Perimeter defenses
Fences
Gates
Bollards
Lights
CCTV
Locks
- Key locks
- Master and core keys
Combination locks
Smart cards
Magnetic Stripe cards
Mantraps
Turnstiles
Motion detectors
Doors
Windows
Walls, floors, ceilings
Guards
Dogs
Restricted areas and escorts
Site Selection
Topography
Utility reliability
Crime
Site Design and configuration issues
Site marking
Shared tenancy
Adjacent buildings
Shared demarc
System defenses
Asset tracking
Port control
Drive and tape encryption
Media storage and transportation
Media cleaning and destruction
Paper shredders
Overwriting
Degaussing
Destruction
Environmental Control
Electrical faults
- Blackout
- Brownout
- Fault
- Surge
- Spkie
- Sag
Surge protectors
Uninterruptible Power Supplies (UPS)
Electromagnetic interference
HVAC
Heat/ Humidity
Static
Corrosion
Airbone contaminants
Detectors:
Heat detectors
Smoke detectors
Flame detectors
Personal safety
Evacuation routes
- Roles:
- Procedures
Duress warning systems
Travel safety
Fire:
Class A
Class B
Class C
Class D
Class K
Suppression agents:
Water
Soda acid
Dry powder
Wet chemical
CO2
Halon
Halon subtitutes: Argon, FE-13, FM200, Inergen
Sprinkler systems
Wet pipe
Dry pipe
Deluge
Preaction
Portable fire extinguisher
22 jun 2014
CISSP: Legal, Regulations, Investigations and Compliance
Legal Systems:
Civil Law (legal system): judicial precedents do not carry the weight they do under common law
Common Law
Religious law
Customary law
Common law
criminal law
Civil law
Administrative law
Computer Crime
Computer system as a target
Computer as a tool
Intellectual property:
Trademark
Patents
Copyright
- First sale
- Fair use
Licenses
Trade secrets
Intellectual property attacks:
Counterfeiting
Dilution
Cybersquatting
Typosquatting
Privacy
Opt-out
Opt-in
EU Dataprotection Directive
EU-US safe harbor
Forensics
Forensic Media Analysis
Allocated space
Unallocated space
Slack space
Bad blocks/clusters/sectors
Live forensics
Network forensics
Concepts:
Evidence
Real evidence
Direct evidence
Circumstantial evidence
Corroborative evidence
Hearsay
Best evidence
Secondary evidence
Chain of custody
Entrapment
Enticement
Ethics
ISC Code of ethic
Computer Ethics Institute
IAB Ethics and the Internet
Civil Law (legal system): judicial precedents do not carry the weight they do under common law
Common Law
Religious law
Customary law
Common law
criminal law
Civil law
Administrative law
Computer Crime
Computer system as a target
Computer as a tool
Intellectual property:
Trademark
Patents
Copyright
- First sale
- Fair use
Licenses
Trade secrets
Intellectual property attacks:
Counterfeiting
Dilution
Cybersquatting
Typosquatting
Privacy
Opt-out
Opt-in
EU Dataprotection Directive
EU-US safe harbor
Forensics
Forensic Media Analysis
Allocated space
Unallocated space
Slack space
Bad blocks/clusters/sectors
Live forensics
Network forensics
Concepts:
Evidence
Real evidence
Direct evidence
Circumstantial evidence
Corroborative evidence
Hearsay
Best evidence
Secondary evidence
Chain of custody
Entrapment
Enticement
Ethics
ISC Code of ethic
Computer Ethics Institute
IAB Ethics and the Internet
CISSP: Operations Security
Administrative Security
Personnesl Controls:
Leats Privilege
Need to know
Separation Of duties
Rotation of duties?Job rotation
Mandatory leave/forced vacation
Non-disclosure agreement (NDA)
Backgroud checks
Privilege monitoring
Personnesl Controls:
Leats Privilege
Need to know
Separation Of duties
Rotation of duties?Job rotation
Mandatory leave/forced vacation
Non-disclosure agreement (NDA)
Backgroud checks
Privilege monitoring
CISSP: Cryptography
Cryptography can provide confidentiality and integrity.
