CISSP

The 8 domains of CISSP

CISSP course syllabus:

Domain-1: Security and Risk Management

Domain-2: Asset Security

Domain-3: Security Engineering

Domain-4: Communications and Network Security

Domain-5: Identity and Access Management

Domain-6: Security Assessment and Testing

Domain-7: Security Operations

Domain-8: Software Development Security

Focus on  Security and Risk Management / Security Engineering / Communications and Network
Security / Software Development Security

The CISSP mindset:

 Your role is a risk advisor. (You are not an architect, an engineer or a helpdesk. Think like a
manager)
 Do not fix problems. (It is a matter of a process)
 Who is responsible for security? - Senior management
 All decisions start with risk management. The risk management starts with asset identification and
valuation.
 Physical safety is always the first choice.
 Layered defense.

1
 Domain-1

Security and Risk Management:

- Agenda
1. CIA Triad.
2. IAAA
3. Security Governance vs. Management
4. Compliance
5. Legal and regulatory issues
6. Professional ethics
7. Security policies, standards, procedures and guidelines.
8. Business continuity and disaster recovery.

- CIA and IAAA

1. Core Security Requirements (Confidentiality)
 Overt (cryptography and masking) / covert (steganography)
 states of date  at rest / in process / in transit
 Examples  PII / Passwords / TLS or SSL / unsecure protocols like FTP are not
allowed / log files shall not store confidential data.
2. Core Security Requirements (Integrity)
 System Integrity (Protection against system or software modification)
 Code injection can modify the database  input validation is a mitigation
technique.
 Data Integrity (Ensuring the accuracy and reliability of data)
 CRCs, checksums, message digests, hashes, MACs
 Internal and external consistency.
 Examples  SW digests/ input validation / preventing subjects from
modifying data
3. Core Security Requirements (Availability)
 Providing timely access to resources.
 Metrics 
 To indicate tolerance for losses  MTD (Maximum Tolerable Downtime) /
RTO / RPO (Recovery Point Objective: How much data can be lost if being
restored after a compromise?)
 SLAs
 To identify life expectancy of a device  MTBF / MTTR.
 Examples  SW should support access to 200 users simultaneously / SW should
provide replication and load balancing / Mission critical functionality of the SW
should be restored within 30 minutes / SW should meet availability requirements of
99.9 % as specified in the SLA.
4. Core Security Requirements (Authenticity)
 Validation of an entity’s identity claim
2
  Anonymous : Public Access
 Basic: password submitted in the clear
 Digest: Challenge/Response
 Integrated: Directory Services Authentication
 Certificate-based : X.509 v4 certificates used
 Forms : an internet form prompts user to enter credentials which are
validated
 Token-based : Allows SSO
 Smart Cards: Requires EAP and is often integrated with PKI
 Biometric Authentication credentials inherently bound to a subject
1. Static (Fingerprint – iris scan – retina scan) vs Dynamic (signature –
keyboard cadence)
2. FAR / FRR / CER
 Examples  mutual authentication is provided using certificates
5. Core Security Requirements (Authorization)
 Privileges and permissions
 CRUD (Create, Read, Update, Delete)
 Access Control Models
 DAC
 MAC
 RBAC
 RuBAC
6. Core Security Requirements (Accountability)
 Also known as auditing.
 Must include (identity of subject, the action, object and timestamp).
 Audit logs should not overwrite the previous events.
 Audit logs must be retained for one year.

- Tents of security architecture and design

1. How much security is enough? – Risk Analysis (Cost/benefit analysis)
2. Defense in depth  layered protection
3. Fail-safe  No security compromise
4. Economy of Mechanism (The K.I.S.S principle)  keep it simple as it is easy to secure simple
systems.
5. Completeness of design  Through and Comprehensive
6. Least common mechanism  use what is there (do not invent the wheel)
7. Open design  make it known for review
8. Consider the weakest link  A chain is only as strong as ……………
9. Redundancy
10. Psychological acceptability  consider the users – The security is for supporting the
business.
11. Separation of duties  force collusion
3
 12. Mandatory vacations  Detect
13. Job rotation  Detect
14. Least privilege  only knowledge what you need
15. Dual control (Two-person control)  prevent abuse of power

- Risk Management
1. Risk Management Agenda:
 Definitions of Terms
 Types of Risk
 Governance and Compliance
 Risk Management Models
 Risk Options
2. Risk related definitions:
 Risk: Likelihood that a threat will exploit a vulnerability in an asset.
 Threat: has the potential to harm an asset.
 Vulnerability: a weakness in a system.
 Exploit: Instance of compromise.
 Controls: safeguards (proactive  deter and or prevent) and countermeasures
(reactive  detect and or correct)
 Secondary risk: the event that comes as a result of another risk response.
 Exploit: instance of compromise.
 Residual risk: the amount of risk left over after a risk response.
 Fallback Plan: Plan B
 Workaround: unplanned response
3. Risk Management:
 Risk Assessment  Identify assets, threats and vulnerabilities
 Risk analysis  Value of potential risks (cost/benefit analysis)
 Risk mitigation  Responding to risk
 Risk monitoring  Risk is forever
4. Risk Assessment:
 Identify and valuates assets
 Identify threats and vulnerabilities
 Methodologies:
 Octave  identify assets, threats, vulnerabilities and risks and then base the
protection strategy to reduce risk.

Phase 1 (Organizational view)

- Assets
- Threats
- Current Practices
Preparation - Organization Vulnerabilities
- Security Requirements
Phase 2 (Technological view)
- Key Components
- Technical Vulnerabilities
Phase 3 (Strategy plan and
development)
- Risks
- Protection Strategy
- Mitigation Plans

4
  FRAP  Facelifted Risk Analysis Process. Qualitative analysis used to
determine whether or not to proceed with a quantities analysis. If impact is
low, the quantitative analysis is forgone.
 NIST 800-30  Risk management guide for the information technology
systems  9 steps process
1. System characterization
2. Threat Identification
3. Vulnerability Identifications
4. Control Analysis
5. Likelihood determination
6. Impact analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
5. Risk Analysis:
 Qualitative analysis
1. subjective analysis
2. may use Delphi technique
 Quantitative analysis
1. Depends on qualitative information.
2. Business decisions are made on a quantitative analysis.
3. Provides a dollar value to a particular risk event.
4. TCO is the total cost of ownership of implementing a safeguard.
5. Return on investment  ALE before implementing the control and
ALE after implementing the control.
6. The (ALE before implementing the control – the ALE after
implementing the control) should be > the TCO
Asset Single Loss Annualized Rate
Exposure Annualized Loss
Asset Value Threats Expectancy occurrence
Factor (EF) Expectancy (ALE)
(AV) (SLE) (ARO)
Threat SLE = AV * EF 0 < ARO < very ALE = SLE * ARO
%
X ($) Large number ($)
Asset Threat SLE = AV * EF 0 < ARO < very ALE = SLE * ARO
$ %
Name Y ($) Large number ($)
Threat SLE = AV * EF 0 < ARO < very ALE = SLE * ARO
%
Z ($) Large number ($)

6. Risk Mitigation:

 Quantitative analysis leads to the proper risk mitigation strategy 

1. Reduce
2. Accept
3. Transfer
4. Avoidance
5. Rejection
 Additional risk terms  Total risk / residual risk / secondary risk
5
  Total risk = asset value * vulnerability * threats
 total risk * control gap = residual risk
7. Risk Management Process Review:
 Risk Assessment  Risk analysis  Risk mitigation  Maintain the risk level

