CISSP Flashcards
RMM mnemonic
[After People Die I’m Out] (Adhoc, Preliminary, Defined, Integrated, Optimized)
ISC2 Code of Ethics Preamble
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.
ISC2 Code of Ethics Canons
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
Bell-LaPadula
Confidentiality (MAC)
Simple Security Property - No Read Up
* Security Property - No Write Down
Strong * Property - No Read or Write UP and Down
BIBA
Integrity (MAC)
Simple Integrity Axiom - No Read Down
* Integrity Axiom - No Write Up
Invocation - NRU,NWU
Lattice Based, who, when, type of access control, concerned with restricting…, based on the interaction between… , diagram
(Denning 1976) (MAC)
restrict information flow,
based on the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups or organizations)
TS1,2
TS1 TS2
S1,2
S1 S2
TS
S
Graham Denning, based on what other model?, what type of systems?, what does it show mainly?, what else does it address, functions
EDSA
(Extended LBAC)
Distributed Systems
Shows how subjects and objects should be securely created and deleted.
It also addresses how to Assign specific access rights.
Graham and GA are associated
1 TA
2 GA
3 DA
4 RO
5 CO
6 DO
7 CS
8 DS
Harrison Ruzzo Ullman, extended from what other model?, access control type, used for…, functions
Extended GD
DAC
Operating System level Subjects = Objects
1 CO
2 CS
3 DS
4 DO
5 ERAM (enter right into access matrix)
6 DRAM (delete right from access matrix)
Clark Wilson, description, used to ensure data… and … using … to ensure the system maintains … …, provides (2)
CW (consistent state / well formed transactions)
Integrity - Separates Users Well Formed Transactions
Subjects / Programs / Objects
Consistent State -> Consistent State
Provides: Separation of Duties and Data Integrity
Brewer Nash / Chinese Wall / Information Barriers, constructed to provide information … … controls that can … …
Info Flow
N conflict of interest
constructed to provide information security access controls that can change dynamically
Non-Interference definition
actions at higher sec levels don’t affect lower levels subject knowledge of system state
Take Grant, used in the field of computer security to … or … the … of a given … … that follows … rules, diagram
used in the field of computer security to establish or disprove the safety of a given computer system that follows specific rules.
S1
t
S2 g S3
c/r
O
Zachman Framework, used for, by establishing 6 frameworks for whom (6)
provides a means of classifying an organization’s architecture
6 Frameworks (What, How, Where, Who, When, Why)
mapped to rules for Planner, Owner, Designer, Builder, Programmer, User
Cybersecurity Evaluation Methods, Certification, Accreditation
Historical and current (4 items total)
1980’s DoD Orange Book - Trusted Computer Systems (retired)
1980’s Dod Red Book - Trusted Networks (retired)
ITSEC (Europe) 1st International, references Orange Book (retired)
ISO / IEC 15408 (International Common Criteria)
International Common Criteria
EAL’s
Mnemonic
[Footbal Seams Mostly Mean Says Silly Fools]
1F Functionally Tested
2S Structurally Tested
3M Methodically Tested
4M Methodically Designed and Tested
5S Semi-formally Tested
6S Semi-formally Designed and Tested
7F Formally Designed and Tested
Need to know
employes who don’t need to know shouldn’t access (even if they can access)
While” need to know” indicates the user has a legitimate reason to access something, least privilege is the enforcement method that limits access to that something, and what the user can do with that something.
need to know predicates invocation of least privilege
Secure / Security Design Principles detail on usage (4), one has 7 characteristics
Trust but Verify (security perimeter, outside perimter not trusted, once inside trusted)
Zero Trust (no security perimeter, always verify - best for clouds)
Privacy by design (proactive, default, embedded, full functionality, end to end, visibility / transparency, respect for privacy) PED FEVR
Share responsibility (shared with cloud provider)
Security Domains (Modes) for Hardware access (5)
Kernel mode / Supervisor mode - unrestricted access to hardware
User mode / problem mode - no direct access to hardware only access via API
Open systems - components built with open standards (tested but open to common vulnerabilities)
Closed systems - proprietary hardware and software (not tested but not open to common vulnerabilities)
Ring Model from -1 (hypervisor), 0 (kernel), 1, 2 (drivers), 3 (applications)
TPM, what does it mean,
what is it,
functions provided (5),
ties … … to … to prevent …,
can also be used to … the … … to prevent …,
2 keys in persistent memory,
3 keys in versatile memory,
what is each key used for
Trusted Platform Module
international standard for a secure cryptoprocessor -
functions:
RNG (random number gen),
encryption,
hashing,
secure key storage,
boot integrity
ties hard drive to system to prevent tampering
can also be used to “seal” the system configuration in order to prevent tampering
keys: EaSy / P A Ss
2 keys in persistent memory:
EK - endorsement key ensures the authenticity of the TPM
SRK - storage root key, master key to secure other keys stored in TPM
3 keys in versatile memory:
PCR - used to store hashes for sealing
AIK - Attestation Identity Keys - used for attestation of TPM chip, AIK ensures integrity of EK
Storage Keys - used to encrypt storage
monolithic kernel
one static executable run in supervisor mode
DCS
distributed control systems, computerized control system with distributed, autonomous controllers 1000’s+
XOR
add key to plain text to create cipher text
always done in binary 0’s and 1’s
result If both are the same, it’s 0, if not it’s 1
Substitution, how it’s done and what does it provide
replaces characters in plain text with cipher text, provides confusion
Permutation
provides diffusion by rearranging characters in plain text into the cipher text
Symmetric Encryption Ciphers mnemonic
3-hole Is Anything But Trusted Frantically Reverse Run Right (3DES, IDEA, AES, Blowfish, Twofish, Feistel, RC4, RC5, RC6)
Assymetric Encryption mnemonic
Rugged Defensive Ends Easily Destroy Kickers (RSA, DSA, ECC, EG, DH, K)
3DES, distinguished from DES by what?, what to know about it’s current usefulness
DES with 3 keymodes only K1 is considered secure (until 2030)
IDEA, what does it mean, block size, key size, secure or not, open source or not
International Data Encryption Algorithm
IDEA
I was born in 64, hope to Die before 128, Essentially secure, As expected it’s proprietary
64 bit block size
128 bit key,
(still secure but proprietary)
AES,5 characteristics (2 tech used, open vs. closed source, 2 crypto methods used)
Advanced Encryption Standard
A ROTS
AddRoundKey,
Rijndael,
Open source,
Transposition,
Substitution
Blowfish type of cipher, uses what, block size(s), key length(s), secure or not
block cipher,
uses Feistel,
64 bit blocks,
32 - 448 bit key lengths,
NOT SECURE
Twofish, block size(s), key length(s)
similar to Blowfish but 128 bit blocks, key lengtsh of 128, 192, 256
Feistel cipher, overview of how it works (4 steps)
splits plaintext into left and right halves,
righ half doesn’t change but is XOR’d with a subkey,
then XOR’s it again with the left block,
recipient reversed XOR order
RC4, cipher type, key lengths, used by (4), secure or not?
stream cipher
40-2048 bit key lengths -
used by WEP/WPA/SSL/TLS
NOT SECURE
RC5,cipher type, uses what cryptographic algorithm, block size(s), key length(s), secure or not secure and under what condition(s)
Rivest Cipher
remember key length similar to RC4 but with basic block sizes of 32,64,128
R for Roblox, 5 is for 5 lines need to remember below
block cipher (Roblox)
uses Feistel,
32/64/128 bit blocks,
key length 0-2040 bits
secure if high number blocks / keys
RC6, distinguished from RC5 how?, block size, key lengths, current status
based on RC5 but meets AES requirements,
128 bit blocks,
128, 192, 256 bit key lengths,
secure, but not widely used
RSA, cypher type, keys generated by…, key sizes, provides what services (4), common use
Rivest Shamir Adleman,
RSA
block cipher, (Roblox)
new keypair using very large prime numbers, (Supersized prime number keys)
1094-4096 bit keys ( of Amount)
services
authentication, key encryption, digital signatures, encryption
uses
AES symmetric encryption
DH, used for, earliest …, after keys are established…
Diffie-Helman,
key exchange,
earliest to allow unknown parties to establish shared key,
after keys established, can be used for later encryption
ECC, what is it, open source or proprietary?, 2 advantages
Elliptic Curve Cryptography,
logarithms applied to elliptical curves,
proprietary,
256 bit ECC key is as strong as 3072 bit RSA key,
power efficient
EG, what does it mean, based on, used in 2 technologies
EIGamal,
based on DH,
used in GNU Privacy guard and PGP
DSA, what does it mean, uses different what than RSA, provides same or different level of security as RSA, … … key gen, variant of what
Digital Signature Algo,
uses different algo for signing and encryption than RSA, provides same level of security,
2 phase key gen,
variant of EIGamal
K, what does it mean, type of encryption, use of public / private keys, secure or not
KOPP”N
Knapsack,
one-way,
public key for encryption,
private key for decryption,
NOT SECURE
Hash Algorithms mnemonic
Menacing Middle Stops Small Speedy Halfbacks Reversing Run (MD5, MD6, SHA1, SHA2, SHA3, HAVAL, RIPEMD, RIPEMD160)
MD5, length, current status
128 bit fixed length has value
widely used but
can create collisions (2 different data can equal the same hash)
MD6
withdrawn due to flaws
SHA1, what is it, hash value, current status
Secure Hashing Algo,
160bit hash value,
weak collision avoidance,
still used alot
SHA2
Secure Hashing Algo, newer and collision resistant, used some
SHA3
Secure Hashing Algo, newest, not used much yet
HAVAL, what does it mean, length(s), current status
Hash of Variable Length,
MD length is variable 128/169/192/224/256 bits,
not widely used
RIPEMD
developed outside of defense to ensure no government backdoors,
NOT SECURE
RIPEMD160
fixed RIPEMD but not widely used, secure
key stretching, what is it, what does it use, helps thwart 2 types of attacks
A technique used to increase the strength of stored passwords. it adds additional bits (called salts) and can help thwart brute force and rainbow table attacks.
MAC, what does it mean, what kind of function, provides 2 forms of protection
Message Authentication Code
hash function
provides integrity, authenticity
PGP, what does it mean, what 2 security concepts does it provide at base level and what additional concepts (3) can be provided
Pretty Good Privace
provides privacy, authentication,
can also provide confidentiality, integrity, and non-repudiation
PGP used for 4 things and uses what
used for file, directory & whole disk encryption,
email,
uses Web of Trust model (if you trust me you trust those I trust)
S/MIME, is an IETF standard that provides … … for … …
uses … to … and … email
S/MIME is an IETF standard that provides cryptographic security for electronic messaging
uses PKI to encrypt and authenticate email
TCP/IP - PDU - OSI mapped
[LLITA,BFPSD] Large Lineman Interrupt Tackling Attempts, But Freaky Passers See Downfield
TCP/IP / PDU / OSI
Link & Physical / Bits / (OSI 1)
Link & Physical / Frames / (OSI 2)
Internetwork / Packets / (OSI 3)
Transport / Segments / (OSI 4)
Application / Data / (OSI 5-7)
IPv4 Header
Very Intelligent Quarterbacks Identify Top Pass Catchers Strethcing Defense Out
Version
IHL/IP Header Length
QoS
ID/Flags/Offset for fragmentation
TTL
Protocol number
Checksum
Source address
Destination address
Options
IPv6 Header
Vicious Tacklers Frighten Passers Needing To Score Deep
Version
Traffic class/ Priority
Flow label (QoS)
Payload length
Next header
TTL
Source address
Destination address
EDRM process (9 steps)
Internet-Games Involve People Chanting Pretentious R A P P
(Electronic Discovery Reference Model)
Information Governance
Identification
Preservation
Collection
Processing
Review
Analysis
Production
Presentation
Change Management Process steps (9)
In Practice All Players Try Something Not In Playbook
IPA PT SNIP
Identify
Propose
Assess risk, impact
Provisional change approval
Test the change
Schedule the change
Notification of change
Implementation of change
Post implementation reporting
DRP Lifecycle (4 phases)
Planning Recovery Rarely Matters
Preparation
Response
Recovery
Mitigation
Developing BCP/DRP
P S B I R P I T T M
Project Initiation
Scoping Project
BIA (business impact analysis)
Identify Preventive Controls
Recovery Strategy
Plan Design
Implementation
Training
Testing
Maintenance
OWASP current Top 10
Best Coaches Intend Immediate Success Visionary Inspire Spur Stimulate Sacrifice
Broken Access Control
Cryptographic Failures
Injection
Insecure Design (new)
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures (new)
Security Logging and Monitoring Failures
Server-Side Request Forgery (new)
Agile Software Development Umbrella of Methodologies, Principles (12), how does it work (5)
Every Win For Competitive Teams Forces Players Subserviance to Coaches Superior Schemes with Confidence
Principles:
(FF PEWT CCC SSS)
1 Face to Face communication is best
2 Frequent delivery
3 Primary measure of progress is working software
4 Early continuous delivery
5 Welcome changes
6 Trusted individuals
7 Cooperation between business and developers
8 Continuous attention to good design
9 Continuous improvement
10 Self-organizing teams produce best results
11 Simplicity
12 Sustainable development at constant pace
How it works:
Agile does not deliver prototypes, but breaks product down to individual features and features are continuously delivered
does not follow rigid processes, but focuses on getting the product finished faster
focus on user stories,
small incremental deliveries
less documentation, more focus on delivering right software
Extreme Programming Characteristics (8), relation to Scrum, result
(PU CAFFE) - only somebody EXTREMEly stupid would eat at the pu caffe)
Pair programming (continuous code reviewing, or taking code reviews to the EXTREME)
Unit testing
Code clarity and simplicity
Avoidance of features until they are needed
Flat management
Frequent communication between dev and bus
Expecting changes as problem is better understood
“take away regularity of scrum and add alot of code reviewig you get Extreme Programming”
Results in less errors, better code
Spiral Model phases, what does angular aspect represent, what does diameter of spiral represent
PREE
Planning
Risk Analysis
Engineering
Evaluation
angular aspect is progress
diameter of spiral is cost
Secure Coding Techniques (12)
VOMIT SCiEnCE DB
Validation Points
Obfuscation / Camouflage
Memory Management
Input Validation
Third Party Libraries and SDKs
Stored Procedures
Code Reuse / Dead Code
Encryption
Code Signing
Error and Exception Handling
Data Exposure (Applications)
Balancing Time and Quality
CSF
Cybersecurity Framework NIST
(I Protect Data Revealing Robberies)
Identify
Protect
Detect
Respond
Recover
RMF process
Risk Management Framework (RMF)
NIST 800-37 Steps
(Perilous Cases Start In An Angry Mob)
Prepare - establish context and priorities
Categorize - based on impact of loss
Select - set of controls for a system based on risk assessment
Implement - controls and describe how they fit
Assess - controls for propiety
Authorize - system of controls to determine if risk is acceptable / reasonable
Monitor - system and controls for changes
DRM Tools
[CAP]
Continuous Audit Trail
Automatic Expiration
Persistent Online Authentication
Symmetric Encryption Info
Name / Block Size / Key Size(s) / Secure or Insecure
3D DIRRRT CCARBS
3DES / 64 / 112,168 / S
DES / 64 / 56 / I
IDEA (used in PGP) / 64 /128 / S
RC4 (Rivest Cipher) / N/A stream cipher / 40-2048 / I
RC5 / 32,64,128 / 0-2040 / S
RC6 / 128 / 128,192,256 / S
Twofish / 128 / 1-256 / S
CAST-128 / 128 / 40-128 / S
CAST-256 / 128 / 128,160,192,224,256 / S
AES / 128 / 128,192,256 / S
Rijndael / variable / 128,192,256 / S
Blowfish / 64 / 32-448 / I
Skipjack / 64 / 80 / S
Hashing algorithm info
Name / Hash value length(s) / Secure or Insecure
MRS S2and3 H H
MD 5or6 / 128 / 5-I, 6-S
RIPEMD / 128,160,256,320 / 128 I, other S
SHA1 / 160 / I
SHA 2or3 / 224,256,384,512 / S
HAVAL / 128,160,192,224,256 / S
HMAC / variable / S
Supported Digital Signature Standards
NIST
DSA (FIPS 186-4)
RSA (ANSI x9.31)
ECDSA (ANSI x9.62)
Authorizing Official Decisions (RMF)
[ACAD]
ATO authorization to operate
CCA common control authorization - used for inheritance when risk is acceptable
ATU authorization to use - used when third party providers servers are acceptable risks or for reciprocity of another AO’s ATO
DOA denial of authoriztion
ARP poisoning
uses unsolicited replies
NAC
has a subset which is port-based (802.1X)
Rule Based Access Control
uses global rules applied to all users equally
Heirarchical MAC
grants access using predefined labels for specific labels
MAC is based on a hierarchical model. The hierarchy is based on security level. All users are assigned a security or clearance level. All objects are assigned a security label. Users can only access resources that correspond to a security level equal to or lower than theirs in the hierarchy.
OIDC
uses JSON web tokens
provides authentication and profile information for internet SSO,
it is built on OAuth 2.0 framework
goal of DRP
restore normal business activity in the case of a disaster event
BCP focus
focused on keeping business functions uninterrupted
DRP purpose
guides an organization through recovery of normal operations at the primary facility affected by disaster
Kerberos Process
The Kerberos protocol flow involves three secret keys: client/user hash, TGS secret key, and SS secret key. The basic protocol flow steps are as follows:
C K C C K C T
Step 1: Initial client authentication request: The user asks for a Ticket Granting Ticket (TGT) from the authentication server (AS). This request includes the client ID.
Step 2: KDC verifies the client’s credentials. The AS checks the database for the client and TGS’s availability. If the AS finds both values, it generates a client/user secret key, employing the user’s password hash.
The AS then computes the TGS secret key and creates a session key (SK1) encrypted by the client/user secret key. The AS then generates a TGT containing the client ID, client network address, timestamp, lifetime, and SK1. The TGS secret key then encrypts the ticket.
Step 3: The client decrypts the message. The client uses the client/user secret key to decrypt the message and extract the SK1 and TGT, generating the authenticator that validates the client’s TGS.
Step 4: The client uses TGT to request access. The client requests a ticket from the server offering the service by sending the extracted TGT and the created authenticator to TGS.
Step 5: The KDC creates a ticket for the file server. The TGS then uses the TGS secret key to decrypt the TGT received from the client and extracts the SK1. The TGS decrypts the authenticator and checks to see if it matches the client ID and client network address. The TGS also uses the extracted timestamp to make sure the TGT hasn’t expired.
If the process conducts all the checks successfully, then the KDC generates a service session key (SK2) that is shared between the client and the target server.
Finally, the KDC creates a service ticket that includes the client id, client network address, timestamp, and SK2. This ticket is then encrypted with the server’s secret key obtained from the db. The client receives a message containing the service ticket and the SK2, all encrypted with SK1.
Step 6: The client uses the file ticket to authenticate. The client decrypts the message using SK1 and extracts SK2. This process generates a new authenticator containing the client network address, client ID, and timestamp, encrypted with SK2, and sends it and the service ticket to the target server.
Step 7: The target server receives decryption and authentication. The target server uses the server’s secret key to decrypt the service ticket and extract the SK2. The server uses SK2 to decrypt the authenticator, performing checks to make sure the client ID and client network address from the authenticator and the service ticket match. The server also checks the service ticket to see if it’s expired.
Once the checks are met, the target server sends the client a message verifying that the client and the server have authenticated each other. The user can now engage in a secure session.
Kerberoasting
a post-exploitation attack technique that attempts to obtain a password hash of an Active Directory account that has a Service Principal Name (“SPN”).
In such an attack, an authenticated domain user requests a Kerberos ticket for an SPN.
Prevention: HER G (Hygiene, Extraction, Restrict, Governance)
Practice good password hygiene for service accounts
Use long passwords (at least 25 characters) for service accounts Regularly rotate passwords every 30 days Implement group managed service accounts (gMSAs) or third-party solutions for automated password management
Institute proper governance for service accounts
Keep track of service accounts and their usage Enforce the principle of least privilege for all service accounts Follow NIST guidelines for password security, prioritizing password length over complexity and avoiding frequent password changes
Restrict access to the KRBTGT account password
Limit access to the KRBTGT password hash to minimize vulnerability to Golden Ticket attacks Identify accounts with rights to extract password hashes and remove unnecessary permissions Regularly change the KRBTGT password to invalidate any existing Golden Tickets Use Microsoft’s KRBTGT account password reset script every 180 days
Prevent the extraction of service accounts
Create an inventory of all service accounts and their details Maintain documentation for when accounts should be reviewed, deactivated, or deleted Grant minimum privileges necessary for each service account Change default passwords of service accounts Use automated password management solutions to regularly rotate passwords Use separate accounts for different services Avoid using the same password for multiple service accounts Promptly decommission service accounts that are no longer needed Use tools to detect and manage inactive service accounts Monitor service accounts for suspicious activity Use a real-time auditing solution with machine learning for anomaly detection and response
Kerberos User Enumeration
brute-force attack on Kerberos
has a distinct advantage over attacks on other authentication methods: no domain account is required to perform the attack, just a connection to the KDC
there is a u in both enumeration and brute force and unrealistic
solution: detect unrealistic amounts of AS-REQ requests without follow-up requests
AS-REP Roasting
attackers steal encrypted parts of a AS_REP message from user accounts in order to then crack them offline
AS-REP ends with P and preauthentication starts with P
solution: make sure all accounts in your domain have the Kerberos pre-authentication enabled
Golden Ticket Attack
A golden ticket in Active Directory — much like its namesake for Willy Wonka’s chocolate factory — grants the bearer unlimited access. A Golden Ticket attack abuses the Kerberos protocol, which depends on the use of shared secrets to encrypt and sign messages.
P. L. Kurl is an oomploompa
solution: PLKURL
Protect against phishing attacks by training staff to identify suspicious emails and avoid sharing credentials.
Limit user privileges to necessary roles and only use admin accounts for administrative tasks.
Keep operating systems updated and disable plain text password storage in Active Directory to prevent Mimikatz-style attacks.
Use a real-time auditing solution to respond to failed login attempts with custom scripts to disable accounts, stop processes, change firewall settings, or shut down servers to prevent brute force attacks.
Regularly change the password for the KRBTGT user, doing it twice around 12-24 hours apart to avoid service disruptions.
Look for signs of a Golden Ticket attack, such as nonexistent usernames, username and RID mismatches, modified group memberships, weaker encryption types, and ticket lifetimes exceeding the domain maximum.
Incipient Fire Detectors
Can detect fire at incipient stage using air ionization detection
SHA2 aka
SHA256
preaction fire suppression system
activates in two steps. The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.
grid computing most significant risk
an isolation breach in the distributed computing client could be catastrophic, allowing someone who compromises the controller to assume control of every device in the organization
Multistate systems definition
Multistate systems are certified to handle data from different security classifications simultaneously by implementing protection mechanisms that segregate data appropriately.
Accreditation definition
Accreditation is the act of management formally accepting an evaluating system, not evaluating the system itself.
TEMPEST program
The TEMPEST program creates technology that is not susceptible to Van Eck phreaking attacks because it reduces or suppresses natural electromagnetic emanations.
Mimikatz tool
The use of the Mimikatz tool is indicative of an attempt to capture user password hashes for use in a pass-the-hash attack against Microsoft Active Directory accounts.
zero-knowledge proof
In a zero-knowledge proof, one individual demonstrates to another that they can achieve a result that requires sensitive information without actually disclosing the sensitive information.
Secure VOIP practices and what is usually not used
patching / updates
authentication implementation
disable unnecessary ports and services
a dedicated VLAN for VoIP devices to help separate them from other networked devices
the use of SIPS and SRTP, both secure protocols that will keep VoIP traffic encrypted
IPS for VoIP is not a typical deployment in most organizations
AIO book conflicts and says to use IDS / IPS
Best Authentication out of EAP, LEAP, PEAP and EAP-TLS without complexity
PEAP is the best solution. It encapsulates EAP in a TLS tunnel, providing strong encryption.
EAP is not protected
LEAP is a Cisco proprietary protocol that was originally designed to help deal with problems in WEP. LEAP’s protections have been defeated, making it a poor choice.
EAP-TLS is secure but requires client certificates, making it difficult to deploy and manage.
Securing collaboration platforms
Most modern platforms support TLS for best user experience and sufficient security
best option for providing free wireless to customers without need for accounts / passwords
WPA3 SAE (simultaneous authentication of equals) is new and best, if need to worry about older devices, WPA2 PSK should be used
OSI layer for ARP and RARP
ARP and RARP operate at the Data Link layer
JPEG, ASCII, and MIDI OSI Layer
6 Presentation
SDWAN advantages
PCS
predefined rules to optimize performance
continuous monitoring to support better performance
self-learning techniques to respond to changes in the network
802.1x authentication type and can be used with, supported by
port based authentication (can be used on both wired and wireless)
can be used with EAP technologies
supported by 802.1AE, 802.1AR, 801.1AF
SIPS
ensures that his VoIP session initialization is secure
WPA2 CCMB basis
based on AES
zigbee encryption method
uses AES
captive portal function and implication
combine the ability to gather data from customers with an open network, so customer data will not be encrypted.
This avoids the need to distribute network passwords but means that customers must ensure their own traffic is encrypted if they are worried about security.
biggest challenge most common for EDR / endpoint security system deployments
Endpoint security solutions face challenges due to the sheer volume of data that they can create
CAM table flooding symptom and prevention
large numbers of MAC addresses being used on a single port
prevented by using port security on switch
pre-admit NAC definition
will test systems before they are allowed on the network
post-admit NAC
tests after clients are already on the network
clientless NAC used when
useful for when not possible to install a client
client based NAC advantage
can determine more about a system than a clientless model can
primary security concern using SMS as MFA
SMS messages are not encrypted by default
security concerns using SMS
MESS
can be received by More than one phone,
messages are not Encrypted
messages can be Spoofed,
messages are typically Stored on the recipient’s phone
most common VPN protocols (5)
PPTP,
L2F,
L2TP,
IPsec
TLS
4G LTE security capabilities (3)
encryption
device-based authentication (for example, using certificates)
SIM-based authentication
SCADA Devices over TCP/IP networks
SCADA was never designed for an open network like TCP/IP, should have their own network
CCMP associated with what wireless authentication
included in the WPA2 standard
Infrastructure mode wireless router
connects endpoints to a central network
standalone mode of wireless router
connects clients using a wireless access point but not to wired resources like a central network
ad hoc mode
directly connects two clients
wired extension mode
uses a wireless access point to link wireless clients to a wired network
Number of Tiers in Firewall
is equal to number of zones protected behind the firewall
cross-site scripting attacks defenses
An intrusion protection system can scan traffic and stop both known and unknown attacks.