Diffusion: Plaintext should be diffused (disperser)
Confusion: relation between plaintext and ciphertext should be confused (or random)
Substitution: Replace one character for another
Permutation (transposition): Anagram style
Monoalphabetic cipher: susceptible to frequency analysis
Polyalphabetic cipher.
Crypto History
Egyptian hieroglyphics
Spartan scytale
Rotation Cipher: Caesar cipher, ROT-13
Vigenere cipher
Cipher disk
Jefferson disk
Book cipher and running-key cipher
Codebook
One-time pad
Vernam cipher
Purple
Enigma
SIGABA
Crypto Laws
COCOM
Wassenaar Arrangement
Symmetric Cryptography
DES: Standard name that describes DEA (Data Encryption Algorithm)
ECB
CBC
CFB
OFB
CTR
TDES: Standar name that describe TDEA
1TDES EDE
2TDES EDE
3TDES EDE
AES: Standar name that describe Rijndael
ShiftRows
MixColumns
SubBytes
AddRoundKey
Blowfish and Twofish
RC5 and RC6
Asymmetric Cryptography
Asymetric methods:
Factoring prime numbers
Discrete logarithm
Elliptic curve cryptography
Hash Functions
MD5
SHA1
SHA2
HAVAL
Cryptographic Attacks
Bruteforce
Social engineering
Known plaintext
Chosen plaintext and adaptive chosen plaintext
Chosen ciphertext and adaptive chosen plantext
Meet-in-the-middle attack
Know Key
Differential cryptanalysis
Linear cryptanalysis
Side-channel attacks
Implementation attacks
Birthday attack
Key clustering
Digital Signature: Provide authentication and integrity, non-repudiation
Message Authenticate Code (MAC)
HMAC
PKI
Diffusion: Plaintext should be diffused (disperser)
Confusion: relation between plaintext and ciphertext should be confused (or random)
Substitution: Replace one character for another
Permutation (transposition): Anagram style
Monoalphabetic cipher: susceptible to frequency analysis
Polyalphabetic cipher.
Crypto History
Egyptian hieroglyphics
Spartan scytale
Rotation Cipher: Caesar cipher, ROT-13
Vigenere cipher
Cipher disk
Jefferson disk
Book cipher and running-key cipher
Codebook
One-time pad
Vernam cipher
Purple
Enigma
SIGABA
Crypto Laws
COCOM
Wassenaar Arrangement
Symmetric Cryptography
DES: Standard name that describes DEA (Data Encryption Algorithm)
ECB
CBC
CFB
OFB
CTR
TDES: Standar name that describe TDEA
1TDES EDE
2TDES EDE
3TDES EDE
AES: Standar name that describe Rijndael
ShiftRows
MixColumns
SubBytes
AddRoundKey
Blowfish and Twofish
RC5 and RC6
Asymmetric Cryptography
Asymetric methods:
Factoring prime numbers
Discrete logarithm
Elliptic curve cryptography
Hash Functions
MD5
SHA1
SHA2
HAVAL
Cryptographic Attacks
Bruteforce
Social engineering
Known plaintext
Chosen plaintext and adaptive chosen plaintext
Chosen ciphertext and adaptive chosen plantext
Meet-in-the-middle attack
Know Key
Differential cryptanalysis
Linear cryptanalysis
Side-channel attacks
Implementation attacks
Birthday attack
Key clustering
Digital Signature: Provide authentication and integrity, non-repudiation
Message Authenticate Code (MAC)
HMAC
PKI
21 jun 2014
CISSP: BCP and DRP
Business Continuity Plan (BCP):
Business oriented. Long term, strategic.
List of plans
Disaster Recovery Plan
Continuity of Operations Plan
Business Recovery Plan
Continuity of Support Plan
Cyberincident Response Plan
Occupant Emergency Plan
Crisis Management Plan
Threats:
Natural:
Human:
Environmental:
Concepts:
RTO: the amount of time allowed for the recovery of a business function
RPO
WRT
Process:
Respond
Activate team
Communicate
Assess
Reconstitution
Developing:
Project Initiation
Scope the project
Business Impact Analysis
Identify Preventive Controls
Recovery Strategy
Plan Design and Development
Implementation, Training and Testing
BCP/DRP Maintenance
Disaster Recovery Plan (DRP):
IT Focus. Short term, tactical.
