CISSP Flashcards
RMM mnemonic
[After People Die I’m Out] (Adhoc, Preliminary, Defined, Integrated, Optimized)
ISC2 Code of Ethics Preamble
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.
ISC2 Code of Ethics Canons
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
Bell-LaPadula
Confidentiality (MAC)
Simple Security Property - No Read Up
* Security Property - No Write Down
Strong * Property - No Read or Write UP and Down
BIBA
Integrity (MAC)
Simple Integrity Axiom - No Read Down
* Integrity Axiom - No Write Up
Invocation - NRU,NWU
Lattice Based, who, when, type of access control, concerned with restricting…, based on the interaction between…, diagram
(Denning 1976) (MAC)
restrict information flow,
based on the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups or organizations)
Diagram (lattice, top to bottom): TS1,2 / TS1, TS2 / S1,2 / S1, S2 / TS / S
Graham Denning, based on what other model?, what type of systems?, what does it show mainly?, what else does it address, functions
EDSA
(Extended LBAC)
Distributed Systems
Shows how subjects and objects should be securely created and deleted.
It also addresses how to Assign specific access rights.
Graham and GA are associated
1 TA
2 GA
3 DA
4 RO
5 CO
6 DO
7 CS
8 DS
Harrison Ruzzo Ullman, extended from what other model?, access control type, used for…, functions
Extended GD
DAC
Operating System level Subjects = Objects
1 CO
2 CS
3 DS
4 DO
5 ERAM (enter right into access matrix)
6 DRAM (delete right from access matrix)
Clark Wilson, description, used to ensure data… and … using … to ensure the system maintains … …, provides (2)
CW (consistent state / well formed transactions)
Integrity - Separates Users Well Formed Transactions
Subjects / Programs / Objects
Consistent State -> Consistent State
Provides: Separation of Duties and Data Integrity
Brewer Nash / Chinese Wall / Information Barriers, constructed to provide information … … controls that can … …
Info Flow
N conflict of interest
constructed to provide information security access controls that can change dynamically
Non-Interference definition
actions at higher sec levels don’t affect lower levels subject knowledge of system state
Take Grant, used in the field of computer security to … or … the … of a given … … that follows … rules, diagram
used in the field of computer security to establish or disprove the safety of a given computer system that follows specific rules.
Diagram (take/grant graph): S1 -t- S2 -g- S3, plus a c/r edge to object O
Zachman Framework, used for, by establishing 6 frameworks for whom (6)
provides a means of classifying an organization’s architecture
6 Frameworks (What, How, Where, Who, When, Why)
mapped to rules for Planner, Owner, Designer, Builder, Programmer, User
Cybersecurity Evaluation Methods, Certification, Accreditation
Historical and current (4 items total)
1980’s DoD Orange Book - Trusted Computer Systems (retired)
1980’s DoD Red Book - Trusted Networks (retired)
ITSEC (Europe) 1st International, references Orange Book (retired)
ISO / IEC 15408 (International Common Criteria)
International Common Criteria
EAL’s
Mnemonic
[Football Seams Mostly Mean Says Silly Fools]
1F Functionally Tested
2S Structurally Tested
3M Methodically Tested
4M Methodically Designed and Tested
5S Semi-formally Tested
6S Semi-formally Designed and Tested
7F Formally Designed and Tested
Need to know
employees who don’t need to know shouldn’t access (even if they can access)
While “need to know” indicates the user has a legitimate reason to access something, least privilege is the enforcement method that limits access to that something, and what the user can do with that something.
need to know predicates invocation of least privilege
Secure / Security Design Principles detail on usage (4), one has 7 characteristics
Trust but Verify (security perimeter, outside perimeter not trusted, once inside trusted)
Zero Trust (no security perimeter, always verify - best for clouds)
Privacy by design (proactive, default, embedded, full functionality, end to end, visibility / transparency, respect for privacy) PED FEVR
Shared responsibility (shared with cloud provider)
Security Domains (Modes) for Hardware access (5)
Kernel mode / Supervisor mode - unrestricted access to hardware
User mode / problem mode - no direct access to hardware only access via API
Open systems - components built with open standards (tested but open to common vulnerabilities)
Closed systems - proprietary hardware and software (not tested but not open to common vulnerabilities)
Ring Model from -1 (hypervisor), 0 (kernel), 1, 2 (drivers), 3 (applications)
TPM, what does it mean, what is it, functions provided (5), ties … … to … to prevent …, can also be used to … the … … to prevent …, 2 keys in persistent memory, 3 keys in versatile memory, what is each key used for
Trusted Platform Module
international standard for a secure cryptoprocessor -
functions:
RNG (random number gen),
encryption,
hashing,
secure key storage,
boot integrity
ties hard drive to system to prevent tampering
can also be used to “seal” the system configuration in order to prevent tampering
keys: EaSy / P A Ss
2 keys in persistent memory:
EK - endorsement key ensures the authenticity of the TPM
SRK - storage root key, master key to secure other keys stored in TPM
3 keys in versatile memory:
PCR - used to store hashes for sealing
AIK - Attestation Identity Keys - used for attestation of TPM chip, AIK ensures integrity of EK
Storage Keys - used to encrypt storage
monolithic kernel
one static executable run in supervisor mode
DCS
distributed control systems, computerized control system with distributed, autonomous controllers 1000’s+
XOR
add key to plain text to create cipher text
always done in binary 0’s and 1’s
result: if both are the same, it’s 0; if not, it’s 1
Substitution, how it’s done and what does it provide
replaces characters in plain text with cipher text, provides confusion
Permutation
provides diffusion by rearranging characters in plain text into the cipher text
Symmetric Encryption Ciphers mnemonic
3-hole Is Anything But Trusted Frantically Reverse Run Right (3DES, IDEA, AES, Blowfish, Twofish, Feistel, RC4, RC5, RC6)
Assymetric Encryption mnemonic
Rugged Defensive Ends Easily Destroy Kickers (RSA, DSA, ECC, EG, DH, K)
3DES, distinguished from DES by what?, what to know about its current usefulness
DES with 3 keying modes; only K1 is considered secure (until 2030)
IDEA, what does it mean, block size, key size, secure or not, open source or not
International Data Encryption Algorithm
IDEA
I was born in 64, hope to Die before 128, Essentially secure, As expected it’s proprietary
64 bit block size
128 bit key,
(still secure but proprietary)
AES, 5 characteristics (2 tech used, open vs. closed source, 2 crypto methods used)
Advanced Encryption Standard
A ROTS
AddRoundKey,
Rijndael,
Open source,
Transposition,
Substitution
Blowfish type of cipher, uses what, block size(s), key length(s), secure or not
block cipher,
uses Feistel,
64 bit blocks,
32 - 448 bit key lengths,
NOT SECURE
Twofish, block size(s), key length(s)
similar to Blowfish but 128 bit blocks, key lengths of 128, 192, 256
Feistel cipher, overview of how it works (4 steps)
splits plaintext into left and right halves,
right half doesn’t change but is XOR’d with a subkey,
then XORs it again with the left block,
recipient reverses the XOR order
RC4, cipher type, key lengths, used by (4), secure or not?
stream cipher
40-2048 bit key lengths
used by WEP/WPA/SSL/TLS
NOT SECURE
RC5, cipher type, uses what cryptographic algorithm, block size(s), key length(s), secure or not secure and under what condition(s)
Rivest Cipher
remember key length similar to RC4 but with basic block sizes of 32,64,128
R for Roblox, 5 is for the 5 lines to remember below
block cipher (Roblox)
uses Feistel,
32/64/128 bit blocks,
key length 0-2040 bits
secure if high number blocks / keys
RC6, distinguished from RC5 how?, block size, key lengths, current status
based on RC5 but meets AES requirements,
128 bit blocks,
128, 192, 256 bit key lengths,
secure, but not widely used
RSA, cipher type, keys generated by…, key sizes, provides what services (4), common use
Rivest Shamir Adleman,
RSA
block cipher, (Roblox)
new keypair using very large prime numbers, (Supersized prime number keys)
1094-4096 bit keys (of Amount)
services
authentication, key encryption, digital signatures, encryption
uses
AES symmetric encryption
DH, used for, earliest …, after keys are established…
Diffie-Hellman,
key exchange,
earliest to allow unknown parties to establish shared key,
after keys established, can be used for later encryption
ECC, what is it, open source or proprietary?, 2 advantages
Elliptic Curve Cryptography,
logarithms applied to elliptical curves,
proprietary,
256 bit ECC key is as strong as 3072 bit RSA key,
power efficient
EG, what does it mean, based on, used in 2 technologies
ElGamal,
based on DH,
used in GNU Privacy guard and PGP
DSA, what does it mean, uses different what than RSA, provides same or different level of security as RSA, … … key gen, variant of what
Digital Signature Algo,
uses different algo for signing and encryption than RSA, provides same level of security,
2 phase key gen,
variant of ElGamal
K, what does it mean, type of encryption, use of public / private keys, secure or not
KOPP’N
Knapsack,
one-way,
public key for encryption,
private key for decryption,
NOT SECURE
Hash Algorithms mnemonic
Menacing Middle Stops Small Speedy Halfbacks Reversing Run (MD5, MD6, SHA1, SHA2, SHA3, HAVAL, RIPEMD, RIPEMD160)
MD5, length, current status
128 bit fixed length hash value
widely used but
can create collisions (2 different data can equal the same hash)
MD6
withdrawn due to flaws
SHA1, what is it, hash value, current status
Secure Hashing Algo,
160 bit hash value,
weak collision avoidance,
still used a lot
SHA2
Secure Hashing Algo, newer and collision resistant, used some
SHA3
Secure Hashing Algo, newest, not used much yet
HAVAL, what does it mean, length(s), current status
Hash of Variable Length,
MD length is variable 128/169/192/224/256 bits,
not widely used
RIPEMD
developed outside of defense to ensure no government backdoors,
NOT SECURE
RIPEMD160
fixed RIPEMD but not widely used, secure
key stretching, what is it, what does it use, helps thwart 2 types of attacks
A technique used to increase the strength of stored passwords. It adds additional bits (called salts) and can help thwart brute force and rainbow table attacks.