- Governance vs management

- Security Blueprints (Frameworks)  For security Governance

1. COBIT and COSO  focus on goals of security  Testable
2. ITIL  Service Strategy  Service Design  Service Transition  Service Operation 
Continual Improvement (Not testable)
3. OCTAVE
4. ISO 27000 Series
 ISO 27001: Establishment, implementation, control and improvement of the ISMS.
Follows the PDCA (Plan, Do, Check and Act).
 ISO 270002: Replaced BS 17799. Provides practical advice how to implement security
controls. Uses 10 domains to address ISMS.
 ISO 27004: provides metrics to measure the success of the ISMS.
 ISO 27005: A standard based approach to risk management.
 ISO 27799: Directives on protecting personal health information.
5. Approaches to security management  Top-Down approach / Bottom-UP approach

- Policies, Procedures, Standards and Guidelines

1. Types:
 Organizational security policy
 Issues specific policy
 System specific policy (Ex: Firewall Policy)
 Regulatory policies
 advisory policies
 informative policies
2. Security policy document relationships:
Laws, Regulations and best practices Drives
Organizational or program policy Management’s security statement
Functional (system and issue specific policies) Management’s security directives
Standards Procedures Baselines Guidelines

3. The policy may say that we will be compliant with HIPAA. The standards say that we may
use 64-bit encryption (specifics and details). The procedures is the step-by-step how (How
can we perform the weekly backup?). The guidelines are not mandatory and they are

6
 suggestive by nature (best practices). The baseline is the minimum acceptable security
configuration.

- Types of Laws
1. Types  Criminal / Regulatory / Civil / Intellectual
2. The CISSP exam is a multinational exam meaning that there’s no question in US-based laws.
(Do not spend a lot of time here.)
3. The ISC2 code of ethics is very important.
4. Criminal Law
5. Civil Law
 Liability, due care, due diligence, prudent person rule are pertinent to civil law as
well as administrative law.
6. Administrative (regulatory) Laws
 Defines standards of performance and regulates conduct for specific industries.
 banking (Basel II)
 Energy (EPAct) of 2005
 Health Care (HIPAA)
 Penalties consist of financial or imprisonment.
7. Intellectual Property
 Protecting products of mind.
 UN organization  WIPO
 Trade secret
 Product must provide competitive value.
 Must be reasonably protected from unauthorized use or disclose.
 Must be genuine and not obvious.
 Copy Right
 Lasts for the lifetime of the author plus 70 or 75 years for corporations.
 Work doesn’t need to be registered or published to be protected.
 Protects expression of ideas/resources rather than the ideas/resources
themselves.
 two limitations on copyright  First Sale and Fair Use
 Trade Mark
 Protect word, name, symbol, sound, shape, color or combination used to
identify product to distinguish from others.
 protect from someone stealing another company’s “look and feel”
 Corporate brands and operating system logos.
 Patent (Cryptographic algorithms and software code)
 Originally valid for 17 years but are now valid for 20 years.
 Protection for those who have legal ownership of an invention.
 Owner has exclusive control of invention for 20 years.
 PCT  International protection for patents.
 No organization enforces patents. It is up to the owner to pursue the patent
rights through the legal system.
7
  Attacks on intellectual property
 Piracy
 copy right infringement
 counterfeiting
 cybersquatting  domain squatting
 typo squatting  Fake URL
8. Specific Laws
 Export/Import Restrictions
Export Restrictions Import Restrictions
1. No export of munitions 1. A copy of private keys is
(WASSENAAR agreement) and needed in case a strong
cryptographic algorithms to cryptographic software
terrorists. is imported.
2. Exporting of cryptographic 2. US Safe Harbor Laws.
software is allowed for non-
governmental users.

 Privacy Issues – Employee Monitoring

1. Local labor laws related to privacy can’t be violated.
2. Notify of monitoring that may be used.
3. Monitor work-related events (Telephones – E-mails)
 HIPAA (Health Insurance Probability and Accountability Act)
1. Applies to Health insurers
2. applies to health providers
3. health care clearing houses
 GLBA
1. Requires financial organizations (Banking) to better protect
customers’ PII.
2. Three rules:
 Financial Privacy Rule  to provide information to customers
regarding how PII is protected.
 Safeguard Rule  to have formal written security plan
detailing how the customer’s PII will be safeguarded.
 pretexting protection
 PCI
1. Not a legal mandate.
2. The compliance is enforced by the payment card vendor like Visa and
MasterCard.
3. PCI self-regulates its own security standards.
4. Applies to any organization that transmits, processes or stores
payment card transactions to conduct business with customers.
5. Six core principles (Not testable):
 Build a secure network.
 Protect the card holder data.
 Maintain a vulnerability management system.

8
  Implement a strong access control system.
 Regularly monitor and test the network.
 Maintain an information security policy.
9. Disclosure
 Often organizations prefer not to disclose security breaches.
10. Auditing role
 If internal auditing is in place, auditors should not report to the head of a business
unit, but rather to legal or human resources.

 Disclosure

- BCP
1. BCP Intro
 BCP vs DRP

 BCP relationship to risk management

9
2. Business Continuity Planning
 Must identify all possible threats.
 Threat types  man-made (fires and strikes) / natural (earthquakes) / technical
(power outage)
 Categories of disruptions  non-disaster / crisis (is declared by anybody) / disaster
(is declared by senior management or BCP team) / catastrophe
 BCP sub plans
 BCP
 Protect
1. Crisis communication plan
2. Occupant Emergency plan
 Recover
1. DRP
2. BRP
3. Continuity of support Plan / IT support plan
 Sustain
1. COOP (Continuity of Operations Plan)
3. Business Continuity Planning Phases (7 phases)
 Project Initiation
 Who is the project manager
 Selecting members of BCP team
 Determine scope of the plan
 Obtain senior management’s approval.
 BIA
 Recovery Strategy
 Plan Design and Development
 Implementation
 Testing
 Checklist test
 simulation test
 structured walk-through test
 parallel test
 full-interruption test
 Maintenance
4. BCP roles and responsibilities
 Senior Executive Management
 resources allocating
 plans final approval
 critical business functions prioritizing
 directing and reviewing test results
 setting the BCP policy
 Senior Functional Management
 prioritizing the mission-critical systems
10
  develop and document maintenance and testing strategy
 ensure periodic tests
 create the various teams needed to execute the plans
 BCP steering committee
 conduct the BIA
 Coordinate with department representatives
 Develop analysis group
 BCP Teams  Rescue / Recovery / Salvage
 Business Impact Analysis (BIA)
 Prioritizing business functions not IT functions
 types  Quantitative and Qualitative
 Key metrics to establish
1. MTBF / MTTR
2. SLA
3. RPO (Recovery Point Objective)
4. MTD
5. Minimum Operating Requirements (MOR)

11
 Domain-2

Asset Security

- Agenda
1. Roles within an organization
2. Data classification
3. System Baselining and hardening
4. states of data

- Roles and Responsibilities

1. Senior Executives  CEO / CFO / CIO / ISO
 ISO  Providing CIA / Reporting risks to senior management / recommend best
practices / maintain security awareness / establish security measurements / ensure
compliance with industry regulations.
2. Steering Committee  Define risks, objectives and approaches
3. Auditors  Evaluates business processes
4. Data owner  classifies data
5. Data custodian  day-to-day maintenance of data
6. Network administrator
7. Security Administrator  (network admin is here, security admin is there!)

