ملخص كتاب CISSP All-in-One Exam Guide PDF
ملخص كتاب CISSP All-in-One Exam Guide PDF
ملخص كتاب CISSP All-in-One Exam Guide PDF
DISCLAIMER .................................................................................................................................... 2
CHAPTER 1: Security and Risk Management ................................................................................. 3
CHAPTER 2: Asset Security ........................................................................................................... 15
CHAPTER 3: Security Engineering ................................................................................................ 19
CHAPTER 4: Communication and Network Security ................................................................... 44
CHAPTER 5: Identity and Access Management ........................................................................... 88
CHAPTER 6: Security Assessment and Testing .......................................................................... 104
CHAPTER 7: Security Operations ............................................................................................... 113
CHAPTER 8: Software Development Security ........................................................................... 136
Page | 1
DISCLAIMER
This document is presented as a free digital document only.
This document represents the effort of the author in summarizing the key points of the “CISSP
All-in-One Exam Guide, 7th Edition” by “Shon Harris”, with an addtion of extra remarks and
content from outside the book. Hereby, I do not have any copyright on the original “CISSP All-in-
One Exam Guide”, and their original copyrights holders owns all the rights on their book and
related materials.
In addition to that, reader is STRONGLY ENCOURGED to purchase the full “CISSP All-in-One Exam
Guide” book by “Shon Harris” and ready it thoroughly and use this digital document as a handy
document to revise and memorize the most important topics and definitions from the book.
Please exuse any typos in this digital document as it is a result of a personal effort, which was
mainly generated for a personal prepare for the exam use, and have not gone through a formal
reviewing process. Though, the author believes that putting in on the Internet for public use can
support people prepaing for their CISSP exam.
Page | 2
CHAPTER 1: Security and Risk Management
Vulnerability Weakness in the system that allows a threat source to compromise its
security.
Threat Potential damage that is associated with the exploitation of a vulnerability.
Threat Agent The entity that takes advantage of a vulnerability.
Risk Likelihood of a threat source exploiting a vulnerability and the
corresponding business impact.
Exposure An instance of being exposed to losses.
Control Countermeasure that is put in place to mitigate (reduce) the potential risk.
Types of controls:
• Technical
• Administrative
• Physical
Functions on controls:
• Preventative
• Detective
• Corrective
• Deterrent
• Recovery
• Compensating
Page | 3
• SABSA: similar to Zachman framework. It is a layered framework with its first layer
defining business requirement from a security perspective. It is security enterprise
architecture framework.
Sarbanes-Oxley Act (SOX): U.S. federal law that could send executives to jail if it were discovered
that their company was submitting fraudulent accounting findings to U.S. government. SOX is
based on COSO model.
• Computer-assisted crime (the crime can happen without computer): computer was used
as a tool to help carry out crime (attack banking system to steal money, obtaining
intellectual property from military system).
• Computer-targeted crime (couldn’t take place without computer): computer was the
victim of the attack (DoS, capturing passwords, installing malware).
Page | 4
• Computer is incidental: computer is not the attacker or the attackee. It just happened to
be involved when a crime was carried out (child pornography storage)
Safe Harbor Privacy Principles: outlines how U.S.-based companies can comply with the EU
privacy principles.
• Notice: individuals must be informed that their data is being collected.
• Choice: ability for individual to opt out from data collection.
• Onward Transfer: transfer data to 3rd parties to only parties that follow data
protection principles.
• Security: reasonable efforts must be made to protect collected data.
• Data Integrity: data must be relevant and reliable for the purpose it was collected for.
• Access: individual can access information held about him and correct or delete.
• Enforcement: there must be effective means of enforcing these rules.
Legal Systems:
• Civil (Code) Law: rule-based law (mostly used in Europe).
• Common law: based on previous interpretations of laws (used in US and UK).
o Criminal: addresses behavior harmful to society. Punishment involves loss of
freedom or monetary fines.
o Civil/tort: defendant’s breach of duty causes injury to the victim, usually physical
or financial.
o Administrative (regulatory): laws created by administrative agencies
(international trade, manufacturing, environment, immigration). Usually applied
to companies and individuals within specific industries.
• Customary Law: based on tradition and customs of the region.
• Religious Law: based on religious beliefs of the region.
• Mixed Law: most often civil and common law.
Trade secret: no expiration date unless information is no longer secret or no longer provide
economic benefits (formula of Pepsi, new form of mathematics, source code of a program).
Copyright: protects right of the creator of an original work to control public distribution,
reproduction, displays and adaption of that original work:
• It protects the expression of the ideal of the resource instead of the resource itself.
• Putting the © symbol is not required.
• Provides protection for life + 50 years.
• Warez attack: use copyrighted materials illegally (BitTorrent).
Trademark: protect a word, name, symbol, sound, shape, color, or combination of these
(protect brand identity).
Page | 5
• Strongest form of intellectual property protection.
• Non-Practicing Entities (NPE) perform patent trolls by getting patents without the
intention to manufacture the product, but with an aim to sue others if the patent was
used.
Freeware: publicly available software free of charge and can be used, used, modified, etc.
Shareware/Trialware: used by vendors to market their software.
Commercial software: sold for or serves commercial purposes.
Academic software: provided for academic purposes at a reduced cost. It can be open source,
freeware, or commercial software.
End User License Agreement (EULA) specifies more granular restrictions that a master
agreement.
Personally Identifiable Information (PII): data that can be used to uniquely identify, contact, or
locate a single person.
Laws:
• Federal Privacy Act: agencies can collect and hold individual’s private date if it is relevant
to accomplish agency’s purpose. Agency cannot disclose this information without written
permission from the individual.
• Gramm-Leach-Bliley Act: also known as Financial Services Modernization Act. Required
financial institutions to develop privacy notices and give customers the option to prohibit
sharing their information with nonaffiliated third parties.
• Health Insurance Portability and Accountability Act (HIPAA): provide national standards
and procedures for the storage, use, and transmission of personal medical information
and healthcare data. (Another name: Kennedy-Kassebaum Act).
• FISMA: law that requires every federal agency to create, document, and implement
agency’s wide security program.
• Department of Veterans Affairs Information Security Protection Act: narrow scope (only
applies to the VA) but it is an example to bolt security after a breach (the stolen laptop).
• Health Information Technology for Economic and Clinical Health (HITECH) Act: promote
the adaption and meaningful use of health information technology.
• USA PATRIOT Act: Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism Act. (reduce restriction of agencies
searching telephones, email, medical, etc. deporting immigrants).
• Personal Information Protection and Electronic Documents Act (PIPEDA): Canadian law
that deals with the protection of personal information. This law put trust on Canadian
businesses for international trading.
• Payment Card Industry Data Security Standard (PCI DSS): credit card companies joint
force and came up with a separate entity to look after this standard. It is a private-sector
industry initiative and it is not a law.
Page | 6
• Federal Sentencing Guidelines: extended to cover computer crimes. Senior management
can be held responsible if company did not comply with the laws set out for them.
Privacy vs. Security: privacy is the ability of an individual/group to control who has certain types
of information about them. Security is used to enforce these privacy rights.
Employee Privacy:
• Monitoring must be work related.
• All employees are subjected to monitoring, not just one or two employees.
• Clearly explained for employees through security policy and constant reminder.
HITECH states that company must report data breach to HHS and to the affected individuals
within 60 days. For companies who complies with HITECH recommendations, it is not required
to report a data breach.
GLBA requires notification to the federal regulators, law enforcement authorities, and affected
customers.
Economic Espionage Act enables FBI to investigate industrial and corporate espionage cases. This
act protects corporation’s IP.
European Union requires notification to the affected parties to take place within 24 hours of
discovery of breach. A complete detailed notification may be distributed no later than 3 days.
Issue-specific policy: also called functional policy. Addresses specific issue that management
feels it needs more detailed explanation (e.g. email security policy, access control policy, change
control policy).
Page | 7
System-specific policy: presents the management’s decision that are specific to the actual
computers, networks, and applications (e.g. how sensitive data in database must be protected,
who can access it, how to audit it. How laptops should be locked down).
Types of polices:
• Regulatory: ensures that the organization is following standards set by specific industry
regulations (HIPAA, GLBA, SOX, PCI DSS).
• Advisory: advises employees as to which types of behaviors and activities should and
should not take place within the organization.
• Informative: not an enforceable policy, but rather teaches individuals about specific
issues relevant to the company (e.g. how the company interacts with partners, general
reporting structure).
Standards: mandatory activities, actions, or roles (e.g. employee must wear ID badge, must
encrypt data).
Baselines: a point in time that is used as a comparison for future changes. All further comparison
and development are measured against the baseline.
Guidelines: recommended actions and operational guides to users. IT staff, operations staff, and
others when a specific standard does not apply. They can also be used as a recommended way
to achieve specific standards when those do apply.
Procedures: detailed step-by-step tasks that should be performed to achieve a certain goal (e.g.
how to install operating systems). It is considered as the lowest level in the documentation chain.
Risk Management: the process of identifying and assessing risk, reducing it to an acceptable
level, and ensuring it remains at that level.
NIST SP 800-39 defines 3 tiers of risk management: Organizational, Business Process, Information
Systems. It describes 4 components that comprise the risk management process:
1. Frame risk: What are the assumptions? What are the priorities? What management
wants?
2. Assess risk: assessing the risks.
3. Respond to risk: mitigate risk, accept risk, transfer risk, etc.
4. Monitor risk: continuously monitor the effectiveness of our controls against the risk.
Information Systems Risk Management (ISRM) policy: is a subset of the risk management policy,
which is a subset of the organizational security policies.
Threat modelling: the process of describing feasible adverse effects on our assets caused by
threat sources. (vulnerability-threat-attack triad).
Page | 8
Attack tree: expressive way in that show many ways which an attacker can accomplish each
objective (the main objective is in the root).
Reduction analysis: reduce the number of conditions we need to mitigate by finding these
commonalities. Also, the closer you implement the countermeasure to the root of the attack
tree, the more leaf conditions you will defeat with that one control. (goal is to reduce threats and
viable attacks).
Delayed loss: secondary in nature and takes place well after a vulnerability is exploited (e.g.
company reputation, loss of market share, late penalties, civil suites).
NIST 800-30 (IT-based): guide for risk assessment mainly focused on computer systems and IT
security issues.
ISO/IEC 27005:
• International standards for how the risk management should be carried out in the
framework of an information security management system (ISMS).
Page | 9
• Deals with IT and softer security issues (documentation, personnel security, training).
Central Computing and Telecommunication Agency Risk Analysis and Management Method
(CRAMM):
• Automated tools sold by Siemens.
Qualitative and quantitative can be used in hybrid: quantitative for tangible assets and
qualitative for intangible assets.
Uncertainty: the degree to which you lack confidence in an estimate (from 0 to 100 percent).
Delphi Technique: a group decision method used to ensure that member gives an honest
opinion of what he or she thinks the result of a threat would be. This is performed
anonymously.
Handling Risk;
• Risk avoidance: terminate the activity that is introducing the risk.
• Risk mitigation (reduction): risk is reduced to an acceptable level.
• Risk acceptance: company will accept the risk when the cost/benefit ratio indicates that
the cost of the control outweighs the potential loss value.
• Risk transfer: transfer the risk to third party.
SAS 70: Internal controls audit carried out by a third-party auditing organization.
Page | 10
• ISO 31000:2009: not focused on IT.
• ISACA Risk IT: very well integrated with COBIT.
• COSO Enterprise Risk Management—Integrated Framework: not focused on IT.
Business Continuity Management (BCM): the holistic management process that should cover
both of DRP and BCP.
BCM Standards:
• NIST SP 800-34:
1. Develop the continuity planning policy statement.
2. Conduct BIA.
3. Identify preventive controls: implement preventive controls to reduce the risk.
4. Create contingency strategies: critical systems can be brought online quickly.
5. Develop an information system contingency plan.
6. Ensure plan testing, training, and exercises.
7. Ensure plan maintenance.
• ISO/IEC 27031:2011
• ISO 22301:2012
• Business Continuity Institute’s Good Practice Guidelines (GPG)
Page | 11
• DRI International Institute’s Professional Practices for Business Continuity Planners
BCP Project:
1. BCP leader is identified (preferably have good social skills).
2. BCP Committee is formed from different departments and must be aware of the work.
BCP Policy: supplies the framework for and governance of designing and building the BCP
effort. The policy helps the organization understand the importance of BCP by outlining the
BCP’s purpose.
Due care: taking the precautions that a reasonable and competent person would take (e.g. not
ignoring a warning message) (normally applicable to everyone and could be used to show
negligence).
Due diligence: doing everything within one’s power to prevent a bad thing from happening (e.g.
setting appropriate policies, researching threats, ensures audit happen in the right time)
(normally associated with leaders, laws, and regulations).
Separation of duties: makes sure that one individual cannot perform a critical task by himself
(preventive).
Collusion: at least two people are working together to cause some type of destruction or fraud.
Split knowledge: no one person knows or has all the details to perform a task (preventive).
Dual control: two people must be available and active in their participation to complete the
task or mission (preventive).
Rotation of duties: no person should stay in one position for a long time. This is used to
uncover fraudulent activities (administrative/detective).
Page | 12
Mandatory vacation: used to detect fraudulent activities by the employees filling the position
of the employee on vacation (usually 2 weeks).
Employee termination:
• Disable account and change passwords on all systems must be changed immediately.
• Escort terminated employee by manager or a security guard.
• Employee cannot be compelled to perform exit interview or return company property.
Security-awareness training:
• should be tailored to 3 typical audiences: management, staff, and technical employees.
• Should happen during the hiring process, and at least annually after that.
Security governance:
• A framework that allows the security goals of an organization to be set and expressed by
senior management, communicated throughout the different levels of the organization.
• Provides a way to verify the performance of the security activities.
• Coherent system of integrated processes that helps ensure consistent oversight,
accountability, and compliance.
ISO/IEC 27004:2009 used to assess the effectiveness of an ISMS and its controls (security
metrics and measurement).
ISO/IEC 27799: referred to as health informatics. Its purpose is to provide guidance to health
organizations that holds PHI on how to protect such data via implementation of ISO/IEC 27702.
Page | 13
Software Protection Association (SPA) and Business Software Affiliation (BSA): formed to
protect software vendors and their licenses from piracy.
Internet Architecture Board (IAB): Internet is a privilege and should be treated and used with
respect (group of researchers, engineers, executives, etc.).
Blue Boxing Attack: hackers use automated tone simulator that telephone switches perceived
it as authorization for long distance charges (other attacks followed are Red Boxes and Black
Boxes).
Page | 14
CHAPTER 2: Asset Security
Classification levels:
• Commercial business: Confidential – Private – Sensitive - Public
• Military: Top secret – Secret – Confidential - Sensitive but unclassified (SBU) – Unclassified
Not only data need to be classified, sometime applications and whole systems may need to be
classified.
Executive management are ultimately responsible for everything that happens in their
organization.
Chief Information Officer (CIO) is responsible for the strategic use and management of
information systems and technology within the organization. He may report to either the CEO or
CFO.
Chief Privacy Officer (CPO) is usually an attorney and is directly involved with setting policies on
how data is collected, protected, and given out to third parties.
Chief Security Officer (CSO) is responsible for understanding the risks that the company faces
and for mitigating these risks to an acceptable level.
Page | 15
Data owner is usually a member of management who is in charge of a specific business unit. The
data owner decides on the classification of data under his responsibility.
Data custodian is responsible for maintaining and protecting data. This role is usually filled by
the IT or security department.
Date retention policy take addresses: legal, regulatory, and operational requirement.
e-Discovery: discovery of electronically stored information (ESI) is the process of producing for a
court or external attorney all ESI to a legal proceeding.
NIST 800-111: Guide to storage encryption technologies for end user devices.
States of data:
• Data at rest: resides in secondary storage.
• Data in motion: sent over a network.
• Data in use: RAM, memory cache, CPU registers.
Page | 16
Heartbleed security bug demonstrated how failing to check the boundaries of requests to read
from memory could expose information from one process to others running on the same system.
Data Leak Prevention (DLP): comprises the actions that organizations take to prevent
unauthorized external parties from gaining access to sensitive data.
DLP steps:
1. Conduct a data inventory.
2. Determine data flows.
3. Data protection strategy.
4. Implementation, testing, and tuning (DLP products implementation).
Page | 17
DLP products can be compared by:
• Sensitive data awareness: analysis of documents and data for sensitive content (e.g.
keyword, regular expressions, tags, statistical methods).
• Policy engine: some allow extremely granular control but required obscure methods to
defining these policies.
• Interoperability.
• Accuracy.
Misuse case describes threat actors and tasks they want to perform on the system.
DLP resiliency: the ability to deal with challenges, damage, and crisis and bounce back to normal
or near-normal condition in short time.
Network DLP (NDLP): applies data protection policies to data in motion. Usually implemented as
appliance that are deployed at the network perimeter.
Endpoint DLP (EDLP): applied protection policies to data at rest and data in use. Usually called a
DLP agent and it communicates with the DLP policy server to update policies and report events.
Hybrid DLP: deploy both NDLP and EDLP across the enterprise.
Passive relocking: it can detect when someone attempts to temper with it and engages an extra
bolt to ensure it cannot be compromised.
Thermal relocking: when a temperature is met, an extra lock is implemented.
Page | 18
CHAPTER 3: Security Engineering
System architecture: describes the major component of the system and how they interact with
each other, with the users, and with other systems.
System development: refers to the entire life cycle of a system: planning, analysis, building,
testing, deployment, maintenance, and retirement phases.
Program counter register contains the memory address of the next instruction to be fetched.
Program status word (PSW) register holds different condition bits. One of the bits indicates
whether the CPU should be working in user mode (problem state) or privileged mode
(kernel/supervisor mode).
Control unit manages and synchronizes the system while different applications’ code and
operating system instructions are being executed.
The CPU is connected to address bus (hardwired connection to the RAM chips or I/O devices).
CPU can send fetch request by sending the memory address in the address bus and receive the
requested data in the data bus.
Page | 19
Multiprocessing (more than one CPU):
• Symmetric mode: each processor is handed work as needed by OS (it is like load-
balancing environment).
• Asymmetric mode: one, or more, processor is dedicated to a specific task or application
(good for time-sensitive applications).
Memory:
Synchronous DRAM (SDRAM): timing of the CPU and timing of memory are synchronized. This
increases the speed of transmission and executing data.
Extended data out DRAM (EDO DRAM): DRAM can only access one block of data at a time, while
EDO DRAM can capture the next block of data while the first block is being sent to the CPU for
processing (look ahead).
Burst EDO DRAM (BEDO DRAM): works like EDO DRAM, but it can send more that at once (burst).
It reads and sends up to 4 memory addresses.
Double data rate SDRAM (DDR SDRAM): carries out read operations on the rising and falling
cycles of a clock pulse.
Tharshing: when a computer spends more time moving data from one small portion of memory
to another than actually processing the data.
Hardware segmentation: memory is separated physically instead of just logically. This adds
another layer of protection to ensure lower privileged process cannot interfere with higher level
process’ memory addresses.
Page | 20
Read-only memory (ROM):
• Non-volatile
• Data cannot be altered.
• Software that is stored within ROM is called firmware.
Flash memory:
• Solid-state technology (no moving parts).
• Erasing function takes place in blocks or on the entire chip.
Cache memory:
• Memory used for high-speed writing and reading activities.
• L1 and L2 caches are usually built into the processors and the device controllers.
Relative addresses: based on a known address with and offset value applied (base + offset).