A web application firewall, or WAF, is also a suitable technology
3 multi-layer protocol drawbacks
Filters and Rules can be Bypassed
network Segment boundaries can be bypassed
Covert channels
device used for assignment of endpoint systems to VLANs
normally done on switch
ECPA
Electronic Communications Privacy Act of 1986
The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.
requires approvals for wiretaps, etc.
CALEA
Communications Assistance for Law Enforcement Act (1979)
requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order
Privacy Act
Electronic Communications Privacy Act of 1986 (ECPA)
The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.
HITECH Act
promote the adoption and meaningful use of health information technology through funding.
FISMA, what it defines as basic drivers for security
Federal Information Security Management Act (FISMA) was originally passed in 2002 as part of the Electronic Government Act. FISMA defines a framework of guidelines and security standards to protect government information and operations.
Defines CIA triad
PCI DSS, what it is and who it applies to
The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.
Not enforced by gov entity
PCI DSS controls cover any business that:
Processes digital transactions and payments using cards. Stores credit card data. Transmits cardholder information to another entity. Has contact with protected cardholder data.
If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
BCP Team Roles / Members (12)
HeLPS IT COMMAnD (e,n not used)
Human Resources
e
Legal Affairs
Procurement - Equipment and Supplies
Security
IT members from each major area
Transportation & Relocation
Crisis Management
Operations Assessment
Management
Media Relations
Administrative Support
n
Damage Assessment
Company Acquisition Concerns for Security (3)
DIC
Documentation of security policies
Integration of security tools
Consolidation of security functions
civil case evidence requirement
prepoderance of evidence
criminal case evidence requirement
beyond a reasonable doubt
internal case evidence requirement
none, but should develop a standard for the organization based on needs
list of supply chain risks (6)
NIST 800-53
TPC VCS
- Third party service providers or vendors – from janitorial services to software engineering -‐-‐ with physical or virtual access to information systems, software code, or IP.
- poor Information security practices by lower-‐tier suppliers.
- Compromised software or hardware purchased from suppliers.
- software security Vulnerabilities in supply chain management or supplier systems.
- Counterfeit hardware or hardware with embedded malware.
- Third party data Storage or data aggregators.
examples from practice tests:
adversary tampering with hardware prior to shipment to end customer
adversary using social engineering to compromise an employee of SaaS vendor to gain access to customer accounts
who should receive BCP training
everyone
FERPA
Family Educational Rights and Privacy Act (FERPA, 1974)
The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI)
Prudent Man Rule, who it applies to, what it means, originally applied to, but also now applies to
requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied them to information security matters in the United States in 1991.
Due Care
The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard.
prudent actions
applicable to everyone
due diligence
The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner
data gathering
usually applicable to leaders, laws and regulations
FISMA, what it is, who it applies to, what it defines, what it requires
The U.S. Federal Information Security Management Act (FISMA) applies to federal government agencies and contractors.
Defines a framework of guidelines and security standards to protect government information and operations.
FISMA requires all federal agencies to develop, document and implement agency-wide information security programs.
GDPR compliance / business partners
The European Union provides standard contractual clauses that may be used to facilitate data transfer.
GDPR compliance / internal to entity
If the data were being shared internally within a company, binding corporate rules would also be an option.
EU/U.S. Privacy Shield
The EU/U.S. Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but is no longer valid.
NCA / NDA
usually signed at start of employment not at termination
SOX
Sarbanes Oxley put strict reforms into place to improve financial disclosures and prevent fraudulent accounting practices
requires the following committees within board of directors must be only outside (independent) directors (non-employees)
watermark
used to digitally label data and can be used to indicate ownership, as well as to assist a digital rights management (DRM) system in identifying data that should be protected
metadata
used to label data and might help a data loss prevention system flag it before it leaves your organizatio
minimum email security requirements
Encrypting and labeling sensitive email will ensure that it remains confidential and can be identified.
NIST SP 800-88 / Validation
Validation processes are conducted to ensure that the sanitization process was completed, avoiding data remanence
COBIT / who most likely to use
Business owners have to balance the need to provide value with regulatory, security, and other requirements.
Data Owners responsibilities
Co Cla Set AS IS
Control Selection
Classifying the Data
Sets the Rules for use and protection of data
assisting with or Advising the System owners on security requirements
data owners are likely to ask that those responsible for control selection to Identify a Standard to use
Data processors
Data processors are required to perform specific actions under regulations like the EU GDPR.
data stewards
are internal roles that oversee how data is used.
EOS
company is intentionally ending support and needs to address what happens to the devices next—secure disposal, destruction, or re-sale—depending on data security requirements and policies set by the company
EOL
when a device or software is no longer made or supported, in contrast to end of support, which may be when it is no longer serviced, including via patches, upgrades, or organizational maintenance
Tokenization
replaces data in a database field with a randomized string of characters that remains the same for each instance of that data
Anonymization
removes all personally identifiable data to ensure that the original subject cannot be identified
Data masking results
obscures some, but not all, data
Pseudonymization
uses a pseudonym or alias to replace other information
system owner security responsibilities
PIIT
develops system security Plan
Id’s and Implements security controls
ensures system users receive appropriate security Training
Sensitive data scanning tools purpose
designed to scan for and flag sensitive data types using known formatting and structure
most difficult location to protect data
memory, as it can’t be encrypted
best method to sanitize a solid-state drive
disintegration
grid computing most significant risk
Isolation breach, an isolation breach in the distributed computing client could be catastrophic, allowing someone who compromises the controller to assume control of every device in the organization
Mimikatz tool
used in pass the has attacks for AD accounts
split knowledge proof
A process by which a cryptographic key is split into multiple key components, individually sharing no knowledge of the original key, which can be subsequently input into, or output from, a cryptographic module by separate entities and combined to recreate the original cryptographic key.
zero knowledge proof
A cryptographic scheme where a prover is able to convince a verifier that a statement is true, without providing any more information than that single bit (that is, that the statement is true rather than false).
logical proof
an argument that establishes the validity of a proposition. Although proofs may be based on inductive logic, in general the term proof connotes a rigorous deduction.
mathematical proof
the logical way in which mathematicians demonstrate that a statement is true
SaaS
Software as a service (SaaS) allows users to connect to and use cloud-based apps over the Internet.
PaaS
Platform as a service. Platform as a service (PaaS) is a complete development and deployment environment in the cloud
IaaS
Infrastructure as a Service (IaaS) is a business model that delivers IT infrastructure like compute, storage, and network resources on a pay-as-you-go basis over the internet.
CaaS
Containers as a service (CaaS) is a cloud service that allows software developers and IT departments to upload, organize, run, scale, manage and stop containers by using container-based virtualization. A CaaS provider will commonly provide a framework which allows users to make use of the service.
Reduced cost – Using CaaS allows an organisation to pay for only the services used, such as load balancing, scheduling and compute instances. CaaS can also help clients reduce infrastructure, software licensing and operating costs.
OAuth2, what is it, provides…, focus on….
protocol
provides the ability to access resources from another service,
focus on authorization - you’ve never signed up before
OIDC what is it, what is it used for and how it works, entities, 3 flows
OpenID Connect
standard to allow the use of an account from another service with an application,
builds on oauth2 and adds authentication
uses JSON Web Tokens (JWT)
entitiies:
relying party (target of access)
IdP (identity provider)
flows:
authorization code flow - request -> IdP -> authorization token -> use consent request -> authorization code -> ID token *preferred and more secure
implicit flow - relying party request includes scope values *good for javascript or other serverless / browser-based request, less secure because ID token can be manipulated by user
hybrid flow (combo of two above)
2 techniques for session management for web application
cookies
URL rewriting
HSM, what is it, what 3 advantages, often required for what
Hardware Security Modules
the most secure way to store keys associated with a CMS
provides enhanced key management capabilities
In addition to these advantages, an HSM can improve cryptographic performance for the organization due to dedicated hardware designed for just that purpose
are often required to be FIPS certified.
sodoers file
lists the specific users who can use sudo
lists the commands or directories that are allowed for them
RADIUS default vs more secure implementation
implement RADIUS over TCP using TLS (UDP is default and does not support TLS)
time and location requirements and accountability
do not impact accountability
TBAC
Task-based access control, lists tasks for users
OAuth use
log in to third-party websites using existing credentials
SAML,
what does it mean,
it’s a standardized way to…,
it enables…,
primary role in online security is…
used to make what 2 kinds of data
Security Assertion Markup Language
Standardized way to tell external applications and services that a user is who they say they are. (SAM is who he says he is)
SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications (Sam can use SSO)
primary role in online security is that it enables you to access multiple web applications using one set of login credentials (Sam uses SSO to sign on many places with one credential set)
used to make authorization and authentication data
Google’s identity integration is a type of what? Why?
is a federation and not just SSO as it goes beyond simple SSO
most important step to take to prevent privilege escalation with service accounts
ensuring the account has only the access required
XSS attack, what is it, how to prevent
Cross site scripting
malware script in site (e.g. bulletin board) which is hidden but can be unintentionally run by others who access the site
use script tags to prevent
CSRF,what is it, how does it work, how is prevented
Cross site request forgery,
an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user.
use session tokens / keys to prevent
XACML,what is it (2 items) and what is it used for (3 items), 2 elements
eXtensible Access Control Markup Language and a processing model
used to describe access controls,
a means to send an individual’s authentication information in a standard format (password, key or certificate),
can also be used to enforce policies
elements:
subject element
resources element
action element
SPML,what is it and what does it allow, 3 entities
service provisioning markup language
allow platforms to generate and respond to provisioning requests
entities:
RA - requesting authority
PSP - provisioning service provider (software)
PST - provisioning service target
SOAP,what is it, how is it used, what is required for it to be used, components
simple object access protocol
used for the exchange of information in decentralized, distributed application environments using XML over HTTP
can transmit SOAP messages in any way that the applications require, as long as both the client and the server use the same method.
components:
message envelope - defines the messages allowed and how they will be processed by recipient
encoding rules used to define data types
conventions for remote procedures / how to interpret responses
best way to prevent horizontal privilege escalation
MFA
CAS
Central Authentication Services is an SSO implementation
Kerberos and SSO
Kerberos is not an SSO implementation, but can be used as an SSO technology enabling component
best way to address concerns about third parties that control SSO redirects
awareness training
which identity provider is used in a Federated Indentity provider
home organization of user
password requirement with highest impact of preventing brute force attacks
password length
Yubikey, Titan Security Key is what type of Type 2 authentication factor
token, something you have
PIV
PIV cards are used government-wide to control access to Federally Controlled Facilities and information systems at the appropriate security level.
personal identity verification is a full multifactor authentication solution and is not a device
MAC subjects and objects
all subjects and objects have a label
session guessing prevention (key length and assignment of keys)
prevented by using 128 bit or greater session ID’s and session entropy (randomness)
session entropy
randomness
what algorithm protects user names and password in Kerberos
AES
Type 2 error
false positive
Type 1 error
false negative
FRR
False Rejection Rate / False negative
FAR
False acceptance rate / false positive
CER
cross over error rate, where FRR = FAR
aka EER (equal error rate)
lower numbers indicate more accurate
Nmap default scan weakness
only covers 1000 ports out of 65K
errors showing users information about code (e.g. directory and file info) indicates what issue
lack of proper exception handling
in penetration testing, what typically follows additional tool installation
gaining access
Windows and syslog
Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool.
API’s usually are not responsible for
encryption
regression testing is intended to uncover
new bugs introduced by patches or configuration changes
web application vulnerability scanners examples
Nikto, Burp Suite, and Wapiti
use case testing is used to…
used to verify whether a desired functionality works
misuse case testing
focuses on behaviors that are not what the organization desires or that are counter to the proper function of a system or application
dynamic testing
used to determine how code handles variables that change over time
cost of downtime for BIA
total cost of downtime includes:
TDC = BL + RTC + WL
BL(business lost) = business lost during outage $/hour
RTC(recovery time cost) = number of personnel hours worked to recover from outge X recovery time
WL(wages lost) = average wage per hour X total downtime
software testing covers which interfaces
API’s, UI’s and physical interfaces
software testing doesn’t cover which interfaces
network
TCP connect scan used when
When a tester does not have raw packet creation privileges, such as when they do not have escalated privileges on a compromised host
TCP SYN scans requirement
require elevated privileges on most Linux systems due to the need to write raw packets
NIST 800-12
introduction to computer security
NIST contingency planning steps (7)
contingency planning
as a contingency, Please Buy Personal Self Care Toiletries Mama
- develop Policy
- BIA
- identify Preventive controls
- create contingency Strategies
- develop information system Contingency plan
- Testing and training
- plan Maintenance
NIST 800-86
Guide to Integrating Forensic Techniques into Incident Response
NIST 800-53A
Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans - covers methods for assessing and measuring controls
RFC 1918
nonroutable IP addresses (internal IP addresses)
BAS
Breach and Attack Simulation
systems that combine red team (attack) and blue team (defense) techniques together with automation to simulate advanced persistent threats and other advanced threat actors when run against your environment
red team
A red team is a group that pretends to be an enemy, attempts a physical or digital intrusion against an organization at the direction of that organization, then reports back so that the organization can improve their defenses. Red teams work for the organization or are hired by the organization.
blue team
A blue team is a group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and to make certain all security measures will continue to be effective after implementation.
SOAR, definition, goal, capability
Security Orchestration, Automation, and Response.
SOAR seeks to alleviate the strain on IT teams by incorporating automated responses to a variety of events.
A SOAR system can also be programmed to custom-fit an organization’s needs.
purple team
A purple team is a group of cyber security professionals who simulate malicious attacks and penetration testing in order to identify security vulnerabilities and recommend remediation strategies for an organization’s IT infrastructure. The term is derived from the color purple, which symbolizes the combination of both red and blue teams.
RUM,what is it and what is it used for
Real User Monitoring
a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior
RUM is often used as part of a predeployment process using the actual user interface
SOC 1, type of reporting and audience
financial reporting (internal)
SOC 2 type of report with what audience
security (internal)
Type I audit
only cover a single point in time and are based upon management descriptions of controls
Type II Audit
cover a period of time and do include an assessment of operating effectiveness
SSAE 18 SOC Compliance report
Statement on Standards for Attestation Engagements no. 18 (SSAE 18),
is an auditing standard for service organizations.
It is required by many industries and organization for vendors that provide them services.
The examinations and audits of these Standards are known as SOC reports.
SOC 3 report
intended for distribution to third parties
include the auditor’s opinions and management assertions, along with information about the service organization.
SOC3 reports are specifically intended for external release
CI/CD pipeline, what does it mean, what is it, what is the goal of CI/CD pipeline
continuous integration and continuous deployment
A continuous integration and continuous deployment (CI/CD) pipeline is a series of steps that must be performed in order to deliver a new version of software.
CI/CD pipelines are a practice focused on improving software delivery throughout the software development life cycle via automation.
SCAP, meaning, use and individual specifications
Security Content Automation Protocol
A suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. Note: There are six individual specifications incorporated into SCAP:
VCP VSOX
CVE (common vulnerabilities and exposures);
CCE (common configuration enumeration);
CPE (common platform enumeration);
CVSS (common vulnerability scoring system);
OVAL (open vulnerability assessment language); and
XCCDF (eXtensible configuration checklist description format).
XCCDF, what does it mean, what is it used for, what is used by
The Extensible Configuration Checklist Description Format (XCCDF) is used to create security checklists in a standardized fashion.
Used in vulnerability scanning
CVE
The Common Vulnerabilities and Exposures (CVE) database provides a consistent reference for identifying security vulnerabilities.
SCE, what does it mean, what is it designed to do
The Script Check Engine (SCE) is designed to make scripts interoperable with security policy definitions.
OVAL
The Open Vulnerability and Assessment Language (OVAL) is used to describe the security condition of a system.
test coverage report, measures what, used for
measures how many of the test cases have been completed and is used as a way to provide test metrics when using test cases
code coverage report
covers how much of the code has been tested
line coverage report
type of code coverage report covers how many lines of code were tested
synthetic monitoring
uses simulated or recorded traffic and thus can be used to proactively identify problems
can be used to detect functionality issues
passive monitoring, limitation and use
works only after issues have occurred because it requires actual traffic
can be used to detect functionality issues
branch coverage
verifies that every if statement was executed under all if and else conditions
Statement coverage
verify that every line of code was executed during the test
Condition coverage
verifies that every logical test in the code was executed under all sets of inputs
Function coverage
verifies that every function in the code was called and returns results
ITIL and auditing
ITIL, which originally stood for IT Infrastructure Library, is a set of practices for IT service management and is not typically used for auditing.
Pair programming, description, is what type of development technique which comes from what other type of technique,
Pair programming is an Agile software development technique originating from Extreme programming (XP) in which two developers team together on one computer. The two people work together to design, code and test user stories.
FCRP
Federal Rules of Civil Procedure
PMBOK
The Project Management Body of Knowledge (PMBOK) provides a common core of project management expertise.
TOGAF
The Open Group Architecture Framework (TOGAF) focuses on IT architecture issues.
Can be used for the following types:
Business Architecture
Data Architecture
Application Architecture
Technology Architecture
uses Architecture Development Method (ADM)
UEBA meaning and purpose
User and entity behavior analytics (UEBA) solutions focus on the user
uses algorithms and machine learning to detect anomalies in the behavior of not only the users in a corporate network but also the routers, servers, and endpoints in that network.
good tool for detecting malicious insiders and compromised accounts
EDR
Endpoint detection and response (EDR) systems focus on endpoint devices.
differential backups
all files changed since last full backup are copied even if copied in backups prior to current backup / archive bit is not changed / requires only the last differential backup + full backup during restoration
Reformatting
does not remove remnant data
electronic vaulting
automated technology moves database backups from the primary database server to a remote site on a scheduled basis
Remote mirroring
maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site
least privilege
The principle of least privilege says that an individual should only have the privileges necessary to complete their job functions.
Least privilege is a result of invoking need to know restrictions
CSIRT,meaning and members
cybersecurity incident response team
members -
core:
CISO
Director of Security Ops
IR Team lead
Cybersecurity Analyst
IT support
Threat Intelligence Analyst
extended:
HR
Legal counsel
PR
Business Unit Lead
minimum:
(e lips)
engineering/technical staff
legal representatives,
information security professionals,
public affairs staff, and
senior management,
security incident
Any attempt to undermine the security of an organization or violation of a security policy
best encryption key protection
two-person control is best
mitigation phase of incident response
The mitigation phase of incident response focuses on actions that can contain the damage incurred during an incident. This includes limiting the scope and or effectiveness of the incident.
response phase of incident response
The response phase includes steps taken to assemble a team and triage the incident.
Entitlement
Entitlement refers to the privileges granted to users when an account is first provisioned.
Tower of Hanoi description, algorithm, purpose
Tower of Hanoi consists of three pegs or towers with n disks placed one over the other. The objective of the puzzle is to move the stack to another peg following these simple rules. Only one disk can be moved at a time. No disk can be placed on top of the smaller disk
algorithm:
Move the top n-1 disks from the source peg to the helper peg. Afterward, move the nth disk from the source peg to the destination peg. Finally, move the rest n-1 disks from the helper peg to the destination peg. (n= number of disks)
used to test problem solving ability
SCOM
System Center Operations Manager
in Windows, primarily used to monitor for health and performance
NIST SP 800-137
According to NIST SP 800-137, organizations should use the following factors to determine assessment and monitoring frequency:
VV WORMCORT
Volatility of security controls,
Vulnerability information,
Weaknesses identified in security controls,
Organizational risk tolerance,
Risk assessment Results,
Monitoring strategy review output,
Categorizations/impact levels for system security controls or specific assessments
Objects providing critical functions,
Reporting requirements.
Threat information,
Fagan Inspection
a process of trying to find defects in documents (such as source code or formal specifications) during various phases of the software development process
Threat Modeling Process Overview for applications
threat MOdeling prOcess Overview
threat MOdeling cOmmOnly involves:
Mooo at the dairy
DA IR y M AC (y not used)
Decomposing the Application to understand it and how it interacts with other components or users.
Identifying and Ranking threats allows you to focus on the threats that should be prioritized.
identifying how to Mitigate those threats finishes the process.
Once complete, an organization can take action to handle the threats that were identified with Appropriate Controls.
Sign of SQL injection
single quotation in input field
DAST,what is it and what is it used for
dynamic application security testing (DAST) is used to verify the correct implementation of code
How a NoSQL database stores data
allows to store data using a key-value store
graph database, type of db and how it works
another example of a NoSQL database, but it
uses nodes and edges to store data rather than keys and values
Release control
manages the deployment of code into production
SIEM does not
does not respond to findings
parameterization
used for constructing a db query, each parameter has a placeholder, which is then passed to the query
client side input validation and sql injection
doesn’t stop the attck because can be manipulated by user,
only server side input validation will prevent sql injection
CAB
change advisory board
Stages of Information Life Cycle (ILC)
C/R DUM D/S
Create / Receive
Distribute
Use
Maintain
Dispose / Store
or
ASU SAD
Acquisition
Storage
Use
Sharing
Archival
Disposal
ILC Create / Receive
records from their point of origination
ILC Distribute
moving the information once it has been created or received. This includes both internal and external distribution, as information that leaves an organization becomes a record of a transaction with others.
ILC, implication for data security
How we implement CIA triad over the data takes place after information is distributed internally, and can generate business decisions, document further actions, or serve other purposes
Security Modes List / criteria list
Modes:
D Size Cups Mama (DSCM or DiSHM)
Dedicated
System High
Compartmented
Multi-level
For Each Mode:
Nice Cans Face Nookie Ass (NCFNA or SCANU)
Signed NDA
Clearance
Formal Approval
Need to Know
All users
Dedicated Security Mode
Signed NDA All Data
Proper Clearance All Data
Formal Access Approval All Data
Valid Need to Know All Data
All users can access All Data
System High Security Mode
Signed NDA All Data
Proper Clearance All Data
Formal Access Approval All Data
Valid Need to Know Some Data
All users can access Some Data
Compartmented Security Mode
Signed NDA All Data
Proper Clearance All Data
Formal Access Approval Some Data
Valid Need to Know Some Data
All users can access Some Data
Multi-level Security Mode
Signed NDA All Data
Proper Clearance Some Data
Formal Access Approval Some Data
Valid Need to Know Some Data
All users can access Some Data
What are the protocol(s) of the Application Layer?
communication, file transfer, network management
POP3, SMTP, IMAP, SNMP, FTP, Telnet, HTTP, MIME, PGP (app), S/MIME (app), HTTPS (app), DNS, DHCP, NTP
POP3 - Post Office Protocol version 3
SMTP - Simple Mail Transfer Protocol
IMAP - Internet Message Access Protocol
SNMP - Simple Network Management Protocol
FTP - File Transfer Protocol
MIME - Multipurpose Internet Mail Extensions
HTTP - HyperText Transfer Protocol
PGP - Pretty Good Privacy
DNS - Domain Name Service
DHCP - Dynamic Host Configuration Protocol
NTP - Network Time Protocol
What are the protocol(s) of the Presentation Layer?
GIF, TIFF, JPG, MPEG, MIDI character encoding (ASCII, UNICODE, EBCDIC)
What are the protocols(s) of the Session Layer?
NetBIOS, NFS, PPTP, RPC, RTCP, SQL
(NNPRRS), PAP
NFS - UNIX stateless Network File System
NetBIOS - MS network basic input output system
PPTP - Point-to-Point Tunneling Protocol
RPC - Remote Procedure Call
RTCP - RTP (Real-time Transport Protocol) Control Protocol
SQL - Structured Query Language
PAP - Password Authentication Protocol
What are the protocols(s) of the Transport Layer?
TRANsport / TRANsmission control protocol (TCP)
TCP, UDP, SCTP, QUIC
TCP - Transmission Control Protocol
UDP - User Datagram Protocol
SCTP - Stream Control Transmission Protocol
QUIC
What are the protocols(s) of the Network Layer?
IP, RIP, ICMP, IGMP, OSPF
IP - Internet Protocol
RIP - Routing Information Protocol
ICMP - Internet Control Message Protocol
IGMP - Internet Group Management Protocol
OSPF - Open Shortest Path First
What are the protocols(s) of the Data Link Layer?
ARP, RARP, SLIP, PPP, L2TP, Ethernet, ISDN, Wi-Fi, FCoE
I SLAP a FEW (a not used)
ISDN - Internet Services for Digital Network
SLIP - Serial Line Internet Protocol
L2TP - Layer 2 Tunneling Protocol
ARP / RARP - (Reverse) Address Resolution Protocol
PPP - Point-to-Point Protocol
a
FCoE- Fiber Channel over Ethernet
Ethernet
Wi-Fi
What are the protocols(s) of the Physical Layer?
PCRAV
Pinouts, voltages, cables, antennas, radio waves
RS/EIA/TIA-422,423,449,485
10BaseX
ISDN - Integrated Services Digital Network
DSL - Digital Subscriber Line
SONET - Synchronous Optical Networking
What are the encryption(s) of the Transport Layer?
SSL2, SSL3, TLS (therefore the encryption in support of HTTPS, POP3S, FTPS)
SSL - Secure Socket Layer
TLS - Transport Layer Security
What are the encryption(s) of the Data Link Layer?
WEP, TKIP, CCMP
WEP - Wire Equivalent Privacy
TKIP - Temporal Key Integrity Protocol
CCMP - Counter-Mode/CBC-MAC Protocol
What are the encryption(s) of the Network layer?
IPSec Transport ESP
IPSec Tunnel ESP
(RC5, DES, AES)
What are the SW/HW of the Application Layer?
SW: Gateways and Proxies
What are the encryption(s) of the Presentation Layer?
SSH (therefore, the encryption in support of S-FTP, S-HTTP, PGP, S/MIME)
What are the encryption(s) of the Network layer?
since IPSec is built into IP6 network protocols, and can be used with IP5, think of that to remember that it’s in the network layer
IPSec Transport ESP
IPSec Tunnel ESP
(RC5, DES, AES)
What are the device(s) of the Network Layer?
HW: Router
What are the HW device(s) of the Data Link Layer?
HW: Bridge, L2 Switch
What are the HW devices of the Physical Layer?
HW: Hub, repeater
What is the firewall of the Application, Presentation, and Session Layer?
Proxy Firewall
What is the firewall of the Session and Transport Layer?