MAC, what does it mean, what kind of function, provides 2 forms of protection
Message Authentication Code
hash function
provides integrity, authenticity
PGP, what does it mean, what 2 security concepts does it provide at base level and what additional concepts (3) can be provided
Pretty Good Privacy
provides privacy, authentication,
can also provide confidentiality, integrity, and non-repudiation
PGP used for 4 things and uses what
used for file, directory & whole disk encryption,
email,
uses Web of Trust model (if you trust me you trust those I trust)
S/MIME, is an IETF standard that provides … … for … …, uses … to … and … email
S/MIME is an IETF standard that provides cryptographic security for electronic messaging
uses PKI to encrypt and authenticate email
TCP/IP - PDU - OSI mapped
[LLITA,BFPSD] Large Lineman Interrupt Tackling Attempts, But Freaky Passers See Downfield
TCP/IP / PDU / OSI
Link & Physical / Bits / (OSI 1)
Link & Physical / Frames / (OSI 2)
Internetwork / Packets / (OSI 3)
Transport / Segments / (OSI 4)
Application / Data / (OSI 5-7)
IPv4 Header
Very Intelligent Quarterbacks Identify Top Pass Catchers Stretching Defense Out
Version
IHL/IP Header Length
QoS
ID/Flags/Offset for fragmentation
TTL
Protocol number
Checksum
Source address
Destination address
Options
IPv6 Header
Vicious Tacklers Frighten Passers Needing To Score Deep
Version
Traffic class/ Priority
Flow label (QoS)
Payload length
Next header
TTL
Source address
Destination address
EDRM process (9 steps)
Internet-Games Involve People Chanting Pretentious R A P P
(Electronic Discovery Reference Model)
Information Governance
Identification
Preservation
Collection
Processing
Review
Analysis
Production
Presentation
Change Management Process steps (9)
In Practice All Players Try Something Not In Playbook
IPA PT SNIP
Identify
Propose
Assess risk, impact
Provisional change approval
Test the change
Schedule the change
Notification of change
Implementation of change
Post implementation reporting
DRP Lifecycle (4 phases)
Planning Recovery Rarely Matters
Preparation
Response
Recovery
Mitigation
Developing BCP/DRP
P S B I R P I T T M
Project Initiation
Scoping Project
BIA (business impact analysis)
Identify Preventive Controls
Recovery Strategy
Plan Design
Implementation
Training
Testing
Maintenance
OWASP current Top 10
Best Coaches Intend Immediate Success Visionary Inspire Spur Stimulate Sacrifice
Broken Access Control
Cryptographic Failures
Injection
Insecure Design (new)
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures (new)
Security Logging and Monitoring Failures
Server-Side Request Forgery (new)
Agile Software Development Umbrella of Methodologies, Principles (12), how does it work (5)
Every Win For Competitive Teams Forces Players Subservience to Coaches Superior Schemes with Confidence
Principles:
(FF PEWT CCC SSS)
1 Face to Face communication is best
2 Frequent delivery
3 Primary measure of progress is working software
4 Early continuous delivery
5 Welcome changes
6 Trusted individuals
7 Cooperation between business and developers
8 Continuous attention to good design
9 Continuous improvement
10 Self-organizing teams produce best results
11 Simplicity
12 Sustainable development at constant pace
How it works:
Agile does not deliver prototypes, but breaks product down to individual features and features are continuously delivered
does not follow rigid processes, but focuses on getting the product finished faster
focus on user stories,
small incremental deliveries
less documentation, more focus on delivering right software
Extreme Programming Characteristics (8), relation to Scrum, result
(PU CAFFE - only somebody EXTREMEly stupid would eat at the PU CAFFE)
Pair programming (continuous code reviewing, or taking code reviews to the EXTREME)
Unit testing
Code clarity and simplicity
Avoidance of features until they are needed
Flat management
Frequent communication between dev and bus
Expecting changes as problem is better understood
“take away the regularity of Scrum and add a lot of code reviewing and you get Extreme Programming”
Results in fewer errors, better code
Spiral Model phases, what does angular aspect represent, what does diameter of spiral represent
PREE
Planning
Risk Analysis
Engineering
Evaluation
angular aspect is progress
diameter of spiral is cost
Secure Coding Techniques (12)
VOMIT SCiEnCE DB
Validation Points
Obfuscation / Camouflage
Memory Management
Input Validation
Third Party Libraries and SDKs
Stored Procedures
Code Reuse / Dead Code
Encryption
Code Signing
Error and Exception Handling
Data Exposure (Applications)
Balancing Time and Quality
CSF
Cybersecurity Framework NIST
(I Protect Data Revealing Robberies)
Identify
Protect
Detect
Respond
Recover
RMF process
Risk Management Framework (RMF)
NIST 800-37 Steps
(Perilous Cases Start In An Angry Mob)
Prepare - establish context and priorities
Categorize - based on impact of loss
Select - set of controls for a system based on risk assessment
Implement - controls and describe how they fit
Assess - controls for propriety
Authorize - system of controls to determine if risk is acceptable / reasonable
Monitor - system and controls for changes
DRM Tools
[CAP]
Continuous Audit Trail
Automatic Expiration
Persistent Online Authentication
Symmetric Encryption Info
Name / Block Size / Key Size(s) / Secure or Insecure
3D DIRRRT CCARBS
3DES / 64 / 112,168 / S
DES / 64 / 56 / I
IDEA (used in PGP) / 64 /128 / S
RC4 (Rivest Cipher) / N/A stream cipher / 40-2048 / I
RC5 / 32,64,128 / 0-2040 / S
RC6 / 128 / 128,192,256 / S
Twofish / 128 / 1-256 / S
CAST-128 / 128 / 40-128 / S
CAST-256 / 128 / 128,160,192,224,256 / S
AES / 128 / 128,192,256 / S
Rijndael / variable / 128,192,256 / S
Blowfish / 64 / 32-448 / I
Skipjack / 64 / 80 / S
Hashing algorithm info
Name / Hash value length(s) / Secure or Insecure
MRS S2and3 H H
MD 5or6 / 128 / 5-I, 6-S
RIPEMD / 128,160,256,320 / 128 I, other S
SHA1 / 160 / I
SHA 2or3 / 224,256,384,512 / S
HAVAL / 128,160,192,224,256 / S
HMAC / variable / S
Supported Digital Signature Standards
NIST
DSA (FIPS 186-4)
RSA (ANSI X9.31)
ECDSA (ANSI X9.62)
Authorizing Official Decisions (RMF)
[ACAD]
ATO authorization to operate
CCA common control authorization - used for inheritance when risk is acceptable
ATU authorization to use - used when third party providers servers are acceptable risks or for reciprocity of another AO’s ATO
DOA denial of authorization
ARP poisoning
uses unsolicited replies
NAC
has a subset which is port-based (802.1X)
Rule Based Access Control
uses global rules applied to all users equally
Hierarchical MAC
grants access using predefined labels assigned to subjects and objects
MAC is based on a hierarchical model. The hierarchy is based on security level. All users are assigned a security or clearance level. All objects are assigned a security label. Users can only access resources that correspond to a security level equal to or lower than theirs in the hierarchy.
OIDC
uses JSON web tokens
provides authentication and profile information for internet SSO,
it is built on OAuth 2.0 framework
goal of DRP
restore normal business activity in the case of a disaster event
BCP focus
focused on keeping business functions uninterrupted
DRP purpose
guides an organization through recovery of normal operations at the primary facility affected by disaster
Kerberos Process
The Kerberos protocol flow involves three secret keys: client/user hash, TGS secret key, and SS secret key. The basic protocol flow steps are as follows:
C K C C K C T
Step 1: Initial client authentication request: The user asks for a Ticket Granting Ticket (TGT) from the authentication server (AS). This request includes the client ID.
Step 2: KDC verifies the client’s credentials. The AS checks the database for the client and TGS’s availability. If the AS finds both values, it generates a client/user secret key, employing the user’s password hash.
The AS then computes the TGS secret key and creates a session key (SK1) encrypted by the client/user secret key. The AS then generates a TGT containing the client ID, client network address, timestamp, lifetime, and SK1. The TGS secret key then encrypts the ticket.
Step 3: The client decrypts the message. The client uses the client/user secret key to decrypt the message and extract the SK1 and TGT, generating the authenticator that validates the client’s TGS.
Step 4: The client uses TGT to request access. The client requests a ticket from the server offering the service by sending the extracted TGT and the created authenticator to TGS.
Step 5: The KDC creates a ticket for the file server. The TGS then uses the TGS secret key to decrypt the TGT received from the client and extracts the SK1. The TGS decrypts the authenticator and checks to see if it matches the client ID and client network address. The TGS also uses the extracted timestamp to make sure the TGT hasn’t expired.
If the process conducts all the checks successfully, then the KDC generates a service session key (SK2) that is shared between the client and the target server.
Finally, the KDC creates a service ticket that includes the client ID, client network address, timestamp, and SK2. This ticket is then encrypted with the server’s secret key obtained from the db. The client receives a message containing the service ticket and the SK2, all encrypted with SK1.
Step 6: The client uses the file ticket to authenticate. The client decrypts the message using SK1 and extracts SK2. This process generates a new authenticator containing the client network address, client ID, and timestamp, encrypted with SK2, and sends it and the service ticket to the target server.
