How I Passed the CISSP Test: Lessons Learned in Certification

1 How I Passed the CISSP Test: Lessons Learned in Certification
Presented by Kirk A. Burns, CISSP

2 Admin Data Emergency Exits Breaks Phones Other Admin Data

3 Introduction Instructor What is this class going to provide me?
What should I expect to get out of this class?

4 Class Structure Broken up into 12 parts Part 1: introduction
Parts 2 – 11: will be the domains Part 12: will be examples of types of questions you might see. THESE ARE NOT copies of the questions from the exam

5 What is (ISC)²? (ISC)² International Information Systems Security Certification Consortium Non-profit organization which specializes in information security education and certifications Often described as the “world’s largest IT security organization” Based in Palm Harbor, Florida, USA Offices in London, Tokyo, Hong Kong, Vienna, Virginia Over 85,000 certified professionals in 135 countries

6 (ISC)² Code of Ethics Preamble:
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Code of Ethics Canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure Act honorably, honestly, justly, responsibly, and legally Provide diligent and competent service to principals Advance and protect the profession

Member Benefits Continuing Education Security Leadership Series events Discounts Worldwide receptions, conferences, RSA, InfoSec, SecureAmerica Face-to-Face Networking Virtual Networking Career Tools, InterSeC

Industry Awards Resources InfoSecurity Professional Magazine Information Security Perspective journal Member submitted security awareness materials Volunteer Opportunities

9 What is CISSP? Certified Information Systems Security Professional
Governed by (ISC)² Worldwide recognition of competence Practical understanding of information security issues and solutions ANSI accreditation based on the ISO/IEC 17024:2003 standard (obtained in June 2004) Awareness of security challenges As of November 2013, reported to have 90,198 members worldwide in 149 countries

10 ROLE OF THE CISSP CISSPs often hold job functions such as:
Security Consultant Security Manager IT Director/Manager Security Auditor Security Architect Security Analyst Security Systems Engineer Chief Information Security Officer Director of Security Network Architect

11 ROLE OF THE CISSP Develops and oversees the implementation of the organization’s information security policies and procedures Provides advice on the implementation of information security solutions and technologies Monitors compliance with regulatory bodies and by employees, contractors, alliances and other 3rd parties

CBK The (ISC)² CBK is a compendium of topics relevant to information security professionals around the world. The (ISC)² CBK is the accepted standard in the industry, the subject of many books written on information security, and the core of university information assurance programs around the globe. The CBK continues to be updated annually by (ISC)² CBK Committees composed of members from many industries and regions around the world, to reflect the most current and relevant topics required to practice in the field. (ISC)² uses the CBK domains to assess a candidate’s level of mastery of information security.

13 How to Get Your CISSP Certification
Obtain the Required Experience: must have a minimum of five (5) years cumulative paid full-time work experience in two (2) or more of the ten (10) domains. May receive a one-year experience waiver with a four-year college degree, or regional equivalent, OR an additional credential from the (ISC)² approved list (requiring four (4) years of direct full-time professional security work experience in two or more of the ten domains)
Study for the Exam
Schedule the Exam
Pass the Exam
Complete the Endorsement Process
Maintain the CISSP Certification

14 CISSP EXAM The CISSP exam 250 questions 6 hours
To pass must get 700 points out of 1000 BE ON TIME!!!!!! Bring admission letter Must have government issued Photo ID Bring pencil and eraser ~$500

15 ENDORSEMENT PROCESS What is needed for the Endorsement Process
Provide a recent resume Complete the Examination Registration Form Submit a completed and executed Endorsement Form

To maintain the CISSP certification and remain in “good standing” with (ISC)², you are required to: Pay the Annual Maintenance Fee (AMF) of $85 USD at the end of each certification year Earn and submit 120 credits over three years. A minimum of 20 CPEs must be posted during each year of the three year certification cycle

17 THE DOMAINS Access Control
Business Continuity and Disaster Recovery Planning Cryptography Information Security Governance and Risk Management Legal, Regulations, Investigations, and Compliance Operations Security Physical (Environmental) Security Security Architecture and Design Software Development Security Telecommunications and Network Security

18 Golden Rule People Safety First Management buy-in is Critical
Everyone is responsible for Security Training is Essential Policy is the Key to (nearly) everything

19 What If I Don’t Have The Experience?
For those who don’t have the experience, there is the Systems Security Certified Practitioner (SSCP) Only need 1 year of experience Domains covered: Access Controls Cryptography Malicious Code and Activity Monitoring and Analysis Networks and Communications Risk, Response and Recovery Security Operations and Administration

20 Access Control

21 Domain Objectives Provide definitions and key concepts
Identify access control categories and types Discuss access control threats Review system access control measures Understand Intrusion Detection and Intrusion Prevention systems Understand Access Control assurance methods

22 Access Control Is the basic foundation of information security
Implemented differently depending on whether the area of implementation is physical, technical or administrative. Categories include: Preventive Detective Corrective Deterrent Recovery Directive Compensating Often used in combination

23 Access Control A comprehensive threat analysis will identify the areas that will provide the greatest cost-benefit impact. The field of access control is constantly evolving. Organizations need to know what is available and what methods will best address their issues. Data and system access control are NOT the same. User might have access to a system but not to the data. Think “need-to-know” Access control assurance addresses the due diligence aspect of security. Implementing a control is part of due care, but due diligence involves regularly checking to ensure that the control is working as expected.

24 Information Security TRIAD
Access control has an impact on all of the legs with primary focus on confidentiality and integrity and a lesser impact on availability Availability – must not prevent access to authorized users. Access control methods should be used to prevent unauthorized users from accessing systems and purposefully or inadvertently causing it to be unavailable to authorized users. Integrity – 2 parts: data integrity and system integrity. Data means that the data in the system accurately and completely represents the information intended and reflects the similar data in external systems. System means that the system performs as intended without exception. Access control involves preventing both users and intruders from obtaining the kind of access that would enable them to make improper changes. Confidentiality – focus primarily on preventing unauthorized access to sensitive or critical data and systems in order to prevent improper disclosure.

25 Domain Objectives Definitions of Key Concepts
Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

26 Basic Requirements Security – ensure only authorized users and processes are able to access or modify Reliability – ensure control mechanisms work as expected, every time Transparency – have minimal impact on the ability of authorized users to interface with the system and do their job Scalability – should be able to handle a wide range of changing systems and user load without compromising system performance Maintainability – if too time-consuming or complicated, admins may not keep them up to date Auditability – should provide audit trails Integrity – must be designed to protect from unauthorized changes Authentic – help ensure that data input is authentic

27 Key Concepts Separation of duties
No one person should have control over the process. Allowing this could allow a person to manipulate the system for personal gain. Process should be broken down into individual steps executed by different people. Rotation of duties prevents collusion between two or more people. This minimizes the chance of or exposes fraud. Forced vacation can provide the same effect. Core element of the Clark-Wilson Integrity model Least privilege – only allow access to resources that are absolutely needed for work Need-to-know – just because you have the clearance doesn’t mean you really need to know the data or process

28 Information Classification
Is the PROPER assessment of the sensitivity and criticality of information Ensures that info is neither improperly disclosed nor overprotected Objectives: Identify info that needs to be protected Standardize labeling Alert authorized holders of protection requirements Comply with laws, regulation, etc. Benefits – keeps cost down Example of classification: Public, internal use only and company confidential Compartmentalized information – information that requires special privilege to access

29 Information Classification Procedures
Scope – risk analysis will evaluate data for classification. Things to consider: Exclusive possession (trade secrets, etc.) Usefulness Cost to recreate Legal or regulatory liability Operational impact Etc. Process – goal is to achieve a consistent approach to handling classified information Marking and labeling – for all types of media to include video Human readable Machine readable Assurance – regular internal and possibly external audits should be done

30 Domain Objectives Access Control Categories and Types
Definitions of Key Concepts Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

31 Access Control Types Administrative – policies and procedures.
Technical/logical – use of hardware and software controls Physical – manual, structural or environmental controls to protect facilities and resources Examples: Admin – training and education, separation of duties, contingency and recovery plans, etc Technical/logical – access control software, anti-virus/spam/malware software, encryption, audit trails, logs, IDS/IPS systems, etc Physical – locks, doors, fences, guards, alarms, mantraps, turnstiles, CCTV, motion detectors, sensors, etc

32 Access Control Categories
Preventive – block unwanted actions. However, only effective if employees see these as necessary Detective – identify, log and alert management of unwanted actions (during or after event) Corrective – remedy the circumstances that enabled event Directive – controls dictated by organizational and legal authorities Deterrent – Prescribe some sort of punishment Recovery – restore lost resources or capabilities Compensating – backup controls that come into effect when normal controls are unavailable

33 Domain Objectives Access Control Threats Definitions of Key Concepts
Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

34 Access Control Threats
Denial of service Password crackers Dictionary Brute force Rainbow tables Keystroke loggers Spoofing/masquerading Machine Impersonation Sniffers Shoulder surfing/swiping Dumpster diving Emanations Time of Check (TOC)/Time of Use (TOU) TOC/TOU – the system often only checks a user's access rights at login. If a change is made to access rights, even if the change itself is immediate, its effect might not be felt until the next time the user logs in. This is an asynchronous attack based on the difference between when the access control system was checked and when the user used the system.
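The TOC/TOU gap above, shown as an added example (not from the slides): a session that copies its rights at login keeps honouring a right that an administrator has since revoked, whereas a session that consults the policy at time of use does not. The user names, rights and policy store are constructed for the illustration.

```python
"""Time-of-check / time-of-use gap in session-cached access rights.

Added illustration (not from the slides).  A CachedSession snapshots the
user's rights at login; a LiveSession re-reads the policy on every decision.
All users, rights and the policy store are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, Set

Policy = Dict[str, Set[str]]   # user -> rights granted


@dataclass
class CachedSession:
    """Rights are copied into the session once, at login (time of check)."""
    user: str
    rights: Set[str] = field(default_factory=set)

    @classmethod
    def login(cls, policy: Policy, user: str) -> "CachedSession":
        return cls(user, set(policy.get(user, set())))

    def allowed(self, right: str) -> bool:
        # Uses the snapshot; policy changes are invisible until re-login.
        return right in self.rights


@dataclass
class LiveSession:
    """Only the identity is kept; rights are looked up at time of use."""
    user: str
    policy: Policy

    @classmethod
    def login(cls, policy: Policy, user: str) -> "LiveSession":
        return cls(user, policy)

    def allowed(self, right: str) -> bool:
        # Consults the current policy on every decision.
        return right in self.policy.get(self.user, set())


def revoke(policy: Policy, user: str, right: str) -> None:
    """Administrative change to the policy store; effective immediately there."""
    policy.get(user, set()).discard(right)


def demonstrate_gap() -> tuple:
    """Return (cached_still_allows, live_allows) for 'delete' after revocation."""
    policy: Policy = {"alice": {"read", "write", "delete"}, "bob": {"read"}}
    cached = CachedSession.login(policy, "alice")
    live = LiveSession.login(policy, "alice")
    revoke(policy, "alice", "delete")       # admin removes the right mid-session
    return cached.allowed("delete"), live.allowed("delete")


if __name__ == "__main__":
    stale, current = demonstrate_gap()
    print(f"cached session still allows delete: {stale}")    # True
    print(f"check-at-use session allows delete: {current}")  # False
```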

35 Domain Agenda Access to System Definitions of Key Concepts
Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

36 System Access Control Identification – process of recognizing users or resources as valid accounts Authentication – verification of the identity of the person or node Authorization – determines what a user or node is allowed to do once identified and authenticated Accountability – ability to track user activity

37 Identification Methods
Most common is UserID, account number, or PIN Biometrics can also be used Guidelines – unique UserID unless anonymity is required RFID – can be used in place of above methods to identify user MAC and IP address – used primarily to identify a node on the network Security user registration – user interacts with a registration authority to become an authorized member of the domain UserID, encryption keys, job title, etc. User validation

38 Authentication Methods
Knowledge (something you know) Ownership (something you have) Characteristics (something you are)

39 Identity and Access Management
Need for identity management – needed to manage, authenticate, authorize, provision, de-provision and protect identities Challenges – the more complex a network and data protection system, the more challenging to manage Identity management technologies – designed to centralize and streamline the management of user ids, authentication and authorization

40 Identity Management Challenges
Consistency – user data entered across different systems MUST be consistent Reliability – user profile data should be reliable, especially if used to control access to data or resources Usability – multiple logins over multiple systems might not be the best idea Efficiency – using an identity management system can decrease costs and improve productivity for both users and administrators Scalability – the management system used must be able to scale to support the data, systems and peak transaction rates

41 Identity Management Challenges
Principals Insiders – employees and contractors Outsiders – customers, partners, vendors, etc. Data – different types of data about principals must be managed Personal, legal and access control Some of this data might have regulatory requirements Life Cycle Initial setup – when user joins Change and maintenance – routine pw change, name changes, etc. Tear-down – when user leaves

42 Identity Management Technologies
Web Access Management (WAM) Password management Account management Profile update

43 Access Control Technologies
Single sign-on Kerberos SESAME - protocol developed by the European Union. Also known as SSO Web Portal Access Directory services Security domains

44 Domain Objectives Access to Data Definitions of Key Concepts
Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

45 Access to Data Implementations Descriptions Mandatory Temporal
Discretionary Role Rule Content Privacy List Matrix Capabilities Non-discretionary Constraints Centralized Decentralized

46 Access Control Lists (ACL)
Most common implementation of Discretionary Access Control (DAC) Provide easy method to specify which users are allowed access to which objects Objects/subjects Files/users O.S. dependent Each OS has its own way of representing ACLs. UNIX – 3 subjects: owner, group and world w/ 3 permissions: Read, Write, Execute ACL support in Linux is available for Ext2, Ext3, IBM JFS, ReiserFS and SGI XFS Microsoft has unlimited # of subjects and 26 permissions
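An added example (not from the slides) of the UNIX DAC model just described: the owner/group/world mode bits evaluated for a subject, and, going beyond the slide, the POSIX.1e extended ACL decision order (named users and groups capped by a mask) that the Linux filesystems listed support. File, user and group names are constructed.

```python
"""UNIX discretionary access control: owner/group/world with r/w/x.

Added example (not from the slides).  allowed() implements the classic
mode-bit check and the POSIX.1e extended-ACL order: owner, named user,
owning/named groups (masked), other.  All names are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_mode(symbolic: str) -> Tuple[int, int, int]:
    """'rwxr-x---' -> (owner, group, other) as 0..7 permission bits."""
    if len(symbolic) != 9:
        raise ValueError("expected a 9-character symbolic mode")
    result = []
    for triple in (symbolic[0:3], symbolic[3:6], symbolic[6:9]):
        bits = 0
        for ch, expected in zip(triple, "rwx"):
            if ch == expected:
                bits |= PERM_BITS[ch]
            elif ch != "-":
                raise ValueError(f"bad permission character {ch!r}")
        result.append(bits)
    return result[0], result[1], result[2]


@dataclass
class Subject:
    user: str
    groups: Set[str] = field(default_factory=set)


@dataclass
class FileObject:
    owner: str
    group: str
    mode: str                                        # e.g. 'rw-r-----'
    # Extended entries: ('user'|'group', name) -> permission bits.
    acl: Dict[Tuple[str, str], int] = field(default_factory=dict)
    mask: Optional[int] = None                       # caps group-class entries


def allowed(subj: Subject, obj: FileObject, perm: str) -> bool:
    """True if subj may perform perm ('r', 'w' or 'x') on obj."""
    want = PERM_BITS[perm]
    owner_bits, group_bits, other_bits = parse_mode(obj.mode)

    # 1. Owner: decided by the owner bits alone (the mask does not apply).
    if subj.user == obj.owner:
        return bool(owner_bits & want)

    mask = 7 if obj.mask is None else obj.mask

    # 2. A named-user entry takes precedence over any group match.
    named = obj.acl.get(("user", subj.user))
    if named is not None:
        return bool(named & mask & want)

    # 3. Owning group and named groups: granted if ANY matching entry
    #    (after the mask) carries the permission; a match ends the search.
    group_entries = []
    if obj.group in subj.groups:
        group_entries.append(group_bits)
    for (kind, name), bits in obj.acl.items():
        if kind == "group" and name in subj.groups:
            group_entries.append(bits)
    if group_entries:
        return any(bits & mask & want for bits in group_entries)

    # 4. Everyone else ("world").
    return bool(other_bits & want)


def demo() -> Dict[str, bool]:
    """Constructed scenario: who may read or write payroll.csv."""
    payroll = FileObject(owner="root", group="finance", mode="rw-r-----",
                         acl={("user", "auditor"): 4,     # r--
                              ("group", "hr"): 6},        # rw-
                         mask=4)                          # mask limits to r--
    carol = Subject("carol", {"finance"})
    return {
        "owner_write": allowed(Subject("root"), payroll, "w"),         # True
        "finance_read": allowed(carol, payroll, "r"),                  # True
        "finance_write": allowed(carol, payroll, "w"),                 # False
        "auditor_read": allowed(Subject("auditor"), payroll, "r"),     # True
        "hr_write_masked": allowed(Subject("dave", {"hr"}), payroll, "w"),  # False
        "world_read": allowed(Subject("eve", {"staff"}), payroll, "r"),     # False
    }
```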

47 Centralized/Decentralized Access Control
Centralized access control – one entity makes network access decisions. Owners decide which users can access specific objects and the administration supports these directives. RADIUS TACACS+ Diameter (RADIUS-based but enhanced to overcome RADIUS's inherent limitations) Decentralized access control – decisions and administration are implemented locally, putting the security controls in the hands of people closer to the resource. Often causes confusion because it can lead to non-standardization, overlapping rights, etc. P2P

48 Domain Objectives Intrusion Prevention and Detection Systems
Definitions of Key Concepts Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

49 Intrusion Detection Systems
Network Based NIDS Host-Based HIDS Application-Based AIDS APIDS = Packet = Permission =Process

50 Intrusion Prevention Systems
Host-based Network-based Content-based Rate-based KPI (Key Performance Indicator) - measure effectiveness

51 Analysis Engine Methods
Pattern or signature-based Pattern matching Stateful matching Anomaly-based Statistical Traffic Protocol Heuristic scanning

52 IDS/IPS Examples Anomaly Response Alert Multiple failed logins
User logged in at unusual times Unexplained changes to system clocks Unusual number of error messages Unexplained system shutdowns/restarts Response Dropping suspicious packets Denying access to suspicious users Reporting suspicions to other system hosts/firewalls Changing IDS configurations Alert IM Pager Audible alarm
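Two of the anomaly examples on the slide (multiple failed logins, logins at unusual times), as an added example that is not from the slides: a small anomaly-based analysis engine run over constructed syslog-style authentication lines. The failure threshold, the one-minute window and the business hours are assumptions.

```python
"""Anomaly detection over authentication events (added example, not from
the slides).  Flags repeated failed logins per user inside a sliding window
and successful logins outside business hours.  The log lines are
constructed; threshold, window and hours are assumptions."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2024-03-04 09:12:01 auth sshd: Failed password for bob from 10.0.0.5
2024-03-04 09:12:04 auth sshd: Failed password for bob from 10.0.0.5
2024-03-04 09:12:07 auth sshd: Failed password for bob from 10.0.0.5
2024-03-04 09:12:09 auth sshd: Failed password for bob from 10.0.0.5
2024-03-04 09:12:12 auth sshd: Failed password for bob from 10.0.0.5
2024-03-04 09:30:00 auth sshd: Accepted password for alice from 10.0.0.7
2024-03-04 23:45:10 auth sshd: Accepted password for alice from 10.0.0.7
2024-03-04 03:02:33 auth sshd: Accepted password for carol from 10.0.0.9
2024-03-05 14:00:00 auth sshd: Failed password for dave from 10.0.0.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5                  # assumed: 5 failures ...
FAIL_WINDOW = timedelta(minutes=1)  # ... within one minute, per user
BUSINESS_HOURS = range(8, 19)       # assumed: 08:00-18:59 is "usual"

Alert = Tuple[str, str, str]        # (alert type, user, detail)


def parse(log: str) -> List[dict]:
    """Turn matching lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events


def repeated_failures(events: List[dict]) -> List[Alert]:
    """One alert per user whose failures reach the threshold inside the window."""
    alerts: List[Alert] = []
    recent: Dict[str, List[datetime]] = defaultdict(list)
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "Failed":
            continue
        window = recent[ev["user"]]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > FAIL_WINDOW:
            window.pop(0)                      # expire old failures
        if len(window) >= FAIL_THRESHOLD and ev["user"] not in alerted:
            alerts.append(("multiple_failed_logins", ev["user"], ev["src"]))
            alerted.add(ev["user"])
    return alerts


def unusual_time_logins(events: List[dict]) -> List[Alert]:
    """Successful logins whose hour falls outside the assumed business hours."""
    return [("login_unusual_time", ev["user"], ev["ts"].isoformat())
            for ev in events
            if ev["result"] == "Accepted" and ev["ts"].hour not in BUSINESS_HOURS]


def analyze(log: str) -> List[Alert]:
    events = parse(log)
    return repeated_failures(events) + unusual_time_logins(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```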

53 Domain Objectives Access Control Assurance Definitions of Key Concepts
Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

54 Access Control Assurance
Audit trail monitoring Vulnerability assessment tools

55 Penetration Testing Overview
Definition Areas to test Methods of testing Testing procedures Testing hazards

56 Areas to Test Application security Denial of Service (DoS) War dialing
Wireless penetration Social engineering PBX and IP telephony

57 Penetration Testing Methods
Attack perspectives External Internal Attack strategies Zero-knowledge Partial-knowledge Full-knowledge Targeted Double-blind

58 Testing Steps Discovery Enumeration Vulnerability mapping Exploitation

59 Testing Hazards and Reporting
Production interruption Application abort System crash Documentation Identified vulnerabilities Countermeasure effectiveness Recommendations KPI – Key Performance Indicators KPI – green, yellow, red

60 Access Control Domain Summary
Definitions of Key Concepts Access Control Categories and Types Access Control Threats Access to System Access to Data Intrusion Prevention and Detection Systems Access Control Assurance

61 Business Continuity and Disaster Recovery Planning

62 Domain Objectives Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

63 Planning Should Occur BEFORE You Need It

64 BS 25999: Business Continuity Management
Risk Management Disaster Recovery Facilities Management Supply Chain Management Quality Management Health & Safety Knowledge Management Emergency Management Security Crisis Communications and PR

65 Information Security Priorities
Keeping CRITICAL products and services going Availability Integrity Out of Business!!! Confidentiality What should be done in a crisis when most controls are missing?

66 The Business Continuity Life Cycle Overview
Analyze the business Assess the risks Develop the BC strategy Develop the BC plan Rehearse the plan

67 BCM Project Management
Senior management support Policy Access to key personnel Budget Immediate and ongoing budget

68 BCM Project Management
Scope Timelines Deliverables Team members Tools

69 Initiating BCP Awareness, data and implementation Staff and budget
Result must be a long-term, sustainable program Review progress monthly (suggestion)

70 Documentation Review current BCP, if available
Documentation may not equal capability Staff must be trained to use any necessary software Types of BCM document Policy, including scope and principles Business impact analysis Risk and threat assessment Strategies, including (if able) papers supporting the choice of strategies adopted Response plans Test schedule and reports Awareness and training program Service level agreements with customers and suppliers Contracts for 3rd party recovery services such as workspace and salvage Review/update as directed by policy

71 Domain Objectives Understanding the Organization
Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

72 Understanding BCM Priorities
Business priorities Policy/culture Critical services and products Legal and regulatory requirements

73 Risk Assessment and Management
Management is often NOT an IT person. Might have different priorities Risk management versus business continuity planning Risk management – tactical Business continuity – strategic Coordination between risk assessment and business impact analysis Purpose of risk management?

74 Threat Identification
Natural/environmental Human/man-made Utility Supply chain Equipment Facility Loss of key personnel

75 Understanding the Organization
Business Impact Analysis (BIA) Benefits Objectives Indicators of critical business functions Time sensitivity Data integrity Classification

76 Business Impact Analysis
Identifies, quantifies, and qualifies loss over time Business impact analysis process Workshops Questionnaires Interviews Observation

77 Business Impact Analysis
Business justifications for budget Maximum Tolerable Downtime (MTD)/ Maximum Tolerable Period of Downtime/Disruption (MTPD) Recovery Point objective (RPO) Document dependencies Third party dependencies and liabilities Service level agreements

78 Incident Readiness & Response
Planners become leaders Be prepared Triage Incident management Success = return to operations Application of lessons learned

79 Continuity Requirement Analysis
Identify supporting activities and resources Outcomes feed BCP strategy selection Reviewed with BIA

80 Domain Objectives Recovery Strategy Selection
Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

81 Determining Recovery Strategy
Determining BC strategies Strategy options Data Activity continuity options Resource-level consolidation

82 Determining Recovery Strategy
High-level strategies – purpose is to ensure overall continuity strategy appropriately supports the delivery of orgs products/services Recovery Time Objective (RTO) < Maximum Tolerable Downtime/Disruption (MTPD) Separation distance – how far away is recovery site Cost/benefit analysis – best strategy is often determined by cost Address specific business types Different business functions have different recovery solutions

83 Recovery Alternatives
Multiple processing/mirrored site
  Description: Fully redundant identical equipment & data
  Readiness: Highest level of availability & readiness
  Cost: Highest
Mobile site/trailer
  Description: Designed, self-contained IT & communications
  Readiness: Variable drive time; load data, & test systems
  Cost: High
Hot site
  Description: Fully provisioned IT & office, HVAC, infrastructure, & communications
  Readiness: Short time to load data, test systems. May be yours or vendor staff
Warm site
  Description: Partially IT equipped, some office, data & voice infrastructure
  Readiness: Days or weeks. Need equipment, data, communications
  Cost: Moderate
Cold site
  Description: Minimal infrastructure, HVAC
  Readiness: Weeks or more. Need all IT, office equipment, & communications
  Cost: Lowest

84 Processing Agreements
Reciprocal or Mutual Aid
  Description: Two or more organizations agree to recover critical operations for each other
  Considerations: Technology upgrades/obsolescence or business growth. Security and access by partner users.
Contingency
  Description: Alternate arrangements if primary provider is interrupted, i.e., voice or data communications
  Considerations: Providers may share paths or lease from each other. Question them
Service Bureau
  Description: Agreement with application service provider to process critical business functions
  Considerations: Evaluate their loading, geography and ask about backup mode.
Remote Working Arrangements
  Description: Ability to telecommute or work from home
  Considerations: Sensitive data controls, unauthorized equipment

85 Domain Objectives Creating the Plan(s)
Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

86 Business Continuity Plan
Master Plan Modular in design Executive endorsement Review quarterly

87 BCP Contents When will team be activated?
How will the team be activated? Where will everyone meet? Is there an Action Plan/Task List? Is there any reporting? If so, to whom?

88 BCP Contents Responsibilities of the team or specific individuals
Liaising with emergency services (fire, police, ambulance) Receiving or seeking information from response teams Reporting information to the incident management team Mobilizing third-party suppliers of salvage and recovery services Allocating available resources to recovery teams Location/mobilization instructions

89 Developing Response Plans
Incident response structure - plans that answer “What do we do now?” Emergency response procedures, Personnel notification, Backup and offsite storage, Etc. Emergency response procedures Personnel – executive succession plan, executive crisis management roles, BC coordinator and teams, notification lists, PR Communications – emergency systems, business systems communications and networks Alternate site considerations – utilities, communications, environmental protection, workspace protection Logistics and supplies – personnel and materials transport, personnel support and welfare, remote worker activation, emergency funds, protection against fraud and looting, safety and legal issues, escalated management authority

90 Creating Recovery Plans
Recovery procedures Recovery priorities Activation of alternate site or processes Data recovery Business resumption plan

91 Creating Disaster Recovery Plans
Recover out to the alternate – MOST critical first Recover back to the primary – LEAST critical first Responsibilities and authority Outlines what needs to be done Outlines who will do the work Since this may be happening at the same time as the incident, recovery should be done (if possible) by a different team comprised of technical experts and system engineers who can rebuild the failed systems

92 Creating Restoration Plans
Rebuilding of primary site Facility restoration System restoration Priorities Data synchronization Salvage Closure of alternate site

93 Topics to Address in Plans
Equipment Procurement (vendor agreement) Facilities Environmental controls Fire and water protection Personnel

94 Topics to Address in Plans
Data Offsite storage requirements Utilities Communications Logistics and supplies

95 Resource-Level Consolidation
Consolidation plan Availability of solutions Consolidate, approve and implement Outcomes and deliverables

96 Domain Objectives Developing and Implementing Response
Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

97 Incident Response Management
Strategic Level: Incident Management Plan (IMP) – defines how the strategic issues of a crisis will be managed by chief executive/senior managers. May include crises that do not result in interruptions (hostile takeover, media exposure, etc.). Tactical Level: Business Continuity Plan (BCP) – addresses business disruption, interruption, or loss from the initial response till normal business resumes. Operational Level: Activity Resumption Plans – provide plans for resuming normal business functions. Might provide logical and technical structure for restoring services or use of alternate facilities.

98 Implementing Incident Management
Crisis management Rapid response is critical Triage (alerts) Notification Health and safety of personnel (people first) Escalation Executive succession

99 Initial Assessment Damage assessment Declaring a disaster
Mobilization of response teams Permanent and virtual teams

100 Documentation and Communication
Documentation of the incident Feedback and analysis Communications Public relations

101 Domain Objectives Testing, Update, and Maintenance of the Plan
Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

102 Testing the Program Find the flaws Outsourcing Timetable for tests
Designing a test Define success/failure BEFORE test begins

103 Testing Types
Desk check
  Process: Check the contents of the plan; aid in maintenance
  Participants: Author
  Frequency: Often
  Complexity: LOW
Walk through
  Process: Check interaction and roles of participants
  Participants: Author and main people
Simulation
  Process: Includes business plans, buildings and communication
  Participants: Main people and auditors
Parallel testing
  Process: Moves work to another site; recreates the existing work from the displaced site
  Participants: Everyone at test location
Full Interruption
  Process: Shuts down and relocates all work
  Participants: Everyone at both locations
  Frequency: Seldom
  Complexity: HIGH

104 Testing BCP Arrangements
Test, rehearsal and exercise Combining individual tests to ensure complete coverage Stringency, realism, and minimal exposure Risks of testing Scope and documentation of a test Outcomes Testing BCP, rehearse team members and staff, exercise the system Might want to test segments of the plan but good idea to occasionally test multiple segments at the same time Stringent – test should be realistic, “fight as you train” Risks of testing – always a chance that a real problem will occur during a test. Be prepared Define what to expect from each test BEFORE starting Document and perform after action review

105 Embedding BCP into the Organization
Assessing level of awareness and training Develop levels of training for individuals Developing BCP within the culture Educate employees not only of what they are supposed to do but WHY they are doing it that way Monitoring cultural change Get feedback. Sometimes the best solution to a problem will come from the most unexpected person

106 Specialized Training Needs
EOC (Emergency Operations Center) Specialized skills Forensic Interviewing Technical Crisis management PR Etc.

107 Maintaining BCP Arrangements
Ready and embedded Aligned with change-management procedures Owners keep information current Documented Review as needed

108 BCP Maintenance Updating Annual review – at a minimum
Subsequent to tests – to immediately identify fail points and needed changes Response to audits – to address issues found Version control – to ensure everyone is working off the most current plan Distribution of plan – to ensure everyone is working off the most current plan

109 Reviewing BCP Audit Independent BCP audit opinion
As directed by audit policy

110 Factors for BCM Success
Supported by senior management Everyone is aware Everyone is invested Consensus

111 Business Continuity and Disaster Recovery Planning
Domain Summary Business Continuity Management (BCM) Project Planning Understanding the Organization Recovery Strategy Selection Creating the Plan(s) Developing and Implementing Response Testing, Update, and Maintenance of the Plan

112 Cryptography

113 Domain Objectives Definitions History Uses Cryptographic Methods
Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

114 Concepts and Definitions
Cryptology – the study of cryptography and cryptanalysis Cryptanalysis – practice of defeating the protective properties of cryptography. Reading protected info, altering messages or integrity values and violating authentication. The practice of testing cryptographic algorithms to determine their strength or resistance to compromise. Cryptography – from Greek words “kryptos” (hidden) and “graphia” (writing). Mathematical manipulation of information to prevent the information from being disclosed or altered.

115 Basic Goals of Cryptography
Confidentiality – prevent unauthorized people from being able to detect or understand a message. Integrity – detect whether a message has been tampered with or corrupted. Authenticity – verify who sent the message; combined with sequence numbers or timestamps this also detects messages delivered out of order or replayed. Non-repudiation – the sender cannot deny having sent the message. Access control – encrypted passwords and token-based access control devices provide protection for systems and applications. Make compromise difficult – make the attack either too expensive or too time-consuming to be worth the effort.

116 Concepts & Definitions
Cryptosystem – device or process used to perform encryption and decryption operations Plaintext/Cleartext – human readable message Ciphertext/Cryptogram – enciphered, encrypted, or scrambled message Cryptographic Algorithm – mathematical function that determines the cryptographic operations Cryptovariable (key) – often secret value used to transform the message in the encrypted message Key Space – total number of keys available to the user of a cryptosystem

117 Concepts & Definitions
Encrypt/Encipher – scrambling a plaintext message by using an algorithm, usually in conjunction with a key Encode – similar to enciphering or encrypting except that it does not use a key Decipher/Decrypt/Decode – descrambling an encrypted message and converting it to plaintext

118 Basic Transformation Techniques
Substitution – change the value of each element, not its position. Transposition/Permutation – change the relative position of values without replacing them (bit-shuffling). Compression – decrease redundancy before the plaintext is encrypted; also saves bandwidth and storage. Entropy – a measure of how unpredictable data is; it sets the limit on how far the data can be compressed and on how little an attacker can learn from patterns. Expansion – typically used to increase the size of plaintext to match the size of keys or subkeys. Padding – adding material to the plaintext before encrypting, e.g. to fill the final block to the cipher's block size; it can also disguise the true message length and so foil traffic analysis.

119 XOR – Exclusive Or. A fast arithmetic function used in many cryptographic operations. It is binary addition without a carry (addition modulo 2): if both input bits are the same the output is 0 (1+1=0, 0+0=0); if they differ the output is 1 (1+0=1, 0+1=1). XOR is its own inverse, which is why the same operation both encrypts and decrypts in stream ciphers and one-time pads.

120 Keys and Cryptovariables
Key management – the principles and practices of protecting keys throughout their lifecycle. Key expiry/cryptoperiod – keys should be changed on a regular basis; the length of time should be based on the algorithm and the level of protection required. Key mixing/key schedule – DES has a nominal 64-bit key of which 8 bits are parity, so 56 bits are effective; its key schedule derives a different 48-bit subkey from those 56 bits for each of the 16 rounds of substitution and transposition. AES likewise expands the original key into a separate round key for every round. Keystreams – a pseudo-random sequence generated from the input key and mixed (XORed) with the message. Synchronous – the keystream depends only on the key and position, generated bit by bit in step with the plaintext. Self-synchronous (asynchronous) – the keystream depends on the key and on previously generated ciphertext. Key storage – keys must be protected in transit and in storage. Key clustering – a weakness in a cryptosystem where two different keys produce the same ciphertext from the same plaintext.

121 Initialization Vector (IV)
Encrypting similar messages with the same key produces recognisable patterns in the ciphertext. Predictability is an enemy of cryptography. An IV is a non-secret, random (or at least never repeated) value that is mixed into the first step of encryption, for example XORed with the first plaintext block in CBC mode, so that encrypting the same message twice yields substantially different ciphertext. The recipient also needs the IV to decrypt the message; it is normally sent along with the ciphertext. Reusing an IV with the same key leaks information about the plaintext.

122 Work Factor. An estimate of the effort/time needed by an attacker with specified expertise and resources to overcome a protective measure. Commonly used to measure the resources required to brute-force an algorithm or cryptosystem. A system is said to be broken when there is a way to reduce the work factor below that of brute force to a practical level. All practical cryptosystems can be cracked given enough resources; the objective is to use a system for which the attack is computationally infeasible within the time the data must stay protected. Work factor describes the cost of attacking the system, not the cost of normal encryption/decryption.

123 Kerckhoffs' Principle
States that the strength of a cryptosystem must rest on the secrecy of the key and not on the secrecy of the algorithm; assume the attacker knows everything except the key. The work factor for the cryptanalyst is then the effort required to determine the correct key, and for a sound algorithm key length is the primary measure of the cryptosystem's strength. Brittleness – a measure of how badly a system fails. A resilient system is dynamic and designed to fail only partially or degrade gracefully; in general, automated systems which only do one thing are by definition brittle. “Security by obscurity” – the idea that a system is secure as long as no one outside the “group” can find out anything about its internal mechanisms. It violates Kerckhoffs' principle: once the mechanism leaks there is no key to change.

124 Key Algorithms Symmetric key – same key used for both the encryption and decryption operation Asymmetric key – pair of mathematically related keys (A and B) used separately for encryption and decryption

125 Certificates Certificate proves who owns a public key
Digitally signed, special block of data that contains public key and identifying information for the entity that owns the private key Issued by a Certification Authority (CA) – trusted entity or 3rd party that issues and signs public key certificates, attesting to the validity of the public key. Registration Authority – is the primary organization that verifies a Certificate Applicant’s information and identity. Works with CA to verify applicant’s information before issuing a certificate

126 Hash Functions Message integrity
Computed value for a message, program, data, etc to be transmitted or stored One way function Cannot decrypt/reverse a hash

127 Digital Signatures Message Integrity and Proof of Origin
Proves the message has not been altered and proves who sent it. Created by hashing the message and then applying the sender's private asymmetric key to the hash (loosely, “encrypting the hash with the private key”, which is how RSA signatures are usually described). Anyone holding the sender's public key can recover the hash and compare it with a hash they compute over the received message. The hash is signed instead of the whole message because asymmetric algorithms are slow and computationally intensive, and because the signature then has a fixed size regardless of message length.

128 Domain Objectives History Definitions Uses Cryptographic Methods
Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

129 Historical Development
Cryptographic techniques: Manual – methods performed by hand using a variety of tools (still used with some one-time pads). Mechanical – mechanical tools used to perform encryption and decryption (cipher disk). Electro-mechanical – electro-mechanical devices (Enigma machine). Electronic – computer-based technology used to perform complex and secure cryptographic operations (software and hardware implementations of AES, RSA, etc.). Quantum cryptography – quantum key distribution uses single-photon light emissions to negotiate keys so that any eavesdropping on the channel is detectable.

130 Domain Objectives Uses Definitions History Cryptographic Methods
Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

131 Uses of Cryptography
Protecting information in transit – VPNs, e-commerce, VoIP, etc. Protecting information in storage – disk encryption. System access – passwords, remote login.

132 Domain Objectives Cryptographic Methods Definitions History Uses
Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

133 Making Secure Algorithms
Problems – simple systems are not very secure. Discernible – if you know the language of the original message, frequency analysis can be performed. Redundancies – make the cryptanalyst's job easier. Statistical patterns – are revealed in the ciphertext if the algorithm doesn't obscure them. Solutions (Shannon): Confusion – hide the relationship between the key and the ciphertext, mainly through substitution, so that each ciphertext bit depends on several parts of the key. Diffusion – spread the influence of each plaintext bit across many ciphertext bits through transposition, so that a character in the ciphertext does not line up with the same position in the plaintext. Avalanche effect – the result of good confusion and diffusion: changing a single bit of the plaintext or key should change about half of the ciphertext bits.

134 Stream Ciphers Keystream Statistically unpredictable and unbiased
Not linearly related to the key Operates on individual bits or bytes

135 Uses of Stream Cipher and Stream-Mode Block Ciphers
Wireless Audio/video streaming SRTP (Secure Real-time Transport Protocol)

136 Block Cipher Blocks of plaintext are encrypted into ciphertext blocks
Multiple modes of operation Variable key size, block size, rounds

137 Block Cipher Uses Data transport – SSL, TLS. Both protocols can use AES and Triple DES. IPSec based VPNs also use block ciphers to encrypt communication between endpoints Data storage – even though block ciphers take more time, used because of their greater ability to frustrate cryptanalysis. TrueCrypt is an example of block cipher used to encrypt data

138 Domain Objectives Encryption Systems Definitions History Uses
Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

139 Simple Substitution Ciphers
Substitution of one value for another. Caesar cipher – shift the alphabet (by 3): A B C D E F … becomes D E F G H I …, so FACE encrypts to IDFH. Scrambled alphabet – A B C D E F … maps to Q E Y R T M …, so FACE encrypts to MQYT. Both are vulnerable to frequency analysis, because each plaintext letter always produces the same ciphertext letter.

140 Simple Transposition/Permutation
Columnar – rearranging the message in a table. Plaintext “This is an example of transposition” is written row by row into a grid five columns wide and read out column by column, giving the cipher “tsaoni hamfst inptpi selroo ixeasn”. Key: grid shape and reading direction. Example: the Spartan scytale.
T H I S I
S A N E X
A M P L E
O F T R A
N S P O S
I T I O N

141 Polyalphabetic Ciphers
A table of shifted alphabets numbered 1 – 4 (the slide shows the row beginning D E F G H I J K L M N O P Q R S T U V W X Y Z). Encrypt the plaintext FEEDBACK using a key of 3241, one key digit per plaintext letter, repeating the key as needed. Try encrypting your name.

142 Running Key Ciphers – use the numerical value of the letters in the plaintext, coded and decoded with a copy of the text in a book as the key. Sender and recipient determine the key by agreeing on a point in the book (e.g., a page number) from which to start. The key “runs” as long as the plaintext, and the value of each key letter is added to the value of the corresponding plaintext letter. If the total is greater than 25, 26 is subtracted from the result (addition modulo 26). The combined value is the value of the ciphertext letter.
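Worked example, added here and not part of the original presentation: the classical ciphers from slides 139 – 142 (Caesar and scrambled-alphabet substitution, columnar transposition, the numeric-key polyalphabetic cipher and the running key) in Python, built on one generic shift routine, plus a frequency-analysis break of the Caesar cipher. Reading the polyalphabetic table as “row n is the alphabet shifted n places” is an assumption; the sample plaintexts and the book passage used as a running key are constructed.

```python
# Added worked example (not from the presentation): the classical ciphers from
# slides 139-142, all implemented on top of one generic shift routine.
from collections import Counter
import string

ALPHA = string.ascii_uppercase


def letters_only(text):
    """Classical ciphers work on A-Z only; drop spaces, digits and punctuation."""
    return "".join(ch for ch in text.upper() if ch in ALPHA)


def shift_encrypt(text, shifts, decrypt=False):
    """Shift letter i by shifts[i % len(shifts)] places, modulo 26.
    One constant shift is the Caesar cipher; a repeating list of key digits is
    the polyalphabetic cipher; a book-length list of key values is the running key."""
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(letters_only(text)):
        out.append(ALPHA[(ALPHA.index(ch) + sign * shifts[i % len(shifts)]) % 26])
    return "".join(out)


def caesar(text, shift=3, decrypt=False):
    return shift_encrypt(text, [shift], decrypt)


def scrambled_substitution(text, scrambled_alphabet, decrypt=False):
    """Monoalphabetic substitution with an arbitrary 26-letter alphabet."""
    src, dst = (scrambled_alphabet, ALPHA) if decrypt else (ALPHA, scrambled_alphabet)
    return letters_only(text).translate(str.maketrans(src, dst))


def columnar_encrypt(text, columns):
    """Write the text row by row into a grid `columns` wide, read it column by column."""
    t = letters_only(text)
    rows = [t[i:i + columns] for i in range(0, len(t), columns)]
    return "".join(row[c] for c in range(columns) for row in rows if c < len(row))


def columnar_decrypt(ciphertext, columns):
    """Inverse: refill the grid column by column (the first `extra` columns are one
    cell taller when the text does not fill the last row), then read the rows."""
    full_rows, extra = divmod(len(ciphertext), columns)
    grid = [[""] * columns for _ in range(full_rows + (1 if extra else 0))]
    pos = 0
    for c in range(columns):
        for r in range(full_rows + (1 if c < extra else 0)):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def polyalphabetic(text, numeric_key, decrypt=False):
    """Slide 141: key 3241 shifts successive letters by 3, 2, 4, 1, 3, 2, ...
    (assumption: row n of the slide's alphabet table is the alphabet shifted n places)."""
    return shift_encrypt(text, [int(d) for d in numeric_key], decrypt)


def running_key(text, book_text, decrypt=False):
    """Slide 142: the key is a passage from a book, A=0 ... Z=25, added letter by letter mod 26."""
    key = letters_only(book_text)
    if len(key) < len(letters_only(text)):
        raise ValueError("running key must be at least as long as the message")
    return shift_encrypt(text, [ALPHA.index(k) for k in key], decrypt)


def break_caesar(ciphertext):
    """Frequency analysis: assume the most common ciphertext letter stands for E,
    the most common letter in English, and derive the shift from that."""
    top = Counter(letters_only(ciphertext)).most_common(1)[0][0]
    shift = (ALPHA.index(top) - ALPHA.index("E")) % 26
    return shift, caesar(ciphertext, shift, decrypt=True)
```

columnar_encrypt("This is an example of transposition", 5) reproduces the slide's ciphertext tsaoni hamfst inptpi selroo ixeasn, and break_caesar recovers a shifted message from letter frequencies alone, which is exactly the weakness slide 139 warns about; the polyalphabetic and running-key variants only hide those frequencies as long as the key is long and unpredictable.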

143 One-Time Pads (OTP) Truly random key values
Both sides have the same pad of key values. Keys are only used once. Unbreakable: mathematically proven (Shannon) to give perfect secrecy, but only if the pad is truly random, at least as long as the message, used exactly once and kept secret. Reusing a pad (the “two-time pad”) exposes the XOR of the two plaintexts and breaks the system.
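Worked example, added here and not part of the presentation: the one-time pad from this slide as XOR (slide 119) with a pad, the one-line reason it is perfectly secret, and the two-time-pad failure when the same pad is used twice. The messages are constructed and os.urandom stands in for a physical pad source.

```python
# Added worked example (not from the presentation): one-time pad over XOR,
# with the reuse failure. Sample messages and the fixed demo pad are constructed.
import os


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings (slide 119: 1+1=0, 1+0=1)."""
    if len(a) != len(b):
        raise ValueError("XOR operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length):
    """Pad from the OS CSPRNG. A true OTP needs a physical randomness source;
    os.urandom is the correct choice for any software-generated key material."""
    return os.urandom(length)


def otp_encrypt(plaintext, pad):
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(plaintext, pad[:len(plaintext)])


otp_decrypt = otp_encrypt  # XOR is its own inverse: (p ^ k) ^ k == p


def pad_that_decrypts_to(ciphertext, candidate):
    """Perfect secrecy in one line: for ANY candidate plaintext of the same length
    there is a pad that turns this ciphertext into it, so the ciphertext alone
    cannot favour one plaintext over another."""
    return xor_bytes(ciphertext, candidate)


def two_time_pad_leak(c1, c2):
    """If the same pad encrypted two messages, XORing the ciphertexts cancels it:
    (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2. The attacker never learns k but gets the
    relationship between the plaintexts, which is usually enough."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def crib_drag(p1_xor_p2, crib, offset):
    """Crib dragging: guess that `crib` appears at `offset` in one message and
    XOR it in; whatever comes out is the other message at the same position."""
    return xor_bytes(p1_xor_p2[offset:offset + len(crib)], crib)
```

The same reuse failure applies to every stream cipher, since a stream cipher is a one-time pad whose pad is generated from a short key: reuse the key and nonce and the keystream cancels exactly as above.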

144 Steganography The art of hiding information Plaintext hidden/disguised
Prevents a third party from knowing that a secret message exists Traditionally accomplished in a number of ways: Physical techniques Null ciphers Physical: invisible inks, microdots, etc Null ciphers: message “buy gold now” sentence “I have been trying to BUY you a nice gift like GOLD or an antique but prices NOW are really high”

145 Original image Stegged image
Image-Based Steganography Original image Stegged image File size is identical (260 kb) If hashed, values would be different

146 Watermarking/Rights Management
Digital watermarking – similar to physical watermarking. Either visible or invisible markings embedded within a digital file to indicate copyright or other handling instructions, or to embed a fingerprint to detect unauthorized copying and distribution of images. Digital Rights Management/Digital Restriction Management (DRM) – extends digital watermarking in order to place strict usage conditions on the display and reproduction of digital media.

147 Domain Objectives Algorithms Definitions History Uses
Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

148 Modes of Symmetric Block Ciphers
Block modes: Electronic Code Book (ECB), Cipher Block Chaining (CBC). Stream modes: Cipher Feedback (CFB), Output Feedback (OFB), Counter (CTR). Authenticated mode: Counter with CBC-MAC (CCM, used by CCMP in 802.11i). Modes of operation allow block ciphers to: encrypt short or long messages securely; act more like a stream cipher; take advantage of multiprocessing to perform multiple operations at the same time (ECB, CTR); contain the effects of a transmission error; and perform the computationally intensive work before the plaintext is received (OFB and CTR keystreams can be precomputed).

149 Electronic Code Book (ECB)
Each block of plaintext is encrypted independently using the same key

150 Cipher Block Chaining (CBC)
The first plaintext block is XOR'd with an Initialization Vector (IV) and then encrypted; each resulting ciphertext block is XOR'd into the next plaintext block before that block is encrypted, so identical plaintext blocks no longer produce identical ciphertext. Encryption is sequential, decryption can be parallelised, and a one-bit error in the ciphertext corrupts one full block plus one bit of the next.

151 Cipher Feed Back (CFB) Similar to CBC
The IV is encrypted and the result is XOR'd with the first plaintext block to give the first ciphertext block; that ciphertext block is then encrypted to produce the keystream for the next block. Only the encryption direction of the block cipher is used, and errors self-synchronise after one block.

152 Output Feed Back (OFB) Operates very much like CFB
Only the RESULT of encrypting the IV is fed back into the next operation, never the ciphertext, so the keystream is independent of the message and can be computed in advance. A bit error in the ciphertext flips only the corresponding plaintext bit.

153 Counter (CTR) – similar to OFB, but instead of feeding the output back, a counter (typically a nonce plus an incrementing block number) is encrypted to produce each keystream block. Blocks can be encrypted or decrypted in parallel and in any order; the nonce/counter must never repeat under the same key.

154 Counter With CBC-MAC (CCM)
Provides confidentiality (CTR mode) and authenticity (a CBC-MAC over the data). Works with a 128-bit block size. CCMP, the protocol built on CCM with AES, is mandatory in 802.11i (WPA2). Appends an authentication tag to the ciphertext. Counter mode on its own lacks integrity (an attacker can flip plaintext bits by flipping ciphertext bits); CCM solves that problem.
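Worked example, added here and not part of the presentation: ECB, CBC and CTR implemented over a toy 64-bit Feistel cipher so the modes on slides 148 – 154 can actually be run. The Feistel cipher, its key schedule and round function are invented stand-ins for DES/AES (DES is itself a 16-round Feistel network) and are not secure; the key, IV, nonce and messages are constructed. repeated_blocks shows the ECB pattern leak that CBC removes, and flip_byte shows the CTR malleability that the MAC in CCM exists to stop.

```python
# Added worked example (not from the presentation): ECB, CBC and CTR modes over a
# toy 64-bit Feistel cipher. The Feistel cipher stands in for DES/AES so the modes
# can run here; it is NOT secure, and its key schedule and round function are made up.
import hashlib

BLOCK = 8   # 64-bit block, like DES
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_keys(key):
    # Toy key schedule: a distinct subkey for every round, derived from the master key
    return [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(ROUNDS)]


def _f(round_key, half):
    # Toy round function; a Feistel network is invertible whatever F is
    return hashlib.sha256(round_key + half).digest()[:4]


def _feistel(block, round_keys):
    left, right = block[:4], block[4:]
    for rk in round_keys:
        left, right = right, _xor(left, _f(rk, right))
    return right + left  # undo the last swap so decryption is the same loop backwards


def block_encrypt(key, block):
    return _feistel(block, _round_keys(key))


def block_decrypt(key, block):
    return _feistel(block, _round_keys(key)[::-1])


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    """Each block independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pkcs7_pad(plaintext)))


def ecb_decrypt(key, ciphertext):
    return pkcs7_unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key, iv, plaintext):
    """XOR each plaintext block with the previous ciphertext block (the IV first)."""
    out, prev = [], iv
    for b in _blocks(pkcs7_pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for b in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return pkcs7_unpad(b"".join(out))


def ctr_crypt(key, nonce, data):
    """Stream mode: encrypt nonce||counter for a keystream and XOR it in. No padding,
    only the forward direction of the cipher, and the same call encrypts and decrypts."""
    out = bytearray()
    for i, chunk in enumerate(_blocks(data)):
        keystream = block_encrypt(key, nonce + i.to_bytes(4, "big"))
        out += _xor(chunk, keystream[:len(chunk)])
    return bytes(out)


def repeated_blocks(ciphertext):
    """How many ciphertext blocks duplicate an earlier one: the ECB pattern leak."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def flip_byte(ciphertext, index, old, new):
    """CTR malleability: XORing old^new into a ciphertext byte changes the decrypted
    byte from old to new, because the keystream is independent of the data."""
    return ciphertext[:index] + bytes([ciphertext[index] ^ old ^ new]) + ciphertext[index + 1:]
```

With a repeating plaintext, ecb_encrypt yields repeating ciphertext blocks while cbc_encrypt does not, and flip_byte turns "$100" into "$900" under CTR without knowing the key, which is why CTR is always paired with a MAC (CCM, GCM) in practice.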

155 DES – Data Encryption Standard
56-bit key. 16 rounds of transposition and substitution (a Feistel network). Fixed 64-bit block size. Double DES (2DES) – uses two 56-bit keys; the message is encrypted by one key and re-encrypted by the second. Was thought to provide 112-bit strength, but the “meet-in-the-middle” attack reduces the work to roughly 2^57, barely better than single DES. Triple DES (3DES/TDES) – input data is encrypted three times (usually encrypt-decrypt-encrypt). Strength depends on the mode of operation chosen and the number of distinct keys used: the nominal key size is 168 bits with three keys (112 with two), but meet-in-the-middle limits the effective strength to about 112 bits.

156 AES – Advanced Encryption Standard
Based on the Rijndael algorithm, developed by Daemen and Rijmen in 1998 and selected by NIST in 2001. Rijndael supports block sizes of 128, 192 and 256 bits, but the AES standard fixes the block size at 128 bits. Key sizes of 128, 192 or 256 bits, with 10, 12 or 14 rounds respectively.

157 Other Block Ciphers RC5 and RC6 Blowfish Twofish CAST SAFER Serpent

158 RC4 – symmetric stream cipher with a variable key size. Used in many applications (WEP, WPA-TKIP, SSL/TLS), but now deprecated because of statistical biases in its keystream; TLS prohibits it (RFC 7465).

159 Strengths & Weaknesses – Symmetric Ciphers
Strengths: fast; difficult to crack with a sufficient key length; algorithms and tools freely available; stream ciphers ensure highly efficient serial communications; block ciphers offer multiple modes. Weaknesses: a separate means of key negotiation/exchange/distribution must be used; poor scalability (every pair of parties needs its own key); limited security services (confidentiality and integrity, but no non-repudiation); on noisy channels error correction is a must, since messages sent over an insecure channel may suffer data loss and interference that can make the rest of the message unintelligible.

160 Asymmetric Key Cryptography
Diffie-Hellman, 1976 Public key cryptography Uses a pair of mathematically related keys Private key Public key

161 Public Key Algorithms Ensures confidentiality Ensure proof of origin
Encrypting message with the receiver’s public key provides confidential transmission of the message because the only key that can open the message is the corresponding private key of the recipient Ensure proof of origin When a message is encrypted (signed) with the sender’s private key, the recipient can verify the source of the message because the message can only be opened with the sender’s public key Confidentiality and proof of origin Double encrypting a message with the private key of the sender and then with the public key of the receiver will provide both confidentiality and proof of origin

162 RSA Algorithm Rivest-Shamir-Adleman, 1977 Adjustable key size
Encryption, digital signatures and key distribution. Adjustable key size. PKCS#1 defines how the algorithm is used in practice (padding and encoding); v2.1 at the time of this presentation, v2.2 (RFC 8017) since 2016. How does it work? Find two large primes and call them p and q. Multiply them and call the result n. Choose a public value e less than n that is relatively prime to (p-1)(q-1). Find d such that e·d = 1 mod (p-1)(q-1). Make n and e PUBLIC, and keep d, p and q SECRET. To encrypt message m, ciphertext c = m^e mod n. To decrypt, m = c^d mod n.
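Worked example, added here and not part of the presentation: the RSA recipe from this slide and the hash-then-sign construction from slides 127 and 161, in Python. The primes p = 2^127-1 and q = 2^521-1 are an assumption chosen so the example is deterministic and its primes are verifiably prime; real keys are two random primes of equal size, and real deployments wrap the message and the digest in PKCS#1 padding (OAEP for encryption, PSS for signatures), which textbook RSA omits.

```python
# Added worked example (not from the presentation): textbook RSA following the
# slide's recipe, plus hash-then-sign from the Digital Signatures slides.
# Assumption: p and q are fixed Mersenne primes (2^127-1, 2^521-1) so the example is
# deterministic and its primes are verifiably prime. Real keys use two random primes
# of equal size, and real systems add PKCS#1 padding (OAEP / PSS), omitted here.
import hashlib
from math import gcd

P = 2**127 - 1   # constructed demo primes (never use special-form primes in practice)
Q = 2**521 - 1


def keygen(p=P, q=Q, e=65537):
    """Slide 162 step by step. Returns (public, private); p and q stay secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # e*d = 1 mod (p-1)(q-1)   (Python >= 3.8)
    return (n, e), (n, d)


def encrypt(public, m):
    """c = m^e mod n; the message must be an integer smaller than n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private, c):
    """m = c^d mod n"""
    n, d = private
    return pow(c, d, n)


def _digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message):
    """Hash first, then apply the private exponent to the digest (slide 127)."""
    n, d = private
    return pow(_digest_int(message), d, n)


def verify(public, message, signature):
    """Apply the public exponent and compare with a freshly computed hash."""
    n, e = public
    return pow(signature, e, n) == _digest_int(message)


def int_from_bytes(b):
    return int.from_bytes(b, "big")


def bytes_from_int(i, length):
    return i.to_bytes(length, "big")
```

Because d is derived from (p-1)(q-1), anyone who learns p or q can recompute the private key from the public one, which is why the slide insists that p and q stay secret along with d.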

163 Other Algorithms Diffie-Hellman Key Exchange Protocol
Perfect Forward Secrecy (PFS) – achieved with D-H when each session uses fresh (ephemeral) exponents: even if a party's long-term private key is later compromised, past session keys cannot be recovered, because the secret that derived them was never stored. Diffie-Hellman Groups – define the prime modulus (or elliptic curve) and generator, and so the size of the values used in the exchange. STS/Unified Diffie-Hellman – a weakness of plain D-H is the man-in-the-middle attack, since neither party authenticates the other. This led to the Station-to-Station (STS) key agreement protocol by Diffie, van Oorschot and Wiener in 1992. Menezes-Qu-Vanstone (MQV) – an authenticated D-H variant. ElGamal – D-H based encryption and signature scheme, retired from common use. Elliptic Curve Cryptography (ECC) – the same security with far fewer bits (a 256-bit curve roughly matches 3072-bit RSA) and faster operations, which is why it dominates on mobile and constrained devices.
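Worked example, added here and not part of the presentation: Diffie-Hellman key agreement with ephemeral exponents (the basis of PFS) and the man-in-the-middle attack that motivated STS, with both sides' values shown. The modulus 2^521-1 and generator 5 are an assumption made purely so the group is easy to verify; real deployments use the RFC 3526 safe-prime groups or elliptic-curve DH.

```python
# Added worked example (not from the presentation): Diffie-Hellman key agreement and
# the man-in-the-middle failure that STS and other authenticated variants fix.
# Assumption: the modulus is the Mersenne prime 2^521-1, chosen only because its
# primality is easy to verify; real deployments use RFC 3526 safe-prime groups or ECDH.
import hashlib
import secrets

P = 2**521 - 1   # toy modulus (assumption)
G = 5            # generator; for this illustration any base works


def derive_key(shared_secret):
    """Never use the raw DH value as a key: hash it into a fixed-length session key."""
    return hashlib.sha256(shared_secret.to_bytes(66, "big")).digest()


class Party:
    """One side of the exchange. The exponent is ephemeral: discard it after the
    session and a later compromise of this party reveals nothing about the key (PFS)."""

    def __init__(self, name):
        self.name = name
        self._exponent = secrets.randbelow(P - 2) + 1   # private value, never sent
        self.public = pow(G, self._exponent, P)         # g^a mod p, sent in the clear

    def session_key(self, peer_public):
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid public value")   # reject 0, 1 and p-1
        return derive_key(pow(peer_public, self._exponent, P))


def honest_exchange(alice, bob):
    """Both compute g^(ab): Alice from Bob's g^b, Bob from Alice's g^a."""
    return alice.session_key(bob.public), bob.session_key(alice.public)


def mitm_exchange(alice, bob, mallory):
    """Nothing in plain DH says who sent a public value, so Mallory substitutes her
    own in both directions. Each victim agrees a key with Mallory while believing it
    shares one with the other party; Mallory decrypts, reads and re-encrypts everything."""
    alice_key = alice.session_key(mallory.public)    # Alice thinks this is Bob's g^b
    bob_key = bob.session_key(mallory.public)        # Bob thinks this is Alice's g^a
    mallory_with_alice = mallory.session_key(alice.public)
    mallory_with_bob = mallory.session_key(bob.public)
    return alice_key, bob_key, mallory_with_alice, mallory_with_bob
```

The fix in STS and in TLS is to sign the exchanged public values with a long-term key (or bind them to a certificate), so a substituted g^b fails verification; the ephemeral exponents still give forward secrecy even though the signing key is long-lived.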

164 Knapsack Algorithms Merkle-Hellman knapsack Chor-Rivest knapsack
Developed in 1978 Chor-Rivest knapsack Developed in 1984 and revised in 1988 Both schemes have been broken

165 Asymmetric Key Cryptography
Strengths: confidentiality/privacy, access control, authentication, integrity, non-repudiation. Weaknesses: computationally intensive and very slow compared with symmetric ciphers, so in practice it is used to protect symmetric keys and hashes rather than bulk data.

166 Common Hash Functions Message Digest Secure Hash Algorithm (SHA) HAVAL
Message Digest: MD2, MD4, MD5 (all broken for collision resistance; MD5 collisions are trivial to produce). Secure Hash Algorithm (SHA): SHA-1 (160 bit; collisions demonstrated in 2017, deprecated), the SHA-2 family SHA-256, SHA-384 and SHA-512 (current best practice), and SHA-3 (Keccak). Others: HAVAL, RIPEMD, Tiger, WHIRLPOOL.

167 Hash Function Characteristics
Condensed representation of the message One-way function Non-linear relationship Hash calculated from whole, original message

168 Keyed Hashes (HMAC) and Salts
A basic hash sent with a message gives no protection on its own: anyone who intercepts and changes the message can simply recompute the hash. To solve that problem, mix the hash algorithm with a pre-shared secret key (a keyed hash or MAC, e.g. HMAC). An adversary would need the key to produce a valid tag for a modified message. Implemented in IPSec for integrity checking of both ESP (Encapsulating Security Payload) and AH (Authentication Header). A salt is a different thing: a public random value mixed into a password hash so that equal passwords hash differently and precomputed tables are useless; it is not secret and does not authenticate anything.
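Worked example, added here and not part of the presentation: an unkeyed SHA-256 tag that an attacker on the wire can recompute after altering the message, beside an HMAC-SHA256 tag she cannot. The key and messages are constructed.

```python
# Added worked example (not from the presentation): why an unkeyed hash does not
# authenticate a message but an HMAC does. Messages and keys are constructed.
import hashlib
import hmac
import os


def unkeyed_tag(message):
    """Plain SHA-256: anyone can compute it, so anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key, message):
    """HMAC-SHA256: requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def unkeyed_verify(message, tag):
    return hmac.compare_digest(unkeyed_tag(message), tag)


def keyed_verify(key, message, tag):
    # compare_digest runs in constant time, so the comparison itself leaks nothing
    return hmac.compare_digest(keyed_tag(key, message), tag)


def intercept_and_modify(message, tag, keyed=False):
    """Attacker on the wire swaps the payee. Against an unkeyed hash she simply
    recomputes it; against HMAC the best she can do (without the key) is forward
    the old tag with the new message."""
    forged = message.replace(b"alice", b"mallory")
    if not keyed:
        return forged, unkeyed_tag(forged)
    return forged, tag


def new_key():
    """HMAC keys should be random and at least as long as the hash output."""
    return os.urandom(32)
```

HMAC is used rather than the naive sha256(key || message): with Merkle-Damgård hashes such as SHA-256 the naive construction is open to length-extension attacks, whereas HMAC's nested keyed construction is not.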

169 Digital Signatures (Asymmetric cryptography) + (Hash of message)
Only authenticity and non-repudiation (not confidentiality). Legality – if the signature verifies and the private key is held by the rightful owner, it must be accepted by all parties in the transaction. The American Bar Association has developed guidelines for accepting digital signatures that have been adopted in some US states and other countries. Not accepted globally for transactions and specifically not for high-dollar/high-risk situations. Examples: DSA, RSA, ElGamal, Schnorr, ECDSA.

170 Digital Signatures Uses
E-commerce Non-repudiation of origin (with private key) Integrity of message (with private key encrypted hash) Software distribution (integrity and non-repudiation) and secure document distribution

171 Key Management Challenges
Greatest challenge with secure cryptographic implementation is the management of the keys. Keys must be kept secret. Yet, they must be available when needed. Even OLD keys have to be kept to decrypt old backup files or data. Key distribution Key storage Key change Expire – how long to use a key

172 Functions of Key Management
Operations: Dual control – require the active participation of 2 or more people so that no one person can misuse the key. Threshold schemes – require more than one person (k of n) to successfully complete the task. Key recovery: Split knowledge – 2 or more people each hold part of the information about the key; the parts must be combined to work. Multi-party key recovery – break the key into 3 or more parts and give each part to a different person. Escrow – a copy of the key is held by a trusted third party so that it can be recovered if needed.

173 Functions of Key Management
Creation Automated key generation – prevents user bias and provides quick key production Truly random – only true random generators are things like radioactive decay, noisy diodes, etc. Computers produce pseudo-random. Suitable length – generators must generate enough bits for a complete key. Generating 64 bits and concatenating them does not make them 128. Key encrypting keys (KEK) – keys used to encrypt other keys. Care must be taken to ensure that the data used to generate the KEK is NOT related to the keys being produced.

174 Functions of Key Management
Distribution: Out of band – does not guarantee secure delivery, but increases its likelihood. Public key encryption – most common solution. Secret key construction – using D-H (or similar), exchange values online that generate a new secret key. Secret key delivery – using RSA (or similar), one party encrypts the secret key with the receiving party's public key. Key distribution center – think Kerberos. Certificates – used to distribute public keys. Storage: Trusted hardware – hardware evaluated (typically) under FIPS 140 or Common Criteria. Smartcard – non-volatile storage.

175 Public Key Infrastructure (PKI)
Binds people/entities to their public keys Prevent Man-in-the-Middle attack Public keys are published and are certified by digital signatures

176 Strong Cryptographic PKI Solutions
Use evaluated solutions. High work factor. Publicly evaluated cryptographic algorithms. Training. Import and export of cryptography: the Wassenaar Arrangement is an agreement between several countries that governs the movement of cryptographic products between them; the restrictions are usually based on key length and on whether the product is commercially available. Law enforcement issues.

177 Certificates and CAs Certificates link a public key to its owner
Classes of certificates Certification Authorities (CAs) Registration Authority (RA) Cross-certification Certificate Revocation Lists (CRLs) Online Certificate Status Protocol (OCSP) X.509

178 Domain Objectives Cryptanalysis and Attacks Definitions History Uses
Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

179 Cryptanalysis Art and science of breaking codes Attack vectors Key
Algorithm Implementation Data (ciphertext or plaintext) People – social engineering Assumptions

180 Brute Force Attack Trying all possible key combinations
Two factors: cost and time. Moore's Law – processing speed doubles every 18 months for the same price, so advances in technology and computing performance will always make brute force an increasingly practical attack on keys of a fixed length. Measured in MIPS-years – one computer executing one million instructions per second for a year.

181 Brute Force Attack
Bits | Number of keys | Brute-force attack time
56 | 7.2 x 10^16 | 20 hours
80 | 1.2 x 10^24 | 54,800 years
128 | 3.4 x 10^38 | 1.5 x 10^19 years
256 | 1.15 x 10^77 | 5.2 x 10^57 years
Data shown is as of 1998, when “Deep Crack” was used in the RSA DES challenge. It cost $250,000 to build. Today the same thing can be done for under $10,000: with today's technology DES can be broken in 8.7 days or less for under $10,000.

182 Plaintext Attacks Known plaintext attack – attacker has both the plaintext and ciphertext. Uses analysis to try to determine key. Chosen plaintext attack – attacker has access to the crypto machine. Runs plaintext through machine to get encrypted data. Uses statistical information to try to determine key. Adaptive chosen plaintext attack – attacker has encryption device for more than one message. Patterns may emerge if the attacker puts similar texts into the device

183 Ciphertext Attacks
Ciphertext only – the attacker has samples of ciphertext but no plaintext or key (per Kerckhoffs the algorithm is assumed known). The most difficult attack because the attacker has the least to work with. Chosen ciphertext attack – the attacker has access to ciphertext and to the system that decrypts it. The attacker can run chosen pieces of ciphertext through it to obtain the plaintext, which leads to a known-plaintext attack or to differential or linear cryptanalysis. Adaptive chosen ciphertext attack – the attacker can modify ciphertext and run it through the system repeatedly, choosing each new ciphertext based on what earlier decryptions revealed (padding-oracle attacks against CBC are a practical example).

184 Attack Against Ciphers
Stream Frequency analysis – knows characteristics of plaintext language IV or keystream analysis – examines large numbers of generated IVs for weaknesses, statistical biases, etc. Block Linear cryptanalysis – large amounts of plaintext and associated ciphertext to find info about the key Differential cryptanalysis – 2 or more similar plaintexts are encrypted using same key and compared Linear-differential cryptanalysis – combo of linear and differential Algebraic attacks – examines the algorithm Frequency analysis – uses the statistics of the language to break a ciphertext

185 Attacks Against Hash Functions
Dictionary attacks – based on known lists of common words. Birthday attacks – in a group of 23 people there is a 50% chance that two share a birthday, and with a larger group the chance reaches 99%. Relevant because it describes the amount of effort needed before two randomly chosen inputs produce the same hash value (a collision): about 2^(n/2) trials for an n-bit hash, not 2^n. A weak hash causes many collisions. Attack the hash value. Attack the initialization vector. Rainbow table attacks – precomputed chains of hash and reduction functions that trade storage for lookup time. Salts – per-password random values that defeat precomputed tables.
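Worked example, added here and not part of the presentation: the birthday probability computed exactly, a birthday collision search against a deliberately truncated SHA-256 (the “weak hash” case, where collisions arrive after roughly 2^(bits/2) hashes), and PBKDF2 password hashing with a per-password salt as the defence against rainbow tables. The inputs are constructed; the 24-bit truncation and the 100,000 iteration count are assumptions for illustration.

```python
# Added worked example (not from the presentation): the birthday bound applied to a
# truncated hash, and salted password hashing against precomputed (rainbow) tables.
import hashlib
import hmac
import os


def birthday_probability(people, days=365):
    """P(at least two of `people` share one of `days` equally likely values)."""
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def people_for_probability(target, days=365):
    """Smallest group size at which a shared value is at least `target` likely."""
    n = 1
    while birthday_probability(n, days) < target:
        n += 1
    return n


def truncated_hash(data, nbytes):
    """Keep only the first nbytes of SHA-256: a 'weak hash' with 8*nbytes bits."""
    return hashlib.sha256(data).digest()[:nbytes]


def find_collision(nbytes):
    """Birthday attack: hash distinct inputs until two share a truncated digest.
    Expected work is about 2^(bits/2) hashes, not 2^bits. Returns both inputs and
    the number of hashes computed."""
    seen = {}
    i = 0
    while True:
        msg = f"msg-{i}".encode()
        h = truncated_hash(msg, nbytes)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


SALT_LEN = 16


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-password salt stored in front of the
    digest. Equal passwords give different hashes, so a rainbow table built in
    advance matches nothing, and the iteration count slows down every guess."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hash_password(password, salt)[SALT_LEN:], digest)
```

find_collision(3) finds two distinct inputs with the same 24-bit digest after a few thousand hashes rather than the 16 million a preimage would need, which is the whole reason digest length must be twice the security level you want; for passwords, the salt is stored in the clear next to the digest and does not need to be secret.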

186 Social Engineering Persuasion Coercion (rubber-hose cryptanalysis)
Bribery (purchase-key attack)

187 Other Common Attacks Meet-in-the-Middle Man-in-the-Middle
Meet-in-the-Middle – mathematical analysis that attacks a problem from both ends, working toward the center from both sides (it is what reduces Double DES to little better than single DES). Man-in-the-Middle – the attacker intercepts and modifies data before transmitting it to the intended recipient. Poor random number generation – predictable keys or IVs undermine an otherwise sound algorithm.

188 Domain Objectives Implementations Definitions History Uses
Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

189 Common Secure Email Protocols
Privacy Enhanced Mail (PEM) Uses DES in Cipher-Block-Chaining (CBC) mode for confidentiality Can also use Electronic Code Book (ECB) or 3DES for key management For message integrity it uses either MD2 or MD5 hash Not compatible with Multipurpose Internet Mail Extensions (MIME) so not often used Pretty Good Privacy (PGP) Uses symmetric and asymmetric key cryptography Can use RSA, D-H, and Elgamal for asymmetric key Secure Multipurpose Internet Mail Extensions (S/MIME) De facto standard for privacy

190 Internet Security Uses Remote Access VPNs E-commerce Tools IPSec

191 Cryptography Domain Summary
Definitions History Uses Cryptographic Methods Encryption Systems Algorithms Cryptanalysis and Attacks Implementations

192 Information Security Governance and Risk Management

193 Domain Objectives Business Drivers Governance
Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

194 Information Security Environment
Organizations must contend with complex laws, regulations, requirements, technology, competitors and partners while pursuing their business objectives. Management must take many things into account including moral, labor relations, productivity, cost, etc. Must develop an effective security program Overarching Organizational Policy Management’s Security Statement Regulations Competition Organizational Objectives Organizational Goals Laws Shareholders’ Interests

195 Information Security Triad
Security planning Budget Business requirements Security metrics

196 Domain Objectives Governance Roles and Responsibilities
Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

197 Roles and Responsibilities
Specific Delegate certain responsibilities for security to individuals Define acceptable and unacceptable behavior General Rules that let everyone know they are responsible for security Communicated at hiring Tell new hires the rules and consider annual review Verified capabilities and limitations Access to resources defined by job Third-party considerations Brief vendors, temps, contract staff on security requirements Good practices Keep it simple, relevant, understandable and communicate Reinforced via training Annual security training

198 Internal Roles Executive management set policy, allocate budget
Board level “C” level Information systems security professionals advise management Developers create secure code Custodians and Operations staff Custodians – care of data Ops – run the computers

199 Internal Roles Security staff Data and system owners Classify
Access permissions Users Task as assigned Legal, compliance, and privacy officer Inform/implement laws/regs Internal auditors Check on procedures Physical security Is IT or traditional security responsible

200 External Roles Vendors/suppliers Contractors/consultants
Service level agreements Temporary employees Customers

201 External Roles Business partners Outsourced relationships
Outsourced security External audit

202 Human Resources Employee development and training Employee management
Hiring and termination of employment

203 Hiring New Staff Background checks/security clearances
Verify references and education records

204 Signed Employment Agreements
Acceptable use Non-disclosure Non-compete Ethics

205 Personnel Good Practices
Job descriptions/defined roles and responsibilities Least privilege Need to know Separation of duties Job rotation Mandatory vacations

206 Security Awareness, Training, and Education
Delivery methods General knowledge Topics Job training Task based Professional education Understanding

207 Good Training Practices
Be relevant Scope properly Address the audience

208 Domain Objectives Governance Security Planning Business Drivers
Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

209 Documented Security Program
Focus on the mission of the organization. Organizations are different. Cost effective/risk based. Security posture scale: 1 (promiscuous), permissive, prudent, 10 (paranoid).

210 Documented Security Program
Strategic Long term planning Decide on job to do Tactical Medium term planning Manage jobs being done Operational Day to day operations Job being done

211 Security Program Management
Staffing Not just workers but look at management Evaluate numbers needed Reporting Make sure everyone knows who they are to report to. Understand chain of command/reporting

212 Security Blueprints Identify and design security requirements
Infrastructure security blueprints Holistic By Scott Berinato and Sarah Scalet: “Holistic security means making security part of everything and not making it its own thing. It means security isn’t added to the enterprise; it’s woven into the fabric of the application. Here’s an example. The non-holistic thinker sees a virus threat and immediately starts spending money on virus- blocking software. The holistic security guru will set a policy around usage; subscribe to news services that warn of new threats; re-evaluate the network architecture; host best practices seminars for users; and use virus blocking software and, probably, firewalls.”

213 ISO/IEC 27000 Series = ISMS Blueprints
27000:2009 – Overview and vocabulary 27001:2005 – Attainable certification 27002:2005/Cor 1:2007 – Code of practice 27003:2010 – ISMS implementation guidance 27004:2009 – Information security measurement 27005:2008 – Information security – risk management 27006:2007 – Certification vendor process 27799:2008 – Information security for health care organizations ISO = IT Risk Management

214 IT Security Requirements
Complete security solutions: define the security behavior of the control measure (what is the problem you are trying to solve?) and provide confidence that the security function is performing as expected (does it solve the problem?). Does your solution solve the problem (best), move the problem (good), or make it worse (bad)?

215 Single Point of Failure
Identify the processes Identify risks to the plan Who has too much control Be prepared

216 Domain Objectives Governance Security Administration Business Drivers
Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

217 Security Policy Management’s goals and objective IN WRITING
Documents compliance Creates security culture

218 Examples of Functional Policies
Data classification; Certification and accreditation; Access control; Outsourcing; Remote access; Internet acceptable use; Privacy; Acquisition; Change control; Employment agreements, ethics. IMPORTANT: a policy says what to do, NOT how to do it

219 Procedures
Step-by-step actions; required; be detailed. Examples: risk assessment, incident management, identity management, software installation. (Diagram on slides 219 to 222: Policy > Standard > Baseline > Procedures > Guideline)

220 Standards
Common hardware and software products. Examples: desktop, antivirus, firewall. Be decisive; a standard will say something like “We [verb]”: “We drug test”, “We use Norton AV software”

221 Baselines
Establish consistent implementation of mechanisms. Platform unique; know the minimum and understand what is normal. Examples: VPN setup, IDS configuration, password rules

222 Guidelines
Recommendations for implementation, procurement and planning: recommendations, best practices, ISO

223 Area IV Buddy System Policy

224 Domain Objectives Risk Management Business Drivers Governance
Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

225 Risk Management Overview
Identifying and reducing total risks Choosing mitigation strategies Setting residual risk at an acceptable level Integrating risk management processes into the organization (Total risk) – (countermeasures) = (residual risk)

226 Risk Management Purpose
The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission. Including, but not limited to its IT assets. Risk is a function of the likelihood of a given threat exercising a particular vulnerability and the resulting impact of that adverse event on the organization.

227 Risk Management Benefits
Focuses policy and resources Identifies areas with specific risk requirements Directs budget Supports Business continuity process Insurance and liability decisions Legitimizes security awareness programs

228 Risk Management Definitions
Asset – something that is of value to the organization. Threat-source/agent – any circumstance or event with the potential to cause harm to an IT system. Threat – any potential danger to information or an information system. Exposure – an opportunity for a threat to cause loss, or the amount of loss suffered as a result of an attack. Vulnerability – flaw or weakness in system security procedures, design, implementation, etc. Likelihood – probability that a given threat will exercise a particular vulnerability

229 Risk Management Definitions
Attack/Exploitation – action intending to cause harm. Controls – administrative, technical or physical measures and actions taken to protect a system. Countermeasures – controls applied after the fact; reactive in nature. Safeguards – controls applied before the fact; proactive in nature. Total Risk – includes the factors of threats, vulnerabilities, and current value of the asset. Residual Risk – amount of risk remaining after countermeasures and safeguards are applied

230 Risk Assessment Steps: SP 800-30
System characterization Threat identification Vulnerability identification Control analysis Likelihood determination Impact analysis Risk determination Control recommendations Results documentation

231 Risk Assessment – Asset Valuation
Tangible assets (can be bought/sold): hardware, software, facilities, documentation, customer lists, and intellectual property. Intangible assets: personnel, reputation/brand, and morale

232 Information Valuation Considerations
Exclusive possession Utility Cost to acquire or create Liability Convertibility Operational impact Timing

233 Information/Risk Valuation Methods
Modified Delphi Facilitated sessions Survey Interview Checklist

234 Quantitative Risk Analysis
Assign monetary values. Labor and time intensive; difficult to achieve. A 100% quantitative analysis is impossible: there are always QUALITATIVE issues. RISK = MONEY

235 Quantitative Analysis Steps - Overview
Estimate potential losses – single loss expectancy (SLE) Conduct a threat likelihood analysis Annualized rate of occurrence (ARO) Calculate annual loss expectancy (ALE)

236 Single Loss Expectancy (SLE)
Step One: Estimate Potential Losses Single Loss Expectancy (SLE) SLE = AV ($) x EF (%) AV (Asset Value) EF (Exposure Factor)

237 Annual Rate of Occurrence (ARO)
Step Two: Threat Likelihood Analysis Annual Rate of Occurrence (ARO) Number of exposures or incidents that can be expected in a given year Likelihood of an unwanted event occurring

238 Annual Loss Expectancy (ALE)
Step Three: Calculate ALE Annual Loss Expectancy (ALE) ALE = SLE * ARO Magnitude of risk = ALE Purpose: Justify security countermeasures
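The three steps above carried through in code, as an added example that is not part of the original slides: SLE, ARO and ALE for a constructed scenario, followed by the cost/benefit check a countermeasure has to pass (annual value of a safeguard = ALE before it minus ALE after it minus its annual cost). The asset value, exposure factors, ARO and control costs are made-up figures for illustration.

```python
"""Quantitative risk analysis worked through in code.

Added example (not from the original slides). The asset values, exposure
factors, ARO and control costs below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 - 1.0)
    aro: float              # ARO, expected incidents per year


def sle(s: Scenario) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annual Loss Expectancy: ALE = SLE x ARO (the magnitude of the risk)."""
    return sle(s) * s.aro


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Cost/benefit of a control:
    value = ALE(before) - ALE(after) - annual cost of the safeguard.
    Positive means the control pays for itself; negative means you would be
    spending more to protect the asset than the risk reduction is worth."""
    return ale(before) - ale(after) - annual_cost


# Constructed scenario: a file server worth $200,000. A ransomware incident is
# estimated to destroy 40% of its value and to happen once every two years.
before = Scenario("file server, no offline backups", 200_000, 0.40, 0.5)
# Offline backups cut the exposure factor to 10%; the ARO is unchanged because
# the attack still happens, it just costs less.
after = Scenario("file server, offline backups", 200_000, 0.10, 0.5)

if __name__ == "__main__":
    print(f"SLE before: ${sle(before):,.0f}")   # 80,000
    print(f"ALE before: ${ale(before):,.0f}")   # 40,000
    print(f"ALE after:  ${ale(after):,.0f}")    # 10,000
    for cost in (12_000, 35_000):
        v = safeguard_value(before, after, cost)
        verdict = "justified" if v > 0 else "not justified"
        print(f"backups at ${cost:,}/yr: value ${v:,.0f} -> {verdict}")
```

The same backup control is justified at $12,000 a year and not at $35,000 a year, which is the point of the cost/benefit principle: the ALE bounds what is sensible to spend.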

239 Qualitative Risk Analysis
Scenario oriented No $ values Rank seriousness of threats and sensitivity of assets Perform a carefully reasoned risk assessment

240 Hybrid Risk Analysis Quantitative Qualitative
FMEA (failure modes and effects analysis) Risk assessment originally concerned with manufacturing defects Focuses on the upstream and downstream impact of a failure Defines risk in immediate, near-term and long-term impact FTA (fault tree analysis) Analytical technique for system safety Used to consider all possible threats and then “trim” down to the most relevant risks

241 Risk Management Options
Acceptance = Absorb the effect of an incident Mitigation = Implement controls Transference = Insurance Avoidance = Stop it

242 Security Control Selection Principles
Cost/benefit analysis: don’t spend more to protect an asset than it is worth. Accountability: at least one person for every control; include accountability in performance reviews. Absence of design secrecy: ability to change out the controls at some time in the future without extraordinary cost to rework, interoperability with other controls, confidence in the design. Audit capability: controls must be testable; include auditors in design and implementation

243 Security Control Selection Principles
Vendor trustworthiness Independence of control and subject Universal application Compartmentalization Defense in depth Isolation, economy, and least common mechanism

244 Security Control Selection Principles
Acceptance and tolerance of personnel (pushback) Minimum human intervention Sustainability Reaction and recovery Override and fail-safe defaults Residuals and reset

245 Risk Evaluation and Assurance
Cyclical nature of risk – U.S. and EU regulatory bodies have mandated risk management as a business process. Frequency for re-evaluation is based upon the speed of change in each industry or organization Ongoing review Periodic review Liability – management has the responsibility of remaining informed about risk management activities and to make the final decisions. If they fail to do so, they are potentially in violation of regulatory or industry standards. This is one of the reasons why internal auditors should report directly to senior executives rather than through the normal chain of command.

246 Domain Objectives Ethics Business Drivers Governance
Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

247 Ethical Environments Ethics are difficult to define Do No Harm
Begins with senior management. Guidelines for establishment of ethics: corporate ethics to include ethical use of computers; in functional policies (privacy, acceptable use, etc.); active monitoring of network activities combined with responsible investigation of incidents and enforcement; handbooks and guides; training; reviews

248 Ethical Responsibility
Global responsibility National Organizational Personal

249 Ethical Responsibility of all CISSPs
“Set the Example”. Encourage adoption of ethical guidelines and standards. Inform users about ethical responsibilities through security awareness training

250 Basis and Origin of Ethics
Religion Law National interest Individual rights Common good/interest Enlightened self-interest Professional ethics/practices Standards of good practice Tradition/culture

251 Formal Ethical Theories
Teleology (Star Trek – needs of the many) Ethics in terms of goals, purposes, or ends Deontology (duty of most powerful to protect least powerful) Ethical behavior is a duty Informed consent – notified and agree

252 Relevant Professional Codes of Ethics
(ISC)² RFC 1087 Internet Architecture Board

253 (ISC)² Code of Ethics Preamble
“Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.” “Therefore, strict adherence to this code is a condition of certification.”

254 (ISC)² Code of Ethics Canons
“Protect society, the commonwealth, and the infrastructure.” “Act honorably, honestly, justly, responsibly, and legally.” “Provide diligent and competent service to principals.” “Advance and protect the profession.” In that order

255 Internet Architecture Board (IAB)
Any activity is unethical and unacceptable that purposely: seeks to gain unauthorized access to Internet resources; disrupts the intended use of the Internet; wastes resources (people, capacity, computer) through such actions; destroys the integrity of computer-based information; compromises the privacy of users; involves negligence in the conduct of Internet-wide experiments

256 RFC 1087 Access and use of the Internet is a PRIVILEGE and should be treated as such by all users RFC 1087 refers to “Negligence in the conduct of Internet- wide experiments” as “irresponsible and unacceptable,” but does not specifically label such conduct “unethical”. Internet Engineering Task Force (IETF)

257 Information Security Governance and Risk Management
Domain Summary Business Drivers Governance Roles and Responsibilities Security Planning Security Administration Risk Management Ethics

258 Legal, Regulations, Investigations, and Compliance

259 Domain Objectives Computer Crime and International Legal Issues
Liability and Privacy Issues Incident Management Forensic Investigation Compliance

260 International Legal Systems
Common law Criminal law Civil law Administrative law Religious law Customary law Mixed law Maritime law

261 Jurisdiction Law, economics, beliefs and politics
Law enforcement agencies will work together, even cross borders. But sometimes countries don’t agree. Sovereignty of nations Laws aren’t always the same country to country. Nations are making an effort to harmonize their laws in order to promote uniform enforcement and cooperation where possible.

262 Computer Crimes vs. Traditional Crimes
Violent Property Public order Real property Virtual property

263 Computer Crime Crime against a computer Crimes using a computer
Electronic equipment as source of evidence

264 Reasons for Criminal Behavior
Ego Financial gain Revenge

265 Advanced Persistent Threat (APT)
Source – group with capabilities and intent to persistently and effectively target a specific entity Attack vector – infected media, supply chain compromise, social engineering, etc. Advanced – have full spectrum of intelligence gathering techniques at their disposal Persistent – priority to a specific task. Implies that they are guided by external entities. Threat – capability and intent. Coordinated human action instead of automation, specific objective. Skilled, motivated, organized and well funded Implies a country instead of individual. Cyberwarfare?

266 International Cooperation
Initiatives related to international cooperation in dealing with computer crime The Council of Europe (CoE) Cybercrime Convention Example of multilateral attempt to draft an international response to criminal behaviors targeted at technology and the Internet.

267 Intellectual Property Protection
Organizations must protect intellectual property Theft Loss Corporate espionage Improper duplication Intellectual property must have value Organization must demonstrate actions to protect IP

268 Intellectual Property: Trademark
Purpose of a trademark Characteristics of a trademark Word Name Symbol Color Sound Product shape

269 Intellectual Property: Copyright
Covers the expression of ideas Writings Recordings Computer programs Etc. Weaker than patent protection

270 Intellectual Property: Trade Secrets
Must be confidential Protection of trade secret

271 Intellectual Property: Software Licensing
Categories of software licensing: Freeware Shareware Commercial Academic Master agreements and end user licensing agreements (EULAs)

272 Encryption Import and Export Law
Strong encryption restrictions: previously anything over 40 bits was considered strong encryption. U.S. companies can now export any encryption software to individuals, commercial firms or other non-government end users in any country, except embargoed states (at the time of the slide: Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria). Many countries require the importer of equipment containing strong cryptography to provide the government or law enforcement with a copy of their private keys. Controls on dual-use goods: cryptography has long been considered a munition or weapon of war; because it can be used for commercial or military purposes it is considered dual-use and controlled like a military weapon. Wassenaar Arrangement: 39 countries are parties to the agreement, which specifies all controlled dual-use goods, including encryption products and products that use encryption

273 Domain Objectives Liability and Privacy Issues
Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance

274 Liability Legal responsibility
Know responsibilities to employees, customers, etc. Penalties Can range from compensation to criminal penalties for violation of law Negligence and liability Important factor in determining liability Determined by courts or other quasi-legal body

275 Protection of Assets Legal obligation Prudent person rule
Must demonstrate practice of due care

276 Negligence
Negligence = acting without care: the gap between what a regulation or best practice requires and what is actually done. Due care = policy (the organization states what it will do). Due diligence = action (the organization carries the policy out)

277 Privacy Laws and Regulations
Rights and Obligations of: Individuals Identity theft Organizations Collection, sharing, storage, processing of personal info Actual laws depend on jurisdiction

278 International Privacy
Organization for Economic Co-operation and Development: group of 30 member countries. Eight core principles:
1. Limits to the collection of personal data; data should be obtained legally
2. Personal data should be relevant to its use
3. The purpose for gathering personal data should be specified no later than the time the data is collected
4. Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified
5. Personal data should be protected by reasonable security
6. General policy of openness about developments, practices and policies with respect to personal data
7. Individuals should have the right to find out whether a data controller has data about them, to communicate with the data controller about data relating to them, and to challenge the data and, if successful, have it erased, rectified, completed or amended
8. The data controller should be accountable for complying with these measures

279 Personally Identifiable Information (PII)
Identify or locate an individual Controls on collection and use Many countries have laws governing this Global effect Laws are different in each country. What laws govern?

280 Employee Privacy Employee monitoring Training
Authorized usage policies Training

281 Transborder Data Flow Political boundaries Privacy Investigations

282 Privacy Law Examples Health Insurance Portability and Accountability Act (HIPAA) Personal Information Protection and Electronic Documents Act (PIPEDA) European Union Data Protection Directive

283 Domain Objectives Incident Management
Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance

284 Incident Management
Incident: an event that causes harm. Lifecycle (diagram): Prepare, Protect the infrastructure, Detect, Respond, Sustain and Improve

285 Incident Response: Overview
Response capability Policy and guidelines Response Incident response phases Triage Containment Investigation Analysis and treatment Recovery Debriefing Metrics Public disclosure

286 Incident Response: Objectives
Incident response in its simplest form is the practice of: Detecting a problem Determining its cause Minimizing the damage it causes Resolving the problem Documenting each step of the response for future reference Effectively and appropriately communicating issues

287 Response Capability The foundation for incident response (IR) is comprised of: policy, authority, approved procedures, and management of evidence

288 Incident Response – External Parties
Escalation process Employees should be trained and have approved procedures that include when an incident or crime must be reported to higher management, outside agencies or law enforcement Interaction with third-party entities Complex issues involving: Jurisdiction (who has control) Status of crime (already committed, in progress, or planned) Nature of the evidence (circumstantial, conclusive) Nature of the crime (in many jurisdictions, some crimes MUST be reported)

289 Incident Response and Handling Phases
Triage Investigation Containment Analysis and tracking

290 Triage Detection Classification Notification
False positives Classification Internal versus external One system or many What is the root cause versus the symptoms Notification Priorities and escalation Senior management or other departments Business partners Law enforcement Note: Prioritization is one of the most important aspects

291 Investigation Phase Objectives
Desired outcomes of this phase are: Reduce the impact Identify the cause Get back up and running in the shortest possible time Prevent the incident from re-occurring

292 Investigation Considerations
The investigative phase must consider: Adherence to company policy Confidentiality Applicable laws and regulations Proper evidence management and handling

293 Investigation Process
Identify suspects Identify witnesses Identify system Identify team Search warrants

294 Investigation Techniques
Ownership and possession analysis Means, opportunity, and motive (MOM)

295 Behavior of Computer Criminals
Computer criminals have specific MOs Hacking software/tools Types of systems or networks attacked, etc. Signature behaviors Profiling

296 Interviewing vs. Interrogation
Interviewing: open-ended questioning; general gathering; cooperation; seek truth. Interrogation: closed-ended questioning; specific aim; hostile; dangerous. Should only be done by TRAINED professionals

297 Investigation Phase Components
Components of this phase: Analysis Interpretation Reaction recovery

298 Containment Reduce the potential impact of the incident
Systems, devices, or networks that can become “infected” The containment strategy depends on: Category of the attack Asset(s) affected Criticality of the data or system

299 Analysis and Tracking Goals
Obtain sufficient information to stop the current incident Prevent future “like” incidents from occurring Identify what or who is responsible

300 Analysis and Tracking Logs
Dynamic nature of the logs Feeds into the tracking process Working relationship with other entities

301 Reporting and Documentation
Law Court proceedings Policy Regulations

302 Recovery Phase
Goal: to get back up and running, whether that means the whole business (worst case) or only the affected systems (best case). Protect evidence

303 Recovery and Repair Recovery into production of affected systems
Ensure system can withstand another attack Test for vulnerabilities and weaknesses

304 Closure of the Incident and Feedback
Incident response is an iterative process Improve processes and controls Closure of the incident Feedback from all participants

305 Communication about the Incident
Public disclosure Authorized personnel only

306 Domain Objectives Forensic Investigation
Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance

307 Computer Forensics: Evidence
Potential evidence Digital Forensic Science Research Workshop (DFRWS) defines digital forensic science as – “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized action shown to be disruptive to planned operations.” Evidence and legal systems Computer forensics is generally applied according to the standards of evidence admissible in a court of law

308 Computer Forensics: Evidence
Identification of evidence Collecting of evidence Use appropriate collection techniques Reduce contamination Protect the scene Maintain the chain of custody and authentication

309 Collection of Digital Evidence
Volatile and fragile Short lifespan Collect quickly By order of volatility Document, document, document

310 Chain of Custody for Evidence
Who What When Where How

311 Forensic Evidence Procedure
Receive media Disk write blocker Bit for bit image Cryptographic checksum Store the source drive
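The procedure above in code, as an added example that is not part of the original slides: image the media bit for bit behind a write blocker, checksum the source and the image independently, verify that they match, and write the who/what/when/where/how chain-of-custody entry. The evidence media is a constructed byte string, `WriteBlockedMedia` stands in for a hardware write blocker (serves reads, refuses writes), and the examiner, item and location strings are assumed.

```python
"""Forensic acquisition in miniature: bit-for-bit image of write-blocked media,
cryptographic checksum of source and image, and a chain-of-custody record.

Added example, not from the original slides. The evidence media is a constructed
byte string and WriteBlockedMedia is a software stand-in for a hardware write
blocker; examiner, item and location names are assumed for illustration.
"""
import hashlib
import io
from datetime import datetime, timezone
from typing import Dict, Tuple

CHUNK = 4096  # read size per iteration; a real imager works in sector multiples


class WriteBlockedMedia:
    """Read-only access to the evidence. Any write raises, as a write blocker
    would refuse it: the original must leave the process unchanged."""

    def __init__(self, media: bytes) -> None:
        self._buf = io.BytesIO(media)

    def seek(self, pos: int) -> int:
        return self._buf.seek(pos)

    def read(self, n: int = -1) -> bytes:
        return self._buf.read(n)

    def write(self, data: bytes) -> int:
        raise PermissionError("write blocked: evidence media is read-only")


def sha256_of_stream(stream, chunk: int = CHUNK) -> str:
    """Hash a seekable stream from the start in fixed-size chunks."""
    h = hashlib.sha256()
    stream.seek(0)
    while True:
        block = stream.read(chunk)
        if not block:
            break
        h.update(block)
    return h.hexdigest()


def image_media(src: WriteBlockedMedia) -> Tuple[bytes, Dict[str, str]]:
    """Copy every byte of src into an image and hash both sides independently.
    The image hash comes from re-reading what was written, not from reusing
    the source digest, so a copy error shows up as a mismatch."""
    image = io.BytesIO()
    src.seek(0)
    while True:
        block = src.read(CHUNK)
        if not block:
            break
        image.write(block)
    hashes = {
        "source_sha256": sha256_of_stream(src),
        "image_sha256": sha256_of_stream(image),
    }
    return image.getvalue(), hashes


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash an image before analysis or handover; a single changed byte
    breaks the match and with it the integrity claim for the evidence."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def acquire(media: bytes, who: str, what: str, where: str) -> Tuple[bytes, Dict[str, str]]:
    """Image the media and produce the who/what/when/where/how custody entry."""
    src = WriteBlockedMedia(media)
    image, hashes = image_media(src)
    entry = {
        "who": who,
        "what": what,
        "when": datetime.now(timezone.utc).isoformat(),
        "where": where,
        "how": "bit-for-bit image via write blocker, SHA-256 verified",
        "verified": str(hashes["source_sha256"] == hashes["image_sha256"]),
        **hashes,
    }
    return image, entry


if __name__ == "__main__":
    evidence = bytes(range(256)) * 40 + b"end-of-disk"  # constructed media
    img, custody = acquire(evidence, "J. Examiner", "laptop SSD, item 0007", "evidence room B")
    print(custody["verified"], custody["image_sha256"][:16])
    try:
        WriteBlockedMedia(evidence).write(b"oops")
    except PermissionError as exc:
        print("blocked:", exc)
```

The source drive is then stored and all further work happens on copies of the image; the recorded hash is what ties every later copy back to the original.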

312 Evidence: Hearsay Hearsay Business records exception
Second-hand evidence Normally not admissible Business records exception Computer-generated information Process of creation description Can you cross examine it?

313 Evidence Analysis and Reporting
Scientific methods for analysis Characteristics of the evidence Comparison of evidence Event reconstruction Presentation of findings Interpretation and analysis Format appropriate for the intended audience

314 Computer Forensics Key components Crime scenes Digital evidence
Computer forensics is not a piece of software or hardware. It is a set of procedures and protocols. Methodical, Repeatable, Defensible, Auditable Crime scenes Digital evidence Non-criminal cases Divorce, breach of contract, dissolution of corporation or partnership, embezzlement, personal injury, etc.

315 Forensic Evidence Analysis Procedure
Recent activity Keyword search Slack space Documented

316 Media Analysis Recognizing operating system artifacts File system
Types of files created as the system runs Where they should be What their contents are likely to be File system Timeline analysis Modified Accessed Created Searching data
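Timeline analysis from the file system metadata described above, as an added example that is not part of the original slides: each file's modified, accessed and created/changed timestamps are merged into one ordered event list flagged M/A/C, and a window query answers the "recent activity" question. The file records are constructed (paths and epoch timestamps are made up); on a real image the same fields come from the body file produced by the forensic tool in use.

```python
"""Timeline analysis from file-system metadata: merge each file's modified,
accessed and changed timestamps into one ordered list of events.

Added example, not from the original slides. The records below are constructed
(paths and epoch timestamps are made up for illustration).
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

Event = Tuple[str, str, str]  # (UTC time, MAC flags, path)

# Constructed records for a web server: a suspicious script appears in the
# upload directory shortly before an access burst and a log write.
RECORDS: List[Dict[str, object]] = [
    {"path": "/var/www/html/index.php",
     "mtime": 1_700_000_000, "atime": 1_700_003_600, "ctime": 1_700_000_000},
    {"path": "/var/www/html/uploads/cmd.php",
     "mtime": 1_700_003_500, "atime": 1_700_003_600, "ctime": 1_700_003_500},
    {"path": "/var/log/auth.log",
     "mtime": 1_700_003_700, "atime": 1_700_003_700, "ctime": 1_700_003_700},
]


def build_timeline(records: List[Dict[str, object]]) -> List[Event]:
    """One row per (timestamp, path). Flags are M (modified), A (accessed),
    C (metadata changed / created) in that order, '.' where not applicable,
    so 'M.C' means content and metadata changed together and nothing read."""
    hits: Dict[Tuple[int, str], List[bool]] = defaultdict(lambda: [False, False, False])
    for rec in records:
        for idx, key in enumerate(("mtime", "atime", "ctime")):
            hits[(int(rec[key]), str(rec["path"]))][idx] = True
    timeline: List[Event] = []
    for (ts, path), (m, a, c) in sorted(hits.items()):
        flags = ("M" if m else ".") + ("A" if a else ".") + ("C" if c else ".")
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        timeline.append((when, flags, path))
    return timeline


def paths_active_between(timeline: List[Event], start: str, end: str) -> List[str]:
    """Recent-activity query: which files have any event inside the window.
    'YYYY-MM-DD HH:MM:SS' strings compare correctly as plain text."""
    return sorted({path for when, _, path in timeline if start <= when <= end})


if __name__ == "__main__":
    for row in build_timeline(RECORDS):
        print(*row)
```

Reading the output top to bottom is the reconstruction step: the new file in the upload directory is written, both scripts are then read at the same second, and the authentication log changes shortly after.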

317 Software Analysis What it does What files it creates
More malware analysis

318 Network Analysis Data on the wire Ports Traffic hiding

319 Domain Objectives Compliance
Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance

320 Compliance Knowing legislation Following legislation

321 Regulatory Environment Examples
Sarbanes-Oxley (SOX) Meant to enhance corporate governance through measures that will strengthen internal checks and balances and, ultimately, strengthen corporate accountability. Gramm-Leach-Bliley (GLB) Protects the privacy of consumer information held by financial institutions Basel II Regulatory harmony in the international banking community

322 Compliance Roles and Responsibilities
Information owner Local manager Auditor Individual

323 Audit Report Format Introduction Executive summary
Background Audit perspective Scope & objectives What was done Executive summary Internal audit opinion Detailed report including auditee responses Appendix Exhibits

324 Legal, Regulations, Investigations, and Compliance Domain Summary
Computer Crime and International Legal Issues Liability and Privacy Issues Incident Management Forensic Investigation Compliance

325 Operations Security

326 Domain Objectives Operator and Administrator Security
Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

327 Control Over Privileged Entities
Review of access rights Supervision Monitoring/audit

328 Operator Privileges Initial program load (IPL)
Monitor system execution Control job flow Mount I/O volumes Bypass label processing (BLP) Renaming/relabeling resources Reassigning ports/lines Some studies indicate that 70% of all security breaches come from insider abuse of privilege

329 Administrators Systems administrators Network administrators
Database administrators

330 Administrator Privileges Summary
Control network operations Server startup and shutdown Reset system configurations Backups System maintenance Customer service Network administrator duties

331 Backup Types File image System image Data mirroring
Electronic vaulting Remote journaling Database shadowing Redundant servers Standby services

332 Software and Data Backup
Operations controls must ensure adequate backups of: Data Operating Systems Applications Transactions Configurations Reports

333 Backup Integrity Backup storage locations Backups must be tested
Alternate site recovery plan Site specific software

334 RAID – Redundant Array of Independent Disks
Hardware based or software based. Hot spare: Global hot spare (available to all disks/arrays on the controller); Dedicated hot spare (reserved for an individual array)

335 RAID Level 0 Striping Two or more disks No redundancy Performance only

336 RAID Level 1 Exact copy (mirror) Two or more disks Fault tolerant
200% cost

337 RAID Level 2 Striping of data with error correcting codes (ECC)
Requires more disks than RAID 3/4/5 Not used

338 RAID Level 3/4
Byte-level (RAID 3) or block-level (RAID 4) stripes; one drive is dedicated to parity, all other drives hold data.
  Disk A      Disk B      Parity
  Stripe 1A   Stripe 1B   P(1A, 1B)
  Stripe 2A   Stripe 2B   P(2A, 2B)
  Stripe 3A   Stripe 3B   P(3A, 3B)
  Stripe 4A   Stripe 4B   P(4A, 4B)

339 RAID Level 5
Block-level stripes; data and parity are interleaved amongst all drives (the parity block rotates from stripe to stripe). The most popular RAID implementation.
  Disk A      Disk B      Disk C
  Stripe 1A   Stripe 1B   P(1A, 1B)
  P(2B, 2C)   Stripe 2B   Stripe 2C
  Stripe 3A   P(3A, 3C)   Stripe 3C
  Stripe 4A   Stripe 4B   P(4A, 4B)
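The parity arithmetic behind the RAID 5 layout above, as an added example that is not part of the original slides: data is striped over the disks with the parity block rotating per stripe, and a failed disk is rebuilt by XORing the corresponding blocks of the survivors. Three disks, 4-byte stripe units and the data written are all constructed for illustration; real arrays use stripe units of tens of KiB and more disks, but the XOR is the same.

```python
"""RAID 5 in miniature: block-level striping with rotating XOR parity, and
rebuilding a failed disk from the survivors.

Added example, not from the original slides. Disk count, stripe unit size and
the data written are constructed for illustration.
"""
from typing import List, Optional

BLOCK = 4  # bytes per stripe unit (constructed; real arrays use e.g. 64 KiB)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together. With P = D1 ^ D2 ^ ... any single
    missing block equals the XOR of all the others, which is the whole trick."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe: int, ndisks: int) -> int:
    """Parity rotates one disk to the left on every stripe, so no single disk
    becomes the parity bottleneck that RAID 3/4 have."""
    return (ndisks - 1 - stripe) % ndisks


def stripe_raid5(data: bytes, ndisks: int) -> List[List[bytes]]:
    """Lay data out across ndisks; returns disks[d][stripe] -> block."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    ndata = ndisks - 1
    unit = ndata * BLOCK
    data = data + b"\x00" * (-len(data) % unit)  # zero-pad the last stripe
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(data) // unit):
        chunk = data[s * unit:(s + 1) * unit]
        blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(ndata)]
        pd = parity_disk_for(s, ndisks)
        remaining = iter(blocks)
        for d in range(ndisks):
            disks[d].append(xor_blocks(blocks) if d == pd else next(remaining))
    return disks


def read_raid5(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the first `length` bytes from a healthy array."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        pd = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != pd:
                out += disks[d][s]
    return bytes(out[:length])


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Recreate the failed disk (data and parity blocks alike) by XORing the
    corresponding block of every surviving disk. A second failure before the
    rebuild completes is unrecoverable; that is the case RAID 6 adds for."""
    survivors = [d for i, d in enumerate(disks) if i != failed and d is not None]
    if len(survivors) != len(disks) - 1:
        raise ValueError("RAID 5 tolerates exactly one failed disk")
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"  # constructed
    array = stripe_raid5(payload, 3)
    assert read_raid5(array, len(payload)) == payload
    degraded = [array[0], None, array[2]]  # disk B fails
    print("rebuilt disk B matches:", rebuild_disk(degraded, 1) == array[1])
```

The XOR of all blocks in any stripe is zero, which is also how a consistency check (a "scrub") detects silent corruption in a healthy array.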

340 RAID Level 6 Block-level stripes All drives used for data AND parity
Two independent parity blocks per stripe (dual parity), so two drives can fail at once. Higher cost. More fault tolerant than RAID levels 2 - 5

341 RAID Level 0+1 Mirroring and striping: the data is striped first, then the whole stripe set is mirrored (a mirror of stripes). Higher cost, higher speed

342 RAID Level 10 Mirroring and striping: disks are mirrored in pairs first, then the mirrored pairs are striped (a stripe of mirrors). Higher cost, higher speed

343 Configuration Management Elements
Hardware inventory Hardware configuration chart Software licensing management Firmware Documentation requirements Testing

344 Hardware Inventory Up-to-date listing of all equipment Location Owner
Serial and model numbers

345 Change Control Management
Policy Business and technology balance Defines a process for authorized change Process of changes Ownership of changes Changes are reviewed for impact on security

346 Patch Management Knowledge of patches Testing Deployment
Knowledge of patches: know when patches for all software you own are released by the vendor. Testing: test all patches, and new software, in a test environment before going live. Deployment: can be challenging; should be automated to ensure no machine is missed. Zero-day challenges: a zero-day vulnerability is one being exploited before the vendor has a patch, so there is nothing to deploy yet; and even once a patch is out, systems remain vulnerable in the window between its release and its application

347 Software Issues Pirating software Version control

348 Job Documentation
Scheduling, dependencies, error codes, inputs and outputs, backout procedures. Every job should be documented; important for continuity and possible staff changes. Must include when a job has to be done, what error codes to expect and what to do about them, and what inputs/outputs the job depends on. Backout: how to recover if the job fails, and how to clean out corrupted files and purge residual data elements

349 Security Administrator Roles
Policy Development Implementation Maintenance and compliance Vulnerability assessments Incident response

350 Security Administrator Responsibilities
User-oriented activity management Information classification implementation Audit log monitoring and review Security tool oversight and management

351 Domain Objectives Operator and Administrator Security
Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

352 Misuse Prevention: Threats and Countermeasures
Personal use: acceptable use policy, workstation controls, web content filtering and other filtering. Theft of media: appropriate media controls. Fraud: balancing of input/output reports, separation of duties, and verification of information. Sniffers: encryption and policy

353 Domain Objectives Operator and Administrator Security System Recovery
Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

354 System Recovery – Trusted Recovery
Correct implementation according to Policy Failures don’t compromise a system’s secure operation Trusted path

355 Types of Trusted Recovery
System Reboot – shutting down computer in a normal fashion after a failure Emergency System Restart – done when a system fails in an uncontrolled manner. Media may be in an inconsistent state. System enters maintenance mode, automatically performs recovery, and system restarts with no user processes in progress. System Cold Start – system fails and cannot restart without human intervention

356 Control Failure Modes
Fail secure (fail closed): when the control fails, access is denied. Fail open: when the control fails, access is allowed. Fail soft (grouped with fail open on the slide): the system keeps running in a degraded mode, shedding non-critical functions rather than stopping. Fail safe: fails in a way that will cause no or minimal harm to people (for example a door that unlocks on power loss so nobody is trapped)
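The fail-open versus fail-secure distinction above, written out as an added example that is not part of the original slides: the same authorization check implemented both ways against a policy backend that can become unreachable. `PolicyStore` is a constructed in-memory stand-in for an authorization service, and the user, resource and grant names are made up.

```python
"""Control failure modes in code: the same authorization check written
fail-open and fail-secure (fail-closed).

Added example, not from the original slides. PolicyStore is a constructed
stand-in for an authorization service that can be switched off to simulate an
outage; user, resource and grant names are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


class BackendUnavailable(Exception):
    """The authorization service could not be reached."""


@dataclass
class PolicyStore:
    grants: Dict[str, Set[str]] = field(default_factory=dict)
    available: bool = True

    def is_permitted(self, user: str, resource: str) -> bool:
        if not self.available:
            raise BackendUnavailable("policy store unreachable")
        # Unknown users and unknown resources are simply absent from the map:
        # that is default deny at the data level.
        return resource in self.grants.get(user, set())


AUDIT_LOG: List[str] = []


def access_fail_open(store: PolicyStore, user: str, resource: str) -> bool:
    """Fail open: an error in the control is treated as a yes. Availability is
    preserved, but anyone who can knock the backend over is granted access."""
    try:
        return store.is_permitted(user, resource)
    except BackendUnavailable:
        return True


def access_fail_closed(store: PolicyStore, user: str, resource: str) -> bool:
    """Fail secure / fail closed: default deny. When the control cannot decide
    it denies, and records why, so the outage is visible and gets fixed instead
    of quietly turning into an open door."""
    try:
        return store.is_permitted(user, resource)
    except BackendUnavailable as exc:
        AUDIT_LOG.append(f"DENY {user} -> {resource}: {exc}")
        return False


if __name__ == "__main__":
    store = PolicyStore({"alice": {"payroll"}})
    print("normal:", access_fail_closed(store, "alice", "payroll"),
          access_fail_closed(store, "mallory", "payroll"))
    store.available = False  # simulate the outage
    print("fail-open lets mallory in:", access_fail_open(store, "mallory", "payroll"))
    print("fail-closed keeps her out:", access_fail_closed(store, "mallory", "payroll"))
```

Which mode is right is a per-control decision: for an authorization check, confidentiality wins and the control fails closed; for a physical door, life safety wins and the lock fails safe (open), with a guard or alarm covering the gap.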

357 Fault Tolerance Hardware failure is planned for
System recognizes a failure Automatic corrective action Standby systems Cold – configured, not on, lost connections Warm – on, some lost data or transactions (TRX) Hot – ready, failover

358 Domain Objectives Resource Protection
Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

359 Facility Support Systems
Fire protection HVAC Electrical power goals UPS Water Communications Alarm system

360 Domain Objectives Resource Protection Media Management
Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

361 Media Management Practices
Sensitive Media Controls Marking Labeling Handling Storing Declassifying

362 Media Management Tapes Storage Encryption Retrieval Disposal

363 Object Reuse Securely reassigned Disclosure Contamination

364 Clearing of Magnetic Media
Overwriting Degaussing Data remanence Physical destruction

365 Records Management Considerations for records management program development Business need Guidelines for developing a records management program Records retention Declassification Legal requirements Privacy Absent law or regulation to the contrary, a business can set any retention policy it wishes

366 Protection of Operational Files
Library maintenance – protect production programs and applications as well as data Backups Source code Object code Configuration files Librarian - sole person with write access to the main system files, backups and application libraries. Should never be filled by a developer or person initiating the change request

367 Domain Objectives Resource Protection Personnel Privacy and Safety
Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

368 Personnel Privacy and Safety – Mobile Computing
Components Devices Limitations (e.g. privacy, safety, etc.) Mobile device management

369 Personnel Privacy and Safety – Social Networks
Connection services Social dynamics Storage of data Potential dangers

370 Operations Security Domain Summary
Operator and Administrator Security Monitoring of Special Privileges Misuse of Resources System Recovery Resource Protection Environmental Issues and Controls Media Management Personnel Privacy and Safety

371 Physical (Environmental) Security

372 Domain Objectives Physical Security Threats and Controls
Perimeter Security Building and Inside Security Secure Operational Areas

373 Goals of Physical Security
Deter would-be intruders Delay long enough to detect and respond before damage occurs Detect in a timely manner Assess method of attack Respond appropriately without overreacting Recover to normal operating status

374 The Primary Goal Remember that life, health, and safety are always the first priorities in physical security!

375 Threats to Physical Security
Natural/environmental History of natural disasters in the area Utilities Communications outages, power outages, etc. Circumstantial Fire or break-in at a neighboring building, strike at a critical point in supply chain, etc. Human-made/political events Explosions, vandalism, theft, terrorist attacks, strikes, activism, riots, etc.

376 Threat Sources External activists Staff
Intelligence agents/foreign governments Petty criminals

377 Threat Sources and Controls
Theft Espionage Dumpster diving Social engineering Shoulder surfing HVAC access Locks Background checks Disposal procedures Awareness Screen filters Motion sensors in ventilation ducts

378 Facility Vulnerabilities
Location Layout and design Age and condition

379 Location Security Considerations
Emergency services Fire Security Visibility Controlled access public transit

380 Countermeasures and Controls
Environmental controls may be: Physical Administrative/managerial Technical Layered defense/defense in depth

381 Crime Prevention Through Environmental Design (CPTED)
Principle of deterring crime through managing the potential crime scene Territoriality Restricted access Surveillance Monitoring Access control Entrances Maintenance

382 Domain Objectives Perimeter Security
Physical Security Threats and Controls Perimeter Security Building and Inside Security Secure Operational Areas

383 Perimeter and Building Boundary Protection
First line of defense Protective barriers Natural structural

384 Fences May be restricted by local regulations Inspections
Parking should not be allowed near fences 1 meter/3-4 feet – will deter casual trespassers 2 meters/6-7 feet – too high to climb easily 2.5 meters/8 feet – will delay the determined intruder Top guard will add 2-3 feet. Can be defeated by blanket, mattress, towel, etc.

385 Controlled Access Points
Gates are the minimum necessary layer Bollards Permanent or retractable post used to deter vehicle-based attacks

386 Perimeter Intrusion Detection Systems
Detect unauthorized access into an area Electronic “eyes” Note that some perimeter IDS can function inside the perimeter as well Physical IDS Photoelectric Ultrasonic Microwave Passive IR Pressure sensitive Sounds/vibration Electrical circuits Motion sensors

387 Closed Circuit Television (CCTV)
CCTV capability requirements Detection Recognition Identification Mixing capabilities Adding IR/thermal Virtual CCTV systems Fake systems

388 CCTV Concerns Total surveillance requirements
Operating parameters (correct lens, angle?) Size depth, height, and width Pan, tilt, and zoom Lighting Contrast

389 CCTV Protection and Image Retention
Storage of images Maintenance Privacy

390 Guards and Guard Stations
Deterrent Possible liability Contractors Guard stations

391 Domain Objectives Building and Inside Security
Physical Security Threats and Controls Perimeter Security Building and Inside Security Secure Operational Areas

392 Building Entry Points Doors Windows Loading ramps Elevator shafts
Ventilation ducts Crawlspaces Sewage or steam lines

393 Doors Isolation of critical areas Lighting of doorways Contact devices
Guidelines Solid core Hinges fixed to frame with minimum of 3 hinges per door Lighting Should not open out except as required by building codes Locks should be daytime (push button) and 24 hour (deadbolt) Door frame should be permanently fixed to the adjoining wall studs Have same fire-resistance rating as adjacent walls Etc.

394 Access and Visitor Logs
Identification/sign in and out Temporary badges Vehicles Escort

395 Turnstiles and Mantraps

396 Types of Locks Something you have – keyed
Something you know – combinations Something you are – biometric

397 Keyed Locks Lock components Body Strike Strike plate Key Cylinder

398 Lock Controls Lock and key control system Key control procedures
Who has access to keys Keys issued Key inventory Default settings changed Change combinations Fail Soft (unlocked) Secure (locked) Safe (allow exit but not entry)

399 Electronic Physical Controls
Card access Biometric access methods

400 Windows and Glass Standard plate glass Tempered glass
5 – 7 times more break resistant than plate and breaks into small, less dangerous fragments Acrylic materials Stronger than plate Burn and produce toxic fumes, scratch easily and yellow over time Polycarbonate windows Resistant to abrasion, chemicals, fires and are even anti-ballistic Very expensive

401 Glass and Window Protection
Laminate Solar film Bomb blast film/curtains Wired glass Intrusion detection/glass breakage sensors

402 Internal Intrusion Detection Systems
Closed circuit television Sensors and monitors

403 Types of Lighting Continuous lighting Trip lighting
Standby/backup lighting Emergency exit/egress lighting Infrared/night vision

404 Domain Objectives Secure Operational Areas
Physical Security Threats and Controls Perimeter Security Building and Inside Security Secure Operational Areas

405 Equipment Room Perimeter enclosure Controls Policy
Emergency power off (EPO) switch

406 Data Processing Facility
Small devices threat Digital camera Cell phone cameras USB drive Etc. Server room Most important requirements are space, power, air conditioning, access control and security monitoring Mainframes Storage

407 Communications Wireless access points Network access control Cabling

408 Access to Utility Rooms
Power rooms Breaker panels Water Ventilation Gas

409 Work Area Keeping a work area safe is important for everyone Operators
Only allow access as needed/monitor System administrators Restricted work areas Only a select few people need access

410 Equipment Protection Inventory Locks and tracing equipment
Data encryption Disabling I/O ports

411 Environmental Controls
System Threat Electric power HVAC Water/plumbing Gas Refrigeration Loss of power Overheating Flood/dripping Explosion Leakage

412 Fire Protection Prevention – reduce causes Detection – alert occupants
Suppression – contain or extinguish Wet-pipe sprinkler Most reliable Simple Water under pressure, when sprinkler head breaks water comes out Dry-pipe sprinkler Water is held back by valve and is released when sensor activates Pipes then fill with water and sprinkler engages

413 Materials and Suppression Agents
Class – Type – Suppression Agents
A – Common combustibles – Water, foam, dry chemicals
B – Combustible liquids – Inert gas, CO2, foam, dry chemicals
C – Electrical – Inert gas, CO2, dry chemicals
D – Combustible metals – Dry powders
K – Cooking media (fats) – Wet chemicals
Suggested way to remember each: Ash, Boil, Current, Drive, Kitchen

414 Three Legs of a Common Fire
Displace: CO2/foam Bind: Halon and the like Reduce: Water Bind: Purple K Remove: Firefighter

415 Flooding Area Coverage
Water – sprinkler systems Gas – halon/CO2/argon systems Best practices for systems Portable extinguishers

416 Loss of Electrical Power
UPS Generators Goals of power – clean and steady power Power controls Emergency power off (EPO) switch Power line monitors Total load

417 Heating, Ventilation, Air Conditioning
Location Positive pressure Can indicate unauthorized physical breach Helps minimize dust Maintenance

418 Other Infrastructure Threats
Vermin Electromagnetic fields Excess vibration

419 Physical (Environmental) Security Domain Summary
Physical Security Threats and Controls Perimeter Security Building and Inside Security Secure Operational Areas

420 Security Architecture and Design

421 Domain Objectives System and Component Security
Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

422 Definitions and Key Concepts
Information security management system (ISMS) Set of standards for addressing security throughout the development, deployment and implementation schedule Enterprise security architecture (ESA) Includes all areas of security for an organization: leadership, strategy, planning, etc. Information security architecture (ISA) Another term for ISO/IEC 27002 Best practice Well-recognized and accepted approach to designing, developing, managing/monitoring and enhancing processes

423 Definitions and Key Concepts
Architecture High-level perspective of how business requirements are to be structured and aligned with technology and processes Framework Defined approach to the process used to achieve the goals of an architecture, based on policy Infrastructure Integrated building blocks that support the goals of the architecture Model Outlines how security is to be implemented within the organization

424 Definitions and Key Concepts
Good security architecture Strategic Provides a long-range perspective that is less subject to tactical changes in technology Business requirements based Understand business and security and design a system that meets those requirements Holistic Understanding all the parts of the business and interconnecting them Design Blueprint Integration and development of technology infrastructure into the business process Multiple implementations Flexibility due to location and business constraints

425 Definitions and Key Concepts
Benefits of a good security architecture Consistently manage risk Reduce the costs of managing risk Accurate security-related decisions Promote interoperability, integration, and ease of access Provide a frame of reference (for other organizations interacting with the enterprise)

426 Domain Objectives System and Component Security
Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

427 Architecture Components
What are the security limitations and benefits of each component? Hardware Firmware Central processing units Input/output devices Software Architectural structures Storage and memory

428 Hardware: Computers Mainframe Minicomputers Microcomputers/desktops
Servers Laptop/notebook Embedded From a security perspective, each security risk must be addressed individually

429 Hardware: Mobile Devices
USB storage Portable hard drives PDAs and mobile phones

430 Hardware: Printers Multifunctional More than output device
Network aware More than output device Full operating system

431 Hardware: Communication Devices
Modem Network Interface Card (NIC)

432 Hardware: Wireless Wireless network interface card
Wireless access point Wireless Ethernet bridge Wireless router Wireless range extender

433 Firmware: Pre-Programmed Chips
ROM (read-only memory) PROMs (programmable read-only memory) EPROMs (erasable programmable read-only memory) EEPROMs (electrically erasable, programmable, read-only memory) Field programmable gate arrays (FPGAs) Flash chips Embedded system

434 CPU Functionality Multitasking Multiprogramming Multiprocessing
Multiprocessor Multi core Multithreading Direct memory access (DMA)

435 Real-Time Systems Time and mission critical systems – systems that support mission critical services such as flight controls, alarms and monitoring sensors Immediate processing High levels of tolerance Failover

436 Virtual Machines Mimic the architecture of the actual system
Resources provided by the host system

437 CPU and Processor Privilege States
Supervisor state Problem (user) state Running Ready Blocked Masked/interruptible

438 Input/Output (I/O) Devices
I/O controller Managing memory Hardware

439 Software: Operating System
Hardware control Hardware abstraction Resource manager Design Kernel

440 Software: Utilities and Drivers
System utilities Maintenance System drivers Application/hardware interface Plug and play

441 Commercial Software Programs (Applications)
Commercial off the shelf (COTS) Function first Unless the software is inherently a security-focused application (such as a firewall), attention will first be devoted to functionality. Security is usually an afterthought. Evaluation Make sure to consider the information security aspects of the application such as authentication methods, audit capabilities, edit checks and error reporting, etc.

442 Software: Custom Business application System development life cycle
No two businesses do business the same way. Custom software is the solution used as a natural progression from manual processes to automation of tasks System development life cycle

443 Software: Convergent Technologies
Customer relationship management (CRM) Workflow management systems SharePoint, Lotus Notes Unified messaging Allows different technologies to work together. Fax to a PDA, access internet from TV

444 CPU and OS Support for Applications
Applications were originally self-contained OS capable of accommodating more than one application at a time Security Reinforced by the OS since the OS has the ability to control the activity of the applications and ensure that one or more application threads do not affect another

445 Applications - Today Today’s applications are modular
Execute multiple process threads Security Problems lie in the fact that independent sections are frequently written by someone else and may be malicious. Module may also be used in a way not intended by the author. Modules and threads will often communicate directly and not involve the OS. This prevents the OS from being able to manage the activity of the process threads. Programs spawn processes. Processes spawn threads. Memory is allocated to processes. So, threads share memory.

446 Systems Architecture Approaches
Open – standards based interfaces. Considered more vulnerable but often result in a more robust set of security features Closed – proprietary interfaces. Illusion that security through obscurity works Dedicated – single level of processing permitted Single level – permit users to execute any instruction available Multilevel – processing at two levels is permitted through some form of user authentication and authorization. Most common today and allows the system to be accessed by users holding different levels of privilege. Embedded – single purpose computer

447 Architectural Structures
Client server Centralized architecture Distributed architectures Thin client architecture Diskless computing Clusters

448 Cloud Computing Provisioning of services Cost models
Supplement/consumption/delivery model Involves provisioning of dynamically scalable and often virtualized resources Characteristics Layers

449 Cloud Computing Issues Deployment models Security Architecture Privacy
Compliance Open source Open standards Security Issues surrounding cloud computing are due in large part to the private and public sectors' unease surrounding the external management of security based services Deployment models Public cloud Community cloud Private cloud Hybrid cloud Architecture Intercloud Cloud Engineering

450 Service-Oriented Architecture
Technology benefits More flexible architecture, integration of existing applications, improved data integration, supports business process management, facilitates enterprise portal initiatives, speeds custom application development Security issues A system that relies on distributed processing must have adequate bandwidth and high availability. Business benefits More effective integration with business partners, supports customer-service initiatives, enables employee self-service, streamlines the supply chain, more effective use of external service providers, facilitates global sourcing

451 Virtualization Virtual copy of physical system
System virtual machine – complete operating environment that can support user needs and multiple environment Hypervisor – interface between the physical and virtual environments Process virtual machine – systems that are dedicated to supporting one process or program

452 Types of Memory Addressing
Logical Refers to a memory location that is independent of the current assignment of data to memory. Requires a translation to the physical address. Relative Address expressed as a location relative to a known point Physical Absolute address or actual location

453 Memory Management Requirements
Relocation Programmer does not know where the program will be placed in memory when it is executed. It may be swapped to disk and returned to main memory at a different location. Protection Processes should not be able to reference memory locations in another process without permission. Sharing Allows several processes to access the same portion of memory. OS allows each process access to the same copy of the program rather than having its own separate copy.

454 Memory Protection Benefits
Memory reference Different data classes Users can share access Users cannot generate addresses

455 Primary Storage Registers Cache Random access memory (RAM)
Registers Very high-speed storage structures built into the CPU chip set and are often used to store timing and state information for the CPU to maintain control over processes. Cache Very fast memory directly on the CPU chip body. Not upgradeable. Three types (level 1-3). Random access memory (RAM) Main memory of the system

456 Secondary Storage Internal External Virtual memory SANs Clusters

457 Virtual Memory = primary + secondary or RAM + Disk
Extends apparent memory to accommodate larger program execution space than is possible using only physical memory and involves paging and swapping operations. Generally 4 or 8 kb in length

458 Storage Systems Network Attached Storage (NAS)
Simple, cost effective solution. Box on network that extends storage area. Storage Area Network (SAN) Complex, expensive solution. Offers large capacity storage for servers over high-speed (usually fiber) links

459 Blade Systems Server chassis Processing power
Management simplification Is simply a series of motherboards housed in a box with a high speed backbone

460 Domain Objectives System Design Principles
System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

461 Separation Temporal isolation Physical isolation Virtual isolation
Temporal isolation Accomplished through time limits. Person cannot access an area of the building or an area of the network, or an application outside of certain authorized hours. Physical isolation Refers to separating out sensitive areas from common access, such as setting up compartmentalized areas or secure rooms. Virtual isolation Protects against malicious activity by not permitting a process to execute outside of a strict set of boundaries.

462 Ring Protection Based on the Honeywell Multics Operating System architecture. Set of segments in concentric numbered rings. Ring number determines the access level. Procedure assumes its appropriate ring number when executing. This prohibits a process from unregulated execution of commands at a higher level. Program may call services residing on the same or more privileged ring. Program may only access data that resides on the same ring.

463 Privilege Levels Identifying, authenticating, and authorizing subjects
Subjects of higher trust can access more system instructions and operate in privileged mode Subjects with lower trust can access a smaller portion of system instructions and operate only in user mode

464 Process Isolation Preserves objects' integrity and subjects' adherence to access controls Prevents interaction – prevents objects from interacting with each other and their resources Independent states – actions of one object should not affect the state of other objects Process isolation methods Encapsulation – objects, data, and functions are packaged together Time multiplexing – assignment of specific time slots for processing information Naming distinctions – to distinguish between processes Virtual mapping/domains – mapping info objects to virtual locations to ensure applications can find their data

465 Trusted Computing Base (TCB)
Trusted computer base – includes all the components and their operating processes and procedures that ensure that the security policy of the organization is enforced. Hardware Firmware Software Processes Inter-process communications Simple and testable

466 Trusted Computing Base (TCB)
Enforces security policy – must be able to enforce security policy regardless of user input and be protected from interference or tampering Monitors four basic functions Process activation Execution domain switching Memory protection Input/output operations

467 Reference Monitor Concept
Abstract machine concept – abstract machine that is regulating all access on the system and enforcing security controls Must be tamperproof Always invoked Verifiable Security kernel Components of an OS perform various protection tasks designed to control and monitor system events and prevent things from occurring that might disrupt normal execution or threaten the stability of the system or any of its resources. Subject Active entity Object Passive entity If you see subject... the answer is object.

468 Attested Boot/TPM/Processing
Ensures secure configuration and integrity of software/hardware Uses cryptographic hash functions to ensure integrity Can also be used remotely
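The slide only names the idea; as an added example (not from the course slides), this is a simplified model of how a TPM-backed measured boot uses hash chaining so that a verifier, local or remote, can check the boot configuration. The component images, stage names and known-good allowlist are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Dict, List, Sequence, Tuple

PCR_SIZE = 32  # SHA-256 PCR bank: every PCR is 32 bytes and starts all zeros


def pcr_extend(pcr: bytes, component_hash: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-256(PCR_old || component_hash).

    A PCR can only be extended, never written, so the final value commits to
    every measurement taken and to the order in which they were taken.
    """
    return hashlib.sha256(pcr + component_hash).digest()


def measure_chain(components: Sequence[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Measured boot: hash each stage before it runs, extend the PCR, log the event.

    Returns the final PCR value and the event log of (stage name, measurement).
    """
    pcr = bytes(PCR_SIZE)
    event_log: List[Tuple[str, bytes]] = []
    for name, image in components:
        measurement = hashlib.sha256(image).digest()
        event_log.append((name, measurement))
        pcr = pcr_extend(pcr, measurement)
    return pcr, event_log


def verify_attestation(quoted_pcr: bytes, event_log: Sequence[Tuple[str, bytes]],
                       allowlist: Dict[str, bytes]) -> Tuple[bool, str]:
    """Verifier side: replay the log against the quoted PCR, then check each stage.

    1. Replaying the log must reproduce the quoted PCR (the log was not altered).
    2. Every measured stage must match a known-good hash (the right software ran).
    """
    replayed = bytes(PCR_SIZE)
    for _, measurement in event_log:
        replayed = pcr_extend(replayed, measurement)
    if not hmac.compare_digest(replayed, quoted_pcr):
        return False, "event log does not reproduce the quoted PCR"
    for name, measurement in event_log:
        expected = allowlist.get(name)
        if expected is None or not hmac.compare_digest(expected, measurement):
            return False, f"unexpected measurement for stage {name!r}"
    return True, "boot chain matches known-good configuration"


# Constructed stand-ins for real firmware, bootloader and kernel images.
GOOD_CHAIN = [
    ("firmware", b"example firmware image v1"),
    ("bootloader", b"example bootloader image"),
    ("kernel", b"example kernel image"),
]
ALLOWLIST = {name: hashlib.sha256(image).digest() for name, image in GOOD_CHAIN}


def check_good_boot() -> Tuple[bool, str]:
    pcr, log = measure_chain(GOOD_CHAIN)
    return verify_attestation(pcr, log, ALLOWLIST)


def check_tampered_kernel() -> Tuple[bool, str]:
    """One changed byte in the kernel image changes its measurement and the PCR."""
    tampered = GOOD_CHAIN[:-1] + [("kernel", b"example kernel image!")]
    pcr, log = measure_chain(tampered)
    return verify_attestation(pcr, log, ALLOWLIST)


def check_forged_log() -> Tuple[bool, str]:
    """A modified platform that reports the good log with its own PCR fails the replay."""
    bad_pcr, _ = measure_chain(GOOD_CHAIN[:-1] + [("kernel", b"modified kernel image")])
    _, good_log = measure_chain(GOOD_CHAIN)
    return verify_attestation(bad_pcr, good_log, ALLOWLIST)
```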

469 Secure System Design Availability – must be designed to meet needs
Criticality – design of system must ensure that the critical processes run effectively Redundancy Single points of failure – must be designed to avoid Defense in depth – ensures the security of the system cannot be circumvented through one vulnerability

470 Domain Objectives Security Models System and Component Security
Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

471 Security Models Introduction
Information-flow model – tracks the movement of information from one object to another Non-interference model – based upon rules to prevent processes that are operating in different domains from affecting each other in violation of security policy State-machine model – abstract mathematical model where state variables represent the system state Lattice-based model – hierarchical model defining access control privilege levels

472 Bell-LaPadula Confidentiality Model
Lattice-based model Described using rows and columns State-machine model Hierarchical based model with dominance relationships between higher and lower security levels Three fundamental modes Read only, write only, read and write Secure state Defines access rules ***** very important to know *****

473 Biba Integrity Model Lattice-based model
Addressed first goal of integrity Subject – object tuple State machine model When you mix clean & dirty, dirty wins Read & write are opposite from Bell-LaPadula ***** very important to know *****
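Since the Bell-LaPadula and Biba slides above only state that the read and write rules are opposites, here is an added example (not from the course slides) that implements both rule sets over one lattice of levels and compartments. The level names, the "NATO"/"CRYPTO" compartments and the analyst subject are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Label:
    """A lattice element: a linear level plus a set of compartments (categories).

    Label A dominates label B when A's level is at least B's level and A's
    compartments include all of B's.
    """
    level: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and other.categories <= self.categories

    def join(self, other: "Label") -> "Label":
        """Least upper bound: under BLP, data combined from two sources takes this label."""
        return Label(max(self.level, other.level), self.categories | other.categories)

    def meet(self, other: "Label") -> "Label":
        """Greatest lower bound: under Biba, mixing clean and dirty data yields dirty."""
        return Label(min(self.level, other.level), self.categories & other.categories)


def blp_permits(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if mode == "read":        # simple security property
        return subject.dominates(obj)
    if mode == "write":       # *-property (a pure, append-style write)
        return obj.dominates(subject)
    if mode == "read-write":  # both properties at once, so the labels must be equal
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown access mode: {mode!r}")


def biba_permits(subject: Label, obj: Label, mode: str) -> bool:
    """Biba (integrity): the dual of BLP, no read down, no write up."""
    if mode == "read":        # simple integrity property
        return obj.dominates(subject)
    if mode == "write":       # *-integrity property
        return subject.dominates(obj)
    if mode == "read-write":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown access mode: {mode!r}")


# Constructed levels; read them as sensitivity for BLP and as integrity for Biba.
UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = range(4)


def demo() -> Dict[str, bool]:
    """Access decisions for a constructed SECRET/NATO subject against several objects."""
    analyst = Label(SECRET, frozenset({"NATO"}))
    return {
        # BLP: may read CONFIDENTIAL but not TOP SECRET; may write up, not down.
        "blp_read_down": blp_permits(analyst, Label(CONFIDENTIAL), "read"),
        "blp_read_up": blp_permits(analyst, Label(TOP_SECRET), "read"),
        "blp_write_up": blp_permits(analyst, Label(TOP_SECRET, frozenset({"NATO"})), "write"),
        "blp_write_down": blp_permits(analyst, Label(CONFIDENTIAL), "write"),
        # A compartment the subject lacks blocks the read even at the same level.
        "blp_missing_category": blp_permits(
            analyst, Label(SECRET, frozenset({"NATO", "CRYPTO"})), "read"),
        # Biba over the same lattice read as integrity: every rule flips.
        "biba_read_down": biba_permits(analyst, Label(CONFIDENTIAL), "read"),
        "biba_read_up": biba_permits(analyst, Label(TOP_SECRET, frozenset({"NATO"})), "read"),
        "biba_write_down": biba_permits(analyst, Label(CONFIDENTIAL), "write"),
    }
```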

474 Clark-Wilson Integrity Model
Addresses all three integrity goals Defines well-formed transactions Separation of duties Authorized users limited to authorized transactions Unauthorized users do no tasks Maintain internal & external consistency ***** very important to know *****

475 Brewer and Nash Model Chinese Wall security policy
Designed to prevent conflicts of interest ***** very important to know *****

476 Other Models Graham-Denning Harrison-Ruzzo-Ullman (HRU) result
Variations of Biba

477 Security Models Integrity Need to know Confidentiality Implementations
Clark-Wilson Biba G&M Sutherland Graham-Denning HRU Need to know Confidentiality Brewer-Nash BLP Implementations Gong Lipner Karger Jueneman Lee & Shockley

478 Domain Objectives Information Systems Evaluation Models
System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

479 Evaluation Standards TCSEC (U.S. DoD) ITSEC (European Union)
Common Criteria (ISO Standard 15408)

480 TCSEC or Orange Book DoD-centric Security and functionality
Product evaluation Rainbow series – was a part of the Rainbow Series of books dealing with security topics TNI – Trusted Network Interpretation (another of the series)

481 ITSEC International origin ITSEM Assurance Functionality

482 Common Criteria (ISO 15408) Origins Documents
EAL 1-7 (evaluation assurance level) Protection profile (PP) Target of evaluation (TOE) Software, firmware, and/or hardware Security target (ST) Requested level of testing

483 Domain Objectives Security Frameworks System and Component Security
Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

484 ISO 7498-2 Defined secure communications NOT an implementation
Takes 7-layer OSI model and maps it to a 2-layer functional model

485 Zachman Framework Complete overview of IT business alignment Intent
Scope Two-dimensional Principles

486 SABSA What are the business requirements? Follow-on to Zachman
Operational security focus

487 The Open Group Architecture Framework
Governance Business Application Data Technology

488 DoD Architecture Framework
OMB A-130 requirement View sets: All view Operational view Systems view Technical standards view

489 ISO/IEC 42010 International standard for information security management systems (ISMS) Practice for architectural description of software-intensive systems

490 ISO 27001 - ISMS Information security management system
Ensures best practices are met Sets standards for security areas Based on BS7799-2 Measurable and certifiable standard

491 IT Infrastructure library (ITIL)
Focuses on IT services Supporting products

492 COSO Enterprise Risk Management Framework
Emphasizes the importance of identifying and managing risks Process People Reasonable assurance Objectives If moving money, probably want to use this

493 Capability Maturity Model
Developed by SEI (Software Engineering Institute) Based on TQM concepts (Total Quality Management) Framework for improving process Benefits Top 3 are proactive, bottom 2 reactive

494 PCI-DSS Payment card industry – data security standard
Standards for the protection of payment card data (e.g. credit cards, debit cards, etc.) Covered more in Domain 5 (Legal, Regulations, Investigations, and Compliance)

495 Security Architecture and Design Domain Summary
System and Component Security Definitions and Key Concepts Architecture Components System Design Principles Security Models Information Systems Evaluation Models Security Frameworks

496 Software Development Security

497 Domain Objectives Overview of Applications Security
System Life Cycle Security Applications Security Issues Malware and Other Attacks Database Security

498 Need for Applications Security
While this model is important to all domains, AIC is probably most important to this one Interface to critical and sensitive data Thousands of exploits

499 Secure Systems Development Policies
Organizations require security development methodology Many corporations are beginning to require and provide guidelines for developing secure applications Security climate has changed Vendors are focused on functionality of their products and on increasing their return on investment instead of security Security as built-in instead of add-on Compliance – many regulations and compliance requirements now demand that systems track and control access permissions of users and other entities

500 Organizational Standards
Web Application Security Consortium (WASC) Build Security in (BSI) International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) These orgs provide information for software vendors and the public that is intended to create secure environments for software development, to aid in developing internal code standards, to incorporate security features in software products, and to deploy into secure environments.

501 Software Configuration Management (SCM)
Versioning Technologist Protection of code Protection of project Scope creep vs Statement of Work Process Integrity Process of controlling software by managing the versions of all components and the relations between them Statement of Work – lists of all tasks to be completed as a part of the project Scope creep – condition in which the scope of a project continues to increase, typically in an uncontrolled fashion throughout the development process

502 System Development Controls
Project Management Complexity of Systems and Projects Security by Design Controls Built in to Software Secure by Default

503 Secure Development Excuses
You cannot build security around an application, you have to build it in “We need security? Then we’ll use SSL” “We need strong authentication? PKI will solve all our problems” “We use a secret/military-grade encryption” “We had a hacking contest and no one broke it” “We have an excellent firewall” “We’ll add it later; let’s have the features first”

504 Secure Development Concerns
Push to Market – pressure to deliver a product quickly Protect Source Code From tampering Pirating Accidental loss Protection against attacks

505 Secure Development - Physical
Controlled access areas Development vs Operations Project security Probably best to only develop and work on projects in a secure area.

506 Personnel Security Hiring controls – background checks for everyone involved Trust – several attacks come from developers Skills – don’t post to blogs asking for assistance on programming problems Changes in employment If internal, adjust permissions on things no longer needed If leaving company, remind to keep company secrets Protection of privacy from employees Privacy Impact Rating – part of risk assessment. Looks at the data that would be accessible by programs and identifies sensitive data

507 Separating Test Data From Production
Never test on a production system Never use real data Protection of sensitive data Test for failure – test error routines and the resilience of system to failure Ranges – test using both acceptable and unacceptable data values Stress Tests – make sure system can handle the number of transactions or users that may be using the system at once Always try to test for what the bad guy and stupid user would do

508 Certification and Accreditation
Certification of secure design and deployment Production environment Accreditation of acceptance of risk Management approval for implementation Ensure that systems meet, and continue to meet, their security requirements Certification is done during the design and development process with an aim at ensuring that the risks were identified, and cost-effective controls were designed and implemented in a way which effectively mitigated the risk Goal is to ensure that the system will be secure in the real world Formal approval by senior management Ongoing process that watches for any changes to a system that could change security posture

509 Domain Objectives System Life Cycle Security
Overview of Applications Security System Life Cycle Security Applications Security Issues Malware and Other Attacks Database Security

510 System and Project Management
Project Management-Based Methodology
Systems Security Engineering Capability Maturity Model Integration (SSE-CMMI): 1 – initial (chaotic, immature), 2 – managed (disciplined, capable), 3 – defined (documented, consistent), 4 – quantitatively managed (predictable), 5 – optimizing (constant improvement)
SLC vs SDLC: Systems Life Cycle – development, post-development and maintenance phases; System Development Life Cycle – development, ending shortly after implementation
System development is a complex task. The best way to ensure security is to make certain that no mistakes are made during the development stage, so it is important to manage the system and project life cycle, particularly the development stage. The SSE-CMMI model has 5 levels of management maturity.

511 Software Development Methods
Waterfall, Spiral Method, Clean-Room, Structured Programming Development, Iterative Development, Joint Analysis Development, Prototyping
Waterfall – dates back to the early 70s and is probably the oldest known method for developing software systems. Each phase contains a list of activities that must be performed before the next phase begins.
Spiral Method – each phase adds a risk assessment review. Schedules and estimated costs to complete are revised each time the risk assessment is performed. The decision to continue or cancel the project is made based on the results of each of these risk assessments.
Clean Room – zero-defect approach. Developed in the 90s as an engineering process for the development of high-quality software. A method of controlling defects in software by writing code correctly the first time rather than trying to find and fix the problems once they are there. Focuses on “defect prevention”.

512 Software Development Methods
Modified Prototype Model, Exploratory Model, Rapid Application Development, Agile Development, Computer Aided Software Engineering, Component-Based Development, Reuse Model, Extreme Programming

513 Programming Language Examples
Interpreted (oldest to newest): Basic, REXX, PostScript, Pascal, Perl, Ruby, Python
Compiled (oldest to newest): Basic, Fortran, COBOL, Pascal, C, C++, C#, ADA, Python, Visual Basic

514 Program Utilities
Assembler – program that translates an assembly language program into machine language
Compiler – translates a high-level (source) language into machine language
Interpreter – instead of compiling a program all at once, the interpreter translates it statement by statement
Drivers – used to interface a program with the system
Hybrid – compilation and interpretation. Code is compiled into an intermediate stage, known in Java as bytecode. Needed for compatibility between systems.

515 Transaction Processing
Separation of Duties
Need to Know
Logging
Transaction:
Integrity – data not inappropriately altered. Edit checks, balancing, data/input validation, error handling/information leakage, logging/auditing, cryptography, secure code environment, session management
Availability – large queries that affect performance should be limited. Critical systems should be designed with redundancy and failover
Confidentiality – provide the necessary security measures for data
The information system must support Separation of Duties and Need to Know. Transactions must be designed so that an internal or external person cannot change data maliciously or execute an operation that should require dual control or the approval of another party.

516 Object-Oriented Programming
OOP Concepts
Classes – templates for objects
Objects – instances of the classes
Message – objects request services by sending messages to other objects
Inheritance – an object that is called by another object or program derives its data and functionality from the calling object
Polymorphism – different objects may respond to the same command in different ways
Polyinstantiation – creating a new version of the object by changing its attributes. Prevents inference violations by allowing different versions of the same information to exist at different classification levels
Allows for code reuse, which saves time and money: an object (code block) can be reused instead of starting from scratch each time. It is possible for the object to contain malicious code, or to also do other things that are not wanted.

517 Distributed Programming
Distributed Component Object Model (DCOM)
Simple Object Access Protocol (SOAP)
Common Object Request Broker Architecture (CORBA)
Enterprise Java Beans (EJB)
Distributed programming requires abstract communication between hosts; it entails programs located on different computers being able to use the same program at the same time.

518 Software Security Effectiveness
Senior management participation
Software security group – many organizations implement this. Charged with directly executing or facilitating the software security activities.
Understand, measure and plan
Result of many activities – software security is the result of many activities. People, process and automation are all key components.
15 core activities

519 Software Security Effectiveness
BSIMM (Build Security In Maturity Model)
Organizations observed
Business objectives
Roles
Framework
BSIMM is a descriptive model of software security. It helps organizations determine where they stand with respect to real-world software security.
Organizations observed – 12 financial, 7 technology, 2 healthcare, 2 insurance, 2 energy, 2 media. Companies include Adobe, Bank of America, Capital One, Google, Intel, Intuit, Microsoft, Nokia, Sallie Mae, Symantec, VMware, etc.
Business objectives – the model is appropriate for an organization whose overall business goals for software security include informed risk management decisions, clarity on what is “the right thing to do”, cost reduction through standard repeatable processes, and increased code security.
Roles – determine who is supposed to carry out the activities described.
Framework – 12 practices organized into 4 domains

520 Domain Objectives Applications Security Issues
Overview of Applications Security System Life Cycle Security Applications Security Issues Malware and Other Attacks Database Security

521 Applications Security Issues
Building security in Adding defense-in-depth Cryptographic protection of data Secure architecture

522 Applications Security Principles
Validate all input and output Fail secure (closed) Make it simple Defense in Depth Only as secure as your weakest link

523 Secure Coding Issues Buffer overflow SQL injection
Cross-site-scripting (XSS) Dangling pointer Invalid hyperlink Secure (encrypted) web application traffic risks JavaScript attacks vs sandbox

524 Secure Coding Issues Application programming interface (API)
Open source Vendor proprietary software Escrow iFrames Race condition

525 Secure Coding Issues Risks of push technology
Information disclosure – error handling Infrastructure flaws Misconfiguration

526 Secure Coding Issues Incomplete parameter check and enforcement
Covert channels Inadequate granularity of controls Privileged programs/privilege escalation Social engineering Multiple paths to information

527 Secure Coding Issues Object reuse Garbage collection
Trap door/maintenance hooks

528 Domain Objectives Malware and Other Attacks
Overview of Applications Security System Life Cycle Security Applications Security Issues Malware and Other Attacks Database Security

529 Malware and Attack Types
Malformed input
Injection (SQL injection)
Input manipulation/malicious file execution
URL manipulation
Unicode attack
DoS
Packets normally rejected by the firewall can be fragmented to the point that the firewall no longer recognizes the individual fragments as malicious.
Commands such as dir can be sent in Unicode (“%c0%af”), which the server will properly interpret.
Such an attack frequently involves commands or code that are somehow crafted to appear to be merely data. Attackers can access or modify data in a database, or execute commands on a server and access sensitive data.
Code is vulnerable to remote file inclusion that allows attackers to include hostile code and data.
Used to redirect from a simple URL to a more complex URL.
Representations of control information may be passed by a firewall but “correctly” (negatively) interpreted by the server.
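As an added illustration, not code from the slide deck, of the “%c0%af” Unicode attack and the defence against it: the overlong encoding only gets through a loose decoder, so a server that decodes strictly and canonicalises before checking the path is not fooled. The root directory “/scripts” and the sample request paths are constructed for this example.

```python
"""Added example (not from the slides): catching the "%c0%af" Unicode trick.

"%c0%af" is an overlong two-byte UTF-8 encoding of "/" (0x2F). A filter that
looks only for a literal "../" never sees the traversal, while a server that
decodes loosely does. The defence: percent-decode to bytes, decode UTF-8
strictly (Python's codec rejects overlong forms), then canonicalise the path
before any access-control decision.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes


def naive_literal_filter(raw: str) -> bool:
    """The weak check: passes anything that lacks a literal '../'."""
    return "../" not in raw


def canonical_path(raw: str) -> Optional[str]:
    """Percent-decode, strictly UTF-8-decode and normalise; None if malformed."""
    data = unquote_to_bytes(raw)
    try:
        text = data.decode("utf-8")  # b"\xc0\xaf" raises UnicodeDecodeError
    except UnicodeDecodeError:
        return None
    if "\x00" in text:  # an embedded NUL is never a legitimate path byte
        return None
    # normpath collapses '.' and '..' segments; the leading '/' anchors it
    return posixpath.normpath("/" + text.lstrip("/"))


def is_safe_request_path(raw: str, root: str = "/scripts") -> bool:
    """True only if the canonical form of `raw` stays inside `root` (constructed default)."""
    norm = canonical_path(raw)
    if norm is None:
        return False
    return norm == root or norm.startswith(root + "/")
```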

530 Malware and Attack Types
Cryptographic storage
Hijacking
Insecure communications
Cryptographic storage – encrypt and hold data hostage. Internal or external threat.
Hijacking – taking over someone else's web session.
Insecure communications – sending information unencrypted over the network.

531 Malware and Attack Types
Denial of Service (DoS)
Distributed Denial of Service (DDoS)
Botnets
Fast flux botnets
Data hiding
Alternate data streams (ADS)
Non-technical
Fast flux botnets – used by spammers. Send a few hundred emails from one IP, then move to the next. Whitelisting and blacklisting don't work; term and Bayesian filtering generally are effective.
Data hiding – slack space. As many as 11 different types of places to hide data on a computer.
ADS – compatibility feature of NTFS that provides hackers with a method of hiding rootkits or tools on a breached machine and executing them without being detected by the sysadmin.
Non-technical – social engineering, shoulder surfing, sensitive info on sales receipts, reports with sensitive data that aren't protected, etc.

532 Malware and Attack Types
Executable content/mobile code
Web applets
Dynamic
Cookie poisoning (manipulation)
Code that is downloaded to the user's machine and executed. May give unexpected access to resources on the machine.
Java, scripting languages, ActiveX.
Scripts or links included in a message.
Modifying cookies. Can do such things as let a user pay less for products, get more for free, or let people steal info from an unsuspecting user.

533 Malware and Attack Types
Keystroke logging
Adware and spyware
SPAM
Phishing
Spear phishing
Whaling
Pharming
Spear phishing – targeted at an individual
Whaling – spear phishing targeted specifically at executives of an organization
Pharming – takes the victim to an unintended website. Could be from DNS poisoning or compromise of the victim's machine

534 Malware and Attack Types
Remote Access Trojans (RAT)
Rootkits and RATs
HTTP Response Splitting
Cross Site Request Forgeries (CSRF)
RAT – inappropriate over-the-network control of a host.
Rootkits – allow you to take control of a computer at the highest level. Sony and DRM.
HTTP Response Splitting – method of submitting code to a web server by adding a carriage return/line feed into the HTTP response. The server sees the carriage return/line feed, assumes the header is complete and assumes the rest is the body of the message.
CSRF – exploits a user who is logged into a secure server and tricks that user into executing an unintended command. Takes advantage of the session management vulnerabilities in many web browsers and servers that will accept any submission from the authenticated user without requiring reauthentication or confirmation. Can be used to cause the user to make purchases, change account information or take other action on behalf of the attacker.
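An added example, not from the slides, of the response-splitting mechanism described above and the header-value check that prevents it: the same redirect is built unsafely and safely, and a helper counts how many responses a client would parse. The redirect endpoint, the query parameter and the injected second response are constructed for this example.

```python
"""Added example (not from the slides): HTTP response splitting, unsafe vs. safe.

The server copies a user-supplied redirect target into the Location header.
If that value carries a CR/LF pair, the client takes the header block to be
finished and treats what follows as the body, or even as a second response.
Rejecting CR, LF and NUL in every header value closes the hole; the check
must run on the decoded value, after any %0d%0a has been unescaped.
"""
import re
from urllib.parse import unquote

_FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """Raised when a header value would terminate or split the header block."""


def header_value(value: str) -> str:
    """Return `value` unchanged if it is a legal single-line header value."""
    if _FORBIDDEN.search(value):
        raise HeaderInjection("CR/LF/NUL in header value")
    return value


def redirect_vulnerable(target_param: str) -> bytes:
    """Unsafe: the decoded query parameter goes straight into a header line."""
    target = unquote(target_param)
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("latin-1")


def redirect_safe(target_param: str) -> bytes:
    """Safe: same response, but the value is validated after decoding."""
    target = header_value(unquote(target_param))
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("latin-1")


def count_status_lines(raw: bytes) -> int:
    """How many responses a client would parse out of `raw`; must be exactly 1."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3} ", raw))


# Constructed sample input (not from the slides): a redirect target carrying an
# encoded CRLF that smuggles a complete second response into the stream.
SPLIT_PARAM = "/home%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0a<p>injected</p>"
```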

535 Malware Structure Infection/reproduction Trigger Payload Target search

536 Malware Anti-Detection
Stealth
Tunneling
Polymorphism
Self-decrypting
Antivirus (anti-malware) disabling
Stealth – all forms of anti-detection technology.
Tunneling – the act of tracing interrupt links and system calls in order to intercept calls to read the disk or perform other actions to determine if an infection exists.
Polymorphism – techniques which attempt to change the code string on each generation of a virus.

537 Virus Central characteristic is reproduction
Generally requires some action by user May or may not carry payloads

538 Virus Types
File infector
Boot Sector Infector
System infector virus
Multipartite – used to mean a virus that was able to infect boot sectors and programs; now means a virus that can infect more than one type of object, or infect or reproduce in more than one way
Macro Virus
Script Virus – a Visual Basic file that can be seen as a data file but is executable (.vbs)

539 The Hoax, Chain Letters and Pranks
Social engineering
Hoax
Chain Letters
Pranks
Forms of spam. More annoying than anything else, but can eat up bandwidth.

540 Worm Reproduces No user action required Loopholes
Often probe the computer looking to exploit specific weaknesses and/or compromise other computers Attacks server software

541 Trojan Horse Purported to be a positive utility
Hidden negative payload Social engineering

542 Logic Bomb Generally implanted by an insider
Waits for condition or time Triggers negative payload

543 Diddlers, Backdoors and RATs
Data diddler
Salami technique – Office Space – fractions of a cent moved to a bank account
Data diddler – payload in a Trojan or virus that deliberately corrupts data, generally by small increments over time.

544 Protection From Malware Code
Policies
Tools
Monitoring
Operation
Egress scanning
Integrity checkers
Operation – regularly check that anti-malware software is working.
Egress scanning – certain types of traffic, or outbound traffic, could indicate malware even if the software doesn't find any.
Integrity checkers – only work if the data is correct to begin with. Compares current file sizes and executables with stored values.
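An added example (not from the slides) of the integrity checker described above, in Python: a baseline of size and SHA-256 per file, and a check that reports modified, missing and newly appeared files. The file names and contents in the demo are constructed.

```python
"""Added example (not from the slides): a minimal file integrity checker.
Records (size, SHA-256) per file as a baseline, then reports changed, missing
and new files. As the slide notes, it is only as good as the baseline: take it
from a known-good state and store it where malware cannot rewrite it."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple

Baseline = Dict[str, Tuple[int, str]]  # path -> (size, sha256 hex digest)

def fingerprint(path: str) -> Tuple[int, str]:
    h, size = hashlib.sha256(), 0  # streamed, so large binaries are fine
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()

def build_baseline(paths: Iterable[str]) -> Baseline:
    return {p: fingerprint(p) for p in paths}

def check(baseline: Baseline, paths: Iterable[str]) -> Dict[str, str]:
    """Return {path: 'modified' | 'missing' | 'new'} for every deviation."""
    findings: Dict[str, str] = {}
    for p, expected in baseline.items():
        if not os.path.exists(p):
            findings[p] = "missing"
        elif fingerprint(p) != expected:
            findings[p] = "modified"
    for p in set(paths) - set(baseline):
        findings[p] = "new"
    return findings

def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)

def demo() -> Dict[str, str]:
    """Constructed scenario: tamper with one file, delete one, drop a new one."""
    d = tempfile.mkdtemp()
    svc, cfg, extra = (os.path.join(d, n) for n in ("svc.exe", "svc.ini", "extra.dll"))
    _write(svc, b"MZ\x90\x00 legit program")
    _write(cfg, b"[svc]\nport=443\n")
    base = build_baseline([svc, cfg])
    _write(svc, b"MZ\x90\x00 legit program + patch")  # size and hash both change
    os.remove(cfg)
    _write(extra, b"MZ\x90\x00 unexpected binary")
    return {os.path.basename(p): v for p, v in check(base, [svc, cfg, extra]).items()}
```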

545 Emerging Threats and Chained Exploits
New application services Cell phones/mobile phones Telephony Chained exploits

546 Domain Objectives Database Security Overview of Applications Security
System Life Cycle Security Applications Security Issues Malware and Other Attacks Database Security

547 Database Security
Database (day-to-day) and data warehousing (strategic) environment
Eliminate duplication of data
Consistency of data
Network access
Databases provide consistency of data. Data can be saved in one place, allowing anyone with access to see the data without the need for duplicates. Greater consistency or accuracy of data.
Data warehousing is a new concept where large volumes of information from many databases are stored. May lead to privacy concerns.

548 Database Management Systems (DBMS) Models
Hierarchical DBMS
Stores records in a single table
Parent/child relationships
Limited to a single tree
Difficult to link branches
Car