Professional Documents
Culture Documents
Disclosure Alteration Destruction: Rto/Mtd/Rpo, MTBF, Sla
Disclosure Alteration Destruction: Rto/Mtd/Rpo, MTBF, Sla
Asset Security
Risk Management Life Cycle
Security Engineering
Assessment Analysis Mitigation / Response
Communications and Network Security
Categorize, Classify & Evaluate
Qualitative vs Quantitative Reduce, Transfer, Accept Identity and Access Management
Assets
Security Assessment and Testing
as per NIST 800-30: Qualitative – Judgments Reduce / Avoid
Security Operations
System Characterization Quantitative – Main terms Transfer Software Development Security
Threat Identification AV – Asset Value Accept / Reject
Data Ownership
Data Ownership Data Custodian Systems Owners Administrators End User
Grant permissions on daily basis
Ensure compliance with data policy and
Top level/Primary responsibility for
data ownership guidelines Grant permission
data Apply Security Controls
for data handling
Ensure accessibility, maintain and
Define level of classification
monitor security
Define controls for levels of
Data archive
classification Data Remanence
Data documentation
Define baseline security standards Series of processes that removes data,
Take regular backups , restore to check Sanitizing
Impact analysis completely
validations
Decide when to destroy Erase form magnetic tapes etc to ensure not
Ensure CIA Degaussing
information recoverable
Conduct user authorization
Erasing Deletion of files or media
Implement security controls
Overwriting Writing over files, shredding
Zero fill Overwrite all data on drives with zeros
Data Classification Criteria Destruction Physical destruction of data hardware device
Value - Usefulness - Age - Association Make data unreadable without special keys or
Encryption
algorithm
Data Retention Policies
The State of Florida Electronic Records and Records Management Practices,
2010
Standards
The European Documents Retention Guide, 2012 National Institute of Standards
NIST
Technology
Security Policies, Standards & Guidelines NIST SP 800 Series Computer security in a variety of areas
Regulatory Required by law and industrial standards Securing Information Technology
800-14 NIST SP
systems
Advisory Not compulsory, but advisable
Informative As guidance to others 800-18 NIST Develop security plans
Define best practices for information handling and usage 800-27 NIST SP Baseline for achieving security
Information -Security policies: Technical details of the policies Guidelines for sanitation and disposition,
800-88 NIST
Policy i.e. SYSTEM security policy: lists hardware / software in prevents data remanence
use and steps for using policies Continuous monitoring program: define,
800-137
Standards Define usage levels establish, implement, analyze and report
Guidelines Non-compulsory standards 800-145 Cloud computing standards
Procedures Steps for carrying out tasls and policies Federal Information Processing
FIPS
Baseline Minimum level of security Standards
Domain 3: Security Engineering CISSP Cheat Sheet Series
Security Models and Concepts Security Models System Evaluation and Assurance Levels Hardware architecture
Security architecture frameworks - Provides access rights including discretionary access control Evaluates operating systems, application and systems. But not Simultaneous running of
Trusted Computer Multitasking
A 2D model considering interrogations such as what, where MATRIX to subjects for different objects. network part. Consider only about confidentiality. Operational two or more tasks.
System Evaluation
Zachman Framework and when with, etc. With various views such as planner, owner, (Access control model) - Read, write and execute access defined in ACL as matrix assurance requirements for TCSEC are: System Architecture, Simultaneous running of
Criteria Multi programming
designer etc. columns and rows as capability lists. System Integrity, Covert Channel analysis, Trusted Facility two or more programs
(TCSEC)
-A subject cannot read data at a higher security level. (A.K.A Management and Trusted recovery.
Sherwood Applied CPU consists or more
simple security rule) A collection of criteria based on the Bell-LaPadula model used Multi-processing
Business Security To facilitate communication between stakeholders than one processor
Architecture (SABSA) - Subject in a defined security level cannot write to a lower Orange Book to grade or rate the security offered by a computer system
Processing Types
security level unless it is a trusted subject. (A.K.A *-property product.
Information Technology One security level at a
BELL-LAPADULA (star property) rule Red Book Similar to the Orange Book but addresses network security. Single State
Infrastructure Library Set of best practices for IT service management time.
(Confidentiality model) - Access matrix specifies discretionary access control.
(ITIL) Green Book Password Management.
- subject with read and write access should write and read at Multiple security levels at
Evaluates operating systems, application and systems. But not Multi State
Security architecture documentation the same security level (A.K.A Strong star rule :) Trusted Computer a time.
network part. Consider only about confidentiality. Operational
Establish security controls published by Standardization (ISO) - Tranquility prevents security level of subjects change between System Evaluation Software built in to in the
ISO/IEC 27000 Series assurance requirements for TCSEC are: System Architecture, Firmware
and the Electrotechnical Commission (IEC) levels. Criteria ROM.
System Integrity, Covert Channel analysis, Trusted Facility
Control Objectives for - Cannot read data from a lower integrity level (A.K.A The (TCSEC) Base Input Output Set of instructions used to
Define goals and requirements for security controls and the Management and Trusted recovery.
Information and Related simple integrity axiom) System (BIOS) load OS by the computer.
mapping of IT security controls to business objectives. Consider all 3 CIA (integrity and availability as well as
Technology (CobiT) - Cannot write data to an object at a higher integrity level. ITSEC
Types of security models BIBA (A.K.A the * (star) integrity axiom)
confidentiality
Mobile Security
(Integrity model) - Cannot invoke service at higher integrity. (A.K.A The TCSEC Explanation
Check each of the possible system state and ensure the proper Device Encryption • Remote wiping • Remote lock out
invocation property) D Minimal protection
State Machine Models security relationship between objects and subjects in each • Internal locks (voice, face recognition, pattern, pin,
- Consider preventing information flow from a low security level
state. DAC; Discretionary Protection (identification, authentication, password) • Application installation control • Asset
to a high security level. C1
Allocate each security subject a security label defining the resource protection) tracking (IMIE) • Mobile Device Management •
User: An active agent Removable storage (SD CARD, Micro SD etc.)
highest and lowest boundaries of the subject’s access to the C2 DAC; Controlled access protection
Multilevel Lattice Models • Transformation Procedure (TP): An abstract operation, such
system. Enforce controls to all objects by dividing them into
as read, writes, and modify, implemented through B1 MAC; Labeled security (process isolation, devices) IoT & Internet Security
levels known as lattices.
Programming B2 MAC; Structured protection
Network Segmentation (Isolation) • Logical Isolation
Arrange tables known as matrix which includes subjects and • Constrained Data Item (CDI): An item that can be manipulated B3 MAC; security domain (VLAN) • Physical isolation (Network segments) •
Matrix Based Models objects defining what actions subjects can take upon another only through a TP A MAC; verified protection Application firewalls • Firmware updates
object. • Unconstrained Data Item (UDI): An item that can be
CLARK WILSON Common criteria assurance levels
Consider the state of the system at a point in time for a
Noninterference Models subject, it consider preventing the actions that take place at
(Integrity model)
manipulated by a user via read and write operations
EAL0 Inadequate assurance
Physical Security
- Enforces separation of duty
one level which can alter the state of another level. - Requires auditing EAL1 Functionality tested Internal vs external threat and mitigation
Try to avoid the flow of information from one entity to another - Commercial use EAL2 Structurally tested Hurricanes, tornadoes, earthquakes
Information Flow Models Natural threats
which can violate the security policy. - Data item whose integrity need to be preserved should be EAL3 Methodically tested and checked floods, tsunami, fire, etc
Read and Write are allowed or restricted using a specific audited EAL4 Methodically designed, tested and reviewed Politically
Confinement - An integrity verification procedure (IVP) -scans data items and motivated Bombs, terrorist actions, etc
memory location, e.g. Sandboxing. EAL5 Semi-formally designed and tested
confirms their integrity against external threats EAL6 Semi-formally verified, designed and tested threats
Data in Use Scoping & tailoring
Information is restricted to flow in the directions that are EAL7 Formally verified, designed and tested Power/utility General infrastructure damage
Security Modes Information flow model permitted by the security policy. Thus flow of information from
ITSEC security evaluation criteria - required levels
supply threats (electricity telecom, water, gas, etc)
one security level to another. (Bell & Biba). Man Made
Use a single classification level. All objects can access all D + E0 Minimum Protection Sabotage, vandalism, fraud, theft
- Use a dynamic access control based on objects previous threats
Dedicated Security Mode subjects, but users they must sign an NDA and approved prior C1 + E1 Discretionary Protection (DAC)
actions. Liquids, heat, gases, viruses,
to access on need-to-know basis C2 + E2 Controlled Access Protection (Media cleansing for reusability) Major sources
- Subject can write to an object if, and only if, the subject bacteria, movement: (earthquakes),
All users get the same access level but all of them do not get Brewer and Nash B1 + E3 Labelled Security (Labelling of data) to check
System High Security cannot read another object in a different dataset. radiation, etc
the need-to-know clearance for all the information in the (A.K.A Chinese wall B2 + E4 Structured Domain (Addresses Covert channel)
Mode - Prevents conflict of interests among objects.
system. model) Natural threat control measures
Citation B3 + E5 Security Domain (Isolation)
In addition to system high security level all the users should https://ipspecialist.net/fundamental-concepts-of-security-mod Hurricanes, Move or check location, frequency of
A + E6 Verified Protection (B3 + Dev Cycle)
Compartmented Security Tornadoes, occurrence, and impact. Allocate
have need-to-know clearance and an NDA, and formal approval els-how-they-work/ Common criteria protection profile components
Mode Earthquakes budget.
for all access required information. Lipner Model Commercial mode (Confidentiality and Integrity,) -BLP + Biba Descriptive Elements • Rationale • Functional Requirements • Development assurance
Use two classification levels as System Evaluation and Raised flooring server rooms and
Multilevel Security Mode Graham-Denning Model Rule 1: Transfer Access, Rule 2: Grant Access, Rule 3: Delete requirements • Evaluation assurance requirements Floods
Assurance Levels offices to keep computer devices .