Step 7: The target server decrypts and authenticates. The target server uses the server’s secret key to decrypt the service ticket and extract the SK2. The server uses SK2 to decrypt the authenticator, performing checks to make sure the client ID and client network address from the authenticator and the service ticket match. The server also checks the service ticket to see if it’s expired.
Once the checks are met, the target server sends the client a message verifying that the client and the server have authenticated each other. The user can now engage in a secure session.
Kerberoasting
a post-exploitation attack technique that attempts to obtain a password hash of an Active Directory account that has a Service Principal Name (“SPN”).
In such an attack, an authenticated domain user requests a Kerberos ticket for an SPN.
Prevention: HER G (Hygiene, Extraction, Restrict, Governance)
Practice good password hygiene for service accounts
Use long passwords (at least 25 characters) for service accounts
Regularly rotate passwords every 30 days
Implement group managed service accounts (gMSAs) or third-party solutions for automated password management
Institute proper governance for service accounts
Keep track of service accounts and their usage
Enforce the principle of least privilege for all service accounts
Follow NIST guidelines for password security, prioritizing password length over complexity and avoiding frequent password changes
Restrict access to the KRBTGT account password
Limit access to the KRBTGT password hash to minimize vulnerability to Golden Ticket attacks
Identify accounts with rights to extract password hashes and remove unnecessary permissions
Regularly change the KRBTGT password to invalidate any existing Golden Tickets
Use Microsoft’s KRBTGT account password reset script every 180 days
Prevent the extraction of service accounts
Create an inventory of all service accounts and their details
Maintain documentation for when accounts should be reviewed, deactivated, or deleted
Grant minimum privileges necessary for each service account
Change default passwords of service accounts
Use automated password management solutions to regularly rotate passwords
Use separate accounts for different services
Avoid using the same password for multiple service accounts
Promptly decommission service accounts that are no longer needed
Use tools to detect and manage inactive service accounts
Monitor service accounts for suspicious activity
Use a real-time auditing solution with machine learning for anomaly detection and response
Kerberos User Enumeration
brute-force attack on Kerberos
has a distinct advantage over attacks on other authentication methods: no domain account is required to perform the attack, just a connection to the KDC
there is a u in both enumeration and brute force and unrealistic
solution: detect unrealistic amounts of AS-REQ requests without follow-up requests
AS-REP Roasting
attackers steal encrypted parts of an AS-REP message from user accounts in order to then crack them offline
AS-REP ends with P and preauthentication starts with P
solution: make sure all accounts in your domain have the Kerberos pre-authentication enabled
Golden Ticket Attack
A golden ticket in Active Directory — much like its namesake for Willy Wonka’s chocolate factory — grants the bearer unlimited access. A Golden Ticket attack abuses the Kerberos protocol, which depends on the use of shared secrets to encrypt and sign messages.
P. L. Kurl is an Oompa Loompa
solution: PLKURL
Protect against phishing attacks by training staff to identify suspicious emails and avoid sharing credentials.
Limit user privileges to necessary roles and only use admin accounts for administrative tasks.
Keep operating systems updated and disable plain text password storage in Active Directory to prevent Mimikatz-style attacks.
Use a real-time auditing solution to respond to failed login attempts with custom scripts to disable accounts, stop processes, change firewall settings, or shut down servers to prevent brute force attacks.
Regularly change the password for the KRBTGT user, doing it twice around 12-24 hours apart to avoid service disruptions.
Look for signs of a Golden Ticket attack, such as nonexistent usernames, username and RID mismatches, modified group memberships, weaker encryption types, and ticket lifetimes exceeding the domain maximum.
Incipient Fire Detectors
Can detect fire at incipient stage using air ionization detection
SHA2 aka
SHA256
preaction fire suppression system
activates in two steps. The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.
grid computing most significant risk
an isolation breach in the distributed computing client could be catastrophic, allowing someone who compromises the controller to assume control of every device in the organization
Multistate systems definition
Multistate systems are certified to handle data from different security classifications simultaneously by implementing protection mechanisms that segregate data appropriately.
Accreditation definition
Accreditation is the act of management formally accepting an evaluated system, not evaluating the system itself.
TEMPEST program
The TEMPEST program creates technology that is not susceptible to Van Eck phreaking attacks because it reduces or suppresses natural electromagnetic emanations.
Mimikatz tool
The use of the Mimikatz tool is indicative of an attempt to capture user password hashes for use in a pass-the-hash attack against Microsoft Active Directory accounts.
zero-knowledge proof
In a zero-knowledge proof, one individual demonstrates to another that they can achieve a result that requires sensitive information without actually disclosing the sensitive information.
Secure VOIP practices and what is usually not used
patching / updates
authentication implementation
disable unnecessary ports and services
a dedicated VLAN for VoIP devices to help separate them from other networked devices
the use of SIPS and SRTP, both secure protocols that will keep VoIP traffic encrypted
IPS for VoIP is not a typical deployment in most organizations
AIO book conflicts and says to use IDS / IPS
Best Authentication out of EAP, LEAP, PEAP and EAP-TLS without complexity
PEAP is the best solution. It encapsulates EAP in a TLS tunnel, providing strong encryption.
EAP is not protected
LEAP is a Cisco proprietary protocol that was originally designed to help deal with problems in WEP. LEAP’s protections have been defeated, making it a poor choice.
EAP-TLS is secure but requires client certificates, making it difficult to deploy and manage.
Securing collaboration platforms
Most modern platforms support TLS for best user experience and sufficient security
best option for providing free wireless to customers without need for accounts / passwords
WPA3 SAE (simultaneous authentication of equals) is new and best, if need to worry about older devices, WPA2 PSK should be used
OSI layer for ARP and RARP
ARP and RARP operate at the Data Link layer
JPEG, ASCII, and MIDI OSI Layer
6 Presentation
SDWAN advantages
PCS
predefined rules to optimize performance
continuous monitoring to support better performance
self-learning techniques to respond to changes in the network
802.1x authentication type and can be used with, supported by
port based authentication (can be used on both wired and wireless)
can be used with EAP technologies
supported by 802.1AE, 802.1AR, 802.1AF
SIPS
ensures that the VoIP session initialization is secure
WPA2 CCMP basis
based on AES
zigbee encryption method
uses AES
captive portal function and implication
combine the ability to gather data from customers with an open network, so customer data will not be encrypted.
This avoids the need to distribute network passwords but means that customers must ensure their own traffic is encrypted if they are worried about security.
biggest challenge most common for EDR / endpoint security system deployments
Endpoint security solutions face challenges due to the sheer volume of data that they can create
CAM table flooding symptom and prevention
large numbers of MAC addresses being used on a single port
prevented by using port security on switch
pre-admit NAC definition
will test systems before they are allowed on the network
post-admit NAC
tests after clients are already on the network
clientless NAC used when
useful for when not possible to install a client
client based NAC advantage
can determine more about a system than a clientless model can
primary security concern using SMS as MFA
SMS messages are not encrypted by default
security concerns using SMS
MESS
can be received by More than one phone,
messages are not Encrypted
messages can be Spoofed,
messages are typically Stored on the recipient’s phone
most common VPN protocols (5)
PPTP,
L2F,
L2TP,
IPsec
TLS
4G LTE security capabilities (3)
encryption
device-based authentication (for example, using certificates)
SIM-based authentication
SCADA Devices over TCP/IP networks
SCADA devices were never designed for an open network like TCP/IP and should have their own network
CCMP associated with what wireless authentication
included in the WPA2 standard
Infrastructure mode wireless router
connects endpoints to a central network
standalone mode of wireless router
connects clients using a wireless access point but not to wired resources like a central network
ad hoc mode
directly connects two clients
wired extension mode
uses a wireless access point to link wireless clients to a wired network
Number of Tiers in Firewall
is equal to number of zones protected behind the firewall
cross-site scripting attacks defenses
An intrusion protection system can scan traffic and stop both known and unknown attacks.
A web application firewall, or WAF, is also a suitable technology
3 multi-layer protocol drawbacks
Filters and Rules can be Bypassed
network Segment boundaries can be bypassed
Covert channels
device used for assignment of endpoint systems to VLANs
normally done on switch
ECPA
Electronic Communications Privacy Act of 1986
The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.
requires approvals for wiretaps, etc.
CALEA
Communications Assistance for Law Enforcement Act (1979)
requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order
Privacy Act
Electronic Communications Privacy Act of 1986 (ECPA)
The ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.
HITECH Act
promote the adoption and meaningful use of health information technology through funding.
FISMA, what it defines as basic drivers for security
Federal Information Security Management Act (FISMA) was originally passed in 2002 as part of the Electronic Government Act. FISMA defines a framework of guidelines and security standards to protect government information and operations.
Defines CIA triad
PCI DSS, what it is and who it applies to
The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.
Not enforced by gov entity
PCI DSS controls cover any business that:
Processes digital transactions and payments using cards.
Stores credit card data.
Transmits cardholder information to another entity.
Has contact with protected cardholder data.
If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
BCP Team Roles / Members (12)
HeLPS IT COMMAnD (e,n not used)
Human Resources
e
Legal Affairs
Procurement - Equipment and Supplies
Security
IT members from each major area
Transportation & Relocation
Crisis Management
Operations Assessment
Management
Media Relations
Administrative Support
n
Damage Assessment
Company Acquisition Concerns for Security (3)
DIC
Documentation of security policies
Integration of security tools
Consolidation of security functions
civil case evidence requirement
preponderance of evidence
criminal case evidence requirement
beyond a reasonable doubt
internal case evidence requirement
none, but should develop a standard for the organization based on needs
list of supply chain risks (6)
NIST 800-53
TPC VCS
- Third party service providers or vendors – from janitorial services to software engineering – with physical or virtual access to information systems, software code, or IP.
- poor Information security practices by lower-tier suppliers.
- Compromised software or hardware purchased from suppliers.