Circuit (SOCKS) Firewall
What is the firewall of the Network Layer?
Packet Filter Firewal
EAP
The Extensible Authentication Protocol (EAP) is a framework protocol for wireless networks that can support multiple authentication mechanisms, including tokens, smart cards, certificates, one-time passwords, and public key encryption authentication
PAP
Password Authentication Protocol
Old, not common to see, only used in legacy systems. It’s “in the clear”, no encryption authentication. It’s obviously a weak authentication scheme.
CHAP
A three-way handshake (challenge/response) authentication protocol used for remote access connections. Both devices are configured with a password called a shared secret. For unique user authentication, this value is associated with a user account. The challenge/response authentication mechanism occurs in three steps:
- The server generates a challenge message and sends it to the client.
- The client responds with the username and a value created using a one-way hash function on the challenge message.
- The server checks the response against its own value created using the same hash. If the values match, the client is authenticated.
With CHAP, plaintext versions of the password are never sent; only the hashed challenge message is sent between devices.
LEAP
Cisco created it using a modified version of the Challenge handshake does not require a digital certificate.
PEAP, what does it mean, uses what type of encapsulation, typical use and support, how does it use certs,
PEAP, or Protected EAP, was developed to protect EAP communication by encapsulating it with Transport Layer Security (TLS).
* PEAP provides that protection as part of the protocol via a TLS tunnel.
PEAP is widely supported by vendors for use over wireless networks.
-Certificate on the server, and we send our EAP communication across that secure tunnel.
EAP-TLS
- This is still considered one of the most secure implementations, primarily because common implementations employ client-side certificates. This means that an attacker must also possess the key for the client-side certificate to break the TLS channel.
- EAP-TLS for mutual authentication requires client and server certificates
EAP-FAST, define, distinguishing characteristic, certificate needs
EAP-FAST
* EAP- It offers a lightweight tunneling protocol to enable authentication. The distinguishing characteristic is the passing of a Protected Access Credential (PAC) that is used to establish a TLS tunnel through which client credentials are verified.
* EAP-FAST does not require certificates.
EAP-TTLS, define, works by, differs from EAP-TLS how, eliminates requirement to do what?
EAP-TTLS
VEES
- Variant of the EAP-TLS protocol. EAP-TTLS
- Server authenticating to the client with a certificate, but the protocol tunnels the client side of the authentication
- In EAP-TTLS, the authentication process is protected by the tunnel from man-in-the-middle attacks, and although client-side certificates can be used, they are not required, making this Easier to set up than EAP-TLS to clients without certificates.
- EAP-TTLS Eliminates the requirement to deploy or use client certificates.
RADIUS 2 benefits
Allows users to use Normal credentials across trusted networks.
Allows users in one organization to authenticate and access resources on another trusted organizations network using one set of credentials
IEEE 802.1X
Authentication standard that supports port-based authentication between authorization device and user
MS-CHAP
Microsoft’s proprietary challenge-response authentication method used for remote access connections. MS-CHAP:
- Encrypts the shared secret on each system so it is not saved in plaintext.
- Provides a mechanism for changing the password over the remote connection.
- Allows for mutual authentication, where the server authenticates to the client, if you use v2.
Be aware that MS-CHAP and MS-CHAP v2 both have known security vulnerabilities and should be avoided if possible.
CDN Benefits (4)
Lower latency for clients, especially for applications in which
multiple round-trips are required to load content.
Large scaling to better handle instantaneous high loads, such
as the start of a product launch event.
Reduce the traffic sent to the origin server, as requests are
handled by the edge servers.
Provides protection from DoS attacks
3 ways CDN provide DDoS protection
A content delivery network provides DDoS protection by
design, by being able to absorb volumetric attacks.
CDN also
include always-on traffic monitoring,
and real-time mitigation of
common network-level attacks.
CDN Zone-based restriction
Allows to restrict access to content by country/region.
With geo-filtering, it is possible to create rules on specific paths
on the CDN endpoint to allow or block content in selected
countries/regions.
CDN Data transmission steps
1: Request forwarded to the
edge server (DNS returns
server based on the client
location).
2/3: If data is not in the
cache, it is requested to the
origin server.
4: The result is returned to
the client. The data is cached
according to a TTL.
Describe FCoE operation.
FCoE encapsulates FC frames inside ETH frames. SAN and LAN traffic terminate in the same port in the server (the CNA virtualizes a NIC/MAC address and HBA/WWN).
What is the primary difference betwen iSCSI and FCoE?
iSCSI can use the existing network infrastructure (standard Ethernet switches and NICs). FCoE requires CNAs and converged switches.
In addition, iSCSI uses the IP protocol stack and traditional Ethernet. In contrast, FCoE does not use IP at all and uses enhanced Ethernet.
iSCSI, definition, can be used on which 3 types of networks
In computing, iSCSI (Listeni/aɪˈskʌzi/ eye-SKUZ-ee) is an acronym for Internet Small Computer Systems Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities.
By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval.
VXLAN
Virtual Extensible LAN, can support up to 16 M segments
It allows a single physical network to be shared by multiple different organizations, or “tenants,” without any one tenant being able to see the network traffic of any other.
ZigBee speed range
40-250 kbps
Z-Wave speed range
9.8-100 kbps
ZigBee # of devices
65,000
Z-Wave # of devices
232
ZigBee frequency
868 mhz to 2.4 ghz
Z-Wave frequency
908.42 mhz in North America
zigbee, what it enables, designedfor, which IEEE specification, networks secured by…, rate of transmission, best suited for…
An IoT standard based protocol. Zigbee is a standards-based wireless technology that enables wireless machine-to-machine (M2M) and IoT networks.
It is designed for low-data rate, low-power applications, and is an open standard. Zigbee is a specification based on IEEE 802.15.4
Its networks are secured by 128-bit symmetric encryption keys. Zigbee has a defined rate of 250 kbps, best suited for intermittent data transmissions from a sensor or input device.
Z-Wave, define, uses what encryption (same as zigbee), how many nodes permitted?
IoT standard based protocol. Simpler and less expensive than Zigbee. Z-Wave was created by a Danish company named Zensys. It uses the same AES-128 symmetric encryption as Zigbee.
Like Zigbee, Z-Wave devices all link up together to form a mesh network. There’s one central hub that connects to the internet and then the devices themselves don’t have Wi-Fi at all, they use Z-Wave connectivity to talk to the hub either directly or through the mesh network. This is called a “source-routed mesh network topology.” Z-Wave allows up to 232 nodes on the mesh network.
4G speed
100 Mbps, whereas stationary devices can reach 1 Gbps
5G speed
up to 10 Gbps
5G technology
higher frequencies than previous cellular technologies, which has allowed for higher transmission speeds but at a reduced distance
Why is a 5G Communication System preferred over a 4G Communication System?
In terms of speed 5G communication system is able to provide up to 100 gigabits per second which is 100 times faster than 4G communication system.
4G has very high latency compare to 5G.
5G Communication System will also able to fix the bandwidth issue with emerging technology such as driverless cars and connected home products.
s/mime
MIME multipart/signed and multipart/encrypted framework
S/MIME is an IETF standard that provides cryptographic security for electronic messaging
MOSS what is it and current state of use
MIME Object Security Services (MOSS) is a protocol that uses the multipart/signed and multipart/encrypted framework to apply digital signature and encryption services to MIME objects.
MOSS was never widely deployed and is now abandoned, largely due to the popularity of PGP.
PEM, when, developed for?, current use, formalized in IETF / RFC xxxx?
Privacy-Enhanced Mail (PEM) is now a de facto file format for storing and sending cryptographic keys, certificates, and other data, based on a set of 1993 IETF standards defining “privacy-enhanced mail.”
While the original standards were never broadly adopted and were supplanted by PGP and S/MIME, current use involves the textual encoding they defined which became very popular.
The PEM format was eventually formalized by the IETF in RFC 7468.
DKIM, what is it, what is it used for, how does it work
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.
Works by leveraging PKI
DKIM allows the receiver to check that an email that claimed to have come from a specific domain was indeed authorized by the owner of that domain.[1] It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message.
DKIM is an Internet Standard.[3] It is defined in RFC 6376, dated September 2011, with updates in RFC 8301 and RFC 8463.
NAC captive portal definition / limitations (4)
captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources
Limitations: CBDM
may be Circumvented
Dns tunneling
Mac spoofing
require web Browser
WPA3 security has new authentication mode known as what?, benefit of this mode? Describe 3 modes with some technical detail and their benefits
WPA3-Personal (WPA3-SAE). This mode focuses on improving protection for individual users by providing better security using SAE. SAE increases security over WPA2, even when using a simple password. Personal mode lets users choose easy-to-remember passwords while still providing increased security using perfect forward secrecy to protect data traffic.
WPA3-Enterprise. Enterprise mode builds on top of the previous WPA2 Enterprise mode. However, enterprise mode requires the use of Protected Management Frames on all WPA3 connections. Enterprise mode also has multiple Extensible Authentication Protocol (EAP) methods for authentication, 128-bit authenticated encryption, 256-bit key derivation and confirmation, as well as 128-bit management frame protection. Wi-Fi Enhanced Open. This extra mode focuses on increasing privacy in open networks. Enhanced Open mode prevents passive eavesdropping by encrypting traffic even when a password isn't used. This mode uses 256-bit authenticated encryption, 384-bit key derivation and confirmation, as well as 256-bit management frame protection.
SAE, define, variant of x, based on y key exchange, doesn’t use DH because DH has no z mechanism, resulting key is influenced by a preshared key and what?
In cryptography, Simultaneous Authentication of Equals (SAE) is a password-based authentication and password-authenticated key agreement method
SAE is a variant of the Dragonfly Key Exchange defined in RFC 7664,[2] based on Diffie–Hellman key exchange using finite cyclic groups which can be a primary cyclic group or an elliptic curve.[1] The problem of using Diffie–Hellman key exchange is that it does not have an authentication mechanism. So the resulting key is influenced by a pre-shared key and the MAC addresses of both peers to solve the authentication problem.
WPA3 vs. WPA2, 5 points
BiG SIS (i not used)
Bigger session keys
GCMP WPA2 uses AES for encryption, while WPA3 uses the more secure GCMP
SAE protocol
Individualized data encryption
Stronger brute-force attack protection
GCMP, what does it mean, what type of cryptography, what makes it special, what is it used for (12 technologies)
Galois/Counter Modea mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources
GCM mode is used in the IEEE 802.1AE (MACsec) Ethernet security, WPA3-Enterprise Wifi security protocol, IEEE 802.11ad (also dubbed WiGig), ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, IETF IPsec standards,[6][7] SSH,[8] TLS 1.2[9][10] and TLS 1.3.[11] AES-GCM is included in the NSA Suite B Cryptography and its latest replacement in 2018 Commercial National Security Algorithm (CNSA) suite.[12] GCM mode is used in the SoftEther VPN server and client,[13] as well as OpenVPN since version 2.4.
CAM table flooding
MAC flooding
MAC flooding description / solutions (3)
attack works by forcing legitimate MAC table contents out of the switch and forcing a unicast flooding behavior potentially sending sensitive information to portions of the network where it is not normally intended to go
solutions / network operators usually rely on the presence of one or more features in their network equipment:
port security
MAC filtering
IEEE 802.1X
VLAN hopping definition, types and mitigation of each type
gain access to traffic on other VLANs that would normally not be accessible and is mitigated through proper vlan configuration
switch spoofing - mitigated by ensuring that ports are not set to negotiate trunks automatically by disabling DTP on ports that are not meant to be trunks and explicitly configured as access ports
double tagging - mitigated by not putting any hosts on VLAN 1 (The default VLAN). i.e., assign an access VLAN other than VLAN 1 to every access port, Change the native VLAN on all trunk ports to an unused VLAN ID and Explicit tagging of the native VLAN on all trunk ports. Must be configured on all switches in network autonomy
IP spoofing how and how to stop
IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system
solutions: packet filtering and do not allow authentication based on IP address1
802.1x
IEEE 802.1X is an IEEE Standard for port-based network access control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN
802.3
IEEE 802.3 is a working group and a collection of standards defining the physical layer and data link layer’s media access control (MAC) of wired Ethernet
802.15.1
IEEE 802.15 is a working group of the Institute of Electrical and Electronics Engineers (IEEE) IEEE 802 standards committee which specifies Wireless Specialty Networks (WSN) standards. WPAN / Bluetooth
IEEE 802.15.1
WPAN / Bluetooth
IEEE 802.15.5
Mesh networking
IEEE 802.15.7
7 is an inverted L (for LiFi)
Visible Light Communication / LiFi
IEEE 802.15.13
Multi-Gigabit/s Optical Wireless Communications
SRTP what does it stand for, what OSI layers, 4 types of protection over what
Secure Real-time Transport Protocol
Secure Real-time Transport Protocol (SRTP) is a profile for Real-time Transport Protocol (RTP) intended to provide encryption, message authentication and integrity, and replay attack protection to the RTP data in both unicast and multicast applications
between transport and application layer
provides
CREM
confidentiality,
replay protection
encryption,
message authentication
SIPS, what is it, what used for?, what osi layer
Session Initiation Protocol Secure
a signaling protocol used for initiating, maintaining, and terminating communication sessions that include voice, video and messaging applications
session layer
to signal and control interactive communication sessions
SRTP vs SIPS(SIP TLS)
E AIR
SRTP is an RTP profile intended to provide Encryption, message Authentication and Integrity, and Replay attack protection to the RTP data.
PI
SIP TLS protocol aims primarily to provide Privacy and data Integrity between two or more communicating computer applications.
NAT vs PAT
NAT maps public to private via IP address
PAT maps public to private via port#
PAT more efficient as it can use one public address for many different internal devices
BIA process
PROcess / PROtect
Protect Real Life Investment Revenue
(id Priorities, id Risks, Likelihood, Impact, Resource priorities)
Communication threats
RIDEM
(Replay, Impersonation, Modification, Eavesdropping, Denial of service)
ASLR
address space layout randomization - memory protection for O/S
MSA (web)
microservice architecture
serverless aka
FaaS (only functions)
microkernels
add function via kernel modules
reference monitor definition, 3 properties
handles access between subjects and objects (concept, not physical component)
aka abstract machine
properties:
always invoked
tamper-resistant
verifiable
Grid Computing
leveraging distributed computing resources (of other entities) for complex problems
DCE
distributed computing environment - collection of systems that work together
PLC
programmable logic controllers, industrial digital computer for controlling manufacturing processes less than 1000’s
Cryptology
the science of securing communications
Substitution Ciphers types, weakness
(monoalphabetic / polyalphabetic) easily broken by frequency analysis
Confusion
relationship between plaintext and cipher text
Diffusion
how order of plaintext should be dispersed throughout cipher text
Vigenere Cipher
uses a matrix (vigenere square) x axis is plain text / y axis is key
Cipher Disk
Cryptographic device that uses two concentric disks, each with an alphabet around the periphery
One-Time Pad
an example of perfect (unbreakable) encryption, which is achieved by using, only once, a random polyalphabetic key that is as long the message itself.
SIGABA
similar to Cipher Disk with 3x5 sets of rotors, large, heavy, expensive, hard to operate, mechanically complex and fragile
COCOM
(Coordinating Committee of Multilateral Export Controls) - prevented export of critical technologies including encryption (1947-1994)
Wassenaar
similar to COCOM for dual-use techonologies but added Iron Curtain countries as members (1996 - present)
Meet-in-the-middle attack
Cryptanalysis attack that tries to uncover a mathematical problem from two different ends.
HMAC
Hashed Message Authentication Code
XOR and hash function
TLS / SSL initiation process,
SYN, SYN/ACK, ACK, session
IPSec Modes
- Transport Mode (Only data encrypted)
- Tunnel Mode (entire packet encrypted)
TCP Flags mnemonic
Nosetackles Can Easily Upend Any Puny Runningback Sneaking the Football or first 3 not used, Unskilled Attackers Pester Real Security Folks
NS (not used anymore)
CWR (not used anymore)
ECE (not used anymore)
URG urgent
ACK acknowledgement
PSH push
RST reset
SYN synchronizeing
FIN finish
CMM
I Rarely Develop My Own
1 Initial -undocumented and not consistent
2 Repeatable - some processes are repeatable, process might be strictly controlled
3 Defined - documented processes and standards
4 Managed - metrics used for performance measurement and process users are competent
5 Optimizing - focus on continuous improvement
edge computing vs. fog computing
decentralized distributed computing
fog computing is centralized distributed computing
fog computing
centralized distributed computing
UDP is simplex or duplex?
simplex mode (per port)
microsegmentation (edge and fog computing)
does not support edge/fog computing
How do Application-level firewalls work
make access control decisions based on content of communications
Authentication Header provides…
provides integrity and non-repudiation
Risk-based access control
evaluates the environment / situation then makes access decisions based on coded policies
OID vs OIDC
OID does not include profile information
ABAC, often used in…?
Attribute Based Access Control
grants access based on attributes (often used in SDN’s)
network access server within RADIUS
is a client
DRP relation to BCP / COOP
picks up where BCP leaves off, is site specific, only addresses disruption requiring relocation, may involve multiple ISCP’s
expert system’s decision making process
a series of if/then rules codified in a knowledge base
contamination
when data from a higher classification is mixed with data from a lower classification
best to prevent cross-site scripting attacks
input validation
ALE (formula)
ALE = ARO*SLE [Ale = A RO SlE]
formula for SLE
formula for ALE
SLE = AV * EF
SLE single loss expectancy
AV asset value
EF exposure factor
ALE = ARO * SLE
or
ALE = ARO * AV * EF
Cost / Benefit of countermeasures
[V -AA +AB -AC] Value = ALE BEFORE less ALE AFTER less Annual Cost of measure
Total Risk
TR [total risk exposure] = A T V ([asset value] [threat impact] [vulnerabilities likelihood])
BCP Steps high level steps
SICA
(scope, impact, continuity, approval)
BCP high level process to be combined with SICA card
SPAT
(strategy, provisioning, approval, training)
Fagan code review, definition and process
a process of trying to find defects in documents (such as source code or formal specifications) during various phases of the software development process
P O P Is Real Fedup [POPIRF]
(planning, overview, prep, inspect, rework, followup)
Incident Response process, goals
[Dirty Rotten Mean REPublicans RECruit REMarkable Losers]
detection, search for indicators, declaration of incident
response, (initial response, contain damage)
mitigation, (eradicate threat actor, determine details of attack and how to mitigate and perform mitigation)
reporting,
recovery, (restore full functionality of business process)
remediation, (prevent future incidents)
lessons learned (continuous improvement)
PASTA steps
Process for Attack Simulation and Threat Analysis
It’s a bowl of spaghettios or alphabet soup
DO DTS ADA TA VA AMS RAM
(determine objectives,
define tech scope,
application decomp analysis,
threat anal,
vulnerability anal,
attack modeling simulation,
risk anal mngmt)
SAMM Process
Software Assurance Maturity Model - from OWASP focused on secure software development
Business functions:
[Giving Developers Incentive Via Offers]
Governance,
Design,
Implementation,
Verification,
Operations
Each function has 3 security practices
SW/CMM levels
[I Rarely Develop My Own]
(initial,
repeatable,
defined,
managed,
optimized)
Application attack types
RoBBoT
(Buffer overflow,
Backdoors,
TImeofchecktotimeofuse TOCTOU (asynchronous attack),
Rootkits)
Auditing activities
A DAM LIAR
(alarm triggers,
data reduction,
analysis of logs,
monitoring,
logging,
IDS,
alert usage,
review of logs)
Authorization mechanisms
IAACCCC (implicit deny, ACL, ACM, capability tables, constrained xfaces, content, context)
COBIT elements
GOD HO ST GOS TA EN
(GOvernance is Dynamic,
HOlistic approach,
STakeholder value,
GOvernance Separate from mgmt,
TAilored to entity,
ENd to end)
Computer Crimes
[The Mother Fuckers Better Takeoff Running]
(terrorism,
military,
financial,
business,
thrill,
revenge)
Control Classification
CCDDDPR
(corrective,
compensating,
detective,
deterrent,
directive,
preventive,
recovery)
Data Classification Criteria
DATa LIVe SUM
(disclosure damage,
age,
timeliness,
lifetime,
implications of disclosure to business or national security,
value,
storage,
usefulness,
modification damage, )
Elements of Cable Plant
BEETH
(Backbone distribution,
Entrance facility,
Equipment room,
Telecommunication room,
Horizontal distribution)
Evaluating access control attacks
VAT
(vulnerabilities,
assets,
threats)
Halon subs
FF AI CLAN
(FM200,
FE13,
Argonite,
Inergen,
CEA410/308,
Low pressure water mist,
Aragon,
NAFSIII)
Memory addressing methods (5)
BIRDI
(base+offset,
immediate,
register,
direct,
indirect)
Processing States
RRSSW
(ready,
running,
supervisory,
stopped,
waiting)
Sabotage prevention
CAMO
(compensation / recognition of excellence,
auditing,
monitoring,
open communication)
Symmetric Encryption Modes
ECCCCOG
(ECB,
CBC,
CFB,
CTR,
CCM,
OFB,
GCM)
ECB short only
Symmetric Encryption Modes with IV
IV initialization vectors
CCO
(CBC,
CFB,
OFB)
Threat ranking methods
PD HML DREAD
(Probability X Damage Potential,
H/M/L,
DREAD)
Threat rating model
DREAD
(damage,
reproducibility,
exploitability,
affected users,
discoverability)
Virus propagation
BI FI MI SI
(Bootsector Infection,
File Infection,
Macro Infection,
Service Injection,
Security Models List mnemonic
Bill Belichik Loves Great Head Coaches Big Nose Tackles
(Bell-La Padula,
BIBA,
Lattice,
Graham-Denning,
HRU,
Clark-Wilson,
Brewer-Nash,
Non-Interference,
Take / Grant)
Access Control Matrix
Subjects rows / Objects Columns
Least Privilege
employees given minimum access to perform duties
Separation of Duties
separating duties as an internal control
Two Person Control used for…
For highly sensitive separation of duty tasks such as encryption key retrieval
Northbridge
CPU, RAM, Memory (Fast)
Southbridge
I/O controller, peripherals (mouse, USB, HD)
DEP
data execution prevention - prevents damage from malware by not allowing execution in Windows reserved memory locations
Containerization summary
only o/s components needed are in a container
Peer to Peer
each node is both server and client, used mostly for file sharing (subset of grid computing)
HPC
high performance computing - similar to grid but not shared
Edge Computing, what is it
pushing processing as close to client as possible
CDN
content distribution network - subset of edge computing
multiple servers distributed across a large region which is optimized for users closest to a particular server
SCADA,what does it mean and used for what type of computing
Supervisory Control and Data Acquisition - distributed computing for industrial controls
DNP3
distributed network protocol used in SCADA
Cryptography
creating secure messages
Cryptanalysis
the science of breaking encrypted communications
Cipher
the generic term for a technique (or algorithm) that performs encryption
Spartan Scytale
Message written lengthwise on a long thin piece of parchment wrapped around a certain size round stick. By itself it would make no sense, but if rewrapped around a stick of the same diameter it would be decipherable.
Ceasar Cipher
A substitution cipher that shifts characters a certain number of positions in the alphabet
Jefferson (president invented) Disk / Bazeries (Bazeries improved) Cylinder
set of cipher disks around axle
Number of Symmetric keys required:
n(n-1)/2, where n = number of users
Number of Asymmetric keys required
2n, where n = number of users
anything better than AES…
is proprietary
Digraph Attack
frequency analysis with two letter combos
Differential Cryptanalysis
Seeks to find the “difference” between related plaintexts that are encrypted
Linear Cryptanalysis
Known plaintext attack where the cryptanalyst finds large amounts of plaintext/ciphertext pairs created with the same key
Differential Linear Cryptanalysis
Applies differential analysis with linear analysis
OSI model mnemonic
Please Do Not Try Stupid Passes Again
1 Physical
2 Data Link
3 Network
4 Transport
5 Session
6 Presentation
7 Application
Security Perimeter
physically secure area around system or imaginary boundary separating Trusted Computing Base TCB from rest of the system
Best Risk Reduction for portable devices
minimizing data on portable devices
capacitance detectors
sense changes in magnetic or electrical fields
security guards and knowledge of what they are guarding
not knowing about what they are guarding is not a disadvantage of using guards
Appliance firewalls limitation
unable to prevent internal attacks
required for logs to support accountability
Identification & Authentication
detect compromised accounts
Account access reviews
Mandatory Access Control
Mandatory Access Control
subjects and objects all have labels
RBAC
grants access based on roles for subjects
SOC Type 1
review of description provided by management, specific point in time
review of description provided by management, specific point in time
SOC Type I
best method to ensure systems are patched
Patch management system
Organizations BCP/DRP responsibility
can choose to do BCP/DRP, but they really should
RFC 1087
Privacy
AV, what is it for, how is it expressed and what does it include
asset value for risk assessment
expressed in monetary units
includes both replacement cost and value to the business
High Level Cyber Supply Chain Security Principles
Cyber Supply Chain Security Principles:
Since it’s high level it’s the BIG picture
BIG (breaches happen so develop defenses for them, IT isn’t only concern, Gaps will exist between physical and cybersecurity)
- Develop your defenses based on the principle that your systems will be breached. When one starts from the
premise that a breach is inevitable, it changes the decision matrix on next steps. The question becomes not just how to prevent a breach, but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the breach. - Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem. Breaches tend to be less about a technology failure and more about human error. IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain use secure cybersecurity
practices. - Security is Security. There should be no gap between physical and cybersecurity. Sometimes the bad guys
exploit lapses in physical security in order to launch a cyber attack. By the same token, an attacker looking for
ways into a physical location might exploit cyber vulnerabilities to get access.
divestiture security risks
CA CA SP RC IP
Which security measures will be in place for Continuity of Access?
How employees will Access Business-critical applications and systems as the divestiture proceeds. (Critical App access)
The buyer’s and seller’s Security Policies. Are their policies compatible, or will additional training be needed before employees transfer to the new business unit?
Are there Regulatory and IT Compliance issues requiring additional training before the divestiture concludes?
Are there issues with Intellectual Property custody and protection as per the divestiture agreement or not covered by the agreement.
SAML, most commonly used to
It is more commonly used to help enterprise users sign in to multiple applications using a single login (i.e. provide sso for enterprise users)
PaaS vs CaaS
PaaS focuses on code stack infrastructure, while CaaS offers more customization and control over applications and services. Pay for a period of time, no matter what is used.