Recovery Options:
Redundant Site
Hot Site
Warm Site
Cold Site
Reciprocal Agreement
Mobile Site
Subscription Service
The site should be in a geographic area that is unlikely to be negatively affected by the same disaster event
The site should have the same amount of physical access restrictions as the primary site
Test types:
Checklist
Structured Walk-Througth/Tabletop
Simulation test/walkthrough drill
Parallel test/Parallel processing
Partial and complete (Full-Interrupt) test
Business oriented. Long term, strategic.
List of plans
Disaster Recovery Plan
Continuity of Operations Plan
Business Recovery Plan
Continuity of Support Plan
Cyberincident Response Plan
Occupant Emergency Plan
Crisis Management Plan
Threats:
Natural:
Human:
Environmental:
Concepts:
RTO: the amount of time allowed for the recovery of a business function
RPO
WRT
Process:
Respond
Activate team
Communicate
Assess
Reconstitution
Developing:
Project Initiation
Scope the project
Business Impact Analysis
Identify Preventive Controls
Recovery Strategy
Plan Design and Development
Implementation, Training and Testing
BCP/DRP Maintenance
Disaster Recovery Plan (DRP):
IT Focus. Short term, tactical.
Recovery Options:
Redundant Site
Hot Site
Warm Site
Cold Site
Reciprocal Agreement
Mobile Site
Subscription Service
The site should be in a geographic area that is unlikely to be negatively affected by the same disaster event
The site should have the same amount of physical access restrictions as the primary site
Test types:
Checklist
Structured Walk-Througth/Tabletop
Simulation test/walkthrough drill
Parallel test/Parallel processing
Partial and complete (Full-Interrupt) test
CISSP: Software Development Security
Application Development Methods
Waterfall Model: Linear application development. Rigid phases
Sashimi model:
Agile Software Development:
Scrum
Extreme Programming
Spiral Model: Designed to control Risk
Rapid Application Development: Protypes.
SDLC
Prepare Security Plan
Initiation
Development/Adquisition
Implementation
Operation/Maintenance
Disposal
Software Vulnerabilities:
Buffer Overflow
Cross Site Scripting
Privilege escalation
Software Testing Methods
Static Testing
Dynamic Testing
WhiteBox
BlackBox
Testing Levels:
Unit Testing
Installation Testing
Integration Testing
Regression Testing
Acceptance Testing
Software Capability Maturity Model (CCM)
Initial
Repeatable
Defined
Managed
Optimizing
Database Systems
Relational:
-DDL
-DML
Hierarchical
Object Oriented
IA
Expert Systems: Knowledge base, Inference Engine
Neural Networks: Training
Issues:
Aggregation
Inference
Mobile Code
Java
ActiveX
Waterfall Model: Linear application development. Rigid phases
Sashimi model:
Agile Software Development:
Scrum
Extreme Programming
Spiral Model: Designed to control Risk
Rapid Application Development: Protypes.
SDLC
Prepare Security Plan
Initiation
Development/Adquisition
Implementation
Operation/Maintenance
Disposal
Software Vulnerabilities:
Buffer Overflow
Cross Site Scripting
Privilege escalation
Software Testing Methods
Static Testing
Dynamic Testing
WhiteBox
BlackBox
Testing Levels:
Unit Testing
Installation Testing
Integration Testing
Regression Testing
Acceptance Testing
Software Capability Maturity Model (CCM)
Initial
Repeatable
Defined
Managed
Optimizing
Database Systems
Relational:
-DDL
-DML
Hierarchical
Object Oriented
IA
Expert Systems: Knowledge base, Inference Engine
Neural Networks: Training
Issues:
Aggregation
Inference
Mobile Code
Java
ActiveX
20 jun 2014
CISSP: Security Architecture and Design
Computer Architecture:
Certification
Accreditation
Assurance
Protection Mechanisms
Trusted Computer Base
Security Modes (MAC)
Reference Monitor: Kernel mediates all access between subjects and objects
Layering: Modular tiers
Abstraction: Hidden details from the user
Domain:
Security Domain: Group of subjects and objects with similar security requirements
Covert Channel: Any communication that violates security policy.