Objects, subjects and 8 Access, Rule 4: Read Object, Rule 5: Create Object, Rule 6: Certification & Accreditation
rules destroy Object, Rule 7: Create Subject, Rule 8: Destroy Electrical UPS, Onsite generators
Virtualization Harrison-Ruzzo-Ullman Restricts operations able to perform on an object to a defined
Certification
Evaluation of security and technical/non-technical features to ensure
if it meets specified requirements to achieve accreditation.
Fix temperature sensors inside
Guest operating systems run on virtual machines and hypervisors run on one or more Model set to preserve integrity. server rooms , Communications -
Declare that an IT system is approved to operate in predefined
host physical machines.
Accreditation Temperature Redundant internet links, mobile
conditions defined as a set of safety measures at given risk level.
Virtualization security Web Security NIACAP Accreditation Process
communication links as a back up to
Trojan infected VMs, misconfigured hypervisor cable internet.
threats Open-source application security project. OWASP creates Phase 1: Definition • Phase 2: Verification • Phase 3: Validation • Phase 4: Post Man-Made Threats
Software as A Service (SaaS), Infrastructure As A Service OWASP guidelines, testing procedures, and tools to use with web Accreditation
Cloud computing models Avoid areas where explosions can
(IaaS), Platform As A Service (PaaS) security.
Accreditation Types Explosions occur Eg. Mining, Military training
Account hijack, malware infections, data breach, loss of data Injection / SQL Injection, Broken Authentication, Sensitive Data
Cloud computing threats Type Accreditation Evaluates a system distributed in different locations. etc.
and integrity Exposure, XML External Entity, Broken Access Control, Security
OWASP Top 10 Misconfiguration, Cross-Site Scripting (XSS), Insecure System Accreditation Evaluates an application system. Minimum 2 hour fire rating for walls,
Fire
Memory Protection Deserialization, Using Components with Known Vulnerabilities, Site Accreditation Evaluates the system at a specific location. Fire alarms, Fire extinguishers.
Insufficient Logging and Monitoring Deploy perimeter security, double
Register Directly access inbuilt CPU memory to access CPU and ALU. Vandalism
Stack Memory Segment Used by processors for intercommunication.
Attackers try to exploit by allowing user input to modify the Symmetric vs. Asymmetric Encryption locks, security camera etc.
back-end/server of the web application or execute harmful Use measures to avoid physical
Monolithic Operating SQL Injections: Use a private key which is a secret key between two parties.
All of the code working in kernel mode/system. code which includes special characters inside SQL codes Fraud/Theft access to critical systems. Eg.
System Architecture Each party needs a unique and separate private key.
results in deleting database tables etc. Fingerprint scanning for doors.
Symmetric Algorithms Number of keys = x(x-1)/2 where x is the number of users. Eg.
Memory Addressing Identification of memory locations by the processor. SQL Injection prevention: Validate the inputs and parameters. DES, AES, IDEA, Skipjack, Blowfish, Twofish, RC4/5/6, and
Register Addressing CPU access registry to get information. Cross-Site Scripting Attacks carryout by inputting invalidated scripts inside CAST.
Site Selection
Immediate Addressing Part of an instruction during information supply to CPU. (XSS) webpages. Stream Based Symmetric Encryption done bitwise and use keystream generators Eg. Deter Criminal Activity - Delay
Physical
Direct Addressing Actual address of the memory location is used by CPU. Attackers use POST/GET requests of the http web pages with Cipher RC4. Intruders - Detect Intruders - Assess
security goals
Indirect Addressing Same as direct addressing but not the actual memory location. HTML forms to carry out malicious activity with user accounts. Situation - Respond to Intrusion
Encryption done by dividing the message into fixed-length
Block Symmetric Cipher Visibility - External Entities -
Base + Offset Addressing Value stored in registry is used as based value by the CPU. Cross-Request Forgery Prevention can be done by authorization user accounts to carry blocks Eg. IDEA, Blowfish and, RC5/6. Site selection
the actions. Eg. using a Random string in the form, and store it Accessibility - Construction - Internal
*Citation CISSP SUMMARY BY Maarten De Frankrijker Use public and private key where both parties know the public issues
on the server. Compartments
and the private key known by the owner .Public key encrypts
Cryptographic Terminology Cryptography Asymmetric Algorithms
the message, and private key decrypts the message. 2x is total • Middle of the building (Middle
number of keys where x is number of users. Eg. Diffie-Hellman, floor)
Encryption Convert data from plaintext to cipher text. • Single access door or entry point
• P - Privacy (Confidentiality) RSA, El Gamal, ECC, Knapsack, DSA, and Zero Knowledge
Decryption Convert from ciphertext to plaintext. • A – Authentication Proof. Server room • Fire detection and suppression
Key A value used in encryption conversion process. Cryptography Goals • I - Integrity security systems
Symmetric Algorithms Asymmetric Algorithms Hybrid Cryptography
(P.A.I.N.) • N - Non-Repudiation. • Raised flooring
Synchronous Encryption or decryption happens simultaneously. Use of both Symmetric and
Use of private key which is a Use of public and private key • Redundant power supplies
Encryption or decryption requests done subsequently or after a • Key space = 2n. (n is number of key bits) Asymmetric encryption. Eg.
Asynchronous secret key pairs • Solid /Unbreakable doors
waiting period. • Confidentiality SSL/TLS
8 feet and taller with razor wire.
Symmetric Single private key use for encryption and decryption. • Integrity Provide integrity. One way Fences and
Provides confidentiality but Provides confidentiality, Remote controlled underground
Key pair use for encrypting and decrypting. (One private and • Proof of origin function divides a message Gates
Asymmetrical Use of Cryptography not authentication or integrity, authentication, and concealed gates.
one public key) • Non-repudiation or a data file into a smaller
nonrepudiation nonrepudiation Perimeter Infrared Sensors - Electromechanical
• Protect data at rest fixed length chunks.
Use to verify authentication and message integrity of the Intrusion Systems - Acoustical Systems -
Digital Signature sender. The message use as an input to a hash functions for • Protect data in transit One key encrypts and One key encrypts and other Encrypted with the private
Detection CCTV - Smart cards -
validating user authentication. decrypts key decrypts key of the sender.
A one-way function, convert message to a hash value used to
Codes vs. Ciphers Message Authentication
Systems Fingerprint/retina scanning
Continuous Lighting - Standby
Hash verify message integrity by comparing sender and receiver Substitution cipher, Transposition cipher, Caesar Cipher, Larger key size. Bulk Code (MAC) used to encrypt Lighting
Classical Ciphers Small blocks and key sizes Lighting - Movable Lighting -
values. Concealment. encryptions the hash function with a Systems
Emergency Lighting
Modern Ciphers Block cipher, Stream cipher, Steganography, Combination. symmetric key.
Digital Certificate An electronic document that authenticate certification owner. Offsite media storage - redundant
Cipher converts Plaintext to another written text to hide original Allows for more trade-offs Media storage
Plaintext Simple text message. Concealment Cipher Faster and less complex. Not backups and storage
text. Slower. More scalable. between speed, complexity,
Normal text converted to special format where it is unreadable scalable Faraday Cage to avoid
Ciphertext and scalability.
without reconversion using keys. Uses a key to substitute letters or blocks of letters with electromagnetic emissions - White
Substitution Ciphers different letters or block of letters. I.e. One-time pad, Hash Functions and Digital
The set of components used for encryption. Includes Electricity noise results in signal interference -
Cryptosystem stenography. Certificates
algorithm, key and key management functions. Out-of-band key exchange In-band key exchange Control Zone: Faraday cage + White
Hashing use message
Reorder or scramble the letters of the original message where noise
Breaking decrypting ciphertext without knowledge of digests.