Memory stack: each process has its own stack in the memory. Stack can be read from and written
to in a last in, first out (LIFO) fashion.
Buffer is an allocated segment of memory (e.g. memory stack). It allows communication between
the requested application and the procedure/subroutine.
Return pointer (RP) is the first thing goes into stack (down), and followed by the parameters.
Buffer overflow attack that work on an Intel chip will not necessary work on an AMD chip.
Page | 21
Address space layout randomization (ASLR) where OS is changing the memory addresses used
by specific process continuously, so an attacker don’t know where to send his attack within
memory.
Data execution prevention (DEP) is implemented via hardware (CPU) or software (OS) to allow
marking certain memory locations as “off limits” with the goal of reducing the “playing field” for
hackers and malware.
Memory leaks:
• some applications are not indicating to the system that certain memory is no longer in
use (OS can starve for free memory space).
• Countermeasures:
o developing better code that releases memory properly.
o Garbage collection.
Process:
• a set of instructions that is actually running. Program is not considered a process until it
is loaded into memory and activated by the OS.
• Collection of instructions + assigned resources = process
Multiprogramming means that more than one program (or process) can be loaded into memory
at the same time.
Mutlitasking means that more than one application can be in memory at the same time and OS
can deal with requests from these different applications simultaneously.
Types of multitasking:
• Cooperative multitasking: processes voluntarily release resources they were using.
• Preemptive multitasking: OS controls how long a process can use a resource.
Unix and Linux allow their processes to create new children processes, which is called spawning.
Process states:
• Running: CPU is executing its instructions and data.
• Ready: waiting to send instructions to the CPU.
• Blocked: waiting for input data such as keystrokes from a user.
Process table maintained by OS. Include a record for each process with the following information:
state, memory allocation, stack pointer, program counter, status of open files in use.
OS can assign priorities to processes to help in decide whether to respond to a process interrupt.
Page | 22
Categories of interrupts:
• Maskable interrupt assigned to an event that is not important.
• Non-maskable interrupt can never be overridden by an application.
Watchdog timer is an example of a critical process that must always do its thing. This process will
reset the system with a warm boot if the OS hangs and cannot recover itself.
Thread:
• made up of individual instruction set and the data must be worked on by the CPU.
• When a process needs to send something to the CPU for processing, it generates a threat.
• Each thread shares the same resources of the process that created it.
An application that carry out several tasks at one time is called multi-threaded.
OS is responsible for controlling deadlocks between processes attempting to use the same
resources (e.g. process A commits resource 1 and needs to use resource 2 to complete its task,
but process B has committed resource 2 and needs resource 1 to finish its job).
OS implements process isolation to protect processes from each other (It is required in
preemptive multitasking):
• Encapsulation of objects: when a process is encapsulated, no other objects understands
or interacts with its internal programming code. It provides data hiding.
• Time multiplexing of shared resources: a technology that allows processes to use the
same resource.
• Naming distinctions: different processes have their own name or identification value (e.g.
process identification, PID).
• Virtual address memory mapping: each process has their own memory space.
Memory manager is a portion of the OS that keeps track of how hierarchy of memories is used
(CPU registers, Cache, Main memory, Swap space in secondary memory).
Page | 23
o Allow many users with different levels of access to interact with the same
application running in one memory segment.
• Logical organization:
o Segment all memory types and provide addressing scheme for each at an
abstraction level.
o Allow for sharing of specific software modules (e.g. DLLs).
• Physical organization:
o Segment the physical memory space for application and OS processes.
CPU uses base register and limit register to ensure the process is accessing its segment of memory
only.
Virtual memory:
• When RAM and secondary storage are combined, the result is a virtual memory.
• Swap space is the reserved hard drive space used to extend RAM capabilities (Windows
use pagefile.sys).
• data sent back and forth between RAM and hard drive in units, called pages. The process
called virtual memory paging.
• When the page is sent back from hard disk to main memory, this process called page fault.
• Security issue: data is kept in the swap space after the process is terminated or the system
is shut down. A routine should be there to ensure data deletion in such cases.
I/O devices:
• Block devices work with data in fixed-size blocks (disk drive).
• Character devices works with stream of characters (printer, NIC, mouse).
OS has a table called interrupt vector or all I/O devices connected to it.
Page | 24
Pre-mapped and fully mapped I/O does not pertain to performance and provide two approaches
that can directly affect security.
Instruction set is a language an OS must be able to speak to properly communicate with CPU (x86
is a family of instruction sets).
Microarchitecture contains the things that made up the physical CPU (registers, logic gates, ALU,
cache, etc.).
Ring-based architecture: OS kernel (ring 0), OS (ring 1), OS utilities and file system drives (ring 2),
other applications (ring 3).
CPU operation modes: OS assigns a process a status level (stored as PSW): user and kernal
modes.
CPU vendor determines the number of available rings, and the OS vendor determines how it will
use these rings.
Process domain: a collection of resources assigned to the process when it is loaded into memory
(run time).
Monolithic architecture: all of the OS processes work in kernel mode (e.g. MS-DOS):
• Complexity
• Portability issues
• Extensibility issues
• Security issues
Layered Operating system architecture: separates system functionality into hierarchical layers
(e.g. THE, VAX/VMS, Multics, Unix):
• Full OS works in kernel mode (ring 0).
• Provides data hiding: instructions and data at various layers do not have direct access to
the instructions and data at any other layers.
• Provides more modularity.
• Provide more portability from one hardware to another (Hardware Abstraction Layer
HAL).
• Downfalls: performance (many layers), complexity (many layers), and security (all OS in
kernel mode).
Microkernel architecture: smaller subset of critical kernel processes, which focus mainly on
memory management and IPC, are running in kernel mode (ring 0):
• More secure
• Complexity is reduced
Page | 25
• Portability is increased
• Performance issues due to mode transitions.
Mode transition takes place every time a CPU has to move between executing instructions for a
processes that work in kernel mode versus user mode.
Thunking: when a 32-bits application wants to run on a 64-bits OS, OS creates a virtual
environment to simulates a 32-bits OS and once a request is received from the application, a
translation happen from 32-bits to 64-bits.
Virtual machine is an instance of an OS. It called guest that runs on a host environment.
Hypervisor within the host environment is responsible for managing system resources.
TCB is not the kernel only. TCB can include trusted commands, programs, configuration files, etc.
Security perimeter: an imaginary boundary that divides the trusted from the untrusted (e.g. strict
APIs must be implemented).
Reference monitor: an abstract machine that mediates all access subjects have to objects, both
to ensure that the subjects have the necessary access rights and to protect the objects from
unauthorized access and destructive modifications (an access control concept).
Page | 26
Security kernel:
• made up of hardware, software, and firmware components that fall within the TCB, and
implements and enforce the reference monitor concept.
• It is the core of TCB.
• Has 3 main requirements:
o Provide isolation to processes carrying out the reference monitor concept, and
processes must be tamperproof.
o Must be invoked for every access attempt.
o Must be small enough to be tested and verified.
Multilevel (multistate) security policies: policies that prevent information from flowing from a
high security level to a lower security level.
Security Models:
Bell-LaPadula:
• Enforces confidentiality aspects of access control.
• Multilevel security system
• Simple security rule: subject cannot read data at higher security level.
• *-property rule: subject cannot write information to a lower security level.
• Strong star property rule: subject with read/write capabilities can only perform both of
these functions at the same security level.
Biba:
• Enforces the integrity of data within a system.
• *-integrity axiom: a subject cannot write data to an object at a higher integrity level (no
write up).
• Simple integrity axiom: a subject cannot read data from a lower integrity level (no read
down).
• Invocation property: a subject cannot request service (invoke) at a higher integrity
(ensure that a dirty subject cannot invoke a clean tool to contaminate a clean object).
Clark-Wilson:
• Users: active agents
• Transformation procedures (TPs): programmed abstract operations (e.g. read, write,
modify).
• Constrained data items (CDIs): can be manipulated by TPs.
• Unconstrained data items (UDIs): can be manipulated by users using primitive read and
write operations.
• Integrity verification procedures (IVPs): check the consistency of CDIs with external
reality.
Page | 27
• Well-formed transaction is a series of operations that transform a data item from one
consistent state to another.
• Separation of duties is implemented by adding a type of procedure (the IVPs) that audits
the work done by the TPs and validates the integrity of the data.
• User uses TPs to operate on CDIs.
• Access triple: subject (user), program (TP), and object (CDI).
Noninterference:
• Implemented to ensure any actions that take place at a higher security level do not affect,
or interfere with, actions that take place at a lower level.
• Mainly focused on addressing covert channels.
Graham-Denning:
• Defines set of basic rights in terms of commands that a specific subject can execute on an
object.
• 8 primitive protection rights:
o How to securely create an object
o How to securely create a subject
o How to securely delete an object
o How to securely delete a subject
o How to securely provide the read access right
o How to securely provide the grant access right
o How to securely provide the delete access right
o How to securely provide transfer access right
Harrison-Ruzzo-Ullman (HRU):
• Deals with access rights of subjects and the integrity of those rights.
• Shows how a finite set of procedures can be available to edit the access rights of a subject.
Page | 28
ITSEC uses E-F rating.
Orange Book (TCSEC) uses A-D ratings. Rate A is the best:
• A: Verified protection
• B: Mandatory protection
• C: Discretionary protection
• D: Minimal protection
The Common Criteria uses protection profiles in its evaluation process, which contains the
following:
• Security problem description: describes the threats
• Security objectives: list the functionalities that the complied product must provide.
• Security requirement: detailed requirement that are enough for system developers and
for evaluation by independent laboratories.
Certification: the comprehensive technical evaluation of the security components and their
compliance for accreditation.
Accreditation: the formal acceptance of the adequacy of a system’s overall security and
functionality by management.
Parallel computing is the simultaneous use of multiple computers to solve a specific task by
dividing it among the available computers.
Bit-level parallelism: when the CPU perform instruction on a value stored in a register, each bit
is processed separately through set of parallel gates.
Task-level parallelism: a program can divide tasks into threads and run them in parallel.
Page | 29
Data parallelism: distribution of data among different nodes that then process it in parallel
(related to task parallelism).
Databases:
Aggregation the act of combining information from separate sources to form new information,
which the subject does not have the necessary access rights to it.
Inference is the ability to derive information not explicitly available (the intended result of
aggregation).
Context-dependent access control means that the software understands what actions should be
allowed based upon the state and sequence of the request.
Cyber-physical system is a system in which computers and physical devices collaborate via the
exchange of inputs and outputs to accomplish a task.
Industrial control systems (ICS): efficiency and safety is important. NIST 800-82 tackle this.
Page | 30
Distributed control system (DCS):
• a network of control devices within fairly close proximity that are part of one or more
industrial processes.
• PLCs are controlling the physical devices.
• A supervisory computer is controlling the PLCs.
• Those days, people think about physical security only.
Maintenance hook:
• A type of a back-door. Usually, enables developer to execute commands by using a
specific sequence of keystrokes.
• Countermeasures:
o Host-based IDS to watch for any attacker using back-doors.
o Use file system encryption to protect sensitive information.
o Implement auditing to detect any type of back door use.
Page | 31
Caesar cipher: shifts each alphabet by 3 positions (monoalphabetic cipher).
ROT13 shifts each alphabet by 13 positions (was used in online forum only).
Kerckhoff’s principle: the only secrecy involved with the cryptosystem should be they key. The
algorithms should be publicly known.
Running key cipher could use a key that does not require an electronic algorithm but uses
components in physical world around you (e.g. algorithm could be set of books agreed upon by
sender and receiver).
Concealment cipher (null cipher) is message within a message (e.g. every third word). It is a type
of steganography method.
Steganography is a method of hiding data in another media type so the very existence of the
data is concealed (type of security through obscurity):
• Carrier: a signal of a file that will hide information.
• Stego-medium: the medium in which information is hidden.
• Payload: the information that is to be concealed and transmitted.
Types of ciphers:
• Substitution cipher replaces bits, characters or blocks.
• Transposition cipher moves the original values around.
Key derivation functions (KDFs) are used to generate keys that are made up of random values.
If more than two keys are created from a master key, they are called subkeys.
Page | 32
Number of keys in symmetric encryption for N users: N(N-1)/2
Secure message format is when the message is encrypted using the receiver’s public key.
Open message format is when the message is encrypted using the sender’s private key.
Avalanche effect: if the input to an algorithm is slightly modified, then the output of the
algorithm is changed significantly.
Stream ciphers use keystream generators, which produce a stream of bits that is XORed with the
plaintext bits.
Initialization vectors (IV) are random values that are used with algorithms to ensure patterns are
not created during the encryption process.
Steam cipher requires more processing power than block ciphers, and better suited
implemented as the hardware level.
Digital envelope: the use of the hybrid encryption method (symmetric and asymmetric). Encrypt
message with symmetric key, and encrypt the encryption key with receiver’s public key.
Session key is a single-use symmetric key that is used to encrypt messages between two users
during a communication session.
Page | 33
Data Encryption Standard (DES):
• DEA is the algorithm name (formerly Lucifer).
• 64-bit block size
• 64-bit key size (56-bit key is used + 8 parity bit)
• 16 rounds of transposition and substitution functions
• It is currently broken
DES modes:
• Electronic Code Book (ECB):
o Fastest and easiest
o Used for small amount of data
o Does not use chaining, so not good for large data (e.g. patterns will show)
o Operations can be run in parallel
o Cannot carry out preprocessing functions before receiving plaintext
• Cipher Block Chaining (CBC):
o Ciphertext block is dependent upon all blocks before it
o IV should be used for first block encryption to avoid patterns
• Cipher Feedback (CFB):
o Great to use for sending large chunks of data at a time
o It is a combination of block cipher and stream cipher
o Can be used to encrypt any size blocks
o Error propagates to all future encryptions
• Output Feedback (OFB):
o Good to encrypt small amount of data when you don’t want error propagation
(e.g. digitized video, digitized voice signal)
o Preprocessing is possible
• Counter (CTR):
o Uses an IV counter that increments for each plaintext block
o No chaining, so the encryption of the individual block can happen in parallel.
Synchronous cyptosystem uses keystream to encrypt plaintext one bit at a time (keystream
values in sync with plaintext values) (stream cipher).
Asynchronous cyptosystem uses previously generated output to encrypt current plaintext values
(block cipher using chaining).
Double-DES:
• 112-bit key length
• There is specific attack against it that reduces its work factor to about the same as DES
Page | 34
• Modes:
o DES-EEE3: 3 keys
o DES-EDE3: 3 keys
o DES-EEE2: 2 keys
o DES-EDE2: 2 keys
Blowfish:
• 23-bit up to 448-bit key size
• 64-bit block size
• 16 rounds
• unpatented by its creator
RC4:
• it is a stream cipher
• variable key size
• Used in SSL protocol
• Was improperly implemented in802.11 WEP protocol standard
• Fast, simple and efficient
• Vulnerable to modification attacks
RC5:
• Block cipher
• Block sizes: 32-bit, 64-bit,128-bit
Page | 35
• Key size goes up to 2,048 bits
• Variable rounds up to 255 rounds
RC6:
• Block cipher
• Same attributes as RC5
Asymmetric cryptography:
• Security services: confidentiality, authentication, and nonrepudiation.
• Scalability: every user will have only pair of keys, regardless the number of users.
• Secure key distribution: public key can be sent to users.
Diffie-Hellman:
• Enables two systems to generate symmetric key securely without requiring prior
relationship.
• Based on difficulty of calculating discrete logarithms in a finite field.
• Vulnerable to man-in-the –middle attack, because no authentication occurs before public
keys exchanged.
o Countermeasure: to have authentication take place before accepting someone’s
public key (e.g. certificate usage).
• key agreement algorithm and not key distribution algorithm.
RSA:
• Based on the difficulty of factoring large numbers into their original prime numbers.
One-way function is a mathematical function that is easier to computer in one direction than in
the opposite direction.
El Gamal:
• Used for encryption, digital signatures, and key exchange
• Based on difficulty of calculating discrete logarithms in a finite field
• Performance issue
Page | 36
Knapsack:
• Based on “knapsack problem”, a mathematical dilemma that poses the following
question: if you have several different items, each having its own weight, is it possible to
add these items to a knapsack so the knapsack has a specific weight?
• It is insecure and not currently used.
Cyclic redundancy check (CRC) is used to identify data modifications (e.g. corruption) and used
mostly in lower layers of network stack.
MD4:
• Produces a 128-bit message digest value
• No longer secure
MD5:
• Produces a 128-bit message digest value
• Subject to collision attacks.
Page | 37
• Family: SHA-256, SHA-384, SHA-512
The output of the hashing algorithm is n. To find two messages that hash to the same value would
require only 2^(n/2) message.
Registration authority (RA) collects user/organization information and acts as a broker between
end-user and CA.
Cross certification is the process undertaken by CAs to establish a trust relationship in which they
rely upon each other’s digital certificates and public keys as if they had issues them themselves.
By default, web browsers do not check a CRL to ensure that a certificate is not revoked.
Certificate is the mechanism used to associate a public key with a collection of components (e.g.
serial number, version number, identify information, algorithm information, lifetime date,
signature of the issuing authority).
Multiparty key recover more than one person/entity are needed for this process (dual control).
Key escrow is a process or entity that can recover lost or corrupted cryptographic keys.
Page | 38
Trusted platform module (TPM) is a microchip installed on the motherboard and dedicated for
carrying out security functions that involves the storage and processing of secret keys, hashes,
and digital certificates:
• Binds the hard disk drive: the content of the disk is encrypted and the decryption key is
stored in the TPM chip.
• Seals system’s configuration: TPM stores the hash of the configuration files and validates
their integrity.
Known-plaintext attack: the attacker has the plaintext and corresponding ciphertext of one or
more messages.
Chosen-plaintext attack: the attacker has the plaintext and the ciphertext, but can choose the
plaintext that gets encrypted to see the corresponding ciphertext.
Chosen-ciphertext attack: the attacker can choose the ciphertext to be decrypted and has access
to the resulting decrypted plaintext.
Differential cryptanalysis: the attacker takes two messages of plaintext and follows the changes
that take place to the blocks as they go through S-boxes. The difference identified in the resulting
ciphertext values are used to find the key.
Linear cryptanalysis: the attacker carries out a known-plaintext attack on several different
messages encrypted with the same key.
Algebraic attack: analyze the vulnerabilities in the mathematics used within the algorithm.
Page | 39
Analytic attack: identify algorithms structural weaknesses or flaw.
Statistical attack: identify statistical weaknesses in algorithms design (e.g. number of zeros
compared to number of ones, biased PRNG).
Meet-in-the-Middle attack: mathematical analysis used to try and break a math problem from
both ends (encrypting from one end and decrypt from the other end).
Facility threats:
• Natural environmental threats (e.g. floods, earthquakes)
• Supply system threats (e.g. power, communication)
• Manmade threats (e.g. unauthorized access, employee error)
• Politically motivated threats (e.g. strike, riot, terrorist attack)
Target hardening focuses on denying access through physical and artificial barriers by applying
more granular protection mechanisms. (alarms, locks, fences). Whereas, CPTED mainly deals with
the construction, internal/external design and landscaping.
Compliance requirement:
• Occupational Safety and Health Administration (OSHA)
• Environmental Protection Agency (EPA)
Fire code requires 2 doors for data center: 1 door is only used and the other is for emergency
use (locked and exit only with panic bar).
Positive pressurization let the air goes out when the door is open (smoke goes out in case of
fire).