- Data Classification
1. Development of Sensitivity labels for data for configuring baseline security based on the
value of data.
2. Cost  Value of Data
3. Classify  Criteria for classification
4. Controls  determining the baseline security configuration for each
5. Considerations (what makes up the value of an asset?)
 liabilities / value to competitors / Loss if compromised / value to the organization /
acquisition costs / many others
6. Sensitivity vs. criticality  (Sensitive E-mail vs. critical E-mail server)
7. States of Data  at rest (EFS / BitLocker / PGP / TPM) / in process / in transit (IPsec,
SSL/TLS)

- States of Data  at rest (EFS / BitLocker / PGP / TPM) / in process / in transit (IPsec, SSL/TLS)

- System baselining and hardening

12
1. Removing unnecessary services / installing the latest services packs and patches / renaming
default accounts / changing default settings / Physical security
2. configuration management
 configuration identification
 change management
 configuration status accounting
 configuration audit
3. configuration management documentation  location / permanent IP address if applicable
/ serial number / BIOS version / Model / MAC Address / OS version
4. Change management process
 request for change
 risk assessment/analysis
 gaining approvals
 testing
 notifying
 implementation
 validation
 documentation
5. Patch management
 a response for vendor notification or pen testing
 is a part of configuration and change management
 CVE  Common Vulnerabilities and Exposures  nvd.nist.gov
 www.cert.org

13
 Domain-3

Security Engineering

- Agenda
1. Part I
 Principles of Secure Design
 Trusted Computer Base Elements
 Security perimeter
 reference monitor
 security kernel
 Computer/security architecture
 Security models
 security evaluation criteria
2. Part II
 Cryptography (very very testable)

- Trusted Computing
1. Requirements of system architecture
 Business and security requirements should be defined.
 Security must be built into the security by design.
 Security and business requirements have to be balanced. (Tradeoffs are involved)
2. Elements of system architecture : TCB
 Deals with the protection mechanism within a computer system.
 Security perimeter  it delineates the trusted and the untrusted
components within a computer system.
 Reference monitor  is an abstract machine concept that mediates all access
between subjects and objects.
 Security kernel
1. Enforces the reference monitor concept.
2. Must facilitate isolation of processes.
3. Must be invoked at every access attempt.
4. Must be small enough to best tested and verified in a comprehensive
manner.
- Security Models
1. Bell-LaPadula
2. Biba
3. Clarck-Wilson

- Computer Architecture
1. CPU

14
 CPU cycles  Fetch / Decode / Execute / Store

 Execution Types
 multiprogramming
1. Multiple programs are running at the same time.
2. Sometime, called cooperative multitasking.
3. Doesn’t allow for isolation of individual processes.
4. Windows 3.1x
 multitasking
1. Multiple programs are running at the same time.
2. Preemptive multitasking.
3. True isolation of resources  each application is running in its own
space and can be isolated.
4. Windows 95
 multithreading
1. Separates instructions within a process.
2. It is the ability to perform more than one thread at the same.
3. Is traditionally done by multithreading OS (software multithreading).
4. To get a true hardware multithreading, we need multiple processors.
 multiprocessing
1. Installing more than one processor into a system.
 Asymmetric multiprocessing
 Symmetric Multiprocessing
 multi-core processors
1. Provides hardware multithreading.
 CPU Modes
 User mode (Problem state)
1. It is the mode in which the processor operates with a limited access to
resources.
2. Ring 3
15
  Privileged mode (Kernel mode)
1. The processor operates in ring 0 which indicates the highest level of
trust.
2. Memory
 RAM
 Dynamic / Static
1. DRAM  System RAM is dynamic in nature
2. SRAM  A cache  a memory for things that are frequently used 
Expensive.
 Cache  can be a static RAM.
 ROM
 PROM
 EPROM
 EEPROM

- Security models
1. Dictates how a system will enforce a security policy.
2. BELL-LAPADULA
 Designed to protect confidentiality.
 Has 3 rules
 Simple security property – “No read up”
 *_Security property – “No Write down”
 strong * property – “No read/write up or down”

3. BIBA Integrity Model

 Designed to protect integrity of the knowledge base.
 Summary  Down data is dirty.
 The rules:
 Simple integrity axiom  “No read down”  as read down is untrusted.
 * integrity axiom  “No write up”
 Invocation Property  a subject can’t invoke subjects at a higher integrity
level.

16
 4. Clark –Wilson Model
 Do not allow untrusted users to access your trusted resources. Instead, force them
to access resources through a trusted interface  User / Interface / Backend
 The model is for commercial use
 Constrained Data Item (CDI)
 Deals with all three integrity goals
 Prevents unauthorized users from making modifications.
 Prevents authorized users from making unauthorized modifications.
 Reinforces separation of duties.

- Access control models

1. DAC (Discretionary Access Control)
 Security of an object is at the owner’s discretion
 Identity based.
 Access is granted through ACL.
2. MAC (Mandatory Access Control)
 Data owners can’t grant access.
 Users and data are given clearance levels (Confidential, Secret and top secret)
 Rules for access are configured by the security officer and enforced by the operating
system.
3. RBAC (Role Based Access Control)  Non-DAC

- Common Architectures
1. Distributed computing
17
  Client-server
 thin vs. fat clients
 scalability
 availability
 maintainability
 security
 peer-to-peer
 for file sharing
 encryption and hashing are needed
2. Service Oriented Architecture
 SOA is an architecture and a vision on how heterogeneous applications should be
developed and integrated in the enterprise.
 share a formal contract
 loosely coupled
 abstraction
 composable
 reusable
 autonomous
 stateless
 discoverable
3. Rich Internet Applications
 client side threats
1. XSS  Takes the advantage of the user trust of a website.
2. CSRF  Takes the advantage of the website trust of a user.
 server side threats
1. code injection
 validate input
2. Aggregation and Inference
 masking
 polyinstatiation
4. Ubiquitous Computing (‫)واسع اإلنتشار‬
 Wireless networking
 RFID
 NFC (Near Field Communication)
 LBS (Location Based Services)

- Cryptography
1. History of cryptography
 Caesar cipher
 simple substitution
 shift characters 3 spaces
 Vulnerable to pattern analysis.
18
  Scytale
 used by Spartans
 Wrapped a tape around a rod.
 Diameter of a rod is the pre-agreed secret key (Transposition cipher)
 Vignere
 First polyalphabetic cipher.
 substitution cipher (A development to Caesar cipher)
 Not vulnerable to pattern analysis.
 Key word is agreed upon ahead of time.

 Vernam
 One Time Pad
 the only unbreakable form of cryptography
 The pad is used only once.
 The pad is at least as long as the message.
 The pad must be delivered and stored securely.
 Enigma machine Purple machine
2. Security Services of cryptography
 Privacy
 Integrity
 Authenticity
 Non-repudiation
3. Definitions and concepts
 Plain text + Initialization vector (IV) + Algorithm (cipher) + Key = Cipher text
 Elements of Cryptography
 Desirable qualities of an algorithm
1. Confusion  The complexity of substitution.
2. Diffusion  The use of the plaintext in the cipher text.
3. Avalanche  Changing one piece of the plaintext will result in many
changes on the cipher text.
4. Permutations  Rounds
5. open (Kerckhoff’s’ Principle)
 Desirable Qualities of a key
 Long
 Random
 Secret
4. Encryption
 Symmetric (Secret key encryption / private key encryption)
1. One secret (pre-shared) key for encryption and decryption.
2. common symmetric algorithms  AES – DES – 3DES – RC-4 – RC-5 –
Two Fish – Blowfish – IDEA – CAST - MARS
3. Advantages  very fast

19
 4. Drawbacks  out of band key exchange / no authenticity support –
no integrity support – no non-repudiation support / not scalable
5. Stream (very fast and efficient – bit-by-bit encryption)
 RC-4 (The only testable)
6. Block
 AES
 AES is the standard for most uncommercial
applications like IPsec.
 3DES
 Asymmetric
1. One key for encryption (Public) and another key for decryption
(Private)  Confidentiality
2. common asymmetric algorithms  DSA – RSA – ECC – El Gamal –
Diffie-Hellman - Knapsack
3. Encryption by private key is for authenticity.
4. Solved the symmetric encryption drawbacks but it is slow.
5. Discrete Logarithms
 Diffie-Hellman
 For secure key agreement.
 ECC
 Is designed for limited processing capabilities.
 El Gamal
6. Factorization
 RSA
 RSA is the standard for digital signatures.
5. Hashing
 Provides data integrity.
 Collision  2 different messages provide the same hash. (Birthday attack)
 Hashing algorithms
 MD5  128-bit hash
 SHA-1  160-bit hash
 SHA-256  256-bit hash
 Non-repudiation = integrity + authenticity (Digital signature)
 Integrity  hash the message. (Message digest)
 Authenticity  encrypt the message with the sender’s private key.
 Note: Message Authentication Code (MAC) provides integrity and reasonable
authenticity. MAC doesn’t provide a true authenticity as it uses symmetric
encryption.
6. SSL/TLS hybrid cryptography