Cryptanalysis Transposition Ciphers the key used to decide the positions to which the letters are Use anti-static spray, mats and
cryptosystem used.
Cryptographic Algorithm Procedure of enciphers plaintext and deciphers cipher text.
moved.
Key Escrow and Recovery Static wristbands when handling electrical
Electricity equipment - Monitor and maintain
Cryptography
The science of hiding the communication messages from Common Algorithms Secret key is divided into two parts and handover to a third party.
humidity levels.
unauthorized recipients.
Cryptology Cryptography + Cryptanalysis
Symmetric/ PKI HVAC control
Heat - High Humidity - Low Humidity
Algorithm Asymmetric Key length Based on Structure levels
Decipher Convert the message as readable. confidentiality, message integrity, authentication, and nonrepudiation
64 bit cipher block size and 56 bit key • 100F can damage storage media
Encipher Convert the message as unreadable or meaningless. Receiver’s Public Key-Encrypt message
128-bit with 8 bits parity. such as tape drives.
One-time pad (OTP) Encipher all of the characters with separate unique keys. DES Symmetric 64 bit Lucifer • 16 rounds of transposition and Sender Private Key-Decrypt message • 175 F can cause computer and
Different encryption keys generate the same plaintext algorithm substitution Sender Private Key-Digitally sign electrical equipment damage.
Key Clustering • 350 F can result in fires due to
message. (ECB, CBC, CFB, OFB, CTR) Sender’s Public Key - Verify Signature
Key Space Every possible key value for a specific algorithm. 3 * 56 bit keys paper based products.
3 DES or
A mathematical function used in encryption and decryption of TDES Symmetric 56 bit*3 DES
• Slower than DES but higher security PKI Structure HVAC
• HVAC: UPS, and surge protectors
Algorithm (DES EE3, DES EDE3 ,DES EEE2, DES to prevent electric surcharge.
data; A.K.A. cipher. (Triple DES) Certificates Provides authorization between the parties verified by CA. Guidelines
EDE2) • Noise: Electromagnetic
Cryptology The science of encryption. Authority performing verification of identities and provides Interference (EMI), Radio Frequency
Use 3 different bit size keys Certificate Authority
Rearranging the plaintext to hide the original message; A.K.A. certificates. Interference
Transposition 128,192 or Rijndael Examples Bitlocker, Microsoft EFS
Permutation. AES Symmetric Registration Authority Help CA with verification. Temperatures, Humidity
256 bit algorithm Fast, secure 10,12, and 14
Exchanging or repeating characters (1 byte) in a message with Certification Path • Computer Rooms should have 15°
Substitution transformation rounds Certificate validity from top level.
another message. Validation C - 23°C temperature and 40 - 60%
64 bit cipher blocks (Humidity)
Key of a random set of non-repeating characters. A.K.A. One Certification Revocation
Vernam each block divide to 16 smaller Valid certificates list • Static Voltage
time pad. List
blocks • 40v can damage Circuits, 1000v
Confusion Changing a key value during each circle of the encryption. IDEA symmetric 128 bit Online Certificate status
Each block undergo 8 rounds of Used to check certificate validity online Flickering monitors, 1500v can
Diffusion Changing the location of the plaintext inside the cipher text. transformation protocol (OCSP) Voltage levels
cause loss of stored data, 2000v can
When any change in the key or plaintext significantly change Example PGP Cross-Certification Create a trust relationship between two CA’s control
Avalanche Effect cause System shut down or reboot,
the ciphertext. Skipjack Symmetric 80 bit 64 bit Block cipher 17000 v can cause complete
Split Knowledge Segregation of Duties and Dual Control.
Blowfish Symmetric 32-448bit 64 bit Block cipher
Digital Signatures electronic circuit damage.
Work factor The time and resources needed to break the encryption. • Sender’s private key used to encrypt hash value Fire proof Safety lockers - Access
128, 192, Equipment
Arbitrary number to provide randomness to cryptographic TwoFish Symmetric 128 bit blocks • Provides authentication, nonrepudiation, and integrity control for locking mechanisms
Nonce 256 safety
function. • Public key cryptography used to generate digital signatures such as keys and passwords.
Example SSL and WEP • Users register public keys with a certification authority (CA).
Dividing plaintext into blocks and assign similar encryption Maintain raised floor and proper
Block Cipher RC4 Symmetric 40-2048 • Stream cipher • Digital signature is generated by the user’s public key and validity period according to
algorithm and key. Water leakage drainage systems. Use of barriers
• 256 Rounds of transformation the certificate issuer and digital signature algorithm identifier.
Encrypt bit wise - one bit at a time with corresponding digit of such as sand bags
Stream Cipher 255 rounds transformation
the keystream. RC5 Symmetric 2048 Fire retardant materials - Fire
• 32, 64 & 128 bit block sizes Digital Certificate - Steps suppression - Hot Aisle/Cold Aisle
Dumpster Diving Unauthorized access a trash to find confidential information. Fire safety
CAST 128 Enrollment - Verification - Revocation Containment - Fire triangle (Oxygen -
Phishing Sending spoofed messages as originate from a trusted source. (40 to 128
64 bit block 12 transformation rounds Heat - Fuel) - Water, CO2, Halon
Social Engineering Mislead a person to provide confidential information. bit)
A moderate level hacker that uses readily found code from the
CAST Symmetric
CAST 256
128 bit block 48 rounds Cryptography Applications & Secure Protocols Fire extinguishers
Script kiddie transformation
internet. (128 to 256 Class Type Suppression
• BitLocker: Windows full volume encryption feature (Vista
bit)
Hardware -BitLocker and onward)
Requirements for Hashing Message Digest No confidentiality, authentication, or truecrypt • truecrypt: freeware utility for on-the-fly encryption A
Common Water , SODA
Diffie - combustible acid
Variable length input - easy to compute - one way function - digital signatures - fixed Asymmetric non-repudiation (discontinued)
Hellman
length output • Secure key transfer
CO2, HALON,
Uses 1024 keys A hardware chip installed on a motherboard used to manage B Liquid
MD Hash Algorithms • Public key and one-way function for Hardware-Trusted Symmetric and asymmetric keys, hashes, and digital
SODA acid
encryption and digital signature Platform Module (TPM) certificates. TPM protect passwords, encrypt drives, and
MD2 128-bit hash, 18 rounds of computations
verification manage digital permissions. C Electrical CO2, HALON
MD4 128-bit hash. 3 rounds of computations, 512 bits block sizes
RSA Asymmetric 4096 bit • Private key and one-way function for
128-bit hash. 4 rounds of computations, 512 bits block sizes, decryption and digital signature Encrypts entire packet components except Data Link Control
MD5 Link encryption D Metal Dry Powder
Merkle–Damgård construction generation information.
MD6 Variable, 0<d≤512 bits, Merkle tree structure • Used for encryption, key exchange End to end encryption Packet routing, headers, and addresses not encrypted.
and digital signatures Water based
Phased out, collision found with a complexity of 2^33.6 (approx
SHA-0 Privacy (Encrypt), Authentication (Digital signature), Integrity, suppression Wet pipes - Dry Pipe - Deluge
1 hr on standard PC) Retired by NIST Diffie - Used for encryption, key exchange
(Hash) and Non-repudiation (Digital signature) Email (Secure systems
160-bit MD, 80 rounds of computations, 512 bits block sizes, Elgamal Asymmetric Any key size Hellman and digital signatures
SHA-1 Merkle–Damgård construction (not considered safe against algorithm • Slower Email (PGP) MIME (S/MIME): Encryption for confidentiality, Hashing for • HI VIS clothes
well funded attackers) integrity, Public key certificates for authentication, and Personnel • Safety garments /Boots
Elliptic Used for encryption, key exchange
Message Digests for nonrepudiation. safety • Design and Deploy an Occupant
224, 256, 384, or 512 bits, 64 or 80 rounds of computations, Curve and digital signatures
Asymmetric Any key size Emergency Plan (OEP)
SHA-2 512 or 1024 bits block sizes, Merkle–Damgård construction Cryptosyste • Speed and efficiency and better Web application SSL/TLS. SSL encryption, authentication and integrity.
with Davies–Meyer compression function m (ECC) security
Cross-Certification Create a trust relationship between two CA’s • Programmable multiple control
Cryptographic Attacks (Privacy, authentication, Integrity, Non Repudiation).
locks
• Electronic Access Control - Digital
Use eavesdropping or packet sniffing to find or gain access to IPSEC Tunnel mode encrypt whole packet (Secure). Transport mode
Passive Attacks Algebraic Attack Uses known words to find out the keys scanning, Sensors
information. encrypt payload (Faster) Internal
• Door entry cards and badges for
Attacker tries different methods such as message or file modification Frequency Attacker assumes substitution and transposition ciphers use repeated Security
Active Attacks staff
Authentication Header (AH): Authentication, Integrity, Non
attempting to break encryption keys, algorithm. Analysis patterns in ciphertext. • Motion Detectors- Infrared, Heat
repudiation. Encapsulated Security Payload (ESP): Privacy,
Ciphertext-Only An attacker uses multiple encrypted texts to find out the key used for Assumes figuring out two messages with the same hash value is IPSEC components Based, Wave Pattern, Photoelectric,
Birthday Attack Authentication, and Integrity. Security Association (SA):
Attack encryption. easier than message with its own hash value Passive audio motion
Distinct Identifier of a secure connection.