Page | 40
Window types:
• Standard: no extra protection
• Tempered: glass is heated and then cooled to increase its integrity
• Acrylic: plastic instead of glass. Polycarbonate acrylic is stronger than regular ones
• Wired: a mesh of wire is embedded between two sheets of glass (prevent shattering)
• Laminated: plastic layer between two outer glass layers.
• Solar window film: provide extra security by being tinted, also this film increases its
strength
• Security film: transparent film is applied to the glass to increase its strength
Leak detectors should be under raiser floors and on the dropped ceilings.
Online UPS system have the normal primary power passing though them and able to quickly
detect if power failure takes place and picks up the load faster.
Standby UPS devices stays inactive until a power line fail. The system has sensors that detect
power failure, and the load is switched to the battery pack with small delay.
Power excess:
• Spike: momentary high voltage
• Surge: prolonged high voltage
Power loss:
• Fault: momentary power outage
• Blackout: prolonged, completed loss of electric power
Power degradation:
• Sag/dip: momentary low-voltage condition, from one cycle to few seconds
• Brownout: prolonged power supply that is below normal voltage
• In-rush current: initial surge of current required to start a load
Page | 41
Fire needs fuel, oxygen, and high temperature.
Fire detectors:
• Smoke activated: photoelectric devices (optical detectors detects variation in light
intensity).
• Head activated: fixed temperature or rate-of-rise.
The most effective replacement of Halon is FM200 (doesn’t damage the ozone).
Replacement of Halon: FM200, NAS-S-III, CEA-410, FE-13, Water, Intergen, Argon, Argonite.
Fire extinguishers should be place 50 feet away from electrical equipment (viewable and
reachable).
Plenum Area:
• wiring and cables are strung through plenum area (dropped ceilings, spaces in walls,
under raise flooring)
• It should have fire detectors
• Only plenum-rated cabling should be used (doesn’t let off hazardous gasses if it burns)
Water sprinklers:
• Sensors should be used to shut down the electric power before water sprinklers activate.
• Wet pipe: pipes always contain water. Disadvantage is that water may freeze in colder
climate or leak.
• Dry pipe: water is contained in a holding tank.
• Preaction: similar to dry pipe, but have a thermal-fusible link on the sprinklers head to be
melted before water is released.
• Deluge: wide open sprinkler heads to allow a larger volume of water to be released in a
shorted period.
Page | 42
Seismic detects sound though the change in vibration.
MIME specifies how multimedia data and email attachment are transferred over the network.
S/MIME extended that to provide standard email encryption and digital signature.
Lattice is an access control model that provides bounds outlining what a subject can do pertaining
to individual objects.
Clipper Chip is a hardware encryption chip made for all US communication devices in the 90s. It
has 80-bit key and 16-bit checksum. It uses SkipJack as a private algorithm.
Phase Alternative Line (PAL): Video recording and transmission standards for CCTV (in Europe).
NTSC is used in US and Japan.
Page | 43
CHAPTER 4: Communication and Network Security
Federal Communications Commission (FCC) regulates telecommunications systems, which
includes voice and data transmissions.
Page | 44
TCP/IP model:
• Application (Application + Presentation + Session)
• Host-to-host (Transport)
• Internet (Network)
• Network access (Data link + Physical)
RPC has lack of, or weak, authentication. SRPC is more secure as it needs two computers to be
authenticated before communicating with each other.
Controller Area Network Bus (CAN) – It is different that Campus Area Network:
• Runs most of automobiles worldwide.
• Designed to allow microcontrollers and other embedded devices to communicate with
each other on a shared bus.
Ports:
• Well-known: 0 – 1023 (can be used only by privileged system or root processes).
• Registered: 1024 – 49151 (can be registered with the ICANN).
• Dynamic: 49152 – 65535 (as needed basis).
SYN flood:
• An attacker floods the victim system with SYN packets.
• Mitigations: use of SYN cache, which delays the allocation of a socket until the handshake
is completed.
TCP session hijacking: an attacker can correctly predict the TCP sequence numbers that two
systems will use.
Page | 45
IPv4: 32-bits address
IPv6: 128-bits address
Subnetting:
• Allows larger IP ranges to be divided into smaller, logical, and more tangible network
segments.
• Reduces the traffic load across the network, reduce network congestion, smaller
broadcast domain.
• Easier to implement network security policies more effectively.
• Keep down routing table sizes because external routers can directly send data to the
actual network segment.
Classless interdomain routing (CIDR) (supernetting): specify more flexible IP address classes.
Time to live (TTL) value decremented every time the packet passes through a router, so packet
do not continually traverse a network forever.
Type of Service (ToS) that means it can prioritize different packets for time-sensitive functions.
IPv6 (IPng):
• IPSec integrated into the protocol stack (end-to-end secure transmission and
authentication).
• Allows for QoS value to be assigned for time-sensitive transmissions.
• Offers auto-configuration, which makes administration much easier.
• Does not require NAT to extend its address space.
Page | 46
• Anycast address is defined, which is used to send a packet to any one of a group of nodes
(scalability of multicast routing is improved by adding a “scope” field to multicast
addresses).
• Some IPv4 header fields have been dropped or made optional.
• Extension to support authentication, data integrity and (optional) data confidentiality.
• Extends the size of the packet’s payload (jumbograms) and improve performance over
high-maximum transmission units (MTU) links.
Automatic tunneling: A technique where the routing infrastructure automatically determines the
tunnel endpoints so that protocol tunneling can take place without pre-configuration.
• 6to4 tunneling: the tunnel endpoints are determined by using a well-known IPv4 anycast
address on the remote side and embedding IPv4 address data within IPv6 addresses on
the local side.
• Teredo: uses UDP encapsulation so that NAT address translations are not affected.
• Intra-Site Automatic Tunnel Addressing Protocol (ISATAP): treats the IPv4 network as a
virtual IPv4 local link, with mappings from each IPv4 address to a link-local IPv6 address.
6to4 and Teredo are intersite tunneling mechanisms (connectivity between different network).
ISATAP is an intrasite mechanism (connectivity between systems within a specific network).
NAT: caused a lot of overhead and transmission problems because it breaks the client/server
model that many applications use today.
IEEE 802.1AE:
• IEEE MAC Security standard (MACSec).
• Provides hop-to-hop protection at layer 2.
• Only authenticated and trusted devices on the network can communicate with each
other.
• When a frame arrives at a device that is configured with MACSec, the MACSec Security
Entity (SecY) decrypts the frame if necessary and computes an integrity check value (ICV)
on the frame and compares it with the ICV that was sent with the frame.
• If ICV match, the device processes the frame. If not, the device handles the frame
according to a preconfigured policy (e.g. discarding it).
• Provides data encryption, integrity, and data origin authentication.
IEEE 802.1AR:
• Specifies unique per-device identifiers (DevID) and the management and cryptographic
binding of a device to its identifiers.
• A verifiable unique identity allows establishment of the trustworthiness of devices.
• Each device comes with single built-in initial secure device identity (iDevID).
• iDevID is used with authentication protocols such as EAP; which is supported by
IEEE8.2.1X.
Page | 47
IEEE 802.1AF:
• carries out key agreement functions for the session keys for data encryption.
802.1X:
• device cannot carry out any network activity until it is authenticated to so do.
• Port authentication kicks-in, which means that only authentication data is allowed to
travel from the new device to the authentication server.
• The authentication data is the digital certificate and hardware identity associated with
that device (IEEE 802.1AR), which is processed by EAP-TLS.
• Once authenticated by authentication server (e.g. RADIUS), encryption keying materials
is negotiated and agreed upon between surrounding network devices.
Converged protocols: protocols start started off independent and distinct from one another but
over time converged to become one (or one protocol started being encapsulated/tunneled
within the other one).
• Fiber Channel over Ethernet (FCoE):
o Protocol encapsulation that allows Fiber Channel (FC) frames to ride over Ethernet
networks.
• Multiprotocol Label Switching (MPLS):
o Was originally developed to improve network performance.
o But frequently used for its ability to create VPNs over a variety of layer 2 protocols.
o It has elements in both layer 2 and layer 3 (referred to as 2.5 protocol).
o Considered converged protocol because it can encapsulate any higher-layer
protocol and tunnel it over a variety of links.
• Internet Small Computer System Interface (iSCSI):
o Encapsulate SCSO data in TCP segments.
IP convergence is the transition of services from disparate transport media and protocols to IP
(e.g. VoIP).
Bandwidth: the number of electrical pulses that can be transmitted over a link within a second,
and these pulses carry individual bits of information.
Data throughput: the actual amount of data that can be carried over a connection.
Data throughput values can be higher than bandwidth values if compression mechanisms are
implemented. But if links are highly congested or there are interference issues, the data
throughput values can be lower.
Page | 48
Synchronous vs. Asynchronous transmission: communicated systems do not use start and stop
bits, but the synchronization of the transfer of data take place through a timing sequence, which
is initiated by a clock pulse.
Data link protocol has the synchronization rules:
• High-level Data Link Control - HDLC (synchronous)
• Asynchronous Transfer Mode - ATM (asynchronous)
Broadband: divides the communication channel into individual and independent sub-channels
so that different types of data can be transmitted simultaneously (e.g. CATV: multiple channels
over the same cable).
Digital subscriber line (DSL) uses one single phone line and constructs a set of high-frequency
channels for Internet data transmissions.
Coaxial cables:
• Copper core that is surrounded by a shielding layer.
• Compared to twisted-pair cable is more resistant to electromagnetic interference (EMI)
and supports longer cable lengths, but more expensive and harder to work with.
Twisted-paid cable:
• Shielded twisted pair (STP) have an outer foil shielding.
• Unshielded twister pair (UTP) does not have this extra shielding.
• Resists the flow of electrons, which causes a signal to degrade after travelling a distance.
• Radiates energy, which means information can be monitored and captured.
Fiber-optic cable:
• Not affected by attenuation and EMI.
• Does not radiate signals and difficult to eavesdrop on.
• Light sources:
o Light-emitting diodes (LEDs)
o Diode lasers
• Modes:
o Single-mode: high-speed data transmission over long distances.
o Multi-mode: able to carry more data than single-mode and best for shorted
distances because of their higher attenuation levels.
Crosstalk occurs when electrical signals of one wire spill over to the signals of another wire.
Plenum-rated cables have jackets covers made of fluoropolymers, whereas non-plenum cables
usually have a polyvinyl chloride (PVC) jacket.
For better security, wires can be encapsulated into pressurized conduits.
Page | 49
Media access technologies
• Token Passing:
o A token is a 24-bit control frame.
o The token contains the data to be transmitted and source and destination address
information.
o The token is passed from computer to computer, and only the computer than has
the token can actually put frames onto the wire.
o Each computer checks the message to determine if it is addressed to it, which
continues until the destination computer receives it.
o The destination computer makes a copy of the message and flips a bit to tell the
source computer it did indeed get its message.
o Used in Token Ring and FDDI technologies.
• Carrier sense multiple access (CSMA):
o Ethernet uses CSMA to provide media-sharing capabilities.
o CSMA/CD:
▪ If a computer puts frames on the wire and its frames collide with another
computer’s frame, it will abort its transmission and alert all other stations
that a collision just took place.
▪ back-off algorithm: all stations will wait a random time before attempting
to transmit again.
▪ Used in Ethernet technology.
o CSMA/CA:
▪ Each computer signals its intent to transmit data.
▪ Once the medium is clear, a computer sends a broadcast stating that it is
looking to transmit data.
▪ Used in WLAN 802.11 technology.
o Polling:
Page | 50
▪ Some systems are configured as primary stations and others are secondary
stations.
▪ At predefined internals, the primary station asks the secondary station if it
has anything to transmit.
▪ Used in mainframe media access technology.
Carrier sensing access methods are faster than token-passing methods, but the former do have
the problem of collisions.
Contention-based environment is where each system has to “compete” to use the transmission
lines, which can cause contention.
Bridges allow broadcast traffic to pass between different parts of a subnet, but not the collisions.
If two LANs are connected by different data layer technology, they are considered a WAN.
Ethernet 802.3:
• Usually uses a bus or star topology
• Contention-based technology (CSMA/CD)
• User broadcast and collision domains
• Uses CSMA/CD
• Supports full-duplex communication
• Can use coaxial, twisted-pair, or fiber-optic cabling
10Base-T (10Mbps): Twisted-pair wiring uses one wire to transmit data and the other to receive
data.
10Base2 (Thin Net): uses thin, flexible coaxial cable that is easy to work with. (185 meters).
100Base-TX (100Mbps)
1000Base-R (1,000Mbps): all four pairs of twisted unshielded cable pairs are used for
simultaneous transmission in both directions for a maximum distance of 100m.
10GBase-T (10,000Mbps)
Page | 51
• Beaconing: if a computer detects a problem with the network, it sends a beacon frame.
This frame generates a failure domain, which is between the computer that issues the
beacon and its neighbor downstream.
Unicast transmission: a packet needs to go from the source computer to one particular system.
Broadcast transmission: a system wants all computers on its subnet to receive a message.
ARP table cache poisoning: the attacker goal is to receive packets intended for another computer
(masquerading attack).
Page | 52
• DORA (Discover-Offer-Request-Acknowledge):
o The client computer broadcasts a DHCPDISCOVER message on the network in
search for the DHCP server.
o The server responds with a DHCPOFFER packet, offering the client and IP address
and other configuration settings.
o The client responds to the server with a DHCPREQUEST packet confirming its
acceptance of the allotted settings.
o The server responds with a DHCPACK packet, which includes the validity period
(lease) for the allocated parameters.
Both the client and server segments of the DHCP are vulnerable to falsified identity.
DHCP snooping: implemented on network switches to ensures that DHCP servers can assign IP
addresses to only selected systems, identified by their MAC addresses.
RARP frames go to all systems on the subnet, but only RARP server responds. Once the RARP
server receives this request, it looks in its table to see which IP address matches the broadcast
hardware address (e.g. used by diskless workstations).
Bootstrap protocol (BOOTP) was created after RARP to enhance its functionality.
Page | 53
o Attacker can send bogus information to direct to his machine, or it can be
redirected into a “black hole”.
Countermeasures:
• Use firewall rules that only allow the necessary ICMP packets into the network.
• Use of IDS and IPS to watch for suspicious activities.
• Host-based protection (host firewall and host IDS) can also be installed.
Page | 54
o In your computer, which is responsible for sending out requests to DNS servers for
host IP address information.
o Resolver can send a non-recursive query or a recursive query.
• HOST file:
o Resides on the local computer and can contain static hostname-to-IP address
mapping information.
o Malicious manipulation can happen to the HOSTS file involves blocking users from
visiting antivirus update websites, which is usually done by mapping target
hostnames to the loopback interface IP address 127.0.0.1.
DNS poisoning:
• An attacker sees the DNS Server A and querying DNS server B for a resource record, here
the attacker replies back to DNS server A with incorrect record, which poisons the DNS
cache table. This happens because DNS server doesn’t authenticate the
sender/responder.
• Countermeasure:
o Usage of DNSSEC (DNS Security), which implements KPI and digital signatures,
which allows DNS server to validates the origin of a message to ensure that it is
not spoofed.
DNS splitting:
• Internal SNS server should only contain resource records for the internal computer
systems.
• External DNS server should only contain recourse records for the systems that
organization wants the outside world to be able to connect to (information of systems
within the DMZ).
URL hiding: embeds hyperlinks in any given text (e.g. Click Here).
Domain grabbing & Cyber squatting: individuals who register prominent or established names,
hoping to sell these later to real-world businesses.
SMTP:
• Uses TCP port 25.
• Works as a message transfer agent.
• Works as a message transfer protocol between email servers.
• Is a message-exchange addressing standard: xxx@xxx.xxx
• Most commonly SMTP servers: Sendmail (Unix) & Microsoft Exchange (Windows).
Page | 55
• Messages are held on the mail server until users are ready to download their messages,
instead of trying to push messages right to a person’s computer, which may be down or
offline.
Email relaying:
• Public mail server in the DMZ and one or more mail servers within the internal LAN.
• Mail servers use a relay agent to send a message from one mail server to another.
• Relay agent should be properly configured, so attacker cannot use it for spamming
activities.
• “wide open” configuration means that a mail server can be used to receive any mail
message and send it to any intended recipients.
Email threats:
• Email spoofing is a technique by malicious users to forge an email to make it appear to
be from a legitimate source.
• SMTP authentication (SMTP-AUTH) is an extension that comprises an authentication
feature that allows clients to authenticate to the mail server before an email is sent.
• To deal with forged email messages, Sender Policy Framework can be used. It is an email
validation system designed to prevent email span by detecting email spoofing by verifying
the sender’s IP address.
Page | 56
o Dynamic mapping: dynamically mapping a private address to one available public
address.
o Port address translation (PAT): can use single public IP address with many ports
Routing protocols:
• Individual networks on the Internet is referred to as autonomous system (AS), which are
independently controlled by different service providers and organizations.
• AS is made up of routers that are administered by a single entity and use a common
Interior Gateway Protocol (IGP) within the boundaries of the AS.
Page | 57
Route flapping refers to the constant changes in the availability of routes.
If a router does not receive an update that a link has gone down, the router will continue to
forward packets to that route, which is referred to as a black hole.
Wormhole attack:
• An attacker can capture a packet at one location in the network and tunnel it to another
location in the network (two attackers, one at each end of the tunnel).
• Countermeasure: use of leash, which is just data that is put into a header of the individual
packets. This leash restricts the packet’s maximum allowed transmission distance. It can
be either geographical or temporal.
Repeaters:
• Works as line conditioners by actually cleaning up the signals.
• A hub is a multiport repeater and is often referred to as a concentrator.
Bridges:
• Connect LAN segments.
• Works at data link layer and therefore work with MAC addresses.
• Used to divide overburdened networks into smaller segments to ensure better use of
bandwidth and traffic control.
• Used to extend a LAN and enable the administrator to filter frames.
• Isolates collision domains within the same broadcast domain.
• Forward broadcast frames. So, you have you have to watch carefully for broadcast
storms.
• Uses transparent bridging, where a bridge starts to learn routes by examining frames and
making entries in its forwarding table.
• Uses Spanning Tree Algorithm (STA):
o Ensures that frames do not circle networks forever
o Provides redundant paths in case a bridge goes down.
o Enables an administrator to indicate weather he wants traffic to travel certain
paths instead of others.
• 3 main types of bridges:
o Local: connects two or more LAN segments within a local area (e.g. building).
o Remote: can connects two or more LAN segments over a MAN by using
telecommunication links.
o Translation: need if two LANs being connected are different types and use
different standards and protocols.
Routers:
• Connect similar or different networks (e.g. two Ethernet LANs or an Ethernet LAN and
Token Ring LAN).
Page | 58
• It can filter traffic based on access control lists (ACLs) and fragments packets when
necessary.
• In ACL, access decisions are based on source and destination IP addresses, protocol type,
and source and destination ports.
• If router does not have information in its routing table about the destination address, it
sends out an ICMP error message to the sending computer indicating that the message
could not reach its destination.
• If the destination network requires a smaller MTU, the router fragments the datagram.
Switches:
• High level switches offer routing functionality, packet inspection, traffic prioritization, and
QoS functionality. It creates a lot of overhead, but multilayered switches perform these
activities using an ASIC chips.
Gateways:
• A general term for software running on a device that connects two different
environments and that many times acts as a translator for them.
• A popular type is an electronic mail gateway (translate email send from one mail server
to another to a standard format, X.400, that both will understand).
