22 jun 2014

CISSP: Physical Security

Perimeter defenses
Fences
Gates
Bollards
Lights
CCTV
Locks
- Key locks
- Master and core keys
Combination locks
Smart cards
Magnetic Stripe cards
Mantraps
Turnstiles
Motion detectors
Doors
Windows
Walls, floors, ceilings
Guards
Dogs
Restricted areas and escorts

Site Selection
Topography
Utility reliability
Crime

Site Design and configuration issues
Site marking
Shared tenancy
Adjacent buildings
Shared demarc

System defenses
Asset tracking
Port control
Drive and tape encryption
Media storage and transportation

Media cleaning and destruction
Paper shredders
Overwriting
Degaussing
Destruction

Environmental Control

Electrical faults
- Blackout
- Brownout
- Fault
- Surge
- Spike
- Sag

Surge protectors
Uninterruptible Power Supplies (UPS)
Electromagnetic interference
HVAC
Heat/ Humidity
Static
Corrosion
Airborne contaminants

Detectors:
Heat detectors
Smoke detectors
Flame detectors

Personal safety
Evacuation routes
- Roles:
- Procedures
Duress warning systems
Travel safety

Fire:
Class A
Class B
Class C
Class D
Class K

Suppression agents:
Water
Soda acid
Dry powder
Wet chemical
CO2
Halon
Halon substitutes: Argon, FE-13, FM-200, Inergen


Sprinkler systems
Wet pipe
Dry pipe
Deluge
Preaction
Portable fire extinguisher

CISSP: Legal, Regulations, Investigations and Compliance

Legal Systems:
Civil Law (legal system): judicial precedents do not carry the weight they do under common law
Common Law
Religious law
Customary law

Common law
criminal law
Civil law
Administrative law

Computer Crime
Computer system as a target
Computer as a tool

Intellectual property:
Trademark
Patents
Copyright
- First sale
- Fair use
Licenses
Trade secrets

Intellectual property attacks:
Counterfeiting
Dilution
Cybersquatting
Typosquatting

Privacy
Opt-out
Opt-in
EU Data Protection Directive
EU-US Safe Harbor


Forensics

Forensic Media Analysis
Allocated space
Unallocated space
Slack space
Bad blocks/clusters/sectors
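Added example, not from the original notes: a constructed 2 KiB "disk image" with 512-byte clusters. Writing a 700-byte file allocates two clusters; the unused tail of the second cluster (file slack) and the two clusters never allocated to the file still hold whatever was stored there before, which is exactly where forensic media analysis looks for residue. The old content, the new file and the cluster size are all constructed.

```python
# Added example, not from the original notes: allocated space, file slack and
# unallocated space on a constructed image, and the residue each one can hold.
CLUSTER = 512


def make_image(n_clusters, old_content):
    """Image whose every byte is residue of a previous (now deleted) file."""
    total = n_clusters * CLUSTER
    return bytearray((old_content * (total // len(old_content) + 1))[:total])


def write_file(image, data, first_cluster=0):
    """Allocate whole clusters from first_cluster and write data.
    Real file systems typically zero only up to the end of the last sector;
    the remaining sectors of the cluster keep their old bytes. This toy
    leaves the whole tail of the last cluster untouched."""
    clusters = -(-len(data) // CLUSTER)             # ceiling division
    start = first_cluster * CLUSTER
    image[start:start + len(data)] = data
    return {"first_cluster": first_cluster, "clusters": clusters, "size": len(data)}


def regions(image, entry):
    """Split the image into the file's allocated bytes, its slack, and unallocated clusters."""
    start = entry["first_cluster"] * CLUSTER
    end = start + entry["clusters"] * CLUSTER
    allocated = bytes(image[start:start + entry["size"]])
    slack = bytes(image[start + entry["size"]:end])
    unallocated = bytes(image[:start]) + bytes(image[end:])
    return allocated, slack, unallocated


def contains_residue(region, marker):
    """Keyword carving: look for a known string of the old content in a region."""
    return region.find(marker) != -1


if __name__ == "__main__":
    image = make_image(4, b"SECRET-PAYROLL-2014;")        # constructed old content
    entry = write_file(image, b"A" * 700)                  # new 700-byte file
    allocated, slack, unallocated = regions(image, entry)
    print(len(allocated), len(slack), len(unallocated))    # 700 324 1024
    print(contains_residue(slack, b"PAYROLL"),
          contains_residue(unallocated, b"PAYROLL"))       # True True
```

The file's own bytes are the allocated space; the 324 bytes after them in cluster 1 are slack; clusters 2 and 3 are unallocated. Only the allocated region is free of the old payroll data, which is why an acquisition must image the whole device rather than copy files.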

Live forensics
Network forensics

Concepts:
Evidence
Real evidence
Direct evidence
Circumstantial evidence
Corroborative evidence
Hearsay
Best evidence
Secondary evidence
Chain of custody
Entrapment
Enticement


Ethics
(ISC)² Code of Ethics
Computer Ethics Institute
IAB Ethics and the Internet

CISSP: Operations Security

Administrative Security

Personnel Controls:

Least privilege
Need to know
Separation Of duties
Rotation of duties / Job rotation
Mandatory leave/forced vacation
Non-disclosure agreement (NDA)
Background checks
Privilege monitoring

CISSP: Cryptography

Cryptography can provide confidentiality, integrity, authentication and non-repudiation.
Diffusion: the statistical structure of the plaintext is dispersed over the ciphertext (changing one plaintext bit should change about half of the ciphertext bits)
Confusion: the relationship between the key and the ciphertext is made as complex as possible (each ciphertext bit depends on many key bits)

Substitution: replace one character with another
Permutation (transposition): rearrange the characters, anagram style

Monoalphabetic cipher: one fixed substitution alphabet; susceptible to frequency analysis
Polyalphabetic cipher: several substitution alphabets selected by key position (e.g. Vigenere); flattens single-letter frequencies, but still breakable once the key length is found (Kasiski examination)


Crypto History
Egyptian hieroglyphics
Spartan scytale
Rotation Cipher: Caesar cipher, ROT-13
Vigenere cipher
Cipher disk
Jefferson disk
Book cipher and running-key cipher
Codebook
One-time pad
Vernam cipher
Purple
Enigma
SIGABA

Crypto Laws
COCOM
Wassenaar Arrangement



Symmetric Cryptography

DES: standard name for DEA (Data Encryption Algorithm); 64-bit block, 56-bit key
ECB
CBC
CFB
OFB
CTR
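Added example, not from the original notes: the two block-cipher mode properties most worth remembering from this list, shown with a stand-in block function. The stand-in is HMAC-SHA256 truncated to 16 bytes, which is a keyed pseudo-random function rather than AES or DES and is not invertible, so ECB decryption is not shown; CTR only uses the forward direction of the block function and works end to end. Keys, plaintexts and nonces are constructed.

```python
# Added example, not from the original notes: ECB leaks repeated plaintext blocks;
# CTR is secure only while (key, nonce) pairs are never reused.
import hashlib
import hmac
from collections import Counter

BLOCK = 16


def block_fn(key, block):
    """E_k(block) stand-in (HMAC-SHA256 truncated): deterministic, equal inputs give equal outputs."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pad(data):
    """PKCS#7-style padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key, plaintext):
    """ECB: each block encrypted independently, so repeated plaintext blocks show through."""
    data = pad(plaintext)
    return b''.join(block_fn(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier one (the ECB leak)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return sum(count - 1 for count in Counter(blocks).values())


def ctr_crypt(key, nonce, data):
    """CTR: XOR data with E_k(nonce || counter); the same call encrypts and decrypts."""
    assert len(nonce) == 8
    keystream = b''
    counter = 0
    while len(keystream) < len(data):
        keystream += block_fn(key, nonce + counter.to_bytes(8, 'big'))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def recover_from_nonce_reuse(ct1, ct2, known_pt1):
    """Same key and nonce twice: ct1 xor ct2 = pt1 xor pt2, so knowing pt1 reveals pt2."""
    return xor(xor(ct1, ct2), known_pt1)


if __name__ == "__main__":
    key = b'constructed-demo-key'
    pt = b'ATTACK AT DAWN!!' * 4                    # four identical 16-byte blocks
    print("duplicate ECB blocks:", repeated_blocks(ecb_encrypt(key, pt)))     # 3
    print("duplicate CTR blocks:", repeated_blocks(ctr_crypt(key, b'\x00' * 8, pt)))  # 0
    nonce = b'\x00' * 8
    c1 = ctr_crypt(key, nonce, b'transfer 100 USD')
    c2 = ctr_crypt(key, nonce, b'transfer 900 USD')          # nonce reused: fatal
    print(recover_from_nonce_reuse(c1, c2, b'transfer 100 USD'))   # b'transfer 900 USD'
```

The ECB result is the familiar "penguin" effect: the attacker learns where the plaintext repeats without touching the key. The CTR result is why counter-mode nonces must be unique per key: a reused keystream cancels out of the XOR of two ciphertexts. Note also that CTR (like any stream construction) does nothing for integrity; a flipped ciphertext bit flips the same plaintext bit, so it needs a MAC alongside.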

TDES: standard name for TDEA (Triple DES); encrypt-decrypt-encrypt (EDE) with DES keys

1TDES EDE: K1 = K2 = K3 (equivalent to single DES, kept for backward compatibility)
2TDES EDE: K1 = K3, K2 independent (112 bits of key material)
3TDES EDE: three independent keys (168 bits of key material, about 112 bits effective because of meet-in-the-middle)

AES: standard name for Rijndael; 128-bit block, 128/192/256-bit keys
ShiftRows
MixColumns
SubBytes
AddRoundKey

Blowfish and Twofish
RC5 and RC6

Asymmetric Cryptography

Asymmetric methods (the hard problems they rely on):
Factoring the product of two large primes (RSA)
Discrete logarithm (Diffie-Hellman, ElGamal, DSA)
Elliptic curve cryptography (discrete logarithm in elliptic curve groups; much shorter keys for equivalent strength)

Hash Functions
MD5
SHA1
SHA2
HAVAL

Cryptographic Attacks
Bruteforce
Social engineering
Known plaintext
Chosen plaintext and adaptive chosen plaintext
Chosen ciphertext and adaptive chosen ciphertext
Meet-in-the-middle attack
Known key
Differential cryptanalysis
Linear cryptanalysis
Side-channel attacks
Implementation attacks
Birthday attack
Key clustering
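Added example, not from the original notes: the birthday attack from the list above made concrete. Finding any two messages with the same n-bit digest takes about 2^(n/2) attempts, while finding a message for a given digest (a preimage) takes about 2^n. The target is SHA-256 truncated to a handful of bits purely so the work is visible; this is not a weakness of SHA-256 itself, and the candidate messages are constructed counters.

```python
# Added example, not from the original notes: birthday bound vs brute-force preimage
# on a truncated digest.
import hashlib
import itertools


def short_hash(data, nbits):
    """SHA-256 truncated to its top nbits (toy target, not a real-world weakness)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), 'big')
    return digest >> (256 - nbits)


def preimage_attack(target, nbits):
    """Brute force a message whose short hash equals target: ~2^nbits tries expected."""
    for i in itertools.count():
        msg = i.to_bytes(8, 'big')            # constructed candidate messages
        if short_hash(msg, nbits) == target:
            return msg, i + 1


def birthday_attack(nbits):
    """Find any two distinct messages with equal short hash: ~2^(nbits/2) tries expected."""
    seen = {}
    for i in itertools.count():
        msg = i.to_bytes(8, 'big')
        h = short_hash(msg, nbits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


if __name__ == "__main__":
    _, _, tries = birthday_attack(32)
    print(f"32-bit collision after {tries} tries (2^16 = 65536)")
    _, tries = preimage_attack(short_hash(b'hello', 20), 20)
    print(f"20-bit preimage after {tries} tries (2^20 = 1048576)")
```

This is why a hash used for signatures needs twice the output length of the security level you want (SHA-256 for 128-bit collision resistance), and why MD5 (128-bit output, so at best 2^64 birthday work even before its structural flaws) is unsuitable for signatures and certificates.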


Digital signature: provides authentication, integrity and non-repudiation (created with the signer's private key, verified with the public key)
Message Authentication Code (MAC): integrity and authentication from a shared secret key; no non-repudiation, since either holder of the key could have produced the tag
HMAC: MAC built from a hash function and a secret key
PKI
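Added example, not from the original notes, serving both the asymmetric methods list (factoring) and the digital signature entry above: textbook RSA with deliberately tiny, hand-picked primes. It shows signing with the private key and verifying with the public key, tamper detection, and that the private key falls straight out of factoring n, which is why real moduli are 2048 bits or more. There is no padding scheme (real signatures use PSS or PKCS#1 v1.5); the hash is reduced mod n only so it fits the toy modulus.

```python
# Added example, not from the original notes: toy RSA signature and the factoring
# attack that the key size has to make infeasible.
import hashlib
import math


def keygen(p, q, e=65537):
    """Public key (n, e) and private key (n, d) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                      # e * d == 1 (mod phi)
    return (n, e), (n, d)


def message_digest(message, n):
    """Hash the message, then reduce so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), 'big') % n


def sign(private_key, message):
    """Only the private key holder can compute this."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(public_key, message, signature):
    """Anyone with the public key can check it: that is what gives non-repudiation."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


def factor(n):
    """Trial division: feasible here only because n is about 2^40."""
    for p in range(3, math.isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no odd factor found")


def recover_private_key(public_key):
    """The attack: factor n, recompute phi and d from the public exponent."""
    n, e = public_key
    p, q = factor(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    pub, priv = keygen(1_000_003, 1_000_033)          # toy primes chosen by hand
    msg = b'approve payment #1042 to ACME'
    sig = sign(priv, msg)
    print("valid:", verify(pub, msg, sig))                                  # True
    print("tampered:", verify(pub, msg.replace(b'1042', b'9042'), sig))     # False
    print("private key recovered from public key:", recover_private_key(pub) == priv)  # True
```

Contrast with a MAC: with HMAC both sides hold the same key, so a verifier can only establish that "someone with the key" produced the tag. With the signature above the verifier never holds the signing key, which is what lets a third party attribute the message to the signer. The factoring step is the whole security argument: with 40-bit n it takes a fraction of a second in Python; with 2048-bit n no known method finishes.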

21 jun 2014

CISSP: BCP and DRP

Business Continuity Plan (BCP):
Business oriented. Long term, strategic.

List of plans
Disaster Recovery Plan
Continuity of Operations Plan
Business Recovery Plan
Continuity of Support Plan
Cyberincident Response Plan
Occupant Emergency Plan
Crisis Management Plan

Threats:
Natural:
Human:
Environmental:


Concepts:
RTO (Recovery Time Objective): the amount of time allowed for the recovery of a business function
RPO (Recovery Point Objective): the maximum tolerable data loss, measured in time (how far back the last usable backup may be)
WRT (Work Recovery Time): time after the RTO to verify systems and data and resume normal processing; MTD (Maximum Tolerable Downtime) = RTO + WRT

Process:
Respond
Activate team
Communicate
Assess
Reconstitution

Developing:
Project Initiation
Scope the project
Business Impact Analysis
Identify Preventive Controls
Recovery Strategy
Plan Design and Development
Implementation, Training and Testing
BCP/DRP Maintenance

Disaster Recovery Plan (DRP):
IT Focus. Short term, tactical.

Recovery Options:
Redundant Site
Hot Site
Warm Site
Cold Site
Reciprocal Agreement
Mobile Site
Subscription Service

The site should be in a geographic area that is unlikely to be negatively affected by the same disaster event
The site should have the same amount of physical access restrictions as the primary site


Test types:
Checklist
Structured Walk-Through/Tabletop
Simulation test/walkthrough drill
Parallel test/Parallel processing
Partial and complete (Full-Interrupt) test

CISSP: Software Development Security

Application Development Methods
Waterfall Model: Linear application development. Rigid phases
Sashimi model: waterfall with overlapping phases
Agile Software Development:
Scrum
Extreme Programming

Spiral Model: Designed to control Risk
Rapid Application Development: prototypes.

SDLC 
Prepare Security Plan
Initiation
Development/Acquisition
Implementation
Operation/Maintenance
Disposal

Software Vulnerabilities:
Buffer Overflow
Cross Site Scripting
Privilege escalation

Software Testing Methods
Static Testing
Dynamic Testing
WhiteBox
BlackBox

Testing Levels:
Unit Testing
Installation Testing
Integration Testing
Regression Testing
Acceptance Testing



Software Capability Maturity Model (CMM)
Initial
Repeatable
Defined
Managed
Optimizing

Database Systems
Relational:
-DDL
-DML
Hierarchical
Object Oriented

AI
Expert Systems: Knowledge base, Inference Engine
Neural Networks: Training



Issues:
Aggregation
Inference

Mobile Code
Java
ActiveX



20 jun 2014

CISSP: Security Architecture and Design

Computer Architecture:
Certification
Accreditation
Assurance
Protection Mechanisms
Trusted Computer Base
Security Modes (MAC)

Reference Monitor: abstract component that mediates all access between subjects and objects; implemented by the security kernel; must be tamper-proof, always invoked and small enough to verify
Layering: Modular tiers
Abstraction: Hidden details from the user
Domain:
Security Domain: Group of subjects and objects with similar security requirements

Covert Channel: Any communication that violates security policy.
Covert Storage Channel
Covert Timing channel
Race Conditions (TOCTOU: time-of-check to time-of-use)


Models:
MATRIX:
Take-Grant: directed graphs. State transitions (take, grant, create, remove rights).
Bell-LaPadula: Confidentiality. First mathematical model. No read up (simple security property), no write down (*-property).
Biba: Integrity. Lattice based. No read down (simple integrity), no write up (*-integrity).
Clark-Wilson: Integrity. Access to objects only through programs (well-formed transactions, separation of duties).
Information Flow Model:
Brewer and Nash: Chinese Wall model.
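Added example, not from the original notes: the read and write rules of Bell-LaPadula and Biba encoded over a simple linear lattice, with a small mediation loop in the reference-monitor style (every request checked, every decision logged). The level names and requests are constructed; in the Biba case the same labels stand for integrity levels rather than clearances.

```python
# Added example, not from the original notes: Bell-LaPadula vs Biba decisions over a
# linear lattice. Higher number = higher level.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def dominates(a, b):
    """True when level a is at least as high as level b."""
    return LEVELS[a] >= LEVELS[b]


def blp_allows(subject_level, object_level, access):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if access == "read":
        return dominates(subject_level, object_level)     # simple security property
    if access == "write":
        return dominates(object_level, subject_level)     # *-property
    raise ValueError(f"unknown access type {access!r}")


def biba_allows(subject_level, object_level, access):
    """Biba (integrity): no read down, no write up. Labels here are integrity levels."""
    if access == "read":
        return dominates(object_level, subject_level)     # simple integrity property
    if access == "write":
        return dominates(subject_level, object_level)     # *-integrity property
    raise ValueError(f"unknown access type {access!r}")


def mediate(model, requests):
    """Reference-monitor loop: every (subject, object, access) is checked and logged."""
    return [(s, o, a, model(s, o, a)) for (s, o, a) in requests]


# Constructed requests from a SECRET-level subject.
REQUESTS = [
    ("SECRET", "CONFIDENTIAL", "read"),
    ("SECRET", "TOP SECRET", "read"),
    ("SECRET", "CONFIDENTIAL", "write"),
    ("SECRET", "TOP SECRET", "write"),
]

if __name__ == "__main__":
    for name, model in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows)):
        print(name)
        for s, o, a, ok in mediate(model, REQUESTS):
            print(f"  {s:>12} {a:5} {o:<12} -> {'allow' if ok else 'deny'}")
```

The two models are mirror images: BLP lets a SECRET subject write into a TOP SECRET object (nothing leaks downward) but not read it, while Biba lets the same subject read the TOP SECRET object (higher integrity) but not write to it (a lower-integrity subject must not contaminate it). A real system that needs both properties has to run them together, which is why the two are usually taught side by side.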


Evaluation Criteria
TCSEC (Orange Book): Trusted Computer System Evaluation Criteria

TCSEC Requirements:
D: Minimal protection
C: Discretionary Protection
C1: Discretionary Security Protection
C2: Controlled Access Protection
B: Mandatory Protection
B1: Labeled Security Protection
B2: Structured protection
B3: Security Domains
A: Verified Protection
A1: Verified Design



ITSEC: Information Technology Security Evaluation Criteria

Common Criteria (ISO 15408):

EAL1: Functionally Tested
EAL2: Structurally tested
EAL3: Methodically tested
EAL4: Methodically designed, tested and reviewed
EAL5: Semi-formally designed and tested
EAL6: Semi-formally verified, designed and tested
EAL7: Formally verified, designed and tested

ST: Security Target
TOE: Target Of Evaluation
PP: Protection Profile

19 jun 2014

CISSP: Telecommunications and Network Security

Circuit-switched: Dedicated
Packet-switched:
Layered design
Private IP ranges (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

OSI Model

Application Layer
Presentation Layer
Session Layer: (SOCKS)
Transport Layer
Network Layer: Packets
Data Link layer: Frames
Physical Layer: Electrical signals

TCP/IP Model
Application: data
Transport: segment
Internet: Packet
Network Access:

Encapsulation vs demultiplexing(de-encapsulation)
48-bit MAC address (EUI-48) vs 64-bit EUI-64 (used for IPv6 interface identifiers)
IPv4 (32 bits address)
IPv6 (128 bits address)

ATM: Uses fixed length cells
HDLC vs SDLC
Frame Relay: No error recovery


Firewalls:
Packet filter:
Stateful
Proxy
Application-layer
Circuit-level

Firewall Design:
Bastion Host
Dual Homed host
Screened host
DMZ Network:
Classic DMZ: screened subnet between two firewalls
Three-legged DMZ: one firewall with three interfaces (external, internal, DMZ)

Network Attacks:

TCP SYN Flood
LAND Attack
Smurf Attack
Fraggle Attack
Teardrop Attack
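Added example, not from the original notes: detection logic for the five attacks listed above, run over a constructed list of packet records (a simplified view of what a sensor or flow collector would log). Broadcast detection assumes /24 networks and the SYN-flood threshold is illustrative; both are assumptions of this example, not part of the notes.

```python
# Added example, not from the original notes: signatures for LAND, Smurf, Fraggle,
# SYN flood and Teardrop over constructed packet records.
from collections import defaultdict


def is_broadcast(addr):
    return addr.endswith(".255")                  # constructed simplification: /24 networks only


def is_land(p):
    """LAND: a SYN whose source address equals its destination address."""
    return p["proto"] == "tcp" and p.get("flags") == "S" and p["src"] == p["dst"]


def is_smurf(p):
    """Smurf: ICMP echo request (type 8) to a broadcast address; the spoofed source is the victim."""
    return p["proto"] == "icmp" and p.get("icmp_type") == 8 and is_broadcast(p["dst"])


def is_fraggle(p):
    """Fraggle: the UDP variant, aimed at echo (7) or chargen (19) on a broadcast address."""
    return p["proto"] == "udp" and p.get("dport") in (7, 19) and is_broadcast(p["dst"])


def syn_flood_targets(packets, threshold, window):
    """Destinations receiving more than `threshold` bare SYNs within any `window` seconds."""
    syn_times = defaultdict(list)
    for p in packets:
        if p["proto"] == "tcp" and p.get("flags") == "S":
            syn_times[p["dst"]].append(p["ts"])
    targets = set()
    for dst, times in syn_times.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):               # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                targets.add(dst)
                break
    return targets


def teardrop_victims(packets):
    """Teardrop: fragments of one datagram whose byte ranges overlap (offset is in 8-byte units)."""
    frags = defaultdict(list)
    for p in packets:
        if "frag_offset" in p:
            frags[(p["src"], p["dst"], p["ip_id"])].append((p["frag_offset"] * 8, p["frag_len"]))
    victims = set()
    for (src, dst, ip_id), pieces in frags.items():
        end = 0
        for start, length in sorted(pieces):
            if start < end:                        # this fragment begins inside the previous one
                victims.add(dst)
                break
            end = start + length
    return victims


def detect(packets, syn_threshold=20, window=1.0):
    findings = set()
    for p in packets:
        if is_land(p):
            findings.add(("LAND", p["dst"]))
        if is_smurf(p):
            findings.add(("Smurf", p["dst"]))
        if is_fraggle(p):
            findings.add(("Fraggle", p["dst"]))
    findings |= {("SYN flood", d) for d in syn_flood_targets(packets, syn_threshold, window)}
    findings |= {("Teardrop", d) for d in teardrop_victims(packets)}
    return sorted(findings)


# Constructed sample traffic: one instance of each attack plus a normal handshake at the end.
SAMPLE_PACKETS = (
    [{"ts": 0.0, "proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.5", "dport": 139, "flags": "S"}]
    + [{"ts": i * 0.01, "proto": "tcp", "src": f"203.0.113.{i}", "dst": "10.0.0.10",
        "dport": 80, "flags": "S"} for i in range(30)]
    + [{"ts": 1.0, "proto": "icmp", "src": "10.0.0.20", "dst": "10.0.0.255", "icmp_type": 8},
       {"ts": 1.1, "proto": "udp", "src": "10.0.0.20", "dst": "10.0.0.255", "dport": 7},
       {"ts": 2.0, "proto": "udp", "src": "198.51.100.7", "dst": "10.0.0.30", "ip_id": 42,
        "frag_offset": 0, "frag_len": 48},
       {"ts": 2.0, "proto": "udp", "src": "198.51.100.7", "dst": "10.0.0.30", "ip_id": 42,
        "frag_offset": 3, "frag_len": 48},
       {"ts": 3.0, "proto": "tcp", "src": "10.0.0.40", "dst": "10.0.0.10", "dport": 80, "flags": "S"},
       {"ts": 3.0, "proto": "tcp", "src": "10.0.0.10", "dst": "10.0.0.40", "dport": 51000, "flags": "SA"}]
)

if __name__ == "__main__":
    for kind, target in detect(SAMPLE_PACKETS):
        print(f"{kind:10s} -> {target}")
```

Smurf and Fraggle are amplification attacks, so the "dst" that trips the rule is the broadcast address of the amplifier network while the real victim is the spoofed source; a border filter that drops directed broadcasts (and egress filtering of spoofed sources) removes both. The Teardrop check is the same overlap test a hardened IP stack performs before reassembly.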

Secure Communications:

Authentication Protocols:
PAP / CHAP:
802.1X / EAP

VPN:
PPTP / L2TP
IPSec
SSL / TLS

Wireless
WPA2: Robust Security Network
WPA2: AES + CCMP
WPA: RC4 + TKIP

CISSP: Access Control

Flow of information between subject (active entity) and object (passive entity)
Subjects: Clearance, capability
Object: Classification, ACL

Principles:
Least privilege:
Separation of duties:


Identification:
Authentication
Authorization:
Accountability:

Controls types:
Administrative
Technical (logical)
Physical

Controls categories:
Directive:
Preventive:
Detective:
Corrective:
Recovery:
Deterrent:

Types:

Mandatory Access Control (MAC): Use labels
Discretionary Access Control (DAC)
Non-discretionary Access Control

Type I: Something you Know
Type II: Something you Have
Type III: Something you Are

Biometric:
Retina: pattern can change over time (e.g. with some medical conditions); seen as privacy-invasive because a scan can reveal health information
Iris: comparatively stable over a lifetime, not invasive
Minutiae:
Type I Error: FRR (False Reject Rate)
Type II Error: FAR (False Acceptance Rate)
CER (Crossover Error Rate) or Equal Error rate
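Added example, not from the original notes: FRR, FAR and the crossover error rate computed from constructed match scores (0 to 100) for genuine users and impostors, plus the security-first way of picking a threshold. The score samples are made up for the illustration.

```python
# Added example, not from the original notes: Type I / Type II error rates as a
# function of the decision threshold, and the CER where they meet.
GENUINE = [92, 88, 95, 79, 85, 90, 72, 97, 83, 66]    # scores when the enrolled user presents
IMPOSTOR = [12, 35, 48, 22, 57, 41, 63, 30, 18, 70]   # scores when someone else presents


def frr(genuine, threshold):
    """Type I error rate: genuine users rejected because their score is below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor, threshold):
    """Type II error rate: impostors accepted because their score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover(genuine, impostor):
    """CER/EER: the first threshold where FAR and FRR are closest."""
    t = min(range(101), key=lambda t: abs(far(impostor, t) - frr(genuine, t)))
    return t, far(impostor, t), frr(genuine, t)


def threshold_for_max_far(genuine, impostor, max_far):
    """Security-first tuning: the lowest threshold whose FAR does not exceed max_far,
    together with the FRR (user inconvenience) that comes with it."""
    for t in range(101):
        if far(impostor, t) <= max_far:
            return t, far(impostor, t), frr(genuine, t)


if __name__ == "__main__":
    print("CER:", crossover(GENUINE, IMPOSTOR))                          # (67, 0.1, 0.1)
    print("FAR 0:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))       # (71, 0.0, 0.1)
    for t in (40, 60, 70, 80):
        print(f"threshold {t}: FAR {far(IMPOSTOR, t):.1f}  FRR {frr(GENUINE, t):.1f}")
```

Raising the threshold trades Type II errors for Type I errors: FAR falls and FRR climbs. The CER is the single number vendors quote to compare systems, but a deployment protecting a data centre door tunes for a low FAR and accepts the extra rejections, while a convenience use case does the opposite.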

Single Sign On (SSO)
Pro:
Cons:

Kerberos:
Symmetric crypto
KDC
AS
TGT
TGS

SESAME:

KryptoKnight

Directory Services:

Access Control Methodologies:

Centralized:
RADIUS:
DIAMETER:
CALLBACK:
CHAP
TACACS+

Smart Cards:
Contact
Contactless
Combi card

Identity Management:
Directory based
Web access management
Password management
Account management

Provisioning
Profile update

Threats:
Computing: DDoS, unauthorized software, software defects
Physical: Unauthorized access, electronic emanations
Personal: Social engineering

17 jun 2014

CISSP: Information Security Governance and Risk Management

Information Security Governance

(human) safety is always the priority

Confidentiality: Keeping secrets secret. Protect from unauthorized access.
Integrity: Complete, consistent and accurate. Integrity protection (Disallowing unauthorized alteration). Integrity Verification (Verifying accurate, complete and consistent)
  • Data Integrity: Protect information (data)
  • System Integrity: Protect a system
Availability: access to information when it is needed
CIA vs DAD (Disclosure, Alteration, Destruction)
Balance CIA with organization security needs.

Information classification:
Criteria: business value, retention policy
Level: depends (government, private sector)

Security awareness: Change user behavior
Security training: Provide skill

Policies: High-level. Mandatory (compulsory)
Procedures: Step-by-step
Standards: specific use of technology
Guidelines: Recommendations
Baselines:

Security Planning:
Operational Goals: Daily goals and objectives.
Tactical Goals: Mid-term goals
Strategic Goals: Long term goals

Roles and Responsibilities:
Senior management: Responsible
Information Security Officer:
Security Analyst
Owner:
Custodian:
User:
Auditor:

Due Care:
Due diligence:
"Prudent man rule"

Certification: Detailed inspection
Accreditation: Data owner acceptance

Risk Management:
Assets: Valuable resources. People are the most valuable asset.
Threat agent:
Threat: potentially harmful occurrence
Vulnerability: A weakness that allows a threat to cause harm
Impact (Consequences): Severity of the damage (in $).
Risk: Threat x Vulnerability
Control (countermeasure):

  • Qualitative Analysis: expert opinion, ratings such as low/medium/high (subjective)
  • Quantitative Analysis: numeric values (AV, EF, ARO, ALE, in money)
AV: Asset Value

EF: Exposure Factor
SLE: Single Loss Expectancy (AV x EF)
ARO: Annualized Rate of Occurrence
ALE: Annualized Loss Expectancy (SLE x ARO)
ROI / cost-benefit of a safeguard: ALE before the safeguard - ALE after the safeguard - annual cost of the safeguard (positive means the safeguard pays for itself)
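Added example, not from the original notes: the quantitative formulas above carried through to a safeguard decision. A safeguard may lower the ARO (prevention) or the EF (limiting the loss per incident); the one worth buying is the one with the highest positive value, and if none is positive the right choice is to accept the risk. The asset value, EF, ARO and safeguard figures are constructed.

```python
# Added example, not from the original notes: AV, EF, SLE, ARO and ALE turned into a
# cost/benefit ranking of candidate safeguards.

def sle(asset_value, exposure_factor):
    """Single Loss Expectancy: loss from one occurrence."""
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annualized Loss Expectancy: expected loss per year."""
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(ale_before, ale_after, annual_cost):
    """What the safeguard saves per year minus what it costs per year."""
    return ale_before - ale_after - annual_cost


def evaluate(asset_value, ef, aro, safeguards):
    """Value of each candidate; a candidate may change ARO, EF or both."""
    before = ale(asset_value, ef, aro)
    values = {}
    for name, s in safeguards.items():
        after = ale(asset_value, s.get("ef_after", ef), s.get("aro_after", aro))
        values[name] = safeguard_value(before, after, s["annual_cost"])
    return before, values


def best_safeguard(values):
    """Highest positive value wins; None means no candidate is worth it (accept the risk)."""
    name, value = max(values.items(), key=lambda kv: kv[1])
    return name if value > 0 else None


# Constructed scenario: a server valued at 200,000; a compromise costs 45% of its value
# (EF 0.45) and is expected once every two years (ARO 0.5).
ASSET_VALUE, EF, ARO = 200_000, 0.45, 0.5
SAFEGUARDS = {
    "web application firewall": {"annual_cost": 15_000, "aro_after": 0.1},   # fewer incidents
    "hourly backups":           {"annual_cost": 8_000,  "ef_after": 0.10},   # smaller loss each time
    "premium monitoring":       {"annual_cost": 45_000, "aro_after": 0.05},  # costs more than it saves
}

if __name__ == "__main__":
    before, values = evaluate(ASSET_VALUE, EF, ARO, SAFEGUARDS)
    print("ALE without safeguards:", before)            # 45000.0
    for name, v in values.items():
        print(f"  {name}: {v:+.0f} per year")
    print("choose:", best_safeguard(values))            # hourly backups
```

The ranking is only as good as the inputs: EF and ARO are estimates, so in practice the numbers are run with a pessimistic and an optimistic set and a safeguard is preferred when it stays positive under both.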

Risk Choices:
Accept
Mitigate
Transfer
Avoid