Known Plaintext An attacker uses plain text and cipher text to find out the key used for
Dictionary Attacks Uses all the words in the dictionary to find out correct key
Attack encryption using reverse engineering or brute force encryption. Internet Security Association Key Management Protocol Create, distribute, transmission,
ISAKMP
Chosen Plaintext An attacker sends a message to another user expecting the user will Authentication, use to create and manage SA, key generation. storage - Automatic integration to
Replay Attacks Attacker sends the same data repeatedly to trick the receiver. Key application for key distribution,
Attack forward that message as cipher text.
Key exchange used by IPsec .Consists of OAKLEY and management storage, and handling. Backup keys
Social Engineering An attacker attempts to trick users into giving their attacker try to
Analytic Attack An attacker uses known weaknesses of the algorithm Internet Key Exchange Internet Security Association and Key Management Protocol should be stored secure by
Attack impersonate another user to obtain the cryptographic key used.
(IKE) (ISAKMP). IKE use Pre-Shared keys, certificates, and public key designated person only.
Brute Force Try all possible patterns and combinations to find correct key. Statistical Attack An attacker uses known statistical weaknesses of the algorithm authentication.
Differential Calculate the execution times and power required by the cryptographic Pilot testing for all the backups and
Factoring Attack By using the solutions of factoring large numbers in RSA
Cryptanalysis device. A.K.A. Side-Channel attacks Wired Equivalent Privacy (WEP): 64 & 128 bit encryption. Wi-Fi safety systems to check the
Testing
Linear Reverse Wireless encryption Protected Access (WPA): Uses TKIP. More secure than WEP working condition and to find any
Uses linear approximation Use a cryptographic device to decrypt the key WPA2: Uses AES. More secure than WEP and WPA. faults.
Cryptanalysis Engineering
Common TCP Protocols CISSP Cheat Sheet Series
Port Protocol
OSI Reference Model IP Addresses Port Ranges
20,21 FTP
7 layers, Allow changes between layers, Standard hardware/software interoperability. • Class A: 0.0.0.0 – 127.255.255.255 Authentication methods:
22 SSH Public IPv4
Tip, OSI Mnemonics • Class B: 128.0.0.0 – 191.255.255.255 • PAP=Clear text, unencrypted
23 TELNET address space Point to Point Tunneling Protocol (PPTP)
All People Seem To Need Data Processing • Class C: 192.0.0.0 – 223.255.255.255 • CHAP=unencrypted, encrypted
25 SMTP • Class A: 10.0.0.0 – 10.255.255.255 • MS-CHAP=encrypted, encrypted
Please Do Not Throw Sausage Pizza Away Private IPv4
53 DNS • Class B: 172.16.0.0 – 172.31.255.255
Layer Data Security address space Challenge-Handshake Authentication Encrypt username/password and
110 POP3 • Class C: 192.168.0.0 – 192.168.255.255 Protocol (CHAP) re-authenticate periodically. Use in PPP.
Application Data C, I, AU, N
80 HTTP • Class A: 255.0.0.0
Presentation Data C, AU, Encryption Subnet Masks • Class B: 255.255.0.0 Layer 2 Tunneling Protocol (L2TP) Use with IPsec for encryption.
143 IMAP
Session Data N • Class C: 255.255.255.0
389 LDAP Provide authentication and integrity, no
Transport Segment C, AU, I IPv4 32 bit octets Authentication Header (AH)
443 HTTPS confidentiality.
Network Packets C, AU, I IPv6 128 bit hexadecimal
636 Secure LDAP Encapsulating Security Payload (ESP) Encrypted IP packets and preserve integrity.
Data link Frames C
Physical Bits C
445 ACTIVE DIRECTORY Network Types Shared security attributes between two
1433 Microsoft SQL Security Associations (SA)
C=Confidentiality, AU=Authentication, I=Integrity, N=Non repudiation Geographic Distance and are is limited to one network entities.
3389 RDP Local Area
building. Usually connect using copper wire or Transport Mode Payload is protected.
Hardware / Network (LAN)
Layer (No) Functions Protocols 137-139 NETBIOS fiber optics
Formats Tunnel Mode IP payload and IP header are protected.
Campus Area Multiple buildings connected over fiber or
Cables, HUB, Attacks in OSI layers Network (CAN) wireless
Internet Key Exchange (IKE) Exchange the encryption keys in AH or ESP.
Electrical signal USB, DSL Remote Authentication Dial-In User Service Password is encrypted but user
Physical (1) Layer Attack Metropolitan
Bits to voltage Repeaters, (RADIUS) authentication with cleartext.
ATM Phishing - Worms - Area Network Metropolitan network span within cities
SNMP v3 Encrypts the passwords.
Application Trojans (MAN)
Frames setup
PPP - PPTP - L2TP - - ARP - Dynamic Ports 49152 - 65535
Error detection and control Wide Area Interconnect LANs over large geographic area
RARP - SNAP - CHAP - LCP - Layer 2 Phishing - Worms -
Data Link Check integrity of packets network (WAN) such as between countries or regions.
Presentation Trojans
Layer (2) Destination address, Frames
MLP - Frame Relay - HDLC -
ISL - MAC - Ethernet - Token
Switch -
bridges Session Session hijack
Intranet A private internal network Remote Access Services
use in MAC to IP address connects external authorized persons access to Telnet Username /Password authentication. No encryption.
Ring - FDDI Transport SYN flood - fraggle Extranet
conversion. intranet Remote login (rlogin) No password protection.
Routing, Layer 3 switching, Layer 3 smurfing flooding -
Network ICMP - BGP - OSPF - RIP - IP - Internet Public network SSH (Secure Shell) Secure telnet
segmentation, logical Switch - Network ICMP spoofing - DOS
layer BOOTP - DHCP - ICMP
addressing. ATM. Packets. Router Collision - DOS /DDOS Networking Methods & Standards Terminal Access Controller
Access-Control System
User credentials are stored in a server known as a
TACACS server. User authentication requests are
TCP - UDP datagrams. Data link - Eavesdropping
Routers - Software Decoupling the network control and the (TACACS) handled by this server.
Reliable end to end data Signal Jamming -
Segment - Connection VPN defined forwarding functions. More advanced version of TACACS. Use two factor
Transport transfer - Physical Wiretapping networking Features -Agility, Central management, TACACS+
oriented concentrato authentication.
Segmentation - sequencing -
rs - Gateway (SDN) Programmatic configuration, Vendor neutrality.
and error checking Hardware Devices Converged
Remote Authentication Dial-In Client/server protocol use to enable AAA services for
TCP - UDP - NSF - SQL - Transfer voice, data, video, images, over single User Service (RADIUS) remote access servers.
Session Data, simplex, half duplex, full Layer 1 device forward protocols for
RADIUS - and RPC - PPTP - Gateways HUB network. Secure and encrypted communication channel
Layer dupl Eg. peer connections. frames via all ports media transfer
PPP between two networks or between a user and a
digital to analog Fibre Channel Virtual private network (VPN)
Modem network. Use NAT for IP address conversion. Secured
Data Gateways conversion over Ethernet Running fiber over Ethernet network.
Presentation with strong encryptions such as L2TP or IPSEC.
compression/decompression TCP - UDP messages JPEG - TIFF - Routers Interconnect networks (FCoE)
layer
and encryption/decryption MID - HTML Multiprotocol
Interconnect networks in
TCP - UDP - FTP - TELNET -
Bridge
Ethernet Label
Transfer data based on the short path labels VPN encryption options
instead of the network IP addresses. No need of
Application TFTP - SMTP - HTTP CDP - Inbound/outbound data Switching • PPP for authentication
Data Gateways Gateways route table lookups.
layer SMB - SNMP - NNTP - SSL - entry points for networks (MPLS) • No support for EAP
HTTP/HTTPS. Internet Small Standard for connecting data storage sites such Point-to-Point Tunneling Protocol • Dial in
Frame forward in local
Switch Computer as storage area networks or storage arrays. (PPTP) • Connection setup uses plaintext
network.