- software security Vulnerabilities in supply chain management or supplier systems.
- Counterfeit hardware or hardware with embedded malware.
- Third party data Storage or data aggregators.
examples from practice tests:
adversary tampering with hardware prior to shipment to end customer
adversary using social engineering to compromise an employee of SaaS vendor to gain access to customer accounts
who should receive BCP training
everyone
FERPA
Family Educational Rights and Privacy Act (FERPA, 1974)
The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI)”.
Prudent Man Rule, who it applies to, what it means, originally applied to, but also now applies to
requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied them to information security matters in the United States in 1991.
Due Care
The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard.
prudent actions
applicable to everyone
due diligence
The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner
data gathering
usually applicable to leaders, laws and regulations
FISMA, what it is, who it applies to, what it defines, what it requires
The U.S. Federal Information Security Management Act (FISMA) applies to federal government agencies and contractors.
Defines a framework of guidelines and security standards to protect government information and operations.
FISMA requires all federal agencies to develop, document and implement agency-wide information security programs.
GDPR compliance / business partners
The European Union provides standard contractual clauses that may be used to facilitate data transfer.
GDPR compliance / internal to entity
If the data were being shared internally within a company, binding corporate rules would also be an option.
EU/U.S. Privacy Shield
The EU/U.S. Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but is no longer valid.
NCA / NDA
usually signed at start of employment not at termination
SOX
Sarbanes Oxley put strict reforms into place to improve financial disclosures and prevent fraudulent accounting practices
requires the following committees within board of directors must be only outside (independent) directors (non-employees)
watermark
used to digitally label data and can be used to indicate ownership, as well as to assist a digital rights management (DRM) system in identifying data that should be protected
metadata
used to label data and might help a data loss prevention system flag it before it leaves your organization
minimum email security requirements
Encrypting and labeling sensitive email will ensure that it remains confidential and can be identified.
NIST SP 800-88 / Validation
Validation processes are conducted to ensure that the sanitization process was completed, avoiding data remanence
COBIT / who most likely to use
Business owners have to balance the need to provide value with regulatory, security, and other requirements.
Data Owners responsibilities
Co Cla Set AS IS
Control Selection
Classifying the Data
Sets the Rules for use and protection of data
assisting with or Advising the System owners on security requirements
data owners are likely to ask those responsible for control selection to Identify a Standard to use
Data processors
Data processors are required to perform specific actions under regulations like the EU GDPR.
data stewards
are internal roles that oversee how data is used.
EOS
company is intentionally ending support and needs to address what happens to the devices next—secure disposal, destruction, or re-sale—depending on data security requirements and policies set by the company
EOL
when a device or software is no longer made or supported, in contrast to end of support, which may be when it is no longer serviced, including via patches, upgrades, or organizational maintenance
Tokenization
replaces data in a database field with a randomized string of characters that remains the same for each instance of that data
Anonymization
removes all personally identifiable data to ensure that the original subject cannot be identified
Data masking results
obscures some, but not all, data
Pseudonymization
uses a pseudonym or alias to replace other information
system owner security responsibilities
PIIT
develops system security Plan
Id’s and Implements security controls
ensures system users receive appropriate security Training
Sensitive data scanning tools purpose
designed to scan for and flag sensitive data types using known formatting and structure
most difficult location to protect data
memory, as it can’t be encrypted
best method to sanitize a solid-state drive
disintegration
grid computing most significant risk
Isolation breach, an isolation breach in the distributed computing client could be catastrophic, allowing someone who compromises the controller to assume control of every device in the organization
Mimikatz tool
used in pass-the-hash attacks for AD accounts
split knowledge proof
A process by which a cryptographic key is split into multiple key components, individually sharing no knowledge of the original key, which can be subsequently input into, or output from, a cryptographic module by separate entities and combined to recreate the original cryptographic key.
zero knowledge proof
A cryptographic scheme where a prover is able to convince a verifier that a statement is true, without providing any more information than that single bit (that is, that the statement is true rather than false).
logical proof
an argument that establishes the validity of a proposition. Although proofs may be based on inductive logic, in general the term proof connotes a rigorous deduction.
mathematical proof
the logical way in which mathematicians demonstrate that a statement is true
SaaS
Software as a service (SaaS) allows users to connect to and use cloud-based apps over the Internet.
PaaS
Platform as a service. Platform as a service (PaaS) is a complete development and deployment environment in the cloud
IaaS
Infrastructure as a Service (IaaS) is a business model that delivers IT infrastructure like compute, storage, and network resources on a pay-as-you-go basis over the internet.
CaaS
Containers as a service (CaaS) is a cloud service that allows software developers and IT departments to upload, organize, run, scale, manage and stop containers by using container-based virtualization. A CaaS provider will commonly provide a framework which allows users to make use of the service.
Reduced cost – Using CaaS allows an organisation to pay for only the services used, such as load balancing, scheduling and compute instances. CaaS can also help clients reduce infrastructure, software licensing and operating costs.
OAuth2, what is it, provides…, focus on….
protocol
provides the ability to access resources from another service,
focus on authorization - you’ve never signed up before
OIDC what is it, what is it used for and how it works, entities, 3 flows
OpenID Connect
standard to allow the use of an account from another service with an application,
builds on oauth2 and adds authentication
uses JSON Web Tokens (JWT)
entities:
relying party (target of access)
IdP (identity provider)
flows:
authorization code flow - request -> IdP -> authorization token -> use consent request -> authorization code -> ID token *preferred and more secure
implicit flow - relying party request includes scope values *good for javascript or other serverless / browser-based request, less secure because ID token can be manipulated by user
hybrid flow (combo of two above)
2 techniques for session management for web application
cookies
URL rewriting
HSM, what is it, what 3 advantages, often required for what
Hardware Security Modules
the most secure way to store keys associated with a CMS
provides enhanced key management capabilities
In addition to these advantages, an HSM can improve cryptographic performance for the organization due to dedicated hardware designed for just that purpose
are often required to be FIPS certified.
sudoers file
lists the specific users who can use sudo
lists the commands or directories that are allowed for them
RADIUS default vs more secure implementation
implement RADIUS over TCP using TLS (UDP is default and does not support TLS)
time and location requirements and accountability
do not impact accountability
TBAC
Task-based access control, lists tasks for users
OAuth use
log in to third-party websites using existing credentials
SAML,
what does it mean,
it’s a standardized way to…,
it enables…,
primary role in online security is…
used to make what 2 kinds of data
Security Assertion Markup Language
Standardized way to tell external applications and services that a user is who they say they are. (SAM is who he says he is)
SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications (Sam can use SSO)
primary role in online security is that it enables you to access multiple web applications using one set of login credentials (Sam uses SSO to sign on many places with one credential set)
used to make authorization and authentication data
Google’s identity integration is a type of what? Why?
is a federation and not just SSO as it goes beyond simple SSO
most important step to take to prevent privilege escalation with service accounts
ensuring the account has only the access required
XSS attack, what is it, how to prevent
Cross site scripting
malware script in site (e.g. bulletin board) which is hidden but can be unintentionally run by others who access the site
use script tags to prevent
CSRF,what is it, how does it work, how is prevented
Cross site request forgery,
an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user.
use session tokens / keys to prevent
XACML,what is it (2 items) and what is it used for (3 items), 2 elements
eXtensible Access Control Markup Language and a processing model
used to describe access controls,
a means to send an individual’s authentication information in a standard format (password, key or certificate),
can also be used to enforce policies
elements:
subject element
resources element
action element
SPML,what is it and what does it allow, 3 entities
service provisioning markup language
allow platforms to generate and respond to provisioning requests
entities:
RA - requesting authority
PSP - provisioning service provider (software)
PST - provisioning service target
SOAP,what is it, how is it used, what is required for it to be used, components
simple object access protocol
used for the exchange of information in decentralized, distributed application environments using XML over HTTP
can transmit SOAP messages in any way that the applications require, as long as both the client and the server use the same method.
components:
message envelope - defines the messages allowed and how they will be processed by recipient
encoding rules used to define data types
conventions for remote procedures / how to interpret responses
best way to prevent horizontal privilege escalation
MFA
CAS
Central Authentication Services is an SSO implementation
Kerberos and SSO
Kerberos is not an SSO implementation, but can be used as an SSO technology enabling component
best way to address concerns about third parties that control SSO redirects
awareness training
which identity provider is used in a Federated Identity provider
home organization of user
password requirement with highest impact of preventing brute force attacks
password length
Yubikey, Titan Security Key is what type of Type 2 authentication factor
token, something you have
PIV
PIV cards are used government-wide to control access to Federally Controlled Facilities and information systems at the appropriate security level.
personal identity verification is a full multifactor authentication solution and is not a device
MAC subjects and objects
all subjects and objects have a label
session guessing prevention (key length and assignment of keys)
prevented by using 128 bit or greater session IDs and session entropy (randomness)
session entropy
randomness
what algorithm protects user names and password in Kerberos
AES
Type 2 error
false positive
Type 1 error
false negative
FRR
False Rejection Rate / False negative
FAR
False acceptance rate / false positive
CER
cross over error rate, where FRR = FAR
aka EER (equal error rate)
lower numbers indicate a more accurate system
Nmap default scan weakness
only covers 1000 ports out of 65K
errors showing users information about code (e.g. directory and file info) indicates what issue
lack of proper exception handling
in penetration testing, what typically follows additional tool installation
gaining access
Windows and syslog
Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool.
