Concepts (10)
CIA
DAD - NEGATIVE - (disclosure, alteration and destruction)
Confidentiality - prevent unauthorized disclosure; need to know and least privilege. Assurance that information is not disclosed to unauthorized programs, users or processes; encryption, logical and physical access control.
Integrity - no unauthorized modifications, consistent data; protecting data or a resource from being altered in an unauthorized fashion.
Availability - reliable and timely, accessible; fault tolerance and recovery procedures, WHEN NEEDED.

IAAA – requirements for accountability (21)
Identification - user claims identity, used for user access control
Authentication - testing of evidence of user’s identity
Accountability - determine actions to an individual person
Authorization - rights and permissions granted
Privacy - level of confidentiality and privacy protections

Risk (12)
Not possible to get rid of all risk. Get risk to acceptable/tolerable level.
Baselines – minimum standards
ISO 27005 – risk management framework
Budget – if not constrained go for the $$$ security.

Intellectual property laws (24)
Patent - grants ownership of an invention and provides enforcement for the owner to exclude others from practicing the invention. After 20 years the idea is open source.
Copyright - protects the expression of ideas but not necessarily the idea itself, ex. poem, song; @70 years after author dies.
Trade Secret - something that is proprietary to a company and important for its survival and profitability (like the formula of Coke or Pepsi). DON’T REGISTER – no application.
Trademarks - words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald’s M); @10 years.

Data Breaches (27)
Incident – an event that has potential to do harm.
Breach – incident that results in disclosure or potential disclosure of data.
Data Disclosure – unauthorized acquisition of personal information.
Event – Threat events are accidental and intentional exploitations of vulnerabilities.

Laws (28)
ITAR, 1976. Defense goods, arms export control act.
Wassenaar Arrangement (WA) – Dual use goods & trade; international cryptographic agreement, prevent destabilizing.
FERPA – Education.
GLBA, Gramm, Leach, Bliley; credit related PII.
ECS, Electronic Communication Service (Europe); notice of breaches.
Computer Crimes – loss, image, penalties.
Fourth Amendment - basis for privacy rights is the Fourth Amendment to the Constitution.

Regulations
1974 US Privacy Act - Protection of PII on federal databases.
1980 Organization for Economic Cooperation and Development (OECD) - Provides for data collection, specifications, safeguards.
1986 (amended in 1996) US Computer Fraud and Abuse Act - Trafficking in computer passwords or information that causes a loss of $1,000 or more or could impair medical treatment.
1986 Electronic Communications Privacy Act - Prohibits eavesdropping or interception w/o distinguishing private/public.
Communications Assistance for Law Enforcement Act (CALEA) of 1994 - amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
1987 US Computer Security Act - Security training, develop a security plan, and identify sensitive systems in govt. agencies.
1991 US Federal Sentencing Guidelines - Responsibility on senior management with fines up to $290 million. Invoke prudent man rule. Address both individuals and organizations.
1996 US Economic and Protection of Proprietary Information Act - industrial and corporate espionage.
1996 Health Insurance Portability and Accountability Act (HIPAA) – amended.
1996 US National Information Infrastructure Protection Act - Encourage other countries to adopt similar framework.
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) - Congress amended HIPAA by passing this Act. This law updated many of HIPAA’s privacy and security requirements. One of the changes is a change in the way the law treats business associates (BAs), organizations who handle PHI on behalf of a HIPAA covered entity. Any relationship between a covered entity and a BA must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements.
SOX, Sarbanes Oxley, 2002, after the ENRON and World Online debacle. Independent review by external accountants. Section 302: CEOs and CFOs can be sent to jail when information they sign is incorrect. CEO SIGN. Section 404 is about internal controls assessment: describing logical controls over accounting files; good auditing and information security.
Corporate Officer Liability (SOX) - Executives are now held liable if the organization they represent is not compliant with the law. Negligence occurs if there is a failure to implement recommended precautions, if there is no contingency/disaster recovery plan, failure to conduct appropriate background checks, failure to institute appropriate information security measures, failure to follow policy or local laws and regulations.
COSO – framework to work with Sarbanes-Oxley 404 compliance; TREADWAY COMMISSION.

European laws: Need for information security to protect the individual. Privacy is the keyword here! Only use information of individuals for what it was gathered for.
• strong in anti-spam and legitimate marketing
• Directs public directories to be subjected to tight controls
• Takes an OPT-IN approach to unsolicited commercial electronic communications
• User may refuse cookies to be stored and user must be provided with information
• Member states in the EU can make own laws, e.g. retention of data

Due Care - means the company did all that it could have reasonably done to try and prevent a security breach / compromise / disaster, and took the necessary steps required as countermeasures / controls (safeguards). The benefit of "due care" can be seen as the difference between the damage with or without "due care" safeguards in place. AKA doing something about the threats. Failing to perform periodic security audits can result in the perception that due care is not being maintained.
Due Diligence - means the company properly investigated all of its possible weaknesses and vulnerabilities. AKA understanding the threats.

Responsibilities of the ISO (15)
Written Products – ensure they are done
CIRT – implement and operate
Security Awareness – provide leadership
Communicate – risk to higher management
Report to as high a level as possible
Security is everyone’s responsibility

Control Frameworks (17)
Consistent – approach & application
Measurable – way to determine progress
Standardized – all the same
Comprehensive – examine everything
Modular – to help in review and adaptive. Layered, abstraction (remember ITSEC, the European version of TCSEC that came from the USA/Orange Book; they come together in Common Criteria, but there still is some overlap).
COBIT – examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of high level control objectives. Having controls, GRC, heavy auditing, metrics, regulated industry.

Ethics (33)
Just because something is legal doesn’t make it right. Within the ISC context: Protecting information through CIA.
ISC2 Code of Ethics Canons
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Internet Advisory Board (IAB) Ethics and Internet (RFC 1087): Don’t compromise the privacy of users. Access to and use of the Internet is a privilege and should be treated as such. It is defined as unacceptable and unethical if you, for example, gain unauthorized access to resources on the internet, destroy integrity, waste resources or compromise privacy.

Business Continuity plans development (38)
- Defining the continuity strategy
- Computing strategy to preserve the elements of HW/SW/communication lines/data/application
- Facilities: use of main buildings or any remote facilities
- People: operators, management, technical support persons
- Supplies and equipment: paper, forms, HVAC
- Documenting the continuity strategy

BIA (39)
Goal: to create a document to be used to help understand what impact a disruptive event would have on the business.
Gathering assessment material
- Org charts to determine functional relationships
- Examine business success factors
- Identify critical IT resources out of critical processes; identify disruption impacts and Maximum Tolerable Downtime (MTD)
- Loss: Quantitative (revenue, expenses for repair) or Qualitative (competitive edge, public embarrassment). Presented as low, medium, high.

Administrative Management Controls (47)
Separation of duties - assigns parts of tasks to different individuals, thus no single person has total control of the system’s security mechanisms; prevent collusion.
M of N Control - requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. So, implementing three of eight controls would require three people out of the eight with the assigned work task of key escrow recovery agent to work together to pull a single key out of the key escrow database.
Least privilege - a system’s user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest time. Three types: Read only, Read/write and Access/change.
Two-man control - two persons review and approve the work of each other, for very sensitive operations.
Dual control - two persons are needed to complete a task.
Rotation of duties - limiting the amount of time a person is assigned to perform a security related task before being moved to a different task, to prevent fraud; reduce collusion.
Mandatory vacations - prevent fraud and allow investigations; one week minimum; kill processes.
Need to know - the subject is given only the amount of information required to perform an assigned task; business justification.
Agreements – NDA, no compete, acceptable use.

Employment (48)
- Staff members pose more threat than external actors: loss of money, stolen equipment, loss of time/work hours, loss of reputation, declining trust and loss of resources, bandwidth theft; due diligence.
- Voluntary & involuntary ------------------Exit interview!!!

Third Party Controls (49)
- Vendors
- Consultants
- Contractors
Properly supervised, rights based on policy.

Risk Management (52)
GOAL - Determine impact of the threat and risk of threat occurring. The primary goal of risk management is to reduce risk to an acceptable level.
Step 1 – Prepare for Assessment (purpose, scope, etc.)
Step 2 – Conduct Assessment
- ID threat sources and events
- ID vulnerabilities and predisposing conditions
- Determine likelihood of occurrence
- Determine magnitude of impact
- Determine risk
Step 3 – Communicate Risk/results
Step 4 – Maintain Assessment/regularly
Types of Risk
Inherent - chance of making an error with no controls in place
Control - chance that controls in place will prevent, detect or control errors
Detection - chance that auditors won’t find an error
Residual - risk remaining after control in place
Business - concerns about effects of unforeseen circumstances
Overall - combination of all risks, aka Audit risk
Preliminary Security Examination (PSE): Helps to gather the elements that you will need when the actual Risk Analysis takes place.
ANALYSIS Steps: Identify assets, identify threats, and calculate risk. ISO 27005 – deals with risk.

Qualitative (57)
Vulnerability assessment; Approval; Form Team; Analyze Data; Calculate Risk; Countermeasure Recommendations. REMEMBER HYBRID!

Risk Assessment Steps (60)
Four major steps in Risk assessment: Prepare, Perform, Communicate, Maintain.
BIA (39), continued
- Develop recovery procedures
- Document the process
- Determine acceptable interruption periods
- Analyze the compiled information
- Identify inter-
- Documentation and Recommendation
RTO < MTD
MTD - Maximum Tolerable Downtime: maximum delay a business can be down and still remain viable. MTD minutes to hours: critical; MTD 24 hours: urgent; MTD 72 hours: important; MTD 7 days: normal; MTD 30 days: non-essential.
RTO – how quickly you need to have that application’s information available after downtime has occurred.
RPO - Recovery Point Objective: point in time that application data must be recovered to resume business functions; the AMOUNT OF DATA YOU’RE WILLING TO LOSE.

Risk Management Concepts (52)
Threat – damage
Vulnerability – weakness to threat vector (never does anything)
Likelihood – chance it will happen
Impact – overall effects
Residual Risk – amount left over
Organizations own the risk. Risk is determined as a byproduct of likelihood and impact.

ITIL (55)
ITIL – best practices for IT core operational processes, not for audit. Service - Change - Release - Configuration. Strong end to end customer focus/expertise. About services and service strategy. Service Transition publication addresses configuration; Continuous Service Improvement.
SLA – agreement between IT service provider and customer; document service levels.
SLR (requirements) – requirements for a service from the client viewpoint.
Service level report – insight into a service provider’s ability to deliver the agreed upon service quality.

Quantitative Risk Analysis (58)
Risk analysis – process that analyses threat scenarios and produces a representation of the estimated potential loss. Quantitative VALUES!! (dollars).
SLE (Single Loss Expectancy) = Asset Value * Exposure Factor (% loss of asset). SLE is the dollar value lost when an asset is successfully attacked. Exposure Factor ranges from 0 to 1.
ARO (Annualized Rate of Occurrence). Once in 100 years = ARO of 0.01.
ALE (Annual Loss Expectancy) = SLE * ARO.
Loss = probability * cost.
Total risk – controls gap = residual risk. Controls gap is the amount of risk that is reduced by implementing safeguards.

Risk Response (61) / Determination of Impact (61)
Risk Acceptance – live with it and pay the cost (accept risk).
Risk Avoidance – discontinue the activity (stop business activity).
Risk Transfer – passing on the risk to another entity; Assign (insure the risk to transfer it).
Risk Mitigation – elimination or decrease in level of risk; reduce by implementing controls, calculate costs.
Residual risk – legally the remaining residual risk is not counted when deciding whether a company is liable.

Countermeasures (63)
Prime objective is to reduce the effects of security threats and vulnerabilities to a tolerable level; protection for CIA of assets and life.
Cost-effectiveness: control cost should be less than the value of the asset being protected; no point where the cost of applying extra countermeasures is more than the estimated loss resulting from a threat or vulnerability (C > L). Redundancy.
Selection criteria: Accountability, Auditability, Source trusted and known, Consistency, Accuracy, Security. Other issues created? Does it leave residual data from its function?
Control Assessment (76): look at your posture.

Main Categories of Access Control (67)
Preventive: prevent incident or breach. Administrative: hiring policies, screening, security awareness, job rotation (also called soft-measures!). Technical: protocols, encryption, smartcards, biometrics, firewalls, routers, data/validity checks, padding, labels. Physical: fences, locks, doors, guards.
Detective: motion detectors, thermal detectors, video cameras, CCTV (never preventative); IDS and automatically generated violation reports; audit logs, audit records and trails, cyclic redundancy checks; screening behavior; signal warning.
Corrective: mitigate damage, restore control.
Deterrent: discourage people.
Recovery: restore to normal after incident; database backups, emergency response controls.
Compensating: substitute for loss of primary controls.
Directive: specify rules of behavior.
Administrative/Managerial (Policy); Technical (aka Logical); Physical (Domain 5) – see and touch. Physical controls are your first line of defense.

Controls (68)
Primary Controls (Types) – functional order in which controls should be used: Deterrence, Delay, Detection, Denial.

Penetration Testing (77)
Testing a network’s defenses by using the same techniques as external intruders.
Blue team – had knowledge of the organization. Red team – is external and stealthy.
White box – ethical hacker knows what to look for; see code, as a developer. Black box – ethical hacker not knowing what to find. Grey Box – partial knowledge of the system. Blind, double-blind; full knowledge and partial knowledge tests; internal and external.
Steps: Enumeration, vulnerability analysis, execution/exploitation, reporting. Other model: footprint network (information gathering), port scanning, vulnerability mapping, exploitation, report.
Vulnerabilities exploited: kernel flaws, buffer overflows, symbolic links, file descriptor attacks.
Flaw hypotheses methodology = operating system penetration testing. Tools are used in penetration tests.
Egregious hole – tell them now! SPELL OUT AND DEFINE!!!!

Pen Test Methodology (79)
4 stages: planning, discovery, attack, reporting. Recon/discover, scanning, exploitation, document findings/reporting.

Deming Cycle (83)
Plan – ID opportunity & plan for change
Do – implement change on small scale
Check – use data to analyze results of change
Act – if change successful, implement wider scale; if it fails, begin cycle again

Identification of Threat (86) Terms
Sniffing – capture data packets (traffic)
Dumpster Diving – searching paper disposal areas
Demon Dialing – war dialing for modems
Social Engineering – most common; get information by asking
Water holing – create a bunch of websites with similar names
Wire Tapping – eavesdropping on communication; only legal with prior consent or warrant
Data Diddling – act of modifying information; tampers with INPUT data
Scanning and Probing – port scanners; dictionary
Work Function (factor): the difficulty of obtaining the clear text from the cipher text as measured by cost/time
Fair Cryptosystems - In this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.

Hiring and personnel (DUE DILIGENCE)
Develop job descriptions; Contact references; Screen/investigate background; Background checks – mitigation; Develop confidentiality agreements; Determine policy on vendor, contractor, consultant, temporary staff access; how to dissolve the relationship (“divorce”). Individuals must be qualified with the appropriate level of training.
Personnel Retention – Deals with the knowledge that employees have. Non-disclosure Agreement – legal agreement that prevents employees from sharing proprietary information.

Software Licenses (91)
Freeware - proprietary software that is available for use at no monetary cost. May be used without payment but may usually not be modified, re-distributed or reverse-engineered without the author’s permission.
Open source - source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone.
Public domain - available for anyone to use.

Assurance (92)
Degree of confidence in satisfaction of security requirements. Assurance = other word for security. THINK OUTSIDE AUDIT.
Legislative drivers? FISMA (federal agencies): Phase 1 – categorizing, selecting minimum controls, assessment. Phase 2 – create national network of secure services to assess.

Successful Requirements Gathering (92)
Don’t assume what the client wants. Involve users early. Define and agree on scope. MORE.

Security Awareness (96)
Technical training to react to situations. Formal security awareness training – exact prep on how to do things. Users need to understand policies, then use presentations and posters etc. to get them aware; programs; assessment. Best practices for security and network personnel.

Privacy Laws
Data collected must be collected fairly and lawfully and used only for the purpose it was collected. Adequate, relevant, and not excessive to purpose. Accurate and up to date. Kept secure. Destroyed after purpose is complete. Accessible to the subject.
The EU Data Protection Directive (Directive on Data Protection) - to be replaced by the General Data Protection Regulation (GDPR) in 2018, STRENGTHENING INDIVIDUALS’ RIGHTS.
- data subjects should be given notice when their data is being collected
- data only used for original purpose, the stated purpose
- data subjects should be informed as to who is collecting their data
- collected data should be kept secure from any potential abuses
- data should not be disclosed without the data subject’s consent
- data subjects should be allowed to access their data and make corrections to any inaccurate data, including updating data
- data subjects should have a method available to them to hold data collectors accountable for not following the above principles
Data processors have responsibility to protect privacy of data. EU company would be Data Administrators; a US org is Data Processor when they classify and handle data.

US-EU (Swiss) Safe Harbor (124)
Bridge differences in approach and provide a streamlined means for US organizations to comply with the European Commission’s Directive on Data Protection, to use personal data of EU citizens. Self-certify, but Dpt. of Commerce holds list of participants; Dpt. of Transportation or FTC can enforce. FTC – oversees compliance framework for organizations wishing to comply. Gramm/Leach/Bliley Act delaying application to financial markets. Can transfer to non-Safe Harbor entities with permission.
Seven Tenets: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, Enforcement.

Information classification (110)
Categorization – Process of determining the impact of loss of CIA. Not all data has the same value.
Government/military: Top Secret (Grave damage; could cause exceptionally grave damage); Secret (Serious damage); Confidential (some damage); Sensitive but unclassified; Unclassified (have FOUO also). Can have country specific restrictions also – NZAUS SECRET for New Zealand, Australia and US secret; circumstances for release.
Private sector (113): Company Confidential – viewed by all employees but not for general use; Company Restricted – restricted to a subset of employees; Public, Sensitive, Private, Proprietary. Confidential = sensitive; Secret = Private; TS = Confidential/Proprietary. Use corporation resources for corporation use. Ex. SSN, credit card info, trade secrets, personal association, name, age, place of birth, DOB, mother’s maiden name.

Data Classification Policy (111)
Roles and responsibilities; Stating importance; Criteria – Value, Age, Useful life, Personal association; Identify which information is most sensitive and vital; Required controls are selected for each classification; Levels. Classifying costs – costs are not a factor in classifying data. Proper Assess. Man. REQUIRES (113): Senior management support and commitment.
Data Life – Creation, Access, Use, Dataset maintenance, Archiving, Destruction (subservient to security policy).

IT Asset Management (ITAM) (114)
Full life cycle management of IT assets. 1. Inventory Management – all things. 2. Configuration Management – CMDB holds relationships between system components, incidents, problems, changes, known errors. Understand replacement cost (if replaceable). Single repository. When do we replace – then think about the next one.

Security policies, standards & guidelines (119)
Policies – first and highest level of documentation. Very first is called Senior management Statement of Policy. Organizationally aligned, scalable, demonstrates support and commitment. Types: Regulatory (required due to laws, regulations, compliance and specific industry standards!); Advisory (not mandatory but strongly suggested); Informative (to inform the reader).
Information policy – classifications and defines level of access. Security policies – involve security scope. System security policy – lists hardware/software to be used; authenticates and defines technology used to control information access and distribution.
Standards – specify use of specific technologies in a uniform way (Clean desk). Baseline – minimum level of security. Guidelines – same as standards but not forced to follow. Procedures – detailed steps to perform a task. Auditor examines security controls.

Data Ownership (128)
Data/Information Owner – ultimate organizational responsibility for data; identifies the value of the data to the organization; responsible for the asset; can delegate responsibility to data custodian; authorize user privileges; grants permission to users in DAC; determine impact information has on the organization; review and change classification; determine who needs the information and assign permission to access and handle data; determine when information should be destroyed. What is the appropriate use of the data? Does data need to be encrypted? How is the data to be secured? How long is data to be retained? Who will have access to data? What method(s) should be used to dispose of data?
Business/Mission owners. System Owners – select security controls and method to store and transmit information. Administrators. Senior Manager – ultimate responsibility of information to an organization. Security Analyst – strategic, develops policies and guidelines. Information Security Officer – functional responsibility: provide leadership for security awareness, implement/operate CIRTs, communicate risk to senior management, stay abreast of current threats and technology, select baseline security standards.
Security planning: Strategic – 5 years; Tactical – shorter than strategic; Operational – day to day, short term processes.

Data Custodian Responsibilities (129)
Adhere to data policy and data ownership guidelines. Ensure accessibility, maintain and monitor security. Dataset maintenance. Run regular backups/restores and validate them. Maintaining records in accordance with classification. Ensuring data integrity and security (CIA). Day-to-day tasks, documentation, applies user authorization, +patching. Follow instructions in policies and guidelines.
End-user – uses information as their job and steps to undertake to protect it; due care (prevent open view by e.g. Clean desk).

QC & QA (131)
QA – assessment of quality based on standards external to the process; involves reviewing of the activities and quality control process. QC – assessment of quality based on internal standards; validation and audits.

Standards and publications
NIST – National Institute of Standards and Technology. NIST SP 800 series – address computer security in a variety of areas.
800-14 NIST SP – GAPP for securing information technology systems; 33 IT security principles; five lifecycle planning phases: Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal.
800-18 NIST – How to develop security plans.
800-27 NIST SP – Baseline for achieving security.
800-88 – NIST guidelines for sanitization and disposition.
800-122 – NIST Special Publication – defines PII as any information that can be used to trace a person’s identity such as SSN, DOB, mother’s maiden name.
800-137 – build/implement info security continuous monitoring program: define, establish, implement, analyze and report.
800-145 – cloud computing.
FISMA – Federal Information Security Management Act of 2002. FIPS – Federal Information Processing Standards, official series of publications relating to standards and guidelines adopted under FISMA. FIPS 199 – Standards for categorizing information and information systems. FIPS 200 – minimum security requirements for Federal information and information systems.
DOD 8510.01 – establishes DIACAP.
ISO 15288 – International systems engineering standard covering processes and life cycle stages: Agreement, Organization Project-enabling, Technical Management, Technical.
PCI-DSS – Payment Card Industry – Security Standards Council.
CIS – Center for Internet Security – common security configurations for OS, mobile, server, and network devices. Use Group Policies to check and enforce compliance.
COPPA – California Online Privacy Protection Act: commercial websites post a privacy policy if collecting personal information on CA residents.

Benefits of Data Standards (134)
Increased data sharing.
Considerations (134): Should baseline be applied throughout the whole enterprise? At what security level should baseline aim? How will the controls be determined? Which parts of the enterprise can be protected by the same baseline? Borders.

Data Modeling (135)
Smallest bits of information the DB will hold – granularity. Data mart. Metadata – helps to label data and prevent loss before it leaves; metadata is stored in a more secure container.

Data Remanence (140)
Residual physical representation of data that has been in some way erased; residual data left on media after erase attempts. SSD drives and wear space/leveling may hide non-addressable data.
Clearing – prepping media for reuse at the same level; overwriting; may be recoverable with special lab equipment.
Purging – more intense than clearing; removal of sensitive data with the intent that the data cannot be reconstructed by any known technique; media can be reused in lower systems.
Sanitizing – series of processes that removes data from storage devices in such a way that the data may not be reconstructed using normal system functions or utilities; ensures data is unrecoverable by any means; all storage media removed or destroyed. Sanitation is business normal.
Erasing – deletion of files or media; removes link to file. Reformatting is NOT sanitization.
Overwriting/wiping/shredding – overwrites with a pattern; targeted overwrite (best). Zero fill – wipe a drive and fill with zeros.
Degaussing – AC erasure, alternating magnetic fields; DC erasure, unidirectional magnetic field or permanent magnet. Remove unwanted remnant data from magnetic tapes. SSD drives cannot be degaussed. Curie Temperature – critical point where a material’s intrinsic magnetic alignment changes direction.
Crypto erase – erase the encryption key so the data is unreadable.
Destruction – incineration, shredding, crushing, and disintegration; physical destruction. NIST says to “disintegrate”.

Data Destruction (142)
Removing a computer from service and disposing of it. Downgrading equipment for reuse will probably be more expensive than buying new; not destruction for cost reasons. Buy high quality media – value of data exceeds cost of media. Some label all media that contains data to prevent reuse of controlled media for sensitive data.
Record Retention Policies – how long data is retained and maintained. Record Retention – retaining and maintaining information for as long as it’s needed.
Biggest threat is a data breach; ensure loss of media does not result in a data breach. Encryption is the solution; full disk encryption protects it (Microsoft Bitlocker and Microsoft EFS, which use AES). Removable Media – use strong encryption, like AES256.
DAR – Data at rest: inactive data that is physically stored, not RAM. Data in RAM is Data in use.
Label Data – to make sure data is identifiable by its classification. DLP – Data Loss/Leakage Prevention: uses labels to determine the appropriate control to apply to data; centrally managed; won’t modify labels in real time. Watermark – embedded data to help ID the owner of a file; digitally label data and can be used to indicate ownership. ECM – Enterprise Content Management.

Baselines (154) / Scoping and Tailoring (157) / Standards Selection (158-185)
Baseline – starting point that can be tailored to an organization for a minimum security standard. Select based on the data classification of the data stored/handled. Categorize systems and data; select baseline security standards; implement security controls.
Scoping – reviewing baseline security controls and selecting only those controls that apply to the IT system you’re trying to protect; narrows the focus of the architecture to ensure that appropriate risks are identified and addressed.
Tailoring – modifying the list of security controls within a baseline so that they align with the mission of the organization.
Supplementation – adding assessment procedures or assessment details to adequately meet the risk management needs of the organization.
CRITICAL = AVAILABILITY.

End to End Encryption (174)
FTP and Telnet are unencrypted! SFTP and SSH provide encryption to protect data and credentials that are used to log in. Email is not secured unless encrypted; S/MIME – secure email; PGP = GnuPG (GNP) – does not rely on CAs. Encrypting data is a good way to secure files sent through the internet. NETSCAPE INVENTED SSL; SSLv3 still used; USE TLSv1.2 now. PaaS deals with it best in Cloud.
End to End – you can see ALL BUT PAYLOAD; normally done by service providers. Link – is usually point to point, EVERYTHING ENCRYPTED (“Black pipe, black oil, black ping pong balls”: all data is encrypted). YOU CAN LAYER THESE ENCRYPTION TYPES.

Security models and hardware (later domain notes)
Single state machine – operates in the security environment at one level; Multi-state machine – can offer several security levels without risk.
Information Flow Model – focuses on the flow of information. Information flow models are designed to prevent unauthorized, insecure, or restricted information flow between different levels of security (these are often referred to as multilevel models).
Noninterference Model – is loosely based on the information flow model; however, instead of being concerned about the flow of information, the actions of subject A (high) should not affect the actions of subject B (low) or even be noticed by subject B. Basically, the noninterference model can be imposed to provide a form of protection against Trojan horses. Southerland Model.
Subjects (active parties) and objects (passive parties) at a particular moment in time; Protection Keying – numerical values.
Common Criteria – defines a protection profile that specifies the security requirements and protections of a product that is to be evaluated. Evaluation Assurance Levels: EAL0 – inadequate assurance. A SECURITY PRODUCT MAY BE CERTIFIED; certification and accreditation.
RAM is volatile, meaning if it is turned off the data will be lost. Two types of RAM are dynamic and static. ROM is sometimes referred to as firmware and cannot be altered; however EPROM can be altered.
RISC – reduced instructions, less number of fetches. CISC – complex instructions.
Process states: Ready – process prepared to execute when CPU ready; Running – until its time slice expires, after which the process is ready for continued execution.
Paging – divides memory address space into even size blocks called pages; to emulate that we have more RAM than we have. Process confinement allows a process to read from and write to only certain memory locations and resources, as sandboxing; memory pools.
1GL: machine language (used directly by a computer). 2GL: assembler. 5GL: Prolog, Lisp, artificial intelligence languages based on logic.
ITIL as a whole identifies best practices that an validating **** Random Access Memory (RAM) – is a temporary holding place organization can adopt to increase overall availability. or it is blocked requirements of the security policy. process finishes or must be terminated Defining allowed interactions between subjects (active parties) and . Stopped. EAL1 –Functionally tested Erasable and Programmable Read-Only Memory (EPROM) is non. If all aspects of a state meet the finishes. Initiation. . The information flow model also addresses Development/Acquisition. However. system tested and installed. .Structured methodology for Primary Storage – is a temporary storage area for data entering The ITIL Core includes five publications addressing the overall life documenting security requirements. REACTIVE TO PROACTIVE Bounds – a process consist of limits set on the memory addresses SYSTEM KERNAL KNOWS THE LOCATION OF THE PAGE FILE and resources it can access. This is also known BIGGEST JUMP IN MATURITY MODEL? 2 – 3. . maintains a secure state across all Multi-Threading: execute different parts of a program transitions. for the most part ROM . Service Design computer is turned off the data is not lost. audits 4GL: Natural / focus and SQL state or the actions of a subject at a lower security level. Loads & runs binary programs. Waiting. that any behavior will affect only the memory and resources them into instructions for CPU associated with the isolated process. schedules task swapping. memory protection feature that is built into the OS Isolation – When a process is confined through enforcing access allocates memory & tracks physical location of files on computers DEP prevents code from being run from data pages bounds that process runs in isolation. that state is considered Target of Evaluation (TOE): the product . purchased. 
EAL6 –Semi formally verified design and tested is waiting for a device or access request State Machine Model – describes a system that is always secure . all users on that system must have Information flow models don’t necessarily deal with only the clearance to access the info on that system. Disposal. Basic pl/1 and C++ actions of a subject at a higher security level affect the system operations. stacks. direction of information flow. Security Functional Requirements (SFRs): Specific individual the Information flow models are based on a state machine model. The security functions highest level of classification of the information within the Bell-LaPadula and Biba models are both information flow models. Many operations per instruction. and static. A transition always results in a new state (also called a Protection Profile (PP): set of security requirements for a category time state transition). executes on the CPU and keeps going until it no matter what state it is in. manages IO/OP requests from software. In other words. & translates such as the default heap. tested and reviewed . EAL4 –Methodically designed. Dynamic RAM needs to be refreshed from time to time management and change management processes. Static RAM does not need to be refreshed. documenting and and leaving the CPU cycle of systems. EAL3 –Methodically tested and checked Process states: Types of Security Models (210) . Simply put. A transition occurs when accepting input or producing Multitasking – execute more than one task at the same output. EAL7 –Formally verified design and tested . Ready. Service Strategy (EAL) Read-Only Memory (ROM) – is non-volatile. Segmentation – dividing a computer’s memory into segments. Divides physical memory ISO/IEC 21827:2008 SSE-CMM (Maturity Model) Techniques for Ensuring CIA up into particular sized blocks. A secure state machine model system always of products that meet specific consumer security needs Multiprocessing – more than one CPU is involved. 
EAL5 –Semi formally designed and tested . Organized around TCB entities. and allows subjects to access resources only in a Security Target (ST): identifies the security properties of TOE simultaneously secure manner compliant with the security policy. covert channels by specifically excluding all non-defined flow More fetches. disposition of information. Process isolation ensures hard disk. (196) numerical value called a protection key. developed or constructed. . often of compromising the system’s integrity. they can also address the type of Engineering Principles for IT Security (194) flow. need expressed. boots into a secure state. . The bounds state the area within OS Kernel () DEP. the noninterference model is concerned with how the Operation/Maintenance. Service Operations . security 3GL: FORTRAN. each of which has an associated Confinement – to restrict the actions of a program. Service Transition .Systems Engineering & Modeling (194) Common System Components (198) ITIL (208) Common Criteria ISO 15408 . computer. pathways. Simpler operations per instruction. EAL2 –Structurally tested volatile like ROM. which means when a . Data Execution Prevention – a system-level which a process is confined or contained. and people are Memory Protection (200) protection against damage caused by malicious programs such as your last. Monitor event and notification). These are called (process isolation. and consistency system relate to inputs to another system. Trusted Facility Management information is constrained to flow in the directions that are labelled as to their level of classification or sensitivity. and MAC – Subjects are labelled as to their level of clearance. . DoD. functionality or vice-versa. . First mathematical model defined self-contained location are evaluated. covert channel analysis). subject at one level of integrity cant invoke subject at a resource protection). protect audit trail). 
Use need to know principle System accreditation – a major application or general support . Cannot read up (simple e=read security rule) in a particular security mode using a prescribed set of safeguards . level Site accreditation – the applications and systems at a specific. Exception is a trusted subject. low security level to a high security level. Cannot read down (simple e=read integrity rule) part. Columns are ACL’s TAKE-GRANT IT system and other safeguards made in support of the . and it doesn’t require ITSEC: it is used in Europe only. thus classification approving authority (DAA) that an IT system is approved to operate . . greatest lower bound. Requires auditing . Works with SCI Constrained Data items. Data Owners(protect data). refers to any system being evaluated as a target of Green = password management prevents conflict of interests from members of the same evaluation (TOE). Thus flow of information Subjects – Users(perform work task). BLP + Biba . System Architecture scans data items and confirms their integrity. 6 B3 MAC. integrity is to be preserved which reciprocates by reversing those roles (so that system 7 A MAC. Configuration . Cascading: Input for one system comes from the output of management . Structured protection (trusted path. cannot write up (* integrity) 1 D minimal protection. focused on relationship between subjects and objects it meets requirements. that a system’s security components be isolated within a TCSEC it evaluates functionality and assurance separately. management can formally accept the adequacy of the overall . Labeled security CLARK WILSON systems rather than within an individual system. Access to objects only through programs A first provides input for system B and then system B Operational assurance requirements for TCSEC are: . Lipner Model – Confidentiality and Integrity. It doesn’t touch the network . Each object is assigned a security class and value. higher level of integrity Composition Theories 3 C2 DAC. 
Certification is the comprehensive . Controlled access protection (object . control depending on user’s previous actions. Hookup: One system sends input to another system but . An integrity verification procedure (IVP) is a procedure that provides input to system A). Integrity model systems. . Biba is concerned with preventing information flow from a Some other models that fall into the information flow category build on reuse. It only addresses confidentiality! . Unlike another member of that organization. tranquility principle in Bell-LaPadula prevents security Type accreditation – an application or system that is distributed to level of subjects from being changed once they are created a number of different locations is evaluated. . Uses STATES and STATE TRANSTIONS Accreditation – the formal declaration by the designated . integrity model composition theories because they explain how outputs from one 5 B2 MAC. Strong star rule: read and write capabilities at the same system is evaluated. (identification. application and systems. Rows are capability lists . authentication. not USA. Trusted recovery permitted by the security policy. Supports discretionary access control transfer to objects or that subjects can take from other design and implementation meets a set of specified security BELL-LAPADULA = MAC SUBJECTS/OBJECTS/CLEARANCES/ subjects requirements. Orange = TCSEC evaluation Brewer and Nash Brown = trusted facilities management . . Simple integrity property ITSEC TCSEC Explanation . devices . PROPERTY). (security labels) based on Bell . Covert Channel analysis . Enforces segregation of duty There are three recognized types of composition theories: operator/admin roles. . does not rely on the notion of a TCB. Models (211) Models (211) (cont) Certification and Accreditation (216) MATRIX Graham-Denning Certification – is evaluation of security features and safeguards if . 
Uses access matrix to specify discretionary access control security performance of an evaluated system. Addresses CIA. and Rainbow series: from one security level to another. The Chinese Wall model provides a dynamic access ITSEC (216) dcsmmmTan = audit. . Feedback: One system provides input to another system. developed by DOD. . Separate . .S. any systems that fails . Access rights are read. Confidentiality model . lattice based (least upper bound. Objects are . logged. . Bell-LaPadula is concerned with preventing information flow Product Evaluation Models (216) from a high security level to a low security level. (Bell & Biba) Data Custodians (classify and protect data) Red = trusted network. the notion of how inputs and outputs between multiple systems relate 4 B1 MAC. data item whose . Cannot write down (* property rule AKA CONFINEMENT at an acceptable level of risk. Information Technology Security Evaluation Criteria organization to look at information that creates a conflict of . flow higher levels policy) 2 C1 DAC. verified protection . . Trusted Computer System Evaluation Criteria BIBA – MAC “if I in it INTEGRITY MODEL” TCSEC: (Orange book) From the U. Once accreditation is performed. Commercial use another system. security domain (trusted recovery. write and execute evaluation of the technical and nontechnical security features of an . . Provides access rights to subjects for objects . Formal. Focus on protecting objects from external threat to one another— which follows how information flows between LaPadula security model. Cannot be tampered. uses a direct graph to specify the rights that subjects can accreditation process to establish the extent to which a particular . includes coverage for maintaining targets of evaluation after Therefore a system can provide low assurance and high 1st Commercial Model changes occur without requiring a new formal evaluation. it evaluates operating . Aqua = glossary. 
Assurance from E0 to E6 (highest) and F1 to F10 (highest). This model . TCB. System Integrity Information flow model also sends input to external entities. a single host computer. ISMS.community & hybrid security governance. is a derivative of PaaS. type. takes the PaaS model yet another and encourages the mapping of IT security ideals to business . However. the additional to access. For OS of virtual hosts. uses when performing calculations computing platform and software solution stack as a virtual or cloud- ISO 27002 – (inspired from ISO 17799) – a guideline which lists or processing instructions. one of the CPU’s registers as the base location from Data Warehousing – large databases. However. Base + Offset Addressing – uses a value stored in modern database platforms. the PaaS – Platform-as-a-Service is the concept of providing a systems arithmetic-logical unit (ALU). and managed/ filtered Internet connectivity. Customer supplies application code that the vendor then Consider the overall control framework or structure of the security working in kernel mode/system mode in an ad hoc and non.two or more processes require access to the same where the desired data resides and then retrieves the a higher level. sources. warehouses and look for potential correlated information. SaaS COBIT – Control Objectives for Information and Related Memory Addressing – When using memory resources. timing. The organizations. the memory address supplied to information. small memory locations directly in the based service. this type of cloud solution provides all the security control objectives and recommends a range of specific CPU. cloud-based assets for a single organization. policy implementation and management Principle 1: Meeting Stakeholder Needs . Info security minimum accessible memory locations that the brain of the CPU. PaaS. parent organization still responsible for patching Principle 2: Covering the Enterprise End-to-End is supplied to the CPU as part of an instruction. 
Direct Addressing – In direct addressing. the OS to provide a safe and efficient place for since the contents of the memory location can be Hybrid – mix of public and private programs to execute. dynamic scaling. The Inference – involve combining several pieces of non-sensitive to another. including usage. 14 areas Stack Memory Segment – used by processors to communicate solution package). Data dictionary – commonly used for storing critical information about data. it’s instructed to retrieve based on who is hosting the assets and the service Used to host one or more operating systems within the memory of the value from register 1. . more granular than 27001. Timing (233) the CPU as part of the instruction doesn’t contain the Aggregation attacks are used to collect numerous low-level security TOCTTOU attack . the provides on-demand online access to specific software applications Technology. Private. the CPU might process the command “Add 2 CaaS – not a TERM! Principle 4: Enabling a Holistic Approach to the value in register 1. and transition between one system state address (perhaps located on a different page). Community.race condition exploits. aspects of a platform (that is. Essentially. (ISACA). Indirect Database Security (237) is a virtual re-creation of a SAN on top of a virtualized Addressing Aggregation – SQL provides a number of functions that combine network or an SDN. Virtual SAN – software-defined shared storage system immediate addressing’s hard-coded data. Indirect addressing – uses a scheme similar to direct records from one or more tables to produce potentially useful addressing. modularized OS SaaS – Software-as-a-Service. it uses a register address (for example. deductive capacity rather than the raw mathematical ability of normal functions . It prescribes goals and requirements for security controls addressing. there crafted by the Information Systems Audit and Control Association locations in memory. 
Maintenance responsibilities are shared Virtualization (229) second is register addressing. the memory address contains another memory level or value. addressing schemes. model includes assets available for any consumers operating system. Such an OS is also known as a guest .” This command uses two . and does not need to retrieve that value from a memory . This can include utility or metered COBIT 5 – is based on five key principles for governance and operation. The CPU then adds the offset information from a variety of databases for use with specialized supplied with the instruction to that base address and analysis techniques. Virtual machine – simulated environment created by addressing is more flexible than immediate addressing the organization. administrative task automation. Aggregation is not without its security vulnerabilities. provides cloud-based assets to two or more location— it’s supplied as part of the command. computing services. retrieves the operand from that computed memory Data Mining – technique allow analysts to comb through data location. In many cases. management of enterprise IT: “register 1”) to access its contents. virtualization services. The solution to this problem is known as are few local hardware and OS limitations. known as registers. a standard.Security Standards (222) Memory Components Cloud Service Models (241) ISO 27001 – focused on the standardization and certification of an Register – CPU also includes a limited amount of onboard Original service models – SaaS. and communication actual value that the CPU is to use as an operand. Integrated Framework example. Service host OS installed directly on the computer hardware. memory. Register Addressing – When the CPU needs step forward and provides not just on-demand operating solutions objectives. CPU reads the indirect address to learn the address information to gain access to information that should be classified at RACE . 
Immediate Addressing – is not a memory addressing services. From the perspective that there is an original or provided with an actual address of the memory location to rent or lease and is hosted by an external CSP. addressing— the CPU is being told to add the value 2 organization but also as a guideline for auditors. inference makes use of the human mind’s resource and must complete their tasks in the proper order for actual operand from that address. Direct provides the cloud-based services at a level acceptable to . Principle 5: Separating Governance from Management. the CPU is . Principle 3: Applying a Single. that provide it with directly model. the operating system and complete security controls. The address must be located on the same level agreements can be effective at ensuring the CSP Oses hosted by the hypervisor system are guests. The first is immediate Organizations can create and host private clouds using COBIT is used not only to plan the IT security of an their own resources. scheme per se but rather a way of referring to data that Deployment Models. items and combine them to create something of a higher security disconnects are known as state attacks because they attack Instead. changed more readily than reprogramming the . store large amounts of which to begin counting. The primary attraction of PaaS is the avoidance of BOTH INSPIRED FROM BS7799 instructions and data to each other having to purchase and maintain high-end hardware and software Control Frameworks (223) Monolithic Operating System Architecture – all of the code locally. models. memory page as the instruction being executed. IaaS – Infrastructure-as-a-Service. executes on its own infrastructure solution desired by the organization. information from one of its registers to complete an but complete outsourcing options. data flow control. original deployment organization’s information security management system (ISMS). Public. 
is a documented set of best IT security practices. processor must have some means of referring to various ... or suites without the need for local installation. DBMS software reads the data.

Key Encryption Concepts and Definitions (243)
Cryptography – the art and science of hiding the meaning of communications from unintended recipients (Greek: kryptos=hidden, graphein=to write). Purpose: protect transmitted information from being read and understood except by the intended recipient.
Cryptanalysis – breaking the cipher text. Encrypted text can be broken by statistical looking at repeating characters or repeated bits.
Cryptology: cryptography + cryptanalysis.
Cryptosystem – set of transformations from a message space to cipher space.
Cryptographic Algorithm – step by step procedure to encipher plaintext and decipher cipher text.
Steganography – secret communications where the existence of a message is hidden (inside images for example).
Plaintext – message in clear text readable form.
Cipher text or Cryptogram – unintelligible message.
Encipher – make message unintelligible. Decipher – to make the message readable.
Key or Crypto variable – information or sequence that controls the enciphering and deciphering of messages.
Key Length – use with each algorithm based on the sensitivity of information transmitted; longer key the better! (DES, TDES)
Key Space – represents the total number of possible values of keys in a cryptographic algorithm for the encryption of a plaintext; the range of values that are valid for use as a key for a specific algorithm. A key space is defined by its bit size; bit size is nothing more than the number of binary bits (0s and 1s) in the key. The key space is the range between the key that has all 0s and the key that has all 1s. Key space doubles each time you add a bit to key length. HOW HARD TO BRUTE FORCE.
Kirchhoff’s Principle – all but key, system secure.
Key Clustering – when different encryption keys generate the same ciphertext from the same plaintext message. BAD.
Clustering – situation wherein plain text messages generate identical cipher text messages using the same algorithm but with different crypto-variables or keys.
Work Factor – time and effort required to break a protective measure.
Confusion – mixing the key values during repeated rounds of encryption, which makes cryptanalysis more difficult; make the relationship between ciphertext and key as complex as possible.
Diffusion – mix location of plaintext throughout ciphertext, dissipate pattern.
Substitution – like shifting and rotating alphabets, shift letters, meaning that letters are scrambled.
Transposition/permutation – process of reordering plaintext to hide the message (rambo = ombar), for example vertical instead of horizontal; word scramble. Permutation is used; the key determines positions that the characters are moved to.
Vigenere Cipher – uses key words and numerous rows (traditionally 26), each one of which is offset by one.
One Time Pad – encipher each character with its own unique key that is used only once; key of a random set of non-repeating characters; unbreakable supposedly. Vernam – cipher (one time pad).
Exclusive OR – Boolean operation that performs binary addition.
Codes – cryptographic transformation that operates at the level of words or phrases. Ex. one by land, two by sea.
Cipher – cryptographic transformation that operates on characters or bits.
Null Cipher – used in cases where the use of encryption is not necessary but yet the fact that no encryption is needed must be configured in order for the system to work.
Block Cipher – segregating plaintext into blocks and applying identical encryption algorithm and key. (... block sequence to increase security by introducing additional cryptographic variance.)
SP-network – process described by Claude Shannon, used in most block ciphers to increase their strength.
Information Theory – Claude Elmwood Shannon.
Hash Function – one-way mathematical operation that reduces a message or data file into a smaller fixed length output; change of a single bit should drastically change hash.
Zero-knowledge proof – is a communication concept. A specific type of information is exchanged but no real data is transferred, as with digital signatures and digital certificates. “magic door”
Split knowledge – means that the information or privilege required to perform an operation is divided among multiple users. This ensures that no single person has sufficient privileges to compromise the security of the environment. M of N Control (multiparty key recovery) is an example of split knowledge.
Skipjack – Like many block ciphers, Skipjack operates on 64-bit blocks of text. It uses an 80-bit key and supports the same four modes of operation supported by DES. Skipjack was quickly embraced by the US government and provides the cryptographic routines supporting the Clipper and Capstone encryption chips. Skipjack has an added twist— it supports the escrow of encryption keys.
Meet in the Middle – Attackers might use a meet-in-the-middle attack to defeat encryption algorithms that use two rounds of encryption. This attack is the reason that Double DES (2DES) was quickly discarded as a viable enhancement to the DES encryption (it was replaced by Triple DES (3DES, EDE)).
End-to-end encryption – Encrypted information that is sent from point of origin to destination. In symmetric encryption this means both having the same identical key for the session.
Link encryption – stacked encryption using different keys.
Random Number Generators (RNGs) – Synchronous and self-synchronous.
Synchronous – each encryption or decryption request is performed immediately.
Asynchronous – encrypt/decrypt requests are processed in queues.
Goals of Cryptography: Confidentiality, Integrity, Non-repudiation. Protect data at rest. Protect data in transit.

Cryptographic Concepts
Certificate Authority – PKI; entity trusted by one or more users as an authority in a network that issues, revokes, and manages digital certificates.
Registration Authority – performs certificate registration services on behalf of a CA. RA verifies user credentials.
PGP (GPG) – encrypt attached files.

Security Monitoring
Reference Monitor and security kernel are used to determine whether a user should be allowed to access an object. “Complete mediation” means that all subjects must be authenticated and their access rights verified before they can access any object.

Social Engineering – act of tricking someone into giving sensitive or confidential info that may be used against the company.
Script kiddie – someone with moderate hacking skills; gets code from the Internet.
Phreakers – hackers who commit crimes against phone companies.
Blue Boxing – tone simulation that mimics telephone co. and allows long distance call authorization.
White box – dual tone, multifrequency generator to control phone system.
Red boxing – pay phones cracking.
Black Boxing – manipulates toll-free line voltage to phone for free.
Dumpster Diving – going through someone’s trash to find useful or confidential info; it is legal but unethical in nature.
Phishing – act of sending spoofed messages that pretend to originate from a source the user trusts (like a bank).
Salami – removal of a small amount of money, otherwise known as skimming.
Encrypted encrypt each time Proof of origin using private key of sender. undo encipherment modes of operation supported by DES. EEE. one by land. stream cipher that generates the key BEAT OUT BY Rijndal for AES. between security domains. errors will propagate . 64. example: SSL. checksum? Emulates one time pad .192 and 256 bits) token.variable algorithm up 0 to 2048 bits key size *Best choice to support a federated identity management system. using 64 block Diffie Hellman Key exchange . IPSEC S/MIME plaintext message independently. diffusion used in PGP software patented requires licenses Allow platforms to generate and respond to provisioning requests It is . Output Feedback OFB . Larger key sizes add additional security. and the US government has approved its use to Generally weaker than block mode cipher protect classified data up to top secret Security Assertion Markup Language (SAML) (271) Difficult to generate a truly random unbiased keystream . key exchange Scythe . or 128 bits) that uses User training about SSO directs a good idea Cipher Modes (249) . If an RC4 resistance against known attacks. SUBSTITUTION. world. Cipher Feedback CFB . Keys are 128. simplicity and used to provide a web-based SSO (single sign-on) solution. and 256 Can be difficult to implement correctly bits. Rivest Cipher 5.040 bits. CBC Cipher Block Chaining .poly-alphabetic substitution cipher machine influence of plaintext characters over many cipher text Equivalent of the RSA algorithm characters by means of transposition like HIDE ECC . 192. 16-rounds of substitution and transposition the keys Jefferson disks . 192 bits. These are the length = 168 bits.” or blocks. SUBSTITUTION & TRANSPOSITION Rivest. the people signatures No longer common/effective attack on wireless networks who developed the RSA asymmetric algorithm. No errors will . a message and apply the encryption algorithm to an entire message . & Adleman) works with one way History of Crypto (284) . 
History of Crypto (284)
Hieroglyphics – "sacred carvings".
Scytale – papyrus wound around a wooden rod to see the message (transposition).
Caesar cipher – mono-alphabetic substitution, shifting 3 characters (C3). ROT13 – rotate 13 places in the alphabet.
Cipher disks – 2 rotating disks with an alphabet around each.
Jefferson disks – 26 disks, each one offset by one, that cipher text using an alignment bar.
Paul Revere's lantern signal – "one if by land, two if by sea".
Hagelin machine (M-209) – mechanical cryptographic machine.
Enigma – polyalphabetic substitution cipher machine.

Symmetric Cryptography (254)
Both the receiver and the sender share a common secret key; fast (100 to 1,000 times faster than asymmetric). Secures long messages (bulk data). Weakness: key distribution and scalability.
DES – Data Encryption Standard, comes from IBM; DEA (Data Encryption Algorithm) is the algorithm. 64-bit block size, 64-bit key of which 56 bits are the actual key and 8 bits parity; 16 rounds of substitution and transposition (Feistel structure, right block/left block pairing). Replaced by AES in 2001.
Triple DES (3DES) – DES three times (DEA x3), 48 rounds (3x16). Modes: DES-EEE3 and DES-EDE3 (three different keys, key length 168 bits), DES-EEE2 and DES-EDE2 (two keys).
AES – Advanced Encryption Standard, the Rijndael block cipher algorithm; NIST selected it in 2001 as the standard replacement for the older DES. 128-bit blocks (Rijndael itself allows variable block and key lengths) with key sizes of 128, 192 and 256 bits; chosen for speed, simplicity and resistance against known attacks. The US government has approved its use to protect classified data up to top secret. Larger key size is safer (> 128). One of the most popular symmetric algorithms today: used by BitLocker (full disk encryption with a TPM), Microsoft Encrypting File System (EFS) for file and folder encryption, and WPA2 (CCMP). Not selected for AES (beaten out by Rijndael): Twofish, RC6, Serpent, MARS.
IDEA – International Data Encryption Algorithm: 64-bit plaintext blocks and 128-bit key, uses confusion and diffusion; used in PGP; was patented and required licenses.
Blowfish – by Bruce Schneier; 64-bit blocks, key lengths 32 to 448 bits; free. Used on Linux systems in bcrypt (the DES alternative for password hashing).
Twofish – Schneier; 128-bit blocks, keys up to 256 bits, 16 rounds; AES finalist.
RC4 – Rivest Cipher 4, a stream cipher (SSL, WEP). RC5 – Rivest Cipher 5, a block cipher of variable block sizes (32, 64 or 128 bits) and key sizes from 0 (zero) to 2,040 bits, patented by RSA Data Security. RC6 – block cipher, AES finalist. Rivest, Shamir and Adleman are the people who developed the RSA asymmetric algorithm.
Wireless – WEP is broken (attacks against WEP networks are trivial and WEP is no longer common); use WPA/WPA2, and WEP only if you have nothing else.

Cyber-Physical Systems (CPS) (278) – smart networked systems with embedded sensors, processors and actuators designed to sense and interact with the physical world in real time, supporting communication and collaboration.

Architecture frameworks – Zachman Framework: a common context to understand a complex architecture. TOGAF: a step-by-step method and framework, tools to go forward (FRAMEWORK AND METHOD). SABSA: Sherwood Applied Business Security Architecture, a layered model with a chain of traceability.
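The cipher modes listed on this sheet, run on a toy block cipher so that the error-propagation and pattern-leakage claims can be checked directly. This is an added example and not an algorithm from the sheet: the 16-byte Feistel cipher and its SHA-256 round function are assumptions made only to have something invertible to wrap ECB, CBC and OFB around (DES uses S-boxes and 8-byte blocks). It confirms that ECB leaks repeated blocks and confines a ciphertext error to one block, that CBC hides patterns but a one-bit ciphertext error corrupts the current block and one bit of the next, and that OFB propagates no error at all.

```python
"""Added example (not a cipher from the study sheet): a toy 16-byte Feistel
block cipher, built only to demonstrate cipher modes. The round function is
SHA-256 of the key, round number and right half (assumption, not DES's
S-boxes). Do not use this cipher for real data; the mode logic is the point."""
import hashlib

BLOCK = 16      # bytes per block
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, r: int, half: bytes) -> bytes:
    # Round function: keyed hash of the right half, truncated to half a block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):                    # Feistel: (L, R) -> (R, L ^ F(R))
        left, right = right, _xor(left, _f(key, r, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):          # same F, rounds undone in reverse
        left, right = _xor(right, _f(key, r, left)), left
    return left + right


def pad(data: bytes) -> bytes:                 # PKCS#7-style padding
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# Modes. The *_raw functions work on already padded data.
def ecb_encrypt_raw(key, data):
    return b"".join(encrypt_block(key, b) for b in blocks(data))   # each block alone


def ecb_decrypt_raw(key, data):
    return b"".join(decrypt_block(key, b) for b in blocks(data))


def cbc_encrypt_raw(key, iv, data):
    out, prev = [], iv
    for b in blocks(data):
        prev = encrypt_block(key, _xor(b, prev))   # chain previous ciphertext block
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_raw(key, iv, data):
    out, prev = [], iv
    for b in blocks(data):
        out.append(_xor(decrypt_block(key, b), prev))
        prev = b
    return b"".join(out)


def ofb_crypt(key, iv, data):
    # Keystream = repeated encryption of the IV; the plaintext never enters the
    # block cipher, so encryption and decryption are the same operation.
    out, state = [], iv
    for b in blocks(data):
        state = encrypt_block(key, state)
        out.append(_xor(b, state))
    return b"".join(out)


def ecb_encrypt(key, pt): return ecb_encrypt_raw(key, pad(pt))
def ecb_decrypt(key, ct): return unpad(ecb_decrypt_raw(key, ct))
def cbc_encrypt(key, iv, pt): return cbc_encrypt_raw(key, iv, pad(pt))
def cbc_decrypt(key, iv, ct): return unpad(cbc_decrypt_raw(key, iv, ct))


def ecb_leaks_patterns(key, pt) -> bool:
    """ECB: identical plaintext blocks produce identical ciphertext blocks."""
    ct = ecb_encrypt_raw(key, pad(pt))
    return len(set(blocks(ct))) < len(blocks(ct))


def error_propagation(key, iv, pt) -> dict:
    """Flip one bit in ciphertext block 0, decrypt, and list which plaintext
    blocks come out wrong in each mode."""
    padded = pad(pt)

    def damaged(ct):
        c = bytearray(ct); c[3] ^= 0x01; return bytes(c)

    def changed(dec):
        return [i for i, (a, b) in enumerate(zip(blocks(padded), blocks(dec))) if a != b]

    return {
        "ECB": changed(ecb_decrypt_raw(key, damaged(ecb_encrypt_raw(key, padded)))),
        "CBC": changed(cbc_decrypt_raw(key, iv, damaged(cbc_encrypt_raw(key, iv, padded)))),
        "OFB": changed(ofb_crypt(key, iv, damaged(ofb_crypt(key, iv, padded)))),
    }


if __name__ == "__main__":
    k, iv = b"0123456789abcdef", b"fedcba9876543210"
    msg = b"ATTACK AT DAWN.." * 3           # constructed: three identical blocks
    print(ecb_leaks_patterns(k, msg))        # True
    print(error_propagation(k, iv, msg))     # {'ECB': [0], 'CBC': [0, 1], 'OFB': [0]}
```

Note what "no propagation" buys an attacker: in OFB the one-bit ciphertext change became a one-bit plaintext change in a known position, which is the malleability of any stream mode; integrity needs a MAC regardless of mode.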
Asymmetric Cryptography (262)
Sender and receiver each have a public and a private key. The public key encrypts a message and the private key decrypts it; the private key signs and the public key verifies. Can be used for encryption, digital signatures and key exchange. Slower than symmetric; secures short messages (keys, hashes). Solves the key distribution problem.
RSA – Rivest, Shamir and Adleman; works with one-way (trap door) math with large prime numbers. Used for encryption, digital signatures and key exchange in SSL/TLS, IPsec, S/MIME and PGP.
Diffie-Hellman key exchange – about exchanging secret keys over an insecure medium without exposing the keys. Does not provide mechanisms for authentication (vulnerable to man in the middle).
El Gamal – works with discrete logarithms.
ECC – Elliptic Curve Cryptosystem, based on the mathematical properties of elliptical curves; the equivalent of the RSA algorithm, but it REQUIRES FEWER RESOURCES (smaller keys for the same strength); used in low-power systems (mobile phones etc.).
DSA – Digital Signature Algorithm, the US Government standard designed by NIST and NSA to be used in digital signatures; combines a hashing algorithm with an asymmetric key algorithm.

Hybrid Cryptography (266) – uses both asymmetrical and symmetrical encryption: asymmetric for the key exchange, symmetric for the bulk data (for speed). Examples: PGP, SSL/TLS.
PKI basics – in the public key infrastructure, certificate authorities (CAs) generate digital certificates containing the public keys of system users. Trust anchor = a public key that has been verified and is trusted.

Security Assertion Markup Language (SAML) (271) – an XML-based convention for the organization and exchange of communication, authentication and authorization details between security domains, often over web protocols. Commonly used to provide a web-based SSO (single sign-on) solution on the Internet; best choice to support a federated identity management system. If the home organization is offline, implement a cloud-based identity system. Assertions can be time-stamped to counter replay attacks. Weakness: SAML does not have a security mode of its own and relies on TLS and digital signatures; if an attacker can falsify SAML communications or steal a visitor's access token, they may be able to bypass authentication and gain access. User training about SSO is a good idea.
Service Provisioning Markup Language (SPML) – a newer framework based on XML but specifically designed for exchanging user information for federated identity single sign-on purposes; allows platforms to generate and respond to provisioning requests. It is based on the Directory Service Markup Language (DSML), which can display LDAP-based directory service information in an XML format.

Other things to know: sensitivity labels consist of a single classification and a compartment set. Hashes are attacked by brute force and dictionary attacks. MD5 has the same padding requirements as MD4: the message length must be 64 bits less than a multiple of 512 bits.
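Textbook versions of the two asymmetric operations described above, written with Python integers only so the math is visible. This is an added example, not code from the sheet: it generates 256-bit primes (toy size), uses no padding scheme (no OAEP/PSS) and picks a Diffie-Hellman group at random instead of a standard one, all of which are assumptions that disqualify it for real use. It shows RSA encrypt/decrypt, a signature made over the SHA-256 digest of the message and verified with the public key, and the Diffie-Hellman exchange in which both sides derive the same symmetric key from values sent in the clear (the hybrid pattern).

```python
"""Added example (not from the study sheet): textbook RSA and Diffie-Hellman
with Python integers. Toy parameters, no padding, random DH group: for
understanding the operations only, never for production use."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n >= 2
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full size, odd
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)): public and private key."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:             # e must be coprime to phi(n)
            break
    d = pow(e, -1, phi)                    # private exponent: e*d = 1 mod phi(n)
    return (p * q, e), (p * q, d)


def digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def rsa_encrypt(public, m: int) -> int:
    n, e = public
    return pow(m, e, n)                    # anyone can encrypt with the public key


def rsa_decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)                    # only the private key holder can decrypt


def rsa_sign(private, message: bytes) -> int:
    n, d = private
    return pow(digest_int(message), d, n)  # sign the HASH, not the message


def rsa_verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest_int(message)   # recover hash with public key


def dh_exchange(p: int, g: int):
    """Return (alice_key, bob_key): the symmetric key each side derives.
    Only A and B travel over the wire; an eavesdropper cannot get g^(ab).
    Nothing here authenticates the peer, so an active attacker can sit in
    the middle and run two exchanges; that is the DH weakness on the sheet."""
    a, b = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
    A, B = pow(g, a, p), pow(g, b, p)
    s_alice, s_bob = pow(B, a, p), pow(A, b, p)          # g^(ab) computed both ways
    width = (p.bit_length() + 7) // 8
    derive = lambda s: hashlib.sha256(s.to_bytes(width, "big")).digest()
    return derive(s_alice), derive(s_bob)                # feed into the bulk (symmetric) cipher


def demo():
    pub, priv = rsa_keygen(512)
    msg = b"Transfer 100 EUR to account 42"              # constructed sample
    sig = rsa_sign(priv, msg)
    ok = rsa_verify(pub, msg, sig)
    tampered_ok = rsa_verify(pub, b"Transfer 900 EUR to account 42", sig)
    k_alice, k_bob = dh_exchange(random_prime(256), 2)
    return ok, tampered_ok, k_alice == k_bob


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```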
PKI (289)
Understand the public key infrastructure (PKI): certificate authorities (CAs) generate digital certificates containing the public keys of system users; the issuer signs the certificate; a root CA must certify its own public key. Users then distribute these certificates to people with whom they want to communicate, and certificate recipients verify a certificate using the CA's public key. Who signs a digital certificate: someone vouching for the person, not the person. Cross certification – trust established between two CAs; it does not by itself check the authenticity of the certificates each CA issues. Every certificate in the certificate path must be validated.
Digital Certificates – contain specific identifying information (serial number, issuer name, subject/owner, public key, validity period) and their construction is governed by the international standard X.509. X.509 standard = PKI.
CRLs – Certificate Revocation Lists are maintained by the various certificate authorities and contain the serial numbers of certificates that have been issued by a CA and have been revoked, along with the date and time the revocation went into effect.
FIPS 140 – hardware and software security requirements for cryptographic modules.

Hashing (300)
Requirements for a hash: works on non-fixed-length input (input of any length) and generates a fixed-length output; must be relatively easy to compute for any input; the function must be one-way; must be collision free (different inputs should not produce the same digest).
Most used: MD5 (Message Digest, 128-bit digest) and SHA-1 (Secure Hash Algorithm, 160-bit digest, 512-bit blocks). The standard is now SHA-3; most still use SHA-2. HMAC – keyed hash for integrity and authentication.
MD5 – also processes 512-bit blocks of the message, but uses four distinct rounds of computation to produce a digest of the same length as the MD2 and MD4 algorithms (128 bits). MD5 implements additional security features that reduce the speed of message digest production significantly. Unfortunately, recent cryptanalytic attacks demonstrated that MD5 is subject to collisions, preventing its use for ensuring message integrity; in fact, it is possible to create two digital certificates from different public keys that have the same MD5 hash. MD5 is not good for securing passwords.

Digital signatures (296)
Work with a one-way hash (message digest). Correct way to create and use a digital signature: hash the document, encrypt only the hash with the sender's private key, and send both the plaintext document and the encrypted hash to the recipient (HASH it, then ENCRYPT the message digest). Proves that the signature was provided by the intended signer; provides integrity (hash code / message digest) and non-repudiation. If you only want to check that a mail is not altered: use a digital signature! Acceptable algorithm choices (FIPS 186): DSA, RSA, ECDSA signatures.

Cryptographic Attacks (CRYPTANALYSIS)
Brute force – will win given no constraints on time and resources. Online attack against the live system vs. offline attack (attacker prepares a list of candidate plaintexts/passwords and works on captured data).
Ciphertext only – attacker sees only the ciphertext (the most difficult for the attacker).
Known plaintext – attacker knows both the ciphertext and the plaintext.
Chosen plaintext – attacker chooses plaintext values and obtains the corresponding ciphertext; in the adaptive form, chooses the plaintext based on the ciphertext already received.
Chosen ciphertext – attacker chooses ciphertext values and obtains the plaintext ("lunchtime attack": temporary access to the decryption machinery).
Collision – the same message digest results from hashing two different messages.
Birthday attack – collisions appear much faster than brute force (after about 2^(n/2) attempts for an n-bit digest, the birthday paradox).
Traffic analysis – inference of information from analysis of traffic; countermeasure: traffic padding – generation of spurious data units.
POODLE – Padding Oracle On Downgraded Legacy Encryption; the attack helped force the movement from SSL 3.0 to TLS because it allowed attackers to easily access SSL-encrypted messages. CRIME/BEAST – earlier attacks against SSL/TLS.

Email Security (297)
PEM – Privacy Enhanced Mail: encryption, authentication, integrity and non-repudiation (X.509 certificates). MSP – Message Security Protocol: the military's secure messaging protocol for X.400.
S/MIME – Confidentiality (encryption), Integrity (using PKCS / X.509 PKI) and non-repudiation through signed message digests; authentication through digital certificates.
PGP – Pretty Good Privacy: uses IDEA and RSA instead of DES; commercial version with licensing fees, free version for noncommercial use.

Digital Rights Management (298) – uses encryption to enforce copyright restrictions on digital media. DMCA – the first major provision is the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder; it serves to bring U.S. copyright law into compliance with the terms of two World Intellectual Property Organization (WIPO) treaties.

Applets and ActiveX
Applets – code objects sent from a server to a client to perform some action. Java applets are simply short Java programs transmitted over the Internet to perform operations on a remote system; they are actually self-contained miniature programs that execute independently of the server that sent them, inside a sandbox.
ActiveX – controls are Microsoft's answer to Sun's Java applets. They operate in a similar fashion, but are implemented using a variety of languages (C, C++, Java, Visual Basic). Two key distinctions between Java applets and ActiveX controls: first, ActiveX controls use proprietary Microsoft technology and, therefore, can execute only on systems running Microsoft browsers; second, ActiveX controls are not subject to the sandbox restrictions placed on Java applets. They have full access to the Windows operating environment and can perform a number of privileged actions.

Other things to know: STUXNET – worm aimed at Iranian nuclear enrichment capability. Validating the TCB = formal verification of system integrity. Security perimeter = the line between the TCB and everything outside it. "Dominate" in access control: a subject's label dominates an object's label when its clearance is higher or equal (and its compartments include the object's).
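The hash properties, birthday attack and keyed-hash points above, made concrete with the standard library. This is an added example and not code from the sheet; the sample messages, the 24-bit truncation of SHA-256 used to make the collision search finish instantly, and the PBKDF2 parameters are all assumptions. It shows fixed-length output for any input length, a birthday search that finds a collision in roughly the square root of the brute-force effort (which is why the bit length of the digest matters, and why 128-bit MD5-style digests are too short once structural collisions exist), an HMAC checked in constant time for integrity against an active attacker, and salted iterated hashing in place of a bare fast hash for passwords.

```python
"""Added example (not from the study sheet): hash properties, a birthday
collision search on a truncated digest, HMAC for integrity, and salted
password hashing. All sample inputs are constructed."""
import hashlib
import hmac
import math
import os


def sha256_hex(data: bytes) -> str:
    """Fixed-length (64 hex chars) output for any input length."""
    return hashlib.sha256(data).hexdigest()


def hamming_bits(a: bytes, b: bytes) -> int:
    """Differing bits between two equal-length digests (avalanche effect)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def truncated_digest(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256: a small n-bit 'hash' to attack quickly."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def birthday_collision(bits: int):
    """Hash distinct messages until two share an n-bit digest.
    Returns (m1, m2, attempts); expected attempts ~ sqrt(pi/2 * 2**bits),
    far below the 2**bits a preimage search would need."""
    seen = {}
    for i in range(2 ** bits + 1):              # pigeonhole guarantees termination
        m = b"msg-%d" % i
        h = truncated_digest(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    raise AssertionError("unreachable")


def expected_birthday_attempts(bits: int) -> float:
    return math.sqrt(math.pi / 2 * 2 ** bits)


def mac_tag(key: bytes, message: bytes) -> bytes:
    """A plain hash only catches accidental corruption: anyone can recompute
    it after tampering. A keyed HMAC cannot be recomputed without the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)   # constant-time compare


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as one string.
    Salt defeats precomputed tables; iterations slow down guessing."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(len(sha256_hex(b"")), len(sha256_hex(b"x" * 10_000)))          # 64 64
    print(hamming_bits(hashlib.sha256(b"abc").digest(), hashlib.sha256(b"abd").digest()))
    m1, m2, n = birthday_collision(24)
    print(m1, m2, n, round(expected_birthday_attempts(24)), 2 ** 24)
    key = os.urandom(32)
    tag = mac_tag(key, b"amount=100")
    print(mac_verify(key, b"amount=100", tag), mac_verify(key, b"amount=900", tag))
    record = hash_password("correct horse")
    print(verify_password("correct horse", record), verify_password("wrong", record))
```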
Threats (317)
Natural environment threats (earthquakes, floods, tornadoes; organisms: viruses, bacteria). Supply system threats (power, communications, water, gas). Manmade threats (vandalism, fraud, theft, construction). Politically motivated threats (terrorist attacks, riots, bombings). Other sources of damage: movement (collapse, earthquakes), projectiles (cars, trucks, bullets), energy (radio, electricity, radiation), gases, liquids. Life safety takes precedence!!
Vulnerability = a weakness; threat = someone will identify the weakness and use it against you (and so becomes the threat agent). Risk analysis → acceptable risk level → baseline → implement countermeasures. Layered defense model: all physical controls should work together in a tiered architecture (stacked layers).

Electrical Power (319)
Clean = no interference. Degradation: Spike – short high voltage; Surge – long high voltage; Sag/Dip – short low voltage; Brownout – long low voltage; Fault – short outage; Blackout – long outage; Transient – short-duration noise; Inrush surge – the surge of current required to power on devices. Counters: voltage regulators, surge protectors, constant voltage transformers, power conditioners, backup power. Short term: UPS – standby UPS (inactive till power goes down) or online UPS (uses AC line voltage to charge the batteries; power always flows through the UPS). Long term: backup power generator.
Interference: line noise can be EMI or RFI. Common-mode noise – radiation from the hot and ground wires (the difference between hot and ground; HINT: common – ground). Traverse-mode noise – radiation from the hot and neutral wires (the difference between hot and neutral). Counter: grounding/shielding and line conditioners.

Humidity (326) – normal is 40–60%. Below 40%: static electricity (up to 20,000 volts); above 60%: corrosion. Static discharge damage: 40 volts – sensitive circuits; 1,000 – scrambles the monitor display; 1,500 – disk drive data loss; 2,000 – system shutdown; 4,000 – printer jam; 17,000 – permanent chip damage.
Temperature – computer hardware 175°F (80°C); magnetic storage 100°F (37°C); paper 350°F (176°C).

Fire (328)
Fire needs fuel, oxygen and heat, plus the chemical reaction between them. Suppression: water suppresses temperature; soda acid reduces the fuel supply; CO2 reduces oxygen; Halon (and its replacements) interrupt the chemical reaction. Classes: A – common combustibles: water, soda acid; B – liquids: gas/CO2, soda acid (takes away fuel); C – electrical: gas/CO2 (displaces O2); D – metals: dry powder.
Halon: 1211 = portable extinguishers, 1301 = flooding systems. FM-200 is the most common replacement (others: CEA, NAF, FE-13, Argon, INERGEN, low-pressure water mist).
Detection: smoke activated, heat activated, flame activated (infrared); manual pull boxes; automatic dial-up to the fire department (auxiliary station alarm).
Sprinklers: wet pipe – always contains water. Dry pipe – water is held in a tank until the clapper valve releases it into the air-filled pipes. Pre-action – pipes fill with water first when heat is detected, then the thermal link in the nozzle melts to release the water (most recommended for computer rooms). Deluge – large amounts of water/foam. Fire extinguishers should be within 50 feet of equipment. Walls: 1-hour fire rating; an adjacent room storing paper needs 2 hours. Losses: direct fire damage plus smoke and water damage.

Security Capabilities of Information Systems
Trust – exists between two security domains, within the same organization or between different organizations; it allows subjects in one domain to access objects in the other domain. Within the context of least privilege, it is important to examine these trust relationships. Transitive trust – if A trusts B and B trusts C, then A inherits trust of C through the transitive property, which works like it would in a mathematical equation: if a = b and b = c, then a = c. A transitive trust extends the trust relationship between the two security domains to all of their subdomains. Nontransitive trust – exists between the two domains only; enforces the principle of least privilege and grants the trust to a single domain at a time; considered more secure.
TPM – Trusted Platform Module: both a specification for a cryptoprocessor chip on a mainboard and the general name for implementations of the specification. A TPM chip is used to store and process cryptographic keys for the purposes of a hardware-supported/implemented hard drive encryption system, which is considered more secure than a software-only implementation of hard drive encryption.
TEMPEST – the technology that allows the electronic emanations every monitor produces (known as Van Eck radiation) to be read from a distance (this process is known as Van Eck phreaking), and the standard for shielding and other emanation-reducing countermeasures: Faraday cage – a box, mobile room or entire building designed with an external metal skin, often a wire mesh, that fully surrounds an area on all sides (top, bottom, front, back, left, right); the metal skin acts as an EMI-absorbing capacitor. White noise – broadcasting false traffic at all times to mask and hide the presence of real emanations. Control zone – the implementation of either a Faraday cage or white noise generation, or both, to protect a specific area in an environment.
Side-channel attack – a passive, noninvasive attack intended to observe the operation of a device (timing, power draw, emanations). When the attack is successful, the attacker is able to learn valuable information contained within the smartcard, such as an encryption key.
Kerckhoffs' principle – a cryptographic system should be secure even if everything about the system, except the key, is public knowledge.
Constrained or restricted interface – implemented within an application to restrict what users can do or see based on their privileges.
Input and parameter checking – limit how much data can be proffered as input; proper data validation is the only way to do away with buffer overflows.
DHCP snooping – used to shield networks from unauthenticated DHCP clients.
ICS – industrial control system, a form of computer-management device that controls industrial processes and machines. There are several forms of ICS, including distributed control systems (DCSs), programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA). ICSs are used across a wide range of industries, including manufacturing, electricity generation and distribution, water distribution, sewage processing and oil refining.
SMDS – Switched Multimegabit Data Service: a connectionless packet-switching technology and a forerunner to ATM because of the similar technologies used; used to connect multiple LANs to form a metropolitan area network (MAN) or a WAN, and often the preferred connection mechanism for linking remote LANs that communicate infrequently.
Network Layers OSI MODEL (347)
HINT: All People Seem to Need Data Processing (Application, Presentation, Session, Transport, Network, Data Link, Physical). Data is encapsulated as it goes down through the layers: data → segments → packets → frames → bits.
Application – layer 7: applications and processes that use the network. Protocols: HTTP, S-HTTP, FTP, TFTP, SMTP, POP3, IMAP, TELNET, SNMP, LPD, NFS, DNS, X Windows, NNTP, GOPHER, SET. Technology: gateways.
Presentation – layer 6: uses a common format to represent data; translations like EBCDIC/ASCII, compression/decompression and encryption. Standards like JPEG, TIFF, ZIP, AU, MIDI, HTML. Technology: gateways.
Session – layer 5: sets up a logical persistent connection (a conversation) between peer hosts; simplex, half duplex, full duplex; inter-host communication. Protocols: RPC, NFS, SQL, NetBIOS, SSL/TLS (often placed here). Technology: gateways.
Transport – layer 4: end-to-end data transfer services and reliability; segmentation, sequencing, flow control and error checking; provides a manageable data flow to avoid congestion, overloading and data loss. Protocols: TCP, UDP, SPX, SSL/TLS. Technology: gateways.
Network – layer 3: path selection and logical/network addressing; routing; IP fragmentation. Data unit: packets. Protocols: IP, ICMP, ARP, RARP, IGMP, NAT, RIP, OSPF, BGP, IPX, IPsec, SKIP. Technology: routers, multilayer switches, virtual circuits (ATM).
Data Link – layer 2: physical (hardware/MAC) addressing; translates data into bits and formats them into frames with destination and source addresses; error detection; hardware and software drivers live here. Sublayers: LLC (Logical Link Control) and MAC (Media Access Control). Logical topologies and MAC addresses. Protocols: Ethernet, Token Ring, FDDI, ARP, RARP, SLIP, PPP (with LCP, BAP, MLP), PPTP, L2F, L2TP, HDLC, LAPD, Frame Relay, ATM, ISDN, X.25, ISL, CDP, SLARP, SNAP, BPDU. Technology: bridges, switches.
Physical – layer 1: electrical and physical signaling; converts bits into voltages or light impulses, sends and receives bits over cables. Physical topologies: BUS, STAR, RING, TREE, MESH. Standards: Ethernet physical layer, USB, DSL, ISDN, Token Ring physical layer. Technology: hubs, repeaters, cables, NICs.

Network layers TCP/IP Model (353)
Developed by the Department of Defense in the 1970s to support the construction of the Internet. HINT: AHIN. Application – layer 4 (OSI Application/Presentation/Session). Host-to-Host – layer 3 (OSI Transport): protocols TCP and UDP. Internet – layer 2 (OSI Network): defines the IP datagram and handles routing of data across networks (IP, ICMP, ARP, RARP, IGMP). Network Access – layer 1 (OSI Data Link and Physical): routines for accessing physical networks and the electrical connection.

Protocols
IP – Internet Protocol, connectionless datagram service: all hosts have an IP address; each data packet has the IP address of sender and recipient, and routing in the network is based upon these addresses. Addressing: IP uses the destination IP to transmit packets through networks until delivered. Fragmentation: IP will subdivide a packet if its size is greater than the maximum allowed on a local network. IPv4 addresses are 32 bits long; IPv6 addresses are 128 bits long.
TCP – Transmission Control Protocol: reliable, connection oriented; works with acknowledgements (ACK), sequence numbers and checksums (like having a telephone conversation with someone). Three-way handshake: SYN, SYN/ACK, ACK.
UDP – User Datagram Protocol: unreliable, connectionless; no sequencing, no error correction, less overhead (like sending a letter to someone). Considered unreliable because there is no guarantee that the packet will be delivered, that it is delivered only once, or that it is delivered in the same sequence in which it was sent.
ICMP – Internet Control Message Protocol: sends messages between network nodes regarding the health of the network and informs about rerouting in case of errors. The utility PING uses ICMP messages to check physical connectivity of network machines.
ARP – Address Resolution Protocol: used to match an IP address to a hardware MAC address. Sends out a broadcast asking the network node with that IP address to reply with its hardware address; stores the address in a dynamic table (cache) for the duration of the session, so ARP requests are only sent the first time.
RARP – Reverse Address Resolution Protocol: when the hardware address is known but the IP address has to be found (diskless machines).
BootP – Bootstrap Protocol: when a (diskless) workstation comes online it sends out a BootP request with its MAC address to get an IP address and the file from which it should boot. Replaced by DHCP – Dynamic Host Configuration Protocol.
SNMP – Simple Network Management Protocol: a collection of managed devices and agents; gathers network information by polling the devices from a management station; devices send out alerts called traps; data is organized in Management Information Bases (MIBs).
FTP – File Transfer Protocol: for file transfers, ports 20 and 21; cannot execute remote files as programs. TFTP – Trivial File Transfer Protocol: a stripped-down, scaled-down version of FTP on UDP port 69; no authentication, thus insecure; can only send/receive files but not browse directories. NFS – Network File System: protocol that supports file sharing between two different file systems. LPD – Line Printer Daemon: printing and spooling. SMTP – Simple Mail Transfer Protocol: email queuing, port 25. Telnet – terminal emulation that enables a user to access resources on another machine, port 23. X Windows – graphical user interface. RPC – Remote Procedure Call. OSPF – Open Shortest Path First: link-state routing protocol that computes the shortest path from a topology database. NetBIOS, IPX/SPX, AppleTalk (DDP, ATP, AFP) and NetBEUI are non-IP protocols.
Security protocols: SSL/TLS – Secure Socket Layer: encryption technology to provide confidentiality and integrity; layered as the SSL record protocol and handshake protocol; exchanges keys on a session-by-session basis; also uses a message authentication code for integrity checking; peer authentication with certificates. S-HTTP – Secure HTTP: encrypts individual HTTP documents; overtaken by SSL. SET – Secure Electronic Transaction: authentication for credit card transactions and secure exchange of credit card numbers; uses RSA certificates for authentication and triple DES for encryption/decryption. SSH-2 – Secure Shell: uses symmetric encryption for private connections and asymmetric or public key cryptography for peer authentication. SKIP – Simple Key Management for Internet Protocols. PPTP – Point-to-Point Tunneling Protocol; L2F and L2TP are the other layer-2 tunneling protocols; IPsec works at layer 3. PAP – Password Authentication Protocol; CHAP – Challenge Handshake Authentication Protocol; RADIUS – remote authentication.
Security Modes (used in MAC)
Dedicated security mode – users need clearance for ALL information on the system and need to know for ALL data; all users can access all data.
System high security mode – clearance for ALL information; need to know for SOME data; all users can access some data.
Compartmented security mode – clearance for ALL information they access; need to know for SOME data; all users can access some data, based on their need to know and formal approval.
Multilevel security mode – clearance for SOME information (not all); need to know for SOME data; all users can access some data, based on their need to know, clearance and approval. Uses information (sensitivity) labels.
Others: Controlled mode – a type of multilevel security where a limited amount of trust is placed in the system's hardware/software along with classification. Limited access mode – the minimum user clearance is "not cleared" and the maximum data classification is "unclassified but sensitive".

Wireless (364)
IEEE 802.11 defines wireless networking. Amendments (Amendment – Speed – Frequency – Range – Compatible with):
802.11 – 2 Mbps – 2.4 GHz (FHSS/DSSS) – 300 – none
802.11a – 54 Mbps – 5 GHz (OFDM) – 150 – none
802.11b – 11 Mbps – 2.4 GHz (DSSS) – 300 – none
802.11g – 54 Mbps – 2.4 GHz (OFDM) – 300 – b/g
802.11n – 200+ Mbps – 2.4 or 5 GHz – 300 – a/b/g/n
802.11ac – 1 Gbps – 5 GHz – 300 – a/b/g/n
802.11i – the security amendment: AES with CCMP (WPA2). 802.15 – Bluetooth. 802.16 – WiMAX (IEEE wireless broadband access, WBA). 802.20 – mobile broadband wireless access; LTE is the cellular alternative. 802.3 – Ethernet.

Security Enhancement Protocols – secure replacements for cleartext services: TELNET (remote terminal access) → Secure Telnet, and SSH – Secure Shell, used instead of Telnet for remote server administration via the command line; REMOTE PROCEDURE CALL → Secure RPC.

Firewalls
A method of guarding a private network by analyzing the data leaving and entering. Although firewalls are difficult to configure correctly, they are a critical component of network security. Firewalls can also provide network address translation, so the IP addresses of computers inside the firewall stay hidden from view.
Static packet-filtering firewalls (layer 3/4) – look at the packet header only; use rules based on a packet's source, destination, port or other basic information to determine whether or not to allow it into the network.
Application-level proxy firewalls (layer 7, really layers 3–7) – look at content and can involve authentication and encryption; can be more flexible and secure, but also tend to be far slower.
Circuit-level proxy firewalls (layer 5, e.g. SOCKS) – basically once the circuit is allowed all info is tunneled between the parties; protect a wider range of protocols and services than an application-level proxy, but not with as detailed a level of control.
Stateful inspection firewalls (layers 3 and 4; some sources say 7) – dynamic packet filtering: look at the state table and the context of packets (the conversation) from which to make their decisions.
Security Perimeter (370) – the first line of protection between trusted and untrusted networks. Generally includes a firewall and router that help filter connections to the network; may also include proxies, IDSs and IPSs. Other word for DMZ is screened subnet.

Network IPv4 (354)
Before a computer can communicate with the Internet it needs an IP address, a subnet mask and a default gateway. IP headers contain 32-bit addresses (in IPv4) and 128-bit addresses (in IPv6). MAC addresses of attached devices are 48 bits long; the first half identifies the manufacturer.
TCP/IP classes (first octet / default mask): Class A 1–126 / 255.0.0.0 (127 is loopback); Class B 128–191 / 255.255.0.0; Class C 192–223 / 255.255.255.0 (D 224–239 is multicast, E 240–255 reserved). An unsubnetted class C netmask is written /24 = 255.255.255.0.
Cabling: Ethernet twisted pair – CAT 3 UTP 10 Mbps; CAT 5 100 Mbps; CAT 5e/6 1,000 Mbps. Fast Ethernet 100Base-TX: 100 Mbps, 2 pairs of Cat 5 UTP, maximum segment 100 meters (328 feet). 1000Base-T – 1,000 Mbps. Attenuation – a decrease in amplitude as a signal propagates along a transmission medium (a twisted-pair run that is too long). Coaxial – more resistant to interference than twisted pair. Fiber optics – immune to EMI, but can be broken and has high cost/expertise. Topology failures: Token Ring – a token is passed by every station, so one station set to the wrong speed or in error can take the whole network down; too many workstations on one segment increase the likelihood of network congestion. 802.11 uses CSMA/CA. FDDI – Fiber Distributed Data Interface (data link): a form of token ring with a second ring that activates on error; high fault tolerance by relaying faulty segments to working ones.

Types of Wireless Networks (364) – use the 802.11x specifications to create a wireless LAN; can use DSSS and FHSS (SS stands for spread spectrum); 802.11b uses only DSSS. Infrastructure mode – needs an access point and wireless clients; connects endpoints to a central network, not directly to each other. Ad hoc mode – directly connects two or more clients, no access point. Stand-alone mode – an access point connects wireless clients to each other but to no wired network (an isolated system).
WEP – don't use; can be cracked in seconds; predecessor to WPA; weakened by the use of RC4 with a common key and a limited number of initialization vectors. WPA – uses TKIP (Temporal Key Integrity Protocol, still RC4) for data encryption. WPA2 – based on 802.11i, uses AES with CCMP; WPA2 Enterprise mode authenticates each user against a RADIUS server. LEAP – Lightweight Extensible Authentication Protocol: Cisco proprietary protocol written to handle problems with TKIP; provides re-authentication, uses RADIUS, and locks the account if a password cracker is detected; now considered weak.

Email Security Solutions & Certs (368)
PEM – provides authentication, integrity, confidentiality and nonrepudiation. MOSS – MIME Object Security Services. S/MIME – signed and encrypted email; S/MIME certificates are used for signed and encrypted emails. PGP. DKIM – DomainKeys Identified Mail: a domain validation tool (the sending domain signs outgoing mail so the receiver can verify it). SMTP and HTTP provide no confidentiality by themselves. Client SSL certificates – used to identify clients to servers via SSL (client authentication). SSL session key length ranges from 40 bits to 256 bits. HTTPS – use Nikto to scan the web server. Data backups address availability, integrity and recovery, but not confidentiality.
Directory and identity: LDAP – Lightweight Directory Access Protocol, a client/server directory query protocol loosely based upon X.500 for accessing directory services; manages user information and certificates (example: Active Directory). DN syntax is comma separated (no semicolons), and + joins multi-valued RDNs, e.g. cn=ben+ou=sales. OpenLDAP – the default on Linux. SASL – provides secure LDAP authentication. OpenID – paired with OAuth; a RESTful, JSON-based authentication protocol that can provide identity verification and basic profile information; a phishing attack is possible via a fake provider page. OAuth – the ability to access resources from another service (delegated authorization); both are used as part of SSO solutions.

Operations of Hardware (374) / LAN Devices (374)
Repeaters – amplify data signals to extend range (physical). Hubs – connect multiple LAN devices into a concentrator; actually a multi-port repeater (physical) that forwards data to all ports. Bridges – connect multiple networks at the data link layer; read the hardware address and forward data to all other network segments if it is not for the local segment. Switches – actually a multi-port bridge; will only send data to the specific destination address; operate at layer 2 (thus no IP addressing), though multilayer switches exist. Routers – connect multiple networks at the network layer; open up the data packet, read the network address and forward it to the correct network. To connect multiple LAN segments you can use bridges, switches and routers. Gateway – software that acts as an access point to another network, or a device that translates between different protocols. Modems – transmit data over telephone lines by converting digital signals to analog. LAN extenders – remote-access, multilayer switch that connects LANs over a WAN. Access servers – provide dial-in and dial-out remote access. Each host has a NIC on the local segment.

Switched Networks (378)
Leased lines – connect to the closest telephone company switch in a central office (CO); use multiple lines and/or multiple vendors for redundancy. T-1 – 1.544 Mbps; T-3 – 44.736 Mbps (45). ISDN – 64 or 128 Kbps: BRI = two B-channels of 64 Kbps plus a D-channel of 16 Kbps; PRI = 23 B-channels plus a D-channel, all 64 Kbps. ATM – 155 Mbps. DSL. Frame Relay WAN – private data carried over a public switched carrier network. CSU/DSU – Channel Service Unit / Data Service Unit: interface device used to terminate the physical interface on a DTE device and connect it to the carrier's digital circuit. WAN switches – multi-port networking devices used in carrier networks. Multiplexors – a device that enables more than one signal to be sent out of one physical circuit along a transmission medium. Hypervisor-based network – may be software defined, created and configured entirely within the virtualization host.

TCP Ports
FTP 20/21; SSH 22 (SFTP operates over SSH); Telnet 23 (rlogin and Telnet never use UDP, only TCP); SMTP 25; DNS 53 (TCP and UDP); TFTP UDP 69; HTTP 80; POP3 110; NetBIOS 137–139; IMAP 143; LDAP 389 (unsecure); HTTPS 443; SMB 445; LPD 515 (print traffic); LDAPS 636 (LDAP over SSL/TLS); Microsoft SQL 1433; Oracle 1521; Active Directory global catalog 3268 (unsecure) / 3269 (secure); RDP 3389; X Windows 6000–6063; network printers (JetDirect) 9100. UDP 21 is not used by any common file transfer protocol.
Zero day – application whitelisting is the countermeasure.
where connections are created can tell manufacturer.Terms Terms (Cont) Network Attacks – Denial of Service Broadband Technologies – ISDN. means to send error processors can be dedicated to specific tasks at design time. and data resource. reserving none for special SYN FLOOD . an attack that attempts to prevent authorized use of a CIR – (committed Information Rate) minimum bandwidth video. subset of remote control cookies from a request header authentication. or traffic flooding. file transfers Broadcast Domain – set of systems that can receive a broadcast caching. Bluejacking – when attackers send unsolicited messages via Counter: sync cookies/proxies. Extensible Authentication Protocol . trusted PAP – Password Authentication Protocol. Malware. allows existing high-speed UDP – User Datagram Protocol. beating valid replies from the real DNS server networking.TCP packets requesting a connection (SYN bit set) technologies. Filling up hard drive by using huge email attachments or are analog and not broadcast technologies. The storage sites target responds with a SYN-ACK packet. Encrypts username RST flag – used to reset or disconnect a session. lightweight service for FRAGGLE – similar to Smurf but uses UDP networks to be used to carry storage traffic connectionless data transfer without error detection and correction FDDI – Fiber Distributed Data Interface.IP spoofing involves altering a IP address mappings of a system to redirect traffic to alternative and then labels route for others to follow systems TCP packet so that it appears to be coming from a known. hardware address of machine. shared main memory. Collision Domain – set of systems that could cause a collision if code or software. attacker spoofs packet header to make it EAP. apply appropriate patches. Uses fragmented packets to target a TCP can be bypassed DNS Spoofing – when an attacker sends false replies to a MPLS – Multiprotocol Label Switching. Effectively. 
connection guarantee provided by service provider to customers SDN – Software designed networking. and PPP – Point-to-Point Protocol. more number of systems in organizational requirements DDOS – botnet. high performance flaw in how the TCP stack reassembles them. thus giving the attacker access to the network. and Session machines layers. ping to a single. causing the target system to become CAIN Attack . DOS requesting system. Proxy – form of gateway that provide clients with a filtering. Bluetooth Multilayer Protocols – allow encryption at various layers.544 Mbps. never replies. border point connection technologies. Using up all system resources CHAP – Challenge-Handshake Authentication Protocol. technologies to be compatible with existing wireless or point-to. Presentation. can be used with EAP predicting the targets choice of an initial TCP sequence number Things to Know Nikto. tokens wired network restrict UDP traffic. replaced SLIP . connections Supernet – made up of two or more networks restrict ICMP traffic (Hint IC = Its Smurf though spelled wrong) FCoE – Fiber Channel Over Ethernet. This can quickly overwhelm a system’s resources Attacks. packet (connection initiation) with the target host's IP address and messages for non-transient error conditions and provides a way to SMP – Symmetric Multiprocessors. iSCI – Internet Small Computer Interface. SSID – normally disabled for secure networks amplifying network).The attack involves sending a spoofed TCP SYN ICMP – Internet Control Message Protocol. finds final destination Session hijacking (Spoofing) . and are controlled by a single operating system instance allows location-independent file services over traditional network that treats all processors equally. but it computers collisions could also use traditional network devices running as virtual SMURF – ICMP requires three players (attacker. support later Bluesnarfing – targets the data or information on Bluetooth. cable modems. 
Bad – conceal covert enabled devices channels. Converged protocol that devices. and Bad Stuff while waiting for the half-open connections to time out. DSL. can and PW and performs periodic re authentication while connected restarting the connection via a new three-way handshake interrupt service or completely deny legitimate users of system using techniques to prevent replay attacks. Intercept PEAP – provides encryption for EAP methods and can provide Screenscraper – copy actual screen. or other service that protects their information from . does not implement CCMP. sends PW unencrypted RDP – provides terminal sessions w/out source. This can be done through flaw exploitation. probe the network in order to determine general characteristics architecture where two or more identical processors are connected The reason a LAND attack works is because it causes the about the network. are sent to the target network with a spoofed source address. quickly change the network based on they transmitted at the same time. uses path labels instead of network addresses. causes the system to crash or otherwise become unusable. Wapiti – web application vulnerability scanners . Teardrop . border uses a pair of rings with traffic flowing in opposite directions.1x. victim and Data Streams – occur at Application. Sends messages to reset targets host subnets masks from each other remote systems . sometimes logical boundaries IP packets are modified. Cost less than Fiber. uses Wired Extension Mode – uses WAP to link wireless clients to a routers should not accept packets that originate within network. but the spoofed source ISDN – PRI (Primary Rate Interface) bandwidth of 1. block FTP – File Transfer Protocol AMP . such as embedded systems. label switching. zombie.used in applications that UDP port 7 & 9 from entering network Gateway – translates between protocols are dedicated. EAP allows for new authentication accessible network broadcasting the message. 
This faster than BRI’s 144 Kbps ARP Spoofing – MAC – Machine Access Control. resources. resumed by DOS . employ IDS. used by PVCs – Private Virtual Circuits. token-passing network WAF – Web Application Firewall Countermeasures – disable broadcast at border routers. wide Common Session Hijacking Attacks: DNS Poisoning – when an attacker changes the domain name to area networking protocol. Converged Network – carries multiple types of traffic like voice. They connections.The length and fragmentation offset fields of sequential a range of protocols at higher levels. SONET – protocol for sending multiple optical streams over fiber Countermeasures – disable broadcast at border routers.an authentication Site Survey – identify areas where wireless network may be appear that it originated on the victim system with amplifying framework. Standard for linking data purposes. filters can be bypassed. when individual Land Attack . most common. used for dial up Used to overwhelm a targets resources T1/T3 lines that can support multiple simultaneous signals.Asymmetric multiprocessing . encapsulates EAS in a SPIT attacks – Spam over Internet Telephony and targets VoIP TCP sequence number attack – intruder tricks target to believe it TLS tunnel systems is connected to a trusted host and then hijacks the session by Port Based Authentication – 802. Burp Suite. extensible was used for PPP SUBNET – logical division of a network routers should not accept packets that originate within network. confused and crash.performed by sending malformed packets to a system. PPP servers to authenticate remote clients. ability of security applications. Uses a polling Sits between trusted and un-trusted network. Port 49 Asynchronous Transfer mode (ATM) very high bandwidth. therefore it’s not used for router- Synchronous Data Link Control (SDLC) . it masks the data origin. 
their authentication request to a central radius server that contains Other important WLAN protocols all of the user authentication and network ACL’s RADIUS does not Firewall architecture (377) provide two way authentication. more Shielded (STP) or unshielded (UTP) Cat 3=10BaseT. Uses data encapsulation on synchronous serial radius server accepts or rejects). ability to change user password. modular. interoperability and performance wise it’s a major Firewall Runs in windows NT. for UDP by remembering UDP packages across the network.Stateful inspection firewall (also known as Switched Multimegabit DATA Service (SMDS) high speed Dynamic) All packages are inspected at the Networking layer so and static password then the device queries a TACACS server to communication over public switches networks for exchanging it’s faster. Physical Consists of a host with 2 NIC’s. insecure because of not being filtered or firewalled . One connected to trusted. Also data link layer and dynamic/static password user can connect to any network server. access server prompt for High-level Data Link Control (HDLC) .remote connectivity using phone wireless etc.25. operating at Application supports multiple PVCs. tokens to be resynchronized and better audit trails and session Voice over IP (VOIP) combines many types of data into a single Fifth generation . requires DTE/DCE at each connection point individual routers. secure than radius. Protects against standard generic SSO solution. but hard to tap and resistant to EMI Integrated Serviced Digital Network (ISDN) communication protected by a single firewall that has multiple interfaces protocol that permits telephone line to carry data. Is considered a firewall and CHAP (part of PPP) supports encryption exchanging and acknowledging frames as detecting out of operates at Network or Transport layer of OSI XTACACS separates authentication. 
packet switched technology User passwords are administrated in a central database instead of layer of OSI that provides CIR. has minimal auditing. access server. audio Fiber Every workstation gets some Socks software to reduce overhead to the internet. the network access server is the layer of OSI un-trusted. multiple remote access servers. which then passes on the user’s credentials to the High Speed Serial Interface (HSSI) . Uses ACL’s. Works with dedicated leased lines boundary router.Application level firewall AKA processes Frame Relay High performance WAN protocol designed for use TACACS+: stronger through use of tokens proxy server While transferring data stream to another across ISDN interfaces. It RPC. Based on ACL’s access can forwarding number) somewhere you are be denied or accepted. and ports of the incoming package. video. In this context. Port 1812. Client/server protocol.Packet switching technologies Firewalls (376) Access Control Methodologies Remote Access X25 defines point-to-point communication between Data terminal TYPES Authentication Systems (390) Equipment (DTE) and Data Circuit Terminating Equipment (DCE) First generation – (static) Packet filtering firewall AKA Centralized access control Link Access Procedure-Balanced (LAPB) created for use with screening router Examines source/destination address. for mainframes. authorization and accounting sequence or missing frames Second generation . Two types: BRI Basic rate interface and Primary Rate Interface (PRI) xDSL uses regular telephone lines for high speed digital access Cable Modems Via single shared coaxial cable. Analyzed at all OSI Layers. Contains dynamic password mainframes to connect to their remote offices. Incorporates an AS network layer (package filtering) as application layer (proxy) links using frame characters and checksums. Internal routing capabilities must not server. Has no user authentication. It provides limited support authentication. 
sometimes used as and network service access information (Network ACLs) NOT a media access method. Using a public switched telephone network to Optic access an ISP Tiers – design separates distinct protected zones and can be Most expensive. Provides both credentials. encrypted. It can Fourth generation . Is fast but has no error correction.Dynamic Packet Filtering firewall TACACS+ Enhanced version with use of two factor allocate bandwidth up on demand making it a solution for Busty Enables modification of the firewall rule. voice and other source traffic. Can thus be used as translator between 2 network RADIUS client and a RADIUS server acts as an authentication types like Ethernet/token ring. TLS over TCP – to encrypt.created by IBM for Packet filtering routers to-router authentication. cordless phone signal is rarely encrypted and Has also defined a De-Militarized Zone (DMZ) : a small network Cat5=100BaseT easily monitored between trusted an untrusted. Coaxial Remote Access Technologies (390) Socks firewall More EMI resistant. Clients sends network packages and enforce security policies. LAPB defines frame types and is capable of retransmitting. Requires fiber optics. TACACS: user-id and static password for network access via TCP uses 53-byte fixed size cells instead of frames like Ethernet. external attacks. By examining the state and context of the data verify the password. supports TCP and TLD if set. A network device prompts user for a username Third generation . kernel based. system calls back to specific location (danger in user X25.extension to SDLC also Has both a packet-filter router and a bastion host. PW permanent up. Cost. Default UDP. USES UDP. The RADIUS server also provides AAA services for LAN Cables (378) be enabled to make it impossible to circumvent inspection of data. user enters credentials and forwards to radius server. Twisted pair Screened-subnet firewalls DIAMETER . protocol CALLBACK. multiplayer session evaluation. 
Uses dynamic TCP/IP stacks to inspect Remote Authentication Dial-In User Service RADIUS benefit. often leads to TACACS+.Defines electrical and Dual homed host firewall RADIUS server to verify authentication and authorization and to physical interfaces to use for DTE/DCE communications. one to track accounting. Asynchronous Dial-Up Access This is how everyone connects Broadband: multiple signal types like data. Remote connectivity via Data link layer of OSI model Screened-Host firewall system dial in (user dials in to access server.Kernel Proxy Firewall / Application level accounting IP packet. Terminal Access Controller Access Control System TACACS network. Baseband: only one single channel. TACACSs does not support prompting for ‘bursts of data’ between enterprises packages it helps to track connectionless protocols like UDP and password change or use of dynamic password tokens. unlike X. wire or fiber optics. Fiber Distributed Data Interface .Workstations are connected to form a closed loop LAN Transmission Protocols (398) . .IBM created.all transmissions have to travel the full length of the cable . 100baseT=Fast Ethernet =100MBps . communication addresses. ephemeral session key is used to encrypt the actual Internet is global. coax up to 500 meters . same IP address cannot appear inside and outside radio. intranet local for use within companies and content of communications between a web server and extranet can be used e.Saw-tooth form. not the Thinnet: 10base2 with coax cables up to 185 meters PPTP. You must tune the transmitter and receiver to a new of a NAT router. is like a dedicated leased line. both operate at layer 2. Only one single point-to-point connection per session then the system will call back a predetermined telephone number. Does not support EAP list and then uses Callback. rc6. 
Point To Point protocol (PPP) for authentication and Also less useful for travelling users 1000BaseT=Gigabit Ethernet=1GBps tunneling Ethernet networks were originally designed to work with more . and UTP: 10BaseT=10MBps . Both can encapsulate any LAN Challenge Handshake Authenticate Protocol (CHAP) non.source packet is copied and sent to multiple destinations Polling . Modems and dial-up remote access systems backbone on a campus AES or stream (bit/byte one by one o padding) like RC4. 2 protocols: AH Authentication header and ESP Encapsulated Analog signal . encrypted network via a public network Token-passing .incoming calls are only allowed from specific Ethernet IEEE 802. Sends initial packets in plaintext ARCnet .3 using CSMA with an BUS-topology Hint: TP at end for Tunneling Protocols addresses on an approval list. Works at data link layer of OSI Callback .source packet is copied and sent to all nodes its free .sends bits of data sequentially.checks incoming telephone number against an approval sporadic traffic than token ring networks . Enables multiple and simultaneous tunnels LAN Transmission Methods (396) CSMA with Collision Detection . email and files. frequency every time you want to communicate with someone. IP header is added. In one direction only. Connected through copper transport. supplies identifying code. L2F was not widely replayable passwords. it resends IPSEC MESH . . Creates a private. and half‐ data is in transit along with VPN and IPsec Connects LANS over a large geographical area duplex links can be digital or analog. Single point-to-point connection per session permits several tokens at the time active BUS . Point to Point tunneling protocol user! Thicknet: 10Base5. Less useful for travelling users. Provides identification and authentication of the user using static connected to a MAU Multi Access Unit. the link between two nodes. Port 115 STAR . This authenticates the node. 
multiple building connected to fast cipher types: block (padding to blocks of fixed size) like DES 3DES both sides. No encryption of user-id or password during Units – for filtering allowed MAC (Extended Unique Identifier) deployed and was soon replaced by L2TP. a building. Like a walkie-tealie translated to external IP addresses. Sober Synchronous very high speed governed by electronic clock timing MAN: metropolitan network extends over cities TLS – Transport Layer Security signals Wide Area network WAN .Host can only transmit when he polls a secondary to see if . . Build into IPv6 Multicast . .for Ethernet. Encryption for confidentiality and integrity DATA NETWORK SIGNALS they receive a clear to send token. Dial-up network use RING .11 . Layer 2 tunneling protocol FDDI. replayable challenge/response dialog L2TP. encrypt and protect transactions to prevent sniffing while Asynchronous communications.Infinite wave form. Network-to-network use Broadcast . L2F does not offer encryption. Hosts can only transit when . Layer 2 Forwarding Remote Node Security Protocols .MOST CURRENT not SSL!!! Virtual Private Networks VPN (388) A VPN is created by dynamically building a secure communications PVC .Remote Access Security Technologies LAN Media Access (398) VPN Protocols Restricted Address .g. minimal EMI interference LAN Topologies (394) .g. old IP header and data is encrypted Asynchronous .all nodes interconnected CSMA with Collision Avoidance workstations . Workstations . CAU: Controlled Access .User initiates a connection.uses token passing in a star technology on coax L2F.Permanent virtual circuits.Packet is sent from single source to single destination time. using a secret encapsulation method via logical circuit always exists and is waiting for the customer to send network address translation (NAT) where internal IP addresses are data. using jamming signals for the rest. protocol.nodes are connected to a central LAN device Carrier Sense Multiple Access CSMA . 
data is encrypted header is not tunneled: new uses electrical signal and a state change or on‐off pulses. If it doesn’t get an acknowledgement. Operates at Network Layer of OSI 2 coax cables. Cannot double NAT with the SVC – switched virtual circuit. All end stations are mutual authentication tunneling mechanism. Wireless 802.bus type with multiple branches send out packet. on-off only. TLS . Also in data-link layer of OSI ring with fiber optic. broadband connections. most effective control against session hijacking Internet intranet and extranet .Used in token rings. varied by Security Payload DATA NETWORK TYPES amplification works with Security Associations (SA's) Local Area Network LAN works with IKE protocols IKE IS FOR MANAGING SECURITY Digital signal . digital signals Limited geographically to e. Cisco developed its own VPN protocol called which is a Password Authenticate Protocol PAP Token Ring IEEE 802. Same speed on CAN: campus area network. continuous signal. is more like a shortwave or ham same IP range. pulses. Long distances.token-passing dual token .5 . by your customers and clients but is not client public.Only one host can send at the . Uses IPsec TREE . . Dial-up network use Caller ID . .are attached by . Encrypt and authenticate Unicast . Devices are sharing ASSOCIATIONS 2 modes: are a means of transmission that involves the use of a discontinuous resources like printers. always available Leased protocols with standard protocols. network Voice oriented.Voice over IP . This provides a There must be a dedicated physical circuit path exist during higher rate of data throughput than FHSS.a tunneling mechanism used to transport available frequencies is employed. employs a addressing. Circuit-switched networks SDN . and is open-standards Messages are stored on the network until a forwarding path is based. More downstream bandwidth up MPLS is designed to handle a wide range of protocols through association to use and the packet sequence number. 
is flexible. such as those from the TCP/ IP . and . Data (FCoE) can be used to support it over the existing network by ISP’s infrastructure. adds login. design.000 feet It is often viewed as a low-cost alternative to Fibre Channel. DSSS also uses a special management. transmission. Overtaken by xDSL. supports only half-duplex communications.5-2. not all useable payload of a standard Ethernet network. Packets will be send to the other network and reassembled.e. while multiplexing describes combining Packet-switched networks (PSN or PSDN) multiple signals over a shared medium of any sort. called packets. Spread Spectrum up to 12.a form of network data- the outside. Only works with IP at Network layer of OSI NON IP-sec . support for copper cables was added later Point to Point protocol (PPP) improvement on slip. but only one frequency at a time upstream over a single copper pair over 1. compatible . Fibre Channel over Ethernet Dial-up VPN’s remote access servers using PPTP commonly used password and error (by CHAP and PAP) and error correction. WAN. Data oriented. Wi-Fi may receive Nodes share bandwidth with each other by sending small data units interference from FHSS systems but doesn’t use it. ADSL .are the merging of specialty or proprietary IP-sec compatible Dedicated line reserved communication. Also contains strong encryption and authentication communicate with external hosts (Berkley UNIX. the AH. Like to 18.Very High speed 13-52MBps down. interference. SDSL . VDSL .Asymmetric. Sensitive to loss of data. It was designed to be operated PTP used in windows machines..High Rate T1 speed over two copper cable pairs retrieval over LAN. replacing IP as the server telephony and data transports. central location. transfers at upward of 16 GBps. FHSS – Frequency Hopping Spread Spectrum. This technology can be cable pair ESP Payload used to enable location-independent file storage. and thus do not cause interference with each other. 
ESP Header – contains information showing which security . HDSL .3 Mbps VoIP . SDN aims at separating the infrastructure layer (i. windows NT storage solution (SAN or NAS) that allows for high-speed file methods RAS). subnets. or public Internet connections.000 feet over single copper cable pair encapsulation. and available frequencies simultaneously in parallel. Encryption via Tunnel mode (entire data package line can be reserved for communications. Fibre Channel operates encrypted shell session from the internet through a firewall to a SSH Integrated Services Digital Network (ISDN) combination of digital as a Network layer or OSI layer 3 protocol. Typically for a telephone company network services of data transmission management). The modulated signals are perpendicular offers a new network design that is directly programmable from a Involves the transmission of messages from node-to-node. the ESP sequences every packet to thwart replay iSCSI . SDN compacted transmission. bandwidth data to remote subscribers based on short path labels rather than longer network addresses.00 to 4500 feet voice and/ or data over a TCP/ IP network. Serial Line IP (SLIP) TCP/IP over slow interfaces to Fibre Channel over Ethernet (FCoE) . The primary benefit of converged protocols is the ability to encrypted) or Transport mode (only datagram encrypted) . suite. Furthermore. routing. transmission. Multiprotocol. Neither FHSS nor DHSS uses orthogonal modulation.5 Mbps through telephone line use existing TCP/ IP supporting network infrastructure to host special or proprietary services without the need for unique .(Multiprotocol Label Switching) is a high-throughput high- Encapsulating Security Payload (389) xDSL Digital subscriber Line uses telephone to transport high performance network technology that directs data across a network Encrypts IP packets and ensured integrity.. 
and so on from needing to be digital multicarrier modulation scheme that allows for a more tightly Message switching networks programmed into or be deciphered by hosted applications. 1.Internet Small Computer System Interface (iSCSI) is a . to replace or supplant PSTN because it’s often less expensive and DSSS – Direct Sequence Spread Spectrum. due to “D Channel” used for call management not data MPLS . manual link establishment and teardown over fiber-optic cables. networking storage standard based on IP. All use spread spectrum techniques to transmit on more than one frequency at the same time. T3 44. Sensitive to loss of connection this also removes the traditional networking concepts of IP OFDM – Orthogonal Frequency-Division Multiplexing. to offer less-expensive options. employs all the offers a wider variety of options and features.e. Type of dedicated line. E1 European 2048 Mbps digital transmission Socks-based proxy servers Used to reach the internal network from .000 feet over single copper attacks. The entire range of .VPN Devices WAN Protocols (404) Converged Protocols (406) Is hardware or software to create secure tunnels Private Circuit technologies Converged Protocols . 5 available. is vendor neutral. no authentication. uses PAP or CHAP no error detection. . The right choice for networks that have to hardware and hardware-based settings) from the control layer (i. encoding mechanism known as chipping code to allow a receiver to reconstruct data even if parts of the signal were distorted because of communicate constantly.a unique approach to network operation. FCoE is used to encapsulate Fibre Channel Secure Shell SSH2 not strictly a VPN product but opens a secure link. T1 1. More cost effective than circuit switching because it creates virtual circuits only when they are needed.7 Mbps through telephone line deployments of alternate networking hardware. VoIP has the potential is used.Symmetric up to 10. communications over Ethernet networks. 
Access Control (440)
- ACCESS CONTROL is the flow of information between a subject and an object.
- Subject: active entity that requests access to an object or data within an object (user, program).
- Object: passive entity that contains information (computer, database, file, program).
- Four key principles upon which access control relies (IAAA):
  - Identification/Assertion: unique user name, account number etc. Not a strong ID or auth. Identification provides uniqueness.
  - Authentication: ensuring that a subject is who he says he is; process of verifying the user. Authentication provides validity. First piece of credentials.
  - Authorization: defines the access privileges a user has. Authorization provides control. Resources a user is allowed to access must be defined and monitored.
  - Accountability: who was responsible for an action? Logging is the best way to provide accountability.
- Relationship between Identity, Authentication, and Authorization: establish trust between the user and the system for the allocation of privileges.
- Registration: verify an individual's identity and add a unique identifier to an identity system; user provides private data.
- Logical Access Controls: tools used for IAAA; security features that control how users and systems communicate and interact with other systems and resources; bind a user to the appropriate controls based on the unique user instance.
- MAC Address: 48-bit number, supposed to be globally unique, but now can be changed by software.

Approaches to Administration (441)
- Centralized administration: one element responsible for configuring access controls; only modified through central administration. Benefits: consistency with regard to procedures, very strict control, wide view of all user access at any given time. Disadvantage: takes time to administer; can be a bottleneck or single point of failure.
- Decentralized administration: access to information is controlled by owners or creators of information. Disadvantage: may not be consistent; difficult to form a system-wide view.
- Hybrid: centralized control is exercised for some information and decentralized for other information.

Single/Multiple Factor Authentication (467)
- Type 1: the authentication factor is something you know (something a user knows). PASSWORDS, PIN, or passphrase.
  - Static password: same for each logon. One-time password, aka dynamic password, used only once. Passphrase: easiest to remember. Cognitive password: easy to remember, like your mother's maiden name.
  - Longer PW is more effective than all else. 62 choices (upper, lower, 10 numbers): add a single character to a PW and complexity goes up 62X. Password generators; user chooses own (do triviality and policy checking). PWs never stored for web applications in a well-designed ...
  - Dictionary attack (try many different words). Brute force attack (try many different characters), aka exhaustive. Rainbow tables (tables with passwords that are already in hash format; pre-hashed PW paired with high-speed look-up). Password checker and password hacker are both programs that can find passwords (checker to see if it's compliant, hacker to use it).
  - Salted hashes are stored and compared. Seed, SALT or NONCE: random values added to the encryption process to add more complexity. Passwords are never exchanged, only hashes of passwords. If the DB is compromised all PWs are compromised. On Windows systems, with the SYSKEY utility, passwords will be encrypted in their store (LM hash and NT hash). Weakness: only authenticates the first block and not the complete password.
  - Hash Tool: HAVAL, Hash of Variable Length, is a modification of MD5. HAVAL uses 1,024-bit blocks and produces hash values of 128, 160, 192, 224, and 256 bits. Not an encryption algorithm.
- Type 2: the authentication factor is something you have (something a user has). Devices that a user possesses can help them provide authentication. Examples include a smartcard (CAC), memory card, swipe card, badge, access card, token, or USB drive.
  - Synchronous (TIME BASED) dynamic token: uses time or a counter; timing between the token and the authentication server; SecurID is an example; with an added PIN it is strong authentication.
  - Asynchronous (NOT TIME BASED) challenge/response token: server sends a nonce (random value), this goes into the token device, which generates a response to the system/workstation-provided challenge.
  - Static password token: owner authenticates to the token, token authenticates to the information system.
- Type 3: the authentication factor is something you are or something you do (something a user is). It is a physical characteristic of a person identified with different types of biometrics.

BIOMETRICS
- What you are: physical. What you do: behavioral.
- TYPE 1 error: False Rejection Rate (FRR). TYPE 2 error: False Acceptance Rate (FAR). CER (Crossover Error Rate) or EER (Equal Error Rate): where FRR = FAR. The lower the CER/EER, the more accurate the system.
- Acceptable enrollment time: 2 minutes per person. Acceptable throughput time: 10 people per minute. Acceptability issues: privacy, physical, psychological.
- TYPES OF BIOMETRICS:
  - Fingerprints: made up of ridge endings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae. Finger print stores the full fingerprint (one-to-many identification); finger scan stores only the features (one-to-one identification). Finger scan is most widely used today.
  - Palm Scans: the palm has creases, ridges and grooves throughout it that are unique to a specific person.
  - Hand Geometry: the shape of a person's hand (the length and width of the hand and fingers).
  - Hand Topology: looks at the size and width of an individual's hand and fingers.
  - Retina Scans: scan the blood-vessel pattern of the retina on the backside of the eyeball. Can show medical conditions. MOST ACCURATE. Most expensive.
  - Iris Scans: scan the colored portion of the eye that surrounds the pupil. The IRIS is the same as long as you live. No sunlight in the iris scanner. Zephyr chart = iris scans. Government #1.
  - Facial Scans: take attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account.
  - Voice Print: distinguishing differences in people's speech sounds and patterns.
  - Signature Dynamics: electrical signals of speed and time that can be captured when a person writes a signature.
  - Keyboard Dynamics: captures the electrical signals when a person types a certain phrase.

Cryptography attacks
- Implementation Attack: a type of attack that exploits weaknesses in the implementation of a cryptography system. Focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system.
- Statistical Attack: exploits statistical weaknesses in a cryptography application, such as floating-point errors and inability to produce truly random numbers. Statistical attacks attempt to find a vulnerability in the hardware or operating system hosting the cryptography application.
- Social engineering: convince an individual to give access.

KERBEROS (463)
- MIT project Athena; Needham-Schroeder protocol; mature protocol; cheap and commonly used; works with loads of OS's. Kerberos is included in Windows now (replaced NTLM = NT LAN Manager). Windows uses Kerberos for authentication. Active Directory has sophisticated security resources (group policy, user rights, accounts).
- Uses symmetric key cryptography (symmetric keys include a password); is not public key cryptology. Kerberos addresses confidentiality, integrity and authentication, not availability.
- KDC (Key Distribution Center): a centralized database that includes information about subjects and objects; knows all secret keys of all clients and servers. Consists of the AS (Authentication Server) and the TGS (Ticket Granting Server), which grants tickets to the client for specific servers. Two tickets: the TGT and the service ticket.
- Realm: indicates an authentication administrative domain; the intention is to establish the boundaries within which an authentication server has the authority to authenticate a user. Principal: user, host or service.
- Time synchronization is critical (5 minutes is bad). Disadvantages: the KDC is a single point of failure and can be a bottleneck; once a key is compromised all resources can be accessed.
- The Kerberos logon process works as follows:
  1. The user types a username and password into the client.
  2. The client encrypts the username with AES for transmission to the KDC.
  3. The KDC verifies the username against a database of known credentials.
  4. The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user's password. The KDC also generates an encrypted time-stamped TGT.
  5. The KDC then transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client.
  6. The client installs the TGT for use until it expires. The client also decrypts the symmetric key using a hash of the user's password.
  7. Then the user can use this ticket with the service to use the service.
- SESAME: European; uses both symmetric and asymmetric encryption (thus an improvement upon Kerberos). Works with PACS (Privileged Attribute Certificates). Needs client software to interact.
- KRYPTOKNIGHT: IBM (thus RACF). Peer-to-peer relationship between the KDC and parties.

Single Sign On (SSO) (462)
- SSO is referred to as reduced sign-on or federated ID management. Benefits: inexpensive, ability to use stronger passwords, less time to access resources, easier administration. Disadvantage: single point of failure; once a key is compromised all resources can be accessed.
- SCRIPTING: scripts contain logon information that authenticates the user; can be combined with other SSO solutions. Thin client is also a single sign-on approach.
- AAA: guards a network with three elements: authentication, authorization and auditing. TACACS+ is used for network devices. RADIUS is typically used for wireless networks.
- DIRECTORY SERVICE: hierarchical X.500 standard protocol, like LDAP, for allowing subjects to interact with the directory. Hierarchical naming schema, organized through name spaces (through Distinguished Names). META directory gathers information from multiple sources and stores them into one central directory. VIRTUAL directory only points to where the data resides.

Identity Management (448)
- Federated Identity: sharing identity and authentication behind the scenes (like booking a flight --> booking a hotel without re-authenticating) by using a federated identity, so it is used across business boundaries. Federation roles: Identity provider (IdP), Service provider (SP), Principal (user). MS AD using MS AD Federation Services.
- SAML (478) (SOAP/XML): to exchange authentication and authorization data between security domains. Most used federated SSO. Relies on XML Schema. XML Signature: use digital signatures for authentication and message integrity based on the XML signature standard. Shibboleth SAML 2.0 enables web-based SSO. SAML is usually used to implement SSO, while OAuth is primarily used for authorization.
- Identity as a Service (IDaaS) (486): Identity as a Service, or Identity and Access as a Service, is a third-party service that provides identity and access management. Performs all of IAAA. Effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based Software as a Service (SaaS) applications. Ability to provision identities held by the service to target applications.
- Manage User Accounts within a Cloud (492): Cloud Identity – users are created and managed in Office 365. Directory Synchronization – users are created and managed in an on-premises identity provider; SAML 2.0 synchronizes. Federated Identity – the on-premises identity provider handles login. User directed.

Access Control Models and Authorization Mechanisms (496)
- There are several categories for access control techniques and the CISSP CIB specifically mentions four: discretionary access control (DAC), role-based access control (role-BAC), rule-based access control (rule-BAC), and mandatory access control (MAC). Access control techniques support the access control models.
- A subject is an active entity that accesses a passive object, and an object is a passive entity that provides information to active subjects. Objects are: files, directories and devices, network devices, modems, web applications. Access includes user authentication, authorization, auditing, and access protection (object reuse, protect audit trail). The method of authorizing subjects to access objects varies depending on the access control method used by the IT system. Access Management enforces RULES! Access is through ACLs.
- Discretionary Access Control (DAC): Graham-Denning. Allows the owner, creator, or data custodian of an object to control and define access to that object. All objects have owners, and access control is based on the discretion or decision of the owner. The DAC model is implemented using access control lists (ACLs) on objects; each ACL defines the types of access granted or denied to subjects. It does not offer a centrally controlled management system because owners can alter the ACLs on their objects at will. Access to objects is easy to change, especially when compared to the static nature of mandatory access controls. As the owner, the user can modify the permissions of the file to grant or deny access to other users. Discretionary can also mean: controlled by, or as deemed appropriate by, an owner. Identity-based access control is a subset of DAC because systems identify users based on their identity and assign resource ownership to identities.
- Role-BAC (RBAC): defines a subject's ability to access an object based on the subject's role or assigned tasks; is often implemented using groups. Role based/task based; task-based access controls define a subject's ability to perform an action. CAN MODEL ALL GROUPS OFF ORGANIZATION, NOT OFF BUSINESS DESIGN. Roles are a form of nondiscretionary control. Hybrid RBAC; Limited RBAC example.
- Rule-BAC: based on rules within an ACL; uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system. One common example of a rule-BAC model is a firewall. Firewalls include a set of rules or filters within an ACL, defined by an administrator. The firewall examines all the traffic going through it and only allows traffic that meets one of the rules. A distinctive characteristic about rule-BAC models is that they have global rules that apply to all subjects.
- Non-discretionary / Mandatory Access Control (MAC): a central authority determines what subjects have access based on policies. Authorization depends on security labels which indicate clearance and classification of objects (Military). Label: all objects and subjects have a label. Lattice based is part of it! (A as in enforcement: mAndatory!) Lattice based (greatest lower, least upper bounds apply). Mandatory Access Control: BELL model!
Understanding Authorization Mechanisms
- Access control models use many different types of authorization mechanisms, or methods, to control who can access specific objects.
- Implicit Deny: basic principle that most authorization mechanisms use. The implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to a subject.
- Access Control Matrix: a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine if the subject has the appropriate privileges to perform the action.
- Capability Tables: they are different from ACLs in that a capability table is focused on subjects (such as users, groups, or roles). For example, a capability table created for the accounting role will include a list of all objects that the accounting role can access and will include the specific privileges assigned to the accounting role for these objects. The difference between an ACL and a capability table is the focus. ACLs are object focused and identify access granted to subjects for any specific object. Capability tables are subject focused and identify the objects that subjects can access.
- Constrained Interface Applications (restricted interfaces): restrict what users can do or see based on their privileges. Applications constrain the interface using different methods. A common method is to hide the capability if the user doesn't have permissions to use it. Other times, the application displays the menu item but shows it dimmed or disabled.
- Content-Dependent: restrict access to data based on the content within an object (the internal data of each field). A database view is a content-dependent control. A view retrieves specific columns from one or more tables, creating a virtual table.
- Context-Dependent: require specific activity before granting users access. Work Hours is a context-dependent control: it's possible to restrict access to computers and applications based on the current day and/or time. If users attempt to access the resource outside of the allowed time, the system denies them access.
- Need to Know: ensures that subjects are granted access only to what they need to know for their work tasks and job functions. Subjects may have clearance to access classified or restricted data but are not granted authorization to the data unless they actually need it to perform a job.
- Least Privilege: ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. This is sometimes lumped together with need to know. The only difference is that least privilege will also include rights to take action on a system.
- Separation of Duties and Responsibilities: ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances.

Comparing Permissions, Rights, and Privileges
- When studying access control topics, you'll often come across the terms permissions, rights, and privileges. Some people use these terms interchangeably, but they don't always mean the same thing.
- Permissions: refer to the access granted for an object and determine what you can do with it. If you have read permission for a file, you'll be able to open it and read it. You can grant user permissions to create, read, edit, or delete a file on a file server.
- Rights: refer to the ability to take an action on an object. For example, a user might have the right to modify the system time on a computer or the right to restore backed-up data. You'll rarely see the right to take action on a system referred to as a permission. This is a subtle distinction and not always stressed.
- Privileges: are the combination of rights and permissions. For example, an administrator for a computer will have full privileges, granting the administrator full rights and permissions on the computer. The administrator will be able to perform any actions and access any data on the computer. Access rights and permissions are synonymous.

Provisioning and markup languages
- Service Provisioning Markup Language (SPML) is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to make authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging, but is not a markup language itself.

Reconnaissance Attacks (506)
- While malicious code often relies on tricking users into opening or accessing malware, other attacks directly target machines. Performing reconnaissance can allow an attacker to find weak points to target directly with their attack code. To assist with this targeting, attacker-tool developers have created a number of automated tools that perform network reconnaissance.
- IP Probes (also called IP sweeps or ping sweeps) are often the first type of network reconnaissance carried out against a targeted network. With this technique, automated tools simply attempt to ping each address in a range. Systems that respond to the ping request are logged for further analysis. Addresses that do not produce a response are assumed to be unused and are ignored. IP probes are extremely prevalent on the Internet today. Indeed, if you configure a system with a public IP address and connect it to the Internet, you'll probably receive at least one IP probe within hours of booting up. The widespread use of this technique makes a strong case for disabling ping functionality, at least for users external to a network.
- Port Scans: after an attacker performs an IP probe, they are left with a list of active systems on a given network. The next task is to select one or more systems to target with additional attacks. Often, attackers have a type of target in mind; web servers, file servers, and other servers supporting critical operations are prime targets. To narrow down their search, attackers use port scan software to probe all the active systems on a network and determine what public services are running on each machine. For example, if the attacker wants to target a web server, they might run a port scan to locate any systems with a service running on port 80, the default port for HTTP services.
- Nmap tool: one of the most common tools used to perform both IP probes and port scans. Default settings miss some of the 64K ports. When nmap scans a system, it identifies the current state of each network port on the system. For ports where nmap detects a result, it provides the current status of that port:
  - Open: the port is open on the remote system and there is an application that is actively accepting connections on that port.
  - Closed: the port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port.
  - Filtered: nmap is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt.
- Vulnerability Scans: the third technique is the vulnerability scan. Once the attacker determines a specific system to target, they need to discover a specific vulnerability in that system that can be exploited to gain the desired access permissions. A variety of tools available on the Internet assist with this task. Some of the more popular tools for this purpose include Nessus, OpenVAS, Qualys, Core Impact, and Nexpose. These packages contain a database of known vulnerabilities and probe targeted systems to locate security flaws. They then produce very attractive reports that detail every vulnerability detected. From that point, it's simply a matter of locating a script that exploits a specific vulnerability and launching an attack against the victim.
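The access control matrix, implicit deny, and the ACL-versus-capability-table distinction above, as an added worked example (not part of the original notes); the subjects, objects and privileges are constructed sample data, and the work-hours wrapper is one way to layer a context-dependent control on top of the matrix:

```python
"""Access control matrix with implicit deny, plus the two ways of slicing it
that the notes contrast: an ACL (object-focused) and a capability table
(subject-focused). Added illustration; all names below are constructed."""
from datetime import datetime
from typing import Dict, FrozenSet, Set, Tuple

Privileges = FrozenSet[str]


class AccessControlMatrix:
    """Rows are subjects (users, groups or roles), columns are objects, cells
    hold the privileges granted. A cell that was never populated is empty,
    which is exactly what makes the default answer 'deny'."""

    def __init__(self) -> None:
        self._cells: Dict[Tuple[str, str], Set[str]] = {}

    def grant(self, subject: str, obj: str, *privileges: str) -> None:
        self._cells.setdefault((subject, obj), set()).update(privileges)

    def is_allowed(self, subject: str, obj: str, action: str) -> bool:
        # Implicit deny: a missing cell is treated as 'no privileges at all'.
        return action in self._cells.get((subject, obj), set())

    def acl_for(self, obj: str) -> Dict[str, Privileges]:
        """Object-focused view: which subjects may do what to this object."""
        return {s: frozenset(p) for (s, o), p in self._cells.items() if o == obj}

    def capability_table_for(self, subject: str) -> Dict[str, Privileges]:
        """Subject-focused view: which objects this subject may access, and how."""
        return {o: frozenset(p) for (s, o), p in self._cells.items() if s == subject}


def is_allowed_during_work_hours(matrix: AccessControlMatrix, subject: str,
                                 obj: str, action: str, when: datetime,
                                 start_hour: int = 8, end_hour: int = 18) -> bool:
    """Context-dependent control layered on the matrix: the privilege only
    applies on weekdays between start_hour (inclusive) and end_hour
    (exclusive); outside that window the request is denied regardless."""
    in_window = when.weekday() < 5 and start_hour <= when.hour < end_hour
    return in_window and matrix.is_allowed(subject, obj, action)


def build_sample_matrix() -> AccessControlMatrix:
    """Constructed example: an accounting role, an auditor and an admin."""
    m = AccessControlMatrix()
    m.grant("accounting", "ledger.xlsx", "read", "write")
    m.grant("accounting", "payroll.db", "read")
    m.grant("auditor", "ledger.xlsx", "read")
    m.grant("admin", "ledger.xlsx", "read", "write", "delete")
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    print("ACL for ledger.xlsx:", m.acl_for("ledger.xlsx"))
    print("Capability table for accounting:", m.capability_table_for("accounting"))
    print("intern read ledger.xlsx (implicit deny):",
          m.is_allowed("intern", "ledger.xlsx", "read"))
```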
Security Testing (522)
- Security testing verifies that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests and manual attempts to undermine security.
- When scheduling security controls for review, information security managers should consider the following factors:
  - Availability of security testing resources
  - Criticality of the systems and applications protected by the control
  - Sensitivity of information contained on tested systems and applications
  - Likelihood of a technical failure of the mechanism implementing the control
  - Likelihood of a misconfiguration of the control that would jeopardize security
  - Risk that the system will come under attack
  - Rate of change of the control configuration
  - Other changes in the technical environment that may affect the control performance
  - Difficulty and time required to perform a control test
  - Impact of the test on normal business operations
- After assessing each of these factors, security teams design and validate a comprehensive assessment and testing strategy.
- Pen-test: testing of network security as a hacker would, to find exploitable issues. Always get management approval first. Wargames.
- NIST 800-4.

Verification & Validation (523)
- Verification: objective evidence that the design outputs of a phase of the SDLC meet requirements.
- Validation: develop a "level of confidence" that the software meets all requirements and expectations.
- Use cases: used as part of the test coverage calculation, which divides the tested use cases by total use cases.
- Black-box testing observes the system externally; no internal details known. White-box (crystal) testing is a detailed examination of a logical path, checking the possible conditions.
- Code comparison is normally used to identify the parts of the source code that have changed.
- Regression testing is the verification that what is being installed does not affect any portion of the application system already installed; compares results to earlier version results. Non-regression testing: code works as planned. Known inputs are run against an application and then compared.
- Compiled code poses more risk than interpreted code because malicious code can be embedded in the compiled code and can be difficult to detect.

Logs (530)
- A log records: transaction date/time; who processed the transaction; at which terminal.
- Event log entry types: Information (successful operations); Warnings (future problem); Errors (significant problem); Success Audits (successful security accesses); Failure Audits (failed security access attempts). A reboot generates an information log entry.
- Syslog: message logging standard commonly used by network devices, Linux and Unix systems and other devices (firewalls). Audit logging provides information about events on the routers. Audit trails.
- Log Analysis: study logs for events of interest. Companies can set predefined thresholds for the number of certain types of errors that will be allowed before the activity is considered suspicious. This baseline is referred to as the clipping level.
- Log Management System: volume of log data and amount of effort to analyze. Third-party log sources sometimes don't fully cover enough log sources.
- Protecting Logs (538): Breaches – protect from breaches of confidentiality and integrity. Availability – archival process to prevent loss by overwritten logs; set a maximum size (if too small, entries are pushed out of the window). Modified logs are often a sign of intrusion or malicious intent. Inconsistent time stamps are often caused by improperly set time zones or by differences in how system clocks are set.
- NTP (Network Time Protocol): a common method is to set up an internal NTP server that is synchronized to a trusted time source such as a public NTP server. Other systems can then synchronize with this internal NTP server, ensuring that logs have accurate time stamps and that these time stamps remain consistent throughout the environment.

Security Software (534)
- Antimalware and Antivirus: records instances of detected malware.
- IDS (intrusion detection system) / IPS (intrusion prevention system): an IPS detects an attack and PREVENTS that attack from being successful. Components: information source/sensor; response box (the part of an IDS that initiates an alarm or activity in response to an event or intrusion).
  - Signature based method (AKA knowledge based): compared with a signature attack database (aka misuse detector); an attacker can make little changes and evade it.
  - Statistical anomaly based: defines a "normal" behavior and detects abnormal behaviors.
  - HOST BASED: only as good as the completeness of the host logging; monitors servers through EVENT LOGS AND SYSTEM LOGS.
  - NETWORK BASED: detects intrusions on the LAN behind a firewall; reviews packets and headers; is passive while it acquires data. Problem with network based is that it will not detect attacks by users logged into hosts.
- Remote Access Software: granted and secured through VPNs. Web Proxies: intermediate hosts that restrict access. Vulnerability Management Software: patching. Authentication Servers: SSO servers. Routers: permit or block traffic based on policy. Firewalls: more sophisticated than routers, examine traffic.
- CVE (Common Vulnerabilities and Exposures) dictionary: list by MITRE; the CVE dictionary provides a standard convention used to identify vulnerabilities. NVD: National Vulnerability Database. CVSS (Common Vulnerability Scoring System): metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated; also used to score vulnerabilities against unique security requirements.

Monitoring and Auditing (537)
- Network Flow: captured to provide insight into network traffic for security, troubleshooting, and performance management. NetFlow is a feature that was introduced on Cisco routers that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing NetFlow data, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion.
- Db monitoring: Db performance monitoring, availability of the Db. TCP port monitoring. Traffic capture. CSV: Comma Separated Values.
- Passive monitoring only works after issues have occurred because it requires actual traffic. Real User Monitoring aims to capture and analyze every transaction of a user. User Session Monitoring.
- Synthetic Transactions (540): Synthetic Performance Monitoring uses scripted or recorded transactions against a web application. Proactive monitoring involves having external agents run the scripted transactions against a web application; website performance monitoring; availability of the website. Use of synthetic transactions to verify system performance.

Code Review and Testing (542)
- Code review is the foundation of software assessment programs. During a code review, also known as a "peer review," developers other than the one who wrote the code review it for defects. The most formal code review processes, known as Fagan inspections, follow a rigorous review and testing process with six steps: Planning, Overview, Preparation, Inspection, Rework, Follow-up. Find back doors through a structured walk-through.
- Static Testing: requires access to source code; evaluates the security of software without running it by analyzing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows.
- Dynamic Testing: does not require access to source code; evaluates code in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code. One common example of dynamic software testing is the use of web application scanning tools to detect the presence of cross-site scripting, SQL injection, or other flaws in web applications.
- Fuzz Testing: a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities.
  - Mutation (Dumb) Fuzzing: takes previous input values from actual operation of the software and manipulates (or mutates) them to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques. The zzuf tool automates the process of mutation fuzzing by manipulating input according to user specifications.
  - Generational (Intelligent) Fuzzing: develops inputs based on models of expected inputs to perform the same task.
- Interface testing: an important part of the development of complex software systems. In many cases, multiple teams of developers work on different parts of a complex application that must function together. The handoffs between these separately developed modules use well-defined interfaces so that the teams may work independently. Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete.
  - Application Programming Interfaces (APIs): offer a standardized way for code modules to interact and may be exposed to the outside world through web services. Developers must test APIs to ensure that they enforce all security requirements.
  - User Interfaces (UIs): examples include graphical user interfaces (GUIs) and command-line interfaces. UIs provide end users with the ability to interact with the software. Interface tests should include reviews of all user interfaces to verify that they function properly.
  - Physical Interfaces: exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world. Software testers should pay careful attention to physical interfaces because of the potential consequences if they fail.
- Misuse Case testing: software testers use this process, or abuse case testing, to evaluate the vulnerability of their software to known risks. Misuse Case diagrams: threats and mitigate.
- Test Coverage Analysis: method used to assess how well software testing covered the potential use of an application. Code Coverage Report: information on the functions, statements, branches, and conditions covered in testing. Code Review Report: generated if the organization was ... Attack surface: exposure.

Threat Assessment Modeling (544)
- Threat modeling is often used in relation to assessing threats against an application or system. STRIDE is a threat categorization scheme:
  - Spoofing: an attack with the goal of gaining access to a target system through the use of a falsified identity. Spoofing can be used against IP addresses, MAC addresses, usernames, system names, wireless network SSIDs, and other types of logical identification.
  - Tampering: any action resulting in the unauthorized changes or manipulation of data, whether in transit or in storage. Tampering is used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability.
  - Repudiation: the ability for a user or attacker to deny having performed an action or activity.
  - Information disclosure: the revelation or distribution of private, confidential, or controlled information to external or unauthorized entities.
  - Denial of service.
  - Elevation of privilege: an attack where a limited user account is transformed into an account with greater privileges/powers/access.
- OPSEC process: understanding your day-to-day operations from the viewpoint of a competitor, enemy, or hacker, and then developing and applying countermeasures.

Testing Software (549) / Levels of Development Testing (550)
- Unit testing: testing a small piece of software during a development stage by developers and quality assurance; ensures quality units.
- Integration level testing: focus on transfer of data and control across a program's interfaces; aimed at finding bugs in the relationship and interfaces between pairs of components, NOT individual components.
- System level testing: demonstrates that all specified functionality exists and that the software product is trustworthy. It does not normally test all functions.
- Support of automated process to repeat tests previously undertaken.

Performing Vulnerability Assessments (569)
- Network discovery scanning: uses a variety of techniques to scan a range of IP addresses, searching for systems with open ports. Port scanner: a program that attempts to determine whether any of a range of ports is open on a particular computer or device.
  - TCP SYN Scanning: sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open. TCP SYN scanning is also known as "half-open" scanning.
  - TCP Connect Scanning: opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.
  - TCP ACK Scanning: sends a packet with the ACK flag set, indicating that it is part of an open connection.
  - Xmas Scanning: sends a packet with the FIN, PSH, and URG flags set. A packet with so many flags set is said to be "lit up like a Christmas tree," leading to the scan's name.
- Vulnerability scans: automatically probe systems, applications, and networks, looking for weaknesses that may be exploited. Authenticated scans: read-only account to access config files. Active scanning; Passive scanning: user scans wireless to look for rogue devices. Bluetooth scans: time consuming, multiple visits, many personal devices. Often limited to cases where malicious insiders are suspected.
- SOC Reports (service organization control reports): SOC 1 – finances; covers only internal controls over financial reporting. SOC 2 – design and operational effectiveness of security, availability, processing integrity, confidentiality and privacy controls; detailed, for business partners and auditors. SOC 3 – website seal, shared with the broad community; supports an organization's claims about its ability to provide CIA. Type 1: point in time, covering design. Type 2: period of time, covering design and operating effectiveness. SAS 70 is outdated (2011); SSAE 16 is the same, the most common synonym, based on ISAE 3402.

Key Performance and Risk Indicators (562)
- Security managers should also monitor key performance and risk indicators on an ongoing basis. The exact metrics they monitor will vary by organization but may include: number of open vulnerabilities; time to resolve vulnerabilities; number of vulnerabilities; number of compromised accounts; number of software flaws detected in preproduction; repeat audit findings; user attempts to visit known malicious sites.
- Assurance: degree of confidence that the implemented security measures work as intended. Operational assurance: verification that a system is operating according to its security requirements. Assurance activities: security architecture; design & development reviews; formal modeling; ISO 9000 quality techniques.

Things to Know
- Superzapping: a system utility or application that bypasses all access controls and audit/logging functions to make updates to data.
- Tailgating: an authorized person circumventing controls. Piggybacking: when an unauthorized person goes through a door behind an authorized person.
- War dialer: dials a range of phone numbers, as in the movie. War driving: driving a car with a notebook to find open access points.
- Supervisor mode: processes running in the inner protected ring; reserved for privileged instructions by the OS itself. Ring zero: the inner code of the operating system; security mode.
- Present in court: requires witnesses to testify only about the facts of the case.
stand on it alone Hardware/ Embedded Device Analysis . ultimately obtain a responsible for compliance with these principles. Minimize the degree of contamination –Used to help assume another fact forensic and procedural principles must be applied. proof of acts and methods used. monitoring system Packet captures deliberately collected –Original documents–are used to document things such as contracts – during an incident Logs from firewalls and other network NOTE: no copies! security devices The task of the network forensic analyst is to collect and correlate information from these disparate sources –Note: Oral is not best evidence though it may provide interpretation of and produce as comprehensive a picture of network activity as documents. preserved. to conduct forensic reviews of applications or the activity that –A copy. or modified business records are not considered hearsay when the documents transfer of digital evidence must be fully Relevant –relationship to the findings must be reasonable and sensible. error precaution and correction –Used to educate the jury. Protection –never interrogate or interview alone Techniques used for media analysis may include the recovery 3. In some cases. that person should be trained for Sufficient –persuasive enough to convince one of its validity Also business records are hearsay and all that’s printed or the purpose. description of procedures. Secondary Evidence. or other application attacks. all of the general . –Cannot stand on its own to directly prove a fact Upon seizing digital evidence. storing. Protect the environment –Irrefutable and cannot be contradicted perform media analysis. classification. One exception to business records: audit trails and All activity relating to the seizure. hard disks. Interviewing – gather facts and determine the substance of the seizure. comparison. are created in the normal course of business. CDs. 7. is available –Copies of documents. 
Proof of crime.a branch of computer forensic analysis.Forensic analysts But it is Direct Evidence and does not need other evidence to often must review the contents of hardware and embedded substantiate devices.g. digital evidence.. transportation Opinion Rule and the static analysis of forensic images of storage media. Secondary Evidence Software Analysis . etc. This may include a review of Personal computers & Smartphones .Forensic investigators are also often 8. the forensic analyst may be –Oral evidence like Witness testimony asked to conduct a review of software code. forced confessions. documentation. confession Media analysis . or other security vulnerabilities.Forensic analysts may also be called on –Not as strong as best evidence. This may include the following: Magnetic EVIDENCE LIFECYCLE information –interview/interrogation plan media (e. Blu-ray discs) Memory (e. 1. Best takes place within a running application. •Oral Evidence is a type of Secondary Evidence so the case can’t simply privilege escalations. logic bombs. reconstruction Interrogation–Evidence retrieval method. business methods collections. Identification labeling. or transferring digital evidence is Preserved and identifiable – collection. documentation of events. reconstruction –Prepare questions and topics. accessing. normal Expert Witnesses during a security incident. avoid: unlawful search and Interviewing and Interrogation (584) is in their possession. and software . therefore. 6. storage. interested in the activity that took place over the network Witnesses that evidence is trustworthy. when Evidence.g. possible. Evidence must be preserved and identifiable The Process . ID evidence and potential sources of evidence –Requires no other corroboration analysis in the pursuit of forensically recovered evidence: .Incident Scene (581) Live evidence (582) (cont) Digital Evidence (584) . and available for review. 
often depends on either prior knowledge that an incident is underway or the use of preexisting security controls that log Live evidence (582) network activity. obtaining of evidence case. Recording of deleted files from unallocated sectors of the physical disk. put witness at ease. recording serial number etc. Reliable –consistent with fact. Return to owner cannot be used as evidence in the case. In other cases. Corroborative Evidence: –Supports or substantiates other evidence presented in a case When it is necessary for a person to access original Evidence (581) Hearsay Evidence something a witness hears another one say. evidence has not been tampered with or displayed. Analysis Witnesses system (especially useful when examining encrypted media). summarize storage media. Network Analysis . Network forensic analysis. These include: Intrusion detection and Best Evidence: prevention system logs Network flow data captured by a flow –Primary Evidence–is used at the trial because it is the most reliable. the log files from application or database servers. seeking –Testimony from a witness –one of their 5 senses: other signs of malicious activity. tapes) Optical media (e. can be used as evidence. unlawful Any agency that is responsible for seizing. network analysis. Collection and identification the live analysis of storage media connected to a computer 5. secret recording. looking for back Direct Evidence: doors. actions taken should Locard’s Exchange Principle – perps leave something behind not change that evidence.. forensic analysis may be asked to review and interpret –Can prove fact by itself and does not need any type of backup. identification of acts respect to digital evidence while the digital evidence Permissible – lawful obtaining of evidence. RAM. Discovery –Have one person as lead and 1-2 others involved as well DVDs.Due Process involves the identification and extraction of information from •Collection. is not permitted if the original. documented. 
An individual is responsible for all actions taken with motive proof. preservation. Collect evidence – hash + Circumstantial evidence When dealing with digital evidence. such as SQL injection attacks. Storage.. 4. access. ID the Scene Conclusive evidence Six principles to guide digital evidence technicians as they . Europe. Automating much of the routine work of log review. Be accurate.is a IDS but can also take additional steps to stop or prevent intrusions. . other security mechanisms such as firewalls. The DLP system will send an alert. Once they detect a Punishment mostly imprisonment suspicious event. be able to be used in court law (I’ll Sue You!) Jury decides liability accurate response to intrusions. . South America security mechanisms and gain access to an organization’s resources. unauthorized alteration or destruction Network-based DLP . If a user sends out a file not have to be tangible Determine suspects containing restricted data. Evidence that results from an illegal Legislative: writing laws (statutory laws). A . meaning it must have 3 branches for laws: indicating a potential incident or intrusion. related) to the case. does MOM means. Return data requested by a read operation that address software licensing.Evidence (584) Law Intrusion Detection and Prevention (594) Admissible Evidence Common law . Wrongs can be penalized with imprisonment them. data at rest (storage) When investigating a hard drive. Data loss prevention systems attempt to detect and block data Computer Crime Laws -3 types of harm exfiltration attempts. It will work with. detection and reporting sensitive data to USB flash drives or sending sensitive data to a .scans all outgoing data looking for specific . maintain authenticity and veracity Civil law – wrongs against individual or organization that result in a some cases. 
the DLP system will detect it and prevent it Hearsay second-hand data not admissible in court Victimology –why certain people are victims of crime and how from leaving the organization. If sent to the device and prevents them from federal law that provides a common framework for the conduct of desired. they respond by sending alerts or raising alarms. Civil law . AKA tort primary goal of an IDS is to provide a means for a timely and . unauthorized intrusion. and attacks that Five rules of evidence: Criminal law – individuals that violate government laws. lifestyle affects the chances that a certain person will fall victim to a Entrapment is the illegal act of inducing a crime. reliable. Be complete. The terms of UCITA give legal Returning access-significant information from backing to the previously questionable practices of shrink-wrap DLP (597) Data Loss Prevention device licensing and click-wrap licensing by giving them status as legally PROTECT SENSITIVE INFORMATION Reporting errors from device to forensic host binding contracts. Civil Security incident and event management . and complement. evidence tied back to scene spread internally such as a malicious worm. such as an attack from the Internet. malicious code Investigation (590) data. Punishment can include financial penalties. These systems have the capability of scanning . organizations defense-in-depth security plan. The fact that the evidence seeks to determine must be Islamite and other Religious laws – ME. modifying data on the device computer-related business transactions. Be convincing. IDSs are an effective method of detecting many DoS and Juridical: Interprets laws (makes common laws out of court decisions) Digital Forensics (585) DDoS attacks. An IDS is intended as part of a Forensic Disk Controller – intercepting and Administrative/Regulatory law – how the industries. like in a honeypot such as an email to an administrator. all evidence collected. Be authentic. IDS . 
USA recorded information and real-time events to detect abnormal activity . UCITA contains provisions essentially causing it to function as an IDS. data in transit (the network) Provide real‐time analysis of events occurring on systems throughout it will change the timestamps of the files when the file-system is not an organization but don’t necessarily scan outgoing traffic. Administrators would place it on the edge of the negative to Admissible evidence relevant.intrusion detection system automates the inspection of logs and search would be inadmissible because it is not competent. such as printers. an Types Federal Sentencing Guidelines provides judges and courts organization endpoint-based DLP can prevent users from copying . real-time system events to detect intrusion attempts and system Executive: enforces laws (administrative laws) failures. they can modify the environment to stop an attack. the individual had Endpoint-based DLP . They can recognize attacks that come from external 3 categories connections. Criminal printer. Africa. . . The evidence must be relevant to determining a fact. . eDiscovery (SIEM) (595) 3 states of information . Enticement is the legal action of luring an intruder.can scan files stored on a system as well as crime Investigation no intent of committing the crime at first files sent to external devices. for & against view . The evidence must be competent. Indonesia Intrusion detection is a specific form of monitoring that monitors material (that is. sufficient. LOGS TAKEN IN THE NORMAL COURSE OF BUSINESS data looking for keywords and data patterns.USA. In . administrators can disable these extra features of an IPS. storage device or financial penalties IPS . Be admissible. been obtained legally. intercepts write commands Uniform Computer Information Transactions Act (UCITA) . UK Australia Canada (judges) An intrusion occurs when an attacker is able to bypass or thwart . 
but it does not replace modifying or discarding commands sent to the and officers have to act.intrusion prevention system includes all the capabilities of an Write Blocking. opportunity and motive scan all data leaving the organization. data being processed (must be decrypted) / in use / end-point set to Read-Only Slack space on a disk should be inspected for hidden data and Can look for sensitive information stored on hard drives should be included in a disk image - . don’t use message digest because . For example. clear & easy to understand for jury damage or loss. . Operational procedures on the prevention. expense and it is more of a short time option. 5Ways Arrangement with another similar corporation to take over Configuration .component whose state is recorded Tree / Boolean -FAULT TREE ANALYSIS Mutual aid agreements (aka reciprocal agreement) Version: recorded state of the CI . Startup should occur in maintenance mode that permits access can pinpoint specific files compromised in an attack. human to see why it failed more choices of location.Least ready but most commonly used. -A WARM SITE .set of versions of component CI’s used to build a . is there enough capability. NIDSs cannot detect. Fully configured computer facility. HOT SITE – Internal/External. investigation. consuming hardware installed only power and HVAC. Prefabricated buildings .event or series of events that adversely impact cluster devices all share the same OS and application software but administered. procedures. switches to hot backup. doesn’t clear archive bit. It cannot monitor the too. processing facilities. and it. Fail soft or resilient system. archive bit cleared. a grid system – Security Incident . monitors and evaluates network costly. A benefit of HIDSs over system. that take long time to order are present. testing is possible. Cause Mapping CI Software Library . Repair). disadvantage: time . selected. Six . 
Exclusive to one company hours to be up occurs DOORS usually content of encrypted traffic but can monitor other packet details.controlled area only accessible for Subscription services approved users Firewalls (636) Third party. On error servers can do a fail-over. only for short term and what if Building . Advantage: processing is terminated when failure occurs Nonexclusive. Advantage: Disadvantage: Very lengthy time of restoration. Cartridge Weekly Stock of hardware either onsite or with a vendor. thus less reliable because it depends on more components . Full . Advantage: quick communication to occur without exposing the TCB to security Advantage: full and only last diff needed. multiple Events: anything that happens. Can be Server clustering – group of independent servers which are managed by same corporation (in-house) or with another Incident Response (624) organization (reciprocal agreement). RTO 1tgt-2 weeks cold site - .Contract with a service bureau to fully established with strict standards to allow necessary Differential . For extremely urgent critical transaction processing.Network-based IDS. Disadvantage: must be exact the CI . Root Cause Analysis (632) Disaster Processing Continuity plan (659) Configuration item (CI) . Advantage: cheap.Mobile homes or HVAC trucks. Nonexclusive.assembling a version of a CI using component CI’s . Fail safe system. Rolling/mobile sites . RTO 5 minutes or hours Hot site.only modified files. sites will share resources and support. ease of location Trusted Path (606) choice.supply of hardware replacements. non-critical Backup types (658) Disadvantage: it will take some time to start production processing.All files. a team). Advantage: costs. RTO 1-2 days warm site RTO 3-5 days mobile site. Build list .collection of component CI’s that make another . 
the ability of an organization to do business grid devices can have different OSs while still working on same Other data center backup alternatives Security incident – suspected attack problem . only by privileged users from privileged terminals NIDSs is that HIDSs can detect anomalies on the host system that Advantage: 24/7 availability and exclusive use are assured. false sense of FAIL SECURE: doors LOCK least time and space. Advantage: Less costly. Is not enforceable. Disadvantage: vulnerabilities.Configuration Management (603) RCA. -It Redundant – Mirrored site. Intermediate time response and availability.Host-based IDS. commercial services provide alternate backups and ARTIFACTS – CONFIGURATION MANAGEMENT HIDS . Fail Hard – BSOD. Advantage: Cost. Most common of implementations! Recovery procedures (606) including process calls and information recorded in firewall logs. Failure Mode and Effects analysis processes. week Protect data between users and a security component. This AKA server fault Multiple centers (aka dual sites) ONLY WAY TO CROSS SECURITY BOUNDARY RIGHT WAY tolerance Processing is spread over several computer centers. monitors activity on a single computer. The computer Fail Closed/secure – most conservative from a security single NIDS can monitor a large network by using remote sensors facility is available but the applications may not be installed or need to collect data at key network locations that send data to a central to be configured.Cross between hot and cold site. All servers are online and take part in processing service requests. and analysis & tracking). COLD SITE . potential 0 down time Recovery procedures: system should restart in secure mode can often examine events in more detail than an NIDS can. acceptable for warm site but not for hot site. FAIL SAFE: doors UNLOCK Incremental . A trusted path also protects system users between full and diff.Response Capability (policy. 
multiple configurations have to be Individual computing devices on a cluster vs. 12 hours to be up only previous day needed for full restore. Redundant servers – applies raid 1 mirroring concept to servers. Can be documented verified and managed as a single system. Tower of Hanoi. (sometimes known as subjects) from compromise as a result of a TCB interchange. Debriefing / Feedback (External Communications) drive mechanisms Mitigation – limit the effect or scope of an incident RTO: recovery time objectives. Has no Failover. archive bit and modify bit are cleared. Security intrusion – evidence attacker attempted or gained access Could be considered a cold site Tape Rotation Schemes – GF/Father/Son. External connections and other data elements perspective management console.A very cold site. security controls needs to be installed at the remote facility protected from compromise when hardware or software failure activity to detect attacks or event anomalies. Pareto Analysis same. containment. Channel incremental backups. Disadvantage: first restore full then all security but better than nothing. May be Incident response and handling (Triage. reboot. In-house or external . up-to-date mirror of the production track processes employed by the attacker. Lifecycle . It can also All applications are installed. provide alternate backup processing services. Disadvantage: extra administrative overhead. Refers to business processes not hardware. program execution is terminated and system NIDS . Recovery (Recovery / RAIT – robotic mechanisms to transfer tapes between storage and . Disadvantage: a major analyzed disaster could affect both sites. Fault Tree Analysis disaster affects both corporations. less administrative resources.only modified files. Workstations have to be Fail Open delivered and data has to be restored. SERVICE BUREAU . Short Fault-tolerant continues to function despite failure and long term. 
Find someone to run it continuity planning phases of BCP creating duplicates of the database sets to multiple servers development) Documenting the Plan b. security issues. alternate site. URGENT.transfer of backup data to an offsite storage processes Employee relations: responsibility towards employees and families 3.are more comprehensive and may impact one performance and fault tolerance. Needs Planning . Salvage. At least once a year testing Clearing . Plan approval and implementation Object reuse . fast write 200GB an hour.overwriting media to be reused Required documentation Disaster Recovery – Recover as quickly as possible Purging . scenario. RAID 6 Dual Parity. backup operations and post disaster Backup storage media recovery maintained by an activity as a part of its security program Tape: sequential. not speed information Goal: provide organized way for decision making. Clean. RAID 2 not used commercially. protected by AES Salvage team goes back to the primary site to normal processing BCP (pro) & DRP (reactive)Goals MTTF (mean time to failure) Business continuity.parallel processing of transactions to an development phase bridges the gap between opportunity alternative site via communication lines the business impact assessment and the Financial disbursement. parity distributed over all drives – Disaster – any event.Raid Levels (665) Disaster Recovery Planning (672) Disaster Recovery Test (679) RAID 0 Striped. recovery control. Can declare MTTR (mean time to repair) emergency. redundancy only. slow read. Create awareness Format magnetic media 7 times (orange book) Costs Update plan as needed.live processing of remote journaling and 1. that can disrupt and commencing operations there. Hammering Code Parity/error reduce confusion and deal with the crisis. parity distributed over all drives –requires their normal location and function all drives but two to be present to operate hot. 
Planning and RAID 3 Striped on byte level with extra parity drive –Improved development must occur before the disaster Simulation tests . Desk Check – review plan contents performance but no fault tolerance Statement of actions that have to be taken before. 3 or more drives Full-interruption tests . Testing Data destruction and reuse (143) Activation and recovery procedures 4. resources required. 3 or more drives BIA has already been done. IMPORTANT BUSINESS FUNCTIONS . but parity drive is a single point or more noncritical business units of the organization. Scope and plan initiation . Business Continuity Plan development location via communication lines a. management practice Other recovery issues 2. Needs Testing GET COMMUNICATIONS UP FIRST THEN MOST CRITCAL CRITICA.Consider amount of work company will return processing from the alternate site required. repair. Inexpensive declaration of the disaster Solid state: USB drive.use after initial use Plan management . Allows the execution of the BCP . Use BIA to develop BCP (strategy Fraud and Crime: like vandalism. main site open also normal IT operations swappable. all support of failure and write intensive. looting and people grabbing the Remote Journaling . Media relations Database shadowing .swappable RAID 7 is same as raid5 but all drives act as one single virtual It will be officially over when the data has been verified at the BCP (685) disk primary site. natural or manmade. during and Table-top exercise -members of the disaster recovery team RAID 1 Mirrored drives –fault tolerance from disk errors and single after a disruptive event that causes a significant loss of gather in a large conference room and role-play a disaster disk failure.involve relocating personnel to the alternate site RAID 5 Striped on block level. less robust than tape Recovery team mandated to implement recovery after the Optical drive: CD/DVD.degaussing or overwriting to be removed Internal /external communications . 
as accurate Plan for emergency response. Interleave parity.complete destroy preferably by burning Detailed plans by team members .remaining data after erasure HR involvement .involve relocating personnel to the The disaster is not over until all operations have been returned to alternate site and shutting down operations at the primary site. Critical systems are run at an requires all drives but one to be present to operate hot. 3 or more drives Parallel tests .Ensuring the business can continue in an environmental conditions. robotic libraries TEAMS continuity of operations in an emergency situation Disk fast read/write. BIA – helps to understand impact of disruptive Transaction Redundancy Implementations (667) Interfacing with other groups: everyone outside the corporation Electronic vaulting . Heavy IT focus Destruction . 1st business organization analysis MTBF Mean time between failures (Useful Life) = MTTF + MTTR when primary site is available again Focus on business processes JBOD – MOST BASIC TYPE OF STORAGE Normal Operations Resume plan has all procedures on how the 1. Management approval Data remanence . expensive.Restore normal business operations. historically Disaster recovery process (673) that will ensure the availability of critical resources and facilitate the cheaper than disk (now changing). one large disk out of several –Improved End Goal . now were going to protect! personnel meet in a practice room RAID4 Same as Raid 3 but striped on block level. 
Lighting (694)
- NIST: a critical area should be illuminated 8 feet in height with 2 foot-candle power.
- Continuous lighting - evenly distributed lighting.
- Controlled lighting - no bleeding over (onto neighbouring property), no blinding.
- Standby lighting - switched on when needed (e.g. on alarm).
- Responsive area illumination - the IDS detects activity and turns the lighting on.
- Glare protection - against blinding of the guards by the lights.

Locks (702)
- Preset - ordinary door lock.
- Programmable / cipher lock - combination or electrical (keypad) lock, possibly with timers.
- Warded lock - basic key lock. Tumbler lock - pin tumbler lock; raking is the technique used to circumvent a pin tumbler lock.
- Combination lock - 3 digits with wheels. Padlock - hanging lock with a key.
- Device lock - bolt down hardware (e.g. notebooks).

CCTV (692)
- Fixed mounting versus PTZ (Pan Tilt Zoom).
- The signal goes via coax cables to a monitor (hence "closed" circuit); a multiplexer allows multiple camera screens to be shown over one cable.
- Recording (for later review) = detective control. An annunciator system detects movement on the screen and alerts the guards.
- CCTV enables you to compare the audit trails and access logs with a visual recording.
- Attacks: replayed video images.

Security access cards
- Photo id card: dumb card. Digital-coded / swipe cards. Smartcards.
- Wireless proximity cards: user activated or system sensing.
  o Passive device: no battery and no transmitter, the reader senses the card.
  o Field powered device: active electronics but no battery; gets its power from the field surrounding the reader.
  o Transponders: both card and reader hold power, transmitter and receiver.
- Physical access audit trails should record: 1. date and time stamps, 2. successful or unsuccessful attempt, 3. where the access was granted, 4. who attempted access, 5. who modified access privileges at supervisor level.

Intrusion detection (698) - physical perimeter detection
- Electromechanical - detects a break or change in a circuit (wires in doors and windows, magnets pulled loose, pressure pads).
- Photoelectric - light beams interrupted (as in a store entrance).
- Passive infrared - detects changes in temperature.
- Acoustical detection - microphones, vibration sensors.
- Proximity or capacitance detector - a magnetic field detects presence around an object.
- Wave pattern motion detectors - detect motion.
- Alarm and IDS systems need separate circuitry and backup power (wires can be cut, power can fail) and line supervision (a check that the alarm line has not been tampered with).

Alarms (697)
- Local alarms - audible alarm for at least 400 feet; must be protected against tampering.
- Central station - monitored by e.g. a private security firm; less than 10 minutes travel time.
- Proprietary systems - owned and operated by the customer; provide many of the central-station features in-house.
- Auxiliary station systems - on alarm ring out to the local fire or police department.

Fences
- Small mesh and high gauge is most secure.
- 3-4 feet deters a casual trespasser; 6-7 feet is too hard to climb easily; 8 feet plus wires on top deters intruders.
- No fence STOPS a determined intruder.

Trusted recovery () - ensures that security is not breached when a system crash or failure occurs. Only required for B3 and A1 level systems.
- Failure preparation: back up critical information, thus enabling data recovery.
- System recovery after a crash: 1. reboot in single user mode or recovery console, so no user access is enabled; 2. recover all file systems that were active during the failure; 3. restore missing or damaged files; 4. recover the required security characteristics; 5. check security-critical files such as the system password file and the security labels.
Types of system failure:
- System reboot - the system shuts itself down in a controlled manner after detecting inconsistent data structures or running out of resources.
- Emergency restart - the system restarts after a failure that happened in an uncontrolled manner, e.g. when a low privileged user tries to access restricted memory segments.
- System cold start - an unexpected kernel or media failure happens and the regular recovery procedure cannot bring the system back into a consistent state.
Common Criteria hierarchical recovery types:
- Manual - system administrator intervention is required to return the system to a secure state.
- Automatic - recovery to a secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures).
- Automatic without Undue Loss - higher level of recovery, defining prevention against the undue loss of protected objects.
- Function - the system can restore functional processes automatically.

Business Continuity plan development
- BCP committee: representatives from all departments; senior staff (ultimate responsibility, due care/diligence); the various business units (identify and prioritize time critical systems); IT / technical support persons; the security administrator.
- Steps: roles and responsibilities surrounding the BCP committee; defining the continuity strategy; documenting the continuity strategy.
- Continuity strategy elements: Computing - strategy to preserve the elements of the information systems (hardware, software, communication lines, applications, data); Facilities - use of the main buildings or any remote facilities, HVAC, power supplies; People - operators, management, technical support persons, the people who will carry out (execute) the plan; Supplies and equipment - paper, forms.

Attacks ()
- Hackers and crackers - want to verify their skills as intruders.
- Hacktivists - combination of hacker and activist; often combine political motivations with the thrill of hacking.
- Script kiddies - attackers who lack the ability to devise their own attacks; they download programs that do the work for them.
- Financial attacks - carried out to unlawfully obtain money or services.
- Data haven - a country or location that has no laws or poorly enforced laws.
- Hypervisor - software component that manages the virtual machines and controls their access to physical resources. It adds an additional attack surface, so it is important to ensure it is deployed in a secure state and kept up-to-date with patches; an attacker who compromises it can use it to launch an attack against another system.
- Entitlement - the amount of privileges granted to users, typically when first provisioning an account. Privilege creep - users accumulate privileges over time; a user entitlement audit can detect when employees have excessive privileges.
- 6 basic SQL commands - SUDIGR: Select, Update, Delete, Insert, Grant, Revoke.
- Integrity breaches - unauthorized modification of information. Violations are not limited to intentional attacks: human error, oversight or ineptitude accounts for many instances.
- CPTED (Crime Prevention Through Environmental Design): Natural surveillance - cameras and guards; Natural access control - guidance of people by doors; Territorial reinforcement - walls, fences, flags; Target hardening - focus on locks, fences, bollards, lighting; security zones defined.
- Notebook - the most preferred in a legal investigation is a bound notebook, with the pages attached to a binding.
- NB: when a question is about processes, management's approval is always the first step.
Data center should have:
• Walls from floor to ceiling
• Floor: concrete slab rated for 150 pounds per square foot
• No windows in a datacenter
• Air-conditioning with its own Emergency Power Off (EPO)
• Electronic Access Control (EAC): proximity readers, programmable locks or biometric systems
Facility site: CORE OF BUILDING (thus with 6 stories, on the 3rd floor).

Attack types
- Military or intelligence attacks - designed to extract secret or confidential information.
- Business attacks - focus on illegally obtaining an organization's confidential information. The use of the information gathered during the attack usually causes more damage than the attack itself.
- Espionage - the malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization. Attackers often commit espionage with the intent of disclosing or selling the information to a competitor or other interested organization (such as a foreign government). Countermeasures: strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.
- Sabotage - a criminal act of destruction or disruption committed against an organization by an employee. It becomes a risk if an employee is knowledgeable enough about the assets of the organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled. Attackers can be dissatisfied employees, or employees who are being blackmailed by someone outside the organization.
- Terrorist attacks - the purpose is to disrupt normal life and instill fear.
- Grudge attacks - carried out to damage an organization or a person. The damage could be the loss of information or information processing capabilities, or harm to the organization's or person's reputation.
- Thrill attacks - launched only for the fun of it. The main motivation is the "high" of successfully breaking into a system, pride and bragging rights. Website defacements are common.
- Confidentiality breaches - theft of sensitive information. Service interruption - an availability breach.
- Piggybacking (tailgating) - following an authorized person through a controlled door. Shoulder surfing - looking over someone's shoulder to see how they get access.
- Pseudo flaw - a false vulnerability in a system that may attract an attacker. Darknet - unused network space that may detect unauthorized activity.
- Aggregation - combining individually non-sensitive data into sensitive information. Noise and perturbation - inserting bogus information in the hope of misleading an attacker (a defense against aggregation and inference).

Fair Information Practices
• Collection Limitation
• Data Quality
• Purpose Specification
• Use Limitation
• Security Safeguards
• Openness
• Individual Participation
• Accountability

Forensics and investigation
- Chain of custody = collection, analysis and preservation of data.
- Forensics uses a bit-level copy of the disk.
- Exigent circumstances allow officials to seize evidence before it is destroyed (the police team falls in).

Software notes
- Bind variables are placeholders for literal values in a SQL query being sent to the database server. They are used to enhance database performance (the prepared statement is reused) and, because the value is never parsed as SQL text, they also keep user input from changing the query.
- Prototyping: the customer's view is taken into account.
- Monitor progress and planning of projects through GANTT and PERT charts.
- First step in any change process = management approval.
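The bind-variable point above, shown as an added example (this is example code written for these notes, not code from the study guide). It uses Python's standard sqlite3 module with a constructed two-row table; the table name, column names and the payload are assumptions for the demonstration. The first lookup splices the user-supplied name into the SQL text, the second passes it as a bind variable.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, secret TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],  # constructed sample data
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the caller-supplied name becomes part of the SQL statement itself."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Hardened: '?' is a bind variable. The database parses the statement once and
    receives the value separately, so quotes inside it are just characters."""
    return [
        row[0]
        for row in conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    ]


if __name__ == "__main__":
    db = make_db()
    payload = "carrot' OR '1'='1"  # turns the concatenated WHERE clause into a tautology
    print(lookup_concat(db, payload))  # every user comes back
    print(lookup_bound(db, payload))   # no user is literally named that, so nothing comes back
```

The vulnerable variant executes `... WHERE name = 'carrot' OR '1'='1'`, which matches every row; the bound variant looks for a user whose name contains the quote and the OR, and finds none.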
System Development Life Cycle (SDLC) (720)
- Project initiation - define the need. Conceptual definition (basic security objectives). Feasibility, functional analysis and planning (alternatives checked, cost). Functional requirements definition (review proposed security controls). Control specifications development. System design specifications - develop detailed design specs (design review). Software development - programmers develop code; check modules, bounds checking, unit testing (code review). Acceptance testing and implementation (system test review). Certification/accreditation (examine security controls). Operations and maintenance (maintenance and change management). Revisions/disposal (sanitization and destruction of unneeded data).
- Management approval comes first; security has to be built into every step.
- System Life Cycle (SLC) extends beyond the SDLC with operations, maintenance and revisions/disposal.
- Verification = doing the job right. Validation = doing the right job. Waterfall with Validation and Verification (V&V) reinterprets the waterfall model: verification evaluates the product during development against the specification, validation refers to the work product satisfying the real-world requirements and concepts.

Software Development Methods (732)
- Waterfall model: System Requirements -> Software Requirements -> Analysis -> Program Design -> Coding -> Testing -> Operations & Maintenance. Simplistic model: it assumes that a phase ends at a specific time and that each step can be completed and finalized without any effect from later stages that may require rework. Manageable if developers are limited to going back only one step; if rework may be done at any stage it is not manageable.
- Spiral model: upper left = objectives of the plans; upper right = assessing alternatives, risk analysis; lower right = final development; lower left = development plans for the next cycle. The angular dimension = progress made, the radial dimension = cost. The left horizontal axis includes the major review required to complete each full cycle.
- Cleanroom - write the code correctly the first time; quality through design; prove the original design.
- Prototyping - the customer's view is taken into account.
- Agile Software Development (733): Individuals and interactions over processes and tools; Working software over comprehensive documentation; Customer collaboration over contract negotiation; Responding to change over following a plan. WORKING SOFTWARE IS THE PRIMARY MEASURE OF SUCCESS. Developers increasingly embraced approaches that placed an emphasis on the needs of the customer and on quickly developing new functionality that meets those needs in an iterative fashion.
- DevOps (728) - a combination of Development and Operations. The DevOps approach seeks to resolve issues by bringing software development, quality assurance and IT operations together in a single operational model (NOT security), symbolizing that these functions must merge and cooperate to meet business requirements. Keep separation of duties in mind.

Software Capability Maturity Model (CMM) (725)
Defined by the Carnegie Mellon University SEI (Software Engineering Institute). Describes the procedures, principles, and practices that underlie software development process maturity; the quality of software is a direct function of the quality of the development process. 5 levels:
1. Initial (initiating) - competent people, informal processes, ad hoc, absence of a formal process.
2. Repeatable - project management processes, basic life-cycle management processes.
3. Defined - engineering processes, presence of basic life-cycle management processes and reuse of code.
4. Managed - product and process improvement, quantitatively controlled.
5. Optimizing - continuous process improvement.
Levels 1-2 are REACTIVE, 3-5 PROACTIVE. Works with the IDEAL model: Initiate (begin the effort), Diagnose (perform assessment), Establish (an action plan), Action (implement improvements), Leverage (reassess and continuously improve).

Change and configuration management
Together, change and configuration management techniques form an important part of the software engineer's arsenal and protect the organization from development-related security issues. Change control includes reviewing support documentation, properly documenting any coded changes, conforming to quality control restrictions, and restricting the effects of new code to minimize diminishment of security. Formalized procedures are used to keep track of all authorized changes that take place.
The change management process has three basic components:
1. Request Control - provides an organized framework within which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize tasks.
2. Change Control - programmers develop code to address the request; multiple developers can create and test a solution prior to rolling it out into a production environment.
3. Release Control - once the changes are finalized, they must be approved for release through the release control procedure.
The configuration management process has four components:
1. Configuration Identification - administrators document the configuration of covered software products throughout the organization.
2. Configuration Control - ensures that changes to software versions are made in accordance with the change control and configuration management policies. Updates can be made only from authorized distributions in accordance with those policies.
3. Configuration Status Accounting - formalized procedures are used to keep track of all authorized changes that take place.
4. Configuration Audit - a periodic configuration audit should be conducted to ensure that the actual production environment is consistent with the accounting records and that no unauthorized configuration changes have taken place.
This process is used to control the version(s) of software used throughout an organization and to formally track and control changes.

Project Management Tools
- Gantt chart - a type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan, coordinate, and track specific tasks in a project.
- PERT (Program Evaluation Review Technique) - a project-scheduling tool used to judge the size of a software product in development and calculate the standard deviation (SD) for risk assessment. PERT relates the estimated lowest possible size, the most likely size, and the highest possible size of each component. PERT is used to direct improvements to project management and software coding in order to produce more efficient software.
- WBS (work breakdown structure) - decomposes the project into subparts.

Database Systems (736)
Database models
- Hierarchical = tree (each child has only one parent).
- Network = mesh, all interconnected; many-to-many relationships.
- Relational - tables with TUPLES and ATTRIBUTES (rows and columns); one-to-one and one-to-many relationships.
- Object-oriented - dynamic lifetime objects created on the fly by software; can store objects like video and pictures.
- Key-value store - associative arrays, a data structure more commonly known today as a dictionary or hash.

Relational terms
- DBMS - a suite of software programs that maintains and provides controlled access to data components stored in the rows and columns of a table. Schemas are the blueprints of the database.
- Tuple - row or record. Degree of a database - the number of attributes (columns) in a table.
- Candidate key - an attribute (or subset of attributes) that can be used to uniquely identify any record in a given table. No two records in the same table will ever contain the same values for all attributes composing a candidate key. Each table may have one or more candidate keys.
- Primary key - one of the candidate keys is chosen as the primary key; the others are alternate keys. It provides the sole tuple-level addressing mechanism within the relational model. It cannot contain a null value and cannot change or become null during the life of each entity.
- Foreign key - a reference to an entry in some other table where it is the primary key. When the primary key of one relation is used as an attribute in another relation, it is the foreign key in that relation. The link between the foreign and primary keys represents the relationship between the tuples. Foreign keys enforce referential integrity.
- Referential integrity - all foreign keys reference existing primary keys. Semantic integrity - the structural and semantic rules are enforced on all data types.
- DDL (Data Definition Language) - defines the structure and schema. DML (Data Manipulation Language) - VIEW, ADD, MODIFY, SORT and DELETE commands. DCL (Data Control Language) - the subset of SQL used to control access to data in a database, using GRANT and REVOKE statements.
- Views - restrict which part of the database a user sees.
- ODBC (Open Database Connectivity) - a database feature that allows applications to communicate with different types of databases without having to be directly programmed for interaction with each type; ODBC acts as a proxy. DDE (Dynamic Data Exchange) - enables applications to work in a client/server model by providing the inter-process communication (IPC) mechanism.

Database transactions
Four required characteristics, known as the ACID properties: atomicity, consistency, isolation, and durability.
- Atomicity - database transactions must be atomic, that is, an "all-or-nothing" affair. If any part of the transaction fails, the entire transaction must be rolled back as if it never occurred.
- Consistency - all transactions must begin operating in an environment that is consistent with all of the database's rules (for example, all records have a unique primary key). When the transaction is complete, the database must again be consistent with the rules, regardless of whether those rules were violated during the processing of the transaction itself.
- Isolation - transactions operate separately from each other. If a database receives two SQL transactions that modify the same data, one transaction must be completed in its entirety before the other is allowed to modify the same data. No other transaction should ever be able to use any inconsistent data generated during the execution of another transaction. This prevents one transaction from working with invalid data generated as an intermediate step by another transaction.
- Durability - once committed to the database, transactions must be preserved. Databases ensure durability through backup mechanisms such as transaction logs.
Concurrency issues:
- Lost updates - one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value.
- Dirty reads - one transaction reads a value from the database that was written by another transaction that did not commit.
- Incorrect summaries - one transaction is using an aggregate function to summarize data stored in the database while a second transaction is making modifications, causing the summary to include incorrect information.

Multilevel security in databases
- Mixing data with different classification levels and/or need-to-know requirements (database contamination) is a significant security challenge. It is essential that admins and developers strive to keep data with different security requirements separate.
- Database partitioning - splitting a single database into multiple parts, each with a unique and distinct security level or type of content.
- Polyinstantiation - two or more rows in the same relational database table appear to have identical primary key elements but contain different data for use at differing classification levels. It is often used as a defense against inference attacks.
- Often administrators deploy a trusted front end to add multilevel security to a legacy or insecure DBMS.

Programming Language Generations (762)
- First-generation languages (1GL) include all machine languages. Second-generation (2GL) include all assembly languages. Third-generation (3GL) include all compiled languages. Fourth-generation (4GL) attempt to approximate natural languages and include SQL. Fifth-generation (5GL) allow programmers to create code using visual interfaces.
- Assembler - translates assembly language into machine language (binary machine instructions). Compiler - translates a higher level program into an executable file. Interpreter - reads higher level code one line at a time and produces machine instructions.

Knowledge Management (755)
- Expert systems seek to embody the accumulated knowledge of experts on a particular subject and apply it in a consistent fashion to future decisions. Every expert system has two main components: the knowledge base (knowledge of the domain in the form of if-then rules; the priority of rules is called salience) and the inference engine (the decision program). Forward chaining - acquires information and comes to a conclusion; backward chaining - backtracks to determine IF a hypothesis is correct. The degree of uncertainty is handled by approaches such as Bayesian networks (probability of events), certainty factors (probability that an event is true) or fuzzy logic.
- Neural networks - based on the function of biological neurons; work with weighted inputs, and if a threshold is exceeded there will be output. A training period is needed to determine the input vectors; adaptability (learning process). Single-layer: only one level of summing nodes; multi-level: more levels of summing nodes. They use complex computations to replace partial functions of the human mind.
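The atomicity and consistency properties above, shown as an added example (example code written for these notes, not code from the study guide). It uses Python's standard sqlite3 module on a constructed two-account ledger whose only rule is a CHECK constraint that a balance may never go negative; the table and column names are assumptions. The transfer deliberately writes the credit before the debit so that a failing debit shows the half-applied credit being rolled back.

```python
import sqlite3


def make_db():
    """Constructed sample ledger: two accounts, balance may never go negative (a database rule)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account ("
        " id INTEGER PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO account (id, balance) VALUES (?, ?)", [(1, 100), (2, 50)])
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Move amount from src to dst as one transaction; True on commit, False on rollback.

    The credit is written first on purpose. If the debit then violates the CHECK rule,
    sqlite raises IntegrityError, the connection's context manager rolls the whole
    transaction back, and the credit never becomes visible (atomicity). The table is
    therefore consistent with its rules after the call either way (consistency).
    """
    try:
        with conn:  # commit on normal exit, rollback and re-raise on exception
            conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
            conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(conn):
    """Committed balances keyed by account id."""
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))


if __name__ == "__main__":
    db = make_db()
    print(transfer(db, 1, 2, 30), balances(db))   # True {1: 70, 2: 80}
    print(transfer(db, 1, 2, 500), balances(db))  # False {1: 70, 2: 80}: credit of 500 rolled back
```

Without the transaction (for instance with each UPDATE committed separately) the second call would leave account 2 with 580 and account 1 untouched, which is exactly the inconsistent intermediate state the ACID rules exist to prevent.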
Object Oriented Technology (769)
- Objects behave as a black box: users of an object (or operating system component) don't necessarily need to know the details of how the object works; they need to know just the proper syntax for using the object and the type of data that will be returned as a result. Objects are the basic units and are instances of classes that contain their methods; they are encapsulated representations of real world entities.
- Class - a collection of methods that defines the behavior of objects. Instance - an object is an instance of a class. Example notation: Account [name of class]; Owner: string [attribute of the class]; AddFunds(deposit: currency) [method of the class].
- Message - communication to an object to perform an action. Method - code that defines an action an object performs in response to a message. Behavior - the results exhibited by an object in response to a message.
- Inheritance - allows a subclass to access methods belonging to a superclass. Multiple inheritance - a class inherits characteristics from more than one parent class. If class = airplane, objects like fighter plane, cargo plane or passenger plane can be created; a method would be what a plane does with a message like climb, dive or roll.
- Delegation - forwarding a request to another object.
- Polymorphism - objects of many different classes that are related by some common superclass may have different methods using the same interfaces and respond differently to the same message. They can be substituted for each other if they have compatible operations.
- Encapsulation (data hiding) - an object holds only the data it needs and exposes its operations, not its internals.
- Abstraction - one of the fundamental principles behind object-oriented programming: understanding and modeling a particular problem independent of its implementation details.
- Cohesion - the strength of the relationship between the purposes of the methods within the same class. High cohesion: the module performs its task without the use of other modules. Low cohesion: it must interact with other modules.
- Coupling - the level of interaction between objects. High coupling: a module largely affects many other modules. Low coupling: it doesn't affect many other modules. Aim for high cohesion and low coupling.
- Object Request Brokers (ORBs) - middleware that acts as locator and distributor of objects across networks. CORBA (Common Object Request Broker Architecture) enables programs written in different languages and using different platforms and OSs to interoperate through IDL (Interface Definition Language). COM (Common Object Model) and DCOM (its distributed variant) support the exchange of objects amongst programs; this used to be called OLE.
- Phases of object orientation: OORA (requirements analysis), OOA (analysis), OOD (design), OOP (programming). Domain Analysis (DA) seeks to identify the classes and objects that are common to all applications in a domain. Object orientation (e.g. with C++ and Smalltalk) supports reuse of objects and reduces development risk.
- Poly-instantiation (databases) - two or more rows in the same relational database table appear to have identical primary key elements but contain different data for use at differing classification levels.
- Collisions - two different files produce the same result from a hashing operation.

Technical Security Protection Mechanisms
- Process isolation - requires that the operating system provide separate memory spaces for each process's instructions and data. It prevents unauthorized data access by preventing one process from reading or writing data that belongs to another process, and it protects the integrity of processes. It is one of the fundamental requirements in a multilevel security mode system.
- Hardware segmentation - similar to process isolation in purpose. The difference is that hardware segmentation enforces these requirements through physical hardware controls rather than the logical process isolation controls imposed by an operating system.
- Layering processes - implement a structure similar to the ring model used for operating modes and apply it to each operating system process.
- Separation of privilege - builds on the principle of least privilege. It requires the use of granular access permissions, that is, different permissions for each type of privileged operation. This allows designers to assign some processes the right to perform certain supervisory functions without granting them unrestricted access to the system.

Covert channels (778)
- Covert channel - a way to receive information in an unauthorized manner; an information flow that is not protected by a security mechanism. 2 types:
  - Covert storage channel - writing to storage by one process and reading by another process of a lower security level; the processes communicate via storage space on the system.
  - Covert timing channel - one process relays information to another by modulating its use of system resources (think of the timing rhythm of Morse code).
- Countermeasures: EAL6 systems have fewer covert channels than EAL3 systems, because covert channels are normally a flaw in the design.
- LOKI - a covert channel tool that writes its data directly after the ICMP header.

Malicious code threats (787)
- Virus - reproduces using a host application; it inserts or attaches itself to a file and spreads through infected media.
- Worm - reproduces and spreads on its own without a host application, independent of user action.
- Logic bomb / code bomb - executes when a certain event happens (like accessing a bank account or an employee being fired) or when a date/time occurs.
- Trojan horse - a program disguised as a useful program/tool; it pretends to do one thing while performing another. Remote Access Trojan (RAT) - remote control programs (e.g. Back Orifice, SubSeven, NetBus).
- Botnet - thousands of compromised systems running zombie code; used for DDoS attacks, by spammers to send spam, and to conduct brute force attacks.
- Hoaxes - false warnings like "DON'T OPEN X, SEND TO ALL".
- Macro virus - most common in office productivity documents (.doc/.docx); users click the warning dialogs away.
- Trap door / backdoor - an undocumented access path through a system, or a program installed by an attacker to enable him to come back at a later date without going through the proper authorization channels. It typically bypasses the normal security mechanisms and is used to plant any of the malicious code forms. A maintenance hook left by developers is a trap door too. Countermeasure: scan for vulnerable systems.
- Buffer overflow - excessive information provided to a memory buffer without appropriate bounds checking, which can result in an elevation of privilege. If executable code is loaded into the buffer it will be run as if it were the program. Buffer overflows must be corrected by the programmer or by directly patching system memory; they can be detected by disassembling programs and looking at their operations.
- Directory traversal attack - the attacker attempts to force the web application to navigate up the file hierarchy and retrieve a file that should not normally be provided to a web user.
- Mobile code: Java uses sandboxes; ActiveX uses Authenticode, which relies on digital signatures.
- Mobile device management (MDM) - a software solution to manage the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting.
Virus types
- Macro virus - usually written in Word Basic, VBScript or Visual Basic and used with MS Office documents.
- Companion virus - takes advantage of the search order of the OS. For example, the virus might rename the standard NOTEPAD.EXE file to NOTEPAD.EXD and create a new NOTEPAD.EXE containing the virus code; the virus subsequently runs the real Notepad application, so the user doesn't see anything suspicious.
- Resident virus - loads into memory when a program loads and stays there (memory resident). Non-resident virus - does not stay in memory.
- Boot sector virus - becomes resident in memory first and then infects the boot sector; often a memory resident virus. System infector - infects command and other system files.
- Polymorphic virus - also called a self-garbling virus: the virus changes its "garble" pattern each time it spreads, i.e. it changes the way its code is encoded, which makes it difficult to detect.
- Multipartite virus - uses two or more propagation mechanisms.
- Compression virus - appended to executables.
- Signature based anti-virus cannot detect new malware; heuristic/behavioral detection can.

Threats
- Natural (fires, water). Man-made (bombing, explosions, toxin spills).

Protection rings (MIT's MULTICS design)
- Ring 0 - OS kernel; the kernel manages the hardware. Ring 1 - remaining parts of the operating system. Ring 2 - I/O drivers and utilities. Ring 3 - applications and programs.
- Layers 1 and 2 contain device drivers but are not normally implemented in practice.
- Kernel mode - used by the processor to execute instructions from the OS. User mode - the processor mode used to run applications and the system tools that admins use to make configuration changes to a machine. Execution and memory space is assigned to each process.
- Trusted Computing Base (TCB) - the combination of hardware, software and firmware that is trusted to enforce the security policy; it must be isolated to reduce the number of threat vectors.
- Security kernel - the hardware, software and firmware that implement the reference monitor concept (isolation, completeness and verifiability); the reference monitor compares the security labels of subjects and objects.
- Multistate systems - certified to handle multiple security levels simultaneously; capable of implementing a much higher level of security.
- UEFI - replacement for BIOS.

Open versus closed
- Closed system - proprietary, with no third-party product support. Open system - published interfaces allow third parties to develop products to interact with it. Open/closed system does not define whether its code can be viewed.
- Open source - a coding stance that allows others to view the source code; the software may be distributed free or for a fee. Closed source - the opposing stance that keeps the source code confidential; it can still be reverse engineered or decompiled.
- JavaScript - an interpreted language that does not make use of a compiler to transform code into an executable state. C and C++ are compiled languages.
- Code review - a peer-driven process that includes multiple developers, done after the code is developed; a reviewer may review several hundred lines of code an hour.

Web and application attacks
- OWASP - Open Web Application Security Project, the most authoritative source on web application security issues.
- SQL injection - input such as CARROT'1=1 entered into a field whose value is concatenated into a query.
- Cross-site scripting (XSS) - uses reflected input to trick a user's browser into executing untrusted code from a trusted site.
- Port scan - the attacking system sends connection attempts to the targeted system against a series of commonly used ports.
- Aggregate functions - summarize large amounts of data and provide only summary information as a result.
- API keys - are like passwords and should be treated as very sensitive information. They should always be stored in secure locations and transmitted only over encrypted communication channels; if someone gains access to your API key, they can use the service as you.
- Shadow password file - the publicly accessible /etc/passwd file then simply contains a list of usernames with an "x" in the password field; the /etc/shadow file contains the true encrypted passwords of each user.
- Security fix - a single patch.
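The reflected XSS point above, shown as an added example (example code written for these notes, not code from the study guide). The two render functions stand in for a search page that echoes the query back; the "probe" function does what a scanner does to find reflected XSS, namely send a unique marker wrapped in angle brackets and check whether it comes back in the response unchanged. Function names and the probe format are assumptions for the demonstration; it needs only the standard library.

```python
import html
import secrets


def render_vulnerable(query: str) -> str:
    """Vulnerable: reflects the user's query straight into the HTML response."""
    return "<p>Results for: " + query + "</p>"


def render_safe(query: str) -> str:
    """Hardened: HTML-escape before reflecting, so markup in the input is shown as text,
    not parsed by the browser. quote=True also escapes quotes for use inside attributes."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def probe_reflected_xss(render) -> bool:
    """Scanner-style check: a random marker in angle brackets is submitted as the query.
    If it comes back verbatim the page reflects input without encoding it."""
    marker = "xssprobe" + secrets.token_hex(4)
    canary = "<" + marker + ">"
    return canary in render(canary)


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"  # constructed test input
    print(render_vulnerable(payload))  # the script tag reaches the browser as markup
    print(render_safe(payload))        # &lt;script&gt;... is rendered as harmless text
    print(probe_reflected_xss(render_vulnerable), probe_reflected_xss(render_safe))
```

Escaping on output is the fix; rejecting "<script>" on input is not, because the same reflected value can be abused with event handlers, other tags or different casing that an input blocklist does not anticipate.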
someone gains access to your API key. This file contains the Heuristic behavioral can detect new malware true encrypted PWs of each user. Because the MBR is extremely small Blue Screen of Death – when a Windows system experiences a Nessus . Threat Modeling – reduce the number of security-related design into a device. Visual Basic or submission of authenticated request to third-party sites. software.Remaining parts of the operating system a complier to transform code into an executable state. JavaScript – is an interpreted language that does not make use of itself Ring 1 .EXE containing the virus code.A specific type of virus where the infected from reference monitor (reference monitor: isolation. software and firmware that are beat installed that introduces remote control or other malicious features trusted to enforce the security policy. it changes the way its code is encoded Closed system .capable of implementing a much higher targets system against a series of commonly used ports NOTEPAD. It uses port scans to detect open bypass this space limitation. & %252F = / mechanisms implemented in practice. so the user doesn’t Protection rings . Ring 2 .Applications and programs Directory Traversal Attack . Strong Passwords – social engineering best attack method to Phlashing . explosions water. Execution and memory space assigned to each process developers. They should always be stored in secure locations and Master boot record /boot sector . update.EXE file to NOTEPAD. the virus instructs it to read and collection systems.(MBR) virus attack the MBR— sessions but do not force the browser to submit request.-.is a popular vulnerability scanner managed by Tenable (usually 512 bytes).like passwords and should be treated as very sensitive memory Session Hijacking – attempt to steal previously authenticated information. “x” User Mode – processor mode used to run the system tools used Man-made (bombing. it is also difficult to detect. thereby loading Patch management system . 
for new attacks. strikes. ports and identify the services and protocols that are likely running their code on another portion of the storage media.infects both the boot sector and executable files.is one with published APIs that allow third parties Self-garbling virus – attempts to hide by garbling its code. To Hotfix. Layer 3 contains user applications. the virus will run first security levels simultaneously by using specialized mechanisms Balance: currency = 0 [attributes of class] and then pass control to the original program. or SQL Injection – directly attacks a database through a web app. Java. elements of TCB and coding flaws. reduce severity of non-security related files. /etc. Multipart virus .tool for development. but it is not accessible to anyone but the administrator. As a CSRF (XSRF) – Cross site request forgery. Layer Open system . The OS’ core.Virus (784) Protection mechanisms (795) Nice to Know Boot sector – moves or overwrites the boot sector with the virus Protection domain Code Review . When the user level of security.a malicious variation of official BIOS or firmware is which include the hardware. processor cycles and memory) RemoveFunds (withdrawal: currency) [method of class] Stealth virus – hides modifications to files or boot records and and supplies fundamental services that the HW does not provide. trust that sites have in a user’s browser by attempting to force the source code of a program. storm) data necessary to mount a dictionary attack.Operating system kernel. When the Service Pack – collection of unrelated patches released in a large on these systems. Ensuring systems are patched reduces CASE .quotation mark to escape out of input field web service as if they were you! Limit access to API during the boot process. may be automated. C. MBR viruses store the majority of updates to operating systems and applications. patches provide wide range of vulnerabilities.