As a result, CaaS is better suited to emerging frameworks, such as microservices. Pay as you use. Timed use. CaaS must be started, stopped
IaaS vendor / customer responsibilities
vendor up to virtualization
customer from o/s on up
PaaS vendor / customer responsibilities
vendor up to Security
customer application only
SaaS vendor / customer responsibilities
vendor up to application (all)
CaaS vendor / customer responsibilities
a form of PaaS but only pay for what you use where normal PaaS you pay for a period not a timed amount use
Vendor provides everything up to container, customer responsible for what’s in the container
noise
A type of network attack. It is interference that can be introduced to the cable that causes problems.
crosstalk
A type of network attack. It occurs when signals from two wires (or more) interfere with one another and distort the transmission.
attenuation
Can be considered a type of network attack. It is the weakening of a signal as it travels down the cable and meets resistance.
eavesdropping (sniffing)
A type of network attack where information remains intact, but privacy is compromised. It intercepts private data over cabling lines
blind [IP Address] spoofing, what is it, most effective for…, solutions (3)
Peaky blindER packets - to remember the solutions
A type of network attack where the sequence ACK numbers cannot be attained. Packets are sent to the target to obtain a sampling of the sequence numbers so that the attacker can generate a valid sequence number for the attack. Mostly used to attack older machines. Newer machines use random sequence number generation.
Solutions:
PER
use Packet filtering;
use Encryption on routers for inbound traffic; and
Reject packets with incorrect network origin.
non-blind spoofing, what is it, prevented by (3)
A type of network attack which occurs when the attacker is on the same subnet as the victim. The attack sniffs the sequence and ACK numbers and uses them to hijack the session.
Solutions:
You don’t have to be blind to give some EFS
enable Encryption on a router for outside connections
use ingress Filters on packets to filter inbound traffic
use Secure protocols to connect to other systems
Man-in-the-Middle attack (MITM), what is it, can be accomplished how (2), solutions (4)
A type of network component attack where the attacker intercepts communications between two trusted hosts. The attacker gains the ability to view and change the information sent, and to forward it undetected.
The attack can be accomplished using ARP cache poisoning or ICMP redirect.
Solutions:
MITM might SEEM like he’s not there.
SEEM
prevented by using Secure connections (HTTPS, SSL, TLS, VPN),
Endpoint detections,
Education
MFA,
MAC Flooding attack, what is it, prevented by (4)
A type of network component attack in which the attack is connected to a switch and “floods” the switch with a large number of different fake MAC address sources.
Prevented by:
Hey MAC, avoiding a flood is SIMPle.
Segmentation of network IDS MAC address filtering: Port security
802.1Q and Inter-Switch Link (ISL) protocol attack, solutions (2)
type of network component attack. It is a tagging attack that occurs when a user on a VLAN gets unauthorized access to another VLAN.
Solutions:
ISL (I Still Love) D FC (Deep Fried Chicken)
Dynamic Trunking Protocol (DTP) on all non-trusted ports
Following Configuration guidelines for the switch.
Double-Encapsulated 802.1.Q nested VLAN attack
remember this one as it’s Nested which is starts with the same letter as Native
A type of network component attack where an attack can cause traffic to hop VLANS by injecting packets that are double-tagged in an 802.1Q VLAN.
Clear the native VLAN from all 802.1Q trunks or pick an unusual VLAN as the native VLAN.
ARP Cache Poisoning, solutions (5)
A type of network component attack where an attacker can send spoofed ARP messages in to a LAN, causing the ARP cache to associate the target’s IP address with the attacker’s computer. All packets meant for the target will then be sent to the attacker. ARP is the protocol used to map an IP address to the physical MAC address.
Prevented by:
Use your PENUS to plug the ARP Cache poison and penus both start with p
Physical Security
Encryption
Network segmentation / isolation
Using switch security / or DAI (dynamic arp inspection)
Static ARP table
ping of death attack, 3 solutions
A type of ICMP network, Denial of Service (DoS) attack on a computer that involves sending malformed or oversized IMCP packets to a target. Hackers send several oversized packets, which can cause the victim’s system to be unstable at the least, and possibly freeze up.
Prevented by:
Death starts with D… CBA, also it’s one of the oldest attacks so should be easy as…
ABC
avoid legacy equipment and patching
block incoming icmp
checks to packet reassembly process to prevent large / malformed packets
Smurf attack, solution, equipment note
U in smurf indicates UDP is used.
Smurf’s must be disabled from broadcasting ip addresses at each router and firewall.
A type of ICMP, DDoS, network attack. The attacker sends a large amount of UDP echo traffic to an IP broadcast address, all of it having a fake source address, which will be the target of the system. As a DDoS attack the target system is flooded with spoofed ICMP packets.
Prevented by:
Smurfs is an old broadcast
disable IP broadcasting addresses at each network router and firewall.
Older routers are likely to enable broadcasting by default, while newer routers will likely already have it disabled
Fraggle Attack, what is it, what kind of traffic is used, what ports are used, solutions (4)
A type of ICMP network, DoS attack attacker sends a large amount of UDP traffic to ports 7 (Echo) and 19 (CHARGEN)
Solutions:
watching Fraggle Rock on my FUTON is FAB ulous
FU TO NF AB
solutions:
Filtering UDP inbound
Turn off source address spoofing by router
configure routers to Not Forward packets directed to broadcast addresses. Until 1999, standards required routers to forward such packets by default. Since then, the default standard was changed to not forward such packets.[6]
Configure hosts and routers to ignore packets where the source Address is a Broadcast address;
ICMP Redirect Attack, is what type of attack, how does it occur, solutions (2)
A type of ICMP network attack and an example of a MITM attack.
A router sends an ICMP redirect request to a host when packets are routed via sub optimal paths, requesting the packets use the attacker’s machine as a a default route. The attacker will forward all the redirected traffic to a router so that the victim will not know that his or her traffic has been intercepted.
solutions:
turn off redirect on hosts or network equipment
IDS / IPS can prevent
ping scanning
A type of ICMP network attack that pings every IP address and keeps track of which IP address responds to the ping. This technique is also a basic network scanning technique used to map networks and can also be used to find networking devices.
(aka port scannning)
Prevented by blocking incoming ICMP
port scanning attack
A type of network attack that occurs in the form of probing the TCP services on a machine by establishing the initial handshake for connection. It allows an attacker to test for vulnerabilities on a target system. The scan pings every address and port number combination and tracks which ports are open on each device as the pings are answered by open ports with listening services and not answered by closed ports.
DNS Cache Poisoning, used to …, solutions (4)
DNS
U
Cache
E
A type of DNS attack where the attackers feed false information into the DNS cache. When the server refreshes its query, the attacker inserts his own access point in an attempt to harvest passwords from users through newly created fake website.
Prevented by:
DUCE
DNSSEC
Use most current version of DNS
Configure DNS servers to not rely on trusts with other servers
Education - don’t click links in emails
Distributed Denial of Service (DDoS) attack webservers, solutions (3)
A type of DNS attack that uses multiple compromised systems to send network traffic to a specific targeted system creating a Denial of Service (DoS) attack.
a MIC can unDENIALbly Distribute your voice
Mitigated by:
MIC
Monitoring network traffic volume
IDS / IPS
CDN
URL hiding attack
A type of DNS attack that takes advantage of the ability to embed URLs in web pages and emails.
Cyber Squatting
A type of DNS attack where a hacker registers a domain name with no intent to use it but rather hold it as a hostage, to sell to a company or persons using the same domain name or type.
domain grabbing
A type of DNS attack where an attacker registers a domain name of a web known company before the company itself has a chance to renew the domain name.
war driving
A type of wireless attack where an attacker drives around, using a laptop and a high-powered antenna to locate unsecured WLANs.
war chalking
A type of wireless attack and a practice that is typically used to accompany war driving. After the war driver has located an unsecured WLAN, he write with chalk on the sidewalk the SSID and the types of security used on the network.
Bluesnarfing, solutions (3)
A type of wireless attack that is unauthorized access to a device using a Bluetooth connection. In this case the attacker is trying to access information on the device rather than send messages to the device.
Prevented by:
turn off bluetooth if not being used
have a long password if possible for bluetooth
turn off discovery when not needed
Bluejacking, what is it, solution
A type of wireless attack that happens when an unsolicited message is sent to a Bluetooth-enabled device for the purpose of adding a business card to the victims contact list. It can be prevented by putting the device into a non-discoverable mode.
Email spoofing
A type of email attack where the sender addresses parts of the email with a header altered to appear as through the email originated from a different source. Since SMTP does not provide any authentication, it is easy to impersonate and forge emails. The email appears to come from one source when it actually comes from another.
phishing
A type of email, social engineering attack where the attacker tries to get a person to click on a link in an email that seems to be legitimate. Hackers are attempting to collect data and redirect the victim to the hacker’s website.
spear phishing
A type of email attack used to target a specific person rather than many people. It targets the individual by learning about the person’s habits and likes.
whaling
A type of email cyber attack used to target senior management, such as CEOs, CFOs, and other upper management roles.
SPAM
A type of email attack where attackers send out non-requested emails on a mass basis.
SYN ACK attack, 2 solutions
A type of cyber attack where a hacker takes advantage of the three-way TCP handshake, and spams the victim with SYN packet’s from a spoofed IP address. The victim responds with a SYN-ACK packet, but never gets a response. Eventually, it will reach its maximum number of uncompleted three-way handshakes and will refuse legitimate network connections.
Mitigated by:
In memory, SYNful pACKman eats cookies
limiting memory for syn / ack use
use of syn cookies
Brute-Force attack
A type of cyber attack which tries all possible keys until one is found that decrypts the cypher text. This is why the key length is such an important factor in deterring the strength of the crypto system. The longer the key, the longer it takes to go through all of possible character combinations.
SYN Flooding, what is it, solutions (4)
A type of cyber attack in the form of a DoS attack where the attacker sends SYN packets to a single server, overwhelming the victim system and blocking access to legitimate traffic.
Solutions:
Flooding put out the fires of hell where your half open soul is recycled into cookies
FIReS
Firewall Filtering
Increase Backlog Queue
Recycling the oldest half-open connection
SYN Cookies (will lose some details but not enter DoS state)
teardrop attack, 2 solutions
A type of cyber attack that is a process in which a hacker sends malformed fragments of packets that when reassembled by the receiver, cause the receiver to crash or become unstable.
Solutions (Fucking Pussy, for crying)
Mitigated with firewall / IDS / IPS
patching also helps prevent
IP Address Spoofing, prevented by (4)
The spoofing happening here must FADE.
A type of cyber attack that hackers use to hide their trail or to masquerade as another computer in which they alter the IP address as it appears in the packet.
Prevented by:
FADE
using Firewall
Authentication of all IP addresses
DNSSEC
Ip Encryption
side-channel attack
A type of cyber attack. In cryptography, this is a non-intrusive attack that uses information (timing, power consumption) gained from the physical implementation of the crypto system. This attack tries to figure out how a component works without trying to compromise any type of flaw or weakness.
session hijacking attack, how does it work, solutions (3)
Don’t SIT, hijacking!
A type of cyber attack where an intruder exploits a valid computer session to gain unauthorized access to the system. The attacker places himself in the middle of an active conversation between two computers, for the purposes of taking over the session of one of the two computers, thus receiving all data sent to that computer.
TCP session hijacking takes advantage of predictable TCP sequence numbers
Mitigated by:
SIT
Strong session managment (rotating keys, preventing predictable sequences, enforcing session timeouts)
IDS / IPS
Token based authentication
phone cloning
A type of cyber attack that is a process in which copies of a SIM chip are made, allowing another user to make calls as the original user.
TKIP attack, Parking Lot attack, and shared key authentication flaw.
Three types of attacks on wireless networks.
SQL Injection, what is it, if successful what can it allow (5), solutions (4)
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application.
A successful SQL injection exploit can:
FORMA
Read sensitive data from the database,
Modify database data (Insert/Update/Delete),
execute Administration operations on the database (such as shutdown the DBMS),
recover the content of a given File present on the DBMS file system and
in some cases issue commands to the Operating system.
Mitigation:
DIPS
Parameterized sql statements / queries
secure Stored procedures
Input validation, input list validation
Do not use escaping for user supplied data whenever possible
Salami attack, what is it, solutions (4)
A salami attack is a cybercrime that attackers typically use to commit financial crimes. Criminals steal money or resources from financial accounts on a system one at a time. This attack occurs when several minor attacks combine to form a powerful attack. Because of this type of cybercrime, these attacks frequently go undetected.
Mitigation:
I PAID for that salami.
Periodic audits
Anomaly detection (many small transactions going to one account)
integrity checks
Data validation
Sending a message using sender private key
provides non-repudiation and integrity
does not achieve confidentiality as anybody can use your public key to decrypt, must use recipient’s public key to provide confidentiality
PIPEDA
The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business.
CPTED, what is it and what are it’s 4 strategies
Crime prevention through environmental design
Strategies:
Natural Access Control - guidance of people in and out by placement of doors, fences, lighting, and landscaping
Natural Surveillance - make criminals feel uncomfortable by providing many observance opportunities (maximize visibility)
Territorial Reinforcement - create physical designs that emphasize the organization’s sphere of influence
Maintenance - make environment look cared for which discourages crime (broken window theory - broken windows encourage crime)
Single Tier Firewall
One firewall between private network and external network, no dmz = total of 1 firewalls
Two Tier I Firewall
one external firewall (with dmz stem) - private network = total of 1 firewalls
Three Tier I Firewall
external firewall (1/3) - DMZ - internal firewall (2/3) - transaction subnet - internal firewall (3/3) - private network = total of 3 firewalls
Two Tier II Firewall
external firewall - DMZ - internal firewall - private network = total of 2 firewalls
Three Tier II Firewall
external firewall (with DMZ stem) - transaction subnet - internal firewall - private network = total of 2 firewalls
Exam Tip - All four answers look correct
The right answer will provably encompass the other answers
Core CISSP concept - more than one answer appears correct, one is a policy (and appears correct)
The right answer will be the policy, nothing happens without a policy
Media Sanitization - Clearing
overwrite and replace confidential data spaces with meaningless data using approved s/w or h/w - reasonable assurance that data will not be easily retrieved (not absolute)
Media Sanitization - Purging
completely overwrite all data with degaussing or firmware commands - data unrecoverable with high degree of confidence
Media Sanitization - Destruction / Disintegration
physical destruction - no reuse of media
Exam Tip - baseline
baseline identifies a purpose for change, not a primary reason
Core CISSP Concept - Risk assessment, value of risk assessment …, risk is never …, risk must be re-evaluated …
value of risk assessment diminishes over time,
risk is never fully eliminated,
risk must be re-evaluated after changes
4 classifications of commercial data
confidential
private
sensitive
public
4 classifications of government data
top secret
secret
sensitive, not classified
unclassified
If you don not have formal written approval from system owners to look for vulnerabilities or to perform ethical hacking / penetration testing you are doing what?
Illegal hacking or just hacking
ethical hackers vs penetration testers
are not equal but have overlapping functions
penetration testing steps (4)
PREPaRe the pen test.
Planning - establish goals, scope and rules, management approval and document in writing
Reconnaissance gather target intelligence - IP addresses, ports, network assets, host names, applications, employee information
Exploit vulnerabilities - successful exploitation will be reported
Provide Report - send report in secure method to stakeholders
Exam Tip - if more than one answer appears correct but timing is different
Make sure what timing the question is asking. Is it asking which should happen first or last?
CMMI, what it is, 6 stages and the stage definitions
Capability Maturity Model Integration (aka CMM) - if hiring an outside development firm, can ask if they’ve been CMMI certified
I,I Might Die Questioning Others (IMDQO)
Incomplete (0) chaotic or ad hoc
Initial (1) no effective management, no assurance of consistency or quality
Managed (2) formal structure for change control and QA, repeatable processes
Defined (3) formal procedures carried out in all projects, ability to be proactive
Quantitatively Managed (4) metrics in place and used for self-improvement
Optimizing (5) budgeted and integrated plans for continuous process improvement, can respond quickly to changes
Core CISSP Concept - Is risk mentioned in questions or answers? If it is, then … … is performed before any … is made
Calculating risk is performed before any decision is made
SYN, SYN/ACK, ACK, OSI network layer
4 / Transport
Core CISSP Concept - DOS / DDOS attacks, what is high level countermeasure
BCP / DRP is the high level countermeasure
Core CISSP Concept - before engaging, acquiring, merging, renting, or re-evaluating any third party what must be done?
Risk assessment
Think like a Manager - Question does not fully deal with quantitative cost analysis but it is mentioned or inferred and more than one answer appears like it could be correct.
Choose the answer which makes the most sense economically
Authentication in cryptography
Is not the same as in access control, in cryptography it is means authenticity
Core CISSP concept - high level policies vs. low-level operations
High level policies are always more important
Stateful filtering/inspection firewall, what is it, aka, characteristics (5), weaknesses (1)
a stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering,[1] is a security feature often used in non-commercial and business networks.
Characteristics:
state of pennsylvania (chili peppers lyric) is where we find the
SHS CoW (o not used) Dung
State table
High security without performance degrading
Scalable
provides data for tracking Connectionless traffic
stores and updates state / context of data Within packets
Weaknesses:
susceptible to DoS attacks (filling state table)
packet filtering firewall, what is it, advantages (3), weaknesess (4)
inspects packets transferred between computers. The firewall maintains an access-control list which dictates what packets will be looked at and what action should be applied, if any, with the default action set to silent discard
packets inspected by SAH ALUF
advantages:
Scalable
not Application dependent
High performance
weaknesses:
cannot prevent Application vulnerabilities from being exploited
Limited logging
do not support advanced User authentication
may not detect packet Fragment attacks
difference of stateful vs packet filtering
While a packet filtering firewall only examines an individual packet out of context, a stateful firewall is able to watch the traffic over a given connection, generally defined by the source and destination IP addresses, the ports being used, and the already existing network traffic.
due diligence vs due care, results of not taking each
due care must always be taken (by all people), not taking due care results in negligence
due diligence may not be necessary but is best for the long term and maintains the due care effort
due diligence makes sure the same incident doesn’t happen twice, due diligence is generally taken by management, due diligence focuses on risk based decision making, not taking due diligence consequences depend on the situation
enterprise security architecture, definition, steps (5)
Bo Bacardi (BA RA RC DI) is our enterprise security architect.
an integrated and comprehensive strategy for protecting the organization against cyber threats
BO BA RA RC DI
Identify Business Objectives, goals and strategy
Identify Business Attributes that are required to achieve those goals
Identify all the Risk Associated with the attributes that can prevent a business from achieving its goals
Identify the Required Controls to manage the risk
Define a program to Design and Implement those controls
program to design and implement Enterprise Security Architecture controls (4 high level steps)
Architecture is usually the top level and the top is sometimes known as the Capo.
CA PA CAMP OA
define Conceptual Architecture for business risk
define Physical Architecture and map with conceptual architecture
define Component Architecture and Map with Physical architecture
define Operational Architecture
Security Architecture timing
Can only happen after a general architecture
SABSA, what does it mean, what is it - tool for aligning … … with … … and each layer increases … and decreases … (… to …), matrix axes description x (6) y (6)
Sherwood Applied Business Security Architecture - tool for aligning security architecture with business strategy; each layer increases detail (Y axis) and decreases abstraction (policy to implementation)
Matrix
there’s AMPPLe Time on the SABSA Primay CLOCC
X axis: Assets (What), Motivation (Why), Process (How), People (Who), Location (Where), Time (When) (AMPPLT)
Y axis: Contextual, Conceptual, Logical, Physical, Component, Operational (P CLOCC)
SABSA success factors (4)
SABSA is SABEPESE
SA BE PE SE
Strategic Alignment - business drivers and regulatory requirements met by security architecture
Business Enablement - core business processes are integrated withing the security operating model, standards based + risk based (can do new things)
Process Enhancement - integrating security components into business processes (can do things better)
Security Effectiveness - measured by security assessments
ISMS vs ESA
ISMS - (Information Security Management System) specifies the components of the security program
ESA (Enterprise Security Architecture) - specifies how the components of the security program relate to the general business architecture and how the components are integrated in the business environment and is part of EA (enterprise architecture)
ISO 27000 series
Outlines the essential components of a security program
m of n control, what is it, aka
m = agents, n = total pool of agents
m of n agents must participate in the control in order to complete an action
aka: quorum authentication
NIST 800-39, subject, 3 tiers, what type of models are applicable (1)
Hitler mad ‘39 a difficult time to manage information security risks
Managing Information Security Risk
3 Tiers:
Organizational view
Mission / Business view
Information Systems view
Trust models
encapsulation occurs in what layers of the OSI model
occurs in level 1-4
ISRM (9 principles)
Information System Risk Management
Should address:
RR CORK CAP (risk reward cork cap)
formal process of Risk identification
approach of changing staff behavior / resource allocation in Response to risk analysis
Connection between ISRM policy and strategic planning
Objectives of ISRM team
Responsibilities of ISRM team
KPI’s
mapping of risk to internal Controls
Acceptable level of risk
mapping risks to Performance targets / budgets
RM Team, goal, 10 principles
Goal: Organization is protected in a cost effective way
Principles:
The risk management team’s goal is to protect the organization in a cramped mine.
CRAMPED MINe (e not used)
mapping of legal / regulation Compliance to controls
appropriate Resources / fund allocation
security Awareness training
ability to establish risk Mitigation in specific areas as necessary
Procedures to identify and mitigate risks
Establish risk acceptance level
Documented risk assessment process
development of Metrics / KPI’s
Integration of ISRM and change control process
ability to identify and assess New risks
RM Process overview NIST-FARM, 12 sub tasks
FARM PACT TR REDI SM
Frame risk: PACT
Priorities
Assumptions
Constraints
Tolerance
Assess risk: TR
Threat and Vulnerability Identification
Risk Determination
Respond to risk: REDI
Risk Response Identification
Evaluation of Alternatives
Risk Response Decision
Implementation of Response
Monitor risk: SM
Risk Monitoring Strategy
Risk Monitoring
threat definition (2)
potential cause of an unwanted incident which can result in harm
negative effect of uncertainty on objectives (CIA are objectives)
vulnerability definition
weakness that may allow a threat to compromise security
risk definition (2)
likelihood of a threat exploiting a vulnerability and the corresponding impact
the effect of uncertainty on objectives (ISO 31000)
exposure definition
instance of being susceptible to loss
control / countermeasure definition
a mechanism put into place to reduce risk
risk assessment definition
broader effort to evaluate an organization’s risks (gather data)
risk analysis definition
specific tasks performed in a risk assessment to evaluate more narrowly defined risks (examine gathered data)
risk analysis goals (4)
a risky goal is to skip BAIL
provide economic Balance between threat impact and cost of countermeasure / control
identify Assets and value of assets
determine the business Impact of threats
determine Likelihood a threat exploits a vulnerability
assigning value to assets considerations (10)
MOOR MULA AI
Maintenance cost
Operational losses without the asset
value to Owners / users
Replacement cost
Market value
Userfulness to organization
Liabilities if asset is compromised
Acquisition cost
value to Adversaries
Impact to brand / reputation if asset is lost
NIST 800-30, subject, Steps (4), categories of threat events (8)
Guide for Conducting Risk Assessments
Focuses on computer systems and IT security
30 days after assessing the risk, People Can Count Money from ART CRIME
Steps:
People Can Count Money
Prepare
Conduct
Communicate
Maintain
Categories of Threat events:
ART CRIME
Attack
impact / Results
Tools of attack creation
Coordinate campaign
Reconnaissance
malicious capability Insertion / delivery / Installation
Maintain presence / capabilities
Exploit / compromise
NIST 800-30 Conducting Risk Assessment (5 steps)
guys under 30 have 2 eyes (I’s) popping on tripple d’s but TV could be LIaR
identify Threats
identify Vulnerabilities
determine Likelihood of occurrence
determine Impact magnitude
determine Risk
FRAP, what is it, intended for … a … … / …, based on experience of … …, not …
Facilitated Risk Analysis Process
Intended for evaluating a single entity / system
Based on experience of team members, not calculations
OCTAVE, what does it mean,
… percent of consequences come from … percent of the causes, intended for … …
… and focused on …
8 steps (3phases)
Operationally Critical Threat, Asset and Vulnerability Evaluation (Carnegie Mellon U)
80 percent of consequences come from 20 percent of the causes
Intended for Information Security
Qualitative and focused on speed
Steps:
EOS S MIRS
E Octave Sounds Simply Melodic In Rhythmic Songs
Phase 1
identify Enterprise Knowledge
identify Operational Knowledge
identify Staff Knowledge
Phase 2
establish Security Requirements
Phase 3
Map High-priority information assets to Information Infrastructure
perform Infrastructure Vulnerability evaluation
conduct Mulidimensional Risk analysis
develop Protection Strategy
FMEA, what is it, used for (4), goal, uses … … and … .., steps (5)
Failure Modes and Effect Analysis
used for:
PRO’S
Product development,
assurance Risk management and
Operational environments,
first developed for Systems engineering
goal: identify most likely failure and fix possible causes or reduce impact of break
uses failure modes and effect analysis, due to the depth it is usually only performed on critical functions
application of method to chronic failure enables the determination of the point where failure is most likely
steps:
BIFCR (Bad Info Fouls Credible Reports)
BD IF FE CD RA (Bad devices, I find, fail eventually causing destruction right away)
Block Diagram of system / control
consider Impact of Failure for each block
table with Failures and their Effects
Correct Design of system
have engineers Review Analysis of the failure modes and effects
Fault Tree Analysis, good for…, how is it done, examples (5)
good for determining failure modes in complex multiple systems or subsystems
start with a failure (as root of tree) and add possible causes (as branches to the root) and causes to each branch (as more branches or leaves), numbers representing probabilities for each item are added (often done with software)
examples the methodology is good for:
FISTU (and fault tree begin with F, the other item that matches F is not examples)
False alarms
Insufficient error handling
Sequencing / order
incorrect Timing output
valid / Unexpected output
vulnerability assessment vs risk assessment
identifies vulnerabilities but does not assign probabilities of occurrences, etc. like a risk assessment
uncertainty (in risk analysis)
degree to which confidence is lacking in an estimate (expressed as a percent)
Delphi Technique
uses multiple rounds of questionnaires sent to a panel of experts to work toward a mutual agreement or consensus opinion
often anonymous to prevent individuals being pressured by others
control assessment - evaluation of … to determine correct …, … … and … … have been attained
evaluation of control(s) to determine correct implementation, operational effectiveness and end results have been attained
verification of control answers…
did we implement the control properly
validation of control answers…
did we implement an appropriate control
risk monitoring definition - … … the effectiveness of … at … all risks to … levels with focus on …, … and …
continuously assessing the effectiveness of controls at mitigating all risks to tolerable levels with focus on effectiveness, change and compliance
NIST 800-161
theirs 161 links in our supply chain
Supply Chain Risk Management Practices
Create supply chain map
external control evaluation examples (5)
FDIPS
US Federal Risk and Authorization Management Program (FedRAMP)
US DOD Cybersecurity Maturity Model Certification (CMMC)
ISO 27001 certification
PCI DSS certification
Service Organizational Control (SOC1 or SOC2)
BCM definition, lifecycle (5 phases)
Business Continuity Management - holistic management process covering BCP and DRP
Lifecycle:
PADIV
continuity is similar to persistence
Persistent Actions Don’t Involve Variability
Policy / Program management
Analysis - BIA and Risk Assessment
Design
Implementation
Validation - using TTE
3 high level categories of business controls (not CIA)
TAP
Technical
Administrative
Physical
CCPA, what does it mean, what does it apply to (2 + 1 of 3, 1 with 1 other), 1 other note
California Consumer Privacy Act (2020)
PII = first name, last name + (SSN or DL# or CC# with PIN)
Has been copied by many different stats
OECD, what is it, principles for data use (8)
Organization for Economic Co-operation and Development - helps different countries resolve issues with globalized economies
Principles:
Economics frequently involve Aid, cooperate with the cops U
U AID COPS
Use Limitation
Accountability
Individual Participation
Data Quality
Collection Limitation
Openness - open communication of practices
Purpose Specification
Security Safeguards
Data types protected by GDPR (17, W includes 4)
SHIPP RT WE BANG
Sexual Orientation
Health
ID numbers
Political
Phone
Religious
Trade Union
Web Data (LICE - location, IP address, cookies, email)
Ethnic
Biometric
Address
Name
Genetics
Key Provisions of GDPR (6)
DF CRIP
Data Protection Officer (DPO)
right to be Forgotten
Consent
data breach Reporting (72 hours)
right to be Informed
right to restrict Processing
TDF (in relation to GDPR, etc.)