APIs usually are not responsible for
encryption
regression testing is intended to uncover
new bugs introduced by patches or configuration changes
web application vulnerability scanners examples
Nikto, Burp Suite, and Wapiti
use case testing is used to…
used to verify whether a desired functionality works
misuse case testing
focuses on behaviors that are not what the organization desires or that are counter to the proper function of a system or application
dynamic testing
used to determine how code handles variables that change over time
cost of downtime for BIA
total cost of downtime includes:
TDC = BL + RTC + WL
BL(business lost) = business lost during outage $/hour
RTC(recovery time cost) = number of personnel hours worked to recover from outage X recovery time
WL(wages lost) = average wage per hour X total downtime
software testing covers which interfaces
APIs, UIs and physical interfaces
software testing doesn’t cover which interfaces
network
TCP connect scan used when
When a tester does not have raw packet creation privileges, such as when they do not have escalated privileges on a compromised host
TCP SYN scans requirement
require elevated privileges on most Linux systems due to the need to write raw packets
NIST 800-12
introduction to computer security
NIST contingency planning steps (7)
contingency planning
as a contingency, Please Buy Personal Self Care Toiletries Mama
- develop Policy
- BIA
- identify Preventive controls
- create contingency Strategies
- develop information system Contingency plan
- Testing and training
- plan Maintenance
NIST 800-86
Guide to Integrating Forensic Techniques into Incident Response
NIST 800-53A
Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans - covers methods for assessing and measuring controls
RFC 1918
nonroutable IP addresses (internal IP addresses)
BAS
Breach and Attack Simulation
systems that combine red team (attack) and blue team (defense) techniques together with automation to simulate advanced persistent threats and other advanced threat actors when run against your environment
red team
A red team is a group that pretends to be an enemy, attempts a physical or digital intrusion against an organization at the direction of that organization, then reports back so that the organization can improve their defenses. Red teams work for the organization or are hired by the organization.
blue team
A blue team is a group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and to make certain all security measures will continue to be effective after implementation.
SOAR, definition, goal, capability
Security Orchestration, Automation, and Response.
SOAR seeks to alleviate the strain on IT teams by incorporating automated responses to a variety of events.
A SOAR system can also be programmed to custom-fit an organization’s needs.
purple team
A purple team is a group of cyber security professionals who simulate malicious attacks and penetration testing in order to identify security vulnerabilities and recommend remediation strategies for an organization’s IT infrastructure. The term is derived from the color purple, which symbolizes the combination of both red and blue teams.
RUM,what is it and what is it used for
Real User Monitoring
a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior
RUM is often used as part of a predeployment process using the actual user interface
SOC 1, type of reporting and audience
financial reporting (internal)
SOC 2 type of report with what audience
security (internal)
Type I audit
only cover a single point in time and are based upon management descriptions of controls
Type II Audit
cover a period of time and do include an assessment of operating effectiveness
SSAE 18 SOC Compliance report
Statement on Standards for Attestation Engagements no. 18 (SSAE 18),
is an auditing standard for service organizations.
It is required by many industries and organizations for vendors that provide them services.
The examinations and audits of these Standards are known as SOC reports.
SOC 3 report
intended for distribution to third parties
include the auditor’s opinions and management assertions, along with information about the service organization.
SOC3 reports are specifically intended for external release
CI/CD pipeline, what does it mean, what is it, what is the goal of CI/CD pipeline
continuous integration and continuous deployment
A continuous integration and continuous deployment (CI/CD) pipeline is a series of steps that must be performed in order to deliver a new version of software.
CI/CD pipelines are a practice focused on improving software delivery throughout the software development life cycle via automation.
SCAP, meaning, use and individual specifications
Security Content Automation Protocol
A suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. Note: There are six individual specifications incorporated into SCAP:
VCP VSOX
CVE (common vulnerabilities and exposures);
CCE (common configuration enumeration);
CPE (common platform enumeration);
CVSS (common vulnerability scoring system);
OVAL (open vulnerability assessment language); and
XCCDF (eXtensible configuration checklist description format).
XCCDF, what does it mean, what is it used for, what is used by
The Extensible Configuration Checklist Description Format (XCCDF) is used to create security checklists in a standardized fashion.
Used in vulnerability scanning
CVE
The Common Vulnerabilities and Exposures (CVE) database provides a consistent reference for identifying security vulnerabilities.
SCE, what does it mean, what is it designed to do
The Script Check Engine (SCE) is designed to make scripts interoperable with security policy definitions.
OVAL
The Open Vulnerability and Assessment Language (OVAL) is used to describe the security condition of a system.
test coverage report, measures what, used for
measures how many of the test cases have been completed and is used as a way to provide test metrics when using test cases
code coverage report
covers how much of the code has been tested
line coverage report
a type of code coverage report that covers how many lines of code were tested
synthetic monitoring
uses simulated or recorded traffic and thus can be used to proactively identify problems
can be used to detect functionality issues
passive monitoring, limitation and use
works only after issues have occurred because it requires actual traffic
can be used to detect functionality issues
branch coverage
verifies that every if statement was executed under all if and else conditions
Statement coverage
verify that every line of code was executed during the test
Condition coverage
verifies that every logical test in the code was executed under all sets of inputs
Function coverage
verifies that every function in the code was called and returns results
ITIL and auditing
ITIL, which originally stood for IT Infrastructure Library, is a set of practices for IT service management and is not typically used for auditing.
Pair programming, description, is what type of development technique which comes from what other type of technique,
Pair programming is an Agile software development technique originating from Extreme programming (XP) in which two developers team together on one computer. The two people work together to design, code and test user stories.
FCRP
Federal Rules of Civil Procedure
PMBOK
The Project Management Body of Knowledge (PMBOK) provides a common core of project management expertise.
TOGAF
The Open Group Architecture Framework (TOGAF) focuses on IT architecture issues.
Can be used for the following types:
Business Architecture
Data Architecture
Application Architecture
Technology Architecture
uses Architecture Development Method (ADM)
UEBA meaning and purpose
User and entity behavior analytics (UEBA) solutions focus on the user
uses algorithms and machine learning to detect anomalies in the behavior of not only the users in a corporate network but also the routers, servers, and endpoints in that network.
good tool for detecting malicious insiders and compromised accounts
EDR
Endpoint detection and response (EDR) systems focus on endpoint devices.
differential backups
all files changed since last full backup are copied even if copied in backups prior to current backup / archive bit is not changed / requires only the last differential backup + full backup during restoration
Reformatting
does not remove remnant data
electronic vaulting
automated technology moves database backups from the primary database server to a remote site on a scheduled basis
Remote mirroring
maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site
least privilege
The principle of least privilege says that an individual should only have the privileges necessary to complete their job functions.
Least privilege is a result of invoking need to know restrictions
CSIRT,meaning and members
cybersecurity incident response team
members -
core:
CISO
Director of Security Ops
IR Team lead
Cybersecurity Analyst
IT support
Threat Intelligence Analyst
extended:
HR
Legal counsel
PR
Business Unit Lead
minimum:
(e lips)
engineering/technical staff
legal representatives,
information security professionals,
public affairs staff, and
senior management,
security incident
Any attempt to undermine the security of an organization or violation of a security policy
best encryption key protection
two-person control is best
mitigation phase of incident response
The mitigation phase of incident response focuses on actions that can contain the damage incurred during an incident. This includes limiting the scope and or effectiveness of the incident.
response phase of incident response
The response phase includes steps taken to assemble a team and triage the incident.
Entitlement
Entitlement refers to the privileges granted to users when an account is first provisioned.
Tower of Hanoi description, algorithm, purpose
Tower of Hanoi consists of three pegs or towers with n disks placed one over the other. The objective of the puzzle is to move the stack to another peg following these simple rules: only one disk can be moved at a time, and no disk can be placed on top of a smaller disk.
algorithm:
Move the top n-1 disks from the source peg to the helper peg. Afterward, move the nth disk from the source peg to the destination peg. Finally, move the rest n-1 disks from the helper peg to the destination peg. (n= number of disks)
used to test problem solving ability
SCOM
System Center Operations Manager
in Windows, primarily used to monitor for health and performance
NIST SP 800-137
According to NIST SP 800-137, organizations should use the following factors to determine assessment and monitoring frequency:
VV WORMCORT
Volatility of security controls,
Vulnerability information,
Weaknesses identified in security controls,
Organizational risk tolerance,
Risk assessment Results,
Monitoring strategy review output,
Categorizations/impact levels for system security controls or specific assessments,
Objects providing critical functions,
Reporting requirements,
Threat information.
Fagan Inspection
a process of trying to find defects in documents (such as source code or formal specifications) during various phases of the software development process
Threat Modeling Process Overview for applications
threat MOdeling prOcess Overview
threat MOdeling cOmmOnly involves:
Mooo at the dairy
DA IR y M AC (y not used)
Decomposing the Application to understand it and how it interacts with other components or users.
Identifying and Ranking threats allows you to focus on the threats that should be prioritized.
identifying how to Mitigate those threats finishes the process.
Once complete, an organization can take action to handle the threats that were identified with Appropriate Controls.
Sign of SQL injection
single quotation in input field
DAST,what is it and what is it used for
dynamic application security testing (DAST) is used to verify the correct implementation of code
How a NoSQL database stores data
stores data using a key-value store
graph database, type of db and how it works
another example of a NoSQL database, but it
uses nodes and edges to store data rather than keys and values
Release control
manages the deployment of code into production
SIEM does not
does not respond to findings
parameterization
used for constructing a db query, each parameter has a placeholder, which is then passed to the query
client side input validation and sql injection
doesn’t stop the attack because it can be manipulated by the user,
only server side input validation will prevent sql injection
CAB
change advisory board
Stages of Information Life Cycle (ILC)
C/R DUM D/S
Create / Receive
Distribute
Use
Maintain
Dispose / Store
or
ASU SAD
Acquisition
Storage
Use
Sharing
Archival
Disposal
ILC Create / Receive
records from their point of origination
ILC Distribute
moving the information once it has been created or received. This includes both internal and external distribution, as information that leaves an organization becomes a record of a transaction with others.