20
7. Symmetric VS Asymmetric

8. Public Key Infrastructure (PKI)

 X.509 standard
 PKI Elements
 Certificate Authority (CA)
 Registration Authority (RA)
 Certificate Repository
 Certificate Revocation List (CRL)
 Certificates
 X.509 v4 standard.
 Provides authenticity of a server’s public key.
 Is necessary to avoid MITM attack.
 Digitally signed by a certificate authority. (The hash of the certificate is
hashed by the CA private key)
 Revocation
21
 1. CRL
2. OCSP
9. Internet Protocol Security (IPsec)
 IPsec is an encapsulation framework.
 two modes (just encapsulation – no security till now)
 Tunnel mode  whole packet is encapsulated.
 Transport mode  only the payload is encapsulated.
 IPsec sub protocols (to add security services)
 AH (Authentication Header)
1. Provides authenticity, integrity and non-repudiation thorough the use
of an ICV (integrity check value).
2. It uses MAC.
3. The ICV is run on the entire packet (header, data, and trailer) except
for particular fields in the header that are dynamic (like TTL).
4. No confidentiality.
5. AH doesn’t work with NAT. (NAT traversal solves the issue)
 ESP (Encapsulation Security Payload)
1. The main security service is confidentiality.
2. Provides authenticity and integrity through MAC (No non-repudiation
since MAC is symmetric).
 IKE (Internet Key Exchange)
1. Oakley: uses DH to agree upon a key.
2. ISAKMP (Internet Security Association Key Management Protocol)
 Manages keys
 Security Associations (SAs)  Destination address + SPI
(random number) – Every secure connection has at least SA,
one for going and one for incoming communication.
 Security Parameter Index (SPI)
10. Attacks on cryptography
 cipher text only
 known plain text
 chosen plain text
 chosen cipher text
 MITM attack

22

Communications and Network Security
- Agenda
1. OSI reference model
2. Network protocols
3. Network connectivity devices
4. Threats to network security
5. Firewalls
6. Wireless communications
- OSI reference model
1. Open System Interconnect (By International Organization for Standardization)
Application – Layer 7
Session – Layer 6
Presentation – Layer 5
Transport – Layer 4
Network – Layer 3
Domain-4
 This defines a protocol (way of sending data) that two
Data different programs or applications understand.
 HTTP / SMTP / FTP / TFTP / Telnet / DNS
 Presents the data in a format that all computers can
understand.
 The only layer that doesn’t have any protocols.
Data (concerned with encryption, compression and formatting)
 making sure data is presented in a universal format / file
level encryption / removing redundancy from files
(compression)
 Responsible for establishing a connection between 2
applications either on the same computer or two different
Data
computers.
 create connection / transfer data / release connection
 Layer 4 provides end-to-end delivery and establishes 2
logical connection between 2 computer systems.
 Layer 3 protocols  TCP / UDP / SSL/TLS
 TCP (Transmission Control Protocol)  Connection
oriented (3-way handshake) (Advantages  easier to
Segment
program with / truly implements a session / adds security)
/ (Disadvantages  more overhead (slower) / SYN floods)
 UDP (User Datagram Protocol)  connectionless /
unreliable / no handshaking / desirable when real time
traffic is essential / low overhead / faster than TCP
 Devices  Router  Layer 3 / Routing table / isolate
traffic into broadcast domains / use IP addressing to direct
traffic / but routers are expensive, so VLAN is necessary to
isolate broadcast domains / A layer 2 switch doesn’t
understand IP addressing, so a layer 3 switch is necessary
for inter-VLAN routing (communication).
 Protocols & attacks  all protocols that start with “I”
Packet
except IMAP are layer 3 protocols.
1. IP
2. ICMP  “IP helper” / the protocol behind echoing utilities
like ping and traceroute / frequently exploited  (LOKI:
sending data in ICMP headers – covert channel) / (Ping of
death: violates the MTU size) / (Ping floods: lots of ping
traffic) / (SMURF: uses spoofed source address (Target)
23
 and directed broadcast to launch a DDoS)
3. IGMP
4. IGRP
5. IPSEC
6. IKE
7. ISAKMP
LLC  LLC  Logic Link Control (Error Detection)
 MAC  Media Access Control (Physical)
1. Addressing and media access determination (ARP / RARP)
 48-bit addressing, 24 bits for the manufacturer and 24
bits identify the device uniquely. (Attack  ARP
poisoning)
2. Media Access Control (Which system get to
Datalink – Layer 2 Frame
communicate?) (CSMA/CD  IEEE standard 802.3
MAC
Ethernet) / (CSMA/CA  IEEE standard 802.11 Wireless) /
(Token passing  a system can’t communicate without a
token , so there are no collisions)
 Devices  Switch  Layer 2 / MAC filtering / isolate
traffic into collision domains / one broadcast domain /
doesn’t isolate broadcasts natively.
 Specific cabling, Voltages and Timing.
 Devices  Hub – NIC – Cables – Connectors – modems –
wireless access points
 Transmission Media/Cabling
1. Coaxial Cable  Not flexible or easy to work with / speed
with originally limited to 10 mbps / more secure than
twisted pair, but still susceptible to vulnerabilities.
(Originally used for LANs  10Base2 (Thinnet) RG-58 –
10Base5 (Thicknet) RG-8) / (Now used for WAN  Access
RG-6 or RG-59).
2. Twisted Pair  Least secure / Easy to tab into /
susceptible to EMI and RFI / Attenuation and cross talk are
other problems / most popular is use as it is cheap and
easy to work with  Shielded and unshielded  CAT3 10
mbps / CAT5 100mbps / CAT5e and CAT6 1000 mbps.
3. Fiber Optic Cable  most secure / signal is sent as pulses
of light, so it is not susceptible to EMI/RFI. Very difficult to
eavesdrop, but also hard to work with and expensive 
Physical – Layer 1 Bit multi-mode for short distances / single mode for very long
distances (hundreds of miles).
 Layer 1 Topology
1. Bus  No central point of connection / Hard to
troubleshoot / one break in cable takes down the whole
network.
2. Ring  No central point of connection / Often
implemented with a MAU for fault tolerance.
3. Star  Switch offers fault tolerance / Switch is still a single
point of failure / the most we use today.
4. Mesh  Most fault tolerance / fully redundant / partial
mesh is often used to spare cost.
 Threats (Attacks)
1. Theft
2. Unauthorized access
3. vandalism
4. sniffing
5. interference
6. data emanation

