The Open Cissp Study Guide-Final
CBK 2018
Disclaimer: This reference contains passages, text and examples from the various references that the author was
using as study material. The intent of keeping the original text was due to it being an excellent explanation, and no
better explanation could be substituted for it. There is no intention of plagiarizing the original work. The author has
tried to substitute his own understanding and examples wherever possible to expound his grasp of the topic.
In Case you feel some of the content violates your copyright, and would like to be removed, please get in touch with
me on LinkedIn.
VERSION CONTROL
My objective in creating this document was to have a summary of notes as a ready reference for my studies. The other objective
was to remember the topics by creating notes. Almost all of the data has been typed rather than copied, increasing my recollection
and greatly helping me recollect important information.
In some areas, I may be expounding on the same concepts multiple times -> This is by design. In other times, the information
may seem scarce. This is because the notes were initially created for me by me. In areas where I have experience, I have not
covered some topics (they were obvious to me, thus reducing the document) and expounded in some where I needed to learn.
Domain 4 is an obvious example, where I have not gone into much detail. Similarly Web attacks, where I felt the OWASP
resources were the best resource for learning.
As you read through the notes, you may find more resemblance to a specific source. That’s because I started out with one source
as primary (Kelly’s excellent Cybrary course) and ended with Eric Conrad’s CISSP Study Guide (with the Sybex coming in for a
domain or two). Each domain was written referencing the primary source of study, and then cross-referencing the other sources.
This document has not been edited after the exam except for adding this Note, and other copyright notices on relevant content.
REFERENCES USED IN THE MAKING OF THIS REFERENCE
Conrad, Eric; Misenar, Seth; Feldman, Joshua. Eleventh Hour CISSP®: Study Guide, Syngress - Recommended!
Chapple, Mike. CISSP: Certified Information Systems Security Professional Official Study Guide, Wiley.
Miller, Lawrence C.. CISSP For Dummies, Wiley.
Kelly Handerhan. Cybrary – CISSP Course.
Sunflower CISSP Exam Cram V2
Lammle,Todd. Cisco Certified Network Associate Study Guide, Sybex.
Studynotesandtheory.com - Recommended!
CISSP Official Practice Tests, Sybex. - Recommended!
Pocket Prep, CISSP. - Recommended!
CISSP – Android App.
Resources.infosecinstitute.com
Adriancitu.com
Owasp.org
Confidentiality
• Information is not made available or disclosed to unauthorized individuals, entities, or processes.
Integrity
• Maintaining and assuring the accuracy and completeness of data over its entire life-cycle.
Availability
• Information must be available when it is needed.
CONFIDENTIALITY
Attacks on Confidentiality:
Theft of PII such as credit card information
Packet Capturing
Dumpster Diving – Scanning company dumpsters for discarded sensitive information.
Wiretapping
Keylogging
Social Engineering.
Phishing / Pharming – Hack sensitive information using fake emails / URLs. Pharming redirects legitimate traffic to another website.
INTEGRITY
Prevent unauthorized modification of data.
Prevent unauthorized write access to data.
Maintain consistency, accuracy and trustworthiness of data over its entire life cycle.
Data cannot be changed in transit or at rest and must prove non-repudiable.
Data integrity protects information from unauthorized modification.
System integrity protects systems from unauthorized modification.
Attacks on Integrity:
Data Diddling – Changing data before or as it is being input into a PC or output.
Session hijacking
Man in the Middle
Salami Attacks – series of minor attacks that become a large attack.
AVAILABILITY
Attacks on Availability:
DoS – Denial of Service
DDoS – Distributed Denial of Service
SYN Flood – Attacker sends TCP SYN packets but never sends a SYN-ACK back
ICMP Flood – False ICMP Packets
Electrical power – blackout, brownouts
Half open scan – SYN Scanning with NMAP
IDENTITY AND AUTHENTICATION
Authorization defines what actions you are allowed to perform once you are authenticated to a system.
Authorization is defined based on the Access Control model implemented – MAC, DAC, RBAC, RuBAC
Authorization examples:
User - Ashish member of Active Directory Group – Administrators gets Full Access to File Server.
User – Anil member of Active Directory Group – Managers gets Read Access to File Server.
User – Swati member of Active Directory Group – Sales gets Read/Write Access to File server: Folder Sales
Accountability aims to hold users accountable for their actions once they are authenticated and authorized.
Accountability is performed by logging and auditing user actions once access has been granted.
Enforcing accountability keeps honest people honest.
Accountability helps to prove who/what a given action was performed by.
Examples of Accountability:
At 3 AM in the night a firewall policy change resulted in downtime of 2 hours. With Accountability, administrators can view
who made the destructive policy change that resulted in the downtime.
A theft in the company happened overnight. The security teams can validate the fingerprint access reader and the security
camera system to identify the thief.
Accountability requires Non-Repudiation. For example if the audit logs can be modified by an administrator, they
can delete the offending logs of their changes and thus not be caught at all. Audit logs must be non-modifiable,
non-changeable thus making the offending changes Non-Repudiable.
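The tamper-evidence requirement above, as an added example that is not part of the original notes: each audit record carries an HMAC over its content and the previous record's tag, so editing, deleting or truncating records breaks the chain. It assumes the key and the latest tag are held by a separate log collector rather than by the administrator being audited; all names and log entries are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag that precedes the first record


def _tag(key: bytes, prev_tag: str, entry: dict) -> str:
    """HMAC-SHA256 over the previous tag plus the canonical JSON of the entry."""
    payload = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, prev_tag.encode() + payload, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, entry: dict) -> str:
    """Append an entry chained to the previous record and return the new head tag."""
    prev = log[-1]["tag"] if log else GENESIS
    tag = _tag(key, prev, entry)
    log.append({"entry": entry, "tag": tag})
    return tag


def verify(log: list, key: bytes, head: str) -> int:
    """Return -1 if the log is intact, otherwise the index of the first bad record.

    A return value equal to len(log) means every stored record is consistent
    but the chain does not end at the expected head, i.e. records were cut
    off the end.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["tag"], _tag(key, prev, rec["entry"])):
            return i
        prev = rec["tag"]
    return -1 if hmac.compare_digest(prev, head) else len(log)


def build_sample_log(key: bytes):
    """Constructed sample entries modelled on the 3 AM firewall change above."""
    entries = [
        {"time": "02:58", "user": "ashish", "action": "login", "target": "firewall"},
        {"time": "03:00", "user": "ashish", "action": "policy-change", "target": "firewall"},
        {"time": "03:05", "user": "ashish", "action": "logout", "target": "firewall"},
    ]
    log, head = [], GENESIS
    for entry in entries:
        head = append(log, key, entry)
    return log, head


if __name__ == "__main__":
    key = b"held-by-the-log-collector"  # assumption: not known to the audited admin
    log, head = build_sample_log(key)
    print("intact log          ->", verify(log, key, head))
    print("policy change erased ->", verify(log[:1] + log[2:], key, head))
    print("last record cut off  ->", verify(log[:-1], key, head))
```

The chain only shows that tampering happened; binding an action to a person so that it cannot be denied additionally needs per-user authentication or digital signatures.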
NON-REPUDIATION
Non-repudiation – ensure that a user or person cannot deny an action they performed:
Modifying a security policy
Changing a transaction
Sending a message or email
Defence in Depth – AKA Layering, is the “art” of deploying multiple controls or safeguards to protect an Asset.
A single control may fail due to a vulnerability or capacity; multiple controls provide redundancy and improve the security
posture by improving confidentiality, integrity and availability of data.
An example of Defence in depth is looking at medieval security:
A Castle is protected by a strong Wall, however a wall can be breached by attackers with Rams.
Adding a moat increases protection as it reduces approach areas to the castle – reducing the attack surface.
Adding watch towers on strategic corners adds more defensive capabilities to handle attackers with projectiles
Boiling oil stations on top of the Gate protects from Rams.
Subjects – A Subject is an Active entity in a data system. A Subject manipulates objects in a data system. When a user
accesses files, the user is the subject. A Subject can also be an Application server modifying or updating a Database
entry.
Object – An Object is a Passive entity in a data system. Objects are passive; they do not manipulate anything. A
Database or a physical document is an Object.
Example: Rohan is in charge of Asset management into the corporate Asset management program. Rohan inputs
asset details such as Asset tags, User information, Date of entry etc. into the Asset management program which
stores the data in an Oracle database.
Subjects: Rohan, Asset Management Program
Object: Oracle Database
ADMINISTRATIVE MANAGEMENT CONTROLS
Least Privilege – Users should be granted the minimum amount of access required to do their jobs and should only have them for the shortest amount
of time.
Example: Vinod is a Data Entry operator and inputs physical form data into the company ERP, he should only be granted access rights – Read/Write to the Data Entry
interface of the Company ERP. He must be Authenticated and Authorized via a secure mechanism to ensure his authenticity. Accountability should be in place to
ensure all changes by Vinod are captured. Authorization ensures Vinod does not have the capability to view/ modify other aspects of the system such as transactional or
audit logs.
Need to Know – User or subject is given only the information necessary to perform a specific task.
Example: Bhavesh is working on a Top secret Military project and is assigned the task of making a drone radar. He will be given access to just the information he
needs to know to make the drone radar -> The specifics of the functions required and the fitting assembly and any inter-operability required with other system
functions. The Big Picture – what is it for etc - is typically hidden.
Separation of Duties – Prevent information attacks by assigning parts of duties to different teams. No Single person has complete control of System’s
security mechanisms. Seeks to Prevent collusion between people trying to hijack information.
Example: Network access is the job role of the Network administrator. Firewall policy is the job role of the Firewall administrator. Application installation on a server
is the job role of the Systems Administrator. This ensures that no one person is in charge of the overall security mechanism and helps to prevent unauthorized change
such as a malicious backdoor & c&c installed in a server for data exfiltration.
Job Rotation / Mandatory Vacations – Rotate personnel across job profiles to ensure that they do not become too familiar with the system or process
and exploit flaws in the process.
Example: Mitul has been working in Accounts Payables for 7 years and has an understanding with the Services provider for 10% of the increased bill amount to be
paid to him. Changing roles or enforcing a mandatory vacation and having another user perform Mitul’s duties can enable the organization to identify the fraud taking
place.
Dual Control – Ensures two people are needed to complete a task so that no single person can circumvent and perform malicious actions.
Operations is split among two People.
Example: Authorizing a purchase of a new Firewall system requires verification of the Purchase order and justification by the CIO and the CFO to ensure that
there is no fraudulent/unauthorized attempt during the purchase via collusion.
Split Knowledge – M of N, requires a minimum number of agents (M) out of a total number of agents (N) to work together to perform high-security
tasks. Information is split among two people.
Example: Rajesh and Samir are part of the ATM operations division. Rajesh is part of Cash management and Samir is part of ATM technology. To refill the
ATM machine, Samir has the knowledge to unlock the ATM Machine, Rajesh has the knowledge to open the Cashbox.
Example: The ATM asks for a 16 bit Password to access the admin console, of which 8 characters are input by Rajesh and 8 characters are input
by Samir. Split Knowledge is the 16 bit Password. Rajesh knows 8 characters, Samir knows the other 8. Information is split. However the actual
act of Accessing the admin console is Dual Control as it requires both to open it, and can’t be accomplished without the other.
Note: Split Knowledge and Dual Control seem similar at first glance, but on close analysis you can identify that in the Dual
Control example the purchase OPERATION is split, and hence it's Dual Control, whereas in the Split Knowledge example the
access INFORMATION is split. Remember “Need to Know”.
Agreements – No-compete clauses, Non-disclosure agreements, Acceptable use to prevent unauthorized information disclosure.
Example: Kamlesh is working on a sensitive auto-driving project at Automotiveca and is defecting to Eventman Technologies to lead their auto-driving project.
Automotiveca can enforce the no-compete clause to ensure Kamlesh does not join a competitor and leak potential Trade Secrets.
GOVERNANCE VS. MANAGEMENT
Governance
Agreed upon enterprise Objectives
Direction through prioritization and decision making.
Monitoring performance and compliance against agreed upon direction and objectives.
Plan – Decide the targets.
Responsible for Risk Appetite
Management:
Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the
enterprise objective.
Action – Do the actual operations to achieve targets.
Responsible for Risk Tolerance
RISK MANAGEMENT FRAMEWORK
NIST SP800-37 Risk Management Framework
Step 1: CATEGORIZE Data & Information Systems (Data Owner)
• Based on Impact analysis
Step 2: SELECT Security Controls (System Owner)
• Initial baseline
• Tailor, scope and supplement on risk assessment
Step 3: IMPLEMENT Security Controls (Custodian/Administrator)
• Implement
• Describe how implemented
Step 4: ASSESS Security Controls (Data + System Owner)
• Controls implemented correctly
• Meeting security requirements
Step 5: AUTHORIZE Information System (Business Owner)
• Based on risk to operations and assets.
• And the decision that risk is acceptable
Step 6: MONITOR Security Controls
• Assess effectiveness
• Document changes
• Impact of changes
ISMS AND RISK FRAMEWORKS
Standards to develop Infrastructure Security Management Systems (ISMS). ISMS consists of:
Roles and Responsibilities
Policies/Standards/Procedures/Guidelines
SLA’s Service Level Agreements/Outsourcing
Data Classification/Security
Auditing
BS7799 / ISO 27002
Code for ISMS
Guideline to implement ISO 27001
NIST SP-800-30
Risk Management guide for Technology Systems
CoBIT
IT Management Controls
1. Meet Stake holder needs.
2. Cover enterprise end to end.
3. Apply single integrated framework.
4. Enable holistic approach.
5. Separate Governance from management.
OCTAVE
3 Step Risk Assessment
1. ID Staff knowledge, assets & threats
2. ID vulnerabilities and evaluate safeguards
3. Conduct risk analysis, develop risk mitigation strategy
COSO
Fraudulent Financial Activities and Reporting.
1. Control environment
2. Risk Assessment
3. Control activities
4. Information
5. Communication
6. Monitoring
ITIL
IT Services Management Framework.
CMMI
Software Development Framework
ISO STANDARDS
CISO
Overall Security Responsibility
Selects all applicable controls to mitigate risk.
Ensures that security controls are in place and effective.
Keep up with the Threats, derive Risk
CSO – responsible for physical security.
IT Systems Manager
Identify Vulnerabilities, verify controls are implemented and maintained.
IT Security Administrator
Implement the actual controls.
SECURITY POLICY
Policy – Mandatory, High-level management directives. Contains – Purpose | Scope | Responsibilities | Compliance.
Standards – Mandatory, Standardizes equipment or policy directives. Lowers TCO and supports DR. Specifics such as
“Laptops should be from XYZ with 8 GB RAM, 128 GB SSD”.
Procedures – Mandatory, Step by Step documents on how to perform an activity. “Adding a new Administrator”
Baselines – Discretionary, Minimum Acceptable Security Configuration, starting point for security configuration.
Guidelines – Discretionary, Best Practices. Example: “Recommended to deploy a WAF vs Required to deploy a WAF.”
Knowledge Transfer – modify Employee behavior
Awareness – provide basic security information to all employees. Administrative control. Ex: Don’t browse porn in the workplace.
Training – in-depth, focused on specific skill-set or task, to train employee on his role. Ex: How to access applications via the
VPN.
Education – deepest level, underlying principles, methodologies or concepts. Ex: Why VPN?
PERSONNEL SECURITY
Background Checks: Perform criminal records checks, education, certification checks before hiring.
Termination: Immediate revocation of access. Termination should be fair or there is a possibility of repercussion.
Termination should follow a process:
Coaching – Try to mentor and positively change employee behavior.
Discussion – Have a verbal discussion, ideally along with HR.
Warning – Written warning, along with HR.
Termination
All Access should be revoked on Termination.
All ID Cards, Badges and equipment should be collected.
Employee must be escorted outside the premises by security.
THIRD PARTY SECURITY
Vendor or Third Party Personnel: Organizations may employ third parties or vendors to perform business functions such as Physical
Security or Marketing. As such, security controls must apply to these vendors:
Background Checks – Standard: Ensures that the vendor also meets the standard criteria before hiring. Example: A Physical Security agency hires
a guard without a formal background check, who happens to have a criminal background, for lesser pay and more profit to the agency.
Data Control/Use – Standard: Define how the organization’s data is to be used, stored and protected, and set limits on subcontracting/disclosing data to
third parties, ideally with a penalty component. Ensures that the organization’s data is not leaked. Example: Eventman Technologies, Kentucky engages
a US-based agency for Hindi translation of its documents as part of its multilingual app project. This involves hundreds of customer records being
translated to Hindi. The agency subcontracts this to another agency in India for a sub-fee. Confidential PII can be leaked by the sub-contracting
agency and the best part is Eventman is not even aware of it!
Third Party Agreements and documents:
MoU – Memorandum of Understanding: Broad understanding of goals and plans shared by two organizations. No monetary penalties.
MoA – Memorandum of Agreement: Describes in detail the specific responsibilities of and actions taken by each party to accomplish the goals or
objectives. Legally binding.
SLA – Vendors must adhere to the service availability and response times defined as part of the SLA to meet business objectives.
ISA – Interconnection Security Agreement: Agreed upon when two parties plan to transmit sensitive data. Provides details on how data is shared
and how it is encrypted for transmission.
Outsourcing / Offshoring: Can raise privacy or regulatory issues. Ensure that contractors meet criteria for Data Protection and
Regulations. (E.g. Privacy Shield)
ISC2 CODE OF ETHICS
Code of Ethics Preamble:
The safety and welfare of society and the common good, duty to our principles, and to each other, requires that we adhere,
and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.
Asset – Resources of value to the organization. The criticality or value of the asset determine the level of safeguards that are
put in place. Example: Office building, an eCommerce Member Database, Lab scientist.
Threats – Potentially harmful occurrence that can cause damage, disclosure, destruction or loss. They can be accidental like
a Power outage, earthquake, malware. They can also be man-made – an act of terrorism or hacking from human threat
agents.
Threat Agents – exploit vulnerabilities and are the root cause of Threats. Example: Terrorist attack is a Threat, the
Terrorists are the Threat Agents, Faulty Access controls are the Vulnerability.
Vulnerabilities – Are flaws or weaknesses that can be exploited to cause harm, loss or destruction.
Risk – Threat x Vulnerability = Risk. A Threat must connect with a vulnerability to form a risk.
Example: A Web Application that has an input validation vulnerability that is not patched. A Hacker can exploit that vulnerability to
steal information. This is a Risk. If the input validation vulnerability did not exist, a hacker would not be able to exploit it, leading to no
Risk (at least from this specific aspect ;) )
Note: Threat Agents use Vulnerabilities to exploit a system to cause Threats. An example is a Hacker using an SQL
Injection vulnerability in the eCommerce Website to steal Credit Card data of its users. The Hacker is the Threat Agent,
The SQL Injection is the vulnerability, Stealing of Credit Card Data (Hacking) is the Threat. Loss of PII (Credit Card
Data) is the Risk.
RISK MANAGEMENT DEFINITIONS
Secondary Risk – A direct result of implementing a risk response or safeguard mechanism. Response: Creation of
a Risk Response plan
Example: A Web server is using a version of OpenSSL that has a Man-in-the-Middle Vulnerability. The administrator installs
the patch that mitigates this vulnerability. However the Anti-DDoS agent on the webserver is not compatible with the patch,
thus opening up the Web Server to DDoS attacks. The Risk response plan to mitigate the secondary risk is to install an updated
version of the Anti-DDoS agent that supports the OpenSSL package.
Residual Risk – A result of the remaining risk after enabling a risk response or safeguard mechanism. Residual
Risks are expected to remain, and generally accepted. Total Risk – Control’s Gap = Residual Risk. Response:
Contingency Plan
Example: Shyam’s organization has a 10 Mbps Internet connection, which users typically cite as slow and has frequent
outages. The typical usage is seen to be 18 Mbps. There are event logs which show that the traffic can spike to 24 Mbps once
every quarter during Sales updation week. Due to budget constraints of increasing link size, Shyam takes a decision to add
another 10 Mbps internet connection and use Loadbalancing to distribute bandwidth equally to users.
Possible link outage (reducing effective bandwidth to 10 Mbps) and the Spike of 4 Mbps surplus of his bandwidth is
considered as Residual risk as the organization accepts the Risk. Shyam develops a contingency plan to use Bandwidth
throttling during link outage or high-bandwidth scenarios to mitigate the residual risk.
RISK MANAGEMENT DEFINITIONS – DEFENCE TERMINOLOGY
Safeguard – Implementation of a control or countermeasure that removes or reduces the vulnerability or protects
from threats.
Example: A Firewall is a safeguard to reduce the chances of hacking on the company’s servers. An SQL Patch is a
countermeasure that removes the specific Vulnerability from the server.
Attack – Intentional Exploitation of vulnerability by a threat agent. But it can also mean violation of security
policy. (We’re under attack!!!)
Breach – Bypass of a security mechanism. Breaches
Example: The Wall’s been breached by the RAM’s!
Example: Brute Force attacks against the firewall exploits a vulnerability to open all access causing a breach.
RISK MANAGEMENT DEFINITIONS - MISC
Workarounds – An impromptu implementation, when no known responses work, to reduce downtime and
corresponding loss of business.
Example: An unexpected Database server restart caused loss of connectivity to the ecommerce web application because the database was
unexpectedly listening on a different port. Tested responses of switching to the backup DB Server and restarting services do not
work. A Workaround is implemented to point the Web Application to the new port (and enable the firewall policy).
Total Risk = Threat x Vulnerability x Asset Value
Fallback or Contingency Plans – Response for accepted Risks that materialize.
Example: Shyam’s company cannot afford two security personnel during the night hours. They have installed a police
hotline for the night security guard in-case assistance is needed in the event of a threat. This is a contingency plan.
Impact - Impact can be equated with consequences, and is the severity of damages.
Risk = Threat x Vulnerability x Impact
Example: The Risk of being Hacked, can result in regulatory fines, disclosure related expenses, and loss of customer base.
This is Impact.
RISK MANAGEMENT PROCESS
Quantitative Analysis – is defined by deriving a monetary value of a risk through probability and loss expectancy
calculations. Quantitative analysis provides concrete percentage based risk items that can then be prioritized on monetary
value.
Example: Shyam Technologies delivers backup tapes using Fedex. Their executives identified that DHL can provide a similar
service at a lower cost with only a slight increase in risk of loss of backup tapes. Each tape costs $50, and DHL's annual loss
expected is twice in a year resulting in a $100 loss.
Qualitative Analysis – is based on judgement, intuition, experience and tangibility to the organization. Qualitative
analysis should be performed where the value of an asset far exceeds its dollar value to the organization. Qualitative
analysis involves taking feedback from various aspects of the organization to determine the value of an asset. Uses a
Probability Matrix (Likelihood/Impact) to determine risk.
Example: The cost of a website for Shyam Technologies, an outsourced Security Operations Vendor, is $100. A Website defacement
hack is likely to cause a $100 loss to the organization to restore. However the business impact due to the loss of reputation (security
vendor being hacked) is too high to just rely on a Quantitative analysis.
DELPHI: The Delphi technique can be used to gather anonymous feedback for Qualitative Analysis. The idea is that
anonymous feedback enables the Risk Assessment team to get more honest feedback from participants.
For example: Asking Shyam upfront about the risk to the website, he would say definitely risky, but on anonymous
feedback he may say “Well nobody visits it anyway!”.
ASSESSING RISK
Identify and Valuate Risk: Perform Risk assessments. Identify the associated Regulatory fines if a Risk is realized.
Example: Exposure of Customer PII can lead to regulatory fines.
Identify Threats and Vulnerabilities: Creating list of threats that can affect an organizations assets. Tools and
Processes can be used to perform this function. Additionally Third Party consultants can be used to identify Threats
and Vulnerabilities in processes or systems. Penetration Tests are a popular form of identification to identify threats
and vulnerabilities.
Black Box Test – The Attacker has no knowledge of the system and processes that he is asked to penetrate.
Example: This is an accounting application, identify the vulnerabilities.
White Box Test – The Attacker has complete knowledge of the system and process.
Example: This is an accounting application with a three structured system of Apache Webserver 2.0, MariaDB 2.1, authenticated via AD on
a Windows Server 2008 R2 Platform.
Grey Box Test – The Attacker has some knowledge of the system implemented and can direct blackbox testing accordingly.
Example: This is an accounting system with a typical Web-DB architecture and AD authentication.
THREAT MODELING
Key Performance Indicators (KPI): Resolve open items or backlog items identified in past. Risk Assessment or audits.
Key Risk Indication (KRI): provides predictive information for an organization's risk exposure.
Key Control Indicator (KCI): control an organization has over its environment and risk. Effectively a particular control is working.
KPIs : Using automated data gathering and tools that allow data to be digested and summarized can provide predictive information
about how organizational risks are changing.
STRIDE
Originated at Microsoft
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service (DoS)
• Elevation of Privilege
DREAD
Rating Threats
• Damage Potential
• Reproducibility
• Exploitability
• Affected Users
• Discoverability
PASTA
• Stage I: Definition of Objectives (DO)
• Stage II: Definition of Technical Scope (DTS)
• Stage III: Application Decomposition Analysis (ADA)
• Stage IV: Threat Analysis (TA)
• Stage V: Weakness and Vulnerability Analysis (WVA)
• Stage VI: Attack Modeling and Simulation (AMS)
• Stage VII: Risk Analysis and Management (RAM)
QUANTITATIVE RISK ASSESSMENT
Quantitative Risk Analysis - is determined on Single loss and Annual Loss expectations and is derived using a set of
formulas.
Asset Value (AV) – A monetary figure for an Asset that includes not just the cost of the asset and its per year maintenance but also
the information residing on it.
For example: A GWC NAS Storage unit may cost $100000 with a per year maintenance of $10000, but the data residing on that Asset is
Confidential IP and is valued at $1 million. The total value of the Asset is $1.1+ Million.
Exposure Factor (EF) – a % Value, the exposure or percentage of loss expected from a threat.
For example: Multiple Disk failures can cause data loss stored in the Storage unit. 5 disk failures can cause 20% data loss. 7 disk failures
can cause 30% data loss, and 10 disk failures can cause 50% data loss. The % figures are the Exposure factor.
Single Loss Expectancy (SLE) – a monetary value from a one time loss. Calculated as SLE = AV * EF
For example:
5 Disk failures – SLE = 1110000 * 20% = $222,000
7 Disk Failures – SLE = 1110000 * 30% = $333,000
10 Disk Failures – SLE = 1110000 * 50% = $555,000
Annual Rate of Occurrence (ARO)– The chance a particular threat can be realized in a single year. This data
has to be supplemented by studies, fact-checks or third-party tests/certifications.
For Example: GWC says there is a once in 3 years chance of a 5 disk failure, once in 5 years chance of a 7 disk failure and
once in 10 year chance of a 10 disk failure.
Annual Loss Expectancy (ALE) – The Amount of loss expected annually due to a threat. ALE = SLE * ARO
For Example:
ALE from a 5 disk failure = 222000 * 0.34 = $75,480
ALE from a 7 disk failure = 333000 * 0.2 = $66,600
ALE from a 10 disk failure = 555000 * 0.1 = $55,500
ARO – is also the probability determination assessment: the likelihood that a threat may occur. For some threats and
risks, the ARO is derived by multiplying the annual likelihood by the number of users at a given location.
For example: GeekCorp has a remote location with 10 users. ARO for a malware infection is 1 x 10 = 10
Safeguard (SG)– Adding a safeguard can reduce the Exposure factor(EF) or reduce the Annualized Rate of Occurrence (ARO),
reducing the overall risk assessment.
For example: GWC says replacing disks at 80% duty cycle reduces chance of disk failures. This requires installing proprietary monitoring
software and replacing disks, however GWC certifies that a 5 disk failure will only happen once in 8 years, a 7 disk failure once in 12 years and a
10 disk failure of once in 20 years. The Safeguard costs $2000 per year
ALE with Safeguard – Safeguard assessment has to be calculated with the impact of its placement (the EF or the ALE) bringing
down the total cost of the risk.
ALE = SLE * ARO
In our example, the Safeguard directly impacts the ARO, thus the calculations are:
ALE Safeguard 5 disk failure: AV = 1110000; SLE = AV 1110000 * EF 20% = 222000
ALE = SLE 222000 * ARO 0.125 = 27,750
Annual Cost Savings (ACS) - The benefits of a Safeguard can be calculated by subtracting the Post Safeguard-ALE from the Pre
Safeguard-ALE.
Pre-ALE – Post-ALE = ACS
If the cost of a safeguard is greater than the value of the asset or the threat, then the risk should be accepted or
another countermeasure should be adopted.
Total Cost of Ownership (TCO) – The total cost of ownership is the total cost of a mitigating safeguard. The
TCO combines one time expense and Annual cost of maintenance, operational cost etc.
For example: Our GWC Safeguard solution of monitoring software and disk replacement costs $2000 annually and a $500
operational cost. Considering a 5 year technology refresh cycle, this amounts to $12500 for 5 years, and $2500 annually.
TCO for the Storage Safeguard is $2500 annually.
Return on Investment (RoI) – Amount of money saved by implementing a safeguard. If the annual TCO is less than
the ACS, then the ROI is positive.
ROI = ACS – TCO
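The GWC storage example carried through end to end, as an added example that is not part of the original notes: it computes SLE, ALE before and after the safeguard, ACS and ROI for all three disk-failure scenarios from the figures above. The post-safeguard AROs for the 7 and 10 disk cases (1/12 and 1/20) are derived here from the stated "once in 12 years" and "once in 20 years"; charging the full annual TCO against each scenario separately is an assumption, and the class and function names are illustrative.

```python
from dataclasses import dataclass
from fractions import Fraction

# Figures from the GWC NAS example in the notes.
ASSET_VALUE = 100_000 + 10_000 + 1_000_000  # unit + yearly maintenance + data = AV
ANNUAL_TCO = 2_000 + 500                    # safeguard cost + operational cost per year


@dataclass(frozen=True)
class Scenario:
    name: str
    exposure_factor: Fraction  # EF, share of the asset value lost
    aro_before: Fraction       # ARO without the safeguard (values as used in the notes)
    aro_after: Fraction        # ARO with the safeguard


SCENARIOS = [
    # 0.34 is the notes' rounding of "once in 3 years".
    Scenario("5 disk failure", Fraction(20, 100), Fraction("0.34"), Fraction(1, 8)),
    Scenario("7 disk failure", Fraction(30, 100), Fraction("0.2"), Fraction(1, 12)),
    Scenario("10 disk failure", Fraction(50, 100), Fraction("0.1"), Fraction(1, 20)),
]


def assess(s: Scenario, asset_value=ASSET_VALUE, annual_tco=ANNUAL_TCO) -> dict:
    """Apply SLE = AV * EF, ALE = SLE * ARO, ACS = pre-ALE - post-ALE, ROI = ACS - TCO."""
    sle = asset_value * s.exposure_factor
    ale_before = sle * s.aro_before
    ale_after = sle * s.aro_after
    acs = ale_before - ale_after
    # Assumption: the whole annual TCO is charged against this one scenario.
    roi = acs - annual_tco
    decision = (
        "implement safeguard"
        if roi > 0
        else "accept risk or choose another countermeasure"
    )
    return {
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "acs": acs,
        "roi": roi,
        "decision": decision,
    }


def report(scenarios=SCENARIOS) -> list:
    """Return one formatted line per scenario."""
    lines = []
    for s in scenarios:
        r = assess(s)
        lines.append(
            f"{s.name}: SLE=${float(r['sle']):,.0f} "
            f"ALE ${float(r['ale_before']):,.0f} -> ${float(r['ale_after']):,.0f} "
            f"ACS=${float(r['acs']):,.0f} ROI=${float(r['roi']):,.0f} "
            f"({r['decision']})"
        )
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
    # Constructed counter-case: a safeguard costing $30,000 per year does not
    # pay for itself against the 10 disk failure scenario.
    print(assess(SCENARIOS[2], annual_tco=30_000)["decision"])
```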
Risk Mitigation – Risk reduction or risk mitigation is implementation of safeguards and countermeasures to eliminate
vulnerabilities or block threats. Lowering the risk to an acceptable level. In some cases, a specific risk can be eliminated
completely.
Risk Transfer – Transfer risk to another organization such as insurance or outsourcing.
Risk Avoidance – Eliminating the Risk cause, to avoid a risk. E.g. System is open to HTTP attacks, if HTTP is not needed, the
protocol can simply be disabled to avoid the risk.
Risk Deterrence – Deter violators from violating security and policies by putting in warning messages, auditing etc. but allow the
activity to continue. E.g. Users browsing to File share websites are shown a message saying they are being monitored.
Risk Acceptance – Risk acceptance happens when the cost of the safeguard is higher than the risk or if the risk is deemed too low
by the management. The management chooses to accept the consequences if the risk is realized. Acceptance of risk is determined
by an organization’s Risk tolerance. Risk acceptance involves proper documentation of risk and signoff that the risk is accepted.
For example: An ecommerce organization won’t accept any downtime to its web applications as they are its primary source of business. A
Salon will accept their website being down for some time as their business is direct/walk-in.
Risk Rejection – Reject or ignore a risk. Unacceptable response. Denying that a risk will be realized is not a prudent due-care
response to risk.
COUNTERMEASURE SELECTION CATEGORIES
Preventive Controls – Prevent unwanted actions from occurring. Restrict what a user can do with and without authorization.
Examples: Prevent users from changing the time, mantraps, separation of duties, encryption, Smartcard/biometric authentication,
antivirus, pentesting, IPS, Security awareness training.
Detective Controls – Detect and alert without taking any action on the threat. Detective controls are designed to detect threat
activity after the threat action has taken place, or is currently taking place. Examples: CCTV, job rotation, IDS, Honeypots, audit
trails.
Deterrent Controls – Implemented so that the user is discouraged from performing violations. Examples: You are being monitored
disclaimer, fire at sight policy in case of fraudulent violation, beware of dog.
Corrective Controls – Correcting a damaged system or process. Works along with Detection controls. Detect & Respond.
Examples: Backup & restore, EDR, Anti-virus, System lockdown.
Recovery Controls – More advanced, granular or complex in order to restore a functionality or a complete system for the
organization. Examples: Fault-tolerant systems, system reimaging, server or database clustering, high availability.
Compensating Controls – Additional Security control put in place to address weaknesses in other controls. Example: An antivirus
software is unable to protect against cryptomining and phishing attacks. We add a secure web gateway control to protect from these attacks.
Directive Control – Direct or control user actions. Examples: Notifications, Monitoring, Escape route signage.
IMPORTANT THINGS TO NOTE ON BCP
The start of any organization's DRP/BCP program must have the approval of the senior management team
Management's approval is also a show of their support
1 Respond – Initial responders will Assess whether it is a “disaster”.
2 Activate – Initial responders will activate the DR Team via Secondary response procedures.
3 Communicate – Disseminate recovery details with workers and the public.
4 Assess – DR Team will assess the extent of the damage to determine proper steps to recover.
5 Reconstitute / Recover – Recover critical Business operations at primary or secondary site.
DRP SITES
Hot Site – Maintained in constant working condition with continuous/periodic Data Replication, IT equipment
and systems equivalent to the Primary site pre-configured and ready to take over in the event of a disaster. Fastest
to restore. Expensive. – Minutes to up to 6 hours recovery.
Cold Site – Only contains communications, power systems. IT Systems / Data have to be installed, configured and
replicated to bring this site up. Slowest to Restore, Cheapest.
Warm Site – Contains all systems and applications pre-configured and up, doesn’t have any Data. Median
between MTTR and cost. – 24 to 48 hours recovery.
Mobile Site – Workgroup recovery strategy, ready to deploy via ground/rail/air/sea. Can be deployed as a Warm
or Cold Site.
Redundant Site – Fully Active-Active Site with live data and equipment. Most Expensive. – Seconds to
recovery. User does not see noticeable downtime.
BIA TERMS
MTD – Maximum Tolerable Downtime – how long can a business function be down till business suffers significant damage. MTD = RTO + WRT
RTO – Recovery Time Objective – period of time in which a system has to be restored.
RPO – Recovery Point Objective – maximum acceptable time for data or work loss during a disruption.
MTBF – Mean Time Between Failure – Identifies the average time between failures. Example: We can expect the syslog server to fail once every week due to load.
SLO – Service Level Objectives – desired uptime of a system
WRT – Work Recovery Time – Maximum Time till verification of Data integrity and systems to resume production.
MTTR – Mean Time to Restore – Time required to restore, repair or recover a system after failure.
MOR – Minimum operating requirements – Minimum requirements required for a system to function.
Eventman GIC is an Insurance organization, providing Web based insurance advice and plans to their customers. Their BCP team is performing a BIA for their
infrastructure to prepare for business continuity in the event of a disaster. The team identified that full data backups take place every Sunday 9:00 AM, and incremental
backups every day. Incremental backups are stored locally, and transferred offsite DC every Day at 9:00AM. In the event the primary data center catches fire or systems are
unavailable, the organization needs to ensure that the website is online within 4 hours to prevent damage to the company reputation. For this to work, the website has to be
brought up online at the offsite facility. At a minimum a single server can be online for the website to function. Application and business owners require maximum of 2.5
hours to verify the data and application to certify it to come online. The IT Team, however states that they need 2 hours to restore the web application. Management also
wants that in such an event, transaction data at least 2 hours prior to the disaster be available to the website. Identify the metrics and what needs to be improved.
MTD is 4 hours.
WRT is 2.5 hours, thus we can deduce that the RTO is 1.5 hours as MTD = RTO + WRT.
MOR is a Single server. MTTR is 2 hours, and needs to be improved to be equal or less than RTO.
The current RPO of 24 hours is too high. This needs to be reduced to 2 hours, thus the backups need to take place every 2 hours and be transferred offsite.
BUSINESS IMPACT ANALYSIS
BUSINESS IMPACT ASSESSMENT
Identify Priorities -> Identify Risk -> Likelihood Assessment -> Impact Assessment -> Resource Prioritization
Senior Managers:
Develop and document testing strategies,
Identify and prioritize systems, arbitrate disputes about priority.
Monitor execution and development
Ensure periodic Tests.
BCP Teams:
Continuity Planning Project Team: Identify who plays what role in an emergency.
Rescue: immediately following the disaster
Recovery: recover business via alternate operations
Salvage: Return to primary operations.
BCP DOCUMENT COMPONENTS
Continuity Planning Goals – Goals for continuity decided by the Senior management and BCP Team
Statement of Importance – Reason why organization invested in BCP and request for cooperation.
Statement of Priorities – lists functions critical to operations in prioritized order. Pulled from BIA.
Statement of Organizational Responsibilities – Senior-level executive saying BCP is everybody’s responsibility.
Statement of Urgency and Timing – criticality and timing of BCP implementation by the BCP Team
Risk Assessment – recap BIA risk assessment of assets
Risk Acceptance / Mitigation – risks accepted (the why), Risks mitigated (the how)
Vital Records Program – define critical records, where they will be stored, procedures for backing up and storing copies.
Emergency Response Guidelines – emergency response procedures, individuals to be notified, secondary response
procedures.
Maintenance – review, change BCP Plan based on organizational changes.
Testing and Exercises – testing plan to ensure BCP plan remains current and people are trained.
BCP / DRP TESTING & MAINTENANCE
BCP Testing should be conducted at least once annually
Train everyone for initial disaster response activities within the organization.
TYPES OF LAWS
Criminal Law – The goal of Criminal laws is to deter malicious activities that are harmful
towards societies. The burden of proof should be beyond any reasonable doubt. Society
plays role of Victim.
Civil Law – Harm caused due to a person or organization violating their responsibility to
perform Due care and due Diligence. The burden of proof should be Preponderance of
evidence. Preponderance means More likely than not. The more convincing evidence and
its probable truth or accuracy.
Liability, Due Care, Due Diligence and Prudent Man Rule all come under Civil Law.
Regulatory Law – Enacted by government agencies or trade regulators to induce fair play,
due care and due diligence and protection for the customers.
Law Reference
Federal Code of Regulations – Federal Law or regulations specified by Federal Agencies.
United States Code – Criminal Law or Civil Law
Supreme Court Rulings – Interpretation of Laws
TYPES OF DAMAGES
Statutory – Prescribed by law, and can be awarded to victim even if the victim incurred no actual loss or injury.
Compensatory – provide victims with a financial award in an effort to compensate for loss or injury that is a direct
result of wrongdoing.
Punitive – Punish an individual or organization to discourage a violation where statutory or compensatory
damages would not act as a deterrent.
TENETS OF LIABILITY
Liability – Is the organization or individual legally liable for specific actions or inactions, to determine negligence.
Liability is determined by the below:
Due Care – Reasonable care to prevent a given situation. An Organization needs to show that it tried to prevent possible damage by
meeting security requirements. Action. Due Care is the practice of Due Diligence.
For example: Eventman Technologies hosts an ecommerce website with Personally identifiable information of their customers such as Names,
Date of births, Phone numbers etc. In the event of a hack, Eventman Technologies needs to display Due care that they had the proper controls in
place such as implementing a Web Application firewall, penetration tests, salting databases.
Due Diligence – Management of due care by following and implementing best practices. Includes Researching the requirement of
due care & Verification of the implementation of due care. Due Diligence is ongoing and follows a process.
For example: Eventman Technologies needs to prove that they followed the best practices for configuring the WAF, performed patches and
recommendations from the Penetration tests, adhered to salting best practices and had the systems audited for regulatory requirements.
Another example:
Due Care: The CEO of Eventman Technologies thinks security is implementing security measures, and expecting his staff to perform regular maintenance and
patch the recommendations by Penetration testing teams.
Due Diligence: The CEO of Eventman Technologies appoints an auditor to verify the following of best practices and compliance guidelines and reviews audit
reports.
Federal Sentencing Guidelines of 1991 formalized the Prudent Man rule, which requires Senior executives to ensure the
Due care that a prudent individual would take in the situation. Interesting Case Study: Volkswagen Diesel
Liability – Despite a hack with loss of PII, if an organization demonstrates Due Care and Due Diligence, they are in a
better legal position. Negligence makes for a much worse legal position.
• Example: Volkswagen – the Management was aware of malpractices in Diesel emission cars yet decided to ignore
the threat resulting in Gross Negligence.
EVIDENCE
Electronic Discovery – the process of gathering evidence for computer related crimes.
Evidence Integrity – maintain the integrity of the data during its course of acquisition and analysis. Data must be
non-repudiable. Chain of custody is required to maintain full documentation of who, what, when evidence was
handled post acquisition.
Examples: Checksums to ensure data integrity is maintained, audit logs to ensure chain of custody.
Entrapment – when someone is persuaded to commit a crime, where the person originally had no intention to
commit a crime.
Enticement – when conditions are made favorable to commit a crime, but the person was already determined to
break the law. Example – honeypot.
Computer Crimes are difficult to judge due to there being less precedent in legal systems.
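The two examples given under Evidence Integrity, checksums and audit logs, can be combined into one custody record. The code below is an added example, not part of the original notes: each entry stores the SHA-256 of the evidence and the hash of the previous entry, so a changed image or an edited entry is detected. Handler names, timestamps and the evidence bytes used with it are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" value used by the first entry
FIELDS = ("seq", "when", "who", "action", "evidence_sha256", "prev")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash every field of the entry except its own stored hash."""
    body = {k: entry[k] for k in FIELDS}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def add_entry(log: list, when: str, who: str, action: str, evidence: bytes) -> dict:
    """Append a custody entry: who handled the evidence, when, and what was done."""
    entry = {
        "seq": len(log),
        "when": when,
        "who": who,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),   # checksum at time of handling
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify(log: list, evidence: bytes) -> list:
    """Return a list of problems; an empty list means the record is intact."""
    problems = []
    prev = GENESIS
    for e in log:
        if e["prev"] != prev:
            problems.append(f"entry {e['seq']}: broken link to previous entry")
        if entry_hash(e) != e["hash"]:
            problems.append(f"entry {e['seq']}: log entry was modified")
        prev = e["hash"]
    if log and sha256_hex(evidence) != log[0]["evidence_sha256"]:
        problems.append("evidence does not match checksum taken at acquisition")
    return problems


if __name__ == "__main__":
    image = b"constructed disk image bytes"        # constructed sample evidence
    custody = []
    add_entry(custody, "2018-05-01T09:00Z", "analyst-a", "acquired", image)
    add_entry(custody, "2018-05-01T11:30Z", "analyst-b", "received for analysis", image)
    print(verify(custody, image))                  # intact record
    print(verify(custody, image + b"x"))           # evidence altered after acquisition
```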
COMPUTER FRAUD AND ABUSE ACT
The Computer Fraud and Abuse Act of 1986 changes this to:
Any computer used exclusively by the US Government
Any computer used exclusively by a Financial Institution.
Any computer used by the US Government or Financial Institute, where the offence impedes or prevents use of the system by
these organizations.
Any combination of computers used to commit a crime/offense when they are not located in the same state.
Threshold of damage $5000
COMPUTER FRAUD AND ABUSE ACT – FURTHER AMENDMENTS
The Computer Fraud and Abuse Act 1994 Amendments changes this to:
Outlawed creation of malware
Any computer used in inter-state Commerce
Allows for imprisonment of offenders regardless of whether they actually intended to cause damage. (Script kiddies)
Legal authority of victims to pursue Civil action to claim compensatory damages or relief.
FISMA – 2002
Implement an Information Security program that covers the agency’s operations.
Requires government agencies to include activities of their Contractors in their Security management programs.
Periodic Risk Assessments, Policies and procedures based on these assessments, security awareness training and periodic
testing.
FISMA – 2014
Centralizes Federal Cybersecurity responsibility with the Department of Homeland Security.
Defense-related Cybersecurity issues are responsibility of Secretary of Defence.
Intelligence-related issues are responsibility of Director of National Intelligence.
COMMONLY USED NIST STANDARDS
NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
Federal computing systems and Agencies must comply with this standard.
Commonly used as an Industry Cybersecurity benchmark.
NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and
Organizations.
Federal Contractors must comply with this standard.
HIPAA-HITECH
Applies to any organization that processes or stores private medical information of individuals such as Health-care providers, health insurance
providers etc.
HITECH 2013, also modifies this act to cover Business Associates of healthcare industry who work on PHI data to also be covered under HIPAA via
Business Associate Agreement.
HITECH also enforces Data Breach Notifications, requiring HIPAA covered entities notify affected individuals in the event of a breach. Also notify
Secretary of Health, and the media in case breach is higher than 500 individuals.
Example: Eventman Technologies works with National Insurance – Kentucky, to process the scanned forms and input them into the CRM solution for National Insurance. In this
case, National Insurance needs to have a BAA with Eventman Technologies. Eventman Technologies would also be regulated by HIPAA and must follow the compliance
requirements.
Business Associates who work on PHI require a BAA – Business Associates Agreement.
SSAE18: REPORTS
Type-2 – Period based audit report, how the organization operated its controls over the period of 6 months, actual testing to
determine effectiveness, and auditor’s opinion based on description. More Reliable Report, preferred.
Example: How was security for the data center operated and maintained?
SOC-3 – Report by a 3rd Party auditor on whether a Service Provider organization (typically cloud vendor)
maintained effective controls over its systems – CIA. Typically used by Cloud vendors to assure customers of their
controls, and avoid individual audits from customers. (Less detailed than SOC-2 Type 2 Reports)
US PRIVACY LAWS
4th Amendment
Prohibits Government agents from searching private property without a warrant and probable cause.
Individuals about whom the data is held or processed have the right to:
Access the data
In case PII Data is being sent out of the EU, the organization must ensure that the data is protected.
Safe Harbor:
The EU requires EU Citizens PII traveling outside the EU to be protected by the EU Privacy law requirements.
Since the US has lesser privacy laws compared to the European Union, Safe Harbor enables US companies working on
EU Citizens PII / conducting business in the EU to comply with EU Privacy laws.
Department of Commerce certifies organizations as Safe Harbor compliant.
SAFE HARBOR was outlawed in 2015 and the PRIVACY SHIELD replaced it in 2016.
To qualify for Safe Harbor, US Companies need to meet seven requirements:
Notice – inform individuals what information is collected and how it will be used.
Choice – opt-out choice if it’s shared with third parties. Opt-in in case it’s sensitive information.
Onward Transfer – Organizations can only share data with other Organizations that comply to Safe Harbor.
Access – Individuals must have access to any records containing their personal information.
Security – Proper mechanisms to protect data loss, misuse and unauthorized disclosure.
Data Integrity – mechanisms to have reliability of the data they maintain.
Enforcement – individuals have a dispute resolution process, and provide certifications to regulatory bodies that they comply to Safe
Harbor.
EUROPEAN UNION – PRIVACY SHIELD
Notice – inform individuals about the purposes for which it collects and uses information about them. Also
inform about rights.
Choice – offer the user the choice to opt-out.
Accountability of Onward Transfer – Organizations can only transfer data with other Organizations that comply
to Notice and Choice principles.
Security – Proper mechanisms to protect data loss, misuse and unauthorized disclosure to protect personal data.
Data integrity and Purpose Limitation – Only collect data that is needed for processing purposes as identified in
Notice. Organization also responsible to take reasonable steps to ensure data is accurate, complete and current.
Access – Individuals must have access to any records containing their personal information. Also have the ability
to correct, amend or delete information when it is inaccurate.
Recourse, Enforcement and Liability– implement mechanisms to ensure compliance with principles and provide
mechanisms to handle individual complaints with a response to any complaints within 45 days, agree to an appeal
process including binding arbitration.
INTELLECTUAL PROPERTY - DEFINITIONS
Copyright - U.S. Copyright Office
Protects works from unauthorized duplication.
Applies to: Literary, musical, movie, pictorial, sound, architectural works. Software source codes and look and feel can be copyrighted – not the idea.
Works are protected until 70 years after death of the author. 75 years for organizations.
Copyrights are protected by the DMCA – Digital Millennium Copyright Act.
Trade Secret
Trade secrets are absolutely critical to business and leakage could destroy the business (McDonald’s secret sauce)
Is not registered with anyone as it could lead to disclosure which could lead to copy. Companies must enforce their own protection of data to ensure it doesn’t get exposed.
Trade secrets are protected by the Economic Espionage Act.
Licensing
Protected by UCITA, making licensing terms legal contracts, and opt-out capabilities.
INTELLECTUAL PROPERTY - LAWS
Contractual License Agreements: Written contract between Software vendor and Customer.
Shrink-wrap License Agreements: Written outside the box/software packaging. Acknowledgement via breaking
the seal.
Click-through License Agreements: Click a button for consent (I agree)
Cloud-services License Agreements: Click to Read T&C, Click I agree.
Class 2 – Secret / Private – Serious Damage
Class 1 – Confidential / Sensitive – Damage
Class 0 – Unclassified / Public – No Damage, available to anyone
ASSET SECURITY TERMS
Data in Use:
Data being used by a data processor.
Rights management and DLP protects Data in Use
Data in Motion/Transit:
Data transmitted over wired or wireless networks, internet.
Encryption protecting the transit of data – TLS or IPSec; Encryption can protect the actual data
Example: Eventman Technologies deals with customer PII and wants to secure it on their Remote Sales users laptops
and while they are being viewed or being sent to the Usage Application in the DC.
Eventman Technologies will choose to implement AES 256 encryption for Data at Rest on the endpoint, Digital Rights
Management to prevent unauthorized actions (copy/print) for Data in Use, and enable dual controls of TLS encryption
for the web application and per file AES256 encryption for Data in transit.
DEALING WITH DATA REMANENCE
Data Remanence is Data left after erasing
Erasing: Performs delete operations on file, but does not delete actual data. Data can be recovered by
recovery tools.
Clearing: Overwrites deleted data with dummy bits (single character or patterns) to make data
irrecoverable. However bad sectors and SSDs may retain data, making this technique less effective. (Same level Reuse of media)
Degaussing: Rewrites magnetic media with a heavy magnetic field. Works on backup tapes, hdd or floppy
drives. Only Tapes can be reused, Destroys HDDs.
Purging: Repeats the “clearing” process multiple times and may use another process (degaussing) to
completely remove data. Degrading from Confidential to Unclassified requires Purging. (Lower level Reuse of media)
Declassifying: Efforts required to secure and declassify media costs more than new media for a lower
classification level, so many organizations choose not to declassify. Declassification requires Purging.
Sanitization: Ensures that Data cannot be recovered by using a combination of processes – verifying
purging, verifying any media is not present in a system before it is scrapped, verifying destruction of hdds
etc.
Destruction: destroying media via incineration, crushing, shredding, disintegration, dissolving. (Top Secret lowering recommendation: Destruction)
NSA requires the destruction of SSD’s using an approved disintegrator as SSD’s cannot be securely erased. (ATA Secure
Erase can erase SSDs)
DEVICES AND REMANENCE
HardDisk Drives
Same Level Reuse: Clearing
Lower Level Reuse: Purging and Declassifying
TopSecret to Unclassified: Destruction
Phase out: Sanitization and Destruction via Degaussing + Shredding
Backup Tape
Same Level Reuse: Clearing, Degaussing (although not practical to reuse Tape)
Lower Level Reuse: Purging and Declassifying recommended
Phase out: Sanitization and Destruction
SSD
Same Level Reuse: OPAL Commands
Lower Level Reuse: Destruction recommended, ATA Secure Erase
TopSecret to Unclassified: Destruction recommended
Use Encryption on SSD’s for reuse to prevent wear leveling / overprovisioned blocks from data remanence, as these cannot be cleared / purged.
Flash Drives
Same Level Reuse: Clearing
Lower Level Reuse: Purging and Declassifying
TopSecret to Unclassified: Destruction recommended
Phase out: Sanitization and Destruction
CD/DVD-RW
Same Level Reuse: Clearing
Lower Level Reuse: Purging and Declassifying
TopSecret to Unclassified: Destruction recommended
Phase out: Sanitization and Destruction
CD/DVD-R
Same Level Reuse: Destruction
Lower Level Reuse: Destruction
TopSecret to Unclassified: Destruction
Phase out: Destruction
ASSET SECURITY ROLES
Data Controller
Controls the use of Data
Required Role for GDPR.
Administrator
Responsible to grant appropriate access to personnel based on least privilege or need to know with a role-based access model.
User
Accesses data for work.
Example: Payroll Accounts user who accesses employee data for payroll.
DATA PROTECTION CONTROLS - ENCRYPTION
Symmetric Encryption – uses the same key for encrypting or decrypting data.
AES – 128, 192 and 256 bits,
selected as a standard to replace DES by NIST.
Approved to protect Data up to Top Secret.
Pseudonymization & Tokenization are reversible, meaning that with another set of data the original data can still be
identified. Anonymization (Masking) is irreversible.
SECURITY CONTROLS
Baselines – NIST SP800-53
Ensure a minimum security standard and starting point for security controls.
Example: Disable unsecure protocols Telnet and HTTP on routers provides a minimum access security configuration.
Scoping –
Reviewing baselines and selecting relevant controls to the system or organization.
Rejected as not relevant.
Example: A Router hardening baseline may require you to implement an access-list to deny access to the webserver on the router. However if
your router does not have an embedded HTTP Server, you choose not to implement this control.
Tailoring –
Tailoring the baseline to fit the organizations requirements.
Baseline rejected as unable to implement and a compensating control implemented.
Example: The organization uses low-cost routers at remote branches which only have HTTP management capability, and this cannot deny
access to the embedded HTTP Server. However the organization selects a compensating control such as allowing access to the HTTP server
only from the IT Subnet.
Standards
Comply with standards relevant to the industry the organization operates in such as PCI DSS, GLBA, SOX, HIPAA, DPD etc.
Symmetric
Uses a single shared key to encrypt or decrypt data.
Faster than Asymmetric
External sharing of key required.
No Non-Repudiation
One key required per group that wishes to share encrypted information.
If one person leaves, all keys have to be changed.
Asymmetric
One public key for encryption and one private key for decryption.
Slower than Symmetric.
No need to share key. Diffie-Hellman helps automate key share.
Two keys per user.
No need to change keys if one person leaves, just revoke access.
Provide Integrity, Authentication and Non-Repudiation
CRYPTOGRAPHY TO CIA
Symmetric Encryption – Confidentiality
Asymmetric Encryption – Confidentiality, Integrity, Authentication, Non-Repudiation
CRYPTOGRAPHIC TERMS
Work function – the time required to decrypt data without the actual key using attacks like brute forcing etc. Typically the Work
function must be higher than the time of data retention that you need for protection. Consider that future computing power will
reduce the work function time, compared to today’s computers.
Example: Ashish needs to protect retention data for 10 years. He has a choice of two protocols – one which has a work-function of 10 years and
another with 15 years. He should select the one with 15 since with technological advances the work-function will decrease over time.
TYPES OF CIPHERS
Codes vs Ciphers
• Codes are secret language. If you know it, you know the meaning. Example: The Eagle has landed.
• Ciphers always encrypt the message. The recipient needs a key to decrypt.
• Example: “Attack at Dawn” is “Zggzxp zg Wzdm” (Using the Atbash Cipher)
Transposition Cipher – brings Diffusion in cryptography, making the communication more secure. It rearranges
letters/blocks of a plaintext message to get the ciphertext. Decryption is reversal of the operation.
Vulnerable: to Frequency Analysis attacks, same block of text can produce the same output ciphertext.
Example: Ashish becomes HsihsA
Columnar Transposition uses a secret key and arranges the letters below it for more confusion and a more secure communication.
Example: Message – “Eventman Rocks” can be encrypted with a key of KAMLESH.
We encrypt this by assigning a number to each key letter based on its place in the alphabet, e.g. A comes first so 1, E comes 2. (If two are the same, increment
one number – A – 1, A – 2, E – 3 and so on)
1. KAMLESH
   4165273
   EVENTMA
   NROCKS!
2. Now we align based on numbers and generate the message: VRTKA!ENNCEOMK
3. Share the Key and Message with the recipient.
4. Who uses the same theory on the key to regenerate the message.
5. Key is 7 no’s
   1234567
   VTAENEM
   RK!NCOK
6. Rearrange using key
   KAMLESH
   4165273
   EVENTMA
   NROCKS!
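The columnar transposition steps above can be followed in code. This is an added example, not part of the original notes; the function names and the `!` pad character for the last row are assumptions taken from the grid shown. Reading the grid column by column gives VRTKA!ENNCEOMS, because the column under S holds M and S.

```python
import math
from collections import Counter


def key_order(key: str) -> list:
    """Number each key letter by alphabetical position (1-based). Repeated
    letters are numbered left to right, e.g. KAMLESH -> [4, 1, 6, 5, 2, 7, 3]."""
    ranked = sorted(range(len(key)), key=lambda i: (key[i].upper(), i))
    order = [0] * len(key)
    for rank, col in enumerate(ranked, start=1):
        order[col] = rank
    return order


def columns_in_reading_order(key: str) -> list:
    """Column indexes sorted by their number: the column numbered 1 comes first."""
    order = key_order(key)
    return sorted(range(len(key)), key=lambda c: order[c])


def encrypt(plaintext: str, key: str, pad: str = "!") -> str:
    text = plaintext.replace(" ", "").upper()
    width = len(key)
    rows = math.ceil(len(text) / width)
    text = text.ljust(rows * width, pad)            # fill the last row of the grid
    grid = [text[r * width:(r + 1) * width] for r in range(rows)]
    # read each column top to bottom, taking the columns in key-number order
    return "".join(grid[r][c] for c in columns_in_reading_order(key) for r in range(rows))


def decrypt(ciphertext: str, key: str) -> str:
    width = len(key)
    if len(ciphertext) % width:
        raise ValueError("ciphertext length must be a multiple of the key length")
    rows = len(ciphertext) // width
    grid = [[""] * width for _ in range(rows)]
    # the ciphertext is a run of columns; put each one back under its key letter
    chunks = [ciphertext[i * rows:(i + 1) * rows] for i in range(width)]
    for chunk, col in zip(chunks, columns_in_reading_order(key)):
        for r in range(rows):
            grid[r][col] = chunk[r]
    return "".join("".join(row) for row in grid)


def letter_counts(text: str) -> Counter:
    """Letter histogram. Transposition only moves letters, so the histogram of
    the ciphertext equals that of the plaintext, which is what frequency
    analysis picks up on."""
    return Counter(c for c in text.upper() if c.isalpha())


if __name__ == "__main__":
    ct = encrypt("Eventman Rocks", "KAMLESH")
    print(key_order("KAMLESH"), ct, decrypt(ct, "KAMLESH"))
    print(letter_counts("Eventman Rocks") == letter_counts(ct))
```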
Substitution Cipher – replaces each character with a different character.
Example: Atbash Cipher reverses the Alphabet so that A = Z and Z = A.
Example: ROT3 shifts the Alphabet 3 characters. A = D, Z = C, J = M.
Ciphertext = (Plaintext + <substitution>) mod 26 (26 is letters of alphabet)
Plaintext = (Ciphertext - <substitution>) mod 26
Example: Substitution
EVENTMAN
Encrypted with ROT3 =
HYHQWPDQ
Vulnerable: to Frequency Analysis attacks – attackers try to identify frequently used words in the English
language.
One Time Pad – powerful substitution cipher.
Ciphertext = (Plaintext + Key) mod 26
Each bit of the Plaintext is XORed with the Key to produce the Cipher Text.
Can be unbreakable when used correctly.
One-time pad must be randomly generated, and then used on the Plaintext to generate a unique Ciphertext.
The One-time pad must be physically protected from disclosure. If the enemy has the copy, they will easily
decrypt the message.
Key is as long as the message making this impractical for large messages.
Vulnerable to Pattern Analysis: One time pad must be used only once, and ideally not from a book so that the
enemy does not discover similarities.
Example: One Time Pad
A = 0, Z = 25
Plaintext     E  V  E  N  T  M  A  N
Key           K  A  M  L  E  S  H  R
Num. P        4 21  4 13 19 12  0 13
Num. K       10  0 12 11  4 18  7 17
ADD          14 21 16 24 23 30  7 30
mod26 Num. C 14 21 16 24 23  4  7  4
Ciphertext    O  V  Q  Y  X  E  H  E
Running Key Cipher – type of One-time pad encryption which uses a known book/phrase on both
sides as the secret key, to avoid the sharing of the one time pad.
Example: Using the 21st page of The Name of the wind as the secret key.
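The substitution examples above (Atbash, ROT3 and the mod 26 one-time pad) are reproduced below, together with the two weaknesses the notes name: a fixed shift is recovered by frequency analysis, and a pad used twice cancels out of the two ciphertexts. This is an added example, not part of the original notes; the function names, the sample sentence and the second message ROCKSNOW are constructed, and the letter frequencies are approximate.

```python
import string

A = string.ascii_uppercase
# Approximate relative frequency (%) of A..Z in English text.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
                0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
                2.76, 0.98, 2.36, 0.15, 1.97, 0.07]
SAMPLE = ("THE BACKUP TAPES ARE STORED OFFSITE AND THE RESTORE TEST IS "
          "SCHEDULED FOR THE END OF THE MONTH")     # constructed sample text


def map_letters(text: str, fn) -> str:
    """Apply fn to the 0-25 index of each letter; keep case and non-letters."""
    out = []
    for ch in text:
        if ch.upper() in A:
            new = A[fn(A.index(ch.upper())) % 26]
            out.append(new if ch.isupper() else new.lower())
        else:
            out.append(ch)
    return "".join(out)


def atbash(text: str) -> str:
    return map_letters(text, lambda i: 25 - i)      # A <-> Z, B <-> Y, ...


def rot(text: str, n: int) -> str:
    return map_letters(text, lambda i: i + n)       # (Plaintext + n) mod 26


def otp_encrypt(plaintext: str, pad: str) -> str:
    """Ciphertext = (Plaintext + Key) mod 26, upper-case letters only."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return "".join(A[(A.index(p) + A.index(k)) % 26] for p, k in zip(plaintext, pad))


def otp_decrypt(ciphertext: str, pad: str) -> str:
    return "".join(A[(A.index(c) - A.index(k)) % 26] for c, k in zip(ciphertext, pad))


def crack_rot(ciphertext: str) -> int:
    """Frequency analysis: try all 26 shifts and keep the one whose output
    looks most like English. Returns the shift that was used to encrypt."""
    def score(text):
        return sum(ENGLISH_FREQ[A.index(c)] for c in text.upper() if c in A)
    return max(range(26), key=lambda s: score(rot(ciphertext, -s)))


def difference(a: str, b: str) -> list:
    """Letter-by-letter (a - b) mod 26."""
    return [(A.index(x) - A.index(y)) % 26 for x, y in zip(a, b)]


if __name__ == "__main__":
    print(atbash("Attack at Dawn"), rot("EVENTMAN", 3), otp_encrypt("EVENTMAN", "KAMLESHR"))
    print(crack_rot(rot(SAMPLE, 3)))
    # Pad reuse: the key drops out, leaving only the difference of the plaintexts.
    c1, c2 = otp_encrypt("EVENTMAN", "KAMLESHR"), otp_encrypt("ROCKSNOW", "KAMLESHR")
    print(difference(c1, c2) == difference("EVENTMAN", "ROCKSNOW"))
```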
Block Cipher – Block ciphers operate on chunks of the message called blocks. Transposition ciphers are an
example of Block Ciphers. Modern encryption algorithms work on Blocks (block size)
Stream Cipher – Operates on one bit or character of the message at a time. Can also be block ciphers by using
buffers. RC4 is a Stream Cipher.
Example: Atbash or Onetime pads are examples of Stream cipher, as they work on each character at a time.
Vernam Cipher: Used a One Time Pad which was XORed to the plaintext message.
Only mathematically unbreakable form of Cryptography
Enigma/Purple Machine: Used a Rotor based mechanism to generate encrypted message (used as mixers).
Depending on the configuration of the rotor’s at the other end, the message could be decrypted.
Cipher Feedback Mode – uses memory buffer instead of blocks to perform streaming CBC. Errors propagate.
Output Feedback Mode – XOR’s plaintext with a seed value. No chaining functions, and transmission errors do not corrupt
future blocks.
Counter Mode – uses a counter that increments at each operation. Errors do not propagate. (Suited for parallel computing as
it breaks encryption & decryption operations into multiple independent steps.)
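The error-propagation statements for Cipher Feedback, Output Feedback and Counter mode can be checked by flipping one ciphertext bit and seeing which plaintext blocks come back damaged. This is an added example, not part of the original notes; the block "cipher" is a keyed SHA-256 stand-in chosen so the code runs with the standard library only (it is not AES and not for real use), and the key, IV and nonce are constructed.

```python
import hashlib

BLOCK = 16
KEY, IV, NONCE = b"constructed key.", b"constructed iv..", b"nonce-01"


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's encrypt operation. CFB, OFB and CTR only
    ever run the cipher in this forward direction, even when decrypting."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cfb(key, iv, data, decrypt=False):
    out, feedback = [], iv
    for blk in blocks(data):
        res = xor(blk, E(key, feedback))
        out.append(res)
        feedback = blk if decrypt else res   # the feedback is always ciphertext
    return b"".join(out)


def ofb(key, iv, data):
    out, state = [], iv
    for blk in blocks(data):
        state = E(key, state)                # keystream depends on key and IV only
        out.append(xor(blk, state))
    return b"".join(out)


def ctr_block(key, nonce, index, blk):
    """Encrypt or decrypt block number `index` on its own (parallelisable)."""
    return xor(blk, E(key, nonce + index.to_bytes(8, "big")))


def ctr(key, nonce, data):
    return b"".join(ctr_block(key, nonce, i, b) for i, b in enumerate(blocks(data)))


def flip_bit(data: bytes, index: int) -> bytes:
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


def propagation(mode: str) -> list:
    """Encrypt four blocks, flip one bit in ciphertext block 1, decrypt, and
    return the indexes of the plaintext blocks that no longer match."""
    plaintext = bytes(range(64))
    if mode == "CFB":
        ct = cfb(KEY, IV, plaintext)
        pt = cfb(KEY, IV, flip_bit(ct, BLOCK), decrypt=True)
    elif mode == "OFB":
        ct = ofb(KEY, IV, plaintext)
        pt = ofb(KEY, IV, flip_bit(ct, BLOCK))
    elif mode == "CTR":
        ct = ctr(KEY, NONCE, plaintext)
        pt = ctr(KEY, NONCE, flip_bit(ct, BLOCK))
    else:
        raise ValueError("mode must be CFB, OFB or CTR")
    return [i for i, (a, b) in enumerate(zip(blocks(plaintext), blocks(pt))) if a != b]


if __name__ == "__main__":
    for m in ("CFB", "OFB", "CTR"):
        print(m, propagation(m))
```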
SYMMETRIC ENCRYPTION ALGORITHMS – 3DES
SubBytes – provides confusion by Substitution of the bytes of the State. The bytes are substituted according to a
substitution table (also called an S-Box).
ShiftRows – provides diffusion by shifting rows of the State. (Transposition)
MixColumns – provides diffusion by “mixing” the columns of the State via finite field mathematics. (Transposition)
AddRoundKey – is the final function applied in each round. It XOR’s the State with the subkey. The subkey is derived
from the key, and is different for each round of.
SYMMETRIC ENCRYPTION ALGORITHMS - MISC
BlowFish
Allows variable length keys from 32 bits to 448 bits.
Operates on 64bit blocks of plaintext/ciphertext.
Faster than DES and IDEA
Skipjack
Uses 80-bit key on 64-bit blocks.
Approved for use in FIPS-185 as Escrowed Encryption Standard.
Supports the escrow of encryption keys, Uses Clipper and Capstone encryption chips.
NIST and the Department of the Treasury each hold part of the information needed to reconstruct a Skipjack key, for law enforcement agencies.
Not widely adopted due to mistrust of the US Government.
ASYMMETRIC - PUBLIC KEY ENCRYPTION
[Figure labels: Rohan's public key; Karan's public key]
encryption.
The Public Key encrypts data, but
User
Elliptic Curve – The Elliptic Curve discrete logarithm problem is the basis of this algorithm, where it is extremely
hard to find x even if P and Q are known.
Because of this, even a lower-bit Elliptic Curve encrypted message is as strong as RSA/El-Gamal.
Diffie-Hellman – The Key Exchange Algorithm
• Used to exchange keys where there is no Public Key infrastructure or Offline Key distribution mechanism.
• Used by SSL and SSH, where only the Server has both a Public and Private key, but not the user.
Sr.  DH Group    Key Length
1    DH Group 1  768 bits
2    DH Group 2  1024 bits
3    DH Group 5  1536 bits
PKI ON THE WEB – PKI WITH DIFFIE-HELLMAN
PKI is slow, and requires the exchange of certificates from both ends of the transmission.
On the internet, it is unlikely that every “user” will have a set of public and private keys. It’s always the “server” which does.
To effectively counter this for the Internet or WWW, a hybrid form of cryptography is used, with PKI forming the initial trust relationship and key exchange, and then using Symmetric encryption for the actual communication of data.
How is PKI Performed on the Web?
User navigates to Google.com and gets the Public Certificate for google.com.
User’s browser validates that Public Certificate is valid and issued by a Valid CA.
User’s browser creates a “secret key” and encrypts it with Google’s Public Certificate.
Google.com decrypts the “secret key” with its Private Key to derive the same key as the “User Secret key”
Google.com then uses the Secret Key for Symmetric Encryption for further communication.
[Figure: exchange between User and www.google.com – GET www.google.com; I am www.google.com; GET maps.google.com]
HASHING
Hashing provides Integrity to Cryptographic functions by validating if a message has been modified.
Integrity is derived by creating a Message digest of the original message by the sender.
The sender sends the Encrypted message and the message digest to the recipient.
The recipient creates a message digest of the message and compares it with the message digest sent by the sender.
If both match, Integrity is verified. If it doesn’t match, the message was modified along the way.
One modification, even a punctuation change, changes the message digest.
5 Requirements of a Hashing function:
1. The Input can be of any length.
2. The Output must be of fixed length.
3. The Hash function must be relatively easy to compute.
4. Hash function has to be one-way. (Cannot be reversed to produce the original message)
5. Collision free / unique – No two messages can create an identical hash.
Collision attack:
When identical message digests can be derived from two
different source messages.
Example: Modifying an exe file with malware, and ensuring via
Collision that the message digest matches the original. You would
trust and execute the malware file assuming that it’s the original.
HASH FUNCTIONS
Ashish could have used Vinod’s Public key to encrypt the original message to provide Confidentiality.
DIGITAL SIGNATURE ALGORITHMS
HMAC – Hashed Message Authentication Code
Only guarantees Integrity of a message.
Uses a Shared key – only communicators who know the shared key can create, or verify the digital signature.
No Non-repudiation or authentication – as anybody with the key can generate the message.
Others:
Schnorr’s and Nyberg-Rueppel.
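The digest comparison from the HASHING notes and the shared-key check from the HMAC notes, side by side, as an added example that is not part of the original notes. SHA-256, the key and the messages are assumptions constructed for the illustration.

```python
import hashlib
import hmac


def digest(message):
    """Fixed-length message digest (SHA-256 chosen here as an assumption)."""
    return hashlib.sha256(message).digest()


def verify_digest(message, received_digest):
    return hmac.compare_digest(digest(message), received_digest)


def tag(shared_key, message):
    """HMAC: a digest that can only be produced with the shared key."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def verify_tag(shared_key, message, received_tag):
    # compare_digest runs in constant time, so the comparison itself leaks nothing
    return hmac.compare_digest(tag(shared_key, message), received_tag)


# Constructed sample data, not from the page.
SHARED_KEY = b"constructed shared key known to Ashish and Vinod"
ORIGINAL = b"Transfer 100 to Vinod."
MODIFIED = b"Transfer 100 to Vinod!"      # one punctuation mark changed


def scenarios():
    """What the recipient concludes in each case (True = message accepted)."""
    return {
        # Untouched message with its own digest / tag
        "digest, untouched": verify_digest(ORIGINAL, digest(ORIGINAL)),
        "hmac, untouched": verify_tag(SHARED_KEY, ORIGINAL, tag(SHARED_KEY, ORIGINAL)),
        # Message changed on the way, check value left alone
        "digest, message changed": verify_digest(MODIFIED, digest(ORIGINAL)),
        "hmac, message changed": verify_tag(SHARED_KEY, MODIFIED, tag(SHARED_KEY, ORIGINAL)),
        # Message changed and the check value recomputed by someone without the key
        "digest, both replaced": verify_digest(MODIFIED, digest(MODIFIED)),
        "hmac, both replaced": verify_tag(
            SHARED_KEY, MODIFIED, tag(b"not the shared key", MODIFIED)),
    }


if __name__ == "__main__":
    for case, accepted in scenarios().items():
        print(f"{case:26} accepted={accepted}")
```

A bare digest that travels with the message is accepted once both are replaced together; the HMAC tag is not, because it cannot be recomputed without the shared key.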
PUBLIC KEY CERTIFICATES
COMPONENTS OF A CERTIFICATE
Version of X.509
Serial Number from the certificate creator / issuer
Signature Algorithm Identifier.
Issuer Name – the CA who issued the certificate.
Validity Period – from x to y
Subject’s Name – the DN to whom the certificate is issued.
Can be a hostname/IP like maps.google.com
Can also be a wildcard that maps to a whole domain - *.google.com
Subject’s Public Key – aka use this to encrypt data when you send to me!
Subject - To whom the cert is issued.
CA - Who validates the subject and issues the cert.
Intermediate CA - Who can issue cert’s on behalf of the CA
X.509 – The standard that governs Certificates.
Phases of Certification
Enrollment
- CA verified identity of subject.
- CA generates Public and Private key for subject.
Verification
User verifies
- identity and trust of CA.
- Subject DN matches the actual entity.
- Not on a CRL
Revocation
- Private key compromised
- Details changed
- Error in issuing.
Revoked using CRL or OCSP
HSM – Hardware Security Module’s provide Key management. TPM is an example of HSM
CRL – Static list with Serial numbers of revoked certs.
OCSP – OCSP request to CA to verify validity.
CRYPTOGRAPHIC ATTACKS
Frequency Analysis
Analyze the frequency of common alphabets – e, t, a, o, i, n etc. and use that to decipher the message.
Defeat: Randomize the message with IV.
Dictionary Attacks
Use commonly used words or phrases to decrypt the message, example: pass, pass123, dateofbirth
Defeat: Do not use common words or phrases.
Rainbow Tables
Precomputed values for cryptographic hashes. Enhances Brute forces.
Brute-force
Try every key combination to unlock the encrypted message.
Defeat: Use an encryption algorithm with a higher work factor than the time needed to keep data secure. Use Brute-force protection mechanisms such as 5 times wrong = block access.
Meet in the middle:
Encrypt on one side, decrypt from the other. Meet in the middle.
Birth Day Attack:
Create Hash Collisions.
Known Plain-text:
Use a known plain text and an encrypted text to derive the key.
Goal is to use that key to decrypt future communications.
Chosen Plain-text:
Choose Plain-text to be encrypted and compare with encrypted message to derive the key.
Chosen Cipher-text:
Choose Cipher-text to be decrypted and compare with known plain-text to derive the key. (Typically Asymmetric crypto)
Adaptive Chosen:
Uses either Chosen Plain or Cipher-text in round one and then adapts further rounds based on previous round.
Differential Cryptanalysis:
Difference between two encrypted messages.
Replay:
Replay an encrypted message captured between two parties.
APPLIED CRYPTOGRAPHY
Web: SSL & TLS use Public Key Infrastructure and Symmetric Encryption.
S/MIME: Email encryption with PKI/ Symmetric. RSA with AES/3DES
PGP: Email encryption with web of trust. RSA with IDEA and MD5
Hardware: TPM used to derive and store symmetric encryption keys for Full Disk Encryption.
Steganography: Hide a message in a digital image, music or movie.
Watermarking: Hide the Author’s signature in a work to identify the author/source
DRM: Digital Rights Management. Control the rights such as copy/play/use on data.
Wireless: WPA2 encrypts communication between client and AP
Networking: IPSEC encrypts communication between two gateways or hosts.
IP-SEC: INTERNET PROTOCOL SECURITY
IPSEC can be Symmetric (Shared Secret) or Asymmetric (PKI) to setup a VPN Session.
Transport Mode:
Host to Host, Protects Payload, not header. Adds a new Header.
Tunnel Mode:
Gateway to Gateway, encrypts full packet. Adds a new header. Can provide confidentiality and authentication (ESP + AH)
Security Association:
One-way communication channel. Use both for best security. Each requires two SAs. So a single tunnel will require 4 SA’s if both used.
(AH) Authentication Header:
Encrypts the header information. Authentication, Message Integrity and Non-repudiation. Prevents Replay.
ESP – Encapsulating Security Payload:
Encrypts the payload.
PFS: Perfect Forward Secrecy:
Long term key cannot be used to decrypt past messages.
ISAKMP/IKE:
• Authenticates Peers.
• Creates and Manages SA
• Key Generation Mechanism.
• Threat Protection i.e. Replay, MiTM.
SPI – Security Parameter Index:
• Unique per SA.
• IPSEC transforms (algorithms), security keys used.
• SPI must match for an inbound SA to bring up the SA
SECURITY MODELS
State Machine Model
System is always secure, no matter its state.
Always boots into a secure state, maintains a secure state across transitions, and allows subjects to access resources in a secure compliant manner by security policy.
Information Flow model
Focused on Flow of information.
Subjects
Active Entities. Manipulate Objects.
Objects
Passive Entities. Manipulated by Subjects.
A Subject can also be an object.
[Figure: User, Web server, Database]
Security Perimeter
Delineates the Trusted and the Untrusted components within a computer system.
Isolates the TCB.
Reference Monitor
Abstract machine concept that mediates all access between subjects and objects.
Defines the rules (laws) like an ACL.
Security Kernel
Enforces the Reference monitor concept.
Must facilitate isolation of process.
Enforces the rules defined by the Reference monitor.
[Figure labels: USER SPACE; USER PROCESS; REFERENCE MONITOR; TCB; Security Perimeter; SECURITY KERNEL]
SYSTEM STATES
ROM – Read-only, non-volatile memory. Content burned in at factory. Non-modifiable.
PROM – Programmable Read-only memory: end user/oem burns in chips contents. Only allowed once.
EEPROM – Electronically Erasable PROM: Can be erased and re-written via electronic voltages. Only full erase and write functions.
Flash Memory – Uses NAND Flash. Can be written and erased in blocks. (single file write/deletes etc.)
CACHE – volatile, used to store frequently accessed data. CPU’s have L1 and L2 cache which are registers that store information which the ALU executes.
Registers – Any data ALU manipulates must be inside a register.
Static RAM – Uses Flip-Flops to store volatile data, refreshed at power outage. Expensive.
Dynamic RAM – Uses Registers to store volatile data, CPU must constantly refresh via electric voltages. Inexpensive.
MEMORY ADDRESSING
Register Addressing: used by the CPU to access one of its registers to store/access data in the register.
Immediate Addressing: Instructions supplied as part of a command that does not require the CPU to fetch anything.
Direct Addressing: CPU is given the memory address to fetch instruction.
Indirect Addressing: CPU is given a memory address to another memory address that has the instruction.
Base+Offset Addressing: Use a value stored in a register as base, and begin counting using the offset.
Primary Memory: Readily available information accessed by the CPU. Temporary. Ex. RAM
Secondary Memory: Long-term storage. Ex. HDD, SSD, Tape
Volatile: Temporary. Wiped after power loss. Ex. RAM
Non-Volatile: Long-term. Retains data. Ex. HDD
Random Access: Info can be randomly accessed based on addresses. Ex. RAM, HDD, Flash
Sequential Access: Info has to be accessed in the written sequence. Ex. Tape
ESSENTIAL SECURITY PROTECTIONS
Layering: Defence in Depth for Processes. The most privileged threads are processed in the inner layer, like the Ring Model.
Abstraction: Subject doesn’t need to know all details (such as how it works) of an Object.
Data Hiding: Prevent one class from accessing / viewing data of higher class.
Process Isolation: Processes are executed in different memory spaces in an OS so that they do not interfere with each other.
The OS provides Process Isolation in normal environments. In VM environments it’s the Hypervisor.
Security Domains: Groups of subjects and objects with similar security requirements. Example: Kernel mode, user mode.
Hardware Segmentation: Segment hardware based on function, segment VMs to hypervisors based on functions.
Principle of Least Privilege: Lowest privilege needed.
Separation of privilege: Different tasks – security admin and network admin with differing goals.
Accountability: Audit logging, usage recording.
Data Execution Prevention
Prevent processes from executing instructions in memory locations that are not predefined in the code.
Address Space Layout Randomization
Randomize executing memory space of programs. Example: Attacker develops an exploit on his pc for a memory address, won’t work on client as the process address changes due to ASLR.
PROTECTING HARDWARE SYSTEMS
Storage Media:
1) Data remanence – Sanitization
2) Theft/Loss – Encryption
3) Unauthorized access – Identity Controls
Mouse/Keyboard:
1) Keyloggers
2) Bluetooth/RF Interception
3) TEMPEST
Monitors:
1) TEMPEST – data can be read remotely via Van Eck electronic emanations. (Copper protects)
2) Shoulder Surfing
Printers:
1) Unsecured prints on shared printer – Authentication to output tray
2) Sniffing on wire – encrypted transfer to printer
BIOS/UEFI:
1) Phlashing: Malicious BIOS flashing to EEPROM.
Modems:
1) Dial-in attacks: BAN unless required by business.
2) Isolate as security is bypassed.
Forensics Disk Controller can be used to protect Data operations on Disks / Storage Devices. Functions:
• Shall not transmit a command to a Protected Storage Device that modifies Data on the Storage device.
• Shall return the Data requested by a Read operation.
• Shall return, without modification, any access-significant information from the device.
• Any error condition reported by the Storage device shall be reported to the Host.
PROTECTING CLIENT BASED SYSTEMS
APPLETS
Act like a program and execute code on user machine rather than on the server. Example: Cisco UCS Manager. Rules/templates config happens locally, only commands sent to server.
JAVA
• Executes on the JVM (Java Virtual Machine) environment which is cross-platform.
• Operates in a Sandbox environment preventing code from accessing unauthorized resources.
• Lots of other vulnerabilities.
ACTIVE-X
• Microsoft’s, runs in IE.
• Full access to system resources.
• Can perform privileged actions.
• Restrict Active-X in environment.
CACHE POISONING
Poison temporarily stored data to malicious vector. Example: Modify the dns entry to hdfcbank.com to phishing website.
ARP
• Modify the local ARP Cache to point an IP to a malicious mac address. (10 minutes till refresh)
• Create Static ARP Entry to point to malicious mac.
• Can be used to route to malicious gateway.
DNS
• Hosts File poisoning – modifying the hosts file.
• Authorized DNS Server – modify the record on the NS.
• Caching DNS – ISP DNS poisoning.
• DNS Server Poisoning – send malicious DNS server IP
• DNS Query spoofing – reply with false ip.
PROTECTING SERVER SIDE ATTACKS
Prevent Threats:
• Implement Anti-virus.
• Screen Email for Malware, Phishing, spam.
• Web Filtering for web screening.
Prevent Spread:
• Restrict interface controls to applications (user, not privileged)
• Restrict access domains (vlans)
Protect Data:
• Full Disk encryption and file encryption.
• Backup data on the endpoint.
• Secure Wipe capabilities.
• Multifactor Authentication for identity
Protect Asset:
• Temperature / Humidity Controls.
• Tracking, inventory of asset.
• DRP and BCP for Assets.
SaaS: Software as a Service: Application access to organization. Cloud provider responsible for application, server, compute & security. Organization for the security of the Data.
PaaS: Platform as a Service: Platform (such as IIS, Apache) access to organization. Cloud provider responsible for server, compute & security of the Platform. Organization for the security of the Application & Data.
IaaS: Infra as a Service: Compute access to organization. Cloud provider responsible for compute & security of the Compute. Organization for the security of the Application, platform & Data.
Security Monkey from Netflix (https://github.com/Netflix/security_monkey) monitors policy changes and alerts on insecure configuration for AWS and Google Cloud.
PROTECTING IOT & ICS / SCADA SECURITY
IOT Security:
• Deploy separate network for IOT.
• Implement Firewalls between IOT network and Data Network.
• Restrict Management interface access to IOT devices.
• Disable unsecured management such as uPnP.
• Restrict unsecured services on IOT devices – e.g. SNMP monitoring, ftp etc.
SCADA Security:
• Deploy separate network for SCADA.
• Deploy endpoint security on SCADA systems.
• Restrict Management interface access to SCADA / ICS devices.
• Implement AirGap design.
PROTECTING WEB-BASED SYSTEMS
Injection Attacks
• SQL Injection: SQL command inputs via web field.
• Command Injection: OS Command inputs via web field or URL.
• Directory Traversal: jump out of directory to restricted one.
• XML Injection: inject xml code.
Scripting Attacks
• Cross Site Scripting: Attacker inserts malicious code into website that is executed by other users via CGI scripts, SQL injection, web vulnerabilities.
Scripting Attacks
• Cross Site Request Forgery: on the visiting user’s web browser, tricking them to perform actions such as logging out, uploading cookies, changing account details etc.
Prevent Injections
Input Validation: Block metacharacters or use Escaping \ - ‘ “ []\;&^$.|?*+{}()
Limit Account Privileges: smallest set of privileges to the Web server.
Prevent XSS
• Input Validation: Block <script> tags.
• Patch Web servers.
• Implement WAFs
Prevent XSRF/CSRF
• Captcha
• Re-authentication / Confirmation / OTP
• Nonce to URL request
Buffer Overflow Attacks: Overloads the allotted program buffer to write into a memory area that is out of bounds, to corrupt or crash the program or execute malware.
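The "Prevent Injections" advice above, as an added example that is not part of the original notes: the same lookup written with string concatenation, with the metacharacter blocklist in front of it, and with a bound parameter. The bound-parameter form goes beyond the notes; the table, function names and both test inputs are constructed for the illustration.

```python
import sqlite3

# The metacharacters listed in the notes, used as a blocklist.
METACHARACTERS = set("\\-'\"[];&^$.|?*+{}()")


def make_db():
    """In-memory table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "user"), ("O'Brien", "user"), ("root", "admin")])
    return db


def has_metacharacter(value):
    return any(ch in METACHARACTERS for ch in value)


def lookup_concatenated(db, name):
    """Vulnerable form, shown for contrast: the input becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_blocklisted(db, name):
    """Blocklist in front of the same query: stops the input, but also valid names."""
    if has_metacharacter(name):
        raise ValueError("input rejected: metacharacter present")
    return lookup_concatenated(db, name)


def lookup_bound(db, name):
    """Bound parameter: the value is passed as data and is never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]


def outcome(fn, db, name):
    """Return the rows, or the name of the exception the lookup raised."""
    try:
        return fn(db, name)
    except (ValueError, sqlite3.Error) as exc:
        return type(exc).__name__


def compare():
    db = make_db()
    # Constructed test inputs: a real surname with a quote, and a classic tautology.
    inputs = {"legitimate": "O'Brien", "injection": "x' OR '1'='1"}
    lookups = (lookup_concatenated, lookup_blocklisted, lookup_bound)
    return {label: {fn.__name__: outcome(fn, db, value) for fn in lookups}
            for label, value in inputs.items()}


if __name__ == "__main__":
    for label, results in compare().items():
        print(label, results)
```

The blocklist stops the injection input but also refuses the legitimate surname, while the bound parameter returns the right row for the surname and no rows for the injection input.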
PROTECTING MOBILE DEVICES
Side Channel: Side channels are unintended leakages. These look at timing differences to process information, power consumption etc. and
are typically targeted at the CPU.
Code Flaws: Source code analysis.
Trusted Recovery: System recovers with security intact.
Input and Parameter checking: Prevent web based attacks with language codes like <>= etc.
Maintenance Hooks – Put in by the developer to gain direct privileged access to the system. Can be exploited once method is known.
Backdoor – unintentional privileged access by malicious vector.
Privileged Programs – modify privileged programs to perform malicious actions. Psexec to harvest admin credentials or modify scripts to
perform malicious actions.
Data Diddling / Salami – small random, incremental changes to a system or data.
Time of Check Time of Use (TOCTOU) – modify file with precise timing between when a file is checked for integrity and file is used.
(Race conditions)
Electromagnetic Radiation – TEMPEST : monitors/keyboard/mice
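The TOCTOU item above, as an added example that is not part of the original notes: an integrity check that re-opens the file for use, next to one that checks and uses the same bytes. The file name, contents and the `swap` helper that models a concurrent writer are constructed for the illustration.

```python
import hashlib
import os
import tempfile


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def check_then_use(path, expected_hash, between=None):
    """Vulnerable pattern: the file is opened once to check and again to use."""
    with open(path, "rb") as f:
        if sha256(f.read()) != expected_hash:
            raise ValueError("integrity check failed")
    if between:
        between()                 # the window between time of check and time of use
    with open(path, "rb") as f:   # second open: may no longer be the checked content
        return f.read()


def read_once_then_check(path, expected_hash, between=None):
    """Hardened pattern: read once, then check and use the same bytes in memory."""
    with open(path, "rb") as f:
        data = f.read()
    if between:
        between()                 # a change to the file now has no effect on `data`
    if sha256(data) != expected_hash:
        raise ValueError("integrity check failed")
    return data


def demo():
    """Run both patterns while a concurrent writer (modelled by `swap`) replaces the file."""
    trusted = b"mode=safe\n"      # constructed sample content
    replaced = b"mode=unsafe\n"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.conf")   # hypothetical file name

        def swap():
            staged = path + ".new"
            with open(staged, "wb") as f:
                f.write(replaced)
            os.replace(staged, path)           # rename over the checked file

        for pattern in (check_then_use, read_once_then_check):
            with open(path, "wb") as f:
                f.write(trusted)
            results[pattern.__name__] = pattern(path, sha256(trusted), between=swap)
    return results


if __name__ == "__main__":
    print(demo())
```

The first pattern passes its check and still hands back the replaced content; the second returns exactly the bytes it verified.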
PHYSICAL SITE DESIGN
Primary concerns when selecting a Site
Utility Reliability
• How reliable is a local utility for Power?
• UPS can provide short reliability, Generators provide longer but need refueling.
Crime
• Primary issue is Employee Safety.
• Additional issues – theft of company assets.
Accessibility
• Travel time to location.
• Public services near location.
• Ease of access to employees.
Shared tenancy / Adjacency
• Other tenants poor security may lead to intruders in building.
• Preventive controls for movement of visitors.
Site Marking
• Not externally marked as a Data Center to prevent unwarranted attention.
Shared Demarc
• ISPs have a single external circuits Telecom Demarcation point for shared tenants.
• Tenants wire from here to resp. floors.
• Intruder can mess with Shared Demarc to bring outage.
PHYSICAL SECURITY – PERIMETER DEFENSES
Fences
• 3 feet – Deterrent
• 6 feet – Deter most intruders.
• 8 feet with barbed wire – Preventive – deter most determined.
Gates
• Class I – Residential
• Class II – Commercial (parking)
• Class III – Industrial (loading dock)
• Class IV – Restricted Access (Airport / Prison)
Lighting
• Detective and deterrent control.
• Fresnel lights aim at a specific direction.
• Lumen (foot candles)
• Lux – metric system.
CCTV
• Detective and Deterrent Controls.
• Aid security guards in detecting presence of intruders.
• Depth of field – area in focus
• Field of view – area view covered by camera.
Locks
• Key locks – physical key, can be shared or duplicated.
• Combination locks – button or keypad or dial based key combination. Sharing of keys.
SmartCards
• Contact based – Smart card reader.
• Contact-less – RFiD / Wireless.
• Magnetic stripe – Swipe cards.
Bollards
• Designed to stop cars and vehicles.
• Preventive control
Walls
• Should withstand up to 1 hour of fire damage.
PHYSICAL SECURITY – ACCESS DEFENSES
Tailgating / Piggybacking
When an unauthorized person follows an authorized person without authentication.
Mantrap
One door must close, before second opens. Two different authentication forms. Security guards may also verify authenticity for second door.
TurnStile
One person per access. Revolving door concept. Authenticated via Smartcard or Security Guard
Contraband Checks
Detective and Deterrent. Detect weapons, explosives, banned items such as USB, Mass storage etc.
PHYSICAL SECURITY – BUILDING DEFENCE
Alarms
• Deterrent Alarms – engage mechanisms to make further intrusion difficult.
• Repellant Alarms – siren or sound based to deter attackers from advancing
• Notification – silent. Notify the security or law enforcement.
• Local Alarm system – broadcast 120db to be easily heard 400 feet away.
• Central Station – silent locally, broadcast at central monitoring.
• Auxiliary – notify emergency services. Added to local or Central.
Motion Detectors
• Wave Pattern (Ultrasonic) – Active sensor. Energy wave transmitted and listened for echo.
• Photoelectric – sends a beam of light to another sensor. Alerts when beam is broken.
• Infrared – changes in infrared lighting pattern.
• Heat based – heat level changes.
• Capacitance – electric or magnetic field changes.
• Passive audio – noise changes.
Guards
• Add dynamic control: can inspect credentials, respond to incidents, monitor CCTVs and act as Deterrents.
• Background verification needed.
• Can be affected by general illness, mental / health issues.
• Rotation recommended.
Dogs
• Perimeter Defence.
• Deterrent Controls.
• Legal liability.
ENVIRONMENTAL CONTROLS
Electricity
• Fault – temporary loss of power.
• Brownout – prolonged low voltage.
• Blackout – prolonged loss of power.
• Surge – prolonged high voltage
• Spike – temporary high voltage.
• Sag – temporary low voltage.
• Surge protectors – tripped during Surge or spike. Short or regulate level.
• UPS – clean backup power.
• Generators – longer backup power, needs refueling.
Heat, Ventilation Cooling
• HVAC
• Humidity – 40-60%
• Temperature – 60-75F (15-23 C degrees)
• High Humidity – leads to corrosion
• Low Humidity – leads to Static Electricity.
• Prevent condensation with a positive drain system.
EMI
• Electromagnetic interference or Crosstalk – Poorly shielded cables or routes.
• Don’t route Network and Power cables together.
• Proper cable management.
• Shielded UTP or Coaxial less susceptible to crosstalk.
• Fiber Optics has no crosstalk.
Static & Corrosion
• Proper grounding.
• Anti-static Straps.
• Proper humidity levels – 40-60%
FIRE DEFENCE
Sr.No  Class  Materials                Suppression
1      A      Ordinary – wood, paper   Water or Soda Acid
2      B      Liquid – petrol etc.     Halon, FM200, Soda Acid, CO2
3      B      Flammable Gases - cng    Halon, FM200, Soda Acid, CO2
4      C      Electrical Equipment     Halon, FM200, CO2
5      D      Combustible Metals       Dry Powder
6      K      Kitchen Oil fires        Wet Chemicals
Sprinkler Systems:
• Wet Pipes – water right up to sprinkler head. Glass bulb melts / breaks at specific temperature. Each head independent.
• Dry Pipes – Water held back by valve, compressed air in pipe. As head opens, pressure drops and water released.
• Deluge – Sprinkler heads are always open and larger than dry pipes. Valve opens water flow via manual or fire alarm.
• Preaction – combination of two, opens via two separate triggers.
Detection Systems:
• Fixed temperature
• Rate of rise – speed of temp changes.
• Flame actuated – infrared energy of flames.
• Smoke Actuated – photoelectric or radioactive
Fire Hazards:
• Smoke
• Toxic Vapors and materials
• Water Damage
• Building collapse.
Fight fire by removing one of the 3 elements to break up the chemical reaction.
[Figure: Fire Triangle – Oxygen, Fuel, Heat]
Fire Drills / Evacuation Routes – training for a fire event.
Payload is Encapsulated as it travels down from the Transport layer into Segments, Packets, Frames and Bits.
TOPOLOGIES
Ethernet
Layer 2 Broadcast based technology, essentially a Bus technology, but typically implemented as a Star
Collision Domains: Two devices send packets at the same time on a shared segment.
A Hub is one collision domain, only one device can transmit at a time!
A switch breaks collision domains. Every port on a switch is one collision domain.
Broadcast Domains: The entire Layer 2 network. Routers break broadcast domains, VLANs reduce broadcast domains.
Token Ring
Developed by IBM, uses a Ring topology and a proprietary token passing technology for transmission.
Whosoever has the token can transmit data.
Other hosts have to wait until they receive the token to transmit. The token is passed along the ring.
No collisions!
16 Mbps
FDDI
Used for Fiber Optic data transmission.
Uses a Dual Ring topology with rings in opposing directions to provide redundancy and dual bandwidth.
Typically a Service Provider or MAN implementation.
ETHERNET – MEDIA AND MAC
Simplex: Only one sided communication. Ex: A Letter, FM Radio
Half Duplex: Only one side can transmit (speak) at a time. Ex: Walkie Talkie
Full Duplex: Both sides can transmit at a time. Ex: Phone call
Attenuation is the loss of signal strength and integrity over a distance.
UTP: Unshielded Twisted Pair, susceptible to EMI.
STP: Shielded Twisted Pair, less susceptible to EMI.
Fiber Optic: Data via light, not susceptible to EMI.
ETHERNET Media Types:
10Base2 – Thinnet Coaxial, 2 Mbps
10Base5 – Thicknet Coaxial, 5 Mbps
10BaseT – UTP Cat 5, 10 Mbps, 100m
100BaseT – UTP Cat 5, 100 Mbps, 100m
100BaseFX – Fiber Optic
1000BaseT – UTP Cat 5e/6, 1Gbps, 100m
10GBaseT: Copper 10G on UTP, Cat 7
10GBase-SR/LR/ER: 10G fiber-optic. S = Short Range, L = Long range, E = Extended range.
Electromagnetic Interference (EMI) can introduce crosstalk, transmitting data between wires next to each other. TEMPEST attacks can be used to harvest data via EMI.
MAC Addresses
Mac Addresses are typically 48 bits and burned in from factory.
First 24 bits are called OUI – Organizational Unique Identifier and identify the manufacturer of the NIC card – such as Cisco, Juniper, Palo Alto etc.
The last 24 bits are the serial number, and unique to each NIC.
EUI-64 was created to increase the pool. The OUI is still 24 bits, but the serial number is now 40 bits.
IPv6 autoconfiguration is compatible to both MAC Types.
Modern OSes allow Mac Addresses to be changed via tools, thus allowing mac addresses to be spoofed.
You can quickly look up the OUI of a MAC address for IP Spoofing. (Example: A rogue Cisco router has the same IP as your Sonicwall Firewall). An arp –a on a windows PC will give you clues!
LAYER 2 SECURITY - VLANS
VLANs
VLANs virtualize Local area networks and allow separation of a physical LAN into multiple smaller compartments, such as departments. A VLAN of the Sales department allows communication between only Sales PCs.
This creates smaller Broadcast domains, lowering broadcast traffic and reducing bandwidth congestion.
VLANs enforce separation, which is essential in security. Traffic between VLANs has to traverse through a Layer 3 device such as a router or an L3 Switch where Access Lists can enforce control for inter-vlan traffic.
VLANs are Layer 2. A Layer 3 VLAN is a VLAN with an IP Address and
VLAN hopping can allow attackers to traverse VLANs by adding double VLAN tags to a frame. Disable trunking and use a native vlan with unassigned ports.
PVLANs – Port Isolation
Private VLANs enhance the concept of VLANs further by taking the compartment concept to individual port.
Ports in a PVLAN only talk to the uplink port and/or community port and not between themselves.
Promiscuous (P) Port – Uplink to a router, firewall etc.
Community (C) Port – Port that communicates with the P Port and other Ports on the PVLAN. (Ex: An Authentication server)
Isolated (I) Port – A Host on the PVLAN. Can only talk to the
PVLANs can be implemented for Secure Zones and prevent Lateral movement via Layer 2 such as Secured Hosting, a block of Application servers, or VDI.
VXLANs provide virtual Layer 2 Overlay networks over Layer 3.
A simple example is, extending the L2 subnet over two Data Centers on an underlying L3 infrastructure. VMs can then be moved within the DCs without changing addresses!
SPAN or Mirror Ports provide duplicate streams of traffic from a source port/s. SPAN ports are used for IPSes, WAFs, DLP, Monitoring to get a copy of the
WAN TYPES
ISDN – Digital voice, video, data.
BRI – Two data and one control channels – 144kbps.
PRI: T1 – 23 Data and one control channels – 1.544 Mbps
E1 – 30 Data and one Control channel – 2.048 Mbps
T3 – 28 bundled T1s – 45 Mbps
SONET: Optical network that connects continents.
DSL: Digital subscriber Line, symmetric, same upload/download speed.
ADSL – Asynchronous DSL, varying Upload and Download speed.
VDSL – High bandwidth DSL
ATM – Circuit switched network. Each site needs dedicated circuits for connection.
Frame Relay – Packet switched network. Frame Relay supports Virtual Circuits – One single physical link can support multiple Private Virtual Circuits to connect to sites.
MPLS – Fast, label-switching WAN, establishes pre-defined routes. Can route to multiple sites over single link without a PVC via routing protocols such as MP-BGP. Adds Label headers and can forward IP and Non-IP Packets.
SD-WAN – The cost of dedicated WAN such as MPLS has driven SD-WAN. SDWAN enables an enterprise to create a WAN fabric across an underlying multi-wan network such as MPLS, Internet etc. SD-WAN enhances traffic delivery by adding auto-failover, congestion detection and application bandwidth optimization.
INTERNET PROTOCOL V4 AND SUBNETTING
IPv4 uses 32-bits for addressing and is divided into the below classes:
Class D: 224-239.255.255.255 – used for Multicast.
VLSM allows using variable subnet masks to reduce subnet size, for example breaking a Class B address into a Class C for Vlans.
RFC 1918 Addresses: Private address, non routable:
Loopback Addresses: Test the local TCP/IP stack
127.0.0.1 (although the whole 127.0.0.0/8 is reserved)
APIPA Address: Used by Microsoft Windows, when DHCP IP is not received.
169.254.x.x
KEY FIELDS OF IP HEADER
Version: IP version (4 for IPv4)
IHL: Length of Header
ToS: Used to specify DiffServ for QoS
Time to Live: End routing loops.
Protocol: Encapsulated protocol – TCP, UDP, ICMP, etc.
Source Destination IP Address
Optional: Options & Padding.
MTU: Maximum Packet size transmission allowed. Max: 1500 bytes
Key IP Protocol numbers
Protocol  IP Protocol No
TCP       6
UDP       17
ICMP      1
GRE       47
ARP: Resolve IP to MAC
RARP: Resolve MAC to IP
Both prone to spoofing / poisoning. Hardcode on sensitive networks.
IPV6 SECURITY
IPv6 improves on v4 by increasing addresses from 32bits to 128bits.
The massive size of the header increases the difficulty in Port scanning.
Cryptographically Generated Addresses (CGA) allows user to provide “proof of ownership” for an IPv6 address in the IPv6 neighbor router discovery mechanism:
Spoofing and Stealing of IPv6 Addresses much harder.
Allows for messages signed with the owner's private key.
No need of an upgrade or modification to the network infrastructure.
IPSec is mandatory in IPv6, providing authentication, integrity, confidentiality and access control with AH & ESP.
Elimination of ARP and its related vulnerabilities – Interface ID of a L3 IPv6 address is derived from an L2 Address, and is used globally in an IPv6 network. Neighbor discovery Protocol replaces ARP.
IPv6 adoption lags and can lead to security issues such as:
Unauthorized clients: By default IPv6 is enabled in most modern devices and OSes, unintentionally increasing the attack surface where the enterprise lacks the capabilities/defences from IPv6 attacks.
Disable IPv6 from devices
Detect and block IPv6 or IPv6 tunnel traffic at the perimeter.
Dual Operation: Organizations migrating from IPv4 to IPv6 may enable both protocols and security simultaneously. Security policies must be addressed and reviewed for both protocols.
Filter IPv6 transition technologies such as 6to4, SIT, Teredo and allow only needed. Teredo (IPv6 over UDP) may unknowingly flow if Firewall allows UDP,
creating an easy vector for C&C Communications.
ICMP – INTERNET CONTROL MESSAGE PROTOCOL
ICMP: Internet Control Message Protocol is used for IP Investigations of Reachability.
ICMPv6 is used for IPv6
ICMP has its own Transport layer protocol.
Ping: Checks for reachability, Sends an Echo request and waits for an Echo reply. Checks for latency between hosts. Usually Filtered at firewalls.
[Diagram: TCP session. Session Establishment, 3 Way Handshake: SYN, SYN-ACK, ACK. Session Established, Data Transfer: DATA, ACK. Session Close: FIN, ACK, FIN, ACK.]
Next Generation Firewalls: As apps shifted to HTTP/S, firewalls shift focus from Port based to Application based, sampling traffic to determine the actual application (example: A telnet on Port 80 is now categorized as Telnet app)
[Diagrams: Three Tier Firewall DMZ (DMZ, DB, LAN); DMZ With Firewall Sandwich (DMZ, LAN); Bastion Host (WAN, Bastion Host, DMZ, LAN)]
Dual Homed Host: Host with two interfaces, with a firewall to filter traffic between the interfaces.
Bastion Host: is a hardened system exposed to the internet to securely expose services to the internet. A Reverse Proxy is also a Bastion Host. Also called Screened Host.
Example: An Antivirus server has the same port for management and user updates. If directly exposed, it can lead to attacks on the mgmt. console. A Bastion Host securely exposes only user-updates service and restricts management access from the internet.
NAT: Static NAT is 1-to-1 Mapping. 1 Public IP to 1 Private IP. Inbound/outbound connections.
[Diagram: WAN 1.1.1.1, NAT, DMZ 192.168.10.50]
[Diagram: WAN 1.1.1.1, NAT, DMZ 192.168.10.0/24]
DMZ: Internet exposed servers separated from the
Anti-Spam gateways are the modern solution for fighting spam. These typically include Bayesian filters that learn good vs. bad mail for an organization and use methods such as RBLs, Anti-malware filtering and DLP to provide email security.
NETWORK SECURITY: CONTENT/WEB FILTERING
Web Filtering provides protection against:
Phishing Websites: Can use reputation or content detection lookups to prevent users from navigating to Phishing URLs.
Malware: Secure Web Gateways can include reputation lookups for downloads or in-built malware scanning to protect against drive-by downloads.
Illegal Content: Prevent users from navigating and using malicious or illegal websites in the workplace such as Adult or
Gambling.
Non-business: Prevent users from using Social-media or other non-business apps at the workplace to prevent productivity loss.
Leakage: Prevent file-sharing websites or apps to prevent data leakage.
Secure Web Gateways have additional controls that promote better browsing behavior such as:
Quotas: Users are allotted fixed quotas for browsing either time or data based. Used typically in education or hotspots.
Bandwidth Shaping: Prevent apps/users from exhausting bandwidth by enforcing upper level bandwidth restrictions. Can also be used to
provide guaranteed bandwidth for Business apps.
TLS Inspection: SWGs act as Man-in-the-Middle proxies to decrypt and filter encrypted TLS/SSL traffic.
Internationalized domain name (IDN) Homograph attack uses non-ASCII characters that look like the Latin characters to spoof known trusted URLs. Browsers or Web Filters can be configured to block IDNs and non-ASCII URLs or Suspicious Websites, e.g. www.rolex.com vs www.rὀlex.com
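The check a web filter can apply to the rolex example above, as an added example that is not part of the original notes. The trusted list, the small look-alike map and the verdict names are assumptions made for the illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed for this example: a one-entry trusted list and a tiny look-alike
# map. A production filter would load its own allow-list and the full Unicode
# confusables data (UTS #39).
TRUSTED = {"rolex.com"}
LOOKALIKES = {"\u03bf": "o", "\u043e": "o", "\u03b1": "a", "\u0430": "a",
              "\u0435": "e", "\u0440": "p", "\u0441": "c", "\u0456": "i"}


def decode_label(label):
    """Return the Unicode form of one DNS label, decoding xn-- punycode."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: keep the raw label
    return label


def scripts(label):
    """Scripts used by the letters of a label, e.g. {'LATIN', 'GREEK'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(label):
    """Strip accents and fold known look-alikes to their Latin twin."""
    decomposed = unicodedata.normalize("NFKD", label)
    base = (ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(LOOKALIKES.get(ch, ch) for ch in base)


def check_host(url):
    """Return (verdict, reasons) for the host part of a URL."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    labels = [decode_label(part) for part in host.split(".") if part]
    shown = ".".join(labels)  # what the user sees in the address bar
    folded = ".".join(skeleton(label) for label in labels)
    reasons = []
    if not shown.isascii():
        reasons.append("non-ascii")
    if any(len(scripts(label)) > 1 for label in labels):
        reasons.append("mixed-script")
    for trusted in sorted(TRUSTED):
        real = shown == trusted or shown.endswith("." + trusted)
        looks = folded == trusted or folded.endswith("." + trusted)
        if looks and not real:
            reasons.append("lookalike-of:" + trusted)
    # Policy assumed here: block spoof indicators, send other IDNs to review.
    if any(reason != "non-ascii" for reason in reasons):
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


if __name__ == "__main__":
    for candidate in ("www.rolex.com", "www.r\u1f40lex.com",
                      "http://b\u00fccher.example/"):
        print(candidate, check_host(candidate))
```

The punycode form of the same host (the `xn--` label a proxy log would show) is decoded first, so it receives the same verdict as the Unicode form.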
NETWORK SECURITY: PORT SECURITY, 802.1X EAP
Port Security
Port Security provides security against unauthorized network access by requiring authentication on switches before user is allowed on the network.
802.1X protocol enforces Wired Authentication (PEAP) and Authorization to the network as soon as a device connects to the network.
Device with Valid credentials are allowed access to the network.
Devices incapable of 802.1x are allowed by using Mac-bypass mode by adding their macs to the allowed list on the port – Cameras, printers, projectors etc.
Components:
Supplicant – a 802.1x client
Authentication Server AS – authenticates the client
Authenticator – device that needs authentication like a switch or AP.
Network Access Control
Port Security is further enhanced by Network Access Control which validates the health of the device before allowing it on to the network.
NAC enforces a concept of health profiles such as Antivirus Protection on and updated, updates and hotfixes installed, Domain etc. Devices matching the profile are assigned a role and vlan.
NAC can also have multiple profiles such as guest or external vendors that have some protection (AV) and get an isolated VLAN on authentication.
User devices not matching a health profile are quarantined to a quarantine vlan and are pushed for remediation (for e.g. allowed access to update server, helpdesk and AV server to get the necessary updates).
Port Security should be part of every organization's strategy. While physical security can be rigorously implemented at Head offices, the same cannot be said for Remote or small locations.
A bank had an incident at a branch where a vendor technician installed a device on a network switch that housed all the PCs on the LAN and was able to sniff transaction entries, PII being transmitted in the clear to the applications. They used these details to figure out the volume of transactions the branch handled, days with avg. amount of cash deposited and using CCTV footage, the movement of guards. And successfully performed a heist that left the bank with a loss of 70 lacs!
ENDPOINT SECURITY
Signature Based: Best protection from Known Threats. Maintains DB of known malware signatures. Needs constant updates to be effective.
Heuristics / Behavior: Looks for malicious behavior patterns once code executes in memory.
Whitelisting / Blacklisting: Whitelisting aims to allow only approved apps, blacklisting blocks known bad apps.
Sandboxing: Emulates a research lab locally/cloud to protect against the rise of unknown/zero-day malware. Unknown files are sent to the sandbox which executes the code in VMs of popular OSes and performs Static and Dynamic Analysis. If malicious behavior is found, a signature is generated and sent to all the Endpoints to prevent further spread and contain the malware.
AI / Machine Learning: Algorithm generated from known malware to prevent variants of malware at the endpoint without dependency on signatures or behavior patterns. Predictive approach to prevention. Best protection offline/ w/o updates.
Scanning for Malware forms an essential activity for Signature based AVs. Systems should ideally be scanned once a week, and updated daily. Ops teams must be vigilant for devices offline or not updated as they will be vulnerable to the latest malware.
Firewalls: Endpoint firewall to prevent malicious applications accessing the internet or service. A firewall policy blocking TCP 445 SMB could have prevented the Wannacry Ransomware from spreading!
HIPS/IDS: Prevents attacks on vulnerabilities in services on the endpoints.
Device / Port Control: Locks down Ports such as USB, SD Card to prevent manual lateral movement of malware and Data exfiltration. Device control goes further and controls access to WiFi / Bluetooth networks.
Encryption: Disk encryption protects data at rest in case of theft or loss. File Encryption protects data at rest and in transit additionally from insider threats. Removable Media encryption protects data at rest that is copied to media such as Pen drives.
Web Filtering: A local web filtering component is essential to protect endpoints from malicious websites and downloads when off the corporate network.
DLP: Protects Data Loss from the endpoint over Web, Email or Removable media.
DLP | ENCRYPTION
Data Loss Prevention seeks to prevent PII, PHI and IP from traversing out of the network unauthorized.
DLP employs controls such as Label matching, Pattern/Regex matching for words and patterns that could constitute PII, PHI and IP such as Credit card numbers, SSN, secret sauce etc.
Organizations can use additional techniques such as embedding watermarks in all confidential documents and searching for that pattern at the DLP.
DLP systems can also enforce Manager authorization and capture. A confidential flagged document automatically is sent to the Manager for approval before it is allowed. The contents of the message are captured for forensic analysis.
Gateway DLP: Enforces Data Leakage Prevention at the perimeter or gateway and is typically deployed out-of-path via a Span Port.
Endpoint DLP: Endpoint application that protects from leakage at the endpoint. Prevents Data Loss even if employee is out of the network.
Mail/Web DLP: Integration with Web filtering (ICAP Proxy) or Email Gateway to enforce Data Loss Prevention.
Disk Encryption: Encrypts the whole disk and enforces a Pre-boot Authentication. Successfully authenticating unlocks the drive and OS boots. Prevents Outsider threats of theft and loss.
File Encryption: File level encryption on host or network. Additional layer that protects files and grants access to the author or group of users. Users need to successfully authenticate and have the key for data access. Protects from outsider and insider threats.
Removable Media Encryption: Encrypts external media.
Cloud Encryption: Encrypts data traversing to cloud shares such as dropbox or google drive.
Rights Management: Go one step further by controlling data access after data has exited a network with controls such as print, copy, paste, expiry and screenshot controls. (Seclore)
Hybrid: Solutions like Dell’s Data Guardian solution seek to combine DLP, RM and File level encryption together to Protect Data in transit, Granular controls and monitoring of data access & actions!
REMOTE MEETINGS | SCREEN SCRAPING
Terminal Access: Text based console access. Rlogin, Telnet, Rsh, Powershell
Remote Desktop: Graphical terminal access of a remote machine, Ms-RDP.
Screen Scraping: Transmit only the information needed to draw a remote system's screen. Only actions such as mouse movements are transmitted. VNC is a screen-scraping approach. Similarly an attacker can use screenscraping to monitor administrator actions on a protected system.
Screenscraping can also be used to port legacy C/S apps to Web apps where the new UI converts actions into input for the older legacy UI.
Remote/Web Meetings: Reverse tunneling approach that has the Client creating an encrypted channel and the remote-sharing protocol initiated through this channel. Webex, GoToMeeting, LogMeIn.
The Do’s and Don’ts of Remote Access Security:
Do not expose the Remote system directly due to vulnerabilities in the inherent applications. Telnet/Rlogin are not encrypted and should not be used.
Have users use a VPN to access remote systems.
Disable File-copy and Drive mounting to prevent lateral movement of malware that may be present on the user’s machine, data leakage.
Use strong authentication (multifactor) for authenticating to remote systems.
If possible use VDI or Application Virtualization such as RD Web or Citrix or Vmware WorkspaceOne
Filter RemoteMeeting Applications at Proxy or WebFiltering and allow only Organization approved Remote meeting apps.
Beware of Free Remote meeting apps. Two apps: Ammyy Admin and Anydesk have been used in malware attacks in the past. One in every 3 Ammyy downloads contained a malware RAT. The Blackrouter campaign bundled Anydesk for lateral movement and propagation. A simple Deny at the web-filter would have prevented both attacks!
Application Virtualization and VDI provide greater security and availability for remote-access. Application Virtualization exposes only the
application (vs the whole desktop) and provides mobility. VDI can provide persistent or temporary VMs for desktops. VDI should be used
for outsourced workers to perform data processing on a secure environment. VM Escape attacks seek to evade the guest and hypervisor
layer undetected, hence security components such as Micro-segmentation and virtual Firewalls / IPSes tailored for the Virtual
environment should be used.
VOIP SECURITY / POTS SECURITY
Phone Hackers are known as Phreakers.
White box – Controls the phone system, is a DTMF – dual tone multi-frequency generator.
VOIP systems are susceptible to: Sniffing, Denial of Service, Host OS Attacks, VLAN hopping.
Callback Authorization attempts to verify the authenticity of the caller by disconnecting the original call, and redialing to the number defined in the user's profile.
Log all activities on the PBX. Deploy voice recording for processes such as Support or Call center for audit trails. Do note that End users must be notified that calls are being recorded.
DISA – Direct Inward System Access – enables authorized corporate users outside office premises to make calls using the organization's Voice Systems. However Hijack of dialing codes can lead to hijack.
Educate users on the Do’s and don’ts of voice calls, for ex: Do not share passwords with anyone, validate identity, be mindful of the background if speaking on sensitive topics. Avoid sensitive topics on phone conversations as they can be tapped.
NETWORK SECURITY: STORAGE AREA NETWORKS
FC: Fibre Channel is the standard used for Storage area Networks. SANs were typically separated, running on a specialized network comprising SAN Switches.
HBAs are the equivalent of NICs and have a burned in address called the WWPN, and communicate with the SAN Storages by addressing its controllers' WWPN numbers.
Zoning creates compartments (like VLANs) to control SAN communications between parties. Routing over WAN requires specialized equipment.
FC provided availability by having two redundant HBAs, paths, and controllers for the SAN.
FCoE: Fibre Channel over Ethernet is a convergence protocol that transmits FC traffic on Ethernet switches. Requires a CNA (Converged Network Adapter) to listen to both FC and IP traffic.
FCIP: Fibre Channel over IP, encapsulates FC Traffic over TCP/IP, thus removing need for a specialized switch or adapter.
iSCSI: SAN Protocol uses the higher layers such as Application layer to transmit over the network on traditional TCP/IP networks. Can be routed over the WAN. Uses Logical Unit Numbers (LUNs) for addressing Storage on the network.
vSANs or Virtual SANs is a newer disruptive technology that brings virtualization to SAN. It uses the disks on the hosts (e.g. a server) and forms a virtual SAN without needing a dedicated Storage Array.
VIRTUALIZATION SECURITY
Virtualization: The hypervisor is responsible for isolation of Guest OSes.
VMEscape: Enables the attacker to exploit the Guest OS to directly interact with the Hypervisor and other Virtual machines.
Separation: Enforce VLANs between Guests to enforce security. However Inter-vlan communication will require traffic to hit the physical network causing latency.
Virtual Appliances: Virtual Firewalls, Intrusion prevention solutions etc. provide security for the Guests at the hypervisor layer. Traffic does not have to hit the Physical network.
Micro-segmentation: Enables finely grained policies to be applied per guest and secure East-West traffic. Think for example an Ecommerce app, it needs to only access the DB and nothing else. Guest-to-Guest Access control over L2 or L3. Solutions such as NSX or ACI provide microsegmentation.
In a typical hypervisor, any inter-Guest traffic traverses between the vSwitch and does not hit the physical switch at all. Physical controls such as Firewalls, IPSes are useless as traffic never hits the physical network.
[Diagram: two Hypervisors, each hosting VMs (SAP, WEB, SAP, HR) on a VSwitch with NIC and HBA]
Containers provide the next challenge for security professionals. Containers are “virtualized applications” that run on a Host. Rather than virtualizing the OS and the app, only the app is virtualized. Since any host can run a multitude of containers, each having their own vulnerabilities, each Container host needs to be secured along with access controls for the containers. Docker includes Seccomp which are security profiles for containers.
CONVERGED PROTOCOLS | ICS
DNP3 – multi-layer TCP/IP Protocol that enables Industrial systems such as SCADA to intercommunicate. DNP3 is very good at communicating over low-bandwidth links, making it ideal for utilities, power grids and Oil and Gas management systems. DNP3 supports unsolicited messages that exposes Industrial systems to large remote attack surfaces. Maroochy-Shire Sewage System attack [https://www.tofinosecurity.com/why/Case-Profile-Maroochy-Shire] spilled one million liters of sewage due to a false message from a field station.
DNP3 supports Secure authentication
• IEEE 1815-2010 – supported pre-shared keys (deprecated)
• IEEE 1815-2012 – supports PKI
Use Industrial Firewalls or DPI that support the DNP3 protocol.
Host based solutions (such as Endpoint Security) don’t work as PLC’s are Embedded OSes.
A Lot of ICS systems are legacy (15-20 years old), and the cost of replacing them is prohibitive. Thus modern security protocols may not be a possibility. Alternative strategies such as Isolation and Airgap must be used.
AirGap
Separation (ideally physical) of Protected systems and the internet. The idea is to prevent internet based attacks.
ICS Terms
OT – Operational Technology: The computing systems that manage industrial systems.
ICS – Industrial Control Systems: systems that are used to monitor and control industrial processes like conveyor belts, power consumption on electric grids.
PLC – Programmable Logic Controllers: ruggedized device that manages an ICS.
SCADA – Supervisory Control and Data Acquisition: Control and monitor Industrial facilities locally and remotely.
MES – Manufacturing Execution Systems: track and document transformation of Raw material to finished goods.
Deterrent
Discourage people from making security violations.
Ex: Fences, Guards, Warnings.
Recovery
Long term recovery, if damage is extensive.
Ex: Backup & restore (ransomware attack), RAID, Load-balancing, System re-imaging.
Directive
Direct and control user actions.
Ex: Acceptable use policy, Exit signs, warnings, procedures.
Compensating
Backup access control in case primary fails or not available.
Ex: Smartcard – primary, temporary id – secondary.
ACCESS CONTROLS IMPLEMENTATION
Synchronous Dynamic Tokens
Algorithm based dynamic tokens.
Tokens are dynamically generated at a preset time (60 secs) on the token. Token expires after time expires.
Server has a seed database and matches the token based by calculating the algorithm on the token’s seed.
Requires time synchronization between Server and Authenticator. (Usually a calibration process to enter consecutive tokens so server can identify the exact code that will be processed next)
Most Secure.
Example: RSA Securid token generates a Tokencode every 60 seconds.
Asynchronous Dynamic Tokens
Requires an event such as a OTP, Challenge, PIN or Button press to generate a token.
Token once generated is valid till use.
Server matches token code + Challenge with its Seed database.
No time synchronization needed.
Security Concern – Token valid till next use.
Example: Seen above is Arrayshield, that requires you to place the shield on a challenge code generated by the server and type the words as the token code.
Two-Step Authentication
• Websites like google implement OTP based Two-step auth.
• HOTP – HMAC OTP standard to create one-time-password. Valid till used.
• TOTP – Time based OTP, valid till specific time such as 30 seconds.
• NIST SP800-63B recommends Push notifications over SMS.
TYPE III - BIOMETRICS
Fingerprint: Widely used, scans minutiae.
Retina: Scans capillaries at back of eye. Most accurate, but intrusive. Health Risk and privacy issues.
Iris: Second most accurate, passive.
Palm scan: Scans the veins, establish unique identity without another factor.
Hand Geometry scan: Scans the length, width and thickness of hand. Not reliable.
Voice Print: Voice sampling. Vulnerable to capture and replay of voice.
Facial Scanning: Scans facial features against DB. Passive.
Keyboard dynamics: typing style capture (how hard/fast). Change in behavior can cause FRRs.
[Chart: FAR and FRR curves, ERRORS plotted against SENSITIVITY, with the CER marked]
Biometric Accuracy
• Type I Error - False Reject Rate: (FRR) Valid authorized user is rejected.
• Type II Error - False Accept Rate: (FAR) Invalid Unauthorized user is accepted.
• Crossover Error Rate: (CER) When FRR and FAR are equal.
Enrollment:
• Process of registering biometric factor.
• Time should not exceed 2 mins.
• The enrolled biometric is called Enrollment Template which is referenced during the authentication.
Throughput:
• Time taken to authenticate a user with biometric factor.
• Typical time 6-10 seconds.
If the CER of a biometric system is not acceptable: Evaluate other biometric systems.
Zephyr Charts gauge effectiveness of different biometric devices.
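How FAR, FRR and the CER fall out of match scores as the sensitivity (threshold) is moved, as an added example that is not part of the original notes. The two score lists are constructed sample data and the 0 to 100 score scale is an assumption.

```python
# Constructed match scores (0-100) from an evaluation run: GENUINE are
# enrolled users presenting their own biometric, IMPOSTOR are everyone else.
GENUINE = [55, 62, 68, 71, 74, 78, 81, 85, 90, 95]
IMPOSTOR = [20, 25, 31, 36, 42, 47, 53, 58, 64, 72]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)     # Type I
    far = sum(s >= threshold for s in impostor) / len(impostor)  # Type II
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Return (threshold, CER): the first setting where FAR and FRR meet."""
    def gap(t):
        far, frr = rates(t, genuine, impostor)
        return abs(far - frr)
    best = min(range(0, 101), key=gap)
    far, frr = rates(best, genuine, impostor)
    return best, (far + frr) / 2


def threshold_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold meeting a FAR ceiling, and the FRR users pay for it."""
    for t in range(0, 101):
        far, frr = rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t in (40, 63, 80):
        print("threshold", t, "FAR/FRR", rates(t))
    print("crossover", crossover())
    print("FAR <= 10%", threshold_for_max_far(0.1))
```

Raising the threshold trades false accepts for false rejects; the CER is the single figure used to compare two devices.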
TYPES OF AUTHENTICATION
3. Client sends the authentication request encrypted with the Symmetric Key and the encrypted TGT to the KDC Ticket Granting Service (TGS).
Principal / Client -> KDC Ticket Granting Service (TGS): TGS_REQ ({Auth_REQ}Symmetric_Key) ({TGT}TGS_Secret_Key)
Since the client sends a valid TGT, the client has validated identity to the TGS.
4. TGS sends a Session_Key encrypted with the Symmetric_Key, and a Service_Ticket encrypted with the Target_Service (TS) secret Key.
KDC Ticket Granting Service (TGS) -> Principal / Client: TGS_REP ({Session_Key}Symmetric_Key) ({Service_Ticket}TS_Key)
5. Client connects to the Target service (TS) and sends the Session Key and the Service Ticket.
Principal / Client -> Target Service (Auth: Print Service): AP_REQ ({Session_Key}Symmetric_Key) ({Service_Ticket}TS_Key)
The TS knows the client is valid (since it has the Session Key). TS decrypts the “Service Ticket” and verifies with the KDC.
6. Allow Access (AP_REP)
Replay attacks possible by sniffing the Authenticator (Session and Service keys) and DoSing / Spoofing the client.
Keys cached locally are not encrypted.
Kerberos 4 did not validate the end user allowing another user to request a key on behalf of user. Kerberos 5 fixed this issue.
SESAME, a European followup protocol implements PKI, eliminating the plain-text storage of local keys.
FEDERATED IDENTITY MANAGEMENT
Security Association Markup Language (SAML)
• Log-In to Federated sites via SSO. Enterprise websites and apps.
• Uses XML
• Components:
  • Assertions: Authentication, Attribute, Authorization
  • Protocols: HTTP, SMTP, SOAP, FTP
  • Bindings: SAML over SOAP, SAML over HTTP
• Roles:
  • Identity Provider (IdP): Validate user identity.
  • Service Provider (SP): The Service
  • Principal: User
• Circle of Trust between all parties before
OAuth 2.0
• Provides Authorization to API’s such as GoogleID, LinkedIn, Facebook etc.
• Roles:
  • OAuth Provider: Hosts the resource to be accessed.
  • OAuth Consumer: Requesting the resource.
  • End User: Granting access
• Example: Facebook App (Consumer) asking for permission from (End User) to grant access to your Facebook Profile (Provider)
• No Encryption – Relies on TLS for Session encryption.
OpenID
• SAML based SSO, consumer websites and apps.
• Roles:
  • OpenID Provider: Verifies End user.
  • Resource Party: Wants to verify the user.
  • End User: who wants access
• Example: Facebook App (Consumer) asking for permission from (End User) to grant access to your Facebook Profile (Provider)
• OpenID Connect: Uses JSON Web Tokens (JWT) and REST to retrieve JWT. Can retrieve user profiles.
• Vulnerable to Phishing attacks.
AAA PROTOCOLS
RADIUS
Authentication, Authorization, Accounting
Ports: UDP 1812,1813 or 1645,1646 (unofficial)
Uses Attribute Value Pairs (AVPs) that can be used to enhance authentication and Authorization. 256 Pairs possible.
Logs privileged access once logged in.
Only encrypts the Password exchange.
RADSEC enables RADIUS over TCP/TLS
TACACS+
Authentication, Authorization, Accounting
Ports: TCP 49
TACACS+ enhancement allows Two-factor authentication.
Separates AAA into different processes that can be implemented on multiple servers.
Encrypts all authentication information.
Better accountability compared to Radius.
Diameter
Supports wide range of protocols: IP, Mobile IP, VoIP.
Better Reliability and Flexibility than RADIUS.
Authentication, Authorization, Accounting
Ports: TCP / SCTP 3868
Supports IPSec & TLS Encryption.
Not backwards compatible with RADIUS
Uses AVP’s and increases to use 32 bits i.e. billions of Pairs.
IDENTITY MANAGEMENT – LIFECYCLE & BEST PRACTICES
Access Control Matrix: Object focused. Table of subject, object and privileges.
Capability Table: Subject focused, details the capabilities of a subject or role.
Layering: Defence in depth. Layer Administrative, Physical and Technical controls. Example: Server protected with encryption, locked inside rack, with keep out signs.
Need to Know: grant access only to what the subject needs to perform job function.
Least Privilege: grant access to lowest amounts of rights subject needs to perform job function.
Separation of duties: Separate sensitive functions into two tasks for different employees, preventing security incidents.
ACCESS CONTROL MODELS
DAC – Discretionary Access Control
• Security of object is at Data Owner’s Discretion.
• Access granted through ACL.
• Owner of Object decides permission.
• Identity based.
• Subject has no knowledge of the object’s sensitivity.
• Scalable and Flexible as each owner decides access.
MAC – Mandatory Access Control
• Data Owners cannot grant access.
• Security Labels of Subject and Object define decision.
• Access granted by Security Officer.
• Subject label must dominate Object Label.
• Subject has knowledge of the object’s sensitivity.
• Lattice-based Access control.
• Can be compartmented further for Label+Compartment for enforcement of Need to Know.
• 3 Types: Compartmented, Hierarchical, Hybrid.
RBAC – Role Based Access Control
• Group based Access Permissions.
• Non-discretionary.
• Each Role has a set of rights over objects as defined by the Data Owner.
• The Security Admin configures the rights.
• Subject focused.
RuBAC – Rule Based Access Control
• Rule based – Global focused rules that apply to all subjects.
• Called restrictions or filters.
• If/then statements (group=admin allow social-networking)
Attributed Based Access Controls
• Policies that include multiple attributes for rules (memory=8gb, os=windows)
• SDNs use ABAC
All models, apart from DAC are Non-Discretionary Access Control Models.
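The MAC rule "subject label must dominate object label", with compartments for Need to Know, next to a DAC grant that cannot override it, as an added example that is not part of the original notes. The level names, compartment names and users are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumed hierarchy, lowest to highest.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Level at least as high AND every compartment of `other` held."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.compartments <= self.compartments)


def join(a, b):
    """Least upper bound in the lattice: label for data merged from a and b."""
    level = max(a.level, b.level, key=LEVELS.index)
    return Label(level, a.compartments | b.compartments)


def decide_read(user, subject_label, object_label, owner_acl):
    """MAC is checked first; the owner's ACL (DAC) can only narrow access."""
    if not subject_label.dominates(object_label):
        return False, "mac: subject label does not dominate object label"
    if user not in owner_acl:
        return False, "dac: owner has not granted access"
    return True, "allowed"


if __name__ == "__main__":
    alice = Label("SECRET", frozenset({"HR"}))
    memo = Label("CONFIDENTIAL", frozenset({"HR"}))
    payroll = Label("SECRET", frozenset({"HR", "FINANCE"}))
    print(decide_read("alice", alice, memo, {"alice"}))
    # Same level, but alice lacks the FINANCE compartment (Need to Know).
    print(decide_read("alice", alice, payroll, {"alice"}))
    print(join(memo, payroll))
```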
THREAT MODELING – APPROACHES AND PROTECTION METHODS
Approaches
Focus on Assets: Valuate Assets and identify threats to these attacks to determine likelihood and impact.
Focus on Attackers/Threats: Identify attackers and take potential measures to protect from them. E.g. Pakistan/North Korea block IP-Geo-resolution.
Focus on Software: Potential threats against software. E.g. Web attacks like PHP injections.
Protection Methods
Control Physical Access: Reduce attack surface by controlling physical access.
Control File Access: Confidentiality and Integrity.
Strong Password policy: Longer length, complexity, reuse and history – more time to crack a password!
Hash and Salt Passwords: bcrypt and PBKDF2 to salt, hash and store passwords. Never store passwords in clear text.
Password Masking: Don’t show passwords in cleartext, use masking ***.
Account Lockout: Use Clipping levels, wrong credentials only allowed x times before locking out, prevents brute force.
Enable Last Logon Notifications – Users can detect and notify suspicious login activity.
EDUCATE USERS!
• Creating strong passwords.
• Detecting phishing mails.
• Social engineering.
ATTACKS ON PASSWORDS
Password Guessing
Guesses passwords based on knowledge of the subject (user) or the object (default credentials). Change default credentials, implement account lockout.
Password Cracking
Conducted offline against a Password Directory which stores passwords in hashes. Creates multiple passwords and hashes in an effort to achieve the same hash as stored in directory. Implement Salting, and stronger Hashing
Hybrid Attack
Modify a dictionary with changes to crack complex passwords. Password becomes Passw0rd. Implement Salting, complexity, length.
Dictionary
Matches against a known list of words and compares with stored hash. Offline attack. Reject commonly known passwords, implement salting and stronger hashing algorithm.
BruteForce
Try every combination for a password. Implement Account Lockout for Clipping levels, longer length & complexity.
Rainbow Tables
Database of precomputed hashes of Passwords. Implement Salting.
Birthday
Find the same Hash value by collision.
Salt
Add a random character/string to a password before hashing to make it difficult to crack. Even same password by different users will have different values.
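The "Hash and Salt Passwords" and "Account Lockout" protection methods and the Salt countermeasure above in one place, as an added example that is not part of the original notes. The iteration count, the clipping level of 3, the stored-record format and the small table of common passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # illustrative work factor; tune to your hardware
CLIPPING_LEVEL = 3     # wrong attempts allowed before the account locks

# Constructed stand-in for a precomputed (rainbow-style) table: unsalted
# SHA-256 of a few common passwords, keyed by hash.
COMMON = ["password", "123456", "Passw0rd", "letmein"]
TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}


def unsalted_sha256(password):
    """The weak scheme: same password always gives the same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def table_lookup(stored_hex):
    """What a precomputed table gives an offline attacker: a plain lookup."""
    return TABLE.get(stored_hex)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record: algo$iterations$salt$derived_key."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


class AccountStore:
    def __init__(self):
        self.records, self.failures = {}, {}

    def register(self, user, password):
        self.records[user] = hash_password(password)
        self.failures[user] = 0

    def login(self, user, password):
        """Return 'ok', 'denied' or 'locked'."""
        if user not in self.records:
            return "denied"
        if self.failures[user] >= CLIPPING_LEVEL:
            return "locked"  # stays locked even if the password is right
        if verify_password(password, self.records[user]):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "locked" if self.failures[user] >= CLIPPING_LEVEL else "denied"


if __name__ == "__main__":
    print("unsalted, found in table:", table_lookup(unsalted_sha256("Passw0rd")))
    first, second = hash_password("Passw0rd"), hash_password("Passw0rd")
    print("same password, different records:", first != second)
    print("salted, found in table:", table_lookup(first.split("$")[3]))
```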
ATTACKS ON THE ACCESS
[Diagram: Security Assessment – Policy/Procedure/Process Review (Real-world assessment of admin controls), Vulnerability Assessment, Penetration Testing, Remediation Recommendations, Assessment Report]
WarGames goes further than Penetration testing by testing an Organization’s awareness and response to a security
SECURITY AUDITS
Impartial, unbiased evaluations to determine effectiveness of Controls to a Third Party. Validated against a Standard.
[Diagram: Planning, Overview, Preparation, Inspection, Rework, Follow-up]
Typically organizations follow less stringent Code Review processes:
Walkthrough: Developers walk through the code with other team members.
Manual: Senior dev manually reviews and signs-off on code.
Pair Programming: AGILE method where one dev writes code and other reviews line-by-line, alternately.
Formal Inspection: Fagan inspection.
Automated Review tools to detect flaws: loadrunner etc.
Code Reviews help to identify software vulnerabilities and coding flaws such as memory leaks, buffer overflow, stack exploitation, race conditions, bounds.
SOFTWARE TESTING LEVELS – COVERAGE ANALYSIS
Coverage Analysis
Fuzzing – Provides multiple invalid inputs to software to test its limits, in an attempt to produce crashes, vulnerabilities such as bounds, buffer overflows etc. Tools: zzuf
Mutation Fuzzing: Takes valid input, alters it and sends to the application.
Generational Fuzzing: Intelligent Fuzzing. Creates models based on the data types accepted by the program.
[Diagram: attack chain – Recon, Weaponize, Deliver, Exploit, Install, C&C, Lateral Movement, Perform Objective (e.g. Encrypt, Exfiltrate)]
INCIDENT RESPONSE MANAGEMENT
1. Detection: First responders analyze to classify alarm as incident and Activate the CIRT.
2. Response: Investigate, Assess damage, collect evidence, determine the response (containment action)
3. Mitigation: Determine Cause that leads to RCA, take action to Contain incident and Eradicate to stop incident.
4. Reporting
Technical: Technical details of incident.
Non-Technical: Seriousness of incident to management.
CIRT – Computer Incident Response Team: Responsible for Investigation, Containment and Recovery.
NIST Computer Security Handling Guide: 800-61r2
TYPE OF ATTACKS
Troublemakers: Script kiddies, technical know-how
Hacktivists: Hack for a cause
Nation-state: Government funded.
Insider: Disgruntled employee.
Crime: Funded by organized crime. After $$$.
[Diagram: attacker motivations – Skill, Thrill, Cause, Terrorism, Grudge, Espionage, Disruption, Money]
INVESTIGATIONS
Administrative Investigations: Operational investigations to internal IT system faults, functions & processes. No set guideline for evidence. Evidence is Voluntarily Surrendered to investigation personnel.
Criminal Investigation: Evidence must meet Beyond a reasonable doubt, investigated by law enforcement.
Civil Investigation: Evidence meets More likely than not, investigated by employees and consultants.
Regulatory Investigation: Evidence meets Standard of proof, investigated by government or regulatory bodies if companies are suspected of violating compliance or administrative laws.
Compliance Assessment: Evidence meets Proof of compliance, Periodic assessment to meet compliance standards, investigated by third-party auditors appointed by regulatory bodies.
Investigation Process
Evidence Gathering
Notify Law Enforcement
Conduct Investigation
Interview
Data Integrity/Retention
Report & Document
Warrant
• Must be obtained prior to searching private belongings.
• Must be based on probable cause.
• Must be specific in scope.
Evidence gathered for Investigation must maintain their Integrity.
EVIDENCE
Recommended: Watch “My Cousin Vinny”.
Best Evidence Rule: Admissibility
Relevant: Prove or disprove facts relevant to the case.
Material: Related to the case.
Reliable: Integrity of evidence.
Competent / Legally Permissible: Obtained through legal means, and not via:
• Illegal Search & Seizure: without warrant.
• Illegal Wiretap & Phonetaps
• Entrapment
• Coercion: force to testify.
Parol Evidence Rule – Only written agreements acceptable.
Hearsay Rule – Hearsay evidence only admitted if maker of the statements is able to testify in court.
Direct Evidence: Oral / Written Testimonial evidence witnessed by a person’s 5 senses.
Real Evidence: Physical, can be brought to court. (Hard disks etc)
Documentary Evidence: Original / copies of business records, computer-generated/stored logs. Must comply with Hearsay rule.
Demonstrative Evidence: Aid understanding of case via Expert opinion or non-expert facts.
Circumstantial Evidence: Doesn’t directly prove, but makes reasonable inference. (Tickets to the opera infers person was at opera)
Secondary Evidence: A duplicate copy such as photocopy, tape backup, screenshot, logs.
Enticement (Legal & Ethical): Make a crime more enticing. Criminal already has mindset to commit crime. E.g. He has
already hacked in, so Honeypot can be used to contain, gain knowledge.
Entrapment (Illegal & Unethical): Encourage to commit crime when they had no intention.
Best-evidence: Original, unaltered, requires integrity. Computer-generated records.
Hearsay-evidence: Inaccurate, unreliable, unable to prove integrity. Computer-stored records.
Federal Rules of Evidence states if data stored on pc, or printout is demonstrated to be accurate and reliable, it is
Best Evidence.
FORENSICS
Chain of Evidence Custody
• Persons Involved (Who): All people who handled evidence.
• Description of Evidence (What)
• Location of Evidence (Where)
• Date/Time (When)
• Methods Used (How): How was it handled?
Chain of Evidence does not require that Forensic investigators know the relation of the evidence to the crime.
Forensic analysis types
• Hardware Analysis: Device Forensics
• Media Analysis: Storage media Forensics
• Network Analysis: Network Forensics
• Software Analysis: Code/log Forensics
Evidence Lifecycle
• Collection & Identification: Voluntary: Owner freely surrenders (typically within an organization). Subpoena.
Search Warrant / Writ of Possession. Exigent Circumstances.
• Marked and Identified: Mark evidence. Use an Evidence Tag. Seal. Protect.
• Analysis
• Storage, Preservation, Transportation
• Presentation in Court
• Return to Victim/Owner.
eDiscovery Reference Model
1. Information Governance: well organized for future eDiscovery.
2. Identification: locates info required for discovery request.
3. Preservation: maintains integrity.
4. Collection: gathers responsive information centrally for eDiscovery.
5. Processing: rough cut of irrelevant info.
6. Review: remove any info protected by attorney-client privilege.
7. Analysis: deep content & context inspection.
8. Production: format for display.
9. Presentation: display info to court, witnesses or third-parties.
DISASTER RECOVERY
Recovery Types
Trusted Recovery: System is as secure as before failure or crash.
Manual Recovery: If system does not fail in a secure state, an admin has to manually implement security before recovery.
Automated Recovery: System performs trusted recovery activities against failure. Ex: RAID.
Automated Recovery with Undue Loss: System performs trusted recovery activities against failure, but also protects
specific objects against loss.
Function Recovery: Systems that can automatically recover functions.
Quality of Service
Protects from Network congestion disasters.
Bandwidth: Capacity to carry connections.
Latency: Time taken to travel from source to destination.
Jitter: Variation of latency between packets due to congestion or interference.
Packet Loss: Loss of packets during transmission leading to retransmission.
Interference: Corruption of packets as they travel due to congestion, faulty equipment or crosstalk EMI.
Tape Backup Recovery Strategies:
Tower of Hanoi: archiving for an extended period of time in an economical manner. Recursive pattern of scheduling
tapes. 1,2,4,8,16 days restore in 5 tapes.
Grandfather-Father-Son: Grandfather – offsite full backup; Father – local fast full backup; Son – local
differential/incremental backup.
First in, First Out – First tape written is the first tape overwritten. Old data is overwritten by new data.
DISASTER RECOVERY - DATA
RAID – Redundant Array of Independent Disks
RAID Type: Function
RAID 0: Striping, 2+ disks
RAID 1: Mirroring, 2 disks
RAID 5: Striping + Parity, 3+ disks.
RAID 6: Striping + Dual Parity
RAID 10: Striping + Mirroring, 4 disks.
Database Backup
Electronic Vaulting: Remote site database backup using bulk transfers. Smaller time to backup to remote site, than
sending tape. Significant delay to recover as backup has to be obtained from vault and then restored.
Remote Journaling: Transaction logs backed up remotely. Some delay (ex. hourly), technicians retrieve transaction
logs and apply to production DB.
Remote Mirroring: Live Backup via copying any changes to the production database to the backup (also called
Shadowing). No delay. Can be migrated as is.
Data Backup Types
Full Backup: Full data backup. Exact replica. Turns Archive bit off after backup.
Incremental Backup: changes since the last incremental or full backup. Turns Archive bit off.
Differential Backup: changes since the last full backup. Archive bit kept on.
Eventman Technologies takes Full Backups every Monday, and incremental/differential backups every day at 3:00PM. A failure occurs on
Thursday at 1:00PM. RPO is 3 hours. How many backups must be restored in both scenarios, and how much data is lost?
Answer:
• If incremental, need to restore Monday’s full backup, and Tuesday + Wednesday’s Incremental backup.
• If Differential, need to restore Monday’s full backup and Wednesday’s differential.
• Data will be lost from Wednesday 3:00PM to Thursday 1:00PM. Does not meet the RPO objective of 3 hours.
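Added example (not from the original notes): the same exercise worked in code, computing the restore chain for each backup mode and checking the data-loss window against the RPO. The calendar dates and the 3:00PM time of Monday's full backup are assumptions made so the scenario can be run; the function and variable names are illustrative.

```python
from datetime import datetime, timedelta

def restore_plan(backups, failure, rpo, mode):
    """backups: list of (datetime, kind), kind is 'full' or 'daily'.
    mode: how the daily jobs run, 'incremental' or 'differential'.
    Returns (backups to restore in order, data-loss window, RPO met?)."""
    done = sorted(b for b in backups if b[0] <= failure)
    # A restore always starts from the most recent full backup.
    last_full = max(i for i, b in enumerate(done) if b[1] == "full")
    dailies = done[last_full + 1:]
    if mode == "incremental":
        chain = [done[last_full]] + dailies        # every incremental since the full
    elif mode == "differential":
        chain = [done[last_full]] + dailies[-1:]   # only the latest differential
    else:
        raise ValueError("mode must be 'incremental' or 'differential'")
    loss = failure - chain[-1][0]                  # work done since the last backup
    return chain, loss, loss <= rpo

# Constructed dates: the week starting Monday 2024-01-01 (assumption).
MONDAY = datetime(2024, 1, 1, 15, 0)
SCHEDULE = [(MONDAY, "full")] + [
    (MONDAY + timedelta(days=d), "daily") for d in (1, 2, 3, 4)
]
FAILURE = datetime(2024, 1, 4, 13, 0)   # Thursday 1:00PM
RPO = timedelta(hours=3)

if __name__ == "__main__":
    for mode in ("incremental", "differential"):
        chain, loss, ok = restore_plan(SCHEDULE, FAILURE, RPO, mode)
        days = [f"{t:%A} {kind}" for t, kind in chain]
        print(f"{mode}: restore {days}, data lost {loss}, RPO met: {ok}")
```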
Machine Code: Software executed directly by the CPU. Binary or Hexadecimal.
Assembly Language: Low-level Computer programming language that matches machine language instructions. ADD, SUB etc.
Source Code: Software instructions written in text that need to be translated into Machine Code for execution. Compiled once.
Shell Code: Software instructions executed on the fly. Need to be compiled every time.
Compilers: Compile Source code into Machine Code.
Interpreters: Interpret shell code into Machine Code.
Open-source: Source code released to public, to be used, forked etc.
Closed-source: Source code kept secret. Typically IP to the creator.
Freeware: Free to use, free as in free beer.
Shareware: Free to use for limited time or with bundled software.
Crippleware: Key features require payment to unlock.
SECURE SOFTWARE DESIGN
Input Validation: Validate user input for fields to ensure that users are not abusing fields to gain access to the backend
systems. Example: using SQL or Script characters in the URL or Password fields to exploit the web application.
Authentication and Session Management: Ensure that users are properly authenticated with the proper set of controls based
on the sensitivity of the application and the sessions are managed.
Cookies used for a session should be securely transmitted (TLS) to the end-user to prevent session-hijacking attacks.
Identifiers should be long and random (not using Password for passwords, else it’s easy for the attacker to identify the password.)
Session Tokens should expire after a set time (idle/session time) and the user must re-authenticate.
Error Handling: Debug error messages should be disabled for publicly exposed applications as this can expose the underlying
middleware, process and technologies used. Attackers try to produce errors to get information about an application.
Logging: Logging to file/disk or an external SIEM helps developers and security analysts figure out problems. Should be used in
lieu of End-user Errors.
Fail-Open: bypasses security at failure to allow operations to continue.
Fail-Secure: puts system in high-security state at failure and does not allow operations until administrator diagnoses and
resolves problems.
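Added example (not from the original notes): a small session store that applies the points above on session management, logging and fail-secure behaviour. It issues long random identifiers, sets cookie flags so the identifier is only sent over TLS, expires sessions on idle and absolute timeouts, and denies access on any error. The class name, cookie name and timeout values are assumptions.

```python
import logging
import secrets
import time

log = logging.getLogger("session")
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity allowed (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600   # maximum session lifetime (assumed value)

class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable so expiry can be tested

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def cookie_header(self, token):
        # Secure: only sent over TLS. HttpOnly: not readable from script.
        return f"Set-Cookie: sid={token}; Secure; HttpOnly; SameSite=Strict; Path=/"

    def validate(self, token):
        """Return the user name, or None if the user must re-authenticate."""
        try:
            s = self._sessions[token]
            now = self._clock()
            idle = now - s["last_seen"]
            age = now - s["created"]
            if idle > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
                del self._sessions[token]   # expired: force re-authentication
                return None
            s["last_seen"] = now
            return s["user"]
        except Exception:
            # Fail-secure: an unknown token or any internal error denies access.
            # The detail goes to the log, never into the response to the user.
            log.warning("session validation failed; access denied")
            return None
```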
SOFTWARE DEVELOPMENT LIFECYCLE (SDLC)
1. Conceptual Definition: Basic Concept, Purpose and general system requirements. Agreement b/w all stakeholders.
2. Functional Req. Determination: Input, Behavior, Output. Concept translates to Function. Specific System requirements.
3. Control Specifications Dev: Security Controls for functions: Access Controls. CIA, IAAA
4. Design Review: Design System structure, functional interoperation. Timelines for milestones. Review with all stakeholders.
5. Code Review: Coding of the application. Code review with developers with walk-through of each module. Identify
logical-flaw, security flaws.
6. Acceptance Testing: User Acceptance: Users test application for functions / workflow. Systems Acceptance: Systems
Admins test software for availability, failure, backup before production.
7. Maintenance & Change Management: Operational maintenance of application, and structuring Change with review, logging.
Waterfall
All Stages performed sequentially, one after the other.
One Stage ends, the next begins.
Stages shown in the diagram: Conceptual Development, Requirement Analysis, Acceptance Testing, Release & Maintenance.
Sashimi
Overlapping Waterfall Model.
Steps overlap, leading to faster-integrated development cycle.
SPIRAL
Software developed and evolved as a loop.
Project developed in Spirals: Modest goals and expanding outwards
in spirals.
Meta-Model: Each round contains a complete model such as Waterfall.
Risk analysis after each round.
Identifies risks earlier in the development process.
Lowers overall risk of the project. Designed to control Risk.
Shows cumulative project cost over several development iterations.
4 Phases:
• Planning
• Risk Analysis
• Engineering
• Evaluation
Focus on Iterative Development, when requirements are not well understood or developed, or iterative (prototype)
development is required.
AGILE
Looking at the information presented, and acting as a CISO for the nuclear plant, which one of these controls
could have effectively prevented the Stuxnet Worm from infecting the Iranian nuclear facility? Please remember
this is 2010, and consider the technology available for the time period.
a) Deploying Antivirus with Signature scanning technology.
b) Blocking USB ports and mass storage devices.
c) Installing software patches to patch the reported vulnerabilities.
d) Awareness on Social engineering.
Ans: B) Block USB Ports and Mass Storage devices.
a) Deploying antivirus is incorrect as ICS systems use embedded firmware and it is difficult to install software such as anti-virus on PLCs. Secondly, Signature
scanning is effective against Known threats. Stuxnet was an unknown threat.
c) While installing software patches is the best way to mitigate vulnerabilities, the reported vulnerabilities were Zero-day with no publicly released patch
available.
d) Awareness of Social Engineering: while an excellent control to reduce such instances, this method would not have been effective to stop the infection and
spread of the malware.
B) It is known that the facility was using an airgapped model in which systems do not have access to the internet. The suspected method of infection was a USB
drive. Out of all answers, this is the best answer to block the initial infection vector.
ROLEPLAY – STUXNET – Q2
On inspection it is identified that the plant did indeed have controls to prevent USB and Mass Storage devices from
connecting to the network. The Security Officers identified a computer that had a policy of allowing USB drives set. On
further probing, it was identified that a Formal change request had been filed to allow USB access for a day, but the
Administrator had forgotten to revoke access after the time elapsed. What could the Security team have done to prevent
such an incident?
a) Penetration Test
b) Vulnerability Scanning
c) Internal Audit
d) Risk Analysis
Ans: C) Internal Audit
a) A Penetration test seeks to exploit vulnerabilities.
b) A vulnerability scan exposes loopholes in services on systems usually via an automated scanner.
d) Risk Analysis seeks to assess risk and then deploy safeguards to mitigate risk. Since a control was already deployed yet
was not enforced properly, this is not the best answer.
C) An internal audit is the best way to assess currently deployed controls and procedures.
ROLEPLAY – STUXNET – Q3
On further investigation of the incident, it was identified that a member of the Operations team identified anomalous
behavior including slowness of a PC monitoring a Centrifuge. The Tech identified a few processes that were utilizing
high memory and ended them, which led to the PC crashing. The Tech restarted the PC, and the behavior was not seen
again. The Incident was filed as resolved. What was incorrectly done in this scenario, and what could have prevented the
catastrophic disaster if determined correctly?
a) Incident Response
b) Mitigation
c) Recovery
d) Root Cause Analysis
Ans: A) B) and D) The response was incorrect – no evidence collection, incorrect identification, Mitigation was
unable to eradicate the actual threat, as there was an incorrect Root Cause Analysis.
c) Recovery – The system was brought to an operational state by rebooting the system.
ROLEPLAY – STUXNET – Q4
What additional control could have been deployed to prevent the infection and spread of the malware in the
facilities?
a) Prevent auto-run of executables
b) Blacklisting
c) Whitelisting
d) Condensation
Ans: C) Whitelisting would have prevented an unauthorized program not whitelisted previously from being run.
Whitelisting is a recommended control for critical systems such as OT.
a) Prevent auto-run – would have prevented the initial execution, but an accidental user click would have executed the
malware.
b) Blacklisting seeks to block known bad software. Since this was unknown, blacklisting would not have prevented it.
D) Condensation is a distractor
ROLEPLAY – STUXNET – Q5
What essentially was Stuxnet, based on the information provided in the scenario?
a) APT
b) Malware
c) Trojan Horse
d) Worm
Ans: A) APT – an Advanced Persistent Threat goes beyond traditional malware and worms, embedding in the
victim for a specific purpose and is usually funded and aided by governments.
BONUS: ROLEPLAY II
GEEKCORP
ROLEPLAY II – GEEKCORP
Bhavesh has recently been hired as the CISO for GeekCorp Media, an online and print media and entertainment
powerhouse. GeekCorp operates several entertainment websites under its banner geekcorp.com, allowing
customers to view, stream and download original content.
Bhavesh recently received a report as part of a vulnerability assessment, of a vulnerability in the website that
allowed website visitors to download videos without authentication. What should be the next step that Bhavesh
should take?
a) Implement a countermeasure
b) Disable video downloads
c) Inform his superior
d) Have his team download some videos using the method described.
Ans: d) The first step is to Validate the vulnerability as part of the vulnerability management process, and that can only
be possible via d)
Thank You for Reading!