Covert Storage Channel
Covert Timing channel
Race COnditions (TOCTOU)
Models:
MATRIX:
Take Grant: Direct graphs. State transitions.
Bell-LaPadula: Confidentiality. First Mathematical model.
BIBA: Integrity. Lattice based.
Clark Wilson: Integrity. Access to object throught programs.
Information Flow Model:
Brewer and Nash: Chinese Wall model.
Evaluation Criteria
TCSEC (Orange Book): Trusted Computer System Evaluation Criteria
TCSEC Requirements:
D: Minimal protection
C: Discretionary Protection
C1: Discretionary Security Protection
C2: Controlled Access Protection
B: Mandatory Protection
B1: Labeled Security Protection
B2: Structured protection
B3: Security Domains
A: Verified Protection
A1: Verified Design
ITSEC: Information Technology Security Evaluation Criteria
Common Criteria (ISO 15408):
EAL1: Functionally Tested
EAL2: Structurally tested
EAL3: Methodically tested
EAL4: Methodically designed, tested and reviewed
EAL5: Semi-formally designed and tested
EAL6: Semi-formally verified, designed and tested
EAL7: Formally verified, designed and tested
ST: Security Target
TOE: Target Of Evaluation
PP: Protection Profile
Certification
Accreditation
Assurance
Protection Mechanisms
Trusted Computer Base
Security Modes (MAC)
Reference Monitor: Kernel mediates all access between subjects and objects
Layering: Modular tiers
Abstraction: Hidden details from the user
Domain:
Security Domain: Group of subjects and objects with similar security requirements
Covert Channel: Any communication that violates security policy.
Covert Storage Channel
Covert Timing channel
Race COnditions (TOCTOU)
Models:
MATRIX:
Take Grant: Direct graphs. State transitions.
Bell-LaPadula: Confidentiality. First Mathematical model.
BIBA: Integrity. Lattice based.
Clark Wilson: Integrity. Access to object throught programs.
Information Flow Model:
Brewer and Nash: Chinese Wall model.
Evaluation Criteria
TCSEC (Orange Book): Trusted Computer System Evaluation Criteria
TCSEC Requirements:
D: Minimal protection
C: Discretionary Protection
C1: Discretionary Security Protection
C2: Controlled Access Protection
B: Mandatory Protection
B1: Labeled Security Protection
B2: Structured protection
B3: Security Domains
A: Verified Protection
A1: Verified Design
ITSEC: Information Technology Security Evaluation Criteria
Common Criteria (ISO 15408):
EAL1: Functionally Tested
EAL2: Structurally tested
EAL3: Methodically tested
EAL4: Methodically designed, tested and reviewed
EAL5: Semi-formally designed and tested
EAL6: Semi-formally verified, designed and tested
EAL7: Formally verified, designed and tested
ST: Security Target
TOE: Target Of Evaluation
PP: Protection Profile
19 jun 2014
CISSP: Telecommunications and Network Security
Circuit-switched: Dedicated
Packet-switched:
Layered design
Private IP range:
OSI Model
Application Layer
Presentation Layer
Session Layer: (SOCKS)
Transport Layer
Network Layer: Packets
Data Link layer: Frames
Physical Layer: Electrical signals
TCP/IP Model
Application: data
Transport: segment
Internet: Packet
Network Access:
Encapsulation vs demultiplexing(de-encapsulation)
48bits MAC address vs EUI64 MAC address
IPv4 (32 bits address)
IPv6 (128 bits address)
ATM: Uses fixed length cells
HDLC vs SDLC
Frame Relay: No error recovery
Firewalls:
Packet filter:
Stateful
Proxy
Application-layer
Circuit-level
Firewall Design:
Bastion Host
Dual Homed host
Screened host
DMZ Network:
Classic DMZ: screened subnet dual firewall. Two firewalls
Three-legged DMZ: One firewall
Network Attacks:
TCP SYN Flood
LAND Attack
Smurf Attack
Fragle Attack
Teardrop Attack
Secure Communications:
Authentication Protocols:
PAP / CHAP:
801.1X / EAP
VPN:
PPTP / L2TP
IPSec
SSL / TLS
Wireless
WPA2: Robust Security Network
WPA2: AES + CCMP
WPA: RC4 + TKIP
Packet-switched:
Layered design
Private IP range:
OSI Model
Application Layer
Presentation Layer
Session Layer: (SOCKS)
Transport Layer
Network Layer: Packets
Data Link layer: Frames
Physical Layer: Electrical signals
TCP/IP Model
Application: data
Transport: segment
Internet: Packet
Network Access:
Encapsulation vs demultiplexing(de-encapsulation)
48bits MAC address vs EUI64 MAC address
IPv4 (32 bits address)
IPv6 (128 bits address)
ATM: Uses fixed length cells
HDLC vs SDLC
Frame Relay: No error recovery
Firewalls:
Packet filter:
Stateful
Proxy
Application-layer
Circuit-level
Firewall Design:
Bastion Host
Dual Homed host
Screened host
DMZ Network:
Classic DMZ: screened subnet dual firewall. Two firewalls
Three-legged DMZ: One firewall
Network Attacks:
TCP SYN Flood
LAND Attack
Smurf Attack
Fragle Attack
Teardrop Attack
Secure Communications:
Authentication Protocols:
PAP / CHAP:
801.1X / EAP
VPN:
PPTP / L2TP
IPSec
SSL / TLS
Wireless
WPA2: Robust Security Network
WPA2: AES + CCMP
WPA: RC4 + TKIP
CISSP: Access Control
Flow of information between subject (active entity) and object (passive entity)
Subjects: Clearance, capability
Object: Clasiffication, ACL
Principles:
Least privilege:
Separation of duties:
Identification:
Authentication
Authorization:
Accountability:
Controls types:
Administrative
Technical (logical)
Physical
Controls categories:
Directive:
Preventive:
Detective:
Corrective:
Recovery:
Deterrent:
Types:
Mandatory Access Control (MAC): Use labels
Discretionary Access Control (DAC)
Non-discretionary Access Control
Type I: Something you Know
Type II: Something you Have
Type III: Something you Are
Biometric:
Retina: Change over time, Invasion privacy
Iris: Remains (comparatively), not invasive
Minutiae:
Type I Error: FRR (False Reject Rate)
Type II Error: FAR (False Acceptance Rate)
CER (Crossover Error Rate) or Equal Error rate
Single Sign On (SSO)
Pro:
Cons:
Kerberos:
Symetric crypto
KDC
AS
TGT
TGS
SESAME:
KRYPTONIGHT
Directory Services:
Access Control Methodologies:
Centralized:
RADIUS:
DIAMETER:
CALLBACK:
CHAP
TACACS+
Smart Cards:
Contact
Contactless
Combi card
Identity Management:
Directory based
Web access management
Password management
Account management
Provisioning
Profile update
Threats:
Computing: DDOS, Unauthorized software, Software defects
Physical: Unauthorized access, electronic emanations
Personal: Social engineering
Subjects: Clearance, capability
Object: Clasiffication, ACL
Principles:
Least privilege:
Separation of duties:
Identification:
Authentication
Authorization:
Accountability:
Controls types:
Administrative
Technical (logical)
Physical
Controls categories:
Directive:
Preventive:
Detective:
Corrective:
Recovery:
Deterrent:
Types:
Mandatory Access Control (MAC): Use labels
Discretionary Access Control (DAC)
Non-discretionary Access Control
Type I: Something you Know
Type II: Something you Have
Type III: Something you Are
Biometric:
Retina: Change over time, Invasion privacy
Iris: Remains (comparatively), not invasive
Minutiae:
Type I Error: FRR (False Reject Rate)
Type II Error: FAR (False Acceptance Rate)
CER (Crossover Error Rate) or Equal Error rate
Single Sign On (SSO)
Pro:
Cons:
Kerberos:
Symetric crypto
KDC
AS
TGT
TGS
SESAME:
KRYPTONIGHT
Directory Services:
Access Control Methodologies:
Centralized:
RADIUS:
DIAMETER:
CALLBACK:
CHAP
TACACS+
Smart Cards:
Contact
Contactless
Combi card
Identity Management:
Directory based
Web access management
Password management
Account management
Provisioning
Profile update
Threats:
Computing: DDOS, Unauthorized software, Software defects
Physical: Unauthorized access, electronic emanations
Personal: Social engineering
17 jun 2014
CISSP: Information Security Governance and Risk Management
Information Security Governance
(human) safety is always the priority
Confidentiality: Keeping secrets secret. Protect from unauthorized access.