• Voice and media gateway is another example.
Page | 59
Private Branch Exchange (PBX):
• A private telephone switch that is located on a company’s property.
• Performs same switching tasks that take place at the telephone company’s central office.
• The voice data is multiplexed onto a dedicated line connected to the telephone
company’s central office.
• Many companies have modems hanging off their PBX to enable vendor to dial in and
perform maintenance to the system (usually unprotected).
• PBX is vulnerable to brute-force (preacher uses scripts and dictionaries to gain access to
the system).
Source routing:
• Packets contain the necessary information within them to tell the bridge or router where
they should go. It doesn’t require the bridge or router to dictate their paths.
• External and boarder devices should not accept packets with source routing information
within their headers.
Phreaker:
• is a phone hacker who knows knows the default password of modems can perform
malicious activities (e.g. toll fraud).
• In some cases, he changes people’s voice messages (e.g. someone screams).
Firewalls:
• Supports and enforce the company’s network policy.
• Considered as a “choke point” in the network because all communication should flow
through it, and this is where traffic is inspected and restricted.
• Can discard packets, repackage them, or redirect them.
• Packets are filtered based on their source and destination addresses, and ports by
service, packet type, protocol type, header information, sequence bits, and must more.
• Used to construct a demilitarized zone (DMZ), which is a segment between protected and
unprotected networks.
Packet-filtering firewall:
• 1st generation of firewalls.
• Packet-filtering processes is configured with ACLs.
• The ACL filtering rules are enforced at the network interface of the device.
• Have capability of reviewing protocol header information at the network and transport
layers.
• Access decisions based upon the following basic criteria:
o Source and destination IP addresses
o Source and destination port numbers
o Protocol types
o Inbound and outbound traffic direction (ingress and egress)
• Packet filtering is also known as stateless inspection
Page | 60
• Weaknesses:
o Cannot prevent attacks that employs application-specific vulnerabilities.
o Limited logging functionality.
o Most packet-filtering firewalls do not support advanced user authentication
schemes.
o Many packet-filtering firewalls cannot detect spoofed addresses.
o They may not be able to detect packet fragmentation attacks.
Stateful firewalls:
• maintains a state table to keep track of each and every communication session.
• Can detect out of order TCP handshake.
• Can detect malicious activity if all TCP flag values are set.
• Can track connectionless protocols (UDP) by keeping track of source and destination
addresses, UDP header, and some ACL rules. It’ll time-out the connection after a period
of inactivated as there is not tear-down stage.
• Provides a high degree of security and does not introduce the performance hit introduced
by application proxy firewall.
• Weakness: can be victim of many types of DoS attacks.
Proxy firewalls:
• Stands between a trusted and untrusted network (e.g. HTTP proxy).
• Breaks the communication channel. There is not direct connection between the two
communicating devices.
• circuit-level proxy:
o Proxy-based firewall that works at the lower layers
o Creates a connection (circuit) between the two communicating systems.
o Works at the session layer.
o Monitors traffic from a network-view.
o Similar to packet-filtering firewall as it makes it decision based on address, port,
and protocol type header values.
o SOCKS is an example of a circuit-level proxy gateway that provides a secure
channel between two computers.
• application-level proxy:
o Proxy-based firewall that works at the application layer.
o Inspects the packet up through the application layer.
o Can distinguish between an FTP GET command and FTP PUT command.
o Extensive logging capabilities (as it can inspect more information).
o Capable of authenticating users directly.
o Can address spoofing and other sophisticated attacks.
o Disadvantages:
▪ Create performance issues.
▪ Not suited to high-bandwidth or real-time applications.
▪ Limited in terms of support for new network applications/protocols.
Page | 61
• One proxy per protocol that understands how a specific protocol works.
• Dual-homed firewall:
o a device that has two interfaces: one connected to one network and the other
connected to a different network.
o If firewall software is installed in a device, the device must have the routing and
forwarding disabled (to ensure ACL is applied as expected).
o Multi-homed: they have several NICs that are used to connect several different
networks (e.g. a company can have several DMZs).
o Different DMZs are used for 2 reasons:
▪ Control the different traffic types (makes HTTP traffic only goes toward
web servers and DNS requests towards DNS server).
▪ If one system on one DMZ is compromised, the other systems in the rest
of the DMZs are not accessible to this attacker.
Page | 62
• Screened host (single-tiered configuration):
o a firewall that communicates directly with a perimeter router and the internal
network.
o The screened host (the firewall) is the only device that receive traffic directly from
the router.
o For any attacker to be successful, they should compromise the router and the
firewall.
o The router is the screening device, which gets rid of a lot of the “junk” before it is
directed toward the firewall.
Virtual firewalls can be used to control and monitor traffic between virtual machines within a
host. Also, it can be embedded within the hypervisor, which allow it to monitor all activities taking
place within the system.
Any packet entering the network that has a source of an internal host should be denied
(masquerading or spoofing).
No packets allowed from to go outbound if it does not have internal source address (indication
of DDoS zombie activity).
Firewalls should reassemble fragmented packets before sending them on to their destination.
Because firewall cannot make decision based on partial packets (traffic delay and more
overhead).
Fragmentation attacks: attackers have constructed several exploits that take advantage of some
of the packet fragmentation steps within networking protocols:
o IP fragmentation: exploits fragmentation flaws within IP, which causes DoS.
o Teardrop attack: malformed fragments are created and once they are assembled, they
could cause the victim system to become unstable.
o Overlapping fragment attack: used to subvert packet filters that do not reassemble
packet fragments before inspection. A malicious fragment overwrites a previously
approved fragment and executes an attack on the victim’s system.
Page | 63
Common firewall rules:
o Silent rule: drops “noisy” traffic without logging.
o Stealth rule: disallow access to firewall software from unauthorized systems.
o Cleanup rule: last rule in rule base, drops and logs any traffic that does not meet
preceding rules.
o Negate rule: used instead of the broad and primitive “any rules”, provides tighter
permission rights by specifying what system can be accessed and how.
Bastion host is a highly exposed device that is more likely to be targeted by attackers (in the
public side of a DMZ or it directly connected to an untrusted network).
Forwarding proxy is one that allows the client to specify the server it wants to communicate
with.
Reverse proxy appears to the client as the original server. The client sends a request to what it
thinks is the original server, but in reality this reverse proxy makes a request to the actual server
and provides the client with the response.
Honeypot:
• A computer that is intended to be exploited by attackers (usually in screened subnet or
DMZ).
• Some emulates services, where the actual services are not running but software that acts
like those services is available.
• Should not be connected to production systems.
• On a small scale, companies may choose to implement tarpits. Tarpit can be configured
to appear as a vulnerable service that attackers will commonly attempt to exploit. Once
the attacker establishes a connection to the victim system, everything seems to be live,
but the response from the victim system is slow and the connection may time out.
• Due to slow or no reply by tarpits, automated tools may not be successful.
Page | 64
o Single point of compromise
o Performance issues
Page | 65
▪ The SDN simply exists simply as a virtual overlay on top of a physical
(underlay) network.
Web-based clients:
• Limit a user’s ability to access the computer’s system files, resources, and hard drive
space; access back-end systems; and perform other tasks.
• Can be configured to provide a GUI with only the buttons, fields, and pages necessary for
the users to perform tasks.
Extranet:
• Extends outside the bounds of the company’s network to enable two or more companies
to share common information and resources.
• Used to be based mainly on dedicated transmission lines which are more difficult to
attackers to infiltrate.
• Can be set over internet, which requires properly configured VPNs and security policies.
Trading partners often use electronic data interchange (EDI), which provides structure and
organization to electronic documents, orders, etc.
SONET:
• A standard for telecommunications transmissions over fiber-optic cables.
Page | 66
• Self-healing: if a break in the lines occurs, it can use a backup redundant ring to ensure
transmission continues. All SONET lines and rings are fully redundant.
• Can transmit voice, video, and data over optical networks.
Metro Ethernet:
• Ethernet can connect to previously mentioned MAN technologies, or they can be
extended to cover a metropolitan area, which is called Metro Ethernet.
• Can be used as pure Ethernet (less expensive and less scalable), or integrated with other
technologies, as in MPLS, (more expensive and more scalable).
Virtual Private LAN Service (VPLS): is a multipoint, layer 2 VPN that connects two or more
customer devices using Ethernet bridging techniques, in other words, VPLS emulates LAN over a
managed IP/MPLS network.
Telecommunication Evolution:
• Copper lines carry purely analog signals.
• Digital phone systems emerged with T1 trunks, which carried 24 voice communication
calls over two pair of copper wires (1.544 Mbps transmission rate).
• Trunk can be implemented on T3 lines, which can carry up to 28 T1 lines (44.736 Mbps
transmission rate).
• Then SONET came, an optical-fiber technology for telecommunications transmission over
fiber-optic cables.
• The next step was Asynchronous Transfer Mode (ATM). ATM encapsulates data in fixed
cells and can be used to deliver data over a SONET network. Fixed cells provides better
performance and a reduced overhead for error handling.
• Europe uses Synchronous Digital Hierarchy (SDH). SHD and SONET are similar but
incompatible.
Dedicated links: also called leased lines or point-to-point link. It is dedicated and expensive.
T-Carriers:
• Dedicated lines that carry voice and data information over trunk lines. (e.g. Fractional T1,
T1, T2, T3, T4).
• It offers multiplexing functionality through time-division multiplexing (TDM).
• Fractional T lines: T1 channels are split up between companies who do not really need
the full bandwidth (1.544 Mbps).
E-Carriers:
• Similar to T-carriers and uses TDM for multiplexing.
• 30 channels interleave 8 bits of data in a frame.
Page | 67
Optical Carrier:
• High-speed fiber-optic connection measured in optical carrier (OC) transmission rates.
• Referred to as OCx, where the “x” represents a multiplier of the basic OC-1 transmission
rate, which is 51.84 Mbps. (e.g. OC-12: 622.08 Mbps).
Statistical time-division multiplexing (STDM): analyzes statistics related to the typical workload
of each input device, and allocate the required time for data transmission.
Switching:
• Circuit switching:
o Sets up a virtual connection that acts like a dedicated link between two systems
(e.g. ISDN and telephone calls).
o Dedicated virtual communication link is set up. Devices do not dynamically move
the call through different devices.
• Packet switching:
o Packets from one connection can pass through a number of different individual
devices (e.g. Internet, Frame Relay, X.25).
o Provide multiple paths to the same destinations, which offers a high degree of
redundancy.
o Data broken into packets and can be travelling into different routes, once received
by the receiver, packets must be reassembled in the correct order using Frame
Check Sequence (FCS) numbers.
Page | 68
Frame Relay:
• It is a WAN technology that operates at the data link layer and uses packet-switching
technology.
• To avoid unnecessary cost, companies moved from dedicated lines to frame relay. Cost is
based on the amount of bandwidth used.
• Companies that pay more, ensures a higher level of bandwidth will always be available
(committed information rate CIR).
Virtual Circuits:
• Frame relay (and X.25) forwards frames across virtual circuits.
• Permanent circuit: programmed in advanced (e.g. worked likes a private line with an
agreed-upon bandwidth availability).
• Switched circuit: quickly built when it is needed and torn down when it is no longer
needed (e.g. used for teleconferencing, establishing temporary connections to remote
sites, data replication, voice calls.
X.25:
• An older WAN protocol works in a switching technology.
• Provides any-to-any connection.
• Subscribers are charged based on the amount of bandwidth they use.
• Data is encapsulated in High-level Data Link Control (HDLC) frames.
• Provide many layers of error checking, error correcting, and fault tolerance.
ATM:
• A connection-oriented switching technology. It uses a cell-switching method (e.g. more
efficient and faster use of the communication paths).
• Used for LAN, MAN, WAN, and service provider connections.
• ATM set up a virtual circuit that can guarantee bandwidth and QoS (e.g. good carrier for
voice and video transmission).
• Used by carriers and service providers, and is the core technology of the Internet.
Page | 69
o Available bit rate (ABR): connection-oriented channel, where customers are given
the bandwidth that remains after a guaranteed service rate has been met.
• QoS basic levels:
o Best-effort service: no guarantee of throughput, delay, or delivery.
o Differentiated service: compared to best-effort service, traffic that is assigned this
level has more bandwidth, shorted delay, and fewer dropped frames.
o Guaranteed service: ensures specific data throughput at a guaranteed speed.
Traffic shaping: controlling network traffic to allow for optimization or the guarantee of certain
performance levels.
Page | 70
• SIP is an application layer protocol that ca work over TCP or UDP.
• Jitter: experience of lags in VoIP conversation, which means that packets holding the
other person’s voice message got queued somewhere within the network and are on their
way.
• Isochronous network: contains the necessary protocols and devices that guarantee
continuous bandwidth without interruption (e.g. good for time-sensitive applications).
• Components of VoIP: IP Telephony device, call-processing manager, voice system, and
voice gateway.
H.323 Gateways:
• An H.323 environment features terminals, which can be telephones or computers with
telephony software, gateways that connect this environment to the PTSN, etc.
• H.323 gateways connect different types of systems and devices and provide the necessary
translation functionality.
• H.323 terminals are connected to these gateways, which in turn can be connected to the
PSTN.
SIP:
• Two major components: User Agent Client (UAC) and User Agent Server (UAS).
• UAC is the application that create the SIP requests for initiating a communication session.
• UAS is the SIP server, which is responsible for handling all routing and signaling involved
in VoIP calls.
• Relies on a three-way-handshake process to initiate a session.
• How it works?
o A starts be sending an INVITE packet to B.
o Since A is unaware of B’s location, the INVITE packet is sent to the SIP server,
which looks up B’s address in the SIP registrar server.
o Once location of B has been determined, the INVITE packet is forwarded to him.
o During this entire process the server keeps A updating by sending him TRYING
packet.
o Once packet reaches B, it starts ringing. B sends RINGING packet to A.
o Once B answers the call, an OK packet is sent to A (through the server).
o A now issues an ACK packet to begin the call setup.
o RTP is used to to stream media (e.g. voice or video):
▪ RTP is a session layer protocol.
▪ End-to-end delivery service over the transport layer protocol UDP.
▪ RTP Control Protocol (RTCP) is used with RTP and considered session layer
also. It provides out-of-band statistics and control information to provide
feedback on QoS levels.
o Once communication is done, a BYE message is sent from the system terminating
the call. The other system responds with an OK message.
• SIP architecture consists of three different types of servers:
o Proxy server: relay packets within a network between the UACs and the UAS.
Page | 71
o Registrar server: keeps a centralized records of the updated locations of all the
users on the network.
o Redirect server: allows SIP devices to retain their SIP identities despite changes in
their geographic location.
• Intra-organizational routing enables SIP traffic to be routed within a VoIP network without
being transmitted over the PSTN or external network.
• Skype uses a peer-to-peer communication model rather than the traditional client/server
approach of VoIP systems.
IP Telephony issues:
• SIP-based signaling lack of encrypted call channels and authentication of control signals.
• Attackers can tap into the SIP server and client communication to sniff out login ID,
passwords/PINs, and phone numbers.
• VoIP-PSTN gateways must be secure from intrusion to avoid toll fraud.
• Attackers can masquerade identities by redirecting SIP control packets from a caller to a
forged destination.
• Attacker can impersonate a server and issue commands like BYE, CHECKSYNC, and RESET:
o The CHECKSYNC command can be used to reboot VoIP terminal.
o The RESET command causes the server to reset and reestablish the connection.
• SPIT (Spam over Internet Telephony): spamming the voicemail servers.
Dial-up Connections:
• Utilize existing telephone lines.
• A modem (modulator-demodulator) is added that modulates an outgoing digital signal
into an analog signal that will be carried over an analog carrier, and demodulates the
incoming analog signal into digital signals that can be processed by a computer.
• Most companies did not enforce access control through these modem connections. Thus,
war dialing can be performed by attackers.
• Dial-up connection take place over PPP.
Page | 72
o Basic Rate Interface (BRI):
▪ 2 B channels that enables data to be transferred and 1 D channel that
provides for call setup, connection management, error control, caller ID,
etc.
▪ Channel D is “out-of-band” because the control data is not mixed in with
the user communication data.
▪ Aimed for small office and home office.
▪ Bandwidth available is 144 Kbps.
o Primary Rate Interface (PRI):
▪ 23 B channels and 1 D channel.
▪ Bandwidth is equivalent to T1 (1.544 Mbps).
▪ ISDN is used as a backup in case the primary connection of the company
goes down.
▪ Companies can implement dial-on-demand routing (DDR), which work
over ISDN. DDR allows a company to send WAN data over its existing
telephone lines and use the PSTN as a temporary type of WAN link.
• Broadband ISND (BISDN): Mainly used within telecommunications carrier backbones.
Cable Modems:
• Provide high-speed access to the Internet through existing cable coaxial and fiber lines.
• The bandwidth is shared between users in a local area.
• Most cable provides comply with Data-Over-Cable Service Interface Specifications
(DOCSIS), which allow for the addition of high-speed data transfer to an existing cable TV
(CATV) system.
Always connected: DSL lines and cable modems are connected to the Internet and “live” all the
time. This can cause security issues, as this always online is available for scanning, probing,
hacking and attacking at any time.
Page | 73
VPN (Virtual Private Network): secure and private connection through an untrusted network.
PPP provides user authentication through PAP, CHAP, or EAP-TLS, whereas IPSec provides system
authentication.
Page | 74
▪ Only payload is encrypted.
▪ Used for client-to-client VPN.
▪ NAT traversal is not supported.
Page | 75
The higher the frequency, the more data the signal can carry, but the more susceptible the
signal is to atmospheric interference.
Spread Spectrum:
• The sender spreads its data across the frequencies over which it has permission to
communicate. This allows for more effective use of the available bandwidth, because
the sending system can use more than one frequency at at time.
• FHSS (Frequency Hopping Spread Spectrum):
o Takes the total amount of bandwidth (spectrum) and splits it into smaller sub-
channels.
o The FHSS algorithm determines the individual frequencies that will be used and
in what order, and this is referred to as the sender and receiver’s hop sequence.
o Difficult for eavesdroppers to listen. But in today’s WLAN devices, the hopping
sequence is known and does not provide any security.
o If the signal is corrupted, it must be re-sent.
• DSSS (Direct Sequence Spread Spectrum):
Page | 76
o Apply sub-bites to a message. The sub-bites are used by the sending system to
generate a different format of the data. The receiving end uses these sub-bits to
reassemble the signal into the original data format.
o These sub-bits called chips. The sequence of how the sub-bits are applied is
called the chipping code (it is sometimes called a pseudo-noise sequence).
o When message is combined with the chip, the signal appears as random noise to
anyone does not know the chipping sequence.
o Synchronization between both parties is required.
o It does provide error recovery instructions.
• FHSS vs. DSSS:
o FHSS uses only a portion of the total bandwidth available at any one time. While,
DSSS uses all of the available bandwidth continuously.
o DSSS spreads the signals over a wider frequency band, whereas FHSS uses a
narrow band.
o DSSS sends data across all frequencies at once, it has a higher data throughput
than FHSS.
Standalone mode: when there is just one AP and it is not connected to a wired network.
Ad hoc WLAN: has no APs. The wireless devices communicate with each other through their
wireless NICs instead of going through a centralized device (peer-to-peer operation mode).
When wireless devices work in infrastructure mode, the AP and the wireless clients form a
Basic Service Set (BSS). This group is assigned a name, which is the SSID value. SSID is a Service
Set ID.