2. OSI vs. TCP/IP (by the DoD)  Application / Host-to-host / Internet / Network Access

24
- Common Attacks
 Virus  needs a host to live in and an action by the user to spread. (E-mail
attachments and embedded scripts )
 Worm  similar to the virus but it is self-replicating.
 Logic bomb  a type of malicious code that stays dormant until a logic event occurs.
 Trojan horse  one program masquerades as another. It is the usual mean of
spreading backdoors.
 Backdoors  A program that allows access to a system that bypasses normal
security controls. Examples are NetBus, Back Orifice and SubSeven
 Salami  many small attacks add up to equal a large attack.
 Data Diddling  altering/manipulating data, usually before entry.
 Sniffing  viewing data. The best defense is encryption.
 Session Hijacking  It is a type of MITM attacks. Mutual authentication would
prevent a session hijack.
 War dialing  an attack on RAS (Remote Access Server). The attacker tries to find
the phone number that accepts incoming calls.
 DoS  against availability.
 DDoS  Control machines (Handlers) + Zombies (bots) + Dos attack
 Ping of Death  A very large ping packet.
 Ping flooding  overwhelming a system with multitude pings.
 Tear Drop  sending malformed packets which the OS doesn’t know how to
assemble. Layer 3 attack.
 Buffer overflow  attacks that overwhelm a specific type of memory on a system 
can be avoided with input validation.
 Bonk  similar to Tear drop attack with very large packets.
 Land attack  creates a circular reference on the machine. Sends a packet where
the source and the destination are the same.
 SYN flood  exploits the 3-way handshake  layer 3 protocol  a stateful firewall
is needed to prevent it.
 Smurf  uses an ICMP directed broadcast  layer 3 attack  can be prevented by
blocking distributed broadcasts on routers.
 Loki  Information is stored in the ICMP header. (covert channel)
 Fraggle  Similar to Smurf, but uses UDP instead of TCP  Layer 4 attack  can be
prevented by blocking distributed broadcasts on routers.

- Firewalls, Proxies and NAT

1. Firewalls
 Allow/block traffic.
 Layer 3 firewall  Static packet filter (Filtering based on IP and port)
 Layer 5 firewall  Stateful inspection  can block unsolicited replies. Protocol
anomaly firewalls  can block traffic if the syntax is different from the RFC.

25
  Layer 7 firewall  Application proxies / kernel proxies  make decision on content,
active directory integration, certificates, time.
 Two types of proxies
1. Circuit level  works at the session layer of the OSI model between
the application layer and the transport layer of the TCP/IP stack. It
monitors the TCP handshaking between packets to determine
whether a requested session is legitimate.
2. Application level
 Advantages  understand the protocols so they can add extra
security / they can have advanced logging/auditing and access
control features.
 Disadvantages  Extra processing is needed / they only
understand the protocols they were written to understand /
more expensive.
 Examples  Microsoft ISA / FTP Proxy / SMTP Proxy
2. NAT/PAT
 NAT  one-to-one mapping.
 PAT  multiple private addresses to one public IP address.
 Advantages  Saves public IP addresses / protects the network by hiding the
internal IP addresses
 Disadvantages  single point of failure / performance bottleneck / doesn’t protect
from bad content.
 RFC 1918  Private ranges  10.x.x.x / 172.16.x.x – 172.31.x.x / 192.168.x.x
3. Overall firewall issues
 Can be bottleneck
 Can restrict valid access.
 Often misconfigured
 Don’t protect against internal attacks.
 Don’t filter malware or improper traffic except application firewalls.
4. Overall firewall best practices
 Block unnecessary ICMP packets.
 Use least privilege.
 Keep access-lists simple.
 Disallow source routed packet packets.
 Use implicit deny.
 Enable logging.
 Drop fragments or re-assemble packets.
 Perform ingress and egress filtering. (Block ingress traffic with internal source IPs and
block egress traffic with external source IPs)

- WAN
1. Circuit switching

26
  uses public phone system
 PSTN
1. Dial Up (Remote Access)
 Disadvantages
 slow
2. Attacks
 war dialing
3. Defenses
 dial back
 caller ID restriction
 use authentication
 answer after 4 or more rings
 ISDN (Not testable)
 ADSL
1. much faster than the ISDN (6-30 times faster)
2. symmetric and asymmetric (down,oad/upload)
 T-carriers
2. packet switching (faster than circuit switching)
 X.25
 Frame Relay
 ATM
 VOIP
 Analog  Digital  Analog
 is not designed to be secure
 Security issues
1. eavesdropping (the greatest threat)
2. vishing  phishing using the phone
3. Toll fraud
4. SPIT  SPAM over IP telephony
 Performance issues
1. Latency
2. Jittering
 MPLS
 Cost effective.
 Faster and more secure than regular routed “Public” IP networks like the
internet.
 VPN can be implemented
 Purely Layer 3 technology.
 Provides QoS for VOIP and other higher priority traffic.
 Cable modems
 High speed access up to 50 mbps via cable TV lines.
 Shared bandwidth.
 Have security concerns.
27
- Wireless
1. Wireless components
 Access points
 Wireless cards
 wireless devices must use the same channel
 devices are configured to use a specific SSID (often broadcasted)
2. 802.11 Family
802.11a 802.11b 802.11g 802.11i 802.11n
 54 mbps  11 mbps  54 mbps Wireless with  100 mbps
 5 GHZ  2.4 GHZ  2.4 GHZ security, First  2.4 or 5
 8 (some as standard to GHZ
channels other require WPA
home II.
devices )

 Wireless security problems

 unauthorized access
 war driving
 MITM (unauthorized access points)
 sniffing
3. Transmission encryption
 WEP
 Shared authentication passwords.
 Weak IV (24 bits)
 IV transmitted in a clear text.
 RC-4 stream cipher (very fast but less secure)
 Easily crackable
 the only option for 802.11b
 WPA
 stronger IV
 Introduced TKIP
 still used RC-4 (for backward compatibility)
 WPA2
 AES (block cipher  very complex to reverse)
 CCMP
 not backward compatible
 WPA and WPA2 Enterprise
 Uses 802.1x authentication to have individual passwords for individual users.
 RADIUS
4. Bluetooth
 To free devices from physical wires.
 Bluetooth modes.
 discovery mode
 automatic pairing
 Bluetooth Attacks
28
  Blue Jacking  sends spam to nearby Bluetooth devices
 Blue Snarfing  copies information off a remote device
 Blue Bugging
1. more serious
2. eavesdrop calls
3. can make calls
4. allows full use pf phone
 Bluetooth Countermeasures
1. disable it if you are not using it
2. disable auto discovery
3. disable auto pairing

- Cloud Computing
1. It is about hosting services on the internet. Its main goals are reducing cost.
2. Types
 private cloud
 public cloud
 community cloud
 hybrid cloud
3. Three variety of services
 Software as a service (SaaS)
 Platform as a service (PaaS)
 Infrastructure as a service (IaaS)

29
 Domain-5

Identity and Access Management

- Agenda
1. IAAA
 Identification
 Authentication
 Type I (something you know)
 Type II (something you have)
 Type III (something you are)
 Authorization
 Accounting
2. Single Sign On
3. Access control models
4. Access control methods
5. Access control administration
6. Data Emanation

- IAAA
1. authentication and identity management
2. security controls (including management) are audited annually under Sarbanes-Oxley (SOX)
3. Credential management
 Exploits
 MITM attack and Traffic hijacking
 privilege escalation
 unauthorized access
 Solutions
 SSO
 Certificates
4. Authorization
 Confirms that an authenticated entity has the privileges and permissions necessary.
 CRUD operations  Create / Read / Update / Delete
 Access Control Models
 DAC
 MAC
 RBAC
 RuBAC
5. Accountability
 Tracing an action to a subject. (Auditing)
 Must include, the identity, the action, the object and the timestamp.