Integrity: Complete, consistent and accurate. Integrity protection (Disallowing unauthorized alteration). Integrity Verification (Verifying accurate, complete and consistent)
CIA vs DAD (Disclosure, Alteration, Destruction)
Balance CIA with organization security needs.
Information classification:
Criteria: Bussiness value, retention policy
Level: depends (goverment, private sector)
Security awareness: Change user behavior
Security training: Provide skill
Policies: High-level. Mandatory (compulsory)
Procedures: Step-by-step
Standars: Specific use of technology
Guidelines: Recommendations
Baselines:
Security Planning:
Operational Goals: Daily goals and objectives.
Tactical Goals: Mid-term goals
Strategic Goals: Long term goals
Roles and Responsibilities:
Senior management: Responsible
Information Security Officer:
Security Analyst
Owner:
Custodian:
User:
Auditor:
Due Care:
Due diligence:
"Prudent man rule"
Certification: Detailed inspection
Accreditation: Data owner acceptance
Risk Management:
Assets: Valuable resources. People are the most valuable asset.
Threat agent:
Threat: Potentially harmfull ocurrence
Vulnerability: A weakness that allows a threat to cause harm
Impact (Consequences): Severity of the damage (in $).
Risk: Threat x Vulnerability
Control (countermeasure):
ARO: Annual Rate of Occurrence
ALE: Annualized Loss Expectancy (SLE x ARO)
ROI: Amount of money saved by implementing a safeguard
Risk Choices:
Accept
Mitigate
Transfer
Avoid
(human) safety is always the priority
Confidentiality: Keeping secrets secret. Protect from unauthorized access.
Integrity: Complete, consistent and accurate. Integrity protection (Disallowing unauthorized alteration). Integrity Verification (Verifying accurate, complete and consistent)
- Data Integrity: Protect information (data)
- System Integrity: Protect a system
CIA vs DAD (Disclosure, Alteration, Destruction)
Balance CIA with organization security needs.
Information classification:
Criteria: Bussiness value, retention policy
Level: depends (goverment, private sector)
Security awareness: Change user behavior
Security training: Provide skill
Policies: High-level. Mandatory (compulsory)
Procedures: Step-by-step
Standars: Specific use of technology
Guidelines: Recommendations
Baselines:
Security Planning:
Operational Goals: Daily goals and objectives.
Tactical Goals: Mid-term goals
Strategic Goals: Long term goals
Roles and Responsibilities:
Senior management: Responsible
Information Security Officer:
Security Analyst
Owner:
Custodian:
User:
Auditor:
Due Care:
Due diligence:
"Prudent man rule"
Certification: Detailed inspection
Accreditation: Data owner acceptance
Risk Management:
Assets: Valuable resources. People are the most valuable asset.
Threat agent:
Threat: Potentially harmfull ocurrence
Vulnerability: A weakness that allows a threat to cause harm
Impact (Consequences): Severity of the damage (in $).
Risk: Threat x Vulnerability
Control (countermeasure):
- Qualitative Analysis: Values
- Quantitative Analysis: Expert Opinion (subjective)
EF: Exposure Factor
SLE: Single Loss Expectancy (AV x EF)ARO: Annual Rate of Occurrence
ALE: Annualized Loss Expectancy (SLE x ARO)
ROI: Amount of money saved by implementing a safeguard
Risk Choices:
Accept
Mitigate
Transfer
Avoid
Suscribirse a:
Entradas (Atom)