ILC, implication for data security
How we implement CIA triad over the data takes place after information is distributed internally, and can generate business decisions, document further actions, or serve other purposes
Security Modes List / criteria list
Modes:
D Size Cups Mama (DSCM or DiSHM)
Dedicated
System High
Compartmented
Multi-level
For Each Mode:
Nice Cans Face Nookie Ass (NCFNA or SCANU)
Signed NDA
Clearance
Formal Approval
Need to Know
All users
Dedicated Security Mode
Signed NDA All Data
Proper Clearance All Data
Formal Access Approval All Data
Valid Need to Know All Data
All users can access All Data
System High Security Mode
Signed NDA All Data
Proper Clearance All Data
Formal Access Approval All Data
Valid Need to Know Some Data
All users can access Some Data
Compartmented Security Mode
Signed NDA All Data
Proper Clearance All Data
Formal Access Approval Some Data
Valid Need to Know Some Data
All users can access Some Data
Multi-level Security Mode
Signed NDA All Data
Proper Clearance Some Data
Formal Access Approval Some Data
Valid Need to Know Some Data
All users can access Some Data
What are the protocol(s) of the Application Layer?
communication, file transfer, network management
POP3, SMTP, IMAP, SNMP, FTP, Telnet, HTTP, MIME, PGP (app), S/MIME (app), HTTPS (app), DNS, DHCP, NTP
POP3 - Post Office Protocol version 3
SMTP - Simple Mail Transfer Protocol
IMAP - Internet Message Access Protocol
SNMP - Simple Network Management Protocol
FTP - File Transfer Protocol
MIME - Multipurpose Internet Mail Extensions
HTTP - HyperText Transfer Protocol
PGP - Pretty Good Privacy
DNS - Domain Name Service
DHCP - Dynamic Host Configuration Protocol
NTP - Network Time Protocol
What are the protocol(s) of the Presentation Layer?
GIF, TIFF, JPG, MPEG, MIDI, character encoding (ASCII, UNICODE, EBCDIC)
What are the protocols(s) of the Session Layer?
NetBIOS, NFS, PPTP, RPC, RTCP, SQL
(NNPRRS), PAP
NFS - UNIX stateless Network File System
NetBIOS - MS network basic input output system
PPTP - Point-to-Point Tunneling Protocol
RPC - Remote Procedure Call
RTCP - RTP (Real-time Transport Protocol) Control Protocol
SQL - Structured Query Language
PAP - Password Authentication Protocol
What are the protocols(s) of the Transport Layer?
TRANsport / TRANsmission control protocol (TCP)
TCP, UDP, SCTP, QUIC
TCP - Transmission Control Protocol
UDP - User Datagram Protocol
SCTP - Stream Control Transmission Protocol
QUIC
What are the protocols(s) of the Network Layer?
IP, RIP, ICMP, IGMP, OSPF
IP - Internet Protocol
RIP - Routing Information Protocol
ICMP - Internet Control Message Protocol
IGMP - Internet Group Management Protocol
OSPF - Open Shortest Path First
What are the protocols(s) of the Data Link Layer?
ARP, RARP, SLIP, PPP, L2TP, Ethernet, ISDN, Wi-Fi, FCoE
I SLAP a FEW (a not used)
ISDN - Integrated Services Digital Network
SLIP - Serial Line Internet Protocol
L2TP - Layer 2 Tunneling Protocol
ARP / RARP - (Reverse) Address Resolution Protocol
PPP - Point-to-Point Protocol
a
FCoE - Fibre Channel over Ethernet
Ethernet
Wi-Fi
What are the protocols(s) of the Physical Layer?
PCRAV
Pinouts, voltages, cables, antennas, radio waves
RS/EIA/TIA-422,423,449,485
10BaseX
ISDN - Integrated Services Digital Network
DSL - Digital Subscriber Line
SONET - Synchronous Optical Networking
What are the encryption(s) of the Transport Layer?
SSL2, SSL3, TLS (therefore the encryption in support of HTTPS, POP3S, FTPS)
SSL - Secure Socket Layer
TLS - Transport Layer Security
What are the encryption(s) of the Data Link Layer?
WEP, TKIP, CCMP
WEP - Wired Equivalent Privacy
TKIP - Temporal Key Integrity Protocol
CCMP - Counter-Mode/CBC-MAC Protocol
What are the encryption(s) of the Network layer?
IPSec Transport ESP
IPSec Tunnel ESP
(RC5, DES, AES)
What are the SW/HW of the Application Layer?
SW: Gateways and Proxies
What are the encryption(s) of the Presentation Layer?
SSH (therefore, the encryption in support of S-FTP, S-HTTP, PGP, S/MIME)
What are the encryption(s) of the Network layer?
since IPSec is built into the IPv6 network protocols, and can be used with IPv4, think of that to remember that it’s in the network layer
IPSec Transport ESP
IPSec Tunnel ESP
(RC5, DES, AES)
What are the device(s) of the Network Layer?
HW: Router
What are the HW device(s) of the Data Link Layer?
HW: Bridge, L2 Switch
What are the HW devices of the Physical Layer?
HW: Hub, repeater
What is the firewall of the Application, Presentation, and Session Layer?
Proxy Firewall
What is the firewall of the Session and Transport Layer?
Circuit (SOCKS) Firewall
What is the firewall of the Network Layer?
Packet Filter Firewall
EAP
The Extensible Authentication Protocol (EAP) is a framework protocol for wireless networks that can support multiple authentication mechanisms, including tokens, smart cards, certificates, one-time passwords, and public key encryption authentication
PAP
Password Authentication Protocol
Old, not common to see, only used in legacy systems. It’s “in the clear”, no encryption authentication. It’s obviously a weak authentication scheme.
CHAP
A three-way handshake (challenge/response) authentication protocol used for remote access connections. Both devices are configured with a password called a shared secret. For unique user authentication, this value is associated with a user account. The challenge/response authentication mechanism occurs in three steps:
- The server generates a challenge message and sends it to the client.
- The client responds with the username and a value created using a one-way hash function on the challenge message.
- The server checks the response against its own value created using the same hash. If the values match, the client is authenticated.
With CHAP, plaintext versions of the password are never sent; only the hashed challenge message is sent between devices.
LEAP
Cisco created it using a modified version of the Challenge Handshake (CHAP); it does not require a digital certificate.
PEAP, what does it mean, uses what type of encapsulation, typical use and support, how does it use certs,
PEAP, or Protected EAP, was developed to protect EAP communication by encapsulating it with Transport Layer Security (TLS).
* PEAP provides that protection as part of the protocol via a TLS tunnel.
PEAP is widely supported by vendors for use over wireless networks.
- Certificate on the server; the EAP communication is sent across that secure tunnel.
EAP-TLS
- This is still considered one of the most secure implementations, primarily because common implementations employ client-side certificates. This means that an attacker must also possess the key for the client-side certificate to break the TLS channel.
- EAP-TLS for mutual authentication requires client and server certificates
EAP-FAST, define, distinguishing characteristic, certificate needs
EAP-FAST
* EAP-FAST offers a lightweight tunneling protocol to enable authentication. The distinguishing characteristic is the passing of a Protected Access Credential (PAC) that is used to establish a TLS tunnel through which client credentials are verified.
* EAP-FAST does not require certificates.
EAP-TTLS, define, works by, differs from EAP-TLS how, eliminates requirement to do what?
EAP-TTLS
VEES
- Variant of the EAP-TLS protocol.
- Server authenticating to the client with a certificate, but the protocol tunnels the client side of the authentication
- In EAP-TTLS, the authentication process is protected by the tunnel from man-in-the-middle attacks, and although client-side certificates can be used, they are not required, making this Easier to set up than EAP-TLS to clients without certificates.
- EAP-TTLS Eliminates the requirement to deploy or use client certificates.
RADIUS 2 benefits
Allows users to use Normal credentials across trusted networks.
Allows users in one organization to authenticate and access resources on another trusted organization’s network using one set of credentials
IEEE 802.1X
Authentication standard that supports port-based authentication between authorization device and user
MS-CHAP
Microsoft’s proprietary challenge-response authentication method used for remote access connections. MS-CHAP:
- Encrypts the shared secret on each system so it is not saved in plaintext.
- Provides a mechanism for changing the password over the remote connection.
- Allows for mutual authentication, where the server authenticates to the client, if you use v2.
Be aware that MS-CHAP and MS-CHAP v2 both have known security vulnerabilities and should be avoided if possible.
CDN Benefits (4)
Lower latency for clients, especially for applications in which multiple round-trips are required to load content.
Large scaling to better handle instantaneous high loads, such as the start of a product launch event.
Reduced traffic sent to the origin server, as requests are handled by the edge servers.
Provides protection from DoS attacks.
3 ways CDN provide DDoS protection
A content delivery network provides DDoS protection by design, by being able to absorb volumetric attacks.
CDNs also include always-on traffic monitoring and real-time mitigation of common network-level attacks.
CDN Zone-based restriction
Allows access to content to be restricted by country/region.
With geo-filtering, it is possible to create rules on specific paths on the CDN endpoint to allow or block content in selected countries/regions.
CDN Data transmission steps
1: Request forwarded to the edge server (DNS returns a server based on the client location).
2/3: If the data is not in the cache, it is requested from the origin server.
4: The result is returned to the client. The data is cached according to a TTL.
Describe FCoE operation.
FCoE encapsulates FC frames inside Ethernet frames. SAN and LAN traffic terminate in the same port in the server (the CNA virtualizes a NIC/MAC address and HBA/WWN).
What is the primary difference between iSCSI and FCoE?
iSCSI can use the existing network infrastructure (standard Ethernet switches and NICs). FCoE requires CNAs and converged switches.