Transborder Data Flow
ISO 27005, what is it, should be used with…, steps (6)
It’s like there’s 27005 treatments for risk. Crime Is Ever Evolving TREAT As-such
Risk treatment (differs from NIST RMF in that risk communication is also an additional process where in NIST RMF it’s only implied)
Should be used with ISO 27001 security program
Steps:
C I E E T A (Crime Is Ever Evolving Treat As-such)
Context Establishment
risk Identification (risk analysis + assessment)
risk Estimation (risk analysis + assessment)
risk Evaluation (risk assessment)
risk Treatment
risk Acceptance
FAIR framework, what is it, focuses on … measurement of … of incidents and their … , why it’s unique, focus not on … threats but … threats
Factor Analysis of Information Risk framework - focuses on precise measurement of probabilities of incidents and their impacts
Only international standard that is quantitative
Focus not on possible threats but probable threats
NIST RMF, which publications make it up (3)
consists of 800-30, 800-37 and 800-39
NIST 800-53
catalog of controls and how to select them to protect US Federal systems, has 20 families of controls and 1000+ controls in those families
CIS (source of help)
Center for Internet Security control framework
COBIT 2019
business framework for IT enterprise management (ISACA)
DoDAF, focus on 7 things
US DoD Architecture Framework - ensures interoperability to meet military goals
Focus on:
IRS is part of US gov
4 C’s IRS (irs all end in nce)
Command
Control
Communications
Computers
Intelligence
Surveillance
Reconnaissance
Risk Frameworks (4)
FONI
NIST RMF
ISO 27005
OCTAVE
FAIR
Security Program Frameworks (2)
ISO 27000
NIST Cybersecurity Framework
Security Control Frameworks (3)
there is 2 c’s and 1 n in “security control”
NIST 800-53
CIS Controls
COBIT 2019
Enterprise Architecture Frameworks (4)
ZTDS
Zachman - taxonomy
TOGAF - The Open Group Arch. Framework
DoDAF - Dept. of Defense Arch. Framework
SABSA - Sherwood Applied Business Security Architecture
NIST RMF - common control definition
control exists outside of multiple systems but applies to these systems
NIST RMF - system-specific definition
control exists and applies within a system
NIST RMF hybrid control
control is partly common and partly system-specific, e.g. security awareness training
POAM / POA&M, what does it mean, used in the … step in NIST RMF
plan of action and milestones used in the Authorize step in NIST RMF
TTP
a threat actor’s Tactics, Techniques and Procedures used in the Monitor step in NIST RMF
ISO 27005 risk treatments (4)
MATA
Mitigate
Accept
Transfer
Avoid
ISO 27001 subject
Information security programs certification
NIST Cybersecurity Framework (CSF) activities (5), tiers (3), what does each tier mean
Industrious Physiques Don’t Ruin Reputation, Causing Imaginary Problems
Activities:
IPDRR
Identify
Protect
Detect
Respond
Recover
Tiers:
CIP
Framework Core - applies to all organizations
Implementation Tiers - categories of rigor / sophistication
Framework Profile - describes the state of organization in regards to categories
CIS Controls, how many families, how many subcontrols, categories (3), implementation groups and what type of org for each (3)
Framework with 20 families of controls and 171 subcontrols
Control Categories:
Basic - should be implemented in every organization
Foundational - best practices
Organizational - focus on people and processes
Implementation Group 1 - SMB’s
Implementation Group 2 - Large organizations with an IT security department
Implementation Group 3 - Large organizations with security experts in different specialty areas
ITIL, what is it, dimensions (4)
Information Technology Infrastructure Library - framework to combine business and IT processes
4 dimensions:
VOIP
Value Streams and Processes
Organizations and People
Information and Technology
Partners and Suppliers
Six Sigma … improvement methodology that utilizes … methods to improve … and reduce …, …. and …
process improvement methodology that utilizes statistical methods to improve efficiency and reduce variation, defects and waste
data criticality defined
how loss of information would impact the fundamental business processes of an organization
data sensitivity
how data disclosure would impact an organization’s losses
how can data be classified (3)
sensitivity, criticality or both
classification levels, commercial (4), gov. / mil (5)
commercial, highest to lowest
c p s p
confidential - disclosure could seriously affect the organization
private - disclosure could adversely affect the organization or personnel
sensitive - requires special precautions for confidentiality and integrity
public - disclosure would not result in adverse impact
military, highest to lowest
ts s c cu u
top secret - disclosure could result in grave danger
secret - disclosure could result in serious damage
confidential - exempt from disclosure by Freedom of Information Act
controlled unclassified - cannot legally be disclosed (e.g. health records)
unclassified - data not sensitive
data classification procedure (9 steps)
DSOCCETRA (Dont separate otherwise classified categories even to raise awareness)
Define classification levels
Specify classification criteria
identify data Owners responsible for classifying data
identify data Custodians responsible for maintaining data and classification level
indicate security Controls
document Exceptions
methods for Transferring custody / ownership
Review procedures for classification / ownership / custody declassification
security Awareness for the above
gold master
a device image with desired configuration and installed software
AUP
Acceptable Use Policy
NIST 800-88
guidelines for media sanitization
NIST 800-111
Guide to storage encryption
Homomorphic encryption
Allows operations on encrypted data, not currently practical
steganography is which type of security, and it’s components (3) are what, where are hidden bits usually stored
is a from of security through obscurity
components:
carrier - file message is hidden within
stegomedium - medium message is hidden on
payload - message
hidden bits stored in least significant bits (LSB)
LSB
least significant bits, or bits which would least affect the carrier
data loss vs. data leak
data loss - it is unknown where the data is
data leak - confidentiality of data has been compromised
NDLP, EDLP and the data protected by each
network data loss prevention normally only protects data in motion
endpoint data loss prevention can protect data at rest and data in motion
CASB, what is it, modes (2), disadvantages (4) of one mode
Cloud Access Security Broker - applies security policies to cloud services
Can be in proxy mode - CASB is in data path, all data is routed through the proxy, includes reverse proxy that protects data not routed through the VPN (routes from cloud service to the proxy),
Proxy disadvantages: (Cloud PICS)
single Point of failure (unless redundant devices added),
can be an Issue with non-company devices,
Changes in cloud must be maintained
Slows down processes,
Can be in API mode - uses API’s and doesn’t have the disadvantages in proxy mode
scoping vs tailoring
scoping - taking broad standard and trimming unneeded parts
tailoring - taking broad standard and changing parts to better work with a specific situation
When faced with questions about managing digital assets
Consider that assets have already been created, classified, labelled, etc. before they become managed
a cloud service presumably could be part of corporate infrastructure (T or F)
True
CRUD (basic functions)
Create, Read, Update, Delete
ACID
Atomicity, Consistency, Isolation, Durability - database properties
cell suppression
hiding specific cells in a database record to prevent inference confidentiality breaches
database partitioning
dividing a database often to prevent inference confidentiality breaches
Noise / Perturbation
inserting bogus information in hopes of midirecting an attacker to provide confusion
RTU
remote terminal unit - devices that relay readings or execute commands in an ICS
Most important general concern in ICS
human safety
NIST 800-82, 7 recommendations
guide to industrial control systems (ICS),
in ‘82 I became an adult in industrial society and now have to follow adult people rules
AP RULES
monitor Audit trails regularly
ensure process for Patch management
apply Risk management to ICS
disable Unneeded ports / services on all ICS devices
implement Least privilege
use Encryption when possible
Segment network to allow IPS/IDS within subnet boundaries
OT
Operational Technology - ensures ICS systems can talk to each other
HMI
Human-Machine Interface - usually a workstation used to monitor / control an ICS or ICS component
Data Historian
log of all activity in an ICS
data diode
security hardened network controllers allowing unidirectional data flow in ICS
DAS
data acquisition server - servers in SCADA systems that receive / process data from endpoints
most important technology principle with OT systems
isolate the OT from internet
thunking
converting 32 bit request to 64 bit
type 1 hypervisor
hypervisor runs on bare metal
type 2 hypervisor
hypervisor is an application running in an O/S
NIST 800-190, 4 recommendations
Application Container Security Guide
TVOG
use container-aware defense Tools (e.g. IPS)
adopt container-specific Vulnerability management tools
use container specific host O/S
only Group containers with same purpose, senstivity and threat postures on the same O/S
atbash
hebrew invention of cryptography from 600 BC which was a monoalphabetic substitution cypher
Lucifer
complex cryptographic project developed by IBM involving mathematical equations which grew into DES encryption after it was adopted by the NSA (1976)
keyspace
range of values available to form a cryptographic key
cryptosystem definition and components (4)
all needed components to allow encryption
components:
paks
protocols
algorithms
keys
software
cryptosystem services (5)
confidentiality
integrity
authentication
authorization
nonrepudiation
Kerckhoff’s Principle
the algorithm should be known and only the key should be secret, if there are too many secrets there would be more vulnerabilities to exploit (as it can’t be tested openly)
Vernam Cypher, aka, 4 requirements
aka one-time pad, perfect encryption using XOR with random key as long as the plaintext
to be unbreakable:
pad only used once
pad must be at least as long as message
secure distribution and storage of pad
pad must be truly random
symmetric encryption provides
confidentiality, does not provide authenticity or nonrepudiation
avalanche effect, what is it, aka?
if a slight change of a key is made, a large amount of the cyphertext is changed (same concept as diffusion)
stream vs block how many bits are acted on at a time
stream acts on one bit at a time
block acts on more than one bit at a time (a grouping or block of bits)
keystream generator, what is it, how does it work, what does it use?
used in symmetric block encryption to produce a stream of bits that are XOR’d with the plain text (similar to one time pad where each bit has it’s own bit to be XOR’d with)
it uses a shared key to generate the stream
stream ciphers, block ciphers and hardware vs software in regards to processing power
stream ciphers work better with hardware implementation and require more processing power
block ciphers work OK on software implementation and require less processing power
how does key agreement in DH key exchange work, used for what type of encryption is it for after the key established?
In DH key exchange, the public keys (assymmetric encryption) of each party is combined by the algorithm to create an agreement on a key to provide symmetric encryption between the parties
QKD
Quantum Key Distribution - using the properties of quantum mechanics in photons to select keys between two parties
Birthday Attack
attack on hashing using the “birhday paradox” in that the chance is more than 50/50 that you have the same birthday as somebody else requires 253 people gathered because you’re looking for a specific birthday, however the chance that 2 people have the same birthday only requires 23 people gathered because it can be any birthday that two people share
A birthday attack is a bruteforce collision attack that exploits the mathematics behind the birthday problem in probability theory. This attack can be used to abuse communication between two or more parties. The attack depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations (pigeonholes).
Hash security services
Integrity only
HMAC security services provided
hashed based message authentication code
integrity + authentication
Digital signature services (3)
integrity + authentication + nonrepudiation (NOT confidentiality)
digital certificate
used to associate a public key with a unique identity, only considered secure when signed by a valid certificate authority
OCSP (PKI)
Online Certificate Status Protocol - automatically checks CRL’s
RA (PKI)
Registration Authority - acts as a broker between subject and the CA (can be in the same organization as the CA)
PKI security services (5)
Confidentiality
Access Control
Integrity
Authentication
Nonrepudiation
NIST 800-57
Key management
you need a key for a 57 chevy
chosen-plaintext attack
attacker provides the text to be encrypted and then uses it as if in a known-plaintext attack
chosen-cyphertext attack
attacker chooses the ciphertext to figure out the key, attacker probably has some control over the system to be successful
frequency analysis, aka?
(aka statistical analysis) identifies statistically significant patterns in ciphertext
replay attack countermeasures (2)
within authentication mechanism:
time stamps and time limits
nonce based (single use) authentication tokens
work factor
time it takes to break a cryptosystem or encryption process
SHA developed by whom for what
developed by US Fed gov for creating secure message digests
Lockheed Martin Cyber Kill Chain, attack stages (7), Defender actions (6), goals (2)
Attacker Stages:
Real Wars Don’t Ever Indicate Course of Action (RWDEICA)
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command / Control
Actions on Objective
Defender Actions: (5D’s + C)
Deceive
Degrade
Deny
Detect
Disrupt
Contain
Goals:
Identify indicators of attack stages
Defender Actions taken earliest
opportunity is best
MITRE ATT&CK Framework, 14 tactics
Adverserial Techniques Tactics & Common Knowledge
14 tactics have techniques and sub-techniques used by threat actors:
ICED CLoCk DRIPPER (ok to not use ok)
Initial Access
Credential Access
Execution
Defense Evasion
Collection
Lateral Movement
o
Command and Control
k
Discovery
Reconnaissance
Impact
Persistence
Privilege Escalation
Exfiltration
Resource Development
11 Secure Design Principles
DFKLN PSSST Z
Defense in Depth
Fail Securely
Keep it Simple
Least Privilege
Need-to-know
Privacy by Design
Shared Responsibility
Separation of Duties
Secure Defaults
Trust but Verify
Zero Trust
Covert Channel Types (2)
Storage - space changes
Timing - by use of system resources
FDE (hardware)
full disk encryption
SED (hardware)
self encrypting disk
TEE, what is it, aka, used in device / service types (5), has it’s own … … and can only be used with …, typically has it’s own … … and …
trusted execution environment
(aka: secure enclave on apple products) - have been checked to ensure trustworthiness -
frequently used in mobile devices, embedded devices and IoT devices, starting to be used in microservices and cloud services
has it’s own security perimeter and can only be used with API’s,
typically has it’s own hardware resources and O/S
REE (cloud computing)
rich execution environment (untrusted)
TEE and root of trust
TEE don’t have their own root of trust (because they are software) but rely on the hardware’s root of trust where the TEE is run
Processor Security Extensions
instructions that take advantage of security implemented in CPU’s
atomic execution, what is it, prevents (2, 1 is a type of attack), effect on performance
controlling a program to ensure uninterrupted execution of part of a program
prevents other processes from interfering with resources used during execution
prevents TOCTOU attacks
can degrade performance if used often
bus encryption
encrypts data everywhere in the computer except while it’s being processed
physical security goals (5)
DDDAR
deterrence
delaying
detection
assessment
response
developing physical security steps (10)
I don’t really recommend drawing protective curtains closed in morning
(IDRRDPCCIM)
Identify team
Define scope (site vs facility)
Risk analysis
Regulatory / legal requirements
Define acceptable risk level
Performance baselines based on risk levels
Countermeasure performance metrics
Criteria for physical security goals
Identify and implement countermeasures
Monitor for performance and changes
MDF (hardware / facilities)
main distribution facility - data feed to building
IDF (hardware / facilities)
intermediate distribution facility - smaller data feeds within a building
Fire classes (5)
A - common combustibles
B - liquids / gases
C - Electrical
D - metals
K - cooking oils
fire combustion element - suppression agent (4, matched with element)
fuel - soda acid
oxygen - carbon dioxide
temperature - water
chemical reaction - FM-200
LPD (lan protocol)
Line Printer Daemon protocol, enables printing over a network
application layer function (3 protocols)
formats data from applications for transmission over a network (SMTP, HTTP/S, LPD)
presentation layer function (2 types of protocols and 2 specific protocols)
formats (serializes) data in a manner the receiving computer can understand (compression, encryption, TIFF, JPEG)
session layer, main function, sub functions (3), protocols (3)
creates session receiving application can understand, creating session, maintaining session, releasing session (L2TP, PPTP, RPC)
transport layer function, protocols (2)
creates session between two computers to enable communication (TCP, UDP)
network layer function (5 protocols)
insert information into packet header for addressing and routing (RIP, ICMP, OSPF, BGP, IGMP) BRIIO
data link layer function, 2 control functions, NIC function, 9 protocols
formats data for the physical transmission media
2 functions
LLC - logical link control, interfaces with network layer, flow control and error checking
MAC - media access control, interfaces with physical layer adds last header / trailer [framing] to before it hits wire and what volts to put on the wire 1 is +.5 volt / 0 is 0 volts
NIC - bridges data link to physical
protocols:
FLAP ET
(PPP, ATM, L2TP, FDDI, Ethernet, Token Ring)
physical layer functions (5) protocols (4)
CDLST
Convert bits to electromagnetic signals for transmission, Synchronization,
Data rates,
Line noise
and Transmission techniques
protocols:
ethernet
wifi
Fiber Optics
coaxial
CAN (automotive)
Controller Area Network - a bus type network (linear or tree) prevalent in vehicular networks
CSMA, two types and the use of each type
carrier sense multiple access - most common MAC type
CSMA/CD - collision detection, if collision detected random timer is invoked and data retransmitted mostly used with hubs / bridges, not used much currently
CSMA/CA - collision avoidance, listen for “quiet” network then transmit, currently used with wireless
used in FDDI
Token Ring, used by… (1)
Only node with token can transmit, used by FDDI
polling transmission method
central station polls nodes to check if they need to send data, commonly used in WAN’s
Class D address, types of addresses, ip4 vs ip6
224.0.0.0 to 239.255.255.255, multicasting addresses (IP4)
IP6 - addresses starting with 8 1’s
IGMP, what is it, what is it used for
Internet Group Management Protocol
used to report multicast group memberships to routers
802.1AE, what is it, what does it provide (3), what OSI layer, prevents … …, how does it work
MACSec,
provides confidentiality, integrity and authentication
at layer 2,
prevents rogue devices,
checks each frame for ICV (integrity check value) and allows if valid
802.1AR, subject, specifies … per-device … and … binding, provides … device … , works with …
I gave my AR a…
secure device identity
specifies unique per-device identifiers and cryptographic binding, provides secure device provisioning, works with EAP-TLS
802.1AF
provides key agreement for session keys
well known ports range, definition of well known port
0 to 1023, standardized port for particular traffic
registered ports range, how they are used
1024-49151 can be registered with IANA for a particular use
dynamic ports range, aka, used for
49152-65535 can be used as needed (aka ephemeral ports)
name of frames over tcp vs udp
tcp frame is a segment
udp frame is a datagram
IP4 packet size limit
65,535 bytes
IP6 packet size limit
4,294,967,295 bytes
6to4 tunneling, what is it, intersite vs intrasite
embeds IP4 addresses within IP6 addresses (intersite)
Teredo tunneling, what is it, uses … encapsulation so that … are unaffected, intersite or intrasite
temporary IP4 / IP6 solution
uses UDP encapsulation so that NAT are not affected (intersite)
ISATAP tunneling, what is it, intersite vs intrasite
Intra-Site Automatic Tunnel Addressing Protocol treats IP4 network as a virutal IP6 address (intrasite)
DHCP address assignment process 4 steps
Client -> DHCPDISCOVER -> DHCP Server
Client <- DHCPOFFER <- DHCP Server (with IP Address)
Client -> DHCPREQUEST -> DHCP Server
Client <- DHCPACK <- DHCP Server (confirming IP address with validity period)
DHCP attacks list (5), solutions (2)
CMRSS
Compromise Client Configuration
MITM
Route traffic to unauthorized networks
DHCP Spoofing - configure fake DHCP servr on network
DHCP Starvation - flood DHCP server with bogus requests
Solutions:
enable DHCP snooping
port security
DHCP Snooping, ensures only valid … addresses receive … addresses from the … , can provide protection against … … servers
Security measure performed on a switch, ensures only valid MAC addresses receive IP addresses from the server (NOT AN ATTACK)
These switches also can provide protection against rogue DHCP servers
RARP, used for, better alternative is …
used for booting diskless devices to receive IP address, BOOTP is a better alternative with more functionality
ICMP attacks (4), solutions (5)
attacks:
CRaMP
can be used as a covert channel - attacker sets up an ICMP responder
can be used to redirect traffic (routers use icmp to determine best route,etc.)
can be used to map network (traceroute)
can be used for DoS
Solutions:
DDFIS
disable ICMP if coming from one of your on-network devices
disable icmp redirect (hosts)
firewall, block incoming icmp
IDS / IPS
Secure icmp redirect (accept only from default gateways)
Protect against SNMP attacks (4)
Change default community strings
Don’t use SNMP v1 or v2 (clear text community string)
Close ports 161/162 to untrusted networks
Filter ports 161/162 to only authorized endpoints / individuals
DNS attacks and mitigation, not mentioned elsewhere (3 each with a solution)
unauthorized zone transfer (update of dns information from one dns server to another) - allow zone transfers only on specific servers
poisoning dns cache or primary records - use DNSSEC
host file manipulation, don’t allow users to have admin access or access to host files
Routing Protocol Attack prevention (1)
enabling router authentication
CSU/DSU, what is it, used for …
channel service unit / data service unit - used to connect WAN to LAN
OFDM, what is it, used in … (6)
Orthogonal Frequency Division Multi-plexing - uses modulated signals that are orthogonal (perpendicular) to each other in tighter frequency spreads, since signals are perpendicular, they don’t interfere with each other,
used in:
digital tv,
audio broadcasting,
DSL,
wifi and
4/5G wireless
DSSS, what is it, how does it work, uses what
Direct Sequence Spread Spectrum - takes the entire spectrum and splits it into smaller subchannels, uses all frequencies simultaneously using chipping code
FHSS, what is it, how does it work - takes the entire … and … it into smaller …, then … the … frequently, sender and receiver have … … synchronized, protects against …
Frequency Hopping Spread Spectrum - takes the entire spectrum and splits it into smaller subchannels, then changes the subchannels frequently, sender and receiver have hop sequence synchronized, makes eavesdropping harder if hopping sequence is unknown
chipping code definition, aka
allows receiver to reassemble transmission (aka pseudo-nonce sequence) in DSSS
adhoc WLAN security implications
adhoc WLAN’s are less secure than infrastructure WLAN’s
802.16
WiMAX standard
802.11e
all traffic is not Equal
wireless QoS standard supporting multimedia trafic
802.11f
f for free-range wireless
addresses roaming / handoff for wireless networks
802.11h, what is it for, where developed, uses what two technologies
h - hell
subject: address wireless interference (wireless hell)
originally developed in Europe to address interference from other wireless activities using DFS (dynamic frequency selection) and TPC (transmit power control)
WEP deficiencies (4)
WSIL
weak authentication
static encryption keys
ineffective initialization vectors
lack of packet integrity assurance
802.11i what is it , improvements over WEP (5), WPA2 Enterprise adds
WPA2 (note WPA is just WEP on steroids)
Improvements:
STAMP
sequence numbers
TKIP - temporal key integrity protocol - each frame has a new key
AES encryption with CCMP
Message integrity checks
PSK size increased to 256 + salt of the SSID
WPA Enterprise adds 802.1X (port authentication and EAP)
WEP hacking tools (2)
Airsnort
Wepcrack
802.11w, subject, provides protection from … and … attacks
to remember turn over w and it makes an m for management frame
Management frame protection (certain frames that can’t be encrypted) - protects from replay and DOS attacks
WLAN best practices (10)
DAV WU SWAMP
change Default SSID
put AP’s as close to middle of building as possible
VPN for wireless devices
implement WPA3
guest networks should connect to Untrusted VLAN
Separate VLANS for each class of users
deploy Wireless Intrustion Detection System (WIDS)
put AP in DMZ with firewall protection from wireless side
MAC filtering
Penetration testing
CDMA
Code division multiple access - each channel has a code, current technology used by most cell networks
FDMA, used in…
Frequency division multiple access - ealiest multiple access technology for cell phones (1G)
4G / 5G cellular networks require which multiple access technology?
OFDMA
IMSI catchers
International Mobile Suscriber Identity catchers - devices that can jam 3G / 4G / 5G signals and force devices down to 2G which does not have authentication between devices and towers, can be built for less than $1500
E2EE
End to end encryption (most common is TLS)
POODLE attack, originated in what year, why did it work
Padding Oracle On Downgraded Legacy Encryption - (originated in 2014) the attack worked because SSL allowed security downgrading for interoperability
SSL on exam
should not be the correct answer to the question asking for best, or most secure
TLS 1.3 handshake process (4 steps), cipher suites (5), … keys (like one time pad), what other versions of TLS are considered insecure and not deprecated until when
- Client Hello - list of cipher suites and protocols supported by client, client input for key exchange
- Server Hello - servers selection of cipher suite and protocol, server input for key exchange
- Server Authentication - server’s digital certificate, proof server owns the certificate’s private key
- Optional Client Authentication - client’s digital certificate, proof client owns the certificate’s private key
Supported Cipher Suites:
TLS_AES_256_GCM_SHA384 (best protection but highest resources)
TLS_AES_128_GCM_SHA256 (next best protection but next highest resources) - ideal for systems with hardware encryption support
TLS_AES_128_CCM_SHA256 - CCM is 16 bit similar to GCM
TLS_AES_128_CCM_8_SHA256 - CCM is 8 bit, better suited for embedded devices
TLS_CHACHA20_POLY1305_SHA256 - 20 rounds of ChaCha cipher combined with Poly1305 MAC - good for software based encryption
Other feature: ephemeral keys - similar to one time pad, only used once, provides forward secrecy (aka perfect forward secrecy) which is attackers could only decrypt a small portion if they got the key
most features of 1.3 were optional in 1.2
TLS 1.0 and 1.1 are insecure (but not formally deprecated until 3/2021)
ChaCha20 / Poly1305, provides … … key encryption
algorithms providing authenticated symmetric key encryption
AE, what is it, provides … and … (2) for … ciphers
AE is IN (integrity nonrepudiation)
Authenticated Encryption - integrity and non-repudiation for stream ciphers
AEAD, what is it, prevents…
Authenticated Encryption with Additional Data - present in TLS 1.3 to prevent replay attacks
PPTP, what is it? default port, works on, secure or not?