TCP/IP Model Interface (ISCI) Location independent. • Data link layer
Share network traffic
Encryption and different protocols at different • Single connection per session
Layers Action Example Protocols load by distributing
Load balancers Multilayer
levels. Disadvantages are hiding coveted channels • Same as PPTP except more secure
Token ring • Frame Relay • FDDI traffic between two Protocols Layer 2 Tunneling Protocol (L2TP)
Network access Data transfer done at this layer and weak encryptions. • Commonly uses IPsec to secure L2TP packets
• Ethernet • X.25 devices
Voice over • Network layer
Create small data chunks called Hide internal public IP Allows voice signals to be transferred over the
Internet • Multiple connection per session
Internet datagrams to be transferred via IP • RARP • ARP • IGMP • ICMP address from external public Internet connection. Internet Protocol Security (IPsec)
Protocol (VoIP) • Encryption and authentication
network access layer Proxies public internet
Packet switching technology with higher • Confidentiality and integrity
Transport Flow control and integrity TCP • UDP /Connection caching and
Asynchronous
filtering. bandwidth. Uses 53-byte fixed size cells. On
Application
Convert data into readable Telnet • SSH • DNS • HTTP • FTP transfer mode
demand bandwidth allocation. Use fiber optics.
Communication Hardware Devices
format • SNMP • DHCP Use to create VPN or (ATM)
aggregate VPN Popular among ISPs Divides connected devices into one input signal for transmission over
VPNs and VPN Concentrator
TCP 3-way Handshake concentrators
connections provide PTP connection between Data terminal equipment one output via network.
using different internet X25 (DTE) and data circuit-terminating equipment Multiplexer Combines multiple signals into one signal for transmission.
SYN - SYN/ACK - ACK links (DCE) Hubs Retransmit signal received from one port to all ports.
Use with ISDN interfaces. Faster and use multiple
LAN Topologies Protocol analyzers
Capture or monitor
network traffic in PVCs, provides CIR. Higher performance. Need to
Repeater Amplifies signal strength.
Frame Relay
Topology Pros Cons real-time ad offline have DTE/DCE at each connection point. Perform
WAN Transmission Types
• No redundancy New generation error correction.
Unified threat • Dedicated permanent circuits or communication paths required.
BUS • Simple to setup • Single point of failure vulnerability scanning Synchronous Circuit-switched
management IBM proprietary protocol use with permanent • Stable speed. Delay sensitive.
• Difficult to troubleshoot application Data Link networks
dedicated leased lines. • Mostly used by ISPs for telephony.
Create collision Control (SDLC)
RING • Fault tolerance • No middle point • Fixed size packets are sending between nodes and share
domains. Routers High-level Data
Start • Fault tolerance • Single point of failure VLANs Use DTE/DCE communications. Extended Packet-switched bandwidth.
separate broadcast Link Control
• Redundant protocol for SDLC. networks • Delay sensitive.
Mesh • Fault tolerance domains (HDLC)
• Expensive to setup • Use virtual circuits therefore less expensive.
Intrusion detection and Domain name Map domain names /host names to IP Address
IDS/IPS
system (DNS) and vice versa.
Types of Digital Subscriber Lines (DSL) prevention.
Wireless Networking
Asymmetric Digital • Download speed higher than upload
Firewall and Perimeter Leased Lines Wireless personal area network (WPAN) standards
Subscriber Line • Maximum 5500 meters distance via telephone lines. T1 1.544Mbps via telephone line IEEE 802.15 Bluetooth
(ADSL) • Maximum download 8Mbps, upload 800Kbps. Security T3 45Mbps via telephone line IEEE 802.3 Ethernet
Rate Adaptive DSL • Upload speed adjust based on quality of the transmission line
DMZ Secure network between ATM 155Mbps IEEE 802.11 Wi-Fi
(RADSL) • Maximum 7Mbps download, 1Mbps upload over 5500 meters.
(Demilitarized external internet facing and ISDN 64 or 128 Kbps REPLACED BY xDSL IEEE 802.20 LTE
Symmetric Digital • Same rate for upstream and downstream transmission rates.
zone) internal networks. Reserved 1024-49151
Subscriber Line • Distance 6700 meters via copper telephone cables Wi-Fi
(SDSL) • Maximum 2.3Mbps download, 2.3Mbps upload. Bastion Host - Dual-Homed - Three-Legged - BRI B-channel 64 Kbps
Standard Speed Frequency (GHz)
• Higher speeds than standard ADSL Screened Subnet - Proxy Server - PBX - Honey BRI D-channel 16 Kbps
Very-high-bit-rate DSL 802.11a 54 Mbps 2.4
• Maximum 52Mbps download, 16 Mbps upload up to 1200 Pot - IDS/IPS PRI B & D channels 64 Kbps
(VDSL) 802.11b 11 Mbps 5
Meters
802.11g 54 Mbps 2.4
High-bit-rate DSL
(HDSL)
T1 speed for two copper cables for 3650 meters Network Attacks 802.11n 200+ Mbps 2.4/5
Ownership factor Something that the user possesses, like a key or a token.
Subject An entity which requires access to an object or objects. Identity Management
Object Entity which consists information. IAAA – Identification - Authentication - Authorization - Accountability.
Characteristic A user characteristic, such as biometrics; fingerprints, face
• Registration verification of user identity and add an
factor scan, signature. Levels of Access & Control identifier to system.
Identification
Centralized Only one component can control access. Highly restricted • Assign user the proper controls
Knowledge –Type/category 1 – something you know administration level where control done centrally. • Commonly use user ID or username.
Password authentication, Secret questions such as mother’s maiden name, Decentralized Access is controlled by information owners, Can be less • User verification process
Authentication
favorite food, date of birth, key combination / PIN. administration consistent. • Commonly used passwords
Hybrid Combination of centralized and decentralized. Authorization • Defining resources for user access
Terminology and concepts Accountability • Person responsible for the controls, uses logs.
Access stances allow-by-default or deny-by-default
Random data added to a password before hashing and
• A.K.A federated ID management
SESAME (Secure European System for Applications in
storing in a database on a server. Used instead of
Salted hash
plaintext storage that can be verified without revealing
Single • Pros – ComplEg. passwords, easy administration, faster a Multi-vendor Environment)
password. Sign-On authentication. Public Key cryptology only authenticates initial segment without
(SSO) • Cons – Risk of all systems comprised by unauthorized authenticating full message. Two separate tickets are in use one for
Alphanumeric, more than 10 characters. Includes a access of a key or keys. authentication and other one defines the access privileges for user. Both
ComplEg.
combination of upper and lower case letters, numbers symmetric and asymmetric encryptions are used.
password
and symbols. Authorization Exchange authentication and authorization information
between security domains and systems.
One-time password Dynamically generated to be used for one session or SAML -
(OTP) transaction.
Access control policies: Level of access and controls granted for a user. • Components: Principal User • Identity provider • Service
(SOAP/XML)
provider.
Static password Password does not change. To be avoided. Separation of Assigning different users different levels of access to • Use in directory federation SSO.
duties protect privacy and security.
Something used to identify a person, i.e. pets name,
Access to perform specific functions is granted to two or
Authorization Concepts
Cognitive password favorite color, mother’s maiden name etc, place of birth Dual Controls
more users. Security
etc. Set of resources having the same security policies.
domain
Password Hacking Unauthorized access of a password file Split Knowledge No single user can have full information to perform a task. Federated Organization having a common set of policies and standards
Identity within the federation.
Multiple attempts using all possible password or pin Principle of Least User is given minimum access level needed to perform a
Brute force attack Privilege task.
combinations to guess the password. Federation Models
Type of brute force attack that uses all the words from Need-to-Know Minimum knowledge level to perform a task. Every organization is certified and trusted by the other
Dictionary attack Cross-Certification
the dictionary. organizations within the standards defined internally by
No Access User is not assigned any access for any object. Model
said organizations.
Gain access by impersonating a user by establishing Trusted
Social engineering Centrally managed database for user objects management. Every organization adheres to the standards set by a third
legitimate user credentials through social manipulation of Directory Service Third-Party /
attack i.e. LDAP party.
trusted parties or authorities. Bridge Model
Client /server model authentication protocol. IDaaS (Identity as Identity and access management is provided by a third
Precomputed table for reversing cryptographic hash
Rainbow Tables • Symmetric Key Cryptography a Service) party organization.
functions and cracking passwords.
Kerberos • Key Distribution Center (KDC) Access management for multiple similar, yet independant
• Confidentiality and integrity and authentication, SSO (Single
Ownership –Type/category 2 – Something you have systems. Primarily used for the cloud and SaaS based
symmetric key cryptography sign-on)
system access.