In addition, iSCSI uses the IP protocol stack and traditional Ethernet. In contrast, FCoE does not use IP at all and uses enhanced Ethernet.
iSCSI, definition, can be used on which 3 types of networks
In computing, iSCSI (/aɪˈskʌzi/ eye-SKUZ-ee) is an acronym for Internet Small Computer Systems Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities.
By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval.
VXLAN
Virtual Extensible LAN, can support up to 16 million segments
It allows a single physical network to be shared by multiple different organizations, or “tenants,” without any one tenant being able to see the network traffic of any other.
ZigBee speed range
40-250 kbps
Z-Wave speed range
9.8-100 kbps
ZigBee # of devices
65,000
Z-Wave # of devices
232
ZigBee frequency
868 MHz to 2.4 GHz
Z-Wave frequency
908.42 MHz in North America
Zigbee, what it enables, designed for, which IEEE specification, networks secured by…, rate of transmission, best suited for…
An IoT standards-based protocol. Zigbee is a standards-based wireless technology that enables wireless machine-to-machine (M2M) and IoT networks.
It is designed for low-data rate, low-power applications, and is an open standard. Zigbee is a specification based on IEEE 802.15.4
Its networks are secured by 128-bit symmetric encryption keys. Zigbee has a defined rate of 250 kbps, best suited for intermittent data transmissions from a sensor or input device.
Z-Wave, define, uses what encryption (same as zigbee), how many nodes permitted?
IoT standards-based protocol. Simpler and less expensive than Zigbee. Z-Wave was created by a Danish company named Zensys. It uses the same AES-128 symmetric encryption as Zigbee.
Like Zigbee, Z-Wave devices all link up together to form a mesh network. There’s one central hub that connects to the internet and then the devices themselves don’t have Wi-Fi at all, they use Z-Wave connectivity to talk to the hub either directly or through the mesh network. This is called a “source-routed mesh network topology.” Z-Wave allows up to 232 nodes on the mesh network.
4G speed
100 Mbps, whereas stationary devices can reach 1 Gbps
5G speed
up to 10 Gbps
5G technology
higher frequencies than previous cellular technologies, which has allowed for higher transmission speeds but at a reduced distance
Why is a 5G Communication System preferred over a 4G Communication System?
In terms of speed, a 5G communication system is able to provide up to 100 gigabits per second, which is 100 times faster than a 4G communication system.
4G has very high latency compared to 5G.
A 5G communication system will also be able to fix the bandwidth issue with emerging technology such as driverless cars and connected home products.
s/mime
MIME multipart/signed and multipart/encrypted framework
S/MIME is an IETF standard that provides cryptographic security for electronic messaging
MOSS what is it and current state of use
MIME Object Security Services (MOSS) is a protocol that uses the multipart/signed and multipart/encrypted framework to apply digital signature and encryption services to MIME objects.
MOSS was never widely deployed and is now abandoned, largely due to the popularity of PGP.
PEM, when, developed for?, current use, formalized in IETF / RFC xxxx?
Privacy-Enhanced Mail (PEM) is now a de facto file format for storing and sending cryptographic keys, certificates, and other data, based on a set of 1993 IETF standards defining “privacy-enhanced mail.”
While the original standards were never broadly adopted and were supplanted by PGP and S/MIME, current use involves the textual encoding they defined which became very popular.
The PEM format was eventually formalized by the IETF in RFC 7468.
DKIM, what is it, what is it used for, how does it work
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.
Works by leveraging PKI
DKIM allows the receiver to check that an email that claimed to have come from a specific domain was indeed authorized by the owner of that domain.[1] It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message.
DKIM is an Internet Standard.[3] It is defined in RFC 6376, dated September 2011, with updates in RFC 8301 and RFC 8463.
NAC captive portal definition / limitations (4)
A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources
Limitations: CBDM
may be Circumvented
Dns tunneling
Mac spoofing
require web Browser
WPA3 security has new authentication mode known as what?, benefit of this mode? Describe 3 modes with some technical detail and their benefits
WPA3-Personal (WPA3-SAE). This mode focuses on improving protection for individual users by providing better security using SAE. SAE increases security over WPA2, even when using a simple password. Personal mode lets users choose easy-to-remember passwords while still providing increased security using perfect forward secrecy to protect data traffic.
WPA3-Enterprise. Enterprise mode builds on top of the previous WPA2 Enterprise mode. However, enterprise mode requires the use of Protected Management Frames on all WPA3 connections. Enterprise mode also has multiple Extensible Authentication Protocol (EAP) methods for authentication, 128-bit authenticated encryption, 256-bit key derivation and confirmation, as well as 128-bit management frame protection.
Wi-Fi Enhanced Open. This extra mode focuses on increasing privacy in open networks. Enhanced Open mode prevents passive eavesdropping by encrypting traffic even when a password isn't used. This mode uses 256-bit authenticated encryption, 384-bit key derivation and confirmation, as well as 256-bit management frame protection.
SAE, define, variant of x, based on y key exchange, doesn’t use DH because DH has no z mechanism, resulting key is influenced by a preshared key and what?
In cryptography, Simultaneous Authentication of Equals (SAE) is a password-based authentication and password-authenticated key agreement method
SAE is a variant of the Dragonfly Key Exchange defined in RFC 7664,[2] based on Diffie–Hellman key exchange using finite cyclic groups which can be a primary cyclic group or an elliptic curve.[1] The problem of using Diffie–Hellman key exchange is that it does not have an authentication mechanism. So the resulting key is influenced by a pre-shared key and the MAC addresses of both peers to solve the authentication problem.
WPA3 vs. WPA2, 5 points
BiG SIS (i not used)
Bigger session keys
GCMP WPA2 uses AES for encryption, while WPA3 uses the more secure GCMP
SAE protocol
Individualized data encryption
Stronger brute-force attack protection
GCMP, what does it mean, what type of cryptography, what makes it special, what is it used for (12 technologies)
Galois/Counter Mode, a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources
GCM mode is used in the IEEE 802.1AE (MACsec) Ethernet security, WPA3-Enterprise Wifi security protocol, IEEE 802.11ad (also dubbed WiGig), ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, IETF IPsec standards,[6][7] SSH,[8] TLS 1.2[9][10] and TLS 1.3.[11] AES-GCM is included in the NSA Suite B Cryptography and its latest replacement in 2018 Commercial National Security Algorithm (CNSA) suite.[12] GCM mode is used in the SoftEther VPN server and client,[13] as well as OpenVPN since version 2.4.
CAM table flooding
MAC flooding
MAC flooding description / solutions (3)
The attack works by forcing legitimate MAC table contents out of the switch and forcing a unicast flooding behavior, potentially sending sensitive information to portions of the network where it is not normally intended to go
solutions / network operators usually rely on the presence of one or more features in their network equipment:
port security
MAC filtering
IEEE 802.1X
VLAN hopping definition, types and mitigation of each type
Gaining access to traffic on other VLANs that would normally not be accessible; mitigated through proper VLAN configuration
switch spoofing - mitigated by ensuring that ports are not set to negotiate trunks automatically by disabling DTP on ports that are not meant to be trunks and explicitly configured as access ports
double tagging - mitigated by not putting any hosts on VLAN 1 (the default VLAN), i.e., assign an access VLAN other than VLAN 1 to every access port, change the native VLAN on all trunk ports to an unused VLAN ID, and explicitly tag the native VLAN on all trunk ports. Must be configured on all switches in the network
IP spoofing how and how to stop
IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system
solutions: packet filtering and do not allow authentication based on IP address
802.1x
IEEE 802.1X is an IEEE Standard for port-based network access control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN
802.3
IEEE 802.3 is a working group and a collection of standards defining the physical layer and data link layer’s media access control (MAC) of wired Ethernet
802.15.1
IEEE 802.15 is a working group of the Institute of Electrical and Electronics Engineers (IEEE) IEEE 802 standards committee which specifies Wireless Specialty Networks (WSN) standards. WPAN / Bluetooth
IEEE 802.15.1
WPAN / Bluetooth
IEEE 802.15.5
Mesh networking
IEEE 802.15.7
7 is an inverted L (for LiFi)
Visible Light Communication / LiFi
IEEE 802.15.13
Multi-Gigabit/s Optical Wireless Communications
SRTP what does it stand for, what OSI layers, 4 types of protection over what
Secure Real-time Transport Protocol
Secure Real-time Transport Protocol (SRTP) is a profile for Real-time Transport Protocol (RTP) intended to provide encryption, message authentication and integrity, and replay attack protection to the RTP data in both unicast and multicast applications
between transport and application layer
provides
CREM
confidentiality,
replay protection
encryption,
message authentication
SIPS, what is it, what used for?, what osi layer
Session Initiation Protocol Secure
a signaling protocol used for initiating, maintaining, and terminating communication sessions that include voice, video and messaging applications
session layer
to signal and control interactive communication sessions
SRTP vs SIPS(SIP TLS)
E AIR
SRTP is an RTP profile intended to provide Encryption, message Authentication and Integrity, and Replay attack protection to the RTP data.
PI
SIP TLS protocol aims primarily to provide Privacy and data Integrity between two or more communicating computer applications.