Microsoft’s point to point tunneling
protocol,
TCP port 1723
works on IP networks
(insecure)
L2TP, what is it, default port, works on (3), used for, provide encryption?
Layer 2 Tunneling protocol (current version 3) combination of Cisco L2F [Layer 2 forwarding] and PPTP
UDP port 1701(1 comes before 2 in l2tp)
works on IP, ATM, X.25,
by itself doesn’t provide much protection but integrates with protocols that do (e.g. IPSec) to provide confidentiality, integrity, authentication
used when PPP needs to be extended through another network
DOES NOT ENCRYPT
Why is PPP needed
line devices (e.g. routers) do not understand ip networks, but do understand PPP
Why is L2TP needed
extends PPP connections to be able to go through IP networks (which don’t understand PPP)
PPP
Point to Point Protocol
Gateway VPN’s, what are they, don’t need… (3)
VPN provided by connecting Gateways on each end, they don’t need PPP, L2TP, IPSec (LIP)
gateway vpn’s don’t need any lip, ok?
IPSec works at what layer, components (6) what do components provide, works on, used for …
works at network layer (layer 3)
AH - integrity, authentication, protection from replay attacks
SA - specifies security properties that are recognized by communicating hosts, allows for secure exchange of data
ESP - confidentiality, authentication, integrity, anti-replay (most secure part of ipsec)
ISAKMP - framework for SA and IKE
IKE - authenticated keying material for ISAKMP
works on IP networks only, LAN to LAN communication
used for g/w to g/w connections
TLS VPN’s what layer, 2 types, features (3), used to protect … application layer traffic
session (layer 5) PT PEG
types:
PT
tls Portal vpn - accessed via web browser (with built in TLS) to connect to websites
tls Tunnel vpn - accessing non-web-based protocols / applications, usually needs custom programming to access through web connection
features:
PEG
Protects a small number of Protocol types, so not good for infrastructure-level VPN
Granular access control and configuration
Easy to deploy (already built in browser)
used to protect specific application layer traffic
SOA, what is it, 3 characteristics
Service-Oriented Architecture
self-contained components
standardized protocol for request / response (API)
components that implement business functions
REST, what does it mean, uses … to provide … to make … from … , creates a … where every … is a an … … , must use…, also needs … … (to make it secure)
Representational State Transfer architectural pattern
uses HTTP to provide API to make requests from servers, creates a language where every statement is a an HTTP URI
since it does the above, must use HTTPS
also needs input validation
HTTP characteristics (2)
connectionless - sent on best effort (TCP ensures the message is received)
stateless - previous conditions are not taken into account (session ID’s and cookies take care of this)
http get vs http post
get gives Uri up
get - will show the request in the URI
post - will not show the request in the URI
implications of using HTTPS
deep packet inspection can not be performed on HTTPS packets without expensive TLS decryption proxies
WSS, what is it, enables … security, provides …, … and … through … … signatures and security …
Web Service Security, enables SOAP security, provides confidentiality, integrity and authentication through XML digital signatures and security tokens
DNS Tunneling what is it, solutions (3), what does not stop it
an attack using DNS to exfiltrate / infiltrate data
solutions:
RIM of tunnel
RIM
Rate limiting - capping DNS traffic per host
IDS / IPS
dns Monitoring tools
DNSSEC does not stop it
DNS reflection, what is it, solutions (4)
I see a BIRD in the reflection
DOS attack that uses open DNS servers to bombard a server with DNS queries, while spoofing source address
solutions:
bird
Block unsolicited dns replies
IDS / IPS
dns Rate limiting
DNS aware firewall
DNS amplification, what is it, how does it work, what DNS queries can be used (3)
DOS attack that uses open DNS servers to bombard a server with DNS queries that require much larger responses than the size of the query (DNS ANY, EDNS(0), DNSSEC)
DNSSEC, what is it, provides (1), does not provide (2), digitally … groups of … records into … with an … record, drawbacks (1)
set of standards developed to protect DNS record integrity (not confidentiality or availability)
digitally signs groups of DNS records into RRSets with an RRSig record
Also opens the possibility of DNS amplification attack
DoH, what is it, how does it work, provides … (2 related), does not provide (1), drawback (1)
DNS over HTTPS - sends DNS queries over HTTPS/TCP/IP instead of UDP providing confidentiality / privacy, does not provide integrity, but makes some DNS attacks harder to discover
DNS Filtering, how is it implemented
a web proxy that blocks DNS requests to known malicious domains
ESMTP, what is it, allows … to negotiate … sessions when … …
Extended SMTP allows servers to negotiate TLS sessions when sending mail (SMTPS)
POP what is it, what port(s), authentication capabilities
Post Office Protocol, POP3 is current, listens on port 110 or port 995 (POP3S using TLS)
110 ends in 0 POP has O
SASL authentication
IMAP what is it, what port(s), authentication capabilities
can remember port as 3 turned on left size makes an M in IMAP
Internet Message Access Protocol listens on port 143 / 993 (IMAPS)
143, 3 tilted on left side makes an M in IMAP
SASL authentication
SPF (email), what is it, what does it do
Sender Policy Framework, email validation to prevent email spoofing (forged emails)
DMARC, what does it mean, how implemented
Domain-based Message Authentication, Reporting and Conformance combines SPF and DKIM
Modbus
enables communications among SCADA devices (PLC’s)
VTEP, what is it, provides …
Virtual Tunnel Endpoint - in VxLANS provides interface between underlay and overlay networks
VNI
Virtual Network Identifier - equivalent to VID in VLAN’s
SDN most important concept
abstraction of the control and forwarding planes
Approaches to SDN (3)
Open - Open Network Foundation approach relying on open-source code and standards as the building blocks of a solution, uses OpenFlow a standard interface
API - Cisco claims that OpenFlow is insufficient to fully leverage SDN, can do deep packet inspection and manipulation, propietary approach that enriches ONF approach
Overlays - virtual overlay of physical network
DGA
domain generation algorithm - produces random domain names that is predictable to somebody who knows the algorithm, used in DNS attacks
synchronous vs asynchronous communication, 6 characteristics of both (how each: controls character separation, is used for, complexity / cost, error checks, overhead, type of data - framed vs stream)
asynchronous:
uses start / stop bits to separate characters,
typically used for unpredictable data transmission
simple, less costly
error checking using parity bits
each byte requires 3 bits (stop/start/parity)
framed data
synchronous:
uses timing to separate characters clock or signal,
typically used for large amounts of data in a predictable manner
more complex, costlier
robust error checking, CRC (cyclic redundancy check)
less overhead
stream of data
baseband vs broadband
baseband: signal sent in one channel, occupying entire channel
broadband: signal sent in multiple channels simultaneously
UTP Categories (7), speeds of each, where each is used
Untwisted pair, least secure network cable
Cat 1, 1Mbps, no longer used
Cat 2, 4Mbps, no longer used
Cat 3, 10Mbps, used in older networks, phone lines
Cat 4, 16Mbps, used in token ring networks
Cat 5, 100 Mbps, 2 twisted pairs, deprecated for data, still used for phone and video
Cat 5e, 1Gbps, 4 twisted pairs, wideley used currently
Cat 6, 1 to 10Gbps(55 meters), used in newer network installations, standard for 1Gb ethernet
Optical Fiber components (3)
light source, optical fiber cable, light detector (source converts electrical signals to light, detector converts light back to electical)
Fiber light sources (2)
LED’s
Diode lasers
optical fiber modes (2)
single mode used for high-speed over long distances, less susceptible to attenuation
multimode better for short distance
maximum suggested ethernet cable length
100M
fire rated cables should be used …
should be used in plenum spaces
pressurized conduits
used to detect cable tampering (pressure changes when access to cables is gained)
bandwidth
theoretical maximum amount of data that can be carried
throughput, what it means, how much it always is
actual amount of data that can be carried over a real link, always less than or equal to bandwidth
repeaters, bridges, switches, routers:
repeater … and … entire frame received, do not separate … or … domains
bridges can separate … domains
bridges do not separate … domains, switches do
bridges / switches … and can send to specific … addresses (if not a broadcast)
routers can send to specific … addresses, do not forward …
repeater amplifies and resends entire frame received, do not separate collision or broadcast domains
bridges can separate collision domains
bridges do not separate broadcast domains, … do
bridges / switches amplifies and can send to specific MAC addresses (if not a broadcast)
routers can send to specific IP addresses, do not forward broadcasts
802.1Q, subject, 3 sub topics
Qanon is a bridge leading from reality to fantasy RealM M
bridges
relaying and filtering frames on MAC addresses
maintenance of frame filtering / relaying decisions
management of listed elements
STP what is it, where used, what does it do, can also build…, assigns … (2), calculates…
spanning tree protocol, prevents frames from looping endlessly, used in bridges on up
also can build redundancy information
assigns unique bridge ID’s
assigns priorities
calculates path cost
transparent bridging, why is it transparent, how does it work
bridge learns about the network and forwards based on the knowledge,
sends query frame looking for destination when a new destination is required, destination responds to query frame
SPB, what is it, vs. STP
shortest path bridging, more efficient than STP
802.1aq
the bridge over AQua water is the shortest path
SPB (shortest path bridging standard)
switches, are like…, prevents … and … issues, operates in … … that doesn’t compete for same …, basic switch OSI level, what other types are available, what does tagging do, why can they be faster than routers
is like a multi port bridge
prevents collisions and contention issues
operates in duplex mode that doesn’t compete for the same bandwidth
basic switches are layer 2, however layer 3 and 4 switches are also available, they read deeper into the data packets for decisions and tag data, the first switch a data packet encounters tag the data so any other switches can just read the tag instead of analyze the packet, last switch before destination removes the tag
since switches have ASIC chips processing at the hardware layer, they can be faster than routers which function on the software layer.
MPLS, what is it, use of … in switches, allows for faster … and … service requirements for different … … (…)
multiprotocol label switching, use of tags in switches, allows for faster routing and differing service requirements for different packet types (QoS)
router vs. bridge / switch (6 points about header, filtering, port addressing, broadcast traffic, unknown destinations)
router creates new header for each packet, bridges / switches do not alter header information
router forwards / filters on IP address, b/s forward / filter on MAC address
router assigns network addresses to ports, b/s do not read network addresses
routers do not forward broadcast traffic, b/s forward broadcast traffic
routers do not forward if destination is unknown, bridges do forward if destination is unknown
router can provide some limited gateway functions (connecting to unlike networks like token ring and ethernet)
gateways connect two … providing … or …
connect two environments providing restrictions or translations,
proxy servers act as … (and can add …) between clients that want … to … and the … that provide the …
can provide … for frequently requested data - reduces …
act as intermediary (and can add controls) between clients that want access to services and the servers that provide the services
can provide caching for frequently requested data - reduces latency
TOR network, what is it, what is it’s benefit, what is it’s drawback
originally the onion router (tor)
network of proxy servers that provides privacy by routing encrypted traffic anonymously
tor traffic probably shouldn’t be present in corporate networks as it’s commonly used by dark web users
SS7 (PTSN), what is it, when developed
Signaling System 7 , developed in 70’s, protocol used by PSTN to connect calls
SSP (PTSN), what does it mean, what is it
Signal Switching Point - a point belonging to the telephone company where your phone is connected
STP (PTSN)
signal transfer point in telephone companies which allows phone calls to be made
SCP (PTSN), what does it mean, what is it
sCp - c for cell phones
service control point - signaling which allows PTSN to connect to mobile numbers
DSL services and speed of each(3)
AVG
ADSL - asymmetric DSL - 24Mbps download, 1.4Mbps upload
VDSL- Very high-data rate DSL - 300Mbps download, 100Mbps upload
G.fast - uses fiber optic between phone company and points near customers, 1Gbps
ISDN services, what is it, 3 different services and first two speeds, 3rd used for what
Integrated Services Digital Network - uses legacy telephone lines to digitally transfer data
BRI - Basic rate interface ISDN 64 to 144Kbps
PRI - Primary rate interface ISDN 1.544 Mbps
BISDN - broadband ISDN, primarily used in telco backbone networking
DDR (ISDN)
dial-on-demand routing - allows use of ISDN as a temporary WAN link (lower cost than regular WAN links but for low amounts of data)
isochronous network used for…
used for voice and video and other applications using time sensitive data transfers
H.323, what is it, 4 components and their functions
VOIP standard for voice and video calls
4 components:
TGMG
terminals - endpoints such as phones, video conferencing equipment
gateways - interface H.323 with non H.323 networks
MCU - multipoint control units, allow 3 or more conferences
gatekeeper - provides call control services
SIP, what is it, components (2), process (6 steps), what does SIP do
Session Initiation Protocol
UAC - user agent client, places calls
UAS - user agen server, connects calls
process:
Isn’t Open Always Ring Bell Once
IOARBO
INVITE (trying, ringing)
OK (after answer)
ACK
RTP voice call
BYE (after hangup)
OK
SIP does not carry the call only the signaling to start / end calls, call carried by RTP
SIP architecture components (3)
be a siPRR
Proxy Server - relay packets between UAC and UAS
Registrar Server - store locations of users on network
Redirect Server - allows users to change locations and still get calls
RTP / RTCP, what are they, what do they do, what OSI network layer for each
RTP (Real Time Protocol) - used for streaming call data (transport layer)
RTCP - (Real Time Control Protocol) used to control RTP (session layer) and provide QoS data
Meeting Application precautions (8)
we’ll work on the case in the meeting
CASE WURK
don’t use Consumer-grade products
use AES256 bit encryption where possible
restrict participant screen / camera Sharing as appropriate
control access to Each meeting
enable Waiting room feature (prevent zoom-bombing)
keep software Updated
don’t Record meetings unless necessary or low risk
know how to Kick-out unwanted participants
EAP variants (top 10)
TIPT MG FAGS
EAP-TLS - considered one of most secure, uses digital certificates
EAP-IKE2 - provides mutual authentication, can be used with symmetric or asymmetric keys
EAP-PSK - preshared keys
EAP -TTLS - tunneled TLS, only server requires key
PEAPv0/EAP-MSCHAPv2 - only requires server certificate
PEAPv1/EAP-GTC - Cisco variant using Generic Token Card
EAP-FAST - Cisco variant, flexible authentication via secure tunneling
EAP-AKA - authentication key agreement (UMTS Universal mobile telecom systems) using USIM
EAP-GSS - generic security services (kerberos)
EAP-SIM - uses SIM (subscriber identity module)
Socket, what OSI network layer construct, components (5)
layer 4 (transport) construct defined by:
source address
source port
destination address
destination port
protocol (tcp or udp)
To secure sockets (5 recommendations)
a socket is the SAME As an ip address and port combination
SAME A
use Segmentation
apply ACL to block every connection except those authorized
Map every authorized socket
where possible Encrypt channel
Authenticate requests
PTSN main components (3)
STP
SSP
SCP
Identification (2 concepts)
method by which a subject claims a specific identity
public information
Authentication, what is it, process steps (2)
method to verify the identity claims of a subject
two step process - entering public information (identification step) + entering private information (authentication step)
Authorization
method to determine that a subject has rights / privileges to carry out a specific action
Accountability requires two things
subject is uniquely identified and the subject’s action(s) are recorded
KBA
knowledge-based authentication
NIST 800-63B, subject, guidelines for passwords (3)
63 and earlier I only had a digital identity 8/64 AD parents had first anniversary
digital identity guidelines
passwords:
8-64 characters
allow special characters (but not require)
disallow password hints
clipping level
threshold level (e.g. password clipping level is the threshold after which an account will be locked out after a threshhold of x failed attempts is reached)
rainbow table
collection of password in their hashed format
2 methods of synchronous token-based OTP
can be time or counter (aka event) based
3 steps of asynchronous token-based OTP
server sends challenge (nonce),
user enters challenge and
user then receives OTP to use to sign in
two types of contactless smart cards
hybrid - has two chips one for contact and another for contactless
combi - has one chip but can communicate both to contact or contactless systems
fault generation attack
introducing errors on a system to see the result and potentially obtain additional information about the system
microprobing
uses needles and ultrasonic vibration to remove outer protective material on cards circuits so that the card’s chips can be accessed and / or manipulated
NFC - used by 2 devices
near field communications can be used with smart cards and cell phones
ASOR
authoritative system of record
meta-directory vs. virtual directory
gathering data from multiple sources into a single means of searching
meta-directory actually stores the data separately
virtual directory only points to the original location of the data
Access control models (6) + description of each
discretionary -
owners have discretion to allow access,
individual or group identity based,
no access trumps all other access,
ACL’s and ACM’s,
rights assigned explicitly
mandatory -
owners do not have discretion to allow access,
highly classified data protection,
system is specialized,
uses clearances and security / sensitivity labels for subjects and objects,
categories (e.g. need to know rules) can also be used to further restrict access,
categories are not heirarchical,
can have software or hardware guards,
considered non-discretionary
role-based -
allows permissions to be granted based on user roles,
rights assigned implicitly,
good for high employee turnover,
core and heirarchical components,
can be limited or fully implemented
rule-based -
uses specific rules to limit / grant access to objects,
IFTT programming rules from simple to complex,
built on top of RBAC (as RB-RBAC) and used in MAC, is not discretionary as rules are coded and can’t be over-ridden by users or owners
attribute-based -
uses attributes of any part of a system to define access,
provides most granularity but can lead to conflicting policies that may lead to unpredictable results
risk-based -
makes access decisions dynamically based on risk of a situation,
likelihood X impact = risk,
is access less than or equal to maximum tolerable risk threshold
AppArmor
a linux security mode that provides MAC
SELinux, what does it mean, developed by … and implements a … … model of security
security enhanced linux
developed by NSA and implements a flexible MAC model of security
MLS, (security arch)
multi-level security
DAC vs MAC on how access is controlled
DAC checks subject’s identity to ACL of resource
MAC compares clearance and need to know level to object’s security label
software guard
front end product that allows interconnectivity between systems working at different security levels
hardware guard is a system with 2 or more … that perform / allow … between … …
system with 2 or more different NICs that perform or allow the connections between two systems
Core RBAC characteristics (5)
a RoBe or A MUMU can be worn
AMUMU
Accommodates Robust group-based access control,
Maps to Security policy,
Uses a Session as a mapping,
Many to Many relationship among users and privileges,
Uses Other information than user ID and credential for access decisions
Hierarchical RBAC, maps to … structures and … delineations,
an … of rights and permissions can occur,
… … (allows only one level to be …) or
… … (allows more than 1)
… separation of duty - two roles have no shared …
… separation of duty - two roles may have shared …, but users can’t assume … simultaneously
maps to organizational structures and functional delineations,
an accumulation of rights and permissions can occur,
limited (allows only one level to be inherited) or
general hierarchies (allows more than 1)
static separation of duty - two roles have no shared principles
dynamic separation of duty - two roles may have shared principles, but users can’t assume both simultaneously
OASIS
The Organization for the Advancement of Structured Information Standards
scope values (OIDC)
in OIDC, the allowed specific information to be shared between IdP and relying party
TACACS, XTACACS vs TACACS+, TACACS+ compatibility, has … capability and is built on …
Terminal Access Controller Access Control System
TACACS+ not compatible with other two, but does have MFA capability, is built on TCP
RADIUS vs TACACS+, differences in: encryption, authentiction / authorization / auditing treatment, protocol the work over, authenticaion process, good for…, similarity
Radius does not encrypt all data (unless used with TLS)
TACACS+ encrypts all data
RADIUS combines authentication and authorization
TACACS+ separates authentication / authorization / auditing (or accounting) in ture AAA architecture
RADIUS only works over PPP
TACACS+ works over many protocols such as Apple talk, NetBIOS and IPX
RADIUS - single challenge and response
TACACS+ each AAA activity must be authenticated
RADIUS - good for simple accept or deny situations
TACACS+ - good for more sophisticated implementations
both are just protocols
Diameter, builds on …, base protocol provides … …, has … built on base to allow … with different technologies, compatibility with radius, AVP’s compared to radius
builds upon RADIUS
base protocol - provides secure comms
extensions - built on top of base to allow functionality with different technologies
not directly compatible with RADIUS but has upgrade path
has 2^32 AVP’s (attribute value pairs) compared to RADIUS (2^8)
AVP what does it mean, within a …, set of defined … that can only accept … values
Attribute-Value Pairs - within a protocol, set of defined fields that can only accept certain values
TACACS+ / RADIUS vs Diameter (in regards to architecture)
TACACS+ / RADIUS is client server, server can’t respond unless request is made by client
Diameter is peer based allowing each side to initiate communication
system account vs service account
system account created by O/S
service account required for a service
system vs application
system - software providing services to other software
application - software that interacts with humans
capability-based access control
subject must present credentials which indicates what access is available (capability tied to subject)
if a company is providing an SOA to other organizations, it needs what markup languages (2) and protocol
XACML, SAML and SOAP
if a company is providing access to employees of another company’s SOA it needs what markup language
SAML
penetration testing steps (5), knowledge types (3)
Steps:
Does Everybody Vicariously Enter Reality
DEVER
Discovery
Enumeration
Vulnerability mapping
Exploitation
Report
knowledge types
zero
partial
full
data diode / simplex communication
severing “receive” pairs between reporting devices and the central log repository in high security environments to create a one-way path
ISO 27004, subject
Monitoring, measurement, analysis and evaluation of Information Security
factor definition - … of a system that has … that can … over …
attribute of a system that has value that can change over time
measurement definition - … … of a … at a point in …
quantitative observation of a factor at a point in time
baseline definition - … … that provides a point of … or denotes that some … is met by reaching a …
factor value that provides a point of reference or denotes that some condition is met by reaching a threshold
metric definition - … from comparing multiple … against … … or against a …
value from comparing multiple measurements against each other or against a baseline
indicator definition
an important metric that describes a key element of the effectiveness of a system
6 characteristics of useful security metrics 5 general characteristics of metrics
QARRCS
quantifiable - objective measurement
actionable - leads to improvement
robust - relevant over time
relevant - aligns with goals
comparative - can be evaluated against other metrics, baselines or standards
simple - easy to understand
SMART
specific
measurable
achievable
relevant
time-bound
Types of metrics (3)
Risk (strategic)
Preparedness (for security incidents - operational)
Performance (tactical)
MTTD
mean time to detect
MTTR
mean time to resolve
KRI
key risk indicators - where we are in relation to risk appetite
KPI definition and process (5 steps)
key performance indicators - where we are in relation to goals
Fast Breaking Performance Always Counts
FBPAC
Choose Factors that show state of security
Define Baselines for factors
Develop Plan for capturing factor values
Analyze and Interpret data
Communicate Indicators to stakeholders
Key Administrative Processes to Monitor (6)
ASS BAM
security Awareness training
Security training
Suspending accounts
Backup verification
Adding accounts
Modifying accounts
Pretexting
form of social engineering typically performed over the phone to persuade targets to violate a security policy (e.g. calling somebody pretending to be an authority and getting them to expose their account number)
hot wash
immediate de-briefing after a security event
AAR, what does it mean, what is it (security process)
after-action review - after a security incident, a more deliberate review is conducted some time after the incident is analyzed
Management Review
formal meeting involving senior management to determine if ISMS are effective
Ansible, what is it, allows … … and …
open sourced configuration management, deployment and orchestration tool using YAML - allows automated provisioning and configuration
YAML
Yet Another Markup Language - used in Ansible for configuration files
HSM (storage)
heirarchical storage management
having more than one tier of storage available for backups, keeping frequently used files in high speed / expensive storage and less frequently files in lower speed / lower cost media
CERT/CC
Computer Emergency Response Team / Coordination Center - main clearinghouse for vulnerability disclosures
process vulnerabilities definition and how to find
vulnerability existing in a business process, can be identified using “Red Team” procedures
social engineering definition / types (14)
manipulating a person to take an action to assist in a violation of a security policy
Types:
BBD HPP QSSS TV WW
baiting - offering something of perceived value
blackmail - threatening to expose secret information
diversion theft - having something of value sent to an unintended destination
honey trap - fake romance
pretexting - simulating a situation
phishing - fake email
Quid pro Quo - promising reward for doing something (aka Tech Support Attack)
SMS phishing / whaling - like phishing / whaling using SMS (aka smishing)
scareware - fake virus alerts
Spear phishing - like phishing only with a particular target in mind
tailgating / piggybacking - unathorized individual following somebody to secure area
Vishing - like phishing using phone (voice phishing)
whaling - fake email to executives
watering hole - capturing user credentials at a legitimate site
PIDAS Fencing, what does it mean, what is it
Perimeter Intrusion Detection and Assessment System - has sensors to detect when somebody tries to climb / cut a fence
UL, (organization) what does it mean, what does it do (4) for what (3)
Underwriters Laboratory - provides gate classifications, also tests, inspects and classifies electronic devices, fire protection equipment, and other construction materials
answers including guard dogs
are usually incorrect
if an answer has human safety
it is usually correct
OEP (physical security), what does it mean, used to ensure…
occupant emergency plan - used to ensure safety of personnel during emergencies
Elements of Mature SOC, technology (3), people (4), processes (5)
Technology:
EDR
NDR
SIEM
People:
TTII
Tier 1 Analyst - monitor alerts, eliminate false positives
Tier 2 Analyst - deeper analysis of alerts
Intelligence Analyst - investigate items passed by Tier1/2 analysts
Incident Responder - contain, eradicate threats
Processes:
socks and podiatrists concern feet
podiatrists prevent bunion pain gout
Policies
Procedures
Business
Partners
Government
Threat Intelligence characteristics (4) and cycle (4)
CART ‘R CAD (if you’re from Boston)
Characteristics:
CART
Complete - enough to detect / prevent the threat from actualization
Accurate - factual / error free
Relevant - useful to detect / prevent the threat from actualization
Timely - performed fast enough to impact damage
Cycle:
RCAD
Requirements
Collection
Analysis
Dissemination
CMF, what does it mean, what is it used for, data sources (3)
Collection Management Framework - collecting relevant data, organizing and analyzing the data
Data Sources:
Third-party Feeds (generally proprietary)
Open-Source INTelligence [OSINT] (free)
Internal Sources - logs, alerts, etc.