30
- Access control models
1. DAC (Discretionary Access Control)
 Object-oriented (Security of an object is at the owner’s discretion)
 Identity-based
 Access is granted through ACL.
 Examples  Windows sharing and UNIX file permissions
 Almost all client and many server based systems use DAC for its ease of use and
sharing capabilities.
2. MAC (Mandatory Access Control)
 More security. (High level of confidentiality)
 Data owners can’t grant access!
 OS makes decision based on a security label system.
 Rules for access are configured by security officers and enforced by the OS.
 Users and data are given a clearance level (confidential, secret, top secret and etc)
 Subject’s label must dominate object’s label.
3. RBAC (Role Based Access Control)
 Permissions can’t be changed without security admin’s involvement.
 Groups / Roles / Permissions
 Role/function based access control
 Threats  authorization creep
 Subject-oriented

- Authentication Types
1. Type 1 : something you know
 passwords / passphrases / cognitive password
 best practices
 not less than 8 characters
 enforce password history
 change on a regular basis
 consider brute force and dictionary attacks
 Ease of cracking cognitive passwords
 Graphic image
 Enable clipping levels and respond accordingly
2. Type 2 : something you have
 Token devices
 one time password generators  reduce vulnerability associated with
sniffing passwords / can be costly / simple device to implement / users can
lose or damage / 2 Types  synchronous: (synchronizing with authentication
server – time or event based – if damaged or battery fails, must be re-
synchronized) and asynchronous: (challenge/response – better protection
against sniffing)
 smart card
31
  have processors / much more secure / often integrated with PKI / Two types
 contact and contactless
 smart card attacks
1. Fault generation
2. side channel attacks
 differential power analysis
 electromagnetic analysis
3. micro probing
 memory card
 Holds information / doesn’t process / holds authentication information /
usually paired with a PIN / usually insecure / easily copied / a credit card is a
type of memory card.
 hardware key
 cryptographic key
 certificate
 cookie
3. Type 3 : something you are (Biometrics)
 Static
 Should not significantly change over time.
 Bound to user’s physiological traits.
 Finger print
 hand geometry
 retina
 Dynamic
 based on behavioral treats
1. voice
2. gait
3. signature
4. keyboard cadence
5. signature
 Biometric concerns
 Accuracy
1. Type I error: False Rejection Rate (FRR)
2. Type II error: False Acceptance Rate (FAR)
3. As FRR goes down, the FAR goes up and vice versa.
4. The level at which, the 2 values meet is called crossover error rate
(CER). The lower the CER, the more accurate the system.
5. Iris scan is the most accurate.
 User acceptance
1. cost/benefit analysis
2. many users feel biometrics are intrusive (Retina scan can reveal
health care information)
3. Time for enrollment ant verification can make user resistant.

32
 4. No way to revoke biometric.
4. Type 4 : something you do
5. Type 5 : somewhere you are

- SSO and Kerberos

1. Some SSO systems are
 Kerberos
 LDAP
 SeSame
 KryptoKnight
2. SSO Pros and Cons
 Pros
 Ease of user for end users
 Centralized control
 Ease of administration
 Cons
 Single point of failure
 standards necessary
 keys to kingdom
3. Kerberos
 Never transfer passwords.
 avoids replay attack
 uses symmetric encryption to verify identifications
 Used in Windows 2000+ and some UNIX systems.
 allows SSO
 Kerberos Components

 Kerberos Concerns
 Computers must have clocks synchronized within 5 minutes of each other.
33
  Tickets are stored on the workstation.
 If your KDC is hacked, security is lost.
 A single KDC is a single point of failure and a performance bottleneck.
 Still vulnerable to password guessing attacks.

- Access control methods

1. Rule-based Access control
 if x then y (logic)
 Example  Routers and firewalls
2. Constrained user interface
 views
 restricted shell
 menus
 physically constrained interface (ATM)
3. content-dependent access control
 Access is determined by the type of data. (Web proxy)
4. context-dependent access control
 system reviews a situation then makes a decision on access (Time profiles)
- Centralized Access Control Administration
1. RADIUS
 Authentication protocol that authenticates and authorizes users.
 Communication between radius client and radius server is protected.
 The radius client always dial in to an access server.
2. TACACS, TACACS+
3. Diameter

- Emanation Security

34
 Domain-6

Security Assessment and Testing

- Agenda
1. Introduction to security assessment
2. vulnerability assessment
3. penetration testing
4. remediation
5. intrusion detection
6. audit logs
7. common vulnerabilities

- Vulnerability assessment and penetration testing

1. vulnerability assessment
 physical / administrative / logical
 identify weaknesses
 vulnerability scanning
 Identifying
1. Active hosts on the network.
2. Active and vulnerable services (ports) on hosts.
3. applications
4. operating systems
5. Vulnerabilities associated with applications and operating systems.
6. misconfigured settings
 Testing compliance with host applications usage/security policies
 Establishing a foundation for penetration testing
2. penetration testing
 ethical hacking to validate discovered weaknesses
 red teams (attack) / blue teams (defend)
 Degree of knowledge
 zero knowledge  black box testing
 partial knowledge  gray box testing
 full knowledge  white box testing
3. NIST 800-42 guideline on security testing
4. Attack methodology
 Test attacks 1 of 2
 Reconnaissance
1. whois database / search engines / company website
 Footprinting
1. Mapping the network (Nmap)
2. ICMP ping sweeps
3. DNS zone transfers
35
  Fingerprinting
1. Identifying host information
2. port scanning
 Vulnerability assessment
1. identifying weaknesses in system configurations
2. discovering unpatched software
 Test attacks 2 of 2
 The attack
1. penetration
2. privilege escalation
3. root kits
4. cover the tacks
5. Penetration testing considerations
 Three basic requirements
 Meet with senior management to determine the goal of the assessment.
 get sign off from senior management
 document rules of engagement
1. Specify IP addresses/ranges to be tested. (Any restricted hosts)
2. A list of acceptable testing techniques.
3. Times when testing to be conducted.
4. Handling information collected by penetration testing team.
5. Measures to prevent law enforcement being called with false alarms.
 Issue: it could disrupt productivity and systems
 Overall purpose is determine the effectiveness of current security measures.
6. Types of penetration testing
 Physical security
 Logical security
 Administrative security
7. Approaches to testing
 Do not rely on single method of attack. (dumpster diving)
 Path of least resistance. (users/social engineering)
 Break the rules. (Attempt things not expected)
 Do not rely on high tech tools.
 stealth methods may be required
 do not damage a system or data
 have a toolkit of techniques
 do not overlook small weakness in search for the big ones
8. Network scanning
 active hosts
 port scanning
 network services

36
- Intrusion Detection
1. IDS
 identify suspicious activity
 alert people
 interface in promiscuous mode  SPAN port (port mirroring)
 log activity
 detective control (passive device)
 categories
 HIDS
1. Logins
2. system log files / audit files
3. network traffic from/to host
4. application log files / audit files
5. file activity / changes to software
6. configuration files changes
7. CPU usage
8. use of certain programs
9. processes being launched or stopped
10. Advantages of HIDS  understand the latest attack against service on
a host / can look at data after it has been decrypted (network traffic is
usually encrypted)  NIDS can’t look at encrypted traffic.
11. Disadvantages of HIDS  protect single machine / use local resources,
CPU and memory / scalability / can be disabled if the machine is
hacked
 NIDS
1. focuses on network traffic
2. A NIDS will always look for
 Dos Attacks
 Port scans
 Malicious content
 vulnerability tests
 tunneling
 brute force attack
 policy violations  detecting instant messaging or streaming
video
3. NIDS advantages
 can cover whole network
 easier to be deployed than HIDS
 see things that are happening on multiple machines and may
see distributed attacks that a HIDS would miss
4. NIDS problems
 Traffic must be decrypted to be analyzed
 It doesn’t see what is going on a server directly.
 Should be able to handle wire speed.
37
  IDS components
 Sensor
 user interface and reporting
 signature database
 analysis engine (IDS = packet sniffer + analysis engine)
1. pattern matching (signature based)
 compare network traffic against known signatures
 concerns  pay for a signatures subscription / doesn’t detect
zero day attacks / signature database has to be always
updated
 less false positives
2. profile matching (anomaly / behavioral / heuristic)
 look for change in normal traffic  (learning mode + baseline)
 can detect zero day attacks (advantage)
 Lots of false positives (so, it is often ignored)  the more false
positives you get, the less seriously you take positives.
 requires much more skilled analysts
2. IPS
 preventive control (active device)
3. bypassing an IDS
 Evasion attack  many small attacks from different directions.
 Insertion attack  adding meaningless information to a known attack. (geared
toward a signature based systems)

- Honeypots
1. Loophole purposely added to operating system or application to trap intruders.
2. Intruders will attack this system instead of production systems.
3. padded cells and vulnerability tools
 Environment that is created for new applications and processes to run in. (similar to
virtual machines)
 Simulated environment to keep the intruder busy.