Gap in the WAP: wireless device encrypts packets using WTLS and sends it to WAP. WAP
performs translation from WTLS to TLS. Here WAP is decrypts the WLTS protected packets and
encrypts it using TLS standard.
Page | 77
Evolution of WLAN Security:
• IEEE 802.11 (WEP):
o It uses Wired Equivalent Privacy (WEP).
o WEP uses RC4 algorithm, which is a stream-symmetric cipher.
o The 3 core deficiencies with WEP:
1. Use of static encryption keys
2. Ineffective use of IV: In most WEP implementation, the same IV values
are used over and over again.
3. Lack of packet integrity assurance: An attacker can actually change date
within the wireless packet by flipping specific bits and altering the ICV.
o The key and IV value are inserted into the RC4 algorithm to generate key stream.
The values of the key stream are XORed with the binary values of the individual
packets.
o The wireless device using this protocol can authenticate to the AP in two main
ways: open system authentication (OSA) and shared key authentication (SKA).
o OSA:
▪ Does not require the wireless device to prove to the AP it has a specific
cryptographic key to allow for authentication purposes.
▪ The wireless device needs to provide only the correct SSID value.
▪ All transactions are in cleartext.
o SKA:
▪ The AP sends a random value to the wireless device. The device encrypts
it with its cryptographic key and returns it. The AP decrypts and extracts
the response.
o AirSnort and WEPCrack are tools to easily crack WEP.
• IEEE 802.11i (WPA2):
o WiFi Protected Access II (WPA2)
o Temporal Key Integrity Protocol (TKIP):
▪ Backward-compatible. The goal was to increase the strength of WEP or
replace it fully without the need for hardware replacement.
▪ Works with WEP by feeding it keying materials, which is data to be used
for generating new dynamic keys.
▪ It generates a new key for every frame that is transmitted.
▪ It provides a sequence counter to protect against replay attacks.
▪ The protocol increases the length of IV and ensure every frame has a
different IV value.
▪ TKIP deals with integrity issues by using MIC instead of ICV.
o The use of 802.1X provides access control by restricting the network access until
full authentication and authorization have been completed. It also provides an
authentication framework that allows for different EAP modules to be plugged in
(using EAP allows for mutual authentication with flexibility: passwords, tokens,
OTP, certificates, smart cards, Kerberos).
Page | 78
o The full WPA2 has a major advantage over WPA by providing encryption
protection with the use of the AES algorithm in counter mode with CBC-MAC
(CCM).
• IEEE 802.1X:
o Port-based network access control.
o It is a network access protocol that can be implemented on both wired and
wireless networks.
o The 3 main entities in this framework are:
▪ Supplicant (wireless device)
▪ Authenticator (AP)
▪ Authentication server (e.g. RADIUS server).
o The wireless device cannot send or receive HTTP, DHCP, SMTP, or any other type
of traffic until the user is properly authorized.
o Disadvantage of the original 802.11 is that mutual authentication is not possible
(e.g. A rouge AP can be set up to capture user’s credentials).
Wireless Standards:
Page | 79
It aims on bringing together many of
the different standards and
802.11j - - streamlining their development to
allow for better interoperability
across borders.
Uses MIMO to increase the
802.11n 100 Mbps 5 GHz throughput.
Extension of 802.11n
Page | 80
Satellites:
• For two locations to communicate via satellite links, they must be within the satellite’s
line of sight and footprint (area covered by the satellite).
• On top of building, we see antennas contains one or more microwave receivers,
depending upon how many satellites it is accepting data from.
• It commonly provides broadband transmission (e.g. TV, PC Internet access,).
• One way for TV data, and two-ways transmission for Internet connectivity.
• Low Earth Orbit: there is not as much distance between the ground stations and the
satellites as in other types of satellites (e.g. smaller receivers can be used).
• 2 main microwave wireless technologies are:
o Satellite (ground to orbiter to ground)
o Terrestrial (ground to ground)
• Very small aperture terminal (VSAT): links a remote site to the Internet through a
satellite gateway facility run by a service provider (cost are affordable now).
Page | 81
Mobile Wireless Communication:
• Mobile device is a device that can send voice and data over wireless radio links. It
connects to a cellular network, which is connected to the PSTN.
• Radio stations use broadcast networks, which provide one-way transmission.
• A cellular network distributes radio signals over dedicated areas, called cells.
• Each cell has at least one fixed-location transceiver (base station) and is joined to other
cells to provide connections over large geographic areas.
• Individual cells can use the same frequency range, as long as they are not right next to
each other.
• Many multiple access technologies highlighted below.
Page | 82
1G:
• Analog services
• Voice service only
2G:
• Primarily voice, some low-speed data (circuit switched).
• Phones were smaller in size.
• Added functionality of email, paging and caller ID.
2.5G:
• Higher bandwidth than 2G.
• “Always on” technology for email and pages.
3G:
• Integration of voice and data.
• Packet-switched technology.
3.5G (3GPP):
• Higher data rates.
• Use of OFDMA technology.
• Has number of new or enhanced technologies: EDGE, HSPDA, CDMA2000, WiMAX.
4G:
• Based on an all-IP packet-switched network (LTE – Long Term Evolution).
• Data exchange at 100Mbps – 1Gbps.
Link encryption:
• Encrypts all the data along a specific communication path.
• Not only is the user information encrypted, but the headers, trailers, addresses, and
routing data that are part of the packets are also encrypted.
• The only traffic not encrypted in this technology is the data link control messaging
information.
• Packets must be decrypted at each hop so the router knows where to send the packet
next.
• It works at lower layer, so user do not need to do anything to initiate it.
• Provides protection against packet sniffers and eavesdroppers.
• Sometimes called online encryption. Also referred to as traffic-flow security.
• Disadvantages:
o Key distribution and management (key change, key update).
o More points of vulnerability (each hop decrypts the packet).
End-to-end encryption:
• Headers, trailers, addresses and routing information are not encrypted.
• Flexible to the user in choosing what gets encrypted and how.
• Higher granularity of functionality as each application or user can choose specific
configuration.
• Each hop device on the network does not need to have a key to decrypt each packet.
Page | 83
• Disadvantages: headers, addresses, and routing information are not encrypted, and
therefore not protected.
Internet security:
• The Web is the collection of HTTP servers that holds and processes websites we see.
• Web browsers enable users to read pages by enabling them to request and accept web
pages via HTTP.
• User’s browsers convert the language (HTML, DHTML, and XML) into a format that can
be viewed on the monitor.
• HTTP is a stateless protocol, which means the client and web server make and break the
connection for each operation. The web server never “remembers” the users that ask
for different web pages.
Page | 84
• HTTP Secure (HTTPS) is HTTP running over Secure Socket Layer (SSL) or Transport Layer
Security (TLS). Nowadays, SSL considered insecure and obsolete and TLS should be used
in its place.
• S-HTTP protects individual message between two computers instead of all
communications.
• Secure Socket Layer (SSL):
o Uses public key encryption and provides data encryption, server authentication,
message integrity, and optional client authentication.
o The web server will start the necessary tasks and invoke SSL and protect this
type of communication.
o The server sends a message back to the client, indicating a secure session should
be established, and the client in response sends its security parameters. This is
the handshaking phase.
o The server authenticates to the client by sending over its certificate. If mutual
authentication is required, the client sends back its certificate.
o The client generates a session key and encrypts it with the server’s public key, so
they both use this symmetric key for encryption.
o SSL session keeps open until one of the parties ends it (usually a client sends a
FIN packet).
o SSL requires an SSL-enables server and browser.
o SSL lies beneath the application layer and above the network layer (so SSL is not
limited to specific application protocols). For the purpose of CISSP exam, SSL
protocol works at the transport layer.
o The final version of SSL was 3.0 (considered insecure today).
• Transport Layer Security (TLS):
o TLS is the open community and standardized version of SSL.
o TLS is currently in version 1.2.
o Passing Oracle On Downgraded Legacy Encryption (POODLE) attack was the
death of SSL and demonstrated that TLS was superior security-wise. The key to
POODLE attack was to force SSL to downgrade its security.
• Cookies:
o Text files that a browser maintains on a user’s hard drive or memory segments.
o In most cases, cookies contain sensitive information should stay in the memory
and not to be stored in the hard drive.
o Some 3rd parties are used to limit the type of cookies downloaded, hides user’s
identity as he travels from one site to another.
• Secure Shell (SSH):
o A type of tunneling mechanism that provides terminal-like access to remote
computers.
o SSH provides authentication and secure transmission over vulnerable channels
like the Internet.
o SSH should be used instead of Telnet, FTP, rlogin, rexec, or rsh.
o SSH is a program and a set of protocols.
Page | 85
o Two computers go through a handshaking process and exchange (via Diffie-
Hellman) a session key.
Network Attacks:
• Denial of service (DoS): compromise to the availability.
• Malformed packets:
o Ping of Death. This attack sent a single ICMP Echo Request to a computer, which
resulted in the “death” of its network stack until it was restarted. This attack
exploited the fact that many early networking stacks did not enforce the
maximum length of ICMP packet, which is 65,536 bytes.
o The single most important countermeasure here is to keep your system patched.
• Flooding:
o Overwhelming the target computer with packets until it is unable to process
legitimate user requests (e.g. SYN flooding).
• Distributed denial of service:
o A network of compromised computers. Each of these computers are called a bot
or a zombie, and the network they form called a botnet.
o A countermeasure is to leverage a content distribution network (CDN).
o Most modern switches and routers have rate-limiting features that can throttle
or block the traffic from particularly noisy sources such as these attackers.
o If the attack happens to be a SYN flood, you can configure your servers to use a
technique known as delayed binding in which the half-open connection is not
allowed to tie up a socket until the three-way handshake is completed.
• DNS hijacking:
o an attack that forces the victim to use a malicious DNS server instead of the
legitimate one.
o Host based: adversary changes the IP settings of the victim’s computer to point
to the rouge DNS server.
o Network based: adversary in a network use a technique such as ARP table cache
poisoning to redirect DNS traffic to his own server. Countermeasure: NIDS.
o Server based: if DNS server is not configured properly, the attacker can tell the
server that is own rouge server is the authorities one for whatever domain he
wants to hijack. Countermeasure: DNSSEC.
• Drive-by download:
o Occurs when a user visits a website that is hosting malicious code and
automatically gets infected.
o This type of attack exploits vulnerabilities in the user’s web browsers (e.g. a
browser plug-in such as video player).
Page | 86
Loki attack:
• Loki is a client/server program used by attacker to create backdoor.
• The attacker installs the server potion on the compromised machine and communicates
with it by embedding data into ICMP packets.
Page | 87
CHAPTER 5: Identity and Access Management
Subject is an active entity that requests access to an object or the data within an object (e.g. user,
program, process).
Object is a passive entity that contains information or needed functionality (e.g. computer,
database, file, directory, field or table in a database).
Race condition: an attacker can force the authorization step to take place before the
authentication step.
Authentication factors:
• Something you know (authentication by knowledge): password, PIN, mother’s name
• Something you have (authentication by ownership): key, swipe card, access card, badge
• Something you are (authentication by characteristic): biometrics
Directories:
• Most directories follow a hierarchical database format, based on the X.500 standard, and
a type of protocol (e.g. Lightweight Directory Access Protocol, LDAP).
Page | 88
• Applications can request information about a particular user by making an LDAP request
to the directory.
• Directory service allows an administrator to configure and manage how identification,
authentication, authorization, and access control for individual systems.
• Directory service keeps everything organized by using namespaces. Databases based on
X.500 that are accessed by LDAP uses distinguished names (DNs) to each object.
• DN is a collection of attributes (common name, domain components).
• Many legacy devices and applications cannot be managed by the directory service.
• Meta-directory gathers the necessary information from multiple sources and stores it on
one central directory. It synchronizes itself with all of the identify stores periodically.
• Virtual directory does not have the information stored physically, but points to where the
actual data resides.
Cookies can be in a format stored on the user’s hard drive (permeant), or only held in memory
(session).
Password management:
• Password synchronization: reduce the complexity of keeping up with multiple passwords.
• Self-service password reset: reduces help-desk calls.
• Assisted password reset: reduces the resolution process for password issues for the help
desk (may include other types of authentication mechanisms: biometrics or tokens).
Usually users’ data is being pulled from authoritative source (e.g. HR database) into a directory.
Authoritative system of record (ASOR) is a hierarchical tree-like structure system that tracks
subjects and their authorization chains.
User provisioning refers to the creation, maintenance, and deactivation of user objects and
attributes as they exist in one or more systems, directories, or applications, in response to
business process.
Page | 89
Biometrics:
• Analyzes a unique personal attribute or behavior.
• Very sophisticated technology and expensive.
• Challenges: user acceptance, enrollment timeframe, throughput.
• 2 different categories:
o Physiological (e.g. fingerprints) – What you are
o Behavioral (e.g. signature dynamics) – What you do
• Type of errors:
o Type I error (false rejection rate FRR): rejects authorized individual
o Type II error (false acceptance rate FAR): accepts impostors who should be
rejected
• Crossover error rate (CER) (Equal error rate EER) is a percentage that represents the point
at which FRR equals FAR (CER of 3 is more accurate that CER 4).
Fingerprint:
• Detailed characteristics of fingerprint called minutiae.
• This technology extracts specific features from the fingerprint and stores it in the hard
drive to allow smaller space and to allow quicker database lookup.
Palm scan can include fingerprints of each finger in addition to a wealth of other information.
Retina scan:
• Scans the blood-vessel pattern of the retina on the backside of the eyeball.
• A camera is used to project a beam inside the eye and capture the pattern.
• Involves number of privacy issues (e.g. collected information can be used in the diagnosis
of medical conditions).
Iris scan is one of the most accurate biometric technologies. Iris remains constant through
adulthood.
Signature dynamics relies on the physical motions performed when someone is signing a
document, which create electrical signals. It provides more information than a static signature.
Voice print:
• It records words from a user during enrollment process.
• During authentication, the system jumbles the words in different sequence to overcome
an attacker replays a recorded audio file.
Page | 90
Facial scan scans the face and geometry of the face.
Hand topography:
• A camera snaps wide-view picture of the hand from different view and angle than that of
systems that target hand geometry.
• Collected attributes are not unique enough, so it is commonly used in conjunction with
hand geometry.
Password checkers (called password cracker by hackers) are tools that perform dictionary and/or
brute-force attacks to detect the weak password.
In Linux, passwords are located in a file called “shadow”, which store hash values of passwords.
Salts are random values added to the encryption process to add more complexity and
randomness.
Password aging is used to set expiration date for passwords. Also the system can keep history of
most recently used passwords to prevent users from using them.
Cognitive password:
• It is a fact or opinion-based information used to verify an individual’s identity. A user is
enrolled by answering several questions based on her life experience (e.g. first person he
kissed, name of friend in 8th grade).
• Best for services that are not used in daily basis because it takes longer that other
authentication techniques.
One-time password:
• A dynamically generated password.
• 2 types:
o Synchronous token device:
▪ The token device synchronizes with the authentication server by using
time or a counter.
Page | 91
▪ If it is a time-based, both the token device and the server much hold the
same time in their internal clocks.
▪ If it is a counter-based (a.k.a event-based), the user needs to create an
OPT by pushing a button on the token device. This let authentication server
to advance to the next counter value.
▪ The server and the token device must share the same secret base key.
o Asynchronous token device:
▪ A challenge/response scheme to authenticate the user.
▪ The server sends a challenge (random value called nonce).
▪ The user enters the nonce into the token device, which encrypts it and
returns a value the user uses as OTP.
o Not vulnerable to electronic eavesdropping, sniffing, or password guessing.
o If OTP is generated in software, it called soft token.
• implemented in 3 formats:
o Dedicated physical device with a small screen that displays the OTP.
o Smartphone application
o A service that sends an SMS message.
SecureID:
• A well-known time-based token from RSA Security Inc.
• One version of the product generates the OPT by using a mathematical function on the
time, date and ID of the token card. Another version of the product requires a PIN to be
entered into the token device.
Cryptographic key can be used to prove one’s identity by using a private key to generate a digital
signature.
Passphrase:
• A sequence of characters that is longer than a password.
• The user enters the passphrase into the application, and the application transforms the
value into virtual password.
• More secure than password because it is longer, thus, harder to guess.
• The user more likely to remember a passphrase than a password.
Memory cards holds information but cannot process information. It contains authentication
information (e.g. swipe card, ATM card).
Page | 92
2 types of contactless smart cards are available:
• Hybrid: has two chips, with the capability of utilizing both contact and contactless
formats.
• Combi: has one microprocessor chip that can communicate to contact or contactless
readers.
Contactless smart cards have extra cost for readers and overhead of card generation.
RFID:
• An electronic tag that has an integrated circuit for storing and processing data.
• A common security issue that that data can be captured as it moves from the tag to the
reader.
Authorization creep is when an employee is working in a company for a long time and moves
from one department to another and get assigned more and more access rights and permissions.
Kerberos:
• Works in a client/server model.
• Open protocol (vendors can manipulate it).
• Based on symmetric key cryptography.
• Example of an SSO system for distributed environment (de-facto for heterogeneous
networks).
• Provides end-to-end security.
• Key Distribution Center (KDC):
o Holds all users’ and services’ secret keys.
o Provides an authentication service (AS).
o Offers key distribution functionality.
o Provides security services to principals (e.g. users, applications, network services).
o Shares secret key for each principal.
Page | 93
o Ticket granting service on the KDC generates ticket and give it to the principal
when he needs to authenticate to another principal (e.g. print server).
o Realms are used to allow an administrator to logically group resources and users.
• How does it work?
o Username of user sends to AS within KDC.
o KDC sends TGT encrypted with user’s symmetric key.
o User then decrypts the TGT using his password and access his machine.
o When user wants to access print server, he sends his TGT to TGS within KDC.
o TGS creates another ticket to user. It contains a 2 instances of the session key,
once encrypted with the user’s key and the other with the print server’s key. It
also contains an authenticator (user ID, IP address, sequence number, timestamp).
o User sends the generated ticket to the print server, which decrypts the session
key.
o Timestamp is used to fight against replay attack.
• Weaknesses:
o KDC can be single point of failure.
o KDC must be able to handle the number of requests.
o Secret keys are temporarily stored on the users’ workstations.
o Session keys are decrypted and resides on the users’ workstations.
o Vulnerable to password guessing (don’t know if dictionary attack is taking place).
o Needs all client and server clocks to be synchronized.
SEASME extends Kerberos and offers symmetric and asymmetric keys for encryption and uses
Privileged Attribute Certificates (PACs) instead of tickets.
Security domains:
• Set of resources available to a subject.
• Network administrator can put similar users in same domain as they use the same
resources.
• Different domains are separated by logical boundaries (e.g. firewalls with ACL, directory
services making access decisions, ACL on objects).
• Subjects can access resources in domains of equal or lower trust levels.
• Domain can contain network devices, users, processes.
Federated identity:
Page | 94
• A portable identity, and its associated entitlements, that be used across business
boundaries.
• Doesn’t need to synchronize or consolidate directory information.
Digital identity:
• A collection of attributes (user, department, role, shift time, clearance), entitlement
(resources available, authoritative rights), traits (biometrics, height, sex).
Web portal:
• A part of a website that act as a point of access to information.
• Presents information from diverse resources in a unified manner.
• Made up of portlets, which are pluggable user-interface software components that
present information from other system.
XML is a universal and foundational standard that provides a structure for other independent
markup languages to be built from and still allow for interoperability.
Page | 95
OpenID:
• open standard for user authentication by 3rd parties.