IOC
Indicator of Compromise
NOD
Newly Observed Domain
COI (web security)
Community of Interest
Cyberthreat (or just Threat) Hunting, what is it, two step process
Proactively looking for threats, possibly based on intelligence feeds instead of waiting for SIEM alerts
develop a hypothesis and look for evidence to prove or disprove
Prevention / Detection Process (5 steps)
detecting radio waves with my RCA SIMulator
R C C C A
S I M
Risk analysis
Control Selection
Control Implementation
Configuration Management
Assessment
Firewall Types (5)
Packet filtering
Stateful Inspection
Proxy
Next Generation
Web Application
Firewall Architectures 3 types
Screened Host - communicates directly with perimeter router and internal network, the firewall is screened behind the router, single tiered
Multihomed - between different internal networks
Screened Subnet - another layer of security to screened host model (DMZ), there is an external firewall, then a DMZ, then an internal firewall, two tiered, if three firewalls create two separate subnets (e.g. transaction filter and DMZ), this would be three tiered
TCP States (11)
LoSSeS RarE oFF CoW C LA ToW c
L SS SR E F1 F2 CW C LA TW c
LISTEN
SYN-SENT
SYN-RECEIVED
ESTABLISHED
FIN-WAIT1
FIN-WAIT2
CLOSE-WAIT
CLOSING
LAST-ACK
TIME-WAIT
CLOSED (fictional)
proxy firewall, what is it (4 items), two types, advantages (3), disadvantages (3)
HUBS
Hides true source of data from untrusted network
Used between trusted and Untrusted networks
Breaks communication channel (no direct connections)
Starts new communication Sessions between sender and receiver on the sender’s behalf
Types:
circuit-level proxy (on lower OSI levels - up to session layer) - cannot look at packet contents, application independent, can only approve on protocol (up to session layer) not by command, does not require configuration for each protocol (e.g. SOCKS)
application-level proxy (on application layer) - inspect all the way up to application layer, can see packet content - can make specific command level decisions (e.g. FTP put or get) but must be configured for each protocol
Advantages:
EDS
Extensive logging capabilities
Direct authentication
Spoofing protection
disadvantages:
RNL
not good for high bandwidth / real-time applications
limited in support for new applications / protocols
lower performance
Next generation firewall (NGFW), description:
multiple …
combines … , … , … capabilities and adds … based … engine
can share … with all other … of the same vendor
connects to … … sources such as … … , … , … , … …
multiple layers
combines packet, stateful, proxy capabilities and adds signature based IPS engine
can share signatures with all other firewalls of the same vendor
connects to external data sources such as:
Active Directory, whitelists, blacklists, policy servers
Bastion Host
host with little protection from internet, should be locked down to only necessary services
zombie indicator
packets with source addresses from outside the protected network leave the network (egress)
source routing
packet decides how to get to destination, not routers in the network, should be denied ingress
IDS / IPS types (2) and how each works
Rule-based - looks for traffic matching rules (e.g. signatures of malware)
Anomaly-based - uses training mode or other means to determine what traffic is normal (baseline) and then converts to testing mode where it reports / acts on abnormal traffic, more prone to false-positives
XDR
eXtended Detection and Response, correlates results of EDR/NDR with other sensors (cloud and / or on-prem)
emulation buffer
sandbox or vm used to run suspicious code to determine the effects of the code
static vs dynamic analysis of code difference / similarity
static - reviews information about the code
dynamic - allow portion of code to run to review effects
both are heuristic
MSSP, before hiring steps (5)
Managed Security Service Provider - third party security service vendors
Before hiring:
DCURL (don’t use really corrupt losers)
Determine requirements
determine if MSSP Understands your business processes
Reputation
Costs
Liability limits
black hole
drop specific traffic without notifying the sender
honeypots, honeynets, honeyclients, tarpits
honeypot - network device intended to be exploited to observe TTP’s of attackers
honeynet - network subnet intended to be exploited to observe TTP’s of attackers and can spawn honeypots attractive to particular attackers
honeyclient - synthetic applications allowing client-side attacks to observe TTP’s
tarpits - like honeypots but to a smaller degree (such as a specific service instead of whole device)
Symbolic vs Non-symbolic AI
symbolic - model real-world concepts, the concepts relationships and how they interact to solve problems, requires extensive knowledge and engineering, analogical reasoning, rule-based systems, decision trees, expert systems
non-symbolic - focuses on learning patterns in data for classifying objects, predicting future results or clustering similar data, involves instance-based learning, statistical methods and neural networks, machine learning, requires extensive data gathering and curating
non-symbolic AI prediction
compares previous sample of data to determine the next sample should be using statistical regression analysis
non-symbolic AI clustering useful for … …
useful for anomaly detection
non-symbolic AI reinforcement
tunes decision making parameters to choices that lead to positive outcomes
Logstash
open source log pipeline system
Splunk
commercial SIEM tool + data analytics platform
ELK, stack / Elastic Stack
open source SIEM tool + data analytics platform
Egress monitoring, what is it, can involve…, … is a subset
only allow certain hosts to communicate directly with external resources to make sure organizations systems aren’t being used to attack others and not communicating with known bad actors
can involve decrypting data for deep packet inspection
DLP is a subset
DPI (firewalls)
deep packet inspection
Best way to begin IDS / IPS installation
start with white lists / black lists
primary driver of threat intelligence
questions senior management may have about threats / controls
NIST 800-61, life cycle (7 steps), report contents (8)
Computer Security Incident Handling guide
I hope I’m not 61 before I manage security incident handling
lifecycle:
Please Don’t Allow Creepy, Evil, Random People
Preparation
Detection
Analysis
Containment
Eradication
Recovery
Post Incident activity
information to include in report:
SIRACI IN
Summary
Indicators
Related Incidents
Actions Taken
Chain of custody for all evidence
Impact assessment
Identity / Comments of incident handlers
Next steps
IOA / IOC, what does it mean, what are typical indicators (5)
indicators of attack / indicators of compromise
typical indicators:
HRODD
unusually large HTTP requests / responses
new Registry entries
Outbound traffic to specific IP address(es)
abnormal DNS queries
DDoS traffic
IMP / IRP
incident management policy - establishes roles and responsibilities
incident response plan - detailed steps to take
security event
any action involving a security mechanism
security event vs. security incident
security events are normal
security incidents require a response
Incident Classification, what is it useful for (2), considerations for classification (3)
useful for:
allows preauthorized commitment of resources and
who needs to be contacted
considerations:
Impact
Urgency
Type
MOM
Motive
Opportunity
Means
ISO 27037 - phases of evidence handling (4) and description of each phase
Guidelines for digital evidence
I CAP
Identification:
determination of the evidence required
Collection:
gaining control of evidence in a lawful manner
Acquisition:
digital acquisition - creating forensic image of digital data for examination, bit by bit copy of media outside the O/S [logical acquisition is done using the O/S)]
2 copies are made (1 is control copy) 1. Primary image 2. Working image
Compute cryptographic hash of original and each copy
Preservation:
hashing as indicated above + access limited to qualified people to do limited actions (read only), possibly two-person control
admissable evidence requirements (3)
relevant - directly related to crime
reliable - chain of custody, business records
legal - acquired by legal means
business records requirements (4) when used as evidenced
MR TT
made in regular course of business
regular practice of making the records
timing is near time of crime
transmitted by a person with knowledge of the contents of the record
forensic field kit contents (4)
DDPC
documentation tools - tags, labels, etc.
disassembly and removal tools - anti-static bands, pliers, tweezers, screw drivers, wire cutters, etc.
package / transport supplies - anti-static bags, tape, cable ties, etc.
cables / adapters - for any type of interface that may be present
well known forensic tools (3)
FED
FTK - Forensic Toolkit
EnCase Forensic
dd - unix utility
investigative interview best practices (6)
POD COK
have a Plan
be Objective / fair
Do not record unless meeting legal requirements, use a note taker and validate accuracy of notes afterwards
Compartmentalize information - isolate information from different interviewees where necessary
One interviewee at a time
Keep confidential
MDT =
MDT = RTO + WRT
maximum tolerable downtime is the sum of recoverty time objective and work recovery time
RPO, what is it, what does it mean, what does it refer to exactly
recovery point objective
acceptable amount of data loss measured in time
earliest point in time which data must be recovered
incremental backup
all files that have changed since last full backup are selected for backup / archive bit is changed / requires all incremental backups + full backup to be restored
PACE in relation to DRP scenarios
in relation to DRP communication means:
Primary - normal method
Alternate - if primary not available a second option which can be used quickly
Contingency - a third possibility that can work albeit maybe not as well as primary and alternate
Emergency - a final possibility that will require much more effort or resources (only used when other are all not available)
contingency plans definition, focus
how to deal with smaller more contained incidents rather than the broad BCP, narrow in scope and deal with specific issues,
focus:
mostly related to information systems
Types of BCP / DRP Testing (6)
Che Str Tab Sim Par Ful (Chester Tabsim Parful)
Checklist Test - (aka desk check test) reviewed by various business units for completeness and accuracy
Structured Walkthrough - similar to desk check, but all representatives come together and allow others see how the parts of the plan fit together
Tabletop Exercises - (TTX, aka read-through exercise) involve technical control infrastructure, test procedures to ensure functionality, usually involve the most likely events, can have branches (decision tree) and sequels (subsequent responses after initial procedure is carried out)
Simulation - involves large portion of those that would be involved in actual event and includes only that which would be available during an actual event
Parallel - detailed testing but does not take production down
Full-Interruption Test - production shut down and business tested in the alternative site, etc.
Role of CISSP in BCP vs. DRP
BCP - active participant, not lead
DRP - may be tapped as lead
Order of returning to primary site after disaster recovery
Least critical first to provide additional testing and working out unforeseen issues that may arise
WBS (project management)
Work Breakdown Structure - tool used in project management to define and group a projects’s individual work elements in an organized manner
Requirements Phase, what 4 things are done during this phase, security requirements include what 3 categories,
G RA PA RA
Gather system and security requirements from SOW and / or other product management documentation
security requirements should be in categories: (triad)
confidentiality
integrity
availability
security Risk Assessment - identify threats and associated consequences
Privacy risk Assessment - HML rating of private data,
H - stores / transfers private data (PII), or makes it possible to do so<e.g. change settings, install software>,
M - one time user initiated transfer of PII
L - no effect to privacy
Risk-level Acceptance
SRS, what does it mean, 2 types
System / Software Requirements Specification
can be functional or nonfunctional
functional - features
nonfunctional - performance standard / security requirements
UML
Unified Modeling Language - (flowcharting)
UCD, what does it mean, used to capture … and … requirements
Use Case Diagram - used to capture functional and nonfunctional requirements
Design phase, what is it, 3 models, what security tasks (2) in this phase
mapping planned functionality to real world possibilities
BIF models designs AS A TM task
Models:
BIF
Behavioral - explains state system will be in during and after certain transitions take place
Informational - type of information to be processed and how it will move around the software system
Functional - task, functions and their sequence(s)
Security tasks:
attack surface analysis - reduce the code that is usable by untrusted users, reduce entry points for untrusted users, provide least privilege, eliminate unnececessary services, can use software tools to perform
threat modeling - analyzing the various weak points in the system (e.g. input fields, back doors, vulnerabilities, etc.) using threat trees or other constructs, software tools are also available, such as OWASP Threat Dragon
SDLC Security Concerns - Development phase (3)
USC developed
Use of automated tools helps develop more secure code
Secure Coding techniques - helped by MITRE CWE (Common Weakness Enumeration) list of most impactful issues
Code reviews catch common syntactical issues, especially input validation, prevention of covert channels, proper data typing, checksums, etc.
Testing Phase security concerns (7)
If you pass the test you’re all square.
MR SQUAR EF
Map security risks to test cases and code
Separation of duties including not allowing developers to access production code
separate QA testing, including possibly Red Team type of testing
Unit Testing for modules using Test-Driven Development where a test is designed before or during actual coding
Attack simulation / Penetration Testing
Repeat testing until objectives are achieved
Ensure systems Fail securely if no human life is at risk
Verification vs. Validation in software testing
verification - did we build it right
validation - did we build the right product
Operations and Maintenance Phase security concerns (2 closely related concerns), most likely phase to concern …
Change Management (general approach) / Change Control (specific changes)
Most likely phase to concern CISSP individuals
3 types of prototyping
REO
rapid - end result is usually discarded, it is done to test validity of understanding of problem
evolutionary - end result is not discarded but built upon
operational - similar to evolutionary, but it is intended to be implemented to production
Incremental Development Methodology, what is it, benefits (4), used when
incremental waterfalls often result in a werl of water
a multi-waterfall approach, each incremental phase results in a deliverable
benefits:
WERL
working model delivered early
end-users can provide input
lower cost of initial delivery
risk of critical changes are lower due to feedback cycle with end-users
best used when various aspects of the project need to be understood early in the development cycle
RAD, phases (7)
Rapid Application Development - using working prototypes to quickly deliver software
that’s RAD dude, A Quick Board Doesn’t Really Turn Instantly
Analysis
Quick design
Build,
Demonstrate,
Refine (prototypes)
Testing
Implementation
Scrum, 6 characteristics
SCRUM SCCRAL
uses Sprints (predefined time of building, usually 2 weeks) or time between scrums
focused on Collaboration
Continuous delivery
project can be Reset (like in rugby, when the game is reset to a scrum) adding new features, etc.
a very widely Adopted Agile devlopment methodolgy
Lean and customer focused
Kanban stresses …, uses …
stresses visual tracking of all tasks so priorities can easily be accommodated
uses a “Kanban Wall” where all tasks are placed for visualization under Planned, In progress and Done
DevOps / DevSecOps, what is it, benefits (4)
combining development, operations, <security> and QA into one team to improve security, reduce conflict, increase trust and job satisfaction</security>
IPT
Integrated Product Team - management technique incorporating diverse (in terms of job function) members to develop a product
JAD
Joint Application Development - can employ an IPT to develop software
CASE
Computer Aided Software Engineering - software to increase the speed, productivity and reduce errors
Cleanroom devlopment methodology
focuses on developing critical error free software
cohesion, what is it, is higher or lower cohesion desirable (2 reasons)
in OO s/w dev. the diversity of tasks provides high cohesion the fewer or more similar those tasks are in a method
when cohesion is high it makes modification, reuse and maintenance easier without it affecting other modules
high cohesion also makes security task easier to build
coupling, what is it, do you want it to be high or low (tight or loose), it’s implications on maintenance and security
low / loose coupling indicates a module does not need to communicate with many other modules to perform it’s function
low / loose coupling is considered good due to less of a need to modify other modules if you want to change the related module
security is stronger with loose coupling due to reduced attack surface
source code vulnerability
defect in code (design flaw or implementation flaw) that provides a threat actor an opportunity to compromise security of a system
design flaw
a source code vulnerability that would remain even if all code was written perfectly
coding standards, requirements (3) to be useful
REV
Reduces risk of a vulnerability
Enforceable across all development efforts
Verifiable in implementation
Application Security Testing types (3)
SDF
Static - examining source code, typically with automated tools without executing the code, of course requires access to the source code
Dynamic - examining running code without access to the source code, of course requires running the code
Fuzzing - used to discover flaws and vulnerabilities by sending large amounts of test data to the target trying to cause failure
SAST
Static Application Security Testing
Codecov
platform enabling CI/CD, was breached in 2021 allowing the theft of credentials
ISO 27034
Software developer certification
FEDRAMP, what does it mean, what is it - provides a … approach to … …, … and … … for … products and services
It’s a standard approach ramp to SA A C’M in the cloud.
Federal Risk and Authorization Management Program - United States federal government-wide compliance program that provides a standardized approach to Security Assessment, Authorization, and Continuous Monitoring for cloud products and services.
Third Party Software
custom or customized software developed for a particular entity, it is not COTS
Garbage Collector
identifies memory blocks that are no longer in use and marks them as available
OOP, what is it, + 3 characteristics regarding the structure / interaction of components
Object Oriented Programming
related functions encapsulated in classes
classes instantiated into objects
objects communicate with each other using messages with API’s
SDS (networking), what is it, aka, implemented within …
software defined security (aka SDSec)
implemented within SDN
SCM platform, what is it, allows … … … to promote … and …
Software Configuration Management platform - allows methodical change control to promote integrity and traceability
What does Software Security Assessment do (dev)
verify the entire development process is working properly
greatest risk of open source software
relying on outdated versions
best way to assess third party software
external or third party audits
3 Tiers of Information Security (Main directives)
Tier 1 Create / Deliver value
Tier 2 Support business
Tier 3 Protect assets from threats through safeguards to achieve CIA
Security Professional characteristics (7)
BS VOICE
Behave ethically, responsibly and legally
think Strategically
focus on Value / ROI
emphasize Outcome and cost / benefit
Innovate / enable business
Continuous improvement
Effective / Efficient
IA, what does it mean, includes what goals (5), now known as …
Information Assurance (DOD directive 8500.01E)
CIA + non-repudiation + authenticity
now known as cybersecurity
Protection Ring - … objectives direct … affecting … … which initiate … … to exploit … which circle back and impact … …
Security Objectives direct Safeguards affecting Threat Sources which initiate Threat Events to exploit Vulnerabilities which circle back and impact Security Objectives
Simplified Generic Risk Model (Wentz Wu) 5 nouns separated by 4 verbs
Simply, Every Voice Is Repressed In Every Country of Putin
nouns SEVIR
verbs IECP
both SIEEVCIPO
threat Souce
Initiates
threat Event
Exploits
Vulnerability
Causing
adverse Impact
Producing
Organizational risk
Peacock Model 8 general items arranged in a peacock around … …
Information Systems impacted by:
Data
Computer Systems
Operating Systems
Software
Networks
Data Centers
People
Business Processes
can be arranged as a “peacock” shape around Information Systems
Wentz Model (Information Security)
has peacock in middle of CIA triad which is surrounded by the Onion Model which is surrounded by the Protection Ring Model above the model feeding threats is the Generic Risk Model
Onion Model, (Wentz Wu - surrounds 2 items) 3 types of controls
Layered defense (aka defense in depth)
surrounds Peacock Model and CIA triad with:
Control Types (Onion is a root vegetable; TAP root)
Technical Controls
Administrative Controls
Physical Controls
threat vs threat event
event situation initiated by a threat source that has potential for adverse impact
threat is more generic, not caused by a particular source
Threat Scenario
combination of threat source and threat event
NIST 800-154, 2 forms
models went to Studio 54
Threat modeling
2 forms:
Software
System (Data included)
STRIDE
microsoft threat modeling for categorization
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
DREAD
microsoft threat modeling for prioritization
Damage
Reproducibility
Exploitability
Affected users
Discoverability
Threat modeling common steps (5)
A MODEL of Resistance Definitely Inspires Many Victims (RDIMV)
define security Requirements
create Diagram of system
Identify threats
Mitigate threats
Validate threat mitigation
ENISA
European Union Agency for Cybersecurity
Threat landscape (5 elements)
RAATTs
collection of Risks, Assets, threat Actors, Threats, and observed Trends
ETL (threat monitoring)
ENISA Threat Landscape
IAL
Identity Assurance Level
PACS (security)
physical access control system
Access Control Components (3)
Authentication - proving identity
Authorization - proving clearance
Accounting - recording activity
Accordingto ISO 27005, what are an entity’s Primary Assets (2)
Information
Business processes and activities
ISO 29100 Privacy Principles (11)
My CUPs could use some privacy CAIN CAID
CUP of CAIN CAID
Consent
Use, retention and disclosure limitation
Purpose
Collection limitation
Accuracy
Individual participation / access
Notice provided to owner
Compliance with privacy laws
Accountability
Information Security
Data minimization
Data Governance positions (3) and who in org is in each position, what they have responsibility for at each position
Data Owner - The Board of Directors, Senior Management - strategic goals, opportunities, decision making, data classification, authorization, accountability
Data Steward - Business Processes - data quality, data rules, data semantics
Data Custodian - Information Systems - data sources, day-to-day data security, backup / restore
NIST 800-64 R2 SDLC (5 phases)
no IDIOTs born in 64
Initiation
Development / acquisition
Implementation / assessment
Operations / maintenance
Trash / disposal
SDLC Security Activities - Initiation (5 steps)
Initiate Cycle By Pushing Switch
ICBPS
Initiate Security Planning
Categorize System
Business impact Analysis
Privacy impact analysis
ensure use of Secure dev processes
SDLC Security Activities - Dev. / Acq. (6)
Random Strangers Develop Eventual Social Ties (RS DEST)
Risk assessment
Select / doc. security controls
Design security architecture
Engineer security controls
Security documentation
Testing of dev., function, security
SDLC Security Activities - Implementation (4)
DIAA de implementacion
DIAA
Detailed compliance / auditing plan
Integrate security into established systems
Assess system security
Authorize the system
SDLC Security Activities - Operations (3)
(OCC)
operational readiness
configuration management
continuous monitoring
SDLC Security Activities - Disposal (5)
dispose of that Cockroach PEST
P E S T C
build disposal Plan
Ensure information preservation
Sanitize media
Trash / dispose of h/w & s/w
Close system
KGI
Key Goal Indicator - a measure for outcome rather than performance, usually KPI’s are part of a KGI
GRC, how to diagram
Governance, Risk Management and Compliance - Compliance is surrounded by Risk which is surrounded by Governance and the 3 make up an integrated discipline
OCEG
Open Compliance and Ethics Group
Wentz Governance Model, general shape, 4 interior components, 3 exterior components
EA SM OS OP (Aesop) or G RiM C (Grim) model?
Shape: triangle with 4 interior triangles surrounded by a circle
interior triangles:
EA SM OS OP
Enterprise Architecture at the top of a pyramid,
Strategic Mangement in a center triangle, with
Organizational Structure and
Organizational Processes the two lower triangles
exterior:
surrounded by a circle with Risk Management, Compliance and Governance in the circle outside the triangle
G RiM C
FEAF
Federal Enterprise Architecture Framework
SCRM
Supply Chain Risk Management
FOCI (supply chains)
Foreign Ownership, Control or Influence - supply chain concern that foreign involvement may impact security
Types of Trust Models (5) and what each is based on
Validated - based on evidence of trusted party
Direct Historical - based on the trusted party’s past
Mediated - assurances provided by third party
Mandated - required by third party in position of authority
Hybrid - combination of 2 or more of above
ISO 31000, subject, concepts (4)
The risk management chain has 31000 links where Virtuous People Find Purpose.
Subject: Risk management guidelines
elements:
Virtuous People Find Purpose
Values -> Risk Management Principles -> Risk Mangement Framework -> Risk Management Process
purpose of risk management, elements (8), cycle (5), process (4), relationship of monitoring and communication
The purpose is creating and protecting value
CHICS BID on risky bets. After losses they think it’s a cycle and ask “Is Doom In Every Inbox.” They use the process of “Selecting Rarely Repeated Ranges.”
elements: CHICS BID on risky bets
cycle: “Is Doom In Every Inbox”
process: “Selecting Rarely Repeated Ranges”
principles:
CHICS BID
Customized
Human / cultural factors
Integrated
Continual Improvement
Structured and Comprehensive
Best available information
Inclusive
Dynamic
cycle:
IDIEI
Is Doom In Everybody’s Inbox
Integration
Design
Implementation
Evaluation
Improvement (circles back to integration)
process:
Selecting Rarely Repeated Ranges
Scope, Context, Criteria
Risk Assessment (identification, analysis, evaluation)
Risk Treatment
Recording and reporting
monitoring / review (across all of above)
communication / consultation (across all of above)
ERM, Business Model Steps (5) and associated principles (20)
Enterprise Risk Management (ERM)
Steps:
MS O’s IV
business Model
Strategy development
busines Objectives
Implementation / performance
enhanced Value
Principles:
BODVA ADEF RAPID ARP ICR
business Model step (ERM Principles
Mission, Vision, Core Values)
BODVA
1 Board oversight
2 Operating structures
3 Desired culture
4 commitment to core Values
5 Attract, develop, retain capable individuals
Strategy development
ADEF
6 Analyze business context
7 Define risk appetite
8 Evaluate alternate strategies
9 Formulate business objectives
business Objectives
RAPID
10 identify Risks
11 Assess risk
12 Prioritize risks
13 Implement risk responses
14 Develop portfolio view
Implementation and performance
ARP
15 Assess change
16 Review risk and performance
17 Pursues improvement
enhanced Value
ICR
18 leverage IT
19 Communicate risk information
20 Reporting
CFR
Code of Federal Regulations
2 levels of Compliance
Organization-level:
Laws & Regulations
Industry Standards:
Contracts
security control assessment, what is it
project / process of testing / evaluating security controls
information security assessment end result
determining how well an entity is meeting security objectives
SWOT analysis, what does it mean, how is it portrayed
Strengths
Weaknesses
Opportunities
Threats
on a matrix:
SW
OT
RACI (project management roles & responsibilities), what does it mean, what is it used for
Responsible - those that do the work
Accountable - those liable for project result
Consulted - provide information for project success
Informed - informing people affected by the project
used to ID roles and responsibilities for a project
Risk Context Components (6)
C SPLIT (C as in context)
Culture
governance Structure
financial Posture
Laws / regulations
Investment strategies
Trust relationships
risk management strategy components (5)
G PACT strategy
guidance - risk management + risk response / monitoring
priorities
assumptions
constraints
tolerance
risk assessment methodologies (3)
MAA
model analysis assessment
risk model - defines terms and assessable risk factors and how they’re related to each other
analysis approach - describes how combinations of risk factors are identified and analyzed (threat, asset or vulnerability oriented)
assessment approach - determines values against a scale (e.g. quantitative, qualitative)
3 Tiers of Risk
1 Organization
2 Business Processes
3 IT Systems
risk threshold
level of risk exposure where risks above the level are addressed and below which are accepted
DRI / ABCP, CFCP, CBCP, MBCP
Disaster Recovery Institute / Associate Business Continuity Planner, Certified Functional Continuity Professional, Certified Business Continuity Professional, Master Business Continuity Professional
BCI / CBCI
Business Continuity Institute / Certification of the BCI
ISO 22301 / 22313
business continuity planning
Definitions of incident, emergency, crisis, disruption, disaster
incident - event that could lead to a disruption, loss, emergency or crisis
emergency - unintended circrumstance that is a clear and present danger to personnel or property requiring immediate response
crisis - a critical event that will impact an organization’s profitability, reputation or ability to operate if not handled timely
disruption - incident that causes unplanned negative deviation from expected delivery of product or service in relation to org’s objectives
disaster - catastrophic incident that causes long term disruption or physical damages, requires activation of recovery plans
What do Tier 1, Tier 2, Tier 3 interruption planning types address.