38
 Domain-7

Security Operations

- Security operations objectives

1. Incident response
2. Forensics
 Evidence collection
 Admissibly issues
 Types of evidences
3. Fault tolerance and recovery strategies

- Incident Response
1. Incident management
 Event  an observable change in state.
 Alert Flagged events that may require further investigation to determine if an
incident has taken place.
 Incident  Adverse impact to the system or network.
 Types of incidents  Dos or DDoS / malicious code / unauthorized access /
inappropriate access
 Incident response process
 Preparation  I have to put together a team and train them / I have to have
the policies and procedures / I have to have the necessary tools.
 Detection and analysis  which systems are affected? / What is the root
cause? / What is the scope of the damage?
 containment, education and recovery  get back up and running /
documentation
 Post-incident review  lessons learnt / what are the internal vulnerabilities?
2. Problem management
 an incident with an unknown cause
 incident notification
 root cause analysis
 solution determination
 request for change
 implement solution
 monitor and report

- Forensics
1. Computer forensics: collection, preservation, validation, identification, analysis,
interpretation, documentation and presentation of digital evidence.
2. IOCE and SWGDE are 2 entities that provide forensics guidelines and principles as follows
39
  All forensics principles must be applied to digital evidence.
 Evidence should not be altered as a result of collection.
 If a person is supposed to access original digital evidence, that person must to be
trained for such a purpose.
 All activities related to evidence transfer must be fully documented and available for
review.
3. Five rules of digital evidence  Digital evidence must be authentic / accurate / complete /
convincing / admissible
4. Forensics investigation process
 identification
 Locard’s principle of exchange: when a crime is committed, the attacker takes
something and leaves something behind. What they leave behind can help us
identify aspects of the responsible party?
 preservation
 documentation  a history of how the evidence was collected / analyzed /
transported / preserved
 Hashing algorithms are used to ensure that the evidence has not been
modified by the investigation process.
 collection
 keep detailed logs of your actions
 minimize handling of evidence
 comply with the 5 rules of digital evidence
 do not exceed your knowledge
 follow organization’s security policy
 capture an accurate image of the system
 ensure actions are repeatable
 work fast (The digital evidence may have short lifespan)
 do not run any program or open any file on the infected system till a forensic
copy of the disk has been made
 work from volatile to persistence evidence (sequencing)
 photograph area and record what is on the screen
 dump contents from memory
 power down system
 photograph inside of system
 label each piece of evidence
 record who collected what and how
 have legal department and possibly human resources involved
 The fourth amendment protects against illegal search and seizure
 computer evidence can be obtained by law enforcement only through
1. subpoena
2. search warrant
3. voluntary consent
4. exigent circumstances
40
  examination
 look for known attacks signatures
 review audit logs
 hidden data recovery
 analysis
 primary image (original) VS working image (copy)
 both copies must be hashed and working copy should be write protected
 What is the root cause?
 What files are installed/altered?
 What communication channels were opened?
 presentation
 documentation
 decision
 What are the results of investigation?
1. suspects
2. corrective actions
5. Types of evidence
 Direct evidence  can prove a fact by itself and doesn’t need backup information.
Information provided based on the 5 sense of a (reliable) witness.
 Real evidence  physical evidence. The objects themselves that are used in a crime.
(Example: laptop)
 Best evidence  most reliable. (a signed contract)
 Secondary evidence  not strong enough to stand alone but can support other
evidence. (Expert opinion)
 Corroborative evidence  support evidence. Backup other information presented.
Can’t stand on its own.
 Circumstantial  proves a fact which can be used to suggest another. Cannot stand
on its own.
 Hearsay  2nd hand oral or written. Usually not admissible.
 Demonstrative  presentation based. photos of a crime scene, x-rays, diagrams and
etc. (visual)
6. Who should do the investigation?
 Law enforcement
 Available skilled resources for this investigation?
 Fourth amendment.
 Information dissemination is not controlled.
7. Suspect’s actions and intent
 Enticement
 Tempting a potential criminal.
 Legal and ethical.
 Honeypot.
 Entrapment
 Tricking a person into committing a crime.
41
  illegal and unethical
 Pointing a user to a site and then saying they trespassed.

- Fault Management
1. Spares
 Redundant hardware
 available in the event that the primary device becomes unavailable
 often associated with hard drives
 Hot, warm and cold swappable devices
 SLAs
 MTBF and MTTR
2. Redundant servers
 Primary server mirrors data to secondary server. (server fault tolerance)
3. RAID
RAID-0 RAID-1 RAID-5
 No fault tolerance  Disk mirroring –  Disk striping with
 No redundancy provides redundancy parity.
 Provides performance  The least efficient  Fault tolerance +
improvement for usage of space speed
read/write functions

4. UPS
5. Clustering
 A group of servers that are managed as a single system.
 Higher availability, great scalability, easier to manage instead of individual systems
 May provide redundancy, load balancing or both. (active/active or active/passive)
 Cluster looks like a single server to the user. (server farm)
 Clustering vs. load balancing  clustering: multiple servers as on single system. Load
balancing: distributing the load on multiple servers.
6. Backups
 It is important to be able to restore data:
 If a hard drive fails
 if a disaster takes place
 some type of software corruption
 Backup types
Full Backup Incremental Backup Differential Backup Copy Backup
 Archive bit is  Backup all files  Backup all files  Same as full
reset. that has been that has been backup but
modified since modified since archive bit is
last backup. last full backup. not reset.
 Archive bit is  Archive backup  Use before
reset. is not reset. upgrades, or
 Slowest restore. system
maintenance
.

42
 Sunday Monday Tuesday Wednesday Thursday (restore)
Full Full Full Full Full (W)
Full Inc Inc Inc Full (S) + Inc (M, T, W)
Full Diff Diff Diff Full (S) + Diff (W)

7. Database shadowing, remote Journaling, Electronic Vaulting

 Database shadowing  disk shadowing (mirroring technology) / updating more
copies of data at the same time / data saved to two media types for redundancy.
 Remote journaling  moves the journal or transaction logs to a remote location, not
the actual files.
 electronic vaulting  copy of modified files is sent to a remote location where the
original backup is stored / batch process of moving data
8. Redundancy of staff

43
 Domain-8

Software Development Security

- Agenda
1. Why is software unsecure?
2. Development methodologies
3. Common architectures
4. Monitoring and Auditing
5. Adversaries
6. OWASP top 10
7. Change management
8. Assessing vulnerabilities
9. Databases
 Design
 Vulnerabilities/threats
10. Verification and validation
11. Secure disposal

- Why is software unsecure?