Synchronous token Create password at regular time intervals. Cloud Identity User account management (Office 365)
Authentication administrative domain. Uses symmetric-key
Realm Directory
cryptography On-premises identity provider (Microsoft Active directory)
Asynchronous Generate a password based on the challenge-response Synchronization
token technique. Issues tickets to client for server authentication
KDC (Key On-premises identity provider for managing login request.
• Stores secret keys of all clients and servers in the network Federated Identity
Memory card A swipe card containing user information. Distribution (MS AD)
• AS (Authentication Server)
Center)
Smart Cards or
A card or dongle that includes a chip and memory, like
• TGS (Ticket Granting Server) Access Control Models
Integrated Circuit
bank cards or credit cards. • User input username/password in client PC/Device. By default access to an object is denied unless explicitly
Card (ICC) Implicit Deny
• Client system encrypts credentials using AES to submit granted.
Contact Cards Swiped against a hardware device. for KDC. Access Control Table which included subjects, objects, and access
• KDC match input credentials against database. Matrix controls / privileges.
The Kerberos
Contactless Cards • KDC create a symmetric key and time-stamped TGT to be List access controls and privileges assigned to a subject.
Simply need to be within proximity to the reader device. logon process
or Proximity Cards used by the client and the Kerberos server. Capability Tables • ACLs focus on objects whereas capability lists focus on
• Key and TGT are encrypted using client password hash. subjects.
Allows a card to be used in both contact and contactless • Client installs the TGT and decrypts the symmetric key
Hybrid Cards Permissions Access granted for an object.
systems. using a hash.
Rights Ability/access to perform an action on an object.
USB drive Bespoke USB with access credentials Privileges Combination of rights and permissions.
Authorization Methods
Static password
token
Simplest type of security token where the password is
stored within the token. Discretionary Access Control (DAC) • Mandatory Access Control (MAC) • Access Control Categories
Role-based Access Control (role-BAC) • Rule-based Access Control (Rule-BAC). Category Scope / Purpose Example
Challenge/respons Two keys or key and
A challenge has to be met by the correct user response. Discretionary Access Control Uses access control lists (ACLs -
e token Compensative Risk mitigation action. combination to open a safety
(DAC) Access-control lists).
locker.
Characteristic –Type/category 3 – Something you do / are Subject authorize according to security labels.
Having fire extinguishers, having
Mandatory Access Control Used by owners to grant or deny access to Corrective Reduce attack impact.
offsite data backups.
Biometric technology allows the user to be authenticated based on (MAC) other users. ACL defines the level of access
physiological behavior or characteristics. Detect an attack before CCTV, intrusion detection
granted or denied to subjects. Detective
• Physiological i.e. Iris, retina, and fingerprints. happens. systems (IDS).
Task-based access controls - subjects require User identification and
• Behavioral i.e. Voice pattern
Role-BAC (RBAC) access an object based on its role or Deterrent Discourages an attacker.
authentication, fences
assigned tasks.
Physiological Characteristics Define and document
Uses a set of rules or filters to define what Directive acceptable practices within Acceptable Use Policy (AUP)
Fingerprint Scans the thumb or edge of the finger. Rule-BAC
can or cannot be done on a system. an organization.
Locks, biometric systems,
Size, shape, bone length, finger length, or other layout Hybrid RBAC Limited RBAC Preventative Stop an attack.
Hand Geometry encryption, IPS, passwords.
attributes of a user’s hand are taken.
Objects are classified based on control level Recovery of a system after Disaster recovery plans, data
Lattice based / Label Recovery
Hand Topography Hand peaks and valleys pattern. using a label. an attack. backups etc.
• Most reliable and used by trial Obtain a confession by evidence retrieval method.
8. Return to owner
Incident Response
Primary Interrogation
• Original documents–Eg. Legal contracts Response Capability • Incident response and handling •
Evidence
• No copies or duplicates
• The Process: Prepare questions and topics, summarize information
Digital Evidence Lifecycle
Recovery • Feedback
Opinion Rule Witnesses test only the facts of the case, not used as evidence.
• Less powerful and reliable than primary evidence. Mitigation Limit the impact of an incident.
Expert Six principles to guide digital evidence
Secondary • Eg. Copies of originals, witness oral evidence. Can be used as evidence.
Witnesses technicians
Evidence • If primary evidence is available secondary of the same content
is not valid.
Root Cause Analysis (RCA)
Can prove without a backup support.
Network Analysis • All general forensic and procedural
principles apply. Fault tree analysis (FTA) Top down deductive failure analysis using boolean logic.
Direct Evidence Use of existing controls to inspect a security breach incident. Eg. IDS/IPS, firewall
• Eg. witness testimony by his/her own 5 senses.
logs • Upon seizure, all actions should not Review of as many components, assemblies, and
• Cannot contradict, conditional evidence, no other supportive Failure mode and
Conclusive • Software Analysis: Forensic investigation of applications which was running while change the data. subsystems as possible to identify potential failure
evidence requires effects analysis (FMEA)
Evidence the incident happened. modes.
• Cannot be used to directly prove a fact • All people accessing the data should
• Hardware/ Embedded Device Analysis: Eg. review of Personal computers & Looks at the predominant likely causes to deal with them
Corroborative be trained Pareto Analysis
• Use as substantiate for other evidence Smartphones first.
Evidence
• All actions performed on the data Connects individual cause-and-effect relationships to give
Cause mapping
Hearsay
• Something heard by the witness where another person told Governing Laws should be fully documented and insights into the system of causes within an issue.
Evidence
• Common law - USA, UK Australia, Canada accessible.
Asset Management • Civil law - Europe, South America Disaster Recovery Methods
• Islamic and other Religious laws – Middle East, Africa, Indonesia, USA • Anyone that possesses evidence is
A real-time mirror of your system and network activity
Preserve Availability • Authorization and Integrity • Redundancy and Fault Tolerance • responsible for all actions taken with it
• Legislative: Statutory law - Make the laws Hot Site running in sync. Allows for minimum disruption and
Backup and Recovery Systems • Identity and Access Management while in their possession.
The 3 Branches of Law • Executive: Administrative law - Enforce the laws downtime.
• Hierarchical Storage Management (HSM): continuous online • Juridical: Interpret the laws • Any agency that possesses evidence An alternative workspace with power and HVAC setup, but
backup system Using optical storage. Cold Site
Storage • Criminal law –violate government laws result in is is responsible for compliance with no hardware. All recovery efforts will be technician heavy.
• Media History: Media usage log
Management commonly imprisonment these principles. A middle-ground solution which includes skeletal hardware,
• Media Labeling and Storage: safe store of media after labeling Warm Site
Issues • Civil law – Wrong act against individual or organization software and connectivity to restore critical functionality.
sequentially
which results in a damage or loss. Result in financial
• Environment: Temperature and heat Eg. Magnetic media Categories of law
penalties. Media Analysis Service Bureau Contract with a service bureau to provide backup services.
• Data Purging: degaussing Archived data not usable for • Administrative/Regulatory law – how the industries, Multiple centers /
Sanitizing and Process between multiple data centers
forensics organizations and officers should act. Punishments can Part of computer forensic analysis sites
Disposing of
• Data Clearing: Cannot recover using keyboard be imprisonment or financial penalties used for identification and extraction
Data Rolling / mobile sites Mobile homes or HVAC trucks.
• Remanence: Data left in media deleted of information from storage media.
Uniform Computer
• Redundant hardware Common framework for the conduct of computer-related Eg. Magnetic media, Optical media, • Hot site RTO: 5 minutes or hours
Information
Network and • Fault-tolerant technologies business transactions. A federal law Eg. Use of software Memory (e.g., RAM) Recovery Time • Warm site RTO: 1-2 days
Transactions Act
Resource • Service Level Agreements (SLA’s) licensing Objectives (RTOs) • Mobile site RTO: 3-5 days
(UCITA)
Management • MTBF and MTTR
• Unauthorized intrusion Admissible Evidence • Cold site RTO: 1 to 2 weeks
• Single Point of Failure (SPOF) Computer Crime Laws
Incident 3 types of harm
• Unauthorized alteration or destruction
Relevant to the incident. The evidence RAID, SAN, & NAS
1. Detect • 2. Respond • 3. Report • 4. Recover • 5. Remediate • 6. • Malicious code
Response - must be obtained legally. RAID Redundant Array of Independent / Inexpensive Disks
Review • Relevant, sufficient, reliable, does not have to be
steps Admissible evidence Writing the same data across multiple hard disks, slower as
tangible Disk Mirroring
• Changes should be formally requested
Hearsay • Second hand data not admissible in court Digital Forensics data is written twice, doubles up on storage requirements
• Analyze requests against goals to ensure validity Writes data across multiple disks simultaneously, provides
Change • Cost and effort estimation before approval • Is the legal action of luring an intruder, like in a Five rules of evidence: Disk Striping
Enticement higher write speed.