NAT vs PAT
NAT maps public to private via IP address
PAT maps public to private via port#
PAT more efficient as it can use one public address for many different internal devices
BIA process
PROcess / PROtect
Protect Real Life Investment Revenue
(id Priorities, id Risks, Likelihood, Impact, Resource priorities)
Communication threats
RIDEM
(Replay, Impersonation, Modification, Eavesdropping, Denial of service)
ASLR
address space layout randomization - memory protection for O/S
MSA (web)
microservice architecture
serverless aka
FaaS (only functions)
microkernels
add function via kernel modules
reference monitor definition, 3 properties
handles access between subjects and objects (concept, not physical component)
aka abstract machine
properties:
always invoked
tamper-resistant
verifiable
Grid Computing
leveraging distributed computing resources (of other entities) for complex problems
DCE
distributed computing environment - collection of systems that work together
PLC
programmable logic controllers, industrial digital computer for controlling manufacturing processes less than 1000’s
Cryptology
the science of securing communications
Substitution Ciphers types, weakness
(monoalphabetic / polyalphabetic) easily broken by frequency analysis
Confusion
relationship between plaintext and cipher text
Diffusion
how order of plaintext should be dispersed throughout cipher text
Vigenere Cipher
uses a matrix (vigenere square) x axis is plain text / y axis is key
Cipher Disk
Cryptographic device that uses two concentric disks, each with an alphabet around the periphery
One-Time Pad
an example of perfect (unbreakable) encryption, which is achieved by using, only once, a random polyalphabetic key that is as long as the message itself.
SIGABA
similar to Cipher Disk with 3x5 sets of rotors, large, heavy, expensive, hard to operate, mechanically complex and fragile
COCOM
(Coordinating Committee of Multilateral Export Controls) - prevented export of critical technologies including encryption (1947-1994)
Wassenaar
similar to COCOM for dual-use technologies but added Iron Curtain countries as members (1996 - present)
Meet-in-the-middle attack
Cryptanalysis attack that tries to uncover a mathematical problem from two different ends.
HMAC
Hashed Message Authentication Code
XOR and hash function
TLS / SSL initiation process
SYN, SYN/ACK, ACK, session
IPSec Modes
- Transport Mode (Only data encrypted)
- Tunnel Mode (entire packet encrypted)
TCP Flags mnemonic
Nosetackles Can Easily Upend Any Puny Runningback Sneaking the Football (or, with the first 3 not used: Unskilled Attackers Pester Real Security Folks)
NS (not used anymore)
CWR (not used anymore)
ECE (not used anymore)
URG urgent
ACK acknowledgement
PSH push
RST reset
SYN synchronize
FIN finish
CMM
I Rarely Develop My Own
1 Initial -undocumented and not consistent
2 Repeatable - some processes are repeatable, process might be strictly controlled
3 Defined - documented processes and standards
4 Managed - metrics used for performance measurement and process users are competent
5 Optimizing - focus on continuous improvement
edge computing vs. fog computing
edge computing is decentralized distributed computing
fog computing is centralized distributed computing
fog computing
centralized distributed computing
UDP is simplex or duplex?
simplex mode (per port)
microsegmentation (edge and fog computing)
does not support edge/fog computing
How do Application-level firewalls work
make access control decisions based on content of communications
Authentication Header provides…
provides integrity and non-repudiation
Risk-based access control
evaluates the environment / situation then makes access decisions based on coded policies
OID vs OIDC
OID does not include profile information
ABAC, often used in…?
Attribute Based Access Control
grants access based on attributes (often used in SDNs)
network access server within RADIUS
is a client
DRP relation to BCP / COOP
picks up where BCP leaves off, is site specific, only addresses disruption requiring relocation, may involve multiple ISCPs
expert system’s decision making process
a series of if/then rules codified in a knowledge base
contamination
when data from a higher classification is mixed with data from a lower classification
best to prevent cross-site scripting attacks
input validation
ALE (formula)
ALE = ARO*SLE [Ale = A RO SlE]
formula for SLE
formula for ALE
SLE = AV * EF
SLE single loss expectancy
AV asset value
EF exposure factor
ALE = ARO * SLE
or
ALE = ARO * AV * EF
Cost / Benefit of countermeasures
[V -AA +AB -AC] Value = ALE BEFORE less ALE AFTER less Annual Cost of measure
Total Risk
TR [total risk exposure] = A T V ([asset value] [threat impact] [vulnerabilities likelihood])
BCP Steps high level steps
SICA
(scope, impact, continuity, approval)
BCP high level process to be combined with SICA card
SPAT
(strategy, provisioning, approval, training)
Fagan code review, definition and process
a process of trying to find defects in documents (such as source code or formal specifications) during various phases of the software development process
P O P Is Real Fedup [POPIRF]
(planning, overview, prep, inspect, rework, followup)
Incident Response process, goals
[Dirty Rotten Mean REPublicans RECruit REMarkable Losers]
detection, search for indicators, declaration of incident
response, (initial response, contain damage)
mitigation, (eradicate threat actor, determine details of attack and how to mitigate and perform mitigation)
reporting,
recovery, (restore full functionality of business process)
remediation, (prevent future incidents)
lessons learned (continuous improvement)
PASTA steps
Process for Attack Simulation and Threat Analysis
It’s a bowl of spaghettios or alphabet soup
DO DTS ADA TA VA AMS RAM
(determine objectives,
define tech scope,
application decomp analysis,
threat anal,
vulnerability anal,
attack modeling simulation,
risk anal mngmt)
SAMM Process
Software Assurance Maturity Model - from OWASP focused on secure software development
Business functions:
[Giving Developers Incentive Via Offers]
Governance,
Design,
Implementation,
Verification,
Operations
Each function has 3 security practices
SW/CMM levels
[I Rarely Develop My Own]
(initial,
repeatable,
defined,
managed,
optimized)
Application attack types
RoBBoT
(Buffer overflow,
Backdoors,
Time-of-check to time-of-use, TOCTOU (asynchronous attack),
Rootkits)
Auditing activities
A DAM LIAR
(alarm triggers,
data reduction,
analysis of logs,
monitoring,
logging,
IDS,
alert usage,
review of logs)
Authorization mechanisms
IAACCCC (implicit deny, ACL, ACM, capability tables, constrained xfaces, content, context)
COBIT elements
GOD HO ST GOS TA EN
(GOvernance is Dynamic,
HOlistic approach,
STakeholder value,
GOvernance Separate from mgmt,
TAilored to entity,
ENd to end)
Computer Crimes
[The Mother Fuckers Better Takeoff Running]
(terrorism,
military,
financial,
business,
thrill,
revenge)
Control Classification
CCDDDPR
(corrective,
compensating,
detective,
deterrent,
directive,
preventive,
recovery)
Data Classification Criteria
DATa LIVe SUM
(disclosure damage,
age,
timeliness,
lifetime,
implications of disclosure to business or national security,
value,
storage,
usefulness,
modification damage)
Elements of Cable Plant
BEETH
(Backbone distribution,
Entrance facility,
Equipment room,
Telecommunication room,
Horizontal distribution)
Evaluating access control attacks
VAT
(vulnerabilities,
assets,
threats)
Halon subs
FF AI CLAN
(FM200,
FE13,
Argonite,
Inergen,
CEA410/308,
Low pressure water mist,
Argon,
NAF-S-III)
Memory addressing methods (5)
BIRDI
(base+offset,
immediate,
register,
direct,
indirect)
Processing States
RRSSW
(ready,
running,
supervisory,
stopped,
waiting)
Sabotage prevention
CAMO
(compensation / recognition of excellence,
auditing,
monitoring,
open communication)
Symmetric Encryption Modes
ECCCCOG
(ECB,
CBC,
CFB,
CTR,
CCM,
OFB,
GCM)
ECB short only
Symmetric Encryption Modes with IV
IV initialization vectors
CCO
(CBC,
CFB,
OFB)
Threat ranking methods
PD HML DREAD
(Probability X Damage Potential,
H/M/L,
DREAD)
Threat rating model
DREAD
(damage,
reproducibility,
exploitability,
affected users,
discoverability)
Virus propagation
BI FI MI SI
(Bootsector Infection,
File Infection,
Macro Infection,
Service Injection)
Security Models List mnemonic
Bill Belichick Loves Great Head Coaches Big Nose Tackles
(Bell-La Padula,
BIBA,
Lattice,
Graham-Denning,
HRU,
Clark-Wilson,
Brewer-Nash,
Non-Interference,
Take / Grant)
Access Control Matrix
Subjects rows / Objects Columns
Least Privilege
employees given minimum access to perform duties
Separation of Duties
separating duties as an internal control
Two Person Control used for…
For highly sensitive separation of duty tasks such as encryption key retrieval
Northbridge
CPU, RAM, Memory (Fast)
Southbridge
I/O controller, peripherals (mouse, USB, HD)
DEP
data execution prevention - prevents damage from malware by not allowing execution in Windows reserved memory locations
Containerization summary
only o/s components needed are in a container
Peer to Peer
each node is both server and client, used mostly for file sharing (subset of grid computing)
HPC
high performance computing - similar to grid but not shared
Edge Computing, what is it
pushing processing as close to client as possible
CDN
content distribution network - subset of edge computing
multiple servers distributed across a large region which is optimized for users closest to a particular server
SCADA,what does it mean and used for what type of computing
Supervisory Control and Data Acquisition - distributed computing for industrial controls
DNP3
distributed network protocol used in SCADA
Cryptography
creating secure messages
Cryptanalysis
the science of breaking encrypted communications
Cipher
the generic term for a technique (or algorithm) that performs encryption
Spartan Scytale
Message written lengthwise on a long thin piece of parchment wrapped around a certain size round stick. By itself it would make no sense, but if rewrapped around a stick of the same diameter it would be decipherable.
Caesar Cipher
A substitution cipher that shifts characters a certain number of positions in the alphabet
Jefferson Disk (invented by President Jefferson) / Bazeries Cylinder (Bazeries’ improvement)
set of cipher disks around axle
Number of Symmetric keys required:
n(n-1)/2, where n = number of users
Number of Asymmetric keys required
2n, where n = number of users
anything better than AES…
is proprietary
Digraph Attack
frequency analysis with two letter combos
Differential Cryptanalysis
Seeks to find the “difference” between related plaintexts that are encrypted
Linear Cryptanalysis
Known plaintext attack where the cryptanalyst finds large amounts of plaintext/ciphertext pairs created with the same key