1. lack of training
2. lack of funding
3. no prioritization of security
4. security as an afterthought

- Software development methodologies

1. Waterfall

44
  Pros
 Each phase has a specific deliverables and a review process.
 Phases are processed and completed one at time.
 Best for small projects where requirements are very well understood.
 It reinforces “define before design” and “design before code”.
 cons
 Adjusting scope during the life cycle can kill a project.
 No working software is produced until late during the life cycle.
 High amounts of risk and uncertainty.
 Poor model for long and ongoing projects.
 Poor model if there’s a probability of change.
2. Prototype

 Pros
 Users interact with prototype very quickly and can identify needed changes
and refine requirements.
 The developer can obtain feedback from the users early in the project.
 Cons
 There’s tendency to do superficial analysis.
 Clients rarely understand all the ramifications of proposed changes.
 Developers may use shortcuts to create the prototype and sometimes don’t
formalize their processes for the actual product.
3. Spiral

45
  Pros
 Good for large, mission-critical projects.
 High amount of risk analysis.
 Software is produced early in the software life cycle.
 Cons
 Can be costly.
 Risk analysis requires highly specific expertise.
 Project’s success is highly dependent on the risk analysis phase.
 Doesn’t work well for small projects.
4. Agile

46
  Pros
 Less defects in the final project.
 Adaptable to changing requirements. (Flexibility)
 Iterations provide an immediate feedback.
 Cons
 Lack of documentation.
 Hard to have good system design.
5. Quick Review
Waterfall Prototyping Spiral Agile
Phased approach that is Produces prototype and A combination of Addresses projects
focused on deliverables custom adds refinements waterfall and where requirements
being produced at end of until requirements are prototyping. change frequently.
each phase. met.

- Common architectures
1. Distributed computing
 client-server  Thin vs. Fat clients / scalability / maintainability / availability /
security
 peer-to-peer  frequently used for file sharing / channel security is needed
2. Service oriented architecture (SOA)  SOA is an architecture and a vision on how
heterogeneous applications should be developed and integrated in the enterprise.
 share a formal contract
 loosely coupled (minimizes dependencies)
 abstraction (services hide logic from outside world)
 compatibility
 Reusable
 Autonomous
 stateless
 discoverable
3. Rich internet application
 client side threats
 XSS  code injection on a trusted website that doesn’t provide a proper
input validation. The code –usually java script code- runs on the client
(victim) machine. It takes advantage of trust I have in a website.
 CSRF  stealing the session ID/cookie to make authorized actions. (Session
hijacking). It takes advantage of trust a website has in me.
 server side threats
 code injection  input validation (Example: SQL injection)
 aggregation and inference (collecting information and making an assumption
based on collected information)  masking / polyinstantiation
4. Ubiquitous computing
 wireless networking
 RFID
47
  NFC (Near Field Communications)
 LBS (Location Based Services)
5. Cloud architecture

- Monitoring
1. Objectives:
 Validate compliance to regulations.
 Demonstrate due care and due diligence.
 Provide evidence for audit defense.
 Assist in forensics.
 Determine the security level.
 Ensure the CIA.
 Detect internal and external threats.
 Validate that appropriate controls are in place and working effectively.
2. Characteristics of good metrics:
 consistency: the results of the same data set must be the same or equivalent
 quantitative: precise, numeric values, objective
 objectivity: unbiased
 Relevance: should have a direct bearing on a decision.
 inexpensive: cost-effective

- Auditing
1. is a detective control
2. ensures that policies are being followed
3. privileged actions are restricted to authorized personnel
4. User accounts are not unintentionally being allowed to accumulate rights/permissons.

- Adversaries
1. script kiddie
2. hackers  black hackers / gray hackers / white hackers (pen testers)
3. elite  very high skill level (talented attackers)

- OWASP
1. Vulnerability databases and resources
 OWASP (Open Web Application Security Project) Top 10
 CVE (Common Vulnerabilities and Exposures)
 NVD (National Vulnerabilities Database)
 CWE (Common Weaknesses Enumeration)
48
  US CERT (Computer Emergency Response Team) Vulnerability Database
2. OWASP
 International non-profit organization.
 Designed to raise awareness
3. 2013 – TOP Ten
 Code injection
 Broken authentication and session management  poor session management can
lead to compromise of credentials and/or session hijacking.
 Cross site scripting
 Insecure direct object reference

 Security misconfigurations
 Sensitive data exposure. (Reasons  insufficient data in transit protection /
insufficient data at rest protection / electronic social engineering)
 missing function level access control
 Cross Site Request Forgery
 mitigation strategies  don’t save username/password in the browser / do
not check remember me option in websites / do not use the same browser to
surf the internet and access sensitive web site at the same time, if you are
accessing both from the same machine / read standard e-mails in a plain text
/ explicitly log off after using a web application / use client-side browser
extensions that mitigate CSRF attacks.
 develop strategies to mitigate CSRF  implement the software to use a
unique session specific token that is generated randomly / CAPTCHAs can be
used to establish specific token identifiers per session / use POST instead of
GET for sensitive data transactions
 known vulnerable component usage
 invalidated redirects and forwarders

- Defensive coding
1. input validation
2. Sanitization  convert something that seems dangerous to safe form. Input sanitization
types are striping and substitution. Output sanitization is encoding.
3. Error handling (exception handling) messages.
4. Safe APIs
5. concurrency
6. Tokenizing  is to replace sensitive data with unique identification symbols that still retain
the needed information about data.
7. sandboxing
8. anti-tampering  obfuscation / protection against reverse engineering / code signing
9. version control
49
 10. Code analysis  inspect code for quality and weaknesses  two types: static  inspecting
the code without execution / dynamic  inspecting the code when it is being executed.
11. code review  insecure code / inefficient code

- Security testing
1. white box (aka structural analysis) – Full access to:
 source code
 design documents
 configuration files
 use and misuse cases
2. Black box  No knowledge of the code
 Fuzzing
 Known as fault injection tolerance  inject faults into the software and then
observe the behavior. (brute force type of testing)
 Verifies the effectiveness of input validation.
 Also used to find coding defects and security bugs.
 Ideally prevents issues with buffer overflow, remote code execution, logic
faults, etc.
 Scanning  is used to:
 map the environment
 identify server versions, open ports and running services
 inventory and validate asset management database
 identify patch levels
 prove due care and due diligence for compliance issues
 Types of scanning
1. vulnerability scanning
2. port scanning
3. privacy scanning  performed do detect violations of privacy policies
4. content scanning  analyzes the actual contents of the document for
malicious content
 Penetration testing  is active testing while scanning is passive. It usually follows
the steps:
 reconnaissance
 resiliency attack
 removal of evidence
 reporting and recommendations

- Verification and validation

1. Verification  does the software meet the developer’s description? Does the software
satisfy the requirements?

50
 2. Validation  Does the software solve the problem that it was supposed to solve? Does it
meet a real world need?
3. verification and validation checks  Confidentiality / Integrity / Availability / authentication
/ authorization / auditing / secure session management / proper exception handling /
configuration management
4. Certification  Does the product provide the appropriate security needs in a particular
environment? Completed by independent testers or QA. (Technical evaluation of security
features)
5. Accreditation  management’s acceptance (risk acceptance) of the product

- DB Management
1. Database models (describe relations between data elements / used to represent the
conceptual organization of data / Formal methods of representing information)
 Hierarchical
 stores related information in a tree-like fashion
 info traced from groups to subgroup
 predetermined access paths to data
 data traced through parents (hierarchy)
 Distributed
 Client-server types of DB located on more than one server distributed in
several locations.
 Synchronization is accomplished via a 2-phase commit or replication
methods.
 Data accessible in a single search function despite separate location.
 object-oriented
 Keep track of objects and entities that contain both data and action on the
data.
 Designed for non-text data such as graphics, videos and audio clips.
 The operations carried out on data objects are considered part of their
definition.
 Relational
 A DB in the form of tables related to each other.
 Stores data in such a way that a data manipulation language can be used
independently on data.
 uses a database engine (oracle, Sybase, etc)
2. Relational database components
 definitions
 Primary key  a unique identifier for each record.
 Normalization  The process of removing duplicates and ensuring that each
attribute only describes the primary key.
 Entity integrity  the primary key can’t be null.
 Data dictionary
51
  metadata
 Foreign keys
 view
 cell
 record
 file
 schema
 Tuple
 Attribute

3. database integrity
4. database security issues
5. data warehousing and data mining

52