SSCP Notes Today Date PDF
1. Access Controls
2. Administration
3. Audit and Monitoring
4. Risk, Response, and Recovery
5. Cryptography
6. Data Communications
7. Malicious Code
Table of Contents
1.0 ACCESS CONTROLS ........................ 03
2.0 ADMINISTRATION ......................... 07
3.0 AUDIT AND MONITORING ................... 13
4.0 RISK, RESPONSE, AND RECOVERY ........... 18
5.0 CRYPTOGRAPHY ........................... 21
6.0 DATA COMMUNICATIONS .................... 25
7.0 MALICIOUS CODE ......................... 31
REFERENCES ................................. 33
1.0 ACCESS CONTROLS
Access control objects: Any objects that need controlled access can be considered an access control object.
Access control subjects: Any users, programs, and processes that request permission to objects are access
control subjects. It is these access control subjects that must be identified, authenticated and authorized.
Access control systems: Interface between access control objects and access control subjects.
1.1.5 Assurance
In order to provide assurance, the following four questions must be answered: (i.e. CIA + Accountability)
- Are transactions between the access control subject and access control object confidential?
- Is the integrity of the access control object ensured and guaranteed?
- Is the access control object available to be accessed when needed?
- Is the access control system accountable for what it authenticates (e.g. logging/auditing)?
If all four can be answered affirmatively, then assurance has been established.
Account Administration: Administration of all user, system, and service accounts used within the access control
system. This includes creation (authorization, rights, permissions), maintenance (account lockout-reset, audit,
password policy), and destruction (rename or delete) of accounts.
Access Rights and Permissions: The owner of the data should decide any rights and permissions for a specific
account. The principle of least privilege will be used here to grant all the rights and permissions necessary to an
account to perform the required duties, but not more than required or needed.
Monitoring: Changes to accounts and escalation of privileges should be logged and continuously
monitored for security.
Removable Media Security: Any removable media used with the system can be a vulnerability. All removable
media should be restricted or controlled in some manner to provide for the best possible system security.
Management of Data Caches: Access control is not only for users - any type of information which is on the
system needs to be considered - e.g. temporary data caches (pagefile, Dr. Watson crash dumps, .tmp files etc.)
Logical/Technical: In this implementation, automated methods are used to enforce access control policies.
Automating the policy in this way reduces human error during the operational stage. E.g. enforced
password restrictions (length, expiration, lockout), use of SSL, SSH etc.
Physical: This type of implementation includes everything from controlling access to a secure building
to protecting network cabling from electro-magnetic interference (EMI). Example: Security guards,
Biometric devices, ID badges, Perimeter defenses (walls/fences), Physical locks.
Note 1: The policies and implementations may be combined, i.e. Preventive / Administrative (e.g.
written password policy); Detective / Logical/Technical (e.g. IDS); Corrective / Administrative (e.g.
disaster recovery plan). There are also some, e.g. CCTV, that may be seen as Preventive/Physical
(when recording only) & Detective/Physical (when being actively monitored).
Note 2: Don't confuse the SSCP usage of policy with Windows Policies (e.g. min password length etc)
Discretionary Access Control (DAC): The data owner decides the access. (Owner can change
permissions).
Mandatory Access Control (MAC): The system decides the access depending on the classification
(sensitivity label). Stronger than DAC. (Only central admin can change permissions, but the data owner
still decides on the data classification).
Role-based access control (RBAC) aka Non-Discretionary: The role of the user/task (subject)
determines the access to the data object. Uses a centrally administrated set of controls to determine how
subjects and objects interact.
Formal Models:
1. Biba
First formal model to address integrity. The Biba model bases its access control on levels of integrity. It
consists of three primary rules.
1. A subject at a given integrity level X can only read objects at the same or higher integrity levels - the
simple integrity axiom.
2. A subject at integrity level X can only write objects at the same or lower integrity levels - the * (star)
integrity axiom.
3. A subject at integrity level X can only invoke a subject at the same or lower integrity levels.
2. Clark/Wilson
This model is similar to Biba, as it addresses integrity. Protecting the integrity of information by focusing on
preventing authorized users from making unauthorized modifications of data, fraud, and errors within
commercial applications.
It uses segregation of duties or separation of duties. The principle of segregation of duty states no single
person should perform a task from beginning to end, but that the task should be divided among two or more
people to prevent fraud by one person acting alone. This ensures the integrity of the access control object by
securing the process used to create or modify the object.
3. Bell/LaPadula
This formal model specifies that every access control object has a minimum security level assigned to it, so
that access control subjects with a security level lower than that of the object are unable to
access the object. The Bell-LaPadula formal model only addresses confidentiality. It is what the MAC
model is based on. Bell-LaPadula also formed the basis of the original "Orange Book".
Note: Bell-LaPadula does not address integrity or availability. Remember: No read up / No write down.
ORANGE BOOK: The Department of Defense "Trusted Computer System Evaluation Criteria (TCSEC)" book,
or the "Orange" book. The Orange Book requires that the system be configured as standalone.
RED BOOK: Is in 2 parts: "Trusted Network Interpretation of the TCSEC" and "Trusted Network
Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation." The
guidelines within this book are as strict as the Orange Book itself, but it is designed to work with networked
environments.
Centralized access control: All access control queries are directed to a central point of authentication.
This type of system allows for a single point of administration for the entire access control system.
It decreases the administrative effort but also raises costs, and implementation is more difficult. Examples: Kerberos,
Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control
System (TACACS) and TACACS+ (allows encryption of data).
1.4 Remote Authentication
To provide reliable authentication for remote users in small organizations it is possible to use the default
authentication method of the software being used for remote access. For large organization the following
authentication methods are used: Remote Authentication Dial-In User Service (RADIUS) and Terminal Access
Controller Access Control System (TACACS/TACACS+).
1.4.1 RADIUS
Using RADIUS, a remote access server accepts the authentication credentials from the access control
subject and passes them along to the RADIUS server for authentication. The RADIUS server then responds
to the remote access server either with authorization or denial. A major advantage of RADIUS is that
communication between the RADIUS server and the remote access server is encrypted, which helps increase
the overall security of access control.
1.4.2 TACACS
Older, does not use encryption, and less often used. It allows for a centralized access control approach that
keeps all access control changes isolated to a single place. When the TACACS server receives the
identification data, it either returns authorization information or denies access to the user. This information
is passed back to the remote access server in clear text and the remote access server responds appropriately.
1.4.3 TACACS+
Same as TACACS, except that the authentication information crosses the network in an encrypted format.
2.0 ADMINISTRATION
2.1 Security Administration Principles
Authorization: A process through which an access control subject is authenticated and identified; the
subject is then authorized to have a specific level or type of access to the access control object.
Identification and Authentication: Identification works with authentication, and is defined as a process
through which the identity of an object is ascertained. Identification takes place by using some form of
authentication.
Accountability: Accountability within a system means that anyone using the system is tracked and held
accountable or responsible for their actions. Example: Authentication audit trail or log,
privilege elevation audit trail or log.
Non-repudiation: Non-repudiation is an attribute of communications that seeks to prevent future false denial
of involvement by either party. Non-repudiation is consequently an essential element of
trust in e-business.
Least privilege: The principle of least privilege states that a user should be given enough access to the
system to enable him/her to perform the duties required by their job. Elevated levels of
access should not be granted until they are required to perform job functions. Owners of
the information in a system are responsible for the information and are the appropriate
authority for authorizing access level upgrades for the system users under their control.
Data Classification: The primary purpose of data classification is to indicate the level of confidentiality,
integrity and availability that is required for each type of information. It helps to ensure
that the data is protected in the most cost-effective manner. The data owner always
decides the level of classification.
Commercial        Military
Confidential      Top Secret
Private           Secret
Sensitive         Confidential
Public            Sensitive but unclassified
                  Unclassified
2.4 System Life Cycle Phases and Security Concerns
• Applies to new developments and systems improvements and maintenance.
• Security should be included at each phase of the cycle.
• Security should not be addressed at the end of development because of the added cost, time and effort.
• Separation of duties should be practiced in each phase (e.g. programmer not having production access).
• Changes must be authorized, tested and recorded. Any changes must not affect the security of the
system or its capability to enforce the security policy.
2.5 Due Diligence / Due Care
The concepts of due diligence and due care require that an organization engage in good business practices
relative to the organization’s industry.
Due Diligence is the continual effort of making sure that the correct policies, procedures and standards are in
place and being followed. Due diligence may be mandated by various legal requirements in the organization’s
industry or compliance with governmental regulatory standards.
An example of Due Care is training employees in security awareness – as opposed to simply creating a policy
with no implementation plan or follow-up. Another example is requiring employees to sign statements that they
have read and understood appropriate acceptable use policies.
In lay terms, due diligence is the responsibility a company has to investigate and identify issues, and due care is
doing something about the findings.
Once a system is built the certification process begins to test the system for all security and functional requirements. If
the system meets all requirements it gains accreditation. Accredited systems are then accepted into the operational
environment. This acceptance is because the owners and users of the system now have a reasonable level of assurance
that the system will perform as intended, both from a security and functional perspective.
2.8.3 Multilevel Secure Mode (MLS)
Proper clearance required for ALL information on the system. All users that have access to the system
must have a security clearance that authorizes their access. Uses data classification and Mandatory
Access Control (MAC) to secure the system. Processes and data are controlled. Processes from lower
security levels are not allowed to access processes at higher levels. All users can access SOME data,
based on their need to know, formal access approval and clearance level.
In addition, there are several system security architecture concepts that may be applied:
2.8.4 Hardware Segmentation
Within a system, memory allocations are broken up into segments that are completely separate from
one another. The kernel within the operating system controls how the memory is allocated to each
process and gives just enough memory for the process to load the application and the process data. Each
process has its own allocated memory and each segment is protected from one another.
2.8.5 Trusted computing base
Is defined as the total combination of protection mechanisms within a computer system. Includes
hardware, software and firmware. Originated from the Orange Book.
Security perimeter: Defined as resources that fall outside of TCB. Communication between trusted
components and un-trusted components needs to be controlled to ensure that confidential information
does not flow in an unintended way.
Reference monitor: Is an abstract machine (access control system), which mediates all access that
subjects have to objects to ensure that the subjects have the necessary access rights and to protect the
objects from unauthorized access and destructive modification. Compares access level to data
classification to permit/deny access.
Security kernel: Made up of mechanisms (h/w, s/w, firmware) that fall under the TCB and implement
and enforce the reference monitor. At the core of TCB and is the most common approach to building
trusted systems. Must be isolated from the reference monitor.
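To make the Bell-LaPadula and Biba rules from the Formal Models section concrete, and to show what the reference monitor described above does when it compares a subject's level to an object's classification, here is an added example (written for these notes, not taken from them or from any product) of a small reference monitor in Python. The lattices, subject names and object labels are constructed for illustration; the decision logic is exactly the no read up / no write down (Bell-LaPadula) and no read down / no write up (Biba) rules stated in section 1.0, and every decision is recorded for accountability.

```python
"""Added example: a minimal reference monitor that mediates every subject -> object
access against Bell-LaPadula (confidentiality) and Biba (integrity) rules.
Levels, subjects and objects below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordered lattices: list index is the level's rank (higher index = higher level).
SENSITIVITY: List[str] = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
INTEGRITY: List[str] = ["LOW", "MEDIUM", "HIGH"]


@dataclass(frozen=True)
class Label:
    sensitivity: str  # Bell-LaPadula clearance (subject) or classification (object)
    integrity: str    # Biba integrity level

    def s(self) -> int:
        return SENSITIVITY.index(self.sensitivity)

    def i(self) -> int:
        return INTEGRITY.index(self.integrity)


def bell_lapadula_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Simple security property: no read up.  *-property: no write down."""
    if mode == "read":
        return subject.s() >= obj.s()
    if mode == "write":
        return subject.s() <= obj.s()
    raise ValueError(f"unknown access mode {mode!r}")


def biba_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Simple integrity axiom: no read down.  * integrity axiom: no write up."""
    if mode == "read":
        return subject.i() <= obj.i()
    if mode == "write":
        return subject.i() >= obj.i()
    raise ValueError(f"unknown access mode {mode!r}")


def biba_invoke_allows(caller: Label, callee: Label) -> bool:
    """Third Biba rule: a subject may only invoke subjects at the same or lower integrity."""
    return caller.i() >= callee.i()


class ReferenceMonitor:
    """Mediates every access and keeps an audit record of each decision (accountability)."""

    def __init__(self, subjects: Dict[str, Label], objects: Dict[str, Label]) -> None:
        self.subjects = subjects
        self.objects = objects
        self.audit: List[Tuple[str, str, str, bool, str]] = []

    def access(self, subject: str, obj: str, mode: str) -> Tuple[bool, str]:
        s, o = self.subjects[subject], self.objects[obj]
        if not bell_lapadula_allows(s, o, mode):
            decision = (False, "Bell-LaPadula: no read up / no write down")
        elif not biba_allows(s, o, mode):
            decision = (False, "Biba: no read down / no write up")
        else:
            decision = (True, "permitted")
        self.audit.append((subject, obj, mode) + decision)
        return decision


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed subjects/objects; each request exercises one rule."""
    subjects = {
        "analyst": Label("SECRET", "MEDIUM"),
        "clerk": Label("CONFIDENTIAL", "LOW"),
    }
    objects = {
        "war_plan": Label("TOP SECRET", "HIGH"),
        "memo": Label("CONFIDENTIAL", "MEDIUM"),
        "rumours": Label("UNCLASSIFIED", "LOW"),
    }
    rm = ReferenceMonitor(subjects, objects)
    return {
        "analyst reads war_plan": rm.access("analyst", "war_plan", "read"),  # BLP: read up
        "analyst reads memo": rm.access("analyst", "memo", "read"),          # both rules pass
        "analyst writes rumours": rm.access("analyst", "rumours", "write"),  # BLP: write down
        "analyst reads rumours": rm.access("analyst", "rumours", "read"),    # Biba: read down
        "clerk writes memo": rm.access("clerk", "memo", "write"),            # Biba: write up
    }


if __name__ == "__main__":
    for request, (ok, why) in demo().items():
        print(f"{request:24s} -> {'ALLOW' if ok else 'DENY ':5s} ({why})")
```

Note that a request can be confidentiality-safe yet integrity-unsafe (the analyst reading low-integrity rumours) or the reverse, which is why a system enforcing both models must check each rule independently.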
2.8.6 Data Protection Mechanisms
Layered design: Layered design is intended to protect operations that are performed within the kernel.
Each layer deals with a specific activity: the outer layer performs normal tasks (least trusted) and the
inner layer more complex and protected (most trusted) tasks. Segmenting processes like this means that
untrusted user processes running in the outer layers will not be able to corrupt the core system.
Data abstraction: Data abstraction is the process of defining what an object is, what values it is
allowed to have, and the operations that are allowed against the object. The definition of an object is
broken down to its most essential form leaving only those details required for the system to operate.
Data hiding: Data hiding is the process of hiding information available to one process level in the
layered model from processes in other layers. Data hiding is a protection mechanism meant to keep the
core system processes safe from tampering or corruption.
It is important to enforce the change control / configuration management process. Some tools for detecting
violations are: NetIQ, PentaSafe, PoliVec and Tripwire. These tools offer solutions for monitoring the
configuration of systems and alerting on out-of-course changes.
2.10 Policy, Standard, Guidelines, Baselines
Security Policy: A general statement written by senior management to dictate what type of role security plays
within the organization; it also provides scope and direction for all further security.
Standards: Specify how hardware/software products are to be used. They provide a means to ensure that
specific technology, applications, parameters and procedures are carried out in a uniform way.
These rules are usually compulsory within a company and they need to be enforced.
Baselines: Provide the minimum level of security necessary throughout the organization.
Guidelines: Recommended actions and operational guides when a specific standard does not apply.
Procedures: Step-by-step actions to achieve a certain task.
2.15 Common Development of a Security Policy
The phases of the common development process of a security policy are:
Initial & Evaluation: Writing a proposal to management that states the objectives of the policy.
Development: Drafting and writing the actual policy, incorporating the agreed objectives.
Approval: The process of presenting the policy to the approval body.
Publication: Publishing and distributing the policy within the organization.
Implementation: Carrying out and enforcing the objectives of the policy.
Maintenance: Regularly reviewing the policy to ensure currency (may be on a scheduled basis).
3.0 AUDIT AND MONITORING
Auditing is the process of verifying that a specific system, control, process, mechanism, or function meets a defined
list of criteria. It gives security managers the ability to determine compliance with a specific policy or standard.
It is often used to provide senior management with reports on the effectiveness of security controls. Monitoring is
the process of collecting information to identify security events and report them in a pre-described format.
Auditing goals should be coupled with governance. Ensures that auditing goals align with the business goals.
Governance considers organizational relationships and processes that directly affect the entire enterprise.
Once the goal of an audit has been clearly identified, the controls required to meet the objective can be planned -
this is often called the control objective.
1. Plan the audit
- Understand the business context of the security audit
- Obtain required approvals from senior management and legal representatives
- Obtain historical information on previous audits, if possible
- Research the applicable regulatory statutes
- Assess the risk conditions inherent to the environment
2. Determine the existing controls in place and the risk profile
- Evaluate the current security posture using a risk-based approach
- Evaluate the effectiveness of existing security controls
- Perform detection/control risk assessment
- Determine the total resulting risk profile
3. Conduct compliance testing
- Determine the effectiveness of policies and procedures
- Determine the effectiveness of segregation of duties
4. Conduct substantive testing
- Verify that the security controls behave as expected
- Test controls in practice
5. Determine the materiality of weaknesses found
- If the security exploits found were to be executed, what would be the tangible ($£) impact to the business and the intangible (reputation) impact?
- Determine if the security exploits increase the organizational risk profile
6. Present findings
- Prepare the audit report and the audit opinion
- Create recommendations
3.2.3 Audit Data Sources (p. 192)
Audit sources are locations from which audit data can be gathered for evaluation and analysis. The
auditor should always consider the objectivity of the information source. Audit data can be gathered
from a number of locations such as:
- Organization charts
- Hardware and software inventories
- Network topology diagrams
- Informal interviews with employees
- Business process and development documentation
- Previous audit reports
One of the most difficult aspects of establishing an audit trail is ensuring audit trail integrity.
Integrity of the audit trail is crucial to event reconstruction of a security incident. It is important to
protect the audit trail from unauthorized access and log tampering. The use of a Central Logging
Facility (CLF) to maintain disparate system logs is recommended. Backups of audit logs should also be
considered.
Audit log reviews should be conducted at a level of detail that allows general inferences to be made about
host activity while remaining granular enough to investigate a particular event further.
Audit trails provide a method of tracking or logging that allows for tracing security-related activity.
Useful audit trails include:
- Password changes
- Account creations and deletions
- Privilege use
- Resource access
- Privilege escalation
- Authentication failures
System Events provide triggers that are captured in the audit trail and used to demonstrate a pattern of
activity. The following are examples of events tracked:
- Startup and shutdown
- Admin/operator actions
- Log in and log off
- Resource access denials
- Object create, delete, and modify
- Resource access approvals
Sampling and Data Extraction is done when there is no original data available. In this case, the
administrator would have to use collection techniques such as interviews or questionnaires to extract
the data from a group of respondents. Data sampling allows them to extract specific information. This is
most often used for the detection of anomalous activity.
Retention periods indicate how long media must be kept to comply with regulatory constraints. The
key question is "how long is long enough"? Largely depends on regulatory/compliance issues.
When preparing for a penetration test, a list of attacks that will take place has to be generated or
mapped. This list of attacks can be likened to an audit checklist. A responsible penetration test
requires careful coordination and planning to minimize the likelihood of negative impact to an
organization.
A penetration test is the authorized, scheduled and systematic process of using known
vulnerabilities and exploiting the same in an attempt to perform an intrusion into host, network,
physical or application resources.
The penetration test can be conducted on internal (a building access or Intranet host security
system) or external (the company connection to the Internet) resources. It normally consists of
automated and manual testing of organization resources. The process includes.
Checklist Audit (p.198): Standard audit questions are prepared as template and used for a wide
variety of organizations (e.g. SPRINT).
If an auditor relies on the checklist too much and does not perform his or her own verification of
related details based on observations unique to the environment, a major security flaw could go
unnoticed. The same is true of software tools that automate the audit process and/or check for
security vulnerabilities (see CAATs below).
Other types of security audit methods are war-dialing (to see if there are any open modems),
dumpster diving (to test the effectiveness of the secure disposal of confidential information),
social engineering (to test employees' security behaviour) and war-driving (looking for unsecured
wireless access points).
The advantage of using CAATs (Computer-Assisted Audit Techniques) is the automation of manual tasks for data analysis. The danger of
using them is reliance on tools to replace human observation and intuition. Auditors should use
CAATs to exhaustively test data in different ways, test data integrity, identify trends, anomalies, and
exceptions and to promote creative approaches to audits while leveraging these tools.
Some examples of (mainframe-based) CAATs are: EZTrieve, CA-PanAudit, FocAudit and SAS. PCs
can also be used with spreadsheet/database programs for auditing, or a Generalized Audit Software (GAS)
tool can be used to perform these audit functions - e.g. Integrated Development Environment Application
(IDEA).
A CLF can collect and integrate disparate data from multiple systems and help determine a pattern of
attack through data correlation. It can also reveal discrepancies between remote logs and logs kept on a
protected server - in this way it may detect log tampering.
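The notes recommend protecting audit trail integrity and using a CLF to detect tampering by comparing remote logs against a copy kept on a protected server. The added example below (written for these notes, not from them or from any logging product) shows both ideas in Python: a hash-chained audit trail in which every entry commits to the previous one, so that removing or editing an earlier line is detectable, and a comparison of the central copy against the host's local copy that points at the missing line. The event records are constructed.

```python
"""Added example: a tamper-evident (hash-chained) audit trail plus the
central-vs-local comparison a CLF can perform.  All events are constructed."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain anchor for the first entry


def chain_entry(prev_hash: str, record: Dict[str, str]) -> Dict[str, str]:
    """Each entry carries the hash of the previous entry; editing or deleting an
    earlier line therefore invalidates every hash that follows it."""
    body = json.dumps(record, sort_keys=True)
    digest = hashlib.sha256((prev_hash + body).encode()).hexdigest()
    return {"prev": prev_hash, "body": body, "hash": digest}


def build_trail(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    trail: List[Dict[str, str]] = []
    prev = GENESIS
    for rec in records:
        entry = chain_entry(prev, rec)
        trail.append(entry)
        prev = entry["hash"]
    return trail


def first_broken_link(trail: List[Dict[str, str]]) -> Optional[int]:
    """Index of the first entry whose chain link does not verify, or None if intact."""
    prev = GENESIS
    for idx, entry in enumerate(trail):
        expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return idx
        prev = entry["hash"]
    return None


def clf_discrepancies(central: List[Dict[str, str]],
                      local: List[Dict[str, str]]) -> List[str]:
    """Entries present in the CLF's protected copy but absent from the host's own
    log: candidates for deletion on the host."""
    local_hashes = {e["hash"] for e in local}
    return [e["body"] for e in central if e["hash"] not in local_hashes]


def demo() -> Dict[str, object]:
    """Constructed events forwarded to the CLF, then one line removed on the host."""
    events = [
        {"ts": "2024-01-01T10:00:00Z", "user": "alice", "event": "logon"},
        {"ts": "2024-01-01T10:05:00Z", "user": "alice", "event": "privilege_elevation"},
        {"ts": "2024-01-01T10:06:00Z", "user": "alice", "event": "object_delete"},
        {"ts": "2024-01-01T10:09:00Z", "user": "alice", "event": "logoff"},
    ]
    central = build_trail(events)           # protected copy on the CLF
    local = central[:1] + central[2:]       # host copy with the elevation line removed
    return {
        "central_ok": first_broken_link(central) is None,
        "local_break_at": first_broken_link(local),
        "missing_on_host": clf_discrepancies(central, local),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The chain alone tells you that the local log was altered and where the break starts; the comparison with the central copy tells you what was removed, which is exactly the discrepancy the notes say a CLF can reveal.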
Warning Banners will warn the users of systems about their adherence to acceptable usage policy and their
legal liability. This will add to the process of legal requirements during prosecution of malicious users. In
addition the banners warn all users that anything they do on the systems is subject to monitoring.
Keystroke Monitoring is a process whereby computer system administrators view or record both the keystrokes
entered by a computer user and the computer's response during a user-to-computer session.
Traffic analysis allows data captured over the wire to be reported in human readable format for action.
Trend analysis draws on inferences made over time on historical data (mostly traffic). Can show how an
organization increases or decreases its compliance to policy (or whatever is being audited) over time.
Event Monitoring provides alerts, or notification, whenever a violation in policy is detected. IDSs typically
come to mind, but firewall logs, server/app logs, and many other sources can be monitored for event triggers.
Closed Circuit Television (CCTV) will monitor the physical activity of persons.
Hardware monitoring is carried out for fault detection and software monitoring for detecting the illegal
installation of software.
Alarms and signals work with IDS. An alarm allows an administrator to be made aware of the occurrence of a
specific event. This can give the administrator a chance to head off an attack or to fix something before a
situation gets worse. These notifications can include paging, calling a telephone number and delivering a
message, or notification of centralized monitoring personnel.
Violation Reports are used extensively in monitoring an access control system. This type of report basically
shows any attempts of unauthorized access. This could simply be a list of failed logon attempts reported. Also
see Clipping Levels p. 17
Honeypots are deliberately kept by the organizations for studying attackers' behavior and also in drawing
attention away from other potential targets.
Misuse detectors analyze system activity, looking for events or sets of events that match a predefined
pattern of events that describe a known attack. Sometimes called "signature-based detection." The most
common form of misuse detection used in commercial products specifies each pattern of events
corresponding to an attack as a separate signature.
Intrusion Detection Systems (IDS) provide an alert when an anomaly occurs that does not match a predefined
baseline or if network activity matches a particular pattern that can be recognized as an attack. There are two
major types of intrusion detection:
- Network-based IDS (NIDS) which will sniff all network traffic and report on the results.
- Host-based IDS (HIDS) which will operate on one particular system and report only on items affecting that
system.
Intrusion detection systems use two approaches:
Brute Force Attack: In this type of attack, every conceivable combination of letters, numbers, and symbols is
systematically tried against the password until it is broken. It may take an incredibly long time due to the number
of permutations and combinations that must be tried.
Denial of Service (DoS): Is a situation where a circumstance, either intentionally or accidentally, prevents the
system from functioning as intended or prevents legitimate users from using that service. In certain cases, the
system may be functioning exactly as designed however it was never intended to handle the load, scope, or
parameters being imposed upon it. Denial-of-service attack is characterized by an explicit attempt by attackers to
prevent legitimate users of a service from using that service. Examples include:
- Attempts to "flood" a network, thereby preventing legitimate network traffic.
- Attempts to disrupt connections between two machines, thereby preventing access to a service.
- Attempts to prevent a particular individual from accessing a service.
- Attempts to disrupt service to a specific system or person.
Distributed Denial of Service (DDoS): Similar to DoS attack but the attacker uses other systems to launch the
denial of service attack. A trojan horse could be placed on the "slave" system that allows the attacker to launch
the attack from this system.
Spoofing: Spoofing is a form of attack where the intruder pretends to be another system and attempts to
provide/obtain data and communications that were intended for the original system. This can be done in several
different ways including IP spoofing, session hijacking, and Address Resolution Protocol (ARP) spoofing.
Man In The Middle Attacks: Performed by effectively inserting an intruder’s system in the middle of the
communications path between two other systems on the network. By doing this, an attacker is able to see both
sides of the conversation between the systems and pull data directly from the communications stream. In
addition, the intruder can insert data into the communications stream, which could allow them to perform
extended attacks or obtain more unauthorized data from the host system.
Spamming attacks: Spamming or the sending of unsolicited e-mail messages is typically considered more of an
annoyance than an attack, but it can be both. It slows down the system, making it unable to process legitimate
messages. In addition to that mail servers have a finite amount of storage capacity, which can be overfilled by
sending a huge number of messages to the server, thus effectively leading to DoS attack on the mail server.
Sniffing: The process of listening/capturing the traffic going across the network either using a dedicated device
or a system configured with special software and a network card set in promiscuous mode. A sniffer basically sits
on the network and listens for all traffic going across the network. The software associated with the sniffer is
then able to filter the captured traffic allowing the intruder to find passwords and other data sent across the
network in clear text. Sniffers have a valid function within information technology by allowing network analysts
to troubleshoot network problems, but they can also be very powerful weapons in the hands of intruders.
3.4 TEMPEST
TEMPEST is the U.S. government codename for a set of standards for limiting electric or electromagnetic
radiation emanations from electronic equipment such as microchips, monitors, or printers. It helps ensure that
devices are not susceptible to attacks like Van Eck Phreaking.
For example, a clipping level of three can be set for reporting failed log-on attempts at a workstation. Thus, three
or fewer log-on attempts by an individual at a workstation will not be reported as a violation (thus eliminating the
need for reviewing normal log-on entry errors.)
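As an added example (written for these notes, not from them) covering both the signature-based misuse detection and the violation report with a clipping level described above, here is a Python sketch that runs over constructed sample log lines: failed logons are counted per user and only users above the clipping level appear in the violation report, and each known pattern is held as a separate signature, as the notes say commercial misuse detectors do. The log format, user names and addresses are constructed.

```python
"""Added example: a clipping-level violation report and a small signature
(misuse) detector over constructed sample log lines."""
import re
from collections import Counter
from typing import Dict, List, Pattern, Tuple

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2024-01-01T09:00:01Z host1 sshd: Failed password for bob from 10.0.0.5
2024-01-01T09:00:04Z host1 sshd: Failed password for bob from 10.0.0.5
2024-01-01T09:00:07Z host1 sshd: Accepted password for bob from 10.0.0.5
2024-01-01T09:10:00Z host1 sshd: Failed password for carol from 10.0.0.9
2024-01-01T09:10:02Z host1 sshd: Failed password for carol from 10.0.0.9
2024-01-01T09:10:04Z host1 sshd: Failed password for carol from 10.0.0.9
2024-01-01T09:10:06Z host1 sshd: Failed password for carol from 10.0.0.9
2024-01-01T09:12:00Z host1 sshd: Failed password for invalid user admin from 10.0.0.9
2024-01-01T09:15:00Z host1 sudo: dave : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow
"""

FAILED_LOGON = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def violation_report(log: str, clipping_level: int = 3) -> Dict[str, int]:
    """Count failed logons per user and report only those above the clipping level.
    With a level of three, three or fewer failures are treated as ordinary typing
    errors and never reach the report."""
    failures: Counter = Counter()
    for line in log.splitlines():
        m = FAILED_LOGON.search(line)
        if m:
            failures[m.group(1)] += 1
    return {user: n for user, n in failures.items() if n > clipping_level}


# Each known pattern is a separate signature, as in commercial misuse detectors.
SIGNATURES: List[Tuple[str, Pattern[str]]] = [
    ("invalid-user-logon", re.compile(r"Failed password for invalid user")),
    ("shadow-file-read", re.compile(r"COMMAND=\S+ /etc/shadow")),
]


def misuse_matches(log: str) -> List[Tuple[str, str]]:
    """Return (signature name, matching line) for every line that matches a signature."""
    hits: List[Tuple[str, str]] = []
    for line in log.splitlines():
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((name, line))
    return hits


if __name__ == "__main__":
    print("Violation report (clipping level 3):", violation_report(SAMPLE_LOG))
    for name, line in misuse_matches(SAMPLE_LOG):
        print(f"[{name}] {line}")
```

Bob's two failures followed by a success fall under the clipping level and are not reported, while Carol's four failures are; the signature detector, by contrast, fires on a single line because it matches a known pattern rather than a count.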
4.0 RISK, RESPONSE, AND RECOVERY
Risk Management: Identification, measurement and controlling of risk.
Risk Assessment: Process of determining the relationship of threats to vulnerabilities and the controls in
place and the resulting impact (objective process).
Risk Analysis: Using a risk analysis process determines the overall risk (subjective process). The negative
impact can be loss of integrity, availability or confidentiality. The RA should recommend
controls to mitigate the risk (i.e. counter-measures).
4.3 Risk Analysis /Assessment Tools and Techniques
DELPHI: Delphi techniques involve a group of experts independently rating and ranking business risk for
a business process or organization and blending the results into a consensus. Each expert in the
Delphi group measures and prioritizes the risk for each element or criterion.
COBRA: 'Consultative, Objective and Bi-functional Risk Analysis'. It is a questionnaire PC system using
'expert' system principles and an extensive knowledge base. It evaluates the relative importance of
all threats and vulnerabilities.
OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a risk-based
strategic assessment and planning technique for security.
NIST Risk Assessment Methodology (SP800-30):
Step 1. System Characterization
Step 2. Threat Identification
Step 3. Vulnerability Identification
Step 4. Control Analysis
Step 5. Likelihood Determination
Step 6. Impact Analysis
Step 7. Risk Determination
Step 8. Control Recommendations
Step 9. Results Documentation
4.4.6 Restoration and Recovery
Hot Site: The most prepared facility (and most expensive) that has the necessary hardware, software,
phone lines, network connections etc. to allow a business to resume business functions
almost immediately.
Warm Site: Not as well equipped as a hot site, but has part of the necessary hardware, software, network
etc. needed to restore business functions quickly. Most commonly used.
Cold Site: Cheaper, ready for equipment to be brought in during an emergency, but no hardware resides at
the site, though it does have AC, electrical wiring etc. May not work when a disaster strikes.
Reciprocal Site: This is an arrangement with another company, so that one will accommodate the other in the
event of an emergency - not ideal for large companies. It is the cheapest option. The main concern
is compatibility of equipment.
When deciding on appropriate locations for alternate sites, it is important that they be in different
geographical locations that cannot be victim to the same disaster. This should be balanced with the
need for the alternate site not to be so far away that it will significantly add to the downtime.
When moving business functions to an alternate site the most critical should be moved first. When
moving business functions back to primary site, the least critical should be moved first.
5.0 CRYPTOGRAPHY
Cryptography: Science of secret writing that enables you to store and transmit data in a form that is available
only to the intended individuals.
Cryptosystem: Hardware or software implementation of cryptography that transforms a message to ciphertext
and back to plaintext.
Cryptoanalysis/Cryptanalysis: Recovering plaintext from ciphertext without a key or breaking the encryption.
Cryptology: The study of both cryptography and cryptoanalysis.
Ciphertext: Data in encrypted or unreadable format.
Encipher: Converting data into an unreadable format.
Decipher: Converting data into a readable format.
Cryptovariable (key): Secret sequence of bits (key) used for encryption and decryption.
Steganography: The art of hiding the existence of a message in a different medium (e.g. in jpg, mp3 etc)
Key Escrow: The unit keys are split into two sections and given to two different escrow agencies to maintain.
Block ciphers (p.346 SSCP): Encrypt data in discrete chunks of a fixed size. Block ciphers are symmetric -
they use the same secret key for encryption and decryption. Commonly, the block size will be 64 bits, but
the ciphers may support blocks of any size, depending on the implementation. 128-bit block ciphers are
becoming common.
Symmetric Encryption Algorithms (classified by the algorithms used or the number of keys used): Also known
as private key, because only one key is used and it must be kept secret for security. Both parties will be
using the same key for encryption and decryption. Much faster than asymmetric systems, hard to break if
using a large key size. Key distribution requires a secure mechanism for key delivery. Limited security as
it only provides confidentiality. The "out-of-band method" means that the key is transmitted through
another channel than the message.
International Data Encryption Algorithm (IDEA): A 128-bit key is used. Block cipher that operates on 64-bit
blocks of data. The 64-bit data block is divided into 16 smaller blocks and each has eight rounds of
mathematical functions performed on it. Used in PGP.
Skipjack: Used for electronic encryption devices (hardware). This makes it unique since the other algorithms
might be implemented in either hardware or software. Skipjack operates in a manner similar to DES, but uses an
80-bit key and 32 rounds, rather than 56-bit keys and 16 rounds (DES).
Blowfish: A block cipher that works on 64-bit blocks of data. The key length can be up to 448 bits and the data
blocks go through 16 rounds of cryptographic functions.
RC4/5: A block cipher that has a variety of parameters it can use for block size, key size and the number of
rounds used. Block sizes: 32/64/128 and key size up to 2048 bits.
HAVAL: A variable-length one-way hash function and a faster modification of MD5. Processes
text in 1024-bit blocks. HAVAL compresses a message of arbitrary length into a digest of 128, 160,
192, 224 or 256 bits. In addition, HAVAL has a parameter that controls the number of passes in which a
message block (of 1024 bits) is processed. A message block can be processed in 3, 4 or 5 passes.
Hash Salting: Refers to the process of adding random data (a salt) to the input before it is hashed. Many
hashes have weaknesses or could be looked up in a hash lookup table (if the table were big enough and the
computer fast enough). Salting the hash negates this weakness. Cryptographic protocols that use salts
include SSL.
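The lookup-table weakness and the salting fix in working code; this is an added example, not from the notes, using only the Python standard library. The list of weak passwords is constructed, and PBKDF2-HMAC-SHA256 with a 16-byte random salt is this example's choice of salted hash (the notes name no algorithm).

```python
"""Salted versus unsalted password hashing (added example, not from the notes)."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster

# Constructed list of weak passwords standing in for a precomputed lookup table.
COMMON_PASSWORDS = ["password", "123456", "Summer2024", "letmein"]


def unsalted_hash(password):
    """Plain SHA-256 of the password alone: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_table():
    """digest -> password map: the kind of table the notes say salting defeats."""
    return {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def recover_from_unsalted(digest):
    """Return the password behind an unsalted digest if it is in the table, else None."""
    return lookup_table().get(digest)


def make_salted_record(password, salt=None):
    """Hash with a fresh 16-byte random salt; salt and parameters are stored with the digest."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["digest"])


def salted_digests_differ(password):
    """Two users with the same password get different stored digests once salted."""
    return make_salted_record(password)["digest"] != make_salted_record(password)["digest"]
```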
SSL (Secure Sockets Layer): Protects a communication channel by use of public key encryption. Uses
public-key (asymmetric) cryptography for key exchange and certificate-based authentication and private-key
(symmetric) cryptography for traffic encryption.
Provides data encryption, server authentication, message integrity and client authentication. Keeps the
communication path open until one of the parties requests to end the session (uses TCP). Lies beneath the
application layer and above the transport layer of the OSI model. Originally developed by Netscape - version 3
designed with public input. Subsequently became the Internet standard known as TLS (Transport Layer
Security). If asked at what layer of OSI SSL operates, the answer is Transport.
SET - Secure Electronic Transaction: System for ensuring the security of financial transactions on the Internet.
Mastercard, Visa, Microsoft, and others supported it initially. With SET, a user is given an electronic wallet
(digital certificate) and a transaction is conducted and verified using a combination of digital certificates and
digital signatures in a way that ensures privacy and confidentiality. Uses some but not all aspects of a PKI.
SSH: Used to securely log in and work on a remote computer over a network. Uses a tunneling mechanism that
provides terminal-like access to computers. Should be used instead of telnet, ftp, rsh etc.
IPSec (Internet Protocol Security): A method of setting up a secure channel for protected data exchange
between two devices. Provides security to the actual IP packets at the network layer. Is usually used to establish
VPN. It is an open, modular framework that provides a lot of flexibility. Suitable only to protect upper layer
protocols. IPSec uses two protocols: AH and ESP.
AH (Authentication Header): Supports access control, data origin authentication, and connectionless
integrity. AH provides integrity, authentication and non-repudiation - does NOT provide confidentiality.
ESP (Encapsulating Security Payload): Uses cryptographic mechanism to provide source
authentication (by IP header), confidentiality and message integrity.
IPSec works in two modes:
1. Transport mode: Only the payload of the message is encrypted. (for peer-to-peer)
2. Tunnel mode: Payload, routing and header information is encrypted. (for gateway-to-gateway)
5.8.1 X.509
X.509 is the standard used to define what makes up a digital certificate. It was developed from the
X.500 standard for Directory Services. Section 11.2 of X.509 describes a certificate as allowing an
association between a user's distinguished name (DN) and the user's public key. A common X.509
certificate would include: DN, Serial Number, Issuer, Valid From, Valid To, Public Key, Subject etc.
The following are the components of a PKI:
Digital certificate: An electronic file issued by a trusted third party Certificate Authority (CA). It contains
credentials of that individual along with other identifying information (i.e. a user's public key). There are two
types of digital certificates: server certificates and personal certificates.
Certificate Authority (CA): An organization that maintains and issues public key certificates; it is equivalent
to a passport office. They are responsible for the lifetime of a certificate - i.e. issuing, expiration etc. CAs
issue certificates validating the identity of a user or system with a digital signature. CAs also revoke
certificates by publishing them to the CRL. Cross-certification is the act or process by which two CAs each
certify a public key of the other, issuing a public-key certificate to that other CA, enabling users that are
certified under different certification hierarchies to validate each other's certificate.
Note: A key is renewed at or near the end of the key's lifetime, provided none of the information has changed.
If any information used to issue the key changes it should be revoked and a new key issued.
Certificate Revocation List (CRL): A list of every certificate that has been revoked for whatever reason. This
list is maintained periodically and made available to concerned parties. CRLs are usually based on an LDAP
server.
Registration authority (RA): Performs the certification registration duties. A RA is internal to a CA and
provides the interface between the user and the CA. It authenticates the identity of the users and submits the
certificate request to the CA.
PKI provides confidentiality, access control, integrity, authentication and non-repudiation. PKI enabled
applications and standards that rely on PKI include SSL, S/MIME, SET, IPSec and VPN.
6.0 DATA COMMUNICATIONS
6.1 Data Communication Models:
TCP/IP        OSI                  Description
Application   7 Application        Provides different services to the applications (HTTP, FTP, Telnet, SET,
                                   HTTP-S). Provides non-repudiation at application level.
              6 Presentation       Converts the information (ASCII, JPEG, MIDI, MPEG, GIF).
              5 Session            Handles problems which are not communication issues (PPP, SQL,
                                   Gateways, NetBEUI).
Transport     4 Transport          Provides end to end communication control (TCP, UDP, TLS/SSL).
Internet      3 Network (packets)  Routes the information in the network (IP, IPX, ICMP, RIP, OSPF, IPSec,
                                   Routers).
Network       2 Datalink (frame)   Provides error control between adjacent nodes (Ethernet, Token Ring,
                                   FDDI, SLIP, PPP, RARP, L2F, L2TP, PPTP, FDDI, ISDN, 802.11,
                                   switches, bridges).
              1 Physical (bits)    Connects the entity to the transmission media (UTP, coax, voltage
                                   levels, signaling, hubs, repeaters); converts bits into voltage for
                                   transmission.
The session layer enables communication between two computers to happen in three different modes:
1. Simplex: Communication takes place in one direction.
2. Half-duplex: Communication takes place in both directions, but only one system can send information at a time.
3. Full-duplex: Communication takes place in both directions and both systems can send information at the same time.
Datalink (Layer 2) primarily responsible for error correction at the bit-level
Transport (layer 4) primarily responsible for error correction at the packet level
Encapsulation Process:
Note: The IP header contains a protocol field. Common values are 1=ICMP 2=IGMP 6=TCP 17=UDP
TCP Handshake:
1. Host sends a SYN packet 2. Receiver answers with a SYN/ACK packet 3. Host sends an ACK packet
UDP: Is a best-effort, connectionless protocol. Does not have packet sequencing, flow and congestion
control, and the destination does not acknowledge every packet it receives. There is less overhead in a
UDP packet.
TCP and UDP use port numbers of 16-bit length
Remember, only TCP is connection-oriented (IP is NOT)
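The IP protocol field, the 16-bit TCP/UDP ports and the three-step handshake above, as a small parser over packets constructed inline; this is an added example, not from the notes. The packets are built with `struct` (checksums zero, no options) and nothing is sent on a network; the addresses and ports are constructed.

```python
"""Parse the IP protocol field, 16-bit ports and TCP handshake flags (added example)."""
import struct

PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}  # values from the notes
TCP_SYN = 0x02
TCP_ACK = 0x10


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(src, dst, protocol, payload):
    """Minimal 20-byte IPv4 header (version 4, IHL 5, TTL 64) in front of the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         protocol, 0, _ip_bytes(src), _ip_bytes(dst))
    return header + payload


def build_tcp(sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header: data offset 5, window 65535, zero checksum/urgent pointer."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def build_udp(sport, dport, payload=b""):
    """8-byte UDP header (length covers header and payload, checksum zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def handshake_step(flags):
    """1 = SYN, 2 = SYN/ACK, 3 = ACK (the notes' three steps); None for anything else."""
    syn, ack = bool(flags & TCP_SYN), bool(flags & TCP_ACK)
    if syn and not ack:
        return 1
    if syn and ack:
        return 2
    if ack and not syn:
        return 3
    return None


def parse_packet(packet):
    """Decode version, IHL, protocol, addresses and, for TCP/UDP, the 16-bit ports."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes (IHL is in 32-bit words)
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    protocol = packet[9]                  # the protocol field the notes list values for
    info = {
        "protocol": PROTOCOL_NAMES.get(protocol, str(protocol)),
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
    }
    transport = packet[ihl:]
    if protocol in (6, 17):
        if len(transport) < 8:
            raise ValueError("truncated transport header")
        info["sport"], info["dport"] = struct.unpack("!HH", transport[:4])  # 16-bit ports
    if protocol == 6:
        if len(transport) < 20:
            raise ValueError("truncated TCP header")
        info["flags"] = transport[13]
        info["step"] = handshake_step(transport[13])
    return info


def is_three_way_handshake(packets):
    """True when three packets are SYN, SYN/ACK, ACK between the same two endpoints."""
    if len(packets) != 3:
        return False
    p1, p2, p3 = (parse_packet(p) for p in packets)
    if any(p["protocol"] != "TCP" for p in (p1, p2, p3)):
        return False
    if (p1["step"], p2["step"], p3["step"]) != (1, 2, 3):
        return False
    forward = (p1["src"], p1["sport"], p1["dst"], p1["dport"])
    reverse = (p2["dst"], p2["dport"], p2["src"], p2["sport"])
    third = (p3["src"], p3["sport"], p3["dst"], p3["dport"])
    return forward == reverse == third


# Constructed sample exchange between two hosts (not captured traffic).
HOST, SERVER = "192.168.1.10", "192.168.1.20"
SAMPLE_HANDSHAKE = [
    build_ipv4(HOST, SERVER, 6, build_tcp(51000, 443, TCP_SYN, seq=1000)),
    build_ipv4(SERVER, HOST, 6, build_tcp(443, 51000, TCP_SYN | TCP_ACK, seq=5000, ack=1001)),
    build_ipv4(HOST, SERVER, 6, build_tcp(51000, 443, TCP_ACK, seq=1001, ack=5001)),
]
SAMPLE_UDP = build_ipv4(HOST, SERVER, 17, build_udp(53001, 53))
```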
6.3 Common types of LAN systems
Ethernet (802.3)
Ethernet uses a bus or star topology and supports data transfer rates of 10 Mbps. Based on IEEE 802.3
specifications. It is one of the most widely implemented LAN standards. More recent versions of Ethernet, called
100Base-T (or Fast Ethernet), support data transfer rates of 100 Mbps, and gigabit Ethernet supports data rates of
1 gigabit (1,000 megabits) per second. An Ethernet address (aka physical MAC address) uses 48 bits.
6.4 Cabling
Coaxial Cable: Resistant to EMI (electromagnetic interference), provides a higher bandwidth and longer cable
lengths compared to twisted pair. Can transmit using both baseband and broadband methods. 10base2: ThinNet,
coax cable, max length 185m, provides 10 Mbps. 10base5: Thicknet, coax cable, max length 500m, provides 10
Mbps.
Twisted pair: Cheaper and easier to work with than coaxial cable and is a commonly used cable. Shielded
twisted pair (STP - 2 wires) has an outer foil shielding, which is added protection from radio frequency
interference. Unshielded twisted pair (UTP - 4 wires) has different categories of cabling with varying
characteristics. The physical connector used to connect PCs and network devices is called an RJ-45. 10base-T:
Uses twisted-pair wiring, provides 10 Mbps, max length 100m.
Fast Ethernet: Uses twisted-pair wiring, provides 100 Mbps.
Fiber-optic cabling: It has higher transmission speeds that can travel over longer distances and is not affected by
attenuation and EMI when compared to cabling that uses copper. It is used to connect two LANs. It does not
radiate signals like UTP cabling and is very hard to tap into. The complexity of making connections using fiber is
one of its major drawbacks and also it is expensive.
Broadcast: A packet goes to all computers on its subnet. Broadcast transmission is supported on most LANs,
and may be used to send the same message to all computers on the LAN (e.g. the address resolution protocol
(ARP) uses this to send an address resolution query to all computers on a LAN). The data is sent to a special
broadcast address. Network layer protocols (such as IP) also support a form of broadcast which allows the same
packet to be sent to every system in a logical network.
6.7 Networks
Local Area Network (LAN)
Spans a relatively small geographical area. Most LANs are confined to a single or group of buildings. Network
Interface Card (NIC) connects computers. Two types of LAN (1) Wired LAN and (2) Wireless LAN
Wide Area Network (WAN)
LANs connected together over distance via telephone lines/radio waves/fibre. High-speed dedicated networks
(leased lines or point to point network). Secured WANs can be created using IPSec.
Metropolitan Area Network (MAN)
Similar to WAN - MANs are high-speed communication lines and equipment covering a metropolitan area.
Intranet: A network belonging to an organization, usually a corporation, accessible only by the organization's
members, employees, or others with authorization (Private network). Intranets are used to share information.
Internet: A global network connecting millions of computers (global interconnection of LAN, WAN, and
MAN). The Internet is decentralized by design. Each Internet computer, called a host, is independent.
Extranet: An Intranet that is partially accessible to authorized outsiders. An extranet provides various levels of
accessibility to outsiders, very popular means for business partners to exchange information.
6.10 Network Devices
Hub or Repeater (Physical Layer, OSI Layer 1): Broadcasts all packets to all ports. When it receives a packet
it transmits (repeats) the packet to all of its ports (to all of the other PCs on the network). This can
result in a lot of unnecessary traffic being sent on the network.
Bridge (Data Link Layer, OSI Layer 2): Forwards packets and filters based on MAC addresses; forwards
broadcast traffic, but not collision traffic. Can be used to extend networks.
Switches (Data Link Layer, OSI Layer 2): Switches control the flow of network traffic based on the address
information in each packet. A switch is an intelligent hub, which learns which devices (MAC addresses) are
connected to its ports and forwards packets to the appropriate port only. Reduces the amount of
unnecessary traffic.
Routers (Network Layer, OSI Layer 3): A device that forwards data packets along networks. A router is
connected to at least two networks. Routers use headers and forwarding tables to determine the best path
for forwarding the packets.
Packet Filter, aka Screening router (Layer 3 or 4): Most common type of firewall. Placed between trusted and
untrusted networks. Uses ACLs to filter traffic.
  Adv.: Cheap, may not need dedicated hardware (can use a router), easy to set up.
  Dis.: Difficult to maintain ACLs, network performance degradation.
Application-Proxy (aka Bastion Host OR Application Layer/Level): Inspects all packets at the application
layer to filter application-specific commands such as HTTP POST and GET, etc. Typically uses 2 NICs.
  Adv.: More secure than packet-filtering - can tell what application the packet is trying to use.
  Dis.: Requires more data processing and can slow down network performance even more.
Stateful-Inspection (Layer 3): Monitors packets to filter them and also the status of connections (e.g. will
close a half-open connection).
  Adv.: Faster than application-proxy and more secure than packet-filtering.
  Dis.: Expensive.
Screened-host: Uses a packet-filtering firewall/router and a bastion (application-proxy) host.
  Adv.: Highly secure.
  Dis.: Packet-filtering firewall/router is a single point of attack.
Screened-subnet: Employs two packet-filtering firewall/routers and a bastion host. Separates the Internet,
the DMZ and the internal network. Supports both packet-filtering and application-proxy services.
  Adv.: Considered the most secure type of firewall.
  Dis.: Packet-filtering firewall/router is a single point of attack, but because there is a 2nd one that
  protects the internal network, it is still secure.
6.12 Protocols
Internet Protocol (IP): See previous (p.25)
Transmission Control Protocol (TCP): See previous (p.25)
User Datagram Protocol (UDP): See previous (p.25)
NetBIOS Extended User Interface (NetBEUI): An enhanced version of the NetBIOS protocol used by
network operating systems such as LAN Manager. NetBIOS works at layer 5 (Session).
6.12 Remote Authentication Service Servers
To authenticate and authorize remote users several methods have been created to make the system secure. Some
of the ways by which we can access remote services are: Dial-up, ISDN (Integrated Services Digital
Network), DSL (Digital Subscriber Line), and Cable modems (provide high-speed access).
RADIUS (Remote Authentication Dial-In User Service): Simplest method of providing user authentication. The
RADIUS server holds a list of usernames and passwords that systems on the network refer to when
authenticating a user. RADIUS supports a number of popular protocols such as PPP, PAP and CHAP. RADIUS
uses UDP along with a client and server model. RADIUS encrypts only the password; the remainder of the packet
is unencrypted. A third party could capture other information, such as the username and authorized services.
RADIUS combines authentication and authorization.
TACACS (Terminal Access Controller Access Control System): Provides remote authentication and event
logging using UDP as communication protocol. User tries to log into a TACACS device, the device refers to the
TACACS server to authenticate the user. This provides a central location for all usernames and passwords to be
stored. Does not allow for a device to prompt a user to allow them to change their password. It also does not use
dynamic password tokens. The information is NOT encrypted.
TACACS+ (Terminal Server Controller Access Control Systems Plus): Provides enhancements to the
standard version of TACACS. It allows users the ability to change their password; dynamic password tokens so
that the tokens can be resynchronized; also provides better auditing capabilities. TACACS+ uses TCP as its
communication protocol. Encrypts the entire body of the packet but leaves a standard TACACS+ header.
PPP - Point-to-Point: Is used to encapsulate messages and transmit them through an IP network.
PAP - Password Authentication Protocol: Provides identification and authentication of the user attempting to
access a network from the remote system. (User should enter a password). The user's name and password are sent
over the wire to a server, for comparison with the database. Sniffing is possible because the password can be
captured.
CHAP - Challenge Handshake Authentication Protocol: An authentication protocol that uses a
challenge/response mechanism to authenticate instead of sending a username and password. Avoids sending
passwords in any form over the wire by using a challenge/response technique. CHAP is better than PAP. The
authentication can be repeated any number of times to ensure that replay attacks are not possible.
Serial Line Internet Protocol (SLIP), and Point-to-Point Protocol (PPP): Work at layer 2 (Datalink) to
connect two systems over a serial line (a point-to-point communication line using a dial-up modem); some way is
needed to transport IP packets (a network layer activity) across the serial link (a data link layer activity). The
following two schemes are generally used: SLIP and PPP. PPP has replaced SLIP, because the latter does not do
error detection, dynamic assignment of IP addresses or data compression.
Point to point tunneling protocol (PPTP): PPTP was developed by Microsoft to provide virtual dial-up
services. PPTP is an encapsulation protocol based on PPP and encrypts and encapsulates PPP packets.
Layer 2 Tunneling Protocol (L2TP): The extension of point-to-point protocol (PPP). L2TP is also called a
"virtual dial-up protocol" because it extends a dial-up PPP session across the Internet. The client's PPP frames
are encapsulated into IP packets with an L2TP tunneling header and sent across the Internet connection.
L2TP was derived from PPTP features and Cisco protocol called L2F (Layer 2 Forwarding).
- L2TP supports TACACS+ and RADIUS authentication. PPTP does not.
- L2TP also supports more protocols than PPTP, including IPX, SNA, and others.
- Microsoft continues to support PPTP for its Windows products, but L2TP is preferred over PPTP.
- IPSec is now the Internet standard for tunneling and secure VPNs.
Layer 2 Forward Protocol (L2F): Used to establish a secure tunnel across Internet developed by Cisco. This
tunnel creates a virtual point-to-point connection between the user and the enterprise customer's network. L2F
allows encapsulation of PPP/SLIP packets within L2F. Not used by IPSec. It is used by VPNs.
6.13 Communications Security Techniques
Network address translation (NAT): Allows using one set of IP addresses for internal traffic and a second set
of addresses for external traffic. It allows hosts on a private internal network to transparently communicate with
destinations on an external network or vice versa. Following are the types of NAT.
Static: Maps unregistered IP address to a registered IP address on a one-to-one basis. [Typically used
for internal to external translation.]
Dynamic: Maps unregistered IP address to a registered IP address from a group of registered IP addresses.
Port Address Translation: A form of dynamic NAT that maps multiple unregistered IP addresses to a
single registered IP address by using different ports.
Note: The Internet Assigned Numbers Authority (IANA) has reserved 3 blocks of IP addresses for use in internal
private networks. All of these addresses are non-routable and cannot be connected to the Internet:
10.0.0.0 to 10.255.255.255 (used for large organizations)
172.16.0.0 to 172.31.255.255 (used for medium Intranets)
192.168.0.0 to 192.168.255.255 (used for small Intranets)
Virtual Private Network (VPN): A secure private connection through a public network. A virtual private
network is the creation of private links across public networks such as the Internet using encryption and
tunneling techniques. Before IPSec, L2TP (Layer 2 Tunneling Protocol) was used to encapsulate IP packets in
"tunneling" packets that hide the underlying Internet routing structure. Two types of VPN are generally used.
1) Remote Access: User-to-LAN connection via a public or shared network, for employees that have a
need to connect to the corporate LAN from the remote place. The user systems will be loaded with
special client software that enables a secure link between themselves and the corporate LAN.
2) Site-to-site: VPN connects fixed sites to a corporate LAN over Internet or intranet.
IP Address Ranges
Address Types Starts with
Class A addresses 0-127 (128)
Class B addresses 128-191 (64)
Class C addresses 192-223 (32)
Class D addresses 224-239 (16)
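The private address blocks, the classful first-octet table and Port Address Translation from the two sections above, as working code; this is an added example, not from the notes. The public address, port pool and internal hosts are constructed for illustration, and the PAT table is a simplified model of what a NAT device keeps.

```python
"""Private ranges, address classes and Port Address Translation (added example, not from the notes)."""
import ipaddress

# The three IANA-reserved private blocks listed in the notes.
PRIVATE_BLOCKS = [ipaddress.ip_network(cidr) for cidr in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(address):
    """True if the address falls in one of the reserved, non-routable private blocks."""
    return any(ipaddress.ip_address(address) in block for block in PRIVATE_BLOCKS)


def address_class(address):
    """Classful range from the first octet, per the notes' table (E = 240-255, reserved)."""
    first = int(str(ipaddress.ip_address(address)).split(".")[0])
    for letter, upper in (("A", 127), ("B", 191), ("C", 223), ("D", 239)):
        if first <= upper:
            return letter
    return "E"


class PortAddressTranslator:
    """Many internal (address, port) pairs share one registered address via distinct ports."""

    def __init__(self, public_address, first_port=40000, last_port=40999):
        if is_private(public_address):
            raise ValueError("the outside address must be a routable (non-private) address")
        self.public_address = public_address
        self._ports = iter(range(first_port, last_port + 1))  # constructed port pool
        self.outbound = {}  # (internal address, internal port) -> public port
        self.inbound = {}   # public port -> (internal address, internal port)

    def translate_outbound(self, internal_address, internal_port):
        """Return the (public address, public port) an internal flow is rewritten to."""
        if not is_private(internal_address):
            raise ValueError("only private addresses are translated")
        key = (internal_address, internal_port)
        if key not in self.outbound:
            try:
                public_port = next(self._ports)
            except StopIteration:
                raise RuntimeError("PAT port pool exhausted") from None
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return self.public_address, self.outbound[key]

    def translate_inbound(self, public_port):
        """Return the internal (address, port) for a reply, or None when no mapping exists;
        an unsolicited inbound packet therefore has nowhere to go and is dropped."""
        return self.inbound.get(public_port)
```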
7.0 MALICIOUS CODE
Virus: A program or piece of code which has been loaded without permission; it can hide itself, can
reproduce itself, and can attach to any other program. A virus will try to do undesirable/unwanted things.
Worm: A program which can replicate itself over a computer network and usually performs malicious actions.
Trojan Horse: A destructive program which has been inserted inside an apparently harmless program. This
program can do the intended function in the foreground as well as an undesirable function in the background.
Logic bomb: A program, or portion of a program, which lies dormant until a specific piece of program logic
or system event is activated. If the specific logic is fulfilled then it will generally perform
security-compromising activity.
Boot sector: Boot sector viruses infect the boot record on hard disks, floppy disks. If the infected computer boots
successfully, then the boot sector virus stays in the memory and infects floppies and other media when the
infected computer writes them.
Master Boot Record (MBR): Very similar to boot sector viruses, except that they infect the MBR (Master Boot
Record) instead of the boot sector.
File infector viruses: Infect files which contain executable code, such as .EXE and .COM files, and infect
other files when they are executed.
Macro: Macro viruses infect certain types of data files. Most macro viruses infect Microsoft Office files, such as
Word Documents, Excel Spreadsheets, PowerPoint Presentations, and Access Databases. These are typically
using the Visual Basic macro language, which is built into Microsoft Office applications.
Source Code: These viruses add code to actual program source code.
Polymorphic: A virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects
new files in order to keep from being detected by an anti-virus program.
Stealth: In order to avoid detection, a virus will often take over system functions likely to spot it and use them to
hide itself.
Multi-partite: Multi-partite viruses share the characteristics of more than one virus type (they have a dual
personality). For example, a multi-partite virus might infect both the boot record and program files.
Camouflage Viruses: Viruses that attempt to appear as a harmless program to scanners. (Older/outdated type
of virus).
7.2 How malicious code can be introduced into the computing environment
- Network attacks: Trying to get the username and password by brute forcing or dictionary attack. After
successful exploitation introducing virus file or malicious code.
- Spoofing (masquerading): Sending email that appears to have originated from one source when it actually
was sent from another source.
- Alteration of authorized code and introducing malicious code.
- Email Spamming or bombing: sending email to hundreds or thousands of users with attached virus file.
- Active-X: Set of platform independent technologies developed by Microsoft that enable software
components to interact with one another in a networked environment. This functionality of Active X
components can be exploited by malicious mobile code.
- Mobile code: Code that can be transferred from a system to another system to be executed (i.e. Java,
ActiveX etc)
- Trap doors: A mechanism which is intentionally built in, often for the purpose of providing direct access.
Hidden code or a hardware device used to circumvent security controls.
7.3 Mechanisms that can be used to prevent, detect malicious code attacks
Generally an anti-virus software program will be used in combination with Scanning, Integrity Checking and
Interception. You should also try to ensure:
- Use of anti-virus software
- Keeping virus definition files up to date
- Scanning at the network, mainframe, server, and workstation for vulnerability
- Loading software only from trusted sources
- Physical security of removable media
- Making frequent backups
- Installing change detection software (integrity checker)
- Implement a user awareness program
SYN Attack: Occurs when an attacker exploits the use of the buffer space during a TCP session initialization
handshake. The attacker floods the target system’s small “in-process” queue with connection requests, but it does
not respond when a target system replies to those requests. This causes the target system to “time out” while
waiting for the proper response, which makes the system crash or become unusable.
Teardrop Attack: Consists of modifying the length and fragmentation offset fields in sequential IP packets. The
target system then becomes confused and crashes after it receives contradictory instructions on how the
fragments are offset on these packets.
Smurf: Uses a combination of IP spoofing and ICMP to saturate a target network with traffic, thereby launching
a denial of service attack. It consists of three elements — the source site, the bounce site, and the target site. The
attacker (the source site) sends a spoofed PING packet to the broadcast address of a large network (the bounce
site). This modified packet contains the address of the target site. This causes the bounce site to broadcast the
misinformation to all of the devices on its local network. All of these devices now respond with a reply to the
target system, which is then saturated with those replies.
IP Spoofing Attacks: Involves an alteration of a packet at the TCP level, which is used to attack Internet-
connected systems that provide various TCP/IP services. The attacker sends a packet with an IP source address
of a known, trusted host to convince a system that it is communicating with a known entity that gives an intruder
access. This target host may accept the packet and act upon it.
TCP Sequence Number Attacks: Exploit the communications session, which was established between the
target and the trusted host that initiated the session. The intruder tricks the target into believing it is connected to
a trusted host and then hijacks the session by predicting the target’s choice of an initial TCP sequence number.
This session is then often used to launch various attacks on other hosts.
A tiny fragment attack occurs when the intruder sends a very small fragment that forces some of the TCP
header field into a second fragment. If the target’s filtering device does not enforce minimum fragment size, this
illegal packet can then be passed on through the target’s network.
An overlapping fragment attack is another variation on a datagram’s zero-offset modification (like the teardrop
attack). Subsequent packets overwrite the initial packet’s destination address information and then the second
packet is passed by the target’s filtering device. This can happen if the target’s filtering device does not enforce a
minimum fragment offset for fragments with non-zero offsets.
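The two fragment checks the text says a filtering device should enforce (a minimum first-fragment size and a minimum non-zero offset), plus an overlap check for the teardrop-style case, as filter logic over constructed fragment lists; this is an added example, not from the notes. The 16-byte minimums are this example's assumption, chosen so the first fragment always carries the TCP ports and flags.

```python
"""Fragment sanity checks for a filtering device (added example, not from the notes)."""
FRAGMENT_UNIT = 8          # IP fragment offsets are counted in 8-byte units
MIN_FIRST_FRAGMENT = 16    # assumption: bytes of transport header the first fragment must carry
MIN_NONZERO_OFFSET = 16    # assumption: smallest byte offset allowed for a non-first fragment


def check_fragments(fragments):
    """Return (index, reason) findings for one datagram's fragments, in arrival order.

    Each fragment is a dict with 'offset' (in 8-byte units), 'length' (payload bytes)
    and 'mf' (the more-fragments flag).
    """
    findings = []
    seen = []  # byte ranges [start, end) already accepted for this datagram
    for index, fragment in enumerate(fragments):
        start = fragment["offset"] * FRAGMENT_UNIT
        end = start + fragment["length"]
        # Tiny fragment: a first fragment too short to hold the transport header pushes
        # the port/flag fields into the second fragment, where a filter never sees them.
        if fragment["offset"] == 0 and fragment["mf"] and fragment["length"] < MIN_FIRST_FRAGMENT:
            findings.append((index, "tiny first fragment"))
        # A non-zero offset inside the transport header could overwrite it on reassembly.
        if fragment["offset"] != 0 and start < MIN_NONZERO_OFFSET:
            findings.append((index, "non-zero offset too small"))
        # Overlapping fragment: data already received would be rewritten (teardrop-style).
        if any(start < e and s < end for s, e in seen):
            findings.append((index, "overlapping fragment"))
        seen.append((start, end))
    return findings


def should_drop(fragments):
    """A filtering device drops the whole datagram when any check fails."""
    return bool(check_fragments(fragments))


# Constructed fragment sets (not captured traffic).
NORMAL = [{"offset": 0, "length": 1480, "mf": True}, {"offset": 185, "length": 520, "mf": False}]
TINY = [{"offset": 0, "length": 8, "mf": True}, {"offset": 1, "length": 1472, "mf": False}]
OVERLAP = [{"offset": 0, "length": 1480, "mf": True}, {"offset": 100, "length": 800, "mf": False}]
```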