• Similar to SAML, but information is handled by 3rd party and not user’s organization.
• It defines 3 roles:
o End user: user who wants to be authenticated.
o Resource party: server that owns the resource required by the user
o OpenID provider: system that an end user already has an account on.
OAuth:
• Open standard for authorization (not authentication) to 3 rd parties.
• Authorizes a website to use something you control at a different website.
Identity as a service (IDaaS): A type of SaaS that is normally configured to provide SSO, federated
IdM, and password management services.
Page | 96
o Centrally administered set of controls to determine how subjects and objects
interact.
o Access to resources based on the role the user holds.
o Best model for organization with high employee turnover.
o RBAC can be managed in the following ways:
▪ Non-RBAC: users mapped directly to applications and no roles are used.
▪ Limited RBAC: users mapped to multiple roles and mapped directly to
other types of applications that do not have role-based functionality.
▪ Hybrid RBAC: users mapped to multiapplication roles with only selected
rights assigned to those roles.
▪ Full FBAC: users mapped to enterprise roles.
o Core RBAC:
▪ Integrated in every RBAC implementations because it is the foundation of
the model.
▪ RBAC can be configured to include time of day, location of role, day of
week to make access decisions.
o Hierarchical RBAC:
▪ The component allows an administrator to map the RBAC model to the
organizational structures.
▪ 2 types:
• Limited hierarchies: only one level of hierarchy is allowed (Role 1
inherits from Rom 2 and no other role).
• General hierarchies: allows for many level of hierarchies (Role 1
inherits Role 2’s and Role 3’s permissions).
▪ Different separation of duties are provided under this model:
• Static separation of Duty (SSD) Relations through RBAC: user
cannot be a member of both the Cashier and Accounts groups.
• Dynamic separation of Duty (DSD) Relations through RBAC:
constraining combination of privileges that van be activated in one
session (user cannot be in both the Cahier and Cashier Supervisor
roles at the same time, but user can be a member of both).
o Privacy-aware RBAC (e.g. manager can access employee details, but don’t see his
social security number).
o RBAC can be used in combination with DAC and MAC systems.
• Rule-based access control (RB-RBAC):
o uses specific rules that indicates what can and cannot happen between a subject
and object (e.g. If X then Y).
o Built on top of traditional RBAC.
Page | 97
• Physically constrained interfaces: provide only certain keys on a keypad or certain touch
buttons on a screen.
Capability table:
• Access rights a certain subject pertaining to specific objects.
• Corresponds to the subject’s row in the access control matrix.
• A capability can be in the form of a token, ticket, or key. (e.g. Kerberos ticket).
Capability-based access control means that the subject has to presenting something, which
outlines what is can access (e.g. ticket, token, key, password).
Lattice-based access control provides upper and lower bounds of access for a subject pertaining
to a specific object.
Access control administration comes in two basic flavors: centralized and decentralized.
Page | 98
• Remote user is a client to the access server, and the access server is a client to the RADIUS
server.
• Most ISPs authenticate customers to RADIUS server before allowed access to the Internet.
• Client and access server agree upon an authentication protocol (PAP, CHAP, EAP).
• Access server and RADIUS server communicate over the RADIUS protocol.
• RADIUS protocol is set of fields referred to as attribute-value pairs (AVPs) (2^8).
• Appropriate for simplistic username/password authentication with accept/deny
response.
Diameter:
• A protocol that have been developed to build upon the functionality of RADIUS and
overcome many of its limitation.
• Peer-based protocol that allows either end to initiate communication.
• Uses TCP and AVPs (2^32).
• Better error detection and correction than RADIUS.
• Consists on 2 portions:
o Base protocol: provides the secure communication among entities, feature
discovery, and version negotiation.
o Extensions: built on top of the base protocol to allow various technologies to use
Diameter for authentication (e.g. VoIP, FoIP, Mobile IP, wireless, and cell phone
authentication).
Page | 99
Mobile IP:
• Allows a user to move from one network to another and still use the same IP address.
• Allows a user to have a home IP address (associated with his home network) and a care-
of address (changes as he moves from one network to another).
• All traffic addressed to home IP address is forwarded to care-of address.
Personnel controls indicates what security actions should be taken when an employee is hired,
terminated, suspended, moved into another department, or promoted (HR and legal
departments are involved).
Each employee has a supervisor to report to, and that supervisor is responsible for that
employee’s actions.
All security controls, mechanisms, and procedures must be tested on a periodic basis to ensure
they properly support the security policy (management responsibility).
Cables need to be routed throughout the facility and not exposed to any dangers like being cut,
burnt, crimpled, or eavesdropped upon.
Zone control: the company facility should be split up into zones based on the sensitivity of the
activity taking place per zone.
Audit reduction tool reduces the amount of information within an audit log.
SIEM attempts to correlate the log data and provide analysis capabilities (standardization and
normalization of data).
Page | 100
Situational awareness means that you understand the current environment even though it is
complex and dynamic, to make best possible decisions.
Scrubbing is the act of a hacker where he deletes his track (e.g. from audit logs).
Audit logs can be stored in a remote host or on a write-once media (e.g. CD-ROMs) to prevent
loss of modification of the data.
Keyboard dongle (hardware key logger) can be placed between the keyboard and the computer
and can captures even the power-on passwords.
Object reuse: an object must be cleared from sensitive data before being used by another subject
(e.g. memory locations, variables, registers, USB drive).
TEMPEST:
• A standard that outlines how to develop countermeasures to electrical signals emitted by
electrical equipment.
• Devices have an outer metal coating, referred to as Faraday cage, that allows only certain
amount of radiation is released.
• TEMPEST rated devices might need modification to other components like power supply.
• 2 alternatives to TEMPEST:
o White noise: uniform spectrum of random electrical signals, It is distributed over
the full spectrum so the bandwidth is constant.
o Control zone: some facilities use material in their walls to contain electrical
signals, which acts like a large Faraday cage.
Host-based IDS: used to make sure users do not delete system files, reconfigure important
setting.
Knowledge/Signature-based IDS:
• Pattern matching:
o Most popular IDS product.
o Weak against new types of attacks.
• Stateful matching:
o Has rules that outline which state transition sequences should sound an alarm.
o Only identify know attacks.
Anomaly-based IDS:
• Statistical anomaly-based:
o Put in a learning mode to build a profile of an environment’s normal activities.
Page | 101
o Packets are given an anomaly scope. If it is higher than the predefined threshold,
alarm is triggered.
o Capable of detecting “low and slow” and new attacks.
o It sends generic alerts, compared to other types of IDSs (team should be
experienced to analyze).
• Protocol anomaly-based:
o Has specific knowledge of each protocol they monitor.
o Builds a model (or profile) of each protocol’s normal usage (official and real-world
usage).
• Traffic anomaly-based:
o Detects changes in traffic patterns, as in DoS or a new service that appears on the
network.
Rule-based (heuristic-based):
o Use of if/then rule-based programming within expert systems.
o Use of expert system allows for AI usage (inference engine).
o More complex rule requires extra processing.
o Cannot detect new attacks.
Application-based: Very focused in one application and gathers fine-grained and detailed
activities.
IDS sensors:
• Placed in network segments the IDS is responsible to monitor.
• Filter out irrelevant information and detect suspicious activity.
• A monitoring console monitors all sensors.
• Different placements are possible (outside firewall detects attacks, inside firewall detects
intrusions).
• IDS can be centralized (integrated with the firewall) or distributed (multiple sensors
throughout the network).
• In very high-traffic network, multiple sensors are preferred to insure all packets are
investigated.
• Different sensors can be set to analyze each packet for different signatures (load is broken
up over different points).
In switched environment, we have to take all the data on each individual connection, make a
copy of it, and put the copies on one port (spanning port) where the sensor is located.
IPS:
• Detects malicious activity and not allow the traffic to gain access to the target in the first
place.
• Preventive and proactive technology.
• Can be content-based (signature-based and protocol analysis) or rate-based metrics
which focuses on the volume of traffic (flood attack, excessive scans).
Page | 102
Land attack: a hacker modifies the packet header so that when a receiving system responds to
the sender, it is responding to its own address.
Xmas attack: sends a specifically crafted TCP where some of its flags are set to 1.
Attacks or viruses discovered in production environments are referred to as being “in the wild”.
Attacker can establish a DoS attack on IDS to take it offline. Also, he can send IDS incorrect data
to let administrator busy with the wrong part.
Sniffer is a tool that can capture network traffic. If it has the capability of understanding and
interpreting individual protocols, it can be referred as a protocol analyzer.
Hybrid attack can combine both dictionary attack and a brute-force attack.
War-dialing attack: an attacker inserts a long list of phone numbers into a program in hopes of
finding a modem that can be exploited to gain unauthorized access.
Phishing is a type of social engineering with the goal of obtaining personal information
credentials, credit cards number, or financial data (spear-phishing attack is crafted to trick a
specific target). When senior executives are the target, it is called whaling.
Pharming redirects a victim to a seemingly legitimate, yet fake, website. In this type of attack,
the attacker carries out something called DNS poisoning, in which a DNS server resolves a
hostname into an incorrect IP address.
Syskey is a 128-bit RC4 encryption key used in Microsoft Windows to encrypt the SAM database.
Password advisor is a tool that helps a user to create passwords that are easy to remember and
difficult to break.
Page | 103
CHAPTER 6: Security Assessment and Testing
Audit:
• A systematic assessment of the security controls of an information system.
• Could be driven by regulatory or compliance requirement, by a significant change to the
architecture of the information system, or by new developments in the threat facing the
organization.
• The scope of the audit should be determined in coordination with business unit managers.
• Information systems security audit process:
o Determine the goals
o Involve the right business unit leaders
o Determine the scope
o Choose the audit team
o Plan the audit:
▪ To understand any risk introduced to the business processes.
▪ Make sure we meet each of the audit goals.
▪ Ensure that the audit process is repeatable (reproduce the results).
▪ Documentation starts and continue all the way through to the results.
o Conduct the audit
o Document the results
o Communicate the results
Internal audits:
• Familiarity with the inner working of your organization.
• More agile in its assessment efforts.
• Disadvantages:
o The team will probably have a lot of depth in the techniques they know, but not a
lot of breadth.
o Potential conflicts of interests.
o They may be overstate/fabricate security false to secure better funding.
Page | 104
Service organizations are organizations that provide outsourcing services that can directly impact
the control environment of a company’s customers (e.g. insurance and medical claim processors,
hosted data centers, application service providers (ASPs), managed security providers).
Statement of Auditing Standards (SAS 70) audit carried out a way to ensure that a company you
work with and depend upon was really protecting your company’s assets as they claimed to be.
Other evaluation types have existed: WebTrust (e-commerce controls) and SysTrust
(operational controls).
Vulnerability testing:
• Before carrying out vulnerability testing, a written agreement from management is
required.
• The goals are:
o Evaluate the security posture
o Identify as many vulnerabilities as possible.
• Tester must explain the testing ramifications before starting the test.
• Personnel testing:
o Reviewing employee tasks and identifying vulnerabilities in the standards
practices and procedures.
o Social engineering attacks.
• Physical security:
o Reviewing facility and perimeters protection mechanisms.
o Is there a file suppression system?
• System and networking testing:
Page | 105
o Automated scanning products identified known system vulnerabilities and some
may attempt to exploit it (always update the vulnerability database of the product
before the product is used).
Vulnerability testing and penetration testing comes in boxes with different colors:
• Black box testing:
o The tester has no a priori knowledge of the internal design or features of the
system.
o Simulates an external attacker.
o Disadvantages:
▪ May not cover all the internal parts.
▪ May by targeting a subsystem which is critical for the daily operations.
• White box testing:
o Auditor has complete knowledge of the inner workings of the system before the
first scan.
o Achieve more complete testing.
o Disadvantages:
▪ May not be representative of the behaviors of an external attacker.
• Gray box testing:
o Meets somewhere between the other two approaches.
o Some, but not all, information on the internal workings is provided to the test
team.
Penetration testing:
• The process of simulating attacks on a network and its system at the request of the owner,
senior management.
• Measures an organization’s level of resistance to an attack and to uncover any
weaknesses within the environment.
• Timeframe for the tests should be agreed upon so productivity is not affected.
• It may include physical security, as well as, personnel security.
• The final result of a penetration testing is a report given to management.
• Steps the team go through:
o Discovery: foot-printing and information gathering
o Enumeration: performing port scans and resource identification methods
o Vulnerability mapping: identify vulnerabilities in the identified resources
o Exploitation: attempting to gain unauthorized access by exploiting vulnerabilities
o Report to management: deliver a report with all findings to the management.
• The penetration testing team can have varying degree of knowledge about the target:
o Zero knowledge
o Partial knowledge
o Full knowledge
Page | 106
“Get Out of Hail Free Card” is an authorization letter authorizing the extent of the penetration
testing and should be always available with the testing team members.
Blind test: the assessors only have publicly available data to work with and the network security
staff is aware that this type of test will take place.
Double-blind test (stealth assessment): is a blind test to assessors, and security staff is not
notified about the test.
Targeted tests can involve external consultants and internal staff carrying out focused tests on
specific areas of interest (e.g. before a new application is rolled out).
Postmortem: after tests are over and the interpretation and prioritization are done,
management have in its hands a compilation of many of the ways the company could be
successfully attacked. This is the input to the next cycle in the remediation strategy.
War driving is the act of checking for wireless access points while roaming around the facility.
Log reviews:
• The examination of system log files to detect security events or to verify the effectiveness
of security controls.
• Time standardization across all networked devices is very critical in logs (NTPv4).
• By default, logs are stored locally on the corresponding devices.
• Centralization of logs makes it easy to correlate events and archive the logs for long-term
retention and automated alerts generation (SEIM).
Page | 107
Preventing log tempering:
• Remote logging
• Simplex communication
• Replication
• Write-once media
• Cryptographic hash chaining
Synthetic transactions:
• A transaction that is generated by a script and not a person.
• Allows us to systematically test the behavior and performance of critical services (e.g.
periodic visit to a website, measure performance, response time)
• Also, can be written to behave as malicious users (e.g. attempting to XSS attacks).
Page | 108
Code review:
• Performed by someone other than the author of the code.
• Ensure that author follows the team’s style guide and standards.
• Looks for uncalled or unneeded functions or procedures (called code bloat).
• looks for modules that are complex and should be restructured or split into multiple
modules.
• Looks for blocks of repeated code that could be refactored.
• Meeting can be held to review the code:
o Obvious errors can be sent offline (not in a meeting).
o Team leader displays the code and everyone discuss it.
o At the end of the meeting. A decision made:
▪ Passed
▪ Passed with rework (only team leader checks the corrections).
▪ Re-inspect (another meeting is held).
Defensive programming means that as you develop or view the code, you constantly looking for
things to go badly.
Interface testing:
• A systematic evaluation of a given set of exchange points.
• An interface is an exchange point for data between systems and/or users (e.g. NIC, API,
GUI).
• A special case of integration testing (assessment of how different parts of a system
interact with each other).
• Boundary conditions: testing in the boundary that separates the good from bad (e.g. a
packet that should contain a payload of no more than 1024 bytes. You can check 1024-1,
1024, 1024+1).
Business continuity looks holistically at the entire organization. A subset of this effort, called
disaster recovery, focuses on restoring the information systems after a disastrous event.
Many people are moving away from BCP/DR testing (only pass/fail) into performing exercises.
Tests and DR drills and exercises should be performed at least once a year.
Page | 109
Specific parameters and scope of the exercise must be worked out before sounding the alarms.
The team must agree on what exactly is getting tested, timing and duration of the exercise.
Types of drills:
• Checklist test (desk check test): copies of the DRP or BCP are distributed to the different
departments and functional areas for review.
• Structured walk-through test: representative from each department or functional area
come together and go over the plan to ensure its accuracy. The group walks through
different scenarios of the plan from beginning to end to make sure noting was left out.
• Simulation test: all employees who participates in the operational and support functions
come together to practice executing the disaster recovery plan base on specific scenario
(used to test reaction of each team member). This test can continue up to the point of
actual relocation to an offsite facility.
• Parallel test: some systems are moved to the alternate site and processing takes place.
This results are compared with the regular processing that is done at the original site.
• Full-interruption test: the most intrusive to regular operations. The original site is actually
shut down, and processing take place at the alternate site. This time of test only
performed after all other types of tests are successful and it needs senior management
approval.
After a disaster, telephone service may not be available: mobile phones or walkie-talkies may be
used.
Security training is the processing of teaching a skill or set of skills that will allow people to
perform specific functions better.
Security awareness training is the process of exposing people to security issues so that they may
be able to recognize them and better respond to them. The key measure of the effectiveness of
the awareness program is the degree to which people change their behaviors when presented
with certain situations.
Pretexting is usually practiced in person or over the phone, in which the attacker invents a
believable scenario in an effort to persuade the target to violate a security policy (it was legal in
the US, as long as it doesn’t used to obtain financial records).
Key performance indicators (KPIs) measures how well things are going now.
ISO 27004 Information Security Metrics Implementation, outlines a process by which to measure
the performance of security controls and processes.
Factor: an attribute of the ISMS that can be described as a value that can change over time (e.g.
number of alerts generated by an IDS).
Page | 110
Measurement: the value of the factor at a particular point in time (e.g. 356 IDS alerts in the last
24 hours).
Baseline: an arbitrary value for a factor that provides a point of reference (e.g. historic trend in
the number of IDS alerts over the past 12 months).
Metric: a derived value that is generated by comparing multiple measurements against each
other or against a baseline (e.g. the ratio of verified incidents to IDS alerts during a 30-day period).
Indictor: an interpretation of one or more metrics that describes an element of the effectiveness
of the ISMS (indicators are meaningful to management).
Key risk indicators (KRIs) measures how badly things could go in the future.
Technical report:
• Should show that it is a tailored audit (not an output of an automated tool).
• Must document the methodology used.
• Written in the context of system under study (SUS).
• Highlights the findings and recommended controls or changes.
• Raw data and automated reports can be in the appendix.
• Important key elements:
o The treats (should consider threats as per the risk management process (RMP))
o The vulnerabilities
o The probability of exploitation
o The impact of exploitation (often expressed in monetary terms)
o Recommended actions
Executive summaries:
• Technical report includes an executive summary of no more than 1-2 pages.
• Can show ROI.
Management review:
• A formal meeting of senior organizational leaders to determine whether the management
systems are effectively accomplishing their goals (e.g. performance of the ISMS).
Page | 111
• Cycle of continuous improvement Plan-Do-Check-Act loop.
• The input to the management review comes from variety of sources (e.g. results of
relevant audits, executive summaries, impact to the organization, recommended
changes, list of open issues and action items from the previous meeting, customer
feedback).
Page | 112
CHAPTER 7: Security Operations
Operational security: the practice of operational maintenance to keep an environment running
at a necessary level, liability, and legal responsibilities.
Operations departments often focuses on the hardware and software aspects. Management is
responsible for employees’ behavior and responsibilities.
Users’ access attempts and activities need to be properly monitored, audited and logged
(accountability).
Clipping level is a threshold/baseline number of certain type of errors that will be allowed before
the activity is considered suspicious (Mostly IDS is used to track these).
Inconspicuousness prevents the user from knowing too much about security controls.
Page | 113
Life-cycle assurance: how the product was developed and maintained (design specifications,
clipping-level configurations, unit and integration testing).
