About this Document

These are some study guides I got when I took the exam back in 2010.
Principles Info Systems
Dr. Nobody
Study Guide
This 18 page Study Guide was uploaded by Aaron Baillio on Thursday October 1, 2015. The Study Guide belongs to Temp 101 at University of Oklahoma taught by Dr. Nobody in Summer 2015. Since its upload, it has received 45 views. For similar materials see Principles Info Systems in Business, management at University of Oklahoma.


Reviews for CISSP

"Can you just teach this course please? lol :)"

Date Created: 10/01/15
CISSP Boot Camp Overview
>Manager perspective, refer to policy
>Important Chapters: Risk Mgmt, Cryptography, Telecom, BCP
>Not a lot of Physical Security and Legal (no dates, more conceptual)

1 – Info Security and Risk Mgmt
>Risk Management (5-7 questions, know formulas)
>Confidentiality (privacy) – prevent unauthorized disclosure (encryption)
>Integrity – prevent unauthorized modification (CRC, hashing, MAC, ICV, MD), sender calculates
>Availability – prevent disruption of service (redundancy)
>Trust – does system do what it is supposed to do
>Assurance – confidence that it will work reliably

Risk Management – identifying, analyzing, assessing, mitigating, or transferring risk
  - what risks are and how to deal with them
  - main goal is to reduce risk to a level acceptable by mgmt
  - 1. Risk Assessment – identify what assets are and threats to assets
  - 2. Risk Analysis – qualitative/quantitative analysis of risks (EMV-expected monetary value), cost/benefit of implementing controls
  - 3. Risk Mitigation – reject, accept (done due diligence), transfer (insurance, SLA), reduce (controls lower likelihood or impact)
  - Residual Risk – left over after controls
  - Secondary Risk – new risk triggered by response to other risk
  - Control – safeguards (preventative and deterrent), countermeasures (detective and corrective)
>Top-Down better since mgmt buy-in
>Plan Do Check Act (PDCA) – created by Deming (also TQM, basis of 6 Sigma), continuous improvement
>ISO 27000 – deals with InfoSec, 27002-set up security program, 27799-health info
>CobiT – goals for security controls (derived from strategic COSO-fraudulent reporting)
>NIST, OCTAVE focus on IT threats and IS risks
>AS/NZS 4360 – financial/capital/safety/business risks
>OECD – guidelines for data protection btw countries
>Goals of Models – Strategic (over-arching, 3-5yrs), Tactical (mid term, 1-3yrs), Operational (day to day)
>Liability:
  - Due Diligence – done the research on threats and risks
  - Due Care – acted upon the research, done the right thing to protect assets
  - Prudent Person Rule – acted responsibly and cautiously as a prudent person would do
>Risk Management – identify (Assessment), analyze, and reduce risk to acceptable level
  - Vulnerability-absence of a safeguard
  - Threat-potential danger
  - Threat Agent-anyone that can cause threat
  - Risk-likelihood that threat will attack vulnerability
  - Exposure-opportunity for threat
  - Exploit-instance of loss
  - Controls-risk mitigation mechanisms (safeguards and countermeasures)
  "There is a strong risk that a vulnerability on my system will expose me to a threat that a threat agent will exploit unless I provide a safeguard."
>Controls – administrative, technical, physical
>Risk Assessment – identify and prioritize
  - 1. Assets-identify, valuate, classify 2. Risks-identify 3. Quantify-impact of threats 4. Economic Balance
  - Goal is to create a risk register
  - Data Classification Process – cost, classify (sensitivity), control (security controls)
    Commercial (Confidential, Private, Sensitive, Public)
    Gov't (TS, S, Confidential, SBU, Unclass)
  - Roles: Data Owner-responsible for classification; Data Custodian-implementing controls
>Risk Analysis
  - Always start with qualitative but want quantitative as well (can't have pure quantitative)
  - Qualitative – subjective, Delphi is anonymous survey of experts
  - Formulas: how much to spend on controls, value of risk and value of controls
    SLE – when event happens how much it will cost, SLE = AV x EF (% of loss from threat)
    ALE – when it happens how much it will cost per year, ALE = SLE x ARO
    ARO – how often it will happen in a year
    E.g., Tornado every 10 yrs will damage 50% of facility and value of facility is $200k
    SLE = 200,000 x .50 = $100,000
    ALE = 100,000 x .10 = $10,000 (should not spend > $10k/yr on controls)
    Control Value = delta ALE – cost of control – yearly upkeep, etc.
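The SLE/ALE arithmetic and the control-value decision above, carried through in code. This is an added example, not from the study guide: the tornado figures (AV $200k, EF 50%, ARO 0.1) are the guide's; the two candidate controls, their costs and their effect on the exposure factor are constructed for illustration.

```python
"""Quantitative risk analysis: SLE, ALE and control value (added example).

The tornado numbers come from the study guide; the controls below and their
costs are constructed to show the "implement if Control Value > 0" rule.
"""
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: cost of one occurrence, AV x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is the fraction of the asset lost, between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy: expected yearly cost, SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO (occurrences per year) cannot be negative")
    return single_loss * aro


@dataclass(frozen=True)
class Control:
    name: str
    purchase_cost: float   # one-off cost, spread over `years`
    yearly_upkeep: float   # maintenance, licences, staff time per year
    years: int             # amortization period for the purchase cost
    new_ef: float          # exposure factor once the control is in place
    new_aro: float         # occurrence rate once the control is in place


def yearly_control_cost(ctl: Control) -> float:
    return ctl.purchase_cost / ctl.years + ctl.yearly_upkeep


def control_value(asset_value: float, ef: float, aro: float, ctl: Control) -> float:
    """Control Value = (ALE before - ALE after) - yearly cost of the control."""
    ale_before = ale(sle(asset_value, ef), aro)
    ale_after = ale(sle(asset_value, ctl.new_ef), ctl.new_aro)
    return (ale_before - ale_after) - yearly_control_cost(ctl)


def should_implement(asset_value: float, ef: float, aro: float, ctl: Control) -> bool:
    """The guide's rule: implement when the control value is positive."""
    return control_value(asset_value, ef, aro, ctl) > 0


# Constructed candidate controls for the tornado scenario (not from the guide).
STORM_SHUTTERS = Control("storm shutters", 15_000, 1_000, 5, new_ef=0.20, new_aro=0.10)
HARDENED_BUILDING = Control("hardened facility", 60_000, 2_000, 5, new_ef=0.05, new_aro=0.10)

if __name__ == "__main__":
    av, ef, aro = 200_000, 0.50, 0.10
    print("SLE", sle(av, ef), "ALE", ale(sle(av, ef), aro))
    for ctl in (STORM_SHUTTERS, HARDENED_BUILDING):
        print(ctl.name, "value", control_value(av, ef, aro, ctl),
              "implement" if should_implement(av, ef, aro, ctl) else "reject")
```

Both controls reduce the loss, but only the shutters cost less per year than the ALE they remove; the hardened facility costs $14k/yr to remove $9k/yr of expected loss, so under this rule it is rejected even though it is the "more secure" option.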
    If Control Value > 0, then implement
>Total Risk-risk before controls; Residual Risk-risk after controls; Accepted Risk-choose not to implement
>Total Risk = Threats * Vulnerability * Asset Value
  Residual Risk = Total Risk * Controls Gap

Policy
>Laws/Regs > Organization Policy > Functional Policies > Standards/Procedures/Baselines/Guidelines
  - Standards – directly support security policy, binding high-level rules
  - Baselines – minimum security settings (e.g., AV, patches)
  - Procedures – step by step actions, how to, binding
  - Guidelines – everything else, recommended actions, non-binding

Roles and Responsibilities
>Executive Mgmt – assigns responsibility for security of info, liability issues fall on mgmt
>IS Professionals – data custodians, design security controls
>Data Owners – determine classification
>Users – follow procedures
>Auditors – independent assurance of administrative, technical, and physical controls
>Awareness (what), Training (how), Education (why)
>Diff groups need diff types of training

8 – Operations Security
>Day to day security concerns, after system developed

Operational Responsibilities and Controls
>Config Mgmt and Change Mgmt – document, document, document
  - Config Mgmt – hardware and software configs
  - Change Mgmt – documentation of changes, before change must be formally approved
  - Both key in business continuity
>Responsibilities – troubleshooting, new software versions, backups, audit logs
>Clipping Level – baseline level of errors, anything above raises alarm
>Network Admin – maintenance, keep up; Security Admin – access control, view audit logs
>Auditing – policy is administrative control, viewing logs is technical control
>Change Control – involve operations staff, CCB-changes should be submitted/approved/tested
  - Change Mgmt DB – what, when, who
>Config Mgmt – identify/control/audit changes to TCB, objective is stability (consistency)
  - Trusted Computing Base (TCB) – from Orange Book, all hardware and software involved with securing the system
>Change Mgmt – control/document approvals for changes
>Config Mgmt – document changes over time
>Libraries – Production, Source Code (escrow-source code held by 3rd party), Programmer, Media
  - Programmers should not have access to production code
  - Remove data remnants when sanitizing
  - Sanitize-same environment, Purging-diff compartment, Zeroization, Degaussing
>System is secure if it starts, functions, and shuts down securely; most vulnerable at startup
>Trusted Recovery – failsecure system (bluescreen), failure of system can't be used to bypass security
  - 1. System Restart – manual restart of computer through software
  - 2. Emergency Restart – system decides to restart
  - 3. System Cold Start – physical power down and power up

Availability
>Redundancy, Avoid single points of failure, Fault Tolerance
>SLA, MTBF, MTTR, MTD-max tolerable downtime, RPO-recovery point objective (degree able to restore, how often do backups)
>Direct Access Storage Device (DASD) – direct access to memory (not sequential), RAID is type of DASD
>Redundant Array of Inexpensive Disks (RAID) – provide fault tolerance for hard drives (hardware or software)
  - Level 0 – no fault tolerance, striping (write across disks) for higher read performance (multi heads)
  - Level 1 – Mirroring/duplexing, each drive is exact replica
  - Level 5 – disk striping with parity (speed of striping, parity for fault tolerance, need at least 3 disks)
  - Level 0+1 (10) – striping and mirroring
  - JBOD – just a bunch of disks, low cost
>Parity – control data to allow recovery from partial loss
>Mirroring – data in two places sharing controller
>Duplexing – data in two places w/ diff controller
>MAID – for medium scale storage, power down btw access to save energy
>RAIT uses tape drives
>Redundant Servers – multiple domain controllers, hot/warm/cold
  - Clustering – multiple physical acting as single logical entity (load sharing)
>SAN – store and protect data; NAS similar but smaller with client direct access to storage
>HSM – hierarchy of faster and economical storage, uses stub as pointer
>Backups – offsite and onsite, testing is most important
  - Full – archive bit reset (I've been changed, back me up)
  - Incremental – anything changed since last backup, archive bit reset
  - Differential – anything changed since last full backup, archive bit not reset (faster for restoral)
  - Copy – same as full but archive bit not reset, used before upgrades
  - Open Files Agent: snapshot of file while open, backup files currently in use
  - Media Rotation Plan: Grandfather, Father, Son – son (daily, keep week), father (weekly, keep month), grandfather (monthly, keep year)
    Tower of Hanoi – various tape sets, minimize number of tapes, don't have to worry about age
>Three copies of contingency plans: onsite, onsite fire-proof, offsite
>Contingency Plan – small incident
>BCP – after disaster
>SMTP, POP, IMAP (push email, successor to POP)
>Intrusion Detection System – passive can just log and alert, active IDS means IPS, Snort is free IDS
  - NIC capturing traffic must be in promiscuous mode
  - Network based, Host based (TCP wrapper)
  - Components: sensors, analysis engine, mgmt console
  - Signature Based (similar to AV), Behavior Based (anomaly, new attacks, false positives)
  - Pattern Matching – rule, signature, knowledge based
  - Profile – statistical, anomaly, behavior based
  - Response options: passive (alert admin, log event), active (send reset, change ACL)
  - Switch based networks make it harder to pick up all packets, use span port
>Honeypot – vulnerable system to entice (not entrap) attackers, dangerous, liability concerns
>Padded Cell – create "safe" environment for applications and processes to run (similar to sandbox)
>Tarpit – used to keep hacker busy
>Vulnerability Assessments – due diligence research on security controls
  - Check physical, technical, and administrative controls
>Penetration Testing – blue (defense), red (offense), purple (both) teams; mgmt objectives and approval
  - Goals: unauthorized hosts, deviations from policy, forensic info
  - Can be disruptive, should be done by outside entity, specific plan for devices/times, outside attacker
  - 1. Defined Goal 2. Limited Timeline 3. Approval by Senior Mgmt
  - Attack Phases: 1. Reconnaissance – info on target from public sources 2. Footprinting – map network (NMAP), ping, DNS zone 3. Fingerprinting – identify host info based on responses, port scanning (need to know port numbers) 4. Vulnerability Assessment – identify weaknesses, discover unpatched 5. Attack – penetration, privilege escalation, root kit, cover tracks
>Password Cracking – brute force, dictionary, rainbow table (hash = virtual password)
>Maintenance Hook or SuperZap – way of bypassing security controls
>War Dialing – look for RAS; have modem pick up after 4 rings, implement call-back
>Certification – tech evaluation of system; Accreditation – mgmt acceptance of system
>Attacks
  - Virus, Worm, Logic Bomb, Trojan Horse, Back Door (NetBus, Back Orifice, SubSeven), Rootkit (admin access), Salami, Data Diddling, Sniffing, Session Hijacking (man-in-middle), Wardialing, DoS, DDoS
  - Ping of Death, Ping Flooding, Tear Drop (malformed), Bonk (segmentation), Buffer Overflow (input validation), Land Attack (circular ref), SYN Flood, Smurf, Fraggle (UDP instead of ICMP), Spoofing, Masquerading (phishing)

5 – Cryptography
>Know history of cryptography
>Symmetric vs. Asymmetric – details of both
>Confidentiality – encryption, Authenticity – digital signature, Integrity – hashing, Non-Repudiation – digital signatures (can't deny sending and message)
>Ciphertext = plaintext + IV + algorithm + key
>Key tells algorithm how to work
>M of N control for key backup; key escrow for 3rd party hold
>Clipper – govt key escrow, Skipjack, 80bit
>Wassenaar Agreement – limits on strength of crypto export, 128bit?
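The "M of N control for key backup" above says what is required (any M of N custodians can restore a key, fewer cannot) but not how to implement it. The following added example, which is not from the study guide, does it with Shamir secret sharing over a prime field; the choice of Shamir's scheme, the field prime and the sample key are this example's assumptions.

```python
"""M-of-N key backup with Shamir secret sharing (added example).

The study guide only names the M of N requirement; Shamir's scheme is one
standard way to meet it. The key below is a constructed 128-bit value.
"""
import secrets

# Prime field large enough to hold a 128-bit key (2**127 - 1 is prime).
P = 2**127 - 1


def _eval_poly(coeffs, x: int) -> int:
    """Evaluate a polynomial (constant term first) at x, modulo P (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_key(key: int, m: int, n: int):
    """Split `key` into n shares so that any m of them reconstruct it.

    Returns a list of (x, y) points; x is the custodian number 1..n.
    The key is the constant term of a random degree m-1 polynomial, so
    m-1 shares reveal nothing about it (every key is equally consistent).
    """
    if not 0 <= key < P:
        raise ValueError("key must be a non-negative integer below the field prime")
    if not 1 < m <= n:
        raise ValueError("need 1 < m <= n")
    coeffs = [key] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares, m: int) -> int:
    """Lagrange interpolation at x = 0 using m distinct shares.

    Refuses outright with fewer than m shares: interpolating m-1 points
    yields a value unrelated to the key, so silently returning it would
    hide the failure of the M of N control.
    """
    if len(shares) < m:
        raise ValueError(f"M-of-N control: {m} custodians required, got {len(shares)}")
    pts = list(shares[:m])
    if len({x for x, _ in pts}) != m:
        raise ValueError("duplicate custodian shares supplied")
    secret = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = (num * -xj) % P          # product of (0 - xj)
                den = (den * (xi - xj)) % P    # product of (xi - xj)
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


if __name__ == "__main__":
    key = int.from_bytes(b"constructed-key!", "big")   # constructed sample key
    shares = split_key(key, m=3, n=5)                   # 3 of 5 custodians
    print("recovered:", recover_key(shares[1:4], 3) == key)
```

Each custodian holds one (x, y) pair; the key itself is never stored. Shares should be distributed over separate channels and the threshold chosen so that no single department can assemble M of them, which is the dual-control and split-knowledge point the guide makes in the PKI section.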
>History – Hieroglyphics, Scytale (tape around rod size), Caesar (substitution), Vigenere (polyalphabetic), Enigma (rotors), Vernam (one-time pad)
>Steganography – hide existence of message, can use LSB
>XOR used in symmetric stream ciphers
>Strength based on algorithm, secrecy, length; tied to sensitivity of data
>Kerckhoffs – algorithm public
>Symmetric: stream, block
>Asymmetric: Discrete logs in finite field (most), Factoring large primes (RSA)
>Confusion – complexity (algorithm and key)
>Diffusion – # rounds (many functions)
>Avalanche
>Block sizes usually 64 bit (slower but more secure); stream ciphers work on one bit at a time (RC4 is main one)
>Block Cipher: DES uses 16 S-boxes (round = through S-box), key sets the S-box

Symmetric Algorithms
>Symmetric – very fast, key distribution issues, scalability issues N(N-1)/2; security in strength of key
>DES – 56 bit key (5 min break), DEA is algorithm, designed for SBU, 64bit blocks through 16 rounds, processor intensive
>DES Modes
  - ECB: fast but no feedback so same plain gives same cipher, only safe for small amount of data
  - CBC: previous cipher mixes with next plain (IV for first), error propagation, good randomness, SSH
  - CFB: previous cipher mixes with key for next, error propagation, emulates stream, terminal emulation
  - OFB: previous key stream mixes with key for next, no error propagation, emulates stream, satellites
  - CTR: done in parallel, emulates stream, 802.11i
>3DES: EEE, EDE, 2 or 3 keys; variable key space, 112 or 168 bit keys
>AES – 128, 192, 256 bit keys and block size, Rijndael algorithm, WPA2
>Twofish, Blowfish
>IDEA – 128 bit keys, variable bit block, used in PGP, proprietary
>CAST – 128 bit keys, non-proprietary
>All RC family are symmetric and block, except RC4 (stream, for WEP)

Asymmetric Algorithms
>Asymmetric – slow, in-band key exchange possible, public/private key pairs
>RSA, DSA, DH, ElGamal, ECC, Knapsack
>DH – session key exchange w/out preshared secret
>RSA – trapdoor function based on factoring, mostly for key distribution
>ECC – speed, good for hand-held devices
>Hashing – integrity, aka: ICV, MD, fingerprint, MAC, MIC, MDC
  - Hash – no key used; only basic integrity; only unintentional modifications
  - HMAC – system key used in hashing algorithm; integrity and system authen
  - CBC-MAC – use last block of ciphertext as MAC, data origin authentication (shared key) not user; CMAC is more secure variation; integrity and data origin authen
>Hash "broken" if a collision can be created in less than 2^69
>Variable length message to fixed length digest
>Collision: two diff texts create same hash
>MD5 (128bit) collision attacks
>SHA-1 (160bit), SHA-2 (256bit)
>HAVAL, Tiger, RIPEMD
>Birthday Attack – 2^(n/2) for collision, 160 bit requires 2^80
>Digital Signature – hash value encrypted with sender's private key (authen and non-repudiation)
>DSS – standard met by DSA
>Digital Envelope – encrypt message with session key (DES, AES); encrypt session key with receiver's public key (DH, RSA); add hash (MD5, SHA1) for integrity and encrypt hash with sender's private key (RSA, DSA)
>Most algorithms do encrypt, digital sign, and key dist; DH only key dist, DSA only digital sign
>Privacy: DES, 3DES, AES
>Authentication: DSA, etc.
>Key Exchange: DH, RSA, etc.
>Integrity: MD5, SHA-1
>Non-Repudiation: DSA, etc.

PKI
>Dual control and split knowledge for key control
>Secure key storage
>Keys for diff purposes
>Authentication framework that uses public key crypto and X.509
>Infrastructure: identify users, create/distribute/maintain/revoke certs, distribute keys, etc.
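The hashing bullets above draw the line between an unkeyed hash (catches unintentional modification only) and an HMAC (integrity plus origin authentication), and give the birthday bound 2^(n/2). The added example below, which is not from the study guide, demonstrates both points with the Python standard library: a tampered message passes the plain-hash check because the attacker can recompute the digest, fails the HMAC check without the key, and a truncated digest collides after roughly 2^(n/2) messages. The message text, key and 16-bit truncation are constructed for illustration.

```python
"""Plain hash vs. HMAC for integrity, and the birthday bound (added example).

Standard library only. Messages, key and the 16-bit truncation are
constructed; they are not from the study guide.
"""
import hashlib
import hmac


def digest(msg: bytes) -> bytes:
    """Unkeyed hash: anyone can recompute it, so it only catches accidents."""
    return hashlib.sha256(msg).digest()


def tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def hash_check(msg: bytes, stored_digest: bytes) -> bool:
    return digest(msg) == stored_digest


def mac_check(key: bytes, msg: bytes, stored_tag: bytes) -> bool:
    # compare_digest runs in constant time so a mismatch position cannot leak.
    return hmac.compare_digest(tag(key, msg), stored_tag)


def forge_without_key(new_msg: bytes):
    """What an attacker can do against a plain hash: replace message AND digest."""
    return new_msg, digest(new_msg)


def birthday_work(bits: int) -> int:
    """Expected effort to find any collision in an n-bit digest: 2^(n/2)."""
    return 2 ** (bits // 2)


def first_collision(bits: int, limit: int = 1 << 17) -> int:
    """Hash 'msg-0', 'msg-1', ... and return how many messages were needed
    before two shared the same `bits`-bit truncated SHA-256 value.

    For 16 bits the answer is typically a few hundred, near 2^8, not 2^16;
    by the pigeonhole principle it can never exceed 2^bits + 1.
    """
    mask = (1 << bits) - 1
    seen = {}
    for i in range(limit):
        h = int.from_bytes(hashlib.sha256(f"msg-{i}".encode()).digest()[:8], "big") & mask
        if h in seen:
            return i + 1
        seen[h] = i
    return -1  # no collision within the limit


if __name__ == "__main__":
    key = b"shared-secret-key"               # constructed
    msg = b"transfer 100 to alice"           # constructed
    d, t = digest(msg), tag(key, msg)
    fmsg, fd = forge_without_key(b"transfer 100 to mallory")
    print("plain hash accepts forgery:", hash_check(fmsg, fd))
    print("HMAC accepts forgery:", mac_check(key, fmsg, t))
    print("160-bit birthday work: 2^%d" % birthday_work(160).bit_length())
    print("16-bit truncation collided after", first_collision(16), "messages")
```

The practical takeaway matches the guide's CBC-MAC/HMAC note: a hash stored next to the data it protects gives integrity only against accidents; origin authentication needs a key the attacker does not hold, and the receiver must compare tags in constant time.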
>Certificate Authority – maintains and issues certs; signs certs; CRL (auto check with OCSP); offline
  - Certificates give integrity and authentication; Code signing certificates
  - Certificate Directory: store certificates, X.500, LDAP (clients can locate and access)
  - OCSP – client asks online responder to look up instead of downloading entire CRL
>Registration Authority – performs cert registration duties
>Certificate – binds public key to user, X.509; serial #, version #, ID info, algorithm, lifetime, CA signature
  - Version 1-bind to email; Version 2; Version 3-more checking (required for financial transactions)
>Secure time stamping important
>SSL – 6 way handshake; User initiates with HTTPS, Website responds with public key, User sends session key, etc.
>PGP uses proprietary certificates; web of trust (no CA)

Email
>MIME – how multimedia data and email attachments are transferred; tells type so know how to open
  - S/MIME encrypts and digitally signs email; follows PKCS; provides PAIN; supports DES, 3DES, AES
>PGP – proprietary email security program; RSA for key mgmt
  - key ring: public keys from other users
  - uses passphrases instead of passwords
  - web of trust
  - Algorithms supported: DES, 3DES, IDEA, CAST, AES
>PEM – Internet standard; compatible with PKCS
>MSP – military's PEM

Secure Protocols
>HTTPS = HTTP + SSL (or TLS), encrypts entire comm channel
>SSL – developed at Netscape, Transport layer, used for WWW connections; client creates session key; only server needs certificate; client compares URL in browser and certificate
>SET – e-wallet, developed by VISA and MasterCard, too much overhead, SSL works fine, DES/RSA
>DNSSEC – DNS servers distribute public keys, prevent spoofing
>S-RPC – DES/3DES to secure computer to computer comm
>SSH – secure terminal access (replaces Telnet and Unix r-utilities)
>Secure FTP – SSH that looks like FTP, FTP shell (not FTP)
>IPSec – designed for IPv6, confidentiality/integrity/authentication
  - Transport Mode: only payload protected
  - Tunnel Mode: entire pkt encapsulated, header added
  - IKE: handshake to determine hashing and crypto algorithm/keys; client sets up SA in each direction
    ISAKMP: handshake part, framework
    OAKLEY: sets up SA (similar to socket), does negotiation
    Unique SPI holds SA info in header
  - AH: authentication (MAC) and integrity (ICV-header, data, trailer), not with NAT
  - ESP: adds encryption, integrity only on data
  - Algorithms: 3DES, RC5, IDEA, CAST, Blowfish, AES
>Attacks
  - Ciphertext, known plaintext, chosen plaintext, chosen ciphertext (midnight/lunch time attack)
  - Replay (nonce, timestamps, seq #), Man-in-Middle (seq #, digital sign), Meet-in-Middle
  - Side Channel – observe processing, power, radiation, etc.

3 – Access Control
>Protect info and resources from unauthorized disclosure, modification, and destruction
>Administrative – policy; Technical – firewall, passwd, id, audit; Physical – facility, guards
>Preventative, Deterrent, Detective, Corrective, Recovery, Compensatory (plan B)
>Clipping Level – reduce admin overhead, only worried about events above threshold
>Definitions: subject accesses object; access is flow of info btw subject and object; access control
>Capability Matrix – describes what subject can do
>ACL – describes who can access object
>Access Control Steps:
  - 1. Identification – subject making a claim (user ID)
  - 2. Authentication – subject proves claim (password); something you know(1)/have(2)/are(3)/where
  - 3. Authorization – granting of access permissions (read/write/modify) and rights (things can do on network)
  - 4. Accounting (Auditing) – keeping records of activity; match action to subject
>MS-CHAPv2 – first dialup protocol to provide mutual authentication (client and server to each other)
>Biometric, Passwords (8), Token (one-time passwd), Memory card, Smart card (processing), crypto key
>Token (synch, async-challenge/response) good for protection against replay attacks
>Biometrics – Type 1 False Reject, Type 2 False Accept, Crossover Error Rate (Type1=Type2)
  - Iris more accurate and accepted than retina
>Access Criteria – clearance, need-to-know, least privilege, default to "no access"
>Splitting Control – separation of duties (no one person can do critical), dual control (M of N)
>Single Sign On (SSO) – users present credentials once, "keys to kingdom"
  - Methods: Scripts, Directory Services (LDAP), Kerberos, SESAME (Euro version), Thin Clients
  - Kerberos: tkt based, symmetric key; Carnival analogy – admission (AS) which issues TGT, use TGT to get tkts for each resource from TGS, KDC = AS + TGS
    Principals – users, applications, services
    Realm – carnival grounds
    User types in username/passwd, sends username to AS, AS sends TGT encrypted with password
    TGT sends two session keys: one encrypted with user key, one encrypted with service's key
    KNOW: SSO, Port 88, KDC, tkt based, time sensitive (5min), principals, mutual authen, symmetric
  - SESAME – Euro version, PAC equivalent of tkt, PAS equivalent of KDC
>Access Control Models: Discretionary (DAC), Mandatory (MAC), Role Based (RBAC), Rule Based
  - DAC – data owner chooses access, identity based, implemented through ACLs, services run at level of user logged in, not highly secure
  - MAC – subject cleared, objects classified (security labels); access decided by system (not owner); compartments enforce need-to-know; subject label must dominate object label; controls for flow of info btw classification labels; used in classified environments
  - RBAC – access to objects based on role in company; admins assign user to role; permissions assigned to roles; high turnover
  - Rule Based – global rules for all subjects
  - Content Based – access determined by sensitivity of content (similar to MAC)
  - Context Based
>Restricted Interfaces – menus, shells, DB views, physical, encryption
>Implementation:
  - Capabilities – subject's access rights
  - Profile – list of objects associated with each subject
  - ACL – authorize subject access to object
>Centralized Access Control
  - More capabilities, more power, more consistency; e.g., RADIUS (DIAMETER), TACACS+
  - 802.1X – implementation of EAP for port based authentication; EAP replacing PAP and CHAP, uses central authentication server (RADIUS)
  - Client is supplicant, NAS are authenticating servers (RADIUS client), RADIUS is authenticator
  - RADIUS is UDP and only dial-up (PPP, SLIP); DIAMETER is TCP and multi-access
>Technical Controls – directory services: X.500, LDAP (lighter X.500), Active Directory (MS version)
  - Distinguished Name is leaf on tree

2 – Security Architecture
>Topics: Components in OS, Trusted Computing Base, Access Control Models, Evaluation, C&A, Threats
>Components:
  - CPU – control unit, ALU, registers
  - Processing is instructions and data passed to registers; buses are pathways
  - Problem (User) and Supervisor (Kernel, Privileged) States; what processor can access
  - Primary Storage – RAM, volatile
  - Secondary Storage – ROM, hard drive, EPROM
  - Cache – fast, static RAM; very expensive
  - Memory: CPU Register > Cache > Main Memory > Disk Storage
  - Virtual Memory – on hard drive that acts like RAM; swapping
  - Memory Mapping – handles memory access on behalf of applications
  - Sequential storage (tape) vs. direct (random)
  - Program – application; Process – application open in memory; Thread – single instruction from a process (e.g., Print)
  - Process States: Stop, Reading, Waiting, Running
  - Functionality: Multi-threading (process several tasks), multi-tasking (execute several programs), multi-programming (run several applications), multi-processing (more than one CPU), multi-core (processor with several cores)
>Trusted Computing Base
  - TCB – hardware/software/firmware, trusted components to be protected, keep trusted and untrusted separated
>Isolation is primary mechanism of protection
  - Memory Segmentation – process isolation, virtual machines
  - Layering and Data Hiding – protection rings
  - Parts of TCB enforce isolation
  - Techniques: virtual mapping, encapsulation of objects, naming distinctions, time mux of resources
>Protection Rings: evaluates processes based on trust; most trusted processes (OS Kernel) in Ring 0; exec services of OS in Ring 1; file system drivers in Ring 2; least trusted (applications) in Ring 3; API – trusted path that allows comm from one ring (layer) to another
>Security Domain – what application has access to
>Virtual Machines – multi OS on hardware; consolidate hardware but maintain isolation
>Security Kernel (police officer) invokes the Reference Monitor (law)
  - When subject references object, reference monitor determines access and security kernel enforces
  - Security Kernel is physical, Reference Monitor is abstract
  - Requirements: 1. Tamperproof 2. Impossible to Circumvent 3. Small enough to be tested/verified
>Operating States (MAC)
  - Single State – single security level
  - Multi-State – multiple security levels
>Moore's Law – transistors double every 18 months; Pareto's Principle – 80/20
>Security Modes of Operation
  - 1. Dedicated – single state; all users have clearance and need-to-know for all data
  - 2. System High – single state; all users have clearance, but not all have need-to-know for all data
  - 3. Compartmented – multi state; need highest clearance for all data on system and need-to-know for just what accessing
  - 4. Multilevel – multi state; need just clearance and need-to-know for what accessing

Security Models – most are confidentiality and integrity models (5-7 questions)
>State Machine – if it starts, runs, and shuts down securely, then it is a secure system
>Information Flow – info flow btw states is secure
>Lattice – MAC; upper and lower boundaries on confidentiality and integrity
>Bell-LaPadula – confidentiality model; lattice model; developed by military
  - Simple (read) Property – no read up
  - Star (write) Property – no write down
  - Strong Star Property – stay where you are; no read/write up or down
>Biba – integrity model; lattice model
  - Simple Integrity (read) Property – no write up
  - Integrity Star (write) Property – no read down
>Clark-Wilson – integrity model; well formed transactions; isolation model; UDI, CDI, TP
  - Any application can access UDI
  - Only TP (trusted process) can access CDI
  - Access triple – subject must go through TP to access object
  - Prevents unauthorized users from making modifications; prevents authorized users from making improper modifications
>Non-Interference (Take-Grant) Model – isolation into domains
>Brewer Nash Model (Chinese Wall) – context not content; eliminate conflict of interest

Evaluation Criteria
>Trust – is system designed to meet needs
>Assurance – how well does system work in correct and predictable manner
>Unbiased third party; only looking at TCB, not performance
>Trusted Network Interpretation (TNI) (Red Book) – network
>TCSEC (Orange Book) – individual system (operating system)
  - Developed for DOD; confidentiality based on Bell-LaPadula
  - Functionality (trust) and assurance are not evaluated separately; basically just trust
  - A – Verified Protection (formal): formal, verified design and secure delivery
  - B1,2,3 – Mandatory Protection (security labels): B1-Labeled; process isolation. B2-Structured; separation of operator and admin functions, protect covert storage channels. B3-Security Domains; trusted recovery, security admin role, protect covert timing channels
  - C1,2 – Discretionary Protection: C1-Discretionary; separates users and data. C2-Controlled; object reuse (media cleansing), audit trail
  - D – Minimal Protection
>ITSEC
  - European
  - Separated function (trust) and assurance: F1-10 Functionality, E0-6 Assurance
  - Examined CIA, not just C (Orange Book); examined network system, not just stand alone (Orange)
>ISO/IEC 15408 (Common Criteria)
  - TCSEC too rigid, ITSEC too broad
  - Customer presents Protection Profile (what they need system to do)
  - Vendors provide Target of Evaluation (TOE)-system and Security Target-documentation of how system meets needs; Packages – add-ons to Protection Profile, Evaluation Assurance Levels (EAL)
  - Auditors evaluate function and assurance and assign EAL 1-7 to how TOE meets Protection Profile
>Certification – does it meet technical requirements?; independent, third-party
>Accreditation – acceptance of product security and risk by mgmt
  - C&A need to happen on an on-going basis

Threats
>Covert Channels – storage (easier to detect) and timing (use of system resources)
>Async Timing Attack
  - TOC/TOU (diff btw check and use)-race attack
  - Race Conditions
  - Sequence attack
>Code Injection
>Buffer Overflow – overwrite other memory; ensure input is in proper format
>Smart Card – microprobing (attack chip), fault generation (manipulate environment to generate fault), eavesdropping, software protocol attack, side channel

7 – Telecommunications
>PORT NUMBERS: FTP 20/21, SSH 22, Telnet 23, SMTP 25, ESP 50, AH 51, DNS 53, DHCP 67/68, HTTP 80, Kerberos 88, POP 110, NNTP 119, NTP 123, IMAP 143, LDAP 389, HTTPS 443, S-LDAP 636, L2TP 1701, PPTP 1723, RDP 3389
>Man-in-the-Middle (MITM)
>MAC – 48 bits (24 manuf ID, 24 host ID)
>DNS – secure zone transfer and protect against cache poisoning
>Cabling
  - Coax: Thinnet (10Base2, RG58)-185m, BNC; Thicknet (10Base5, RG8, 11)-500m, AUI, Vampire Tap; both 50ohm terminator; RG6, 59-broadband, 75ohm terminator
  - Twisted Pair: 100m, RJ-45, vulnerable to EMI (motor) and RFI (fluorescent lights), Cat 1-7
  - Fiber: more secure, 2000m, expensive
  - Plenum Rated – do not release dangerous chemicals when burned
>Token Ring – MAU (central hub) that distributes token
>Polling – HDLC, SDLC
>Firewall:
  - Packet Filtering – individual pkts, source/destination IP addr, port numbers
  - Stateful – keeps track of connection states
  - Circuit Proxy – similar to pkt filter but breaks connection (pkt filter proxy), SOCKS
  - Application Proxy – evaluates specific parts of application: URL, content, directory service info
>Bastion – hardened host for Internet facing services, in DMZ
>Firewall – DMZ – Firewall
>Screened Host – proxy behind router, separation btw trusted and untrusted networks
>Dial-Up: SLIP, PPP – data link connections for modems
  - PPP – encapsulation for multi-protocol pkts over ptp links, PAP/CHAP/EAP authentication
    # PAP – authentication plaintext
    # CHAP – periodic rechallenge, 3-way handshake, challenge/hash/response; MS-CHAPv2-mutual
    # EAP – multiple auth mechanisms: MD5-Challenge, One-Time Password, Generic Token Card, RADIUS
>Tunneling
  - PPTP: PPP tunneled through IP network; Microsoft MPPE; CHAP or EAP
  - L2TP: no inherent security (works with IPSec)
  - IPSec: Layer 3 tunneling
  - SSTP: secure sockets; uses existing SSL 443 port open on firewall
>FDDI – dual ring, token passing
>CSU/DSU – converts LAN traffic to format for T1/T3 lines
>T1-1.544Mbps, T3-44Mbps
>ISDN – ckt switched for last mile, all digital, many features
  - BRI – 2B channels (64kbps), D channel (16kbps for call setup); usable bw is 128kbps, total is 144kbps
  - PRI – 23B channels, D channel; total bw is 1.544Mbps
>X.25 and FR – variable length packets; X.25 lots of error checking; FR is connection-oriented, PVC, SVC, CIR, pkt-switching
>SMDS – pkt switched, connectionless
>ATM – fixed length 53 byte cells
>PBX Threats – eavesdropping, toll fraud, phreakers; Red (coins), Blue (tones), Black Boxing (volt)
>Wireless
  - WAP – scaled down version of TCP/IP for mobile devices connecting to Internet; WTLS (wireless SSL); "Gap in the WAP is at the Gateway" – only in WAP 1; server translates from WTLS to SSL for Internet
  - Authentication – RADIUS; Encryption – WEP, WPA, WPA2
  - AP, SSID, Open System-no key required, War Driving, Sniffing (NetStumbler, AirSnort)
  - WEP – stream cipher, weak IV, shared key, too short (WEPCrack)
  - Enable WEP, change SSID, disable broadcast SSID, authentication (RADIUS), AP location, DMZ, ACL
>Cell Phones – ESN and MIN used to clone phone; Bluesnarfing (intercept), Bluejacking (spam), Slamming (change service provider), Cramming (extra charges)
>802.11 Wireless: a – 5GHz, 54Mbps; b – 11Mbps, 2.4GHz; g – 2.4GHz, 54Mbps; i – WAP

11 – Application Security
>Databases, especially relational; data warehousing; Development – SDLC
>Why buggy code? – customers demand quick release, many lines of code, change quickly, security after
>Development Models
  - Waterfall – structured, finish each part then start next
  - Prototyping – basic prototype that evolves each round
  - Spiral – combo of waterfall and prototyping
  - Clean Room – "perfect process yields a perfect product"
  - Extreme – quick development, many teams; Rapid Application Development (RAD)
>7 Lifecycle Phases: Project Initiation (initial risk), Functional Design (big picture), System Design (specs), Software Development (write code), Install/Test/Implement (separate testers, C&A), O&M (code in library, CCB), Disposal
  - differentiate from Operational Phases (Vulnerability Testing, Monitoring, Auditing)
>Life Cycle Assurance – designed and overseen
>Operational Assurance – does it work correctly, day-to-day
>Verification – does it do what it is supposed to
>Validation – does it meet user needs (real world use)
>Computer Aided Software Engineering (CASE) – automated tools for programmers
>Capabilities Maturity Model (CMM, CMMI) – rate organization based on PM of software development
  - Level 1 Initiating (heroic effort to be successful)
  - Level 2 Repeatable
  - Level 3 Defined (structured)
  - Level 4 Managed (quantitative measure)
  - Level 5 Optimizing (continuous improvement)
>Project Eval and Review Technique (PERT) – use best/worst/realistic estimates; (P+O+4*R)/6
>Object Oriented Programming – modular, efficient, flexible
  - Classes (animal), Objects (dog), Attributes (breed), Variables (name, sex, weight)
  - Modular, snapping in of code as needed
  - Polymorphism – same input can provide diff output depending on context; telephone book vs. HR db
  - Methods = Commands
  - Abstraction = black box, suppress details
>Cohesion – singleness of process (high)
>Coupling – how dependent on other processes (low)

Databases
>Relational (lots of little tables) – Hierarchical (root, branch, AD) – Distributed (lots spread out, DNS)
>Relational
  - Primary key – unique to distinguish records, can't be null
  - Foreign key – primary key in other db
  - Normalize – create good db form
  - Attributes – categories in columns
  - Tuple – data in row (cardinality = # of rows)
  - Cell – intersection of row and column
  - Schema – holds data that describes db, relations described by schema
  - Meta-data – data about data
  - Data Dictionary – definitions, supports data, repository of meta-data
>ODBC – allows front end apps to communicate with db drivers; universal access; translator
>ACID Test – all dbs should meet
  - Atomicity (changes committed or rolled back)
  - Consistency (rules of integrity followed)
  - Isolation (processes separate)
  - Durability (once changes committed, can't be rolled back)
>Polyinstantiation – diff set of data for lower and higher clearance
>Issues – Aggregation (adding up gives higher classif), Inference (derive info from other facts)
    # Polyinstantiation is best defense against both; noise
  - Views (restricted interface), Checkpoints, Concurrency (dead-lock), Trusted Front End (users don't directly access db)
>Content Dependent Access (confidentiality)
>Context Dependent Access (conflict of
interest) >Integrity - Entity Integrity – every record has unique primary key, not null - Referential Integrity – data referenced in one table must exist in home table - Semantic Integrity – enforces rules of validation >Data Warehousing – combine data from several db; aggregation >Data Mart – sub of data warehouse >Data Mining – looking for trends, meta-data, big picture; fraud detection >Expert System – AI, knowledge base, emulate human logic, - Rule-based (If-Then) - Inference Engine-pattern-based - Fuzzy Logic – grey areas >Artificial Neural Network - mimic neural structure of brain, learn from new experiences, remember - only as good as experience given >Distributed Computing - COM – interactivity on single system (ORB-non Microsoft environment) - DCOM – interactivity on distributed system (CORBA-non Microsoft environment) - OLE – allows objects to be embedded (Excel in PowerPoint); COM and DCOM enable OLE >Mobile Code - code that runs on client system; Macros, Java, JavaScript, ActiveX, exe email attachments - ActiveX uses COM, DCOM, OLE; allows linking and embedding - Java – Virtual Machine allows platform independence, run in sandbox to contain >CGI Scripting – interaction between form and db; risk to db server; input validation important >Cross Site Scripting (XSS) – link takes to malicious site; often in phishing >Cookies – file saved in browser; first party (placed by website), third party (sold to other website); persistent or session based >EICAR – benign file in AV system for testing 6 – Physical Security >Security through Obscurity – not really a valid defense >Minimize doors; in/out access (not through access) >Bollard – small columns to prevent driving attack >Positive air flow for HVAC and water flow >Law/Regulations; Low cost, high benefit >Detect/Deny/Delay/Deter >Fortress Mentality – false sense of security, no defense in depth >Crime Prevention Through Environmental Design (CPTED) – design environ for security - Surveillance (can see easily), 
Access Control, Territoriality (bldg well maintained), Activity Support (fill up empty rooms with employees) >Fencing – 3-4ft (casual), 6-7ft (too high to climb easily climb), 8ft (deter determined), PIDAS (sensor), Concrete (should be at least 10ft); can only deter/delay, not prevent Normal security – 2in, 9 gauge; smaller inch and higher gauge better security >Lighting is good deterrent control; at least 8ft high and two ft candle power >CCTV: PTZ -pan, tilt, zoom; short focal length = wide angle view; small lens size = greater depth of field >IDS: electromechanical (magnetic switch, metallic foil, pressure mats), volumetric (vibration, IF), motion detector (change in frequency) >UL 611-1988 Std – burglar alarm have 24 hrs without loss of primary power >Windows: Polycarbonate (strongest), Plexiglass (toxic when burn) >Door should open in, solid core >Locks: Conventional/Preset (susceptible to picks), Cipher (code, door delay, key override, hostage) >Piggybacking: best defense is security guard > Humidity 45-60%; Temp 70-74F >Order for Power: 1. Line Conditioner 2. UPS 3. 
Backup Generator >Power: Spike, Surge (excess); Fault, Blackout (loss); Sag, Brownout (degradation) >Fire - Detectors: Ionization (early), Thermal (fixed, rate), Photoelectric (light interrupt), Infrared (flames) - Extinguishers – in sight, within 50 feet of electrical, near exits, inspect quarterly - A Combustibles (water, soda); B Liquid (CO2,FM-200, Argon), C Electrical (CO2, FM-200), D Metals (powder), K Kitchen (wet chemicals) - Fires need fuel, oxygen, high temperatures, chemical reaction - Halon changes chemical reaction but dangerous; replace with FM-200, Inergen (Montreal Act) - One hour fire time for doors and walls >Wet Pipe – contains water, quick release >Dry Pipe – release after delay >Preaction – combo, link melts before release, best for DC >Deluge – dry, but head open BCP/DR >Risk Management; Business Impact Analysis >Disaster Recovery – immediate event response (sky is falling) >Business Continuity – restore operations after major event (sky fell, now get back up and running); mitigate negative effects of disruption Disaster – 3 to 5 days Catastrophe – partial or total destruction of building >Contingency Plan – everything else, guidelines, Plan B >Stages: Project Initiation, BIA, Risk Analysis, Risk Mitigation, Implementation, Testing, Maintenance >Securities and Exchange Act 1934 – all publicly held companies required to keep accurate records and maintain controls of systems >Seven Steps: 1. Contingency Policy 2. BIA 3. Preventive Controls 4. Recovery Strategies 5. Contingency Plan 6. Test 7. 
Maintain >After event: Notification, Recovery, Reconstitution >BIA – how impacted by threats; MTD (Critical, Urgent, Important, Normal, Non- essential), RTO, RPO >Alternative Facilities: - Mirrored (full redundancy), Hot (full equip, just load recent data), Rolling (similar to hot, but basic), Warm (partial equip), Cold (facility but no equip) >Backups - Database Shadowing – mirroring, redundancy - Electronic Vaulting – batch transfer of modified files - Remote Journaling – just backup logs >Reconstitution – not out of emergency until back at original; bring up least critical first (test) >Tests: Checklist, Structured Walk Through (table top), Simulation (up to move), Parallel (move to alternate), Full-Interruption (risky) >Post Incident Review – never placing blame >DR Plan developed after BIA and submitted to mgmt for approval 10 – Legal and Ethics >ISC2 Code of Ethics >Which institute says what >Laws but no dates >Evidence collection, Incident handling Ethics >ISC2 Canons: - Protect society - Act honestly - Serve Principals - Advance Profession >IAB (RFC 1087) – Internet use is privilege; specific actions unethical >GASSP (GAISP) – organizations writing policies; responsibilities, accountability >Computer Crime - Difficult to identify crimina- Motive, Opportunity, Means – required to prosecute crime - Difficulties: cross-jurisdiction, transborder (safe harbor), new types of crimes, intangible evidence >Laws: - Civil Law (Tort)-damage or loss, preponderance of evidence required, proximate causation, no jail time - Criminal Law – protect public, guilt beyond reasonable doubt, jail time - Administrative Law (Regulatory) – industry laws, gov’t regulations, jail or financial - Intellectual – trade secret, copyright (artists), trademark (symbol), patents (inventions, 20yrs), OECD WIPO-international >Encryption – export allowed to non-terrorist states (key size restrictions), Wassanaar Agreement >Patriot Act – monitor comms without warrant >Computer Security Act – 
federal agencies sensitive info >Economic Espionage Act – corporate spying >Liability – Prudent Man (due care, due diligence); downstream liability; protect others from unreasonable risks; cost of countermeasure less than loss potential then can be liable >Regulatory Compliance – SOX (corporate accountability), GLB (banking customer privacy), Basel II (international banking), HIPPA (medical) >Independent audits to measure compliance >Personally Identifiable Information (PII) – falls under privacy laws >Privacy – employee needs to acknowledge no expectation of privacy; monitor all or none >Violation Analysis – capture system activities, violations, etc. to find solution >Incident Mgmt – Detect, Triage (contain), Respond - Contain damage, prevent further data, copy data - Computer Incident Response Team - Learn about attack (incident response) or prosecute (forensics)? – different actions >Evidence - thosecute: forensics - collect data while preserving evidence - 4 Amendment – search and seizure; applies to law enforcement - Evidence collection: subpoena, search warrant, voluntary consent, exigent circumstances - Copy memory (bit by bit, slack space, hash), Photograph, avoid powering down, labeling - Chain of Custody (who, when, why) - Lifecycle of Evidence: Collection, Analysis, Storage, Present, Return to Owner - Poorly trained staff most common cause of improper evidence collection - Req for Court: Material, Competent, Relevant - Evidence Types: Direct (witness), Real (used in crime), Best (most reliable), Secondary (testimony of witness), Corroborative (supports other evidence), nd Circumstantial (suggests another fact), Hearsay (2 hand, copies-computer generated), Demonstrative (presentation based, photos), Opinion, Documentary (business records) >Audit trails can only be used if produced during normal course of business (no single out) >Business records can be used if during normal business
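Worked example for the TOC/TOU race listed under Threats above. This is an added illustration, not part of the original notes: the file names, the temp directory and the relink() helper are constructed for the demo. It runs the vulnerable check-then-use pattern and the open-then-fstat pattern under the same interference (a symlink swapped in between check and use) so the difference in what each reads is visible.

```python
import os
import shutil
import stat
import tempfile

# O_NOFOLLOW is a POSIX open flag; on a platform without it the symlink refusal
# below degrades to the fstat() check alone.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def read_check_then_use(path, interleave=None):
    """Vulnerable pattern: check the *name*, then use the *name* a second time.

    Everything between lstat() and open() is the time-of-check/time-of-use
    window; `interleave` stands in for whatever another process does there.
    """
    if not stat.S_ISREG(os.lstat(path).st_mode):   # time of check
        return None
    if interleave:
        interleave()                               # the race window
    with open(path, "rb") as f:                    # time of use (follows symlinks)
        return f.read()


def read_open_then_check(path, interleave=None):
    """Safer pattern: open first, then validate the descriptor you will use.

    O_NOFOLLOW refuses to traverse a symlink at the final path component, and
    fstat() inspects the object actually opened, so relinking the name between
    the two calls cannot change what is read.
    """
    if interleave:
        interleave()                               # same interference, before the open
    try:
        fd = os.open(path, os.O_RDONLY | O_NOFOLLOW)
    except OSError:                                # e.g. ELOOP: the path became a symlink
        return None
    if not stat.S_ISREG(os.fstat(fd).st_mode):     # check the opened object itself
        os.close(fd)
        return None
    with os.fdopen(fd, "rb") as f:
        return f.read()


def _scenario():
    """Constructed sample: a harmless file and a 'secret' file in a temp dir."""
    work = tempfile.mkdtemp()
    harmless = os.path.join(work, "report.txt")
    secret = os.path.join(work, "secret.txt")
    with open(harmless, "wb") as f:
        f.write(b"public\n")
    with open(secret, "wb") as f:
        f.write(b"SECRET\n")

    def relink():
        # Stands in for a concurrent process swapping the checked name for a
        # symlink to a file the reader was not supposed to reach.
        os.remove(harmless)
        os.symlink(secret, harmless)

    return work, harmless, relink


def demo():
    """Run both patterns under the same interference and report what each read."""
    results = {}
    work, harmless, relink = _scenario()
    results["check_then_use"] = read_check_then_use(harmless, interleave=relink)
    shutil.rmtree(work)

    work, harmless, relink = _scenario()
    results["open_then_check"] = read_open_then_check(harmless, interleave=relink)
    shutil.rmtree(work)

    work, harmless, _ = _scenario()
    results["open_then_check_undisturbed"] = read_open_then_check(harmless)
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point to take from it: the fix is not a faster check but checking the same object that is used (the open descriptor), which removes the window rather than shrinking it.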
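Worked example for the CHAP three-way handshake (challenge/hash/response with periodic re-challenge) from the Telecommunications notes above. It is an added illustration, not part of the original notes; the Authenticator and Peer classes, the peer name and the shared secret are constructed for the demo. The response computation follows RFC 1994 (MD5 over Identifier, secret and Challenge); the transcript check at the end shows the property that separates CHAP from PAP, namely that the secret never crosses the link.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues challenges and verifies responses against stored secrets."""

    def __init__(self, secrets: dict):
        self._secrets = secrets          # name -> shared secret (constructed sample data)
        self._identifier = 0
        self._outstanding = {}           # identifier -> challenge, consumed on first use

    def challenge(self):
        """Step 1: send (Identifier, Challenge). A fresh random value each time is
        what lets periodic re-challenges defeat a replayed response."""
        self._identifier = (self._identifier + 1) & 0xFF
        chal = os.urandom(16)
        self._outstanding[self._identifier] = chal
        return self._identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: Success/Failure. The challenge is removed on use so the same
        response can never be accepted twice."""
        chal = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: proves knowledge of the secret without transmitting it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes):
        """Step 2: send (Identifier, Response, Name)."""
        return identifier, chap_response(identifier, self._secret, challenge), self.name


def run_handshake():
    """Drive the exchange and record every message as it would cross the link."""
    secret = b"s3cret-shared-key"              # constructed sample secret
    server = Authenticator({"alice": secret})
    alice = Peer("alice", secret)
    impostor = Peer("alice", b"wrong-guess")   # knows the name, not the secret
    wire = []                                  # what a passive listener would capture
    results = {}

    # Normal three-way handshake.
    ident, chal = server.challenge()
    wire.append(("Challenge", ident, chal))
    ident, resp, name = alice.respond(ident, chal)
    wire.append(("Response", ident, resp, name))
    results["first_auth"] = server.verify(ident, name, resp)

    # Periodic re-challenge: the captured response no longer matches because the
    # identifier and challenge have changed.
    ident2, chal2 = server.challenge()
    wire.append(("Challenge", ident2, chal2))
    results["replayed_response"] = server.verify(ident2, name, resp)

    # A peer holding the wrong secret fails against a fresh challenge.
    ident3, chal3 = server.challenge()
    _, bad_resp, _ = impostor.respond(ident3, chal3)
    results["wrong_secret"] = server.verify(ident3, "alice", bad_resp)

    # The shared secret appears in none of the captured messages.
    results["secret_on_wire"] = any(secret in field for msg in wire
                                    for field in msg if isinstance(field, bytes))
    return results


if __name__ == "__main__":
    print(run_handshake())
```

MD5 is used here only because that is what the base CHAP specification prescribes; the freshness of the challenge, not the hash, is what blocks replay, which is why the re-challenge interval matters in the notes.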
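Worked example for the database integrity kinds (entity, referential, semantic) and the Atomicity part of the ACID test from the Databases notes above. It is an added illustration, not part of the original notes; the department/employee schema and the sample rows are constructed for the demo, and SQLite via Python's standard sqlite3 module stands in for a full DBMS. Each constraint in the schema maps to one integrity kind, and the last step shows an all-or-nothing batch being rolled back.

```python
import sqlite3

# Constructed sample schema; each constraint maps to one integrity kind.
SCHEMA = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,                 -- entity integrity: unique, not null
    name    TEXT    NOT NULL UNIQUE
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,                 -- entity integrity
    name    TEXT    NOT NULL,
    salary  INTEGER NOT NULL CHECK (salary > 0), -- semantic integrity: validation rule
    dept_id INTEGER NOT NULL
                    REFERENCES department(dept_id)  -- referential integrity
);
INSERT INTO department VALUES (10, 'Security');
"""

INSERT_EMP = "INSERT INTO employee (emp_id, name, salary, dept_id) VALUES (?, ?, ?, ?)"


def open_db():
    """In-memory database with the sample schema. SQLite ignores FOREIGN KEY
    clauses unless the pragma is switched on for the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def try_insert(conn, row):
    """Insert one employee; report whether the DBMS accepted or rejected it."""
    try:
        conn.execute(INSERT_EMP, row)
        conn.commit()
        return "ok"
    except sqlite3.IntegrityError:
        conn.rollback()
        return "rejected"


def insert_batch(conn, rows):
    """Atomicity: all rows are committed or, if any one violates a constraint,
    none are. The connection context manager commits on success and rolls back
    when an exception escapes the block."""
    try:
        with conn:
            for row in rows:
                conn.execute(INSERT_EMP, row)
        return True
    except sqlite3.IntegrityError:
        return False


def employee_count(conn):
    return conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]


def demo():
    conn = open_db()
    r = {}
    r["referential"] = try_insert(conn, (1, "alice", 100, 99))       # dept 99 does not exist
    r["semantic"] = try_insert(conn, (1, "alice", -5, 10))           # salary must be > 0
    r["entity_first"] = try_insert(conn, (1, "alice", 100, 10))      # valid row
    r["entity_duplicate"] = try_insert(conn, (1, "alice2", 100, 10)) # duplicate primary key
    # bob is valid, carol is not: the batch must leave no trace of bob either.
    r["atomic_batch"] = insert_batch(conn, [(2, "bob", 90, 10), (3, "carol", 80, 99)])
    r["rows_after"] = employee_count(conn)
    conn.close()
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The foreign-key pragma is the practical caveat: a schema can declare referential integrity and still not enforce it if the engine or connection is not configured to check it, which is the kind of gap an audit of the database should look for.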