Tier 1 - Emergency planning
Tier 2 - Continuity planning
Tier 3 - Contingency planning
NIST 800-34, subjects (2)
addresses risk at the level of information systems and
introduction to organizational resilience planning
COOP, definition, process (4 steps), requirements (11)
Continuity of Operations Plan (US gov. dept. or agency) - concentrates on restoring mission essential function(s) MEF to alternate site (at least 5 miles) for up to 30 days, minor threats not addressed
COOPer’s IBBM found the DR PEDO CHEAT
process:
IBBM
ID MEF’s
Business process analysis (BPA)
Business impact analysis (BIA)
Mitigate risks
requirements:
DR PEDO CHEAT
Devolution
Reconstitution
Program management
Essential Functions
Delegation of authority
Order of succession
Communications and Information Systems
Human Resources
Essential records management
Alternate locations
Test training and exercises
MEF
Mission Essential Function - primary, unique function
ISCP definition, Structure / Phases (4), Planning steps (7)
Information System Contingency Plan - system specific plan
I
Systems Affected Rarely Recover Perfectly But Please Stop Pissing-away The Money
C
P
Structure:
SARR Systems Affected Rarely Recover
Supporting Information - BIA, POC lists, Procedures
Activation and Notification - activation criteria, notification procedures, outage assessment
Recovery - sequence of recovery activities, recovery procedures, escalation and notification procedures
Reconstitution - concurrent processing, testing, notifications, cleanup, offsite data storage, backup, documentation
Planning Steps
Perfectly But Please Stop Pissing-away The Money
Policy for contingency planning
BIA (system-level)
Preventive controls
Strategies for contingency
Plan for contingency
TTE
Maintenance
TTE
Testing, Training and Exercises
AIW, what is it, formula
Acceptable Interruption Window - maximum time a system can be unavailable before compromising enterprise business objectives
(aka MTD)
AIW = RTO + MTO
MTO
Maximum Tolerable Outage - maximum time organization can operate in alternate mode
RTO, what does it mean, formula
Recovery Time Objective
RTO = Restoration + WRT
RPO
Recovery Point Objective - earliest point in time before an event that an organizations desires to recover to (based on acceptable data loss time)
SDO (bcp)
Service Delivery Objective - level of service during alternate mode until returning to normal operations (e.g. 60% of normal capacity)
alternate mode
during disaster, acceptable level less than normal capacity before restoration to normal capacity
BCMS, elements (6)
Business Continuity Management System - set of interrelated or interacting elements to establish policies and objectives and processes to achieve objectives of business continuity
Components:
if you need to manage elements, you have to see the Continuity Planning PIMP.
CI
P
P
I
MR
PA
Continual improvement
Policy
Planning
Implementation / Operation
Management review
Performance assessment
Business Continuity Program has 2 parts
governance over BCM, implement and maintain BCM
MTPD, aka (2)
Maximum Tolerable Period of Disruption (aka MTD, AIW)
MBCO
Minimum Business Continuity Objective - minimum acceptable level of service or production
PDCA cycle (general management)
Plan, Do, Check, Act - 4 basic management steps that can be applied to a variety of business processes
statistical analysis is best used at what stage of SDLC
development
Domain 1 and Domain 2
D1 (policies, procedures, laws, regulations, risk management, ethics, governance, training). being the foundation that everything else builds on.
Anything assets and data lifecycle (D2) is really based on D1 choices.
password spray attack, what is it, solutions (3)
a type of brute force attack which involves a malicious actor attempting to use the same password on multiple accounts before moving on to try another one.
Solutions:
MFA
Monitor locations of logins
Configure permissions to keep control of access parameters
Regulatory Investigation
An investigation undertaken to determine if a law or regulation was broken
Lean software development, principles (7)
translation of lean manufacturing principles and practices to the software development domain
principles:
Lean or skinny like a snake (boa)
BOA DEED
Build integrity in
Optimize the whole
Amplify learning
Decide as late as possible
Eliminate waste
Empower the team
Deliver as fast as possible
release and deployment management, definition, what tech org, primary goals (2)
ITIL: aims to plan, schedule and control the movement of releases to test and live environments.
The primary goal of this process is to ensure that the integrity of the live environment is protected and that the correct components are released.
MFA Authentication types (3) something you…
Type 1 – Something You Know – includes passwords, PINs, combinations, code words, or secret handshakes. Anything that you can remember and then type, say, do, perform, or otherwise recall when needed falls into this category.
Type 2 – Something You Have – includes all items that are physical objects, such as keys, smart phones, smart cards, USB drives, and token devices. (A token device produces a time-based PIN or can compute a response from a challenge number issued by the server.).
Type 3 – Something You Are – includes any part of the human body that can be offered for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.
Spectre / Meltdown, what are they, resolution
CPU vulnerabilities
spectre - tricks a program into accessing arbitrary locations in the program’s memory space
meltdown - can be used to read privileged memory in a process’s address space which even the process itself would normally be unable to access
resolution:
patching O/S
CWSS, what is it, metric groups (3), factors (16)
Common Weakness Scoring System (CWSS) provides a mechanism for prioritizing software weaknesses in a consistent, flexible, open manner. It is a collaborative, community-based effort that is addressing the needs of its stakeholders across government, academia, and industry.
BAE 565
TI AP AL IC FC (tilapia icky fish)
RP RL AV AS IN SC (raper lava as in SC)
BI DI EX EC EP/p (bidi exec p)
Metric Groups:
BAE
Basic Finding
Attack Surface
Environmental
Factors:
TI AP AL IC FC RP RL AV AS IN SC BI DI EX EC EP/p
Metric Group | factor |description
Base Finding Technical Impact (TI) The potential result that can be produced by the weakness, assuming that the weakness can be successfully reached and exploited.
Base Finding Acquired Privilege (AP) The type of privileges that are obtained by an attacker who can successfully exploit the weakness.
Base Finding Acquired Privilege Layer (AL) The operational layer to which the attacker gains privileges by successfully exploiting the weakness.
Base Finding Internal Control Effectiveness (IC) the ability of the control to render the weakness unable to be exploited by an attacker.
Base Finding Finding Confidence (FC) the confidence that the reported issue is a weakness that can be utilized by an attacker
Attack Surface Required Privilege (RP) The type of privileges that an attacker must already have in order to reach the code/functionality that contains the weakness.
Attack Surface Required Privilege Layer (RL) The operational layer to which the attacker must have privileges in order to attempt to attack the weakness.
Attack Surface Access Vector (AV) The channel through which an attacker must communicate to reach the code or functionality that contains the weakness.
Attack Surface Authentication Strength (AS) The strength of the authentication routine that protects the code/functionality that contains the weakness.
Attack Surface Level of Interaction (IN) the actions that are required by the human victim(s) to enable a successful attack to take place.
Attack Surface Deployment Scope (SC) Whether the weakness is present in all deployable instances of the software, or if it is limited to a subset of platforms and/or configurations.
Environmental Business Impact (BI) The potential impact to the business or mission if the weakness can be successfully exploited.
Environmental Likelihood of Discovery (DI) The likelihood that an attacker can discover the weakness
Environmental Likelihood of Exploit (EX) the likelihood that, if the weakness is discovered, an attacker with the required privileges/authentication/access would be able to successfully exploit it.
Environmental External Control Effectiveness (EC) the capability of controls or mitigations outside of the software that may render the weakness more difficult for an attacker to reach and/or trigger.
Environmental Prevalence (P) How frequently this type of weakness appears in software.
ATA Secure Erase
overwrite command in the ATA standard (as ‘Security Erase Unit’) that leverages a firmware-based process to overwrite the media (SSD’s)
sashimi (OOP)
a way of organizing a waterfall project with feedback that doesn’t have to wait with Waterfall feedback only allows testing to start when the whole implementation has been completed
The Sashimi Model is a modification of the classic Waterfall model that allows for some overlap and iteration between the phases. It is named after the Japanese dish of sliced raw fish, which is served slightly overlapping on a plate.
conditional MFA
Conditional Access is, quite literally, a number of conditions you define to permit access. One of those conditions can be requiring MFA. But, it could also include where a user is logging in from, what the user is trying to access, the device they are using, group membership, or any combination you choose.
While Standard MFA strengthens user authentication and blocks outdated protocols, Conditional Access offers centralised control and customisation, allowing you to tailor security policies to the unique needs of each client. As an MSP, it is essential to adopt a proactive approach to security
RAID 0 - 6, features of each (mirroring, parity, striping), min # of disks for each
0 - used for striping data on a disk, increases speed, no redundancy, min # drives = 2
1 - Mirroring without parity or striping, min drives = 2
2 - Bit-level striping with Hamming code for error correction, min # drives = 3
3 - Byte-level striping with dedicated parity, min # drives = 3
4 - Block-level striping with dedicated parity, min # drives = 3
5 - Block-level striping with distributed parity, min # drives = 3
6 - Block-level striping with double distributed parity, min # drives = 4
ARCNET, what does it mean, when was it used, how is it used now, what type of configuration
Attached Resource Computer NETwork (ARCNET or ARCnet) is a communications protocol for local area networks.[1] ARCNET was the first widely available networking system for microcomputers; it became popular in the 1980s for office automation tasks. It was later applied to embedded systems where certain features of the protocol are especially useful
used star configuration
backup types that clear archive bit
full, incremental
best way to deal with advanced persistent threats
security monitoring / incident response
first step for data retention policy
understand legal / regulatory requirements
most comprehensive framework for cybersecurity reviews
ISO 27001
most effective way to implement NAT
PAT
What is the difference between cloud user and cloud customer?
Cloud User means a single authorized individual End User who has access rights to the Service. -
Cloud Customer means any Person to which a CSP agrees to provide Cloud Services based on a Cloud Contract or other business relationship between the CSP and that Person. Customer includes Customer Affiliates and End Users.
Burp Suite
software security application used for penetration testing of web applications
virtual user
an instance of a load testing script that is meant to simulate a real-world visitor on your web app
Access Control model providing the most availability
Role BAC
scaled agile framework, what is it, core values (5), principles (9)
The Scaled Agile Framework® (SAFe®) is a set of organizational and workflow patterns for implementing agile practices at an enterprise scale. The framework is a body of knowledge that includes structured guidance on roles and responsibilities, how to plan and manage the work, and values to uphold.
SAFe promotes alignment, collaboration, and delivery across large numbers of agile teams. It was formed around three primary bodies of knowledge: agile software development, lean product development, and systems thinking.
Core Values:
TABLe P
Transparency
Alignment across org
Built-in quality - five key dimensions of built-in quality: flow, architecture and design quality, code quality, system quality, and release quality
Leadership
Program execution
Principles:
EAV BMW CMD
1 take an Economic view
2 Apply systems thinking
3 assume Variability; preserve options
4 Build incrementally with fast, integrated learning cycles
5 base Milestones on objective evaluation of working systems
6 visualize and limit Work in Process (WIP), reduce batch sizes, and manage queue lengths
7 apply Cadence, synchronize with cross-domain planning
8 unlock the intrinsic Motivation of knowledge workers
9 Decentralize decision making
generational programming languages characteristics
2nd - assembly
3rd - 3GLs are much more machine-independent (portable) and more programmer-friendly [C, C++, Java, Python, PHP, Perl, C#, BASIC, Pascal, Fortran, ALGOL, COBOL]
4th - Fourth-generation languages tend to be specialized toward very specific programming domains [ABAP, Unix Shell, SQL, PL/SQL, Oracle Reports, R, Halide] low code, GUI based, database, screen painters, data manipulation, software creators, mathematical optimization, web developmet
5th - A fifth-generation programming language (5GL) is any programming language based on problem-solving using constraints given to the program, rather than using an algorithm written by a programmer [Prolog, OPS5, Mercury, CVXGen [6][7] , Geometry Expert] Mainly used in AI
safe harbor clause (privacy law)
provides exception for encrypted data that is lost, leaked
first indicator of successful security policy
well defined risk management process
break and fix project management methodology
reactive model of hiring IT service providers to perform one-time services and pay them only for the work done
primary method used for syntactic validation
regular expressions
does challenge / response authentication add an additional authentication factor
No
least effective method of detecting errors in transmitted data
parity checks
object oriented analysis and design
a technical approach for analyzing and designing an application, system, or business by applying object-oriented programming, as well as using visual modeling throughout the software development process to guide stakeholder communication and product quality.
OOAD in modern software engineering is typically conducted in an iterative and incremental way. The outputs of OOAD activities are analysis models (for OOA) and design models (for OOD) respectively. The intention is for these to be continuously refined and evolved, driven by key factors like risks and business value.
Object-oriented analysis
The purpose of any analysis activity in the software life-cycle is to create a model of the system’s functional requirements that is independent of implementation constraints.
The main difference between object-oriented analysis and other forms of analysis is that by the object-oriented approach we organize requirements around objects, which integrate both behaviors (processes) and states (data) modeled after real world objects that the system interacts with. In other or traditional analysis methodologies, the two aspects: processes and data are considered separately. For example, data may be modeled by ER diagrams, and behaviors by flow charts or structure charts.
Object-oriented design
Main article: Object-oriented design
During object-oriented design (OOD), a developer applies implementation constraints to the conceptual model produced in object-oriented analysis. Such constraints could include the hardware and software platforms, the performance requirements, persistent storage and transaction, usability of the system, and limitations imposed by budgets and time. Concepts in the analysis model which is technology independent, are mapped onto implementing classes and interfaces resulting in a model of the solution domain, i.e., a detailed description of how the system is to be built on concrete technologies
Object-oriented modeling
Main article: Object-oriented modeling
Object-oriented modeling (OOM) is a common approach to modeling applications, systems, and business domains by using the object-oriented paradigm throughout the entire development life cycles. OOM is a main technique heavily used by both OOD and OOA activities in modern software engineering.
PII, 26 + 3 categories
Personally Identifiable Information
Examples of personally identifiable information (PII) include :
Social security number (SSN),
passport number,
driver’s license number,
taxpayer identification number,
patient identification number, and
financial account or
credit card number
Personal address and
phone number
Biometric records such as photographic image (especially of face or other distinguishing characteristic),
x-rays,
fingerprints,
retina scan,
voice signature,
facial geometry
Information that when combined with other information like that listed above which can then be used collaboratively to identify a specific individual. For example,
date of birth,
place of birth,
race,
religion,
geographical indicators,
employment information,
medical information,
education information,
financial information.
bit splitting / data dispersion storage
Bit splitting is the technique of splitting up and storing encrypted information across different cloud storage services. * One way that criminals hide data across the cloud that makes it extremely difficult for forensics to find and obtain.
breach and attack simulation
What is a breach and attack simulation? A breach and attack simulation is a type of advanced computer security testing method. It aims to identify different vulnerabilities in security environments by simulating the attack paths and techniques likely to be used by malicious actors
can be automated
attribution
when an entity is named as being responsible or accountable for an act
SCAP, what does it mean, what is it for, features (3), benefits (3)
security content automation protocol
SCAP is a method for using specific standards to help organizations automate vulnerability management and policy compliance evaluation. SCAP comprises numerous open security standards, as well as applications which use these standards to check systems for vulnerabilities and misconfigurations
Features:
SIR
Scan systems against open cybersecurity standards
Report back with a “score” to help evaluate the system’s security posture
Interoperate with other SCAP-validated scanners to express results in a standardized way
Benefits:
SSS
cooperation among Stakeholders
Stops attacks and closes vulnerabilities
puts Standards into action
metrics used in cvss (3 groups) and meaning of each
BE the I in TEEM
Base:
exploitability metrics
impact metrics
Threat / Temporal:
exploit maturity
Environmental:
modified base + CIA
data normalization
the process of structuring a relational database in accordance with a series of so-called normal forms in order to reduce data redundancy and improve data integrity. It was first proposed by British computer scientist Edgar F. Codd as part of his relational model.
Normalization entails organizing the columns (attributes) and tables (relations) of a database to ensure that their dependencies are properly enforced by database integrity constraints. It is accomplished by applying some formal rules either by a process of synthesis (creating a new database design) or decomposition (improving an existing database design).
hipaa 3 core rules
The Privacy Rule.
The Security Rule.
The Breach Notification Rule.
data masking, definition, aka (3)
the process of modifying sensitive data in such a way that it is of no or little value to unauthorized intruders while still being usable by software or authorized personnel.
Data masking can also be referred as:
anonymization
tokenization
obfuscation
blind penetration test
simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that’s performing the test beforehand
standard used to evaluate the security of cryptographic modules
Federal Information Processing Standard Publication 140-2, (FIPS PUB 140-2), is a U.S. government computer security standard used to approve cryptographic modules. The title is Security Requirements for Cryptographic Modules.
nfc vs rfid
nfc used more for cell phones
rfid used more for smart cards
PRIMARY indicator of QoS
lowest packet loss
Config Mgmt DB implementation process (6 steps), 3 C’s
Process:
D DIED V
(Don’t Do It Every Day Victoria)
Determine business objectives.
CMDB Discovery tools.
ITSM system integration.
Equip data owners/data stewards with the right tools.
Data management and retention plan.
CMDB: data Visualization.
The 3 C’s of CMDB -
Configuration Items,
Changes, and
Compliance -
MOST common type of security investigation
network security investigation
MOST important indicator for ensuring compliance with legislative and regulatory requirements
quality of the compliance management system
MOST effective way to secure network components
updating software and firmaware
SOC 2 vs. SOC 3
SOC 3 doesn’t provide as much detail ast the SOC2 Type II report
types of block chain and what they’re used for (4),
two types have aka’s, one of them has two aka’s
Permissionless Blockchain
It is also known as trustless or public blockchains, are available to everyone to participate in the blockchains process that use to validate transactions and data. These are used in the network where high transparency is required.
Permissioned Blockchain
These are the closed network only a set of groups are allowed to validate transactions or data in a given blockchain network. These are used in the network where high privacy and security are required.
Hybrid Blockchain:
combination, controlled by permissionless
Consortium Blockchain:
It is a creative approach that solves the needs of the organization. This blockchain validates the transaction and also initiates or receives transactions.
Also known as Federated Blockchain. This is an innovative method to solve the organization’s needs. Some part is public and some part is private. In this type, more than one organization manages the blockchain.
referential database entity integrity
Referential integrity is based on entity integrity . Entity integrity requires that each entity have a unique key. For example, if every row in a table represents relationships for a unique entity, the table should have one column or a set of columns that provides a unique identifier for the rows of the table.
False positive / False negative in IDS / IPS
A false positive state is when the IDS identifies an activity as an attack but the activity is acceptable behavior. A false positive is a false alarm.
A false negative state is the most serious and dangerous state. This is when the IDS identifies an activity as acceptable when the activity is actually an attack.
Manual penetration testing vs. automated, which is better and why (5 points)
manual goes beyond automated
There are five primary reasons why manual pen testing yields superior outcomes when compared to automated penetration tests.
Human expertise: Manual penetration tests are conducted by security experts with in-depth industry experience and technical know-how. They can adjust the testing methodology as per your organization’s structure. This results in optimal findings with efficient remediation measures down the line when compared to an automated report that may contain false positives. Human validation of findings: In a manual pentest exercise, the testing team validates their findings during the process as everything is done manually; each step can be documented and double-checked. However, in automated tests, this transparency is not available, and results can be tough to verify. The findings from pure automated pentests may contain false positives that analysts must verify before remediation can occur. Customized Pentest Engagements: Manual testing allows customizations based on threats your organization is more likely to face. While the efforts required by the testing team increase substantially, a thorough inspection is conducted in manual pen testing. Manual Detection of Logical Flaws: Automated tests fail to identify logical flaws in applications. While not every logical flaw is a vulnerability, manual tests can identify broken structures within your applications. Improve Mean Time to Remediate (MTTR): The remediation process becomes more effective when a test is customized for your organization’s structure, compliance requirements, and external and internal environments. Organizations can realize their return on investment by significantly reducing their overall mean time to remediate as they eliminate vulnerabilities discovered in manual pen te
CA role vs File / Printer sharing role
F/P cannot be applied on a domain controller
CA role can be applied
= vs ==
== is equality
= is assignment
Best approach to risk transfer
insurance
RDP and encryption
RDP has built in encryption
ITAM (IT Asset Mgmt) primary purpose
maximize ROI
primary factor that determines the value of an asset in terms of its impact on an organization’s cyber security
an asset’s potential to cause harm to an org if compromised
governance standard and control frameworks focused on IT service management
ITIL
DR restoration order
most critical first
white hat vs black hat vs gray hat hackers
White hat hackers probe cybersecurity weaknesses to help organizations develop stronger security; black hat hackers are motivated by malicious intent; and Gray hat hackers operate in the nebulous area in between — they’re not malicious, but they’re not always ethical either
database bind variables
Bind variables allow the same SQL statement (cursor) to be reused repeatedly even though specific predicate values being referenced change from one execution to the next by masking the literal value that’s changing each time. Then the SQL text is identical each time and requires only one (hard) parse.
Open Source License types (2), examples of each
Permissive: BSD, MIT, Apache
Copyleft: require source code to be distributied, GPL, LGPL, AGPL, EPL, MPL
Most important role of incident management team
prevent further damage
IKE OSI layer
3 / network
OSI layer is responsible for ensuring that data is delivered to the correct destination and ensuring that messages are delivered in the correct order
3 / network
first indicator of successful cloud migration
least downtime for users
most important business need that must be identified in order to ensure the success of the merger
Ensuring that all data is encrypted during transmission
key feature of a secure network architecture
Network Segmentation
most important policy requirement
Ensuring that all employees receive proper training on security policies and procedures
EASIEST way to secure cloud data storage
Implementing encryption on all data
primary concern when configuring the discretionary access control permissions
main security concern in a DAC model is the potential misconfiguration of permissions by the data owners
RAID meaning
Redundant Array of Independent Disks
Domain transitive trust
optimal balance between resource accessibility and security for org with many domains
PRIMARY reason we would choose to use hash functions
To create a unique identifier for data
MOST effective way to prevent a SYN flooding attack
Increasing the number of SYN cookies
PRIMARY reason why organizations implement security logging and monitoring
To detect and prevent security breaches
MOST effective way to implement FWaaS (Firewall as a Service)
Cloud-based FWaaS solutions offer the highest level of security and scalability – better than h/w based due to maintenance being performed by cloud provider
primary function of a Public Key Infrastructure (PKI)
To manage the distribution and revocation of digital certificates
kerberos security concerns (3)
Weaknesses of Kerberos:
Single Point of Failure
Each Network Service Needs a Set of Kerberos Keys
Strict Time Requirements
the BEST method for implementing job rotation in order to prevent security breaches and maintain confidentiality
Scheduling regular job rotation for all employees
MOST effective strategy to comply with privacy laws and regulations across different regions, ensuring that personally identifiable information (PII) is securely managed (for orgs that have many jurisdictions)
Implementing the strictest privacy standards (such as those of the European Union) across all operations globally
HIGHEST level of responsible disclosure
Coordinating with the affected organization to fix the issue before disclosing it
FIRST measure of the effectiveness of a biometric system
The Failure to Enroll Rate (FTER)
CCTV doesn’t need
alarm system or internet (but more modern systems need internet)
WPA3 and 802.11ax backwards compatibility status
are backwards compatible
MOST effective indicator of a successful cloud security implementation
Robust access controls
security analyst vs security engineer
A security analyst focuses on identifying vulnerabilities, while a security engineer focuses on implementing security controls
IKE process
phase 1, an authenticated connection between the host and user is established using a preshared key or a digital certificate. The goal is to secure the communications that occur in phase 2. The Diffie-Hellman key exchange algorithm creates a secure authentication communication channel. This digital encryption method uses numbers raised to specific powers to produce decryption keys. The negotiation should result in session keys and one bidirectional SA.
Phase 1 operates under one of two modes: main mode or aggressive mode. The main mode consists of both parties sending three two-way exchanges equaling six messages in total. The first two messages confirm encryption and authentication algorithms. The second set of two messages starts a Diffie-Hellman key exchange, where both parties provide a random number. The third set of messages verifies the identities of each party.
Aggressive mode accomplishes the same task as the main mode but does so in just two exchanges of three messages. Whereas the main mode protects both parties’ identities by encrypting them, the aggressive mode does not.
Phase 2 of IKE negotiates an SA to secure the data that travels through IPsec, using the secure channel created in phase 1. The result is a minimum of two SAs that are unidirectional. Both parties also exchange proposals to determine which security parameter to use in the SA.
Phase 2 operates in only one mode: quick mode. Quick mode provides three resources: proxy IDs, perfect forward secrecy (PFS) and replay protection. The proxy IDs of each participant are shared with each other. PFS delivers keys independent from preceding keys. Replay protection is a security method to protect against replay attacks.
The main and aggressive modes found in phase 1 only apply to IKE version 1 and not to IKE version 2.
IKE v2 improvements (10)
Improvements in IKEv2 over IKEv1 are as follows:
BDFL
MMNORS
requires less Bandwidth; provides more resistance to denial-of-service (DoS) attacks; enables message Fragmentation and allows IKEv2 to operate in areas where IP Fragments might be blocked and an SA may fail to establish; detects automatically if an IPsec tunnel is still Live so that IKE can automatically reestablish a connection if needed; demands fewer cryptographic Mechanisms to protect packets; supports Mobile platforms, including smartphones; comes equipped with the built-in Network Address Translation (NAT) traversal needed to support routers that perform translations; requires only One four-message initial exchange mechanism; enables Rekeying to build new keys for SA. supports the securing of Stream Control Transmission Protocol (SCTP) traffic;
MFA and password policy
doesn’t improve the policy
What are each of these methods best suited for:
OCATAVE
PASTA
DREAD
STRIDE
OCATAVE: broad organization wide risk assessment
PASTA: application threat modeling framework
DREAD: classification scheme for categorizing the severity of security threats
STRIDE: risk assessment for software development process
First step in divestiture
Announce the divestiture to stakeholders