Management • Identify the change steps after approval honeypot Be authentic • Be accurate • Be complete
• Be convincing • Admissible • Writes files in stripes across multiple disks without using
• Incremental testing during implementation • Is the illegal act of inducing a crime, the individual had
Entrapment parity information
• Complete documentation no intent of committing the crime at first RAID 0
• Clipping levels: Define a baseline for normal user errors, Investigation - To • 2 or more disks required
• Fast reading and writing but no redundancy
Threats and • Modification from Standards Eg. DDOS Data Loss Prevention (DLP) Determine Suspects • Creates identical copies of drives - has redundancy
Preventative • Unusual patterns or events Scans data for keywords and data patterns. Protects before an incident occurs.
Types: • Space is effectively utilized, since half will be given to
Measures • Unscheduled reboots: Eg. Hardware or operating system issue RAID 1
Network-bas Data in motion. Scans all outbound data looking for anomalies. Place Operational • Criminal • Civil • eDiscovery another disk
• Input/output Controls
ed DLP in edge of the network to scan all outgoing data. • Expensive
Endpoint-bas Data in use. Scans all internal end-user workstations, servers and Security Incident and RAID 3 Byte level data striping across multiple
Intrusion Detection & Prevention Systems (IDS & ed DLP devices. RAID 4 Block level data striping across multiple
Event Management
IPS) Digital Data States RAID 5
Data and parity Information is striped together across all
(SIEM) drives
Automated inspection of logs and real-time system events Data at Rest Data that is stored on a device or a backup medium. Stripes data across available drives and mirrors to a seperate
IDS (Intrusion Log review automating RAID 0+1
to detect intrusion attempts and system failures. IDSs are an Data in Data that is currently travelling across a network or on a device's Real‐time analysis of events occurring set of disks
Detection System)
effective method of detecting many DoS and DDoS attacks. Motion RAM ready to be read, updated, or processed. on systems Each drive in a set is mirrored to an equivalent drive in
RAID 1+0 (RAID 10)
Data in Use Data that is being inputted, processed, used or altered. another set
IPS (Intrusion
A IDS with additional caabilities to stop intrusions. Transaction Redundancy Storage Area Typically use Fibre Channel and iSCSI. High speed blick level
Prevention System)
Backup Types Implementations
Network (SAN) storage.
Full All files backed up, archive bit and modify bit will be deleted Network-Attached Typically an NFS server, file-level computer data storage
Firewalls Incremental Backup files changed after last full backup, archive bit deleted.
Electronic Vaulting • Remote Journaling Storage (NAS) server connected to a computer network.
• Database shadowing
Only modified files are backed up, do not delete archive bit.
HIDS
Monitor and analyze the internals of a computing system, Disaster Recovery Terminology & Concepts
(Host-based IDS)
including its network connection points. Eg. Mainframe Differential Need last full backup and last incremental backup for a full System Hardening
computer restore. MTTF Mean Time To Failure
" • Uninstall unnecessary applications
Redundant servers Eg. RAID, adding disks for increased fault tolerance. MTTR Mean Time To Repair
Hardware based device or software applications used to • Disable unnecessary services
NIDS Server clustering Set of servers that process traffic simultaneously. MTBF Mean Time Between Failures, MTTF + MTTR
monitor and analyse network activity, specifically scanning • Deny unwanted ports
(Network-based IDS)
for malicious activities and policy violations. • External storage device restriction Transaction Redundancy Electronic Vaulting • Remote Journaling • Database
• Monitoring and Reporting Implementations shadowing
Disaster Recovery Test • Vulnerability Management System
Hierarchical Recovery Types of System Failure • IDP/IPS: Attack signature engine
Desk Check Review contents of the plan
should be updated regularly Business Continuity Planning
Types Table-top exercise
Disaster recovery team members gather and roleplay a
• System reboot disaster scenario Concerns the preservation and recovery of business in the
• Emergency restart More intense than a roleplay, all support and tech staff meet
System Recovery Business Continuity
event of
1. Manual Simulation test Plan (BCP)
• System cold start and practice against disaster simulations 1. Rebooting system in single user outages to normal business operations.
2. Automatic Recovery
mode, recovery console
Personnel are taken to an alternative site and commence Business Impact The process of assessing the impact of an IT disruption.
2. Recovering all file systems active
Parallel tests operations of critical systems, while original site continues Analysis (BIA) BIA is part of BCP
Data Destruction and Reuse operating
before crash
3. Restore missing / damaged files A framework of steps and actions that need to be taken
Object reuse Use after initial use Full-implementation Personnel are taken to an alternative site and commence
4. Recover security and access to achieve business continuity and disaster recovery
Remaining data after erasure Format magnetic media 7 tests operations of all systems, main site is shut down
Data remanence controls Disaster Recovery Plan goals.
times (orange book (DRP) End Goal – Revert back to normal operations - planning
Clearing Overwriting media to be reused BCP Plan Development and development must be done before the disaster - BIA
Purging Degaussing or overwriting to be removed • Computing: strategy to protect - hardware, software, communication links, applications, data should be complete
Destruction Complete destruction, preferably by burning Define the continuity • Facilities: use of primary or alternate/remote site buildings 1. Scope and plan initiation
strategy • People: operational and management 2. BIA - assess impact of disruptive processes
• Supplies and equipment
Disaster Recovery Planning Business Continuity
3. Business Continuity Plan development - Use BIA to
Roles and • BCP committee: senior staff, business units, information systems, security administrator, officials from all develop BCP -
Disaster Steps
Teams responsible for DR implementation - Salvage team - Work responsibilities departments Testing
recovery
on normal /primary site to make suitable for normal operations • CCTV 4. Plan approval and implementation - management
process
• Fences-Small mesh and high gauge approval
• Interfacing with other groups • Alarms
• Fraud and Crime: Eg. vandalism, looting
• Financial disbursement
• Intrusion detection: electromechanical, photoelectric, passive infrared, acoustical detection Trusted Recovery
• Motion: wave pattern motion detectors, proximity detector
• Documenting the Plan - Required documentation Physical security • Locks: warded lock, combination lock, cipher lock, device lock, preset / ordinary door lock, programmable Breach Confirmation Confirm security breach not happen during system failure.
Other recovery • Activation and recovery procedures locks, raking lock
issues • Plan management • Audit trails: date and time stamps, successful/unsuccessful attempts, who attempted, who Failure Preparation Backup critical information to enable recovery
• HR involvement granted/modified access controls After a failure of operating system or application, the
• Costs • Security access cards: Photo ID card, swipe cards, smartcards System Recovery system should work enough to have the system in a
• Internal /external communications • Wireless proximity cards: user activated or system sensing field powered device secure state
• Detailed plans by team members
Domain 8: Software Development Security CISSP Cheat Sheet Series
Software Development Lifecycle (SDLC) Programming Language Types Data Warehousing and Data Mining Change Management Process
Understand and integrate security throughout the software development Machine Data Develop organizational framework where users can
Direct instructions to processor - binary representation Combine data from multiple sources. Request
lifecycle (SDLC) Languages Warehousing request modifications, conduct cost/ benefit analysis by
Control
Assembly Use of symbols, mnemonics to represent binary codes - Arrange the data into a format easier to make business management, and task prioritization by developers
Data Mining
Development Methodologies Language ADD, PUSH and POP decisions based on the content. Develop organizational framework where developers can
Change
Processor independent programming languages - use create and test a solution before implementation in a
• No key architecture design
• Problems fixed as they occur
High-Level
IF, THEN and ELSE statements as
Database Threats Control
production environment.
Build and fix Language
• No formal feedback cycle part of the code logic Aggregation The act of combining information from various sources. Release
Change approval before release
• Reactive not proactive Generation 4 languages further reduce amount of code Inference Process of information piecing Control
Very high-level
• Linear sequential lifecycle required - programmers can focus on algorithms. • Content Dependent Access Control: access is based on
• Each phase is completed before moving on
language
Python, C++, C# and Java Access the sensitivity of the data
Configuration Management Process
Waterfall
• No formal way to make changes during cycle Natural Generation 5 languages enable system to learn and Control • Context Dependent Access Control: access via Software Version A methodology for storing and tracking changes
• Project ends before collecting feedback and re-starting language change on its own - AI location, time of day, and previous access history. Control (SVC) to software
• Based on the waterfall model • Database Views: set of data a user or group can see Configuration The labelling of software and hardware
Access
V-shaped
• Each phase is complete before moving on Database Architecture and Models Control
• Database Locks: prevent simultaneous access Identification configurations with unique identifiers
• Verification and validation after each phase • Polyinstantiation: prevent data interference violations Verify modifications to software versions
Uses attributes (columns) and tuples (rows) to Mechanisms
• No risk analysis phase Relational Model in databases Configuration Control comply with the change control and
organize data
• Rapid prototyping - quick sample to test the current configuration management policies.
project Hierarchical Parent child structure. An object can have one child, A•C•I•D Ensure that the production environment is
• Evolutionary prototyping - incremental improvements to Model multiple children or no children. Configuration Audit
Database roll back if all operations are not completed, consistent with the accounting records
Prototyping Atomicity
a design Similar to hierarchical model but objects can have transactions must be completed or not completed at all
• Operational prototypes - incremental improvements Network Model
multiple parents. Consistency Preserve integrity by maintaining consistent transactions Capability Maturity Model
intended for production
Transaction keeps separate from other transactions until 1. Initiating – informal processes,
• Multiple cycles (~ multiple waterfalls) Object-Oriented Has the capability to handle a variety of data types Isolation Reactive
complete 2. Repeatable – project management processes
• Restart at any time as a different phase Model and is more dynamic than a relational database.