Investigation of the:
• unusual or unexplained occurrence
• deviation from standards: device accepts 300 requests per minute but now accepts 3
only
• Unscheduled initial program loads (IPL) (rebooting): on servers and appliances,
rebooting is always scheduled, or intentionally triggered by an authorized person or
process.
IPL is a mainframe term for loading the OS’s kernel into the main memory.
Page | 114
Troubleshoot and fix system after crash:
• enter into single user mode or safe mode (when system cold start happens). “single user”
mode will not start services for users or the network and only local console is accessible.
• Fix issue and recover files
• Validate critical files and operation
Unneeded software must be removed; unneeded services must be disabled. Components that
can be neither left off not disabled, must be configured to the most conservative practical
settings.
Companies are responsible for ensuring software in their environment is not pirated, and that
the licenses are not exceeded.
AUP must indicate what software users can install and inform user that regular survey will
happened to verify compliance.
Page | 115
• Strong authentication should be there
• Truly critical system should be administered locally only
• Small number of administrators should be able to carry out this remote functionality.
Review should happen to identify which individuals should be allowed into what area and deploy
access control points accordingly.
The delay time provided by the lock should match the penetration resistance of the surrounding
components (e.g. door, door frame, hinges).
Combination locks have internal wheels that have to line up properly before being unlocked.
Electronic combination locks use keypad that allows a person to type in the combination.
Mechanical locks:
• Warded lock (padlock):
o It has a spring-loaded bolt with a notch cut on it
Page | 116
o Cheapest locks
o Easiest to pick
• Tumbler lock:
o Has more pieces and parts that warded lock
o The key fits into a cylinder, which raises the lock metal pieces to the correct height.
Once all the pieces are in the correct level, the internal bolt can be turned
o 3 types:
▪ pin tumbler:
• most commonly used
▪ wafer tumbler (disc tumbler):
• small round locks used for file cabinets
• can be easily circumvented
▪ lever tumbler
Device locks:
• Switch controls: covers on/off power switches.
• Slot locks: tie bracket mounted in a spare expansion slot to a stationary component using
a steel cable.
• Port controls: block access to disk drives or unused serial or parallel ports.
• Peripheral switch control: secure a keyboard by inserting an on/off button switch
between the system unit and they keyboard input slot.
• Cable trap: prevent removal of input-output devices by passing their cables through a
lockable unit.
Tension wrench:
• is a tool shaped like an L and is used to apply tension to the internal cylinder of a lock.
• the lock picker uses a lock pick to manipulate the individual pins to their proper
placement. Once picked, a tension wrench holds these down while the lock picker figures
out the correct settings of the other pins.
Raking:
• to circumvent a tumbler lock, a lock pick is pushed to the back of the lock and quickly slid
out while providing upward pressure.
Lock bumping:
• force the pins in tumbler lock to their open position by using a special key called bump
key.
• The stronger the material of the lock, the smaller the change for this way to success.
Locks strengths:
• Grade 1: commercial and industrial use
Page | 117
• Grade 2: heavy-duty residential/light-duty commercial
• Grade 3: residential/consumer
Cards types:
• memory card: the reader pulls information from it and makes an access decision
• smart card: individual may be required to enter a PIN or password
Electronic access control (EAC) tokens is a generic term used to describe proximity
authentication devices: proximity readers, programmable locks, biometric systems.
Fence height:
• 3-4 feet (deter casual trespassers)
Page | 118
• 6-7 feet (too high to climb easily)
• 8 feet (deter more determined intruder)
Gates strengths:
• Class I: residential usage
• Class II: commercial usage (public access)
• Class III: industrial usage (limited access)
• Class IV: restricted access (prison)
Underwriters Laboratory (UL) classifies electronic devices, fire protection equipment, and
specific construction materials.
Bollards placed to limit the treat of someone driving a vehicle through the exterior wall
Lighting is used to eliminate dead spots (unlit areas) should exist between the lights
If the light is going to bounce off of dark, dirty, or darkly painted surface, then more illumination
is required for contrast between people and environment.
Continuous lighting is an array of lights that provides an even amount of illumination across area.
Security guards can switch lights on and off, so potential intruder thinks that people are inside.
Attack on CCTV is to replay previous recording without security guards knowing it.
Digital recorders save images to hard drives and allow advanced search techniques that are not
possible with videotape recorders. It also used advanced compression techniques.
Type of lens:
• Fixed focal length: wide, medium, narrow (normal view is like human eye)
• Zoom (varifocal)
Page | 119
Focal length:
• Effectiveness in viewing objects from a horizontal and vertical views
• Its value relates to the angle of view that can be achieved
• Short focal length lenses provide wider-angle view.
• Long focal length lenses provide a narrower view.
Fixed focal length lenses doesn’t allow optical change of the area that fills the monitor. Though,
it achieved data digitally (decrease the image quality) (digital zoom).
Depth of field:
• the portion of the environment that is in focus when shown in the monitor
• to take photo of a person, use shallow depth of focus
• to take photo of the background, use greater depth of focus
• the depth of field increases as the size of the length opening decrease.
CCTV lenses have irises, which control the amount of light that enters the lengths:
• manual iris lens must adjust manually by rotating a ring around the lens.
• Auto iris should be used in environment where the light changes (outdoor).
Annunciator system: listen for noise, or detect movement, and activate electrical devices (e.g.
lights, sirens). No need for security guards to keep staring at a CCTV monitor.
Electromechanical systems: detecting a change or break in a circuit (e.g. strip of foil embedded
in window)
Page | 120
Vibration detectors can detect movement on walls, screens, ceilings, floors by fine wires
embedded into the structure.
Photoelectric systems (photometric) detects the change in light beam (used only in windowless
rooms):
• cross-sectional means that one area can have several different light beams extending
across it (e.g. using hidden mirrors to bounce back until it hits the receiver).
Vibration sensors used to detect forced entry (used in walls of vaults in banks).
Wave-pattern motion detectors differ in the frequency of the waves they monitor:
• It sends patterns and receive it back. If pattern is distributed, it means something in the
room moves.
Electrostatic IDS:
• Creates and electrostatic magnetic field made up of subatomic particles.
• Creates a balanced electrostatic field between itself and the object.
• If intruder comes within a certain range of the monitored object, there is a capacitance
change.
IDSs are:
• Expensive and require human intervention
• Require redundant and emergency power supplies
• Can be linked to a centralized security system
• Should have a fail-safe configuration (default is “activated”)
• Should detect, and be resistant to, tempering
Dogs used to detect intruders (in CISSP dogs might not be the correct choice due to human
safety).
Provisioning is the set of activities required to provide one or more new information services to
a user or group of users.
Page | 121
PAS 28000:2007 means to use a consistent approach to securing supply chain.
Mean Time Between Failures (MTBF): rely on vendor to calculate this value as they have
information on many devices than we do (it means device is repairable, if not, it’ll be called mean
time to failure MTTF).
Stripping:
• divides the data and writes it across multiple drives.
• Write is not affected. Read is improved as multiple disks being read at the same time.
Page | 122
Direct access storage device (DASD):
• a general term of magnetic disk storage devices which has been in mainframes and mini
computers (mid-range computers).
Some tape drives have minimal DASD intelligence (include multitrack tape devices that stored
specific points on the tape).
Page | 123
• Increase power saving and disk lifetime
Grid computing:
• Load-balanced parallel mean of massive computation.
• Nodes may join or leave randomly (loosely coupled systems).
• Most computers have extra CPU processing power that is not being used and can be
utilized in grid computing.
• Nodes do not trust each other and have no central control.
• Should not process sensitive data or time-sensitive applications.
Backup policy implements and indicates: what gets backed up, how often it gets backup up, and
how these processes should occur.
Contingency planning:
• Defines what should take place during and after an incident.
• Must be documented and readily available. At least 3 documents:
o Original on site
Page | 124
o Copy on site but in protective, fireproof safe.
o Copy in an offsite location.
• It should be tested (organizations must carry out exercises).
Preventive measures:
• Understand the risk
• Use the right tools
• Use the controls correctly
• Manage your configuration
• Assess your operation
Base-lining is the process of establishing the normal patterns of behavior (even used in rule-
based should be configured with what is normal for an organization).
Patch management is the process of identifying, acquiring, installing, and verifying patches for
products and systems.
Patches are software updates intended to remove vulnerability or provide new feature.
Unmanaged patches (decentralized): each software periodically checks for updates and
automatically applies them. Disadvantages:
• Requires credentials
• Difficult configuration management
• Bandwidth utilization
• Affects service availability
Page | 125
Centralized patch management:
• Best practice
• Comes in different flavors:
o Agent based: an update agent is installed on each device.
o Agentless: use some hosts to remotely connect to each device using admin
credentials and check for updates (usually uses AD objects in domain controllers
to manage patch levels).
o Passive: passively monitor the network traffic to infer the patch levels (least
effective).
Attackers are reverse engineer recent release patches to understand the vulnerability and exploit
still unpatched systems:
• Some vendors use code obfuscation to eliminate this threat.
Sandbox is an application execution environment that isolates the executing code from the
operating system to prevent security violations.
Honeyclients are synthetic applications meant to allow an attacker to conduct a client-side attack
(can be human interactive or highly automated):
• If you suspect a phishing attack, you can let a honeyclient to visit the link in the email and
pretend it is a real user.
Black holes typically are routers with rules that silently drop specific (malicious) packets without
notifying the source (render botnet useless).
Page | 126
• Hybrid team (part is dedicated and part is called upon when required).
Incident response policy should be managed by the legal department and security department.
CERT is an organization that is responsible for monitoring and advising users and companies
about security perpetration and security breaches.
If you can thwart the attack before stage four (exploitation), you stand better change of wining.
Page | 127
• Enter into a formal agreement with another facility.
Service bureau is a company that has additional space and capacity to provide applications and
services such as call centers.
Tertiary site is a secondary backup site, just in case the primary backup site is not available
(backup to the backup).
Reciprocal agreement:
• can be established with another company (usually in similar field).
• If company A have a disaster, company B offers the usage of its facility (and vice versa).
• Difficult for two companies to work in the same shared facility.
• NOT enforceable agreement.
Consortium (mutual aid agreement) is similar to reciprocal agreement but more than two
organizations agree to help one another.
Hot site is a subscription service. Redundant site is a site owned and maintained by the company.
Page | 128
Rolling hot site (mobile hot site) is a site on the back of a large truck (can be data center or
working area).
Multiple processing centers is when organization may have 10 different facilities throughout the
world, where data can be moved between them in a mater of seconds when an interruption is
detected.
Even if the company outsource a service, the organization is ultimately responsible for the
continuity of a product or service that is outsourced.
Hardware backups:
• Estimated of the hardware availability and delivery time.
• Depends on vendors SLA or purchase redundant hardware?
• Replacement of legacy systems?
Software backups:
• 2 copies: 1 (on-site) + 1 (offsite).
Software escrow:
• Where a 3rd party holds the source code, backup of the compiled code, manuals, and
others.
• Customer can have an access to the source code only if and when the vendor goes out of
business.
Executive succession planning is if someone in a senior executive position retires, leave the
company, or is killed, the organization has predetermined steps to carry out to protect the
company (e.g. deputy role).
Online backup technologies usually record the changes to a file in a transaction log, which is
separate from the original file.
Full backup:
• all data is backed up.
• Archive bit is cleared (0).
• Restoration is one step.
• Backup/restore could take along time.
Differential backup:
• Bucks up the files that have been modified since the last full backup.
• Archive bit does not change.
• Full backup restored first, followed by the most recent differential backup is put on top.
Incremental backup:
Page | 129
• Backs up all the files that have been changed since the last full backup or incremental
backup.
• Archive bit is cleared (0).
• Full backup restored first, followed by each incremental backup in order.
It is important to not mix differential and incremental backups. This overlap causes files to be
missed, since the incremental backup change the archive bit and the differential does not.
Disk duplexing:
• Means that there is more than once disk controller. If one disk controller fails, the other
is ready and available.
Disk shadowing:
• Used to ensure availability of data and to provide fault tolerance.
• Duplicating hardware and maintaining more than one copy of information.
• Provides online backup storage.
• Boost read operation performance (parallel read).
Disk mirroring:
• Each disk would have a corresponding mirrored disk that contains the exact same
information.
Electronic vaulting:
• Makes copies of the files as they are modified and periodically transmits them to an offsite
backup site.
• Takes place in batches (not real-time) (e.g. hourly, daily, weekly).
Remote journaling:
• Include moving the journal or transaction logs to the offsite facility not the actual files.
• Logs contains the deltas (changes) that have taken place to files.
• Takes place in real-time.
• Efficient for database recovery.
Tape vaulting:
• The data is sent over a serial line to a backup tape system at the offsite backup site.
• Better than manually transfer the tape.
Asynchronous replication:
• means the primary and secondary data volumes are out of sync.
• Synchronization may take place in: seconds, hours, days.
Page | 130
Synchronous replication:
• means the primary and secondary data volumes are always in sync.
• Real-time duplication.
High availability is a combination of technologies and processes that work together to ensure
that some specific thing is always up and running.
Failover means that if there is a failure that connected be handled, then processing is “switched
over” to a working system.
Reliability is the probability that a system performs the necessary function for a specified period
under defined conditions.
Insurance:
• can be taken to not take the full risk.
• The goal is to make the coverage fills in the gap in what the current preventive controls
cannot protect against.
Cyber insurance is a new type of coverage that insures losses caused by a DoD attack, malware
damages, hackers, etc.
Business interruption insurance if if the company is out of business for a certain period, the
insurance company will pay for specified expenses and lose earnings.
If the company doesn’t practice due care, the insurance company may not be legally obliged to
pay.
Restoration team is responsible for getting the alternative site into a working and functioning
environment
Salvage team is responsible for starting the recovery of the original site.
Reconstitution phase if the time for the company to move back into its original site, or new site.
The least critical function should be moved back first, to uncover any issues in network
configurations or connectivity, etc.
Structure of BCP:
• Initiation phase
• Activation phase
• Recovery phase
Page | 131
• Reconstruction phase
• Appendixes
Even acts of nature (storms, earthquakes, etc.) allow adversaries to victimize the organization.
Forensics is a science and an art that requires specialized techniques for the recovery,
authentication, and analysis of electronic data for the purposes of a digital criminal investigation
(digital evidence).
Scientific working group on digital evidence (SWGDE) aims to ensure consistency across the
forensics community.
Modus Operandi (MO) for computer criminals may include the use of specific hacking tools, or
targeting specific systems or networks. This method usually involves repetitive signature
behaviors.
Locard’s exchange principle also applies to profiling: criminal leaves something behind at the
crime scene and takes something with them.
Forensics process:
• Identification
• Preservation
• Collection
• Examination
• Analysis
• Presentation
• Decision
Exact copy of the hard drive must be taken (e.g. Forensics Toolkit, EnCase, dd Unit utility).
Page | 132
Original media should have 2 copies:
• Primary image (a control copy in the media library)
• Working image (for analysis and evidence collection)
The new media to copy the original image to, must be purged.
Chain of custody is a history that shows how evidence was collected, analyzed, transported, and
preserved in order to be presented in court.
4 characteristics of evidence:
• Relevant: must have a reasonable and sensible relationship to the findings.
• Complete: must present the whole truth of an issue.
• Sufficient/believable: persuasive enough.
• Reliable: consistent with facts.
Exigent circumstance is when a law enforcement agent collects an evidence that is not included
in the warrant.
Enticement is legal.
Interviewer of a suspect:
• should be in a position that is senior to the employee suspect.
• Held in a private place.
• No need to read person’s rights unless law enforcement officers do the interrogation.
Due care means that a company did all it could have reasonably done to prevent security
breaches (company practiced common sense and prudent management and acted responsibly).
Due diligence means that the company properly investigated all of its possible weaknesses and
vulnerability.
Page | 133
Downstream liability is where a company A sue company B because company B was negligent
and affected company A.
To prove negligence in court, the plaintiff must establish that the defendant had a legally
recognized obligation to protect data reasonably.
Proximate cause is an act or omission that naturally and directly produces a consequence (e.g.
cause to an injury).
Occupant emergency plan (OEP) describes that actions that facility occupants should take in
order to ensure their safety during an emergency situation.
S-RPC uses Diffie-Hellman public key cryptography to to determine a shared key to be used with
DES to encrypt remote procedure calls.
Parallel test ensures that specific systems moved and work at the new location, without
interfering with business operation.
Simulation test go through a simulated disaster to identify whether emergency response plans
are adequate.
Checklist test is a test where all departments are given a copy of the continuity plan. Each
department must review and confirm that the information is correct.
Slamming is when a user’s telephone service provider has been changed without that user’s
consent.
Cramming is adding on bogus charges for services that user did not request or receive.
Page | 134
First Amendment protects person’s free speech and expression.
SATAN (Security Administrator Tool for Analyzing Network) is a scanning tool that can uncover
weaknesses within a network.
Page | 135
CHAPTER 8: Software Development Security
Programmers traditionally are not educated to secure coding.
Security products can, to a certain degree, help mitigating risks rise by bad coding.
Out of the box implementations are not secure. Most security has to be configured and turned
on after installation.
Page | 136
▪ Manual testing
▪ Unit, integration, acceptance, regression testing
• Release/maintenances:
o Security topics:
▪ Final security review
If a software product is developed for a specific customer, it is common for a Statement of Work
(SOW) to be developed, which describes the product and customer requirement. This help to
make sure the requirements are properly understood and assumptions are made.
Work breakdown structure (WBS) is a project management tool which decompose the project
into tasks and subtasks.
Code review:
• Manual inspection by human.
• Can detect logical and design flaws.
Static analysis:
• Examining the code without executing the program.
• Carried out before the program is complied.
• Usually done by automated tools.
• Cannot reveal logical errors and design flaws (e.g. must be used with code review).
Dynamic analysis:
• Evaluation of a program in real-time, when it is running.
• Effective for compatibility testing, detection memory leakage, identifying dependencies.
Types of Testing:
• Unit testing: testing individual component.
• Integration testing: verifying that components work together.
Page | 137
• Acceptance testing: ensure meeting customer requirements.
• Regression testing: happen after a change is introduced to the system.
Fuzzers use complex input to impair program execution to discover flaws (e.g. buffer overflows,
DoS vulnerabilities, injection weaknesses, validation flaws).
Verification: determines if the product accurately represents and meets the specifications (did
we built the product right?).
Validation: determines if the product provides the necessary solution for the intended real-world
problem (did we built the right right?).
Waterfall model:
▪ Linear-sequential life-cycle approach.
▪ Each phase must be completed entirely before the next phase can begin.
▪ At the end of each phase, a review takes place to make sure the project is in the correct
path.
▪ All requirement gathered in the initial phase and they is no formal way to integrate new
changes or requirement (e.g. waiting for the entire project to complete).
▪ Could be useful for small projects that have all requirements fully understood.
Page | 138
▪ Verification and validation of the product at each phase and provides a formal method of
developing testing plans as each coding phase is executed.
▪ Sequential path of execution processes. Each phase must be completed before the next
phase begins.
▪ Requires testing throughout the development phases and not just waiting until the end
of the project.
▪ Adapting to changes is more difficult and expensive.
▪ Good if the requirements are understood up front and scope changes are small.
Prototyping:
▪ Prototype is a sample of software code or a model that can be developed to explore
specific approach to a problem before investing expensive time and resources.
▪ 3 different main prototype models:
o Rapid prototype (throwaway):
▪ Develop a prototype to test the validity of understanding.
▪ “quick and dirty”.
▪ Sample not meant to be built upon, but to be discarded.
o Evolutionary prototype:
▪ Build for incremental development until it reaches the final product stage.
