
How I Passed the CISSP Test: Lessons Learned in Certification Presented by Kirk A. Burns, CISSP.


1 How I Passed the CISSP Test: Lessons Learned in Certification Presented by Kirk A. Burns, CISSP

2 Admin Data Emergency Exits Breaks Phones Other Admin Data

3 Introduction Instructor What is this class going to provide me? What should I expect to get out of this class?

4 Class Structure Broken up into 12 parts Part 1: introduction Parts 2 – 11: will be the domains Part 12: will be examples of types of questions you might see. THESE ARE NOT copies of the questions from the exam

5 What is (ISC)²? (ISC)² International Information Systems Security Certification Consortium Non-profit organization which specializes in information security education and certifications Often described as the “world’s largest IT security organization” Based in Palm Harbor, Florida, USA Offices in London, Tokyo, Hong Kong, Vienna, Virginia Over 85,000 certified professionals in 135 countries

6 (ISC)² Code of Ethics Preamble: The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Code of Ethics Canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure Act honorably, honestly, justly, responsibly, and legally Provide diligent and competent service to principals Advance and protect the profession

7 BENEFITS OF (ISC)² MEMBERSHIP Member Benefits Continuing Education Security Leadership Series events Discounts Worldwide receptions, conferences, RSA, InfoSec, SecureAmerica Face-to-Face Networking Virtual Networking Career Tools, InterSeC

8 BENEFITS OF (ISC)² MEMBERSHIP Industry Awards Resources InfoSecurity Professional Magazine Information Security Perspective journal Member submitted security awareness materials Volunteer Opportunities

9 What is CISSP? Certified Information Systems Security Professional Governed by (ISC)² Worldwide recognition of competence Practical understanding of information security issues and solutions ANSI accreditation based on the ISO/IEC 17024:2003 standard (obtained in June 2004) Awareness of security challenges As of November 2013, reported to have 90,198 members worldwide in 149 countries

10 ROLE OF THE CISSP CISSPs often hold job functions such as: Security Consultant Security Manager IT Director/Manager Security Auditor Security Architect Security Analyst Security Systems Engineer Chief Information Security Officer Director of Security Network Architect

11 ROLE OF THE CISSP Develops and oversees the implementation of the organization’s information security policies and procedures Provides advice on implementation of information security solutions and technologies Monitors compliance with regulatory bodies and employees, contractors, alliances and other 3rd parties

12 COMMON BODY OF KNOWLEDGE CBK The (ISC)² CBK is a compendium of topics relevant to information security professionals around the world. The (ISC)² CBK is the accepted standard in the industry, the subject of many books written on information security, and the core of the university information assurance programs around the globe. The CBK continues to be updated annually by (ISC)² CBK Committees comprised of members from many industries and regions around the world, to reflect the most current and relevant topics required to practice in the field. (ISC)² uses the CBK domains to assess a candidate’s level of mastery of information security.

13 How to Get Your CISSP Certification 1) Obtain the Required Experience a) must have a minimum of five (5) years cumulative paid full-time work experience in two (2) or more of the ten (10) domains. b) May receive a one year experience waiver with a four-year college degree, or regional equivalent OR additional credential from the (ISC)² approved list (requiring four (4) years of direct full-time professional security work experience in two or more of the ten domains) 2) Study for the Exam 3) Schedule the Exam 4) Pass the Exam 5) Complete the Endorsement Process 6) Maintain the CISSP Certification

14 CISSP EXAM The CISSP exam 250 questions 6 hours To pass must get 700 points out of 1000 BE ON TIME!!!!!! Bring admission letter Must have government issued Photo ID Bring pencil and eraser ~$500

15 ENDORSEMENT PROCESS What is needed for the Endorsement Process Provide a recent resume Complete the Examination Registration Form Submit a completed and executed Endorsement Form

16 MAINTENANCE REQUIREMENTS To maintain the CISSP certification and remain in “good standing” with (ISC)², you are required to: Pay the Annual Maintenance Fee (AMF) of $85 USD at the end of each certification year Earn and submit 120 credits over three years. A minimum of 20 CPEs must be posted during each year of the three year certification cycle

17 THE DOMAINS Access Control Business Continuity and Disaster Recovery Planning Cryptography Information Security Governance and Risk Management Legal, Regulations, Investigations, and Compliance Operations Security Physical (Environmental) Security Security Architecture and Design Software Development Security Telecommunications and Network Security

18 Golden Rules 1. People Safety First 2. Management buy-in is Critical 3. Everyone is responsible for Security 4. Training is Essential 5. Policy is the Key to (nearly) everything

19 What If I Don’t Have The Experience? For those who don’t have the experience, there is the Systems Security Certified Practitioner (SSCP) Only need 1 year of experience Domains covered: Access Controls Cryptography Malicious Code and Activity Monitoring and Analysis Networks and Communications Risk, Response and Recovery Security Operations and Administration

20 Access Control

21 Domain Objectives Provide definitions and key concepts Identify access control categories and types Discuss access control threats Review system access control measures Understand Intrusion Detection and Intrusion Prevention systems Understand Access Control assurance methods

22 Access Control Is the basic foundation of information security Implemented differently depending on whether the area of implementation is physical, technical or administrative. Categories include: Preventive Detective Corrective Deterrent Recovery Directive Compensating Often used in combination

23 Access Control A comprehensive threat analysis will identify the areas that will provide the greatest cost-benefit impact. The field of access control is constantly evolving. Organizations need to know what is available and what methods will best address their issues. Data and system access control are NOT the same. User might have access to a system but not to the data. Think “need-to-know” Access control assurance addresses the due diligence aspect of security. Implementing a control is part of due care, but due diligence involves regularly checking to ensure that the control is working as expected.

24 Information Security TRIAD

25 Domain Objectives Definitions of Key Concepts Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

26 Basic Requirements Security – ensure only authorized users and processes are able to access or modify Reliability – ensure control mechanisms work as expected, every time Transparency – have minimal impact on the ability of authorized users to interface with the system and do their job Scalability – should be able to handle a wide range of changing systems and user load without compromising system performance Maintainability – if too time-consuming or complicated, admins may not keep them up to date Auditability – should provide audit trails Integrity – must be designed to protect from unauthorized changes Authentic – help ensure that data input is authentic

27 Key Concepts Separation of duties No one person should have control over the process. Allowing this could allow a person to manipulate the system for personal gain. Process should be broken down into individual steps executed by different people. Rotation of duties prevents collusion between two or more people. This minimizes the chance of or exposes fraud. Forced vacation can provide the same effect. Core element of the Clark-Wilson Integrity model Least privilege – only allow access to resources that are absolutely needed for work Need-to-know – just because you have the clearance doesn’t mean you really need to know the data or process

28 Information Classification Is the PROPER assessment of the sensitivity and criticality of information Ensures that info is neither improperly disclosed nor overprotected Objectives: Identify info that needs to be protected Standardize labeling Alert authorized holders of protection requirements Comply with laws, regulation, etc. Benefits – keeps cost down Example of classification: Public, internal use only and company confidential Compartmentalized information – information that requires special privilege to access

29 Information Classification Procedures Scope – risk analysis will evaluate data for classification. Things to consider: Exclusive possession (trade secrets, etc.) Usefulness Cost to recreate Legal or regulatory liability Operational impact Etc. Process – goal is to achieve a consistent approach to handling classified information Marking and labeling – for all types of media to include video Human readable Machine readable Assurance – regular internal and possibly external audits should be done

30 Domain Objectives Definitions of Key Concepts Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

31 Access Control Types Administrative – policies and procedures. Technical/logical – use of hardware and software controls Physical – manual, structural or environmental controls to protect facilities and resources

32 Access Control Categories Preventive – block unwanted actions. However, only effective if employees see these as necessary Detective – identify, log and alert management of unwanted actions (during or after event) Corrective – remedy the circumstances that enabled event Directive – controls dictated by organizational and legal authorities Deterrent – Prescribe some sort of punishment Recovery – restore lost resources or capabilities Compensating – backup controls that come into effect when normal controls are unavailable

33 Domain Objectives Definitions of Key Concepts Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

34 Access Control Threats Denial of service Password crackers Dictionary Brute force Rainbow tables Keystroke loggers Spoofing/masquerading Machine Impersonation Sniffers Shoulder surfing/swiping Dumpster diving Emanations Time of Check (TOC)/Time of Use (TOU)

35 Domain Agenda Definitions of Key Concepts Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

36 System Access Control Identification – process of recognizing users or resources as valid accounts Authentication – verification of the identity of the person or node Authorization – determines what a user or node is allowed to do once identified and authenticated Accountability – ability to track user activity

37 Identification Methods Most common is UserID, account number, or PIN Biometrics can also be used Guidelines – unique UserID unless anonymity is required RFID – can be used in place of above methods to identify user MAC and IP address – used primarily to identify a node on the network Security user registration – user interacts with a registration authority to become an authorized member of the domain 1. UserID, encryption keys, job title, etc. 2. User validation

38 Authentication Methods Knowledge (something you know) Ownership (something you have) Characteristics (something you are)

39 Identity and Access Management Need for identity management – needed to manage, authenticate, authorize, provision, de-provision and protect identities Challenges – the more complex a network and data protection system, the more challenging to manage Identity management technologies – designed to centralize and streamline the management of user ids, authentication and authorization

40 Identity Management Challenges Consistency – user data entered across different systems MUST be consistent Reliability – user profile data should be reliable. Especially if used to control access to data or resources Usability – multiple logins over multiply systems might not be the best idea Efficiency – using an identity management system can decrease costs and improve productivity for both users and administrators Scalability – the management system used must be able to scale to support the data, systems and peak transaction rates

41 Identity Management Challenges Principals Insiders – employees and contractors Outsiders – customers, partners, vendors, etc. Data – different types of data about principals must be managed Personal, legal and access control Some of this data might have regulatory requirements Life Cycle Initial setup – when user joins Change and maintenance – routine pw change, name changes, etc. Tear-down – when user leaves

42 Identity Management Technologies Web Access Management (WAM) Password management Account management Profile update

43 Access Control Technologies Single sign-on Kerberos SESAME - protocol developed by the European Union. Also known as SSO Web Portal Access Directory services Security domains

44 Domain Objectives Definitions of Key Concepts Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

45 Access to Data Mandatory Temporal Discretionary Role Rule Content Privacy List Matrix Capabilities Non-discretionary Constraints Centralized Decentralized Implementations Descriptions

46 Access Control Lists (ACL) Most common implementation of Discretionary Access Control (DAC) Provide easy method to specify which users are allowed access to which objects Objects/subjects Files/users O.S. dependent Each OS has its own way of representing ACLs. UNIX – 3 subjects: owner, group and world w/ 3 permissions: Read, Write, Execute ACL support in Linux is available for Ext2, Ext3, IBM JFS, ReiserFS and SGI XFS Microsoft has unlimited # of subjects and 26 permissions
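An added example, not from the slides: a model of the UNIX owner/group/world check described above, written to show the rule that surprises people, namely that exactly one class applies to a subject and it is chosen before the permission bits are read. The names (Subject, FileMeta, unix_access) and the uid/gid values are this example's own.

```python
"""Model of the UNIX owner/group/world permission check (teaching example)."""
from dataclasses import dataclass, field
from typing import FrozenSet

# Permission bits as the mode word stores them (same values as stat.h).
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: FrozenSet[int] = field(default_factory=frozenset)  # primary + supplementary groups


@dataclass(frozen=True)
class FileMeta:
    owner_uid: int
    owner_gid: int
    mode: int  # e.g. 0o640


def permission_class(subject: Subject, f: FileMeta) -> str:
    """Pick the single class (owner, group or world) that governs this subject.
    Ownership is tested first, then group membership, then everyone else."""
    if subject.uid == f.owner_uid:
        return "owner"
    if f.owner_gid in subject.gids:
        return "group"
    return "world"


def unix_access(subject: Subject, f: FileMeta, requested: int) -> bool:
    """Return True if every bit in `requested` (R|W|X) is granted.
    uid 0 is modelled the traditional way: read/write always, execute only
    if at least one execute bit is set anywhere in the mode."""
    if subject.uid == 0:
        if requested & X and not (f.mode & 0o111):
            return False
        return True
    shift = {"owner": 6, "group": 3, "world": 0}[permission_class(subject, f)]
    granted = (f.mode >> shift) & 0o7
    return (granted & requested) == requested


def demo() -> dict:
    """Constructed scenario: alice owns the report, but a careless chmod 0o077
    locks HER out while her group and everyone else can still read it. This is
    also the slide's point that system access and data access differ: all three
    accounts can log in to the host, only two can read the data."""
    report = FileMeta(owner_uid=1001, owner_gid=50, mode=0o077)
    alice = Subject(uid=1001, gids=frozenset({50}))  # owner
    bob = Subject(uid=1002, gids=frozenset({50}))    # same group, not the owner
    carol = Subject(uid=1003, gids=frozenset({60}))  # unrelated account on the host
    return {
        "alice_read": unix_access(alice, report, R),  # owner class has no bits
        "bob_read": unix_access(bob, report, R),      # group class: rwx
        "carol_read": unix_access(carol, report, R),  # world class: rwx
    }
```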

47 Centralized/Decentralized Access Control Centralized access control – one entity makes network access decisions. Owners decide which users can access specific objects and the administration supports these directives. RADIUS TACACS+ Diameter (RADIUS base but enhanced to overcome inherent limitations) Decentralized access control – decisions and admin are implemented locally, allowing people closer to the resource security controls. Often causes confusion because it can lead to non-standardization, overlapping rights, etc. P2P

48 Domain Objectives Definitions of Key Concepts Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

49 Intrusion Detection Systems Network Based NIDS Host-Based HIDS Application-Based AIDS APIDS = Packet = Permission = Process

50 Intrusion Prevention Systems Host-based Network-based Content-based Rate-based KPI (Key Performance Indicator) - measure effectiveness

51 Analysis Engine Methods Pattern or signature-based Pattern matching Stateful matching Anomaly-based Statistical Traffic Protocol Heuristic scanning

52 IDS/IPS Examples Anomaly Multiple failed logins User logged in at unusual times Unexplained changes to system clocks Unusual number of error messages Unexplained system shutdowns/restarts Response Dropping suspicious packets Denying access to suspicious users Reporting suspicions to other system hosts/firewalls Changing IDS configurations Alert IM Pager Audible alarm
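An added example, not from the slides: two of the anomaly indicators listed above, multiple failed logins and a user logged in at unusual times, turned into detection logic run over a few constructed auth-log lines. The log format, the five-failures-per-minute threshold and the 07:00 to 19:00 "normal hours" baseline are assumptions made for this example.

```python
"""Anomaly detection over constructed auth-log lines (teaching example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log, not real data. Format: ISO timestamp, outcome, user, source.
SAMPLE_LOG = """\
2024-03-04T09:12:01 FAILED user=bob src=10.0.0.7
2024-03-04T09:12:05 FAILED user=bob src=10.0.0.7
2024-03-04T09:12:09 FAILED user=bob src=10.0.0.7
2024-03-04T09:12:14 FAILED user=bob src=10.0.0.7
2024-03-04T09:12:20 FAILED user=bob src=10.0.0.7
2024-03-04T09:12:31 SUCCESS user=bob src=10.0.0.7
2024-03-04T10:05:00 FAILED user=alice src=10.0.0.9
2024-03-04T14:05:00 FAILED user=alice src=10.0.0.9
2024-03-04T15:00:00 SUCCESS user=alice src=10.0.0.9
2024-03-05T03:17:42 SUCCESS user=svc_backup src=10.0.0.20
"""

LINE_RE = re.compile(r"^(\S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")


def parse(log: str) -> List[Tuple[datetime, str, str, str]]:
    """Turn log text into (timestamp, outcome, user, src) tuples; skip junk lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)) -> List[Dict]:
    """Sliding window per (user, src): alert when `threshold` failures fall
    inside `window`. Sliding rather than fixed buckets, so a burst that
    straddles a minute boundary is still caught."""
    alerts, recent = [], defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome != "FAILED":
            continue
        key = (user, src)
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) == threshold:  # fire once as the threshold is crossed
            alerts.append({"type": "failed_login_burst", "user": user,
                           "src": src, "count": threshold, "at": ts})
    return alerts


def off_hours_logins(events, start_hour=7, end_hour=19) -> List[Dict]:
    """Successful logins outside the assumed normal window [start_hour, end_hour)."""
    return [{"type": "off_hours_login", "user": user, "src": src, "at": ts}
            for ts, outcome, user, src in events
            if outcome == "SUCCESS" and not (start_hour <= ts.hour < end_hour)]


def analyze(log: str) -> List[Dict]:
    """Run both detectors; bursts are listed first, then off-hours logins."""
    events = parse(log)
    return failed_login_bursts(events) + off_hours_logins(events)
```

On the sample, bob's five failures inside 19 seconds raise one burst alert and svc_backup's 03:17 login raises one off-hours alert; alice's two failures are four hours apart and stay silent.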

53 Domain Objectives Definitions of Key Concepts Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

54 Audit trail monitoring Vulnerability assessment tools

55 Penetration Testing Overview Definition Areas to test Methods of testing Testing procedures Testing hazards

56 Areas to Test Application security Denial of Service (DoS) War dialing Wireless penetration Social engineering PBX and IP telephony

57 Penetration Testing Methods Attack perspectives External Internal Attack strategies Zero-knowledge Partial-knowledge Full-knowledge Targeted Double-blind

58 Testing Steps Discovery Enumeration Vulnerability mapping Exploitation

59 Testing Hazards and Reporting Production interruption Application abort System crash Documentation Identified vulnerabilities Countermeasure effectiveness Recommendations KPI – Key Performance Indicators

60 Access Control Domain Summary Definitions of Key Concepts Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

61 Business Continuity and Disaster Recovery Planning

62 Domain Objectives Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

63 Planning Should Occur BEFORE You Need It

64 BS 25999: Business Continuity Management Risk Management Disaster Recovery Facilities Management Supply Chain Management Quality Management Health & Safety Knowledge Management Emergency Management Security Crisis Communications and PR

65 Information Security Priorities Keeping CRITICAL products and services going Availability Integrity Confidentiality Out of Business!!! What should be done in a crisis when most controls are missing?

66 The Business Continuity Life Cycle Overview Analyze the business Assess the risks Develop the BC strategy Develop the BC plan Rehearse the plan

67 BCM Project Management Senior management support Policy Access to key personnel Budget Immediate and ongoing budget

68 BCM Project Management Project management Scope Timelines Deliverables Team members Tools

69 Initiating BCP Awareness, data and implementation Staff and budget Result must be a long-term, sustainable program Review progress monthly (suggestion)

70 Documentation Review current BCP, if available Documentation may not equal capability Staff must be trained to use any necessary software Types of BCM document Policy, including scope and principles Business impact analysis Risk and threat assessment Strategies, including (if able) papers supporting the choice of strategies adopted Response plans Test schedule and reports Awareness and training program Service level agreements with customers and suppliers Contracts for 3rd party recovery services such as workspace and salvage Review/update as directed by policy

71 Domain Objectives Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

72 Understanding BCM Priorities Business priorities Policy/culture Critical services and products Legal and regulatory requirements

73 Risk Assessment and Management Management is often NOT an IT person. Might have different priorities Risk management versus business continuity planning Risk management – tactical Business continuity – strategic Coordination between risk assessment and business impact analysis Purpose of risk management?

74 Threat Identification Natural/environmental Human/man-made Utility Supply chain Equipment Facility Loss of key personnel

75 Understanding the Organization Business Impact Analysis (BIA) Benefits Objectives Indicators of critical business functions Time sensitivity Data integrity Classification

76 Business Impact Analysis Identifies, quantifies, and qualifies loss over time Business impact analysis process Workshops Questionnaires Interviews Observation

77 Business Impact Analysis Business justifications for budget Maximum Tolerable Downtime (MTD)/ Maximum Tolerable Period of Downtime/Disruption (MTPD) Recovery Point objective (RPO) Document dependencies Third party dependencies and liabilities Service level agreements

78 Incident Readiness & Response Planners become leaders Be prepared Triage Incident management Success = return to operations Application of lessons learned

79 Continuity Requirement Analysis Identify supporting activities and resources Outcomes feed BCP strategy selection Reviewed with BIA

80 Domain Objectives Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

81 Determining Recovery Strategy Determining BC strategies Strategy options Data Activity continuity options Resource-level consolidation

82 Determining Recovery Strategy High-level strategies – purpose is to ensure overall continuity strategy appropriately supports the delivery of orgs products/services Recovery Time Objective (RTO) < Maximum Tolerable Downtime/Disruption (MTPD) Separation distance – how far away is recovery site Cost/benefit analysis – best strategy is often determined by cost Address specific business types Different business functions have different recovery solutions

83 Recovery Alternatives
Alternative | Description | Readiness | Cost
Multiple processing/mirrored site | Fully redundant identical equipment & data | Highest level of availability & readiness | Highest
Mobile site/trailer | Designed, self-contained IT & communications | Variable drive time; load data, & test systems | High
Hot site | Fully provisioned IT & office, HVAC, infrastructure, & communications | Short time to load data, test systems. May be yours or vendor staff | High
Warm site | Partially IT equipped, some office, data & voice infrastructure | Days or weeks. Need equipment, data, communications | Moderate
Cold site | Minimal infrastructure, HVAC | Weeks or more. Need all IT, office equipment, & communications | Lowest

84 Processing Agreements
Agreement | Description | Considerations
Reciprocal or Mutual Aid | Two or more organizations agree to recover critical operations for each other | Technology upgrades/obsolescence or business growth. Security and access by partner users.
Contingency | Alternate arrangements if primary provider is interrupted, i.e., voice or data communications | Providers may share paths or lease from each other. Question them
Service Bureau | Agreement with application service provider to process critical business functions | Evaluate their loading, geography and ask about backup mode.
Remote Working Arrangements | Ability to telecommute or work from home | Sensitive data controls, unauthorized equipment

85 Domain Objectives Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

86 Business Continuity Plan Master Plan Modular in design Executive endorsement Review quarterly

87 BCP Contents When will team be activated? How will the team be activated? Where will everyone meet? Is there an Action Plan/Task List? Is there any reporting? If so, to whom?

88 BCP Contents Responsibilities of the team or specific individuals Liaising with emergency services (fire, police, ambulance) Receiving or seeking information from response teams Reporting information to the incident management team Mobilizing third-party suppliers of salvage and recovery services Allocating available resources to recovery teams Location/mobilization instructions

89 Developing Response Plans Incident response structure - plans that answer “What do we do now?” Emergency response procedures, Personnel notification, Backup and offsite storage, Etc. Emergency response procedures Personnel – executive succession plan, executive crisis management roles, BC coordinator and teams, notification lists, PR Communications – emergency systems, business systems communications and networks Alternate site considerations – utilities, communications, environmental protection, workspace protection Logistics and supplies – personnel and materials transport, personnel support and welfare, remote worker activation, emergency funds, protection against fraud and looting, safety and legal issues, escalated management authority

90 Creating Recovery Plans Recovery procedures Recovery priorities Activation of alternate site or processes Data recovery Business resumption plan

91 Creating Disaster Recovery Plans Disaster recovery Recover out to the alternate – MOST critical first Recover back to the primary – LEAST critical first Responsibilities and authority Outlines what needs to be done Outlines who will do the work Since this may be happening at the same time as the incident, recovery should be done (if possible) by a different team comprised of technical experts and system engineers who can rebuild the failed systems

92 Creating Restoration Plans Rebuilding of primary site Facility restoration System restoration Priorities Data synchronization Salvage Closure of alternate site

93 Topics to Address in Plans Equipment Procurement (vendor agreement) Facilities Environmental controls Fire and water protection Personnel

94 Topics to Address in Plans Data Offsite storage requirements Utilities Communications Logistics and supplies

95 Resource-Level Consolidation Consolidation plan Availability of solutions Consolidate, approve and implement Outcomes and deliverables

96 Domain Objectives Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

97 Incident Response Management Strategic Level: Incident Management Plan (IMP) – defines how the strategic issues of a crisis will be managed by chief executive/senior managers. May include crises that do not result in interruptions (hostile takeover, media exposure, etc.). Tactical Level: Business Continuity Plan (BCP) – addresses business disruption, interruption, or loss from the initial response till normal business resumes. Operational Level: Activity Resumption Plans – provide plans for resuming normal business functions. Might provide logical and technical structure for restoring services or use of alternate facilities.

98 Implementing Incident Management Crisis management Rapid response is critical Triage (alerts) Notification Health and safety of personnel (people first) Escalation Executive succession

99 Initial Assessment Damage assessment Declaring a disaster Mobilization of response teams Permanent and virtual teams

100 Documentation and Communication Documentation of the incident Feedback and analysis Communications Public relations

101 Domain Objectives Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

102 Testing the Program Find the flaws Outsourcing Timetable for tests Designing a test Define success/failure BEFORE test begins

103 Testing Types
Type | Process | Participants | Frequency | Complexity
Desk check | Check the contents of the plan; Aid in maintenance | Author | Often | LOW
Walk through | Check interaction and roles of participants | Author and main people | |
Simulation | Includes: business plans, buildings and communication | Main people and auditors | |
Parallel testing | Moves work to another site; Recreates the existing work from the displaced site | Everyone at test location | |
Full Interruption | Shuts down and relocates all work | Everyone at both locations | Seldom | HIGH

104 Testing BCP Arrangements Test, rehearsal and exercise Combining individual tests to ensure complete coverage Stringency, realism, and minimal exposure Risks of testing Scope and documentation of a test Outcomes

105 Embedding BCP into the Organization Assessing level of awareness and training Develop levels of training for individuals Developing BCP within the culture Educate employees not only of what they are supposed to do but WHY they are doing it that way Monitoring cultural change Get feedback. Sometimes the best solution to a problem will come from the most unexpected person

106 Specialized Training Needs EOC (Emergency Operations Center) Specialized skills Forensic Interviewing Technical Crisis management PR Etc.

107 Maintaining BCP Arrangements Ready and embedded Aligned with change-management procedures Owners keep information current Documented Review as needed

108 BCP Maintenance Updating Annual review – at a minimum Subsequent to tests – to immediately identify fail points and needed changes Response to audits – to address issues found Version control – to ensure everyone is working off the most current plan Distribution of plan – to ensure everyone is working off the most current plan

109 Reviewing BCP Audit Independent BCP audit opinion As directed by audit policy

110 Factors for BCM Success Supported by senior management Everyone is aware Everyone is invested Consensus

111 Business Continuity and Disaster Recovery Planning Domain Summary Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

112 Cryptography

113 Domain Objectives Definitions History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

114 Concepts and Definitions Cryptology – the study of cryptography and cryptanalysis Cryptanalysis – practice of defeating the protective properties of cryptography. Reading protected info, altering messages or integrity values and violating authentication. The practice of testing cryptographic algorithms to determine their strength or resistance to compromise. Cryptography – from Greek words “kryptos” (hidden) and “graphia” (writing). Mathematical manipulation of information to prevent the information from being disclosed or altered.

115 Basic Goals of Cryptography Confidentiality – prevent unauthorized people from being able to detect or understand a message Integrity – detect if a message has been tampered with or corrupted Authenticity – ensure that message has been sent to correct person and in correct order, including prevention of replay attacks Non-repudiation – sender cannot deny sending Access control – encrypted passwords, token-based access control devices provide protection for systems and applications Make compromise difficult – make the attack either too expensive or too time-consuming to be worth the effort

116 Concepts & Definitions Cryptosystem – device or process used to perform encryption and decryption operations Plaintext/Cleartext – human readable message Ciphertext/Cryptogram – enciphered, encrypted, or scrambled message Cryptographic Algorithm – mathematical function that determines the cryptographic operations Cryptovariable (key) – often secret value used to transform the message in the encrypted message Key Space – total number of keys available to the user of a cryptosystem

117 Concepts & Definitions Encrypt/Encipher – scrambling a plaintext message by using an algorithm, usually in conjunction with a key Encode – similar to enciphering or encrypting except that it does not use a key Decipher/Decrypt/Decode – descrambling an encrypted message and converting it to plaintext

118 Basic Transformation Techniques Substitution – change value, not position. Transposition/Permutation – change the relative position of values without replacing them (bit-shuffling) Compression – change position, not value. Decrease redundancy before plaintext is encrypted. Used to save on bandwidth and storage. Entropy – maximum amount of compression that can be applied Expansion – typically used to increase the size of plaintext to match the size of keys or subkeys Padding – adding additional material to plaintext before encrypting. Addresses weaknesses in an algorithm and foils traffic analysis

119 XOR – Exclusive Or Fast arithmetic function used in many computer operations Binary math Add two values If both input values are the same the output is a Zero (i.e., 1+1=0; 0+0=0) If the input values are different the output is a One (i.e., 1+0=1; 0+1=1)

120 Keys and Cryptovariables Key management – refers to the principles and practices of protecting the keys throughout the lifecycle Key expiry/cryptoperiod – keys should be changed on a regular basis. Length of time should be based on algorithm and level of protection required Key mixing/Key schedule – DES nominal length 56 bits (actual length 64 but 8 used for parity), does 16 rounds of substitution and transposition and uses 48 bits of the key. Generates new 48 bit key from original 56 bit. AES uses key schedulers to generate completely new keys from the original key for each round. Keystreams – pseudo-random sequence that is generated from the input key and mixed with the input message. Synchronous – keystream is generated based on original key, bit-by-bit, in sync with plaintext Non or self-synchronous – keystream is generated based upon previously generated ciphertext and cryptovariable Key storage – key must be protected in transit and storage Key clustering – term used to represent a weakness that exists in a cryptosystem if two different keys generate the same ciphertext from the same plaintext

121 Initialization Vector (IV) Encrypting similar messages will create patterns of ciphertext even when using different keys. Predictability is an enemy of cryptography. An IV is a random value added to the plaintext message before encrypting so that each ciphertext will be substantially different. The recipient will also need the IV to decrypt the message

122 Work Factor An estimate of the effort/time needed to overcome a protective measure by an attacker with specified expertise and resources. Commonly used as a way to measure the amount of resources that would be required to brute-force an algorithm or cryptosystem. System is said to be broken when there is a way to decrease the work factor to a reasonable level. All cryptosystems will be crackable eventually. Objective is to use a system that is computationally infeasible to crack. Work factor has nothing to do with normal encryption/decryption

123 Kerckhoffs’s Principle States that the strength of a cryptosystem is based on the secrecy of the key and not on the secrecy of the algorithm. Work factor for the cryptanalyst is the effort required to determine the correct key. Key length is the primary method used to determine the strength of the cryptosystem. Brittleness – measure of how badly a system fails. A resilient system is dynamic and designed to fail only partially or degrade gracefully. In general, automated systems which only do one thing are by definition brittle. “Security by Obscurity” – concept that a system is secure as long as no one outside the “group” is allowed to find out anything about its internal mechanisms.

124 Key Algorithms Symmetric key – same key used for both the encryption and decryption operation Asymmetric key – pair of mathematically related keys (A and B) used separately for encryption and decryption

125 Certificates Certificate proves who owns a public key Digitally signed, special block of data that contains public key and identifying information for the entity that owns the private key Issued by a Certification Authority (CA) – trusted entity or 3rd party that issues and signs public key certificates, attesting to the validity of the public key. Registration Authority – is the primary organization that verifies a Certificate Applicant’s information and identity. Works with CA to verify applicant’s information before issuing a certificate

126 Hash Functions Message integrity Computed value for a message, program, data, etc to be transmitted or stored One way function Cannot decrypt/reverse a hash

127 Digital Signatures Message Integrity and Proof of Origin Proves message has not been altered Proves who sent the message Created by encrypting a hash of the message with the private asymmetric key of the sender. Creates a signed hash that can only be unlocked using the public asymmetric key of the sender. Reason for signing the hash of the message instead of the message is that asymmetric algorithms tend to be very slow and computationally intensive to use. So signing the hash saves time and money.

128 Domain Objectives Definitions History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

129 Historical Development Cryptographic techniques Manual – cryptographic methods performed by hand using a variety of tools (still used on some one-time pads) Mechanical – use of mechanical tools to perform encryption and decryption (cipher disk) Electro-mechanical – use of electro-mechanical devices (Enigma machine) Electronic – computer based tech used to perform complex and secure cryptographic operations (software and hardware based algorithms – AES, RSA, etc.) Quantum cryptography – using single photon light emissions to provide secure key negotiation

130 Domain Objectives Definitions History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

131 Uses of Cryptography Protecting information Transit – VPNs, e-commerce, VOIP, etc. Storage – disk encryption System access – passwords, remote login

132 Domain Objectives Definitions History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

133 Making Secure Algorithms Problems – simple systems are not very secure Discernible – if you know the language of the original message, “frequency analysis” can be performed Redundancies – make the cryptanalyst’s job easier Statistical patterns – can be revealed in ciphertext if the algorithm doesn’t obscure them Solutions Confusion – principle of hiding patterns in the plaintext by substitution Diffusion – act of transposing the input plaintext throughout the ciphertext so that a character in the ciphertext would not line up directly in the same position in the plaintext Avalanche – achieved when the plaintext bits affect the entire ciphertext, so that changing one bit in the plaintext changes about half of the ciphertext bits

134 Stream Ciphers Keystream Statistically unpredictable and unbiased Not linearly related to the key Operates on individual bits or bytes

135 Uses of Stream Cipher and Stream-Mode Block Ciphers Wireless Audio/video streaming SRTP (Secure Real-time Transport Protocol)

136 Block Cipher Blocks of plaintext are encrypted into ciphertext blocks Multiple modes of operation Variable key size, block size, rounds

137 Block Cipher Uses Data transport – SSL, TLS. Both protocols can use AES and Triple DES. IPSec based VPNs also use block ciphers to encrypt communication between endpoints Data storage – even though block ciphers take more time, used because of their greater ability to frustrate cryptanalysis. TrueCrypt is an example of block cipher used to encrypt data

138 Domain Objectives Definitions History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

139 Simple Substitution Ciphers Substitution of one value for another
Caesar Cipher – shift alphabet (by 3):
Plain: A B C D E F …  Cipher: D E F G H I …  (FACE → IDFH)
Scramble alphabet:
Plain: A B C D E F …  Cipher: Q E Y R T M …  (FACE → MQYT)
Vulnerable to frequency analysis

140 Simple Transposition/Permutation Columnar – rearranging the message in a table. Plaintext: “This is an example of transposition”. Cipher: “tsaoni hamfst inptpi selroo ixeasn”. Key: grid shape & reading direction. Historical example: the Spartan Scytale. Grid for the example (5 columns, written row by row, read down each column):
THISI
SANEX
AMPLE
OFTRA
NSPOS
ITION

141 Polyalphabetic Ciphers
Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Row 1: ZABCDEFGHIJKLMNOPQRSTUVWXY
Row 2: YZABCDEFGHIJKLMNOPQRSTUVWX
Row 3: XYZABCDEFGHIJKLMNOPQRSTUVW
Row 4: WXYZABCDEFGHIJKLMNOPQRSTUV
…
Encrypt the plaintext FEEDBACK using a key of 3241 (each key digit selects the row used for that letter; the key repeats for the whole message). Try encrypting your name.
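The classical ciphers of the last three slides, as an added example written for this transcript (not code from the presentation): Caesar shift, scrambled-alphabet substitution, columnar transposition and the numeric-key polyalphabetic table, plus the frequency-analysis break that the substitution slide warns about. Inputs are the slides' own worked values; the scrambled alphabet is the six-letter fragment the slide shows.

```python
"""Classical ciphers from the substitution, transposition and polyalphabetic
slides, with a frequency-analysis break of the Caesar shift.

Added example, constructed for this transcript; it is not code from the
presentation. The inputs are the slides' own worked values."""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Partial scrambled alphabet from the substitution slide (only the six
# letters it shows). A real key would map all 26.
SCRAMBLED = dict(zip("ABCDEF", "QEYRTM"))


def caesar(text: str, shift: int) -> str:
    """Shift every letter forward by `shift` places (A -> D for shift 3);
    non-letters are dropped, as in the slide's FACE -> IDFH example."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26]
                   for c in text.upper() if c in ALPHABET)


def substitute(text: str, key_alphabet: dict) -> str:
    """Scrambled-alphabet substitution: each plaintext letter is replaced by
    the letter the key maps it to (the slide shows A->Q, B->E, C->Y, ...)."""
    return "".join(key_alphabet[c] for c in text.upper() if c in ALPHABET)


def columnar_transposition(text: str, columns: int) -> str:
    """Write the letters row by row into a grid `columns` wide and read it
    column by column; columns are space separated, as on the slide."""
    letters = [c for c in text.upper() if c in ALPHABET]
    rows = [letters[i:i + columns] for i in range(0, len(letters), columns)]
    cols = ["".join(row[c] for row in rows if c < len(row))
            for c in range(columns)]
    return " ".join(cols).lower()


def polyalphabetic(text: str, key: str) -> str:
    """Row k of the slide's table is the alphabet shifted back k places, so key
    digit k maps a letter to the one k places earlier; digits repeat cyclically.
    Letters only, as on the slide."""
    out = []
    for i, c in enumerate(text.upper()):
        k = int(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(c) - k) % 26])
    return "".join(out)


def guess_caesar_shift(ciphertext: str) -> int:
    """Frequency analysis: assume the most common ciphertext letter stands for
    E, the most common letter in English, and recover the shift."""
    counts = Counter(c for c in ciphertext.upper() if c in ALPHABET)
    most_common = counts.most_common(1)[0][0]
    return (ALPHABET.index(most_common) - ALPHABET.index("E")) % 26


if __name__ == "__main__":
    print(caesar("FACE", 3))                                      # IDFH
    print(substitute("FACE", SCRAMBLED))                          # MQYT
    print(columnar_transposition("This is an example of transposition", 5))
    print(polyalphabetic("FEEDBACK", "3241"))
    print(guess_caesar_shift(caesar("MEET ME AT THE GREEN TREE", 7)))  # 7
```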

142 Running Key Ciphers Done by using the numerical value of letters in the plaintext and is coded and decoded by using a copy of the text in a book as the key. Sender and recipient determine the key by agreeing on a point in the book (i.e. page number) from which to start the encryption. Key would “run” as long as the plaintext, and the value of each letter of the key would be “added” to the value of each letter of the plaintext. If total of the two letters is greater than 25, then 26 would be subtracted from the result. The combined value of the letters would be the value of the ciphertext letter.

143 One-Time Pads (OTP) Truly random key values Both sides have same pad of key values Keys are only used once Unbreakable algorithm Mathematically proven that it can never be broken

144 Steganography The art of hiding information Plaintext hidden/disguised Prevents a third party from knowing that a secret message exists Traditionally accomplished in a number of ways: Physical techniques Null ciphers

145 Image-Based Steganography [Figure: original image beside the stegged image] File size is identical (260 kb) If hashed, values would be different

146 Watermarking/Rights Management Digital watermarking – similar to physical watermarking. Either visible or invisible markings embedded within a digital file to indicate copyright or other handling instructions, or to embed a fingerprint to detect unauthorized copying and distribution of images. Digital Rights Management/Digital Restriction Management (DRM) – extends digital watermarking in order to place strict usage conditions on the display and reproduction of digital media.

147 Domain Objectives Definitions History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

148 Modes of Symmetric Block Ciphers Block Modes Electronic Code Book (ECB) Cipher Block Chaining (CBC) Stream Modes Cipher Feed Back (CFB) Output Feed Back (OFB) Counter (CTR) Counter with CBC-MAC (CCMP)

149 Electronic Code Book (ECB) Each block of plaintext is encrypted independently using the same key

150 Cipher Block Chaining (CBC) The first plaintext block is XOR’d with an Initialization Vector (IV) The resulting ciphertext block is chained (XOR’d) into the next plaintext block before that block is encrypted

151 Cipher Feed Back (CFB) Similar to CBC IV is encrypted and then XOR’d with the first plaintext block

152 Output Feed Back (OFB) Operates very much like CFB Only the RESULT of encrypting the IV is fed back to the next operation

153 Counter (CTR) Similar to OFB Counter value is used instead of an IV

154 Counter With CBC-MAC (CCMP) Provides confidentiality and authenticity Works with 128 bit block size Mandatory in i Adds one more block for confidentiality Counter mode lacks integrity. CCMP solves that problem.
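The block modes of the preceding slides, as an added example written for this transcript (not code from the presentation): ECB, CBC and CTR over a constructed toy Feistel block cipher (SHA-256 as the round function, 16-byte blocks), which also shows why the IV slide calls predictability the enemy. The cipher is for illustration only; the point is that ECB repeats ciphertext blocks wherever plaintext blocks repeat while CBC and CTR do not, and that CBC with the same key and IV still yields the same ciphertext for the same message.

```python
"""ECB, CBC and CTR modes over a small block cipher, showing why the mode,
not just the algorithm, decides whether ciphertext leaks patterns.

Added example, constructed for this transcript and not from the presentation.
The block cipher is a toy 8-round Feistel network with SHA-256 as the round
function; it exists only so the modes can run offline and must not be used
for real data."""
import hashlib

BLOCK = 16   # block size in bytes (same as AES)
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed pseudo-random function of one 8-byte half; the "key schedule" is
    # simply mixing the round number into the hash input.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Feistel round: (L, R) -> (R, L XOR F(R)); substitution plus swap each round."""
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Undo the rounds in reverse order; the Feistel structure needs no inverse of F."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pad(data: bytes) -> bytes:
    """PKCS#7 padding: always add 1..16 bytes so the length is a multiple of BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """First block XOR'd with the IV, each later block XOR'd with the previous ciphertext."""
    out, prev = [], iv
    for b in _blocks(pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: encrypt nonce||counter to get a keystream block and XOR it
    with the data. Stream mode, so no padding, and the same call decrypts."""
    out = []
    for i, chunk in enumerate(_blocks(data)):
        keystream = block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out.append(_xor(chunk, keystream))
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one (the ECB pattern leak)."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key, iv, nonce = b"constructed-key!", bytes(range(16)), bytes(8)
    msg = b"ATTACK AT DAWN!!" * 4            # four identical 16-byte blocks
    print(repeated_blocks(ecb_encrypt(key, msg)))        # 3
    print(repeated_blocks(cbc_encrypt(key, iv, msg)))    # 0
    print(repeated_blocks(ctr_crypt(key, nonce, msg)))   # 0
```

Reusing a nonce with CTR (or an IV with CBC) on two different messages is the failure the IV slide describes; a fresh random IV or a never-repeating counter per message is the fix.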

155 DES – Data Encryption Standard DES 56 bit key 16 rounds of transposition and substitution Fixed 64 bit block size Double DES (DDES) Uses two 56 bit keys Message is encrypted by one key and re-encrypted by the second Was thought to provide 112 bit cipher but was successfully attacked by the “meet-in-the-middle” analytic attack Triple DES (TDES) Input data is encrypted three times Strength depends on the mode of the operation picked and the number of keys being used Effective key size is 168 bit

156 AES – Advanced Encryption Standard Based on Rijndael algorithm Developed by Daemen and Rijmen in 1998 Block sizes: 128, 192, and 256 Variable number of rounds Variable key size

157 Other Block Ciphers RC5 and RC6 Blowfish Twofish CAST SAFER Serpent

158 RC-4 Symmetric stream cipher Arbitrary key size Many applications

159 Strengths & Weaknesses – Symmetric Ciphers Strengths Fast Difficult to crack Algorithms and tools freely available Stream ciphers ensure highly efficient serial communications Block ciphers offer multiple modes Weaknesses A different form of key negotiation/ exchange/ distribution must be used Poor scalability Limited security On noisy channels, error correcting is a must

160 Asymmetric Key Cryptography Diffie-Hellman, 1976 Public key cryptography Uses a pair of mathematically related keys Private key Public key

161 Public Key Algorithms Ensures confidentiality Encrypting message with the receiver’s public key provides confidential transmission of the message because the only key that can open the message is the corresponding private key of the recipient Ensure proof of origin When a message is encrypted (signed) with the sender’s private key, the recipient can verify the source of the message because the message can only be opened with the sender’s public key Confidentiality and proof of origin Double encrypting a message with the private key of the sender and then with the public key of the receiver will provide both confidentiality and proof of origin

162 RSA Algorithm Rivest-Shamir-Adleman, 1977 Encryption Digital signatures Key distribution Adjustable key size PKCS#1 is the implementation of the algorithm. Currently in V2.1 How does it work? Find 2 prime numbers and call them p and q. Multiply them and call the result n. Choose a public value less than n, relatively prime with (p-1) and (q-1), and call it e. Find d such that e*d ≡ 1 mod (p-1)*(q-1). Make n and e PUBLIC, and keep d, p and q SECRET. To encrypt message m, ciphertext c = m^e mod n. To decrypt, m = c^d mod n
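The slide's key-setup steps carried through in code, together with the "sign the hash, not the message" digital signature from the Digital Signatures slide. This is an added example written for this transcript, not the presentation's code; p = 61, q = 53 and e = 17 are tiny constructed values so the arithmetic can be checked by hand, and the PKCS#1 padding the slide refers to is left out.

```python
"""Textbook RSA following the slide's key-setup steps, plus the "sign the hash
of the message" digital signature described earlier in the domain.

Added example, constructed for this transcript; not the presentation's code.
p = 61, q = 53, e = 17 are tiny constructed values chosen so the arithmetic
can be checked by hand; real keys are thousands of bits and use PKCS#1
padding, which this textbook version leaves out."""
import hashlib
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """n = p*q; e must be relatively prime to (p-1)(q-1); d = e^-1 mod (p-1)(q-1).
    Returns (public (n, e), private (n, d)); p, q and d stay secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m: int) -> int:
    """c = m^e mod n; the message must be an integer smaller than n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message out of range")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    """m = c^d mod n"""
    n, d = private_key
    return pow(c, d, n)


def _hash_as_int(message: bytes, n: int) -> int:
    # Hash first so the slow private-key operation runs on a short digest, not
    # the whole message. Reducing mod n is only needed because n is tiny here.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Signature = hash of the message 'encrypted' with the sender's private key."""
    n, d = private_key
    return pow(_hash_as_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Recover the hash with the sender's public key, compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == _hash_as_int(message, n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)        # n = 3233, d = 2753
    c = rsa_encrypt(pub, 65)
    print(c, rsa_decrypt(priv, c))            # 2790 65
    sig = sign(priv, b"pay 100")
    print(verify(pub, b"pay 100", sig), verify(pub, b"pay 900", sig))
```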

163 Other Algorithms Diffie-Hellman Key Exchange Protocol Perfect Forward Secrecy (PFS) – principle used in D-H that even if 2 private keys are used in negotiating a secret value (shared secret), and one of those private keys is later compromised, it will not be possible to determine either the secret key or the other private key from the compromised private key Diffie-Hellman Groups – determine the length of the base prime numbers that will be used in calculating the key pairs. STS/Unified Diffie-Hellman – one weakness of D-H was the man-in-the-middle attack. This led to development of the Station to Station (STS) key agreement protocol by Diffie, van Oorschot and Wiener. Menezes/Qu/Vanstone Elgamal – retired Elliptic Curve Cryptography (ECC) – fewer bits. Extremely slow
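The D-H exchange itself, as an added example written for this transcript (not the presentation's code): both sides compute the same shared secret from public values only, and fresh exponents per session give the forward-secrecy property the slide describes. p = 23 and g = 5 are the classic textbook toy parameters; a real D-H group uses a prime of 2048 bits or more.

```python
"""Diffie-Hellman key agreement from the 'Other Algorithms' slide, with fresh
(ephemeral) private values per session to show the perfect forward secrecy idea.

Added example, constructed for this transcript; not the presentation's code.
p = 23, g = 5 are the classic textbook toy parameters: private values 6 and
15 give public values 8 and 19 and the shared secret 2."""
import hashlib
import secrets

P, G = 23, 5


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """Public value g^private mod p; safe to send in the clear."""
    return pow(g, private, p)


def dh_shared(private: int, other_public: int, p: int = P) -> int:
    """Shared secret other_public^private mod p; both sides reach the same value
    because (g^a)^b = (g^b)^a mod p."""
    return pow(other_public, private, p)


def session_key(shared: int) -> bytes:
    """Derive the symmetric session key from the shared value instead of using it raw."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def run_session(p: int = P, g: int = G):
    """One exchange: each side draws a fresh private exponent, exchanges public
    values and derives its key. The exponents are discarded afterwards, so a
    later compromise of any stored key cannot reproduce this session's key
    (the PFS idea). Returns (alice_key, bob_key, observer_view); the observer
    sees only p, g, A and B. Nothing here authenticates the parties, which is
    the gap the STS protocol on the slide closes."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    A, B = dh_public(a, p, g), dh_public(b, p, g)
    alice_key = session_key(dh_shared(a, B, p))
    bob_key = session_key(dh_shared(b, A, p))
    return alice_key, bob_key, {"p": p, "g": g, "A": A, "B": B}


if __name__ == "__main__":
    print(dh_public(6), dh_public(15))          # 8 19
    print(dh_shared(6, 19), dh_shared(15, 8))   # 2 2
    k1, k2, seen = run_session()
    print(k1 == k2, seen)
```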

164 Knapsack Algorithms Merkle-Hellman knapsack Developed in 1978 Chor-Rivest knapsack Developed in 1984 and revised in 1988 Both schemes have been broken

165 Asymmetric Key Cryptography Strengths Confidentiality/privacy Access control Authentication Integrity Non-repudiation Weaknesses Computationally intensive Very slow

166 Common Hash Functions Message Digest MD2, MD4, MD5 Secure Hash Algorithm (SHA) SHA-1 (160 bit), SHA-256, SHA-384 SHA-512 (best practice) SHA-3 HAVAL RIPEMD Tiger WHIRLPOOL

167 Hash Function Characteristics Condensed representation of the message One-way function Non-linear relationship Hash calculated from whole, original message

168 Keyed Hashes (SALT) Basic hash can be intercepted and changed To solve that problem, mix a HASH algorithm with a pre-shared key Adversary would need to know the key to create a collision Implemented in IPSec for integrity checking of both ESP (Encapsulating Security Payload) & AH (Authentication Header)

169 Digital Signatures (Asymmetric cryptography) + (Hash of message) Only authenticity and non-repudiation (not confidentiality) Legality – if the encryption is intact and the private key is held by the rightful owner, it must be accepted by all parties in the transaction. American Bar Association has developed guidelines for accepting digital signatures that have been adopted in some US states and other countries Not accepted globally for transactions and specifically not for high-dollar/high-risk situations Examples DSA, RSA, Elgamal, Schnorr, ECC

170 Digital Signatures Uses E-commerce Non-repudiation of origin (with private key) Integrity of message (with private key encrypted hash) Software distribution (integrity and non-repudiation) and secure document distribution

171 Key Management Challenges Greatest challenge with secure cryptographic implementation is the management of the keys. Keys must be kept secret. Yet, they must be available when needed. Even OLD keys have to be kept to decrypt old backup files or data. Key distribution Key storage Key change Expire – how long to use a key

172 Functions of Key Management Operations Dual control – require the active participation of 2 or more. No one person can misuse. Threshold schemes – require more than one person to successfully complete the task Key recovery Split knowledge – 2 or more people have info about the key. Must be combined to work. Multi-party key recovery – break the key into 3 or more parts and each part goes to a different person. Escrow – Key held

173 Functions of Key Management Creation Automated key generation – prevents user bias and provides quick key production Truly random – only true random generators are things like radioactive decay, noisy diodes, etc. Computers produce pseudo-random. Suitable length – generators must generate enough bits for a complete key. Generating 64 bits and concatenating them does not make them 128. Key encrypting keys (KEK) – keys used to encrypt other keys. Care must be taken to ensure that the data used to generate the KEK is NOT related to the keys being produced.

174 Functions of Key Management Distribution Out of band – does not guarantee secure delivery, but it increases its likelihood Public key encryption – most common solution Secret key construction – using D-H (or similar), exchange values online that generate a new secret key Secret key delivery – using RSA (or similar), party encrypts secret key with receiving party’s public key. Key distribution center – think Kerberos Certificates – used to distribute public keys Storage Trusted hardware – hardware evaluated (typically) by FIPS or Common Criteria Smartcard – non-volatile storage

175 Public Key Infrastructure (PKI) Binds people/entities to their public keys Prevent Man-in-the-Middle attack Public keys are published and are certified by digital signatures

176 Strong Cryptographic PKI Solutions Use evaluated solutions High work factor Publicly-evaluated cryptographic algorithms Training Import and export of cryptography Wassenaar Agreement – an agreement between several countries that governs the movement of cryptographic algorithms between those countries. The restrictions are usually based on key length and whether the product is commercially available Law enforcement issues

177 Certificates and CAs Certificates link a public key to its owner Classes of certificates Certification Authorities (CAs) Registration Authority (RA) Cross-certification Certificate Revocation Lists (CRLs) Online Certificate Status Protocol (OCSP) X.509

178 Domain Objectives Definitions History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

179 Cryptanalysis Art and science of breaking codes Attack vectors Key Algorithm Implementation Data (ciphertext or plaintext) People – social engineering Assumptions

180 Brute Force Attack Trying all possible key combinations Two factors: cost and time Moore’s Law Processing speed doubles every 18 months for the same price Advances in technology and computing performance will always make brute force an increasingly practical attack on keys of a fixed length Measured in MIPS per year – 1 computer running 1,000,000 calculations per second for a year

181 Brute Force Attack
Bits | Number of keys | Brute force attack time
… | … x 10^16 | 20 hours
… | … x 10^24 | 54,800 years
… | … x 10^38 | 1.5 x 10^19 years
… | … x 10^77 | 5.2 x 10^57 years
Data shown is as of 1998 when “Deep Crack” was used in the RSA DES challenge. It cost $250,000 to build. Today the same thing can be done for under $10,000. With today’s tech, DES can be broken in 8.7 days or less for under $10,000.

182 Plaintext Attacks Known plaintext attack – attacker has both the plaintext and ciphertext. Uses analysis to try to determine key. Chosen plaintext attack – attacker has access to the crypto machine. Runs plaintext through machine to get encrypted data. Uses statistical information to try to determine key. Adaptive chosen plaintext attack – attacker has encryption device for more than one message. Patterns may emerge if the attacker puts similar texts into the device

183 Ciphertext Attacks Ciphertext only – assume attacker has samples of encrypted text but not the algorithm, key or system. Most difficult attack because the attacker has the least to work with. Chosen ciphertext attack – attacker has access to ciphertext and system used to generate. Attacker can run pieces of ciphertext through to obtain the plaintext. Leads to Known Plaintext Attack or Differential or Linear Cryptanalysis attack. Adaptive chosen ciphertext attack – attacker has access to the cryptosystem and can now modify and run ciphertext through the system to see what the effect of the modification is on the plaintext.

184 Attacks Against Ciphers Stream Frequency analysis – knows characteristics of plaintext language IV or keystream analysis – examines large numbers of generated IVs for weaknesses, statistical biases, etc. Block Linear cryptanalysis – large amounts of plaintext and associated ciphertext to find info about the key Differential cryptanalysis – 2 or more similar plaintexts are encrypted using same key and compared Linear-differential cryptanalysis – combo of linear and differential Algebraic attacks – examines the algorithm Frequency analysis – uses the statistics of the language to break a ciphertext

185 Attacks Against Hash Functions Dictionary Attacks Based on known lists of common words Birthday attacks – group of 23 people, 50% chance 2 will have same birthday. 60 people, 99% chance. Relevant because it describes the amount of effort that must be made to determine when 2 randomly-chosen values will be the same (collisions). Weak hash causes many collisions Attack the hash value Attack the initialization vector Rainbow table attacks Hash reductions Salts
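The birthday arithmetic behind the collision bullet, as an added example written for this transcript (not the presentation's code): the slide's 23-people and 60-people figures, and the same formula applied to an n-bit hash, which is why a hash offers only about n/2 bits of collision resistance.

```python
"""Birthday-bound arithmetic behind the 'birthday attack' bullet: how many
random values it takes before two collide, for birthdays and for hash outputs.

Added example, constructed for this transcript; not the presentation's code."""
import math


def collision_probability(k: int, space: int) -> float:
    """Exact probability that at least two of k values drawn uniformly from
    `space` possibilities collide (365 for birthdays, 2**bits for an ideal hash).
    Computed as 1 - P(all distinct) = 1 - prod_{i<k} (space - i) / space."""
    p_no_collision = 1.0
    for i in range(k):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision


def samples_for_probability(p: float, space: int) -> float:
    """Approximate k needed for collision probability p:
    k ~ sqrt(2 * space * ln(1 / (1 - p))); usable where the loop above is not."""
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p)))


def hash_birthday_bound(bits: int) -> float:
    """Hashes to compute for a ~50% collision on an ideal n-bit hash: about
    1.18 * 2^(n/2). A weak hash with biased output collides far sooner."""
    return samples_for_probability(0.5, 2.0 ** bits)


def collision_bits(bits: int) -> float:
    """Collision-resistance work in bits, i.e. log2 of the birthday bound."""
    return math.log2(hash_birthday_bound(bits))


if __name__ == "__main__":
    print(round(collision_probability(23, 365), 3))   # 0.507, the slide's 50%
    print(round(collision_probability(60, 365), 3))   # 0.994, the slide's 99%
    print(round(collision_bits(160), 1))              # ~80.2 for SHA-1's 160 bits
    print(round(collision_bits(256), 1))              # ~128.2 for SHA-256
```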

186 Social Engineering Persuasion Coercion (rubber-hose cryptanalysis) Bribery (purchase-key attack)

187 Other Common Attacks Meet-in-the-Middle Mathematical analysis that attacks a problem from both ends and attempts to find the solution by working toward the center of the operation from both sides. Man-in-the-Middle Attacker intercepts and modifies the data before transmitting to intended person. Poor Random Number Generation

188 Domain Objectives Definitions History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

189 Common Secure Protocols Privacy Enhanced Mail (PEM) Uses DES in Cipher-Block-Chaining (CBC) mode for confidentiality Can also use Electronic Code Book (ECB) or 3DES for key management For message integrity it uses either MD2 or MD5 hash Not compatible with Multipurpose Internet Mail Extensions (MIME) so not often used Pretty Good Privacy (PGP) Uses symmetric and asymmetric key cryptography Can use RSA, D-H, and Elgamal for asymmetric key Secure Multipurpose Internet Mail Extensions (S/MIME) De facto standard for privacy

190 Internet Security Uses Remote Access VPNs E-commerce Tools IPSec SSL/TLS Secure HTTP TLS

191 Cryptography Domain Summary Definitions History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

192 Information Security Governance and Risk Management

193 Domain Objectives Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

194 Information Security Environment Organizations must contend with complex laws, regulations, requirements, technology, competitors and partners while pursuing their business objectives. Management must take many things into account including morale, labor relations, productivity, cost, etc. Must develop an effective security program Overarching Organizational Policy Management’s Security Statement Regulations Competition Organizational Objectives Organizational Goals Laws Shareholders’ Interests

195 Information Security Triad Security planning Budget Business requirements Security metrics

196 Domain Objectives Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

197 Roles and Responsibilities Specific Delegate certain responsibilities for security to individuals Define acceptable and unacceptable behavior General Rules that let everyone know they are responsible for security Communicated at hiring Tell new hires the rules and consider annual review Verified capabilities and limitations Access to resources defined by job Third-party considerations Brief vendors, temps, contract staff on security requirements Good practices Keep it simple, relevant, understandable and communicate Reinforced via training Annual security training

198 Internal Roles Executive management set policy, allocate budget Board level “C” level Information systems security professionals advise management Developers create secure code Custodians and Operations staff Custodians – care of data Ops – run the computers

199 Internal Roles Security staff Data and system owners Classify Access permissions Users Task as assigned Legal, compliance, and privacy officer Inform/implement laws/regs Internal auditors Check on procedures Physical security Is IT or traditional security responsible?

200 External Roles Vendors/suppliers Contractors/consultants Service level agreements Temporary employees Customers

201 External Roles Business partners Outsourced relationships Outsourced security External audit

202 Human Resources Employee development and training Employee management Hiring and termination of employment

203 Hiring New Staff Background checks/security clearances Verify references and education records

204 Signed Employment Agreements Acceptable use Non-disclosure Non-compete Ethics

205 Personnel Good Practices Job descriptions/defined roles and responsibilities Least privilege Need to know Separation of duties Job rotation Mandatory vacations

206 Security Awareness, Training, and Education Compared by delivery methods and topics: Awareness – general knowledge; Training – job training, task based; Education – professional education, understanding

207 Good Training Practices Be relevant Scope properly Address the audience

208 Domain Objectives Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

209 Documented Security Program Focus on the mission of the organization Organizations are different Cost effective/risk based Security posture scale from 1 to 10: Promiscuous (1) – Permissive – Prudent – Paranoid (10)

210 Documented Security Program Strategic Long term planning Decide on job to do Tactical Medium term planning Manage jobs being done Operational Day to day operations Job being done

211 Security Program Management Staffing Not just workers but look at management Evaluate numbers needed Reporting Make sure everyone knows who they are to report to. Understand chain of command/reporting

212 Security Blueprints Identify and design security requirements Infrastructure security blueprints Holistic By Scott Berinato and Sarah Scalet: “Holistic security means making security part of everything and not making it its own thing. It means security isn’t added to the enterprise; it’s woven into the fabric of the application. Here’s an example. The non-holistic thinker sees a virus threat and immediately starts spending money on virus- blocking software. The holistic security guru will set a policy around usage; subscribe to news services that warn of new threats; re-evaluate the network architecture; host best practices seminars for users; and use virus blocking software and, probably, firewalls.” (www.cio.com)

213 ISO/IEC Series = ISMS Blueprints 27000:2009 – Overview and vocabulary 27001:2005 – Attainable certification 27002:2005/Cor 1:2007 – Code of practice 27003:2010 – ISMS implementation guidance 27004:2009 – Information security measurement 27005:2008 – Information security – risk management 27006:2007 – Certification vendor process 27799:2008 – Information security for health care organizations ISO = IT Risk Management

214 IT Security Requirements Complete Security Solutions Define security behavior of the control measure What is the problem you are trying to solve? Provide confidence that security function is performing as expected Does it solve the problem? Does your solution Solve the problem (best) Move the problem (good) Make it worse (bad)

215 Single Point of Failure Identify the processes Identify risks to the plan Who has too much control Be prepared

216 Domain Objectives Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

217 Security Policy Management’s goals and objectives IN WRITING Documents compliance Creates security culture

218 Examples of Functional Policies Data classification Certification and accreditation Access control Outsourcing Remote access Internet acceptable use Privacy Acquisition Change control Employment agreements, ethics IMPORTANT Say what to do NOT how to do it

219 Procedures Step by step actions Required Be detailed [Diagram: Policy → Standard, Baseline, Procedures, Guideline] Examples: Risk Assessment, Incident Management, Identity Management, Software Installation

220 Standards Common hardware and software products Examples: Desktop, Antivirus, Firewall Be decisive. Will say something like: We [verb] – We drug test; We use Norton AV software

221 Baselines Establish consistent implementation of mechanisms Platform unique Know minimum and understand what is normal Examples: VPN Setup, IDS Configuration, Password Rules

222 Guidelines Recommendations for implementations, procurement and planning Examples: Recommendations, Best Practices, ISO

223 Good Policy? Area IV Buddy System Policy THE AREA IV COMMANDER HAS DICTATED THAT ALL MILITARY SERVICE MEMBERS WILL USE THE “BUDDY SYSTEM” AT ALL TIMES, WITH THE EXCEPTION BELOW WHEN OFF A MILITARY INSTALLATION. THE “BUDDY SYSTEM” IS NOT REQUIRED, BUT HIGHLY RECOMMENDED FOR PERSONNEL TRAVELING DIRECTLY TO AND FROM THEIR DOMICILE ALL PERSONNEL WILL CARRY A S.O.F.A AND AN EMERGENCY TELEPHONE NUMBER CARD AT ALL TIMES. LOCAL COMMANDERS MAY ENACT MORE STRINGENT MEASURES. BY ORDER OF THE AREA IV COMMANDER

224 Domain Objectives Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

225 Risk Management Overview Identifying and reducing total risks Choosing mitigation strategies Setting residual risk at an acceptable level Integrating risk management processes into the organization (Total risk) – (countermeasures) = (residual risk)

226 Risk Management Purpose The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission. Including, but not limited to its IT assets. Risk is a function of the likelihood of a given threat exercising a particular vulnerability and the resulting impact of that adverse event on the organization.

227 Risk Management Benefits Focuses policy and resources Identifies areas with specific risk requirements Directs budget Supports Business continuity process Insurance and liability decisions Legitimizes security awareness programs

228 Risk Management Definitions Asset – something that is of value to the organization. Threat-source/agent – any circumstance or event with the potential to cause harm to an IT system. Threat – any potential danger to information or an information system. Exposure – an opportunity for a threat to cause loss, or the amount of loss suffered as a result of an attack. Vulnerability – flaw or weakness in system security procedure, design, implementation, etc. Likelihood – probability that a potential vulnerability is exercised.

229 Risk Management Definitions Attack/Exploitation – action intending to cause harm. Controls – administrative, technical or physical measures and actions taken to try to protect a system. Countermeasures – controls applied after the fact; reactive in nature. Safeguards – controls applied before the fact; proactive in nature. Total Risk – includes the factors of threats, vulnerabilities, and current value of the asset. Residual Risk – amount of risk remaining after countermeasures and safeguards are applied.

230 Risk Assessment Steps (SP): 1. System characterization 2. Threat identification 3. Vulnerability identification 4. Control analysis 5. Likelihood determination 6. Impact analysis 7. Risk determination 8. Control recommendations 9. Results documentation

231 Risk Assessment – Asset Valuation Tangible assets (can buy/sell): hardware, software, facilities, documentation, customer lists, and intellectual property. Intangible assets: personnel, reputation/brand, and morale.

232 Information Valuation Considerations Exclusive possession Utility Cost to acquire or create Liability Convertibility Operational impact Timing

233 Information/Risk Valuation Methods Modified Delphi Facilitated sessions Survey Interview Checklist

234 Quantitative Risk Analysis Assign monetary values. Labor and time intensive. Difficult to achieve; 100% quantitative is impossible. Why? There are always QUALITATIVE issues. RISK = MONEY

235 Quantitative Analysis Steps - Overview 1.Estimate potential losses – single loss expectancy (SLE) 2.Conduct a threat likelihood analysis Annualized rate of occurrence (ARO) 3.Calculate annual loss expectancy (ALE)

236 Step One: Estimate Potential Losses Single Loss Expectancy (SLE) SLE = AV ($) x EF (%) AV (Asset Value) EF (Exposure Factor)

237 Step Two: Threat Likelihood Analysis Annual Rate of Occurrence (ARO) Number of exposures or incidents that can be expected in a given year Likelihood of an unwanted event occurring

238 Step Three: Calculate ALE Annual Loss Expectancy (ALE) ALE = SLE * ARO Magnitude of risk = ALE Purpose: Justify security countermeasures
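A worked run of the three quantitative steps above (SLE = AV × EF, ALE = SLE × ARO) and of the "justify security countermeasures" purpose, written as an added example that is not part of the original slides. The asset value, exposure factors, rates of occurrence and control costs are constructed sample figures; the safeguard-value formula (ALE before the control, minus ALE after it, minus the control's annual cost) is the standard cost/benefit check and is assumed here rather than taken from the slides:

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV ($) x EF. EF is the fraction of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be fractional, e.g. 0.1 means once every ten years."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual value of a safeguard = (ALE before) - (ALE after) - (annual cost of safeguard).
    Positive: the control saves more than it costs. Negative: it costs more than it saves."""
    return ale_before - ale_after - annual_cost


@dataclass
class Scenario:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, 0.0 - 1.0
    aro: float              # expected incidents per year

    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    def ale(self) -> float:
        return annual_loss_expectancy(self.sle(), self.aro)


def evaluate_safeguard(before: Scenario, after: Scenario, annual_cost: float) -> dict:
    """Compare risk with and without a control and report whether the control is justified."""
    value = safeguard_value(before.ale(), after.ale(), annual_cost)
    return {
        "sle_before": before.sle(), "ale_before": before.ale(),
        "sle_after": after.sle(), "ale_after": after.ale(),
        "annual_cost": annual_cost, "value": value, "justified": value > 0,
    }


# Constructed example (not from the slides): a $100,000 customer-facing server.
# One incident is estimated to destroy 25% of its value (EF) and to occur about
# once every two years (ARO = 0.5).
BEFORE = Scenario("no control", asset_value=100_000, exposure_factor=0.25, aro=0.5)
# With the proposed control the impact drops to 5% and the frequency to once in four years.
AFTER = Scenario("with control", asset_value=100_000, exposure_factor=0.05, aro=0.25)

if __name__ == "__main__":
    for cost in (5_000, 15_000):   # two candidate controls with different annual costs
        r = evaluate_safeguard(BEFORE, AFTER, cost)
        print(f"SLE={r['sle_before']:,.0f} ALE={r['ale_before']:,.0f} -> "
              f"ALE after={r['ale_after']:,.0f} cost={cost:,} "
              f"value={r['value']:,.0f} justified={r['justified']}")
```

With these figures the SLE is $25,000 and the ALE $12,500; the control cuts the ALE to $1,250, so a $5,000-a-year control is justified (value $6,250) while a $15,000-a-year one is not (value −$3,750). The numbers only feed a decision; the qualitative questions the next slide raises still have to be asked.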

239 Qualitative Risk Analysis Scenario oriented No $ values Rank seriousness of threats and sensitivity of assets Perform a carefully reasoned risk assessment

240 Hybrid Risk Analysis Quantitative Qualitative FMEA (failure modes and effects analysis) Risk assessment originally concerned with manufacturing defects Focuses on the upstream and downstream impact of a failure Defines risk in immediate, near-term and long-term impact FTA (fault tree analysis) Analytical technique for system safety Used to consider all possible threats and then “trim” down to the most relevant risks

241 Risk Management Options Acceptance = Absorb the effect of an incident Mitigation = Implement controls Transference = Insurance Avoidance = Stop it

242 Security Control Selection Principles Cost/benefit analysis: don't spend more to protect an asset than it is worth. Accountability: at least one person for every control; include accountability in performance reviews. Absence of design secrecy: ability to change out the controls at some time in the future without extraordinary rework cost; interoperability with other controls; confidence in the design. Audit capability: controls must be testable; include auditors in design and implementation.

243 Security Control Selection Principles Vendor trustworthiness Independence of control and subject Universal application Compartmentalization Defense in depth Isolation, economy, and least common mechanism

244 Security Control Selection Principles Acceptance and tolerance of personnel (pushback) Minimum human intervention Sustainability Reaction and recovery Override and fail-safe defaults Residuals and reset

245 Risk Evaluation and Assurance Cyclical nature of risk – U.S. and EU regulatory bodies have mandated risk management as a business process. Frequency of re-evaluation is based upon the speed of change in each industry or organization: ongoing review, periodic review. Liability – management has the responsibility of remaining informed about risk management activities and of making the final decisions. If they fail to do so, they are potentially in violation of regulatory or industry standards. This is one of the reasons why internal auditors should report directly to senior executives rather than through the normal chain of command.

246 Domain Objectives Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

247 Ethical Environments Ethics are difficult to define. Do No Harm. Begins with senior management. Guidelines for Establishment of Ethics: corporate ethics to include ethical use of computers; in functional policies (privacy, acceptable use, etc.); active monitoring of network activities combined with responsible investigation of incidents and enforcement; handbooks and guides; training; reviews.

248 Ethical Responsibility Global responsibility National Organizational Personal

249 Ethical Responsibility of all CISSPs "Set the Example" Encourage adoption of ethical guidelines and standards. Inform users about ethical responsibilities through security awareness training.

250 Basis and Origin of Ethics Religion Law National interest Individual rights Common good/interest Enlightened self-interest Professional ethics/practices Standards of good practice Tradition/culture

251 Formal Ethical Theories Teleology (Star Trek – needs of the many) Ethics in terms of goals, purposes, or ends Deontology (duty of most powerful to protect least powerful) Ethical behavior is a duty Informed consent – notified and agree

252 Relevant Professional Codes of Ethics (ISC)² RFC 1087 Internet Architecture Board

253 (ISC)² Code of Ethics Preamble "Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior." "Therefore, strict adherence to this code is a condition of certification."

254 (ISC)² Code of Ethics Canons "Protect society, the commonwealth, and the infrastructure." "Act honorably, honestly, justly, responsibly, and legally." "Provide diligent and competent service to principals." "Advance and protect the profession." In that order

255 Internet Architecture Board (IAB) Any activity is unethical and unacceptable that purposely: Seeks to gain unauthorized access to Internet resources Disrupts the intended use of the Internet Wastes resources (people, capacity, computer) through such actions Destroys the integrity of computer-based information Compromises the privacy of users Involves negligence in the conduct of Internet-wide experiments

256 RFC 1087 Access to and use of the Internet is a PRIVILEGE and should be treated as such by all users. RFC 1087 refers to "Negligence in the conduct of Internet-wide experiments" as "irresponsible and unacceptable," but does not specifically label such conduct "unethical". Internet Engineering Task Force (IETF)

257 Information Security Governance and Risk Management Domain Summary Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

258 Legal, Regulations, Investigations, and Compliance

259 Domain Objectives Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance

260 International Legal Systems Common law Criminal law Civil law Administrative law Religious law Customary law Mixed law Maritime law

261 Jurisdiction Law, economics, beliefs and politics Law enforcement agencies will work together, even cross borders. But sometimes countries don’t agree. Sovereignty of nations Laws aren’t always the same country to country. Nations are making an effort to harmonize their laws in order to promote uniform enforcement and cooperation where possible.

262 Computer Crimes vs. Traditional Crimes Traditional Crime Violent Property Public order Computer Crime Real property Virtual property

263 Computer Crime Crime against a computer Crimes using a computer Electronic equipment as source of evidence

264 Reasons for Criminal Behavior Ego Financial gain Revenge

265 Advanced Persistent Threat (APT) Source – group with capabilities and intent to persistently and effectively target a specific entity Attack vector – infected media, supply chain compromise, social engineering, etc. Advanced – have full spectrum of intelligence gathering techniques at their disposal Persistent – priority to a specific task. Implies that they are guided by external entities. Threat – capability and intent. Coordinated human action instead of automation, specific objective. Skilled, motivated, organized and well funded

266 International Cooperation Initiatives related to international cooperation in dealing with computer crime The Council of Europe (CoE) Cybercrime Convention Example of multilateral attempt to draft an international response to criminal behaviors targeted at technology and the Internet.

267 Intellectual Property Protection Organizations must protect intellectual property Theft Loss Corporate espionage Improper duplication Intellectual property must have value Organization must demonstrate actions to protect IP

268 Intellectual Property: Trademark Purpose of a trademark Characteristics of a trademark Word Name Symbol Color Sound Product shape

269 Intellectual Property: Copyright Covers the expression of ideas Writings Recordings Computer programs Etc. Weaker than patent protection

270 Intellectual Property: Trade Secrets Must be confidential Protection of trade secret

271 Intellectual Property: Software Licensing Categories of software licensing: Freeware Shareware Commercial Academic Master agreements and end user licensing agreements (EULAs)

272 Encryption Import and Export Law Strong encryption restrictions: previously anything over 40 bits was considered strong encryption. U.S. companies can now export any encryption software to individuals, commercial firms or other non-government end users in any country, with no enemy states: Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. Many countries require the importer of equipment containing strong cryptography to provide the government or law enforcement with a copy of their private keys. Controls on dual-use goods: cryptography has long been considered a munition or weapon of war. It can be used for commercial or military purposes, therefore it is considered dual-use and controlled as a military weapon. Wassenaar Arrangement: 39 countries are parties to the agreement, which specifies all controlled dual-use goods, including encryption products and products that use encryption.

273 Domain Objectives Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance

274 Liability Legal responsibility Know responsibilities to employees, customers, etc. Penalties Can range from compensation to criminal penalties for violation of law Negligence and liability Important factor in determining liability Determined by courts or other quasi-legal body

275 Protection of Assets Legal obligation Prudent person rule Must demonstrate practice of due care

276 Negligence Acting without care (absence of due care). Negligence = the gap from the regulation or best practice. Due Care = Policy. Due Diligence = Action.

277 Privacy Laws and Regulations Rights and Obligations of: Individuals Identity theft Organizations Collection, sharing, storage, processing of personal info Actual laws depend on jurisdiction

278 International Privacy Organization for Economic Co-operation and Development (OECD): group of 30 member countries; eight core principles: 1. Limits to collection of personal data, which should be obtained legally 2. Personal data should be relevant to its use 3. The purpose for gathering personal data should be specified no later than the time the data is collected 4. Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified above 5. Personal data should be protected by reasonable security 6. General policy of openness about developments, practices and policies with respect to personal data 7. Individuals should have the right to find out whether a data controller has data about them, to communicate with the data controller about data relating to them, and to be able to challenge the data and, if successful, have it erased, rectified, completed or amended 8. The data controller should be accountable for complying with these measures

279 Personally Identifiable Information (PII) Identify or locate an individual Controls on collection and use Many countries have laws governing this Global effect Laws are different in each country. What laws govern?

280 Employee Privacy Employee monitoring Authorized usage policies Training

281 Transborder Data Flow Political boundaries Privacy Investigations Jurisdiction

282 Privacy Law Examples Health Insurance Portability and Accountability Act (HIPAA) Personal Information Protection and Electronic Documents Act (PIPEDA) European Union Data Protection Directive

283 Domain Objectives Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance

284 Incident Management Incident – event that causes harm Protect Detect Respond Prepare Sustain Improve Protect Infrastructure

285 Incident Response: Overview Response capability Policy and guidelines Response Incident response phases Triage Containment Investigation Analysis and treatment Recovery Debriefing Metrics Public disclosure

286 Incident Response: Objectives Incident response in its simplest form is the practice of: Detecting a problem Determining its cause Minimizing the damage it causes Resolving the problem Documenting each step of the response for future reference Effectively and appropriately communicating issues

287 Response Capability The foundation for incident response (IR) is comprised of: Policy Authority Procedures Approved Management of evidence

288 Incident Response – External Parties Escalation process Employees should be trained and have approved procedures that include when an incident or crime must be reported to higher management, outside agencies or law enforcement Interaction with third-party entities Complex issues involving: Jurisdiction (who has control) Status of crime (already committed, in progress, or planned) Nature of the evidence (circumstantial, conclusive) Nature of the crime (in many jurisdictions, some crimes MUST be reported)

289 Incident Response and Handling Phases Triage Investigation Containment Analysis and tracking

290 Triage Detection False positives Classification Internal versus external One system or many What is the root cause versus the symptoms Notification Priorities and escalation Senior management or other departments Business partners Law enforcement Note: Prioritization is one of the most important aspects

291 Investigation Phase Objectives Desired outcomes of this phase are: Reduce the impact Identify the cause Get back up and running in the shortest possible time Prevent the incident from re-occurring

292 Investigation Considerations The investigative phase must consider: Adherence to company policy Confidentiality Applicable laws and regulations Proper evidence management and handling

293 Investigation Process Identify suspects Identify witnesses Identify system Identify team Search warrants

294 Investigation Techniques Ownership and possession analysis Means, opportunity, and motive (MOM)

295 Behavior of Computer Criminals Computer criminals have specific MOs Hacking software/tools Types of systems or networks attacked, etc. Signature behaviors Profiling

296 Interviewing vs Interrogation Open-ended Questioning General gathering Cooperation Seek truth Closed-ended Questioning Specific aim Hostile Dangerous Should only be done by TRAINED professionals

297 Investigation Phase Components Components of this phase: Analysis Interpretation Reaction recovery

298 Containment Reduce the potential impact of the incident Systems, devices, or networks that can become “infected” The containment strategy depends on: Category of the attack Asset(s) affected Criticality of the data or system

299 Analysis and Tracking Goals Obtain sufficient information to stop the current incident Prevent future “like” incidents from occurring Identify what or who is responsible

300 Analysis and Tracking Logs Dynamic nature of the logs Feeds into the tracking process Working relationship with other entities

301 Reporting and Documentation Law Court proceedings Policy Regulations

302 Recovery Phase Goal To get back up and running The business (worst case) Affected systems (best case) Protect evidence

303 Recovery and Repair Recovery into production of affected systems Ensure system can withstand another attack Test for vulnerabilities and weaknesses

304 Closure of the Incident and Feedback Incident response is an iterative process Improve processes and controls Closure of the incident Feedback from all participants

305 Communication about the Incident Public disclosure Authorized personnel only

306 Domain Objectives Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance

307 Computer Forensics: Evidence Potential evidence Digital Forensic Science Research Workshop (DFRWS) defines digital forensic science as – “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized action shown to be disruptive to planned operations.” Evidence and legal systems Computer forensics is generally applied according to the standards of evidence admissible in a court of law

308 Computer Forensics: Evidence Identification of evidence Collecting of evidence Use appropriate collection techniques Reduce contamination Protect the scene Maintain the chain of custody and authentication

309 Collection of Digital Evidence Volatile and fragile Short lifespan Collect quickly By order of volatility Document, document, document

310 Chain of Custody for Evidence Who What When Where How

311 Forensic Evidence Procedure Receive media Disk write blocker Bit for bit image Cryptographic checksum Store the source drive
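The procedure on this slide and the chain-of-custody questions on the previous one, carried through in code as an added example that is not part of the original slides. It images a constructed sample "drive" bit for bit, hashes the source while reading and the image again from disk, records a custody entry, and then shows the checksum catching a later change to the working copy. The source is opened read-only; on real media a hardware write blocker is what enforces that, and the file names, examiner and location values are placeholders:

```python
import datetime
import hashlib
import json
import os
import tempfile

CHUNK = 4096  # read size; on real media this would be a multiple of the sector size


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large images never sit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path: str, image_path: str) -> dict:
    """Bit-for-bit copy of the source into an image file. The source is hashed as it
    is read; the image is then re-read from disk and hashed independently, so the
    two digests prove the copy is complete and exact."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            img.write(chunk)
    image_digest = sha256_file(image_path)
    return {
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_digest,
        "bytes": os.path.getsize(image_path),
        "verified": src_hash.hexdigest() == image_digest,
    }


def custody_entry(log_path: str, who: str, what: str, where: str, how: str, sha256: str) -> dict:
    """Append one chain-of-custody record (who, what, when, where, how) as a JSON line."""
    entry = {
        "when": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
        "who": who, "what": what, "where": where, "how": how, "sha256": sha256,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-hash a copy; any change since acquisition breaks the match."""
    return sha256_file(image_path) == expected_sha256


def demo() -> tuple:
    """Run the procedure on constructed sample media in a temporary directory.
    Returns (copy verified, copy still intact, copy intact after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "suspect_media.bin")
        with open(source, "wb") as f:          # constructed 10,240-byte "drive"
            f.write(bytes(range(256)) * 40)
        image = os.path.join(d, "evidence_001.dd")   # placeholder evidence name
        result = acquire_image(source, image)
        custody_entry(os.path.join(d, "custody.jsonl"), who="examiner (placeholder)",
                      what="evidence_001.dd", where="lab (placeholder)",
                      how="acquire_image()", sha256=result["image_sha256"])
        intact = verify_image(image, result["image_sha256"])
        with open(image, "r+b") as f:           # simulate a single changed byte
            f.write(b"\xff")                    # source byte 0 is 0x00, so this differs
        after_tamper = verify_image(image, result["image_sha256"])
        return result["verified"], intact, after_tamper
```

Analysis should then be done on a further copy of the verified image, never on the source drive, which is stored as the slide says; the recorded digest is what lets anyone later show the working copy still matches what was acquired.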

312 Evidence: Hearsay Hearsay Second-hand evidence Normally not admissible Business records exception Computer-generated information Process of creation description Can you cross examine it?

313 Evidence Analysis and Reporting Scientific methods for analysis Characteristics of the evidence Comparison of evidence Event reconstruction Presentation of findings Interpretation and analysis Format appropriate for the intended audience

314 Computer Forensics Key components Computer forensics is not a piece of software or hardware. It is a set of procedures and protocols. Methodical, Repeatable, Defensible, Auditable Crime scenes Digital evidence Non-criminal cases Divorce, breach of contract, dissolution of corporation or partnership, embezzlement, personal injury, etc.

315 Forensic Evidence Analysis Procedure Recent activity Keyword search Slack space Documented

316 Media Analysis Recognizing operating system artifacts Types of files created as the system runs Where they should be What their contents are likely to be File system Timeline analysis Modified Accessed Created Searching data

317 Software Analysis What is does What files it creates

318 Network Analysis Data on the wire Ports Traffic hiding

319 Domain Objectives Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance

320 Knowing legislation Following legislation

321 Regulatory Environment Examples Sarbanes-Oxley (SOX) Meant to enhance corporate governance through measures that will strengthen internal checks and balances and, ultimately, strengthen corporate accountability. Gramm-Leach-Bliley (GLB) Protects the privacy of consumer information held by financial institutions Basel II Regulatory harmony in the international banking community

322 Compliance Roles and Responsibilities Information owner Local manager Auditor Individual

323 Audit Report Format Introduction Background Audit perspective Scope & objectives What was done Executive summary Internal audit opinion Detailed report including auditee responses Appendix Exhibits

324 Legal, Regulations, Investigations, and Compliance Domain Summary Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance

325 Operations Security

326 Domain Objectives Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

327 Control Over Privileged Entities Review of access rights Supervision Monitoring/audit

328 Operator Privileges Initial program load (IPL) Monitor system execution Control job flow Mount I/O volumes Bypass label processing (BLP) Renaming/relabeling resources Reassigning ports/lines

329 Administrators Systems administrators Network administrators Database administrators

330 Administrator Privileges Summary Control network operations Server startup and shutdown Reset system configurations Backups System maintenance Customer service Network administrator duties

331 Backup Types File image System image Data mirroring Electronic vaulting Remote journaling Database shadowing Redundant servers Standby services

332 Software and Data Backup Operations controls must ensure adequate backups of: Data Operating Systems Applications Transactions Configurations Reports

333 Backup Integrity Backup storage locations Backups must be tested Alternate site recovery plan Site specific software

334 RAID – Redundant Array of Independent Disks Hardware based Software based Hot Spare Global Hot Spare (all disk in array) Dedicated Hot Spare (individual disk in array)

335 RAID Level 0 Striping Two or more disks No redundancy Performance only

336 RAID Level 1 Exact copy (mirror) Two or more disks Fault tolerant 200% cost

337 RAID Level 2 Striping of data with error correcting codes (ECC) Requires more disks than RAID 3/4/5 Not used

338 RAID Level 3/4 Byte/block level stripes; 1 drive for parity; all other drives are for data.
        Disk A      Disk B      Parity
Row 1   Stripe 1A   Stripe 1B   P(1A, 1B)
Row 2   Stripe 2A   Stripe 2B   P(2A, 2B)
Row 3   Stripe 3A   Stripe 3B   P(3A, 3B)
Row 4   Stripe 4A   Stripe 4B   P(4A, 4B)

339 RAID Level 5 Block-level stripes; data and parity interleaved amongst all drives; the most popular RAID implementation.
        Disk A      Disk B      Disk C
Row 1   Stripe 1A   Stripe 1B   P(1A, 1B)
Row 2   P(2B, 2C)   Stripe 2B   Stripe 2C
Row 3   Stripe 3A   P(3A, 3C)   Stripe 3C
Row 4   Stripe 4A   Stripe 4B   P(4A, 4B)
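What the P(...) blocks in the RAID 3/4 and RAID 5 diagrams actually are, and why one lost drive is survivable, as an added example that is not part of the original slides. Parity is the bitwise XOR of the data blocks in a stripe; because XOR is its own inverse, any single block in the stripe (data or parity) is the XOR of the others. The layout below rotates the parity block across disks in the same pattern as the RAID 5 diagram above (row 1 on Disk C, row 2 on Disk A, ...), and `rotate=False` pins it to the last disk as in RAID 3/4. The block contents are constructed sample data:

```python
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bitwise XOR of equal-length blocks: the parity used by RAID 3/4/5."""
    out = bytearray(blocks[0])
    for blk in blocks[1:]:
        if len(blk) != len(out):
            raise ValueError("all blocks in a stripe must be the same size")
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def parity_disk_for_row(row: int, n_disks: int, rotate: bool) -> int:
    """RAID 5 rotates parity across the disks; RAID 3/4 keep it on one dedicated disk."""
    return (n_disks - 1 + row) % n_disks if rotate else n_disks - 1


def build_array(data_blocks: List[bytes], n_disks: int, rotate: bool = True) -> List[List[bytes]]:
    """Lay data blocks out as stripes across n_disks with one parity block per stripe.
    Returns disks[d][row]: the block stored on disk d in stripe row."""
    per_row = n_disks - 1
    if n_disks < 3 or len(data_blocks) % per_row:
        raise ValueError("need at least 3 disks and a whole number of stripes")
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for row in range(len(data_blocks) // per_row):
        chunk = data_blocks[row * per_row:(row + 1) * per_row]
        parity = xor_blocks(chunk)
        p = parity_disk_for_row(row, n_disks, rotate)
        data_iter = iter(chunk)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(data_iter))
    return disks


def rebuild_disk(disks: List[Optional[List[bytes]]], lost: int) -> List[bytes]:
    """Recover every block of a failed disk (entry `lost` may be None): each block is
    the XOR of the surviving blocks in its stripe, whether it held data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != lost]
    return [xor_blocks([s[row] for s in survivors]) for row in range(len(survivors[0]))]


def read_data(disks: List[List[bytes]], rotate: bool = True) -> List[bytes]:
    """Return the data blocks in their original order, skipping the parity blocks."""
    n = len(disks)
    out: List[bytes] = []
    for row in range(len(disks[0])):
        p = parity_disk_for_row(row, n, rotate)
        out.extend(disks[d][row] for d in range(n) if d != p)
    return out


# Constructed sample data: eight 4-byte blocks, two data blocks per stripe on 3 disks.
SAMPLE = [b"blk0", b"blk1", b"blk2", b"blk3", b"blk4", b"blk5", b"blk6", b"blk7"]


def simulate_failure(data_blocks: List[bytes] = SAMPLE, n_disks: int = 3,
                     lost: int = 1, rotate: bool = True) -> bool:
    """Build the array, lose one whole disk, rebuild it, and check the data survived."""
    disks = build_array(data_blocks, n_disks, rotate)
    degraded: List[Optional[List[bytes]]] = list(disks)
    degraded[lost] = None                      # the failed drive
    degraded[lost] = rebuild_disk(degraded, lost)
    return read_data(degraded, rotate) == list(data_blocks)   # type: ignore[arg-type]


if __name__ == "__main__":
    for d, blocks in enumerate(build_array(SAMPLE, 3)):
        print(f"Disk {'ABC'[d]}:", blocks)
    print("rebuild after losing Disk B:", simulate_failure(lost=1))
```

A second simultaneous failure leaves a stripe with two unknowns and one equation, which is exactly the limit RAID 6 removes by adding a second, differently computed parity block.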

340 RAID Level 6 Block-level stripes All drives used for data AND parity Two parity types Higher costs More fault tolerant than RAID implementations 2 - 5

341 RAID Level 0+1 Mirroring and striping; higher cost; higher speed. [Diagram: blocks A1–A8 striped across a RAID 0 set, with that set mirrored by RAID 1 to form RAID 0+1]

342 RAID Level 10 Mirroring and striping; higher cost; higher speed. [Diagram: blocks A1–A8 on RAID 1 mirrored pairs, striped by RAID 0 to form RAID 10]

343 Configuration Management Elements Hardware inventory Hardware configuration chart Software licensing management Firmware Documentation requirements Testing

344 Hardware Inventory Up-to-date listing of all equipment Location Owner Serial and model numbers

345 Change Control Management Policy Business and technology balance Defines a process for authorized change Process of changes Ownership of changes Changes are reviewed for impact on security

346 Patch Management Knowledge of patches: know when patches for all software you own are released by the vendor. Testing: test all patches, and new software, in a test environment prior to going live. Deployment: can be challenging; should be automated to ensure no machine is missed. Zero-day challenges: the vulnerable window between a patch being released and being able to apply it.

347 Software Issues Pirating software Version control

348 Job Documentation Scheduling Dependencies Error codes Inputs and outputs Backout procedures

349 Security Administrator Roles Policy Development Implementation Maintenance and compliance Vulnerability assessments Incident response

350 Security Administrator Responsibilities User-oriented activity management Information classification implementation Audit log monitoring and review Security tool oversight and management

351 Domain Objectives Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

352 Misuse Prevention
Threat              Countermeasures
Personal use        Acceptable use policy, workstation controls, web content filtering, and filtering
Theft of media      Appropriate media controls
Fraud               Balancing of input/output reports, separation of duties, and verification of information
Sniffers            Encryption and policy

353 Domain Objectives Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

354 System Recovery – Trusted Recovery Correct implementation according to Policy Failures don’t compromise a system’s secure operation Trusted path

355 Types of Trusted Recovery System Reboot – shutting down computer in a normal fashion after a failure Emergency System Restart – done when a system fails in an uncontrolled manner. Media may be in an inconsistent state. System enters maintenance mode, automatically performs recovery, and system restarts with no user processes in progress. System Cold Start – system fails and cannot restart without human intervention

356 Control Failure Modes Fail secure (fail closed) Fail soft (fail open) Fail safe (fails in a way that will cause no or minimal harm)

357 Fault Tolerance Hardware failure is planned for System recognizes a failure Automatic corrective action Standby systems Cold – configured, not on, lost connections Warm – on, some lost data or transactions (TRX) Hot – ready, failover

358 Domain Objectives Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

359 Facility Support Systems Fire protection HVAC Electrical power goals UPS Water Communications Alarm system

360 Domain Objectives Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

361 Media Management Practices Sensitive Media Controls Marking Labeling Handling Storing Declassifying

362 Media Management Tapes Storage Encryption Retrieval Disposal

363 Object Reuse Securely reassigned Disclosure Contamination Recoverability

364 Clearing of Magnetic Media Overwriting Degaussing Data remanence Physical destruction

365 Records Management Considerations for records management program development Business need Guidelines for developing a records management program Records retention Declassification Legal requirements Privacy Absent law or regulation to the contrary, a business can set any retention policy it wishes

366 Protection of Operational Files Library maintenance – protect production programs and applications as well as data Backups Source code Object code Configuration files Librarian - sole person with write access to the main system files, backups and application libraries. Should never be filled by a developer or person initiating the change request

367 Domain Objectives Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

368 Personnel Privacy and Safety – Mobile Computing Components Devices Limitations (e.g. privacy, safety, etc.) Mobile device management

369 Personnel Privacy and Safety – Social Networks Social networks Connection services Social dynamics Storage of data Potential dangers

370 Operations Security Domain Summary Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

371 Physical (Environmental) Security

372 Domain Objectives Physical Security Threats and Controls Perimeter Security Building and Inside Security Secure Operational Areas

373 Goals of Physical Security Deter would-be intruders. Delay long enough to detect and respond before damage occurs. Detect in a timely manner. Assess the method of attack. Respond appropriately without overreacting. Recover to normal operating status.

374 The Primary Goal Remember that life, health, and safety are always the first priorities in physical security!

375 Threats to Physical Security Natural/environmental History of natural disasters in the area Utilities Communications outages, power outages, etc. Circumstantial Fire or break-in at a neighboring building, strike at a critical point in supply chain, etc. Human-made/political events Explosions, vandalism, theft, terrorist attacks, strikes, activism, riots, etc.

376 Threat Sources External activists Staff Intelligence agents/foreign governments Petty criminals

377 Threat Sources and Controls
Threat               Control
Theft                Locks
Espionage            Background checks
Dumpster diving      Disposal procedures
Social engineering   Awareness
Shoulder surfing     Screen filters
HVAC access          Motion sensors in ventilation ducts

378 Facility Vulnerabilities Location Layout and design Age and condition

379 Location Security Considerations Emergency services Fire Security Visibility Controlled access public transit

380 Countermeasures and Controls Environmental controls may be: Physical Administrative/managerial Technical Layered defense/defense in depth

381 Crime Prevention Through Environmental Design (CPTED) Principle of deterring crime through managing the potential crime scene Territoriality Restricted access Surveillance Monitoring Access control Entrances Maintenance

382 Domain Objectives Physical Security Threats and Controls Perimeter Security Building and Inside Security Secure Operational Areas

383 Perimeter and Building Boundary Protection First line of defense. Protective barriers: natural, structural.

384 Fences May be restricted by local regulations Inspections Parking should not be allowed near fences 1 meter/3-4 feet – will deter casual trespassers 2 meters/6-7 feet – too high to climb easily 2.5 meters/8 feet – will delay the determined intruder Top guard will add 2-3 feet. Can be defeated by blanket, mattress, towel, etc.

385 Controlled Access Points Gates are the minimum necessary layer Bollards Permanent or retractable post used to deter vehicle-based attacks

386 Perimeter Intrusion Detection Systems Detect unauthorized access into an area Electronic “eyes” Note that some perimeter IDS can function inside the perimeter as well Physical IDS Photoelectric Ultrasonic Microwave Passive IR Pressure sensitive Sounds/vibration Electrical circuits Motion sensors

387 Closed Circuit Television (CCTV) CCTV capability requirements Detection Recognition Identification Mixing capabilities Adding IR/thermal Virtual CCTV systems Fake systems

388 CCTV Concerns Total surveillance requirements Operating parameters (correct lens, angle?) Size depth, height, and width Pan, tilt, and zoom Lighting Contrast

389 CCTV Protection and Image Retention Storage of images Maintenance Privacy

390 Guards and Guard Stations Guards Deterrent Possible liability Contractors Guard stations

391 Domain Objectives Physical Security Threats and Controls Perimeter Security Building and Inside Security Secure Operational Areas

392 Building Entry Points Doors Windows Loading ramps Elevator shafts Ventilation ducts Crawlspaces Sewage or steam lines

393 Doors Isolation of critical areas Lighting of doorways Contact devices Guidelines Solid core Hinges fixed to frame with minimum of 3 hinges per door Lighting Should not open out except as required by building codes Locks should be daytime (push button) and 24 hour (deadbolt) Door frame should be permanently fixed to the adjoining wall studs Have same fire-resistance rating as adjacent walls Etc.

394 Access and Visitor Logs Identification/sign in and out Temporary badges Vehicles Escort

395 Turnstiles and Mantraps Counter tailgating/piggybacking (an unauthorized person following an authorized one through a controlled door) by admitting only one person per authentication

396 Types of Locks Something you have – keyed Something you know – combinations Something you are – biometric

397 Keyed Locks Lock components Body Strike Strike plate Key Cylinder

398 Lock Controls Lock and key control system Key control procedures Who has access to keys Keys issued Key inventory Default settings changed Change combinations Failure modes (what an electric lock does on power loss) Fail soft (unlocked) Fail secure (locked) Fail safe (allow exit but not entry) Whatever the mode, people must always be able to get out: life safety comes first

399 Electronic Physical Controls Card access Biometric access methods

400 Windows and Glass Standard plate glass Tempered glass 5 – 7 times more break resistant than plate and breaks into small, less dangerous fragments Acrylic materials Stronger than plate Burn and produce toxic fumes, scratch easily and yellow over time Polycarbonate windows Resistant to abrasion, chemicals and fire, and even anti-ballistic Very expensive

401 Glass and Window Protection Laminate Solar film Bomb blast film/curtains Wired glass Intrusion detection/glass breakage sensors

402 Internal Intrusion Detection Systems Closed circuit television Sensors and monitors

403 Types of Lighting Continuous lighting Trip lighting Standby/backup lighting Emergency exit/egress lighting Infrared/night vision

404 Domain Objectives Physical Security Threats and Controls Perimeter Security Building and Inside Security Secure Operational Areas

405 Equipment Room Perimeter enclosure Controls Policy Emergency power off (EPO) switch

406 Data Processing Facility Small devices threat Digital camera Cell phone cameras USB drive Etc. Server room Most important requirements are space, power, air conditioning, access control and security monitoring Mainframes Storage

407 Communications Wireless access points Network access control Cabling conduit

408 Access to Utility Rooms Power rooms Breaker panels Water Ventilation Gas

409 Work Area Keeping a work area safe is important for everyone Operators Only allow access as needed/monitor System administrators Only allow access as needed/monitor Restricted work areas Only a select few people need access

410 Equipment Protection Inventory Locks and tracing equipment Data encryption Disabling I/O ports

411 Environmental Controls System Electric power HVAC Water/plumbing Gas Refrigeration Threat Loss of power Overheating Flood/dripping Explosion Leakage

412 Fire Protection Prevention – reduce causes Detection – alert occupants Suppression – contain or extinguish Wet-pipe sprinkler Most reliable Simple Water under pressure; when a sprinkler head breaks, water comes out Dry-pipe sprinkler Pipes hold pressurized air; water is held back by a valve and released when a sensor activates, then the pipes fill with water and the sprinkler engages Slower than wet-pipe, but suited to areas where water standing in the pipes could freeze

413 Materials and Suppression Agents (class – type of material – suppression agents)
Class A – Common combustibles – Water, foam, dry chemicals
Class B – Combustible liquids – Inert gas, CO2, foam, dry chemicals
Class C – Electrical – Inert gas, CO2, dry chemicals
Class D – Combustible metals – Dry powders
Class K – Cooking media (fats) – Wet chemicals
Suggested way to remember each: Ash, Boil, Current, Drive, Kitchen

414 Three Legs of a Common Fire (heat, fuel and oxygen, plus the chemical chain reaction that sustains the fire; remove any one and the fire goes out) Reduce heat: Water Remove fuel: Firefighters Displace oxygen: CO2/foam Bind (interrupt the chain reaction): Purple K, Halon and the like

415 Flooding Area Coverage Water – sprinkler systems Gas – halon/CO2/argon systems Best practices for systems Portable extinguishers

416 Loss of Electrical Power UPS Generators Goals of power – clean and steady power Power controls Emergency power off (EPO) switch Power line monitors Total load

417 Heating, Ventilation, Air Conditioning Location Positive pressure Can indicate unauthorized physical breach Helps minimize dust Maintenance

418 Other Infrastructure Threats Vermin Electromagnetic fields Excess vibration

419 Physical (Environmental) Security Domain Summary Physical Security Threats and Controls Perimeter Security Building and Inside Security Secure Operational Areas

420 Security Architecture and Design

421 Domain Objectives System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

422 Definitions and Key Concepts Information security management system (ISMS) Set of standards for addressing security throughout the development, deployment and implementation schedule Enterprise security architecture (ESA) Includes all areas of security for an organization: leadership, strategy, planning, etc. Information security architecture (ISA) Another term for ISO/IEC Best practice Well-recognized and accepted approach to designing, developing, managing/monitoring and enhancing processes

423 Definitions and Key Concepts Architecture High-level perspective of how business requirements are to be structured and aligned with technology and processes Framework Defined approach to the process used to achieve the goals of an architecture, based on policy Infrastructure Integrated building blocks that support the goals of the architecture Model Outlines how security is to be implemented within the organization

424 Definitions and Key Concepts Good security architecture Strategic Provides a long-range perspective that is less subject to tactical changes in technology Business requirements based Understand business and security and design a system that meets those requirements Holistic Understanding all the parts of the business and interconnecting them Design Blueprint Integration and development of technology infrastructure into the business process Multiple implementations Flexibility due to location and business constraints

425 Definitions and Key Concepts Benefits of a good security architecture Consistently manage risk Reduce the costs of managing risk Accurate security-related decisions Promote interoperability, integration, and ease of access Provide a frame of reference (for other organizations interacting with the enterprise)

426 Domain Objectives System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

427 Architecture Components What are the security limitations and benefits of each component? Hardware Firmware Central processing units Input/output devices Software Architectural structures Storage and memory

428 Hardware: Computers Mainframe Minicomputers Microcomputers/desktops Servers Laptop/notebook Embedded From a security perspective, each security risk must be addressed individually

429 Hardware: Mobile Devices USB storage Portable hard drives PDAs and mobile phones

430 Hardware: Printers Multifunctional Network aware More than output device Full operating system

431 Hardware: Communication Devices Modem Network Interface Card (NIC)

432 Hardware: Wireless Wireless network interface card Wireless access point Wireless Ethernet bridge Wireless router Wireless range extender

433 Firmware: Pre-Programmed Chips ROM (read-only memory) PROMs (programmable read-only memory) EPROMs (erasable programmable read-only memory) EEPROMs (electrically erasable programmable read-only memory) Field programmable gate arrays (FPGAs) Flash chips Embedded system

434 CPU Functionality Multitasking Multiprogramming Multiprocessing Multiprocessor Multi core Multithreading Direct memory access (DMA)

435 Real-Time Systems Time and mission critical systems – systems that support mission critical services such as flight controls, alarms and monitoring sensors Immediate processing High levels of fault tolerance Failover

436 Virtual Machines Mimic the architecture of the actual system Resources provided by the host system

437 CPU and Processor Privilege States Privilege modes: Supervisor state; Problem (user) state Process states: Running; Ready; Blocked Interrupt handling: Masked/interruptible

438 Input/Output (I/O) Devices I/O controller Managing memory Hardware

439 Software: Operating System Hardware control Hardware abstraction Resource manager Design Kernel

440 Software: Utilities and Drivers System utilities Maintenance System drivers Application/hardware interface Plug and play

441 Commercial Software Programs (Applications) Commercial off the shelf (COTS) Function first Unless the software is inherently a security-focused application (such as a firewall), attention will first be devoted to functionality. Security is usually an afterthought. Evaluation Make sure to consider the information security aspects of the application such as authentication methods, audit capabilities, edit checks and error reporting, etc.

442 Software: Custom Business application No two businesses do business the same way. Custom software is the solution used as a natural progression from manual processes to automation of tasks System development life cycle

443 Software: Convergent Technologies Customer relationship management (CRM) Workflow management systems SharePoint, Lotus Notes Unified messaging Allows different technologies to work together: fax to a PDA, access the internet from a TV

444 CPU and OS Support for Applications Applications were originally self-contained OS capable of accommodating more than one application at a time Security Reinforced by the OS since the OS has the ability to control the activity of the applications and ensure that one or more application threads do not affect another

445 Applications - Today Today’s applications are modular Execute multiple process threads Security Problems lie in the fact that independent sections are frequently written by someone else and may be malicious. Module may also be used in a way not intended by the author. Modules and threads will often communicate directly and not involve the OS. This prevents the OS from being able to manage the activity of the process threads. Programs spawn processes. Processes spawn threads. Memory is allocated to processes. So, threads share memory.

446 Systems Architecture Approaches Open – standards-based interfaces. Considered more vulnerable but often result in a more robust set of security features Closed – proprietary interfaces. Illusion that security through obscurity works Dedicated – single level of processing permitted Single level – permit users to execute any instruction available Multilevel – processing at two or more levels is permitted through some form of user authentication and authorization. Most common today; allows the system to be accessed by users holding different levels of privilege Embedded – single purpose computer

447 Architectural Structures Client server Centralized architecture Distributed architectures Thin client architecture Diskless computing Clusters

448 Cloud Computing Provisioning of services Cost models Supplement/consumption/delivery model Involves provisioning of dynamically scalable and often virtualized resources Characteristics Layers

449 Cloud Computing Deployment models Public cloud Community cloud Private cloud Hybrid cloud Architecture Intercloud Cloud Engineering Issues Privacy Compliance Open source Open standards Security Issues surrounding cloud computing are due in large part to the private and public sectors' unease about the external management of security-based services

450 Service-Oriented Architecture Technology benefits More flexible architecture, integration of existing applications, improved data integration, supports business process management, facilitates enterprise portal initiatives, speeds custom application development Security issues A system that relies on distributed processing must have adequate bandwidth and high availability. Business benefits More effective integration with business partners, supports customer-service initiatives, enables employee self-service, streamlines the supply chain, more effective use of external service providers, facilitates global sourcing

451 Virtualization Virtual copy of physical system System virtual machine – complete operating environment that can support user needs and multiple environment Hypervisor – interface between the physical and virtual environments Process virtual machine – systems that are dedicated to supporting one process or program

452 Types of Memory Addressing Logical Refers to a memory location that is independent of the current assignment of data to memory. Requires a translation to the physical address. Relative Address expressed as a location relative to a known point Physical Absolute address or actual location

453 Memory Management Requirements Relocation Programmer does not know where the program will be placed in memory when it is executed. It may be swapped to disk and returned to main memory at a different location. Protection Processes should not be able to reference memory locations in another process without permission. Sharing Allows several processes to access the same portion of memory. OS allows each process access to the same copy of the program rather than having its own separate copy.

454 Memory Protection Benefits Memory reference Different data classes Users can share access Users cannot generate addresses

455 Primary Storage Registers Very high-speed storage built into the CPU itself, often used to hold timing and state information the CPU needs to maintain control over processes Cache Very fast memory directly on the CPU chip body. Not upgradeable. Three levels (L1 – L3) Random access memory (RAM) Main memory of the system

456 Secondary Storage Internal External Virtual memory SANs Clusters

457 Virtual Memory = primary + secondary, or RAM + disk Extends apparent memory to accommodate a larger program execution space than physical memory alone allows; involves paging and swapping operations. Pages are generally 4 KB (8 KB on some architectures) in length
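Added example, not from the original slides: a minimal paged-memory model that ties together slides 452 – 457. It shows logical-to-physical translation, relocation (the same logical address lands in different frames for different processes, and a swapped-out page may return to a new frame), protection (a process cannot reference pages outside its own page table or write to a read/execute page) and sharing (two page tables mapping the same frame). The 4 KB page size is the slide's; the process layouts, frame numbers and free-frame list are constructed for illustration.

```python
"""Added example, not from the original slides: a minimal paged-memory model
showing logical-to-physical translation, relocation, per-process protection,
sharing and paging-in of a swapped-out page. Page size is 4 KiB; the process
layouts, frame numbers and free-frame list are constructed for illustration."""

PAGE_SIZE = 4096  # 4 KiB pages: the low 12 bits of a logical address are the offset


class ProtectionFault(Exception):
    """Raised when a process references a page it has not been granted."""


class Process:
    def __init__(self, pid, page_table):
        # page_table: logical page number -> (physical frame, or None if swapped out, perms)
        # perms is a string drawn from "r", "w", "x".
        self.pid = pid
        self.page_table = dict(page_table)


class MMU:
    def __init__(self, free_frames):
        self.free_frames = list(free_frames)  # frames the OS may hand out on page-in
        self.current = None

    def context_switch(self, proc):
        """Execution-domain switch: the active page table changes with the process."""
        self.current = proc

    def translate(self, logical, access):
        """Logical -> physical address, enforcing the page table's permissions."""
        vpn, offset = divmod(logical, PAGE_SIZE)
        entry = self.current.page_table.get(vpn)
        if entry is None:
            raise ProtectionFault(f"pid {self.current.pid}: page {vpn} not mapped")
        frame, perms = entry
        if access not in perms:
            raise ProtectionFault(f"pid {self.current.pid}: {access!r} denied on page {vpn}")
        if frame is None:
            frame = self._page_in(vpn, perms)  # relocation: the page may land in a new frame
        return frame * PAGE_SIZE + offset

    def _page_in(self, vpn, perms):
        """Stand-in for the OS page-fault handler: bring a swapped-out page into a free frame."""
        frame = self.free_frames.pop(0)
        self.current.page_table[vpn] = (frame, perms)
        return frame


def faults(mmu, logical, access):
    """True if the reference is refused by the MMU (demonstrates protection)."""
    try:
        mmu.translate(logical, access)
        return False
    except ProtectionFault:
        return True


def build_demo():
    """Two constructed processes: both map logical page 4 to shared frame 5 (a shared
    library, read/execute only); process B's page 1 starts swapped out."""
    a = Process(1, {0: (2, "rx"), 1: (3, "rw"), 4: (5, "rx")})
    b = Process(2, {0: (4, "rx"), 1: (None, "rw"), 4: (5, "rx")})
    mmu = MMU(free_frames=[7, 8])
    return mmu, a, b


if __name__ == "__main__":
    mmu, a, b = build_demo()
    mmu.context_switch(a)
    print(hex(mmu.translate(0x10, "r")))       # frame 2 -> 0x2010
    mmu.context_switch(b)
    print(hex(mmu.translate(0x10, "r")))       # same logical address, frame 4 -> 0x4010
    print(faults(mmu, 0x10, "w"))              # True: the code page is not writable
    print(hex(mmu.translate(0x1000, "w")))     # swapped-out page comes back in frame 7 -> 0x7000
```

The point of the model is that a process can only ever generate addresses that its own page table resolves; the physical frame numbers are invisible to it, which is what makes the OS the sole arbiter of which memory each process can touch.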

458 Storage Systems Network Attached Storage (NAS) Simple, cost-effective solution. A box on the network that extends the storage area Storage Area Network (SAN) Complex, expensive solution. Offers large-capacity storage to servers over high-speed (usually Fibre Channel) links

459 Blade Systems Server chassis Processing power Management simplification Is simply a series of motherboards housed in a box with a high speed backbone

460 Domain Objectives System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

461 Separation Temporal isolation Accomplished through time limits. Person cannot access an area of the building or an area of the network, or an application outside of certain authorized hours. Physical isolation Refers to separating out sensitive areas from common access, such as setting up compartmentalized areas or secure rooms. Virtual isolation Protects against malicious activity by not permitting a process to execute outside of a strict set of boundaries.

462 Ring Protection Based on the Honeywell Multics operating system architecture. Set of segments in concentric numbered rings; the lower the ring number, the higher the privilege. Ring number determines the access level. A procedure assumes its appropriate ring number when executing, which prohibits a process from unregulated execution of commands at a more privileged level. A program may call services residing on the same or a more privileged (lower-numbered) ring, but only through controlled entry points (gates). A program may access data that resides on the same ring or a less privileged (higher-numbered) ring, never data in a more privileged ring.

463 Privilege Levels Identifying, authenticating, and authorizing subjects Subjects of higher trust can access more system instructions and operate in privileged mode Subjects with lower trust can access a smaller portion of system instructions and operate only in user mode

464 Process Isolation Preserves objects' integrity and subjects' adherence to access controls Prevents interaction – prevents objects from interacting with each other and their resources Independent states – actions of one object should not affect the state of other objects Process isolation methods Encapsulation – objects, data, and functions are packaged together Time multiplexing – assignment of specific time slots for processing information Naming distinctions – to distinguish between processes Virtual mapping/domains – mapping information objects to virtual locations to ensure applications can find their data

465 Trusted Computing Base (TCB) Trusted computer base – includes all the components and their operating processes and procedures that ensure that the security policy of the organization is enforced. Hardware Firmware Software Processes Inter-process communications Simple and testable

466 Trusted Computing Base (TCB) Enforces security policy – must be able to enforce security policy regardless of user input and be protected from interference or tampering Monitors four basic functions Process activation Execution domain switching Memory protection Input/output operations

467 Reference Monitor Concept Abstract machine concept – an abstract machine that mediates all access on the system and enforces security controls Must be tamperproof Always invoked (cannot be bypassed) Verifiable (small enough to be analyzed and tested) Security kernel The hardware, firmware and software components of an OS that implement the reference monitor concept: they perform the protection tasks designed to control and monitor system events and prevent things from occurring that might disrupt normal execution or threaten the stability of the system or any of its resources Subject Active entity Object Passive entity

468 Attested Boot/TPM/Processing Ensures secure configuration and integrity of software/hardware Uses cryptographic hash functions to ensure integrity: each boot stage is hashed before control passes to it and the hash is extended into a Trusted Platform Module (TPM) platform configuration register (PCR), which can only be extended, never set Can also be used remotely: the TPM signs the PCR values together with a verifier-supplied nonce (a quote), and the verifier compares them against known-good values
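Added example, not from the original slides: a Python model of the measured-boot and remote-attestation flow described above. Each boot stage is hashed and extended into a PCR, the boot side keeps an event log, and the verifier replays the log and checks it against the quoted PCR and a golden value. The boot stages, nonce and attestation key are constructed, and an HMAC stands in for the TPM's asymmetric attestation-key signature; everything else (the extend operation, the order sensitivity, the nonce for freshness) mirrors how a real TPM behaves.

```python
"""Added example, not from the original slides: a model of TPM-style measured boot
and remote attestation. Boot stages, nonce and attestation key are constructed;
an HMAC stands in for the TPM's asymmetric attestation-key signature."""
import hashlib
import hmac

PCR_BYTES = 32  # one SHA-256 PCR, all zeros at reset


def extend(pcr, measurement_digest):
    """PCR extend is one-way and order-sensitive: PCR' = H(PCR || digest).
    A PCR cannot be set to a chosen value, only extended."""
    return hashlib.sha256(pcr + measurement_digest).digest()


def measure_boot(stages):
    """Firmware/bootloader side: hash each stage before handing control to it,
    extend the PCR, and append (name, digest) to the event log."""
    pcr = bytes(PCR_BYTES)
    log = []
    for name, blob in stages:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log):
    """Verifier side: recompute the PCR value the event log claims to describe."""
    pcr = bytes(PCR_BYTES)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def quote(pcr, nonce, attestation_key):
    """Stand-in for a TPM quote: authenticates the PCR value plus the verifier's
    nonce, so an old quote cannot be replayed for a fresh challenge."""
    return hmac.new(attestation_key, pcr + nonce, hashlib.sha256).digest()


def attest(pcr, signature, nonce, log, golden_pcr, attestation_key):
    """Remote attestation: the quote is genuine and fresh, the event log replays
    to the quoted PCR, and the PCR equals the known-good value."""
    if not hmac.compare_digest(quote(pcr, nonce, attestation_key), signature):
        return False
    if replay_log(log) != pcr:
        return False  # log does not explain the PCR: forged or truncated log
    return pcr == golden_pcr


# Constructed boot chains: the second has a modified bootloader.
GOOD_STAGES = [("firmware", b"fw-1.2"), ("bootloader", b"bootloader-ok"), ("kernel", b"kernel-ok")]
EVIL_STAGES = [("firmware", b"fw-1.2"), ("bootloader", b"bootloader-backdoored"), ("kernel", b"kernel-ok")]


if __name__ == "__main__":
    key = b"constructed-attestation-key"
    nonce = b"\x01" * 16
    golden, good_log = measure_boot(GOOD_STAGES)       # golden value recorded from a known-good boot
    evil_pcr, evil_log = measure_boot(EVIL_STAGES)
    print(attest(golden, quote(golden, nonce, key), nonce, good_log, golden, key))      # True
    print(attest(evil_pcr, quote(evil_pcr, nonce, key), nonce, evil_log, golden, key))  # False
    print(attest(evil_pcr, quote(evil_pcr, nonce, key), nonce, good_log, golden, key))  # False: log forged
```

Note what the verifier never does: trust the log on its own. The log is only evidence once it replays to a PCR value that the TPM itself signed, which is why a compromised bootloader cannot simply present the good log.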

469 Secure System Design Availability – must be designed to meet needs Criticality – design of system must ensure that the critical processes run effectively Redundancy Single points of failure – must be designed to avoid Defense in depth – ensures the security of the system cannot be circumvented through one vulnerability

470 Domain Objectives System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

471 Security Models Introduction Information-flow model – tracks the movement of information from one object to another Non-interference model – based upon rules to prevent processes that are operating in different domains from affecting each other in violation of security policy State-machine model – abstract mathematical model where state variables represent the system state Lattice-based model – hierarchical model defining access control privilege levels

472 Bell-LaPadula Confidentiality Model Lattice-based model Described using rows and columns State-machine model Hierarchical model with dominance relationships between higher and lower security levels Three fundamental modes Read only, write only, read and write Simple security property: no read up *-property (star property): no write down Secure state Defines access rules ***** very important to know *****

473 Biba Integrity Model Lattice-based model Addresses the first goal of integrity (preventing unauthorized modification) Subject – object tuple State-machine model When you mix clean & dirty, dirty wins Read & write rules are the opposite of Bell-LaPadula: simple integrity axiom, no read down; *-integrity axiom, no write up ***** very important to know *****
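Added example, not from the original slides, covering the lattice model, Bell-LaPadula (slide 472) and Biba (slide 473) together: a label type with a rank and a set of categories, a dominance relation over it, and the two models' read/write rules written side by side so the "opposite of Bell-LaPadula" point is visible in code. The level names, categories, subject and objects are constructed for illustration.

```python
"""Added example, not from the original slides: lattice-based access checks
implementing the Bell-LaPadula confidentiality rules and the Biba integrity
rules over one label type. Level names, categories, subjects and objects are
constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed confidentiality hierarchy (higher rank = more sensitive)
CONF = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}
# Constructed integrity hierarchy (higher rank = more trustworthy, "cleaner")
INTEG = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


@dataclass(frozen=True)
class Label:
    rank: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other):
        """Lattice dominance: rank at least as high AND categories a superset.
        Labels with different categories can be incomparable: neither dominates."""
        return self.rank >= other.rank and self.categories >= other.categories


def label(scale, name, *categories):
    return Label(scale[name], frozenset(categories))


def blp_allows(subject, obj, mode):
    """Bell-LaPadula: simple security property (no read up) and *-property
    (no write down). Read-and-write therefore needs equal labels."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    if mode == "read_write":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown mode {mode!r}")


def biba_allows(subject, obj, mode):
    """Biba: simple integrity axiom (no read down) and *-integrity axiom
    (no write up). Exactly the BLP rules with read and write swapped."""
    if mode == "read":
        return obj.dominates(subject)
    if mode == "write":
        return subject.dominates(obj)
    if mode == "read_write":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown mode {mode!r}")


def decisions(policy, subject, objects, modes=("read", "write")):
    """Tabulate one subject's decisions over several objects: {(object name, mode): allowed}."""
    return {(name, m): policy(subject, lbl, m) for name, lbl in objects.items() for m in modes}


if __name__ == "__main__":
    analyst = label(CONF, "SECRET", "NUCLEAR")
    objects = {
        "weather": label(CONF, "UNCLASSIFIED"),
        "warhead-spec": label(CONF, "SECRET", "NUCLEAR"),
        "cipher-keys": label(CONF, "SECRET", "CRYPTO"),      # incomparable: other category
        "war-plan": label(CONF, "TOP_SECRET", "NUCLEAR"),
    }
    for (name, mode), ok in sorted(decisions(blp_allows, analyst, objects).items()):
        print(f"BLP {mode:5} {name:13} {'allow' if ok else 'deny'}")
```

The categories are what make this a lattice rather than a simple ladder: a SECRET/NUCLEAR subject cannot read a SECRET/CRYPTO object even though the levels are equal, because neither label dominates the other.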

474 Clark-Wilson Integrity Model Addresses all three integrity goals Defines well-formed transactions: constrained data items (CDIs) may be modified only through transformation procedures (TPs), and integrity verification procedures (IVPs) confirm the data is in a valid state Separation of duties 1. Authorized users limited to authorized transactions 2. Unauthorized users do no tasks 3. Maintain internal & external consistency ***** very important to know *****

475 Brewer and Nash Model Chinese Wall security policy Designed to prevent conflicts of interest: access rights change dynamically based on what a subject has already accessed ***** very important to know *****
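Added example, not from the original slides: the Brewer-Nash policy in code. Because the wall is built from a subject's access history, the check is stateful, which is what separates it from the static lattice models. The company datasets, conflict-of-interest classes and analyst names are constructed; the two rules (the simple security rule on reads and the *-property on writes) follow the published model.

```python
"""Added example, not from the original slides: the Brewer-Nash (Chinese Wall)
policy. A subject may read a company's dataset unless it has already read a
competitor's in the same conflict-of-interest (COI) class; writes are limited so
a subject cannot carry one company's data into another's. Datasets, classes and
analysts are constructed."""
from collections import defaultdict


class ChineseWall:
    def __init__(self, coi_class, sanitized=()):
        # coi_class: dataset name -> conflict-of-interest class
        # sanitized: datasets carrying no company-identifiable information
        self.coi = dict(coi_class)
        self.sanitized = set(sanitized)
        self.history = defaultdict(set)  # subject -> datasets it has read

    def can_read(self, subject, dataset):
        """Simple security rule: allowed if every dataset the subject has already
        read is the same dataset, sanitized, or in a different COI class."""
        if dataset in self.sanitized:
            return True
        cls = self.coi[dataset]
        return all(prior == dataset or prior in self.sanitized or self.coi[prior] != cls
                   for prior in self.history[subject])

    def read(self, subject, dataset):
        """Perform a read. The wall is built by recording the access."""
        if not self.can_read(subject, dataset):
            return False
        self.history[subject].add(dataset)
        return True

    def can_write(self, subject, dataset):
        """*-property: write allowed only if a read would be, and the subject has
        read no unsanitized dataset other than the one being written. Otherwise
        the subject could act as a channel between two companies."""
        if not self.can_read(subject, dataset):
            return False
        return all(prior == dataset or prior in self.sanitized
                   for prior in self.history[subject])


# Constructed datasets: two banks compete, two oil companies compete, and a
# sanitized market report belongs to no company.
COI = {"BankA": "banking", "BankB": "banking",
       "OilX": "oil", "OilY": "oil",
       "MarketReport": "public"}


def walkthrough():
    """Drive one analyst through the policy and return the decisions in order."""
    wall = ChineseWall(COI, sanitized=["MarketReport"])
    return [
        wall.read("alice", "MarketReport"),    # True: sanitized data never builds a wall
        wall.read("alice", "BankA"),           # True: first banking dataset
        wall.can_write("alice", "BankA"),      # True: nothing else unsanitized read yet
        wall.read("alice", "BankB"),           # False: competitor of BankA
        wall.read("alice", "OilX"),            # True: different COI class
        wall.can_write("alice", "BankA"),      # False: alice now carries OilX knowledge
    ]


if __name__ == "__main__":
    print(walkthrough())
```

The last decision is the one people miss: reading OilX did not conflict with BankA, yet it still revokes alice's ability to write to BankA, because any write could move oil-company information into the bank's files.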

476 Other Models Graham-Denning Harrison-Ruzzo-Ullman (HRU) result Variations of Biba

477 Security Models Integrity: Clark-Wilson, Biba, G&M (Goguen-Meseguer), Sutherland, Graham-Denning, HRU, Need to know Confidentiality: Brewer-Nash, BLP Implementations: Gong, Lipner, Karger, Jueneman, Lee & Shockley

478 Domain Objectives System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

479 Evaluation Standards TCSEC (U.S. DoD) ITSEC (European Union) Common Criteria (ISO Standard 15408)

480 TCSEC or Orange Book DoD-centric Evaluates security functionality and assurance together Product evaluation Part of the Rainbow Series of books dealing with security topics TNI – Trusted Network Interpretation (another book in the series, applying TCSEC to networks)

481 ITSEC European origin ITSEM (the ITSEC evaluation manual) Rates assurance and functionality separately

482 Common Criteria (ISO 15408) Origins Documents EAL 1-7 (evaluation assurance level) Protection profile (PP) – implementation-independent security requirements for a class of product Target of evaluation (TOE) – the product being evaluated Software, firmware, and/or hardware Security target (ST) – the vendor's statement of how the TOE meets the requirements, including the EAL being sought

483 Domain Objectives System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

484 ISO Defined secure communications NOT an implementation Takes 7-layer OSI model and maps it to a 2-layer functional model

485 Zachman Framework Complete overview of IT business alignment Intent Scope Two-dimensional Principles

486 SABSA What are the business requirements? Follow-on to Zachman Operational security focus

487 The Open Group Architecture Framework Governance Business Application Data Technology

488 DoD Architecture Framework OMB A-130 requirement View sets: All view Operational view Systems view Technical standards view

489 ISO/IEC International standard for information security management systems (ISMS) Practice for architectural description of software- intensive systems

490 ISO ISMS Information security management system Ensures best practices are met Sets standards for security areas Based on BS Measurable and certifiable standard

491 IT Infrastructure library (ITIL) Focuses on IT services Supporting products

492 COSO Enterprise Risk Management Framework Emphasizes the importance of identifying and managing risks Process People Reasonable assurance Objectives If moving money, probably want to use this

493 Capability Maturity Model Developed by SEI (Software Engineering Institute) Based on TQM concepts (Total Quality Management) Framework for improving process Benefits Top 3 are proactive, bottom 2 reactive

494 PCI-DSS Payment card industry – data security standard Standards for the protection of payment card data (e.g. credit cards, debit cards, etc.) Covered more in Domain 5 (Legal, Regulations, Investigations, and Compliance)

495 Security Architecture and Design Domain Summary System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

496 Software Development Security

497 Domain Objectives Overview of Applications Security System Life Cycle Security Applications Security Issues Malware and Other Attacks Database Security

498 Need for Applications Security While the AIC triad (availability, integrity, confidentiality) matters in all domains, it is probably most important to this one Applications are the interface to critical and sensitive data Thousands of exploits target them

499 Secure Systems Development Policies Organizations require security development methodology Many corporations are beginning to require and provide guidelines for developing secure applications Security climate has changed Vendors are focused on functionality of their products and on increasing their return on investment instead of security Security as built-in instead of add-on Compliance – many regulations and compliance requirements now demand that systems track and control access permissions of users and other entities

500 Organizational Standards Web Application Security Consortium (WASC) Build Security In (BSI) International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) These organizations provide information for software vendors and the public that is intended to create secure environments for software development, to aid in developing internal coding standards, to incorporate security features in software products, and to deploy into secure environments.