Incremental Durability Committed transaction cannot be roll backed 3. Defined – engineering processes, project planning,
• Easy to introduce new requirements
quality assurance, configuration management practices
• Delivers incremental updates to software Object-Relational Combination of object oriented and relational Traditional SDLC Proactive
4. Managed – product and process improvement
• Iterative Model models. 5. Optimizing – continuous process improvement
Analysis, High-level design, Detail Design, Construction,
• Risk analysis during development Steps
testing, Implementation
Spiral • Future information and requirements considered for risk Project Management Tools
analysis Database Interface Languages • Initiation: Feasibility, cost analysis, risk analysis,
• Allows for testing early in development Management approval, basic security controls Type of bar chart that illustrates the relationship
Gantt chart
Open Database • Functional analysis and planning: Requirement between projects and schedules over time.
Rapid • Rapid prototyping Local or remote communication via API
Connectivity (DOBC) definition, review proposed security controls Program Evaluation Project-scheduling tool used to measure the
Application • Designed for quick development
• System design specifications: detailed design specs, Review Technique capacity of a software product in development
Development • Analysis and design are quickly demonstrated Java Database Java API that connects to a database, Phases
Examine security controls (PERT) which uses to calculate risk.
(RAD) • Testing and requirements are often revisited Connectivity (JDBC) issuing queries and commands, etc • Software development: Coding. Unit testing Prototyping,
• Umbrella term - multiple methods
DB API allows XML applications to interact Verification, Validation Phases of object-oriented design
• Highlights efficiency and iterative development XML
Agile with more traditional databases • Acceptance testing and implementation: security OORA (Requirements
• User stories describe what a user does and why Define classes of objects and interactions
testing, data validation Analysis)
• Prototypes are filtered down to individual features Object Linking and
Embedding Database (OLE is a replacement for ODBC Object-oriented technology (OOT) - Identify classes and objects which are common
DevOps (Development & Operations) DB) OOA (Analysis) to any applications in a domain - process of
Terminology discovery
Software Development • Quality Assurance • IT
OOD (Design) Objects are instances of classes
Operations Knowledge Management Objects contain both data and the instructions that work
OOP (Programming) Introduce objects and methods
on the data.
Two main components: 'Knowledge base' and the ORBs (Object Request Work as middleware locators and distributors
Software Development Methods
Encapsulation Data stores as objects
'Inference engine' Brokers) for the objects
Message Informs an object to perform an action.
Expert • Use human reasoning Architecture and standards that use ORBS to
Performs an action on an object in response to a CORBA (Common
Systems • Rule based knowledge base Method allow different systems and software on a
Database Systems • If-then statements message. object request)
system to interfce with eachother
• Interference system Results shown by an object in response to a Work independently without help from other
Database Define storing and manipulating data message. Defined by its methods, which are the programs
Behavior
• Forward chaining: Begins with known facts and applies functions and subroutines defined within the object • High cohesion – No integration or interaction
DBMS (database inference rule to extract more data unit it reaches to the class. Cohesion with other modules
Software program control access to data stored
management goal. A bottom-up approach. Breadth-first search Set of methods which defines the behavior of • Low cohesion – Have interaction with other
in a database. Expert Class
system) strategy. objects modules
Systems (Two
• Backward chaining: Begins with the goal, works • Coupling - Level of interaction between objects
Modes) Object An instance of a class containing methods
Hierarchical • Network • Mesh • Object-orientated backward through inference rules to deduce the
DBMS Types Inheritance Subclass accesses methods of a superclass
• Relational required facts that support the goal. A top-down
approach. Depth-first search strategy. Multiple Inherits characteristics from more than one parent Virus Types
Data definition language defines structure and Inheritance class
DDL
schema DML Accumulates knowledge by observing events, Two or more rows in the same relational database Boot record infectors, gain the most privaleged
Boot sector
Neural measuring their inputs and outcome, then predicting Polyinstantiation table appear to have identical primary key elements access and can be the most damaging
Degree of Db number of attributes (columns) in table Networks outcomes and improving through multiple iterations but contain different data
over time. Infects executable system files, BIOS and system
Object users do not need to know the information System infector
Tuple row Abstraction commands
about how the object works
DDE Dynamic data exchange Covert Channels (Storage & Timing) Process isolation
Allocation of separate memory spaces for process’s UEFI Infects a system's factory installed UEFI (firmware)
instructions and data by the operating system.
DCL Data control language. Subset of SQL. Executable content Virus stored in a specific location other than in the
ActiveX controls, Java applets, browser scripts Companion
Mobile code Trusted Computer Base (TCB) main system folder. Example NOTEPAD.EXE
ensure semantic rules are enforced between data
Semantic integrity Virus Propagates with help from the host Any modifications to files or boot sector are hidden
types The set of all hardware, firmware, and/or software components that are Stealth
Worm Propagates without any help from the host by the virus
critical to its security. Any compromises here are critical to system
Referential integrity all foreign keys reference existing primary keys Logic Bomb/Code security.
Run when a specific event happens Multipart Infects both boot sector and executable files
Bomb
an attribute that is a unique identifier within a May need to interact with higher rings of
Input/output Attempts to hide from anti-virus by changing the
Candidate Key given table, one of the candidates key becomes Buffer Overflow Memory buffer exhaustion protection - such communications must be Self-garbling
operations encoding of its own code, a.k.a. 'garbling'
primary key and others are alternate keys Malicious code install at back end with the monitored
Backdoor
help of a front end user Execution domain Applications that invoke applications or Polymorphic The virus modifies the "garble" pattern as it spreads
Primary Key unique data identification
Covert Channel Unauthorized information gathering switching services in other domains
Resident Loads as and when a program loads to the memory
reference to another table which include primary Zombie code used to compromise thousands Monitoring of memory references to verify
Foreign Key key. Foreign and primary keys link is known as Botnet Memory protection Master boot
of systems confidentiality and integrity in storage
referential integrity. record / sector Infects the bootable section of the system
Malicious code that outwardly looks or Monitor registers, process status information, (MBR)
Trojan Process activation
behaves as harmless or necesary code and file access lists for vulnerabilities
• Incorrect Summaries • Dirty Reads • Lost
Updates Security Assessment & Testing Terms Anti-Virus Types
• Dynamic Lifetime Objects: Objects developed Browser site trust is exploited by trying to
Cross-site request A process of identifying and determining the Not able to detect new malware a.k.a. Zero-day
using software in an Object Oriented submit authenticated requests forcefully to Penetration Testing Signature based
forgery (CSRF / XSRF ) true nature if system vulnerabilities attacks
Programming environment. third-party sites.
• ODBC - Open Database Connectivity. Database Heuristic based Static analysis without relying on signatures
Cross-site scripting Uses inputs to pretend a user’s browser to Patch management Manages the deployment of patches to
feature where applications to communicate with
(XSS) execute untrusted code from a trusted site system prevent known attack vectors
different types of databases without a program
DBMS terms Attempts to obtain previously authenticated
code.
• Database contamination - Mixing data with
Session Hijacking sessions without forcing browser requests Open system
System with published APIs - third parties can Protection Rings
use system
submission
different classification levels
Proprietary system - no third-party Layer 0 Operating system kernel
• Database partitioning - splitting a single SQL Injection Directly attacks a database through a web app Closed system
database into multiple parts with unique contents involvement
Layer 1 Parts of the operating system other than the kernel
• Polyinstantiation - two or more rows in the same Hotfix / Update / Updates to operating systems and Source code can be viewed, edited and
Open-source
relational database table appear to have identical Security fix applications distributed free or with attribution or fees
Layer 2 I/O drivers and utilities
primary key and different data in the table. Collection of patches for a complete operating Used to access API. Highly sensitive - same
Service Pack API Keys
system as passwords Layer 3 Applications and programs