▪ Feedback obtained through each phase is used to improve the prototype.
o Operational prototype:
▪ An extension of the evolutionary prototype method.
▪ Designed to be implemented within a production environment as it is
being tweaked.
Incremental Model:
▪ Allows the team to carry out multiple development cycles on a piece of software
throughout its development stage.
▪ Each incremental phase results in a deliverable that is an operation product.
▪ Product is available at early stages of development (flexibility).
▪ Allows for changes to take place.
▪ Testing after each operation allows errors to be identified earlier.
▪ Good if vendor wants to deliver customer a working product with basic functionality as it
works in the development of the product.
Spiral Model:
▪ An iterative approach.
▪ Emphasis on risk analysis.
▪ 4 main phases:
o Determine objectives
o Risk Analysis
o Development and test
o Plan the next iteration
▪ Allows new requirement to be addressed as they are uncovered.
Page | 139
▪ Allows for testing to take place early in the development project.
▪ Good model for complex projects that have fluid requirements.
Agile model:
▪ An umbrella for several development methodologies.
▪ Focus on incremental and iterative development methods (not prototype).
▪ Considered “lightweight”.
▪ Focuses on small increments of functional code that are created based upon business
need (not too much upfront design analysis).
▪ Promotes customer collaboration instead of contract negotiation.
▪ User story is a sentence that describes what a user wants to do and why.
▪ Development team can take parts of all of the available SDLC methods.
Scrum:
▪ The most widely adopted agile methodology today.
▪ Good for projects of any size and complexity.
▪ Vere lean and customer focused (the fact the customer needs cannot be completely
understood in the initial phase).
▪ Focus on team collaboration, customer involvement and continuous delivery.
▪ Addition, changes, removal can happen at the conclusion of each sprint.
▪ Sprint is a fixed duration development interval that is usually two weeks in length and
promises delivery of a very specific set of features.
Kanban:
▪ Developed by Toyota.
▪ Stresses visual tracking of all tasks so that the team knows what to prioritize as what point
in time (e.g. sticky notes in a conference room).
▪ Kanban wall usually divided vertically by production phase (Planned, In Progress, Done).
Exploratory model:
▪ Clearly defined project objectives have not been presented.
Page | 140
Joint Application Development (JAD):
▪ Workshop-oriented environment.
▪ Includes of members other than coders in the team (e.g. executives, experts, end-users).
Reuse model:
▪ Reusable programs are evolved by gradually modifying pre-existing prototypes to
customer specifications.
▪ Doesn’t require programs to be built from scratch.
▪ Reduces development time and cost.
Cleanroom:
▪ Attempts to prevent errors by following structured and formal methods of developing
and testing.
▪ Used for high-quality and mission-critical applications.
DevOps: development team includes software development, operations staff (IT), quality
assurance (QA).
Page | 141
▪ The company has formal processes in place to collect and analyze
quantitative data.
▪ Metrics are defined and fed into the process improvement program.
o Optimizing (continuous improvement):
▪ The company had budgeted and integrated plans for continuous process
improvement.
Change control is the process of controlling the changes that take place during the life cycle of a
system and documenting the necessary change control activities.
New code should go to the librarian. Production code should come only from the librarian and
not from a programmer or directly from a test environment.
Code repositories:
▪ Encouraged to be implemented in an isolated network (air-gaped). This enhance security
but makes it hard for external developers to collaborate and for remote access.
▪ Can be hosted in the internet, with VPN connection with an added SSH security layer.
Page | 142
o Works like black box.
o Use advanced knowledge-based processing and AI (eliminate the need of the
programing expertise).
Compliers converts high-level language statements into the necessary machine-level format
(.exe, .dll) for specific processors to understand (develop once and compile for various
platforms).
Interpreters:
▪ Interprets the application’s code into processor-specific code at run-time.
▪ Improve portability.
▪ Java source code is compiled into a bytecode. Once code wants to run, a JVM started and
has an interpreter specific for the platform it is installed on (converts bytecode into a
machine-level code).
▪ Advantages: platform independence and memory management functions are part of it.
▪ Disadvantage: cannot run as standalone as it requires the interpreter to be installed on
the local machine.
Programs written in the C language could be vulnerable to buffer overrun and format string
errors.
Java performs automatic garbage collection. C requires the developer to perform memory
management manually.
Garbage collection:
▪ Identifies blocks of memory that were used and no longer required and mark them as
free.
▪ Gathers scattered blocks of free memory and combines them into larger blocks.
Page | 143
The private portion offers data hiding.
Objects can be catalogued in a library. The library holds pointers to where the object is living
within the system or on another system.
Benefits of OOP:
▪ Modularity: autonomous objects cooperating through the exchange of messages.
▪ Deferred commitment: internal components of an object can be redefined without
changing other parts of the system.
▪ Reusability
▪ Naturalness: modeling map to business needs.
Polymorphism is where two objects can receive the same input and have different outputs
(overloading and overriding).
Object-oriented analysis (OOA) is the process of classifying objects that will be appropriate for a
solution. A problem is analyzed to determine the classes of objects to be used in the application.
Data modelling: OOA and databases are example of data modelling (e.g. attributes and
relationships).
Data structure:
▪ A representation of the logical relationship between elements of data.
▪ Can be: scalar, array, hierarchical.
Cohesion:
▪ how many different types of tasks a module can carry out.
▪ If a module carries out only one task, or very similar tasks, it is having high cohesion
(good).
▪ The higher the cohesion, the easier to update/modify a module without affecting other
modules.
▪ Easier to reuse and maintain.
Coupling:
▪ Measurement that indicates how much interaction one module requires to carry out its
tasks.
▪ High (tight) coupling means a module depends upon many other modules to carry its
tasks.
▪ Lowe coupling is good.
API specifies how software components interacts with other software components.
Page | 144
Software library is a collection of components that do specific things that are useful to many
other components.
Page | 145
Java Platform, Enterprise Edition (Java EE):
▪ Client/server model that is object-oriented and platform independent.
▪ Its inter-process communications are based upon CORBA.
▪ Java EE application server can handle scalability, concurrency, transactions, security for
the client.
▪ Focus on let developers focus on business logic.
▪ Enterprise JavaBeans (EJB) is a structural design for the implementation of distributed
applications written in Java.
Directory service when given a name, it returns the network address of the resource.
Mashup is the combination of functionality, data, and presentation capabilities of two or more
sources to provide some type of new service or functionality.
Mobile code: a code that can be transmitted across a network, to be executed by a system or
device on the other end (e.g. web browser applets: to watch video or download more contents).
Page | 146
Java applet are small components that run in a user’s web browser.
JVM is created to run the Java program or applet in a sandbox. Bad guys figured out how to
escape the confines and restrictions of the sandbox.
ActiveX:
• Microsoft technology composed of a set of SOA technologies and tools based on COM and
DCOM.
• Programmers can create ActiveX controls (similar to Java applets) the can be executed in
Windows environment.
• These controls can be automatically downloaded from websites to add extra functionality.
Also, they are also components of Windows OS itself.
• Allow web browsers to execute other software applications within the browser (e.g. play
media files, open PDF).
• The problem lay in the fact that ActiveX controls shared the privilege levels of the current
user on a system.
• ActiveX control can download further ActiveX components without user authentication.
• Comes with a component container feature that allows multiple applications and networked
computers to reuse active components.
• Unlike Java applets, ActiveX components are downloaded to the hard drive when user
chooses to add the functionality the component provides.
• Security level of the web browser dictates if the ActiveX component can be downloaded
automatically, or the user is first prompted with a warning.
• The main security different between Java applets and ActiveX controls is that Java sets up a
sandbox for the applet code to execute in, while, ActiveX uses Authenticode technology,
which relies on digital certificates and trusting certificate authorities.
• Authenticode doesn’t necessarily provide security.
Page | 147
SQL injection: instead of valid input, the attacker puts actual database commands into the input
fields.
Parameter validation where the values that are being received by the application are validated
to be within defined limits before the server application processes them within the system.
Web developers uses cookie to help server remember things of the state of the connection
(session cookie), or store details of the session locally in a file (persistent cookie).
Web proxy:
▪ A piece of software installed on a system that is designed to intercept all traffic between
the local web browser and the web server (e.g. Burp Suite).
▪ Attacker could monitor and modify information as it travels in either direction.
▪ Exploits the user of hidden fields in web pages.
Per-validation: input controls verifying data in in appropriate format prior to submission to the
application (e.g. form validation).
Session management:
▪ Most commonly used technique is to assign a unique ID (session ID).
Page | 148
▪ Using sequential session ID for clients is a mistake (attacker can guess and hijack a
session).
▪ Usage of timestamp or time-based validation will combat replay attacks.
Database management system (DBMS) is a suite of programs used to manage large sets of
structured data with ad hoc query capabilities for many types of users. It can also control the
security parameters of the database.
Transaction persistence means the database procedures carrying out transactions are durable
and reliable.
Database models:
▪ Relational:
o Attributes (columns) and Tuples (rows)
o 2-d tables
o primary key links all the data within a record to a unique value.
▪ Hierarchical:
o Combines records and fields that are related in a logical tree structure.
o The parents can have one child, many children, or no children.
o Useful to mapping one-to-many relationships.
o Not as flexible in creating relationships between data elements as in relational
database.
o Employs when building indexes for relational databased. An index can be built on
any attribute and allows for very fast searches of the data over that attribute.
o Most commonly used in Lightweight Directory Access Protocol (LDAP).
▪ Network:
o allows each data elements to have multiple parent and child records.
o Forms a redundant network-like instead of strict-tree structure.
o Allows for quick retrieval of data compared to the hierarchical model.
o Uses a construct of records and sets:
▪ A record contains fields.
▪ Sets define the one-to-many relationships between the different records.
▪ Object-oriented:
o Handles a variety of data types (images, audio, documents, video).
o More dynamic as objects can be created when needed and the data and methods
go with the object when it is requested.
o Has classes to define the attributes and procedures of its objects.
o When application queries for some data, data and a code that can carry out
procedures on this data are returned
o Doesn’t depend upon SQL for interactions.
Page | 149
▪ Object-relational:
o A relational database with a software front end that is written in an object-
oriented programming language.
o The front end provides the procedures (methods) that can be carried out on the
data, then each and every application that accesses this database doesn’t need to
have the necessary procedures.
Data dictionary:
▪ A central collection of data element definitions, schema objects, and reference keys.
▪ The schema object can contain tables, views, index, procedures, function, triggers.
▪ A data dictionary can contain default values of columns, integrity information, the name
of users, privileges and roles of users, auditing information.
▪ A tool to manage data about data (e.g. metadata).
▪ Different view settings for each user are held within the data dictionary.
Page | 150
Database can run into concurrency problems when there is data that will be accessed and
modified at the same time by different applications/users.
To ensure no concurrency problems happen, software lock can lock the table within the database
until the change happens, then release the lock.
Operations that help protects the integrity of the data within the database:
▪ Rollback:
o Operations the ends a current transaction and cancels the current changes to the
database.
▪ Commit:
o Completes a transaction and executes all changes just made by the user.
o Changes can be made to the data or schema information.
▪ Savepoints:
o Used to make sure that if a system failure occurs, or if an error is detected, the
database can attempt to return to a point before the system crashed or
hiccupped.
o Having too many savepoints can degrade the performance.
o Can be initiated by:
▪ Time intervals
▪ Specific action by the user
▪ Number of transactions or changes made
▪ Checkpoints:
o very similar to savepoints.
o When a database software fills up a certain amount of memory, a checkpoint is
initiated, which saves the data from the memory segment to a temporary file.
o If a glitch experienced, the software will try to use this information to restore the
user’s working environment to its previous state.
▪ Two-phase commit:
o Many times a transaction will require more than one database by updated during
the process (either each database is properly modified, or no modification takes
place).
o A transaction monitor will send out a “pre-commit” command to each database.
o If all databases respond with an acknowledgement, then the monitor sends out a
“commit” command to each database.
▪ Batch processing:
Page | 151
o Requests for database changes are put into a queue and activated all at once (not
the exact time the user makes the request).
Database views: permit one group, or a specific user, to see certain information while restricting
another group from viewing it altogether.
Database Polyinstantiation: enables a table that contains multiple tuples with the same primary
keys, with each instance distinguished by a security level (prevents inference attacks).
Data warehousing:
o Combines data from multiple databases or data sources into a large database for the
purpose of providing more extensive information retrieval and data analysis.
o Data is normalized (redundant information is stripped out and data is formatted in the
required format).
o Related pieces of data are summarized and correlated before being presented to the user.
Datamart:
• Collection of data from different databases or systems that fulfill a specific need (subset
of data warehouse).
Data mining:
o The process of massaging the data held in the data warehouse into more useful
information.
o It finds an association and correlation in data to produce metadata. Revealing unseen
relationships or abnormal patterns (such data must be highly protected).
o Look at complex data and simplify it using fuzzy logic (a set of theory) or expert systems
(uses AI).
o Also knows as Knowledge Discovery in Database, KDD. These approaches are used in
KDD systems to uncover patterns:
Page | 152
o Classification: group data according shared similarities
o Probabilistic: identifies interdependencies and applies probabilities to
relationships.
o Statistical: identifies relationships between data elements and uses rule
discovery.
Neural network can deal with different situations and data (can learn) (e.g. Artificial Neural
Network ANN).
Big data:
o A very large data sets with characteristics that make them unsuitable for traditional
analysis techniques.
o Includes heterogeneity, complexity, variability, lack of reliability, and sheer volume.
Some malware stored in the RAM and not a hard drive (difficult to detect).
Malware can be installed in a “drive-by download” process (victim is tricked into clicking
something malicious).
Viruses:
o a small application, or string of code, that infects software.
o It reproduces and deliver its payload and require a host application to do this. If is cannot
self-replicate they don’t fall into the category of viruses.
o It infects a file by inserting or attaching a copy of itself to the file.
o Examples: ILOVEYOU, Melissa, Naked Wife (uses Outlook or Outlook Express as host).
o Marco virus is a virus written in one of micro languages (Visual Basic, VBScript) and is
platform independent. It is extremely easy to write.
o Boot sector viruses infects the boot sector by either move data within the boot sector or
overwrite the sector with new information (initiates the virus when a system boots up).
The rest of their code in sectors on the hard drive that the virus has marked off as bad
(they’ll not get overwritten).
o Stealth virus is a virus that hides its tracks after infecting a system.
o Polymorphic virus produces varied but operational copies of itself (e.g. using different
encryption algorithms, different action sequence, include noise, use mutation engine and
random-number generator for randomization).
Page | 153
o Multipart virus has several components to it and can be distributed to different parts of
the system (e.g. infects the boot sector and the hard drive).
o Meme virus is not a computer virus, but types of email messages that are continually
forwarded around the internet (replicated by human and not software).
o Script viruses are files that are executed by an interpreter (written in VBScript and Jscript).
o Tunneling virus attempts to install itself “under” the antimalware program. When
antimalware makes a request to the OS to gather this information, the tunneling virus can
intercept this call and reply that everything is fine.
Malware components:
o Insertion: insert itself on the victim’s system
o Avoidance: avoids detection
o Eradication: removes itself after the payload has been executed
o Replication: makes copy of itself and spreads to other victims
o Trigger: uses an event to initiate its payload execution
o Payload: carries out its function
Worms:
o Can reproduce on their own without a host application (self-contained programs).
o Used to transport and deliver malicious payloads.
o Example: Stuxnet
Rootkit:
o a bundle of tools that first this usually do is installing a back-door program.
o Other tools within the rootkit used for: credentials capturing, sniffing, covering tracks.
o Replaces itself with default system tools It acts as Trojaned programs, because it carries
out the intended functionality and the malicious activities in the background.
o Log scrubbers: removes traces of the attacker’s activities from the system logs.
o Powerful rootkits update the kernel of the system (very difficult to detect). Re-installation
of the OS may be the only solution.
Spyware: gathers sensitive information about the user (e.g. logging keystrokes, taking
screenshots).
Adware: a software that automatically generates (renders) advertisements (e.g. through pop-
ups, user interface components).
Botnets:
o Bots are type of malware and are being installed on thousands of computers. It usually
lies dormant (zombie code) and waits for command instructions for activation purposes.
o The owner of the botnet called bot herder.
Page | 154
o Usually communicated through Internet Relay Chat (IRC) protocol.
o Can be used for legitimate purposes (e.g. web crawling).
o Command & Control server manages the bots.
Fast flux:
o An evasion technique. Botnets can use fast flux functionality to hide the phishing and
malware delivery sites they are using. One common method is to rapidly update DNS
information to disguise the hosting location of the malicious websites.
Logic bomb:
o Executes a program, or string of code, when a certain set of conditions is met (e.g. time
and date, after a user carries out a specific action, if forensics activities started).
Trojan Horses:
o A program that is disguised as another program (e.g. can be names Notepad.exe).
o When a user executes Notepad.exe, the program deletes system files.
o Perform useful information, as well as, malicious functionality in the background.
o Remote Access Trojans (RATs) are malicious programs that run on systems and allow
intruders to access and user a system correctly (e.g. Sakula, KjW0rm, Havex, Dark Comet).
Crimeware Toolkits:
o Can be purchased from the black market.
o Allow hackers to create their own tailored malware through a GUI.
o It provides pre-developed malicious code that can be easily customized, deployed, and
automated.
Antimalware Software:
o Traditional malware uses signatures.
o Scans files, email messages, an other data passing through specific protocols.
o Some antimalware created a virtual machine (sandbox) to assess the code (emulation
buffer).
o Signature-based detection (fingerprint detection) is effective way to detect conventional
malware, but there is a delayed response time to new threats.
o Heuristic detection analyzes the overall structure of the malicious code, evaluate the
coded instructions and logic functions. It collects information about the code and assesses
the likelihood of it being malicious in nature (e.g. uses suspiciousness counter).
Behavior blocking antimalware allows the suspicious code to execute within the OS unprotected
and watches its interactions with the OS.
Page | 155
Proactive and can detect new malwares: Heuristic detection and Behavior blocking.
Reputation-based protection: vendor collects data from many customers and mines the data to
identify good and bad files. Each file is assigned a reputation metric value.
Immunizer:
o Attaches code to the file or application, which would fool a virus into “thinking” it was
already infected (e.g. would make a file or application looks as it has been infected).
o The challenge is that the immunizer is virus specific.
Spam detection:
o Bayesian filtering reviews prior events to predict future events, which is basically
quantifying uncertainty. It carries out a frequency analysis on each word and then
evaluates the message as a whole to determine it is spam or not.
o Spams eats up a lot of network bandwidth.
o Can be the source of spreading malware.
Antimalware files that contain updates (new signatures) are called DAT files (.dat).
The scanning software can be integrated into a mail server, proxy server, or firewall (e.g. virus
walls). It can scan SMTP, HTTP, FTP, and other protocol types.
EICAR test is a file used to test the configurations of the antivirus software package.
Pseudo-flaw is code inserted into an application or OS with the sole purpose to trap intruders
who break into these systems.
Smurf attack is a DDoS in which large number of ICMP packets with the intended victim’s spoofed
source IP are broadcast to a network using an IP broadcast address. Most of devices will respond
by reply to the source IP address.
Fraggle attack is similar to Smurf attack but uses spoofed UDP traffic.
Teardrop attack is a DoS attack where an attacker is sending fragmented packets to a target
machine, and let the victim unable to reassemble the fragmented packets.
Page | 156
Good Luck!
Page | 157