control: Organized framework for users to request modifications, managers conduct cost/benefit analysis and developers prioritize tasks.
• Change Control: Framework for multiple developers to develop and test a solution before rolling into production.
  • Quality Control restrictions
  • Documenting code changes
  • Restrict new code to minimize security
  • Develop tools for deployment of change.
• Release Control: Review code before release. Review includes:
  • Remove any backdoors.
  • Approval of change
  • User Acceptance Testing
• Configuration Control: Ensures that changes to software versions are made in accordance with change control and configuration management process.
  • Updates can only be made from authorized distributions.

Configuration Management Process
• Configuration Identification: Documentation of all software configuration within organization.
• Configuration Control: Configuration changes follow change management.
• Configuration Accounting: Track all authorized configuration changes.
• Configuration Audit: Configuration documentation meets actual configuration

Source Code Management
Use a Code Management repository such as GitHub to manage code that tracks changes and code commits. It should have check-in, check-out, roll-back, locking, access-control and logging functions.
SECURE CODE REPOSITORIES AND DEVELOPMENT ENVIRONMENTS
 No Direct Source Code Access – All source code access should be provisioned through a Code Management system only.
 Restricted Developer Access – Only authorized developers should have access to Source Code.
 Limited, Controlled Checkout – Developers should only be allowed to check out modules they are specifically authorized for.
 No Bulk Access – Prevent IP theft; prevent any developer from accessing all modules of code at once.
 Retention – maintain multiple versions of code to facilitate rollback.
 Check-in approval – any modification to code (check-in) requires approval to prevent defects or malicious introductions (backdoor).
 Activity Review – make sure there are no unauthorized modifications or checkouts of code.
Development Environment Security
• System Isolation – isolate Source Code repository and development machines from the internet.
• Source Code Version control – All changes should be managed by a Source Code Management System.
• No Admin Privileges to Developers – Use VMs if they need these privileges.
• Use Standard IDEs – custom IDEs can introduce leaks, backdoors. A team should have a standard IDE.
• Use company owned systems – to ensure development environments are free from malware or APTs.
Modern Code Management Repositories
Bitbucket, SourceForge, Github, GoogleCode
Integrated Development Environments
Eclipse, Visual Studio, Netbeans, PyCharm
Software Escrow Agreement
Archive Source code with a third-party repository, to protect the customer in case the software vendor goes out of business.
SECURE CODING PRACTICES
Securing Applications / Web Applications
 Input Validation and output encoding / sanitization; address meta-characters such as %’;:< etc. either via escaping or banning.
 Use Parameterization, which uses generic place holders such as “userid, first_name” in place of actual data “robm, Robert”.
 Require Authentication for all (except public) resources, with centralized authentication controls and password management.
 Only store cryptographically strong One way Salted Password hashes. Do not store the actual password or just a plain password hash.
 Do not store authentication credentials in source code. Authentication credentials should be stored elsewhere in a trusted system, and must be encrypted.
 Use only HTTP POST to transmit authentication credentials.
 Use Unique Session Identifiers and force automatic logout with idle timers. Session Identifiers should be in the HTTP Cookie Header only and not in URL, logs or error messages.
 Set the Secure Attribute for cookies to enable TLS transmission.
 Reuse Trusted Objects over creation of new objects.
 Do not disclose sensitive info in Error responses, including Server version, directory information etc.
 Applications should use the lowest possible privilege.
 USE TLS!
Securing APIs
 Use API Keys for authentication for APIs.
 Centralize authentication with Identity Provider.
 Do not expose API keys.
 Transmit API keys in the HTTP Header or body, not in URL.
 Sanitize input to APIs – input validation.
 Use Clipping for too many API requests and error 429.
 Do not allow unsecure JSON Web tokens. Use Signature or MAC to protect integrity.
 Restrict HTTP Methods to – GET, POST, PUT.
 Only use TLS (or HTTPS)!
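The parameterization and salted-hash points above, worked through as an added example (not part of the original notes). It assumes an in-memory SQLite table named users, PBKDF2-HMAC-SHA256 as the one-way hash, and hypothetical function names; the accounts and the crafted input are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3

ROUNDS = 200_000  # PBKDF2 work factor assumed for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way salted hash: PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, first_name TEXT,"
               " salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return db


def register(db, userid, first_name, password):
    salt = os.urandom(16)  # fresh random salt for every user
    # The ? placeholders carry the data; it is never spliced into the SQL text.
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               (userid, first_name, salt, hash_password(password, salt)))


def login(db, userid, password) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE userid = ?",
                     (userid,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(stored, hash_password(password, salt))


def lookup_concatenated(db, userid):
    """The pattern to avoid: input pasted into the statement text."""
    return db.execute("SELECT userid FROM users WHERE userid = '" + userid + "'").fetchall()


def lookup_parameterized(db, userid):
    return db.execute("SELECT userid FROM users WHERE userid = ?", (userid,)).fetchall()


def demo() -> dict:
    db = open_db()
    register(db, "robm", "Robert", "correct horse")   # constructed sample accounts
    register(db, "alicek", "Alice", "correct horse")  # same password, different salt
    crafted = "x' OR '1'='1"  # constructed input containing quote meta-characters
    hashes = [r[0] for r in db.execute("SELECT pw_hash FROM users")]
    return {"good_login": login(db, "robm", "correct horse"),
            "wrong_password": login(db, "robm", "wrong"),
            "concatenated_rows": len(lookup_concatenated(db, crafted)),
            "parameterized_rows": len(lookup_parameterized(db, crafted)),
            "hashes_differ": hashes[0] != hashes[1]}
```

With the concatenated statement the crafted value changes the query and every row comes back; with the placeholder it is compared as plain data and matches nothing.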
DEV-OPS
 Automate security audits. Use scripts, static and dynamic analysis, composition analysis, and integration of testing within existing tools
 Detect security flaws as soon as possible. The sooner a security flaw is detected, and the further from production (or the
client’s computer) it is caught, the better it is, and the cheaper it is to resolve
 Regularly break the build. Ensure that tools can spot and flag security flaws which result in broken builds, just like how failing tests already work.
 Have accurate audit report results. Ensure that reports of security flaws are accurate; otherwise, faith and trust will rapidly erode.
 Use composition analysis. Ensure that you know the security, reliability, and exposure of the packages that you’re building your software on, as well
as when they need to be avoided or replaced. Use tools that automatically validate them.
 Focus on instrumentation. Ensure that infrastructure, not just code, can be verified as working and secure; and that it’s replaceable when it isn’t.
 Use real-time protection. Ensure that production applications are protected against vulnerabilities that weren’t caught earlier. No software is 100%
secure. Avoid solutions that create alert fatigue, false positives or that aren’t integrated into the DevOps tools.
 Establish strong feedback loops. As with any successful process or organization, you need to engender the ability to provide reliable feedback, even
if the information delivered isn’t encouraging, or what the team wants to hear.
 Perform regular code audits. Just as with any other code review, such as for quality and standards compliance, security also needs to
be reviewed, assessed, and corrected as transparently — and as quickly — as possible.
 Benchmark and review your performance. Like reaching any goal, you have to know where you are and whether you’re improving or declining in
the attainment of it. Make sure that you know how you’re doing, and where you still need to improve.
 Have documented procedures for dealing with problems. Eventually, problems do occur. Ensure that you’re equipped to deal with them when they
do in an organized and standardized manner.
DATABASES
 Primary Key – attribute that uniquely identifies a record in a table. Is also a candidate key. Should be Unique, Should not be NULL and only one per table.
 Candidate Key – attributes that can be used to uniquely identify a database record. Two records may not contain the same value in a table. A table can have multiple candidate keys.
 Foreign Key – relationships between tables, referential integrity. Foreign key is the primary/candidate key of the related database table. Used in table JOINs.
 Field – Attributes that contain values.
 Tuple – a Row of attributes, records.
 Attribute – a Column
 Cardinality – number of rows.
 Degree – Number of columns.
 Domain – Allowable values for an attribute.
DDL – Database Definition Language: Create, modify, delete tables.
DML – Database Manipulation Language: Query and update data stored in tables.
[Figure: two example tables labelled with Primary Key, Foreign Key, Candidate Key, Degree, Cardinality, Attribute and Tuple]
Rep.ID   City      Role        Manager   Region
979      Mumbai    Comm.       Arun      West
642      Chennai   GCCS        Subhash   South
231      Mumbai    Enterprise  Ashish    BFSI

OrderID  Product   Rep.ID
x4567b   TD        979
x8964a   Absolute  231
x11833   Mozy      979
DATABASE OPERATIONS
 Atomicity – Transaction must be rolled back if not complete (committed).
 Isolation – One transaction must complete before other can modify the same data.
 Consistency – Transactional changes must ensure that the DB is consistent to the rules (unique primary key etc.)
 Durability – Transactions once committed must be durable. Backups such as transaction logs ensure durability.
 Concurrency – enables users to lock the database to prevent changes by others during a transaction.
 Lost Updates – two different processes make updates to the DB without being aware of each other's transactions, causing errors. Isolation solves this.
 Dirty Reads – Process reads from a transaction that did not commit. Atomicity solves this.
• Referential Integrity – every foreign key matches a candidate key in the parent table.
• Semantic Integrity – each column attribute value is consistent with the attribute data type. (Date in date column)
• Entity Integrity – every tuple has a primary key which is unique and not
 Polyinstantiation – tuples having multiple values with identical primary keys based on Security Clearance, to prevent lower-level inference attacks.
 Cell Suppression – Hide individual fields based on security clearance.
 Aggregation – Use access to multiple low-level database to gain information. Basically, person asks every question, receives every answer and thus gains information. (No deduction needed) (One DB has Employee ID and name, other has Employee ID and Salary. Aggregation allows to identify Salary of each employee)
 Inference – speculation of information based on some information. (Weapon shipment increase in DB records can infer a possible mission)
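The key, integrity and atomicity definitions from the DATABASES and DATABASE OPERATIONS notes, run against the two example tables shown on this page. This is an added example, not part of the original notes; it assumes in-memory SQLite, and the table names (reps, orders), column names and function names are hypothetical.

```python
import sqlite3

# Rows copied from the two example tables on this page.
REPS = [(979, "Mumbai", "Comm.", "Arun", "West"),
        (642, "Chennai", "GCCS", "Subhash", "South"),
        (231, "Mumbai", "Enterprise", "Ashish", "BFSI")]
ORDERS = [("x4567b", "TD", 979), ("x8964a", "Absolute", 231), ("x11833", "Mozy", 979)]


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite checks foreign keys only when enabled
    # DDL: define tables and keys (table and column names are assumed for this example).
    db.execute("CREATE TABLE reps (rep_id INTEGER PRIMARY KEY, city TEXT, role TEXT,"
               " manager TEXT, region TEXT)")
    db.execute("CREATE TABLE orders (order_id TEXT PRIMARY KEY, product TEXT,"
               " rep_id INTEGER NOT NULL REFERENCES reps(rep_id))")
    # DML: load the rows.
    db.executemany("INSERT INTO reps VALUES (?, ?, ?, ?, ?)", REPS)
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    db.commit()
    return db


def shape(db, table):
    """(cardinality, degree) = (rows, columns); table is a fixed name, not user input."""
    rows = db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    cols = len(db.execute(f"SELECT * FROM {table} LIMIT 0").description)
    return rows, cols


def rejected(db, sql, params) -> bool:
    """True when the DBMS refuses the statement with an integrity error."""
    try:
        with db:  # commits on success, rolls back on an exception
            db.execute(sql, params)
        return False
    except sqlite3.IntegrityError:
        return True


def reassign_and_add(db, old_rep, new_rep, new_order) -> bool:
    """Two changes in one transaction: both are committed, or neither is (atomicity)."""
    try:
        with db:
            db.execute("UPDATE orders SET rep_id = ? WHERE rep_id = ?", (new_rep, old_rep))
            db.execute("INSERT INTO orders VALUES (?, ?, ?)", new_order)
        return True
    except sqlite3.IntegrityError:
        return False


def orders_for(db, rep_id):
    """Order IDs for one rep, found with a JOIN across the foreign key."""
    return [r[0] for r in db.execute(
        "SELECT o.order_id FROM orders o JOIN reps r ON r.rep_id = o.rep_id"
        " WHERE r.rep_id = ? ORDER BY o.order_id", (rep_id,))]
```

A duplicate Rep.ID is refused (entity integrity), an order pointing at a Rep.ID that does not exist is refused (referential integrity), and when the second statement of reassign_and_add fails, the first is rolled back with it.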
OBJECT ORIENTED PROGRAMMING
 Object: Contains data and Methods to manipulate it. Provides encapsulation (data hiding). Objects communicate with other objects via Messaging.
 Class: Inheritance of the object, family.
 Method: the function of an object.
 Inheritance: inherits the understanding of its class.
 Polymorphism: Change behavior based on the context of the input.
 Polyinstantiation: Two objects with the same function but with different data at different clearance levels.
 Delegation: If an object does not know how to perform an operation, it can delegate to another object.
 Coupling: requires other objects to complete functions. (Addy can only add, subtraction is delegated to another object, thus it has High Coupling. A Calculator will have low coupling.)
 Cohesion: Independent from other object. (Addy needs others, hence Low Cohesion, Calculator is more independent, high cohesion.)
Object Request Brokers locate reusable objects.
• COM: Allows Objects in different OOP languages to communicate in a machine. MS
• DCOM: Allows objects to communicate on the network. MS Proprietary.
• OLE: Link documents to other documents.
• CORBA: Open source vendor neutral networked Object Broker. Competes with DCOM.
[Figure: class Math (operators + - int %); object Addy, whose method adds two data inputs (input 3+7, output 10). Delegation: input 3-7 goes to Addy, which delegates 3-7 to Subby, output -4. Polymorphism: input Event + Man goes to Addy, output Eventman.]
Example copied as is from: Conrad, Eric; Misenar, Seth; Feldman, Joshua. Eleventh Hour CISSP®: Study Guide (p. 199). Elsevier Science. Kindle
BONUS: ROLEPLAY I
STUXNET
ROLEPLAY 1 – STUXNET - BACKGROUND
 In the year 2010, the Stuxnet malware was first uncovered. It targeted ICS/SCADA systems and is believed to be responsible for causing substantial damage to Iran’s nuclear program. In a rare moment of openness from Iran, the nation confirmed that the Stuxnet malware (the name stems from keywords buried in the code), which was originally discovered in July, had damaged the country’s nuclear ambitions. Although Iran is downplaying the incident, some reports suggest that the worm was so effective, it may have set back the Iranian nuclear program by several years.
 Stuxnet is smart and adaptable. When it enters a new system, it remains dormant and learns the security system of the computer. Once it can operate without raising alarm, it then seeks out very specific targets and begins to attack certain systems. Rather than simply destroy its targets, it does something far more effective: it misleads them. When a uranium sample was inserted into a Stuxnet-infected centrifuge for refinement, the virus would command the machine to spin faster than it was designed for, then suddenly stop. The result was thousands of machines that wore out years ahead of schedule, and more importantly, ruined samples. But the real trick of the virus was that while it was sabotaging the machinery, it would falsify the readings and make it appear as if everything was operating within the expected parameters.
 Stuxnet used four zero-day attacks and specifically targeted Siemens’ WinCC/PCS 7 SCADA software. A zero-day threat is a vulnerability that is either unknown or unannounced by the manufacturer. These are generally system-critical vulnerabilities, and once they are discovered, they are immediately patched. In this case, two of the zero-day elements had been discovered and were close to having fixes released, but two others had never been discovered by anyone. The malware had the ability to communicate via Peer-to-Peer sharing if an internet connection was detected, monitored and attacked frequency converters responsible for managing centrifuges, and attacked a system on a rare frequency. However, since such facilities are air-gapped systems, the malware needed to be brought into the system, possibly on a USB flash drive. This might explain why the worm spread so far, as the only way for it to infect the system was to target a wide area and act as a Trojan while waiting for an Iranian nuclear employee to receive an infected file away from the facility and physically bring it into the plant.
ROLEPLAY I – STUXNET – Q1

 Looking at the information presented, and acting as a CISO for the nuclear plant, which one of these controls
could have effectively prevented the Stuxnet Worm from infecting the Iranian nuclear facility? Please remember
this is 2010 – and the technology available for the time period.
a) Deploying Antivirus with Signature scanning technology.
b) Blocking USB ports and mass storage devices.
c) Installing software patches to patch the reported vulnerabilities.
d) Awareness on Social engineering.
 Ans: B) Block USB Ports and Mass Storage devices.
 a) Deploying antivirus is incorrect as ICS systems use embedded firmware and it is difficult to install software such as anti-virus on PLCs. Secondly, Signature
scanning is effective against Known threats. Stuxnet was an unknown threat.
 c) While installing software patches is the best way to mitigate vulnerabilities, the reported vulnerabilities were Zero-day with no publicly released patch
available.
 d) Awareness of Social Engineering: while an excellent control to reduce such instances, this method would not have been effective to stop the infection and
spread of the malware.
 B) It is known that the facility was using an airgapped model in which systems do not have access to the internet. The suspected method of infection was a USB
drive. Out of all answers, this is the best answer to block the initial infection vector.
ROLEPLAY – STUXNET – Q2
 On inspection it is identified that the plant did indeed have controls to prevent USB and Mass Storage devices from
connecting to the network. The Security Officers identified a computer that had a policy of allowing USB drives set. On
further probing, it was identified that a Formal change request had been filed to allow USB access for a day, but the
Administrator had forgotten to revoke access after the time elapsed. What could the Security team have done to prevent
such an incident?
a) Penetration Test
b) Vulnerability Scanning
c) Internal Audit
d) Risk Analysis
 Ans: C) Internal Audit
 a) A Penetration test seeks to exploit vulnerabilities.
 b) A vulnerability scan exposes loopholes in services on systems usually via an automated scanner.
 d) Risk Analysis seeks to assess risk and then deploy safeguards to mitigate risk. Since a control was already deployed yet
was not enforced properly, this is not the best answer.
 C) An internal audit is the best way to assess currently deployed controls and procedures.
ROLEPLAY – STUXNET – Q3
 On further investigation of the incident, it was identified that a member of the Operations team identified anomalous
behavior including slowness of a PC monitoring a Centrifuge. The Tech identified a few processes that were utilizing
high memory and ended them, which led to the PC crashing. The Tech restarted the PC, and the behavior was not seen
again. The Incident was filed as resolved. What was done incorrectly in this scenario, and what could have prevented the
catastrophic disaster if determined correctly?
a) Incident Response
b) Mitigation
c) Recovery
d) Root Cause Analysis

 Ans: A) B) and D) The response was incorrect – no evidence collection, incorrect identification, Mitigation was
unable to eradicate the actual threat, as there was an incorrect Root Cause Analysis.
 c) Recovery – The system was brought to an operational state by rebooting the system.
ROLEPLAY – STUXNET – Q4

 What additional control could have been deployed to prevent the infection and spread of the malware in the
facilities?
a) Prevent auto-run of executables
b) Blacklisting
c) Whitelisting
d) Condensation

 Ans: C) Whitelisting would have prevented an unauthorized program not whitelisted previously from being run.
Whitelisting is a recommended control for critical systems such as OT.
 a) Prevent auto-run – would have prevented the initial execution, but an accidental user click would have executed the
malware.
 b) Blacklisting seeks to block known bad software. Since this was unknown, blacklisting would not have prevented it.
 D) Condensation is a distractor
ROLEPLAY – STUXNET – Q5

 What, essentially, was Stuxnet, based on the information provided in the scenario?
a) APT
b) Malware
c) Trojan Horse
d) Worm

 Ans: A) APT – an Advanced Persistent Threat goes beyond traditional malware and worms, embedding in the
victim for a specific purpose and is usually funded and aided by governments.
BONUS: ROLEPLAY II
GEEKCORP
ROLEPLAY II – GEEKCORP

 Bhavesh has recently been hired as the CISO for GeekCorp Media, an online and print media and entertainment
powerhouse. GeekCorp operates several entertainment websites under its banner geekcorp.com, allowing
customers to view, stream and download original content.
 Bhavesh recently received a report as part of a vulnerability assessment, of a vulnerability in the website that
allowed website visitors to download videos without authentication. What should be the next step that Bhavesh
should take?
a) Implement a countermeasure
b) Disable video downloads
c) Inform his superior
d) Have his team download some videos using the method described.

 Ans: d) The first step is to Validate the vulnerability as part of the vulnerability management process, and that can only
be possible via d)
Thank You for Reading!


Feedback / Comments to: Ashish Chalke | www.ashishchalke.com
